Planet Linux Australia

Planet Linux Australia - http://planet.linux.org.au

Hamish Taylor: Stupidity with passwords

Fri, 2015-10-23 14:28

We all know and understand how important passwords are. We all know that we should be using strong passwords.

What’s a strong password? Something that uses:

  • lower case characters
  • UPPER CASE CHARACTERS
  • punctuation, such as !@#$%^&*()<>?”:{}+_
  • and should be 8 characters or longer

So, to put it mildly, it really annoys me when I come across services that don’t allow me to use strong passwords. If I possibly could, I’d boycott these services, but sometimes that’s just not possible.

For example, my internet banking is limited to a password of between 6-8 characters. WTF?! This is hardly a secure password policy!

Another financial service I use is limited to 15 characters and doesn’t allow most of the punctuation set. Why? Is it too difficult to extend your database validation rules to cover all of the character set?

Ironically, I didn’t have a problem with Posterous, Facebook or Twitter (and others) in using properly secure passwords. So, these free services give me a decent level of security, but Australian financial services companies can’t. It’s stupidity in the extreme.

Hamish Taylor: Three Ubuntu 11.10 annoyances

Fri, 2015-10-23 14:28

A while back I posted up a few of the issues I was having with Ubuntu 10.04 “Lucid Lynx”.

I’m now using the latest version (for the next few weeks), Ubuntu 11.10 “Oneiric Ocelot”. And while it works well on my new laptop, it suffers from three pretty annoying issues.

  1. IPv6 and Network Manager. I am experiencing regular wireless drop outs when I enable IPv6 on my router. When I disable IPv6 on Network Manager it is perfectly stable again.
  2. For most USB keys, write speeds are really slow. And I mean excruciatingly slow. USB HDDs seem to be OK. The issue seems to be in the way that Ubuntu deals with caching.
  3. Sandy Bridge power draining. This is a well known and documented issue, with fixes that have been issued (to be incorporated into the 3.3.x kernel). They are not being integrated into the current version of Ubuntu (which uses the 3.0.x kernel), but are being backported into the next version, 12.04 (which will use the 3.2.x kernel).

These things are quite frustrating, and while I am pretty confident that the power issues will be resolved, I really hope that the other problems are addressed for the next version which is due 26 April 2012. From those bug reports and blog posts, it looks like they will be, which is heartening.

Hamish Taylor: Test

Fri, 2015-10-23 14:28

Test post

Hamish Taylor: A call to “standardised user account requirements” arms

Fri, 2015-10-23 14:28

We need to have a standard for management of user accounts.

Given the number of high profile companies that have been cracked into lately, I have been going through the process of closing accounts for services I no longer use.

Many of these accounts were established when I was more trusting and included real data. However now, unless I am legally required to, I no longer use my real name or real data.

But I have been bitterly disappointed by the inability of some companies to shut down old accounts. For example, one service told me that “At this time, we do not directly delete user accounts…”. I also couldn’t change my username. Another service emailed my credentials in plain text.

To protect the privacy and security of all users, an enforceable standard needs to be established covering management of user accounts. It needs to be applied across the board to all systems connected to the internet. I know how ridiculous this sounds, and that many sites wouldn’t use it, but high profile services should be able to support something like this.

Included in the standard should be:

  • the ability to completely delete accounts (unless there’s some kind of legislative requirement to keep, and then they should only retain the data that is absolutely necessary)
  • the ability to change all details including usernames
  • a requirement to encrypt and salt the password (that covers the credentials in plain text issue noted above)
  • determine the minimum practicable data set that you need to maintain an account and only ask for that. If there’s no need to retain particular account details, don’t collect them. For example, I’ve never been contacted by phone by any of these companies so why was I forced to enter a phone number?

This is a short list from my frustrations today. Please comment to help me flesh this out with other things that should be done on a properly supported user account management system.

And please let me know of your experiences with companies that were unable to properly protect your privacy and security.

Hamish Taylor: Back to WordPress!

Fri, 2015-10-23 14:28

I’ve given up on Blogger and returned to WordPress. I’ll update the look and feel from the defaults and try to update it a bit more often!

Hamish Taylor: My new laptop!

Fri, 2015-10-23 14:28

In May 2010, I posted about what I thought were some pretty underwhelming specifications for laptops.

I have bitten the bullet and upgraded to a laptop with 1366×768 display resolution anyway.

But on a 13.3 inch screen. So it actually works pretty well.

It is a system worth about $2500 that I got for around $700. And no, it didn’t fall off the back of a truck! It fell off the back of the Dell Outlet Store.

Specs:

  • Dell Latitude E6320
  • Core i5-2520M
  • 4GB RAM (although as an ‘Enterprise’ system, it came with Windows 7 32-bit, so only 3.2GB is visible to Windows. Fixed that by dual-booting Ubuntu 64-bit)
  • 250GB HDD
  • Wi-fi
  • Bluetooth (which I personally think is next to useless)
  • Backlit keyboard (which I think is the BEST thing ever!)
  • 6 cell battery

It’s also mil-spec hardened (or something) which means that it’s almost child-proof!

It does 1080p video and with 4 cores (2 physical and 2 virtual ‘hyper-threading’) video editing works well. Really well.

I want to post up a full review at some stage, but it may not be soon.

Hamish Taylor: In an ideal world … how to change my address

Fri, 2015-10-23 14:28

Recently I moved house.

I hate moving. Not just for the having to pack everything into boxes at one end then unpack everything at the destination (which for this move I didn’t have to do!), but mostly because I have to go through the pain that is changing my address.

It turns out that I interact with a lot of organisations, from finance institutions (banks, credit card companies, car insurance, house insurance, health insurance, etc), to official organisations (driver licencing, Medicare, electoral, organ donor register, etc), to community (Red Cross blood donor, 3RRRFM, etc) and mundane organisations (Costco, etc). And that’s just a fraction of them.

I was thinking that, rather than having to fill in what feels like a million forms and waste time that could be spent being a productive public servant or dad for my kid, why isn’t there a central contact details database that I update once? I’m sure that smarter minds than mine have considered this, but I think an opportunity exists for some organisation (government or private) to do this. In the day and age of ‘over-sharing’, are people still averse to putting their address, phone number and email details into a central database? Login security could be addressed using two-factor authentication, such as used by Google Authenticator, or sending a one-time code via SMS or email.

Many services, such as Twitter and Facebook, are set up to authorise other apps to access them. An example of this is when I used my Facebook account to sign up for Freecycle which operates as a Yahoo Group.  I ‘authorised’ Facebook to talk to Yahoo. I’ve also authorised Twicca on my Android smartphone to talk to my Twitter account.

In the same way, in this theoretical single contact details database, I could let the various companies and organisations that I interact with, access my updated contact details. Maybe they could poll this database once a week to look for updated details. I understand they’d have many different backend CRM systems so there may be some manipulation required, but nothing that’s too hard to fix with a bit of scripting.

I could also remove their access when I cease using their services. If I’m no longer banking with Bank A, then I revoke their access so they can’t find out how to contact me.

Does this sound sensible or silly? If sensible why hasn’t Google or someone done this already?

Hamish Taylor: Idea from BarCamp Canberra #barcampcbr

Fri, 2015-10-23 14:28

Yesterday I went to the second half of BarCamp Canberra 2012 (I was busy in the morning and couldn’t make it).

As per usual for a BarCamp there were many great ideas being discussed. Someone (Craig?) suggested that we all go home and write blog posts about our own great ideas.  So here goes …

My idea is this: to build a website to facilitate the transfer of mobile phone credit from people who have a surplus to people who need it.

My wife and I are currently using Telstra pre-paid and every so often when it gets near the expiry date, if there’s any unused credit we transfer some (or all) of that to the other account. Telstra call this ‘CreditMe2U’ and my understanding is that it can be used on any post- or pre-paid accounts. There’s a few limitations, such as a maximum of $10 per day and some limit per month.

I see the site facilitating someone posting up that they need, say $5 credit. Anyone should be able to do this for any reason. The request could be as little as just a phone number and an amount.

Someone else, who has surplus credit, would transfer them some credit from their account, and then mark that the transaction has happened. This ensures that the requester doesn’t get flooded with credit transfers and multiple people who have surplus credit don’t end up helping just one person. The requester would also not be able to make another request for 24 hours (based on phone number).

I would be reluctant to require people to register for accounts, as I think that would kill it entirely. It should be able to be truly anonymous. I would also be really keen to see that the site is not indexed in any way (robots.txt, archive.org exclusions, etc), so that numbers can’t be linked with requests.

I’m not sure if carriers other than Telstra have this option, but it’s worth investigating.

While there would be obvious ways to ‘game’ this system, and it’s not a fully thought through idea, it could become so with some feedback. So, what do you all think?

Hamish Taylor: Fun with JavaScript!

Fri, 2015-10-23 14:28

Hoping someone can help me with this JavaScript problem. I’m trying to pass an array to a getElementById with the purpose of making multiple cells in the table take the class. I can get it working with one array location but not with more than one. Please help!

<!DOCTYPE html>
<html>
<head>
<title>Title</title>
<script>
function changecolors(redsarray,yellowsarray,greensarray,graysarray)
{
  var redsarray = new Array();
  redsarray[0]='r1_c1';
  //redsarray[1]='r1_c2';
  var yellowsarray = new Array();
  yellowsarray[0]='r2_c1';
  //yellowsarray[1]='r2_c2';
  var greensarray = new Array();
  greensarray[0]='r3_c1';
  //greensarray[1]='r3_c2';
  var graysarray = new Array();
  graysarray[0]='r4_c1';
  //graysarray[1]='r4_c2';
  document.getElementById(redsarray).className='red';
  document.getElementById(yellowsarray).className='yellow';
  document.getElementById(greensarray).className='green';
  document.getElementById(graysarray).className='gray';
}
</script>
<style type="text/css">
.red {background-color:red;}
.yellow {background-color:yellow;}
.green {background-color:green;}
.gray {background-color:gray;}
</style>
</head>
<body>
Content …
<table border="1">
<tr>
<td id="r1_c1">r1_c1</td>
<td id="r1_c2">r1_c2</td>
</tr>
<tr>
<td id="r2_c1">r2_c1</td>
<td id="r2_c2">r2_c2</td>
</tr>
<tr>
<td id="r3_c1">r3_c1</td>
<td id="r3_c2">r3_c2</td>
</tr>
<tr>
<td id="r4_c1">r4_c1</td>
<td id="r4_c2">r4_c2</td>
</tr>
</table>
<button type="button" onclick="changecolors()">Button</button>
</body>
</html>

Hamish Taylor: Follow up: The woeful state of communications in Australia’s capital city

Fri, 2015-10-23 14:28

In January 2011, I posted about my experiences in trying to get an internet connection provisioned at my new home.

I am now posting from our Internode naked DSL connection. To be honest, this has been working for many months, I have been slack in posting this follow up!

The Telstra guy did come back and install the line. But only after we ordered a full phone line, dial tone and all, at around $30/month. Not to mention the $299 installation fee.

After that was installed, Internode activated the ADSL. Even that took multiple calls to get the technicians back to the exchange as things went wrong.

After that was all sorted out, it was then converted to a ‘naked ADSL’ service. Effectively cancelling the dial tone service.

The rampant stupidity of the Australian communications system is truly breathtaking. And expensive. What should have been a very simple thing to get going – a naked ADSL line – proved to be extremely difficult and expensive.

But now we have Internode naked ADSL and NodePhone. Finally.

(As an interesting side note, we retained our Melbourne based phone NodePhone (VoIP) number. When the Mitchell chemical fire occurred the other day and half of Canberra was on alert, we received a call on the VoIP number, as it is registered at this address. Both mine and my wife’s mobile phones are through Optus, also registered at this address and didn’t get an SMS or call. Either the emergency alerting system or Optus messed up there. I’d be guessing the latter.)

Unfortunately, we are so far away from the exchange that we only get around 500 KB a second (half a MB a second). Back in Melbourne, close to the exchange, I was getting 2.2 MB a second, so around four times faster.

But at least we have it.

OpenSTEM: Mirobot v2 Robotics Kits and Soldering Kits Available

Thu, 2015-10-22 18:30

The Mirobot v2 logo turtle robotics kits will be here shortly. These are the updated version of the kits we have been using at primary schools (year 4-6) this year in our Robotics and Programming workshops. The new model doesn’t require little pegs any more, the structure now holds itself together with a beautifully designed slot mechanism. Kudos to Ben Pirt for an awesome design!

The robot frames are made of lasercut MDF, and the circuit board is Arduino controlled. All aspects of the design are open and available. The robot can be used to draw, but now also comes with bump sensors and line following capabilities. Communication is through wifi over a raw or web socket. There are a number of programming and control options, from Scratch-style visual systems to a brand new Python library!

By default the v2 comes with a pre-soldered circuit board, but especially for OpenSTEM Ben is offering a non-soldered PCB so we can continue doing the soldering part with classes also. We have found this to be both a great enabler for students, as well as teach that people can build things almost from scratch. But you choose… we keep both the soldered and un-soldered kits. Either way, this is a great project to do with your kids at home, quite a few parents of students that do our workshops also continue in this way.

If you order now, we’ll still be able to include you in the first shipment!

Now for Electronics Soldering! If you or your children want to also do some soldering but don’t have the necessary tools yet, we now have sets available. We assemble our own classroom soldering kits ourselves from a number of sources, as sets found in shops have flimsy or awkward stands. We use a solid steel stand, that also features a wire cleaning ball – this works much better than a wet sponge and it is much easier to maintain. We also include a number of other useful items.

You can order the soldering kit together with a Mirobot kit, or on its own.

Shipping of orders including Mirobots will be in November. This is likely to be our final Mirobot order this side of Christmas, so we do recommend you order now if you want to have the kit available over the holidays.

James Morris: LSM Mailing List Being Archived Again

Thu, 2015-10-22 16:27

Several folks noticed that all of the known LSM mailing list archives stopped archiving earlier this year.  We don’t know why and generally have not had any luck contacting the owners of several archives, including marc and gmane.  This is a concern, because the list is generally where Linux kernel security takes place and it’s important to have a public record of it.

The good news is that Paul Moore was finally able to re-register the list with mail-archive.com, and there is once again an active archive here: http://www.mail-archive.com/linux-security-module@vger.kernel.org/

Please update any links you may have!

David Rowe: Modems for VHF Digital Voice

Thu, 2015-10-22 12:30

I’ve been thinking about modems for a VHF FreeDV mode. The right waveform and a good demodulator is the key to high performance. However it would be nice to make some re-use of existing FM VHF radios. So is it possible to come up with a waveform that can pass through legacy FM radios, but also be optimally demodulated with a SDR?

My first guess was that the problem with legacy radios is the 300Hz High Pass (HP) filtering. So I came up with a waveform which has no DC. Brady pointed out this was Manchester Encoding (ME), used in all sorts of applications for just this problem. Each data bit is Manchester encoded to two bits, so a 2400 bit/s bit-stream becomes a 4800 bit/s bit-stream that is then 2FSK modulated. Turns out the ME-2FSK signal doesn’t have much low frequency energy so passes happily through the audio pass band filtering of regular FM radios.

Here is a block diagram of the idea. We have the option to demodulate the signal using a legacy analog radio or, with higher performance, an optimal FSK demod:

This is what the spectrum of the ME-2FSK looks like at the output of the analog FM demodulator before high pass filtering. Notice how there is not much energy beneath 300Hz? So we are not going to lose much due to the 300Hz HP filter.

Here are the time domain modem signals before and after the 300Hz High Pass filter. Pretty similar.

The ME-2FSK scheme works OK in my simulation, so I think it’s possible to squirt 2400 bit/s through a $40 HT with acceptable modem performance using 2FSK. This means we can do VHF FreeDV using your laptop/SM1000 and a $40 radio, and it will work just as well as existing VHF DV modes, and even pass through analog repeaters.

Real gold would be a way to send 4FSK through a HT, that (if you have a SDR) can be optimally decoded at a much lower Eb/No. Unfortunately I couldn’t work out how to do that. For optimal 4FSK you need the tones spaced at the symbol rate Rs. This means -1.5Rs, -0.5Rs, 0.5Rs, 1.5Rs, which won’t fit into 5kHz deviation with Rs=4800. So how about Rs=2400? Well when I tried Rs=2400 through the FM demod the modem appears to be 3dB worse than Rs=4800. I’m not sure why. Possibly deviation, as I get the same results with the 300Hz HP filter removed. Or maybe I messed up the simulation. Oh Well. Working backwards, this suggests one reason the ME 2FSK waveform works so well at Rs=4800 is greater deviation.

Moving to the optimal 4FSK demod approach, here are the outputs of each filter from an optimal 4FSK demod. The pretty colours represent the different filter outputs. The lower plot is the decimated filter outputs, after sampling at the ideal timing instant.

I’m inclined to use both 4FSK and ME-2FSK. We could run ME-2FSK on links with legacy radios and 4FSK on SDRs that support optimal demodulation. That 6dB Eb/No for optimal 4FSK, combined with Codec 2 running at a lower rate, is a huge gain over current analog and DV systems.

Summary of Candidate VHF Waveforms

I’ve now played with quite a few modem waveforms, and have compared them in the table below. Eb/No is for a BER of 2%, which is roughly where Digital Voice codecs fall over. There are two Eb/No figures, one for an ideal demodulator, the other when using a demod that works through a legacy FM analog radio.

Waveform | Eb/No (ideal) | Eb/No (FM) | Comment | Read More
---------|---------------|------------|---------|----------
PSK | 3.0 | na | requires linear PA, complex coherent demod |
GMSK | 5.0 | 9.0 | requires “data” port, complex coherent demod | [1] [2]
4FSK | 6.0 | na | simple demod, good fading |
ME-2FSK | 8.5 | 12.0 | simple demod, good fading, $40 HT! |
DMR 4FSK | na | 11.0 | standardised | [3]
AFSK-FM | na | 16.0 | As used in APRS | [4]

The complexity of the demods required for coherent PSK and GMSK is not a show stopper, as we only have to write GPL modem code once. However coherent demodulation means other sources of “implementation loss” such as phase recovery that make the ideal performance hard to achieve. Non-coherent mFSK is rather simple in comparison, we just need a fine timing estimator. Less to go wrong. No phase estimation means fading will have less impact than coherent PSK/GMSK. Fine frequency offsets won’t bother us. mFSK is, however less bandwidth efficient.

GMSK coherently demodulated or through a legacy FM radio looks pretty good, but does require a “data port” with unfiltered access to the FM modem. So no $40 HTs.

Note the distinction between ideal non-coherent 4FSK, and the 4FSK modem used by DMR and similar Digital Voice modes like C4FSK. The latter are not optimal waveforms, and in our simulations under-perform by around 6dB. We can’t find any explanation of why these waveforms were chosen for DMR or C4FM. I am guessing that they have been developed with the specific use of legacy FM radio architectures or reduced RF bandwidth in mind.

Running the simulation

I set up a bunch of simulations of various combinations so they all have about 2% BER:



octave:224> mancyfsk

Rs=4800 2FSK ideal demod

  EbNodB: 8.5 BER 0.023

Rs=4800 2FSK analog FM demod, not too shabby and pushes 2400bit/s thru a $40 HT!

  EbNodB: 12.0 BER 0.021

Rs=2400 2FSK analog FM demod, needs more power for same BER!  Che?

  EbNodB: 15.0 BER 0.027

Hmm, doesnt improve with no 300Hz HPF, maybe due to less deviation?

  EbNodB: 15.0 BER 0.027

Rs=2400 4FSK ideal demod, nice low Eb/No!

  EbNodB: 6.0 BER 0.025

Further Work

It would be great to test the work above in the real world, for example get the ME-2FSK modem software into a form that we can do calibrated noise (or MDS) tests on a real FM radio.
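
The Manchester Encoding argument in the VHF modem post above (each 2400 bit/s data bit becomes two symbols at 4800 symbol/s, leaving little energy under the 300Hz high pass filter) can be checked numerically. The following is an added example, not David Rowe's simulation code. It assumes ideal rectangular ±1 pulses standing in for the FM demodulator output, a PRBS9 test pattern, a 19200 Hz sample rate, and a 1 → (1, 0) polarity convention, none of which come from the post.

```python
import cmath
import math

BIT_RATE = 2400          # data bits per second, from the post
SAMPLES_PER_BIT = 8      # assumption: gives a 19200 Hz sample rate
FS = BIT_RATE * SAMPLES_PER_BIT


def prbs9(n_bits=511):
    """Deterministic test bits from a 9-bit LFSR (period 511)."""
    state, out = 0x1FF, []
    for _ in range(n_bits):
        bit = ((state >> 8) ^ (state >> 4)) & 1
        state = ((state << 1) | bit) & 0x1FF
        out.append(bit)
    return out


def manchester_encode(bits):
    """Each data bit becomes two half-bit symbols: 1 -> (1, 0), 0 -> (0, 1)."""
    out = []
    for b in bits:
        out += [1, 0] if b else [0, 1]
    return out


def manchester_decode(symbols):
    """Inverse of manchester_encode; (0, 0) and (1, 1) are invalid pairs."""
    if len(symbols) % 2:
        raise ValueError("odd number of symbols")
    bits = []
    for a, b in zip(symbols[0::2], symbols[1::2]):
        if a == b:
            raise ValueError("invalid Manchester pair")
        bits.append(a)
    return bits


def to_waveform(symbols, samples_per_symbol):
    """Rectangular +/-1 pulses (assumed ideal FM demodulator output)."""
    return [1.0 if s else -1.0 for s in symbols for _ in range(samples_per_symbol)]


def fraction_below(samples, fs, cutoff_hz):
    """Fraction of signal energy in DFT bins below cutoff_hz."""
    n = len(samples)
    total = n * sum(s * s for s in samples)   # Parseval: sum of |X[k]|^2
    low, k = 0.0, 0
    while k * fs / n < cutoff_hz:
        step = -2j * math.pi * k / n
        xk = sum(s * cmath.exp(step * i) for i, s in enumerate(samples))
        low += abs(xk) ** 2 * (1 if k == 0 else 2)   # count +f and -f bins
        k += 1
    return low / total


def compare(cutoff_hz=300):
    """Return (NRZ fraction, Manchester fraction) of energy below cutoff_hz."""
    bits = prbs9()
    nrz = to_waveform(bits, SAMPLES_PER_BIT)
    me = to_waveform(manchester_encode(bits), SAMPLES_PER_BIT // 2)
    return fraction_below(nrz, FS, cutoff_hz), fraction_below(me, FS, cutoff_hz)


if __name__ == "__main__":
    nrz_frac, me_frac = compare()
    print(f"NRZ 2400 bit/s:        {nrz_frac:.1%} of energy below 300 Hz")
    print(f"Manchester 4800 sym/s: {me_frac:.1%} of energy below 300 Hz")
```

Plain NRZ at 2400 bit/s puts roughly a quarter of its energy below 300 Hz, while the Manchester-encoded stream puts well under one percent there.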