majikkan's Friends
Below are the most recent 13 friends' journal entries.
| Friday, January 8th, 2010 |
gushi
|
1:29a |
2009 Meme
What did you do in 2009 that you'd never done before?
Got hit by a car, while on foot. I'm going to mention this several times since I'm still feeling the effects.
Did you keep your new years' resolutions, and will you make more for next year?
I didn't have any.
Did anyone close to you give birth?
Jason and Rebecca. Well, Rebecca, anyway.
Did anyone close to you die?
Not as far as I know.
What countries did you visit?
None
What would you like to have in 2010 that you lacked in 2009?
Freedom from debt.
What date from 2009 will remain etched upon your memory, and why?
December 29th.
What was your biggest achievement of the year?
A few pieces of software I wrote?
What was your biggest failure?
Not discussing it here, but I know what it is.
Did you suffer illness or injury?
Oh yeah.
What was the best thing you bought?
Another car, I guess.
Where did most of your money go?
Food, Rent, Taxes?
What did you get really, really, really excited about?
I don't get excited like that.
What song will always remind you of 2009?
I Gotta Feeling by Black Eyed Peas
Compared to this time last year, are you:
Happier, I suppose.
What do you wish you'd done more of?
More coding.
What do you wish you'd done less of?
Vegetating in front of the idiot box.
How did you spend Christmas?
Chinese food and a movie that we wound up not seeing due to overcrowding.
Did you fall in love in 2009?
No. I told someone I didn't have feelings for them. That was hard, and felt honest but mean at the same time.
How many one-night stands?
We have one nightstand on the side of our bed.
What was your favorite TV program?
Lie to me. House. The Big Bang Theory. The IT Crowd. Dexter. Californication. Dollhouse.
Do you hate anyone now that you didn't hate this time last year?
Life's too short to carry hate.
What was the best book you read?
I can't recall one.
What was your greatest musical discovery?
What did you want and get?
A new vehicle.
What did you want and not get?
Not talking about this right now.
What was your favorite film of this year?
9.
What did you do on your birthday, and how old were you?
Went to the Duke of Edinburgh inn with Jeff and Kat.
What one thing would have made your year immeasurably more satisfying?
These questions are getting repetitive.
How would you describe your personal fashion concept in 2009?
Sweats and geeky tee shirts.
What kept you sane? For most of the year?
Why is that? A second question? Caffeine.
Which celebrity/public figure did you fancy the most?
Barack Obama. He's a PILF. Nohomo.
What political issues stirred you the most?
Prop 8 and the resulting post-disappointments at the repeal.
Who did you miss?
Naryu. Sai.
Who was the best new person you met?
Leah and Francisco are sitting pretty highly in my regard right now.
Tell us a valuable life lesson you learned in 2009:
Always look both ways, and it's going faster than you think it is.
Quote a song lyric that sums up your year:
"I'm blue daboo dee daboo dai..."
Where did you begin 2009?
Asleep on the couch.
What was your relationship status by Valentine's Day?
What you might expect.
Were you in school anytime this year?
I went to the trauma center at a teaching hospital.
How did you earn your money?
By doing what I love.
Did you have to go to the hospital?
Minorly, for a digestive problem.
Oh yeah, and after being struck down by a hit and run.
Did you have any encounters with the police?
Other than a DWI checkpoint, and the interaction in #42, no.
Would you relive 2009 over and over again?
That would get old pretty fast.
What did you purchase that was over $1000?
I purchase my rent each month. Since we moved I've spent over 15K on it.
Also, attempted to finance a used car.
Did you know anybody who got married?
Jon and Jess. Probably others.
Has anyone betrayed you in 2009?
My family, on a regular basis. A couple other people have managed to disgust and disappoint me.
Where do you live now?
San Carlos, California.
What's something you thought you'd never do but did in 2009?
Got hit by a car. Didn't see that one coming.
What has been your favorite moment?
I've had a few of those.
What's something you learned about yourself?
Not sure how to answer this. I know myself pretty well.
Were you in a relationship this year?
At least one.
What music will you remember 2009 by?
Yeah, if you're going to write a meme, quality over quantity. This is the same fucking question as #14
Would you say you've changed since the beginning of this year?
If I hadn't my clothes would likely smell rather bad.
Do you think 2010 will be better or worse?
I would say better. But then, that's the only attitude to have.
|
| Thursday, January 7th, 2010 |
gushi
|
5:24a |
|
| Wednesday, January 6th, 2010 |
gushi
|
12:34a |
Just logged into Blue Shield's Website... Nothing to add a lump to your throat like seeing this claim:
$10,328.51: Pending
I'm not even sure if that's for one or both of us.
Honestly? Even if I had to pay that whole thing out of pocket (I'm sure
I won't)...it was worth it. The care we got was absolutely amazing, and
everyone was absolutely top-notch. |
| Tuesday, January 5th, 2010 |
gushi
|
10:56p |
Random Firefox Annoyance
I just noticed that Firefox 3.5, when clicking on a "mailto:" link, no longer has the option to "copy link", only to "copy email address".
You know, Firefox, some of us still don't keep our browser configured to send mail. Personally, alpine -url
"mailto:bug-followup@FreeBSD.org,mdh%5Flists@yahoo.com?subject=Re:%20bin/128725:%20%5Bpatch%5D%20whois%28%31%29%20does%20not%20correctly%20send%20queries%20regarding%20IPv%36%20addresses%20to%20the%20RIR%20whois%20servers"
does the right thing for me, adding the correct CC, subject, and all. |
| Sunday, January 3rd, 2010 |
gushi
|
5:42a |
How to use me (or anyone) as a job reference.
I have a general policy in handling Job recommendations for friends. I have no problem with doing it, but I'm
incredibly honest in doing so. Many of the communities I move in are small enough that people will remember if I give
a good recommendation for someone who turns out bad.
In general, you should do the following things:
DO tell me in advance that you're looking for a job. I consider myself reasonably well connected in many fields,
and if I've worked with you in some manner that applies to the work you're applying for, I'm more than happy to
quite honestly tell people that.
DO ask for my most current information. I've had a couple of cell phone and home numbers over the years, and these are
subject to change. I don't in general mind being called at work, however I have a fairly restrictive policy about
answering calls to my cell from people I don't recognize. To that end, anyone you give my number to, please
explain that I work in data centers that screw up my cell phone, and that voicemails do get returned.
DO NOT just randomly hand out my number without at least giving me a heads up, although I prefer to be asked
rather than informed that I'm being used.
DO try to give me a heads up as to what you've told people in interviews about me. For example, how long you claim
to have known me and how long I claim to have known you could look sloppy if there's disagreement. While I'm not
suggesting you rehearse this info too much, it's not a bad idea to do some fact-checking first.
DO NOT expect me to lie for you. I can enhance the truth in good faith, if we've for example worked in a casual
basis (for example, with I-CON or another similar project), or if you've worked with/for me in a sense where it
wasn't formal employment.
DO, if you consider me both a friend and a colleague, list either or both on your resume, but please tell me
which you're using me for. (I.e. a character reference versus a work/performance reference).
DO tell me when you have gotten a job, and when I should no longer expect calls.
DO ask me to at least spot-check your resume/CV. I've gotten rather good at handling them over the years. I
haven't yet charged for the redos I've done for various people, but I have managed to make something workable
given very little to go on.
|
| Friday, January 1st, 2010 |
gushi
|
9:18a |
2009 was an interesting year.
I moved a ton closer to work, and have basically been living alone with Kat since then. We live at a hotel (as some of you may know), but it's
basically a fully-furnished apartment with a month-to-month lease and no credit hassles to move in. There's a mostly-full kitchen, but no oven. It's
a better deal and has better amenities than most of the apartments I've seen around here.
I attempted to buy a car, and after initial credit pre-approval, was turned down. Oddly, the same company that wouldn't trust me to pay $300 a month
in financing was more than happy to rent me a car for $600+ a month. A couple months ago, I bought another used car. Those of you that know me, know
what kind it is.
My health has been okay. I ran into a minor digestive issue in January, but other than that, clean slate. I'm still fat. The liver problems of a
few years ago haven't shown up again. I'm not afraid of drinking, but I believe in moderation and can count on one hand the number of times in this
year I've been inebriated.
Work is going well. Kat's started working with the company in a minor fashion, and I've managed to get one other friend's foot in the door, which in
turn served to jumpstart the company's interest in interns (because we do, after all, have an educational mission).
Entertainment-wise, Kat and I managed to get caught up in House, Lie to Me, The Big Bang Theory, Glee, and Californication. We also just (as in
today) got done watching Boston Legal (the last three seasons I now own on DVD, I may pick up the first two later).
Finances are kinda-sorta behaving. I've closed out and paid off two credit card accounts, as well as being within a couple hundred dollars of paying
off the debts from my Jersey Colo. My Big Debt (the IRS) is slowly being paid down (I'll probably know exactly where I stand after I file this year's
Tax Return). Once that happens, it's like gaining a free extra couple hundred dollars each paycheck.
I've put together a few articles and howtos on this Journal that I feel most of you don't have the requisite interest in, but that I may in turn
cross-post to my company's blog. I also wrote a few minor pieces of software, including a cool shell script to publish your PGP keys in DNS. (Which
works better than the default tools).
There was the whole getting-hit-by-a-car thing that kinda closed out the year. Would like not to experience that again. Do not want.
Number of dollars spent supporting Michael Bay: 0
For 2010:
Buy a new phone, finally.
Get the staples out of my head.
I'd like to try to complete a few other software projects: perhaps get the work done on my CMS, perhaps get more work done on my LJ client (those are
in opposite directions). Perhaps work on something to deal with all the spam I have to handle on a regular basis.
I might finally attempt to try to get back to school again. I work with some of the most intelligent people I've ever known, and I lack even the most
basic of degrees.
I'd like to finally get up and going at Tech Shop.
Perhaps we can get the rest of the credit cards paid down, who knows, maybe, gasp start amassing savings. |
gushi
|
5:18a |
Random Thought
How much better a world would this be if we had a Violin Hero? |
| Wednesday, December 30th, 2009 |
gushi
|
4:46a |
Kat and I were just hit-and-run by a car
Yes, you read that right.
As Kat and I were crossing the street to head home, we were both hit-and-run, presumably (according to local PD) by a drunk driver who left the
scene without even stopping.
There was loss of consciousness on both our parts, duration unknown.
The last thing we both saw was a car down the street, then people standing around us. Kat attempted to sit up, and move; I remained prone, which is
the most intelligent thing you can do in that situation. They backboarded and transported us, we've been there since 5pm (it's now 2am).
What people witnessed was not much at best. People claim to have seen some kind of pickup truck with a camper on the back, like the derelicts that
seem to hang around our neighborhood.
I'm back at home, and have 11 staples in my head and a vicodin script. I will be out of work tomorrow, though may tap a ride from FO to go up to
Stanford to retrieve Kat. She's being held for the night, based on something erroneous they may have seen on her head-CT, but other than some scared
she seems okay.
Her laptop is toast, and is literally bent, we estimate it took some of the brunt of the impact. If you NEED to reach her hospital room it's
650-721-6914. She has her cell but not a charger.
For what it's worth, alert and talking, and crisis-managing is how I tend to boot up in a situation like that: it's not always a good sign, I tend to
ignore symptoms if I'm worried about someone else.
I'd specifically like to thank Francisco, who stayed by my and Kat's side the whole time.
I'm in general disgusted by people right now. And I want a reserved parking spot.
-Dan |
| Monday, December 28th, 2009 |
gushi
|
7:59p |
This post is not about sysadmin stuff...
We went to the banks today, to one bank to cash Kat's check, then to mine to deposit it. (I'm functioning as her debit card provider).
When we got to mine, which is Chase, we stood on the ten-person-long line, where the bank had (at noon on a Monday) seven windows and three tellers
open, showing us how efficiently they can manage their resources.
Anyway, there was a small table in a corner, where an older woman sat, facing the corner, and talking on her phone. She was sobbing softly, and we
could hear her telling the person on the other end of the phone line "I'm at chase, there's no money in my account and I don't have the gas to get
home."
I was going to tell Kat to just go give her some, and Kat was herself considering this without being told. By the time we left, she was gone, but I
can't help but think about how sad it was. I strongly suspect there was BankFuckery present, which
in turn makes me just want to stuff my cash under my mattress.
Still, I'm bothered that I didn't take the chance to do what I wanted to, when I wanted to. |
gushi
|
5:41p |
Polite Ranting
I woke up this morning to find a mailbox with several hundred bounce-messages in it. Mostly from Japan, China, and
Portugal.
It seems that, once again, some spammer has used some email addresses in danmahoney.com as his "From:", or his "Return Path:" address.
DanMahoney.com is my father's domain. He gets a few limited addresses there, I get the rest. For various reasons, I
find this useful: for example, to see how clueless people are, that they can't get an email address like DAN AT
DANMAHONEY DOT COM right. Now, like I do with gushi.org, for a long while I used danmahoney.com as a "catch-all"
domain, for anyone who wanted my address for a no-good reason.
Ignoring the irony of some of the countries I'm getting bounces from not having such clean noses themselves...
It would be great if there were some sort of mechanism whereby I could say "the only hosts that will originate mail
claiming to be from danmahoney.com are these..."
Wait. There is. It's called SPF, or "Sender-ID". And I've been using it for YEARS now, at the most strict setting:
%dig +short danmahoney.com SPF
"v=spf1 mx -all"
%dig +short danmahoney.com TXT
"v=spf1 mx -all"
But people don't get it. They continue to SEND ME bounce messages.
Hell, even Google's Mailservers received a message from this, then forwarded it on, and then sent me "sorry, we couldn't deliver this" messages:
( This fucked up my page )
I tried to contact them, but they're not listening (covered in another LJ post).
What needs to happen here is simple: We, as a nation of mailserver admins, need to accept that if people set the -all sigil in their SPF records,
then they are asserting, for sure, that the only mail to ever be legitimately sent from their domain will come from those records.
We need to assume that this record doesn't get added to DNS by itself, and we need to work with the assumption that when people add it, they
accept that unless mail is being sent through their mailserver, it will be dropped on the floor. We need to acknowledge that people do not want
bounces for mail they did not send, and why else would they put up a record to legitimize their mail?
In a celebration of this concept, I've just made prime a tiny bit more restrictive: If you attempt to send me a message that fails SPF, it will be
dropped on the floor, outright. Note again that this will only happen for domains that set -all. Anyone setting ?all or anything else, will
still get through. I've collected some samples...
( My Samples, Let me Show You Them )
Argh. Most people I know think the SMTP infrastructure is damaged beyond repair. I don't think this, but I do think that people need to wake the
fuck up and start doing the right thing. |
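The delivery rule described in this post, as an added example (not the author's mail configuration): a small Python evaluator for the subset of SPF needed here (`mx`, `a`, `ip4`, `all`), where a message is dropped only when the sending domain's record ends in a hard fail. DNS is replaced by a constructed lookup table, and every domain and address in it is a placeholder.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (placeholder data).
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("soft.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("open.example.com", "TXT"): ["v=spf1 a ?all"],
    ("open.example.com", "A"): ["203.0.113.7"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 record, or None if absent or ambiguous."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def matches(mech, arg, domain, ip):
    """True if the connecting address satisfies one mechanism."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
    if mech == "mx":
        return any(ip == ipaddress.ip_address(a)
                   for host in lookup(arg or domain, "MX")
                   for a in lookup(host, "A"))
    # include, redirect, exists, ptr and CIDR suffixes are outside this subset
    raise ValueError("unsupported mechanism: " + mech)


def check_host(ip, domain):
    """Evaluate the record left to right; the first matching mechanism decides."""
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        try:
            if matches(mech.lower(), arg, domain, ip):
                return QUALIFIERS[qualifier]
        except ValueError:
            return "permerror"
    return "neutral"  # nothing matched and the record has no "all"


def smtp_action(ip, mail_from_domain):
    """Drop only on a hard fail; softfail, neutral and missing records get through."""
    result = check_host(ip, mail_from_domain)
    return ("drop" if result == "fail" else "accept"), result


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.org"),
                    ("203.0.113.99", "example.org"),
                    ("203.0.113.99", "soft.example.net"),
                    ("203.0.113.99", "open.example.com")]:
        print(ip, dom, smtp_action(ip, dom))
```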
gushi
|
4:54p |
|
| Sunday, December 27th, 2009 |
gushi
|
8:53a |
Feeding an RBL from bad DNS queries.
It's the holiday time, and the IT-driven life I lead has been a little slow, as nobody wants to make sweeping changes
over the holidays. Instead, I'm once again playing with my personal code, and my vendetta against the people who
abuse servers.
In my last post, I detailed how bad DNS queries can indicate that someone is querying nonstandard sources on your DNS
server. For example, someone querying your servers for the A records of the google mail servers.
What I've discovered since then is that with a tiny bit of perl, I can run through a day's logs, and feed the data
into a hash, to de-duplicate them. Then, with the magic of nsupdate, I can feed them into an RBL that my mail servers
will query. I don't even need any intermediate database.
So What's an RBL?
I'm sure those of you who use SpamAssassin or whatnot may know what an RBL is: it's a Realtime BlockList. Your mail
servers do a special dns lookup. For example, if the ip address 1.2.3.4 is connecting to you, your mail servers may
query the rbl at "zen.spamhaus.org", by first reversing the ip address, and then appending it to the blacklist name.
So 1.2.3.4 becomes 4.3.2.1.zen.spamhaus.org. If a lookup of that returns an ip, it's listed. Typically, the ip
returned is in the 127.0.0.x range. On some blocklists, certain return codes have certain meanings.
Generate your key.
Most people who do dynamic updates with BIND, use a security method called TSIG (Transaction SIGnatures). The key in
these cases is a "shared secret", and needs to be chunked into named.conf. This is the "Old Way" of doing things.
In my instance, I am using something most people don't get, called sig(0). Instead of having to put my keys in my
named.conf file, I simply list them right in my zone. Instead of being the standard HMAC-MD5 keys that one sees using
TSIG queries, I can simply tell any given party "generate a key, send me the public component" and never worry about
the secret key crossing the wire. (Yes, to be sure, I should tell them to pgp sign it to make sure it's not modified
in transit). The real beauty of this is that with a properly-crafted update-policy, I can set things up so that
future keys can be added with nsupdate, and I never have to touch named.conf to add "feeders" again.
The command I ran to generate my keys was:
dnssec-keygen -a RSASHA1 -b 512 -k -n HOST rbl.gushi.org
That will give me two files: a .private file that's a bunch of Field: Value statements, and a single .key file which
contains my key, in a resource record. While the format of these filenames may look very similar to those used for
DNSSEC, the records being generated are of the "KEY" type, whereas DNSSEC uses "DNSKEY" records. I copied
these to my home directory.
Create the zonefile
After generating the key, I created a basic zone:
$TTL 360 ; 6 minutes
rbl.gushi.org. IN SOA prime.gushi.org. root.gushi.org. (
2009123678 ; serial
7200 ; refresh (2 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
360 ; minimum (6 minutes)
)
rbl.gushi.org. NS prime.gushi.org.
And then added my key statement:
rbl.gushi.org. KEY 512 3 5 (
AwEAAbt55viC4mTSNbvlZlEM9QN/aDRAcBiItmmGylNV
GDw9eBLF71TBtzF/zVLUExsptCj3ez/wYstkQjfWGfjO
zl0=
) ; key id = 65002
Note that the contents of the .key file were literally:
rbl.gushi.org. IN KEY 512 3 5 AwEAAbt55viC4mTSNbvlZlEM9QN/aDRAcBiItmmGylNVGDw9eBLF71TB tzF/zVLUExsptCj3ez/wYstkQjfWGfjOzl0=
on a single line, but the above pretty-wrapped line was generated after the zone got rewritten by named.
I made sure to put the zonefile in a directory where named could write to (it would be overwriting the zonefile, as
well as creating a ".jnl" file in the same directory).
I also added an NS record in my main zonefile, pointing to prime.gushi.org exclusively for this zone, and specified an update-policy in my zone definition in named.conf:
zone "rbl.gushi.org" {
        type master;
        file "d/rbl.gushi.org.hosts";
        update-policy { grant rbl.gushi.org. subdomain rbl.gushi.org A TXT; };
};
That update policy basically tells named that the key labeled rbl.gushi.org can update any subdomain of rbl.gushi.org,
but only the A or TXT records. While this policy is pretty granular, named currently lacks the ability to say things
like "this key can only add but not delete TXT records" or "this key can update records, but cannot change the number
of records" (i.e. it may not add two A records).
I then issued an "rndc reconfig" to tell named to reload the config files (in the "old days" this would have been done
with a SIGHUP or by stopping and restarting the process). Then I checked the logs to be sure the reconfig had run, and
that the new zone had been loaded (rndc doesn't tell you these things).
Testing dynamic updates
After that, I ran the following:
prime# nsupdate -k /home/danm/Krbl.gushi.org.+005+65002.private
> update add test.rbl.gushi.org. 3600 A 127.0.0.1
> send
> update add test.rbl.gushi.org 3600 TXT "this is a test"
> send
> quit
Then, a dig to test it:
prime# dig @prime test.rbl.gushi.org ANY
; <<>> DiG 9.6.1-P1 <<>> @prime test.rbl.gushi.org ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50427
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.rbl.gushi.org. IN ANY
;; ANSWER SECTION:
test.rbl.gushi.org. 3600 IN TXT "this is a test"
test.rbl.gushi.org. 3600 IN A 127.0.0.1
;; AUTHORITY SECTION:
rbl.gushi.org. 3600 IN NS prime.gushi.org.
;; ADDITIONAL SECTION:
prime.gushi.org. 360 IN A 72.9.101.130
;; Query time: 0 msec
;; SERVER: 72.9.101.130#53(72.9.101.130)
;; WHEN: Sun Dec 27 01:56:55 2009
;; MSG SIZE rcvd: 115
From there, if I were to do an rndc freeze rbl.gushi.org, I would see it show up in the zonefile. Until that point,
it would live in a journal (.jnl) file maintained by named.
At this point, I had a zonefile that I could add things to, and remove them from, but getting the data out of my logs
was still a problem.
Parsing my logs
Enter perl. While programmers may love python, and web programmers may love ruby, to the sysadmin, perl is still the
"swiss army chainsaw" we reach for in such a situation.
A quick well-caffeinated night (Christmas night) of programming yields this script, which works for me (and in fact, will work from
multiple systems, even across the internet). I just run it against the requisite logfiles, and I'm set.
After running it, I issue an "rndc freeze rbl.gushi.org" to tell named to save the data back to the master zonefile
and look at the zonefile:
$ORIGIN 109.rbl.gushi.org.
$TTL 3600 ; 1 hour
0.88.110                A       127.0.0.2
                        TXT     "Last seen Dec 26 16:11:19 polling for ASPMX4.GOOGLEMAIL.COM/A/IN"
144.28.121              A       127.0.0.2
                        TXT     "Last seen Dec 26 17:50:46 polling for ALT1.ASPMX.L.GOOGLE.COM/A/IN"
96.136.184              A       127.0.0.2
(...)
And so on.
Note that the format of those files is a little annoying: named currently lacks a config knob to tell it to dump in
any format but that one, although I've submitted a suggestion request. I personally feel the above would be more
readable if every entry were fully-qualified, without the $ORIGIN statements.
I'm also able to do digs against the above. (And so can you: dig 109.110.88.0.rbl.gushi.org ANY: try it!) Once I'm
satisfied, and have made any manual tweaks, I can do an rndc thaw rbl.gushi.org and updates are allowed again.
Another feature subtly absent from BIND that I've put in for, is that there's no way to tell it "just save the data to
the master, but don't stop accepting updates". Time will tell there.
Configuring Sendmail
Once I'm happy that the data is going to an easily-pollable source, I simply need to tell my mailer to read it. While
I won't make any assumptions about the installed base of readers here, I run FreeBSD, which comes with sendmail by
default, and that's what I use.
Sendmail contains built-in support for this type of RBL. In addition to the other ones I poll, I simply added
the following line to my sendmail.mc:
FEATURE(`enhdnsbl',`rbl.gushi.org',`Message from $&{client_addr} rejected - GushiSystems Blocklist')
I chase that down with a quick make install-cf && make restart and I'm ready to go. At any point, I can grep my
maillogs for "GushiSystems Blocklist".
Sadly, what I'm finding (although as is typical, I didn't find it when I discovered the problem), is that the
CBL detects most (but not all) of these as the cutwail
SpamBOT, a rather massive command-and-control botnet.
Does that make this effort wasted, though?
Not at all. After all, now that the updating code is written, it's trivially easy to take the same code and do other
things with it.
For example, it's still relevant in a DNS context to show how I could turn this on my maillogs, where both sendmail
and spamassassin log, and do neat things with a few lines of perl like "blacklist any ip that sends a spam that scores
over 20 points AND sends to three distinct domains in an hour". The above is literally five lines of code to correlate
the requisite log entries, another ten perhaps to act on them.
Right now, the perl code is written to build its big hash of information in a single pass (when my logs are rotated),
and then write to the zonefile all at once. A trivial enhancement would be to have it listen on a named pipe, or
socket, and periodically flush its cache, so it didn't grow forever over time.
I could at the same time, use the code to feed a list of people trying to send Guestbook Spam, or people posting to
dead/abandoned phpBB boards. Again, most webservers don't have the ability to poll this sort of a database, but
there's no reason it can't be easily added.
A minor footnote
I'm not sure where it stands in the POSIX standards or whatnot, but I've discovered that the date format used by
FreeBSD's syslogd both does not log the year, and is non-configurable. Considering as I write this we're four days
away from the end of the year, I may have some tweaky date-logic to write (keeping in mind that this script currently
runs on the previous day's logs), so assuming the current year isn't the best answer.
On that note, I'd like to wish everyone here a safe new year. Here's looking forward to more cool stuff in
2010. |
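The log-to-RBL pipeline from this post, as an added Python example; it is not the author's perl script, which is not reproduced on this page. It de-duplicates refused queries per client, infers the year that syslog omits (the footnote above), and emits an nsupdate batch. The log line shape, the zone `rbl.example.org` and the sample addresses are assumptions made for the example, and the logged query name is treated as untrusted before it is placed in the TXT record.

```python
import ipaddress
import re
from datetime import datetime

# Assumed syslog shape for a refused recursive query; adjust to your own logs.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9.]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied")

# Constructed sample input (documentation addresses, not real clients).
SAMPLE_LOG = """\
Dec 26 16:11:19 ns1 named[411]: client 192.0.2.10#4312: query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied
Dec 26 16:40:02 ns1 named[411]: client 198.51.100.7#1029: query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied
Dec 26 17:50:46 ns1 named[411]: client 192.0.2.10#4400: query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied
Dec 26 18:02:11 ns1 named[411]: client 203.0.113.5#53: query: www.example.org IN A +
"""

UNSAFE = re.compile(r"[^A-Za-z0-9._/-]")


def sanitize(text):
    """The query name is chosen by the remote client: strip anything that could
    break out of the quoted TXT string, and keep it under the 255-byte limit."""
    return UNSAFE.sub("?", text)[:200]


def with_year(stamp, now):
    """syslog stamps have no year: take the most recent year that is not in the future."""
    for year in (now.year, now.year - 1):
        try:
            parsed = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        except ValueError:  # e.g. Feb 29 paired with a non-leap year
            continue
        if parsed <= now:
            return parsed
    return None


def rbl_name(ip, zone):
    """1.2.3.4 + zone -> 4.3.2.1.zone. (the lookup name described above)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def collect(lines, now):
    """De-duplicate by client address, keeping the latest sighting of each."""
    seen = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))
        except ValueError:
            continue
        when = with_year(m["ts"], now)
        if when and (ip not in seen or when >= seen[ip][0]):
            seen[ip] = (when, m["q"])
    return seen


def nsupdate_batch(seen, zone, ttl=3600):
    """Render commands for `nsupdate -k <keyfile>`: replace A and TXT per listed host."""
    out = []
    for ip in sorted(seen, key=ipaddress.IPv4Address):
        when, query = seen[ip]
        name = rbl_name(ip, zone)
        note = f"Last seen {when:%Y-%m-%d %H:%M:%S} polling for {sanitize(query)}"
        out += [f"update delete {name} A",
                f"update delete {name} TXT",
                f"update add {name} {ttl} A 127.0.0.2",
                f'update add {name} {ttl} TXT "{note}"',
                "send"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = collect(SAMPLE_LOG.splitlines(), datetime.now())
    print(nsupdate_batch(hits, "rbl.example.org"), end="")
```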
gushi
|
6:08a |
Sometimes I hate mysql
Mysql, as everyone knows, is a database server with two different storage engines.
One engine, MyISAM, is the default, and is reasonably fast and well-optimized.
The other engine, InnoDB, is a more "professional grade" engine, supporting things like transactions, row-level
locking, and the rest. This engine is supported by a commercial entity, InnoDB, in the same way that PHP is supported
by Zend: in that sort of "you can do more useful things if you're willing to pay for it" sort of way. The other big,
big, annoyance, is that out-of-the-box, InnoDB keeps all data, for all tables in all databases, in one huge fucking
blob, that can automatically grow at a rate you specify, but that never shrinks. Not even if you drop every
database. Right now, my little innoDB blob is five gigs, and that's for a remarkably small number of applications
using it.
And there we have the rub. There are a few applications that use the functions of InnoDB, and that default their
table types to be InnoDB tables. Among these are MediaWiki, and gallery2.
Looking at that blob, there's also no easy way to tell what databases are using it. MySQL's "show table status"
(which could tell you the type) doesn't work on a global base, you have to select a database first (of which I have
many).
The solution to this is an option that should have been on-by-default the whole time, the
innodb_file_per_table option. This tells mysql to
treat innodb blobs much like it would treat MyISAM tables: they go into the database-specific directories, so you can
easily (with tools like du) tell which databases are bloating (because, for example, some user installed phpBB and
then forgot about it).
After turning that option on, there's still a problem: it doesn't cause the SQL server to migrate your data for you.
It only affects newly created databases. It's easy enough to dump-then-restore each database during a maintenance
window, but wouldn't it be nice if there was some way to spot the databases which needed it? (Remember, InnoDB is not
the default).
As it happens, the following short shell script can do this for you:
#!/bin/sh
# InnoDB finder $Id: findinnodb.sh,v 1.1.1.1 2009/12/27 12:48:33 danm Exp $
# Dan Mahoney, danm@prime.gushi.org
# ISC License applies
# Change to your DB dir
cd /var/db/mysql || exit 1
# Every table has a .frm file; strip the extension to get ./dbname/tablename
for i in `find . -name '*.frm' | sed 's/\.frm$//'`
do
    # echo "testing $i"
    dbname=`echo "$i" | cut -d "/" -f 2`
    tablename=`echo "$i" | cut -d "/" -f 3`
    if [ -e "$i.MYI" ]
    then
        echo "$i is MyISAM"
    elif [ -e "$i.ibd" ]
    then
        echo "$i is InnoDB, but self-contained"
    else
        # No clue on disk, so ask the server
        # add a --password=xxx option below if you don't have one in .my.cnf or whatnot
        engtype=`mysql -E "$dbname" -e "show table status like '$tablename'" | grep -i engine | cut -d ":" -f 2`
        echo "$i is$engtype (from MySQL DB)"
    fi
done
Note that it goes by file-system-wise clues, instead of eating time connecting to mysql. It only connects to mysql if
it can't figure it out. For example, without asking mysql, a memory-only table looks identical to an InnoDB.
I was rather surprised to find that nobody on the MySQL pages had suggested this, after all, "find the piggy" is a big part of detecting abuse and resource-problems |
|