Author: Ari Rabinowitz

I’m back, for now, I think

In case anyone noticed that this blog has been down for a little over 3 months, it was because I logged in on my birthday and saw something that made me think the AWS EC2 instance that this runs on was hacked and the instance was busy mining bitcoins for someone else. I don’t think that they would get many bitcoins from an EC2 t2.micro, but I guess they were trying anything that they could get. I shut down the instance and left it for the past few months. Today, I finally took the time to look at it and decided to bring it back up and see what happens. Before I brought it back up I created a new instance, detached the disk from the old instance and attached it as a second drive to the new instance where I glanced briefly at the logs to see if I could see anything that looked bad. I didn’t, so I just made a snapshot of the drive, then re-attached it to the old instance and started it up. After logging back in and updating the SSL certificate I was able to bring this blog back up.

I’m not sure when I’ll take the time to write anything else, but I will keep a closer eye on this blog and if I see any more signs of hacking it will go away for another while.

All the best,
Ari

Tales of the Old Blue Rambler

My daughter telling me of her car woes brought back memories of my first car and all of the stories associated with it. Since some of these stories may be amusing or informative I figured I would take the opportunity to tell them here.

The first car I owned was a blue 1968 Rambler Ambassador. For those of you who don’t remember the 1968 Rambler Ambassador, it was a “full size” sedan and the first car made by an American car company that offered air conditioning as standard equipment (although you could ask them to delete it to save a little money). Ours had the air conditioning. It was my father’s car which I inherited when he died in 1975. I traveled cross country twice in that car, once as a passenger with my parents in 1972 and again on my own (with a few hitch hikers along the way) in 1975.

Some time in the later 1970’s an old friend of my parents, who was an independent taxi owner in NYC, died in his cab. His family didn’t want the cab which was too old for a new owner to register as a yellow cab in NYC, although his wife did manage to remove and sell the meter and medallion, so they gave me the 1974 Ford Crown Victoria. Owning one car in Manhattan is a challenge, owning 2 is impossible so I passed the yellow Ford on to a brother who had worn out the crank socket on his old Peugeot after the starter motor had died. He didn’t keep the Ford for very long, either.

Owning a car while living in a Manhattan apartment is a challenge, but since I was working at Albert Einstein College of Medicine at the time I was able to get a parking permit for the Bronx Municipal Hospital Center parking lot. I usually left the car in the BMHC lot and took the subway to and from work, although sometimes I would drive the car the 1/2 mile to the subway and leave it parked by the entrance overnight while I rode the subway home. I can’t count how many times I would get to the subway, jump out of the car and run to the subway entrance, only to reach into my pocket for a subway token and notice that my car keys weren’t in my pocket because I had left them in the car, with the motor still running. Fortunately, I always remembered before I got into the subway so I never left the car running all night.

Keeping the car running as it got older was sometimes a fun challenge. Like the time I was picking up my friends Beth and Ingrid to drive out to the Fire Island ferry. As I pulled up in front of Beth’s apartment on West 74th Street there was a flood of steam coming out from under the hood. I popped the hood and saw that the lower radiator hose had split, so I told Beth to call Ingrid and tell her we might be a few minutes late picking her up. I then pulled my spare universal radiator hose out from the trunk, along with 3 gallons of water, and I proceeded to replace the bad hose and refill the radiator with water. We got to Ingrid’s only a little late, and I got them to the ferry on time, although I took the next ferry because I decided to go to an auto parts store to get another universal radiator hose, just in case.

There was also the time I drove up to Boothbay Harbor, Maine, on Labor Day weekend to pick up a friend who had spent the summer up there doing dinner theater. She had just turned in the keys to the house she had rented for the season, and the sun was going down as we started the drive back to the city. I stepped on the brake to slow down, and when I released the brake pedal there was an awful racket coming from the front left tire. I pulled over to the side of the road and jacked up the front of the car to see what was happening. The car had old drum brakes and one of the brake return springs, which pulled the brake shoes away from the drum, had broken so that brake didn’t fully release. Unconcerned I went into the trunk of the car and pulled out my brake tools and brake repair kit which included the needed replacement springs. I got the brake fixed and we were back on the road shortly.

I kept that car running until the early 1980’s, when my mother gave me her newer 1978 Pontiac Sunbird, and I couldn’t keep 2 cars in Manhattan, so I drove the old Rambler to a junk yard and left it with them.

Introduction to sol!ursa!ari

I’ve added this introduction as a new post because I recently upgraded my AWS EC2 instance to AWS Linux 2023 and installed WordPress newly and something has messed up the default so that if you just go to the home page of the site you get a 404 (Page Not Found) page instead of the introduction. I’ll see if I can get this working again, but until then I’ll be fighting with WordPress, PHP and MariaDB to see if I can fix it.

Welcome to my blog. I have been thinking about this for several years, but I was never sure that I had anything worth saying. In addition to that, I’ve often silently laughed at my friends and relatives who post what they’re making for dinner tonight, or where they are out for drinks. I don’t think anyone really cares what Holly and I had for dinner last night, or that we stopped for drinks at The Trailer Park or Walker’s on our way home. On the other hand, people have been interested in some of my stories about things I’ve done in my life, so much of this blog will be stories from my memory. This will be a random collection of my thoughts, some will be remembrances of things past and some will be comments about current events.

You are welcome to share these with others and comment, but please don’t bother to attack me or anyone else in the comments since I will delete any attacks on myself or others which I don’t think are appropriate. Also, these remembrances are coming from my memory, so don’t bother to complain about inaccuracies in names, dates or places. My memory is not what it used to be, in fact, I don’t remember if it ever was that good.

I’ve added a new form so that you can contact me privately if you have any comments or questions which you don’t want published to the blog. Feel free to use it to reach me and let me know that you have been here.

May the Circle be Unbroken

Two weeks ago my career in IT came full circle. Fifty-five years ago, as a rising high school senior, I took a summer course in computers at Columbia University in NYC. It was a very comprehensive course which covered theories of computing, algorithms, compilers, etc. in the mornings and then taught us programming in Fortran and assembler for Columbia’s newly updated IBM 7094 computer in the afternoons. For many years, that course was my only formal training in computers and IT. Most of what I have learned since then was either self-taught or learned on the job.

The 7094 had recently been updated from a 7090. The hottest question at the time was what was the difference between a 7090 and a 7094, and the answer was 4. In addition to a few other changes in clock speed, instruction set, etc. a major change between the two computers was that the 7094 had 4 more index registers. The 36 bit instructions for these computers had 3 Tag bits set aside to indicate the use of an index register, often used for stepping through memory in loops. In the 7090 these 3 bits selected one of 3 index registers. For the 7094, a binary decoder circuit was added so that the 3 bits could select one of 7 index registers, thus the update from 7090 to 7094.

Part of my decision to take a course in computers during that summer was the news that my high school, Brooklyn Technical High School, was planning to get a new IBM 1130 computer in the fall. In addition to taking the course at Columbia that summer I also went to the IBM offices on Maiden Lane in lower Manhattan and bought a set of manuals for the IBM 1130 so that I would be ready to use the computer when it arrived. In fact, I ended up being the first person to successfully run a program on Tech’s 1130. My oldest brother was going to school at Brooklyn College at the time, and was working on the IBM 1620 which they had there. I was able to visit his office and use a keypunch machine there to punch my program onto the punch cards then used as input for computers. As I recall, the program was to calculate great-circle bearings from NYC to other points on the globe. My father was a ham radio operator and he had installed a large, rotatable antenna on a tower alongside our home in Queens. He asked me to give him a table of bearings to point his antenna depending on where in the world he wanted to speak to someone, so I wrote the program, punched it onto cards at Brooklyn College (along with the Monitor Control Records, an early form of JCL for the 1130) and then walked into the computer room at Brooklyn Tech one day and asked the teacher there, I believe it was the head of the electronics course, if I could use the computer. He stared in amazement as I walked over to the card reader, inserted my card deck and then proceeded to run the program which generated many pages of output tables. He was sufficiently impressed by my ability to get the computer working that from that day on I was always welcome to come into the computer room, even if I was cutting a class to do it.

One interesting sideline about the 1130 was that it was a desk-sized computer console with a removable rotating magnetic disk cartridge (IBM 2315) behind a panel in the desk stand. The monitor program, as well as the compiler and other utilities were loaded onto the disk drive from 2 boxes of punched cards (about 4000 total cards). One item which I seem to have neglected to notice in the manuals I bought was that you had to turn off the disk drive with a switch behind the front panel before you shut off the computer. Otherwise, the retracting head of the magnetic drive would scribble all over the disk as the power was removed. We wondered why we had to load the 2 boxes of cards onto the magnetic drive every day, until someone realized that the switch inside the front panel would save us that chore.

There is irony in the fact that this IBM 1130 was bigger and more powerful than the IBM 1620 computer at the college I went to, although my college also managed to purchase an IBM 1130 during the summer before my senior year. More about that in another post.

The full circle I was talking about in the first paragraph of this post is that 2 weeks ago I started working as a system administrator in the computer research facility of the computer science department at Columbia. So my career in computing, which started with a course at Columbia 55 years ago, has now returned me to Columbia.

Sometimes You Just Need a Man-in-the-Middle (MITM)

Ok, to be politically correct I suppose it should be called a Person-in-the-Middle, but the acronym PITM is just too close to PITA for me. Maybe I’ll change it to Machine-in-the-Middle since that is what it usually is, but for me it was just a process on the receiving machine.

For those of you who don’t know it, MITM is often used in the context of an attack on web browsing. When a browser (like Chrome, Edge, Firefox, …) connects to a sever the name of the server is converted to an IP Address via DNS and then the packets are routed between the browser and the server. Of course, if someone can corrupt your DNS or stick a malicious router into the path between your browser and the server then they can read all of the packets that go back and forth. That is called a MITM attack.

The S in HTTPS is for Security and indicates that the connection is encrypted between the browser and the server using Transport Layer Security (TLS), which is an update to the previous Secure Socket Layer (SSL) which it turns out wasn’t really as secure as people hoped it would be. This is intended to protect against MITM attacks by making sure that the machine-in-the-middle can’t read the encrypted packets. When a browser connects to a server over HTTPS the server supplies its Certificate to the browser so that the browser can confirm that it is connecting to the correct server. The certificate contains the name of the server and is cryptographically signed by a Certificate Authority (CA) which confirms that the server name belongs to the server. This is called Public Key Infrastructure (PKI) which is well beyond the scope of this blog post. If the name of the server in the certificate doesn’t match the name of the server you asked the browser to connect to, if the certificate is signed by a CA that your browser doesn’t trust, or if there is another problem with the certificate like it is expired, then your browser will put up a warning about the certificate before letting you see the web site. Some corporate web proxy servers, which connect computers in a corporate environment, include a MITM which allows them to snoop on what their employees are doing on the Internet, even when the employee is using HTTPS. To avoid their employees getting the browser certificate warning the proxy server has to create on the fly a certificate for the specific server which the browser is connecting to. Since no legitimate CA will sign such a certificate the proxy server has its own CA and any browsers which use that proxy have to install the CA certificate from the proxy server as a Trusted CA.

This blog post is about why I needed a MITM in order to solve a problem I was having. We have 6 Amazon Web Services (AWS) Elastic Compute Cloud (EC2) Virtual Machines (VM) and I wanted to have all of them send their logs to one common VM for analysis. These VMs came with RSyslogD, a standard Linux/Unix system logging utility which I planned to use. Of course, the version of RSyslogD installed was 5.8.10, which was released in 2010 and last updated in 2012. For comparison, the latest version of RSyslogD is 8.2104. Since I am a card carrying Certified Information Systems Security Professional (CISSP) I decided that the logs should be transmitted to the common log server over TLS even though the servers were all in our AWS Virtual Private Cloud (VPC) meaning that no other computers should have access to our packets. Configuring RSyslogD to use TLS wasn’t too hard, but we also had some Python programs written in-house which I wanted to have transfer their logs directly to the common log server without using RSyslogD on the local VM. If you read my earlier blog post about Python you know how much I love looking for and using standard Python modules. I was able to find a Python module which said it interfaced the standard Python logging module to the Syslog protocol used by RSyslogD. Of course, it didn’t support sending the packets over TLS so I had to modify the module to wrap the packets in TLS. I was able to get the Python programs to send their logs successfully to the common log server using the Syslog protocol without TLS but when I wrapped the packets with TLS the logs were ignored. I could see that the TLS connections were being made, but since TLS encrypts the packets I couldn’t see what was in the encrypted packets that kept it from working. The packets going between the RSyslogD processes on the servers was working, but my TLS wrapped Python packets were being ignored.

To figure out what the issue was, I needed a MITM where I could decrypt the packets and inspect them to see what the difference was between the working logs from the RSyslogD process and the non-working logs from my Python module. Since I was already so embedded in Python for this I decided to write a MITM module for Python which would accept the encrypted TLS connection from the source, decrypt and display the logs, and then re-encrypt them and pass them on to the RSyslogD process on the common log server. Normally a MITM module is blocked by browsers because it supplies a certificate whose name doesn’t match the server you are connecting to, or is signed by an untrusted CA, but in this case I didn’t have that problem. For these TLS connections I had created our own local CA which only needed to be trusted by the VMs in our VPC. Since I had already been doing all this Python coding with TLS I had no problem cobbling together a simple MITM module with which I quickly discovered that the working messages had the length of the log message inserted before the actual log message. Adding that to my Python TLS wrapper module got the log messages flowing cleanly. Of course, if I had Googled “Syslog over TLS protocol”, as I should have, I would have quickly found RFC5425 which would have given me the needed answer without the necessity of an MITM, but what would have been the fun in that?

Metropolitan Diary

The NY Times finally published on Sunday, July 12, 2020, the submission I made to their Metropolitan Diary column on May 15, 2019. They edited it so I will provide here both my original submission and their edited version so you can decide if they removed anything of interest or if, as Tony often told me, I was too wordy.

My initial submission:

DEAR DIARY:
It was the spring of 1974, before CitiBike and the multitude of cyclists and protected bike lanes which now exist in the city. I was riding home from Central Park early one morning when I stopped at a red light at 57th St and 6th Ave (yes some cyclists do stop at red lights). A delivery truck from H&H Bagels pulled up next to me at the light. As is common with those delivery trucks, the passenger side door was open so I looked up at the driver and said hello. He said hello and then reached into a bag by his side and handed me a fresh bialy out of the truck. Only in New York.

The version as they published it:

Dear Diary:

It was spring 1974, and I was riding my bike home from Central Park early one morning. I stopped for a red light at 57th Street and Sixth Avenue.

As I waited for the light to change, a delivery truck from H&H Bagels pulled up alongside me.

I looked up at the driver and said hello. He said hello. Then he reached into a bag by his side and handed me a fresh bialy.

Of course they did include a nice illustration with it:

Crazy Conspiracy Theories

I’ve thought of a few crazy conspiracy theories which I’m expecting to see floating around the Internet soon. Please don’t spread these yourself as they are not true, they are simply the result of my warped sense of cynicism.

  • Trump had the novel coronavirus (Covid-19) released in Seattle to force the Fed to lower interest rates. He’s been after the Fed for a long time to lower the rates for a long time. Also, how else could the virus have gotten from Wuhan in China to a nursing home in a Seattle suburb.
  • Elizabeth Warren’s campaign is being funded by the Democratic establishment in order to take votes away from Bernie Sanders. Why else would she still be in the race when she has had such a lack of success in the primaries? Of course, some people might say that she is being funded by the Republicans (or even the Russians) to mix up the Democratic nominating process, but I don’t go quite that far.

As I said above, please do not repeat or spread these ideas. I’ve made them up with absolutely no evidence

Diversity frightens SWMs

If you’re not sure what I mean by SWMs, check out my last blog post. Back in the “good old days” movies and television were for the most part made by and starring straight white males. Of course there were a few exceptions but for several decades people of color and LGBTQ people were rare in the entertainment media, although there was a veiled hint that the villains in “The Maltese Falcon” might have been gay. Now you are hard pressed to find any recent TV series or movie which doesn’t prominently feature these people and that reality can be disturbing to people who aren’t used to it. I certainly don’t feel disturbed by this trend, but I suspect that it is fueling the rise in white-supremacy feelings and the support of Donald Trump. I’m afraid that many people see life as a zero-sum game so the more that others not like them are visible, the less they become visible and the more vulnerable they feel. The fact that this country is becoming a majority of minorities and people of color is frightening to some people who forget that this continent was originally inhabited by people of color.

Enough of my ranting for today. As always, comments are welcome.

Archie Bunker is alive and supporting Trump

In my last blog post I wrote about Trump promising to run the government as a business. A reader (my only one?), asked why people would want someone who had a history of bankruptcy running any business, let alone running the federal government as a business. That’s a good question, which I have actually asked in the past. I guess the answer is that people didn’t really elect Trump to run the government as a business, they elected him to “Make America Great Again”. Their vision of the “great America” was not LBJ’s “Great Society” but was an earlier, more restrictive view of America. For almost the first 200 years of the United States it was governed by SWM (straight WASP males). Ok, maybe there was a closeted gay president at some point, but that wasn’t taught in my American History courses. I’m old enough to remember the concerns that the Pope would run our government if we elected a Catholic president. The Catholic was elected and the Pope didn’t run our country, although the president didn’t get to live out his whole term so who knows what might have transpired.

I think Trump’s election was a result of some people wanting to go back to the “good old days” when SWM’s ran the country. We had just gone through 8 years of our first African-American president and the alternative to Trump was a woman. I’m not condoning this backlash (whitelash?) but that is what I have observed.

Other’s comments are welcome.

The Fallacy of running a Government as a Business

President Trump promised to run the government as a business. The problem with that is that the purpose of a business is very different from the purpose of a government. While businesses may make something, or provide some service, the primary purpose of a business, in our capitalistic society, is to make money for its owners. Trump seems to think that he and his cabinet/cronies are the owners of the business of government so they are out to get all of the money they can out of this government. On the other hand, the purpose of our government, as defined in the US Constitution is “form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity”. I don’t see anything there about making money for the president, the congress or the cabinet.

The major problem with running the government as a business is that in most businesses there is a relationship between income and expenditures. That is, an increase in expenditures is usually connected to some expected increase in income, either through R&D or through increased production capacity. The income of government is not as directly related to its expenditures. The expenditures are for general services which the government provides such as education, policing, sanitation etc. and increasing these expenditures is not related to any direct increase in government income. Ideally a government should run with a balanced budget, such that the income for any given period should cover the expenses for that period. Unfortunately that doesn’t always occur.

Ok, enough of my meaningless ranting for today. Does anyone want to comment about this?