Commercial software "support"
pumpkinhead
[info]thisisthehabit
The Anchor Networks head sysadmin has an opinion on commercial support for software that's pretty similar to mine - it's garbage. Both of us have learned this from painful experience.

The post is well worth a read if you're in a sysadmin/tech line of work. It mirrors my experiences with several vendors very closely, except that this particular case doesn't include any inter-vendor buck-passing or blame games. There's a reason more and more of the systems at work run on software I have source code to and can rely on myself to maintain - because that way, things actually get fixed.

If you think Anchor's experience with dedicated commercial support organizations is bad, you should try contacting tech support for incredibly expensive commercial software you've licensed and asking them to support their product! I've had totally disinterested or completely useless support from vendors of ten thousand dollar software packages. After all, just because I paid for it doesn't mean I should expect it to work as advertised or expect them to be interested in fixing bugs, right?

Adobe, Quark, MYOB, Apple. This means you.

Anyway, the downside of doing all the support work in-house is that you need to have the skills to understand and run the systems you use. You can't run a DNS server if you don't understand DNS, can't run a mail server if you don't understand IMAP, SMTP, POP3 and TLS, etc. However, given that vendor support seems to be totally useless except for problems a retarded monkey could figure out, it's beyond me how people with no understanding of the systems they work with ever get anything done, whether or not they're paying for support.

Maybe they don't? It'd explain a lot about many of the businesses I work with...

The best eBook reader for Linux is currently....
Microsoft Reader run under WINE.

Sigh. Not only is it the best, it's practically the only one unless you're content with fixed-format PDF. Few eBooks are available in, or reasonably convertible to, HTML, and even if they were there aren't any HTML renderers that can do half-decent H&J. None at all can hyphenate even poorly, and justification support tends to be limited to clumsy expansion-only justification that is ugly and not very nice to read.

So, to get a decent result one would basically have to hand-convert a plain text or HTML format book (possibly after pdf-to-text conversion) to TeX and typeset it for a particular display. That's not exactly a nice, convenient way to sit down for a good read. Even then, unless you use pdftex and read with Adobe Reader it won't even remember your place!

By contrast the Microsoft Reader .lit format is fairly widespread, supports automatic and somewhat decent H&J (though nothing on TeX / InDesign), remembers your place in each book in the library, tracks and manages the library without forcing a particular on-disk structure on it, supports easy drag-and-drop of a book onto the program even from Nautilus, etc. It's friggin' emulated* Windows software that hasn't been updated or improved since it was practically abandoned by MS in 2003 and it's still better than anything available natively for Linux.

The situation is just as dire for Linux-based (and Symbian-based) phones and tablets. Given the spread of Qt to more and more devices, as well as all major platforms, I'm increasingly tempted to start work on a Qt-based reader with decent H&J, library management, place tracking / bookmarking / margin notes, etc. But how can there not be something out there already? Am I just blind, or is there really a gaping hole this big in free software capabilities?

Any suggestions? Anyone interested in working on one?

* I know, I know; I just don't care that W.I.N.E.

Kill me mk II - Glandular Fever
Throat infection day 4 Glandular Fever. Kill me. I get 2 hours pain-reduced sleep from ibuprofen, 1 hour from paracetamol. Yes, it's safe to interleave them, for which I'm eternally grateful. You wouldn't think something like this would be so spectacularly, unrelentingly painful.

There's a rent inspection today, and I've been good for nothing much, so Molly's been slaving away heroically on the garden (since the property manager has a real thing about it) and the house. Thankfully we both did a lot of housework before her 30th, but that doesn't mean there's not plenty to do. She's been amazing, and has repeatedly shooed me inside when I stagger out to try to help. Being so stoic about it all and looking out for me at the same time - well, I'm sure impressed.


Ocean trash
I went for a walk along to the end of the main Koh Tao beach. The end past the boat piers, the part that isn't full of dive shops and restaurants.

It's absolutely covered with washed-up rubbish. Rubber bands, polystyrene food trays, drink bottles, plastic twine, more cigarette butts than you've seen in your life. I had a chat to a lady who was operating a windsurf/catamaran hire operation down that end of the beach, and she said the reason the main "tourist" beaches are clean is because the operators clean them daily. It's kind of sad to see.

On the other hand, she says much of the rubbish comes from the mainland. When the mainland floods in the rains it pours down the rivers into the ocean and the prevailing currents/wind wash some of it up here.

I did my little bit, and it's good that operators do clean things up to reduce the load staying in the ocean, but it's clearly a tiny part of what's going out there every day. Nasty. Most of it appears to end up here.

Tao
Night diving rocks. Way less disorienting than I expected and awesome fun. Saw a nice big barracuda, sea urchins out and feeding, all the coral polyps open to feed. Sweet stuff.

It really shows that Koh Tao isn't a marine reserve. Compared to Ningaloo it's dead and in particular there's not much larger fish life. Coral damage is also apparent, probably due to high boating and diving activity plus fishing - and careless divers. I don't feel great about indirectly being a part of that damage, though I'm certainly not careless when diving and don't do direct damage.

Thinking of doing some enriched air dives now I've improved my air consumption a little.

Haven't done much but dive here so far. Today's going to be quieter so I figure I'll hire a pushbike and cruise around a bit.

We've had a couple of strong rain squalls recently. The squalls are incredible to be out in - they come out of nowhere and drench the place with rain driven by sudden gusts that then just vanish leaving the place saturated but peaceful again. Going diving in one was awesome. It pushed the dive boat around so hard we ran aground against some rocks (oops) and all had to stand on one side of the boat so the captain could maneuver it off the rocks ;-) . Then for the dive we had to swim hard to the bow of the boat and hang on to the anchor line because the wind and the surface current it created was pushing us back quite quickly. Going from that wild surface with the rain pelting down on you to the unchanged peace only a couple of meters under the water was amazing - and flipping over to look up at the rain-thrashed chop above was more so. Very cool.

As well as the diving, I'm loving the freedom to do my own thing, not have to plan much or in detail, the flexibility to occasionally change my mind without fuss or upset, and the ability to just go and do things. Paul and I can sort things out so painlessly - it's frickin' sweet. Hell, we only have the one room key and we're both out different places much of the day, but it's proved easy to handle mostly because neither of us stress about it. We just get on with it - and neither of us are going to be hugely pissed if we can't get into the room for a couple of hours either; we can just go do stuff for a bit. I'm absolutely loving it. I can feel myself relaxing and unwinding, though a few things are still stressing/worrying me some.

Koh Tao
Anyway, I'm finally feeling human again after an epic first day here (up > 40 hours, on plane/bus/boat for 15 of those, then catch-up/party with my brother on the island) and liking the diving.

Two days, four dives. Sweet. After lunch and a nice long nap I'll be off for a night dive, which I'm absurdly excited about.

Koh Tao is nowhere near as cool as Ningaloo / Exmouth as far as diving goes - and I apparently had an extra-sweet run even for Ningaloo. Here the operators aren't as polished and professional ("no, no, depth gauge not work", "it's just a small leak, leave the tank turned off until you dive"), the instructor I'm with has a bit of a bored get-it-over-with attitude, and the crowd isn't that interesting. There are also hordes of divers, of which I'm admittedly currently one. It's still pretty frickin' sweet, though, what with being a pretty tropical island and all. The food doesn't hurt either.

Crystal Dive, who I'm diving with currently, are fairly decent. OK gear, good consideration of safety and maintenance within a few limits they set (eg: they don't give a crap if the depth gauges on the regs work or not). There's proper safety/emergency gear (ample oxygen, medkits, etc) on board the boats, they take roll calls on the boat, etc. Not perfect, but pretty good.

Oh: In absolute proof of my stupidity, I went down with my phone on the first dive today. Yes, that's my work's spare phone I borrowed because I went swimming with my own while on a dive course.

Gone fishing^Wdiving
I'll be back from Koh Tao on the morning of the 10th of September. My phone will remain reachable for emergencies, and I'll get my email occasionally.

There are windsurfers, catamarans, and of course lots of sweet dive spots. *bounce**bounce**bounce*

Wind power
This was initially a comment in response to a question of themink17's, but became somewhat longer than fits a comment so I've moved it here.

Why is wind power useless for most places?

Google Android is not a smartphone OS

... it's a simple phone OS plus a web browser and some Google services.

It lacks some pretty fundamental things you'd expect from a smartphone.

  • Ability to browse and view local files on phone memory or SD card, eg open HTML files, PDFs, etc
  • An IMAP client that can delete messages, mark them as read on the server, etc
  • Any ability at all to support corporate private CAs, since it can't import new CA certificates
  • Any client certificate support for secure mail and intranet access
  • Decent sync and backup facilities to a laptop/PC. Oh, wait, you only use Google services, right?
  • ... and that's only what I found in a half-hour of running an emulated Android phone in the SDK while trying to figure out if it was a reasonable replacement for my dying Symbian S60 N95 (answer: no!).

This is Google's fancy new phone platform? Call me again in a few years, once you've grown up a bit - right now, even the iPhone OS is a more solid choice.


Client certificate WTF

Why does NOBODY bother to support X.509 client certificates properly? They're a weak, poorly implemented afterthought in many systems if they're supported at all.

  • Microsoft Windows: Perfect support, needs PKCS#12 (.p12) format. Most 3rd party apps (subversion, mozilla apps, etc) use own cert stores rather than the OS's for no good reason.
  • Mac OS X: Limited support in OS keychain. No support in OS services like Apple Mail (IMAP+TLS, IMAPs, SMTP+TLS or SMTPs), WebDAV over HTTPs, etc so nfi why they bothered adding support to keychain. Some apps have their own support, eg Mozilla apps via NSS, but OS has none and apple apps have none. No 3rd party apps seem to look in system keystore.
  • Linux systems: All major SSL/TLS libraries have support, but there's no system-wide or desktop-wide keystore or key management. Netscape security suite apps have good support but must install cert in each app. GnuTLS, OpenSSL apps must implement own cert management but can support - very app dependent. Real support inconsistent - eg Subversion supports, but many svn front ends don't handle cert prompts; Thunderbird supports via NSS; Evolution supports via NSS but has broken nss init code (I have a patch for it waiting for merging); etc. Overall painful but usually usable.
  • Symbian (Series 60) phones: Support is perfect in OS and apps. Very smooth.
  • Sony Ericsson phones: Seem to have no concept of client certificates, treat request for client cert by remote mail server as an SSL/TLS error.
  • Windows Mobile phones: Basically perfect from all reports.
  • Apple iPhone: Decent client cert store support. Unclear how much access 3rd party apps have. Used for safari; unclear if used for mail too. Oddly, better than Apple's desktop products.
  • Android phones: are a near-total information void. Apparently it's just assumed you'll use Google's services, not (say) your own secure mail server with your work. Because, you know, who needs confidentiality anyway? If you download the SDK and phone emulator, you'll quickly find out that not only does the OS lack any way to import a client certificate or use one in negotiation, but it lacks any way to even import new CA certificates. That's stunningly, jaw-droppingly pathetic. Of course, this is a phone with a read-only IMAP client so it's not clear what, exactly, it's meant to do...

Sigh.


i1Pro *bounce* *bounce*
I have a fancy new spectrophotometer. *gleeful* *bouncing* *of* *joy*. The i1Pro (i1Basic package) will finally let me do all sorts of cool print and photographic colour calibration as well as much better display profiling.

(Note that the i1Basic doesn't enable anything but monitor calibration with the mfgr software - you need to use 3rd party software, pay extra to enable additional features, or buy the more expensive i1Xtreme package for $LOTS).

I'll be using it for work too. At any sane colour-sensitive workplace (like a newspaper) work would've bought one since it's less than two grand, but not my work, no.... Ah well, at least I have one to play with now, and maybe once they see the results they'll pony up for some software upgrades for me.

(Of course, literally three days after I bought the i1Pro, Graham Gill, who develops Argyll CMS, announced support for the much cheaper ColorMunki spectrophotometer ... but hey, the i1Pro is a much better instrument so no harm done.)

I got the instrument cheap (ish) - at AU$1500 ex GST and shipping compared to the AU$1800 quoted price. X-Rite force you to buy through exclusive local dealerships that add a huge markup, so while the US price is US$995 for the same instrument (AU$1200 @ current rates) you can't just order from the US. They won't ship it to you. You can use a US remailing service but X-Rite won't register it and won't support it outside the US - and neither will the AU distributor. You can't get it recalibrated etc without a painful amount of effort.

The AU dealership tries to claim it "adds value" ... but they don't do local advanced tech support, don't have any techs or offices outside metro Sydney, ship the instruments off to the US (3-4 week round trip) for calibration, and don't even keep spares in stock. So what value, exactly, do they add?

In other words, X-Rite are rip-off artists. Unfortunately they buy out all their competitors (like GretagMacbeth) so they're the only game in town. Like Quark, they'll suffer for their customer-hostile attitude and parallel import restrictions eventually, but right now they're in the "raking in the dough" phase.

If you buy something from them, do not pay list price. Negotiate. Hard.

At least, unlike Quark, X-Rite's product quality somewhat justifies their prices if not their international sales practices.

Time to resume wandering around measuring emissive spectra of light sources...

Dealing with dell can be pretty nice
"Yeah, I replaced your LCD as well, I wanted to do it just in case it was the problem not the LVDS cable, and anyway it had a few bright spots on it. This one is nicer."

Phở and cello

... are two of my favourite things. I do, admittedly, have a great many "favourite" things.

Phở

I've been playing with my pressure cooker. Having made a yummy chicken stock and turned it into fairly successful chicken and corn soup, I thought it was time to tackle something trickier.

Attempt one: wow, I don't often make things that bad. I didn't finish it. Insipid, and somehow kind of chalky. Ick.

Attempt two: took the lid off the pressure cooker and thought "yup, that did it" as the awesome cinnamon + star-anise + garlic + chilli smell punched me in the face. Silly happy dance time.

Experimental cooking is fun.

Cello

I saw FourPlay at the Fly By Night in Fremantle on Friday. They were awesome. Literally jaw-dropping, as those with me on the occasion can attest to. Those folks are astonishingly good with their instruments (a violin, two violas and a cello) when playing conventionally, but ... they're not very conventional. The creative variety with which they all used their instruments was astonishing and seriously impressive. They would've been great foley artists if they weren't such amazing musicians. Banjola is only the beginning.

As well as being incredibly good - and creative - with their instruments, as a group and as individuals they're interesting and delightful composers and arrangers too. Both their original and adapted music is fascinating.

I can't recommend them enough. Alas, they don't come to Perth much, but it's well worth keeping your eye out, especially since the tickets were only $25 each. They usually play at the Fly By Night, which is a pretty reasonable venue.

The only downside of this particular performance was the sound engineer the Fly By Night had on. I can only hope he was a stand-in on short notice. He was terrible. The band at several points were throwing oh-my-god glances at each other. He totally missed strong signals from band members to turn them up/down during or between songs, managed to make them sound kind of muffled for some of their songs, and even managed to create feedback in the last set. Despite this attempted murder of music, the band sounded fantastic throughout most of their performance.

Fantastic show. Their recorded music really doesn't do them justice, especially if what you've heard is their earlier covers like Enter Sandman.

(I only wish the show hadn't conflicted with Friday night hangouts with folks I haven't seen in way too long)


Problem solving
  • User calls. "How do I make a PDF smaller to email it" ?
  • Me: [talks user through PDF optimiser]
  • User: it still doesn't work, it comes back to me.
  • Me: Odd. Did you have a look at the file size?
  • User: No. [looks] It's exactly the same as the old file. 2.5 Mb.
  • Me: Hmm, that's not very big. Got the bounce message? Have a look and see what the error is.
  • User: It's in my trash. [looks] blah blah unknown address
  • Me: Well, that's a hint, then.
  • User: Guess so :S

The point? You don't have to be technically savvy to use simple problem solving skills, whether with computers or anything else. Instead, people seem to jump to a random conclusion, or at least one that's been the right answer one or more times in the past (but not always), try that, and get stuck.

I don't get it. I'm honestly puzzled and confused. We learned this stuff in primary school, right? Simple problem solving is a basic life skill. Why is it that so many people can't, or won't, do it?

Sure, they're often scared of computers and "turn their brain off" to an extent, but I see this all the time in other areas, technical and non-technical, to the point where I wonder how some people manage to live day to day.


Maginot line
Peter Thrush of ICANN recently commented that the Australian Internet Filter proposal is akin to the Maginot Line of WWII French fame. We all know how well that worked.

This is a surprisingly good analogy. The Maginot line presumed that the attacker would do what was expected of them, and wouldn't take the defenses into consideration when planning what they were doing. In much the same way, the Australian internet filter presumes that if it blocks what people do now, they won't change their behavior to circumvent the blocking with trivially available tools and techniques like encryption, tunneling, outside proxies, etc.

We already know that's an invalid assumption - not only is it rather contrary to general human nature, but it's being seen over and over in China with the Great Firewall. This despite the fact that China's Great Firewall is much more restrictive than Australia's is ever likely to be even under the most moralistic, conservative, idiotic government. Let's not forget, also, that in China it can be unhealthy to circumvent blocks that prevent you from accessing or posting information that's not meant to get around ... something I don't see becoming the case here.

So - in much more hostile circumstances, people still just waltz through the Great Firewall. Heck, I've done it myself - I had a workmate in China who needed unfiltered access, and it was the work of a few seconds to help him set up an encrypted SSH tunnel to a proxy on work's servers from which he could get to whatever websites he liked and do so undetectably. It's not even possible to tell that the encrypted data is web browsing data rather than something else.

Once again, it's clear that the only way the internet filter can work is if it's a whitelist. If a site isn't approved, you can't access it. If a protocol can't be inspected and content-filtered, it's blocked. No encryption of any sort may be used. Even that's imperfect due to cracking of whitelisted sites and use of them for proxies, etc.

It's a dumb idea. Why are we still wasting time and taxpayer money on such blithering idiocy?

Free stuff

Anyone want:

  • A couple of different sizes of pine bookshelf
  • Up to four off-white armchairs (very comfy)
  • Some white deck chairs.

They're all just outside Perth city, off Lord St north of the freeway. Details on request.

There also might be a 24 inch CRT monitor (like this but without the hood and colourmeter) going later, though it's not a sure thing yet. Mention if you'd be interested. It's a great monitor, but do be aware that it's incredibly heavy - something like 40Kg - and not small.

Now ... I'm going to slip into blessed unconsciousness for a while.


Rebuilding debian/ubuntu packages
This post is mostly a note-to-self reminder, but might be quite handy for other Debian / Ubuntu users.

Getting central certificate management working on modern Linux

Modern Linux systems actually have a central certificate store. It's a bit lacking in management UI so far, but it works, and you can use it instead of loading your PKCS#12 certificates into every app you use manually.

First, import your certificate into the GNOME keyring with:

gnome-keyring import /path/to/certificate.p12

Install the libnss3-tools package (containing modutil).

Now exit every application you can, particularly your browser and mail client. Kill evolution-data-server too.

Find every NSS security module database (secmod.db) under your home directory and, for each one, (a) check that it isn't open and (b) install the gnome-keyring PKCS#11 provider in it. The following shell script snippet will do this for you. Just copy and paste it onto your command line:

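# Run from your home directory. Reading find's output line by line keeps
# paths that contain spaces intact.
find . -maxdepth 5 -name secmod.db -type f 2>/dev/null | while IFS= read -r f; do
  d=$(dirname "$f")
  echo "Testing: $d"
  # Skip databases that a running application still has open.
  if fuser "$d/cert8.db" >/dev/null 2>&1; then
    echo -n "In use by: "; fuser "$d/cert8.db"; echo " - Skipping"
  else
    # Register the gnome-keyring PKCS#11 provider in this NSS database.
    # stdin is redirected so modutil cannot swallow the remaining find output.
    modutil -force -dbdir "$d" -add GnomeKeyring \
            -libfile /usr/lib/gnome-keyring/gnome-keyring-pkcs11.so </dev/null
  fi
done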

Now all your NSS-based apps should know about gnome-keyring and use the gnome-keyring certificate store.
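
Before running the loop above, it is worth checking that the PKCS#11 library being registered cannot be modified by an unprivileged user, and keeping a copy of each secmod.db that is about to be changed. The following is an added example, not part of the original post; the function names and the .pre-gnomekeyring backup suffix are hypothetical, and it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the backup
# suffix are hypothetical; assumes GNU find and stat.

# Succeed only if the PKCS#11 library is a regular file (not a symlink),
# owned by the expected uid (default 0, root), and neither the file nor its
# directory is writable by group or others. The module is loaded into every
# NSS application, so a writable path means code execution in all of them.
lib_is_trustworthy() (
  lib=$1
  want_uid=${2:-0}
  [ -f "$lib" ] && [ ! -L "$lib" ] || return 1
  for p in "$lib" "$(dirname -- "$lib")"; do
    meta=$(stat -c '%u %a' -- "$p") || return 1       # "<uid> <octal mode>"
    [ "${meta% *}" = "$want_uid" ] || return 1        # owner must match
    [ $(( 0${meta#* } & 022 )) -eq 0 ] || return 1    # no g+w / o+w bits
  done
)

# Print every directory under $1 (same depth limit as the loop above) that
# holds an NSS security module database.
nss_db_dirs() {
  find "$1" -maxdepth 5 -name secmod.db -type f -exec dirname {} \; 2>/dev/null
}

# Keep one pristine copy of secmod.db; an existing backup is never overwritten.
backup_secmod() {
  [ -e "$1/secmod.db.pre-gnomekeyring" ] ||
    cp -p -- "$1/secmod.db" "$1/secmod.db.pre-gnomekeyring"
}

# preflight ROOT LIBFILE [UID]: refuse if the library fails the check,
# otherwise back up each database and print the directories that are ready.
preflight() (
  root=$1 pkcs11=$2 want_uid=${3:-0}
  if ! lib_is_trustworthy "$pkcs11" "$want_uid"; then
    echo "refusing: $pkcs11 fails the ownership/permission check" >&2
    return 1
  fi
  nss_db_dirs "$root" | while IFS= read -r d; do
    backup_secmod "$d" && printf '%s\n' "$d"
  done
)

# Typical use, followed by the modutil loop from the post:
#   preflight "$HOME" /usr/lib/gnome-keyring/gnome-keyring-pkcs11.so
```

If a modutil run goes wrong, copying secmod.db.pre-gnomekeyring back over secmod.db (with the application closed) restores the previous module list.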

If you use Evolution and want client certificate support, patch evolution-data-server as per GNOME bug 270893 to enable that too. It'll use gnome-keyring automatically.


Getting GNOME Evolution to offer a client certificate for IMAP SSL/TLS
GNOME Evolution isn't noted for its client certificate support. Entries in the bug tracker about it have rotted for years, and it has absolutely no acknowledged support whatsoever. Most other mail clients have had client cert support for years if not decades.

Unfortunately, Evolution is quite attractive in other ways - calendar integration, LDAP address books, etc. Unlike Thunderbird (especially when large images are involved) it also has acceptable performance over remote X11 connections.

So - I'd rather like to be able to use Evolution, but its client support ... isn't.

It turns out, though, that Evolution uses the Network Security Services library from Netscape/Mozilla. It's used, among other things, for IMAP SSL/TLS support. This library does support client certificates; after all, Thunderbird and Firefox support client certificates and they do their crypto through NSS.

Is it not then possible to introduce a client certificate at the libnss level, so Evolution doesn't even know it's doing client certificate negotiation during its hand-off to NSS for SSL/TLS setup?

Why, yes, it is, and it takes one line of code in camel-tcp-stream-ssl.c to do it.

camel-tcp-stream-ssl.c:
-	/*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/
+	SSL_GetClientAuthDataHook (ssl_fd, (SSLGetClientAuthData)&NSS_GetClientAuthData, NULL );
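
Review bot: The added call passes NULL as its last argument where the commented-out call passed certNickname, so nothing in this line selects which client certificate is offered; the choice is left entirely to NSS_GetClientAuthData, which matters as soon as the store holds more than one identity. Consider threading a per-account nickname through instead of NULL. The return value of SSL_GetClientAuthDataHook is also discarded, so a failed hook registration would only show up later as a handshake with no client certificate; check it and fail the connection setup. The (SSLGetClientAuthData) cast looks unnecessary and would hide a signature mismatch if the prototype ever changed; drop it if the call compiles without it.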

Dongles are evil. E.V.I.L.

The device you see on the right is actually the devil. Or, at least, it's close enough if you are a system administrator.

It is a single piece of hardware that controls your access to business-critical programs. Lost the dongle? Whoops, no classified ads in the newspaper this week. Dongle broke? Ditto. Dongle fried by a computer malfunction or power fault? Ditto. Computer stolen? Ditto.

What's even more fun is that as computers move on and older interfaces become obsolete, it becomes hard to even find a computer you can plug the dongle in to. Most machines don't have parallel ports anymore, so parallel dongles like this one are a big problem. At least that can be worked around using USB adapters.

Of course, then you run into exciting issues like XP being unable to allow 16-bit code access to the parallel port. The program would work fine on XP, but for the stupid bloody dongle. So you're forced to maintain legacy hardware or waste time on complex emulation/virtualisation options just to get the program working, when it'd be just fine but for this dongle.

So, if you are ever offered software for any reason that requires a dongle, just say no.
