life, code, and idiocy

the journal of dan fuhry

Want to hack a Gmail account? IPv6 is the way to go

Google’s relatively new Google Over IPv6 service has recently been extended to users of Hurricane Electric’s TunnelBroker.net service. It’s pretty cool even though you don’t notice what’s going on. :P There’s just something magical about knowing that all my Google searches and e-mail are going through IPv6 from a nearly untraceable /48 routed by a leading tier-1 ISP.

Of course there are bugs. One of my favorites is caused by the way their reverse proxy works: the IP that shows up is one of Google’s own. It registers as “Unavailable” in the IP history table (presumably because Google’s internal IPs are stripped from the logs), but the page still reports “This computer is using IP address 74.125.114.147.”

Screenshot

(Why, you ask, am I allowing my real IPv4 IP to show? Answer: because your computer already knows it - the server running this blog is on the same IP :P)

Nowhere does the IPv6 address I used to access my Gmail account show up in the history. Of course this means that if you want to hack a Gmail account, this is a great way to do it: your IP history is never recorded, and apparently your IPv6 IP never reaches any Google servers that log requests in a very traceable form.

Oh good, you say. More privacy! Not necessarily. Every single website out there should be logging your IP address. All my servers do, as do 99% of other sites. It’s needed for forensic purposes. If all requests are logged, and an intrusion is detected, one can trace the intrusion back to its source and contact relevant authorities. This is an important thing for someone to be able to do. In my opinion, Gmail is well within ethical guidelines regarding IP logging, because its logs are made available to the owner of the account.

If I could speculate for a minute here, let me deliver my suspicions: I think Google is cheating with their IPv6 support. They probably have a rack of servers with IPv6 access that simply reverse proxy to their IPv4 production systems, which provide the actual service. If that’s the case, they should be able to just whitelist the reverse proxy’s IP in the trusted X-Forwarded-For list, alter a few database tables to hold IPv6 addresses (up to 39 characters) instead of only IPv4 (up to 15), and fix whatever regular expressions they use to validate IPs.
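Here is what the trusted-proxy handling described above looks like in practice, as an added PHP example that is not Google’s or this post’s code; the proxy addresses and the sample request are constructed values:

```php
<?php
// Added example, not Google's or the post author's code. Resolve the
// client address behind a reverse proxy: trust X-Forwarded-For only when
// the peer is a listed proxy, and keep IPv6 literals intact for the log.

// Proxies whose X-Forwarded-For we believe (constructed sample values).
$TRUSTED_PROXIES = ['10.0.0.5', '2001:DB8::1'];

/** Canonical form so "2001:DB8::1" and "2001:db8:0::1" compare equal. */
function canon(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return inet_ntop(inet_pton($ip));   // compressed: at most 39 characters
}

/**
 * Walk the X-Forwarded-For chain from the right, skipping trusted proxies;
 * the first untrusted hop is the client. Returns null if the header is
 * malformed or every hop is one of our own proxies.
 */
function client_ip(string $remoteAddr, string $xff, array $trusted): ?string
{
    $trusted = array_map('canon', $trusted);
    $peer = canon($remoteAddr);
    if ($peer === null) {
        return null;
    }
    if (!in_array($peer, $trusted, true)) {
        return $peer;   // peer is not a proxy we trust: it is the client
    }
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = canon(trim($hop));
        if ($hop === null) {
            return null;   // malformed header: refuse to guess
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return null;   // every hop was one of our proxies
}

/** Log form with a family prefix, so a v6 entry is never read as a v4 one. */
function log_form(?string $ip): string
{
    if ($ip === null || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'unknown';
    }
    return (strlen(inet_pton($ip)) === 16 ? 'v6:' : 'v4:') . $ip;
}

// A request as the proxy would present it (constructed values):
// client -> 2001:db8::1 -> 10.0.0.5 -> this server.
$remote = '10.0.0.5';
$xff    = '2001:db8:1234::abcd, 2001:db8::1';
echo log_form(client_ip($remote, $xff, $TRUSTED_PROXIES)), PHP_EOL;   // v6:2001:db8:1234::abcd
```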

Anyways, Google needs to get this fixed. It could make it very difficult to trace an intrusion into a Gmail account, something their new IP address logging feature was designed to expose.

 

The adventures of Fuhry and… Monster.

It was really a beautiful Memorial Day. Around 12PM my friend Gina stopped by and we drove up to the ‘burbs where a mutual friend lives. Ed’s the kind of guy that would do anything for Chipotle, so we all hit the local joint and trashed ourselves with $7 burritos, pop, and chips and guac. Yummy.

We got back to Ed’s place and I remembered that when I was over there on Saturday I promised him I’d give Monster a shot. He’s an addict; I’m an interested follower, especially being a geek (plus it was Geek Pride Day). Mind you, I’ve never had an energy drink before. Ed and I also have severe ADHD. That’s a fun combination.

He was happy to tell me how it made him “more mellow”, which I could believe because he tends to not be a very wild person and I know he drinks 1-2 cans of the stuff every day. So I had a can of the orange flavor, Khaos. It took me about an hour to drink through it; I wasn’t that thirsty, and I had to get used to the flavor. Ed was pretty surprised it took me a full hour to get through it.

Though *extremely* sweet, it had only 34g of sugar in the whole 16oz can. WTF? There was a lot of fruit juice in there, and as much as I would doubt that anything actually natural would be in something like that, it seems to actually be there. Right alongside the ginseng and bat pee, but yeah, it’s there.

So, yeah. I never got any sort of energy buzz at all. By the time I finished driving Gina home (finding out the hard way that the exit we needed was northbound only, and thus going waaaaaay out of my way) I was extremely tired. Alert, yes, but physically weary.

Conclusion: I’m gonna stay away from energy drinks. Dunno if it’s ADHD or the high-octane brain syndrome or what, but they do just about the opposite of what they say on the tin for me. Plus, they’re… errm, pretty bad for you.

Oh yeah. After dinner I couldn’t make it any longer and crashed, to the point that I don’t even know how the lights in my bedroom got turned off. Here I am, writing this after suddenly awaking at 10:15PM.

 

Sorry Ray Kurzweil, it’s off to RIT for me

Well, decision time came and passed. I guess it was about two weeks ago. I’ll give you the TL;DR version way up top: I’m going to major in Information Security & Forensics at Rochester Institute of Technology, starting this fall.

I’m going to start off by saying I waited as long as possible. I had two schools that were my top choices: RIT and the University of Advancing Technology. The former is in Rochester, NY; the latter, Tempe, AZ. Having been raised in Cleveland, I jumped at the thought of going to college in the Valley of the Sun. Why, you ask, am I talking about UAT, if I picked RIT? Here’s the story.

On March 27, I applied for UAT’s Ray Kurzweil scholarship. That was the $9,000 I needed in order to put UAT into my family’s budget range. (Like just about everyone, I lost a few bucks to Wall St. last fall.) Their info sheet said to expect a decision about a month after you apply.

On April 14, I e-mailed UAT and let them know that in order to make sure I got a spot in the university of my choice, I was going to make a decision on the 20th. I already had enough in grants and scholarships from RIT to go there. If UAT gave me the Ray Kurzweil, it was UAT; if they didn’t, it was RIT.

April 20 came. I hadn’t heard from Arizona. I was busy with my 70-hour week at school as the sound guy for our musical, so I waited a day. And another. And another. Finally, Thursday night came and I told my dad I had made my decision: RIT.

I think that’s where my parents really wanted me. I came home from school the next day to find a large, bright orange stack of RIT stuff on my desk and a note saying “the RIT admissions deposit has been made.” Over the next week or so, I signed a few papers and got my housing contract in.

Fast forward to today, Cinco de Mayo. At 8PM sharp (5PM in Tempe, meaning right at their closing time) the phone rings. It’s the head of UAT’s admissions department, asking urgently to speak with Dan. Congratulations to me: not only did I get the Kurzweil, they pulled it from the graduate scholarship pool because they liked my essay so much. (It was over 4 times the required length, a) because Enano can’t be described in 400 words, and b) as you can probably tell, I’m a very verbose writer; this post is currently over 500 words.) Of course, I couldn’t make it work.

As flattered as I was, I couldn’t help but feel a little bit heartless about the whole thing. They waited too long, and I gave them a 4-day grace period. I had a gut feeling I was going to earn the Kurzweil, but that was a risk I could not afford to take. If I hadn’t enrolled in RIT by May 1, I would lose my spot and, had UAT not given me the Kurzweil, I’d be going to a state school or (worse) Defiance College, which has done some creepy things to say the least. (To not offend the folks at Defiance, I won’t get any more specific than that.)

So, I’m going to Rochester. There’s no Chipotle there - yes, I will be writing Steve Ells - and everything has metal roofs. But there are business minors at RIT. And tunnels. And Gracie’s Dining Hall (best damn college food I ever had, couldn’t help but select “unlimited meals” before my parents could force me to click something else). And, come this fall, someone else in my high school class - a considerable feat considering the fact that my class size is 27.

And yes, my torrent activity will stay at home. I can only promise, RIT, that I won’t break your TOU.

 

iPod touch vs. my dad’s first Quantex PC

This is just an interesting tidbit of information I put together, based on the cost of my dad’s first PC and my iPod touch I purchased in March of last year.

Part      Dad’s PC       iPod
CPU       200MHz         412MHz*
RAM       64MB           128MB
Storage   6.4GB          16GB
Network   56k modem      54Mbit WiFi
O/S       Windows 95     UNIX (Mac OS X)
Audio     Yes            Yes
Size      17×8×16″       62×110×8mm
Weight    28lbs          4.2oz
Cost      $1,700         $380

* underclocked at factory; 600MHz native speed

Moore’s Law is a powerful thing, is it not?

 

New theme + header graphic

Neal Gompa wouldn’t stop complaining about my dark theme, so to lift his demonic curse I’ve enabled Arcsin’s Grunge Superstar theme. I’ve been favoring his themes and decided this time I’d put together a custom header based on my Facebook profile picture and a Photoshop tutorial I found somewhere and rapidly adapted to GIMP.

P.S. This theme is sexy; maybe I should be thinking about an Enano port? *wink wink*

 

…And Gigabit For All

The Gigabit switch came in a day later than I expected, but it’s all up and working now. That means my LAN is fully Gigabit!

Really, this is quite an exciting upgrade. First and foremost it makes my network faster. But what’s also important is the fact that I actually have some spare ports to work with now. Before, I had two routers hooked together using a normal Ethernet cable connecting two of the LAN ports. (Joining two switches with a normal cable works here because the WRT54GL’s ports auto-sense and handle the crossover themselves; otherwise you would ordinarily need a crossover cable.) The new switch is hooked into the WRT54GL in the same way, because I still need the wireless access point and it’s nice to have the GL functioning as a PPPoE bridge without me having to configure something manually on yet another Linux or FreeBSD gateway box.

Benchmarks are relatively promising - 32MB/sec was the rate I recorded for HTTP transfers. That’s up from about 10.5MB/sec on the 100Mbps network - about a 3x speed increase, not bad, and it’s especially good to know that I have a much fatter pipe so it’s possible to conduct operations in parallel (can you say “distcc”?).

The switch itself is a Netgear ProSafe JGS516 with 16 ports, 8 currently used by myself and the computers used by others in my house. There’s a fan on the side but its noise is nothing against the fans in Nighthawk and Bigmomma (contrary to the reviews).

And of course I have the bragging rights associated with a rainbow stream of 8 cables running their way out of a switch that looks much more like a business product than a consumer product. Sure you get better ping times and a few spare ports, but it’s always the looks that count the most!

 

Cards and cables and exploits… oh my!

I finally got some freelance work again, so I decided it was time to invest in a little bit of backbone for my LAN. Most of my home directory on Nighthawk is mounted over NFS and I’m constantly doing strange things between boxes, so I decided that the thing most in order was an upgrade of my wired network to Gigabit. I’m honestly quite excited at the prospect of having a full 1000Mbps pipe between the computers on my LAN because it presents a rather valuable opportunity to integrate things even closer than they are now.

The upgrade was ordered on Saturday, give or take, and the first box came in today. It was just the more basic stuff from TigerDirect: the PCI cards (3 white-box Netgear GA311s) and five cat6 cables, three for Nighthawk, Bigmomma and Xombie, 1 for Scribus which already has Gigabit, and 1 for Capsaicin in the event that I decide to upgrade her.

The switch was (I hope) the best part of the deal. It’s a NetGear JGS516 ProSafe switch with 16 Gigabit ports and decent specs for a lower-end switch. I plan to hook it into my WRT54GL and continue to use the GL as a wireless AP and PPPoE gateway. That hopefully won’t be too hard to configure since the GL has auto-sensing ports (and I have a crossover cable if needed).

So I got home from school today and there was a big shiny box waiting for me at the door of the basement. I went downstairs and proceeded to install the cards in all three boxen. I fired everything up and all was well. After a little bit of browsing however, I noticed something had to be awry.

Yessir, we’ve arrived at the “exploits… oh my!” portion of this post. Thank you for your patience; it shall be rewarded momentarily, you sadistic little devil, you.

An automatic bot managed to find my old copy of RoundCube Webmail on Bigmomma. Sexy little web app; too bad they had to use a third-party library that insisted on using the PCRE “e” flag. The bot managed to upload a few files into Apache’s document root on Bigmomma and throw a little bit of extra code into my root .htaccess. If you want the IP address for ethical purposes and ethical purposes only (read: don’t DDoS it, just add it and its entire /24 to your blacklist because the entire network is considered malicious), it’s 91.212.65.95. It didn’t overwrite anything, and I know that it didn’t get the chance to do much more, because when it added an [L] RewriteRule to the top of my .htaccess, it stopped all URLs to PHP scripts from going through my virtual host logic and thus blocked access to the malicious script that was uploaded. Moreover, the stats script the attacker was trying to run never ran, because it could only inject itself into HTML documents when the URL ended in .html or .php (or some variant thereof). My server probably looks like a honeypot now!

A forensic sweep over the system found the offending IP and vulnerable script, and pretty soon I had quarantined the modified files and restored original ones - or, in the case of that old copy of Roundcube, deleted them except for the quarantine copy.
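As an added example (not RoundCube’s or Enano’s code), the kind of check a sweep like this calls for: a scanner that flags preg_replace() calls whose pattern carries the “e” modifier, which makes PHP eval() the replacement string. It runs over a constructed snippet that also shows the preg_replace_callback() form the flagged call should be rewritten to.

```php
<?php
// Added example, not RoundCube's or Enano's code: find preg_replace()
// calls whose pattern literal uses the PCRE "e" modifier (removed in
// PHP 7). The replacement for such a call is preg_replace_callback().

/**
 * Returns [line => pattern] for every preg_replace() in $source whose
 * first argument is a string literal with an "e" among its modifiers.
 * Patterns built at runtime are skipped and need a human look.
 */
function find_eval_modifier(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'preg_replace') !== 0) {
            continue;
        }
        // Skip whitespace to the "(" and then to the first argument.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if ($j >= $n || $tokens[$j] !== '(') continue;
        $j++;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if ($j >= $n || !is_array($tokens[$j]) || $tokens[$j][0] !== T_CONSTANT_ENCAPSED_STRING) {
            continue;
        }
        $pattern = substr($tokens[$j][1], 1, -1);   // drop the quotes
        if (has_e_modifier($pattern)) {
            $hits[$t[2]] = $pattern;                // $t[2] is the line number
        }
    }
    return $hits;
}

/** Modifiers follow the closing delimiter; bracket delimiters pair up. */
function has_e_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') return false;
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$pattern[0]] ?? $pattern[0];
    $end = strrpos($pattern, $close);
    if ($end === false || $end === 0) return false;
    return strpos(substr($pattern, $end + 1), 'e') !== false;
}

// Constructed sample in the style of the old third-party code (not executed here).
$sample = <<<'PHP'
<?php
$html = preg_replace('/<b>(.*?)<\/b>/e', 'strtoupper("$1")', $html);   // dangerous
$html = preg_replace('/<i>(.*?)<\/i>/i', '<em>$1</em>', $html);        // fine
$html = preg_replace_callback('/<b>(.*?)<\/b>/',
    function ($m) { return strtoupper($m[1]); }, $html);               // the fix
PHP;

foreach (find_eval_modifier($sample) as $line => $pattern) {
    echo "line $line: pattern $pattern uses the e modifier\n";   // reports line 2 only
}
```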

So, there’s my little networking brawl for the day. It’s a hard life, ain’t it?

 

The Adventures of Fuhry and his Yubikey

If you’ve been following Enano lately you will know about our worst-kept secret of 2009 so far, the Yubikey plugin. Part of developing this plugin was, of course, purchasing and welcoming into my life my very own Yubikey. I was pretty excited when it came in the mail and deploying it was actually one of the easiest things I’ve ever done.

Basically there’s a PAM module that provides support for Yubikey as a login device just about anywhere you can be prompted for a password on a UNIX or Linux system. The version in Google Code has a number of annoying debug messages which I had to remove when I built the plugin. They show even when the “debug” flag is omitted so I presume this is just the result of sloppy development procedure. Aside from the uncomfortable thoughts I’m having of sloppy development on a PAM module, it works beautifully. So beautifully, in fact, that I’ve deployed it across all my servers, and deauthorized my SSH key from root on bigmomma and ktulu so that the only thing that can get you on to either is my Yubikey (with the exception of ktulu, which has an emergency root password somewhere in my encrypted storage - sshhhhh, it’s a secret). It’s much easier to just press my Yubikey instead of typing out one of my Insane Passwords™ so it’s also motivated me to use stronger passwords than what I have now (which are strong with one exception somewhere I think).

Developing for this thing was great except for one thing: signatures. OK, so I wasn’t using a standards-compliant implementation of HMAC; that got fixed. But I also failed to account for carriage returns (0x0D or “\r”) in the regular expression I used to parse their response. (And of course my test server didn’t send them.) That caused the first couple of commits to my plugin to not work right with Yubico’s official API. The cool thing about the Enano plugin was that 80% of the functionality the Yubico verification routine needed was already there in hmac.php and http.php. Yep, you heard it right: most of the Yubikey PHP library is the HTTP client. And the official one (which is used in most integration plugins) can’t even sign requests or verify signatures because it lacks HMAC support. Anyways, eventually I got it all working and it properly logged me into my test site.
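The reply check described above, as an added PHP example rather than the Enano plugin’s own code: it tolerates the carriage returns that broke the original regex and verifies the HMAC-SHA1 signature the way Yubico’s validation protocol specifies (sorted key=value pairs joined with “&”, keyed with the base64-decoded API key). The API key, nonce, OTP and reply are constructed values.

```php
<?php
// Added example, not the Enano plugin's code: verify a reply from a Yubico
// validation server. Lines may end in "\r\n"; the "h" field is base64 of
// HMAC-SHA1 over the remaining fields, sorted by key and joined with "&".

/** Parse key=value lines, tolerating \r\n line ends and blank lines. */
function parse_reply(string $body): array
{
    $fields = [];
    foreach (explode("\n", $body) as $line) {
        $line = rtrim($line, "\r");   // the carriage return the post's regex missed
        if ($line === '' || strpos($line, '=') === false) continue;
        [$k, $v] = explode('=', $line, 2);
        $fields[trim($k)] = trim($v);
    }
    return $fields;
}

/** Recompute the signature the server puts in "h". */
function sign_fields(array $fields, string $apiKeyB64): string
{
    unset($fields['h']);
    ksort($fields, SORT_STRING);
    $pairs = [];
    foreach ($fields as $k => $v) $pairs[] = "$k=$v";
    $mac = hash_hmac('sha1', implode('&', $pairs), base64_decode($apiKeyB64), true);
    return base64_encode($mac);
}

/** Returns the server's status only if the reply is signed and is ours. */
function verify_reply(string $body, string $apiKeyB64, string $sentNonce, string $sentOtp): string
{
    $f = parse_reply($body);
    if (!isset($f['h'], $f['status'])) return 'malformed';
    if (!hash_equals(sign_fields($f, $apiKeyB64), $f['h'])) return 'bad signature';
    // Tie the reply to our request so a signed "OK" for another OTP is refused.
    if (($f['nonce'] ?? '') !== $sentNonce || ($f['otp'] ?? '') !== $sentOtp) return 'reply mismatch';
    return $f['status'];
}

// Constructed sample: a throwaway key and a reply built with CRLF line ends.
$apiKey = base64_encode('not-a-real-api-key');
$nonce  = 'constructednonce0123456789';                       // real nonces are random
$otp    = 'ccccccbtfhhlvcfndjbrvdetlngvnclbrkdurkgiifu';      // constructed, not a real OTP
$fields = ['t' => '2009-03-01T12:00:00Z0', 'otp' => $otp, 'nonce' => $nonce,
           'sl' => '100', 'status' => 'OK'];
$fields['h'] = sign_fields($fields, $apiKey);
$body = '';
foreach ($fields as $k => $v) $body .= "$k=$v\r\n";

echo verify_reply($body, $apiKey, $nonce, $otp), "\n";                     // OK
$tampered = str_replace('status=OK', 'status=REPLAYED_OTP', $body);
echo verify_reply($tampered, $apiKey, $nonce, $otp), "\n";                 // bad signature
```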

Then I had to make a screencast about it, but that’s another story for another day. Hey, I supposedly get 5 free Yubikeys out of it, so why not, right?

 

PayPal account update

If anyone here sends money to me via PayPal, you might notice that my seller reputation has dropped and I’m now a “new” member. Well, that’s because “my” PayPal account before was actually my dad’s. No worries, I had permission, and he never really used it anyway. I just had to use his because I was under 18. I can do the whole checking account deal now, so that’s all set up and I’m now officially PayPal’ed.

In the meantime, it took me very close to a full month to get around to opening a checking account and getting the PIN from my bank so I could actually link the two accounts. (I needed my PIN to see the online statement to complete their verification process.)

And I can say that I’m one of very few people to have actually registered a PayPal exactly on my 18th birthday. w00t!

 

Yessiree, this sonofagun is legal!

I figured it might be time to disclose this, just because I’ve kept it under wraps for a long time for various personal and professional reasons. Take it for what it is, nothing more, nothing less.

For years, I’ve tried - HARD - to conceal vital parts of my identity. My name has been out there for a while; I don’t consider it to be too much of a secret. I want my name out there because then my work can be associated with me, meaning I can point to projects like Enano and say, “I did that” and prove to whoever is interviewing me or checking me out that I deserve their attention as a student, employee, intern, or volunteer. That gives me a powerful edge when people want to see samples of my work and, because my real name is on there, they can clearly see that I am telling the truth.

So here’s the flip-side. I’m going to let you, the Internet community, know that I’m just finishing up my senior year of high school. January 31st was my (rather simple but nice and enjoyable) 18th birthday. Enano’s core concept has been a side-project of mine since I was a puny little freshman; the current codebase has been under development since the start of my sophomore year. There are, of course, obvious differences between code I wrote then and code I write now, but guess what? The core design - 5 singletons, 5 major components - has held up perfectly, and is continually being actively developed, with no current plans to abandon it.

Going back even farther, I want to talk about my first project: the ExperienceUI.

I was 13 when I started the ExperienceUI, and was just about to turn 14 when the first release came out. It was of course bumpy, because I didn’t really understand the concept of open source software yet and lacked maturity in many areas (especially PR). Nevertheless, it was a smashing success, not only for being the first competition for NSIS’s Modern UI, but also for cracking wide open the realm of branded user experience in NSIS installers. By a 14-year-old.

So, what do I gain by telling you this? Let’s start with the fact that you, the reader, hopefully understand my time constraints. There are exam-heavy weeks. There are huge projects. There are deadlines that could dramatically change the next four years of my life if I miss them. They are school; they must take priority over Enano. Colleges these days pay huge attention to your grades in the second semester of your senior year. They don’t want people with senioritis. Therefore, there are times when supporting Enano, even something so little as finding time to commit and push out a bugfix, is a very difficult thing for me to do.

Am I saying this as a result of changed policies? Absolutely not. This post changes nothing; it simply clarifies what has already been in place. If workload is light, Enano is usually one of the first things I rush to work on. Two and a half years after the first spark that ignited Enano’s development, I still enjoy it above almost anything else. Right now, it would take quite a blow to get me to severely delay or cease development on Enano. I still use it for many of my own projects, and I always find myself in need of new features - so there is absolutely no justification for stopping development in any way.

Ladies and gentlemen, my goal for my teen years, though I didn’t realize it at the time, was to prove that teenagers aren’t the stupid, pimply, caffeine-addicted, irresponsible population that some people like to label them as. We start trends. We influence people and ideas. We come up with things nobody’s thought of before; we innovate. We might not do it in the most orthodox or civilized ways, but we can look at loopholes, missing features, or needs, and fulfill them. Age discrimination is insanely, painfully common. Had I announced that I was 13 in that Winamp Forums post, it would have probably been an immediate turn-off for potential users, or perhaps would have resulted in me being treated radically differently. I’m here to announce that none of that is necessary, called for, or appropriate. Give teens the chance they deserve. You did it for me without knowing it; as a result of that, I’ve been able to visit colleges, pull up enanocms.org, and go “yeah, that’s me right there” as they ponder whether a teenager could really have done this. My answer to that is, what adults can do with procedure and incentives, a teenager can do with hope, passion, and creative talent.

What is it that I hope to end through this? Age discrimination - a.k.a. the belief that teenagers are incompetent at running a business or changing the world. My résumé is quite an impressive one that contradicts such beliefs, thanks in large part to projects such as IIS-Aid, during which I developed an NSIS installer that set up PHP on Windows Server, all editions from 2000 through 2008. At $30 an hour, as a high school kid. Guys and gals, $30 an hour is DIRT CHEAP for software development. It’s also twice what all of my friends are making. Despite my low rates, I’ve been praised highly by multiple people for my professionalism. I have a great record, and I’ve proven to the world what teens are capable of.

To teenagers that are reading this, I want to offer a few words of encouragement. High school sucks; get used to it. Guess what? You won’t have anywhere near this amount of free time in college, and you’ll never get to go back to relive high school. Make a difference now, ‘cuz otherwise you’re throwing that chance out the window.

(I also have a legal reason for not stating my age. As a professional contractor that has been in business since 2005, I have relied on contract law to ensure that my clients comply with my anti-fraud measures. This is for my own protection, and I have no intentions to change this policy. Because U.S. contract law considers a contract invalid if a minor drafts or signs it, I was forced to keep my age hidden so that nobody would simply look at the fact that I was a minor and could thus safely ignore my contracts. Reversing this, I also wanted people to believe that I was legally bound to their contracts; if I was not legally bound, it might have resulted in tensions or just plain lack of business.)