Huawei Symantec recently introduced their SAN, NAS, and security offerings for the United States market

Surprise! Huawei Symantec has arrived in the United States, ready to take on the midrange storage and network security market with a line of devices that have proven their worth in the international market for three years. I sat down with the company’s management at Storage Networking World and quizzed them on their plans and aspirations for growth.

Introducing Huawei Symantec

It’s important to get one thing straight right off the bat: Huawei Symantec Technologies Co., Ltd (Huawei Symantec) is neither Chinese telecom giant, Huawei, nor American storage and security powerhouse, Symantec. It is an entity unto itself, formed in 2008 as a joint venture of the two but managed independently. And Huawei Symantec USA (HS USA) is a wholly-owned subsidiary of this China-based operation rather than a simple sales or marketing engine. Huawei Symantec USA is akin to NEC’s American operations rather than a global subsidiary like HDS or an integrator/reseller.

Huawei Symantec was created to commercialize the enterprise storage and server hardware of Huawei and the enterprise software offerings of Symantec, but blessed with its own independent 4,000-strong engineering, marketing, and sales force.

This independence is sometimes evident, though perhaps not in HS USA’s initial product offerings. They will enter the market with three products in two lines:

• “Oceanspace” storage:
  • S2600 “Low-End” Fibre Channel/iSCSI SAN array (see this technical whitepaper for more)
  • N8300 unified SAN/NAS array
• “Secospace” security:
  • Secospace USG2000BSR/HSR router/security appliance

Huawei Symantec has a much-broader product range, however, including VTL and PACS storage, cloud storage solutions, SSD drives, and SAN arrays on the storage side (all part of the Oceanspace line); UTM, Anti-DDoS, VPN, and IDS systems for security (referred to as Secospace); as well as servers. The HS USA team confirmed to me that they intend to broaden their product portfolio in America by bringing additional products to market in the near future.

Although these initial products are based on Symantec software, this is not the case for the entire product line. The Oceanstore VTL appears to use FalconStor software, for example, and Huawei Symantec has created hardware and software components that are distinct from both of its famous parents.

What’s In A Name?

I imagine that the famous names attached to this organization might prove to be both a blessing and a curse. The Symantec name carries cachet in the enterprise IT space, much of it inherited from Veritas along with proven products like Storage Foundation, NetBackup, and Enterprise Vault. Although less familiar to Americans, Huawei is a giant in the data centers of the Far East, with thousands of engineers and customers worldwide. But many will undoubtedly draw conclusions about these parents’ motives and strategies and apply these to their child, Huawei Symantec.

I discussed the entry of HS USA with Symantec staff as well, and they stressed that the new company is not driven by (or coordinated with) their management in Mountain View. Their reaction to the new products appeared to reflect the curiosity and interest they might direct towards any new storage or security company that leveraged their products. In short, Symantec appears supportive but disconnected from HS USA. Although they share a name, Huawei Symantec is not an attempt by Symantec itself to enter the enterprise storage array and security appliance market.

The Huawei name and roots in China may prove somewhat perilous, however. Members of the United States Senate and NSA recently moved to block Sprint Nextel and AT&T from using Huawei telecommunications gear, and some of the IT managers I spoke to at Storage Networking World were similarly worried. They expressed skepticism about the build quality and engineering of Chinese products in general and wondered aloud if Huawei Symantec would meet enterprise standards in terms of localization and customer support. And every end user I spoke to was confused about the company’s relationship with Symantec in particular.

Stephen’s Stance

I have been watching Huawei Symantec’s growth for the last few years, and the company’s entry into the United States market has great potential. Huawei Symantec has proven itself on the international stage and brings tremendous engineering and financial resources to the midrange storage and security market. It leverages the contributions of its famous-name parents but enjoys autonomy to go beyond this base.

Make no mistake: Although this is not just another storage startup, its success is not a foregone conclusion. Localization of products, support, and sales is perilous, and every market is littered with examples of failure. Huawei Symantec must act quickly to build strong relationships with resellers, who have traditionally been the gatekeepers of the midrange storage and security market. They must also move aggressively to localize product marketing and develop collateral and strategies to support their new American customers. And they must reach out to educate the market about their relationship with Huawei and Symantec and their engineering credentials.

© sfoskett for Stephen Foskett, Pack Rat, 2010. | Huawei Symantec Enters The United States Storage and Security Market
This post was categorized as Enterprise storage, Gestalt IT. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

I had switched from Dreamhost to Slicehost back in February to improve reliability and performance, but the meagre 256 MB of RAM in my virtual private server (VPS) “slice” proved insufficient. The time had come to completely redo my core hosting infrastructure. After some experimentation, I have settled on a simple two-server configuration based on Ubuntu Linux, MySQL, and lighttpd. I thought it would be a good idea to document this new configuration, as well as my previous experiments, for posterity.

If you’re interested in setting up a web site as outlined here, I recommend Slicehost. They’re not the cheapest, but their VPS servers are fast and reliable.

History

My web hosting environment has transitioned over the past six months. I had relied on shared hosting from Dreamhost for almost a decade, with my servers sharing infrastructure and management with thousands of others. This worked fine until I began to see significant traffic increases since creating this blog. Shared hosting just didn’t cut it once I had more than a few thousand pageviews per day.

I tried Dreamhost’s interesting and very flexible virtual private server capabilities, but could never get them working reliably. Plus, the core networking and storage performance of the Dreamhost infrastructure left something to be desired. After much research I switched to Slicehost, an all-VPS provider that has recently been acquired by Rackspace. Although they are not the cheapest or most flexible, Slicehost is a very professional service with good support and excellent infrastructure and connectivity.

I had been using a single 256 MB slice to host my entire site, and had managed to get everything well with lighttpd and MySQL, but this configuration ran into serious performance issues once traffic built again. Once I passed 10,000 pageviews per day, which happened quicker than I hoped, it was again time to upgrade.

Server Configuration

My core question was whether to go with a single 512MB or two 256 MB slices. Would resource contention in a single server be outweighed by the extra available RAM? After consulting with the experts, I decided that it was time to separate the database and web servers.

A multi-server setup delivers performance, reliability, and future capability.

As illustrated above, the database and web servers communicate via a high-speed private network, a standard Slicehost component. I created extremely restrictive iptables firewall policies to control access to both servers, disabling almost all communication. The database server in particular is inaccessible except from the web server, and even then only allows MySQL and public key ssh. Both servers are running bare-bones versions of Ubuntu 9.04.

MySQL Configuration

MySQL is much happier on its own dedicated server. It makes excellent use of its own query cache and operating system buffers and has very little disk access at all. Query performance immediately jumped, and site performance noticeably improved.

My only change to my.cnf was to enable the query cache. This works great on my 256 MB slice:

# Enable query cache
query_cache_limit       = 2M
query_cache_size        = 32M

I’m not a believer in security through obscurity. Sure, you can use a special high MySQL port, but by then you’ve probably lost anyway. Regardless, set up iptables to only allow access from your web server’s private interface using the -s parameter:

# Allow connections on our MySQL port
-A INPUT -p tcp --dport mysql -s 10.176.x.x -j ACCEPT

It’s a pretty simple configuration, but it works well. MySQL is humming along without much paging at all, using the entirety of the 256 MB available for caching. I haven’t had to resort to any tricks to keep the performance up.

One more configuration suggestion: Use a unique username and password for each database application and grant access only to that user on the private network interface. That way, your risk is segmented to a single database should an intruder use a SQL injection or something similar.

For example, say you were configuring the database “myblog_wp” for the user “me_myblog” with the password “123456abcdef”. You use the web server’s private interface address, 10.176.x.x as well so it is harder to get in even if your firewall is breached.

mysql -u root -p
Enter password:
mysql> grant all on myblog_wp.* to 'me_myblog'@'10.176.x.x' identified by '123456abcdef';

All set!

Basic Lighttpd Configuration

Back on the web server, we configure iptables to only allow connections to lighttpd on port 80 and ssh on whatever port you decide. Again, some suggest using a high port for ssh, but if you’ve configured sshd correctly then using an obscure port number is more likely to be a hassle for you than keep anyone out. Here are some good settings for /etc/ssh/sshd_config:

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no

This forces all logins to use established public/private key pairs rather than passwords. Protect your keys and you’re in good shape. Key passphrases are a very good idea here! You’re also disallowing root in any case, since you’re using sudo for all administrative tasks, right?

Next we need to set up lighttpd. I’m using the basic packaged versions for ease of maintenance rather than building my own. I also loaded the stock versions of php5 and mysql-client which integrate nicely. I used to use eaccelerator but didn’t love having to recompile it myself and had some mysterious lockups with it running. So I went with XCache, which is developed by the same fine folks who created lighttpd.

sudo aptitude install mysql-client lighttpd php5-xcache

Why not use Apache? I actually tested Apache with my site before deciding to use lighttpd. I was able to tweak it to run in 256 MB of RAM by limiting the number of worker processes created to 4, but Apache just couldn’t handle the site load. Connections were stacking up and pageviews dropped as people gave up. Lighttpd with XCache is blindingly fast and fits in my 256 MB RAM envelope nicely.

The only real issue I have with lighttpd is that configuration is entirely different from Apache and remains less well-supported. It doesn’t use with .htaccess files, for example, and rewrites use a unique syntax.

Lighttpd for WordPress

Here’s a basic virtual server for /etc/lighttpd/lighttpd.conf for a WordPress domain:

$HTTP["host"] =~ "^(blog\.)?yourdomain\.com$" {
  server.name = "yourdomain.com"
  server.document-root = basedir + server.name + "/blog"
  url.access-deny = ( "wp-config.php" )
  dir-listing.activate = "disable"
  url.rewrite-final = (
    # Exclude some directories from rewriting
    "^/(wp-admin|wp-includes|wp-content)/(.*)" => "$0",
    # Uncomment to exclude Google FriendConnect files
    # "^/(canvas.html|rpc_relay.html)" => "$0",
    # Exclude .php, robots.txt, favicon.*, and sitemap.xml files at root from rewriting
    "^/(.*.php|sitemap.xml|robots.txt|favicon.*)" => "$0",
    # Handle WordPress permalinks and feeds
    "^/(.*)$" => "/index.php/$1"
  )
  accesslog.filename = basedir + "/" + server.name + "/log/blog.access.log"
}

This configuration accomplishes many of the important tasks of WordPress configuration. Most importantly, it works!

1. Permalinks and feeds are correctly redirected so no ugly index.php is used
2. Critical directories like wp-admin and files like robots.txt still work
3. Your wp-config.php file is explicitly protected
4. Directory listings are disabled
5. A site-specific access log is used (like Apache)

I’d love feedback on this configuration! One weird thing I’ve not yet figured out is how to use a site-specific error log. I haven’t configured pretty MediaWiki links in lighttpd yet, but imagine a similar configuration would work there.

© sfoskett for Stephen Foskett, Pack Rat, 2009. | Setting Up a Multi-Server Web Hosting Environment
This post was categorized as Personal. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

IT infrastructure is following consumer technology out of the data center glass house and into the wide world

Dave Hitz over at NetApp poses a very interesting question: What is the ten-year trend in information technology that we are currently building to? He supplies these historical examples:

• 1982-1992: A computer on every (business) desk
• 1990s: Networking all those computers

He then goes on to suggest three ten-year trends that we might currently be living through:

1. Cloud/Outsourced Computing
2. Server Virtualization
3. Flash Memory

Although I agree on the importance of these three to enterprise IT, I don’t think they’ll be seen as the megatrends of this decade in hindsight. I suggest that, more than anything, we are witnessing a wholesale shift from information tied to place/device to information mobility. Cloud computing, server virtualization, and even flash memory are all contributors to this massive trend, along with the user-side trends of the post-PDA mobile phone, 3G data, social web services, and connected home.

What Is Mobility?

The meaning of mobility, to me, is expansive. It doesn’t just refer to taking a copy of your data with you, ubiquitous connectivity, or portable devices. Mobility is a new paradigm of computing.

• Your data no longer “sits” in one place – your data lives out there in the network!
• Your applications no longer “live” on this device or that – your applications live out there in the network!
• Your productivity environment no longer requires a particular piece of hardware – you expect to be productive everywhere on every device!

This doesn’t sound strange to the modern Internet user. We have completely accepted the role of Google, Facebook, Yahoo, Wikipedia and the rest in our personal lives. Just as they did in the early days of the PC, business people have transitioned these concepts into the professional world – witness Salesforce and LinkedIn! In all cases, we have endorsed the idea that certain types of information want to live in the cloud because it makes them better!

Once you’ve used these services, old-fashioned email, contact management, encyclopedias, maps, and the rest seem incredibly limiting. A GPS system that can’t update its maps seems antiquated, and we want it to have real-time traffic data, too. An iPod that needs to be physically connected to a PC to add music or applications is simply unacceptable. Time- and place-shifting technologies like TiVo To Go, over-the-air podcast downloads, and Slingboxes reset our expectations about availability and choice of entertainment, but they are mere symptoms of our changing perceptions. We want mobility of data, applications, and platforms, and we are getting it.

Consider two truly revolutionary platforms: the iPhone and the netbook. In both cases, we knowingly accept limitations in the name of portability, knowing that the cloud will give us what we can’t hold in our hands. These devices are limited in ways that would seem inconceivable just a few years ago: Apple has locked their platform up tighter than any in history, and netbooks are too small, underpowered, and cheap in all senses of the word. But we love them because they get us where we want to go, which is up and out!

Mobility and Enterprise IT

The concept of mobile data, applications, and devices is just as applicable to enterprise IT infrastructure as it is to personal technology. Some enterprise data must be kept close to the vest, especially where privacy laws and litigation concerns are applicable. But there is certainly a vast pool of corporate data that wants to be out working in the field! Setting this data free is the enterprise equivalent of the mobility megatrend!

Cloud computing is hype. Server virtualization is hype. Flash storage is hype. XaaS is hype. Web 2.0 is hype. But once the cloud of hype passes, we will be left with solid technologies to enable mobility and transform corporate computing. Why should corporate email have to punch through your firewall? Why should the intranet be limited to internal or VPN users? Why can’t customers interact with a (limited/controlled) set of your corporate records? Salesforce showed us that roaming users (sales teams) need greater access than most IT staff were ready to build. What if we applied the same ideas to other data types?

Many companies are already doing this. Microsoft offers a variety of internal/external services for their customers through Live (see Connect, for example). Many companies are using mail and productivity applications in the cloud from Google, MessageOne, and Zimbra. Backup and archiving as a service to mobile users is widespread (see Iron Mountain Connected and Mozy). And more and more corporate PR relies on blogs, twitter, and social networking sites. Corporate security and legal types are worried about data “escaping” from the eggshell of control they exert, but this cat is out of the bag. Enterprise IT will never be the same!

It comes down to a single core question that IT folks ought to have been asking themselves all along: What should be held internally and what should be let loose? We already “outsource” many non-core corporate functions. Sometimes we do this for cost reasons. But the most effective outsourcing decision is when a third party will do a better job, offering levels of expertise or service that an internal group could never realistically reach. We already buy enterprise software to leverage outside development (remember, this was not always the case!), so why not also buy enterprise services? Corporate-grade outsourced email, groupware, sales automation, and the like is not only more robust and less expensive than internal systems, they enable a disconnected, mobile workforce.

Today, I Was Angry

I bought a new album from Amazon, but I forgot to sync my iPhone with my laptop, so it was sitting at home when I wanted to listen to it in the car. Then I couldn’t find a colleague’s phone number because he moved to a new company and my address book didn’t automatically update. And I couldn’t review a presentation because I needed a special account to access a corporate document system behind a firewall.

These little accomplishments would have seemed like miracles just a few years ago: I remember the joy I felt ten years ago when I could read a web page offline on my Palm Pilot using AvantGo; I was amazed when I first fired up 802.11a wireless networking and could work anywhere in the office; I was gleeful to be able to take 5 GB of music with me on the train. But all this is past. Today, I want to access my portable data and work anywhere. We are in the midst of a revolution in the mobility and ubiquity of computing.

See my posts on Gestalt IT for similar enterprise IT infrastructure commentary

© sfoskett for Stephen Foskett, Pack Rat, 2009. | Ten-Year Trend: Mobility
This post was categorized as Apple, Computer History, Enterprise storage, Everything, Personal, Terabyte home, Virtual Storage. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

Does data encryption throw storage efficiency out the window? Not always!

One of the great ironies of storage technology is the inverse relationship between efficiency and security: Adding performance or reducing storage requirements almost always results in reducing the confidentiality, integrity, or availability of a system.

Many of the advances in capacity utilization put into production over the last few years rely on deduplication of data. This key technology has moved from basic compression tools to take on challenges in the fields of replication and archiving, and is even moving into primary storage. At the same time, interconnectedness and the digital revolution has made security a greater challenge, with focus and attention turning to encryption and authentication to prevent identity theft or worse crimes. The only problem is, most encryption schemes are incompatible with compression or deduplication of data!

Incompatibility of Encryption and Compression

Consider a basic lossless compression algorithm: We take an input file consisting of binary data and replace all repeating patterns with a unique code. If a file contained the sequence, “101110″ eight hundred times in a row, we could replace the whole 4800-bit sequence with a much smaller sequence that says “repeat this eight hundred times”. In fact, this is exactly what I did (using English) in the previous sentence! This basic concept, called run-length encoding, illustrates how most modern compression technology functions.

Replace the sequence of identical bits with a larger block of data or an entire file and you have deduplication and single-instance storage! In fact, as the compression technology gains access to the underlying data, it can become more and more efficient. The software from Ocarina, for example, actually decompresses jpg and pdf files before recompressing them, resulting in astonishing capacity gains!

Now let’s look at compression’s secretive cousin, encryption. It’s only a small intellectual leap to use similar ideas to hide the contents of a file, rather than just squashing it. But encryption algorithms are constantly under attack, so some very smart minds have come up with some incredibly clever methods to hide data. One of the most important advances was public-key cryptography, where two different keys are used: A public key used for writing, and a private key to read data. This same technique can be used to authenticate identity, since only the designated reader would (in theory) have the key required.

Cryptography has become exceedingly complicated lately in response to repeated attacks. Most compression and encryption algorithms are deterministic, meaning that identical input always yields the same output. This is unacceptable for strong encryption, since a known plaintext attack can be used with the public key to reveal the contents. Much work has focused on eliminating residues of the original data from the encrypted version, as illustrated brilliantly on Wikipedia with the classic Linux “tux” image. The goal is to make the encrypted data indistinguishable from random “noise”.

What happens when we mix these powerful technologies? Deduplication and encryption defeat each other! Deduplication must have access to repeating, deterministic data, and encryption must not allow this to happen. The most common solution (apart from skipping the encryption) is to place the deduplication technology first, allowing it access to the raw data before sending it on to be encrypted. But this leaves the data unprotected longer, and limits the possible locations where encryption technology can be applied. For example, an archive platform would have to encrypt data internally, since many now include deduplication as an integral component.

Why do we prefer compression to encryption? Simply because that’s where the money is! If we can cut down on storage space or WAN bandwidth, we see cost avoidance or even real cost savings! But if we “waste” space by encrypting data, we only save money in the case of a security breach.

A Glimmer of Hope

I had long thought this was an intractable problem, but a glimmer of hope recently presented itself. My hosting provider allows users to back up their files to a special repository using the rsync protocol. This is pretty handy, as you can imagine, but I was concerned about the security of this service. What happens if someone gains access to all of my data by hacking their servers?

At first, I only stored non-sensitive data on the backup site, but this limited its appeal. So I went looking for something that would allow me to encrypt my data before uploading it, and I discovered two interesting concepts: rsyncrypto and gzip-rsyncable.

rsync is a solid protocol, reducing network demands by only sending the changed blocks of a file. But, as noted, compression and encryption tools change the whole file even if only a tiny bit has been altered. A few years back, the folks behind rsync (who also happen to be the minds behind the Samba CIFS server) developed a patch for gzip which causes it to compress files in chunks rather than in their entirety. This patch, called gzip-rsyncable, hasn’t been added to the main source even after a dozen years, but yields amazing results in accelerating rsync performance.

The same technique was then applied to RSA and AES cryptography to create rsyncrypto. This open source encryption tool makes a simple tweak to the standard CBC encryption schema (reusing the initialization vector) to allow encrypted files to be sent more efficiently over rsync. In fact, it relies on gzip-rsyncable to work its magic. Of course, the resulting file is somewhat less secure, but it is probably more than enough to keep a casual snooper at bay.

Both of these tools are similar to modern deduplication techniques in that they chop files up into smaller, variable-sized blocks before working their magic. And the result is awesome: I modified a single word in a large word document that I had previously encrypted and stored at the backup site and was able to transfer just a single block of the new file in an instant rather than a few minutes. My only real issue is the lack of integration of all of these tools: I had to write a bash script to encrypt  my files to a temporary directory before rsyncing them. I wish they could be integrated with the main gzip and rsync sources!

If you are interested in trying out these tools for yourself, and if you use a Mac, you are in luck: Macports offers both tools as simple downloads! Just install macports, type “sudo port install gzip +rsyncable” to install gzip with the –rsyncable flag, then type “sudo port install rsyncrypto” and you’re done! I’ll post more details here if there is interest.

© sfoskett for Stephen Foskett, Pack Rat, 2009. | Compression, Encryption, Deduplication, and Replication: Strange Bedfellows
This post was categorized as Enterprise storage, Personal. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

You can never be totally secure, but basic precautions like this simple cable lock for laptops can help

This is part of an ongoing series of longer articles I am posting on Sundays.

In this digital age, it is easy to overlook the critical element of physical security. Put simply, it is often far more efficient to steal or gain access to a physical object like a laptop or flash drive than to break into a computer system. And despite the sanitary and controlled environments many mobile employees often travel in, risks to personal safety are real. Therefore, it is sensible to consider the physical security needs of the road warrior.

Protecting Your Data

Road warriors love gadgets, but so do thieves. According to a 2008 Ponemon Institute study for Dell, over 12,000 laptop computers are lost in US airports each week, and 70% of these are never reclaimed. Other studies have shown similar losses at public places like restaurants, hotels, and parking lots. Thumb drives, portable hard drives, and smart phones share the top of the most-stolen list with laptop computers.

Portable drives are particularly easy to snatch

Because these are often crimes of opportunity, the simplest protective measure is to keep these devices under ones personal control at all times. Never ask a stranger to watch your bag, and do not leave computers or peripherals unattended in conference rooms or hotels.

Special care is needed when passing through airport security: Never put your laptop or other valuable items through the scanner first, since you may be delayed while passing through the metal detector. Instead, place them in the middle or rear of your items so they will remain inside the x-ray machine until you emerge on the other side to retrieve them.

Most hotel rooms have safes available, and these should be used whenever you must leave your laptop or other valuables behind. Although they are not foolproof, they are much more secure than car trunks, cable locks, or bell desks. If a safe is not available or is too small, use a Kensington-type lock to secure your laptop computer to a bulky and sturdy object like a desk. These will not stop a determined thief, but should be enough to discourage a snatcher.

Protecting Yourself

Many of us wrongly assume we are safe in the familiar surroundings of offices, hotels, airports, and restaurants. The rolling suitcase, airline ticket, and laptop bag marks us as targets even in these environments, and serve as enticing evidence of loot to be had.

One of the best ways of protecting one’s safety when traveling is always to be aware and prepared. Get directions ahead of time instead of asking, staring at your PDA or GPS, or driving around. Consider whether your surroundings put you at risk: Select hotels in safer neighborhoods or where access is more controlled. Avoid public transportation when toting cumbersome bags, even if you would happily take the bus or subway alone. Spending a bit more money is preferable to losing your valuables or coming to harm.

When you are away from the office or hotel, dress like a local and watch out for too-friendly strangers. Most people are helpful to others, but avoid those who ask prying questions of offer extravagant services. Con-men often prey on travelers, waiting near hotels, airports, and offices. For example, never take an un-licensed limousine or taxi since these nearly always end up being more costly or risky than desired.

Business travel can be enjoyable, but one must always be careful to avoid becoming a victim!

© sfoskett for Stephen Foskett, Pack Rat, 2008. | Physical Security for the Road Warrior
This post was categorized as Personal. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

Sprint USB EV-DO + Cradlepoint personal hotspot = sweet!Default password = bad!

As I posted the other day, my new Cradlepoint PHS300 3G router is just awesome, and I would happily recommend it to anyone. If you do get one, however, be sure to change the default password immediately. The seemingly-strong password is worse than insecure – it’s available to anyone who asks whenever the router is powered on!

Let’s back up, though. When I first set up the router, I was impressed by how simple it was. Turn it on and its Wi-Fi LAN appears almost immediately. Connect to the LAN and your browser is redirected to the router’s management interface (at 192.168.0.1).

I was happy to see that, unlike nearly all router manufacturers, Cradlepoint does not use a default password. Rather, each router has its own unique password – the last six hexadecimal characters of the MAC address, which is printed on a sticker on the bottom of the unit. At the time, this seemed much better than the big manufacturers, which tend to use the easily-guessable “admin” or another short, simple-to-crack word.

But the Cradlepoint also uses the last three characters of the MAC address as its default Wi-Fi SSID. So three of the password’s six characters are broadcast constantly to anyone who cares to see, regardless of whether they are even connected to the LAN! This literally makes the password 4,096 times easier to guess. My router’s SSID was “PHS-28a”, and the password was “02828a” – see the problem?  Amazingly enough, though, this isn’t the worst problem!

Most people know that DNS servers translate domain names (like “blog.fosketts.net”) into IP addresses (like “208.113.206.204″). But Ethernet networks (including Wi-Fi) use a different addressing scheme, and IP addresses themselves must be translated into a MAC address (like “00:30:44:02:82:8a”) before it can transmit data. Any connected client can use a command line program called arp to look up a MAC address, which means they can simply ask the router for the MAC thus discover the password. See my password in that example? But wait, it gets worse still!

Cradlepoint suggests setting a connection password, which will keep people from using its 3G connection but will do nothing to prevent them from using arp to find out the router’s password. Smarter people will turn off the SSID broadcast or use a WEP password, which will keep them from connecting to the router’s Wi-Fi network. Although this will stop the arp attack, the password is still vulnerable. See, the address is included as part of every Wi-Fi packet in plaintext, and as any wardriver will tell you, it’s simple to snoop on Wi-Fi packets. So the router is continually transmitting its password, whether one is connected or not. One would need to figure out the WEP password in order to connect, but there are techniques that allow this, and the attacker would then be able to use the administrator password to reconfigure the router.

The Cradlepoint also supports WPA/WPA2, which is much more secure than WEP and would dramatically improve the situation, but not all devices support it. But the real solution is much simpler – change the administrator password to something much more secure. Sadly, most people won’t do any of this – they’ll leave the password as it is and thus leave their router totally open to attack.

But let me just take a moment to beg those who read this post: Don’t ever use a MAC address as a password!

© sfoskett for Stephen Foskett, Pack Rat, 2008. | MAC Addresses Are Bad Passwords
This post was categorized as Apple, Terabyte home. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

The glorious Victorinox Swiss Army CyberTool 34: Geek's best friend or security's worst nightmare?

Aah, security. It seems that, in the last decade, the balance between liberty and security in the United States has tilted rather strongly, to the point that we expect to be scanned and have our possessions confiscated before entering buildings. Such was the case when my family and I made our pilgrimage to the Empire State Building in New York, separating me from my beloved Victorinox CyberTool after 10 years of loyal service. It’s a good thing they took it away, too!

I had planned on using the built-in pozidrive, Torx, and Phillips (#0 and #1) bits to dismantle the building and take it home with me. The pliers and scissors might have helped there, too. And since they didn’t confiscate (or really even thoroughly check) my bag, the corkscrew, bottle opener, and can opener might have allowed me to get wild with the Chardonnay and Vienna sausages while I was working! Good thing it packs a toothpick and tweezers, too, since those things can be dangerous. And if anyone tried to stop me, I would have had my choice of 1.5″ or 2.5″ blades to “defend” myself!

Or perhaps I could have used the tiny screwdriver to fix my glasses and the scissors to snip the end off of my kids’ drinking straws to make it easier for them to enjoy lunch. Either way, we’re all safer now that my CyberTool is forever in the hands of the professionals on 34th street. Just don’t let them know that Amazon delivered a new Onyx CyberTool 34 last week!

© sfoskett for Stephen Foskett, Pack Rat, 2008. | Empire State Building: 1, Swiss Army Knife: 0
This post was categorized as Personal. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

Curious about the current state of SAN technology?  Stephen Bigelow of TechTarget interviewed me (last summer) about SAN options, and the video is now live on their BitPipe site.

Topics covered include combined iSCSI and FC SANs, ups and downs of modular storage and oversubscribed switches, next-generation SAN management applications, storage virtualization, and best practices for SAN design.

Here’s a snip – the three best practices for SAN design are as follows:

1. Choose reliable high-quality hardware
2. Build dual redundant networks
3. Protect management interfaces

Watch the whole video (it’s 17 minutes long) and let me know what you think!

© sfoskett for Stephen Foskett, Pack Rat, 2008. | Where the SAN Stands
This post was categorized as Enterprise storage, Personal. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

As a liberal-minded person, I tend toward the libertarian with regard to social issues, and especially technological ones. But although lots of the TSA policies annoy me, I’m frankly just too scared of missing my flight to “join the resistance” as it were and stand up and question some of the idiocy.

But here are the things I’d like a straight answer from the TSA about:

• Why are some airport x-ray scanners so much more or less sensitive than others? I always wear my wallet and watch through, and usually my belt, but the other day I accidentally left my V-Moda Vibe headphones and a steel business card case in my pockets with nary a beep. I must have had a pound of metal on me!
• Is toothpaste a liquid? I got yelled at in Philly that it didn’t need to be in “the bag”, and yelled at in Denver that it did! And yet, I accidentally left a tube in my backpack for a year without a question…
• They tried to explain the 3-ounce liquid thing.  I just don’t buy it.  And (not that the TSA has anything to do with this) I have a hard time understanding why no one makes a 3-ounce tube of toothpaste!  It’s 1.3 or 4.4, as far as I can tell!
• Why scan uniformed, ID-toting airline personnel and airport employees?  They could kind of do whatever they want with us anyway, so let’s just let them through, ok?
• What’s up with this new “dump out all your electronics” rule?  The bomb squad was once called on me (BOS, terminal B) due to my proliferation of mouses, external drives, power supplies, retractable cords, etc…  I’m what’s known as a road warrior, and I don’t want to have to dump out all of my stuff!
• Why can I put most items in one bin, but my laptop has to be in a separate one alone?

Aah well, maybe we’ll get some answers.  Or maybe it’ll just be a new place for flyertalkers to complain!

© sfoskett for Stephen Foskett, Pack Rat, 2008. | TSA Blog Ignites Vitriol
This post was categorized as Personal. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.

Now Hifn has purchased Siafu, which will only increase acceptance of this much-needed element of the storage puzzle.  John Matze and the rest have done a terrific job of pushing encryption in the small business segment, and this should get their stuff accepted more broadly.  Plus, it might just spread John’s non-security iSCSI expertise more broadly, and that’s always a good thing.

© sfoskett for Stephen Foskett, Pack Rat, 2007. | Hifn Buys Siafu
This post was categorized as Enterprise storage. Each of my categories has its own feed if you'd like to filter out or focus on posts like this.