Category Archives: Indulgence

A Satellite Dream

I had a dream that a guy was having surgery to place all kinds of electronic equipment inside his body, all over, including antennas, so that he could be a satellite.

The doctors were happy to do it, because it was something new. They wrinkled up all the skin around his shoulders and chest with a long, thick wire. He was wincing a little.

He said the only drawback so far is that it gave him scoliosis in a few places in his spine, and he felt heavier and it was hard to move because the metal inside always seemed to move separately from his flesh.

EFF’s Web Browser Tracking Tester – My Results

The Electronic Frontier Foundation (EFF) announced an update to Panopticlick 2.0 — a web-based utility that analyzes your web browser’s current capabilities, settings and behavior as it is visible to outside people, to help you understand how your privacy is maintained.

It’s an interesting question, the issue of privacy, when considering the accessibility and use of so many “free” services. The fact is, our privacy is the currency we often trade in money’s stead.

This growing realization is prompting many people to find ways to start protecting their privacy. This is a challenge, despite whatever means they discover, particularly considering the largest marketing company around, Google, also provides people with the most widely-used web browser, Chrome.

Running Panopticlick 2.0 from the Chrome web browser yielded the following result for me:

Chrome Web Tracking

It’s pretty much exactly what you’d expect. I don’t, however, use Google’s Chrome browser, except when I have no choice, which Google makes sure is often enough. For example, you can’t edit your photos stored on Google unless you use Chrome. You can’t use hangouts unless you use Chrome. Or use Google Voice. And if you’re using Linux, in order to use Chrome, you must give Google root access to your computer by installing Chrome as a system repository.

So I use Firefox for nearly everything that isn’t a Google service, as a sort of compromise. I actually find Firefox is a much better experience for me, too, regardless of ethical considerations. I also use the EFF’s Privacy Badger plugin, which helps thwart tracking. The result of the same test run above with Firefox, using Privacy Badger is the following:

Web Tracking with Privacy Badger

I honestly don’t mind ads on sites, as long as they are not obtrusive or intrusive — or malicious. And Google provides some of the least obtrusive ads out there. However, they also provide some of the most intrusive, in that they know the most about you.

I use Google’s Ads on my site here. Despite getting around 100 or so visits per day, I haven’t made any money from them yet. Not one cent. Yet I’m giving Google the information that you’ve come here to read this. Unless, of course, you’re using something like Privacy Badger to block the ads, like I am. 😉 I don’t know how much you could really block using an add-on, if you’re using Google’s Chrome browser though.

As an interesting aside, I ran this test on Microsoft’s Edge web browser. It surprised me! They actually have some partial protection for people going on. Well done Microsoft!

Web Tracking Microsoft Edge

The funny thing is, if you click on “Install Privacy Badger” in Microsoft Edge, you get taken to the Google Chrome store to install a Chrome plugin. The EFF really needs to fix that.

 

Fix Slow Network (NAT) after Debian Wheezy Kernel Update 3.2.0-4

NOTE: This issue was fixed with the 3.2.60-1+deb7u3 update that came out in Debian’s security update stream.

Router with Firewall

I noticed a few weeks ago that after a Debian kernel update on my Debian-based router, network performance degraded terribly. Linux clients behind this Debian firewall did not seem to be affected nearly as much as the Windows clients — Windows machines could not upload at all to the Internet once this Debian update was in place on the router.

At first I thought it was Comcast, before I realized that it was mostly the Windows machines that had slow network performance. Sometimes download performance was affected as well – some sites just stalling, and Pandora was practically unlistenable.

After searching around a bit, I found an old bug where the network address translation Linux kernel code had been patched for handling the defragmentation of packets that exceeded MTU values, if I’m remembering right. Apparently this “fix” caused a number of problems with the 3.2.0-4 Debian GNU/Linux kernel when it was implemented along with some security updates.

I started playing around with it on my own, and managed to find a Debian bug where a couple patches were available that patched it back. This is very, very good, because the network connection was pretty much unusable if you were using IP Masquerading or NAT as a firewall/router.

The bug is documented on the Debian bugsite, along with the kernel patches. But if you’d like a step-by-step, this is what I did to fix the problem on 2 different routers so far:

Prepare

You’ll need some disk space — probably around 10G free. Always back up — if following these steps results in an unbootable machine for you, don’t blame me. It very well could. Particularly if you don’t pay attention, or know things that I can’t even imagine you don’t know. Which is hard. You’ve been warned. It’s a kernel recompile! I’d say wait for Debian to release it in the channel, but it’s been weeks, and I’m sure some of you have been suffering as much as me.

Install Debian Packages

This is a kernel compile – we’ll be keeping all of Debian’s customizations, along with their current kernel, just with our 2 little extra patches applied. As such, you’ll need some source to compile, and the Debian scripts that automate the Debian Way. It’s a boatload of packages…

# apt-get install devscripts
# apt-get build-dep linux

I know, sweetie.

To The Kernel Source and Patch

I like to do my dirty work in /usr/src – and when doing it, I like to be root, not any of that sudo or fakeroot stuff. So if you’re playing it safe and wise, you’ll need to fakeroot these compiles. I leave it to you. But if you’re willing to be root, here’s the easy:

# cd /usr/src
# mkdir linux-deb
# cd linux-deb
# apt-get source linux

NOTE! You might want to specify “linux=3.2.60-1+deb7u1” instead of just the plain “linux” there. That way you’re sure to get the right version – the version with the problem, that matches with this fix.

As for the patches, I’ll link to the ones provided in the bug report that you can get with wget — I’ve also included them as full text below if you’d rather, in case cut & paste of these long URIs doesn’t work right for you.

If you can get these two long lines pasted, you’ll get two files outputted to your working directory that are those patches. Saw this from Teodor Milkov in the bug – thanks Teo!

# wget --no-check-certificate "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch;att=1;bug=754294" -O revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch


# wget --no-check-certificate "https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch;att=2;bug=754294" -O revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch
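
Because the wget commands above skip certificate verification, it is worth confirming what was actually downloaded before it goes into a kernel build. The following script is an added example, not part of the original post or the Debian bug report: it checks that a file is a real diff and touches only the three files modified by the patches printed at the end of this post. The function names and the sample patches are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check what a downloaded
# kernel patch modifies before handing it to debian/bin/test-patches.

# Files modified by the two revert patches printed on this page.
EXPECTED_FILES="net/ipv4/ip_forward.c
include/linux/skbuff.h
net/ipv6/ip6_output.c"

# List every path named in a '--- a/<path>' or '+++ b/<path>' header.
# A body line that merely looks like a header is listed too, so the
# check errs towards rejecting.
patch_touched_files() {
    sed -n -e 's|^--- a/\([^[:space:]]*\).*|\1|p' \
           -e 's|^+++ b/\([^[:space:]]*\).*|\1|p' "$1" | sort -u
}

# Print touched paths that are not in EXPECTED_FILES (no output = clean).
patch_unexpected_files() {
    patch_touched_files "$1" | while IFS= read -r path; do
        printf '%s\n' "$EXPECTED_FILES" | grep -Fxq -- "$path" ||
            printf '%s\n' "$path"
    done
}

# Succeed only for a non-empty unified diff confined to EXPECTED_FILES.
check_patch() {
    [ -s "$1" ] || { echo "REJECT $1: missing or empty" >&2; return 1; }
    [ -n "$(patch_touched_files "$1")" ] ||
        { echo "REJECT $1: no diff headers (HTML error page?)" >&2; return 1; }
    unexpected=$(patch_unexpected_files "$1")
    [ -z "$unexpected" ] ||
        { echo "REJECT $1: unexpected files: $unexpected" >&2; return 1; }
    echo "OK $1"
}

# Constructed sample inputs (not real patches) so the example runs offline.
make_samples() {
    cat > "$1/good.patch" <<'EOF'
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -1,1 +1,1 @@
-old
+new
EOF
    cat > "$1/extra.patch" <<'EOF'
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -1,1 +1,1 @@
-old
+new
--- a/drivers/constructed/example.c
+++ b/drivers/constructed/example.c
@@ -1,1 +1,1 @@
-old
+new
EOF
    printf '<html><body>Not found</body></html>\n' > "$1/error.patch"
}

# Demo run on the constructed samples: one OK line, two REJECT lines.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for p in good extra error; do
    check_patch "$demo_dir/$p.patch" || true
done
rm -rf "$demo_dir"
```

In real use, call check_patch on each of the two downloaded files in /usr/src/linux-deb and go on to the test-patches step only if both print OK.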

Compile Kernel with the Patches

Now you’ll just cd down into the top of your Debian kernel build tree, and apply these patches and compile. This command line is for the amd64 architecture. You may have a different one.

And replace that -j 8 with the number of CPU cores you have (or less)

# cd linux-3.2.60
# debian/bin/test-patches -f amd64 -j 8 ../revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch ../revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch

Now go make some dinner. Do some yoga! Dig in the earth, or paint a room. That will take some time. The first error up top at the very beginning is normal.

Install the new Debian Kernel Package

Now you should have a nice new linux-image-3.2.0-4 deb package file, along with another with debug headers, and just your regular headers. 😉 This new Debian package, version-wise, is the same as the one in the main stream, only with a ~test — so I believe we should get newer-versioned kernels automatically when they come out.

Install this deb with the normal

dpkg -i linux-image-3.2.0-4-amd64_3.2.60-1+deb7u1a~test_amd64.deb

It’ll do all your modules and initrd stuff for you, and call your grub menu rebuilder doohicky.

One of my routers failed the install, complaining that it couldn’t make a symlink to the initrd file from / to /boot — that’s because there was no initrd. I solved it by removing my current kernel-image package (ignore the scary warnings if you’re foolhardy) and then running the dpkg -i again on it, where the initrd was made just fine. The other router had no problem with it. Go figure.

Hope this helps some of you if you’re having those terrible network performance problems after that last Debian kernel update. I wish they could get these fixed sooner.

Anyway, here are those patches if you need to cut and paste your own, instead of wgetting from those obnoxiously long URIs. Just put them in any named file, and then be sure to call them by those names from the test-patches step.

diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 7593f3a..e0d9f02 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -42,12 +42,12 @@
 static bool ip_may_fragment(const struct sk_buff *skb)
 {
     return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) ||
-        skb->local_df;
+           !skb->local_df;
 }
 
 static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
 {
-    if (skb->len <= mtu)
+    if (skb->len <= mtu || skb->local_df)
         return false;
 
     if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
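
Review bot: The two changes in this hunk, taken together, make the ICMP path unreachable at the call site. With !skb->local_df in ip_may_fragment(), the expression !ip_may_fragment(skb) is true only when IP_DF is set and local_df is also set, while the added || skb->local_df in ip_exceeds_mtu() makes that function return false whenever local_df is set, so the test !ip_may_fragment(skb) && ip_exceeds_mtu(...) in ip_forward() can never be true. If this revert exists only so that the larger GSO forwarding revert applies cleanly, the patch description should say so and state that the two must be applied together.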
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2588,22 +2588,5 @@ static inline bool skb_is_recycleable(co
 
     return true;
 }
-
-/**
- * skb_gso_network_seglen - Return length of individual segments of a gso packet
- *
- * @skb: GSO skb
- *
- * skb_gso_network_seglen is used to determine the real size of the
- * individual segments, including Layer3 (IP, IPv6) and L4 headers (TCP/UDP).
- *
- * The MAC/L2 header is not accounted for.
- */
-static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
-{
-    unsigned int hdr_len = skb_transport_header(skb) -
-                   skb_network_header(skb);
-    return hdr_len + skb_gso_transport_seglen(skb);
-}
 #endif    /* __KERNEL__ */
 #endif    /* _LINUX_SKBUFF_H */
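
Review bot: Deleting skb_gso_network_seglen() from skbuff.h breaks the build for any caller left in the tree, and the only callers removed here are the ones in ip_forward.c and ip6_output.c in the hunks that follow. Confirm with a tree-wide search that nothing else references the helper before dropping it. This section also arrives without the diff --git and index lines that the first patch carries, which makes it harder to tell what it was generated against.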
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -39,68 +39,6 @@
 #include <net/route.h>
 #include <net/xfrm.h>
 
-static bool ip_may_fragment(const struct sk_buff *skb)
-{
-    return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) ||
-           !skb->local_df;
-}
-
-static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
-{
-    if (skb->len <= mtu || skb->local_df)
-        return false;
-
-    if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
-        return false;
-
-    return true;
-}
-
-static bool ip_gso_exceeds_dst_mtu(const struct sk_buff *skb)
-{
-    unsigned int mtu;
-
-    if (skb->local_df || !skb_is_gso(skb))
-        return false;
-
-    mtu = dst_mtu(skb_dst(skb));
-
-    /* if seglen > mtu, do software segmentation for IP fragmentation on
-     * output.  DF bit cannot be set since ip_forward would have sent
-     * icmp error.
-     */
-    return skb_gso_network_seglen(skb) > mtu;
-}
-
-/* called if GSO skb needs to be fragmented on forward */
-static int ip_forward_finish_gso(struct sk_buff *skb)
-{
-    struct sk_buff *segs;
-    int ret = 0;
-
-    segs = skb_gso_segment(skb, 0);
-    if (IS_ERR(segs)) {
-        kfree_skb(skb);
-        return -ENOMEM;
-    }
-
-    consume_skb(skb);
-
-    do {
-        struct sk_buff *nskb = segs->next;
-        int err;
-
-        segs->next = NULL;
-        err = dst_output(segs);
-
-        if (err && ret == 0)
-            ret = err;
-        segs = nskb;
-    } while (segs);
-
-    return ret;
-}
-
 static int ip_forward_finish(struct sk_buff *skb)
 {
     struct ip_options * opt    = &(IPCB(skb)->opt);
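
Review bot: Removing ip_gso_exceeds_dst_mtu() and ip_forward_finish_gso() drops the only code shown here that software-segments a forwarded GSO skb whose segments are larger than the outgoing MTU; the removed comment describes exactly that case. The patch description should state what happens to such packets after the revert, since ip_forward_finish() is left handing every skb straight to dst_output().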
@@ -110,9 +48,6 @@ static int ip_forward_finish(struct sk_b
     if (unlikely(opt->optlen))
         ip_forward_options(skb);
 
-    if (ip_gso_exceeds_dst_mtu(skb))
-        return ip_forward_finish_gso(skb);
-
     return dst_output(skb);
 }
 
@@ -152,7 +87,8 @@ int ip_forward(struct sk_buff *skb)
     if (opt->is_strictroute && opt->nexthop != rt->rt_gateway)
         goto sr_failed;
 
-    if (!ip_may_fragment(skb) && ip_exceeds_mtu(skb, dst_mtu(&rt->dst))) {
+    if (unlikely(skb->len > dst_mtu(&rt->dst) && !skb_is_gso(skb) &&
+             (ip_hdr(skb)->frag_off & htons(IP_DF))) && !skb->local_df) {
         IP_INC_STATS(dev_net(rt->dst.dev), IPSTATS_MIB_FRAGFAILS);
         icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
               htonl(dst_mtu(&rt->dst)));
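
Review bot: In the restored condition, !skb_is_gso(skb) exempts every GSO skb from the DF/MTU check whatever its segment size, so no ICMP_FRAG_NEEDED is sent for them; the removed ip_exceeds_mtu() only exempted a GSO skb when skb_gso_network_seglen(skb) <= mtu. That behaviour change deserves a line in the description. As a style point, !skb->local_df sits outside the unlikely(...) parentheses; moving it inside would make the branch hint cover the whole test and read more clearly.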
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -381,17 +381,6 @@ static inline int ip6_forward_finish(str
     return dst_output(skb);
 }
 
-static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
-{
-    if (skb->len <= mtu || skb->local_df)
-        return false;
-
-    if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
-        return false;
-
-    return true;
-}
-
 int ip6_forward(struct sk_buff *skb)
 {
     struct dst_entry *dst = skb_dst(skb);
@@ -515,7 +504,7 @@ int ip6_forward(struct sk_buff *skb)
     if (mtu < IPV6_MIN_MTU)
         mtu = IPV6_MIN_MTU;
 
-    if (ip6_pkt_too_big(skb, mtu)) {
+    if (skb->len > mtu && !skb_is_gso(skb)) {
         /* Again, force OUTPUT device used as source address */
         skb->dev = dst->dev;
         icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
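
Review bot: The replacement test skb->len > mtu && !skb_is_gso(skb) no longer looks at skb->local_df, which the removed ip6_pkt_too_big() treated as an exemption (skb->len <= mtu || skb->local_df returned false). If the code before the reverted change had no local_df exemption, this is a faithful revert and the description should say so; otherwise keep && !skb->local_df in the condition so that such packets do not start receiving ICMPV6_PKT_TOOBIG.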

Impressions of My New Motorola Moto X (not really a review)

Sadly late last week my much loved Nexus 4 phone died. After much testing, it turned out to be a failure of the flash memory on which the system lives, and so the device is fairly well dead.

I’m pretty well determined to keep as close to the stock Android experience as possible. LG is pretty good at that, and they manufactured the Nexus 4, and it was a great price. However, it concerns me when a manufacturer sells me a product that dies less than six months past its warranty. So I am skeptical of LG right now.

That left me considering the Google devices and the Motorola devices. The Nexus 5 looks wonderful, and the price is excellent. I’ve heard many good things about it. And looking through the Motorola lineup, the Moto X stood out as the best option, even above their new “budget” models.

Between the Nexus 5 and the Moto X I was hard-pressed to decide. The Nexus 5 certainly had much better system specifications on paper, but the Moto X was incredibly well-engineered, and creatively so as well.

In the end, the creativity and engineering of the Moto X won out for me, even above the base system specifications. This decision was the more premium, price-wise as well, though not by a wide margin, considering a free bumper case was being included and Google charged a ridiculous price for shipping last time.

When all was said and done, I ended up with a new phone from Motorola, the Moto X, 32 GB of flash memory, a bumper case, an NFC clip that acts as an unlock, and a real walnut wood case, for $475, including tax.

Most satisfactory, except for the fact that I have to buy it at all, because my Google/LG Nexus 4 failed, and I was forced to. I think the main reason I chose the Moto X was because Motorola is the manufacturer, and every Motorola device I have ever owned has worked flawlessly, never dying, and survived everything I dished out to it. In my mind, Motorola has a reputation of reliability and durability, as well as engineering — and they are a company that takes pride in making a solid product as well. But I have to admit, having a real wood case was also a nice selling point.

Anyway, I ordered it, custom made, with walnut, gold metallic highlighting, orange bumpers, my name engraved on it (I never resell), and all sorts of little custom details about the software innards. It arrived before a week was out, and they were excellent about keeping me informed of the billing, build and shipping progress along the way. A completely satisfactory experience.

The Experience

This Moto X, first of all, is much more fluid than my Nexus 4. And the screen, even though it is less resolution, looks better. And best of all, this is the first of the smartphones I’ve owned that actually felt very natural and comfortable to hold in the hand.

Of course, being a Google Android device, it synced itself up all quick and nicely with my contacts once I connected my Google account. And the phone was great at pointing out things you should consider activating or doing as you started to break the phone in, customizing it even further toward your tastes.

I really was surprised at how fast and smooth this phone was. I was imagining that, despite what others had said, I would run into the occasional performance stutter, especially when all the apps were installing themselves as I was trying to do other things. But it didn’t. I don’t know what these Motorola engineers did, but they did something very, very right.

For a while now, I’ve slowly been getting myself used to dictating messages to my Android devices rather than typing them out. Always there is the occasional annoying glitch in its interpretation that you must awkwardly return to manually fix. Happily, one of the first things I noticed was that this Moto X was noticeably superior at voice recognition to my Nexus 4, and my Nexus 4 was damn good!

I think I remember reading somewhere that Motorola engineers added a small CPU whose sole purpose was to perform voice recognition. I suppose I should verify this before even mentioning it, but I’ll leave that for you to do, if you doubt my memory as much as I do. If they did, it certainly shows.

I remember thinking, when I first heard of it, how unsettling it would be to have a device that was going to be listening to you at all times. Particularly in an age when so many “true Americans” with “American values” have such a fetish for voyeurism and disdain for any privacy. But my Moto X is sitting right next to me, on the right. I know it hears my clicking keyboards, and maybe a fart. And of course, all the lies I tell myself when nobody is around. But it’s not looming there, like I imagined it might, with its own disturbing gravity of ears. Though perhaps it should. I don’t know.

But what I do know is that I love being able to yell out to it from across the room and have it answer or do something for me. Before, I thought, what a silly feature really. I can just hit the microphone button on the search bar and get the same thing. But there is something very different about it just being there, knowing you can just tell it something, at any time, or ask it something, as if it were actually something… in the room with you.

I think it’s impossible to describe. Just like how it feels in the hand. And just like how things move within the screens. And how it knows when you’re in the car driving, and will read out messages to you if you like, instead. These guys at Motorola thought of a lot of things, and they really did an amazing job bringing those things together into an actual working device.

I suppose it all boils down to, I like this phone. I like the Moto X so much that I’m even a little happy that my LG Nexus 4 died, just so that we could be together now. And I don’t have even the slightest hint of regret that I might be missing something, having chosen the Moto X over the Nexus 5. In fact, I’m happy that I did.

Oh, I should also mention the camera. I like taking pictures. From what I was reading earlier, neither the Nexus 5 nor the Moto X supposedly has the greatest camera. But I do like this camera better than the one I had on my Nexus 4. It takes beautiful pictures, to me. And the camera app is very fast. In another very clever design decision, Motorola engineers thought to make the camera start when you flick your wrist. I thought, how silly, really. But the thing is, it’s very useful! And it happens fast!

The thing I don’t like about the camera is that it seems very easy to blur the pictures. I think it must not have any image stabilization, or maybe I just haven’t found it to enable yet. So you have to be aware of your hand and body motion as you snap. This is a little bothersome, being so sensitive. Then again, for years with cameras, I had to worry about the same thing – always using the trick of holding your breath when you shoot to keep the lens from any distorting motions.

I would still say that is a minus of the camera. And really, that’s the only minus I’ve found – amongst so many pluses! The most peculiar and delightful thing about this phone is the pluses you never even thought would be there. The biggest being; the Moto X is just so damn comfortable to be around!

This device really is a truly wonderful dollop of engineering and design baked into a sweet package. It is understated, elegant, and intelligent, at all levels, and at any angle. I honestly don’t think I could be happier with a phone. I could just eat it!

My new Moto X with a walnut back! Picture was taken with my no-good Nexus 7 front-facing camera though, with lots of unsightly reflection from the plant's artificial sun.

Creating a Samba 4 Domain Member File Server

Just finished writing up a piece on how to integrate a Samba 4 file server into an existing Active Directory Domain.

The odd thing is creating a Samba 4 server that doesn’t want to be authoritative, but is, instead, subject to another server for auth and permissions.

Not a lot out there I found for just a simple file server. All kinds of stuff for integrating a Linux system to use AD/DC for centralized auth — like user logins to Linux boxes — but not much on just being a file server, that doesn’t need all that extra rigmarole.

Hopefully it will help someone out… 😉