blog.scottlowe.org

The weblog of an IT pro specializing in virtualization, storage, and servers

Archive for January, 2007

Quick Follow Up on Mac FTP/SFTP Clients

January 27th, 2007 by slowe

Unable to cope with the slow performance of Cyberduck any longer (even though I love everything else about the application), I started looking at other Mac FTP/SFTP clients.  Since performance was the key driving factor causing me to seek a new client, I thought it would probably be important to perform some informal performance comparisons between the major candidates—Interarchy, Transmit, and Fetch (and, for reference, Cyberduck as well).

First, the parameters of the test:

  • The source system was, of course, a Mac.  Specifically, a MacBook Pro running Mac OS X 10.4.8 with all available and applicable updates installed.
  • The destination system was a server running ESX Server 3.0.1.  It looks like ESX Server 3.0.1 uses OpenSSH 3.6.1p2.
  • I transferred an ISO of Windows Server 2003 R2 x64; the file was about 592MB in size.  I deleted the file from the destination server after each transfer.

The results of the test were as follows:

Transmit 3.5.5: 39 seconds
Fetch 5.2: 39 seconds
Interarchy 8.2.2: 29 seconds
Cyberduck 2.7.2: 9 minutes 53 seconds

I hadn’t truly realized just how much slower Cyberduck was until I ran this test.  The difference is quite dramatic.  As you can see, the test results between Transmit, Fetch, and Interarchy were pretty close; Interarchy edged the others out but only by a small margin.

Given that the performance is pretty much the same between the three replacement candidates, the choice comes down to aesthetics and features.  I love the Kerberos support in Fetch (I’m a Kerberos fan—in case you hadn’t noticed by all the articles I write about leveraging the Kerberos support in Active Directory for cross-platform integration), but really don’t like the interface.  Likewise, Transmit is nice, has a Quicksilver plug-in and a Dashboard widget, Keychain support, Spotlight integration, etc., but something about the interface doesn’t seem to fit.  I’m not sure what it is.  This is not a knock against Transmit or Panic; I paid for and use Unison, Panic’s Usenet/NNTP client.

Interarchy’s interface has its quirks, but I suppose I’m getting used to them now because I don’t notice them as much.  I just found and installed the Interarchy Quicksilver plug-in yesterday, which solves one complaint, but I still wish Interarchy would expand its Growl support.

Each of the apps has its advantages and disadvantages, as you can see.

What would be the ideal solution?  The ideal solution would be a way to tune Cyberduck’s performance so that it was in the same ballpark as the other applications (not necessarily faster, just in the same general area).  I don’t suppose anyone has any performance tuning tips for Cyberduck?

Category: Macintosh | 36 Comments »

Mac Bookmark Managers

January 25th, 2007 by slowe

The idea behind del.icio.us is great, but for me it becomes truly useful using a “rich client” instead of a web browser.  For a long time, Cocoalicious has been that “rich client,” offering a combination of native Mac OS X technologies with the web services offered by del.icio.us.  Unfortunately, it appears as though Cocoalicious is no longer under active development, and so I’ve gone seeking other solutions.

There are quite a few bookmark managers out there for the Mac, but not so many that offer integration with del.icio.us.  Likewise, there are a number of utilities that offer to make posting to del.icio.us easier (Pukka and Postr come to mind) but don’t necessarily offer the bookmark management functionality upon which I rely.  So far, I’ve only found two applications that have the right balance of functionality.

The first of these is WebnoteHappy.  It looks as if WebnoteHappy originally started out as “just” a bookmark manager; del.icio.us support seems to be an add-on rather than an integral part of the application itself.  Nevertheless, WebnoteHappy does have a couple of things going for it:

  • It supports integration with NetNewsWire, my RSS reader, so that I can post URLs directly from NNW’s context menu.  (Currently, only Cocoalicious, Pukka, Postr, and WebnoteHappy appear to be supported.)
  • It supports AppleScript.
  • It supports Smart Folders to group bookmarks according to tags, description, or notes.

The best part of del.icio.us, to me, is the tags.  This is where WebnoteHappy seems to be the weakest.  I can’t browse my bookmarks by tags (although I could create a Smart Folder based on tags), there’s no tag autocompletion, and when posting to del.icio.us via WebnoteHappy from NNW I’m not given the option to assign any tags (indeed, I’m not even given the option to share the bookmark via del.icio.us).

The second application is a relatively new application; it’s called Socialist.  Socialist appears to be built from the ground up to be a “rich” del.icio.us client.  The relative immaturity of Socialist is showing up in some areas, though:

  • No AppleScript support.
  • No integration with NNW.  (Granted, the list of supported applications is fairly small, but this is a feature I use regularly.)

Fortunately, Socialist does support tags, and does provide a way to browse bookmarks via tags.  The current release doesn’t support browsing via multiple tags or tag autocompletion, but supposedly those features are in the next version of the software (which is due out soon).

Each application has its own unique strengths and weaknesses, and both are lacking some features that I would love to see:

  • Growl support (to provide a Growl notification when a URL is successfully posted to del.icio.us)
  • AppleScript support (so URL management tasks can be automated a bit more)
  • Spotlight integration (ability to search URL and note text from the Spotlight menu)

Of course, I already mentioned browsing via tags (including the ability to select multiple tags and see only the bookmarks tagged with all the selected tags) and tag autocompletion.  If NNW integration isn’t possible, then the ability to at least pull the contents of the clipboard into the new bookmark sheets in each application would be good.  An entry on the Services menu would be handy as well.

Any other products out there I should be considering?  Anyone have any feedback on one of these two products?  I’d love to hear from real-world users on what they like or don’t like about either of these two applications.

Category: Macintosh | 11 Comments »

VMware HA in Action

January 22nd, 2007 by slowe

VMware touts VMware HA as a means of providing failover protection for virtual machines:

VMware HA is a feature-rich product that continuously monitors all physical servers in a resource pool and restarts virtual machines affected by server failure.

Well, that’s all well and good, but does it actually work?  I’m here to tell you, “Yes, it does.”

This isn’t as striking an example as running mission critical apps for a multimillion dollar venture and VMware HA saving the day, but it is an excellent example, in my mind, of how well VMware HA works.  It works so well, in fact, that you may not even notice it working.

In my lab at the office, I have VMware HA and VMware DRS running on a cluster containing two hosts running ESX Server.  On that foundation runs a number of VMs providing various services to the lab.  I had been out for a few days working on-site with customers, and when I came back into the lab this morning everything seemed fine.  It wasn’t until later in the day, when I finally launched the Virtual Infrastructure (VI) Client and connected to VirtualCenter, that I realized one of my ESX hosts had crashed.  VMware HA had stepped in and automatically restarted all the VMs on the second host, and the other engineers who were there when the failure happened said they didn’t even notice the failover.  Had I not logged in to the VI Client, I wouldn’t have even known that I had a host failure.  It was that seamless.

Yes, a proper monitoring solution would have alerted me right away to this failure, and it could have been rectified much sooner.  I know that.  But this is a lab, not a production environment.  Besides, the point here is that the lab’s virtual infrastructure was resilient enough to sustain a hardware failure and continue providing services, not to berate me for the lack of a monitoring solution in the lab.

What’s more, after I resolved the issue with the dead ESX host and brought it back online, VMware DRS kicked in and automatically rebalanced the VM load across the two hosts, just as advertised.

Is that cool, or what?

Category: Virtualization | 3 Comments »

Mac FTP/SFTP Clients

January 22nd, 2007 by slowe

I’d gotten turned on to Cyberduck as my primary FTP/SFTP client after really getting into Growl, the global notification system for Mac OS X.  The application I was using at the time, Fugu, didn’t have Growl support.  Cyberduck did, so I switched, and I’ve been using Cyberduck ever since.

I like the Cyberduck interface; it seems to make sense to me and I’ve never really run into any major compatibility issues (seems like I ran into one minor problem after an upgrade of OpenSSH on one of my servers, but that problem was quickly resolved as I recall).  The Growl support is, of course, excellent, and Cyberduck also offers a veritable laundry list of features—integrated support for Spotlight, a Dashboard widget, Keychain support, multiple windows, etc.  It even comes as a Universal binary.  (The features are far too many to list here; refer to the Cyberduck web site for complete information.)

Sound like a great application?  It is—if you don’t need to transfer large files.  Since I started out just using Cyberduck to move some small web pages back and forth to my web server, these were mostly small files and I didn’t really notice any performance hit.  Sure, it seemed a bit slower than command-line SFTP or SCP and it seemed to be a bit of a memory hog, but I figured it was just GUI overhead and thought no more about it.  For what I was doing at the time, it worked fine.

Recently, though, I’ve been needing to transfer much larger files to and from some SFTP servers on my local LAN.  How large?  ISO images ranging from 300MB to 600MB, sometimes multiple ISO images at a time.  Generally, the file transfers will complete, but they are just plain slow.  Almost painfully slow.  So slow, in fact, that I’ve been driven to looking at alternatives.

I’m currently evaluating Interarchy.  While the interface is a bit quirky (although I suppose that is due to being predisposed to an interface like Cyberduck’s), the performance is astounding.  I can transfer multiple ISO images in minutes, not hours as with Cyberduck.  It’s almost unbelievable.

I have yet to decide whether I’ll just buy Interarchy or if I’ll evaluate two other potential candidates, Transmit and Fetch.  Both applications have gotten good reviews, but—being the UI stickler that I am—neither of them sports as modern a UI as Interarchy (I really like the unified toolbar look).

My primary complaint with Interarchy is the price.  Sixty bucks seems a bit high for this type of application; both Transmit and Fetch (other options to replace Cyberduck) charge about half that.  Of course, the other applications don’t offer the same set of functionality that Interarchy offers, either.  But will I actually use that functionality?  Amazon S3 support is great, but will I really use Amazon S3?  I don’t have a WebDAV server, so is it worth paying for WebDAV support?  Is it worth paying for network tools that duplicate functionality already in the base operating system?

What do you think?  If you are a Fetch, Transmit, Interarchy, Fugu, or even Cyberduck user, please post in the comments and tell me what you think.

Category: Macintosh | 13 Comments »

Networking Diagramming on the Mac

January 18th, 2007 by slowe

I spent the entire day trying to create a professional looking network diagram for a customer who recently installed an iSCSI-based SAN (a Network Appliance storage system, by the way).  I didn’t want generic rectangles and boxes; I wanted nice icons.  Preferably vendor-specific icons.  Is that so much to ask?

I visited Graffletopia, which is to OmniGraffle (I use OmniGraffle Professional) what Visio Cafe is to Visio.  Unfortunately, I wasn’t able to find very many helpful stencils.

Realizing that OmniGraffle Pro (OGP) reads/writes Visio XML files, I thought then that I might be able to export Visio stencils into a form that I could use on my Mac.  Alas, no; OGP wouldn’t read them.  Finally, I settled into manually creating my own OGP stencils from selected items in the Visio stencils, and was finally able to piece together a diagram that was decent.  At some point I may post the OGP stencils I’m creating for my own use out on Graffletopia for others as well, provided the original author is amenable to the idea.

In the meantime, I’ll continue plugging away at laboriously converting Visio stencil items to OGP stencil items.  Here’s the process I’m using:

  1. Place a single item from a Visio stencil onto a blank Visio diagram and save that diagram as a PNG image.
  2. Move the PNG image to my Mac and copy the contents of the PNG to the clipboard.
  3. Paste the image into a stencil in OGP.  Tweak the size, connection points, etc., until I’m satisfied.
  4. Repeat as needed.

Given that VMware Fusion’s ability to drag-and-drop from the guest back to the host isn’t working (Did it ever work?  Or am I imagining things?), step 2 above is more laborious than it should be.  Oh well, it could be worse.

Is there a faster process for this?  Anyone know?

Category: Macintosh | 9 Comments »

Editing Files from the Data ONTAP CLI

January 16th, 2007 by slowe

While setting up a Network Appliance storage system today for a customer, I ran into a situation that was a bit puzzling for a moment.  I needed to change the IP address on the storage system’s clustered controllers, but in order to do that I needed to edit some files in the /etc directory on the root volume.  Normally, that wouldn’t be a big deal; I’d just mount the root volume (vol0) via CIFS or NFS from my MacBook Pro and go from there.

However, in this particular instance, the customer hadn’t licensed the CIFS and NFS protocols because this storage system would be used strictly as an iSCSI target for a VMware ESX Server deployment.  That meant there would be no mounting the root volume this time.  So how does one go about editing files in the Data ONTAP CLI?

Excellent question.  The answer is the “priv set advanced” command.  Rightly so, NetApp warns you that running “priv set advanced” exposes functionality that can be dangerous; don’t muck around in there or you’re likely to find yourself with a non-functional NetApp storage system.  However, with a bit of caution, the advanced commands are just what we need in this situation.

The advanced command set includes useful commands like “ls” (to list the files in the /etc directory, for example), “rdfile” (think of “cat” or “more” from a Linux/UNIX system), and “wrfile” (for redirecting standard input to a text file).  While there’s no text editor per se, these three tools can get us most of the way there.

So here’s how I used the advanced command set to change the IP addresses of the storage system:

  1. Enabled the advanced command set with “priv set advanced.”
  2. Displayed the current contents of the /etc/hosts file with “rdfile /etc/hosts”.
  3. Created /etc/hosts.new (containing the contents of /etc/hosts with the changes I needed) using “wrfile /etc/hosts.new”.
  4. Verified the contents of /etc/hosts.new using rdfile.
  5. Renamed /etc/hosts to /etc/hosts.setup using “mv”.
  6. Renamed /etc/hosts.new to /etc/hosts using “mv”.
  7. Rebooted the storage system for the change to take effect.

Upon the reboot, the storage system was now using the new IP addresses requested by the customer.  Problem solved!

Category: Storage | 4 Comments »

Linux-AD Integration, Version 4

January 15th, 2007 by slowe

This procedure allows Linux-based systems to authenticate against Active Directory.  We use Kerberos for authentication, LDAP for account information, and Samba to help automate the process along the way.  When this process is complete, AD users can be enabled for use on Linux systems on the network and log in to those Linux systems using the same username and password as throughout the rest of Active Directory.

These instructions are designed for use with Windows Server 2003 R2.  If you are looking for information on using Linux with a previous version of Windows, please refer back to this article.  The only significant changes in the process involve the mapping of the LDAP attributes; otherwise, the procedure is very similar between the two versions of Windows.

Preparing Active Directory (One-Time)

Enable Editing/Display of UNIX Attributes

Based on my research, it appears that the partially RFC 2307-compliant schema is installed with Windows Server 2003 R2; this means that the schema does not need to be extended to include UNIX-specific attributes such as uid, gid, login shell, etc.  However, while the attributes are there in the schema, there is no way to edit those attributes, and these attributes must be populated correctly in order for this process to work.

The easiest way to enable the editing of these attributes is to install the “Server for NIS” component on at least one domain controller.  This will cause a new tab, labeled “UNIX Attributes,” to appear in the properties dialog box for users and groups.  You’ll use this tab to edit the UNIX-specific attributes that are required for logins to Linux-based systems.  Please note that due to the way this tab is displayed, you’ll need Schema Admin privileges in order to install the “Server for NIS” component on your domain controller.  (More information on this issue is available here.)

You could just as well use LDP, LDIF files, ADSI Edit, or any number of other methods to display and edit these attributes.  To make this process as seamless as possible, however, you’ll want to integrate the management of these attributes into Active Directory Users and Computers using the method described above.

Create an LDAP Bind Account

You’ll also need to create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  This helps minimize any potential security risks as a result of this account.

Prepare Active Directory (Each User)

Each Active Directory account that will authenticate via Linux must be configured with a UID and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account.  (Installing the “Server for NIS” component enables this, as mentioned previously.)

After all the user accounts have been configured, then we are ready to configure the Linux server(s) for authentication against Active Directory.

Prepare Each Linux Server

Follow the steps below to configure the Linux server for authentication against Active Directory.

  1. Edit the /etc/hosts file and ensure that the server’s fully-qualified domain name is listed first after its IP address.
  2. Make sure that the appropriate Kerberos libraries, OpenLDAP, pam_krb5, and nss_ldap are installed.  If they are not installed, install them.
  3. Be sure that time is being properly synchronized between Active Directory and the Linux server in question.  Kerberos requires time synchronization.  Configure the NTP daemon if necessary.
  4. Edit the /etc/krb5.conf file to look something like this, substituting your actual host names and domain names where appropriate:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true
    
    [realms]
     EXAMPLE.COM = {
      kdc = host.example.com:88
      admin_server = host.example.com:749
      default_domain = example.com
     }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
    
    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf
    
    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
  5. Edit the /etc/ldap.conf file to look something like this, substituting the appropriate host names, domain names, account names, and distinguished names (DNs) where appropriate.  (Note:  These schema mappings assume that you are using the newer schema extensions provided by Windows Server 2003 R2.  If you are using SFU 3.5 instead, you will need to use the schema mappings described here.)
    host 10.10.10.10
    base dc=example,dc=com
    uri ldap://server.example.com/
    binddn ldap@example.com
    bindpw adldapbindpw
    scope sub
    ssl no
    nss_base_passwd dc=example,dc=com?sub
    nss_base_shadow dc=example,dc=com?sub
    nss_base_group dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup group
    nss_map_attribute gecos cn
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute uniqueMember member
  6. Configure PAM (this varies among Linux distributions) to use pam_krb5 for authentication.  Many modern distributions use a stacking mechanism whereby one file can be modified and those changes will be applied to all the various PAM-aware services.  For example, in Red Hat-based distributions, the system-auth file is referenced by most other PAM-aware services.  Here’s a properly edited /etc/pam.d/system-auth file taken from CentOS 4.4:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth     required   /lib/security/$ISA/pam_env.so
    auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth     sufficient /lib/security/$ISA/pam_krb5.so
    auth     required   /lib/security/$ISA/pam_deny.so
    
    account  sufficient /lib/security/$ISA/pam_unix.so
    account  sufficient /lib/security/$ISA/pam_krb5.so
    account  sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account  required   /lib/security/$ISA/pam_deny.so
    
    password requisite  /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password  required  /lib/security/$ISA/pam_deny.so
    
    session  required   /lib/security/$ISA/pam_limits.so
    session  required   /lib/security/$ISA/pam_unix.so
  7. Edit the /etc/nsswitch.conf file to include “ldap” as a lookup source for the passwd, shadow, and group databases.
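
As an added example (not from the article or from nss_ldap), the following Python script checks an /etc/ldap.conf against the Windows Server 2003 R2 schema mappings from step 5 and flags the one item in that listing a defender should notice: a bindpw combined with ssl no sends the bind credentials and every lookup across the network in cleartext.  The sample config, the check_ldap_conf() function and its rule set are constructed here.

```python
"""Sanity-check an nss_ldap /etc/ldap.conf against the Windows Server 2003 R2
schema mappings used in the Linux-AD integration procedure.

Added example, not part of the original article or of nss_ldap. The config
text below is a constructed sample modelled on the article's listing, with one
mapping left out so the checker has something to report.
"""
import re

SAMPLE_LDAP_CONF = """\
host 10.10.10.10
base dc=example,dc=com
uri ldap://server.example.com/
binddn ldap@example.com
bindpw adldapbindpw
scope sub
ssl no
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute uniqueMember member
"""

# R2 schema: nss_ldap needs all of these to read AD user and group objects.
REQUIRED_OBJECTCLASS_MAPS = {
    "posixAccount": "user",
    "shadowAccount": "user",
    "posixGroup": "group",
}
REQUIRED_ATTRIBUTE_MAPS = {
    "gecos": "cn",
    "homeDirectory": "unixHomeDirectory",
    "uniqueMember": "member",
}


def parse_ldap_conf(text):
    """Return (settings, objectclass_maps, attribute_maps) from ldap.conf text.

    Keys are lower-cased. nss_map_* lines carry two values and go into their
    own dicts, so the rest of the file stays a flat key -> value map.
    """
    settings, oc_maps, attr_maps = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        key = parts[0].lower()
        if key == "nss_map_objectclass" and len(parts) == 3:
            oc_maps[parts[1]] = parts[2].strip()
        elif key == "nss_map_attribute" and len(parts) == 3:
            attr_maps[parts[1]] = parts[2].strip()
        else:
            settings[key] = line[len(parts[0]):].strip()
    return settings, oc_maps, attr_maps


def check_ldap_conf(text):
    """Return a sorted list of findings; an empty list means the file passed."""
    settings, oc_maps, attr_maps = parse_ldap_conf(text)
    findings = []
    for name, expected in REQUIRED_OBJECTCLASS_MAPS.items():
        if oc_maps.get(name) != expected:
            findings.append(f"missing nss_map_objectclass {name} {expected}")
    for name, expected in REQUIRED_ATTRIBUTE_MAPS.items():
        if attr_maps.get(name) != expected:
            findings.append(f"missing nss_map_attribute {name} {expected}")
    # The group search must be limited to groups that carry a gidNumber;
    # otherwise every AD group comes back, including ones with no GID.
    group = settings.get("nss_base_group", "")
    if not re.search(r"\(gidnumber=\*\)", group, re.IGNORECASE):
        findings.append("nss_base_group filter lacks (gidnumber=*)")
    # A bind password in the file plus 'ssl no' (nss_ldap's default) means the
    # password and all directory lookups cross the network in cleartext.
    if "bindpw" in settings and settings.get("ssl", "no").lower() == "no":
        findings.append(
            "bindpw used with ssl no: bind credentials sent in cleartext")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_ldap_conf(SAMPLE_LDAP_CONF):
        print(finding)
```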

At this point we are now ready to test our configuration and, if successful, to perform the final step:  to join the Linux server to Active Directory for authentication.

Test the Configuration

To test the Kerberos authentication, use the “kinit” command, as in “kinit <AD username>@<AD domain DNS name>”; this should return no errors.  A “klist” at that point should then show that you have retrieved a TGT (ticket granting ticket) from the AD domain controller.  If this fails, go back and troubleshoot the Kerberos configuration.  In particular, if you are seeing references to failed TGT validation, check to make sure that both your Linux servers and AD domain controllers have reverse lookup (PTR) records in DNS and that the Linux server’s /etc/hosts file lists the FQDN of the server first instead of just the nodename.

Some readers and some other articles have suggested the use of the AD domain DNS name in the /etc/krb5.conf file instead of an AD domain controller specifically; I recommend against this.  First, I believe it may contribute to TGT validation errors; second, it is possible to list multiple KDCs (AD DCs) in the configuration.  Since the only major reason to use the AD domain DNS name instead of the DNS name of one or more DCs would be fault tolerance, then it doesn’t really gain anything.

To test the LDAP lookups, use the “getent” command, as in “getent passwd <AD username>”; this should return a listing of the account information from Active Directory.  If this does not work, users will not be able to log in, even if Kerberos is working fine.  If you run into errors or failures here, go back and double-check the LDAP configuration.  One common source of errors is the name of the LDAP bind account, so be sure that is correct.
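
A getent lookup that returns a line is not quite the same as an account that will log in cleanly.  As an added example (not from the article), the Python below parses the output of getent passwd together with the local /etc/passwd and reports AD entries whose UNIX attributes were never filled in, whose uid falls in the range the article’s PAM account stack treats as system accounts (uid < 100), or whose uid collides with a local account (nsswitch merges both sources, so the local entry shadows the AD user).  The passwd lines and the check_ad_users() function are constructed for this example.

```python
"""Check 'getent passwd' output for the UNIX attributes that AD users need
before they can log in to a Linux host configured as in the article.

Added example, not part of the original article. Both text blocks below are
constructed samples; the local /etc/passwd is included so uid collisions
between local and AD accounts can be detected.
"""

# Constructed sample of 'getent passwd' output once nss_ldap is answering.
GETENT_OUTPUT = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash
asmith:*:10002:10000:Alice Smith::/bin/bash
svc_backup:*:48:10000:Backup Service:/home/svc_backup:/bin/sh
"""

# Constructed sample of the host's own /etc/passwd.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return a list of dicts, one per 7-field passwd line."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"not a passwd line: {raw!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def check_ad_users(getent_text, local_passwd_text, min_uid=100):
    """Return {username: [problems]} for directory-sourced accounts.

    Entries whose name also appears in the local passwd file are local
    accounts and are skipped; everything else is assumed to come from AD.
    min_uid mirrors the 'pam_succeed_if.so uid < 100' line in the article's
    PAM account stack.
    """
    local = parse_passwd(local_passwd_text)
    local_names = {e["name"] for e in local}
    local_uids = {e["uid"]: e["name"] for e in local}
    report = {}
    for e in parse_passwd(getent_text):
        if e["name"] in local_names:
            continue
        problems = []
        for key in ("uid", "gid"):
            if not e[key].isdigit():
                problems.append(f"{key} is not numeric")
        if not e["home"]:
            problems.append("empty home directory (unixHomeDirectory not set)")
        if not e["shell"]:
            problems.append("empty login shell (loginShell not set)")
        if e["uid"].isdigit():
            uid = int(e["uid"])
            if uid < min_uid:
                problems.append(f"uid {uid} below {min_uid}")
            owner = local_uids.get(e["uid"])
            if owner is not None:
                problems.append(f"uid {uid} collides with local account {owner}")
        if problems:
            report[e["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_ad_users(GETENT_OUTPUT, LOCAL_PASSWD).items():
        print(name, "->", "; ".join(problems))
```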

Join the Linux Server to Active Directory

This is the final step.  Don’t try this step until you’ve successfully tested the configuration.  After this step is completed, you are finished and AD users will be able to log in to Linux-based systems (assuming the AD users have been properly configured for Linux logins).

To join the Linux server to Active Directory, follow these steps:

  1. Verify the Samba configuration.  Be sure the following settings are specified in /etc/samba/smb.conf:
    workgroup = <NetBIOS name of AD domain>
    security = ads
    realm = <DNS name of AD domain>
    use kerberos keytab = true
    password server = <Space-delimited list of AD DCs>
  2. Use “kdestroy” to destroy any existing Kerberos credentials you may have; then run “kinit <Domain administrative account>@AD.DOMAIN.NAME” to get a Kerberos ticket for an account that is a domain administrator account.
  3. Run “net ads join” to join the Linux server to Active Directory.  This command will automatically create a computer object in Active Directory and add the appropriate SPNs (service principal names) to the computer object.  In addition, it will populate the local Kerberos key table (/etc/krb5.keytab, by default) with the correct entries for authentication against Active Directory.

Only one small detail remains:  how to deal with home directories for users logging into Linux systems.

Deal with Home Directories

Unlike Windows systems, home directories are required on Linux-based systems.  As a result, we must provide home directories for each AD user that will log in to a Linux-based system.  We basically have two options here:

  • Use the pam_mkhomedir.so PAM module to automatically create local home directories “on the fly” as users log in.  To do this, you would add an entry for pam_mkhomedir.so in the session portion of the PAM configuration file.
  • Use the automounter to automatically mount home directories from a network server.  This process is fairly complicated (too involved to include the information here), so I’ll refer you to this article on using NFS and automounts for home directories.  This has the added benefit of providing a foundation for unified home directories across both Windows and Linux systems.

(There is a third option as well:  manually create home directories before users can log in.)

Once you’ve settled on and implemented a system for dealing with home directories, you are finished!  UNIX-enabled users in Active Directory can now log in to Linux-based systems with their Active Directory username and password.

What’s not addressed in this article?  Password management.  In this configuration, users will most likely not be able to change their password from the Linux servers and have that change properly reflected in Active Directory.  I’ll try to work on that for version 5 of the instructions.

I hope you find this information helpful.  As always, feel free to post corrections, additions, or suggestions in the comments below.

Category: Linux, Interoperability, Microsoft | 161 Comments »

Active Directory Integration Index

January 15th, 2007 by slowe

To help make it easier to find the various Active Directory integration articles I’ve written, I’m including links below to the latest version of each article.  As new versions of an article are published, I can simply update this link to point to the new version.

I’ve grouped the integration articles according to product below.

Linux

Latest version for Windows Server 2008 (“Longhorn”)

Latest version for Windows Server 2003 R2

Latest version for Windows 2000 Server and Windows Server 2003 (pre-R2)

SuSE Linux Enterprise Desktop (SLED)-specific version

Solaris 10

Latest version for Solaris 10 x86

Firewalls

Latest version for Cisco PIX VPN

Latest version for WatchGuard Firebox VPN

VMware ESX Server

Latest version for ESX Server 2.5.x

Latest version for ESX Server 3.0.x

OpenBSD

Latest version for OpenBSD 3.9

Networking Equipment and Protocols

Latest version for 802.1x

Latest version for Cisco IOS

As new articles are published or existing articles are revised with new versions, I’ll update this post accordingly.

Category: Interoperability | 9 Comments »

ESX Security Issues

January 10th, 2007 by slowe

Some security vulnerabilities in VMware ESX Server have been disclosed in the last few days.  Secunia released this advisory on multiple vulnerabilities; the related vulnerabilities include flaws in the bundled versions of OpenSSH, OpenSSL, and Python that come with the service console (which, as you may already know, is a modified form of Red Hat Enterprise Linux).

A patch to address these vulnerabilities is available for the affected versions of ESX from the VMware web site; the links for the ESX 3.0.0 and ESX 3.0.1 patches are below.

Patch for ESX 3.0.0:
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html

Patch for ESX 3.0.1:
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html

One of the vulnerabilities mentioned in the Secunia advisory above pertains to incorrect SSL key permissions; more information on that issue can be found in this VMware KB document.  This issue also affects some of VMware’s hosted products, such as VMware Server, VMware Player, and VMware Workstation.

In addition, a possible cross-site scripting exploit has been uncovered in Apache, which is used by ESX Server.  VMware provides more information on the possible exploit on their web site.  In addition, more information is available on the CVE candidate entry.

Category: Security, Virtualization | 2 Comments »

Apple iPhone

January 9th, 2007 by slowe

In case you’ve been hiding under a rock and haven’t yet heard (is that possible?), Apple today announced the iPhone:

http://www.apple.com/iphone

GSM/EDGE, Wi-Fi, and Bluetooth…runs an embedded form of OS X…super-slick user interface…it’s enough to make a gadget geek like me salivate.

If the iPhone works half as well as claimed, it will be a tremendous device.  If it works as well as claimed, it will be a revolutionary device.

So, yes, I don’t technically need one…but I sure would like to have one.

Category: Macintosh | No Comments »