draining the world\’s beer supply one pint at a time

During my visit to my parents in Wales last week, my dad took the opportunity to “drag” me to the Apple Store in St David’s 2 to help him buy an iPad for my mum – replacing a netbook she uses solely for occasional skyping (usually on my dad’s monster laptop) and looking through pictures of her grand kids.

After I helped him get the right model, he sat down at the instore training/setup table to get started while I visited the genius’ to get the shattered glass back of my wife’s iPhone 4 replaced.

I rejoined him to listen to the spiel and I was highly impressed with the store employee’s handling of 3 new-iPad users…. right up until the “one more thing” – which was an instruction on how to “close the apps running in the background”. Although I wasn’t in enough of an argumentative mood to point this out, I did explain that it was bullshit to my dad on the way out.

I thought no more of it other than an excuse to blog about it at some point, but then at a pub with my brother talking about calendar apps, I saw him open notes, type some text, hit home and then double-tap, tap-and-hold and kill the notes app (which was the only thing in the multitasking bar). twice.

I promised him some links explaining why this isn’t a problem, even though he thinks he sees better battery life. So here they are.

I thought perhaps this was just UK stores being months behind the US in getting the misinformation, but it seems this misinformation is still rampant at least in the northeast. (which prompted me to actually get around to documenting this experience).

I’m fed up of the spam comments that sneak past Akismet. I’ve switched to requiring authentication and closing comments after 14 days. Not that there’s been much content on this site recently.

It’s that time of year again, when I realize how little I’ve posted on the blog.

I’m walking again for the Jimmy Fund Walk. My 2011 donation page is here: http://www.jimmyfundwalk.org/2011/jcapayne

Please see: Last year’s post where I outlined my reasons for walking.

If the world were just, I wouldn’t feel the need to write this.

After almost 2 years of subtle hints from my wife and much less subtle nagging from my parents whenever they saw pictures or caught a glimpse on a video chat or just thought about it, I finally relented and with the assistance of my brother in law and father in law, ran the cables between the TiVo, bluray and wii through the fake wall instead of across the mantle piece. It’s not like I’d had the fake wall put in just for that purpose… Oh wait, that’s exactly why!

Any way… 2 HDMI, 1 composite and 1 component+audio (future) and I reran the cable coax through the conduit I’d also had put in for this purpose to the basement

1 month later, both HDMI ports magically stop working in the middle of the day.

TV was bought from Circuit City 2 years ago.
TiVo Series 3 was bought from Tweeter about 2 1/2 years ago.
Samsung Blu-Ray was bought from Circuit City last year.

As both Circuit City and Tweeter no longer exist, I’m out of luck for store support, so I go to Best Buy and buy an expensive HDMI cable (no other kind exist in the Best Buy universe…. newegg usually has good deals) and test the blu-ray with my upstairs TV with success. The TiVo has component output so I hook that up to the cable that I ran and that works, so I’m pretty sure the problem is with the TV.

After a little more procrastination, I finally call Hitachi customer support (shockingly, 1-800-HITACHI)… and this brings me to the point of this post.

WOAH. One ring and I get through to a real cheerful person who listens, asks if other inputs are working, and after checking the software version on my TV, recommends a software upgrade (I’m 10 versions behind). After suggesting that I call every 6 months or so and ask for an upgrade, she takes my name, address and we chat about the wonders of software upgrades on consumer devices and we’re done. “You should have the card by the end of the week, any problems just call back”. One support person, soup-to-nuts, no “I’ll just put you on hold” no hold music AT ALL. For a company with a product range of the size of Hitachi, I’m beyond speechless…. I’m moved to blog

Of course, I’m still waiting to find out if the software upgrade fixes my problem. I’m betting on expired certificates.

Wow.  It’s been more than 6 years since I reported (and provided a patch) a bug in Net::Patricia, and I’m still getting requests for the patch. It occurred to me that rather than search my email every time I get the request, why not just post it here?

I don’t think I could even find the original email thread now, but the bug is pretty well documented in the CPAN page for Net::Patricia:

The match_string method ignores the mask bits/width, if specified, in its argument. So, if you add two prefixes with the same base address but different mask widths, this module will match the most-specific prefix even if that prefix doesn't wholly cotain the prefix specified by the match argument. For example:

   use Net::Patricia;
   my $pt = new Net::Patricia;
   $pt->add_string('192.168.0.0/25');
   $pt->add_string('192.168.0.0/16');
   print $pt->match_string('192.168.0.0/24'), "\n";

prints "192.168.0.0/25", just as if you had called:

   print $pt->match_string('192.168.0.0'), "\n";

This issue was reported to me by John Payne, who also provided a candidate patch, but I have not applied it since I hesitate to change this behavior which was inherited from MRT. Consequently, this module might seem to violate the principle of least surprise if you specific the mask bits when trying to find the best match.

The fix is not even one line. The patch is below.


*** libpatricia/patricia.c~     Wed Oct  4 16:41:35 2000
--- libpatricia/patricia.c      Tue Mar  5 11:42:23 2002
***************
*** 614,620 ****
 #endif /* PATRICIA_DEBUG */
       if (comp_with_mask (prefix_tochar (node->prefix),
                           prefix_tochar (prefix),
!                           node->prefix->bitlen)) {
 #ifdef PATRICIA_DEBUG
             fprintf (stderr, "patricia_search_best: found %s/%d\n",
                    prefix_toa (node->prefix), node->prefix->bitlen);
--- 614,620 ----
 #endif /* PATRICIA_DEBUG */
       if (comp_with_mask (prefix_tochar (node->prefix),
                           prefix_tochar (prefix),
!                           node->prefix->bitlen) && node->prefix->bitlen <= bitlen) {
 #ifdef PATRICIA_DEBUG
             fprintf (stderr, "patricia_search_best: found %s/%d\n",
                    prefix_toa (node->prefix), node->prefix->bitlen);

I’m getting quite irritated by the complete lack of useful information on securing wired networks via 802.1X.   I think it’s worth sharing some of the issues and solutions or work-arounds for a multi-vendor environment, which I’ll do over a series of posts.

Plenty of security vendors will describe how to setup their solutions in a single-vendor environment, but that doesn’t match the real world.  I’ll start by listing out some components from a multi-platform environment.  Subsequent posts will describe issues with each of the various components and key configuration points.

Client environment: Windows XP, Mac OS/X (10.4 and 10.5), Linux (Ubuntu LTS).

IP phones: Avaya 96xx, Cisco 79xx

Switches: Cisco 6500, 3750 and 3650

Firewalls: Juniper SSG (relevant for future NAC deployments)

RADIUS: Microsoft IAS, Infoblox, Juniper Infranet Controller (for future NAC deployments)

Issues:  more machines than network drops at desks, authentication should be transparent to users, re-imaging machines, printers/scanners/etc, “stale” CRL from “root” CAs.

Whilst I feel that TACACS+ is a much better AAA solution for administrative access, it seems harder and harder to find documentation on how to do things, particularly on the server side.

For instance, with Juniper’s screenos when they added TACACS+ support, they documented how to add the config to the firewall, but the details on having to create a new service and set priv levels were left to a KB entry after the fact.

tacacs.org is now available to collect server side snippets, hints and tricks.

Contact me for details on how to contribute.