Integrating OpenVPN and Yubikey

Integrating a Yubikey into OpenVPN is pretty straightforward. First, download and build the Yubico C client library and the pam_yubico PAM module. Then add these three lines to /etc/openvpn/server.conf:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name

The trailing "openvpn" is the name of the PAM service file in /etc/pam.d, created below. Note that client-cert-not-required turns off client certificate verification entirely (newer OpenVPN releases spell it verify-client-cert none), so the username and OTP handed to PAM become the only per-user credential; a tls-auth key, if you use one, is then the only thing that keeps strangers from even reaching the PAM prompt. In client.ovpn, add this line:

auth-user-pass

Now, in /etc/pam.d, create a mapping file for your users. The format of the file is:

username:publicId


Where publicId is the first 12 characters of the OTP your Yubikey types: the fixed, modhex-encoded prefix that identifies the key, while the remaining 32 characters change on every press. My mapping file is called yubimap. Now create /etc/pam.d/openvpn containing the following lines (the id= value is the API client id you get from Yubico's validation service; 16 is the value used in the pam_yubico documentation, so replace it with your own):


auth required /usr/local/lib/security/pam_yubico.so authfile=/etc/pam.d/yubimap id=16
@include common-auth
@include common-account
@include common-session
@include common-password
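To see exactly what the mapping file adds to the check, here is an added example (not from this post and not Yubico's pam_yubico code) that pulls the public ID out of an OTP and looks it up in a file in the yubimap format above. The mapping file and OTP are constructed, and the comment handling is this example's own convention; the encrypted 32-character tail of a real OTP can only be checked by pam_yubico against the validation service, which is what the id= argument is for.

```python
"""Added example: extract a Yubikey public ID from an OTP and check it against
a pam_yubico-style authfile (user:publicId[:publicId...]).  The OTP and mapping
file below are constructed, not real credentials."""

MODHEX = "cbdefghijklnrtuv"   # Yubico's "modhex" alphabet, keyboard-layout independent
TOKEN_LEN = 32                # the AES-encrypted part of every OTP: 16 bytes = 32 modhex chars
PUBLIC_ID_LEN = 12            # default public ID length, the "first 12 characters" above

# Constructed sample in the same user:publicId[:publicId...] format as /etc/pam.d/yubimap.
# Lines starting with '#' are skipped by this example's parser (its own convention).
SAMPLE_AUTHFILE = """\
# constructed sample mapping
alice:ccccccbcgujh
bob:cccccccltfhr:ccccccbcgujn
"""

# Constructed 44-character OTP whose public ID is alice's key above
SAMPLE_OTP = "ccccccbcgujh" + "ngjlhrvrdlvbulhnjtecrgcujfhtklhd"


def is_modhex(s: str) -> bool:
    """True if the string is non-empty and made only of modhex characters."""
    return bool(s) and all(c in MODHEX for c in s)


def public_id(otp: str) -> str:
    """Return the public ID of a well-formed OTP, or raise ValueError.

    Everything after the public ID is the encrypted token; only the Yubico
    validation service (or a key server holding the AES key) can verify it."""
    otp = otp.strip()
    if len(otp) != PUBLIC_ID_LEN + TOKEN_LEN:
        raise ValueError(f"expected {PUBLIC_ID_LEN + TOKEN_LEN} characters, got {len(otp)}")
    if not is_modhex(otp):
        raise ValueError("OTP contains characters outside the modhex alphabet")
    return otp[:PUBLIC_ID_LEN]


def parse_authfile(text: str) -> dict:
    """Parse user:id[:id...] lines into {user: set(ids)}, rejecting malformed IDs."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        ids = [i.strip() for i in ids if i.strip()]
        if not user or not ids:
            raise ValueError(f"line {lineno}: need a user and at least one public ID")
        for pid in ids:
            if len(pid) != PUBLIC_ID_LEN or not is_modhex(pid):
                raise ValueError(f"line {lineno}: {pid!r} is not a 12-character modhex ID")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def key_belongs_to(user: str, otp: str, mapping: dict) -> bool:
    """The check the authfile adds on top of OTP validation: is the key that
    produced this OTP enrolled for this user?  Malformed OTPs are rejected."""
    try:
        pid = public_id(otp)
    except ValueError:
        return False
    return pid in mapping.get(user, set())


if __name__ == "__main__":
    users = parse_authfile(SAMPLE_AUTHFILE)
    print("alice with her own OTP:", key_belongs_to("alice", SAMPLE_OTP, users))
    print("bob with alice's OTP  :", key_belongs_to("bob", SAMPLE_OTP, users))
```

The important property is the last case: a valid OTP from the wrong key is refused for that user, so stealing one enrolled Yubikey does not let its holder log in as anyone listed in the file.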

That's supposed to be it. However, I ran into a problem where PAM authentication spits out this error:


PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
pam_authenticate FAILED for . Reason: Module is unknown


The solution for this is to modify the /etc/init.d/openvpn script and add the following to the beginning of the file. This is a workaround that preloads libpam so pam_yubico.so can resolve its symbols; use the libpam filename that actually exists on your system, as the version suffix below is from the machine this was done on:

export LD_PRELOAD=/lib/libpam.so.0.81.6


And that's all. PAM now requires both the Yubikey OTP (pam_yubico) and the account's normal password (common-auth) before OpenVPN lets the user in.

OpenVPN installation and gateway issues

In setting up my OpenVPN so all traffic goes through the encrypted tunnel, an annoying error keeps coming up:

"Cannot read current default gateway from system"

It took me over an hour to figure out why: The server-bridge parameter should specify the gateway on your LAN instead of the OpenVPN server.

server-bridge 192.168.1.100 255.255.255.0 192.168.1.200 192.168.1.220

In this case 192.168.1.100 is the LAN gateway, not the OpenVPN server (say 192.168.1.50).

On the client side,

redirect-gateway def1
dhcp-option DNS 192.168.1.100


The "def1" in redirect-gateway adds two more-specific routes, 0.0.0.0/1 and 128.0.0.0/1 (netmask 128.0.0.0), via the tunnel instead of replacing the 0.0.0.0/0 default route. Longest-prefix matching sends all traffic through the VPN while the original default route stays in the table, so it is still there if the tunnel drops.
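To make the difference concrete, here is an added example (not part of this post, and a simplified model of the kernel's routing table rather than OpenVPN's own code) that builds the client's route table with and without def1 and resolves destinations by longest-prefix match. The gateway and server addresses are constructed. In both modes OpenVPN first adds a host route to the VPN server via the existing default gateway, which is why it needs to read that gateway from the system in the first place; the error message above is what you get when it cannot.

```python
"""Added example: a toy routing table showing why "redirect-gateway def1"
leaves the original default route in place.  All addresses are constructed."""
import ipaddress


def build_table(orig_gw: str, vpn_gw: str, vpn_server: str, mode: str) -> list:
    """Route table of a client after OpenVPN applies redirect-gateway.

    mode "def1":  add 0.0.0.0/1 and 128.0.0.0/1 via the VPN; the old 0.0.0.0/0 stays.
    mode "plain": delete 0.0.0.0/0 and replace it with a default via the VPN
                  (OpenVPN remembers the old one and restores it on a clean exit).
    Both modes start with a host route to the VPN server via the original
    gateway so the tunnel's own packets are not routed into the tunnel."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), orig_gw),
             (ipaddress.ip_network(f"{vpn_server}/32"), orig_gw)]
    if mode == "def1":
        table.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
        table.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
    elif mode == "plain":
        table = [r for r in table if r[0].prefixlen != 0]
        table.append((ipaddress.ip_network("0.0.0.0/0"), vpn_gw))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return table


def lookup(table: list, dst: str):
    """Longest-prefix match: the most specific matching network wins.
    Returns the gateway, or None when nothing matches (no default route left)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def disconnect(table: list, vpn_gw: str) -> list:
    """Model an abrupt disconnect (crash, kill -9): only the routes pointing at
    the VPN gateway disappear; nothing restores a deleted default route."""
    return [r for r in table if r[1] != vpn_gw]


if __name__ == "__main__":
    for mode in ("def1", "plain"):
        t = build_table("192.168.0.1", "192.168.1.100", "203.0.113.5", mode)
        print(f"{mode:5} 8.8.8.8 -> {lookup(t, '8.8.8.8')}   "
              f"VPN server -> {lookup(t, '203.0.113.5')}   "
              f"8.8.8.8 after abrupt disconnect -> "
              f"{lookup(disconnect(t, '192.168.1.100'), '8.8.8.8')}")
```

With def1 both halves of the address space go through the tunnel, the VPN server itself is still reached through the original gateway, and an abrupt disconnect leaves the machine with its old default route. In plain mode the same disconnect leaves no default route at all, which is the failure def1 was designed to avoid.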

On the server side,

push "dhcp-option DOMAIN blah.com"


Pushing the domain to the client seems to cause problems with DNS lookups, because blah.com gets appended as a search suffix to every name. For example, looking up www.msnbc.com through nslookup ends up as www.msnbc.com.blah.com.

DNSmasq is running on my gateway, and for some reason pointing the DNS there (via "dhcp-option DNS") seems to avoid the problem. So, everything is working well so far, and now I can create an encrypted tunnel to my LAN whenever I'm mobile and not worry too much about someone snooping my wifi traffic.

Apart from the above issues, the OpenVPN installation and setup was pretty painless. I used JeOS (based on Ubuntu) as the operating system. Installation consists of:

  • Installing the OpenVPN package
  • Setting up the bridge interface
  • Generating the server certificate
  • Generating the client certificate
  • Creating the scripts to bring the bridge interfaces up and down.

All of the above steps are described in detail below in case the original Ubuntu page is down for some reason. Note that following the steps below results in split tunneling, i.e., your internet traffic does not go through the VPN.


Intro/Overview

Overview

OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, easy-to-use, reliable and secure. I'll walk you through setting up a Bridged VPN on Ubuntu 8.04 using x509 certs. Furthermore, I will walk you through general administration tasks.

What is a bridged VPN?

A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system. The VPN accomplishes this by using a combination of virtual devices, one called a bridge and the other called a tap device. A tap device acts as a virtual Ethernet adapter and the bridge device acts as a virtual hub. When you bridge a physical Ethernet device and a tap device, you are essentially creating a hub between the physical network and the remote clients. Therefore, all LAN services are visible to the remote clients. My use case was creating a virtual lab for my company's sales engineers so that it was possible to net boot remote embedded clients anywhere in the world.

Setting up the System

Setting up a bridged VPN solution is not hard. However, it does require that you understand how to use the Linux shell and the Linux networking stack.

This entire installation was performed using Ubuntu JeOS 8.04 in a KVM virtual machine but could just as easily have been performed on Ubuntu Server. In my configuration eth0 is connected to the internet and eth1 is connected to the network that will be bridged. All of my comments in configuration files are preceded by two pound signs (##).

Installing the Server

OpenVPN is installed by

sudo apt-get install openvpn bridge-utils

Setting up the Bridge

Now you need to edit /etc/network/interfaces

Commonly, you have a linux server behind a NAT firewall, and you want to provide access to a small network. Your /etc/network/interfaces probably looks something like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo eth0
iface lo inet loopback

# The primary network interface
## This device provides internet access.
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1

We're going to edit this and add a bridge interface. Go ahead and

sudo vi /etc/network/interfaces

After you're done editing it, it should look approximately like below

## This is the network bridge declaration
auto lo br0 ## start on boot

iface lo inet loopback

iface br0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

If you are running linux inside a virtual machine, you may want to add the following parameters to the bridge connection:

bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)

to restart networking run

sudo /etc/init.d/networking restart

The bridging declarations here come from the libvirt documentation. I really only understand the bridge_ports directive and the bridge_stp directive. Therefore if you know more than me help me out.

Generating Certificates

Next, we need to generate certificates for the server. In order to do this I will setup my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. Another alternative is using the graphical program tinyca to create your CA.

Step 1:

  • Copy files to the /etc/openvpn/easy-rsa/ directory
    sudo mkdir /etc/openvpn/easy-rsa/
    sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Step 2:

  • Edit /etc/openvpn/easy-rsa/vars
    sudo vi /etc/openvpn/easy-rsa/vars
    Change these lines at the bottom so that they reflect your new CA.
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"

Step 3:

  • Setup the CA and create your first server certificate
    cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
    sudo chown -R root:admin . ## make this directory writable by the system administrators
    sudo chmod g+w . ## make this directory writable by the system administrators
    source ./vars ## execute your new vars file
    ./clean-all ## Setup the easy-rsa directory (Deletes all keys)
    ./build-dh ## takes a while consider backgrounding
    ./pkitool --initca ## creates ca cert and key
    ./pkitool --server server ## creates a server cert and key
    cd keys
    openvpn --genkey --secret ta.key ## Build a TLS key
    sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

Your Certificate Authority is now set up and the needed keys are in /etc/openvpn/. Two caveats: keys/ca.key lets whoever holds it mint client certificates the server will accept, so keep it readable by root only (clean-all removes group and world access from the keys directory) and ideally on a machine other than the VPN server; and build-dh uses the KEY_SIZE value from vars, 1024 bits by default, which is weak by current standards, so set KEY_SIZE=2048 before running build-dh and install the resulting dh2048.pem instead of dh1024.pem.

Configuring the Server

By default, every *.conf file in the /etc/openvpn/ directory is started on boot, so all we have to do is create a new file named server.conf in that directory.

First, we're going to create a couple of new scripts to be used by the openvpn server.

sudo vi /etc/openvpn/up.sh

This script should contain the following

#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

Now, we'll create a "down" script.

sudo vi /etc/openvpn/down.sh

It should contain the following.

#!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Now, make both scripts executable.

sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

And now on to configuring openvpn itself.

sudo vi /etc/openvpn/server.conf

mode server
tls-server

local ## ip/hostname of server
port 1194 ## default openvpn port
proto udp



#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

persist-key
persist-tun

#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret

cipher BF-CBC # Blowfish (default)
comp-lzo

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Don't forget to either reboot or run the command below, which restarts openvpn and loads the new config. Two settings in this config are weak by current standards: BF-CBC (Blowfish has a 64-bit block, so a long-lived tunnel carrying enough traffic is exposed to birthday attacks of the SWEET32 kind) and the 1024-bit DH parameters. On a current OpenVPN use cipher AES-256-CBC or an AES-GCM cipher on both the server and the client, and generate 2048-bit DH parameters.

sudo /etc/init.d/openvpn restart

Getting Clients Connected

This section walks you through creating client certificate and key files, plus setting up a client configuration file. The files can then be used with OpenVPN on a client platform. The described configuration works with OpenVPN GUI for Windows and Tunnelblick for Mac OS X; for a detailed discussion of each, refer to their respective home pages. It should also be compatible with Linux OpenVPN clients.

Generating Client Certificate and Key

Generating certificates and keys for a client is very similar to the process used for generating server certificates. It is assumed that you have already set up the /etc/openvpn/easy-rsa/ directory and updated the /etc/openvpn/easy-rsa/vars file as described above. You should have already setup your Certificate Authority and created your server certificate and keys.

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars ## execute your vars file
./pkitool client ## create a cert and key named "client"

Configuring the Client

The client configuration has been adapted from the OpenVPN 2.0 sample configuration file. For Windows, the file should be named client.ovpn and for other operating systems, the file should be named client.conf. The file can be created using vi or other editor that can create plain text files.

The configuration file assumes that there is only one TUN/TAP device configured on the client.

### Client configuration file for OpenVPN

# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote your.server.example.com 1194

# Client does not need to bind to a specific local port
nobind


# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3

Place the client.ovpn (or client.conf) configuration file along with the certificate and key files in the openvpn configuration directory on the client. With the above set up, the following files should be in the configuration directory.

client.ovpn
ca.crt
client.crt
client.key
ta.key

For OpenVPN GUI for Windows, the default location for the files is C:\Program Files\OpenVPN\config.

For Tunnelblick for Mac OS X, the default location for the files is ~username/Library/openvpn.

For further instructions, you may consult the official OpenVPN Howto

Windows XP / Vista tweaks

Here's a couple of tweaks that I always do whenever I come across an XP or Vista installation:

1. Disable autorun/autoplay

Ever noticed that whenever a new drive or CD is plugged in, Windows will automatically run whatever is on the drive, and if it doesn't find anything, it tries to find something by popping up an annoying search window? This is how Sony was able to install its rootkit onto unsuspecting users when they inserted their audio CDs, and this is often exploited by viruses.

Disabling autorun/autoplay takes 3 steps:

  • Go to this key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom and set the Autorun value to 0.
  • Go to this key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and set the NoDriveTypeAutoRun value to 255/FF.
  • Go to this key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and set the NoDriveTypeAutoRun value to 255/FF.

2. Do you use Vista and annoyed that you have trouble accessing network shares on an XP system?

Open this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

If it doesn't already exist, create a DWORD value named LmCompatibilityLevel and set the value to 1. Be aware that level 1 makes Vista send LM and NTLM responses (using NTLMv2 session security only if the other side negotiates it), which is weaker than its default of 3 (NTLMv2 only); the safer fix is to raise the XP machine to NTLMv2 instead of lowering Vista.

3. Are you having trouble using sysinternal's psshutdown or other remote services on Vista?

Open this key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system and set LocalAccountTokenFilterPolicy to 1. Then reboot. This disables UAC's remote restrictions, so local administrator accounts get a full administrative token over the network; that is exactly what pass-the-hash tooling relies on, so only do it on machines whose local admin password is unique and strong.

4. XP/Vista can get really chatty with the disk. If you notice XP/Vista accessing the disk WAY too often, try this:

  • Prevent XP from updating the last-access timestamp on each file it touches by opening this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, and setting/creating this DWORD value: NtfsDisableLastAccessUpdate=1. Vista already defaults to 1; note that this removes a timestamp forensic investigators rely on when reconstructing what was accessed.
  • Disable Superfetch by opening this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\MemoryManagement\PrefetchParameters and setting EnableSuperfetch to 0. The possible values mean:

0 to disable Superfetch
1 to enable prefetching when a program is launched
2 to enable boot prefetching
3 to enable prefetching of everything



Now, isn't that better?

Free large popcorn with large drink at AMC



Download and print the coupon whenever you go to AMC theatres.

BOGO T.G.I.F Coupon

Here's a buy-one-get-one-free coupon for T.G.I. Friday's. Ask nicely. :)




Using Freeswitch with Gizmo and Google Voice

Gizmo now has support for Google Voice, which means you don't need to use GV's web interface anymore to make outgoing calls. You can configure your SIP softphone or ATA to dial using Gizmo to have free long distance calling within the U.S. Alternatively, you can use Freeswitch to treat Gizmo as a trunk through which you can route outgoing calls.

First, set up the gateway profile as follows (the account number and password shown are placeholders; keep the file with the real password readable by the freeswitch user only):

<gateway name="gizmo5">
<param name="realm" value="proxy01.sipphone.com"/>
<param name="from-user" value="174712345"/>
<param name="from-domain" value="proxy01.sipphone.com"/>
<param name="caller-id-in-from" value="false"/>
<param name="proxy" value="proxy01.sipphone.com"/>
<param name="username" value="174712345"/>
<param name="password" value="apple"/>
<param name="expire-seconds" value="3600"/>
<param name="register" value="true"/>
<param name="register-transport" value="udp"/>
<param name="retry_seconds" value="30"/>
<param name="extension" value="174712345"/>
<param name="codec-prefs" value="$${global_codec_prefs}"/>
</gateway>

Second, add the outgoing dialplan so outbound calls go through the gateway:


<extension name="gizmo">
<condition field="destination_number" expression="^(1{0,1}\d{10})$">
<action application="bridge" data="sofia/gateway/gizmo5/$1"/>
</condition>
</extension>


Now to handle incoming calls from Gizmo. Let's say you want to route incoming Gizmo calls to extension "1000":


<extension name="Inbound-174712345">
<condition field="destination_number" expression="^174712345$">
<action application="bridge" data="user/1000@$${domain}"/>
</condition>
</extension>
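As an added example (not from this post and not FreeSWITCH code), here is a small Python re-implementation of how the two extensions above are evaluated: extensions are tried in order, the first matching condition wins, and $1 in the bridge data is the first capture group of the regex. The test numbers are constructed. Running it shows that 10- and 11-digit numbers go out through the gateway, the 9-digit Gizmo number only ever matches the inbound extension, and anything else, including 911 and international numbers, falls through the whole dialplan, which you would want to handle before relying on it.

```python
"""Added example: evaluate the two dialplan extensions above the way the
FreeSWITCH XML dialplan does (in order, first match wins, $1 = first capture
group).  Not FreeSWITCH code; the numbers below are constructed."""
import re

# (extension name, regex applied to destination_number, bridge data), in evaluation order
DIALPLAN = [
    ("gizmo", r"^(1{0,1}\d{10})$", "sofia/gateway/gizmo5/$1"),
    ("Inbound-174712345", r"^174712345$", "user/1000@$${domain}"),
]


def route(destination_number: str, dialplan=DIALPLAN):
    """Return (extension name, bridge data with $N expanded) for the first
    extension whose condition matches, or None when no extension matches."""
    for name, pattern, data in dialplan:
        match = re.match(pattern, destination_number)
        if match is None:
            continue
        for i, group in enumerate(match.groups(), start=1):
            data = data.replace(f"${i}", group or "")
        return name, data
    return None


def unroutable(numbers, dialplan=DIALPLAN) -> list:
    """Dialed numbers that would fall through the whole dialplan."""
    return [n for n in numbers if route(n, dialplan) is None]


if __name__ == "__main__":
    for n in ("4155551212", "14155551212", "174712345", "911", "01144207946000"):
        print(f"{n:>16} -> {route(n)}")
```

Because the gateway regex captures the optional leading 1 inside the group, the gateway receives the number exactly as dialed, so both 4155551212 and 14155551212 are passed through unchanged; if Gizmo expects one form, normalise it in the bridge data rather than relying on the caller.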

That's it for freeswitch, now you just need to enter your Google Voice account in Gizmo:



Happy calling. :)

What happened to BoA?


I must say her American debut is pretty disappointing. The songs are nothing like her Japanese counterpart back in 2002 that made her a star. Her latest single energetic sounds like a recycled Britney Spears song, and even her singing has degenerated into part-human, part-computer-synthesized vocal-- compare this to her first album's Don't Start Now (waay back in 2001) where she was actually singing (and very well). Granted, the video looks nice, and BoA has always been a good dancer, but somehow she lost her "brand" that made her so identifiable.

BoA was, in fact, the artist that got me interested in Korean/Japanese music at all. The very first BoA video I saw-- titled No. 1 -- was fresh, energetic, and unique in its sound. When her next single came out-- Valenti -- I was hooked and trying to get as much information on the Korean and Japanese pop culture. After all, when a dance song crosses the cultural and age barrier, something is definitely going the right way (this one though is hard to watch).

So, come on, BoA.. get back to your Asian roots, show those cool moves, and stop being a Britney Spears hack. Make me buy your CDs again at $30 a piece.

Security keys and online password management

If you're like most people, then you probably use the same password for multiple sites, and don't realize how crucial that password is. Take facebook, for example. You might think, "if someone manages to hack your facebook account.. no big deal. I don't have any credit card or financial information on it." But if you're like most people, you probably put a lot of personal information on facebook already, like your birthdate, name, home address, work address, the names of your friends and relatives (your mother's maiden name?). This is all prime information for identity theft. It doesn't take long for a hacker, once having control of your facebook account, to hack your email account (by resetting the password and answering those security questions like where were you born and what's your mother's maiden name... guess where all that information comes from?), and from there, hack into your other sites like amazon.com (where you probably do have credit card information stored) and banking sites.

So, the best way is to use different passwords for different sites, and make the password very hard to guess or hack through a dictionary--- for example, instead of using words, use completely random characters. But how would you remember the random passwords to all those sites? There are password management applications like Roboform that plug into your browser and automatically remember all your passwords for you. The local database is optionally encrypted with your own "master" password (so let's hope your computer doesn't get stolen and your master password isn't saved on your desktop in a text file). This works for some people, but there is a disadvantage. If you have multiple computers, it's a hassle to synchronize your password database across multiple computers, and the Roboform license is per machine, so it's relatively expensive to install Roboform on each machine you own-- not to mention that it's not available if you're using a public computer.

The convenient solution to that problem is to use an online password manager, and there are a handful of them--- Billeo, Lastpass, Clipperz, Mitto, mySafeBox, Passpack, etc. The idea there is that your passwords are encrypted locally on your computer, and they get stored online where it's "safe" and no one can access them except you (not even the "company"). If you take the "company" at their word, all your random passwords at all of your websites are now funneled into a single master password-- i.e. if a hacker manages to get their hands on your master password, then all of your passwords are compromised.

Two things come to mind:
  1. The saying, "a chain is only as strong as your weakest link."
  2. Hushmail
If you haven't heard of Hushmail, it's a secure email provider claiming that all of your emails are encrypted locally on your computer and your privacy is guaranteed-- i.e. no one would be able to read your email except you. But if you read this article, then you already know that such claims are false. To co-operate with the DEA, Hushmail customized their encryption code so that the password that the user enters to decrypt his mail was secretly sent to their server so they can decrypt them. On one hand, it's comforting to know that terrorists can't use Hushmail to secretly plan a nuclear attack. On the other hand, it's not too comforting to know that your emails aren't private after all, and that they can be turned over to state agencies at will. If you're planning a national revolution, forget it-- you'll end up getting shot in the face for treason against the state.

But lets assume for the moment that you're not a revolutionist. Using an online password management system leaves you vulnerable as all your passwords are funnelled into a single master password -- now hackers only need to hack one master password to get access to all of your information. This is also assuming that the company itself has no "leaks" and that there are no rogue/disgruntled employees with plans to sell your information to the mafia.

This is where security keys come in.

Security keys like the Yubikey, for example, provide an additional authentication factor (imaginatively called "two-factor authentication"), so, in addition to the username and password, you also need to enter a "security key." In the case of a Yubikey, the security key is a very long dynamic password that changes every time you use it. So, let's say you use this Yubikey on a computer infected with a key logger that captures everything you enter... they would get your username, password, and the security key itself... but the difference here is that the security key is valid only once, so if the hackers try to access your account with the same security key, the authentication would fail.

Now.. this is great... except for one thing. Yubikey, so far, isn't supported in many popular sites... facebook, amazon, your local banking site, etc. But one online password service does support the Yubikey--Lastpass. With lastpass's Yubikey support, a hacker won't be able to access your lastpass account without taking your yubikey as well. The disadvantage with lastpass is that the Yubikey support is only available for premium customers-- i.e. you need to pay money. Granted, their premium service is currently $12 a year... but, nothing beats free, right? So, luckily, I found a better alternative to Lastpass: Personal Identity Portal from Verisign.


Instead of using the Yubikey, which is a USB device that you need to buy for $25, PIP can use your cellphone (Blackberry, Symbian-based devices like Nokia and Sony-Ericsson) to access your security key, which changes every 30 seconds (feel like Jason Bourne, don't ya?). The only difference here is that you need to type the security key manually, whereas Yubikey enters the key for you. The advantages of PIP over Lastpass are that 1) PIP doesn't require a browser plugin to operate, and 2) PIP is operated by Verisign, the company that manages SSL certificates for many commercial websites, so you can have much more confidence in its security than small companies like Lastpass, where, for all you know, their whole server infrastructure can be running inside a small closet and guarded by Bob the security officer.

PIP also has additional services over online password management:
  1. Free 2GB online space to store your documents
  2. Security key support for other sites like Paypal.
  3. An OpenID provider.

On point 3, clavid.com is also an OpenID provider that supports Yubikey, but that's a different topic for a different time.

Will Obama's health plan make any substantial difference?

I highly doubt it. Read this post, for example, where a woman gave birth via C-section and received a 50k bill... read also the comments that followed. Then compare that with Obama's health care plan and ask, would that plan make any substantial difference?

I, for one, agree with the idea that health care should be socialized -- there are too many problems with the way U.S. capitalism works to allow an efficient, privately run health care system. Take, for example, a story I recently watched on the news where a teenage girl was walking along the sidewalk while texting. The sidewalk was under construction, and there was an open manhole in front of her, and-- you guessed it, she fell in. And... yes, you guessed it, her parents are filing a lawsuit against the city for having the manhole out in the open without any visible warnings (e.g. construction tape). The construction workers admitted that they left the manhole unattended for about 10 minutes when the girl fell in. While some might find negligence on the part of the city, I find this lawsuit outrageous and frivolous, for a simple reason: It's a freaking hole in the ground. If you're stupid enough to walk into it, then you deserve what you get.

The U.S. civil system meant to protect individual rights and the pursuit of happiness has devolved and been abused to protect the retarded without common sense, and used as a tool by those who are just greedy for money. Think about it, now those workers need to buy construction tape so stupid girls don't accidentally fall into a manhole while texting. Ridiculous. Another example? RIM, the maker of Blackberry devices, gets sued by NTP for violating their patents. You might say, "well, doesn't NTP deserve to get money for their invention?" Invention my ass. NTP is a holding company for patents-- they do nothing but sue other companies who violate their patents. So, think of it this way, one day I wake up with a great idea... I go to the patent office and create a patent for my "invention," then I sit and wait for someone else to implement that idea, and when they do: lawsuit. Someone else does the hard work of making that idea a reality, I just take the money.

This combination of degenerate, ethical decay along with a capitalistic system ripe for abuse is exactly why the healthcare system will never be as efficient as in other countries where healthcare is controlled by the government, or, for example, Malaysia or India, where their civil system isn't as "advanced" as the U.S. Healthcare is cheaper there because, for one, the doctors don't have to worry as much about malpractice suits and paying exorbitant insurance premiums, and that's just one facet of the problem of why healthcare costs are so high.

What is Truth?

Discussions related to philosophy and/or religion always interest me, partially because I have an opinion on just about anything and everything. So, this blog post is particularly interesting as it asks the question, "what is truth?" It's not referring to secular truth, or reality as in the words of agent Mulder, "The Truth is Out There," but rather, a truth of consciousness or life.

Truth is fundamental, as realizing the truth leads to a greater understanding of everything in life, such as vanity, pride, faith, honor. When someone asks, "what is love?" the typical response is usually, "love is that 'special' feeling that you have for someone'... but I reply with, "love is faith and honor." This answer is murky because while you have a pretty common understanding of "faith" through a worldly view of religion, what exactly is the meaning of "honor"? By knowing and understanding the truth, the meaning of "honor" becomes self-evident, and a whole new world suddenly opens before you which reveals the Christian saying, "God is love." At face value, this is nothing but a fortune-cookie statement that most Christian dogmatists say (just as they would say, "Jesus loves you"-- but I reply, "except for those people who go to hell"), but by understanding the truth, you can see this statement with a new, unfathomable depth, and then you'll realize just how deep the "rabbit hole" really goes.

The realization of truth is characterized by a freedom from inner hypocrisy-- by this I don't just mean the type of superficial hypocrisy where you say one thing but do something opposite (this just makes you a slumdog liar), but a hypocrisy of character where your actions defy or contradict your inner beliefs. For example, have you seen a vegetarian who vehemently refuses to consume any sort of meat for reasons of animal cruelty and driven by a self-righteous motto of "we're evolved human beings, there's no reason to be such a brute", but has no problems wearing leather shoes, eating an egg, or buying a car with leather interior? You kind of get the picture. As another example, I've conversed with Jews who believe in polygamy simply because it exists in the Bible, and therefore their conclusion was that God permits it. I said, "you can't have more than one wife, because when you lust for one, you will commit adultery to the other."-- this contradiction was largely ignored, and they continued to believe in a dogmatic way.

So what is Truth exactly? If you go to other websites, you will get nothing but synonyms (sincerity, enlightenment, blah), or different theories from people who tried to figure it out but never really connected all the dots. I'll tell you exactly what it is: Truth is an inner consciousness. This kind of spark in consciousness is the type that allows one to wake up one day and suddenly ask, "who exactly am I?" or "why am I here?" --- by this I don't mean the type of philosophical inquiries that sometimes pop into your mind when you're bored to tears (what is my soul partner doing right now? gee), but the type of inquiries that will keep you up at night and sweating in a panic. Some people are incapable and will never have this truth, and they will live all their lives in an utterly banal, superficial existence--- like the Stacie Orrico song goes, "is there more to life than just another temporary high?" For these people, the answer is a resounding NO.

A cover for Kindle DX

My "OCTO faux leather slip cover for the kindle DX" arrived today. The amazon reviews were pretty spot on... it's stiff and attractive (!), and pretty much addresses my main concern of the Kindle's screen getting scratched or the buttons getting messed up while tossed around inside my bag. The notch at the end allows you to grab the kindle by the head and pull it out (or push it in). A little bit counter-intuitive since my initial thought was to push the kindle in head first, but the cover clearly wasn't designed that way since I can feel a depression deep inside that was meant for the keyboard.

I was earlier intent on using the cardboard box that came with the kindle since it's a perfect fit, but it's also fat so the thickness fills up all the valuable space in my bag. So there goes $30. What the heck... a relatively small investment for a $400+ device. Now I just need to read a whole lot to make my investment worthwhile, and before the irreplaceable battery dies. :)

So, yeah. I subscribed to the Wall Street Journal, planning to read the thing daily on my Kindle and be fluent in current events so I can have an intelligent conversation with guys in expensive business suits. I think I've only read 3 issues out of 10 so far. Bummer. I think I'll cancel at the end of the month.