The Past, the Future

17 05 2010

Again, more than a year went by since I last posted on this blog. One reason for the silence was that most of my activity (which mostly consists of random stuff I find or found out) went to my Soup/tumblelog instead. All my longer writing was soaked up by something else which kept me busy last year: In early 2009 I started to work on my diploma thesis to finally finish my studies.

My plan: To create an embedded device working as an IPv6 gateway behind an existing IPv4 NAT router. That is, it was supposed to provide IPv6 connectivity via a tunnel and advertise the assigned prefix to the local network. While that might sound easy to the average Linux-savvy geek, this device is supposed to work without reading any manpages and setting up oddly named daemons via weird text files. Plug in the device (which configures itself via DHCP), start up your browser and discover the gateway’s configuration interface without too much hassle (read: using something like Bonjour or UPnP), two clicks, entering a username here and a password there, click Apply and IPv6 is available. Any troubles caused by IPv6? Just unplug the device. That sounded more like the plan.

Additionally, enabling the new protocol without any preparations would expose any existing IPv6-enabled devices (did you know that most network-enabled printers have supported IPv6 for ages?) to the whole world instead of only the semi-protected local network. So this new device was supposed to offer the same default security a NAT router has (blocking any/most incoming connections while allowing anything going out) but giving the user the possibility to disable (or adjust) the firewall for his own (hopefully protected) endpoint and thus enjoy the advantage of real end-to-end connectivity (yay!). The perfect way to achieve this would be an IPv6-enabled version of UPnP IGD or NAT-PMP, but a browser-based configuration interface driving a ruleset based on the client’s MAC address is a start.

September 2009 it was finished: Almost 120 pages (even 170 pages including metadata like the bibliography) describing the OpenWrt-based device. And a new implementation of the firewall as I discovered that the one available in OpenWrt didn’t support IPv6 (the resulting code was recently merged into OpenWrt to replace the existing firewall). Both my thesis and the code are available online.

Another month and a final exam later I got my degree and may now call myself Diplom-Ingenieur (FH).

Friends told me there was a nice summer 2009. Behind my screen I didn’t really see much of it, so yet another month later I was gone south to catch some sun: Gone for a bunch of months to Australia and New Zealand, finished with a stopover to visit some friends in South Africa and Swaziland on the way back home. (When I came back some weeks ago, friends told me there was a really cold winter as well.)

Now I’m back home in Hamburg, pondering over the future. Shall I continue and extend my freelancing or go for an employment at some interesting company? After some thinking I guess it will be the latter. Preferably an open source friendly place which works on embedded and/or networking stuff, somewhere in Northern Germany. There are some interesting places in Germany but it seems like the last criterion could be a showstopper. We will see…

Fight the everyday racism

10 12 2008

Last Friday something happened at the Kulturhaus III&70 which happens every weekend in every bigger city of this world: A bunch of people went out to have some fun but one of them wasn’t let in by the bouncers. Not because he was drunk. Not because he wasn’t dressed decently. Just because he looks foreign.

But this time something was different: The group was a spontaneous meetup of members of the hospex site CouchSurfing. And the one who wasn’t admitted was Kyra’s flatmate. And Kyra decided not to walk away and shut up. Instead she posted to the Hamburg CouchSurfing group, asking for advice, and sent a mail to the place.

The reply was disappointing: Instead of an apology she received an excuse for the bouncer’s behaviour. Obviously there was some struggle between some foreign (probably Turkish) looking people and after that the bouncers decided not to let anybody with a similar cultural background into the place. This is quite a common countermeasure, and while understandable from the bouncer’s point of view, nonetheless discriminating against a lot of innocent people.

But instead of apologizing for the social collateral damage, the mail went on to justify this behaviour based on the increased propensity to violence among Turkish and African people.

Though this is even more discriminating, your average statistics (or your bouncer’s experience) might even endorse this attitude. And granted, there are places with worse door policies. But here we’ve got to have a look at the background of the III&70 and the picture it wants to present to the public: The III&70 is supposed to be an open meeting point, both cultural and cross-cultural. Tonight they host the anniversary party of the Declaration of Human Rights organized by Amnesty International Hamburg. Their list of partners includes the Festival der Kulturen and the leftish paper taz.

So especially a place like the III&70 with its alleged background and located in a mixed neighbourhood with its own issues should break new ground when it comes to handling violence amongst customers and not turn to racist solutions. Off the top of my head an in-house social worker comes to my mind. Other people might have better ideas, which might even be cheaper.

Back to the issue at hand: While a surreal discussion about the topic emerged (make up your own mind, most of the chatter is in English), Kyra decided to contact the so-called media partners of the III&70. It wasn’t a long time coming: taz, Welt and MoPo printed an article and the III&70 had to release the following statement on their website:

Dear guests,

as every one of you can experience every day and every evening at the III&70, we are a cosmopolitan, intercultural and inclusive house. Among our guests as well as among our team members there are people of many different nationalities, religions and sexual orientations. That will not change in the future either. Come by and see for yourselves.

It is precisely because of this openness that conflicts and friction occasionally arise. That is why it is necessary to act quickly and decisively against every form of aggression, discrimination and macho behaviour.

Last Friday a physical altercation between guests took place in our house, in which our bouncers had to intervene. Although the situation was eventually resolved, tensions remained high. That is understandable, but it is still not acceptable if other uninvolved guests are treated insensitively as a result.

Because we have no simple rules for our bouncers, complicated situations arise that require quick decisions by individuals during stressful periods. Mistakes can happen in the process.

We accept our responsibility for the incident on Friday evening and apologize to everyone who felt insulted or discriminated against by certain remarks or certain behaviour.

Since we do not want to and will not change our fundamental openness, complicated situations and conflicts cannot be avoided in the future either, and we accept this challenge. Simple solutions and answers are populist in this context, both in the press and in practice.

Your III&70 team

Additionally, a personal apology was sent. Both read more like a justification as well, and especially the last paragraph of the statement shows that they don’t see (or don’t want to admit) the shortcomings of the bouncer-dictatorship principle and aren’t looking for a different solution; but at least people are now able to form their own opinion. And maybe challenge the self-proclaimed status of the III&70 as an open, cross-cultural meeting point, so they have to do their homework to live up to that picture.

Or not.

And the moral is? While it’s all good and fine if you commit time and money to starving children, tsunami victims and other people in need all around the world, you shouldn’t shut your eyes to the everyday racism and discrimination around you. And nothing will change if you don’t make it public: Be it via the classic media, platforms like your local Indymedia, social sites like CouchSurfing or BeWelcome, rating sites like Qype, local politicians or neighbourhood development organizations, or just your own blog. The possibilities are manifold. Just don’t shut your eyes and your mouth.

I stand corrected

15 10 2008

I always thought that with my OpenVPN server running on port 443 I could bypass any proxy or firewall that allows me to connect to HTTPS sites. Well, it seems like at this place there is some transparent proxy in place which actually inspects the TLS/SSL handshake, and OpenVPN doesn’t exactly behave like HTTPS. Jabber works though, so it seems like I’ve got to find a way to encapsulate the VPN in a real TLS stream or something. Anybody got an idea?

Default X session, please

8 06 2008

Judging from Google it seems like this is quite a common annoyance but nobody really knows how to get around it: If you use KDM as your login manager and temporarily login with a different X session than your default one, KDM will remember this and the next login will use your “previous” session.

That’s a nice feature per se, but annoying if you combine it with auto-login and a heavyweight session type like my dedicated VirtualBox session (more on that another day).

There’s a simple workaround though: Your previous session is stored in the file ~/.dmrc. Just replace the Session option in there with Session=default (don’t remove it; if you remove it, login will fail) and make the file read-only:

sed -i -e '/\[Desktop\]/I,/^\(\[\|$\)/{/^Session=/Is/=.*$/=default/}' ~/.dmrc
chmod -w ~/.dmrc

From now on you’ll always be logged in with the system default.
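The same pinning, as an added example that is not part of the original post: a small POSIX shell script that rewrites only the Session key inside the [Desktop] section of a .dmrc-style file, adds the key if the section lacks one (a missing key is what makes the login fail), and makes the file read-only. It uses awk instead of a sed range so that it works no matter where Session= sits inside the section and leaves other sections alone; the sample file content and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pin the display-manager session
# recorded in a .dmrc file to "default" and protect the file from being
# rewritten again. awk is used instead of a sed address range so that only the
# [Desktop] section is touched, wherever Session= appears inside it.

# Rewrite Session= inside the [Desktop] section of the file given as $1.
# If the section has no Session key, one is added, because a .dmrc without a
# Session key makes the login fail.
pin_default_session() {
    file="$1"
    tmp="$file.tmp.$$"
    awk '
        /^\[/ {                                   # any section header
            if (in_desktop && !seen) print "Session=default"
            in_desktop = ($0 == "[Desktop]"); seen = 0
        }
        in_desktop && /^Session=/ { print "Session=default"; seen = 1; next }
        { print }
        END { if (in_desktop && !seen) print "Session=default" }
    ' "$file" > "$tmp" && mv -f "$tmp" "$file" && chmod a-w "$file"
}

# Print the Session value the display manager would read from the file.
session_of() {
    awk -F= '/^\[/ { d = ($0 == "[Desktop]") } d && $1 == "Session" { print $2; exit }' "$1"
}

# Constructed sample: Session is NOT the line right after the header, and a
# second section carries its own Session key that must be left alone.
demo() {
    f="$(mktemp)"
    printf '%s\n' '[Desktop]' 'Language=de_DE.UTF-8' 'Session=virtualbox' '' \
                  '[Other]' 'Session=keep' > "$f"
    pin_default_session "$f"
    session_of "$f"      # prints: default
    rm -f "$f"
}
```

Run `demo` (or call `pin_default_session ~/.dmrc` directly) to apply it; the file is left read-only, so you will have to `chmod u+w ~/.dmrc` before the display manager can record a session choice again.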

LVM+ext3 rocks

6 06 2008

I guess this is old news to most people, but I’m still excited: The combination of LVM and ext3 makes it possible to resize a partition while it is still mounted.

The short story:
root@TreeHouse:~# lvextend -L+1G /dev/hd/kubuntu
Extending logical volume kubuntu to 6.00 GB
Logical volume kubuntu successfully resized
root@TreeHouse:~# resize2fs /dev/hd/kubuntu
resize2fs 1.40.8 (13-Mar-2008)
Filesystem at /dev/hd/kubuntu is mounted on /; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 1
Performing an on-line resize of /dev/hd/kubuntu to 1572864 (4k) blocks.
The filesystem on /dev/hd/kubuntu is now 1572864 blocks long.

That took maybe two seconds.

Better switch off your phone when shopping

19 05 2008

Nice. Times Online reports:

Customers in shopping centres are having their every move tracked by a new type of surveillance that [...] has already been installed in two shopping centres, including Gunwharf Quays in Portsmouth [...].

There’s no reason to worry of course:

Path Intelligence, the Portsmouth-based company which developed the technology, said its equipment was just a tool for market research. “There’s absolutely no way we can link the information we gather back to the individual,” a spokeswoman said.

Nobody would ever think to link your IMEI or IMSI number to your bonus card, your gift card or even your credit card number of course. And if anybody did so, they’d probably put a notice to an easy-to-find place, like an 8pt sign at the entrance or on the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.

(A little) too much magic

17 05 2008

How do you know that Linux becomes mainstream-ready? If stuff happens magically and you don’t know where to start debugging of course.

Seriously: I always had some issues accessing my digicam (an Olympus SP-700) from KDE (actually, Kubuntu): The system always first tried to access it via some magic camera device while it actually offers a standard usb-storage device. I always had to cancel the dialog which offered me to use the first one and wait for the second one to appear. Weird but it worked.

Since I upgraded to Kubuntu 8.04, the workaround doesn’t help anymore. The second dialog never appears. Not even the /dev/sdx device is created anymore. So it seems like I’ve actually got to start debugging that stuff. My guess is that it’s a weird clash between HAL and/or udev and gphoto2. I.e. somehow gphoto2 (which creates those weird camera devices/mounts) thinks it should handle the camera while that is actually not necessary and the default handler would handle it just fine.

But debugging HAL/udev is actually not as easy as looking at some dmesg output. Looking at /etc/udev/rules.d didn’t help, seems like I’ve got to dig deeper and somehow get some debugging output from the daemons working in the background…

But I shouldn’t complain: Debugging got indeed a lot more complicated, almost as tangled as the Windows stuff. But while both systems work in 99% of all cases, in the remaining 1% I can at least have a look at the sources and grep some plain text config files.

Update Madness?! This is Debian!

12 02 2008

I really like Debian. Or (K)Ubuntu which I actually use. And of course apt/dpkg. Great stuff. Almost as good as Portage, with the unbeatable advantage that you don’t have to compile all that stuff on your own :)

But can somebody please explain something to me?

Why does a little update in KDE packages always trigger such an update madness?

Like currently in kdepim:

debian/control: Added Conflict/Replaces on ksync for kitchensync. “ksync” gets shipped with kitchensync now. (LP: #133944)

That’s only two packages. Why do I have to update all the stuff coming from PIM? Actually, why do I have to update at all if it’s only metadata which was changed?

Or in kdebase:

* Stable release update, support new Flash in Konqueror
* Add kubuntu_9917_flash_xembed.diff, adds xembed support to Konqueror
* Add build-dep on libglib2.0-dev
* Closes LP: #184149

Great, flash should work again. But why do I have to download kdebase-data for that?

One of the reasons Gentoo switched to split ebuilds for KDE was the advantage that you didn’t have to download the whole package again just because only one small app like ksync was changed. Why does Portage manage to do that and the good olde dpkg not? Or does that only happen in gutsy-proposed? Can somebody enlighten me?

To photoshop

31 01 2008

I was just musing if Adobe might soon face the same problem Xerox and Kleenex had: “I photoshop my cat pictures with Gimp!” when I stumbled upon this post at Coincidence.

I guess the same might happen to the brand iPod. If I worked at a department store and somebody asked me for an iPod, I’d ask them first if they really want an iPod or just some kind of MP3-player (where even that term is wrong as most of those also play WMA or Ogg). Reminds me of Sony’s Walkman, though I’m not sure what exactly happened to that brand as they still use it nowadays.

How to secure your URL-redirector

29 01 2008

While I wrote the previous post and did some googling I noticed that the ARD also has one of those pesky URL-redirectors. It is here. Try to attach any URL to the parameter called url, like this one. What’s the problem with redirectors on your website which allow people to redirect to arbitrary pages? There’s an article at Heise Security which explains it quite well (I don’t know what’s worse, Google or a news site like the ARD).

So if you really think you need some automagic redirection like this (eg. to count outgoing clicks) please implement at least these easy rules:

  • If it’s used by a form only (like in the Google case), make sure it works with POST only.
  • If you want to use it in clickable links, check the Referer. Not every browser sets that header; in those cases show a static page which explains to the user what is happening and offers him a link to actually exit.

Even more secure is to put every link ever used on your site in a database (you want to track the clicks anyway, right?) and add an id to the URL. Then people can only hop over your site when you posted that link yourself before.
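The three rules above, as an added example that is not code from the original post or from any of the sites mentioned: a redirect decision function that is POST-only when used from a form, checks the Referer (and falls back to a static "you are leaving" page when the browser sends none), and looks the target up by id in a table of links the site itself published instead of taking a raw url parameter. Next to it sits the pattern the post warns about, so the difference is visible. SITE_HOST, LINK_TABLE, the function names and the plain-dict request shape are all constructed for this example, so it runs without a web framework.

```python
"""Added example (not from the original post): an open-redirect guard that
applies the post's rules.  All names and sample data are constructed."""
from urllib.parse import urlsplit

SITE_HOST = "www.example.org"  # host that serves the redirector (constructed)

# Stand-in for the "every link ever used on your site" table from the post:
# the redirector only hops to a target it has previously handed out an id for.
LINK_TABLE = {
    "1": "https://www.heise.de/security/",
    "2": "http://example.net/some-article",
}


def naive_redirect(request):
    """The pattern the post warns about: whatever arrives in ?url= becomes the
    target, so anyone can make your site bounce visitors to an arbitrary page."""
    return request["query"].get("url")


def referer_from_own_site(headers):
    """True/False when a Referer is present, None when the browser sent none."""
    referer = headers.get("Referer")
    if not referer:
        return None
    # Exact hostname match: "www.example.org.evil.invalid" must not pass.
    return (urlsplit(referer).hostname or "").lower() == SITE_HOST


def hardened_redirect(request, form_only=False):
    """Decide what to do with a redirect request.

    Returns one of:
      ("redirect", url)      issue the 302 to url
      ("interstitial", url)  show the static "you are leaving" page with a link
      ("deny", reason)       refuse (400/403 in the real handler)
    """
    # Rule 1: a form-driven redirector accepts POST only.
    if form_only and request["method"] != "POST":
        return ("deny", "redirector is form-only; GET not allowed")

    # Rule 3: the target comes from our own table, never from the request.
    target = LINK_TABLE.get(request["query"].get("id", ""))
    if target is None:
        return ("deny", "unknown link id")
    # Belt and braces (my addition): even a stored target must be a web URL,
    # so a javascript: or data: entry that crept into the table is not served.
    if urlsplit(target).scheme not in ("http", "https"):
        return ("deny", "stored target is not an http(s) URL")

    # Rule 2: only hop when the click really came from one of our own pages;
    # without a Referer show the static page that explains and offers the link.
    own = referer_from_own_site(request.get("headers", {}))
    if own is None:
        return ("interstitial", target)
    if not own:
        return ("deny", "Referer is not this site")
    return ("redirect", target)


if __name__ == "__main__":
    click = {"method": "GET", "query": {"id": "1"},
             "headers": {"Referer": "https://www.example.org/news/42"}}
    print(hardened_redirect(click))
    forged = {"method": "GET", "query": {"url": "http://attacker.invalid/"},
              "headers": {}}
    print(naive_redirect(forged), "vs", hardened_redirect(forged))
```

The id lookup is what does the real work: once the target can only be one of your own published links, the Referer check and the POST restriction merely stop third parties from using your click counter as a bounce, rather than being the only thing between a visitor and an arbitrary page.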

Or just don’t do stuff like that.

Hmm… interesting, this link redirects to port 9185 on Not that this machine was accessible from the outside but if the rest of the CMS is written as bad as this part…