Revenge of the Quarantinewhile

So It’s been a minute…. Like 21 days since the last post and in the last post I mentioned some rather large changes that were temporarily on hold until the whole Covid-19 thing cleared up. Well things with the Covid cloud are finally to a point of clearing up that I feel comfortable talking about what has been going on since the end of February. Settle in, this is going to be a longer post than usual from me.

So a while ago I had a general unease about my home network setup. I’m pretty typical in that I run a private network behind a cable modem that has a single public-facing internet-routable IP. In addition to this I also typically use some sort of Dynamic DNS (DDNS) system to give my home connection a name I have an actual shot at remembering.


If anyone is curious I really like DYN-DNS, they seem to have the best features-to-reliability-to-price ratio that I’m looking for. I’ve also had really good luck with the DDNS re-director included in my Synology RT-2600AC router, particularly around the use of Let’s Encrypt for an SSL cert.


OK, with all that in mind I was forever getting a million hits on my external IP from places all over the world. This is totally normal; that’s what we call a botnet looking for unsecured devices that are open to the internet. And this is where I started having some pain and consternation: I have a fair number of IoT devices and they live on the same LAN network space as my Macs and PC. I’ve run my Macs with drive encryption turned on for a couple of years now; the PC doesn’t have that option (stupid Win10 Home). The PC doesn’t leave the house and I don’t keep any of my cloud documents (iCloud and OneDrive) on the PC unless I’m actively working on them. For the PC I’m OK with the risk window of someone stealing it and getting my spreadsheets on what bad movies I watched.

The other side of the coin was my true IoT devices, where I couldn’t log into the devices at all at a command line level. Think things like any of your smart thermostats, smoke detectors, door locks, TVs, speakers, and gaming consoles. All of which I had in my house and still do for the most part. So it became less a matter of if and more a matter of WHEN one of those devices would be compromised.

OK, but who cares if someone hacks your thermostat? Well I do, since I pay the power bill. More importantly though, once you have the compromised device on the network that is a foothold, and much like cancer once it’s in there it’s a real pain in the ass to do anything other than just cut the whole damn thing out. Especially when you start talking about higher-CPU devices like an Xbox One or a PlayStation 4 that have x86 chips running branches of commercial operating systems. It doesn’t take much to get tcpdump working in memory, writing to a “/tmp” partition, and then exfiltrate that network data out for analysis. Do I sound paranoid… I sure do… why? Because given enough time and automation everything is breachable.

OK, so let’s talk risk mitigation (i.e. how much pain and misery am I willing to put up with to secure my home network)

  • Remove the IoT devices and get a printer from 2004
    • Nope, not happening. Some I can get rid of (I’m looking at you, thermostat and smoke detectors) but others I’m not willing to give up (looks longingly at Xbox and smart door lock)
  • Block outbound connections except for internal IPs from your computers and trusted devices.
    • Nope, I bought these things for remote management of my house… if I do that I still have to poke so many holes in a firewall I may as well just not bother.
  • Buy a second router and put all of the IoT stuff on there and give it a second address space that can’t be accessed by the “secure” side
    • Hey, that’s not a half bad idea… I don’t think I want to deal with another router but I can do a network firewall.

OK, so a network firewall: one side has the IoT stuff, the other side has my secure stuff.

So have you ever tried to look for a consumer-grade network router with the capability of doing a firewall between two sets of devices? No? You should… it was frustration in abundance for most of 2019. I did find a number of roll-your-own solutions using pfSense; however, those presented the problem of being more admin than I cared to put into the whole endeavor, and while rolling your own may be fine for certain folks (and I certainly should be one of them) this is one device where I want to know that my configuration is solid. So I kept an eye out and found a couple of solutions that were close but not quite there.

Flash forward to this month and I finally pulled the trigger on a UniFi Dream Machine from Ubiquiti Networks. Is it overkill for what I am doing? Yup, sure is… do I regret it? No I do not.

It met my requirements of having a network firewall in place between the IoT side and the “secure” side of my network, along with the ability to run multiple SSIDs and VLANs, which, while they tend to be high maintenance to set up, don’t require much care and feeding once they are stable. In the course of my research it was brought up on multiple occasions by multiple sources that doing this kind of setup would limit functionality between devices on the secure side and devices on the IoT side. I was very OK with this as the only thing that I was really concerned about was that my Sonos speakers and Apple TV work.

  • For the Sonos speakers I found this really excellent walkthrough from a gentleman who walked through the whole firewall rule setup and port opening for the Sonos speakers over here
  • As a side effect of the first rule in the firewall allowing traffic from Secure to IoT, but not back, all of my Apple stuff sees my Apple TV no problem.

In practice the biggest difference I have seen is that when bringing up the Sonos app on my phone, it takes about 10 seconds to hook up with the speakers whereas before it was sub-2 seconds… that is a penalty I’m willing to deal with. The biggest problem I have run into is manually entering the IP address of my Roku TVs to control them remotely, because I block advertisements from the IoT VLAN to the Secure VLAN.
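To make the rule logic above concrete, here is a small model of the Secure/IoT policy as an added example; it is not code from the original post and not Ubiquiti’s own configuration. It evaluates rules first-match, the way a UniFi or iptables rule list does, and tracks accepted flows so that replies from the IoT side pass (the “established/related” behaviour) while unsolicited IoT-to-Secure traffic and IoT service advertisements are dropped. The address plan, the sample hosts and ports, and the exception port 9999 are all constructed assumptions.

```python
"""Model of a two-VLAN (Secure / IoT) firewall policy evaluated first-match.
Added example; the networks, hosts, ports and rule names are constructed
assumptions, not copied from any real UniFi configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): one /24 per VLAN.
SECURE = ip_network("10.0.10.0/24")
IOT = ip_network("10.0.20.0/24")
# Placeholder for a port the Sonos walkthrough opens from IoT back to Secure;
# the value is made up for the example.
EXCEPTION_PORT = 9999


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def zone_of(addr: str) -> str:
    """Map an address to the zone the rules reason about."""
    ip = ip_address(addr)
    if ip.is_multicast:
        return "multicast"  # mDNS/SSDP service advertisements land here
    if ip in SECURE:
        return "secure"
    if ip in IOT:
        return "iot"
    return "other"


def zones(p: Packet) -> tuple[str, str]:
    return zone_of(p.src), zone_of(p.dst)


# (rule name, predicate, action). First match wins, so the narrow
# exception must sit above the broad drop that would otherwise catch it.
RULES = [
    ("allow secure -> iot",
     lambda p: zones(p) == ("secure", "iot"), "accept"),
    ("allow iot -> secure exception",
     lambda p: zones(p) == ("iot", "secure") and p.proto == "tcp"
     and p.dport == EXCEPTION_PORT, "accept"),
    ("drop iot -> secure",
     lambda p: zones(p) == ("iot", "secure"), "drop"),
    ("drop iot advertisements",
     lambda p: zones(p) == ("iot", "multicast"), "drop"),
    ("default accept", lambda p: True, "accept"),
]


class StatefulFirewall:
    """Remembers accepted flows so replies pass even when the rules would
    drop that direction on its own (the established/related behaviour)."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int, str]] = set()

    def _is_reply(self, p: Packet) -> bool:
        # A reply is the mirror image of a flow we already accepted.
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows

    def evaluate(self, p: Packet) -> tuple[str, str]:
        if self._is_reply(p):
            return "accept", "allow established/related"
        for name, match, action in RULES:
            if match(p):
                if action == "accept":
                    self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return action, name
        raise RuntimeError("unreachable: default rule always matches")


def run_sample() -> list[tuple[str, str, str]]:
    """Replay constructed traffic through the policy in order and return
    (description, action, matching rule) for each packet."""
    fw = StatefulFirewall()
    laptop, speaker, tv = "10.0.10.5", "10.0.20.7", "10.0.20.9"
    traffic = [
        ("app on Secure opens speaker", Packet(laptop, 51000, speaker, 1400, "tcp")),
        ("speaker replies", Packet(speaker, 1400, laptop, 51000, "tcp")),
        ("tv probes laptop SMB", Packet(tv, 40000, laptop, 445, "tcp")),
        ("tv mDNS advertisement", Packet(tv, 5353, "224.0.0.251", 5353, "udp")),
        ("tv reaches exception port", Packet(tv, 40001, laptop, EXCEPTION_PORT, "tcp")),
        ("laptop mDNS query", Packet(laptop, 5353, "224.0.0.251", 5353, "udp")),
    ]
    return [(desc, *fw.evaluate(pkt)) for desc, pkt in traffic]


if __name__ == "__main__":
    for desc, action, rule in run_sample():
        print(f"{desc:28} {action:6} ({rule})")
```

The fourth packet is the Roku situation from the post: the TV’s mDNS advertisement never crosses into the Secure VLAN, so discovery fails and the IP has to be typed in by hand, while the first two packets show why Secure-side apps still reach IoT devices and get their replies back.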

And finally, because I like logs and apparently network administration, I put two 8-port UniFi network switches on my network as well, not only to have as many things running wired as I can, but to also be able to manage the switches or devices if needed. I’ve been running the setup for a week now, and after the initial setup of an hour or so (creating accounts, updating firmware and devices, and getting familiar with the system) I spent probably 10 hours actually configuring VLANs and firewall rules, and only that much time because I did it a couple of times from a couple of different sources before I found the walkthrough that worked for me mentioned above.

So yeah I had a pretty eventful thing there….

Also I quit my job in Phoenix, sold my house, lived with my parents for two weeks, moved to Colorado, and start a new job in a few days. Don’t worry I still do IT stuff at a hospital.

Quarantinewhile….

So I was planning on this being a post about some big changes… but much like the rest of the country I find myself in a Covid-19 cloud, so instead I present the following things…

  • There are a crap ton of Nine Inch Nails concerts on YouTube
  • The Mandalorian is better the second time through
  • Was anyone else hoping for more Federation ships in Picard?
  • Social distancing is a thing with Velociraptors

Auto Pilot

After all of these years I still mostly pick the titles of the entries from whatever music is playing in the background… and well tonight that is Queens of the Stone Age “Auto Pilot”

Some things never change….

I was going to write something, but then a shiny internet object dashed in front of me… and now I can’t remember what I was going to write on. I think it was a treatise on world peace and building a space economy… or it might have been about my personal office setup, which seems to be the main topic of this thing over the last couple of years.

Fun times.

Mexicola… Cochise

Huh, would you look at that, it’s been 6 months since I posted anything… I’m sure the person who still reads this is shocked. That person would also be the kind of person who names their fantasy football team something “shocking” and uses an ephemeral third state of electricity as their online tag.

Yes if you are reading this… you are that person.

Anyway…. since the last post in June, I fixed the monitor situation on the Windows machine… by replacing the Windows machine with a new PC. It’s nice to have a gaming PC again. Also widescreen monitors… WHO KNEW?

Anyway happy 19th birthday to the blog that started because I didn’t want to do COBOL homework in the year 2000 (If you don’t have Conan O’Brien and Andy Richter singing ‘In the yeeaaaarrr 22220000000‘ in your head… you are reading it wrong).

So yeah I guess happy holidays, new year, and all that jazz.

SWOL…. swol battery.

I’ve been without my 2016 MBP for about 48 hours now; I had to take it in for repair on Saturday for a swollen main battery in the chassis. The repair is a mail-out repair, and since I have a perfectly good computer sitting next to my Mac, I thought no big deal, I’ll just use the Win10 machine for a while. I’m fluent in Windows and use Windows primarily for my day job, but going back to Windows at home after 12 years of Mac at home has me noticing lots of little things.

First, you don’t realize how attached to iMessage you are until you don’t have it on your main computer; having to look at your phone for a conversation rather than it being just another chat app is remarkable when you no longer have it after having it for so many years. Yes, WhatsApp, GChat (until it’s sunsetted next year), and Skype all provide a desktop client…. But none work quite as seamlessly between devices or the OS as iMessage does.

On my Mac I have a little automation script set up to monitor my “~/Downloads” folder and it moves files based upon file type… PDF to a folder on my OneDrive, JPG to a dedicated folder away from the desktop for memes from social media, and larger media files (over 2MB) to a network share attached to a 12TB DAS. The file automation has been built into MacOS for as long as I’ve used it (since 2007) and it’s been one of those things that has always just made life a little bit easier. Windows does not have a built-in equivalent; you can download an equivalent service but there is no native equivalent baked into the OS. Which really gets to the larger issue that there is no Windows equivalent of Automator for taking care of bunches of little tasks that we all do during our day and never think twice about. Also, for the record, yes, I still download media… I’m internet ancient, and sometimes I like to be miserly with my bandwidth. I still act like I have a 56k connection when I’m paying for gigabit on one line and unlimited data on my cell phone.

Finally, I don’t think I would have noticed this if I hadn’t been working on a presentation for a conference. There is no recent documents list in the “Start Menu” like there was in Windows 7/8/8.1; I literally just noticed this yesterday. In MacOS it’s still up in the Apple menu where it’s been for almost 20 years. It’s not a big deal; 99% of the time I open recent files via the app I’m using them in anyway. Sometimes it’s things like the recent documents that are force of habit that you don’t notice until it’s in your face.

It’s not all weird on Windows; the Office365 experience is markedly better than on MacOS IMO (and vastly superior to iOS). Which should surprise no one, as Office has always been a flagship for Windows capabilities. I didn’t appreciate how good it was until working on my conference slide deck and writing this post (which I’m writing a draft of in Word, because I like my software to work against me actively). Little things like word definitions and thesaurus suggestions when I click on words are nice, and the kind of thing I would expect from a modern fully featured office suite on a modern platform.

Most of the mechanical differences I’ve observed between Windows and MacOS are more directly related to the hardware I’m running each OS on…. The Mac is using a new NVMe SSD and USB 3.1 across the board, while the Windows machine is using a mix of older NAND SSD and spinning disk. The Windows machine still runs fine from a CPU perspective for web browsing and office work, so no real difference in the experience. The biggest differentiator has to be the monitors! The LG 5K is a great monitor that I don’t appreciate enough… I’m really missing it using 2 Samsung 1080p monitors right now… they are getting the job done, but damn, I need to do something about this monitor situation on my Windows machine.

So those are my differences; I found it a bit odd and thought I would document them here since, you know, I’m writing on here so much…. Why doesn’t a sarcasm font exist yet?

Second Update….

Turns out I’m still not good about posting…

So uh yeah… pictures are not fixed after all… but the HTTPS is working….

Also a comment on Bluehost and their default install of WordPress…. There is so much junk that is pre-installed on this site I don’t know what can and cannot be turned off…. so far I have most all of it turned off except for the things I know I need.

I mainly moved because of the cheaper hosting and “free” HTTPS (as opposed to what I would have paid for the equivalent length of hosting and an additional fee at GoDaddy).

It’s all good… says the one guy who still keeps a personal blog in 2019…

Things are a bit different…

You may notice a few things are different now… like the pad lock in the address bar… and the distinct lack of pictures….

In the process of moving… GoDaddy –> Bluehost… still trying to figure pieces and parts out… like where the pictures went.

It’s been a more involved process than I anticipated, but I will write more.

Until then enjoy a picture of a recent Arizona sunset

On Ecosystems and Workflow

I could be best described as a “systems guy”: I design and build systems to interact and work with other systems. Most of the time the systems are pre-built and I have to just do the interconnecting; other times it’s much more complicated. At home I’ve carried over this philosophy for the most part; I’m so deep into the Apple ecosystem it’s not even funny. You know what, the stuff truly just works though, so if it works for me then I’m good with it. I have philosophical reasons for not being all in on Google, and Microsoft is firmly on the services side outside of Surface and Xbox.

I still maintain presences in the Google and Microsoft domains; if you had to ask me which one was primary I would say Microsoft, as I actually pay for their services. I have Google because it’s basically a utility for the internet at this point in North America.

With all that being written, I have made some decidedly interesting choices over the years in terms of where to put my ecosystem dollars. On the digital media front I’m iTunes almost 100% except for books; I’m all in on Amazon Kindle for books. In home audio I’ve gone a decidedly “Switzerland” route, mainly because there was no Apple entry till late last year, and when it comes to audio I don’t want an assistant, I want good-sounding music. So SONOS is my platform of choice for the home audio side of things. And honestly their stuff works quite nicely across all mediums and it sounds really good. Once you buy one, you won’t be able to stop.

So the one place where I’ve looked and haven’t really made a commitment is home automation. Part of it is out of not wanting yet more devices on my WiFi, but at the same time the overall ecosystems are becoming robust enough to warrant consideration. When you look at the major ecosystems out in the wild there are three that stand out… Apple HomeKit, Google Weave, and Nest. Nest already has a beachhead in my home with a thermostat and a couple of smoke detectors, which other than helping the thermostat figure out when I’m home aren’t much worth the price of admission. Looking at the history, I tend to go with ecosystems where there is a solid marriage between hardware and software.

Ecosystems are great until you don’t have anybody supporting you or the company discontinues it. At least with hardware there is a chance that your stuff gets sucked up by someone else, but eventually everything dies.