So I make it through the renewal process, which required generating a new CSR (Certificate Signing Request) for a brand new certificate from the server since the original one had a bit length of 1024 and GoDaddy only accepts 2048 to 4096 bit lenghts (this is a new requirement). After completing the process and getting the certificate installed, I got a nice helpdesk call from a user this morning who has a Centro: “SSL certificate not accepted due to possible expiration.  Check device date & time and re-sync.”

Joy oh joy, exactly what I’d been looking for, another problem and wasted time!

OK, enough sarcasm (but really, can you ever have enough?). Time for Google and Daryl Hunter from the Church IT Roundtable! Although GoDaddy auto-renewed my SSL certificate, I was actually contemplating buying one of their UCC certificates to be ready for when we went to Exchange 2007. Fortunately I read Daryl Hunter’s post about Exchange 2007 without UCC certs, and stuck with the regular certificate for now, because per Palm KB article 43375, certificates with Subject Alternate Names (SANs), such as UCC certs, are not supported at all on Palm devices (“SSL v3 certificates which rely on the Subject Alternate Name field to do load balancing across virtual site names do not work with Palm OS devices.”). So a UCC cert isn’t even an option for me, but it’s cheaper to do Daryl’s method anyway! For now I don’t have to worry about it, since I just have Exchange 2003 for now, and that’s not the present issue (but we will likely be on Exchange 2007 or Exchange 2010 by the time the certificate expires). Additionally, the same article (which has a tool for installing new trusted root certificates on some Palm OS devices–but I didn’t want to mess with touching every single Palm OS device here! And, the tool works on Windows 2000 or XP only, not Vista (and I’m sure not Windows 7 either)) specifically states that, “GoDaddy Class 2 certificates do not work with Palm OS devices.” Time to drop GoDaddy!

Daryl’s favorite SSL certificate vendor (and now, mine too!) is RapidSSL Online. They sell certificates from RapidSSL.com for $17.95 per year (or cheaper, for multiple years), and they’re single root certificates (which menas you don’t have to install intermediate certificates on your server). While RapidSSL Online is cheap, RapidSSL.com directly has a 30 day trial certificate you can sign up for to test for a month, and this is the way I went. When that certificate expires I’ll be purchasing a multi-year certificate from RapidSSL Online, but I wanted to make sure it would work, and it does! I don’t know for sure, but it appears that RapidSSL.com is the company holding the root certificate, while RapidSSL Online is either a reseller or a sub-company of the parent selling the certificates at a discount (the RapidSSL.com certificates aren’t expenive but still cost a lot more than from RapidSSL Online!). Either way, RapidSSL Online claims that their RapidSSL certificates are issued by RapidSSL.com so they should be the same (I haven’t made a purchase yet), and Daryl Hunter has used RapidSSL Online successfully for years across multiple installations.

I generated a new CSR for a new certificate, again (just like I had to do for GoDaddy). I installed the free certificate on my Exchange server’s IIS (I also then exported it and imported the .pfx file onto my ISA 2004 firewall since it does the authentication up front for external clients, but that’s a pretty unique case and in most cases you want this done on the Exchange server). They were right, it’s just a single root on the certificate, signed by Equifax! I had my Palm Centro users (two had complained by this point) try syncing again. It worked! My iPhone also works fine still, and I haven’t had any negative reports from the four Palm Pre users here either. None of my users have Windows Mobile, and my one Blackberry user connects though Blackberry Professional Server rather than with ActiveSync.

So, adios GoDaddy SSL; fortunately they will refund all but $15 of my certificate (for processing since it was issued), and I’ll still come out ahead with RapidSSL Online (GoDaddy was $60 for two years, while RapidSSL Online is only $70 for five years!).

One thing I’ll have to be careful of when I go to Exchange 2007 is that once I use Windows Server 2008 to generate the CSR, it appears I will need to go to extra pains to make sure the CSR is in Printstring format instead of UTF-8, as Palm OS doesn’t support UTF-8 certificates either (Server 2003 uses Printstring by default). Daryl located this useful post while helping me troubleshoot: Ranting about Palm Centro Versamail ActiveSync and SBS 2008. Useful info, I’m sure I’ll be going back when it’s time to renew next time and Server 2008 is in place. By then, I hope we are Palm OS-free; although I loved my Treo 600 and Treo 650 both, the web is littered with forum and blog posts from people who have SSL issues with Palm OS devices (the Palm Pre and Pixi are much more flexible and up-to-date with the Palm WebOS). I was happy GoDaddy “just worked” in the past, frustrated that they “just didn’t work” this time, and happy to save money and move to a company that’s quicker/faster/easier!

Today there are two final tests (each venue can pick one) where the stream is run for a couple of hours to the venues to make sure things are going smoothly. Last week there were some various hiccups that they found and fixed and this past Monday the test went very smoothly. We ran the afternoon test (the other is tonight) today in our Youth Center where we’re hosting the event and just after the official test, I decided to test our bandwidth with Comcast. I kept adding streams until I was streaming the 2.5Mbps (highest available) stream seven different times! Bandwidth peaked at over 18.5 Mbps downstream with all those streams running at the same time! And I think we had some bandwidth to spare (this is on our Comcast Business internet connection). Our connection is rated for 16 Mbps down and 2 Mbps up, while I’ve seen speed tests recently as high as 30 Mbps down and 4.5 Mbps up. Certainly the almost-19Mbps speed seen here is excellent and above our rating!

I’ve posted a bandwidth graph showing our internet connection’s utilization (also on TwitPic):

Cacti Graph - Town Hall For Hope Test 7x 2.5 Mbps Stream

Comcast Fun

Of course we almost missed the test this morning because someone cut our main Comcast tap this morning just before it went under the parking lot to our building. You can see the actual cut cable (and a part of my shoe) in the picture I uploaded to TwitPic earlier. This caused a four-hour internet outage (8am to noon) that I managed to get back up once I realized (thanks to some prompting from our awesome Facilities Director Mike Moore) that the other end of our building has a completely separate cable tap from Comcast for the TVs on that end of the building! That tap was unharmed so I moved the modem to that IDF and plugged into the tap. I adjusted some VLAN configuration settings to put the firewall’s WAN port on a private VLAN with the modem’s LAN interface (it was plugged in directly before) and tada, at 11:58 am (two minutes before we were scheduled to test the Town Hall For Hope stream) the internet came back!

Comcast did come out later (during the Town Hall For Hope test in fact) and repair the cable that was cut. I’ll be moving the modem back after hours; the TVs are working so I’m going to assume the modem will be fine back on its original line as well. I’m really glad we had that second tap though, because we would have had to push the Town Hall For Hope test off until tonight when the youth group uses the room we’re using, and we wouldn’t have gotten as good of a test. And kudos to Comcast for their fast response to our issues, even though they weren’t the cause.

So, today didn’t quite go as planned, but given the issues I think we had plenty of successes. And I’m not going to worry about blocking free wifi or other bandwidth use during the Town Hall event tomorrow night; since we’re only doing one stream I think we can handle it! In fact, I just realized that if we overflow that Youth Center venue for some reason (which I doubt we will not because it’s not going to be a big event, but because there are so many other churches also hosting it), there’s no reason we can’t handle adding a feed to our main sanctuary as well if necessary. I like being prepared. Just keep the backhoe’s away from the property!

I have a few things I’d like to publish here that won’t fit on Twitter and will be easier to reference here than on IRC where I still may have discussed some of it already (in the #citrt channel). Now to find the time! Hopefully soon. Poor neglected blog… :-) Maybe with such a cool new backend I’ll post more often. Not that I posted at all while running the betas and release candidates…

Yep. That’s right. In case Firefox, Opera, and Safari all don’t satiate your burning desire to be rid of Internet Explorer (even if it is improving with age, after it started to ripen at least), Google said they are releasing the beta of a new web browser called Chrome today, Sept. 2nd, 2008. It’s been in development for two years, and they’re beta-testing it with thousands of webpages automatically after each build. How? Well, they have this little archive of webpages stored somewhere… :-)

They accidentally leaked the news a bit early but have now come clean and written a blog post announcing it, and have released the original leaked “comic book” describing the project, which will be open source and they claim has pulled from both Mozilla (Firefox) code and Apple’s Safari WebKit rendering engine. The comic book is very descriptive and indicates that each tab of the browser will run in a separate process, which will reduce memory usage over time and allow multi-threaded JavaScript, as well as allowing individual tabs to crash without taking down the whole browser. If this works as advertised, a few tab-users I know (with myself as the number one offender!) may flock to this quite a bit faster than users have moved to, say, Flock. Sorry, couldn’t resist…pun fully intended :-D

I, for one, will be grabbing the beta ASAP and taking it for a spin. As long as rendering is consistent enough to not intruduce more headaches for web designers (basically, standards-compliant, kind of ), I’m excited to see if it lives up to its claims! And I love testing new software. I’m always amazed at the things I haven’t thought of yet, that others have. Nowhere is it easier and quite flexible to showcase stuff like that than in software! Just bang a few keys, hopefully in the right order, and you have something new. The only thing easier? Web design (which is correspondingly more limited most of the time). Of course, both can be done very badly…

Now I’m rambling. But this is unexpected and exciting news! I would say, don’t knock it ’til you try it, and read the comic :-)

So far it’s holding up to the abuse and none of the systems have been hacked that I know of! At our recent Volunteer Dinner, the workstations served double-duty as aquariums. Well, I put an ocean-with-fish screensaver on each system to help complement the overall ocean party theme. It worked pretty well! I didn’t take any photos, but the screensavers are still installed. So you can expect pictures of a re-creation in the next ten years, unless the computers are replaced before that. Ha ha.

We’re sorry, but your Gmail account is currently experiencing errors. You won’t be able to log in while these errors last, but don’t worry, your account data and messages are safe. Our engineers are working to resolve this issue.

Please try logging in to your account again in a few minutes.

Very strange. Even more strange is that I can log into one of my Google Apps for Domains accounts just fine, just not my main Gmail account.

Update at 10:30 pm: Seems to be working fine now. Not sure how long it was actually down. Around an hour or less from what I saw, but who knows how long before I checked it went down, and how soon in the interim it came back up.

I ran into a small issue with the SteadyState/Firefox setup that was a relatively easy fix: Firefox tried to update itself and the theme when new versions came out. Why it does this as a limited user when it can’t run the upgrade (for the program itself; the theme should work if it weren’t locked down) is beyond me, maybe I’ll file a bug report or something. Anyway, to get rid of the upgrade reminder, I logged in as Administrator and installed the Firefox program upgrade. Then I unlocked the profile and disabled Disk Protection, logged in as the locked down user, not not locked down, and upgraded the theme. Then I changed the Options (Tools->Options->Advanced->Update) and unchecked all of the automatic update options. Now updates won’t automatically (try to) apply, and I don’t even have to worry about security holes much because of the Disk Protection feature. I also took the opportunity to install the Auto Reset Browser extension and disable the old auto-restart mechanism (see below for the reasons).

Accessing Firefox Settings

To get to the Firefox settings, because of the R-Kiosk extension disabling menu access, I had to use the Firefox (safe mode) option from the Start menu, tell the statup box to disable add-ons and restart, and then it came up with no theme and no extensions active. I made my settings changes, installed the Auto Reset Browser extension, re-enabled the theme and the R-Kiosk extension, and restarted. Back to normal, with all changes made!

Firefox Auto-Restart Method

Paul Marc left a comment on my original post asking about how I made Firefox auto-restart if closed and on idle. I was using a batch file called start.bat that I found online, but I can’t seem to locate it again with Google (I recall it took some searching to find originally as well). I’ll have to grab the bookmark off of one of the computers I set it up on when I am able.

It seemed like it was a great solution when I set it up. However, I had several issues crop up in actual use. Sometimes it would get “stuck” in a loop of starting unending new Firefox windows as fast as the computer would open them. The only solution was to log off or restart (or kill the script, but the Task Manager won’t open under lockdown!). This only happens sometimes, and I’m not exactly sure why, but it makes the system unusable when it does happen.

I have made the above changes on three of the four computers (the last one isn’t switched yet because I ran out of time), setting them to not use the start.bat file, and instead installing the Auto Reset Browser extension in Firefox. It restarts the browser after every five minutes idle. The downside is, if a user closes the browser manually, it doesn’t reopen automatically. There is one icon on the desktop though, to open Firefox, so I don’t think this will be an issue, although it’s not as nice as the original solution when it worked correctly. And either way, closing manually or on idle, Firefox still runs the Clear Private Data option I had set up (per my original post) to get rid of the prior user’s cookies or other saved information.

Network Connection Details

In my original post, I neglected to include details of the network connections for the locked down systems. It’s pretty simple: stick the computers on the same VLAN (wired) as the free Wi-Fi internet access. I added each system’s MAC address into the Nomadix gateway so it doesn’t ask for a username or password, and I can control bandwidth on a per-computer basis (they don’t have much). The free Wi-Fi is firewalled so only OpenDNS can be contacted over the DNS ports, so they are subject to the OpenDNS adult site blocking we have in place, just like everyone else.

PassPack gives you a free account (did I mention it was free?). You create a user ID, a passphrase, and a Packing Key, all distinct. PassPack creates an encrypted container using your Packing Key, which is encrypted on your web browser using JavaScript and standards-based encryption. Only this encrypted “bundle,” without your Packing Key, is then stored on the PassPack servers. Want a password? Log in, enter your Packing Key if it’s timed out (5 minutes by default, up to 15 minutes), find the relevant account alphabetically, by tag, or search (all very Web 2.0 and AJAXy-smooth), and click it to…reveal your login name and a scrambled-looking (unreadable) password field. Click in this field and use the Ctrl+C keyboard shortcut to copy the password, and paste in to the site in question (URL also saved as an option to make it easy). This means the password never appears on the screen, it’s just stored directly in your clipboard, and you don’t have to retype it.

So you can copy and paste the password, so what? Well, they also have an auto-login bookmarklet you can save in your browser. Save the URL of the login page along with the password at PassPack, and then just click the Open and Login link within PassPack to open the website in a new window. Then, click the “PasssPack It!” bookmarklet you previously set up. If the site has been “trained” before (even by another user), it fills in the username and password fields and clicks Login to get you into the site! If it’s not been trained for this site, you are walked through a very simple process of clicking the bookmarklet, clicking the username field, then the password field, then the Login button to train the system. So far out of about twenty sites, only two have had issues and not been trained successfully (a Plesk 7.5 dedicated server control panel and the ZoHo group of sites, including the Church IT Podcast Wiki, were the malfunctioning sites, which have been reported to PassPack); these can still have their login information memorized like any other account, on- or off-line, they just won’t auto-login with the bookmarklet.

The folks at PassPack have implemented a few other nice features besides the slick and speedy interface and somewhat novel readable-only-by-you encryption scheme:

• They have a nice anti-phishing setup in place to prevent your PassPack credentials from being phished easily.
• If you keep the site open, it functions offline and can be saved to their server the next time you connect (it also auto-saves if you don’t disable this option).
• One-time keys are available for you to print out and carry with you. If using a public internet terminal, log in to PassPack with one of these one-time-use keys, and copy-and-paste the scrambled password you need. Then you never have to type a usable password into the insecure computer (for PassPack or the target site).
• Export and Import of your data, in unencrypted format, if you wish to switch between other password-saving applications that also give you access to your data in text format.
• Backup and Restore of your encrypted data, so you have a copy on your computer in addition to on their server (you choose whether the backup will use your regular Packing Key or a unique one).
• They will generate a unique password for you to use when registering a new account somewhere, which they will of course remember for you.

You may be wondering where this Packing Key thingy comes from. (I can hear you now, “David, this thing is awesome, sign me up, but what the heck is a Packing Key anyway?!”) PassPack has some of the best help I’ve ever read, which is even available contextually when you click Help within the site. They handily have an answer about Packing Keys and why they’re so handy. They do a much better job of explaining that and just about everything else about the service than I could, given that they wrote it and I’ve just used it for a day. But I’ve found it to be exciting, apparently secure, well-designed, and actually fun.

It should go without saying that besides the great interface, being able to access your passwords from any web browser very easily, along with the off-site storage, is probably the single biggest benefit to using PassPack over a Windows utility. Even the auto-login bookmarklet it cross-platform, cross-browser code and is a simple JavaScript bookmark — no need to install a Firefox Extension, IE Add-In, or any other code running on your machine outside of JavaScript.

I do see one potential downside: their Terms of Service contain several limitations (yes I read it! Well, the parts they highlighted at least…):

1. You are not allowed to store information about financial accounts (banks, etc.), although this may be legal CYA considering I don’t know how they could possibly enforce this given they don’t have access to your data.
2. If you don’t login at least once every six months, your account is “inactive” and they delete everything.
3. You only get 32k of storage per account (they estimate 75-100 entries worth of entries), with no upgrades available yet. Accounts active before August 1st (missed it by less than two weeks, darn!) got 128k of storage (150-200 estimated entries).

I’m sure PassPack intends on offering upgraded service with more storage at some point, but those three conditions may limit my use of their service, and possibly yours. I know I have 23 entries already saved, and I’ve barely scratched the surface with the quantity of online accounts I maintain. It’s at least worth a shot in my opinion. If you like the concept and want an alternative, Clipperz is worth a look, it’s also free and PassPack even has a comparison of their two services. It doesn’t do the anti-phishing stuff like PassPack but it does have many other similar features, which I have not tested extensively. They also do not prohibit the storage of financial details and actually provide a template to hold credit card and bank account information. They also keep the data from leaving your browser unless it’s encrypted so they have no access when it’s on their servers.

Overview

Our new youth facility now has a four-computer internet café. I’ve already written twice about my plans and research leading up to implementation, specifically about computer lockdown software. A couple of weeks ago, I mentioned briefly that we had changed course and decided to use Microsoft Windows SteadyState as our lockdown software of choice, mainly due to the price (free!).

We (Dutch volunteer Jeroen and I) were physically installing the computers/monitors/etc. in the youth lobby area when I thought, “hey, Microsoft just released some updated lockdown software, let’s try it out.” We hadn’t yet purchased the Fortres Grand software, although I had it approved. So I downloaded SteadyState, installed it, and messed around for a few minutes. It was so easy, even my mom could do it! Well, okay, I’ve been teaching her computers for a while and I might still have to walk her through this one over the phone, but I have no doubt she’d make it work :-) The installation went smoothly, the lockdown options (we wanted pretty much the tightest lockdown possible) were easy to select, and the hard disk protection (which discards changes on reboot) was easy to enable and control from within the main SteadyState console. I haven’t had experience with Microsoft’s old Shared Computer Toolkit, but from what I understand it was more difficult to combine all the options together into one functional system, and they appear to have fixed all of this in SteadyState.

Lockdown Features

In the SteadyState console, there are three items under Global Computer Settings: Set Computer Restrictions, Schedule Software Updates, and Protect the Hard Disk. The Set Computer Restrictions option lets you change things such as whether to display the last username in the logon screen, prevent users from writing to USB drives, turn the Welcome Screen on and off, and other miscellaneous things that affect the whole computer, not just particular user(s). I turned most of these on. I’m not writing this with access to the computers I set up, so I’m going from memory on this (and everything else) but if you have any questions about specifics please leave a comment!

You can create or import users/profiles that SteadyState can then manage with a selection of lockdown options going from low to high security, but at each level it just selects a more restricted subset of the detailed options and lets you customize away. This is similar to the functionality of the Fortres 101 software. All we tested was the highest security possible, locking down almost everything and only allowing the Mozilla Firefox executable to run. However, we did have to allow command prompt access to get the Firefox auto-restart trick below to work, although with the GUI and keyboard shortcuts this locked down, no one should be able to access the command line except through the batch file the Firefox shortcut links to for this trick to work.

Testing the lockdown settings to find the right mix can be a bit tricky because you must save the settings, log out, log in as the limited user, test, log out, and log back on to the administrative account again. It’s tedious, but once you have what you want, you can duplicate the settings more easily on other systems. The Export/Import Profile function works, but it imports a default user profile with the lockdown settings. Be careful with this, because it means you must wait until after you import a user into SteadyState from an exported profile before logging in and doing any customization to their desktop (display options, Start Menu positioning, etc.) as any customization you’ve done will be deleted if you import a user over top of your existing user! Found this out the hard way — once :-)

Firefox Does Its Own Privacy Work

Firefox has some great options for “Clearing Private Data” such as cache, cookies, history, saved passwords, authenticated sessions, etc., which for most Firefox users is either a manual option or something it prompts you to do when you close Firefox. Because of the multi-user environment, we instead set the options, available through the Firefox Tools->Options panel, to automatically clear private data when the browser was closed, with no prompting. That way someone logged into Gmail, Hotmail, Facebook, or lets face it, MySpace (one site I still refuse to sign up for :-) will be logged out when Firefox closes, safe for the next person to use. Let’s face it, these are teenagers we’re talking about here — do you think they’re going to remember to log off? Not likely in the vast majority of cases.

I found a batch file with some Google searching (I’ll have to re-locate it and post an update if anyone is interested) that, when run via a command line or a shortcut and passed the path to a .exe file, runs the file but monitors it and if the process ends, it restarts it automatically. So Firefox is in the Startup folder in the Start Menu, but run with this batch script. When someone closes Firefox, it clears their data, is automatically restarted, and goes back to the youth homepage automatically, ready for the next user!

But what if people don’t close the browser? We set up a Scheduled Task to kill the firefox.exe process after 5 minutes of the computer being idle. Same effect as the user closing the browser, and it automatically reopens still. This is a touch buggy, as occasionally Firefox will instead of reopening once, reopen window after window after window after window…and of course the computer is so locked down you can’t kill the process manually. It requires a logout or restart to fix. This is still on my “to track down” list, but it’s the last little piece of the puzzle, and generally it works fine. I’m sure it’s an issue with either the batch file, the scheduled task, or both interacting somehow.

Thematic Full Screen

The theme we chose for Firefox is called NASA Night Launch. It’s a beautiful theme, which shows an awesome shuttle launch shot as the blank background before a tab finishes rendering, and has equally nice toolbar backgrounds and a custom throbber (the top-right icon that moves while a page is loading, if you didn’t know). The grays and blacks in this theme look wonderful with our current homepage, www.infusionstudents.com, as well as the black LCD monitors mounted to the wall (pictures to follow later). A new version of this theme was released on July 22nd, after we set up the computers, so I will consider upgrading the theme at some point soon.

To make the slickest looking interface possible, we applied the R-Kiosk extension to Firefox to force it into fullscreen mode when it starts, getting rid of the title bar and any non-themed borders. We did apply the change to user.js that provides the navigation menu so the address bar and back/forward function. It looks really good with this extension combined with the theme!

While looking to see what the theme and extension we used are called, I just ran into an extension called Auto Reset Browser that for some reason I’ve never seen before. It looks like it might be a more elegant solution to my earlier problem, but I don’t know if it will help keep Firefox open if someone manually closes it. I will have to investigate further as time allows.

Disk Protection

SteadyState’s disk protection option, which you must enable separately from the policy lockdown settings, basically makes the hard drive immutable for most purposes. Do anything, reboot, and you’re back where you started last time. Fortres Grand’s Clean Slate product has similar functionality. Microsoft has made what I hear are improvements (compared to the Shared Computer Toolkit) in this functionality in that you enable and disable this option from the SteadyState control console just like all the policy options. Give it some time to make a cache file for the temporary disk changes, reboot, and the disk is protected.

The nicest thing is, if you’re an Adminstrator running SteadyState, and you log in, install a new program, and reboot — oops, if the disk protection was on you’d lose all your changes! You can unlock the disk for a time in the console, however. But the best option Microsoft added was a modification to the Log Off screen, prompting you that disk protection is on and giving you the option to discard all changes — or, keep the changes, restarting to merge the cache onto the hard drive automatically. That’s a no-brainer option that will continue to save my behind as I update these systems in the future I’m sure, long past initial setup! I’ve already used it for a few tweaks here and there.

No Manual Needed

SteadyState scores high marks for ease of use; I’ve still not read the manual and only referenced the help file (which opens automatically with the console) a few times. (Well, I did use the manual to refresh my memory while writing this post, but only because I don’t have access to the real systems at the moment. And this is the first time I’ve even opened it.)

Physical Installation

I don’t currently have any pictures of the computers handy, so I will leave photos and a description of the mounting process (which comprised more than 50% of the entire operation) to a future post.

Yet Another Alternate Option

In very related news, I did received a reply, although a bit late for me and not really a fit anyway at this point (due to the cost), from when I emailed and asked the guys at the Casting From The Server Room podcast for a reminder of what software they had run across as a Deep Freeze competitor. They mentioned it (CompuGuard CornerStone) in an old episode which I couldn’t remember, and their “show notes wiki” had been lost without a backup. Thanks for the response, guys! Always good to check out alternative options and at least keep abreast of what’s available in the future. They replied to my question back in March on the air, but I missed three episodes in an otherwise unbroken string of probably 30-40 of their episodes I’ve listened to without skipping (wouldn’t you know it was in one of those!), and when I grabbed the back-episode to check out I heard my name again (they’ve mentioned my comments twice in more recent shows since — and inspired the new last name pronunciation guide in my About David page)!

They are using St. Bernard for the block list, the company that makes the iPrism for corporate content filtering. I’ve had some contact with them recently (watched an online live demo and gotten some quotes — the demo was impressive but not worth the time given the price of the quote vs. our budget) and they seem to be a classy company, near the top of the choices for premiere content filtering.

OpenDNS also allows you to put your custom image on the block page (for their typo correction, not just the content filtering). Their service is already being put to use in several churches, but I can’t help thinking this will bump that trend right on up! Andrew Mitry at Anchorite switched from OpenDNS to ScrubIT in March (it sounds like he either used OpenDNS before or liked it, hard to tell from that post), while at the same time commenting that OpenDNS appeared to be more mature (an assessment I’d fully agree with). This is the first time OpenDNS has responded with a content filter on this level however. In my experience (and I’ve corresponded with several of the OpenDNS staff including owner David Ulevich), OpenDNS doesn’t do something unless it can be done right, and going with a large provider like St. Bernard for their list sounds just like something they’d do.

Now, to test extensively! Detailed reporting (especially at the user or internal IP level) is really the key component missing from this service, since you can add your own blocked domains as well. I also don’t see a way to override specific blocked pages if you run into a site categorized incorrectly (although OpenDNS is known for adding additional control features later on). And, while it will catch direct-access porn and other adult content, it can’t do much for direct-IP access sites, or a bigger threat, open proxies (possibly the most well-known being Google’s own English-to-English translator, among hundreds of others) since it’s not doing URL filtering or any content inspection, just DNS blocking. But it’s a good first line of defense, at an even better price. Our free wireless internet is getting switched over post haste!

The news is tragic, but there’s always been a passion sparked in me when I hear of people stepping up and using technology in heroic efforts to assist with emergency situations. Ranging from listening in to the Amateur (Ham) Radio “severe weather net” on my handheld ham radio during thunderstorms, hailstorms, and tornadoes to the scramble to get everything in place for to handle a high-volume website in real time for something like this, it causes an itch I haven’t been able to personally scratch, but I enjoy living through the experiences vicariously. Part of me wonders if someday I’ll be in the wrong place at the right time to lend a hand — something that both excites and terrifies me. Fortunately, as Christians if we take a step back, we should realize that even in a high-stress situation, whether it’s our life in danger or someone else’s, God is in control and all we can do is the best we can do. Keep up the good work in all its forms. And at the least, pray for Kelsey Smith’s family, friends and community in the meantime.

Thanks to Alan Shimel, my first source for this news (reading Google Reader feeds on my Treo at red lights on my way home — post coming very soon comparing two feed readers!).

It’s just what I was looking for, and I’m looking forward to using this a lot in the near future! Great timing, and I learn so much new stuff every Church IT Podcast I can’t recommend it highly enough if you’re in Church IT!

Right now, content filtering on the public wireless is being provided by ScrubIT, a free DNS-based filtering service. Not bad but not as much control or information as I want; it’s a temporary solution (and I haven’t been given an account at ScrubIT yet, so I have no control at all). Matthew Irvine has a couple of excellent posts on his new blog, techlesia, talking about the open source SmoothWall Express firewall and DansGuardian content filter. I have a bit of Linux experience, dabbling at best, but not anything extensive enough for me to set up DansGuardian on a production machine, although I might play with it virtually (SmoothWall Express, if we needed a firewall, might be an option since it is plug-and-play, but we already have ISA 2004). The company SmoothWall has a commercial version of both products, with the content filter called Corporate Guardian, and from the preliminary pricing I’ve found it appears to be much, much less expensive than most of the commercial filtering boxes I’ve researched so far, which translates into “actually affordable.”

I think the Corporate Guardian looks the most promising, since they turn DansGuardian into a commercially-supported product, with the main benefit being that it’s plug-and-play, in addition to blacklist and updates subscriptions. Everyone wins. However, their evaluation terms concern me a bit. The terms state, in part, “You may not communicate the results of your evaluation with other companies, organizations or persons not employed by your company or organization, unless this has been agreed in writing beforehand with SmoothWall.” They also state that after the evaluation, you will “Not make public any notes, analyses, computations, studies or other documents prepared as part of this evaluation unless this has been agreed in writing beforehand with SmoothWall.”

Why does this concern me? Well, I want to share my findings with you on this blog, and these terms say I have to get their permission first. This seems to run counter to the company’s open source products philosophy, and makes me think they are scared of how their product compares to other similar products if someone were to write a review on their blog, for instance. Sure, I could ask for permission to write a review, but if it’s not positive, why would they let me post it? They can do what they want, but I’m not very happy with these particular terms and I’m seriously debating whether or not it’s worth giving up my ability to comment on my findings in order to evaluate the software beyond the claims they make on their website. Is anyone else using SmoothWall’s commercial products, and if so, are you limited in your ability to comment on your company’s use of the products similar to the terms of the evaluation terms, or does that clause go away after you’ve made the purchase?

Thanks Matthew for getting me started on this particular content filter! If I can get past the terms above I’m willing to give it a shot and maybe save some serious money in the process. Or I may find that the open source versions are functional enough and easy enough to set up for my needs; now I just have to find the time to test it.

Thanks to a post from security blogger Martin McKeay that was my first warning!