/ Orb Designs Graffiti, a Daily Blog - May 10, 2004 thru May 16, 2004
GRAFFITI -- May 10, 2004 thru May 16, 2004

Welcome to Orb Graffiti, a place for me to write daily about life and computers. Contrary to popular belief, the two are not interchangeable.     About eMail - I publish email sometimes. If you send me an email and you want privacy or anonymity, please say so clearly at the beginning of your message.

Monday, May 10, 2004

0633 - Good morning. It was lightning and thunder all around at 0035 this morning as I clicked send on the button describing what I'd been doing to client machines via VNC out in California, putting almost all of the work of transitioning to Zidane, our new hosting box, behind us. Funny, it's easier to get up on time when I'm way short on sleep, instead of only a little bit. Anyway, I've still two mailing lists to put up, one for me and one for Bob. Then we watch the box and see what we forgot. But as my friend Tom says, all the big rocks are solidly in the jar.

Now I've got to get to work... Please advise if you see anything awry with services from this box - I have an out-of-band email that I check every once in a while that's at bpbilbrey at yahoo dot com, if you think there's something borked and you can't get through via the mail links on this page. Have a great Monday!



Tuesday, May 11, 2004

0726 - Good morning. Running a bit late, and while I got more rest, I feel more tired. Such is life. Zidane, the new box, appears to be holding up well, especially now that we've cut off the MS DoS attack against Bob's websites. Have a look at his page for more information there. Oh, and in case you only come by here to see what's happening with Marcia, she's posting again too. Now I'm off to meet Larry and an electrician at a client site - to try to figure out why a system that takes 120 was wired up for 240. Heh. Have a great day!

[Note - I see that the PHP code running on the new machine has me perched in CDT instead of EDT. Rocket, though sitting in Houston, was running EST/EDT, so I never worried about it. Now that Zidane, in the same center, is talking CDT, I'll have to take timezones into account in my code. Thanks.]



Wednesday, May 12, 2004

0723 - Good morning. I'm still relatively whacked from our power-run over the weekend to get this new box running. I just haven't been able to catch up, it seems. And in an extra-special effort last night, I didn't do jack! I was home by 6 and just lazed about, had supper and watched the tube. I did enjoy that Dick Van Dyke reunion episode last night. That was kinda fun, and I'm looking forward to the Carol Burnett thing tonight. At first I thought that might be a re-run, but I see that Lyle Waggoner is on, and he wasn't last time.

Those sorts of things are much better, I think, than most of the crap that's on TV today. I mean, really. Friends??? Eeesh. But it means that I'll have watched more of the moron box this week than I do generally in any given month.

Now to collect my contractor's gear - That's right, I'm doing more networking carpentry today, so I need supplies and tools. I'll be doing that, and applying the latest Windows critical updates, including the "fix" for the announced flaw in the MS Help system that allows people to own your box remotely, once again. Lovely. Have a great day!



Thursday, May 13, 2004

0713 - Good morning. First up, remember to remind friends and family that they need to patch their Windows boxes and keep their AV up to date. It may be time to do the volunteer thing and go check up on things. The time you invest now will be repaid in unasked questions later, because they're safe and virus free. Really. Even after I told ALL of them last month to apply all Critical Updates, a number of clients got their home machines whacked by Sasser. Poor people, should have followed directions.

We watched the Carol Burnett thing last night. It was on later than I wanted to be up, but I can't pass the show up, as I grew up watching those shows. Television really was much better back then. And they had the whole gang there on this show - it was a hoot.

Today I'm at a client site bringing up a new Dell box: updating, patching, registering and getting it tweaked up to go to someone's home office. Plus I'll be doing the Windows Update and system tune-up tango on all of the rest of the machines in the office. I guess I'd better be on my way!

Oh, in a little bit of good news, I managed to get both Tom's site and the Daynotes.com site running again remotely. I was in the machines to edit his BIND (DNS server) configuration to match up with the changes we made over the weekend in transitioning to this new Linux box, Zidane. I spelunked around until I found the right place in the machine where Tom's webs are served from, and kicked Apache in the head. When it sat up again, all was well.



Friday, May 14, 2004

0729 - Good morning. Happy Friday. In place of my usual ravings, I'll give you Scott's rant. Have a great day!

RANT

One security tactic that doesn't seem to get enough attention is the router.

As fast as these worms propagate these days any solution that depends on
getting an update from somebody is risky.  I will confess that I was bad and
hadn't applied that patch to prevent Sasser, but because of my D-Link DI-604
I was fine.  While the router approach has its limitations for servers that
need to provide services to the internet, for any home user, a locked down
router is well worth the price.

I think if you:

1.  Do not open unexpected e-mail attachments
2.  Set your ActiveX settings to paranoid and don't allow ActiveX controls
to run unless there is a good reason.
3.  Set Internet Explorer to paranoid (or better yet use something else like
Mozilla) and think hard about why you are about to click on that link in an
e-mail.
4.  Put a locked down router between your computer and your Cable/DSL modem
(and don't forget to check your stealthiness out using Shields Up at
grc.com).

you are pretty safe.  I think that software firewalls and anti-virus are
useful tools to contain damage and reduce the risk of an error (Norton AV
has saved me a couple of times when the mouse clicking was running ahead of
my brain), but they can't really be the first line of defense.

I don't imagine there is anything here you don't know, but I was thinking
maybe other people who read your site might learn something....

The SPAM load for my domain has gone from about 300/week to over 1,000/DAY
in the last couple of months and most of it comes from hacked Windows boxes
on broadband connections.  Between SpamAssassin on the server and a server
side filter less than 1% of that ever makes it to my desktop, but it sure
would be nice if people would do better about security (it would also be
nice if the router manufacturers would change the default configuration to
be completely stealthy, but they don't because they'd get more tech support
calls).

/RANT

Scott

Amen, brother.



Saturday, May 15, 2004

[Photo: a lizard in the grass]

0857 - Good morning. I'm off to a late start. The dishwasher's empty, the coffee's brewed and I wanted to get in a visit here before things started rolling ... cars to be exact. I'm taking both of them (consecutively) for their periodic maintenance visit. Then I'll be building a box for Marcia's strawberry patch (no, you'll have to ask her...). Following that, it's time to mow the back 40, then plant some more corn, and weed the garden. It'll be a busy, hot day. Oh, yeah, the lizard pictured above. I ran into him while watering the front flower patch yesterday, and thought he deserved his 15 minutes of fame. I think he lives in the brush to the right of the house, as that's where he ended up skittering off to. Pleasantly colored fellow, though.

Now for some more about routers. Mark had questions, and Scott picks up the gauntlet:

Brian, appreciated the rant from Scott, but I suspect that most of us
don't know what a "locked down router" actually is.  Without that
information, he might as well type "you should attach a formable
downdraft generator in series with the power grid"!    (Oh, I might be
able to fake it...but wouldn't put a router I configured out on the net
between me and the net).  Like much advice from experts, this zips past
those of us who are less expert.  

So, Scott...help, what is a "locked down router"?  I just looked and
mine is locked in a box attached to my chimney!!  (grin, I've got a
Cisco wireless Airport box which pushes an 802.11b beam via a parabolic
antenna across a 4 mile stretch to my office...once there it lurks on
the internet behind some routers and firewall thingees).  I'm lucky
that I've got the mighty Ted between me and the internet.  Ted speaks
IOS and a bunch of other frightening tongues. I figure he configures the
firewall and "locks down" the router, when he isn't kicking my butt at
Steel Panthers.  

When I google for locked down router I get...not a lot that is very
useful.  Now as a more or less experienced user, I suspect that Scott's
locked down router has all ports closed that I don't use and I suspect
that those ports are those used for outgoing web, and those used for
mail.  Thus I suspect I'd close all my ports except 80 (for web
browsing), but how about 25 for smtp, 443 for ssl, 389 and so forth.  Of
note, I just spent 15 minutes looking on the net using google to try and
configure a locked down router.  I get useful advice such as "you should
close all the ports you aren't using!!"   Kind of like me telling a
person who comes to me for cardiac advice, "you should not do anything
that might increase your chances of getting coronary disease."   I sure
know what those things might be, but you probably don't.  

Now for Scott's reply...

A number of points:

Locked down means closed to all external originating traffic.  To do
"normal" things that most home users would do, there is no need to accept
external connections.  Whether it is e-mail (usually port 25 for SMTP and
port 110 for POP3), web browsing (port 80), etc., all these normal uses
start with connections originating locally.  There are exceptions like p2p
services (but if you're using p2p services, then I don't imagine security
is high on your list) or netmeeting where direct connections between two
computers are required, but I digress....

If you go to grc.com and scroll down about half way to "Shields Up", then
click proceed after reading the next page, then click All Service Ports,
and wait for the results.  If everything comes up green (and a few other
things described on the results page), then you are locked down.

This can be done either with a software firewall (like Zone Alarm or my
preference Sygate Personal Firewall) or a router.  If you have the
software firewall, disable and run the test to see if your hardware router
is locked down.  You can also try it with the software firewall on and the
router removed to see how it does.  While software firewalls are an
important element of security, they cannot fully protect the box they are
installed on.  That is why the router is important.

My experience is with DLink routers such as DI-604.  With others, YMMV.

On the DLink, they almost come "Locked down".

You need to set your computer to a static IP (192.168.1-254), enable the
DMZ (DMZ is an IP address that is not protected by the router), and set
the IP address of the DMZ computer (there isn't any DMZ computer, but
that's the point, just wait a minute) to a different number in the range. 
What this does is point any inbound traffic that gets past the router to a
non-existent IP address, accomplishing the same thing as if it had been
blocked.  Port 113 tends to be locked open because there are a few things
that need it to be open (the router manufacturers say anyway, I haven't 
found anything).

You also need to tell the router not to respond to "ICMP Echo Requests"
aka Ping.

Once you've done those things, you should be locked down.

And yes, you still want the software firewall, but primarily to make sure
nothing on your computer is talking to the outside world that you don't
want to have access (great way to find out about spyware).  The grc.com
evaluation of a number of them is at:

http://grc.com/lt/scoreboard.htm

and well worth reading.

OK.  That's probably still not in plain English, but I expect it's a step
in the right direction.  I expect more questions, but more focused.....

Scott K.

I have some input on this topic, too, but I'll reserve it for tomorrow, as time is running away from me. Have a great day!



Sunday, May 16, 2004

0920 - Good morning. First off, I made a few changes to Scott's enhanced reply about how to lock down a router. The problems were omissions and typos that Scott emailed me about and asked me to correct. Generally, I don't revise what's been posted, but minor changes? What the heck! Now, at the end of his correction message, Scott was waiting to hear what I had to say. Let me review the points above and make a bit of commentary here and there. [post-Post comment: I kinda went overboard - there's a lot more below than a little commentary. Oops. Heh.]

A little note for people who are seriously bored by the techie stuff - there's real life and pictures and stuff below. Otherwise, enjoy the geeky stuff...

First off, some background information about broadband (and dialup) connections. What you connect to with your cable, DSL, or dialup modem is NOT Ethernet. The connection, once it leaves your house, is another protocol altogether. Dialup most frequently runs the Point-to-Point Protocol (PPP). A protocol known as DOCSIS, aka Data Over Cable Service Interface Specification, is the common data link layer protocol for cable modems. And DSL modems (where the rate of change has been stunning of late) have commonly used ATM (Asynchronous Transfer Mode) for that purpose. Some DSL providers now deliver actual Ethernet to the modem, but connection and authentication are handled by a protocol known as PPPoE (Point-to-Point Protocol over Ethernet). I have one word to say about that: Eeeeew!

Whichever way the data gets to you, the modem provides the magic that converts the transfer protocol to Ethernet (either by direct connection to an Ethernet port in your computer, or, more recently, over a USB connection to a USB network driver that runs in software). So anything OUTSIDE of the Ethernet connection on the modem is out of your control.

Depending upon the type of connection you have and the policies and implementations of your connectivity provider, you may be exposed to the raw power of the Internet, or be protected (or restricted, depending on how you feel about that) to some degree or another. Okay, time for part two of the lesson: Packets and ports. Let's start off with the assumption for the moment that you're connected directly to the cable/DSL/dialup modem. You've got a real live connection to the Internet, with nothing standing in your way (more or less). We'll look at why this is bad later...

A packet is a collection of bits with some addressing information tacked on (often referred to as an envelope), and the envelopes nest. On an Ethernet LAN the outermost envelope carries the hardware (MAC) addresses of the sending machine and of the next hop; inside it, the IP header carries the source and destination IP addresses; inside that, the TCP or UDP header carries the port numbers. The data itself may already have been wrapped in encryption (for transmission over a VPN or SSH connection) before any of that was added, and the modem adds whatever transport framing the link needs (DOCSIS, ATM, PPP). The rule of thumb is that every time a packet passes outbound through a driver or device on the way to its destination, it gets wrapped in another layer of information. Then, when that packet is inbound at its destination, each of those envelopes is stripped in turn, and the information in it is used to decide what to do with the packet next.

Let's say you send a request for a web page to this site. You type "http://www.orbdesigns.com/bpages/current.html" into your browser location bar. What happens next? First, the host name needs to be resolved. So (commonly) through some magic called DNS, your browser says, I need to send a packet to www.orbdesigns.com, where does that go? The name resolver software in your system either already knows (you've cached it), or it asks a resource out on the net. One way or another, the answer flows back: www.orbdesigns.com == 207.44.178.102. Now your browser, in conjunction with other software and devices on your system, constructs a packet with your web request. From your machine's IP address and some port (I'll discuss ports in a few moments), a packet is sent to a system responding at the IP address 207.44.178.102 on port 80, asking for the page "http://www.orbdesigns.com/bpages/current.html" (strictly speaking, a TCP connection is set up first with a three-packet handshake, and the request rides inside it). Okay, now for addresses and ports:

An address is the IP (Internet Protocol) number that a machine listens on. When it comes to being connected to the Internet, there can only be one of any given address, or the network stops networking, at least for those two systems. [I hear you say, but every Linksys router comes with the same IP configured on the inside, what's up with that? I say, hold your horses.] So, only one address. That's not much, really. Does every service and program running on the machine listen on that one address, each checking whether the message is for it and only it? No, and that's what the port numbers are for. To use a postal analogy, port numbers are like the names of the people living at a house. When an envelope (remember, that packet is in an "envelope", too) arrives at your machine's IP address, the destination port tells the software that deals with such things which service to hand this data to. If nobody's listening at that port, the TCP/IP stack answers with a TCP reset (for UDP, an ICMP port unreachable), which your end reports as "Connection refused". If someone's listening, like this Apache web server is, then it accepts the packet. It sees a request from your IP address and some random high port number, sees which page you've asked for, gets that data, puts it in a packet and sends it back to the IP address and port number that requested it.

You'll have noted that I said you had a random port from which you sent the request, and that the webserver was listening on port 80. You have to know where to send any request for a web page; that's why webservers commonly listen on port 80. But your specific request is only waiting for the one answer, and that reply-to port (one of the high-numbered "ephemeral" ports the operating system hands out) is only open waiting for the return packet(s) containing the web page data that you requested. On your next web request, your browser may open another port, or the same one; it doesn't really matter. Requests usually go out from single-use ports, pointed at a dedicated service port on some other machine.
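To make the nesting of envelopes concrete, here is an added example (mine, not code from the original page) that builds the first packet of the web request above, a TCP SYN to 207.44.178.102 port 80, wrapping it in an IPv4 header and then an Ethernet frame, and then peels the layers off again the way the receiving side does, verifying each header checksum before trusting what is inside. The server address and port come from the text; the LAN address 192.168.1.10, the two MAC addresses and the ephemeral port are assumptions for the demo.

```python
import random
import struct

# Constructed example: a LAN workstation opening a connection to this site's server.
# 207.44.178.102:80 is from the text; the MACs, LAN address and port are assumed.
SRC_MAC = bytes.fromhex("00e018aabbcc")   # assumed workstation NIC
GW_MAC = bytes.fromhex("000c41112233")    # assumed gateway/router NIC (the next hop)
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN = 0x02


def ip2b(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def b2ip(raw: bytes) -> str:
    return ".".join(str(o) for o in raw)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_ip, dst_ip, src_port, dst_port, flags=TCP_SYN, payload=b""):
    """Innermost envelope: ports, sequence numbers and flags (20-byte header, no options)."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header holding the IP addresses, so a
    # segment delivered to the wrong host fails verification.
    pseudo = struct.pack("!4s4sBBH", ip2b(src_ip), ip2b(dst_ip), 0, PROTO_TCP,
                         len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ipv4_packet(src_ip, dst_ip, payload, proto=PROTO_TCP, ttl=64):
    """Middle envelope: IP addresses, protocol number and a checksum over the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, ip2b(src_ip), ip2b(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def ethernet_frame(dst_mac, src_mac, payload, ethertype=ETHERTYPE_IPV4):
    """Outermost envelope on the LAN: hardware addresses of the next hop, not the final host."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_web_syn(src_ip, src_port, dst_ip="207.44.178.102", dst_port=80):
    """Wrap outbound: TCP inside IPv4 inside Ethernet, addressed to the gateway's MAC."""
    tcp = tcp_segment(src_ip, dst_ip, src_port, dst_port)
    return ethernet_frame(GW_MAC, SRC_MAC, ipv4_packet(src_ip, dst_ip, tcp))


def unwrap(frame):
    """Strip the envelopes inbound, checking each one before trusting what is inside."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:          # a valid header sums to zero, checksum included
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    tcp = ip[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, proto, len(tcp))
    if proto != PROTO_TCP or checksum(pseudo + tcp) != 0:
        raise ValueError("bad TCP segment")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return {"dst_mac": frame[:6].hex(), "src_mac": frame[6:12].hex(),
            "src_ip": b2ip(ip[12:16]), "dst_ip": b2ip(ip[16:20]),
            "src_port": src_port, "dst_port": dst_port,
            "syn": bool(tcp[13] & TCP_SYN)}


def is_valid(frame) -> bool:
    """True if every envelope checks out; a single flipped bit in a header makes it False."""
    try:
        unwrap(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    port = random.randint(49152, 65535)   # "some random high port", as in the text
    frame = build_web_syn("192.168.1.10", port)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(unwrap(frame))
```

The frame is 54 bytes: 14 of Ethernet, 20 of IP, 20 of TCP. Note which address is where: the Ethernet destination is the router's MAC, because that is the next hop on your LAN, while the IP destination is the web server's; every router along the way rewrites the outer envelope and leaves the inner ones alone.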

This has been a long lead in to our main topics: Routers and Firewalls. It's important to note that these two are different things, although you can easily buy hardware that handles both functions. Let's look at routers first.

Let's now say that you have a Cable/DSL router. Why can one box handle both Cable and DSL? It's easy: it sits between the modem and your computer(s), and you're on Ethernet now, with either connection. What a router does is simple: it forwards packets from one network to another. Look at the router configuration, and you'll see that on the WAN (Wide Area Network, towards the modem) side, there's at least an IP address, a netmask and a gateway IP address (there are usually also name servers and broadcast addresses, but I'll bypass those). The IP address/netmask combination together defines your local neighborhood (in terms of IP space). All restrictions and protection aside, if you have an IP address of 243.67.89.17 and a netmask of 255.255.255.0, that means that every machine in the range 243.67.89.1 to 243.67.89.254 can be talked to directly, without any router between machines with those IP addresses. The gateway box is where packets go that aren't addressed inside that small local range. The gateway is the first of many routers that a packet traverses between two average machines on the Internet. The gateway has its own (larger) local neighborhood, and either the packet goes someplace in that space, or gets passed on to the next router, and so on.

How does this affect you? Well, that little Firewall/Gateway/Router box on your desk does one important thing in its guise as a router/gateway: it usually does NAT, which stands for Network Address Translation. You have an IP address (our example address 243.67.89.17 was picked out of the air; it sits inside the 240.0.0.0/4 block that is reserved and not handed out on the public Internet, so nobody actually has it). That's the IP address that you've got from your provider, either as a static IP address if your vendor is enlightened, or dynamically assigned by DHCP for a lease period otherwise. But for the time being, this address is yours. Well, it's the address of your gateway/router. Your own machine's address is assigned by the gateway router (there's that DHCP again) or you've set it yourself as a static IP; either way it's often in the 192.168.1.1-254 range, one of the private ranges that are never routed on the public Internet [which is why the identical inside address on every Linksys collides with nothing].

That means that you're no longer on the Internet directly; your system(s) are hidden from view by NAT, and that's the router's first method of firewalling you. When an unrequested packet arrives at 243.67.89.17, the router has no translation entry for it, so there is no inside machine to deliver it to: it is dropped (or rejected, or answered by the router itself if the router has a service of its own listening on that port, which is why remote administration on the WAN side is worth turning off), and perhaps logged. But if that packet was the Sasser worm coming to visit (it probes TCP port 445), it didn't get to any machine behind the router/firewall (unless you were silly enough to open a hole inbound that pointed to the ports that Sasser attacks, but more on that in a moment).

Let's look at the configuration I've got: I use (and recommend) Netgear - D-Link and Linksys also make this sort of stuff at the consumer level, there's plenty more (devices, capabilities and vendors) in the commercial client space. I could do a screenshot of my assorted configuration screens, but it's easier to do the Linux equivalent of a GRC Shields Up scan: I have a nearby box that I can use to run nmap (IP/port scanner software) against my Netgear:


[root@tserve /root]# nmap [my current IP address on the Netgear]
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on [Reverse DNS lookup and IP address]:
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds

I only allow port 22 inbound. That's done (on the Netgear, YMMV) by going to Advanced --> Ports, and configuring the port range from 22 to 22 to land on the static IP of my workstation. Then, when the SSH server is running on my box here, I can get to my home system through the Netgear. I have SSH pretty carefully configured; we may talk about that another day. (One caveat on the scan above: nmap's default run covers its list of well-known TCP ports, the 1601 it reports here, not all 65535, and no UDP at all. Add -p 1-65535, and a separate -sU run, for the full picture.)

Observe what's missing from that nmap listing: no ping, no ident, nada except the one service/destination I specify. Clearly, packets can't get through that, right? So how do I web browse? Get email? Do anything useful at all? The NAT implementation in the Netgear pays heed to what's going on with outbound packets. When I send a request to a webserver someplace with my own little LAN IP address and the random originating port, the NAT software in the Netgear translates that address and perhaps the port, but remembers what's been asked. When the answer comes back to the translated address and port, the Netgear uses that memory to translate the other way, and send that reply packet to me (if I originated the request) or Marcia (if otherwise). The jury is still out on Lucy as far as Internet savvy goes...

So NAT remembers state, and both routes packets and hides machines behind the NAT wall. That's half of firewalling - knowing what's coming inbound, and only allowing those packets explicitly permitted by rules (such as my port 22 rule for SSH) or allowing packets that are replies to requests (established sessions, as it were).
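The behaviour just described, the NAT remembering outbound requests, translating replies back to the right inside machine, dropping everything unsolicited, plus the single explicit port 22 forward from the Netgear configuration above, is easy to show as a small simulation. This is an added example of my own, not the Netgear's firmware or anything from the original page: the WAN address is the text's 243.67.89.17, the workstation address 192.168.1.10 and the remote addresses are assumptions, and WAN ports are handed out sequentially here only so the trace is readable (a real router draws them from a pool).

```python
from dataclasses import dataclass

WAN_IP = "243.67.89.17"        # the example address from the text
WORKSTATION = "192.168.1.10"   # assumed static LAN address of the SSH box


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Address- and port-dependent NAT: an inbound packet is translated only if it
    answers a mapping created by an outbound packet, or hits an explicitly forwarded
    port. Anything else has nowhere to go and is dropped."""

    def __init__(self, wan_ip, port_forwards=None, first_port=10000):
        self.wan_ip = wan_ip
        self.port_forwards = dict(port_forwards or {})  # WAN port -> (LAN ip, LAN port)
        self.by_inside = {}    # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.by_outside = {}   # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.next_port = first_port   # sequential for readability; real routers use a pool
        self.dropped = []      # (reason, packet) log of what never reached the LAN

    def _pick_port(self):
        while self.next_port in self.port_forwards:   # never collide with a forward
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the WAN address and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.by_inside.get(key)
        if wan_port is None:
            wan_port = self._pick_port()
            self.by_inside[key] = wan_port
            self.by_outside[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: translate a reply or a forwarded port; drop everything else."""
        if pkt.dst_ip != self.wan_ip:
            self.dropped.append(("not addressed to us", pkt))
            return None
        inside = self.by_outside.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None and pkt.dst_port in self.port_forwards:
            inside = self.port_forwards[pkt.dst_port]
            # Record state so the forwarded host's replies leave as WAN:22 rather than
            # getting a fresh mapping.
            self.by_inside[(inside[0], inside[1], pkt.src_ip, pkt.src_port)] = pkt.dst_port
            self.by_outside[(pkt.dst_port, pkt.src_ip, pkt.src_port)] = inside
        if inside is None:
            self.dropped.append(("unsolicited", pkt))
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


if __name__ == "__main__":
    nat = Nat(WAN_IP, {22: (WORKSTATION, 22)})
    print("out:", nat.outbound(Packet(WORKSTATION, 51234, "207.44.178.102", 80)))
    print("reply:", nat.inbound(Packet("207.44.178.102", 80, WAN_IP, 10000)))
    print("worm probe:", nat.inbound(Packet("198.51.100.7", 4321, WAN_IP, 445)))
    print("ssh in:", nat.inbound(Packet("198.51.100.7", 4000, WAN_IP, 22)))
    print("dropped:", nat.dropped)
```

The key is that the lookup on the way in uses the remote address and port as well as the translated port: a packet to the mapped port from anyone other than the web server you asked has no entry and is dropped, exactly like the worm's probe at 445. A router that matches on the translated port alone (a "full cone" NAT) would let that through.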

The other part of firewalling is outbound. Do you want your firewall to pass outbound Windows Networking packets? No, I didn't think so; you don't really want your Windows Network shares accessible from the world, or even just your neighbors. So when Windows Networking broadcasts its "Hey, I'm over here" message to anyone that'll listen (NetBIOS on UDP 137/138 and TCP 139, plus SMB on TCP 445), those packets are blocked outbound. I don't know of a single consumer-grade Gateway/Firewall that will permit those to be opened. Many of the late model Gateway/Firewalls permit some form of content filtering, too. That blocks access to specified websites or domain names according to some rule set or another; to do it, the filtering software/hardware has to open every packet headed for a port 80 someplace and look at the requested host and page to see whether the destination is banned. So packet inspection is a part of outbound firewalling as well.

Lastly, what services are found on which ports? If you run a Linux box, then many of the service-to-port associations are listed in the file /etc/services. Kurt Seifried put together a great online listing of ports and services, along with a couple of good articles on getting information from your system (Linux or Windows) about which services are using what ports. Here's the page to go to.

As noted earlier this week, firewalling software is available to run on your system. Scott made mention of ZoneAlarm. That's a product that recently popped up with its own set of vulnerabilities: if you didn't update ZoneAlarm, you were vulnerable while running that firewalling software. That emphasizes one key rule of system protection: don't rely ONLY on software running on a system to protect that same system. There's always the possibility of a failure or vulnerability in the protection software. We have the Netgear here, plus Marcia runs Norton Internet Security. Yeah, it's a load on her system. When buying or upgrading, factor in the need for antivirus and firewalling functions. Figure that worst case they'll eat 25 - 50 percent of your performance on an old slow box (slower than a 1 GHz processor, okay?) when it counts: opening, reading, writing files (for the AV), less for the firewalling, but still ... faster machines do better at this stuff than slower ones do.

What should you do if you're paranoid? Run full stateful inspection firewalling for both inbound and outbound traffic. Spend the money on Watchguard or Sonicwall, and lock down the ports that can be accessed going each way. The way to do it right is to block everything, then open up those ports you must have. Remember, that packet says where it's going and to what port. So you don't (necessarily) have to say which port is requesting a reply; you can just allow outbound 80, 81 and 443, 110 for POP3 and 143 for IMAP (995 and 993 for the SSL versions of those protocols), and see what breaks. Let's say you know that some viruses/trojans create a listener on port 31337 (elite, neh); then you can also block all outbound traffic originating from that port on any machine inside (bearing in mind that a trojan can pick any port it likes, so such a rule only catches the lazy ones). But then security consumes your life. So this isn't for the home user. If you're a security geek, you think about this all the time, and you want to execute the paranoid mode at work, only nobody will allow it because you can't identify what services the executive suite uses, and if you muck up their connection to that Fantasy Football site running on port 8384 someplace, your job is toast. Such is life.
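Here is the "block everything, then open what you must" policy written down, as an added example of my own rather than a Watchguard or Sonicwall configuration or anything from the original page. It covers both the outbound Windows Networking point above and the paranoid port list: a default of DROP, first-match rules in both directions, a free pass for packets that belong to an already-established session, and a renderer that turns the same list into iptables FORWARD rules for a Linux box doing the gateway job. The interface names eth0/eth1, the port numbers beyond those in the text (DNS on UDP 53, without which nothing resolves) and the sample packets are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    direction: str               # "out": LAN -> Internet, "in": Internet -> LAN
    proto: Optional[str] = None  # "tcp", "udp", or None for any protocol
    sport: Optional[int] = None  # source port (None = any)
    dport: Optional[int] = None  # destination port (None = any)
    note: str = ""


DEFAULT_ACTION = "DROP"   # block everything first ...

# ... then open only what must work. First match wins, so the trojan-port rule sits
# ahead of the web rules: a 31337 listener talking to a remote port 80 is still dropped.
# Windows Networking (UDP 137/138, TCP 139/445) needs no rule of its own; it simply
# never matches an ACCEPT and falls through to the default.
PARANOID = [
    Rule("DROP", "out", "tcp", sport=31337, note="known trojan listener port"),
    Rule("ACCEPT", "out", "udp", dport=53, note="DNS (assumed; nothing resolves without it)"),
    Rule("ACCEPT", "out", "tcp", dport=80, note="http"),
    Rule("ACCEPT", "out", "tcp", dport=81, note="http on 81, as listed in the text"),
    Rule("ACCEPT", "out", "tcp", dport=443, note="https"),
    Rule("ACCEPT", "out", "tcp", dport=110, note="pop3"),
    Rule("ACCEPT", "out", "tcp", dport=995, note="pop3 over SSL"),
    Rule("ACCEPT", "out", "tcp", dport=143, note="imap"),
    Rule("ACCEPT", "out", "tcp", dport=993, note="imap over SSL"),
    Rule("ACCEPT", "in", "tcp", dport=22, note="the one inbound hole, forwarded to the workstation"),
]


def decide(policy, direction, proto, sport, dport, established=False):
    """First matching rule decides; replies to allowed sessions pass; otherwise the default."""
    if established:
        return "ACCEPT"
    for rule in policy:
        if (rule.direction == direction
                and rule.proto in (None, proto)
                and rule.sport in (None, sport)
                and rule.dport in (None, dport)):
            return rule.action
    return DEFAULT_ACTION


def render_iptables(policy, lan_if="eth1", wan_if="eth0"):
    """The same policy as iptables FORWARD rules for a Linux gateway (interface names assumed)."""
    lines = [
        f"iptables -P FORWARD {DEFAULT_ACTION}",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        in_if, out_if = (lan_if, wan_if) if r.direction == "out" else (wan_if, lan_if)
        parts = ["iptables", "-A", "FORWARD", "-i", in_if, "-o", out_if]
        if r.proto:
            parts += ["-p", r.proto]
        if r.sport is not None:
            parts += ["--sport", str(r.sport)]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        parts += ["-j", r.action]
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    # Constructed sample traffic: the web, the executive's fantasy football site on 8384,
    # a trojan on 31337, NetBIOS chatter, and the inbound SSH hole.
    samples = [("out", "tcp", 51234, 80), ("out", "tcp", 51235, 8384),
               ("out", "tcp", 31337, 80), ("out", "udp", 137, 137),
               ("in", "tcp", 4000, 22), ("in", "tcp", 4321, 445)]
    for s in samples:
        print(s, "->", decide(PARANOID, *s))
    print("\n".join(render_iptables(PARANOID)))
```

The inbound port 22 rule assumes the router already forwards that port to the workstation, as in the Netgear setup described earlier; the FORWARD chain only sees the packet after that translation. Pair the default DROP with logging of what it drops for the first week, which is how you find the port 8384 sites before the executive suite does.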

I tell you three times - a separate gateway/router/firewall box is a very good thing. Do, do remember to set the administrative password to something other than the default, so that the kids can't Google the default and blow away your rules, bringing Kazaa and other P2P crap into your life. Run a local AV and firewall on the workstations too. You can call it belt-and-suspenders security, or dual-condom computing, but two easy steps make computing much safer for you, and make you not a problem for the rest of the Internet, since you're no longer likely to become a spam zombie, or a DDoS client or some other nefarious thing.

Wow. That was a lot longer than I planned when I started writing...


[Photo: a freshly mowed lawn]

I did say I was going to be busy yesterday. That started with getting both vehicles down for an oil change. Additionally, I got Marcia's tires rotated and her fuel injectors cleaned. We somehow managed to miss that at the 15K service. After the truck service, I went over to Home Depot, picked up some plants, lumber, screws and topsoil. Then I headed home, getting in by 1230, and out into the yard at about 1300. The time from then up until 1830 was pretty full ...

[Photo: Marcia's new strawberry bed]

I started by mowing the back lawn. You can see the darker green spot in the middle where I rototilled and reseeded the area that held the play set and sand box from the former owners. It's moderately flat now, and grassy all over, instead of just in leprous patches. Then I built Marcia a raised-bed planter for her new strawberry obsession. That's a simple looking project, but you see, I tripled the effort required by cutting out the sod underneath that box, and using it to patch in a couple of areas that were in dire need. One (shown in the photo below) used to be the home of the immobilized base of the basketball standard they had off of the concrete pad. It was a 3' x 4' spot of gravel, sand and dandelions. Now it looks like a sod patch. Hopefully it'll look like just plain lawn, sometime soon. That was hard work, but worth it. Oh, and the squash are coming along nicely - there are zucchini, summer squash and pumpkin growing. I have some mulching to do sometime soon - there's lots of revenant grass in my mini-farm at the moment. The garden overall is going quite well, and I'll have pictures of that up one of these days soon.

[Photo: patching the lawn]

[Photo: squash in the garden]

New flowers went into the front, too. On the left side bed, the marigolds were dying. Odd, because plants from the same flat are all thriving on the other side... Oh, well. So I picked up some new plants to replace them - there are two areas like the one pictured below. Then, this vine-growing flower (also pictured below) is trying hard to own the lamp at the driveway/front walk interface. A mailbox towards the front of our street is covered by an identical plant (excepting bloom color). From the looks of things, I should have good color from this plant for at least another month or two.

[Photo: new annuals in front]

[Photo: a pretty flowering vine]

While I worked outside, Marcia worked inside on a variety of projects ... not least of which was internal eyelid inspection. But she had a very busy week and she's prepping for three days of business travel in the next week.

Today I hope to be lazy. Do you think I have a hope? A betting man would have to say "Nope." Okay, at least I know there's the shopping. We'll get to that now, and I'll see how little I can do today. I probably will do more on that mailbox project that I last touched last weekend. Now have a great day!





Visit the rest of the DAYNOTES GANG, a collection of bright minds and sharp wits. Really, I don't know why they tolerate me <grin>. My personal inspiration for these pages is Dr. Jerry Pournelle. I am also indebted to Bob Thompson and Tom Syroid for their patience, guidance and feedback. Of course, I am sustained by and beholden to my lovely wife, Marcia. You can find her online too, at http://www.dutchgirl.net/. Thanks for dropping by.

All Content Copyright © 1999-2011 Brian P. Bilbrey.

Creative Commons License
Except where otherwise noted, this site is licensed under the
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.