<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Me Blog! &#187; Security</title>
	<atom:link href="http://robertsweetnam.ie/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://robertsweetnam.ie</link>
	<description>It&#039;s hard to think of a tagline - All the good ones are taken..</description>
	<lastBuildDate>Sat, 15 Jan 2011 19:00:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>How to lose all your customers if you are a WISP</title>
		<link>http://robertsweetnam.ie/2010/01/21/how-to-lose-all-your-customers-if-you-are-a-wisp/</link>
		<comments>http://robertsweetnam.ie/2010/01/21/how-to-lose-all-your-customers-if-you-are-a-wisp/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 14:06:36 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Idiocy]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Observation]]></category>
		<category><![CDATA[Obvious]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web]]></category>
		<category><![CDATA[AUP]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[look before you leap]]></category>
		<category><![CDATA[WISP]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=955</guid>
		<description><![CDATA[First off I had better explain what a WISP is: it means Wireless Internet Service Provider. For this sorry tale the WISP in question is OceanTelecom who operate in West Waterford/East Cork. I got a call the other day from my friend&#8217;s wife who was having problems receiving mail from her eircom.net account when using POP [...]]]></description>
			<content:encoded><![CDATA[<p>First off I had better explain what a WISP is: it means Wireless Internet Service Provider. For this sorry tale the WISP in question is <a title="A wily WISP" href="http://www.oceantelecom.ie/" target="_blank">OceanTelecom</a> who operate in West Waterford/East Cork.</p>
<p>I got a call the other day from my friend&#8217;s wife who was having problems receiving mail from her eircom.net account when using POP to retrieve it. Sometimes she would get some mail and other times none. Using the webmail interface to her account she could see her mail there. All this started, she claimed, around two weeks ago.</p>
<p>Strange thought I, but then she mentioned that she had gotten a few spam reports in her mail.</p>
<p>Even stranger thought I, so I asked her to forward one of them on to me and here&#8217;s what I saw:</p>
<blockquote><p>This mail was generated automatically from Endian Firewall, which runs on<br />
efw1-oceantelecom.localdomain.(none) for scanning all mails for spam and viruses.</p>
<p>In a mail sent to you a virus has been found.</p>
<p>Virus name: Suspect.Bredozip-zippwd-2<br />
Sender of the email:  &#8220;DHL Manager Felipe Dove&#8221; &lt;shipping@dhl.com&gt;<br />
Subject: DHL delivery problem number 25130.<br />
Connection date: POP3 from 149.5.34.3:11778 to 159.134.198.135:110<br />
Message File: Per instruction, the message has been deleted.</p>
<p>Instead of the infected email this message has been sent to you.</p></blockquote>
<p>Regardless of the fact that it was a virus, what was annoying her was the very fact that the mail had been intercepted before it got to her PC. Her POP session to eircom&#8217;s mail server was intercepted by her ISP. Her ISP acted as a POP proxy without her permission. Therefore her ISP is effectively snooping on her mail. You can see clear as day in the report above that their firewall intercepted her connection to eircom&#8217;s POP3 server.</p>
<p>As you can imagine this really, really annoyed her so she rang ComReg (Ireland&#8217;s Communications Regulator) to find out if OceanTelecom were allowed to do this. ComReg said it was a grey area and advised her to contact the office of the Data Protection Commissioner which she duly did. The advice she received from the DPC was that they should not be snooping on her mail as her mail is not being hosted by her ISP.</p>
<p>With this information in hand, she rang OceanTelecom to complain and promptly received torrents of abuse from the owner! Ranting and raving about how he is protecting his network, etc, etc and if she didn&#8217;t like it she could cancel her account! How about that for customer service?</p>
<p>But when she informed him that she had already contacted ComReg and the DPC he terminated the call! He hung up a call from a loyal customer of over two years!</p>
<p>She rang me yesterday to tell me what had happened and that she was naturally going to change her ISP, which is only right IMHO.</p>
<p>So, for anyone looking to choose an ISP, keep this information in mind. An ISP is an internet service provider. Their only obligation, at its most basic level, should be to provide you with access to the internet and nothing else. Everything else should be optional. How you use your internet connection should be of no interest to your ISP once you keep within the terms of your contract, the laws of the land and their fair use policy. You can view <a title="Eircom usage policy" href="http://www.eircom.net/policy/" target="_blank">eircom&#8217;s policy here</a>. Some choice quotes from their policy are:</p>
<blockquote><p>eircom <strong>net</strong> will use its reasonable endeavours to prevent unauthorised access to the Service by third parties, but shall have no liability to the Customer for any unauthorised access to the Customer&#8217;s computer system. The Customer is responsible for selecting and properly using any security procedures made available by eircom <strong>net</strong> as well as other procedures and measures necessary to safeguard and back-up the Customer&#8217;s files, data and programs or any other form of information</p></blockquote>
<p>and</p>
<blockquote><p>You acknowledge that eircom net has no control over the information which can be accessed by using eircom net services and that we do not examine the use to which you or other users put the Services or the nature of the information you or they are sending or uploading. We therefore exclude all liability of any kind for the transmission or reception or such information of whatever nature.</p></blockquote>
<p>Pretty much common sense. The onus is on the customer to remain secure, eircom as an ISP only provide a service which is more than can be said for OceanTelecom.</p>
<p>However I understand that OceanTelecom is a privately owned business and ultimately it is their network and they can pretty much do what they want, but I would not have expected that to include interfering with clients&#8217; e-mail that is hosted elsewhere. I certainly wouldn&#8217;t like my ISP reading my mail before me. There are some serious privacy implications there.</p>
<p>If you are an OceanTelecom customer or are considering becoming one, based on the above I would suggest you avoid them or terminate your subscription. If anything the shocking and abusive customer service alone should be good enough reason.</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2010/01/21/how-to-lose-all-your-customers-if-you-are-a-wisp/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Too much LAN for one man?</title>
		<link>http://robertsweetnam.ie/2009/01/05/too-much-lan-for-one-man/</link>
		<comments>http://robertsweetnam.ie/2009/01/05/too-much-lan-for-one-man/#comments</comments>
		<pubDate>Mon, 05 Jan 2009 16:42:26 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Boredom]]></category>
		<category><![CDATA[Curiosities]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Routers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[WiFi]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=572</guid>
		<description><![CDATA[Over the weekend I was in conversation via e-mail with The Other Fellow. Over the course of our correspondence I mentioned my setup here at home. Later on that evening I began to realise just how ludicrous my setup has become. I have four different networks, three wireless access points, and an unearthly amount of [...]]]></description>
			<content:encoded><![CDATA[<p>Over the weekend I was in conversation via e-mail with <a title="The Other Fellow" href="http://theotherfellow.com/" target="_blank">The Other Fellow</a>. Over the course of our correspondence I mentioned my setup here at home. Later on that evening I began to realise just how ludicrous my setup has become.</p>
<p>I have <em>four</em> different networks, <em>three</em> wireless access points, and an unearthly amount of machines. To give you an idea of the chaos I made up a lovely diagram which is below. (There will be a fourth wireless access point in place soon but that is for a particular plan that I&#8217;m up to. More on that sometime in the future.)</p>
<p>The Sun Sparcs and the HP-UX machine are only powered up occasionally. I use a Dell TFT monitor which is the only display in regular use. Other than that I have a 19in Mitsubishi CRT that I use only when setting up or repairing other machines. I&#8217;ve probably mentioned this before but the room is on its own electrical circuit which actually has its own meter on it, and the room is currently consuming between €1.50 and €2 of electricity per day.</p>
<p>I bet you thought it might be more! Most of them are desktops and spend quite a lot of time idling away consuming between 90 and 120 watts of electricity.</p>
<p>If you look at the diagram and are wondering about the External WLAN limited to 1Mb, this is the access point and network that I use whenever I have a nasty virus- and/or spyware-infected PC or laptop in for repair.</p>
<p>Anyway, Click on the diagram for a bigger version:</p>
<p><a href="http://blog.sweetnam.eu/wp-content/uploads/2009/01/lanjan09.jpg"><img class="alignnone size-medium wp-image-573" title="lanjan09" src="http://blog.sweetnam.eu/wp-content/uploads/2009/01/lanjan09-300x243.jpg" alt="lanjan09" width="300" height="243" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2009/01/05/too-much-lan-for-one-man/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Chopping and Changing and some website housekeeping and tweaking</title>
		<link>http://robertsweetnam.ie/2008/09/06/chopping-and-changing-and-some-website-housekeeping-and-tweaking/</link>
		<comments>http://robertsweetnam.ie/2008/09/06/chopping-and-changing-and-some-website-housekeeping-and-tweaking/#comments</comments>
		<pubDate>Sat, 06 Sep 2008 20:32:11 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technical]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=395</guid>
		<description><![CDATA[As I will be off to college on Monday I won&#8217;t have anywhere near a fraction of the time that I used to for messing about with all my various servers here. I figured it would make a lot more sense to consolidate my various sites onto the one machine if at all possible. So [...]]]></description>
			<content:encoded><![CDATA[<p>As I will be <a title="Teaching an Old Dog new tricks!" href="http://blog.sweetnam.eu/2008/09/05/teaching-an-old-dog-new-tricks/" target="_blank">off to college</a> on Monday I won&#8217;t have anywhere near a fraction of the time that I used to for messing about with all my various servers here. I figured it would make a lot more sense to consolidate my various sites onto the one machine if at all possible.</p>
<p>So first up was the retirement of my IIS server on which my tech blog used to reside. I have migrated <a title="My Tech Blog" href="http://tech.sweetnam.eu/" target="_blank">that blog</a> over to WordPress and it along with this blog and my main site have been relocated on to a new Debian 64bit server which was previously the already mentioned IIS server.</p>
<p>The migration also meant that I could catch up on some tweaks that I had long been putting on the back burner. As my <a title="My Main Site" href="http://www.sweetnam.eu" target="_blank">main site</a> is running Mediawiki I have configured the new server so that Mediawiki now uses <a title="Memcached" href="http://www.danga.com/memcached/" target="_blank">memcached</a> to help speed up queries and reduce hits to the database. It has had a bit of an effect already. In keeping with the desire to reduce queries on the database I installed <a title="Donncha's Blog" href="http://ocaoimh.ie" target="_blank">Donncha&#8217;s</a> excellent <a title="WP-SuperCache" href="http://ocaoimh.ie/wp-super-cache/" target="_blank">WP Super Cache plugin</a> on both WordPress blogs. To give an idea of the difference that made, a quick benchmark was called for.</p>
<p>Using Apache Bench I requested a blog entry 100 times over 10 concurrent connections:</p>
<blockquote><p>ab -n 100 -c 10 http://tech.sweetnam.eu/2008/06/even-intel-wont-touch-vista/</p></blockquote>
<p>Without WP Super Cache the results were 20.72 seconds to complete at 71.47 kbytes/sec.</p>
<p>With WP Super Cache the results were 2.287 seconds to complete at 658.38 kbytes/sec.</p>
<p>However there is a caveat with those results as each test first passed through my <a title="My Reverse Proxy" href="http://blog.sweetnam.eu/2007/08/18/reverse-proxy-or-how-to-make-your-setup-more-complicated/" target="_blank">reverse proxy</a> but nonetheless the results are pretty conclusive. Another configuration change that I made that may skew those results is that I have disabled Apache logging on the web server. As all traffic first passes through my reverse proxy I use its logfiles for analysis. Interestingly from another test I tried recently, disabling logging on Squid Cache had absolutely no effect on its performance!</p>
<p>With everything now happily in place on the new server it was time to shut down and power off both of my <a title="No longer brought to you by Sun Solaris" href="http://blog.sweetnam.eu/2008/04/13/me-blog-now-brought-to-you-by-sun-solaris/" target="_blank">Sun Machines</a>. They will be resurrected any time I wish to play with Solaris. My mailserver remains running on my Poweredge 2800, although I took the opportunity to upgrade to the latest version of <a title="Zimbra Collaboration Suite" href="http://www.zimbra.com" target="_blank">Zimbra</a> today.</p>
<p>After all today&#8217;s tweaking and migrating I am now left with my Smoothwall firewall performing NAT, my reverse proxy which I decided to keep up and running as it is outstanding for <a title="Keeping the spambots at bay" href="http://blog.sweetnam.eu/2008/07/28/keeping-the-spambots-and-crawlers-at-bay/" target="_blank">filtering unwanted traffic</a>, the new web server and my existing mail server.</p>
<p>It&#8217;s probably still a tad excessive though! Next up is to change the theme for this site as I can&#8217;t configure the sidebars and the search option is strangely missing!</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/09/06/chopping-and-changing-and-some-website-housekeeping-and-tweaking/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Keeping the spambots and crawlers at bay</title>
		<link>http://robertsweetnam.ie/2008/07/28/keeping-the-spambots-and-crawlers-at-bay/</link>
		<comments>http://robertsweetnam.ie/2008/07/28/keeping-the-spambots-and-crawlers-at-bay/#comments</comments>
		<pubDate>Mon, 28 Jul 2008 00:55:01 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=329</guid>
		<description><![CDATA[Some of you may be aware of the setup that I have here at home that dishes this blog and several other sites out onto the world wild web. I have probably an overly complicated setup in which I have no less than 3 backend servers with a Squid Proxy server acting as the front [...]]]></description>
			<content:encoded><![CDATA[<p>Some of you may be aware of the setup that I have here at home that dishes this blog and several other sites out onto the world wild web. I have probably an overly complicated setup in which I have no less than 3 backend servers with a Squid Proxy server acting as the front end. While this may seem convoluted it does have some major advantages.</p>
<p>As all of you know, running a blog or any site can have its problems, and almost all of these problems involve dealing with deluges of spam and trying to block unwanted crawlers siphoning information from your site. There are many excellent methods to reduce this unwanted traffic, namely Akismet or Fail2ban; however, given the nature of my setup here, Akismet is not as effective as it should be and fail2ban is not an option, but this is where Squid comes into its own.</p>
<p>Squid is utterly configurable with so many options that you could find yourself easily overwhelmed. But there is one particular feature that is absolutely stellar in allowing me to control who and what accesses my sites. That feature is Squid&#8217;s built-in ability to use regular expressions to deny access based on a visitor&#8217;s or bot&#8217;s browser string. Apache can perform similar functionality <a title="Donncha's mod_rewrite tips" href="http://ocaoimh.ie/2007/10/10/keep-the-libwww-perl-bad-guys-out/">using mod_rewrite</a> but I find that having Squid do the dirty work is a much more elegant solution as it flatly denies access to the backend servers in the first place.</p>
<p>So how does one go about doing this? Well you can <a title="Blocking Bots with Squid" href="http://www.sweetnam.eu/index.php/Blocking_Bots_with_Squid" target="_blank">pop on over to my Wiki</a> where I have put together a HowTo which also has the regular expressions that are used to block all the bad browsers.</p>
<p>Needless to say my setup is vastly different from most, but nonetheless my HowTo could possibly help others in tweaking their methods of keeping the bad guys at bay.</p>
<p>If anyone finds it useful or spots something that could be improved I would be happy to hear from you.</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/07/28/keeping-the-spambots-and-crawlers-at-bay/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Two steps forward and three steps back</title>
		<link>http://robertsweetnam.ie/2008/07/11/two-steps-forward-and-three-step-back/</link>
		<comments>http://robertsweetnam.ie/2008/07/11/two-steps-forward-and-three-step-back/#comments</comments>
		<pubDate>Fri, 11 Jul 2008 08:09:57 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[WTF]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=284</guid>
		<description><![CDATA[What on earth were Microsoft thinking? Take the screenshot below. It is from an installation of Windows Server 2008. More specifically it is the window that pops up when you click on the icon that tells you that updates are available. What is wrong with this picture? Well for a start it lists the updates [...]]]></description>
			<content:encoded><![CDATA[<p>What on earth were Microsoft thinking? Take the screenshot below. It is from an installation of Windows Server 2008. More specifically it is the window that pops up when you click on the icon that tells you that updates are available.</p>
<p><a href="http://blog.sweetnam.eu/wp-content/uploads/2008/07/windowsupdate1.jpg"><img class="alignnone size-medium wp-image-285" title="windowsupdate1" src="http://blog.sweetnam.eu/wp-content/uploads/2008/07/windowsupdate1-300x254.jpg" alt="Stupidity" width="300" height="254" /></a></p>
<p>What is wrong with this picture? Well for a start it lists the updates that are available but it does not provide any details! There is a big blank area below the list where they could have included the details once you highlighted an update but no, instead you have to right click on an update and select &#8216;View Details&#8217; which pops up another window!</p>
<p>I can only imagine it is the same for the nightmare that goes by the name of Windows Vista. Except with Vista you would probably have to click that damn UAC button 27 times first.</p>
<p>While I&#8217;m at it I may as well complain about the Windows Update tray notification icon itself. Remember on Windows XP, if there was an update available you would have a very prominent yellow shield icon with an exclamation mark in the middle? Well that rather intuitive icon has been replaced by this:</p>
<p><a href="http://blog.sweetnam.eu/wp-content/uploads/2008/07/windowsupdate2.jpg"><img class="alignnone size-full wp-image-286" title="windowsupdate2" src="http://blog.sweetnam.eu/wp-content/uploads/2008/07/windowsupdate2.jpg" alt="" width="216" height="87" /></a></p>
<p>How on earth are you supposed to know what that is?</p>
<p>As an aside, Windows 2008 is actually quite a decent OS. As you can tell from the screenshots I have the Aero desktop enabled and I&#8217;m using it as a <a title="Fastest Microsoft OS" href="http://tech.sweetnam.eu/post/2008/03/The-fastest-Microsoft-Desktop-Operating-System-yet-and-its-not-what-you-might-think.aspx" target="_blank">desktop OS rather than a server</a> and it is incredibly fast. This has me puzzled also. How come Vista is like a three legged dog and 2008 is like a greyhound on steroids despite there being little between them technology wise! Whatever that &#8216;little&#8217; is &#8211; it makes a <strong>lot</strong> of difference.</p>
<p>Last year I installed Vista Home Premium on the very same P.C. and it made me want to cry. 2008 seems to be quite decent and Half Life 2 runs as fast as it did on XP. In fact I have noticed little in the way of a performance hit compared to XP which is more than can be said for Vista.</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/07/11/two-steps-forward-and-three-step-back/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Good news from AVG</title>
		<link>http://robertsweetnam.ie/2008/07/06/good-news-from-avg/</link>
		<comments>http://robertsweetnam.ie/2008/07/06/good-news-from-avg/#comments</comments>
		<pubDate>Sun, 06 Jul 2008 10:51:02 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=282</guid>
		<description><![CDATA[Given the battering AVG have received and the battering a lot of web servers have received, my own included, AVG are finally pushing out a new update to all of its users to disable the Link scanner feature. It will take a few days before all users get the update so we should see a [...]]]></description>
			<content:encoded><![CDATA[<p>Given the battering AVG have received and the battering a lot of web servers have <a title="Block unwanted traffic" href="http://ocaoimh.ie/2008/07/03/more-ways-to-stop-spammers-and-unwanted-traffic/" target="_blank">received</a>, <a title="Dealing with AVG Linkscanner" href="http://blog.sweetnam.eu/2008/06/28/avg-antivirus-sending-me-lots-of-unwanted-traffic-and-how-i-dealt-with-it/" target="_blank">my own</a> included, AVG are finally pushing out a new update to all of its users to disable the Link scanner feature. It will take a few days before all users get the update so we should see a decline in traffic over the next few days.</p>
<p>Incidentally, action finally seems to have been taken by AVG after a large community forum in Australia was getting particularly badly hit with traffic and posted a banner on top of every page served urging people to change to another AV product.</p>
<p>Their discussion begins <a title="Whirlpool" href="http://forums.whirlpool.net.au/forum-replies.cfm?t=1006623" target="_blank">here</a> and an AVG manager posted to the forum <a title="Whirlpool" href="http://forums.whirlpool.net.au/forum-replies.cfm?t=1007329&amp;r=15942208#r15942208" target="_blank">here</a>.</p>
<p>Via <a title="Slashdot" href="http://tech.slashdot.org/tech/08/07/06/0522221.shtml" target="_blank">Slashdot</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/07/06/good-news-from-avg/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AVG Antivirus sending me lots of unwanted traffic and how I dealt with it</title>
		<link>http://robertsweetnam.ie/2008/06/28/avg-antivirus-sending-me-lots-of-unwanted-traffic-and-how-i-dealt-with-it/</link>
		<comments>http://robertsweetnam.ie/2008/06/28/avg-antivirus-sending-me-lots-of-unwanted-traffic-and-how-i-dealt-with-it/#comments</comments>
		<pubDate>Sat, 28 Jun 2008 13:10:39 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=276</guid>
		<description><![CDATA[I wrote last month about an enormous amount of traffic being directed to this blog all of a sudden. The culprit is the latest version of AVG antivirus which installs a module called &#8216;Linkscanner&#8217;. Essentially what this does is when someone searches Google for example, Linkscanner will automatically check every link in the results. The [...]]]></description>
			<content:encoded><![CDATA[<p>I <a title="AVG skewing my traffic" href="http://blog.sweetnam.eu/2008/05/29/an-irish-botnet-extremely-strange-and-i-have-no-idea-whats-causing-it/" target="_blank">wrote last month</a> about an enormous amount of traffic being directed to this blog all of a sudden. The culprit is the latest version of AVG antivirus which installs a module called &#8216;Linkscanner&#8217;. Essentially what this does is, when someone searches Google for example, Linkscanner will automatically check every link in the results. The Register have <a title="AVG fake traffic on the register" href="http://www.theregister.co.uk/2008/06/26/avg_disguises_fake_traffic_as_ie6/" target="_blank">written</a> about it a <a title="The register again" href="http://www.theregister.co.uk/2008/06/13/avg_scanner_skews_web_traffic_numbers/" target="_blank">couple</a> of times.</p>
<p>This is bad because it seriously skews my statistics for one and very bad because it is chewing up a lot of my available bandwidth. So what is one to do?</p>
<p>As I noted previously, AVG uses a few unique user agent strings. These can be used in a .htaccess file to deny access to Linkscanner or, as in my case, to redirect the request to a certain page. Unfortunately my ability with regular expressions is pretty limited to say the least, but while browsing <a title="discussion about Linkscanner on reddit" href="http://www.reddit.com/info/6p87k/comments/" target="_blank">a discussion</a> about Linkscanner on reddit.com last night someone posted a solution. That someone was none other than Pádraig Brady who is a frequent contributor to the <a title="ILUG" href="http://www.linux.ie" target="_blank">Irish Linux Users Group</a>.</p>
<p>Rather than post Pádraig&#8217;s solution here I will <a title="Padraig's solution" href="http://www.pixelbeat.org/docs/web/avg_linkscanner.html" target="_blank">link to it instead</a>. However instead of directing AVG users back to the AVG site as Pádraig&#8217;s example does &#8211; I redirect them to a custom page I made earlier. I was going to link to my custom page but since I will be using it to keep a tally of AVG hits I decided not to link to it here.</p>
<p>To get an idea of how much extra traffic is generated as a result of Linkscanner consider that this site is relatively light on traffic but in the two hours since I started redirecting AVG users, the page mentioned above has been hit over 240 times!</p>
<p>Bad AVG, very bad.</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/06/28/avg-antivirus-sending-me-lots-of-unwanted-traffic-and-how-i-dealt-with-it/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>An Irish Botnet? Extremely strange and I have no idea what&#8217;s causing it.</title>
		<link>http://robertsweetnam.ie/2008/05/29/an-irish-botnet-extremely-strange-and-i-have-no-idea-whats-causing-it/</link>
		<comments>http://robertsweetnam.ie/2008/05/29/an-irish-botnet-extremely-strange-and-i-have-no-idea-whats-causing-it/#comments</comments>
		<pubDate>Thu, 29 May 2008 16:30:43 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Curiosities]]></category>
		<category><![CDATA[DSL]]></category>
		<category><![CDATA[eircom]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Technical]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/?p=244</guid>
		<description><![CDATA[Maybe someone might be able to enlighten me? I&#8217;ve been observing some really, really strange behaviour while looking through my log files. Two posts that I put up a few months ago are getting a lot of traffic: 896 hits on one alone and 154 on the other in the past three days. Now that [...]]]></description>
			<content:encoded><![CDATA[<p>Maybe someone might be able to enlighten me?</p>
<p>I&#8217;ve been observing some really, really strange behaviour while looking through my log files. Two posts that I put up a few months ago are getting a lot of traffic: 896 hits on one alone and 154 on the other in the past three days. Now that is not a lot of hits really, but I suppose it is for me. But it gets weirder than that.</p>
<p>All entries are HTTP GET requests as one would expect, but each client does not get the entire post. It looks for all intents and purposes like a crawler or a spambot. But here is the really bizarre thing:</p>
<p>All the IP addresses are Irish! Eircom, Clearwire, BT and NTL. I can&#8217;t for the life of me figure it out. I&#8217;m 99% sure that they are all PCs compromised with malware and attempting to scrape content &#8211; mainly because every request has the exact same useragent, in this case IE6. So is there an Irish-only botnet out there?</p>
<p>Here are a few examples:</p>
<p><strong>BT</strong>: 79.97.XXX.XXX [29/May/2008:16:10:27 +0100] "GET /2008/02/16/spotted-on-daftie HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"</p>
<p><strong>Eircom</strong>: 86.44.XXX.XXX [29/May/2008:16:27:07 +0100] "GET /2008/02/16/spotted-on-daftie HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"</p>
<p>Other blog entries are also being targeted in the exact same manner as described above, although not as often <em>yet</em>. And the UserAgent always claims to be Windows NT 5.1;1813. This makes them kind of easy to identify. A quick grep of my blog&#8217;s log gives me 1616 results, and a grep of my main site&#8217;s logs returns 30, all of which were from Irish IP addresses attempting to connect to my long-dead www.sweetnam.eu/blog URL.</p>
<p>Very strange.</p>
<p><strong>Update &#8211; I enlightened myself!</strong> From a little digging about, it appears that the AVG toolbar might be responsible.</p>
<p><a title="Webmasters World" href="http://www.webmasterworld.com/search_engine_spiders/3615360.htm" target="_blank">http://www.webmasterworld.com/search_engine_spiders/3615360.htm</a></p>
<p>This actually stands to reason as AVG includes a link checker for search engine results. All the pages that I am getting a lot of hits for appear on the first two pages of a search for those terms on google.ie.</p>
<p>I knew AVG was popular here, but not that popular! And the increasing traffic corresponds with AVG users being encouraged to update to the newly released version 8.</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/05/29/an-irish-botnet-extremely-strange-and-i-have-no-idea-whats-causing-it/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Some blog problems resolved and some neat stuff added</title>
		<link>http://robertsweetnam.ie/2008/03/28/some-blog-problems-resolved-and-some-neat-stuff-added/</link>
		<comments>http://robertsweetnam.ie/2008/03/28/some-blog-problems-resolved-and-some-neat-stuff-added/#comments</comments>
		<pubDate>Fri, 28 Mar 2008 20:36:58 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/2008/03/28/some-blog-problems-resolved-and-some-neat-stuff-added/</guid>
		<description><![CDATA[The problems I was having with all comments automatically being flagged as spam have been fixed. (I hope!) I&#8217;m not exactly sure what happened, but I shut down my reverse proxy to reconfigure it and cleared its cache, and all seems to be well again. Now for the neat stuff. Unfortunately most of you will never [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://blog.sweetnam.eu/2008/03/18/oddities/" title="Oddities" target="_blank">problems I was having</a> with all comments automatically being flagged as spam have been fixed. (I hope!) I&#8217;m not exactly sure what happened, but I shut down my reverse proxy to reconfigure it and cleared its cache, and all seems to be well again.</p>
<p>Now for the neat stuff. Unfortunately most of you will never see it, as it&#8217;s all behind the scenes. As mentioned already, I made some major changes to my reverse proxy, and one rather nifty new trick I added to it was to block out bad bots and most comment spam using the reverse proxy itself, which negates the need for me to mess around with loads of .htaccess files. Squid-cache allows you to deny access based on various criteria, one of which is the useragent string supplied by a client&#8217;s web browser.</p>
<p>I have a lovely <a href="http://tech.sweetnam.eu/post/2008/03/Why-Squid-Cache-Rocks.aspx" title="Why Squid Cache rocks!" target="_blank">write up about it over on my tech blog</a> for anyone who is interested. It has also managed to reduce my spam comments from about 150+ per day to 4 in the past 11 hours.</p>
<p>While spending the day playing with and configuring my proxy server I also took the opportunity to completely rewrite the <a href="http://www.sweetnam.eu/index.php/Reverse_Proxy_with_Squid" title="Reverse Proxy With Squid" target="_blank">tutorial over on my wiki</a>. Hopefully it now makes more sense as it is getting increasingly popular.</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/03/28/some-blog-problems-resolved-and-some-neat-stuff-added/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Blood Transfusion Service stolen laptop</title>
		<link>http://robertsweetnam.ie/2008/02/25/blood-transfusion-service-stolen-laptop/</link>
		<comments>http://robertsweetnam.ie/2008/02/25/blood-transfusion-service-stolen-laptop/#comments</comments>
		<pubDate>Mon, 25 Feb 2008 12:29:23 +0000</pubDate>
		<dc:creator>Robert</dc:creator>
				<category><![CDATA[Family]]></category>
		<category><![CDATA[Health]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.sweetnam.eu/2008/02/25/blood-transfusion-service-stolen-laptop/</guid>
		<description><![CDATA[Some family members were greeted this morning with letters from the Irish Blood Transfusion Service. Not me though, as I haven&#8217;t been able to donate for a few years. The letter was a notification that a laptop belonging to the IBTS had been stolen in New York recently and that records of some of my [...]]]></description>
			<content:encoded><![CDATA[<p>Some family members were greeted this morning with letters from the <a href="http://www.ibts.ie/" title="Irish Blood Transfusion Service" target="_blank">Irish Blood Transfusion Service</a>. Not me though, as I haven&#8217;t been able to donate for a few years.</p>
<p>The letter was a notification that a laptop belonging to the IBTS had been <a href="http://www.rte.ie/news/2008/0219/blood.html" title="IBTS Stolen laptop" target="_blank">stolen in New York</a> recently and that records of some of my family members were stored on it.</p>
<p>The letter states that the data stored on the laptop comprises name, address, date of birth and donation record. They further state that the laptop was in New York for a &#8220;software upgrade to provide better service to donors, patients and the public service.&#8221;</p>
<p>Then it goes on to mention security:</p>
<blockquote><p>We are always aware of the potential for data loss, and took all measures to ensure that state-of-the-art data encryption was used. The records were on a CD that was encrypted with a 256 bit encryption key. Those records were transferred to a laptop and re-encrypted with a 256 bit encryption key. This represents the highest level of security available.</p>
<p>I would like to assure you that the possibility of anyone breaking this encryption/ security system is extremely remote. When you consider that the normal PIN we all use to access bank machines etc is a four character code, the code on this laptop is thirty five characters. To our knowledge there has never been a report of a successful attack against a 256 bit encryption key.</p></blockquote>
<p>Interesting stuff but is it believable? I have visions of a Microsoft Access database being copied onto a CD and then on to the laptop in question. Or maybe even an Excel spreadsheet but that is highly unlikely as it seems that the highest encryption level for Microsoft Office is <a href="http://support.microsoft.com/kb/290112" title="MS Office Encryption" target="_blank">128 bit</a> and almost as <a href="http://www.pcworld.com/article/id,119483-page,1/article.html" title="MS Office Encryption Flawed" target="_blank">easy to crack</a> as an egg.</p>
<p>In the letter it is the mention of re-encryption that has me a little confused. If the data on the CD had already been encrypted then why do so again on the laptop? I presume they mean that they decrypted the data on the CD, transferred (transfused?) it to the laptop and encrypted it using a different key.</p>
<p>Anyway, given that the person who had the laptop was mugged, chances are that it was done by someone looking to sell it on quickly and they were not specifically targeted. Still, there is a small potential for identity theft, but most of the information that the IBTS claim was on it is easily accessible through other means.</p>
<p>Now I wonder what software they were using?</p>
]]></content:encoded>
			<wfw:commentRss>http://robertsweetnam.ie/2008/02/25/blood-transfusion-service-stolen-laptop/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>

