Technology


The City's Wireless Mesh Explained, Part one...

Wireless Mesh

Recently, in one of the mail lists I subscribe to (the Austin Wireless Group), a thread was started about the new wifi mesh that's being deployed in some parts of Austin. At the time (a few months back), it received a fair amount of press about how it was going to be a public wifi network and some politicians jumped on to "associate" themselves with the new network. To some, it seemed like the politicians were promising free broadband for all Austin residents, but I'm here to tell you the real details of the mesh from someone who's been on the inside.

First, let me start out by saying that I was (am) the Lead Security Analyst/Engineer on the mesh project. A co-worker and I were responsible for the city's first efforts into wifi by designing and installing the first wifi hotspots in the city parks and most of the first wifi hotspots in city buildings a few years ago. Now, as far as the mesh is concerned, I've been to most of the technical meetings, talked to vendors and approved the security measures utilized in the system. I've got a fairly deep understanding of how this thing works, where it is, where it's going and most importantly, how you and other citizens of Austin can benefit from it.

The first thing that needs to be mentioned is the city's policy on wireless: everywhere it's deployed, it will be a public network. This was a security decision as, at the time when we first started getting the projects, wireless had some real security problems so we approached it from the flip side: Instead of trying to protect the network, we'll use our traditional remote access methods that we trust to protect the traffic. Secure the traffic, not the network. This philosophy also turns out to be beneficial to the public as now every place we install wifi, the public has yet another free hotspot. So feel free to associate and use any wifi signal you see that begins with "COA-Location" as those are the public network's SSIDs.

So now, the city has the mesh. It was born out of the need to promote the World Congress of Information Technology back in May but a savvy CIO also saw the opportunity for a longer term benefit. I wasn't in the first meetings between the CIO and Cisco but from what I understand, the city was wanting to experiment with a mesh network and Cisco was looking to promote their newest mesh system. Cisco stepped up and donated the hardware to kick off the network by donating 55 (or thereabouts) wifi nodes, the wifi controlling system and the technical experts to get it started. Since WCIT was going to be centered around a few places in town (Austin Convention Center, City Hall, etc), the decision was made to get those areas up first and progress to the other areas of Austin soon thereafter.

At about this time, the first "myth" about the mesh was born. Because politicians were involved, some of them got overly generous with the end goals of the mesh and they led on that this mesh was going to be primarily used for providing Internet access to those people underneath the umbrella. On the technical side, we had always been told and had planned that the mesh would be for facilitating city business and be used as a testbed for future city applications but because of the network's nature (wifi), it would be a public network. The truth, as usual, is somewhere in the middle of these two uses.

It's against state law for the city to sell Internet access. You can thank your wonderful telcos and cable companies for writing the law that prohibits the city from offering Internet access like any other utility such as electricity or water. So with everything the city does wirelessly, the CIO goes out of his way to meet with those proprietary interests to make sure they understand what we're attempting to do and the plan won't be misunderstood. The mesh, after WCIT, will be primarily used for city business. The public will still be able to get on and use the bandwidth but that will not be its primary function. Large scale powering up of the network runs the risk of violating state law so signal output is kept low so as only to work outside (notice the name of the mesh, the "Outdoor Wireless Mesh Project"). Telcos and cable companies do not provide outdoor signals so the project can't be deemed "anticompetitive." But in order to stay that way, signal strengths must stay low so as to dissipate very quickly once inside buildings.

There are numerous applications coming down the pipe at the City that might be able to leverage the wifi coverage as the connection method. As an example, one of those applications, affectionately called AMANDA, is the new building permitting system where each inspector in the field will have a tablet PC and will be able to issue permits in real time on site with no lines or waiting by the customer. Currently in their testing phase, these tablets are connecting through Cingular's HSDPA as the default transport but over time, as the mesh becomes more prevalent, we'll default the tablets to use wifi first if it exists. And since the city owns the wifi network and the backhaul, over time, this will save the city tens of thousands if not hundreds of thousands in connection costs. And you can multiply that by every new field application the city develops. The potential savings is huge.

Now, because the mesh's primary function is city business, it is being "tuned" for that business. The nodes on the mesh are running at very low signal outputs. Basically you can get a signal while standing outdoors in a clear area but once you walk into a building, the signal dissipates very quickly. This is by design and not the true performance of the mesh system (I think that the mesh is only using about 10% of its full output strength but I'll have to check on that). The point is it's not supposed to be pervasive throughout everyone's homes in the mesh umbrella zone. If you can get a signal, the city is just fine with you surfing away on it. But the city is not in the ISP business and has no obligation to "power up" the signal because it keeps dropping off in your 2nd street condo bedroom.

Personally, I think what you'll see with the mesh over time is coordination of nodes being amped up based on the applications that will be set to use them. This is pure conjecture so don't hold me to this but I can see this as a valuable way to utilize the mesh. As mentioned before, an AMANDA inspector has a few buildings within the mesh that they'll need to inspect that day. We can power up the immediate nodes closest to those locations so the signal will propagate easily through the walls of the building and then, when the inspections are done, we can power the signal back down again. Using it in this way will allow for the inspector to easily connect to the network yet still not break any state laws for "selling" Internet access.

Another use of the mesh will be to provide ad-hoc connectivity to entities during "disaster" scenarios. Last year, when Katrina hit, the city was setting up temporary and short-term networks for the Red Cross and other national entities in city locations where those networks didn't previously exist. Now, with the mesh, we can just power up the nodes closest to the locations the groups need and there will be no need for the city to run in with the wired + wireless infrastructure that was used in Katrina's wake. That will save the city tons of money in just people power when the next disaster strikes.

In my next post, I'll attempt to discuss the city's plans for eventual mesh coverage. There are plans to roll out the mesh in some areas of Austin that have usually been left behind the technology curve so it brings into the discussion the role a municipal government has in providing Internet access to its citizens. If the discussion on the AWN list is any indication, it should be a lively topic for debate.

Re:The City's Wireless Mesh Explained, Part one...

Posted by Chad Williams at Sep 01, 2006 03:02 PM

Scott -

Excellent article... I look forward to reading Part 2.

I must confess I am guilty of perpetuating the government-provided wireless access hype. As Chair of the city's Community Technology and Telecommunications Commission, I've been harping on council to consider how the wireless mesh could be used for economic development purposes, primarily as a resource for existing small businesses that reside under the umbrella.

Looks like that is a labor of futility...

However, I have also preached of expanding the wireless mesh to serve portions of the community in need and combat "digital divide" tendencies. As you pointed out, it is an ongoing debate.

Current federal legislation being hammered out often lacks any build-out requirements. That's troubling because it would essentially legalize cherry-picking of markets. If build-out requirements are absent from the legislation that passes, then it would behoove the city to expand the wireless mesh network in these areas (grow the technological infrastructure).

Delay on the Mesh followup

Wireless Mesh

Sorry for not getting it up yet but I'll be in another meeting early next week specifically about the deployment schedule so I decided to wait until then to make sure I had the most up-to-date information to publish. In the meantime, if anyone feels like joining in and adding to the content, feel free!

Ok, I'll call it... Linux is ready for the desktop...

XGL Cube

XGL Window Wobble

XGL Alt+Tab

Ok, since I haven't made a post about geek stuff in awhile, I'll give a quick review of what I've been playing around with lately. Now, I've been using Linux as my primary operating system for close to 10 years now. In fact, as soon as I got my MCSE (Microsoft Certified System Engineer) back in '97, I abandoned Redmond and followed my heart and principles and put myself permanently in the upstart OS's hands, destination be damned. Since then, I've been privileged to be part of a Linux startup, part of an active local user community and hired in my current job primarily as an open source expert (which, in reality, you can't be a good information security analyst without a deep understanding of open source technologies, including Linux). I was the lead engineer for the City of Austin's Linux pilot projects, Open Office trials and first forays into public wifi (which the units we spec'd ran Linux) back in '03. But during most of that time, I had never really recommended to anyone that the average computer user was ready for Linux, primarily because Linux's strength is paradoxically its greatest weakness (its flexibility). Oh, sure. It's great from an enterprise standpoint where its inherent network and multiuser support as well as upkeep far outshine anything from Microsoft. And in the hands of a knowledgeable administrator, a great desktop experience could be crafted together. But now I'm ready to change that policy for the average home user.

Now I've tried just about every combination of window manager and user environment. I'm a huge fan of Mac OSX from the usability and eye candy aspect (I've got a G4 iBook and had a dual proc, dual head G4 PowerMac for awhile as well) and also love its UNIX underpinnings (FreeBSD). On Linux, I started out using KDE pre-1.0 and quickly moved to my first cherished desktop environment: WindowMaker. I loved the combination of simplicity and eye candy that was available for it (I still have some WM themes up on freshmeat.net). Since KDE 3.0, though, I've pretty much used KDE exclusively, especially when GNOME decided to start "dumbing down" their environment in favor of usability vs. customization. But, just for the fun of it, a few days ago, I changed my desktop over to the latest GNOME in the Fedora Core 5 repository and sparked up my first use of GNOME in close to 4 years.

And the result? In a word: impressive. Now make no mistake about it. I'm a Linux power user by any definition of the term. That was probably the main reason why I stayed away from GNOME as I figured that any environment that limited what I could do on *my* OS just wasn't worth my time. Not to mention the fact that it just seemed that KDE was always ahead of the curve on the all-important eye candy front (that's one of the big reasons for me which separates Linux and Mac from that lame excuse of an OS, Windows).

Since I loaded up GNOME on my meager home machine (P4 1.5Ghz, 512MB RAM, dual head Nvidia+MGA vid cards), I've been impressed by its snappy performance and sharp rendering of fonts and widgets (metacity seems to have come a long way since they made the switch from sawfish oh-so-many years ago). GTK2 (the widgeting library) is light years ahead of the last time I played around with GNOME and GTK, easily rendering colors, buttons and menus with ease. And I have to say that I'm quite impressed with Fedora's array of extras (themes, backgrounds, etc) and the graphical interface to Fedora's software installation and update tool, yum.

I was so impressed with this setup on my home machine that I decided to take the ribbing from my co-workers and load up GNOME on my slightly more powerful work machine (P4 2.4Ghz, 512RAM, Dual head 32MB Nvidia vid card). Now, the thing to note here is the video card. That card, unlike my mix of cards at home where only the Nvidia is 3d capable, allowed me to install a different window manager, XGL. And let me tell you, my friends, *this* is how computing in the 21st century is supposed to be...

Don't let Microsoft's upcoming marketing of Vista fool you. There is nothing in Vista that will even come close to XGL. Besides Vista's bloated hardware requirements, it just doesn't have anything in it close to this functionality. So what is this miracle window manager? It's a hardware accelerated desktop which shows the potential of where this free operating system is going and why Microsoft *really* needs to think about getting out of the "for-pay" operating system market altogether (esp. if the rumors are true that Apple might be working to position OSX as an alternative OS for new PCs). After all, if you can get all of this for free, why would you pay for anything else?

Now, the movies of XGL are impressive, especially considering that it's really just a late alpha to early beta release. But even in this early stage, it's absolutely usable as an everyday desktop. It features "wobbly" windows and menus (windows and menus that shake and distort based on movement or focus), true alpha blending with user defined window transparencies (you can even have different transparency levels on each window), fully rendered drop shadows (I find them better than OSX as you can define how much shadow and offset you like), OSX-like "expose" and fully rendered mini app windows on the alt+tab key combo and the jaw-dropper for most people, the "cube" desktop switcher.

The cube is a virtual desktop switcher and by using that definition, it seems to trivialize its function. An easy way to think about what the cube is is to imagine that your computer screen is just one face of a cube that extends behind your monitor. On each face of that cube, you can have another desktop containing whatever applications running you like. Now, virtual desktops have been part of UNIX for the better part of 30 years but XGL has a major difference: its performance. Because it uses hardware rendering to draw the windows and effects, to quote some of my brethren in Boston, it's "wicked fahst." And as this video shows, the cube floats in space when you change desktops or grab the desktop with the mouse and the ctrl+alt key combination. Add in the fact that you can customize the picture that goes on the top of the cube and in the background as well as many other customizations (like standing inside the cube looking out instead of looking at the cube from the outside) and you have some major eye candy sure to make your Windows friends weep in envy.

And because this feature is so responsive, it makes this implementation of a virtual desktop switcher worth using. Software based virtual desktops, to me, have always suffered from slowness. So much so that I didn't care to use them. XGL is the first one I've ever used where I can switch desktops and focus an app faster than I can actually think about doing it.

Now, to be honest, XGL also works just fine with KDE. But the combination of GNOME and its clean, almost sparse lines with this new functionality as well as GNOME's focus on usability just seems to fit better. It feels leaner and meaner.

But eye candy is great, you might be saying, but what is prompting you to say that Linux can now be used by the great computing masses? Linux's biggest detraction over the years was the supposed lack of applications on the platform. That is no longer the case. Nowadays, you can find an application to do exactly what you need to do natively on Linux or, if you want, probably can run that same Windows app on Linux using Wine or its commercial counterpart, Codeweavers Crossover. And since Vista will be breaking backwards compatibility in some ways, you won't be guaranteed that your preferred app will run if you upgrade. Add in that XP is scheduled to be end-of-lifed in 2008, the lofty hardware requirements needed to even run Vista and the RIAA/MPAA pushed DRM (Digital Rights Management) which takes your rights away from your legally purchased content, it all adds up to a big fat "why do I need that? And you want me to pay for it as well? Yes, sir... Can I have another?" Geez...

So now I humbly urge you that if you have never given Linux a try, now's the time. There are numerous LiveCD distros available so you can try Linux/GNOME/KDE without damaging your current Windows install. And for those of you wanting to try an XGL-based experience, the only LiveCD I know of is located at Kororaa.org (btw, kororaa is a species of penguin, Linux's mascot) and it is heavily dependent on which video card you have installed. Good luck and let me know your experiences!

Update: Seems that Business 2.0 magazine is recommending *not* to buy Vista when it comes out. From the article:
"Boycott Vista. Keep your old Windows XP PC around. Don't buy a new one. That's the only way we have to let Microsoft know Vista is an overhyped, late, and pointless update to XP - a perfectly fine operating system."
Not exactly a ringing endorsement. Just another reason to give Linux a spin...

Update II: A friend sent me a link (h/t Harris) to another story about the inevitable death of Windows. From the article:
"The Vista saga has two interesting lessons for the computer business. It raises, for example, the question of whether this way of producing software products of this complexity has reached its natural limit. Microsoft is an extremely rich, resourceful company - and yet the task of creating and shipping Vista stretched it to breaking point. A lesser company would have buckled under the strain. And yet while Microsoft engineers were trudging through their death march, the open source community shipped a series of major upgrades to the Linux operating system. How can hackers, scattered across the globe, working for no pay, linked only by the net and shared values, apparently outperform the smartest software company on the planet?"
And it goes downhill from there...

Internet Explorer Just Plain Sucks!

IE Screen

Firefox Screen

Ok, I don't use Windows as a primary OS and haven't for going on 10 years now (with the exception of a few programs I'm required to use at work, I would never touch it). I find it a terrible OS with a horrible UI and just plain ugly to look at (esp. when compared to Mac OSX and the XGL-based GNOME). So, when designing this site, I followed the Internet standards (CSS, primarily) as they should render the pages the same on all browsers, right? After all, Plone does accessibility and other things like that for you...

So check the screenshots. The one on top is IE 6 on XP Pro; the one on bottom is Firefox on Fedora Core 5. The same page that renders wonderfully on all browsers I've tested (Firefox, Mozilla, Opera and Konqueror on Linux; Safari and Firefox on Mac) renders horribly only on Internet Explorer. I just found that out today as one of my friends who uses IE at work showed me. IE just does not follow standards and so now I have to try and figure out how to get these pages to render right in just IE. I'm very tempted to just put a link to Firefox on the page and just blow off IE. From what I understand, they've supposedly fixed these CSS rendering problems in IE7 so that might be easier than trying to figure out how to essentially send 2 pages. Argh! This just pisses me off!

Please, for the good of the Internet. Ditch IE and download Firefox. Not only will you be more secure but you will have more features to use and will be supporting Internet standards at the same time.

Get Firefox!

Update: Seems the guys who develop Plone have figured this problem out and put up a CSS page that fixes most of the problems (IEFixes.css). Thanks Jon for pointing me in the right direction. It's still not perfect but it'll do...

A Short Tale of Perseverance...

A quick history of an Austin start-up back in the tech boom...

The old logo

Well, I guess this makes it official. The patent can be viewed here. This was a long, hard slog for us and especially our patent attorney (Thanks, Jeff!) At one point, we really thought the patent wouldn't go through as it was just taking too long (you can see that the original patent we filed this under was in May, 1999. This particular patent, which deals with our distributed firewall and communication system was filed off the original patent application in July, 2000. So it took 6+ years to get it through.)

Now comes the question, "What do we do with it?" Jon Crain (another of the co-founders of that business) and I have been thinking real hard about that. I've tossed a few ideas out there on starting another business that could utilize some of the claims within the patent and I think we'd both like to go there again someday. Originally, Triptych Microsystems (that was our company) was formed in late 1998 around an idea to build a set-top tuner/DVR/computer atop a full Linux OS (think back in mid-1999 when the Netpliance I-Opener came out and other companies were building limited use Internet appliances at a loss in an attempt to subscribe customers to their Internet service.) Our set-top was different in many ways and some of those differences made it to other companies' current products.

For example, one of our differences was installing applications. At the time, most applications on Linux were still being compiled but some distributions, like Red Hat and SuSE, were using packages called RPMs. We decided that we could compile all the applications for our platform (which was StrongARM based) and "wrap" the complexity using a GUI through a web-browser (this idea pre-dated any of the now many GUI package managers, for example Synaptic or pirut, by a good 2 years). In our specific embodiment, the user would open a browser and go to our web site, search for the application they wanted to install and then click on the link provided. Then the application would be installed all off the one-click (which is what our internal name for that service was called, "One-Click.") Now, we don't claim that we "invented," so to speak, that process; that idea grew organically from the Linux commons. But that exact process is still being used today by one of the major distributions, Linspire in their "Click-N-Run Warehouse." We had tons of other ideas for that set-top system (a cheaper "satellite" system that would allow you to watch your recorded videos on another tv in the house using wireless (at that time, 802.11a/b/g wasn't as prevalent and we were designing the system around Symphony/Proxim 56k RF wireless cards). Try shoving a 640x480, stereo video recording through a 56k modem. T'wasn't easy... :-) ) We also developed a Java-based system management program called in-house "Teresa" (a mashup of the real name Triptych Remote Support and Administration = TRSA). That in its own right could have had its own company formed around it (doing remote support and maintenance for Linux machines).

Ultimately, though, we decided to "split out" our unique security system we designed for the set-top, a "distributed" and connected firewall system, into its own distinct product called StrongNet. It was a hardware-based firewall that was designed to be an open hardware / open source unit that we were going to give away. Our business model had us making our money on the backend subscription service. The patent covers this device in its preferred embodiment including the electronics that comprised it and its unique feature: it was able to "report" back what it thought were attacks to our central expert system. We could then correlate events in that expert system and send out updates to all of our subscribed units to protect against those attacks. An example: a cracker attempts to crack one of our devices. The attacked device would block and detect the attack, send the relevant attack information back to our expert system using encrypted communications where we would then send the attack neutralizing rulesets back to all our subscribed units using a still-waiting-to-be-patented communications protocol. In this way, each firewall was a node in a million-plus unit and growing distributed firewall. From the expert system, we would be able to see how attacks develop, block DDOS attacks from infected clients behind the firewall as well as notify users when they were infected. It was really a neat system.
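
The report, correlate and distribute loop described above, as an added sketch (not Triptych's code and not taken from the patent). The report fields, the threshold of distinct reporting units, the correlation window, the rule lifetime and the never-block list are all assumptions made here; the post does not say how the expert system decided when to push a rule.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AttackReport:
    unit_id: str      # firewall unit that blocked the attempt
    src_ip: str       # source address the unit saw
    dst_port: int     # port that was targeted
    ts: float         # report time, seconds


@dataclass(frozen=True)
class BlockRule:
    src_ip: str
    dst_port: int
    expires_at: float


class ExpertSystem:
    """Central correlator: one unit's detection becomes a fleet-wide rule only
    after enough distinct subscribed units report the same source and port."""

    def __init__(self, min_units=3, window=300.0, rule_ttl=3600.0, never_block=()):
        self.min_units = min_units
        self.window = window
        self.rule_ttl = rule_ttl
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.rulesets = {}                     # unit_id -> list[BlockRule]
        self._sightings = defaultdict(dict)    # (src_ip, port) -> {unit_id: ts}
        self._active = {}                      # (src_ip, port) -> BlockRule

    def subscribe(self, unit_id):
        self.rulesets.setdefault(unit_id, [])

    def ingest(self, report):
        """Return the BlockRule pushed to the fleet, or None if nothing was pushed."""
        if report.unit_id not in self.rulesets:
            return None                        # ignore reports from non-subscribers
        try:
            addr = ipaddress.ip_address(report.src_ip)
        except ValueError:
            return None                        # malformed report
        if any(addr in net for net in self.never_block):
            return None                        # false reports must not block these
        key = (str(addr), report.dst_port)
        seen = self._sightings[key]
        seen[report.unit_id] = report.ts       # repeat reports from one unit count once
        for unit, ts in list(seen.items()):    # drop sightings outside the window
            if report.ts - ts > self.window:
                del seen[unit]
        active = self._active.get(key)
        if active and active.expires_at > report.ts:
            return None                        # rule already distributed
        if len(seen) < self.min_units:
            return None
        rule = BlockRule(key[0], key[1], report.ts + self.rule_ttl)
        self._active[key] = rule
        for rules in self.rulesets.values():   # push to every subscribed unit
            rules.append(rule)
        return rule


def demo():
    hub = ExpertSystem(min_units=3, window=300.0, never_block=["192.0.2.53/32"])
    for unit in ("unit-a", "unit-b", "unit-c", "unit-d"):
        hub.subscribe(unit)
    # Constructed reports; all addresses come from documentation ranges.
    reports = [
        AttackReport("unit-a", "198.51.100.7", 22, 0.0),
        AttackReport("unit-a", "198.51.100.7", 22, 10.0),  # same unit again
        AttackReport("rogue", "203.0.113.9", 80, 15.0),    # not a subscriber
        AttackReport("unit-b", "198.51.100.7", 22, 20.0),
        AttackReport("unit-c", "198.51.100.7", 22, 40.0),  # third distinct unit
        AttackReport("unit-a", "192.0.2.53", 53, 50.0),    # protected address
    ]
    return hub, [hub.ingest(r) for r in reports]


if __name__ == "__main__":
    hub, pushed = demo()
    print("pushed to fleet:", [r for r in pushed if r])
    print("unit-d ruleset:", hub.rulesets["unit-d"])
```

In the constructed run, unit-d receives the rule without ever having seen the source itself, which is the benefit the post describes. The distinct-unit threshold, rule expiry and never-block list are there because a design like this will otherwise push a block to every unit on the strength of a single false or forged report.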

We also had a road map that got into next generation implementations of the idea. Gen1 was the projected $30 hardware device that you plugged into your broadband modem (and remember, at the time in late 1999/2000, people were just getting on-board for security protection on their broadband nodes as the saturation of broadband hadn't made it very far). Our business model had us giving as many of those devices away as possible and they would have been released under a "hacker's license" which would have stated you could crack open, tweak, microwave or do anything you wanted with the device if you didn't want the backend security service. The units weren't very powerful or expensive so we figured there would be enough subscribers to make up the difference in our "loss leader" business model. Gen2 was designed to have all of the features of the hardware unit on a few chips. That way we could embed the security service into other products like ethernet cards and routers and vendors could outsource their security needs. Our Gen3 product would be specifically designed for mobile devices using a single, low-power chip that could be embedded in PDA's, mobile phones or any device that needed secure communications.

But, alas, we ran out of angel money in mid-2000 and even though we were doing some heavy talking with industry players, they knew that a small start-up like ours wouldn't survive without that first round of venture capital (we actually turned down a first round because the vulture capitalist wanted 75% of the company for a few million dollar stake. We were unwilling to give up control of our company so we turned it down, keeping our pride but not the doors open.) Over the years, Jon and I decided to keep the security patent applications going (abandoning the other 5 patent applications we had written on such cool things as keyboards with application dynamic key remapping...) and today, one of the two patent applications left finally issued.

We really enjoyed the start-up and are absolutely convinced that had we a little more time, our company would still be in business today with a great little 4th or 5th generation product. We still have our business plan and this idea is still just as relevant today as 6 years ago so if any of you venture capitalists would like to talk, just drop me a line. I've got a great idea on how to combine an IPS with this patent... ;-)
