Let’s Encrypt – getting your own (free) SSL certificates

For those who’ve not been paying attention the Let’s Encrypt project entered public beta recently so that anyone could get their own SSL certificates. So I jumped right in with the simp_le client (as the standard client tries to configure Apache for you, and I didn’t want that as my config is pretty custom) and used this tutorial as inspiration.

My server is running Debian Squeeze LTS (for long painful reasons that I won’t go into here now) but the client installation was painless, I just patched out a warning about Python 2.6 no longer being supported in venv/lib/python2.6/site-packages/cryptography/__init__.py. 🙂

It worked well until I got rate limited for creating more than 10 certificates in a day (yeah, I host a number of domains).

Very happy with the outcome, A+ would buy again.. 🙂

Disable SpamCop reporting in SpamAssassin

If you’ve been using SpamAssassin and have been reporting to SpamCop then you’ll have found overnight that you got a heap of bounces back saying things like:

<devnull@prod-sc-app7.sv4.ironport.com> (expanded from
    <spamassassin-submit@spam.spamcop.net>): unknown user: "devnull"

It turns out that the spamassassin-submit@spam.spamcop.net appears to be something that the SpamAssassin developers set without consulting with SpamCop, and SpamCop have just been blackholing those reports for an unknown amount of time. Last night it went away and so now IronPort are rejecting them which was how I learnt of this. I’m not impressed by what the SA developers did her, it should have required you to put in a registered SpamCop address and not reported if that wasn’t set.

I’ve disabled my SpamCop reporting by commenting out this line in /etc/mail/spamassassin/v310.pre on my Debian mailserver:

loadplugin Mail::SpamAssassin::Plugin::SpamCop

If you use SpamAssassin and don’t have a registered SpamCop account you’ll want to do the same.

Locking Down WordPress Admin and Login URLs

For those WordPress admins who are lucky enough to only access via certain defined IP addresses (IPv4 or IPv6) you can lock down access to the wp-admin and wp-login.php URLs in your Apache configuration with just:

<location /wp-admin/>
    Order deny,allow
    Deny from all
    Allow from ::1/128 1234:5678:90ab:cdef::/64

<files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from ::1/128 1234:5678:90ab:cdef::/64

Hopefully that helps someone!

Mount Burnett Observatory (@MBObservatory) now on Twitter

For almost a year now I’ve been a member of the Mount Burnett Observatory, a community project at the old Monash University astronomical observatory at Mount Burnett in the Dandenong Ranges. It’s great fun with both the original 18″ telescope and new 6″ and 8″ Dobsonian telescopes (some thoughtfully sponsored by the Bendigo Bank for education and outreach purposes).

It’s had a Facebook presence for a while, but nothing on Twitter, so after speaking to the webmaster and the president I’ve now set up a Twitter presence as @MBObservatory.

So if you’re into astronomy and around Melbourne (especially the south-eastern suburbs, though we do have people travelling in from quite a way) and use Twitter please do follow us!

Google Disaster Recovery Paper in ACM

Via Tim Freeman (@peakscale) on Twitter, this very interesting paper on how Google handles disaster recovery planning and testing. Best quote so far:

When the engineers realized that the shortcuts had failed and that no one could get any work done, they all simultaneously decided it was a good time to get dinner, and we ended up DoS’ing our cafes.

They explicitly prevent “critical personnel, area experts, and leaders from participating”, and are prepared to take downtime (and revenue loss) as part of it. They also exposed some interesting issues that wouldn’t have come to light anyway (as these things inevitably will do):

In the same scenario, we tested the use of a documented emergency communications plan. The first DiRT exercise revealed that exactly one person was able to find the plan and show up on the correct phone bridge at the time of the exercise. During the following drill, more than 100 people were able to find it. This is when we learned the bridge wouldn’t hold more than 40 callers. During another call, one of the callers put the bridge on hold. While the hold music was excellent for the soul, we quickly learned we needed ways to boot people from the bridge.

There was also the time they were running low on diesel fuel for a generator and didn’t know how to find the emergency spending procedure, so someone volunteered to put a 6 figure sum on their personal credit card. Probably would do wonders for any air miles they were accruing that way!

On a more whimsical note, there was one comment in the article that attracted my attention, saying:

most operations teams were already continuously testing their systems and cross-training using formats based on popular role-playing games.

gives pause for thought, if it was Call of Cthulhu I could imagine:

I’m sorry, but your data centre has just been eaten by Shub-Niggurath and your staff have all run away or been consumed by her 1,000 young. Take 5 D6 SAN loss and roll on the permanent insanity table.

Though perhaps Paranoia would have been a more appropriate choice, plenty of troubleshooters needed there I suspect..

A Week or so with the Samsung Galaxy Nexus

After a couple of good years with my Nokia N900 I’ve come to the sad conclusion that there’s no future for that platform due to the combined actions of Nokia and Intel – Nokia for dumping Linux and going with Windows Mobile for their smart phones after getting a new CEO (ex-Microsoft) and then Intel through dumping Meego and setting up a partnership with Samsung for yet another mobile Linux platform called Tizen (which at least went for the code first, hype second path, unlike Meego). Intel are now on their third mobile Linux project as there was their Moblin project which was merged with Nokia’s Maemo to form Meego (announced less than 2 years ago) so they have form here as a serial abandoner.

Looking at what is left in the mobile space it was really a no-brainer as neither Windows Mobile nor Apple’s iOS appealed at all, so it had to be an Android phone. The timing was pretty good as Samsung and Google had just started shipping their jointly designed Galaxy Nexus with Android 4 (aka Ice Cream Sandwich or ICS). It has the advantage of apparently being a phone recommended for the AOSP (Android Open Source Program) should I feel the need once my warranty expires – though I can’t find a reference to that now! I ordered an unlocked Galaxy Nexus with 2 year warranty from Mobicity as I didn’t fancy the rubbish that carriers tend to put onto their phones, nor get handcuffed into a contract I didn’t want. As an added bonus Mobicity let you pick from 3 optional accessories for free – I picked the screen protector (the other were either a charger or a bluetooth headset from memory).

As an amusing aside I did try and see if Dick Smith Electronics would price match with Kogan for the Galaxy Nexus as Kogan was far cheaper and DSE was only selling them online, but with a manufacturers warranty (unlike Mobicity or Kogan). Unfortunately DSE declined to do so on the grounds that Kogan didn’t have a physical retail outlet which was a bit rich given that neither does DSE for these phones. But then I found out they are now owned by Woolworths and so I didn’t fancy supporting the largest owners of poker machines in Australia.

Despite the best efforts of UPS (who said it would take 6 days to cross Melbourne having taken 24 hours from Hong Kong – it actually arrived the following morning) I received it intact and on time.

Samsung / Google Galaxy Nexus

I’ve now been playing with it, er, using it in anger for over a week now and so far I’m very happy. I’d have to say the best description of the overall experience is “smooth”. Android 4 seems light years ahead of Android 2.3.3 on my wifes Huaewei Sonic, though part of that will be the fact that it’s just a much more capable phone with a larger screen and much more powerful processor.

Good bits:

  • Auto-language select – it started up in Chinese characters but before I could really wonder how I’d fix that it detected it had an Australian SIM in it and autoconfigured the locale to match.
  • No extra cruft – I’ve not spotted any “extras” from Samsung on the phone – the Market is the standard Android Market, etc.
  • Good size screen – the phone feels much smaller in the pocket than my old N900 due to its narrowness despite it having a much wider screen.
  • Android Market – heaps of apps, though the usual criticism of it not being easy to search for open source applications applies here.
  • Camera – it’s “only” 5 megapixels, but it’s still pretty good (though I’ve not yet figured out how to turn the flash off).
  • NFC – OK, a little bit of a toy at the moment, but there are a couple of apps that will read it and confirm that the reason my Myki and Uni ID card interfere is that they’re the same type of technology and so interfere with each other. As do my credit card and my bank card (same tech again).
  • Compass – my N900 had GPS and accelerometers (as does the Galaxy Nexus of course) but the compass allows neat things like Google Sky where you can just point your phone at the sky and have it show you a labelled view of planets stars and constellations.
  • IPv6 works on Wifi – I know people say IPv6 has worked on Wifi since Android 2.2, but it certainly doesn’t on my wifes Android 2.3 phone. But the Galaxy Nexus seems quite happy on my home network with native dual stack IPv6 courtesy of Internode.

Of course nothing is ever perfect, so here’s my feelings on the bad bits:

  • No real keyboard – I really miss the N900’s physical keyboard, it made typing easy. The on-screen keyboard that Android has is good, and quite usable for SMS, Twitter, etc, but for things like the Connectbot SSH client you can’t beat a real keyboard
  • No NTP synchronisation possible – you can get root on the phone (and void your warranty) but this *really* shouldn’t be necessary!
  • NITZ sucks – whilst it gets the time right the timezone is out by an hour. Probably a carrier issue but I don’t think phones should be relying on it. Had to set it by hand to fix it up.
  • Short notification sounds – a minor nit but the default notification sounds that are used for things like SMS, etc, are really short and quite easy to miss.
  • Not entirely open source – whilst the N900 wasn’t either it does seem to have been more open than Android, and it didn’t try and avoid GPL code at all costs like Android does.
  • No update to Android 4.0.2 available (yet) – so far it appears that Samsung haven’t pushed an Android 4.0.2 update to the region my phone was intended for – though other Galaxy Nexus owners around the world have reported getting updates at other times (including someone at Mobicity where I bought it). I suspect this is just an organisational delay and nothing more serious, but it is annoying. If it wasn’t for the warranty issue I’d consider reflashing the phone with the stock Google firmware for the Galaxy Nexus and pick the updates up directly from them in future.

To finish it off here are three images taken with the camera in the Samsung Galaxy Nexus (as I said I was happy with it), the first one was used on the weather slot as a background by the ABC News people last week!

Melbourne summer morning Swanston St Skyline The Light Side and the Dark Side

Wikileaks confirms AFACT acted as a front for the MPAA in the iiNet case

Via a tweet from iiNet, who were sued by AFACT in the Australian Federal Court, this comment on the case from a US cable released by Wikileaks:

Despite the lead role of AFACT and the inclusion of Australian companies Village Roadshow and the Seven Network, this is an MPAA/American studios production. Mike Ellis, the Singapore-based President for Asia Pacific of the Motion Picture Association, briefed Ambassador on the filing on November 26. Ellis confirmed that MPAA was the mover behind AFACT’s case (AFACT is essentially MPAA’s Australian subcontractor; MPAA/MPA have no independent, formal presence here), acting on behalf of the six American studios involved. MPAA prefers that its leading role not be made public.

It also appears the Australian companies involved needed some persuasion to be involved – I wonder if it involved any of the folding paper/plastic type of persuasion ?

AFACT and MPAA worked hard to get Village Roadshow and the Seven Network to agree to be the public Australian faces on the case to make it clear there are Australian equities at stake, and this isn’t just Hollywood “bullying some poor little Australian ISP.”

They also go into the expected reasons why they picked iiNet – mainly that they weren’t Telstra (they were scared of them).

Google to acquire Motorola Mobility (Updated x1)

Very interesting news, especially given Motorola’s recent sabre rattling about going after patent victims^W income – hopefully this will put the end to that nonsense.

MOUNTAIN VIEW, Calif. & LIBERTYVILLE, Ill. – Aug. 15, 2011 – Google Inc. (NASDAQ: GOOG) and Motorola Mobility Holdings, Inc. (NYSE: MMI) today announced that they have entered into a definitive agreement under which Google will acquire Motorola Mobility for $40.00 per share in cash, or a total of about $12.5 billion, a premium of 63% to the closing price of Motorola Mobility shares on Friday, August 12, 2011. The transaction was unanimously approved by the boards of directors of both companies.

The acquisition of Motorola Mobility, a dedicated Android partner, will enable Google to supercharge the Android ecosystem and will enhance competition in mobile computing. Motorola Mobility will remain a licensee of Android and Android will remain open. Google will run Motorola Mobility as a separate business.

I hope with Google in control we’ll see some better Android devices out there – can we get a real keyboard please ?!?

Update 1:

It appears that patents are part of the reason for Google buying Motorola, but looks like they’re being trailed as defensive according to this TechCrunch article:

During today’s conference call explaining the deal, Page noted that Motorola’s “strong patent portfolio” will help Google defend Android against “Microsoft, Apple, and other companies.” The first two questions on the call went right to the patent issue as well. With Android under attack on the patent front by Apple, Microsoft, Oracle and others, buying Motorola is very much a defensive move as well.

Comment on Social Media and Social Unrest

My good friend Alec Muffett has written on ComputerworldUK about a discussion on the pros and cons of social media in light of the riots in the UK. He puts it really well:

I support that some people might want to use Blackberries to organise riots. If people want to use a cellphone or social media to conspire, that’s fine by me. I also believe that young lovers should be able to whisper sweet nothings to each other in secret, I believe that rape victims should be able to communicate in private, and that pregnant girls should be able to seek abortion advice without state, corporate, or parental eavesdropping. Cancer sufferers should be able to share in private their illness with the people who care for them, and I believe that dissidents should be free to communicate political opinion.

I believe all of these things because I discriminate the ability to obtain privacy from the exercise of criminal intent, and I believe that the ability to have a private conversation – something that 200 years ago was easily guaranteed – is a valuable asset to the individual. Plus I further believe that a state which has been too lazy, too profligate, or too cheap to police what people are doing rather than how they talk about doing it, is in no position to argue that ability or secrecy of communication should be inhibited because the problem is too expensive for them to address otherwise.

This is even more appropriate these days given that David Cameron, the UK PM, has now said:

We are working with the police, the intelligence services and industry to look at whether it will be right to stop people from communicating via these websites and services when we know they are plotting violence, disorder and criminality.

I guess because it worked so well in Tunisia, Egypt, etc…

I would also suggest you watch his video “On Cyberspace, Social Media and Censorship“, recorded before the UK unrest.

Microsoft Patents “Legal Intercept” of VoIP and other Network Protocols

In 2009 some bright sparks at Microsoft decided that they should patent how to legally intercept VoIP (explicitly SIP traffic in the patent) and other network protocols. The SIP attack basically boils down to tweaking the SDP packets to remove an option:

If SIP invite messages are intercepted on their way to the call server or in the call server then the “a=candidate” lines referring to a direct peer to peer voice connection may be removed from the SDP parameters. As a result, the terminating call VoIP entity is not offered local paths and will not respond with them in the answer SDP. This forces the call through the NAT and into the public network where it can be transparently recorded.

But of course this is a patent and so the broad principles are couched in heaps of legal mumbo-jumbo and so what is actually covered is impenetrable.

One interesting point, given recent developments, is:

For example, VoIP may include audio messages transmitted via gaming systems, instant messaging protocols that transmit audio, Skype and Skype-like applications, meeting software, video conferencing software, and the like.

This is long before they bought Skype, but I’m sure that won’t stop conspiracy theorists.. 🙂