After installing a Cisco ASA 5505 on our network and setting it to inspect FTP (much like the PIX fixup command), passive FTP stopped working when connecting to some remote servers. It turns out the ASA was blocking the responses to a PASV request if the remote FTP server was a Microsoft IIS server behind NAT. It seems the Cisco is trying to prevent a very out of date and useless distributed denial of service (DDoS) attack that could be initiated when using passive FTP data transfers. It comes to this conclusion because the IP address advertised in the PASV response (the IIS server’s internal IP address) is in fact different from the public IP address which the Cisco observed during the FTP connection. When the Cisco sees this it instantly drops the connection claiming it detected a bounce attack.

What’s the solution? I can only figure a few:

1. Cisco please create an option that will allow users the ability to disable checking for FTP bounce attacks! This is the best route to fixing this. FTP bounce attacks are ancient and almost every FTP client out there ignores the IP address octets in the response to a PASV request which makes this attack out of date. Another reason for this being the best solution is most FTP connections are initiated by users who know what they’re doing and only connect to trusted FTP sites.
2. Cisco could also check if the IP address octets are within the registered address ranges of internal IP addresses. If it detects that the address is an internal IP then it should let the response through. The whole object of a bounce attack is to flood a server somewhere with thousands of connection requests. It is not feasible to imagine that you can flood an internal IP without the help of the entire internet. For a server with an internal IP address to be denial of serviced it would take an entire company with thousands of computers to all access this malicious FTP site at the same time to DoS their own internal server… Highly unlikely.
3. Plead to Microsoft to add an option for specifying the external IP address within IIS. IIS has been around years without this option so I doubt they’re considering this anytime soon. In which case you could choose a different FTP server.
4. Use a firewall comparable to a Cisco ASA or PIX that will monitor your server FTP connections (using fixup or inspect) and replace any private IP addresses with public IP addresses.
5. Disable fixup or inspect FTP on your ASA or PIX and just use passive FTP. This is the route I chose. Ofcoarse you can no longer use active FTP when you do this! I decided that I did not care to use active FTP as passive is preferable anyway.

I would like to say – on the off chance that LT. Col Shaffer ever sees this – that his testimony in front of congress was one of the most heroic efforts I have ever seen in my lifetime. LT. Col Shaffer literally threw himself on a grenade set to destroy his career in the hopes that the American people would hear what he had to say. The sad part is that most people missed this.

Anyway, years later here is an awesome interview where he is able to disclose even more information.

Part 1

Part 2

Part 3

Background on Able Danger

In the CME Group’s FIX/FAST for market data specification there is a tag 326 called SecurityTradingStatus. This tag is sent in a Security Status message (35=f), which is generated every time an individual security or security group changes its trading status. There doesn’t appear to be much documentation on this tag as I suppose it should be self explanatory. That being said, I still had some questions so I called up their development help desk and asked for some details. Here’s my conclusion for the different values:

2 = Trading Halt An event in the market or someone at the CME decided to halt trading for reasons which might be explained in HaltReason (tag 327) if it is not NULL. Documentation for HaltReason is found in a separate pdf outside of the FIX/FAST SDK called multipledepthbookFF.pdf.

5 = Price Indication I’m not too sure about this one, but I’m taking a guess that this is when HighPx (tag 332) and LowPx (tag 333) will be provided.

17 = Ready to trade (start of session) Trading is wide open for the security or security group. Anything goes…

18 = Not Available for trading (end of session) This would be what you’re looking for to determine if trading has ended normally for the day.

20 = Unknown or Invalid The security is in an unknown or invalid state?

21 = Pre-Open From what was explained to me, this is a period before 17 = Ready to trade (start of session) where certain types of actions can be performed, such as placing orders and cancels, but no orders will be matched or filled during this time.

24 = Pre-Cross The person I spoke to was really not to sure about this one or 25 = Cross. However he did say that both of these took place for about a split second.

25 = Cross Read 24 = Pre-Cross above.

26 = No-Cancel I’m taking a guess this means you can’t cancel your orders.

I hope I was able to shed some light on this rather undocumented tag. As always if you have more information on this tag feel free to post a comment.

Lord Christopher Monckton interviews a poor Greenpeace activist. I honestly feel sorry for her, but Lord Monckton handles the situation as nicely as he can. Anyway Lord Monckton might be my new hero… When is the last time you’ve heard an interviewer with so many facts and possessed the ability to lead their guest as logically?

Millions of people all over the world are devastated about the future of Earth. They believe we are systematically destroying our planet one car at a time. Can I just ask a simple question:

From whose authority did this idea come from that man is causing climate change? More importantly from whose authority came the belief that the current climate change is anymore drastic than the Medieval Warm Period or the Little Ice Age?

Before you equate me to something along the lines of a Holocaust denier please try to understand how my brain works: when presented with a new theory or idea I first try to logically deduce whether the presented theory is rational. In order to accomplish this I must understand the logic and any observations which were used to build the theory and to determine if the theory contains contradictions or lacks the ability to explain certain occurrences. In my school years many theories were presented to me, including many that were presented as fact. One such theory was the Big Bang. This is a theory that describes how our universe started. It’s an interesting concept, but it requires more faith than logic to take it as truth. Current observations of the accelerating galaxies and the idea of singularity (or zero) containing all matter in the universe are just a few wrenches in that theories gears.

The reason I ask “from whose authority” is because the man induced climate change theory is more faith than science. When I was first presented with this theory I did not dismiss it, as I give all theories a chance no matter how odd they are. The problem with this one seems to be the fact that I can’t even start my logical processes of deduction as there is no evidence or proof presented to support it. Any decent programmer can create a computer model based on linear regression and have it produce the output to support your goal. Hell I just did that last summer to predict the futures market. Now if you believe that a computer model can predict something as complex as the market that’s one thing, but climate? Do you have any idea how many variables would be necessary for that multiple linear regression formula to even come close to predicting next weeks climate? I’ll answer that for you: no you don’t. No one does. Back to my point: this theory must be one based on authority and not truth. There is one thing that is certain: the majority of people (not all) do not have a mind of their own, thus most willfully submit to authority.

“Blind obedience to authority is the greatest enemy of truth.” – Albert Einstein

By the way, if anyone has the “lost” temperature/CO2 data used in the IPCC models, please send it my way as I’ll gladly write a computer model which can be used to prove or disprove the IPCC’s findings.

One last thing: if you really believe in man made climate change I want you to know that I don’t have bad feelings towards you. I really don’t mind making money in the new trillion dollar carbon market.

Update
I just found this article which was also published today from the Daily Express out of the UK that I thought fit nicely with this post: CLIMATE CHANGE IS NATURAL: 100 REASONS WHY. To start the list off:

1) There is “no real scientific proof” that the current warming is caused by the rise of greenhouse gases from man’s activity.

2) Man-made carbon dioxide emissions throughout human history constitute less than 0.00022 percent of the total naturally emitted from the mantle of the earth during geological history.

3) Warmer periods of the Earth’s history came around 800 years before rises in CO2 levels.

4) After World War II, there was a huge surge in recorded CO2 emissions but global temperatures fell for four decades after 1940.

5) Throughout the Earth’s history, temperatures have often been warmer than now and CO2 levels have often been higher – more than ten times as high.

6) Significant changes in climate have continually occurred throughout geologic time.

7) The 0.7C increase in the average global temperature over the last hundred years is entirely consistent with well-established, long-term, natural climate trends.

8) The IPCC theory is driven by just 60 scientists and favourable reviewers not the 4,000 usually cited.

9) Leaked e-mails from British climate scientists – in a scandal known as “Climate-gate” – suggest that that has been manipulated to exaggerate global warming

10) A large body of scientific research suggests that the sun is responsible for the greater share of climate change during the past hundred years.

11) Politicians and activiists claim rising sea levels are a direct cause of global warming but sea levels rates have been increasing steadily since the last ice age 10,000 ago

… It goes on and on.

It’s humbling to be a veteran programmer and make a very drastic mistake. Today I made a startling discovery that two libraries I wrote contain two C functions with the same name. They do almost exactly the same thing too. Their names were RemoveClient(). The fact that they have the same name is not so surprising, what is surprising is that one of my programs which makes use of these two libraries had a segmentation fault today. I was dumbfounded at first as a backtrace of the stack calls looked normal yet one of the variables passed to RemoveClient() was NULL. That made no sense as the variable was declared on the stack and should always be valid for this code to even run.

It wasn’t until I looked a bit closer at the backtrace when I realized the unbelievable. The code was calling the RemoveClient() from the other library instead of the proper one declared within. I’m admitting this major mistake because I think it’s important for people to realize that there can always be flaws in your logic. Programming is almost completely a task in logic, which I should unquestionably be an expert at. Yet I made a very simple mistake of overlooking declaring these functions as static.

After realizing my mistake, I instantly thought: “how the heck have I avoided making this mistake in all my years of programming?” Well that was relatively easy to answer. I have always made sure my functions and variables are very descriptive and uniquely named. This time however I was under the gun to get this code completed and when rushed I’ve been known to simply copy and paste. Which by the way, I have made more errors in coding when copying and pasting my own code. It has to be the worst thing a programmer can ever do.

Anyway, the point I hope everyone will take from my experience, is try hard to be the best at what you do, but don’t let being the best blind you from your potential to make mistakes.

I just received news from one of my coworkers. Michigan passed a public smoking ban. Thank you career politicians for deciding the Michigan public is too stupid to make decisions for themselves. Its not enough to let private business owners decide whether they will allow smoking in their establishment or to allow their customers choose to support such places. Instead the political swine must make that decision by pissing their greater good of society on all of us.

Let the Market Do its Thing
Lets say I own a restaurant called Spit In Your Face. Our motto is that every time you sit down to enjoy your meal, a waitress comes up to you and spits in your face. By the way, Spit In Your Face restaurants make no guarantee about the gender or appearance of your waitress/waiter. Do you imagine Spit In Your Face will have many customers after the first week of business? Perhaps there will be a few that get a kick out of that, but I’ll assume the majority will disapprove and choose other restaurants to frequent. As astute readers will gather there is no need for a law prohibiting restaurant workers from spitting in customer’s faces. People made the choice and my restaurant went out of business. Take this one step further. If people severely disprove of smoking sections in restaurants or bars, why is it that these places are still in business? Let’s say that 50% or even 70% of the Michigan public dislike smoking. Then is it not their right to avoid smoking establishments and frequent the many 100% smoke free restaurants and bars (here’s a list of thousands that have made that choice on their own)? Yes those places might not be very popular, as I can’t even name a popular smoke free bar in Michigan, but the point still stands. No one is putting a gun to anyone’s head forcing them to goto places that allow smoking. If you want restaurants and bars to ban smoking simply remove their economic incentive.

Flight of Michigan’s Youth
Until today I was under the impression that the Michigan moochers in office were working hard to prevent the flight of it’s youth. By hard, I mean pushing some papers around and spewing do-gooder rhetoric. Not only is it impossible for youth out of college to get a decent job around here, they’ve now added a huge restriction on their freedoms. Banning smoking might not seem like a like a vast encroachment on our freedoms, yet it sets the precedence for a nanny state.

The Outcome
I am one of Michigan’s youth. My goal was to create a successful technology company that would excite our youth into staying in Michigan. Well government you just killed that dream. I for one will not live or even think about starting a family in a state that declares war on my freedoms. As soon as I am economically viable I will leave along with my company.

Michigan I will do what liberty loving citizens should do: remove your taxable income and watch you drown in your debt.

Watch this South Park clip that hit’s the nail on the head. You’ll get a kick out of it:

I just got back from a 6 hour adventure. One of my servers seems to have caught something like swine flu or more appropriately as I’m learning to call just “Windows”. It seems the network cards have all but died. Windows sees them, but after spending 4 hours trying to get any of the three NICs to work, I finally gave up by pulling the server out of the rack and driving it back to the office for a vaccination, er reformat.

This server had one job, to run a service I wrote and on top of that it was completely cut off from the internet. Initially I thought: “hmm maybe a virus that slipped in the network form another host?”. No such luck. If that had been the case I could have destroyed it in a matter of minutes and been on my way home. I’m bashing my head about this as this program would take about 2 weeks to rewrite for Linux. Should I allocate my time to rewriting this code that has run for over a year with no problems just to get around Windows? It’s a tough call. Maybe after a reformat, I’ll find out all the NICs really are dead…

Update:
There I go bashing Windows. I suppose I was just a little bit too tired writing this at 6 in the morning. After getting the server back to the office I plugged in an ethernet cable on all interfaces and wouldn’t you know it, they all work. Which means, I’m an asshole and Windows is the best after all. It’s now time to now look into the network equipment or cables.