Living without Satellite or Broadcast TV Service

Back in June, I wrote about how I felt like we were being extorted by Dish Network over HD service: they basically told us that we could take it or go away.  We decided to go away.

Initially we toyed with the idea of switching back to Direct TV or even to cable, but what we found was that all of them play serious games with their pricing structure.  They all talk up their low, low pricing specials, but those only last for the first year … of a two year contract!  For that second year, we’d be paying what amounted to the same high fees we’d been paying to Dish.  I also found that during our discussions with each outfit, they projected every confidence that we’d eventually cave in and sign up, that there really wasn’t any choice.

They were wrong.  We canceled our satellite service and I hooked up the aerial antenna again. 

For the first couple of days, it felt like they might have been right.  We live in Phoenix, and although there are several tens of DTV stations available, we are apparently in the broadcast shadow of a nearby mountain.  So we only have 7 channels to choose from, half of which are PBS — although I have to admit that with DTV, they do come in crystal clear.

Fortunately, there are other alternatives for watching our favorite shows.  Most everything we want to watch is available on Hulu.com, so we can watch them from our computers.  New shows aren’t always immediately available when they broadcast, but it’s usually only a matter of a few hours, or at worst, the next day before the latest episode is available.

For the TV in the family room I dusted off an old PC I had laying around that just happened to have an S-Video port.  I installed Ubuntu and Boxee on it, connected it to the TV, and picked up an inexpensive pc-remote control from Amazon.

Boxee is an application — available for Windows, Mac, and Linux — that allows you to select and watch TV shows and clips that are freely available across the web.  The servers at boxee.tv continuously check the broadcast network websites, such as CBS and Syfy, as well as other websites, like Hulu, to compile an organized list of television shows, movies, and clips into the Boxee application that can be easily navigated with a remote control.  All for free.

The hard part is connecting a computer to the TV so these programs can be watched there, instead of on your PC or laptop screen.  Fortunately, D-Link has been working with Boxee to create the Boxee Box, a TV appliance that runs Boxee.  The Boxee Box has all the normal TV hookups built in, so it will be as easy to connect to the TV as a DVD or Blu-ray player is.  The Boxee Box is not quite available yet — D-Link is expecting to release it in November, just in time for the Christmas season — but it can be pre-ordered from Amazon for about $200.

So we’ve been living this way for several weeks.  We still watch all the shows we’ve become addicted to.  The only thing we do miss is being able to sit in front of the TV and just flip through channels.  On the plus side, we now tend to watch TV with a purpose, and when the show is over, it gets turned off.

I haven’t missed the Satellite service at all.

A short missive on Chronological Usability

I’ve found a blog that really interests me, but I want to read all the posts in chronological order because it makes more sense that way.  Problem is, almost every blog, including mine, presents the posts in reverse chronological order.  Which is great if you’ve been following along already, because the latest entries are always on the main page and at or near the top.

But when you decide that you want to read them in the order they were posted, it gets rather cumbersome:  You have to locate the first entry, which can be an interesting prospect if they don’t have archives enabled, then you have to read from the bottom of each page towards the top — so you’re constantly reading down the posting, then moving up, past it, to the next one, reading down the posting, moving up, past it, to the next one … and so on.  Then when you get to the top, you usually have to scroll all the way to the bottom of the page again to find the link that takes you to the next page, chronologically.  When that page loads you’re looking at the top of the page again, so you have to scroll back to the bottom of the new page to the last entry, then start the whole process over again.  What a pain!

It’s not so bad when each posting, when viewed by itself, has links to the next/previous posts, because then you can simply read the post, then click to the next one and so on.  A lot more page loads, but easier to navigate.  Unfortunately, many blog themes, or layouts, don’t seem to have these links either — mine included, again.  I think most people just don’t think about it:

What if someone wanted to read my blog in book style, from the earliest posting, until now?  Will it be easy to do?

It’s a part of the user experience, or usability, that seems to get lost when developing the blog or when web-designers develop themes and templates.  But it’s also something that could easily be fixed, either by adding the next/previous links to the page that displays individual posts, or by creating an optional “index” page that sorts the posts chronologically, instead.  Relatively small changes that could dramatically improve the usability of your blog — especially if the contents or subject matter lends itself to being read in date-order.

Although I can’t see why anyone would possibly want to read AlienSplicer this way, I’m going to have to modify its layout just in case they do.

What do you think?

The Film Era is Officially Over, Kodachrome has Retired

Steve McCurry, who is best known for his photograph of Sharbat Gula, the “Afghan Girl,” taken in 1984 and featured on the cover of National Geographic in 1985, had the privilege of shooting the final roll of 36-exposure Kodachrome film ever manufactured. Kodak announced last year that it would stop manufacturing Kodachrome film and retire the brand name.

This final roll was processed at Dwayne’s Photo Service in Parsons, Kansas.  Dwayne’s is the last lab in the world that still handles Kodachrome processing.  Since Kodachrome is no longer manufactured, there are not many rolls still in circulation and Dwayne’s is expected to stop processing it this December.

National Geographic has been following and documenting this last roll of Kodachrome film and is expected to publish both the story and some of the pictures in the Spring of 2011.

References:
kansas.com: Last Kodachrome roll processed in Parsons

Scam offers Tech “Support” by Phone

There is a very short article at MercuryNews by Jennifer Squires of the Santa Cruz Sentinel discussing a growing trend: people receive calls from a purported tech support specialist at Microsoft (or some other large computer company) who offers tech support over the phone.  However, when people follow the caller’s instructions, instead of fixing their computer they unknowingly install a remote access program that gives the scammer complete remote control of it.

The article gives an example of someone receiving one of these scam calls, notes that it’s a growing trend, and mentions that the scammers will sometimes ask for payment for their “service.”

Then she wraps it up with:

People can add themselves to the Federal Trade Commission Do Not Call registry to prevent phone solicitation by calling 888-382-1222.

I’m sorry, but that seems a bit detached from reality.  If someone is going to call you and try to scam you out of something, be it money or the security of your computer, they are NOT going to be concerned, one iota, whether or not your phone number is listed at the FTC’s Do Not Call registry.
 

I hate spammers!

… right-arrow, center-button, right-arrow, center-button, right-arrow, center-button …

I really detest spammers! Most of us give it little thought, but when we receive spam messages, the “sender” is usually a spoofed address. Not spoofed in that it was made up — that’s too easy to test for in many cases — but spoofed in that they use someone else’s email address as the spam message’s sender. … right arrow, center-button … When we receive the spam, that little fact doesn’t mean much to us. But when they use your email address as the spoofed sender, you know it.

… right-arrow, center-button …

Over the weekend, I’ve received several thousand — yes, that was thousand — bounce messages where a spammer had attempted to send their spam to invalid email addresses, to mailboxes that were already full, to servers that correctly identified the messages as spam, to systems that needed some sort of anti-spam confirmation actions, and more for a number of other reasons. … right-arrow, center-button … What these bounce messages had in common was that (1) the original message claimed it came from one of my email addresses, and (2) it had actually originated from Brazil (many of the bounce messages were kind enough to include message headers from the original).

… right-arrow, center-button …

Having to constantly delete messages from my inbox all weekend long was very annoying and I had to be very careful, as it would have been very easy to accidentally delete a real, valid, message from someone that I knew. There’s nothing much that could be done about it, except, perhaps, to create a couple of temporary mail filters to assist with the deleting.

… right-arrow, center-button, right-arrow, center-button …

To make matters worse, the particular email address that had been victimized was one that not only delivered mail to my inbox, but also delivered copy to my PDA phone. … right-arrow, center-button … a small detail I missed until late last night. Although the wave of bounce messages finally trickled off to almost nothing shortly past midnight, I’m still deleting them from the phone, where each one has to be individually acted upon with a two button sequence. It’ll take some time to get them all deleted.

… right-arrow, center-button …

Did I mention how much I loathe spammers?

… right-arrow, center-button, right-arrow, center-button, right-arrow, center-button …

Installing NetBSD on a Laptop

NetBSD, an open source version of unix, is my favorite operating system. I regularly use it for web servers, mail servers, firewalls, and anything else where I need to get something up and running relatively quickly. But I haven’t used it on a laptop for several years…not since the days of version 1.3.2. The current version is 4.0.

Over the last several days, I’ve come to the conclusion that it would be handy to have NetBSD on a laptop. So this morning, I downloaded the installation CD image, burned it to a disk, and installed it on an old HP Omnibook 6000.

This was very smooth and I was happy to find that the network device was recognized as well as both the LCD screen and touch-pad mouse. X, the graphical windowing system, just seemed to work out of the box. A much better experience than when I last installed v1.3.2 on an IBM 755CD many years ago — getting everything working back then was a major struggle.

With the base system installed, I downloaded and installed pkgsrc (package source), the application installation subsystem. I could have installed quite a few pre-compiled packages from CD, but I’m rather old school and like to compile everything myself. This, of course, takes time on a 700MHz system — XFCE, my favorite windowing system, required nearly 9 hours to build along with all its prerequisite applications. Not that I had to sit in front of the laptop for that long; I just changed to the xfce4 directory in pkgsrc and issued a “make install clean” command. Then I could go out and do something else.

Now that I have the graphical environment and a few tools such as Firefox and Open Office installed, the laptop is all set for working on unix development projects or just about anything else while on the go and without having to worry about viruses or other such nasties that are so prevalent on Windows based systems.

Robots, Chairs, and Libraries

For his graduation project at the Design Academy Eindhoven, Jelte van Geest designed the “Take-A-Seat” concept — a robotic chair for libraries. “Take-A-Seat” chairs can be activated by visitors’ library cards and will follow them as they wander about the library, providing an ever-present seat for reading or browsing through a book. Multiple chairs could also be activated by library personnel and would follow the staff member to a lecture area before arranging themselves in neat rows for the audience to use.

Here’s a short video of van Geest’s concept in action:

Just before writing this, I showed the video to Son#2, who immediately broke out into laughter. He said he could see walking through the library, activating every chair he can find, then running from one end of the library to the other, screaming and waving his arms, while a stampede of chairs came rumbling along after him. That’s my boy!

I searched the Interweb for more information, but it’s still unclear whether this video was filmed of real “Take-A-Seat” chairs in use, or if it’s simply the equivalent of stop-motion photography in order to visualize his concept.

While researching, I found a robotic chair created by Max Dean as a performance art sculpture — currently on display at Kitchener-Waterloo Children’s Museum (Sept 20, 2007 – Jan 6, 2008). Dean’s chair — definitely not for sitting upon — will fall over into pieces, then carefully rebuild itself before doing it all over again:

Not only is this chair entertaining, it displays some rather sophisticated robotics. It can find all of its missing pieces and attach them where they’re supposed to be connected before pulling itself back together again.

But even more interesting, I also found a short article in The Sydney Morning Herald (Australia) indicating that Macquarie University and the University of Technology, Sydney, were planning to begin phasing in robotic drones as shelvers. Due to the size of university collections, quite a few books are stored in non-public areas of the libraries. The drones would be used to search for and retrieve them as needed. They expect robotic drones to be in use by 2011.

Using robotic shelvers is not a new idea. Roboticists at the University Jaume I in Spain developed a prototype robot shelver in 2004. The robot could navigate itself to a shelf, read book titles, then withdraw a specific book and deliver it to the person waiting. At the time, they figured it would take about another 5 years before robots could realistically perform searching and fetching tasks.

I’d say they were right on target.

Resources
Link: Jelte van Geest (Dutch)
Link: Robotic Chair
Link: Waterloo Regional Children’s Museum
Link: Library drones would put shelvers in a bind
Link: Robots in Libraries

Shrinky Dinks — Now they’re Science!!

When Professor Michelle Khine began working at the University of California Merced last year, she was ready to get started with her research in microfluidic devices, but didn’t have access to a clean-room or the very expensive equipment needed to fabricate the tiny devices.  With no other choice, she went MacGyver on her limited resources and found a different way to make what she needed.

Khine and her team now create their design in AutoCAD, print it on Shrinky Dinks with a laser printer, and shrink it in a toaster oven.  The Shrinky Dinks apparently shrink faster than the ink, causing the ink to bulge outwards and making the whole thing a perfect mold for creating thin, rounded channels in PDMS, a clear synthetic rubber.

As a demonstration of the usefulness of microfluidic devices created this way, they’ve built a functional gradient generator, a simple device that mixes two colors of food coloring into a rainbow-like pattern, and shown that Chinese Hamster Ovary cells can easily flow through the channels; microfluidic devices are often used in biological research as well.

Although this wasn’t originally her intention, Professor Khine says “This is certainly becoming a major thrust of my research.”

Link: Shrinky-Dink microfluidics: rapid generation of deep and rounded patterns

Moon Colonization and Sovereign Rights: NASA vs The Lunar Embassy

It appears that NASA’s Moon colonization project, currently planned for around 2020, may tread on the sovereign rights of the Galactic Government and the property rights of everyone who has purchased Lunar property from the Lunar Embassy.

I first posted an article excerpt about Dennis Hope and the Lunar Embassy four years ago.  At the time, I thought he had made interesting use of a loophole in the 1967 “Outer Space Treaty,” under which all signatory countries agreed that they could not claim sovereignty or control over any of the other planets, moons, or solar bodies in our solar system.  Hope realized the treaty only prevented governments from claiming them, but nothing prevented him, as an individual, from claiming ownership.

So in 1980, he filed a claim declaration at his local courthouse and sent letters to the governments of the United States, the Soviet Union, and the United Nations stating his ownership rights and his intention to subdivide and sell parcels of the Moon, Mars, and other planets in the solar system; if they had a problem with this, they should contact him.  According to the 2003 article, he never heard from any of them regarding his claim. So he set up shop and has been selling Moon acreage at $19.99 an acre, plus $1.51 in Lunar tax, for more than 20 years.

However, I recently learned — gotta love the Discovery Channel — that NASA has begun a long term project to return to the Moon: beginning further exploration to locate rocks that contain water, learning how to extract water and oxygen from them, and figuring out ways to deal with lunar dust, all with the intent of eventually building a permanent outpost or colony.  Their first experiment, looking for water, happens next year.  They expect to have a mostly self sustaining colony in place by 2020.  All very cool stuff.

But to me, this seems to be somewhat at odds with the goals and direction of Dennis Hope and the Lunar Embassy.  Mind you, exploration itself doesn’t seem to be a problem.  The FAQ page of the Lunar Embassy indicates that NASA is allowed and encouraged to explore the Moon and other Celestial bodies — providing they don’t permanently setup shop there.  So I was curious what the “official” stance of the Lunar Embassy was concerning NASA’s planned colonization and asked them about it via their website:

Eric: How does NASA’s new lunar colonization program affect your ownership of the Moon and, ultimately, other extraterrestrial bodies?

Dennis: First of all NASA is an extension of the US Government.  According to the 1967 “Outer Space Treaty,” of which the USA is a signatory, article two states, “No nation by appropriation shall have sovereignty or control over any of the satellite bodies.”  This means no government on Earth may own, control, or have the right to create or effectively enforce laws on these planetary bodies.  So to answer the first question, NASA has no control over what we do with the claimed properties of Dr. Dennis M. Hope in 1980.

Eric: I see that they are planning further exploration, beginning next year, and expect to semi-permanently house colonists by 2020.  Have they purchased land for this colonization or negotiated rights to do so? If not, do you expect to take legal action to enforce your property and rights?

Dennis: We are planning to start building a City on the Moon in 2012.  Again because of the Outer Space Treaty of 1967 they are not allowed to own land.  Their words, not mine.

Eric: I’m also curious of the ramifications if the chosen NASA colony site happens to be on property already deeded to someone else …

Dennis: By the time NASA is funded to create a colony on the Moon we will have been there for 8 years.  The Galactic Government is the governing body for all planets except Earth in this solar system.

That part about building a city is pretty cool.  I double-checked the Lunar Embassy site and found that they plan on building a large pyramid-shaped city (enclosed, of course) that would be 3 kilometers wide at the base and a little over 2 kilometers tall.  They expect it to house up to 2 million people!  This is a huge project and would be very expensive; there are apparently other programs underway at the Lunar Embassy that are expected to eventually pay for this extraterrestrial construction job.

While researching the NASA site to see if they would be cooperating with the Lunar Embassy, I found a document from the NASA Oral History Project[PDF], where Edward Frankle is being interviewed by Sandra Johnson on November 18, 2003.  Near the end of the interview, pages 67-70, they briefly discuss ownership of celestial bodies and even mention the Lunar Embassy.  Unfortunately, it’s pretty plain from this discussion that NASA has little regard for Dennis’ ownership claims.

In light of this, I’ve sent off a very short list of follow-up questions to Dennis Hope, but unfortunately, I have not yet received an answer.

I am also trying to find an appropriate person at NASA for a similar list of questions.

Simple VPN Setup on Unix Systems by Tunneling IP Traffic over SSH

With the prevalence of VPN appliances on the market today, this is decidedly an old-school method of creating a VPN link between networks.  However, there are some distinct advantages to using IP/SSH Tunnels that aren’t always available from an appliance.

[Image: simplified map of a tunneled VPN network]

Most network VPN solutions require both ends of the VPN connection to have static, Internet-accessible IP addresses.  But for a variety of reasons, it may not be possible for the remote location to get a static IP from the ISP.  In some cases, acquiring an Internet-accessible IP at all may not be possible: there may be firewalls or NAT’d (Network Address Translation / masquerading) gateways between the remote office and the Internet.  Or, simply, Unix servers may already exist at both locations, negating the need to purchase more hardware.

This article describes how to set up and configure a VPN connection via SSH/IP tunneling between two Unix servers.  The image above is a simplified map of a tunneled VPN network.

To implement an IP/SSH Tunnel, a unix system must be available on both ends of the VPN connection.  In most cases, this doesn’t have to be a dedicated machine.  Unless you are planning on having a large number of Tunneled VPN connections, this process can be piggy-backed on a unix system already performing another function, such as file-sharing or the local email server.
ASSUMPTIONS

For the purposes of this document, I’ll make some assumptions about the networks and servers on both sides of the VPN connection.  Both tunneling systems will act as routers for traffic between the networks across the VPN tunnel.

The VPN machine at the Main Office will have the following configuration:
– Server name: mainoffice
– Internet IP: 123.45.67.89
– Local Network: 192.168.3.x
– LAN IP: 192.168.3.11
– Local Default Router 192.168.3.1
– VPN name: vpn-main
– VPN IP: 10.0.0.1

The VPN machine at the Remote Office will have the following configuration:
– Server name: remoteoffice1
– Internet IP is dynamically assigned by ISP
– Local Network: 192.168.5.x
– LAN IP: 192.168.5.11
– Local Default Router 192.168.5.11
– VPN name: vpn-remote1
– VPN IP: 10.0.0.2

We assume that the machines have already been configured, connected to their local networks, and that Internet connections for each network have already been established.  We also assume that all required software has been installed and that ssh (Secure Shell) is running on both machines.

For this document, I’ll further assume that both systems being described are running NetBSD, although any version of *BSD or Linux, as well as many other unices, will work with varying degrees of effort.
SOFTWARE

Although the following software is required, its installation is beyond the scope of this article.

pppd
The Point to Point Protocol daemon is included as part of the base installation of NetBSD and many other unix operating systems.

OpenSSH
This is also included in the base installation of NetBSD and most other unicies.  If not included with your OS, check www.openssh.com/ for binary installations and/or source code.

pty-redir
This is a small application that allocates a pty (pseudo terminal) and redirects stdio (standard input/output) to that pty.  It can be found in the NetBSD Package System.  It can also be found on the Internet at the following locations:
ftp.vein.hu/pub/ssa/contrib/mag/pty-redir-0.1.tar.gz
bleu.west.spy.net/~dustin/soft/pty-redir-0.1.tar.gz

ssh-ip-tunnel
This is the application that makes VPN over pppd work.  It can also be found in the NetBSD Package System as well as at the following Internet location:
bleu.west.spy.net/~dustin/soft/vpn-1.0.tar.gz

Once both systems, mainoffice and remoteoffice1, are connected to the Internet and all the pre-requisite software has been installed, we can begin configuring them.
CREATE VPN ACCOUNTS

For security’s sake, we have to create a user group and account to manage the VPN connections on each system.  This group and account should NOT have any special access or authority.  As root (Superuser/Administrator) on each system, we can create the group and account with the following commands:

# groupadd vpn
# useradd -m -c "VPN User" -G vpn vpnuser
# mkdir /home/vpnuser/.ssh

This creates the user group ‘vpn’ and a user account ‘vpnuser’ as a member of the ‘vpn’ group.

It’s very important that these are locked accounts, i.e. that they have no usable password, since the only way anyone should ever authenticate as ‘vpnuser’ is with the SSH key created below.  On NetBSD, this is the default for accounts created with useradd: the password field of the entry in /etc/master.passwd contains only asterisks.  On another unix, ensure that nothing but an asterisk ("*") is in the password field of /etc/shadow.

NetBSD (/etc/master.passwd):
vpnuser:*************:1002:1100::0:0:VPN User:/home/vpnuser:/bin/csh

Other unix (/etc/shadow):
vpnuser:*:11933::::::
ADD VPN IP

Add the IP addresses that will be used by pppd’s VPN interfaces to the /etc/hosts file on both systems:

10.0.0.1   vpn-main
10.0.0.2   vpn-remote1

On the remote server, remoteoffice1, add the Internet IP for the Main Office’s VPN machine to the /etc/hosts file:

123.45.67.89   mainoffice
CONFIGURE SSH

Since the account ‘vpnuser’ is locked, password authentication cannot work for it, so Public Key authentication must be enabled in order for it to log in from remoteoffice1 to mainoffice.  On the Main Office machine, mainoffice, modify the sshd configuration file (usually /etc/ssh/sshd_config) to allow Public Key authentication by removing the comment character from the line reading:

#PubkeyAuthentication yes

So that it reads as:

PubkeyAuthentication yes

(The commented-out line shows sshd’s built-in default, which is already “yes”; this step only matters if someone has previously turned it off.  After editing, restart sshd so the change takes effect.)
CREATE & EXCHANGE SSH KEYS

Now that Public Key authentication is allowed, we must generate a public/private key pair for the ‘vpnuser’ account on remoteoffice1.  As root, enter the following commands:

# ssh-keygen -t dsa -f /home/vpnuser/.ssh/id_dsa -C "remoteoffice1" -N ''
# ssh-keygen -t rsa -f /home/vpnuser/.ssh/id_rsa -C "remoteoffice1" -N ''

Note that we use the “-N ''” parameter to generate these keys with empty pass-phrases because we want to be able to manage the VPN connections via scripts.  Requiring the pass-phrase to be entered each time the VPN is started would be cumbersome at best and would make automating the process virtually impossible.  Because the private keys are unprotected, they must never leave remoteoffice1 and must stay readable only by ‘vpnuser’ (see the permissions step below).  Also note that OpenSSH 7.0 and later no longer accept DSA keys by default, so on a current system only the RSA key will actually be used; the DSA key is only there for older servers.
ASSEMBLE & DISTRIBUTE AUTHORIZED KEYS

Once the key-pairs have been generated, you’ll need to assemble the public-keys into a file and transfer it to the server at Main Office.

As root, concatenate the public keys into one file:
# cd /home/vpnuser/.ssh
# cat id_*.pub > public_keys.remoteoffice1

Copy the public_keys.remoteoffice1 file to the mainoffice server.  You can do this either via sneaker-net or by using another account on mainoffice.  Once you have it on mainoffice, append it to the authorized_keys file.  Use “>>” rather than “>” so that keys from other remote offices added later are not silently overwritten; the separate authorized_keys2 file is a legacy name that current OpenSSH does not need.

# cd /home/vpnuser/.ssh
# cat public_keys.remoteoffice1 >> authorized_keys

Now, on both systems, mainoffice and remoteoffice1, set the correct ownership and permissions of the vpnuser files.  This matters for more than tidiness: with its default StrictModes setting, sshd refuses to use an authorized_keys file that lives in a home or .ssh directory writable by other users.

# chown -R vpnuser /home/vpnuser/.ssh
# chmod 700 /home/vpnuser/.ssh
# chmod 600 /home/vpnuser/.ssh/*
# chmod 644 /home/vpnuser/.ssh/*.pub
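Appending with cat works for one remote office, but once several offices share the vpnuser account it is easy to install the same key twice or clobber another office’s key.  The following helper is an added example written for this article; it is not part of ssh-ip-tunnel or OpenSSH.  It installs every public-key line from a public_keys.remoteofficeN file into authorized_keys exactly once, prefixes each key with options that deny port, X11 and agent forwarding (on the assumption, based on how ssh-ip-tunnel is described above, that the tunnel only needs the plain session channel to run pppd over), and sets the directory and file modes that StrictModes requires.  The home directory and key-file paths are parameters so it can be tried on a scratch directory before touching /home/vpnuser.

```shell
#!/bin/sh
# install_vpn_key -- add one remote office's public keys to vpnuser's
# authorized_keys without duplicating or clobbering existing keys.
# Added example for this article; not part of ssh-ip-tunnel or OpenSSH.
#
# Usage: install_vpn_key <home-of-vpnuser> <public_keys.remoteofficeN>
# Prints the number of keys added.  Run as root, then chown as in the text.
#
# Assumption: the tunnel only uses the ssh session channel (pppd over
# stdio), so forbidding forwarding on the key does not affect it.

install_vpn_key() {
    home=$1
    keyfile=$2
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    opts='no-port-forwarding,no-X11-forwarding,no-agent-forwarding'

    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }
    mkdir -p "$sshdir" || return 1
    touch "$auth" || return 1

    added=0
    # Each line of a .pub file is "<type> <base64 blob> [comment]".
    while read -r ktype kdata comment; do
        # Skip blank lines and anything that is not a bare public-key line
        # (lines that already carry options are left for a human to review).
        case "$ktype" in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
            *) continue ;;
        esac
        # The base64 blob uniquely identifies the key; skip it if present.
        if grep -F -q -- "$kdata" "$auth"; then
            continue
        fi
        printf '%s %s %s%s\n' "$opts" "$ktype" "$kdata" \
            "${comment:+ $comment}" >> "$auth"
        added=$((added + 1))
    done < "$keyfile"

    # sshd (StrictModes) rejects keys in directories writable by others.
    chmod 700 "$sshdir" && chmod 600 "$auth" || return 1
    echo "$added"
}

# When run as a script: install_vpn_key /home/vpnuser public_keys.remoteoffice1
if [ $# -eq 2 ]; then
    install_vpn_key "$1" "$2"
fi
```

Running it a second time with the same file adds nothing, so it is safe to re-run after every key rotation; the chown -R step from the text still has to follow it when the target is the real /home/vpnuser.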
CONFIGURE TUNNEL

The package ‘ssh-ip-tunnel’ was previously named ‘vpn.’  But since there are numerous methods of setting up a VPN, the developers renamed it to specifically indicate its particular VPN methodology.  The names of the files inside the package remain unchanged.  To read the man page for ssh-ip-tunnel, it is still ‘man vpn’.

The configuration for ssh-ip-tunnel is contained in peer files.  On NetBSD, these will be located in /usr/pkg/etc/vpn/peers, but on other unices, they may be located in /usr/local/etc/vpn/peers or /etc/vpn/peers.

On the Main Office server, mainoffice, create a peer file remoteoffice1 — since mainoffice doesn’t initiate the VPN connection, we only need the most basic configuration options:

#/usr/pkg/etc/vpn/peers/remoteoffice1
SSHUSER=vpnuser

On the Remote Office server, remoteoffice1, create a peer file named mainoffice.  Since remoteoffice1 initiates the VPN connection, this file is a bit more extensive.  PEER is the host that ssh connects to, i.e. the mainoffice entry added to /etc/hosts above, and the two PPP option strings name the PPP peer files created in the next section:

#/usr/pkg/etc/vpn/peers/mainoffice
SSH="/usr/bin/ssh -2"
PEER=mainoffice
SSHUSER=vpnuser
RSAKEY=/home/vpnuser/.ssh/id_rsa
LOCALPPP=/usr/sbin/pppd
LPPPOPTIONS="call vpn-main"
REMOTEPPP=/usr/sbin/pppd
RPPPOPTIONS="call vpn-remote1"

Note: the paths listed in these files are correct for NetBSD.  Your paths may differ, depending on the OS you are using.
CONFIGURE PPP

On the Main Office machine, mainoffice, create a PPP peer file:

#/etc/ppp/peers/vpn-remote1
#debug debug debug debug debug
mtu 1500
mru 1500
noauth
noipv6
10.0.0.1:10.0.0.2
netmask 255.255.255.0
linkname vpn-remote1
ipparam 192.168.5.0 # Network on other side of vpn-remote1

On remoteoffice1, at the Remote Office, create a PPP peer file:

#/etc/ppp/peers/vpn-main
#debug debug debug debug debug
mtu 1500
mru 1500
noauth
noipv6
netmask 255.255.255.0
linkname vpn-remote1
ipparam 192.168.3.0 # Network on other side of vpn-main
silent

Notice that the VPN link IP addresses are specified in the PPP peer file on mainoffice, the first file above.
TESTING

To test the configuration, login as root on the Remote Office machine, remoteoffice1, and enter the following commands:

# su vpnuser
{1} ssh -2 vpnuser@mainoffice

You will have to answer “yes” to the “continue connecting” question, but you should then be presented with a shell on mainoffice.  The “continue connecting” prompt only occurs the first time you log onto a particular system using ssh; answering it here records mainoffice’s host key in vpnuser’s known_hosts file, which is exactly why this manual login must be done before the scripted connection below is attempted.  Verify the fingerprint shown against the one on mainoffice (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub) before answering yes.

Assuming the above test worked correctly, test the vpn connection too.  The peer file ‘mainoffice’ lives on remoteoffice1, which is the side that initiates the connection, so log on to remoteoffice1 as root and enter the following command:

# vpn mainoffice authtest
MONITORING SCRIPT

Now that you can establish a VPN session from the Remote Office to the Main Office, you’ll need a method of monitoring the connection and restarting it as needed.  The following script can be installed on remoteoffice1 and, once started, will monitor the VPN connection and re-establish it if it goes down.  It pings the far end of the tunnel (vpn-main, 10.0.0.1 from /etc/hosts) rather than mainoffice’s Internet address, since the latter only proves the Internet link is up, not the tunnel:

#!/bin/sh
#
# vpnchk -- Monitor VPN Connection and restart as necessary.
#
# Two parameters are required:  vpnchk <peer> <vpn-link>
#   <peer>      the ssh-ip-tunnel peer name (e.g. mainoffice)
#   <vpn-link>  the PPP peer name, which is also the /etc/hosts name of
#               the VPN IP on the far end of the tunnel (e.g. vpn-main)
#
# Ping VPN_LINK approximately every 10 seconds. Keep track of
# failed pings by incrementing COUNT.  If pings are good, always reset
# COUNT back to zero.  Only take corrective action when the number of
# failed pings reaches THRESH(hold).  Notify root by mail whenever the
# status of the vpn connection has changed.
#
# Eric Fox
# http://fox.phoenix.az.us/
#
##########################################################################
#
PEER=${1}
VPN_LINK=${2}
MAILTO=root@localhost
VPN=/usr/pkg/sbin/vpn     # NetBSD path; adjust for other OSs
#
##########################################################################
if [ -z "${PEER}" ] || [ -z "${VPN_LINK}" ]; then
  echo "Syntax: vpnchk <peer> <vpn-link>"
  exit 1
fi
##########################################################################

# pppd on this side is started with "call ${VPN_LINK}" (LPPPOPTIONS in
# the ssh-ip-tunnel peer file), so this string identifies its process.
CHK_TEXT="call ${VPN_LINK}"

THRESH=3
COUNT=0

while : ; do  # loop forever
  if ping -c 5 "${VPN_LINK}" >/dev/null 2>&1 ; then
    COUNT=0
    if [ -f /tmp/.vpn-down ]; then
      rm -f /tmp/.vpn-down
      MSG="VPN Connection is -UP-: $(date '+%H:%M on %m/%d/%Y')"
      echo "${MSG}" | mailx -s "${MSG}" "${MAILTO}"
    fi
  else
    COUNT=$((COUNT + 1))
    if [ "${COUNT}" -ge "${THRESH}" ]; then
      if [ ! -f /tmp/.vpn-down ]; then
        touch /tmp/.vpn-down
        MSG="VPN Connection is DOWN: $(date '+%H:%M on %m/%d/%Y')"
        echo "${MSG}" | mailx -s "${MSG}" "${MAILTO}"
      fi
      # Kill any pppd left over from the dead tunnel before restarting.
      # SIGTERM lets pppd exit cleanly and run /etc/ppp/ip-down.
      PID=$(ps -awwjx | grep -v grep | grep "${CHK_TEXT}" | awk '{print $2}')
      if [ -n "${PID}" ]; then
        for xPID in ${PID} ; do kill -TERM "${xPID}" ; done
        COUNT=0
        sleep 60
      fi
      nohup "${VPN}" "${PEER}" start >/dev/null 2>&1 &
      sleep 150
    fi
  fi
  sleep 10
done

# end

Assuming the 'vpnchk' script was placed in /usr/local/sbin, simply run the following command as root on remoteoffice1:

/usr/local/sbin/vpnchk mainoffice
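
The fail-count and threshold logic above is what keeps a single lost ping from tearing down a healthy link, and the marker file is what keeps root from being mailed on every poll.  The following is an added example, not part of Eric Fox's vpnchk script: the same state machine with the ping and mailx calls factored out so it can be replayed against a constructed sequence of probe results.  The names vpn_step, vpn_run, STATE_FILE and EVENTS are this example's own.

```sh
#!/bin/sh
# Added example, not the original vpnchk: the same fail-count / threshold
# state machine with the probe (ping) and the mail call factored out, so the
# hysteresis and notify-once behaviour can be checked on a replayed sequence
# of probe results instead of a live VPN.  STATE_FILE stands in for the
# script's /tmp/.vpn-down marker; the names below are this example's own.
THRESH=3
STATE_FILE=${STATE_FILE:-/tmp/.vpnchk-demo-down.$$}
COUNT=0
EVENTS=""

# vpn_step ok|fail -- feed one probe result into the state machine.
# Appends DOWN/UP to EVENTS when the reported status changes (where vpnchk
# mails root) and RESTART where vpnchk would kill pppd and rerun 'vpn'.
vpn_step() {
  if [ "$1" = ok ]; then
    COUNT=0
    if [ -f "$STATE_FILE" ]; then        # recovery after a reported outage
      rm -f "$STATE_FILE"
      EVENTS="$EVENTS UP"
    fi
  else
    COUNT=$((COUNT + 1))
    if [ "$COUNT" -ge "$THRESH" ]; then  # sustained failure, not a blip
      if [ ! -f "$STATE_FILE" ]; then    # report only on the first crossing
        touch "$STATE_FILE"
        EVENTS="$EVENTS DOWN"
      fi
      EVENTS="$EVENTS RESTART"           # retried on every further poll
    fi
  fi
}

# vpn_run "ok fail ..." -- replay a space-separated probe sequence from a
# clean state and print the events emitted, space separated.
vpn_run() {
  rm -f "$STATE_FILE"
  COUNT=0
  EVENTS=""
  for r in $1; do
    vpn_step "$r"
  done
  rm -f "$STATE_FILE"
  echo "${EVENTS# }"
}

# Constructed sequence: two isolated failures (below THRESH, so silent),
# then a four-poll outage, then recovery.  Prints: DOWN RESTART RESTART UP
vpn_run "ok fail fail ok fail fail fail fail ok"
```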

NETWORK ROUTING

In order to perform routing, the systems must be able to perform IP forwarding.  On some unices this is on by default, and on others it must be specifically activated.

NetBSD falls into the latter category and must have IP Forwarding activated.  This can be done either by recompiling the kernel, or by use of the 'sysctl' command.  For simplicity, the use of 'sysctl' is documented here.

On both systems, mainoffice and remoteoffice1, enter the following command:

# /sbin/sysctl -w net.inet.ip.forwarding=1

Also add this command to the bottom of the /etc/rc.local file on both systems so it will be issued each time the system is rebooted.

On both systems, create 'ip-up' and 'ip-down' scripts to add/delete network routes when the VPN connection starts or has dropped:

#!/bin/sh
# /etc/ppp/ip-up
# Add route for REMOTE_NETWORK
##########################################################################
REMOTE_IP="${5}"
REMOTE_NETWORK="${6}"
if [ ! "${REMOTE_NETWORK}" = "" ]; then
  /sbin/route add -net ${REMOTE_NETWORK} ${REMOTE_IP}
fi

#!/bin/sh
# /etc/ppp/ip-down
# Delete route for REMOTE_NETWORK
##########################################################################
REMOTE_IP="${5}"
REMOTE_NETWORK="${6}"
if [ ! "${REMOTE_NETWORK}" = "" ]; then
  /sbin/route delete -net ${REMOTE_NETWORK} ${REMOTE_IP}
fi

Finally, if these systems are not the default routers for their respective networks, a route must be added to these default routers to route network traffic for each remote site to the local network’s VPN server.

Assuming the default router for Main Office is another NetBSD system, this can be accomplished by adding the following to the default router's /etc/netstart.local file:

/sbin/route add -net 192.168.5.0 192.168.3.14

CONCLUSION

Now, with the VPN in place you should be able to ping any machine on the 192.168.3.x network from any machine on the 192.168.5.x network, and vice versa, even though they may be in different offices, cities, or states, or even different countries.  The resources of both offices are now available to everyone as if they were all in the same building.

PSP Replacement needs Replacement

During the first weekend of the year, Son#2 downloaded new firmware for his PSP and attempted to perform an upgrade. But just before the firmware upgrade completed, his PSP’s screen suddenly went black. It had apparently died. When it was turned on, the power light would come on, but the screen would remain blank. It was “bricked,” as we later learned on the Internet.

We googled for hours, searching in vain for a way to recover it, but instead found hundreds of horror stories of people whose PSPs had been bricked, and of the draconian “support” they had received from Sony. Our only real choice was to send it back to Sony for service.

Son#2 had purchased it with “birthday” money from a local Walmart a few months back, so it was well within the 12 month warranty period. However, we couldn’t find the receipt and, being a cash purchase, didn’t have any other documentation Sony would accept as proof of purchase. Comparing notes we were able to narrow the purchase date down to a two week period and a very helpful Walmart Manager was able to locate the purchase in their Transactions database and printed a copy of it for us.

So on January 10th, Son#2’s PSP was shipped off to Laredo, Texas, for repair or replacement, at Sony’s discretion.

Late yesterday afternoon, I received a call from an excited Son#2: his replacement PSP had arrived! He was quite happy to have it back.

Today, less than 24 hours after arriving, the replacement PSP began failing. When UMDs (PSP game disk-cartridges) were inserted, the PSP would attempt to read them, but would fail: disk is unreadable. We tried several times with different UMDs, and always got the same results: the disk would spin up for about 2 seconds, then would stop.

I’ve already called Sony, and this PSP will be shipped back to them tomorrow. Judging from the previous time, we should see the repaired/replacement unit in about two weeks.

While on the phone making arrangements for this machine to go back, the support representative informed me — as they had the previous time — that our original PSP had a 12 month warranty, that replacement PSPs come with a 90 day warranty, and that our effective warranty would be either 90 days or the remainder of our 12 month warranty, whichever is longer.

My suggestion that they extend our original warranty by the 4 weeks Son#2 will have been without his PSP fell on deaf ears. Considering all that we’ve heard about Sony in the news in recent months, I wasn’t surprised.

Domain Name “Add/Drop” Abuse

We’ve all seen them while searching the web. Sites that are comprised entirely of click-advertisements. What I hadn’t realized before, was just how large a problem this is.

Bob Parsons, CEO and Founder of GoDaddy.com, writes in his blog, Hot Points, about domain name “add/drop” abuse — the practice of registering a domain name, dropping the registration for a full refund just before the five day Add Grace Period ends, then re-registering the domain and doing it all over again. While the domain is registered, the owner puts up a page on the site that is comprised entirely of advertisement links based on, or loosely categorized by, the domain name. This abuse of the domain registration process can lock up domain names indefinitely without costing the abuser a dime while they turn a potential profit from the advertisement links.

I’ve personally watched as two domain names we’ve been patiently waiting to expire were caught up in this abuse. If we’re very lucky, they won’t be profitable and we’ll get a chance at them again down the road, but if they earn so much as a dime, they can be lost virtually forever.

Bob points out that this form of abuse is on the rise, increasing by 1500% in just one year — nearly 30 million domain names!

He also suggests a likely solution. ICANN (Internet Corporation for Assigned Names and Numbers) currently collects a $.25 fee for every domain name registration kept past the grace period — a fee they are not getting from “add/drop” domains. Bob suggests ICANN change their policy to make the 25 cent fee non-refundable and collect it at time of registration. Although he believes this will cause the “add/drop” abuse to stop immediately, it requires ICANN to take action, something they have historically been slow to do.

Frankly, I agree that this would be a win/win solution to the problem. This small fee would definitely stop add/drop abuse, is not so much as to cause a hardship on a registrant that may make a legitimate error, and would provide a fractional increase of registration fees collected by ICANN due to these occasional errors.

End of Support: Windows 98 and Me

In July, Microsoft will no longer support Windows 98, 98SE, or Me.

In late 2002, Microsoft published a new Life-Cycle Policy, stating that Windows 98, 98SE and Me would reach End of Life in 2003 and 2004. Although these versions of Windows are no longer available, they have continued to receive certain updates, such as security patches, and many people with older computers continue to use them today. However, in July, the risk of continuing to operate computers with these old versions of Windows will increase.

This last January, Microsoft published an End of Support statement, saying that they will no longer be providing support or updates for these versions of Windows past July 11, 2006. Although they indicate that they will continue to provide access to already existing documentation and patches, I suspect it will only be a matter of time before these are also no longer available.

So, what are your options? Microsoft, of course, would have you purchase a new version of Windows, such as XP Home or Professional, to replace your no-longer-supported version. Unfortunately, many of the systems currently running Windows 98/98SE/Me simply don’t have the speed or memory resources required to support XP, or even Windows 2000. Depending on the age of your hardware, you might be able to get away with increasing your memory to 512MB or greater — I know of a couple of 750MHz Pentium III systems with 512MB of RAM that are running Windows XP Home, but they tend to run very, very slowly. To get adequate use out of XP, you will probably have to replace your computer.

Whether or not you decide to replace your system, this might be an opportunity to look at an alternative to Windows for your aging machine: NetBSD, FreeBSD, OpenBSD, or one of the many Linux distributions — all of which perform rather well on these older computers as well as today’s hottest systems.

New Critical Updates for Microsoft Products

There are various headlines this week regarding Microsoft’s release of new ‘critical’ updates for Windows, Office, and other products. In all, there appear to be patches for 20 different vulnerabilities. Although all but one of the patches are already included in XP Service Pack 2, the one that’s not covers multiple security issues with Internet Explorer.

The most severe vulnerability being fixed is one that would allow an attacker to take complete control over the affected machine, allowing them to remotely run programs — most likely turning the system into a zombie for sending spam or for participating in Distributed Denial of Service attacks on other systems.

Regardless of the version of Microsoft Windows you use, if you haven’t done so in the last couple of days, you should run Windows Update today and at least install the Critical updates. Microsoft has committed to publish updates once a month, but I would recommend you check for updates every week, or turn on Automatic Updates.

Trojan Horse: Downloader.Lunii

Excerpt of “New Trojan program squashes adware” by Paul Roberts on ComputerWorld:

A new Trojan horse program that attacks and removes troublesome advertising software, known as adware, is circulating on the Internet, according to antivirus company Symantec Corp.

The program, called Downloader.Lunii, was discovered on Monday. When run, it attempts to kill off computer processes and delete files used by common adware programs like Powerscan and BargainBuddy. However, Lunii isn’t entirely benevolent. Like other Trojan horse programs, it also modifies the configuration of Microsoft Windows machines and attempts to download files from a remote location, Symantec warned.

This Trojan horse propagates via email. I have maintained for some time now that executable programs have no business being sent via email. If they were blocked automatically by mail servers, the number of virus, worm, and trojan incidents would drop significantly. It may sound heavy-handed, but this is a very easy solution to implement and is very effective.