Sunday, 30 October 2016

Sitting Shiva

I had two deaths in the family recently. My great-aunt, aged 99, died, and ladysolly's brother's mother-in-law, aged 97. So I've been to two funerals, and two shivas.

Shiva is a period of a few days after the funeral, where you visit the bereaved. It's a bit like a wake, only with smoked salmon and brioche instead of whiskey and beer. And it's a good opportunity for the family to get together and chat. And cake.

So here's what I learned.

One of my nieces, who is frumm, conforms to the idea that a married woman should always have her hair covered. You thought that was only Muslims? But in yiddishkeit, it's slightly different. She covers her hair with a sheitel, a wig. And her wig is exactly the same as her hair, and this is obvious because she has an identical twin sister. So what, exactly, is achieved by her covering her hair with a wig that's exactly the same as her hair? Don't ask me. Although she looked very good, so maybe that's why.

Ladysolly always wears a hat at funerals and suchlike; it's a big round black hat and it looks very good on her. I wear a hat too, of course, it being compulsory for men to wear something on your head even if it's just a yamulke, and I'm not going to wear my pastafarian headgear at a funeral. So I wear a homburg which is much more dignified than a pasta straining bowl - so much so that I've sometimes been mistaken for one of the rabbis. Although I've never been able to discover the biblical commandment that requires this.

And I heard another story. A relative needed to make kosher her dinner plates and other eating-ware. I didn't hear the start of the tale about why this was necessary, but it was to do with one of her children being frumm. So she contacted the rabbi, and the rabbi said that he could do this for her. He boiled up a big shissel and, wearing heavy gloves, dipped each item into the boiling water for a while. This cost my relative £275, and the hours spent boiling the shissel ruined her cooker. So we discussed that a bit, and another relative related how her mother would bury any offending utensil (for example, if a meat fork had accidentally been used for milk) in the garden. It had to stay buried for a period of time (I don't know how long) and she'd mark it with a plant marker so she'd know when it was OK to dig it up. Although research using Google seems to indicate that the burying idea is completely wrong, although more than one person mentions it.

Anyway, I had schmaltz herring, and smoked salmon, and brioche, and lemon cake, and chocolate cake, lots of coffee and I saw all my cousins and innumerable nephews and nieces, not to mention assorted tiddlers who are too small for me to know their names.


Last night, the clocks went back.

I find this whole exercise of moving the clocks to and fro quite silly. But since everyone else is doing it, I have to.

Many of my clocks did it themselves - every computer, these days, knows about BST and adjusts itself without even telling you. And I have a radio-controlled clock which always sets itself correctly.  It wasn't always like that.

Back in 1984, 32 years ago, I had an IBM PC. And each time you started it up, it didn't know the date, let alone the time. It was January 1, 1980, and you had to tell it otherwise if you wanted your files datestamped correctly.

I had a little utility that I put in my autoexec, so that it ran each time I started up the computer. It read its own file date and time, and assumed that the date and time was that, and I'd hit the up arrow to tell it that it was tomorrow.

Then the IBM AT had CMOS and a battery, so that once it knew the date and time, it knew it even after a reboot. But the PC clock wasn't an accurate clock, so it wandered off, gradually getting more and more distant from reality. People would say "I spent £1000 on this computer and it can't even keep good time!" Well, it can't make toast either. It's a computer, it's neither a clock nor a toaster.

When I started running Unix, I found out about ntp and time servers. If you do "rdate -s" then your system would reach out across the internet, and get the time from a public time server. I told one of my servers to do that once per day, and I told all my other servers to get the time from that server.

When I first got a Raspberry Pi, I found a familiar situation - it forgot the time each time it was powered up. You can get add-ons to fix that, but I just use my existing time server to get the date and time each time a Pi starts up.

So that's sorted for another six months.

Thursday, 27 October 2016


There is a school of thought that says that in writing, you shouldn't repeat words. As a result, when you read something authored by someone brought up to believe that, they make liberal use of synonyms.

So, for example, if you read an article about Trump (and that's a good source of amusement), you'll find that the Republican party is often referred to as  the GOP.

There's three problems with this. The first is that when I read an article sprinkled with synonyms, I have to pause at each one to translate it. The second is that maybe some people don't know that the term you're using is a synonym, and think that it means something different. But the third is the worst - it's when the writer thinks they're using a synonym, but actually the word has a subtly different meaning, and the reader comes away from the piece with a complete misapprehension of what the writer was trying to say.

Please avoid using unnecessary synonyms. And words that mean the same thing.

Monday, 24 October 2016

Back to the Essex Way

I did the whole of the Essex Way a few years ago, and it was good. This is a revival of part of that series, so I decided to do it.

There were 15 caches along the route, and then I did a dozen more in Epping. I had lunch back in the car, and then went back home.

Sunday, 23 October 2016

Another big bang

30 years ago, I worked in the City, pretending to be a stockbroker. I say "pretending" because I was never able to work out what I was supposed to be doing. As far as I could tell, my task was to make up stories that would persuade people to either buy or sell shares, and surely it couldn't be as crass as that? For a long time, I thought there had to be something rational underpinning it all, but eventually I decided that I couldn't see anything. And not long after that, I stopped being a stockbroker.

But while I was there wearing pinstripes, leather shoes, no braces and trying not to laugh, the Big Bang happened, 30 years ago, 27 October 1986. The floor of the stock exchange became deserted, all trading was electronic. And then we had the Michael Fish hurricane on the night of 15-16 October 1987, which was followed by Black Monday, October 19, 1987, the day that A) stock prices plummeted by several percent and B) trading volumes plummeted to a tenth of previous levels.

What followed was a series of amalgamations between brokers, jobbers, banks and other assorted spivs and barrowboys. The City adjusted to the new rules and carried on as before, except they didn't need so many people (including me).

It's all electronic now.

Think about that for a moment, because if everything is electronic, it really doesn't matter where people are located. Except that where they are located, affects what rules and regulations they have to comply with.

With the EU, there's a single market. So if you can trade in one country, you can trade on an equal basis with the other 27. If you're authorised to be a bank in the UK, then you can equally be a bank in 27 other countries.

And then Brexit.

Suddenly, if you're authorised to be a bank in the UK, you aren't authorised to be a bank in 27 other countries.

So, imagine you're on the management board of a large bank that trades internationally. If you're based in the UK, you aren't authorised to do financial stuff in the EU. The obvious solution is to relocate. And you're not going to wait until the day before Brexit Day.

We don't know yet what Brexit means. Yes, Brexit means Brexit, ho ho ho. What a useless definition. There's an important question - will the UK still have access to the single market? Because the cost of that, will be the abandonment of control over immigration from the EU to the UK. And some people are saying that the referendum vote to leave the EU, was a vote to stop uncontrolled immigration from the EU (although that certainly wasn't on the voting slip that I put my X on, so I don't know how people can say this).

If Brexit means control over EU immigration (and, by the way, Theresa May wasn't able to control non-EU immigration when she was Home Secretary, so what hope of doing so in future?) then it means leaving the single market, because the EU isn't going to let us eat the beans and leave the brussels.

And if we leave the single market, then the City will up sticks and move. Probably to Germany, maybe to Brussels. Or possibly to Ireland, where they have an educated english-speaking population very near to London.

Now you might think "Good riddance, it's the banksters who caused the financial crisis", although actually it was the politicians who caused it by insufficient regulation of the finance industry, because you can't expect banksters to refrain from chasing profits. But actually, we'll be just as dependent on the banks in future as we are now, because banking is a necessary service in any economy.

The difference will be that the taxation revenue that the country gets from the financial service industry, will also relocate.

And the City of London contributes £67 billion per year in taxes to the government's handbag. Which makes even the famously non-existent $350 million/week on the side of the Brexit bus look puny.

Saturday, 22 October 2016

Internet preservation

The internet has become important. If a situation arises whereby I cannot do my VAT return, civilisation will fall. And I'm not being sarcastic here; if I, and everyone else, cannot pay our taxes, cannot access our banking, cannot use our credit cards, then the problem is immense.

The recent attack on DYN, was an attack on the DNS infrastructure of the internet. My experience was that my inability to access the HMRC VAT-paying site, was a DNS problem. I know this, because I tried to use nslookup on the domain I was trying to get to, and DNS didn't work.

The attack was caused by a DDoS. A zillion compromised computers were all accessing the DYN site, which was thereby unable to cope with the load. Clearly, this issue needs to be dealt with, because if I can't pay my VAT, the government can't function.

It's rare that I would say that government has to take action - I much prefer governments to be inactive, or incompetent, or both. I've been lucky with that so far. But in some matters, government action is actually needed.

For example, food safety. Before regulation, you could add anything you like. You could add water to milk, which at least doesn't make it less safe. You can add brick powder to chilli powder. And you could add all sorts of poisonous things to food.

The market can't fix this; it has to be legislation. So we have food safety legislation all over the world now; the things you eat are safe, and if they aren't, someone can go to prison.

The electricity that magically emerges from your wall; it has to be 240 volts and 50 hertz. If one day it came out as 1000 volts, that would blow all your fuses and ruin many appliances. So it's regulated.

But I'm not advocating that the internet be regulated, because that's probably not possible. It is, however, possible to regulate the sale of appliances.

Electricity can kill. I've had a couple of 240 volt electric shocks, and that was only in one hand, and it hurt. A lot. So the safety of electrical appliances is regulated. For example, anything being used outside the house, has to be protected by an earth leakage circuit breaker. That's to stop people from killing themselves with electric lawnmowers.

Likewise cars; there's a legal safety requirement, and an annual test for safety. And gas appliances, and so on and so on.

We need the sale of internet-connectable appliances to be regulated to meet a minimum safety standard. For example, there should not be hardcoded passwords that leave an entire brand of products vulnerable. Right now, internet-connectable appliances (such as "smart light bulbs", cameras or toasters) aren't required to have any internet safety. The thinking is, why would anyone hack my toaster? The problem is that if you hack ten million toasters, then you have a bot army that can DDoS the internet into a smoking hulk.

Unfortunately, we have in charge of our governments, people who haven't a Scoobie. So this probably won't happen until the problem gets so bad that we're devolved back to pigeon post.

Friday, 21 October 2016

Four Pies

In my office, I have four Raspberry Pies. One runs the Geocaching Robot Arm, one monitors my front garden and road outside, one drives a seven inch screen (which wants a 12 volt power supply, isn't that handy?) showing me a continuous update of the usage of my 100 mbps line, and the fourth one drives a 17 inch screen that shows the details of line usage.

I've just reorganised the way they're powered. Before, it was a mish-mash of different power supplies, reflecting the fact that these systems have evolved over the last few years. Now I've rationalised things.

I have a computer - a rather small box, which I used to run several terminals on the same screen. A few years ago, the power supply in that failed, and because it's such a small box, it can't take a standard PSU (ATX power supply). So I put a standard ATX power supply on top of it, and led the wires inside. This is what is technically known as a kludge. What I realised just yesterday, was that the same ATX power supply could be used more widely.

I have another computer that I use as my main workstation. Several months ago, the power brick failed for the monitor (a lovely big 27 inch screen, 2560 by 1440 pixels). I looked on Ebay for a replacement power brick, couldn't find one, then realised that all it wanted was 12 volts. The answer is obvious. So I take 12 volts from the ATX supply, and it powers the monitor just fine, meaning I won't need to shell out a couple of hundred pounds for a replacement monitor.

The big change was the Pies. I'm using PoE, Power over Ethernet. In an ethernet cable, only two of the four pairs are used for data. The other two pairs just aren't used for 100 mbit ethernet, only for gigabit, which I'm not using in my office.

So I bought a bunch of PoE splitters, £1.24 per pair on Ebay. I'm using four of them, they're connected to the 12 volt line on the power supply, and to an ethernet switch.

At the other end of the ethernet cable, I put the other half of the splitter, so now the same cable is carrying the ethernet data, and the power. But hey, you're thinking, that's 12 volts, and the Pies want 5 volts. If I sent five volts down the ethernet cable, by the time it got to the Pies, the voltage would have dropped, and since the lengths of cable are different, the voltage drop would be different. So I put 12 volts down the line, and at the end where each Raspberry is, I put a voltage converter  with included voltmeter, to step the 12 volts down to 5.25.

The Pi wants less than 2 watts (under half an amp at 5 volts). So the 12 volt line will be transmitting under 0.2 amps, and the PoE spec says it can handle 1 amp. Still, I put a 5 amp fuse at the end where the PSU is, and that's carrying four Pies and the screen, which I reckon would be about 2 amps total - I had a car fuse that blows at 5 amps, left over from a bike project.

So now all my cabling is nice and neat, and I've dispensed with three power supplies that have gone back into my box of bits.

I can't do my VAT

It's that time of year again. Four times per year, I have to fill in the VAT form that tells HMRC how much money they're going to take from me to waste on things other than beer. So I went to the HMRC web site and clicked on "start now".

After a long pause, it redirected me to and I was told "Site unavailable".

So I tried to ping it. Nothing. So I checked that the DNS was resolving, with "nslookup". Nothing. Clearly, something catastrophic has happened (I'm trying not to rejoice prematurely); maybe some benevolent deity has hurled lightning at the HMRC computer, which I imagine as being a Sinclair Spectrum, sitting in a dark cupboard. I can dream, can't I?

I abandoned the attempt to do my VAT, and went back to it a while later. Either they've fixed whatever had gone wrong, or else they rebooted the Spectrum. I logged on, they sent the 6 digit code to my phone, and I filled in the VAT form. They owe me, because I pay EU non-UK VAT via the VAT Moss system, and I shudder to think what's going to happen after Brexit, because whether the Brexit is hard, soft or medium, you can bet your bippy that it will be different and I'll have to change my software and procedures to accommodate it.

My VAT is done for another three months.

... later ...

I think the problem was a massive DDoS attack against a DNS provider.

Wednesday, 19 October 2016

300% utilisation

I knew that I had a problem when my bandwidth monitor started to tell me that about three times as much data was flowing along my line as was possible. Obviously, the monitor had to be wrong.

I very quickly tracked the problem down - the system drive on the main server was failing. Lots of read and write errors. And that's very annoying, it was a new install; I opened the plastic wrapper on the drive a couple of weeks ago.

And then things got worse.

I tried checking the cables, I tried rebooting, nothing helped. Clearly I had to replace the drive.

First, I switched the load onto a backup server. That's very easy; I just change a couple of lines on my firewall, and all accesses are directed to the backup server.

Then I tried to replace the drive.

My first idea was to use a 2.5 inch Sata SSD, because the server (a Dell Poweredge R805) has a couple of slots at the front for 2.5 inch Sata drives. But the server wouldn't acknowledge that it was there, and when I opened up the server, it was obvious why. The slots for the drives were there, but there was nothing connecting them to the mainboard. I'd need an interface card, and it would have to be a Dell branded card, and the cost would be astrological.

So my next thought was, replace the drive with another new drive. I then spent an hour on that. There's only one Sata connector on the mainboard, so I used that for the DVD drive I use for installing Linux. The drive to install on, would be connected to an interface card that lets me put Sata drives on a PCI-E interface. But that didn't work, because the Linux installer refused to recognise the drives.

And then things got really tricky, because I had to leave to go to a family event. My aunt Kit died a few days ago, at the age of 99, and she was one of my favourite aunts, so we went to the funeral and then back to her daughter (my cousin) for a major nosh-up. So for the next six hours, my backup server carried the load (and hardly anyone noticed).

When I got back, I had a plan. First, I connected the DVD drive to a USB port. Then I removed the PCI-E cards, so all I had was that DVD drive, and the drive I wanted to install Linux on, connected to the motherboard Sata port.

That worked! And several minutes later, I had Fedora Linux version 24, 64-bit on the hard drive. So I replaced the PCI-E cards, connected up the other drives, rebooted and everything was fine. And I have a list of things to do to configure the server the way I want it, and a copy of all the files that I needed to do the configuration.

So about an hour later (plus a couple of hours messing about fruitlessly before the family event, plus six hours at the family event) the server is up and running nicely.

Monday, 17 October 2016


Trump has started to claim that the election is being rigged.

And a poll has revealed that 41% of voters think that the election could be stolen from Trump (73% of Republicans believe that, and 17% of Democrats).

So what's going to happen when Hillary wins? Will Trump gracefully acknowledge defeat, and wish her well for the future? My feeling, based on how he's behaved over the last year, is that he won't. He'll scream that the election was rigged. Because the alternative - that he's a loser - isn't acceptable to him.

So what will the 35% of the electorate that voted Trump do? Will they accept defeat gracefully? I hope they do. But there's other things to consider, which are difficult for we British to comprehend.

The first is the existence of 300 million guns in private hands. One nutcase with a gun can do quite a lot of damage; a million people with guns can do a hell of a lot of damage. And there's a lot of Americans who believe that one important reason they are armed, is so that they can stop government doing bad things.

The second is the American attitude towards revolution. They glorify the events of 1776; they call it "The Revolution". The last time we British had a revolution was 1688, and most people won't even have heard of it, it was so politely done. 

The third is that there's a fair number of Americans who want to revisit their civil war, only this time they want it to end differently.

So would Trump incite violence? He has form. He promised to pay the legal fees of supporters who attack protesters at rallies. "There may be somebody with tomatoes in the audience. So if you see somebody getting ready to throw a tomato, knock the crap out of them, would you? Seriously. Okay? Just knock the hell—  I promise you, I will pay for the legal fees. I promise, I promise. It won’t be so much ’cause the courts agree with us too."

And then in another speech: “If she gets to pick her judges, nothing you can do, folks,” Mr. Trump said, as the crowd began to boo. He quickly added: “Although the Second Amendment people — maybe there is, I don’t know.” For we British who might not be able to decode this, Second Amendment is the right to bear arms. Meaning guns.

Trump is probably not stupid enough to call for a revolution explicitly. But he could say things that some people will interpret as a call to arms; something that he can deny meant that.

This could get messy.


Democracy is the way we settle important questions. It's not a good system, but as WSC said, all the others are worse.

But that isn't always true. Some questions shouldn't be decided by a democratic vote.

This was made obvious to me by a debate on usenet (35 years ago, that was like a big internet forum) in the newsgroup alt.comp.virus (which was the forum about computer viruses). We had various debates there; the one I have in mind was about the technical characteristics of a particular virus.

I was posting having disassembled and analysed the virus, so I knew what it did, although there was, of course, the possibility that I'd made a mistake. But some 30 or 40 people joined in on this debate, and then one guy summarised the arguments by counting how many people said "X" and how many said "Not X". And he concluded that since there was a majority saying "X", that X must be true.

I'm sure you can see the fallacy there. You cannot decide the truth of Pythagoras's Theorem by taking a vote.

I wonder how many people support "Science must fall"?

Saturday, 8 October 2016

Good morning!

Or, as the French would say, "Bonjour".

My firewall was reporting a whole bunch of UDP accesses from to, and it was, of course, blocking them. But I wondered what this was all about, and decided to investigate. is a non-routable (private) IP address, because it starts with 10. The "149.14" means that it's an address got via DHCP from my main DHCP server. In other words, it's a device based on my DMZ that picks up its IP address from another of my servers.

The is a mystery. My "innermost" network starts with 192.168, which is also a private, non-routable address, but I don't have a device at that address. Furthermore, why would a device on my DMZ go looking for a device at that address?

So I googled.

Googling doesn't always produce the answer straight away. The first stop was, which is a technical forum ... with a difference. I read halfway down the article that Google found, then burst into giggles. "lds" = "Latter Day Saints" = Mormons.

"No other software should be purchased or installed on Church computers unless it is approved by the stake president, is appropriately licensed, and does not interfere with the operation of or compromise the security of the Church software and data already on the computer." which is fair enough. :

And then "Other than it needs to be password protected and not uploaded to 3rd party servers, no. However, I would involve the Bishop in who is getting the information and what the information contains."

Can you imagine what it must be like for those tech support staff, having to get a Bishop involved when they have a support issue? What does the Bishop do, pray for guidance?  Yes, I can see that even a church needs appropriate computer security; I'd guess that many churches use computers to do their accounts and suchlike. But involving the Bishop?

So after getting past this distraction, I found some useful information. I think it has to do with Apple's Bonjour, which is how Apple devices find other things on the network, and the device doing the looking was indeed ladysolly's iPhone.

Rather mundane and uninteresting, but I would never have found the LDS tech web site without it, and discovered the role of LDS Bishops in their tech support.

Friday, 7 October 2016

Lorem ipsum dolor sit amet

I don't get much spam in Latin, so I actually read this one. 

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum

Sadly, it's nonsense. It's pseudo-latin, like Caesar adsum jam forte.

Oh, you didn't know that one? It's one of the best things I learned in my Latin class.

Caesar adsum jam forte
Brutus aderat
Caesar sic in omnibus
Brutus sic in at

Anyway, "Lorem Ipsum" is called "Greek text", because it isn't Greek. It's used by printers and web-makers to indicate that some text should go here, but it hasn't been authored yet.

Tuesday, 4 October 2016

Riding the Ridgeway

I went out today for a long bike ride; mostly along the Ridgeway where it crosses the M4. I found 42 caches, but I had a lot of trouble with my rear inner tube. It kept creeping round, and in my experience, that leads to a valve blowout when it gets bad enough. And sure enough, that's exactly what happened. It's a failure that can't be fixed with a puncture repair kit. Fortunately, I carry a spare inner tube, and that kept me going.

I really have to solve this problem of inner tube creep. I tried talcum powder, but although I have a very nice smelling inner tube, it hasn't fixed the problem. But I have another idea, which I'll try tomorrow.

Monday, 3 October 2016

ASA 5510

My ASA 5510 firewall arrived, and it's lovely! It's faster than the Pix 515E; it has more memory, a faster processor, and gigabit interfaces. I swapped it for the 515E today, and it went in very easily. I just copied the configuration from the 515E almost word for word, and it's now humming away happily.

But to me, it's just a more advanced Pix.

Sunday, 2 October 2016

Packets from Erewhon

When I look at my firewall logs, I see a whole bunch of attempted accesses that I can't explain. They look like this:

Deny udp src dmz: dst inside: by access-group "inside_access_out"

Deny tcp src dmz: dst inside: by access-group "inside_access_out"

Deny tcp src dmz: dst inside: by access-group "inside_access_out"

I'll explain - udp and tcp are the main two kinds of packet that float around the internet.
"dmz" is a region of my network that I allow limited access to from outside; "inside" is a region of my network that doesn't allow any access from outside. All my "dmz" addresses start with 10, all my "inside" addresses start with 192.168.

IP addresses starting with 10 or with 192.168 are non-routable. Packets with that address or destination shouldn't be able to even reach my firewall.

And yet the Pix firewall is reporting that packets originating in my dmz (from IP addresses that don't have computers) are trying to get to IP addresses in the "inside" region, to IP addresses that don't have computers.

So packets originating from Erewhon, are trying to get to Nowhere, and are being blocked. I'm not worried by this, but I wish I knew how this was happening.
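
One way to triage deny lines like these, and the blocked UDP traffic in the 8 October post above, added here as an example and not the author's own code: parse each line, check both ends against the interface's address range and a host inventory, and group repeats so the recurring flows stand out. The addresses, ports and inventory below are constructed (the log lines on this page have lost theirs), and `KNOWN_HOSTS`, `PORT_HINTS` and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# From the post: every dmz address starts with 10, every inside address with 192.168.
IFACE_NETS = {
    "dmz": ipaddress.ip_network("10.0.0.0/8"),
    "inside": ipaddress.ip_network("192.168.0.0/16"),
}

# Hypothetical inventory: static hosts plus current DHCP leases (constructed).
KNOWN_HOSTS = {"10.0.5.10": "web server", "192.168.1.77": "file server"}

# A few well-known destination ports, enough to label common chatter.
PORT_HINTS = {22: "SSH", 53: "DNS", 123: "NTP", 445: "SMB", 5353: "mDNS/Bonjour"}

# Constructed sample lines; every address and port is invented.
SAMPLE_LOG = '''\
Deny udp src dmz:10.0.5.23/5353 dst inside:192.168.7.9/5353 by access-group "inside_access_out"
Deny tcp src dmz:10.0.5.10/51514 dst inside:192.168.1.77/445 by access-group "inside_access_out"
Deny udp src dmz:10.0.5.23/5353 dst inside:192.168.7.9/5353 by access-group "inside_access_out"
Deny tcp src dmz:203.0.113.5/40000 dst inside:192.168.1.77/22 by access-group "inside_access_out"
some unrelated line
Deny udp src dmz:10.0.5.23/5353 dst inside:192.168.7.9/5353 by access-group "inside_access_out"
'''

DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of one TCP/UDP deny line, or None if it is not one."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:  # e.g. 999.1.1.1: digits and dots, but not an address
        return None
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text, known_hosts=KNOWN_HOSTS):
    """Group denies into flows, most frequent first, with a list of flags each."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is not None:
            key = (rec["proto"], rec["src_if"], rec["src"],
                   rec["dst_if"], rec["dst"], rec["dport"])
            flows[key] += 1

    report = []
    for (proto, src_if, src, dst_if, dst, dport), count in flows.most_common():
        flags = []
        for role, iface, addr in (("src", src_if, src), ("dst", dst_if, dst)):
            net = IFACE_NETS.get(iface)
            if net is not None and addr not in net:
                # Address does not belong behind this interface at all.
                flags.append(f"{role}-outside-{iface}-range")
            elif str(addr) not in known_hosts:
                # Plausible address, but no machine on record uses it.
                flags.append(f"{role}-not-in-inventory")
        report.append({
            "count": count, "proto": proto,
            "src": str(src), "dst": str(dst), "dport": dport,
            "service": PORT_HINTS.get(dport), "flags": flags,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A flow flagged `src-not-in-inventory` with a source inside the dmz range is the shape of the case in the 8 October post, where the source turned out to be a DHCP client, ladysolly's iPhone.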

Great Repeal Bill

Theresa May says she'll trigger Article 50 by March 2017. That means we leave the EU two years after that. At last we'll be free of all those pettifogging regulations about food safety and employment conditions ... but no.

The Great Repeal Bill will convert existing EU regulations into UK law. We still won't be allowed to sell cheese with listeria or send children up chimneys.

We still don't know what The Powers That Be plan to do about immigration from outside the EU. Or from the EU. Or whether we'll still be part of the single market.

I keep hearing that the referendum result means that we voted to control immigration.

No, it doesn't mean that. It means we voted to leave the EU. Anything more than that is just an invention by the axe-grinder.

Saturday, 1 October 2016

Seven inches

I bought a couple of seven inch screens, and they arrived yesterday. I'm using them to monitor my 100 mbit line traffic.

These cost about £18, and are intended for in-car use, for example, for reversing cameras. So they run off 12 volts, and use a composite video input.

PC power supplies give a 12 volt line, so that feeds the screen. The 12 volts also feeds one of those little £1 voltage step-down devices, which lowers it to 5.3 volts, and that goes to a Raspberry Pi. The version 1 Pi has a composite video output, isn't that handy? Later versions don't have that.

I do the display by using "montage" to create the graphic as a bmp file, then ffmpeg to convert it to an 800 by 480 framebuffer file. Then it's just a matter of copying that file to /dev/fb0. And it looks great. I have one in my office, and one in the data center.

I found a nice bargain on Ebay, and I got four 17 inch LCD monitors for £63. I'm not exactly sure what I'll be using them for, but I do use a lot of screens.

Another bargain I got recently is a Cisco ASA 5510 firewall. ASA is what Cisco did after the Pix. The command language is pretty much the same, but the 5510 has a much higher capacity than my current Pix 515E, which I'll use as an in-place backup, because if my firewall goes down, everything goes dark.