Friday, November 30, 2007

The Modem Free Generation

Wow, how time does fly. We now have, at least in the US and elsewhere, our first generation of Internet users that have no idea what a real modem sounds like. For these folks, this is the closest they'll ever get to one.

While I'm not as old as the photo above by any means, my first modem was an external U.S. Robotics 2400 bps (generously loaned to me by a friend's father whom I later bought a more affordable Gould 1200 bps modem from), so I suppose, in a way, even I was late to the game.

Sure, with Caller ID we still have modems in our phones (at least until end-to-end SIP can do away with all that) and xDSL is still really a glorified analog modem but they are stealthy. Poll a random nine year old on the street with a modem carrier audio sample or ask if they've ever cursed when they forgot and set ATM2 instead of ATM0 or ATM1 and you'll get a blank look (and probably a scream for mommy to come and take them away from the scary crazy guy though a few smart top-of-their-class nine year olds, just starting their introduction classes to CCIE certification of course, might think I'm talking about this which is at least in the right vein).

I've yet to see an xDSL modem that has a speaker (let alone supports the AT command set) and rarely do I hear the caller ID carrier unless I'm on a really cheap phone and pick up the phone fast enough.

Maybe we can bring it back in vogue by customizing our mobile phone ring tone to sound like the good old days. And, demanding that xDSL modem vendors, add speakers. On other hand, there aren't too many of these around anymore either. And, man, were those things slow.



Wednesday, November 28, 2007

Improving the Snom IP Phone Retrieve Button Functionality

(Otherwise entitled "Getting the Snom Retrieve Button To Work Even When There Are Only Old Messages to Retrieve")

If you use Snom IP phones, you may have discovered, as I recently did, that the Retrieve button doesn't work, at least by default, unless there are new messages in the mailbox. If the user wants to listen to a saved voicemail, they are out of luck and have to dial the special voicemail extension directly. The Retrieve button just sits there and does nada.

This created some confusion in a recent installation since folks learned to use the Retrieve button to access voicemail and then later, after a day or so of use, wanted to listen to voicemails they had saved. :-) Sure, I had set-up an extension to dial the voicemail system directly (intended for when people were out of the office) but it was pretty silly to have two different ways for users to get used to accessing their voicemail, depending only on whether they had new messages or not.

I poked around a bit and the fix was very simple.... In the web management interface go to Setup->Identity X-->Mailbox and set it to your internal mailbox extension.

(As an aside: I am overall pretty happy with the Snom 320 IP phones. Be careful what firmware revisions you are running -- stay away from 7.x unless you know what you are doing and keep things consistent across your installation).

Monday, November 19, 2007

Another Submarine Telecommunications Cable Coming to San Luis Obispo

Over the years I've tried to keep an eye on the in-region activities related to submarine communications cables (and cool map here) . So it's with some interest that I've watched announcements and rumors during the last 18 months or so about several new cable projects. I've been waiting to see official filings to see if any would be added to the pile of cables that already come into San Luis Obispo county. It looks like we've got our first new addition to the area...

A recent California State Lands Commission filing seems to confirm that the backers of the Asia America Gateway Cable Network are serious about proceeding. They have pooled over $500M to build the network and plan to have it live sometime between Q4 2008 and Q1 2009.

The AAG will land in eight Southeast Asian countries before landing at the existing US West Coast AT&T landing station at Montana De Oro, in unincorporated Los Osos (approximately 15 miles outside of San Luis Obispo city). San Luis Obispo county already hosts other Trans-Pacific cable landings, at the same AT&T landing station as well at the Pacific Crossing station in Grover Beach (there are a total of at least six active submarine cables in the area, others are now dormant or very old used solely for research purposes, a bit more info here).

The eight countries, other than the US, where the AAG will have landing points are Malaysia, Singapore, Thailand, Brunei Darussalam, Vietnam, Hong Kong, the Philippines, and Guam. Besides the US West Coast the cable will also make a stop in Hawaii. In total it will span over 20,000 km (approximately 12,400 miles).

While other cables already go to Northern Asia, this will be the first direct submarine cable network between Southeast Asia and the United States. It also is coming online in time for the apparent retirement of two first generation Asia-Pacific cable systems, the APCN and TPC-5 (reference in press releases for the AAG but haven't found a direct source to verify this).

"The AAG is intended to provide an alternative and a more secure link for traffic from the region to the USA. This low risk route was designed to avoid the volatile and hazardous Pacific Ring, thus mitigating the effects from natural disasters like earthquakes and tsunamis, which have previously damaged submarine cable systems, resulting in major disruptions to international Internet links."
AAG appears to be, at first glance, a point-to-point design, rather a (redundant) ring. Though, from the sounds of it, the intention is that existing paths (Northern) on other cable networks will be used to complete the ring for carriers that desire redundancy.

Recently, other near-by Pacific submarine cable networks have also announced upgrades:

Sunday, November 11, 2007

VOIP Troubleshooting With (the free) Wireshark Packet Analyzer

Wireshark is a network protocol analyzer. Some may recognize it by its former name, Ethereal. It's free (and open source), runs on multiple platforms (including Windows and Linux), and actively developed. For those doing VOIP installations or troubleshooting existing installations, the latest release has some very handy VOIP specific support.

It will create visuals representing captured SIP and associated RTP connections. You can drill down by clicking on specific spots on the graph to pull up the associated packet(s). You can generate reports (as well as graph) jitter, bandwidth usage, etc. Various ways of displaying the data to get a better idea of what's really going on.

The screen captures at the beginning of this post are from Wireshark. They show a graph of a VOIP (SIP) call (and a half) between two Snom SIP phones attached to an Asterisk-based PBX (the green/blue/purple image). And an analysis of the associated RTP session (including packet loss, jitter, delay). WS can even playback captured VOIP calls (at least if using PCM/G.711/ulaw).


PCI: It's Alright to Question the Auditors

"It's alright to question your PCI auditor. This isn't about getting out of doing things that really should be done. It's about making sure you aren't unnecessarily wasting money, period. Ask them to justify their findings and recommendations. And seek a second opinion (from another auditor or a security expert) if need be."
A bit back a (then prospective) client came to me while going through a PCI audit. They'd been informed by their auditor (VeriSign in this case) that they needed to segregate off a group of servers. Fair enough. The catch was they were also being told that this needed to be done using a second firewall, in order to be compliant, even though their existing firewall had more than enough interfaces to configure additional distinct security zones. The proposed second firewall would be under the same administrative control and offer no greater granularity in security policy enforcement. In short, it wasn't a terrible idea but it didn't seem very value enhancing either.

The client had an inkling that this shouldn't be necessary. They had further discussions with the auditor to no avail. In the interest of time and manpower, they went ahead and bought another firewall. I was called in later to integrate this and some other changes into their network. One of my first questions was "Why are we doing this?". After hearing a bit more of the background I still felt firm in my conviction that either (a) we weren't getting the entire story and thus even with a second firewall I wasn't sure we were meeting the requirements or (b) there really wasn't sufficient grounds to add a second firewall when the isolation could be done completely adequately on their existing firewall by shifting around the topology a bit to utilize available interfaces and adding some new access rules.

My view was that the assessor had a specific ideal model in mind and wasn't really listening to the arguments given thus far. This was even though those arguments weren't against the server isolation being suggested. The only disagreement was over how to get the end result.

In the interest of time I proceeded with preliminary integration plan development that included the second firewall while recommending a continued push that the auditor needed to justify their recommendation more specifically. Over the course of the next several days, after the client had gotten input from myself including points to bring up and gained additional confidence in their original inkling that the extra firewall was unnecessary, the auditor shifted gears and said implementing the requested isolation on a single firewall was acceptable.

At this point I'd only spent several hours on this project. There was no longer justification for the purchase of a second firewall and the changes required to isolate the servers were far simpler. Even though my client had already purchased the second firewall prior to my involvement, they could now return it, sell it off, re-deploy it elsewhere, use it as a spare, etc.. The expense of engineering and labor for a more complex integration effort was avoided (plus, the long-term costs of having another piece of equipment to maintain, an added failure point, and a more complex topology to troubleshoot).

There are something like one hundred or so assessors that work with the PCI Council to do audits. Each has their own strengths, weaknesses, and agendas. Some are relatively pure-play professional services providers while others sell their own security software and hardware (and, yes, often related to assisting you in gaining PCI compliance). Assessors are allowed to recommend their own services and products as solutions to problems that come up during audits (though they are not supposed to require their use in order to pass). The PCI DSS standard isn't specific -- which is actually a good thing since every environment is different -- so there's much open to interpretation at both the end-user and the auditor level. Finally, all auditors are human and make mistakes as well.

Bottom line: it's alright to question your PCI auditor. This isn't about getting out of doing things that really should be done. It's about making sure you aren't unnecessarily wasting money, period. Ask them to justify their findings and recommendations. And seek a second opinion (from another auditor or a security expert) if need be.


Thursday, November 8, 2007

PCI Revisions, Adding Application Software Requirements

The PCI Security Standards Council announced another building block to set of payment industry security standards. This one covers applications -- specifically those developed and then distributed to third parties -- that handle credit card data. A draft has been released (not publicly) for review. Final release is expected in a few months (Q1 2008). Official press release here. The official FAQ is here.

The new standard (called PA-DSS) is based on Visa's existing best practices for applications which can be found here (scroll down to the bottom and you'll find a link to the document or just click here). Thus, even though the new standard isn't released, one can get a preview by reading through that document.

Some more coverage here and here.

Key Points:

  • Does not apply to internally developed applications by merchants (but these are subject to PCI DSS still)
  • Based on existing Visa "Payment Application Best Practices"
  • Will be publicly released in Q1 2008
(I would also anticipate that a future revision of this standard, or a similar counterpart, will come out covering in-house applications).


Tuesday, November 6, 2007

177 Megawatt Solar Project in SLO County Announced

PG&E and Ausra just announced a 177 megawatt solar thermal power plant in San Luis Obispo County. It will cover one square mile (640 acres) near the Carrizo Plain. Nifty!

The local paper has a good article here. It will be built on private land. Other coverage here, and elsewhere.

Ausra projects that the power plant will create over 350 skilled jobs on-site during construction, and an additional 100 permanent jobs in the area. The plant will burn no fuel, use minimal water, and have no air or water emissions.
The CPUC application and related documents are here and here.

It sounds like the deciding factor as to the location was the similar to what come up when deciding where to build a data center. You can build one in all sorts of places, but proximity to {major fiber routes, transmission lines} can be a deciding factor because it determines whether the project will have a reasonable cost and ultimately be a success.
John O’Donnell, executive vice president of Ausra, said the site identified for the plant, north of Highway 58, is ideal for the project.

“In developing large solar power plants, the biggest problem is not finding the sun or the land, but finding a place where you can transmit the power,’’ O’Donnell said. “And one of the real shaping things in serving PG&E is looking at the California electric grid and for places where we could put power into the grid. The Carrizo Plain is a major transmission line. That was one of the biggest drivers.’’


Although these agreements dwarf the deal with Ausra, New Energy Finance analyst Nathaniel Bullard said that Ausra is well-positioned.

Other solar thermal energy projects such as Solel’s Mojave Solar Park, to be constructed in California’s Mojave Desert, will be far away from populated areas and the electric grid. Ausra’s plant, to be located about ten miles north of Carrizo Plain National Monument, may get less sun than the Mojave Desert, but it will be directly under a PG&E transmission line, O’Donnell said.

Ausra’s proposed plant will only need “850 feet to connect,” said Bullard. They’ll be able to “tap right into the electric grid. It’s a lot less expensive and it speeds up the process.”

The high cost of the feeder and trunk lines required to connect to the grid from a long distance are often well outside of a smaller developer’s range.


Monday, November 5, 2007

Thinking In Percentages Not Absolutes (Investing)

Question: Which hurts your investment portfolio value the most?

  • You own $10,000 worth of a mutual fund representing the Nasdaq Composite index. The Nasdaq Composite, which opened at 2,795, drops by 200 points by the time the market closes today. Headlines scream about a large market loss.
  • You own $10,000 worth of stock in a company, which opened at $8.00/share and falls to $7.20/share by the time the market closes today.
Choose your answer. In the next day or so I'll post my answer, an explanation, and why I highlighted this scenario.

Friday, November 2, 2007

Web Form Silliness and Inefficiency

Why o' why do I continue to come across web forms that ask for my phone number, in a free form field, that then error if I enter dashes ("805-555-1212") because they require re-input without any dashes ("8055551212"). Isn't this the age of computers? Can't we be bothered to write the extra line of code to let humans input the data in the way most familiar with them? Can't we store the data generically and process it as appropriate for input/display? Aren't computers supposed to make data management easier? Wouldn't allowing the human to enter the data in a more familiar way reduce typos and errors?

The latest culprit was

Do any of YOUR web forms do this? Check now before you say no. :)

P.S. And, while I'm on the topic, why do we even bother asking for the state if we've already got the zip code? Heck, ask for the zip first and auto fill-in the city field too (I realize zip code to city mapping is sometimes erroneous, that's why I suggested just auto-filling the field, so the user still has the ability to edit it, on that one). Can't this all be looked up automatically? There are database downloads, web services, and CD-ROMs that make this information available, right? Why make it harder for people to do business with you? Why increase the chance of data errors?