Getting home in 2009

I can sit in a club and decide I want to go home. I can pull out my mobile phone from my pocket, visit a certain website and book a taxi home. I receive a text message when my taxi is near, then stand outside and hop in. This clever use of basic-for-2009 technologies impresses me somewhat. This is what technology should be about!
It may cost a bit more than trying to hail a black cab, but I really appreciate the freedom of paying a couple of quid more for a near-enough chauffeur service. And of course, it avoids having to take a night bus.

Catalyst 6500 Supervisor 32 modular software

I’m on my way back from a few days in Milan, setting up a network for one of our customers. Standard equipment – a pair of Cat6504Es, some ASAs, a couple of ACE4710 load balancers.
As usual with anything I haven’t used before, problems occur. The biggest and most infuriating wasn’t the failed Sup32 (which was eventually replaced by Cisco after quite some work on our supplier’s behalf), but the fact I couldn’t get the Sup32 to boot from the image I’d downloaded.
Here’s what happened – each time I booted, the boot image loaded and spewed the following:
MAC based EOBC installed
Waiting (slot 1) for supervisor to come online in other slot. iteration
= 0

Next Retry will be done after 6 seconds
This repeated for what seemed like an eternity, then the Supervisor crashed and rebooted.
What fixed it? It turns out I had a modular image copied in to flash, not installed. That's not amazingly obvious, especially as the modular image has -mz in its name, and the image I wanted has -jz.
See this article on Cisco IOS Software Modularity on for more information.

Antivirus and Encryption

Like many highly computer literate sons, my parents occasionally call on me to fix their computer.  This can be anything from “I turned it off and it won’t boot up again” meaning “The hard disk has failed”, to “I can’t get my email, it comes up with a certificate error”, meaning I’ve forgotten to renew the SSL certificate on my mail server.
This week, my father send me a text message to say neither he nor my mother could receive email – but they could send it fine.  I didn’t see any attempts from them to connect in my mail server’s log files, and they said they didn’t see any error messages.
This morning, I found some time to ask my mother to set up a reverse VNC connection to my desktop at home (I can’t remember what people did before VNC – maybe we installed pcAnywhere, or maybe we hopped on a car or train).
Here’s the key piece of information that was missing that I found out this morning – “We installed Kaspersky and email stopped”. D’oh! That piece of information is really important – I did something, and something else happened.
Further investigation showed that my parents installed Kaspersky as Barclays on-line banking suggested it, but then they uninstalled that, and installed AVG, but still couldn’t get email.
What caused the problem? It’s quite straightforward. POP3 doesn’t attempt any form of encryption at all, so I force people to use TLS when picking up mail from my server. It stops the very small risk of somebody finding out an email password by capturing packets, but it also encrypts all the messages being downloaded. I use SSL certificates from CACert which they provide free, and the whole system works better than self-signed certificates, but not quite as well as a full-bodied certificate from a widely-recognised CA.
AVG and Kaspersky intercept outgoing POP3 traffic, if asked, and scan it. They do this by proxying connections through their software, which can’t understand the TLS connections and so waits patiently rather than throwing up an error. The result is the mail client does nothing – no errors and no timeouts. A software stalemate.
This started me thinking – how long before encryption becomes a widespread way for malware starts to use SSL connections to bypass network-based antivirus services? You can’t disable encryption as it’s a form of security, but it’s also a form of stealth. One encrypted TCP connection looks just like the other, and there’s simply no efficient way to scan apart from right at the very edge.

Adventures with 64-bit

I had a pair of 500Gb Seagate drives.  They served me well for a couple of years, but they’ve been getting steadily closer to the dreaded 100% full mark over the last six months.
To celebrate the release of Ubuntu 9.10, I treated myself to a pair of shiny new Seagate ST31500341AS drives. Popped them in to my machine, fired up the 64-bit Ubuntu installer and… wow – my machine is much much faster.
Now I need to get to grips with all the little gotchas of running a 64-bit desktop, such as Google Gears and Flash requiring some fun and games to work properly.

Scott Capurro

I was lucky enough to be invited to the Royal Vauxhall Tavern tonight to see Scott Capurro with Vix and Alan.
Scott is hilarious – I think I’ve laughed myself hoarse.
I didn’t think I’d end up spending my Thursday evening in a sing-along with Heather Small, or listening to how Alan Davies bit a vagrant’s ear whilst insanely drunk after a wake.
Also, minor news – I have Ubuntu 9.10, but I’m going to reinstall my desktop machine on to a pair of 1Tb drives – I need the extra space.

Ubuntu 9.10

I took the plunge and upgraded from Ubuntu 9.04 to Ubuntu 9.10 on my work laptop. The process was incredibly smooth, and there’s not much to it apart from that.  I’m crossing my fingers and hoping the dbus problems with 3G dongle PPP connections have gone away.
I am waiting for some free time at the weekend and a pair of 1Tb hard drives before I take the plunge and install the 64-bit version on my desktop at home.

Cisco IOS 15.0(1)M

I am never one to fear something new – except perhaps a new release of a JVM.
Some weeks ago, I decided it would be a good idea to upgrade one of my home routers to IOS 15.0(1)M – seeing as I paid enough for a maintenance contract, I’m entitled.  Ever since that day, I’ve been unable to ssh to the router with an access-class applied to the VTY lines.  Every time, it refuses my connection, but allows it without an access-class.
This morning, I stumbled upon the answer – put ‘vrf-also’ at the end of the access-class line: access-class 99 in vrf-also. This only matters if you’re running VRF Lite, as I am, because I have a separate firewall and ‘clean’ and ‘dirty’ VRFs.
Never fear something that’s new – expect breakage, and expect to learn.