Network Field Day 2: Network Boogaloo

Posted on by
5

Guess who’s back?

I’m headed to yet another Tech Field Day event!  This time, I’ll be attending Network Field Day #2 in San Jose, CA on October 27th and 28th.  I read about the first Network Field Day last year and learned a lot about the vendors and presentations from the delegates.  Now, it’s up to me to provide that same kind of response for Net Field Day 2.  The delegate list this time around is quite awe-inspiring for a guy like me:

Kurt Bales Network Janitor @NetworkJanitor
Ethan Banks PACKETattack @ECBanks
Tony Bourke The Data Center Overlords @tbourke
Brandon Carroll BrandonCarroll GlobalConfig @BrandonCarroll
Greg Ferro EtherealMind PacketPushers @EtherealMind
Jeremy L. Gaddis Evil Routers @JLGaddis
Ivan Pepelnjak Cisco IOS Hints and Tricks @IOSHints
Mrs. Y. Packet Pushers @MrsYisWhy

I am humbled to be included in such good company.  The two Packet Pushers, Mr. MPLS himself, the man that beat IOU, the Aussie JNCIE/CCIE candiate, the walking security dictionary Brandon Carroll, and the Network Security Princess herself.  I think my invitation must have gotten confused with someone else’s.

Odds are good that if you are involved in networking at all you already follow all of these people on Twitter and read their blogs daily.  If not, stop what you are doing and follow them RIGHT NOW.  You won’t be sorry.  In fact, this is the first time I haven’t had to start following a Tech Field Day delegate on the list of attendees since I’ve been following these folks for quite a while.

Getting Inolved with Tech Field Day

Tech Field Day is always looking for amazing people to attend events and share in the wealth of knowledge.  There are lots of ways you can add your voice to the gestalt:

1.  Read the TFD FAQ and the Becoming a Field Day Delegate pages first and foremost.  Indicate your desire to become a delegate.  You can’t go if you don’t tell someone you want to be there.  Filling out the delegate form submits a lot of pertinent information to Tech Field Day that helps in the selection process.

2.  Realize that the selection process is voted upon by past delegates and has selection criteria.  In order to be the best possible delegate for a Tech Field Day, you have to be an open-minded blogger willing to listen to the presentations and think about them critically.  There’s no sense in bringing in delegates that will refuse to listen to a presentation from Brocade because all they’ve ever used is Arista and they won’t accept Brocade having good technology.  If you want to learn more about all the products and vendors out in the IT ecosystem, TFD is the place for you.

3.  Write about what you’ve learned.  One of the hardest things for me after Tech Field Day was consolidating what I had learned into a series of blog posts.  TFD is a fire hose of information, and there is little time to process it as it happens.  Copious notes are a must.  As is having the video feeds to look at later to remember what your notes meant.  But it is important to get those notes down and put them up for everyone else to see.  Because while your audience may have been watching the same video stream you were watching live, they may not have the same opinion of things.  Tech Field Day isn’t just about fun and good times.  Occasionally, the delegates must look at things with a critical eye and make sure they let everyone know where they stand.

Be sure to follow Tech Field Day on Twitter (@TechFieldDay) for information and updates about Network Field Day 2 as the date approaches.  There will also be streaming video of the presentations at the Tech Field Day website.  The videos will also be posted in their entirety shortly afterwards.  If you want to follow along on Twitter, you can use the hastags #TechFieldDay or #NFD2 to make comments or ask questions during the presentations.  I usually have a TweetDeck window open and will relay your questions along if no one else beats me to it.  I try to tag all my posts with the #TechFieldDay and #NFD2 hashtags, so if I’m overwhelming you with commentary feel free to filter that hashtag from your feed to keep me quiet.  In the past, I’ve tried to have an IRC channel open during the presentations to allow for real-time communications and feedback for those of you out there that prefer an alternative to Twitter.  Once I have the room setup I will post the details.

Tech Field Day Sponsor Disclaimer

Tech Field Day is made possible by the sponsors.  Each of the sponsors of the event is responsible for a portion of the travel and lodging costs.  In addition, some sponsors are responsible for providing funding for the gatherings that occur after the events are finished for the day.  However, the sponsors understand that their financing of Tech Field Day in no way guarantees them any consideration during the analysis and writing of reviews.  That independence allows the delegates to give honest and direct opinions of the technology and the companies that present it.

Blogging with the Packet Pushers

Posted on by
1

I’ve always believed that everyone has at least one good story in them.  People have anecdotes about funny times in college or goofy stories about their kids.  Tech-oriented people have even more stories that usually revolve around technology gone bad or interaction with non-technical people.  From the amount of studying and learning that tech-oriented people do, it is inevitable that knowledge is accumulated and waiting to be passed on.  The trick with all these stories and knowledge is finding someone to share it with.

Blogging is my preferred method of getting the thoughts out of my head.  Most of my friends an colleagues do the same.  Some of us have established blogs that have been going for a while now.  Others are just starting out.  However, there are even more of you out there with stories to tell and things to share without a blog.  Maybe you have no desire to keep up with the day-to-day drudgery of maintaining a blog.  Perhaps you don’t think you have enough in you to keep writing day after day.  You have even avoided creating a blog because you couldn’t think of a catchy title.  Let me tell you that I’ve got a deal for you that will eliminate all those issues for you.

As many of you know, I’ve been a regular contributor to the Packet Pushers Podcast.  Recently, Ethan and Greg have redesigned the site and started blogging more and more there.  They’ve also decided to open up the doors and invite some guest bloggers to write content for the site.  This is wonderful for those of you that are worried about blogging.  You don’t have to concern yourself with writing once a week.  Or month.  Or even year.  Just write whenever you feel the need to put something out there.  The Packet Pushers will make sure that everything is spelled correctly and put it up on the site.  You can be sure that your post will be seen by lots of visitors, as the Packet Pushers site gets hundreds every day and several thousand a month.  And you’ll get lots of feedback and comments for sure.

How do you get involved?  Send an email to packetpushers@gmail.com with the subject line “I Want To Blog With The Packet Pushers!”  You’ll get an account on the website for creating your post and the rest will take care of itself.  I look forward to see some of you writing on Packet Pushers and sharing all you’ve learned.  Remember, Too Much Blogging Would Never Be Enough.

365 Days of Blogging

Posted on by
2

My last real milestone to hit just came up.  This blog has now been around for one whole year.  I’m shocked to say the least.  I never believed that having a scratchpad for jotting down my ideas about troubleshooting would blossom into this.  Those of you that have followed me for a while know that I tend to flit around technologies from wireless to security to switching and back to posts about Apple computers from time to time (even though I don’t own one).  To see that I’ve been able to keep this going for as long as I have is either a testament to my stubbornness or the large amount of cruft floating around in my head.

My initial ideas about troubleshooting hit a writer’s block wall pretty quickly.  I started posting some things about my CCIE studies and the occasional voice-related article.  It took a couple of months before I started writing pieces based more on opinion than fact.  I was afraid at first.  I’m normally the kind of person that keeps my opinions to myself.  However, it was interesting to put my thoughts and ideas down on “paper” and see what people thought of them.  Opinion pieces don’t require paragraphs worth of console output or exhaustive testing.  Of course, they can also be wrong or inaccurate and subject to debate or correction.  Other bloggers have told me that opinion pieces aren’t for them due to the possibility of angering their audience or fear of rejection.  My advice is to give it a shot on something simple first.  Put your thoughts out there and see what the reaction looks like.  Remember the old adage, “If people agree with everything you’ve said, you aren’t doing your job.”

I find myself spending more time commenting on current events in long form now.  I do get a chance to discuss things on Packet Pushers from time to time, but when something really juicy comes up, I can’t resist adding my voice to the din.  Some of these articles are interesting, others not so much.  I tried my hand at adding some link aggregation pages every week or so but found that I didn’t really keep up with new things like I thought I would.  I really spend a lot more time out in the field doing rather than learning.  I’m not one for going over simple things that are well-documented elsewhere.  I tend to talk about the more esoteric configurations or things that you just can’t find anywhere else.  Those posts are as much for my benefit as anyone else’s.  If I know that I’ve run into a particular situation and I write about it, I know I can always find it here as opposed to sifting through Google for hours on end.  I just hope my readers can get some use out of it too.

I still blog about the CCIE a fair amount.  It feels a little different commenting on it from the other side of the line, but people seem to like reading about all things lab related.  There are a ton of great blogs out there that detail the process that lab candidates are going through and the little gems of knowledge that they unearth from time to time, whether it be revelations about Dynamic Trunking Protocol (DTP) or alias lists or even TCL scripts.  I should probably create a CCIE candidate blog list just so those of you out there that hunger for my CCIE-related material can get your fix from them as well.  My CCIE posts tend to be more on the commentary side and focused on the details in the process rather than the content.  I think it’s more of a way to talk about the things that I see are important to keep in mind besides the ability to remember OSPF LSA types on demand.  A “forest for the trees” approach, if you will.

Once again, I’d like to thank all my visitors and readers for your time.  I appreciate your feedback and comments about everything.  You help me be a better blogger with every post.  It helps me to know that the things I post can be useful.  Tanner Ezell and I discussed the idea that people should provide help and support because they can, not because they’re doing it for fame or recognition.  I like helping people solve problems.  It just so happens that the most efficient way for me to do it is by writing a blog.  The more you wonderful people read it, the more popular and well-known it becomes.  While I appreciate that, know that I’ll still be here plugging away and talking about things even if I’m on page 30 of a Google search.

Dial Plan Considerations

Posted on by
Reply

A Candlestick Phone (image courtesy of WIkipedia)

Dial Plans are probably one of the hardest parts of learning about voice.  I consider it to be just like subnetting for network enginee…rock stars.  There are volumes upon volumes of how to stage and arrange your dial plans to speed call routing and minimize memory usage on voice over IP (VoIP) equipment.  However, there are a couple of things that I’ve found over the course of my career in voice that I want to pass along that I’ve never really found written down anywhere.  Consider these some of the “street smarts” of VoIP.

– Avoid Placing Extensions in the “9XXX” range.  This one seems to be the most popular issue.  No matter if you’re using 3-digit or 4-digit extensions, consider anything beginning with a “9” to be off limits.  There are actually a couple of reasons for this.  First and foremost, “9” is generally used at the PSTN access code (or escape code) for most PBX-style equipment in the world.  It’s also used as the escape code for Centrex phone service.  If any of the extensions on your Cisco phone system start with a “9”, the system will get a bit confused.  The external route patterns on your CUCM/CUCME system all start with “9” and have the “Provide Outside Dial Tone” box checked (at least they should).  If you have an extension that is 9640, for instance, CUCM will not play the pitch-changed PSTN dial tone until the number you are dialing explicitly matches a route pattern with the “Provide Outside Dial Tone” check box enabled.  In this example, if you are calling a long distance number, when you hit “9”, you won’t hear the higher-pitched tone.  You also won’t hear it if you follow with 1, 3, or 1.  Not until you dial the 5th digit of your long distance call that eliminates the above 9640 extension will the caller hear the PSTN dial tone.  While this doesn’t really affect the operation of the system, it really throws the users for a loop when they don’t hear that dial tone for accessing the PSTN.

The other crucial reason for avoiding extensions that start with “9” is to cut down on the number of misdialed emergency numbers (911 or 999).  I’ve talked about emergency numbers before and taking them into account here is just as critical.  I’ve even had to change the PSTN escape code to something other than “9” (like 8 or 7) in order to correct this emergency calling issue.  In those cases, I have to avoid putting extensions in the 9 range and the new code range to keep my PSTN dial tones and emergency calling behavior straight.

– The 1XXX range is your friend.  If you need a number range for your extensions or voice mail ports or other system directory numbers, anything starting with a “1” is a great idea.  Why?  Well, since the very beginning of phone systems two numbers have always been reserved and not used to start phone numbers.  One of these is “0”.  Zero has always been used as a signal to the phone company operator, so no number in the North American Numbering Plan (NANP) starts with a zero.  The other number is “1”.  One is a more curious case.  It turns out that the original “candlestick” phones had a bad habit of sending a fast pulse when they went off-hook.  In order to prevent a ton of misdialed calls, the system was configured to ignore any numbers that started with a “1”.  Again, no numbers in the NANP start with a “1”.  We now use One to signal a long distance telephone call, but that is really the only time it’s used.  If you use the 1XXX range for all your voice mail ports or park slots or even extensions, you never really have to worry about it colliding with other parts of your dialing plan.  If you’re setting up a home CUCME system, like I’m trying to do once I can convince my wife, you can put your extensions in the 1XX range and not need to worry about using a PSTN access code.  I’ll probably write a little more about this once my experiment is up and running.

– Create a local 10-digit dial peer.  I’ve mentioned this in passing once before, but if you still live in one of those areas that hasn’t switched to 10-digit dialing for all local calls, you should probably program an explicit local dial peer.  For example, in central Oklahoma calls are still dialed with 7 digits locally.  However, there are destinations that are not long distance (prefixed with a 1) that use 10-digits.  If you program a standard 10-digit dial peer (9.[2-9]XX[2-9]XXXXXX), when you dial 7-digit local calls the system must wait for the interdigit timeout to expire before dialing the call.  This is because those 7 digits can match two different dial peers (7-digit and 10-digit) and the system doesn’t know which one to use until you let the digit timeout expire, which could be up to 15 seconds.  That time is an eternity to your users.

Instead, until the time when your state figures out 10-digit dialing is what all the cool kids are doing, you should do this little work around.  Configure your regular 7-digit and long distance dialing codes.  Rather than creating a 10-digit route pattern though, just create a route pattern with your 10-digit local area code.  In the above example for central Oklahoma (area code 405), that explicit dial peer would be 9.405[2-9]XXXXXX.  This way, any 10-digit calls will route immediately.  Most of your 7-digit calls should route immediately as well when they match the 9.[2-9]XXXXXX route pattern.  The only issue you might have is if your local NANP prefix (the [2-9]XX part) is the same as your area code.  Chances are slim in that case, so your local calls won’t wait for the interdigit time to expire.  Just be sure to have the 10-digit dial peer for all local calls ready to go on the day you get switched over.  Otherwise you are going to have some confused and angry users.

Tom’s Take

If you are going to be a voice enginee…miracle worker, you are going to spend a lot of time learning about dial plans.  Before you know it, things will just be automatic and you’ll be able to churn them out without a second thought.  If you take my advice above into account as you’re learning about dial plans, you will have a much easier time when it comes to the strange corner cases you might run into like not hearing a PSTN dial tone or interdigit timeout issues for local calling.

Cisco Phone Cheat Codes

Posted on by
10

There are many things in this world that are hidden just beneath the surface that make our lives easier.  Whether it be the Secret Menu at In-n-Out Burger or the good old Konami Code, the good stuff that we need is often just out of reach unless you know the code.  This is also the case when dealing with Cisco phones.  There are three key combinations that will help you immensely when configuring these devices, provided you know what they are.

1.  Unlock Settings – *, *, #.  When you check the settings on a Cisco phone, you’ll notice that you can look at the values but you can’t change any of them.  Many of these values are set at the Cisco Unified Communications Manager (CUCM) level.  However, once common issue is the phone not being able to contact the CUCM server or the phone having the wrong address/TFTP server information from DHCP.  While there are a multitude of ways to correct these issues in the network, there is a quick method to unlock the phone to change the settings.

  • Go to the Settings page of the phone
  • While in the settings page, press *, *, # (star, star, pound) about 1/2 second apart
  • The phone will display “Settings Unlocked” and allow you to make changes

It’s that easy.  There won’t be a whole lot to do with the phone Telephony User Interface (TUI), but you can make quick changes to DHCP, IP address, or TFTP server address entries to verify the phone configuration is correct.  By the way, when putting in an IP address via TUI, the “*” key can be used to put a period in an IP address.  That should save you an extra keystroke or two.

2.  Hard Reset – *,*,#,*,*.  Sometimes, you just need to reboot.  There are a variety of things that can cause a phone to need to be reset.  Firmware updates, line changes, or even ring cadence necessitate reboots.  While you can trigger these from the CUCM GUI, there are also times that they may need to be done from the phone itself in the event of a communications issue.  Rebooting is also a handy method for beginning to troubleshoot issues.

But Tom?  Why not just pull the network cable from the back of the phone?  Won’t disconnecting the power reboot?

True, it will.  What if the phone is mounted to the wall?  Or if the phone is running from an external power supply?  Or positioned in such as way that only the keypad is visible?  Better to know a different way to reboot just in case.  Here’s where the reboot cheat code comes in handy.

  • Go to the settings page of the phone
  • Press *,*,#,*,* (star, star, pound, star, star) about 1/2 second apart
  • The phone will display “Resetting” and perform a hard reset

This sequence will cause the phone to reboot as if the power cable had been unplugged and force it to pull a new configuration from CUCM.  Once common issue I find when entering this code is the keypresses not registering with the phone.  Try it a couple of times until you develop a rhythm for entering it about 1/2 second apart.  Much more than that and the phone won’t think you’re entering the code.  Quicker than that and the keys might not all register.

3.  Factory Reset – “1,2,3,4,5,6,7,8,9,*,0,#”.  When all else fails, nuke the phone from orbit.  It’s the only way to be sure.  Some settings are so difficult to change that it’s not worth it.  Or you’ve got a buggy firmware that needs to be erased.  In those cases, there is a way to completely reset a phone back to the shipping configuration.  You’ll need access to unplug the power cable, as well as enough dexterity to press buttons on the front as you plug it back in.

  • Unplug the power from the phone.
  • As you plug it back it, press and hold the “#” key.  If performed correctly, the Headset, Mute, and Speaker buttons in the lower right corner will start to flash in sequence.
  • When those three buttons start flashing in sequence, enter the following code: 1,2,3,4,5,6,7,8,9,*,0,#.  You’ll notice that’s every button on the keypad in sequence from left to right, top to bottom.
  • Phone will display “Upgrading” and erase the configuration.

Don’t worry if you press a key twice on accident.  The phone will still accept the code.  However, you do need to be quick about things.  The phone will only accept the factory reset code for 60 seconds after the Headset, Mute, and Speaker buttons start flashing in sequence.

Tom’s Take

I find myself using these cheat codes all the time.  Whether I’m correcting a bad TFTP server entry or setting a static IP on a subnet, the ability to manipulate a phone without resorting to using CUCM all the time is very useful.  You can also use these codes to impress your friends with your intimate knowledge of the way Cisco phones work.  Just be careful with that reset code.  About every 1 out of 1,000 times it gives you 30 lives instead.

You Don’t Need Gigabit, But We Do

Posted on by
1

Stacy Higginbotham wrote a thought-provoking article last week entitled “The Elephant in the Gigabit Network Room”.  Therein, she talks about how many providers are starting to bring gigabit connectivity to residential areas for prices in the $200-$300 range.  She also discusses that this is overkill for most customers, as many devices today can’t reach sustained transfer rates above 500 Mbps as well as the majority of the content being provided are low speed, bandwidth non-intensive services like Twitter.  She goes on to discuss that while there may be applications for using gigabit broadband, they are few and far between now and don’t equate to the cost when something like a 25 Mbps downstream cable modem would suffice just as well.

Allow me to disagree here.

I think one of the reasons why this article sounded flawed to me is because is sounds based on the idea that people still use one computer at a time.  The more I thought about it, the more I realized that the supposition that gigabit residential service for a single machine is overkill is indeed correct.  However, that’s where my opinion diverges.  I would argue that today’s residential networks are staring to resemble small enterprise networks with regard to bandwidth usage.

Think about all the things that you are doing with your home networks right now.  Sure, there’s a fair amount of low bandwidth web surfing going on.  We use Twitter to and Facebook to post status updates.  We check email.  We look up things on Wikipedia to win Internet arguments.  If that was it, I would say that even 100 Mbps or 25 Mbps service would be more than you’d ever need.  But go deeper.  We now use Netflix to stream movies to our televisions.  We use iTunes to download content to all manner of devices.  Hulu, Boxee, and Vudu are all clamoring for attention and bandwidth.  Even simple Bittorrent transfers can suck up an entire pipe.  Now imagine all this couple with the blah blah cloud services coming down the pipe.  We even use cloud-ish services today.  Gigabytes of pictures uploaded to Picasa and Flickr.  Video uploaded to Youtube and Vimeo.  Music streaming coming from Google, Amazon, Apple, and anyone else with a handheld device with a headphone jack.  We can even run our household phone system over the Internet.  Not to mention Facetime, Telepresence, and all manner of real-time video communications.  Sounds to me like that little cable modem is starting to get a bit crowded.

Another argument against gigabit networking is the inability of devices to use the full bandwidth.  Specifically, the lack of gigabit wireless networking is pointed out in the article.  Right now, she’s right.  However, with 802.11ac coming down the pipe and WiGig coming to the 60 Ghz spectrum sooner rather than later, I think it’s better if we have the broadband infrastructure in place sooner rather than later.  In the article, it is stated that a generic laptop only hit 420 Mbps downstream in a test.  Okay, so with a little optimization we could probably hit 600 Mbps easy.  Did they test several sites to be sure it wasn’t a transit network issue?  Did they pull from a close FTP server with a high-speed backbone?  Or were they clocking Windows Update?  Most machines will eat any amount of bandwidth you throw at them.  Even if you peaked at 500 Mbps out of the box, that’s still 5 times faster than a 100 Mbps network.  Think about what would happen in your enterprise if you granted users the ability to run gigabit all the way to the desktop.  Files could be transferred faster internally.  Content could be pushed with little effort.  Imagine again what might happen if you then brought those same users back down to 100 Mbps.  You’d have a mutiny on your hands.  When driving on the highway, 80 MPH only seems fast when you get going.  Once you’ve been cruising there for a while, 60 MPH seems like a standstill.  I think that even half a gigabit connection per machine is still amazingly fast, especially when that pipe starts getting crowded as I’ve outlined above.

The final argument is that there is no killer app that necessitates paying such high fees for gigabit service.  One service that is discussed by the author is online backup.  This, however, is dismissed as being too infrequent to be useful to a customer paying a monthly charge.  Let me ask this of you out there: how crazy did the idea of downloading music on the Internet seem when the fastest connection we could muster was 56k?  How about watching movies in our house solely over the internet when 128k ISDN was the fastest kid on the block (that was exorbitantly high priced for its time too)?  Why code an app if you know it can’t work to its fullest potential today?  What about continuous online backup?  If you’ve already got the pipe to handle it why not keep a running backup of your files out in the blah blah cloud?  HD streaming video to multiple devices simultaneously?  What about the burgeoning website designs that seem to be taking more and more bandwidth every day with Flash landing pages, Flash adds, Shockwave menus and more?  If we start running gigabit to our house, I can promise you that there will be apps written to take advantage of those big fat pipes.

Tom’s Take

Yes, running a gigabit pipe into my house would probably be overkill right now.  Despite my protestations to the contrary, my wife realizes that I don’t need to have the ability to instantly download anything and everything on the Internet.  But I also see that as we start placing more and more content and information outside of our computers and in the blah blah cloud, we’re going to get very impatient to get that content quickly.  HD video, 27 megapixel images, and enough MP3s to sink an aircraft carrier stored somewhere in an online vault and we have to have it NAO!  Just because 100 Mbps would do anyone just fine today doesn’t mean that there isn’t a market for gigabit residential service.  It’s like saying that just because we can only drive 65-75 MPH on the highway there’s no need for sports cars that can do 130.  Someone out there will find a use for it if it’s available.  If nothing else, the blah blah cloud providers should be championing us to get the fastest available connections and start storing everything we have with them.  That way, we don’t have to spend so much time worrying about where our stuff is being stored.  We just click it and go.

The Sky’s The Limit for CCIEs

Posted on by
3

First of all, congratulations to Jonathan Topping, CCIE #30002.  He passed back on August 25th, which means that CCIE #30000 passed on the 24th or 25th.  That person is still unknown at this time, but the milestone that it represents is pretty impressive.

I chased my CCIE all the way through the 20000’s.  From reading Ethan Banks’ first blog at CCIE Candidate as he got his number (20655) all the way up until I got mine just shy of the 30k mark, I’ve been entrenched in the lore of things.  30,000 is a big mark.  Sure, CCIE #31025 will be the actual 30,000th person certified, but you can’t ignore the significance of how many people out there have chased their goal and achieved it.  Ethan passed his lab in April 2008, and with a little fudging on the math with the pass rates, it took about 3.5 years to get from 20,000 to 30,000.  Pretty impressive for what some have considered to be the hardest exam in the industry for a number of years.  The rate of passing seems to be accelerating.  It fluxuates from about 50 per week up to 150 per week depending on when the test is being taken and whether changes are rumored to be coming down the pipe soon.

There was a time I can remember people saying that anyone with a 5-digit CCIE number was just too green to be of any use in the industry.  Those same things were said just after Larry Edie passed to become #20000.  I’m sure someone will say that now that we’ve broken through 30,000 as well.  It doesn’t matter in the end though.  CCIE numbers are like grade point averages.  I was worried when I graduated college because my GPA wasn’t as outstanding as those kids that spent every waking minute studying for tests and turning in homework two weeks early.  However, on my first interview I wasn’t asked about my GPA.  They asked about my experience and what I was capable of.  The same is now true of my CCIE.  People are impressed with the certification itself, not the number.  The number only exists to prove you are who you say you are.  It doesn’t matter if you’re #1027 or #31027.  The fact is that you’ve all passed the same rigorous test to achieve your goals.  Sure, Greg Ferro may have had to study Token Ring and Ethan Banks may have had to study ATM, but we all passed a lab exam with requirements and tasks.  I’m sure that the IP tasks on my lab exam will look foreign in 3 years when we’re all running IPv6 and configuring OSPFv3.

Other vendors are starting to see the light, too.  Juniper has lab exams for its Juniper Networks Certified Internet Expert (JNCIE).  Microsoft added practical-type questions to the Server 2008 certification track a while back.  Novell took a shot at a practical exam with the first iteration of the Novell Certified Linux Engineer 1.0 exam.  I still have nightmares about that jewel.  I can see more people starting to look at practical exams at the expert level.  I know they are pain to administer and grade.  They are difficult to study for and the material has to be refreshed frequently.  However, they provide something no written multiple choice test can – experience.  I know that someone who has passed the CCIE or the JNCIE can actually sit down and do the things on the test.  There’s no multiple guessing or subject board to award a certification.  It’s down to merit, plain and simple.

Tom’s Take

CCIE #40000 will probably be certified in March 2013 if the current passing trends stay stable.  Sounds closer than one might think.  Milestones come and go, but the aptitude is always there for those that pass.  Don’t worry about getting vanity numbers like 31,024 or 31,337.  Whatever number you get will be the one 5-digit number you will never forget in your entire life.  Don’t fret over getting a number in the 30,000s.  You’re still a name after all.  The number just comes after it.

If you’d like to lookup some milestone CCIE numbers, I highly recommend Marc La Porte’s CCIE Hall of Fame.  He verifies every CCIE number, so the information there is better than anywhere else on the net.

Ghost in the Wires – Review

Posted on by
1

Anyone who is old enough to remember the heady days of the formation of what we recognize as today’s Internet knows the name Kevin Mitnick.  Depending on who you ask, Mitnick is either a curious computer user that was wrongfully accused of horrendous crimes or he’s the most evil person to ever sit behind a keyboard and is capable of causing Armageddon with nothing more than a telephone.  Of course, the truth lies somewhere in the middle.

Mitnick has written books before that discuss social engineering.  The Art of Intrusion and The Art of Deception are both interesting books for security professionals that talk about the myriad of ways that hackers can exploit trust and other factors to compromise networks and systems.  However, both books lack something.  Deception is written as a series of “what if” methods of social engineering.  Intrusion uses real examples from a variety of sources, but not from Mitnick.  I’m sure there were lots of things that prevented him from talking about his past in these two books.  What people have really waited for though is the story of the World’s Most Wanted Hacker.  Well, wait no longer:

Ghost in the Wires is the autobiography of Kevin Mitnick.  Now that I’ve finished my CCIE studies, I have a couple of hours of free time to enjoy reading something that isn’t a whitepaper or a lab workbook.  I picked this up as soon as it was available on Amazon and cracked it open right away.  I took my time going through it, enjoying each chapter as it built up the story of Mitnick from his early years onward.  As the story progressed more into his social engineering stories and hacking exploits, I found myself spending more and more time reading about them.  I was drawn into the book not only because of the content, but the writing style as well.  Mitnick and his co-author William Simon decided to keep the content at a fairly non-technical level.  Other than a couple of expositions about gaining access via .rhosts files or spoofing IPs, the book as a whole doesn’t really go much deeper than programming a VCR.

What you do get from this book is a sense of what drives Mitnick.  It’s not wealth or fame or anarchy.  It’s the pursuit of knowledge.  Unlike the fame seeking kids today, Mitnick outlines that he only went after the targets he did because of the challenge of breaking into the them.  He didn’t do it to steal credit card numbers or to hold computers for ransom in some strange blackmail scheme.  Sure, he gained from his knowledge by virtue of his unfettered access to the phone company or his ability to clone his cell phone’s ESN whenever he wished.  However, rather than exploit this on a grand scale or sell his access privileges on the Internet, he held on to them and used them as capital only for bragging rights to other hackers.

Mitnick also takes some time to address the “Myth of Kevin Mitnick”, the legend that has grown up and been propagated about his crimes.  Stories of his flight from early prosecution to another country of his “ability” to whistle launch codes into pay phones elicit laughter but also show how the legal system in the early days of person computing was ill-equipped to deal with people like Mitnick that pushed systems to their boundaries and used them for their own purposes.  At times, it seems like the legal system in this book is run by a collection of scare mongers, ready at a moment’s notice to say whatever it takes to keep their suspects locked in solitary confinement and safely away from any form of communication, electronic or otherwise.  The second half of the book details his flight from the federal authorities and the ease with which Mitnick was able to create a new identity for himself.  Back in 1993 he was able to create a string of identities to elude his pursuers.  Today, however, I wonder if it would be as easy as before with all the linking of databases and sharing of information among all the different departments that Mitnick used to set himself up and someone else.  I’m sure it would be a very difficult challenge, which is just the kind Mitnick admits he loves.

Tom’s Take

I loved this book.  I’m a sucker for computer history, especially from someone as famous as Kevin Mitnick.  Yes, he violated laws and treated security procedures like recommendations instead of guidelines.  In truth, his crimes consisted of theft of things like source code or free telephone calls.  He did it because he liked the challenge of getting things he wasn’t supposed to have.  He was like a kid that would take his toys apart as a child to see how they worked.  I can identify with this kind of mentality, as I’m sure many of you can.  Mitnick chose to express this desire in ways that ended up bringing him into conflict with law and order.  In the end, he paid for his crimes.  However, he has paid us all back with the wealth of knowledge that he has shared about his methods of social engineering and computer hacking.  I recommend this book not only to those that are interested in the history of hacking but also to anyone that might ever take a telephone call or use a computer.  A little education about how easily Mitnick was able to gain the trust of unsuspecting people and get them to give him whatever info he wanted is worth the ounce of prevention that it will provide.  If nothing else, you’ll know what a nuclear launch code sounds like when it’s whistled in your general direction.

A Case of Mistaken Identity

Posted on by
1

It appears as though the carefully crafted hierarchy of trust that we’ve built in public key encryption is in danger of unraveling like a cheap suit.  Thanks to DigiNotar, the heretofor unknown registrar for the government of the Netherlands, we’ve got ourselves another fake certificate floating around out there.  This time, they generated a certificate for google.com (yes, the whole domain) back on July 19th.  According to DigiNotar, their certification authority (CA) infrastructure was breached and used to generate the false certificate.  Based on some defaced websites on DigiNotar’s site, there are strong rumors that a foreign government attempted to use the certificate as the catalyst in a man-in-the-middle (MITM) interception attack that would allow nefarious things like GMail to be snooped or search results to be cataloged.

Most security conscious users are already doing the smart thing.  They are removing DigiNotar from their trust lists even as Microsoft, Mozilla, and Google remove the rogue certificate.  I’m in the camp of completely removing DigiNotar from my list of trusted CAs.  I’ve also done the same with Comodo after their little issue with rogue certificate problems a few months ago.  To me, once a CA starts issuing false certificates, they have effectively erased any kind of trust they might have once built up.  Even worse, by admitting that it was a security breach and not an honest mistake on the part of a careless employee or an admin with a grudge they have moved from the realm of carelessness and into the ocean of stupidity.  If the CAs that sign our most trusted pieces of information that identify trustworthy organizations can be so easily compromised, how are we to trust the information we are presented?  Granted, this kind of MITM does require a chokepoint, such as a country with only one or two regulated Internet terminus points.  The risk of something similar happening in a country like the US or the UK is reduced due to our infrastructure, but it’s still something that could cause problems should a certificate like this be issued and then installed by a large ISP.

At Cisco Live, the 15,000 attendees hammered the Interop block providing Internet access to the point where the BGP peerings started freaking out.  Some of our traffic was getting rerouted to Japan.  A few noticed the strange google.co.jp pages popping up but thought nothing of them.  That same mentality causes people to click through certificates without much thought to where they were issued from or whether or not they should be trusted.  Now, compound that with a trusted provider not causing a certificate warning and you’ve got a recipe for disaster.

I think we need to take a hard look at all of these trusted CAs that are issuing certificates like I hand out candy at Halloween.  Someone needs to provide real oversight and not just allow anyone to start signing identities.  If you get caught issuing bad certificates, you should be shut down until you can prove you have implemented strict security measures somewhere other than on paper.  If not, you get shut down and all your certificates get invalidated permanently.  It would suck mightily, especially for a CA that signs government certificates.  However, faced with the alternative, I think a little bit of trouble in rooting out the bad CAs is worth not having to face what could happen.

Tom’s Take

If you haven’t already, rip DigiNotar out of your trusted certificate list.  Just search for your particular OS and there are lots of instructions.  Update your browser, as all the major players have already removed the rogue certificate.  Show DigiNotar that the price of being compromised is high.  Maybe a few people protesting like this is equal to a bucket of water missing from the Pacific Ocean, but the more people that remove that trusted certificate, the bigger the message that can be sent to all these “trusted” companies that they had better keep the keys to their kingdom safe and sound.  The alternative is a situation that doesn’t sit well with me at all.

Sight Beyond Sight – 4 Months of LASIK

Posted on by
3

I had my last major checkup after my LASIK procedure (detailed here) this week.  For the past four months, I’ve been enjoying the benefits of having amazing vision without the need to wear contact lenses or glasses.  I now have 20/16 vision in my left and right eyes, and when I use both eyes I have 20/12 vision.  Since the majority of the healing process has now occurred, I’m fairly certain this this will be my stable vision for a good long while.

Continuing on from my previous post, I can honestly say that the experience was the best thing I’ve ever done.  My worries about night halos were pretty much over-hyped.  I’d heard from many people that bright lights at night had a kind of halo effect that caused driving to be difficult with all the headlights.  I found that while there was indeed a halo around things like street lights or car headlights, it wasn’t nearly as pronounced as I had been led to believe and was quite tolerable.  Now, four months later, even those small halos are practically non-existent.  This is pretty much what I expected, since the halos are usually just artifacts of the incisions made during the procedure and as the eyes heal the halos vanish.

The other side effect that I have is increased light sensitivity.  Imagine walking outside on a day where the sun is shining so brightly that it hurts your eyes to have them open more than just a small amount.  That’s what going outside on bright days feels like to me.  When a flashbulb or bright light gets shined in my eyes, the after effects seem to last a bit longer than they did before.  It’s not that it’s any different that what a normal person might feel in those situations, it’s just a little more pronounced.  I’ve managed to fix the sunlight issue by investing in a nice pair of polarized sunglasses.  Before, I wore sunglasses only to drive.  Now I feel like I need to wear them most of the time when I’m outside in the sunlight.  As for flashbulbs, I think that’s only going to be a real problem when I become a celebrity blogger and TMZ starts following me around with cameras.

Tom’s Take

The big question is: Would you do it again?  Yes, yes, a thousand times yes.  I recommend that anyone capable of getting the procedure done should investigate it.  My wife is going to get it done before the year is out.  My friends are all asking about it and I recommend it without reservation.  Unless you have a medical reason to avoid it, or you just like the look of “brainy specs”, the benefits of no longer needing glasses or contacts far outweighs anything that you could consider a downside.

I don’t rub my eyes nearly as much as I used to.  Before, when I felt my eyes start watering, I had to grab a napkin and blot them, lest my contact pop out or become dislodged.  Now, I just let my eyes water and I find that they aren’t nearly as irritated as they once were.  That might also be due to the notion that I no longer have a hunk of plastic sitting on top of them.  The highest praise that I can give to my LASIK procedure is that I sometimes forget that I had it done.  I just feels natural to me now to not have to worry about changing contacts or tracking down glasses.  If you are thinking about it, don’t hesitate to go out and get more information.  Ask your eye doctor about their opinion of your local options.  And don’t hesitate to get a second opinion.  Your sight will thank you.