The Scary Devil Monastery

Some of the neat things that I’ve run into at work recently:

  • A pristine, unopened copy of Caldera’s OpenLinux Lite. I wonder if it’s worth anything.
  • PrimeOS version 19.2.3. Never heard of it? Neither have I. The fact that it’s on a pair of 8″ floppies might have something to do with that, of course.
  • A box full of 8″ floppies. Shocking enough, but I also found an 8″-floppy drive; it’s the size of a small suitcase, and I think it’s made out of depleted uranium.
  • A 300-baud “Acoustic Coupler”, designed to snugly fit sixties-era bakelite phones for optimum whistle-screech transmission, or something. It does come in a very elegant wood-grain finish, though.
  • A Kaypro 1.
  • A 50-ft flat cable that has an RJ-45 jack at one end and an RJ-11 jack at the other. No indication of what it might have plugged into, if anything ever.
  • A Microsoft Cobol reference manual.

Some not-so-neat things I ran into at work recently:

Once upon a time, in dark ages past, I worked at a place that had the only sane network setup I have ever seen – a nested-star topology with Linux boxes at the center and Windows boxes at the peripheries. The Linux boxes, older x86 machines centrally administered with some clever application of rsync whose details I was not privy to, firewalled the Windows machines both ways so that even if somebody clicked on a malicious e-mail inside the gates, brought in their infected laptop, or somebody was outside knocking on some forbidden port trying to get in, the blast radius of a problem was always limited to a handful of machines. I’m told they even did some clever traffic analysis if need be, reporting back to base if there was somebody knocking persistently on doors they shouldn’t have been. Swoon.
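An added example of the "clever traffic analysis" sketched above, written for this page and not code from the site described in the post: a small detector that reads gateway firewall drop logs and reports hosts that keep knocking on a blocked port (TCP 445, the port that comes up later in the comments). The log line format, the sample lines, the window and the threshold are all assumptions constructed for the example; the idea is that a perimeter box per subnet can notice a scan and report it before the worm has the run of the building.

```python
"""Detect persistent knocking on a forbidden port from per-subnet gateway logs.

Added example, not the original post's or any vendor's code. The log format
below is hypothetical; adapt parse_line() to whatever your firewall emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   "<ISO timestamp> DROP <src>:<sport> -> <dst>:<dport>/<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>tcp|udp)$"
)

# Constructed sample: 10.1.2.17 sweeps a neighbouring subnet on TCP 445 within
# a few seconds, 10.1.2.22 makes two isolated attempts, plus unrelated noise,
# a malformed line, and one much later attempt from 10.1.2.17.
SAMPLE_LOG = """\
2004-05-04T09:00:00 DROP 10.1.2.17:1041 -> 10.1.3.5:445/tcp
2004-05-04T09:00:01 DROP 10.1.2.17:1042 -> 10.1.3.6:445/tcp
2004-05-04T09:00:02 DROP 10.1.2.22:2200 -> 10.1.3.7:445/tcp
2004-05-04T09:00:02 DROP 10.1.2.17:1043 -> 10.1.3.7:445/tcp
2004-05-04T09:00:03 DROP 10.1.2.17:1044 -> 10.1.3.8:445/tcp
2004-05-04T09:00:03 DROP 10.1.2.40:3001 -> 10.1.3.1:137/udp
2004-05-04T09:00:04 DROP 10.1.2.17:1045 -> 10.1.3.9:445/tcp
this line is not a firewall event and is skipped
2004-05-04T09:00:05 DROP 10.1.2.17:1046 -> 10.1.3.10:445/tcp
2004-05-04T09:00:30 DROP 10.1.2.22:2201 -> 10.1.3.8:445/tcp
2004-05-04T11:30:00 DROP 10.1.2.17:1099 -> 10.1.3.5:445/tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def persistent_knockers(lines, port=445, window_s=60, threshold=5):
    """Return {src: {attempts, targets, last_seen}} for sources that made at
    least `threshold` attempts to `port` inside any `window_s`-second stretch.

    A sliding window per source keeps memory bounded on a long-running feed;
    `targets` counts distinct destination hosts in that window, which is what
    separates a subnet sweep from one machine retrying a legitimate share.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) in window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != port:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        # Expire entries older than the window relative to this event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            best = flagged.get(ev["src"])
            if best is None or len(q) > best["attempts"]:
                flagged[ev["src"]] = {
                    "attempts": len(q),
                    "targets": len({dst for _, dst in q}),
                    "last_seen": ev["ts"],
                }
    return flagged


def report(flagged):
    """Render the findings as one line per source, suitable for syslog or mail."""
    return [
        f"{src}: {info['attempts']} attempts on {info['targets']} hosts "
        f"(last seen {info['last_seen'].isoformat()})"
        for src, info in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in report(persistent_knockers(SAMPLE_LOG.splitlines())):
        print(line)
```

Run stand-alone it prints a single line for 10.1.2.17 (six attempts against six hosts in six seconds) and stays quiet about 10.1.2.22, whose two attempts half a minute apart never reach the threshold. On a real deployment the thresholds belong in a config file, and the subnet gateways would ship these lines back to a central box rather than printing them, which is the "reporting back to base" arrangement the paragraph describes.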

That’s not what we have where I work. Here, we rely on a combination of DeepFreeze and shoe leather, which has proven (again) to be a complete fucking disaster. You’d think that MSBlast would have taught somebody something, but I guess not. Right now the way it works is this: if we’re fucked anywhere, we’re fucked everywhere.

Dear Microsoft – I understand that there are some really, really smart people working for you. If you could figure out who they are, round them up and fire everyone else, I’d really appreciate it. Thanks.

Dear Person Who Wrote Sasser – If I ever meet you, I’m going to punch you until you stop moving, and then I’m going to write down what I did so that I don’t overlook anything when I do it again.


  1. Posted May 4, 2004 at 11:35 am

    I’m not a network admin, but it seems to me there are ways you could rig your network up to contain outbreaks, just with regular switches ‘n’ routers ‘n’ stuff.

    Also, of course, if you had some system for making sure all your PCs were up to date, you wouldn’t be vulnerable in this case. I believe MS puts out an administrator tool that lets you push updates to PCs automatically. (But again, no network admin I. And in practice, all the networks I’ve been on have been shoddily administered and just as vulnerable as yours.)

  2. Mike Bruce
    Posted May 4, 2004 at 3:41 pm

    A Linux or BSD machine is more convenient, and cheaper, than some kind of dedicated router.

    Terrible suggestion: put each client machine on its own firewalled subnet.

    Automatically pushing (or pulling, which is a little bit conceptually smoother) updates is probably easy on some level, but the practical details are irritating.

  3. Mike Hoye
    Posted May 4, 2004 at 4:59 pm

    Linux/BSD routers are not only better, they’re hugely cheaper – they’re typically running on hardware that you already own, that’s a generation or two behind what you’ve currently deployed. Two 10/100 NICs and a consumer-grade hub, and you’re gold.

    Automatic updates seem like a great idea, as does this whole deep-freeze thing, but in real life they’re a disaster. The patch for Sasser is less than three weeks old, doesn’t work reliably, and those AutoUpdates have a nasty habit of breaking production software. The only real answer that I know of is a sane, heterogeneous network topology that doesn’t rely on a moat model, but not only am I not in charge here, the admin who is just said “No, we’re not seeing any unusual traffic on port 445”.

    Which is a sure sign that my week’s going to get a lot worse.

  4. Mike Bruce
    Posted May 5, 2004 at 4:34 pm

    If you want to get absurdly slick, you can get one of those little Soekris boxes for under $200 that boot from a CF drive. Put together a cut-down OpenBSD or Linux system, and you’ve got a tiny (4.85″ x 5.7″ board) router without any moving parts. You can even PXE boot them, if you’re feeling frisky.

  5. Mike Hoye
    Posted May 6, 2004 at 12:35 am

    That’s a fancy widget, but this is not a fancy-widget problem. Especially when I have more powerful tools and hardware available for exactly free.

    As usual, the real problems are social and institutional, not technological.

  6. Mike Bruce
    Posted May 6, 2004 at 10:08 am

    Enh. I don’t like routers with hard drives, so much. $200 to avoid having a big loud box with a drive that will probably fail within two years seems like a deal. Plus you have less hardware variance to deal with.

    Currently, I think the best way to deal with the virus/worm problem is to make sure that recovery is painless, and just accept that you’re going to get completely screwed at some point. If all you have to do to recover is stick in a CD and wait 15 minutes, or choose a network booting option and wait 15 minutes, it makes things sting a bit less.

    In fact, if I had a staff and a budget to get things set up, I’d have every bit of user data on the network, reload clients over the network as a matter of routine maintenance (every two weeks, say, in a rolling schedule, automated), and use reloading as the main problem-solving technique. I would avoid AV software. I would chunk things up into firewalled subnets (or, if I was feeling pointlessly clever, one subnet with transparent filtering bridges), as you suggest. Servers are another story, a bit more complicated, so I won’t pontificate here.