Friday, September 27, 2002

LAN (again)

So I am looking on and on for good boxes to route and firewall the internal LAN with. I find that there's this site where all these cheap boxes reviewed and user-commented, and wondered why anyone would ever want to buy the 350 bucks D-link box if all these cheap 150-or-so-tops webboxes are available. Then I realized that the cheapest ones only did NAT firewalling, and the ones that did actually do stateful inspection barely ever allow you to make rules to check the protocol of the packet before forwarding it to a port on a specific machine. Of the cheap boxes, few seems to compare to the sophistication of inspection on my OpenBSD box, and many have problems with keeping up a reliable DSL connection, according to user comments.

The web is so cool, where would I have found an repository of knowledge like this five years ago?


From there I also found an automated service to do a LAN security check, with a pretty thorough set of tests -- not just a standard portscan. They allow you to run the whole test for free but won't tell you of your highest-risk vulerabilities, just that you have them. They will show you your low- and medium-risk holes. So I thought I was pretty safe, anyway, I would only get low-riskers, and ran the thing.

11 high risk problems. I am in the third percentile of the systems they have tested over the last year. I sprung for the report -- I was curious -- by entering my credit card. They called later to say the card issuer wanted a little more info, like my address. Not surprising since I have the you-are-a-loser secured card, I always get this. I gave it, but also asked him if he knew what time it was where I was. He did not. 12:30 AM. We had already gone to bed. Oops, global web!

All the high risk vulnerabilities seem to be not in my firewall but in the web server Dino set up behind it that I forward to for mail/web/ssh, more specifically mostly in the versions of software that allow buffer- and root-exploits. We would never have known had I not found these tests. It was confused by the LISP webserver though, and thought it was a very, very strange IIS server. I should tell them about it.

Tuesday, September 24, 2002

Firewall More

So I have been looking at Firewall applicances. Seems many small businesses have the same problems I do. Linksys is out, because they will not allow creation of a DMZ if you are on a DHCP-client connection, the idea being, presumably, that why the hell do you need to create web or mail-servers if you are constantly switching IP addresses? Well, because the nice people at NoIP, for example, will keep track of your changing IP address and reset their DNS to use it. Heck, they even allow me to circumvent Verizon's braindead port 80 filter.

It was very cool of Linksys to put this user's guide on the web, so I could read it. They may have missed a sale because of it, but it would have been a bad sale, a return. Now I need to find out if either D-link or SMCs boxes will do what I want. I am not inclined to use SMCs since they do virtual DMZs, whatever the hell that is. I am more partial to D-Link's box because it actually has a dedicated jack for a DMZ.

You know, if this headache is taken care of and works well (unfortunatly, it will take a month or two before I have the 350 bucks to spare, we also need to start saving for the annual T-day pilgrimage to Ohio) I'd consider saving some money and putting exonome.com there. Would be cheaper, since Verizon's DSL does not charge me by bandwidth-usage, like my hoster, Webstrikesolutions.com, does.

Sunday, September 22, 2002

I AM NOT A SYSADM

So because we have DSL and Dean has a LISP-based almost-custom webserver and we have a gazillion laptops of our own, I set up my own firewall using an old box and OpenBSD 2.9. I followed the book, I have a three-legged firewall with one locked down internal zone for the laptops to browse over the wireless network and the happydino.com webserver in a DMZ. If you try to webserve, ssh, or mail us, it'll go automatically to the DMZ, the laptops are supposed to only be connecting over channels they open and not the other way round, etc, etc, etc.

It's been one fucking pain after another to figure this out. Everyone out there has their own rulesets for their firewalls, and all the rules in the rulesets work together in intricate ways so it is hard to say, well this rule does only this and this rule does that, no, each filtering set is carefully pieced together. And so I did my own, through trial and error. Every piece of writing on OpenBSD touts how secure it is but is extremely unfriendly towards users who actually don't enjoy being a sysadm and are starting from nowehere. Manpages are terse and hostile to be read by actual humans approaching this new. Setting up 'named' properly took forever because of our needs. Setting PPPoE was a pain, because it breaks in undocumented ways the tricks for hardening the firewall. Everybody has opinions on what to do, but they don't all work together, and I end up borrowing and following HOW-TOs, if I can find them, halfway with every step having to make sure I don't break something new this time.

The result is that I actually don't even know whether my firewall and the computers behind them are actually that secure against attacks -- sure, the portscans show up like I expect, but that's just the portscan -- and I can't seem to modify my ruleset to let the DMZ open a connection to send mail. happydino.com cannot send out mail, just receive it. Never mind what I really shoud be doing, which is setting up ipsec between the firewall and the wireless win2K portables so nobody can read the packets going over the air.

I am useless at this. Useless. It takes forever in between all the reboots I have to do to test things out (No, I cannot just do "sh ./netstart", that actually has a different effect sometimes on my routing than rebooting, and if I don't test by rebooting, the next time I reboot for a real reason it may turn out that my setup wasn't working right. Yes, I am sure it always works perfectly the same for you.), I am not sure what to tweak, and the pages of help are being updated and dwindling because everyone is migrating to OpenBSD 3.1 and writing help documentation for that. I have no idea how to upgrade easily short of re-installing, and since the syntax has changed on many packages, I really. Don't. Want. To. It'll take me two weeks again.

Fuck freeware. It just simply isn't worth my time.

Thursday, September 12, 2002

Florida Voting Mess

So this time the primaries got fucked up. Bad. Voting had to be extended, one precint voted 100% Republican, and affiliations were wrong. All human error you'd say, but the story kept coming back that so many voting touch screen machines were not functioning. Hmmmmm.

(I'm partly plagiarizing myself here from my entry on Plastic.)

As I was reading The Miami Herald link, I could sense there also was a Human Factors problem, I could just feel it. We can these days make a box that can withstand shipping and just switches on. In fact, it is pretty hard not to. And yet all these machines not working, and an article mentioning undertrained operators of what should be an idiot-proof machine... And there it was:

Each device must be booted up with an activator cartridge that must remain in the machine for six minutes. Many workers apparently pulled out those cartridges too soon, crashing the machines.

''A lot of the poll workers were not patient,'' Salas said.

Michael Limas, chief operating officer for Election Systems & Software, which made the machines, claimed that his equipment was blameless.

''When our technicians have gone to polling places, they haven't been repairing machines,'' he said. ``They've had to start the machines over for people.''

He said the failure to properly use the activator cartridges was like ``putting a floppy disk in your computer to copy a large file and popping it out before it's finished.''

Classic. Cla-ssic.

My bet is this machine did not actually give any feedback that it was reading the cartridge properly or that you can shouldn't the cartridge out until it was finished. Five minutes to switch something on is actually a looooong time for what look like glorified televisions. Especially if you have many to switch on in a precinct. Of course people expected 'instant on', just look at all other equipment they use, and what they have to get acomplished. But they weren't getting it.

A human-centered, or humane, interface should manage people's expectations by either not allowing them to not take out the cartridge, or letting them know this initializing is on track and how bad a result aborting would create. To extend the OS analogy, a good UI on an OS won't allow the user to yank out the floppy unless the user is aware of that there will be a bad result (like MacOS; you would have to Cancel the copy and then eject the disk) or at least let you know that the copy was in progress and going well, and show a clean way to abort if necessary (windows, most X11 interfaces, et al).

Blaming operators for not being adequatly trained is the easy way out, but won't do anything to alleviate the problem next time. What is be cheaper, a human-centered machine, or more classes? And it would have averted a PR disaster for the manufacturer: they are now the ones who delivered 'bad' or 'difficult' machines, no matter how much they try to blame operators.

And the mistake is so elementary. No human should need to know to wait exactly or around six minutes to switch something on, the machine should tell them, because the machine knows. No human should need to keep track of what a machine knows, but the machine should help remind the human. I am sure Donald Norman is investigating for a new anecdote as we speak.

- * * * -

I got my values wrong for sending me text messages over LJ, so anyone who sent me a message requesting my new mobile number will probably have to try again. Sorry. I really am, but who knew I shouldn't enter my telephone number with soaces -- just like everyone enters their number on every paper and electronic form out there?

And remember, I don't know from who the message is. Add an SMS number back. Many, many mobile phones actually accept SMS messages as pages.

Tuesday, September 10, 2002

Meetup

Plastic had its first international meetup. I had some trials to find it, including walking for blocks into deserted no man's land in Roxbury, a cab with no clue, checking mapquest, and finally making it late. We were three in total, here in Boston, but had such fun. Turns out we had plenty to talk about, for three semi-strangers.