33 today – another year in the books

I haven’t been posting as regularly as I would like lately.  The last few months have been a blur. It seems that everything has been changing in the last year and then the last few months it ramped up even more.  In the last year we (my little family) have experienced some major challenges and been through some changes and battles that we never saw coming.

Both my wife and I have switched jobs in the last year, for me just in the last 3 months.  Today marks 3 months at my new job and I am really enjoying it. I have been learning a completely new area of IT and I have enjoyed the challenges of being stretched in new ways. I miss many of my friends and co-workers that I have spent years getting to know, but this was a change that was in the best interest of my family. I am home every night and have an amazingly regular schedule that allows me to attend soccer practice and swim practice and many of the things I just couldn’t get home for early enough previously.  My wife is teaching at a new school that she loves, her second year starts tomorrow, as well as Ayden’s. They are loving it there and are both growing in new and different ways. Jamie is teaching subjects that she hasn’t taught before and Ayden is amazing me more each day with how he soaks up and retains everything.

However, it hasn’t all been unicorns and rainbows.  I lost two grandparents in the last few months and that has weighed heavily upon us. A big part of why we have never left the town that we are from is our families.  Jamie and I are both extremely close with our families and losing two grandparents so close together was really hard on all of us, especially Ayden.

The other dramatic change has been that in the last year Jamie and I have taken up serious focus on our health. I have lost 50 pounds since this time last year and I have never felt better.  All 3 of us are participating in 3 5K events in just as many months. It is going to be a fun time, which is never something I would have said about exercise previously, but it is fun because we are all doing it together.

Finally, we have spent a lot of time this year with our friends. We have made new friends and had some friendship attrition as people have grown and changed. If anyone knows me well, you know how important my friendships are to me and I take them seriously. If I call someone my friend it doesn’t mean I would call them for dinner, it means I would call them to help bury a body. We have rekindled some old friendships and made some new ones that I hope last a lifetime. My granddad used to say if you can make it through your whole life and be able to count yourself as having 5 great friends you were really blessed.  We are beyond blessed and it means a lot to have these people in our lives.  To Jamie and me, friends are synonymous with family and we are blessed to have such a large family.

Anyway that is all for now I hope to be able to get more time to post as I get more into the groove with this new job.

Lin

 

 

Helpful WordPress Plugin

I have been using a free WordPress plugin to track unauthorized attempts to log in to my WordPress instance. It is called “Limit Login Attempts” and can be found here: http://devel.kostdoktorn.se/limit-login-attempts. It comes configured to allow for 4 bad logins before blocking an IP address for 24 hours.  I set mine up this way and watched over the next few days as the same IP tried every day and got blocked every day.  At least this user is persistent, not smart, but persistent.. and noisy. Anyway, I have now moved the lockout time to 9999 hours (the max the box would allow for) just so I get fewer emails about this attacker.

Once you configure the “Limit Login Attempts” plugin it will send you a nice email reminder when it blocks someone that looks like this one below:

[Screenshot: lockout notification email]

Each time I see this email it just warms my heart, maybe I’m a little bit broken…

I could also edit my .htaccess file to block him/her, or the entire country the IP is originating from. However, that would cut into my fun of watching what is going on. That is what this is about anyway, my entertainment. There is a great site to help you write and edit .htaccess files that can be found here: http://incredibill.me/htaccess-block-country-ips. There are some more specific .htaccess tuning resources here: http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess

Another option is to limit your logins based on the originating IP address (this is a smart idea).  If you are on the go as I am, often connecting from your phone, home, and/or work, this is not your best option as the rules will get long and messy.  It would also be “recommended” to disable or hobble your admin account.  I set my admin account to a basic read only account and used a complex password generator, so if you can get into that account, it’s yours: read all you want, but no posting.

Screenshot of the plugin and its logs, click on images for a larger view.

[Screenshot: the plugin’s settings page and lockout log]

 

MySQL Backup and Restore

I was having a time moving my blog from one database server to a newer one at my hosting company that had more space and was reportedly faster.  After banging around for a bit I found it was most easily accomplished from the command line using only two commands.  This technique requires access to your web host via SSH, and some knowledge of the *Nix command line.

To Backup:

mysqldump --host=server.name --user=user.name databasename -p > filetocreate.sql

You will be prompted for the password which you can enter. The file will be output into the folder you are currently in.  After this completes you can upload the file to your new database host with the following command:

To Restore

mysql --host=new.server.name --user=user.name -p databasename < fileyoucreated.sql

Again you will be prompted for the password which you can enter and the database will be streamed to its new location.  Once that is done, back up wp-config.php and then pop into your wp-config.php and update the database name, username, database host name and password.  Cross your fingers and open the site back up to see the results, your mileage may vary. Drop me a message if this doesn’t work for you.

ADHD

As anyone that knows me already knows, I am ADHD personified at times. However, that is not what this post is about; it is about another form of ADHD (Active Defense Harbinger Distribution), which is a Linux distribution that provides honeypot services and a whole lot more.  There is some questionable legality in parts of the whole lot more, so I am just experimenting with the honeypot features. I forwarded a few ports to it on my home firewall so I can watch and see who is scanning me.  This distribution is capable of tracking back to a hacker’s source, but until more legal precedents are set I will be content just to know who is scanning me.

If you want to download it for yourself you can get it here, but be warned some of the things in the package could get you into trouble, take care what you make public to the internet: http://sourceforge.net/p/adhd/wiki/Home/

It was created by some of the security minded folks that are creating inroads into offensive countermeasures: http://www.sans.org/course/offensive-countermeasures-defensive-tactics-work

 

Raspberry Pi – VPN & Proxy

Like a lot of people I purchased a Raspberry Pi when they were all the rage about a year ago. Initially, I was super excited like everyone else about this piece of hardware that was going to change the world and bring affordable computers to everyone – fast forward a year – my Pi was sitting on my desk staring at me and I felt guilty for not putting it to better use.  Several of my friends had used theirs to start programming projects or XBMC servers.  I am not much of a programmer and I already have Roku boxes on all of my TVs so it basically got booted up from time to time to show others that it was a tiny device that could hook to a TV with an HDMI port and surf the web… not earth shattering stuff.
I decided that my Pi needed to find new life as a part of my network.  I went to http://www.raspberrypi.org and downloaded the newest version of their operating system referred to as Raspbian “wheezy” – it is based on Debian Linux which I regularly use in my job as a security administrator.  However I use it mostly to launch Nessus scans from or Nmap hosts with.  Nmap the Pi can do… Nessus not so much.  I recalled some articles I had read on LifeHacker.com about using the Pi as a VPN / Proxy to put your traffic behind.  Ok, I travel quite a bit so this could be my use case.  I am not knocking LifeHacker, I am a regular reader of their articles and have found it to be a tremendously useful resource.  However their material on making the Pi into your web proxy was referencing specific versions of software that made the article useful, but not especially helpful to someone new to using the Pi or Linux.
Well now that I am into this post, we should probably flash back to the beginning and start with a Pi that is dead, lifeless, and sitting on a shelf.  First we will need an operating system.  The one I mentioned above is the way to go for this project.  Once it is downloaded it needs to be uncompressed to SD media.  There is a great guide to be found here - http://elinux.org/RPi_Easy_SD_Card_Setup - what this guide doesn’t readily mention, and that it took me about 20 minutes to figure out, is that if you have fat fingers (guilty of ham hands here) it is easy to accidentally “lock” the SD card and make it read only.  The GUI tools that load the OS do not warn you of this fact.  I only discovered this after I got fed up with the GUI and went to do the command line route.  First command I type it tells me that the destination is read-only.  After I removed my palm from my forehead and flipped the switch I returned to the path of the GUI.  This only takes a few minutes and once it is done boot up the Pi for the first time.
What none of the guides told me, but I quickly figured out on my own, is that the Pi doesn’t always start up correctly the first time. If you don’t see any video on the screen unplug the power, reconnect all of the cables, and re-insert it.  When the Pi boots for the first time it will give you a menu to reset the password for the Pi user (it defaults to raspberry). It also allows you to enable the SSH server – do this – and it allows you to say if you do or do not want the GUI to start at boot.  I went ahead with it starting but I may turn this off later as I am mostly using this guy for VPN and Proxy.  I want to conserve as many CPU cycles as I can to devote it to passing my VPN packets.  Once the Pi is up and running the rest of this can be done from your workstation; it needs no monitor on the Pi, just an SSH session.  To get the IP address use the Terminal shortcut on the desktop of the GUI, or the Terminal that it boots into if you did not enable the GUI, and at the Terminal type ifconfig to get the IP address of the Pi. Make a note of this address, we will need it for the following steps.
Using SSH – if you are already an avid SSH user skip to the next paragraph, if not stay with me, I am going to give you two simple ways.  On a Mac open your terminal – the shortcut way is to press Command and Space, start typing the word terminal and hit enter.  This will bring up a strange white box that will feel foreign to many Mac users.  In the terminal type – ssh pi@ip address of your raspberry pi – it will prompt you to accept the key, just hit Y and enter the password you changed in the boot menu or enter raspberry if you forgot to change that default password. On a Windows machine there is no default SSH client so you need to download a client.  The client that I recommend is PuTTY and can always be found here - http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html - PuTTY has a GUI; enter your Pi’s IP address, username, and password and get connected.
We now have a fully functional Pi that is running Linux and providing us with a shell via SSH.  The next two commands you are going to be typing in your sleep and wishing that every operating system that you use contained – sudo apt-get update – and once that completes – sudo apt-get upgrade.  These two wonderful commands will scour the internet repositories for updates and then apply them in the second step, thus keeping your Pi running with the newest software available.
I know this seems like a lot, or maybe I am just wordy.  Now we are ready to continue on.  There are 3 files we need to download that we are going to need later.
1. The installer for Hamachi http://secure.logmein.com/labs
If you haven’t used logmein before – be ashamed be very ashamed.  Instead of going to the download page you will be presented with a login page.  Login, open the link again and then you will see the LogMeIn Labs page.  Click on Hamachi for Linux which at the time of this writing is in Beta.  Hit learn more to see the list of software versions.  The one I had the best success with was the file under ARM (processor type in the Pi) that ends with .tgz  This is a tar file that is to be downloaded to your workstation and then copied to the Pi and installed from.
2. The installer for Webmin (an admin tool that comes in handy)
Go here http://webmin.com and click on Debian Package there is only 1 webmin package for all processor types it is not picky.  Once it downloads it is time to get installing.
Open your favorite secure ftp client I prefer Cyber Duck on the Mac and WinSCP on the windows platform. Configure the client to connect to the Pi the same way you connected using SSH – we are using the same service on the Pi and the same basic protocol just some different features that it offers.  The folder you connect to by default is the home folder of the Pi.  When you connect via SSH or SCP you will be presented this folder first for whichever user you authenticate as.  It is a good practice to create a folder here for storing your files.  I usually go with source, but call it whatever you like.  Just right-click and create the new folder, dragging your files over and dropping them into the newly created folder.
After the file copy completes, we can install the Hamachi VPN service.  Back in the LogMeIn webapp you can access Networks, and My Networks.  This is where you create and name your Hamachi Free VPN connections – up to 5 computers.  It is best for our purposes to create a Mesh network topology and add your laptop or other computers that you want to proxy/VPN traffic on. Knowing your login name and network name will be very important shortly.
To get the Hamachi client extracted and installed, first return to your SSH session and navigate to your software install directory; use cd source or whatever you named it.  CD stands for change directory in Linux, Mac, and Windows.  The command is similar in all of them.  You can use cd .. to back up one level or pwd (Mac and Linux) to know exactly where you are in the file system.  Inside of the source folder you will see logmein-version number information-armel.tgz.  This is the file we will need; type sudo tar -xvf and the .tgz filename.  We use sudo to run commands as the root user – similar to administrator on a Windows machine.  Tar is used to expand the tarball file we are working with.  Once the process returns you to the prompt use ls to see what you have created and cd to move yourself into the new folder.  When you do ls now there are several files, the one we are interested in is install.sh; to execute this file use the command sudo ./install.sh to start the install.  If you didn’t already know, using the tab key on the keyboard will autocomplete filenames and commonly used commands in most operating systems.
The install will complete and we are ready to join our Hamachi network.  First run sudo hamachi; this will show you that the Hamachi program is running and connected. Next is sudo hamachi attach “email address you use for LogMeIn”; hit enter and this will set your Pi to reference your LogMeIn account. Next use sudo hamachi join “Name of the network you created”.  This will prompt you for your Hamachi network password; if you have it, great, if not, no problem.  Return to the LogMeIn portal and to the My Network section and you will see the new machine at the top of the list.  If you haven’t altered the default hostname of the Pi it will appear as raspberrypi.  Edit it and move it into your Hamachi network.  It should rapidly appear in the Hamachi window on your laptop or desktop.
Now we are ready to install the proxy server.  This part is a breeze due to the amazing apt command.  Simply type sudo apt-get install privoxy and hit enter.  This will install the software and configure it.  We only need to make one minor change once the install completes.  Answer Yes to any questions that pop up during the process.  Once you are returned to the command shell type sudo hamachi to view your Hamachi IP address; write it down, we are going to need it in the next step.
The privoxy service needs to know that it will be contacted on its Hamachi IP address.  We can define this behavior in the config file for privoxy using nano, a simple text editor for Linux.  There is the more powerful vi, but this is for beginners not seasoned Linux veterans.  First use this command cd /etc/privoxy/ to take us to the privoxy files, then use sudo nano config to open the config file as the root user (so that we have rights to change it).  We have to find the space that needs editing so the simplest way is to hold down control and press w for the search command and search for localhost:8118 – go to the line below this one and mirror the syntax of the line above with localhost like this:
listen-address        hamachi ip address:8118
The space between the listen-address directive and the Hamachi IP address is a tab not a space, so enter it that way.  The 8118 is the TCP port we will be using to connect with.  Once you have the edit in there properly, control X to exit and answer Y for yes to save and exit.
Now we need to restart the privoxy service – sudo service privoxy restart will take care of it from the command line. Most Linux services can be restarted so that they pick up changes to config files without the need for a reboot, unlike some operating systems… Windows. Now with the service restarted configure one of your browsers to use the Hamachi IP address as the proxy IP and enter the port as 8118.  If you can connect to the internet you are now browsing across your VPN, but for a real test you are going to have to leave the comfort of your computer room to test it.
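
The same listen-address edit made without an editor, followed by a check of what Privoxy will actually bind to, as an added example that is not part of the original post. The function names, the sample config text and the address 192.0.2.10 (a documentation address standing in for the Hamachi IP) are assumptions.

```shell
#!/bin/sh
# Added example: make the Privoxy listen-address edit from a script and confirm
# which addresses the proxy will bind to. File contents and address are constructed.

# add_listen_address CONFIG ADDR: insert "listen-address<TAB>ADDR:8118" on the
# line below the existing localhost:8118 entry, unless it is already present.
add_listen_address() {
    cfg=$1 addr=$2
    # Accept a dotted-quad IPv4 address only; refuse anything else
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    want=$(printf 'listen-address\t%s:8118' "$addr")
    grep -qxF -- "$want" "$cfg" && return 0        # already there, nothing to do
    awk -v line="$want" '
        { print }
        !done && /^listen-address[ \t]+localhost:8118[ \t]*$/ { print line; done = 1 }
    ' "$cfg" > "$cfg.new" || return 1
    mv "$cfg.new" "$cfg"
    # Fails if there was no localhost:8118 line to anchor the insert on
    grep -qxF -- "$want" "$cfg"
}

# list_listeners CONFIG: print every active (uncommented) listen-address with a
# label. An entry with no host part, or 0.0.0.0, binds every interface, which
# would expose the proxy beyond the VPN.
list_listeners() {
    awk '$1 == "listen-address" {
        v = $2
        if (v ~ /^:/ || v ~ /^0\.0\.0\.0:/)            note = "ALL-INTERFACES"
        else if (v ~ /^(localhost|127\.|\[::1\])/)     note = "loopback"
        else                                           note = "specific"
        print note, v
    }' "$1"
}

# make_sample_config FILE: constructed excerpt in the style of /etc/privoxy/config
make_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real Privoxy config
#      listen-address  192.168.0.1:8118
listen-address  localhost:8118
toggle  1
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_config "$tmp/config"
    add_listen_address "$tmp/config" 192.0.2.10 && list_listeners "$tmp/config"
    rm -rf "$tmp"
}
demo
```

On the Pi itself the config file is /etc/privoxy/config, so the functions would be run with sudo and followed by the service restart described above.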
The final step for this article is to get WebMin installed.  This is a great little utility for administrating Linux machines.  It would be most helpful to set a root password. By default Debian machines do not use the root account much. To set this password use sudo passwd root and follow the prompts to set this password.  Make note of it and keep it safe.  Move back to the folder where we put the install files, cd /home/pi/source/ as in my previous example.  To start the webmin install use sudo dpkg -i webmin-version-number.deb  This will start dpkg (the Debian package utility) installing the .deb (Debian package), but it will not complete.  There are several other files that WebMin needs to run.  We are going to cheat and have the operating system find them for us.  Once the WebMin installer errors out there will be several missing packages.  I picked one called apt-show-versions (it doesn’t really matter which) and entered sudo apt-get install apt-show-versions; after this completes I ran sudo apt-get -f install, and this command will find the dependencies for installed software and install them.  When it completes it will tell you the login URL for your webmin instance.  You can use the Hamachi IP, just don’t forget the HTTPS:// in the front and the port :10000 at the end of the URL. When presented with the WebMin login page give root for the username and the password that you configured earlier in this paragraph.
Now you have a handy utility machine that can be accessed safely from virtually anywhere that you have internet connectivity.  As I use the Pi more I hope to create more posts showing how I am making use of my ultra cheap computer to make my computing more fun.

Social Engineering Call

So this afternoon I got a call from a strange number – 248.562.1268. When I answered it was an Indian fellow who told me he was calling from tech support to help my computer. He said the last time my computer went online that it downloaded a virus and he wanted to help me fix it. At this point my day was made. I have been hoping that they would call me because I wanted to see what website they were directing unsuspecting users to. He told me I needed to be in front of my computer, which I wasn’t, so that he could help me. I got a scrap of paper and took notes and pretended to play along. He wanted to know what version of Windows I was running before we got started. I said Windows 7 so he would keep going. First he wanted me to hold down the Windows key and press “r” on the keyboard, this is the shortcut for the “Run” box on Windows. He phonetically spelled out “prefetch” so I played along and he said all of the files in there were virus files and to delete them all. Next he said to type “eventvwr” which launches the Windows Event Viewer. I said ok I have it open. He wanted me to scroll through the Event Viewer for the first red icon I could find; I said I found one. He asked for me to read the number out beside it. I just said a random number, I said 5000. He says this is a very grave situation you have 5000 virus files on your computer. I will have to connect remotely to take care of the situation. In my opinion they would be doing a great job in building confidence with a user that was unaware of what they were doing. This call lasted almost 10 minutes before I was even to the exploit part of the call. Of course a lot of that was me saying “huh”, “what” and “could you say that again”. We spoke two very different dialects of English. He wanted me to visit www.360pcsupport.com; at this point I could not go any further as I did not have a computer handy, nor was I about to visit it…. so I said I am very sorry I have another call on the line please call back later.
So far he has not called me back but I really hope they do. I want to see where else he wanted to take me from one of my sandboxed workstations. If anyone else gets a call from them please let me know I want to see if there are any other links I need to add into our web filtering system to block. This was way too much fun.

Amazing Slow Motion Photography

I saw this linked from an article I was reading and had to share it. It is some pretty amazing slow motion if you like that kind of thing. Turn the resolution up all the way and watch full screen.

Removing WordPress Malware

This week I had a friend contact me about a WordPress site he had built distributing malware. He had tried to clean it up and the malware was really persistent so he asked me if I would like to take a look at it.  I opened the site and NoScript instantly warned me about scripts trying to run.  Opened up the ftp to the site and saw that the index.php file was huge.  Surfed around inside of the directory structure and index.php inside of the wp-admin directory was also quite large.  In Googling around there was no definitive guide about how to remove infections like this so I thought I should write up my findings if I was able to get it cleaned up.

Thankfully I was able to get it cleaned up so here is how I did it.  First I downloaded the most recent WordPress install from their site and unzipped it.  I copied up all the files from the freshly unzipped folder to the folders on the ftp site overwriting the index.php files and javascript (.js) files too.  Then I changed the permissions on the index.dat files to keep them from getting overwritten again.  I found that as fast as I could copy the files back they would get overwritten.  Using my ftp client I right-clicked on each index.dat file and went to File Permissions and changed it from 644 to 444.  This disallowed the system from changing the files.

Permissions set to 444 from 644

Next I had to find what was causing the reinfection of the site.  I was now able to open the wp-admin panel and login.  I went straight to the plugins section of the control panel and disabled all of the plugins.  From some of the posts I had read there were lots of comments about rogue plugins causing this problem.  I wrote down a list of the plugins and went back to my FTP client.  There were several plugins in the ftp folder that were not listed in the admin interface.  I renamed these folders immediately and started googling the plugins that were in the folder.  One of them was “ToolsPack”; I had already observed several other users lamenting the problems with this plugin.  It is basically a plugin that downloads and installs malware for you.  While that is very helpful it is not really what most users were looking for.  Another plugin was just a random string of characters, it was also renamed.  Typically I just add a .bad extension to the end of all suspect files/folders until I am sure they are ready to be deleted.  Another good place to look is in your phpMyAdmin control panel.  Navigate into your database as shown in the picture below and find the Active Plugins in the wp_options table.  If you see any in there that are suspect remove them.  Just remember that a semicolon separates each plugin statement.  It is important to get the formatting correct or you could experience problems.  Check out the image of phpMyAdmin from one of my sites.  Click on the image to see it in its original size so you can read the annotations.

phpMyAdmin
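
The active plugins value in wp_options is a PHP-serialized array, so besides the semicolons each entry carries an index and a string length, and the array carries a count. The added example below (not part of the original post; the function names and the sample value are constructed) lists the entries, removes one, and re-emits the value with the count, indexes and lengths recomputed.

```shell
#!/bin/sh
# Added example: edit the wp_options "active_plugins" value safely.
# The value is a PHP-serialized array:  a:<count>:{i:<index>;s:<bytes>:"<path>";...}
# The sample values and the suspect plugin path are constructed for illustration.

# list_plugins VALUE: print one plugin path per line
list_plugins() {
    printf '%s\n' "$1" |
        grep -o 's:[0-9]*:"[^"]*";' |
        sed -e 's/^s:[0-9]*:"//' -e 's/";$//'
}

# build_plugins: read plugin paths on stdin and print the serialized array with
# count, indexes and lengths recomputed (LC_ALL=C makes length() count bytes,
# which is what PHP expects)
build_plugins() {
    LC_ALL=C awk '
        { body = body "i:" (NR - 1) ";s:" length($0) ":\"" $0 "\";" }
        END { printf "a:%d:{%s}\n", NR, body }'
}

# drop_plugin VALUE PATH: remove exactly one plugin path and rebuild the value
drop_plugin() {
    list_plugins "$1" | grep -v -x -F -- "$2" | build_plugins
}

# is_consistent VALUE: succeeds only if rebuilding the value from its own
# entries gives back the same text, i.e. count, indexes and lengths all agree
is_consistent() {
    [ "$(list_plugins "$1" | build_plugins)" = "$1" ]
}

# Constructed value with one suspect entry
SAMPLE='a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:26:"suspect-plugin/suspect.php";i:2;s:9:"hello.php";}'
# The same value after deleting the entry by hand without fixing the count
HAND_EDITED='a:3:{i:0;s:19:"akismet/akismet.php";i:2;s:9:"hello.php";}'

echo "active now:"
list_plugins "$SAMPLE"
echo "after removal: $(drop_plugin "$SAMPLE" 'suspect-plugin/suspect.php')"
is_consistent "$HAND_EDITED" || echo "hand-edited value no longer matches its own count"
```

Copy the existing value somewhere safe before pasting a rewritten one into phpMyAdmin.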


Once the rogue plugins are disabled, the index.php files are set to a permissions level of 444, and you are feeling better about the site, you should use one of the free virus scanners out there to double check your work.  This site – http://sitecheck.sucuri.net/scanner/ will do a free virus scan of your site.  I see no reason at this point to pay $89.99 for them to clean up a malware infection.  After cleaning up one like this I think I would be happy to take someone’s $89.99 to do another one.  It is not that bad if you are comfortable with the tools involved: ftp, a text editor, and a web browser with NoScript (to prevent infecting yourself).  After Sucuri pronounces your site clean use the ftp client to delete all of the files you marked as suspect with a .bad extension (or however you delineated them from the production files).

One other tool that I used, but that is not always available to everyone, is grep.  This is an amazingly powerful *nix tool and I only know a smidgen about it.  Here is how I used this in looking for broken code in this instance.  You can either download the entire infected site via ftp, or if you have ssh access to the server you can use grep to search for bad data in files.  In this case I opened the broken index.php files in notepad and found the text that was part of the virus.  It started out with “Math.Pi” and then a long string of Base64 encoded javascript.  From the command line I entered

grep -r -l "Math.Pi" .

Grep invokes the program, -r searches recursively, -l lists the names of the files where the text is found.  The string of text you are searching for belongs in the quotes, and finally a period at the end of the line and hit enter.  Output will appear below to show you  where the text is found.  You have to be specific and careful.  PHP is a programming language and the text you select to search for could be needed.  Download a fresh copy of any files you think are suspect to compare against.  I downloaded the .zip of the wordpress version that was installed in this case and I downloaded and extracted all of the .zip files for the plugins and themes that were installed.  This allowed me to search and compare the original intended code with what was running live on the site.  I am not a programmer, but it was very clear when I found the bogus code that I had found it.  Here is a screenshot of the code that I found and knew was instantly bad with little programming background.  Keep in mind that the text extends well out of the image shown.  Several of the lines that are cut off were over a thousand characters long.

Infected PHP code
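
The compare-against-a-fresh-copy approach described above, as an added example that is not part of the original post. It builds two small constructed directory trees (a pristine download and a "live" site) and reports files that differ from the pristine copy, files that exist only on the live side, and files containing the marker string. The function names, paths and file contents are assumptions, and the marker line is a harmless placeholder.

```shell
#!/bin/sh
# Added example: compare a live WordPress tree against a pristine copy and look
# for a known marker string. All paths and file contents below are constructed.

# audit_tree CLEAN_DIR LIVE_DIR MARKER
# Prints one finding per line:
#   CHANGED <path>   file exists in both trees but the bytes differ
#   EXTRA <path>     file exists only in the live tree (review it; not always bad)
#   MARKER <path>    file in the live tree contains the literal string MARKER
audit_tree() {
    clean=$1 live=$2 marker=$3
    (cd "$live" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "EXTRA $f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            echo "CHANGED $f"
        fi
        # -F treats the marker as a fixed string, so "." is not a wildcard
        if grep -q -F -- "$marker" "$live/$f"; then
            echo "MARKER $f"
        fi
    done
}

# build_sample DIR: create constructed clean/ and live/ trees under DIR
build_sample() {
    base=$1
    mkdir -p "$base/clean/wp-admin" "$base/live/wp-admin" \
             "$base/live/wp-content/plugins/ToolsPack" \
             "$base/live/wp-content/uploads"
    printf '<?php require "wp-blog-header.php";\n' > "$base/clean/index.php"
    printf '<?php require "admin.php";\n'          > "$base/clean/wp-admin/index.php"
    cp "$base/clean/wp-admin/index.php" "$base/live/wp-admin/index.php"
    # "Infected" copy: the original line plus a placeholder marker line
    printf '<?php require "wp-blog-header.php";\n// Math.Pi PLACEHOLDER-BLOB\n' \
        > "$base/live/index.php"
    # Plugin folder that is on disk but not in the pristine download
    printf '<?php // constructed stand-in\n' \
        > "$base/live/wp-content/plugins/ToolsPack/ToolsPack.php"
    # Ordinary site content with a near-miss string that must not match
    printf 'MathXPi is not the marker\n' > "$base/live/wp-content/uploads/notes.txt"
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    build_sample "$tmp"
    audit_tree "$tmp/clean" "$tmp/live" "Math.Pi"
    rm -rf "$tmp"
}
run_demo
```

Point audit_tree at the unzipped download that matches the installed WordPress version and at a local copy of the site; EXTRA entries under uploads, themes and plugins still need a human look.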

I hope someone else finds this helpful.  It was frustrating as I looked for resources and there were lots of fragmented guides and forums where one or two of these ideas were mentioned but not one that covered all of these different ways to look for and repair a malware problem like this.  If nothing else it can serve as a reminder to me the next time I encounter one of these infections.

 

 

Offline Post from Jordan

* I wrote this offline before I left Jordan. I have just gotten around to posting it today *

Offline Post

I am writing this post now but I will not get to post it until I get back to the states. The hotel we are staying at wants 22$ US for usage of the Interwebs… I just don’t see it. Anyway I can get onto Facebook and the like from my phone, and I could type this entry on there, but I don’t want to fight with autocorrect trying to fix my intentional misspellings of words and constant uses of multiple periods…

Anyhow it has been a good trip. We have slayed the dragons that brought us here and documented how these dragons could be re-slayed should they appear again. We have also eaten great food and had some great conversations with the expatriates we have encountered here in Jordan. I am absolutely in love with the concept of “teatime” and wish we could bring it to America. Taking a break every day at 10 for tea, hummus, zatar, fresh flat bread, olive oil, and preserves is a great way to break up the morning. I plan on taking back some zatar and tea to share with the folks back home. If nothing else maybe we can institute teatime at my house, even if it is only once a week on Saturdays.

The funniest part of this trip had to be the night that an elderly Bedouin woman took up with my traveling partner during dinner. We entered the restaurant and ordered some chicken sandwiches and potato wedges through wild hand gesticulations and pointing. After we ordered the young guys running the front of the café indicated for us to sit. They spoke much more English than we did Arabic so they were asking us questions about America and what we ate and so on and so forth. We were having a good time and then the elderly woman appeared and we were having a great time. She came out into the food prep/dining area and started talking to the boys behind the counter and us. We tried to help her understand that we didn’t speak Arabic. I think she understood but didn’t care. She was talking to us and kept saying Americans, Americans and laughing and patting us on the shoulders. She couldn’t have been a day under 80.

We were watching the food be made and the guys were trying to get us to move to some different seats so they could corral her somewhere else. This was obviously not what the lady was wanting. She took her cane and whacked the nearest boy to her, and for an old lady she had a swing. She could have been at least a prospect in AAA ball. With that he left her alone and she pulled up a chair and joined us for dinner. She just sat there laughing and talking to us like we could understand. We were there nodding and smiling like we had a clue what was going on. We offered her some of our pile of fries and she declined. The boys brought her a Pepsi, which she would not accept until they told her it was from us and then she was ok with that. It made her even happier and she wanted to talk to us more. Finally she relented and joined us in our potato wedges and ate some salad that came along with our sandwiches that we were not going to eat.

It was an adventure we will not soon forget. Especially Ted, he tried to take her picture before we left and she brandished the cane ready to pop him with it. He quickly responded with replacing the camera in his pocket, and apologizing profusely. We all said goodbye and we headed back. Today we are getting ready to travel back to the states on a flight late tonight.

The other thing that has constantly amazed me this trip is the driving here. Ted has described drivers here as using the road to express the inner child or some such craziness. At one time there were lines on the road, they have faded, and with them the understanding of what the lines meant also faded. Drivers just move from lane to lane with no signal, no mirror check, just a honk of the horn and they start moving. The fact that we have not seen more accidents is dumbfounding. The cars are like water filling every small unused spot of the asphalt. The snow that is falling today just compounds this. We have seen people building snowmen atop their cars and driving slowly to maintain their precarious placement, groups of teenagers stopping in the road for a snowball fight, and distracted drivers drifting all over the road because they are paying more attention to the falling flakes than the cars ahead. On our previous trip here the driving amazed me, but when you add in the snow it is almost impossible to describe.

Anyway it is almost time to go home. It has been a good trip here but I am ready to be back home.

Al Mafraq Jordan and Adventure eating

So I am back in the Middle East this week on a semi-surprise trip. It is the middle of the week so I thought I would update on how things were going. Getting here was an adventure. We took 3 flights to get here so that meant lots of changing planes. We flew to DC first and that was easy and then from there on to London Heathrow. That airport is an absolute maze. We had just enough time to grab a coffee and rush to the next plane. I am glad we did not try to check our baggage because we would have arrived sans pants if we were not carrying our own baggage to that flight, or the next one. From Heathrow we were off to Amman and then a short drive later we were here.

Our trip here has been really productive so far. We have fixed a lot of issues, and solved several problems for the users. I think everything should be wrapped up nicely by the time we leave at the end of the week. Today we were on the way to lunch and hitting the scan button on the radio in an attempt to find something in English. Lo and behold we happened upon a radio station playing something completely unexpected… George Strait. That was amazing right there, then next it was Carrie Underwood and then came some old twangy country that neither of us could identify. It was a great laugh. The station apparently plays country every day from 1 to 2pm. So we may have to take a late lunch tomorrow so we can hear some music from home. When we went to dinner they were playing some light rock from the 80s which made me want to skip dinner… Dinner was another round of what I like to refer to as “adventure eating”.

Adventure eating is where you go into a restaurant in a country where you speak none of the language and just order something off of the menu at semi-random. So far this trip we haven’t struck out. We get them to bring us a menu and we do some pointing and hand gesticulations to indicate portion size and then they bring us something to eat. You never really know what you are going to get. Sometimes it is excellent, and sometimes it is scary and you smile, act polite, and eat a candy bar from the stash in your bag. The food here in Jordan has been amazing. We have had pizza that was great, lots of grilled chicken, fresh veggies, and loads of this wonderful flat bread that I have not been able to find a replacement for in the states. Adventure eating is probably my favorite part of my travels. Each new place presents new and interesting foods to try. It is getting late here so it is time to get some sleep.