Next draft

April 1st, 2014

I just uploaded the next draft (v10) of my book on EHR systems. I included a chapter on business cases, and expanded quite a bit on the document tree structure.

You can find a diff file for version 10 there as well, if you want to focus on the changes.

Update May 13, 2014: I stupidly linked to a particular draft in the above post. A much better link is this:

http://wehlou.com/ehrbook/draft.pdf

…which always points to the most recent draft. Currently I’m on draft 15 and will upload 16 later today.

Sorry about that piece of bad information.

EHR, the book

March 25th, 2014

Back in January, I began writing a book on the Electronic Healthcare Record. Not how they work (they don’t), not just what’s wrong with them (most everything), but mainly going back to basics and figuring out what they are really for. Or should be for, more accurately.

Current systems are a marvel of bad design and misunderstandings of purpose. I’m trying in the book to figure out why, and what to do to improve on things. The contents range between the medical and the technical, taking side roads into politics, both the office kind and the real kind.

The contents are mainly based on the Swedish situation, but I welcome any input on how it is elsewhere. If I can be made to understand the differences, I’ll only be too happy to take that into account in the text.

I’m hoping with this book to make the stakeholder ask the right questions, else there is no hope we’ll ever get the right answers.

From today, I’ll publish my latest draft weekly (if I can keep it up) at:

http://wehlou.com/ehrbook/draft.pdf

I’ll welcome any comments in any form, but you’ll have to email them to me at martin@wehlou.com, or even better, post them as messages on our forum. You can register for the forum at:

http://vard-it.com/vi

The intention is to have it ready for publication sometime in June 2014. I’ll publish it under our own name through one of the publish-on-demand sites.

SRX100 Junos dynamic VPN, Win7, OSX, VPNTracker

March 3rd, 2014

(Update March 6, 2014: The Junos “standard” proposal actually includes 3DES in both phase 1 and phase 2, still making it hard for VPNTracker to connect. What we need to do is create a custom proposal for each phase with only AES in it. I updated the text to reflect that.)

So this is what I needed to accomplish: get one single SRX100 running Junos 12.1X44D20 to have a site-to-site VPN to another SRX100, while also having a dynamic VPN working with both Windows 7 clients and Mac OSX 10.9 clients. And I succeeded, except not for free. I’m not mentioning the site-to-site setup in what follows, since it does not interact with dynamic VPNs.

The SRX100 has a Windows VPN client built in, such that if you connect with a Win7 machine, it lets you log in using a web interface, then offers you a download of the Junos Pulse client, already completely configured for that SRX100. This works like a charm. The problem is that there is no Junos Pulse client for OSX, which I think is really weird. I love Juniper, but man, what’s up with this?

The client everyone recommends for this is VPN Tracker, a pretty expensive piece of very nice software from Equinux. But, of course, even though VPNTracker supports a truckload of firewalls, the SRX series is not among them. The software is very configurable, however, so even though there’s no guide, there’s a way.

First, take the lazy way and fire up the J-Web interface to the SRX100 (yes, I know, I lost all cred by doing this, but having to choose between self-respect and actually having a life, I finally crumbled, left the command line and took to the browser). To my defence, the J-Web interface is actually pretty darn good, at least compared to the Netscreen interface on the SSG5.

From experiments and a lot of searching on the interwebs, it’s clear there is a problem somehow with the DES and/or 3DES algorithms with the SRX100 and/or VPNTracker. They just can’t negotiate a phase 1 proposal, with VPNTracker failing in phase 1. The fix is to stop the SRX100 from offering DES or 3DES at all; as noted in the update above, selecting “Standard” in both “IKE Security Level” and “IPSec Security Level” is not enough for that, since the standard proposal set still includes 3DES.

The solution is to create a custom phase 1 proposal and phase 2 proposal that does not include DES or 3DES. In the SRX configuration, do:

set security ike proposal ike_prop_aesonly description "reduced proposal for vpntracker"
set security ike proposal ike_prop_aesonly authentication-method pre-shared-keys
set security ike proposal ike_prop_aesonly dh-group group2
set security ike proposal ike_prop_aesonly authentication-algorithm sha1
set security ike proposal ike_prop_aesonly encryption-algorithm aes-128-cbc
set security ike proposal ike_prop_aesonly lifetime-seconds 86400

set security ike policy ike_pol_wizard_dyn_vpn proposals ike_prop_aesonly

Don’t forget to remove the “proposal-set standard” you had on the policy from before. The “ike_pol_wizard_dyn_vpn” can have another name on your system, of course.

and…

set security ipsec proposal ipsec_prop_aesonly description "reduced proposal for vpntracker"
set security ipsec proposal ipsec_prop_aesonly protocol esp
set security ipsec proposal ipsec_prop_aesonly authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_prop_aesonly encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec_prop_aesonly lifetime-seconds 3600

set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals ipsec_prop_aesonly

Also, choose group 2 in IPSec Perfect Forward Secrecy (I haven’t experimented with other values here). With these choices, there’s no use of DES or 3DES. Note the IKE Preshared key and Remote Identity values. In the next screen, you choose users and stuff, and I’m not going to show you mine. Nothing there has a bearing on this description anyway.

[Screenshot: SRX100 J-Web VPN Wizard, IKE and IPsec settings]

So, with this set, first try to log in using Win7, download the Junos Pulse client and connect. This should work without anything else but your login credentials that you set in the screen “Remote Users” (that I didn’t show) in the VPN Wizard on the SRX100.

Now, back to VPNTracker. In the “Basic” screen of your connection setup, you enter the following:

[Screenshot: VPN Tracker 7, Basic settings]

And in the second, “Advanced”, you enter the following:

[Screenshot: VPN Tracker 7, Advanced settings]

Notable items in the first of the two screens (“Basic”) are:

  • Network configuration: “Mode Config”
  • Identifiers, local: “FQDN”, with the “shoehorn” name you entered in the SRX100 VPN Wizard as “Remote Identity”
  • Identifiers, remote: “Don’t verify”

Notable items in the second (“Advanced”) screen, where we take care to only select the algorithms included in the custom AES-only proposals above, that is AES-128, SHA-1, and DH Group 2 in both phase 1 and phase 2, and DH Group 2 for PFS in phase 2:

  • Exchange mode: Aggressive
  • Phase 1 encryption: AES-128 only
  • Phase 1 hash: SHA1 only
  • Diffie-Hellman: group 2
  • Phase 2 encryption: AES-128 only
  • Authentication: HMAC SHA1 only
  • PFS: DH Group 2

There’s one last, hard to find, little detail: you have to change the ike-user-type on the SRX100 from “shared-ike-id”, as the wizard generated it, to “group-ike-id”, through the command line on the SRX100. Assuming your SRX100 VPN Wizard generated the gateway name “gw_wizard_dyn_vpn”, which it probably did, the commands are:

set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
commit

Interestingly, you don’t have to change your remote identifier in any way, neither in the SRX100 nor in VPNTracker. From now on, you can connect.
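As an added example (not code from the original post), here is a small Python audit that reads Junos “set”-style configuration such as the lines above and reports anything that still lets DES or 3DES be negotiated, plus a gateway still on the wizard’s shared-ike-id. The two sample configs inside are constructed to mirror the before-and-after state described in this post.

```python
"""Audit Junos 'set'-format config for DES/3DES in dynamic-VPN proposals.
Added example, not code from the original post: flags proposals using
des-cbc/3des-cbc and policies on 'proposal-set standard' (includes 3DES)."""
import re
import shlex
from collections import defaultdict

WEAK_CIPHERS = {"des-cbc", "3des-cbc"}   # Junos encryption-algorithm keywords
WEAK_PROPOSAL_SETS = {"standard"}        # built-in set the post says has 3DES
SET_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy|gateway) (\S+) (.+)$")


def parse_config(text):
    """Return cfg[phase][kind][name] -> {attribute: value} from 'set' lines."""
    cfg = {p: defaultdict(lambda: defaultdict(dict)) for p in ("ike", "ipsec")}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        tokens = shlex.split(m.group(4)) if m else []   # quoted values stay whole
        if not tokens:
            continue                     # unrelated 'set' statements are ignored
        phase, kind, name = m.group(1), m.group(2), m.group(3)
        attrs = cfg[phase][kind][name]
        if kind == "policy" and tokens[0] == "proposals":   # 'proposals a' / '[ a b ]'
            attrs["proposals"] = [t for t in tokens[1:] if t not in ("[", "]")]
        elif kind == "gateway":
            attrs[" ".join(tokens[:-1])] = tokens[-1]   # e.g. 'dynamic ike-user-type'
        else:
            attrs[tokens[0]] = " ".join(tokens[1:])
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means DES/3DES-free."""
    findings = []
    for phase in ("ike", "ipsec"):
        proposals = cfg[phase]["proposal"]
        for pol, attrs in cfg[phase]["policy"].items():
            pset = attrs.get("proposal-set")
            if pset in WEAK_PROPOSAL_SETS:
                findings.append(f"{phase} policy {pol}: proposal-set {pset} includes 3DES")
            for ref in attrs.get("proposals", []):
                enc = proposals.get(ref, {}).get("encryption-algorithm")
                if ref not in proposals:
                    findings.append(f"{phase} policy {pol}: unknown proposal {ref}")
                elif enc in WEAK_CIPHERS:
                    findings.append(f"{phase} policy {pol}: proposal {ref} uses {enc}")
    # The post also has to flip the wizard's ike-user-type for VPNTracker to connect.
    for gw, attrs in cfg["ike"]["gateway"].items():
        if attrs.get("dynamic ike-user-type") == "shared-ike-id":
            findings.append(f"ike gateway {gw}: ike-user-type is still shared-ike-id")
    return findings


# Constructed sample: roughly what the J-Web wizard leaves behind (before the fix).
WIZARD_CFG = """
set security ike policy ike_pol_wizard_dyn_vpn proposal-set standard
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type shared-ike-id
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set standard
"""
# Constructed sample: the AES-only proposals from the post applied instead.
FIXED_CFG = """
set security ike proposal ike_prop_aesonly description "reduced proposal for vpntracker"
set security ike proposal ike_prop_aesonly encryption-algorithm aes-128-cbc
set security ike policy ike_pol_wizard_dyn_vpn proposals ike_prop_aesonly
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ipsec proposal ipsec_prop_aesonly encryption-algorithm aes-128-cbc
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals ipsec_prop_aesonly
"""
```

Feed it the output of “show configuration | display set” (saved to a file) and an empty list from audit() means no DES/3DES path is left.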

Now, amazingly, you can connect with VPNTracker from OSX 10.9 while at the same time using the Junos Pulse client from Win7. All you have to do now is cough up $100 or $200 for VPNTracker (depending on version).

The SRX100 comes with a default two simultaneous dynamic VPN connections. You can get five connections with an extra license (SRX-RAC-5-LTU) for around $150, but I don’t know if that leaves you with a total of five or seven simultaneous connections.

Which new Mac Pro? The old one.

December 15th, 2013

So with the new Mac Pro coming out, I’ve been torn between getting one of those or live with my old Mac Pro early 2008 for a while longer. Now, just estimating the price of the new Mac Pro, adding in a Thunderbolt drive storage and two Thunderbolt screens, the sum is way beyond what I can credibly argue myself into. And I’d be stuck with something that has much more processing power than I could invent excuses for, while still being a first generation product.

After a lot of arguing with myself back and forth, I decided to try to speed up my old Mac Pro with SSDs. I also have a bootcamp Win7 I would like to preserve if possible, which seems to preclude using regular SSDs, unless I use a lot of them. The solution seems to be a Fusion Drive (combined SSD and hard disk), where the bootcamp partition ends up on the hard disk proper.

The SSD I bought is an OWC Accelsior E2 480 GB PCIe card, and I combined it with one of my “old” Seagate Constellation ES.2 2 TB drives into a 2.1 TB Fusion Drive with a 300 GB Windows partition. I can access the Win7 through Parallels as a virtual machine, though without any speedup from the SSD (since Win7 is in its own partition), but right now I can’t boot from it. I moved it using Winclone, so I’m waiting on a response from them on how to proceed. Worst case, I can skip bootcamp, I don’t really need it.

But for all the other virtual machines through Parallels, and all the other software and files I have, the machine has become unbelievably snappy. The Fusion Drive has about 1 TB of applications and data on it, so the SSD part should be able to handle most daily tasks, once it balances out right. But already, I’m seeing some fantastic speedups.

Just to make you envious, see the screenshot that follows. Theoretically, I should be getting 800 MB/sec, but I’m pretty happy with what I’m seeing. Can’t really see how much faster the machine can get in actual handling. Seems it boots apps and opens files as fast as the screen can be written. Almost.

BlackMagic Disk Speed Test on Mac Pro 2008

As a comparison, the test data from the “old” ES.2 2TB 7200 rpm drive that contains my old home folder, and which is still in one of the slots of the Mac Pro:

[Screenshot: BlackMagic Disk Speed Test on the ES.2 2 TB drive]

In short, for a fraction of the money a new Mac Pro would cost, I got most of the benefit of one by adding this PCIe SSD card. (Nope, I have no relationship to OWC other than as a happy customer.)

The next step would be screens. I’ve got two 24″ Cinema displays, but with their 1920×1200 resolution, they’re getting cramped, especially when using the interface builder and storyboards in XCode. I’m still thinking it over, what to do about that. I already have an ATI Radeon 5870 card in the machine, so it should be able to handle bigger screens fine.

Southend Enterprises scam

September 3rd, 2013

Just this afternoon I got a call from “iAssist” who wanted to fix my computer, since it had malware, or was out of support or something. It was the regular fare with them taking over my computer to “fix” it for me. So I let him do just that.

While I “doddered” around and “tried” to boot my computer, I opened an old XP I have for experiments under Parallels, booted up my ScreenFlow screen capture, did a system snapshot, and then let him have at it. He’d called me on our home number on a DECT phone, so it took me a while to figure out how to get the sound, but finally I simply held a little Olympus hand recorder next to my ear, and that’s pretty good. Had to make him wait, mumbling something about having a prostate problem or something, while I got out the recorder, located batteries and got it started.

The whole thing is 34 minutes. The first 6 minutes or so are silent, then 2-3 minutes of only my voice (I’d turned the Olympus the wrong way up… duh), then after that it’s pretty clear. Note that the sound is offset by 10-20 seconds, so some places may look weird.

What he was after, once he got me, a “living alone 74 year old man who only uses his son’s old decrepit computer (seven years old computer) every Sunday” (really; he asked me twice if I lived alone), hooked up was selling me an extended support for Windows and all my machines for only 3200 SEK for five years. That’s $500 by the way. Once I got to the screen where I had to enter my billing info, I quit the charade. After telling him twice that we were in a virtual machine and I had recorded the whole thing, he just hung up.

In the recording, you’ll see my name, street address, and phone number; that’s what he typed in. The email, I gave him (momo..something at hotmail.com, couldn’t think of anything better at the drop of a hat).

As far as I can figure out, iAssist (and LogMeIn) have nothing to do with this, but Southend Enterprises almost certainly do. That’s the “PCSupport” page I’m supposed to enter my payment data into. I found other people on the net reporting on this shady company.

I posted the whole recording on youtube, if someone wants to see them do this thing and hear this guy’s piercing and enervating voice. It’s pretty boring, but maybe someone gets a kick out of it.

One really, truly, funny thing is that somewhere along the way, there’s a Parallels dialog box that pops up and says “Parallels tools are installed”, and he just clicks it away. I can’t locate it from the video, and I don’t want to watch it all again. Somebody told me it’s at 26:50 approximately. Also, there’s the “Parallels Shared Folders” icon in the upper left corner of the desktop, and even that didn’t tip him off.


So today I got a followup call from Customer Satisfaction at Southend Enterprises. Really. To hear if my machine worked fine today. Turned into two five-minute talks, where it’s pretty clear the guy (not the same guy as yesterday) either really is a fine actor, or (more likely) has no idea what he’s doing. But “persistence” is clearly his middle name.

The audio is even worse than yesterday’s recording. Maybe I should set up a rig to record these “artists” better, if this goes on. Here it is:

Buying books is such a mess

August 2nd, 2012

Buying books is such a mess right now, at least if you try to switch over to eBooks in one form or another. Let’s see what we have here.

Kindle

Kindle has the advantage of running on Kindle devices, Windows, OSX, iOS, whatever. Books are also usually cheap on Kindle, even though there are examples where the electronic version is actually more expensive than the paper version. The problem with Kindle is that it’s a proprietary and DRM’d format, and that doesn’t feel right. Non-technical literature without illustrations is pretty nice on Kindle, but anything with code, drawings, or images sucks big time. Reading programming books on Kindle, at least on iOS and OSX, the platforms I use, is horrible.

iBooks

I’ve never bought a book on iBooks. They may be fine, I don’t know, but since iBooks, an Apple product, doesn’t run on OSX (and how sick is that), I wouldn’t invest in any book on that platform. The books are also more expensive than on Kindle, while being just as DRM challenged.

Protected PDF

APress used to sell protected PDF books, and it was really shitty. You had to use Adobe Acrobat to read them, with all the limitations, such as not being able to read them on the iPad. They fixed that by switching over to unprotected PDF. Several other publishers still use protected PDF, but you have to really scrutinize their sites to discover this vital fact. I’m avoiding doing any business with these people.

Online reading

I have to include online repositories such as O’Reilly bookshelf. I have access to a limited form via ACM, but it’s pretty shitty. The interface to the book is based on a Flash browser plugin, making it difficult to navigate. And, worse, it doesn’t work when you’re offline.

Plain PDF

I’ve found three publishers that sell unprotected PDFs, or at least they are not mandating that you use Adobe Acrobat; any PDF reader, including Goodreader and OSX Preview, is good enough. The only thing these guys do is sprinkle the document with the name of the purchaser, making it really easy to see who gave away copies to the torrent sites. I find this totally acceptable. The three publishers I’ve found are Pragmatic Bookshelf, Apress, and O’Reilly. Somewhat disturbingly, O’Reilly charges almost double for their eBooks as compared with Kindle for the same titles, which irks me enough to not buy the books I would normally have wanted to buy.

What a mess this is

You end up with some of your books on Kindle, some in Dropbox (where I put the unprotected PDF files), and some on your physical bookshelf. The advantages of carrying around a laptop or iOS device with all the books on it are huge, though. PDF files can also be easily searched, even from Spotlight on OSX. Luckily, the three publishers I mentioned publish enough good titles that I can simply ignore the rest, at least as far as modern programming goes. I actually think that this is the model that will dominate in the long run, at least as far as technical books are concerned.

Mountain Lion for free?

August 2nd, 2012

I’ve downloaded and installed Mountain Lion (10.8) on several machines now, but I never paid for it. No, I didn’t pirate it, I got it from the App store, but it never gave me a chance to pay. Looking up the transaction in the App store via iTunes, I see this:

In other words, I did “buy” it, but got it for nothing. Officially. What I don’t get is why. I’m just guessing here, but since I’m a registered developer on the same account, and I’ve run the developer previews, that earns me a free release version as well. (Note that the 10.8 above is not a developer preview, but the released public version.)

Nice gesture, Apple. Unless it’s an error. If so, I really don’t mind paying for it; it’s not exactly expensive.

Beware of Network Solutions

May 8th, 2012

…in particular if you’re a European company. I got an invoice ten days back with VAT added from them. Went and checked my account and there’s a VAT field there now, empty of course. So I filled it in and filed a support ticket about it. Waited a week, filed a new support ticket, more upset, especially since they promise response within 24 hours. This morning I got a phone call from them that they can’t refund the VAT. The guy claims they’ve sent out a notification about this in email.

Ok, maybe they did, but Network Solutions is sending out so much spam all the time, that if there was a notification about a VAT field being added to the account, there’s no way I would have seen that. Occasionally, other US companies charge VAT when they shouldn’t, but they’ve always been able to refund that once they get the number. Not so Network Solutions. Too lazy, too greedy, or simply don’t give a shit, I don’t know.

In short, they’re more expensive than other registrars, their customer support is crap, they spam me, so why do I keep using them? Good question, I see no reason.

Invisible failure

March 4th, 2012

Today I noticed the RAID utility icon in the dock and I couldn’t remember having started it. Weird. Clicked on it and this is what I see:

Oh, sh*t, a drive just died. “Just” died? No, not really, it died a week ago, and I didn’t notice. That’s not good. Normally, RAID Utility pops up at start to tell you something is going wrong, but what happens is that with Snow Leopard all apps restart in the state they were when closed down, so RAID Utility gets covered by all that other stuff. Any dire warnings are hidden, unless you look for them.

What RAID Utility should do is scream bloody murder, bounce the dock icon, send emails, create Growl popups, any and all of that, but it does none of them. Considering that running on a degraded RAID set is actually several times more risky than not running on RAID at all, the system really should take notifying the user more seriously.

A week… could just as well have been a month or until the next drive failed. Now let’s see if I get a new one from Seagate before another one goes titsup. Checking my backups as we speak…

A platform too many

January 25th, 2012

With the new iBooks and iTunes U app, I’m missing a piece of the puzzle. Just as truckloads of schools have given the kids MacBooks, Apple rolls out the new textbooks to iPads only. Are we supposed to switch over the schoolkids to iPads now, and lose the OSX apps they use?

It would seem logical that iBooks and iTunes U would be available in versions for OSX as well, but there’s no sign of that. Or is Apple planning on running iOS apps on OSX in something like the iOS simulator? What’s going on here? As it stands now, it makes no sense.