| < | June 2010 | |||||
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | |||
I tend not to blog much (or at all) about what I do to pay my bills (safer in terms of NDAs and probably only of interest to a very narrow set of people). My latest professional transition is a bit too interesting to leave undocumented though.
After spending nearly four years at Thomson hacking network stacks, I thought I'd take on something radically different. Since Monday, I'm consulting for QinetiQ (aka Verhaert Space) hacking on fitness machines to be used in space.
I don't think it's possible to make a more radical transition.
This may be my first project where all the calculus and physics I studied will come in useful. I'm surprised with how quickly it all came back to me.
The new commute will be a bit expensive in terms of books (I estimate needing two books a week) but I think technical thrills are worth that.
I'll go back to writing travel adventures and general complaints again now.
My trusty x60s is "written off" this year, so it was time to get a new machine. Blatant consumerism and all that.
Unless you drink the Apple kool-aid and are able to put up with their programmer-unfriendly keyboards (though that's gotten better of late), ThinkPads are still the only reasonable choice for a laptop. The logical successor to x60s was the x200s.
While I'm generally very happy with the machine (it's even lighter than the previous one and the nine-cell battery lasts even longer - about 10 hours, PXE just works, suspend/resume just works, it still has a proper nipple instead of a silly touchpad -- basically, it's still a ThinkPad) Lenovo made some really strange design decisions this time round.
I have basically come to terms with the idea of "wide screen", even though it's unnatural and crazy. I find myself using :vsplit more than split, but I still think it's nuts.
This particular model comes with an Ericsson F3507g Mobile Broadband Minicard, which is a very fancy gadget. I haven't tried it yet, because I don't have a spare SIM, but it brings an amazing collection of radios with it. It also adds a privacy concern: "theft deterrents" in the BIOS. I don't particularly want my laptop reporting my location (there's a GPS radio in it) to anyone who listens at all times.
Presumably, these things need operating system support and I can turn them off in the BIOS, but how do I know they're really off? Time to spend some more quality time with the bootloader to make really sure.
Overall, I'm very happy with the new gadget. It does what I need it to do and will presumably do it until it's written off.
I'm still trying to decide what to do with the x60s now. Other than the keyboard, which is predictably beaten up, it's in fairly good shape. Probably donate it to a school or a geek in the larval stages.
Android-based phones use a lot of databases in the sky to determine where people are. Not only does it use tower information, it also uses information from nearby access points. Presumably, Google has a small army driving around all over the world, noting access points it finds. Maybe they're the same people who also take pictures of every building they see?
Today, my phone suddenly decided that I was in Beijing. Strange, I thought. I had no recollection of getting on a plane, the air was breathable and the people around me didn't look particularly Chinese. Indeed, there was overwhelming evidence that I was not in Beijing.
A short while later, my phone decided that I was in Brest. The one in Belarus, on the border with Poland not the one in France, or the one in Germany, both of which are at least in the same timezone as where I really am.
From Beijing to Brest in under ten minutes and yet, I don't think I went through any wormholes. In fact, I was quietly sitting at my desk near Antwerp.
Highly entertaining.
Of course, the building I'm sitting in contains an unusually high number of access points. Usually more than fifty, sometimes more than a hundred. Have Google's location soldiers been a bit too thorough collecting data near factories where wireless access points are built? Or do the databases get confused when you give them too much data? No idea. I don't think the databases or the source code used for location are publically available.
There are a number of interesting drawbacks to the phone thinking it's in the wrong location. It gets the weather (very) wrong, but I can look outside to know what the weather is like. It also helpfully adjusts the clock to its perception of local time. This would be annoying if I used Google Calendar or a similar application which (stupidly) keeps times for events local to where you add the event to your calendar, rather than local to where the event will take place. Certain websites also feel they should speak to me in a different language (and in this case, different scripts too).
Unfortunately, while you can tell the phone not to use wireless location at all, you can't tell it that you want GSM location but not WiFi location. While WiFi access points move around (possibly quite a bit) between manufacture and deployment, GSM location is a bit more deterministic.
Because the access points may move again, there's probably not much point in reporting the access points and their real location to Google. It would be much more useful to have the option to selectively disable sources of location information with more granularity.
I am realistic (cynical?) enough to know that turning location detection off probably adds zero privacy benefit to compensate for the reduced functionality (getting the right time as soon as you get off a plane, for instance) that I just leave it on.
If you're on the run for agents of an Evil Repressive Government, the first thing you need to do is ditch your mobile phone. Buy a new one (cash) if you really need to call someone. Or use a pay phone.
[I had never heard of the word "tethering" in this context until I started fiddling with this. Who came up with that silly word?]
After spending an inordinate amount of time getting my contacts into my HTC Hero phone without sharing the contact details of everyone I know with Google, I now want to start doing other useful things with it. Like reading my email.
Unlike "web 2.0" denizens, I'm not prepared to put my brain through a blender or take other drastic measures to reduce its functionality to convince myself that a tiny touchscreen interface is a good way to read email, let alone try to force email through a webserver or a crippled IMAP client. I have a lot of email and a perfectly functional mail client running in a screen somewhere reliable to get to it.
It's been a while since I had to pair a new device with my laptop and I discovered that the dbus-damaged Linux Bluetooth stack has become even more broken of late. It now requires me to run an undocumented bluetooth-agent application, which takes my pin in argv where it can conveniently be seen by anyone else who happens to be using my machine (which is no one, but still, you wonder what kind of people design software like this).
When I finally got the HTC Hero paired with my laptop, I discovered that its Bluetooth stack is more than a little handicapped:
[635] (luggage:/home/philip)# sdptool records 00:23:D4:xx:xx:xx
Service Name: Voice gateway
Service RecHandle: 0x10000
Service Class ID List:
"Handsfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 1
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Handsfree" (0x111e)
Version: 0x0105
Failed to connect to SDP server on 00:23:D4:xx:xx:xx: Connection refused
Note the conspicuous absense of "Dialup Networking" (0x1103).
How can they sell a (very expensive) "smart phone" in 2009 which doesn't even support the very basics of Bluetooth? I have a feeling they may be running the same tooth-decaying Bluetooth stack as my laptop. How very disingenious.
Time to void my warranty and figure out how to fix this.
Frustration.
Roadworks be damned. As I was biking to the station this morning, I had a somewhat unpleasant encounter with a car. I'm not quite sure whose fault it was, the roadworks made the situation somewhat ambiguous, but we'll assume that since the girl driving the car was more shocked than I, it was probably her fault. Who cares about assigning blame anyway?
Looking back, it must have been rather amusing. I smashed into the car basically face first and managed to bite my lip and bruise my chin. Other than that, I only dented my ego slightly and the front wheel of my bike is not entirely straight anymore.
Assuming neither of us was travelling at anywhere near the speed of light, I estimate the amount of kinetic energy being turned into "damage" was on the order of 1700J. v² really is a bitch.
Bruises heal fast.
This weekend, my bank (Citibank -- yes, they still exist) decided to implement a new online banking system. For some obscure reason, they decided that relying more on JavaScript would be a good idea. That seems to be a common trend among the crazy people who develop for "the web", so I'm sure I can forgive them for that.
I can't however, forgive them for the incredible stupidity that went into the password validation the webbies put in place. For online banking, I like to use a secure password. My password consists of many characters and I chose them from all over the ASCII table. It always worked fine too. In the new online banking system however, a JavaScript "alert" happily informed me that it couldn't validate my password and wouldn't even bother to submit the form so the backend could have a go.
Since I was reasonably confident that the backend would be quite happy with my password, I decided to try to get around the JavaScript madness. I must say that my respect and admiration for the crazy people who develop for "the web" has increased quite a bit during this ordeal. Not only do they target a completely ridiculous platform, they also have to put up with unbelievably awful tools.
Mozilla Firefox has a "JavaScript Debugger" extension. Unlike every other debugger, it doesn't appear to contain the functionality to set the program counter. If it did, I could just have set a breakpoint on the function that checked the "format" of my password and then set the program counter just after that function and be on my way.
The relevant bits of the function that check the format of passwords are:
var pwdPattern3 = /[^(0-9a-zA-Z)]/;
if( pwdPattern3.test(document.SignonForm.password.value) ){
alert(pwdFormat);
document.SignonForm.password.focus();
return false;
}
Fairly stupid. I would love to know what the developers of this were smoking! Just changing that regex to match characters which don't appear in my password would do the trick though.
But how can I change this regex? It took me ten minutes to discover that the JavaScript debugger has a tiny little box in the bottom left corner containing an unsorted (!) list of what they call "local variables". That pwdPattern3 doesn't look very "local" or even "variable" to me, but I'm sure that's a JavaScript thing more than anything else. To change it, I had to double click the name of the variable, which then popped up a modal window on another workspace than the one where I had the debugger running.
Very userfriendly guys.
In the end, I got past the check though. It only took me an hour or two. I will try to report this bug tomorrow, but I have a feeling that will be even more difficult than working around it. Operators at banks' call centres are not selected for their technical abilities. In the mean time, I also changed my password (which required working around a similar check, hiding in a different file -- I would hate to maintain this software) so I don't have to go through this ordeal every time I want to pay someone.
To end this rant on a positive note: once logged in, Citibank's online banking system still works well for me. It runs (mostly, except for the JavaScript) serverside and doesn't try to look "fancy". Pity it doesn't work in w3m anymore, but I guess I'll have to learn to live with that.
This time two weeks ago, I was in a tent somewhere near Cribs Creek on the West Coast Trail. This time last week, I was in Victoria, digesting a very tasty dinner. Today, I am at work, catching up with hundreds of emails.
Painful.
One of the first emails I read was from my travel agent, informing me that United has kindly cancelled the direct flights I was booked on in September between London and Denver. My cunning plan to get into the US without going through ORD was foiled again. To add insult to injury, United felt that 45 minutes would be plenty of time to change terminals in Chicago.
Wondering what they were smoking, I called United's Belgian phone number and was rather surprised that it was answered on the first ring by a gentleman in Bangalore. Very friendly chap but decidedly unhelpful. He wasn't even able to tell me what they were smoking.
Luckily, Connections continues to provide the excellent service I've come to expect from them and they were able to put me on an earlier flight in under five minutes on the phone. Unfortunately, they couldn't tell me what drugs United were on either. Regardless: if you're looking for a good travel agent in Belgium, I can highly recommend them.
Now for more email... And perhaps trying to see if anything still compiles.
I was reminded today that laptop hard disks really are unreliable. For some reason, my laptop disk just "gave up" earlier today. I have no idea why, but suddenly while I was working, it felt I should be allowed at my data anymore.
This does not please me. At all.
Happily, I have backups of pretty much all my important stuff -- in fact, I don't keep much important stuff on my laptop in the first place. Unhappily, my last backup is a couple of days old and seems to lack some configuration bits.
sigh
I've been back to work since returning from Tokyo on Monday. Busy busy.
Unfortunately, I have had to cancel my talk at the UKUUG spring conference at shorter notice than I would have liked if I were organizing the conference because of some unmaskable other demands on my time. sigh
Back to hacking now though. I hope to have some time this weekend to look at the shiny hardware I picked up in Tokyo. :-)
Unless you've been living under a rock, or you don't run a DNS server, you must have noticed quite a lot of queries for "." over the last couple of days.
This NANOG thread sums it up nicely:
http://www.merit.edu/mail.archives/nanog/msg14553.html
If your nameserver is configured correctly (not responding to queries for zones you're not authoritative for), the only real problem with this attack is that syslog will be polluting your logfiles with "query denied" entries a couple of times every second.
This gets old quickly.
I happen to have a PF firewall sitting in front of my nameserver:
table <ddos_targets> { \
# list of hosts
}
block drop in quick proto udp from <ddos_targets> port != 53 to any port 53
Using pfctl -t ddos_targets -T add ... I can easy add more hosts to the table when they start filling my logfiles. Firewalls can make life so easy.
Copyright © 2005–2010 Philip Paeps
All rights reserved.