Palm needs every developer to extol the awesomeness of this device and the wholesomeness of the company. They need them to lure people away from the iPhone. Sprint needs every subscriber. If they plan on getting them with the Pre, they need some good apps and a reason to move the early adopters — the ones that want to hack in tethering — over from other carriers.

The beginning of the end, I say ….

Summary: enter the Konami code (up up down down left right left right B A Enter) outside of a textbox, and you get lens flares with clicks and down/up keys. Interesting! Looking through the static javascript, you can see the easter egg code, pasted in here (yes, it’s gonna run off the page):

onloadRegister(function(){var secrets=[38,38,40,40,37,39,37,39,66,65,13],ii=0;function fn(evt){var kk=evt?evt.keyCode:event.keyCode;if(ii==-1){return;}else if(secrets[ii]==kk){++ii;if(ii==secrets.length){new AsyncRequest('/ajax/lensflare.php').setReadOnly(true).setMethod('GET').send();ii=-1;}}else if(ii){ii=0;}}

Now, the GOF is a Nortel piece that uses a custom hash function for the username running and standards-based IPSec VPN. Boo. That means it won’t work with any third-party VPN client. You have to use the Contivity piece of garbage. Bonus that this piece of garbage is written by Apani, and is now no longer actively supported. Double ugh. So here is what I need:

• VPN access to the work network
• Tunneled through SSH
• Ability to redirect DNS lookups through the VPN
• Free, as in speech

What you’ll need to do this:

• Root on a linux server inside the firewall
• Mac on the outside

There, not so hard? Thankfully, the Intarwebs and a little hacking last night delivered the goods. In short, I used OpenVPN, a few scripts, and a little luck. Here’s how.

Server

1. I used Ubuntu Dapper inside a Xen virtual machine. Worked great.
2. apt-get install openvpn openssl bridge-utils
3. cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
4. Follow the directions for generating keys at the OpenVPN HOWTO
5. Copy the keys to the right places, as from the above HOWTO. I put my keys in /etc/openvpn/keys
6. Use the following configuration file for your server. This assumes an ethernet bridge will be built (later) and that you have a DHCP server somewhere on the LAN to give out IP addresses to VPN clients
   
proto tcp-server
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
mode server
tls-server
client-to-client
keepalive 10 120
cipher BF-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
7. Create the ethernet bridge Debian-style by adding the following lines to your /etc/network/interfaces:
   
auto br0
iface br0 inet dhcp
pre-up openvpn --mktun --dev tap0
bridge_ports eth0 tap0

8. Restart network with /etc/init.d/network stop and /etc/init.d/network start
9. Now you should still have internet connectivity, and eth0 and a br0 bridge

Client

1. Get and install OpenVPN 2.x. I used Macports, so I just fired up ports like: sudo port install openvpn2
2. Grab and install the tun/tap driver for Mac OS X
3. Reboot, or force install the kernel extensions
4. Make sure you have the client encryption keys from above, and use the following client configuration:
   client
dev tap
proto tcp-client
remote localhost
tls-client
ca /opt/local/etc/openvpn/keys/ca.crt
cert /opt/local/etc/openvpn/keys/mchang.crt
key /opt/local/etc/openvpn/keys/mchang.key
cipher BF-CBC
comp-lzo
nobind
persist-key
persist-tun
up /opt/local/etc/openvpn/tap-up-down.sh
down /opt/local/etc/openvpn/tap-up-down.sh
verb 3

5. Grab the openvpn-tap-up-down.sh script from the bottom half of this mailing list posting, or download it right here: tap-up-down.sh
6. Install that tap-up-down.sh in /opt/local/etc/openvpn and chmod +x it so it can be executed

Fire it up

Now we’re ready to start this thing up, over an SSH tunnel, kind of like describe in this post.

1. Fire up your ssh, tunneling the OpenVPN port like
   ssh -L 1194:vpn.your.domain.com:1194 ssh-gateway.your.company.com
2. Where ssh-gateway.your.company.com is your ssh gateway, and vpn.your.domain.com specifies the tunnel endpoint at the VPN server you have just set up.
3. Turn on OpenVPN on the server like
   openvpn --conf /etc/openvpn/bridge.conf
4. Turn on OpenVPN on the client like
   sudo openvpn2 --config /opt/local/etc/openvpn/client.conf
5. You should see, on both sides, OpenVPN authenticating and then starting up.

Now, you should be able to ping any machine on the remote subnet. I wanted to be able to get to anything on the internal network through the VPN, so I manually added a route to all of the internal network (10.0.0.0/8) through the VPN server’s default gateway. Like this:

route add 10.0.0.0/8 10.49.27.1

Of course, substitue the IP of the VPN server’s gateway to the rest of the network for 10.49.27.1. That, combined with the handy script from Ben Low, allows all DNS lookups for the internal network to go to the internal DNS servers, routed through the VPN.

Some notes:

1. On the server side, everything is pretty much normal. I can’t seem to use the “push redirect-gateway” through this system, as a) either the OS X port of OpenVPN doesn’t support it (unlikely), or b) the gateway information is a little borked as it is going over an SSH tunnel. Either way, I just manually add the route to the default gateway.
2. For some reason, the tap0 driver does not go into DHCP mode by default. You have to force it using the ipconfig program, which is done for you in the tap-up-down.sh script.
3. On the client side, Mac OS X has a very complex name resolution service. Very cool if you get under the hood, as seen in these two threads on the Apple developer mailing list. The end result is that when you get the DHCP lease from the internal LAN DHCP server, the tap0 device gets some service keys that record the DNS servers pushed from the LAN DHCP server. After the tap0 driver comes up through OpenVPN, you can see this by running scutil from the command line, and executing
   get State:/Network/Service/DHCP-tap0
d.show
4. Now, OS X needs to have a SupplmentalMatchDomains key associated with these DNS entries before it will actually consult them as part of the name resolution service. The script does that for you. You can see its effects after the VPN starts up by running scutil --dns

There you go. Now poke holes in your own Great Corporate Firewall!

As it turns out, it is a very standards-based system that uses RADIUS authentication. The key to finding that out was this IEEE conference publication from World of Wireless, Mobile and Multimedia Networks, 2006. Even from the abstract one can see that NESPOT uses 802.1x authentication. In fact, if you read the article, they use this system to authentcate millions of users using very little processing power. It is probably the largest installation of 802.1x authentication in the world, or so they claim.

(Yes, you can register your MAC address with them and then you don’t need to authenticate. But then you’d have to be able to read Korean to click through the menus, and I can’t.)

Since Mac OS X 10.3 (Panther), OS X has had 802.1x support built in to the networking subsystem. All you have to do is enable MD5 authentication, enter your username and password, and blam, you are rocking. Some screenshots of 10.5 (Leopard) below:

1. Turn on Airport
2. Make sure you can connect to the SSID “NESPOT”. You will get an IP address, but you won’t be able to get anywhere but the NESPOT main page.
3. Open System Preferences > Network
4. Choose Airport, then click Advanced…
5. 
6. Choose the 802.1x tab
7. Click the “+” and create a new User Profile
8. Enter your username and password
9. Choose “NESPOT” for the Wireless Network
10. Make sure to check the “MD5″ box in Authentication. I left TTLS and PEAP checked. I don’t know if these are necessary.
11. Click OK
12. Now choose the “AirPort” tab
13. Double click on “NESPOT”
14. Change the Security pulldown to 802.1X WEP
15. Select the “NESPOT” user profile from the 802.1X pulldown
16. Click Add on this dialog
17. Click OK to close out the Advanced… dialog
18. Then click Apply to apply your changes to the Network
19. Now, the Airport status should say Connected, and under that, it should say something like Authenticated via MD5.
20. If that doesn’t happen, turn off your Airport and turn it on again. You might have to go back into the Advanced… menu and edit Airport settings like from #11-#17. For some reason, my Mac forgets this security setting.

Enjoy.

Awesome, I broke it. On my birthday (yes, it is today).

NYT Movie Earnings Visualization

Very cool.

Sampling from this week’s batch of 100+ DVDs newly released, there are some gems, both good and bad. Will Ferrell’s Blades of Glory is out this week. I’ve not seen it, but I’ll put it in the “not absolute crap” column. Heroes: Season 1 probably is in that list too. But Meatballs 4? Probably crap. Who said they could make 2 and 3, much less FOUR?

How about Firestorm / Scorpio One from 1995? “Set in a mining compound in 2024, Firestorm follows a faction of freedom-seeking androids as they take on their repressive human owners.” Wow. Queue it up!

It is interesting to me that movies made in the 80s and 90s are getting released this week. What were they waiting for? I mean, I know I’ve been dying for the DVD release of Ski School (1990), but that’s because I really want to hear the director’s commentary. And who can forget the 1989 cross-dressing comedy smash hit, Nobody’s Perfect coming out on DVD August 28th? Again. Queue. It. Up. Netflix should put up a “number of times rented” counter just for kicks.

But don’t think the DVD pressing world is just limited to live-action movies! You will find, freshly added to my queue, Care Bears: Fitness Fun and Legion of Superheros: Vol 1. Gotta see if they use the carebare stare power!

Of course, now that I’m worked up, I’m lucky to have Yoga to the Rescue. Ahhhh.

All in all, it seems that the DVDs that Netflix gets over time, and the rental activity over time, are both really interesting data sets that need to be visualized in some cool way. Until we get a nice pretty picture, I’ll have to live with my RSS feed. Thankfully, Air Guitar Nation is coming out this week.

Check out the Hipster Olympics at YouTube. Great stuff.

Goes down well with some articles on new (and old) yuppies.