
Paul E. Jones' Blog

Intel's Next Unit of Computing

December 2, 2012

Intel released a really cool new device called the Next Unit of Computing. It's a small 4x4x2" box that packs the power of an Intel Core i3 processor. It has three USB ports, two HDMI ports, a gigabit Ethernet port, and consumes very little power compared to a normal desktop machine.

It's designed to be mounted right on the back of a display using the supplied VESA mounting bracket, turning any display device into a computer.

It was not made for the technically challenged, though. At the same time, one does not have to be a hardware expert, either. It is sold as a kit, and one has to buy the memory and storage separately. While that was expected, what was not expected is the fact that the kit is shipped without a power cord to go from the power brick to the wall. I had to make a run to the local CompUSA to get one of those.

It uses an mSATA drive for storage and can hold up to 16GB of DDR3 RAM.

I purchased a 128GB mSATA drive and 4GB of RAM for mine. Total cost was about $440 for the NUC, storage, RAM, and power cord.

I've only had it running a few hours, but this thing is awesome. I installed Linux on it and replaced one of my aging Linux machines. I use Linux machines in my house to provide various network services, including DHCP, TFTP, and DNS, and use the devices when writing software on Linux, including AES Crypt. These devices also handle storage functions for me, allowing me to back up data to Amazon S3.

I don't have a monitor or keyboard connected to the box. It's just a tiny little box connected to the network that I access via SSH that serves a useful purpose for me and my family.

Another great feature with this device is that it consumes far less power than the desktop it is replacing. The desktop I was using was not a monster machine: just a low-end Dell Dimension. Even so, I could tell from the display on my UPS that the box consumes far less power.

So, I save space in the house, the machine runs way faster (since it's solid state vs. traditional hard drives), and I save energy. What's not to like? Very cool box.

Frustrating Customer Service Agent at AT&T

November 30, 2012

On October 8, 2012 I went to my local AT&T store to get a prepaid SIM card. I just needed an extra phone for about 4 months with just voice service. The representative at the store suggested that I just add a line to my current monthly plan, since I'd probably save money that way. He said he'd waive the activation fee and the contract period for the new line. So, rather than paying $25/mo for the prepaid card, I could pay just $10/mo using my existing plan (plus taxes, 911 fees, etc.). In all, I could probably save 50% that way. He made a kind offer to do that, likely because I've been a customer of AT&T a long time.

He printed out the service summary sheet and marked through the things that were waived. You can see that below.

Though this was the agreement we had, I was charged the activation fee on my bill this past month. Oh, well. Mistakes happen, right? So, I called AT&T to get it corrected.

The lady was absolutely horrible. I don't think she necessarily believed me, speaking down to me as if I was a peasant. She really had a condescending tone to her voice. She told me, "We'll waive the fee this one time, but we'll put a note on your account and if you add another line, we will not waive the fee again." So, now she's doing me a favor? Or was this a threat? I can't tell which. Between the tone of voice, the suggestion that she's doing me a favor "this one time", and the threat that AT&T will never extend an offer to waive an activation fee again, I got mad.

Sometimes, I really, really hate AT&T. Working in the communications business, I have a number of friends who work for AT&T and I've worked with their engineers on projects. The company has many good people, but representatives like this battle ax are what frustrate customers and drive them elsewhere.

Dell has a "Dismal" Third Quarter

November 16, 2012

One of my favorite companies is Dell. I’ve been using Dell computers now about 20 years and love the computers Dell makes. Unfortunately, my love for Dell certainly did not translate into enough money to help the company this quarter. For that matter, I can safely report that not one penny of my money went to help the company this quarter. However, I did buy some nice tablets! They just were not Dell brand devices.

For its part, Dell still has a solid business. Even so, it is seeing sales decline and it’s not only because we are in a “post-PC” era. Dell seems to be ignoring its non-enterprise customers entirely. Briefly, Dell has issues in a number of areas:

  • The order system is not very flexible and it is virtually impossible to customize machines
  • The order system does not provide accurate descriptions for some options it does offer
  • I cannot figure out how to order physical media for Windows!
  • Customer support people are clueless or just read scripts
  • Dell has no cool laptops to rival the Macbook Air or Asus Zenbook

While the enterprise customers make up a large percentage of Dell’s revenue, I assume, I also know many, many people who buy machines for use at home and have some influence over the purchase of machines in SMBs.

For its part, Dell has tried to bring some innovative tablets to the market and they now have an ultrabook. Still, they apparently cannot match the engineering of Asus and Apple in terms of building some really thin machines that look really good.

I really do wish Dell the best of luck. I like the company. It still makes good computers. However, when I can go to Best Buy (yuck!) and get a machine that looks better and has more-or-less the same configuration, that means Dell has dropped the ball. Dell, I bought my last laptop at Office Depot! Why was I forced to buy my laptop off-the-shelf at Best Buy? Your quarterly results do reflect your inability to execute in areas that matter.

Buckyballs to be Discontinued

October 31, 2012

That was the email I received today from Buckyballs. I suppose they sent that message to me since I have purchased products from them before. This is truly sad for a number of reasons.

And, in case you are not familiar with what Buckyballs are, they are magnetic desk toys. Basically, they're a bunch of little high-powered magnets in the shape of little balls about 5 millimeters across. They are designed to be a desk toy much like many of the other geeky toys many of us engineers tend to buy and have sitting around our offices. The difference with these, though, is that they are high-powered magnets and, if swallowed, they can cause serious internal injury and require surgery. Because of that, Buckyballs labels their products with some very strong warnings. They tell you not to put them in your nose or mouth or to swallow them. I think there are about five such warnings on their packages, including the outside package and the container they provide to house the balls.

Even though these warnings exist and in spite of the fact that these desk toys are not marketed to children, the US Consumer Product Safety Commission decided in its infinite wisdom to force the company to stop selling the products. However, the reason I felt compelled to blog about this was the way they went about it. Buckyballs had been working with the CPSC to do whatever they could to address concerns. But, the CPSC really did not care to work with them. They had already made up their minds and within about 4 hours after Buckyballs submitted a safety plan at the request of the Commission, the Commission sent out a notice that they were suing the company and they reached out to retailers to urge them to stop selling the “dangerous” product. And, nearly every retailer complied.

Buckyballs had this to say:

In 2010, The Consumer Product Safety Commission approved the safety program we currently have in place. Now, after more than two years, they're saying our extensive measures aren't enough and we should be put out of business. Out of more than half a billion magnets sold, the CPSC reports less than two-dozen incidents with our products. While even one incident is too many, we stand by our comprehensive safety program and believe responsible adults should still be able to enjoy Buckyballs® and Buckycubes™.

With their sales channels effectively shut down, the looming threat of legal action, etc., Buckyballs decided to stop selling the magnetic balls and cubes at the center of the CPSC’s complaint. What this will likely mean for the company is that it will go out of business. This was, after all, their primary product. Without it, their revenue stream is gone. We can thank the Commission for putting those people on the street.

And while product safety is important, I personally feel the Commission went too far on this one. There are many hazardous things that can hurt children. Out of the billions of products sold, a few incidents are truly a low percentage. Most importantly, it does not reflect a flaw in the product. Rather, it demonstrates that the purchasers were irresponsible. Children get hurt seriously every year from all kinds of things that adults should keep out of the reach of children.

To think a company can be put out of business at the hand of a 4-person panel without the due process of law is hardly the American way.

Verisign's Hashlinks

September 13, 2012

I received an email from one of my domain registrars advertising with great fanfare a new "service" from Verisign called "Domain Hashlink". I don't know exactly how they expect to make money with this, but they said this about the service:

A new navigation tool from Verisign that lets you replace long and difficult-to-remember URLs with shorter, more consumer-friendly vanity URLs; e.g. example.com#keyword

They call it a tool, but also call it a service. They even have retailers who will sell the service! I get the idea of having something like "keywords" to take visitors to specific pages on your own site, but to call this a service and have people selling it? Who would pay for this?

It took me just a few minutes to get this working:

https://www.packetizer.com#h323

There is a very small JavaScript program I wrote called hashlink.js. This queries the server to see if there is a link that matches a known value. If it matches, the page is replaced with the associated URL.

I'm not even sure why Verisign wants to use the hash character. This character has a specific purpose in URLs, and this is really not within the spirit of the original purpose.

It also seems somewhat unreliable. The JavaScript code only runs when the page is initially loaded. I noted in Chrome that if I load a page without using a HashLink and then add one, Chrome will not reload or execute the JavaScript code. If I hit refresh it will.

So in replicating the "service", what I did was create something very similar that uses the @ character. Here's an example:

http://www.packetizer.com/@h323

This is much more reliable, because this always results in a redirection or a 404. You cannot return a 404 when using the hash character, because there might actually be something in the web page itself that needs that hash. Besides, what would one return in a 404? Suggest the main page is not found? That's horrific.

As I said, the HashLink idea is a bit odd and does not work perfectly well. I wish they had used something like the "@" approach. Any number of characters would have worked.
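Here is an added example (my own, not the author's hashlink.js) of the client-side half of such a scheme: a keyword-to-URL table, a resolver that only ever redirects to entries in that table, and a hashchange listener that covers the case noted above where the fragment is changed after the page has already loaded. The table contents and target URLs are constructed placeholders.

```javascript
// Added example, not the original hashlink.js: resolve "#keyword" fragments to
// site-defined URLs. The fragment is never sent to the server, so the lookup
// has to happen in the browser. Only table entries are ever used as redirect
// targets, so a crafted fragment cannot steer the browser to an attacker-chosen
// URL (no open redirect).
"use strict";

// Constructed keyword table (assumption: the site would publish something
// like this, e.g. as a small JSON file fetched at load time).
const HASHLINKS = {
  h323: "https://www.example.com/h323/",
  aescrypt: "https://www.example.com/aescrypt/",
};

// Normalise a location.hash value ("#H323", "", "#section-2") to a table key.
// Anything that is not a short identifier is treated as a normal in-page anchor.
function keywordFromHash(hash) {
  if (typeof hash !== "string" || !hash.startsWith("#")) return null;
  const kw = hash.slice(1).toLowerCase();
  return /^[a-z0-9][a-z0-9_-]{0,31}$/.test(kw) ? kw : null;
}

// Resolve a hash to its redirect target, or null when it is not a hashlink.
// hasOwnProperty guards against "#constructor"-style prototype lookups.
function resolveHashlink(hash, table = HASHLINKS) {
  const kw = keywordFromHash(hash);
  if (kw === null || !Object.prototype.hasOwnProperty.call(table, kw)) return null;
  return table[kw];
}

// Browser wiring: runs once at load and again on every hashchange, so editing
// the fragment in the address bar triggers the lookup without a refresh.
// location.replace() keeps the "#keyword" URL out of the history.
function installHashlinks(win) {
  const go = () => {
    const target = resolveHashlink(win.location.hash);
    if (target !== null) win.location.replace(target);
  };
  win.addEventListener("hashchange", go);
  go();
}

if (typeof window !== "undefined") installHashlinks(window);
```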

Basis for Apple vs. Samsung Decision

August 27, 2012

This past week, a jury of nine people convicted Samsung of infringing the patents of Apple. There were a number of patents that Apple claimed were infringed. Per CNET, the devices and patents were numerous. In a nutshell:

  • ‘381: “rubber band” effect when reaching the bottom of a document (“look and feel”)
  • ‘915: ability to differentiate between single-touch and multi-touch, just like Microsoft’s older surface computing table (how Apple got this patent in the face of prior art, I do not know) (“look and feel”)
  • ‘163: double tap on screen to enlarge and center portions of the screen (“look and feel”)
  • D ‘677: related to the front face of the iPhone (“design”)
  • D ‘087: related to the general outline (“design”)
  • D ‘305: the icon arrangement in a grid with round corners (“look and feel”), like the Palm Pilot, Windows Mobile, and Apple Newton from years ago

It is impossible for me to say which of these “inventions” are truly inventions. That said, I largely do not agree with “look and feel” patents. Often, “look and feel” is a matter of current fashion. It’s what’s in vogue. I certainly feel that way about icon arrangement and the look of icons, scrolling, etc.

The “rubber band” effect is an interesting effect, but that’s what it is: an effect. It is not an invention, really. Computer graphics students have for years been creating programs with bouncing balls and such that behave in a similar way. So what was “invented” was not the bouncing effect, but the application of that effect to scrolling. So is that an invention?

I think similar arguments can be made for most, if not all of these patents. Apple has truly created a revolutionary platform, but what was revolutionary was bringing together a powerful operating system, applications, and an app store, all while making it as simple to use as possible. Apple did not create the first mobile phone. Apple did not create most of the graphical user interface elements and concepts. Apple did not create the first operating system, and certainly not the first powerful mobile operating system. What Apple did was package it well and market it extremely well.

One has to wonder whether these user interface and design patents are even valid. Consider where the U.S. patent system originated. It came about due to Article I §8 of the U.S. Constitution which says, “Congress shall have the power … to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”

Exactly where does a user interface design fit into writings or discoveries? I would agree with a design patent that describes the process of creating a particular kind of material or shape through a complex manufacturing process, the process for which had to be discovered through scientific research. However, a “rubber band” effect, icon arrangement, and an aluminum edge around a glass screen hardly fall into that category.

Exactly how does the patent system that allows for such patents in any way “promote the progress of science or useful arts”? The answer is that it does not.

Apple’s bold entrance into the mobile communication space has significantly impacted the market and I applaud them for leading the revolution. At the same time, awarding these kinds of patents to Apple does not help to “promote the progress of science”. Rather, it serves just the opposite. Apple did not need those patents to become the wealthiest company in the world. However, it can use those patents to prevent anyone else from attempting to create competitive products. In so doing, it is the consumers – the public – that suffers. We want Apple to continue to innovate and we want Samsung and others to push the envelope. That is how technology progresses in all industries.

In any case, it is very interesting to see how the basic concepts of promoting science and useful arts have mushroomed into the complex copyright and patent system we have today. Now, we have cartoon characters like Mickey Mouse protected for some 70 years beyond the death of the inventor, copyright assigned to things other than writing or useful arts (the latter including music and movies), and patents awarded on the arrangement of icons in a grid pattern.

Amazon "Add-Ons" are Idiotic

August 26, 2012

Perhaps the title is a bit strong, but I was frustrated when trying to order an item on Amazon tonight only to be greeted with a message that the item I wanted to order was an "add-on" item and that Amazon would not ship that item unless I ordered at least $25.

What are "add-on" items? They are items that, per Amazon, "would be cost-prohibitive to ship on their own". For those who are not Amazon Prime members and normally pay for shipping on items, these "add-on" items cannot be ordered separately, but will ship for free with your $25 or more order. Sounds good? Perhaps, except that you cannot even pay Amazon whatever the "cost-prohibitive" amount to ship it would be. Amazon simply will not sell those items by themselves, unless you buy $25 worth of the "add-on" items or something that costs $25 total.

What about Amazon Prime members? For those who do not know what Amazon Prime is, "Amazon Prime is a membership program that gives you and your family unlimited fast shipping, such as FREE Two-Day shipping to street addresses in the contiguous U.S. on all eligible purchases for an annual membership fee". But what are "eligible purchases"? Those are:

  • Millions of items sold by Amazon.com
  • Over 100,000 eligible items on AmazonSupply.com
  • Many items that are fulfilled by Amazon

It's a great program, but what are the items that are not eligible? Well, Amazon lists those and they are:

  • Items fulfilled by Amazon Marketplace sellers
  • Magazine subscriptions
  • Personalized gift cards
  • Any item that doesn't have a message indicating that it's eligible for Prime on its product page

I visited Amazon today to purchase a short HDMI cable. I had purchased this same cable a couple of years ago. It was Prime Eligible then. Now, though, Amazon will not let me buy just the 0.9 meter cable for $4.99, because it's classified as an "add-on". I can't offer to pay for shipping, either. Amazon also tells me "FREE Two-Day Shipping for Prime members when buying this Add-on Item", but that's of no comfort since I cannot order it.

Just to show how dumb Amazon's "add-on" item idea is, while I cannot order the 0.9 meter cable for $4.99, I can order the 6 meter cable for $5.49 and get free 2-day shipping. Amazon: I'd gladly pay the extra 50 cents and get the shorter cable!

I appreciate the fact that some items might cost more to ship than Amazon would earn, but to offer absolutely no option to pay the cost it would take to get it out of the "cost-prohibitive" bucket is silly.

Is Amazon losing its touch?

DNSSEC Paves the Way for Better TLS Security

August 20, 2012

Everyone is familiar with the padlock that appears on the address bar in the web browser indicating that the communication session is secure. However, few people understand the technology behind that padlock, namely the Transport Layer Security protocol (TLS), or what a digital certificate is. It is those digital certificates that are the subject of this blog post.

For years, a small group of companies have served in the capacity of Certificate Authorities (CAs). The companies, along with the makers of web browsers, form the Certificate Authority / Browser Forum. It’s a fairly exclusive club, really. They purposely limit the number of certificate authorities so as to ensure that the price people pay for digital certificates is at a level that allows them to make money. Oh, and of course, to provide “trust” in some way. Gaining membership into this exclusive club is hard. Suppose you want to establish a new business to be a root certificate authority. In order to do that, you must “actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers”, as in you must be in the business already. It’s a bit of a chicken and egg problem. One cannot actively issue certificates if the web browser makers do not “trust” you, and you cannot gain their trust unless you are a root certificate authority.

Not only is the CA/Browser Forum mostly a club that tightly controls who can trust whom on the Internet, largely for the financial benefit of the members of the Forum, the whole system is, in fact, flawed. If you visit a web site that claims it is secure, can you really trust the certificate presented? The fact is, there has been more than one case where a digital certificate was issued by a certificate authority in error. How can this happen? It’s possible because, until recently, DNS has had no security applied in practice, for one. Second, people are able to get into corporate email accounts. Anyone can create a public/private key pair for the certificate. A hacker just needs to trick a certificate authority into signing it. Usually, this requires only that the person verify that they own an email address at the domain, usually one of the few the certificate authority believes to be an administrative address.

Now that DNSSEC is here, a better way exists to secure browser communication or other communication that utilizes TLS. Rather than create a certificate and have it signed by a certificate authority, a domain owner can create a certificate and place a signature of that certificate into the domain’s DNS. Since all DNS records are signed by the domain owner and DS records created by the domain owner are inserted into the registrar’s DNS servers, it is possible to trust those records. RFC 6698 defines precisely how to do that. Essentially, one creates a self-signed certificate and inserts a signature of that certificate in DNS as a TLSA record. For example, suppose one creates a certificate for www.example.com on port 443 (standard TLS port) and wishes that to be trusted by browsers. One would create a signature of that certificate and insert a TLSA record like this:

; RDATA fields: usage, selector, matching type (1 = SHA-256, as the 32-byte digest implies), digest
_443._tcp.www.example.com. IN TLSA 1 1 1 \
    C3E2885170FB937E45FCE92CCEE01904A3EE3248156FCD7B945F38994A1F9496

It will take a few years before browsers and other TLS clients start using DNSSEC and TLSA records, but the technology now exists. This is significantly more secure than today’s certificates, since domain owners are in complete control of certificates. No longer is there a risk of a certificate authority issuing a bogus certificate. Domain owners can easily cancel certificates by simply removing the associated TLSA records in DNS.

Configuring DNSSEC on Your Domain

August 17, 2012

DNSSEC is the standard for providing security for your domain name in order to protect it from attackers who want to intercept communications by directing web browsers, email servers, etc. to destinations other than the correct destination. Enabling DNSSEC is actually very straightforward. I’ll explain the steps for those who use BIND to provide DNS services, as that’s one of the most popular DNS servers on the Internet.

The first step is to generate a pair of keys. The first key is called the “Zone Signing Key” (ZSK) and it can be created using this command (replace “example.com” with your domain name):

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

Next, you need to create a key called the “Key Signing Key” (KSK). It is created using the following command:

dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK example.com

Note that the -b flag indicates the key size in bits.

These two commands will produce four files:

  • Kexample.com.+005+30578.key
  • Kexample.com.+005+30578.private
  • Kexample.com.+005+13262.key
  • Kexample.com.+005+13262.private

The format of the filenames is “Knnnn.+aaa+iiiii.{key|private}”. The value “nnnn” refers to the domain name you are securing. The value “aaa” refers to the cryptographic algorithm used. In the example above, 005 refers to RSA/SHA-1 (per RFC 4034). The “iiiii” is a key identifier, which is just a 16-bit value that identifies this particular key for this particular domain.

Next, you concatenate the .key files to the end of your zone file, like this:

cat Kexample.com.+005+30578.key Kexample.com.+005+13262.key >>example.com.zone

Now, you have to “sign” your zone file like this. To do that, you need to identify which of the keys refers to your KSK and ZSK. If you took notice of the file names created after executing the key creation commands above, you’d know. Otherwise, just look at the file in a text editor and you’ll see which one. In our example, we’ll assume that “Kexample.com.+005+30578” is the ZSK and “Kexample.com.+005+13262” is the KSK. You’ll then execute this command:

/usr/sbin/dnssec-signzone -o example.com -N keep -k Kexample.com.+005+13262 example.com.zone Kexample.com.+005+30578

This will result in the creation of a file called “example.com.zone.signed”.

Now, you just have to make a few small adjustments to the /etc/named.conf file (BIND’s configuration file). Here are the important changes:

options {

    ...

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    ...

}

...

include "/etc/named.root.key";

...

zone "example.com" IN {
    type master;
    file "example.com.zone.signed";
    allow-update { none; };
};

...

Place both the example.com.zone and example.com.zone.signed into the directory where BIND keeps its zone files. Restart named and/or issue these commands:

/usr/sbin/rndc reload
/usr/sbin/rndc flush

At this point, your DNS server is ready to go. However, your registrar must have the appropriate “glue” records in place. Usually, these records are DS records. Fortunately, those records are generated for you automatically by the “dnssec-signzone” command. You will see a file called “dsset-example.com.” with the DS records inside. All you have to do is insert those into your registrar’s DNS, much like you might assign your name servers. The procedures for doing this vary by registrar, so I cannot explain the procedure. However, it’s not so hard once you find the right place. The registrar should validate that everything is working properly before activating the DS records. One would not want an incorrect record in place, as that would break the trust chain established via DNSSEC and thereby “break” the domain resolution.

ICANN has a list of registrars now supporting DNSSEC. Not all of them do, and they certainly do not support DNSSEC for all TLDs. So, it is best to check with your registrar before going through all of the steps and being disappointed.

If you wish to validate that DNSSEC is working properly, you can use the “dig” command on Linux machines like this:

dig +topdown +sigchase example.com

That command will report success or failure in the trust chain. Alternatively, visit DNSSECReport.com and perform a basic test via the web.

One last point to make is that it is recommended that you re-sign your domain at least every 30 days. It's not necessary to generate new keys, but merely re-sign the zone file. (Note that if you do decide to change the key used to sign the domain, you need to ensure that you properly handle the key rollover. Otherwise, for a period of time some DNS servers might assume your domain's signature is invalid. DNSSEC key rollover is a whole other topic.)

Making Sense of AT&T's New Data Plans Rates

July 18, 2012

AT&T announced today that it will be offering shared data plans called "AT&T Mobile Share" so that people with multiple devices can share data across those devices. Quite often, it's families that would benefit from sharing data, which was the case when "family plans" were introduced in order to share voice minutes.

Voice minutes and text messaging are unlimited with these new plans. This suggests that AT&T realizes that lower-cost VoIP alternatives exist, so there's no point trying to compete in the voice space. So rather than compete, AT&T will force customers to pay for the voice/text by charging a flat fee per phone, regardless of usage.

The new data sharing plan allows families to pool bandwidth as they did voice before, but the prices are not really cheaper than paying for individual plans. For example, if one has a 3-phone family plan at $70 with unlimited text and 2GB of data per phone, the total price is $70 + $30 (text) + $25 * 3 (data) = $175. Under the new pricing, the unlimited voice/text + 6GB of data would cost $195. But voice is unlimited, right? Who cares? The subscriber was probably OK with the limited voice minutes.

Anyway, here is the price breakdown:

How many people will actually save money with these new plans?
