One of the latest problems we've run into in our quest to become a truly enterprise-class Linux company is the fact that we have a lot of remote workers. Folks who hack from the comforts of their homes and offices around the planet, from places strange and wondrous, who all call themselves monkeys. This, of course, means that they need access to resources which live on our network.
Easier said than done.
However, as it turned out, all was not well. See, many of our remote hackers live on dynamic IP addresses. Most use some form of NAT on their home networks. The client available for our Nortel Contivity extranet switches is called NetLock, and it's now made by a company called Apani. On the surface, it's just what the doc ordered - a cross-platform piece of software (Windows, Mac OS X, Linux) which allows the user to tunnel into the corporate net.
Problem: This piece of software, despite being distributed teasingly as an SRPM, is in fact a big chunk of binary nastiness hidden inside some wrapper code to talk to the kernel. But it has to be compiled into a kernel module (two, actually) in order to function. And therein lies the rub. It only works with an extremely short list of Linux distros, and then only if you are using bog-standard kernels (it doesn't even like RedHat errata kernels, the silly thing).
Given that our remote workers are developers and testers, they end up running all manner of weird distros and kernels. And some not so weird, but which just didn't work anyway. No go.
After unsuccessfully perusing the list of options amongst the commercial VPN client market (zero) we turned, naturally, to the Open Source software world. OpenVPN, which uses SSL encryption, was a possibility; so was FreeS/WAN. OpenVPN was non-responsive, and while FreeS/WAN could be enticed to work in most cases, it suffered from several problems: one, it was management-intensive (since it couldn't auth using the Corp's native auth solution and hence required X.509 cert generation, distribution, installation and tracking) and two, it simply wouldn't operate from behind a NAT gateway.
bzzzzzzzzt. Thank you for playing. Would you like a nice copy of our OFFICE GAME?
Ah, I hear people shouting, what about Super FreeSWAN? Huh? Hunh?
Well, yes. Except that to work in NAT traversal, it, too, requires a specific kernel patch and recompile. Bzzzzzzzzt.
So there we have it. At present, we're looking at just buying hardware endpoints (little SOHO routers with Contivity logic built in), but those present their own problems. Namely, I can't let people directly in to the network from those, because any time someone opens an 802.11 net in their house behind one of these things, their neighbors can happily surf into my network. Nopenopenopenope.
At the moment, we're looking at setting up a separate DMZ for the VPN endpoint on the corporate end, and then installing a bridge box which users can SSH tunnel through to get to the resources they need - a compromise between access (better than the 'nothing' they have now) and security (that box is still vulnerable, but only to the smaller subset of people who compromise a remote network with one of these endpoints installed).
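One way to shrink what that bridge box exposes, as an added example (not the author's setup): pin each remote worker's key to port forwarding toward named internal services only, and audit the box's sshd_config for settings it should not carry. The host names, ports and group are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical hardening for the SSH "bridge box" between the VPN DMZ and the
# internal network. A compromised remote LAN behind a hardware endpoint then
# reaches the listed ports only, never a shell. Targets are constructed samples.
BRIDGE_TARGETS="nfs.corp.example:2049 cvs.corp.example:2401"

# Build an authorized_keys line for one user's public key ($1):
#  - 'restrict' turns off pty, agent, X11 and all forwarding (OpenSSH 7.2+)
#  - 'port-forwarding' re-enables only TCP forwarding
#  - each 'permitopen' limits where a forward may go
#  - command= makes any session request exit at once; forwards still work
#    when the client connects with 'ssh -N'
bridge_key_line() {
    opts='command="/bin/false",restrict,port-forwarding'
    for t in $BRIDGE_TARGETS; do
        opts="$opts,permitopen=\"$t\""
    done
    printf '%s %s\n' "$opts" "$1"
}

# Scan an sshd_config ($1) for directives a bridge box should not have.
# Prints each weak directive found; returns 1 if any were found, else 0.
audit_bridge_sshd_config() {
    rc=0
    for bad in 'PermitRootLogin:yes' 'PasswordAuthentication:yes' \
               'GatewayPorts:yes' 'PermitTunnel:yes'; do
        key=${bad%%:*}
        val=${bad#*:}
        if grep -Eiq "^[[:space:]]*$key[[:space:]]+$val" "$1"; then
            echo "weak setting: $key $val"
            rc=1
        fi
    done
    return $rc
}

# Usage: bridge_key_line "$(cat alice.pub)" >> /home/alice/.ssh/authorized_keys
#        audit_bridge_sshd_config /etc/ssh/sshd_config
```

Users then open their tunnels with `ssh -N -L 2049:nfs.corp.example:2049 bridge`, and any attempt to forward elsewhere is refused by the server.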
I'm not sure why this is such an issue, although I have my suspicions. I think that, in point of fact, there aren't that many organizations doing remote Linux development that have access requirements for their remote users that go beyond simple SSH tunneling (*cough* NFS sucks *cough*). Or they are willing to accept vulnerabilities or workflow disruptions that we're not. I'm sure many have done this before, but I just can't see how they'd do it without having to make the sort of compromises we are.
Not that the compromises make the task undoable; it's just aggravating. On the other hand, better to find these sorts of problems while dogfooding than when selling the product to the public.
Momma's got a Squeezebox, Daddy doesn't sleep at night...
- The Who
The Squeezebox is the second product of the Slim Devices company (http://www.slimdevices.com), following on the heels of the SliMP3. Put baldly, it is a streaming MP3 receiver. Like too few products, however, the Squeezebox is more than the sum of its parts!
Note that if you'd like to try the server software, you don't need a Squeezebox. You can download it and install it, and it will handle as many separate streams as your server computer and network will. I personally use mine not only for running my Squeezebox but for streaming music to my work computer (running XMMS, gag puke choke, or iTunes if I'm on my laptop) and to 'take' my music wherever I go. The Squeezebox talks to the SlimServer using the aforementioned Perl libraries, so when you hit your IR remote, you're really talking to the SlimServer.
If you're a Mac OS X user (as I am) you'll be happy to know that the SlimServer completely groks iTunes. This means if you're running iTunes, and you tell it to do so, it will utilize all existing iTunes tag info as well as playlist information (including the dynamic 'Smart Playlists' that do stuff like offer your top 25 most-played tunes). It doesn't need iTunes (it can keep its own data, and let you construct your own playlists entirely) but if you choose to use iTunes connectivity, you can still manage your own playlists and the like. It just assumes that the iTunes music library is where all your music lives.
Folks have found out how to use it for other cool stuff, too. There are CallerID modules that display CallerID information on the Squeezebox display; stock tickers, clocks (the Squeezebox is truly a passive device, and despite its resemblance to a clock, doesn't have a local time source), several Windows Media Player remote controls that use the IR remote to control a computer app, library browsers, and apparently at least one RSS feed that someone is working on. It can act as an alarm clock, using the server's smarts, and start streaming at a predesignated time. The display can be turned off (handy when you're trying to sleep) without interrupting the music; there's a local volume control, which is nice.
While I understand there are legitimate epidemiological reasons for pursuing such data, in the hands of the news organizations, it simply provides more grist for the relentless ‘CONFORM’ mill. Now, in addition to worrying about the problems my overweight condition causes me, I must now contend with the stigma of wastrel being applied via news service headlines.
One point - if 64% of the adults in the US are overweight, as the study claims, how much ‘more than average’ do overweight people cost the medical health system? How can that ‘average’ be controlled to not account for them? Sure, there are clean statistical methods of doing so - but I feel like I’ve been lumped into the drug user and smoker categories just by this damn headline. While you can argue whether or not food is an addiction problem, it differs from smoking and other drug use in one significant way - namely, we need to eat to survive. The problem of obesity has many roots, but at base, you can’t say that it derives from purely destructive behavior (and before you get on my case for ‘deriding’ smokers and drug users, I will say out front that I enjoy a cigar from time to time).
This, by itself, isn’t a big deal. But there’s this awful trend towards blame-fixing for societal shortfalls - and it’s that form of obsessive fix-the-cost-on-the-individual’s-fault behavior that will, in the end, bring down any system based on collective action, such as ours is.
...I'm sure you can think of your own. In the blizzard of media glitz and other flashy crapola that all parties are going to snow you under in the coming campaign, find your questions. Hold them tight to you. Cherish them. Wait for the moment.
Then ask them.
Perhaps I'm just a terminal cynic, but I couldn't help feeling that the story on CNN.com of Colin Powell admitting publicly to a complete lack of hard evidence linking Iraq to Al-Qaida both before and after the war and the timing of Bush's GRAND SOOPER SPACE EXPLORASHUN PLANZ wasn't a coincidence.
How was that for a run-on sentence?
The Mars lander had just phoned home. Pictures were flowing back down in grandiose and possibly dishonest color, but gorgeous pictures nonetheless. 'We're back!' enthused NASA Administrator Sean O'Keefe, pouring champagne for the Mars Exploration Rover team on live T.V. Suddenly, Americans turn their attention to space for a happy reason, a good reason; maybe for the first time since Columbia's deep burn.
"Let's go to the Moon! And Mars!" shouts Dubya, outlining a bold plan involving manned space exploration. This from the administration that has kept attempting to smash the NASA budget - advocating a plan that actually seems to make little sense even on first glance. If you're going to Mars, why do you need a base on the moon? Why fight *two* gravity wells to get there? Why bother putting people on the Moon, where every last bit of supply must be shipped up? Why not simply assemble a transfer vehicle in orbit and launch from there?
Well, see, it doesn't really matter. Dubya's Brave New World isn't supposed to have humans actually leave the rock until around 2014 or so - long after he's comfortably retired.
But Colin's admission of complete fraud on the part of the Administration - no WMD, no evidence of them, Valerie Plame's hubby's report, and now no Al-Qaida links - is safely 'below the seam' on the second or third page of CNN, happening as it did the same news day as the announcement. Hordes of Americans ignore the dreary political news and rush happily to the dreams, lapping it up as Dubya tries to cover himself in a JFK/Apollo-esque cloak.
Of course, Apollo may have only happened because JFK got shot, and no-one in Congress dared kill it after that.
Now we wait; all we know is that the Mars Odyssey orbiter has captured around 24 megabytes of data during its 12-minute overflight of the landing spot, and is preparing to relay the data back to earth.
"Imaging, flight; roger. We'll be happy to wait another five minutes for these."
"Flight, imaging; thank you all for your patience."
The wait continues. I have time to get a Diet Coke from the fridge, taking a quick run to the loo before dashing back to my computer and locking my reddened eyes to the screen again. Fortunately, my computer has a nice screen, minimizing my eyestrain.
More waiting. Half the Coke gone.
-there is a burst of noise, and people are jumping up from their seats-
"Wow. Wow wow wow. We're getting pictures, pictures from the surface of Mars - this is, these are thumbnails? That's the first picture-" it looks like a smudged circle and dark shape "-and it's the calibration target."
"Wow." That word will become almost a constant companion. Pictures start to flow in.
Suddenly, there's another burst of cheering - an image has popped up on the screen with a bright band across the top, and it becomes clear even through the crappy webcast - that's Mars. It's a part of Mars humanity has never seen. It's only the fourth time humans have managed to get imagery from the surface of the planet, and the first time from anywhere near this spot.
The Coke is gone, and I'm smiling like an idiot.
More cheering and wows. The mast has extended and a series of images from cameras atop the mast are popping up now - and then, finally, a mosaic is pieced together as we watch, and we are looking out past the black boxy shape of the rover and at a horizon with rocks on it. Final touch: a polar projection, an image assembled to look 'down' from the mast, blending the nine images from the mast cameras.
From a perch six feet above three hundred million miles, I stand and look down on this small voyager as it prepares to go to sleep with the sunset, and I swear it looks back at me with an expression of pride and satisfaction.
This is a good way to start a year.