I fail at tech support
Without the slightest trace of shame, I consider myself very good at troubleshooting technical issues that arise on my own systems. I can dig rather deeply, analyze process calls and determine which program is loading the module that’s faulting. I pride myself on being able to solve issues without resorting to reformatting, which, in my opinion, isn’t a real solution.
However, when someone rings and tells me, “my computer just blue-screened on me”, I find myself at a loss as to how to react. More often than not, I find myself unable to come to a solution remotely.
I’ve been running this through my head because, you guessed it, I received just one such call tonight. I believe a large part of my problem is due to the fact that I know very little about what goes on in other people’s computers. Contrast this to my own setups, where I am cautious about, and maintain a good inventory of, what applications I install. Thus, when an error occurs, it is significantly easier for me to backtrack and reproduce the problem.
Another contributing factor is freedom of action. I have full control over my own systems and even the network they reside within. This kind of liberty is often not present when dealing with other people’s computers.
To complicate matters, people do poorly when it comes to describing the exact problem they’re facing. Having the exact error message, especially in blue screen situations, can go a long way towards solving the problem. Although most aren’t very specific, some error messages put a high probability on the fault being hardware related rather than software (PAGE_FAULT_IN_NONPAGED_AREA comes to mind), greatly narrowing down the source of the problem.
I’m curious as to how others respond when another individual highlights a problem to them. How do you go about gathering as much information as possible about the situation and the events leading up to it, in order to make a few educated guesses as to where the problem lies? Is there a standard operating procedure that you follow?
Apple’s reason for ditching flash
Apple CEO Steve Jobs told WSJ staffers to ditch Flash and replace Flash-based content with other web standards—a move that’s doable, but not necessarily trivial.
I’m seldom in agreement with Apple’s philosophy of doing things. However, this is one bold move that I applaud and would want manufacturers to follow.
The trouble with Flash is that, like the less popular Java, it is essentially an external application that is being embedded in a web page. Having to depend on an external application is bad for security. It is my belief that executable code should never cross from the browser onto the desktop for no good reason. What’s more, the use of Flash goes against one of the fundamentals of the web: accessibility. Content in Flash is encased in its own container and not text-searchable. If a website is designed entirely in Flash, there is no way for a search engine to index its content, nor is there a way to link to a specific page within that Flash content. You can’t point a hyperlink to a particular frame of Flash content.
It’s time that we took up the axe against Flash and replaced it with newer and web-friendlier technology, such as HTML5 and JavaScript. I’m glad that at least one company sees the problems behind Flash and is taking decisive action to move the world away from it.
High performance and affordable router with m0n0wall and Atom
Intel Atom is a powerful little platform for its cost. It works well as an office productivity or Internet access desktop, as a Home Theatre PC (HTPC) for watching and recording videos, as a storage server, and even as a small network AD server. Another area in which it can excel is as a home/SME router.
I’ve ceased using commercial routers targeted at the home segment for a number of years now. What made those routers unfeasible was the growing bandwidth available to home users and the popularity of peer-to-peer, meshed file sharing, where a large number of connections would be made simultaneously to grab various parts of the same file from different users. The earlier home routers with their low memory and processing capability couldn’t handle the load, and enterprise routers were, and still are, out of the reach of my financial capability.
That was when I turned to building my own. I started by refurbishing an old computer with additional network cards. The system which I replaced today ran on an Intel Pentium III 450 MHz processor with 256 MB of RAM, and had been running for a number of years.
At the simplest level, any computer with more than one Ethernet adapter can be used as a router. On Linux, routing can be done through iptables; on Windows, either through Internet Connection Sharing or Routing and Remote Access on the consumer and server variants of the operating system respectively. However, there are Linux-based distributions which are designed with the sole purpose of turning a PC into a dedicated router that can rival commercial offerings in terms of performance and features. One such example, and the one that I’m using, is m0n0wall.
Lately, my old setup has been giving me issues, which I attributed to a failing power supply. Replacing it wasn’t the best of ideas since the system was old, really old. This was the opportunity to get rid of and replace the system. A new one wouldn’t cost very much, and the much lower power draw of the Atom was welcome too. It was the perfect system for the task.
I did some shopping, and although some manufacturers, such as Gigabyte, do offer Atom boards with dual GbE adapters, none of those models made it to the local market. In fact, there are relatively few Atom models here in Singapore. I had to settle for the Asus AT3GC-I, which sports a dual core Intel Atom 330 processor with a single GbE port, resulting in me having to purchase an additional network card, filling up the only PCI expansion slot available. The 2 GB of RAM that I bought was a huge overkill, but the stores were only carrying 1 GB and 2 GB DDR2 memory, and the difference in cost between the two was a mere $2. Add in a mini-ITX case, and I was almost ready to go.
Since m0n0wall takes up a mere 10 MB of space, I decided to skip the hard disk. Instead, I opted for a 4 GB USB thumb drive as the primary storage medium. It was the lowest capacity one I could find.
Assembly was a breeze, and was the easiest one I’ve done to date. The motherboard fit right into the case, and since the only peripheral I have is one expansion card, it was all very straightforward. No issues with a lengthy graphics card that wouldn’t fit into the casing, nor a billion front panel chassis connectors to deal with.
For the m0n0wall installation, I downloaded physdiskwrite 0.5.2 and generic-pc-1.3.img from http://m0n0.ch/wall/downloads.php. Opening the command prompt on my Windows 7 PC with Administrator rights, I inserted my newly bought thumb drive, formatted it, and began writing the m0n0wall image to it by executing the following.
physdiskwrite -u generic-pc-1.3.img
I was shown a list of the drives available and selected my thumb drive as the destination. Ten seconds or less later, it was done. I plugged the thumb drive into my Atom system, made a few changes in the BIOS to set it as the default boot medium, and booted. The picture below shows the initial boot.
I spent the next half hour or so copying over my configuration from my previous set-up, and the hour after that rearranging some furniture and re-doing cabling. The beauty of m0n0wall is that it can be used right out of the box if you have no need for more advanced features such as traffic shaping. There really is little configuration.
I still maintain that the system is overkill. Under load, memory and CPU usage hardly cross 5%. However, a less powerful system, such as one of Soekris Engineering’s offerings, would have cost just as much or even more. I’m extremely happy with my new setup. Before I end the article, here’s another picture, from the rear, where you can clearly see the 4 GB thumb drive which will be permanently plugged in as the boot medium.
Digital clutter and storage costs
Previously, I mentioned ridding myself of clutter. Being a modern day geek, I’m also a digital packrat rather than a physical one. I have a staggering amount of approximately 2 TB worth of data consisting of movies, application installers, pictures, music and a ton of other stuff. I dedicated most of this weekend to clearing up my digital storage, ditching a large number of TV episodes that I would never intend to re-watch, for example. The minimalistic approach to living doesn’t end at the realm of physical belongings.
The cost of storage is not what it seems, despite the plummeting cost of hard drives. Although US$50 will net you a 500 GB drive these days, which may seem to work out really cheaply at $0.10/GB, that cost only covers the basic storage of data, and does not take into account the maintenance and upkeep of that bit of data. The cost per gigabyte when the upkeep is taken into account is much higher.
What do I mean by maintenance of data? To insure data against loss, whether through human fault (e.g. accidental deletion), mechanical fault (e.g. a faulty hard drive) or natural disaster (e.g. a fire breaking out at home), that bit of data needs to be backed up on various levels. For me, this is done through a combination of redundant storage technologies for the live data, local backups and offsite backups.
Assuming I have a file of 50 MB, the amount of space required to maintain that data rapidly swells by a factor of at least 3 (one original, one local backup and one at the offsite backup location). Furthermore, at each location, versioning, that is to say, keeping multiple copies of the file from different points in time, might need to take place if I frequently modify the file. This is to allow me to recover the original if I make changes to the file that I come to regret later. Even if I keep the copies through the use of an extremely efficient delta algorithm that only stores the changed portion of the file rather than creating an entirely new file, that further adds to the size. My 50 MB file may be taking up to 160 MB at this point, spread across various storage platforms, some more expensive than others. Offsite backup through an online provider is notoriously expensive, for instance. At this point, the cost per gigabyte rapidly swells.
Despite the general mentality (largely propagated by storage providers themselves) that on a modern-day computer there is no reason to delete anything, that notion is detached from the truth.
Do I really need this level of connectivity?
If Linus Torvalds can still rely on a text-based email client as his primary form of communication, and yet achieve so much, do I really need all these new media of communication that have been offered to us in recent years?
I have a 12 Mbps internet connection at home through the coaxial cable network, which serves as my primary means of communicating with the outside world, and well, survival. I also have a mobile phone with both a voice and data plan, and an additional mobile line with just a data plan. I have push email on my mobile phone, my contacts are pulled from Google Apps Premier through MS Exchange ActiveSync and additionally, I can also choose to leave an IM client open constantly, all subject to the irregularities of network coverage, of course. That’s ubiquitous connectivity wherever I go.
I’ve been reevaluating my finances recently, and have come to question whether the amount spent on that level of connectivity is justified. In reality, I keep in touch with only a tiny subset of the people I come across daily, countable on the fingers of one human hand.
I haven’t made a single phone call for chatting purposes since early this year when my base was quarantined due to H1N1, and I send/receive fewer than 30 text messages on average monthly. Do I really need that voice plan, and could I instead use VoIP if I really had to make a call? I could. What does that mean? I could drop the voice plan and have an additional $30 a month in my pocket.
So that leaves me with two data plans; well, I could just drop one of them. Combined with the above, that’s $50 a month saved.
I’ve been using technology with the ‘because I can’ mentality, rather than questioning whether I really do need it. If this were an IT department, I would have invested in a lot of infrastructure with little or negligible practical value, and essentially, done a whole lot of bad budget management. Good IT management is not about jumping head first into the next bleeding edge technology, but rather, evaluating it and getting only what is essential.
Setting up vsftpd on Ubuntu
Yet another adventure in Linux land. This time, it was largely due to issues with iptables.
First of all, installing vsftpd was rather easy. Issuing aptitude install vsftpd with superuser privileges was all it took. Configuration didn’t take all that much work either, but it dragged on due to this being my first time and having to look up the manual.
The configuration for vsftpd is located at /etc/vsftpd.conf. Out of the box, vsftpd allows anonymous read access. The first order of the day was to disable that by changing the variable.
anonymous_enable=NO
Users in vsftpd can either be local accounts, or vsftpd-specific ones. I used local accounts to save myself the hassle, since all my local accounts have their permissions set correctly already.
local_enable=YES
By default, all user accounts (including local) are only granted read access. Adding the following line enables write and modify permissions.
write_enable=YES
At this stage, vsftpd is configured and ready to run. However, if you’re behind a firewall, some additional configuration needs to be done to allow vsftpd to listen and pass through it. To a novice who is inexperienced with iptables like myself, this turned out to be quite an adventure. Before we get to that however, it is imperative to understand how FTP works.
FTP works in two modes, active and passive. A detailed and extremely useful explanation of the difference between the two can be found at http://slacksite.com/other/ftp.html. Briefly, in active FTP, the client initiates a connection to the listening server’s control port, and when data transfer is required, the client opens up a port and lets the server know via the control channel which port on the client side to send the data to. Thus, it requires the client to open a port in the listening state. This doesn’t quite work if the client is behind a firewall or NAT. In passive FTP, the client initiates the connection to the server’s control port. The server then dynamically opens up another port and lets the client know this port number via the control channel. The client would then initiate a connection to this port for data transfer. In summary, active FTP requires an open port on both the client and server side, and passive FTP requires two open ports on the server side while none on the client’s.
While the server listens on port 21 constantly for incoming connections, and we can specify that as such in the firewall, the dynamically created port creates an issue since it’s open only when required, and is usually a random port in a port range. Having all these ports constantly open is not feasible as it’d be a security issue. To get around this, the firewall has to be stateful and react accordingly.
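The only place the dynamic data port is ever announced is the control channel itself, which is why a stateful firewall has to read that channel rather than rely on fixed port rules. The following added example (my own illustration, not code from the original post or from vsftpd or the Linux kernel) walks a constructed FTP control-channel transcript and extracts the data connections a connection-tracking helper would have to expect. The server and client addresses (192.0.2.10 and 198.51.100.7) and the port numbers are assumptions made up for the sample. It also generalises slightly beyond the text by handling EPSV, and by rejecting an announced address that does not match the endpoint that announced it, which is the same sanity check the Linux nf_conntrack_ftp helper applies unless its loose option is enabled.

```python
import re

# Constructed sample of an FTP control-channel exchange (not a capture from
# the author's server). "C" lines are sent by the client, "S" by the server.
SERVER_IP = "192.0.2.10"      # assumed address of the FTP server
CLIENT_IP = "198.51.100.7"    # assumed address of the FTP client
SAMPLE_CONTROL_CHANNEL = [
    ("C", "USER alice"),
    ("S", "331 Please specify the password."),
    ("C", "PASS ********"),
    ("S", "230 Login successful."),
    # active mode: client announces the port it is listening on (195*256+80 = 50000)
    ("C", "PORT 198,51,100,7,195,80"),
    ("S", "200 PORT command successful."),
    # passive mode: server announces a dynamically chosen port (156*256+64 = 40000)
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,156,64)."),
    # extended passive mode: only the port is announced, the server IP is implied
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||40001|)"),
    # a PASV reply pointing at a host other than the server: must not be trusted
    ("S", "227 Entering Passive Mode (203,0,113,9,0,21)."),
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def decode_port(p1, p2):
    """FTP encodes a 16-bit port as two decimal bytes: high*256 + low."""
    return int(p1) * 256 + int(p2)


def expected_data_connections(lines, server_ip, client_ip):
    """Walk the control channel and return the data connections a stateful
    FTP helper would expect, as (mode, listener_ip, listener_port) tuples.
    An announced address that does not belong to the announcing endpoint is
    returned with mode 'rejected' rather than being opened in the firewall."""
    expected = []
    for who, line in lines:
        if who == "C":
            m = PORT_RE.match(line)
            if m:
                ip = ".".join(m.group(i) for i in range(1, 5))
                port = decode_port(m.group(5), m.group(6))
                mode = "active" if ip == client_ip else "rejected"
                expected.append((mode, ip, port))
            continue
        m = PASV_RE.match(line)
        if m:
            ip = ".".join(m.group(i) for i in range(1, 5))
            port = decode_port(m.group(5), m.group(6))
            mode = "passive" if ip == server_ip else "rejected"
            expected.append((mode, ip, port))
            continue
        m = EPSV_RE.match(line)
        if m:
            # EPSV carries no address, so the data port is on the server itself.
            expected.append(("passive", server_ip, int(m.group(1))))
    return expected


if __name__ == "__main__":
    for mode, ip, port in expected_data_connections(
            SAMPLE_CONTROL_CHANNEL, SERVER_IP, CLIENT_IP):
        print(f"{mode:8s} data connection to {ip}:{port}")
```

Every accepted tuple is a flow that exists only for the duration of one transfer, which is exactly what a static port-21 rule cannot express and what the connection-tracking helper described next supplies.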
Two things need to be done. First, add the stateful rule in iptables.
-A INPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
Next, we’re going to have to enable the module that allows connection tracking for FTP so that our stateful rule works. This can be done simply by running modprobe ip_conntrack_ftp as superuser. In order to make the command permanent however, we need to add it to the /etc/modules file so that it runs on startup.
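Since the three vsftpd.conf changes and the /etc/modules entry above are the whole of the procedure, here is an added checker (my own example, not part of the original post or of vsftpd) that audits both files and can rewrite the config to the wanted values. The sample file contents are constructed, not copied from the author's machine; the compiled-in defaults used for absent keys (anonymous_enable=YES, local_enable=NO, write_enable=NO) are those documented in the vsftpd.conf manual, and the module name check accepts nf_conntrack_ftp as well as ip_conntrack_ftp because newer kernels renamed the helper. One assumption worth stating about the firewall side: the helper marks the data connections it predicts as RELATED, so the iptables ruleset also needs an accept rule for ESTABLISHED,RELATED traffic for the port-21 rule above to be enough on its own.

```python
# Constructed sample inputs (not files from the author's server).
SAMPLE_VSFTPD_CONF = """\
# Example config file /etc/vsftpd.conf
listen=YES
anonymous_enable=YES
local_enable=YES
#write_enable=YES
dirmessage_enable=YES
"""

SAMPLE_ETC_MODULES = """\
# /etc/modules: kernel modules to load at boot time.
loop
"""

# The three settings the post changes, and the values it sets them to.
REQUIRED = {"anonymous_enable": "NO", "local_enable": "YES", "write_enable": "YES"}
# vsftpd's compiled-in defaults for those keys (per the vsftpd.conf manual),
# used when a key is absent from the file.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO"}
# Old and new names of the FTP connection-tracking helper module.
CONNTRACK_MODULES = ("ip_conntrack_ftp", "nf_conntrack_ftp")


def parse_vsftpd_conf(text):
    """vsftpd.conf is one key=value per line; '#' lines are comments.
    A later definition of the same key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_vsftpd_conf(text):
    """Return [(key, current, wanted)] for every required setting that deviates."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for key, wanted in REQUIRED.items():
        current = settings.get(key, DEFAULTS[key])
        if current.upper() != wanted:
            findings.append((key, current, wanted))
    return findings


def apply_required_settings(text):
    """Rewrite the config so each required key holds its wanted value,
    replacing an existing (possibly commented-out) line in place, dropping
    duplicate definitions, and appending keys that are missing entirely."""
    out, done = [], set()
    for raw in text.splitlines():
        key = raw.strip().lstrip("#").strip().partition("=")[0].strip()
        if key in REQUIRED:
            if key not in done:
                out.append(f"{key}={REQUIRED[key]}")
                done.add(key)
            continue
        out.append(raw)
    for key, value in REQUIRED.items():
        if key not in done:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def conntrack_helper_configured(modules_text):
    """True if /etc/modules loads the FTP conntrack helper at boot."""
    names = set()
    for raw in modules_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return any(name in names for name in CONNTRACK_MODULES)


if __name__ == "__main__":
    for key, current, wanted in audit_vsftpd_conf(SAMPLE_VSFTPD_CONF):
        print(f"{key}: is {current}, should be {wanted}")
    print("ftp conntrack helper at boot:",
          conntrack_helper_configured(SAMPLE_ETC_MODULES))
    print(apply_required_settings(SAMPLE_VSFTPD_CONF))
```

To run it against a real box, read /etc/vsftpd.conf and /etc/modules into the two functions instead of the constructed samples; the rewrite function returns new text rather than writing the file, so the result can be reviewed before it is installed.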
Took a bit of work, but we now have a fully functional FTP server. My adventures in Linux land continue.
Teaching an old dog new tricks
My Dell Inspiron 6000 is an aging laptop dating back about 4 years. It runs on an Intel Pentium 1.6 GHz processor with 2 GB of DDR2-667 RAM, an ATI Radeon Mobility X300 and a 5400 RPM 80 GB hard drive. Windows 7 x86 went on it today, replacing the old Windows XP that it had been running. It was very usable, even more so than Windows XP, I dare say.
The installation took about 20 minutes, with the slow timing attributed to the slow hard drive. Graphics and WLAN drivers were obtained from Windows Update right after the installation completed and I hit the desktop. Within 45 minutes of inserting the Windows 7 DVD into my drive, I had Office 2007, Foxit Reader, Windows Live Messenger, FileZilla, KeePass, Wireshark and Eraser installed, almost a fully functional system for the stuff I do on my laptop. Since Windows 7 has a built-in firewall that supports both incoming and outgoing filtering, I didn’t need to install a 3rd party firewall, which are notorious for having a huge negative impact on system performance.
My old notebook is comparable to a modern day netbook, and if the netbook market is what Microsoft has in mind with its release of Windows 7, it would definitely find acceptance there.
Test-Signing Drivers
Previously, I wrote about how not having signed drivers can be quite a pain on a 64-bit Windows system. I remedied that and made it less of a pain today.
Microsoft provides a set of tools in its Windows Driver Kit for the test-signing of drivers to be used for development purposes. What this means in simple terms is that it provides a way to self-sign drivers, and thus get the system to accept them as though they were digitally signed by MS. This avoids having to disable driver signature enforcement on start-up each time.
To begin with, download the Windows Driver Kit, and install the build environment and tools. Once that is done, launch the x64 Free Build Environment shortcut from the shortcuts created in the start menu with administrative rights. In my case, I made a folder containing my extracted RAID drivers, which looks like this:
rr174x.cat
rr174x.inf
rr174x.sys
Now, to create the test certificate, we run the following:
makecert -r -pe -ss PrivateCertStore -n CN=mythokia.net(Test) TestCert.cer
Where mythokia.net(Test) can be replaced by any name. ‘Succeeded’ will be echoed upon successful execution of the above. That being done, we proceed to install the certificate on the machine as a Trusted Root Certification Authority and Trusted Publisher so that items signed by this particular certificate are recognized.
certmgr /add TestCert.cer /s /r localMachine root
certmgr /add TestCert.cer /s /r localMachine trustedpublisher
‘CertMgr Succeeded’ should be echoed for each. Now to sign the drivers with our certificate. This can be done either by signing the catalog file (the one with the .cat extension), and/or by embedding the signature directly into the binary. From Microsoft’s explanation, drivers loaded at boot time are required to have their signatures embedded in the driver’s binary file itself. Unsure if signing just the binary is sufficient, I went ahead and did both.
signtool sign /v /s PrivateCertStore /n mythokia.net(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll rr174x.cat
signtool sign /v /s PrivateCertStore /n mythokia.net(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll rr174x.sys
Watch the output to see if both were successful. We’re almost ready to install the driver now, but there is one last twist. The bootloader has to be configured to allow test-signed drivers to run. We issue this:
bcdedit -set TestSigning on
This adds an unobtrusive watermark to the bottom right of the screen that says ‘Test Mode’, which I can live with. Besides, I run my server headless anyway, except for the occasional RDP into it.
Now that all that is done, we can finally install our self-signed driver like you would a normal driver. No more manually disabling the enforcement of digitally signed drivers at every boot.
Once again, these steps are detailed, and a lot more thoroughly so, on MSDN, but here’s the rough guide to the self-signing of drivers for use on Windows x64 systems. I can finally remove that keyboard from my server.
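The trade-off in the bcdedit step above is worth making explicit: with TestSigning on, the loader accepts any test-signed kernel driver, not only the one signed with the certificate created here, so a machine left in that state is something an administrator would want to be able to find. The following added example (my own, not code from the post or from Microsoft) parses the text that bcdedit /enum prints and lists boot entries with signing enforcement weakened. The sample output is constructed to mirror the bcdedit layout, with placeholder identifiers and descriptions; to check a real machine, feed it the captured output of bcdedit /enum instead.

```python
import re

# Constructed sample shaped like `bcdedit /enum` output (not captured from the
# author's server); identifiers, paths and descriptions are placeholders.
SAMPLE_BCDEDIT_ENUM = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows Server 2008 R2
osdevice                partition=C:
systemroot              \\Windows
testsigning             Yes
"""

# bcdedit prints each option as a lowercase name, padding, then the value;
# section headers ("Windows Boot Loader") and dashed rules do not match.
OPTION_LINE = re.compile(r"^([a-z][a-z0-9]*)\s{2,}(.*\S)\s*$")

# Boot options that weaken kernel-mode code signing enforcement when set to Yes.
WEAKENING_OPTIONS = {
    "testsigning": "accepts test-signed kernel drivers from any certificate",
    "nointegritychecks": "disables kernel-mode code integrity checks",
}


def parse_bcdedit_enum(text):
    """Split `bcdedit /enum` output into entries keyed by identifier.
    Entries are separated by blank lines; each becomes a dict option -> value."""
    entries, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if "identifier" in current:
                entries[current["identifier"]] = current
            current = {}
            continue
        m = OPTION_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if "identifier" in current:
        entries[current["identifier"]] = current
    return entries


def find_weakened_boot_entries(text):
    """Return [(identifier, description, option)] for every boot entry that
    has one of the signing-weakening options set to Yes."""
    findings = []
    for ident, entry in parse_bcdedit_enum(text).items():
        for option in WEAKENING_OPTIONS:
            if entry.get(option, "No").lower() == "yes":
                findings.append((ident, entry.get("description", ""), option))
    return findings


if __name__ == "__main__":
    for ident, desc, option in find_weakened_boot_entries(SAMPLE_BCDEDIT_ENUM):
        print(f"{ident} ({desc}): {option} is on, {WEAKENING_OPTIONS[option]}")
```

The check is deliberately per boot entry rather than per machine, because a second loader entry can carry its own TestSigning setting and the watermark only tells you about the entry that was booted.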
Win 2008 R2 and signed drivers
After replacing yet another failed disk in my RAID array this weekend, I replaced the Windows Vista installation on it with Windows Server 2008 R2, released last week.
I overlooked one important factor before installing Server 2008 R2 on it – I did not have signed drivers for my HighPoint 1740 RAID controller. I had assumed, and wrongly so, that the drivers which had worked on Vista x64 would continue to do so in Server 2008 R2 (Win 2008 R2 is only available in x64 flavors), which is only partially the case.
On all x64 versions of Windows, drivers have to be digitally signed. I guess the logic behind this is for reasons of stability and compatibility. You could, however, still force an install of a non-signed driver. The result, however, could be some annoyance.
After the installation of the RAID drivers, Windows refused to start and instead booted into a recovery state. It was only then that I discovered that although most drivers that worked under Vista/Server 2008 will work on Windows 7/Server 2008 R2, the signature is only valid for the particular version of the operating system they’re signed for.
To get around this, driver signature enforcement would have to be disabled at each start up. The way this is done is to hit F5 right after the BIOS POST screen and before Windows starts, then hit F8 to bring up the advanced options, and select disable driver signature enforcement. Troublesome.
There is yet another alternative, which I have not explored. The Windows Driver Kit provides a way to self-sign drivers for testing purposes. The MSDN article on how to go about doing this is here. I’ll have to look into it when I have more time at my disposal.
High-tech manual labor
I had the opportunity of doing some work in an HR-like department recently which handles the manpower administration for a military unit. It is one of those rare places in the military where you get to see technology, in the form of computer systems and networks, being employed.
A particular subset of the work there involves generating reports for soldiers being released from service. The process involved doing data entry from a couple of different documents into a web-based form, then downloading the completed report as a Word document, then opening the document and doing a lot of formatting, before finally printing it out. Then do the same for maybe a hundred-odd documents. In other words, it’s a laborious job, and one that would likely qualify for an entry on thedailywtf.com.
When the process was being explained and shown to me, voices in my head sighed. Coming from a sysadmin/programming background, one important thing you learn is to automate whatever you can, especially repetitive tasks such as this. This was a prime candidate for scripting action, and an area where Visual Studio’s integration with MS Office could be put to good use. It’s a pity that the computer was locked down rather tightly, without any chance of doing so.
Sad.