Pants Full of Unix

I’m beyond fed up with this shit:

Oracle Registration violates RFC 5321

If you’re involved with OpenOffice.org, this is why I haven’t registered your product, even though I recognize that doing so would benefit you by demonstrating the volume of users. I put up with this horse hockey for registrations for something I actually need, but I don’t need to register an Oracle web account: you need me to. So get this fixed or fuck off.

And, just to be clear, RFC 5321 §2.3.11 clearly states:

The standard mailbox naming convention is defined to be “local-part@domain”; contemporary usage permits a much broader set of applications than simple “user names”. Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.

By “intermediate hosts” we mean you, web form “developers”.

Knock it the fuck off!

Today, in regular email conversation (on several unrelated topics), a very good friend (left anonymous unless they ask differently, but I can’t imagine why they’d care, as they’ve several blogs that are better-read than mine) expressed frustration with their webmail provider (which I’ll just leave nameless here, less because of privacy or respect than because ALL ARE GUILTY). This frustration triggered a knee-jerk response for me about the ways in which computer software sucks… definitely a top-five knee-jerk response on that topic, although I’ve never enumerated that list, even for myself. There may be another post in that.

Anyhow, a portion of my response to them, edited only mildly (mostly to fill in a detail here or there that anyone who knows me in person, such as the recipient, already knows; also to make efficient use of HTTP for footnotes, because I don’t strictly hate the format, just its misuse, the deeper humor of which you may appreciate shortly) follows.

At 2011-08-20 14:19 -0700, [REDACTED] wrote:
>    You know, my Email doesn’t do that
>    >
>    >
>    >
>    thing anymore, which is inconvenient, because I do like to respond to Emails in chunks.

OH BOY have you touched a nerve with me there. None of the following is directed at you, so you can skip it entirely, but if you’re curious…

Once upon an apparently more gentle and simple time on the Internet, before, if you can believe this, the hyper-text transfer protocol (HTTP) and, thus, the world-wide web, we all just sent email as plain, goddamn text[1]. In order to reference material that someone else had sent, there was a de-facto standard of progressive indentation with a single character (and, for readability, a space), and a single quote line (often repeated on later quotation for simplicity) so that the conversation read like a mother-fucking conversation, should it be referred to later or any third party brought into the conversation. And the world was Good.

Then, along came the web, graphics, HTML email and, especially, Microsoft Outlook[2]. For reasons I’ll never, ever understand (it was simpler to code it that way? Maybe? But even that doesn’t make sense) the default behavior in Outlook (and, in fairness, Lotus Notes, which is a really great application environment with a really terrible mail reader UI) was to quote the entire previous email thread, including all kinds of crap that was no longer relevant, and put the user’s insertion cursor, upon reply, at the very *top*.

That simple decision had two major, I have to believe, unforseen implications, both of which I find to be undesirable.  You see, people in a hurry just replied where the cursor landed.  While that’s an understandable impulse (and even one that makes sense: quick messages should just be quick messages, skip the editing), there are two significant side effects.

First, in order to review the full conversation in context, the *reader* must scroll all the way to the bottom and then read not precisely upwards but down, then up, then down in spurts which are a stupid waste of time.

Second, *all* of the messaging history is retained, not just the parts that remain relevant to the continuing conversation, which is just a waste of message transfer resources (in the modern day, this is statistically irrelevant as compared with unsolicited commercial email, but the fact that your neighbors throw all of their refuse out the window onto the street is not a justification for you to litter).

Part of the reason that this *really* chaps my hide is that back at my first job out of college, back when I actually thought it was worth my while to swim upstream against the significant torrent and install an operating system other than Windows on the computer I used day-to-day for work on the basis that it’d make me slightly more efficient at my job, I was happily emailing away when my boss’s boss, the CTO, upbraided me (for bonus points, through a co-worker, my peer) for not adhering to the “quote fucking everything” format. His basis for this was that he, an adult male working in the IT industry at least since 1990, had grown used to the ass-backwards way Microsoft thought he should read email, and trying to read my emails (in which I quoted ONLY the relevant portions of emails, in an effort to *save* the reader time) irritated him. There were a lot of reasons I got fired from that job, but that’s definitely one of them. (In the end, my solution was to quote everything attached to the end of my edited-for-reading email, and I never heard anything more about it, but I’m pretty sure he caught my implied bird as flown.)

Now (as in “these days”, not just a convenient linguistic interjection), not only does Outlook work this way: Apple’s Mail.app works this way; Lotus Notes (for the forlorn few who still maintain it) works this way; Yahoo mail works this way; the insanely-popular-in-German-speaking-nations GMX.net works this way; inumerable web-based mail readers work this way; G-fucking-Mail works this way.

I’ve lost this fight, and I know it, but there are certain offenses up with which I will not put.

How is my mail reader different? My mail reader is Mutt. It is entirely text-based, and it runs only in a text-based interface (I believe that there’s a version that runs under Windows in the command terminal, but I wouldn’t know, since I no longer swim against that particular stream, so I just use Outlook for work, although I do use Mutt, through a screen(1)-maintained SSH session, in Terminal.app, on my home computer; you know, rather than using Mail.app). The interface to move through messages is obtuse if you’re used to pointy-clicking everything (although, if you enable keyboard shortcuts, gmail actually uses the same ones that Mutt does), but it’s familiar and efficient to me (you may recall, if you know me, that I generally advise people to keep using whatever computer interface they’re used to using), and you, my reader, don’t have to give a shit about that… because the messages that it produces are FUCKING LEGIBLE. Should I like to read email from an outside mail provider (rather than the mail server I take care of myself), I can do that, because I can use extablished protocols (IMAP and POP) to retrieve those messages and another (SMTP) to send messages back to it.

More relevantly, Mutt quotes the entirety of the message to which I’m responding, noting from whom it’s quoting that message in a single line at the top, indenting the quoted material with “> ” on each line. It puts my editing cursor at the top of that file to add my response… which line begins, “At 20…”. And then I insert my responses, in context, as appropriate, and elide the portions of the message to which I’m responding that are no longer relevant. Except for that one ex-boss, I haven’t had any complaints.

So… if your mail reader is not working for you, perhaps it’s time to consider a change? I’m not suggesting you install Linux on that Windows laptop, not even that you buy a Mac, but you really aren’t locked into what they think is a good idea. Given that they’re giving you the service for free, you probably can’t force them to change back as a customer, but you maybe don’t even have to change email addresses to do it. Just a thought.

[1] We also posted to a shared-resource “news” protocol, called Usenet using the Network News Transfer Protocol (NNTP), using whatever software we chose to use, rather than posting to isolated and radically different web forums and blogs using whatever crackpot webform whoever owns the server where it’s running decided was a good idea. But that’s a whole separate rant.

[2] Actually, not Microsoft, but NeXT, the short-lived computer company Steve Jobs left Apple in a huff to found in the early 1980s, was the first primary offender here, but NeXT users were also Unix people, and they generally eschewed the crappy email format, so MS is really to blame for forcing this crap on the world. Also, NeXT failed, and NeXTStep, the OS they built, became Mac OS X, after Apple bought the scraps, after Steve went back. NeXTMail is, thankfully, totally dead, not that Apple’s Mail.app mail reader is all that great, really. But, again, that’s a separate rant.

It’s not impossible that I’m paranoid, but my employer’s life insurance company is now offering “Identity Theft Protection” through SecurAssist, a feature of which is that I can plug “up to 10″ credit card numbers into their website, which they will then search for across “underground chat rooms where thieves sell and trade stolen personal information”.

This leads to the question: whence were those credit cards often stolen? Right, from businesses who did store customers’ credit card numbers and did not maintain security sufficiently. So, sure, I’ll totally put all of my credit cards in the same place: that sounds like a great idea!

Incidentally, a component of my job right now is to set up software on top of Splunk to help companies that do store credit cards (and other personal consumer information) demonstrate compliance with the PCI DSS Standard. No part of the current state of affairs makes me happy:

1. The standard is not written very well. There are obvious gaps and, as with SOX and HIPAA before it, expectations made of technology that are simply unrealistic, if not functionally impossible to implement algorithmically. (My favorite easy-to-grasp example of this kind of flawed thinking remains an off-handed item in HIPAA: in theory, you are required to destroy all records of a deceased party exactly two years after their date of death, including all backups of that data. Yes, really.)
2. Comprehension of the standard is worse than SOX and HIPAA, in several ways.
   • It is up to a given business, in cooperation with their auditor, to determine which of their systems fall into the several categories defined in the standard (PCI scope, systems that transfer consumer information and CCNs; cardholder, systems that store not just consumer information but actual CCNs; everything else). The standard presumes that it defines these classes clearly, but it is demonstrably not clear enough, given that ostensibly similar businesses have made different determinations about which systems fall where.
   • Different auditors demand disparate degrees of compliance with the standard and ding businesses for various miniscule details while, apparently (based on a game of telephone, of course: I just know what our customers tell me their auditors are demanding of them) disregarding whole swaths of the other requirements. The first part is theoretically okay (on the principle that a business is moving into compliance, but acknowledges that they aren’t there yet), but the second part is absurd: if the various private auditors are not holding all businesses to the same set of rules, then it’s not a “standard”.
3. Compliance with the standard is awful. (Before you panic, see also point 4.) The software I work with can help businesses comply, but because it is necessary to ensure that log data from all systems within PCI scope go into Splunk, and necessary to understand the inner workings of Splunk fairly well to know whether “no results” for a given dashboard (specific to a PCI DSS Requirement) means “no violations” or “something changed and the data’s not coming in properly”. I’m less than confident that some of the customers I’ve worked with will actually maintain this well, which doesn’t need to be a judgment of those with whom I’ve worked: it’s often just the rate of turnover at the customer.
4. Actual data security is very mixed. Some customers are doing better than the PCI DSS Standard would require them to do (and, in some cases, actually need to compromise their security standards just to make use of the software I set up with them), some are positively atrocious (minor nit: it’s 2010, people; if you’re even still cutting backups to tape, you simply have no excuse for lacking encryption). For obvious reasons, I won’t mention any names here, but if you know me personally and you’re considering giving your credit card to a business for recurring payments on anything (like, say, your phone bill), maybe you should run it past me first.

Well. That one kinda got away from me…

In contrast with Symantas’s recommendation, this is entirely possible without paying their managed services (which are a bit short of staff at the moment, so you may end up with someone from my current employer if you ask for that anyway), but it is kind of a pain in the ass.

I’m in the process (this is the first step) of writing up a white paper on this, so this is very much the DIY version. I make no guarantees: don’t be stupid. Take a catalog backup before you start on any of this, don’t permit any backups to run until you’re sure the system is functional again (bppllist -allpolicies | awk [details elided, as I'm not on an active NBU system at the moment] to note the active policies, then deactivate them all before you start), so forth.

This is tested, through some serious trial and error, in the migration of a 6.0MP7 environment, running on Windows 2003sp2 ia32, to a replacement master server, on Windows 2003sp2 x64, subsequently upgraded to 6.5.6. This is a process, not a magical bullet script that you can go run. Do not even dream of doing this if you don’t understand what all the commands listed here do without my explanation.

I’m also going to go ahead and just post a transcription of my notes, which I do intend to come back and wrap words around later (since I plan to write this up, at least for internal consumption at my employer), but at least this’ll be something if it takes me a while to come back to it.

• dump to files bppllist for all policies, bpstulist for all STUs, nbstl for all SLPs, so forth on the old master before you start; it’ll make rebuilding shorter (and you will need to rebuild; policies go across, but STUs will need to be rebuilt, and if you do the wrong thing at the wrong time, you’ll cause a policy to forget what STU / SLP it used to use)
• fresh 6.0MP7 on new master (nbmaster) and migration media server (nbmedia4)
• add nbmedia4 to old env
• configure DSU
• catalog backup to DSU
• nbemmcmd -deletehost -machinetype media -machinename nbmedia4
• remove nbmedia4 from SERVERs
• shut down svcs on nbmedia4
• add new master and swap in as master in BAR
• regedit to remove old master and replace new master in EMMSERVER
  • HKLM\SOFTWARE\VERITAS\NetBackup\CurrentVersion\Config
• start svcs on nbmedia4
• add nbmedia4 as a media server on nbmaster
• add DSU STU for nbmedia4 on nbmaster referencing same directory
• copy catalog BU file across to nbmaster (either straight from netbackup/db/images/<old master>/<date spec>/… or because you had the common sense to configure the DR tab in the catalog backup policy config)
• run the catalog backup recovery wizard (GUI or bprecover -wizard), referencing that file
• push nbmaster as a server to all media servers and clients through the old master while that’s running
• after catalog restore completes, on each media server:
  • stop svcs (netbackup stop / bpdown -f -v)
  • swap nbmaster in as the master and EMMSERVER (either bp.conf or regedit; remember to double-check vm.conf, regardless of OS, for stray references to the old master)
  • start svcs (netbackup start / bpup -f -v)
• at this point, master will start, but be inconsistent
  • nbemmcmd -listhosts will show all media servers
  • nbemmcmd -getemmserver will only show nbmaster and nbmedia4 as being “in domain”
• preferably, upgrade nbmaster to 6.5.3 or later here (or the second substep in the next step is way more time-intensive/scripted)
• for each media server, running commands on nbmaster:
  • bpmedialist -mlist -l -h <media server>
  • bpmedia -movedb -allvolumes -newserver nbmaster -oldserver <media server>
    • (-allvolumes is a 6.5.x addition; you can just loop around the output from the bpmedialist, and you’ll have to do that to put the media DB entries back on the media server where they came from, but…)
  • nbemmcmd -deletehost -machinetype media -machinename <media server>
  • nbemmcmd -addhost -machinetype media -masterserver nbmaster -netbackupversion 6 [or 6.5, or whatever; untested below 6.0MP5] -operatingsystem <whatever> -machinename <media server>
• at this point, the media servers should be back, but their devices won’t show up and their STUs, while still present, won’t work (and if you start poking at them, you’ll break them entirely)
• redo device config (through the GUI wizard or through tpconfig, whatever grabs ya)
• bpstulist at this point should claim that there are no STUs configured, but the GUI should still show them (because it’s picking them up from the policy config, but it doesn’t know what goes in them)
• for each STU configured on the old master:
  • bpstudel
  • bpstuadd (with the appropriate config)
• go back and loop bpmedia -movedb around your output from bpmedialist to put the various media DB entries back to referencing the media servers that created them, rather than nbmaster
• TEST!!! with new policies
• activate your old polices, strategically testing as you go
• if you run into 23/24/25 errors, then you’ve got your new master in a different DNS zone than your old one, or DNS was broken on some of your old media servers and clients, and you either weren’t noticing or had forgotten /etc/hosts entries you’d made… this is an excellent time to atone for that sin, for which proper use of bpclntcmd -pn is your friend

… by cocktail bloggers at Tales of the Cocktail 2009.

Just look:

% ping -c 5 google.com
PING google.com (74.125.67.100): 56 data bytes
64 bytes from 74.125.67.100: icmp_seq=0 ttl=55 time=1218.912 ms
64 bytes from 74.125.67.100: icmp_seq=3 ttl=55 time=731.904 ms
64 bytes from 74.125.67.100: icmp_seq=4 ttl=55 time=968.861 ms

— google.com ping statistics —
5 packets transmitted, 3 packets received, 40% packet loss
round-trip min/avg/max/stddev = 731.904/973.226/1218.912/198.844 ms

(See also.)