Friday, June 27, 2014

Home Networking with FIOS - Don't cross the streams.

As you may remember from my article Adventures in Home Networking, we very badly wanted to get out of using Cablevision. They'd agreed to a price to provide service to our home, but then consistently billed for significantly more per month than the agreed-to price. We got the NY Public Service Commission involved, but every month's bill turned into a new argument with Cablevision, with the PSC insisting that they accept the payment of the agreed-to amount. Cablevision would accept the payment and leave the service connected, but rebilled the unpaid difference the next month as an amount past due. There were some months they'd insist they hadn't received the payment and we'd have to get a 3-way call between the bank, Cablevision and the PSC to establish that Cablevision indeed had collected the previous month's money from the account and then misplaced it.

We got tired of that monthly argument, and looked for alternatives. The hard part was finding Internet service. Given Internet, it is easy to get phone service (e.g. Vonage or MagicJack), and there are non-cable alternatives to television service (e.g. DirecTV and Dish satellite service). We had tried Hughes Satellite Data service as an Internet Service Provider, but found it to be expensive (limited data transfer allowed per month), high latency and noticeably prone to dropping packets. We concluded that Hughes would not be a good substitute as an Internet Service Provider for our home. As I described in that January, 2014 article, we also worked out how to put our home on AT&T's Mifi service (cellular LTE data service). The problem we had with it was again limited data transfer allowed per month, $10/GB for overages. It was fast enough, and seems reliable enough, but at $52/month base, is somewhat expensive. It also had the irresistible temptation to take the access point along when traveling out of the house, but that would leave the house without service while the Mifi was on the road. In the end, we kept the Mifi box and grudgingly pay the $52/month just for the convenience of having Internet access while away from the house. (Well, the other rationalization of the $52/month is that it ensures that I have Internet service even if my home's ISP is out of commission. It's not just that I'm addicted to blogging. I use the Internet for work too.) Cablevision, of course, sings a song about having Wifi hot spots in many places. But our experience with those is that often the signal is too weak to be usable. For example, there is no Cablevision Wifi at our house. If I go down the block, there is Cablevision Wifi in the nearby park. At our local supermarket, there is a signal if you walk out to the sidewalk near the street, but inside the store you are out of reach. Similarly, at some of my doctors' offices, there is a signal out at the street, but inside at the reception desk, the signal isn't strong enough to be reliable. The Mifi box is more secure (uses your own WEP password for encrypted Wifi) than Cablevision's unencrypted Wifi, and AT&T Mifi seems to work well even inside low-rise buildings such as are common here in the suburbs.

So, after running out of alternatives, we decided that we'd drop Cablevision and go with Verizon FIOS even though it wasn't going to save us any money. The one advantage seems to be that FIOS includes Jimmy Swaggart's Son Life Network which my wife enjoys. If you want to hear a disgraced minister sing hymns, maybe you'll like it too. It's probably easier to enjoy if you simply reject those repeated charges of cavorting with prostitutes as "obviously" false (New Orleans and Los Angeles). If I was providing a sound track to go with this paragraph, I think I'd opt for the Beach Boys "California Girls". I'm just not creative enough to produce a mix of that and some suitably religious ditty. Not that it is in any way a religious ditty, but how come it seems so rare that the radio ever pairs up California Girls with "Back in the USSR"?

It probably helped minimize any shock from the bill that the price negotiation with FIOS was done by me, not my wife, so we came away with more realistic expectations of what the bill was really going to be. Verizon loves to tack unpleasant surprises onto the bill. e.g. unless you ask, the prices they quote don't include things like $27.98 "Taxes, Governmental Surcharges and Fees" and $25.55 "Verizon Surcharges and Other Charges", but the bill includes those. The first 3 months of service also carry an extra $49.99/month "Activation Fee". There were still surprises to be found by careful inspection of the bill. My wife is flummoxed by the notion of keeping an address book organized by name so you can find people's contact information. Her habit is to write the info on scrap paper, which she then loses, so she repeatedly calls 411 to get the number again. In one month that was 30 calls to 411 at $2.49/call. I keep pleading with her to learn how to use Google, but that just turns into my having to do it for her and getting peeved when I recognize that I'm looking up the same information as I'd given to her before. I wrote some of the contacts into a bright orange address book and she acts surprised every time I show her that she already had the information there.

Video problems with FIOS

The other bad surprise, in our 2nd month bill, was $156.03 for a service call we'd placed with Verizon. Multi-room DVR playback to rooms remote from the actual DVR was unreliable. They sent a guy out to troubleshoot the problem, but he didn't fix it and he didn't write it up as a Verizon problem, so they billed us for an hour of labor. I protested and they did deduct the labor and the tax on the labor from that month's bill. We found more ways to demonstrate the video problem and called for yet another repair visit. The 2nd repair guy was unable to fix the problem too, but we learned a little from chatting with the guy while he was here. In the world of Cablevision, so far as I can discern, data service and television service are quite separate, sharing the same physical cable but traveling in separate channels. But with FIOS, each television set-top box gets an IP address. Some television services depend on being able to talk via the Internet router to get video to the set-top boxes. Remarkably, the Verizon service folks don't have any kind of protocol analyzer or even a simple bit-error-rate monitor to give them visibility into what is going on in the home network.

The first repairman's visit wasn't without value. He noticed that our HP printer was assigned IP address 192.168.1.100. This had been our household's long standing convention, so any PC could know how to reach the printer without needing DNS or something complicated to find it. But 192.168.1.100 through 192.168.1.150 are "reserved" by Verizon for use by their set-top boxes. Oops. So I reassigned the printer to be 192.168.1.99 and adjusted the configurations of each of our PCs accordingly. This did make access to the printer more dependable, without having to fuss with power cycling it after a period of disuse, which had been the state of things since we switched to FIOS. But it didn't get rid of the problem with multi-room DVR playback. We'd also found that the FIOS video tutorials, which are short video-on-demand clips from some central server of theirs, also had similar problems of occasional stalls and pixelization in playback. The 2nd repairman saw the problem happening and after examining the router configuration opined that we just had too many devices on our home network for the level of service we'd subscribed to. (Our service is their 50/25 speed. For more money, we can have more bandwidth, but since I'd seen the whole house [excluding FIOS video, of course] doing fine with LTE cellular data service via AT&T Mifi, I didn't think that was a good explanation of what was wrong.) To the fellow's credit, he did take the time to disconnect portions of our home network from the router until the problem went away. At that point I had to accept that the problem somehow lay with our home network, though further trial and error would be needed to find the real problem.

So, at this point we had as our only instrumentation that when the problem wasn't present, we could watch Verizon FIOS training videos without a problem, and that when the problem was present, a few minutes of playing the training video would result in pixelization and stalled playback. I set about through trial and error to find which of the wires he disconnected mattered. My first suspect was the long cat-5 cable to the router in the garage apartment. The dog had occasionally chewed on that cable and we'd taped it up and it seemed to work well enough, but I certainly wasn't prepared to swear the cable still met all cat-5 specifications. I plugged it back in to the FIOS router and the picture stayed clear, so it wasn't that cable. The only other cat-5 cable I knew about was the one that runs through the attic to get to the rear bedroom where the printer resides. The puzzler was that while doing my wall crawl to reconnect things, I found 2 cables running up to the attic. What was the additional cable? Took some more crawling in the rear bedroom to figure it out. Turns out we had 2 cat-5 cables running from the front bedroom to the rear bedroom. Once upon a time, one was for the PC in the rear bedroom and the other was for the printer, but now the PC and the printer are connected to an inexpensive 100-base-T switch so the 2nd cat-5 cable to the room is unneeded. Mistakenly, both cables were plugged into the Verizon router in the front bedroom, and both were plugged into the switch in the rear bedroom. That's just plain wrong: two parallel links between the router's switch ports and an unmanaged switch form a layer-2 loop, and with nothing like spanning tree blocking one of them, broadcast frames circulate endlessly and the resulting storm disrupts everything else sharing the segment. I don't think it ever bothered the Linksys router that used to be in the front bedroom, but the FIOS router showed video playback problems unless you disconnected the erroneous 2nd cable from the router to that 100-base-T switch. Oops. Mixing video playback in with the mostly non-realtime Internet data traffic apparently got fouled up by the wiring mistake. What a pity that Verizon didn't have appropriate tools for their field support people to really find this problem. Anyhow, now that the extra wire is disconnected, things have been much better with the multi-room DVR.

More FIOS Woes - You Own the House Wiring

But we did have other FIOS problems. Cablevision ran a coax cable to a "cable modem" in the front bedroom. There were 2 phone jacks on the cable modem that provided our house phone line and our fax phone line. FIOS doesn't work that way. FIOS mounted a big white box on the outside of the house and ran the fiber to that box. They also installed a large UPS on the wall inside the house and ran power from the UPS to the white box on the outside wall. They then re-used Cablevision's coax cables to connect a coax cable from the FIOS box to the various TVs via a splitter box on the outside wall just below the FIOS box. There is no "cable modem" box as we had with Cablevision, but the Verizon Internet router has a coax connection of its own that it uses to talk to the FIOS network, including the set-top boxes. The outside FIOS box also has about 8 phone jacks in it. So, Verizon ran 2 phone lines from those jacks to ancient NY Telephone demarc boxes on the outside wall, to tie the 2 phone lines to the ancient inside house wiring. The deal as I understood it was that as long as Verizon provided dial tone at the demarcation box, any remaining phone problem was a "house wiring" problem and is only covered by Verizon if you pay them a ridiculous monthly surcharge.

After a particularly rainy Spring night here, the Fax machine lost its dial tone. I knew I had a corded phone around the house, but darn if I could find it. So we traipsed off to Walmart where for $6 I bought a nearly featureless corded phone. It looks sort of like an old Trimline phone, but I found the base is just a place to set down the handset. The wire from the wall jack runs straight through the base and into the handset. The touchtone keypad, ringer, etc. are all in the handset.

Armed with my corded phone, I could verify that things were funky at the demarc boxes. For starters, the boxes weren't labeled with current phone numbers, but worse, the installer had hacked around some problem in at least one box so the modular jack for test access wasn't working at all. So we arranged for a service visit for the coming Monday for Verizon to look at lack of a dial tone on our 2nd line.

More FIOS Woes - the Fragility of the Fiber from the Pole to the House

But Friday, before we ever got to that Monday service visit, something happened to our FIOS service. We lost everything - TV, phone and Internet. Verizon, contacted via cell phone, agreed to send a repair guy out on Saturday. The FIOS box has an LED in it to tell the repairman if the fiber is delivering a signal to the FIOS box. It immediately told the repairman that there was no signal. Alas, he arrived on a truck with ladders, but the fiber drop cable to our house is connected to the distribution fiber mid-span, between 2 telephone poles, so the junction is only accessible with a "cherry picker" truck.

From the ground, something looked dangly at that junction, but nothing was actually lying on the ground. So we waited for them to dispatch a cherry picker truck with a buddy of the repairman's to help him. Once that arrived, they determined that something had severed the junction from the distribution fiber to the drop fiber. So they had to replace the drop fiber. This was surprising to me as this is now my 4th drop fiber in the short time I've had FIOS service. The first drop fiber was installed much like this one, but drooped a little low over the street. One day a large cement mixer truck drove down our street and managed to knock down our fiber and the one to the house next door too. So Verizon sent a repair crew to replace the fibers to our homes. They sent 2 trucks, one for each house, but they decided to work together. The lady with the ladders worked the house end of the job and the guy with the cherry picker truck worked out by the poles on the street. I was impressed with the result. At the house, the fiber came off a board sticking up from the peak of the house's roof. It then flew super high across the street direct to the pole at the corner. It was well clear of any trees and certainly too high to ever get struck by a passing truck on the street. Beautiful looking installation. Alas, it was no match for Hurricane Sandy. Fiber #2 ended up on my lawn after Sandy passed through. Annoyingly, Cablevision's coax to our home survived the storm just fine. Since we were off of FIOS by the time of Sandy, we only had Verizon out for a non-emergency clean-up call to get their fiber off of my lawn. Of course, when we resumed FIOS service this Spring, the installer had been told this was a simple re-connect of a previous customer. Lots more to the job than he'd expected. He installed drop-fiber #3. It ran from the board at the roof peak through the trees to the mid-span point where drop fiber #1 had been attached to the distribution plant. I think the board at the peak added enough height that #3 was going to be safe from passing trucks. But the community center opened up and installed a driveway under the distribution span. The guy who installed drop fiber #4 opined that maybe a school bus turning into the community center disturbed the distribution fiber enough to jostle our drop-cable into failing. He put in a request for the outside plant people to come around to raise the distribution cable a smidge where it crosses the driveway, but I didn't see them come to do that. We'll just have to wait and see how long drop fiber #4 lasts.

The Internet tells me that I'm not the only FIOS customer having repeated service calls for fiber repair: Hungry Ants Knock Out FIOS Service ... Again. I can only assume that these problems are evidence that fiber to the home is new technology and there will be some time before they gain enough experience to work out the Field Engineering kinks to make this reliable. The price of repeatedly replacing the drop cable presumably is enough motivation to encourage Verizon to eventually get it right. The Mifi box and my cell phone at least make it tolerable when we have an occasional day of no FIOS service. Of course, there is the annoying whining sound of my wife complaining when she misses an episode of General Hospital, but so it goes.

When the fiber connection to the outside FIOS box was restored, I asked the Saturday repairman to look at the problem of no dial tone to our Fax machine. He advised that the white FIOS box is now the point of demarcation. He verified that there was dial tone available on lines 1 & 2 at the FIOS box, but that means the crappy old NY Telephone demarc boxes are now part of the house wiring that is my responsibility.

So I looked and found on the house a disused demarc box that then had a phone line running back to the rear bedroom. My wife reminded me that some years ago her Aunt Dolly had lived in that rear bedroom and had a phone line of her own. Aunt Dolly has long since moved out of here and is now deceased. We attended her funeral this Spring. So, I snipped the wire off the old NY Telephone demarc box and ran it into line #2 inside the FIOS box. I added a new modular jack to the spot where that line comes into the rear bedroom and then ran a phone cable from that modular jack to the Fax machine. Voila, the Fax machine has dial tone again and we're using less of the ancient house wiring than we'd been using before.

The future of FIOS??

There's some evidence that Verizon is unhappy with their return on investment in converting their distribution network from copper to fiber. e.g. Wall Street Journal: Verizon to End Rollout of FIOS and DSL Reports: Verizon Again Confirms No Future FIOS Expansion. Will the day come when they try to close down their fiber business? Seems unlikely to me, but we do live in "interesting" times.

I've got to wonder where are the regulators in the process of Verizon making non-aggression pacts with the cable television companies. e.g. Verizon’s Anti-Aggression Treaty With Big Cable May Be the End of FiOS. I really think it is better for the economy when the cable companies have at least one competitor in every neighborhood, preferably one with a different technology and the fire in the belly to want to rewire the country to fiber. Verizon once upon a time had that fire, but now, like AT&T, seem to have lost their sense of direction. Too bad!

Cross the Streams?

I keep forgetting that Ghostbusters was an increasingly long time ago (1984). When our FIOS video problems turned out to be from the mixing of Internet traffic and FIOS video packets, Egon's warning about the dangers of "crossing the streams" immediately sprang to my mind. If you haven't seen Ghostbusters recently, you really should rush out and rent it. But thanks to YouTube, we can give you the relevant clips from the movie. First, the scene where Egon warns "Don't cross the streams!" And, second, the climactic scene where the team makes a slight change of plan and deliberately crosses the streams. A bit of a spoiler, but you still really should see the whole movie.

Message In a Bottle

If you know someone who maybe knows someone in Verizon who'd be in a position to officially react to this note, please pass along the link to this article. I'd be delighted if my woes actually got to the ears of someone who could be properly embarrassed at the lack of network diagnostic equipment in the hands of the Verizon field support staff, or the need for improved field engineering of drop fiber installation and could maybe nudge Verizon in the direction of actually doing something about it.

Sunday, June 22, 2014

How Secure is Your part of the Internet?

Problems with Internet security have been much in the news lately as our homes have been getting more and more connected to the Internet with the growth of the Internet of Things. Please note that I'm one of those people who make a distinction between the terms hacker and cracker.

Image borrowed, without permission, from http://ariefuchulz.blogspot.com/2012/02/hacker-vs-cracker.html, apparently the blog of Arief ucHulz.

A specific recent report that caught my eye:

Until We Fix Our Connected Homes, Crackers Will Keep Screaming At Babies

The simple conclusions offered by that article are that if your home is connected to the Internet, to be secure you should:

  1. Take care to set secure passwords on all your devices. Leaving the manufacturer's defaults in place is just asking for intruders to come by.
  2. Register your devices with their manufacturer so the manufacturer can get in touch with you about security updates. Unsaid is that such registration will open up your e-mail inbox to a likely flood of promotional e-mail (a.k.a. spam).
  3. Keep your device's firmware/software up to date. Unsaid is that not all devices can accommodate updates, and not all manufacturers put much effort into providing updates on old products. Maybe the manufacturer no longer makes that product. Maybe the manufacturer no longer supports that product. Maybe the manufacturer has gone out of business.

The article mentioned briefly that the homeowner had "secured" their home's router that connected their home devices to the Internet. I wished that article had explored that statement in a little more depth. "Securing" a router is quite an essay topic in itself. If you have a router connecting your home to the Internet, please stop and consider how secure is it?

  1. Have you set a secure password so only you have administrator access to your router?
  2. Assuming your router provides you with Wifi (wireless Internet connectivity), have you configured the router to have a serious, non-default password protecting your Wifi network from intruders? There's more than one choice available for Wifi Encryption. Which Wifi encryption option have you picked? If you picked WEP, you'd be well-advised to switch to WPA2. There's freely available software that anyone with a notebook PC within range of your Wifi signal can run (e.g. Automatically crack Wifi with only 30 seconds work. I offer the link as an example, but haven't actually tried to follow that page's instructions myself). The software needs only to listen to your WEP-encrypted traffic for a short time and it will then reveal what the password is that your Wifi network is using. In other words, WEP encryption isn't at all secure if faced with anyone who wants to intrude on your wireless network.
  3. And now we get to the hard question: What is your router configured to do with incoming traffic from the Internet? If the router rejects all packets coming from the outside world, it isn't going to be much use. If you use your browser to visit a web page, you send out packets requesting the web page and the web page's server sends back packets that tell your browser what the web page says. If you configured your router to reject those outside packets, you'd likely be most unhappy with your router's behavior.

    Most routers will let you accept only traffic that comes in reply to packets that you sent out to the Internet and that covers most cases. But there are ugly cases where, for example, you initiate an FTP connection and the remote FTP server replies using a different port than the one that you used to initiate the connection. If your router is configured to reject packets that don't look like replies to traffic that you initiated, you're likely going to have trouble doing FTP file transfers.

    A stickier problem is whether you ever want to access your home network from elsewhere. For example, some folks have home security systems (or perhaps a baby monitor) and want to be able to check in on it from their travel PC while away from home. Almost certainly that requires the router to be configured to allow outside Internet traffic, traffic that isn't in reply to inside traffic, to come into your home. How secure is your home network to outside traffic coming from a wannabe intruder?
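The three behaviors described above (accepting only replies to traffic you sent, the active-FTP exception, and a deliberate opening for remote access) as a toy stateful filter. This is an added example written for this page, not code from the post or from any real router; the addresses, ports and packets are constructed, and NAT is left out so the outside hosts are shown talking to the LAN address directly.

```python
"""Toy model of the home-router filtering rules discussed above.

Constructed example for this page, not code from the post or any real router.
Addresses, ports and packets are made up; NAT is omitted, so the Internet side
is shown talking to the LAN address directly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def parse_port_command(payload: str):
    """Decode an active-mode FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    fields = payload.split()[1].split(",")
    ip = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return ip, port


class StatefulFilter:
    """Admit inbound packets only if they reply to traffic the inside sent
    (ESTABLISHED), were announced by an application helper (RELATED, the FTP
    case) or hit a deliberately forwarded port.  Everything else is dropped."""

    def __init__(self, port_forwards=None, ftp_helper=False):
        # 4-tuples (inside_ip, inside_port, outside_ip, outside_port) seen outbound
        self.connections = set()
        # (outside_ip, inside_ip, inside_port) pre-approved by the FTP helper
        self.expected = set()
        # inbound destination ports deliberately opened to the Internet
        self.port_forwards = set(port_forwards or ())
        self.ftp_helper = ftp_helper

    def outbound(self, pkt: Packet) -> str:
        self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        # Active FTP: the client names a port for the server to connect back to.
        # A helper that reads the PORT command pre-approves exactly that one
        # inbound connection instead of the user opening ports permanently.
        if self.ftp_helper and pkt.dport == 21 and pkt.payload.startswith("PORT "):
            ip, port = parse_port_command(pkt.payload)
            self.expected.add((pkt.dst, ip, port))
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "ACCEPT (established)"
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.expected:
            self.expected.discard(key)
            self.connections.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT (related)"
        if pkt.dport in self.port_forwards:
            return "ACCEPT (forwarded)"
        return "DROP"


def demo(ftp_helper: bool = False, port_forwards=None) -> dict:
    """Run the situations from the text through one filter configuration."""
    fw = StatefulFilter(port_forwards, ftp_helper)
    client, server, stranger = "192.168.1.50", "203.0.113.10", "198.51.100.7"
    results = {}
    # 1. Browsing: the request goes out, the web server's reply is let back in.
    fw.outbound(Packet(client, 40000, server, 80))
    results["web_reply"] = fw.inbound(Packet(server, 80, client, 40000))
    # 2. An unsolicited connection attempt from an unknown host.
    results["probe"] = fw.inbound(Packet(stranger, 5555, client, 23))
    # 3. Active FTP: the data connection comes from server port 20 to the port
    #    named in the PORT command (156*256+66 = 40002), so it is not a reply.
    fw.outbound(Packet(client, 40001, server, 21))
    fw.outbound(Packet(client, 40001, server, 21, "PORT 192,168,1,50,156,66"))
    results["ftp_data"] = fw.inbound(Packet(server, 20, client, 40002))
    # 4. Checking a camera from the road: inbound to 8080 nobody inside asked for.
    results["camera"] = fw.inbound(Packet(stranger, 6000, client, 8080))
    return results


if __name__ == "__main__":
    print("reply-only            :", demo())
    print("FTP helper + fwd 8080 :", demo(ftp_helper=True, port_forwards={8080}))
```

With the reply-only rules the web reply gets in and everything else is dropped, FTP data connection included; enabling the helper admits only the one announced data connection, and the port-forward opens exactly the camera port to anyone on the Internet, which is the exposure the last question above asks about.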

You can try to secure your home, device by device.

Consider, for example, the HP Inkjet printer in my home, an HP 7410 all-in-one printer/scanner/copier with built in Wifi capability. When we first set it up, we put it in a room that didn't have wired ethernet available so we configured it to use that built in wireless capability. Worked wonderfully. Then as I became aware of how easy it was to break WEP encryption, I decided to reconfigure our home router to use WPA2 encryption. Surprise! The HP 7410 printer's built in Wifi support only knew how to handle WEP, not WPA2. I looked into how to upgrade the firmware of the printer, but so far as I can see, the firmware of that printer is permanent, not updateable. Now, for all I know, I could go out and get a new printer that has WPA2 support, and probably has other advantages like, perhaps a faster printer speed and just maybe less expensive ink. (well, I can dream, can't I?). But this printer still works fine, so I'd feel guilty throwing it away just because it doesn't support secure Wifi. So, instead, I grumbled and bought a long Cat-5 cable so I could have a wired ethernet connection from the router to the room with the printer. For less than $10 we also added a wired 8-port 100-base-T ethernet "switch" to that room so we could easily connect all the devices in that room to the wired network. I talked a bit more about my home network back in January. See: Adventures in Home Networking

Barry Shein, one of the early pioneers of the Internet as we know it today, recently posted this note to Facebook:

Internet security is so bad because it was never particularly designed to be secure.

I've been on the net since the 1970s, involved in its technology and politics. I don't remember anyone ever saying or promising "and it has to be secure, right?" until the 1990s.

What happened is in the 1990s a bunch of people figured out how to make A LOT OF MONEY off the net, or save a lot of money, same thing.

But most of their plans required the net to be secure.

So security became a BIG ISSUE. Ok.

It's like coming to a river in your car and thinking hmm, maybe I can just slap some wings on this thing and fly across.

The power of the net is that it enables everyone to share information very easily and very widely.

Now, re-read that sentence with security in mind.

If you aren't uncomfortable yet, I've got more for you to read. Shortly before Barry posted that cautionary note on Facebook quoted up above, he posted on Facebook:

If you try to engage me in a conversation about computer and network security and I don't know for a fact you're an expert I'm going to check whether you read this article. And if you haven't I will politely ice you out.

Everything is Broken

Now there are many different opinions as to what you should do. I don't have the energy or time this morning to track down exact references for what Richard Stallman suggests, but at the risk of mis-reporting what he has in mind, I'll tell you what I think he has said:

  1. Don't trust software that you can't examine and modify on your own.
  2. Don't allow untrusted 3rd parties to have control of the software on your devices. e.g. allowing auto-updates of your PC by Microsoft, Apple, Adobe, Oracle (Java) and Google (Chrome, Android) is imprudent. Even if you trusted the software after careful evaluation of it yesterday, how do you even know what the software you are running today will do?

The trouble with "trust no one!" is that you are cutting yourself off from much of the world. And even if you insist on only running software where you can examine the source code, you likely are only fooling yourself. There's too much software in layers and layers for you to have any hope of being able to detect security problems. Security problems can be quite subtle and hard to recognize. Consider for example the recent brouhaha over the security of OpenSSL in its Debian implementation. The source code was all open and freely available, but it took years for anyone to notice that a security bug had been introduced into the code. The xkcd comic had some good jibes at the security of other open-source systems: http://xkcd.com/424/.

I'll go so far as to suggest that if you refuse to allow auto-update of the software on your devices, you are doomed to never being able to keep anywhere close to current on the latest security updates. There are just too many of them and they come out too often to try to track them by hand. And you'll have a hard time convincing me that the reason you insist on tracking them by hand is you want to research what each one is about before you install it. Good luck with that!

And then there's the problem of web-services like dropbox, gmail, Google drive, Google docs, Facebook, ... Pearltrees, and the list goes on. Generally, you don't get to see the source code that implements those services, and often you have no control over when that service implementation is updated. At some point you have to decide which suppliers you are willing to trust. Stallman will tell you that Facebook surely doesn't belong on that trusted list. My wife has no Facebook account and insists that no one should share her picture or name there. Her children don't buy into that "no Facebook" policy because it would cut them off from keeping in touch with their friends.

I could go on and on, suggesting that you look into "Virtual Private Networks" for securely allowing connections from the outside Internet into your home. But you pretty much have to trust somebody to do the right things to protect you.

But who can you trust? 12 biggest baddest [known] software backdoors of all time. "all time" in that title underestimates what the future could hold. And the article isn't very keen to point out that it is only talking about known backdoors. Goodness knows what unknown backdoors are lurking out there.

In closing, here's a 17 minute TED talk that defends "hackers" as a necessary part of the Internet ecosystem. The talk doesn't draw a distinction between hackers and crackers, but so it goes.

Hackers: The Internet's Immune System.