Poojan (Wagh) Blog

Requests for comment

Archive for the ‘Desktop Computing’ Category

Mesh WiFi Recommendations

without comments

Mid-2020 Recommendation

So if you are in the market for a mesh WiFi solution, which one should you get? It depends on whom you trust.

WireCutter rated Eero the best. But Eero is owned by Amazon, so consider whether you trust Amazon. Synology also has a good name with tech enthusiasts; and it has a good upgrade path. WireCutter considers it their 2nd best WiFi router (outside of mesh), and you can add up to 6 mesh devices later; that said, WireCutter says the setup is more complicated than Eero.

If it were me, I would probably go with Synology. They are well-known in other network device markets. They also have a good track record of updating their routers (for security, etc). While the setup may be more complicated, I like that you can add more devices in the future.

I have seen many other tech-enthusiasts go with Google/Nest WiFi. (I bought my WiFi equipment from someone who was selling it because he bought the Google WiFi solution.) But Google has a history of dropping products, and I worry that WiFi could be next. Finally, WireCutter said it was behind Eero in performance.

Gory details and discussion follows.

Introduction

With many people having work-from-home constraints, I have received a few questions about at-home WiFi equipment. I have gone through dozens (dozens, I tells ya) of different WiFi systems in my house: Buffalo, Linksys, D-Link, Western Digital, TP-Link, D-Link (again). Some of this was my own doing: when things went from 802.11g (WiFi 3) to 802.11n (WiFi 4) to 802.11ac (WiFi 5), I upgraded my setup. (I will at some point switch to WiFi 6, but probably not for another 5 years or so.)

Here’s what I have learned along the way:

  • The best setup is to have multiple access points, each having a wired connection back to the main router. This is what I call wired backhaul.
  • You do want 5 GHz WiFi (especially 802.11ac AKA WiFi 5). It does not penetrate nearly as well as 2.4 GHz WiFi. But (because 2.4 GHz travels farther and because there are fewer channels), 2.4 GHz is more congested: your neighbor’s WiFi is interfering in your house on 2.4 GHz.
  • Powerline Ethernet connections are not rock solid. In some cases, they are better than WiFi, but it really depends on your house construction (as does WiFi).
  • Extenders don’t work. There is most likely an incompatibility with your router and some other manufacturer’s extender. It’s better to go with a centrally-managed system made from one brand (AKA a mesh system).

If you’re in the market, I recommend a mesh WiFi system with dedicated backhaul. What is dedicated backhaul? It is a separate channel and separate radio that can do the meshing. What that means is that each WiFi access point (each satellite that you put in your house) has two radios: Radio B connects back to the main router. Radio A is what services your laptop/desktop/Roku/cell-phone/etc. (I call laptop/desktop/Roku/smartphone the user traffic.)

Backhaul

Dedicated backhaul means that the satellite (Access Point) can service user data and relay it back to the main router simultaneously. It has 2 wireless links to do so. However, there’s a problem with distancing: you still need to put the satellite in the range of the main router. Here are a couple of crudely drawn pictures showing the problem and solution:

Problem Case: the satellite (Access Point) is placed too far away from the main router; it cannot receive/send a signal to the main router.
Mesh Case: the satellite (Access Point) is placed within the wireless range of the main router. It can connect and create its own signal farther than the original main router.

This is a little worse than what I do myself, which is wired backhaul:

Wired Backhaul Case: the satellite (AP) is connected with a wired (Ethernet) connection to the main router. So, it does not need to be within wireless range of the main router.

What’s the difference? In the mesh configuration, you have to place each access point within the range of another access point. In the 2nd picture, you can place access points outside the range of each other. And, in fact, it’s preferred that they don’t overlap. (Non-overlap causes less interference and makes it clearer for the user device which network to connect to.)

Corner Cases

You can pretty much stop reading at this point. The next few scenarios are pretty unlikely.

Now, what if you set up things like so?

Daisy Chained Case: Traffic from rightmost access point must pass sequentially through each access point to the left to make it to the main router

Each radio can hop as many times as necessary to get to the main router. So, it’ll probably function. But it won’t work well. The reason is that AP1 inherits all the traffic from AP2 and AP3. This multi-hop adds delay to user traffic. Delay causes slowdown: both perceived slowness and actual reduction in data rates. This setup can also over-burden the satellites, because they are sending traffic in both directions on their backhaul radios. Finally, the backhaul channel can get congested from the proximity of multiple satellites.

I have simplified things a bit in the above diagrams: there are really 3 networks: the main router’s user network (blue), the satellite’s user network (green), and the wireless backhaul network (shared between the main router and satellites). But the wireless backhaul on each device will have roughly the same extent as the blue/green network, so I didn’t clutter the pictures separating that detail.

From a user’s perspective, there is only one network in all of the above. Both the main router and satellite will appear to have one WiFi network. The user’s laptop (for example) will switch between the blue and green networks as necessary. The technical jargon for this is that both the blue and green networks should have the same WiFi name (SSID) and password (security credentials), so the user’s devices will see them as the same. They will be on separate frequencies, though, to prevent self-interference of the radio signals.

Recommendations

Now, for my recommendations. Most consumer solutions are primarily made to work as a mesh, not with wired backhaul. While you can do wired backhaul, it’s not something that really comes out-of-the box. So, I’m not recommending it unless you know what you’re doing. (In which case, you probably wouldn’t be asking me for advice.)

To plan this out, you need to know how far your WiFi propagates. If possible, you’ll want your main router somewhere centrally located, and the access points (satellites) located concentrically around it. For example, if you have a 2-story house with basement, put the main router on the 1st (ground) floor. Put a satellite in the basement and one satellite on the 2nd floor.

But where on each floor is a trickier question. If you place satellites directly above and below the main router, they will be as close as possible. But maybe that’s not where you have an outlet. And in some cases, the routers and satellites will be optimized to broadcast horizontally but not vertically (not directly above and below).

Really getting to the bottom takes a little bit of measurement. If you have an Android device, I recommend using WiFi-Man by Ubiquiti to map out your current situation. Start near your router and walk away. Go upstairs, downstairs, etc. You will see the signal change. You can get a crude map for where the signal propagates and where it doesn’t. Based on this information, you can decide where to place your satellites. And hopefully, the new router will have around the same radiation pattern as your old one. (There is an Apple version of this app, but I do not believe it has the same signal strength function. A google search for similar apps showed an iOS app that had too few reviews for me to recommend it here.)

I should say at this point: I don’t own a mesh system. So, I had to resort to some web researching. You should take the following advice with a grain of salt. A lot of the above is taken from a WireCutter article on Mesh WiFi. This article also corroborates my experience above. In fact, you should at this point read through the article for more detailed testing on all the mesh options out there.

Written by PoojanWagh

June 7th, 2020 at 9:56 pm

Posted in Desktop Computing

My Password Setup

without comments

So, I’m basically making this post so I can share with friends/family. In this post, I will explain what I do for managing passwords, including two-factor authentication (2FA), and give some options for getting 2FA. Before I do that, I will explain how I got to the conclusion on what I am using.

For those that don’t know me, I am not a security expert. You should do your own research (and maybe consult the security experts out there). I could be wrong about some of my conclusions. And more generally, what might work for me might not work for you.

Also, the scope of what I am explaining here is only for my personal accounts. My company (and most out there) has an IT policy for work accounts.

You can skip past the Intro, if you don’t need convincing on why reusing passwords is insecure. Also, I put my recommendations right up-front in the Bottom Line section, if you don’t want to read the whole article.

Bottom Line

My bottom line recommendation is to look into the following combination and see which one works for you: something to manage your passwords, and something for 2-factor rolling codes (OTPs).

For managing passwords, you can go with a hard-paper notebook (where you write passwords down and you never store them on a computer) or a password management app, such as KeePass, Bitwarden, or LastPass.

For getting 2-factor rolling codes (OTPs), you can go with a device such as a YubiKey or an app such as Authy, Microsoft Authenticator, or Google Authenticator.

Intro

There have been a lot of password leaks lately. I mean, a lot. This multitude of leaks culminated in a meta-dump of everyone’s password. That is, someone compiled many of the previous leaks and put them into one big password dump. As a result, if you’ve been using a password for any amount of time, and if any of the sites you used practiced sub-par security practices, your password is probably available on the Internet.

(You can check here. Just enter an email and it will likely show which of the many breaches your password appeared in. Alternatively, you can enter a password here and it will show you if that password was in a data dump. But I’ll save you some time: yes, your email and password are available online.)

Now, one solution is to use unique passwords, and don’t share them between websites. In this case, even if one of your favorite websites leaks their users’ passwords, you only have to worry about someone hacking your account on that site.

Unique passwords solve most, but not all, of the ways people can gain access to your account. Most experts recommend a 2nd factor called one-time passwords (OTPs) to use in combination with unique passwords. OTPs are basically a rolling code that changes with time.

Remember that there can be a huge profit motive to someone hacking your account. They may want to get your LinkedIn network, your FaceBook contacts, or your financial institution. Taking these two steps can make these attacks much more difficult.

Incidentally, similar recommendations are being provided to US officials participating in elections, albeit with Google’s own hardware product.

The Limitation with Passwords

If you want to create unique passwords for each site, you’ll need to create a lot of passwords. And you probably want to use either a notebook to write them all down, or a password manager to store them (in a secure, encrypted format).

This unique password is a reasonable solution. But it does suffer from a significant problem: someone could impersonate a website. If, for example, I wanted to go to the real cat video site but typed the address in wrong, I would mistakenly go to the fake cat video site. The fake cat video site has completely impersonated the real cat video site. Unless I paid very close attention to the web address, I would not know the difference.

I then type in my password (unwittingly) to fake cat video site. Now, they have my password. They have complete access to my account at real cat video site. They can do whatever they want with that password–including delete my videos, or even replace them all with dog videos.* The problem with passwords is that they are static. Once you’ve handed it out, the cat is out of the bag.

This website imitation is easier than you think online: fake cat video site can pass all traffic through to real cat video site without you knowing. They don’t actually have to copy the information; they can simply forward every request and return every answer. This attack is known as a man-in-the-middle (MITM) attack. Passwords can’t help you with them.

2-Factor Authentication

To mitigate this deficiency, most experts recommend something in addition to the password, a second factor. This is called 2-factor authentication (2FA).

The simplest and most obvious way to add a 2nd factor is to add a rolling code: that is, an extra code that changes with each login attempt. With this rolling code, if you log in to fake cat video site with your password and rolling code, they get access to your real cat video site account only once. They can do some damage, but they do not have permanent access. If they try to log in again, they will need a new rolling code.

There are many ways of getting such a rolling code. One of the most convenient is to use an authenticator app, such as Authy, Microsoft Authenticator, or Google Authenticator. (All of these use a common standard, so you can use any of these with most sites that support a rolling code authentication app.)

These methods use your phone to create the rolling code (which changes every 30 seconds or so on an app on your phone). For many people, this is a safe enough option. There are flaws with this method, but it really is a very good compromise between convenience and security. If you are going to do nothing else, enable 2-factor authentication using an app.

The problem with app-based authentication is the scenario where you lose physical control over your phone. Or you install an app or download something that compromises your phone. More generally, if someone has access to your phone, you can’t count on a security app on your phone to really be a 2nd factor. That 2nd factor app (if it sits on your phone) really becomes more of a formality in logging in to an app on your phone.

That said, if you lose your phone and someone has the ability to unlock it, there are much bigger worries than them logging into a specific app or trying to steal a specific account.

The official name of the rolling code is one-time-password (OTP). I use an OTP wherever I can. However, I don’t use an app on my phone to store it. See the next section.

What I Do for OTP

I use a YubiKey for one-time passwords (OTP).

The reason I like the YubiKey is that it allows you to store/generate a one-time password on a hardware device: the small YubiKey itself (which fits on a keychain).

In addition, the YubiKey solves another problem: it’s independently portable. I generally have it on my keychain, where all my keys are. And most people are used to keeping their keys secure. In my case, I duplicate my credentials to two keys. One is a USB-C key (usable on my phone and recent computers) and the other is a regular USB-A key (for backup). So, I have a backup YubiKey that stays at home.

You do need to plug the YubiKey in to your phone or computer to read the codes, but this is done securely: only that single code gets passed through your phone/computer and onto your screen. No one can steal the secret code that generates all the codes; it is protected within the hardware of the YubiKey itself.

I also do create backup/recovery codes and print them out. These allow me to log in if I lose both my YubiKeys. (Or if they get corrupted.) I don’t store the backup codes on a computer. They are hard copies and kept in a fire-proof envelope. (Most sites, including FaceBook, allow you to create backup codes.)

What I do for Password Manager

There are many options for software-based password managers. The one I use is KeePass 2. The reason I use it is that it’s free (open source), has options for Windows, Linux, and Android. (I’m not sure about Apple/iOS, but I’d guess there’s a solution there.) And cloud sync is optional. You can store it on a single device, and that device does not necessarily need Internet access. The downside is that if you do want to sync it across devices, it takes some configuration.

Other Options for Password Management

Paper Notebook

While I don’t use a paper notebook—I like the convenience of having a software password manager—they are a good solution. It’s the cheapest (in terms of up-front time and money) solution.

You probably have a notebook lying around your house. If not, take a look at books on Amazon written by Lourdes Welhaven. The only thing to be careful of is that you generate good passwords, which are hard to guess. Your brain is pretty bad at doing random. So, here’s a systematic way using dice (if there are no restrictions on password length). If there are restrictions on password length, go here or here. Incidentally, password-generation is a place where password-management apps really shine.

No one can hack into your computer and steal your trove of passwords, if they are not on your computer. That said, people hacking a regular Joe’s computer doesn’t seem to be the way passwords are leaking–or at least it isn’t the only way. It is, in fact, the websites we use that seem to be the weak link. Every time a website gets hacked, your password at that website spills on the internet.

Other Password Management Apps

There are quite a few other options if you want to go for a cloud-based service. I’ve heard good things online about BitWarden and LastPass. I don’t have any direct experience with any of these, but I have come across many good comments about BitWarden.

I did try BitWarden very briefly on my Android device, but I kept KeePass because the Keepass2Android App has an extremely useful feature: you can set it up as a software keyboard in Android. It can then enter your username/password in other apps with a button on the screen.

The SecurityNow Podcast is sponsored by LastPass, and I generally am comfortable with their recommendations; they seem to have a decent vetting process for their sponsors.

Note that the Have I Been Pwned site I linked in the intro is sponsored by 1Password.

Other Options for OTP

Authenticator Apps are pretty neat. You set it up once by scanning or typing in a long code given by the website you want to use it with (FaceBook, Microsoft, Snapchat, etc). There’s a different code for each.

Then, after setup, it generates a rolling number that’s needed every time you log in. What’s nice is that the apps conform to a standard. So, you can have one app installed for all your different websites.

I have heard of Authy. Authy is multi-platform (Windows/iOS/Android) and will sync across platforms. Google Authenticator is equally good, but it doesn’t sync your OTPs across platforms. Similar with Microsoft Authenticator.

One could make the case that OTPs should be unique to the device they are on, but for most people, the convenience of setting Authy up once is worth the risk. There are those, however, that disagree: using an authenticator app is better than nothing, but a dedicated hardware security key is much better.

Google also has their Titan security key solution, which is hardware-based. I have not done any analysis comparing it to YubiKey. I just know the YubiKey supports many standards and does whatever I need it to do. I started with YubiKey many years ago and never saw a need to switch. I also have a cautious opinion of Google solutions because of their repeated exits from markets.

SMS for Two-Factor

I really don’t like this option, and I wish companies would stop providing it. (Especially banks, where this seems to be prevalent.)

Once again, I am no security expert, but experts don’t like it and SMS has failed in the past.

* I am a dog person (too), but people like their cat videos.

Written by PoojanWagh

March 28th, 2020 at 11:00 pm

GTD with Python, git, vim, and asciidoc

with 2 comments

I recently detailed the high-level setup of my latest GTD roll out. This follow-up post has a high “geek factor” and contains the details of how I do this using computer automation (Python scripts).

Written by PoojanWagh

June 1st, 2009 at 8:19 am

iPhone vs iPod Touch

without comments

Over at CNN: “Microsoft’s Zune HD to debut this fall” – SciTechBlog, John D. Sutter asks why anyone would choose the iPod Touch over the iPhone. I’ll tell you exactly why I bought my wife an iPod touch rather than an iPhone:

  1. Monthly fee: The $70/month AT&T bill for the iPhone is steep. It’d be worth it if she needed that connectivity…
  2. Tethered mobility: … however, she doesn’t really want connectivity when she’s not around the house. She’s cool with checking email when she gets home.
  3. I’ve heard the iPhone is a great device, but not a great phone. Yeah: it’d be more convenient to have the all-in-one portable device platform and phone together. However, I’ve heard from numerous people (none of whom are allegiant to Motorola) that the iPhone isn’t terribly good as a phone. In truth, I never really found out why: call quality, user interface, etc. However, the suboptimality of the phone stuck in my head.
  4. It pretty much runs everything the iPhone does: the iPod touch pretty much runs every app that the iPhone runs, so she’s really not giving up anything.

In fact, I wonder if people tend to buy the iPhone because they don’t know how capable the iPod touch is.

Written by PoojanWagh

May 28th, 2009 at 3:25 pm

Posted in Desktop Computing

How not to go back in time using git (equivalent of svn revert)

without comments

Update: I recovered my lost commit by following the directions here. In addition, I had to create a branch from this commit using checkout -b. I then switched to the master branch and merged the temporary branch into master.

It has been posted that git revert is not the same as svn revert. That’s true.

However, there have been suggestions that the equivalent is git reset --hard commit. I just did this. It isn’t good. Luckily, I didn’t lose much data. However, doing a --hard means that you reset the index back in time, too–not just your working copy.

I’ll admit that I don’t understand git very well. I’m not entirely sure (now that I’ve gone back in time) how to bring myself back to the future.

Essentially git reset means that you want to get rid of changes in your repository: not merely go back in time, see what things looked like, and move forward in time.

Anyway, a safer thing (for me to have done) would be git checkout commit.

The git manual specifically says:

--hard

Matches the working tree and index to that of the tree being switched to. Any changes to tracked files in the working tree since commit are lost.

Wonder if I’m too feeble to be MacGyver and need a James Bond. On the other hand, now that I’ve learned this lesson, maybe I’m better off sticking here.

Written by PoojanWagh

May 18th, 2009 at 10:12 am

Posted in Desktop Computing

Picture-by-Picture: Setting up Mercurial with WikidPad

without comments

I’m personally using Git to version-control my WikidPad files. However, Mercurial (and especially TortoiseHg) is equally well suited for this function. In many respects, Mercurial is simpler to use than Git. The only shortcoming I had with Mercurial is that there’s no managed branches; to branch, you create an independent copy of the whole repository (clone it).

Nonetheless, for most people, Mercurial will not only suffice but give quicker rewards than Git.

I don’t use Subversion for this purpose, because subversion has a centralized approach which requires a repository, separate from a working copy. Importing, merging, branching, etc., with subversion is a bit of a hassle. This “hassle”, of course, is purely personal taste; others will (strongly) disagree. In fact, for many other purposes, I strongly prefer Subversion to Mercurial/Git/etc.

Goal

By the time you’re done with the following steps, you should be able to:

  1. Place a WikidPad Wiki under version control
  2. Commit changes as files change
  3. Revert to prior versions

Written by PoojanWagh

October 21st, 2008 at 12:34 am

Setting up Pidgin for Google Talk behind an http proxy (web proxy / corporate firewall)

with 3 comments

I use Google Talk at work mainly to post to social networks (army.twit.tv, identi.ca, twitter.com, yammer.com). It is possible to receive notification using Google Talk (which is just a Jabber/XMPP instance), but I find that too intrusive to what little work I get done.

  1. Run pidgin (if not already) and select Accounts->Manage

  2. Select Add to add another account:

  3. Select XMPP for the protocol type:

  4. Fill out the form as follows with gmail/gtalk username & password; domain is gmail.com; Resource is (optionally) Work:

  5. Click the Advanced button. Select old (port 5223) SSL. Select 443 for the port number. Server is talk.google.com. Fill out the http proxy (for example, wwwgate0.example.com, port 1080) & http-proxy username & password (not likely the same as your gmail username/password):

This works because http proxies generally allow ports 80 (http) and port 443 (SSL/https) through. They generally disallow other ports. Luckily, google’s jabber server (talk.google.com) accepts connections on port 443–and they are SSL (encrypted) connections, so that’s good, too.

Written by PoojanWagh

October 13th, 2008 at 3:11 pm

Useful Firefox extensions versus Google Chrome without RSS

without comments

Just for kicks, I’ve been brainstorming whether I can replace FireFox with Google Chrome.

The answer is no, but more accurately, almost. I’ve made a list of FireFox extensions that I live by. Namely:

No Firefox-style extensions for Chrome (for a while)

without comments

I was quite excited to adopt Google Chrome as my primary browser. Immediately, I missed the “Read it Later” extension. I looked into whether an extension community had sprung up yet. (Who knows; there are apparently themes available already.) Unfortunately, I found the following in the Chromium (the open-source group formed to develop Chrome) FAQ:

FAQ Chromium Developer Documentation:

Q. How can I develop extensions for Chromium like in Firefox?

A. Chromium doesn’t have an extension system yet. This is something we’re interested in adding in a future version. Note that Chromium does support NPAPI-style “plugins”, such as Adobe Flash and Apple QuickTime.

Unfortunately, this is a deal-breaker for me (and likely for a lot of people). Guess I’ll have to be patient.

Written by PoojanWagh

September 9th, 2008 at 5:33 am

Posted in Desktop Computing

Dell Inspiron Mini 9 Details

without comments

From Dell Inspiron Mini 9 Details:

Runs Intel Atom N270 & Intel GMA 950.

$350 for Ubuntu 8.04 w/ 4 GB SSD.

$400 for XP Home w/ 8 GB SSD

$450 for XP Home w/ 16 GB SSD

Written by PoojanWagh

September 8th, 2008 at 1:27 pm

Posted in Desktop Computing