Warren Myers : automatically extract email attachments with common linux tools

April 24, 2014 03:53 PM

I had need to automatically process emails to a specific address to pull attachments out, and this is how I did it:

$ yum install mpack

$ cat extract-attach.sh 
#!/bin/bash
set -e                                # stop on the first failure instead of continuing
shopt -s nullglob                     # a glob that matches nothing expands to nothing
new=(~/Maildir/new/*)                 # empty array when no message is waiting
[ ${#new[@]} -gt 0 ] || exit 0        # nothing to do on this run
rm -rf ~/attachtmp
mkdir ~/attachtmp
mv "${new[@]}" ~/attachtmp
cd ~                                  # munpack writes into the current directory
munpack ~/attachtmp/*
rm -rf ~/attachtmp

$ crontab -l
*/5 * * * *	~/extract-attach.sh

Why, you may ask? Because I get a report a few times per day to the email address in question.


Note – this runs in my crontab every 5 minutes on a CentOS 6 x64 server; I’m sure the process is similar/identical on other distros, but I haven’t personally tried.
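
As an added example (not from the original post), here is the same Maildir sweep written in Python with the standard library's email module instead of munpack. The point it adds is that attachment filenames are chosen by whoever sent the mail, so the script reduces each one to a single safe path component before writing it, and refuses to let a name decide where the file lands; it also never overwrites an earlier attachment silently. The sample message, the Maildir filename and the function names are all constructed for the example.

```python
import email
import os
import re
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path
from typing import List, Optional


def build_sample_message() -> bytes:
    """Constructed sample: a text body plus two attachments, one with a hostile name."""
    msg = EmailMessage()
    msg["From"] = "reports@example.invalid"
    msg["To"] = "attach@example.invalid"
    msg["Subject"] = "daily report"
    msg.set_content("See attached.")
    msg.add_attachment(b"col1,col2\n1,2\n", maintype="text", subtype="csv",
                       filename="report.csv")
    msg.add_attachment(b"not a real key", maintype="application",
                       subtype="octet-stream",
                       filename="../../.ssh/authorized_keys")
    return msg.as_bytes()


def safe_filename(name: Optional[str], fallback: str) -> str:
    """Reduce a sender-supplied filename to one safe path component."""
    if not name:
        return fallback
    base = os.path.basename(name.replace("\\", "/"))  # drop any directory part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)      # conservative character set
    if base in ("", ".", "..") or base.startswith("."):
        return fallback                               # no empty or hidden names
    return base


def extract_attachments(raw: bytes, outdir: Path) -> List[str]:
    """Write every attachment of one message into outdir and return the names used."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for i, part in enumerate(msg.iter_attachments()):
        name = safe_filename(part.get_filename(), f"attachment-{i}.bin")
        target = outdir / name
        n = 1
        while target.exists():                        # never overwrite silently
            target = outdir / f"{n}-{name}"
            n += 1
        # belt and braces: the final path must sit directly inside outdir
        assert target.resolve().parent == outdir.resolve()
        target.write_bytes(part.get_payload(decode=True))
        written.append(target.name)
    return written


def process_maildir(maildir: Path, outdir: Path) -> List[str]:
    """Mirror the cron script: consume Maildir/new, extract, then remove the messages."""
    names: List[str] = []
    for path in sorted((maildir / "new").iterdir()):
        names += extract_attachments(path.read_bytes(), outdir)
        path.unlink()
    return names


def demo() -> List[str]:
    """Run the sweep on a throwaway Maildir holding the constructed message."""
    with tempfile.TemporaryDirectory() as tmp:
        maildir = Path(tmp) / "Maildir"
        (maildir / "new").mkdir(parents=True)
        (maildir / "new" / "1398350000.M1P1.host").write_bytes(build_sample_message())
        return process_maildir(maildir, Path(tmp) / "attachments")


if __name__ == "__main__":
    print(demo())
```

Pointed at a real `~/Maildir` and an output directory of your choice, `process_maildir` does what the cron job above does; the hostile second attachment in the sample ends up as a plain `authorized_keys` file inside the output directory rather than anywhere else.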

Mark Turner : Raleigh tops list of shallow single men?

April 24, 2014 02:53 AM

Raleigh ranked tops in one category it might have wished to have avoided. My single female friends were nodding in agreement last week when dating service Zoosk proclaimed Raleigh to be the least open-minded dating city in America. Even Birmingham, Alabama, is more open-minded, folks.

Zoosk claims it analyzed one million conversations between the singles who use its service and ranked cities based on how willing someone was to date someone different than themselves. Raleigh ranks last in single men’s attitudes about age and college degrees.

Now, I’m leery of any infographic-driven website. Anyone who’s used Facebook lately knows that numbered lists are sure-fire clickbait: people love to read numbered lists. Mention a few major cities in that list and you’ve got a sure-fire recipe for free PR. Also, with only an infographic to go by and no real data, we’re left wondering how these conclusions were drawn.

It all sounds like a publicity stunt. At the very least, since Zoosk draws its information from its user base, it is really nothing more than a reflection of its users. Perhaps Raleigh’s single men who use Zoosk are simply … well, losers.

Now, back when I was single in Raleigh (you know, before the Internet), my complaint was that there were not enough women around. Too many male engineering geeks crowded the Hillsborough Street bars. Fortunately, Raleigh gained some higher-quality clubs and diversified its job market a bit (I would have preferred that more women would have chosen engineering careers since I find female geeks quite attractive, but I digress) and going out became somewhat less of a swordfight.

There are obviously plenty of men who go the young bimbo route (or, at least, there are men like this who also use Zoosk), but looks alone were never my thing. I think that’s the same for many men, Raleigh ladies, so don’t despair. Keep those standards high, keep your heads up, and stay the hell away from Zoosk if you want to find the right guy!

Warren Myers : kingmakers by karl ernest meyer and shareen blair brysac

April 23, 2014 01:41 PM

Karl Ernest Meyer and Shareen Blair Brysac present what should be a fascinating history of the modern Middle East in their recent book Kingmakers: The Invention of the Modern Middle East.

I have been interested in Middle Eastern history (ancient and modern) for many years, and so was excited to see this book as I was browsing my local library recently. A couple years ago I read Gideon’s Spies. And I have read various articles, books, and treatises that either focus on the Middle East, or reference it in less-than-passing ways over the years.

Sadly, like so many other books I’ve read in the recent past, Kingmakers stays too academic to read comfortably. I couldn’t get through more than a couple chapters before deciding I would learn more about Middle Eastern history from Al Jazeera and Wikipedia than from this book.

Mark Turner : I has the penalty for public services

April 22, 2014 04:13 PM

Oh noes!!1! I got an urgent email today from the Chief of Texas Department of Revenue. It seems I has the penalty for public services, whatever that means. And, differently I’ll obtain court claim. I sure don’t want that happening!

Good morning!
You has the penalty for public services.
Total: $300.70

===Detailed notice is in the attached file===

You gotta check out paper before: August 26th 2014.
Differently you’ll obtain court claim.

Yours truly,
Chief of Texas Department of Revenue.
Jamal Ortiz
+1 (580) 196-17-52

This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

No threats found in this notification.
Checked by BitDefender.

Phishers crack me up.

Warren Myers : setting up an unreal irc server on centos 6

April 22, 2014 03:14 PM

Ever want to run an IRC server? I recently set one up at irc.datente.com using a Digital Ocean VM running CentOS 6.5 x64.

Here’s what I did, if you want to replicate the process for yourself (full documentation available from Unreal’s website):

  • acquire CentOS 6.5 x64 server (as I mentioned, I used Digital Ocean)
  • `yum -y install screen wget gcc`
  • `yum -y upgrade`
  • `adduser unreal`
  • `su - unreal`
  • download Unreal to your server (http://www.unrealircd.com/downloads/unreal/source – `wget http://www.unrealircd.com/downloads/Unreal3.2.10.2.tar.gz`)
  • `tar zxf Unreal*.gz`
  • `cd Unreal*`
  • `make clean`
  • `./Config`
    • answer prompts – most can be left default
  • `make`
  • `cp doc/example.conf unrealircd.conf`
  • edit unrealircd.conf (use your editor of choice)
    • see sample config file below for what I did (minus passwords / emails)
  • if all has gone well, start Unreal
    • `screen ./unreal start`
  • create a startup script to ensure Unreal launches on reboot as user `unreal`

That’s it. Thankfully, while the config file isn’t pleasant to play with, it’s a lot better than it used to be.

loadmodule "src/modules/commands.so";
loadmodule "src/modules/cloak.so";

include "help.conf";
include "badwords.channel.conf";
include "badwords.message.conf";
include "badwords.quit.conf";
include "spamfilter.conf";

me
{
        name "your.irc.server.tld";
        info "Your IRC Server";
        numeric 1;
};

admin {
        "Your Name";
        "yournick";
        "your@email.tld";
};

class           clients
{
        pingfreq 90;
        maxclients 500;
        sendq 100000;
        recvq 8000;
};

class           servers
{
        pingfreq 90;
        maxclients 10;          /* Max servers we can have linked at a time */
        sendq 1000000;
        connfreq 100; /* How many seconds between each connection attempt */
};

allow {
        ip             *@*;
        hostname       *@*;
        class           clients;
        maxperip 25;
};

/* Passworded allow line */
allow {
        ip             *@255.255.255.255;
        hostname       *@*.passworded.ugly.people;
        class           clients;
        password "f00Ness";
        maxperip 1;
};

allow channel {
        channel "#WarezSucks";
        class "clients";
};

oper youroperatornick {
        class           clients;
        from {
                userhost bob@smithco.com;
        };
        password "yourpassword";
        flags
        {
                netadmin;
                can_zline;
                can_gzline;
                can_gkline;
                global;
        };
};

listen         *:6697
{
        options
        {
// uncomment this line if you chose to compile Unreal with SSL support
//              ssl;
                clientsonly;
        };
};

listen         *:8067;
listen         *:6667;

/* not linking to any other servers right now
link            hub.mynet.com
{
        username        *;
        hostname        1.2.3.4;
        bind-ip         *;
        port            7029;
        hub             *;
        password-connect "LiNk";
        password-receive "LiNk";
        class           servers;
                options {
                        /* Note: You should not use autoconnect when linking services */
                        autoconnect;
                        ssl;
                        zip;
                };
};
*/

ulines {
        services.roxnet.org;
        stats.roxnet.org;
};

drpass {
        restart "I-love-to-restart";
        die "die-you-stupid";
};

log "ircd.log" {
        /* Delete the log file and start a new one when it reaches 20MB, leave this out to always use the 
           same log */
        maxsize 20971520;
        flags {
                oper;
                connects;
                server-connects;
                kills;
                errors;
                sadmin-commands;
                chg-commands;
                oper-override;
                spamfilter;
        };
};

alias NickServ { type services; };
alias ChanServ { type services; };
alias OperServ { type services; };
alias HelpServ { type services; };
alias StatServ { type stats; };

alias "identify" {
        format "^#" {
                target "chanserv";
                type services;
                parameters "IDENTIFY %1-";
        };
        format "^[^#]" {
                target "nickserv";
                type services;
                parameters "IDENTIFY %1-";
        };
        type command;
};

alias "services" {
        format "^#" {
                target "chanserv";
                type services;
                parameters "%1-";
        };
        format "^[^#]" {
                target "nickserv";
                type services;
                parameters "%1-";
        };
        type command;
};

alias "identify" {
        format "^#" {
                target "chanserv";
                type services;
                parameters "IDENTIFY %1-";
        };
        format "^[^#]" {
                target "nickserv";
                type services;
                parameters "IDENTIFY %1-";
        };
        type command;
};

alias "glinebot" {
        format ".+" {
                command "gline";
                type real;
                parameters "%1 2d Bots are not allowed on this server, please read the faq at http://www.example.com/faq/123";
        };
        type command;
};

files
{
        /* The Message Of The Day shown to users who log in: */
        /* motd ircd.motd; */

        /*
         * A short MOTD. If this file exists, it will be displayed to
         * the user in place of the MOTD. Users can still view the
         * full MOTD by using the /MOTD command.
         */
        /* shortmotd ircd.smotd; */

        /* Shown when an operator /OPERs up */
        /* opermotd oper.motd; */

        /* Services MOTD append. */
        /* svsmotd ircd.svsmotd; */

        /* Bot MOTD */
        /* botmotd bot.motd; */

        /* Shown upon /RULES */
        /* rules ircd.rules; */

        /*
         * Where the IRCd stores and loads a few values which should
         * be persistent across server restarts. Must point to an
         * existing file which the IRCd has permission to alter or to
         * a file in a folder within which the IRCd may create files.
         */
        /* tunefile ircd.tune; */

        /* Where to save the IRCd's pid. Should be writable by the IRCd. */
        /* pidfile ircd.pid; */
};

/*
tld {
        mask *@*.fr;
        motd "ircd.motd.fr";
        rules "ircd.rules.fr";
};
*/

/* note: you can just delete the example block above,
 * in which case the defaults motd/rules files (ircd.motd, ircd.rules)
 * will be used for everyone.
 */

ban nick {
        mask "*C*h*a*n*S*e*r*v*";
        reason "Reserved for Services";
};

ban ip {
        mask 195.86.232.81;
        reason "Delinked server";
};

ban server {
        mask eris.berkeley.edu;
        reason "Get out of here.";
};

ban user {
        mask *tirc@*.saturn.bbn.com;
        reason "Idiot";
};

ban realname {
        mask "sub7server";
        reason "sub7";
};

except ban {
        /* don't ban stskeeps */
        mask           *stskeeps@212.*;
};

deny dcc {
        filename "*sub7*";
        reason "Possible Sub7 Virus";
};

deny channel {
        channel "*warez*";
        reason "Warez is illegal";
        class "clients";
};

vhost {
        vhost           i.hate.microsefrs.com;
        from {
                userhost       *@*.image.dk;
        };
        login           stskeeps;
        password        moocowsrulemyworld;
};

set {
        network-name            "Datente";
        default-server          "irc.datente.com";
        services-server         "irc.datente.com";
        stats-server            "irc.datente.com";
        help-channel            "#datente";
        hiddenhost-prefix       "rox";
        /* prefix-quit          "no"; */
        /* Cloak keys should be the same at all servers on the network.
         * They are used for generating masked hosts and should be kept secret.
         * The keys should be 3 random strings of 5-100 characters
         * (10-20 chars is just fine) and must consist of lowcase (a-z),
         * upcase (A-Z) and digits (0-9) [see first key example].
         * HINT: On *NIX, you can run './unreal gencloak' in your shell to let
         *       Unreal generate 3 random strings for you.
         */
        cloak-keys {
                "aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";
                "aaAr1HnR6gl3sJ7hVz4Zb7x4YwpW";
                "aeAr1HnR6gl3sJ7hVz4Zb7x4YwpW";
        };
        /* on-oper host */
        hosts {
                local           "locop.roxnet.org";
                global          "ircop.roxnet.org";
                coadmin         "coadmin.roxnet.org";
                admin           "admin.roxnet.org";
                servicesadmin   "csops.roxnet.org";
                netadmin        "netadmin.roxnet.org";
                host-on-oper-up "no";
        };
};

set {
        kline-address "your@email.tld";
        modes-on-connect "+ixw";
        modes-on-oper    "+xwgs";
        oper-auto-join "#opers";
        options {
                hide-ulines;
                /* You can enable ident checking here if you want */
                /* identd-check; */
                show-connect-info;
        };

        maxchannelsperuser 10;
        /* The minimum time a user must be connected before being allowed to use a QUIT message,
         * This will hopefully help stop spam */
        anti-spam-quit-message-time 10s;
        /* Make the message in static-quit show in all quits - meaning no
           custom quits are allowed on local server */
        /* static-quit "Client quit";   */

        /* You can also block all part reasons by uncommenting this and say 'yes',
         * or specify some other text (eg: "Bye bye!") to always use as a comment.. */
        /* static-part yes; */

        /* This allows you to make certain stats oper only, use * for all stats,
         * leave it out to allow users to see all stats. Type '/stats' for a full list.
         * Some admins might want to remove the 'kGs' to allow normal users to list
         * klines, glines and shuns.
         */
        oper-only-stats "okfGsMRUEelLCXzdD";

        /* Throttling: this example sets a limit of 3 connection attempts per 60s (per host). */
        throttle {
                connections 3;
                period 60s;
        };

        /* Anti flood protection */
        anti-flood {
                nick-flood 3:60;        /* 3 nickchanges per 60 seconds (the default) */
        };

        /* Spam filter */
        spamfilter {
                ban-time 1d; /* default duration of a *line ban set by spamfilter */
                ban-reason "Spam/Advertising"; /* default reason */
                virus-help-channel "#help"; /* channel to use for 'viruschan' action */
                /* except "#help"; channel to exempt from filtering */
        };
};


Warren Myers : conference connectivity

April 21, 2014 06:36 PM

My friend Trent posted last week, “[m]eeting organizer Protip: select a location that gets cell phone service.”.

I am fairly certain I disagree. I disagree with Joel Spolsky on this, too.

If you are organizing a meeting, conference, or the like, there should ONLY be connectivity if you want your attendees to ignore the meeting – whether they ignore it by live-tweeting or by playing Angry Birds, having access to the internet (or your cell phone) during meetings is bound to end poorly.

If you’re 100% OK with attendees missing >90% of what is said/shared/taught, then go ahead and ensure connectivity. If the purpose of the event is primarily a networking and socialization one, and the presentation content is only there to help enable those other two activities, then by all means ensure your attendees can get online.

But if your intent is for attendees to remember what they hear and use it later, you’re far better off ensuring they cannot get online easily (if at all).

Warren Myers : 35 great questions, part 3

April 20, 2014 01:14 PM

Part 3 of 5 in my condensed reprint of Inc’s article, “35 Great Questions” from the April 2014 issue. (part 1, part 2)

  1. Are we changing as fast as the world around us? –Gary Hamel
  2. If no one would ever find out about my accomplishments, how would I lead differently? –Adam Grant
  3. Which customers can’t participate in our market because they lack skills, wealth, or convenient access to existing solutions? –Clayton Christensen
  4. Who uses our product in ways we never expected? –Kevin P Coyne & Shawn T Coyne
  5. How likely is it that a customer would recommend our company to a friend or colleague? –Andrew Taylor
  6. Is this an issue for analysis or intuition? –Tom Davenport
  7. Who, on the executive team or the board, has spoken to a customer recently? –James Champy

Scott Schulz : Tweet: Just noticed that CoCoRaHs finally has an app! No…

April 19, 2014 11:23 AM

Just noticed that CoCoRaHs finally has an app! Now that will make things easier #ncwx

Scott Schulz : Tweet: Watching Peter Pan from the Milwaukee Ballet Compa…

April 19, 2014 01:08 AM

Watching Peter Pan from the Milwaukee Ballet Company – Good end to the day

Scott Schulz : Tweet: Mowed the lawn, cleaned my portion of the house. V…

April 18, 2014 08:59 PM

Mowed the lawn, cleaned my portion of the house. Vacation days are hard work!

Mark Turner : Plane truths

April 18, 2014 04:02 PM

The Manhattan skyline appears in the windshield of a Vamoose bus.


Last week I was booking a flight for my upcoming business trip to California when I discovered to my surprise that Southwest Airlines, long my airline of choice, offered fares twice as expensive as the lowest airfare. My company’s travel booking system actually wouldn’t let me book a Southwest flight because it was too expensive. I never thought I would ever get in trouble with my boss for booking Southwest, but it’s reached that point.

We’re on the road today to New York City by way of bus from DC. The bus is less than a year old, it’s quiet, clean, comfortable, and there are AC power outlets under each seat. Free WiFi, too, and we can make mobile calls anytime we want. I didn’t know what to expect when we began talking about a bus trip but I’ve been pleasantly surprised.

Putting these two ideas together, I mused to Kelly how perhaps these bus lines owe at least part of their renewed success to Southwest’s decision not to be the “bus of the skies” any more. Or perhaps travelers have simply gotten fed up with the unbelievable hassle of air travel and have sought out more civilized means of travel.

Yes, I never thought I’d say it, but traveling by bus may be preferable to travel by air. Are the high-flying days of air travel over?

Scott Schulz : Tweet: Interesting “upgrade” from @Linode :) — “vCPUs go…

April 18, 2014 12:46 PM

Interesting “upgrade” from @linode :) — “vCPUs go from 8 vCPUs → 2 vCPUs”

Warren Myers : print-at-home plans

April 18, 2014 12:18 PM

Someone needs to start a business selling print-at-home furniture/home-improvement plans that include parts lists (and, ideally, costs) from their local Lowes / Home Depot / TrueValue / Ace / etc.

Most folks who want to tackle small projects don’t want to buy books or magazines that may (or may not) include what they’re interested in – but which will definitely include loads of stuff they’re not.

Having a simple webstore that offered complete build instructions, parts lists, and approximate costs (both dollars and time) would be awesome.

I’m thinking something like an on-demand version of eMeals, but for your workshop.

Eric Christensen : 256 Bits of Security

April 17, 2014 02:25 PM

This is an incomplete discussion of SSL/TLS authentication and encryption.  This post only goes into RSA and does not discuss DHE, PFS, elliptic-curve, or other mechanisms.

In a previous post I created a 15,360-bit RSA key and timed how long it took to create the key.  Some may have thought that was some sort of stunt to check processor speed.  I mean, who needs an RSA key of such strength?  Well, it turns out that if you actually need 256 bits of security then you’ll actually need an RSA key of this size.

According to NIST (SP 800-57, Part 1, Rev 3), to achieve 256 bits of security you need an RSA key of at least 15,360 bits to protect the symmetric 256-bit cipher that’s being used to secure the communications (SSL/TLS).  So what does the new industry-standard RSA key size of 2048 bits buy you?  According to the same document that 2048-bit key buys you 112 bits of security.  Increasing the bit strength to 3072 will bring you up to the 128 bits that most people expect to be the minimum protection.  And this is assuming that the certificate and the certificate chain are all signed using a SHA-2 algorithm (SHA-1 only gets you 80 60 bits of security when used for digital signatures and hashes).

So what does this mean for those websites running AES-256 or CAMELLIA-256 ciphers?  They are likely wasting processor cycles and not adding to the overall security of the circuit.  I’ll make two examples of TLS implementations in the wild.

First, we’ll look at wordpress.com.  This website is protected using a 2048-bit RSA certificate, signed using SHA-256, and using the AES-128 cipher.  This represents 112 bits of security because of the limitation of the 2048-bit key.  The certificate is properly chained back to the GoDaddy CA, whose root and intermediate certificates are all 2048 bits and signed using SHA-256.  Even though there is reduced security when using the 2048-bit key, it’s likely more efficient to use the AES-128 cipher than any other due to the hardware acceleration typically found in computers nowadays.

Next we’ll look at one of my domains: christensenplace.us.  This website is protected using a 2048-bit RSA certificate, signed using SHA-1, and using the CAMELLIA-256 cipher.  This represents 80 60 bits of security due to the limitation of the SHA-1 signature used on the certificate and the CA and intermediate certificates from AddTrust and COMODO CA.  My hosting company uses both the RC4 cipher and the CAMELLIA-256 cipher.  In this case the CAMELLIA-256 cipher is a waste of processor cycles since the certificates used aren’t nearly strong enough to support such encryption.  I block RC4 in my browser as RC4 is no longer recommended to protect anything.  I’m not really sure exactly how much security you’ll get from using RC4 but I suspect it’s less than SHA-1.

So what to do?  Well, if system administrators are concerned with performance then using a 128-bit cipher (like AES-128) is a good idea.  For those that are concerned with security, using a 3072-bit RSA key (at a minimum) will give you 128 bits of security.  If you feel you need more bits of security than 128 then generating a solid, large RSA key is the first step.  Deciding how many bits of security you need all depends on how long you want the information to be secure.  But that’s a post for another day.
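
As an added illustration (not part of the original post), the weakest-link reasoning above carried out in Python. The strength tables are transcribed from NIST SP 800-57 Part 1 Rev. 3, Tables 2 and 3, the document the post cites; note that the NIST table credits a SHA-1 signature with a nominal 80 bits, whereas the post argues for a lower practical figure. The two hosts are the ones the post examines, with the chain sizes and hashes as the post describes them; the function names are my own, and counting the root’s self-signature as a link is a simplification that follows the post rather than a rule from the standard.

```python
from typing import Dict, Sequence, Tuple

# Comparable security strengths in bits, from NIST SP 800-57 Part 1 Rev. 3,
# Tables 2 and 3. Keys are RSA modulus sizes, hash names as used for digital
# signatures, and symmetric cipher names.
RSA_STRENGTH: Dict[int, int] = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
SIGNATURE_HASH_STRENGTH: Dict[str, int] = {
    "sha1": 80, "sha224": 112, "sha256": 128, "sha384": 192, "sha512": 256}
SYMMETRIC_STRENGTH: Dict[str, int] = {
    "2tdea": 80, "3tdea": 112, "aes128": 128, "camellia128": 128,
    "aes192": 192, "aes256": 256, "camellia256": 256}


def rsa_strength(modulus_bits: int) -> int:
    """Strength credited to an RSA key: the largest table row whose size it meets."""
    met = [s for k, s in RSA_STRENGTH.items() if modulus_bits >= k]
    return max(met) if met else 0


def rsa_bits_for(security_bits: int) -> int:
    """Smallest tabulated RSA modulus that gives at least security_bits."""
    for k, s in sorted(RSA_STRENGTH.items()):
        if s >= security_bits:
            return k
    raise ValueError("beyond the SP 800-57 table")


def effective_strength(chain_rsa_bits: Sequence[int], chain_sig_hashes: Sequence[str],
                       cipher: str) -> Tuple[int, str]:
    """
    Weakest link of an RSA-authenticated TLS connection: every key in the chain,
    every signature hash in the chain, and the bulk cipher.
    Returns (bits, description of the limiting component).
    """
    parts: Dict[str, int] = {}
    for i, bits in enumerate(chain_rsa_bits):
        parts[f"rsa-{bits} key (cert {i})"] = rsa_strength(bits)
    for i, h in enumerate(chain_sig_hashes):
        parts[f"{h} signature (cert {i})"] = SIGNATURE_HASH_STRENGTH[h.lower()]
    parts[f"{cipher} cipher"] = SYMMETRIC_STRENGTH[cipher.lower()]
    weakest = min(parts, key=parts.get)
    return parts[weakest], weakest


def cipher_exceeds_authentication(chain_rsa_bits: Sequence[int],
                                  chain_sig_hashes: Sequence[str], cipher: str) -> bool:
    """True when the bulk cipher is stronger than the keys and signatures behind it."""
    auth = min([rsa_strength(b) for b in chain_rsa_bits] +
               [SIGNATURE_HASH_STRENGTH[h.lower()] for h in chain_sig_hashes])
    return SYMMETRIC_STRENGTH[cipher.lower()] > auth


if __name__ == "__main__":
    # The two configurations described in the post: leaf, intermediate, root.
    cases = {
        "wordpress.com": ([2048] * 3, ["sha256"] * 3, "aes128"),
        "christensenplace.us": ([2048] * 3, ["sha1"] * 3, "camellia256"),
    }
    for host, (keys, hashes, cipher) in cases.items():
        bits, limit = effective_strength(keys, hashes, cipher)
        print(f"{host}: {bits} bits, limited by {limit}; cipher stronger than "
              f"authentication: {cipher_exceeds_authentication(keys, hashes, cipher)}")
    print("RSA bits needed for 256-bit security:", rsa_bits_for(256))
```

`rsa_bits_for(256)` returns the 15,360 the post started from, and `cipher_exceeds_authentication` is the post’s “wasting processor cycles” test: it is true even for wordpress.com, because AES-128 already outstrips a 2048-bit key, which is why the post settles on 3072-bit RSA as the minimum for a genuine 128 bits.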


Warren Myers : why nations fail by daron acemoglu and james a robinson

April 16, 2014 02:23 PM

I first came across Why Nations Fail at my local Half Price Books. After seeing it on the shelves a couple times, but still being unsure about whether I really wanted to read it or not, I reserved it at my local library.

Now I wish I had bought it (and likely will) – Daron Acemoglu & James A Robinson, while sometimes slipping into an academic, journalistic tone, present a fantastic historical, economic, cultural, and international view into the similarities, and differences, of “national” failures around the world over the last several centuries.

They spend a great deal of time expounding on the differences of countries that succeed and those that don’t – and offer insights into how failing nations could, potentially, turn themselves around.

Interestingly, the factors that play into national success and failure are similar throughout history – critical junctures, inclusive/pluralistic political and economic environments vs extractive/exclusive political and economic structures, empowered citizenries, overbearing rulers, literacy, economic incentives (positive and negative), etc.

The Iron Law of Oligarchy:

the overthrow of a regime presiding over extractive institutions heralds the arrival of a new set of masters to exploit the same set of pernicious extractive institutions (p366)

My recommendation? Buy it. Read it. Share it. The background and conclusions this book presents and reaches should be required reading for anyone who wants to see their nation “do better” – politicians, businessmen, citizens, NGOs: all would benefit from applying what is demonstrated in this excellent work.

  • Quality of writing: 4/5
  • Quality of content: 4.5/5
  • Historicity: 5/5
  • Educational value 4.5/5
  • Overall: 4.5/5

Mark Turner : Exhibit B for sloppy N&O editing

April 16, 2014 01:39 PM

Well, that didn’t take long. No sooner did I complain about a glaring error in the Sunday Midtown Raleigh News than I found a big error in today’s print edition. A story about the opening of the newly-renovated Terminal 1 at RDU Airport carried a headline referencing Terminal 2. This wasn’t a long, wonky story but one maybe ten paragraphs long, so there’s no excuse for the editor not being able to quickly scan the story and see which terminal was being discussed.

Sloppy, sloppy, sloppy. Come on, N&O. Get it together!

Scott Schulz : Tweet: 1.44 inches of rain at the homestead yesterday. On…

April 16, 2014 11:19 AM

1.44 inches of rain at the homestead yesterday. On the lookout for sparkly vampires.

Mark Turner : New York City bound

April 16, 2014 11:09 AM

As I mentioned, the Turners are on the move again. And, as usual, we’re all headed in different directions, at least initially.

Hallie left for school at 4 AM for her bus trip to New York City, where she and her fellow Ligon Middle School orchestra members will play Carnegie Hall Saturday night. An hour later, Kelly took Travis to his Conn Elementary school field trip to Fort Fisher. I’m staying here for work before heading to a fundraiser for Kay Hagan this evening.

Thursday night, Kelly, Travis, and I will travel to Kelly’s parents’ home (leaving the Rottweilers to guard the home while we’re away, of course). Friday morning we’ll head to DC to hop a bus which will take us to New York. We’ll stay long enough to watch Hallie’s performance before taking the bus back home.

Oh, and the following week I travel to Sacramento for work: the first business travel I’ve taken in a while. Should be fun.

Mark Turner : Tornado, three years later

April 16, 2014 11:03 AM

Today began for me much the same way it did that Saturday morning exactly three years ago. Then, as now, it was just the dog and me at home while Kelly and the kids were on the road.

Fortunately the similarities end there. This morning’s weather is clear, breezy and very chilly at 34 degrees F with no signs of any tornadoes. In fact, one of the last … er, signs of the tornado in my neighborhood was removed recently. Up until a few weeks ago, a “No Parking” sign stood outside St. Aug’s on a steel post that was twisted almost completely around, a daily reminder of the jaw-dropping power of violent wind.

Sadly, a day before I was to take a picture of it the city replaced the post and sign. Don’t know if I should be sad I missed it or happy the public works department is so on top of things. At any rate, life in East Raleigh is back to normal now.

Mark Turner : Loving the new job

April 16, 2014 01:18 AM

Thursday marks my second week at the new job and, boy, what a difference it is from my last job! I actually have fun at work. No one micromanages me, no stupid mind games are being played. People don’t come into work seemingly to delight in making someone else’s day miserable. Night and day.

Two weeks into my job and I’ve already earned the trust of my colleagues. I’ve already jumped in and begun solving problems. I’ve even offered house-hunting advice to those new to Raleigh. It feels awesome to work someplace that appreciates my contributions.

Above is a photo I took of my team last week. Looks like a fun group, doesn’t it?

Mark Turner : Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers

April 16, 2014 12:11 AM

Good password-choosing advice from Lifehacker. Bottom line: if you can remember your password it isn’t good enough.

Our passwords are much less secure than they were just a few years ago, thanks to faster hardware and new techniques used by password crackers. Ars Technica explains that inexpensive graphics processors enable password-cracking programs to try billions of password combinations in a second; what would have taken years to crack now may take only months or maybe days.

Making matters much worse is hackers know a lot more about our passwords than they used to. All the recent password leaks have helped hackers identify the patterns we use when creating passwords, so hackers can now use rules and algorithms to crack passwords more quickly than they could through simple common-word attacks.

via Your Clever Password Tricks Aren't Protecting You from Today's Hackers.

Mark Turner : N&O runs dedication story a week late

April 15, 2014 07:56 PM

In about ten minutes, a group of people will converge on the entrance to the Walnut Creek Greenway near the Worthdale Community Center. They will wait around in the rain until they become bored for a dedication ceremony that has come and gone, and sloppy editing on the part of the News and Observer is to blame.

Sunday’s Midtown Raleigh News carried a front-page story on the greenway dedication, stating the ceremony would occur Tuesday at 4 PM. The problem is that the ceremony took place last week. The story was correct when it ran a week earlier in the N&O but somehow it landed in Sunday’s Midtown edition without being updated to show the ceremony already took place.

I love the N&O’s spotlight of Raleigh’s parks. I called for more coverage in the past and still think Raleigh citizens value their parks highly enough (and they have invested enough in them ) for parks to merit media coverage. That said, inaccurate coverage might do more harm than no coverage at all.

I wish the N&O would work just a little bit harder on fact-checking its local coverage.

Eric Christensen : Time to generate a 15,360-bit RSA key

April 15, 2014 04:38 PM

$ time openssl genrsa 15360
Generating RSA private key, 15360 bit long modulus

<magic happens>

real    2m39.541s
user    2m39.236s
sys    0m0.006s


Warren Myers : 35 great questions, part 2

April 15, 2014 01:29 PM

Part 2 of 5 in my condensed reprint of Inc’s article, “35 Great Questions” from the April 2014 issue. (part 1)

  1. What counts that we are not counting? –Chip Conley
  2. In the past few months, what is the smallest change we have made that has had the biggest positive result? What was it about that small change that produced the large return? –Robert Cialdini
  3. Are we paying enough attention to the partners our company depends on to succeed? –Ron Adner
  4. What prevents me from making the changes I know will make me a more effective leader? –Marshall Goldsmith
  5. What are the implications of this decision 10 minutes, 10 months, and 10 years from now? –Suzy Welch
  6. Do I make eye contact 100 percent of the time? –Tom Peters
  7. What is the smallest subset of the problem we can usefully solve? –Paul Graham

Warren Myers : you don’t need ideas – you need questions

April 14, 2014 12:32 PM

Paul Graham asserts that startup ideas aren’t what’s important – and, in fact, thinking you need an “idea” is a major roadblock.

Convert your thinking from “idea” to “question”, and you have a potential curiosity to explore, tweak, develop, and deliver.

Your best work is going to come when you’ve thought about the problem but didn’t know you were thinking about it.

So stop trying to get an idea – ask questions, and chase them down.

Warren Myers : discover each man’s thumbscrew – law 33 – #48laws by robert greene

April 13, 2014 12:18 PM

Law 33

Everyone has a weakness, a gap in the castle wall. That weakness is usually an insecurity, an uncontrollable emotion or need; it can also be a small secret pleasure. Either way, once found, it is a thumbscrew you can turn to your advantage. –Robert Greene, The 48 Laws of Power (review)

Warren Myers : don’t blog

April 11, 2014 08:23 PM

to “compete” with others.

There are great reasons to blog – but there are also lousy ones to do it.

If you’re writing because you’re trying to ‘keep up with the Joneses’, so to speak, you’re doing it wrong.

Don’t blog because others do. Don’t blog because others do it better. Blog because you want to. Blog because you have something to say. Blog to learn.

But don’t blog to compete. It’s a game you’ll never “win”.

Warren Myers : 35 great questions, part 1

April 10, 2014 01:23 PM

Part 1 of 5 in my condensed reprint of Inc’s article, “35 Great Questions” from the April 2014 issue.

  1. How can we become the company that would put us out of business? –Danny Meyer
  2. Are we relevant? Will we be relevant five years from now? Ten? –Debra Kaye
  3. If energy were free, what would we do differently? –Tony Hsieh
  4. What is it like to work for me? –Robert Sutton
  5. If we weren’t already in business, would we enter it today? And if not, what are we going to do about it? –Peter Drucker
  6. What trophy do we want on our mantle? –Marcy Massura
  7. Do we have bad profits? –Jonathan L Byrnes

Warren Myers : what viability would a subscription-based social networking service have?

April 09, 2014 04:44 PM

You see stories like this one, and you wonder how Facebook is continuing to make it. So many people I know are either leaving, or reducing their involvement (including myself), that it seems it is destined to be the next MySpace.

Over the past couple years, I have seen companies advertise themselves by giving links like facebook.com/MyCompany. When it’s in addition to your “real” website (MyCompany.com), that’s not a bad thing.

But when it’s the only outlet you give people to interact with you? You’re outsourcing your business to someone else, and hoping they don’t screw you over.

That doesn’t seem too smart to me.

I understand Facebook needs to make money – they are a business, and not a charity (and even if they were the latter, they still need to pay for electricity, engineers, and equipment). But I think that the pure advertising model is not as lucrative as it once was.

Which makes me wonder how successful a subscription-based social network could be: call it something nominal – maybe $10-20 a year, but give users much fuller control over their “experience”: a mashup of MySpace’s crazy customizability, Facebook’s interface, and LinkedIn’s professionalism.

It’s a thought. Anyone want to build one with me?

Mark Turner : Heartbleed Bug

April 09, 2014 11:40 AM

While many news outlets were blathering on about the end of life for Windows XP, a huge hole in OpenSSL was discovered. OpenSSL secures a huge percentage of the Internet, meaning many of the sites you use have been exposed, private keys included.

These revelations, while painful, are very much necessary to create a more secure Internet.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

via Heartbleed Bug.

Bonus link: Bruce Schneier on the Heartbleed bug.
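As an added illustration (not from the post, and not OpenSSL's own code, which is C), the following Python model puts the logic of the flawed heartbeat handler next to the fixed one. The message layout follows RFC 6520; the memory buffer, the “hello” payload and the stand-in private key are constructed for the example. The whole bug is the missing comparison between the length field the peer claims and the length of the record that actually arrived.

```python
"""Python model of the OpenSSL heartbeat bug (CVE-2014-0160) beside its fix.

RFC 6520 heartbeat message layout:
    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
The vulnerable handler trusted payload_length and copied that many bytes starting at
the payload into its reply, regardless of how long the received record really was.
"""

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16


def build_request(payload, claimed_length=None):
    """Encode a heartbeat request. An honest peer sends claimed_length == len(payload);
    the attack sends a tiny payload with a claimed_length of up to 65535."""
    if claimed_length is None:
        claimed_length = len(payload)
    return (bytes([HEARTBEAT_REQUEST]) + claimed_length.to_bytes(2, "big")
            + payload + b"\x00" * MIN_PADDING)


def _read_header(memory, offset):
    hbtype = memory[offset]
    payload_length = int.from_bytes(memory[offset + 1:offset + 3], "big")
    return hbtype, payload_length, offset + 3


def _response(memory, payload_start, payload_length):
    payload = bytes(memory[payload_start:payload_start + payload_length])
    return (bytes([HEARTBEAT_RESPONSE]) + payload_length.to_bytes(2, "big")
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_process_heartbeat(memory, offset, record_length):
    """Pre-fix logic: record_length is never consulted, so the copy runs
    payload_length bytes past the end of the record into neighbouring memory."""
    hbtype, payload_length, payload_start = _read_header(memory, offset)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    return _response(memory, payload_start, payload_length)


def patched_process_heartbeat(memory, offset, record_length):
    """Post-fix logic: two bounds checks before the copy. RFC 6520 says a
    malformed heartbeat is discarded silently, hence the None returns."""
    if record_length < 1 + 2 + MIN_PADDING:            # too short to hold any message
        return None
    hbtype, payload_length, payload_start = _read_header(memory, offset)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > record_length:   # the Heartbleed check
        return None
    return _response(memory, payload_start, payload_length)


def leaked_bytes(response, honest_payload):
    """Whatever the response carries beyond the payload the peer actually sent."""
    payload_length = int.from_bytes(response[1:3], "big")
    return response[3:3 + payload_length][len(honest_payload):]


def demo():
    """Run both handlers over a constructed picture of process memory: the incoming
    record followed by data from other allocations (a stand-in private key here)."""
    honest = b"hello"
    record = build_request(honest, claimed_length=65535)   # lies about its length
    neighbour = b"-----BEGIN RSA PRIVATE KEY----- (constructed stand-in for heap data)"
    memory = bytearray(record) + bytearray(neighbour) + bytearray(70000)
    vulnerable = vulnerable_process_heartbeat(memory, 0, len(record))
    patched = patched_process_heartbeat(memory, 0, len(record))
    honest_record = build_request(honest)
    honest_reply = patched_process_heartbeat(bytearray(honest_record), 0, len(honest_record))
    return {
        "leak": leaked_bytes(vulnerable, honest),
        "patched_reply_to_attack": patched,
        "patched_reply_to_honest_request": honest_reply,
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable handler leaked", len(result["leak"]), "bytes, starting with",
          result["leak"][:60])
    print("patched handler reply to the attack:", result["patched_reply_to_attack"])
```

The patched handler still answers a well-formed request, which is the point of the fix: the heartbeat extension stays, only the unchecked trust in the peer's length field goes.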

Mark Turner : Sticky switcheroo: FDA cracks down on honey labeling – Health – Boston.com

April 09, 2014 01:38 AM

The Food and Drug Administration is cracking down on the fake honey claims in some foods. Looks like I got my wish!

Have you been duped by a honey poser?

Companies have been selling sugary, sticky honey blends on grocery store shelves for years, adding syrups or sweeteners not made naturally by bees, but hiding their fraud on the packaging under the label “honey.” This food fraud also applies to foods that list “honey” as an ingredient. You might not be getting the real thing.

The Food and Drug Administration issued new guidelines Tuesday that will require companies to label any honey that is not pure, or even food containing this honey, with “blend of sugar and honey” or “blend of honey and corn syrup,” depending on the ingredients. This policy change is the result of organizations like the American Beekeeping Federation and other honey associations petitioning against the common food industry practice of misrepresenting “pure honey.”

via Sticky switcheroo: FDA cracks down on honey labeling – Health – Boston.com.

Warren Myers : april adoption update

April 09, 2014 12:38 AM

We’ve gotten an update in our adoption process. Please go check out our [private] adoption blog.

If you would like access to it, please leave a comment or email me.

Warren Myers : the “best” industries for starting a business?

April 08, 2014 01:04 PM

I generally really like Inc magazine.

But this article is kinda ridiculous: “The Eight Best Industries for Starting a Business.”

By the time an industry has landed on a list like this, the odds that you’re really going to be able to capitalize on it are super slim. There’s nothing “wrong” with starting a business in any of those industries – but you shouldn’t pick an industry because it’s “hot”; you should start your business in the industry you know and are ready to compete in.

If you’re already running a business, perhaps expanding your market reach into some of these “hot” industries is a good idea – and perhaps not. Make sure you are solving problems and delivering solutions.

The rest is gravy.

Sidebar – if you’re relying on mass-market publications like Inc to do your business research, you’re doing it wrong.

Mark Turner : Healthcare still sucks

April 08, 2014 02:07 AM

Now that I’m in a new job, Kelly and I spent some time this evening picking out a healthcare plan. Wading through a lot of boring-as-shit details boiled it down to the plain fact that insurance companies suck even more than they used to.

What kept popping up is this whole idea of “coinsurance.” Who came up with that? Basically if you get hit by a bus and the bills top $1 million, your broken, tire-track-covered ass is on the hook for $200,000. And that’s with insurance! “With friends like these,” right?

Healthcare is still broken and the industry is still playing everyone for suckers. If there’s ever a market that is screaming for more regulation – the kind with real teeth that stands up to these kinds of horseshit shell games that are still being played – healthcare is it.

Oh, and my opinion of UnitedHealthcare hasn’t improved any, either.

David Cafaro : IPv6 and WordPress, not for the faint of heart.

April 07, 2014 02:20 PM

Unfortunately it appears that getting WordPress going on IPv6 is a constant undertaking. Primary causes?

WordPress’s own domains, which the plug-in updater and its reference links point at, don’t resolve over IPv6. And my DNS provider doesn’t fully support IPv6 at its DNS servers (I can add AAAA records, but you can’t reach the name servers over IPv6).

So I end up having to create a few /etc/hosts entries to get plug-in updates and reference URLs to work within WordPress. Additionally, IPv6-only hosts would never be able to reach my domain because of the lack of IPv6 at my DNS provider.

So if you are going this route, be ready to handhold your site for a while.

Scott Schulz : Tweet: /me offers @leylasantiago a “there“ to replace an…

April 07, 2014 12:45 PM

/me offers @leylasantiago a “there“ to replace an errant “they’re” in the Postal fire story on the @WRAL website

Warren Myers : magazines

April 07, 2014 12:42 PM

I am the [proud] holder of subscriptions to several magazines.

As part of my attempt to vary my reading materials, I get Wired, Inc, Fast Company, Western Horseman, and several others.

However – I’ve discovered that I just don’t care about most of what is in any given issue; there are times when more than half of the magazine is of interest, but usually it’s substantially closer to 10% (excluding ads – include them, and you’re probably down to 5-6%).

It’d be awesome if there was a way of getting a print analogue to an RSS aggregator – in fact, if you know of any, please let me know!

But since there’s not, I’ve adopted a fairly stringent policy of recycling magazines that show up in my mailbox if I don’t get to them within 2 weeks: and if somehow I miss that deadline, they definitely get scrapped when the new issue arrives.

The only time I will read an out-of-date magazine is when I’m waiting in a doctor’s or dentist’s office, or at the oil change place. There’s just no reason to read “news” and “insights” that old when you can still get them digitally from the magazine websites within days of the print copy arriving in your mailbox.

Scott Schulz : Tweet: What is this purple flowered plant which is taking…

April 06, 2014 04:44 PM

What is this purple flowered plant which is taking over NC? http://t.co/zAxxnDvCRP

BkjYCZrIYAASgs3

Scott Schulz : Tweet: First lawn mowing of the season complete. Least I…

April 06, 2014 03:37 PM

First lawn mowing of the season complete. Least I am caught up on @TalkinBirds episodes – 7300 steps

Scott Schulz : Tweet: Watching The Exam

April 06, 2014 12:12 AM

Watching The Exam

Warren Myers : vacation

April 05, 2014 07:35 PM

This CNBC story caused quite a bit of discussion on my Facebook wall this week. In short, Americans don’t take all the time off they can, and many don’t even take any.

I didn’t used to take much, either – but have since changed my view on the matter.

There seem to be a variety of issues at play in this discussion; some of the highlights of the thread:

“what if Americans enjoy their jobs more than anyone else, and so don’t want to take more breaks?” –CF

“what if Americans are more scared of losing their jobs while being on vacation, and instead work more tired, more stressed, and less effectively than their counterparts in other parts of the developed world” –me

“You don’t realize that you’re “working for something” if you don’t get to have time to enjoy that for which you’ve worked.” –MS

So what think ye?

Warren Myers : group admin in the era of facebook

April 04, 2014 12:21 PM

Along with the difficulties of initially building a good group/community come the hassles of managing said [virtual] community – especially on the book of the face.

I am a coadmin on the Ontario & Western Railways Historical Society Inc Facebook group. My friend Peter is a coadmin of the Linux Mint group.

Something both of us have noticed is the ridiculous spam problem Facebook groups have developed over the past 1-2 years. It’s not a new problem, of course – Stack Overflow has had problems since very early on, too: they printed A Theory of Moderation to outline the issues they were seeing, and how they planned to handle it.

The real problem at the root of all the spam lies, though, not in technology, but in people.

Even with active community self-regulation, moderators occasionally need to intervene. Moderators are human exception handlers, there to deal with those (hopefully rare) exceptional conditions that should not normally happen, but when they do, they can bring your entire community to a screaming halt - if you don’t have human exception handling in place.

Spam doesn’t arise on its own – it’s all developed by people. Until the people problem of spam can be addressed, it will continue. Sadly, technology, in and of itself, cannot deal with the people problem.

So instead we have human admins and moderators whose [typically volunteer] job is to ensure that the communit[y|ies] keeps to a general standard, as defined by the community itself. By assuming technology could be made that would fix the problem, we’re asking the wrong question: human behavior needs to be addressed and improved; while technology is wonderful and can aid in the process, it is no panacea.

Encouragements for moderation teams can come in the form of gamification (the SO model), community accolade, or just the individual admin’s personal satisfaction.

The drawback is that this task can become so overwhelming, at times and in places, that those tasked with caring for the community give up when the community itself won’t do anything about the problem(s): they adopt the view that it’s everyone’s problem, and presume that since it is everyone’s problem, it’s not “theirs”.

What are the solutions to these issues? I can think of a few – but many remain yet unanswered:

  1. the community must encourage the admins
    • if the community isn’t doing something to make their admins feel appreciated, the admins will, eventually, leave
  2. better tech
    • it’s not possible to solve all problems with technology, but there are certainly many areas that can be improved in this regard
  3. community engagement and education
    • seasoned community members and admins alike need to take the time to “mentor” new community members to make sure they stick to the guidelines of that community
    • community members need to be proactive in assisting the moderators when inappropriate items are posted, or conversation degrades below the standards of the group
  4. a willingness to say “no”
    • admins and the general community need to be willing to tell some people they are not welcome
    • this should [almost] never be in a hateful, grudge-bearing manner, but it must be done to ensure the integrity of the community in the long-term
  5. a willingness to morph
    • the flip side of (4) is that the community needs to be willing, on a regular basis, to:
      • review its own guidelines
      • change / modify rules
      • find new admins
      • welcome new members who aren’t yet versed in the ways of the group ( related to (3) above)

I am sure there are many many more items that can be added to this list. But this is the starting point for every successfully-maintained community I’ve ever seen.

What others would you add, or what would you change?

Mark Turner : Dr. Neil deGrasse Tyson at NCSU

April 04, 2014 02:11 AM

Hallie and Travis with Dr. Neil deGrasse Tyson

Hallie and Travis with Dr. Neil deGrasse Tyson


When I got word that Dr. Neil deGrasse Tyson was going to soon be speaking at N.C. State, I was determined to finagle some tickets. It seemed to be an impossible task, since he was speaking in the tiny Hunt library auditorium and it was mainly a College of Sciences event with few tickets available to the public. Even so, through a friend with close ties to the school I found out the time that the hundred or so general-admission tickets would be distributed online.

Learning that each registrant would be allowed just one guest, I got Kelly to join in my ticket quest. When that moment arrived – the second it arrived – Kelly and I were madly refreshing our browsers, waiting for a link to register for tickets. Somehow the stars aligned and both of us managed to put our names in the hat before the ticket window closed within three minutes!

The stars aligned again this evening for the event. Today was my first day at my new job on Centennial Campus, so I had a short walk from my office building to the Hunt Library. Kelly, however, was picking up the kids from Farmville, VA, and rolled into the library perhaps 30 seconds before the audience began to file into the auditorium.

I had attended a presentation in the auditorium a week prior, so I was familiar with the layout. Rather than follow the crowd down the right aisle, I led the family down the open left aisle, parking us on the very first row in front of the speaker podium! Another lucky break, though they say that fortune favors the prepared!

Dr. Tyson didn’t disappoint. He walked right by us on his way onstage, pausing a moment to high-five both kids! He also spent some time during his talk to interact with the kids, asking Hallie how old she was and taking a cue from Travis on another point. Kelly and I vigorously protested when Dr. Tyson told the kids that we as their parents actually don’t know everything. Hey, keep that to yourself, Neil!

The talk was lengthy and insightful, though the talk went on too long for questions to be taken from the audience. That’s a shame as I had thought for days what I might ask him and didn’t get the chance. It was disappointing but perhaps I’ll get another chance.

Being on the front row was less of an advantage for us when it came time to move to the reception upstairs. We had to wait while the rest of the auditorium exited above us. By the time we reached the reception, Dr. Tyson was surrounded by a crowd of fans, not giving us much of a chance for the kids to say hello to him.

Soon we saw him being gently nudged towards the door. The kids’ disappointment was mounting as they asked us “is he just going to leave?” While Kelly took things out of my hand, I directed the kids towards Dr. Tyson as he walked out into the hallway. Fortunately, he recognized his Front Row Buddies and paused for a few photos, goosing the kids comically in the last one. As my friend Guus commented on Facebook, it is a photo they will treasure for decades.

We all had a wonderful time this evening. I’m especially happy that our science-loving kids got a chance to meet an influential scientist like Dr. Tyson. Perhaps this encounter will prompt them to pursue careers in science, or at least making the world a better place.

Warren Myers : lex>>fwd meeting @ west 6th tonight at 1730 edt

April 03, 2014 03:28 PM

LEX>>FWD is meeting tonight at West Sixth Brewery in Lexington at 5:30p.

The topic is scheduled to be “source control and specifically differences between distributed and centralized”.

If you’re in the Lexington area this evening, come join us.

Warren Myers : the seven stages of expertise

April 03, 2014 01:01 PM

I recently found The Seven Stages of Expertise in Software Engineering.

  • Stage 1: Innocent
    • barely knowledgeable if at all
  • Stage 2: Exposed
    • seeking knowledge
  • Stage 3: Apprentice
    • has read case studies and tries to apply those techniques
  • Stage 4: Practitioner
    • can actually apply concepts learned in one context to a not-identical context
  • Stage 5: Journeyman
    • professional understanding and application of the field; can mentor
  • Stage 6: Master
    • moved from “whats” and “hows” to “whys”; can mentor very effectively
  • Stage 7: Researcher
    • the teacher, presenter, mentor, speaker, evangelist, writer, authority

Presented first in the humorous guise of The Seven Stages of Expertise in Bear Hunting, Meilir Page-Jones makes a highly compelling case for progressive advancement in [nearly] any field.

Some of the ideas seem similar to what Malcolm Gladwell brings in Outliers (review) or Robert Greene does in Mastery (review). Which seems to only lend more credence to those other works, given that this article is © 1998.

Eric Christensen : caff gpg.conf file settings

April 02, 2014 03:37 AM

After years of using caff for my PGP key-signing needs I finally came across the answer to a question I’ve had since the beginning. I document it here so that I may keep my sanity next time I go searching for the information.

My question was “how do you make a specific certification in a signature?”. As defined in RFC 1991, section 6.2.1 (the same four types are signature types 0x10 through 0x13 in RFC 4880, section 5.2.1), the four types of certifications are:

     <10> - public key packet and user ID packet, generic certification
          ("I think this key was created by this user, but I won't say
          how sure I am")
     <11> - public key packet and user ID packet, persona certification
          ("This key was created by someone who has told me that he is
          this user") (#)
     <12> - public key packet and user ID packet, casual certification
          ("This key was created by someone who I believe, after casual
          verification, to be this user")  (#)
     <13> - public key packet and user ID packet, positive certification
          ("This key was created by someone who I believe, after
          heavy-duty identification such as picture ID, to be this
          user")  (#)

Generally speaking, the default settings in caff only provide the first level, “generic” certification. Tonight I found information specific to ~/.caff/gnupghome/gpg.conf. This file can contain, as far as I know, three lines:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-cert-level 2

I can’t find any official information on this file as the man pages are a little slim on details. That said, if you use caff you should definitely create this file and populate it with the above at a minimum, with the exception of the default-cert-level. The default-cert-level should be whatever you feel comfortable setting it to; it takes a value from 0 to 3, corresponding in order to the four certification types above. My default is “2” for key signing parties (after I’ve inspected an “official” identification card and/or passport). The other two settings are important as they provide assurances of using a decent SHA-2 hash instead of the default
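An added check, as example code that is not part of Eric's post or of caff: the three settings above are ordinary gpg.conf options (caff just keeps its own GnuPG home under ~/.caff/gnupghome), and the way to be sure what they produced is to read the signature packet itself, where the certification type and the hash algorithm are the second and fourth bytes of a version 4 signature. The parser below decodes those fields from a binary OpenPGP stream; the make_signature_packet helper builds a synthetic packet with dummy signature data so the example runs offline, and is not a valid signature.

```python
"""Read the certification type and hash algorithm out of OpenPGP signature packets.

Signature types 0x10..0x13 are the four certification levels; gpg's
default-cert-level 0..3 selects them in that order (RFC 4880, section 5.2.1).
"""

SIG_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
CERT_LEVEL = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}                 # RFC 4880, section 9.4
SIGNATURE_PACKET = 2


def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream
    (RFC 4880, section 4.2). Partial body lengths are not handled."""
    pos = 0
    while pos < len(data):
        header = data[pos]
        pos += 1
        if not header & 0x80:
            raise ValueError(f"byte {pos - 1}: not a packet header")
        if header & 0x40:                                  # new-format header
            tag = header & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                              # old-format header
            tag = (header >> 2) & 0x0F
            length_type = header & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[length_type]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length


def describe_signature(body):
    """Decode the fixed fields at the front of a v3 or v4 signature packet body."""
    version = body[0]
    if version == 4:
        sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    elif version == 3:
        sig_type, pk_algo, hash_algo = body[2], body[15], body[16]
    else:
        raise ValueError(f"unsupported signature version {version}")
    return {
        "version": version,
        "sig_type": sig_type,
        "certification": SIG_TYPES.get(sig_type),         # None for non-certification sigs
        "cert_level": CERT_LEVEL.get(sig_type),
        "hash": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})"),
        "pubkey_algo": pk_algo,
    }


def certifications(data):
    """Every certification signature (types 0x10-0x13) in an exported key or sig file."""
    found = []
    for tag, body in iter_packets(data):
        if tag == SIGNATURE_PACKET:
            desc = describe_signature(body)
            if desc["certification"]:
                found.append(desc)
    return found


def make_signature_packet(sig_type, hash_algo, new_format=False):
    """Constructed v4 signature packet for testing: valid framing, dummy signature data."""
    hashed = b"\x05\x02\x53\x3b\x8a\x00"                    # creation-time subpacket (type 2)
    unhashed = b"\x09\x10" + b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # issuer subpacket (type 16)
    body = (bytes([4, sig_type, 1, hash_algo])               # version, type, RSA, hash
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\xab\xcd"                                    # left 16 bits of the hash
            + b"\x00\x10\x12\x34")                           # one 16-bit MPI (dummy value)
    if new_format:
        return bytes([0xC0 | SIGNATURE_PACKET, len(body)]) + body
    return bytes([0x80 | (SIGNATURE_PACKET << 2), len(body)]) + body
```

To inspect real data, feed certifications() the bytes of `gpg --export KEYID`, or of a caff mail's key block after `gpg --dearmor`. For a quicker look, `gpg --list-sigs` prints the same level as a digit after “sig” (for example “sig 2”) on certifications made at level 1 to 3, and nothing there for level 0.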


Warren Myers : reading experiment

April 01, 2014 04:24 PM

In follow-up to a recent blog post shared with me by my friend Steven, thinking about my aunt’s old practices, and comments from my wife and another friend, I’m engaging in a “consumptive”/“reactive” reading experiment wherein I am going to do something I haven’t done in a non-workbook book since my time at HVCC – I’m going to try writing in a book.

Two, actually. One is To Engineer Is Human (by Henry Petroski; my review). The second is Knowing God by JI Packer.

Wish me luck. I’ll report back when I’ve completed at least one of the books in the experiment.

“Books are made to be broken–literally or figuratively. I recently bought an 80+-year-old book for $76 (a rare book called If It Had Happened Otherwise). I took special pleasure folding the pages and writing on them. It’s mine, why treat it like a delicate flower?” –Ryan Holiday

Jesse Morgan : Saul’s Gimpy Inversion

March 31, 2014 03:38 PM

Note for next time- If I ever need to invert the alpha and black on 40+ layer images, this script-fu will do the trick in gimp.

;; Collect every non-group layer in the image, descending into layer groups.
(define (get-all-real-layers image)
  (define (get-children group)
    (let loop ((children (vector->list (cadr (gimp-item-get-children group))))
               (sub-layers '()) )
      (if (null? children)
        (reverse sub-layers)
        (loop (cdr children)
              (if (zero? (car (gimp-item-is-group (car children))))
                (cons (car children) sub-layers)
                (append sub-layers (get-children (car children))) )))))
  (let loop ((top-layers (vector->list (cadr (gimp-image-get-layers image))))
             (all-layers '()) )
    (if (null? top-layers)
      all-layers
      (loop (cdr top-layers)
            (if (zero? (car (gimp-item-is-group (car top-layers))))
              (append all-layers (list (car top-layers)))
              (append all-layers (get-children (car top-layers)))) ))))

;; For each real layer: select its opaque area, fill with the foreground
;; colour, then clear the selection, which swaps the opaque and transparent
;; areas. `image` must already be bound to the target image ID when this is
;; evaluated (for example in the Script-Fu console).
(map
  (lambda (layer)
    (gimp-image-select-item image CHANNEL-OP-REPLACE layer)
    (gimp-drawable-fill layer FOREGROUND-FILL)
    (gimp-edit-clear layer) )
  (get-all-real-layers image) )

Big thanks to saul on irc.gimp.net for this snippet.

Mark Turner : Are hackers killing Yahoo email?

March 31, 2014 10:55 AM

A number of my friends who use Yahoo.com email addresses have been frustrated by spam emails that appear to be sent through their accounts. A look at the actual email headers reveals the emails do not actually originate from Yahoo:

Return-Path: <yahoouser@yahoo.com>
X-Original-To: Mark Turner
Delivered-To: Mark Turner
Received: from smtprelay.b.hostedemail.com (smtprelay0206.b.hostedemail.com [64.98.42.206])
    by maestro.markturner.net (Postfix) with ESMTP id 9E6FEC81102
    for Mark Turner; Sat, 29 Mar 2014 05:13:05 -0400 (EDT)
Received: from filter.hostedemail.com (b-bigip1 [10.5.19.254])
    by smtprelay01.b.hostedemail.com (Postfix) with ESMTP id 9EE0D2D2A15;
    Sat, 29 Mar 2014 09:13:06 +0000 (UTC)
X-Session-Marker: 536861776F6F64406265782E6E6574
X-Spam-Summary: 10,1,0,,d41d8cd98f00b204,,:::::::::::::::::::::::::::::::::::::::,RULES_HIT:41:72:355:379:539:540:541:542:543:590:962:96
X-HE-Tag: pets27_36a824eacc042
X-Filterd-Recvd-Size: 2630
Received: from bex.net (unknown [122.166.148.93])
    (Authenticated sender: Shawood@bex.net)
    by omf06.b.hostedemail.com (Postfix) with ESMTPA;
    Sat, 29 Mar 2014 09:12:55 +0000 (UTC)
Message-ID: <120dcf1f0409$188b32c6$8c62fe50$@yahoo.com>
From: Yahoo User <yahoouser@yahoo.com>

… but the damage is done. Many of my friends who use Yahoo for mail are bailing on it.
My guess is that the hackers may have compromised Yahoo’s email systems long enough to grab the contact lists of its users. Yahoo could have tightened up its security in the meantime, but the proverbial horse is now out of the barn. Hackers can continue to masquerade as Yahoo.com email users.

Instead of an SPF record to protect against faked emails, Yahoo uses DomainKeys Identified Mail (DKIM) signatures, which a receiver checks against a public key published in Yahoo’s DNS. This puts this kind of header in a legitimate Yahoo email:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
    t=1396205703; bh=U70gbg8jCRRS3R/0591VaRt992y2uSHahGrbF9hZ2YM=;
    h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:From:Content-Type:Content-Transfer-Encoding:Mime-Version:Subject:Message-Id:Date:References:In-Reply-To:To:X-Mailer;
    b=aCBmZYk3B/8+1rSAjtjS+JAQIdMSZNt2zwRixj9xGuDPy5rJmn4/L7RPSbgj1N4fk6EzmpjM68HPIt3ZSYdPbQryO00hu1muPFBD0zv+iqb43KXgXCRHUrpRIz7T3g/DR6d98iegl+hahnx+seAS9rJuf8cyVpMM+eDaxNtN6YE=

I don’t have my mail server set up to parse this kind of header. Neither, apparently, does Gmail, as it still passes these bogus emails along as if they were legitimate. A DKIM signature only vouches for the mail Yahoo itself sent; a forgery like the one above simply carries no signature, and nothing tells the receiving server that unsigned yahoo.com mail should be refused (that is what a DMARC policy adds). Yahoo could do as Gmail does and easily add an SPF record to its DNS zones to cut down on the bogus email: the receiving server would compare the host that delivered the message (here a hostedemail.com relay, not a Yahoo server) with the hosts Yahoo lists for yahoo.com, and such an SPF record would complement its DKIM strategy. Instead, Yahoo leaves its email users vulnerable to faked emails, resulting in compromised computers and angry users (and subsequently, more Gmail customers).

It seems that Yahoo excels at taking a good idea and totally screwing it up.
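As an added example (not from the post), the following Python walks the quoted headers the way a receiving server would and runs a minimal SPF evaluation against a made-up record. The SPF record, the placeholder recipient address and the our_host name are assumptions for the example; SPF mechanisms that need DNS lookups are deliberately not modelled. It finds the two things a human reading the headers finds: the message entered through an authenticated hostedemail.com customer account in a different domain from the From address, and a yahoo.com SPF record ending in -all would have failed it.

```python
"""Trace where a message entered the mail system and what an SPF check would say,
using the headers quoted in the post. SPF (RFC 7208) compares the IP that delivered
the message to our server with the hosts the envelope-sender domain (Return-Path)
publishes in DNS; DKIM is a separate mechanism and says nothing about unsigned mail.
"""
import ipaddress
import re

# The post's headers, re-indented so continuation lines fold correctly; the
# recipient address is a placeholder and the stripped angle brackets are restored.
SAMPLE_HEADERS = """\
Return-Path: <yahoouser@yahoo.com>
Received: from smtprelay.b.hostedemail.com (smtprelay0206.b.hostedemail.com [64.98.42.206])
    by maestro.markturner.net (Postfix) with ESMTP id 9E6FEC81102
    for <recipient@example.invalid>; Sat, 29 Mar 2014 05:13:05 -0400 (EDT)
Received: from filter.hostedemail.com (b-bigip1 [10.5.19.254])
    by smtprelay01.b.hostedemail.com (Postfix) with ESMTP id 9EE0D2D2A15;
    Sat, 29 Mar 2014 09:13:06 +0000 (UTC)
Received: from bex.net (unknown [122.166.148.93])
    (Authenticated sender: Shawood@bex.net)
    by omf06.b.hostedemail.com (Postfix) with ESMTPA;
    Sat, 29 Mar 2014 09:12:55 +0000 (UTC)
Message-ID: <120dcf1f0409$188b32c6$8c62fe50$@yahoo.com>
From: Yahoo User <yahoouser@yahoo.com>
"""

# Made-up SPF record using documentation address ranges; it stands in for whatever
# a domain would publish and is not the real yahoo.com record.
HYPOTHETICAL_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all"

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DOMAIN_OF_ADDRESS = re.compile(r"@([A-Za-z0-9.-]+)")
AUTHENTICATED_SENDER = re.compile(r"Authenticated sender:\s*([^\s)]+)")


def parse_headers(raw):
    """Fold RFC 5322 continuation lines and return [(name, value), ...] in order."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def first_header(headers, name):
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def connecting_ip(headers, our_host):
    """IP of the host that handed the message to our own MX: the Received header
    our server added (the top-most one naming our host after 'by')."""
    for key, value in headers:
        if key.lower() == "received" and f"by {our_host}" in value:
            match = IP_IN_BRACKETS.search(value)
            if match:
                return match.group(1)
    return None


def check_spf(record, ip):
    """Minimal RFC 7208 evaluation of ip4/ip6/all terms. Mechanisms that need DNS
    (include, a, mx, redirect) are not modelled and raise."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    address = ipaddress.ip_address(ip)
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in outcome:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return outcome[qualifier]
        if mechanism in ("ip4", "ip6"):
            if address in ipaddress.ip_network(argument, strict=False):
                return outcome[qualifier]
            continue
        raise NotImplementedError(f"{mechanism} needs DNS lookups; not modelled")
    return "neutral"                        # nothing matched and no 'all' term


def analyze(raw_headers, our_host, spf_record):
    """What a receiver can learn from the headers without any network access."""
    headers = parse_headers(raw_headers)
    envelope = DOMAIN_OF_ADDRESS.search(first_header(headers, "Return-Path") or "")
    header_from = DOMAIN_OF_ADDRESS.search(first_header(headers, "From") or "")
    ip = connecting_ip(headers, our_host)
    auth = None
    for key, value in headers:             # injection point: an authenticated relay user
        if key.lower() == "received":
            match = AUTHENTICATED_SENDER.search(value)
            if match:
                auth = match.group(1)
    auth_domain = DOMAIN_OF_ADDRESS.search(auth).group(1).lower() if auth else None
    from_domain = header_from.group(1).lower() if header_from else None
    return {
        "client_ip": ip,
        "envelope_from_domain": envelope.group(1).lower() if envelope else None,
        "header_from_domain": from_domain,
        "spf": check_spf(spf_record, ip) if ip else "none",
        "authenticated_sender": auth,
        "sender_domain_matches_from": (auth_domain == from_domain) if auth_domain else None,
    }
```

An SPF “fail” only helps if the sending domain publishes -all and the receiver acts on the result; with ~all or ?all the same check yields softfail or neutral, which most receivers merely note.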

Mark Turner : Snapping up talent

March 30, 2014 04:04 PM

I just heard that a certain open-source software company based in downtown Raleigh sometimes takes six months from when it gets a job applicant to actually hire that applicant. That’s crazy. How can a company think that a top job applicant has that kind of time to spend for a potential employer to get their act together? What makes a company think that an applicant is still going to be around six months later?

I spent three months between losing my job and getting a job offer and you know what? It sucked. It was three months of suck. When someone wants to make a move, they often don’t have the luxury of spending half a year for a potential employer to get going. I appreciate being thorough and making sure things are a good fit, of course, but six months is an insult to any job applicant.

I contrast this with my most recent job search, where the HR “talent acquisition team” always responded promptly to my questions and treated me as if I was important to them. That’s the way it should be done. Any company that doesn’t make a priority of hiring good people will soon find itself in trouble.