Friday 28 December 2007

The eircom Master Socket

Have you ever wondered what lurks inside the master telephone socket that eircom provide?  Surprisingly little, as it turns out.  Here is a photo of the insides of one of them:-


Photograph of the inside of an eircom master socket


(click on the photo above for a bigger version) 


The circuit diagram of the master socket is:-

Circuit diagram of the eircom master socket


There are two sets of three connectors.  The connectors are labelled L1, L2 and R.  Each connector is directly connected to its counterpart on the other side via a breakable link on the circuit board.  The breakable links are tracks on the circuit board which run between pairs of oblong holes (visible in the photo above on the far right-hand side).  I think the idea is that two lines could be delivered via the same socket by breaking these links (although I have never seen or heard of this being done).  The (two-wire) eircom line is connected to L1 and L2.  L1 from the left-hand side connects directly to pin 6 on the RJ11 socket and via the breakable link to pin 4 in the RJ11 socket.  Similarly, L2 from the left-hand side connects directly to pin 1 on the RJ11 socket and via another breakable link to ping 3 in the RJ11 socket.  Since pretty much all modern telephones only connect to pins 3 and 4 of the RJ11 socket, this is really all you need.  For historical reasons, there is a 1.8uF capacitor connecting L1 on the left-hand side to the R pin on the left-hand side.  This is connected to pin 2 directly (and pin 5 via another breakable link) on the RJ11 socket.  This provides a separate ringing signal for (old) phones that need it.


Apart from the capacitor, the only other component on the circuit board is a 470K resistor.  Between R and L2.  This (in series with the capacitor) provides a load which eircom can use to test the line remotely when there is nothing else connected (even at a few tens of Hertz, the impedance of the resistor will dominate that of the capacitor).


 I had expected to find some sort of surge arrestor or something like that in there but there isn't one (the equivalent BT master socket has a surge arrestor, but is otherwise identical internally - although obviously the socket is physically different).


 Practically speaking, you can ignore the R pin completely...I think pretty much all modern telephones will derive their own ringing signal from the line and don't rely on it being delivered separately from the master socket.  So the only significant connections in the master socket are these:-


Essential connections in the eircom master socket


The idea is that the eircom line will connect to L1 and L2 on the left-hand side (I think these are labelled S1 and S2 in newer sockets) and you will connect your own internal wiring to L1 and L2 on the right-hand side.  Then, in the event of a fault, it is easy to isolate your internal wiring from the bit eircom are responsible for (thus avoiding a costly call-out charge if you haul out and eircom engineer to a fault which turns out to be with your internal wiring !). 

There are stories told of old modems which require you to snip everything except pings 3 and 4.  I have only come across it twice in my long and distinguished career fiddling with such things.  I can't claim to have a clear understanding of exactly why this is (sometimes) necessary...I have been offered several conflicting explanations.  I think it is to do with some (cheap and nasty) modems shorting some pins together internally.  If anyone would care to volunteer an explanation I will update this article accordingly.

Thursday 20 December 2007

The source of all network and security problems finally identified!!!

[This post is a slight departure from my stated policy of trying not to increase the average level of inane wittering on the Internet any further by keeping my opinions to myself in this blog, but this particular insight is just too penetrating not to share it with the world. Like all of my opinions, it is - of course - entirely correct ;-) ]


I have had an epiphany. I now know what causes pretty much all network problems: GUIs. At first blush, this may sound like a slightly sweeping statement but I have come to believe in it very deeply. Stick with me here and I will explain why.

Take today for example: Myself and one of my esteemed colleagues squandered an hour of our lives dealing with a guy in a secondary school where we support the Internet router. His Internet access was broken. I'll spare you the long and painful details of the hour...suffice it to say that by the end of it we determined that there was a server sitting between his 140 snotty, insolent teenagers and our router. It took a startlingly large fraction of that hour to glean from this barely-adequate specimen of humanity that this server even existed. We also figured out that - somehow - the server was at the core of the problem. After a conversation reminiscent of having teeth pulled, our hero volunteered that - infact - there had been a change to the server that morning: he had uninstalled Microsoft ISA server off it !! Somehow - and it completely eludes me how anyone can be quite this gormless - it never entered his head that perhaps uninstalling the proxy/firewall software off the server separating the hormonal masses from the Internet router might be somehow related to his current predicament (140 horny teenagers separated from their porn supply and becoming increasingly antsy about it).

So, how do I extrapolate from this to my theory about GUIs being the root of all evil ? Well, if that server had been a Linux server, there is no way on earth that this guy would have taken it upon himself to touch it. The slightly arcane (yes...I admit it) Linux command-line has a way of scaring off people like this who really need most of their brain power just so they remember to breathe regularly and are taking huge risks by trying to apply their limited stock of intelligence to anything else. In short, command-lines have a way of making things appear a little harder to do than they actually are and therefore act as a built-in safety-net, preventing "special" people from trying to do things they are simply not equipped to do. GUIs, have exactly the opposite effect: they allow the dimmest of knuckle-dragging troglodytes to poke and prod at things they don't really understand until eventually they manage to break it.

I formulated a more limited form of this theory some years ago when I formed the opinion that Checkpoint Firewall-1 was the source of all security problems on the Internet. When I first started working in the field of data security I could never really understand how hackers seemed to be able to waltz past the best of access lists and firewalls as if they weren't there. How could it be that the hackers were all so clever and the developers of firewalls were all apparently dribbling idiots ? Then, one day, I was on-site with a large multinational customer watching the guys in there trying to get an application working through a Checkpoint firewall. So, they fired up Checkpoint's very lovely GUI and they added the rule they thought should do the trick. It didn't, so the relaxed the rule a little further. It still didn't, so they relaxed it a little further again, and so the cycle continued through several iterations until eventually the application did work and the "firewall" was reduced to the functional equivalent of a piece of wire. At that moment I understood for the first time that security holes were rarely caused by weaknesses in firewalls and far more often caused by mental deficiencies in those charged with configuring them. I also understood that the GUI was at fault: Checkpoint's (lovely) GUI makes it very easy to set up rules without the bothersome inconvenience of having to have the remotest understanding of what the hell you are doing. If they had a PIX rather than a Checkpoint (these were the halcyon days before PIX Device Manager, when all was right with the world), this would not have happened. The only thing I didn't grasp at the time was exactly how generally-applicable the GUI theory was.

Thursday 12 July 2007

Adventures With Windows Vista and the svchost CPU Hog

System tray icon showing 50% CPU utilisationImagine my dismay when my new, fast-everything-dual-core-with-tons-of-RAM PC suddenly started running at around 50% CPU utilisation more-or-less constantly, even when it wasn't supposed to be doing anything. You just don't have these problems with Linux ;-) . Anyway so began the detective-work.

Most of the CPU utilisation appears to be Kernel-space:-

Graphs showing CPU utilisation


The obvious place to start is to find out which process(es) are doing the damage:-



Pretty consistently the culprit seems to be svchost with a process ID of 1468...it is running steadily at around 50%.


So what is it doing ? Microsoft's Knowledgebase article 314056 says:-



The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Easier debugging my ass. Anyway, it goes on to give some information about how to find out what this particular instance of svchost is doing. The command:-

tasklist /svc /fi "pid eq 1468"

shows exactly which services are running under this particular process ID:-

tasklist /svc output


So it only remains to figure out which of these services has gone awry. A little bit of guesswork comes in here, matching the abbreviated names from the output above to services. This isn't too difficult. All I had to do was stop the services listed one-by-one until the CPU utilisation dropped to zero. At it turned out, the culprit was the "TapiSrv", the Telephony service. This wouldn't stop when I asked politely (which was a bad sign all by itself) and when it was the only one remaining the CPU utilisation was still at 50%. When I forcibly killed the svchost process from Task Manager the CPU utilisation finally dropped to 0%.

Hindsight is wonderful. It turned out that the reason the Telephony service wouldn't stop was because it depended on the Fax service and it was the Fax service that was really stuck. Once I had figured that out it dawned on me that the problem began around the time I was (unsuccessfully) trying to send a Fax to my bank to berate them for their stupidity (but that's a whole other blog entry). I have worked around the problem for the moment by disabling the Fax service and all is well again (by Windows standards, at any rate). I haven't yet got around to working out what is wrong with the Fax service (the urgency has passed...I found another way to beat up the bank !)

Sunday 3 June 2007

Effect of Camera Aperture on Depth of Field - A Demonstration

This is a neat demonstration of the effect of camera aperture on picture depth of field. All of these photos were taken at the same time with decreasing aperture (or increasing f-stop if you prefer).





f/5.6
f/5.6





f/6.3
f/6.3





f/7.1
f/7.1





f/8
f/8





f/9
f/9





f/10
f/10





f/11
f/11





f/13
f/13





f/14
f/14





f/16
f/16





f/18
f/18





f/20
f/20





f/22
f/22





f/25
f/25





f/29
f/29





f/36
f/36

For those who are curious about such things, the pictures were all taken with a Nikon D50 fitted with a Sigma 18-200mm zoom lens. According to the EXIF information in the original images, the focal length when the pictures were taken was 65mm (and I have no reason to doubt it !!).

Sunday 27 May 2007

SCART connection from DVD player to TV blanks the TV picture

The problem: when my cheap-n-cheerful 14" Philips portable TV was connected to my even-cheaper-n-just-as-cheerful Bush DVD player, the screen on the TV was completely blank when trying to watch ordinary TV. Sound came through OK, but no picture. Disconnecting the SCART cable or plugging out the DVD power cable cured the problem, so it was pretty apparent that the problem was something being sent up the SCART cable from the DVD player to the TV.

SCART pinout SCART pinout (female connector seen from the front). Image is taken from Wikipedia.




After a visit to Wikipedia (source of all wisdom) and a bit of poking around with a multimeter, I found a 2.5v signal from the DVD player to the TV on SCART pin 16, even when the DVD player was turned off. This should tell the TV to expect RGB (rather than composite video) from the DVD player but appears to have a negative side-effect. Snipping pin 16 in the SCART cable has cured the problem.

Friday 25 May 2007

IPSec problems between Cisco PIX and WatchGuard Firebox

OK...this is my first useful post to this blog.

I have spent the better part of the day trying to diagnose an IPSec connectivity problem between a Cisco PIX (version 6.3.5) and a WatchGuard Firebox of some kind (I have no visibility of it). The problem turns out to be rather subtle, so I thought I would share it here.

The configuration on the PIX is fairly standard (IP addresses have been changed to protect the innocent !):-

crypto ipsec transform-set Esp3DesMD5 esp-3des esp-md5-hmac
:
:
access-list VPNToFirebox permit 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
:
:
crypto map VPN 60 ipsec-isakmp
crypto map VPN 60 match address VPNToFirebox
crypto map VPN 60 set pfs
crypto map VPN 60 set peer 2.2.2.2
crypto map VPN 60 set transform-set Esp3DesMD5
crypto map VPN 60 set security-association lifetime seconds 86400 kilobytes 8192
:
:
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode


The ISAKMP (Phase 1) SA establishes just fine, but the IPSEC (Phase 2) SA never comes up. Watching the debug information on the PIX, here's what happens:-


ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 8192
ISAKMP: group is 2
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS


The key is the "encaps is 61433" line. What this should say is "encaps is 61443" which is the (old, pre-RFC3947) encapsulation ID for ESP via NAT Traversal. As it is, the PIX has no idea what "61433" is supposed to be and the SA negotiation fails.

Here's what the debug output looks like when talking to another PIX (which sends the correct ID):-


ISAKMP (0): processing SA payload. message ID = 177759204
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 8192
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 1
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,


Here the encapsulation ID is correct and the tunnel comes up.

The problem only arises when NAT is detected on the path between the Firebox and the PIX...otherwise there is no need to encapsulate the ESP inside UDP.

References

Hello, World

Temptation has got the better of me. I have a blog. This will be a source of some mirth to those who have suffered through my several diatribes about a certain class of self-important, highly-opinionated person who believes that they somehow make the world a richer place by filling it with their random flashes of cerebral diarrohea. Bloggers, in other words.

I have a good excuse. I figure a blog is a viable substitute for a memory and that is how I intend to use it. I have little intention of banging on about Iraq (and the activities of the evil warmongers there), politics (even though yesterday was election day in Ireland), religion (which I am generally in favour of up to the point where it calls upon me to actually be good) or sex (which I am generally in favour of up to the point where it calls upon me to actually be good). That’s not to say that I definitely won’t impose my view about all of those things on the world, but it isn’t the main idea. Rather, the plan is to use this as a way of writing down lots of stuff that I figured out once and will probably need to figure out again at some point long after I have forgotten how I did it the first time.

You can thank/blame (depending on your perspective) John Dunn for inspiring me to actually do this since it was the arrival of his blog (to which I will link if he ever makes it public ;-) ) that finally pushed me over the edge. I feel certain that his comment will be found below before too much longer.

If, in a spirit of benevolence and generosity, you feel compelled to follow me down the path towards being a blogger, I highly recommend WordPress. I found it very easy to set up (it really did take only 10 minutes) and it is real a pleasure to use.