Toll-Fraud Prevention on Cisco Voice Gateways

Apr 3 18:06:31.532: //81/00F539C80300/CCAPI/cc_process_call_setup_ind:

>>>>CCAPI handed cid 81 with tag 0 to app "_ManagedAppProcess_TOLLFRAUD_APP"

This line, from the output of debug voice ccapi inout on a new voice gateway in our Denver office, caused us several hours of hair-ripping frustration. There's not much about it on the Google, yet; at least not much we could find. This post by Guilherme Villarinho (translated) on the Portuguese-language Avvid.net pointed us in the right direction.

Beginning with IOS 15.1(2)T, Cisco introduced a Toll-Fraud Prevention feature. By default it refuses to connect calls from any VoIP source that isn't trusted, and trust is defined by IP address, either for individual hosts or for whole subnets.

I don't really see the value of the feature, as it's described, and we decided to disable it with the following commands:

voice service voip
   authenticate trusted no ip address

If you can think of a reason to enable it, though, I'd love to hear it.
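
The alternative to switching the check off is to keep it and declare the call sources you actually accept. This is an added example, not the post's own configuration; the addresses are constructed placeholders for an upstream SIP trunk and an internal call-control subnet.

```text
! Toll-fraud screening stays on (the 15.1(2)T default); only the sources that
! should be allowed to set up calls are listed. Session targets configured on
! VoIP dial-peers are trusted implicitly and do not need to be repeated here.
voice service voip
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
  ipv4 10.20.30.0 255.255.255.0
!
! Verify what the gateway will accept with:
! show ip address trusted list
```

With the list in place, the debug line quoted above is the expected outcome for any source that is not on it, so it becomes a signal of unsolicited call attempts rather than a fault to chase.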

Moving from Yojimbo to Evernote

I made the decision a couple days ago to move from Yojimbo to Evernote. I’ve been a pretty big user of Yojimbo since the end of 2007, and I have just shy of 500 items in my library. I really haven’t been looking forward to doing this[1].

Last night, I realized that left to my own devices, I’d put this move off forever. My entrenched usage was going to prevent me from ever actually switching. I’d become very comfortable with my everything bucket. The only way to handle this was like a Band-Aid; do it quick and get it over with in one motion.

Unfortunately, I’ve never been good at ripping Band-Aids off, and I treated the move much the same: a painful series of small (and often repeated) motions that only served to increase and prolong the discomfort. If you’re thinking about doing this, learn from my mistakes.

Making the Move

Here’s what you’ll need to do to make the move:

  1. Move your Encrypted notes. I moved mine to Secure Notes in 1Password.
  2. Delete your Encrypted notes from Yojimbo.
  3. Buy at least a month of Evernote Premium[2]. The last thing you want is to hit that data transfer limit mid-transfer[3].
  4. After you purchase the upgrade, quit Evernote, then launch it again. Apparently Evernote only pulls your account status on launch.
  5. Optionally, move your serial numbers. Again, I moved to 1Password.
  6. Run this AppleScript.

The script worked great for me, once I made pretty much every mistake I listed above. As always, this is what worked for me, but your experience might be different. I hope that nothing goes wrong for you while making the move, but if it does, I at least hope that different things go wrong.


  1. Partially because I just enjoy Yojimbo. But the lack of cloud sync, and the sporadic release cycle really made me think that Yojimbo just wasn’t getting the love.  ↩

  2. If you have a really big library (more than a gig), you’ll want to break the transfer up into chunks, and spread it over several months. Which sucks. I don’t know of a way around this. Maybe try contacting Evernote support prior to moving.  ↩

  3. For every item you add once you’ve crossed that data transfer threshold, Evernote throws a modal alert. When you click “Ok” on the alert, it opens a webpage trying to sell you Evernote Premium. I had about 120 modal alerts to deal with. Just buy it up front.  ↩

FiOS With an AirPort Extreme

I have FiOS, and I’m pretty happy with the service. The FiOS router, however, pretty much sucks. There have been long-standing reports of a limited NAT table on the Actiontec routers, which leads to some pretty significant performance degradation over a relatively short period of time. I’ve noticed that it becomes overwhelmed when I’m streaming short shows from Netflix on my second-gen AppleTV, or long YouTube videos, and I’m not even bringing up what it’s like if I watch a feature-length flick. A temporary fix is to reboot the Actiontec router that Verizon provides, but after a day or two we’re back in the same boat.

Further, the router has limited uPnP and Bonjour support which leads to flaky AppleTV streaming from computers or other iOS devices. Bonjour printer discovery just doesn’t work, nor does ePrint discovery. And the overall wireless signal isn’t great. Again, the router sucks.

The fact that I noticed these issues, researched the root cause, and am inclined to fix the issue puts me into a very small group of people. And most of us in this group would solve it the same way: use your own router. Sadly, it’s not an easy thing to do. Some features of the FiOS TV service, like Video on Demand and Remote DVR scheduling, run on an IP network across coax cable, called MoCA. The MoCA network uses the Actiontec router to get to the Internet for Video on Demand and as a connection point for the remote DVR manager (both using the iPhone/Android app and the FiOS website). So the Actiontec needs to stay online, connected to the coax network.

Marco Arment has a pretty good rundown of how to use your own router, but since he doesn’t have FiOS TV service, he stops short of a full solution for those of us who want our Video On Demand and remote DVR scheduling (from the iPhone/Android app or the web site) to continue to work. I’ll show you how I handled this.

Disclaimer: Follow my instructions at your own risk. Seriously. Your. Own. Risk.

Ingredients

  • ONT (Optical Network Terminal): The big white box that Verizon installed in your house. Mine is in my basement. It’s where the fiber terminates in your home and is converted to other media (phone, coax, and ethernet).
  • Actiontec router: I have the standard-issue MI424WR.
  • Primary Router: The one you want to be your primary router when we’re all said and done. I’m using an AirPort Extreme[1]. I’m going to assume you are, too.
  • NAT Router: You’ll need another (Yes, a third router) to do NAT translations from the MoCA network to your LAN. I picked up a Linksys E1000 from Amazon, and installed DD-WRT[2]. I’ll assume you’ve done the same.
  • Several (at least 4) straight-through Ethernet cables. Don’t pay crazy prices for them. They’re cheap from Monoprice, or really easy to make.

There’s no reason this shouldn’t work with other routers or software. I’ve tested with the AirPort Extreme and the E1000 running DD-WRT, so I’m documenting as such, but you could very well run other hardware and software while applying the same concepts.

Process

The design of the network is complex for your typical home network. But, if you’ve read this far, you’re a geek and we often have atypical setups. Don’t worry, you’re among friends, here.

I used this post as a starting point, but I made a few modifications for ease of installation and scalability.

Let’s start with the ONT. Out of the box, your Actiontec is plugged into the coax port on the ONT, and there’s nothing plugged into the ONT’s ethernet port. Verizon actually leaves the ethernet port disabled, unless you call them to have it turned on.

In the end, you’re going to leave the Actiontec plugged into the coax port, but you’ll have Verizon turn on the ethernet port. The ethernet port will connect to your AirPort Extreme’s WAN interface. One of the LAN ports on your AirPort Extreme will connect to the WAN port on your E1000, which will have one of its LAN ports connected to the WAN ethernet port of the Actiontec. It’ll look like this:

Network Diagram

Preparation

  1. Before getting started, if you have any outstanding issues with your service, call Verizon and resolve them, now. You’ll need to start with a system that’s working exactly as designed.
  2. If you haven’t already, enable the Remote DVR feature with Verizon. If you’re using an AirPort router as your primary, you won’t be able to enable the feature after we’re done. If you’re using another router, you’ll need to spoof the WAN MAC address of the Actiontec on your primary router to be able to enable the feature later on. The easiest thing to do is enable it ahead of time.
  3. Read this post and have your internet connection moved from the coax port to the ethernet port.
    • Since you’re getting started with the Ethernet activated, you’ll have the coax port and WAN port on the Actiontec connected to the coax and ethernet port on the ONT, respectively.
  4. Read this post from beginning to end, at least once before getting started. Like I said, it’s complex. It’s worth taking the time to understand what you’re doing.

You’ll need to document the following before getting started. Here’s a subnet calculator to help out.

Device           | Interface | Value to record
-----------------+-----------+---------------------------
FiOS Service     | Public    | IP Address
                 | Public    | Subnet Mask
                 | Public    | Default Gateway
AirPort Extreme  | WAN       | MAC Address
                 | LAN       | MAC Address
                 | LAN       | Network
                 | LAN       | IP
                 | LAN       | Subnet Mask
                 | LAN       | Default Gateway
                 | LAN       | Broadcast Address
                 | LAN       | Reserved IP for E1000
                 | LAN       | Reserved IP for Actiontec
NAT Router       | LAN       | MAC Address
                 | WAN       | IP Address
                 | WAN       | Subnet Mask

Now, we’ll start the step-by-step configuration.

AirPort Extreme

  1. Boot up the AirPort Extreme and connect your computer to one of the LAN Ports. You’ll obtain a DHCP address.
  2. You’ll want to create DHCP reservations for the E1000 and the NAT you’ll be creating. They’ll both be reserved to the MAC address of the WAN interface of your E1000. (I used 10.0.1.5 for the E1000, and 10.0.1.6 for the NAT). See the image below. 
  3. Click on the “Advanced” gear icon at the top of the window, then on the Port Mapping tab. Create a port mapping rule that looks like the image, below.[3] Name it whatever you want, but don’t advertise the service using Bonjour.
  4. Update the router.

DHCP Reservations

Port Mapping

E1000

  1. Disconnect from your AirPort and plug into one of the LAN ports on the E1000. You’ll get a DHCP address.

  2. Browse to the E1000’s management interface (the Gateway address you pulled from DHCP).

  3. Connect the WAN port of the E1000 to a LAN port of your AirPort Extreme. The E1000 should pull the DHCP address you reserved for it (in my case, I reserved 10.0.1.5). (Look in the upper-right of any page.)

  4. Under Security > Firewall, disable the SPI Firewall.

  5. Under Administration > Management, scroll to “Remote Access” and enable Web GUI Management.[4]

  6. At this point, your computer should be able to ping the AirPort Extreme by pinging the E1000’s WAN interface gateway address (which is the AirPort Extreme, 10.0.1.1).

  7. Under Setup > Basic Setup, scroll down to Network Setup and assign the E1000 an IP address in the same network as the public IP.
    1. Set the Gateway IP to the LAN IP of the AirPort Extreme.
  8. Now you’ll do the one-to-one NAT. The goal is to present the Actiontec on the network created by the AirPort Extreme with an IP address on the AirPort’s network, allowing the Actiontec to get to the Internet.
    1. Put your computer on the network created by the AirPort, and browse to the E1000.

    2. Under Administration > Commands, you’ll see a text field and several buttons. You use the text field to enter commands used by the router for different functions. The first series of commands you’ll need is a startup script that logically splits the WAN interface into two subinterfaces: one for the E1000, and one for the NATed Actiontec.

      Fill your values into the script below:

      # Save Startup
      WANIF=`get_wanface`
      ifconfig $WANIF:1 [Reserved IP for E1000] netmask [AirPort LAN Netmask] broadcast [AirPort LAN Broadcast]
      ifconfig $WANIF:2 [Reserved IP for Actiontec] netmask [AirPort LAN Netmask] broadcast [AirPort LAN Broadcast]

      Mine looks like this:

      # Save Startup
      WANIF=`get_wanface`
      ifconfig $WANIF:1 10.0.1.5 netmask 255.255.255.0 broadcast 10.0.1.255
      ifconfig $WANIF:2 10.0.1.6 netmask 255.255.255.0 broadcast 10.0.1.255

      Click the “Save Startup” button to save the script as a startup script.

    3. Now we need to add a firewall script that will translate the NATed address of the Actiontec to the DHCP external IP address that the Actiontec will be expecting[5].

      Again, fill your values into the script below:

      # Save Firewall
      iptables -t nat -I PREROUTING -d [Reserved IP for Actiontec] -j DNAT --to-destination [Public IP Address]
      iptables -t nat -I POSTROUTING -s [Public IP Address] -j SNAT --to-source [Reserved IP for Actiontec]
      iptables -I FORWARD -d [Public IP Address] -j ACCEPT

      Mine looks like this:

      # Save Firewall
      iptables -t nat -I PREROUTING -d 10.0.1.6 -j DNAT --to-destination 50.50.25.25
      iptables -t nat -I POSTROUTING -s 50.50.25.25 -j SNAT --to-source 10.0.1.6
      iptables -I FORWARD -d 50.50.25.25 -j ACCEPT

  9. Click “Apply Settings” then “Save”.
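
Filling the two scripts in by hand is where one mistyped octet turns into an Actiontec that can't reach the Internet. The following is an added example, not part of the post: it checks the addresses from the worksheet against each other the way the layout requires and renders both DD-WRT scripts from them. The sample values are the post's own 10.0.1.x numbers plus a constructed public address.

```python
"""Sanity-check the recorded addresses and render the DD-WRT startup and
firewall scripts for the ONT -> AirPort -> E1000 -> Actiontec layout."""
import ipaddress

STARTUP = """# Save Startup
WANIF=`get_wanface`
ifconfig $WANIF:1 {e1000} netmask {mask} broadcast {bcast}
ifconfig $WANIF:2 {actiontec} netmask {mask} broadcast {bcast}
"""

FIREWALL = """# Save Firewall
iptables -t nat -I PREROUTING -d {actiontec} -j DNAT --to-destination {public}
iptables -t nat -I POSTROUTING -s {public} -j SNAT --to-source {actiontec}
iptables -I FORWARD -d {public} -j ACCEPT
"""


def plan(lan_cidr, lan_gateway, e1000_ip, actiontec_ip, public_ip):
    """Validate the worksheet values, then return (startup_script, firewall_script).
    Raises ValueError when the plan cannot work as the post describes."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    gw, e1000, actiontec, public = map(
        ipaddress.ip_address, (lan_gateway, e1000_ip, actiontec_ip, public_ip))
    # Both reserved addresses become aliases on the E1000's WAN side, so they
    # must be usable hosts on the AirPort LAN and must not collide with the
    # AirPort itself or with each other.
    for name, ip in (("E1000", e1000), ("Actiontec", actiontec), ("gateway", gw)):
        if ip not in lan:
            raise ValueError(f"{name} {ip} is not inside LAN {lan}")
        if ip in (lan.network_address, lan.broadcast_address):
            raise ValueError(f"{name} {ip} is the network or broadcast address")
    if len({gw, e1000, actiontec}) != 3:
        raise ValueError("gateway, E1000 and Actiontec addresses must differ")
    # The Actiontec keeps the address Verizon issued it; the DNAT/SNAT pair only
    # makes sense if that address is routable and not already inside the LAN.
    if public in lan or public.is_private:
        raise ValueError(f"public IP {public} must be a routable address outside {lan}")
    values = dict(e1000=e1000, actiontec=actiontec, public=public,
                  mask=lan.netmask, bcast=lan.broadcast_address)
    return STARTUP.format(**values), FIREWALL.format(**values)


if __name__ == "__main__":
    # Constructed sample: the post's LAN plus a placeholder public address.
    startup, firewall = plan("10.0.1.0/24", "10.0.1.1",
                             "10.0.1.5", "10.0.1.6", "50.50.25.25")
    print(startup)
    print(firewall)
```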

Actiontec

  1. Connect your laptop to the Actiontec and log into its web interface.
  2. Under My Network > Connection Properties > Broadband Connection (Ethernet), you’ll set a static IP, using the same IP it has pulled from Verizon via DHCP. Make sure to set the appropriate DNS servers, as well[6].
  3. Connect the WAN Port of the Actiontec to a LAN port of the E1000.

AirPort Extreme

  1. Connect the ethernet port of the ONT to the WAN port of your AirPort Extreme.

You should be cooking with gas, now, kids. Test everything: internet access on the AirPort Extreme network and on the Actiontec network, Video on Demand, and remote DVR scheduling.

Once everything is working the way you want it, disable wireless on the E1000 and the Actiontec.


  1. If you buy stuff from any of these Amazon links, I get a little kickback.  ↩

  2. Installing DD-WRT is a tricky process, and it varies by model. Here are the install instructions for the E1000, but you should read everything you can about this and be thorough. Take your time. Don’t rush it. Come back when you’re done.  ↩

  3. Port 4567 is supposedly open to permit Verizon to remotely upgrade the Actiontec Router. I’m not really down with that, and I’ve since removed the portmap, effectively blocking Verizon’s access into the Actiontec. I’ve noticed no ill effects since doing this, but YMMV.  ↩

  4. Thanks to Justin Bowers for help making the documentation more usable in the real-world.  ↩

  5. We’ll assign the Actiontec’s WAN IP statically in a bit.  ↩

  6. I chose to use OpenDNS; it seems a little slower than the Verizon-provided DNS. I’m still not sure if I’m going to stick with it.  ↩

Banning a Site from Top Sites on Safari

We came across an issue with one of our web apps where users running Safari on OS X were spawning hundreds of unterminated sessions. It was killing our servers. It only took a couple minutes of investigation to figure out that the culprit was the Top Sites grid when a user opens a new tab. Now the question became how to stop it.

Since this is a Software as a Service installation, we couldn't exactly muck about in code to kill unterminated but inactive sessions. Someone proposed (and temporarily implemented) a method that blocks based on user agent string. Not a very user-friendly solution, but it kept everyone else running while we figured out a better fix.

My idea was that I knew if you went into edit mode on the Top Sites page, and clicked the "X" on one of the thumbnails, that site would never come back onto the list again. I figured that if we could just write to the list, it should be easy to permanently keep the web app off Top Sites. I just didn't know where to do that.

A couple hours of defaults read commands, and a few trips to Google turned up the best solution I could come up with. It's not exactly as clean as I'd like, but it seems to work well enough for us, until we can get our vendor to limit the number of concurrent sessions per user.

I created a shell script which we can push out to the user computers. The script does the following:

#!/bin/bash

# This script is to ban a URL from appearing in the Top Sites in Safari
# since Top Sites was spinning up hundreds of unterminated sessions per user.

killall Safari                  # Kill Safari so it can't rewrite the plist on exit

echo "Removing Safari Caches"
rm -rf ~/Library/Caches/com.apple.Safari/Caches.db
rm -rf ~/Library/Caches/com.apple.Safari/Website\ Caches

echo "Clearing Top Sites List"
defaults write ~/Library/Safari/TopSites.plist TopSites '{ }'

echo "Banning URLs from Top Sites"
defaults write ~/Library/Safari/TopSites.plist BannedURLStrings -array-add http://yoururl.com/whatever/
defaults write ~/Library/Safari/TopSites.plist BannedURLStrings -array-add http://www.yoururl.com/whatever/

I don't like that I can't politely quit Safari from the commandline without installing some additional software. Additionally, I'm not really clear why I have to add the URL both with and without the "www." when Safari doesn't seem to have to do that when it automatically adds to the Banned URL Strings array.

Finally, I'm not too cool that I have to clear the whole Top Sites array before making the edits. While I don't have anything pinned there, I can see a situation where someone uses Top Sites as a quick way to get to their favorite sites, and any change there might be a big deal.
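
For the part of the job that only touches the banned list, here is an added example (not the post's script) that edits TopSites.plist with plistlib instead of repeated defaults calls: it adds both host forms, as the post found Safari needs, skips entries already present, and leaves every other key alone. The sample plist is constructed; Safari is still assumed to be quit before the file is rewritten.

```python
"""Append a site (with and without the www. host form) to Safari's
BannedURLStrings without disturbing any other key in TopSites.plist."""
import plistlib
from urllib.parse import urlsplit, urlunsplit


def banned_variants(url):
    """Return the URL as given plus its www./non-www. counterpart."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    other = host[4:] if host.startswith("www.") else "www." + host
    # Swap only the host part so any port in the netloc survives.
    netloc = parts.netloc.lower().replace(host, other, 1)
    return [url, urlunsplit(parts._replace(netloc=netloc))]


def ban_url(plist_bytes, url):
    """Parse the plist, add any missing variants to BannedURLStrings and
    return (new_plist_bytes, entries_added). Running it twice adds nothing."""
    data = plistlib.loads(plist_bytes)
    banned = data.setdefault("BannedURLStrings", [])
    added = 0
    for variant in banned_variants(url):
        if variant not in banned:
            banned.append(variant)
            added += 1
    return plistlib.dumps(data), added


def banned_list(plist_bytes):
    """Read back BannedURLStrings, for checking the result."""
    return list(plistlib.loads(plist_bytes).get("BannedURLStrings", []))


# Constructed sample standing in for ~/Library/Safari/TopSites.plist.
SAMPLE = plistlib.dumps({
    "BannedURLStrings": ["http://example.org/old/"],
    "TopSites": [{"TopSiteTitle": "Example",
                  "TopSiteURLString": "http://example.com/"}],
})

if __name__ == "__main__":
    # On a real machine: read the plist from disk, quit Safari first, and
    # write the returned bytes back only after keeping a backup copy.
    new_plist, count = ban_url(SAMPLE, "http://yoururl.com/whatever/")
    print(count, "entries added:", banned_list(new_plist))
```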

"This is apple puppy USA"

The best spam message I’ve seen in ages. This is the quality stuff we used to get when spam was still novel! As received by Nick:


From: MN NABI CHOWDHURY robert.schumann.20@gmail.com

Subject: CUTE MALTESE PUPPY FREE FOR AS AN XMAS GIFT FROM US

Date: November 16, 2011 4:04:42 AM EST

To: robert.schumann.20@gmail.com

Bcc: XXXXXXXXXX@XXXX.com


CUTE MALTESE PUPPY FREE FOR AS AN XMAS GIFT FROM US



Breed: Maltese

Sex: Male

Birthdate: 07-04-2011 (4 Months)

Champion bloodlines: No

Champion sired: No

Shipping area: Worldwide

Current vaccinations, Veterinarian examination, Health certificate, Health guarantee, Travel crate

Additional information: SHE is tiny micro tcup maltese and has doll face.

Her is 450g now. This is apple puppy USA

808-392-4268 GET BACK FOR MORE INFO AND PICS AND MANUAL.




Regarding those Hardware Checklists

Link: Regarding those Hardware Checklists

A new sales rep for a product we use told me yesterday that the iPhone 4S was a “Failure”. I laughed and said we’d talk in twelve months, and that I’d put money down that twelve months from now the iPhone 4S would still be the best selling phone on the market. Because the iPhone 4 was, 15 months after its release, the best selling phone on the market. If I’m right, that would be some failure.

Yankees win the AL East.

And the MLB Geeklet shows some cracks.

Add

 s/<td\ class=\"first\">y-<a href=\"\/index.jsp\?c_id=[a-z]\{2,3\}\">//g

to the geeklet command (I put it at line 4), and the first line that was ugly is again made readable!

Jobs’s greatest creation isn’t any Apple product. It is Apple itself.

John Gruber. That’s all that needs to be said. An amazing man.

The worst, most dangerous person to America is clearly Paula Deen. She revels in unholy connections with evil corporations and she’s proud of the fact that her food is fucking bad for you. If I were on at seven at night and loved by millions of people at every age, I would think twice before telling an already obese nation that it’s OK to eat food that is killing us. Plus, her food sucks.

Anthony Bourdain (via jeffrock)

Apple Tax, Eh?

Link: Apple Tax, Eh?

Ben Brooks on Monica Chen and Joseph Tsai’s report on the cost of manufacturing “ultrabooks”; super-thin, small but powerful notebook computers along the lines of the MacBook Air.

In short, you can’t build them to match the specs of Apple’s machines without raising the price above Apple’s offerings. In other words, the MacBook Air is priced very well.

Lowercase Date Geeklet


Hey Jehan,

I'm a huge fan of your work with geeklets and I'm using your MLB standings geeklet now. I've actually modeled my desktop after your Baltimore one that you put on Flickr in May. (Except I'm a Nats fan).

Anyway, my question is how did you get the date to display in lowercase? I cannot find a script that does it and it's bugging me. Any help would be greatly appreciated! Thanks again for your work!

-Luke 


Hey, Luke! Thanks for the kind words! The geeklet is pretty simple. It’s just:

date '+%A, %B %d' | tr A-Z a-z

Hope that helps. Also, I’d love to see your desktop. Baseball themes in the wild make me happy, even if they aren’t black & orange.