Topics - nslay

#21
General Discussion / Insurance Ads
May 29, 2011, 06:47:33 PM
I'm increasingly irritated by this new trend in insurance ads ... They market personalization and friendship.

These guys aren't your friends, it's their business and their job. They're liars to claim anything more than that. Their ads make me think how manipulative these sons of bitches really are!
#22
Found a link to this blog on some news site.

Here's an insensitive but very comical flow chart


Notice how it's impossible to be raptured (by that flow chart).

I think the news stations really ought to explain why numerological predictions are never accurate (except by chance). I like how Camping associates some length of time after crucifixion to [latex](5 \times 10 \times 17)^2[/latex], numbers that are artificially associated to unrelated ideas. Gee, why not [latex](5 + 10 + 17)^2[/latex] or [latex]\log(5 \times 10 \times 17)[/latex]. The Mayan Calendar doomsday is another example loosely associated to numerology (base 20 digits flipping over in their calendar system).

I think news stations should provide a bogus-prediction check list for the gullible who ruined their lives because of Camping's prediction. They should also describe what a well founded prediction is and maybe a check list for that too.

Sure, free speech and all that junk ... but I'd say Camping abused his position as a public figure and should be held accountable somehow.
#23
General Discussion / Zombie Apocalypse (CDC)
May 19, 2011, 08:36:09 PM
LOL

Saw the link here
http://www.guardian.co.uk/world/2011/may/19/us-officials-prepare-zombie-apocalypse

And yes, it's actually on the CDC website! It's meant to be a ruse as I understand it.
http://emergency.cdc.gov/socialmedia/zombies_blog.asp

Maybe some people should update zombiemeter.org ...
#24
I guess it's no surprise ... we all heard of ChromeOS by now
http://www.guardian.co.uk/technology/2011/may/12/google-microsoft-chromebook-laptop

We're heading back to the 1960s and 70s. Time sharing on steroids.

Let's see if the consumer says NO to the Cloud ... a concept that really amounts to, "everything we already do" anyway. I'm not necessarily opposed to the Cloud, I'm just opposed to extreme applications of it (i.e. such as supplanting local storage).

But, I have a feeling the consumer will trade privacy for cheap/free cool toys and services. These guys are good at buying souls with candy and donuts.
#25
General Discussion / Ahmadinejad is a wizard!
May 06, 2011, 12:58:41 AM
I really had a good laugh, especially reading the title ...
http://www.guardian.co.uk/world/2011/may/05/ahmadinejad-allies-charged-with-sorcery

Seriously ... Iran must be behind by a few hundred years!
#26
General Discussion / HTML5
May 01, 2011, 12:36:41 AM
It's not new by any means ... but I'm absolutely astonished how well it works!

I tried youtube out with the HTML5 player enabled (link) and I can't even tell the difference! I can see Flash and Silverlight becoming irrelevant in the near to distant future (Though, at least moonlight runs on FreeBSD).

Pretty neat to be using youtube on a FreeBSD machine without setting up Linux emulation to run flash!
#27
http://www.guardian.co.uk/technology/2011/mar/20/google-gmail

I think this is the future of hacking ... attacks that are not obviously attacks and might even be mistaken as a simple bug. Such subtleties can be used to modify user behavior or deter use of convenient features or services.  My opinion is that advertisers already do these types of attacks with digital video recorders, smart phones, TVs, and various other types of devices - and it's easy to get away with it.

EDIT: Let's take Comcast's PVR for example. A year or two ago, they added a "convenient feature" where fast forward and rewind would move back or forward respectively on resuming play, depending on how fast you fast forward/rewind. However, despite this "feature," I've yet to master positioning video, often having to wait through some advertisement. There are also complaints about this "feature".

Another example. Comcast's PVR strangely cannot gracefully switch between HD and analog (has always been this way).  Sometimes, HD channels get analog commercials. Hence, if you're fast forwarding/rewinding too fast through recorded HD and you hit an analog commercial, you risk crashing the PVR software or prematurely fast forwarding to the very end of the recording.

I'm not necessarily claiming Comcast did this to intentionally deter use of these features, but if they did ... who would know?  Hence, it is very possible that a subtle bug could be maliciously introduced (or remain unfixed) with the intent of modifying user behaviors (in this case, annoying users to watch a little bit of advertising). These are such subtle annoyances it's very easy for the user to ignore these problems or for a company to ignore complaints, play dumb or even deny the existence of said bug. It's so easy to get away with it.
#28
General Discussion / Prediction Markets
March 10, 2011, 10:52:33 AM
I thought these were amusing:
http://intrade.com/
http://intrade.net/

A prediction market is a forum of trade where contracts on the outcomes of future events are bought and sold. Each contract pays the contract face value if the outcome is realized (well it could pay in other ways too). The incentive to profit motivates market participants to predict correctly. The trading prices of these contracts can be interpreted as the market's confidence that an event will realize those corresponding outcomes. The trading price is a fusion of all information publicly and privately known by the participants as a whole. Some studies have shown that the trading price even estimates the true probability of the outcome.

There have also been studies that indicate that these markets are more accurate at prediction than individual experts and polling methods. Of course, as with anything with humans, I'm sure there are cases when it breaks down. These types of markets have reliably predicted outcomes of political elections, sporting events, etc... and have been used internally for decision making in some companies.  There's also a concept of a futarchy which is a form of government that makes decisions based on the trading prices of decision contracts. It's like a form of weighted voting.

Anyway, I'm no expert at these markets or economics. My research primarily focuses on applying this concept in Machine Learning and so all my markets are artificial in nature. It can be used to fuse the predictions of a collection of models into a more accurate prediction. I have even developed theory that backs the claim that the trading price estimates the true probability (at least in my artificial markets). Regardless, I thought these sites were really cool (and amusing) and thought I would share them with you all.
#29
Certainly not a new idea, but something you'll probably not see very often (or ever) ... a "regression" tree that can infer things that aren't functions ... Very cool!

So, the typical regression problem is to infer some function on some observed points [latex]\{(\mathbf{x}_n,y_n)\}_{n=1}^N[/latex] where [latex]y_n[/latex] are possibly noisy (i.e. so interpolation wouldn't be appropriate).

The regression tree divides the feature space (the [latex]x[/latex]'s) in such a way so as to minimize
[latex]
\ell(Y) = \sum_{y \in Y} (y - \bar{y})^2 = |Y| \text{Var}(Y)
[/latex]

The divisions are binary splits, so each vertex is minimizing the above on each side
[latex]
\ell(Y_{\text{left}},Y_{\text{right}}) = \sum_{y \in Y_{\text{left}}} (y - \bar{y})^2 + \sum_{y \in Y_{\text{right}}} (y - \bar{y})^2 = N_{\text{left}} \text{Var}(Y_{\text{left}}) + N_{\text{right}}\text{Var}(Y_{\text{right}})
[/latex]

The left and right sides are per-feature (dimension) and determined by a threshold
[latex]
Y_{\text{left}} = \{ y_n\ :\ x_{nf} \leq t,\ n=1,2,3, ... N \} \\
Y_{\text{right}} = \{ y_n\ :\ x_{nf} > t,\ n = 1, 2, 3, ... N \}
[/latex]

So, to minimize the above, the vertex searches over thresholds [latex]t[/latex] in a subset of features [latex]f[/latex] and chooses the [latex](t,f)[/latex] with minimal residual.

Now, to generalize this to learn things that aren't functions, consider minimizing a modification of the above
[latex]
\ell(Y) = \sum_{k=1}^K \sum_{y \in Y_k} (y - \bar{y}_k)^2 = \sum_{k=1}^K |Y_k| \text{Var}(Y_k)
[/latex]

Each partition [latex]Y_k[/latex] is a cluster of [latex]y[/latex] values. So, for example, if you were to examine a cross-section of a cloud of points describing a circle, you would see two distinct clusters of [latex]y[/latex] values (unless you were at the ends of the circle).

The general residual to minimize is
[latex]
\ell(Y_{\text{left}},Y_{\text{right}}) = \ell(Y_{\text{left}}) + \ell(Y_{\text{right}})
[/latex]
And I don't really care to expand it further because all the subscripts get ugly.  The clusters are found using K-Means or similar. I chose to use K-Means because it is simple. The clustering problem is also simple ... 1D clustering.

So, I didn't explain any of this very well because I'm not really trying to lecture anyone ... just show some cool pictures with a little bit of explanation.

Here's some toy data:
Consider 1 feature [latex]x[/latex] and we want to predict [latex]y[/latex] (which can have two values).


So, here's some examples of individual KM regression trees:

These are plots of the pdfs which are estimated with Kernel Density Estimation. The parameters are inferred from K-Means clustering (the predictions for Y would be the K means).

This training set has 1000 instances. This tree has minimum local sample size of 20. This parameter is important so that clustering works well.


This is the same conditional, but at a different angle.


Here's an example of a cross-section which nicely captures the behavior of the data.


This training set has 3000 instances. This tree has minimum local sample size of 100.


This is the same conditional, but at a different angle.


Here's an attempt to infer Archimedes Spiral. This is the toy data below.


Here, the training set has 3000 instances. I trained a regression tree with K=5 clusters in mind and a minimum sample size of 100. Not a very nice picture.


This is the same conditional, but at a different angle.


Lastly, here's a KM Regression Forest with 100 trees. It works very nicely here.


The same conditional at a different angle


Here are some cross-sections of the forest




You can use normal regression forest too ... but you don't get nice bimodal conditionals like that. Maybe if you had a lot of regression trees, it would work.

All of this was written in Octave using a mixture of C++ Octfile and Matlab scripting. The code can deal with general data ... these toy data sets were just to make some cool pictures.
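
Added example, not the Octave code from the post: a plain-Python version of the split criterion above for a single feature, run on constructed toy data. In place of K-Means it uses the exact dynamic programme for 1-D clustering (optimal 1-D clusters are contiguous in sorted order), so each residual is the true minimum of the post's sum over clusters rather than a local one; the criterion being minimised is otherwise the one written above. The toy data branch at x = 5 from the single value 0 into the two values -1 and +1. The ordinary |Y| Var(Y) residual picks threshold 8.5, which says nothing about the data, while the K = 2 cluster residual lands on the branching point 4.5 with zero residual.

```python
from fractions import Fraction as F

def kcluster_cost(vals, K):
    """Exact minimum of sum_k |Y_k| Var(Y_k) over all K-clusterings of 1-D data.
    Optimal 1-D clusters are contiguous in sorted order, so a dynamic programme over
    the sorted values finds the optimum (the post runs K-Means, which approximates it)."""
    v = sorted(F(x) for x in vals)
    n = len(v)
    ps, pq = [F(0)], [F(0)]                      # prefix sums of y and of y^2
    for x in v:
        ps.append(ps[-1] + x)
        pq.append(pq[-1] + x * x)

    def seg(i, j):                               # within-segment sum of squares of v[i:j]
        if j <= i:
            return F(0)
        s = ps[j] - ps[i]
        return pq[j] - pq[i] - s * s / (j - i)

    best = [seg(0, j) for j in range(n + 1)]     # best[j]: cost of v[:j] with one cluster
    for _ in range(1, K):                        # each pass allows one more cluster
        best = [min(best[i] + seg(i, j) for i in range(j + 1)) for j in range(n + 1)]
    return best[n]

def variance_cost(vals):
    # ordinary regression-tree residual |Y| Var(Y): the K = 1 case
    return kcluster_cost(vals, 1)

def km_cost(vals, K=2):
    # the post's modified residual: sum over K clusters of |Y_k| Var(Y_k)
    return kcluster_cost(vals, K)

def best_split(x, y, cost):
    """One feature: try every threshold midway between consecutive distinct x values
    and return (threshold, residual) minimising cost(Y_left) + cost(Y_right).
    The first minimum wins on ties."""
    order = sorted(range(len(x)), key=lambda i: x[i])
    xs = [F(x[i]) for i in order]
    ys = [F(y[i]) for i in order]
    best = None
    for s in range(1, len(xs)):
        if xs[s - 1] == xs[s]:                   # equal x values cannot be separated
            continue
        t = (xs[s - 1] + xs[s]) / 2
        r = cost(ys[:s]) + cost(ys[s:])
        if best is None or r < best[1]:
            best = (t, r)
    return best

# Constructed toy data (not the post's plots): for x < 5 the target is 0, for x >= 5 it
# branches into the two values -1 and +1, so E[y | x] alone carries almost no signal.
X_TOY = list(range(10))
Y_TOY = [0, 0, 0, 0, 0, 1, -1, 1, -1, 1]

if __name__ == "__main__":
    print("variance split (t, residual):", best_split(X_TOY, Y_TOY, variance_cost))
    print("KM K=2 split   (t, residual):", best_split(X_TOY, Y_TOY, km_cost))
```

Adding the per-feature loop from the post (search a subset of features, keep the (t, f) with the smallest residual) and recursing on each side gives the tree; the leaf prediction is then the set of cluster means rather than a single mean.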
#30
General Discussion / Keith Olbermann was fired
January 21, 2011, 11:30:09 PM
I just came across this here:
http://www.guardian.co.uk/world/richard-adams-blog/2011/jan/22/keith-olbermann-msnbc-nbc-terminated

WOW. I didn't like his show, but I think that's a little harsh. Either the new owners did it or he did something really bad. I think the former.
#31
General Discussion / Theoretically longest sentence
January 21, 2011, 10:58:08 AM
Sentences must be finite in length. You can only cram so many verbs, adjectives, nouns, adverbs, etc... into a sentence until you violate some grammar rules. So how would one go about computing the theoretically longest sentence possible? Let's suppose two measures of length: the string length and the word count.

To make it easier, let's first suppose the sentence doesn't necessarily need to make sense.

I don't think a mathematical description of comprehension exists yet. I don't think we could solve this over the set of sentences that make sense.

EDIT: Ok, so a trivial solution is to suppose a sentence that lists nouns indefinitely. Let's find a non-trivial solution.
#32
General Discussion / Arguments against Net Neutrality?
December 28, 2010, 03:30:45 AM
Can someone explain to me the arguments against net neutrality?

I haven't heard a single argument from opponents that makes any sense! The people who oppose net neutrality seem to be technically illiterate.  When opposing politicians and biased news anchors talk, I hear technical terms incoherently strung together with no basis or meaning!

One good argument I heard against FCC passing net neutrality rules was that FCC doesn't/shouldn't have that kind of power and that net neutrality should be passed into law by the legislative branch of the government.  However, this isn't directly related to net neutrality itself.

What I find so incredibly odd is that a lot of free market advocates oppose net neutrality. Is it me, or are they contradicting themselves?  Allowing network operators to discriminate communication could potentially hinder competition in a variety of ways.  Isn't that bad if you're a free market advocate?  Talk about duh!

As for net neutrality advocates ... I almost feel like they're just as stupid!  Look at the SaveTheInternet website.  Play the flash video: Real vs Fake Net Neutrality.  I'm not sure what to take away from that presentation ... I'm not even sure what the purported fake net neutrality rules are or what makes them fake!

Look at this letter-to-congressman template:
Quote
Dear Member of Congress [cc: FCC]
Net Neutrality is the cornerstone of innovation, free speech and democracy on the Internet.

More than 1.9 million Americans have expressed support for Net Neutrality at Congress and the FCC. They want control over the Internet to remain in the hands of the people who use it every day.

Please stand with the public by protecting Net Neutrality once and for all.
(URL: http://act2.freepress.net/letter/two_million/)

Two million people have mailed TOILET PAPER to their representatives.  This isn't a good, well thought out reason to support net neutrality!  Where's the compelling argument for healthy competition? The government doesn't give a fuck about the innovation, free speech and democracy on the Internet (Whatever that means!).

I am very afraid for the Internet!  We have complete morons arguing on both sides!  It's like two headless chickens duking it out!
#34
General Discussion / Who is attacking?
December 08, 2010, 01:34:58 AM
The news keeps mentioning DDoS attacks against wikileaks and I've read that there are attacks against PayPal now ...
Has anybody taken the time to figure out who?  Who is orchestrating these attacks from both sides?  Isn't anybody else curious? 

Screw the documents, I'm curious about the attackers.  This isn't your typical anti-Microsoft or anti-copyright case ... this is some political crap.  Who in the heck pulls off attacks like this for crap like that?
#35
General Discussion / Facebook Security Breach
October 18, 2010, 09:20:22 AM
I saw this on CNN today.  The expert they interviewed on CNN brought up a lot of the points I bring up (even Google was mentioned).

Now to read the article! :D
#36
General Discussion / Google: What did I say all along?
September 30, 2010, 01:04:07 AM
I came across this on freebsd-chat mailing list:
http://online.wsj.com/article/SB126333757451026659.html

Quote
Google said it suffered a "highly sophisticated and targeted attack on our corporate infrastructure originating from China" in mid-December, which it said resulted in "the theft of intellectual property." The company said it found evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human-rights activists.

Gosh! I remember suggesting that one of the consequences of the Chinese hacking Google was that it could identify its own citizens abroad viewing or propagating otherwise censored material!  Who knows what else the hackers had access to ...

It's not Google ... it's the fact that it collects and stores so much information about EVERYTHING

What's next? Facebook supplanting government issued ID (:D)?  These technological trends are shortchanging everyone ... but nobody can see that over all the free cool toys ... with the concealed price tag of your soul.

#37
Academic / School / Break this cipher! (math)
August 26, 2010, 01:46:00 PM
NOTE: \mathbf{} is broken ... I made vectors bold but they do not appear so.

I wandered into this cipher idea accidentally last night.  This cipher is very simple, but it does not appear trivial to break.
First off, the cipher operation is a linear transformation of the form

[latex]
\mathbf{c} = M \mathbf{x}
[/latex]

where [latex]\mathbf{c} \in \mathbb{R}^n[/latex] is the cipher text, [latex]\mathbf{x} \in \mathbb{R}^n[/latex] is the input block of data and [latex]M \in \mathbb{R}^{n \times n}[/latex] of the form

[latex]
M = PZR
[/latex]

Here [latex]P,R[/latex] are randomly generated invertible [latex]n \times n[/latex] matrices and [latex]Z[/latex] is an [latex]n \times n[/latex] singular matrix of the form

[latex]
Z = n I - \mathbf{1} \mathbf{1}^T \quad \text{where } \mathbf{1} = \begin{bmatrix}
1 \\
1 \\
\vdots \\
1 \\
\end{bmatrix}
[/latex]

(Sorry, [latex]\mathbf{1}[/latex] vector should be bold)

As a consequence, the matrix [latex]M[/latex] is also singular and the factorization is not unique (beyond mere scalar factors!).  However, even though [latex]M[/latex] is not invertible, this linear transformation can still be reversed with additional information.
Denote [latex]\mathbf{v} \in \mathbb{R}^n[/latex] to be the secret key either shared in advance or generated by some key agreement protocol.  Now we require the matrix [latex]R[/latex] to be randomly generated so that [latex]\mathbf{v} = R^T \mathbf{1}[/latex] (again \mathbf{} is broken, [latex]\mathbf{1}[/latex] should be bolded as it is a vector).  In addition to the cipher text [latex]\mathbf{c}[/latex], the value [latex]k = \mathbf{v}^T \mathbf{x}[/latex] is also provided to invert [latex]M[/latex].

The matrix [latex]Z[/latex] has the property that rows and columns sum to [latex]0[/latex].  I call these types of matrices zero sum matrices and they can be used to easily solve problems with summation-based constraints as unconstrained problems (an alternative to Lagrange multipliers for example).  [latex]Z[/latex] projects [latex]\mathbb{R}^n[/latex] into [latex]\{ \mathbf{x}\ :\ \mathbf{1}^T \mathbf{x} = 0,\ \mathbf{x} \in \mathbb{R}^n \}[/latex], the space of vectors whose components sum to [latex]0[/latex].  Any linear transformation with [latex]Z[/latex] discards the summation information of [latex]\mathbf{x}[/latex].  However, if the component sum of [latex]\mathbf{x}[/latex] is known, then this linear transformation can be inverted.  In our particular problem

[latex]
\mathbf{x} = \frac{1}{n} ( Z \mathbf{x} + \mathbf{1} (\mathbf{1}^T \mathbf{x}) )
[/latex]

(Sorry, [latex]\mathbf{1}[/latex] vector should be bold)

So, inverting [latex]M[/latex] works like this:
Given [latex]P,R,\mathbf{c},k[/latex]

1) Solve [latex]P \mathbf{y} = \mathbf{c}[/latex]
2) Compute [latex]\mathbf{z} = \frac{1}{n} ( \mathbf{y} + \mathbf{1} k )[/latex] (Sorry, [latex]\mathbf{1}[/latex] vector should be bold)
3) Solve [latex]R \mathbf{x} = \mathbf{z}[/latex] to recover [latex]\mathbf{x}[/latex]

Here's the crypto scheme:
Bob wants to securely share [latex]\mathbf{x} \in \mathbb{R}^n[/latex] with Alice.  Bob and Alice both have the secret key [latex]\mathbf{v}[/latex].


Alice: [latex]\mathbf{v}[/latex]
Bob: [latex]\mathbf{v},\mathbf{x}[/latex]

1) Alice randomly generates invertible [latex]P,R \in \mathbb{R}^{n \times n}[/latex] so that [latex]\mathbf{v} = R^T \mathbf{1}[/latex] (Sorry, [latex]\mathbf{1}[/latex] vector should be bold) and computes

[latex]
M = PZR
[/latex]

Alice shares [latex]M[/latex] with Bob.


Alice: [latex]\mathbf{v},P,R,M[/latex]
Bob: [latex]\mathbf{v},\mathbf{x},M[/latex]

2) Bob computes [latex]\mathbf{c} = M \mathbf{x}[/latex] and [latex]k = \mathbf{v}^T \mathbf{x}[/latex] and shares [latex]\mathbf{c},k[/latex] with Alice


Alice: [latex]\mathbf{v},P,R,M,\mathbf{c},k[/latex]
Bob: [latex]\mathbf{v},\mathbf{x},M,\mathbf{c},k[/latex]

3) Alice solves

[latex]
P \mathbf{y} = \mathbf{c} \\
\mathbf{z} = \frac{1}{n} ( \mathbf{y} + \mathbf{1} k ) \\
R \mathbf{x} = \mathbf{z}
[/latex]

(Sorry, [latex]\mathbf{1}[/latex] vector should be bold)

to recover [latex]\mathbf{x}[/latex].


Alice: [latex]\mathbf{v},P,R,M,\mathbf{c},k,\mathbf{x}[/latex]
Bob: [latex]\mathbf{v},\mathbf{x},M,\mathbf{c},k[/latex]

Example Problem:
If you have the time and interest, I'd be curious if any of you could break the following example ciphertext:

[latex]
\mathbf{c} = \begin{bmatrix}
8856 \\
-16178 \\
246 \\
102128 \\
50331 \\
110304 \\
-6464 \\
-71322 \\
-13541 \\
-45762 \\
\end{bmatrix}
[/latex]

[latex]
k = 17409
[/latex]

Given

[latex]
M = \begin{pmatrix}
-156 & 96 & -10 & 34 & 32 & 134 & -162 & 296 & 268 & -138 \\
148 & -178 & -30 & 78 & 224 & -452 & -124 & -38 & -254 & 474 \\
84 & 236 & 0 & -216 & 372 & 194 & 58 & -344 & 428 & 302 \\
572 & 148 & 570 & 42 & 216 & 352 & 94 & 88 & 174 & 156 \\
204 & 6 & 140 & 64 & 127 & 269 & 223 & -79 & 273 & 177 \\
336 & -56 & 440 & 216 & -142 & 496 & 372 & 224 & -178 & 58 \\
-36 & 146 & -30 & 134 & 292 & -206 & 78 & -324 & 408 & -38 \\
-358 & -262 & -290 & -18 & 186 & -318 & -176 & -52 & 164 & 146 \\
6 & 144 & 50 & -154 & 53 & 1 & -143 & -21 & 57 & -117 \\
-58 & -12 & -440 & -68 & -334 & -268 & 34 & -82 & -466 & 86 \\
\end{pmatrix}
[/latex]

Copy and paste for matlab/octave input

c = [ 8856 -16178 246 102128 50331 110304 -6464 -71322 -13541 -45762 ]';
k = 17409;
M = [ -156 96 -10 34 32 134 -162 296 268 -138;
148 -178 -30 78 224 -452 -124 -38 -254 474;
84 236 0 -216 372 194 58 -344 428 302;
572 148 570 42 216 352 94 88 174 156;
204 6 140 64 127 269 223 -79 273 177;
336 -56 440 216 -142 496 372 224 -178 58;
-36 146 -30 134 292 -206 78 -324 408 -38;
-358 -262 -290 -18 186 -318 -176 -52 164 146;
6 144 50 -154 53 1 -143 -21 57 -117;
-58 -12 -440 -68 -334 -268 34 -82 -466 86 ];
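
The following is an added example, not nslay's code and not a solution to the posted 10x10 challenge: an exact-arithmetic (fractions, no numpy) implementation of the scheme above on a constructed n = 4 instance, where P, R, the key v = R^T 1 and the plaintext bytes of "help" are all made up here. It is written to show what the algebra already implies. Z has rank n - 1 and P, R are invertible, so M has rank n - 1 and M x = c pins x down to a line x0 + t u; the receiver therefore needs only M and v, never P or R. The same fact cuts the other way: k = v^T x is linear in the unknown key and travels in the clear, so n independent known (x, k) pairs recover v outright, and even with no key at all one known plaintext coordinate (a fixed header byte, say) fixes t and with it the whole block.

```python
from fractions import Fraction as F

def zero_sum_matrix(n):
    # Z = n*I - 1 1^T from the post: every row and column sums to 0, so rank(Z) = n - 1
    return [[F(n if i == j else 0) - 1 for j in range(n)] for i in range(n)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) for row in A]

def dot(a, b):
    return sum(p * q for p, q in zip(a, b))

def solve(A, b):
    """Gauss-Jordan over the rationals.  Returns (x0, null): one solution x0 of A x = b and
    a basis of the null space of A, so every solution is x0 + t1*null[0] + t2*null[1] + ...
    Raises ValueError if A x = b has no solution."""
    m, n = len(A), len(A[0])
    aug = [[F(v) for v in row] + [F(bi)] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, m) if aug[i][col] != 0), None)
        if piv is None:
            continue                                  # no pivot here: free variable
        aug[r], aug[piv] = aug[piv], aug[r]
        p = aug[r][col]
        aug[r] = [v / p for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][col] != 0:
                f = aug[i][col]
                aug[i] = [vi - f * vr for vi, vr in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(aug[i][n] != 0 for i in range(r, m)):
        raise ValueError("inconsistent system")
    x0 = [F(0)] * n
    for i, col in enumerate(pivots):
        x0[col] = aug[i][n]
    null = []
    for free in (c for c in range(n) if c not in pivots):
        vec = [F(0)] * n
        vec[free] = F(1)
        for i, col in enumerate(pivots):
            vec[col] = -aug[i][free]
        null.append(vec)
    return x0, null

def encrypt(M, v, x):
    # Bob's step from the post: c = M x, plus the clear-text value k = v.x
    return matvec(M, x), dot(v, x)

def decrypt(M, v, c, k):
    # Alice needs only M and v, not P or R: M x = c fixes x up to the line x0 + t*u, and
    # v.x = k picks the point on it (v.u = n != 0 for this construction, so t is defined).
    x0, (u,) = solve(M, c)
    t = (k - dot(v, x0)) / dot(v, u)
    return [a + t * b for a, b in zip(x0, u)]

def recover_key(known_plaintexts, known_ks):
    # Known-plaintext attack: k = v.x is linear in v and k is sent in the clear, so n
    # independent (x, k) pairs determine v by solving the n x n system X v = k.
    v, null = solve(known_plaintexts, known_ks)
    if null:
        raise ValueError("plaintexts are not independent; need more pairs")
    return v

def recover_with_known_coordinate(M, c, j, xj):
    # Ciphertext-only: rank(M) = n - 1 leaks all of x except one scalar t.  Knowing a single
    # plaintext coordinate on which u is nonzero fixes t, hence the block, with no v, P or R.
    x0, (u,) = solve(M, c)
    if u[j] == 0:
        raise ValueError("coordinate %d is already fixed by c; pick one with u[j] != 0" % j)
    t = (xj - x0[j]) / u[j]
    return [a + t * b for a, b in zip(x0, u)]

# Constructed toy instance (not the post's challenge): n = 4, unimodular P and R.
N = 4
P = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]
R = [[1, 0, 0, 0], [1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1]]
V = [sum(R[i][j] for i in range(N)) for j in range(N)]   # v = R^T 1: the column sums of R
M = matmul(matmul(P, zero_sum_matrix(N)), R)             # M = P Z R, rank 3
X = [104, 101, 108, 112]                                  # plaintext block: bytes of "help"
C, K = encrypt(M, V, X)

if __name__ == "__main__":
    print("decrypt with M and v only:", decrypt(M, V, C, K))
    print("null space dimension of M:", len(solve(M, C)[1]))
    known = [[1, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [1, 1, 1, 1]]
    print("key from 4 known (x, k) pairs:", recover_key(known, [dot(V, x) for x in known]))
    print("block from c and one known byte:", recover_with_known_coordinate(M, C, 0, X[0]))
```

To try the posted challenge, paste the Octave M, c and k above into solve(M, c): the one null vector it returns is the direction along which the ciphertext alone leaves the plaintext undetermined, and any redundancy in the plaintext (a checksum, a known byte, a restricted alphabet) is what fixes the remaining scalar.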


#38
General Discussion / Mini ITX Server
July 25, 2010, 05:18:17 PM
I recently built a Mini ITX server to replace a larger, more power hungry, desktop server.  This is the setup.  The motherboard is relatively expensive but includes dual RJ45 jacks, 64 bit dual core HT Atom D510, and PCIe.  You can find cheaper boards with dual RJ45 jacks, but with legacy PCI (some with Mini PCIe which is worthless) and x86 VIA processors. I'm hoping to get many years out of this system and I don't want legacy hardware or software interfaces.

This server serves as a Wi-Fi access point, ethernet router, stateful firewall, NFS server, SVN server, SSH server (tunneling), and web server.

The D-Link DWA-556 is one of two PCIe wireless cards that I could find (Neither Netgear nor Linksys produce one).  It's based on the Atheros AR5008 chipset and works swell for hostap in FreeBSD and Linux (as with previous Atheros chipsets).  The other PCIe wireless card is the cheaper Asus PCE-N13 which is based on the Ralink RT2860 chipset and presently only supported by OpenBSD and Linux.  I have no experience with Ralink cards and hostap.  I would only recommend Atheros cards for Wi-Fi access points.

For size comparison, here is a picture of a mid-tower ATX case and a Mini ITX case side-by-side.  Here, the Mini ITX system is being configured to assume its new role.

NOTE: If you build a Mini ITX system with a slim drive (e.g. like a Laptop DVD drive), be sure to order a Slim SATA cable as slim drives don't use the ordinary SATA cables.  Slim SATA cables combine power and SATA into one.
#39
General Discussion / Impact ... *pulls hair out*
June 30, 2010, 06:46:47 PM
Why do we continue to abuse the word, "impact" when words like "affect" or "influence" are better alternatives!? I mean, turn on any news station and listen to them! Every damn thing is an impact, or something was impacted. I mean, look at these definitions for impact
Quote
–noun
1.
the striking of one thing against another; forceful contact; collision: The impact of the colliding cars broke the windshield.
2.
an impinging: the impact of light on the eye.
3.
influence; effect: the impact of Einstein on modern physics.
4.
an impacting; forcible impinging: the tremendous impact of the shot.
5.
the force exerted by a new idea, concept, technology, or ideology: the impact of the industrial revolution.
–verb (used with object)
(Where the FUCK did this come from?)
6.
to drive or press closely or firmly into something; pack in.
7.
to fill up; congest; throng: A vast crowd impacted St. Peter's Square.
8.
to collide with; strike forcefully: a rocket designed to impact the planet Mars.
9.
to have an impact or effect on; influence; alter: The decision may impact your whole career. The auto industry will be impacted by the new labor agreements.
–verb (used without object)
(Really!? ... "effect", "influence"?)
10.
to have impact or make contact forcefully: The ball impacted against the bat with a loud noise.
11.
to have an impact or effect: Increased demand will impact on sales. (... "effect"?)

I mean, almost EVERY definition has to do with physical collision or contact of some sort ... it's like these other definitions were tacked on!  They're not even similar!

I mean, why would you say,
Quote
How will this impact employers?
instead of
Quote
How will this affect employers?

Or
Quote
What impact will this have on residents?
as opposed to
Quote
What effect will this have on residents?

Or even
Quote
How will this impact immigration laws?
rather than
Quote
How will this influence immigration laws?

How in the heck did we manage to screw up a word like "impact"!?  Every time I watch the news, I feel like an earwig is eating my brain!
#40
I used to employ a firewall rule that would detect spurious connects on port 22 (ssh) and both place the offending IP on a badguys table and flush the state table for said IP (meaning anything connected with that source IP was no longer treated as connected by the firewall).  A cron job would then clean up old entries from the badguys table.  For years, this worked remarkably!  My auth log would show 3 attempts and then activity from the source ceased.  Unfortunately, the bot nets got smarter.  I started seeing several hundred bots attempting a password every several minutes, which isn't spurious.  As a consequence, my auth log would be flooded with annoying password failures!  So, I opted to block everything except address blocks of known locations (e.g. cafe, work, school, etc...) on top of the spurious connect rule.  This works well most of the time but did not fare so well with friends' or acquaintances' houses, airports, or new public WiFi locations in general (where I use my SSH server as a secure tunnel).  As I'm to travel soon, the thought of dynamic DNS came to mind.  Simply keep a list of dynamic domains and have a cron job resolve each one and add it to the goodguys table (and delete the previous resolutions if they differ).  I don't claim it's a new idea, but it's certainly ANOTHER solution.

Too Long Didn't Read

  • Block ALL incoming (at least) SSH connections with your firewall.
  • Add an exception rule for incoming SSH connections for any address on the goodguys table.
  • Make a Dynamic DNS hostname (e.g. no-ip.com) for each trusted mobile computer.
  • Install a Dynamic Update Client on each trusted mobile computer.
  • Add a cron job (every 5 minutes) that resolves a list of dynamic hostnames and adds their corresponding IPs to the goodguys table (preferably deleting old different resolutions).
  • Enjoy boiled peanuts (Very necessary, it won't work otherwise).

Here's an example of a Bourne shell script to do step 5 (for pf(4) on FreeBSD) (an updated version can be found here)

#!/bin/sh

GOODGUYS=/root/goodguys.txt
TABLE=goodguys

while read host
do
        # skip blank lines and comments in the host list
        case "${host}" in
        ""|\#*) continue ;;
        esac

        hostfile="/tmp/goodguys.${host}"
        oldip=""

        if [ -s "${hostfile}" ]
        then
                read oldip < "${hostfile}"
        fi

        # Take only a real A record.  A CNAME line ("is an alias for") or an NXDOMAIN
        # answer yields an empty ip, so nothing bogus ever reaches the table.
        ip=`host -t A "${host}" 2>/dev/null | awk '/has address/ { print $NF; exit }'`
        if [ -n "${ip}" ]
        then
                echo "${ip}" > "${hostfile}"
        else
                rm -f "${hostfile}"
        fi

        # the address changed (or the name stopped resolving): drop the stale entry
        if [ -n "${oldip}" -a "${oldip}" != "${ip}" ]
        then
                /sbin/pfctl -t "${TABLE}" -T delete "${oldip}" > /dev/null 2>&1
        fi

        if [ -n "${ip}" ]
        then
                /sbin/pfctl -t "${TABLE}" -T add "${ip}" > /dev/null 2>&1
        fi
done < "${GOODGUYS}"


This reads a list of hostnames from /root/goodguys.txt, adds each resolved address to the table goodguys and stores the result in /tmp for later use. If the previous address is different from the current resolved address, the previous address is deleted from the goodguys table.

Place it in, say /root/bin/goodguys.sh

And here's what you'd add to /etc/crontab to do this every 5 minutes:

#minute hour    mday    month   wday    who     command
*/5     *       *       *       *       root    /root/bin/goodguys.sh


Voila! I find this to be the best solution of all the bruteforce solutions. Everyone is blocked except for you and friends ... provided you and your friends are using your own machines. No special software or firewall rules needed and most importantly NO ANNOYING AUTH LOG FAILURE MESSAGES!

Caveats

  • It may take several minutes before you can ssh to your server.
  • If your dynamic hostname expires, said hostname may resolve to the dynamic DNS provider.