Latest Blog Entries

Article posted on Jan 7

When exactly did I become an adult?

  • Posted by Ryan Finnie on January 7, 2012, 12:59 am

2011 was an interesting year, tax-wise. And by "interesting", I mean there is now a large sign on my back yelling "audit me". I went from filing a 1040EZ every year to starting a company that was originally designed to be a wrapper around a few hundred dollars in Google Adsense revenue, but inexplicably became a bona fide consulting company. 1099s, business expenses, travel expenses, home office square footage deductions, self-employment tax, etc, etc. And that's on top of the two actual employers I worked for during parts of the year. I'll be owing, big time. (Hypothetical IRS: "Why weren't you making scheduled anticipated tax payments like a good little business taxpayer?" Me: "Hey, it surprised me as much as it did you.")

An actual conversation with a tax advisor in November:

"Do you have any employees?"
"My company's logo is a dinosaur riding an atomic bomb, Slim Pickens style."
"So, no then."


Article posted on Dec 26

Quick tip: Pythagoras for the lazy

  • Posted by Ryan Finnie on December 26, 2011, 7:30 pm

I occasionally plug this into Wolfram Alpha:

a^2+b^2=c^2, a/b=16/9, c=27

Click the "approximate forms" solution to get the width and height (a and b) for a rectangle where you know the diagonal (c) and the ratio (16/9). a or b can be specified at the end instead of c if you know the width or height.

I most often use this when I need to get the physical width and height of a monitor panel that I know the diagonal size of (since nearly all monitors are advertised by their diagonal panel size). With that information and the resolution, you can figure out the physical DPI of the monitor. (Not to be confused with the effective DPI of the operating system, which is used for things like converting font points and ems to pixels, and is usually independent of the monitor's size and resolution: 96 DPI for Windows, 72 DPI for Mac OS, and 75 or 100 DPI for X11 historically, though many Linux distros are preset to 96 DPI today.)


Article posted on Dec 24

2ping 1.2 released

  • Posted by Ryan Finnie on December 24, 2011, 1:32 am

2ping 1.2 has been released, adding ping-style mdev/ewma statistics:

  • Added exponentially-weighted moving average (ewma) and moving standard deviation (mdev) statistics to the summary display

2ping is a bi-directional ping utility. It uses 3-way pings (akin to TCP SYN, SYN/ACK, ACK) and after-the-fact state comparison between a 2ping listener and a 2ping client to determine which direction packet loss occurs.

  • Tags: 2ping

Article posted on Nov 24

Reno Charter QAM channels

  • Posted by Ryan Finnie on November 24, 2011, 8:51 pm

Today I hooked up my cable line to my TV to see if clear QAM is still available on my account (it is), due to wanting to watch today's NFL game on CBS, since the owner of the local CBS station (KTVN) and Dish Network are currently in the middle of a bitter dispute, and KTVN is currently not available on Dish.

After the game, I spent some time poking around, figuring out which channel was which by cross-referencing guide data. I've compiled a complete list of clear QAM channels on Charter, as well as the channel ID map to the Zap2It guide list. I used to do this when I had a Windows Media Center with an HDHomeRun; hopefully it'll be useful to others.

This list is current as of 2011-12-22, and is subject to change. Also, if you can figure out what Charter Digital channel the ShopNBC channel maps to, let me know so I can update it. It was the only channel I wasn't able to figure out.

Update (2011-12-22): The major network stations have moved to their "traditional" locations. They also have Charter-provided descriptive IDs in the form KXXX_HD. I'm not sure if they're doing ATSC-style virtual remapping from their old QAM locations (and my TV isn't telling me), or perhaps they've gone all digital and have actually moved them down into the lower channels. Either seems likely. I've retained the old QAM channel, just in case they are virtual remaps. Also, KRNSCA (CW), QVC and TBSP have appeared on the 78 channel.

002-001 HD KTVNDT (KTVN_HD) (was 105-195)
004-001 HD KRNVDT (KRNV_HD) (was 090-187)
005-001 HD KNPBDT (KNPB_HD) (was 090-185)
008-001 HD KOLODT (KOLO_HD) (was 105-193)
011-001 HD KRXIDT (KRXI_HD) (was 100-205)
078-245 SD KRNSCA
078-250 SD QVC
078-254 SD TBSP
087-236 SD KAME
087-237 SD KRXI
087-244 SD TWC
090-184 SD KNPBDT2
090-186 SD KNPBDT3
090-189 SD KRNVDT2
091-212 HD KRENDT
092-340 SD IONSATP
100-300 SD KRXIDT2
101-022 SD (Charter guide overlay)
101-369 SD KRRILP
103-267 SD KNVVLP
103-269 SD K52FF
103-274 SD (ShopNBC)
103-292 SD RENO
103-293 SD SPARKS
103-295 SD LOOR216
103-296 SD TMLC
104-190 HD KAMEDT
104-207 SD KAMEDT2
105-194 SD KOLODT2
105-196 SD KTVNDT2
111-381 HD TWCHD
117-127 SD (Charter PPV preview)
127-283 SD TVGNP
127-297 SD WASHO


Article posted on Sep 25

Introducing twuewand

  • Posted by Ryan Finnie on September 25, 2011, 3:26 pm

twuewand is a true hardware random number generator, written in about a hundred lines of Perl.

No, really.

You can stop laughing now.

First, a little history. This is greatly simplified, and specific to Linux, but the concepts are somewhat universal. Linux has three entropy pools. The first is a hidden, primary entropy pool that directly or indirectly receives entropy from several main sources, described later.

The secondary pool feeds from the primary pool, and is used to drive /dev/random. /dev/random is blocking, meaning if both the primary and secondary entropy pool exhaust, reads from /dev/random block until more entropy is generated.

The third pool is the urandom pool, and functions almost exactly as the secondary pool, but drives /dev/urandom. The key difference is while the urandom pool can draw from the primary pool, it can also reuse entropy to avoid blocking in the case of pool exhaustion.

Now, entropy is gathered from several sources to directly feed the primary pool: keyboard and mouse timings, interrupts, disk activity, and entropy fed back from the other two pools, directly or indirectly. However, consider a server. Most of the time it receives no keyboard or mouse activity, and the interrupts and disk activity are theoretically predictable. But the primary pool can also be influenced by writing to the other pools, and modern Linux distributions take advantage of this. Upon shutdown, a number of bytes are read from /dev/urandom (usually 4096 today) and written to a state file. When the computer is booted again, the OS reads this file and writes the bytes back to /dev/urandom. This isn't exactly completely restoring the state pre-shutdown; remember there are other sources of entropy (including the disk activity needed to read the file), so writing the same 4096 bytes back to the urandom pool merely influences the urandom pool and the primary pool, resulting in entropy that is unpredictable from boot to boot.

Now, consider a LiveCD or a diskless workstation. Without the ability to introduce dynamic entropy from a previous session, the predictability increases a lot. If the computer had a hardware random number generator, we wouldn't have this problem. The hardware RNG could be queried directly, or it could be used to influence a pseudo RNG like the system Linux uses. But very few computers have hardware RNGs, and almost zero consumer-level computers do.

Or do they? Every computer actually has two hardware random number generators, which can be combined to get a stream of random numbers. They are the CPU itself and the real-time clock (RTC).

twuewand is an implementation of truerand, which was first invented in 1995 by D. P. Mitchell. It relies on the fact that the CPU and RTC are physically separate clocked devices, and therefore time and work are not linked. twuewand's operation is very simple. It sets an alarm for sometime in the future (by default 4 milliseconds, as determined by the RTC), and then starts flipping a bit between 0 and 1 (work performed by the CPU). When the alarm is reached, the bit is taken. Voilà, random bit. It then repeats this process for as many bytes as needed.

This process produces a stream of truly random bits. An attacker can alter the amount of work performed by the CPU by introducing his own work during the same time period, but it still does not affect the output in a predictable way. However, this stream is still prone to bias. So after a certain number of bytes are collected, it is run through a cryptographic hash digest, by default SHA512, or MD5 if Digest::SHA is not installed. The hashed data is then output. This "whitens" the data, hopefully decreasing bias while retaining randomness.
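The flip-until-the-clock-fires loop and the hash whitening step described above, as an added Python example; it is not twuewand's own Perl code. It polls a monotonic clock deadline in place of an alarm signal, and the function names, the `block` parameter and the rule of hashing at least as many raw bytes as are emitted are assumptions of this example.

```python
import hashlib
import time


def raw_bit(interval=0.004):
    """One raw bit: flip a bit (CPU work) until the clock deadline passes."""
    deadline = time.perf_counter() + interval
    bit = 0
    while time.perf_counter() < deadline:
        bit ^= 1
    return bit  # whichever value the bit held when time ran out


def raw_bytes(count, interval=0.004):
    """Pack raw bits, most significant first; this stream can be biased."""
    out = bytearray()
    for _ in range(count):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | raw_bit(interval)
        out.append(byte)
    return bytes(out)


def ones_fraction(data):
    """Fraction of 1 bits in data; 0.5 means no first-order bias."""
    if not data:
        raise ValueError("need at least one byte")
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def whiten(raw):
    """SHA-512 spreads the input's entropy over the digest; it adds none."""
    return hashlib.sha512(raw).digest()


def generate(nbytes, interval=0.004, block=64):
    """Return nbytes of whitened output.

    Assumption of this example: each SHA-512 digest (64 bytes) is fed at
    least as many raw bytes as are taken from it, so the output never
    claims more bits than were sampled.
    """
    if not 1 <= block <= hashlib.sha512().digest_size:
        raise ValueError("block must be 1..64")
    out = bytearray()
    while len(out) < nbytes:
        take = min(block, nbytes - len(out))
        out += whiten(raw_bytes(take, interval))[:take]
    return bytes(out)


if __name__ == "__main__":
    sample = raw_bytes(16)
    print("raw ones fraction:", ones_fraction(sample))
    print("whitened:", generate(16).hex())
```

Comparing `ones_fraction` on the raw and whitened streams shows the bias the hash hides; the hash does not increase the entropy that was sampled.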

twuewand could be used as a primary source of random data, but its primary purpose is intended to be an entropy pool seed. In Linux, you would execute:

twuewand $(cat /proc/sys/kernel/random/poolsize) >/dev/urandom

I wrote twuewand a few weeks ago when I first learned of truerand. truerand is an interesting concept, but it's actually almost never used in the real world anymore. The reason it was invented was to add another source of entropy to entropy pools, but the discovery of the benefits of saving pool data to reintroduce after reboot mostly made it unnecessary. But remember, this source is not available to LiveCDs and diskless workstations. I wrote twuewand for use by Finnix during startup, but hit a major snag. Namely, it's slow. Each bit takes a minimum of 4ms to generate, and that adds up. Generating 4096 bytes takes over 2 minutes. So I'm not going to have Finnix run it during startup, at least not for the full 4096 byte pool size. Perhaps 8 bytes by default, which will take a little over a quarter of a second. It's not as cryptographically secure as filling the entire pool, but it's better than nothing. Either way, twuewand will at least be available in the next version of Finnix if you desire to use it.

(If you don't get the "twuewand" name reference, go watch The Princess Bride.)


Article posted on Aug 22

ThinkPad X200s, one year follow-up

  • Posted by Ryan Finnie on August 22, 2011, 12:05 am

A year ago, I bought a Lenovo ThinkPad X200s. I boldly proclaimed that it's the best laptop I've ever used, much better than the X61, and combining all the features of a T60 and an X-series subnotebook.

So what's changed in the last year? Absolutely nothing. No plastic has chipped off, all of the LRF (little rubber feet) are still attached, the keyboard is still fully functional, the hinge is still solid, and it's just as tight as when I bought it. The only damage is that the palmrest ThinkPad logo has separated its layers, leaving just the silver backing (which is still on amazingly tight). And this is despite the extra torture it received. I did a lot of traveling in the last year, and it's always come with me.

I've got a keeper.

(The Ubuntu sticker hasn't fared as well, but admittedly that is aftermarket.)


Article posted on Aug 20

Prius update

  • Posted by Ryan Finnie on August 20, 2011, 6:40 pm

A few weeks after I installed a tow hitch on my 2009 Toyota Prius earlier this year, I went down to southern California to go camping in the Mojave desert and the tow hitch became handy. Close to our site, I got stuck in a sand dune. Thankfully a truck was nearby (our camp was mostly comprised of Burners, and we treat the outing as a mini Burning Man in the spring, but the area is also frequented by motocross bike and quad riders due to the trails), and they looped a tow chain around my tow bar and easily pulled me back to stable ground.

Earlier this month I replaced my tires. The OEM tires on the GenII Prius (Goodyear Integrity) were better than the GenI (Bridgestone Potenza RE92, which would pop if you looked at them funny), but I was disappointed at only getting 25,000 miles out of them. I replaced them with Yokohama Avid Touring-S tires, and I'm very pleased with them so far. Handling is noticeably improved, the tires don't squeal as bad on coated paint (Reno covers its road paint with a protective coating to increase life, much like the paint you would use to cover a garage floor), and gas mileage is about the same as before.

Today I added the trailer wiring harness to my car (T-One 118505). I bought it shortly after I got the trailer hitch, but it's been sitting uninstalled in the back of my car until today. Installation was easy, and required a socket wrench set, a thin flathead screwdriver, some velcro to mount the wiring box, and some electrical tape to attach the wire runs to existing wire runs. I routed the trailer wiring plug under the spare tire, through a rubber grommet at the bottom of the well, and zip tied it above the hitch with a little slack. You can't even see it unless you take it out.

One word of advice: Do not follow the instructions provided by the wiring kit and try to disconnect the negative terminal of the (12v accessory) battery. On the GenII Prius, it's not meant to be done this way. Instead, there are two snap-out harness locks that connect the car's components to the battery. Undo those instead. Then continue to follow the instructions: ground the white wire of the wiring harness kit to the appropriate ground screw, take the red plastic cover off the top of the positive terminal of the 12v battery, unscrew the accessory terminal mount, remove the fuse from the wiring harness kit, attach the yellow wire to the accessory terminal mount, and re-insert the fuse. Then you may reattach the snap-out harnesses to the battery.

Again, I don't plan on actually towing with the Prius, but having the wiring mount is nice to have, just in case. I also bought a trailer wiring test plug (a small device that plugs into the wiring mount and has several LEDs corresponding to left turn, right turn and brake) to make sure installation was done correctly.


Article posted on Aug 13

Mobile Rickroll Appliance 6.0 released

  • Posted by Ryan Finnie on August 13, 2011, 1:56 pm

Last week, I attended Defcon 19 in Las Vegas. This year was a pretty good year. It was held at the Rio which was not without problems, but the hotel rooms were nice, the conference space was much larger than any previous year, and overall it was a much better experience than the Riviera from the last few years.

At the last minute before I left for Vegas, I found and revived the Mobile Rickroll Appliance 6.0. The MRRA 6.0 is something I created in 2008, modifying a WRT54GS running OpenWRT with some custom iptables and dnsmasq configuration to make a self-contained Rickrolling platform. The result was hilarious:

(Since then, the sped-up Rickroll video has been replaced with a normal speed one, but otherwise the functionality is exactly the same.)

This year I re-flashed my WRT54GS and took it to Defcon. Before the conference began, I headed to Fry's and picked up a 7.2 Ah 12v battery (the narrow kind used in some UPSes) and various cables and adapters to go from alligator clips on the battery side to the barrel plug on the WRT. The result was a truly mobile (though heavy) Rickroll appliance that could be stored in my backpack.

That Friday morning, I took it to the opening ceremony and talks. At home, the ESSID was "Common Area", but for Defcon I named it "cellshare", to make it look like someone had mobile hotspot enabled on their phone. The MRRA 6.0 is configured so when someone is Rickroll'd, the big front status light will flash for 5 seconds, then turn solid orange, giving me a quick status indicator. This is done by a web bug CGI on the HTML page, which also logs the time since boot (the WRT doesn't have a battery-saved RTC and the MRRA 6.0 doesn't have internet access, so real time is not possible), the HTTP user agent and the HTTP referer (which in this case is what the victim was originally trying to go to).

Over the next 3 hours, I managed to Rickroll over 100 people! Most victims were iPhone users. On the plus side, the way iOS checks for captive portal support, the Rickroll web page will pop up immediately upon association with the AP; they don't even have to open Safari. The downside is the MRRA 6.0 uses FLV, and the iPhone doesn't support Flash, so all they see is a big box and a message saying they've been Rickroll'd. Future releases may use some sort of MP4 solution.

Of the remaining victims, most were laptop users. Most of them were Windows 7 running IE, though a large minority were OS X (you tend to see a lot of Macs at Defcon). Of the sites people tried to visit, cnn.com was the most popular, followed by google.com, facebook.com and apple.com.

Sadly, the battery pack only worked for just over 3 hours. The battery had a capacity of 7.2 Ah @ 12v, and the WRT lists a draw of 1000 mA, so I was expecting a life of at least 7.2 hours (hopefully longer, since I was guessing the 1000 mA figure was max draw, not typical). After 3 hours, the WRT just stopped powering on. The small LED on the barrel plug adapter was still lighting up, but the WRT just would not work unless I was using the wall wart. I suspect it was one of two things. I made no attempt to charge the sealed lead acid battery after buying it from Fry's, so I have no idea what its current capacity was. That possibly combined with a small voltage drop as the battery discharges may have created a voltage that was low enough the WRT didn't like, but still enough to power the barrel plug adapter's status LED. Despite this being Defcon, nobody in our group had a multimeter handy.

Still, I consider the project a success. If you were at any of the first three talks on Friday and got Rickroll'd after associating with "cellshare", I'd like to hear from you!

This weekend I took my original code, modified it for current OpenWRT (the OpenWRT on my WRT was from 2008), re-rendered the Rickroll video to fit on a 4MB WRT device (the original code would only fit on an 8MB WRT -- WRTSL54GS or early WRT54GD -- which are uncommon), and packaged it up. That's right, now you can build your very own Mobile Rickroll Appliance 6.0! Download the tarball, extract, and read the README, which will give you all the info you need to get set up.


Article posted on Jul 27

rsnapshot

  • Posted by Ryan Finnie on July 27, 2011, 9:59 pm

At my former employer, we had an in-house backup system for backing up Unix servers. It was called speede, and it offered a much better way of maintaining disaster recovery backups than other methods such as tape. Multiple snapshots were taken, by taking the old snapshot, copying it to the new snapshot using hardlinks, and running rsync from the backed up host to the new snapshot. Since rsync works (by default) by copying changed files to a temp file, deleting the old destination file and moving the temp file into place, it cleanly breaks the hardlink without affecting the data in the old inode. The net result is you have multiple snapshot directories that look like completely independent directory trees, but are space efficient since the majority of the files share the same inodes between snapshots. If you have 200MB of data in snapshot 1 and 5MB of files change between snapshot 1 and snapshot 2, only 205MB is stored on disk.

(Apple uses the same type of process for Time Machine, by the way.)
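The hardlink-then-replace mechanism described above, as an added Python example; it is not speede or rsnapshot code, and the snapshot names and file contents are constructed. It also covers the failure mode: a file overwritten in place, as rsync's `--inplace` option does, changes in every snapshot that shares its inode.

```python
import os
import tempfile


def link_copy(src, dst):
    """Recreate src's directory tree under dst, hard-linking every file."""
    for root, _dirs, files in os.walk(src):
        target = os.path.normpath(os.path.join(dst, os.path.relpath(root, src)))
        os.makedirs(target, exist_ok=True)
        for name in files:
            os.link(os.path.join(root, name), os.path.join(target, name))


def replace_via_temp(path, data):
    """rsync's default update: write a temp file, then rename it into place."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)  # path now names a new inode; the old one is intact


def overwrite_in_place(path, data):
    """Write into the existing inode, as rsync --inplace would."""
    with open(path, "r+b") as fh:
        fh.write(data)
        fh.truncate()


def read(path):
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Build two constructed snapshots and report what each update did."""
    with tempfile.TemporaryDirectory() as base:
        old = os.path.join(base, "snapshot-1")
        new = os.path.join(base, "snapshot-2")
        os.makedirs(os.path.join(old, "etc"))
        for name, data in (("hosts", b"hosts v1\n"), ("motd", b"motd v1\n")):
            with open(os.path.join(old, "etc", name), "wb") as fh:
                fh.write(data)

        link_copy(old, new)
        shared = os.stat(os.path.join(new, "etc", "hosts")).st_nlink

        replace_via_temp(os.path.join(new, "etc", "hosts"), b"hosts v2\n")
        overwrite_in_place(os.path.join(new, "etc", "motd"), b"motd v2\n")

        def same_inode(name):
            a = os.stat(os.path.join(old, "etc", name))
            b = os.stat(os.path.join(new, "etc", name))
            return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)

        return {
            "links_after_copy": shared,
            "hosts_shared": same_inode("hosts"),
            "motd_shared": same_inode("motd"),
            "old_hosts": read(os.path.join(old, "etc", "hosts")),
            "old_motd": read(os.path.join(old, "etc", "motd")),
        }
```

In the result, `old_hosts` still holds the first version while `old_motd` has silently become the second, which is why in-place updates are unsafe for hardlinked snapshot trees.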

speede was started sometime in 2002. I started at the company in 2004, and took over development of it in early 2005. Over the next 6 years, a lot was added, such as run concurrency, more granular options, etc. It was an awesome system. We even planned on releasing it in 2009 as open source, but company politics put an end to that in the 11th hour (we were in the process of getting acquired by another company at the time).

After that, I decided to do a semi-cleanroom re-coding of it and release that instead, calling it bahlgs ("Backups Are Hard, Let's Go Shopping!"). Unfortunately, that became one of my "90% done, just need to finish the other 90%" projects, and it was never released.

I had heard about rsnapshot a while ago, which did nearly the same thing as speede. But I never looked much into it, since we had an elegant system that did exactly what we needed.

I ran an early dev copy of bahlgs on my home router / server, backing up a few home servers, my colo box, my Linode, etc. Today I upgraded my home server, using it as an excuse to reinstall the OS at the same time. Rather than setting up that copy of bahlgs again, I decided to take a better look at rsnapshot.

It seems to be pretty decent, and would be capable of functioning as a replacement for my home backup system. But at the same time I was thinking back to my previous employer, where I maintained a datacenter of approximately 150 servers. And I realized that rsnapshot wouldn't have worked for that use:

speede created snapshot directories in the format snapshot-YYYYMMDD-HHMM, with a symlink from current to the latest snapshot. rsnapshot uses a format like daily.0, where "daily" is the type of snapshot and "0" is an incrementing integer, with 0 always being the most current. That avoids the need for a "current" symlink, but makes it harder to see what dates correspond to which snapshots.

speede had hardcoded logic for the last N daily backups, plus the first snapshot of the month. It's something I wanted to make more configurable, but it served our backup needs. rsnapshot allows for a configurable number of hourly/daily/weekly/monthly snapshots, which is more configurable, but the runs are not connected to each other. That is, if I choose to do daily and monthly snapshots, the backup is run twice on the day the monthly snapshots are run.

speede had concurrency support, allowing for a maximum number of concurrent rsyncs (6 by default), and hosts could be placed into concurrency groups with separate concurrency limits for them. For example, limit group "vmhost5" to 2 concurrent rsyncs, since if all 6 runs happened to be against guests of VM Host #5, it would impact all guests on the host.

rsnapshot seems to have no concurrency support. That would be a killer for my old employer, where we had three backup servers, each running 6 concurrent rsyncs, backing up about 150 servers, and it would still take about 8 hours each night. This can be partially mitigated in rsnapshot by using multiple configuration files and dividing the servers up into multiple cron runs done concurrently, but speede was smarter and used a queue system so one large backup wouldn't hold up others.

I'm definitely not putting down rsnapshot. It seems very useful, and even has features that would have been nice for speede, except I never got around to coding them into speede myself (such as pre/post per-backup scripts). But again, I'm not lamenting not taking a look at rsnapshot when I was with my old employer, since the lack of concurrency support would have been a deal breaker.

Both speede and rsnapshot are coded in Perl, so I may look into adding the "missing" functionality myself, and submitting it upstream. But for now, I think I'll install rsnapshot at home.


Article posted on Jul 3

My four year old TV

  • Posted by Ryan Finnie on July 3, 2011, 7:49 pm


The 4-year extended warranty on my 37" LCD TV expired in February, which is actually somewhat of a relief. See, the manufacturer (Olevia) and retailer (CompUSA) are both out of business, and the extended warranty was through CompUSA. They sold the contracts to a third party, and probably by now they've been sold yet again. So I'd have to find out who holds the contract, contact them, wrestle with a mismatched serial number (it broke a month after I bought it, so I had to send it to the manufacturer, who replaced it -- the replacement has worked fine since then), and box it up and ship it somewhere (as opposed to taking it to CompUSA if they were still in business).

Now with the warranty expired, if it dies I can simply grumble and buy a new one. That being said, I have no desire to replace it. 4 years ago, it was a steal at $800, when similar models were easily double that. Today, a similar model is probably less than half that. But it works fine, does the job, oh, and the color matches my TV stand.

