Author: Ari Rabinowitz

I’m back, for now, I think

In case anyone noticed that this blog has been down for a little over 3 months, it was because I logged in on my birthday and saw something that made me think the AWS EC2 instance that this runs on was hacked and the instance was busy mining bitcoins for someone else. I don’t think that they would get many bitcoins from an EC2 t2.micro, but I guess they were trying anything that they could get. I shut down the instance and left it for the past few months. Today, I finally took the time to look at it and decided to bring it back up and see what happens. Before I brought it back up I created a new instance, detached the disk from the old instance and attached it as a second drive to the new instance where I glanced briefly at the logs to see if I could see anything that looked bad. I didn’t, so I just made a snapshot of the drive, then re-attached it to the old instance and started it up. After logging back in and updating the SSL certificate I was able to bring this blog back up.

I’m not sure when I’ll take the time to write anything else, but I will keep a closer eye on this blog and if I see any more signs of hacking it will go away for another while.

All the best,
Ari

Tales of the Old Blue Rambler

My daughter telling me of her car woes brought back memories of my first car and all of the stories associated with it. Since some of these stories may be amusing or informative I figured I would take the opportunity to tell them here.

The first car I owned was a blue 1968 Rambler Ambassador. For those of you who don’t remember the 1968 Rambler Ambassador, it was a “full size” sedan and the first car made by an American car company that offered air conditioning as standard equipment (although you could ask them to delete it to save a little money). Ours had the air conditioning. It was my father’s car which I inherited when he died in 1975. I traveled cross country twice in that car, once as a passenger with my parents in 1972 and again on my own (with a few hitch hikers along the way) in 1975.

Some time in the later 1970’s an old friend of my parents, who was an independent taxi owner in NYC, died in his cab. His family didn’t want the cab which was too old for a new owner to register as a yellow cab in NYC, although his wife did manage to remove and sell the meter and medallion, so they gave me the 1974 Ford Crown Victoria. Owning one car in Manhattan is a challenge, owning 2 is impossible so I passed the yellow Ford on to a brother who had worn out the crank socket on his old Peugeot after the starter motor had died. He didn’t keep the Ford for very long, either.

Owning a car while living in a Manhattan apartment is a challenge, but since I was working at Albert Einstein College of Medicine at the time I was able to get a parking permit for the Bronx Municipal Hospital Center parking lot. I usually left the car in the BMHC lot and took the subway to and from work, although sometimes I would drive the car the 1/2 mile to the subway and leave it parked by the entrance overnight while I rode the subway home. I can’t count how many times I would get to the subway, jump out of the car and run to the subway entrance, only to reach into my pocket for a subway token and notice that my car keys weren’t in my pocket because I had left them in the car, with the motor still running. Fortunately, I always remembered before I got into the subway so I never left the car running all night.

Keeping the car running as it got older was sometimes a fun challenge. Like the time I was picking up my friends Beth and Ingrid to drive out to the Fire Island ferry. As I pulled up in front of Beth’s apartment on West 74th Street there was a flood of steam coming out from under the hood. I popped the hood and saw that the lower radiator hose had split, so I told Beth to call Ingrid and tell her we might be a few minutes late picking her up. I then pulled my spare universal radiator hose out from the trunk, along with 3 gallons of water, and I proceeded to replace the bad hose and refill the radiator with water. We got to Ingrid’s only a little late, and I got them to the ferry on time, although I took the next ferry because I decided to go to an auto parts store to get another universal radiator hose, just in case.

There was also the time I drove up to Boothbay Harbor, Maine, on Labor Day weekend to pick up a friend who had spent the summer up there doing dinner theater. She had just turned in the keys to the house she had rented for the season, and the sun was going down as we started the drive back to the city. I stepped on the brake to slow down, and when I released the brake pedal there was an awful racket coming from the front left tire. I pulled over to the side of the road and jacked up the front of the car to see what was happening. The car had old drum brakes and one of the brake return springs, which pulled the brake shoes away from the drum, had broken so that brake didn’t fully release. Unconcerned I went into the trunk of the car and pulled out my brake tools and brake repair kit which included the needed replacement springs. I got the brake fixed and we were back on the road shortly.

I kept that car running until the early 1980’s, when my mother gave me her newer 1978 Pontiac Sunbird, and I couldn’t keep 2 cars in Manhattan, so I drove the old Rambler to a junk yard and left it with them.

Introduction to sol!ursa!ari

I’ve added this introduction as a new post because I recently upgraded my AWS EC2 instance to AWS Linux 2023 and installed WordPress newly and something has messed up the default so that if you just go to the home page of the site you get a 404 (Page Not Found) page instead of the introduction. I’ll see if I can get this working again, but until then I’ll be fighting with WordPress, PHP and MariaDB to see if I can fix it.

Welcome to my blog. I have been thinking about this for several years, but I was never sure that I had anything worth saying. In addition to that, I’ve often silently laughed at my friends and relatives who post what they’re making for dinner tonight, or where they are out for drinks. I don’t think anyone really cares what Holly and I had for dinner last night, or that we stopped for drinks at The Trailer Park or Walker’s on our way home. On the other hand, people have been interested in some of my stories about things I’ve done in my life, so much of this blog will be stories from my memory. This will be a random collection of my thoughts, some will be remembrances of things past and some will be comments about current events.

You are welcome to share these with others and comment, but please don’t bother to attack me or anyone else in the comments since I will delete any attacks on myself or others which I don’t think are appropriate. Also, these remembrances are coming from my memory, so don’t bother to complain about inaccuracies in names, dates or places. My memory is not what it used to be, in fact, I don’t remember if it ever was that good.

I’ve added a new form so that you can contact me privately if you have any comments or questions which you don’t want published to the blog. Feel free to use it to reach me and let me know that you have been here.

May the Circle be Unbroken

Two weeks ago my career in IT came full circle. Fifty-five years ago, as a rising high school senior, I took a summer course in computers at Columbia University in NYC. It was a very comprehensive course which covered theories of computing, algorithms, compilers, etc. in the mornings and then taught us programming in Fortran and assembler for Columbia’s newly updated IBM 7094 computer in the afternoons. For many years, that course was my only formal training in computers and IT. Most of what I have learned since then was either self-taught or learned on the job.

The 7094 had recently been updated from a 7090. The hottest question at the time was what was the difference between a 7090 and a 7094, and the answer was 4. In addition to a few other changes in clock speed, instruction set, etc. a major change between the two computers was that the 7094 had 4 more index registers. The 36 bit instructions for these computers had 3 Tag bits set aside to indicate the use of an index register, often used for stepping through memory in loops. In the 7090 these 3 bits selected one of 3 index registers. For the 7094, a binary decoder circuit was added so that the 3 bits could select one of 7 index registers, thus the update from 7090 to 7094.

Part of my decision to take a course in computers during that summer was the news that my high school, Brooklyn Technical High School, was planning to get a new IBM 1130 computer in the fall. In addition to taking the course at Columbia that summer I also went to the IBM offices on Maiden Lane in lower Manhattan and bought a set of manuals for the IBM 1130 so that I would be ready to use the computer when it arrived. In fact, I ended up being the first person to successfully run a program on Tech’s 1130. My oldest brother was going to school at Brooklyn College at the time, and was working on the IBM 1620 which they had there. I was able to visit his office and use a keypunch machine there to punch my program onto the punch cards then used as input for computers. As I recall, the program was to calculate great-circle bearings from NYC to other points on the globe. My father was a ham radio operator and he had installed a large, rotatable antenna on a tower alongside our home in Queens. He asked me to give him a table of bearings to point his antenna depending on where in the world he wanted to speak to someone, so I wrote the program, punched it onto cards at Brooklyn College (along with the Monitor Control Records, an early form of JCL for the 1130) and then walked into the computer room at Brooklyn Tech one day and asked the teacher there, I believe it was the head of the electronics course, if I could use the computer. He stared in amazement as I walked over to the card reader, inserted my card deck and then proceeded to run the program which generated many pages of output tables. He was sufficiently impressed by my ability to get the computer working that from that day on I was always welcome to come into the computer room, even if I was cutting a class to do it.

One interesting sideline about the 1130 was that it was a desk-sized computer console with a removable rotating magnetic disk cartridge (IBM 2315) behind a panel in the desk stand. The monitor program, as well as the compiler and other utilities were loaded onto the disk drive from 2 boxes of punched cards (about 4000 total cards). One item which I seem to have neglected to notice in the manuals I bought was that you had to turn off the disk drive with a switch behind the front panel before you shut off the computer. Otherwise, the retracting head of the magnetic drive would scribble all over the disk as the power was removed. We wondered why we had to load the 2 boxes of cards onto the magnetic drive every day, until someone realized that the switch inside the front panel would save us that chore.

There is irony in the fact that this IBM 1130 was bigger and more powerful than the IBM 1620 computer at the college I went to, although my college also managed to purchase an IBM 1130 during the summer before my senior year. More about that in another post.

The full circle I was talking about in the first paragraph of this post is that 2 weeks ago I started working as a system administrator in the computer research facility of the computer science department at Columbia. So my career in computing, which started with a course at Columbia 55 years ago, has now returned me to Columbia.

Sometimes You Just Need a Man-in-the-Middle (MITM)

Ok, to be politically correct I suppose it should be called a Person-in-the-Middle, but the acronym PITM is just too close to PITA for me. Maybe I’ll change it to Machine-in-the-Middle since that is what it usually is, but for me it was just a process on the receiving machine.

For those of you who don’t know it, MITM is often used in the context of an attack on web browsing. When a browser (like Chrome, Edge, Firefox, …) connects to a sever the name of the server is converted to an IP Address via DNS and then the packets are routed between the browser and the server. Of course, if someone can corrupt your DNS or stick a malicious router into the path between your browser and the server then they can read all of the packets that go back and forth. That is called a MITM attack.

The S in HTTPS is for Security and indicates that the connection is encrypted between the browser and the server using Transport Layer Security (TLS), which is an update to the previous Secure Socket Layer (SSL) which it turns out wasn’t really as secure as people hoped it would be. This is intended to protect against MITM attacks by making sure that the machine-in-the-middle can’t read the encrypted packets. When a browser connects to a server over HTTPS the server supplies its Certificate to the browser so that the browser can confirm that it is connecting to the correct server. The certificate contains the name of the server and is cryptographically signed by a Certificate Authority (CA) which confirms that the server name belongs to the server. This is called Public Key Infrastructure (PKI) which is well beyond the scope of this blog post. If the name of the server in the certificate doesn’t match the name of the server you asked the browser to connect to, if the certificate is signed by a CA that your browser doesn’t trust, or if there is another problem with the certificate like it is expired, then your browser will put up a warning about the certificate before letting you see the web site. Some corporate web proxy servers, which connect computers in a corporate environment, include a MITM which allows them to snoop on what their employees are doing on the Internet, even when the employee is using HTTPS. To avoid their employees getting the browser certificate warning the proxy server has to create on the fly a certificate for the specific server which the browser is connecting to. Since no legitimate CA will sign such a certificate the proxy server has its own CA and any browsers which use that proxy have to install the CA certificate from the proxy server as a Trusted CA.

This blog post is about why I needed a MITM in order to solve a problem I was having. We have 6 Amazon Web Services (AWS) Elastic Compute Cloud (EC2) Virtual Machines (VM) and I wanted to have all of them send their logs to one common VM for analysis. These VMs came with RSyslogD, a standard Linux/Unix system logging utility which I planned to use. Of course, the version of RSyslogD installed was 5.8.10, which was released in 2010 and last updated in 2012. For comparison, the latest version of RSyslogD is 8.2104. Since I am a card carrying Certified Information Systems Security Professional (CISSP) I decided that the logs should be transmitted to the common log server over TLS even though the servers were all in our AWS Virtual Private Cloud (VPC) meaning that no other computers should have access to our packets. Configuring RSyslogD to use TLS wasn’t too hard, but we also had some Python programs written in-house which I wanted to have transfer their logs directly to the common log server without using RSyslogD on the local VM. If you read my earlier blog post about Python you know how much I love looking for and using standard Python modules. I was able to find a Python module which said it interfaced the standard Python logging module to the Syslog protocol used by RSyslogD. Of course, it didn’t support sending the packets over TLS so I had to modify the module to wrap the packets in TLS. I was able to get the Python programs to send their logs successfully to the common log server using the Syslog protocol without TLS but when I wrapped the packets with TLS the logs were ignored. I could see that the TLS connections were being made, but since TLS encrypts the packets I couldn’t see what was in the encrypted packets that kept it from working. The packets going between the RSyslogD processes on the servers was working, but my TLS wrapped Python packets were being ignored.

To figure out what the issue was, I needed a MITM where I could decrypt the packets and inspect them to see what the difference was between the working logs from the RSyslogD process and the non-working logs from my Python module. Since I was already so embedded in Python for this I decided to write a MITM module for Python which would accept the encrypted TLS connection from the source, decrypt and display the logs, and then re-encrypt them and pass them on to the RSyslogD process on the common log server. Normally a MITM module is blocked by browsers because it supplies a certificate whose name doesn’t match the server you are connecting to, or is signed by an untrusted CA, but in this case I didn’t have that problem. For these TLS connections I had created our own local CA which only needed to be trusted by the VMs in our VPC. Since I had already been doing all this Python coding with TLS I had no problem cobbling together a simple MITM module with which I quickly discovered that the working messages had the length of the log message inserted before the actual log message. Adding that to my Python TLS wrapper module got the log messages flowing cleanly. Of course, if I had Googled “Syslog over TLS protocol”, as I should have, I would have quickly found RFC5425 which would have given me the needed answer without the necessity of an MITM, but what would have been the fun in that?

Metropolitan Diary

The NY Times finally published on Sunday, July 12, 2020, the submission I made to their Metropolitan Diary column on May 15, 2019. They edited it so I will provide here both my original submission and their edited version so you can decide if they removed anything of interest or if, as Tony often told me, I was too wordy.

My initial submission:

DEAR DIARY:
It was the spring of 1974, before CitiBike and the multitude of cyclists and protected bike lanes which now exist in the city. I was riding home from Central Park early one morning when I stopped at a red light at 57th St and 6th Ave (yes some cyclists do stop at red lights). A delivery truck from H&H Bagels pulled up next to me at the light. As is common with those delivery trucks, the passenger side door was open so I looked up at the driver and said hello. He said hello and then reached into a bag by his side and handed me a fresh bialy out of the truck. Only in New York.

The version as they published it:

Dear Diary:

It was spring 1974, and I was riding my bike home from Central Park early one morning. I stopped for a red light at 57th Street and Sixth Avenue.

As I waited for the light to change, a delivery truck from H&H Bagels pulled up alongside me.

I looked up at the driver and said hello. He said hello. Then he reached into a bag by his side and handed me a fresh bialy.

Of course they did include a nice illustration with it:

The Fallacy of running a Government as a Business

President Trump promised to run the government as a business. The problem with that is that the purpose of a business is very different from the purpose of a government. While businesses may make something, or provide some service, the primary purpose of a business, in our capitalistic society, is to make money for its owners. Trump seems to think that he and his cabinet/cronies are the owners of the business of government so they are out to get all of the money they can out of this government. On the other hand, the purpose of our government, as defined in the US Constitution is “form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity”. I don’t see anything there about making money for the president, the congress or the cabinet.

The major problem with running the government as a business is that in most businesses there is a relationship between income and expenditures. That is, an increase in expenditures is usually connected to some expected increase in income, either through R&D or through increased production capacity. The income of government is not as directly related to its expenditures. The expenditures are for general services which the government provides such as education, policing, sanitation etc. and increasing these expenditures is not related to any direct increase in government income. Ideally a government should run with a balanced budget, such that the income for any given period should cover the expenses for that period. Unfortunately that doesn’t always occur.

Ok, enough of my meaningless ranting for today. Does anyone want to comment about this?

Simple Sample SAML Service Provider Programmed in Python

Try repeating the title of this blog posting three times fast.
And if you think that is tough, try coding one. I haven’t been paid to write computer programs since I left the research faculty of the Albert Einstein College of Medicine back in 1986, so my coding skills could be a little rusty, although I have written lots of simple scripts, modified dozens of others in multiple languages and help programmers debug their programs in more languages than I can count, but more about that in another post. This one is a rant about Python.

I was first introduced to Python as a programming language in 2001, when my boss at Bear Stearns at the time (who shall remain nameless) promised the London research team that he would speed up the delivery of their research Emails. At the time we were using Sendmail with some intervening shell scripts to manage our outbound Emails and the London research team was sending their research out to lists of several hundred addresses. Since Sendmail in those days was single-threaded the first addresses in the list got the research fairly quickly (by the standards of those days). Unfortunately the owners of the lists didn’t always keep them clean and up-to-date, so there were often bad addresses or addresses with misspelled domains. Since Sendmail would try every MX server for a domain, or the A record for the domain if there was no MX records, then every bad address or domain would slow down the delivery to subsequent recipient addresses. By the time Sendmail got to the end of the list the timely research was often obsolete so our London research team, and their customers, were understandably upset. My boss’ solution was to obtain 2 Unix servers, powerful Solaris boxes at the time, download Postfix, Python and Mailman onto those servers, and then hand them over to me and resign from the firm. It became my job to put all this together so that the London research team, and ultimately several other Bear Stearns teams, could use these servers to send out their research in a timely manner.

Mailman, for those of you who don’t know it, is open-source mailing list manager software written in Python. The then current version of Mailman did not include “Real name” support for members which I see is now a feature of the current version, but our users required it, since they couldn’t be bothered knowing the actual Email addresses of their clients. That version also didn’t include the concept of a list member manager separate from the list manager, although we wanted our research people to be able to maintain their mailing lists without having any access to the other features of their mailing lists. Thus, I had to write an entire new user interface for the Mailman mailing lists which allowed the list owners to import/add/delete real names and Email addresses for their clients but which hid from them the other features of Mailman and their lists. Fortunately Python is an object-oriented language and the Mailman lists were nested objects so it was not too difficult to add attributes to the list objects for real names, and to modify the user interface to restrict what our list owners could do. Of course, first I had to teach myself enough Python to understand the Mailman source code and figure out how to modify it. That took a couple of weeks. As I recall the Mailman code was written in Python 1.5, so things have changed a lot since then, but that was my introduction to Python.

Fast forward to 2019, where I’m helping an old friend from BS with some software she is writing in Python and she determines that she needs to be able to do Single Sign On (SSO) using SAML for one of her customers. This being the era of Linux, open-source software and shared library modules I searched for a Python module that could be used as a SAML Service Provider. I found a few, but none had adequate documentation to just plug them in and most were designed for specific web frameworks. My friend was writing her code in Python 2, using a web framework written by another old BS alumnus which mostly outputs JSON and was unable to supply the 302 status which the browser needed for simple HTTP redirects to the SAML IdP. Also, this being 2019 and the last year that Python 2 will be supported (although I see that there are still some utilities which may not be Python 3 ready), my code had to work with Python 2, but be upward compatible to Python 3. I managed to get a working proof of concept (POC) for the code using Apache and Python 2 CGI, but it is still clunky.

Moving the code from Python 2 to Python 3 has been more of a headache than anticipated, mostly because of the change in the way strings are handled. Distinguishing between byte strings and Unicode strings is very necessary, but it becomes a pain to manage when modifying lots of legacy code. But that’s not my major complaint about Python. Maybe my complaint is just because I haven’t taken the time to understand the issues involved, but it seems that the method Python uses for locating system modules has evolved over the last 20 years in not always compatible ways. The latest idea, of every application having its own environment with its own set of library modules may make sense in these days of really cheap memory and storage, but is difficult for us old-timers who are used to having limited memory to work with. Here again I will save this for another post.

I’ve had several utilities which are coded in Python and which self-update, but which have been unable to find their modules since the default Python was modified from Python 2 to Python 3, even if they have their own version of Python in their environments. I’m not sure how to tell these utilities how to find the commonly installed modules, or how to install needed modules into their specific environments. I’m sure I will figure this out in the next day or two, but it would have been great if Python was able to do it by itself without forcing me to go through these contortions to make things work.

Enough minor ranting for now, but I did make some promises above for more posts in the future. I’m hoping to put together more, shorter posts. We’ll see if I can do that.
Thanks for reading this.

More about why I’m doing this

If I really knew why I was doing this I probably wouldn’t have started. This is more a learning experience for me than anything else. As I stated in the introduction to this blog, I really don’t think most people care what we’re making for dinner tonight, or where we stopped for drinks the other night, although I do have social media friends who often post what they plan to cook for dinner every day or who check in at every watering hole they stop at in an evening.

I recently read a book called Borscht Belt Bungalows : Memories of Catskill Summers. Some of you may know that my grandparents owned a bungalow colony where I spent most of my summers when I was a kid, so the title of this book looked interesting to me. Of course, my grandparents’ bungalow colony wasn’t in the “Borscht Belt”, it was closer to the city and easier to reach that the ones mentioned in the book. What surprised me a little about the book was that some of the stories in the book really interested and delighted me while others bored me almost to tears. I was trying to figure out what the differences are, but it wasn’t obvious to me. What I think is the situation is that personal memories, telling of unique incidents or memories which were specific to the author and his family were not as interesting as those more universal incidents which had a larger impact. Of course, that wasn’t always the case, so I’m not sure what makes some personal memories more interesting than others. If anyone has any ideas about that, please post your comments here.

I’m thinking I should go to shorter, more frequent entries for this blog. I’ll see if I can do that, so come back and check for new posts regularly, or subscribe (if there is a way to do that).

Bowling and the fountain of youth

I’ve had a complaint that this blog is too “techy”, but I think that’s what more people would be interested in than my life. Does anyone, outside of my teammates and a few immediate family members, really care that my Monday night bowling team took 3rd place in our league this week, or that my Wednesday night bowling team took 1st place in the league last week?Yes, I bowl in a ” coed, young professionals, social” bowling league. I had to lie about my age to join, because the pull-down for the year of birth didn’t pull-down far enough for me. I guess they didn’t believe that anyone older than 55 could lift a bowling ball. I teased the league about that so much that they have since re-written the entire website for the league so now I have revealed my actual age on the website, but many other features of the new website, like “Past Leagues”, no longer work so I can’t say exactly when I started bowling with them. The old website also used to Email “virtual” trophies to anyone who broke 100. The new website is more geared to mobile devices than desktops, which is understandable in this age, but I really miss the Emailed trophies.
Here is a totally unsolicited, and unpaid, plug for the league, www.betteroffbowling.com, which hosts leagues in over 35 cities around the USA. I first started bowling with BetterOffBowling (or BOB as they sometimes refer to it) almost 8 years ago, when some of my coworkers at Morgan Stanley asked me to join their team. In the ensuing years all of the others have dropped out, but for some reason I have remained with them, often bowling in two different leagues in the same season, like the Monday night league and the Wednesday night league that both just ended. You’d think that after all these years of bowling pretty regularly that I’d get good at it, but you’d be wrong. I don’t think my average in the league has improved much after almost 8 years of bowling regularly. I’m still pleased when I break 100, which doesn’t always happen. Each league that I sign up for these days I create a team (usually named “Alley Oops” something) and then open it up to all of the “free-agents” and invite them to join me. Free-agents are what the league calls the people who sign up without having a specific team that they want to join, and they are often people who are new to the league. This is a way to meet new people, as well as to keep active and get out.

So what does all this have to do with the fountain of youth? I think back to the oral surgeon I went to when I was 10 years old to have an impacted lateral incisor removed. When I went to the first appointment I was chewing gum, which I seem to have done a lot of at that age. He had me spit out the gum and he then mimed putting my gum in his mouth, stating that this was the way that he stayed young. I think he was then about the age I am now, if not older, but was refusing to retire. I don’t think this is the secret to eternal youth, just as I don’t believe the stories where vampires have to drink the blood of youth in order to achieve eternal youth. On the other hand, I do believe that you are only as old as you act, so hanging out with younger people is my secret to staying young. Holly teaches an undergraduate class at NYU each year in order to stay around young people and it seems to work for her, too. Ryan always tells me that he hopes that when he reaches my age he’ll have half the energy I that I have. I’m just hoping that this world still exists when he reaches my age, in another 32 years.

Enough of this, now you see why I usually stick to “techy” posts, because my non-techy posts are boring. Still, I hope some of you found this somewhat interesting and I hope to expand on some of these thoughts, as well as posting some more techy and non-techy stuff, in the future.