January 28, 2004

VPN = Vehemently anti-Penguin Network

One of the latest problems we've run into in our quest to become a truly enterprise-class Linux company is the fact that we have a lot of remote workers. Folks who hack from the comforts of their homes and offices around the planet, from places strange and wondrous, and all of whom call themselves monkeys. This, of course, means that they need access to resources which live on our network.

Easier said than done.

At first, the BigCorp crew were fairly confident. "VPN," they intoned, invoking mystical TLAs with supreme confidence. "Simple software client. Choice of flavors."

However, as it turned out, all was not well. See, many of our remote hackers live on dynamic IP addresses. Most use some form of NAT on their home networks. The client available for our Nortel Contivity extranet switches is called NetLock, and it's now made by a company called Apani. On the surface, it's just what the doc ordered - a cross-platform piece of software (Windows, Mac OS X, Linux) which allows the user to tunnel into the corporate net.

Problem: This piece of software, despite being distributed teasingly as an SRPM, is in fact a big chunk of binary nastiness hidden inside some wrapper code to talk to the kernel. But it has to be compiled into a kernel module (two, actually) in order to function. And therein lies the rub. It only works with an extremely short list of Linux distros, and then only if you are using bog-standard kernels (it doesn't even like RedHat errata kernels, the silly thing).

Given that our remote workers are developers and testers, they end up running all manner of weird distros and kernels. And some not so weird, but which just didn't work anyway. No go.

After unsuccessfully perusing the list of options amongst the commercial VPN client market (zero) we turned, naturally, to the Open Source software world. OpenVPN, which uses SSL encryption, was a possibility; so was FreeS/WAN. OpenVPN was non-responsive, and while FreeS/WAN could be enticed to work in most cases, it suffered from several problems: one, it was management-intensive (since it couldn't auth using the Corp's native auth solution and hence required X.509 cert generation, distribution, installation and tracking) and two, it simply wouldn't operate from behind a NAT gateway.

bzzzzzzzzt. Thank you for playing. Would you like a nice copy of our OFFICE GAME?

Ah, I hear people shouting, what about Super FreeSWAN? Huh? Hunh?

Well, yes. Except that to work in NAT traversal, it, too, requires a specific kernel patch and recompile. Bzzzzzzzzt.

So there we have it. At present, we're looking at just buying hardware endpoints (little SOHO routers with Contivity logic built in), but those present their own problems. Namely, I can't let people directly in to the network from those, because any time someone opens an 802.11 net in their house behind one of these things, their neighbors can happily surf into my network. Nopenopenopenope.

At the moment, we're looking at setting up a separate DMZ for the VPN endpoint on the corporate end, and then installing a bridge box which users can SSH tunnel through to get to the resources they need - a compromise between access (better than the 'nothing' they have now) and security (that box is still vulnerable, but only to the smaller subset of people who compromise a remote network with one of these endpoints installed).

I'm not sure why this is such an issue, although I have my suspicions. I think that, in point of fact, there aren't that many organizations doing remote Linux development that have access requirements for their remote users that go beyond simple SSH tunneling (*cough* NFS sucks *cough*). Or they are willing to accept vulnerabilities or workflow disruptions that we're not. I'm sure many have done this before, but I just can't see how they'd do it without having to make the sort of compromises we are.

Not that the compromises make the task undoable; it's just aggravating. On the other hand, better to find these sorts of problems while dogfooding than when selling the product to the public.

Posted by jbz at 2:53 AM
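The "bridge box in a DMZ that users SSH tunnel through" design above is the part of the post a practitioner can actually act on, and the author's own caveat (the box is reachable by anyone who compromises a remote site's endpoint) is the thing to design around. The following is an added example of how such a bridge is typically locked down today; it is not the author's configuration, and the hostnames (bridge.dmz.example, cvs.internal.example, nfs-gw.internal.example), the group name remote-devs, the user name and the ports are all assumptions. It also assumes a current OpenSSH: the Match block, PermitOpen and PermitTTY directives postdate the post by several years.

```conf
# --- sshd_config on the bridge box (added example, not from the post) ---
#
# The box is reachable from every remote site's VPN endpoint, so password
# guessing must not be an option at all: keys only, no root, and only the
# group of remote developers may log in.
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowGroups remote-devs

# Everyone in remote-devs gets a forwarding-only account: no shell, no PTY,
# no agent or X11 forwarding, and local forwards may only reach the
# internal services listed in PermitOpen. A stolen key therefore yields
# those ports and nothing else; it does not yield a foothold on the bridge.
Match Group remote-devs
    ForceCommand /bin/false
    PermitTTY no
    AllowTcpForwarding local
    PermitOpen cvs.internal.example:2401 nfs-gw.internal.example:22
    GatewayPorts no
    X11Forwarding no
    AllowAgentForwarding no

# --- ~/.ssh/config on the remote worker's machine (added example) ---
#
# Host bridge.dmz.example, user jdoe and the two forwards are assumptions.
Host corp-bridge
    HostName bridge.dmz.example
    User jdoe
    IdentityFile ~/.ssh/id_corp
    # Pin the bridge's host key: a compromised home network (the author's
    # open-802.11 scenario) must not be able to substitute its own "bridge".
    StrictHostKeyChecking yes
    # Forward exactly what the bridge permits; anything else is refused.
    LocalForward 2401 cvs.internal.example:2401
    LocalForward 2222 nfs-gw.internal.example:22
```

Usage: the user runs `ssh -N corp-bridge` (the `-N` matters, since ForceCommand closes any session channel immediately) and then points the CVS client at localhost:2401 or a second ssh at localhost:2222. Note what this does and does not buy: it shrinks what an attacker on a compromised remote network can reach from "whatever the bridge can reach" to "the enumerated ports", but the bridge's own sshd is still exposed to that attacker, which is why the author's DMZ placement, rather than a direct path into the network, is the right call.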

January 21, 2004

Momma's got a Squeezebox...

Momma's got a Squeezebox, Daddy doesn't sleep at night...
- The Who

The Squeezebox is the second product of the Slim Devices company (http://www.slimdevices.com), following on the heels of the SliMP3. Put baldly, it is a streaming MP3 receiver. Like too few products, however, the Squeezebox is more than the sum of its parts!

The Box

The Squeezebox is a textured plastic device that looks like nothing so much as a super-stealthy clock radio. It is around seven inches across, curved in the back, and the face is entirely taken up by a bright teal vacuum fluorescent display. The right side has a mini-stereo jack, amplified for headphones. The back contains a power supply jack (it comes with a wall wart), a socket for a whip 802.11b antenna, a S/PDIF miniplug optical port, RCA stereo ports, and an RJ-45 100 Base-T Ethernet jack. It weighs all of five or six ounces, not counting the power transformer. It ships with a standard-looking infrared remote control.

The Software

In order to use the Squeezebox, you'll need to have a computer somewhere that is running the SlimServer software, available for download at Slim Devices' website. The SlimServer is most of the 'brains' of the product, and is Free Software - you can download it, use it, modify it. As a result, it has been ported and extended fairly well - there are versions that run on Linux, Windows (of various flavors), Mac OS X, Solaris and various BSDs. It consists of a set of Perl libraries and a web-based interface. It performs two critical functions: one, it allows you to control your Squeezebox (or other stream - more on that in a second) and two, it streams mp3 audio to the device or app that you're using.

Note that if you'd like to try the server software, you don't need a Squeezebox. You can download it and install it, and it will handle as many separate streams as your server computer and network will. I personally use mine not only for running my Squeezebox but for streaming music to my work computer (running XMMS, gag puke choke, or iTunes if I'm on my laptop) and to 'take' my music wherever I go. The Squeezebox talks to the SlimServer using the aforementioned Perl libraries, so when you hit your IR remote, you're really talking to the SlimServer.

If you're a Mac OS X user (as I am) you'll be happy to know that the SlimServer completely groks iTunes. This means if you're running iTunes, and you tell it to do so, it will utilize all existing iTunes tag info as well as playlist information (including the dynamic 'Smart Playlists' that do stuff like offer your top 25 most-played tunes). It doesn't need iTunes (it can keep its own data, and let you construct your own playlists entirely) but if you choose to use iTunes connectivity, you can still manage your own playlists and the like. It just assumes that the iTunes music library is where all your music lives.

What it Does

Put simply, it is the Killer Music App. It makes your digital music available to you from anywhere you have a browser and net connection (SlimServer) or just a net connection and power (Squeezebox). To give you a taste of how well-done this thing is, here is the complete sequence of steps I went through to set mine up once I'd installed the SlimServer:
  1. Plugged it in, in another room in my house. It came up and said 'Free your music!'
  2. Then it asked 'Wireless Network?' -I indicated 'yes' using the remote.
  3. It sniffed around, and asked 'Network xxx (my SSID)?' -yup.
  4. Sniff again. 'Server "Navi"?' -...my Mac. Yup.
  5. A moment's pause, then "Ready! Select Playlists:" ...and it offered me a selection menu of all my iTunes playlists.
I hit 'Play' - and music flowed out of my headphones.

While in use, it uses approximately 4% of my Mac's CPU cycles (PowerMac G4/500DP) and around 25K/sec of bandwidth per active stream.

Why it's so damn cool

...because, for the first time (coupled with my iPod) my music is always with me, anywhere on the internet, and anywhere in my house. I have had six or seven friends around the U.S., and myself at work, and the Squeezebox in my bedroom all pulling music off my Mac simultaneously - no stutter. Although it has to transcode on the fly, it's capable of playing Ogg Vorbis files and a variety of other formats through server add-on modules.

Folks have found out how to use it for other cool stuff, too. There are CallerID modules that display CallerID information on the Squeezebox display; stock tickers, clocks (the Squeezebox is truly a passive device, and despite its resemblance to a clock, doesn't have a local time source), several Windows Media Player remote controls that use the IR remote to control a computer app, library browsers, and apparently at least one RSS feed that someone is working on. It can act as an alarm clock, using the server's smarts, and start streaming at a predesignated time. The display can be turned off (handy when you're trying to sleep) without interrupting the music; there's a local volume control, which is nice.

How's the sound?

Darn good. I encode at 160k or 192k, and the sound out of the device is fairly clean. It does come out at a fairly high line level, so downing the volume can be necessary if you have sensitive headphones and/or ears. There are treble/bass adjustments on the Squeezebox, and the sound it puts out sounds cleaner than that which comes out of my Mac's sound ports (less EM noise, I guess).

What's the catch?

The price, for one. The box is $299 US, which is a bit steep for a dumb component. However, that's around what the Audiotron costs, and this is a much smarter component, with 802.11 onboard, to boot. For another, it's a fairly flimsy looking, odd-shaped box you can't stack - so it looks out of place in a typical home stereo cabinet. The VFD display looks slightly 'cheap' compared to even cheap home stereo gear. It'd be really nice if it could run off batteries, even for a limited time, making it truly portable around the home. There is no onboard speaker (not a big loss, AFAICT). The remote button layout is non-intuitive, and the buttons aren't easily distinguished by touch in the dark.

The Verdict

...a Custodial two thumbs up. I got mine as a present, and hence was not put off by the price. However, I use it every day, and use the server software daily as well to listen to my home audio library from my office. I strongly recommend picking one up, if you have the means. They are so choice.
Posted by jbz at 11:32 PM | Comments (0)

Here Comes the Comedown

Well, it’s official. Us fat people can now join the ranks of intravenous drug users, smokers, and other ne’er-do-wells in one critical way - we’ve been identified as a ‘significant cost to the taxpayer.’ CNN tells us (under the headline ‘CDC: Medical Cost of Obesity $75 billion’) that a report due to be published from that organization will explain how us overweight types cost $75 billion per year in health expenses.


Great.


While I understand there are legitimate epidemiological reasons for pursuing such data, in the hands of the news organizations, it simply provides more grist for the relentless ‘CONFORM’ mill. Now, in addition to worrying about the problems my overweight condition causes me, I must now contend with the stigma of wastrel being applied via news service headlines.


One point - if 64% of the adults in the US are overweight, as the study claims, how much ‘more than average’ do overweight people cost the medical health system? How can that ‘average’ be controlled to not account for them? Sure, there are clean statistical methods of doing so - but I feel like I’ve been lumped into the drug user and smoker categories just by this damn headline. While you can argue whether or not food is an addiction problem, it differs from smoking and other drug use in one significant way - namely, we need to eat to survive. The problem of obesity has many roots, but at base, you can’t say that it derives from purely destructive behavior (and before you get on my case for ‘deriding’ smokers and drug users, I will say out front that I enjoy a cigar from time to time).


This, by itself, isn’t a big deal. But there’s this awful trend towards blame-fixing for societal shortfalls - and it’s that form of obsessive fix-the-cost-on-the-individual’s-fault behavior that will, in the end, bring down any system based on collective action, such as ours is.

Posted by jbz at 7:58 PM | Comments (0)

Keep them frontmost...

...the questions that George W. Bush and company have refused to answer. Remember them, repeat them, and demand answers every chance you get.
  • Who outed Valerie Plame?
  • Where are the WMDs?
  • Why hasn't Cheney completely severed his ties with Halliburton, especially given the number of contracts (and scandals) they've been involved in?
  • Why was the 3rd Infantry Division so unhappy with their support and planning in Iraq?
  • What happened to that nice space initiative, and if it was that fragile, why was it pushed as a priority?
  • Precisely when does the PATRIOT Act expire, Mr. President, especially given your administration's attempt to pass PATRIOT II?

...I'm sure you can think of your own. In the blizzard of media glitz and other flashy crapola that all parties are going to snow you under in the coming campaign, find your questions. Hold them tight to you. Cherish them. Wait for the moment.

Then ask them.

Posted by jbz at 1:55 AM | Comments (0)

January 10, 2004

No evidence of Iraq and Al-Qai...oh look, Mars!

Perhaps I'm just a terminal cynic, but I couldn't help feeling that the story on CNN.com of Colin Powell admitting publicly to a complete lack of hard evidence linking Iraq to Al-Qaida both before and after the war and the timing of Bush's GRAND SOOPER SPACE EXPLORASHUN PLANZ wasn't a coincidence.

How was that for a run-on sentence?

The Mars lander had just phoned home. Pictures were flowing back down in grandiose and possibly dishonest color, but gorgeous pictures nonetheless. 'We're back!' enthused NASA Administrator Sean O'Keefe, pouring champagne for the Mars Exploration Rover team on live T.V. Suddenly, Americans turn their attention to space for a happy reason, a good reason; maybe for the first time since Columbia's deep burn.

"Let's go to the Moon! And Mars!" shouts Dubya, outlining a bold plan involving manned space exploration. This from the administration that has kept attempting to smash the NASA budget - advocating a plan that actually seems to make little sense even on first glance. If you're going to Mars, why do you need a base on the moon? Why fight *two* gravity wells to get there? Why bother putting people on the Moon, where every last bit of supply must be shipped up? Why not simply assemble a transfer vehicle in orbit and launch from there?

Well, see, it doesn't really matter. Dubya's Brave New World isn't supposed to have humans actually leave the rock until around 2014 or so - long after he's comfortably retired.

But Colin's admission of complete fraud on the part of the Administration - no WMD, no evidence of them, Valerie Plame's hubby's report, and now no Al-Qaida links - is safely 'below the seam' on the second or third page of CNN, happening as it did the same news day as the announcement. Hordes of Americans ignore the dreary political news and rush happily to the dreams, lapping it up as Dubya tries to cover himself in a JFK/Apollo-esque cloak.

Of course, Apollo may have only happened because JFK got shot, and no-one in Congress dared kill it after that.

Posted by jbz at 2:20 AM | Comments (0)

January 4, 2004

Strange New Worlds

It's 2:33 in the morning here on the East Coast of the United States, and I'm watching a crappy, pixelated webcast feed from NASA TV. There are fifty or more people crammed into a relatively small room, looking intently at screens which are stubbornly showing small calibration squares and static data and not much else. A few hours ago, we waited and agonized with the JPL/NASA crews as their robot child stopped talking to them for re-entry. I listened to the frightening numbers read off in the quiet nervous room - twelve thousand two hundred miles per hour, one hundred fifty three miles above the Martian surface, preparing to decelerate at up to 6 gee - I chewed nails and watched, preparing to settle in for a long night of waiting and the likely disappointment. The lander phoned home, and we all sighed in relief.

Now we wait; all we know is that the Mars Odyssey orbiter has captured around 24 megabytes of data during its 12-minute overflight of the landing spot, and is preparing to relay the data back to earth.

"Flight, imaging; we had a loss of signal during the transmission and we had to modify the download priority tables, and we're now showing an ETA of hour seven minute 28."

"Imaging, flight; roger. We'll be happy to wait another five minutes for these."

"Flight, imaging; thank you all for your patience."

The wait continues. I have time to get a Diet Coke from the fridge, taking a quick run to the loo before dashing back to my computer and locking my reddened eyes to the screen again. Fortunately, my computer has a nice screen, minimizing my eyestrain.

More waiting. Half the Coke gone.

-there is a burst of noise, and people are jumping up from their seats-

"Wow. Wow wow wow. We're getting pictures, pictures from the surface of Mars - this is, these are thumbnails? That's the first picture-" it looks like a smudged circle and dark shape "-and it's the calibration target."

More cheering.

"Wow." That word will become almost a constant companion. Pictures start to flow in.

Suddenly, there's another burst of cheering - an image has popped up on the screen with a bright band across the top, and it becomes clear even through the crappy webcast - that's Mars. It's a part of Mars humanity has never seen. It's only the fourth time humans have managed to get imagery from the surface of the planet, and the first time from anywhere near this spot.

The Coke is gone, and I'm smiling like an idiot.

More cheering and wows. The mast has extended and a series of images from cameras atop the mast are popping up now - and then, finally, a mosaic is pieced together as we watch, and we are looking out past the black boxy shape of the rover and at a horizon with rocks on it. Final touch: a polar projection, an image assembled to look 'down' from the mast, blending the nine images from the mast cameras.

From a perch six feet above three hundred million miles, I stand and look down on this small voyager as it prepares to go to sleep with the sunset, and I swear it looks back at me with an expression of pride and satisfaction.

This is a good way to start a year.

Posted by jbz at 3:01 AM | Comments (0)