Migrating from Amazon Web Services to Linode

Well, I’m not sure what you did with your Friday night, but I’ve spent the last few hours migrating websites from my Amazon Web Services instance to a virtual server at Linode. I’ve experimented with AWS for just over a year now, but the simple fact is that running multiple sites in a micro instance was just not a good idea. My micro instance would hit CPU throttling after less than a minute of CPU use, and then would be cut back to 2% CPU usage. I knew this limitation going into AWS, but it finally became too big a hassle.

Cindy and I run a total of seven sites. None of them are particularly high traffic, and I’m sure we would be fine in a small instance at AWS. Unfortunately, a small instance is a lot more money. A Linode node is about the same price, but the customer service at Linode is what really pushed me over the edge.

I run a Tor relay on Linode that I’ve secured fairly heavily. The few times I’ve noticed another Linode customer scanning my system or had some other technical issue, the Linode support staff have been extremely responsive. But best of all, not only are they timely, you actually talk to someone who knows what the fuck is going on. As much as I admire automation, I have to admit it’s very comforting to know that if I email Linode tonight, I’ll have an actual technical person replying to me by the morning (and they’re likely to have already fixed the issue).

Now, in the grand scheme of things, Linode is not really competing against AWS. AWS is all about automated provisioning and large scale rapid development. Linode doesn’t have anywhere near the provisioning and deployment features AWS has. But that’s ok. I’m not trying to rapidly scale up to handle millions of customers, I’m just trying to run a few blogs.

Another migration that I’m part way through is moving our systems into CloudFlare for security and acceleration. Unfortunately, getting self-signed SSL certificates and WordPress to play well with the free version of CloudFlare is proving to be tricky. Once I get the wrinkles ironed out, that’ll be another blog post.

If you’re looking for a server host, and want to support Cindy’s & my websites, use our Linode referral link!

Facebook Servers Pinging Home Users?

I’ve been playing around with Splunk lately, and one thing I’ve noticed is that I am getting a lot of pings from a certain range of IPs. I block inbound ping at my firewall, but this was so persistent I got a little curious. Here’s the log excerpt that piqued my interest:

Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:16 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:04 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:45:58 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.179.30 on interface outside

That’s the trimmed output, but you can see a bigger set of logs if you’re interested.

So just who are these persistent pingers?

whois 69.171.228.232
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.171.228.232"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.171.228.232?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.171.224.0 - 69.171.255.255
CIDR:           69.171.224.0/19
OriginAS:       AS32934
NetName:        TFBNET3
NetHandle:      NET-69-171-224-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
RegDate:        2010-08-05
Updated:        2010-10-15
Ref:            http://whois.arin.net/rest/net/NET-69-171-224-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 S. California Ave
City:           Palo Alto
StateProv:      CA
PostalCode:     94304
Country:        US
RegDate:        2004-08-11
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  domain@facebook.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  domain@facebook.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

whois 69.63.186.228
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.63.186.228"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.63.186.228?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.63.176.0 - 69.63.191.255
CIDR:           69.63.176.0/20
OriginAS:       AS32934
NetName:        TFBNET2
NetHandle:      NET-69-63-176-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
Comment:        Contact abuse@facebook.com with issues.
RegDate:        2007-02-07
Updated:        2010-07-08
Ref:            http://whois.arin.net/rest/net/NET-69-63-176-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 S. California Ave
City:           Palo Alto
StateProv:      CA
PostalCode:     94304
Country:        US
RegDate:        2004-08-11
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  noc@fb.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  noc@fb.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RTechHandle: OPERA82-ARIN
RTechName:   Operations
RTechPhone:  +1-650-543-4800
RTechEmail:  noc@fb.com
RTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RAbuseHandle: OPERA82-ARIN
RAbuseName:   Operations
RAbusePhone:  +1-650-543-4800
RAbuseEmail:  noc@fb.com
RAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RNOCHandle: OPERA82-ARIN
RNOCName:   Operations
RNOCPhone:  +1-650-543-4800
RNOCEmail:  noc@fb.com
RNOCRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

As you can see, both ranges are owned by Facebook. So the question of the day… Why is Facebook ping scanning me?!? Get your guesses in now, because I’m going to email their abuse address and see what they say. 😉
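The manual workflow above (pull the denied-ICMP lines out of the ASA syslog, then whois each source) is easy to turn into a repeatable check. The following is an added example, not code from the original post: it parses the %ASA-3-313001 lines quoted above, counts echo requests (ICMP type 8) per source address, and labels each source with the ARIN prefix it falls into. The two CIDRs and their NetNames are copied from the whois output shown on this page; the sample log text is the post’s own excerpt, embedded inline so the script runs offline. Any source outside those prefixes is reported as unattributed rather than guessed at.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the ASA syslog lines quoted earlier in the post.
SAMPLE_LOGS = """\
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:16 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:04 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:45:58 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.179.30 on interface outside
"""

# Prefixes and NetNames copied from the ARIN whois output above (both OriginAS AS32934).
# In practice you would refresh these from whois/RDAP, since allocations change.
KNOWN_RANGES = {
    "TFBNET3 (Facebook, Inc.)": ipaddress.ip_network("69.171.224.0/19"),
    "TFBNET2 (Facebook, Inc.)": ipaddress.ip_network("69.63.176.0/20"),
}

# Matches the ASA-3-313001 "Denied ICMP" message format shown in the post.
ASA_313001 = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-3-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on interface (?P<iface>\S+)$"
)


def parse_denied_icmp(lines):
    """Yield (timestamp, source address, icmp type, interface) for each matching line.

    Lines that are not ASA-3-313001 denials are skipped, so the function can be
    pointed at a full syslog feed.
    """
    for line in lines:
        m = ASA_313001.match(line.strip())
        if m:
            yield (
                m.group("ts"),
                ipaddress.ip_address(m.group("src")),
                int(m.group("type")),
                m.group("iface"),
            )


def attribute(ip, ranges=KNOWN_RANGES):
    """Return the NetName whose prefix contains ip, or 'unattributed'."""
    for name, net in ranges.items():
        if ip in net:
            return name
    return "unattributed"


def summarize(text, ranges=KNOWN_RANGES):
    """Count denied echo requests (ICMP type 8) per source and label each source.

    Returns {source_ip: {"count": n, "owner": netname}} sorted by count, descending.
    """
    counts = Counter()
    for _ts, src, icmp_type, _iface in parse_denied_icmp(text.splitlines()):
        if icmp_type == 8:  # echo request; other denied ICMP types are ignored here
            counts[src] += 1
    return {
        str(ip): {"count": n, "owner": attribute(ip, ranges)}
        for ip, n in counts.most_common()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOGS).items():
        print(f"{src:16} {info['count']:3d}  {info['owner']}")
```

Two caveats a practitioner would add: whois tells you who is allocated the prefix, not why the packets were sent, and the bursts of three echo requests within a second look like a probe timing out and retrying rather than a sweep, which is consistent with a host trying to see whether you are reachable. Neither point answers the post’s question; the abuse contact listed in the whois record is still the right next step.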

EU – No to X-Ray Scanners

For those who don’t know, the European Union has much stronger safety and privacy laws than the US. The EU just announced their new official policy for the deployment of airport scanners. Two key quotes:

It is still for each Member State or airport to decide whether or not to deploy security scanners, but these new rules ensure that where this new technology is used it will be covered by EU wide standards on detection capability as well as strict safeguards to protect health and fundamental rights.

In order not to risk jeopardising citizens’ health and safety, only security scanners which do not use X-ray technology are added to the list of authorised methods for passenger screening at EU airports.

If only TSA would accept that dosing people with X-rays and taking nude pictures of them isn’t actually necessary for security! Hopefully the new EU regulations will spur Congress to pass similar laws that protect the health and privacy of Americans. As Scientific American reports, the TSA is planning on deploying over 1800 scanners in airports across the country. Write your Representative and Senators now to encourage them to follow the EU’s lead in protecting citizens!

Complexities of Protecting Information

I love movies where a complex string of innocent circumstances finally draw together into a dramatic finale. Sometimes, life is like that too…

The German publication Spiegel has an article about the series of unfortunate events (to borrow a phrase) that eventually resulted in the leaking of WikiLeaks’ trove of US diplomatic cables. Reading over it, it’s striking how each event was just one more step down the primrose path to destruction. For those of us not involved, it’s a dramatic example of how hard it is to avoid unintended consequences while trying to keep information safe and secure. For the unlucky few who are named in the cables, this is a much more dangerous development.

Spotify Install

Some thoughts on Spotify’s setup and install…

  • Why are zipcode, gender, and birthday required? Zipcode doesn’t really bother me, but gender and birthday are rather annoying. If you don’t have a compelling reason (i.e. key functionality will break) you should make collection of information optional. (I’d probably put it in there anyway, but you’d be a better global citizen.)
  • Creating a start menu item and creating a desktop icon should be two options in the installer, not one. Guess what, I don’t necessarily need an icon for EVERYTHING on my damn desktop.
  • Really, Facebook is the only way to “get social” on your platform? Guess what… A) I don’t really want Facebook to be hooked to everything I do on the planet & B) I want to connect to music friends who I don’t want to share my Facebook life with.

TSA: Like burglar alarms?

Bear with me on this one…

Among the many thoughts I’ve been having on the TSA’s controversial backscatter “strip search” scanners are some musings based in game theory. Let’s look at the “players” in the security game:

  • TSA: Chartered with securing air travel. Strongly motivated to avoid the possibility of blame being assigned to them when a terrorist event occurs.
  • Politicians: Want to be re-elected. Subject to the whims of the polls; right now that means being “tough on terrorists”. Current controversies may swing some politicians away from the “security at any cost” mindset.
  • Pilots/Crew: Concerned with balancing security against their own personal well being and effectiveness as employees.
  • Flyers: Want to be safe, but there are threshold costs for security which won’t be acceptable. Where those thresholds are is subject to some debate.
  • Non-flying public: Insulated from any costs (economic, political, mental, social, etc.) of flying security measures. Hard to uniformly classify motivation as a single group.
  • Terrorists: Want to disrupt American lifestyle sufficiently to achieve their goal (remove US from Middle East/undermine support for Israel/support Sharia law in homeland/influence domestic US politics and laws towards Islam/whatever).

Some interesting features of the game:

One thing that clearly strikes me is that the interests of TSA do not align with the interests of the Pilots/Crew or the Flyers. TSA has no interest in assuming a “compromise” or “balanced” security policy. TSA only wants one thing from both groups – unquestioning compliance. I think this conjecture from the game bears out in the reported demeanor of TSA in real life.

Non-flying public is numerically larger than the flying public. Politicians are influenced by these two groups, but because the Non-flying Public doesn’t bear any direct costs to security, it is natural for the Politicians to under-value the cost imposed on the Flyers group. The Politicians exert influence on the TSA. So the combination of the TSA having no incentive to decrease costs of security and the Politicians under-valuing costs of security implies that the feedback loop that should limit and control security policy to a reasonable level is actually weak and likely to result in over-costly security policy.

In the “mini-game” of a Terrorist attack, it’s not necessary for the attack to succeed in order for it to benefit the goals of the Terrorists. This means that it’s actually possible for a failed terror attack to be viewed as “positive outcome” to both the TSA and the Terrorists. The TSA because they can claim success and justification for their security measures. The Terrorists can as well, as long as the attack foments alarmist media and political coverage and results in increased fear.

Another striking feature of our “game” is that Terrorists and TSA are not diametrically opposed to each other. It’s possible for TSA and Terrorists to both “win” (or at least, both not lose) assuming the Terrorists can find a way to disrupt America that doesn’t depend on attacking the airline industry. Here at last is the feature of the game that inspires my title! Economics and game theory say that a burglary alarm doesn’t necessarily prevent all burglaries, it only has to prevent burglaries against the homeowner who pays for it. If it causes burglaries to shift to adjacent homes, there is a benefit to the alarmed homeowner, but a consequent loss to the neighbors. TSA is, in effect, like a burglar alarm – it encourages Terrorists to attack other targets. As long as the targets aren’t aviation related, TSA “wins” their part of the game. Of course, the problem is that the actions TSA takes to win are not necessarily the best for the public at large.

Just a few quick concrete examples of why this feature of the game should be so worrisome:

  • Security spending is limited to a finite budget. Ideally we should optimize our security budget over all policies and activities to result in the best security possible. Or, in the terms of our game, we should optimize our security spending so the Terrorists get as low a score as possible in the game. TSA (and all other single-scoped security agencies) are not motivated to do that. They are motivated to increase their security budget as greedily as possible in order to maximize their chances of securing their sector in the game, regardless of how cost-effective any given policy is.
  • Shifting behavior and secondary effects may impose costs higher than those imposed by the Terrorists. For example, driving is much more dangerous than flying. Every time someone decides to drive instead of fly a long distance, we are increasing the number of deaths and injuries suffered on the roads. Since the death and injury rate from Terrorists is so very low, it doesn’t take many additional deaths to negate the benefits of enhancing aviation security.

The secondary health losses are one of the big controversies over the backscatter x-ray searches, and are also a perfect example of the second point. Even though the health risk is likely minuscule from a single scan, if the scanners are widely used on a significant percentage of fliers, the minuscule health impacts accumulate into being more damaging than the Terrorists. Since terror attacks are such a highly improbable event, even scanners that sound very very safe in the context of a single scan could easily accumulate a negative impact that outweighs any benefit to stopping Terrorists.

I’d love to see a more detailed analysis of this game, but from just my cursory knowledge of game theory it’s obvious to me that the flying public must 1) become very vocal about the costs of the TSA policies and 2) gain support from the non-flying public. Only then can we muster enough influence on Politicians to push through and influence the TSA.

If you agree, I encourage you to write or call Congress, talk to your friends and family about why you disagree with TSA policies, and, if you’re flying, opt out of the invasive body scanners. You’ll be subjected to an invasive “enhanced pat-down” as a result. I would encourage you to complain to your Congressional representatives as well as the ACLU if you feel that the TSA policy is inappropriate.

If you’re interested in a huge collection of links related to the TSA policy situation, please check out this post from Bruce Schneier: TSA Backscatter X-ray Backlash.

Promotion to Apple Fanboy Complete

Today was a banner day for Apple in our household – we heralded the arrival of my iPad case and both of our new iPhone 4s. All told this month I’ve ended up ordering two iPads, two iPhone 4s, and accessories for each of them.

I think this single month expenditure earns me an automatic spot in Apple Heaven, even if I’m not a mindless Jobs Acolyte, right?

Must Have Internet!!!

Since moving Cindy’s stuff into the apartment, we’ve been trying to find a way to get our PS3 to stream movies from our Synology NAS. The first attempt was to use the Netgear Powerline Ethernet adapters that we brought over from her house. Unfortunately, they didn’t work so well. So I tried setting the PS3 to use the wireless, but that didn’t work any better here than it did in her house.

The actual Internet connection via power line was fine – fast enough for gaming, but still a little slow on the downloads. The big issue was that some of her HD movies on the NAS require 13+ Mbps to stream, and we couldn’t seem to push more than about 8-9 Mbps via the powerline adapters and even less via the wireless. Finally, I gave in to the reality that I would have to use a Cat5 cable to get the performance we needed.

My first instinct was to just run the cable along the floor board and tuck it under the carpet. The first problem with that plan was that I had to traverse the kitchen, which is linoleum. The second problem was that the build quality in the apartment is actually pretty good, and I couldn’t easily pull up the carpet edge.

Next I thought I might just get some white cable and staple it to the ceiling/wall. Reflection on that idea revealed that it would look too ghetto, especially since I couldn’t readily find color matching cable.

So I finally settled on doing it the “right way.” I got a shit load of wire mold (aka conduit) and started running the cable. Several hours worth of labor later, we have 100 Mbps from the NAS to the PS3 and all is right with the world! 🙂

The Hemorrhaging, Make It Stop!

I’ve been hemorrhaging cash left and right lately. This has been an expensive few months for me, and it doesn’t look to be getting better this month. Fortunately, almost all of these expenses can be viewed as investments in my life instead of frivolous spending. Today’s latest round of spending was a Dell R210 that had a $573 discount on it and an Apple iPad.

The Dell R210 is going to be the foundation for the NinjaLAN in our new apartment. It’ll have ESXi on it so I can setup VMs to experiment with Windows 2008 and Linux (two skillsets I need to polish). It also has an iDRAC6 card, so I can remotely power it on and off when I’m traveling for work.

The iPad is the more controversial of the two purchases… When the iPad came out, I was fairly vocal about my disapproval of the pricing. And truth be told I still think it’s overpriced. (It’s Apple, so no real surprise there, right?) But I’ve decided to make a real push at going completely away from paper for my work. At this point, I’m down to a notepad that I use for daily notes and at meetings, etc. I’ve already started transitioning everything I take notes on to Evernote, but the iPhone is just too small and unwieldy to use as a note taking tablet in meetings.

The other hurdle I’ve had with the iPhone platform for the last year or so was the absence of a task tracking sync between Outlook and the phone. However, I started using ToodleDo this past month and have been extremely happy with it. The features are so much richer, I would have happily moved to it from Outlook regardless of the mobile device issues. The combination of the ToodleDo app and the ToodleDo mobile website make using the iPhone and my laptop/desktop a perfect integration.

So now the end goal is to get to a completely virtual workflow for my professional work. The last impediment to that goal is the paper notebooks I lug around. I have more than one, because I separate my clients into separate notebooks. (I typically surrender the notebook to the client when a long term project completes, so they have complete work notes of how everything was put together.)

So we’ll see how it all works out in the end. Hopefully this really will be the last major expense for a while!