New Firewall Didn’t Cut It

The plan for the apartment network was to have more than one internal segment so I could partition off traffic where I wanted to. But that requires a firewall with more than two interfaces. Your basic Linksys just isn’t going to cut it. So I recently purchased a Soekris 4501-based m0n0wall firewall on eBay. I took the time this afternoon to get it configured and run some tests.

Configuration                                                      Ping (ms)   Download (Mbps)   Upload (Mbps)
m0n0wall, default configuration                                       20            10.42             2.82
m0n0wall, interface polling                                           20            10.31             2.76
Laptop wired to Netgear GbE switch wired to Linksys WAP/Router *      19            30.53             2.71
Laptop wired to Linksys WAP/Router                                    18            30.87             2.77
Laptop wired directly to SB6120 modem                                 18            36.06             2.82

* This is the configuration I’ve been using lately, so the m0n0wall was hopefully going to match it for performance…

Two things are immediately obvious after these tests. 1) Comcast is capping my upload speed at about 2.8 Mbps. 2) The m0n0wall firewall just isn’t going to cut it. Since the native connection (the bottom config) is pushing 36 Mbps, it’s bad enough that the Linksys cuts me down to 30 Mbps; the m0n0wall cuts that to about 10 Mbps. The features of the m0n0wall would be nice, but at least on the Soekris 4501 hardware, the performance hit is just too extreme. So for now it’s back to the drawing board…

Wow, thanks for the warning about spam…

So I posted my email address on twitter in an @-reply to someone, and a few minutes later I got this automated spam message…

from	Emails @ Risk <emails.at.risk@gmail.com>
date	Fri, May 7, 2010 at 3:18 PM
subject	Emails use in Twitter

Dear dthvt

We have found that your email is shared in tweets. We advise you to hide 
your email from spammers by sharing email address as an image or hide it 
behind a url.

Visit  us at : http://emails-at-risk.appspot.com?e=sbao to find how you 
can do this.

Happy Twitting !!!
"2 million  emails are sent every second. About  
 70% to 72% of them might be spam and viruses."

<sarcasm> Oh wow, thanks for the unsolicited email warning me about the dangers of unsolicited emails! I’ll definitely click that link you sent me! </sarcasm>

Eat shit and die.

Who Owns Your Content?

With so many platforms out there for hosting content, it’s easy to wonder why I bother to run my own blog on my own server. But then the recent move by Apture to disable their “Live Editor” feature reminds me why it’s all worthwhile.

If you’ve never used Apture, it’s a set of scripts you can install on your blog (or website in general) and use to embed content like images or youtube videos on your pages. One of the neat features of Apture is that you could actually use their “Live Editor” to add content to your page after it was published. I never tracked down the exact mechanism, but the basic idea is that their servers store all the embedded objects for your page, and when your page gets loaded the Apture script automatically checks their server and then embeds the images, videos, etc. dynamically.

Long story short, if you use Apture’s “Live Editor” feature, those links, images, and videos only show up because a server owned by Apture tells them to. Apture’s recent email included the following tidbit:

If you previously added Apture links to your posts using the Apture Live Editor (triggered by hitting the “e” key on your keyboard and inserting links into previously published posts) they will continue to render on your pages. We will do our best over time to keep them rendering, but if you notice missing links please do not hesitate to reach out to us on Get Satisfaction or via email.

That sums it all up – if Apture were to ever go bankrupt or otherwise stop supporting your page via their server, your “Live Editor” images, videos and links would disappear. If you use their pre-publishing solution (where the links and objects are directly embedded in your webpage by you), this isn’t a problem. So I’m not saying to steer clear of Apture totally, just be aware of your risk.

This type of thing highlights the risk we all face to losing the content – whether that be pictures, videos, or blog posts. Make sure you understand the platform you chose to host your content, or you may get an email someday telling you that the site is going down and your content is going with it…
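The practical check that follows from the Apture story is knowing which outside servers a page needs before it renders completely. The script below is an added example, not Apture’s code or anything from this blog: it scans a saved HTML page for `<script src>` and `<img src>` tags, resolves relative and protocol-relative URLs against the page’s own URL, and lists the third-party origins each depends on. The sample HTML and the `example-embed.invalid` hosts are constructed for illustration.

```javascript
// Added example: audit which third-party origins a page's scripts and images
// depend on. The sample page below is constructed; the hosts are not real.
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-embed.invalid/loader.js" async></script>
<script src='//static.example-embed.invalid/v2/embed.js'></script>
<script>var inlineConfig = {};</script>
</head><body>
<img src="/images/local.jpg">
<img src="https://img.example-embed.invalid/photo.jpg">
</body></html>`;

// Return every src attribute value found on the given tag name. Inline
// <script> blocks without a src are skipped; they carry no remote dependency.
function tagSources(html, tag) {
  const re = new RegExp(
    '<' + tag + '\\b[^>]*\\bsrc\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')',
    'gi'
  );
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2]);
  return out;
}

// Convenience wrapper kept separate so a caller can inspect scripts alone.
function scriptSources(html) {
  return tagSources(html, 'script');
}

// Resolve a src against the page URL (handles "/path" and "//host/path")
// and return just its origin.
function originOf(src, pageUrl) {
  return new URL(src, pageUrl).origin;
}

// For each resource type, return the sorted, de-duplicated set of origins
// that differ from the page's own origin. Anything listed here is a server
// whose outage or shutdown changes what the reader sees.
function thirdPartyOrigins(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const collect = (tag) => {
    const origins = new Set();
    for (const src of tagSources(html, tag)) {
      const o = originOf(src, pageUrl);
      if (o !== pageOrigin) origins.add(o);
    }
    return [...origins].sort();
  };
  return { scripts: collect('script'), images: collect('img') };
}
```

Run it with Node against the saved HTML of a page and its URL (for the constructed sample, `thirdPartyOrigins(SAMPLE_HTML, "https://blog.example.invalid/post")`); every origin in `scripts` is one whose JavaScript can inject or remove content after load, which is exactly the dependency the “Live Editor” feature created.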

Joke of the Day: CompTIA Database Outage

I passed my CompTIA Security+ certification on July 24th. For those of you not familiar with CompTIA, they offer certifications in a number of IT related subjects – Server+, Network+, Security+, etc. When you pass a certification, the testing center prints out a confirmation page for you to take home. Five days later, you can login to the CompTIA website and request your official certification letter with the fancy seal.

At least, you could before CompTIA’s database crashed. They’re apparently going to be down through the end of the month. That’s a pretty solid two months after I took my test. It’s also a complete joke! CompTIA should be embarrassed to so publicly lose access to their data like this. The company that certifies your IT people on how to manage systems apparently couldn’t be bothered to do it right in-house.

I emailed CompTIA’s press contacts for their input on this story, but got no response other than to confirm the phone number listed on their outage page.

Good job, CompTIA.

Facebook App Bullshit


I really get annoyed by the fact that I can’t even look at an app on someone’s profile without granting that app access to my info. I want to read an “Interview” on a friend’s profile, but I can’t see what she answered without adding it to my own page. That’s just viral privacy invasion.

Of course, Facebook’s app platform allows any app to add stories to my newsfeed. So I can’t read anything I want to read, but I get spammed with bullshit about mafia wars, “Your friend completed the blah blah blah quiz”, and fantasy farm league.

It’s like the perfect storm of stupidity… but it’s still better than MySpace.

I <3 U - Thank God for Technology!

Long distance relationships suck, but I have to admit that with cell phones, text messaging, Twitter, Facebook, TokBox and IM things are a lot better than the first long distance relationship I ever had. When I went to college and was dating my high school sweetheart, phone conversations cost $0.21 per minute, US Mail was the only way to write and we probably only talked three or four times per week.

Now, Cindy and I talk multiple times a day via text and cell phone. We can keep up with each other’s day via Twitter and Facebook. There’s hardly a time or place that we can’t reach out to each other and stay in touch, even when I’m much farther away than I was in college. As humans, we don’t tend to notice incremental change, but stopping to ponder how much communication has changed in 15 years really makes my mind boggle.

And that’s a good thing, because decreasing the cost of communication has all kinds of good effects. But the best effect for me is that I get the chance to find and love a girl like Cindy. 🙂

Latest Toys

Latest techno gadget acquisitions: Google Voice and a Nikon D300.

I have to admit that the Google Voice system is pretty awesome, but I find that I probably have a limited use for it. The biggest feature is that it can ring multiple numbers at once to find you wherever you are. This is great if you want it to try your office, home, and cell together to try to track you down. Unfortunately, I don’t have an office or a home number, so really all it does is forward to my cell. But there are some other neat features like automatic voice mail transcription to email that I’d like to try out.

The D300 on the other hand is an unqualified success, as I expected. Took some test shots with it tonight, and the focusing is fast and the 51 point auto-focus is a big improvement over the D200. The main reason I bought it though? Self-cleaning sensor! My D200 has had chronic problems with dust, pollen, and other stuff getting on the sensor. Hopefully the D300 signals the end of those problems. I’ll be taking it and the D200 to New York City next week. The D200 is going to be Cindy’s “training camera” while I get more familiar with the D300. So look forward to updated photos in the coming weeks!

Rant: Who watches the watchers?

Computer security can be an arcane subject, especially for the “uninitiated” who don’t know what phrases like “risk mitigation”, “threat profile”, and “single-loss-expectancy” are talking about. But a lot of computer security boils down to fundamental ideas about trust and security that we’re used to in the real world. This week at work I was handed a very frustrating example of these fundamentals.

In security jargon, we talk about “controls” – especially “technical controls” vs. “procedural controls”. Let me break that down into plain English for you. Procedural control basically means “we told someone not to do a bad thing, and we trust that they’ll listen to us.” Technical control means “we don’t have to trust someone, because the system won’t do the bad thing even if the person wants to.” In the security world, technical controls are almost always preferable, since they allow your organization to take someone’s trustworthiness out of the equation.

A simple real life example of these two types of controls is locks on doors. In some situations, for example college roommates who grew up together, locking doors isn’t necessary because the people involved are trustworthy. But in another situation, the exterior door on your apartment, you can’t trust the other people and you demand a reasonable lock to secure your living space. And in further extremes, like protecting weapons or biological agents, the people involved are trustworthy but the possible damages are so high that strong locks and other controls (guards, video cameras, fences, etc.) are required.

As you can see from the examples, just because the people involved are trustworthy doesn’t mean systems with lax controls are adequate. If the risk of damage is large, prudence demands that we design a system that “watches the watchers” so to speak.

The example from work wasn’t nearly as dangerous as biological agents. But it was all the more frustrating because I had pointed out the ease with which the operations team could implement better controls on their patching process just a few days ago. Then yesterday it came up that the swing shift operators had installed software patches on the wrong boxes – an error facilitated by the lack of technical control and the attitude from the operations leader that the problem was “reminding the swing shift guys they shouldn’t patch those machines.”

No, the problem is you aren’t even willing to learn from your mistakes and implement new controls even after you’ve been burned once…
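To make the technical-vs-procedural distinction concrete, here is an added example (not anything from the operations team described above) of the kind of control that would have stopped the wrong-box patching: a small POSIX shell gate that refuses to run the patch step unless the current host is on an approved list. The allow-list contents and host names are constructed for illustration, and the real patch command is left as a placeholder.

```sh
#!/bin/sh
# Added example: a technical control on the patching procedure. Instead of
# reminding operators which hosts not to patch (a procedural control), the
# wrapper itself refuses to proceed on any host that is not approved.
set -eu

# Hosts approved for this patch window, one per line. Constructed sample;
# in practice this comes from change management and is not writable by the
# operators who run the wrapper.
PATCH_ALLOWLIST="${PATCH_ALLOWLIST:-app-01
app-02
db-01}"

# Exit 0 if the host is on the allow-list, 1 otherwise. -x forces a whole-line
# match so "app-0" does not match "app-01"; -F treats the name as literal text.
host_is_allowed() {
    printf '%s\n' "$PATCH_ALLOWLIST" | grep -qxF -- "$1"
}

# Print a verdict and return 0 (proceed) or 1 (refuse). Callers chain on the
# return code, so an operator cannot "forget" the check.
patch_gate() {
    if host_is_allowed "$1"; then
        printf 'ALLOW %s: on the approved patch list\n' "$1"
        return 0
    fi
    printf 'REFUSE %s: not on the approved patch list\n' "$1" >&2
    return 1
}

# What the swing shift actually runs. Defaults to this machine's hostname,
# so the decision is made by the system rather than by whoever is typing.
apply_patches() {
    host="${1:-$(hostname)}"
    patch_gate "$host" || return 1
    # Real patch command goes here (apt-get upgrade, yum update, ...).
    printf 'patching %s\n' "$host"
}
```

Running `apply_patches` on an unlisted box prints the REFUSE line and exits non-zero before any package manager is touched; the reminder to the operators becomes unnecessary because the wrapper enforces it.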

Hypocrisy Watch: Internet Monitoring

Apparently Senators Schumer and Graham are upset enough about Iran’s efforts to monitor its citizens’ Internet activities that they want to ban Siemens and Nokia from future contracts with the federal government. According to Graham…

“The Internet has proven to be one of the strongest weapons in the hands of the Iranian people seeking freedom and trying to chart a new destiny for their country. Companies that provide technology to the Iranian regime to control the Internet must be forced to pay a heavy price.”

Why aren’t the Senators going after NSA’s activities in the Pinwale program with the same fervor? Or is it only wrong to meddle with the Internet when you’re not the US government?

Clearly Screwed

The Clear Registered Traveler program was a service that basically collected a bunch of information about you, ran a background check, then gave you a card that let you skip to the front of the security line at 20 airports around the country. Since Dulles International Airport was one of them, I signed up for the card a little over a year ago. I’d had good experiences with it, and renewed it for $179 in May this year.

Then on June 22nd, Clear abruptly announced that they were closing operations effective immediately. (News which I learned about via Twitter before I learned about it from Clear’s customer service email. Viva la revolution!) The first order of business was to call American Express and dispute the charge from Clear. Clear has since announced that they won’t be issuing refunds due to the “financial condition of the company”. (In other words, they be broke.) This is why you should always use a credit card for purchases, kids. It’s a lot easier to dispute a charge on a credit card than a debit card.

Anyway, the more disturbing thing about the Clear closure is that they have a huge amount of personal information about their customers – iris photos, fingerprints, names, addresses, social security numbers, credit card numbers, etc. It’s really their most valuable asset – to a prospective purchaser or to a hacker. I reviewed their privacy policy again the day I found out about the closure, and it seems to indicate that they can’t sell the data. But as this Wired article points out, the policy isn’t explicit about what happens if the company is liquidated or acquired.

So now I’m wondering if I should try to get an injunction against them transferring all my personal information to a third party… Good luck with that, right?