Posts

Posted on

Garbage at Melkweg, 19 June 2012

Garbage’s new album Not Your Kind Of People has seen a mixed reception: fans love it, but critics have generally gone “meh.” My own first impression of it was that even the heavy rock tracks like “Man On A Wire” felt pretty lightweight compared to their older material. It took me few listens to catch the flow of the album, and to get caught up in the hooks and grooves. There are some really good songs on there. “Blood For Poppies” has a bouncy sing-along chorus that belies its stark lyrics about war and battle. “Felt” has a throbbing drum and guitar backbone with the kind of melty vocals I find hard to resist. And “Automatic Systematic Habit” is a wicked synth-heavy opener that I would rate as one of their best ever songs, if it weren’t for how terrible and plain the first verse is compared to the tight interlocking slickness of the second.

That didn’t seem to bother anyone else at the gig, though. Melkweg was sold out. The crowd roared with approval when the band walked on stage, and went into a positive frenzy when Automatic Systematic Habit was what they kicked off with. Other songs from the new album got a good reception, too, but it was the older hits that got the biggest cheers. “Cherry Lips” and “Only Happy When It Rains” in particular raised the roof.

Shirley Manson looked great on stage, her hair up in a severe knot, strutting around with all the controlled aggression the songs demanded. Duke Erikson was absent, but Eric Avery took up bass duty and prowled around the stage like a groovy panther. I love watching drummers play, but unfortunately I didn’t see much of Butch Vig — the stage at Melkweg is low, and the Dutch are very tall. Fortunately, Garbage will be returning to Amsterdam in November to play Parasido, which is my favourite venue. This time, I must remember to buy tickets early, so that I’m not stuck buying them after-market.

  1. Automatic Systematic Habit
  2. Shut Your Mouth
  3. Temptation Waits
  4. Queer
  5. Metal Heart
  6. Stupid Girl
  7. Why Do You Love Me
  8. Control
  9. #1 Crush
  10. Cherry Lips (Go Baby Go!)
  11. Blood For Poppies
  12. Special
  13. Milk
  14. Man On A Wire
  15. I Think I’m Paranoid
  16. Bad Boyfriend
  17. Only Happy When It Rains
  18. Push It

Encore:

  1. Big Bright World
  2. The Trick Is To Keep Breathing
  3. Vow

Posted on

Scotland holiday

26 May – 3 June 2012:

  • Oban in the sunshine
  • Fish and chips in Oban…two days in a row
  • Hiking up Beinn Lora on a hot, hot day. Picnic at the top, with simply astonishing views.
  • The tour around Oban distillery. Oh, the smells!
  • Lovely accomodation at Lagnakeil Lodges
  • Sitting around in the quiet, reading books
  • The power station under the mountain at Ben Cruachan
  • Finally getting Alex & Fiona in to see The Avengers!
  • Gorgeous lunch at the Plumed Horse; catching up with Tony and Ian
  • Visiting Pulp Fiction on Bread Street for the first time
  • The amazing Pine Lodge at Archerfield
  • My first (half) round of golf in… four years? Let’s not talk about scores.
  • Private in-house family dinner with a personal chef
  • A mince pie and a fudge donut on Haddington High Street while watching the festival parade go by
  • Watching the kids skate and ride about at Space in North Berwick
  • Full Scottish breakfast whilst hung over

Best of all: spending so much time with my family.

Posted on

Fear of failure, by proxy

Alex is doing a presentation (“spreekbeurt”) at school today, about dragons.

I’ve done plenty of presentations, academically, profesionally and recrationally. I’m the kind of person who sweats bullets over homework, stays up whole nights studying for exams, and freaks out at the idea of being unprepared. Abi’s the same.

So it’s hard for me when Alex shows a stubborn lack of interest in his own school work. When I offer to help, he gets grumpy and insists he can do it himself. When I ask him to turn off his game and actually do the work, he gets angry. I get annoyed at his attitude. Everyone is miserable.

I so want to help! I want him to do get good grades! I want him to impress his classmates with his mad PowerPoint skills, and encyclopedic knowledge of all things draconic! What can’t he just do what I’d do?

Oops.

I want?” This isn’t about me. Every parent wants their child to work hard, to do their best, to excel. But what if they don’t? Disappointment? Scorn?

“Look” I said. “If you don’t spend more time on this presentation, you’re might fail. Is that what you want?”

“Well, live and learn!” Alex said defiantly.

He has the truth of it. This isn’t a doctoral thesis defense, or a speech at TED. It’s a five-to-ten minute classroom presentation at primary school. If he fumbles, all that will happen is that he’ll get a poor grade for this one thing. It won’t stop him from moving up to the next class after the summer. It won’t stop him from getting a job when he graduates. It won’t stop me loving him.

What is the lesson I want Alex to learn from this non-critical event, in the safe, nurturing environment of his primary school? Is it that he should live in constant fear of failure or poor performance, and that the only way to avoid it is to spend all his time trying to stop the hammer from falling? Or that failure (or even just imperfection) is part of life; that it is something he can deal with; that afterwards he can pick himself up and carry on?

Wouldn’t it be nice not to have to be the best to be recognized?

Not everyone can be the best in their chosen field. Not every child is above average. I don’t want to glorify failure or advocate laziness, but in the pursuit of excellence we should not vilify the ordinary.

Posted on

Amsterdam tourist tip: the free ferries across the river

As a tourist in Amsterdam, there’s a good chance you will arrive at Centraal Station, leave by the front, and spend most of your time in “the centre” — the concentric canals, bridges, merchant houses, cafés, museums, and sights make it a beautiful place to wander and cycle.

But if you want a slightly different view of the city, try heading out of the station in the opposite direction. Out the back is where you will find the river IJ (pronounce it “eye” or “aye”, and you’ll be close enough), and the ferries to take you to “Noord” (North).

With the exception of the green “Fast Fying Ferryhydrofoil to IJmuiden, the passenger ferries across the river are completely free. No tickets, no hassle — you just walk on (bikes and scooters are allowed on board), and enjoy the ride. There are various routes, but the ones I take most often are the “short ferry” to Buiksloterweg and the “long ferry” to NDSM.

The short ferry runs at least every 10 minutes day and night, and the crossing only takes a few minutes. The Buiksloterweg is on the other side of the river, directly opposite the station. You can sit yourself down at the very pleasant Café De Pont for a drink or something to eat, and watch the river traffic go by, with a great view of the back of the station. Film (and architecture) buffs may also be interested in the newly opened Dutch Film Museum in the eye-opening EYE building.

The long ferry is my favourite, though. It leaves once every 30 minutes throughout the day (every 15 minutes during commute hours), and is a relaxing 12-minute trip a couple of kilometers down the IJ to the NDSM Werf, a former shipbuilding an industrial area that is gradually transforming into a hot spot for local festivals and fresh startups. The ferry docks right next to an abandoned Zulu-class Soviet submarine.

Right at the end of the NDSM ferry you can relax at the trendy IJkantine, or walk a bit further to hang out at the more funky and organic Noorderlicht. (Ask for a cup of fresh mint tea if you’re into that kind of thing.) Both places have outdoor seating with great views of the river if it’s a nice day. NDSM is also a good point for setting off on a cycle ride to the countryside North of the city: Het Twiske, a lovely nature reserve (with a windmill!), is just a few miles away.

NDSM is the home of the Pancake Boat: a small cruise ship that will take you on an hour-long trip up and down the IJ, while serving an all-you-can-eat pancake buffet. Great views of the city, and enough food to choke a horse; fun for all the family.

Posted on

Hacked, grr

Late this afternoon, I happened to do a Google search for something I had written on my blog last year. The article came up in the search results, but when I clicked on it, I was redirected to a different site (a .ru domain). The target page didn’t load, though.

Primary investigative steps:

  1. Try it again. Still happens.
  2. Try search in a different browser. Still happens.
  3. Shit, I’ve been hacked.
  4. ssh to my server. Because I use Movable Type as my blog software, there are physical HTML files on disk for all my blog entries. Looking at the source code that should have been served up showed nothing unusual.
  5. Examine the .htaccess file for my site. This is where the damage was being done. The .htaccess file controls things like redirects, and a bunch of code had been added to mine. Interestingly, it was checking the referer on each incoming HTTP request, and only redirecting viewers that had come from a search engine. If you typed “http://sunpig.com/martin” directly into the address bar of your browser, or if you arrived via a bookmark or a non-search engine link, you would be let in as normal. The hack was designed purely to bleed off search engine traffic.

Next step: find out when the damage was done, and how long this had been going on. The modified time on the .htaccess file was very recent – just an hour previously, in fact. It seemed unlikely that I had caught the hack so quickly after it had happened.

I logged in to my host’s control panel, and checked the account access logs. These logs showed that no-one but me had logged in to my account using ssh or the control panel in the last month. Good. I changed my account password anyway. I also notified my host, and told them what I’d found so far.

I used the unix find command to see what files had been changed in the last 7 days:

find . -mtime -7

This showed a bunch of files I knew I had changed or added myself, some log files that I would have expected to be changed, and also: a stack of .htaccess files where there should not have been any, a bunch of unfamiliar PHP files all called “pagenews.php”, and two “index.php” files that I shoud not have been altered in the last week.

Next, I identified all .htaccess files in my account, and all files called pagenews.php:

find . -name ".htaccess"
find . -name "pagenews.php"

Then I looked for common text signatures in the files, to see if there was anything else I was missing:

grep -r "on\.ru" .
grep -r "FilesMan" .

Okay, infection identified. I could clean up the affected files, but I still didn’t know how the attacker got in in the first place. Without knowing that, there would be nothing to stop them getting straight back in again.

The time stamps on all the affected files went back three days. Some were stamped today, some were stamped yesterday; only one dated back to Monday. I checked the Apache log files of web traffic, and found that yesterday’s time stamps matched up with unusual HTTP POST requests to the two index.php and pagenews.php files. Those files used some kind of obfuscation, so I couldn’t figure out what they were actually doing; but the fact that the file timestamps matched the web access logs, it seems like a reasonable assumption that those POST requests were actually writing files on my server.

However, the one index.php file with a timestamp of Monday didn’t have a matching entry in the HTTP logs. I checked the file permissions, and found that they were set to 666: readable and writeable by everyone on the server.

So my working theory was: at some point on Monday, a process owned by some other user on the same server process on the shared server discovered that I had an index.php file ripe for taking over. It injected the malicious code, but didn’t do anything else immediately. Then, on Tuesday, some other part of the attack kicked in, and started making HTTP requests to the infected PHP file. Because the affected PHP code is running under my account now, it’s free to muck around with other files that belong to me. So the infection spreads to other areas around my server…

Recovery steps:

  • Remove the newly created pagenews.php files. Manually remove the infection code from the index.php files, and the .htaccess files. (The .htaccess files were modified, not overwritten. The malicious code was added to the start and end end of the file.)
  • Lock down permissions on all files and folders in my account, so that no-one else on the shared server has permission to write to them.
  • Remove unused code (old versions of Movable Type, Thinkup, lessn, inactive dev sites) to minimize attack surface for the future.
  • Upgrade to latest version of Movable Type (5.13)

    • To recursively apply 755 permissions to directories, and 644 permissions (read/write by me, read-only by others) to files:

    find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

    Steps for the future: run a scheduled backup job for static files on the server. I already use autoMySQLBackup for daily backups of the databases on the server, but clearly I need to consider the static files, too. Vasilis van Gemert has an example here: https://gist.github.com/2415901.

    Lessons learned:

    • If you’re running on a shared server, make sure that your files are not writeable by others on that server.
    • Backups. It’s not a matter if if something goes wrong, it’s a matter of when. My home backup strategy is pretty solid; my server backups are still lacking.