“Absolute OpenBSD, 2nd edition” ebook download available

I’m told that No Starch Press now has the ebook for the new Absolute OpenBSD available for download. If you preordered the book, go get the electronic version while you’re waiting for the print to arrive.

If you haven’t preordered, go get it now. If you use coupon code ILUVMICHAEL, you save 30% and I make a couple extra bucks on it.

The auction for the first print copy off the press is up to $910. If it breaks $1000, I’ll post a coupon code for discounts on the electronic versions of my Mastery books from my Web site.

First barrier breached

The Absolute OpenBSD auction has been going about 10 hours now. In less than those 10 hours, the price exceeded the amount raised for the FreeBSD Foundation.

Well done.

But I bet you slackers can’t possibly double it. No, I DOUBLE DOG-DARE YOU to double it.

How I love picking a fight in a good cause.

First copy of “Absolute OpenBSD, 2nd ed” now on auction

You’ve asked me how to get Absolute OpenBSD early.

The answer is simple. You buy it. At auction. All proceeds to the OpenBSD Foundation.

The printer will take the first copy of Absolute OpenBSD off the press and overnight it to me. I will sign it, and label it on the title page as the first copy. I will include a Certificate of Authenticity stating that this is the one true first copy off the press. I will ship this book anywhere in the world, as fast as reasonable, at a cost of up to $100. (If you win the bid and want it shipped to Antarctica, it will take a little longer.)

To reassure the security-minded among us: I also promise that this is the only copy that I will sign and label as the first copy.

Being able to do this gives me warm fuzzies. It makes me look like a nice person without me doing any real work. After all, No Starch Press provided the physical book and Austin Hook is running the auction. I just have to scribble my name and stuff an envelope.

We did this for the first copy of Absolute FreeBSD, and raised $600 for the FreeBSD Foundation. Frankly, I expect you OpenBSD folks to beat that handily.

If you do not beat that amount, I will be disappointed in the community.

Do not disappoint me.

You wouldn’t like me when I’m disappointed.

DNSSEC Mastery release

I had hoped to get DNSSEC Mastery out before my trip next week. That’s not going to happen, thanks to the copyeditor. (And I do mean “thanks” in a completely non-sarcastic way.)

Most of her comments are easily fixable. But she goes into detail on one point that is utterly, completely, compellingly damning. “The thing I worry about is that while this book may be perfectly acceptable, if people open it up really eager to get some more good clean Lucas (strange people), then there’s not a lot of that there.”

All the knowledge is in there. But the writing needs more life.

I really wanted to have this book in print before BSDCan 2013. I tried to keep that deadline, despite my surprise appendectomy in January. I’ve felt kind of uneasy about this book, but it was technically finished, so I sent it on.

As I’m self-publishing, I both have the freedom to make the book correct and no excuse for not doing so. There’s no offset press scheduled for a feeding.

So, the book will be delayed a couple weeks. And it will be better for it.

And if you need a copyeditor who isn’t afraid to tell you in detail exactly why you suck, I have one.

Misc: Books, and April Fool’s

Absolute OpenBSD is at the printer. I can do nothing more on this book. For better or worse, the book is complete. I’m resisting the urge to scream “I can do it better! Give me the book back, I will rewrite it until it doesn’t suck!”

I got copyedits back on DNSSEC Mastery. Hopefully, the ebook will be available on the weekend, with print next month.

On an unrelated note

April 1st is a tedious day, with all the efforts to be funny drifting around the Internet. Unless, of course, you’re the one pulling the gag, in which case it’s freaking hilarious. I don’t pull pranks, of course.

Unless they’re really, REALLY good. So I’d like to present a flash from the past here, and point you at FretBSD.

And, of course, there’s always the Great Committer. You know, I haven’t spoken with John Baldwin much since that post. Odd, really…

Upcoming Appearances

For those who want the dubious pleasure of encountering me in meatspace:

I am a guest at Penguicon April 26-28, 2013, in Pontiac, MI, USA.

I am teaching at BSDCan, May 15-18, 2013, in Ottawa, Ontario, CA.

I expect to have copies of Absolute OpenBSD at both events. (Penguicon might be pushing it, but I’m hopeful.) I’ll sell them in person for $50USD. This is a little more expensive than buying them online, but you get hand delivery and possibly even a handshake depending on how many people have been poking at me in the recent past. Also, I hate carrying change.

Why do I sell books, instead of giving them away to all the fans who take the trouble to come see me? One, because I have to pay for them. Two, because mortgage.

LeanPub experiences, and my own ebook store

At the urging of Gerald Weinberg, I decided to try publishing my newest self-pub nonfiction book, DNSSEC Mastery, as I wrote it, using LeanPub. I offered the book at a discount for early adopters, with the intention of raising the price for the finished book. Those eager for my next book got an early peek and I got paid early.

Personally, I don’t know that I would buy a book early. But people have asked me for early access, and I do try to listen to my customers. So, what I would pay for isn’t exactly relevant.

One of the interesting features of LeanPub is that it lets readers overpay for books. You can have a minimum price and a suggested price, but a reader can give the author as much as they want. They also have a royalty calculator visible to the reader, so that the reader can see how much the author gets after LeanPub takes their (modest) cut.

Here are my results.

44 people bought DNSSEC Mastery via LeanPub.

Of those, 15 (34%) overpaid for the book.

  • 9 paid $10 (the final MSRP)
  • 1 paid $8.35
  • 1 paid $9.01
  • 1 paid $11.67 (so that the author royalty is $10)
  • 1 paid $15
  • 1 paid $22.78 (so that the author royalty is $20)
  • 1 paid $25 (they like me, they really like me)
For those who bought the early draft at all: thank you. To those of you who gave me a tip: thank you so much! For the person who paid $25 for the pre-pub manuscript: I’m deeply flattered, but I’m already married.

The total for this experiment is: $356.47. Average price paid was $9.5575, or almost MSRP.

Not bad for a book that I haven’t actually finished.

Sales appear to have been totally driven by my own blog posts and tweets. I’d post something, and a couple people bought.

There’s one headache with LeanPub. Your book needs to be uploaded in Markdown, a text-to-HTML conversion tool. LeanPub takes the Markdown text and converts it to various ebook formats.

The sales through LeanPub are nice, but nowhere near my sales for completed books from Amazon and Smashwords.

That presents me with a problem. Amazon wants us independents to deliver ebooks as HTML files, which they then crunch into their format. Smashwords wants MS Word, but has recently started taking epub files as well. My books are highly formatted. The easiest way to produce these is to write in MS Word or LibreOffice and export HTML or convert to epub.

There are tools to convert other formats to Markdown. They aren’t quite ready for prime time. LeanPub offers an HTML-to-Markdown converter, but they freely admit it’s not really meant for re-importing newer versions of the same document.

The end result is, I spent several hours futzing with Markdown.

I don’t want to learn another markup language. If ebook platforms were all about the technically best option, we’d all use LaTeX. But they’re not.

My early LeanPub experience was profitable. But not overwhelmingly so. My fans like it. I like making early drafts available. But adding another step into my production is an annoyance, and that step uses a language not usable for any other ebook platform. Plus, the tools to do that transformation automatically are not yet reliable, at least for my highly formatted technical documents.

But there’s obviously a market for early work.

It did make me wonder: how hard would it be to sell early drafts on my own? And how much extra work would that be? The answer is: a week of bugging my fellow writers, two days of intermittent research, and four hours of technical setup.

Tilted Windmill Press now has its own ebook store. You can buy SSH Mastery and the DNSSEC Mastery pre-pub draft directly from me. I produce PDF, mobi, and epub versions using pretty reliable tools.

I’ll blog some other time about how I set up the store, but I can say: total cost to me, $0.00. Zip. Nada. I will be spending money on some additional features, but you can get a fully working ecommerce solution for no money. (Admittedly, I leveraged my expertise, my free hosting access, and so on, but even if I had to pay for those, it would still be Pretty Durn Cheap.)

The store is PayPal-only at the moment, but I suspect I’ll be adding other payment methods before long. And you can’t overpay. I’ll be adding that in the next few days because, well, if people want to give me money, who am I to argue?

I’m publishing the LeanPub sales numbers now, because I’m splitting the market.

This raises other possibilities. Would people be interested in pre-ordering print+ebook bundles of DNSSEC Mastery and other TWP titles? I could sell signed print copies of my other titles as well. (I can’t sell ebooks of my No Starch titles, as I don’t have the rights for that.) I couldn’t highly discount print titles, as I cannot compete with Amazon. They would crush me like a bug.

Let me know your interests in the comments below.

[update: I should say that LeanPub works exactly as advertised. Their royalty rate is higher than any other ebook store, and my customers have all had good experiences there. Technical support was exactly as responsive as claimed. If their formatting works easily for your books, I would recommend them.]

“DNSSEC Mastery” status, dates, and acknowledgements

Monday night, I sent DNSSEC Mastery to copyedit. If all goes well, it’ll be back at the beginning of next month. Making corrections from copyedits is a quick task.

The copyedit-ready manuscript has been uploaded to LeanPub, so if you’re one of the early purchasers, it’s in your account for you. The manuscript is now technically correct.

I’m going to a writer’s workshop on 5 April. If all goes well, I’d like to have the ebook available before I go. That would also let me hand it to the print layout team by then. Which means that I would have print copies for BSDCan, of which I am a sponsor.

It might not be the final book. But I’d like to have a few proofs to give to reviewers and possibly even for the charity auction. (“It’s not defective, it’s limited edition.”)

I think it’s very important to appreciate those who help me, and publicly acknowledge that appreciation. In that spirit, here are the credits for DNSSEC Mastery.

Acknowledgments

A special thanks to my pre-publication reviewers: Henrik Lund Kramshøj, Fredrik Ludl, Jan-Piet Mens, Scott Murphy, Mike O’Connor, Eivind Olsen. Notably, Alan Clegg and Carsten Strotmann went above and beyond in reviewing the book.

Before even starting this book, I asked poor Doug Barton of BlueCat Networks to be my lead technical reviewer. Mutual friends tell me that he’s stopped moaning “Oh, the pain,” and should be able to talk coherently any day now. I do hope he’s learned his lesson.

Any errors in this book crept in despite the efforts of these fine folks.

As an experiment, I published in-progress versions of this manuscript on LeanPub (https://www.leanpub.com). To my surprise, many people bought the incomplete book. To my greater surprise, several people chose to overpay for it. I want to thank everyone who purchased the in-progress book. While I won’t publicly name and shame those who wanted to give me a tip, I will say thanks to parts of their email addresses: sven, nawfal, bonetruck, alejandro, olgamirth, axel, shori, marcus, and cdjk.

Sadly, those early drafts included plain bad advice caught by the technical reviewers. My best fans got ripped off. I hope that they, too, have learned a valuable lesson.

This book is for the folks trying to keep their name service intact despite the miscellaneous scumbags trying to break it. For all the folks on Twitter who encouraged @mwlauthor to write it. And, of course, for She Who Must Be Obeyed.

Diagnosing “+Limiting icmp unreach response from…” with tcpdump

Anyone who has run a FreeBSD server for any length of time has seen these messages in their daily security emails. (You do read those, right?)

    +Limiting icmp unreach response from 296 to 200 packets/sec
    +Limiting icmp unreach response from 337 to 200 packets/sec
    +Limiting icmp unreach response from 318 to 200 packets/sec
    +Limiting icmp unreach response from 535 to 200 packets/sec
    +Limiting icmp unreach response from 332 to 200 packets/sec
    +Limiting icmp unreach response from 328 to 200 packets/sec

Way back in the Bronze Age, I learned that this means “someone is port scanning.” The usual advice is to disable these messages by setting the sysctl net.inet.icmp.icmplim to 0. This silences the messages. I’m guilty of giving that advice myself.

What it really means is that something is sending your server UDP packets on a port that isn’t open. This could be a port scanner. It could also be a host legitimately trying to reach your host for a service it thinks you provide, or a service your host should be providing but isn’t.

I could go to my netflow collector and run a few commands to track down where these packets are coming from. In this case, the problem host is my netflow collector. I’m somewhat leery of using a tool to diagnose itself. An initial check shows that everything on the collector is running, so let’s see if it’s still happening with tcpdump.

I could run tcpdump -i em0 icmp and see all the ICMP traffic, but that’s inelegant. I don’t want to miss the traffic I’m looking for amidst a torrent of ICMP. And why have my brain filter traffic when tcpdump will do it for me?

The first step is to identify exactly what we’re looking for. ICMP isn’t a monolithic protocol. Where TCP and UDP have ports, ICMP has types and codes. You can find a friendly list of types and codes here, or my readers can look in my Network Flow Analysis.

ICMP’s “port unreachable” message is type 3, code 3. Unlike TCP ports, the type and code are separate fields. Type 3 is “destination unreachable,” while the code indicates exactly what is unreachable — the port, the network, whatever. Type is ICMP field 0, while code is ICMP field 1. Tcpdump lets you filter on these just like the more familiar port numbers. Enclose more complicated filter expressions in quotes.

    # tcpdump -ni em0 "icmp[0]=3 and icmp[1]=3"
    10:01:03.287063 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
    10:01:03.331388 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
    10:01:03.356052 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
    10:01:03.378256 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
    10:01:03.411046 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
    10:01:03.437458 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36
    10:01:03.457858 IP 10.250.250.10 > 192.0.2.214: ICMP 10.250.250.10 udp port 11022 unreachable, length 36

The host 192.0.2.214 is constantly trying to reach my collector on port 11022. 192.0.2.214 is my busiest border router.

That’s a router. This is a netflow collector. Maybe it’s netflow traffic? Let’s see.

    # tcpdump -ni em0 -T cnfp ip host 192.0.2.214 and udp port 11022
    192.0.2.214.11022 > 10.250.250.10.11022: NetFlow v5, 1897575.270 uptime, 1363184870.488773000, #1285199613, 30 recs
    started 1897571.570, last 1897571.570
    ...

Yep. Either my router or my collector is misconfigured. And my monitoring system is misconfigured, because it should have caught that the collector process isn’t running. Or I should have noticed that I wasn’t actually getting any flow files from the collector running on another port.
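To show why the filter icmp[0]=3 and icmp[1]=3 is enough to name the sender and port, here is an added example that is not code from the post: it builds a constructed port-unreachable packet of the kind the collector sends back to the router, applies the same type/code test in Python, pulls the quoted UDP header out of the ICMP payload (the 36 bytes tcpdump reported), and tallies sender/port pairs so the noisiest one stands out. The packet bytes and function names are constructed here; addresses follow the post.

```python
import struct
from collections import Counter

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src_b, dst_b)

def build_port_unreachable(collector, router, dport, sport=11022, orig_udp_len=36):
    """Constructed ICMP type 3 code 3, collector -> router: 8-byte ICMP header,
    the quoted inner IP header and the first 8 bytes of the original datagram
    (its UDP header). 8 + 20 + 8 = the 'length 36' tcpdump printed in the post."""
    inner_ip = ipv4_header(router, collector, 17, orig_udp_len)   # 17 = UDP
    inner_udp = struct.pack("!HHHH", sport, dport, orig_udp_len, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_udp
    return ipv4_header(collector, router, 1, len(icmp)) + icmp    # 1 = ICMP

def parse_port_unreachable(packet):
    """Apply the post's filter "icmp[0]=3 and icmp[1]=3" and recover who was
    trying to reach which UDP port. Returns None for any other packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                        # outer protocol is not ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != 3 or icmp[1] != 3:          # icmp[0] = type, icmp[1] = code
        return None
    inner = icmp[8:]                          # quoted original datagram
    if len(inner) < 20 or inner[9] != 17:     # quoted datagram was not UDP
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:            # quote too short to hold ports
        return None
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"sender": src, "target": dst, "sport": sport, "dport": dport}

def top_unreachable_senders(packets):
    """Count (sender, dport) pairs; the top pair is the host to go look at,
    which in the post turned out to be a border router exporting NetFlow."""
    parsed = (parse_port_unreachable(p) for p in packets)
    return Counter((r["sender"], r["dport"]) for r in parsed if r)
```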

Now to go back in time, find that young punk who wrote Absolute BSD, and whup his butt.