No ads? Contribute with BitCoins: 16hQid2ddoCwHDWN9NdSnARAfdXc2Shnoa
Feb 132017

As an atheist, I find it difficult to be polite and not fall about laughing at things like “Intelligent Design”, but for the duration of this blog posting, I’ll try.

On one side are the scientists who spend their working lives investigating biological processes who have their theory of evolution. Now that word “theory” needs a bit of explanation; it does not mean that evolution hasn’t been accepted as fact by scientists. Evolution is one of those rare scientific theories that has never been disproved; merely refined. Essentially the word “theory” here is a challenge to disprove evolution and come up with a better theory – if you think you’re hard enough!

On the other side are a collection of religious leaders (admittedly Charles Thaxton trained as a chemist) who have spent their working lives telling people about god; and coming up with the theory of “Intelligent Design” in their spare time. The suspicion is that these people are letting their religious beliefs influence their “scientific” thinking.

When I want to know about plumbing, I ask a plumber. When I want to know about welding, I ask a boiler-maker. And when I want to know about biology, I ask a biologist.

Feb 122017

A very long time ago, I used to collect spam in order to graph how much spam a single mail server was likely to get over time, and almost as long ago, I lost interest in maintaining it. As a consequence I still get a ton of spam every day and after a long period of procrastination I have been slowly raising defences against spam.

This particular recipe is not really a defence against spam – it verifies that the remote server is properly DNS registered with a reverse DNS registration – in other words that the IP address it is connecting from is registered. This is a requirement for all mail servers, and as it turns out, spammers don’t care for registering their servers in the DNS.

This ACL snippet goes into the ACL for checking the recipient or for checking the message :-

   message = Your mail server is not properly DNS registered
   log_message = BLOCKED: No rDNS
   condition = ${if eq{$host_lookup_failed} {1} {1}{0}}
   # Check rDNS and block if not registered

There are three items of interest :-

  1. The message is intended to be easily read by recipients to determine what the problem is. It turns out that many people do not read NDRs, but if we get the message right at least we are doing the right thing.
  2. The log_message is intended to make automating log parsing easier.
  3. Within the condition, the $host_lookup_failed variable indicates that the reverse DNS lookup returned NXDOMAIN and not that it timed out (which would be $host_lookup_deferred).

That’s all there is to this little piece of configuration.

Feb 122017

Now this blog posting is not intended to defend the wrongs of colonialism; we all now accept that territorial expansion by conquest (except apparently Russia) is wrong. In fact it could be argued that Britain conquered India for commercial and not colonial reasons – for example no penal transportation to India occurred. Yes, British people went to live in India, but chiefly to do specific jobs – colonial administration, soldiering, or commercial activities.

Not mass migration.

We need to be wary of judging the past with the moral standards of today; it was not until the 20th century that conquest for territorial expansion was universally condemned. And the evils of the British Raj (and earlier) because it successfully conquered India; earlier (and there were many) attempts failed, although some were close. The very presence of islam within the Indian sub-continent is indicative of attempts to conquer.

And as for the notion that only the British Empire acted in evil ways in India, just take a look through the list of massacres in India; many of those listed had nothing to do with the British.

Does that excuse the excesses of British colonial rule? No of course it doesn’t.

But even if Europeans had not become involved with India, the evils of attempted conquest would still have occurred as they did occur before.

Feb 082017

One of the things that come up whenever IPv6 is mentioned on certain news sites, is that there are people out there who think that NAT solves all of the address size problems and doesn’t have any negatives. I could present a whole series of blog articles on why NAT is the work of the devil, and presents a clear and present danger to life, liberty, and the pursuit of happiness (I might be exaggerating just a touch here).

The naive approach to a security issue originating from a certain network address is to block that network address permanently, pending an appropriate response, or temporarily. Not a bad idea although it does resemble a game of hunt the wumpus, and to assist in this, there are community based collective blocklists.

But what happens when you block an address, and that address is the public address of a NAT device? You block everyone sharing that public address, which could be just a household or it could be thousands of unconnected people. For instance, I have up to 32,000 people behind a handful of public IP addresses.

And yes I do regularly see problems where blocks have been put in place, and from what I can see this is a problem that is widely shared amongst people who NAT.

And once you are blocked in this way, you may be able to get it removed if you manage to identify which blocklist you are on, stop the network abuse and it has a well-run mechanism for removal. Most blocklists (including the ones I run) don’t work this way.

Every IP address has a reputation associated with it, and if you share a public IP address that has a poor reputation, parts of the Internet will disappear for you, and these include some well known services.

Feb 042017

I could choose to criticise Trump’s stand in immigration from certain countries based on the rights and wrongs of it, because it’s certainly wrong. But firstly there has been plenty written and said about that aspect of it, and secondly those who don’t see how wrong it is are not likely to change.

But even those who do not see how wrong it is may well be able to see just how stupid this move is.

Just to remind ourselves, Trump has temporarily blocked all travel into the USA by anyone holding a passport issued by seven countries which were previously subject to heightened visa requirements. And for good reasons – the relevant countries have more than their fair share of terrorist activity – and it is more than reasonable to check on immigrants to verify that they are not known terrorists.

The first “own goal” is that the new restrictions blocks many people from travelling to the USA who have made their homes there including famous people like Mo Farah (although the ban may not apply to him). How much safer is the US by blocking Mo from entering the USA and going home?  Or all the others in his position?

And let’s be frank – there’s something less than honourable about issuing a visa allowing someone to travel, and then preventing them from travelling. There are people who have planned the holiday of a lifetime and arranged to visit Disneyworld or Disneyland, and all of a sudden they are prevented from travelling.

Now you could argue that if this action decreases the risk to US citizens it is worth taking. But even if it does significantly reduce the risk, I would argue that it is better to accept the increased risk to do the right thing. And in general if you do not accept a slightly increased risk to do the right thing, you are a morally bankrupt person.

But does this decrease the risk to US citizens? To assess that we need to assess how great is the risk of terrorist attacks to the USA, and specifically terrorist attacks from those seven countries.

In fact the risk attributed to terrorism is vastly overrated. Going through the Wikipedia list of terrorist incidents, I get a total of 5 incidents causing the deaths of 50 people (the perpetrators excluded), which includes the Pulse nightclub shooting. If you go back to 2015, the figures are 4 incidents and 23 deaths, and one of the incidents was a christian terrorist.

Working through a similar list of mass shootings in 2016, I get a total of 14 incidents causing the deaths of 56 individuals.

Which is basically saying that you’re about as likely to walk into a terrorist incident as into a mass shooting, and both are really, really unlikely. That doesn’t help much if you are caught up in such an incident, so taking reasonable and proportionate action to decrease that risk is worthwhile.

And targeting refugees fits into the disproportional category; of those 5 incidents in 2016, only one was perpetrated by a refugee (and nobody died).

And now onto the final bit of stupidity: Firing your legal adviser for telling you an executive order is illegal when it is being found so over and over again makes you look more than a bit foolish.  Particularly when you could accomplish almost as much (although in reality more) by simply stopping new visas being issued; especially when the decreased risk from terrorism is marginal at best.

Jan 262017

The comic book villainous president Trump has just spoken about how he believes that torture works.

The first thing to point out is that it is widely acknowledged that there is no evidence to show that it works, and anecdotally the torturer is in severe danger of hearing what she wants to hear from the victim. In other words the gut feeling that it ought to work is not to be trusted.

Secondly, torture is prohibited under international law. Now we know that the US is in the habit of showing the finger to the international community – if the US were not so powerful, they would be labelled a “rogue state”.  Just look at a list of the nations that utilise torture – it’s one of the key indicators of a bad state.

Finally, torture is wrong. Under all circumstances it is wrong. You do not “win” over terrorists by descending to their level!

Jan 222017

News story.

We’re all used to politicians lying – either baldly (“Is the sky blue? No, it’s pink.”) or by avoiding the subject altogether (“Is the sky blue? I think the question shouldn’t be is the sky blue, but whether the colour really matters.”). But normally you can see some rationale behind the lie – there’s some genuine advantage to the politician by lying.

And seeing a politician who doesn’t bow down to the media is somewhat gratifying. At least when it serves some purpose.

But headbutting the media and spouting easily disproved lies about the number of people attending Trump’s inauguration?

Crass stupidity and arrogance of the first order.

There’s no point to it – after all who really cares how many people were stroking Trump’s ego on the day? After all his ego doesn’t need any bolstering, and even if it did there were still plenty of people in attendance.

Shattering the establishment (which is something I don’t believe Trump really intends no matter how much he claims) is all very well, and indeed to be encouraged. But you don’t accomplish it by picking stupid fights over nothing important.

Trump is in danger of giving a new word to label stupidity – Trumpidity.


Jan 202017

There are people out there who believe that “I’m offended” is some sort of magical trump card that calls a halt to the debate and requires the offender to issue a grovelling apology. It finds it’s most extreme expression in religion – blasphemy.

Which is a useful place to find excellent examples of the foolishness of trying to avoid offence – there are those who consider that the Koran is blasphemous because it is not a christian holy book and similarly there are probably those who consider that christian churches are hotbeds of blasphemy because they’re not islamic. Which group is right? Or perhaps they are both wrong.

Now I do not believe in going out of my way to be offensive to people, but neither am I going to restrict my opinions because they might be offensive to some people out there.

And when you come down to it, the offended person isn’t really hurt are they? Nobody dies; nobody is hospitalised. The only “harm” that occurs is the harm that the offended person causes to themselves.

And if you choose to be offended by something I write, bear in mind that I can choose to be offended by some of the things you hold sacred :-

  1. That you  believe in a stone age psychotic deity who proclaims “Love and worship me, or I’ll send you to a place of eternal torture”.
  2. That you insist on eating charred decaying animal corpses; and worse do so where I can smell the odious aerial effluent.
  3. Perhaps you voted for what may very well turn out to be the most cartoonish president of the USA since records began. You did know that the entire world is looking at the US freak show and shaking their heads in disbelief?
  4. Perhaps you believe that certain groups are inferior – women, men, people of a different “race”, etc.
  5. Perhaps you think that the rich are perfectly entitled to avoid their obligations to society and that tax avoidance is not a dishonourable thing to do.

But I choose not to. I’ll argue about it, and quite possibly think of you as stupid. But I won’t be offended

And if you do get offended, well then good.


Jan 192017


Any serious cryptographic routines needs a good source of random numbers, and whilst Linux provides a random number generator by default it’s sources of entropy can be somewhat limited. Especially when you’re talking about a virtual machine.

Indeed if you try to pull too much randomness out of the Linux entropy pool (especially when it is especially limited), what you get might not be quite as random as you expect.

Which is where hardware randomness generators come in. And I finally have one (actually two), and have hooked them up. You may be able to guess what time I plugged it in from the graph below :-

So what real world difference does it make?

Well nothing is dramatically obvious, but :-

  1. I have slightly more confidence that any cryptographic software I might run has a good source of randomness and is less likely to accidentally perform poorly (in terms of cryptographic strength).
  2. Some cryptographic software blocks if the Linux entropy pool is empty; with a hardware source I can be more confident that any performance issues are not due to a lack of randomness.