LoneStar Overnight’s broken web page

I told them I’d give them 24 hours to respond. I actually gave them over a month. The only response was the automated “We’ve received your tech support email.” They have, to date, done jack all to fix any of the problems I alerted them to. So I’m going public.

To whom it may concern,

There are serious issues with the security of your public web site.

A search on Google and DuckDuckGo for “Lonestar Overnight” or “Lone Star Overnight” results in a list of links, the first of which points to www.lso.com. The rest point to various pages below www.lonestarovernight.com, all of which appear to be on the same server. However, the GoDaddy-signed SSL/TLS certificate installed on that server contains only the name “*.lso.com” and the SANs (“Subject Alternative Names”) “*.lso.com” and “lso.com”. There is no SAN for any lonestarovernight.com hostname.

A potential customer or user clicking on any of the www.lonestarovernight.com links would receive a message from their browser that the certificate does not match the hostname. This can cost you business, as customers look elsewhere, to a competitor whose web server is perceived to be “trustable”.

You’ve already lost business from anyone looking for “lonestarovernight.com”. BTW, your web page does not contain the words “Lone Star Overnight” anywhere. Obviously, like IBM, SGI, AT&T and other companies of decades past, you have pivoted to branding yourselves as “LSO”. You might communicate this to Amazon, in order to properly identify your service when they select you to perform delivery of their packages. At this time Amazon states that the courier is “Lone Star Overnight”.

The last is purely a marketing glitch; however, there are far more serious problems with your web site’s security.

You are using very weak, obsolete encryption. This makes your customers vulnerable to man-in-the-middle attacks.
You are still using 512-bit “export” grade encryption, and are potentially vulnerable to the FREAK attack.
You ARE vulnerable to the POODLE attack.
You are still using SSL version 3.0, TLSv1.0 and TLSv1.1, all of which are considered obsolete.
You do NOT support the current TLSv1.2 standard.
You are still offering RC4 cipher suites, which are known to be vulnerable.
You do not support secure renegotiation.
You do not support Forward Secrecy.

I am a highly skilled Unix Systems Administrator for a Fortune 500 company. These are BASIC items. I identified most of them using the well-regarded, and free, SSL security scanning tool from Qualys Labs (qualys.com) to review your site, the results of which can be viewed here and here. To be clear: this is NOT an attempt to extort money from you or to solicit my skills to you. IT Security is a highly specialized area of IT administration and I do not possess the knowledge, skills or interest to do it justice. I am contacting you as a concerned “customer” who regularly receives Amazon deliveries facilitated by your service. If you don’t have an IT Security expert on your staff, I would highly recommend you get in touch with an IT security consultant who can assist you with auditing your systems’ security and developing a remediation plan.

If there is no response to this message within 24 hours, I will post it publicly on a number of social media sites, to warn other potential customers that they should not use your web site.

Also, the tracking number for my recent “same day delivery” given by Amazon does not work on your site. It doesn’t even give an error that it could not be found. It simply reloads the page. Someone should probably look into that glitch on your site as well. I’m probably not the only Amazon customer awaiting a delivery who is trying to track their package.

For the record, it appears they fixed the tracking number glitch. At least as of today I am able to get the status of the package I’m waiting for. While typing this, I heard a car door outside and my delivery was on my doorstep when I checked.
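As an added example (not part of the original post, and not LSO’s or Qualys’s own code), here is a small Python check for the two classes of problem the letter describes: whether a certificate’s names actually cover the hostname a visitor typed, and whether an advertised protocol/cipher configuration shows the weaknesses listed above. The SAN list and the “weak” configuration are constructed sample data, not the output of a scan.

```python
"""Offline checks for the two issues in the LSO letter: certificate name
coverage and obsolete TLS settings. Sample data below is constructed."""

def hostname_matches(hostname: str, names: list[str]) -> bool:
    """RFC 6125-style matching: exact match, or a wildcard only in the
    leftmost label that covers exactly one label. '*.lso.com' matches
    'www.lso.com' but not 'lso.com', 'a.b.lso.com' or another domain."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".lso.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]        # the label the '*' covers
                if left and "." not in left:
                    return True
    return False

def assess_tls(protocols: set[str], ciphers: list[str], secure_reneg: bool) -> list[str]:
    """Map advertised protocol versions and OpenSSL-style cipher suite names
    to the findings in the letter. Returns an empty list for a clean config."""
    findings = []
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled (POODLE)")
    for proto in ("TLSv1.0", "TLSv1.1"):
        if proto in protocols:
            findings.append(f"{proto} enabled (obsolete)")
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLSv1.2 or later")
    if any(c.startswith("EXP") for c in ciphers):        # EXP-* = export grade
        findings.append("export-grade cipher suites offered (FREAK)")
    if any("RC4" in c for c in ciphers):
        findings.append("RC4 cipher suites offered")
    if not any(c.startswith(("ECDHE", "DHE")) for c in ciphers):
        findings.append("no forward secrecy (no ECDHE/DHE suites)")
    if not secure_reneg:
        findings.append("secure renegotiation not supported")
    return findings

# Constructed sample data modelled on the letter's description.
LSO_SANS = ["*.lso.com", "lso.com"]
WEAK_FINDINGS = assess_tls({"SSLv3", "TLSv1.0", "TLSv1.1"},
                           ["EXP-RC4-MD5", "RC4-SHA", "AES128-SHA"], False)
FIXED_FINDINGS = assess_tls({"TLSv1.2", "TLSv1.3"},
                            ["ECDHE-RSA-AES128-GCM-SHA256"], True)

if __name__ == "__main__":
    print(hostname_matches("www.lonestarovernight.com", LSO_SANS))  # False
    print(*WEAK_FINDINGS, sep="\n")
```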

I can’t stand “weight loss” entertainment shows

Extreme Weight Loss: How the most obese nation on earth makes itself feel good by publicly shaming the worst of us

I’m very glad the stack of routers and switches next to me is almost loud enough to drown out the TV. My wife is watching Extreme Weight Loss and I wanted to slap the “guest loser” about 30 seconds into it. (Cue sob story about how her entire family done her wrong when she was most vulnerable…)
Then they pulled the predictable and over-the-top “You’re exercising for the first time in 20 years. You’re sweaty, out of breath and straining like you’re giving birth again. Now while you strain against this weight, tell us why you’re mad at each member of your family. Great! You’re completely out of breath, drenched in sweat, face is completely red, you’re angry and crying. Now, tell us whom you’re the maddest at of all?” (Spoiler warning: she’s slightly less than pleased with herself. Bet you could have guessed that already, right?)

Oh, and the weight loss reveals, where the giant scale takes 10 seconds to “add up” how much the loser has lost this interval, piss me off. Especially when they start the “reveal”, explain what they weighed when they started, what they weighed at the last weigh-in, how much they lost the first interval, how much they had to lose this time, and the overly dramatic “If you weigh less than XXX pounds today (pause) you’ve met your goal!” (because they, and the audience, can’t do math?) They step on, the scale takes 5 seconds to count down and… ad break!
Break’s over. Let’s cover that entire conversation again. Now step on the scale and take 10 seconds to “add up” the weight…

They haven’t gotten to the part where they start discussing how close the “loser” is to having lost enough weight that the surgeon is comfortable performing the skin reduction surgery. As if the weight loss, and the chance for the surgery, actually goes away if they don’t hit that magic number by the end of the 1 hour episode.

I’d be far more interested in what the “losers” from the first season look like today. Did they maintain their magical transformations, or have half of them gone back to their original weight?

Back to this week’s episode: She’s already lost over 100 lbs, she’s down to 160-something and looks fantastic! But the narrator / trainer just said “But, she doesn’t look any different from when I last saw her three months ago in the Bahamas…” Are you kidding me? She hasn’t put on an ounce, looks great, “But she doesn’t look any different…” Fuck you. She’s not 4 feet tall and 160-ish is fat or something. And then you weigh in and she’s lost another 11 lbs and is down to 150? You, Sir, are a DICK. Double douche-bag points to the show for having her go back to her parents, on camera, and confront them with the emotional reconciliation. Either they agreed to this when the producers contacted them and all the on-camera stuff is fake, or they didn’t and you just sandbagged them. People watch this shit and actually believe it’s real?

Just imagine how much I’d be frothing at the mouth if I wasn’t sitting next to noisy equipment and could actually hear it?

Bach “Little” Fugue in G Minor, BWV 578 – Saxophone Quartet

The United States Army Field Band plays Bach’s “Little” Fugue in G Minor, BWV 578 – Saxophone Quartet

One of the most beautiful pieces of music I’ve ever heard, with a wonderful performance.

Quite a storm 

Wow, this storm stretches all the way across Texas, from Oklahoma to Mexico…


The Fort Worth Botanic Gardens, Memorial Day, 2015

Fort Worth Botanic Gardens, Memorial Day weekend, 2015, with Kem, Martin, Mandie and Lyla.

FWBG

When you love without limits…

Best line I’ve heard all week:

When you love without limits, unconditionally,
when you love without fear,
then you shall be free.

More Geocaching

Heading out for an afternoon of geocaching with Kem.
We’re going to try to hit 10 caches in one day!

Guardian blocked from reporting Parliament

Guardian newspaper gagged from reporting the proceedings of Parliament

For the first time in history, a British newspaper is blocked from reporting the proceedings of Parliament.
A law firm, Carter-Ruck, representing an oil company, successfully obtained a gag order preventing the Guardian from reporting that a member of parliament has asked a question of a cabinet minister regarding the actions of the oil company, Trafigura, in dumping toxic waste in Ivory Coast.
This is apparently possible due to the creation of the British Supreme Court earlier this month.

Engagement Ring – a set on Flickr

Pictures of the engagement ring.

Engagement Ring – a set on Flickr.

Shhh! I told her it wasn’t ready yet.

The WoW fans will appreciate this

Chrome Cow » US Democracy Server: Patch Day.

2008 Election Results from Google

When lesbians get hitched

Congratulations to my good friends and “p”.
They snuck off to “Canuckistan” to get married. From the pictures it was a lovely ceremony.
I wish them all the best and look forward to the reception they have planned here in Big D some time in Oct.

When death strikes close to home

Coming home from work the other night, as I turned into my neighborhood I encountered a bit of police and fire activity. No lights and sirens and fire was leaving the scene, so I didn’t think much of it. Probably someone called 911 for a medical emergency and it was all over. There was one police car still in the neighborhood and he drove off when he realized he was blocking me from turning onto my street.

Kestrel said there were two police cars out front when she got home and the officers were talking to Jeff, our neighbor across the street. I know Jeff has a past, so I was a little worried, but she said they seemed to be laughing and joking. I stopped worrying and figured I’d just ask him what happened the next day.

I came home from work yesterday, saw that Jeff was home so headed over to ask what all the excitement was the day before. Jeff and Jonnetta, his wife, were sitting at their kitchen table with Chris, the neighbor that shares the other half of their duplex. I’d never met Chris before, though I had spoken with her boyfriend and roommate, Mark. I’d seen her coming home from work so I recognized her and Jeff introduced us.
Monday afternoon, Mark died, apparently of heart failure.

He’d been ill for several months, first pneumonia, then a couple of bouts of bronchitis. He was fighting off another round of bronchitis when his doctors told him if he didn’t quit smoking, it was just going to keep coming back and his lungs would never heal, so he quit. 8 days later he was dead.

Chris said she called around 3:45 to get a phone number. He said it would take him a minute to get to it, as he was rather weak and was moving slowly. When he didn’t come right back, she figured he got distracted by a book or something, as he was in the habit of doing. (I saw him many times, at all hours of the day and night, stepping out to his porch to have a cigarette, always reading a book. He made his living buying and selling books online. Their house is so packed with books they can barely move.) Later she got an uneasy feeling and came home early, to find him collapsed on the floor, unresponsive. She called 911 and they had to take him out through the bedroom window. He was probably already dead before she got home, but they transported him to the hospital, attempting to revive him.

After getting back from the hospital, she had to deal with calling his parents to let them know their son had died. While still on the phone the police showed up and made her get off the phone RIGHT NOW, so they could remove her from the house and seal it off. They wouldn’t even let her re-enter the house to feed the dog. It wasn’t until midnight that they had their search warrant, completed their search and let her back in, satisfied that there was no appearance of a crime.

Chris and Mark had just gotten engaged and were planning to sign the papers on a house they are buying this Friday. Instead she’s traveling to Oklahoma City to bury him.

How to Speak Republican

I never was any good at foreign languages.

I’m voting Republican!

Because I don’t think I should have money. Let Saudi Arabia have it all.

Big Buck Bunny – Official Trailer on Vimeo

This is the first I’ve heard of this, but this is the first trailer release of a new movie being produced entirely on Open Source software, under a Creative Commons license.

Big Buck Bunny – Official Trailer on Vimeo

last few days

I’m back.
OK, I’ve been back about 36 hours now.
Not that most of you noticed I was gone.

Next time I have to go to Houston I’ll just drive. Travel time by Southwest Airlines from DAL to HOU, including getting a ride to DAL[1], allowing for security, waiting for boarding, waiting for the shuttle to the hotel from HOU, and the crack-head shuttle driver, is about an hour longer than it would have taken to just drive. The return trip was the same, sans crack-head driver, since we just took a taxi, whose driver had a bit more clue where he was going. And big cojones[2].

The hotel[3] was not the nicest I’ve ever stayed in, but it was very nice. It was easily the nicest bed I’ve slept in. I must acquire a set of bedding like theirs. Mattress pad, nice sheets, top sheet, pad, another top sheet, nice comforter.
No vent fan in the bathroom, so all the mirrors (and my glasses) got fogged up. Who ever heard of a hotel/motel that doesn’t vent the bathroom?

The conference was, over all, a waste of time. Their “beginner track” was too basic. “Installation”, “Configuration” and “SSL”, scheduled for an hour each, were done in 10 minutes. The “advanced track” covered “Advanced troubleshooting”, mySQL, Anti-spam and php. “Advanced Troubleshooting” was simply “How to use strace”. Gee, how informative. mySQL covered “why you shouldn’t upgrade to 4.1 unless you REALLY mean it”. PHP was “don’t install 5.0. Really. Just don’t.” All of them were presented by a guy who started each presentation with a rundown of his resume (as if we were supposed to be impressed that he was a “senior technician” with one of the vendors at the conference before he came to work for cPanel.) His anti-spam presentation basically amounted to “make anyone who sends you mail prove they’re a real person by blocking their mail until they respond to your auto responder” and “RBLs suck. The people who run them are evil and clueless.”[4] Obviously he’s been using the wrong RBLs and doesn’t know how much the “prove that you love me” technique just pisses people off.

However, it was two days off work, with pay, some good meals and socializing with other industry folks.

Yesterday, I met up with for a while. Turns out the place he’s staying here in Dallas is just the next apartment complex over. Afterward I came home and got ready for a pool party at Amythest’s, with her sister, and other DFW Ufies. Shared that bottle of wine I bought a couple of weeks ago at the wine tasting and watched a silly movie.

So far last night / today I’ve made progress on Project X by getting Open-LDAP installed and successfully added an entry to the database. Next I get to configure Qmail to authenticate against it.

[1] Since ${poe} was too cheap to pay for a shuttle. REALLY cheap, since we were going to need a shuttle at the HOU end anyway.
[2] Got in the exit lane for the freeway interchange, which came to a complete stop. So he got out of the lane, slammed on the gas, passed everyone waiting to get on the interchange and cut right back in at the very last second.
[3] If I ever have to travel on business and the person arranging the travel forgets to PAY for the hotel again, I will hand them my two week notice. Going to check into a $300/night hotel and being asked for MY credit card was not fun. One call to the boss and he took care of it with his card, but he had to fax them both sides of his credit card and drivers license.
[4] With FUD like “All it takes is your competitor forging headers once to get you added to a whole bunch of RBLs” and “You have to pay each of them a ‘bribe’ to their pet charity to get off their list”. Guess he’s never heard of rfc-ignorant, ORDB, MAPS-RSS, MAPS-DUL, SORBS, DSBL