Craig Box's journeys, stories and notes...


Archive for the ‘Technical’ Category

Waikato Linux Users Group nominated for New Zealand Open Source Ambassador of the Year

Sunday, September 30th, 2007

The shortlist of nominees for the New Zealand Open Source Awards has been released, and I'm glad to announce that the Waikato Linux Users Group (WLUG) is a finalist.

WLUG was nominated for the "Open Source Ambassador" award, and is sandwiched between Lynne Pope, who was involved with a Mambo portal for Hurricane Katrina victims, and Peter Harrison, past president of the New Zealand Open Source Society.

The idea of a user group is a strange thing. We must assume that user groups are strictly in the computing field, because as we know, the only two fields that refer to their participants as 'users' are computers and drugs. (Side note: there's a movement for everything, even if only a Facebook group: a call not to use the word 'user', and some discussion on alternatives.)

A definition of user group I found online is "a voluntary group of users of a specific computer or software package, who meet to share tips and listen to industry experts". Sounds innocuous enough. It's somewhat similar to what would be named a 'professional society' in other fields, where you get together monthly and listen to a speaker.

WLUG started out as a mailing list for people with a common interest in the Linux operating system. For readers like MY MUM, Linux is a free operating system (an alternative to Microsoft Windows), which can be freely downloaded, installed, changed and redistributed by everyone. It runs everything from Google to cellphones. It's always been popular with universities and computer geek people, and it's got a reputation for being difficult for the regular person. A users group lets people who know, help out those who don't.

From the list, WLUG grew into a group that had regular monthly meetings, and then, thanks largely to the effort of first President, Daniel Lawson, to an incorporated society.

In my opinion, the single biggest success of WLUG was the wiki. Started by Perry Lorier in 2002 (Wikipedia, which was founded in 2001, looked like this around the time, and was really still just a twinkle in the eye of people wanting to chronicle every TV episode ever), the WLUG wiki quickly grew. Over time, it became a huge knowledge base of arcane problems and solutions, as well as FAQ-esque documents, full guides to how to do things, local knowledge, and opinion-laced commentaries and debates (no neutral-point-of-view policy here!).

Perry credits me with a lot of the initial growth of the wiki, because I had just started my first job out of Uni at the time, and was asking a lot of questions. Whenever someone pointed me at the means to find out an answer, they also suffixed "please wiki it" - thus, a knowledge base was born. I'd like to turn around and mention Matt Brown and John McPherson, two very smart guys who did most of the maintenance of the software: Matt ended up as the Debian phpwiki maintainer after fixing bugs in our installation, spearheaded the license change to Creative Commons, and along with his wife Kat, gave us the design we have today: and John not only brought Waikato University's Greenstone search to our wiki (again, before Google made it easy to provide website search), but wrote the WLUG library software also. I went to both Matt and John's weddings; a friendship fostered in part by our shared involvement in the group.

Also deserving of mention here is Aristotle Pagaltzis: a Greek/German gent, who, in his words, "came here for a Google hit on SSHNotes [and] decided to stay for the rest of the content". He's spent countless hundreds of hours adding, editing and tidying up our content, making pages read less like a conversation and more like an article. We've never really "met" him, but he's one of the family.

As the wiki concept caught on with others, WLUG's niche has been less well-defined. Our topics were loosely "things related to the group" and "things related to Linux": at one point, our ClamAV page was the official ClamAV wiki, and we're the somewhat official chronicler of New Zealand's internet history. In fact, I started this blog mostly because I had lots of little pieces of Windows sysadmin information I wanted to put on the web somewhere, but it didn't really fit on a Linux site. But now every open source project has its own wiki, and if you find an answer to a question, there's normally a "more correct" place to put it. We're not just a footnote though: as members, old and new, keep doing cool things, they keep putting them in the wiki. For more information, there's a wiki history page.

Alan and Perry help someone install Linux on their laptop at the 2005 WLUG installfest.

The group has done lots of other things: we run servers, arrange installfests, promoted Linux and Open Source through events like Software Freedom Day, and have continued to have a monthly speaker on an interesting topic. Greig McGill, Lindsay Druett and Ian McDonald all served a year as President. Jamie Curtis also deserves mention here for keeping us with a room to meet in, and always pitching in to help with events.

Most of the people I've mentioned have, at one time, been students of Waikato University. A lot of people with a background that suits Linux come to Waikato for the strong Computer Science program. Some stay longer, some move on. I say "we" in this article, even though I don't live in NZ at the moment - many of the people who have moved on still keep in touch, and feel a pride and ownership in the continued success of the LUG.

User groups are whittled away at by increasing usability (you don't have to be a genius to install Linux any more) and the instantaneous availability of information on the Internet. Specifically for Linux, more people are using it for their work, but at the same time, those people don't have the time or inclination to meet up once a month. It also just happened to be a moment in time thing: a good group of committed people were around. As people grow older and do things like move overseas or get married (or just that old men like Kyle don't like to go out to meetings on a cold night), numbers will decrease. Others will step up to take their place, and the old hands are always happy to help, if only for the knowledge that what they contributed to is bigger than any one of them, and worth keeping alive.

New president (and long time committee member) Bruce Kingsbury will be representing the group at the awards dinner, but should we win, it will be due to the success of everyone who's ever been involved with the LUG.

No window decorators in Compiz in Ubuntu Gutsy

Sunday, September 23rd, 2007

I just upgraded an Ubuntu machine from Ubuntu Dapper to Gutsy. For starters, don't do this. The supported path is D -> E -> F -> G, but I'm hax0r, so I wanted to do it in one step. It's possible, but took a lot more effort than it was worth.

Gutsy has Compiz as default, but the upgrade left me with no window decoration (borders, title bar, etc). I did what I thought was deleting my entire GNOME prefs/gconf tree, but still didn't get a fix. I did find the answer eventually: re-enable the decorator plugin.

You can do this, and enable a good bunch more also, like so:

gconftool --set /apps/compiz/general/allscreens/options/active_plugins \
--type list --list-type string \
'[gconf,png,svg,decoration,wobbly,fade,minimize,cube,rotate,zoom,scale,move,place,switcher,screenshot,resize]'

This hard-to-find answer was brought to you by Brice Goglin's blog.

Standards NZ get it 100% right

Friday, August 31st, 2007

I would like to take a moment to divert from the travel nature of this blog and express my satisfaction that Standards NZ has voted "no with comments" to the fast-tracking of Microsoft's new "OOXML" document format as an ISO standard. I also need to offer my congratulations to the NZOSS, particularly new president Don Christie, Matthew Cruickshank and Chris Daish for their efforts in presenting a clear, technical and rational case as to why voting "yes" would have been a bad idea.

A "no" vote doesn't mean saying "get lost, Microsoft" or not standing up for innovation: they're saying "Here's all the areas your proposal falls down in: fix them and get back to us".  A very important comment is "There's already an open document standard, why not just use that?"

They're also not saying "never". Microsoft want to fast-track the adoption: why can't they wait in line, like everyone else?

I'm not an open-source shill: I'll rattle off the standard "MCP, writing this from Windows, worked as a Windows sysadmin for almost 5 years, sometimes C# programmer" etc - but the point here was Microsoft could have worked with others, implemented an open standard, and probably not lost any sales of Office 2007 in the process.

NZOSS is clearly going places under its new leadership, and it's unfortunate I'm not in NZ to be able to contribute!  (Also, it seems you really have to be in Wellington to make the differences that matter... oh well, at least it's not Auckland!)

New camera

Wednesday, July 4th, 2007

You can't take a picture of your new camera, with your new camera.

Instead, you can document the first picture your new camera ever took:

First picture ever with new camera

It's the Canon S5 IS (S1, S2, S3, S5 - where'd S4 go?), and yes, 48x zoom is plenty to see the hairs on Pete's nose.

S5 IS camera

Fixing the password problem on small business networks

Thursday, June 28th, 2007

I've been involved in commercially supporting Windows networks for almost 5 years now, having dealt with hundreds of users across dozens of different companies. Most of the clients we support are "small businesses", which makes sense, as it is quoted that 97.3% of private enterprise in NZ is small/medium sized, accounting for 49.4% of private sector employment.

These companies, for the most part, don't have the infrastructure for a large, homogeneous IT environment.

And you know what?  They couldn't care less.

They make do with what they always have - buying PCs piecemeal, having Office 2000 on some PCs and Office 2003 on others, and - the kicker - knowing everyone else's passwords, instead of sharing data.  Even though products like Microsoft Exchange allow you to do things like delegate access to someone else's mailbox, they still claim they need to all have their passwords set to 'password', or documented in a book, in case they need to sit at someone else's PC.

People don't do what PCs suggest they should do. No one really wants the multi user functionality that PCs have now.  In small business, people want to be able to use the line-of-business application, a web browser, and access their own e-mail and files. They might like the idea of having some personalisation (some care for it, some don't), but overall, having to log out as you and log in as me takes longer than the effort required just to use the application as set up on your profile.

So, as a sysadmin, I want people to use strong passwords.  I have to wean them off the idea of needing someone else's password to get at their data.  And I want to work how they work, not how I think they want to.  They want the desktop you use when you're filling in for someone to look like it did when they were learning over the first person's shoulder.

The primary solution put forward by Microsoft is "roaming profiles", where you can log into any machine, and have your applications loaded.  Say you've got a shortcut to Word 2003 on your desktop, and you roam that profile to a machine with Word 2000 on it.  Doesn't work.  Good for volume licensed customers with the same software on all PCs, but not good for us.  Doubly bad when you look at how people actually work - the accounts clerk has MYOB and payroll software installed, some managers will have banking software for authorising transactions, sales people may have a line-of-business application that analysts don't need, etc.  It's not worth ensuring that the software is on everyone's machine, it means unnecessary licensing costs, and in the case of things like payroll software, people want to know it's not available to everyone.

So, roaming profiles are out.

When someone is away, their mail and phone are diverted, but their PC sits there unused, or someone has to sit at the desk - they try and find the icons you used to click, but their new profile doesn't have the shortcuts, or the per-user registry keys required for some random application.

Let's look at some other possible solutions:

Terminal services or Citrix MetaFrame

Put everyone on a thin client and make everyone use a central server.  Good plan, large investment required, takes a lot of time to change from an office of fat-clients to a thin-client environment, and not all SME apps are TS friendly.  Also, if you scale to needing more than one TS, then you're back at square 1 with needing the apps to be in synch across two machines.

Virtual machinery

Abstract the access away from the machine - have a bunch of passwords all able to unlock the same machine.  Wasteful.

Change someone's password temporarily if you need to use their account

Tried this.  At present, there is no way for the Administrator to change someone's password, store the original hash, and set it back at a later date.  I think it's worth implementing though.

Cheat biometrics

Biometric sensors, like the fingerprint scanner on my T60 laptop, can be 'cheated': in an office of 10 people, with 10 fingerprints able to be stored, why not store everyone's fingerprint on everyone's computer?  Requires buying a scanner for everyone's PC.

Insecure machine accounts, delegated access to data

Why not have everyone have a 20 character password, but have a single password for logging into the machine in the morning?  You could have a "machine user" account on each machine, and delegate e-mail access for everyone necessary to the machine.  A bit more administrative overhead but a possible solution.

Craig's "Silver Bullet" answer

My favourite suggestion is delegating access to your profile, or your profile/PC combination. This is what Exchange lets you do now with e-mail - why not extend this to user accounts also? Presumably, the component (a "GINA") that handles authentication for the fingerprint reader could be made to start loading another account, separate from the one you entered the password for?

Therefore, we can have a 1:1 mapping of people to passwords, so no-one ever has to know anyone else's, and then we can have a 1:many between computers and users, without needing messy multiple profiles.

Anyone see any problems with this approach?  If not, why haven't you written it yet?  Look perhaps at pGina as a base. My (ex-)small businesses will pay.

Cool shit for cheap. Support a good cause!

Monday, June 25th, 2007

Note: this stuff is all sold.

Today's cool shit you can get for cheap:

  • IBM X220 4U tower server
  • IBM X232 5U tower server
  • IBM X346 2U rack server w/Windows 2000 SBS
  • IBM X300 1U rackmount server
  • IBM X225 4U rackmount server
  • Compaq Proliant ML350 G3 w/Windows 2000 SBS
  • IBM X200 4U rackmount server
  • 3Com OfficeConnect VPN Firewall
  • Cisco C1912 Catalyst 1U Rack 24x10Mbit/2x100Mbit
  • Farallon Ether10-T Starlet/16 Rackmount Hub
  • HP LaserJet 1000
  • Pleaides USB 2.0 / LAN disk enclosure

Especially cool is the G3 server, which has its hard drives packed like this.

This should be the last run of servers we sell before I leave IT Partners. Also, be warned that the X200 is my personal machine, and the more you bid on it, the more money I can put on the bar at my leaving party!

Album distribution

Saturday, June 23rd, 2007

Guess what year acquiring music from the Internet really came into its own...

MP3 album distribution

USB devices and drive letters

Friday, June 22nd, 2007

A year ago, I ranted about the fact that Windows will map a newly added USB drive on the first available drive letter, even if there's a subst'd or mapped network drive on that letter.

Kyle pointed me to USBDLM, the USB Drive Letter Manager. This is a piece of software that, as well as working around this bug, will allow you to ensure that bad USB devices are always mapped to the same drive letter. It's free for personal or educational use, but costs for commercial use. Not that it's really a solution - Microsoft, this is a simple bug that you could fix today. It is an exercise for the reader to get Raymond Chen to tell me why it's not as simple as I think.

Mongrel upload progress problem - cause found

Friday, June 15th, 2007

Per my previous post on upload progress in Rails, I can now confirm:

The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.

Which means, cat site.cer chain.cer Equifax_Secure_Global_eBusiness_CA-1.cer site.key > site.pem.

I've backported Pound to Ubuntu Dapper, from Debian Testing. Dapper only has 1.0, which might work, but the configuration has changed between 1.x and 2.x, which makes the examples incorrect.
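
The ordering rule quoted above can be checked mechanically before a bundle such as site.pem is deployed. The following is an added example, not code from the original post or from Pound: it walks the CERTIFICATE blocks of a PEM file, confirms that each certificate's issuer is the subject of the next one, and that the last one is self-signed. The function names and the sample certificates (constructed, unsigned, structure only) are assumptions; other blocks, such as the private key, are ignored.

```python
import base64
import re

CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Raw DER bytes of the issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    pos = end if tag == 0xA0 else pos  # skip the optional [0] version field
    fields = []                        # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        _, _, end = read_tlv(cert, pos)
        fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]

def chain_order_problems(pem_text):
    """List ordering problems; Names match only when their DER bytes are equal."""
    certs = [base64.b64decode(body) for body in CERT_BLOCK.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    names = [issuer_and_subject(c) for c in certs]
    problems = [f"certificate {i + 1} is not issued by certificate {i + 2}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed (not a root CA)")
    return problems

# Constructed, unsigned sample certificates (structure only), not real ones.
def der(tag, content):
    return bytes([tag, len(content)]) + content   # every sample element is < 128 bytes

def sample_cert(subject, issuer):
    def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
        return der(0x30, der(0x31, der(0x30, b"\x06\x03\x55\x04\x03" + der(0x0C, cn.encode()))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    body = base64.encodebytes(der(0x30, der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

SITE = sample_cert("www.example.test", "Example Intermediate CA")
CHAIN = sample_cert("Example Intermediate CA", "Example Root CA")
ROOT = sample_cert("Example Root CA", "Example Root CA")
print(chain_order_problems(CHAIN + SITE + ROOT))  # wrong order: two problems reported
```

To check a real bundle, pass the file's text to chain_order_problems(); an empty list means the certificates are in the quoted order.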

SpamAssassin 3.2.0 backport for Ubuntu Dapper

Wednesday, June 6th, 2007

I've built packages for SpamAssassin 3.2.0 for Ubuntu Dapper. They are available in my firewall repository with the dependencies (libnet-dns-perl, libnetaddr-ip-perl, libmail-spf-perl):

deb http://ubuntu.hs.net.nz dapper firewall

If you use this repository, you'll get a new version of ClamAV, and some other packages also. Beware.

It was a bit of a mission to build, but made easier with the Prevu tool. This is like pbuilder for backports, and anyone doing anything with backports should use it. You can use the 0.4.1 release on Sourceforge on Dapper.