30th June 2009
The default timeout in rsync is 0, meaning never time out.
For years this has never caused me any issues; however, I recently found a box with 8 days' worth of backup scripts all running at once. It seems the receiving server was in a mess, logging kernel messages about CPUs being stuck; as a result the rsync was never finishing, and never timing out.
So note for self, always set a timeout for rsync (and always remember the delete option as well)!
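As an added example, not from the original post: a wrapper for an unattended backup job that always passes --timeout and --delete to rsync, and takes a lock so a run still hanging on a sick receiver stops the next cron invocation from starting on top of it. The lock directory path, the 600-second timeout and the variable names RSYNC, LOCKDIR and RSYNC_TIMEOUT are assumptions chosen for this example (they exist so the wrapper can be exercised without a real transfer).

```shell
#!/bin/sh
# Added example, not from the original post.
# Wrapper around rsync for an unattended backup job:
#  - always passes --timeout (I/O inactivity limit) and --delete
#  - takes a lock so a run that is still hanging on a sick receiver
#    stops the next cron invocation from starting on top of it
# RSYNC, LOCKDIR and RSYNC_TIMEOUT are hypothetical knobs for this example.

RSYNC="${RSYNC:-rsync}"
LOCKDIR="${LOCKDIR:-/var/lock/backup-rsync}"
RSYNC_TIMEOUT="${RSYNC_TIMEOUT:-600}"   # seconds without I/O before rsync gives up

# run_backup SRC DEST
# exit status: 75 (EX_TEMPFAIL) if another run holds the lock,
#              otherwise rsync's own status (30 = I/O timeout)
run_backup() {
    # mkdir is atomic, so only one caller can create the lock directory
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "backup already running, lock $LOCKDIR held; not starting another" >&2
        return 75
    fi
    status=0
    "$RSYNC" -a --delete "--timeout=$RSYNC_TIMEOUT" "$1" "$2" || status=$?
    rmdir "$LOCKDIR"
    return "$status"
}

# typical cron usage:
# run_backup /srv/data/ backup-host:/srv/backup/ || echo "backup failed: $?" >&2
```

--timeout only trips on I/O inactivity: rsync exits with status 30 after that many seconds without data, so a receiver that keeps trickling bytes is caught only by the lock on the following run. The mkdir lock is atomic on a local filesystem but is not released if the script is killed, so a stale lock directory has to be removed by hand (or use flock(1) where it is available).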
29th June 2009
I've just been informed that the SSL certificate on this site had expired - so I've regenerated another one.
The certificate is still self-signed because nobody is throwing money at me, and I in turn don't want to throw money at verisign ;)
You can verify the fingerprint by following these instructions:
26th June 2009
Decided to write a couple of short scripts that make Debian truetype fonts available as a zip file, so that I can install them on any website that needs some custom fonts without any fuss.
Demo page: http://simonwaters.technocool.net/fonts.htm
24th June 2009
Netcraft just published an article bemoaning the slow response of registrars in dealing with fraudulent websites but it omits a key point.
The DNS architecture is flawed with regard to the hierarchy. There is no way to tell, when a domain is deleted or expired, what domains are hosted on name servers in that domain. One can only tell what domains aren't hosted on name servers in that domain.
Now most domains don't have name servers, so most of the time suspending a domain name has no such effect, but some domains do, and suspending one will stop any domains which have name servers in that domain from working.
Suspending domains is thus like lopping branches off a tree, a tree whose branches are all the same thickness, so they provide no clue to how much tree is on the end of them. Most of the branches you prune turn out to be twigs, but every so often you'll lop off a big chunk of tree by accident.
We use nameservers in two domains to prevent such a single point of failure, but many domains don't do this including "." "com." "net." "co.uk." "microsoft.com." oh and "netcraft.com.". And I've seen enough plugs pulled on sites causing collateral damage to know this will eventually happen if registrars get too keen at dropping domain names without detailed investigation.
http://news.netcraft.com/archives/2009/06/22/faster_actions_needed_against_phishing_domains.html
24th June 2009 20:24:03
23rd June 2009
Messed up hosts.allow on a rackforce virtual server, locking all SSH users out.
The ticket was acknowledged by a human (who clearly understands hosts.allow syntax) 4 minutes after entering it through the support interface, and the issue fixed, my confirmation of that fix acknowledged, and the ticket closed 7 minutes later, making a total of 11 minutes from opening to closing the support request.
Okay, this is a premium support service, a simple problem, and I did ask in their normal working day, but I'm still impressed by the turnaround. As it happens this wasn't an urgent issue, but it adds confidence to our use of them as a provider.
23rd June 2009 14:40:32
22nd June 2009
My computer should know that /var/log/squid/access.log.9.gz is less important than /var/spool/squid and /var/log/squid/access.log.8.gz.
Thus when disk space is tight, rather than failing, it should free low priority files (obviously with a limit beyond which it has to fail - so I don't lose my data - but so it can lose transient files of no permanent interest). Windows already does this for files in the Trash can (allegedly).
Similarly my database is more important than the contents of /usr/share/doc.
I appreciate these priorities would have to be configurable, because some folks have a legal obligation to keep old email log files, for example. So how priorities are assigned is difficult; on the other hand this is about what it should do, not how to do it. I suspect defaults that mean cache files are a low priority, and that old log files are less important than new ones.
Sure, disk space is cheap - but cache files and log files are a common pattern. I want to cache/log as much as possible but without undue pain.
22nd June 2009 09:55:54
17th June 2009
I saw a comment that firefox 3.5 will support @font-face, allowing downloadable fonts.
However dreams of a nice universal font downloaded on demand are stomped on by IE only supporting some Microsoft proprietary embeddable font designed to prevent people sharing font files (even those they are allowed to).
Finding a succinct source with accurate data on browser support for this was hard, a bug report on the Microsoft web site was the best I found.
Wikipedia has two articles, both of them pretty useless.
Obligatory test page:
http://simonwaters.technocool.net/test/fonts.html
Soon everyone will have a browser that supports downloadable fonts; you just have to do more work to make it work in IE - alternatively they could just "get Firefox". So the above test page should display in an almost unreadable script font everywhere but IE. If it doesn't show as a handwriting font, get a better browser.
16th June 2009
Discovered Google indexing content for a secure server using a weird domain name.
On inspection Google is indexing content using the domain name supplied, and ignoring the certificate (and the certificate mismatch).
So it seems if you want the secure content of www.example.com indexed only under www.example.com, you need to add:
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteRule ^/(.*) https://www.example.com/$1 [L,R]
Since otherwise someone could create duplicate content in Google merely by pointing an A record at you and creating a link for Google to follow.
Surely there is a better way of doing this in Apache?
16th June 2009 13:09:35
12th June 2009
Google Page Speed - a Firefox plugin that extends Firefox - is cool.
However, the top recommendation for JavaScript on one of our sites....
Minify JavaScript
There is 44kB worth of JavaScript. Minifying could save 6.3kB (14.3% reduction).
* Minifying https://ssl.google-analytics.com/urchin.js could save 3.7kB (16.7% reduction). See minified version.
12th June 2009 10:17:33
8th June 2009
I am accessing my Debian Lenny server from a laptop running MS Vista. VNCViewer (realvnc) loads up fine, but I have to walk to the Debian machine and click "Allow" on a pop up window that says a user is trying to control the desktop and has 2 buttons - ALLOW REFUSE. Once I click ALLOW the desktop shows up on my laptop fine. What do I need to do on the Debian machine to allow me to connect via VNCViewer without having to click ALLOW on it every time I want to connect?
6th June 2009
Summary
Recently I was forced to compute mail bandwidth per domain. Our MTA is Postfix and our reporting tool is Awstats. After some googling I found some hints, but they have to be slightly modified to present aggregated per-domain statistics.
Resources and software
- Awstats -- especially the FAQ: http://awstats.sourceforge.net/docs/awstats_faq.html#MAIL
- Prepflog -- no debian package: http://web.tiscali.it/postfix/prepflog.html
- Postfix of course
Comments on debian setup
These comments are not a step-by-step how-to; just hints for someone like me, who is trying to force Awstats to show per-domain mail statistics.
Software
First thing to note: Debian installs the awstats scripts into /usr/share/doc/awstats/examples. Because of this, you have some trouble generating the default Awstats config, but you don't have to do that: you can simply copy the default and modify it (don't forget to remove/modify the Include directive if you copy the default one).
Prepflog is probably a good idea, though I just believe what is said on the product page: it should narrow the log, so no duplicate entries are present.
Principle
You use your standard /var/log/mail.info.0 Postfix log and pipe it through several useful perl one-liners producing a CLF (common log format) file for Awstats. Thankfully, Awstats is capable of processing piped input directly.
Settings
Generate and modify the config for awstats
Create a config according to
http://awstats.sourceforge.net/docs/awstats_faq.html#MAIL
It is important to set all the options as required, with two notable exceptions: LogFile and SiteDomain. For example my config looks like:
LogFile="/root/hampejz/awstats_mail_filter_by_domain.sh |"
SiteDomain="domain.mail.example.com"
Include "/etc/awstats/awstats.0.mail.example.com.common"
Note that LogFile points to my custom filter. Include just includes the standard Awstats file according to the URL above.
Prepare the custom filter
#! /bin/sh
# filters the postfix mail log to be used by awstats
# if the generation takes long, switch off DNS lookups in the awstats config
# filtering is preprocessed by perl to collect per-domain statistics
cat /var/log/mail.info.0 | \
perl /root/hampejz/prepflog.pl | \
perl /usr/share/doc/awstats/examples/maillogconvert.pl standard | \
perl -pe 's/<>/user\@unknown/g' | \
perl -pe 's/(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )((\S+)(@\S+ ))((\S+)(@\S+ ))/\1\4\7/g' | \
perl -pe 's/(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )((\S+)(@\S+ ))((\S+ ))/\1\4\@localhost /g'
Some comments:
- We use /var/log/mail.info.0: my system is configured with delayed compression of log files, so I can always use static log files to generate statistics (they are no longer modified by daemons).
- We run prepflog (I just believe the agenda :)
- We run the Awstats filter, which produces the CLF file. From now on, Awstats is capable of processing the result, though it would show the mail by user, not by domain.
- We handle mail with no sender (some kinds of spam and some locally generated messages from ugly crontabs)
- 's/(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )((\S+)(@\S+ ))((\S+)(@\S+ ))/\1\4\7/g' -- a regexp guru could make it nicer, but I just want to keep it readable. This changes
DATE TIME sender@somewhere1 recepient@somewhere2 ANYTHING
into
DATE TIME @somewhere1 @somewhere2 ANYTHING.
This leaves all the mail from the sending and receiving domains to be aggregated (it is taken as mail from a single user).
- 's/(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )((\S+)(@\S+ ))((\S+ ))/\1\4\@localhost /g' handles locally generated mail for local delivery (i.e. no domain) as mail for @localhost.
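As an added example, not part of the original article: the two domain-aggregation substitutions and the "<>" replacement written as a single sed -E function, so the transformation can be tried on sample lines before being wired into the pipeline. The input layout it assumes is the one the perl one-liners above also assume, i.e. date, time, sender, recipient, then fields that pass through untouched; the sample lines in the test are constructed, and STAMP and aggregate_by_domain are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original article.
# The domain-aggregation step of the filter as one sed -E function, so it can
# be tried on sample lines before going into the pipeline. Assumed input
# layout (what maillogconvert.pl is taken to emit):
#   YYYY-MM-DD HH:MM:SS sender recipient <remaining fields, passed through>
# STAMP and aggregate_by_domain are names chosen for this example.

STAMP='^([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} )'

# aggregate_by_domain: stdin -> stdout
#  1. the null envelope sender "<>" becomes user@unknown so it has a domain
#  2. user@a.example user@b.example  ->  @a.example @b.example
#  3. user@a.example localuser        ->  @a.example @localhost
#     (local delivery: the recipient has no domain part)
# Rule 3 cannot re-match a line rule 2 already rewrote, because after rule 2
# the first character after the timestamp is "@", which [^ @]+ rejects.
aggregate_by_domain() {
    sed -E \
        -e 's/<>/user@unknown/g' \
        -e "s/$STAMP[^ @]+(@[^ ]+ )[^ @]+(@[^ ]+ )/\\1\\2\\3/" \
        -e "s/$STAMP[^ @]+(@[^ ]+ )[^ @]+ /\\1\\2@localhost /"
}

# e.g.: cat /var/log/mail.info.0 | perl prepflog.pl \
#         | perl maillogconvert.pl standard | aggregate_by_domain
```

Because the sender and recipient user parts are dropped, every message between the same two domains is counted against one pseudo-user per domain, which is exactly what lets Awstats report bandwidth per domain.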
Crontab
All of this should be run from crontab. I believe you can handle that, so let it be homework for the reader -- my file in /etc/cron.hourly:
#! /bin/sh
# updates awstats files: one config per domain in /etc/awstats/awstats.<domain>.conf
for i in /etc/awstats/awstats.*.conf; do
    domain=${i#/etc/awstats/awstats.}
    domain=${domain%.conf}
    # generate statistics and build static pages in one command
    mkdir -p /var/www/awstats/$domain
    perl /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl \
        -config=$domain \
        -configdir=/etc/awstats \
        -update \
        -output \
        -staticlinks \
        -awstatsprog=/usr/lib/cgi-bin/awstats.pl \
        -dir=/var/www/awstats/$domain \
        -diricons=/awstats-icon
    chown -R www-data:www-data /var/www/awstats/$domain
done
chown www-data:www-data /var/lib/awstats/*
5th June 2009
Having dealt with JSRedir-R, some bunch of script kiddies found a bit of one of our webservers that shouldn't have been running PHP, but was. My fault, no doubt.
Just cleaning up, but would be easier if they hadn't run a defacement script over many many gigabytes of stuff that only looks like web pages.
As far as I can tell they defaced 1 website, put 10 defacement files in the wrong place, and defaced thousands and thousands of directories that aren't visible to anyone but me (and my boss if he cared to look).
Annoyingly the one website defaced was one I'd changed to be owned by "www-data" having advised this may have adverse security implications. Guess it did - hohum.
On the upside did find one script kiddie toolkit stashed away, which had been uploaded for safe keeping to one of our web hosting accounts.
Now have to take lots of tedious precautions, for people who probably don't know a c-shell from a sea shell.
5th June 2009 18:25:19
4th June 2009
One of the sites I work on for fun got hit with this.
Injection of JavaScript malware between the "/head" and "body" tags, which is obfuscated; the usual replacing of "exec" with "alert" shows it is sending folk to gumblar.cn for the rest of the abuse to follow.
The files are owned by the user who should own them, no write permission from www-data. No Apache requests that match the exploit date/time.
So it looks like the exploit was done using FTP, or on the end user's PC before uploading. Seems I don't have sufficient logging on FTP to establish this for sure. My guess is compromise of the FTP password, or infection on the PC that usually edits the files (someone else's).
Some folk report a trojan that steals the users FTP passwords, but I can't find a convincing explanation. Does anyone here know for sure?
2nd June 2009
Last Saturday there was a power loss in the city; my home systems all crashed but suffered almost no damage. I was happy that we had finished a major upgrade of the electrical systems where I work, and that a larger UPS had been installed recently by a co-worker.
To my disappointment, when I tried to get my mail from home, the mail system was down.
>.<
This entry has been truncated; read the full entry.
2nd June 2009 06:16:03
1st June 2009
NICE are supposed to offer clinical guidance in the UK on how the NHS should treat their patients.
The latest guidance on low back pain recommends the use of acupuncture, and estimates it costs about £25 per session.
The report looked at various studies and concluded that acupuncture was a cost effective treatment for lower back pain compared to other therapies.
You might think it is an open and shut case. However the evidence they looked at (and discuss) makes a fairly clear case that acupuncture is a placebo. In nearly all the studies "sham acupuncture" performs as well as acupuncture. This means that the "theory" behind acupuncture is devoid of content, so the waffle the practitioners spout is drivel.
Should this matter if the treatment is "cost effective"?
Well there are a few points that leap to my mind.
First, if we accept acupuncture is a placebo, we should ask is it the safest, and most cost effective placebo for the condition? With a 2 to 10% incidence of minor side effects, I suspect the answer is no.
There is also the encouraging of mumbo-jumbo. Since there is no evidence that acupuncture points matter, and given GP appointments are £18 (less than the £25 for acupuncture), it would seem more cost effective to have the GP, or a nurse provide sham acupuncture (using retractable needles would avoid puncturing the skin and reduce the risk further), than squander money encouraging the acupuncture nuts who think it is Qi. Indeed I suspect another 10 appointments with the doctor with or without needles would make any patient feel well cared for.
Third, one is directing people who are ill to people who are less medically qualified (There is no qualification required to be an acupuncture practitioner in the UK). Having a friend who lost her ability to walk, and then her life, due to "low back pain" which later turned out to be a malignancy, I don't want my taxes spent sending ill people to less qualified quacks for a placebo, when even qualified doctors may make a crucial error in diagnosis and could presumably adequately deliver suitable placebos if required.
I didn't see any discussion of the ethics of placebo treatments. Which is another topic altogether, but needs to be referred if this is the guidance issued.
The report recommended further research in all sorts of areas, some wiser than others, but if the best treatment we have for low back pain is a placebo, I'd be both extremely surprised, and thinking that where we need the research is in understanding the causes of low back pain.
I wonder what the comparison would be if you referred such patients to a succession of ten doctors, to see if a better diagnosis could be made.
27th May 2009
We use squid, and each client computer's access is restricted based on the configuration in squid. However, there was a naughty person who replaced their MAC address or IP address in order to be able to access the internet through it. There is a method, in the style of tukang nggame, that could possibly be the solution. Although it still has gaps, it can at least be useful, especially if the clients are still laymen regarding network security. I found it easy.
Make a file, e.g. fixip.sh
Its contents (example):
#!/bin/bash
/usr/sbin/arp -s 192.168.1.67 00:14:76:1D:F1:11
/usr/sbin/arp -s 192.168.1.68 00:15:F5:74:B1:51
/usr/sbin/arp -s 192.168.1.69 00:16:46:F2:B1:F1
Change the file permissions
# chmod +x fixip.sh
Run that file
# ./fixip.sh
Now edit the file /etc/squid/squid.conf. This is an example for the IPs and MACs above.
acl foo67 src 192.168.1.67/255.255.255.255
acl foo67_mac arp 00:14:76:1D:F1:11
acl foo68 src 192.168.1.68/255.255.255.255
acl foo68_mac arp 00:15:F5:74:B1:51
acl foo69 src 192.168.1.69/255.255.255.255
acl foo69_mac arp 00:16:46:F2:B1:F1
http_access allow foo67 foo67_mac
http_access allow foo68 foo68_mac
http_access allow foo69 foo69_mac
http_reply_access allow foo67 foo67_mac
http_reply_access allow foo68 foo68_mac
http_reply_access allow foo69 foo69_mac
Then restart squid.
#/etc/init.d/squid force-reload
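As an added example, not from the original post: rather than maintaining the arp -s list and the squid.conf ACLs by hand, keep one table of name, IP and MAC (the three hosts above, constructed here as a shell variable) and generate both from it, so the two can never disagree. HOSTS, gen_arp_script and gen_squid_acl are names chosen for this example. Two caveats a practitioner should keep in mind: Squid's arp ACL only sees the MAC of clients on the same broadcast segment as the proxy (behind a router every client shows the router's MAC), and a static ARP entry stops a client that steals an IP from receiving the proxy's replies but does nothing against a client that copies the MAC as well.

```shell
#!/bin/sh
# Added example, not from the original post.
# One table of "name ip mac" (constructed; the three hosts above) drives both
# the static ARP entries and the Squid ACLs, so they cannot drift apart.
# Assumes Linux /usr/sbin/arp and a Squid built with the arp ACL type.

HOSTS='
foo67 192.168.1.67 00:14:76:1D:F1:11
foo68 192.168.1.68 00:15:F5:74:B1:51
foo69 192.168.1.69 00:16:46:F2:B1:F1
'

# gen_arp_script: one "arp -s IP MAC" per host; pins the pairing in the
# proxy's own ARP cache so a client that merely takes over an IP never
# receives the proxy's replies (run as root at boot)
gen_arp_script() {
    printf '%s\n' "$HOSTS" | awk 'NF == 3 { printf "/usr/sbin/arp -s %s %s\n", $2, $3 }'
}

# gen_squid_acl: per host a src ACL and an arp ACL, then allow rules that
# need BOTH on one line (Squid ANDs the ACLs listed on one http_access),
# and a closing deny so unlisted clients are refused. "all" is predefined
# in newer Squid; older configs define it as "acl all src 0.0.0.0/0.0.0.0".
gen_squid_acl() {
    printf '%s\n' "$HOSTS" | awk '
        NF == 3 {
            n++; name[n] = $1
            printf "acl %s src %s/32\n", $1, $2
            printf "acl %s_mac arp %s\n", $1, $3
        }
        END {
            for (i = 1; i <= n; i++)
                printf "http_access allow %s %s_mac\n", name[i], name[i]
            for (i = 1; i <= n; i++)
                printf "http_reply_access allow %s %s_mac\n", name[i], name[i]
            print "http_access deny all"
        }'
}

# e.g. gen_arp_script > /usr/local/sbin/fixip.sh
#      gen_squid_acl  > /etc/squid/clients.conf   (then include it and force-reload)
```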
26th May 2009
I have a Dell Latitude C600/C500. It has a VGA output, presumably to have a larger screen. When I connect a VGA cable from my laptop to either a monitor or a Sony Bravia HD ready TV nothing happens. When I type: #lspci -vvx the reply is:
01:00.0 VGA compatible controller: ATI Technologies Inc Rage Mobility M3 AGP 2x (rev 02) (prog-if 00 [VGA controller])
Subsystem: Dell Latitude C600
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Step
I can't find the settings to identify the presence of another screen, can anyone help me? Thanks
25th May 2009
My mother suffered from Lupus, which eventually led to a lung transplant, the complications of which eventually led to her death in 1996. She specifically requested donations instead of flowers for her funeral, which were given to the Norfolk and Norwich Hospital Department of Respiratory medicine.
As my 40th birthday approaches, and people asked what do I want as a present, I could think of nothing I'd like better than to raise some money for Lupus UK. Lupus UK is a charity which my mother did some work for, and who I know have helped many people with Lupus.
Despite a lot of progress in its treatment, Lupus can still be fatal and is often debilitating. Lupus UK both fund research and provide information to people with the disorder. Recently they have been able to support the appointment of specialist nurses.
You can donate here:
http://www.justgiving.co.uk/simonrwaters
Learn more about the charity:
http://www.lupusuk.org.uk/
About Systemic Lupus Erythematosus:
http://en.wikipedia.org/wiki/Systemic_lupus_erythematosus
25th May 2009 21:27:51
22nd May 2009
Everyone wants to define Web 3 - well the marketing folk do. So I'll define my own Web 3.
We'll have more and more tools to help us with making decisions, and getting on with things. If Web 2 was community and social networking, Web 3 is about AI and emergent phenomena from web 2, and getting stuff done (finally!).
I get a weekly email with the cheapest Petrol prices locally from petrolprices.com. My browser and email client are both trying hard to stop me being scammed, or abused. My online vendors are trying hard to profile me, and match my interests to things bought by those like me. Google will do less search, and more recommendations. On-line shopping service mysupermarket.co.uk is already offering you the option to buy from different supermarkets, or to switch products to save money.
http://www.petrolprices.com/
http://www.mysupermarket.co.uk/
http://www.google.com/history/items?hl=en
Okay - it isn't a dramatic revolution from web 2, but I think it is a discernible trend.
My latest find in this field is:
http://www.quackometer.net/?page=quackometer
Which I suspect is doing little more than counting phrases, but hey, it saves over-exercising the grey cells.
http://www.quackometer.net/faq/2007/06/science-of-quackometrics.html
Of course by this definition web 3 was probably here before the web, but trends are trends.
Google so needs just a little bit of skeptical weighting. I suspect a little bit of skeptical know-how in the search engine weightings of links, and they might be able to stop doing a lot of those hand finished results for medical terms, and it might even spot a little more spam, come on Matt Cutts give me the job!
22nd May 2009 22:00:09
19th May 2009
We need a dedicated hosted Debian box for work. Thankfully it's not my problem to find.
Yesterday I let aptitude upgrade KDE from version 3 to 4.
It's all in now, it wasn't painless but it went in mostly okay. Lots of things don't work and quite a few applications crash constantly or run like treacle. It's pretty but it's as yet unstable and unfinished. I think Debian was wise to release Lenny with KDE3, by the time Squeeze comes out KDE4 will be feature complete and stable.
I think I'd have been better off not allowing it to upgrade my KDE3 settings to KDE4 and simply starting with all new KDE4 and vanilla defaults. My customised KDE3 settings did not migrate cleanly to KDE4. Also my old AMD64 2GHz CPU and Nvidia FX graphics card are not up to the job of all the eye candy.
19th May 2009 09:38:59
16th May 2009
Matt Palmer discusses why water supplies are reliable and tries to generalise to IT.
http://www.hezmatt.org/~mpalmer/blog/general/water_tanks_reliability_and_redundancy.html
I think he misses some key points with water supply. Drinkable water falls from the sky (okay, it picks up a few bacteria when it falls), so whilst gravity fed delivery is reliable, water quality needs a lot of active work to be maintained. Your supplier is constantly fiddling, yet still achieves these levels of reliability.
Societies organise themselves such that meddling with the water supply is a serious offence, and the provisioning is generally highly regulated.
But I think on provision of IT service he misses a point, many authoritative DNS providers have attained many years of reliable provision with minimal maintenance. In their case it is about protocol design, and simple precautions in deployment (multiple servers on multiple independent networks). But DNS is simple because it is effectively a broadcast technology, there is no meaningful interaction with the user.
I agree strongly with his point that layering in technology, redundant servers, and complex fail-over schemes, often isn't the right way to provision all services reliably. I've seen too many complex schemes fail in ways that simpler (nominally less redundant systems) simply could not fail.
In the case of web technologies, I've always been appalled at the "out of the box" performance of many web servers. But for real scalability the architecture is simply wrong, when more people access your content it should be cached wider, and thus accessed quicker. DNS does this, freenet does this, HTTP for static content would in the days when caching proxies were common, but we've now eaten away at the underlying technologies with cookies, encryption, and other variables, that a general purpose cache for HTTP usually only saves you ~50% of your bandwidth.
But again static content is the easy stuff to make redundant. As soon as you get to making update-able data redundant, there is a whole new ball game (think bank account balance). I don't think it permits of a magic bullet solution. There are inherent levels of complexity in the problem, which became very apparent when I first learnt about Oracle database replication. One can of course study any particular case to see how much doesn't have this inherent complexity to it. I note that withdrawing cash from cash machines doesn't always update the balance immediately. So presumably banks sometimes side step this issue, even in cases where you might initially think there is no sensible way around it.
15th May 2009
Interrobang is one of those daft extra symbols, which I decided I ought to be able to type on my Debian box with "Compose" "!" "?".
Well it is a long time since I fiddled with keyboard mappings, so I browsed around, and found that the Compose mapping ought to be in:
/usr/share/X11/locale/en_US.UTF-8/Compose
Except a load of these don't work, including the mapping for Interrobang which is already there!
I figured GNOME was doing something "helpful" here, and indeed it seems it is, see the "Important Note" here:
http://www.jw-stumpel.nl/stestu.html#T6.1
Got me installing im-switch, and using default-xim as described, and I can type Interrobang and the other non-functioning combinations from the Compose file above.
Now how best do I ensure that the VT Consoles behave the same way as X in this regard?
15th May 2009 01:26:38
11th May 2009
I wonder if someone knows if it is possible to merge two separate X servers in a master/slave configuration so they form a single desktop. It would be useful too if all keyboards and mice from both X servers could be used as input.
The main usage would be to use my laptop at home as a secondary monitor for my desktop.
7th May 2009
Dear lazyweb,
I've got a log ( a .txt file) containing a loooong sequence of raw network packets. The log looks like this:
ff ff ff ff ff ff 00 03 91 4b 33 57 08 06 00 01 ..3W....
08 00 06 04 00 01 00 03 91 4b 33 57 0a 27 f4 07 ........3W.'?
00 00 00 00 00 00 0a 27 f4 01 00 00 00 00 00 00 .......'?......
00 00 00 00 00 00 00 00 00 00 00 00 ............
00 13 11 e9 c3 e6 00 03 91 4b 33 57 08 00 45 00 ...橨?.3W..E.
00 2c 00 bc 00 00 40 06 8b 50 0a 27 f4 07 cb 61 .,.?.@..'?犿
25 30 1b 69 00 50 00 0f 72 25 00 00 00 00 60 02 %0.i.P..r%....`.
16 d0 04 a9 00 00 02 04 05 b4 .??....?
(many more packets here)
I am looking for a tool which would let me import this data (ideally the whole file, failing that one packet at a time) and analyze it, in a similar way to how Wireshark does it for its captures.
I've searched the web and came up empty-handed. Any hints?
6th May 2009
Last week at eurocrypt, a small group of researchers announced a fairly serious attack against the SHA-1 digest algorithm, which is used in many cryptosystems, including OpenPGP. The general consensus is that we should be moving in an orderly fashion toward the theater exits, deprecating SHA-1 where possible with an eye toward abandoning it soon (one point of reference:
US gov't federal agencies have been directed to cease all reliance on SHA-1 by the end of 2010, and this directive was issued before the latest results).
Since Debian relies heavily on OpenPGP and other cryptographic infrastructure, i'll be blogging about how Debian users can responsibly and carefully migrate toward better digests. This post focuses on some first steps for users of gpg, and for Debian Developers and Debian Maintainers in particular.
The good news is that gpg and gpg2 both support digest algorithms from the stronger SHA-2 family: SHA512, SHA384, SHA256, and SHA224.
By using these stronger digest algorithms some of your signatures may be un-readable by users of older software. However, gpg and PGP (a proprietary implementation) have both had support for at least SHA256 for well over 5 years. Debian's gnupg packages have supported the full SHA-2 family since sarge.
However, most existing signatures in today's Web of Trust were made over the SHA-1 digest algorithm, which means that abandoning it immediately would cause the Web of Trust as we know it to evaporate. So we need to rely on SHA-1-based signatures until a reasonably-fleshed-out Web of Trust based on stronger digests is in place. Since we don't want to have to rely on SHA-1 for too much longer, we need to collectively start the transition now.
So what can you do to help facilitate the move away from SHA-1? I'll outline three steps that current gpg users can do today, and then i'll walk through how to do each one:
- start making data signatures and web-of-trust certifications using stronger digests,
- explicitly state your preferences for stronger digests when receiving private communications, and
- If you are currently using a 1024-bit DSA primary key (which relies for signatures on a 160-bit hash, traditionally SHA-1), transition to a new 2048-bit RSA key.
The first two are simple, quick, and painless actions. You'll be done with them in minutes! The third is tougher, and while you can start it today, key transitions take a little bit of time to complete. Read on for a HOWTO!
This entry has been truncated; read the full entry.
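As an added example, not part of the truncated post above: a small shell function that sets the gpg.conf options behind the first two steps (what gpg uses for data signatures, what it uses for web-of-trust certifications, and what it advertises to correspondents) and is safe to rerun, replacing an existing line for the same option rather than appending a duplicate. personal-digest-preferences, cert-digest-algo and default-preference-list are GnuPG's own option names; GPGCONF, DIGEST_PREFS, set_option, get_option and harden_gpg_conf are names chosen for this example, and the default file path is an assumption you can override.

```shell
#!/bin/sh
# Added example, not from the original post.
# Sets the digest-related gpg.conf options idempotently: an existing line for
# the same option is replaced, never duplicated. GPGCONF, DIGEST_PREFS,
# set_option, get_option and harden_gpg_conf are names chosen for this
# example; the option names themselves are GnuPG's.

GPGCONF="${GPGCONF:-$HOME/.gnupg/gpg.conf}"
DIGEST_PREFS="SHA512 SHA384 SHA256 SHA224"   # strongest first; no SHA1

# set_option FILE NAME VALUE: drop any existing NAME line, append "NAME VALUE"
set_option() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # grep -v exits 1 when nothing is left, which is not an error here
    grep -v "^$name[[:space:]]" "$file" > "$tmp" || true
    printf '%s %s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_option FILE NAME: print the value currently set for NAME (empty if none)
get_option() {
    sed -n "s/^$2[[:space:]][[:space:]]*//p" "$1"
}

# harden_gpg_conf: data signatures, key certifications, and the preference
# list advertised on keys (the last applies to newly generated keys and to
# 'setpref' in --edit-key; an existing key keeps its stored preferences)
harden_gpg_conf() {
    set_option "$GPGCONF" personal-digest-preferences "$DIGEST_PREFS"
    set_option "$GPGCONF" cert-digest-algo SHA256
    set_option "$GPGCONF" default-preference-list \
        "$DIGEST_PREFS AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed"
}

# usage: harden_gpg_conf && get_option "$GPGCONF" cert-digest-algo
```

These options change only what gpg produces from now on; signatures already made over SHA-1 are untouched, which is why the post says the existing Web of Trust cannot simply be abandoned. A 1024-bit DSA primary key is still tied to a 160-bit hash by its own parameters, which is exactly why the third step above is a new RSA key rather than a config change.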
5th May 2009
Domain registrations rejected for:
Error: the MNAME in SOA says "domain.server." is the primary name server.
The MNAME field in the SOA record (first parameter) lists a different
primary name server from the one specified for this check. RFC1035
section 3.3.13
After some pondering, this error is because they assume the first listed name server is the name server that should occur in the MNAME field of the SOA record.
i.e. They arbitrarily apply some ordering criteria to the name servers.
From my understanding of the DNS RFCs and common practices, looking at the MNAME field in the domain is not something registries should ever concern themselves with. Whilst some things in domain name registration processes are confused, or have evolved in weird ways, this is the first criterion which potentially has adverse impact as well as being completely pointless.
http://www.sidn.nl/ace.php/c,728,5886,,,,Nameserver_check.html
5th May 2009 09:11:15
4th May 2009
Providing city services only to users of specific proprietary software is bad public policy.
I just discovered that New York City's 2009 Summer Youth Employment Program requires Internet Explorer in order to apply online.
Even downloading the pdf version of the application to print out from the site is impossible under non-IE browsers because the actual pdf link is wrapped in some IE-only javascript. And even if you could download the PDF directly, any additional "online information to help you select a SYEP provider" is inaccessible for the same reason.
I just called 311 and filed an official complaint against the NYC Dept. of Youth and Community Development (DYCD), who sponsor the program.
I also called the number on the application page (1-800-246-4646), and spoke with "Karen" from the DYCD, who explained that the site was a New York City web site, and that it had been created by DoITT (the Department of Information Technology and Telecommunications) at the request of the DYCD, but that the DYCD didn't program it directly. She seemed to misunderstand the tech behind the situation, saying "we can't bring it to a higher level (like Firefox) because then it wouldn't work for everyone". I was happy that she understood that Firefox was a concern here, but the point is not to build the site "higher" to Firefox, but to use standard technology that all browsers can access for a public site.
Karen also seemed to think the situation was acceptable because the city youth "can always use IE on local public library computers" to access the site. Note that the applications involve submitting very detailed information (SSN, health insurance, family income, criminal record, selective service registration #, etc), which are things that i would personally be unwilling to submit over a shared public computer if i had any other choice. Furthermore, this crappy implementation decision encourages the NYPL to continue to spend limited resources on proprietary software to an out-of-state monopolist to run their computer labs, which is money that could be better spent locally (or even spent on books or something similarly quaint and library-like).
I'm frustrated. This is 2009. The application process for public services here should not require any proprietary technology, but it uses it gratuitously. This excludes legitimate citizens, and encourages Microsoft in its ongoing pursuit of monopoly status. Both of these are bad things.
I submitted feedback on the DYCD customer survey web site, and submitted two 150-word-limited(!) complaints to Commissioner Mulgrav of the DYCD and Commissioner Cosgrave of DoITT.
I'm sure they'd be interested in hearing from other people about this. Is this kind of proprietary lock-in what we should expect from a Mayor who cuts budgets city-wide except for IT? Where is all that money going? What is the city getting out of it?
I've updated the webpages describing how to run the code behind this site yourself - the content hasn't completely been finished, but I'll work on it some more over the coming days.
The reason for the sudden update? We have yet another site using the code:
They're using a slightly older version of the code, but I think that might change in the near future. I'm not even sure if anybody noticed but I updated the way articles are linked on the site:
v.s http://www.debian-administration.org/articles/633 - the former is a lot more bookmarkable, although the latter will work forever too. Legacy links, love'em?
1st May 2009
Plugged in SATA drive as replacement in a PC, BIOS failed to recognize it.
Seems some old SATA version 1 chipsets don't negotiate SATA version 2 drives into playing with them.
http://www.tomshardware.co.uk/forum/page-243507_14_0.html
In this PC it was a VT8237 chipset, which Ubuntu claims is a VT6420 SATA RAID Controller (hmm).
The article says Hitachi drives are without a jumper, Hitachi support suggested using Feature Tool.
http://www.hitachigst.com/hdd/support/download.htm#FeatureTool
Unfortunately the drive had already been sent back, for one with a jumper I could set, so I've no idea if it works. But hey, one to file away in the brain, as the Hitachi drive was definitely better value - we lost 90GB in switching brands.
1st May 2009 14:23:06