Apr 13 2013

So Maggie Thatcher has died. And people are acting somewhat surprised that there is so much polarity in the reaction to her death – well, this is hardly a surprise given just how divisive she was in life. Or perhaps more accurately, how divisive she was in power. It is true that the anti-Thatcher reaction to her death is kind of tasteless – dancing on her grave is not exactly the best of behaviour.

But it is also kind of understandable. The first reactions to Thatcher’s death were from the pro-Thatcher brigade who loudly trumpeted just how good Thatcher was for Britain. The anti-Thatcher mob understandably reacted negatively to all of the positive things that were said about Thatcher in the first few hours.

What might come as a surprise to people who weren’t around in Britain during Thatcher’s reign (1979-1990) is that whilst Thatcher may well have been the most popular British Prime Minister of the modern era, she was also by far the most hated Prime Minister of the modern era. Because if you have to sum up Thatcher’s career in just one short phrase, it would have to be that she was probably the most divisive Prime Minister Britain has ever had.

If she were still around, she would quite happily admit to not being interested in consensus and to having the ambition of thrusting her beliefs and policies down everyone’s throat. She believed that she was right and that everyone else who disagreed with her was wrong. There are those who would say this is the essential ingredient to “leadership”, but it is actually only half of what makes a great leader; and it’s the dangerous half at that.

Listening to the opposition – and the louder they are, the harder you should listen – isn’t caving in to their demands, but simply listening. They might have something interesting to say.

For example, take Thatcher’s Poll Tax. Thatcher’s intention was that everyone should have to pay something towards the cost of local government in a way that illustrated just how expensive different councils were, and she wanted to do so by everyone paying the same (students and the unemployed would only pay 20%). The opposition to the Poll Tax wasn’t to the policy as such, but to the way that it was implemented. It would have been possible to implement Thatcher’s policy in a way that would not have caused the level of opposition that we saw :-

Those opposed to the Poll Tax were more opposed to the regressive nature of the tax than to the idea of a simplified means of paying for local government that would make it clearer how much local government was costing. As an example, a local income tax clearly marked on your payslip (“Local council: £37.95 – 1.5% compared with the national average of 1.2%”) would quite possibly have been much more widely accepted. Of course the Poll Tax was incredibly popular with the rich (as they would pay much less), but unfortunately for Thatcher, there really aren’t that many of them.

To set the context of Thatcher’s government, we have to remember that Britain in the 1970s was in poor shape with an industrial base reliant on old heavy industry, a former empire that was no longer buying British goods by default, paying much higher prices for oil, and of course an unnaturally militant bunch of unions :-

Of course the unions were to blame for everything bad that happened in the 1970s – OPEC raising oil prices, the hot weather in 1976, the civil war in Lebanon, Pinochet’s coup d’état in Chile. That’s not to say that they couldn’t do with a little cutting down to size, but they probably sounded more radical than they actually were. Having been a member of a union, I can tell you that those who climb up the union hierarchy are those who are interested in the work involved, whereas the majority of the members are less politically motivated; the 1970s union leaders may well have had a portrait of Uncle Joe that they regularly worshipped, but the members didn’t.

There’s truth in the idea that the big heavy industry of the 1970s needed to become more efficient and less labour intensive; there’s also a grain of truth in the unions’ claims that a great deal of rationalisation was more about making money for the company owners than gains in efficiency.

Thatcher’s union reforms – criminalising closed shop agreements, insisting on secret ballots, and preventing secondary strikes – all sound quite reasonable from the perspective of distance, but at the time it was clear that Thatcher was at war with the unions, which to many union members felt like the ruling classes were at war with them. And there was a belief that the long-running and exceptionally bitter Miners’ Strike of 1984 was little more than Thatcher’s revenge for the miners’ strike of 1974 which humiliated Heath :-

Apart from her attacks on the unions, she seemingly went about favouring the rich over the workers in other ways too. Her “big idea” in economic management was to switch priorities away from employment to reducing inflation. This was arguably a sensible change in priority, but then she also went ahead and raised VAT from 15% to 17.5% in pursuit of her obsession with switching to indirect taxes, which in turn immediately raised inflation. This of course made it necessary to pursue monetary policies much more harshly to try and control inflation, which had a much greater effect on unemployment than would otherwise be the case.

This in turn caused welfare spending to surge making it necessary to much more harshly cut public spending in other areas.

Which of course was compatible with her “no such thing as society” – not the speech itself, which was a rant about people feeling entitled to assistance (a theme which is repeating itself), but the whole tone of her policies. Thatcher may not have been a disciple of that poisonous Nihilist Ayn Rand, but the only way to tell the difference was that you could find Thatcher in a church. Thatcher was all in favour of the “self-made man”, which all too often turned out to be a loud-mouthed business-sociopath of the kind that inspired Harry Enfield’s Loadsamoney character.

There’s a lot of truth in the at first rather bizarre claim that Thatcher was behind the current banking crisis – her deregulation of the banking industry kick-started the whole big gambling side of banking and encouraged a whole generation of bankers to gamble bigger and bigger. Those that learned the wrong things in the 1980s were the ones at the top of the banking industry during the 1990s and 2000s when the mistakes that led to the collapse of banking were prevalent.

In terms of housing, her policies were rather bizarre. Her policy of selling off council houses at knock-down prices was (for her) a way of bribing the electorate into voting for her. The effect on the people who bought their own council houses was positive, but Thatcher’s insistence that councils be prohibited from using the proceeds to build more social housing is rather extraordinary. Not only would it stop further generations from buying their own council houses, but it was almost guaranteed to result in a housing bubble with house prices escalating out of control.

It’s probable that Glenda Jackson said it a whole lot better than me.

Apr 03 2013

Scanning paper documents is such a tedious task that I tend to lose concentration when doing it. And as a result I recently ended up with two PDF documents needing post-processing. In the worst case, the PDF consisted of three pages – one in the correct orientation, and two rotated 180°!

As usual, there’s a Unix command to help out with that – pdftk. Specifically :-

pdftk \
  input-file.pdf \
  cat 1 2-endS \
  output out.pdf

The interesting operation is contained within “cat 1 2-endS”, which translates as: copy input page 1 to the output unaltered, and copy the remaining pages (2 to the end) to the output rotated 180° – the trailing “S” is pdftk’s rotation suffix for “south”. This is of course only the tiniest fraction of what this tool can do.

Mar 30 2013

In something I first heard about in the Daily Mail (so there was an instant credibility gap), it seems that Lord Carey has been blathering on about how Christians feel like a persecuted minority, and that the government is discriminating against them.

Which is of course complete rancid rhino bile.

And any christian who feels persecuted needs to take a good hard look at things.

According to the 2011 census, 59% of the UK population claimed to be christian. Given that 59% is more than 41%, I’d say that any christian who feels that they are a minority probably needs to take their socks off to count above 10. It is the rest of us – humanists, secularists, muslims, Buddhists, hindus, atheists, agnostics – who have the right to claim to be a minority. Given that 2001 (72% christian) was the first time the question was asked, it is hard to make historical observations regarding levels of christianity in the UK. Christians would of course say that we have been historically a christian society where everyone was a christian; others would say those who weren’t christian were under a great deal of pressure to pretend.

There are occasions when we get forced to sit through some sort of christian ceremony, although it was more common in the past than today. And it can be quite creepy listening to you guys speaking to your imaginary friend (or is it friends?).

Nothing to do with what goes on inside your churches of course, but christian ceremonies in public life can be excluding to those who are not christian. Take for example, the infamous council meetings where pre-meeting prayers are no longer permitted. Or rather praying out loud as part of the meeting is no longer permitted. If such prayers are part of a council meeting, they are effectively an unconscious expression of the kind of people who should take part in the meetings – that is practising christians. Or in other words, you are saying that the real minorities – atheists, muslims, etc. are not welcome.

Not that a period of silent contemplation at the start of a council meeting is a bad idea – indeed, it is probably a very good idea. And nobody is saying that you cannot talk with your imaginary friend(s) in the silence of your mind.

Carey specifically mentions the legalisation of gay marriage as one of the symptoms of “aggressive secularisation” within the government. Actually legalising gay marriage is simply doing the right thing; there is nothing in the legislation that forces anyone to get married to someone not of their choice! So it is merely allowing those who choose to, to get married to the person of their choice.

What christians who oppose gay marriage are complaining about, is that they are no longer allowed to impose their views of what marriage should be onto those who believe differently.

In other words christians are complaining about not being allowed to persecute others.

If christians still feel they are being persecuted in the UK, perhaps they should look at some of the real examples of christians being persecuted around the world (see http://en.wikipedia.org/wiki/Persecution_of_Christians). Any kind of inspection of what happens around the world will make any decent person claiming that UK christians are being persecuted thoroughly ashamed. Whatever the rights or wrongs of the case (and frankly in the case of the BA employee, both sides could do with being told to just grow up), being unable to wear a cross in jewellery form at work hardly compares to being stoned to death.

Mar 28 2013

This article is short on references because I haven’t gotten around to filling them in … they will come.

The fuss in the mainstream media about the distributed denial of service (DDoS for short) attack against Spamhaus goes to show that journalists need to buy more drinks for geeks, and the right geeks. It is nowhere near as bad as described, although the DDoS attack was real enough and definitely caused “damage” :-

  1. New York Times: http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all&_r=0
  2. Daily Mail:  http://www.dailymail.co.uk/news/article-2300810/CyberBunker-revealed-Secretive-fanatic-worst-cyber-attack.html

This article is not intended to be totally technically accurate in every detail; it is intended to describe the incident in enough detail and with enough accuracy that it can be understood without übergeek status.

So What Happened?

Spamhaus are experiencing a distributed denial of service attack that started on the 20th March and is still ongoing. The initial attack very quickly overwhelmed their 10Gbps (that’s about 1,000 times faster than your Internet connection) link to the Internet. Whilst this disrupted the Spamhaus web site and various back office services, the main service that Spamhaus provides kept running (as it is distributed).

The very clued up geeks at Spamhaus, who have had plenty of experience of being under attack, very quickly contacted CloudFlare, which started hosting their web sites and other back office services at numerous data centres around the globe. Their services rapidly started returning to life – it isn’t the sort of thing that can be done instantly, and probably took a lot of late nights.

However the attacks escalated and reached levels of up to at least 300Gbps (that’s about 30,000 times faster than your Internet connection) or about 13Gbps of traffic for each of CloudFlare’s 23 data centres. That’s a lot and could be responsible for Internet slowdowns …

The Internet Is Slow. Is It The DDoS?

Well, perhaps. We all have a very understandable tendency to blame known events for problems we’re having. Is the Internet slow? It must be that DDoS. But it is not necessarily so.

And if the whole Internet was slow for you, it is quite possible that you were unknowingly taking part in the attack, because the attack relied on infected PCs together with other stuff described below.

It is also possible that some parts of the Internet were overwhelmed by the DDoS. Reports have indicated that Internet services plugged in alongside the CloudFlare data centres (or in them) were suffering somewhat because of the extraordinary levels of traffic. However, this is the Internet and there is always lots of stuff going on that may cause slower performance than normal in various corners of the ‘net.

Was This The Biggest DDoS Attack?

Possibly. The figure of 300Gbps (and it was probably larger than that – the 300Gbps figure was through one Tier-1 ISP) probably qualifies as the largest known public DDoS.

However DDoS attacks are not always made public; there could well have been larger attacks that were not made public.

Various responses have indicated that the attack was not as serious as described by others :-

  1. http://cluepon.net/ras/gizmodo
  2. http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie

It may be that these commentators are mistaken to the extent that they didn’t see a problem; it may be that European and Asian networks were more prone to a slow-down than elsewhere.

What Is A Distributed Denial Of Service Attack?

If you were an attacker, you could try sending network traffic as fast as your PC could handle to the target of your attack. However the amount of traffic you could send would be very limited – you can’t send more than the speed of your Internet connection. Say 10Mbps … a lot less than most large services use for their own Internet connections.

To make an attack more effective, you will want to have lots of people send traffic as quickly as they can. And the easy way to do that is to infect PCs with some sort of malware, and use your control of those infected PCs to send out that denial of service traffic. At which point it becomes a distributed denial of service attack, because the attack traffic is distributed around the Internet.

And if you can find some way of amplifying your attack traffic so that say 10Mbps of traffic becomes 1Gbps of traffic, you make your attack much more effective.

So How Was This Done?

The details of what went on become pretty hairy very quickly, but very simply :-

  1. The attacker takes control of a large number of infected PCs to make his or her “robot army” to send out network traffic under their control.
  2. The attacker instructs their robot army to send out DNS requests as quickly as possible with the source address forged as the victim’s address.
  3. The negligent ISP allows those packets out by not applying source filtering.
  4. The network traffic reaches any number of misconfigured DNS servers that answer with a larger reply sent to the victim’s address.

DNS?

This is short for the domain name system and is a service that turns names into numbers (amongst other things). You type in a name such as www.google.com and the DNS server your PC is configured to talk to turns that name into an Internet address such as 203.0.113.63 or possibly 2001:db8:0:1234:0:5678:9:12. Your PC then makes a network connection to that numeric address in the background, and fetches a web page, a music stream or some other content you want.

Without the DNS we would all have to rely on numeric addresses to make connections – a lot tougher!

There’s another factor here: DNS is an amplifying service – you ask for a name such as www.google.com, and the answer is a whole lot longer than just the numeric address you “need”, as it can (and often does) contain a number of network addresses together with associated information :-

% dig www.google.com  

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		61	IN	A	74.125.138.104
www.google.com.		61	IN	A	74.125.138.106
www.google.com.		61	IN	A	74.125.138.99
www.google.com.		61	IN	A	74.125.138.147
www.google.com.		61	IN	A	74.125.138.105
www.google.com.		61	IN	A	74.125.138.103

;; AUTHORITY SECTION:
google.com.		126160	IN	NS	ns3.google.com.
google.com.		126160	IN	NS	ns2.google.com.
google.com.		126160	IN	NS	ns4.google.com.
google.com.		126160	IN	NS	ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.		126160	IN	A	216.239.32.10
ns2.google.com.		126160	IN	A	216.239.34.10
ns3.google.com.		126160	IN	A	216.239.36.10
ns4.google.com.		126160	IN	A	216.239.38.10

;; Query time: 1 msec
;; SERVER: 10.0.0.26#53(10.0.0.26)
;; WHEN: Sat Mar 30 09:52:59 2013
;; MSG SIZE  rcvd: 264

If you are talking to a misconfigured DNS server, it could answer even when it should not. Normally DNS servers are configured to answer just for those they are intended to provide answers to – your ISP’s DNS servers will answer your questions, and not mine. However if they are misconfigured, they will answer any question and will function as a DDoS amplifier.

This does not include public DNS servers such as OpenDNS, or Google’s public DNS servers – they are specially configured to avoid acting as a DDoS amplifier – probably by imposing a rate limit to stop answering if you ask too many questions.

Source Filtering?

When you click on a link in your web browser, your browser sends out a network packet containing the request (“GET /webpage”), and that network packet contains the destination of the web server – so your request reaches it, and your own address – so the web server knows where to send the answer! Your own address (in these circumstances) is known as the source address.

With appropriate software, you can forge your source address so that replies to your request go back to a different place. Without that only the very simplest DDoS attacks would work.

Of course, it has been best practice to block forged source addresses since, well, not long after the beginning of the Internet. This is known as source filtering. An Internet router is capable of deciding that packets coming in from wire A should not have an address assigned to wire B, so should be dropped on the floor.

An Internet router that doesn’t do that is poorly configured.

So How Can This Be Stopped?

The answer is that we have known how to stop this sort of attack for at least a decade. And indeed the best Internet citizens have done so for years.

The trouble lies with those on the Internet who are not necessarily the best Internet citizens. Of the big three remedies, two are probably being neglected because managers of ISPs do not see the business benefits of applying those remedies. And there isn’t a business benefit, but a social responsibility.

The three remedies are :-

  1. The average Internet user needs to take action to prevent their PC from getting infected. Get anti-virus protection, and an Internet firewall. If the PC acts weird, get it looked at. And if the Mac acts weird, get it looked at too (yes they do get infected).
  2. ISPs should apply BCP38 (which dates back to 2000) which specifies source filtering.
  3. ISPs running DNS servers should ensure that their DNS servers are properly configured to only answer queries for legitimate clients.

And if you happen to know a senior manager at an ISP, ask them about BCP38 and if they’re doing it – source filtering is probably the most important action here.
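As an added example (not part of the original article), here is a small Python simulation of steps 1 to 4 from “So How Was This Done?” together with the two ISP-side remedies: BCP38 ingress filtering, and a resolver that either answers only its own clients or rate-limits replies. All addresses, prefixes, the customer port and the 32-byte query size are constructed assumptions; the 264-byte reply is the “MSG SIZE rcvd” from the dig output above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges); none are real hosts.
VICTIM = "198.51.100.10"     # every reflected reply lands here
RESOLVER = "203.0.113.53"    # the recursive DNS server the bots query
BOT_ISP_PORT = "A"           # the ISP customer port the infected PCs sit behind
# Prefixes legitimately assigned to each customer port at the bots' ISP.
INGRESS_PREFIXES = {"A": [ipaddress.ip_network("192.0.2.0/24")]}
# The resolver operator's own users (assumed to be the same prefix).
RESOLVER_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]

QUERY_SIZE = 32       # bytes: a minimal "www.google.com A" query (constructed)
RESPONSE_SIZE = 264   # bytes: the "MSG SIZE rcvd" shown in the dig output


@dataclass(frozen=True)
class Packet:
    src: str   # source address as claimed in the packet header
    dst: str
    size: int  # bytes on the wire


def bcp38_permits(port: str, pkt: Packet) -> bool:
    """Ingress (source) filtering per BCP38: a packet entering on a customer
    port may only carry a source address from that customer's prefixes."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INGRESS_PREFIXES.get(port, []))


def resolver_reply(pkt, allowed_clients, reply_budget, replies_sent):
    """Model of a recursive DNS server. Returns the reply packet or None.
    allowed_clients=None and reply_budget=None is the misconfigured 'open'
    resolver; otherwise it refuses strangers and caps replies per source."""
    client = ipaddress.ip_address(pkt.src)
    if allowed_clients is not None and not any(client in n for n in allowed_clients):
        return None   # REFUSED: we only serve our own users
    replies_sent[pkt.src] = replies_sent.get(pkt.src, 0) + 1
    if reply_budget is not None and replies_sent[pkt.src] > reply_budget:
        return None   # response rate limit for this (spoofed) source reached
    return Packet(src=pkt.dst, dst=pkt.src, size=RESPONSE_SIZE)


def run_attack(bots, queries_per_bot, isp_filters, allowed_clients=None,
               reply_budget=None):
    """Steps 1-4 of the article: every bot sends queries whose source address
    is forged as the victim. Returns (bytes bots sent, bytes victim received)."""
    sent = received = 0
    replies_sent = {}
    for _ in range(bots):
        for _ in range(queries_per_bot):
            q = Packet(src=VICTIM, dst=RESOLVER, size=QUERY_SIZE)
            sent += q.size
            if isp_filters and not bcp38_permits(BOT_ISP_PORT, q):
                continue   # step 3 fixed: the spoofed packet never leaves the ISP
            reply = resolver_reply(q, allowed_clients, reply_budget, replies_sent)
            if reply is not None and reply.dst == VICTIM:
                received += reply.size   # step 4: reflected and amplified
    return sent, received


def amplification(sent: int, received: int) -> float:
    """Bytes delivered to the victim per byte the attacker's bots emitted."""
    return received / sent if sent else 0.0


if __name__ == "__main__":
    scenarios = [
        ("negligent ISP, open resolver", dict(isp_filters=False)),
        ("BCP38 applied at the ISP", dict(isp_filters=True)),
        ("resolver answers own clients only",
         dict(isp_filters=False, allowed_clients=RESOLVER_CLIENTS)),
        ("resolver rate-limited to 5 replies", dict(isp_filters=False, reply_budget=5)),
    ]
    for label, kwargs in scenarios:
        s, r = run_attack(100, 10, **kwargs)
        print(f"{label:38s} sent={s:6d}B victim_got={r:6d}B x{amplification(s, r):.2f}")
```

Either remedy alone is enough to take the victim's received volume to zero in this model, which is why the article singles out BCP38 as the single most important action.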

But Who Is Responsible?

It is easy to get distracted by the problems caused by those leaving poorly configured routers and insecure PCs lying around on the Internet. Whilst their owners are responsible for effectively leaving tools around that attackers can use (and all too often do use), they are not directly responsible for the attack.

The attacker is.

But who were they?

The fairly credible rumours are that the attackers were either Cyberbunker or Stophaus.com, as part of a campaign against the actions of Spamhaus. Various criminals behind the flood of spam targeting your mailbox with all sorts of rubbish have long complained about the actions of Spamhaus, as they try and prevent spam arriving. And Cyberbunker is an ISP dedicated to providing hosting to services that may get shut down elsewhere – they deal with anyone except paedophiles and terrorists, which leaves a whole world of swamp dwellers that you would really rather not know about. And spammers.

Who Are Spamhaus?

Spamhaus are subject to a great deal of black propaganda – including accusations of blackmail, extortion, censorship, and probably kicking cats too. The reason? They help identify spammers, so that ISPs can choose to block spam.

Spammers are somewhat irritated by this – their business model relies on polluting your mailbox so that the 1% (or so) of people who do respond to spam is a large enough number that they can carry on making money. And they get irritated very quickly if someone tries to interfere with their “right” to use your inbox to make money.

Mail server operators have long been blocking spammers using a whole variety of methods, and some of the best collaborated on producing lists of addresses of spammers that others could use. These evolved into DNS based RBLs, and one of the most respected groups of volunteers became known as Spamhaus.

You may be thinking that you still get plenty of spam, so they cannot be doing too great a job. But :-

  1. You may be with an ISP that chooses not to use Spamhaus.
  2. You don’t see the spam that gets blocked. Even if you see dozens of spam messages a day, you may be seeing only 5% of the spam that was sent your way.

It is telling that amongst those in the know, those who deal with spam and Internet abuse in general, there is practically nobody who thinks of Spamhaus as anything other than the good guys.


Mar 24 2013

The above links to an interesting browser which allows zooming and selection of different data sets. It’s worth a look if you’re into that sort of thing. Although it’s rather surprising that it doesn’t like IPv6 addresses!

The most controversial thing about this map of the Internet gathered during 2012, is that it was produced with the aid of a botnet or in other words this researcher stole the resources they needed. Which is obviously wrong – no matter how good the cause – but now that it has been done, there is no reason not to look at the results (whilst wrong this isn’t really evil).

The first interesting discovery here is that this anonymous researcher managed to write a simple virus that would load the Internet scanner onto many devices with default passwords set – admin accounts with “admin” as the password, root accounts with “root” as the password, etc. You would have thought that such insecure devices would have been driven off the Internet by now, but it turns out not to be the case – there are at least 420,000 of them!

You could even argue that the owners of such machines are asking to have their devices controlled by anyone who wants to. Perhaps a little extreme, but certainly some people think so or this Internet survey wouldn’t exist.

But now the results. If you look at the default settings in the browser above, you will encounter large swathes of black squares where apparently nothing is in use. The trouble is that whilst it is true that an IP address that is pingable, or has ports open, is “in use”, an IP address that is merely registered in the DNS may or may not be in use, and finally unregistered IP addresses that do not appear to do anything may very well still be in use.

Essentially the whole exercise hasn’t really said much about how much of the Internet address space is in use, although that is not to say that the results are not useful.

One special point to make is that many of the large black squares that appear unused are allocated to organisations that may very well want to have proper IP addresses that are not connected to the global Internet. That is not wrong in any way – before the widespread adoption of NAT, it was common and indeed recommended that organisations obtain a public IP address before they were connected to the Internet to avoid duplicate network addresses appearing. And an organisation that legitimately obtained an old “class A” has no obligation to return the “unused” network addresses to the unallocated pool. And even if they did, it would not make a big difference; we would still run out of addresses.

The answer to the shortage of IPv4 addresses is IPv6.