February 12, 2008 | Comments: (0)
Once upon a time there was an arp entry
So a short story for you…
…once upon a time I was hosting a research server behind my firewall and had done one-to-one NAT to hide and protect it. However, the researchers decided they wanted their own firewall and moved down the hall, but were still using the same "public address" for their server. Things were kinda OK; weird slowdowns and such came and went, but we couldn't put our fingers on it. Well, today I swapped in my super duper faster firewall, which went from a 100 Mb/s uplink to a gigabit uplink and from a VIA processor to an Intel Xeon with multiple Cavium encryption processors, about a 100-fold increase in possible throughput. Well, now the researchers' itty bitty NetGear FVS-318 (max 1 Mb/s WAN) was never able to provide an ARP response fast enough to the upstream switch, and all requests to that server kept going to my firewall, which kept saying that the server wasn't there. Sigh. When I finally killed the address objects for the server, everything sped up, and I'm sitting here with egg on my face.
The moral of the story is that you should never put off doing cleanups, not even if folks are screaming at you. This little cleanup chore actually has cost me quite a bit of time tracking down a red-herring slowdown that was just a cleanup job left undone.
sigh...
/brian chee
Posted by Brian Chee on February 12, 2008 04:01 PM
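The failure mode in the story, two boxes answering ARP for one address with the faster one winning, is easy to spot in a capture once you know to look for it. What follows is an added example, not code from the original post: it parses a few constructed lines in the format of `tcpdump -n -e -i <iface> arp` (the addresses and MACs are made up), reports every IP that more than one MAC claims in order of who answered first, and, given which MAC is supposed to own the address, names the stale claimant.

```python
"""Detect two devices answering ARP for the same IP.

Added example, not part of the original post. The capture below is
constructed in tcpdump's `-n -e` ARP output format; every address and
MAC in it is made up. On a real network, feed in the output of
`tcpdump -n -e -i <iface> arp` taken while the server is pinged from
upstream.
"""
import re
from collections import defaultdict

# tcpdump -n -e prints reply lines like:
#   <ts> <src mac> > <dst mac>, ethertype ARP (0x0806), length 42: Reply <ip> is-at <mac>, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed capture: .10 is answered by two boxes (the scenario in the post), .20 by one.
SAMPLE_CAPTURE = """\
12:00:01.000100 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.10 tell 203.0.113.1, length 28
12:00:01.000350 00:11:22:33:44:aa > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at 00:11:22:33:44:aa, length 28
12:00:01.004200 00:11:22:33:44:bb > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at 00:11:22:33:44:bb, length 28
12:00:02.000100 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.20 tell 203.0.113.1, length 28
12:00:02.000400 00:11:22:33:44:cc > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.20 is-at 00:11:22:33:44:cc, length 28
"""


def parse_replies(capture):
    """Return (timestamp, ip, mac) for every ARP Reply line; requests and noise are ignored."""
    replies = []
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def find_conflicts(replies):
    """Map each IP answered by more than one MAC to its claimants, earliest reply first.

    Timestamps are fixed-width HH:MM:SS.ffffff, so lexical order is time order
    within a single day's capture.
    """
    first_seen = defaultdict(dict)  # ip -> {mac: timestamp of its first reply}
    for ts, ip, mac in sorted(replies):
        first_seen[ip].setdefault(mac, ts)
    return {
        ip: sorted(macs.items(), key=lambda kv: kv[1])
        for ip, macs in first_seen.items()
        if len(macs) > 1
    }


def stale_claimants(conflicts, inventory):
    """Given the MAC that should own each IP, return the MACs that have no business answering."""
    return {
        ip: [mac for mac, _ in claimants if mac != inventory.get(ip)]
        for ip, claimants in conflicts.items()
    }


if __name__ == "__main__":
    conflicts = find_conflicts(parse_replies(SAMPLE_CAPTURE))
    for ip, claimants in conflicts.items():
        winner, ts = claimants[0]
        print(f"{ip}: {len(claimants)} devices answered; first reply from {winner} at {ts}")
    # Constructed inventory: the box that is supposed to own .10 is the slower one (bb).
    print(stale_claimants(conflicts, {"203.0.113.10": "00:11:22:33:44:bb"}))
```

The order of the claimants tells you which box the upstream device heard first; when the wrong one is consistently first, that is the stale NAT or address object to go and delete.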
February 01, 2008 | Comments: (0)
I object to RFID payment schemes without positive acknowledgment!
Technologists object to U.S. RFID passports - Jul. 13, 2006
<Start soap box>
I just got my replacement American Express Blue for Business credit card and, to my dismay, I found that Amex has given up on smart card tech and has instead led us down the primrose path with their "ExpressPay" RFID-based technology. With MasterCard touting their "Tap and GO" payment system (also RFID) and now Amex, did these folks read about the problems that the US Gov is having with RFIDs in passports? (Technologists object to U.S. RFID passports - Jul. 13, 2006)
Here's my bitch... there is a VERY good reason why high-security facilities demand positive acknowledgment of a card swipe for entry. It's just too easy for someone to lose a card or have it stolen. Now with RFID, someone with just a bit of kit can walk through a crowd (occasionally brushing up against folks) and harvest RFID information. Heck, even if the information is encrypted, it can still be gathered for bulk decryption later. (See how well the DVD encryption worked!) So for proximity entry cards, you not only swipe/wave your card, you must also punch in a challenge code (PIN). This way a stolen card can't be used to get access to our nation's secrets. Heck, many new keypads even use OLEDs under the keys to change the positions of the numbers so that someone can't just dust the keypad.
So I've written a real letter to the American Express folks asking them to get their heads examined; but in the meantime I've taken a hammer to my new card (sniff) to destroy the RFID chip. Just as a bit of history, in the very early days of eCommerce, American Express lured me into becoming a Blue member by being one of the first to put verbiage into their user agreement saying that they would protect me from Internet fraud if I signed up. Hint, hint, hint... Hey Amex! Do the same thing for the RFID and maybe I'll just quietly request a new card and stop destroying your investment. Better yet, make the person scan a finger or type in a PIN code.
Oh yeah, I'm far from the first to raise my hackles on this subject... check out this for a rant on using RFID to track what products you might be looking at in a store... very Big Brother if you ask me...
Lastly, to my congressional representatives... please make sure that if you choose RFID for a national ID, it requires my explicit acknowledgment of the intrusion. Or better yet, if you want a way to ensure that the ID isn't fake, why don't you talk to Gavin Jancke at Microsoft Research? His 2D color barcode can't be read unless you take it out of your wallet, and it can contain enough information that you can embed an RSA signature in it. Don't you think this might be a more acceptable plan to folks who would like to maintain a bit of privacy?
<end soap boxing>
Posted by Brian Chee on February 1, 2008 01:05 PM
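The objection above rests on a general point that is worth seeing concretely: a credential a card hands to any reader without the holder doing anything can be harvested passively and presented again later (it does not even need to be decrypted to be replayed), whereas a response bound to a reader-chosen nonce and gated behind a PIN is useless to whoever captured it, and a stolen card stays inert. The toy model below is an added example, not code from the original post and not a model of ExpressPay, "Tap and GO", or any real EMV flow; the issuer key, PIN, card number and amounts are all constructed.

```python
"""Static contactless credential vs. nonce-bound, PIN-gated response.

Added example, not from the original post and not a model of any real
payment scheme. Two toy cards share one issuer: StaticCard hands the same
blob to any reader that asks; ChallengeCard answers only a reader-supplied
nonce and only after the holder enters the PIN. Key, PIN, PAN and amounts
are made up.
"""
import hashlib
import hmac
import secrets

CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed issuer key
CARD_ID = b"4000-0000-0000-0002"                              # constructed PAN
PIN = "1234"                                                  # constructed PIN


def _mac(key, *parts):
    """HMAC-SHA256 over the '|'-joined parts; stands in for whatever the real scheme uses."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class StaticCard:
    """Replies with one fixed credential to anyone who asks; no holder action needed."""

    def __init__(self, key, card_id):
        self.cred = card_id + b":" + _mac(key, card_id)  # same bytes for the card's whole life

    def read(self):
        return self.cred


class ChallengeCard:
    """Replies only to a fresh reader nonce, and only after the holder has entered the PIN."""

    def __init__(self, key, card_id, pin):
        self.key, self.card_id, self.pin = key, card_id, pin

    def respond(self, nonce, amount, pin_entered):
        if not hmac.compare_digest(pin_entered.encode(), self.pin.encode()):
            return None  # no PIN, no response: a lost or stolen card does nothing
        return self.card_id, _mac(self.key, self.card_id, nonce, str(amount).encode())


class Issuer:
    def __init__(self, key):
        self.key = key

    def accept_static(self, cred):
        card_id, _, mac = cred.partition(b":")
        return hmac.compare_digest(mac, _mac(self.key, card_id))

    def accept_challenge(self, nonce, amount, response):
        if response is None:
            return False
        card_id, mac = response
        return hmac.compare_digest(mac, _mac(self.key, card_id, nonce, str(amount).encode()))


def static_replay_attack(issuer, card):
    """Harvest the card in a crowd, then present the captured bytes at another reader later."""
    harvested = card.read()  # attacker's reader; the victim never notices
    return issuer.accept_static(harvested)


def challenge_replay_attack(issuer, card):
    """Sniff one genuine exchange, then replay it at a reader that picks its own nonce."""
    nonce1 = secrets.token_bytes(16)
    captured = card.respond(nonce1, 20, PIN)  # the holder's real purchase
    nonce2 = secrets.token_bytes(16)          # next reader's nonce differs
    return issuer.accept_challenge(nonce2, 20, captured)


def legitimate_purchase(issuer, card, pin_entered, amount=20):
    nonce = secrets.token_bytes(16)
    return issuer.accept_challenge(nonce, amount, card.respond(nonce, amount, pin_entered))


if __name__ == "__main__":
    issuer = Issuer(CARD_KEY)
    print("static credential, replayed:", static_replay_attack(issuer, StaticCard(CARD_KEY, CARD_ID)))
    card = ChallengeCard(CARD_KEY, CARD_ID, PIN)
    print("nonce-bound response, replayed:", challenge_replay_attack(issuer, card))
    print("holder with right PIN:", legitimate_purchase(issuer, card, PIN))
    print("thief with stolen card, wrong PIN:", legitimate_purchase(issuer, card, "0000"))
```

The nonce is what defeats the crowd-harvesting scenario (a captured response is only valid for the nonce it answered), and the PIN check inside the card is what defeats the lost-or-stolen-card scenario; a scheme needs both, which is the "positive acknowledgment" the post is asking for.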