CitiBank Redux

Last September I wrote about my Citibank business credit card being cancelled due to the number being reported as compromised. Well, it’s happened again. Yesterday both Jeff and I were informed that our card numbers were possibly stolen and that Citi would have to issue new ones. No word yet on my personal card.

While this is slightly inconvenient, what really pisses me off is that Citibank will not reveal the name of the merchant who allowed the security breach. I believe I have a right to know and to possibly avoid using that merchant in the future, but no matter how hard I pressed, the agent I talked to either didn’t know or wouldn’t tell.

It’s almost enough to make me change banks, and I thought it funny that when the agent signed off with “Thanks for using Citi” it came across as “$hitty”.

I do like the fact that Citi was proactive in contacting me and closing the account, but the fact that they are willing to hide the identity of the real culprit bothers me. The merchant should be held accountable. At OpenNMS, when we take credit cards we use a system that does not store the number or any detailed information once the payment is processed. I can honestly tell our customers that their payment information is not stored by us.

So, did anyone else get “the call” and have to replace their credit cards? Is there some information that I’m missing (as a Google search doesn’t turn up anything recent)?

(sigh)

OpenNMS Could Aggravate Bug on Cisco Switches Running 12.2(44)se1

Tom Powers posted on the install list today information he discovered about HTTP polling on Cisco 3550 switches.

On Cisco 3550 switches, running 12.2(44)SE1, the standard OpenNMS HTTP service polling will kick off a memory leak in these switches.

This is resolved with se2 and higher (se6 is out now).

On a switch with 30+ mb ram…it took about 3 days to kick off the memory leak to where HTTP, HTTPS, Telnet and SSH failed. The switch still runs…but the memory pool shows full (steady decrease from point of monitoring)

This article talks about the http core services memory leak fixed first in SE2.

We found this in an installation with 56 switches and every one of these 3550s (eight of them) with 12.2(44) SE1 leaked out. Older and newer switches all were fine.

Just a heads up. Note that this is not an OpenNMS bug. The fix is to upgrade the Cisco software, and a workaround would be to unmanage HTTP on these devices. If you have SNMP enabled on all your devices, you should be able to find any Cisco 3550 switches in your network by querying the database:

psql -U opennms opennms

SELECT nodeid, nodelabel, nodesysdescription
     FROM node
     WHERE nodesysdescription LIKE '%3550%';

\q

I don’t have any of these switches on my network, so I can’t verify it, but my guess is that the sysDescription will include the software version as well.

UPDATE: Tom wrote more on this:

After talking with Cisco this morning, and explaining our situation and findings … this issue is not confined to just the 3550 switches…it is all Cisco Catalyst switches with the 12.2(44)SE1 revision IOS that are affected. We were just lucky enough to have all 3550s in the environment we caught this in.

Turns out the rest of the series switches, 2900s and such, are affected as well since they all use the same IOS.

Cisco also confirmed that polling of the http interface like OpenNMS does would aggravate this leak.

Here’s a picture of what happens.
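Since Tom’s follow-up widens the problem from “3550” to any Catalyst running 12.2(44)SE1, matching on the model string alone will miss switches and flag fixed ones. Here is an added example (mine, not OpenNMS code) that pulls the IOS version out of a sysDescr string and lists the nodes that still need HTTP unmanaged or an upgrade; the rows are constructed to look like the node table’s nodeid, nodelabel and nodesysdescription columns, and the sysDescr layout assumed is the usual “Cisco IOS Software, … Version X, …” form.

```python
import re

# Constructed sample rows shaped like (nodeid, nodelabel, nodesysdescription).
# The sysDescr strings are invented for this example, not real inventory.
SAMPLE_NODES = [
    (1, "sw-core-1", "Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), "
                     "Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)"),
    (2, "sw-edge-7", "Cisco IOS Software, C3550 Software (C3550-IPBASEK9-M), "
                     "Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)"),
    (3, "sw-lab-2",  "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
                     "Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)"),
    (4, "rtr-wan",   "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), "
                     "Version 12.4(15)T1, RELEASE SOFTWARE (fc2)"),
    (5, "linux-host", "Linux linux-host 2.6.18 #1 SMP x86_64"),
]

# The release named in the post as leaking under HTTP polling; SE2+ is fixed.
AFFECTED_VERSION = "12.2(44)SE1"

# Equivalent psql query, matching on the version rather than the model.
AFFECTED_QUERY = ("SELECT nodeid, nodelabel, nodesysdescription FROM node "
                  "WHERE nodesysdescription LIKE '%Version 12.2(44)SE1%';")

# "Version 12.2(44)SE1" -> "12.2(44)SE1"; digits/dots/parens then a train suffix
VERSION_RE = re.compile(r"Version\s+([0-9.()]+[A-Za-z0-9]*)")

def ios_version(sysdescr):
    """Return the IOS version embedded in a Cisco sysDescr, or None."""
    m = VERSION_RE.search(sysdescr or "")
    return m.group(1) if m else None

def is_affected(sysdescr):
    """True only for Cisco IOS devices running the leaking release."""
    if not sysdescr or "Cisco IOS" not in sysdescr:
        return False
    version = ios_version(sysdescr)
    return version is not None and version.upper() == AFFECTED_VERSION

def affected_nodes(rows):
    """(nodeid, nodelabel) for every node whose HTTP service should be
    unmanaged (or the switch upgraded) until it runs SE2 or later."""
    return [(nodeid, label) for nodeid, label, descr in rows if is_affected(descr)]

if __name__ == "__main__":
    for nodeid, label in affected_nodes(SAMPLE_NODES):
        print("node %d (%s): running %s, unmanage HTTP" % (nodeid, label, AFFECTED_VERSION))
```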

Costco 401(k)

I never saw a class in college called “How to Start a Corporation” so I never took it, and thus much of what I’ve done with the OpenNMS Group has been on the job training.

Most of what is required to incorporate, pay taxes, etc. can be understood with enough patience, online research and tools like Quickbooks coupled with a payroll service. I did take an accounting course in college so I had a leg up on double entry accounting, and I understand cash flow, balance sheets and profit/loss statements.

At the company our most powerful assets are our people, so I always want to take care of them. The easiest way is to pay them lots of money, but unfortunately in order to build the business I can’t pay them near what they are worth. If you’ll remember, our business plan is “spend less than you earn.”

So when we started I made sure to have lots of holidays. We recognize pretty much every national holiday and then some (like having the day after Thanksgiving as well as the day itself). At least half of us tend to work at least a few hours on any given holiday anyway, so our clients don’t go without attention, and it helps offset the average 60 to 80 hour work week (and doesn’t cost me anything).

About six months after we got started we were able to afford a proper healthcare plan. Again, being employee focused we cover 100% of the employee’s premium for medical, dental and vision, and offer a tax exempt way of contributing for family health insurance through payroll deduction.

Last year we started offering pager pay. Everyone who is in the “on call” rotation gets a little reimbursement in their paycheck to cover cell phone and internet costs. It isn’t much but it helps pay for, say, an iPhone.

This year we decided to set up a 401(k) plan. In the US a 401(k) is a tax deferred plan that lets one save for retirement and to migrate income tax obligations to later years (where revenue and thus amount of tax should be lower). Since most of that money is invested in the stock market (either directly, through index funds or mutual funds) now is the time to get into the program since the prices are so low.

While I have been a participant in 401(k) plans most of my professional life, this was the first time I was asked to set one up. Jeff pointed out that Costco, of all places, has a 401(k) plan that they offer through a company called ShareBuilder.

I have to say I am rather pleased so far with the process. The setup costs were less than one thousand dollars and the monthly fee is less than $100. I figured it was worth it to be able to offer the benefit to my team.

I should point out that the setup and monthly fees are only a portion of the costs associated with a 401(k). There are some hidden costs. The first is that one must have a bond to cover the account should the trustee (i.e. me) do something bad with the funds. That ran me about $100 a year.

But the main thing is that the 401(k) code has some strict limits on “highly compensated employees”. A highly compensated employee (HCE) is someone who makes over a particular amount of money or owns more than 5% of the business. I don’t have many of the former but I have a number of the latter. The amount the HCEs can contribute to the plan is controlled by the amount the non-HCEs in the company contribute, and there are penalties if a number of “tests” aren’t passed. These tests were designed to make sure that the executives in a company don’t benefit more than the rank and file, but they scared the heck out of me.

Stephanie, at ShareBuilder, told me about a number of “safe harbor” options which allow a company to be exempt from these tests, usually by setting up a profit sharing plan. If you have a small company like I do, I strongly suggest going with one of these options in order to take full advantage of the 401(k) for the owners.

Yeah, it costs a lot more, but it’s small change in the larger scheme of things, and my guys are worth it.

Lintopia

When I was at the Linux Live show in London, I was introduced to yet another social networking site called Lintopia.

I don’t know much about it, but I registered and thought I’d share it. It aims to be a site for people involved in open source software. I haven’t had time to see what it offers over other sites that might be open source specific except for the “project” section (I added OpenNMS).

The only social networking site I somewhat frequent is LinkedIn (and to a lesser degree the more European-centric Xing) so I’m not sure what will happen with Lintopia, but its open source focus at least makes it interesting to me so I thought it might interest others.

Tip for Wi-Fi Issues in Europe

While I like our hotel, the Wi-Fi service has been really wonky. Stuff coming down seemed to be fine, but anytime I tried to send data up it would timeout or not go at all.

I had some nagging memory of this happening before, and when I woke up this morning the solution dawned on me. Once while working in England the same thing happened, and it had to do with PPPoE limiting the MTU size to 1492, while the default is 1500 for most ethernet interfaces.

Simply running:

sudo ifconfig en1 mtu 1400

on my Mac fixed my issues completely, so I thought I’d share. This is probably not limited to Europe but that’s where I have seen it before.
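The symptom above (downloads fine, uploads stall) is what happens when a PPPoE hop silently drops don’t-fragment packets bigger than 1492 bytes while the laptop still sends 1500-byte frames. As an added example that is not from the original post, here is the path MTU probe I would run before picking a number like 1400: a binary search over don’t-fragment probe sizes, with a simulated PPPoE path so it runs offline, plus an assumed macOS ping wrapper (-D for don’t-fragment, -s for ICMP payload size) for the real thing.

```python
import subprocess

IP_ICMP_OVERHEAD = 28      # 20-byte IPv4 header + 8-byte ICMP echo header
PPPOE_OVERHEAD = 8         # 6-byte PPPoE header + 2-byte PPP protocol id
ETHERNET_MTU = 1500

def pppoe_mtu(link_mtu=ETHERNET_MTU):
    """Largest IP packet a PPPoE hop can carry: 1500 - 8 = 1492."""
    return link_mtu - PPPOE_OVERHEAD

def simulated_path(path_mtu):
    """Stand-in for a don't-fragment ping: anything larger than path_mtu is
    silently dropped, which is what the hotel link did to uploads."""
    return lambda packet_size: packet_size <= path_mtu

def find_path_mtu(probe, lo=576, hi=ETHERNET_MTU):
    """Binary-search the largest don't-fragment packet size that gets through.
    probe(size) returns True when a packet of `size` bytes is answered."""
    if not probe(lo):
        raise RuntimeError("even a %d-byte probe is dropped" % lo)
    if probe(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo

def mac_ping_probe(host):
    """Real probe for macOS/BSD ping (assumed: -D sets the DF bit, -s is the
    ICMP payload size, so the IP+ICMP overhead is subtracted first)."""
    def probe(packet_size):
        payload = packet_size - IP_ICMP_OVERHEAD
        r = subprocess.run(["ping", "-D", "-c", "1", "-s", str(payload), host],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    return probe

if __name__ == "__main__":
    # Offline run against a simulated PPPoE path; swap in mac_ping_probe("host").
    mtu = find_path_mtu(simulated_path(pppoe_mtu()))
    print("path MTU %d; 'sudo ifconfig en1 mtu %d' or lower stops the drops" % (mtu, mtu))
```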

Congressional Order of Merit

Okay, I’m not known for being able to keep my mouth shut. When I see something stupid or wrong or misleading I have to say something. I can’t help it. I sometimes feel like I should join one of those help groups:

Hello. My name is Tarus Balog, and I’m a talkaholic.

So this post will delve into the realm of politics, one I try to avoid. For those of you who are sensitive to such things, you’d be better off checking out Dilbert.

Within America’s two party system, I’m unaffiliated with either party. My views can’t be easily grouped into either one. I’m a social liberal and a fiscal conservative (one of the reasons that OpenNMS is profitable). In the past I have voted for both Republican and Democratic candidates.

I am really concerned with how well a potential US President understands technology. Things like patent reform, net neutrality and intellectual property rights are very important to me, as well as broader ideas such as science education and medical research. I want someone in office whose grasp of the Internet is more than just “a series of tubes“.

Today I received a message from the office of Congressman Tom Cole of Oklahoma informing me that I had received the “Congressional Order of Merit” for being a “business leader”, and, I assume, such a darned nice guy. It was delivered with such a flourish that my head filled with images of medals, State dinners and at least one thing to blog about. (grin)

However, it seemed a little too good to be true. I mean, I doubt there is a single member of Congress who has heard of OpenNMS, much less the OpenNMS Group, and since I’ve been online in some form or another since 1984 I’ve learned that things that seem too good to be true often are.

So it was off to Google.

It appears that the Congressional Order of Merit is nothing more than a ploy by the National Republican Congressional Committee to hit me up for money. While I figured it was as much, it pisses me off in a couple of ways.

First off, did they not think I would look it up online? It seems that they’ve hit up some other “leaders” too, such as Ira Flatow from Science Friday and this guy who took the process to its conclusion.

Second, why the subterfuge? Why the misleading phone calls? Why not call up and say “Hello Mr. Balog, we see that you are a small businessman and here’s our vision on how the NRCC can help you. We need your donation to help us realize that vision” versus the whole “Order of Merit” crap.

If the NRCC can’t be honest about that, I doubt they can be trusted to do anything in my best interest. I guess it is time for a change.

PSA Number 1: Credit Freeze

This doesn’t have much to do with OpenNMS, but since I am pretty much a privacy/security nut I thought I’d post this as a public service. The “S” in FCAPS stands for security so it is tangentially related to management. It is only relevant in the US, but I’d be interested to learn how other countries handle this.

I am amazed at how often I read about this firm or that firm losing private data; data that could be used to steal someone’s identity. I found out yesterday that there is a way for consumers to protect themselves. It’s called a “credit freeze“. It prevents the credit bureaus from distributing your credit report without your express authorization, which will prevent any new credit being issued in your name.

In North Carolina this became available in 2005 and the Attorney General has a nice document (PDF) about it.

Since the idea of a credit freeze is appealing, here’s my plan:

I went to www.optoutprescreen.com to stop any new offers coming in the mail. This I hope will both reduce the amount of junk mail offers I receive and prohibit someone from stealing my identity through one of these offers.

Then I went to www.annualcreditreport.com and requested a report from Equifax, TransUnion and Experian. The process takes about 20-30 minutes, as I was asked for a lot of personal information to verify my identity as well as being prompted for some non-free services such as my credit score. My spouse will do the same thing.

We’ll review the information and close any really old or unused accounts. I don’t want to close all of them, because one thing lenders look for is your debt to credit ratio, which is the amount of credit you have versus the amount you use. So a guy with $20K on a credit line of $100K will sometimes look better than a guy with $1K on a credit line of $2K. But I really want to limit the number of accounts out there since I plan to keep an eye on them.

Finally we’ll spend the $60 (2 people x 3 credit reporting services x $10) to get our credit frozen. We have enough credit for now, so I don’t expect it to be a problem, and the upside is a serious reduction in the chance that someone could steal our identities. If we ever need new credit, it will be a little more involved to temporarily “unfreeze” our credit, but I think the hassle is worth it.