Thursday, July 28, 2005

RARA telecommunications

The political calculus advances a nanometre at a time. ABC News writes:
Telstra says it may not be able to continue to provide basic services to rural areas.
The company's head of regulatory affairs, Kate McKenzie, says the Government does not provide enough funding for it to meet universal service obligations.

So, at last, Telstra is publicly distancing itself from the current regime in which unprofitable RARA services are funded in part from Telstra's profits in other (i.e. city) areas and in part from taxpayers. I have thought for some years that this is about the worst imaginable way of solving the problem because:
  • It impairs Telstra's competitiveness in those markets in which it competes. This curtails the benefits that competition would otherwise provide (ultimately, lower telecommunications costs for the Australian economy) and costs taxpayers money, both in a capital loss sense (lower sale price when Telstra finally is sold, and the impact is enlarged as time before the sale goes on) and as an ongoing expense (as long as the current inefficient service delivery infrastructure is entrenched, the amount of annual taxpayer subsidy required will be larger than it would otherwise be).
  • It entrenches poor, costly service delivery in RARA.
  • It encourages inefficient use of the taxpayer subsidies that are being paid to support USO delivery in RARA because, at present, only Telstra has access to those funds. There is no competitive pressure to cause a reduction in the subsidies required and/or an improvement in service provided for those subsidies.
That this could be happening anywhere in the world would be unfortunate, but it is a tragedy that it is occurring in Australia where the introduction of a full-service competitor (Optus) to transition smoothly and rapidly from government monopoly to market-based solution was not merely conceived, but successfully executed. Despite that, and despite the phenomenal improvement the introduction of competition from Optus (and later others) brought about for city dwellers, the political will to bring the same thinking to bear in RARA does not yet seem to exist.

A thumbnail sketch, for those who don't grasp what I'm on about: switch the RARA USO from being a Telstra monopoly to simply being a government contract which is put out to tender. This would require that the subsidy being paid by taxpayers be larger in total, but could, in the short term, be entirely funded by removing the rebate that Telstra currently gets for providing the RARA USO; that is to say, by having Telstra pay correspondingly more tax, tax which, if it were any other telco, it would currently be paying anyway. In the longer term, I believe that it would actually make more sense to treat the RARA USO as being a piece of social infrastructure like any other which should be funded from consolidated revenue, i.e. across all taxes, not just a telco-specific tax. My reasoning here is (a) that we don't ordinarily tax utility-constructing contractors (think road-builders) to fund the building of RARA utilities and (b) it is difficult to even identify telcos (is Skype in or out?) and, even when we can, it is near-impossible to fairly apportion USO costs. RARA USO should be treated like any other piece of subsidised infrastructure and paid for out of the taxes extracted from society as a whole, ostensibly to benefit society as a whole.

A further thought: introducing competition doesn't merely expose RARA USO service provision to market-disciplined cost control - although no doubt one or more tenderers would approach the problem from this perspective - it allows for the possibility that competitors could pursue entirely different approaches to the problem. e.g. My guess is that the maintenance of the wire network, notably the "last mile" which, in RARA, could well be the "last 10-100 miles" is the major expense in RARA service provision. What if the holder of the rest-of-Australia (i.e. not Sydney and Melbourne) 3G license could put the spectrum to use not merely (or at least not exclusively) for 3G mobile but for, say, WiMAX? The option then arises for phone handsets in RARA homes and businesses to no longer be attached to the end of a mile (or 10 miles, or 100 miles) of wire. Such an approach would incur some costs in handset provision, but enormous savings in the maintenance of a wired network. As long as Telstra holds a monopoly in RARA service provision, there is no incentive to do this, but the moment that this service provision is put to tender, the opportunity exists for a group of investors to fund exactly this. If such an approach gets up and is cheaper than Telstra's solution, then the nett subsidy paid by taxpayers would actually drop.

Telstra appears to be aware of this analysis too (from another ABC News article):
[Telstra's head of regulatory affairs, Kate McKenzie] says that there should be a model that is "properly funded to ensure the sustainability of those services going forward"
Of course it's entirely possible that Telstra is simply putting out the hat for more money, not advocating the introduction of competition in its comfortable RARA monopoly.

Comments from Queensland Nationals Senator Barnaby Joyce suggest that less charitable interpretation:
"We just reiterate that if you don't believe in the universal service obligation then we should have structural separation so we give everybody a chance to get in there and compete.

"I know that Telstra is not a punter for structural separation and they don't want USO. So what do they want? They want a fully privatised monopoly on the Australian people and they are not going to get that."

I'm not clear on what "structural separation" is, but it sounds something like what I'm describing. It does appear that the good senator is entirely capable of flying off into schoolyard rhetoric though. From the first ABC News article again:
"If [Telstra] were to resign from their USO obligations that means they don't take regional areas seriously and if they don't take us seriously we won't take them seriously and we won't vote for it."
Is he really saying that he'll only vote to lift Telstra's USO obligations if Telstra says that it wants to continue carrying them? This is right up there with the lunatic political calculus that I described a few months ago (roughly that, if Telstra is the problem, that Telstra must remain entrenched, impervious to all competitors).

I guess that I'm capable of a little schoolyard rhetoric too.

What intrigues me and inspired me to post today is that, for the first time that I've noticed, Telstra is willing to put some effort into reforming the current RARA USO situation. Now if only some competitors can be emboldened to push competitive proposals, perhaps in co-operation with the NFF if not with the National Party itself, some progress may be made on providing better service to RARA, reducing the taxpayer cost of doing so and freeing up billions of taxpayer dollars that are currently locked up in Telstra shares.

He ain't got no distractions, Can't hear those buzzers and bells...

A Pinball Wizard (remember the song by The Who?), for real: Blind Teen Gamer Obliterates Foes

Sizing geothermal energy availability

I don't know the underlying source for these figures but, from a New Scientist article on estimating nuclear decay's contribution:
Measurements of the temperature gradients across rocks in mines and boreholes have led geologists to estimate that the planet is internally generating between 30 and 44 terawatts of heat.
(N.B.: That's total, not just nuclear decay.) So, taking the middle value, Earth's total geothermal energy generation/release is about 3.7*10^13 watts. So, what can we compare this with? The CIA World Factbook's "World" entry tells us:
Electricity - production: 15.29 trillion kWh (2002)
2002 was not a leap year, so it had 365 days. That's 1.529*10^16 Wh/(365*24) h ~= 1.7*10^12 W or about 1/20 of the Earth's geothermal output.

Presumably much of that energy merely adds a couple of degrees to the temperature of the Earth's crust so I don't imagine that more than a tiny fraction of the total can be productively utilised and I therefore suspect that it'll never account for any significant fraction of electricity generation, much less total energy consumption (note that the above figures do not consider oil use in motor vehicles). This is not to say that it won't be useful for specific applications, particularly in areas with ready access to geothermal energy (volcanos, undersea vents, faultlines), just that it will only be a minor source, at least until fossil fuel becomes far less available than it is today. This has long been my intuition; now I have some rough numbers.

Monday, July 25, 2005

SSL keys/certs for VPN use

I've been meaning for a little while to make note of a minimal CA/device certificate setup for use between machines in, e.g., an stunnel or openvpn context where the connections are between devices under shared control.

The setup is simple:



  • A CA key and self-signed cert is generated.

  • The CA does not keep standard CA records, it just issues uniquely numbered certificates.

  • A series of device keys and CA-signed certs are generated.

  • These instructions assume that all commands are performed on the CA machine, so strict secrecy of the device private keys from the CA's standpoint is not enforced, but can be trivially added by performing the "openssl genrsa" and "openssl req" parts of the device's commands on the device and the "openssl x509" part on the "CA" machine.

  • Providing authenticity and integrity (and confidentiality, if device private keys are indeed generated on the CA machine) on the communication channels during key/cert initiation is not addressed here, but is certainly required.


So, here's a straightforward script to do the entire exercise with openssl 0.9.7e (per Debian Sarge):



#! /bin/bash

openssl genrsa 1024 >ca.key
openssl req -new -x509 -batch -subj "/CN=My private CA" -days 6000 -key ca.key >ca.cert

openssl genrsa 1024 >dev.key
openssl req -new -batch -subj /CN=dev -key dev.key | openssl x509 -req -days 6000 -CA ca.cert -CAkey ca.key -CAserial <(date +%s) >dev.cert


Notes:




  • For both certificates, the subject Common Name (CN) string must be no more than 64 bytes in length.

  • openssl provides (at least) two ways to generate signed certificates. One is to use its full-fledged CA command "ca". This requires the maintenance of an index, archival copies of all certificates, etc. These are all appropriate functions for someone who is actually operating as a CA, but excessive for the present purpose which only requires that the device certificates all be signed by the same CA key. It is possible instead to use openssl's x509 command as a "mini-CA"; one need only specify the cert (-CA), the key (-CAkey) and the serial number file (-CAserial). The latter is essentially unavoidable, however for the present purpose strict sequential numbering is not relevant; all that is required is uniqueness to prevent choking by peers that notice that sort of thing. (This comes up in particular if the "devices" include web-browsers.) The unix date will do nicely for this purpose. It turns out that openssl is not terribly offended by the difficulty writing to the pipe's output end. (It emits an error, but copes.)

  • Passing the -x509 option to req tells it to self-sign, which avoids the need to pass a CSR to a separate invocation of "openssl x509" when creating a CA cert.

  • Note that req also has a -newkey option which would obviate the separate invocation of genrsa, however while this option allows control over the key type (RSA/DSA) of the generated key and where to write it, it does not allow control of the symmetric algorithm used to protect the private key itself and its hard-wired default is something other than "nothing", meaning that a passphrase must be supplied interactively. (Presumably some/all of this can be handled through the configuration file, but separating the very simple genrsa command seemed at least as good. The latter also provides a "one command to generate each file" script, which also improves readability.)

  • For Debian Woody users, openssl 0.9.6c does not have -batch and -subj options, so a config file is required. It can be provided (as shown below) through an invisible pipe; no actual on-filesystem tempfiles (which, in turn, need cleaning up) are required.


#! /bin/bash

config()
{
cn="$@"

cat <<-EOF

[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
CN = "$cn"

EOF
}

openssl genrsa 1024 >ca.key
openssl req -new -x509 -config <(config "My private CA") -days 6000 -key ca.key >ca.cert

openssl genrsa 1024 >dev.key
openssl req -new -config <(config dev) -key dev.key | openssl x509 -req -days 6000 -CA ca.cert -CAkey ca.key -CAserial <(date +%s ; sleep 5) >dev.cert



  • The woody version of openssl is a little more sensitive about writing to the output end of the -CAserial pipe. There is a race; if the pipe is closed after it tries to write, we see the same warning as in sarge ("text file busy"!), but if the pipe happens to close first, openssl actually aborts. Testing revealed failures 50-70% of the time. Adding a sleep eliminated the failures.
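
The split described in the setup list (key and CSR made on the device, signing done on the CA machine), as an added example that is not part of the original post. It assumes a current OpenSSL, passes the serial with -set_serial rather than through the -CAserial pipe, and uses hypothetical function names and 2048-bit keys.

```shell
#!/bin/sh
# Added example: device keys stay on the device; only the CSR travels to the CA.
# Function names and the 2048-bit key size are assumptions of this example.
set -eu

# CA machine: CA key plus self-signed CA cert in directory $1.
make_ca() {
    ( umask 077; openssl genrsa -out "$1/ca.key" 2048 )
    openssl req -new -x509 -batch -subj "/CN=My private CA" -days 6000 \
        -key "$1/ca.key" -out "$1/ca.cert"
}

# Device: private key (mode 0600) and CSR for device name $2 in directory $1.
make_device_csr() {
    ( umask 077; openssl genrsa -out "$1/$2.key" 2048 )
    openssl req -new -batch -subj "/CN=$2" -key "$1/$2.key" -out "$1/$2.csr"
}

# CA machine: sign the CSR for $2 with explicit serial $3. -set_serial
# replaces the -CAserial file, so openssl has nothing to write back.
sign_csr() {
    openssl x509 -req -days 6000 -in "$1/$2.csr" -set_serial "$3" \
        -CA "$1/ca.cert" -CAkey "$1/ca.key" -out "$1/$2.cert"
}

# Print the serial of the cert issued to $2 (as "serial=<hex>").
cert_serial() {
    openssl x509 -in "$1/$2.cert" -noout -serial
}

# Succeeds only if $2's cert chains to the CA in $1 and carries the public
# half of $2's private key.
check_device() {
    openssl verify -CAfile "$1/ca.cert" "$1/$2.cert" >/dev/null 2>&1 &&
    [ "$(openssl x509 -in "$1/$2.cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/$2.key" -pubout)" ]
}

# Demo in a scratch directory; in real use the .csr and .cert files are the
# only things copied between the device and the CA machine.
demo() {
    d=$(mktemp -d)
    make_ca "$d" && make_device_csr "$d" dev
    sign_csr "$d" dev "$(date +%s)"
    check_device "$d" dev && cert_serial "$d" dev
    rm -rf "$d"
}
demo
```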

Friday, July 22, 2005

Isolated ecosystems

To add to the Antarctic aquifer(s), a "cold methane vent" system previously existed (and still exists, for a little while) under the Larsen Ice Shelf. I had wondered about the supply of energy to deep/isolated underwater ecosystems that weren't in the vicinity of black smokers. It appears that in a number of cases, including what was under Larsen, a methane vent provides a steady supply of energy.

Man is not the only animal to draw energy from fossil fuel :-)

(Paper, published in the American Geophysical Union's newspaper "Eos". via Wired)

De-roofing a bus...

I've not been able to find any pictures of this online, but Reading Buses has outdone itself this time. A double-decker bus containing about 25 school kids was driven into the railway bridge on Loddon Bridge Road. It was moving fast enough at the time that the roof of the bus was separated from the chassis and pushed several metres towards the back of the bus. Fortunately no-one was killed; four kids were hospitalised. Reports as to the cause vary, but it appears that either or both of the following occurred:
  • The driver took a wrong turn.
  • The driver forgot that he was driving a double-decker bus. Apparently he ordinarily drives a single deck bus on this route.
For a few years I have been, by virtue of being a resident of Woodley, a regular user of the limited, unreliable bus service here. I have seen astonishing incompetence on the part of people who are being entrusted with the lives of their passengers, not to mention gratuitous discourtesy. I am aware of the problems that they are having finding drivers, so can forgive the hiring and retention of discourteous drivers, but drivers who have trouble with any of:
  • Controlling a bus (e.g. keeping the bus on the road)
  • Driving in traffic (e.g. staying between lane markers when in proximity to other vehicles)
  • Navigating (actually following the published route, notably when a diversion is in place; visiting each stop on the route)
  • Remembering what kind of bus they are driving (!!!)
should (a) not be allowed to drive a bus with paying passengers until all of the above skills have been mastered and (b) be banned, for life, from driving a paying passenger vehicle if they fail in any of the above, even once, after they've graduated. I'm advocating a pretty high bar here but, like airline pilots - albeit on a far smaller scale - bus drivers have an awesome responsibility; only exceptional drivers should be permitted to be entrusted with the lives of their passengers, and only while they are capable of performing flawlessly.

(via The Mirror, Reading Evening Post, The Reading Guide, BBC News)

Thursday, July 21, 2005

It's worse than that, he's dead Jim!

Roddenberry, Kelley and now Doohan. All a matter of time.

Wednesday, July 20, 2005

New Antarctic base will ski to safety

How to cope with the ground under a base moving, either "down" (some older bases were gradually buried by snow over a period of years) or "away" (e.g. off the edge of an ice shelf)? Simple, put the entire base on skis.