thisisthehabit

... it's a simple phone OS plus a web browser and some Google services.

It lacks some pretty fundamental things you'd expect from a smartphone.

• Ability to browse and view local files on phone memory or SD card, eg open HTML files, PDFs, etc
• An IMAP client that can delete messages, mark them as read on the server, etc
• Any ability at all to support corporate private CAs, since it can't import new CA certificates
• Any client certificate support for secure mail and intranet access
• Decent sync and backup facilities to a laptop/PC. Oh, wait, you only use Google services, right?
• ... and that's only what I found in a half-hour of running an emulated Android phone in the SDK while trying to figure out if it was a reasonable replacement for my dying Symbian S60 N95 (answer: no!).

This is Google's fancy new phone platform? Call me again in a few years, once you've grown up a bit - right now, even the iPhone OS is a more solid choice.

Why does NOBODY bother to support X.509 client certificates properly? They're a weak, poorly implemented afterthought in many systems if they're supported at all.

• Microsoft Windows: Perfect support, needs PKCS#12 (.p12) format. Most 3rd party apps (subversion, mozilla apps, etc) use own cert stores rather than the OS's for no good reason.
• Mac OS X: Limited support in OS keychain. No support in OS services like Apple Mail (IMAP+TLS, IMAPs, SMTP+TLS or SMTPs), WebDAV over HTTPs, etc so nfi why they bothered adding support to keychain. Some apps have their own support, eg Mozilla apps via NSS, but OS has none and apple apps have none. No 3rd party apps seem to look in system keystore.
• Linux systems: All major SSL/TLS libraries have support, but there's no system-wide or desktop-wide keystore or key management. Netscape security suite apps have good support but must install cert in each app. GnuTLS, OpenSSL apps must implement own cert management but can support - very app dependent. Real support inconsistent - eg Subversion supports, but many svn front ends don't handle cert prompts; Thunderbird supports via NSS; Evolution supports via NSS but has broken nss init code (I have a patch for it waiting for merging); etc. Overall painful but usually usable.
• Symbian (Series 60) phones: Support is perfect in OS and apps. Very smooth.
• Sony Ericsson phones: Seem to have no concept of client certificates, treat request for client cert by remote mail server as an SSL/TLS error.
• Windows Mobile phones: Basically perfect from all reports.
• Apple iPhone: Decent client cert store support. Unclear how much access 3rd party apps have. Used for safari; unclear if used for mail too. Oddly, better than Apple's desktop products.
• Android phones: are a near-total information void. Apparently it's just assumed you'll use Google's services, not (say) your own secure mail server with your work. Because, you know, who needs confidentiality anyway? If you download the SDK and phone emulator, you'll quickly find out that not only does the OS lack any way to import a client certificate or use one in negotiation, but it lacks any way to even import new CA certificates. That's stunningly, jaw-droppingly pathetic. Of course, this is a phone with a read-only IMAP client so it's not clear what, exactly, it's meant to do...

Sigh.

... are two of my favourite things. I do, admittedly, have a great many "favourite" things.

Phở

I've been playing with my pressure cooker. Having made a yummy chicken stock and turned it into fairly successful chicken and corn soup, I thought it was time to tackle something trickier.

Attempt one: wow, I don't often make things that bad. I didn't finish it. Insipid, and somehow kind of chalky. Ick.

Attempt two: took the lid off the pressure cooker and thought "yup, that did it" as the awesome cinnamon + star-anise + garlic + chilli smell punched me in the face. Silly happy dance time.

Experimental cooking is fun.

Cello

I saw FourPlay at the Fly By Night in Fremantle on Friday. They were awesome. Literally jaw-dropping, as those with me on the occasion can attest to. Those folks are astonishingly good with their instruments (a violin, two violas and a cello) when playing conventionally, but ... they're not very conventional. The creative variety with which they all used their instruments was astonishing and seriously impressive. They would've been great foley artists if they weren't such amazing musicians. Banjola is only the beginning.

As well as being incredibly good - and creative - with their instruments, as a group and as individuals they're interesting and delightful composers and arrangers too. Both their original and adapted music is fascinating.

I can't recommend them enough. Alas, they don't come to Perth much, but it's well worth keeping your eye out, especially since the tickets were only $25 each. They usually play at the Fly By Night, which is a pretty reasonable venue.

The only downside of this particular performance was the sound engineer they Fly By Night had on. I can only hope he was a stand-in on short notice. He was terrible. The band at several points were throwing oh-my-god glances at each other. He totally missed strong signals from band members to turn them up/down during or between songs, managed to make them sound kind of muffled for some of their songs, and evenmanaged to create feedback in the last set. Despite this attempted murder of music, the band sounded fantastic throughout most of their performance.

Fantastic show. Their recorded music really doesn't do them justice, especially if what you've heard is their earlier covers like Enter Sandman.

(I only wish the show hadn't conflicted with Friday night hangouts with folks I haven't seen in way too long)

• User calls. "How do I make a PDF smaller to email it" ?
• Me: [talks user through PDF optimiser]
• User: it still doesn't work, it comes back to me.
• Me: Odd. Did you have a look at the file size?
• User: No. [looks] It's exactly the same as the old file. 2.5 Mb.
• Me: Hmm, that's not very big. Got the bounce message? Have a look and see what the error is.
• User: Its in my trash. [looks] blah blah unknown address
• Me: Well, that's a hint, then.
• User: Guess so :S

The point? You don't have to be technically savvy to use simple problem solving skills, whether with computers or anything else. Instead, people seem to jump to a random conclusion, or at least one that's been the right answer one or more times in the past (but not always), try that, and get stuck.

I don't get it. I'm honestly puzzled and confused. We learned this stuff in primary school, right? Simple problem solving is a basic life skill. Why is it that so many people can't, or won't, do it?

Sure, they're often scared of computers and "turn their brain off" to an extent, but I see this all the time in other areas, technical and non-technical, to the point where I wonder how some people manage to live day to day.

Anyone want:

• A couple of different sizes of pine bookshelf
• Up to four off-white armchairs (very comfy)
• Some white deck chairs.

They're all just outside Perth city, off Lord St north of the freeway. Details on request.

There also might be a 24 inch CRT monitor (like this but without the hood and colourmeter) going later, though it's not a sure thing yet. Mention if you'd be interested. It's a great monitor, but do be aware that it's incredibly heavy - something like 40Kg - and not small.

Now ... I'm going to slip into blessed unconsciousness for a while.

Modern Linux systems actually have a central certificate store. It's a bit lacking in management UI so far, but it works, and you can use it instead of loading your PKCS#12 certificates into every app you use manually.

First, import your certificate into the GNOME keyring with:

gnome-keyring import /path/to/certificate.p12

Install the libnss3-tools package (containing modutil).

Now exit every application you can, particularly your browser and mail client. Kill evolution-data-server too.

Find all instances of the nss security module database on your homedir, and for each one (a) test to make sure it's not open and (b) install the gnome-keyring PKCS#11 provider in it. The following shell script snippet will do this for you. Just copy and paste it onto your command line:

for f in $(find . -maxdepth 5  -name secmod.db -type f  2>/dev/null ); do
  echo "Testing: `basename $f`"
  if fuser `dirname $f`/cert8.db >&/dev/null; then
    echo -n "In use by: "; fuser `dirname $f`/cert8.db; echo " - Skipping"
  else
    modutil -force -dbdir `dirname $f` -add GnomeKeyring \
            -libfile /usr/lib/gnome-keyring/gnome-keyring-pkcs11.so
  fi
done

Now all your NSS-based apps should know about gnome-keyring and use the gnome-keyring certificate store.

If you use Evolution and want client certificate support, patch evolution-data-server as per GNOME bug 270893 to enable that too. It'll use gnome-keyring automatically.

camel-tcp-stream-ssl.c:
-	/*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/
+	SSL_GetClientAuthDataHook (ssl_fd, (SSLGetClientAuthData)&NSS_GetClientAuthData, NULL );

The device you see on the right is actually the devil. Or, at least, it's close enough if you are a system administrator.

It is a single piece of hardware that controls your access to business-critical programs. Lost the dongle? Whoops, no classified ads in the newspaper this week. Dongle broke? Ditto. Dongle fried by a computer malfunction or power fault? Ditto. Computer stolen? Ditto.

What's even more fun is that as computers move on and older interfaces become obsolete, it becomes hard to even find a computer you can plug the dongle in to. Most machines don't have parallel ports anymore, so parallel dongles like this one are a big problem. At least that can be worked around using USB adapters.

Of course, then you run into exciting issues like XP being unable to allow 16-bit code access to the parallel port. The program would work fine on XP, but for the stupid bloody dongle. So you're forced to maintain legacy hardware or waste time on complex emulation/virtualisation options just to get the program working, when it'd be just fine but for this dongle.

So, if you are ever offered software for any reason that requires a dongle, just say no.