20 December 2007

And now for something completely different...

A little humour at this festive time...



Phone Menu at the Mental Health Institute

Hello, and thank you for calling the Mental Health Institute

If you are obsessive-compulsive, press 1 repeatedly

If you have multiple personalities, press 2, 3 and 4.

If you suffer from post-traumatic stress disorder, press 5 but do it v-e-r-y- s-l-o-w-l-y and carefully.

If you are dyslexic, press 6. Now press 9. Now press 6. Now press 9. Now press 6.

If you are delusional, press 7 and your call will be transferred to the mothership.

If you have short term memory loss, press 8. If you have short term memory loss, press 8. If you have short term memory loss, press 8.

If you have schizophrenia, listen very carefully and a small voice will tell you the number to press.

If you have a nervous disorder, fidget with the hash key until a representative comes on the line.

If you are co-dependent, ask someone to press a number for you.

If you are depressed, don't bother to press any numbers. No one will be able to help you anyway.

If you are paranoid, you don't need to press anything. We know who you are, we know what you want, and we know how to reach you.

If you suffer from low self-esteem, please hang up because all our operators are too busy to talk to you.



Christmas Carols for the Insane


1. Schizophrenia - Do You Hear What I Hear?
2. Multiple Personality Disorder - We Three Kings Disorientated Are
3. Dementia - I Think I'll Be Home For Christmas
4. Narcissistic - Hark The Herald Angels Sing About Me
5. Manic - Deck the Halls and House and Lawn and Streets and Stores and Office and Town and Cars and Buses and Trucks and Trees and...
6. Paranoid - Santa Claus is Coming to Town to Get Me
7. Borderline Personality Disorder - Thoughts of Roasting on an Open Fire
8. Personality Disorder - You Better Watch Out, I'm Gonna Cry, I'm Gonna Pout, Maybe I'll Tell You Why
9. Attention Deficit Disorder - Silent Night, Holy, ooh look at the froggy - Can I have a chocolate? Why is France so far away?
10. Obsessive Compulsive Disorder - Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells.

End of the year

While the calendar year still has more than a week to run, for many of us the Winter Solstice is a time of reflection, and marks the end of the year on a much older calendar. Halfway between Samhain and Imbolc, the shortest day (and longest night) of the year is traditionally a time for renewal of hope -- in the certainty that the light will return, that the days will lengthen, and that the power of the cold is slowly weakening (although often, some of the worst weather follows the solstice.)

This has been a year of many transitions and inflexion points, both for myself and some around me. I've learned a few lessons, and have had to grapple with some challenging topics, some of which are previous topics in my blog. Business has had its ups and downs (especially with the extreme delays in decision-making by some customers), but I haven't ever regretted leaving my last job, more than seven years ago, and running my own company (for the third time.)

Another characteristic of the solstice is that everything around us in Nature is showing signs of death or decay. Trees have lost their leaves, grasses and plants have died away, many birds and small animals have disappeared. But all is not what it seems, because we know that the green shoots of spring are not far away. Gradually, the ground squirrels and hedgehogs will come out of their hibernation, and the birds will return, along with the insects, frogs and lizards. I guess there is a lesson there, although it doesn't make it any easier to climb stairs, or get out of a nice warm bed on a chilly morning. Perhaps it's because we all have slightly different rhythms, and suspect the renewal of spring isn't always an option.

Still, I feel that our beliefs and internal dialog are important characteristics of making our journey through life a positive one -- the old Hermetic axiom, "As a man thinks, so he becomes."

Wild Geese -- A Poem by Mary Oliver

You do not have to be good.
You do not have to walk on your knees
For a hundred miles through the desert, repenting.
You only have to let the soft animal of your body
love what it loves.
Tell me about despair, yours, and I will tell you mine.
Meanwhile the world goes on.
Meanwhile the sun and the clear pebbles of the rain
are moving across the landscapes,
over the prairies and the deep trees,
the mountains and the rivers.
Meanwhile the wild geese, high in the clean blue air,
are heading home again.
Whoever you are, no matter how lonely,
the world offers itself to your imagination,
calls to you like the wild geese, harsh and exciting --
over and over announcing your place
in the family of things.

I don't often quote poems on my Blog, but this one is pretty good, and reflects my mood today quite well. Happy Eid to all Muslims, as they celebrate the end of Ramadan.

16 December 2007

Significant Increase in SPAM leading up to holiday period




Update August 2008: even more spam...

It's August 2008, and the level of spam I get in my Gmail account is reaching record levels. The picture speaks for itself -- basically, that represents 3.6 spam messages per minute, every minute for 24 hours, for the past month.



-----------------------
I've noticed a huge upsurge in the amount of SPAM reaching my mailbox, especially in the first two weeks of December. Unfortunately, this seems to have coincided with a Joe Job against two of my mail domains, lanifex.com and gillingwater.org. I don't see these attacks as personal, since it's unlikely any Spammers would even bother to target me, but it's irritating having to deal with all the spam.

Fortunately, most of the heavy lifting is taken care of by Gmail, whose dedication and skill at intercepting spam borders on the miraculous. My current spam count for the past 30 days (according to the Gmail Spam folder) is 29,712 messages -- which I think must be some sort of record. That's an average of 41 messages arriving per hour.

Not all of the messages are directed at me -- due to the Joe Job, many of them are simply bounces from other people's mail systems, either with a spam trap challenging for a human response, or due to the mailbox being full. Oddly, many of the messages claim to be from "jerusha.davie@lanifex.com", a name which doesn't seem to be in Google. Unfortunately, I get all the bounces because my domain will collect any unknown user mail, and forward it to me -- I guess I like to know what's going on. I just wish that a lot more mail server administrators would refrain from sending Bounce Messages for mail that has already been rejected as spam, since 100% of the From: or Reply-To: headers are certainly forged.

The risk here is that some legitimate email will be intercepted, although Gmail has a very good record when it comes to false positives, so I'm happy to accept the residual risk after mitigation -- but I will occasionally trawl through the spam folder, in case something slipped by that I wanted to see. A related risk is that Gmail will start sending all bounce messages to the spam folder -- making me miss a genuine one.

If only Gmail had some form of Cacti graph, so we could see the spam versus genuine mail on a time-series display, with history. I guess I could write something, but don't really have the free time. Still, I feel that nearly 1,000 messages per day arriving as SPAM means my spam to mail ratio is around 99% -- surely some kind of record?

14 December 2007

Food origin labeling

I noted with disappointment the recent decision by the New Zealand Government Food Safety Authority not to require compulsory country-of-origin labeling. Yet again, this is something that the Australians do better, as they have in so many areas. Perhaps we should consider moving to Australia as so many other New Zealanders are doing, especially considering the apparent economic advantages enjoyed across the Tasman, which is why nearly 10% of New Zealanders seem to prefer living there. Even better, let's just invoke a little-known provision of the Constitution document which established Australia's states, and add New Zealand onto the list. (After all, prior to the Treaty of Waitangi, NZ was governed as part of New South Wales from 1840-1841.) I guess one advantage of political or national union is that we could put an end to the ignominious defeats of our national Cricket and Rugby teams, by competing at the State level rather than as our own country.


I'm also very much a supporter of Genetically Modified Organisms (GMO) in food -- but ONLY when the food and products prepared using GMO ingredients are clearly and correctly labelled, so that consumers have a choice. Included on the label should be some sort of unique identifier for transgenic items, which can then be identified in a publicly-available database.

Personally, I'm not afraid of responsible genetic modification of food products -- as long as there is disclosure, and the possibility of informed debate on the topic. Let the market decide -- but also the various governments should heavily fine and prosecute companies who try to hide the truth. The danger comes when governments intervene for what appear to be solely economic reasons.

Ordinary consumers, such as myself, are hardly equipped to make correct Risk Assessments in relation to the potential dangers of GMO foods -- we rely on our government Food Safety bodies to do this job on our behalf. The risk here is just how much the Food Safety authorities will be swayed by economic arguments from the major agri-businesses -- who are more concerned with returning profit to their shareholders than the safety of their foods, let alone the unintended ecological impact, on which the jury is still out.

13 December 2007

The Convergence of Physical and IT Security


I've been thinking extensively about the on-going convergence of Physical and IT Security, especially within a corporate context. Many companies with whom I deal have a Security Manager of some type, who usually reports to the Chief Information Officer -- or just an IT Manager, who in turn reports to the Chief Financial Officer. Unfortunately, the corporate environment in Central Europe is still rather under-developed, as there are few organizations which recognize the role of Chief Security Officer (CSO) -- so that very few people with responsibility for compliance, corporate governance and security performance monitoring are at a C-level reporting grade.

Conversely, the importance of physical security is quite well understood, although often not well-implemented. In Austria, physical security is usually just a function of the Building/Object Management group, and is staffed by people who understand about locks, keys and door systems -- but not necessarily about principles of least privilege, and four-eyes oversight.

In my opinion, the international trend is towards a rapid convergence of both types of security, especially in terms of applying similar standards, methodologies and 24x7 operational monitoring. A recent customer of my company has done good work in implementing centralized monitoring of dozens of distributed locations, collecting a diverse range of output from devices such as alarm controllers, fire suppression and monitoring equipment, door access controllers, UPS (Power Supply) controllers, and even Camera Digital Video Recorders.

By centralizing all of this information in one command and control centre, the company is better able to respond to problems, and encourages early detection of potential crisis situations. As a secondary goal, convergence can allow for cost reduction, by having a single 24x7 threat response monitoring centre, who can be charged with both IT Security and Physical Security monitoring. After all, the computer doesn't care whether the intruder is detected in a LAN, or in the warehouse at 3 a.m. -- the incident response action and escalation paths will be much the same (although different personnel may be involved.)

But collecting information centrally isn't enough. You also need correlation, which means a clear understanding of the process workflow behind the security events -- and this starts with a detailed Risk Assessment, to identify the threats and their signatures. For example, security cameras act as a deterrent, and can be useful in post-incident forensics, to help identify perpetrators. But properly used, they can also detect intrusions, to trigger incident response much earlier. Naturally, cameras can be defeated -- for example, it's possible to adapt a DVD-recorder laser diode into a battery-operated laser pointer which can permanently blind most off-the-shelf security cameras (and incidentally, this can be used as a non-lethal weapon against unprotected security personnel, as it can cause instant blindness too.)
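To make the correlation point concrete, here is an added example (not from the post, and not the customer's system described above): door-controller events and LAN logon events are normalized into one schema, then two rules run over them, one flagging an interactive logon in a zone where the user never badged in, the other escalating an after-hours door alarm into the same incident queue. All log lines, formats, users and zone names are constructed.

```python
"""Correlate physical-access and IT events in one normalized stream.

Added example, not from the original post.  The post argues that a single
command centre collecting door-controller, alarm and network events is only
useful once the events are correlated.  Two constructed log formats are
normalized below and two rules are applied:
  1. an interactive logon at a workstation in a building zone with no
     GRANTED badge-in by that user, in that zone, during the preceding window;
  2. any non-GRANTED door event outside business hours, which goes to the
     same incident queue as a LAN intrusion would.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample output from a hypothetical door controller.
DOOR_LOG = """\
2007-12-12 07:55:10 DOOR zone=HQ-3F reader=03 user=mkeller result=GRANTED
2007-12-12 08:02:41 DOOR zone=WAREHOUSE reader=11 user=tschmidt result=GRANTED
2007-12-13 03:04:17 DOOR zone=WAREHOUSE reader=12 user=- result=FORCED
"""

# Constructed sample output from a hypothetical LAN logon collector.
LOGON_LOG = """\
2007-12-12 08:10:02 LOGON user=mkeller host=HQ3F-WS17 zone=HQ-3F type=interactive
2007-12-12 08:14:55 LOGON user=jdoe host=HQ3F-WS22 zone=HQ-3F type=interactive
2007-12-13 03:05:30 LOGON user=tschmidt host=WH-DESK01 zone=WAREHOUSE type=interactive
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "DOOR" or "LOGON"
    user: str
    zone: str
    detail: str   # the result= (door) or type= (logon) field


def parse(line: str) -> Event:
    """Turn one 'date time SOURCE k=v k=v ...' line into a normalized Event."""
    date, clock, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        ts=datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        source=source,
        user=kv.get("user", "-"),
        zone=kv["zone"],
        detail=kv.get("result") or kv.get("type") or "",
    )


def load(*logs: str) -> list[Event]:
    """Parse every non-empty line of every log and order them by time."""
    events = [parse(line) for log in logs for line in log.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.ts)


def logons_without_badge(events: list[Event], window: timedelta = timedelta(hours=12)) -> list[str]:
    """Rule 1: interactive logon with no matching badge-in inside `window`."""
    alerts = []
    for e in events:
        if e.source != "LOGON" or e.detail != "interactive":
            continue
        badged = any(
            d.source == "DOOR" and d.detail == "GRANTED"
            and d.user == e.user and d.zone == e.zone
            and e.ts - window <= d.ts <= e.ts
            for d in events
        )
        if not badged:
            alerts.append(f"{e.ts:%Y-%m-%d %H:%M} {e.user}@{e.zone}: logon without badge-in")
    return alerts


def after_hours_door_alarms(events: list[Event], open_hour: int = 6, close_hour: int = 20) -> list[str]:
    """Rule 2: door events that are not GRANTED, outside business hours."""
    return [
        f"{e.ts:%Y-%m-%d %H:%M} {e.zone} door alarm: {e.detail}"
        for e in events
        if e.source == "DOOR" and e.detail != "GRANTED"
        and not (open_hour <= e.ts.hour < close_hour)
    ]


def run() -> list[str]:
    """Both rules feed one incident queue, as the post argues they should."""
    events = load(DOOR_LOG, LOGON_LOG)
    return logons_without_badge(events) + after_hours_door_alarms(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The badge-in for tschmidt is 19 hours before the 3 a.m. logon, so it falls outside the 12-hour window and is flagged alongside the forced door; mkeller's logon, preceded by a badge-in 15 minutes earlier, is not.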

Therefore, the vigilant security manager has to prepare for such scenarios, through regular posture assessment and tiger-team testing, as well as drills and security-related staff training. Appropriate counter-measures need to be selected, and then constantly reviewed and improved. Ultimately, security is a demanding and continuously-changing battleground of strike and counter-strike, where we must always assume that the attacker is smarter, better-funded and more highly motivated than ourselves. We can only wait, prepare, be vigilant, and constantly assess our readiness -- and challenge our imaginations to anticipate the next moves.

Television : A Modern Sophist's Mirror

"For it is a false assertion that the sense of man is the measure of all things. . . The human understanding is like a false mirror, which, receiving rays irregularly, distorts and discolours the nature of things by mingling its own nature with it" [Bacon 1620, xvi].

Modern television is considered by many to be solely a form of entertainment -- a mechanism for television channels to deliver their true product to customers, i.e., consumer attention for advertisers. I feel however that it has a different meaning, where we can use the TV shows that someone professes to enjoy as a kind of Socratic mirror, in which is reflected the true intentions, ideals, likes and fears of the viewer.

So, what are we to make of the current plethora of television shows which grace our TV screens (or Bit Torrent trackers?) Can we learn something about our Western culture (I am confining myself to the current "Rex Artis" or cultural hegemony of the USA and its satellites in Australia, UK, New Zealand and even Canada) by identifying the themes which rise to the surface?

Perhaps TV writers are like the Delphic pythonesses, drugged on the steady stream of residuals emanating from the crevices of Producers' nethers, while mining insights and visions which are served symbolically in the context of a 45 minute sit-com or a 22 week story arc. Jung's collective unconscious suggests that we share a deep connection with all other humans at some level, which may be addressed through the historically unprecedented sharing of compelling stories by millions of people simultaneously (or time-shifted, as the "Must-See TV" hour precesses across the time zones.)

A dark place


One of the most psychologically revealing shows of recent years has to be Showtime's Dexter. My wife cannot bring herself to watch it, but I find it oddly compelling -- the story of a deeply damaged serial killer, struggling to be a productive and happy member of society, while cleaving to a unique moral code which allows him to act on his darker impulses, killing only those who "deserve it." As Florida is one part of the US where executions are commonplace, it makes sense for Dexter to pursue his career there. The show has excellent production, great acting with believable characters and compelling stories, with characters you care about. The recent and ongoing writers' strike fortunately didn't interfere with completion of the current series, with a finale which hit one out of the ballpark. I wonder however if people enjoying Dexter are measuring themselves against his clearly-defined ethical standards, or whether they continue to lead an unexamined life.

Heroes and Villains


Season One of Heroes was fantastic. Season Two was somewhat hit and miss, with Tim Kring admitting that there were pacing issues, and regretting an emphasis on the romantic angle, which fell somewhat flat. (I still loved the Hiro storyline though, as he is my favourite character.) The premature end of Season Two, yet another casualty of the Writers' Strike, didn't do much to rescue the show, but it's still not going to stop me from watching Season Three, whenever it arrives. The show itself, when we look beyond the great special effects and cool ideas, seems to be telling the same stories about relationships, families, secrets and lies which make for great viewing anytime. Ultimately all characters seem to be linked in various ways, and the struggle especially of the HRG to keep his family together, is simultaneously bathetic and profound.

Who's on First


As one raised in the shadow of Dr. Who stalking my nightmares, I have a fondness for the Timelord from Gallifrey. Even if we exclude the delectable Billie Piper, and some of the more dodgy scripts from the past few seasons, there have been some amazing stories -- especially "Blink", "Girl in the Fireplace" and "Empty Child." So, what does this tell us? I think it informs us with a sense of the connectedness of history -- that those people who make up our past are somehow still there, beyond the liminal "now", trapped in the amber of the past but potentially visitable by anyone with a TARDIS, or perhaps via a Shamanic journey. While it's always fun to see the aliens and other planets, the best stories seem to involve people, and mysteries as yet unsolved.

Guilty Pleasures


Californication. David D. just does it for me. Excellent, funny writing, with yet another po-mo take on the importance of family and relationships. I'm not sure I would go so far as Hank Moody did for Charlie, his wing-man and friend, but it makes compelling TV. Writers writing about writers with issues seems to too-strictly follow the dictum "write what you know", however it's also fun following all the cultural references, especially for fans of the late lamented Warren Zevon.

Another recent discovery which has rapidly appeared on my "Must Watch List" is "Curb Your Enthusiasm", by Larry David. I can't believe I missed such a great show until its sixth season, and will definitely add the DVD Box Set to my Christmas wish-list. Its tales of a hapless middle-aged neurotic Jewish guy, with a talent for misunderstanding and a Black Belt in Passive Aggression, make Curb very funny indeed, if sometimes a little edgy.

My curmudgeonly qualities are encouraged by the delight that is the sarcasm of Dr Gregory House, M.D. The perfect antidote to generations of past TV doctors, we have a vicodin-addicted cynic whose use of the Socratic method would impress any would-be sophist.

Journeys Into Redemption


Many stories deal with journeys -- through space, seeking a new home (such as the reincarnated Battlestar Galactica), or through time, such as Journeyman (perhaps an updated Quantum Leap with better grooming?) The recent made-for-TV movie Razor showed us just how good BSG became up until the Pegasus story arc, but recent episodes have left me somewhat disappointed (except for the ones with Lucy Lawless.) Come back Dr Baltar, all is forgiven! Sometimes the mirror to society symbolism is a little heavy-handed, but certain viewpoints might require a higher degree of philosophical water-boarding before its intended audience gains a further measure of self-insight.

Journeyman gives us a more mysterious Dr Beckett, traveling without conscious volition into his past and that of others, having to live by his wits and work out, along with the viewers, just what the heck is going on -- while also trying to prevent his family life from fracturing. I have hopes this show won't jump the shark, due to the quality of the writing, but am not certain that the network can refrain from interference.

Honourable Mentions


There are a number of TV series which have moved, inspired or simply entertained me in the past couple of years. Onto this list, I would like to add the following:

  • Flight of the Conchords -- Kiwi cultural cringe at its New York best.

  • Stargate Atlantis -- consistent Canadian SF fare, with occasionally interesting themes.

  • Blood Ties -- nice retelling of Tanya Huff's vampire/detective crossover

  • Bones -- excellent production values with some great stories, and on-screen chemistry in abundance

  • Pushing Daisies -- takes risks, but they sometimes pay off. Eccentric, quirky, oftimes amusing.

  • Aliens in America -- not what you might think. More "Family Values meets a Muslim" than X-Files.

  • American Dad -- cartoon, but more Adult Swim than Roger Ramjet. Edgy animation (but not as bad as Drawn Together.)

  • Daily Show with Jon Stewart -- together with the Colbert Report, two of the first casualties of the Writers' Strike. Sadly missed.

  • My Name is Earl -- endearing retelling of the nature of Karma for Rednecks. Appealing, sometimes appalling.

  • Dresden Files -- wonderful books, nicely translated to the screen, cancelled in the first season.

  • The IT Crowd -- inspired British nerd silliness. Have you tried switching it off and on again?

  • Painkiller Jane -- started with a nice premise, but soon jumped the shark.

  • Numb3rs -- one of the few shows I have included in a university class I taught.

  • Burn Notice -- smart, funny, educational story about an ex-spy trying to get on with life.

  • The Sarah-Jane Adventures, Torchwood -- two spin-offs from Dr Who.

  • Primeval -- short-lived British time-travel mystery, with dinosaurs and intrigue.

09 December 2007

BBC's Planet Earth


I just have to write about the BBC series "Planet Earth", which was released last year on DVD. This is a fantastic series, which was two years in the making. Narrated by respected naturalist David Attenborough, and produced by the BBC together with Discovery Channel and a Japanese broadcaster, this series is one of the best nature documentaries I have ever seen. Filmed almost entirely in High Definition (HD), this series takes various themes in each program, including fresh water, oceans, caves, grasslands, etc.

The quality of the visuals, with breathtaking aerial shots, plus amazing action sequences, simply outclasses any other documentary I've ever seen. The DVD extras include several "behind the scenes" interviews, which show the impressive dedication and sheer hard work the crew of filmmakers had to go through. With the addition of sound effects, beautiful orchestration, and Attenborough's hypnotically calming delivery, the whole series is chock full of interesting facts and discoveries. Who knew there was a massive mountain of bat guano deep inside a cave, with some of the largest colonies of cockroaches ever found? Or the stark beauty of snow leopards stalking Markhor in the Himalayas?

The series is probably best seen on a high-definition system (Blu-ray or HDTV), but even on standard definition DVD, it's an impressive piece of work, which highlights the tremendous variety of life on our beautiful planet. This is must-see TV, and should be compulsory viewing for all children everywhere.

07 December 2007

The China Syndrome: Update on (alleged) Google Adwords Click Fraud

As you may have read in my previous blog entry on this topic, I am convinced that Google's Content Network is not really the best place for advertisers to submit their ads, at least until they understand some of the issues.

Specifically, I recommend avoiding certain countries for placement of ads -- which of course doesn't mean that you won't get clicks from those countries (because you will if the click fraud is organized), it means instead that your ads won't be served to end users originating from those countries. The actual location of the Web servers hosting the ads is irrelevant. The web is such an international place, that the location of the server is often different from the location of the beneficial owner.

Today, I received an email and call back from Google UK, who kindly undertook to look into my complaints. I have to say that it is a pleasure to do business with the people at Google, as they know their stuff. Professional and courteous to a fault. This was in response to my informal request to the Google Country manager, Dr Karl Pall, who forwarded my concerns to the Google UK Public Affairs Manager, who in turn passed me on to a very knowledgeable Adwords specialist, Patrick Singer. I am still waiting for a response to my support request to the Google Adwords Quality Control team, which I expect will come next week.

The upshot of the call was that Google has done a lot of work to improve its transparency of reporting for advertisers. Specifically, the newly introduced Placement Report is able to show which web sites were used to host the ads that I paid for. Together with the Campaign Report (which showed an average Invalid Click Rate of 10.66%, with up to 25% on one campaign), I was able to identify the source sites for most of the traffic which I consider fraudulent. Unfortunately, there doesn't seem to be an easy way to identify which country or region generated traffic on specific referring sites, at least without some manual correlation.

Unfortunately, Google didn't agree with my assessment that most if not all of the China-originating clicks were fraudulent, although I agreed to wait until the full results of the Quality Control team are available next week. I do note that some of the suspicious Web sites had a 50% CTR -- with one site having 100% CTR, which I find remarkable! (It's almost as if the site was generated by a Web server designed for someone to click on the ads.... hmmmm.....)

So, the bottom line -- I continue to be impressed by the resources that Google are throwing at this. The Adwords Reports have tremendous depths, and would repay serious study -- but it's almost a full time job to master this business, and tuning the ads for the best effect would be a valuable service. (There are probably consultants who do this.) Unfortunately, I am still not convinced that any of the Content Network Clicks are valid, at least for certain countries and regions.

My hope is that the Google Quality Control team can "follow the money" -- to see if there is any pattern as to the financial beneficiaries of this apparent fraud. I am sure I'm not the only one affected by this. Sadly, my company's investment in Google Adwords has yet to yield a single valid lead, despite spending nearly 2,000 Euros with Google -- at least based on my knowledge of all sales communications and email enquiries. My next step is to add some sort of conversion tracking, i.e., some type of click-through form for collecting lead information, so I can add some more detail into the Google Reports.

05 December 2007

Time Machine Fun

This week I learned more about Apple's Time Machine. My wife's iMac needed to have its motherboard replaced, due to the capacitor plague. Kudos to Apple for extending the warranty to cover this issue, as it meant that we didn't have to pay for the replacement. Coincidentally, a Grundig HDTV Satellite tuner failed recently due to the same problem (I opened the case, and saw the signs of the capacitor leakage.)

One of the consequences of the replacement of the motherboard is that the MAC address of the network card has changed. And this means that the external USB drive being used for the Time Machine backup was no longer recognized, since it appears that Time Machine embeds the MAC address in the drive identifier for the backup archive.

To resolve, there is probably some way to edit the MAC address, but I didn't bother. Instead, I noted that the USB drive was still using the Master Boot Record (MBR), therefore I decided to re-partition the drive with the Apple Partition Map, which is best used with the PowerPC-based iMac. I then used the "Change Disk..." option under the Time Machine panel of System Preferences, and started a new full backup, which corrected the problem, at the expense of some older backups.

04 December 2007

Massive organized Google Click Fraud in China

I have evidence of massive and organized abuse of Google's AdWords program, especially based in China. This is certainly not a new problem. Bruce Schneier blogged about Google's Click-Fraud problem last year in Wired -- although he focuses on two types of click fraud, whereas my own case seems to be a third type, no doubt driven by human click-farmers rather than 'bots. There's also an excellent article on this problem in Business Week, which specifically mentioned the Chinese connection.

Last month, I spoke with Dr Pall, country manager for Google here in Austria. I conveyed to him my concern, that as a small business advertising with Google's AdWords program, I simply didn't trust the results I was seeing, especially when I found that I was spending hundreds of Euros via the Content Network portion.

This month, I decided to collect some real numbers on the extent of this problem, to pass on to Google (to date, I have not had a response.) Specifically, I set up some new ads for real products and services that my company provides -- products with a very specific and limited market focus. I deliberately enabled the Content Network option, and waited to see what would happen.

I didn't have to wait very long, as the screen shot below shows.



This activity occurred within a couple of days of my ads being activated. I find it very interesting to see that 100% of the click-throughs to my site are directed via charged Content Network -- which means every one of those clicks cost me money, and earned money for the Web sites which hosted the ads at the time. Not a single click came from a search. And the majority came from 42 different cities throughout China -- which of course means not a single one is genuine.

The bottom line -- be very cautious when enabling Google's Content Network. Watch it closely, and especially don't enable it in China (India also shows some evidence of fraud, but on a smaller scale.) I am hoping that Google will be open about this problem, to restore confidence in their advertisers after last year's settlement.

I will be doing some further analysis, and will post the results in my blog. I'd also be interested to hear from others who have seen similar patterns. Note that I don't think this problem is unique to Google -- probably, it is also prevalent with other advertisers. I really like Google's way of doing business, and will continue to do business with them -- but I feel that more needs to be done to stamp out such obvious gaming of the system, which costs money for no return and wastes valuable time.

Google -- what are you doing about this?

28 November 2007

Technical HowTo: High Availability Monitoring, Part 1

This blog entry is going to be quite technical, so people with a sensitive disposition might want to skip ahead to other entries. O.K., you've been warned!

My goal here is to describe the process of setting up a Monitoring system for a High Availability network security appliance. Specifically, this is work for a customer, who is going to implement one of our AGORA systems (see my earlier blog from this week) in a High Availability configuration. A specific feature of this monitoring system is that it should detect failure of a primary system, and switch to a secondary automatically, according to a set of rules.

Now High-Availability means different things to different people. In my case, I interpret it to mean any system which, when correctly implemented, will reduce the probability of a systems failure. As a system is made up from different parts, we isolate those subsystems which are most likely to fail, and put measures in place to detect or prevent this failure.

My goal here is to develop a network-based monitoring sub-system which will continuously monitor and measure the performance of the target system, and activate special counter-measures in the event of a subsystem failure. I plan to use off-the-shelf components wherever possible, and especially open-source tools running in a Linux environment (although not all the tools selected are of this type.) I believe it will be helpful to document this approach, in case others want to adopt something similar and can learn from my mistakes.

First is to choose the development environment. I am going to develop within a VMWare appliance, i.e., a Virtual Machine. By doing this, it will be easier for the customer to implement at their own site. I happen to be using a MacBook Pro for this work, but it could easily be an Ubuntu Linux or even Windows XP box. Some of the features and tools I plan to implement include:

  • Cacti -- used for time-series graphing of various metrics. In particular, useful for showing trends.

  • SmokePing -- a nice Cacti-based tool to show network latency. Network performance is of particular interest.

  • Perl -- the general purpose scripting language for writing new functionality

  • XAMPP -- one of my favourite bundles of Apache, MySQL, Perl and PHP

  • Mon/Nagios/Hobbit -- select from one of several network monitoring tools

  • VMware -- used to run a virtual machine, for portability

  • CentOS -- the version of Linux I chose for running the monitoring system inside the VMWare


I considered using a solution such as keepalived, but thought that might be more complex than I need. Plus I like re-inventing wheels...
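To make the goal concrete, here is an added example, not code from the original post, of the kind of rule-based failover logic the monitoring sub-system is meant to provide: the primary is probed each cycle, a run of consecutive failures triggers a switch to the secondary (but only if the secondary itself answers), and a longer run of successes is required before failing back, so a flapping link does not cause repeated switching. The host names, thresholds and scripted probe answers are hypothetical; tcp_probe is a plain TCP connect check for use against live hosts.

```python
"""Added example, not code from the original post: a small rule-based
failover monitor of the kind the post sets out to build. Host names,
thresholds and the scripted probe answers are hypothetical."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Probe = Callable[[str], bool]   # returns True when the target answers


def tcp_probe(port: int, timeout: float = 2.0) -> Probe:
    """Real probe: does a TCP connect to host:port complete within the timeout?"""
    def probe(host: str) -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return probe


def scripted_probe(answers: Dict[str, List[bool]]) -> Probe:
    """Test probe built from constructed per-host answer sequences; the last
    answer repeats once the sequence is exhausted."""
    def probe(host: str) -> bool:
        seq = answers[host]
        return seq.pop(0) if len(seq) > 1 else seq[0]
    return probe


@dataclass
class FailoverMonitor:
    primary: str
    secondary: str
    probe: Probe
    fail_threshold: int = 3       # consecutive primary failures before switching
    recover_threshold: int = 5    # consecutive primary successes before switching back
    active: str = field(init=False)
    events: List[Tuple[str, str]] = field(default_factory=list)
    _fails: int = field(default=0, init=False, repr=False)
    _oks: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def tick(self) -> str:
        """One monitoring cycle; returns the node that should carry traffic."""
        if self.probe(self.primary):
            self._fails, self._oks = 0, self._oks + 1
        else:
            self._fails, self._oks = self._fails + 1, 0

        if self.active == self.primary and self._fails >= self.fail_threshold:
            # Rule 1: fail over only to a standby that itself answers.
            if self.probe(self.secondary):
                self.active = self.secondary
                self.events.append(("failover", self.secondary))
            else:
                self.events.append(("no-failover-target", self.secondary))
        elif self.active == self.secondary and self._oks >= self.recover_threshold:
            # Rule 2: fail back only after a sustained run of successes (hysteresis).
            self.active = self.primary
            self.events.append(("failback", self.primary))
        return self.active


def run_cycles(monitor: FailoverMonitor, cycles: int) -> str:
    """Run several cycles and return the node active at the end."""
    for _ in range(cycles):
        monitor.tick()
    return monitor.active


if __name__ == "__main__":
    # Hypothetical hosts: the standby answers, the primary drops out for three cycles.
    probe = scripted_probe({"primary.example": [True, False, False, False, True],
                            "standby.example": [True]})
    mon = FailoverMonitor("primary.example", "standby.example", probe)
    print(run_cycles(mon, 4), mon.events)
```

Wiring this into Mon or Nagios would mean replacing the probe with the tool's check result and the events list with the actual switch-over action (a VIP move, a DNS change, or a call to the appliance's own HA interface); the two thresholds are the rules to tune per site.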

Preparing the Development System


My first task is to connect to our VMWare server, and build the development environment. This box is stored in our data centre, and only provides access via SSH. Therefore, I am going to tunnel in via SSH, using VNC to get access to the graphical environment.

For the Mac OSX, I have chosen to use "Chicken of the VNC" as my VNC client. Because I need to tunnel in via SSH, I chose to open a terminal window, and type in the command directly.
ssh root@vmware-dev -L 5901:localhost:5901

I then connect to localhost display 1 (i.e., TCP port 5901, the port forwarded above) in the VNC client, which tunnels through to the remote system. After entering the password, I am faced with the screen shot below.

Now I use the interface of the VMWare server, and tell it I want to create a virtual machine, using the Red Hat Enterprise Linux 4 template (which is closest to CentOS.) I also choose only 640 Mb of RAM (this machine will be running as a Web server, but I won't install X11.) I don't need a physical CD, as I have downloaded the ISO images of CentOS onto the VMWare server, and just need to mount an image as if it were the CD drive. I switch on the VM, and it boots immediately into the CentOS installer.

I run through the installation options, selecting mostly the defaults. I made the VM with only 8 Gb of disk, so I have chosen a minimal install. I'll add the other stuff I need later. My first step however will be to use YUM to install any required security patches and updates for the minimal install, then download and install my Web environment, XAMPP. I will also add the VMWare tools, as these are important if I want the system to have good time synchronization (which is important for security applications), because NTP and friends don't play together nicely with Virtual Machines due to clock tick latency correction.

Here are the commands used:

wget http://www.apachefriends.org/download.php?xampp-linux-1.6.4.tar.gz
yum update

There was around 48 Mb of updates for the CentOS packages -- mostly new versions of tools and the kernel, with a few minor security issues.

See the Apache Friends web site for details on installing XAMPP. Just follow the instructions for improving its security, and make it run from startup by using chkconfig to add it to the processes to be run upon a reboot (after symbolic linking into /etc/init.d).

Smokeping



My first choice was to install Smokeping, by Tobias Oetiker. It's a great tool for visualization of network behaviour, which is an important part of any network-based service. I simply followed the comprehensive installation guide. Later, I found a more friendly Smokeping install guide here.

For the convenience of the reader, I will paste below the commands needed. I decided to use binary distributions, rather than building from source, to save installing too many prerequisites in the VM.


yum install libart_lgpl
yum install perl-Time-HiRes
wget http://dag.wieers.com/rpm/packages/rrdtool/rrdtool-1.2.23-1.el4.rf.i386.rpm
wget http://dag.wieers.com/rpm/packages/rrdtool/perl-rrdtool-1.2.23-1.el4.rf.i386.rpm
# Note both RPMs have to be installed with a single command, to avoid a dependency loop
rpm -Uvh rrdtool-1.2.23-1.el4.rf.i386.rpm perl-rrdtool-1.2.23-1.el4.rf.i386.rpm

wget http://downloads.sourceforge.net/echoping/echoping-6.0.2.tar.gz?use_mirror=heanet
yum install curl



I'll continue this in Part 2.

Inemuri

I came across a real gem while browsing the BBC News web site today. Japanese culture contains the delightful concept of "inemuri" (居眠り), which translates as napping or dozing. What's interesting about it is that it is culturally acceptable, in certain circumstances, to fall asleep in meetings or other social gatherings.

Apparently, it is intended to show that you sacrificed much of your regular sleep in your work, and is considered a type of macho display -- "look how hard I work, because now I cannot stay awake!" Naturally, like many Japanese traditions, it is not for everyone -- only those of superior social status can afford to indulge in front of their underlings, or those who have little status at all.

Now, I just need to figure out how to incorporate this into the university classes I teach.... hmmmm....

26 November 2007

AGORA Audit Compliance Appliance

I'm really excited about the AGORA Audit and Compliance Appliance which my company has developed, and which is starting to see some traction in the market.

The idea actually came from one of our large Banking customers. It's a simple idea (as some of the best ones are), but one which we haven't really seen elsewhere on the market. The "elevator pitch" is as follows:

Your company or bank has just outsourced some key IT activities -- e.g., application development or database administration. It made sense financially, and you're covered by SLAs, so you know what service you can expect. But you no longer have real control over who is doing what, and when, to your customers' data. A firewall or VPN solution doesn't really help, because it's designed only to keep out unauthorized persons -- but the outsourced company has full access, so how do you track what they are doing?

Some systems, like Oracle, let you turn on database auditing -- but if you outsource the DBA function, then your DBA can turn it off. So most of the time, you just have to trust people -- until something goes wrong, some critical table is dropped, or some vital information leaks -- and then you're stuck, because where do you start investigating?


This is the business problem solved by AGORA -- it's a secure application gateway appliance which sits between your internal systems and the authorized persons who need access, and keeps indelible records of all activity -- down to the level of scanning the network protocol in real-time, and recording all keystrokes or SQL queries sent by the external administrator, transparently and with no noticeable impact on performance. It supports SSH, Oracle SQL*Net, Microsoft SQL TDS, HTTP/HTTPS, Telnet, FTP and even X11 protocols. This means that all traffic is captured in separate files, linked to the uniquely-identified user who started the session.

A separate auditor user role can log in via the Web interface, and review audit logs of the various sessions managed by the system. The workflow management is integrated with a built-in trouble ticket system, so audit logs of access to a service can be linked to specific problems or activities. We also tie the sessions in with specific VPN-authenticated users (we support Check Point VPN, Open VPN or even pre-shared SSH keys for authentication of users.)

We've recently added plug-in modules for supporting HTTP and HTTPS auditing, which also track all files which are uploaded to or downloaded from a remote Web server. Our latest version of the software will include SSH session audit (which includes the possibility to play back sessions in real-time), as well as X11 sessions. The system does its work by protocol inspection of every packet -- extracting the audit-relevant information, associating it with a specific two-factor authenticated user, and writing it to a secure tamper-proof logging system, including packet payloads (such as SQL commands or SSH terminal sessions.)

We're planning to offer the AGORA system as a Hardware Appliance for high-performance requirements -- but it's currently available as a software installation, or as a VMWare virtual appliance. When installed on a VMWare server, the same functionality is available, but with slightly reduced performance possible (depending upon the hardware.)

The system uses email and web interfaces to communicate with its users -- typically, for example, a support technician (such as a Database Administrator or DBA) will receive an email informing them of a trouble-ticket which has been opened against one of the many production databases they are responsible for. An email will go to the support co-ordinator for the company, who will assign it to the next available technician with the appropriate access rights. Upon receipt of the email, the technician can then click on a Web link, which opens dynamically a port on the firewall (accessed through the VPN) which gives access to the relevant service. This starts the audit session, and also keeps track of when activity occurs (which is very useful for SLA verification.)

Naturally, because the system is ticket-based it blocks access to resources for which no ticket is available -- and also includes the possibility to restrict access to specific time periods -- and will automatically close access when the ticket expires.
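As an added illustration of the two properties just described, ticket-gated access and indelible records, here is a small Python example. It is not AGORA's own code and makes no claim about how the appliance implements these internally: access is allowed only while a ticket for that user and service covers the current time, every decision (allowed or denied) is appended to a log in which each entry carries the SHA-256 digest of its predecessor, and verify() fails as soon as any earlier entry has been altered. User names, ticket numbers and service names are constructed placeholders.

```python
"""Added example, not AGORA's own code: a ticket-gated access decision with
a validity window, and a hash-chained audit record in which altering or
dropping an earlier session entry breaks verification. All users, tickets
and services below are constructed placeholders."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    user: str
    service: str            # the gateway target, e.g. "oracle-prod-1:1521"
    valid_from: datetime
    valid_until: datetime


def authorize(user: str, service: str, now: datetime,
              tickets: Iterable[Ticket]) -> Tuple[bool, str]:
    """Allow only while an open ticket for this user *and* service covers now."""
    reasons: List[str] = []
    for t in tickets:
        if t.user != user or t.service != service:
            continue
        if now < t.valid_from:
            reasons.append(f"{t.ticket_id}: access window not yet open")
        elif now >= t.valid_until:
            reasons.append(f"{t.ticket_id}: ticket expired")
        else:
            return True, t.ticket_id
    return False, "; ".join(reasons) or "no ticket for this user and service"


class AuditLog:
    """Append-only session log; each entry commits to the previous digest.
    A real deployment would also anchor the latest digest somewhere the
    administrator cannot write (WORM media, a signed timestamp service)."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, **record) -> str:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = json.dumps(record, sort_keys=True, default=str)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["digest"] != expected:
                return False
            prev = e["digest"]
        return True


def gateway_request(user: str, service: str, now: datetime,
                    tickets: Iterable[Ticket], log: AuditLog) -> bool:
    """Make the access decision and record it, whatever the outcome."""
    allowed, reason = authorize(user, service, now, tickets)
    log.append(ts=now.isoformat(), user=user, service=service,
               allowed=allowed, reason=reason)
    return allowed


# Constructed sample data: one two-hour ticket for a hypothetical DBA.
SAMPLE_T0 = datetime(2007, 11, 26, 9, 0, tzinfo=timezone.utc)
SAMPLE_TICKETS = [
    Ticket("TT-1042", "dba.alice", "oracle-prod-1:1521",
           SAMPLE_T0, SAMPLE_T0 + timedelta(hours=2)),
]


def at(minutes: int) -> datetime:
    """Helper: a point in time relative to SAMPLE_T0 (minutes may be negative)."""
    return SAMPLE_T0 + timedelta(minutes=minutes)


if __name__ == "__main__":
    log = AuditLog()
    print(gateway_request("dba.alice", "oracle-prod-1:1521", at(30), SAMPLE_TICKETS, log))
    print(gateway_request("dba.alice", "oracle-prod-1:1521", at(180), SAMPLE_TICKETS, log))
    print("chain intact:", log.verify())
```

The denied decisions are logged as well as the allowed ones; in an audit setting the attempts outside the ticket window are often the more interesting records.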

In summary, this is a great tool for organizations that need to provide positive auditing of access to critical or sensitive internal resources by outside users (such as DBAs or developers), without requiring special logging to be enabled directly on every resource. With the increasing requirements of Basel II, ISO27001 and Sarbanes-Oxley for compliance programs, such an audit appliance will become essential in every large enterprise.

23 November 2007

Digital Rights and the right to be paid

A recent article in the International Herald Tribune by computer scientist and composer Jaron Lanier argues the case for a new model of compensating artists, writers and other creative types. Despite an earlier advocacy for Internet piracy, he now admits he was wrong, and that the promise of the Web to increase opportunities for getting paid for creative output has not materialized.

In my view, the situation is not as dire as he implies. Yes, there are many writers who would like to earn a living from the Internet, but it's simply not going to happen, due to the huge numbers of "wannabes", and limits to the demand for paid content. Aggregation services tend to function as filters for quality -- in much the same way as publishers trawl through piles of submitted manuscripts, looking for the hidden gem that might turn a profit -- but ultimately, the market will decide.

Simple economics suggests that not every writer can be paid for their writing -- there are simply too many of them, and a huge influx of enthusiastic amateurs has made it even more difficult for good writers to have their voice heard. Fortunately, I believe that the filtering mechanisms will adapt naturally as the ecosystem develops, as we already see many fine writers are featured on Blogs such as BoingBoing, Salon, Technorati and even Digg and Kuro5hin.

Whether these writers make money is an interesting question, which cuts to the heart of Lanier's thesis -- that the advertising model (as supported by Google's Adwords) is not enough to earn a decent living, and that some other micropayment model is required to solve the problem of the "free rider." Technically, such systems exist, but tend to live behind "walled gardens" (such as AOL), or are burdened with restrictive Digital Rights Management (DRM), such as Amazon's popular new Kindle e-Book reader.

For me, the more interesting issue is that the content providers -- or more specifically, the publishers -- haven't yet come to terms with the demands of its customers. Currently, many of us watch TV which is laden with excessive advertising, that disrupts our enjoyment of great programs like "Dexter" and "Heroes." Increasingly, however, there is a new generation of Internet-literate scofflaws who spurn the advertising, and prefer to trade (mostly illegally) in high-definition digital downloads of their favourite TV shows and movies.

As this trend increases, advertisers will see a decline in their revenues, leading to attempts by studios to be more restrictive with DRM -- an effort which is doomed to fail, for good technical reasons. Their only hope is to adapt their business model (as Apple's wildly-successful iTunes has shown can be done with music), so that consumers have more choice over what they download -- and pay a fair price for content which is not locked down with DRM that restricts their options for viewing the shows they want to see.

Ultimately, a reputation-based system may evolve (such as Cory Doctorow's "Whuffie") -- but I'm not holding my breath. History has shown that artists and writers need some support from the wealthy to create their best works -- but that until we achieve a post-scarcity economy, there will always be a surplus of artists and writers (however talented) starving in a garret.

Media Center selection update

My latest thinking is that I will probably buy either a Sony PS3 or Microsoft XBOX 360 as a Media Center. The real issue is going to be DIVX/XVID support. There are rumours that both Sony and Microsoft have finally recognized that support for these codecs in their player firmware is important to some customers. Sony has apparently added a patch in the latest firmware to support selection of this type of file -- but there is no firm date on when it will be able to play them, so I will wait until that turns up before making a decision.

Also of some interest is whether NAS storage (e.g., a SAMBA mount) could be used with either system. We'll see....

Dance Review: The Beggar and the Bird

Dances with Birds

A drama of self discovery in movement, pantomime and special effects.


It was a chilly Thursday night at the Odeon Theater in Vienna, as the lobby thrummed with anticipation. Nearly 250 people had turned up for the premiere of "The Beggar and the Bird," a Dance and Music performance created by New Zealand Choreographer, Amber Stephens. Together with musician Natalie Jean-Marain, and dancer Albert Kessler, Stephens has produced an original story that entwines soaring vocal improvisation with pyrotechnic displays of Modern Dance energy.


Upon entering the grand portico of the Odeon Theater (formerly an agricultural trading exchange, complete with fluted marble pillars and elegant staircases), the audience found themselves viewing a broad stage, flanked on either side by two mysterious seated plaster figures – apparently the chrysalises from which some strange female figures had recently emerged. A tall banner of newspaper clippings of an actress’ life hung at stage left, while a wheeled mirror waited in the wings. A small group of musicians huddled silently at the rear, accompanied by an elegant singer, seated on a tall stool.

From her first moments on stage, Stephens led us into the interior life and feelings of each character she played. First on stage was the Diva, so upright in posture, silently miming her daily superficialities, while allowing us to glimpse the loneliness beneath the mask. Clad in a simple cocktail dress, she conveyed through gestures and facial expressions the reality of the unreflected life, diverting but shallow.

The story introduces a range of characters, in a transformative journey that leaves each affected by their interactions. The Diva is world-weary, a woman of ambition and power, capable of art, yet selfish and sometimes cruel. In an impressive display of on-stage metamorphosis, the Diva then changes into the Beggar. Initially restrained, the dancing becomes more frenetic, arms gyrating, with twirls, rhythmic breathing, dips and falls, as an insistent drumming begins to be heard.

Events begin to take a darker turn, when the Beggar meets its Shadow – Albert Kessler – who leads the Beggar down paths of power and control, which culminate in obsession, and the total abjection of the Bird, cast down into an emotional well, from which only the newly-awakened compassion of the Beggar can rescue it. The Shadow mirrors the darker side of the Beggar, engaging in a physically demanding pas de deux of puppetry and power, with great leaps, rolls, martial jabs and lifts, as well as much floor work.

Some loss of self seems to be a prerequisite for the classical journey of self-discovery, charting unknown territories of one's internal world, to discover its deeper meaning. This journey is not without missteps, as we learn when the Diva meets the Bird – played by Jean-Marain – whose wings materialize in subtle vocalizations and static poses, aided by a costume of silver and feathers.

Like Kate Bush's Aerial, Jean-Marain invents a language of birds, with its “Kirikeeks” and “Kurruuuuu” cries, evoking the lilt of a forest-dwelling bird-of-paradise. The Beggar, dances to these songs – as Stephens dances patterns that mirror the soaring voice of Jean-Marain. This interaction between Beggar and Bird is the core of the performance, as the Bird sings and the dancer reflects them in motion, a sound-driven marionette. Soon, however, the flow of influence is reversed, and the Beggar delights in exercising control over the Bird's song – with disastrous consequences for the Bird.

At the climax, the Shadow is reintegrated, the Bird redeemed, and the Beggar arises, transformed – ready for the next stage of a journey reflecting the labyrinth of our own life changes. The stunning finale, sung with English lyrics by Jean-Marain, lifts the energy and leaves an impression of serenity and self-acceptance.

Written and choreographed by Stephens, who remained throughout on stage, the work incorporates elements of modern dance, Brazilian capoeira, floor work, hip-hop, and allusions to classical ballet, all performed to a high technical standard. The music, performed live on guitar, piano and extensive percussion, hinted at Shamanic drumming, Arabic motifs and Spanish flamenco themes, emphasizing the different stages of the story, and deftly supporting the high-energy levels of the two dancers. The sparse staging included a curious mirror through which the dancer passed parts of her self, as if seeking to reflect on her actions.

The mystery of the plaster bodies was only resolved at the end of the performance, when a large screen behind the musicians showed the process of applying plaster to the dancer, which hardened and then was shed as if emerging from a cocoon – an apt metaphor for the transformation which we had just witnessed.

The performance had been a huge challenge, the creative team acknowledged later, with hundreds of hours of rehearsals, and the management of extensive details of costume design, staging, musical composition, choreographic research and improvisation. In the end, the work seemed more than justified, and was well received by the audience. The team plans to take the show abroad, to Dance and Arts festivals around the world over the next few years, as well as producing variations of the story in other media, to retell the modern myth of the Beggar and the Bird in different forms.

Disclaimer: The writer contributed the Website design for this performance, but has no beneficial connection with the performers.

"The Beggar and the Bird"
Odeon Theater
Nov. 8, 2007
Choreographer/Principal Dancer: Amber Stephens
Music/Singer: Natalie Jean-Marain
Dancer: Albert Kessler
Website: www.beggarandbird.com

13 November 2007

First Impressions

Just for fun, I thought I'd post another picture of myself onto this Blog. Many people think they know me -- but some might be surprised by what they see in the picture.

The weapon in my right hand is a Czech-made copy of an AK47, with bipod rest. In my left hand is a 9mm automatic pistol. The picture was taken in 2005, somewhere in Slovakia.

07 November 2007

Return on Security Investment (ROSI)

Earlier this year, I prepared a presentation for a Security Conference, which includes a concept which I think other readers might find interesting. It's the "Return on Security Investment." Basically, the idea is to perform a Risk Assessment, and to calculate the probabilities of occurrence of various scenarios which can cause losses or other damage.

Next, you determine the most appropriate controls to mitigate or eliminate those risks, and determine their costs. For example, if you know that there is a 2% chance that the annual Spring rains will bring major floods, and you have a house near a river, you might expect that repairs of the damage caused by flooding could cost you 100,000 of your local currency. You consider various options for protecting your house, e.g., installing flood defenses, diverting the river, putting in basement pumps, etc.

Given that a 2% chance annual event is likely to occur at least once in 50 years, we can then analyse whether investing in counter-measures -- i.e., security controls -- is going to cost us more than the event itself. Assuming we normalize the monetary unit per time value of money (Net Present Value), a single loss event cost of 100,000 means an average cost per year of 2,000 (recall we expect this event at least once every 50 years.) So, if the capital and operational (CAPEX/OPEX) costs of the controls are more than 2,000 currency units, then it's probably not a good investment for us.

In which case, our next step would be to try to transfer the risk -- i.e., by finding an insurer who would sell us 100,000 worth of flood insurance coverage for say 1,800 units per year -- which would be a good financial decision, based on Return on Security Investment (ROSI.) Of course, our insurer would be likely to be using a similar basis of calculation -- but they have advantages of scale and usually superior sources of information on risk, and therefore may well offer a better price.

In the final analysis, the worst thing we can do -- is to do nothing, and hope for the best.
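The arithmetic above, worked as an added Python example (not from the original post). It computes the annualized loss expectancy (ALE = single loss x annual rate, here 100,000 x 2% = 2,000), then scores each candidate control with the commonly used ROSI formula (annual risk reduction minus annual control cost, divided by control cost), so that the insurance option at 1,800 per year comes out slightly positive and a control costing more than the ALE comes out negative. The pump and river-diversion costs and their mitigation fractions are constructed assumptions; only the flood figures and the insurance premium come from the post.

```python
"""Added example, not from the original post: annualized loss expectancy
(ALE) and a Return on Security Investment figure for the flood scenario
described above. ROSI here is the widely used form
(annual risk reduction - annual control cost) / annual control cost; the
cost and mitigation figures for the non-insurance options are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional


def annualized_loss(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: a 100,000 repair bill with a 2% annual chance is 2,000 per year."""
    return single_loss * annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # CAPEX spread over the control's life, plus OPEX
    mitigation: float      # fraction of the annual loss the control removes, 0..1


def rosi(ale: float, control: Control) -> float:
    """Positive means the control returns more risk reduction than it costs."""
    risk_reduction = ale * control.mitigation
    return (risk_reduction - control.annual_cost) / control.annual_cost


def worthwhile(ale: float, control: Control) -> bool:
    # Same test as the post's rule of thumb: a control that removes the whole
    # risk is only worth having if it costs less than the ALE.
    return ale * control.mitigation > control.annual_cost


def best_control(ale: float, controls: Iterable[Control]) -> Optional[Control]:
    """Pick the control with the highest ROSI, or None if every option loses money."""
    candidates = [c for c in controls if worthwhile(ale, c)]
    return max(candidates, key=lambda c: rosi(ale, c), default=None)


FLOOD_ALE = annualized_loss(100_000, 0.02)   # figures from the post
OPTIONS = [
    Control("flood insurance (100,000 cover)", 1_800, 1.0),   # premium from the post
    Control("basement pumps", 2_500, 0.60),                    # constructed
    Control("river diversion", 40_000, 0.95),                  # constructed
]

if __name__ == "__main__":
    print(f"ALE per year: {FLOOD_ALE:,.0f}")
    for c in OPTIONS:
        print(f"{c.name:36s} ROSI {rosi(FLOOD_ALE, c):+.2f}  worthwhile={worthwhile(FLOOD_ALE, c)}")
    best = best_control(FLOOD_ALE, OPTIONS)
    print("recommended:", best.name if best else "accept the risk (no control pays off)")
```

The mitigation fraction is where most of the uncertainty lives in practice: a control that is only partly effective has to be priced against the residual loss it leaves behind, which is why the helper compares ale * mitigation rather than the raw ALE against the control's cost.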

06 November 2007

Media Center Extenders

At home, I've been running a Pinnacle ShowCenter 200 (older model), which has been fine for the past year or so -- until last week, it suddenly stopped displaying any of the text in the menus. This was really weird -- the system would boot just fine, showing the logo, and the showcenter logo in the upper right corner -- but the names of TV shows would not appear at all.

At first I suspected this was due to a recent upgrade of the Linux-based back end -- I'm using the Linux MTPCenter, which has done a great job running with Lampp on my Ubuntu system. I recently upgraded to MTPCenter 2.0, and thought this might be the issue -- but I saw the menus from the later version for a few days, and downgrading still failed to show the menu items.

A related glitch is that the fast forward capability used to show the percentage -- but this does not display (although it works just fine.) The strange thing is, I can navigate through the menus by sound, and by looking at the MTPCenter through a standard Web browser -- and the programs stream just fine. My guess is the character generator for the fonts might be broken -- I've tried everything with the ShowCenter that I can think of, and also tried hacking on the CSS in the MTPCenter to change font displays and background, but with no results.

Anyway, I decided to replace the Pinnacle with something with more capabilities. My ideal Media Center should be able to do the following:

1) Stream MP2 Video, MP3s, DivX and XVID
2) Stream from Internet Radio (e.g., ww.sky.fm.)
3) View pictures from network storage
4) Work with Linux
5) NOT require a Windows box anywhere
6) Use a remote
7) Output to HDMI or at least component with up to 1080p to my HD TV
8) Handle AC3 audio, and at least Dolby 5.1
9) Handle MKV wrappers
10) Maybe in future play either from Blu-ray or HD DVD.
11) Noiseless low temperature operation
12) I don't want to spend more than 250 Euros, or "roll my own."
13) I don't want DVR or recording functionality

So, I started looking around for some options.

I first got interested in the XBMC Open Source application, which looks really cool. It does most of what I need, but only seems to work on the original Xbox (and not the Xbox 360 or Elite), which means that I won't be able to use HDMI output, or even plug in a HD DVD in future.

I considered the Sony PS3, but am not clear on whether or not it can play DivX or XVID. My guess is it's probably a "no" -- and I don't really like Sony as a brand, although getting the Blu-ray drive is tempting.

I also considered the AppleTV, or even a small Apple box, but the former lacks the decoders I want, while the latter is too expensive -- and both lack HDMI (although realistically speaking, DVI output would probably suffice.)

So there are still some more options.

First up is the Xbox 360 with optional HD DVD. A little expensive, but there is the benefit of getting access to games like HALO -- but who has time for games these days? -- I barely have enough time to watch Heroes or Prison Break! I don't like supporting Microsoft anyway, although I could *console* myself (nasty pun that) with the thought that each Xbox sold is a loss for M$. I also don't like the way that the XBox 360 enforces code signing and other nasty DRM stuff, and am not aware of a simple "mod" for the 360 which won't invalidate the warranty. So that's out.

Next option is a Mac Mini. I bought one of these for my father, and he seems to use it, but not for TV. The output is DVI I think, but no HDMI -- although probably good enough. While I like Apple boxes (we already have three at home), I can't really justify spending the 600 Euros it costs here in Austria for the smallest model. So that's off the list for now, at least until I win the lottery (which isn't going to happen, since I don't buy tickets!)

I don't really want a box with a built-in hard drive, since I have enough disk space on other machines. I'm using my Ubuntu Box as my TV and media file server, running SAMBA and Azureus, and therefore simply want a box which streams over the LAN, without using Microsoft software anywhere if I can avoid it.

Looking around I found the Linksys DMA2100.

Also interesting is this D-Link box, which is only 180 Euros -- but I'm not sure if it also has a wired LAN, as well as wireless. Well, it will come out at the end of November, so we'll see. There also seems to be a US version, with different specs: the Dlink DSM-750, which looks nice, although more expensive, and I don't know if it will be available in Europe.

02 November 2007

Time Machine on older PowerBooks

A trap for young players (yes, me!) with implementing Time Machine on older Powerbook machines.

Leopard will install and run just fine -- and you can plug an external drive into the USB port, and backups will work -- but it's totally impractical, because certain older Powerbook models have only USB 1.1, rather than USB 2.0 -- which means it's very, very slow.

My recommendation -- if you have an old Powerbook, then try to get an external drive that uses Firewire rather than USB.

01 November 2007

Using Apple's Time Machine

I've been using OS X 10.5 (Leopard) for a few days, and felt I'd share some of my findings, mainly with regard to Time Machine.

I purchased a family pack, and have upgraded four Macs successfully so far.  In my view, Time Machine is a great idea, and worth the price of admission alone, especially for those who haven't done backups before.

Personally, I use Mozy for my basic backup needs, but like the possibility of additional layers of backup which Time Machine provides.  

So, there are a couple of things I discovered:

1. It is possible to trigger Time Machine manually.  Simply hold down the "ctrl" key, then click the Time Machine icon in the dock -- a menu will pop up, which contains the item "Back Up Now".   This is documented in the online help.

2. Time Machine will not activate itself (apparently) when running on a MacBook Pro, if running on battery power.  It will wait until mains power is connected, and then schedule itself.

3. Time Machine doesn't handle encrypted files well.  Specifically, it won't back up individual files stored in an encrypted file system -- instead, it will back up the entire file system.  This is not too surprising, considering that backing up the unencrypted files would be a security risk.  I guess Apple will be working on some workaround for this, but I don't see an easy fix, due to the key management issues.

4. Time Machine apparently does not use encryption, or even compression, for files stored on the backup device.  This is a deficiency in my view which should be corrected in the future, or by third-party add-ons.  Naturally this is a user issue -- because the typical user would be unable to deal with the key management issues.  I think Mozy has a reasonable approach in this regard, but it's up to each person to decide how to manage encryption keys.

5. The caveat regarding encrypted file systems also applies to virtual machines, which I believe are treated as a monolithic whole -- it's not easy to imagine how this can be otherwise, especially if the virtual machines (I use Parallels, but it also applies to VMware) are not running.  Maybe VM vendors will expose their file systems to the fsevents mechanism which harvests file changes in future, and allow Time Machine to selectively back up only changes in the guest operating systems -- after all, FAT32, NTFS and ext3 formats are well-known.

6. It seems the 5160 build of Parallels has an issue with running VMs which are restored from Time Machine.  I was able to cause my OS X to kernel panic when trying to run a WinXP which I restored.



24 October 2007

Helping startups get started

I decided on a new project for 2008 -- helping Internet startups to get started.

I've prepared a paper about this on my static web site: http://www.gillingwater.org/.  

Here's my pitch:

I'm a high-tech entrepreneur and University lecturer, living some 15 years in Vienna, with the experience you need. I have a business license, a well-used MBA, and several years as a “Geschaeftsfuehrer” in Austria. I have taught and mentored many young business men and women over the years, and continue to enjoy teaching and sharing ideas.

I have started three high-tech companies – computer manufacture (1982), Internet Service Provider (1990) and IT security consulting (2001). Two of them are still operating, but no longer need my full attention – so I have time to work on new projects starting in 2008.

I can advise you and your team on business strategy, help draft business plans and budgets, design your infrastructure, review your marketing campaign and solve your technical or people issues.

I can guide you through the legal and taxation issues within Austria and the CEE markets, or can explain the finer points of TCP sliding window side effects within tunnelled protocols – and many questions in between, too.

I'm not expensive up front – I'm willing to work for equity plus operating expenses in your company, but don't plan to be your primary investor – I'll leave that to the V.C. specialists and private equity funds. I'll also be happy to sit on your Board of Directors, and take the lead in presentations to customers or potential investors, if you wish.

My primary goal will be to make your ideas succeed, and articulate your vision in a cost-effective and realistic approach to the market – while insulating you from the dull details of setting up a business in Austria (or Slovakia if you prefer.) I can hook you up with specialist Legal and Taxation advice, and also assist with customer acquisition (on a “commission” basis.)

14 October 2007

Dance performance by Amber Stephens

A fellow kiwi living here in Vienna is a choreographer and dancer, who is premiering a major new production next month. Titled "The Beggar and the Bird", it will be performed on 8 November 2007, at the Odeon Theater in Taborstrasse, Vienna, Austria.

For more details, check out the web site: http://www.beggarandbird.com. Should be worth a look.

07 March 2007

Developing with the Nokia N800

I decided to begin some simple development with the Nokia N800. Nothing particularly original -- just an attempt to port a few useful programs onto the platform, so I decided to blog the progress (and problems) I encounter along the way, in case anyone else wants to give it a go. Feel free to learn from my mistakes!

The first challenge I encountered is that the development environment for Maemo.org requires Linux, but I'm running OS X on a MacBook Pro. No problem really -- I also run Parallels, so I have created a new virtual machine, in which I am installing Ubuntu 6.06.
It may be possible to port the development tools to the underlying FreeBSD on which OS X is based, but I don't want to bite off more than I can chew at present, and I have more development experience with Linux than OS X anyway.
  1. First step: start Parallels, then use "File|New" from the menu to create a new virtual machine. I selected "Typical", OS Type "Linux" and OS Version "Debian Linux," which I expect should work fine for Ubuntu. I accepted the defaults of 256 Mb of RAM, and 32 Gb of disk, which I can always increase later if necessary.
  2. Next step is to insert the Ubuntu 6.06 CD-ROM, which is bootable as a Live CD. After starting, it goes into a desktop, with an icon saying "Install." I double-click this, and go through a standard install sequence, for which I take all the sensible defaults. This takes about 30 minutes, to copy all the files from the CD-ROM with the emulation running in the background.
  3. After rebooting the Ubuntu VM (with the CD-ROM ejected), I then start an online Ubuntu upgrade, to ensure a clean environment. I may have to add some of the GNU tool chain, which probably doesn't come standard with the Ubuntu.
  4. Next, I take a look at some of the prerequisites. I know that the Nokia N800 uses Maemo, so I visited there to find that I should use the latest release, known as Bora. This in turn points me to Scratchbox Apophis, which seems to be a cross-compilation toolkit. The Scratchbox installation instructions tell me that I need root access, particularly if I want to set up the Debian repository for apt-get.
  5. On my Ubuntu system, I edit the file /etc/apt/sources.list, and add the line
    deb http://scratchbox.org/debian ./
    Personally, I use vi (being very much old-school UNIX). Don't forget to "sudo su -" first to get root access. Then I run "apt-get update", to update my repository list.
  6. After the update, from the command line I can begin to install the packages, using this command:
    $ apt-get install scratchbox-core scratchbox-libs
    This is around 215 Mb of disk space.
  7. Belatedly, I read the instructions for installation of Maemo's Bora, and found the recommendation to use the installer script. Naturally, this doesn't tolerate an existing install, therefore I had to remove the one I just installed.
    $ apt-get remove scratchbox-core scratchbox-libs
  8. Next, I download the correct installation script, e.g.:
    $ wget http://repository.maemo.org/stable/bora/maemo-scratchbox-install_3.0.sh
    $ sh ./maemo-scratchbox-install_3.0.sh -d
  9. The script does a number of checks, then downloads and installs the necessary packages, including scratchbox.
  10. First problem found: the install script is expecting a utility called "GNU ar" (an archiver), which is missing in the default Ubuntu install. Therefore, I interrupted the installation script, and installed the "binutils" package to satisfy this dependency:
    # apt-get install binutils
  11. After the script downloads all the files it needs, it runs an installation script, and terminates.
  12. The next step is to create a scratchbox user with the command "/scratchbox/sbin/sbox_adduser paul yes", then login with the command "/scratchbox/login". This means exiting from the "sudo su -" with Control-D. The script recommends logging out then back in again as your regular user, but I just used the command "newgrp sbox", and permissions were correct.
  13. Now we get to the installation of the Maemo Bora, which can be done by downloading and running this script:
    $ wget http://repository.maemo.org/stable/bora/maemo-sdk-install_3.0.sh
    $ sh ./maemo-sdk-install_3.0.sh
  14. Now I have the next problem. The SDK seemed to install just fine, but we have an issue with the installation of the Nokia components. Apparently, this needs to be done for two different environments: the X86 and the ARMEL. By default, the SDK seems to begin in the X86 environment, e.g.:
    [sbox-SDK_X86: ~] > fakeroot apt-get install maemo-explicit
    The above command runs just fine. The problem I had was when I tried to switch to the ARMEL environment. I did this with the command "sb-menu", then chose SELECT to activate the target "SDK_ARMEL". Fine so far, but when I try the command:
    [sbox-SDK_ARMEL ~] > fakeroot apt-get install maemo-explicit
  15. This is the error message:
    SBOX_CPUTRANSPARENCY_METHOD not set
    I am guessing I messed up the sb-menu, by accidentally going into the SETUP menu. There seems to be a setting there for CPU_TRANSPARENCY, but it's not clear how to fix it. I experimented for a bit by using sb-menu to reset targets, but realized I have no idea what I'm doing (which is very typical for me, being a "bear of very little brain.") Therefore, I was pleased when I exited from the scratchbox, and ran the installer again with the -y option to reset the existing targets, which seemed to do the trick. It downloads the rootstraps again, but it's only time and bandwidth.
  16. Again, I logged in to the scratchbox, then selected each target, and ran the install for maemo-explicit, as well as the update. This seemed to run just fine, for both targets.
  17. Step 4 of the installation process talks about Xephyr. This needs to be installed outside of the development scratchbox, on the host system. Unfortunately, I am running a stable version of Ubuntu, and the command proposed: "apt-get install xserver-xephyr" simply doesn't work, presumably because it's part of the unstable distribution of Debian.
  18. To correct this problem, I had to edit /etc/apt/sources.list, and uncomment the "universe" repositories, run "apt-get update", then was able to run the above command successfully to install Xephyr.
  19. To test Xephyr, I used the command line which starts up the X Window display, naturally in the correct size for the Nokia N800 (note that -dpi takes a value; the Maemo instructions use 96):
    Xephyr :2 -host-cursor -screen 800x480x16 -dpi 96 -ac &
  20. Now everything should be working as expected, so to test this I logged into the scratchbox, set my terminal environment, and ran the test environment:
    $ /scratchbox/login
    [sbox-SDK_X86:~] > export DISPLAY=:2
    [sbox-SDK_X86:~] > af-sb-init.sh start
And here is the result:

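As an added example (not from the original post, nor from the Maemo or Scratchbox projects), here is a small POSIX sh preflight helper that scripts the host-side fixes the walkthrough above stumbled over before the installer is run: the Scratchbox apt line from step 5, the binutils/GNU ar dependency from step 10, and the "universe" repository from step 18. The function names and the optional file-path argument are my own; the repository line and package names are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Every function takes the
# path of a sources.list so it can be tried on a copy before touching
# /etc/apt/sources.list as root.

SCRATCHBOX_REPO='deb http://scratchbox.org/debian ./'

# Step 5: append the Scratchbox repository line unless it is already there.
# Returns 0 when the line was added, 1 when it was already present.
add_scratchbox_repo() {
    sources="$1"
    if grep -qxF "$SCRATCHBOX_REPO" "$sources" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$SCRATCHBOX_REPO" >> "$sources"
}

# Step 18: uncomment "deb"/"deb-src" lines that point at the universe
# repository. Written to a temp file and moved back so it works with any sed.
enable_universe() {
    sources="$1"
    sed -E 's/^#[[:space:]]*((deb|deb-src)[[:space:]].*universe.*)$/\1/' \
        "$sources" > "$sources.tmp" && mv "$sources.tmp" "$sources"
}

# Number of active (uncommented) universe lines. grep -c exits 1 when the
# count is 0, so the fallback keeps callers from treating that as an error.
count_universe() {
    n=$(grep -cE '^(deb|deb-src)[[:space:]].*universe' "$1") || n=0
    printf '%s\n' "$n"
}

# Step 10: the Bora installer expects GNU ar (from binutils), which the
# default Ubuntu 6.06 install lacks. Print each named tool not on $PATH;
# with no arguments, check the two the walkthrough needed on the host.
missing_tools() {
    [ $# -gt 0 ] || set -- ar wget
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Run the whole preflight. Returns 1 if a tool is missing, so the installer
# script is not started into the failure seen in step 10.
preflight() {
    sources="${1:-/etc/apt/sources.list}"
    if add_scratchbox_repo "$sources"; then
        echo "added: $SCRATCHBOX_REPO"
    fi
    enable_universe "$sources"
    echo "active universe lines: $(count_universe "$sources")"
    missing=$(missing_tools)
    if [ -n "$missing" ]; then
        echo "missing tools (apt-get install binutils provides ar): $missing" >&2
        return 1
    fi
    echo "preflight ok; now run: apt-get update"
}
```

Save it as a file, source it in a root shell (`. ./preflight.sh`) and call `preflight`, or pass a copy of sources.list to try it first.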

05 March 2007

Nokia N800 First Impressions

I was pleased to receive delivery of the new Nokia N800 Internet tablet on Friday, just before the weekend. It's a sweet device, smaller than I expected, but with some great functionality.

I won't add to the many reviews for it, but rather will focus on the items which I think are missing, and suggestions for improvement.

  • OpenVPN -- this client would be helpful for securing connections over WLAN, since WEP and WPA aren't really secure enough
  • Bluetooth for headsets
  • USB improvements -- when I connect the N800 to the Mac, it doesn't allow browsing of all folders -- it just shows the plug-in media
  • Definitely some sort of calendar/appointments/contacts database, with online synchronization with Gmail
  • A Samba client would be excellent, especially for streaming music from SMB shares
  • Some form of UPnP synchronization with music streaming servers on the local LAN would be nice
  • an app for taking still images or movies
  • the media player definitely needs plugins for codecs. It can't handle the latest MPEG video format used by my Sony camera (although the videos play fine with VLC and Quicktime)
  • the USB device seems to function as a server -- but I wonder if you can add external storage?
  • Connecting from a Macbook with Bluetooth works, but the N800 doesn't seem to have any useful services, to allow browsing or sending files, unlike other Nokia devices such as the N73
  • I'd love to see the N800 able to share an Internet connection (Ethernet) with the Macbook, via WLAN or Bluetooth. It seems to manage this with the Nokia N73 -- this should work, I think, if the Macbook can provide an IP address and routing/NAT, so I suspect this is do-able.

01 February 2007

A walk in the park


One of the advantages of working for a company with enlightened policies is that it is "dog friendly." At least three of the staff have taken advantage of this, occasionally bringing their dogs to the office, and I tend to do this most often. In fact, the dogs are more often in the office than not, as they enjoy meeting people, and going for walks. My two dogs are of the Border Terrier breed, which is a hardy yet affectionate variety of pedigree, with the character of a mutt. They've been with us for eight years now, and act as unofficial "morale officers", greeting everyone who comes to the door, and snorking any spare items of tasty food which might accidentally fall to the ground.


Today in Vienna is a chilly 8° Celsius, with strong winds but occasional sunshine -- ideal for a walk in the nearby Prater, one of Vienna's largest parks. It's a beautiful scene, stark and sere, with a few forlorn leaves waltzing past in the winter sunshine. Yes, that really is my clumsy thumb visible in the lower left corner of the image -- it's not easy to make a clean picture with two dogs straining at the leash.

The Prater is famous for the giant Ferris Wheel, or "Riesenrad", which featured in the Orson Welles classic movie, "The Third Man." It can just be glimpsed through the trees above, in an aspect which reduces its apparent "wheelness."

The main road leading in to the Prater is the "Hauptallee", which is lined with Horse Chestnut trees, now denuded of leaves. Each tree is sleeping for the winter, its photosynthesis enzymes largely inhibited by the cold.

Evolution and photosynthesis


A simple question occurs -- why do leaves fall (from deciduous trees)? What evolutionary advantage is conferred by this loss? One answer might be that the leaves could cause snow to accumulate more heavily in the branches, leading to breakages and subsequent diminution of the tree's ability to photosynthesize in spring. Or perhaps the leaves represent a potential energy loss, due to the temporary breakdown of photosynthesis, and therefore this burden is reduced, because otherwise the task of maintaining circulation to all of the leaves (I'm assuming sap is circulating along with water to keep the leaves moist) could eat into the tree's stored glucose energy reserves. As an illustrative example, evergreen trees have a different leaf structure, which doesn't support snow accumulation in the way that a broad, flat leaf from a deciduous tree might. Evolutionary biology is fun, especially when you have no idea about what it all means....

Walking in the park is a great time for thinking, and reflecting on strategies and choices I face, in business and personal life. I find that maintaining a connection with the natural world of trees and parks (however nebulous) is helpful as a grounding process, to ensure that my decisions are optimal (as far as I can tell.) A brisk walk certainly helps with the oxygenation of the brain, although dogs are less interested in the speed of a walk, focusing more on the stops along the way, and the accompanying smells and opportunities to mark territory.

Grumpiness and Insecurity

I'm a little grumpy this morning, after pulling a muscle during weight training before breakfast. Then I found my company car park was occupied, which means regular trips to refresh the paid parking on the street. So I'm in the mood to tackle a topic which may raise a few hackles.

In recent months, I've been reading and thinking on the topic of atheism. First, I've been reading Richard Dawkins' excellent book, "The God Delusion." I really enjoy the writer's style, and find his arguments cogent, logical and well-founded in reality.

Digg presented a link to the Rational Response Squad, a young group of militant atheists who are challenging other atheists to "come out" on Youtube by blaspheming their religion of choice. While I understand their motivation, I'm not sure that it's the most productive approach, although it will certainly increase their media exposure -- which is why I guess they're not using their real names. I was brought up in a nominally Christian culture, and have attended a variety of churches on many occasions, but I don't feel it's necessary to denigrate others' choice of belief.

An obscure New Zealand theologian, Lloyd Geering, became well known for being tried for heresy by the Presbyterian Church. He rejects supernatural explanations of the divinity of the historical character of Jesus, yet remains a church minister and nominal Christian, while being as close to atheism as most Christian churches will tolerate (although this does seem to be an increasing trend among the thinking Church-goer.) His autobiography, "Wrestling with God", is worth a look as the life story of an interesting and thoughtful thinker.

Dawkins has provided a useful scale of unbelief:

1. Strong theist. 100 per cent probability of God. In the words of C. G. Jung, 'I do not believe, I know.'
2. Very high probability but short of 100 per cent. De facto theist. 'I cannot know for certain, but I strongly believe in God and live my life on the assumption that he is there.'
3. Higher than 50 per cent but not very high. Technically agnostic but leaning towards theism. 'I am very uncertain, but I am inclined to believe in God.'
4. Exactly 50 per cent. Completely impartial agnostic. 'God's existence and non-existence are exactly equiprobable.'
5. Lower than 50 per cent but not very low. Technically agnostic but leaning towards atheism. 'I don't know whether God exists but I'm inclined to be sceptical.'
6. Very low probability, but short of zero. De facto atheist. 'I cannot know for certain but I think God is very improbable, and I live my life on the assumption that he is not there.'
7. Strong atheist. 'I know there is no God, with the same conviction as Jung "knows" there is one.'

I'm probably around a 6 on the scale, but may change as I near death (despite recognizing the flaws inherent in Pascal's Wager. :0)

If I were to apply a label, I guess I might call myself a Bright.

My own tendency is towards a more Buddhist philosophy, which interestingly has much in common with modern atheism, rejecting supernatural explanations for phenomena, and denying the existence of "miracles." While some Buddhists may worship the Buddha as a divine being, I believe most of us view him as an enlightened man, who left behind a very effective and powerful philosophy. I certainly equate the traditional view of a Sky-Father (Odin perhaps?) with more recent innovations such as the Flying Spaghetti Monster, who seems to have just as much evidence of existence.

Faith is the keyword most often used by religious apologists, in order to justify their irrational thinking, and of course Dawkins sees this as a species of disorder -- a "faith sufferer" being one who has been infected by a powerful virus of the mind, a "meme." However, I feel that faith is a word that we should not allow to be wholly appropriated by the Christian, Muslim, Hindu or Jew -- as I have faith in the evolutionary capacity of humanity to adapt to even the difficult conditions which our overuse of natural resources has caused. I particularly admire Dawkins' spirited advocacy of the Great Ape Project, which proposes a type of United Nations Rights Charter for higher animals, such as gorillas and orang-utans. As a vegetarian since 1978, I share many of the views of the Project's founder Peter Singer, who propounds an ethical yet humanist view of the world which seems very Buddhist to me -- the idea that we can have compassion for all living creatures.

31 January 2007

Birth of a Blog

Despite being around on the Internet since the mid-1980s, I have resisted the temptation (until now) to wax prolix in the new medium, thinking that my views offer little that is original, thoughtful or even entertaining.

That changes now. I'm ready to inflict my writing on a hypothetical audience, and open up some streams of opinion, neurosis, occasional insight and more frequent venting. As I approach later middle age, I consider that I have earned the privilege to cast a curmudgeonly eye over the events, follies and long term trends that occur within my limited area of competence.

Writing is a solitary pursuit, and no doubt will reveal more about the preoccupations and insecurities of the author than is desirable, or even tasteful. However, I am happy to hold forth on some of the subjects that I like to study (and occasionally teach), including:
  • Information Security
  • Web Design
  • Risk Management
  • Atheism vs. Religion
  • Mathematics
  • Buddhism
  • Golf
  • Life in Austria
  • New Zealand
  • Contemporary Music
  • Science Fiction/Fantasy
  • Astronomy/Astrophysics


I don't claim to be qualified in any of the above, but somehow have found my way into teaching courses at Webster University in Vienna, Austria. My students kindly pretend a keen interest for hours at a time once a week (classes are usually from 6 p.m. until 10 p.m.), and suffer from my occasional digressions while I should be teaching Mathematics for Computer Science.

I've just returned from a month of travel around New Zealand (my Ur-Heimat), where my lovely wife and I have been catching up on relatives, friends and making new friends (and perhaps occasional enemies.) The EnZed weather in January 2007 was generally good, but Southland found a few days of cold and rain, as usual. Tourism has been NZ's number one source of revenue in recent years, and I believe it will continue to grow. As a Gedankenexperiment we began planning a hypothetical future tourism-related business, wherein we might conduct guided tours around NZ for wealthy foreigners who want to learn more about connecting to the land in a spiritual way.

In our view, most NZ natives who haven't lived outside of the country for a significant period of time don't realize just how special the land is, and that it's possible to share this special quality with visitors who might be very experienced travelers. Kiwiland is geographically a very young and active country, and is one that is most recently settled by human beings, and their co-colonizers, the mammals (especially the large numbers of sheep, cattle and other farm animals -- all major contributors to carbon emissions.)

What does it mean, to connect to the Land? (I use the term partly shamanistically, recognizing a non-specific animism.) First, birth in a country doesn't in my view automatically lead to a deep connection with the land that sustains it. My own birth took place far from New Zealand, but I believe I made the connection anyway, after growing up and living there for many years. Part of connecting to the land means developing an appreciation for it, and a respect for the natural order of things. Perhaps this may be but a Thoreau-inspired reverie, but my feeling is that the natural world is part of the human condition, regardless of the reckless confinement of cities. A great privilege for those living in New Zealand is the great ease with which its denizens may "go bush", disappearing into forests or mountains, swimming in the sea, walking the beaches and bush trails, even climbing the mountains or sailing on its waters. This is an experience which is denied to almost none, due to its great accessibility. For some, the connection is made quickly, requiring only occasional refreshment, for others they may require frequent and extended stays outside of the cities -- while sadly some never seem to make the connection at all.

What is this connection of which I write? Perhaps a growing awareness of interconnectedness -- that we are in some way an eternal part of the land that sustains us, in every important sense we arise from the land, are sustained by it, and will return to it in due time. Most human beings think that conception leading to our birth is all that we are -- but the raw materials required come from the food we eat, which in turn arises from the land in its own way. The most commonly occurring metal in our body is calcium, which in turn is found in the earth that grows our plants, and feeds the cattle that we (some of us) eat. No human being can grow without that mineral, therefore we are ultimately dependent upon the good regulation of the land.

Reviewing the above paragraphs shows me how easy it is to go off-topic. Fortunately, having your own Blog means there isn't any topic which is really off-topic. This experiment may falter, and result in just a few forlorn entries, bereft of substance. Or, hopefully, it might act as a trigger to help me with some other writing projects.

My original intent for this Blog was to provide a series of views on Information Security and Risk Management. I chose the term "security-risk" as a reminder that the heart of information security is the art of Risk Management. Recent years have seen best practices in security codified as standards, including BS7799 Parts 1 and 2, then ISO17799, finally becoming the new ISO27001 et seq. standards. Risk Management as a discipline in Information Security Management is becoming increasingly important. For more on these themes, check out this white paper on deploying an ISMS.

A secondary goal is to raise awareness of Risk Management (RM) and Risk Assessment (RA) techniques and tools within the IT industry. Most European Banks are already being driven by voluntary compliance with Basel II recommendations for Operational Risk Management, while Sarbanes Oxley has established a baseline for corporate governance in North America. Unfortunately, a casual inspection of news reports shows that many SMEs and large corporations still don't get it. It's simply not enough to buy the latest generation of firewall appliances, or readily accept the glib assurances of software and operating system vendors. Security has to be managed as a business process, which requires commitment, energy and intelligence, and a willingness to learn from the mistakes of others.

In summary -- this should be an interesting ride. There will be a few digressions along the way, but I can promise you a few relevant on-topic posts, and even an occasional shared insight, if one should surface.

cheers!