Some know that I like to show off my neat little Thinkpad x200s for its boot time; so far under 5 seconds (from bootloader to X) using Gentoo, OpenRC, and Enlightenment. I wanted to try systemd for a while but never really was in the mood to do the actual work. The video inspired me to actually give it a try now.
Installing systemd is incredibly straight-forward, just read the gentoo-wiki articles and make sure you have your "init scripts" (or .service files in systemd jargon) ready. Enough talk, just let me finish with this: I was utterly impressed how well systemd works and I'm looking forward to it replacing all other init systems currently out there (including OpenRC which I actually liked). But look for yourself:
Linux version 3.1
systemd version 37
udev 175
Linux -> systemd: ~1s
systemd -> e17: ~1s
e17 -> ready: ~1.5s
If you have questions or need config files, just ping me via mail/jabber/irc.
]]>The title is not only one of my favorite Dream Theater songs (if you can call 23 minutes a song) - here it also means that my favorite time of the year is coming. And yes, apparently you can go skiing in October. :)
2300m:
3200m:
Now, off to Sweden.
]]>This is part two, Convergence.
Convergence replaces the certificate authorities (CA) used traditionally in SSL by an independent distributed authorities, called notaries.
It totally ignores the CA that issued a sites certificate and instead checks the certificate over all activated notaries. These can be added, removed or disabled on personal preference; so you don't have to trust a bunch of faceless corporations which are each a SPOF in the whole concept(!), but can instead trust a number of notaries working together.
This can be one of your own servers in your LAN (providing no MITM security towards the internet), another one of your servers reachable over the internet, and the server of people or organizations you may or may not trust all over the world.
Than you can decide if it is enough for you if only one notary validates the requested certificate - bad idea, perhaps even a little worse than the CA system. However, the default is to gain a majority validation. This means every active notary will be checked and if most of them (to be exact, the simple majority) validate, convergence accepts the certificate. The last option is to only accept absolute concensus of all notaries, what makes authentication fail if one notary either gets the wrong certificate or is not reachable.
I think convergence is a great idea.
The concept is well-thought, the implementation is solid and a pleasure to use. Even usually painful self-signed certificates work like a charm because convergence doesn't care about CA's. You are always in control, which of course means you have to make sure you have a number of notaries that can be trusted.
Of course everything is open source and so far the addon as well as the notary-server are constantly under (very active) development. It is easy and reasonable to run your own notary, for yourself or for others. It is largely written in python, and light on (very reasonable) dependencies, so if you feel like participating, I don't see any reason why not.
Long story short: great concept, great implementation: get it!
]]>I did so because it is neat hardware, I needed to replace my home-server - and mainly because it is supported by Coreboot. Unfortunately, it turns out that there is no version with a socketed BIOS chip out there (and resoldering a SOIC16 socket isn't easy) despite some pictures showing it. Even more unfortunate was that it turned out that flashrom didn't support flashing the board either.
The reason for this is, that AMD's Soutbridge 700 series makes noise on the SPI bus with its IMC (Integrated Microcontroller), so you can't safely flash because data gets corrupted.
Luckily AMD has recently released a new version of the SB700/SP5100 register datasheet that documents how to turn the IMC off, and Frederic Temporelli has already added support which is waiting for inclusion in flashroms inbox: 1/2 and 2/2.
I haven't tried it out yet, but I'll do so in the next couple of days.
]]>Let's start with Web Of Trust (WOT).
In contrast to some of the other things I plan to take a closer look at, WOT is not related to transport security or any cryptographic methods to ensure site integrity.
It actually works like Mandatory Access Controls (MAC) with a user centric (as apposed to a system centric) approach.
WOT is a combination of client side software, usually a brower plugin (who would have guessed :P), and a central database that contains per-domain based ratings, provided by users as well as "trusted sources". The latter are (well-known) security sources, such as blacklists from security vendors, and similar material.
The browser plugin, which exists at least for Firefox and Chrome, is available under GPLv3. It checks every domain, that is either querried or linked to, against the WOT central database and aquires a rating based on the previously mentioned sources.
Feedback is given to the user via an easily visible graphical indicator (green = good, yellow = so-so, red = bad, grey = no rating yet), as well as an warning dialog (per default) that shows up on untrusted sites.
It can also be set to block access to unwanted sources, e.g. as a porn-filter.
The ratings are based on an algorithm, partially comparable to mechanisms such as Google's pagerank: It doesn't only count and divide the ratings to generate an average; instead different sources have different weight, and if there are only a few ratings and maybe not the most credible ones, no general rating is given at all.
All in all, I'd say WOT can be very helpful.
However, you really should consider if the service is worth the loss of privacy, as every domain is transmitted to WOT servers along with your IP which makes you relatively identifiable. This usually happens only once per domain, as it is cached afterwards; also, only the domain, not the URL is transmitted. You should take into account, that your IP and all domains you access are logged on the route multiple times anyway, at your ISP at first, but at several routing points as well - so this is clearly a cost--benefit equation you have to do for yourself.
I would however recommend this service to each and every user that has trouble detecting which sites are bad, that includes subscription traps (largely a German problem I guess, here called "Abofalle"), and Freeware download sites. I think here clearly the downsides are neglegible so I would - and will - recommend this to people like my mother.
Lastly, the company behind WOT is in legal trouble with some US companies which claim, that the algorithm behind the WOT rating, is flawed. This is, in my opinion, the proof, that the algorithm works pretty well. If hosters of dubious sites use the courts, it generally means they haven't found an easy way to manipulate their ratings. And as the "crowd" ratings get the higher weight, no source credible enough to improve ones rating can be bought.
]]>Overall the concept of trusting a hand full of companies out of good will is just stupid. Each and every one of them is very susceptible to single hackers or small groups of hackers, not to mention foreign agencies and more importantly local agencies with proper funding or even a "legal" way to mess with certificates.
So, what is a solution that works? Learn from filesharing. To this day a lot of filesharing networks have been put down due to the SPOF nature they share with the CA companies. A single target which can compromise the whole network and system. What followed was decentralization - and with so many other systems (from network architecture over source code management and storage systems) that prove how good this works, this clearly is the way to go.
So what's out there to accomplish this? Sadly: nothing that works out-of-the-box and/or everywhere. But there are some concepts:
Sadly, all of those come with some effort and are not available for every browser, let alone on every machine. I will evaluate these and probably other solutions in the next time, and report back.
Update: I forgot to mention this before: the whole situation is actuall that bad, that google decided to hard-code certificates (or probably their fingerprints) in Chrome, something Noscript apparently does, too. This is a horrible concept, but it seems the only way to make the CA system work as it is.
Of course, in the long run, it would mean, that every single certificate would have to be hard-coded in every single browser(engine) and every CA would have to be distrused. Certainly no system that is desirable.
]]>Anyway, while it might be overkill for me, I'm finally on real hardware (and OVH is ridiculously cheap) and while it isn't failsafe in any way, I'm much more comfortable by being able to maintain it myself completely.
As you can see, my old blog is also gone. I could have restored the backup, but I wanted to move from blogofile 0.7 to 0.8 for a while and never had the time and motivation to do so - so I decided to just restore my few posts and set up blogofile 0.8 with the simple-blog profile from scratch. I'm currently working on the templates and the CSS to make it look decent again, but this may take some time, as I plan to finally learn more cool CSS stuff (one of which I already started to implement, thanks to a hint from josch). It's really amazing what you can do with CSS nowadays, finally there is no more reason to do any design in html.
]]>Until very recently Firefox had a very "old-school" versioning scheme: Major.Minor.Bugfix Bugfix-releases happened rather often, usually about once a month. Minor releases happened every few months, Major every few years. I don't need to explain what bugfix releases were for. Minor releases usually introduced minor new features like support for new web standards, minor UI changes, and bigger improvements on existing features. Major releases happened very rarely and usually introduced big UI overhauls, major feature additions and support of a bigger range of web-standards.
So what did this mean for support of actual websites and web-applications? I will tell you: Nothing. Besides adding support for new stuff, there hardly ever were any deprecations and regressions. If your website worked in 1.x, it probably worked just as well in 4.x because the standard didn't change. Maybe it looked a little worse because the standard changed a little, or the implementation behaved a little different.
Let's come to the new and current system, that's meant to stay, at least for a while: The new scheme is: Major.Bugfix It's generally more of a rolling-release cycle. Every new feature, no matter how small or big, is implemented in a new major version. These are released on a regular, scheduled, basis that targets on getting a defined set of features in and get it released in time. Bugfixes are applied between releases to keep the current release secure. Any new release will automatically deprecate the last one. There won't be bugfix-releases for old majors like there used to. So what did this mean for support of actual websites and web-applications? I will tell you: Nothing. What worked in the last Major, will work in the new Major - but not necessarily vice versa. If it doesn't, it's a bug. Web applications and websites may not be browser specific. We used to have that in the corporate world and everyone knows: it sucks, and it is wrong.
Enough with the explaining, let's go take the criticism on the model and describe why it is invalid:
No they don't. If anything, they were broken before
Updating is more difficult
No it isn't. Updating works the same way for new major releases as it did for old minor or major releases
Addons break
That's partially true: addons contain a version mask to indicate with what versions they were tested and should work. Until now addon developers usually set a wildcard like 4.* This kept addons working even after new minor releases. What you didn't know: minor releases could break the addon api, and make addons not work properly! Setting the wildcard makes it run on untested versions, so why not do it now, too? If it breaks it has to be fixed, that's how it used to be, that's how it will be. Also, there is a new addon-api for simple addons (named jetpack), which will remain more stable and keep a lot of the updating trouble away.
Users will do fewer updates and not receive security updates
Not true. Updating has been as intrusive as it is now, and there are always people who are not willing to update. Nothing's changed.
Distributions will have a hard time updating
No they won't. Every minor release had to be tested as intensive as every major has to, now. With big applications like Firefox, there has to be some trust in upstream, because it is impossible to do a full review and a full function test for new releases - major or minor - anyway.
Companies will have a hard time keeping up
Not true. As I already explained, web applications cannot be browser dependent. If they are, they are broken. Most of those company web applications are not actually web applications but horrible mutants only used internally. They never did actually run on Firefox and on any non-stoneage Microsoft browser. If they worked in Firefox, they will likely continue to do so. As with distributions, it is impossible to do a full review on any new major or minor version, so there is no impact at all.
Companies won't be able to roll out a new release with the short cycle
Conclusion: It's time people, and companys, are getting real. The way and the pace the web develops today, there is no room for legacy. Chrome introduced the rolling-release strategy to the browser world, and apparently it works. With this (well, and a lot of marketing), it pulled a huge share of the Firefox market share (to remind you: IE users don't switch to Chrome, FF users do.), so apparently their strategy is valid. Until today firefox had trouble getting new standards supported. Not because the developers are too lazy or slow, solely due to their release politics with a over-a-year release cycle for new feature releases. It was time to act and they did. The reason why people don't adapt to new web standards and great things like WEBM isn't because Microsoft doesn't support it. For years and years nobody cared about Microsoft when it came to new cool things, because they are slow and don't support them anyways. Companies that use Firefox use it because it's not ancient, has cool features and people like it. They might still use IE for their broken apps, but their users hate it. While IE9 is very recent because even Microsoft moved to a new release strategy it's already pretty much outdated and will remain so, because Microsoft now does the old Mozilla strategy. New features come in new versions, but they make the horrible mistake to keep ancient-to-be versions, i.e. IE9 supported. By claiming to support IE9 for the next 8 years, the encourage companies to roll out broken web applications. They don't have to be standard compliant, but to work in IE9 (not in 6,7,8, not in 10, not in any other browser), and that's exactly what they will do. An interesting side effect is that tech companies will have to use 2 browsers again, because their customers expect nice standard compliant websites that work in their browser, and IE9 it won't be. So employes will have to use IE9 for intranet stuff and FF for their companys official websites/applications. And it will be FF, no matter if they release every 6 weeks or not - not IE10, or 11, because they need to keep it at 9.
So people, get real yourself. Be happy they did the change, be happy they don't support old versions and force you to use old websites and non-standards (like Flash), and be happy they force your distributor and your company to keep up, because you get a shiny, recent browser and a better web for it.
]]>I recently bought Flea bike lights by Blackburn. In fact, I bought a set a while ago already, but I lost one of the lights. This is easier than I thought because those things are damn tiny, and I'm not even sure if I lost it on the bike or somewhere else.
As I was pretty happy with the devices, I decided to replace the missing one and got myself a new set; this time the 2011 edition in contrary to the 2009 I had before.
There are two main differences introduced in 2010 and 2011: The USB-Charger was introduced in 2010 and replaces the included battery-charger so you can recharge the lights on any 5V DC power supply over an USB port. New in 2011 is an additional led under the lights buttons that shows the charging state.
Here's a picture showing the new USB-Charger on the left and the old battery charger (that can be attached by magnets to any standard battery) on the right:
The chargers attach to the devices by 2 magnetic pins that are quite strong, so you can safely put it in any USB port without fearing it might fall off, and you can attach any battery without having to care if the contacts are attached right. What's really amazing however is, that the charging electronics is inside the lights housings so you can use any DC source from about 1 to 5 V without any additional electronics. It even allows to attach a solar panel with USB connector (Blackburn themselves offer one, but there's a ton of other similar devices on the market). With the 2011 edition the new colored LEDs indicate the battery status and also when charging is complete.
Here's the complete set including straps and USB Charger: 
As you can see on the pictures, the back-light has a clip that is not only used to attach it to one of the straps, you can also clip it to a belt or backpack which I find useful (great if you have a big backpack that might hide a light attached to the saddle, or if you're hiking without a bike at all). If you pull the strap tight enough, it works well and you can attach the light safely, and it stays in place.
The front light has no clip, only a rail for the strap. Here too, it has to pulled tight so the light keeps in place. It doesn't hold nearly as well as a proper hard mount, but due to the low center of gravity and the light weight it usually stays in place well enough.
Every light has a couple of modes:
For the front light, it is normal, high, flashing, off, toggled through repeated pressing of the button. The back light has normal, flashing, chase and off.
The normal mode is usually good to be seen and to light the road if it's not totally dark. In the high setting it is surprisingly bright and well enough to see in total darkness. Of course it doesn't compare at all to 20 times as big, 40 times as heavy and 5 times as expensive lights with multi-Watt LEDs and so on, but it a) doesn't claim so and b) isn't made for that. I've seen a number of reviews and opinions that state that the Flea sucks, because it isn't as bright as their 200 EUR lamp with a 1 kg heavy battery pack - if you expect that, move along and get real. If you drive in darkness for several kilometers every day and don't want to charge twice a week, these lights aren't for you. If you bike for fun and need a pair of good, light and practical lights, or just a backup light, try the Flea.
I've made some photos in total darkness, no artificial light (besides the Flea) around, no moon and clouded sky without stars, to give you an impression how bright the lights are.
The pictures are slightly overexposed, so they seem a little brighter than they actually are, but it still is close to how you actually would see it:
I guess people like pro/con lists (at least I do), so here it comes:
Pro
Con
As usual, more pictures in my gallery.
]]>Currently Digikey is still the only reseller for it and it seems they are permanently out-of-stock since the Pandaboard is for sale. Anyway, over a month ago I decided to just order it, even though I don't really had enough time for it, because it seemed it could take some months.
Anyway, now it is here, as usually deliveded by FedEx in the blink of an eye. They did not even charge the usual import fees (EUSt) - it probably did not actually go through customs as a development kit.
As everyone seems to do unpacking pictures, videos and so on, I don't bother, but there are some nice pictures of the device in my gallery.
Anyway, it comes in a box and is very lonely because there is nothing else in it (what is good!).
You just need a 5V powersupply to get it running - according to the wiki it should even be possible to get power over the mini-USB port, though I haven't tried that yet.
]]>