Monthly Archive: October 2004



Politics 29 Oct 2004 10:33 am

Why not to vote for Bush - V

From the Orange County Weekly:

Campaigning in 2000, Bush warned that Al Gore would “throw the budget out of balance.” In the past four years, Bush and a GOP Congress blew a 10-year budget surplus once estimated at $5.6 trillion, leaving us with an estimated $5 trillion deficit. According to the Office of Management and Budget, this year’s deficit will run about $445 billion.

Geek 28 Oct 2004 02:34 pm

Wish list

With all this talk of podcasting, and this huge amount of (mostly amateur-like) audio and video content becoming available in a convenient format to the whole world, I was thinking about something that I would very much like to have: a way to access radio and TV content generated anywhere in the world, over the Internet, from anywhere in the world. For example, I would love to subscribe, podcast-like, to a feed containing the local nightly news from where I used to live; or to some US shows that are not available outside the US (my SO likes the NBC “Today Show”, for example; I think more along the lines of TechTV); or UK shows, for that matter.

This is possible for some types of content, but not most. For example, I can subscribe to several NPR programs through Audible (I wonder if that sells well…). And it would be useful even for content that is locally available, but inconveniently packaged. I can get the “Tonight Show with Jay Leno” here, but only if I subscribe to Foxtel Cable and get a bunch of channels I couldn’t care less about.

I can get a fair amount of this using bit-torrent and other P2P tools; mostly anything that is popular enough is out there. But this is not a very structured way to get content, and it’s not exactly legal; I’d be willing to pay reasonably well for this kind of service.

I think what I have in mind is a sort of globally-connected Tivo, getting content from anywhere, at any time, for my viewing convenience. I guess we’re headed that way, and will get there eventually; but first we’ll have to wade through a maze of twisty little licensing agreements, all different…

Tech 28 Oct 2004 02:13 pm

DHCP+firewall frustration, final

This is how the story ends: our reseller sent us a new release of the software for the firewall (not an official release, though); we installed it, and everything suddenly worked. So, it was actually a bug, and (surprisingly) we got a fix from Cisco in just a few days. And now everyone is happy, and a firewall is going to be installed as planned.

Politics 28 Oct 2004 09:40 am

Why not to vote for Bush - IV

The George W. Bush campaign website is not accessible from outside the USA; do they have something to hide from foreigners? If, like me, you are in some other country, you can access their site via this US-based anonymizer.

Ok, that’s not a very strong reason not to vote for him. So, here goes a better one: in another example of the Bush administration’s view of science, despite objections from the staff of the Centers for Disease Control, information suggesting a link between abortion and breast cancer was posted on the National Cancer Institute website by Bush administration officials. Scientific studies have long refuted such a link. After The New York Times reported the story, the information was taken down. Source: The New York Times, Jan. 6, 2003

Politics 27 Oct 2004 09:15 am

Why not to vote for Bush - III

This excerpt from an article in the New York Times needs no comments:

In the Oval Office in December 2002, the president met with a few ranking senators and members of the House, both Republicans and Democrats. In those days, there were high hopes that the United States-sponsored “road map” for the Israelis and Palestinians would be a pathway to peace, and the discussion that wintry day was, in part, about countries providing peacekeeping forces in the region. The problem, everyone agreed, was that a number of European countries, like France and Germany, had armies that were not trusted by either the Israelis or Palestinians. One congressman - the Hungarian-born Tom Lantos, a Democrat from California and the only Holocaust survivor in Congress - mentioned that the Scandinavian countries were viewed more positively. Lantos went on to describe for the president how the Swedish Army might be an ideal candidate to anchor a small peacekeeping force on the West Bank and the Gaza Strip. Sweden has a well-trained force of about 25,000. The president looked at him appraisingly, several people in the room recall.

“I don’t know why you’re talking about Sweden,” Bush said. “They’re the neutral one. They don’t have an army.”

Lantos paused, a little shocked, and offered a gentlemanly reply: “Mr. President, you may have thought that I said Switzerland. They’re the ones that are historically neutral, without an army.” Then Lantos mentioned, in a gracious aside, that the Swiss do have a tough national guard to protect the country in the event of invasion.

Bush held to his view. “No, no, it’s Sweden that has no army.”

The room went silent, until someone changed the subject.

Read the full article here (on the NY Times website, it’s only available for a fee).

Tech 26 Oct 2004 02:35 pm

DHCP+firewall frustration II

Just for the record, putting a DHCP server behind the firewall did work, as, of course, we did not have DHCP packets crossing the firewall anymore. That is, until we added a second VLAN behind the firewall. With more than one VLAN, we need either (a) to have a DHCP server on each VLAN, or (b) to have interfaces on each VLAN on the same DHCP server, or (c) to relay requests across the firewall. (a) or (b) are fine as long as you don’t have many VLANs, but we do. (c) is perfect, but then we go back to the same issue, which is dhcprelay not working.

The last update from our reseller (and support provider) is that the recommended version is no longer x.x(x.1) but x.x(x.16), and that they’re still waiting for Cisco to release it. I’ll let you know how it goes…

Politics 26 Oct 2004 09:22 am

Why not to vote for Bush - II

While claiming to be committed to improving security in airplanes and airports (often with the use of intrusive and humiliating measures, such as secret no-fly lists and “special” handling of “suspicious” passengers), the White House has proposed a 12.6 percent reduction in the Federal Aviation Administration’s budget for the purchase of new air-traffic-control equipment.
The full story is in The Miami Herald (registration required).

Politics 25 Oct 2004 01:51 pm

Why not to vote for Bush - I

I’ll go completely out of character here for a while, but it’s for a good and important cause. From today till election day (Nov 2nd), I’ll be doing a daily post on reasons not to vote for Bush. I know I’m probably preaching to the converted here but, if there’s a chance of having some effect, it’s worth trying.

Today’s reason: U.S. Campaigns for Treaty to Ban Use of Embryo Stem Cells (registration required to read this story). Basically, the Bush administration is pressuring the UN to set up a global treaty banning any therapeutical human cloning, including embryonic stem cell research. Well, I guess that’s a way to make sure the US is not left behind in this branch of science by countries without its religion-based policies…

Tech 20 Oct 2004 05:53 pm

DHCP+firewall frustration

So, take a firewall module for a large switch made by a five-letter manufacturer that shall not be named (on the other hand, why not? naming it will help people Googling for it. It’s Cisco). Start to plan and test a migration path for all the equipment you already have, so that you end up with everything behind the firewall. Obviously, you don’t want to move everything on the same day.

Next, add to the mix a DHCP server that provides IP addresses to most things on the net, according to a set of rules (each MAC address is allocated the same IP address every time). This server, like everything else, is on the “outside” of the firewall.

Then, just to make sure that you did things right and that you can get traffic to flow across the firewall, you move one PC to the “inside” and try to make it talk to the net. It won’t, because it can’t get an IP address from the DHCP server. You enable “dhcprelay” just as the manual tells you to, correcting for some syntax errors in the examples in the manual, and it still won’t work. So you give the PC a fixed address and try again. Still no go.

After some tweaking with routes and OSPF configuration, voilà, it works! Pings go through, DNS works, even web browsing. So, ok, let’s try DHCP again. But, still nothing. Read manuals, tweak things, read some more. Still nothing. Look at the server, it sees the requests. Turn debug on in the firewall, it claims to be forwarding the replies to the PC. But the PC never sees them.

Ok, let’s bring the big guns out. Mirror a switch port, start ethereal, and look at the network traffic. Ok, there goes a DHCPDISCOVER, but where is the DHCPOFFER? Hmm, and what is this ARP request doing here? The firewall is sending an ARP request to the “inside” network asking who has A.B.C.D, where A.B.C.D is the address of the default gateway for the firewall. Can you see what is wrong with this? Two things: one, the default gateway is in the “outside” network; two, why does it need to ARP the gateway to forward a DHCPOFFER packet? It’s not even addressed to an IP address!

So, quick experiment: take the default route out, and try again. And it works!

Where are we, then? DHCP relaying works, as long as there is no default route set. If a default route is set, the firewall seems to try to do the right thing, but it does it in the wrong way. Seriously wrong.

Time to get support, then. We contact our provider, tell them about the issue and, after a few e-mails back and forth, they seem to understand the problem. The next day they report back saying that there is a confirmed bug that seems to match our situation. The description of the bug is “DHCP relay does not work in customer setting, not reproducible in the lab”. No mention of interaction with default routes. And the software versions in which the bug is confirmed do not match ours. But they do recommend an upgrade to a version that is 0.0.0.1 higher than ours. Ok, we’ll give it a shot. Go to cisco.com, locate the software for the firewall module and, surprise surprise, the latest version available is the one we’re running; the one they recommended is not available.

Another contact with support later, we find out that the version is indeed not available, and they don’t know when it will be. Well, isn’t that great?

In short: dhcprelay does not seem to work in Cisco firewall modules when a default route is set. A bug fix may or may not exist, but we will only know for sure when Cisco decides to release the new version of the software.

If anyone knows of anything related to this issue, please let me know. Meanwhile, I’ll be setting up a new DHCP server inside the firewall.
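The capture analysis described in this post can be scripted. The following is an added example, not part of the original post and not Cisco tooling: it pairs DHCPDISCOVERs with DHCPOFFERs by transaction id and flags ARP requests on the "inside" segment for addresses that cannot be on that segment. The record layout, function names and documentation-range addresses (standing in for A.B.C.D) are assumptions.

```python
import ipaddress

# Constructed summary of frames seen on the mirrored "inside" port (not real
# traffic). Documentation-range addresses stand in for the post's A.B.C.D.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
PC, FW = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
CAPTURE = [
    {"t": 0.00, "kind": "DISCOVER", "xid": 0x1A2B, "mac": PC},
    {"t": 0.01, "kind": "ARP", "target": "198.51.100.1", "mac": FW},
    {"t": 4.00, "kind": "DISCOVER", "xid": 0x1A2B, "mac": PC},      # client retry
    {"t": 4.01, "kind": "ARP", "target": "198.51.100.1", "mac": FW},
    {"t": 9.00, "kind": "DISCOVER", "xid": 0x3C4D, "mac": PC},      # default route removed
    {"t": 9.02, "kind": "OFFER", "xid": 0x3C4D, "mac": FW},
    {"t": 9.50, "kind": "ARP", "target": "192.0.2.10", "mac": FW},  # normal on-link ARP
]

def unanswered_discovers(frames):
    """Transaction ids (xid) that were DISCOVERed but never OFFERed."""
    offered = {f["xid"] for f in frames if f["kind"] == "OFFER"}
    seen = []
    for f in frames:
        if f["kind"] == "DISCOVER" and f["xid"] not in offered and f["xid"] not in seen:
            seen.append(f["xid"])
    return seen

def off_link_arps(frames, segment):
    """ARP who-has frames whose target address is outside this segment's subnet."""
    return [f for f in frames
            if f["kind"] == "ARP" and ipaddress.ip_address(f["target"]) not in segment]

def diagnose(frames, segment, window=1.0):
    """Map each unanswered xid to off-link ARP targets seen just after its DISCOVERs."""
    stuck = unanswered_discovers(frames)
    bad_arps = off_link_arps(frames, segment)
    report = {}
    for f in frames:
        if f["kind"] == "DISCOVER" and f["xid"] in stuck:
            hits = {a["target"] for a in bad_arps if 0 <= a["t"] - f["t"] <= window}
            report.setdefault(f["xid"], set()).update(hits)
    return report

if __name__ == "__main__":
    for xid, targets in diagnose(CAPTURE, INSIDE_NET).items():
        print(f"xid {xid:#06x}: no OFFER; off-link ARP for {sorted(targets)}")
```
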

Tech 15 Oct 2004 01:06 pm

Google Desktop Search

I wonder if I’m the only person who was disappointed by the new Google Desktop Search that was unveiled yesterday…

The basic idea is great: a desktop mini-application that will allow you to search your own local data with the same completeness we all came to expect from Google. The initial description of the tool is great, as well: search documents, IM chats, e-mails, and even web pages you have visited, even if they’ve changed since then.

The implementation, though, still leaves something to be desired: it will only search pages visited with Internet Explorer (come on, even CERT is telling people not to use IE), e-mails received with Outlook, IM chats on AIM, and MS Office documents (granted, it will search images and plain-text documents as well). And, obviously, it only works on Windows.

Ok, that will be enough for the vast majority of computer users out there. But not for most geeks. I expected more from Google… (well, it’s still beta, and they say they’re “considering” supporting Firefox more thoroughly, so there’s still hope).

Geek 08 Oct 2004 02:39 pm

Stallman

Richard Stallman was here in the University today, and I attended his talk on the danger of software idea patents. He’s certainly quite persuasive, and it was a very good talk; sobering, I would say. Despite the jokes every now and then during the talk, this is no laughing matter, and is something that Australians should be worried about (not only software developers; users stand to lose as much as developers and researchers in this issue).

When asked, Stallman mentioned Brazil and India as examples of countries with no software idea patents, but he said it was very hard to say whether they get any economic benefit out of it, at least in the short term. But, as he also mentioned, this is not simply an economic issue.

I believe someone recorded the audio of this talk; if it gets published and I find it anywhere, I’ll post a link to it.

And, lacking that for now, to celebrate the occasion and to open my “podcasting” channel, here goes Richard Stallman singing the Free Software Song. If you have an enclosures-aware aggregator (or an iPodder-like software), this should be downloaded automatically.