|
|
 |
|
There are actually a fair number of problems involved with implementing Wi-Fi Protected Access (WPA) on a wireless network, as I've discovered over the past month or two. I've mentioned the missing supplicant problem here before (see my entry for February 5, 2004 entry) and things are getting better: If you're using Windows 2000, WPA Assistant works great and it's a free download. For XP, you can download a free patch containing a supplicant from Microsoft, and it's here. Mac OS/X Panther comes with a WPA supplicant. For other OSes, you'll probably have to pay $40 for Meetinghouse Data's Aegis. This situation should improve over time; I expect an open source suuplicant for Linux at some point, and Win9x, well, let us pray. Another, even bigger and less solvable problem is that the vast majority of existing Wi-Fi products don't support WPA and probably never will. A thin handful can be upgraded through firmware, drivers, or both—but most of that is Wireless-G. If you're all Wireless-B, and if your gear isn't extremely recent, you should abandon all hope of an upgrade. Worse, there's really no such thing as a "mixed security" network. It's either WEP, or it's WPA. A wireless access point is a hub, and it's only got one radio. Trying to mix security technologies in a single AP basically reverts to the least common denominator, WEP. My own situation here was interesting: I was planning on upgrading my entire network to WPA-compatible Wireless-G, and found that Carol's ancient Compaq would not cooperate with any Wireless-G client adapter. This made me grind my teeth pretty hard, but then I tried something: I hung my ancient and venerable Cisco Aironet 340 access point off my sparkling new Linksys WRT54G wireless gateway. The Aironet line defaults to requesting an address from the local DHCP server, so I plugged it into the WRT54G, and it just worked. I configured the WRT54G for G-Only WPA on Channel 1, and the 340 for Wireless-B WEP on Channel 11. Carol's old machine connects through the 340, and my three machines connect through the WRT54G. The two wireless units have separate SSIDs, which is nominally a no-no, but only if you need to support roaming. They play well together, even though the two APs are less than four feet apart. Keep this in mind if you have old hardware that just won't go Wireless-G or WPA: You can have a second network on a different channel running legacy Wireless-B, and everybody can happily network and share a broadband Net connection. |
|
|
Well, it's official: My next book project will be Degunking Email, Spam, and Viruses, and it should come out sometime this fall. It won't be a huge book and it shouldn't take too long to write. I will admit that I have another book project I want to do really badly (and I've spoken with some of you about it) but we need this one to build the Paraglyph product line and extend the Degunking brand a little. There's a lot to say. For example, you can block a lot of spam by searching for the following short strings in a message body: http://www.% These are all real-world (I have the messages where I found them in the deep freeze) spammer obfuscations of the first part of nearly all Web URLs, and because they're obfuscations, legitimate email will never contain them. (The trick is that HTML allows you to substitute a numeric escape like "%77" for an ASCII character like "w"—though nobody needs to go to that trouble but spammers.) However, what we really need to fight spam is something we don't yet have: A client-side spam payload black hole mechanism. In spam-fighting jargon, a "black hole" is a blacklist of IP addresses known to belong to spammers. Spamhaus and SPEWS are the best known—and the most hated, at least in part because they are put together by people so maddened by the spam wars that they will blacklist very indiscriminately, and un-list almost never, even when an IP changes hands. However, the real problem with black holes is that they are server-side spam filtering, which assumes that one solution, one set of banned keywords and IPs, will do for all people. There are actually people (in the medical field) who need to talk about drugs like Xanax and Cialis and Ambien, and a lot of server-side spam filters nuke any message containing those terms. (I wouldn't want to be a urologist trying to work with peers and patients over email these days.) Worst of all, you don't know what messages you're not getting. With client-side spam filtering you can at least spot-check your trash folder. If your ISP does it, well, you have no way of knowing how well their filters are working...or overworking. To me, even one false positive is unacceptable, and therefore, server-side spam filtering is worse than none at all. The Indy components for Delphi contain a DNS resolver component, so creating a utility that builds a database of what domains point to what IPs should be easy to do—and very illuminating. I recently hand-checked a sample of 50 "payload" (within the message body) spam domains, the ones that can't be spoofed without defeating the purpose of the message, and it's amazing how many point to the same block of IPs—or even the same single IP! If a mail client could parse out URLs and resolve them to IPs, we could finesse the problem of bulk domain sales, which allow a spammer to use a domain for a few days and then abandon it. IPs are much harder to come by than domains. A client-side payload black hole would be useful because it would be conservatively maintained—by the user—and remain under the user's control. (Sender black holes are increasingly irrelevant because so much spam forges the "from" field.) Doing the book will be fun. I won't be starting it for another month or so—I need to get into my house, dammit!—but I'll keep you posted as it happens. |
|
|
Ash Wednesday. Lent is not my favorite season. I spent my Catholic youth up to my nostrils in penitential sacramentality, and it's taken me a long time to get over it. I'm mostly there; St. Raphael's parish here is about as close to perfect a Catholic parish as I've seen in my years-long search—and it's Episcopalian. The boundaries are slippery, but there's something called Anglo-Catholicism, and...well, that may have to be an entry for another time. Right now, I'm kind of exhausted, but I wanted to relate a quick story of why I really love St. Raphael's. We went to the small noon service for Ash Wednesday, a quiet, music-less Mass with ashes distributed after the sermon. I hadn't had ashes put on my forehead for a lot of years, nor had I seen a church with the statues and crucifixes covered with violet cloth for even longer—the Romans don't do such things anymore. Carol was acting as acolyte—an adult altar girl—and I was in the pew by myself. It was hard to see something as deeply mythic as the enshrouded crosses without thinking back to my own childhood, and remembering being in the pews with my parents during Lent, with all the statues covered and in the air that inescapable sense of misdirected contemplation that somehow always came across as gloom. As Deacon Edwina made the ashy cross on my forward, whispering, "Remember that you are dust, and to dust you will return," I could only think of my father, who became dust far sooner than the father of a confused and anxious young man should. There were tears on my cheeks as I walked back to my pew, and as I began to kneel again, a little girl in the next pew back (whom I didn't know) reached out and touched my shoulder. "Why are you crying?" she asked, her face full of concern. "I was thinking of my father," I said, trying to smile and failing, "who died a long time ago." She didn't say anything in reply, but she leaned over the pew, put her arms around my waist, and gave me a quick hug. I was thunderstruck. She was maybe nine years old, and I had never seen her before. (Her family goes to the 8:00 liturgy, and we attend the 10:30.) There are times that I find myself thinking that cynicism has won, and we who believe that all manner of thing will (eventually) be well should just pack it in. But at that moment I felt that if a nine-year-old girl will reach out to comfort an old bald guy she doesn't even know, well, the Bad Guys don't have a chance in Hell. And on Ash Wednesday, to boot. The contrarian moment passed, and I felt wonderful all afternoon. What power our children have over us! |
|
|
For reasons still unclear, the book listing for Degunking Windows on Amazon is an utter mess. In recent days I've gotten half a dozen emails from people who have gone to Amazon to look at the book's entry, only to find that (at various times):
|
|
|
Something weird happened to me the other day: I was doing some Web research (ironically, on viruses delivered via spam) when something changed the home page on IE. I don't remember seeing one of those boxes asking permission to change my home page (and I have drive-by installs disabled) but suddenly IE went to some spammer site and started pushing ad pages at me. I ran all the usual checks for viruses and things and found nothing. How it happened remains a mystery, but I know enough about IE to figure it's not evil spirits. No, that was the deal-breaker. I've felt IE to be a little dicey for some time now, if for its ubiquity (and hence its high profile for attacks) if not its security flaws. So I downloaded and installed Firefox, the new small-footprint Web browser to come out of the Mozilla project. I tried Mozilla some time back (yeek, it was well over a year ago, maybe closer to two years) and at the time didn't need most of the stuff that came with it. I'm impressed enough with Firefox that I may now try Thunderbird, the Mozilla email client—and possibly, once again, the whole Mozilla shebang. Firefox (like all the Mozilla projects) is free. It has a built-in pop-up suppressor that works quite well, and a neat search field in the upper right corner with a drop-down list to which I added all the search engines I typically use. The rendering is every bit as good as IE's, and it's perceptibly faster on this pokey old Pentium 550 that I'm using until we get into the new house. If you're nervous about exploits that target IE, I think it's an excellent substitute, and free at that. Highly recommended. |
|
|
We got our "certificate of occupancy" yesterday for the new house. It was actually issued a while back, and sat on some city functionary's desk for almost a month because nobody asked for it: We didn't know it existed, and the builder didn't think we wanted to move in yet. Our banker explained the whole thing to us, and I felt like Dorothy in Oz when he told us that we always had the ability to move into the house—at least once the certificate of occupancy had been issued. We didn't need to close, in a real estate sense. "Closing" in our case is the process of making sure all the bills are paid and all the mechanics' leins are removed from the property to establish clear title with us and the bank. We have actually owned it all along, at every stage since groundbreaking, because the developer has been taking draws from our construction loan. I guess at some level I knew all that, but I've had a lot of other things on my mind. (Ha!) We sanded shelves yesterday and will probably be doing more of that today, tomorrow we'll be sealing grout, and in a few days we'll be having furniture delivered. There's some minor fixup work still to be done (and a mirror to be hung in the bathroom) but it's all pretty routine. To celebrate "getting" the house, I hauled four boxes of electronics parts up there and piled them in the basement. Mine! Mine, right now! (Dogs and tigers pee on things; I have to stack boxes of vacuum tubes as evidence of dominion.) We've already scheduled phone and cable installation, and Carol is interviewing moving companies. Unlike Dorothy, we'll have to do more than just click our heels together three times to get everything up there. It's going to take some work—but at least the work can now begin. (Sidenote: Yesterday, Degunking Windows peaked at #21 on all of Amazon. We beat The South Beach Diet! The Da Vinci Code is in our sights!) |
|
|
A few odd lots before I get back to work on my Wi-Fi book revision:
|
|
|
Way
too much going on today (I've been up since 4:30AM) but I did want to brag
that Degunking
Windows hit #41 on Amazon today, and #1 on the
Amazon list of best-selling computer books. (Amazon stack rankings change
often, so by the time you click the link it may no longer be so.) That's
significantly better than any other book with my name on it has ever done.
So I'm exhausted, but I'm happy. More tomorrow.
|
|
|
I was enjoying it! Egad. Here's a man who grew up in Chicago shoveling snow and hating it, who moved to Rochester NY where he lived for six years, shoveling snow and hating it, and from there to Baltimore, where he shoveled less snow (and for only two winters) but hated it just as much. So how could it be, that after 19 years without shoveling snow at all, I could find myself flinging it with abandon in 8° weather and reveling in the experience? The photo above (taken the day I was shoveling so joyfully) should give you a hint: Here in Colorado, snow is generally beautiful. It doesn't stay around that long, either. There is so much sun here that within a few days, most of the snow is gone anywhere the sun shines, and the streets are dry. Back in Chicago, the snow hung around all winter, getting first gray and then black, and finally (sometime toward the end of March) turning into the most disgusting slush you could imagine, filthy with motor oil, salt, and chunks of pavement carved by endless wheels out of the spring's crop of potholes. In Chicago, winters are so gray that people buy full-spectrum lights to keep from getting suicidal. Here, the sun shines virtually every day, and facial sunburn is an issue even in February. I may get a snowblower eventually—we have a lot of sidewalk, though thankfully not much driveway. However, the exercise was welcome, and the dazzle on the pure-white snowfall was so gorgeous that I was glad for the opportunity. (Yes, my dear sister, you can feel free to razz me about this for the rest of my mortal life!) |
|
|
Henry Guzman alerted me to the fact that Wireless Security Corporation is releasing their Windows 2000 WPA supplicant utility as freeware. The news release is here and the download page for WPA Assistant is here. This at least partly ameliorates the problem I reported in my February 5, 2004 entry: That most Wi-Fi hardware vendors are not shipping a WPA supplicant utility with their WPA-certified client adapters. Windows XP has a built-in supplicant; heretofore, everybody else (including users of the corporate favorite Windows 2000) has had to pay $40+ per seat for a third-party supplicant utility. In my view, that borders on fraud. For those OSes without a supplicant, the supplicant should be installed with or as part of the client utility. Period. I downloaded WPA Assistant but have not tried it yet. We're closing in on closing and it's just making us crazy. I expect to put the utility through its paces this weekend or early next week, and I'll let you know how it goes. Now we just need a free supplicant for Windows 98 and Linux. I'll be watching, but if you spot one do send me a note. |
|
|
One of the things I'm going to do once we're in the new house is establish a media server, which is going to allow us to display our digital camera and scanned photos on our new TV set, and probably watch out home movies there as well, once we have some home movies. (I have four tapes full of the house construction, but haven't converted them to MPEGs yet. All I need is a second—parallel—life to do all this stuff.). The nice thing about servers is that you don't have to fool with them that much, and it's pointless to devote a separate keyboard or display to them. You do have to administer servers somehow, and I've become intrigued with the notion of using a remote control utility to create a "headless" windows system. There are quite a few of these, most of them based on an open source project called VNC (Virtual Network Computing) which has forked into numerous separate implementations, including RealVNC and TightVNC. Probably the best gatherum of VNC information is at the VNC FAQ-O-Matic. It has certainly made my early research easier. With VNC, you can control a Windows system (or a Mac or Linux system for that matter) over a reasonably fast TCP/IP connection, with a (more or less) realtime simulation of the remote desktop. 10-15 frames per second is typical, and more than fast enough for server admin. I have CAT5 cables running throughout my house, so I suspect my home network will be more than fast enough to run VNC—and it's not like I'm trying to play fast frame-rate video games or anything. (Some say you can do that too, though I'm skeptical.) I'm also intrigued by Kaboodle, which is a freeware network management tool that acts as a manager for VNC sessions across a LAN. The VNC technology suggests something even more interesting: A headless wardriving box administered via VNC through a Wi-Fi connection, and mounted literally in the open sunroof of my 4Runner. That way, there'd be no signal loss in coax from an antenna to the computer, since the antenna would be mounted on the box that contains the mini-ITX motherboard itself. It would be nice if NetStumbler ran as a service, but it's certainly possible to load it and run it on reboot. No I/O except for a speaker to honk when it picks up a node. As you can tell, I am veritably itching to get my hands dirty and make metal shavings again. I haven't had a workshop for a year now, and I miss it badly. This would entail some relatively simple sheet metal work, but that's about all, and it would good practice fooling with the Mini-ITX, on which I think there's plenty of room for a good terse book. Quick, where's my drill press and sheet metal shear? |
|
|
Earlier this afternoon, we had Pillar to Post (a house inspection company) come out and go through our new house with a magnifier and a paranoid attitude, to see if they'd spot anything we had missed before hurtling headlong to closing some time next week. They were nothing if not thorough, and left no valve undisturbed and no button un-pushed. As part of that process, they filled our whirlpool bathtub with water...and then pushed the whirlpool button. Erk. Water began gushing furiously somewhere under the tub. Brett (the inspector) turned the jets off, but by the time he did at least ten gallons of water had gushed from a broken pipe underneath the tub, and had gleefully escaped into the heating ducts and down onto the ceiling of the guest bedroom immediately below it. It's a mess. I'm too aggravated and tired to say much more tonight. The builder is working on it. But boy, this whole house endgame is really starting to get under my skin. |
|
|
On the other hand (see my entry for February 5, 2004) Linksys has begun doing something good and literally outside the box: They're using GPL'd open-source code in their firmware. This means that they must share the code with the world at large, and the world has responded by doing a lot of really interesting things, including creating small-footprint installs of Linux that run off the WRT54G wireless gateway. Broadband Reports recently ran a piece on tinkering the WRT54G firmware for improving QoS on VoIP, with links to Sveasoft's firmware mods. The WRT54G is the currently favorite because it's new, and has more internal storage and compute power than older Linksys routers, access points, and wireless gateways. The Linksys "blue boxes" have long been beloved of the hacker (in the better sense of the word) community: See the marvelous insider documentation written by Eric S. Raymond himself. There are some interesting reasons to use an "appliance" like the BEFSR41 instead of trying to do the whole NAT and firewall schtick on a separate Linux box, first of which is that an appliance is generally too stupid to crack, as ESR points out. (You can't get root if there ain't no root to get—I wonder how that might change once Linux-in-a-blue-box becomes common.) There's certainly some upside in it all for Linksys, since the network experts' community is a very thick group, with a high-bandwidth word-of-mouth backbone. Making points with them cannot but generate sales. And of course, Linksys can, if it wishes, take back any or all of the third-party GPL mods and work them back into the "official" firmware, thus taking advantage of free labor from some of the world's most brilliant programmers. Now, guys, how about genning up a good, general purpose supplicant for the Linksys line? Linksys apparently can't (or won't) do it themselves—perhaps they're waiting for the open source community to do it for them. Taking advantage of the open source world without becoming dependent on it: Now there's a tightrope that the commercial world has not yet learned to walk, but may yet. We'll see.Quick update on the house: We're waiting on new garage door panels to replace those damaged by the installer, but once those are installed we will probably close the loan and start our moving plans, even though there are some small fixes still to be done. (And yes, we will hold back funds to be sure they don't get forgotten post-closing.) At left is a photo of our new kitchen, though the bright morning sunlight throws off my digital camera. The photo from my office window really is from my office window: I was standing inside by the window when I took it, looking up Stanwell Street toward Cheyenne Mountain. This will basically be the view from my desk. |
|
|
The morning after superbowl Sunday, one of my regular correspondents wrote to ask if I had seen Justin Timberlake rip one of Janet Jackson's bra cups off during the halftime show. He was breathless about the little silver buzzsaw (or whatever it was) that she had glued over her right nipple. My first reaction was, WTF? As I described in my February 2, 2004 entry, Carol and I were at a superbowl party on Sunday, and we spent the entire duration of the broadcast down in Dean Nelson's family/media room, with the show on his wide-screen TV. There were fifteen people in the room, and as best I know, not a single one saw Janet's buzzsaw. (Not to sweat the young-uns; they were all down the hall playing video games.) I remember glancing at the halftime show every couple of minutes, but each time it was the same collection of indistinguishable, no-talent screamwrithers that populate most of TV ostensibly targeted at young people. I saw (with some satisfaction) that everyone else was doing the same thing I was: We were having a nice supper (as I mentioned, Dean is famous for his Superbowl Chili), hanging out with one another, and completely ignoring the TV. All the nonsense that has gone under the media bridge since then (garment maulfunction? Did somebody dare call it a garment malfunction?!!!?) is simply beside the point. The halftime show was stupid and boring, and nobody was watching. Were it not for the media coverage, I doubt anyone would even have noticed the Justin & Janet show. In the end, she got a PR campaign worth tens of millions for nothing, and the media got reamed royal for substituting bad taste for talent in an effort to prop up ratings as saggy as Janet's...career. Little by little, people roll their eyes and turn the damned thing off. Do we dare to believe we're in the twilight of the TV age? |
|
|
I've been pretty fried at Linksys for some weeks now, and I'm trying to figure out how to deal with it in the update of my Wi-Fi book, which I'm in the process of writing. It could wait until now—but I'm at the point where I'm writing a whole new chapter detailing the new WPA (Wi-Fi Protected Access) security technology, and so time has run out. The problem is this: Although most Linksys Wireless-G equipment is billed as supporting WPA, that's true only for Windows XP. The problem is that WPA requires a piece of software on the client side called a supplicant, which handles the client end of the WPA security mechanism. Why this isn't part of the client adapter firmware I'm not sure, though I suspect that there is a computational burden in WPA that the little embedded processors inside cheap Wi-Fi client adapters just don't have the muscle to deal with. One of the recent patches to XP includes an integrated supplicant provided by Microsoft. Without that supplicant, WPA won't work on Linksys clients under Win98SE or Win2K. Linksys has some obscure small print indicating that on OSes other than XP, you need to provide your own WPA supplicant. Funk Software will sell you one for $50; I don't think there are any other third-party supplicants that Linksys hardware supports. I've always been happy with Linksys gear, but it's hard for me to look past such a completely dorky decision. D-Link has begun bundling a non-XP supplicant with its Wireless-G equipment, and I was kind of expecting Linksys to follow suit, as those two represent the dueling titans in the SOHO Wi-Fi market. But so far, Linksys won't even answer my inquiries, and there's no supplicant on the horizon. The bitchy thing is that although I intend to be honest in my chapter, Linksys can release a supplicant at any point and make me look outdated. I know this is hardly a new problem in the computer book business, but it makes me grit my teeth because it's all so unnecessary. A supplicant is not rocket science. Linksys really knew how to please and hold a customer base. Now I have to wonder if Cisco isn't pulling the strings somewhere. In the meantime, guys, if you want WPA, you better buy D-Link. |
|
|
February has barely begun, but the March issue of The Atlantic arrived yesterday, and I've been half-crazy wanting to curl up in my comfy chair and devour it. Too many other higher priorities, alas, but I stole a few moments to read Cullen Murphy's tongue-in-cheek "Innocent Bystander" column on assembling a secular "Next Testament" that would be to our modern age what the Old and New Testaments were for prior ages, and maybe a few moderns as well. The piece itself was pretty light and not Murphy's best, but it got me thinking: Could we create a sort of secular Ten Commandments that would pass constitutional muster and yet still stand as a moral code for human society? I sat down last night and, well, did it. Didn't need stone tablets, and in fact it lacks the extreme elegance of the original number, but given that we are transitioning from the age of Freedom of Religion to the age of Freedom from Religion, I figured it would be very much in style. So here they are, arranged roughly in order of their importance: The Secular Ten Commandments
|
|
|
Carol and I went to a Superbowl party yesterday afternoon. Don't pass out—it certainly wasn't for the football. Dean and Diane Nelson, our new neighbors up at the house, invited us to their annual Superbowl party, which includes their friends and relatives and few of their close-by neighbors. Dean is a master at making chili, and we had a fine time meeting some of the neighbors a little prior to moving in to our new house. Sports is legendarily not my thang, and I had a good deal more fun talking to some of our neighbors, including one who like me has a Jet lathe and makes a fine side-living selling bronze castings of his sculptures. I glanced at the game now and then, just to see who was winning, but whenever the football action broke for a commercial, it was fascinating how everybody in the Nelson's cavernous media room stopped what they were doing and focused on the screen with rapt attention. I enjoyed most of the commercials, and my top three were the following:
|
|
|
Not much time to even think today, so here's a few odd lots to tide you over until the Bowl is done:
|
|
February 29, 2004:
It
got down to zero last night, and the night before that it was 8° and
snowed. I'm trying to keep the sidewalks in front of the new house clear
of snow, so that the tradesmen won't be tracking it into the house by
the monster bootful. So I was up there the other day, shoveling, and stepped
back for a second when I realized something truly astonishing: 
