Octopodial Chrome

Stuff that Made Sense at the Time

The Personal Weblog of Bob Uhl


Saturday, 06 August 2011

Fifty unlikely Linux users

No-one runs Linux, right? Well, not quite: here’s a list of fifty Linux users you might not expect. From our own government, to foreign states, to aircraft, to some of your favourite websites, Linux is everywhere.

Why not give Ubuntu a spin today?

Friday, 17 June 2011

Lightweight Portable Security

I just discovered Lightweight Portable Security, a Linux distribution released by the US Air Force. The idea is that it’s a system which boots from a CD or flash drive and works entirely in volatile memory—thus any malware is unable to survive a reboot.

They even have an LPS-Remote Access which is the only way to access government systems without government-furnished equipment. That’s pretty cool!

It’s a nifty idea, particularly for folks who have to travel and use unknown hardware a lot. Of course, a true paranoid would develop his own version of LPS, not use one from the Air Force.

Thursday, 16 June 2011

How to install Linux Mint on an encrypted volume

One of the few things I miss about Fedora when using Ubuntu and related GNU/Linux distributions is the ease of setting up fairly complex disk partitioning schemes. I’m a big believer in disk mirroring (to protect against hard drive failure) and in encryption (to protect against data loss due to hardware theft), and Ubuntu requires use of an alternate, text-based installer while Linux Mint doesn’t even do that much.

Fortunately, this is Linux, which means I have all the tools I need to get this to work. Many thanks to this guide from 2008, which provided the base instructions.

Note that I do not set up software RAID (mirroring) in this case, as these instructions are for a laptop. If you want mirroring, my advice is to build two partitions on each mirror, one for /boot and one for the mirror volume, then build an encrypted volume atop the mirrored volume; add that encrypted volume to a volume group; and finally build logical volumes in that volume group.

A note about naming: throughout these instructions I refer to rootvg as the root volume group. This is fine for small installations; however, if you ever move disks between computers that also have their own group called rootvg, this causes trouble (generally, failure to recognise the new physical and logical volumes). For that reason, in practice I usually name my volume group with some unique name, perhaps related to the hostname.

  1. Boot from Linux Mint Katya DVD
  2. Open the terminal from the menu (lower left-hand corner). Install the Logical Volume Manager with sudo apt-get install lvm2.
  3. If this drive has previously held unencrypted data:
    1. Open a web browser and visit some site to generate some entropy; install and play some games too.
    2. sudo dd if=/dev/urandom of=/dev/sda bs=1M & sleep 5; while sudo pkill -USR1 dd; do sleep 60; done (make sure to continue web browsing and playing games—when unattended, leave some music or videos playing)
  4. Format the hard drive: sudo fdisk /dev/sda. Create a 512M primary partition 1 for /boot (no BIOS that I’m aware of supports booting from an encrypted disk, so your boot partition must be plaintext) and then an extended partition 2 for the rest of the disk, with a logical partition 5 filling it. I’m sure there’s a GUI to do this too, but the command-line is easier and quicker.
  5. Create an encrypted volume: sudo cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/sda5 (if you get an error, run sudo modprobe dm-crypt; sudo modprobe aes-i586 to load the crypto modules)
  6. Activate the new volume: sudo cryptsetup luksOpen /dev/sda5 cryptpv
  7. Create an LVM physical volume on the encrypted volume: sudo pvcreate /dev/mapper/cryptpv
  8. Create a LVM volume group: sudo vgcreate rootvg /dev/mapper/cryptpv
  9. Create a logical volume for your swap (virtual memory): sudo lvcreate -L 4G -n swaplv rootvg (where 4G is twice your RAM).
  10. Create a logical volume for your root filesystem: sudo lvcreate -l 100%FREE -n rootlv rootvg
  11. Format your boot partition: sudo mkfs.ext2 /dev/sda1
  12. Format your root partition: sudo mkfs.ext4 -j /dev/mapper/rootvg-rootlv
  13. Install Linux Mint as usual; the installer should detect the partition and logical volumes. Make sure to use the advanced partitioning tool. Format /boot as ext2; format / as ext4 (the reason for formatting them earlier is so that the installer doesn’t get confused; I reformat in case the installer uses any special options). Do not use the swap as swap; the installer will be confused and believe that it is a physical volume. If others will have unsupervised login access, consider encrypting your home directory as well.
  14. Mount the new root on /mnt: sudo mount /dev/mapper/rootvg-rootlv /mnt
  15. Mount the new /boot: sudo mount /dev/sda1 /mnt/boot
  16. Change root (this makes the current process think that /mnt is /—which is another way of saying that it makes it appear that you’re working inside the freshly-installed system): sudo chroot /mnt
  17. Mount special filesystems: mount -t proc proc /proc; mount -t sysfs sys /sys; mount -t devpts devpts /dev/pts
  18. Update the list of available software: apt-get update
  19. Install LVM2 on the freshly-installed system: apt-get install lvm2
  20. Update the cryptography table: vi /etc/crypttab
    cryptpv /dev/sda5 none luks
  21. Update the filesystem table: vi /etc/fstab
    /dev/mapper/rootvg-swaplv none swap 0 0
  22. Update the list of modules included in the boot-initialisation ramdisk (this may actually be overkill nowadays): vi /etc/initramfs-tools/modules
    dm_mod
    dm_crypt
    sha256_generic
    aes-i586
  23. Build the new initramfs: update-initramfs -k all -c
  24. Unmount the special filesystems: umount /dev/pts; umount /sys; umount /proc
  25. Exit the chroot jail: exit
  26. Unmount the boot filesystem: sudo umount /mnt/boot
  27. Unmount the freshly-installed root filesystem: sudo umount /mnt
  28. Format the swap logical volume: sudo mkswap -L swap -f /dev/mapper/rootvg-swaplv
  29. Reboot: sudo shutdown -r now

After following these instructions, you should have a fully-encrypted root volume running Linux Mint.
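Before step 29 reboots, the configuration written in steps 20 to 22 is worth checking from inside the chroot. The following is an added example, not part of the original guide; it assumes the names the guide uses (cryptpv, rootvg, swaplv), and it goes a little beyond the guide in two places: it reads /etc/initramfs-tools/modules as one module per line, which is that file’s format, and it suggests UUID= over /dev/sdX in crypttab.

```python
"""Added example, not part of the original guide: a pre-reboot sanity check for
the crypttab, fstab and initramfs module list written in steps 20 to 22.  A
mismatch between these files and the mapper/volume names is what turns the
first boot into a "cannot find root device" prompt.  check_chroot() reads the
files from the chroot; check_install_config() does the work on their text."""
import os
from typing import List

# Names used throughout the guide; change VG if you gave the volume group a unique name.
CRYPT_NAME = "cryptpv"
VG = "rootvg"
SWAP_LV = f"/dev/mapper/{VG}-swaplv"
NEEDED_MODULES = {"dm_mod", "dm_crypt"}


def parse_table(text: str) -> List[List[str]]:
    """Split a crypttab/fstab-style file into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_install_config(crypttab: str, fstab: str, modules: str) -> List[str]:
    """Return the problems found in the three files' text; an empty list means OK."""
    problems = []

    # crypttab: <name> <device> <keyfile> <options>.  The name is what appears
    # under /dev/mapper, so it must be the one pvcreate was run against.
    entries = {r[0]: r for r in parse_table(crypttab) if len(r) >= 4}
    entry = entries.get(CRYPT_NAME)
    if entry is None:
        problems.append(f"crypttab: no '{CRYPT_NAME}' entry with four fields")
    else:
        if "luks" not in entry[3].split(","):
            problems.append(f"crypttab: '{CRYPT_NAME}' lacks the luks option")
        if entry[1].startswith("/dev/sd"):
            # Not fatal, but /dev/sdX names can change when another disk is attached.
            problems.append(f"crypttab: {entry[1]} is a kernel device name; prefer UUID=...")

    # fstab: <device> <mountpoint> <type> <options> <dump> <pass>
    rows = [r for r in parse_table(fstab) if len(r) >= 3]
    mountpoints = {r[1] for r in rows}
    for mp in ("/", "/boot"):
        if mp not in mountpoints:
            problems.append(f"fstab: no entry for {mp}")
    if not any(r[0] == SWAP_LV and r[2] == "swap" for r in rows):
        problems.append(f"fstab: no swap entry for {SWAP_LV}")

    # /etc/initramfs-tools/modules lists one module per line; anything after the
    # first word on a line is passed to that module as parameters, not read as
    # further module names, so "dm_mod dm_crypt" on one line only loads dm_mod.
    listed = {r[0] for r in parse_table(modules)}
    missing = NEEDED_MODULES - listed
    if missing:
        problems.append("initramfs modules: missing " + ", ".join(sorted(missing)))
    return problems


def check_chroot(root: str = "/") -> List[str]:
    """Run check_install_config() on the files under `root` (e.g. /mnt before the chroot)."""
    def read(rel: str) -> str:
        with open(os.path.join(root, rel)) as fh:
            return fh.read()
    return check_install_config(read("etc/crypttab"), read("etc/fstab"),
                                read("etc/initramfs-tools/modules"))


if __name__ == "__main__":
    for problem in check_chroot("/") or ["configuration looks consistent"]:
        print(problem)
```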

Thursday, 06 January 2011

Ninety-seven things every programmer should know

Here’s a list of 97 essays for programmers, each written by a different author. They look pretty interesting, and the ones I’ve read seem pretty smart.

Wednesday, 15 September 2010

Unix as Literature

My acquaintances know that I work in computers; my friends may know that I’m a Unix sysadmin; my close friends might actually know that Unix is a computer operating system. What few if any of them know is why I use Unix, why I love using it and why I will not own a computing device without it. It boils down to the fact that I do not merely use computers; I wield them to some end—and there has not been an OS which has combined mainstream success and wieldability like Unix has.

Way back in the Dark Ages when I was in college, Thomas Scoville noted that Unix aficionados are a different sort; I think this is why. We don’t just use some code someone else wrote to make the computer do something he thought of; we write our own, to make the computer do something no-one ever thought of before. We don’t react to some foreseeable problem in some predetermined manner; we prevent the foreseeable problems from occurring in the first place, and discover new ways of resolving the unforeseeable.

A computer which doesn’t empower me in that way is merely a device. I might use it as I do a toaster, a screwdriver or a phone, but I will never live in it as I do on a command line.

Saturday, 13 March 2010

How Unique Is Your Browser?

The Electronic Frontier Foundation have a neat tool out: the Panopticlick. Many folks don’t know this, but every time you visit a web page your web browser sends lots of information to the web server you’re talking to—stuff like what web browser you’re using, what sort of pages you can read, which plugins you have installed and so forth. This is necessary in order for the remote web server to answer you appropriately. But it can be used to identify you.

How? Imagine that your web browser is just describing you: it might say that you have brown hair, blue eyes, fair skin, a mole on your left cheek, a slight limp, prefer wearing plaid shirts, never wear a hat, have a birthmark on your left ankle and so forth. None of those data are unique: the world is full of brunettes, full of folks with blue eyes and so forth. But there’re not that many brown-haired, blue-eyed, left-cheek-moled folks out there—and still fewer have fair skin, and fewer still have a slight limp, and fewer still have birthmarks on their left ankles.

Why does this matter? Well, it matters in the same sense that fingerprints matter. Every time you touch something, you’re leaving fingerprints—and every time you visit a website you’re leaving a fingerprint. Pretty nifty, huh?
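The narrowing described above, worked through the way Panopticlick reports it: each trait contributes -log2(fraction of browsers sharing it) bits, and the bits add up under an independence assumption. This is an added example, not from the original post, and the trait frequencies in it are constructed sample values, not survey figures.

```python
"""Added example (not from the original post): how individually common browser
traits add up to an identifying fingerprint, measured as Panopticlick does, in
bits of surprisal.  The trait frequencies below are constructed sample values."""
import math
from typing import Dict, List, Tuple

# Constructed sample: the fraction of browsers that share each observed value.
# Illustrative only, not measured data.
SAMPLE_POPULATION: Dict[str, float] = {
    "User-Agent": 0.02,        # one browser/OS/version combination in fifty
    "Accept-Language": 0.30,
    "Plugins": 0.001,          # an exact plugin list with versions is rare
    "Screen": 0.15,
    "Timezone": 0.10,
    "Fonts": 0.0005,
}


def surprisal_bits(fraction: float) -> float:
    """Bits of identifying information in a trait shared by `fraction` of browsers.

    A trait half the population shares gives one bit; one in a thousand gives ~10."""
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return -math.log2(fraction)


def fingerprint_bits(traits: Dict[str, float]) -> float:
    """Total bits for the combination of traits.

    Adds the per-trait bits, which assumes the traits are independent.  Real
    traits correlate (installed fonts follow the OS, which the User-Agent
    already names), so this is an upper bound on the true figure."""
    return sum(surprisal_bits(f) for f in traits.values())


def one_in(bits: float) -> float:
    """Population size in which a fingerprint carrying `bits` is expected to be unique."""
    return 2.0 ** bits


def is_unique_among(traits: Dict[str, float], population: int) -> bool:
    """True if the combination is expected to single out one browser in `population`."""
    return one_in(fingerprint_bits(traits)) >= population


def most_identifying(traits: Dict[str, float]) -> List[Tuple[str, float]]:
    """Traits ranked by how much they narrow the crowd, most identifying first."""
    return sorted(((name, surprisal_bits(f)) for name, f in traits.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, bits in most_identifying(SAMPLE_POPULATION):
        print(f"{name:16s} {bits:5.2f} bits")
    total = fingerprint_bits(SAMPLE_POPULATION)
    print(f"combined: {total:.2f} bits, i.e. roughly one browser in {one_in(total):,.0f}")
```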

Saturday, 16 January 2010

Why mailx Doesn't Do Windows

Gunnar Ritter, maintainer of the commonly-used mailx program, explains why it’s not available on Windows. It’s an interesting tale of how the kluges deep within that semi-operating pseudo-system mean that even in 2010 design decisions made in the Seventies afflict Windows.

They afflict Unix too, of course, but generally our design mistakes were smarter than Windows’s design mistakes. Even in error we’re better.

Wednesday, 12 August 2009

One Hundred Questions

Here’s a nifty list of 100 interview questions for developers. I can’t say that I can answer them all, but I know most…and will learn the rest.

Friday, 03 July 2009

London Stock Exchange Abandons Failed Windows Platform

You just can’t ask for a better headline than this. It looks like the London Stock Exchange, having lost a packet due to using Microsoft and Accenture technology, has decided to call the whole thing off. No word yet on what the replacement will be, although Linux is one option.

Not that Linux—or even Unix—is necessarily the best option. There are even better OSes out there, for example any mainframe OS. The remaining midrange OSes like IBM i might not be a bad fit either.

The problem with Windows is not simply that it’s shoddy: all software has bugs, generally lots of them (Lord knows Linux has plenty). The problem is that it’s not resilient to those bugs, and that one has a great deal of difficulty working around those bugs and flaws. Unix really isn’t that great in and of itself but one can extend it and massage it into shape; Windows isn’t that great (although the operating system itself—I don’t mean the user interface—might actually be better), but what you see is more or less what you’re going to get.

Tuesday, 23 June 2009

More Lisp Packages

I’ve added more packages to my repository:

cl-vectors
An anti-aliased vector rasterization library
cl-zpb-ttf
A TrueType parser
cl-zpng
A library for creating PNG files
cl-vecto
A vector rasterization library which wraps CL-VECTORS

If you use Common Lisp to do graphics work, maybe these will be of some assistance.

Thursday, 18 June 2009

Announcing the Octopodial Chrome Yum Repository

I have packaged many Common Lisp packages for Fedora 11. Furthermore, I have set up a Yum repository to make it very easy to install Common Lisp packages. All you need to do is grab the repository RPM and install it. If using Firefox then Package Kit should open automatically; if using a command line you can install with:

rpm -ivh octopodial-chrome-11-1.fc11.noarch.rpm

From then on you can install new software as normal, using yum on the command line, Add/Remove Software in the GUI or whatever your normal install method is.

The following software packages are currently available:

cl-alexandria
Public domain utilities for Common Lisp
cl-babel
Charset encoding/decoding library for Common Lisp
cl-base64
RFC 1521 base64 library for Common Lisp
cl-bordeaux-threads
A portable multithreading library for Common Lisp
cl-cffi
Common Foreign Function Interface for Common Lisp
cl-chunga
Portable chunked streams for Common Lisp
cl-fad
Unification layer atop Common Lisp’s pathname functions
cl-flexi-streams
"Virtual" bivalent streams that can be layered atop real binary or
cl-flexichain
Common Lisp library for editable sequences
cl-hunchentoot
A web server written in Common Lisp
cl-ironclad
Cryptography library for Common Lisp supporting many cyphers,
cl-mcclim
Common Lisp Interface Manager, a portable GUI for Lisp
cl-md5
Simple MD5 library for Common Lisp
cl-parse-number
Simple library to parse numbers from strings
cl-ppcre
Portable Perl-compatible regular expressions for Common Lisp
cl-rfc2388
RFC 1521 rfc2388 library for Common Lisp
cl-spatial-trees
Common Lisp Interface Manager, a portable GUI for Lisp
cl-split-sequence
Simple library to split a sequence on some delimiter
cl-sql-backend-postgresql
PostgreSQL for CLSQL, a Common Lisp SQL interface
cl-sql-common
Common files for CLSQL, a Common Lisp SQL interface
cl-ssl
Common Lisp interface to OpenSSL
cl-swank
SLIME Lisp-side server
cl-trivial-features
Ensuring consistent FEATURES across Common Lisp implementations
cl-trivial-gray-streams
Extremely thin compatibility library for gray streams
cl-usocket
A portable TCP/IP (and later on maybe UDP) socket interface for
cl-who
Common Lisp HTML markup library
cl-x
X11 interface for Common Lisp
emacs-common-slime
Superior Lisp Interaction Mode for Emacs
emacs-slime
Compiled elisp files to run slime under GNU Emacs
emacs-slime-el
Elisp source files for slime under GNU Emacs
xemacs-slime
Compiled elisp files to run slime under XEmacs
xemacs-slime-el
Elisp source files for slime under XEmacs

Please pass this information on to anyone who uses Common Lisp on Fedora.

Tuesday, 16 June 2009

Disney Destroys Net Neutrality

A fundamental principle of the Internet is that all hosts are peers, that is, there is nothing fundamentally different about your laptop or Time magazine’s web serving computers: each is a computer; each can run the same software and communicate in the same way; neither is privileged over the other.

Net neutrality is an important implication of this principle. Basically, all hosts on the Internet have the same access to resources as any other host. That doesn’t mean that one can’t charge people for different types of access (e.g. online subscriptions to the Wall Street Journal), but it does mean that one can’t forbid some hosts from trying to talk to you while allowing others to do the same.

The big entertainment corporations hate the idea of net neutrality, as it means that they actually have to convince their customers to purchase their wares; they prefer a model like basic cable, where every subscriber pays for BET or Nickelodeon regardless of whether he wants it. They would like to form partnerships with ISPs, charging all of an ISP’s customer in order to provide content that only a few use.

Disney is the first to actually go ahead with this. It doesn’t matter whether or not I want to use their sports website (let’s put it this way: I have never watched a sports game on my computer, and I don’t expect to ever watch a sports game on my computer); my ISP is paying Disney no matter what—much as a shopkeeper might pay a mafioso—and thus I am paying Disney a little bit of money every month.

Note that this has nothing to do with sports. It could be a service I like—maybe something about homebrewing, or about politics, or whatever: it’s outright wrong to sell access at the ISP level rather than at the customer level.

Although it is rather neat that this involves Disney. Another online commentator noted that Disney is to culture what thyroid cancer is to metabolism. It’s appropriate that The Mouse be behind this latest instance of a monopolist abusing its position.

Monday, 15 June 2009

Running Lisp as a Linux Service

One of the truly wonderful things about programming in Common Lisp is that the system is completely interactive: the programmer can manipulate anything at run time, including the language itself. This is a really powerful technique—but how does one preserve the state of the system between reboots? And how does one get an image-based Lisp system to play nice with Linux’s system service model?

Well, John Wiegley published a great technique a few years ago which I’ve adapted for Tasting Notes. It’s remarkably simple: create a user to run the system as (just like other services like PostgreSQL or httpd); then create a standard init.d script to run the system. The really clever thing he does is start the system itself, a Swank listener and a kill port. Starting the system is self-explanatory, but what about the rest?

Swank provides a live connexion to a running Lisp system via which one can interact with the system’s internals. It’s pretty cool, and Wiegley’s method gets the job done. So far this is pretty standard stuff; I’ve used it in my own software.

The really clever bit is this bit of code here:

(defvar *kill-port* 4006) ; example value: must match $KILL_PORT in the init script

(let ((socket (make-instance 'sb-bsd-sockets:inet-socket :type :stream :protocol :tcp)))
  (setf (sb-bsd-sockets:sockopt-reuse-address socket) t) ; let a restart rebind the port
  ;; Bind to loopback only, so nothing off-host can trigger a shutdown.
  (sb-bsd-sockets:socket-bind socket #(127 0 0 1) *kill-port*)
  (sb-bsd-sockets:socket-listen socket 1)
  ;; Block until someone connects, then announce the shutdown to them...
  (multiple-value-bind (client-socket addr port) (sb-bsd-sockets:socket-accept socket)
    (declare (ignore addr port))
    (let ((stream (sb-bsd-sockets:socket-make-stream client-socket :element-type 'character
                                                     :input t :output t :buffering :none)))
      (princ "Saving core and shutting down…" stream)
      (terpri stream))
    ;; ...and close up the sockets.
    (sb-bsd-sockets:socket-close client-socket)
    (sb-bsd-sockets:socket-close socket)))

What this does is wait until someone connects to *KILL-PORT*, then proceeds to shut down the system, kill all threads and cleanly exit. Smart and very simple: all the shutdown script has to do is telnet $KILL_PORT and the software shuts down.

Finally, it calls SB-EXT:SAVE-LISP-AND-DIE to save the current Lisp environment to a file; the next time it starts up it will run that image, so the software’s complete history is saved.

All in all, extremely nifty; I ported Tasting Notes to start using it this weekend.

Saturday, 13 June 2009

How to Get H.264 Working with Totem and Firefox

Apple uses H.264 for a lot of its trailers; unfortunately Fedora doesn’t come with it out of the box. Fortunately it turns out that ffmpeg (available from RPM Fusion) does support it, so all you need to do is run sudo yum install ffmpeg-libs gstreamer-ffmpeg and life is good.

Fedora 11

Last night I upgraded to Fedora 11. I have to say that I’m impressed! It’s the first Fedora upgrade in a long time which went in quickly and cleanly, without any problems that had me tearing my hair out, which was a problem with past releases (and if I—a professional sysadmin and geek—had trouble then, you know that normal people did). Overall, Fedora 11 looks more like a polishing release than a feature release: for the most part, things look & behave the same, but they do it better, with fewer bugs.

The latest GNOME desktop looks even nicer than before, with clean lines and subtly eye-pleasing colours. It’s an improvement on the last, which was itself an improvement over previous versions. Session state appears to be working again, which is good (it was broken in Fedora 10).

I was able to get SBCL, PostgreSQL and CLSQL easily installed and got my beer tasting notes site back up and running very easily.

Likewise for the rest of this website and for all the other programmes I have installed on this computer. All in all it’s been a remarkably pain-free—even enjoyable—upgrade experience.

I can recommend the upgrade whole-heartedly. For those of you stuck on broken, proprietary, freedom-hating OSes: now’s the time to switch over. It’s worth it, really.

Monday, 08 June 2009

Unix Turns 40

As most of my readers know, my day job is as a Unix system administrator for a large outsourcing company. What’s Unix, the non-technical among you might ask. Well, basically it’s just about the greatest computer operating system to achieve widespread use (there have been better or more interesting ones, but they never really took off). It turns 40 this year. Kinda funny that I work on something almost nine years older than I am.

Kinda sad that the computing world hasn’t adopted anything better in the intervening decades either.

Saturday, 16 May 2009

PGP Key Transition

Due to recently discovered vulnerabilities in the SHA-1 hashing algorithm, I am transitioning from my old PGP key to a new one. My old key was:

pub 1024D/47740A63 2001-06-26
Key fingerprint = 347A 5D07 607B 6D88 6882 5F64 4361 EBDA 4774 0A63

My new key is:

pub 4096R/A65E2454 2009-05-16
Key fingerprint = 0113 A3F5 598B 51C2 4D24 950B EC98 693D A65E 2454

An easy way to import the new key is to run gpg --fetch-keys http://www.octopodial-chrome.com/~ruhl/A65E2454.asc to fetch it from my webserver; alternatively you could fetch it from MIT’s public keyserver with gpg --keyserver pgp.mit.edu --recv-key A65E2454.

If you already know my old key, you can verify that the new key is signed by the old one with gpg --check-sigs A65E2454. If you don’t already know my old key, you can check the fingerprint against the one above with gpg --fingerprint A65E2454.

If you’re satisfied that you have the correct key and that you trust it and me, you can sign my key with gpg --sign-key A65E2454.

If you _do_ choose to sign my key, it would be very useful if you would upload the signatures, either by emailing them to me with gpg --armour --export A65E2454 | mail -s 'OpenPGP signatures for A65E2454' eadmund42@gmail.com or by sending them to a key server with gpg --keyserver pgp.mit.edu --send-key A65E2454.

Please feel free to contact me if you have any questions. Sorry for the inconvenience, but it’s the price we must pay in order to have security.

Many thanks to Daniel Gillmor for his quick guide to making the transition.

Tuesday, 05 May 2009

Software as a Craft

Bob Martin proposes that software development teams model themselves after craft guilds, with a master programmer supervising journeymen programmers who supervise apprentices. Not only that, but computer science degrees would be replaced by apprenticeship in most cases. He demonstrates that such a team would be fairly inexpensive and could be highly productive. It’s an intriguing idea.

My big concern with eliminating college is simply that higher education expands the mind. But is it really necessary to spend $200,000 between the ages of 18 and 22 in order to expand one’s mind? Perhaps that’s really just a luxury for the rich.

Wednesday, 25 March 2009

Why Free Software Rocks

The Guardian uses lots of free software to run their website. Recently, they discovered a bug, tracked it down, fixed it and submitted the patch to the developers. Were it proprietary software, they would have discovered it, but would have been unable to track it down or fix it, and the odds are that their vendor would not have considered it a high priority.

Free software rocks.

Monday, 23 March 2009

Craiglook

I recently discovered Craiglook, a mashup which adds a nifty search interface to Craigslist. For example, all bikes for sale within 20 miles of Denver. Might be more useful than the normal Craigslist.

Wednesday, 04 March 2009

Using Microsoft Excel Corrupts Genes

Well, that title is a bit alarmist, but it’s true: Excel corrupts gene names and Riken identifiers in spreadsheets. I have to ask: if you’re doing anything important, why are you using Microsoft software to do it?

Saturday, 24 January 2009

Happy Birthday Macintosh!

The Apple Macintosh turns twenty-five today. I still remember how amazing it was when Dad brought one home, and how much cooler the Mac, and Mac software, and Mac people, were than any other computer of the time. We boys spent hour upon hour playing Deja Vu and Dark Castle, making pictures in SuperPaint, writing papers and so on.

I’m a Linux geek now, but I’ll always have a certain soft spot in my heart for the classic black-and-white all-in-one Macs.

Wednesday, 14 January 2009

Unix Time to Hit 1234567890

Computers generally track time as the number of units of time (e.g. seconds or milliseconds) since some date (called the epoch); Unix counts the seconds since 1 January 1970 at 00:00:00 GMT. Well, at 23:31:30 GMT on 13 February 2009 it will be 1,234,567,890 seconds since the epoch.

Yeah, I’m just a bit of a geek…

Friday, 12 December 2008

Apache, SELinux and CGI Scripts

Tonight I upgraded to Fedora 10, which was relatively less painful than such upgrades have been in the past. One big problem, though, was getting Blosxom working. Try as I might, I kept on getting errors in /var/log/httpd/error_log stating Permission denied: exec of '/var/www/blosxom/bin/blog' failed.

After lots of playing around, I discovered the solution: just run chcon -t httpd_sys_script_exec_t /var/www/blosxom/bin/blog. It turns out that in the latest Fedora, SELinux has pretty fine-grained controls and needs to be told that it’s okay to execute CGI scripts. Not a big deal, but not friggin’ documented anywhere!

Anyway, if you’ve been having this problem, there’s the solution.


This is my blogchalk:
United States, Colorado, Englewood, Centennial, English, , Robert, Male, 21–25, Free Software, Society for Creative Anachronism.