A step up from the Minority Report interface.

OK, so the real-life Minority Report interface did not do it for you?

Well, let's try a bit of brain control!

OK, so it's not perfect yet, but I have been following these over the years and they are getting better and faster to respond year by year. I remember when the most they could do was flip the colour of the screen by thinking about a CAT?! To think it can learn an action in 8 seconds, and if it's anything like voice recognition software, I know from experience that practice really does make perfect.

I still think there's a long way to go yet, but we are getting close to being able to sit at our desks and control objects on the screen with our minds.

However, I think the use I would most like to see the research go to first is helping the disabled. Controlling wheelchairs is only the beginning. Imagine those people with diseases like Stephen Hawking's, who currently can only communicate by moving his eyelids. Returning someone's ability to move is a great thing to be able to do, but returning someone's ability to communicate would be something truly amazing.

Plus I want one 'cause they look cool!!! 😉

DevilWAH

Setting up Lock and Key

I remember searching around for ages looking for this solution a few years back, so I thought I would share it with you. Bear in mind that there are much more secure solutions around, such as 802.1X port-based authentication. However, these require a lot more setting up, not to mention the kit to support them. For what it is, "Lock and Key" is one of those ideas that does exactly what it says on the tin.

So what exactly is it that "Lock and Key" does anyway? The idea behind it is to allow you to open up access between subnets / networks on demand. Maybe it is clearer if we look at the following diagram.

Figure 1

In Figure 1 we have the IT PCs, the users' PCs, the servers and the DRAC cards all on separate networks. If you have not come across DRAC cards before, they are an additional card that can be fitted to Dell servers, with their own redundant NIC; if the server should crash, you can connect to the DRAC card and force a hard reboot, among other things. Very useful for remote management of servers! However, as you can imagine, not something you want to allow users near!!

So looking at the diagram above, you may place an access list on the incoming traffic from the user network (192.168.20.0) to block any access to the DRAC network, while leaving the IT admin PCs able to reach it. But what happens if you are at a user's PC, the server has crashed and you need to reboot it? This is where the "Lock and Key" idea comes in.

By using a dynamic access list along with the username autocommand, you can open up the blocking access list you have created on the fly, to allow the PC you are working on to have access to the DRAC network.

First we need to set up the dynamic IP access list under global config. Remember this access list has to be applied to the interface connecting to the user PCs; we will be applying it in the "in" direction.

ip access-list extended Lock-key
 dynamic Dracacess timeout 60 permit ip any 172.64.20.0 0.0.0.255 log
 deny ip any 172.64.20.0 0.0.0.255
 deny ip any 172.16.10.0 0.0.0.255
 permit ip any any

So before "Lock and Key" is active, users are prevented from accessing the IT unit PCs and the DRAC network, but have access to everything else.

Next we set up the user we are going to use as the "Key":

username Dracs secret CISCO
username Dracs autocommand access-enable host timeout 15

So here we set up the user Dracs and add the autocommand to run when they log in. The 15-minute timeout here is the idle timeout. However, as we have set an absolute timeout above in the access list itself, this will log out the user after 60 minutes whether they are active or not.

Lastly we need to go into the interface that faces the users' network and assign the access list, and set the VTY lines for telnet access and to use the local user database. So from global config again:

interface <ID>
 ip access-group Lock-key in
 exit
line vty 0 15
 transport input telnet
 login local
 exit

Now using it is simple: from a user's PC start a telnet session with the router, and at the username and password prompt use the username Dracs and the password configured. The telnet connection will be dropped straight away, but an extra line will be added to the access list along the lines of:

permit ip host xxx.xxx.xxx.xxx 172.64.20.0 0.0.0.255 log

And your user PC now has access as long as it is sending data, or until the limit of 60 minutes.
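To see how the two timers interact, here is a small Python model of the Lock-key ACL, added as an example (it is not from the original post or from Cisco): it evaluates traffic first-match using wildcard masks, inserts the per-host dynamic entry that access-enable creates, and expires it on the 60-minute absolute timeout or the 15-minute idle timeout. The simulated clock (in minutes) and the sample addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ABSOLUTE_TIMEOUT = 60  # minutes: "dynamic Dracacess timeout 60" in the ACL
IDLE_TIMEOUT = 15      # minutes: "access-enable host timeout 15" on the user
ANY = ("0.0.0.0", "255.255.255.255")
DRAC_NET = ("172.64.20.0", "0.0.0.255")
IT_NET = ("172.16.10.0", "0.0.0.255")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    src: tuple            # (address, wildcard)
    dst: tuple
    dynamic: bool = False
    created: float = 0.0  # simulated clock, in minutes
    last_hit: float = 0.0

class LockAndKeyAcl:
    def __init__(self):
        # Static part of the page's Lock-key ACL; dynamic entries are tried ahead of it
        self.static = [Entry("deny", ANY, DRAC_NET), Entry("deny", ANY, IT_NET), Entry("permit", ANY, ANY)]
        self.dynamic = []

    def access_enable(self, host: str, now: float) -> None:
        """What the autocommand adds after a login: permit ip host <host> 172.64.20.0 0.0.0.255."""
        self.dynamic.append(Entry("permit", (host, "0.0.0.0"), DRAC_NET,
                                  dynamic=True, created=now, last_hit=now))

    def expire(self, now: float) -> None:
        """Drop keys that have hit either the absolute or the idle timeout."""
        self.dynamic = [e for e in self.dynamic
                        if now - e.created < ABSOLUTE_TIMEOUT
                        and now - e.last_hit < IDLE_TIMEOUT]

    def permits(self, src: str, dst: str, now: float) -> bool:
        """First-match evaluation, dynamic entries first, implicit deny at the end."""
        self.expire(now)
        for e in self.dynamic + self.static:
            if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
                if e.dynamic:
                    e.last_hit = now  # traffic through the key resets the idle timer
                return e.action == "permit"
        return False
```

Note that the key is per source host only: a second PC on the user network stays blocked until it logs in itself, and a host that keeps sending traffic still loses access at 60 minutes.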

Of course you may not like using telnet, and it is possible to use SSH (but then the user PC needs an SSH client installed); you can also change the port that the router listens on for telnet or SSH on a VTY line. You can also apply the autocommand to the VTY line, so anyone who logs on through that VTY line will trigger the lock and key. If you do this then you will need to set up some VTY lines to use one port with the autocommand config, and some other VTY lines to use a different port without the autocommand. Otherwise you will not be able to manage the router!!!

This link covers some more examples.

As I said at the beginning, there are much better ways to do this; 802.1X, as I mentioned, is just one of them and something I will cover in more detail soon. But for small/medium-sized networks, where cost is an issue but you still want to add an extra bit of security, this is a nice way to restrict users while allowing network admins to carry on working efficiently away from their desks.

DevilWAH

Roller coaster of a day out.

Well, just back from a very nice day at the theme park near home :). Parents very kindly looked after our lovely baby so my wife and I could have our first trip out alone. What a feeling of release to be able to walk around without having to worry about the baby, knowing she was OK.

My wife has decided that she is not too keen on rides that accelerate from 0 to 80mph in 2 seconds! But apart from that, great fun.

But now back to wireless, before adding some more quotes and a new techno blog.

DevilWAH

Edit: updated menu to contain links to the categories. Now all I need is for WordPress to allow me to put the link categories in the menu too 🙂

USB Security Issues.

US defence officials have recently released information about a security breach they suffered back in 2008.

Pentagon USB breach

It seems someone placed a USB flash drive into a government computer; the drive contained malicious code placed on it by a foreign intelligence agency. This spread to other systems and opened up the defence network to allow data to be transferred to rogue servers.

USB seems to have become the new medium for spreading viruses and malware, and to be honest it's hardly a surprise. Many companies seem to react to the growing security threats by creating stronger and stronger network gateways. In many cases these become so secure and so restrictive that they prevent the staff they are designed to protect from actually carrying out their jobs.

And then the problems really start: people start to despair at the work-provided service and will carry out the downloads at home and bring them in on their USB sticks, completely circumventing the security policies in place.

There is of course the option to restrict access to only authorised USB devices, but actually setting this up is a major headache, and a large cost is involved. Especially when the client PCs are spread over a number of sites and you don't have complete and utter control over them. Also, by restricting the USB devices you hit the same issue as when you lock down the firewalls: people unable to carry out their jobs effectively.

It surprises me the number of times a valid request from a user to run an application or run some Java code gets turned down with "it's against company security policy", when what the help desk engineer really means is "I don't know what the security policy is and I don't have the time to look into this fully for you to see if we can help".

When "security policies" affect the efficiency with which someone can do their work, or even worse push people to find ways around them, then there is a problem with them. Good security policies and set-ups should be invisible to the end user. They should also be implemented in such a way that when users have valid reasons that cause them to come up against them, there are clear processes for how to take it forward for a quick and decisive resolution.

Lose your users' confidence in this area, and they will go from helping to being the major weak link in the system. Many companies seem to see their security policy as a fight against the stupidity and malicious activity of their users, shutting them out of the IT loop. Rather, the users should be a central part of the policies; when you think that a huge percentage of breaches are caused by user "error", their education should be where at least some of the money that funds the security goes.

I know at home, using some common sense, I have managed to survive many years now without any security issues with only a basic consumer hardware firewall (Linksys) and some well-known free antivirus software. Whereas friends and family regularly hit issues despite having paid for every virus scanner under the sun.

Spending tens of thousands of pounds on software to block USB devices, more on IPS scanning, and still more on your hardened firewall, you will still never cover all the bases while giving your users the freedom they need, and as soon as they hit that wall they will look for ways around it.

Making a network secure is easy; making a secure network that is usable... That's what requires the skill.

DevilWAH

A day off.

Well, anyone who actually comes to this blog would have noticed I was away yesterday.

There was good reason for this: we had a welcome-to-the-world party for my 3-month-old daughter. It was a wonderful day, full of friends and family to hold the baby for us, so my wife and I could relax 🙂

But back to business today; got some QoS to revise tonight and have a few other bits I want to discuss.

And it doesn't matter if no one actually reads this blog.. I was reading today that the more you talk to yourself the more intelligent you are (New Scientist magazine), and boy do I talk to myself. Maybe it's because I am the only one who can put up with listening to me?

Anyway, off to do the washing up and hang the washing out, back later.

DevilWAH

Now that's Old

Today I have not really done any interesting IT stuff, but I did happen to see an article on long-lived organisms.

To put this into perspective, the oldest person on record is a lady by the name of Jeanne Calment, who passed away aged 122 in 1997. However, compared to other things this is hardly being born..

Animals don't do so well in terms of long lives: the oldest recorded tortoise is in the region of 175 years, and the oldest clam was thought to be around 400 at the time of its death (in a lab, as it was being measured). For the really old stuff you need to look at plants and bacteria.

I am sure you have heard of the Bristlecone pines, some of which are known to be over 5000 years in age.

Clonal plants, where a single plant clones itself to produce a never-ending and unbroken chain of life, have been found that are several tens of thousands of years old. In these cases the original plant growth will be long dead, but they still form some impressive stats.

One in particular is an underground forest in Africa; these trees are completely buried, with only the tips of their branches above the soil. Some of these clonal species are over 13,000 years old.

A Honey Mushroom in eastern Oregon, US, is not only 2,500 years old, but is also over 8 square kilometres, making it one of the largest organisms alive at 605 tons.

But this pales next to Pando (meaning "I spread"), a single Quaking Aspen in Utah, USA. With 47,000 stems (each looks like a single tree) connected via one gigantic root system, this single organism is thought to weigh in at over 6000 tons. Estimates of age put it at between 80,000 and 1 million years old. There is debate over whether it is still truly one organism, but whatever it is, it is one mammoth tree..

But for the oldest single organism that is not a clone of an original and has been living continuously for its life, bacteria are where you need to look. You will find some claims of 250 million year old bacteria, but what they mean is spores that have been in a dormant state for 99.99999% of that time, which is really cheating a bit.

But the Siberian actinobacteria that live in permafrost have been shown not only to be 500,000 years old, but also active in DNA repair; there is even some evidence of them metabolising nutrients from their surroundings.

To think of it another way, these individual bacteria have lived in the ice covering the permafrost of Siberia since humans first started to venture out of Africa and move across Europe, eventually spreading ourselves all over the world. These permafrosts are now melting, and as they do these bacteria will die...


The natural world is a crazy place; maybe next time I will tell you about how it is possible for a bumblebee to fly, it puzzled scientists for years!

Enjoy the weekend

DevilWAH

Slipstreaming XP

Today I was upgrading some PCs from Windows 2000 to XP, and 99% of the upgrade I was able to do over the network. The only part where I needed to go out to the PC was due to the network card not getting picked up correctly. While the PC is in the building next door this is not really an issue, but the next block are on some farms a mile or so from the main site.

The system I was using to install is straightforward.

First, copy the i386 folder from a Windows XP CD to a network drive and make it available via a share. The users who will be running the install need read access to this folder.

Second, go into your Group Policy editor and create a new policy called "upgrade XP".

Edit this policy and choose User Configuration --> Software Settings.

Right-click Software Installation and choose New --> Package.

In the box that pops up, browse to the i386 folder on the share and choose the Winnt32.msi file. Click OK.

Now when you log on to a Windows 2000 PC, and either the user or the PC has that GPO applied to them, by going into Add/Remove Programs and then clicking Add New Programs you will see the upgrade-to-XP installation.

But as I said, the big problem is that the default XP CD does not have many network drivers, and many PCs, although they will run the upgrade, will not be able to connect to the network afterwards, requiring you to visit the PCs with a pen drive and a copy of the correct drivers.

Many years ago I remember slipstreaming Office onto an XP CD, and I remember at the time it was a right pain and took me forever to get it working, requiring manual editing of config files and many attempts before I got it to run. But knowing that slipstreaming drivers is possible, I thought I would take a look at how things are now.

All I can say is nLite. This tool has come on massively, and even though it has not been in active development for a while now, it still does everything you need. Whereas before, slipstreaming was copy this there, edit this file, run this, copy that back there......

Now the process is simple.

Install nLite.

Copy your XP installation CD into a folder on the hard drive.

Run nLite and point it to the folder.

Choose what you want to add/remove: drivers, packages, default settings...

Decide if you want to build the bootable ISO image.

Click Go.

Nlite

And it's all done for you...

If you still install from disk and you find yourself having to do the same tidy-ups after every install, slipstreaming is a great method to automate the process.

Now I can upgrade the PCs remotely and they pop back onto the network after a reboot to let me complete the upgrade, which is going to save a few miles of travel 🙂

Old but still useful.

DevilWAH