2013 Projects and 2012 Errata

When you set goals for a year, you need to tell people about them. The potential embarrassment of having to admit failure helps you complete the goals. With that in mind, here are my goals for 2013:

1) I will do three short technology books through my private label (aka “self-publish”). The first, on DNSSec, is underway. Some text exists, and I’m making copious use of scratch paper and whiteboards to figure out how to explain KSKs, ZSKs, and the signature and key lifecycle in a coherent manner. (If you happen to have a good resource for this, please feel free to point me at it in the comments.)

2) I will write & self-publish one novel. If I write nothing but nonfiction, my brain freezes up and the tech books become unreadable. If I’m going to write fiction anyway, I might as well release it. Attempting to traditionally publish a novel takes more time and energy than writing a book and will probably fail, so I prefer to spend that T&E writing. The odds of the book succeeding are negligible either way, so I’d prefer to do so in the least expensive manner.

3) If I accomplish both of these early enough, I will continue writing. I will indulge myself in trying something that’s “just crazy enough to work,” like, say, “dc(1) Mastery” or “netstat Mastery.”

Now here’s a leftover from 2012:

Richard Bejtlich has reviewed hundreds and hundreds of technology books over the last ten years. For a time, he was one of Amazon’s Top 100 reviewers. Each year he posts a list of the best books he’s read, and gives one book the “Best Book Bejtlich Read” (BBBR) award. The award and $5 will get me a nice gelato.

I’ve been on the top 10 list before, in 2007, for Absolute FreeBSD, and 2006 for PGP & GPG.

2012’s BBBR went to (drumroll): SSH Mastery.

This comes with some caveats, mind you. Bejtlich read and reviewed only one tech book in 2012, and this is his final BBBR award. I had no competition. But I’m okay with that.

Bejtlich no longer reviews tech books, which I personally find disappointing. (I mean, how can I not like reviews that start off with The master writes again? That’s the sort of thing I bookmark for those nights I get really depressed and start contemplating a shot of whiskey and a small handgun.)

Life changes, however, and he’s working in other areas now, so: Richard, so long, and thanks for all the fish. I’m still putting that last quote on the cover of the DNSSec book, though.

OpenBSD ruleset tracing

As Henning reviews the Absolute OpenBSD manuscript, he’s pointed out items that I’ve missed. Some of these are only documented in man pages, while others don’t seem to really be documented anywhere except in the source code. Here’s an interesting tidbit he pointed out that I haven’t seen anywhere other than Henning’s email. (Having said this in public, I’ll now find all sorts of examples that I missed, such as Henning’s slides from EuroBSDcon 2010.)

You can log specific connections to separate log devices, for simpler debugging. You need the log rule near the beginning of your ruleset, but it doesn’t have an effect on whether a packet is passed or blocked, or how it’s translated. Here’s a pf.conf line to tell PF to watch for connections from 192.0.2.226 to 203.0.113.34.

match log (matches) from 192.0.2.226 to 203.0.113.34

Now watch the log interface, searching for the destination address:

# tcpdump -n -e -ttt -i pflog0 ip host 203.0.113.34
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Dec 17 17:40:25.071592 rule 2/(match) block out on fxp0: 192.0.2.226.14033 > 203.0.113.34.822: S 2830367545:2830367545(0) win 16384 (DF)
Dec 17 17:40:25.071600 rule 5/(match) pass out on fxp0: 192.0.2.226.14033 > 203.0.113.34.822: S 2830367545:2830367545(0) win 16384 (DF)
Dec 17 17:40:25.071604 rule 5/(match) pass out on fxp0: 192.0.2.226.14033 > 203.0.113.34.822: S 2830367545:2830367545(0) win 16384 (DF)
^C

You get the number of every rule that matches the packet. If you use NAT, it prints original and destination addresses. With my wussy PF rules, this isn’t terribly exciting. With more complicated rules, however, it makes debugging rulesets much easier.
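To make that kind of trace readable on a busier ruleset, here is an added example (my own, not from the post) that parses the tcpdump pflog output shown above, groups the logged rule hits per flow, and reports the verdict: with PF’s last-match-wins evaluation, the final pass/block line logged for a packet is the decision that applied. The sample lines are the three from the capture above; the regex assumes the field layout of `tcpdump -n -e -ttt -i pflog0`.

```python
import re
from collections import OrderedDict

# Constructed sample: the pflog lines from the post, as printed by
# tcpdump -n -e -ttt -i pflog0, plus the tcpdump chatter around them.
SAMPLE_PFLOG = """\
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Dec 17 17:40:25.071592 rule 2/(match) block out on fxp0: 192.0.2.226.14033 > 203.0.113.34.822: S 2830367545:2830367545(0) win 16384 (DF)
Dec 17 17:40:25.071600 rule 5/(match) pass out on fxp0: 192.0.2.226.14033 > 203.0.113.34.822: S 2830367545:2830367545(0) win 16384 (DF)
Dec 17 17:40:25.071604 rule 5/(match) pass out on fxp0: 192.0.2.226.14033 > 203.0.113.34.822: S 2830367545:2830367545(0) win 16384 (DF)
^C
"""

# One pflog record: timestamp, "rule N/(reason)", action, direction, interface,
# then "src > dst:" followed by the protocol details we do not need here.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def parse_pflog(text):
    """Return one dict per pflog record; non-record lines (tcpdump
    warnings, the ^C echo) are skipped rather than treated as errors."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def trace_flows(records):
    """Group records by (src, dst, direction, interface). For each flow keep
    the ordered list of (rule number, action) hits and the verdict, i.e. the
    action of the last pass/block rule logged for it. A 'match' rule on its
    own never decides, so it is recorded but does not set the verdict."""
    flows = OrderedDict()
    for rec in records:
        key = (rec["src"], rec["dst"], rec["dir"], rec["ifname"])
        flow = flows.setdefault(key, {"matches": [], "verdict": None})
        flow["matches"].append((rec["rule"], rec["action"]))
        if rec["action"] in ("pass", "block"):
            flow["verdict"] = rec["action"]
    return flows


def format_trace(flows):
    """One line per flow: the rule chain (numbers match pfctl -vvsr) and verdict."""
    lines = []
    for (src, dst, direction, ifname), flow in flows.items():
        chain = " -> ".join("%d(%s)" % hit for hit in flow["matches"])
        lines.append("%s > %s %s on %s: %s; verdict %s"
                     % (src, dst, direction, ifname, chain, flow["verdict"]))
    return lines


if __name__ == "__main__":
    for line in format_trace(trace_flows(parse_pflog(SAMPLE_PFLOG))):
        print(line)
```

On a live system, pipe the tcpdump output into the parser instead of the embedded sample; a flow whose verdict is `block` despite a later-looking pass rule is exactly the case where checking the rule numbers against `pfctl -vvsr` pays off.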

This is the sort of useful information you’ll get if you preorder the new Absolute OpenBSD. (See how I subtly slipped that in? I’m getting good at this marketing stuff.)

TWP sponsoring BSDCan 2013

The money has left my bank account, so I guess this is official: Tilted Windmill Press (the LLC under which I self-publish) is the official T-shirt sponsor of BSDCan 2013.

Why do this? First, it’s important to give back to my community. BSDCan is one of the biggest and oldest cross-BSD conferences, and this sponsorship will buy plane tickets for several speakers. Second, independent publishers must meet two standards: a) write good books, and b) don’t be a jerk. This should put a touch more weight on the “not a jerk” side of the scale. Plus, everybody who goes to BSDCan will get a T-shirt featuring the TWP busted knight logo. That’s pretty dang cool, to me at least.

As I know someone will ask, I’ll also say: the conference is being paid for out of TWP profits, not out of my pocket. Self-publishing does work, and can be profitable. See point 2 above.

And if I can sponsor a BSD conference, you can too! BSDCan has cool sponsorships available, as do EuroBSDcon, and NYCBSDCon. Admittedly, there’s nothing quite as cool as being the T-shirt sponsor, but still, if I can swing that surely you or your employer can do something.

Absolute OpenBSD pre-orders now available

No Starch Press now has pre-orders for new Absolute OpenBSD. Order direct from the publisher, and get both the ebook and the paper for one price. If you use the coupon code ILUVMICHAEL you’ll get a discount, and I get a commission on the sale. (Bolded 20130207 because more than one person has said they missed that line.) If you use another coupon code, I still get paid, but not as much. I’m not deeply concerned which way you buy it, so long as you buy it.

Here’s the cover of the new edition. It incorporates art from the first edition, plus a new background.

[image: AO2e Cover]

On a vaguely related note, I recently saw a link to my blog from a Chinese Unix users message board. Curious, I asked Google Translate what it said. It’s a discussion of the new book, which is awesome. Slightly worrying, though, is that in the translation they repeatedly refer to me as “Great God Lucas” or some variant thereof. I’m hoping that this is an artifact of translation, or some cultural thing I was previously unaware of.

Otherwise, it would seem that I have a cult of worshippers in China, and that I must learn Chinese in order to issue my commands.

Even more tangentially, links within a translated page take you to a translated version of that page. That’s pretty cool.

Next Nonfiction Book

I’ve made it a practice to not announce book topics or titles until the book is well underway. Writing a big book takes not less than a year (Absolute FreeBSD) and up to three years (Absolute OpenBSD, 2nd ed). Once I hand in the completed first draft to the publisher, there’s editing, tech edits, copyedit, page layout, and so on. It’s a few months to get the book into production.

Delaying the announcement also gives me the chance to determine if the book is realistic. I’ve made no secret that I write about topics that I’m not qualified to cover. I’ve had more than one tech book that I’ve started, only to discover three chapters in that I am so not the person to write this book. Delaying announcing the topic gives me a chance to back out without anybody knowing.

I’m trying something a little different this time. My next book will be published by Tilted Windmill Press (my private label) and much smaller than my BSD tomes. I have an outline. I’ve done the reading. My educational lab work is done (meaning that my rate of screaming “Why isn’t this working?” has dropped from thrice hourly to twice daily). And I’m doing a fairly wide variety of work with the topic in the next six months.

The next book is on (drum roll please): DNSSec. Blame Richard Bejtlich. (I wish I could find the tweet in question, but seriously, how am I supposed to resist him declaring “You’re our only hope?” Flattery will get you anywhere. Especially if you’ve given me enough cover quote copy to last the rest of my career.)

Writing the book concurrently with implementing DNSSec across great big piles of domains with multiple registrars should give me all sorts of problems to write about, and give my readers more benefit from my real-world pain.

I know a lot of people don’t like DNSSec, have cogent arguments why DNSSec is poo, and really wish it would go away. They take me writing a book about it as a refutation of their arguments. It’s not. But DNSSec is here. It’s the standard. We’ve got to deal with it. And the supporting software has improved to the point where DNSSec can be implemented by the typical overworked sysadmin, rather than only crypto fans.

DNSSec also gets you things like SSHFP records and vendor-free SSL certificates. The former is convenient. The latter will eliminate any excuse for unencrypted communications.

Why announce this ahead of time? For one, you’ll probably see me griping about random pieces of DNSSec boneheadedness on Twitter. The savvy will be able to guess. Announcing the book will help keep my nonfiction writing focused. It’s still possible that someone will rush a book into print ahead of me, but the shorter cycle of independent publishing reduces that risk. The audience and community reaction to SSH Mastery is also encouraging; I know that if I write a good book, my readers will tell others about it, regardless of the publisher. If someone beats me to print, my readers will still support me.

And if I write a crap book, it deserves to fail.

(As an aside: having readers who tell their friends and co-workers about my books is freaking awesome. I could not publish books if you didn’t support my work. Thank you.)

Ideally, I’ll have this book out for BSDCan 2013. Tilted Windmill Press is the BSDCan T-shirt sponsor, so having a book out for the conference would be a good idea.

More questions? Too bad. That’s all I know right now. Except that now that I’ve set and announced a goal, my life will go horribly askew specifically to delay me.

1st draft of Absolute OpenBSD, 2nd Ed. complete

Last night, I finished the first draft of the new edition of Absolute OpenBSD.

This is the longest book I’ve ever written (23 chapters). It’s taken longer than any other nonfiction book (3 years). Now that a first draft exists, I can state with some confidence that the book will be out about next spring-ish.

As a first draft exists, if I get trampled by a rabid caribou between now and then, the book will still come out.

This weekend is the first time in years that I will have had no work to do on the book. (Unless Henning sends me corrections on the few chapters he has left.) I plan to gaze blankly into space for several hours.

Absolute OpenBSD 2nd Edition status, 15 November 2012

Chapters 1-22 are written. Only chapter 23 remains.

The first 23 chapters are either in preliminary tech review (Henning Brauer), editing (No Starch Press), technical review (Peter Hansteen), or copyediting (No Starch Press). And every time any one of those folks is done, the chapter comes back to me for rewrites. Which is as it should be, of course… unlike some publishers, NSP gives me every chance to improve the book, as opposed to having some unpaid intern with a degree in medieval lit “fix” the text.

One chapter to go. Back to writing…

Easy Security Project: standalone ssh-ldap-helper

I’ve been waiting for quite a while for an official way to centrally manage user authentication keys in OpenSSH. If you have a dozen servers, copying authorized_keys files around is a pain. If you have more than that, it’s really really painful. The OpenSSH guys have had good reasons for not wanting to link LDAP libraries straight into OpenSSH. They also gave some general guidance of what they’d want to see in a patch that supported LDAP authentication.

Jan Chadima from Redhat took OpenSSH up on this, wrote a patch as per spec, and submitted it to OpenSSH. And Damien Miller committed it. LDAP support for OpenSSH will be in 6.2…

…sort of.

The patch adds support for getting a user’s authorized_keys file from a helper program. Redhat includes a helper program, ssh-ldap-helper. That program is not in the OpenSSH patch. And, truthfully, there’s no reason it should be in the main OpenSSH distribution. We’ll see helpers for LDAP, for database lookups, for FUSE and HTTP and whatever weird data storage people come up with. I don’t want the OpenSSH guys spending their time writing these helpers.

But the source code for ssh-ldap-helper is in the Red Hat source RPM. As far as I can tell, it’s under a BSD license.

If you’re looking for a way to contribute to the OpenSSH user community, however, digging into the RPM (it’s just a tarfile), extracting the included OpenSSH code, and adding the patch for ssh-ldap-helper, ssh-ldap-wrapper, and the man page is pretty easy. I got that far, after all! I imagine that someone with a little bit of knowledge could make it compile on xBSD. Or at least, it’s a place to start.

You’d make my life a lot easier. And give me more time to finish the new edition of Absolute OpenBSD. That’s what you lot want me to do with my time, isn’t it? (I’ll have a post on that status in a few days.)

I also have to give props to Red Hat on this. They had a need in OpenSSH. They were given the requirements for that need to be met in mainline OpenSSH. And they met those needs and submitted the patch. Everyone cooperated, everyone gets what they need. That is how open source should work. Given how some other open source companies and projects are behaving lately, this makes me feel pretty good about the BSD community.

Amazon Author Rank vs Writers

Amazon recently introduced Author Rank, where they list authors in order of popularity. I’ve had a lot of discussions about this feature and what it means to writers.

Amazon provides a surprising number of features for authors. Their Author Central system lets me see how many of which book sold, and where, over a given time period. There’s a neat little app that shows where in the country my books sold, according to Bookscan data. Bookscan data might not be complete, but it’s more information than my twice yearly No Starch royalty statements. I know that in the last four weeks, five of my NSP books sold in the SF-Oakland-San Jose area, and 4 in Washington, DC. That’s interesting, and for a tech author those sales numbers are not too shabby.

I choose the word “interesting” carefully. It’s interesting. But it’s not exactly useful. If these geographic sales charts show that I was consistently selling quite well in Amarillo, Texas, I might be inclined to see what’s going on down there. But the sales basically hit exactly where I expect: Silicon Valley, Washington DC, RTP, NYC, with others trailing.

An author can spend hours trawling through his sales data this way. It’s interesting, but: this data doesn’t help you sell books. It makes sense that you’d kill a couple hours the first time you get the data, but as an ongoing thing, it just takes up time. You’d be better off writing.

Author Central also gives graphs of how your books as a whole, or all your books, sell over time.

[image: sales graph]

Looking at this, I might think “Wow. What did I do the week of March 7, 2011? Why did that book do so well that week? And how can I repeat this?” The answer is, I didn’t do anything. This sales spike had nothing to do with me. I wrote a good book. Someone ordered a bunch of copies, perhaps for a test, perhaps for their company, or perhaps because the paper the book is printed on is thin and soft. All I can do is be appreciative of “the folks who bought my book,” whoever they are.

The more insidious question would be: “why have my sales dropped since then?” I have an easy answer. My print sales have dropped, but my ebook sales have increased. Also, technology books have a lifespan. I’m pleasantly stunned that the five-year-old Absolute FreeBSD is still selling this well, but I have no right to expect this trend to continue.

It’s conceivable that I might find a use for this data. If my books consistently sell well in Amarillo, a place not known for its high tech business, I’d probably want to investigate and see what’s happening down there. Perhaps I would somehow use Amarillo in a new book, to give a nod to that readership. But the data fits my expectations, so it won’t change anything I do.

Also, this graph contains data. X number of book Y sold in Week Z. Those are real numbers. Not terribly useful, but interesting.

Now consider the Amazon Author Rank graph.

[image: rank graph]

On October 5th, I was the #11,117th most popular author on Amazon. Think about that for a moment.

What is popularity? How is it calculated? What is that supposed to mean? Is that an average based on the sales of all of my books, or my sales in aggregate? How are authors ranked? Without this kind of knowledge, this chart isn’t data. It’s an arbitrary rank, no better than Klout. I’d actually find my Scalzi Number more useful; I know how that’s calculated, and hence could derive a shallow meaning from it.

This number will cause an author some kind of emotional reaction. Maybe they’re disappointed that 11,116 authors are more popular than them. Maybe they’re thrilled that hundreds of thousands of authors are less popular than them. Either way, this reaction does not help an author with their craft.

Ranking authors by some unknown popularity algorithm? It’s like high school all over again, and just as meaningful.

When this feature just came out, I exchanged tweets with other authors about it. Chris Sanders, author of Practical Packet Analysis, shared with the world that his author rank was 9425, a few thousand higher than mine.

I agree that his Practical Packet Analysis is a good book. But what am I to draw from him having a higher Amazon rank than I do?

I write the books I write. My Network Flow Analysis is the best book I can create on netflow. PPA is the best book Chris could write about Wireshark. Comparing them isn’t really possible: they’re different topics, different audiences, and completely different books. Even though both are books about networking, they are utterly different in purpose, execution, and readership.

And what does the difference mean? Does his one book sell more copies than all of my books combined? Could be. Even if his books outsell mine twenty-five to one, does it matter to me?

One of the very worst things an author can do is start comparing himself to other authors. That way lies despair and heartbreak. If I measured my success against Dean Koontz or James Patterson, or even Richard Stevens, I’d give up writing altogether. Because my books aren’t their books, my audience isn’t their audience, and my career is not their career. I write the best books I can. And my audience finds them useful enough to buy them. That’s enough.

You want to be a more popular author? Write the best books you can. Continuously work to improve your craft. Become a better author, and readers will come. Don’t get involved in high-school popularity contests, especially ones that offer no benefit to your career, your craft, or your ego.

Personally, I’m going to ignore Author Rank. I see no use for it. The best thing you can do is shut up and write.

And lest someone gets the wrong idea, I like Chris. If I get to Charleston, I plan to look him up and see if he’s free for lunch. I’m sure he knows where to get good barbeque. Mind you, he can pay for it. He’s the big-name popular author, after all.

Hey, maybe Author Rank isn’t completely useless…

Get Your Haiku Published in the new “Absolute OpenBSD”

Something weird happened as I worked on the second edition of Absolute OpenBSD: people started sending me haiku. The first edition included a haiku at the beginning of each chapter, something apropos to the topic.

TCP/IP
Learn how it fits together
You cannot escape

I reviewed the old book before outlining the new version, and the haiku made me wince. They’re mediocre at best. I considered dropping them from the new edition, or perhaps replacing them with quotes on trust, but an informal Twitter poll came out overwhelmingly in favor of the haiku. This demonstrates that computing professionals have lousy taste in poetry, or that an author is permitted no opinion on the quality of his own work. Or both.

Frankly, the haiku my fans send are better than the ones I write. Some of mine are okay, but they can’t compete with someone else’s inspiration.

So, here’s the deal:

You’ll find the outline for the second edition in my September status blog post. Each chapter needs a haiku.

Post your English-language haiku here, along with valid contact information and your name as you’d like to be credited. If your haiku is better than what I have for that chapter, I’ll use yours instead of mine. By posting your haiku here, you give me permission to use it in the book. Winners will be selected by me, at my sole discretion, based on whatever criteria I feel like using at the time. Your best bet is to amuse me.

If you don’t want to post your haiku, you can email it to me. Use the subject of “ao2e haiku” to avoid the Horrible Black Void that awaits most email I receive.

What is a haiku? Real haiku are in Japanese. I can’t use real haiku — I can’t even read real haiku. For my purposes, a haiku has:

  • 5-syllable first line, 7-syllable second line, 5-syllable third line
  • A season word (i.e., summer, snow, etc)
  • A comparison

You might note that my leading haiku breaks two of these three rules. It amuses me, however, which is more important than any other characteristic. But if you can follow all three rules in a haiku about packet filtering, I’ll be slightly impressed.

Both entries and attributions must be PG-rated. As in, no obscenity. Sorry, folks, I know that obscenity is a staple in sysadmin circles, but AO2e is supposed to be a clean family book.

I’m not limiting entries per person, but I can say that if you flood me with dozens of mediocre haiku I’ll probably miss the one awesome one you do post. (“Oh, it’s him again. Sigh.”)

So, what’s in it for you?

Selected haiku will appear at chapter headings in the second edition of Absolute OpenBSD, with attribution. This is your chance at eternal fame. Selected haiku-ists will get an ebook of the finished book. If I can swing a sufficient number of physical copies, I’ll give those out as well. Depends on how many winners and how many copies I get.

Competition will remain open until I finish the first draft of the book. I’m writing frantically, hoping to get a first draft done by mid-November. If I make that deadline, the book can exist for BSDCan 2013. That would be awesome. Can I make that deadline? Dunno. I’m holding the contradictory ideas “no, that’s impossible” and “sure I can!” in my brain simultaneously.

So, in closing:

Lucas is lazy
Your haiku makes him chortle?
Get free electrons.