Archive for the 'Uncategorized' Category

War of the Operating Systems

Friday, May 11th, 2007

Hi All…

Here at uni (Room S825, S-Block, QUT Gardens Point) someone started a drawing of some penguins getting alarmed at a Windows Vista logo on one of the whiteboards. Over time, this little cartoon has evolved, and thus I figured I better get a shot of it before it disappears. It symbolises the battles between various operating systems — mainly the OS zealots. Of course, things aren’t really quite like this, there is quite a bit of co-operation between the various platforms, with a few notable exceptions.
Anyway… here it is… enjoy. :-) As always, click the image for an enlarged version.

War of the operating systems

Don’t Touch: Pen Is Stuck

Saturday, April 14th, 2007

Hi All… I just received this email… Some may have seen it before, and I could’ve just forwarded it to people, but rather than forwarding an email that’s already been forwarded at least 6 times, complete with the email addresses of everyone involved, I figured I’d post it up here.

A co-worker got a pen stuck inside our printer. He started to try and remove the pen, but I told him we don’t have time for that now, just put a note on the printer telling folks not to use it and then report it to the Help Desk. So he grabbed a piece of paper and scrawled on it. I left before he finished the note.

About 20 minutes later, one of my techs comes in laughing and says he was just in the lobby, saw a piece of paper on a printer and went to investigate. Attached is what he found. Sometimes things don’t always come out the way you want them to…

Pen is Stuck

Hrmm, yes… I’ve heard of people putting their tackle in mighty unusual places, but I wouldn’t rate an office printer as being one of them I’d want to try. Thanks to “Jo” who originally sent the email, and to the chain of people who eventually forwarded it to me (Tim being the last on the chain). Being a bit sore and sorry after a buster on the bus (entirely my fault), I needed the chuckle. :-)

Beating the water shortage: How to have a shower in 6 litres or less

Wednesday, April 11th, 2007

(Update 20080211: During an upgrade of my blogging software, I accidentally lost the photos of the shower… I’ve since taken new ones, of the portable shower, and the new in-house installation.  Click any photo for a larger image.)

Those of you in this part of the world, will probably know about the massive water shortages brought on by the drought. Particularly in Brisbane, where the problem is that dire, that we’re moving to level-5 water restrictions, which means luxuries like washing cars and watering lawns are largely things of the past.

Residents have been asked to keep their showers to 4 minutes or less — but is there a better solution? Well, when camping, we often have to face working with a limited supply of water. Often we have two supplies, drinking water that we bring with us, and washing water that we collect from the campsite. Lugging buckets of water around is no fun, thus it pays for us to be efficient in our water usage.

Camping showers often are overglorified bags with shower nozzles attached to the bottom. Usually there are two types, one is usually made of black plastic, and is designed to absorb heat from the sun. The other is a bag you just fill with heated water. They need to be suspended overhead, often quite high to be useful. They’re heavy when fully loaded, making hoisting them a challenge, and don’t offer that much pressure. You can also get showers that are powered from a 12v supply, which overcome this issue, but then one must have a car or small SLA battery nearby. None of these are all that useful when not camping either.

Kym Schluter, however, came up with a rather novel idea. Hardware stores sell pressurised weed sprayers which can carry several litres of water. By attaching a suitable hose and nozzle to these, you can build a camp shower which is portable, doesn’t need to be hoisted up high, and provides decent water pressure without electricity. He’s been using this shower for a number of years now, and over time, a number of us have made replicas of it. None of the camping stores seem to be selling these showers — but thankfully, your local hardware store will carry most, if not, all the components you’ll need to build one of your own.

The shower consists of three main parts, the pump pack itself, the hose and the nozzle. The lot connects together using standard hose fittings, allowing you to theoretically use any off-the-shelf trigger hose nozzle. The unit pictured on the left is a 6L pressure pack. A short length of clear 12.5mm tubing connects the bottle to a hose fitting. On the bottle side, plumbing tape is wrapped over the screw thread to seal the gaps. The hose was fitted by heating the end up (place it in hot water for a few secs) then pushing it over the end of the thread. It was then clamped to keep it from slipping off. You’ll find the other end of the tube will neatly fit inside the hose fitting, making a secure fit.

To make the hose, we used some 10mm clear tubing, with a screw-in adaptor fitting on one end, and a standard hose fitting on the other. The thread on the screw-in fitting is wrapped up with plumbing tape and clamped much like the pressure pack, and the other end will generally fit quite securely.

The whole assembly is completed with a standard off-the-shelf trigger nozzle. You can use almost any fitting here, bearing in mind that soaker nozzles tend to lose pressure quickly (<2 seconds). Ideally you’re looking for something with a fine spray. The nozzle pictured here has several settings, the ones that are useful are “centre” (uses a small 2cm ring in the centre of the nozzle), “jet” (produces a 2mm jet of water), “flat” (produces a 5mm×1mm rectangular jet) and “mist”. Your mileage will vary.

I haven’t produced any diagrams of the system, since it’s a pretty simple concept, but I figured I’d pass this idea on. We’re thinking of building one for one of my uncles: my cousin and his girlfriend both see nothing wrong with half-hour showers. This system, you can take as long as you like… you still won’t use any more than 6L water. I’ve found using this unit, I’m able to get everything done with water to spare. Couple this with one of the solar showers mentioned earlier, and you’ve got a green way to keep clean. :-)

Installing an in-house trigger shower

Since posting the above entry… we’ve actually installed a similar shower arrangement in our house.  Using typical washing machine adaptor fittings that you can obtain from any hardware store, you can achieve much the same thing.  You don’t have the 6L limit, which is both a positive, and negative, and you don’t have to pump it.  The photos here show the installation (left), and a close-up of the fittings in use (right).  To use this on a mains supply, you’ll need a water hammer arrester, like the one pictured in the photo — otherwise the water hammer generated when releasing the trigger will push the hose off the end of the fitting.

2007 Easter Long Week-end Trip: Queen Mary Falls

Monday, April 9th, 2007

Hi All…

I’ve just got back from a rather relaxing weekend. Where was I these last few days? Well, rather atypical behaviour for a geek like myself, I ditched the laptop and other I.T. paraphernalia, packed up the car, and headed across to Queen Mary Falls, just outside Killarney. This was a basecamp organised by the Bushwalkers of Southern Queensland, we were camped on a private property right up in the highlands just a short drive from Carr’s Lookout.

We got there about midday, having left Brisbane at around 8:00AM, passing through Boonah, and up the long and windy steep road on the way to Killarney. The afternoon was spent pretty much unpacking the rather heavily laden car (3 adults packed into a 1982-model Subaru stationwagon doesn’t leave much space for comfort). What was immediately apparent when I first stepped outside, was the temperature and strong wind. We were expecting it to be cold, as we were at quite a high altitude, however just how much colder, was a surprise. The wind was blowing pretty much constantly the whole weekend, changing only in direction. I was wise to leave my hat in the car — I don’t fancy doing a Mary Poppins/Flying Nun impersonation. ;-)

Day 2 began with a long walk around the Queensland/NSW border fence down to the Killarney gate… a round trip of 17.6km. There wasn’t all that much in the way of photo opportunities, although I tried to get some shots of the countryside in — mostly rolling hills. We managed to get a shot of Mt. Lindsay (see left) whilst having lunch on top of the ridge, although cloud cover meant the views weren’t all that we’d have hoped.

Towards the end of the walk, we were met by domestic cattle on numerous occasions, coming up to check us out, before running off to the other end of the paddock. At one point… where we had lunch in fact, it looked as if the cattle were guarding the track (see right), but it would appear that it was merely animal curiosity — they quickly moved off when we started walking again.

The walk finished with a very steep descent (see left) down to where the cars were waiting. This was hard going on the knees, and before long, my feet were sending messages up my spine about it. This was probably the hardest bit of the walk. Definitely not what it was cracked up to be. Nonetheless, we made it… and of course, we were stiff-legged for much of the evening.

Night soon approached, and we gathered around the campfire for another night of bad jokes, stories and other discussions. This of course presented an opportunity to experiment with trying to photograph the flames. Long-exposure photography is an interesting challenge, and one that can give rise to some nice effects when done right, especially with things like flames and waterfalls.

Day 3 started out with the usual sharing of easter eggs… being Easter Sunday. Cereal and chockies for brekky… Eggcelent! Then came the decision of what to do for the day. We weren’t in the mood for a long walk, however there are quite a few tourist spots around to look at, and a few of us had hatched up the idea of doing the Queen Mary Falls walk this day. It certainly sounded better than just laying around. So while the more adventurous (masochistic) ones tackled Wilson’s Peak, the rest of us piled into a few cars and checked out the local sites.

First stop, was Queen Mary Falls (left). There was a little traffic on the path with various other bushwalkers checking out the place, but it was an easy going, graded bitumen path, a stark contrast to yesterday’s walk. I managed to get a few shots of the falls, which weren’t looking at their best due to the dry weather lately. Nonetheless, it was a pleasant walk, well worth the trip.

Along the way we stopped at another lookout, this time for Daggs Falls (far right), and yes, another snap of the falls… there was also a rather interesting monument erected for Samuel and Mary Young, who owned land which included the reserve (inner right).

Further down the road, we looked at Brown’s Falls (left). Again, quite a bit of traffic on the track, but once we got there, it was quite a nice spot. There was some opportunity for photography on the way, with a moth spotted on the way to the falls, and a couple of birds (feathered) spotted on the return (right).

The remainder of the day’s activities were decided over Devonshire tea & scones before lunch. The general consensus was to have a look at the Condamine Gorge. There was no set-up walking path or lookout for this, basically we were walking on private property. We set off from the campsite on-foot after lunch, and soon arrived at the cliff overlooking the gorge. There weren’t that many opportunities for photos, since much of the view was obscured by trees — and none of us were willing to get close enough to the edge to avoid them.

Whilst the views were glorious despite the obstructions, we did manage to get a few snapshots. We also discovered an echidna (right), unsuccessfully trying to remain hidden under a fallen branch. On the return, we also startled a wallaby which took off at high speed — needless to say I wasn’t quick enough with the camera.

That evening, we discussed the day’s events. For us, it had been windy pretty much the entire day except for when we were in the gorge checking out the waterfalls. We were surprised to learn that the more adventurous group on Wilson’s Peak had enjoyed practically no wind, and glorious views from the top. That said, a lot of the people on that trek were quite keen bushwalkers, and thus someone like myself would likely find themselves way behind the others.

Weather-wise, we had a pretty good trip… but of course, rule no. 1 when camping: it always rains the day you wish to leave. We had some rain overnight, and in the morning on Day 4, cloud descended over the camp (left). To add to this, it also rained a bit that morning… just to make sure. The weather held long enough for us to get everything packed away, but we wound up having to stuff the tent in the car damp — it is presently stretched out in our garage drying out. That said, it was bright sunshine by the time we pulled into Boonah, and the drive home was uneventful.

I didn’t take as many photos as I have on previous journeys, however it was a great trip, and a place I’d be keen to visit in the future. Trips of the entire camp can be viewed on my gallery site.

E.T. Phone Home

Sunday, March 25th, 2007

I just had a rather amusing email… two in fact, come right out of the blue. Not from a relative or friend… but from a webapp.

A few years ago, I developed a very simple and crude webapp called LANPlanner. It was dodgy, it had lots of rough edges, it was coded in about 15 minutes flat in PHP and MySQL… I suspect there are probably some SQL injection bugs somewhere in it, as I was still quite a novice at that time.

Just a moment ago, I got the following email (names censored to protect the guilty)

Date: Sun, 25 Mar 2007 23:14:33 +1000
Subject: Daily Confirmation Status for event "Bradley Lan"
To: user@host.com.au
From: LanPlanner Service at localhost
Cc: XXXX@longlandclan.hopto.org (my email address)

Hi Some One,
This is the current RSVP status for "Bradley Lan".

-------------------- Confirmed as comming:

-------------------- Unconfirmed:

- Some One  is bringing 1 person/people.  (09:52 remaining to confirm)
- Some One  is bringing 1 person/people.  (09:59 remaining to confirm)

I’m amazed there are people still using this webapp. E.T. phone home indeed.

Request for Comments: Challenge-Response Digest Authentication for webapps?

Saturday, March 24th, 2007

Hi All…

I know many of you are in the web development and security arenas… I figured I’d throw this idea up for everyone to have a look at.

Authenticating users on a website can be quite a challenge at times.  Sometimes, HTTP Basic authentication is all that’s required, re-sending the password with each request.  But the problem with this is that someone can intercept the username and password, and thus knows everything needed to establish a new session.

HTTP Digest authentication is good, but MD5 isn’t as strong as other hashing algorithms available, and more importantly, it assumes the server knows the exact password.  But what if you’re hashing the password?  Also, this doesn’t necessarily solve the issue of session hijacking.

Thus what I have come up with, is “Challenge-Response Digest Authentication”.  My rationale for this method of authentication and session management is as follows:

  1. Remove the need for the cleartext password to be stored or transmitted.  Using CRDA, only the hash of the password needs to be stored.
  2. The remote user still needs to demonstrate knowledge of the password (or rather, its hash)
  3. Various aspects of the client, such as the IP address and user agent, are used when generating the hash, making session hijacking more difficult.

So, how does this actually work?  Well, in a web application scenario, it requires JavaScript on the client side to implement the hashing algorithm (in my case, I’ve settled on SHA1).  The initial authentication phase works as follows:

  1. Remote client makes a request to log in by requesting the login form.
  2. The server generates a session ID, which is the hash of the following (in this order):
    • IP Address of client (from the server’s perspective)
    • Client User Agent
    • A random salt string
  3. The server responds by sending back the requested form.  Included on the page, in the JavaScript code, are values for a random salt and the IP address of the client.  A cookie containing the session ID could also be included — or on more advanced clients, could be determined by the client.
  4. On submitting the form, client side JavaScript takes the information provided, and generates a hash of the following data (in this order):
    • IP Address of client
    • User Agent in use
    • The random salt given
    • The username
    • The hash of the password

    The cookie generated earlier is passed back to the server as well so it can look up the salt value.

  5. The server receives the session ID (via cookie) as well as the username and response (via HTTP POST), looks up the salt for that session ID, then checks the following:
    • The session ID is valid for the given IP and user agent
    • The response is valid

If successful, the server generates a random nonce value, and passes this back to the client.  The session key to be used from this point forward, is the hash of the following information:

  • IP Address
  • User Agent
  • Random Salt
  • Nonce value

The nonce is then updated at regular intervals.  On an intelligent client, the raw nonce value could be passed back right at the start, and stored — the client incrementing it when told by the server.  On a simpler client, the key may get passed back and forward.

For each request after this initial authentication step, a cookie should be passed to the server containing the following string: “SessionID:SessionKey”.
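The exchange described above, simulated end to end in Node.js as an added example (it is not the proof-of-concept webapp mentioned in this post). The newline field separator, SHA1(password) as the stored hash, and every function name and sample value are assumptions; the last result shows that the response can be computed from the stored hash alone, so that hash needs the same protection as a password.

```javascript
// Added example: CRDA login exchange, server and client simulated in one process.
const crypto = require("node:crypto");

// Assumption: fields are joined with "\n" before hashing; the post fixes only their order.
const sha1 = (...parts) =>
  crypto.createHash("sha1").update(parts.join("\n"), "utf8").digest("hex");

// Constant-time comparison of two strings of hex digits.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server state. The account is constructed sample data; only SHA1(password) is stored.
const users = new Map([["alice", sha1("correct horse")]]);
const sessions = new Map(); // sessionId -> { salt, nonce, user }

// Steps 1-3: server derives the session ID and sends salt + observed IP with the form.
function serverStartLogin(ip, userAgent) {
  const salt = crypto.randomBytes(16).toString("hex");
  const sessionId = sha1(ip, userAgent, salt);
  sessions.set(sessionId, { salt, nonce: null, user: null });
  return { sessionId, salt, ip };
}

// Step 4: the page's script hashes the password locally, then builds the response.
function clientResponse(form, userAgent, username, password) {
  return responseFromStoredHash(form, userAgent, username, sha1(password));
}

// The response depends on the password only through its hash.
function responseFromStoredHash(form, userAgent, username, passwordHash) {
  return sha1(form.ip, userAgent, form.salt, username, passwordHash);
}

// Step 5: server checks the session binding and the response, then issues the nonce.
function serverFinishLogin(sessionId, ip, userAgent, username, response) {
  const s = sessions.get(sessionId);
  if (!s || !safeEqual(sha1(ip, userAgent, s.salt), sessionId)) return null;
  const stored = users.get(username);
  if (!stored) return null;
  if (!safeEqual(sha1(ip, userAgent, s.salt, username, stored), response)) return null;
  s.nonce = crypto.randomBytes(16).toString("hex");
  s.user = username;
  return { nonce: s.nonce };
}

// Cookie for later requests: "SessionID:SessionKey".
function sessionCookie(form, userAgent, nonce) {
  return `${form.sessionId}:${sha1(form.ip, userAgent, form.salt, nonce)}`;
}

// Server recomputes the key from the address and user agent it sees on this request.
function serverCheckCookie(cookie, ip, userAgent) {
  const [sessionId, key] = String(cookie).split(":");
  const s = sessions.get(sessionId);
  if (!s || !s.user || !key) return null;
  if (!safeEqual(sha1(ip, userAgent, s.salt), sessionId)) return null;
  return safeEqual(sha1(ip, userAgent, s.salt, s.nonce), key) ? s.user : null;
}

// Walk through one good login and three checks (addresses and agent are constructed).
function demo() {
  const ua = "ExampleBrowser/1.0", ip = "203.0.113.7";
  const form = serverStartLogin(ip, ua);
  const login = serverFinishLogin(form.sessionId, ip, ua, "alice",
    clientResponse(form, ua, "alice", "correct horse"));
  const cookie = sessionCookie(form, ua, login.nonce);
  const form2 = serverStartLogin(ip, ua);
  const form3 = serverStartLogin(ip, ua);
  return {
    sameClient: serverCheckCookie(cookie, ip, ua),
    otherAddress: serverCheckCookie(cookie, "198.51.100.9", ua),
    wrongPassword: serverFinishLogin(form2.sessionId, ip, ua, "alice",
      clientResponse(form2, ua, "alice", "wrong guess")),
    storedHashSuffices: serverFinishLogin(form3.sessionId, ip, ua, "alice",
      responseFromStoredHash(form3, ua, "alice", users.get("alice"))) !== null,
  };
}

console.log(demo());
```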

Anyways… those are my ideas.  I know there are problems with this; most notably, the effectiveness of hashing when you hash something twice.  I know that SHA1 is less effective in this instance — but the question is, how much less effective?  I figure it’s not really enough to be worried about, but then again, I know there are people who work in this field, and thus will know more about it than me.

I’m still tinkering at this stage, I’ve got a small proof-of-concept webapp going that utilises this scheme at a basic level, and I’ll keep poking at it for now, but I’d be interested in hearing other people’s thoughts on whether this would be effective against preventing session hijacking and keeping a site secure.

Damn it, make up your minds!

Saturday, March 17th, 2007

Financial types wonder why we simple folk find the stock market confusing… Well… it’s little wonder when organisations like Kitco make confusing statements like this…

Stock Market Confusion

Hmmm… yes fellas, make up your minds. ;-)

Sanity Break

Sunday, March 11th, 2007

Hi All…

At the moment, stresses are running high.  Exactly why, I’m not sure, but it seems everyone is on edge.  And I don’t just mean the Gentoo Development community — I mean elsewhere too.  Everyone seems to be edgy for reasons I cannot fathom.

I’m not going to speculate about what could be causing this stress… I know in my case, the tense atmosphere has had an impact.  I’m nowhere near the point of doing anything irrational like suicide (I know this will create more problems than it will solve), but I am noticing that I’m not in my usual “stable” mental state.  I think in my case, there are a few factors in play…

  • At university, I’m doing a subject entitled “Core Project Initiation”, which heavily depends on groupwork.  We have to form groups of 5 people or so, choose a project, find a project supervisor (typically other lecturers at QUT), then work towards implementing a prototype.  The first assessment item, is due this Friday, and more or less requires the group to be formed.  After having two attempts at forming a group fail, I’ve been in contact with the lecturers and am in urgent need to get into a group.  Basically, if by Wednesday, I’m not in a group — I’ll pull out of the subject, it’s just not going to be viable for me to continue.
  • Last semester was rather stressful, having had two major stuffups by the university (in one case, a lost exam paper; in a second, a breach of examination procedure), and winding up failing a telecommunications subject for seemingly unknown reasons.  A total lack of feedback was a big factor — there was nothing to suggest I was offtrack, yet, I got a 2 (7-point scale) as my grade for the subject in question.
  • I’m still looking around for work.  I’m quite conscious that I’m basically living out of my father’s back pocket — have been for some time now.  This has been playing on my mind a lot lately.  I know that without any work, I can forget passing my degree, I can forget moving out of home at some point.  And luxuries like attending LCA2008 are definitely out of the question.  I’ve applied to several positions over the last few months without success.
  • The weather has been rather hot and humid lately, enough to shorten the fuses of most people.  Add to that the fact that Brisbane (like much of Australia) is in drought, and that the dam levels are dropping to alarmingly low levels.
  • Then there’s the censorship debate that’s been raging on for the past fortnight on both gentoo-dev and gentoo-core.

Some of these problems are aggravated by communications issues stemming from my Asperger’s Syndrome.  Stress is not something I handle well, with depression being quite common in such circumstances.  I’m in the happy position that I haven’t needed any medication to keep things under control however — I intend to keep things that way if I can.  Right now, I’ve just detected abnormalities in my behaviour, and thus know something is up.
At this point, I’m certainly not planning on resigning from Gentoo.  My builds for MIPS1 (little endian) are progressing, having just started Stage 2 this evening.  There’s no major issues to deal with at this time, and I hope to have these out soon.  I’ve also picked a fight with µClibc trying to bash out updated stages — managed to mess something up rather badly there, but I’ll hopefully get that straightened out and have some netboot images for you.

Presently, I’ve got stuff in my personal life that needs my attention first.  Thus, I’ll be “away” for the next fortnight whilst things settle down locally.  I’ll be contactable by email, and may be on IRC sporadically — but I don’t expect to be doing a hell of a lot.  I need some time to reduce some of the external pressure, get myself mentally ontrack again.  Hopefully when I return, not only will things have calmed down around here, but people within Gentoo, and perhaps others globally, might have settled down too.

In short, I’ll be around, just laying low for a while.

Alcatel-Lucent sue over MP3 Patent Infringement

Friday, February 23rd, 2007

A federal jury in San Diego has ordered Microsoft to pay $1.5 billion to Alcatel-Lucent in a patent dispute over MP3 audio technology used in Windows.

In its verdict, the jury assessed damages based on each Windows PC sold since May 2003. The case could have broader implications, should Alcatel-Lucent pursue claims against other companies that use the widespread MP3 technology.

http://news.zdnet.com/2100-3513_22-6161480.html

Ouch… See Microsoft?  This is why we use Vorbis. :-)

Gentoo/MIPS Cobalt: n32 Stages just a little closer to reality…

Wednesday, September 27th, 2006

Hi All…

Yep, I dusted off my n32 chroot again this morning (it’s 1:22am as I type this), determined to talk some sense into Portage. I figured I’d give it one last time before I invested the time into trying out Paludis (which I may still do yet, I’m hearing lots of good things about it).

So, what’s been holding me up? Well, the issue has been this nagging bug that I couldn’t figure out. Cobalt doesn’t have any n32 stages, let alone NPTL n32 stages. For the most part, I was able to nick the settings out of default-linux/mips/2006.1/generic-be/n32/* copying this into the default-linux/mips/2006.1/cobalt/ directory, and replacing mips64 with mips64el in the CHOST variable.

This worked quite well, but there was still one nagging issue that cropped up when trying to compile various packages, particularly portage itself:

These are the packages that would be merged, in order:

Calculating dependencies... done!
Traceback (most recent call last):
  File "/usr/bin/emerge", line 3316, in ?
    mydepgraph.display(mydepgraph.altlist())
  File "/usr/bin/emerge", line 1650, in display
    verboseadd += create_use_string(key.upper(), cur_iuse_map[key], cur_use_map[key],
KeyError: 'elibc'

On further investigation, I noticed that on all the working environments, there was a USE-expand flag: elibc_glibc. This is supposedly set in the base profile, but for whatever reason, my sub-profile transplant seems to have lopped this flag off. Portage would see this, and b0rk when it didn’t know which libc to use. Thus, I tried something… I hacked around it by setting USE="elibc_glibc" in /etc/make.conf then gave it another try. Sure enough, emerge --info now listed the elusive USE flag, and packages started compiling once more.

Right now, I’m rebuilding all the system packages in my chroot (which also has lib64 stuff floating in it). This will hopefully get me to the point of producing a first seed-stage for Catalyst, and will allow stagebuilds to be done for n32 at long last. As for n64? Well, time will tell… it’s certainly a possibility. I’d like to first discover why this USE flag is getting dropped… as setting it in make.conf is not an acceptable workaround IMHO, but it’s better than nothing.

I shall keep you all posted on my progress. :-)