Sunday, November 11, 2012

Nicomachean Ethics (Pt. 1)


Time for a good old-fashioned blogmentary! In this series, I'm going all the way back to ancient Greek moral philosophy. Most of my previous readings in ethics have been more-or-less contemporary, with a side of Hume, Kant, and Mill. While I'm not a fan of confusing philosophy with history of philosophy, this Aristotle fellow keeps popping up in current, actively-defended philosophy. He's resilient! I decided it's high time to get acquainted with Aristotle's ethics beyond the popular quotes I've encountered elsewhere.

So you understand where I'm coming from, I have a very goal-oriented view of morality. Descriptively, morality arises from deeply-held human values. Normatively, moral truth arises from a fitting application of decisions or policies to the way the world works. This means I have a decidedly practical rather than mystical view of morality. In the not-so-helpful language of metaethics, "cognitivism," "success theory," "anti-realism," and "hybrid expressivism" should put you in the right neighborhood.

I will be using Robert C. Bartlett and Susan D. Collins' new (2011) translation, as pictured above. They pursued formal equivalence—as opposed to dynamic equivalence—to provide readers with a less filtered experience of Aristotle's wording. Think NASB instead of NIV or CEV, if you're familiar with Bible translations (and their acronyms!). I have no set plan on how much to write per original text or even if I'll comment on the whole thing. So long as I find the material interesting and worth discussing, I will. Finally, I encourage you to pick up a paperback copy for yourself. The Kindle edition has a typo in the first sentence and takes away from the excellent footnotes on nearly every page.

Book I, Chapter 1
"Every art and every inquiry, and similarly every action as well as choice, is held to aim at some good. Hence people have nobly declared that the good is that at which all things aim."
Quite an opening line. The first sentence calls out for elaboration. Given an art, inquiry, action, or choice, what is the good being targeted? The second sentence is, intriguingly, hedged. Aristotle isn't flat-out saying all things aim at "the good." He's putting a common view on the table and expressing some sympathy for the people who take that view. It's one thing to say all things aim at "some good"; another to say all things aim at the same good. Even if they do, is this common good so abstract that we can only call it "the good"?

Aristotle immediately raises a difficulty with this noble declaration: how can all things aim at the same good when there are different types of things aimed at? As he puts it, "there appears to be a certain difference among the ends." Some ends are direct. The end of shipbuilding is the production of a ship. Other ends are indirect. The end of building warships isn't just the production of a warship, but of winning a war.

When one end is pursued as a means to a more encompassing end, Aristotle calls the encompassing end "naturally better" and "more choice-worthy." I'm less sure. Take bread-making, for example. The immediate end is the production of a loaf of bread. A further end is to alleviate hunger. Does this necessarily mean the work of alleviating hunger is better than the action of baking bread? Bread isn't the only way to take care of hunger; opening a can of beans could do the job. A person might value bread-making in itself, over and above its use as a hunger banisher. In other words, bread-making might have both instrumental and final value. (Or instrumental and intrinsic value, if you're not hip to Korsgaard).

I'm wary about pushing all value for one activity into its encompassing activity because it can lead pretty quickly to single-value ethics such as Mill's grand goal of aggregate happiness or Rand's grand goal of extending one's own lifespan. While we may value such broad ends and engage in many activities that promote them, I think it's a mistake—an error in judging human psychology—to empty all other values into such pools. The error is especially clear in Ayn Rand's case: we need to live to experience life, but what makes our lives worth living is more than just the time spent.

Book I, Chapter 2
"If, therefore, there is some end of our actions that we wish for on account of itself, the rest being things we wish for on account of this end, and if we do not choose all things on account of something else—for in this way the process will go on infinitely such that the longing involved is empty and pointless—clearly this would be the good, that is, the best."
Freshman programmers who don't understand the need for a base case in recursive functions should be ashamed of themselves. The ancient Greeks knew this stuff! (They also put your middle school geometry skills to shame.) Anyway, I still think Aristotle is wrong to ignore the possibility of multiple ends in the "on account of itself" category. But since he thunders on past that, what is his grand goal? ...the political art. Huh? I didn't see that coming, but it does make sense of this edition's beautiful cover art.

Aristotle lists activities such as economics, warfare, and rhetoric which can all be understood as supporting politics. Today we might say that all things are done for the good of society.
"[T]he good of the individual by himself is certainly desirable enough, but that of a nation and of cities is nobler and more divine."
Why not say that the good of nations and cities is subordinate to the good it produces for individuals? It will be interesting to see how Aristotle handles situations where what's good for the state is very bad for some individuals. Or when what's good for individuals is irrelevant to what's good or bad for society.

Book I, Chapter 3

This chapter argues for approaching political science in a rough—rather than an unduly precise—manner.
"The noble things and the just things, which the political art examines, admit of much dispute and variability, such that they are held to exist by law alone and not by nature. And even the good things admit of some such variability on account of the harm that befalls many people as a result of them: it has happened that some have been destroyed on account of their wealth, others on account of their courage."
Oh what a relief! He admits there are problems when civic good or other virtues are pushed to the extremes without considering their effects. Maybe he was familiar with Greek tragedies? This should have prompted some reflection on his part. If your great all-encompassing good can have bad effects, isn't this a flashing clue that you have the wrong fundamental good...or at least not the only fundamental good?

After some snappy characterizations of mathematicians and youngsters, Aristotle praises an attitude of patience when learning. He says his teachings are pointless for people who just follow their passions unreflectively, but of great benefit to people who "fashion their longings in accord with reason and act accordingly." This makes me ask myself, "When was the last time I allowed learning to shape my actions, and not just to justify them?" Honestly, not long ago, considering I participated in the political art just this week and made a different choice than I did four years ago.

Thursday, November 8, 2012

What's Going On?

I'm closing down a tech notes blog I started in May 2008 and moving the current top four posts here. Together, they've gotten over 12k hits from Google searches. Why do this? I have barely used the tech blog in the last year and I don't like sites that are stagnating, decreasing property values, etc.

Besides, I've already increased this blog's official tagline to include librarianship. Might as well throw in technology for a full mix of the issues I write about. Note to self: write a fascinating post on the philosophy of library technology.

If you're wanting more general philosophy, don't worry! I plan on blogging through a book again soon. Just trying to decide between a few candidates (and finish final papers for Fall semester).

Ubuntu Server Text Mode

[Originally posted June 5, 2012]

Ubuntu Server supposedly lacks a GUI, but it still uses FrameBuffer by default. I was seeing the following error on a picky Dell monitor when booting to a fresh install of Ubuntu 12.04 LTS:
Out of range signal.
Cannot display this video mode,
change computer display input to 1600x1200 @60Hz

Disabling FrameBuffer

  • Boot off the installation CD and use rescue mode.
  • Open the file:  /etc/modprobe.d/blacklist-framebuffer.conf
  • Append the line:  blacklist vga16fb
  • Save the file and exit, then run:  update-initramfs -u
  • Reboot
Credit to this guy for showing me the fix.

Text Mode GRUB

I didn't like my video signal going out of range during the GRUB stage, so...
  • Open the file:  /boot/grub/grub.cfg
  • Uncomment the line:  GRUB_TERMINAL=console
  • Save the file and exit, then run:  update-grub
  • Reboot

Outlook Certificate Warning With Exchange 2007 or 2010

[Originally posted January 10, 2011]  

After installing a third party certificate in Exchange 2007 or Exchange 2010 (for Outlook Web Access and similar services), some Outlook clients may suddenly start complaining:

"The name of the security certificate is invalid or does not match the name of the site."

Here's the relevant Microsoft article. If you have trouble understanding it on the first read, I'll paraphrase!

The Problem

Exchange '07 and '10 automatically generate a self-signed certificate with the fully qualified internal name of the mail server. Outlook 2007 (and possibly Outlook 2010) clients connect to Exchange using — by default — the server's internal name. When the name the client uses and the certificate match, no problem! There's also no problem for Outlook 2003 clients because they don't bother with the certificate.

But what if you replace the Exchange certificate with one that references the external name of the server? 'mail.contoso.com' instead of 'mail-srv.contoso.local', for example? Well, you get the error above!

Expensive Fix

If the new certificate includes Subject Alternative Names, you could include the internal name as one of the alternates. This internal name will be externally viewable to anyone who likes to read certificate details, if you care about that.

The Usual Fix...

The other way to make the warning go away is to instruct internal Outlook clients to look for the mail server under its external name (e.g. 'mail.contoso.com') and make sure internal DNS resolves to the internal IP of the mail server.

...And Its Downside

You'll need to run "split DNS." Create a forward lookup zone on the internal DNS server for the external domain name. LAN clients which try to reach anything that ends in '.contoso.com' will receive their answers from the internal DNS server. Be careful! If you forget to add, for example, 'www.contoso.com' to the internal version, LAN clients may lose access to the company website.

Check Current Values

To be on the safe side, make a record of the relevant Exchange settings before changing them. This process will also help familiarize you with what's going on in the next step. Open Exchange Management Shell. Type the following queries, then note the information on the lines specified:

> get-clientaccessserver | fl

Note the value for 'AutoDiscoverServiceInternalUri'

> get-webservicesvirtualdirectory | fl

Note the value for 'InternalURL'

> get-oabvirtualdirectory | fl

Note the value for 'InternalURL'

(Exchange 2007 only)
> get-umvirtualdirectory | fl

Note the value for 'InternalURL'

Hopefully, the values are all the same for these!

Change To the External Name

Assuming...
Internal name is 'mail-srv.contoso.local' and
External name is 'mail.contoso.com'.

> Set-ClientAccessServer -Identity mail-srv.contoso.local -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

> Set-WebServicesVirtualDirectory -Identity "mail-srv.contoso.local\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

> Set-OABVirtualDirectory -Identity "mail-srv.contoso.local\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

(Exchange 2007 only)
> Set-UMVirtualDirectory -Identity "mail-srv.contoso.local\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

Then either reboot the server, or open IIS, browse to application pools, and recycle 'MSExchangeAutodiscoverAppPool'.
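
As an added example (not part of the original post or Microsoft's article), this Python script takes the values noted under "Check Current Values" and lists the settings whose host name the certificate does not cover, which is the mismatch behind the Outlook warning. The URLs and the certificate name list are constructed from the post's contoso names; the single-label wildcard rule goes beyond the case in the post.

```python
from urllib.parse import urlsplit


def name_matches(cert_name, host):
    """True if one certificate name covers the host (case-insensitive).

    A wildcard counts only as the whole left-most label, so
    '*.contoso.com' covers 'mail.contoso.com' but not 'a.b.contoso.com'.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*" and len(c) > 2:
        return c[1:] == h[1:]
    return c == h


def mismatches(settings, cert_names):
    """Return the setting names whose URL host is not on the certificate."""
    bad = []
    for setting, url in settings.items():
        host = urlsplit(url).hostname or ""
        if not any(name_matches(n, host) for n in cert_names):
            bad.append(setting)
    return sorted(bad)


# Constructed sample values using the post's example names.
CERT_NAMES = ["mail.contoso.com"]  # names on the third-party certificate
BEFORE = {
    "AutoDiscoverServiceInternalUri":
        "https://mail-srv.contoso.local/autodiscover/autodiscover.xml",
    "EWS InternalUrl": "https://mail-srv.contoso.local/ews/exchange.asmx",
    "OAB InternalUrl": "https://mail-srv.contoso.local/oab",
}
AFTER = {
    "AutoDiscoverServiceInternalUri":
        "https://mail.contoso.com/autodiscover/autodiscover.xml",
    "EWS InternalUrl": "https://mail.contoso.com/ews/exchange.asmx",
    "OAB InternalUrl": "https://mail.contoso.com/oab",
}
# One setting missed during the change: it still points at the internal name.
PARTIAL = dict(AFTER, **{"OAB InternalUrl": BEFORE["OAB InternalUrl"]})

if __name__ == "__main__":
    for label, values in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(label, mismatches(values, CERT_NAMES))
```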

Shrew Soft VPN Client with Juniper/Netscreen IPSEC

[Originally posted July 30, 2010]

Shrew Soft's VPN client is free and remarkably cross-platform. I needed it for Windows 7 notebooks. While there's already a nice write-up on how to configure a preshared key with XAuth scheme, my particular situation called for separate preshared keys for each user and no XAuth. So that's the (relatively!) simple setup I'll be documenting here.

A bit of history: Juniper Networks purchased Netscreen in '04. The Netscreen brand continued to be used on Firewall/VPN devices for several years following that (which is when I earned technical certification on them), but these are now simply Juniper "Secure Services Gateway[s]." I'll call the device the "firewall" to stay neutral. Screenshots are from a NS5GT; details may vary slightly.


Sample Parameters

Obviously, these won't actually work. The 'X's stand for unspecified numerical values.

192.168.1.0 /24 — Business LAN
10.X.X.X — Firewall public IP
roadwarrior — User name
corporation.inc — Business URL
1234567895 — roadwarrior's preshared key


Routing

Routing on the Netscreen should already be set up unless this is the first VPN configured on the firewall. Something along these lines should work:

untrust-vr entry
IP/Netmask — 192.168.1.0 /24
Gateway — trust-vr
Interface — -

trust-vr entry
IP/Netmask — 192.168.1.0 /24
Gateway — 0.0.0.0
Interface — ethernet1

And if there isn't already a name for the LAN subnet, add it to Objects->Addresses->List->Trust->New.

Address Name — corporation.inc LAN
IP/Netmask — 192.168.1.0 /24
Zone — Trust


User Setup

Objects->Users->Local->New

User Name — roadwarrior
Status — Enable
IKE User — Checked
IKE ID Type — Auto
IKE Identity — roadwarrior@corporation.inc



Phase 1 Setup

VPNs->AutoKey Advanced->Gateway->New

Gateway Name — roadwarrior P1
Security Level — Standard
Remote Gateway Type — Dialup User
User — roadwarrior
Preshared Key — 1234567895
Use As Seed — Unchecked
Outgoing Interface — ethernet3


Click Advanced.

Mode (Initiator) — Aggressive
Enable NAT Traversal — Checked
UDP Checksum — Unchecked
Keepalive Frequency — 20
[Authentication Section] — None


Click Return, then Ok.


Phase 2 Setup

VPNs->AutoKey IKE->New

VPN Name — roadwarrior P2
Security Level — Custom
Remote Gateway — roadwarrior P1


Click Advanced.

Security Level — Custom
Phase 2 Proposals:
* nopfs-esp-3des-md5
* nopfs-esp-3des-sha
* nopfs-esp-aes128-md5
* nopfs-esp-aes128-sha
Replay Protection — Checked
...the rest of the settings on this page shouldn't need changing from default:
Transport Mode — Unchecked
Bind to — None
Proxy-ID — Unchecked
Local (and Remote) IP/Netmask — 0.0.0.0 / [blank]
Service — Any
VPN Group — None
VPN Monitor — Unchecked
Source Interface — Default
Destination IP — 0.0.0.0
Optimized — Unchecked
Rekey — Unchecked


Click Return, then Ok.


Policy Setup

Policies.

From: Untrust
To: Trust
Click New.

Source Address — Dial-Up VPN
Destination Address — corporation.inc LAN
Service — Any
Action — Tunnel
Tunnel [VPN] — roadwarrior P2
Tunnel [L2TP] — None


Click Ok.


Shrew Soft Access Manager — General Tab

Host Name or IP Address — 10.X.X.X (True value at Network->Interfaces->edit[ethernet3]->IP Address)
Port — 500
Auto Configuration — disabled
Address Method — Use an existing adapter and current address


Shrew Soft Access Manager — Client Tab

NAT Traversal — enable
NAT Traversal Port — 4500
Keep-alive Packet rate — 15
IKE Fragmentation — enable
Maximum Packet size — 540

Enable Dead Peer Detection — Checked
Enable ISAKMP Failure Notifications — Checked


Shrew Soft Access Manager — Name Resolution Tab

All unchecked. Of course this sort of thing can be set up if you prefer. I'm using it for a simple case which does not need DNS.


Shrew Soft Access Manager — Authentication Tab

Authentication — Mutual PSK

Local Identity subtab
Identification Type — User Fully Qualified Domain Name
UFQDN String — roadwarrior@corporation.inc


Remote Identity subtab
Identification Type — IP Address
Address String — [blank]
Use a discovered remote host address — Checked


Credentials subtab
Preshared Key — 1234567895


Shrew Soft Access Manager — Phase 1 Tab

Exchange Type — aggressive
DH Exchange — group 2
Cipher Algorithm — auto
Hash Algorithm — auto
Key Life Time limit — 86400
Key Life Data limit — 0
Enable Check Point Compatible Vendor ID — Unchecked


Shrew Soft Access Manager — Phase 2 Tab

Transform Algorithm — auto
HMAC Algorithm — auto
PFS Exchange — disabled
Compress Algorithm — disabled
Key Life Time limit — 3600
Key Life Data limit — 0


Shrew Soft Access Manager — Policy Tab

Maintain Persistent Security Associations — Unchecked
Obtain Topology Automatically or Tunnel All — Unchecked

Click Add.
Type — Include
Address — 192.168.1.0
Netmask — 255.255.255.0


Click Ok, then Save.


...now try connecting. When it fails the first time, check the log entries on the firewall. When those are unclear, see the blog post immediately prior to this one on detailed VPN troubleshooting.

Basic Setup for Wyse ThinOS + Windows Terminal Server

[Originally posted February 23, 2010]

Consider this a quick start guide for a particular scenario: you want multiple Wyse ThinOS terminals to automatically log into a Windows Terminal Server with terminal-specific user accounts.


In this example, the user accounts "Front Desk" and "Utilities Console" are already configured on the Terminal Server (or its domain). Here's what needs to happen when one of the thin clients is powered on:
  1. Client looks for DHCP services and configures basic network parameters. (Client IP can be dynamic.)
  2. Client checks DHCP option 161 and finds the static IP address of the FTP server.
  3. Client logs into the FTP server anonymously and runs /wyse/wnos/wnos.ini which contains the settings for all Wyse ThinOS clients.
  4. wnos.ini includes a line which causes the client to look for /wyse/wnos/inc/[MAC].ini where "MAC" is its own MAC address. This contains client specific settings, e.g. "Front Desk" credentials. Either wnos.ini or [MAC].ini will instruct the client to connect to the Terminal Server.
Note: The Terminal Server, DHCP server, and FTP server may all be the same host or three separate hosts. Or a 2 / 1 split. It just doesn't matter.

Terminal Server Setup

Make sure the user profiles are set up correctly on the Terminal Server by using any RDP client.

DHCP Setup

Check the scope options on the DHCP server. For Windows 2003 Server, this will be under [Server]->Scope->Scope Options->Configure Options->General tab->Available options. Option 161 is not defined by default, so it will probably not be on this list.

To define a new DHCP option in Windows 2003 Server, right click on [Server] and select Set Predefined Options. Click Add.

Name: Wyse FTP Server
Data Type: String
Code: 161
Description: FTP Server for Wyse ThinOS Clients

(Only the Code value is vital.)

DHCP services may need a restart. Go back to the scope options, enable the newly defined option, and enter the IP address of the FTP server.

FTP Setup

Use any familiar FTP server. The following just needs to work:

> ftp [FTP server]
> Name: anonymous
> Password: anonymous
> cd wyse
> cd wnos
> ascii
> get wnos.ini
> cd inc
> get [MAC].ini

Both wnos.ini and [MAC].ini are going to be plaintext configs. Feel free to make test versions with any content to make sure the FTP is working right.

Example Network Values

User: Front Desk
Pass: easyPass8
MAC: 0123456789AB

User: Utilities Console
Pass: easyPass4
MAC: 1023456789CC

Domain: toasterco.local

FTP IP: 192.168.1.40 (not used in the configs below, to avoid paradox)

Terminal Server IP: 192.168.1.50
Terminal Server Name: Legion-srv

Example wnos.ini

AutoLoad=0
AutoPower=yes
SignOn=no

include=$mac.ini

connect=rdp \
icon=default \
description= "Legion-srv" \
host=192.168.1.50 \
Fullscreen=yes \
Reconnect=yes \
Autoconnect=yes

Example 0123456789AB.ini

connect=rdp \
description= "Legion-srv" \
host=192.168.1.50 \
icon=default \
username="Front Desk" \
password=easyPass8 \
domainname=toasterco.local \
Fullscreen=yes \
Reconnect=yes \
Autoconnect=yes

Exit=all

Example 1023456789CC.ini

connect=rdp \
description= "Legion-srv" \
host=192.168.1.50 \
icon=default \
username="Utilities Console" \
password=easyPass4 \
domainname=toasterco.local \
Fullscreen=yes \
Reconnect=yes \
Autoconnect=yes

Exit=all

Final Comments

The line "include=$mac.ini" in wnos.ini will cause execution to jump to the individual config file if the MAC match is successful. The line "Exit=all" at the end of an individual config will stop execution. Otherwise, it would return to the general config file and individual settings would be overwritten.
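
The include and Exit=all behaviour described above, modelled in Python as an added example (not Wyse's parser and not code from the original post). The file contents are constructed and shortened from the post's examples, and the "inc/" lookup follows the path given in step 4.

```python
import re

# key=value pairs; a value is either a quoted string or a run of non-spaces.
PAIR = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S*)')


def statements(text):
    """Yield each logical statement as a list of (key, value) pairs.

    A trailing backslash continues the statement on the next line.
    """
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        pairs = [(k.lower(), v.strip('"')) for k, v in PAIR.findall(logical)]
        logical = ""
        if pairs:
            yield pairs


def resolve(files, mac, start="wnos.ini"):
    """Return the effective settings for one terminal, keyed by statement name."""
    settings = {}

    def run(name):
        # Returns True once Exit=all has been reached, which stops everything.
        for pairs in statements(files[name]):
            key, value = pairs[0]
            if key == "include":
                target = "inc/" + value.replace("$mac", mac)
                if target in files and run(target):
                    return True
            elif key == "exit" and value.lower() == "all":
                return True
            else:
                settings[key] = dict(pairs)  # a later statement overwrites
        return False

    run(start)
    return settings


# Constructed sample files, shortened from the post's examples.
WNOS = """SignOn=no
include=$mac.ini
connect=rdp \\
host=192.168.1.50 \\
Autoconnect=yes
"""
FRONT_DESK = """connect=rdp \\
host=192.168.1.50 \\
username="Front Desk" \\
domainname=toasterco.local \\
Autoconnect=yes

Exit=all
"""
FILES = {"wnos.ini": WNOS, "inc/0123456789AB.ini": FRONT_DESK}
# Same files with Exit=all removed from the per-terminal config.
FILES_NO_EXIT = {"wnos.ini": WNOS,
                 "inc/0123456789AB.ini": FRONT_DESK.replace("Exit=all", "")}
```

Calling resolve(FILES_NO_EXIT, "0123456789AB") shows the failure mode: the general connect statement runs last and the per-terminal username is gone.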

Wyse Support has plenty of reference documentation covering these config file options and many more. Don't even have to log into the support site to access this material. Yay for that.

Thursday, November 1, 2012

Monthly Picks

On the first day of each month, I will be posting about papers I've found interesting in Philosophy or Library & Information Science. I'll try to make sure at least one is accessible to everyone.

Adriaans, P. (Oct 2012). Information. Stanford Encyclopedia of Philosophy.
[link] freely accessible

International Federation of Library Associations and Institutions (Aug 2012). IFLA Code of Ethics for Librarians and other Information Workers.
[link] freely accessible