Please Use Protection

August 24, 2009

Last week we did this thing at work called “Tech Check” (or TekChek, or TechCzech, or something hip-but-actually-not) and I got to help a lot of new students try to get their systems to a minimum standard of functionality for their school year.

This was eye-opening. Viciously eye-opening.

The number of people who should have been computer literate but were running wildly out-of-date systems with no anti-virus and no admin password was astounding. It was a combination of not knowing that they should and not knowing how. I am not going to go into the details of why these things are important, just give quick, easy instructions on how to do them.

So, for anyone who’s reading this, I’m asking you to now, please, for the love of all that’s holy (or not), install A/V and updates and make sure that your user account has at least something for a password. Even if you’re using a Mac, you need to keep your system up to date and have a password.

Windows Instructions

  1. Open Internet Explorer and go here: http://update.microsoft.com/windowsupdate. Follow the prompts to install all available updates. Go there over, and over, and over until it says there are no updates left to install. Reboot as many times as necessary. Then go there again, just to make sure.
  2. Get anti-virus. If you want great protection, you have to buy it and this is the one I recommend: Eset NOD32. Purchasing a good A/V solution is extremely important if you are using your computer for business at all, and Eset NOD32 provides discounts for multiple computers or multiple years. Please do this right now. If you were unwilling to pay the “extra” money for a Mac, this is one of the costs you chose to bear. If you are unable to shell out $40 / year for a great solution, here’s an adequate, free solution: Avast! Home Edition. It’s not perfect, but it’s better than nothing. Note: lots of businesses and schools will provide anti-virus to their employees, students, etc. Often this will be pre-configured to download updates, run in the background, etc., and may never require you to purchase a license. Check with your employer or school.
  3. Give yourself a password: Press Ctrl + Alt + Delete and click the button that says “Change password”. It is important that you remember what this password is, so make it memorable. Make it your driver’s license number, or your license plate number, or your insurance policy number, or something else that you can have written down that doesn’t look like your password. Here’s an idea: pick something in your wallet that expires regularly, and use something from that (your insurance policy expiration date, for example). Then, every time that expires and you have to get a new one, change your password to reflect the new information.

Mac Instructions

  1. Click the Apple logo in the upper left corner and choose “Software Update…” Install all available updates, reboot if necessary, and keep checking until there are no updates left to install.
  2. Give yourself a password. Click the Apple logo and choose “System Preferences”, then click “Accounts”. Your account should be highlighted, with a button that says “Change Password”. It is important that you remember what this password is, so make it memorable. Make it your driver’s license number, or your license plate number, or your insurance policy number, or something else that you can have written down that doesn’t look like your password. Here’s an idea: pick something in your wallet that expires regularly, and use something from that (your insurance policy expiration date, for example). Then, every time that expires and you have to get a new one, change your password to reflect the new information.

Please remember that this is just a base level of security meant only to deter the casual intrusion – kinda like wiring your bike to the bike rack. It’s not going to protect you from someone who is dedicated, but it should help keep you from being one of the millions of people who get pwned just because it was so easy.

Also, feedback is always welcome. If you want more instructions for making your computer safe, let me know and I’ll write more documentation.

UPDATE: Eset has a free online virus scanner.


Optimizing Bandwidth for Sites

September 9, 2008

A typical internet radio station uses 128k of streaming bandwidth. Some use up to 256k.
Podcast downloads can take 100-200k, easily.
System & software updates can use even more.

A few people listening to low-quality internet radio stations is 512k (about 1/3rd of a T1).
A few people downloading podcasts is easily another 512k.
A few people downloading system or software updates, and your expensive T1 is all used up.

That’s zero bandwidth for employees clocking in and out, zero bandwidth for customers’ file transfers, and zero bandwidth for email in and out.

And ALL of those things can be going on at once for any computer or employee.

Call it a modern “tragedy of the commons”.

One thing that you can do if you have a good router/firewall is to manage Quality of Service (or “QoS”). QoS is basically giving high priority to things that are important for business (like email, VOIP, incoming FTP, etc.), and low priority to things that are not important (software updates, YouTube, streaming radio, etc.).

This isn’t just for businesses, either. If you use Skype at home, you should make your Skype calls a higher priority than your internet browsing so that you don’t lose call quality while you (or someone you live with) are using the internet.

So, if you can configure QoS on your firewall, here are a few tips:

  • Assign QoS by IP address block. Apple, for example, owns the Class A block 17.x.x.x. Unless you do business directly with Apple, you’re probably only ever accessing “17.” addresses for software updates, podcasts, iTunes Store, etc. – all low priority. Unless, of course, you’re using MobileMe.
  • Assign QoS by DNS name. Chances are pretty good you’re not doing much business with youtube.com, doubleclick.com, msn.com, espn.com, npr.org, or a variety of other high-use, low-productivity sites.
  • Assign by service. Not every firewall allows you to prioritize by service, but most will allow you to do it by port number. Things that should have high priority: VOIP (varies), SMTP (25), FTP (21).

Almost everything else will be fine if you leave it set to the default priority level. Your business (or home) may have other priorities (online gaming, for example), but these are a good starting place. Just make sure you save your router/firewall settings before you start and you’ll be able to undo anything you accidentally screw up.
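As an added example (not code from the post), here is a small Python classifier that encodes the three rules above so you can sanity-check a rule set before typing it into a router. The IP block, domains and ports are the ones the post names; the VOIP port (SIP on 5060) and the MobileMe hostname (me.com) are assumptions for illustration.

```python
# Added example: first-match QoS classifier for the post's three rule types.
import ipaddress

HIGH, DEFAULT, LOW = "high", "default", "low"

# Business-critical ports from the post. VOIP "varies", so the SIP
# signalling port is an assumption, not something the post specifies.
HIGH_PORTS = {25: "SMTP", 21: "FTP", 5060: "VOIP (assumed SIP)"}

# Low-priority destinations: Apple's 17/8 block and the high-use,
# low-productivity domains the post lists.
LOW_BLOCKS = [ipaddress.ip_network("17.0.0.0/8")]
LOW_DOMAINS = ("youtube.com", "doubleclick.com", "msn.com", "espn.com", "npr.org")

# Hosts inside a low-priority block that you still care about (the post's
# MobileMe caveat). The hostname is an assumption for illustration.
EXCEPT_DOMAINS = ("me.com",)

def in_domain(host, domain):
    """True for the domain itself and any subdomain (www.youtube.com)."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def classify(dst_ip, dst_port, dst_host=None):
    """Return (priority, reason) for an outbound flow; first match wins.
    Order: high-priority service, exception, low IP block, low domain."""
    if dst_port in HIGH_PORTS:
        return HIGH, HIGH_PORTS[dst_port]
    if dst_host and any(in_domain(dst_host, d) for d in EXCEPT_DOMAINS):
        return DEFAULT, "exception: %s" % dst_host
    addr = ipaddress.ip_address(dst_ip)
    for block in LOW_BLOCKS:
        if addr in block:
            return LOW, "ip block %s" % block
    if dst_host:
        for d in LOW_DOMAINS:
            if in_domain(dst_host, d):
                return LOW, "domain %s" % d
    return DEFAULT, "no rule"

if __name__ == "__main__":
    # Constructed sample flows (RFC 5737 test addresses), not captured traffic.
    samples = [("17.1.2.3", 80, "swscan.apple.com"),
               ("17.1.2.4", 443, "www.me.com"),
               ("192.0.2.30", 80, "www.youtube.com"),
               ("192.0.2.10", 25, "mail.example.com"),
               ("192.0.2.20", 80, "intranet.example.com")]
    for ip, port, host in samples:
        print(ip, port, host, "->", classify(ip, port, host))
```

Note that many firewalls apply a DNS-name rule by resolving the name once, so a site served from many addresses may only partially match; the IP-block rule is the more reliable of the two.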

“Why do we fall down, Bruce? So we can learn to pick ourselves up.”


iPhone 3G Ringtones from your MP3s

July 21, 2008

Here’s how to convert any MP3 in iTunes to a ringtone that works on your sparklin’ new iPhone 3G:

  1. Open iTunes and go to iTunes > Preferences, then choose Advanced at the top, and Importing right below that. In the drop-down for “Import Using:” make sure you have selected “AAC Encoder”. Now choose General at the top and make sure Ringtones are enabled.
  2. Control+Click the song you want to use and choose Get Info.
  3. Under Options you can specify a start time and a stop time. Ringtones are limited to 30 seconds, so specify the 30 seconds you want to capture. If it’s the first 30 seconds of the song, just specify an end time of “0:30”. Choose OK.
  4. Control+Click that song again and choose Convert Selection to AAC. This will convert the song from whatever format you have it in to an AAC (“Apple Audio Codec”) file with an .m4a extension.
  5. Control+Click the NEW one you just created – if you forgot which one it is, it’s the one that’s only 30 seconds long – and choose Show in Finder.
  6. Quit iTunes.
  7. Back in the Finder window that you just opened, the .m4a file should be highlighted. Change the extension from m4a to m4r.
  8. Re-open iTunes and drag that file into iTunes. It should now show up under Ringtones. Make sure your iPhone is set to sync ringtones and the one you want is enabled.
  9. On your iPhone, open Settings, then select Sounds. Specify your ringtone there. You can also assign ringtones to specific contacts by going into Contacts.

Load Balancing and Static NATs

July 6, 2008

<Heady tech. mumbo-jumbo>

CheckPoint’s Safe@Office firewalls don’t handle load balanced dual ISP configurations properly if you have external IPs static NAT’d to internal machines.

When you connect your first WAN link (WAN1) and set up static NATs for external addresses to reach internal machines, everything works fine. When you set up your second WAN link (WAN2), your internal machines with NAT’d addresses will not be able to use WAN2. If you’re using WAN2 for failover only, this is not a problem (well, until WAN1 fails), but if you’re trying to use load balancing, whenever the firewall routes a NAT’d machine to WAN2, the request will fail – DNS will time out, PINGs won’t come back, etc. You’ll be able to reach anything internal, and you’ll be able to ping the firewall just fine, but traffic beyond that will fail.

If you want to see it in full effect, just disable WAN1 for a moment. Anything that doesn’t have a static NAT will work just fine, but any machine with a static NAT will lose its internet connection.

The solution is to set up a static route from any machine with a static NAT. So here’s how to properly set it up:

  1. Connect both WAN links and make sure they’re working the way they should – including load balancing the traffic. That’s pretty easy.
  2. Now add a network object for the machine you want accessible from outside. If you can find it in your list of computers (Reports > My Computers), just click the “Add” link next to it. You’re adding a single computer; it’s going to have a fixed IP address and you’re going to Perform Static NAT. I gave mine an external IP address from the pool connected to WAN2, but I don’t think it matters. Then just give it a descriptive name.
  3. Now click Network > Network Objects and make sure it appears in that list with the correct Static NAT address.
  4. Now click Routes at the top and hit the New Route button. For Source, select Specified Network; the network will be the IP address of the Network Object you just created and the Netmask will be 255.255.255.255. Destination is “ANY” and Service is “ANY”. In the next window, for Next Hop IP, choose the WAN link that includes the external IP address that you selected in step 2. Metric doesn’t really matter for something this simple; you can leave the default.
  5. Now just test it. Make sure that you have internet access from the Network Object created in step 2. Disable one connection, test again, enable it, disable the other one, test again, etc.

Obviously, you can make it much more complex than this, but this is important information for getting load balancing and static NATs working.

</Heady tech. mumbo-jumbo>