Improving Home Energy Usage

A few months ago we had an energy audit performed by Next Step Living courtesy of the Mass Save Home Energy Services program. They identified several areas where we could improve, including adding an additional layer of insulation in our lower attic and sealing the air gaps at the top cap of our interior walls. They even installed a low-flow shower head at no cost at the completion of the free audit. The quote for the work to improve our insulation layer came in at a cost of $1,219, but the cost to us was roughly $305 due to subsidization by the state for this program. Needless to say, the Mass Save program was an incredible deal and provided significantly more value per dollar than working with our previous contractor, who – two years previously – added cellulose insulation in the upper attic and into the walls at a cost of nearly $6,000. The Next Step Living contractors identified and repaired the shoddy work performed by that previous contractor in the upper attic, where they had not dammed the air conditioning unit and had blocked the exterior vents in the attic with the insulation they had blown in over the existing decayed insulation.

We also considered the free installation of solar panels offered by Next Step Living through their relationship with SunRun – however the penalties for exiting the contract at 10 years amounted to roughly 40% of the cost of an outright purchase of the equipment (roughly $25,000 after tax credits and rebates – $2000 through Mass Save) – and those early termination fees would not be applied toward a purchase of the equipment already installed on the house.

We’re also looking into ways to decrease our electricity consumption, which is somewhat out of control with 3 kids in the house who have a hard time turning off lights when they leave a room or finish traversing a hallway. We have CFL bulbs in many of our fixtures, but they contain mercury and frankly are not as efficient as LED-based lighting. Massachusetts utility customers can purchase LED lighting at a discount at estarlights.com courtesy of the relationship established by the Mass Save program.

The Next Step Living contractors also provided us with quite a bit of collateral including an energy savers guide with some good information that is replicated out on EnergySavers.gov in a PDF format.

Posted in Energy Efficiency

Optimizing VPN in a Mixed Cloud & Office SMB Deployment

I’ve been considering deploying an open source VPN for a few years now. A little over a year ago we moved our mail, web, directory, and some data services for both my family and my business up to Amazon Web Services (AWS). As my company requires more remote work, a need to support secure access to the company’s internal network for remote workers became apparent. I wanted to go with open source, but the solution would need to meet the following criteria:

  • Support more direct real-time monitoring at a lower level, integrating across cloud and office computing resources
  • Provide controlled remote access via VPN to internal compute resources from any remote network
  • Establish a centralized VPN service leveraging my AWS footprint as a gateway
  • Allow more secure web access for workers by redirecting all of their internet traffic through the VPN connection while they are connected at remote locations
  • Allow MS Windows XP & 7, OS X, Linux, and Unix computers to connect through the VPN
  • Support access via smart phones and tablets – highly desirable, as I want to move with the market as hardware shifts to a smaller physical profile

OpenVPN had the best reviews with regard to overall management and could route between networks on either side of the VPN connection. OpenVPN supports MS Windows as well as Linux and Unix variants – making it a great fit for my workforce. They also provide hosted solutions that are simpler to configure with less administrative overhead; however, very small businesses will find that the cost of that solution pays for a fair amount of over-provisioned compute capacity that could instead be shared with other services on a custom cloud configuration. A custom instance allowed for certificate-based authentication and leveraged revocation lists that tie everything in with my existing certificate base easily and seamlessly, without giving up control of my certificate management infrastructure. Further investigation revealed a lack of native iOS support; the GuizmOVPN application would allow connectivity to OpenVPN, but only if I were willing to jailbreak the iPhone to install it. This led me to consider another VPN solution that could enable access through the most popular smart phone in use by my staff without jailbreaking the phone.

OpenSWAN appeared to be a good candidate as well, with proven iOS compatibility, since it is based on L2TP over IPsec. After a preliminary review of the more common configuration approaches listed on various websites, I developed some concerns regarding the use of single-factor, password-based authentication to gain access through OpenSWAN. Password authentication is subject to brute-force attacks, whereas certificate-based authentication requires an attacker to first obtain a valid certificate that has been previously configured for the VPN, and is generally much more secure as a consequence. In addition to my security concerns, I could not immediately find an example configuration to dynamically route across subnets on opposite sides of the connection to grant users appropriate access to computers on either side. Later, I found a reference at the gadget blog that seemed pretty promising, but I have not yet had the time to independently verify the approach listed therein.

I resolved to set up both VPNs to verify this perception of functional gaps in each solution and to measure the level of effort in maintaining the VPN infrastructure. I found that the OpenSWAN VPN solution did in fact allow for certificate-based authentication, and could be easily configured for password-based authentication following some moderately complex instructions. I was ultimately unsuccessful in verifying the configuration for OpenSWAN with an iPhone 4 running iOS 6 – further investigation in the forums showed that the negotiation for the connection had changed over time after the release of iOS 4 and, while several workarounds were proposed to address those changes, none worked in my configuration. Another possible option is StrongSWAN, referenced in the serverfault blog, which I have yet to attempt on my network configuration. OpenVPN, on the other hand, proved to be much simpler to configure by making minor adjustments to examples found online, and was easily verified in minutes after taking an hour or so to work through the basic configuration and customize the certificate configuration to leverage my internal certificate authority.

Ultimately, OpenVPN appears to be the best open source solution for a SOHO business to deploy VPN services for its workforce in terms of overall simplicity and reliability of the configuration. Certificate-based authentication does require manual installation of those certificates on every connecting client device, and there are a number of additional steps required on the client to complete configuration. I have successfully scripted the creation of the certificate bundle and the server-side configuration file, simplifying configuration to the point where the user need only supply the machine name, then install the bundle on the client and configure it. OpenSWAN, on the other hand, was proving too complex to configure and too difficult to script effectively.
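A script of the kind described above, added here as an example rather than the author's own: given a machine name, it issues a client certificate from the internal CA and assembles one .ovpn bundle with the CA, certificate, key and a tls-auth key inline, then verifies the certificate against the CA and, if one has been published, the revocation list. The CA directory layout, the demo CA it creates when none exists, and the vpn.example.com gateway name are assumptions.

```shell
#!/bin/sh
# Example script (not the author's): build a per-machine OpenVPN client bundle.
# Assumed layout: $CA_DIR/ca.crt, $CA_DIR/ca.key, $CA_DIR/ta.key, optional
# $CA_DIR/crl.pem; vpn.example.com is a placeholder for the AWS gateway.
set -eu
CA_DIR="${CA_DIR:-./ca}"
OUT_DIR="${OUT_DIR:-./clients}"
VPN_HOST="${VPN_HOST:-vpn.example.com}"
VPN_PORT="${VPN_PORT:-1194}"
# Demo CA so the script runs stand-alone; a real internal CA key only signs CSRs.
init_demo_ca() {
  mkdir -p "$CA_DIR"
  [ -f "$CA_DIR/ca.key" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
  # tls-auth static key in OpenVPN's own format: 16 lines of 32 hex characters.
  { echo "-----BEGIN OpenVPN Static key V1-----"
    openssl rand -hex 256 | fold -w 32
    echo "-----END OpenVPN Static key V1-----"; } > "$CA_DIR/ta.key"
}

make_client_bundle() {
  name="$1"
  # The machine name becomes the certificate CN and a file name: restrict it.
  case "$name" in ""|*[!A-Za-z0-9._-]*) echo "bad machine name" >&2; return 1;; esac
  mkdir -p "$OUT_DIR"
  key="$OUT_DIR/$name.key"; csr="$OUT_DIR/$name.csr"; crt="$OUT_DIR/$name.crt"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$key" -out "$csr" >/dev/null 2>&1
  # Mark the cert client-only so it can never pose as the VPN server;
  # "remote-cert-tls server" in the bundle enforces the mirror image.
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$OUT_DIR/$name.ext"
  openssl x509 -req -in "$csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -days 365 -extfile "$OUT_DIR/$name.ext" -out "$crt" >/dev/null 2>&1
  {
cat <<EOF
client
dev tun
proto udp
remote $VPN_HOST $VPN_PORT
remote-cert-tls server
redirect-gateway def1
key-direction 1
EOF
    echo "<ca>";       cat "$CA_DIR/ca.crt"; echo "</ca>"
    echo "<cert>";     cat "$crt";           echo "</cert>"
    echo "<key>";      cat "$key";           echo "</key>"
    echo "<tls-auth>"; cat "$CA_DIR/ta.key"; echo "</tls-auth>"
  } > "$OUT_DIR/$name.ovpn"
  chmod 600 "$OUT_DIR/$name.ovpn" "$key"
  rm -f "$csr" "$OUT_DIR/$name.ext"
  echo "$OUT_DIR/$name.ovpn"
}

# Chain check against the CA; if a CRL exists (openssl ca -gencrl), also
# refuse a certificate that has already been revoked.
verify_bundle() {
  crl=""; [ -f "$CA_DIR/crl.pem" ] && crl="-crl_check -CRLfile $CA_DIR/crl.pem"
  openssl verify -CAfile "$CA_DIR/ca.crt" $crl "$OUT_DIR/$1.crt" >/dev/null 2>&1
}

if [ "$#" -gt 0 ]; then init_demo_ca; make_client_bundle "$1"; fi
```

Run as `sh make_client_bundle.sh laptop-01`; the printed .ovpn is the only file the user has to install, and the private key never leaves the bundle host except inside it.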

The challenges in configuring the VPN for iOS, and the changes Apple has made to the negotiation of the connection through their native tools on iDevices, also lead me to believe that iPhones / iPads are not the best devices for SOHOs requiring smart-phone access to their office networks via the VPN. The forum and blog entries I reviewed indicated that Apple is very discriminating in allowing vendors access to their VPN APIs, making iDevices more suitable for enterprise products from Cisco and other commercial vendors, while open source solutions are left with marginal or no access to development resources or are denied placement in Apple’s app store. Conversely, Android has a native application for OpenVPN which is very highly rated. Small businesses looking to provide VPN access to mobile users should likely encourage the use of Android phones or devices if they see a heavy need for VPN access by a mobile workforce that primarily leverages smart phones or tablets.

Posted in Cloud

Social Networking the BM (Brick & Mortar)

I’m sitting in the local Dunkin Donuts writing a blog entry on my iPhone – not really a remarkable event. I guess the remarkable part revolves around the question “Why Dunkin Donuts?” as I am – without question – a die-hard Starbucks drinker (pause to sip the toasted almond they don’t serve at Starbucks).

Points. My wife is kicking my ass – she has 39 more points than me and I really just can’t live with that. No – not DD loyalty or anything like that – but foursquare points. Foursquare has been around for a while, but for those of you not conversant with the social networking scene, it doesn’t stop at MySpace, Facebook, & LinkedIn. Foursquare scores your travels based on new experiences, loyalty, and generally getting out and participating in life. Somehow – perversely – I believe this actually will tip a few dollars over to small businesses as people play the social game and try to outscore their friends by picking up new venues. Hopefully we don’t see the occasional mugging from people overriding their better judgement and checking in to places they ought not be in (think I need a grammar social network…)

Of course, as I’m writing this Chris is texting me to ask me when I’ll be home – which is after I pick up a few more points. That’s the other side of this, which de-personalizes the experience – I should be out with my family getting points. But the last time we did that Chris was checking in right along with me and I couldn’t get ahead – sigh.

Closing and heading home – there’s a Stop & Shop on the way – wonder if we need milk…


Posted in Social Networking

Berlin Experience 2011

In March 2011 I traveled back to Germany for the first time in nearly 15 years and for the first time was able to experience Berlin. I stayed near the city center while I was rolling out a new pharmacy benefit platform under subcontract through Medco to the German government.

We had one of the best meals at Zur Gerichtslaube towards the end of the project.

Posted in Travel

Linksys Cable Modem Upgrade

I called my cable operator a short time back to change my bundled plan and discovered – much to my surprise – that I could move from 10 MB download to 20 MB for less money. After thinking long and hard on this for all of half a second, I told the cable operator to go ahead and provision my account for the new service.

After getting off the phone, I reset my cable modem – a Linksys BEFCMU10 – and restarted the network interface, ready to download at a blindingly fast 20 MB. I got on my favorite bandwidth testing site and found that I still topped out at 7.8 MB. I power-cycled the modem and tried again with the same results.

I called the cable operator and asked whether or not the provisioning was completed. Oh yes, they assured me. So I checked the supported modem list and found that my Linksys was no longer supported. I asked if the DOCSIS version might be causing the problem, as my modem was 1.2 and upgradeable to 2.0, and they thought it might be – so I decided to contact Linksys for a new ROM.

First I checked their website for a ROM – nothing was available or even indicated I could update the ROM, even though the box and manual indicated it was upgradeable. So I sent an email to Linksys support asking for the instructions and got an immediate response. It indicated Linksys was not responding to support emails any longer, but did refer me to an online chat link – among other channels.

So I fired up Firefox on my Linux machine and pulled up the link – I got a blank screen area where the Java applet would have loaded had I been running the 32-bit version of the OS that runs the proper JVM. I decided to call on a phone instead, and you’d probably guess at this point that the phone service in their support organization was on par with the email support – you’d be right.

So now I’m getting a little irritable and am checking the newsgroups and googling for upgrade experiences. Apparently, nobody has had a successful upgrade experience, they have only experienced severe frustration in their attempts to do so. If anything, Linksys has been consistent in their refusal to provide the firmware upgrades their packaging and literature imply to be available. Have these guys even heard of “Bring Your Own Modem” service? Who do they think is responsible for those modems?

So I decided to hunt down a Windows machine and give the support group another chance on IE. What followed was a very painful discussion where the call center employee didn’t understand the difference between firmware (the software on the modem) and the driver (the software interfacing to the OS kernel). They ultimately refused to support the upgrade channel they documented in the user guide and continually insisted that the cable company was responsible for upgrading the firmware on the cable modem I purchased at Best Buy.

Linksys Support Call Log

Love Jane G. (29832): Hi, my name is Love Jane G. (29832). How may I help you?
David: I need to upgrade the firmware on my cable modem – the ISP has no responsibility for this as I purchased the modem at a retail outlet
David: The model is BEFCMU10 v3
Love Jane G. (29832): The modem does not have firmware to upgrade, David.
Love Jane G. (29832): You mean its driver?
David: It currently has version 1.1.2.0.3 of the firmware
Love Jane G. (29832): Where did you see that?
David: I run this through the cdc_ether driver in the linux kernel
David: 192.168.100.1 – page shows the detail of the modem config
Love Jane G. (29832): Actually, for modems, it is the driver.
David: doesn’t reveal how to upgrade the firmware
David: This needs to be upgraded to DOCSIS 2.0 firmware
David: Box says it’s compatible – I’m assuming Linksys is providing upgraded firmware if they’re claiming compatibility
Love Jane G. (29832): With that concern David, you have to contact your ISP for that.
David: My ISP is not responsible
David: They did not provide me with the modem
Love Jane G. (29832): It is only the ISP that can update the DOCSIS for the modem.
David: Why can I not do this myself? My ISP claims no responsibility for a modem I bring to the relationship.
David: ???
Love Jane G. (29832): David, as I have said, you have to contact your ISP when updating DOCSIS of the modem.
David: And when they say they cannot do so as the modem was not provided by them? How do I get my 20M service which is now limited to 7M?
David: Can I return this to Linksys and have another modem provided that is compliant?
Love Jane G. (29832): Let me check that concern, David.
David: Thank you
Love Jane G. (29832): Thank you for patiently waiting, David.
Love Jane G. (29832): I am still verifying that concern.
Love Jane G. (29832): May I know who your Internet service provider is? Do you have a cable or DSL connection?
David: RCN – cable connection
Love Jane G. (29832): David, may I know why you want to upgrade the DOCSIS?
David: To improve bandwidth from 7M to 20M
David: The literature in the manual claimed up to 45M
Love Jane G. (29832): You did not meet the standard of your ISP for that? What bandwidth does your ISP give?
David: 20M
David: They upgraded the bandwidth on my account 2 fold with no visible improvement, I checked around and found that firmware upgrades to DOCSIS 2.0 can address many of these issues
Love Jane G. (29832): Updating the DOCSIS does not necessarily do that, David.
David: But it may –
Love Jane G. (29832): And again, updating the DOCSIS is an ISP concern already.
David: Signal strength was good, TCP windows are reasonable (1500) – my neighbors weren’t home (no bandwidth shared) – it’s time to try upgrading the firmware
Love Jane G. (29832): What do you mean, your neighbors weren’t home?
David: Cable modems share bandwidth – lack of bandwidth may be attributable to high usage over the shared concentrator on the outside line. My neighbors weren’t online, hence the concentrator was dedicated to my usage (unless they’re running servers – I know them not to be so sophisticated)
Love Jane G. (29832): Your neighbors are wireless, right?
David: Two are on the RCN cable modem service, wireless or wired home networking seems immaterial to me.
Love Jane G. (29832): David, the bandwidth from the modem will be lessened if there is a long connection of cables to the router.
Love Jane G. (29832): Aside from the modem, do you have the wireless router?
David: The modem is connected to the server from which I run most of my apps via a USB cable – this has nothing to do with my wireless router – that runs a separate subnet. The cable length of the RC45 cable from the telephone pole directly to my modem is perhaps 120 ft.
David: The USB cable connecting the modem to my server is less than 6 feet long
Love Jane G. (29832): Sorry for that. Again, DOCSIS upgrade is for ISP concern.
David: Cat 5e cabling suffers a signal loss in runs longer than 100 feet – all my cat 5 cabling is less than 100 feet
David: Can I exchange the cable modem with one from Linksys that supports DOCSIS 2.0?
David: Will Linksys stand behind their claim of DOCSIS 2.0 compatibility as documented in their user guides, datasheets, and literature?
David: Can you force my ISP to upgrade the modem?
David: I need a solution here.
Love Jane G. (29832): Yes. It does support but you have to contact your ISP with that.
David: And will you guarantee that they will perform the upgrade? Are they a Linksys channel partner?
Love Jane G. (29832): No.
David: I need a solution – can you get a supervisor or manager on?
Love Jane G. (29832): Sure.
David: Thank you
David: Please ask them to review the thread before responding…
Love Jane G. (29832): I have actually confronted my superior with your concern and again that will be referred to your ISP.
David: Will you manage closure of this problem with the ISP, or will I be stuck bouncing between your help desks?
Love Jane G. (29832) Has Disconnected

They terminated the chat session without providing any viable options to upgrade the ROM or any hint of concern for providing customer service, and I terminated my relationship with Linksys, as they had pretty much proven to me that they do not stand behind the claims they put in their product literature. It was incredibly disappointing, considering some of the positive experiences I’ve had upgrading my Linksys wireless router’s firmware, which was very straightforward.

So back to Best Buy I went, reward certificates in hand, to get myself any cable modem that did NOT have the Linksys brand associated with it. I found a nice little Motorola cable modem for $5 more than the cost of the Linksys sitting next to it on the store shelf, but I figured “What the heck, support is worth the extra money if I can postpone a hardware upgrade a few more years.” When I got home, I called my cable company and switched the provisioning to the new DOCSIS 2.0 modem. I restarted the network and tried the bandwidth test again – 7.8 MB. Okay, this was not a DOCSIS issue.

When I had called the cable company earlier to provision the Linksys modem, they had suggested that I connect it to the computer through an Ethernet port rather than through the USB port – but I refused, as I wanted to keep the Ethernet ports open for home networking. So I checked it out – I freed up an Ethernet port and connected the cable modem through it. On running the test again I was happy to see that it was now 18.2 MB! On further investigation, I found that the cdc-ether driver for the kernel only supported uhci, which limited the bandwidth on the USB to 12 Mb as opposed to an ehci connection which would have allowed 480 Mb.

So now I’m running short an Ethernet port, but 12 MB higher on Internet bandwidth – an acceptable compromise. Still, I am incredibly disappointed in Linksys and will never purchase a product from them again.

Posted in IP Networking