
Classical Mechanics Rule

In the entry I Bit My Tongue Off, I spoke about getting thoughts on my brain and needing to let them out. Well, this hypothesis is one of those things. It has had me bouncing ideas off people all day. It has had me reading up on physics, which I have not studied since Nuke school in 1992. It has wormed its way so far around my brain that I just climbed out of bed to write about it.

I do not know if my hypothesis holds water or not. I do not know if it is even an original idea or not, but it is stuck in my head and so I have to try and find out. Let me start by stating the hypothesis again.

Hypothesis: The faster an object is moving relative to a source of energy/force, the less influence said force exerts upon the object.

At this moment, to me, it really is not a hypothesis. More of a postulate (meaning it is a given, a natural fact). But it disrupts so much of the world of physics that I cannot assume it to be a fact. Even I am not so arrogant. Ok, maybe I am. So allow me to explain what this hypothesis implies.

Quantum mechanics is a sub-field of mechanics in the realm of the physical laws (physics), the other being Classical mechanics. Quantum mechanics deals with really really tiny things (atomic level and below), while Classical mechanics deals with normal sized things. Basically, everything you can see falls under classical mechanics, everything too tiny to see falls under quantum mechanics, and they both have entirely different rules.

The reason for these two sub-fields is that when physicists (like Einstein) try to explain the behavior of atomic sized particles they run into road blocks with the classical mechanics (the laws and theories people like Newton came up with). The rules seemed to not apply, such as how an electron can just fly around the nucleus of an atom without a degrading orbit (i.e. why doesn't the electron get sucked in by the electromagnetic force of the nucleus). Like good scientists, they made up new rules: Quantum Mechanics. And rather than dealing with absolutes (or things that make sense), quantum mechanics deals mostly with probabilities (or guess work).

Yes, I know; that is a little over simplified and not completely accurate. Bite me.

The implication of this hypothesis is that the classic rules (Classical Mechanics) apply to really tiny things once again. It means that time is linear (no more spacetime). It means that faster than light travel is possible. It means there is only one universe. And it means if you can get going fast enough, you can travel straight through a planet without messing up a hair on your head. Pretty cool, right?

The thing that has really kept this thought going in my head is that all of the evidence I can find to support quantum theories also support (prove) this hypothesis. Even better, the stuff I can find that throws a wrench in quantum mechanics support this hypothesis. I have to go with Occam's Razor on this one.

Let's just cover one of the founding principles of quantum mechanics: stable electron orbits. According to classical mechanics the electron should get sucked in by the nucleus of an atom because of electromagnetism. They don't, so obviously classical mechanics don't apply. Unless you throw in the above hypothesis and then things start to make sense with classic physics.

1. Fact: Electrons travel extremely fast. They travel even faster in an atomic orbit than free flowing. Let's call the speed of an electron M.
2. Fact: Electrons are negatively charged. Protons in the nucleus of an atom are positively charged. This generates an electromagnetic field producing a certain amount of force. Let's term this force X.
3. The amount of force applied to an object varies with things like distance to the source of the force, etc. Let's call the actual applied force on an object A.
4. As M approaches zero (0), A approaches 100% of X
5. As M approaches infinity, A approaches 0% of X

The faster the electron travels, the less the electromagnetic force can influence the electron. Electrons do not travel at 0; they travel very fast relative to the nucleus of an atom. Considering the base strength of X is not super strong and with the electron traveling at electron speeds, A has barely enough influence on the electron to keep it in any kind of orbit at all. Just enough force under normal conditions.

Electrons also do not travel in consistent orbits, but the nice thing about an orbit is that the speed relative to any given point on the edge of a nucleus varies. As an electron gets closer to the nucleus, its speed relative to the closest point of the nucleus increases; farther away and it decreases. This provides for a natural adjustment to the change caused in A due to varying the distance between electron and nucleus.

In layman's terms: if you are standing still, I can reach out and grab you with my hand and pull you towards me. If you are walking past me at 3 mph, it is more difficult to do. If you are running at 50 mph, I will probably just break my hand trying. Not an exact comparison, but enough of an analogy that the point should come across.

Anyway, that is the basis of the hypothesis. It explains a lot more than what I have here, but this will work for the time being.

Please tell me where this hypothesis is wrong or what I am missing. Thank You.

Spacetime and Quantum Mechanics

Hypothesis: The faster an object is moving relative to a source of energy/force, the less influence said force exerts upon the object.

Can some physicist explain to me what is wrong with the above hypothesis (postulate) and why it doesn't get rid of quantum mechanics and spacetime entirely? Thank You.

Herbert 1701 Species C Generations 3 & 4

Thus far, Herbert has come along a fair ways during the Evolution Project. From a simple solar engine circuit, to a species with sensors and the capability of movement. In the world of robotics this really seems like a simple thing. In the world of evolutionary robotics this is a huge change. An artificial robotic life form that "just is," to one that is capable of self-sustaining behaviors. That really is huge.

The self-sustaining behaviors are still limited in Species C Gen 2. While Herbert moves towards brighter light sources, it will run into problems in the event of shadows or darkness. Once again we wind up with little comatose Herberts.

The reason for this behavior is the nature of the photodiodes in Herbert's circuitry. When there is minimal or no light hitting each photodiode the current flow to the NPN transistor base (ZTX1047A) is negligible, resulting in the transistor not turning on. Effectively Herbert goes to sleep when there is too much of a shadow over its sensors, regardless of how much energy it has in reserve (the capacitor). Not exactly a high survival genetic trait.

Evolution Project - Herbert 1701 Species C Generation 3 Schematic
Herbert 1701 Species C Generation 3 is the solution to this problem. The addition of resistors in parallel with the photodiodes ensures that current will always flow to the transistor bases. This means that while Herbert has energy, the motors will turn and Herbert will continue on in its never ending quest for brighter light. How much the motors will turn depends on the size of the resistors used: too large of values and there is not enough current, too small of values and the photodiodes are effectively removed from the circuit. It is a balancing act that is determined by the characteristics of the photodiodes. While I am certain there is an electrical formula to determine the proper value, I used the trial and error method to come up with a value of approximately 50k ohms.

The next area of improvement for Herbert is in the form of additional senses. Species C Gen 3 possesses the ability to move toward brighter light sources, but will happily charge headlong into a wall and make a futile attempt to move the wall while expending all its energy.

Evolution Project - Herbert 1701 Species C Generation 4 Schematic
Combating this overly ambitious and self destructive behavior, Herbert 1701 Species C Generation 4 develops a rudimentary sense of touch. As can be seen in the schematic, this rudimentary sense of touch occurs through the addition of two momentary (normally open) switches. In the robotics world these are generally termed tactile sensors. When one of these tactile sensors is triggered it causes near full current flow to the base of the corresponding NPN transistor, bypassing the photodiodes and, hopefully, causing Herbert to turn away from the object it touched.

A little side note here. When it comes to parts for solar robots, I almost always purchase from Solarbotics. Their prices are fair, their customer service is exceptional, and their quality is generally excellent. They are the premier source for solar robotic supplies. As much as I love the company, I hate their omnidirectional tactile sensors. Perhaps it is just me, but I can never assemble these things to work well. And at $4.50 a pair, they are too expensive for me to be screwing up as often as I manage. Instead of trying "to get it right" any longer, I have created my own style of tactile sensor, which is basically the exact reverse of the Solarbotics tactile sensors. I will be posting a tutorial on the creation of these tactile sensors shortly, which I feel are less expensive overall and easier to assemble correctly, each and every time.

Returning to Herbert, you may have noticed a lack of bread boarding for these two generations. That is because I have begun creating a fully functional artificial robotic life form with this species. This means using etched PCBs and actually soldering in parts. But rather than limit the PCB to a single generation, I have opted to include space for the components of generations four, five and six. So please ignore the through holes and solder pads that contain nothing in the following pictures (ignore the solder job as well, it was the only class I missed in Nuke school).

Evolution Project - Herbert 1701 Species C Generation 4 Circuit

Should anyone so desire it, the ExpressPCB board layout can be accessed here: Herbert 1701 Species C Generation 4 PCB

If you decide to etch your own board, three circuit boards will fit on the standard RadioShack 2-sided copper PCB board and I have included the ExpressPCB board layout for printing both sides onto transfer film here: Herbert 1701 Species C Generation 4 Double Sided PCB Print Out

Lastly, the electrical component part list can be downloaded here: Herbert 1701 Species C Generation 4 Parts List. All of the connector components are not required if you wished to solder each to the PCB directly (labeled "OPTIONAL" on the sheet). I'm on a budget, so I reuse what I can by using connectors.

A Few Site Changes

I love Serendipity. The word and the blog. Going through and making changes to this blog has been so simple thanks to all the work the developers have put into the core product and the plugins. There are a few things I have had to tweak in the PHP code, but that is only because I like to make it "all my own."

For those of you who could not tell already, I did in fact decide to go with the sticky entry to provide a quick blurb for new visitors. I have also opted to whore myself out and throw up the Google AdSense plugin. If all of my readers decide to click an advertisement I could probably afford to pay for 20 seconds of my monthly web hosting bill. Sweet. That aside, I am quite happy that it has been showing advertisements related to networks and security, as opposed to porn. Of course I think I disallowed porn advertisements when I set up my AdSense account, so that might explain it.

Speaking of whoring myself, you might also notice I changed the picture of me in the right hand corner. That is the most recent photo of myself from all of two days ago (there is one from yesterday someplace, but I don't have it yet). A new photo just in time for me to have cut my hair off and make the new photo no longer accurate. Good stuffs.

Computer Security 101 - Part 4 - LAN

Continuing the outside-in approach to security, once you make it past all the routers, firewalls and Demilitarized Zones (DMZ) you eventually come upon the local area network, or LAN for short. Stop! Hold it! Router? DMZ? Why didn't this stuff get covered? How can we possibly move on when I just mentioned two things that were not covered on the way in from the Internet?

The short answer is that they were covered, just not spoken about directly. As I mentioned during Part 3, a firewall is a specialized router. If you are using a router as part of your security approach, you are using it as a firewall. As to the whole DMZ thing, well that is just the area of a network that lies between the Internet and your local network. This is usually the "optional" network port off of a firewall or, ideally, the space between an external firewall and an internal firewall. There. Happy now?

For the majority of computer networks out there, your entire network is your LAN. A good chunk of companies have wide area networks (WAN) of one flavor or another, but with technology the way it is these days, the wide part has gotten really thin. Without a geographic map for a guide, it has become increasingly more difficult to tell the difference between a local resource and a remote resource. In effect, a WAN should be treated as just another segment of your LAN.

You might have noticed that the word segment was a link up there. That's because segment is an important word when it comes to LAN security and I wanted to make sure everyone knew what it meant. The first definition listed will do. A segment is just a section or part of the whole. Nothing overly technical about that. It is important because segments are what help secure a LAN.

In order to understand this, we need to delve into a little technical mumbo-jumbo. All networks have some sort of addressing scheme, Internet Protocol (IP) addressing is the most common (FYI, there is NO SUCH THING as TCP/IP addressing, there is only IP addressing), so we will use IP addressing for this example. Every device on a network has some sort of address attached to it, again, usually an IP address. In order to talk to a device from your computer you need to have that device's IP address. With me so far?

There are three main ways to get a device's IP address. The most common method is through domain name service resolution (DNS). DNS is the IP address resolution method of the Internet and most networks. It basically works like calling telephone directory information to get a phone number. Your computer knows to dial 411 when it needs an address; the DNS server is the operator that answers 411 and tells your computer what the IP address is for a given device.

A second, older method of getting an IP address for a device is through WINS resolution. WINS has been made obsolete by DNS, but there are some networks out there that continue to use it for one reason or another. WINS works in the same way as the DNS-operator analogy above.

The last method of your computer finding an IP address (that it does not know already) is to send out a broadcast. Most network communications are unicast, meaning one device to one device. Basically like a normal phone call. Broadcast is a scream out to an entire network segment, meaning one device to every device. It is comparable to a mom in the grocery store whose 4 year old has wandered off to the cereal aisle. Everyone knows little Timmy is missing.

Broadcasts might be good to find little Timmy in a grocery store, but on a network they tend to be bad. When mom screams out "Timmy" in that oh-so-shrill voice of hers, EVERYONE stops what they are doing and looks up. Broadcasts on a network are the same way, every device has to take the moment to recognize the broadcast and either ignore it, or respond. The primary security problem is in that response, notice I did say primary though.

We'll use another example to see exactly what the problem with that response is. In this example Timmy is a little mentally slow (all the screams from his mom melted his brain), but he is carrying a knapsack with $1,000,000.00 in it (Timmy is very strong). Timmy is someplace in a clothing store; in order to get that cool million bucks you just need to find Timmy. Clothing stores are generally wide open areas, with little to block sound, so when you yell out, "Timmy," he is going to respond back with a nice loud, "Here!" As I said, he is a little mentally slow, so he'll respond to anyone saying his name. One million dollars in the bank later and you are a happy camper.

Now what if Timmy was someplace in a multi-floor, multi-company office building? Walk through the front door, yell out for the kid, and you are not getting anywhere. Oh, you might get really lucky and find him standing there in the lobby, one finger in his nose, the other scratching who-knows-what; but given the number of floors, companies and rooms, the odds are against you. Makes it a lot more difficult to find that million dollar prize. Also, the more you wander the building yelling out for Timmy, the more likely someone is going to take notice and have you escorted away by security.

Relating Timmy's story back to your network, if your LAN is one big happy segment (the clothing store) with all the devices on that same segment and a hacker gets onto your LAN, it makes his life really easy to find the million dollars by using broadcast shout outs. If you divide your network up into multiple segments (the office building), you just made the hacker's job a lot more difficult. Just like with the office building, the more the hacker has to wander your network to find something, the better a chance of getting caught or, at the very least, leaving a nice trail of breadcrumbs back to them.

The second security problem with broadcasts is that everyone looks up to see mom screaming before ignoring her again. It is only an instant of time, but imagine if the grocery store was full of 1000 screeching mothers looking for Timmy. Not much shopping is going to get done in that grocery store. That is the equivalent of a broadcast attack on a LAN. Not very common, but it has happened and will bring a network to a screeching (pun intended) halt. Segmentation helps with this as well.

The better you can isolate sections of your network from one another, the more secure your LAN becomes. This is done by using subnets, which is the IP address way of breaking up a network into segments. You can think of a subnet as a telephone area code, limiting which numbers are available before you have to change to another area code. In order to do this, and make it count, you will have to use switches instead of hubs (if you are not already). You will also need to ensure your switches are not set to forward broadcast packets (usually the default setting), but are set to relay DHCP requests to a DHCP server (as needed).

Subnets can be either physically broken up networks or, more practically, Virtual LANs (VLANs). In the physical world, you would decide that everything attached to Switch-A belongs to Subnet-A, Switch-B to Subnet-B, etc., and then place some type of routing device between each. That can mean a lot of pieces of physical hardware. Explaining VLANs fully is a bit beyond the scope here, but using VLANs (which most modern switches support) you divide up each switch into multiple subnets based on different criteria; usually by the port number on the switch (untagged) or by tagging. As a result of not needing tons of extra hardware, VLANs are a much more practical approach to segmentation.

Through proper network segmenting you can not only provide for a more secure LAN, but also speed up network traffic across your network. If you know accounting uses only one server and little else, you can move that server directly to the accounting subnet. You can also control what information is passed by a DHCP server to each subnet; allowing you to set everything from which DNS server a given subnet uses, to stopping Internet traffic for one particular subnet. Combine that with the above broadcast scenarios and segmentation becomes a very good thing for increasing your LAN security.
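To put the clothing store versus office building comparison into numbers, here is an added example (my own illustration, not part of the original series) using Python's standard `ipaddress` module. The address plans, department names and ranges are constructed for the example; it compares how many hosts a single broadcast reaches on one flat /16 versus the same range carved into per-department /24 subnets, and whether a device on the guest segment can even hear (or be heard by) the server segment once a router sits between them.

```python
import ipaddress

# Constructed address plans for illustration (not from the article). The flat
# plan puts every device in one /16; the segmented plan carves the same range
# into per-department /24 subnets, as a VLAN-per-department design would.
FLAT_LAN = {"everything": "10.0.0.0/16"}
SEGMENTED_LAN = {
    "accounting": "10.0.1.0/24",
    "engineering": "10.0.2.0/24",
    "servers": "10.0.10.0/24",
    "guest": "10.0.200.0/24",
}


def usable_hosts(cidr):
    """Host addresses a single broadcast on this segment can reach
    (the network and broadcast addresses themselves are excluded)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - 2, 0)


def segment_of(ip, plan):
    """Name of the subnet in `plan` that contains `ip`, or None if the
    address is not on any configured segment."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def same_broadcast_domain(ip_a, ip_b, plan):
    """True when a broadcast sent from ip_a is heard by ip_b, i.e. both
    addresses sit on the same segment. Routers do not forward broadcasts,
    so two different segments never share one broadcast domain."""
    seg_a = segment_of(ip_a, plan)
    return seg_a is not None and seg_a == segment_of(ip_b, plan)


def broadcast_exposure(plan):
    """How many hosts a broadcast from inside each segment reaches: the
    'clothing store' versus 'office building' comparison in numbers."""
    return {name: usable_hosts(cidr) for name, cidr in plan.items()}


if __name__ == "__main__":
    guest_device, server = "10.0.200.77", "10.0.10.5"  # constructed addresses
    for label, plan in (("flat", FLAT_LAN), ("segmented", SEGMENTED_LAN)):
        print(label, broadcast_exposure(plan),
              "guest segment shares a broadcast domain with the server:",
              same_broadcast_domain(guest_device, server, plan))
```

On the flat plan one broadcast reaches 65,534 hosts and the guest jack and the server are in the same domain; on the segmented plan a broadcast reaches at most 254 hosts and the guest device cannot reach the server segment by broadcast at all, so the lookup has to go through a router, where it can be filtered and logged.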

Tweaks and Changes. Oh My!

I've started the process of changing around the site in order to get it more "Andrew Friendly". Nothing overly drastic, but sometimes things get broken (such as last night's attempt at installing the Mobile Output plugin) and I figured I should provide some forewarning for future breakages. I have also run a complete backup of both the frontend files and the backend database, just to be on the safe side.

My hope is to get all my back-dated changes up on the blog over the next week, including some sort of "About Me" page. I have not decided yet, but I am leaning towards a sticky entry that explains I Am. When? for newcomers who happen to wander over this way. With a few billion people in the world, there have got to be a couple of people left out there who don't read my blog. I think it would be nice to present them with a short blurb in the form of a sticky post.

I also need to find a new picture for over there -->

Stay tuned and keep your fingers crossed for me.

Herbert 1701 Species C Generations 1 & 2

Sensors are a very important biological component and yet they are something that gets skimped upon when it comes to the field of robotics. Skimped upon not in terms of cost, but more in terms of volume. This does not pertain to the current evolutionary cycle of Herbert; it is just something I wanted to mention. I promise I will get back to that gripe at some future date, for now we have a new species of Herbert to uncover.

The addition of Herbert's first two little sensors has opened a whole new world to the poor little critter. Where once there was only darkness, now there is darkness and light (and a bunch of shades in between). What's more, it is a focused light; the very light spectrum that breathes life into Herbert. This newfound sense should logically be used for something, and in the very simple organisms that have been the Herbert 1701s, it can be.

Herbert 1701C-1 Schematic
Enter Herbert 1701 Species C Generation 1. Now that we have previously determined which came first (that being senses), Herbert has been able to evolve into that which came second: movement. Gone are the trademarked (and traditional) green LEDs of Herbert past; replaced with the simplest robotic form of movement: the motor. Biologically, the wheel is something that is far from simple, but when it comes to electromechanical life the wheel is where it is at.

Herbert 1701C-1 Breadboard
The bread board version of Herbert now seems to lose something once movement has been added, however it still serves as a suitable test bed for initial circuit layout. It also shows us the basic function of Herbert Species C Gen 1; the more light each sensor receives, the faster the corresponding motor turns. Pretty simple, yet a little on the inefficient side.

Herbert 1701C-2 Schematic
The phototropic world is a very energy unfriendly one. Sunlight provides a source of energy to life forms each day, but pound for pound it is not high on the scale of power level. This would be one of the reasons you do not see many trees walking around (there is that one oak, but besides him, not many trees at all). With the addition of the ability to move comes the additional need to not only make the most efficient use of the energy Herbert has, but also to conserve a little more of that energy. Herbert 1701 Species C Generation 2 accomplishes this task through the use of a few different components.

Herbert 1701C-2 Breadboard
The first change is in the value of R2, up from 740K to 820K resistance. This changes the activity voltage range for Herbert to an "on" value of 3.24V and an "off" value of 2.09V. Only a slight increase in voltage as a result, but for bringing a motor out of a stall condition during startup, it helps. In case you do not know, a stall condition is the state where the motor is not turning. Because of Newton's silly little laws of physics, an object at rest tends to stay at rest. This means it takes a little more oomph to get the wheel turning. It also means that once the wheel starts turning, it takes a little less energy to keep it going along. Wasn't that fun and interesting information?

Speaking of stall conditions, because you didn't just get more information than you needed, there is a second changed out component in Gen 2; the primary capacitor, C1. The value of C1 was increased from 1000µF to 4700µF, giving Herbert around 4.7 times more energy reserve to help avoid those pesky stall conditions. It also means it will take Herbert a little longer to fully charge up that capacitor before his brain turns on and says "We have energy, let's roll out!"
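As an added worked calculation (mine, not from the post), the energy behind each motor burst can be put in numbers with the standard capacitor formula E = ½·C·V². What the motor actually gets is not the whole charge but the energy released between the trigger firing at the "on" voltage and cutting off at the "off" voltage. The post gives only the Gen 2 thresholds (3.24V on, 2.09V off), so the example assumes those same thresholds for both capacitor values in order to isolate the effect of going from 1000µF to 4700µF; the resulting reserve ratio comes out to exactly the 4.7 quoted above.

```python
# Added example: usable energy in Herbert's main capacitor C1 per motor burst.
# E = 1/2 * C * V^2 is the standard capacitor energy formula. The thresholds
# (3.24 V on / 2.09 V off) and capacitor values (1000 uF / 4700 uF) are the
# ones the post gives; applying the Gen 2 thresholds to the Gen 1 capacitor
# is an assumption made so that only the capacitance changes.

def stored_energy_j(capacitance_f, volts):
    """Energy (joules) held by a capacitor charged to `volts`."""
    return 0.5 * capacitance_f * volts ** 2


def usable_energy_j(capacitance_f, v_on, v_off):
    """Energy released while the voltage falls from the trigger's 'on'
    threshold to its 'off' threshold; this is what one motor burst gets."""
    return stored_energy_j(capacitance_f, v_on) - stored_energy_j(capacitance_f, v_off)


def reserve_ratio(c_new, c_old, v_on, v_off):
    """How many times more energy per burst the larger capacitor supplies
    at the same thresholds (the voltage terms cancel, leaving c_new / c_old)."""
    return usable_energy_j(c_new, v_on, v_off) / usable_energy_j(c_old, v_on, v_off)


V_ON, V_OFF = 3.24, 2.09            # Gen 2 trigger thresholds from the post
C_GEN1, C_GEN2 = 1000e-6, 4700e-6   # C1 in farads, Gen 1 and Gen 2

if __name__ == "__main__":
    for label, c in (("Gen 1 (1000 uF)", C_GEN1), ("Gen 2 (4700 uF)", C_GEN2)):
        print(f"{label}: {usable_energy_j(c, V_ON, V_OFF) * 1e3:.2f} mJ per burst")
    print(f"reserve ratio: {reserve_ratio(C_GEN2, C_GEN1, V_ON, V_OFF):.1f}x")
```

Gen 1 gets about 3.1 mJ per burst and Gen 2 about 14.4 mJ, which is why the bigger capacitor makes it through a stalled start that the smaller one could not. The same functions also show the cost the post mentions: at a fixed solar cell output, charging 4.7 times the energy takes roughly 4.7 times as long.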

The last difference between Generations 1 & 2 is the transistors. As previously mentioned with Species B Gen 2 & 3, the transistors used in a circuit can make a difference in the circuit's efficiency. Herbert 1701 Species C Gen 2 takes this one step further. Gone are the 2N2907 and 2N2222 BJTs, replaced with ZTX968 and ZTX1047A BJTs, respectively. The replacement transistors provide for much greater efficiency under low voltage conditions than any of the previous transistors the Herbert species made use of. David Cook did a complete comparison in his Bipolar Transistor H-Bridge Motor Driver article. The results of his testing were actually a huge eye opener, but you can read all that for yourself.

With the completion of Species C Gen 2, Herbert is getting closer to something that more closely resembles the common views of biological life. Herbert is also getting closer to a critter that I will actually be building out, as opposed to merely bread boarding. Not quite there yet, but soon it will be. And then there will be nothing that can stop Herbert! Muahahahahaha! Ahem. Sorry.

Herbert 1701 Species B Generations 4, 5 & 6

When last we left our hero he was trapped behind the age old conundrum: "Which came first, the chicken or the egg?" Mere seconds from impending doom our hero deftly cracked open the egg into the flour and used the concoction to batter-dip the chicken, resulting in the beautifully prepared fried chicken that now rests upon the serving platter. We rejoin our hero as he sits down to enjoy a well earned feast.

Enough of that goofiness. The real question here is: Which came first, the movement or the senses?

Up to this point in the Evolution Project our artificial life forms have been very simple creatures capable of little more than gathering energy, knowing when enough has gathered and expending said energy. Actually nothing "little more" about it; that is all they have done. I think it is time for evolution to change all that.

Movement would be a phenomenal thing at this point. Movement would provide some action to observe and make the ALs more "lifelike". Obviously, movement needs to come first. And with movement, the little Herberts could go forth and wander the world as the free spirits they were intended to be. Until they wandered into a shadow that is; and eventually they all would. Then for all intents and purposes the little Herberts would slip into comas never to be heard from again.

Evolutionarily, movement on its own is a bad thing. Movement expends lots of energy. Movement brings life forms to danger not otherwise present. Movement also brings a life form to an energy source or allows it to flee from danger. The difference between good and bad is the addition of senses.

Senses tell a life form something about its environment. They provide information. While senses, or sensors as the case may be, on their own can gather information, without a means to act on that information the sensors are useless. But they are not harmful. They may expend a bit of extra energy or none at all or even generate energy on their own. Either way it is inconsequential compared to the energy used from movement, especially movement without purpose; and far less dangerous. "Which came first" are the senses. Any other way and the species would have died off.

The next logical step, or maybe illogical step, for Herbert would be the development of some type of sensor to better understand the world around it. Being that Herbert is a phototroph of sorts it would stand to reason that part of its physiology would become more sensitive to light patterns as the species evolved, eventually becoming something akin to a light sensor.

Herbert 1701 Species B Generation 4 introduces this concept in its design with the addition of photoresistors (or photoconductors or CdS cells). CdS cells change their resistance based upon the amount of light that falls on the cell. As the resistance changes (decreases for more light, increases for less light), the amount of current that reaches the base of each 2N2222 transistor changes, which in turn changes the amount of energy that passes through each transistor and the adjoined LED.

One of the problems with CdS cells is they are notorious for inconsistencies from one cell to the next. To combat this problem, our Herbert generates an adaptation seen already in the Herbert 1701 A Species with the addition of a balancing mechanism (obviously that gene was passed on). This allows a more equal distribution of energy flow across both LEDs than through the CdS cells themselves.

There is one further problem that the addition of the CdS cells creates. Herbert is a phototroph, meaning it generates its energy from light (the actual definition includes conversion of CO2 and water, but for this phototroph will do). The solar cell that Herbert uses, like the majority of solar cells out there, is more sensitive to the near infrared spectrum of light. The further away from the 850nm mark, the less energy the solar cell generates.

Why is this important? The CdS cells that Herbert 1701B Gens 4 & 5 have are most sensitive to the visible light spectrums, somewhere around 520nm. So while they can detect light, it is not the most efficient detection of light; and in some cases completely useless detection. Herbert 1701 Species B Generation 6 solves this problem by adapting the light sensors once again to something more specific to its needs: photodiodes.

Replacing the CdS cells with photodiodes provides a few advantages to Herbert 1701B Gen 6 over previous generations. The first is the more focused light detection found in the photodiode, in this case around the 850nm spectrum. Second, photodiodes generally react faster to changes in light levels than do CdS cells. This means Herbert 1701B Gen 6 is quicker on its feet, umm, board than Gens 4 & 5. The third is that photodiodes, which are placed in a circuit reversed in polarity from a normal diode, not only provide the needed sensitivity to light, but they also generate a small amount of energy. In a creature that needs to be as power conscious as possible, this is a big plus.

As the amount of light passed over each sensor varies, so too does the amount of current that can flow through the paired trademark green LED that Herbert uses to expend energy. In the plant world, this would be the equivalent of a leaf turning bright green in the sun and brown in the dark. Except in Herbert's case, the leaf does not fall off and die, merely waits to reenter the sunlight.

Oh. Almost forgot. It was the egg. Seriously.


I know I am a little behind in the times, but a few weeks ago I discovered the Fox television show House. To be honest, it was actually the reruns on USA. I've known about the show since the first commercials started appearing on the Fox network during an episode of Family Guy or the Simpsons or some such thing; I just had no desire to watch another medical drama.

There have been a million medical shows on television and if you watch the network lineups it actually seems like the medical industry is in competition with the law enforcement sector to see who can get the most number of television shows produced each year. The majority only last a short while. Some of these shows I have watched (both on the medical and law enforcement sides of the line), most I skip over completely. For me, some work great (CSI as an example), while others fail miserably (CSI Miami as an example).

House is one of those shows that work great for a number of reasons, and despite being late to the show I am going to cover them. For anyone who has seen the show, the number one reason it works so well is the main character, Dr. Gregory House, played exceptionally well by actor Hugh Laurie. How can anyone not love House? He has all the qualities everyone looks for in a friend. He's antisocial. He's outspoken. He's arrogant. He's brilliant. He's self-righteous. He's almost always right (can you really be self-righteous if you are actually right all the time?). Now that I think of it, those qualities do remind me of someone. Hmmmm. Not sure who. It's right there on the tip of my tongue. Oh well, if I think of it I'll let you know.

The second reason House works so well is that the show is about the people and their interactions. While their interactions mostly center on a medical topic, it is not about the medicine. It's also not about the drama (like E.R. was after the second season). It's the people. M*A*S*H was like that, and everyone loved MASH.

Another way House is like MASH is that despite having a continuing storyline, or rather continuity in the storyline, you do not have to watch every episode in order to enjoy the show. You can catch a brand spanking new episode and it is enjoyable. Flip the channel and watch an episode from two years ago, still enjoyable. I currently have no idea when or why the first team left (or was fired or whatever), but I get to continue to enjoy every episode without knowing. It's a nice thing.

My last reason that I enjoy House, and this is an Andrew twist and the real reason for this blog entry, is that you could replace the entire medical setting with an Information Technology setting and it would be exactly the same show. Get rid of the lab coats, switch the medical jargon for technology jargon, and swap out people patients for computer patients. The rest stays the same, which gives me something I can relate to.

House's team consists of several specialists, and as he actually explains during one episode, "you pick your specialist, you pick your disease." The same thing happens with IT specialists when dealing with any computer issue. In the end, it takes a diagnostician (someone whose specialty is that they are not specialized) to figure out the real problem and solution.

Of course, as an IT show it would never work. No one would watch it. The moment someone said "corrupt hard drive" during an episode, the viewer's eyes would glaze over and they would change the channel. A doctor on television says "Cyclophyllidea" and people sit up to pay attention all the more. Everyone knows what a hard drive is, but how many of you know what Cyclophyllidea is? By the way, it was actually on an episode of House.

I was told by a friend that the real reason it wouldn't work as an IT show is because doctors are glamorous while IT people are not. What is not glamorous about the top richest people in the world for the last 20 years? None of them were doctors, most were IT people. Name two famous doctors. Most people can't, but they can all name Steve Jobs and Bill Gates. We have them. Right? Fine. Maybe Bill Gates is not sexy or glamorous. Ok, he's definitely not. Maybe doctors are. At least on television they are. And maybe an IT drama on television wouldn't work.

What did we learn from all this? Well, I like the show House. I will continue to chuckle to myself over replacing medical jargon with tech jargon as I watch the show. And I should change my title to "Information Systems Diagnostician", as it would solve my whole problem of not being specialized.

Computer Security 101 - Part 3 - Firewalls

When it comes to computer and network security, I believe in an outside-in approach. Start as far away from your computer as possible and work your way back, putting up as many roadblocks in the way as you can. This approach has served me well in the past, and will likely continue to do so in the future. And so we will continue delving into computer security at the network perimeter with the firewall.

Before we begin I should point out that passwords were covered first and foremost due to their very nature. That is to say, everything has passwords of one sort or another. Firewalls included. So it would have been negligent of me to not cover passwords first. Now we can move on. Thank you for your patience.

There are a lot of people out there who do not know what a firewall really is, let alone understand what it does. This group of people includes many IT professionals, even very seasoned professionals. I often get a look of disbelief during technical interviews when I am asked about experience with a particular firewall or another, because I always respond with something along the lines of "a firewall is a firewall."

Usually my resume is directly in front of them and lists my Check Point Certified Security Administrator NG, Cisco Certified Network Associate, and Certified Information Security Manager certificates; as well as a plethora of various hardware that I have worked on (such as PIX or Watchguard firewalls). So when the person across the desk asks me if I have experience with a Sonic firewall, well, "a firewall is a firewall" is about as polite an answer as I can give. Sometimes I just blow the interview right there and go into sassy mode. But I digress.

A firewall is a firewall is a firewall. Period. Some are better than others, but they all do the same basic thing and are configured the same way. The interface might be different, but just because one car has a digital speedometer does not make it any more difficult to drive than one with a standard needle (analog) speedometer. Let's dive into what that same basic thing is.

In the beginning we had routers. Routers route network traffic. Then someone said, hey, let's make a specialized router that does the same thing, only less of it, call it a firewall and charge additional money for it. Thus the firewall was born.

If you were to think of your network as a company, with the computers as departments and the software running on the computers as people; firewalls would be the mailroom. Any type of parcel has three things that are readily available to be seen: 1) The address the parcel was sent to, 2) The address the parcel came from, and 3) How the parcel was delivered (FedEx, UPS, USPS, etc). A good mailroom looks at these three things and determines what to do with the parcel. Simple and easy.

A mailroom example of what is taking place with that parcel: A letter arrives addressed to the CEO of the company, there is no return address, and the letter arrived with a bulk mail (USPS) stamp on it. What do you think the mailroom is going to do with that letter? Were I a CEO, I would fire a few people for delivering junk mail to me; thus the mailroom might trash the letter outright or they might decide to deliver it someplace else, say the CEO's secretary (sorry, administrative assistant). It really would depend on the instructions given to the mailroom, right?

Next a big brown box arrives that is addressed only to the company itself. The box arrived via UPS ground. A good mailroom is going to look at the packing slip to find a little more information. They immediately notice the parcel arrived from Dell Computer Corp, and move the box on down to the IT department without a second thought.

Mailroom gets a letter for Jane Smith, well there is no Jane Smith here: RETURN TO SENDER. And the mailroom never accepts C.O.D. parcels.

This is exactly what a firewall does. It behaves like a good mailroom staff with instructions on what to do with each parcel that arrives; only its parcels are data. There are three things that are readily available to a firewall: 1) The address the data is sent to, 2) The address the data came from, and 3) What port the data is being delivered on. Simple and easy.

Configuring a firewall is about the same as giving instructions to the mailroom. "Only allow marketing to send out bulk mailers." "Anything that comes in from Dell goes to IT." "Only John can send out packages using the freight company." Etc, etc. The only differences are in what the address looks like (hint, it's an IP address instead of a postal address) and instead of saying "UPS Next Day Delivery," we use port numbers.

The bulk of setting up a firewall comes before you even touch it. Before you can set it up, you need to know what the instructions are going to be. The best starting instruction is always: return everything that comes in to the sender, and don't let anyone use the stamp machine to send anything out. In firewall terms, this is "deny any any". It should always be your starting point; everything else gets built on top of that and creates a pecking order for what happens with the data parcels. This works for a firewall just like a mailroom: John can use the stamp machine. You are not John; therefore you get denied the use of the stamp machine.

Coming up with the instructions to give the firewall is relatively easy, but it usually takes a few minutes. It involves a little research to see which software applications are used to do what on your network. This includes sending and receiving email, browsing the web, running a SageTV placeshifter server or playing online games. If something needs to talk to the Internet, it needs a rule in the firewall. You just need to figure out (look up) what those rules need to be.

A few simple guidelines for setting up rules:

1) Permitting all outgoing traffic is a very bad thing. So don't do it. Spend the 15 minutes to find out what traffic needs to go out and to where.

2) If you have a dedicated email server, it should be the only thing on your network that can send or receive email. That is to say that POP3 (port 110) and SMTP (port 25) should only be permitted to and from that server.

3) If you do not have a dedicated email server (meaning you get your email from your ISP) you should block incoming SMTP & POP3, and allow outgoing SMTP & POP3 **ONLY** to your email provider (these are the server addresses you typed into Outlook when you set up your email account).

4) If you have a dedicated DNS server, it should be the only thing on your network that can send out DNS lookup packets (port 53).

5) If you do not have a dedicated DNS server you should only allow outgoing DNS traffic to go to your ISP's DNS server (your ISP gave you this address someplace).

6) Unless you handle your own DNS services for an Internet server, you should block incoming DNS requests.

7) Explicitly stating where any outgoing traffic is going to is a very good thing. If your game requires port 9110 to be open, then only allow port 9110 to be open with an outbound address of the game server.

You can't surf porn without allowing web traffic, so odds are you will want to allow outgoing HTTP (port 80) and HTTPS (port 443). Not much you can do there, but it does provide a big loophole. Other programs use these ports to bypass firewalls, and that is a bad thing. The fix is an Application Layer Firewall. If you are setting up your firewall for home use, don't worry about it. If you are doing it for a company and you have not yet purchased your firewall, or have the budget to "upgrade" your firewall, get an Application Layer Firewall.
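To make the "deny any any" pecking order and the rule guidelines above concrete, here is a toy first-match packet filter. This is an added example written for this entry, not code from any real firewall product. The network, mail server, ISP resolver and game server addresses are constructed placeholders from the documentation ranges, and the rule set assumes the "dedicated email server, no dedicated DNS server" situation from guidelines 2, 5, 6 and 7.

```python
# Added example (not from the original post): a toy first-match packet filter
# that applies the "deny any any" starting point and the rule guidelines above.
# All addresses below are constructed placeholders from the documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN = "192.168.1.0/24"              # assumed internal network
MAIL_SERVER = "192.168.1.10/32"     # assumed dedicated email server (guideline 2)
ISP_DNS = "203.0.113.53/32"         # assumed ISP resolver (guideline 5)
GAME_SERVER = "198.51.100.7/32"     # assumed game server for port 9110 (guideline 7)


@dataclass(frozen=True)
class Packet:
    """The three things the mailroom can see, plus which way it is travelling."""
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    src: str         # address the data came from
    dst: str         # address the data is sent to
    dport: int       # port the data is delivered on


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in", "out" or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    dport: Optional[int]    # None matches every port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


# Rules are a pecking order: the first match wins, so specific entries go first
# and the explicit "deny any any" sits at the bottom as the catch-all.
RULES: List[Rule] = [
    Rule("allow", "in",  "any",       MAIL_SERVER, 25,   "incoming mail only to the mail server"),
    Rule("allow", "out", MAIL_SERVER, "any",       25,   "only the mail server sends mail"),
    Rule("deny",  "in",  "any",       "any",       53,   "no incoming DNS requests (guideline 6)"),
    Rule("allow", "out", LAN,         ISP_DNS,     53,   "DNS lookups only to the ISP resolver"),
    Rule("allow", "out", LAN,         "any",       80,   "web browsing"),
    Rule("allow", "out", LAN,         "any",       443,  "web browsing (TLS)"),
    Rule("allow", "out", LAN,         GAME_SERVER, 9110, "game traffic only to the game server"),
    Rule("deny",  "any", "any",       "any",       None, "deny any any"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, note) for the first matching rule; nothing matched means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "implicit deny: return to sender"


if __name__ == "__main__":
    # Constructed sample parcels to push through the mailroom.
    samples = [
        Packet("out", "192.168.1.20", "203.0.113.53", 53),    # workstation asks the ISP DNS
        Packet("out", "192.168.1.20", "198.51.100.99", 53),   # workstation asks some other DNS
        Packet("in",  "203.0.113.99", "192.168.1.10", 25),    # mail arriving at the mail server
        Packet("in",  "203.0.113.99", "192.168.1.20", 25),    # mail aimed at a workstation
        Packet("out", "192.168.1.20", "198.51.100.80", 25),   # workstation sending mail directly
        Packet("out", "192.168.1.20", "198.51.100.7", 9110),  # game traffic to the right server
    ]
    for pkt in samples:
        action, note = evaluate(RULES, pkt)
        print(f"{pkt.direction:3} {pkt.src:>14} -> {pkt.dst:<14}:{pkt.dport:<5} {action:5} ({note})")
```

Two things worth noticing when you run it: the workstation that tries to talk SMTP directly, or to a DNS server other than the ISP's, never reaches an allow rule and falls through to the catch-all, and even if you delete the explicit "deny any any" line the result is the same, because a packet that matches nothing is still returned to sender.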

Continuing the mailroom analogy... A fruit basket arrives addressed to Gertrude in Accounting delivered by the flower delivery guy. Every company accepts deliveries from the flower delivery guy. The flower delivery guy is HTTP on Port 80. So the mailroom rushes that fruit basket over to Gertrude, only instead of pineapples, the fruit basket contained pineapple grenades. Boom. Poor Gertrude. And poor everyone in Accounting.

An Application Layer Firewall is like a mailroom that X-rays every piece of mail that comes through. More than that, the staff are allowed, and required, to open every parcel that comes or goes and take a quick peek to make sure the package is what it says it is. That is exactly what an Application Layer Firewall does, because the Internet is chock full of people trying to send pineapple grenades to Gertrude; and Gertrude (bless her little heart) is trying to send socks to her nephew in Utah using the company's UPS account.
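Here is the difference between the plain mailroom and the X-ray mailroom in code, as an added example for this entry (not any vendor's implementation). The port-only check is all an ordinary packet filter can do; the application-layer check opens the parcel on port 80 and verifies it is really a well-formed HTTP request with a permitted method. The sample payloads are constructed, and the allowed-method list and Host-header requirement are my own assumptions about what a sensible policy looks like.

```python
# Added example (not from the original post): packet filter versus a toy
# application-layer check on port 80. Sample payloads are constructed.
import re
from typing import Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")

# Constructed parcels arriving on port 80.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n"          # not HTTP at all, just on port 80
CONNECT_REQUEST = b"CONNECT example.net:443 HTTP/1.1\r\nHost: example.net\r\n\r\n"


def packet_filter_allows(dport: int, payload: bytes) -> bool:
    """The plain mailroom: only the delivery method (port) is visible, payload ignored."""
    return dport in (80, 443)


def inspect_http(payload: bytes) -> Tuple[bool, str]:
    """The X-ray: does the parcel on port 80 actually look like an HTTP request?"""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end-of-headers marker"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "request line is not HTTP"
    method = m.group("method").decode()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False, "malformed header"
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return False, "missing Host header"
    return True, "well-formed HTTP request"


def application_firewall_allows(dport: int, payload: bytes) -> Tuple[bool, str]:
    """Port check first, then open the parcel when it claims to be web traffic."""
    if not packet_filter_allows(dport, payload):
        return False, "port not permitted"
    if dport == 80:
        return inspect_http(payload)
    # Port 443 carries TLS; without decrypting it the firewall can only judge by port.
    return True, "TLS on 443 allowed by port only"


if __name__ == "__main__":
    for label, payload in [("browser", GOOD_REQUEST), ("ssh banner", SSH_BANNER),
                           ("CONNECT", CONNECT_REQUEST)]:
        plain = packet_filter_allows(80, payload)
        ok, why = application_firewall_allows(80, payload)
        print(f"{label:11} packet filter: {plain!s:5}  app layer: {ok!s:5} ({why})")
```

The packet filter waves all three parcels through because they all arrived "from the flower delivery guy." The application-layer check keeps the browser request, but the SSH banner and the CONNECT request never get to Gertrude.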

A last note on firewalls, primarily for corporate IT people: Two firewalls are better than one. The best setup for a firewall is to have an external firewall that handles incoming traffic, such as allowing traffic to your web server, and a second internal firewall that handles outgoing traffic. The external firewall can be in drop-in mode (meaning it knows all the external IP addresses that your company uses, but is not performing NAT translations, just filtering). The internal firewall connects to the external firewall, gets one of those external IP addresses, provides NAT translations (using that external IP) and should be an Application Layer Firewall. More internal firewalls are even better, but two should suffice. Between the two firewalls are your outside only services (web servers, email forwarders, porn, etc). You can even get creative and place honey pots between them, but that is a bit beyond the scope here.

Firewalls are as complicated as you want to make them, but really you should be making them very simple. Keep in mind that a firewall performs the same tasks as a good mailroom. If you do your homework to determine what traffic you need to allow (port numbers), where the traffic should be coming from, and where it should be going to, then you have 99% of what it takes to set up a secure firewall. The other 1% is just punching in that information.