<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>life, code, and idiocy • bloggage of a web coding nutcase</title>
	<atom:link href="http://fuhry.co.cc/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://fuhry.co.cc/blog</link>
	<description>Dan Fuhry is a web developer and Linux nerd with weird pet projects, severe audiophilia, one kick-ass wing recipe and who knows what else.</description>
	<lastBuildDate>Mon, 16 Aug 2010 05:00:51 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1-alpha</generator>
		<item>
		<title>The state of education and technology</title>
		<link>http://fuhry.co.cc/blog/2010/08/15/the-state-of-education-and-technology/</link>
		<comments>http://fuhry.co.cc/blog/2010/08/15/the-state-of-education-and-technology/#comments</comments>
		<pubDate>Sun, 15 Aug 2010 22:10:43 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://fuhry.co.cc/blog/?p=204</guid>
		<description><![CDATA[I feel like I wrote about this at some point, but I don&#8217;t know where. So I&#8217;ll just write about it again! ^_^ Also two blog posts in 2 days, lolwut. Currently I&#8217;m home for the summer, working* for the same web design startup, but still in my parents&#8217; basement. (Hey, I only just finished [...]]]></description>
			<content:encoded><![CDATA[<p>I feel like I wrote about this at some point, but I don&#8217;t know where. So I&#8217;ll just write about it again! ^_^ Also two blog posts in 2 days, lolwut.</p>
<p>Currently I&#8217;m home for the summer, working* for the same web design startup, but still in my parents&#8217; basement. (Hey, I only just finished my freshman year of college. I&#8217;ll be on co-op next summer.) I was talking with my mom early this afternoon and she mentioned something said by someone from our church who works as an IT consultant, specifically one for the Cleveland Heights school district.</p>
<p>I realize many of you aren&#8217;t from the Cleveland area, so here&#8217;s a quick primer. Cleveland Heights is to Cleveland as Brooklyn and Queens are to New York. There are a few rich areas, but most of it&#8217;s pretty ghetto. This particular IT manager got a call one day to go into the school and help clear out the mess from an angry 8th grader who punched an LCD monitor. When he got there he discovered that 12 of the 20 computers there had missing keys. All of them were filthy. The district had also chosen not to pay $50 per box for security software/consulting so the kids pretty much had admin access on the things.</p>
<p>Let&#8217;s switch scenes a little bit. Enter Lawrence School &#8211; <em>my</em> high school. Through the generosity of a family member I was enabled to go to this school for kids with learning differences, such as ADHD (my case), Asperger&#8217;s, dyslexia, what have you. Lawrence is a pretty darned upscale private school. Definitely not elite or anything like that, but it&#8217;s also certainly not a public school. Lawrence has a tablet PC program for high schoolers &#8211; they give (well, the parents pay for) a tablet PC to each incoming high school student. Lenovo X Series tablets, to be specific. Very nice computers. Over the course of the 2 and a half years there, I saw forks stuck in USB ports, spray painted computers, computers dropped and thrown, and of course, countless kids engrossed in Flash games in the back of the class. Sadly, there were very few times when I saw computers being properly taken advantage of, aside from maybe Microsoft Word being used to write papers.</p>
<p>In my senior year, we had two Senior Superlative winners for &#8220;Dynamic Duo.&#8221; One of them was &#8220;Dan Fuhry and his computer.&#8221; Perhaps it was because I was one of about 3 students in the entire school that understood the value of a Thinkpad X series, knew how to put the damn thing to use, and was responsible enough to never get pinked for bumming off classes playing Flash games?</p>
<p>Now, Cleveland Heights is equipping each high school student with a $600 netbook, starting this fall. Do you see something wrong with this picture? Kids in a $20k/yr private school don&#8217;t give a shit about their school laptops. Imagine what will happen when they get deployed in the ghetto. This is a disaster.</p>
<p>FACT: <strong>Kids aren&#8217;t ready to be given free laptops.</strong> I was in the classroom with laptop equipped students for 2 and a half years. The abuse of the privilege and the abuse of the physical machines far outweighs the advantages.</p>
<p>That, and we still had to print out everything. No trees saved here!</p>
<p>On the other hand, you do on occasion get the kids that know what they&#8217;re doing with computers. I was one of those kids. Having a laptop helped me be a <u>lot</u> more productive in school. So how should schools cater to this minority?</p>
<p><span style="font-size: smaller;">* Nothing came through this week. I seem to have been moved to an on-demand basis after we decided to downsize our operations a bit.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2010/08/15/the-state-of-education-and-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rolling your own captive portal</title>
		<link>http://fuhry.co.cc/blog/2010/08/14/rolling-your-own-captive-portal/</link>
		<comments>http://fuhry.co.cc/blog/2010/08/14/rolling-your-own-captive-portal/#comments</comments>
		<pubDate>Sun, 15 Aug 2010 03:25:36 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://fuhry.co.cc/blog/?p=196</guid>
		<description><![CDATA[For a long time I&#8217;ve wanted an elegant way to give my guests access to the Internet without having to deal with MAC addresses, WPA passwords etc. So my cool hacking project for the summer was building a captive portal. A captive portal is a network that prevents you from accessing the greater world until [...]]]></description>
			<content:encoded><![CDATA[<p>For a long time I&#8217;ve wanted an elegant way to give my guests access to the Internet without having to deal with MAC addresses, WPA passwords etc. So my cool hacking project for the summer was building a captive portal.</p>
<p>A captive portal is a network that prevents you from accessing the greater world until you authenticate somehow. It&#8217;s also called pay-fi in cases where you have to whip out your credit card. Usually this is implemented by having a general firewall rule that intercepts web traffic and diverts it off to a different server which redirects you to a login page. The login page takes down your MAC address behind the scenes and makes sure the firewall is up to date with which MAC addresses are authorized. I&#8217;ve found that unfortunately most open source captive portals are too bloated and require extensive reconfiguration of a perfectly good network. So here&#8217;s a summary of how I wrote my own captive portal from scratch &#8211; maybe you&#8217;ll find it useful.</p>
<p>The ingredients, software and hardware wise, are:</p>
<ul>
<li>A wireless router. I have the Cisco/Linksys WRT54GL. It should preferably be running open source firmware which gives you the ability to separate your open and private networks. My WRT54GL runs OpenWRT 10.04 &#8220;Backfire.&#8221;</li>
<li>A different switch, unless you only have 3 computers and have the aforementioned custom firmware which allows you to make VLANs.</li>
<li>A box with multiple NICs (the more the merrier) capable of hosting your network. Mine has 3 NICs &#8211; one for the external connection, one for my private network, and one for the public captive-portal&#8217;ed network.</li>
<li>Another box (or perhaps the same one as above, but I prefer to keep them separate) that provides the following:
<ul>
<li>A webserver</li>
<li>An authentication backend &#8211; I&#8217;m using Kerberos since many friends have accounts on the server and this allows for some cool SSO capabilities, but you can really use anything you want</li>
</ul>
</li>
<li>An existing NAT setup working between your private network and the Internet, going through the first box mentioned above.</li>
</ul>
<p>There are several steps involved with setting this whole beast up but you have the following rough stages:</p>
<ul>
<li>Get the webserver and authentication working</li>
<li>Set and secure the public network (close ports on the WAP and firewall box so users can&#8217;t access, for example, the WAP&#8217;s web interface or SSH on your firewall)</li>
<li>Find a way to give the webserver the ability to add and remove computers from the whitelist</li>
<li>Blackhole traffic to ports other than 80 and 443 from non-whitelisted computers</li>
<li>Intercept and redirect requests to ports 80 and 443</li>
<li><b>Optional:</b> DNS hackery to get Apple iOS devices working</li>
</ul>
<p>I&#8217;ll go over these in order.</p>
<h2>Webserver setup</h2>
<p>This one wasn&#8217;t very difficult because I already had Kerberos and PHP talking. PHP can authenticate to my Kerberos KDC using the <a href="http://pecl.php.net/package/kadm5">kadm5</a> PECL extension, for which I have made a <a href="http://fuhry.co.cc/b/kadm5.patch.gz">patch</a> that can get it compiling on newer versions of Kerberos.</p>
<p>Your webserver will be receiving ALL the web pages the user requests. Make sure you use mod_rewrite or something similar to check if the user has already been redirected to your login page. If not, redirect them. Otherwise, the user will just get a 404 error.</p>
<h2>Public network</h2>
<p>This part is pretty straightforward. Set up an unencrypted network on your WAP, give it a cute name, pick a switch port and plug it into your firewall box. Optionally, but recommended, create a dedicated VLAN for your open network and make the router&#8217;s web interface inaccessible from it.</p>
<p>Now you get to do DHCP. Either the WAP&#8217;s built-in DHCP server or good ole&#8217; dhcpd on your firewall should do the trick. Pick a subnet separate from the rest of your network &#8211; I went with 10.2.128.0/17 and cut the too-large VPN network down to a /17 instead of a /16. Set your firewall to the first IP in this network (10.2.128.1 for me) and configure a DHCP server with this IP as the default gateway.</p>
<p>It doesn&#8217;t matter much if you&#8217;re running your own DNS server or using those provided by your ISP, but make sure your DNS server(s) specified in your DHCP configuration are accessible from behind your public network even before authentication.</p>
<p>This is a diagram of the network:</p>
<p><img alt="Network diagram" src="/b/captiveportal.png" /></p>
<h2>Modifying the whitelist (from the webserver)</h2>
<p>This is one of the more significant challenges I encountered: giving the webserver the ability to add and remove addresses from the firewall&#8217;s MAC address whitelist, without introducing a notorious security flaw that could lead to my firewall being rooted if the web interface were to be hacked. To accomplish this, I wrote a small setuid root program in C that checks its parameters to make sure what&#8217;s being given looks like a MAC address and then calls iptables to change the firewall. The program also makes sure that it&#8217;s being called only by a dedicated user account on the firewall (wifiauth). Finally I generated a passphrase-less SSH key with access to the wifiauth account and copied it to the webserver.</p>
<p>Mind you, the webserver also has multiple Apache instances running under separate user accounts. Consider doing this if you have ANY other websites on your webserver that could possibly become compromised and give an attacker shell access to your firewall.</p>
<p>When all was said and done, the PHP code inside my authentication script looked something like this:</p>
<pre>$result = `ssh -i /home/srv/httpd-accounts/.ssh/fw_wifiauth wifiauth@firewall -- /home/wifiauth/bin/authtool authorize $mac`;</pre>
<p>Remember of course that you should be sanity-checking $mac before just passing it into a backtick string, since this is executing shell commands!</p>
<p>The source for my setuid program as well as the shell scripts it calls are at the end of this post.</p>
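<p>The following is an added example, not the author&#8217;s authtool.c and not part of the original post: a sketch of a setuid helper with the properties described above (strict MAC validation, caller restricted to wifiauth, iptables run without a shell). The iptables path, the rule layout (one ACCEPT rule in filter/FORWARD and one in nat/PREROUTING, inserted ahead of the blocking and redirect rules) and the function names are assumptions.</p>

```c
/* Added example: setuid-root whitelist helper sketch; paths and rule layout are assumptions. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define IPTABLES      "/sbin/iptables" /* assumption: path on the firewall */
#define PUBLIC_IF     "eth2"           /* public interface used in the post */
#define ALLOWED_USER  "wifiauth"       /* dedicated account named in the post */
#define RULE_ARGV_MAX 16

/* Accept only XX:XX:XX:XX:XX:XX: exactly 17 bytes, hex digits and colons in
 * fixed positions. No shell metacharacter can pass this check. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++)
        if ((i % 3 == 2) ? (s[i] != ':') : !isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Fill argv for one table/chain. "authorize" inserts an ACCEPT rule at
 * position 1 (ahead of the DROP/DNAT rules); "deauthorize" deletes it.
 * Returns the argument count, or -1 if the action or MAC is rejected. */
int build_rule(const char *action, const char *mac, const char *table,
               const char *chain, const char *argv[RULE_ARGV_MAX])
{
    const char *match[] = { "-i", PUBLIC_IF, "-m", "mac",
                            "--mac-source", mac, "-j", "ACCEPT" };
    int n = 0, insert;

    if (action == NULL || !is_valid_mac(mac))
        return -1;
    insert = strcmp(action, "authorize") == 0;
    if (!insert && strcmp(action, "deauthorize") != 0)
        return -1;

    argv[n++] = "iptables";
    argv[n++] = "-t";
    argv[n++] = table;
    argv[n++] = insert ? "-I" : "-D";
    argv[n++] = chain;
    if (insert)
        argv[n++] = "1";
    for (size_t i = 0; i < sizeof match / sizeof match[0]; i++)
        argv[n++] = match[i];
    argv[n] = NULL;
    return n;
}

/* The real uid of a setuid program is the account that invoked it. */
static int caller_is_allowed(void)
{
    struct passwd *pw = getpwnam(ALLOWED_USER);
    return pw != NULL && getuid() == pw->pw_uid;
}

/* Run iptables directly with execve(): no shell, no inherited environment. */
static int run_iptables(const char *argv[])
{
    char *const empty_env[] = { NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setuid(0) == 0) /* make the real uid root as well */
            execve(IPTABLES, (char *const *)argv, empty_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char *argv[])
{
    static const char *targets[2][2] = {
        { "filter", "FORWARD" }, { "nat", "PREROUTING" }
    };
    const char *rule[RULE_ARGV_MAX];
    int failed = 0;

    if (argc != 3 || !caller_is_allowed()) {
        fprintf(stderr, "usage: authtool authorize|deauthorize MAC\n");
        return 1;
    }
    for (int i = 0; i < 2; i++) {
        if (build_rule(argv[1], argv[2], targets[i][0], targets[i][1], rule) < 0)
            return 1;
        failed |= run_iptables(rule) != 0;
    }
    return failed;
}
```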
<p>Oh, and how do you get the MAC address from your webserver? Just make sure your firewall box is not NATing the traffic going between unauthenticated clients and the webserver (so that the webserver sees the individual client&#8217;s IP address). Then you can do this in PHP:</p>
<pre>function get_mac($ip)
{
        return trim(`ssh -i /home/srv/httpd-accounts/.ssh/fw_wifiauth wifiauth@firewall -- arp $ip 2&gt;&amp;1 | tail -1 | awk '{print \$3;}'`);
}</pre>
<p>I think Linux distros can vary on who can read arp tables though, so YMMV.</p>
<h2>Blackholing unauthorized users</h2>
<p>Now you want to set up the firewall rules that intercept and block traffic for unauthorized users. My authentication server runs on ports 4480 (plain HTTP) and 4443 (secure HTTP), so that&#8217;s what those two ports are. Here are the iptables rules I&#8217;m using:</p>
<pre># Allow traffic going out to the webserver's authentication page
iptables -t filter -A FORWARD -d webserver_ip/32 -i eth2 -p tcp -m multiport --dports 4480,4443 -j ACCEPT
# Allow traffic going out to the DNS server - 4453 is my alternate DNS server for Apple devices.
iptables -t filter -A FORWARD -d dns_server_ip/32 -i eth2 -p udp -m multiport --dports 53,4453 -j ACCEPT
# Drop everything else coming in on the public interface (this may not be eth2 for you)
iptables -t filter -A FORWARD -i eth2 -j DROP
# Redirect port 80 traffic
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination webserver_ip:4480
# Redirect port 443 traffic
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination webserver_ip:4443
# OPTIONAL - redirect DNS to your alternate DNS server for unauthenticated clients
iptables -t nat -A PREROUTING -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination dns_server_ip:4453</pre>
<p>Make sure you change &#8220;webserver_ip&#8221; and &#8220;dns_server_ip&#8221; appropriately.</p>
<p>At this point everything should be basically working. How to test:</p>
<ul>
<li>Connect to the wifi network, make sure you have an IP</li>
<li>Make a DNS query and make sure it works &#8211; e.g. looking up &#8220;www.google.com&#8221; should return a Google IP address.</li>
<li>Try to connect to anything running on a port other than 80 or 443 &#8211; for example an FTP or telnet server. It should time out.</li>
<li>Try to load a web page. Your request should be intercepted by your webserver. If you get a 404 error, that&#8217;s a good sign because it means the firewall is working, you just need to check your redirect code.</li>
<li>Log in to your web interface. On another computer, shell into the firewall and make sure your MAC got added to iptables (iptables -L | less).</li>
<li>Once you&#8217;re done logging in, try going to a web page. Ideally, your authentication server should detect what the original URL was and redirect you back to that URL once you&#8217;ve authenticated. It&#8217;s up to you to code that.</li>
<li>Try connecting to another non-HTTP service like FTP again &#8211; it should work!</li>
</ul>
<h2>Guest logins</h2>
<p>Wait. Wasn&#8217;t the original goal here to give guests access to the Internet? Guests are only around for a little bit. Why permanently authorize them? OK, so maybe you want to, but maybe you&#8217;re having a LAN party and people you don&#8217;t know are there, or something like that. So here&#8217;s a way you can have guest WiFi accounts.</p>
<p>First, come up with a way to authenticate guests. I chose the approach of a password that changes daily. This is the PHP code that generates it:</p>
<pre>// Timestamp when today started.
date_default_timezone_set('America/New_York');
$now_local = time() + intval(date('Z'));
$today = $now_local - ( $now_local % 86400 );
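// Passing true as the fourth argument returns the raw digest bytes, so no separate hex-decoding step is needed.
$todays_guest_password = hash_hmac('sha1', strval($today), 'SOME_SUPER_SECRET_KEY', true);
$todays_guest_password = substr(base64_encode($todays_guest_password), 0, 8);</pre>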
<p>This will generate a password that changes at midnight every day.</p>
<p>Next, figure out how long you want them to stay on your network. You can either make it indefinite, or use the cron.guestcleanup script in the tarball below to remove guests from the whitelist after so many hours (the default is 3). Add a cron job on your firewall that looks something like:</p>
<pre>*/5 * * * *     /home/wifiauth/bin/cron.guestcleanup</pre>
<p>Every 5 minutes that cron.guestcleanup script will scan the file /var/lib/wifiauth/guesttab and remove anyone whose access has expired from the firewall.</p>
<h2>I&#8217;m confused, how is this all working? (and gotchas)</h2>
<p>The authorize script puts an ACCEPT rule for the client&#8217;s MAC address into iptables BEFORE it hits the rules that blackhole and redirect traffic. This causes iptables to stop processing that packet, approve it and send it on its way. The deauthorize script simply removes the same rule.</p>
<p>One thing to look out for is a reboot of your firewall. If your firewall gets reloaded and you don&#8217;t automatically call something like iptables-save on shutdown, chances are clients who have already authenticated will be blackholed again. To solve this, I keep the list of authorized users (guests and people with full accounts) in a MySQL database. If the web authentication page finds their MAC in the copy of the whitelist in the database, it will simply ask the firewall to re-authorize the MAC address without prompting for authentication, display a &#8220;whoops&#8221; page, and send the user on his/her way. Using a database also allows the people who have full accounts on my network to manage and remove their authorized computers.</p>
<h2>Apple iOS devices (optional)</h2>
<p>If you have an iPhone or iPod touch you might have noticed the gray &#8220;Connecting&#8230;&#8221; screen when you connect to many public hotspots. The way it decides whether or not to show this is by doing a DNS lookup on &#8220;www.apple.com.&#8221; So, in order to get iOS hotspot support working you have to fail DNS lookups on www.apple.com to unauthenticated clients.</p>
<p>I did this by setting up another BIND instance running on an alternate port and redirecting unauthenticated DNS traffic to that instance. Then I created a null &#8220;apple.com&#8221; zone and configured only that instance to use it.</p>
<h2>Conclusion</h2>
<p>Hopefully you&#8217;ve found this post useful &#8211; it sure was a challenging and fun project for me. I know it assumes a fair amount of skill level but I&#8217;ve done the best I can to explain the more difficult bits. If you get stuck, do ask in the comments and I can probably help you get un-stuck.</p>
<h2>Resources</h2>
<ul>
<li><a href="http://fuhry.co.cc/b/kadm5.patch.gz">Patch for the kadm5 PECL extension</a></li>
<li><a href="http://fuhry.co.cc/b/cp-firewall-scripts.tar.gz">Firewall whitelist/de-whitelist scripts</a> &#8211; compile authtool.c AS ROOT with &#8220;gcc -o authtool authtool.c &#038;&#038; chown root:wifiauth authtool &#038;&#038; chmod 4750 authtool&#8221;</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2010/08/14/rolling-your-own-captive-portal/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>So, about that Pioneer receiver&#8230;</title>
		<link>http://fuhry.co.cc/blog/2010/06/30/so-about-that-pioneer-receiver/</link>
		<comments>http://fuhry.co.cc/blog/2010/06/30/so-about-that-pioneer-receiver/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 20:48:09 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://fuhry.co.cc/blog/?p=193</guid>
		<description><![CDATA[I know, I know, I won&#8217;t shut up about that thing. This will probably be my last blog post on it, because any further news will likely be along the lines of a tweet saying &#8220;He&#8217;s Dead, Jim.&#8221; I lied. It didn&#8217;t really die. The board that handles the processing for the surround channel just [...]]]></description>
			<content:encoded><![CDATA[<p>I know, I know, I won&#8217;t shut up about that thing. This will probably be my last blog post on it, because any further news will likely be along the lines of a tweet saying &#8220;He&#8217;s Dead, Jim.&#8221;<br />
I lied. It didn&#8217;t really die. The board that handles the processing for the surround channel just fried. No biggie, I just left surround turned off. Except that the board started shorting somewhere, or a wire went bad or something, and it caused a relay inside the receiver to trip and pretty much switch off the power amp as a safety mechanism. I figured out 2 days ago that wiggling the board just right is what needed to be done to un-short it. It only works for X amount of time though, then it clicks off again and has to be wiggled again. This is naturally quite annoying, and it got intolerable today.</p>
<p>So I decided to go for the long haul and try to fix the board. That involved ripping it out and reseating a few components, then thermal-greasing the power amp ICs and putting it all back together. It worked for a while, then I put the cover back on the box and the fuses blew when I turned it back on.</p>
<p>4 fuses later I decided it was time for drastic action. I decided to amputate the surround board. Of course, because my life sucks, I cracked an edge of the board that does all the preamp stuff and logic. Preamp&#8217;s thus gone now too.</p>
<p>However, the 2 channel power amp, which has two outputs for each channel as with most receivers, still works fine! ^_^ As does the ability to have switched power outlets, which is nice because it means I have a kill switch for the sound system. That can be useful sometimes&#8230; like when dealing with roommates or neighbors and an unexpected Flash website with audio that starts playing automatically at full volume. Yeah.</p>
<p>So the receiver will continue to be used as long as it stays in one piece and doesn&#8217;t start throwing sparks. And hell, that&#8217;s what fuses are there for, right?</p>
<p>Oh wait, maybe I haven&#8217;t told you all about Project Hearit. (I named it on the spot.)</p>
<p>Each year I usually have one Big Toy I throw a good chunk of money at. 2007 was the disk array, 2008 was my iPod touch, 2009 was Charlie and this year was audio. Each project is considered &#8220;finished&#8221; before the next one is started, and I expect each Big Toy to last me several (5-7) years. Project Hearit is composed of the following components:</p>
<ul>
<li>ASUS Xonar DX sound card for charlie. Supports 24-bit 192kHz audio. Theoretically. I&#8217;ve only seen it hit 96k, but even that&#8217;s good enough.</li>
<li>Front speakers: M-Audio Studiophile AV40 monitors. They&#8217;re not as powerful as I would like, but they make excellent front channel (near-field) speakers, which is what they&#8217;re designed for. The frequency response is extremely flat and accurate.</li>
<li>Rear speakers: Pioneer CS-G201WA II hi-fi speakers, circa 1986. I bought them for $8 at a garage sale, then <a href="http://twitpic.com/1xma1k">replaced</a> the <a href="http://en.wikipedia.org/wiki/Loudspeaker#Driver_design">surrounds</a> (the red things in the picture) using 2 of <a href="http://www.speakerworks.com/ProductDetails.asp?ProductCode=SWK10ARED">SpeakerWorks&#8217;s excellent repair kit</a>. They get a bit of favoritism, I guess it&#8217;s the fact that I put a little more time into them than the other pieces.</li>
<li>Subwoofer: This was a steal. I got Yamaha&#8217;s SW315 subwoofer from <a href="http://www.sobongo.com/yamaha-10-subwoofer-270-watt-amp-sw315.html">Sobongo</a> for $210 including shipping. They didn&#8217;t send me a tracking number or order confirmation e-mail at all, so for a short while I thought I&#8217;d gotten scammed. Then the thing showed up in the mail 48 hours after I placed the order. 48 HOURS! Who even needs a tracking number when your shipping is that fast? And that was their cheapest shipping option. I wonder if I&#8217;d hear the doorbell 5 minutes after clicking &#8220;Submit Order&#8221; if I went for the more expensive shipping.</li>
<li>Receiver: The aforementioned Pioneer receiver, which has already received way too much attention on this blog.</li>
<li>Music creation: I have M-Audio Keystation 88es and Yamaha PSR-270 keyboards mounted on a Hercules stand with an On-Stage Stands second tier installed. Both keyboards talk to the computer with MIDI. The PSR-270 acts pretty much as my MIDI controller and a secondary keyboard for synths and other stuff, and the Keystation is for general playing. You really do get a lot of new possibilities when you add a second keyboard.</li>
<li>Audio software stack: OK, this one deserves a paragraph instead of an HTML list-item.</li>
</ul>
<p>So yeah, how does all the software work for this? Well, I have a lot of needs. Multi-channel output, mixing of the center channel (due to my lack of a center speaker, which tends to destroy spatialization for music listening anyway), low latency for the pianos, and a high degree of application compatibility (e.g. Flash). This all considered, I went for PulseAudio configured with a JACK sink. Let&#8217;s just skip over the part where I had to build JACK 2.0 because Fedora&#8217;s JACK 1.x packages are&#8230; jack shit (pardon the pun). Pulse consistently crashed or had buffer underruns after a couple minutes of running with JACK 1.x. Through some sort of miracle, I was able to install JACK2 on top of JACK1 and not have any linkage issues. Pulse&#8217;s JACK module sinks perfectly to the underlying JACK server, which has roughly a 10ms latency and also takes audio coming out of Qsynth. Lately I&#8217;ve been sending Pulse through JackEQ, which provides the equalizing and mixing functions (remember that center channel?) I lost with Exaile 0.3.2.0 and all its horrible regressions, while keeping latency and CPU load reasonable. The result is relatively solid audio, low latency when I need it, and decent application compatibility through Pulse. Only one program (JACK) talks directly to ALSA, which means that software mixing is done competently.</p>
<p>As of right now I&#8217;m liking the setup. We&#8217;ll have to see how it holds up to the musical explorations of the next few years&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2010/06/30/so-about-that-pioneer-receiver/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Christian Right is Upside Down.</title>
		<link>http://fuhry.co.cc/blog/2010/06/18/the-christian-right-is-upside-down/</link>
		<comments>http://fuhry.co.cc/blog/2010/06/18/the-christian-right-is-upside-down/#comments</comments>
		<pubDate>Sat, 19 Jun 2010 01:35:58 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://fuhry.co.cc/blog/?p=182</guid>
		<description><![CDATA[It&#8217;s rare that I post things on here that aren&#8217;t related to technical stuff, but hey at least it proves I have somewhat of a life. This post is geared for the most part at Christians, but if you&#8217;re not a Christian, you might also find it an interesting read. The following headline was waiting [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s rare that I post things on here that aren&#8217;t related to technical stuff, but hey at least it proves I have somewhat of a life. This post is geared for the most part at Christians, but if you&#8217;re not a Christian, you might also find it an interesting read.</p>
<p>The following headline was waiting for me in Pidgin this morning, courtesy of Neal Gompa:</p>
<blockquote><p>A recent study by the Barna Research Group concluded that most Americans under the age of 40 have a negative view of evangelical Christians as a result of the activities of the Christian Right. The study found that many young people viewed the Evangelical movement as homophobic, sexist, and even hypocritical on issues such as capitalism and the death penalty.</p></blockquote>
<p>OK, so that was a &#8220;no shit, Sherlock&#8221; moment. I&#8217;m a Christian myself, and a rather adamant one at that, but I fall under &#8220;most&#8221; here. Let me explain.</p>
<p>Right now, there&#8217;s an attitude of superiority about Christians. Everywhere I go, even my own church, I see and talk to people that think, passively, that &#8220;some people&#8221; just suck, and there is an air and attitude of Christianity being a sort of extremely judgmental clique. People that claim to be so smart about their faith that they&#8217;ve somehow wrapped their mind around it.</p>
<p>I&#8217;m sick of it.</p>
<p>As far as I&#8217;m concerned, we&#8217;re not supposed to worry about sin being committed by people who are unsaved. Our first priority should be to show them Christ&#8217;s love and pray that through divine intervention they would realize their own state of sin. Then once they&#8217;re saved, the Holy Spirit, and <u>only</u> the Holy Spirit, can help them get over it.</p>
<p>I hate especially seeing this type of attitude towards homosexuality. Homosexuality, at least physical sexual acts, are undeniably forbidden (at least implicitly) by the Bible. But hold on a second. How in the world can you thump the Bible at someone who does not believe it? There is a book, somewhere, that says that I should not put my curly braces on a separate line when I code. I don&#8217;t give a shit, I have my own coding standards, and I believe them to be quite correct. Same thing goes for people who aren&#8217;t saved. Get it in your head, folks: <b>they don&#8217;t give a shit</b>. And the only one who can make them give a shit is God. Get rid of your pride, and be the hands and feet of the Gospel, and nothing more.</p>
<p>My beliefs on the matter are influenced by the number of friends I have who are GLBT. From my roommate to online friends to CSH friends, I know a lot of people who are gay or bi, and a Lesbian girl or two. Even at the beginning of last year, I expected it to be a struggle. My parents can&#8217;t talk with someone who is GLBT without freaking out, at least inwardly. A constant nagging sensation, as such. For a long time, I couldn&#8217;t either. Then I realized that it&#8217;s just not my concern, and moreover, it doesn&#8217;t dictate every part of someone&#8217;s personality. In fact, I know exactly zero people who are the flaming homosexuals you see in the pride parades and such. Most GLBT people in my circle of friends know very few. It just shouldn&#8217;t make any difference. Those of you who are in the younger (&lt;25) generation will know what I'm talking about. If you're older than that, consider how you versus your parents interacted with black people if you're white or vice versa. You grew up during or after the civil rights movement, Martin Luther King Jr., and the 1970s and all their SOUL POWAH whereas your parents grew up before that. There's a difference, because your parents had to alter their behavior as times changed. It's the same situation for the GLBT community really. Just overlook it. Don't even notice it. I had to pick up my brother from school recently. He goes to a private Christian school a-ways away. A few days later my mom mentioned that she noticed a lot of students at his school are black. She didn't pay any attention to it, just happened to notice. I didn't even notice, and I was there as students were pouring out of the building at the end of the school day. That's how I hope my kids will be with the GLBT community.</p>
<p>That's the main issue of judgmentalism that I see with Christians today but there are others, such as drinking, adultery and other "serious" sins. "For all have sinned and fallen short of the glory of God", says Romans 3:23. Doesn't say anything about "all have sinned, but boy is Joe Blow over there a doozy." The serial killer is right there with the kid that lied to Mommy about the cookie he took right before dinner. Quit throwing rocks in a glass house. If you're ministering to someone and you've gotten to the "you are a sinner" stage, you should be praying and praying that God will give you the right thing to say, and you better be darned sure to realize how messed up you still are, you righteous and holy God-fearing Christian, as you're talking to the other person. I know that my own flaws are too numerous to even name right now. We are flawed, perverted, lying, cheating, stealing creatures, and it is only through God's direct intervention and His Son's willing sacrifice that you and I, the righteous and holy Christians, have any hope whatsoever of not being toasted like the pieces of utter shit that we are without God in our lives. Until you get that down *pat*, you're trying to remove the speck from someone else's eye with a fricking plank in your own.</p>
<p>Hypocrisy is one of the most obvious mistakes anyone can make, and it ruins trust instantly. Think of our Congress members that out of one side of their mouths push anti-porn legislation, and out of the other side go home and spend hours looking at it every night. What do you think of them? They're disgraced - outcast from society. Sounds to me a lot like how Christians are being treated in modern times, and we damn well deserve it. Own up to your own pathetic self. I want to see more Christians doing this. Maybe we can get some traction back.</p>
<p>While we're at it, let's address traditionalism. I was raised in, and continue to attend while not up at RIT, a relatively large (~1,700 members) church whose senior pastor is the host of a nationally broadcast radio program, mainly due to affiliations and connections. Doctrinally, I agree with the church's beliefs entirely. I think a lot of people that go there, judgmentalism issues aside (see above), are devoted followers of Christ. But there's a problem... it's too <i>white</i>. I go to a church up in Rochester known as The Father&#8217;s House. It&#8217;s a lot more black. I&#8217;ll be straight up, I think black people are better at worshiping God. TFH, contrasted with my home church, is much more energetic. It ditches traditional hymns, suits and ties, and the general shy, timid style of churches and replaces them with a rock concert, a pastor in blue jeans that cracks a slightly dirty joke and then immediately follows it up with a home-hitting point straight out of the Bible, and an extremely upbeat, modern atmosphere.</p>
<p>Let&#8217;s analyze this a bit. Is it about feeling &#8220;comfortable&#8221;? I think not. I feel a lot less comfortable when I&#8217;m around TFH. I hate, <i>hate</i> raising my hands up when we&#8217;re singing. It&#8217;s a wildly uncomfortable, embarrassing feeling. But I keep doing it now after acquiring the habit at TFH, because it makes me think about what I&#8217;m singing. If I don&#8217;t do that, I can just sort of stare at the PowerPoint slides and pass the words directly from my eyes to my mouth, and not route them through my brain to put any thought into what I&#8217;m singing. Now, I&#8217;ve taken the hand-raising habit back home with me, and it&#8217;s even weirder to be one of only about 2 people in a congregation of a thousand doing it, but picking up the habit took the pressure of a challenge from the pastor at TFH, who said, in a nutshell, that if you&#8217;re just mumbling the words, you should be doing whatever it takes to make you think about them.</p>
<p>Of course words are important, but the way music is performed is critical too. As a society, we are ready to embrace the style of rock music in worship. I&#8217;m talking to you, Bob Jones University (which published all the schoolbooks I used as a homeschooled child), and anyone else who thinks that drums and distortion are a product of Satan himself. If you know me at all, you know that I have a deep passion for music, especially metal. I&#8217;m playing Hammerfall right now. Epica and Kamelot will probably come later this evening, and maybe some Lamb of God after that. I listen to it because I think all of it is beautiful &#8211; the exercising of God-given talent, whether it is being used for God&#8217;s glory or their own. Indirectly it goes to God&#8217;s glory, because I use that music to hone my own musical abilities, which I do use for God&#8217;s glory. Metal &#8211; &#8220;Satan&#8217;s music&#8221; as it is called by many conservatives &#8211; is what revived a talent I had barely any reason or inspiration to refine, a talent that God gave me in the past and I felt for several years had been obsoleted by my work with computing and networking.</p>
<p>No musical style or sound is of the devil at all. It is a mere artistic invention by humans, and it can be used for good or evil. There are some pretty credible bands &#8211; Becoming the Archetype comes to mind &#8211; that are undoubtedly at the heart of the death metal genre, but they are Christian. So as long as your congregation can enjoy that kind of music, you should use it, because it is the creation and rendering of art for the glory of God. Moreover, I think it is an abomination to hold back musicians for fear of them appearing &#8220;too flashy.&#8221; Colossians 3:23 says, &#8220;Whatever you do, work at it with all your heart, as if working for the Lord, not for men.&#8221; I think that pretty much sums it up: everyone should wholeheartedly devote the pinnacle of their talent to praise music. The important part is to keep your heart attitude where it belongs. When you, the praise team member, are up on that stage, you are playing your instrument or singing beautifully because it&#8217;s the God of the universe you are singing or playing for. Yes, you have a role to lead the congregation in their worship. I&#8217;m not saying to add a 32 measure keyboard solo &#8211; that would be failure to fulfill the congregation&#8217;s need to worship. But play it or sing it like you mean it. Lead by example. If you are congratulated or praised, thank the person humbly, and remind them (and in doing so, remind yourself) that the glory should go to God. If your heart is in the right place, then no matter how heavy, fast, distorted, or complex the music is, I believe completely that putting some leet skillz into your praise music is appropriate.</p>
<p>For about 10 years, my home church hosted a husband and wife who together led the entire media and worship branch. She sang, and he did drums and tech. Before they joined us, they were big. BIG. She sang the songs written for Madonna so that Madonna could learn them. When they joined us, they were held back &#8211; ordered to restrain their talents, for fear of taking too much glory for themselves. TFH has done the opposite: when they find talent, they use it. And look where they are &#8211; their worship services are brilliant, yet every single person on their worship team, from what I can tell, plays only for the glory of God. I&#8217;m on the worship team for InterVarsity at RIT, and we take the same approach: <a rel="friend" href="http://skudmunky.com/">Mark</a> and I are quite similar in musical taste, and we reflect that in our music. We make it a challenge and a piece of art, because God appreciates it. It&#8217;s making a joyful noise unto the Lord. I try to make it a point to pray, at least privately, before each service just to ask God to remind me to not take any glory for myself. As far as I&#8217;m concerned, I think God wants our all, both our hearts and our actions.</p>
<p>Those are the two biggest issues I have with the modern day Christian community. If you have thoughts, please share them. I&#8217;d especially like to pose a question to the GLBT and atheist communities: would you be willing to talk with a Christian about relevant subjects, if you knew that said Christian would be respectful of you and not overstep his/her bounds?</p>
<p>I apologize if you dislike my colorful choice of words in this post. Trying to get a point across. Please overlook it, and appreciate the underlying message. After all, sometimes you need to go out of your comfort zone.</p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2010/06/18/the-christian-right-is-upside-down/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Thoughts on Mainframes</title>
		<link>http://fuhry.co.cc/blog/2010/05/24/thoughts-on-mainframes/</link>
		<comments>http://fuhry.co.cc/blog/2010/05/24/thoughts-on-mainframes/#comments</comments>
		<pubDate>Mon, 24 May 2010 04:49:35 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[School]]></category>

		<guid isPermaLink="false">http://fuhry.co.cc/blog/?p=178</guid>
		<description><![CDATA[I was given the opportunity to take a class this past quarter on large scale computing. It was a great opportunity to learn about an entirely different way of computing: the mainframe way. The class was taught as a seminar course, which means RIT is letting the professor trial-run, test and fine-tune the course before [...]]]></description>
			<content:encoded><![CDATA[<p>I was given the opportunity to take a class this past quarter on large scale computing. It was a great opportunity to learn about an entirely different way of computing: the mainframe way. The class was taught as a seminar course, which means RIT is letting the professor trial-run, test and fine-tune the course before it becomes an official course. There were 19 of us in the class. The limit was 20; 5 of us, myself included, were from CSH. It was taught by Professor Larry Hill, probably one of the more distinguished professors in NSSA, and definitely the department&#8217;s expert in hardware.</p>
<p>To put it in Prof. Hill&#8217;s words, the mainframe market is this big. *holds hands about 3 feet apart* The portion of the market controlled by IBM is this big. *brings hands closer to each other by about an inch* Big Blue controls about 98% of the mainframe market. There are other companies that make mainframes too; HP comes to mind. But for the most part, when people think of mainframes, they think of IBM.</p>
<p>Mainframes are important because of a concept IBM calls RAS: Reliability, Availability and Scalability. Reliability means that failures happen rarely. Availability means that when they do happen, the customer-facing service faces very few or no issues. Scalability means that the machine can grow to fit the needs of your business. IBM emphasizes all three of these with their mainframe products. They pretty much nail all these points with their marketing and then make sure they back it up by manufacturing the entire machine in-house, from the silicon, to the boards, to the chassis, to all the microcode, firmware and software.</p>
<p>Once you buy a mainframe, your company pretty much has it staffed 24/7 with people that know z/OS on a pretty thorough level. Very few people understand every aspect of it, and they all work for IBM, but you also pretty much have a direct line to them, and them to you.</p>
<p>Now we&#8217;re getting into the potential for problems.</p>
<p>First off, mainframes have been around for a long time. And so have their operators. Since they&#8217;re an entirely different computing platform, something that a person who has only ever used good ole x86 boxes probably won&#8217;t understand is that they are different from the very core. It took us ten weeks to learn the most basic bits about how they work &#8211; and everybody pretty much flat out bombed the final. But at least we have an understanding of the platform.</p>
<p>Unfortunately, that is lightyears ahead of what your typical CS, SE or networking major knows about mainframes. And that&#8217;s when we get to the dangerous waters. Mainframes were much more distinguished and well-known in the 1960s through 1980s, when the personal computer hadn&#8217;t quite been refined yet. When the PC took off in the late 80s and early 90s, everyone (including universities) pretty much forgot about IBM&#8217;s &#8220;other&#8221; product as young programmers rushed to learn the newfangled PC and left mainframes to rot. But behind the scenes, mainframe admins in their 30s and 40s were still keeping these puppies up. Nobody realized the longevity of equipment like this. IBM recently threw a party with a client celebrating 15 years of *zero* service interruptions. That&#8217;s nothing short of fricking insane, and it does say a bit about what IBM thinks of their customers and their needs.</p>
<p>But here&#8217;s where things are getting just plain sticky. You&#8217;ll notice that I haven&#8217;t shut up about IBM, IBM, IBM here. That&#8217;s the problem with the market. Everything is controlled by IBM. If, God forbid, Poughkeepsie or Fishkill gets hit by a nuke, the entire industry would go up in smoke. The platform is extremely closed, proprietary, and well-guarded. Perhaps that has indeed kept it reliable, but it does make IBM itself the single point of failure.</p>
<p>That&#8217;s why I don&#8217;t think mainframes are going to last. IBM is the only company that&#8217;s really into them. They are by nature a great computing platform, and certainly more energy-efficient and secure, but nobody really understands them fully. And so few colleges/universities have classes (much less entire programs) teaching young people about them, that the people who know them thoroughly seem to just be dying off and/or retiring. What happens when they&#8217;re gone? I think IBM is neglecting to train young people on them. They have contests such as &#8220;Master the Mainframe&#8221;, but they just don&#8217;t do enough to spark interest.</p>
<p>I think that for now, because most of the market belongs to IBM, IBM should be the one handling the education effort. It should not be the responsibility of universities to teach about a closed, proprietary platform that depends on a single company. What happens when the company on which a substantial portion of the business world depends fails?</p>
<p>Speaking of which, hey Microsoft, how about that Windows thing&#8230;.</p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2010/05/24/thoughts-on-mainframes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Breakin&#8217; out da twenty-ten</title>
		<link>http://fuhry.co.cc/blog/2010/04/18/breakin-out-da-twenty-ten/</link>
		<comments>http://fuhry.co.cc/blog/2010/04/18/breakin-out-da-twenty-ten/#comments</comments>
		<pubDate>Sun, 18 Apr 2010 18:19:29 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://fuhry.co.cc/blog/?p=170</guid>
		<description><![CDATA[Clearly I&#8217;ve been getting worse and worse at maintaining my once-glorious, well-kept blog. Unfortunately my twitter has largely replaced that despite my affinity for not-very-concise writing. Anyways, this blog and I are nearing its fourth year of existence. We&#8217;ve been through a lot together, and it&#8217;s been running on WordPress. Not that I dislike WordPress, [...]]]></description>
			<content:encoded><![CDATA[<p>Clearly I&#8217;ve been getting worse and worse at maintaining my once-glorious, well-kept blog. Unfortunately my twitter has largely replaced that despite my affinity for not-very-concise writing.</p>
<p>Anyways, this blog and I are nearing its fourth year of existence. We&#8217;ve been through a lot together, and it&#8217;s been running on WordPress. Not that I dislike WordPress, but there are certain implications to maintaining a CMS and then not using said CMS on your own blog. They call it eating your own dog food, or just &#8220;dogfooding&#8221; for short. Of course, when this blog started, Enano didn&#8217;t exist, and wasn&#8217;t mature enough to be used as the codebase for a good blog plugin until about a year and a half ago. This blog may or may not be ported. I don&#8217;t want to break URLs, and that&#8217;s the biggest issue right now.</p>
<p>So what&#8217;s new? Well, for starters, the URL and the theme. I wonder if there is still residual <a href="http://www.kin.com/">Microsoft Kin</a> artwork in my head. I pulled the current design out of my ass today, and it&#8217;s the first time I&#8217;ve ever designed a WordPress theme. I did zero instruction reading, so right now at least two things (search and categories) are broken. Anyways, I wanted a new, more Fuhry-like look, something clean and a little boxy, and a shorter URL. So now it&#8217;s implemented: fuhry.co.cc/blog/ and the theme which I internally refer to as fuhrylicious but shall remain nameless to you the viewer. *zaps your head with a funky looking laser*</p>
<p>I&#8217;m in my 3rd quarter at RIT. Not much comment to make on that, I mean, it&#8217;s college. It&#8217;s awesome, and we all know that. If all goes well, I&#8217;ll be out of here by the time we switch to semesters, working for&#8230; well, who knows as of right now&#8230; ideally doing information security consulting, research, what have you.</p>
<p>Interestingly enough, I&#8217;ve grown a lot as a musician over the past several months. That can be attributed in part to what I know lovingly as Project Double Decker. I&#8217;ve found myself commanding both more powerful synth effects on the one hand and more articulate piano playing on the other. I consider both to be vital for any modern pianist, because the former gives you the ability to blend in with a band, and the latter gives you the capacity to stand out, either on your own or by soloing in a band. I&#8217;ve built up a lot of strength, timing, and agility especially in my left hand, which has given me the ability to play speed metal-style. All this runs on two keyboards &#8211; my new M-Audio Keystation 88es MIDI controller, and my Yamaha PSR-270 which my parents bought for me when I was 9 &#8211; and the Fluidsynth/Qsynth/JACK software stack. The result is low latency, (mostly) impeccable sound, and some <a href="http://justin.tv/metalfingersoffury" rel="nofollow">opportunity for public exhibition</a>. On occasion.</p>
<p>In parallel, my musical tastes have expanded. I&#8217;ve discovered myself as a metalhead in every possible respect. My playlist has everything from sludgy stuff to speed, power, thrash, death, mathcore, and I&#8217;ll stop here but the list is a bit longer. Screw the mainstream, I&#8217;ve found my taste. <img src='http://fuhry.co.cc/blog/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>Other new things in 2010? Dunno, to be honest. I&#8217;ve continued to be involved with CSH; this year my major project was known as <a href="http://cancer.csh.rit.edu/">CANCER</a>, or Clustered Autonomous Network for Cancer Elimination Research. It&#8217;s a grid computing facility that can grow and shrink as needed. CSH members will eventually be able to write their own CANCER jobs, submit them to the grid, and have them done faster than any single box could do it. Any idle cores will run Folding@Home. I learned Ruby in order to do the project, and have pretty much everything written except job termination, reissuance, and the scheduler that will coordinate which tasks are run when. CSH&#8217;s chairman wants to get some press attention about it eventually, so there&#8217;s a nice pretty webpage at the above link. Anyways, CANCER earned major project credit, and thus I&#8217;ve attained full CSH member status and will be either a member or an alum for life. It&#8217;s cool, because CSH is a great source of innovation (ugh&#8230; I used the I-word). I&#8217;m proud to be included in it.</p>
<p>As for Enano, we didn&#8217;t make it into Summer of Code, but it&#8217;s gotten a bit of publicity lately (not that more would not be appreciated <img src='http://fuhry.co.cc/blog/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> ) and we&#8217;ve been lucky to see a couple of developers, <a href="http://mesadu.net/">phirox</a> and <a href="http://www.anthonykosednar.com/">Anthony Kosednar</a>, in IRC. Anthony&#8217;s working on an Akismet plugin, and phirox has contributed some patches to the core and plugins to enhance PostgreSQL compatibility.</p>
<p>That&#8217;s it for today. Check back in soon &#8211; maybe, just maybe, I&#8217;ll write more.</p>
<p>Maybe.</p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2010/04/18/breakin-out-da-twenty-ten/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Licensing alert: TinyMCE is not fully LGPL</title>
		<link>http://fuhry.co.cc/blog/2009/12/13/licensing-alert-tinymce-is-not-fully-lgpl/</link>
		<comments>http://fuhry.co.cc/blog/2009/12/13/licensing-alert-tinymce-is-not-fully-lgpl/#comments</comments>
		<pubDate>Sun, 13 Dec 2009 20:06:41 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lifecodeidiocy.enanocms.org/?p=157</guid>
		<description><![CDATA[Neal Gompa recently brought to my attention that the artwork used in TinyMCE &#8211; specifically, the icons &#8211; is from Microsoft&#8217;s Visual Studio 2010 SDK. This came from a reply we requested directly from MoxieCode (the company that develops TinyMCE). The license terms for them permit distribution, but restrict modification: the icons must remain &#8220;consistent [...]]]></description>
			<content:encoded><![CDATA[<p>Neal Gompa recently brought to my attention that the artwork used in TinyMCE &#8211; specifically, the icons &#8211; is from Microsoft&#8217;s Visual Studio 2010 SDK. This came from a reply we requested directly from MoxieCode (the company that develops TinyMCE). The license terms for them permit distribution, but restrict modification: the icons must remain &#8220;consistent with the permitted use of the unmodified [images].&#8221; According to Neal, MoxieCode has failed to document this licensing exception.</p>
<p>Not all of the icons are from Visual Studio &#8211; some of them are from Fam Fam Fam&#8217;s Silk icon set (the same icons I use pretty much everywhere in Enano), which is under the Creative Commons Attribution license (can&#8217;t remember which version). But if you use TinyMCE without a custom icon set, beware &#8211; your software includes some non-free components.</p>
<p>As for Enano, we&#8217;re going to look at putting together a Tango and/or Fam Fam Fam icon set and contributing it back upstream to TinyMCE. We don&#8217;t think it&#8217;s right that Microsoft&#8217;s restrictively-licensed intellectual property be included with free software like Enano. Lots of open source CMSes and blog software might be affected by this, so if you maintain any software that uses TinyMCE, be on the lookout for an update with more freely-licensed icons.</p>
<p>MoxieCode CTO Johan Sörlin noted in his e-mail:</p>
<blockquote><p>What they say in the Image Library specific to the Office icons we use:</p>
<blockquote><p>Action icons are used to represent commands in the menu structure. These are most often action verbs, but sometimes are nouns (objects or tools) with actions associated with them, such as Hide or Show. As part of a visual language, the following images (or any part of the images) should be used consistent with, although not necessarily identical to, the usage described below</p></blockquote>
<p>This is what they say about the Image Library in general in their eula.txt:</p>
<blockquote><p>Image Library. You may copy and distribute images and animations in the Image Library as described in the software documentation. You may also modify that content. If you modify the content, it must be for use that is consistent with the permitted use of the unmodified content.</p>
<p>Third Party Distribution. You may permit distributors of your programs to copy and distribute the Distributable Code as part of those programs.</p></blockquote>
</blockquote>
<p>Neal also noted to me their use of Firebug Lite and jQuery without documentation of their licenses (BSD and MIT respectively) &#8211; including license headers in the source code. This isn&#8217;t as serious because they can legally be relicensed, but it does raise some questions.</p>
<p><strong>Update:</strong> Firebug Lite is just a bunch of prototypes and it&#8217;s about 5 lines of code, so either it&#8217;s <acronym title="Do What The F--- You Want Public License">WTFPL</acronym>/public domain or Joe Hewitt&#8217;s off his nut, the latter of which I seriously doubt. jQuery of course is still MIT, but the TinyMCE folks don&#8217;t modify it so they redistribute it with its license unmodified. They have also left the headers in the source code, although you won&#8217;t see that unless you download the source archive. Perhaps you should include a 3rd party license list in the About dialog, MoxieCode?</p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2009/12/13/licensing-alert-tinymce-is-not-fully-lgpl/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>This and That (or &#8220;baby, it&#8217;s been so long!&#8221;)</title>
		<link>http://fuhry.co.cc/blog/2009/10/27/this-and-that/</link>
		<comments>http://fuhry.co.cc/blog/2009/10/27/this-and-that/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 05:21:38 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lifecodeidiocy.enanocms.org/?p=154</guid>
		<description><![CDATA[Dear Blog, You have my sincerest apologies for the neglect I&#8217;ve shown you. For the first time in three years I have failed to update you at the minimum rate of one post per month. I only hope I can make it up to you through this post. So yeah. I started college (RIT; TS;WRM [...]]]></description>
			<content:encoded><![CDATA[<p>Dear Blog,</p>
<p>You have my sincerest apologies for the neglect I&#8217;ve shown you. For the first time in three years I have failed to update you at the minimum rate of one post per month. I only hope I can make it up to you through this post.</p>
<p>So yeah. I started college (RIT; <a title="Too Short; Wanna Read More" href="/blog/2009/05/05/sorry-ray-kurzweil-its-off-to-rit-for-me/">TS;WRM</a> explanation). Fun indeed. Passed the first round of Computer Science House induction formalities, and on track to make it through fall evals. In other words, I&#8217;ve developed a high enthusiasm for the floor where I live, because of the highly social, usually low-pressure atmosphere. And having upperclassmen you can bug by endlessly asking which professors are best rocks.</p>
<p>College so far, fun. Classes are pretty easy, writing papers sucks just as much as I anticipated it would, and I can feel the freshman 15 excitedly gurgling in my gut. I get to wake up at 6AM to register for all my winter quarter classes this coming Wednesday. That should be a blast.</p>
<p>So let&#8217;s get down to business: the college necessities. You know, the things you have to buy to replace stuff that just can&#8217;t go to college. We&#8217;ll start with the monitors.</p>
<p>I loved my ViewSonic A90. Always did. One of the highest-quality CRT monitors I&#8217;d ever used anywhere, and it proudly sat on my desk for nearly 2 years (or 3? I forget). Unfortunately CRTs don&#8217;t fit too well in a dorm. I had the budget planned out for desperate times such as this, so when the time came it was pretty much a no-brainer: LCDs for the win. I settled on the ASUS VH226H, or rather, two of them. They sport a 1920&#215;1080 resolution per screen, giving me a generous 3840&#215;1080 desktop. The picture is gorgeous as is the 2ms response time, and they quite comfortably handled the 5-hour trip up to Rochester along with the rest of the clan despite my lack of adequate packing material.</p>
<p>Up here I&#8217;ve got Nighthawk containing Bigmomma&#8217;s 1.1TB RAID5 array, Charlie for desktop stuff, and Scribus as my laptop. I&#8217;ve had the chance to learn some really cool stuff, like joining my home and dorm networks transparently using OpenVPN and what life is like <a href="http://www.speedtest.net/result/598198887.png">on frighteningly fast Internet</a>. Let&#8217;s just say the Enano demo should be a tad bit faster. Lord knows what I&#8217;ll do when I have to shell out $100 a month for Internet access 1/5 the speed of this in three and a half years &#8211; or what I&#8217;ll do over the summers. Maybe I should look at getting all my web stuff split off?</p>
<p>Audio has also seen an upgrade here at RIT. I noticed that a lot of people on CSH were using M-Audio&#8217;s AV40 studio monitor speakers, and now I can see why. I found a pair for myself &#8211; refurbished, $120 &#8211; and don&#8217;t know how I ever survived without hearing the 16 kHz+ range. My music is crystal clear in every respect now. I can&#8217;t imagine why M-Audio discontinued these. They&#8217;re brilliant sounding monitors with more than adequate power (though you can make them distort if you turn any one thing up too loud) and they complement Logitech&#8217;s X-540 sub in a very elegant way. I&#8217;m still using the Pioneer amp for the rear channel, now connected to two of my X-540 satellites, as the cheap speakers I got from Goodwill randomly burned out completely. My whole system is quite unportable, but I plan to tote the AV40s along home with me for Thanksgiving along with Scribus and my 320GB USB hard disk with a 1:1 copy of ~/Music.</p>
<p>What&#8217;s also nice is the fact that I live down in &#8220;the L&#8221;, the short hallway section past a 90-degree turn on CSH. The acoustics are perfect for playing loud music at night, and I only have neighbors on one side of me. It&#8217;s about 1AM right now and one can probably hear my music three doors down, but nobody cares because everyone&#8217;s still up.</p>
<p>Speaking of music, I discovered Marilyn Manson tonight. Recommendations from friends got me to listen to The Golden Age of Grotesque and Mechanical Animals, and I have to say they&#8217;re both extremely listenable. I like it: metal/industrial with a touch of electronic is really one of the genres where I feel at home, and that&#8217;s exactly what Manson is.</p>
<p>One has to question the sustainability of this practice of purchasing things. I&#8217;m pleased to announce that thanks to my good friend <a href="http://nicholasbyfleet.com/">Nicholas Byfleet</a>, who has been a companion of mine since roughly 7th grade, I now have a job as a sysadmin and web software engineer with his company, Byfleet LLC. I&#8217;m really looking forward to the job, because I&#8217;ve been told that I offer a unique skill set to the company and my Linux experience has helped him out with the occasional MySQL crash and Apache configuration typo.</p>
<p>So yeah, so far things have been good. I don&#8217;t know when I&#8217;ll get around to finishing up Enano 1.1.7&#8230; there are a few things that really should be changed before the next release (a Windows specific bug with the wikitext parser and proper server side comment pagination come to mind) and I need to get around to coding them. It&#8217;s mostly polished up, there&#8217;s just those few annoying to-do items, you know? Patches welcome as always.</p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2009/10/27/this-and-that/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Howto: BackTrack 3 + USB + Persistence without re-partitioning</title>
		<link>http://fuhry.co.cc/blog/2009/07/28/howto-backtrack-3-usb-persistence-without-re-partitioning/</link>
		<comments>http://fuhry.co.cc/blog/2009/07/28/howto-backtrack-3-usb-persistence-without-re-partitioning/#comments</comments>
		<pubDate>Tue, 28 Jul 2009 23:53:09 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lifecodeidiocy.enanocms.org/?p=151</guid>
		<description><![CDATA[I can never seem to understand why BackTrack 3 was flamed so bad for having bad USB support. I&#8217;d like to think it has great USB support &#8211; especially because it uses aufs instead of casper, meaning you have a ton of options that, if you play your cards right, do not require repartitioning. I [...]]]></description>
			<content:encoded><![CDATA[<p>I can never seem to understand why BackTrack 3 was flamed so bad for having bad USB support. I&#8217;d like to think it has great USB support &#8211; especially because it uses aufs instead of casper, meaning you have a ton of options that, if you play your cards right, do not require repartitioning. I couldn&#8217;t find any guides for this anywhere so I decided to share my newfound knowledge with the world here.</p>
<p><b>NOTE:</b> This guide works on BT3, not BT4. BT4 uses Casper, which means I can&#8217;t use it on my USB hard disk (I already have Ubuntu installed.)</p>
<p>In my case, this involved a couple of extra steps. First you want to make sure BT3 is installed on your USB device and booting properly; don&#8217;t worry about making two partitions, just make one that is FAT32. For the record, I decided to go with FAT32 for my drive because it works with literally any operating system out there, and because all live Linux distributions can boot from it.</p>
<p>Boot BT3 and identify which drive is yours; for me, this was sdb1. Create your changes file:</p>
<pre>cd /mnt/sdb1/BT3
dd if=/dev/zero of=changes.img bs=8M count=128</pre>
<p>Note that I used an 8&#215;128 = 1024MB image file here. That&#8217;s big (I&#8217;m on a 320GB hard disk here) and you might not have that kind of space. Adjust the &#8220;count&#8221; parameter accordingly. Now format the image:</p>
<pre>mkfs.ext3 -F changes.img
tune2fs -c 0 -i 0 changes.img</pre>
<p>Finally you need to mount it and create the &#8220;changes&#8221; directory on it. This is the non-obvious step that causes aufs to fail if it&#8217;s omitted; it took a fair amount of reverse engineering for me to actually figure this out.</p>
<pre>mkdir mnt
mount -t ext3 -o loop changes.img mnt
mkdir -p mnt/changes
umount mnt
# rmdir only removes an empty directory, so a failed umount cannot wipe the image contents
rmdir mnt</pre>
<p>The last step is to edit your GRUB or SYSLINUX configuration file and add &#8220;changes=BT3/changes.img&#8221; to the end of each &#8220;append&#8221; line (for SYSLINUX) or &#8220;kernel&#8221; line (for GRUB). There you should have it &#8211; a fully writeable BackTrack 3 installation on your USB device, without having to reformat. Of course, you&#8217;ll want to reboot to test your changes.</p>
<p>This drive has presented a fun side project for me: cram as many OSes onto one disk as possible. It&#8217;s going quite well so far: I have successfully installed Fedora 11, Ubuntu 9.04 (live only), Knoppix 5.3, Arch 2009.1, and BackTrack 3 all on the same partition (with some Fedora files on an ext3 partition to let me use a huge 8GB overlay). These parallel installations can be tricky because you have to do all of them manually, but they are a cool challenge &#8211; especially when you can plug a drive into any random computer and see a menu letting you choose from 5 OSes. <img src='http://fuhry.co.cc/blog/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2009/07/28/howto-backtrack-3-usb-persistence-without-re-partitioning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Anti-Sec ramblings</title>
		<link>http://fuhry.co.cc/blog/2009/07/19/more-anti-sec-ramblings/</link>
		<comments>http://fuhry.co.cc/blog/2009/07/19/more-anti-sec-ramblings/#comments</comments>
		<pubDate>Sun, 19 Jul 2009 22:14:41 +0000</pubDate>
		<dc:creator>Dan Fuhry</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lifecodeidiocy.enanocms.org/?p=144</guid>
		<description><![CDATA[Thanks to a Reddit-savvy incoming freshman at the high school I just graduated, the post immediately preceding this one has enjoyed a considerable amount of popularity &#8211; both on reddit and elsewhere. Anyone that subscribed to my blog, thanks, I hope you get a good read out of it every once in a while. The [...]]]></description>
			<content:encoded><![CDATA[<p>Thanks to a Reddit-savvy incoming freshman at the high school I just graduated, the post immediately preceding this one has enjoyed a considerable amount of popularity &#8211; both on reddit and elsewhere. Anyone that subscribed to my blog, thanks, I hope you get a good read out of it every once in a while.</p>
<p>The biggest result of &#8220;Re: ImageShack&#8221; was the comments I saw, both on my own post and elsewhere. There were some pretty damn good arguments but the view I like the most came from a comment by SyrioForel on reddit:</p>
<blockquote><p>I think he and some other people missed the point that these are black hat hackers whose sole goal here is to prevent script kiddies from finding out their &#8220;secret&#8221; exploits. There is no other motivation.</p></blockquote>
<p>This accusation of selfishness makes perfect sense: they have some exploit that works pretty well, and they want to keep using it for life, so they hate full disclosure. *NIXEDBLOG 3.0 <a href="http://www.thenixedreport.com/blog/?p=67">points out</a> that this is a pretty blatant violation of the Hacker Ethic, specifically the part about complete and total access to computers.</p>
<p>The more I read about this group, the more I lose respect for them. They&#8217;re really a bunch of script kiddies that know how to advertise strategically. That&#8217;s it. I had, admittedly, a bit of respect when they hacked ImageShack, but now I&#8217;ve pretty much lost that in light of seeing what their true motives probably are. The same goes for pretty much any hacker group: they&#8217;re still just a bunch of script kiddies who fap at the thought of pwning someone&#8217;s box.</p>
<p>Here I digress.</p>
<p>I&#8217;m in Rehoboth Beach, Delaware right now, on a vacation with my immediate family plus two of my dad&#8217;s brothers and their families. Been here since Saturday. I don&#8217;t feel like horking down more saltwater taffy so I&#8217;m blogging. <img src='http://fuhry.co.cc/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Getting Wi-Fi was fun. I installed DD-WRT x86 on Xombie, which was decommissioned as outlined in my <a href="/2009/07/07/i-am-not-your-executioner/">welcome post for Charles Manson</a>, in order to allow me to take my Linksys WRT54GL on the trip with me. I&#8217;m glad I did, because the Wi-Fi signals around this rental house are pretty weak. Most houses around here are rental houses, so they don&#8217;t have Internet access, much less Wi-Fi routers. Luckily I found a couple networks including one that seems to be a legitimately public free hotspot.</p>
<p>The magic of DD-WRT is in the abilities it gives to a single wireless chip. Apparently the firmware for the Broadcom chip in the WRT54GL is fully open source, so DD-WRT has allowed me to configure the router as a client for the hotspot network and as a master for two others &#8211; one secured for me, and one (with an SSID of &#8220;No Strings Attached&#8221;) unsecured for other folks on the street as well as others in my rental house. It works wonderfully because the dual antennas on there easily pick up a signal my laptop and iPod couldn&#8217;t dream of using and turn it into a rather reliable solution for casual Internet access.</p>
<p>The house is really cool too. I&#8217;m not staying with my immediate family &#8211; they had to separate me from the other four because each of our two rental houses only permitted 8 occupants. So I&#8217;m staying with my uncle Doug, his family, his mom, and his wife&#8217;s mom and sister, while the rest of my family bunks in another (much farther inland) house with my uncle Jeff and his family. It works out great because I get to share a room with only one other person (my 16-year-old cousin Tim) and the house itself is positively beautiful. It&#8217;s old, meaning hardwood floors, solid wooden doors, and an attic not unlike that of the house where I grew up. It is apparently owned by someone, and not just by a real estate agency, which is good because it has kept its old-time charm. It&#8217;s even located in a crazy valuable spot: about 300 feet from the boardwalk.</p>
<p>Much to my delight and surprise, I also walked in to find a vintage piano in here, painted in a bright robin&#8217;s egg blue to match the rest of the living room, that is surprisingly not only in tune but also possessing a very intricate sound. Being a <a href="http://bit.ly/whspiano" rel="nofollow">somewhat adventurous</a> pianist, I&#8217;ve gotten a bit of enjoyment out of it. It is missing a couple of keys but I fixed their middle F# and am exploring possibilities for giving some love to D2 for which the hammer is broken off. It looks to be a fun week, as long as the weather holds up. <img src='http://fuhry.co.cc/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://fuhry.co.cc/blog/2009/07/19/more-anti-sec-ramblings/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
