1/4/2000 to 1/4/2025: the mistakes

Continuing my series on the first 25 years in ICT (previous post).

I've made some mistakes in my career, here are the two most important ones, in ascending order (most serious last),

My second biggest mistake is, in hindsight, a trivial network masking error that ended costing a customer a large internet bill (when internet was still metered) and overflowed into an investigation. The investigation ended without consequences but was nonetheless worrisome.
The setup was as follows: a flat internal network with a proxy to control outgoing internet traffic. The firewall had rules that only allowed certain hosts (servers, and the proxy itself) to access the internet without restrictions. Everybody else had to go through the proxy. My mistake was adding a rule for a new server, but instead of setting the source ip in the rule to ip/32 in CIDR notation I set it to ip/24, effectively allowing all network to bypass the proxy. This went undetected for a while, at least until the first unusually large bill arrived.
Trust me, I double check all network masks now 😅

My biggest mistake was not leaving my old job sooner. Considering how far I've gotten in my past 8 years I wonder where I would be today if I had moved to a larger organization sooner than I did. I don't regret my choices, but I do try to learn so that I don't fall into the same habit again.

Popular posts

Opengrep quickstart

Since I could not find a quickstart to run opengrep with the full set of rules from their fork I thought I'd document what I found out. Setup Download the opengrep binary from github and make it executable with chmod +x . Clone the rules repo: git clone git@github.com:opengrep/opengrep-rules.git and clean it up to make it usable to opengrep: cd opengrep-rules rm -rf ".git",".github",".pre-commit-config.yaml", "elixir", "apex" find . -type f -not -iname "*.yaml" -delete rm -rf .github rm -rf .pre-commit-config.yaml Ensure opengrep can load the rules with: opengrep_manylinux_x86 validate . The same can be done for custom rules maintained in a separate repository. AFAIU Multiple repositories can be specified by repeating -f option as needed, see below. We are now ready to scan a repo, from the repo root directory run: opengrep_manylinux_x86 scan \   -f <path_to>/opengrep-rules \   --error \   --exclude-rule=VAL some ti...
Read more

Mirth: recover space when mirthdb grows out of control

I was recently asked to recover a mirth instance whose embedded database had grown to fill all available space so this is just a note-to-self kind of post. Btw: the recovery, depending on db size and disk speed, is going to take long. The problem A 1.8 Mirth Connect instance was started, then forgotten (well neglected, actually). The user also forgot to setup pruning so the messages filled the embedded Derby database until it grew to fill all the available space on the disk. The SO is linux. The solution First of all: free some disk space so that the database can be started in embedded mode from the cli. You can also copy the whole mirth install to another server if you cannot free space. Depending on db size you will need a corresponding amount of space: in my case a 5GB db required around 2GB to start, process logs and then store the temp files during shrinking. Then open a shell as the user that mirth runs as (you're not running it as root, are you?) and cd in...
Read more

From 0 to ZFS replication in 5m with syncoid

The ZFS filesystem has many features that once you try them you can never go back. One of the lesser known is probably the support for replicating a zfs filesystem by sending the changes over the network with zfs send/receive. Technically the filesystem changes don't even need to be sent over a network: you could as well dump them on a removable disk, then receive  from the same removable disk.
Read more