Richi's blog

Category: Uncategorized

  • let’s encrypt

    I never bought a commercial grade SSL certificate for my private website, but I used free ones before. Usually from startssl. While it worked, the process was cumbersome. And then when I wanted to renew, my browser showed a warning that their own certificate was out of order.

    When the letsencrypt initiative (supported by mozilla and the electronic frontier foundation) announced it’s goal to make website encryption easier available we all cheered. Last week I finally received an eMail stating my domain was readily white-listed in the beta program. So I took some time and followed their process. It was not always self explanatory, but the ncurses program offered some help. Within a couple of minutes, I had a certificate ready to use. The only thing I did not like, was that if the process transmitted my private key to the server, there was no way of noticing other than actually read the code. I don’t think it did, but I prefer to be certain about these things.

    To have my website protected, all I had to do was adding the file location that the utility program provided to the apache site configuration.

    Now the bigger work was moving everything to my new server and adapt all the URL’s. Moving the blog was already more work than I expected. It was not a simple export and import. First I had to get the wordpress importer plugin working. The media files are not included in the exported file, and have to be moved manually. Some older blog posts still referenced the old gallery which I wanted to replace with piwigo for a while. So in addition to moving the piwigo gallery, I also had to move lots of photos from the old gallery, and adjust the references in the blog.

    Some web apps are not moved yet and will follow. Finally I plan to redirect all http addresses to https.

    On the nice side, I could use the new certificate to secure my new email server. I can’t remember when was the first time, but about once every two years I attempted to set up my own email server in the past. Setting up a web server is much simpler. But with the mail servers there was always some problem left that left me not confident enough to really use it. But this time I found a good tutorial that actually worked. It’s geard towards a raspberrypi running raspbian, but worked just fine on my nuc running ubuntu.

  • an exact clock for a vintage car

    Since I drive my vintage XJS not too often, I disconnect the battery. This is to prevent if from going flat before I want to use it the next time. Of course it would be better to install a special charger for classic cars. But there is no outlet in the underground car park. The car starts when I want to use it, so one could say: mission accomplished. If only there was no clock in the dashboard.  It doesn’t run when the battery is disconnected. Having to adjust the clock every time is not the solution I was looking for.

    My first idea was to get a DFC77 radio clock with hands, and put it inside the case of the original dash clock. All the clocks that had hands were too big to fit into the case. So I ordered a small module with an LCD. The problem was that it had good reception at home, but not inside the car. The long waves seem to have a hard time penetrating the Faraday cage of the car body.

    The next option that delivers exact time over the air is GPS. So I ordered a cheap GPS receiver from China, and built a prototype with an AtMega microcontroller and a small OLED. The prototype kind of worked, but after the first drive, the GPS module failed completely. So I ordered a better one from an AdaFruit reseller in Switzerland. This module still works very well, but I found out the hard way that it needs a very clean power source. The next problem were random failures and reboots of the micro controller. This turned out to be caused by memory overruns. They are harder to detect on a micro controller  than on a regular computer. The display needs a framebuffer in RAM, and for the GPS I need enough space to store and parse the full NMEA sentences. I tried to reuse and re-initialize the same memory for every reading, but that didn’t work out. Neither didn’t I find a similar controller with more RAM. If I was going to produce a number of devices I would for sure use a better controller, but as it is a one off prototype, I just used two AtMegas. One for the display, and one for the GPS.

    GPS has no reception in tunnels and underground parking garages. So I planned to implement a simple counter that just increases the time when GPS reception was lost. But then I decided it was not important enough. Instead I wanted to proceed, and have the device ready in the car. But I couldn’t resist to display a leaper for when there is not reception.

    In a classic car, everything should be in original condition, so I didn’t want to destroy the original clock. Instead I was looking to buy a used clock that didn’t have to be in working condition. The ones I found in Switzerland were too pricey for only the case. So I found one on ebay for £22 that was shipped from the UK.

    The problem that remains is that the OLED sometimes initializes with a random dot pattern and stays that way until the next power cycle. It happened more when I had it connected directly to the main battery. But since I connected it the the dash back light, it never happened again. So maybe it is important how fast the voltage increases when power is switched on.

    As usual, the code is on github.

    image20150625_202655132 image20150625_201613328 IMG_2636 IMG_2638

  • the infinity mirror

    Lately while browsing through thinkgeek, I stumbled upon the infinite dungeon corridor. It looks cool, but they still have no affordable shipping options. That got me thinking that it should be possible to make an infinite mirror with the kids. It didn’t take long to find a recipe for how to go about it. Finding a mirror was easy, but regular window glass is a bit harder these days. The first try was with plexiglass that I had laying around. The effect was really bad, because it had a matt finish. When I asked for real glass, I got security glass. Trying to cut it to the right size, it disintegrated into a thousand tiny parts. So it was plexiglass again, this time with clear finish. I also was not sure about the window film. I bought the film that is used to taint the car windows. An LED stripe was readily available and waiting for a new purpose.

    The kids were involved in all construction steps. Cutting the wood for the case, drilling, screwing, sawing, cutting the mirror, tacking the LED stripe … But one thing was entirely up to them: Usually those infinite mirrors have the two windows relatively close. But to be in the style of the dungeon corridor, I created the case with some room where the kids could paint what should look like the walls of a castle.

    The effect is not as good as we would have liked it to be. I’m not sure if it is because of the plexiglass, the increased distance or the wrong type of window film. But it works, and was fun to construct. Most importantly the kids learned not just how to construct such a thing, but also about optical illusions, and how light behaves.

    IMG_2639 IMG_2647

  • Targeted advertising

    It was about two months ago when I first noticed an advertisement on some random web page that contained an image of a vintage Jaguar XJS. It was not exactly the same model as I have, but very close. Judging form the bumpers and trims it also seems to be a HE (High Efficiency), as the second series was called. But the wheels are different. The advertisement was for an online auction platform for cars. I immediately assumed it must me a targeted ad. I was impressed that they must be able to dynamically select the type of car they want to show. How many polished pictures would they have readily prepared?

    Last week, the same advertisement appeared in the printed edition of 20min, the largest free commuter newspaper in Switzerland. Now this could not be targeted any more…

    2015_09_20minRicardoXJSWerbung

  • ScroogeCoin

    After a long pause, I just started attending a MOOC again. It’s on Coursera, from Princeton and it’s about BitCoin. In one of the first lectures the teacher goes through some simple hypothetical digital coin concepts. I don’t know if the lectures are publicly available piecewise, but as a whole they are at youtube. Jump to minute 50 for scroogecoin.

    Name property problem
    GoofyCoin signed receipts double spend
    ScroogeCoin centralized blocks corruption
    BitCoin fully decentralized solved

     

    ScroogeCoin reminds me a lot of the blockchain projects a lot of big financial institutions announced over the last few months. They talk about permissioned blockchains. That sounds like exclusive access and centralized control. BitCoins inclusiveness is one of the important characteristics, and I hope enough people recognise it as such.

    BlockChain

  • When VISA doesn’t work

    I used to order stuff from dealextreme on a regular basis over the last few years. Like many other customers I asked them to accept BitCoin payments. But that didn’t happen so far. So we are left with the payment options from the last century for the time being. It used to work acceptably so far … until about a month ago, when my payments suddenly started being declined. The same VISA debit card used to work with dx before, and it remains working with other merchants. Of course I checked the balance. I dont keep much more on that account than I expect to need in the short term. But $250 should suffice for a $200 order, so the problem has to be somewhere else.

    Dx states it on their page unmistakeably that all payment problems are not their fault, and that people should consult with their issuing bank. So I contacted them first. They couldn’t find anything about the declines in their logs:

    There are no transaction attempts on your card for the merchant
https://eud.dx.com, not on July 27th or after.
In those days I can see transactions at merchants X, Y, Z - which all
look like they are still pending and waiting to be completed
(a few months ago we updated our payment processing system to
adhere to settlement standards).

For some reason it looks like the payment authorization never reached Us..
When a payment takes place (when you use your card), what happens
first is that the merchant informs Visa, Visa then informs our card
issuer, and the card issuer informs us about a new transaction on
your card. We then hold the corresponding funds from your wallet.
Then a few days later, the merchant settles the transaction
(ie. broadcasts to the network whether the transaction was
completed or not), and we use that information to complete your
transaction. What is strange is that the authorization for your
purchase at https://eud.dx.com either never reached Us, or never
left the merchant's system.

Because you've been able to use your card in the past few days,
I'll dare to say that there's nothing wrong with your card - rather
it seems like a glitch with this particular merchant.

    So I asked the card processing intermediary. They had no means of secure communication. I found it hard to believe that a financial institution can only communicate with their customers over unencrypted cleartext eMail.  However, I got similar results:

    Please be informed that we could not find any decline on your card at our end,
which means it could be an issue with merchant end.
We request you to check with the merchant regarding this.

    Finally I went back to dx and got this answer:

    sorry for that.
but our related staff told us your bank reject the payment.
that is not our problem.

    From all I learned so far, it seems like VISA is the problem here. But I don’t have a contact or a direct relationship with VISA. It is routed over shady ways through an unknown number of intermediaries. The best explanation that I can come up with is that the transactions triggered some kind of fraud alert and were thus blocked. Is that how they deal with the lack of a secure system? They just randomly block transactions! With no way of recurse, such false positives are really annoying for their customers.

    So what do I learn from this? When there are too many intermediaries in the loop, there are more chances for errors and errors are harder to find, let alone fix. With BitCoin, there are no middlemen and a lot less things that could go wrong. I have been using BitCoin whenever possible for the last four years. Nothing alike ever happened with BitCoin, in fact this would be unimaginable with a peer to peer blockchain system. I’m really looking forward to leave all those ancient  payment methods behind…

    Ironically, I read this story the same day I got the last answer from dx.

  • Verifying downloads

    Last week I stumbled across a post from last year, where somebody described how it was impossible to download an important infrastructure program securely on Windows. My first reaction was of course to pity the poor souls that are still stuck with Windows. How easy is it to just type apt-get install and have all the downloading and validation and installation conveniently handled for you.

    Today I was going to set up my new server. First I downloaded the current iso file from ubuntu.com. Before installing it onto an USB stick, I thought about this blog post again. Actually I should validate this ISO! I knew before, but I usually didn’t bother. So I gave it a try. I had to search a bit for it on the download page. The easiest is if you manually pick a mirror. Then you will find the hash sum files in the index page. Some websites along the way were encrypted, others were not. The downloads themselves were not. But that didn’t matter since the hashes were GPG signed. I don’t have to do this all too often, so I  just followed the community howto. My downloaded iso file was valid, so I moved on installing it.

    The hardware is actually from computer-discount.ch. For quite some time I was searching for ways to buy computer equipment with BitCoin. The American big name tech companies that accept BitCoin either do it only outside of central Europe, or don’t deliver here. So I was quite excited to find this company from Ticino. The experience so far is very good.

  • How much luggage fits into a vintage grand tourer?

    Our camper has an engine problem, so we had to look for alternatives for this years summer holiday. We looked at last minute offers, but bringing all our own food to Greece didn’t seem like such a good plan. The kids wanted to sleep in a tent anyway, so we went to Tenero in the Italian speaking part of Switzerland. We were too hesitant to look for a camp in Italy after spending a night on a horribly disgusting camping in Porlezza a few years ago. With the camper, the space for luggage was never really a problem, but this time everything had to fit inside the Jag. I told my wive to pack only the most necessary things. Men and wimen have different standards as to what is important to bring on a holiday and so I ended up squeezing all this into the small car:

    • two adults and two children
    • a four person tent
    • a foldable camping table with seats
    • a foldable camping grill
    • sleeping bags and camping mattresses for all of us
    • a giant and a regular suitcase
    • four small backpacks and a regular sports bag
    • a small body surf board
    • a box with dishes and cutlery
    • ten liters of water and a bag with food
    		 →

    This was actually the first holiday in 13 years where I didn’t bring my paraglider. But  after the impressive list above, there was just no more room left in the car.

    The camping in Tenero was great. It was clean by my wive’s standard which is quite an accomplishment. The camping has a sandy beach to the lake which was also clean and had perfect temperature.

    Being so close to the famous hydroelectric dam where James Bond jumped from, we had to visit the Verzasca valley. The water and the stones were marvellous. But it was very hot for hiking.

  • connecting home securely

    It has been probably close to a decade that I run a small server at home. At first it was only because I could not find a web hosting company that would serve my fcgi libwt apps at an affordable price. Then I added this blog to it. In the meantime I added a lot of other stuff as well. One of the more important things became ssh. Not only for remote shell sessions, but also for securely copying files and tunneling. In fact I use ssh tunnels instead of a more traditional VPN.

    Discovery

    Static IP addresses are expensive in Switzerland. So I used dyndns from the start. At first the free offering, and then switched to a paid plan long before they discontinued the free offering. Just last week I received a note that they grabed the annual fee from my (scheduled to be deactivated) credit card. Generally I strongly dislike services that automatically grab money from my accounts. They didn’t even mention that the fee doubled. That’s one side of the story, the other is that dyndns is an American company. They could take my domain name hostage without even telling me.  So there has to be a better alternative. In fact there is one. It’s good technology wise, but not generally available to the unintroduced yet.

    DyName for namecoin

    I wrote about namecoin in a previous blog post. One of its main uses is a censorship resistant domain name registration. And the simple python script from DyName is to namecoin what dyndns and ddclient are to traditional domain names. Just prepare your registered name to include a dd entry, edit your config file, and call the script periodically from cron. That way you separate the private key where your name is registered from the hot wallet on the server. My provider used to reassign new ip addresses more frequently, now it’s about once every two months I would guess. The transition with namecoin was very smooth the last two times. I have a script that queries namecoin for the current ip address and then connects. There are dns resolvers and browser plugins or even public dns servers that would resolve namecoin domains. My experience with them was not as smooth as with the namecoin core itself. But I’m sure these parts will improve as well. So, with namecoin we have high confidence, that the ip address is correct that we are connecting to, but it can’t protect against man in the middle attacks. SSH has means to protect from that. The ssh client has a list of known ip addresses or host names and corresponding key fingerprints. But after an ip address change, there is no entry for the new destination, so ssh prints an error message and refuses to connect until you accept to add a new entry to your known_hosts file.

    ssh known hosts

    When you search for the error with your preferred search engine, you’ll find advices to delete offending lines in your known_hosts file. This of course is not what we need here. Just accepting to add a new entry the next time you connect would circumvent the protection against MITM that ssh provides. Since we already have the key fingerprint from the previous address, there is another more secure solution. If you have only one entry in your known_hosts file, you can skip the next few lines. Maybe you know which fingerprint is valid, for example because the file already contains a couple of lines with the same key fingerprint because the ip address changed a couple of times, and you just accepted it.

    If you are not sure, which fingerprint you need, ask the server what it provides:

    $ ssh-keyscan 85.3.164.135
# 85.3.164.135 SSH-2.0-OpenSSH_6.7p1 Ubuntu-5ubuntu1
85.3.164.135 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE7WE5vtqSxUnQRX5CjOzEzUAdewqHRV5MXcSCQcylcKanpnDHRE4yVlEn770MFP6EfJ61ukdNYMDnSO9eoRiZY=

    Now search for this fingerprint in your known_hosts file, and copy the whole line. On the new line, you replace the first hash with the actual new ip address in clear text. You could leave it like that, but you can also hash it with the following command.

    $ ssh-keygen -H -f ~/.ssh/known_hosts

    After writing all this I started wondering if it would be possible to keep the host key on an external hardware device like a NitroKey or a YubiKey. I already keep my client key for authenticating to the ssh server on one of these.  That’s something to find out in a future post maybe.

  • ubuntu phone will be great, but it is not yet

    The BQ Aquaris ubuntu phone that I waited for so eagerly was delivered today. Full of anticipation I unpacked it and switched it on. After playing with it for a while the excitement turned into dissatisfaction. I hate to say it, but on a phone the solid base and polished user experience is not enough, some basic functionality is required as well. Rough edges are much harder to work around on a phone than on a computer with a regular keyboard. Let’s face it, most people who opt for ubuntu phone want to some degree escape the freedom hating ecosystems prevalent on the big platforms. Yet instead of welcoming users with freedom loving functionality, the phone is loaded with Google, Facebook and Twitter apps.
    As long as you don’t expect anything from it, it’s a pleasant experience. Knowing that it’s based on debian packages gives me great comfort. The touch interface and the settings dialogs are very nice. Yet it is lacking basic PIM and email functionality.

    Phone

    Nowadays one could consider the phone functionality not the most important part of a smartphone anymore. I first had to have my SIM card cut to the smaller form factor. Text messages seem to work nicely. Phone calls work fine. MMS messages were automatically configured to look up on a website by the carrier. I don’t know if the phone would support them propperly, but that’s a feature that I rarely use anyway.

    Contacts

    When opening the contacts app, I was greeted with the question if I wanted to sync with Google. Hell no! If I did, I would have stayed with Android. But that seems to be the only option other than having a standalone address book and typing in everything by hand. I could not find an option to sync my CardDAV address book. Lots of people complained badly about this, so it got medium priority. There is a complicated workaround using evolution sync. That way I got my address book synced from the commandline. An entry in crontab keeps it synced.

    Calendar

    Basically the same as contacts, except that the calendar app was not pre-installed and had to be fetched from the app store. I configured syncevolution from the commandline the same way as the address book, including crontab. But the calendar does not properly synchronize. It pushes appointments I create on the phone. But it doesn’t fetch them from the server. I will have to do some more debugging here.

    Email

    There doesn’t seem to be a standard email client. Instead it ships with a GMail app. People complained that there was no IMAP support whatsoever. At least I could find an email client in the app store called Dekko. The bad thing however is that instead of connecting to the email server it just hangs for an hour. When I try it without encryption, it appears to work. I can send mails, but it won’t fetch them. Another IMAP account works well, just not the one that is most important for me. Mails from my main account were fetched exactly once. Before and after that, all I get is the following error message: “Too many invalid IMAP commands”
    Update: It took some manual editing of the config file to get it finally working.  Now I’m looking forward to support for notificatoin about new mails, but that is less important in comparison.

    Bluetooth

    Connecting to the Jabra headphones was simple as always, and the sound quality is good. But I didn’t manage to connect any of the four bluetooth keyboards I tried. Also the yubikey does not work as an external keyboard, so at first I thought it might be a general HID problem. But when I connect a USB keyboard, that works.

    BitCoin

    The BitCoin client from the app store is not usable for real life. It doesn’t work with qr codes, and has no key backup functionality. I can work around the missing key backup, by manually copying the file “/home/phablet/.local/share/org.sambull.bitcoin-app/ubc.wallet” to a safe place, but qr code reading is really a must. Even if there was a qr reader app, pasting in the bitcoin app is missing.  I might have to resort to a web wallet for some time.
    There is a webapp for coinbase already in the store, so I tried this one first. I can scan the qr code from out of the browser by automatically launching the camera app. The picture is then uploaded to the server for the qr code reading. This seems to be common practice, but of course it is way inferior to having an app where you can move your camera until it successfully reads the qr code. But after I enter the amount and click “next”, I get a white screen, and the web app won’t respond any more. A coinbase support representative told me he had the same with safari mobile, and using the back button helped. There is no back button in the webapp, so I tried it in the browser. “Back” landed me on another white page, and “forward” led to an error message.
    The next web wallet I tried was xapo. Since I use their debit card, it would be convenient. But their send page has no qr functionality.
    So I moved on to greenaddress. I almost succeeded. If it wasn’t due to the defunct email. They sent me a 2FA code to my main email address, which unfortunately doesn’t work on the phone yet.

    XBMC remote control

    I was releaved to find more than one XBMC remote in the app store, and some are even better than what I had on Android.

    News

    The rss reader and the news scope make for a pleasant appearance. They find my preferred rss feeds without needing the exact URL For podcasts, I had to install PodBird. It works fine for audio podcasts. It also downloads video files, but won’t play them.

    Apps

    I seem to remember that they planned to be able to run android apps on ubuntu phone. But it appears those plans were abandoned a long time ago. Hence naturally for a new platform the selection of available apps is very sparse. Seems I will have to live without some apps I used frequently on Android such as SBB, 20min, MeteoSwiss… All this information and functionality is also available on the respective websites. The apps are just more convenient.

    APT

    Part of the reason why I wanted a ubuntu phone is the underlying debian package system. I maintained an ubuntu chroot system image on my android phone so that I could perform some tasks on a full blown shell. But it always was quirky at some points and a second class citizen all along. So I wanted the ubuntu shell to be a first class citizen. Indeed you can start a terminal which behaves very well. The keyboard is missing tab and arrow keys though. You have access to apt, or so it seems at first. when you actually want to install something you see error messages about some lock files. To get around that, one needs to enable developer mode in the phone settings and remount the root file system as readwrite. But then came something disturbing:

    $sudo mount -o remount,rw /
$sudo apt-get update
$sudo apt-get install git tig nmap htop pcsc-tools gpgsm gnupg-agent
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Package git is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'git' has no installation candidate
E: Paket tig kann nicht gefunden werden.
E: Paket nmap kann nicht gefunden werden.
E: Paket htop kann nicht gefunden werden.
E: Paket pcsc-tools kann nicht gefunden werden.

    WTF is going on here! A repository that is missing crucial packages? Mixing repositories with ubuntu propper is probably not a great idea. I don’t know yet what to do about that.
    People on IRC confirmed that rather than changing the root filesystem, it’s better to have a chroot of ubuntu proper for the additional tools. This is what I had on android and hoped it would no longer be necessary on ubuntu phone.

    GPG

    gpg and gpg-agent were already installed. Udev is running as well. So after adding an udev rule and configuring the gpg-agent, I was able to use my YubiKey neo in OpenPGP mode for ssh authentication and similar tasks. This is great news, as it was one of the soar points with my old phone.

    GPS

    The phone comes with a mapping app pre installed. It looks decent, if finds the addresses, displays maps and calculates routes, everything online as it appears. What it does not however, is displaying the current position, which is crucial if you want to use it for navigation. On the internet I found people claiming that the GPS on the Aquarius doesn’t work at all, or very badly. There is some commandline program for analyzing GPS reception, which I plan to try.
    Update: The utility confirmed that the GPS is not able to get a fix, not even on a mountain with clear sky.

    SPOT Connect

    The SPOT Connect is a satellite messenger that I use for cross country paragliding. In contrast to other live tracking systems it also works in areas without GSM reception, as it transmits the current location directly to the GlobalStar satellite network. They have an app to control it for Android and iOS, but not yet for ubuntu. I told them two years ago that it would be nice to be able to start tracking on the device itself without having to do it in the app. Now that I just lost that app support, I asked them again what options I have. But as with lots of big companies, I have the impression the support staff has a database with answers and no means to escalate feature requests or even bug reports from customers. Then I remembered a site that I found two years ago when I got the device, where a guy reverse engineered parts of the comms protocol. And sure enough I got the python utility running inside my chroot environment on the phone. That allows me to send custom ok messages, but I have yet to find out how to start tracking.