Advogato blog for jjw

7 Sep 2000

Thu, 7 Sep 2000 21:00:20 GMT

Wow. Stan has tapped a new vein of angst. I'm impressed, and not necessarily immune.

As somewhat usual, all of my local friends are finding out that their lives are not what they set them out to be. Me too. We're all in our mid to late twenties/early thirties, and not kids anymore, although we all act like it. It seems like a totally common thing that my parents (and others in their generation, I assume) grew up too fast, and have regrets while myself and friends in my generation seem to avoid the trappings of growing up like the plague, and have found that to be not all together satisfactory either.

Onto other stuff--

Net::DHCPClient is in the middle of having documentation written. My over-reacting about the Security Office references in my last diary entry seems to be taken care of. Either the guy thought better of what he asked, or didn't mean what it sounded like he meant. A flurry if email seems to have solved the whole thing.

Does email actually make communication worse? I am aware of the irony of the way in which that question is posed...

25 Aug 2000

Fri, 25 Aug 2000 19:43:03 GMT

Why are people so yucky?

So, the deal is that I wrote a silly little Apache module last week that does kerberos authentication based upon whatever comes through basic authentication. Not a big deal, and little piece of glue code to make Stan's life a little easier. A whole whopping 56 lines of code, and about three hours of my life figuring out how Authen::Krb5 works, writing and testing the module.

So after a weeks worth of problems involving the service that was under my authentication code (actually really weird routing problems involving DHCP) I get an email from a guy in the Security Office for IU...

A little background here: I work for the Messaging Team at Indiana University. We do DNS, Email, DHCP, News, DCE, various NT services, and Account generation for the campus. Theoretically for all eight campuses, but right now mostly just two. Most of my job is to be around and write code that any of those services need to stay running in a smooth manner. I also do big design work, so that the amount of glue code necessary (and available to break) stays to a minimum.

So this email from the Security Office basically says that I should have consulted them before I write this code (not that they had anything else available), consult them before I write any code that might possibly be used for security and that they should be the maintainers of the code. And I should mail it to them.

So I am in the midst of trying not to freak out. It sounds as though they have basically told me that I am not allowed to write anything that might possibly have a little bit of security involved. Does this involve anything I write that is encrypted? I write code that does all sorts of authentication and authorization. Does it need to be cleared by committee now?

I am probably over-reacting. Hell, I know I am over-reacting, but asking me not to write code that I (or my friends and co-workers) need to do our jobs is a little upsetting. This has been happening with increasing frequency. The "Don't do that, this project will do that later" vaporware thing is definately going on.

Anyway, my response to this is to get off my ass and register as a developer in CPAN so that I can get the stuff published, then I'll inform them that they can download the code, just like anyone else. It's not a great module, but it works and hasn't shown a problem in tens of thousands of authentications since it went production on Monday. And I wrote it, dammit. I don't care if someone else wants to contribute. That is what open source is all about. But I also don't want it hidden away or co-opted because it falls into someone else's kingdom.

Am I reacting in a completely idiotic way?

22 Aug 2000

Tue, 22 Aug 2000 15:14:31 GMT

Rewrote mod_authkrb (or whatever its name is -- the kerberos authentication module for apache) in mod_perl last week, using the extremely cool Authen::Krb5 module. Took a while to figure out, but it works well.

So, the project I am supposed to be working on for work is webmail. I am using the IMHO module for Roxen, with a couple of modifications. Let me tell you, there is no more boring a project than webmail. There is nothing (and I mean nothing) new and interesting about a web gateway to an imap server. And it hits every bad thing about the web. Web authentication, web encryption, stateless protocols trying to masquerade as persistent connections.

I hate the web, not because of the content of the web (which is bad -- how much porn can one world society generate? Not that porn in itself is evil, but my god! how much can there be until there is just enough of it? It should be there, but does it really need to be the 500 pound gorilla of online content?) but because the technology that makes it go is outdated. I can't even imagine that it was good enough when all this started. It wouldn't have been hard to imagine that connections need to be stated to keep authentication credentials in line even in 1992. It's not as tho' new technologies snuck up on the web. Stated protocols have been around for longer than I've been alive.

Enough of a rant. I will probably update this thing later.

17 Aug 2000

Thu, 17 Aug 2000 20:46:52 GMT

Built and responded to DHCP_DISCOVER packets from within Net::DHCPClient. Almost ready to go in CPAN as an alpha module. It might actually be useful. I sort of doubt it tho'. What I need it for is pretty specialized. At least it will see the light of day, as opposed to my other stuff.

In case anyone cares (or needs this sort of thing) I made modifications to the cyrus imap server to do kerberized rimapd logins, and I made modifications to Mail::IMAPClient to do kerberized (or really any) rimapd connections. I can't see that it is especially useful to anyone, but if anyone wants it, they can have it. This stuff ended up being really useful for us (Indiana University) for hiding the fact that we are running imap servers behind pine. Or not really hiding, but allowing the login credentials on the front end running pine to be used to authenticate to the imap server.

Why isn't there a good way to to kerberos authentication via the web? I am not talking about mod_kerb stuff, I mean I want to pass the damn ticket. Maybe a plugin, but that ends up being a support nightmare. Web authentication just sucks. I don't want to encrypt the data stream. It is expensive, and stupid to encrypt every jpeg that is used for a button or a mouseover. There need to be better options. What we are left with is total encryption, or plaintext, or some hybrid that protects the principal authentication tokens (username/password) but leaves a secondary token open (some sort of cookie deally-bopper).

Enough ranting. More working on something fun.

10 Aug 2000

Thu, 10 Aug 2000 22:01:21 GMT

So I posted my latest project. DHCPClient...it is supposed to let folks build DHCP packets from within perl. Probably not a big call for it, but I need it. It is not available via CPAN yet. I will wait until I have it regularly doing good DHCP_DISCOVERs first.

I have a ton of half completed projects that work "well enough" for me to do my job. Hopefully, posting this will get this one farther. I think all of my projects are initially too vast in scope, so I can get about a third done before I need to do something else for work. This ought to be focused enough.

Lots of my friends are unhappy with their jobs. I wish this wasn't so. It's like we've all hit this far in our lives, looked around, and noticed that the technology we are good at doesn't really make the world a better place, nor makes us any happier.

It'd be nice to actually make the world a better place.