It’s just one weekend, dirt cheap, and going to be loads of fun. It’s in Edmonton at the School of Library and Information Studies (University of Alberta).

Taught by Lisa Yeo, formerly of The Alberta Library, now a Ph.D. student, and author of “Personal Firewalls for Administrators and Remote Users” (and very cool person). The bonus is that yours-truely, Cloned Milkmen, will be giving demonstrations. RFID hacking, barcode hacking, wifi man-in-the-middle, and more.

Here’s an excerpt:

To introduce students to the theory and practice of information security – the protection of information and information systems. The course will focus on foundational concepts, assessment and evaluation of information security practices in the library and information studies context.

The Practice of System and Network Adminstration (2nd Ed.) by Limoncelli, Hogan, and Chalup.

Go by this now. Seriously. By a copy for yourself and your favourite sysadmin. While your at it, buy Limoncelli’s book “Time Management for Systems Administrators”. If you don’t buy this book and read it, your throwing away money. You are probably also losing good people and opportunities as well.

Proceedings of CHIMIT: Symposium on Computer-Human Interaction for Management of Information Technology

The papers from this conference are publicly available. Each year, this conference includes coverage of “Field Studies” where researches observe and study systems administrators and how they work. What makes sysadmins tick? What difficulties do they encounter when they do their jobs? What contributes to their succesess and failures? How do they work together? What can lower the number of mistakes made by sysadmins? The conference also covers how interfaces can be designed to support the work of systems administrators.

Proceedings of the ACM SIGMIS CPR Conference on Computer Personnel Research

This is available from the ACM Digital Library. Members can get access fairly cheap, or your local library may have access for free. This is a conference that disseminates research about IT Professionals (“Computer Personnel Research”). What motivates career decisions and satisfaction in IT? How are IT goals established and achieved? How do you manage IT groups and projects? What makes users accept or resist IT change? How do IT operations generate value? What is the impact of IT skill development? The papers cover a wide-variety of topics and the scope ranges from small to global, with international coverage.

On October 23, 2008 I gave a talk at Netspeed 2008 titled Hackers in the Library. The talk was designed to build awareness regarding information security threats in libraries and to dispel the myth that “nobody would want to hack a library.”

In this presentation I tell many stories of actual security incidents that I have encountered in various libraries and punctuate these stories with reports from the media of similar events in libraries around the world.

The slides for the presentation are now available for download in MS Powerpoint (PPT) format. The slides include embedded notes covering the content of my speech and additional commentary and links. I have also included some questions and answers that have come up after the talk.

I believe many sysadmins overlook database security believing that “no one knows its there so how could be attacked?” It’s a foolish notion. I think other admins believe that database servers are no vulnerable to attack in the same way that other services are. We hear about worms and trojans targeting desktop users, IM clients, and web applications, but less often we hear about buffer overflows in server applications. However, vulnerabilities in RDBMS services do occur, and often enough to make you worry. Remote code execution is a potential problem for any services that you can connect to directly.

Even if your database server is patched-up you have to worry about accounts on the database server. Do all your database users accounts have passwords? I have seen poor password selection on database accounts far too often. It makes my skin crawl actually. It’s hard to explain to programmers sometimes why password choice is important or sometimes even why passwords are necessary at all.

Many people believe that database servers are “behind the scenes” and inaccessible to Internet. Litchfield’s survey demonstrates how often that assumption is wrong.

Defense-in-depth applies to database security as much as any other network service:

• You need a firewall configured to deny access to your database server except to the few people that really need to connect.
• Ever account on your database should have a non-empty password and it should be a strong password.
• Accounts should have limited access to database. Read-only access should be your default. No account should have access to all your database unless necassary.
• You should monitor database access. Do you have logs showing which users logged in and when and from where?
• When put together, “limiting account access” and “monitoring” mean you should be able to tell who accessed which database from what application. Each web application should use a different account to access your databases (at the very minimum).
• Finally, you should have a process for auditing data integrity. Would you be able to tell if data in a database had been inserted or if data was invalid or inconsistent?

I was disappointed when I could find no place to attach an external antenna. I have a couple of 7db antenna and a directional antenna that I can use the boast the range of wifi, but I couldn’t not find any place to plug it in. Well, the morning I was staring at my WRT54GC and noticed a weird plastic thing that looked out of place. After a few minutes of picking at it, I discovered a secret antenna socket underneath!

If you are looking at the lights on the front of the WRT54GC and holding it horizontally (laying it flat), the plastic cover for the antenna connector is on the right-hand side. If you pry up on the rounded edge of that plastic cover, it will open like a door, and reveal a connector that will pop out. It is a mini-BNC style connector.

Now you can attach the antenna of your choice!

I have posted a complete set of photos on flickr showing in more detail how to reveal the hidden antenna connector.

In my mind this makes the WRT54GC twice as value able as I thought it was. It was a good value for a good price, but now that I know I can put an antenna on it… its an absolute bargain!

To drive the point home, Gary Feldman performed a song titled “The Day the Routers Died” (sung like “bye bye american pie”).

cloned.milkmen@paranoidagnostic.net

The first is called a URL and is used for web pages, and the second is an email address. While these addresses both look quite different and are used for different purposes they both contain something called a Domain Name (or DNS name). In this case the domain name is “paranoidagnostic.net”.

Domain names are used to organize Internet addresses in an orderly way and to delegate authority for the creation of Internet addresses.

Top-level Domains

Internet domain names are organized according to a hierarchy. Levels in the hierarchy are denoted by periods in the domain name. When you read a domain name from left to right, the left is the lowest level and the right is the top-most level of the hierarchy. The lower levels are referred to as subdomains of the higher level domains./p>

For example, the DNS name “www.paranoidagnostic.net” shows three levels of the hierarchy:

• net is called the top-level domain
• paranoidagnostic is a subdomain of net
• www is a subdomain of paranoidagnostic.net

The top-level domains (TLDs) are very important. There are only a limited number of top-level domains and they are controlled by various authorities around the world. There are generally three types of top-level domains: US-only, country specific, and generic.

US-only TLDs are only available to US institutions and are under tight control. For example, “mil” is only for the US military, “gov” is only for the US government, and “edu” is only for accredited US post-secondary institutions.

Country-specific TLDs have two letter codes that usually (but not always) correspond to international standard two-letter codes for those countries. For example, the TLD for Canada is “ca” and the TLD for the United Kingdom is “uk”.

generic TLDs are usually available to anyone in the world. “com”, “net”, “org”, “biz”, “info” and a growing list of others are in this category.

Who can have a domain? How do you get one?

TLDs are created by the Internet Corporation for Assigned Names and Numbers (ICANN). Regular organizations cannot have TLDs. Individual people or organizations can obtain subdomains of TLDs. ICANN assigns a separate authority to govern each TLD and those authorities set their own rules about who can and cannot have a subdomain.

For example, the “UK” TLD is governed by Nominet. Nominet administers all UK subdomains and sets rules for how they can be named. In the UK TLD commercial organizations are put in a further subdomain of “.co.uk” and educational institutions in “sch.uk”. For example, a phone company in the UK could get a domain of “myphonecompany.co.uk” but not “myphonecompany.uk” or “myphonecompany.sch.uk”. In the UK authority for some domains is delegated to an organization other than Nominet. For example, subdomains of “parliament.uk” have their own system of rules.

Contrast that with the “CA” TLD. “CA” is governed by an organization called the Canadian Internet Registry Authority (CIRA). It does not have a special subdomain for commercial organizations. A phone company in Canada could obtain “myphonecompany.ca” for a domain name. Similar to the UK TLD government subdomains are restricted. Only the Canadian Federal Government can obtain subdomains of “gc.ca”.

Some countries have turned over control of their TLDs to commercial companies that allow anyone in the world to use them. For example “TV”, “FM”, and “AD” are all country-specific TLDs that are administered by commercial organization that treat them like generic TLDs.

Finding TLD Authorities an Policies

It is often very helpful to know who governs a TLD and what their policies are. For example, if you find a website might appear to be for a institution in a specific country and have a subdomain that appears from that country. In the UK and Canada (“.ca”) you could be sure that any site that ends in “.parliament.uk” or “.gc.ca” are associated with the government. But a website in other subdomains may not be authentic. Each country has its own authority and own rules so verifying who is real and who is not can be challenging.

Fortunately, the Internet Assigned Numbers Authority (IANA) keeps a list of all of the TLD authorities. You can find the contact information, usually including website addresses, for every TLD on that list. You can then contact the listed authority to find out what their policies are.

Notes

Note: The Internet’s domain name system is referred to as DNS (Domain Name System) and defined by many RFCs (Internet standards).

The project is to catalogue my local public library’s collection of Chinese books in a wiki. The library doesn’t catalogue the foreign language books (probably because it cannot). I am using MediaWiki (same software used for Wikipedia) which already has localization for many languages including at least 5 Chinese options.

One significant problem is trying to choose the right localization. So far, no one I know who actually speaks Mandarin Chinese can tell me what pros and cons there might be to picking one over the other. As a sysadmin, normally it would be my job to tell people what the pros and cons of one technical choice over another are. In this case I feel like I’m in an alternate reality. I am the right person for this job, but also completely unqualified!

MediaWiki seems to be the right choice for this project, not only because of its open editing, version tracking, and simple-but-effective content markup system, but also because it natively understands what an ISBN is. MediaWiki scans any text entered for strings that start with “ISBN” and end with a number and some dashes. If it sees such a string, it turns that into a link to its own internal system for linking to places that can give you more information about an ISBN. This is really good for a book-based library project.

I intend to write another component to magically identify book’s barcodes in the same way it does ISBN numbers, so that we can automatically link to the library’s catalogue. Thus someone can have one click access to putting a hold on an item.

Stranger than all of these other things, is that is a project I created. Normally, I would be writing up all kinds of “about” pages and help for the users. I suppose I will do that in English, but I always hesitate because it is, after all, supposed to be in Chinese. I just hope my translator is good!

If the mechanism controlling the arm starts to fail, there will be warning signs first! One of the warning signs is that you start to get disk errors more often. But just prior to the complete failure of the disk you might start to hear loud clicking noises and the occasional “bouncing” noise. These are bad signs. Some drives sound like they are clicking normally, so it helps to see and hear and example of a drive that has failed to know the noises you can expect. This video demonstrates that.

I have opened the casing to show the motion of the traveling arm. Notice that the noise appears to coincide with the heads hitting the black plastic on the outside of the disk or the metal circle at the center of the disk. The noise is not generated by the heads hitting anything. In fact, the noise is generated by a small piece of plastic located under the metal housing visible in the top left corner of the hard disk shown in the video. If you watch carefully, you can see a flash of motion near the top left edge of the disk during the video. When the arm moves toward the outside and goes to far you will hear the bouncing noise. When the arm moves to far inside the disk, you will hear the clicking noise.

A word of warning. NEVER OPEN YOUR HARD DISK. It will never work again if you do. This demonstration was done because the hard disk was already ruined and unrecoverable.

These noises sometimes occur just before it is too late; just before the disk dies forever. If you reboot, your computer’s BIOS may not recognize the drive. You will very likely hear those clicking noises repeated over and over and the occasional “bouncing” noise (heard at the very beginning of the video. Mechanical failures are not the kind of thing you can fix on your own. A data recovery company might be able to get your data back, but they will need to open the hard disk and operate on it in a clean room (the air and dust can ruin it).

So, what do you do if you hear the clicking and bouncing noises?

1. Do NOT turn off your computer or disconnect your hard disk
2. Immediately begin to backup the data.
3. When the data is backed up, consider sending the disk in for warranty replacement if it is not too old

If you cannot backup the data or the backup fails, you can do this:

1. Shutdown the computer and disconnect the drive.
2. If the drive is an external drive, power it off
3. DO NOT power the drive on again.
4. DO NOT try repeated to get it to work or to listent to clicking noise
5. The chances of data recovery are reduced if you keep letting that clicking noise occur
6. Find a data recovery company that you can trust and have them work on it
7. In the event of a mechanical failure, they will need to operate on the disk in a clean room. It will probably be costly but they may be able to recover your data
8. Again, if you keep trying to reboot your disk or repeatedly try to access it while it is clicking it might reduce how much data can be recovered.

My presentation rejects the idea that people need to learn technical skills just to get a techie to help them. Instead I introduce management and communication skills that can be used to obtain better tech support.

The presentation is divided into three sections. First, I explain how helpdesks generally work following the Limoncelli (1999) 9-step/4-phase model. Second, I explain how to write a great support request that has enough information that tech support won’t need to ask a lot of question and give you the run-around. Last, I present some rules-of-thumb for effectively managing communication with tech support for those worst-case scenario problems.

All of the ideas are based on my nearly 15 years of experience in giving and getting support. The rules and advice are inspired by some of my worst-cases in getting support and I show how my advanced technical skills are not enough to allow me to get tech support: Managing communication is the key to getting good support.

The slides for my presentation can be downloaded and they contain commentary in the “notes” field that can be viewed or printed if you open the file in Powerpoint or OpenOffice. The presentation is covered by a Creative Commons license and can be redistributed and remixed as long as attribution is provided and you share-alike.