Author Archives: Edward - Page 2

Something is Wrong With Me

My body hates me. Last night, I completely failed to get any sleep due to some kind of bizarre insomnia, so at 5:15am this morning, in a very uncharacteristic fashion, I decided to go for a run because there wasn’t a heck of a lot else to do, and I figured that it would get my system moving again after spending many hours lying about doing nothing.

What it’s actually done is make me more tired, which is a shame – because today is going to be a full day, since I got to work at 7am, will probably work till five, and then, to add insult to injury – when I really ought to be crashing into bed at about – oh – two minutes past the time I get home, I’ve got a Karate lesson this evening, followed by cooking dinner for me and three of my friends, including a girl that I quite like.

There’s just no way this can end badly!

Time Keeps Slipping Away

I’m baaack.

Well, I never left. So here’s the deal, I’ve moved into a new flat, that’s on dial-up only, and I can’t be bothered setting up a LAN anyway, because I’m never at home in the evenings, and if I desperately need ‘net access, I live just across the road from work. This is because somewhere along the line last year, I managed to get a fairly fast-paced social life, so I now spend large chunks of my time out of the house anyway. And – since I spend all my time at work on a computer, the last thing I want to do when I get home is sit in front of the computer.

However, I’m told that people do actually read this, and that they miss me, so I’m going to continue writing stuff, and it’ll be good practice for me, since I intend to get into writing some stuff again (dunno when exactly), which will be good, because although I’ll be at home, I won’t have that instant ‘net access to distract me all the time.

That Pocket PC review is coming. Any time now, I promise.

I know the comments are broken. I’ll try and fix them today some time, I promise!

Zero7 meets Morcheeba

I discovered Dawnraiding, by Rose Smith the other year, when my brother lent me a DVD of stream rips containing the track Life Changes. Having duly waited six weeks for my stuff to get here from Amazon, I finally got to plug it into my CD player.

It’s pretty good.

More to the point, she’s English, which seems to mean that the lyrics and music are balanced out, rather than one overriding the other all the time.

Balanced is a good way of describing the CD in general. This is definitely a chilled out CD, but it’s not a CD to make you go to sleep. Most of the tracks have their own distinctive flavor, although a few are a little bit monotonous, they work as good background music. I’ve yet to have the CD long enough for it to grow on me, so these are my first impressions.

Selected Tracks:
Life Changes (2)
On the Run (7)
Get Thy Bearings (8)
The Party (9)

Bad Piping

One of the central points about Linux (technically Unix, but let’s face it, these days the bulk of code, in terms of lines written, is written on and for Linux first and foremost) is the philosophy of using many small tools that do one thing very well to accomplish a much bigger task. This is a good philosophy, and most practical IT works on this philosophy – for a given value of ‘small tool’; most people wouldn’t call an SQL server ‘small’.

Linux (again, this probably applies to most all Unix/*nix/POSIX systems, but since I lack any real experience with them, I’m going to stick to talking about Linux) goes quite far in this regard. As anyone who’s ever experienced dependency hell will tell you, there’s a large degree of modularity in the software that makes up Linux. This is fine. Monolithic libraries tend to stagnate, due to the human inability to keep everything in one’s head at once. So we end up with libraries that do ogg, other libraries for flac, a couple for mp3, and eventually the gstreamer people get annoyed and write an interface that encapsulates a whole bunch of similar but different interfaces for different formats. This is also good.

*Somewhere, someone decided that it was way too much work writing a C program every time they wanted to grab a few lines out of a file or byte stream for some one-off parsing, and thus grep was born. This sort of thing eventually begat perl, and lots of lazy people – 99.999% of all programmers that ever lived – were a lot happier.

Unfortunately, this is about where things start to go wrong. Stringing a bunch of tools together with unix pipes works really well for byte streams, and for parsing information out of text files. It’s not quite so hot when it comes to more complex things, like attaching a SQL backend to its TCP layer. That’s a silly example, and probably quite difficult to do, but it’s not far off from what many people have tried to do in the past. With any really complex system, things will go wrong, and it’s very hard to debug a graphical system that spits its internal error messages as free-form English to a byte stream somewhere. See if you can spot the bad use of scripting and unix pipes.

  • Get a list of the last 15 times the user ‘edward’ logged into a system. (last | grep edward | head -n 15)
  • Get a few values from SNMP and pass them to a C program to render into a graph. (See rrdtool)
  • Run a nightly backup from one system to another. (rsnapshot)
  • Run an entire set-top-box multimedia system for Video, TV, and music. (Freevo)

The chief difference between the first three examples and the fourth isn’t the use of the GUI, though it appears that way. It’s that the application in question is interactive. Indeed, in a scripted, non-interactive environment, piping commands together, and dumping a whole bunch of errors to a byte stream (aka. a text file), is incredibly useful for debugging. Piped commands going bad in the middle of an interactive application get plastered in the middle of the application – which is annoying at best, and intimidating at worst. The alternative is to hide them – which is what most X11/GUI applications do, which can lead to really important messages like ‘this command will overwrite your home directory’ being piped to /dev/null. This is a bad thing.

Fortunately, we have a solution to this. It’s called using the API the library programmers gave you. Even if you insist on using an interpreted language like python, there’s a good chance some kind soul has attached an API in the language of your choice to the C library of your chosen tool. Remember kids, wrapping a gtk-python script, or a collection of bash-powered zenity commands, around cdrecord** and the mkisofs tools does not a nero replacement make. Do it in a real language, with proper bindings! Otherwise we end up with the disgusting travesty that is the freenx server.

* – This isn’t even close to being historically accurate.

** – Except that last I checked, cdrecord was a CLI only application, for a bunch of debatable reasons I’m not touching right now.

Kerberos

Kerberos works! I finally got round to converting most things over at work to use Kerberos for authentication. Kerberos was one of those things I tackled way back in November ’04 when I first started at my current place of work. The only problem was that I bit off way more than I could chew at the time. I tried to do the whole nine yards right off the bat. Convert the development and mail server from Redhat to Ubuntu and set up a real firewall on a separate computer. Centralize the logins, home directory access, and directory information across all three platforms using kerberos, AFS, ldap and Samba. To make things really secure, I would have had to SSL everything, including the LDAP servers, and IPSec everything for unencrypted traffic. This didn’t quite go as planned, since it turns out that trying to implement all this on one platform without really knowing what you’re doing is quite hard. In the end, I had to throw out most of my original planning and stick with LDAP for directory information AND password authentication, use NFS for the file sharing to the *nix platforms, and eventually install samba on the main file server when we got in our Windows Application terminal server a few months later.

I haven’t been too happy with this, since NFS just isn’t secure, as it requires you to ‘trust’ your client workstations. This is pretty darn easy to spoof, and given that I’m required to allow laptops access to the network, I’m less than ecstatic about the use of NFS. LDAP isn’t much better. It’s fine if you can trust all the hosts and network involved (such as localhost only, or SSL’d traffic between trusted hosts), but again, it isn’t really a complete solution. The end result is that you’re trusting root on your workstations again – although SSL goes a long way toward fixing this by using public key certificate authentication.

Kerberos is the answer to the first piece of the user authentication puzzle. Essentially, with Kerberos, the only trusted machine is the central authentication server(s). It allows you to have untrusted workstations, and even untrusted application servers. The user’s password is never transmitted in the clear, and third party application servers never get to see it. Microsoft uses it as the basis of their Active Directory authentication for Windows 2K/2K3, and almost every other Single Sign-On service is based on it one way or another. The other cool little trick is that you login once at your workstation, and then for any other kerberos-enabled service you access from that workstation, you are instantly authenticated to that service. This is incredibly nifty. Apache supports this through the Mod_auth_kerb module. In PHP, the authenticated user will automatically show up with a global variable called $_SERVER["REMOTE_USER"] set to something like ‘edward@COMPANY.CO.NZ’. If the workstation accessing the webpage doesn’t have kerberos directly installed, a standard fallback authentication request using the normal HTTP form is used, which accesses the same backend kerberos servers.
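As an added example, not code from the original post, here is how a PHP page sitting behind mod_auth_kerb can consume that REMOTE_USER value while accepting only principals from its own realm (the realm name is taken from the post’s example and is a placeholder; the function and variable names are my own):

```php
<?php
// Added example: validate the Kerberos principal that mod_auth_kerb places in
// $_SERVER["REMOTE_USER"]. The realm below is a constructed placeholder taken
// from the post's example value 'edward@COMPANY.CO.NZ'.
const EXPECTED_REALM = 'COMPANY.CO.NZ';

/**
 * Return ['user' => ..., 'realm' => ...] for an acceptable principal,
 * or null when the request should be treated as unauthenticated.
 */
function principalFromRemoteUser(array $server, string $expectedRealm = EXPECTED_REALM): ?array
{
    if (empty($server['REMOTE_USER'])) {
        return null; // the module did not authenticate this request
    }
    $principal = $server['REMOTE_USER'];

    // A Kerberos principal looks like user[/instance]@REALM; the realm
    // follows the last '@'. No '@' means the realm is missing (or already
    // stripped by a local user mapping), which this strict check rejects.
    $at = strrpos($principal, '@');
    if ($at === false) {
        return null;
    }
    $user  = substr($principal, 0, $at);
    $realm = substr($principal, $at + 1);

    // Realm check: with cross-realm trusts the module can hand us a principal
    // from another realm; only our own realm's users are trusted here.
    if ($realm !== $expectedRealm) {
        return null;
    }

    // Service and admin instances (host/..., user/admin) are not web users.
    if ($user === '' || strpos($user, '/') !== false) {
        return null;
    }

    return ['user' => $user, 'realm' => $realm];
}

$who = principalFromRemoteUser($_SERVER);
if ($who === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authenticated by Kerberos');
}

// Never echo REMOTE_USER raw into HTML; escape it like any other input.
echo 'Hello, ' . htmlspecialchars($who['user'], ENT_QUOTES, 'UTF-8');
```

Restricting the realm matters because mod_auth_kerb accepts any principal the KDC will issue a ticket for, and the page, not the module, decides which realms are authorised.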

Anyhoo, I managed to get all this installed across Linux and Mac in the past couple of weeks, and I’m slowly replacing the remaining LDAP users. The nice thing is that Linux services that don’t support Kerberos but do support PAM can still interface to the kerberos authentication database, albeit without the automatic authentication niftiness. I’ve got a couple of web applications to convert over, and Samba, which the current version in Warty segfaults on when attempting to use Kerberos for authentication – Ubuntu Breezy is expected to fix this – and then I can finally toss LDAP as an authentication method.


Recently I’ve had a bit of a call to buy the CDs for some of the more common things I listen to. Things have changed since I was a poor student. Back then, $35 was a fair chunk of my income. Now it’s a night out. I think it only fair to start buying some of the albums I listen to. I’m still not 100% sure that allofmp3.com is morally legitimate. It’s a very odd feeling to think of me buying CDs again.

Peak Oil – Or Not?

Unless you’ve been living under a rock recently, you’ve probably heard the term “Peak Oil” being bandied about.

If you have been living under a rock, you’ll still have noticed the price of petrol sky rocketing. I haven’t sat down and done some extrapolation, but I’m guessing easily NZD$2.00/L by Christmas, and $5.00 by same time 2008 – possibly more. That oil will hit $100 a barrel by the end of the decade is a damn near certainty.

What happens after that is a little less certain. Currently, there are two extreme view points. The optimistic one is that the first world, and eventually the second and third world, will continue to live in our air-con’d-commuting-one-tonne-vehicles-to-work mode for the rest of the foreseeable future until we discover fusion and we all get our air cars.

At the other end are the cynics who are damned sure that we’re going to run out of all recoverable oil by about say, 2010 – give or take a few years. The vision of the future here is that we’ll all be forced back to an agrarian existence, and that very likely, someone’s going to nuke someone over the little precious black gold remaining, and from there, it’s back to the stone age.

In truth, I think it’s somewhere in the middle. It’s pretty obvious that we’re using oil way too fast. It should be fairly obvious that abiotic oil, if it does exist, clearly isn’t going to supply the world with enough oil for six billion people to burn it like the Americans* do. But even if that were possible, it’s pretty obvious that pumping that much CO2 into the air just isn’t a good idea.

The irony is that the thing that arguably got us into the mess in the first place will, given enough time, pull us out again: greed, and its all-grown-up son, capitalism.

As we come over the peak of an oil field, we start to spend more and more energy to extract a unit of energy from the ground. In economic terms, this is known as an increasing marginal cost. As a result, on a global scale, when a significant percentage – say, more than half – of the oil fields in the world hit this peak, the price of oil starts to go up quite markedly. Sound familiar? However, because oil production is an excellent example of macro-economics, we get to see supply and demand in action – and this is where the unknown comes in.

If demand for oil proves to be completely inelastic, that is – we all keep consuming roughly the same amount regardless of the price, then we will run out, and me and my brethren will take my Primera and go MadMax styles for a while.

If the demand for oil is relatively elastic – we might just pull our collective asses out of the frying pan and through the fire. Elastic demand means that as the price goes up, we consume less.

As a basic example, a very inelastic good is food. Up to the limits of our income, we will continue to buy food. Conversely, iPods are a very elastically demanded good. If the price of iPods goes up, purchases will drop rapidly.

At a guess, oil is probably somewhere between the two. We need oil to power a large chunk of our society, but at the same time, there’s a lot of inefficiencies and unnecessary use in the system. Assume**, for the sake of argument, that the bulk of oil production is used directly in transportation by motor vehicles. As the price goes up, discretionary use of oil will go down. Things like Wendy’s missions to Auckland, and ‘going for a drive’, will be the first to go. Alongside will be the obvious car pooling options. My flatmate and I work in the same building, so it makes sense to carpool. As the weather’s cleared up, we’ve started to walk to work. Next, people with the same destination or origin will start to carpool. As the price starts to skyrocket, courier companies will start to quote things like ‘when there’s enough deliveries in your area’, and biking will become more common than driving. Telecommuting will doubtless become far more common. I already see more people taking the bus.

International trade will be high on the list of things to suffer. It will no longer be economic for China to manufacture clothes and other low price items for the first world, since the sheer cost of moving jeans across oceans will make it much more economically viable to fabricate them here. In New Zealand, expect to see many more wool clothes and, depending on the result of the legislative battles, hemp. Don’t expect to own much in the way of polyester clothing beyond 2010. Trade is unlikely to die out completely. We’ve been trading for centuries with nothing but wind and muscle power, and computer chips pack a lot of value per mass.

As the price of oil goes up, and oil power becomes unviable, local communities and cities will start to turn to whatever solutions they can find. Although modern communications will mean that technical knowledge can flow fairly easily, the increasing effective trade distance will break mono-cultures that once spanned thousands of kilometers into pieces, and we’ll start to care less and less about the culture of the guy at the other end of the continent.

How long will this take? It depends on two variables: how much oil we have left, and how fast we consume it, and how fast the world’s population and its leaders react to these changes. I wish you all the best.

* Depending on who you ask, the USA consumes somewhere between 25% and 35% of the world’s oil supply.

** I’m very aware this is not true.

Busy Again

Regular readers of this site may have noticed that updates this year have been somewhat lacking. I have written several pieces that just never made their way on here because on rereading, I judged them unsuitable. The real reason is that I’ve just been hella busy.

The job I got last year means I have money. Money means the ability to do stuff, and for a variety of reasons, I actually have a social life now, as opposed to pretending I do, and feeling sorry for myself when I was reminded that I didn’t.

At the start of this year, I kind of fell into the role of leading a cell group. As a quick guide, a cell group is something along the lines of a home group, bible study group, or church social group. It’s called a ‘cell’ group because it grows, and then splits, like a living cell. There’s a whole bunch of other biological / Christian parallels, but I won’t go into them here. This leadership stuff has been incredibly good for me, both in my Christian walk, and for growing my social skills. I’ve had the benefit of an excellent co-leader who sadly leaves for Ireland very soon, leaving me to actually take most of the responsibility. I did ask for another co-leader, but it seems that God has other plans – mostly along the lines of me taking real responsibility for the group, rather than pawning it off on other people all the time.

I may joke, but there is real work involved in this. There’s boring and mundane stuff like maintaining phone lists, and working out where the next week’s location will be. There’s brain wracking stuff, like trying to come up with yet-another-study, and there’s frustrations, when of the thirteen people that you emailed, only two show up on a given night. There’s being woken up at 2am because you’re the one they call when they don’t know who else to turn to. I know that God has a massive hand in making anything of this nature happen, but I also know from my own bone weariness that I’ve put a fair share of effort in as well.

But it’s worth it. Things like knowing you have a bunch of people you can call at any time for prayer or help. Having Christians around me at the same point in life (post-study, single, not married, not intending to), who can commiserate and support me during my hard times. A bunch of people that we can hang out with, not just in meetings. When I blew it one week with other stuff, and had to announce there was no study written, no worship planned, I had no idea who was on supper, nor did we have a venue, the group rose to the challenge, and people volunteered to take care of everything. That was exceedingly cool. It’s taken time to get here though, the start of the year it was a complete mess. New members have come, and I had the privilege of bringing a solo-Christian into a group of people where he instantly felt at home and is rising to take his place as a leader of the next cell we split off. This has been an absolute blast.

This all takes time. And that’s why SRWOFB has been essentially left in the dark. I just haven’t had much time.


It occurred to me, having read a bunch of other blog type things, that I don’t quite fit the mold. I refuse to talk about work or my flat in detail. I do this for a good reason – people at these places have the Internet. There’s a good possibility, though not probable – that these people will Google their or my name at some point. I’d rather not destroy a friendship over something inadvisable I said six months earlier just because I was in a snarky mood. Nor do I want to get fired, because I disagreed with my boss on something that I decided to air in public.


About three months ago, I started going to Ceroc lessons. In a nutshell it’s a combination of Latin and Jive dancing, where you don’t have to worry too much about where your feet are going. It’s also tonnes of fun, looks way cool, and everything looks harder than it really is. I finally got my butt along to a dance party on Friday night, instead of just the usual practices. Now I’m kicking myself for not attending one earlier. I got to dance and talk with many beautiful women, and improved markedly in those four or five hours. It also makes you talk to many different people in a short space of time, and forces you to be proactive in approaching people. If you’re shy, like I still can be too often, this is a Good Thing.

Mail Wars

So it looks like I’m writing documentation. I’m waiting for a greenstone collection to build on some PPC box in Hawaii, and I really really should write some documentation on the installation of Cyrus we maintain for clients. The problem is that Cyrus is a horribly documented piece of crap. I’d really prefer to use something like Courier-IMAP like I did on the internal mail server, because it just freaking works. I’ve had to use Cyrus-IMAP because of its support for virtual domains.

I was forced to use LMTP to transfer between Exim (MTA) and Cyrus because there was no alternative. LMTP is one of those protocols that, no matter how well supported it might be, is nevertheless obviously a hack to fill a hole that should never be there in the first place. The whole point of a nicely integrated SMTP/MTA server like exim is that mail, once accepted, gets written to the same place the IMAP server reads its data from. Instead, I’ve got some BS where Exim decides if the mail is acceptable, then transfers it using local loopback to the IMAP server using LMTP. This does work, but it still feels like an ugly hack. Furthermore, it uses Yet Another Bloody Authentication System called SASL (http://en.wikipedia.org/wiki/SASL) (Simple Authentication and Security Layer), which is unusable by anything else on the system. Given that MySQL doesn’t use PAM or LDAP, this means I have no less than FOUR authentication systems on the system (Unix passwd files, LDAP, MySQL, and SASL).

… Ten minutes later…

Courier DOES support Virtual domains. Feck! This information would have been a lot more useful six months ago when I set up the server originally. However, plans are in the pipeline to replace the current client server with one at a provider that doesn’t suck, so I’ll get the opportunity to replace this horrible setup with Debian Sarge + Exim4 + LDAP + Courier-IMAP. Yay.

Use LDAP – everywhere you can. You can thank me later. You should pass off authentication to something like kerberos if you don’t fully trust your servers (and you shouldn’t, unless they run on the same server, and/or you have complete control over all of them), but there is something beautiful about having one system for holding all your information about users, groups, passwords, access controls, hosts… Samba supports it. Windows supports it. Unix supports it. PAM, the mother of all authentication in Unix, supports it. And if that wasn’t enough, although I hate to play the authoritative card here, if IBM, Sun Microsystems, Novell, and Microsoft* all decide to use the same system, you probably should consider it as well.

* It’s probably worth pointing out that Microsoft’s Active Directory is essentially LDAP, plus Kerberos for authentication, an SMB server for file sharing, and some nice interface stuff to string it all together. I’m willing to go out on a limb and bet that in an AD setup, the DNS and DHCP servers get their information from LDAP as well.

Can’t Eat

Gods, I feel like crap. I’m staring at this filled roll I made, and feeling unable to eat. I do not want the roll. I don’t want anything, not even water.

This was not the plan. This is my healthy weight, and I intend to stay here, not starve myself, but I cannot physically bring myself to eat.

Maybe it’s the caffeine. I started drinking coke again last week when I failed to get enough sleep, and had tests and assignments due on top of work. I’ll force myself to not drink coke or V, get a few nights of good solid sleep, then I’ll be right.

I hope.

Not Eating

There might be something wrong with me.

I had a muffin at break today, and it felt like cheating.

I weighed in this morning at 84.1 kg. About two months ago I weighed in at 91 kg. About February last year when my flatmate bought a pair of scales, I was edging over the 100 kg mark. The best way to describe me then was ‘chubby’. Nervousness and frustration at my last job drove me to eat snack food all day and drink beer when I got home, which drove me over the triple digit mark. The lifestyle of sitting in front of the computer drinking coke all day kept me there.

Remember this? At that point, I was on 90kg, ten kilos lighter than two months before. This time, the weight loss happened when I stopped walking to work, and taking a third of my normal portion size. I no longer feel the need to walk five kilometers every day for exercise; I already have the muscles, so weights, crunches, some lunch time walking, and the reduced calorie intake take care of the rest.

OpenVPN Goodness

While I am one of the biggest Linux zealots out there who doesn’t shove it down people’s throats, I’m painfully aware that all too often the closed source versions of software are better than the open source offerings.

However, occasionally, and more and more often, I’m pleasantly surprised to find an open source piece of software that hands down beats the living crap out of the closed source counterpart.

I had this experience this week when my boss asked me to install a VPN. Given that most people have Windows or Mac boxes at home, I decided to install a server that worked with the default L2TP/IPSec client that ships with Windows 2000/XP.

This turned out to be a horrible mistake. I’ll say this now; L2TP/IPSec is one of those things that just makes you sit up and say “What kind of crack were you guys smoking when you designed this protocol?”. One of the more stupid aspects of its design is the hoops you have to jump through to make it tunnel through NAT, because the designers thought it would be a good idea to force the encryption certificate to be attached to the IP address of the interface of the target IP. Tough shit if your VPN concentrator is not on the same piece of hardware as your NAT firewall, and/or, in our case, you don’t have a Verisign signed certificate for every single piece of hardware.

I appreciate that this isn’t the fault of the people who designed IPSec, and that the L2TP protocol didn’t originally have these issues, but surely engineers designing the VPN solution to ship by default with the world’s biggest desktop operating system, one that prides itself on being easy to use, must have thought “Hang on one second, this thing is a royal PITA to set up, perhaps we can do better?”

Apparently not. I spent the better part of three days pissing around with this crap at work, and at the end of the third day, I was no closer than apt-getting a few packages on the server.

On the fourth day, I got to work, and in a profound sense of disgust, threw out most of what I had, and went looking for something else. Enter OpenVPN. I had this baby talking to the server and producing useful error messages in about ten minutes flat, and connected and working a few hours after that. Most of the time I spent getting my head around public key infrastructure and signed keys. I appreciate these things are necessary, but wow, someone could explain it more easily.

The most beautiful things about OpenVPN include support for Windows, Linux, Mac, BSD, and Solaris – and here’s the kicker – the same configuration files are used on all platforms. The icing is its ability to use UDP ports, and magically allow multiple people to connect through the same UDP port. This avoids the meltdown problem when you stick TCP over TCP.