Archive for the ‘General’ Category

Visiting the UK

Friday, July 25th, 2008

So the cat’s out of the bag, and since I’m no longer able to surprise my mother with my impending visit, I might as well let everyone know that I’m visiting for a few days next week. I’ll be around on and off between August 1-14.

I’m in the country on business but I also have weekend plans. These include potentially hiking Ben Nevis, and swinging by London, Cambridge, Reading, Winchester, the Isle of Wight, and a few other places. I will start harassing people about meeting up, but in the meantime, feel free to harass me via email if you’re around. It’s also quite possible that I’ll ditch the UK a few days into my second week and spend a day or two in another European country – Ireland is on the list, but so is France, or Belgium, or Germany, or a few other places.

Jon.

Brave New Jon – Animoto Video

Sunday, July 13th, 2008

So I’ve been playing around with Animoto recently, and thought I’d make a video showing some of my escapades over the past 1 year, 2 months, and 28 days since Project Brave New Jon officially commenced.

Brave New Jon started over a girl, but it turned into a giant self re-invention exercise that has seen me go from an inactive size 38″ to a size 29″, and turn into a hiker, climber, and many countless other things that I’ve done over the past year or so of my life. But now may be the time for me to finally accept that the reason for BNJ – the girl involved – is really gone. It’s sad that she’ll never really know what I did over how I felt about her, but that’s life. I wish I knew why it ended, but I’m clearly not supposed to ever know.

High Resolution version: Brave New Jon

Jon.

Stupid Apple iPhone 2.0

Friday, July 11th, 2008

So Apple released the 2.0 iPhone update today…yada yada yada…where’s the Terminal App in the App Store? Where are /any/ useful apps?

Now, before you tell me “but you could just write one and add it to the store” – really? If that’s the case, then where are the countless other apps that have already been written to tweak the iPhone, run a terminal, get remote SSH access, and the like? I suspect Apple has no interest in graciously allowing people to actually use the iPhone like that. Or am I wrong?

This is annoying, but until the App Store has something useful in it, I think I actually have to keep my existing iPhone on a 1.1.3 release. I just hope someone is able to convince King Jobs to add a terminal, or more likely, there’s a crack released for 2.0 that makes it actually useful.

Jon.

My Mazda Miata MX-5 – One year on…

Thursday, July 3rd, 2008

Photos: A year with my Mazda MX-5.

So, this time last year, I was fairly pissed off with the world (mostly over a particular girl) and decided to cheer myself up with retail therapy. After various other craziness, I found myself in a car dealership one afternoon, looking at MX5s.

Now I’d never had a (full) driver’s license in the UK. I’d learned to drive, but never really sorted out the final getting-the-license bit. I relied on friends, family, and UK public transportation for 24 years. But there’s only so long that this lasts you in the US (I’m talking about the ability to drive, even a rental car for an afternoon, not even owning a car), where many activities require some form of vehicular transportation – for example, getting to the office (before the shuttle service we have now existed), which is 37 miles outside of Boston. It was inevitable that I would learn to drive “on the right side of the road” sooner or later, all I needed was a little impetus to get that moving.

The impetus was being really pissed off with the world, over a girl (as begins many a story in life). Within 3 days of her randomly deciding not to see me again for no reason, I’d had a few lessons on US driving, and one week later, I had passed the testing (no silly many months of waiting list like in the UK, though the standards here are shockingly lower than in the UK – conversely, there the DSA (Driving Standards Authority) is overly anal, out of touch with reality, poorly (mis)managed, and generally a giant government waste of time). The first time I drove alone was on a roadtrip to New York in a rental car. The second time was an extreme amount of Californian coastal highway driving, including 74 miles of twisting, winding mountainous roads. That was April.

By June, I was still pretty pissed off with the world (I’d even briefly considered whether to leave the country and go somewhere else entirely – I can now completely sympathize with a certain hacker who moved to Australia), had spent a few weekends tearing up the Californian countryside in rental cars, and decided I needed to get a car. Initially, I planned to be fairly sane, and buy something like a Prius, or an older (but dirt cheap) used car. Then I discovered two things:

1. Insurance in Massachusetts is regulated by the State of Massachusetts (there are changes underway this year, but it’s all largely cosmetic), and auto insurance would cost me at least 3K/year, regardless of my vehicle.

2. There are some surprisingly affordable cars in the US, when you’re used to UK prices – my car in the UK retails for around twice as much as I paid for it, which isn’t particularly atypical, though most of the time it’s slightly less.

So, if I was going to pay through the nose, I might as well have fun while doing it. I started looking at MX5s. Initially, I was looking at older used models, with the older pre-2006 design. But there was really something about the complete redesign for the 2006 model year that did it for me. This model had more class, more leg room, and more cup-holders (everyone knows you should always judge a US car by the number of cup holders). I rented one in California and took it for a spin up the route 1 highway. I liked it. A lot. Even if it was an automatic rental. So, that pretty much made the decision for me. I planned on getting a standard one, 5 speed, with regular interior, which I was almost about to do when at the dealership I noticed another vehicle:

* 2006 Mazda MX-5.
* Under 10K miles.
* 6 speed manual.
* All the extras.

And let’s not forget I’d committed the carnal sin of being super pissed off with the world, and simultaneously being in a car dealership at the same time. These things are known to be bad in combination. I picked it up in time to drive up to OLS last year. Then I had some fun registering the license plate “RED HAT”, because, well, it was available and nobody else had thought to get it first. It amused me.

Last summer was an interestingly, terrifying, Boston driving experience. I was a newly qualified driver, in an almost new car, surrounded by crazy Boston drivers. This meant I never drove in town, would only go to specific places, and I tried to avoid doing anything that would get me lost. Still, I had a lot of fun with the freedom that vehicle ownership gives you – especially a convertible in a New England summer. I drove to the beach (a lot, especially at 4 or 5am to watch the sunrise, and sometimes also in the evening for the inverse), went to my first ever drive-in movie, and did some other local trips like Blueberry picking. I also drove up to Canada the day after getting it.

Time passed, the fall came, and I bought a GPS (complete with optional, extremely pretentious over-done stereotype-in-a-box British accent – not that one, before you think so). This changed my driving experience considerably. Now I didn’t have to be so worried about dying constantly and could just focus on avoiding the maniacs on the road, rather than trying to navigate. And if you don’t think Boston drivers are insane, well, you’ve probably never seen the contrast between American and British drivers first hand. There’s no cup-of-tea niceness here, only bloodthirsty vengeance, a constant need to cut people up, and a desire never to use signals. I started going to other places I hadn’t previously tried to get to in my car – New York, other States, even eventually driving around town, although I still like to avoid doing that – the MBTA “T” is actually far more effective, in many cases.

With the passing of the fall, winter came in, and it was harsh. My low profile sport tires really weren’t much of a match for New England snow, but I was determined to live my Californian driving lifestyle. I’m probably the only person I know who drives around with the top down in January, when it’s -10 outside, wearing mountain gloves. While that’s perfectly possible, and clearing snow from the car to achieve that takes under 30 minutes, driving on snow turns out to be sufficiently more difficult than I had anticipated. I probably had a number of near-calls, and certainly need to look into snow tires for this year’s winter weather craziness. I’ve upgraded my gloves, too.

Anyway. After a year of owning this thing, and my first annual inspection (and insurance renewal…), I’ve decided I made the right choice in a car. Mazda pretty much got this right. Sure, it’s not the S-2000. And yes, that is a very lovely car, but it’s also nearly 20K more than the Mazda, and I’m not sure really whether it’s worth that. The car interior is almost as close to ideal as one could get – though the door cup holders might be better placed. It’s small, but well laid out, the controls are done right, the soft top release is much improved on the older model (to the point where you can put the top down, in moving traffic, using one hand), and even the trunk size is ok, just so long as you advise guests in advance not to bring huge suitcases when they fly in.

On the whole, I’d thoroughly recommend the MX5. I went to my first ever auto show this year also, and saw the latest model before it really started to hit the roads. They’ve really only made a few cosmetic changes – though they do now have Active Stability Control as standard on my model (well, one presumes), the access control is improved, and they’ve slightly tweaked a few cosmetic items…but on the whole, it’s still just about right. Don’t buy it if you’ve got a family or ever like to travel with more than an overnight bag ;)

Jon.

I love SELinux (part IV)

Wednesday, July 2nd, 2008

So I’ve been writing about a couple of weeks as a user of SELinux on Fedora. I thought I’d give an update about the experience.

After a week as a user of SELinux in enforcing mode, I had learned a few things. I had learned that it isn’t always possible (without using command line utilities) to download a CD image and use it to install a virtual machine, or to use an alternate location for virtual machine images, and a number of other (minor) issues. By this, I mean that none of these things can be done trivially by end users or developers who don’t know about commands like chcon, and their use. To many end users, this simply means these (seemingly quite straightforward) activities are now “impossible”, since they simply will not properly understand why they are not working in the way they had intended. In this case the appearance of us being secure has trumped over general functionality.

Late last week, I decided to allow my laptop to apply the latest Fedora updates. I rebooted into the updated environment (new kernel image) and tried to connect to my corporate VPN using VPNC. Although it was able to connect, the connection script generated repeated errors trying to run commands like “ip” and “ifconfig”. So, I spent roughly 6 hours on Sunday night reading SELinux documentation, books, whitepapers, commands, and the Fedora SELinux “targeted” policy itself. I concluded that the update had disallowed the VPNC domain access to the sysnetwork domain in which those various networking commands exist.

Without getting into specifics too much (BZ453236 has my analysis attached), NetworkManager is able to start VPNC because it runs in a system context (which has a specific policy item to allow access to network commands), whereas regularly started tty incantations of VPNC will run unconfined. In that case, audit2allow suggested adding:

role unconfined_t types ifconfig_t

Which was actually in a pending update to the policy (it hadn’t made the changelog so I hadn’t noticed it when skimming recent koji builds). I installed the new build, and lo-and-behold my VPNC worked again. I wasn’t particularly bothered by this experience – I learned a lot about SELinux policy, the different files, and how it all goes together that I’m sure has changed since I looked at this stuff nearly a decade ago. But I’m not blogging about this because of me, I’m thinking about the end-user experience. The user facing this problem might have filed a Bugzilla, and they might even have realized this was due to SELinux (no AVC denial messages given) and tried fixing the problem for themself. But they probably instead decided that something was broken with Fedora and just went away frustrated. Security trumped over functionality of a generic laptop system.

All I can do is hope that, in time, the community will realize the many uses that SELinux has, and the many that it does not. It’s great if you work for the NSA, have lots of servers to protect from the Interwebulous Tubes of the Internet, or are just a paranoid type. In those cases, SELinux has many advantages – especially if you’re running a timesharing system and distrust all of your users, to varying or equal amounts. This is one of many compelling justifications for SELinux to exist in Enterprise Linux products, and as an optional installation item on various other spins of Fedora – for example, for server targets. These are also good reasons to offer end users the option of turning on SELinux, if they desire.

But for the average Desktop user (you know, the type that we, as a community occasionally like to encourage…) SELinux often ostensibly gets in their way. You don’t have to choose to believe this if you don’t want to, but it can’t be managed graphically (that’s where most people will give up), the policy is highly complex (I’ve read bits of it), and what exactly does the average laptop user sitting behind a firewall with only a few non-external-facing Desktop applications need it for anyway? To protect them from themself? In case the guy in Starbucks is a l33t h4x0r? To protect them from a relatively minor subset of possible security attack vectors unlikely to be used against them at home? I’m still waiting to be convinced that it should *always* be on by default.

As a final note, remember that I’m not criticizing the Fedora community, SELinux developers, or other individuals. I’m saying that the end user experience is lacking in a few fixable ways. Mainly by bringing back an obvious option during installation that explains why Fedora offers this feature, and gives users who don’t want it a choice of turning it off.

Jon.
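
Added example, not part of the original post or of BZ453236: a failure like the one above can leave no AVC message because a role that is not authorized for a type is rejected when the kernel computes the new context, and that rejection is logged as a SELINUX_ERR record rather than an AVC one. The sketch below scans audit log text for both record kinds and prints the kind of rule audit2allow would propose; the log lines, contexts, and the role name unconfined_r are constructed sample values.

```python
import re

# Constructed sample audit.log lines (not taken from the post or the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1214800000.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1214800100.202:57): security_compute_sid:  invalid context unconfined_u:unconfined_r:ifconfig_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1214800100.305:58): security_compute_sid:  invalid context unconfined_u:unconfined_r:ifconfig_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1214800100.305:58): arch=c000003e syscall=59 success=no exit=-13 comm="vpnc-script"
"""

# Ordinary type-enforcement denial: this is what desktop alert tools look for.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+)"
    r"\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

# Rejected domain transition: the computed context pairs a role with a type
# that the policy does not authorize for that role. No AVC record is written.
SID_RE = re.compile(
    r"security_compute_sid:\s+invalid context (?P<ctx>\S+) for"
    r"\s+scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")


def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def summarize(log_text):
    """Collect de-duplicated candidate rules, split by the record kind they came from."""
    allow, role = [], []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms = " ".join(m["perms"].split())
            rule = f"allow {se_type(m['s'])} {se_type(m['t'])}:{m['c']} {{ {perms} }};"
            if rule not in allow:
                allow.append(rule)
            continue
        m = SID_RE.search(line)
        if m:
            _user, role_name, type_name = m["ctx"].split(":")[:3]
            rule = f"role {role_name} types {type_name};"
            if rule not in role:
                role.append(rule)
    return {"allow": allow, "role": role}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for kind, rules in result.items():
        for rule in rules:
            print(f"{kind:5} {rule}")
```

A log that yields only `role` rules and no `allow` rules matches the symptom described in the post: enforcing mode breaks the script while AVC-only tooling stays quiet.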

US drink-driving nonsense

Monday, June 30th, 2008

So I saw a commercial yet again tonight advocating that “it’s easy to tell when you’ve had way too many, but what about one too many?”, and “buzz driving is drunk driving”, typical of the tendency in US society towards tolerance of drinking any alcohol before driving a vehicle.

You notice this quite quickly after living in the US for a while. Whereas in many parts of Europe the government warning messages will take a hard line that drinking and driving don’t mix (in the UK, these commercials (UK: “adverts”) can be very graphic in nature, showing actual car crash scenarios – complete with the reality of injury and death), here in the States, people will far more readily drink one or two beers before driving home/wherever. And government warnings follow this trend – they’ll advise you not to drink too much, not to be “over the limit”, but they won’t state Common Sense:

Any alcohol is too much alcohol when driving a vehicle.

I have a simple rule. It’s really very simple, and I wish more people would consider adhering to it also (though I’m not trying to preach to my friends, just the populace in general really). I don’t drink and drive. This means I don’t drink *any* alcohol before driving a vehicle (car or otherwise). Not “just one beer”, but “just no beer”. Yes, this often means that I don’t drink – in case you’ve ever been out with me and wondered why I tend to avoid drinking these days, it’s likely because I might be driving later on. Ordinarily, this means that I will only drink on the weekend, in town, on an evening after I’m done driving for the day. Sometimes, I’ll have a drink or two on a trip, if I’m staying at a hotel and taking some form of alternate transportation.

Now I’m perfectly aware that the configuration of many US towns outside of major urban areas doesn’t lend itself to this philosophy – in a town where the layout relies upon driving yourself home, you’re going to have to use a vehicle somewhere, but that’s what friends are for, and taxis, and liquor stores (UK: “off licenses”) for the purchasing of beverages intended for home consumption. There is no reason to drink a beer and drive home, although I see this happening all the time.

I wish the US would stop caring so much about carding (UK: “IDing”) – “we card because we care” – grandmothers and everyone under 35, stop frivolously wasting taxpayer money prosecuting and ruining the lives of people over 18 (who can legally serve in the army but not buy a beer), and instead focus efforts on educating people as to the dangers of drinking and driving, not “drinking too much and driving”. It’s really very simple to get this right, but will probably never happen.

Jon.

I love SELinux (part III)

Friday, June 27th, 2008

So today, I allowed my laptop to upgrade to the latest F9 packages. Shortly afterward, VPNC could no longer run its connection script to connect to my corporate VPN connection.

I looked for an AVC denial message in my GNOME notification area (it was only later that I’d be paranoid and check that the sealert and friends were actually being allowed to run, which they were), but there was none. And none of the system logs readily showed any SELinux problem, so I decided it wasn’t time to Just Blame SELinux. A half hour of hacking at the VPNC script later, and getting confused why the commands within that script would run via sudo but didn’t seem to be running when called by VPNC, and I had myself an answer. Obviously it must be SELinux at fault, somehow, somewhere, sometime.

Calling setenforce 0 before running VPNC results in no errors and the VPN comes up just fine, whereas turning SELinux back on immediately results in a failure to run the connection script. The RPM itself reports context information that is consistent with that on the actual files, and again, there are no denial messages being reported – running sealert manually would seem to confirm this, and there are no messages in obvious log files. So it comes down to this: something is broken in F9, I can’t yet determine where it is, but a simple update has resulted in SELinux causing yet more pain than it’s ever possibly worth.

I’ve almost learned my lesson. I listened to certain people when they suggested that using SELinux was a great idea, and that doing this on F9 is super cool because it wouldn’t get in the way, and that it’s all great because we can protect ourselves from ourselves and our own evil actions. But all these people have forgotten one minor point – SELinux policy is so complex and/that we get these random failures. This is a highly undesirable user experience for a desktop. I’m about ready, once again, to hurtle SELinux out of the window as far as humanly possible. Way too overly intrusive to be actually useful.

Yes, I’m sure there’s a BZ somewhere, and I could just wait for another set of package updates that I’m sure will resynchronize policy with package, but let’s please notice that in the meantime, Joe User has long since given up and gone out to play with Little Billy and his friends. I’m trying to write these entries here to convey the undesirable user experience, and not whether I personally know enough to work around it. The average Fedora/Linux user doesn’t have 14 years of experience at dealing with this kind of thing.

Time for some (decaf) coffee.

Jon.