Just an update for those who have assured me that the Prius “would never last” or “would blow up” or whatever.

138,000 miles and counting, doubters, and finally I have had to put on new brakes.  Remember the regenerative braking?  All that stopping power has just gone into the generator.  Hence, the pads don’t get used until about 15 MPH.  also, some people have told me that the battery would start failing long before now and my mileage would tank.  Right now, in 70-degree Minnesota weather (what’s passing for summer this year), I’m showing 52.4 MPG pretty consistently in my normal driving cycle.  That’s even better than my motorcycle.

So, as the sticker in my back window shows, “Eat My Voltage.”

Several people have asked me to describe how I would go about building a sensible home network that would be highly functional, inexpensive, and teach them a bunch about networking technologies while they did it.  Since this is a very do-able project and has several real benefits, I’ve decided to take it on.  So I’ll be writing a few posts to walk you through the process; it’s easier than you might think but of course it can always be made easier, and I’ll try to do that.

What I’ll describe is modular — you can do all of it, or a part of it, depending on your interests.  This isn’t the easiest way to bring the Internet into your home, because I’m assuming that you’ld like to learn how things really work.  But follow this through, and you’ll end up with an industrial-strength bastioned netowrk that looks like it belongs in a company.  And, it’ll be (relatively) cheap.  And I promise, (relatively) easy.

We’ll be using almost exclusively open-source software, relatively generic PCs of whatever vintage you can afford, and some cheap networking components like switches from Best Buy or whoever.  You’ll be running things like Ubuntu Linux, an Astaro firewall, the famous Apache web server (which powers over half the websites on the Internet), the Postfix mail server, and the Bind DNS server.  Cool stuff!

Why do this?  Here’s what the typical “home network” looks like, out of the box:

Not very exciting, nor capable, and actually not very secure as the “firewall” generally blocks incoming traffic but allows rather promiscuous outgoing connections, thus restricting almost nothing, and has no attack detection and prevention beyond blocking “ping of death” and the like attacks.  Plus, of course, the router / AP / firewall is also handling DHCP, DNS caching, and all manner of other things, so if it gets penetrated, everything’s there, you’re toast.

What things will look like when we’re through with our efforts will be like this:

The key here is that the Serious Firewall Gateway will really let you get granuar about which machines in your network get to do what, and to mount some industrial-strength penetration-protection, and by having a DMZ port on that machine you can separate the Internet-facing machine, your web server and mail server, from your internal network.

And on the logical inside, you can have a small server supporting shared files, a caching DNS server, DHCP, shared printing, and whatever else suits your fancy.

Hardware

You will have to buy a few things.  There are three PCs, plus one or two little Linksys or whatever 4-port switches, and some wire.  The switch might also be your access point (AP) for the wireless access.  The modem will be furnished by your ISP.

The PCs need not be particularly powerful or have double-oodles of disk space, necessarily.  Relatively generic grey boxes will do, I’ve used Compaq Penium 3s and Dell Pentium 4s with clock speeds ranging from 700 MHz to 2.8 GHz.  The biggest disks should go on the shared-file server, the fastest machine should be the firewall machine, and hte web / mail server can be surprisingly light.  All this stuff is available on eBay or from the Dell factory store.  Newer desktop PCs in the $500 price range work just fine.  If you can spring for a real server with RAID-5 and so on, how much the better.  But they’re not all that necessary.

A Domain Name

Before you do anything else, get yourself a domain name, like joedoaks.com or the like.  Register it through GoDaddy, very straightforward and $10 / year.  For a setup like this, you deserve your own domain!

What you should already know and have

I’m kind of assuming you already know a little about TCP/IP, DNS, and the rudiments of Internet technology.  But part of this exercise is to help you learn more, so just brief yourself on the basics and you’ll be ready to go.  So, you probably have your personal PC and some way to connect to the Internet.  The first thing we’ll do is build a better firewall, so go shopping for that machine first.  This machine needs to be fairly fast, have as much memory as you can afford, but probably doesn’t need more than 30 GB of disk space.  AND, importantly, it needs to have expansion slots where you can put in two more LAN cards, this is a must.

More in the next installment, where we’ll build the firewall on this machine.

I’ve written a series on Internet malware (see the tags), during which I’ve gotten progressively more pessimistic about the state of the Internet as regards increasingly aggressive malware infections. I’m concluding that people aren’t worried enough about what their computer is up to behind their back. But now I want to spend a moment debunking at the other end of the scale — the currently received wisdom that our kids are at the mercy of Internet-based pedophiles, molesters, rapists, and kidnappers. If you have a short attention span, here’s the answer: they aren’t in any such danger, and they’re skillful enough to defend themselves from these vermin with no difficulty.

Now, part of the reason for this is that today’s younger generation, and I’m talking about kids from 10 to young adults of 25 or so, have an Internet-mediated life that is unbelievably rich and varied, and which they control and manage with considerable skill. If you’re a parent, and you email, fine, but they are light-years ahead of you. They consider email rather dull and lifeless; they text-message with their camera cell phones, they user services like Twitter to broadcast what they’re up to, they forward pictures back and forth from computer to cell phone and back, they have websites and (more importantly) FaceBook sites, they instant message with each other from a variety of devices . . . the list goes on and is actually evolving and expanding as we sit here. And you, who think email is pretty exciting, are going to be able to assess risk for them, and control the situation? Do you Tweet? Come back and see me when you do.

Are they going to be willing to give this rich social environment up because there are a few creeps out there? They are not. At the upper end of this age spectrum, these facilities help kids keep in touch when they go off to college, and then when they graduate, as they again disperse to go find jobs. These kids are keeping in touch on a daily basis, around the world, around the clock, and they love it. At the bottom end, 10 and 11-year-olds far from retreating into their computers, are richening their social environment via the Internet as we used to do, in the days of the ancients, by telephone after school. But they keep it up at their brother’s sports practices, while shopping with their parents, and even right in movies.  They’re glued into multiple social contexts and they shift back and forth instantly.

And at all ages, they experiment with their “selves.”  Here in meatspace, where we are only who we are, we can’t escape ourselves.  But online, kids can, if they’re clever, reinvent themselves — kids make themselves older, or boys try being girls and vice-versa, or pretend to be very much cooler than they are, convince others that they’re really braniacs interested in chess . . .  without having to really be that, or carry it off in real life.  What’s so bad about that?  Just another kind of growing up, I would say.

I think most studies have shown that kids who run off and meet unknown people they’ve come in contact with over the Internet are kids who are already engaging in risky or even self-destructive behavior in real life — the real world drives their Internet bahavior, not the other way around.

So buck up.  Basically, until you are enrolled in Twitter, it’s your kids who are going to be protecting YOU online.

The Russian bear comes roaring back, 15 years after the collapse of the Soviet Union, with an unprovoked attack on the Republic of Georgia to ostensibly look after the interests of the ethnic Russian population of the province of South Ossetia.  This is a conflict that has been brewing since the demise of the USSR, as Georgia has attempted to forge links with Europe and to follow a democratic path to an open, westernized society.  Unfortunately, the Russians still find that kind of thinking unacceptable and decided to act.

And, the worst part is, we can’t do anythinig at all about it, thanks to our misguided advernturism in Iran and Iraq.  Our military is stretched to the breaking point in those two wars, we’re out of money, and — worst of all — the Bush Administration has squandered our moral authority to even decry their little war.  After all, if we can just go and attack a country because we’re wheezed off at their leader and his ideas, why can’t the Russians do the same to a country that borders them?  They’re just imitating us, we who “won” the Cold War.

What have we become, but the old-style Imperialists that the Communists always decried?  Cheny and his henchmen believe that because we won, and because of 9/11, and for whatever other reasons they choose to use, there is some kind of “new reality” that allows these things.  Now, in a most unpleasant manner, we have been introduced to the new reality.

As Pogo the Possum once said, “we have met the enemy and he is us.”  Or, the old saying “power corrupts, and absolute power corrupts absolutely.”

Well, well, well.  Senator Ted Stevens of Alaska, a 40-year veteran of Washington and a Republican anchor in Congress, is caught taking $250,000 in gifts from oil magnates and not disclosing them to the public.  This is Ted “Bridge to Nowhere” Stevens, who prided himself as “the meanest man in Congress,” who once said “a vote against this bill is a vote against Ted Stevens, and I won’t forget it,” and who personalized political disagreements to a level that even Richard Nixon would have found stunning.

This is also Ted “the Internet is a series of tubes” Stevens, who tried, on behalf of cable companies, to give ISPs the right to differentially charge content providers to have access to the ISP’s customers.  This is, of course, an attempted body-blow to the whole concept of net neutrality.  I have always wondered if the cable and phone companies were supporting his campaign; now I wonder how much they just gave him in cash.  Not only does he sell out his constituents for cash, he is willing to bargain away the entire Internet and it’s users, to enrichen himself.  And he’s in his 80s — for gosh sakes how much money does he need?

Over the next few years the whole operating structure of the Internet is going to come under tremendous pressure as various players attempt to monetize it to their own gain, and this particular version of Net Neutrality is just one approach.  Several companies are developing technology to allow ISPs — just the transport guys — to intercept your traffic, profile you, and use that profile to serve interstitial and replacement ads on the pages you request.  And there will be other schemes, the potential amount of money to be made (according to their calculations) is too much to resist.  Unless everybody keeps their eyes open, the Internet of 5 years from now will be a very different place.

For the last month or so I have been dealing with my Father’s final illness and ultimate passing away. At 91, he broke his hip, had it fixed, but ultimately succumbed to the aftereffects of the operation. We will miss him, but his body was very run-down and it was just his time. OK now, during this time he was in the ER twice, on a floor for a week while they adjusted his blood chemistry, had the hip replacement operation, back on the floor for a week of recovery, and 3 days in what was hoped to be a rehab situation, before he died. As is the case with our current health-care cost allocation approach, for him this was covered mainly by Medicare. It was excellent, high-tech care proving we really know how to take care of the acutely ill, especially the elderly. So far, so good.

The next situation is a little different. My daughter Sarah graduates from college in May, and with her graduation she is dropped from our health insurance, which comes through my wife’s work. We can continue to cover her through that policy, but at a relatively large cost, and that cost is large enough that it can only be seen as a considered disincentive to continue it. We can of course get other coverage, and at a considerably lower cost, but also with lower benefits.

But it brings right up to your own doorstep the issue of how your own kids can drop right out of the safety net with no problem. Why should her ability to be able to afford regular health care be dependent on where somebody works? When she graduates from college, is she no longer worth coverage? Why, for that matter, should her health care be dependent on what some company is willing to provide for? I mean, what if she has such high deductibles that a significant accident or illness would bankrupt her, but that’s all she could afford on her earnings? It’s not like she would be too stupid to bother with health insurance. Is this some kind of perverse incentive to force her to get a better job?

Then, in a recent article in Slate, there’s a very good discussion of our distorted focus on certain very low-probability causes of cancers to the exclusion of a focus on common, low-tech ways to dramatically reduce cancers in the public at large. For example, we obsess about asbestos, DES, and cell phones as cancer-o-gens, but ignore human papilloma virus immunization, aflatoxin exposure, or exposure to UV-A which are all vastly worse. Worse, we have had public fights where religious zealots demand that the government NOT immunize their children against HPV, apparently on the theory that to protect them from cervical cancer is to thwart the Will of the Lord God Almighty if they should misbehave and thereby pick up HPV.

Finally, in a complete abrogation of the concept of shared risk insurance, some especially greedy health insurance providers have set up a scheme to remove people who have MS, cancer, or some other diseases that have very expensive medicines from the pool of prescription coverage and charge them ruinous rates for their drugs, many of which literally keep them alive. I on the other hand, get my blood-pressure medicine for nothing — that is, zero — through my wife’s plan. Isn’t this what insurance is supposed to do, spread the risk to everyone? Couldn’t I pay $5 more for mine, so these people wouldn’t have to pay $3,500 per month just to live? Why don’t the insurance companies adjust their rates and just get down to covering people for whatever goes wrong with them?

And the penalties for a mistake are horrendous — miss a day of coverage (after graduation, say) fall down and rupture your spleen, and instant financial ruin. And the benefit of this coverage gap being allowed to happen is . . . what? Who benefits but the insurance companies?

So, seems like kind of a dislocated system. Some people are lucky to have great coverage, some have trouble getting any, there can be inadvertent gaps, and the net-net cost can range from near-zero to bankruptcy, and the difference is almost random — who you work for, whether their carrier has a good plan (and whether the employer chose to offer it), and whether you guessed right and chose the right level of coverage for whatever ultimately befell you. Ditto for this business of “health savings accounts” which assume that you as an individual can somehow predict your medical costs for the year. If skilled professionals at the insurance companies can’t do this successfully for large pools of people, how am I supposed to do so for my own family? What secret skill would save me when I do this? Me, or some delivery-truck driver, or anybody?

Doesn’t really seem to make much sense.

It’s happened in the past, and it’s happening right now: a new technology is undermining an existing business model, and the victims don’t even understand what’s happening. The Recording Industry Giants, lead by the RIAA, are frantico-comically filing lawsuits against individual music downloaders, who they hold responsible for the decline in their music sales. But the real threat to their business is coming from a completely different direction, and here’s a great example.

First of all, if you want to understand the economics of the recording industry through the eyes of a successful recording artist, I would recommend the article “Courtney Love Does the Math.” What you will discover is that the artist gets essentially nothing from CD sales — their only source of income in reality is through touring, and even then the label gets a big slice of everything including even the t-shirts. So when the RIAA beats their breast and brays that they’re just defending the poor lowly artists, that’s drivel. They’re defending the record labels’ income from CD sales, of which the artist gets, as Courtney points out, essentially nothing.

I have also heard this from Jim McGuinn of the Byrds: that after all their million-selling songs, and their platinum albums, he gets “sometimes $2 or $3 a month in royalties” from them. (Sidebar: under the guidance of his spiritual adviser, Jim has changed his name and is now known as Roger McGuinn, but it’s the same guy).

Anyway, here’s why the current Recording Industry, and their enforcement goon squad the RIAA, are doomed, and it has nothing to do with music downloading.

In July 2007, The Artist Now Known Again As Prince issued an album “Planet Earth,” and in the UK, instead of selling it in record stores, he gave it away as an insert in the Daily Mail newspaper. Yes, gave it away. Free. As a result of this, the Daily Mail sold 600,000 more copies of their paper that day (above a baseline circulation of about 2,400,000 copies). OK, good news (so to speak) for them .

Prince, for his part, got from the Daily Mail a payment of $500,000. Now, that’s a goodly amount of money, but the key to this is that it represents about eight times the expected royalties from the album, if it had been sold it in regular record stores over a period of years. And this money didn’t involve the whole existing chain of studios and their captive promotion schemes that end up vacuuming up all the proceeds before the artists see a single nickel. So, money from the music consumers to the artist, directly. Well, via the Daily Mail, but without the whole rest of the industry.

Now you might point out that this is an exceptional case — that Prince is a star artist with a loyal following, and that he has his own recording and production studio, so he needs nothing that the labels anyway, but that same formula doesn’t hold for the vast majority of the artists — and to a great degree you are right. Prince is an exception. But — to the studios — this is an ominous trend, a crack in their dam. Prince has found a way to bypass the current stranglehold of the studios, and he’s blazing the path. The whole country didn’t follow Lewis and Clark into the West right the next year, but eventually they did. Not every artist can do what Prince did next year, but it having been done (like the first 4-minute mile), others will now believe that they can do it too, and they will.

And I won’t even go into the issue of how many new artists can actually get their music promoted by the major studios, who live on a very few superstars and leave everybody else in the dust, promotion agreements or no.

Suing downloaders is truly rearranging the deck chairs on the Titanic. The current model of music financials is dead and it wasn’t killed by some woman in Brainerd.  It was killed by artists like Prince.

If anybody wonders if the hybrid power-regeneration process actually works, here’s some proof.

When you hit the brakes, my Prius turns the electric motor into a generator, and returns the generated power to the battery. As you increase the pedal pressure, it simply increases the field voltage in the now-generator, thus generating more electricity and concomitantly creating more drag. Only if you absolutely jam the brakes on, or reach a relatively low speed (say, about 10 MPH), will it actually engage the hydraulic brakes to stop the car.

Therefore, it should be that your normal braking system is relatively lightly used, especially if you are a relatively careful driver, and the wear on your brake pads should be low.

Having now almost 110,000 miles on my original pads, I went in a week ago to have a brake shop check them out, since I last looked at them about 40,000 miles ago, I figured that they must be almost shot by now. Well, to my surprise, and very much so to that of the brake shop, they found I had by wear-depth almost 50% of my pad life left. So, somewhere around 220,000 miles, I should start thinking about replacing my brakes — for the first time.

Now you’re saying, so what? Brakes are cheap, replacing them is not such a big deal, why do you care? Well, it’s just an index of how much power is really generated over the course of 100,000 miles — power that’s put right back in the battery to use in getting up to speed again, power that is in a normal car just lost as heat. Not such a big deal, but multiply that by 200,000,000 cars and you have the potential for a bunch of savings.

Perhaps that’s one of the keys to all this new focus on conservation: each one of us does a little, but it adds up. Raising the CAFE mileage standards by two MPG doesn’t sound like much, until you multiply it by all the nation’s cars, and then you have ship after ship after ship not coming to our shores with crude oil.

I don’t usually just link to other blogs, but this is a very interesting post in the NY Times regarding the various considerations for approving / disapproving of the current congestion pricing plan the Manhattan. In addition to the general congestion, economy, air quality, etc. issues, including this one,which is primarily economic:

. . . Second, a new coalition of pro-congestion pricing groups, calling itself Communities United for Transportation Equity, presented research suggesting that black and Hispanic riders and low-income riders have the longest commutes of any residents of the New York region. Of the 750,000 New Yorkers who travel more than an hour each way, two-thirds make less than $35,000 a year and only 6 percent make more than $75,000 a year, the group noted, citing an analysis by the Pratt Center for Community Development of Census data.

So, there’s more to it than just what we, as the relatively wealthy (I guess, I don’t feel like it) fixate on, which is oil prices and carbon monoxide. And, of course, the general enjoyment of riding a motorcycle to work. But if the kind of economic analysis that this argument represents actually carries some weight, it bodes well for downtown-restricting regulation in other cities as well. We are, after all, never short of the economically-disadvantaged.

The larger operative question is, I think, would traffic restrictions in a downtown are actually render it a better place, increase commerce, encourage pedestrian traffic, and so on. It would certainly have a beneficial effect on air quality and fuel consumption, but would it have other benefits? That remains to be seen. But if we mean to make our cities more livable, this is something worth trying. Maybe it works, maybe not, but trying something is better than doing nothing.

Here’s my first post dealing specifically with the congestion pricing proposal. For the rest of the posts on bikes, click on the “motorcycles” category in the blogroll.

This column falls under the heading “Ye Gods, What Next?” What we’re talking about here is downloaded viruses / trojans / key-loggers that are served and installed when you simply visit a site bearing them. And mostly these infections bypass current safety measures.

In mid-2007 Google issued a paper entitled “The Ghost in the Browser: Analysis of Web-based Malware” and it’s a very scary read. This paper is the result of a 12-month review of the Google site crawler results, with follow-up verification through the use of an instrumented sacrificial machine that connected to suspected sites and monitored the infections it picked up. This study found a minimum of 300,000 URLs that were bearing infected downloads.

What makes this particular danger so scary, besides it’s stunning prevalence, is summarized as follows:

• They can infect your machine by your just going to the site — you don’t have to consciously download anything extra, the site does it for you;
• These downloads are “requested” by the page you asked to see, hence they bypass firewalls and NAT translation filters;
• Even good sites can become infection vectors, as I discuss below, so it’s only somewhat safe to limit yourself to “reputable sites.” By no means are these hosted only on porn or celebrity-dirt or similar sites, they can be on your local newspaper’s site;
• Just about the only way to protect yourself is through periodic virus scans of your disks, and hopefully by your anti-virus package doing it’s job as they try to land on you, or by turning off scripting in your browser, which will render a large proportion of all websites unusable to you, unless you selectively allow them.

So, where do these infections come from? Google identified four main vectors. First, is web servers which have been compromised by unpatched vulnerabilities in their scripting application engines, and Google attributes this to the complexity of supporting a modern web server, especially ones that serve scripting applications and widgets, and the limited time and resources of harried webmasters and server managers. Critical patches don’t get made right away (or at all) and the bad guys will find those servers sooner or later.

Second, lots of sites these days serve user-contributed content, even including HTML files. Examples of this situation include bulletin boards, forums, and sites that allow comments on articles, video, or other content. If this contributed content isn’t sanitized properly, malware-loading content can easily sit there waiting for you to come along.

Third is a similar situation with third-party widgets, such as “free” visit counters, time-and-temperature displays, cutie little faces that laugh, and so on. Often these widgets are inserted into an innocent page but are served from an external server over which the webmaster of the first site has no control. They may start out innocent, but then (and Google saw this) after some time, even a few years, suddenly starts downloading malware along with the widget code. Voila, infection!

And the forth source is compromised ads. The problem here is syndication: an agency signs up clients whose ads are placed on a site, the clients go to their creative agency, who farms it out to . . . and eventually these ad-slots get in the hands of shady characters who place a little present with the ad — a piece of malware. Presto, infected by the Tampa Bay Online, or the Minneapolis Star-Tribune, or whoever!

Solutions

There are no really great solutions. As an end user end, you can turn off scripting in your browser. Steve Gibson of Gibson Research and the main panelist on the Security Now podcast, has advocated this for a long time. He advocates your turning off scripting in the browser and then specifically allowing it for sites you trust. This is pretty extreme, as Javascript, ActiveX, PHP, and other scripting is used on perhaps70% of all websites, so doing this will pretty much kill that proportion of the Web for you, unless you then specifically allow each site in turn to use scripting. And even this won’t entirely protect you, as third-party widgets and long chains of syndicated ads can still get you on a supposedly “safe” site. So overall, this is a lot of hassle and not completely foolproof.

The other big thing a user can do is to have good, up-to-date virus scanning of incoming objects, which may catch them as they arrive. This is by no means a sure thing, either, as some malware “unpacks” itself after it arrives, which can fool many anti-virus scanners. So it remains important to fully scan your disks at least weekly to find the ones that do get past the initial scan.

The rest of the solutions are the responsibility of server and site managers, people who are already overworked and often missing the boat on current threats. Of course, scripting should be turned of on the browser on any server! A server should have no business running off to miscellaneous websites except for various software package updates and the like, so unlike an individual’s browsing, this shouldn’t be much of a problem on a server.

But more importantly, site managers MUST start taking absolute responsibility for what is getting served on their sites. If they allow contributed HTML content, they must sanitize it properly and fully before it’s posted. They should require that other third-party objects such as widgets be served from their own servers, and sanitized! And the same goes for syndicated ads — one level of syndication is plenty, and ad-placement contracts must contain significant penalties for allowing malware-laced ads to be served. And it would be nice if sites could be certified that they meet these criteria, and that a user could set a preference in their browser to not load sites that don’t have this certification. But I’m sure the bad guys would find a way to bypass this, too.

If we don’t take enough of these steps, we’re in danger of making the Internet so dangerous that no one will want to be there, however interesting or useful it is. And believe me, that IS a danger.