8 Posts Tagged 'SSH'

Working remotely

I'm sitting here in Canada trying to work for my employer back in the US for a month. It's been a few weeks already, and I'm surprisingly pleased (or pleasantly surprised) with how well it's working. At the same time, certain aspects of this rather suck.

One huge obstacle so far is (of course) Windows. Aside from the Linux server that I convinced IT to let me run out of a closet, the whole place is Microsoft. Whatever MS VPN software we're using is slow, clunky, unreliable, and generally annoying.

At one point I tried to fetch a file from a network drive and watched it download at 0.2 k/sec. Then I had someone back home copy it onto my Linux box, and I downloaded from there at 120 k/sec. The Windows and Linux servers are in the same room in the same building behind the same network connection; I don't understand how VPN overhead slowed things down by that many orders of magnitude.

After connecting to VPN, there's about a 25% chance that Outlook will be able to connect to the Exchange server at work. Generally I have to fire up the VPN, turn it off, turn it on, turn it off, turn it on and then Outlook will find it. Sometimes I close Outlook, but it lives on as a zombie, futilely hammering away at the server but unable to find it, until I CTRL-ALT-DEL and kill it. This is with Office 2007.

But the work I do on the Linux server is (of course) easy. No problems whatsoever. Working over SSH is how I did things when I was sitting in my office anyways. I tunnel in and use local GUI SQL clients. I put VirtualBox on my laptop and I do a bunch of stuff in a Linux VM and rsync it back home with no problems. I can edit files over SSH right in Emacs as if they were on my local box, if I care to.

Sometimes I wonder if my dislike of Microsoft is irrational. Any belief that is caused by or results in a strong emotional response should be subject to questioning. Then reality comes waltzing by and reminds me that no, MS software really does suck.

I'd worked for this company for over two years before moving. I don't know how well I'd be doing if this was a company I'd just started with. It's hard to see how important face-to-face communication is until it's impossible. Email is OK, but the benefit of knowing people in person and knowing how they talk and how they think really goes a long way toward being able to interpret and understand plaintext communication.

January 26, 2010 @ 10:59 AM PST
Category: Rants

Passwords in log files = bad

In Linux when I use SSH I usually pass the host and port and username on the command line and then type the password when prompted. (In those rare cases I don't use certificates to log in without a password.) In Windows, PuTTY makes you pick a host and port and then prompts you for the username AND password.

This leads to unpleasant results. I'm so conditioned to open SSH and type my password at the prompt and hit Enter that I often end up typing my password as my username in PuTTY. Bad.

I've sometimes opened webpages that have some stupid Javascript bullcrap that tries to auto-focus the username field in a login form. But if you're a fast typist (and mouse-ist) like I am, you can focus the field, type your username, and hit tab to get to the password field before the long-loading Javascript bloat has time to load and run. Which can result in auto-re-focusing the username field, which, if it happens at just the right instant, results in my typing the password into it and pounding Enter before I have a chance to notice what's happened. Bad bad bad.

I use a computer far too often to have time to read every prompt, which leads to bad things. Anyone who's used to flying around an interface at light-speed by instinct and repeated learned behavior has experienced this kind of thing, I'm sure.

This is horrendously bad because these programs often log the usernames of login attempts in plaintext in logs that lots of potentially evil people have the ability to read. The logs don't usually log the passwords of login attempts, but if you type a password AS a username, oops, you're screwed. Thankfully I'm root on most or all of the machines I ever SSH to, and I can go into /var/log and erase my mistake from the logs before anyone can see. But that doesn't help for web pages I don't know. And I wonder how often this kind of thing happens to other people. I wonder how many people who aren't familiar with computers accidentally send their password as their username to a bunch of websites.

After all the effort we go to to try to secure computer applications, these kinds of stupid human factors can still so easily ruin everything.

May 08, 2008 @ 7:31 PM PDT
Category: Linux
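The log-side consequence of the mistake above is that sshd records unknown usernames verbatim ("Invalid user NAME from IP"), so a password typed at the username prompt lands in the auth log in the clear. The following is an added example, not code from the original post: a small scanner that pulls those entries out of sshd log lines and flags the ones that look like a password rather than an account name. The log lines are constructed for the example, the account-name pattern is a conservative assumption (lowercase, digits, underscore, dash), and the heuristic is deliberately simple. A hit should be treated as a leaked credential to rotate, not as log noise; deleting the line locally does nothing if the logs are also shipped to a central syslog host.

```python
"""Flag sshd "Invalid user" entries whose username looks like a typed-in password.

Added example, not from the original post. Heuristic: a username containing
characters no account name would have (uppercase, punctuation), or a long
letters-and-digits string, is probably a password typed at the wrong prompt.
"""
import re

# OpenSSH logs a failed login for an unknown account as "Invalid user <name> from <ip> ...".
INVALID_USER_RE = re.compile(r"Invalid user (?P<name>\S+) from (?P<ip>[0-9a-fA-F.:]+)")

# Assumed shape of a legitimate Unix account name (Debian's adduser default is stricter).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Oct 11 09:14:02 home sshd[4242]: Invalid user admin from 203.0.113.7 port 51034
Oct 11 09:14:05 home sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51034 ssh2
Oct 11 09:15:30 home sshd[4250]: Invalid user Tr0ub4dor&3 from 198.51.100.22 port 40012
Oct 11 09:16:01 home sshd[4251]: Invalid user harrypotter from 203.0.113.7 port 51040
Oct 11 09:17:44 home sshd[4260]: Accepted publickey for brian from 192.168.15.16 port 53201 ssh2
""".splitlines()


def looks_like_password(name):
    """True if `name` is unlikely to be an account name and likely to be a secret."""
    if not USERNAME_RE.match(name):
        # Uppercase, punctuation or a leading digit: not a sane account name.
        return True
    # Long strings with several digits mixed among letters ("xk3p9qz2m4") are suspect;
    # a trailing-digit name like "webadmin2" or "test123" is not.
    digits = sum(c.isdigit() for c in name)
    return bool(digits >= 2 and len(name) >= 8 and re.search(r"\d[a-z]", name))


def find_leaked_passwords(log_lines):
    """Return (name, ip) pairs for 'Invalid user' entries whose name looks like a password."""
    hits = []
    for line in log_lines:
        m = INVALID_USER_RE.search(line)  # case-sensitive: skips the "Failed password" duplicate
        if m and looks_like_password(m.group("name")):
            hits.append((m.group("name"), m.group("ip")))
    return hits


if __name__ == "__main__":
    for name, ip in find_leaked_passwords(SAMPLE_LOG):
        print("possible password in username field: %r from %s" % (name, ip))
```

On the sample above only the "Tr0ub4dor&3" entry is flagged; "admin" and "harrypotter" are ordinary bot guesses. Run it over /var/log/auth.log (or /var/log/messages on the author's distribution) and, if anything you recognise comes up, change that password everywhere it is used.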

File transfer

I use Gaim (now Pidgin), and I often need to transfer files to someone. File transfer via instant messengers sucks. File transfer in the Yahoo Messenger protocol, for example, apparently uploads your file to some Yahoo server and then serves it to the person you're talking to. At least that's my guess judging by its behavior; I don't know for sure (which is another problem: I don't know what it's doing, which is scary enough that I can't use it to send any important files). Some protocols let you set up a "direct connection" to the person you're talking to, but this is always clumsy at best, or broken at worst (if you're behind a NAT router).

So what other options are there? SCP obviously. But I talk to people who (sadly) use Windows, and they don't run SSH servers. Nor do they have any interest in learning how to do it. Nor do they have any desire to use the command line for anything. Can't blame them really; not everyone is a geek.

I run a local Apache, and I can open it to the world and let people access my files that way, but that's not a lot of fun to try to secure and it's overkill just to transfer files. I'm certainly not going to leave a wide-open Apache server running all the time, which means I have to restart it every time someone wants to get a file from me. I've used Apache for this purpose before and it tends to go something like this:

Someone: I bet that song is nice. Can I have an MP3 of it?

Me: Sure! Just hold on while I edit /etc/apache2/httpd.conf and set the port and bound IP correctly, then reconfigure my firewall to allow incoming connections for that port, change DOCUMENT_ROOT to point to an empty directory for you or maybe set up a vhost, throw a .htaccess on there to keep out prying eyes, and restart the daemon.

I could run an FTP server, but same problem: overkill, and I don't want to have to secure it. I could set up a VPN, but that's not fun to configure ("Sure, I'll send you this file. Let's both install OpenVPN. First you need to set up a new TUN or TAP device. I'll wait while you do that.") There's always email, but that suffers from the same problem of my files having to pass through an intermediary server, and the inevitable problem of email mail box size limits (I don't have one, but other people may). I guess I could set up a local bittorrent server, maybe. Hmm.

It seems like such a simple problem: Quickly transfer a file from one computer to another given a port and IP address, using some kind of GUI. I'm thinking of writing my own little program that does this just so I can use it with people I know. Unless there's a good option I'm missing.

August 01, 2007 @ 8:18 PM PDT
Category: Linux

SSH continued

Password login on my SSH server is now disabled and the only way someone's getting in is if they steal my MP3 player and gank my private key. Thanks to all who posted comments in my last entry. I also found these Gentoo docs helpful, as well as this very nice tutorial on getting PuTTY to work with key files.

October 12, 2006 @ 10:14 AM PDT
Category: Linux
Tags: SSH, Linux, Windows

SSH security woes

I checked my /var/log/messages recently and it turns out my SSH server on my home machine is being hammered with login attempts. I suppose that's pretty common and it's probably just a bunch of bots. I carefully grepped through my logs and none of the login attempts were successful (so far as I can tell), which is good. One IP tried the following usernames one after the other:

staff sales recruit alias office samba tomcat webadmin spam virus cyrus oracle michael ftp test webmaster paul guest admin linux user david web apache pgsql info tony core newsletter named visitor ftpuser username administrator library test admin guest master admin admin admin admin test test webmaster username user admin test danny alex brett mike alan data www-data http httpd pop backup info shop sales web www wwwrun adam stephen richard george john angel pgsql ident webpop susan sunny steven ssh search sara robert richard party amanda rpm sgi users admins admins dean unknown securityagent tokend windowserver appowner xgridagent agent xgridcontroller jabber amavisd clamav appserver mailman cyrusimap qtss eppc telnetd identd gnats jeff irc list eleve proxy sys zzz frank dan james snort radiomail harrypotter divine popa3d aptproxy desktop workshop mailnull nfsnobody rpcuser rpc gopher

Are there really that many people in the world using "harrypotter" as their usernames? Other common login attempts seem to be for usernames "admin" and "oracle".

I've started taking SSH security more seriously since then. I limited the number of login attempts you can make before it blocks you. I made sure root login in SSH is disabled entirely. And I have SSH listening on a non-standard port. That last one is "security through obscurity", sure, but it seems to defeat bots. I've had 0 login attempts at all since I've moved to a different port. I've had a lot of garbage connection attempts, but those are apparently bots looking for a different service since they don't provide any identification at all. My next step is probably limiting login to using a key file I'll carry around with me on a flash drive, if I can figure out how to get that working.

October 11, 2006 @ 12:21 PM PDT
Category: Linux
Tags: SSH, Gnome, Gentoo
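The four settings the two SSH posts on this page end up with (no root login, a cap on attempts, a non-default port, and finally key-only login with passwords off) all live in sshd_config, and the easy mistake is to add a directive below an earlier one that already sets it: sshd honours the first occurrence of a keyword and ignores the rest. The following is an added example, not the author's or OpenSSH's code: a small auditor that reads a config the way sshd does (first occurrence wins, keywords case-insensitive, directives after a Match line treated as conditional and skipped) and reports which of those hardening steps are missing. The default values are an assumption based on current OpenSSH (in particular PermitRootLogin defaults to prohibit-password since 7.0; it was yes in the 2006-era versions the posts were written against), and both sample configs are constructed for the example.

```python
"""Audit an sshd_config for the hardening steps discussed in the posts above.

Added example, not from the original posts or from OpenSSH. Parsing rules follow
sshd: first occurrence of a keyword wins, keywords are case-insensitive, and
anything after a Match line is conditional, so it is not counted as global.
"""
import re

# Assumed OpenSSH defaults (7.x and later) used when a keyword is absent.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Constructed: a stock-looking file where every line is commented out, so defaults apply.
WEAK_CONFIG = """\
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
"""

# Constructed: the hardened file. The late duplicate and the Match block are traps that
# sshd ignores for the global section, and so does the parser.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first occurrence winning."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: treat '#' anywhere as a comment
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything below is conditional on the Match criteria
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin should be 'no' (is %r)" % cfg["permitrootlogin"])
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication should be 'no': bots brute-force passwords, not keys")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication must stay 'yes' once passwords are off")
    if int(cfg["maxauthtries"]) > 3:
        findings.append("MaxAuthTries is %s; 3 limits guesses per connection" % cfg["maxauthtries"])
    if cfg["port"] == "22":
        findings.append("Port 22: moving it sheds scanner noise but is not a security control")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(text) or ["ok"])
```

Before relying on a result, run `sshd -t` on the real file, and keep an existing session open while restarting sshd after turning passwords off: if the key on the flash drive turns out not to be installed in authorized_keys, that session is the only way back in.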

Installing FreeBSD

I have an extra computer here, so I decided to install FreeBSD today. I've never used FreeBSD before. Never touched it. So to make this fun, I decided to try the install without reading any directions. What better way to test out an installer? It's also arguably a stupid way to install an OS, but stupid is fun sometimes.

September 22, 2006 @ 11:40 PM PDT
Category: Hardware

Tunneling is fun

My girlfriend is stuck behind a very restrictive firewall at college. It hides her behind some kind of NAT. No open ports whatsoever. In a way I can understand it; when you have thousands of Windows machines running on a high-speed network, you need all the help you can get. In another way, I just couldn't live with that kind of crippled access. I know I'm not really a typical user, but I needs me my open ports for SSH and whatnot.

We wanted to play ZSNES over the internet, which needs a direct connection between two computers. It took me forever to figure out how to get a reverse SSH tunnel set up, but I finally did. The terminology is always very confusing. "Local" vs. "remote"; is that from the point of view of the client, or the server?

Just so I have a record of how to do this:

ssh -R 12345:localhost:6881 SERVER_NAME

-R means SSH will LISTEN for connections on the REMOTE host ("remote" from the point of view of the PERSON RUNNING THE COMMAND, i.e. the client). (-L is the opposite.) It will listen for connections on port 12345 on the machine where the server resides; it will forward the data to port 6881 on the machine where the client resides. One caveat: by default sshd binds that remote listener to the server's loopback interface only, so a third machine can reach port 12345 on the server only if the server's sshd_config enables GatewayPorts (and a bind address such as -R 0.0.0.0:12345:localhost:6881 is given on the client).

After getting that working, it turns out we needed UDP forwarding too, so I had to look for something else. I ended up using OpenVPN. That program is pretty amazing. It only took a short while to install, by following the HOWTO. Even on Windows (though it has Linux versions too). I had to use TAP devices instead of TUN; I have no idea what either of those things is, but TAP seems to create imaginary network devices. The program uses some nice encryption too. And using this program, you can do anything you could do with someone who was physically on your LAN.

Turns out OpenVPN is in portage, too. I wish I'd have noticed it sooner.

September 11, 2006 @ 1:08 PM PDT
Category: Linux

SSH Tunneling VNC

Just so I don't forget this: How to SSH-tunnel VNC. It took me forever to figure out. (This will work with any service, not just VNC.)

Home: 2 computers, both behind a firewall. Linux = 192.168.15.15, OS X = 192.168.15.16. The Linux computer is running sshd (but you can only SSH to the Linux box via the LAN, i.e. it's behind the firewall). The OS X computer is running sshd too; port 22 is the only port open on the firewall, and it's forwarded to the OS X machine only. Remote: 1 computer, Windows. Can't run any services, but can run TightVNC viewer. Goal: Run VNC on the home Linux computer and use TightVNC at the remote site to view it.

Here's how I did it. First SSH to my home IP using PuTTY on the remote computer, which takes me to the OS X machine. SSH from there to the Linux box. Run VNC on the Linux computer:

x11vnc -display :0

This shares an already-running X session. To run an independent session I could've run

vncserver :1

Leave that running. Now, I SSH again in a separate session to my home IP. In the Tunnels section, put Source port 5900 (or 5901, whatever port VNC is using on the Linux machine). For Destination put 192.168.15.15:5900 (or 5901). Open the connection and login.

Now on the remote machine, run TightVNC and connect to 127.0.0.1::5900 (or 5901). That's it! Now I see my Linux desktop on the remote machine. The whole "local" vs. "remote" distinction for SSH tunnels is a bit confusing, especially when you're bouncing around to a bunch of different computers.

March 14, 2006 @ 12:50 PM PST
Category: Linux
Tags: SSH, VNC, Gentoo, Linux
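The "local" vs. "remote" confusion in the two tunnelling posts above goes away once you see that both -L and -R do exactly one thing at the listening end: accept a connection on the bind port, open a connection to the destination, and copy bytes in both directions until one side closes; the flag only chooses which machine does the listening. The PuTTY tunnel in the VNC post is the OpenSSH command `ssh -L 5900:192.168.15.15:5900 HOME_IP`, and the ZSNES one was `ssh -R 12345:localhost:6881 SERVER_NAME`. The following is an added example, not code from the original posts: a minimal TCP forwarder that performs that listen-here/connect-there relay with plain sockets, plus an echo server standing in for the VNC server so the whole thing runs on one machine. There is no encryption and no second host here; ssh supplies those. The forwarder binds to 127.0.0.1 on purpose, because a listener reachable from the LAN would re-expose the very service the tunnel is meant to hide.

```python
"""A minimal TCP port forwarder: the listening half of `ssh -L` / `ssh -R`.

Added example, not from the original posts. Both ends of the relay run here on
loopback; with real ssh the accept happens on one host and the connect on the
other, across the encrypted channel.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF so the far side finishes too
        except OSError:
            pass


def serve_forwarder(listener, dest_host, dest_port):
    """Accept connections on `listener` and relay each one to dest_host:dest_port."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return  # listener closed: shut down
        upstream = socket.create_connection((dest_host, dest_port))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def start_forwarder(bind_port, dest_host, dest_port, bind_host="127.0.0.1"):
    """Forward bind_host:bind_port -> dest_host:dest_port; return (listener, bound port)."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, bind_port))  # bind_port 0 lets the OS pick a free port
    listener.listen(5)
    threading.Thread(target=serve_forwarder, args=(listener, dest_host, dest_port),
                     daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Stand-in for the VNC server: echoes whatever it receives. Returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(payload):
    """Send payload client -> forwarder -> echo server and return what comes back."""
    echo, echo_port = start_echo_server()
    fwd, fwd_port = start_forwarder(0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # we are done sending; wait for the echo and EOF
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    # The bytes a real VNC (RFB) server would send first, used here only as sample data.
    print(round_trip(b"RFB 003.008\n"))
```

In the VNC post, "Source port 5900" is the bind port on the Windows laptop, "192.168.15.15:5900" is the destination as resolved by the OS X machine the SSH session lands on, and TightVNC's 127.0.0.1::5900 is simply a client connecting to the forwarder's listener. Swapping which host calls `start_forwarder` and which host is the destination is all that -R changes.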