Category: software

Review of OpenVPN: Building and Integrating Virtual Private Networks by Markus Feilner (Packt Publishing)


Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. In order to comply with Federal Trade Commission regulations, I am disclosing that he received a free product sample of the item under review prior to writing the review, and that any links to Amazon.com in this article are affiliate links, and if you make a purchase through one of those links I will receive a small commission on the sale.
Cover of OpenVPN: Building and Integrating Virtual Private Networks

Before I start, let me give you a brief description of what’s in each chapter (this is taken directly from the Packt Publishing web site):

  • Chapter 1 looks at what VPNs are, how they evolved during the last decade, why they are necessary to modern enterprises, and how typical VPNs work. The chapter also covers some essential networking concepts.
  • Chapter 2 explains VPN security issues, including symmetric and asymmetric encryption, the SSL/TLS library, and SSL certificates.
  • Chapter 3 introduces OpenVPN. In this chapter, we learn about the history of OpenVPN, how OpenVPN works, and how OpenVPN compares to IPSec VPN applications.
  • Chapter 4 covers installing OpenVPN on Windows, the Mac, Linux, and FreeBSD. It covers the installation on Linux from the source code and RPM packages. Installation on Suse and Debian is covered in detail.
  • In Chapter 5, an encryption key for OpenVPN is created and it is then used to set up our first OpenVPN tunnel between two Windows systems in the same network. The key is then copied to a Linux system and this system is connected through a tunnel to the first Windows machine.
  • Chapter 6 shows how to create x509 server and client certificates for use with OpenVPN. easy-rsa, which comes with OpenVPN and is available for both Windows and Linux, is used.
  • Chapter 7 reviews the syntax of the command line tool openvpn, which enables building tunnels quickly. The configuration options of openvpn are covered in detail with examples.
  • Chapter 8 shows how to make the example tunnels created earlier safer and persistent by choosing a reliable combination of configuration file parameters. It then covers how to configure firewalls on Linux and Windows to work with OpenVPN.
  • Chapter 9 focuses on using xca, the advanced Windows tool with which x509 certificates can be easily managed. Its Linux equivalent, Tinyca2, which can even manage multiple certificate authorities, is also covered.
  • Chapter 10 covers advanced OpenVPN configurations, including tunneling through a proxy server, pushing routing commands to clients, pushing and setting the default route through a tunnel, distributed compilation through VPN tunnels with distcc, and OpenVPN scripting.
  • Chapter 11 shows how to debug and monitor VPN tunnels. It covers standard networking tools that can be used for scanning and testing the connectivity of a VPN server.

Although this may seem like a strange subject for this blog, I have recently become interested in the concept of Virtual Private Networks (VPNs) because of the increasing number of attacks on Asterisk-based systems using spoofed SIP credentials. SIP, the most popular protocol for VoIP, is an inherently insecure protocol – it relies on password protection only, and on most Asterisk boxes and in many VoIP devices and software products, the password is stored in plain text. On many systems, the user name is the same as the extension number, so all a potential intruder has to do is start a brute-force attack guessing passwords. The use of strong passwords along with the use of software like Fail2Ban (with iptables) can help minimize the exposure, but in the end it’s still only password protection.

Therefore, my feeling is that it would be much better to restrict extensions to access from within the local network (wherever possible), using the permit/deny fields in FreePBX or some similar mechanism, and then “tunnel” remote extensions through a secure VPN, so they appear to be on the local network. The VPN could do the heavy lifting for security (even making the actual calls secure, although that wasn’t a priority in my situation). My problem was that I knew next to nothing about VPNs, and most of the pages on the Web seemed to assume at least some prior knowledge. I needed something that would take me from zero knowledge to VPN guru. Unfortunately, at my age it’s a case of “the spirit is willing but the brain is a bit weak”, so I realized that the “guru” part might not come very quickly (just as a comparison, I’ve been playing with FreePBX since back in the Asterisk@Home days, and there’s still a lot I don’t understand, but for the first year or so I felt totally lost).

Since the folks at Packt Publishing were willing to send me a review copy of OpenVPN: Building and Integrating Virtual Private Networks, I decided to see if I could actually learn anything from the book. The first thing you need to know is that there are many types of VPNs out there, and each will only communicate with its own kind, as it were. The problem with most other tunnels is that they are either not all that secure, or contain proprietary code, or are incredibly complicated to set up and use (or some combination of the above). OpenVPN has several advantages, perhaps the biggest being that it’s open source (so you can, if you are so inclined, examine the code and make sure there are no “backdoors” built in), that it can be as secure as you want it to be (and it’s not that difficult to make it very secure), and that it doesn’t rely on a third-party service over which you have no control (like one VPN application that touts itself as “zero-configuration”). So of all the VPN methods out there, OpenVPN seemed like a logical choice.

Now, having said that, the book covers its subject in a very logical manner.  Advanced readers (those already familiar with the principles behind VPNs) might find the introductory material in the first chapters a bit tedious, but believe me, it was just what I needed to help me get a grasp on the subject. As you go further through the book, there are many actual examples, first showing how to set up a working VPN tunnel, then how to add additional security, and finally how to troubleshoot connections.  If you are brand new at this, like me, you will probably find that you learn a great deal from the first chapters but find the latter chapters (especially Chapter 10) a bit beyond your comprehension at first.  However, the person who has some networking or VPN experience under their belt may think the first chapters a bit elementary, but will find the real meat they are looking for in the latter parts of the book. Either way, I guarantee you will come away with a greater comprehension of the subject.

The book shows how to install OpenVPN on several platforms (Windows, Mac OS X using Tunnelblick, FreeBSD, and SuSE, Debian, and Redhat/Fedora based versions of Linux), but it seems like some platforms are better covered than others.  A disproportionate number of examples and screenshots seem to be based on a Windows installation, whereas the Mac gets very little coverage. Because there are so many variations of Linux, the coverage there is mixed, although it seems like SuSE and Debian are better covered than Fedora-based versions, which was just a little bit disappointing because most Asterisk and FreePBX systems are based on CentOS, which is a Fedora-based OS. But most of the information in this book is not OS specific, so I didn’t have any real problem following along.

The biggest disappointment for me was in Chapter 8, where the book covers the use of Webmin, but primarily as an aid to administration of the Shorewall firewall. Many Asterisk/FreePBX systems don’t use Shorewall, but instead use iptables (if they have a firewall on the Asterisk server at all). But what was really disappointing was that there was no mention of, nor instructions for the use of, the OpenVPN + CA module for Webmin (page is in Italian, but here is a description in English). I can only guess that because the book was first released in May 2006 and version 1.0 of the Webmin module had only just been released in January of that same year, the author perhaps hadn’t had an opportunity to work with the module before the final draft of the book was submitted to the publisher. I hope that if this book is ever updated and republished, there will be consideration given to adding a chapter on the use of the Webmin module to set up and administer OpenVPN. In the meantime, you can find instructions for using the OpenVPN + CA module in The ‘Point and Click’ Home VPN HowTo Guide.

That said, I felt I learned a great deal from this book.  I was able to set up an OpenVPN server (using the Webmin module, but the book definitely helped me understand the purpose of the various options, and when I checked the configuration file that the module generated I was able to spot a couple of things that weren’t the way they should be for my setup and was able to change them) and the Windows client.  It all worked beautifully.

My project now, when I have absolutely nothing else to do, is trying to get the OpenVPN client running on an Asus WL-520gu router that has the DD-WRT firmware installed (I inherited this project from someone else who couldn’t do it).  So far this has proven to be a tough nut to crack – although it should be easy because (if you get the right version of DD-WRT) there is a built-in OpenVPN client with a handy configuration page, it just doesn’t seem to work “out of the box” – and from what I’m reading on the ‘net, for every one person who says they’ve got it working, there are about twenty others who have become incredibly frustrated by the process (example here – note that the original poster says he got it working, but that’s followed by about 16 pages of comments, mostly by people who just can’t seem to get it to go).  It’s a bit strange because the Windows client will work perfectly (indicating it’s not an issue with the server) but the firmware client in DD-WRT just doesn’t seem to work.  If I ever get it figured out, I’ll try to post what I did in this blog, but so far I’ve had no luck.  That, however, is not the fault of the book – in my opinion it’s the fault of the writers of the DD-WRT firmware, who apparently included a half-baked OpenVPN client interface in the firmware (I know, it’s free software so I can’t really complain, but one does wish that they’d taken a bit more care to make sure it worked).

After having read the book, I do feel fairly confident that if I should throw in the towel and decide to dump DD-WRT and install a different firmware on the router (I’m thinking about trying the Tomato firmware with USB support) I would be able to install an OpenVPN client from scratch and make it work.  Probably the main reason I haven’t wanted to do that is because I very much prefer using a GUI to do things, and would like to try to make the OpenVPN GUI in DD-WRT work (even if it requires a little help), but so far that doesn’t seem to be panning out.

But I digress a bit – anyway, if you are wanting to learn about OpenVPN, whether or not you are a rank beginner you will benefit from this book. The numerous examples and screenshots make it almost impossible to fail to get an OpenVPN tunnel up and running (providing you’re not using a questionable firmware client). And, as I said above, the book is laid out in a very logical progression, so I really didn’t feel totally lost at any point (as so often happens when I try to read technical books). Especially in the case where your boss suddenly decides he needs VPN tunneling capability, and wants you to have one up and running in a very short timeframe, this would be the book to get!

OpenVPN: Building and Integrating Virtual Private Networks by Markus Feilner (Amazon affiliate link)

EDIT: This book has been updated and expanded under a new title — see Mini-review of Beginning OpenVPN 2.0.9 by Markus Feilner and Norbert Graf (Packt Publishing)

Improve the Mac’s ability to display colors


Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which in turn was reposted with the permission of the original author from a now-defunct Macintosh-oriented blog. It is reposted with his permission.

This article was originally posted in January, 2009.

One issue that some Mac “switchers” have encountered is that the colors on the Mac display look just a bit washed out compared to those on a PC. It’s generally not enough of a difference that anyone would complain; in fact, many new Mac users would think it was their imagination, or would attribute the difference to hardware variations (different display or graphics card).

In reality, however, there is a difference, and it is due to a configuration choice made by Apple. There is a page that describes the issue in some depth:

A solution to Mac “Save For Web” colour discrepancies

The gist of the problem is that Apple has chosen to, by default, go with a gamma setting of 1.8, whereas other systems use 2.2 as the default. On the above-mentioned page, it gives this bit of wisdom: “Unless you have a color management expert instructing you otherwise, select a 2.2 gamma and a D65 white point.” However, the white point is not as important as the gamma, and you may wish to use the default white point that has been determined to be right for your display. It’s most important to change the gamma setting, and calibrate the display in the process. How do you do this? By setting up a new color profile. This is fairly easy to do.

First of all, if you are using the “Shades” program (or any other program that gives you software control over display brightness or any other display parameter), go into the program or preference panel and turn it off before you begin this process, otherwise it may fight you at every step of the calibration process, turning an easy task into a really difficult one with less than satisfactory results.

Go to System Preferences, click on Displays, then go to the “Color” tab, then click on “Calibrate”:

System Preferences-Display-Color Tab

Then follow the instructions. BUT, before you change the setting of your display’s contrast (using the control on the display itself), make a note of the current setting. You will be changing it as part of the calibration process but once you are all finished, you may decide that you want to go back to that setting, or something reasonably close.

During the calibration, when you are asked to adjust the monitor’s brightness, it will say to set it to where you can “just see” the oval:

Display Adjustment screen

The only problem is, Apple’s idea of “just seeing it” and yours might be a bit different. We wound up using a setting that was a bit more than where the oval was just barely perceptible, but still a bit less than where the two halves of the surrounding rectangle started to appear as different, and that seemed to work best. Originally we tried setting it where the oval was just barely perceptible, but then after the adjustments were completed we couldn’t get a monitor setting that we liked (everything was too dark for our liking, particularly on some of the wallpaper).

When you get to this screen:

Target Gamma Selection

You want to select the “2.2 Television Gamma” because that is the setting used on most non-Apple computers, and therefore that is the setting that most graphics (including those on the Web) are adjusted for. This is the setting that Apple probably should have used in the first place – at least they give you the option to use it, but we think it should have been the default. On the next screen you’ll be asked to select a target white point:

Target white point selection

We suspect that “D65” and “Native” are very close on modern displays (perhaps even identical). You can try both and see which works best, or you can just go with the recommendation from the above-mentioned article to use D65.

EDIT: The second time I attempted to do this, the display calibrator crashed before I could save the settings.  If it happens to you, try this: In Finder navigate to Macintosh HD/System/Library/ColorSync/Calibrators/Display Calibrator.app and right-click on the application, then click on “Get Info”, and when the information panel is displayed, you should see a checkbox for “Open Using Rosetta.”  Check that box, and the problem goes away (at least it did for me, and for the people who posted replies in this thread).

When you are all through, you are likely to see color in places that only looked grey or washed out before. That is because Apple’s default color profile and gamma setting tends to wash out certain colors. But, unless you have just acquired your Mac, it will look strange to you, because it’s not what you’ve become used to. You may have to try adjusting the monitor’s brightness and contrast to get something you like. The interesting thing is that whites may seem “whiter” than before and that may throw you a bit, but it will also show how screwed up Apple’s default color profile is. Try it for at least a day or two before you decide you don’t like it. We found that by setting the monitor’s contrast back to the original setting (the one we told you to note in the previous paragraph) and then using the brightness to adjust the monitor for best picture yielded the best results, but your results may be different.

If you decide you really hate the calibrated profile, you can always go back to the default Mac color profile for your monitor, but then you can expect displays on other computers to look strange. Keep in mind that if you’ve gotten used to looking at washed out colors, it may take some time to adjust!

Stop entering passwords: How to set up ssh public/private key authentication for connections to a remote server


Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which in turn was reposted with the permission of the original author from a now-defunct Macintosh-oriented blog. It is reposted with his permission. Comments dated before the year 2013 were originally posted to The Michigan Telephone Blog.

This article assumes that you are already able to ssh into a remote server using a password (that is, that your account has been created on the remote system and you are able to access it). Here’s how to set up ssh public/private key authentication so you don’t have to use the password on future logins, or so you can use Public Key authentication with MacFusion.

First, open a Terminal or iTerm window, as we will be using it for most of the following operations. Navigate to your home directory and see if there is a folder called .ssh. Note that Finder will NOT show you this directory unless you have it set to show all file extensions, so since we are at a command line prompt anyway, it’s easiest to just type “cd ~” (without the quotes) to go to your home directory in Terminal or iTerm and type “ls -a” (again without the quotes – always omit the quotes when we quote a command) to see if the .ssh directory exists. If it does, go into the directory (“cd .ssh”) and see if there are two files called id_rsa and id_rsa.pub (use “ls -a” again). If either the directory or the files do not exist, you will need to create them:

ssh-keygen -t rsa -f ~/.ssh/id_rsa -C "your@emailaddress.com"

Replace your@emailaddress.com with your email address – this is just to make sure the keys are unique, because by default it will use your_user_name@your_machine_name.local, which might come up with something too generic, like john@Mac.local. It’s unlikely that anyone else is using your e-mail address in a key.  If this process fails with a “Permission denied” error, it might be because SELinux is enabled.  To check that theory, see How to Disable SELinux, which will show you how to disable it temporarily (for testing) or permanently.

Now, from your terminal window on your local system, execute this command:

ssh-copy-id username@remote

You can run ssh-copy-id -h or man ssh-copy-id to see the available options, but normally you don’t need any. In the event your system does not have ssh-copy-id installed, you can instead run the following three commands from a terminal or iTerm window on your local system. Whichever method you use, replace username with your login name and remote with the address of the remote system. Note that you should NOT be logged into the remote system when you execute these – these are run from a command prompt on your local system, and you probably will be prompted to enter your password (for the remote system):

ssh username@remote 'mkdir ~/.ssh;chmod 700 ~/.ssh'

The above creates the .ssh directory on the remote system and gives it the correct permissions. If the command fails (for example, I’ve had it complain that mkdir isn’t a valid command, even though it is on just about every Unix/Linux system), then either you have copied and pasted the above line and WordPress changed the single quotes to the “prettified” versions (so change them back) or you may have to actually log into the remote system (using a password) and enter the two commands individually (mkdir ~/.ssh followed by chmod 700 ~/.ssh). Then, if you don’t already have an authorized_keys file on the remote system, go back to your local terminal or iTerm window for this:

scp ~/.ssh/id_rsa.pub username@remote:~/.ssh/authorized_keys

The above creates a new list of authorized keys on the remote system (overwriting any existing file with that name) and copies your public key to it.  If you already have such a file and don’t want it overwritten, then you’ll have to manually add the contents of your local ~/.ssh/id_rsa.pub file to the end of the ~/.ssh/authorized_keys file on the remote system.

ssh username@remote 'chmod 600 ~/.ssh/authorized_keys'

This fixes the permissions on the authorized_keys file on the remote system. Once again, there may be the odd situation where you can only run the command within the single quotes from the remote system.

And, that’s basically all there is to it. If you are the system administrator of the remote system, but you don’t ever plan to login from a remote location as root, then for extra security edit the file /etc/ssh/sshd_config on the remote system (you’ll probably have to be root, or use sudo to do this task). Just use your favorite text editor on the remote system to open the file, and look for a line that says:

PermitRootLogin yes

And change the “yes” to “no”.

If you are still asked for a password after you are finished making the above changes, look for a line in /etc/ssh/sshd_config that says:

StrictModes yes

And change the “yes” to “no”. You’ll need to reboot or restart the ssh server for this to take effect. An alternate, and probably more secure fix is to check the permissions on your home directory – if it is not writable by anyone but the owner, then it should not be necessary to change the StrictModes parameter. For more troubleshooting hints see Debugging SSH public key authentication problems.
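The remote-side steps above (create ~/.ssh with mode 700, put the public key in authorized_keys, set that file to mode 600) and the permission conditions that StrictModes enforces, as an added example that is not part of the original post. The script below is a POSIX shell version of those steps that is safe to run more than once: it appends the key only if it is not already present, so an existing authorized_keys file is not overwritten the way the scp step overwrites it. SAMPLE_PUBKEY is a constructed placeholder, not a real key; in practice you would copy the script to the remote system and pass it the contents of your local ~/.ssh/id_rsa.pub.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent installation of an
# ssh public key into a home directory, plus a check of the permissions that
# sshd's StrictModes requires. Assumes only POSIX sh, find, grep and chmod.

# Constructed sample public key line for offline demonstration; NOT a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYDATA user@example.com'

# install_pubkey KEY_LINE TARGET_HOME
#   Creates TARGET_HOME/.ssh (mode 0700) if needed, appends KEY_LINE to
#   authorized_keys unless that exact line is already there, then sets the
#   file to mode 0600. Returns non-zero if any step fails.
install_pubkey() {
    key="$1"; home="$2"
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    # -x: whole line must match; -F: treat the key as a fixed string, not a regex
    if [ -f "$authkeys" ] && grep -qxF "$key" "$authkeys"; then
        :   # key already installed; nothing to append
    else
        printf '%s\n' "$key" >> "$authkeys" || return 1
    fi
    chmod 600 "$authkeys"
}

# check_key_perms TARGET_HOME
#   Checks what sshd verifies when StrictModes is "yes": the home directory is
#   not group- or world-writable, .ssh is exactly 0700 and authorized_keys is
#   exactly 0600. Prints each failing condition; returns 0 only if all hold.
check_key_perms() {
    home="$1"
    ok=0
    # -prune keeps find on the directory itself; -perm -020 / -002 test the
    # group-write and other-write bits respectively.
    if [ -n "$(find "$home" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$home is group- or world-writable"; ok=1
    fi
    if [ -z "$(find "$home/.ssh" -prune -perm 700 -print 2>/dev/null)" ]; then
        echo "$home/.ssh is missing or not mode 0700"; ok=1
    fi
    if [ -z "$(find "$home/.ssh/authorized_keys" -prune -perm 600 -print 2>/dev/null)" ]; then
        echo "$home/.ssh/authorized_keys is missing or not mode 0600"; ok=1
    fi
    return $ok
}

# count_keys TARGET_HOME: number of lines in authorized_keys (0 if absent)
count_keys() {
    f="$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then wc -l < "$f" | tr -d ' '; else echo 0; fi
}

# demo: run the steps against a throw-away home directory and report results
demo() {
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/home" && chmod 755 "$tmp/home"
    install_pubkey "$SAMPLE_PUBKEY" "$tmp/home"
    install_pubkey "$SAMPLE_PUBKEY" "$tmp/home"   # second run must not duplicate
    echo "keys installed: $(count_keys "$tmp/home")"
    check_key_perms "$tmp/home" && echo "permissions OK for StrictModes"
    rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo
```

Run `sh install-key.sh --demo` to see it exercise a temporary directory (one key line, permissions accepted). If key authentication still prompts for a password after the steps above, running check_key_perms against the real home directory tells you which of the three conditions sshd is rejecting, which is the safer fix the text recommends before turning StrictModes off.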

The above are very basic instructions for setting up ssh public/private key authentication. There are other ways to do this (including some that are arguably a bit more secure) but we wanted to keep it simple. Hopefully this will help someone who is using ssh, MacFusion, etc. and wants something a bit more secure and less bothersome than password access.

One other note:  If you find the connection drops within a minute or so, particularly after you’ve just purchased a new router, then on the client machine running Mac OS X edit the file /private/etc/ssh_config (under Linux it’s /etc/ssh/sshd_config and I don’t know what it would be called under Windows, or if they even have such a file) and add this line:

ClientAliveInterval 60

If it still stops working lower the timeout to 30. See How to fix ssh timeout problems for more information.

If you find my instructions confusing, try SSH Passwordless Login Using SSH Keygen in 5 Easy Steps.

And, for hints on making ssh more secure (particularly if you permit access from the Internet in general and not just your local network), see this article on Securing OpenSSH (via the CentOS wiki).

How to install Midnight Commander under Mac OS X (the easy way, using Rudix)


Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
Mc-screenshot
Image via Wikipedia

EDIT: New article for Midnight Commander users: Fixing Midnight Commander’s unreadable dropdown menus.

EDIT: This article has been revised to show the latest information as of 2012. Note that these instructions probably will not work unless you are running a relatively recent version of OS X. Also, you really should read How to install Midnight Commander under Mac OS X (the easiest way?) before using the procedure shown here!

I have to admit, I am one of those people who dislikes Linux for one major reason: Whenever you ask for help in any online forum, the knowledgeable people all seem to be command-line devotees, and they invariably give you instructions that involve typing long, arcane commands into the command line. I hate using the command line – if I had wanted to use a command line, I’d never have moved away from MS-DOS, and I cannot understand why Linux geeks insist on using it, and on trying to get others to use it. Even users of Linux distributions such as Ubuntu have found that when they go online asking how to do some function that could easily be accomplished using one of the GUI tools, often some obnoxious twit helpful person will reply by giving a bunch of stuff (that makes no sense at all to the uninitiated) to type in at the command line. One of the things I like most about Mac OS X is that you almost never have to do anything from a terminal prompt if you don’t want to, and Mac users seem to have a healthy disdain for using a computer as if it were still the 1970’s.

Long ago, when I was using MS-DOS, there was one tool that I had to have on any system I was using: Norton Commander.  The original, dual-pane file manager that made it oh-so-easy to do typical file manipulations like copying and moving files, viewing and editing text files, launching executables, etc.  without typing in DOS commands.  Norton Commander was such a great program that it inspired similar programs on other platforms, such as Total Commander under Windows, and the cross-platform muCommander that runs on just about anything (if it has Java installed).  In the Linux world, KDE users have Krusader, and Gnome users have Gnome Commander.

Mac OS X users have a number of choices, including the aforementioned muCommander and Xfolders, both of which are free. Possibly the best alternative today is XtraFinder, which is excellent and free — it adds tabs and other features to the OS X Finder, and can display dual panes in either a horizontal or vertical alignment.

However, despite your best intentions, there may come a time when you find yourself working at a shell prompt.  Maybe you are working with a Linux server, or on a Mac, maybe you can’t get OS X to come up but you are able to get to a terminal prompt (in my early days of using a Mac, this happened to me twice after OS X upgrades). More commonly, you are getting a permissions error on some file and can’t understand why – that’s very rare on the Mac, but it happens, and now you find yourself in the terminal trying to remember how to change permissions or ownership on a file (by the way, in most cases you should be doing this by right-clicking on the file in Finder,  then clicking on “Get Info” in the context menu, and then using the Sharing & Permissions section at the bottom of the information panel. But there are occasions when nothing else seems to work, and you want to go a bit deeper into the guts of the system). It is at those times when Midnight Commander may be the tool you want.

However, up until now there has not been a really easy way to install Midnight Commander on a Mac running OS X (at least not that I’ve seen).  But now, there is a package by Rudá Moura called Rudix, which is described this way:

Rudix features a world class collection of pre-compiled and ready to use Unix compatible software which are not available from a fresh installation of Mac OS X but are popular among other Unix environments. Here you can find utilities, programming languages, libraries and tools delivered as standard Mac OS X packages.

Now, I hear some of you “cut-my-teeth-on-Unix” types screaming, “What about MacPorts? What about the Fink project?” Those are all well and good if that’s your cup of tea, but they require a much higher level of Unix “geekiness” to install, and they add a lot of code that the typical user doesn’t need. Rudix will let you add a whole bunch of Unix utilities if you really want to do that, but if you only want a few needed utilities then the “Custom Install” button in the Rudix installation lets you select exactly what you want, and no more.

So here is how you would install Midnight Commander in Mac OS X, using Rudix:

Go to the Rudix mc: Midnight Commander page. Select the correct package for your version of OS X (filename ends in .pkg) and click on the package filename. On the next page, click the package filename again to download it to your computer. When it has downloaded, double click on it to run it. You should see a screen like this:

Rudix - Midnight Commander installer

Click “Continue” and continue to do so until it has been installed. That’s all there is to it!

I should point out that this used to be a much more convoluted process, and there was a much longer set of instructions here explaining it, but all those old instructions are superfluous now.

Once you have installed Midnight Commander, you will realize that you can easily install many other utilities commonly found on Unix/Linux systems, if they are available in the Rudix package list. Personally, I would not go hog wild on this – I’d only install the utilities you actually need, as you need them. One package I typically install is wget, because so many scripts (such as those written in Perl) expect it to be present.

Edit March 28, 2008: I made an interesting discovery tonight.  Normally I use iTerm as my terminal program, and Midnight Commander runs fine in that. What it does not seem to run so well under is the Terminal.app program that comes with OS X. What specifically does not work in Terminal.app, at least on my system, is the mouse.  Under iTerm, mouse clicks get passed to Midnight Commander in the normal manner, but under Terminal.app that doesn’t seem to be the case. Another thing that you can do in iTerm (but not Terminal) is hold down the ⌘ (Command) key and right click on a file to select it. So, for the “best user experience”, so to speak, I’d suggest downloading and installing iTerm, which has a lot of other nice features you’ll probably appreciate (and did I mention it’s free?).

Edit April 1, 2008: If, for some reason, you want to modify the color theme of Midnight Commander, here are a couple of blog posts that show how to do that:

And, the Midnight Commander manual is another good source of information on this subject.

Command line haters of the world, untype!
