Monday, July 30, 2007

Summer flights are noisier than the rest of the year (and I kind-of like it that way)

I'm on a trip for work, when I usually do more blogging. It's
probably because I'm not with my wife, so I don't have a way to
immediately explain what's on my mind.

I think for the same reason, summer flights are noisier than flights
the rest of the year. I suspect it's because groups -- probably
families -- seem to be traveling together more. There are definitely
more kids flying this time of year. The kids usually seem to be with
older folks that resemble them (probably parents).

I like that families are traveling together and going on trips. As a
proportion of income, airline flights are cheaper than they were when
I was a kid. (So I've heard.) We didn't fly when we traveled when I
was growing up.

Thursday, July 26, 2007

Security vulnerabilities and the realm of the really-really-hard

Some security vulnerabilities are easy to exploit, e.g., brute-force
guessing of passwords when trying to log in to a device that's on the
Internet.

Others are practically infeasible -- like factoring the product of two
20-digit primes to find somebody's encryption key.

But somewhere in the middle, you have the exploits that are
really-really-hard.

One thing I commonly do is set up an SSH server, give it a public IP
address, and set up a firewall to allow only a few specific IP
addresses to log in to it. The weakness in this design is that it's
subject to IP spoofing. And it uses reusable passwords.

But is it? To take over the SSH server and gain remote access to it,
you have to log in to it. Somehow you have to get into the middle of
the stream.

Let's call those permitted IPs the "clients". To even get a chance to
guess passwords against this SSH server, you'd need to:
-- Know the clients' addresses that are allowed through the firewall
-- Be able to eavesdrop on the traffic between the SSH server and the
clients
-- Be able to suppress the FIN the true client sends for connections
it didn't start; i.e., interrupt the flow of traffic. If you just
inject a packet with a spoofed IP address toward the SSH server, the
SSH server's response goes back to the true client, not to you. The
true client will usually send a TCP FIN because it's not a connection
that the true client initiated.

Unless you have control of an ISP along the path, you really can't
do this. And even if you do control a network on the path, it could
still be really hard to get into this one flow.

Almost anybody can transmit a spoofed packet. But if you don't have
control over an ISP along the path, all you can do is inject packets.
If you can't see the SSH response coming back, you can't participate
in the DH key exchange, and your attack attempt would be immediately
squashed.

This is an example of a security practice that's not the strongest
possible thing, but it's really-really-hard to break.
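
To make the argument above concrete, here is an added toy model (my own
example, not the setup described in the post): the firewall allow-list,
the random TCP initial sequence number the server puts in its SYN-ACK,
and the three positions the post distinguishes (permitted client, blind
off-path injector, on-path party). The addresses are constructed
documentation-range examples, not real hosts.

```python
import secrets
from dataclasses import dataclass, field

# Constructed allow-list: the two "client" addresses the firewall lets reach port 22.
ALLOWED_CLIENTS = {"192.0.2.10", "192.0.2.11"}
MOD32 = 1 << 32

@dataclass
class SshServer:
    """Models the firewalled SSH host: allow-list check, then a TCP three-way handshake."""
    allowed: set
    pending: dict = field(default_factory=dict)  # src -> server ISN awaiting the final ACK

    def recv_syn(self, src):
        """Drop SYNs from sources off the allow-list; otherwise reply with a SYN-ACK carrying
        a random 32-bit ISN. The SYN-ACK is routed to `src`, never to whoever injected the SYN."""
        if src not in self.allowed:
            return None
        self.pending[src] = secrets.randbits(32)
        return {"to": src, "seq": self.pending[src]}

    def recv_ack(self, src, ack):
        """The handshake completes only if the ACK acknowledges the server's ISN + 1."""
        isn = self.pending.pop(src, None)
        return isn is not None and ack == (isn + 1) % MOD32

    def recv_teardown(self, src):
        """The true client got a SYN-ACK for a connection it never opened and tears it down
        (the post calls this a FIN; a TCP stack actually answers an unsolicited SYN-ACK with a RST)."""
        self.pending.pop(src, None)

def legitimate_connect(server, client_ip):
    """A permitted client sees its own SYN-ACK, so it can finish the handshake."""
    syn_ack = server.recv_syn(client_ip)
    return syn_ack is not None and server.recv_ack(client_ip, (syn_ack["seq"] + 1) % MOD32)

def blind_spoof(server, forged_src, guessed_ack):
    """Off-path injector: it can forge the source address but never sees the SYN-ACK, so it
    must guess the ISN (1 in 2**32), and the real client's teardown lands first anyway."""
    if server.recv_syn(forged_src) is None:
        return False  # firewall: forged source is not on the allow-list
    server.recv_teardown(forged_src)  # SYN-ACK reached the true client, which closed it
    return server.recv_ack(forged_src, guessed_ack)

def on_path_spoof(server, forged_src):
    """Only a party that reads the SYN-ACK in transit and suppresses the client's teardown can finish."""
    syn_ack = server.recv_syn(forged_src)
    return syn_ack is not None and server.recv_ack(forged_src, (syn_ack["seq"] + 1) % MOD32)
```

The model stops at the TCP handshake; the same "can inject but can't
see the reply" asymmetry is what keeps the off-path party out of the
DH exchange that follows, which is why the remaining weak spot in this
design is the reusable password, not the spoofing.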

Wednesday, July 18, 2007

A taste of NYC on the tarmac of RDU

I'm on a flight to New York City right now. This is my first trip where I actually anticipate spending any time in the city. Once, before, I flew in to JFK and drove through Manhattan.

It's funny how, when you board a flight to go somewhere, you start to get the sense of being there from the other people who are going. I imagine that many of the people on this flight are from New York, and bring their urban attitude, dress, and mannerisms with them.

But, in reality, they might not be from NYC. It makes for a more interesting story if I force them all to be, though. That way, I can match elements of their behavior to my impressions of NYC that I've learned from TV and movies.

Tuesday, July 10, 2007

40 minutes of stretching for every exercise

From http://www.knee1.com/news/mainstory.cfm/318 --

This is a helpful and informative article. But the advice on stretching seems unreasonable:

The article says: "Then do calf, hamstring, quadriceps, hip flexor, waist, glut, back, heel, inner thigh, and trunk stretches, holding each for 20 seconds and repeating six times."

The author lists ten (10) different types of stretches. Each is to be held 20 seconds; so that's 200 seconds to go through the list once. But we're also told to repeat six times -- so that'll take 1200 seconds. That's 20 minutes of stretching.

The article indicates this is recommended prior to running, and after running. That's 40 total minutes of stretching each time you exercise!

Is this really what is intended? Is this the only way to avoid permanent knee injury?

Friday, July 06, 2007

Corporate Espionage

I've been suspected of corporate espionage more than a few times. Today was another example, when a rep from Occam Networks got suspicious. Previously, two different VoIP Session Border Controller (SBC) vendors on the same day suspected me, even though my company is on the partner page for one of them.

Somehow the questions I ask equipment vendors must trigger some sense of self-defense. I imagine them thinking, "Why is he asking these things? Is he trying to scope out our product for some competitor? I'll bet he's working for that startup who did the press release last week..."

In reality, I do ask very detailed, specific questions. I ask about exact capabilities, about recommended configurations, and sometimes about features they don't have yet but know they want to have.

My company is intentionally independent of vendors; we are a firm of professional consulting engineers for telecommunications and other computing systems. We're not here to shill for equipment -- we're here to make systems that actually work. I don't get paid if my customers buy some equipment -- I really only get paid if their system works.

If I'm designing or building a service for somebody, I have to know about its actual capabilities: what it really can do, and what its limits are.

Normal folks who work in IT shops, unfortunately, aren't quite so picky. And so they can end up buying equipment before they know precisely how it will be configured, and whether it has the features they'll need. It's my job, when they hire me, to avoid this fate.

I don't like being suspected of spying. Today, I asked the guy, "Are you sharing anything that's confidential, that needs to be protected?" He said he wasn't, and made an RTFM jab claiming that the information he shared was already on the data sheets available on the web site. It's not, Occam. Your data sheets are full of buzzwords and promises -- not detailed capabilities and limitations.