Badvertising

John Gruber writes, à propos of Apple Stores:

Advertising alone can’t convince customers that products are nice, because all ads claim every product is great. You need to see things, to touch and try them, to truly believe.

This is true. However, advertising does have the ability to convince consumers that products are not nice. For instance, I heard an advert on the radio for a new smartphone, which cited as features (from memory) "dual-core processor, one gig of RAM, Super AMOLED display, and Gorilla Glass". Leaving aside for a moment the question of whether anyone cares about the first three features, let's just reflect on that last one: the Gorilla Glass.

Does anyone doubt that Corning's Gorilla Glass is only a feature to be called out by name because the iPhone has it? The problem is that the makers of this non-Apple phone confused cause and effect. Consumers by and large don't care or even know about Gorilla Glass. They care about its effects, but it's not something they'll go looking for. The only consumers who will be attracted to a smartphone because it includes Gorilla Glass are people who have already made up their mind not to buy an Apple product or can't afford one, but still know the specs to Apple products by heart. Is that really the market you want to get into?

The wider point though is that I am seeing a trend in smartphones towards PC-like advertising, quoting detailed hardware specs and software versions up front, specified to eight decimal places. From my admittedly unscientific sample of Android phone owners, very few of them could even tell me which major release their phone was running: Ice Cream Sandwich, Jelly Bean, or whatever code name the developers should have had the good sense to keep to themselves.[1]

iOS users have no problem referring to versions by number, again for those who care - although my anecdotal evidence suggests that a higher percentage of iPhone users do actually know and care what OS version they are running. Once again, though, don't confuse cause and effect. If Apple started running TV adverts all covered with Intel Inside stickers, mega^W gigahertz numbers (showing my age there), and goodness knows what, consumers would be entirely turned off. Even PC manufacturers barely do that any more, not least because the speed wars have calmed down a lot in the last decade.

Apple's competitors consistently learn the wrong lessons. If you have to copy from Apple, at least copy the right things. Including Gorilla Glass in your product is good, but that alone is not going to cause people to line up around the block for it. Work on the user experience, on the compatibility, on generally making your device something people will want to take out and use even when they don't have to. Focus on the details; it's never "good enough" for devices that people use as frequently as phones, that have to live in the real world of pocket lint and damp air, and that have to be instantly available and stay available for long periods of time.

And I'll still buy my next phone from Apple.


[1] Look, I'm working on the marketing for a product which is in the middle of a series of versions that take their codenames from Voltron characters, but we certainly have no intention of telling the customers about those or making them learn those names for when they call our support line. Ahem.

EVERYONE is Waldo

There has been an interesting conversation going on over the last few days. The starting point was Brian Katz' post about Herding Kangaroos, and the follow-up, Where's Waldo.

The gist of Brian's post is this:

The world is truly full of boogey men and if someone desperately wants your data there is very little you can do to stop them in most instances, you may be able to slow them down but that is probably it. The issue I have with this locking down of the enterprise is that it affects the business.

[…]

If users aren’t given the right tools, they find what they need anyway and give it to everyone else who wants/needs it long before you have a chance to put a stop to it. It becomes very difficult to play the Where’s Waldo game every day.

Everyone's Waldo

I agree, for the most part. I've been a sysadmin, and I cut my teeth adminning for a department of smart-aleck developers who all needed the root password / security exceptions / special firewall rules / extra disk quota to do their jobs, so the notion that we could have perfect security if only we didn't have to deal with all those pesky users definitely strikes a chord with me.

The problem that IT faces is much the same as the one the entertainment industry faces. Not only must the security measures in both cases be sufficiently unobtrusive that users don't find it easier just to circumvent them, but at some point you have to give users access to the content you're trying to protect. Just as all those FBI piracy warnings on DVDs have to (eventually) end and let you watch the film, all the encrypted, location-sensitive, token-based secure content lockers have to let users view the files at some point. Once users have the content, no clever technology is going to prevent someone from doing something IT doesn't want them to do.

Violations can be impressively low-tech. One ex-colleague, a sales guy, printed out his presentations, and then used the same print-out for multiple customer engagements - complete with slides under NDA, embargoed roadmap details, and confidential details on other customers he had previously used the same printout with. How does your Enterprise Solution prevent that?

Or what about users giving up their passwords for candy bars, or entering them in online "password security checkers", or clicking on the link in that e-mail pretending to come from the help desk?

In the end it's not about the device, it's about the users. Technical fixes will only get you so far. Focusing on the people who bring their iPads to work and ignoring the guy walking out the door with a sheaf of dog-eared printouts - but corporate-issued laptop and phone - might follow the letter of the infosec policy, but it's certainly missing the spirit.

Explain to people what your goal is, why it's important (to them), and make it easy for them, and most of them will go along. The ones who won't have other problems anyway.

Stop doing that.

Generally I prefer apps on my iDevices to web pages or "web apps". I like the offline access to historical data, I like the streamlined navigation, and I like the fact that interesting navigational concepts don't kill Safari with megabytes of JavaScript and CSS.

There is one thing that I hate about apps: they all insist on opening web pages inside the app.

Don't do that, not even if John Gruber likes it.

For one thing, Safari has all the cookies, and I don't want to log in to things all over again just because I tapped on a link in an app rather than going through the browser. For another, Reader mode only works in real Safari, not embedded Safari. Finally, all my useful bookmarklets are also only available in Safari; things like "Save to Instapaper", for instance. Even Flipboard, possibly my very favourite iPad app, does this: if you're reading something and you want to bookmark it so that it will persist after you close Flipboard, you have to first "View on Web" and then "Open in Safari". At least these days you can "Read Later" directly from Flipboard without having to back all the way out to Safari, but waiting for developers of other apps to adopt your app is a major stumbling block for adoption of new useful apps.

Images are fine inline, but complete web pages should go to Safari, full stop.

A change will be needed in how Safari manages tabs for this to work. Either it needs a limitless number of tabs, to be managed like the iOS app list, or it needs a warning when opening a new tab will cause an existing one to be closed.

One other feature I want for iOS 7 is a central router for URLs, so that for instance everything to do with twitter.com gets sent to the Twitter app, no matter where it comes from. Some app developers seem to be onboard with this idea; twitter.com now displays a bar along the top of the page offering to open the current view in the native Twitter app, but Google+ and Facebook don't. This leads to the sort of idiocy we see in this screenshot, where clicking on a link in the Google+ iPad app spawns an embedded browser which does not have my G+ ackles.

[Image: Google+ login prompt shown inside the Google+ app's embedded browser]

No, grazie.

This then triggers another rant of mine, because Google in their wisdom send you all their content in the local language of wherever their geo-IP code thinks you're located, instead of, oh, for instance, respecting HTTP Accept-Language headers.

At least Google seem to have fixed another pet peeve of mine, where the menu with all the different language options was itself localised. While one of the less-publicised benefits of a classical education is the ability to identify Αγγλικα in the menu when browsing from a beach bar somewhere in the Cyclades, this works less well in Riyadh or Bangkok.

[Image: Google's language selection menu, with every entry shown in its own language]

Go on, now find English.

Nowadays there's a nice "Google is also available in English" popup pretty much everywhere, so there's less call for appending /ncr to Google URLs. Progress, finally!

The good news is that things are moving in the right direction, as we can see in the examples of Flipboard and Google, but if Daring Fireball is issuing plaudits for apps that reinvent their own wheel^W browser, maybe continued progress is not a given.

I brought my device for me, not for you!

Some of the hottest topics right now are Mobile Device Management (MDM), and Bring Your Own Device (BYOD). BYOD was memorably redefined by Vittorio Viarengo on stage at VMworld 2012 as SYOM, which stands for Spend Your Own Money.

[Image: Vittorio Viarengo on stage at VMworld 2012, "SYOM"]

Today however I want to talk about the intersection of those two topics. BYOD is not new; even before laptops were a general-issue item, I was building unofficial machines at work out of scavenged parts to run Linux on. Plenty of people brought their own machines from home, even back then when it was a pretty major logistics challenge.

Techies could not easily be prevented from doing things like reinstalling their corporate-issued devices or adding unofficial devices to the network because they were often the same people who were in charge of enforcing any rules. In other words, they either had the root password to do their jobs, or they were the drinking buddies of the people who did. Since installing Linux on a repurposed desktop was probably the absolute least amount of mischief these people could get up to with that sort of access, since they knew how to stay much safer than average users even on unofficial systems, and since far from interfering with their jobs, all this often made for happier and sometimes even more productive techies, the Powers That Be tended to turn a blind eye.

I was into it before it was cool

With the arrival of devices as light and as simple as iPads and iPhones, this behaviour has moved from being something a few techies might do to become something anyone might do. I still remember the day my mother, a woman who would invite me to lunch just so she could dictate a few e-mails to me and get me to format and print out some bills for her, asked me a question about her iPad, and I gradually understood that she had upgraded the thing to iOS 6 on her own, completely unaided. Until then, I would have stated with confidence that my mother was about as likely to update an operating system as to take up competitive unicycling. This was something different, opening up new capabilities to a very different audience.

With that change in audience came a marked change in attitudes. Suddenly BYOD was visible, because people would show up to meetings with iPads or flagrantly non-company-issue MacBook Airs (yes, that would be me), and so suddenly it was a Problem.

In the Enterprise world, for every Problem there is a Solution, or sometimes a Suite. However most of these Solutions are very short-sighted. The whole reason I went out and Spent My Own Money on a MacBook Air when my employer had bought me a perfectly good Dull was that a) the Air weighed about as much as one of the Dull's hinges, so I could actually carry it without one shoulder ending up lower than the other like some fakir, and b) the Air was not weighted down with all the Security Solutions that meant the (quite powerful) Dull took half an hour from boot to when I could actually use it.

Forcing employees - the most dedicated employees, the ones who spend their own money in order to do their job better - to place that yoke back on their own necks is like the cliché of the drunk looking for his keys under the streetlight, even though he lost them somewhere else, because "that's where the light is". The problem isn't my unofficial MacBook, the problem is that my corporate-issue laptop is unusable.

Thou shalt not have a life

MDM applies specifically to mobile devices, such as iPhones or iPads. Many of these are also brought in by employees, although that tide is beginning to turn as the BlackBerry loses its grip on enterprise mobile customers. The problem is that where controls on an open device like a laptop can be fairly fine-grained (write-protect this directory, block that port, prevent services from starting, and so on), with phones the controls are much coarser. Often they are limited to preventing installation of particular apps entirely.

Phones and tablets are even more personal than laptops. Just because I volunteer to read my business e-mail on a device, you want to prevent me from installing Dropbox and sharing pictures with my family? No thank you!

[Image: a phone split between a work persona and a personal persona]

Split personality

One solution which has been proposed is to have "personas" on the device, so that at work the phone goes into work mode and only lets you do work things, and at home it locks up all the work content and lets you do personal things. The problem is that we don't live our lives that way any more. My Twitter feed is about one-third work ("look at my company's cool product"), one-third personal ("guess where I am this week!"), and one-third mixed (friends met through work, professional conversations spilling over into conversations about beer, and so on). Should Twitter be blocked, filtered, or left alone? What about Facebook? Hey, what about Foursquare? Isn't it a security risk to know which customers' offices I'm visiting, or which colleagues I'm travelling with?

Get off!

[Image: "Get off!"]

Look, very little of what I do has wider relevance. If a competitor were to get hold of the sort of documents I might be likely to put in my Dropbox, I seriously doubt it would have any effect whatsoever on their planning. The worst thing that might happen if my entire laptop got leaked is that some customers get annoyed because their name gets associated in public with my employer's without their approval, or perhaps some analysts get miffed because information got out before their turn in the briefing schedule. Our stock price would be completely unaffected.

There are maybe a dozen people in the typical company with access to that type of data - M&A plans, that sort of thing - and a few more who hold data that, while not sensitive in itself, is legally protected - personal data on employees or customers, material that is subject to shareholder or SEC disclosure rules - but there are few enough of these people that they can be handled as an exception, without getting in everybody else's way.

There's an old joke about a CEO meeting his CIO and CFO. The CIO is asking for more budget for training his staff. The CFO asks: "What if we train all our staff, and then they leave?". The CIO shoots back: "What if we don't - and they don't?".

Treat your employees like adults, and most of them will behave like adults. The ones who won't will figure out ways over, around or under any walls you care to erect, so you might as well empower the good eggs instead of annoying them.

On Art.

On my third trip to Bilbao, I finally made it to the Guggenheim. It's a fantastic building, and being set in a rather drab town (sorry, Bilbainos!) only enhances the contrast of the shiny titanium curves of its exterior.

[Image: the Guggenheim Bilbao, exterior]

Many people had told me that the draw was mainly the building itself, and the art collection was so-so. However I had a couple of hours free on this trip, and since I was staying in a hotel literally across the road from the museum, I would have felt guilty if I had passed up the opportunity to look around one of the most famous museums in Europe.

[Image: the Guggenheim Bilbao, atrium]

The first impact is very positive. The atrium is just as spectacular on the inside as it is on the outside. There are also a couple of curvilinear terraces jutting out from the facade and into a water installation - something about fog, I gather, but the pool was drained on my visit. There were some outdoors sculptures, though - colourful oversized chrome tulips by Jeff Koons (who else?) and another chrome sculpture by Anish Kapoor.

[Image: Richard Serra, The Matter of Time]

The ground floor galleries house selections from the Guggenheim's permanent collection, plus a large space dedicated to a series of installations by Richard Serra, entitled The Matter of Time. The Serra installation is actually fascinating: a series of complex steel shapes, formed by the projection and intersection of ellipses, spheres and tori. Visitors walk through these huge curving or spiralling shapes, and the changing radii together with the isolation from the rest of the gallery combine to induce disorientation and even, in some cases, nausea. I was certainly disoriented by some of the spirals, although the most famous piece, Snake, was perhaps less impressive in combination with the other pieces than it would have been on its own.

[Image: Gerhard Richter, Seestück, 1969]

As for the collection, I fell in love with a piece by Gerhard Richter, entitled Seestück (Seascape). Richter has painted an apparently traditional seascape view, but looking at it more closely reveals the sort of movement and blur artifacts that a photograph might contain, all exquisitely rendered in a hyper-realist style which makes Richter's work a true commentary on visual perception, not just an abdication of ability and training.

[Image: Georg Baselitz, Mrs Lenin and the Nightingale]

I was less enthralled by a series of fourteen paintings by Georg Baselitz, all variations on the same subject and sharing the title Mrs Lenin and the Nightingale. Described as "a masterpiece of European painting", the series left me distinctly underwhelmed, to the point that I took a single turn around the room and left. Much was made of the materials and of the fact that Baselitz apparently paints with the canvas upside-down or with his feet. The results do not argue in favour of this method.

The same contrast as I found between these two artworks was on display upstairs, where the entire floor had been given over to an exhibition on Hockney. This was my first time viewing Hockney paintings de vero, and I had tried to refrain from judgment until I had done so because I had understood that the scale was a large part of the appeal of the pieces. However, the only advantage that the large (in some cases, very large) scale brought to me was that it was easier to appreciate the composition from afar, without being distracted by the frankly juvenile technique and colour palette up close. Nowhere was this made more clear than in the room given over to variations by Hockney on the 17th-century Sermon on the Mount by Claude Lorrain. In a fit of misjudged bravado, the curators had hung the original side by side with Hockney's attempts to replicate it. The results did much to reinforce my existing preference for pre-modern painting, as the technique, composition, and evident anatomical study which had gone into the earlier work were entirely missing from Hockney's garish and over-sized caricatures.

The third floor was closed at the time of my visit for the preparation of a series of architectural installations, which unfortunately also meant that I was unable to visit a small collection of Schiele. The fact that visitors were not informed up front that both the fountain installations and one-third of the interior galleries were closed was less than satisfactory on the part of the Guggenheim's management, but the entry fee was reasonable enough (eight euros) that I felt that I had got my money's worth, regardless.

What I saw at the Guggenheim Bilbao reinforced my previous opinion that painting as an art form is in serious trouble. Large-scale installations such as Richard Serra's and Jenny Holzer's are often striking, while contemporary abstract sculpture often plays with light and texture in fascinating ways. Other pieces like Joseph Cornell's found-object boxes defy easy categorization, but remain entirely original. Painting, though, appears to have become unmoored from culture and generally accepted notions of beauty. Nowadays artists like Baselitz seem to take perverse pleasure in their ability to épater la bourgeoisie; the problem is that while this might have been worth doing a hundred years ago, these days the bourgeoisie is quite capable of getting its shocks on its own. The art world is therefore at risk of turning into a completely self-referential clique which is simultaneously baffled and secretly pleased at the lack of interest with which the public treats its members. If institutions such as the Guggenheim, and indeed the artists whose works are exhibited there, are to survive as anything other than a desiccated carcass hinting at former glories, they will need to engage with this disconnect and address it head-on.

First they came for the brogrammers

I admit to being a bit bemused about all the kerfuffle over brogrammers and whether drinking at tech events might be excluding people who don't drink. My first reaction was along the lines of "pish posh, they're just over-reacting". However, I thought a bit further into the topic, and realised that I may have been a victim of my own perspective (or lack thereof).

Allow me to give an example. I happened to run into one of my employer's partners in France, and asked after one of his employees whom I had trained. I was surprised to hear that my trainee had gone though two customers and was now at a third site, which finally seemed to be working out for him. I expressed surprise, as he had been an exemplary student. The partner looked at me a bit oddly, as if I were being slow, and said, as if it was the most obvious thing in the world: "yes, but he's black!".

This floored me. It had not escaped me that the guy was black; it's not the sort of thing you can miss, as he is extremely black (the ace of spades comes to mind), but his French is un-accented and his technical skills are well above average. The colour of his skin was to me a convenient way to point him out to someone in a crowded room; I might say "the black dude" much as I would say "the blonde girl" and think about as much of it.

In the same way, my feminist mother was the one who pointed out to me that I was working for a woman. Once again, it had not escaped me that my boss is female, but I had not made the association that I was working for A Woman and that this was out of the ordinary. She's a cool person who gave me a job when I asked her for one, and that's about it. All this started me wondering whether I might just be living in a happy bubble. Sure, I might not be racist/sexist/bro-ist, but my track record also tends to indicate that I'd be the last to know if it were going on around me.

There is also my suspicion that a certain proportion of the heat and noise around these issues is manufactured outside the core audience. During a previous foray into blogging, I asked my flat-mate at the time, who was black (and indeed still is, not having pulled a Michael Jackson in the meantime) whether I should write black or Black. His response was that only white (or White?) people would worry about something like that.

All that said, racism and sexism have their use as a signal flare indicating IDIOT HERE. Most other opinions, bone-headed as they may be, might have some sort of justification, but there's a line, and I've never yet gone wrong by writing off people who cross it.

My personal recipe is that everyone should chill out. Interesting and worthwhile people are few enough on this fallen world, without limiting the pool by how much sun-lotion they need, whether they sit to pee, or whether they might enjoy a social drink (or ten).

Thoughts?

Daily essentials

Since everyone's doing it, here are my daily essentials, or everyday carry.

[Image: the everyday carry items listed below, laid out on a table]

In the pic, clockwise from top right: Tumi Laredo Jefferson messenger bag, Vodafone mifi, Altoids, go-bag of cables and chargers, Just Mobile AluPen stylus, hotel pen, Cross passport and card wallet, Tumi Alpha money clip/card holder, D&G sunglasses, house keys (including USB "key" and Swiss Tech Utili-key) on The Bridge keyring, RSA dongle with office keys and more USB storage, iPad (in Incase folio) with Skullcandy Lowrider earphones, iPhone 4s (in Sena case), Jawbone Icon Bluetooth earpiece, MacBook Air 11" (in Incase shell).

The Tumi bag took ages to find, but was well worth it and is the best bag I have ever owned. Still looks great after a couple of years of daily use - so good, in fact, that in a Tumi store in Orlando the staff commented on it and gave me free Tumi-branded leathercare products!

A few people have made fun of all the cables, saying that how Apple got the MacBook Air so small was by making you carry everything around in a separate bag. So OK, there are VGA, HDMI and Ethernet dongles in there, plus a USB hub, which would not be needed with other laptops, but it still weighs a lot less than the Dell 6500 I had before this, or even the 4300 which some people are getting at work now, even if you add these dongles to the scales.

The mifi is a great invention, to the point that when I do eventually get around to replacing my first-gen iPad 3G I can't see any reason not to just get the wifi-only version. I just wish Vodafone would come up with some sort of reasonable deal for roaming between different Vodafone national networks, as this is still a big issue in Europe.

The Utili-key has never got a second look from airport security, and has saved my bacon a few times. It did cause me to leave my keys behind in Paris once though, when I loaned someone the Utili-key and left the key-ring on the conference room table... Fortunately I managed to recover them the next Monday when I was back in town!

The Lowriders get replaced with Bose Quietcomfort 15s for long flights, but the Lowriders fold up small enough to be an everyday convenience. The QC 15s clip on to the outside of the bag with a carabiner, which is fine for a quick dash through the airport but would get old quickly as a daily addition. Plus, the mike on the Lowriders' cord is great for voice conversations if the Jawbone's battery runs out or I need to cover the other ear.

I need a different case for the iPhone. This Sena case was what they had in the Apple Store when I got the phone, and knowing my own clumsiness, I got what they had. However this case covers the camera while leaving the corners uncovered, and is just a bit unwieldy to use every day. Suggestions welcome!

Windows 8 fun

Since I want to be able to disparage it scientifically and with knowledge aforethought, I downloaded the Windows 8 Consumer Preview.

First off, and already quite questionable: the first download users are offered is actually an installer which will run on a live Windows 7 install and irreversibly upgrade it to Windows 8 CP. Excuse me? Why in the name of Great Cthulhu would I ever want to do that? Fortunately it's also possible to get ISOs, so that is what I did.

The free VMware Player makes it super easy to try out a different OS for a while. I was already using it to power my nostalgia trip into BeOS (you can actually download a pre-configured image from here - how cool is that?).

Once the ISO is downloaded, Windows 8 installs pretty quickly. It wants a Windows Live account for the default login, so I used mine and signed in. At this point you get the now-famous Metro UI, with all its various tiles. Behind this there is actually a normal Windows desktop, which apart from the absence of a Start menu would not be too unfamiliar even to someone coming from Windows 95. The Metro tiles replace the Start menu, or at least its launcher functions, but more on that later.

I decided to spend my time in Metro, since that is the main innovation in Windows 8 as far as I can tell. It quickly becomes apparent that this is by no means a desktop UX model, though. On a 26" monitor running at 1920x1200 pixels, the wasted screen real estate is horrific. I usually spend most of my customization effort in trying to cram more information onto the screen at any given time. Metro, with its drive to full-screen everything, is the antithesis of that model.

The apps look nice enough, although it took me a moment to figure out that a lot of functions require the "charm key" (Windows+C). Just pressing the Windows key takes you back to the Metro tiles, while a lot of app customization options, not to mention features like the control panel, only appear after pressing that "charm key" combination.

[Image: the Metro Mail app]

One annoyance is that IE is not the same in Metro as in the old-style desktop. For instance, Flash works on the desktop, but not in the full-screen Metro IE. This sort of minor inconsistency is par for the course from Microsoft, but it shows the pitfalls inherent in trying to create a unified user experience.

[Image: the Metro People app]

The main reaction to all this is "meh". Why bother with this thing? We live in a world which includes the MacOS and all manner of X-based Linux desktop environments for desktop PCs, not to mention of course Microsoft's own efforts in that direction. On the tablet side, there's iOS and Android, both doing a pretty decent job already. What extra sauce does Windows 8 bring to the party?

Leaving aside Metro, which all desktop users will be eager to do after about five minutes, this is a Windows 7 service pack, if that. Metro might be a good fit for tablets, but not if it has Windows Vista crouching in its guts the way this preview does. Installing any of the millions of existing Windows apps sounds great in theory, but what actually happens is that each app creates several new tiles: the app itself, the uninstall icon, and the various other "helpful" icons that all apps seem mandated to install these days. It's one thing when this cruft is hidden several levels down the start menu, but if it's all going to be out in the open, things are going to get messy fast.

[Image: the classic Windows desktop behind Metro]

And if Windows 8 doesn't include the Windows desktop everywhere, then what's the point of unifying the desktop and tablet interfaces? A mouse pointer has an enormously greater level of precision than fingers, so any interaction model which has to cater to both will end up being compromised.

Tablets and desktops have different form factors and use cases. While there is a case to be made for some convergence, as Apple is showing with increased sharing between iOS and MacOS, I think Windows 8 takes that convergence a bit too far, and the result is half-baked. It's a pity, because I do like the Metro UI - just not on my desktop PC.

For the record

I've done all of this before, but that was a long time ago, and when it came to doing it again, I realised I had forgotten all of it and had to start over. Therefore, for the benefit of my future self and anyone who is trying to do the same thing, here is how to set up a FreeBSD box to act as a firewall and caching name server for its local network.

First things first, you need the hardware. I went with an Intel Atom CPU, because this box runs 24x7 and I wanted something that wouldn't eat too many watts. I sat that in a D525 micro-ATX board and put that in an Antec Mini-Skeleton case. If you haven't seen one, here's what it looks like:

[Photo: the Antec Mini-Skeleton case]

The fan on the top is pretty quiet, and lights up blue if you want.

I added a second network interface because one of this machine's jobs is to act as firewall, and off we go.

I'm running FreeBSD because it is as close to a hassle-free OS as I know. It also lets me keep in practice at running a real, non quiche-eating OS, plus has the added benefit of freaking out anyone who asks to use my computer. Between FreeBSD and the keyboard with blank key-caps, most people bail out without even trying.

First things first, I need to get the server to talk to my ISP and to provide IP addresses to the local LAN. On FreeBSD, this is super easy. Just add the following to rc.conf:

 ifconfig_rl0="DHCP"
 ifconfig_re0="inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
 dhcpd_enable="YES"
 dhcpd_ifaces="re0"
 pf_enable="YES"
 pflog_enable="YES"
 gateway_enable="YES"
 named_enable="YES"
 named_auto_forward="yes"
 named_auto_forward_only="yes"

The first line instructs the rl0 network interface to request its configuration via DHCP. The second line gives a fixed address to interface re0.

I wanted a firewall that would let me talk to the outside world, but would not allow any inbound traffic. Since my ISP NATs traffic unless you pay them lots, there is no downside to a complete lock-down. I went with pf, purely because it's hard to replicate in iptables the artistic intent of a pf rule that says pass out quick on $cheap_gin. The pf firewall is enabled by the pf_enable="YES" line in rc.conf, and configured with pf.conf. Here's my firewall setup:

 ext_if = "rl0"
 haus_if = "re0"
 haus_ips = "192.168.1.0/24"
 wifi_ips = "192.168.3.0/24"
 priv_nets = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
 table <firewall> const { self }

 set loginterface $ext_if
 set skip on lo0
 set skip on plip0
 #antispoof log for $ext_if inet

 scrub in all
 nat on $ext_if from $haus_if:network to any -> ($ext_if)

 block all
 block drop in quick from urpf-failed
 block drop in quick on $ext_if from $priv_nets to any
 block drop out quick on $ext_if from any to $priv_nets
 pass out on $ext_if proto tcp all modulate state flags S/SA
 pass out on $ext_if proto { udp icmp } all modulate state
 pass in on $haus_if from $haus_if:network to any keep state
 pass out on $haus_if from any to $haus_if:network keep state

Simples. I have my two interfaces, rl0 and re0, respectively the one facing teh internets and the one facing the house LAN. Everything from the outside gets dropped, including anything spoofing an address which should be internal, and everything from the inside gets passed, whether to the outside or to another internal network.
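To see why that summary holds, here is a small model of pf's rule evaluation run over the ruleset above. It is an added example, not code from the original post or from pf: every rule is tried in order, the last matching rule decides, and a rule marked quick stops evaluation at once. It models only direction, interface and source/destination networks (no state tracking, scrub, NAT or the urpf-failed rule), writes the loopback network as 127.0.0.0/8 where the page has 127.0.0.1/8, and the sample packets use constructed documentation addresses. It also shows that only $haus_if:network is passed in on re0; the wifi_ips range, which the ruleset defines but never uses, is blocked there.

```python
"""Toy model of pf's rule evaluation over the page's ruleset.

Added example, not part of the original post.  Semantics modelled:
rules are tried top to bottom, the LAST matching rule wins, and a
rule marked "quick" ends evaluation immediately.  Only direction,
interface, source and destination networks are considered; state,
scrub, NAT and urpf-failed are deliberately left out."""
from ipaddress import ip_address, ip_network

EXT_IF = "rl0"                                   # $ext_if
HAUS_IF = "re0"                                  # $haus_if
HAUS_NET = ip_network("192.168.1.0/24")          # $haus_if:network
PRIV_NETS = [ip_network(n) for n in              # $priv_nets (127.0.0.0/8,
             ("127.0.0.0/8", "192.168.0.0/16",   # written 127.0.0.1/8 on
              "172.16.0.0/12", "10.0.0.0/8")]    # the page)
ANY = [ip_network("0.0.0.0/0")]

# (action, quick, direction, interface, source nets, destination nets),
# in the same order as the page's pf.conf.  None means "any".
RULES = [
    ("block", False, None,  None,    ANY,        ANY),        # block all
    ("block", True,  "in",  EXT_IF,  PRIV_NETS,  ANY),        # spoofed private source
    ("block", True,  "out", EXT_IF,  ANY,        PRIV_NETS),  # private destination leak
    ("pass",  False, "out", EXT_IF,  ANY,        ANY),        # tcp / udp / icmp out
    ("pass",  False, "in",  HAUS_IF, [HAUS_NET], ANY),        # LAN -> anywhere
    ("pass",  False, "out", HAUS_IF, ANY,        [HAUS_NET]), # anywhere -> LAN
]


def _within(addr, nets):
    return any(addr in net for net in nets)


def evaluate(direction, iface, src, dst):
    """Return "pass" or "block" for a packet seen on `iface` travelling
    `direction` ("in" or "out") from `src` to `dst`."""
    src, dst = ip_address(src), ip_address(dst)
    verdict = "pass"           # pf's default when no rule matches at all
    for action, quick, rdir, rif, snets, dnets in RULES:
        if rdir is not None and rdir != direction:
            continue
        if rif is not None and rif != iface:
            continue
        if not (_within(src, snets) and _within(dst, dnets)):
            continue
        verdict = action       # last match wins ...
        if quick:
            break              # ... unless the match is quick
    return verdict


if __name__ == "__main__":
    # Constructed sample packets using documentation address ranges.
    samples = [
        ("in",  "rl0", "203.0.113.9",  "198.51.100.2"),  # unsolicited inbound
        ("in",  "rl0", "10.1.2.3",     "198.51.100.2"),  # spoofed private source
        ("out", "rl0", "198.51.100.2", "203.0.113.9"),   # normal outbound
        ("out", "rl0", "198.51.100.2", "192.168.2.5"),   # leak to private net
        ("in",  "re0", "192.168.1.5",  "203.0.113.9"),   # LAN host going out
        ("in",  "re0", "192.168.3.7",  "203.0.113.9"),   # wifi_ips: never passed
    ]
    for pkt in samples:
        print(*pkt, "->", evaluate(*pkt))
```

Before loading a real ruleset, pfctl -nf /etc/pf.conf parses it without installing it, and pfctl -sr prints the rules as pf actually holds them, which is the quickest way to confirm the macro expansion matches what this model assumes.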

Now everything in the house can talk to the internet. Next, DHCP and dynamic DNS. The DHCP server, dhcpd, is started with the dhcpd_enable="YES" line from rc.conf. This enables the server, and dhcpd_ifaces="re0" then forces it to listen only on the internal interface. Having dealt with rogue DHCP servers before, I don't want to be guilty of unleashing one. The DHCP server is then configured with dhcpd.conf:

 option domain-name "dashaus.lan";
 option domain-name-servers 192.168.1.1;
 option subnet-mask 255.255.255.0;

 default-lease-time 600;
 max-lease-time 7200;
 authoritative;

 ddns-update-style interim;
 ddns-domainname "dashaus.lan";
 # dhcpd prepends the reversed client address itself, so only the suffix
 # goes here; naming the whole zone produces doubled PTR owner names such
 # as 11.1.168.192.1.168.192.in-addr.arpa
 ddns-rev-domainname "in-addr.arpa.";
 log-facility local7;
 update-static-leases on;
 do-forward-updates true;

 subnet 192.168.1.0 netmask 255.255.255.0 {
      range 192.168.1.2 192.168.1.200;
      option routers 192.168.1.1;
 }

The house domain is dashaus.lan, and this is the authoritative DHCP server for the domain. In addition, any device that gets an IP address from this server also gets its hostname resolvable under dashaus.lan. This is great for not having to remember which access point has 192.168.1.15, or where the NAS is now. Sure, I could do it with hosts files, but then I'd have to update those, and iOS doesn't do hosts files anyway, so this is better.

Of course this doesn't work alone - you also need a DNS server. I enabled it simply by adding named_enable="YES" to rc.conf.

And here is my named.conf:

 options {
      directory       "/etc/namedb/working";
      pid-file        "/var/run/named/pid";
      dump-file       "/var/dump/named_dump.db";
      statistics-file "/var/stats/named.stats";
      listen-on       { 127.0.0.1; 192.168.1.1; };
      disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
      disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
      disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

      include "/etc/namedb/auto_forward.conf";
 };

 acl dashaus {
      192.168.1.0/24;
      127.0.0.1;
 };

 zone "." { type hint; file "/etc/namedb/named.root"; };
 zone "dashaus.lan" {
      type master;
      file "dashaus";
      allow-update {
           dashaus;
      };
 };

 zone "1.168.192.in-addr.arpa" {
      type master;
      file "dashaus.rev";
      allow-update {
           dashaus;
      };
 };

There's nothing particularly funky going on here. The acl directive specifies that only clients with an IP address in that subnet can update their DNS records. Here are the zone files:

 $ORIGIN .
 $TTL 86400      ; 1 day
 dashaus.lan             IN SOA  skeletor.dashaus.lan. root.skeletor.dashaus.lan. (
                            20011955   ; serial
                            3600       ; refresh (1 hour)
                            900        ; retry (15 minutes)
                            3600000    ; expire (5 weeks 6 days 16 hours)
                            3600       ; minimum (1 hour)
                            )
                    NS      skeletor.dashaus.lan.

 $ORIGIN dashaus.lan.
 $TTL 300        ; 5 minutes
 Apple-TV                A       192.168.1.11
                    TXT     "31da5805e31cba162785449fe301a035f2"
 beast                   A       192.168.1.5
                    TXT     "31140c046d012654084168c75af137a956"
 Claras-iPad             A       192.168.1.31
                    TXT     "31d7c4fd01cef4e2f76a201fdaa8a6e56c"
 dashaus-nas             A       192.168.1.4
                    TXT     "31d02895fbe37aebe514fc5f5bd685b703"
 demonic-iPad            A       192.168.1.14
                    TXT     "31e907692c02809efc782ef4fd60568712"
 Demonic-iPhone          A       192.168.1.7
                    TXT     "312d530aa18c5c3f8da67f54b9a35a938d"
 HPB1251A                A       192.168.1.9
                    TXT     "31a9b7ff798848034e2cf14e05aa6f7648"
 $TTL 86400      ; 1 day
 skeletor                A       192.168.1.1

Skeletor is the server's name, for obvious case-related reasons. Here's the reverse file:

 $ORIGIN .
 $TTL 86400      ; 1 day
 1.168.192.in-addr.arpa  IN SOA  skeletor.dashaus.lan. root.skeletor.dashaus.lan. (
                            20011704   ; serial
                            3600       ; refresh (1 hour)
                            900        ; retry (15 minutes)
                            3600000    ; expire (5 weeks 6 days 16 hours)
                            3600       ; minimum (1 hour)
                            )
                    NS      skeletor.dashaus.lan.

 $ORIGIN 1.168.192.in-addr.arpa.   ; PTR owners sit directly under the zone apex
 $TTL 300        ; 5 minutes
 11                      PTR     Apple-TV.dashaus.lan.
 14                      PTR     demonic-iPad.dashaus.lan.
 31                      PTR     Claras-iPad.dashaus.lan.
 4                       PTR     dashaus-nas.dashaus.lan.
 5                       PTR     beast.dashaus.lan.
 7                       PTR     Demonic-iPhone.dashaus.lan.
 9                       PTR     HPB1251A.dashaus.lan.

This is from a running instance, so you can see the AppleTV, a couple of iPads, an iPhone, the NAS, Beast (my Windows box), and the printer, each with its own IP address. I assume the wifi APs aren't showing up because they haven't refreshed recently, but they're working so I am not going to mess with them!
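A check worth running once dynamic DNS is in play is whether the forward and reverse zones still agree. The following is an added example, not part of the original post or of BIND: a minimal master-file parser that pairs A records with PTR records and reports names without a PTR, PTRs without an A record, and PTR owner names that do not reverse to an IPv4 address (what dhcpd produces when ddns-rev-domainname names the whole zone rather than just in-addr.arpa.). The zone text is a constructed, abbreviated copy of the page's records with one invented stale PTR; against the page's own files it reports the gap visible above, skeletor having an A record at 192.168.1.1 but no PTR.

```python
"""Forward/reverse consistency check for BIND master files.

Added example, not from the original post.  The zone text is a
constructed, abbreviated copy of the page's records (SOA and most TXT
records dropped, one stale PTR invented); on a real box the two files
would be read from the named working directory instead."""
from ipaddress import ip_address

FORWARD = """\
$ORIGIN dashaus.lan.
$TTL 300        ; 5 minutes
Apple-TV                A       192.168.1.11
                        TXT     "constructed-ddns-txt"   ; blank owner: same as above
beast                   A       192.168.1.5
dashaus-nas             A       192.168.1.4
$TTL 86400      ; 1 day
skeletor                A       192.168.1.1
"""

REVERSE = """\
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 300        ; 5 minutes
11                      PTR     Apple-TV.dashaus.lan.
4                       PTR     dashaus-nas.dashaus.lan.
5                       PTR     beast.dashaus.lan.
6                       PTR     ghost.dashaus.lan.       ; constructed stale entry
"""


def parse_zone(text):
    """Yield (owner, type, rdata) for A and PTR records.  Honours $ORIGIN,
    strips ';' comments, and applies the master-file rule that a line
    starting with whitespace reuses the previous owner name."""
    origin, last_owner = ".", None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):            # $TTL and friends
            continue
        if raw[0].isspace():
            owner = last_owner
        else:
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin.lstrip('.')}"
            last_owner = owner
        for rrtype in ("A", "PTR"):              # TTL/class tokens never equal these
            if rrtype in tokens:
                yield owner, rrtype, tokens[tokens.index(rrtype) + 1]
                break


def ptr_to_ip(owner):
    """'11.1.168.192.in-addr.arpa.' -> '192.168.1.11'; None when the owner
    does not reverse to an address (for example a doubled $ORIGIN)."""
    labels = owner.lower().removesuffix(".in-addr.arpa.").split(".")
    try:
        return str(ip_address(".".join(reversed(labels))))
    except ValueError:
        return None


def check(forward_text, reverse_text):
    """Return a sorted list of human-readable inconsistencies."""
    a_by_name = {owner.lower(): rdata
                 for owner, rrtype, rdata in parse_zone(forward_text)
                 if rrtype == "A"}
    ptr_by_ip, problems = {}, []
    for owner, rrtype, rdata in parse_zone(reverse_text):
        if rrtype != "PTR":
            continue
        ip = ptr_to_ip(owner)
        if ip is None:
            problems.append(f"PTR owner {owner} is not a reversed IPv4 address")
        else:
            ptr_by_ip[ip] = rdata.lower()
    for name, ip in a_by_name.items():
        if ip not in ptr_by_ip:
            problems.append(f"no PTR for {name} ({ip})")
        elif ptr_by_ip[ip] != name:
            problems.append(f"PTR for {ip} is {ptr_by_ip[ip]}, expected {name}")
    for ip, name in ptr_by_ip.items():
        if name not in a_by_name:
            problems.append(f"PTR {ip} -> {name} has no A record")
    return sorted(problems)


if __name__ == "__main__":
    for problem in check(FORWARD, REVERSE):
        print(problem)
```

Names are compared case-insensitively because DNS is, which is why the mixed-case device names in the dump do not trip the check. A stale PTR is the common leftover when a client's lease expires without a DDNS delete, so the second pass over the reverse map is the one that tends to fire on a long-running box.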

Last step: as this stands, clients can recognize each other, but Skeletor itself can't resolve other local clients. This is inconvenient if you want to export an X session to yourself and can't remember your IP address. The problem is that the ISP-facing interface is configured via DHCP, so resolv.conf gets overwritten every time dhclient refreshes - every 1800 seconds, or every half-hour.

The way to fix that is by writing dhclient.conf:

 interface "rl0"
 {
      prepend domain-name-servers 127.0.0.1;
      supersede domain-name "dashaus.lan";
 }

This adds the local DNS server before the ones supplied by my ISP, and forces unqualified hostname searches to use the house domain instead of going to the internet.

Now if I could just get an X server running... Everything looks good, but actually starting X puts my monitor to sleep. This looks like a sync out of range issue, but I cannot figure out how to fix it. The really frustrating thing is that I cannot get back to a text console to try again, I actually have to reboot. Fortunately I can get in via SSH to pull logs and do a safe reboot, but it's still far from ideal. The X client is fine - if I fire up an X server somewhere else, I can export apps just fine, which is how I was able to fail at configuring Totem.

Any X-on-FreeBSD gurus, hit me up!

Adventures in Airplay

I have been trying off and on again to get one of my computers to act as an AirPlay client, that is, so that I could stream content from iPhones and iPads to their screens. The reason is that upstairs I have an AppleTV, but the downstairs TV isn’t able to talk to anything. It’s an older TV – doesn’t even speak HDMI – which is why it was demoted to a backup. However, since it’s just on the other side of a wall from my desk, it’s tethered (via DVI or VGA) to the Windows box.

I used to run Boxee, and all was well. Boxee has a nice iOS remote, which gives my first-gen iPod Touch something to do with itself, and also has an extremely nice feature in a bookmarklet which lets users save videos straight from YouTube or whatever to their Boxee queue. The problem is that Boxee have, in their wisdom, decided to discontinue development of the downloadable version of Boxee in favour of their BoxeeBox hardware. This is a nice enough device, but it’s not worth three AppleTVs in my estimation, especially for a couple of hours’ use a month, which is what I would give it.

Watching local content is as easy as sending iTunes over to the secondary monitor and driving it with the Remote app when I want to watch something, but this doesn’t help with YouTube. There is Leanback mode, but that requires more solutions, like the Remote Mouse app, to drive it.

I tried playing with Clik, which is commendably simple: visit the website, it flashes up a QR code; scan the QR code with the iPhone app, and you can browse videos on the iPhone and play them in the browser window. It doesn’t deal with subscriptions, though, and a big goal of the exercise is to be able to watch videos from the /Drive channel, so it’s not ideal.

Next I tried getting one of the computers to act as an AirPlay host. First I tried Windows, simply because the cable already reaches that box, so it requires the least amount of effort. AirMediaPlayer is nice and free, but only lets me view photos, not video – it doesn’t even show up as a host in video or audio mode. That seems to be the only free solution, so that’s Windows out.

Next we try the Mac. This is less than ideal because my Mac is a MacBook Air, so it would require connecting two cables (no HDMI, remember?) each time. However, I assumed that in the Apple world someone must have hacked AirPlay. Sure enough, Erica Sadun had – but it doesn’t work for me.

Finally I got desperate and tried FreeBSD. The Totem player has a plugin for AirPlay, so full of hope I spent quite a lot of time downloading Totem and sorting out its dependencies, then getting Git and its dependencies, and finally found that… it doesn’t work: Totem-WARNING **: Error, impossible to activate plugin ‘AirPlay Support 1.0.2′. Joy.

So it looks like that’s it. Unless something changes, I’m going to wait for the Raspberry Pi and try that. Any suggestions, drop me a line.