Thursday, December 17, 2015

Notes About IPTables

This is going to be a completely nerdy post. You've been warned.

I recently changed my Internet connection at home to fibre! Which is brilliant and fantastic and ... I'm cheap. So instead of going out and buying a router, I decided instead to use a pi to do it. I landed on my Banana Pi with a USB Ethernet adapter only to find that it was SLOW. Damn USB and Ethernet.

So I then bought a BPi-R1 to deal to the problem. I've still saved some money (I think an off-the-shelf jobbie was around the $200 mark whereas the BPi-R1 cost me around $150. I didn't realise the New Zealand dollar had dropped against the US dollar). Whoops. Thus, this post. I gain some value back by learning something:

What this is all leading to though is the fact that I finally had to learn a little something about IPTables. If you've never heard of it, this post might not be for you. It's the frontend to the firewall (netfilter) in Linux.

It was a bit of a struggle with very few explanations being around. So here's my attempt to get rid of some of that pain:

Anyone who tells you that it's easy is lying. It's not easy. The information out there is often inconsistent. For example, the terms "table" and "chain" seem to get confused and used interchangeably. So let's get this straight. A table is not a chain and a chain is not a table.

The tables I needed to concern myself with were the filter table and the nat table.

The next really confusing bit. LOADS of pages talk about using the command:

 iptables -L

This doesn't list out all of your rules (and the output is pretty much useless anyway). So here's the thing... When you use the iptables command, and you don't specify a table, you're using the filter table. So 'iptables -L' ONLY lists out the filter table.

Instead, you're much better off using:

 iptables-save  

Or, if you want it to be a little less... blerg (the comments and information you don't need), use:

 iptables-save | sed 's/\[[0-9]*:[0-9]*\]// ; /^#/d'  

So for all of this talk about tables and chains... what does it really mean? Well... the table names don't really seem to mean a great deal. They give you a sense of the purpose of the chains BUT the way traffic goes through the various sets of chains isn't implied by the table name.


In this diagram, PREROUTING is part of the nat table. INPUT, FORWARD and OUTPUT are part of the filter table and POSTROUTING is part of the nat table. Confused?

Let's go through that diagram. When a packet comes in, a routing decision is made. Is that packet intended for the machine the firewall is on? If it is, it goes to the INPUT chain. Otherwise, it goes to the FORWARD chain. When a packet is going from the firewall machine out, it goes through the OUTPUT chain.

We need to make some decisions. When we're talking firewalls, we're talking about protection. In my case, I chose to only protect my network from the Internet. I don't really care what traffic is going out.

Which means I've already got my first 3 rules! (They're not technically rules - they're policies. But let's not let that get in the way of our sense of accomplishment)

 iptables --table filter --policy INPUT DROP  
 iptables --table filter --policy FORWARD DROP  
 iptables --table filter --policy OUTPUT ACCEPT  

By default, drop packets going to the INPUT chain (if not matched by a rule), drop packets being forwarded (ditto), and 'accept' (allow to pass through) anything going outwards.

For the rest of this document, I'm going to be using:
  • lanDev as my LAN device in the rules. This will normally look something like eth0 or eth1 etc. On the Banana Pi it's eth0.102 OR br0. Totally irrelevant. My set up is likely to be different from yours.
  • wanDev as my WAN (Wide Area Network i.e. Internet) device.
  • 1.1.1.1 as an example internal IP address. In reality, this will normally be something along the lines of 192.168.0.1, 172.16.1.1 or 10.1.1.1.
  • 2.2.2.2 will be our external IP. If you've got a dynamic IP, read right to the end of this post.
  • I've kept the long form of the commands to make it clear what we're doing i.e. all of the examples specify the table they're using rather than relying on the default.
This hopefully makes it a little clearer.

Next we need to allow the computer to talk to itself (it does this more often than you'd think on the loopback - lo - device).

 iptables --table filter --append INPUT --in-interface lo --jump ACCEPT  

And because I don't want to limit the server from the internal network, I also do the same thing with my internal network:

 iptables --table filter --append INPUT --in-interface lanDev --jump ACCEPT  

If I wanted to harden this up a bit, I could:
  • Lock down the IP addresses that can talk to the server:

    iptables --table filter --append INPUT --source 1.1.1.0/24 --in-interface lanDev --jump ACCEPT 

    This allows anything with an IP address between 1.1.1.0 and 1.1.1.255 access to the router.

    If I wanted to lock down those addresses a little more, I could use the "iprange" extension (I tend to think of it as a module given that you use '-m' on the command line to use an extension):
     iptables --table filter --append INPUT --match iprange --src-range 1.1.1.100-1.1.1.255 --in-interface lanDev --jump ACCEPT   
    
  • Or ONLY give access to particular services, i.e. ssh:
    iptables --table filter --append INPUT --source 1.1.1.0/24 --in-interface lanDev --protocol tcp --dport 22 --jump ACCEPT 

And finally, we want the Internet to be able to send information back to the router BUT only when we've initiated a connection of some kind (when visiting a web page, I want the web page to be able to load):

  iptables --table filter --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT   


Here we use the conntrack extension to make a match on state. The router can tell which packets are part of an established or related connection.

Let's set up NAT (Internet Sharing). Everyone clear on what NAT is and does?

The needed rules are:

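 iptables --table nat --append POSTROUTING --out-interface wanDev --jump MASQUERADE  
 iptables --table filter --append FORWARD --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT  
 # The FORWARD policy is DROP, so new connections from the LAN out to the Internet need their own rule
 iptables --table filter --append FORWARD --in-interface lanDev --out-interface wanDev --jump ACCEPT  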

The first rule does all the real magic. When a device on your local network sends out a packet, the IP address is changed to the external ip address. When a packet comes in, the router then changes the IP address back to that of the local device.

Remember how we dropped everything by default in the forward chain? The second line there just does what we did with the INPUT chain i.e. if it's part of an established or related connection, let it through.

The other thing you'll probably need to check is that IP forwarding is enabled in the kernel. Edit /etc/sysctl.conf and uncomment or add the following line:

 net.ipv4.ip_forward=1  

This will take effect when you reboot. To enable it immediately, run the following:

 sysctl net.ipv4.ip_forward=1  

Now we have a router that's relatively locked down and is doing some routing!

You may have read previous posts where I talk about CG-NAT. The evilness of it meant that I couldn't use my system the way that I normally do. Which is to say that if I'm on holiday or working somewhere away from home, I normally remote into my system. This saves me maintaining multiple development environments.

I spent another $50 on getting a static IP. Basically, I always have the same address when connecting to the Internet and it gets me past the CG-NAT stuff. Neat! (Except that it probably makes it a bit easier to track me).

What if I want to run a service on my router? I would need to open a port:

 iptables --table filter --append INPUT --protocol tcp --dport 80 --jump ACCEPT   

To enable remote access to my system, I needed port forwarding. Say I want to connect to a web server externally from the Internet. To do this, I need the following rules:

 iptables -t nat -A PREROUTING -i wanDev -p tcp --dport 80 -j DNAT --to 1.1.1.1:80  
 iptables -t filter -A FORWARD -p tcp -d 1.1.1.1 --dport 80 -j ACCEPT  

This tells the PREROUTING chain to send traffic on port 80 coming in from the wanDev device to port 80 on 1.1.1.1 and the FORWARD chain to accept traffic coming in on port 80 destined for 1.1.1.1.

I could (but it seems pointless) only accept NEW connections and rely on the earlier "ESTABLISHED, RELATED" rules to continue the connection. To do this, I would replace:
 -A FORWARD -p tcp -d 1.1.1.1 --dport 80 -j ACCEPT  
with:
 -A FORWARD -p tcp -d 1.1.1.1 -m conntrack --ctstate NEW --dport 80 -j ACCEPT  

The other thing to note is that the external port doesn't have to match the internal one. Imagine I want to listen to ssh connections on port 12345 but I want to still run ssh connections on 22 internally. In which case, I would use the following rules:

  iptables -t nat -A PREROUTING -i wanDev -p tcp --dport 12345 -j DNAT --to 1.1.1.1:22   
  iptables -t filter -A FORWARD -p tcp -d 1.1.1.1 --dport 22 -j ACCEPT   
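
An added example (not from the original post): a small shell audit that reads `iptables-save` output, lists every chain under its table with its policy, and checks that each DNAT port forward has a FORWARD accept for the translated address and port, which is where the 12345 to 22 case above is easy to get wrong. The sample dump is constructed, with one deliberate mistake, and `sample_dump` and `audit_dump` are names made up here.

```shell
#!/bin/sh
# Added example: summarise an iptables-save dump per table/chain and check that
# every DNAT port forward has a FORWARD rule for the translated address and port.

# Constructed sample in iptables-save format, using the post's placeholder names.
# The last FORWARD rule deliberately uses the external port (12345) by mistake.
sample_dump() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wanDev -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.1:80
-A PREROUTING -i wanDev -p tcp -m tcp --dport 12345 -j DNAT --to-destination 1.1.1.1:22
-A POSTROUTING -o wanDev -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lanDev -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lanDev -o wanDev -j ACCEPT
-A FORWARD -d 1.1.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 1.1.1.1/32 -p tcp -m tcp --dport 12345 -j ACCEPT
COMMIT
EOF
}

# audit_dump: reads iptables-save output on stdin, prints one line per finding.
# Only the simple "-d <ip> --dport <port> -j ACCEPT" form used in the post is
# recognised; broader FORWARD rules are not evaluated.
audit_dump() {
    awk '
    /^\*/ { table = substr($0, 2); next }          # "*nat" opens a table
    /^:/  {                                        # ":INPUT DROP [0:0]" declares a chain
        key = table "/" substr($1, 2)
        order[++n] = key; policy[key] = $2; count[key] = 0
        next
    }
    /^-A / {
        key = table "/" $2; count[key]++
        dest = ""; dport = ""; target = ""; to = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-d") dest = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--to-destination") to = $(i + 1)
        }
        sub(/\/32$/, "", dest)
        if (key == "nat/PREROUTING" && target == "DNAT") {
            if (to !~ /:/) { to = to ":" dport }   # no port given: the port is unchanged
            dnat[++d] = to; ext[d] = dport
        }
        if (key == "filter/FORWARD" && target == "ACCEPT" && dest != "" && dport != "") {
            allowed[dest ":" dport] = 1
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            printf "chain %s policy=%s rules=%d\n", order[i], policy[order[i]], count[order[i]]
        }
        if (policy["filter/INPUT"] != "DROP") { print "WARN filter/INPUT default policy is not DROP" }
        if (policy["filter/FORWARD"] != "DROP") { print "WARN filter/FORWARD default policy is not DROP" }
        for (i = 1; i <= d; i++) {
            if (dnat[i] in allowed) {
                printf "OK port %s -> %s has a FORWARD accept\n", ext[i], dnat[i]
            } else {
                printf "MISSING port %s -> %s has no FORWARD accept for the translated port\n", ext[i], dnat[i]
            }
        }
    }'
}

# Run the audit on the constructed sample.
sample_dump | audit_dump
```

On a live router the same function can be fed directly, as root, with `iptables-save | audit_dump`.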

Not content with that, I went a step further. The problem with all of this is that the port forwarding doesn't work from inside my own LAN. That means that there are differences to how I access things externally.

Imagine you're using a Dynamic DNS service like noip.com. That way you don't need to memorize your IP address (it's an absolute godsend if you have a dynamic IP). From inside my own LAN, I'd be able to use that address to access the various services (the machine I ssh into isn't the same machine hosting the web page for example).

To do this, I need the following rules:
 # SNAT is given the address only: pinning the source port too would limit each forward to one connection at a time
 iptables -t nat -A PREROUTING -p tcp -s 1.1.1.0/24 -i lanDev -d 2.2.2.2 --dport 80 -j DNAT --to-destination 1.1.1.1:80  
 iptables -t nat -A POSTROUTING -p tcp -s 1.1.1.0/24 -o lanDev -d 1.1.1.1 --dport 80 -j SNAT --to-source 2.2.2.2  
 iptables -t nat -A PREROUTING -p tcp -s 1.1.1.0/24 -i lanDev -d 2.2.2.2 --dport 12345 -j DNAT --to-destination 1.1.1.1:22  
 iptables -t nat -A POSTROUTING -p tcp -s 1.1.1.0/24 -o lanDev -d 1.1.1.1 --dport 22 -j SNAT --to-source 2.2.2.2  

Uh oh! We've actually needed the external ip address! Which, if you have a dynamic IP,  you don't always know. I'll address that in a second.

We need to save our rules and make sure they are loaded. These instructions are for a Debian-based system though I think Arch Linux uses the same method. I'm pretty sure this won't work on a Red Hat-based system where they don't use the /etc/network/interfaces file for network configuration.
Save the rules:
 iptables-save > /etc/iptables.rules  

To tell the network configuration to restore those rules before bringing up the network, edit /etc/network/interfaces and add the line:
 pre-up iptables-restore < /etc/iptables.rules  


If you have a dynamic IP and you're using port forwarding from inside your own network:

This is where things get tricky. The problem is we won't know what the IP address will be until AFTER the interface is up. To get around this (I'm not sure if this is the recommended way, but it's a solution) we'll need to create a script.

By now you should have a file in /etc called iptables.rules. We need to move the stuff that's reliant on having an external address into its own file. We should be able to do this by running:
  echo '*nat' > /etc/iptables-extIP.rules ; grep -F '2.2.2.2' /etc/iptables.rules >> /etc/iptables-extIP.rules && sed -i '/2\.2\.2\.2/d' /etc/iptables.rules ; echo 'COMMIT' >> /etc/iptables-extIP.rules

This:
  • Copies out all of the lines relevant to the external IP address to a file called /etc/iptables-extIP.rules and makes that file suitable for iptables-restore.
  • Removes those entries from /etc/iptables.rules.
Now we need to change that external IP address to something we can easily search for:
  sed 's/2\.2\.2\.2/EXT_IP/' /etc/iptables-extIP.rules -i

And finally, we need to create a script to fill in these bits after the WAN device is up. Create a script in /etc/network/if-up.d/extIPRules with the following contents:

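 #!/bin/bash  
 wan_device="wanDev" # replace with the name of your external device i.e. ppp0  
 iface="$IFACE" # ifupdown passes the interface name to if-up.d scripts in the IFACE environment variable  
 if [ "$iface" == "$wan_device" ] ; then  
    # first IPv4 address on the WAN device  
    ext_ip_addr=$(ip -4 addr show "$wan_device" | grep inet | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)  
    # fill in the placeholder and load the rules without flushing the ones already in place  
    sed "s/EXT_IP/$ext_ip_addr/g" /etc/iptables-extIP.rules | iptables-restore -n  
 fi  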
(This is untested. If you do try this and it works, please let me know in the comments.)

Make it executable:

 chmod +x /etc/network/if-up.d/extIPRules  

And it should "Just Work™". If it doesn't, let me know in the comments and I'll try and update this post with any corrections that are needed.
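
As an added example (not the author's script): the address lookup and placeholder substitution from the script above, split into functions that can be exercised without root and that refuse to render anything when the WAN device has no valid IPv4 address yet. The function names, the sample `ip` output and the 203.0.113.7 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: the text-processing half of the if-up.d script, runnable without root.

# Constructed sample of `ip -4 -o addr show dev ppp0` output (203.0.113.7 is a
# documentation address standing in for the real external IP).
sample_ip_output() {
cat <<'EOF'
4: ppp0    inet 203.0.113.7 peer 198.51.100.1/32 scope global ppp0\       valid_lft forever preferred_lft forever
EOF
}

# Constructed template, in the shape the grep/sed steps above leave behind.
sample_template() {
cat <<'EOF'
*nat
-A PREROUTING -s 1.1.1.0/24 -d EXT_IP/32 -i lanDev -p tcp -m tcp --dport 80 -j DNAT --to-destination 1.1.1.1:80
-A POSTROUTING -s 1.1.1.0/24 -d 1.1.1.1/32 -o lanDev -p tcp -m tcp --dport 80 -j SNAT --to-source EXT_IP
COMMIT
EOF
}

# first_ipv4: print the first global IPv4 address from `ip -4 -o addr show` output on stdin.
first_ipv4() {
    awk '$3 == "inet" && /scope global/ { split($4, a, "/"); print a[1]; exit }'
}

# valid_ipv4 ADDR: succeed only for four dot-separated decimal octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# render_rules TEMPLATE ADDR: print TEMPLATE with EXT_IP filled in, or fail without output.
render_rules() {
    if ! valid_ipv4 "$2"; then
        echo "render_rules: '$2' is not an IPv4 address, nothing rendered" >&2
        return 1
    fi
    if ! grep -q 'EXT_IP' "$1"; then
        echo "render_rules: no EXT_IP placeholder in $1" >&2
        return 1
    fi
    # Safe to interpolate: $2 has been checked to contain only digits and dots.
    sed "s/EXT_IP/$2/g" "$1"
}

# On the router (as root, not run here) the if-up.d script would do:
#   addr=$(ip -4 -o addr show dev "$IFACE" | first_ipv4)
#   render_rules /etc/iptables-extIP.rules "$addr" | iptables-restore -n

# Demo on the constructed samples: prints the rendered ruleset.
tmpl=$(mktemp)
sample_template > "$tmpl"
render_rules "$tmpl" "$(sample_ip_output | first_ipv4)"
rm -f "$tmpl"
```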

Monday, November 30, 2015

Let's Talk About Education!

Education. The portfolio that sees MP's in hot water more often than not. The election promise that gets people salivating. The "thing" that we're all passionate about!

Lately I've been finding myself highly sceptical about IT training in general. Particularly for kids. On the electronics side of it, we get:

"Here's a robot kit! Build a robot"

And computers? Let's learn pointers everyone! It's a.... Wait.... what? What problem do they solve?!?

Here's the problem. They're prescriptive. If we think education hasn't changed since the 60's (how often do education presentations start off with a photo of a classroom from the 50's and a photo of a classroom now?), go into, ironically, one of the fastest moving fields and see how it's taught.

It's appalling.

The problem with kits? They're prescriptive. You attach the wheel here, you plug this bit in here and away you go! You've just made yourself a robot? How does it work? you ask. Well... shut up and play with your robot! Look! You can program it!

The net effect is that you get quite particular character types striving in the field. The real valuable people are those who can hear/see it prescriptively, apply it exploratory (apply it to a problem) and think creatively (taking what they know and apply it in novel ways). BUT the ones who succeed only need hear the words "industry standard" or "best practice" and that is the solution.

There's another problem that comes with this: Gender inequality. Yep. That old chestnut. The way that IT is taught encourages a gender inequality. That's the way things have always been done.

Going back to my programming example above, it could be taught in the following way:
Say we need to store similar information (we'll call these "blocks" of information). Like a database. Only we don't want to keep going back to the database. We're not sure how much information we're going to store. It depends on the data. Dealing with arrays is hard work. The stupid things want to be a size and stay that size in which case we have to create an all new array with added information.
How would you handle this problem?

And then bring it back to a solution. Okay, so some really clever folk came up with this idea of "pointers". At the end of the blocks of similar information, what if you could "point" to the next block of similar information? That way, if you need to add another block, you just get the pointer on the end of the last block to point to it.
Easy. Instead of the time spent having to reexplain pointers because there's no real understanding of why you'd use them, a deeper understanding is created because it's applied to a real problem. It allows time for a few novel ideas. It describes "linked lists" which is awesome for moving into Python. It encourages discussion.

If you don't know what a pointer is, don't worry. They're not used terribly much; most modern programming languages have gotten rid of them altogether.

And electronics? What if you could put a bunch of stuff on a table, ask the kids what they want to build (elaborate. If it's a robot, what do they want the robot to be able to do?), and facilitate it in terms of learning how to find the information to do what they want. This is generally what we (makers) do as adults anyway. I've been regaled with pictures of food a friend of mine made in his homemade sous vide. AND IT'S AWESOME!!!

Confident learners, not ones who can recite what has been said to them, but rather, those who are confident to not only learn but also apply their knowledge, create confident people. When my monitor blew up a few days ago, while my first reaction was a curse at the heavens, my second was to pick up a screwdriver to have a look. A few forums later, I identified the capacitor that was likely blown (I had missed the leak on my visual inspection), and ordered the parts needed (a fuse and a capacitor - well less than $10 worth of parts to get my 10 year old, still worth around $400 monitor working). While I was thinking about it that day, I asked myself "What do people normally do in this situation?". The privilege of empowerment struck me. Most people would throw the monitor out and go out looking for a new one. I want other people to have the empowerment to be able to solve the problem.

In other words... if the education isn't empowering... is it really education?

Saturday, November 21, 2015

Breaking the Internet

Back in the early 90's, a problem was discovered with the way we connect our computers to networks. The address space was (is) going to run out. Groups were put together to come up with a solution to the problem and by 1998 there was a protocol established called "IPv6". In 2004, revisions were made. The solution, in its entirety, has been fleshed out.

In the meantime, not all devices are connected to the relatively new "Internet". The problem was that while a household might have multiple devices, they could only receive a single line. A single address...

"Not a problem", you might say, "I can just 'share' the connection with the other computers". The way this is done is to use a reserved address space for inside your home/workplace, the same address space that can be used by your neighbours, and then to use something called NAT (Network Address Translation) to talk to the Internet. Essentially, it makes a computer, sitting between your 'computers' (tablets, phones, laptops etc.) and the Internet, responsible for receiving information from your internal network, changing it so that it looks like it owns it all, and then sending that information to the Internet and vice versa.

It's a solution but it breaks something. The end-to-end principle. That is, every device should be able to talk to every other device. There are solutions to this. The main problem here is one of "ports". If I want to run a web server, I need to be listening to requests on port 80 and port 443. Which means, that on that computer between me and the Internet (we'll just call this a router from here on in), I need to tell it where to send any requests to port 80.

Not that big a problem.

Let's get back to that great big problem from the beginning of this post. We're running out of addresses. The problem was defined. A solution proposed. And it was all done well before it actually was a problem. And NOW, we're running out of addresses. We haven't run out yet, but we're fast getting there.

It's now toward the end of 2015. We've got a roadmap and we've had it for quite some time! We can fix this thing! And this is where it all gets a little bit hinky:

In order to implement the IPv6 standard, it takes a whole lot of new equipment. Not a problem IF the issue it solves is being taken seriously. Investment can be made in new equipment and the business can continue to operate. However, if the new equipment is seen as an expense, rather than an investment, where is the motivation to spend that money?

Here's where we're at. ISP's need some way to reduce the number of addresses they're using because they haven't made that investment. IPv6 isn't really gaining any real traction because the investment hasn't been made. There needs to be a solution.

And here's where things get weird. That thing? The NAT stuff? The stuff that's useful for your own network? What if that were done on a larger scale? And that's exactly what's happening. Rather than use a long term solution, it's cheaper to just break the Internet!

The big difference between what an ISP is doing and what you're probably doing at home through a humble little box that sits in a corner somewhere with a few flashing lights is the scale and amount of control.

If I wanted to run a web server, it was possible. I would just say to that little box "I'm expecting something on this port. Please pass it to this machine when you get it". But I'm not dealing with a humble little box anymore. I'm not dealing with just my network. Instead, the ISP rules the roost and they're dealing with a network that consists of my neighbours (people in my city/country). So asking them to pass on a packet that I'm expecting is a no go.

That end-to-end stuff? It might affect someone's bottom line!

I've, for a long time, had a problem with the idea that somehow anything I choose to send is less valuable than what I receive. The Internet was meant to be a level playing field. All traffic was meant to be treated equally. But an ISP is essentially saying to me that my content is less valuable because I'm a home user. I'm meant to consume! Not produce! Now, ANYTHING I generate is worth even less. Either I pay more, to get my own address where I used to be handed one out every time I connected, or I can't make a choice to host my own stuff.

Tuesday, November 10, 2015

Wordpress Notes

I've noticed that someone has been reading my Wordpress notes. They're kind of old and I think I can probably do better. I've been doing quite a bit of stuff in php and javascript of late and so with a better understanding, and if there's some interest in me doing so, I may do another wordpress notes post.

Sunday, November 8, 2015

Understanding What We Don't Know (A post about feminism)

Recently I ended up in a conversation on Facebook about "Feminazi's".

Actually - I should back that right up. A few years ago it was pointed out that my behaviour sucked. In the worst possible way. You see, we tend to have this whole thing of "I don't rape and I don't abuse women therefore I must be innocent". And it all leads to #notallmen.

We've got to identify the fact that we're setting ourselves a really low bar. Not doing something is sooo much easier than actually doing something. Sure, I felt suitably uncomfortable when, at a conference, someone came up to me and started doing a whole "it's a bit of a sausagefest here" thing. Do you want to know what I did? I politely made an excuse and left the table. The other guy, who I thought was the penishead's friend, did the same a few seconds later.

So someone pointed out my behaviour to me. That my behaviour was entitled. And it took me a few uncomfortable months to think about this critically. I am an ignorant fool. I don't know anything. I always saw myself as part of the solution but I was never doing anything that helped.

If I get worked up about it, imagine living it.

I even started to judge some of those that I know and love setting a higher bar. Do they understand the issue at hand? Do they REALLY support women? I did realise that we're insulated by those we know and love. They make excuses for us. It's in the culture but it's essentially sort of a form of Stockholm syndrome.

Same conference, a couple of years later, and there were anti-feminist sentiments. In one session, a guy had spoken up first in a session about sexism in the IT industry. Guys. Stop it. Stop right now. Whenever you've got something to say, stop and think, "Do I understand the problem?". Here's the truth. We would do well to stop and listen and try not finding reasons why we're not "that" guy.

The problem in this case? It's a culture. It's EVERYWHERE. It's the culture we live in, it's in the music and television, how interactions are done or not done, it's in the attitudes in every day interactions. It's a thousand and one cuts EVERY SINGLE DAY.

So when you then see things about guys getting upset because they're "not part of the problem" or they're "innocents" and they get it because "they support women", and why are the feminazi's picking on them? They don't get it. They don't know what they don't know. They think they know, but they don't. It's a bit (fuck it: exactly) like hearing someone say: "Why are you so angry? Stop it. You're hurting my feelings".

Women have a right to be angry.

Let's back pedal again. Scope. This isn't a few people feeling aggrieved. This is more than half the population. Daily. A thousand and one cuts. We're not just talking about systematic aggravations like lack of pay parity (and stop it with the bullshit self serving "career choices" argument. It's a douchebag argument and you know it). We're talking about everyday interactions and communication styles. Next time a heated debate is going on, look around you. Where are the women? Are they waiting permission (I witnessed this at a conference. A few women actually had their hands up) for their turn to speak? Have they walked away?

So if you're feeling attacked because someone's saying "men suck", well... there's a reason for that...

We don't know what we don't know.

Saturday, September 26, 2015

Creating Chromebook Recovery Media on Linux

This should have been really easy. Like REALLY REALLY easy. Go and look up the instructions and you find out they have an app in Google Chrome for it. Cool, open up chrome, install the app, and find that it only supports Windows and Mac OSX.

Sigh.

Further down the page I found a "how to do this in Linux" (or something to that effect) link which downloads a script and tells you to change permissions and run it as root. And it fails...

So here's what to do. The reason the script seems to fail is that the file it uses to decide what image to download seems to have changed format or something. So, download that file.

 wget -O recovery.conf 'https://dl.google.com/dl/edgedl/chromeos/recovery/recovery.conf?source=linux_recovery.sh'  


This is the tricky bit. In a text editor (or using less or whatever), you need to find your model, or at the very least, make a reasonable guess at the correct model. If your chromebook is showing a sad chromebook face with a USB stick, then it's relatively easy. At the bottom of that screen it shows the hw identifier. It'll be something like ALEX ALPHA-DOGFOOD.

If you don't have that screen, you can probably just do a "powerwash". Instructions are here.

When you do a search, that model number should find something in a "hwidmatch" block. Lower down in the stanza, you'll see a "url" block. Download that file. i.e. something like:

 wget https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_7077.134.0_x86-alex-he_recovery_stable-channel_alex-mp-v4.bin.zip  

Unzip that file:

 unzip chromeos_7077.134.0_x86-alex-he_recovery_stable-channel_alex-mp-v4.bin.zip  


Make sure your usb stick is unplugged and run the following command:

 ls /dev/sd?  

Plug the usb stick in, wait a couple of seconds, and then run:

 ls /dev/sd?  

again. The device that has shown up is the usb stick. Now run:

 sudo dd bs=4194304 of=/dev/[usb_stick] if=[image file] conv=sync  
 sync ; sleep 1 ; sync 

And that's it! The recovery media should now be written and ready to use.
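
The lookup step above can also be scripted. This added example (not the script the post refers to, nor code from the original post) prints the `url` of the first stanza whose `hwidmatch` pattern matches a hardware ID. It assumes blank-line-separated stanzas of `key=value` lines, and the sample file, its URLs and the function names are constructed.

```shell
#!/bin/sh
# Added example: pick the recovery image URL for a hardware ID out of a
# recovery.conf-style file (assumed layout: stanzas separated by blank lines,
# one key=value per line, hwidmatch holding a regular expression).

# Constructed sample; the URLs are placeholders, not real download locations.
sample_recovery_conf() {
cat <<'EOF'
tool_version=constructed-sample

name=Constructed model A
hwidmatch=^ALEX .*
file=alex.bin
url=https://example.invalid/recovery/alex.bin.zip

name=Constructed model B
hwidmatch=^OTHERBOARD .*
file=other.bin
url=https://example.invalid/recovery/other.bin.zip
EOF
}

# find_recovery_url HWID: reads the config on stdin, prints the url of the first
# stanza whose hwidmatch pattern matches HWID; exits non-zero when none does.
find_recovery_url() {
    awk -v hwid="$1" '
    BEGIN { RS = ""; FS = "\n" }               # paragraph mode: one stanza per record, one line per field
    {
        pattern = ""; url = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")                 # split on the first "=" only; URLs may contain more
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); value = substr($i, eq + 1)
            if (key == "hwidmatch") pattern = value
            else if (key == "url") url = value
        }
        if (pattern != "" && url != "" && hwid ~ pattern) { print url; found = 1; exit }
    }
    END { exit(found ? 0 : 1) }'
}

# Demo with the hardware ID quoted in the post.
sample_recovery_conf | find_recovery_url "ALEX ALPHA-DOGFOOD"
```

With the real file, `find_recovery_url "YOUR HWID" < recovery.conf` gives the address to pass to wget.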

Thursday, September 24, 2015

The Race

Imagine you've been promised a big horse race with only 4 spots open.

Trainers may submit horses to enter and a committee exists to whittle those entrants down to 40, and then another group, the race organizers, pick from that 40 to give you the final 4.

This is a huge race! Everyone in the country has a stake in it. The list of 40 is fine but when it comes to the 4, things get a little hinky.

You're told that there are 4 horses, but there's only 3. One of the horses has been submitted and picked twice. The other 2 horses are sad affairs. One appears to be blind and tends to stand on the spot, whereas the final horse is missing a couple of legs.

Betting begins and people moan about the lack of choice. In reality, it's a single horse race. The leader of the organisation has already stated which horse he "thinks" will win before the final 4 were picked and has even gotten an irrelevant celebrity to state the same opinion.

Is this a fair race?

Due to public pressure, a fifth spot is opened up and a horse, who has kind of become a symbol for choice, is added.

The people are suddenly happy that they've gotten this "5th" choice. But if the race was fixed in the first place, and out of those "4" there was only 1 real choice anyway, a 5th "choice" isn't a 5th choice at all. 5th would imply that there were 4 other choices when there was only 1. It's a second choice...

Sure, the number of choices have doubled, but the nation was promised a 4 horse race. We're still short by 2.

Friday, September 11, 2015

Getting Familiar With Syria

Without the Daily Show with Jon Stewart I've been feeling a little bit lost in terms of International news. It says a lot of me that I rely on a comedy channel for news though, to my credit, I do tend to use it as a launching board i.e. I go and read up on the events portrayed on the show that pique my interest.

So when I saw a photo pop up on social media of a kid lying dead on a beach, I cried. It was horrific. Along with that photo, there was lots of "posting pictures of dead kids on FB is not cool" and cries of "that's shock porn!". So I decided it was time that I had a look at what the hell is going on there.


The extent of my knowledge: Back during the Arab spring, Syrians called for the resignation of their president. Unlike all of the others though, he didn't step down. He instead responded militarily. This is where I think the media often goes wrong. Rather than keeping with a story that's on a slow burn, we're treated to stories about what was trending on social media that day. Or we get to see someone's next attempt of breaking some sort of record. Stuff that just doesn't belong on the news is on the news front and centre. It wasn't that long ago that I started this blog as an annoyed "that's not news!" outlet (5 years?). Does anyone know what's going on in Zimbabwe? Fiji? Even Christchurch? After the initial "holy crapballs on toast" response, we don't get much follow up.

And ISIS/ISIL/IS (whatever the abbreviation is now) have taken over areas in Iraq and some place else - which turns out to be Syria.

What are the bits that I was missing? Well... Things erupted into a big arse civil war. Rather than being the government against protestors, it turned sectarian with various rebel groups, ISIS, having originated in Iraq, being but one.

So we've now got various rebel groups fighting each other, the Syrian government trying to keep some sort of control via military means. There's been use of chemical weapons which has involved the use of sarin, chlorine and ammonia though the government blame the rebels and the rebels the government (though I'm pretty sure the jury is in on this one. The government's stockpile has been dismantled though there have been some more reports). The large scale bombing is mostly done by the Syrian armed forces (government) though the rebels have employed suicide bombings.

This all leads us to refugees... There are people, not involved in the fighting, in danger of their lives, in the middle of a war zone where "control" can suddenly change overnight and individuals/families persecuted for silly things like the religion they follow or what sect of Islam (or is it better described as tribe? I'm really not clear on this point) they are. The sane response is to try and find safety. Away from the fighting. Remembering that this started back in 2011.

Honestly, I'm disgusted. The response to refugees has been horrendous. If a simple photo had me in tears, it's the things that I associate to being a New Zealander being completely trampled upon by a morally bereft ruling party that keeps me up at night. We had a reason once to be proud. Now... I honestly don't recognize this moralless, neoliberal place I'm seeing around me. It's a no-brainer. EVERY OTHER party in parliament have stood on the side of taking in more refugees. And our PM's compromise is to take in an additional 600 refugees over 3 years. Just 200 more a year for 3 years.

Australia, with its detention centres and associated human rights violations, have offered to resettle 12,000 refugees. This is a Tony Abbott government we're talking about. Putting NZ to shame on humanitarian issues...

Germans and Austrians (individuals) are driving over the border to Turkey to transport refugees while food and shelter is being set up around train stations. Meanwhile, homes earmarked for refugees in Germany have been victim to arson attacks.

Okay... a picture of a dead child might bruise your sensibilities. The callous attitude toward real people trying to find safety injures mine.

Pray I never meet Winston Peters. I'm not good at violence, but for that special penis head, I'll give it a good go. It would be for my country I'd be fighting...

Thursday, September 10, 2015

Picking a Banner

Something occurred to me today about NZ's flag referendum.

I'm not sure I've said much about Tangleball. Initially we referred to it as a "creative space" so as not to get tied up in the negative press around the term "hacker". i.e. traditionally they're called "Hacker Spaces".

So when it came to picking a name, these names were kind of chucked around. Hacker.... Maker... Brain... Mind.... etc. All of the obvious suspects. But nothing felt right. If I remember it rightly someone jokingly said we needed something different. Original. Unused and undefined. Like Tangleball. Or something. And suddenly there was a movement. There were those who hated it. And those who fought tooth and nail for the name.

Jump forward to now. We have this opportunity to change our flag. To have a discussion about our identity. And what do we get? 3 designs based upon the NZ sporting icon of the silver fern, and something that looks kind of like a monkey's butt.

They didn't go that next step when choosing a design. There wasn't the "So there are the usual suspects. How about something different?" step. And this, in essence, is what we're all a bit upset about.


Two of the designs are exactly the same except for a change to one of the colours used, a koru gone terribly wrong, and the NZ Trade and Enterprise logo.

While we're being told that the silver fern is about more than just sports, looking at the history of it, and its usage now, it seems a bit of a stretch.

The silver fern first became a symbol in 1886 and applied to a sports uniform in 1888. Nowadays it's used almost exclusively in relation to sports. The NZRU (New Zealand Rugby Union) own the copyright to the traditional silver fern logo. The New Zealand netball team are called "The Silver Ferns".

Sure, it shows up in other places. Mostly branding (fernleaf butter), logos (NZ Trade and Enterprise) and previously on money (the now no longer in use $0.01 coin). This should not distract from the fact that when we see it, we instantly think "sports".

It'd be like the England flag being replaced with the three lions. While it represents some people of England - probably quite a large proportion of them - it doesn't say anything of their culture unless their culture revolves around football violence.

Those of us not in the "we have things to be proud of and that we identify with that are not rugby related" camp are more than just a little miffed. While the majority will probably win with what's been dubbed the "Weetbix" design or the very similar (same) design with black instead of the red, not due to popularity but more so out of an unwillingness to be in that group that doesn't win (this happens during elections as well i.e. the polls say X is going to win so I will vote X), the miscontents out there have become split though the result is likely to be the same.

One side of this split is saying "Give us this option":

Whereas the other side are saying "Why do we need a flag change at all?"

I didn't like the red peak at first. Hell, I didn't like the name "Tangleball" to begin with either. But it's the most abstract, "let's build a national identity under this" flag that could have been a possibility. At the very least it's a cry of  "give us an option that isn't a fucking fern".

Of course, it's reliant on being able to make it an option. The prime minister, John Key, specified his preference for the fern before the final 4 were announced and articles everywhere keep pointing out that a local sports star (a rugby player) expressed the same preference. The PM has stated that he will not drop one of the other designs (seriously... did we really need two of the same flag?) in favour of this one nor is he willing to go through the law change needed to offer up a 5th choice.

The end result? One camp, those who want the red peak, while acknowledging that the old flag, being a symbol of a bygone colonial past, needs to go, will likely vote for the old flag to stay over any of the other designs offered. Noting that only 3 other countries currently have the Union Jack as part of their flags (ignoring Great Britain which is an odd one i.e. England, Scotland, Wales and Northern Ireland have their own flags):
  • Tuvalu
  • Australia
  • Fiji
With Fiji wanting to remove it and the other two in no real hurry.

Those who think this whole process has been a vanity project for the PM to establish his legacy as a rugby loving leader, will also likely vote for the flag to stay the same.

However, the PM has ensured that there's no chance of  a split vote. What's twice as expensive as a referendum? 2 referendums! The first to decide the most preferred of the limited 4 options (they're not options if they feel all the same with a token one thrown in there), and the second to decide between that design and the current flag.

Will it be a close vote? It's hard to gauge via social media. The people I tend to talk to are the ones who happen to agree with me about this being a farce.

What it all comes down to for me though: What is our national identity? Is it tied into sport? How about the things in our past we were most proud of? In no particular order, these are the things that I think have shaped who we are and how we see ourselves:
  • Our willingness to look after each other.
    • From 1935 to 1949, the first Labour government of NZ established a welfare state. Policies that would set a tone for this country and its policies right up until the 1980s. Michael Joseph Savage, the PM at the time, is one of our most revered prime ministers.
    • In 1893, NZ became the first self-governing country in the world where all women had the right to vote in parliamentary elections.
    • The Treaty of Waitangi. While relations are somewhat strenuous and often shrouded in media inspired "What do the Maori people want now?!?" sentiments, it is to be noted that the Treaty of Waitangi is given due recognition most of the time. In fact, it's this recognition that allows the Maori to cover our arses from unscrupulous governments (water rights when selling off power plants for example).
  • Our stance against nuclear weapons. In 1984, David Lange, then PM of The Labour Party (and drinking buddy of my grandfather), signed the New Zealand Nuclear Free Zone, Disarmament, and Arms Control Act banning nuclear propelled vessels in NZ waters (though strangely, does not ban nuclear power plants on NZ land).
  • The Springbok Tour. In 1981, the NZ Rugby Union agreed to the then apartheid South African rugby team, known as the Springboks, to tour NZ. While the government was appealed to to stop the tour from happening, the government chose not to let politics get in the way of sport (separation of government and sport... interesting). This at least proves that there is a large proportion of NZ who are more than willing to put ethics before sport.
Meanwhile, looking at NZ's history to the Rugby World Cup (there is a point to this, I promise), NZ has won 2. 1987, at the first Rugby World Cup, and 2011. Already, thus far, there has been a newspaper article branding a punter a "traitor" for betting against the All Blacks in the upcoming rugby world cup.

Is that the national identity our flag is meant to convey?

Thursday, August 20, 2015

What's Going Wrong with the Genetically Modified Food "Debate"

The whole GMO (Genetically Modified Organism) debate is a farce. We keep pretending that GMO's are either bad or good. But it's an umbrella term. So why the hell don't we talk specifics? GM corn is not GM soy.

So when scientists are talking to us about how safe GMO's are, we're hearing that ALL GMO's are safe and that science is infallible. When we hear that we're safe, we're only talking about our health. What effect do they have on the environment? High intensity single crop farming has an effect on the environment whereas a more natural and less damaging approach is to rotate your crops (you grow corn one year, tomatoes another year etc.).

What happens if GM corn is found to have adverse effects on our health? This has happened before.

When vitamin deficiencies were linked to certain diseases, such as scurvy, the thought was to essentially carpet bomb your system with vitamins. It was then discovered that excess levels of vitamin-A and vitamin-E increase the likelihood of particular types of cancer.

There's loads of shouting about Monsanto. Who incidentally, are the only ones really benefiting from the GMO debate. While people are calling each other Monsanto shills and paranoid hippies, no one is talking about Monsanto's practises around patents. Farmers can not save the seeds from a Monsanto crop for replanting the following year. Farmers who break this rule are sued. This is where it gets interesting though:

Corn is a really interesting case because cross pollination happens really easily. At the top of each corn plant is a tassel which contains the pollen. Those stringy bits at the end of your corn cob receive the pollen. Each of those strings corresponds to a kernel and the nature of that kernel is dictated by the pollen that string receives. A bit of a wind is all that is needed. (Which is why you can get loads of different types of corn on a single kernel i.e. black and white corn on a single cob is quite ornate).

Imagine you have two farms side by side who are growing corn. One farm is using Monsanto's patented corn. The other isn't and relies on being able to save seed and grow it the following year. Monsanto can sue (it doesn't matter if they win or not because the nuisance is already enough to convince a farmer to pay for their seed) the farmer who doesn't use Monsanto seed because the saved seed contains Monsanto's patented seed by virtue of corn's pollination method.

Add to all of this the fact that we aren't privy to the information needed to make informed decisions. Imagine you go and do your research on GMO soy and decide that you prefer not to expose yourself to it. You can pay a premium (small runs, and possibly lower density growing rather than higher expense) for GMO free foods, or avoid anything with soy altogether.

One of the main reasons capitalism simply doesn't work is that we're not given the information needed to be able to make decisions around the products that we buy. Talk to any right winger about this and they'll do that whole "expense" thing that always has me imagining an infomercial actor failing at everyday tasks. i.e. "it'll cost soooo much money and that'll be passed onto the consumer". And they'll bring up out of context examples such as "may contain traces of peanuts" as if traces of GMOs were instant death i.e. the reason so many products have that particular warning is that peanuts (a legume) and nuts may have serious immediate consequences in small doses so any factory line processing different foods, only some of which contain nuts or peanuts, contaminates all other foods processed on that line.

We could insist on a supply line indication. i.e. default all ingredients that are likely to be GMO to having a GMO status, marked in the ingredients (it's not a branding, it's informing), and if the supply line can be confirmed i.e. the farmers mark their crops, and that information is sent down the line. Trace amounts could be ignored (no serious immediate consequences for trace amounts).

The real pity about all of this is that it could create a market differentiation. The reason I wasn't keen on NZ adopting GMO crops wasn't so much that I had any real objection to it, but that it was an opportunity to further the clean green image and create new markets by exporting GMO free foods. Smaller quantities sure, but a branding that could bring in higher prices.

Meanwhile, due to dairy intensification, our clean green image has fallen by the wayside while our branding seems to be all about short hairy footed people.

Wednesday, August 5, 2015

Privacy in Education in a Networked Age or: How I Learned to Live with the Bomb but Accept that it Might not be to Everyone's Taste

It's here. The information highway. Everything we do on the Internet is now logged and tracked. That pretty Gmail interface, with its unobtrusive targeted text advertising, must at some point scan the contents of your emails in order to pick up words to come up with that targeting.

Expand that out to ANYWHERE that there's targeted advertising. All of that content is scanned for your convenience. What do we get for it? In the case of Gmail, I get spam filtering that I would never be able to accomplish on my own. I am not the customer. I am the product. Even if I turn off advertising via an adblocker, that scanning is still going on. That information is still going somewhere. My movements are known. As scary as that is, I have agreed to those terms.

But what if you're not old enough, and (or) don't have the capacity, to be able to make informed decisions about privacy? Hell... who are those terms and conditions really written for? And who has the time to read them?

Unfortunately schools might not be our friends here.

While they're scrambling to find real benefits of various services (blogging for engagement in writing through "authentic audience" and giving monitored free rein gives "authentic voice"), privacy concerns can fall by the wayside in a "Just click that checkbox there and that button there and we're up and running!".

But worse than that, as ownership models change to 1:1 where the devices may be taken home as opposed to school-owned assets held on school premises, privacy may be invaded by the schools themselves.

Anything that allows a teacher to view what's going on on a student's machine in the classroom without looking over their shoulder is something that can also view what's happening on that machine outside of the classroom.

Do teachers have a right to know what's happening on a student owned (or rather, owned by their parents) device in places where they have an expectation of privacy? In the relative safety of their own homes or in their bedrooms for example. Isn't this equivalent to having a camera, controlled by the teacher/school, pointed at their monitor at all times?

Is big brother really just the giant faceless corporations where our data is stored "in the cloud", subjected to a whole tangle of jurisdictions and various laws?

Even when that jurisdiction is known, the big champions of privacy, MEGA.co.nz, are able to, at the very least scan the individual file names of the information stored there. There's more than enough to be concerned about.

Add to this concerns about the right to be forgotten. In 2006, Argentina and the EU established laws around "the right to be forgotten" which requires search engines to remove indexes to certain information. That information is not gone. It's just not searchable. The BBC has now started publishing a list of their links that have been "forgotten" due to some silly practises around it.

How is this relevant in an education discussion? Imagine you've grown up in a world that's full of computers. Cellphones just always were (except when they weren't - when dinosaurs roamed the earth). Learning is done on computers (in the same way that my generation couldn't imagine learning without paper. Boy did that change teaching). That time that you over shared something when you were 12 and funny things were happening to you...

You could, if you happen to live in the EU or Argentina, make a request for Google to remove that content from their searches. Hell, you could even choose to "delete" that content from a service.

Wait a minute though... when you delete that content, is it really deleted?

Facebook have time and again tried changing their terms and conditions to allow them to use any "IP content" put on there, non-exclusive, transferable, sub-licensable, royalty-free, worldwide license, in perpetuity. It's only through the efforts of a few people who actually read those terms and conditions, and kick up a fuss about it, that has made them relent and grants them those rights (except the "in perpetuity") until you delete the content (except when that content has been "shared with others and they have not deleted it").

What about other services? Facebook's got a lot of users and thus a lot of eyes keeping track of what they're doing. What happens for services where there isn't that critical mass of people limiting the power these companies grant themselves? Can that content be removed? Shouldn't children have a "right to be forgotten" as my, and earlier, generations did? Hell, all I needed to do was change schools. Side note: This, incidentally, was the only way I was given permission to write in pen. I never did earn my "pen license" in primary school.

Finally, we get to the elephant in the room: Imagine kids were given the option to opt out. Schools didn't essentially force a student to sign up to a service without understanding the privacy issues they might face if they did sign up. If this is the way that teaching is now done, and there's a student who refuses to sign up to it... Would that be like a student refusing to look at a whiteboard due to the fumes of whiteboard markers or a blackboard due to the dust? Is their concern over their own safety less important than a teacher's/school's choice in media of teaching?

I offer absolutely no answers here... It's one of those amazingly difficult problems, which at conferences seem to be dominated by "Faceless Corporation" comments. In a room full of educators, no one wants to hear "Who's going to protect the children from you?". Who is asking the REALLY tough questions?

That one I do have an answer to...

In 2011, the NZ Labour Party made a campaign promise to invest $75,000,000 in establishing 1:1 programmes encompassing 31,000 students (A pilot scheme). These questions weren't being asked then and still aren't being asked now.

Thursday, July 23, 2015

Is it Time to Ditch Google Chrome (and Chromium)?

I'm going to start off this post by saying that I LOVE Google Chrome browser on lighter weight machines. It's a fully featured browser with decent resource management.

And for deployments it's a dream! Compared to Mozilla Firefox, it's simple to administer.

I don't use it on my own desktop machine except for the occasional bit of testing on the platform. The problem?

Your web browser is no longer JUST a web browser. It's now an application platform. Google Chrome, in particular, is nasty on this front. While Firefox is completely open source, Google Chrome only pretends to be. I don't mean just the proprietary things like the Flash Plugin BUT also whatever Google decide to install and enable (as plugins).

It gets worse though. This blog post describes a scenario whereby Google were able to ignore the user's very specific instructions not to update. In other words, Google can change absolutely any policy and effectively take control. If you're a Linux user, you probably understand how amazingly terrible this is.

To those of you who don't quite understand this:
You buy a door. As part of buying that door, that door is updated. But one day you go to head out only to find that the door has been updated and now the hinges just won't work. You're not able to go back to the door that did work... You eventually, after much searching around, find a version of that same door that does work, but in order to avoid a situation where you're stuck inside your home, you decide to stop the door from being updated. The supplier of the door says "that's fine. All you have to do is use the lock and it'll be fine". A few weeks later, you find that your door is suddenly a different colour and the lock is gone.

It's hard not to feel violated when someone can just walk into your "home" (computer) without your permission. How much do you trust that someone?

It wasn't that long ago that Google started listening through your microphone. The crux of this is that the voice recognition software is not in your computer. It's instead, on the Internet. So in order for the "OK Google" keywords to be recognized, everything picked up by the microphone is sent to Google over the Internet to see if 'OK Google' is ever said.

So not only have Google removed the locks from your door, they've also bugged the place.

Now, this isn't normal. Google may claim it is. Others may argue the point about "forced updates" though if a setting has been set that is documented as stopping a particular activity and that activity happens anyway (phoning home to Google), Google are not working in good faith.

Oh, and also note, you are not safe while using Chromium either.

Thursday, May 28, 2015

MT7601 on Raspbmc

I bought myself a whole bunch of wifi dongles off aliexpress to sell though the condition on people buying a lot of them was reliant on them being suitable to use on Raspbmc.

Unfortunately they don't work straight out of the box and so I set about trying to get it working. On my desktop it was really easy (mostly).

 sudo apt-get install build-essential linux-headers dkms -y  
 wget http://ppa.launchpad.net/…/mt7601-sta-dkms_3.0.0.4-0~201502…  
 sudo dpkg -i mt7601-sta-dkms_3.0.0.4-0~201502051732~rev18~pkg2~ubuntu14.10.1_all.deb  

So the reason I didn't bother adding the ppa... Well... a dkms package is source code with some configuration files to make it recompile every time a kernel is installed. Which means, it should work regardless of what version of Ubuntu I'm on. Unfortunately, the ppa doesn't contain packages for 12.04 - which is no problem whatsoever. Just download the package and install...

Which means the dongles aren't completely useless. And on to Raspbmc. I started to look for information and was kind of disappointed by a lot of it. People had managed to compile it but hadn't left instructions as to how they managed it - instead providing binaries for a particular version.

Others were running into much the same problems that I was and going around in circles not really getting answers. So I decided I needed a script. So the binary could be provided, for quick and easy installation, but also, giving others the ability to compile the binaries themselves should the need arise.

The REALLY neat thing about this script is that it sets up an environment that should be suitable for other modules as well. The first part of this script could be split off into kind of a universal "build an environment for compiling modules" thing...

And yes... I get the chicken and egg thing... You require the Internet in order to run this script... There's no way around this.

 #!/bin/bash

 DRIVER_DOWNLOAD="http://cdn-cw.mediatek.com/Downloads/linux/mt7610u_wifi_sta_v3002_dpo_20130916.tar.bz2"
 #Might not be needed but... if you don't have enough space on your SD card and you've got a mounted USB drive on the pi,
 #this makes it use that instead... Comment out the next line if you just want to use pwd.
 #(It picks the mounted /dev/sd* filesystem with the lowest Use%.)
 MOUNTPOINT="$( df | grep "^/dev/sd" | sed 's/  */ /g' | cut -f 5,6 -d " " | sort -h | head -n1 | cut -f 2 -d " " )"
 HEADERS_DOWNLOAD="http://www.mirrorservice.org/sites/raspbmc.com/downloads/bin/kernel/linux-headers-latest.deb.gz"

 CURRENT_KERNEL_VERSION="$( uname -r )"
 DRIVER_FILENAME="$(basename "$DRIVER_DOWNLOAD")"
 #Fall back to the current directory (as an absolute path, because the script changes directory later)
 if [ -z "$MOUNTPOINT" ] ; then
  MOUNTPOINT="$(pwd)"
 fi

 if [ "$( whoami )" != "root" ] ; then
  echo "Must run as root"
  exit 1
 fi

 #install the compiler (hopefully this is enough to get what you need).
 if [ -z "$( dpkg -l | grep build-essential )" ] ; then
  apt-get install build-essential -y
 fi

 if [ ! -d "$MOUNTPOINT/mt7601" ] ; then
  mkdir "$MOUNTPOINT/mt7601"
 fi
 cd "$MOUNTPOINT/mt7601"

 #download kernel source. It's just chucking into the current working dir for now... mainly because I'm excessively lazy
 KERNEL_VERSION="rpi-$( echo "$CURRENT_KERNEL_VERSION" | cut -d. -f1,2 ).y"
 echo "$KERNEL_VERSION"
 wget https://github.com/raspberrypi/linux/archive/"$KERNEL_VERSION".tar.gz
 if [ ! -d src ] ; then
  mkdir src
 fi
 tar xvf "$KERNEL_VERSION.tar.gz" -C src
 KERNEL_DIR="$MOUNTPOINT/mt7601/src/linux-$KERNEL_VERSION"

 #I know.. this next bit seems really dumb.... just for a single file.... Apparently these headers aren't suitable for
 #building wifi drivers BUT has the Module.symvers file that we need...
 if [ ! -d headers ] ; then
  mkdir headers
 fi
 wget "$HEADERS_DOWNLOAD" -P headers
 cd headers
 HEADERS="$(basename "$HEADERS_DOWNLOAD")"
 #The download is a gzipped .deb, so unzip it before pulling it apart with ar
 gunzip -f "$HEADERS"
 ar x "${HEADERS%.gz}"
 tar xvf data.tar.gz "./usr/src/linux-headers-$CURRENT_KERNEL_VERSION/Module.symvers"
 cd ..
 mv "headers/usr/src/linux-headers-$CURRENT_KERNEL_VERSION/Module.symvers" "$KERNEL_DIR"

 #Prepare... point the running kernel's build link at the source tree and configure it
 rm -f "/lib/modules/$CURRENT_KERNEL_VERSION/build"
 ln -sf "$KERNEL_DIR" "/lib/modules/$CURRENT_KERNEL_VERSION/build"
 cd "$MOUNTPOINT/mt7601/src/linux-$KERNEL_VERSION"
 make mrproper
 zcat /proc/config.gz | sed 's/CONFIG_CROSS_COMPILE.*/CONFIG_CROSS_COMPILE=""/' > .config
 make modules_prepare

 #now deal to the drivers... Change this part down if you want to use this script for other wireless drivers
 cd "$MOUNTPOINT/mt7601"
 wget "$DRIVER_DOWNLOAD"
 tar xvf "$DRIVER_FILENAME" -C src
 cd src/mt7601*
 make

 #Make a package so that you can share the binary with others and to make it easy to remove if necessary.
 mkdir -p package/etc/Wireless/RT2870STA
 cp RT2870STA.dat package/etc/Wireless/RT2870STA
 mkdir -p "package/lib/modules/$CURRENT_KERNEL_VERSION/kernel/drivers/net/wireless/"
 chmod 755 "package/lib/modules/$CURRENT_KERNEL_VERSION/kernel/drivers/net/wireless/"
 cp os/linux/mt7601Usta.ko "package/lib/modules/$CURRENT_KERNEL_VERSION/kernel/drivers/net/wireless/"
 chmod 755 "package/lib/modules/$CURRENT_KERNEL_VERSION/kernel/drivers/net/wireless/"
 mkdir package/DEBIAN
 #Double quotes so the kernel version is written into postinst now rather than looked up (empty) at install time
 echo "#!/bin/bash
 depmod -a $CURRENT_KERNEL_VERSION" > package/DEBIAN/postinst
 chmod 555 package/DEBIAN/postinst
 #The version is the x.x.x.x taken from the driver file name
 echo "Package: mt7601$CURRENT_KERNEL_VERSION
 Version: $(echo "$DRIVER_FILENAME" | egrep -o "([0-9]\.){3}[0-9]")
 Architecture: armhf
 Maintainer: script by Nevyn Hira <nevynh@gmail.com>
 Section: admin
 Priority: optional
 Description: Ralink MT7601 binary drivers specifically for Raspbmc" > package/DEBIAN/control
 #Build to a named .deb and install that file
 DEB_FILE="$MOUNTPOINT/mt7601/mt7601-$CURRENT_KERNEL_VERSION.deb"
 dpkg -b package "$DEB_FILE"
 dpkg -i "$DEB_FILE"

At the moment the script doesn't do any sort of clean up.
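
The script runs as root and pulls the headers and the driver over plain HTTP before compiling and installing them, so it is worth checking each download against a checksum you have pinned yourself and refusing tarballs whose member names would land outside the target directory. This is an added example, not part of the original script; the function names are hypothetical and the checksum in the usage comment is a placeholder you have to fill in.

```shell
#!/bin/sh
# Added example (not from the original post): integrity and path checks for
# the archives the build script downloads and unpacks as root.
# All function names here are hypothetical.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE exists and its digest equals EXPECTED_HEX.
verify_sha256() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# archive_paths_safe TARBALL
# Returns 0 when no member name is absolute or contains a ".." component,
# 1 when one does, 2 when the file cannot be listed as a tar archive.
# -P makes tar list names exactly as stored instead of stripping a leading "/".
archive_paths_safe() {
    listing="$(tar -P -tf "$1" 2>/dev/null)" || return 2
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    return 0
}

# unpack_verified TARBALL EXPECTED_HEX DEST_DIR
# Extracts only after both checks pass; files end up owned by the
# extracting user rather than by whatever uid the archive names.
unpack_verified() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    archive_paths_safe "$1" || { echo "unsafe member path in: $1" >&2; return 1; }
    tar --no-same-owner -xf "$1" -C "$3"
}

# Usage in the build script, in place of the bare "tar xvf ... -C src":
#   DRIVER_SHA256="<pinned sha256 of the driver tarball>"   # placeholder
#   unpack_verified "$DRIVER_FILENAME" "$DRIVER_SHA256" src || exit 1
```

The headers download is a .deb rather than a tarball, so only `verify_sha256` applies to it before `ar x`. The name check does not inspect symlink members, so it complements rather than replaces tar's own extraction safeguards.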

Professionalism

I think the word "professional" is overused in ALL the wrong contexts. "You will act in a professional manner". Forgetting of course, that within certain contexts, a "professional manner" means to drop your pants and get fucked or get down on your knees and "be the hover".

So, I propose to you, that whenever someone says something as infuriating and stupid as "act professionally", that you all pick the profession that best suits the situation.

Someone being a complete wank? Dominatrixes get paid, right? Whip 'em till they say the safe word (just don't tell them what the safe word is and change it every so often to keep them guessing).

Actually... the dominatrix example works in all sorts of places. Yell at 'em till they're feeling humiliated. Order them into nappies. Sure, it's not the only way to act professionally, but it's probably the most fun/apt.

Friday, April 24, 2015

Dear Mr Prime Minister - An open letter to an abusive leader of this great country of ours

Dear Mr Prime Minister,

We deserve better.

On the 22nd of April, a blog post revealing months of bullying and harassing behaviour exhibited by you, toward a waitress, was posted on a blog. And public opinion erupted.


But let's be really clear here. What you did, is abuse someone. You used your position of power to continually, over a number of months, abuse and harass someone. Even upon learning that she didn't like it, you continued to do it, despite your statements after the facts of the behaviour came out.

I draw your attention to this passage from the original blog post:
As he approached me he thought it would be fitting to raise his hands high and make scary, suspense sound effects, like the music from the movie Jaws that we all know so well, and still gestured as if to reach behind me. As he towered overhead I slunk down, cringing, whilst Bronagh told him to “leave the poor girl alone”. I looked him in the eye and asked “is it self defence, with your security here, if I have to physically stop you from touching me?” and he countered, with a smile, “defence against what?”
That would seem to me that you've been caught out in a lie. You claim that when you realised, you apologised... immediately. That it was all in banter... You continued the behaviour, continued to make light of it, after you knew she viewed you as predatory. Why else the Jaws reference?

Your lack of remorse is concerning. You did not just over step the mark or cross the line. You left the line/mark well in the distance. What you did was not just weird. It was an abuse of power. You are not just exhibiting some child-like quality. You are displaying predatory behaviour. It was not just creepy. It was abusive and bullying.

2 bottles of wine, and a quick apology while running out the door followed by media statements telling us that it was little more than banter is not an apology. It does not begin to  make up for what you did to that poor girl or how you made her feel.

I've been finding this whole sordid affair somewhat depressing. It almost seems like we as a nation do not understand what abuse and bullying looks like. It looks like what you did and what you're continuing to do. The media does not change that. And if they did, can you imagine the consequences to our nation? A huge step backwards in terms of equality as more and more people feel justified in their abusive and bullying behaviour because... it was just banter (The Prime Minister said so).

How about you show some real remorse? And perhaps a public apology to go with it? How about you show us that you can be a leader as opposed to an Alzheimers riddled bully and abuser?

Regards,
Nevyn Hira
(A concerned, proud, though now embarrassed, citizen of New Zealand).


Monday, April 6, 2015

When Is Helping Not Helping?

I've been known to occasionally curse nerds. It's not that I don't like nerds, but often I come across what I would describe as "fucktardary". Basically, don't kick someone then tell everyone that you're helping them. This has come up a couple of times over the last few weeks on Facebook.

In one I was expressing a disgust for Let Me Google That For You and I was shocked and stunned that someone was not only defending its use, but also stating that he saw it as empowering people i.e. "Give a man a fish".

This isn't helping. It's patronizing. If someone is asking for help, and you want to help, help them. Don't be patronizing. Be patient and actually help them. Perhaps give them a search term they could use or link them to a Google search result. More likely than not, they're going to get angry at you if you're patronizing. You don't get to be a patronizing prat and feel proud of yourself for doing it.

The next occurrence was a conversation about needing to do something and the only way that works apparently requires a certain environment (Windows). To which I got a response asking "Why aren't you using Linux?". Because the requirement is to do it in Windows... Which had been stated. That's not helping. It's not even close to a helpful suggestion.

So let's get this clear. If you want to help someone:
  • It shouldn't be patronizing.
  • It should involve talking about the problem rather than preference.
  • It should be patient.
If you can't manage these things, then don't chime in. It's not that hard really. Alpha geeks are probably the worst at getting this right. I was surprised when I found someone who I helped on a daily basis say to me that she appreciated that I never made her feel stupid like others. I was surprised by this. It doesn't take much to be helpful. To empower. To add value. I tend to find myself chastising myself if I get it wrong. What could I have done better? Where did the conflict stem from? How can I approach it differently next time?

Alpha nerds are the worst! And I've even found myself leaving online communities for this reason. It just seems that bad behaviour is somehow normalised and the steaming heap of excrement is hidden under the guise of "help".

Friday, February 13, 2015

More Musings on Raspbmc

This is a follow-up to this post.

I spent a couple of hours trying to figure out why the shared database had stopped working... The problem? My raspberry pi versions had gotten out of sync. One updated, the other didn't.

Given that Raspbmc uses its very own idea of an update system, this isn't trivial. So, my number one tip: If you are running multiple Pis and they are using a shared database, and it's all working fine, turn off updates.

If your Raspbmc versions have gotten out of sync, you're going to need to ssh into your Raspberry Pis and run the following:

 sudo rm /scripts/upd_sys/*.sh  
 sudo wget http://svn.stmlabs.com/svn/raspbmc/release/update-system/getfile.sh -P /scripts/upd_sys  
 sudo wget http://svn.stmlabs.com/svn/raspbmc/release/update-system/cdn_env_prep.sh -P /scripts/upd_sys  
 sudo rm /scripts/upd_hist/kver  
 sudo rm /scripts/upd_hist/xbmcver  
 sudo rm /scripts/upd_hist/svcver  

After that, reboot. It may be tempting to do it from ssh, but it seems better to do it from the GUI. You'll need to do this on EVERY Pi running Raspbmc using the same database in order to get their versions all to the current version. After that, turn off updates.

As great as Raspbmc is, it is a broken system... Their reinventing of the wheel isn't really doing anyone any favours. What would make sense is providing their own apt repository and providing a solid upgrade path from Raspbian...

Monday, February 9, 2015

Picking A New ISP

I've found myself raging at Orcon ever since I switched my Internet to them.

It's been a whole thing... Initially, the install happened just after the billing cycle so for one month, I ended up paying twice for the same services. Not strictly Orcon's fault, but frustrating nonetheless.

Then, when the switch over did happen, there was a problem! Back with the Chorus guy to the cabinet. THEN there was still a problem. While I had Internet, I didn't have phone. Another couple of weeks wait..

Fast forward a month or so and there's some dicking around with the phone lines that resulted in a SSSSLLLLLOOOOOOWWWWW connection.. again. So I email Orcon and get a "have you tried turning it off and on again?" response. Not cool...

A ½ phone call that resulted in a factory reset router (COMPLETE pain in the arse as I then had to configure the router to my network again - get it on the right subnet, configure the leases in the DHCP server, sort out forwarded ports etc.) and finally it got escalated.

And that's when the communication stopped. Completely. No word from Orcon at all.... until a couple of weeks in. Chorus had put a line from over the road, to a junction point and I was getting Internet at about half the rate that I had before. They seemed to be continuing trying to fix the problem (rather than sharing a line). Chorus started digging up the footpath, and then Orcon sends an email saying that it's all fixed now! Wait... what? Chorus are still out there, Orcon didn't contact me when the shared line went up, and Chorus hadn't switched me back over to our original line. Screw you Orcon! Fail for communication!

In the meantime, I get an invoice from Orcon (I've paid for 3 months by this stage and have had 1 incident free month)...

Anyway, so the phone/Internet goes down for half a day while Chorus switch me back to my line. It's about 1Mbps higher than the shared line.... So around 60% of what it was...

And finally, they send me an email basically saying "You're on an old plan. But don't worry because we'll be switching you to a new plan! Your base rate is now $95". Cue much cursing as I try to find the base rate I have been paying. I find something about $65.22 with some comment about it excluding tax... but I can't find a base rate. I'm assuming the base rate is the cost for the basic services before the addons (phone bits and pieces). The email also includes a "you'll see the change in your invoice" which just has me cursing. That's a great big "we're doing shit, we're not telling you how we're changing (just what) and we won't tell you how much of an effect that has until we charge you for it".

That cursing has changed to "fuck you Orcon" and a great big "I need to find a new ISP".

But here's the thing... An ISP isn't an ISP anymore. They're also telecommunication companies...

So there are a few basic questions that don't really get answered:
  • Do they provide phone over copper?
  • Do they provide phone over a SIP service?
    • If they don't, why aren't they partnering up with other providers like 2talk?
    • Do you need to provide your own SIP gateway or do they provide it?
  • How do you make comparisons?
Phone services aren't easy to compare. What do you get for your money? Is national calling included? And what's with the limits on that? i.e. 1 hour / national call free.

The alternative is having 2 separate providers:
  • SIP
  • Internet
The problem with SIP providers though... they feel like a great big giant step backwards. Each plan seems to have monthly limits on the areas you call (local minutes, national minutes etc.).

Soooo.... does anyone out there have any suggestions?

Thursday, January 22, 2015

Lessons Learnt

How many industries do this?

Imagine the conclusion of a big project, or an event... Everyone's had a week or so to recover, and it's now time to break it down and figure it out.

What is it?

Well... I guess you could call it a "debrief", only, it's a lot bigger than that. You get EVERYONE into a room together. You take as long as you need. You make sure that EVERYONE talks about:
  • Anything that went particularly well.
  • Anything that went wrong.
  • Possible solutions for avoiding or mitigating the things that went wrong.
  • How to maximize the things that went well.
  • Where improvements can be made.
Why is this important?

Well... instead of leaving a project only to repeat past mistakes, it's helpful to turn it into a learning exercise. You get to learn how other people felt about it in comparison to how you were feeling about things. You figure out how to make the next iteration even better. I see it as professional development.

Is this common practice though? There's this whole thing against any sort of negativity and, by extension, critical thinking. But people who poke holes in things are making informed choices - they're trying to figure out what's wrong with a decision. The decision they come to is going to be THE most scrutinized of all the choices. But it also looks like they're trying to cast down the idea.
It takes a thick skin. In the case of a project, something's probably gone wrong that you feel responsible for. Perhaps it was a breakdown in communication between your team and another.

If you only look at the rainbows, and not the rain, chances are you're missing out on a whole lot of learning. It's that learning that you should be taking away with you. That's the positive that you miss out on by ONLY looking at the positive... and to me, that's a far worse negative than anything that might come out of looking over the negatives....

Tuesday, January 20, 2015

Photocopier - Proof of Concept

I was asked to photocopy something for someone and so I decided, given the state of my MFC (Multi-Function Center - photocopier, fax, printer) device, I'd do it using a scanner and printer. The reasoning for this is that I can, eventually, use a Raspberry Pi and its GPIO to give me a modular, extensible photocopier.

Extensible? you ask... well... It occurred to me that I only have a flatbed scanner, but at some stage, I might want to add a multipage scanner. Or I might want to switch to a colour printer (though my black and white, very fast, laser printer does me quite well for the time being). Or I might want to add a display of some description and have a scan to email facility. And if there's a display anyway, then the ability to print off multiple copies would be brilliant.


So, on my desktop computer, I put together this script. All I need to do is to set up a Raspberry Pi with Raspbian, hook up a button to the GPIO, and have it run this script whenever the button is pushed. Oh, and probably have a blinky LED to tell the user when the scanner is still scanning...

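 #!/bin/bash
 # Scan one page and send it straight to the printer (a one-shot "photocopy").
 SCAN_COMMAND="scanimage"
 SCAN_DESTINATION="plustek"   # scanner device, see: scanimage -L
 WIDTH_MM="210"               # A4
 HEIGHT_MM="297"
 RESOLUTION="150"
 # scanimage takes millimetres, pnmtops takes inches
 WIDTH_INCHES="$( echo "scale=3;$WIDTH_MM/25.4" | bc )"
 HEIGHT_INCHES="$( echo "scale=3;$HEIGHT_MM/25.4" | bc )"
 SCAN_PARAMETERS=(--mode Gray -l 0 -t 0 -x "$WIDTH_MM" -y "$HEIGHT_MM" --resolution "$RESOLUTION")
 PRINTER="FS-1030D"           # print queue, see: lpstat -p -d
 # Run the pipeline directly, with quoted arguments, instead of eval-ing a command string
 "$SCAN_COMMAND" -d "$SCAN_DESTINATION" "${SCAN_PARAMETERS[@]}" \
   | pnmtops -width "$WIDTH_INCHES" -height "$HEIGHT_INCHES" -imagewidth "$WIDTH_INCHES" -imageheight "$HEIGHT_INCHES" \
   | lp -d "$PRINTER"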

If this script is going to be used by anyone else:
  • You need to have sane and cups installed.
  • To get the scanner name run:
    • scanimage -L
  • To get the printer name run:
    • lpstat -p -d
  • The dimensions (WIDTH_MM and HEIGHT_MM) are obviously in millimeters (the dimensions there are for A4). It does a conversion to inches (damn Americans and their imperial system).
  • If you want colour copies, in SCAN_PARAMETERS change:
    • --mode Gray
    • to
    • --mode Color
  • If you're finding it slow, try turning down the resolution (though 150 seems to be a pretty good setting).
I'm planning on running this on a Raspberry Pi which I'll have set up with my tv server (I suspect I've found my problem with that though need to do some testing - for which I've had to order a couple of parts).
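The post mentions wanting multiple copies once there is a display attached. As an added example (not the script from this post), here is the same scan-to-print pipeline taking a copy count from the user, checking it, and passing every value as its own quoted argument so nothing typed on a keypad is ever interpreted by the shell. SCANNER and PRINTER are the post's values; MAX_COPIES and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. SCANNER and PRINTER are the post's
# values; MAX_COPIES, valid_copies, mm_to_in and photocopy are hypothetical.
SCANNER="plustek"
PRINTER="FS-1030D"
MAX_COPIES=20
WIDTH_MM=210    # A4
HEIGHT_MM=297

# Succeeds only for a plain decimal integer in 1..MAX_COPIES.
valid_copies() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or any non-digit
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le "$MAX_COPIES" ]
}

# Millimetres to inches for pnmtops (three decimal places).
mm_to_in() {
    awk -v mm="$1" 'BEGIN { printf "%.3f", mm / 25.4 }'
}

# Scan once, print N copies. Returns 2 on bad input before any device is touched.
photocopy() {
    copies="${1:-1}"
    if ! valid_copies "$copies"; then
        echo "refusing copy count: $copies" >&2
        return 2
    fi
    w="$(mm_to_in "$WIDTH_MM")"
    h="$(mm_to_in "$HEIGHT_MM")"
    # Each value is a separate quoted argument; no command string, no eval.
    scanimage -d "$SCANNER" --mode Gray -l 0 -t 0 \
            -x "$WIDTH_MM" -y "$HEIGHT_MM" --resolution 150 \
        | pnmtops -width "$w" -height "$h" -imagewidth "$w" -imageheight "$h" \
        | lp -d "$PRINTER" -n "$copies"
}

# Usage (from a button or keypad handler): photocopy 3
```

The page is scanned once and `lp -n` asks CUPS for the copies, so a ten-copy job does not mean ten passes of the flatbed.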