Monthly Archives: April 2011

Sydney Visit

4 Replies

I decide to take a visit to Sydney for a weekend earlier this month and haven’t had a chance to get around to putting up the information just yet – so here’s my overdue blog post so that people stop nagging me about it ;-)

In 2011 so far I’ve been to Brisbane and Melbourne, so I wanted to add Sydney to the list of cities I’ve visited – part of me is still toying with a change of scenery and AU would certainly offer that, along with better weather.

 

Friday

First up, I flew in on Friday evening and meet up with my exploring buddy @chrisjrn who also decided that a lone New Zealander would threaten the people of Sydney too much, so came along to keep me under control.

We took the airport train in to the CBD, which is pretty fast and cost effective at around $15 per person, although the trains could do with a bit of cleaning and de-gettoing. :-/

After dumping bags at our dodgy Park Regis hotel, we started off having dinner at the City Extra restaurant down at Circular Quay – the food was mediocre, but the fact it’s 24×7 and right at the waterfront is pretty awesome.

Here's a dodgy looking @chrisjrn with the Sydney Harbor Bridge in the background.

One thing that I always find different about AU, is the cultural practice of paying for dining at the end of the meal, rather than upfront like we do at a lot of New Zealand cafes – it’s handy in that you can easily order more drinks/snacks, but it also means you can’t just get up and go afterwards like you do in NZ.

 

Saturday

The first proper day of exploring was Saturday morning – after waking up and leaving our hotel, we headed out for a coffee from some random in-the-wall place followed by a walk down to Circular Quay to attend the well known “Pancakes on the Rocks” resturant.

Sydney Town Hall (I think?)

Oh no, an Australian!

 

Two good looking objects, one in the foreground, one in the background ;-)

It's hard to get an idea of the scale of the bridge - this shot of the buildings at it's base helps show some of the size off

Pancakes on the Rocks was quite amazing – they have a huge menu of different style pancakes with big servings and topping options.

OMG PANCAKES

NOM NOM NOM NOM

I have to comment on the pricing, I found the meals pretty reasonable at most of the places I went to in Sydney – whilst many of the places I visited were in tourist zones, I found the prices I was paying to be around the same as Wellington NZ (excluding the currency conversion), which reminds me that I think Wellington is getting a bit pricey for what it is lately….

 

After pancakes, we took one of the ferries across the harbor to Manly – sadly I don’t have any good pictures of the larger ferry I was on, but I did get some of the smaller ones.

Ferry racing!

Sydney harbor is much larger than you initially think, and there’s also a section of military harbor space you can see from the boat.

Saturday spend most of the day raining, so we took a bus trip back from Manly to a station, then the train over the Sydney harbor bridge, to see the city without getting soaked wet.

I noticed that you can actually walk or cycle the bridge on regular pathways or even pay for a tour to climb up to the top of the bridge, which would be pretty good fun – if I have time, I’ll consider doing it on a future trip. :-)

Upon the return to Sydney, we visited the Apple store – whilst being a firm anti-Apple, pro-OSS, Android-loving fanboy, it was well worth the visit – Apple truly understands how to make a unique retail experience.

The flagship Apple store in Sydney

About 1/3 of the store floor space is a huge perspex staircase – something that would be unheard of in any other retail environment, but for Apple, this creates an impressive sense of awe at the store.

The shop was packed when we visited, with crowds gathering around tables playing with ipads whilst an Apple employee walked users through an ipad tutorial.

I think the staff really help make it work – whilst there several approached us to ask if they could show us any cool technology or help us in anyway, despite the store being flat out busy – something which would lead to you being ignored in a conventional retail store like DSE.

They also seem to actually know their stuff – something MagnumMac/Yoobee should learn – their staff are so hopeless I had to explain what OS X Leopard was once…. :-/

 

Like any yuppies, after visiting the Apple store, we headed off in search of fancy coffee – which we found thanks to @chrisjrn’s old uni haunt where we had the opportunity to have some siphon coffee. There’s a good write up on how it works and how to make it here, regardless whether you are a fan or not, it’s quite impressive:

Siphon Coffee!

Anything served in a steaming beaker is epic.

The coffee produced is very light, yet has a strong flavor of the beans, without being too bitter – it clearly wasn’t a common order, since the coffee guy then made us some other filter coffee varieties as tasters to please us coffee snobs.

After coffee, we wandered back through town, the chinatown area and then spent the afternoon/evening relaxing at the hotel and had dinner at some dodgy Irish pub.

 

Sunday

The rain finally subsided a bit on Sunday, so we were able to do more of the walking around the city that we had planned.

Sydney has a few older buildings, although nothing like the volume that Melbourne has.

I also had the delightful opportunity to meet fellow New Zealander @tanya for the first time and ended up dragging her along for breakfast at the coffee shop, where I proceeded to eat lots of her scrambled eggs after demolishing mine.

OMG it's @tanya

Be wary of strange Australians offering coffee

After coffee, we wandered back into the CBD, headed to the harbor and ended up taking the monorail around the city. Twice. Because monorails are just that awesome.

MONORAIL :-D :-D :-D

Sydney, viewed from a MONORAIL :-D

@tanya looking fierce on a MONORAIL

Me experimenting with the new front camera feature of my Nexus S.... whilst on a MONORAIL! :-D

After I was dragged off the awesomeness that is the monorail the interesting trip around the city, we said goodbye to @tanya who clearly decided that there were more exciting things to do than spending the afternoon with debating geeks.

@chrisjrn and I wandered along the waterfront around to Circular Quay, a variety of pics from that wander:

Sydney Maritime Museum

Like the software, the company also consumes an entire core for itself. (curse you Symantec antivirus!)

Waterfront - note that the modern glass building (third from the left) is where Google Sydney is now located

Dodgy backstreets of Sydney. And a finger.

"Ah crap, there goes my rental car deposit"

More waterfront. Note the oddly located ugly white tower on the left, clearly before they had good building bylaws.

Re-developed commercial wharves that are now restaurants and pubs.

Some random bridge. No idea what. ;-)

No shortage of steel there....

 

Finally after wandering around for the day, we had coffee with twitter friends @notsarahnz and @felidofractals before heading back to the hotel to collect bags before heading to the station and then the airport.

Tube Train! (Well not quite.... but it is underground!)

Overall, I really enjoyed the visit – not sure if Sydney is somewhere I would live long term (too much sprawl – I’d prefer Melbourne or maybe Brisbane), but it’s certainly a nice/interesting place to visit for a weekend get away.

 

Sony & Identity Theft

Leave a reply

By now most people have heard of the Sony Playstation Network getting hacked and around 75 million accounts worth of information being obtained.

Ignoring the whole fact that someone owned Sony so badly and that they’re not even sure if credit card details got exploited, I want to examine the information that is being stored with Sony.

There are three key bits of information obtained from the breach:

  1. Login credentials of PSN users.
  2. User identify information, consisting of phone number, email address and age.
  3. Possibly credit card information.

The last mention is the most important – obviously any credit card breach is bad (also PCI-DSS compliance, WTF Sony?), but Sony isn’t sure if the card DB has been exposed or not at this stage and is making a general just-in-case recommendation.

Login credentials may be an issue depending how smart you are – if you’re one of those people who uses the same login on every site, this is a clear example of why you shouldn’t, and you can now enjoy changing the login details on every single site you use… (how many more provider compromises does it take till you learn this is bad??)

So assuming you didn’t use credit cards and used unique credentials, this limits the exposure to user identity information – this is causing huge outcry in the media, with some great quotes from different countries police stating how this is going to lead to widespread identity theft.

Which raises the following points:

  • Why are bank and other key systems requiring identification so poorly setup that all that you need is name, age and address to obtain?
  • All these details are already available online for anyone with a bit of sense, it’s hard to keep all this stuff private in the days of social networking.
  • What are the penalties for companies not conducting the proper validation and security checks on people signing up to things like loans?

Sure it’s bad that the information got compromised, but let’s consider that most of the identity information is already public.

Birthdates are easy to get with the widespread popularity of social networking, same for addresses which can be found from domain records, social networking, websites and more, along with contact details.

If this information is enough to then take out a loan or a bank account, then I think those providers have some pretty heavy explaining to do – far too many have sloppy validation checks which don’t reflect the realities of the 21st century.

Just last week, I had to “validate” my home address to obtain a driver’s license. All that’s required to prove my identity is some photo ID and a service bill with an address on it.

Faking a bill is hardly complex, most laser printers will make something that’s good enough to pass any regular inspection, it’s a step that is only going to catch out the most clueless of exploiters.

Wake up companies, seriously….

I know that some providers to take precautions, even when this may lead to some customer inconvenience/annoyance.

  • National Bank (NZ) would refuse to tell me anything about my account, unless I rang them from a number that matched their records for my account.
  • Visiting banks in person often requires photo ID, which can be faked, but takes a bit more effort.
  • My approach in business has always been to ensure a customer was emailing/calling from a known account, otherwise we would call back to confirm requests on their recorded number.

Although some of these approaches are becoming less trust worthy…

  • Email accounts are commonly broken into – because of this, if we get unusual requests or password reset requests, we often call back the client to confirm.
  • With the adoption of VoIP technologies, it’s becoming easier to assume someone’s phone number and send/recieve phone calls on their behalf.

Sadly there isn’t really a truly valid fix, there’s no identification that can be issued that can truly validate people’s identity and secret words or passwords are usually weakened by the fact that humans suck and choose terrible words or reuse them often.

I think the best fix is simply making sure service providers validate information such as ensuring customers have their last invoice & account number before making changes and that financial institutions or credit agencies follow strict security procedures such as photo identification.

Freedom vs Risk

10 Replies

I was having an interesting discussion on twitter this evening, in relation to driving age. Being under 25, the process of leasing a car and getting insurance is quite difficult at times – some places refuse to lease to anyone under 25 and insurance always has large price premiums.

The argument of some, was that statistically speaking, people over 25 have more mature brains and thus are capable of better driving skills and that maybe we should consider making that the legal age limit to drive.

I’m totally against such a suggestion – I’ve been really impacted by the current laws regarding driver licensing, it made it more difficult to run a business, encourages dangerous driving and restricts general freedoms.

NZ has the following stages of drivers license:

  • Learner’s License – must drive with a fully licensed driver (for at least 2 years) and display L plates. You need to pass a theory test to obtain and hold it for at least 6 months before you can progress.
  • Restricted License – limited driving from 06:00 – 22:00 only, passengers only permitted if one of them has had a full license for at least 2 years. To obtain, a practical driving test takes place and you must hold the license for at least 18 months.
  • Full License – unrestricted driving 24×7 with any passengers.

You can apply for a license at a young age in NZ – 15 currently – which I would argue is a bit too young – I actually waited until I was 20 before getting my restricted license, which I needed in order to get a car for business needs.

My problem then is that I had no option to be able to progress to a full license – after driving daily for 6 months, I would consider myself to have as much experience as many who sit the full test after 18 months, but there is no avenue for me to take a test to prove this.

The reason it’s such an issue, is that it started to impact me in business operations:

  • I couldn’t take a staff member in my car to attend a customer meeting.
  • Working late nights at client sides would be a problem, I couldn’t do a 02:00 upgrade and drive home afterwards.
  • It looks poor to customers if you can’t offer them a lift due to the possibility they don’t have a license.

It also impacts me personally:

  • I can’t give my flatmate (who also is restricted) a lift anywhere that we are going to. Yet I would argue that it is FAR more dangerous to have two 20-something males taking separate cars to the same place than it would be for them to share a single car.
  • You can’t take an unlicensed girlfriend/boyfriend anywhere.
  • You can’t pick up elderly or young family members, who instead need to use public transport, which even in a city link Wellington tends to be pretty poor.
  • Young friends who have obtained full licenses often still can’t drive as my passenger since they haven’t held it for at least 2 years yet.

Violating the terms of a restricted license will impose a $400 fine, which is almost 2-3 times as much as running a redlight – an action that I would argue is far more dangerous.

I think it’s a pretty poor system as it is – I’d prefer to see a faster paced process but with more driver education/training in place (my German friends would certainly attest to this being desirable) to enable drivers to move forwards faster by proving they have the skills and comfort behind the wheel.

Raising the limit to 25 would mean that I would be unable to live like a proper adult/member of society until I’m 27 at the earliest – if we consider 18+ to be smart enough to drink, smoke, fight, die, marry, then I think we need to allow them to drive, even though there are some higher risks.

One could argue that we should do anything possible to reduce road tolls, but as a society we have made the choice that freedom comes at a cost, we can’t expect people to live a life where they aren’t allowed to do anything that could be harmful.

I would argue that lifting the age limit to 18 would be reasonable – make it the same as legal adulthood, but imposing anything over 20 would be unreasonable discrimination against younger members of society and put us on an unlevel life quality and business level.

I’d also suggest combining that with some sane limits on engine types and vehicles, 18 year olds don’t need to be driving turbo charged V8 engines – many of the youth crashes tend to be overpowered vehicles, have them on more limited vehicles and perhaps we’ll see less harm.

Of note, I think the focus on driving deaths is actually very poor form by NZ authorities – there are infact MORE deaths by suicide and depression in the youth bracket than there is from driving incidents – something which tends to be overlooked by the media and authorities – if we want to save lives, this might be the first place to start.

Android VPN Rage

3 Replies

Having obtained a shiny new Nexus S to replace my aging HTC Magic, I’ve been spending the last few days setting it up as I want it – favorite apps, settings, email, etc.

The setup is a little more complex for me, since I run most of my services behind a secure internal VPN – this includes email, SIP and other services.

 

On my HTC Magic, I ran OpenVPN which was included in Cynogenmod – this is ideal, since I run OpenVPN elsewhere on all my laptops and servers and it’s a very reliable, robust VPN solution.

With the Nexus S, I want to stick to stock firmware, but this means I only have the options of a PPTP or IPsec/L2TP VPN solution, both of which I consider to be very unpleasant solutions.

I ended up setting up IPsec (OpenSwan) + L2TP (xl2tp + ppp) and got this to work with my Android phone to provide VPN connectivity. For simplicity, I configured the tunnel to act as a default route for all traffic.

 

Some instant deal breakers I’ve discovered:

  1. Android won’t remember the VPN user password – I can fix this for myself by potentially moving to certificates, but this is a deal breaker for my work VPN with it’s lovely 32-char password as mandated by infrastructure team.
  2. Android disconnects from the VPN when changing networks – eg from 3G to wifi….. and won’t automatically reconnect.
  3. I’m unable to get the VPN to stand up on my internal RFC 1918 wifi range, for some reason the VPN establishes and then drops, yet works fine over 3G to the same server.

 

I love Android and I suspect many other platforms won’t be much better, but this really is a bit shit – I can only see a few options:

  1. Get OpenVPN modules onto my phone and setup OpenVPN tunnels for the stock firmware – for this, I will need to root the device, compile the Nexus kernel with tun module support, copy onto the phone and then install one of the UIs for managing the VPN.
  2. Switch to Cynogenmod to gain these features, at the cost of the stability of using the stable releases from Google/Samsung.
  3. Re-compile the source released by Samsung and apply the patches I want for OpenVPN support in the GUI from Cynogenmod.
  4. Re-compile the source released by Samsung and apply patches to the VPN controls in Android to fix VPN handling properly. Although this still doesn’t fix the fact that IPsec is a bit shit in general.

 

All of these are somewhat time intensive activities as well as being way beyond the level of a normal user, or even most technical users for that matter.

I’m wondering if option 3 is going to be the best from a learning curve and control perspective, but I might end up doing 1 or 2 just to get the thing up and running so I can start using it properly.

It’s very frustrating, since there’s some cool stuff I can now do on Android 2.3, like native SIP support that I just need to get the VPN online for first. :-(

I hate Tuesday

2 Replies

Today has been a trial of frustrations and annoyances…. I love IT completely, but sometimes even I have a bad day.

In summary, my day:

  • Personal server has crashed 2x today with no error messages or displayed panics. This is a pretty big deal, since it’s a modern box, runs about 25 of my development virtual machines and is encrypted making a PITA to boot back up, not to mention I use it daily for development and informational purposes.
  • That server also runs the #geekflat network which meant calls from flatmates begging for precious internets.
  • After waiting weeks (months?) for a NIC to be added to a customer server, I discovered that the engineer was trying to install a PCIe card into a totally incompatible PCI slot.
  • A complex script for processing files at a customer site has been broken after the file format changed unexpectedly and needs to be fixed.
  • I found a bug in my perfect code that gave me some very frustrating headaches and which I’ll have to fix.
  • A customer I did support work for a year ago has a number of general desktop issues, claims these are a fault and demanding I fix it seeing as I was the one who installed anti-virus. O_o
  • I got called several times by people for questions that could have been answered by themselves.

All in all, a very frustrating and annoying day. I just hope that tomorrow is better. :-/

The biggest headache is really the problems with the server instability – I rely on that server for a lot of services and having a fault that reports no specific error or message is immensly frustrating.

At this stage, I’m being to suspect some hardware – it could be PSU/CPU/RAM/MB fault which is causing inconsistant stability, but these sorts of issues are extremely difficult to try and trace down, there is nothing in the logs at this stage to indicate.

I might consider switching UPS and maybe PSUs if I need to and see if that resolves the issue – although it’s very difficult to tell since the last time this server had any stability problems was in Jan…

Arhghgh!

Day 23 – Post a review of an application that you use

Leave a reply

This late post is part of my 30 days of geek challenge.

I figured it would be a bit too naracistic to review my own software and a bit boring to review some of my ever day applications, so instead I’m going to do a post about a rather geeky application – KVM virtualisation.

 

About Virtualisation

For those unfamiliar with virtualisation (hi Lisa <3), it’s a technology that allows one physical computer to run multiple virtual computers – with computers getting more and more powerful compared to relatively stable workloads, virtualisation allows us to make much better use of system resources.

I’ve been using virtualisation on Linux since RHEL 5 first shipped with Xen support – this allowed me to transform a single server into multiple speedy machines and I haven’t looked back since – being able to condense 84U of rackmount servers down into a big black tower in my bedroom is a pretty awesome ability. :-)

 

Background – Xen, KVM

I’ve been using Xen in production for a couple years now, whilst it’s been pretty good, there have also been a large number of quite serious bugs at times – combined with the lack of upstream kernel support, it’s given Xen a bit of a bad taste.

Recently I built a new KVM server at home running RHEL 6 to replace my data center, which was costing me too much in power and space. I chose to dump Xen and switch to KVM, which is included in the upstream Linux kernel and is a much smaller simpler code base, since KVM relies on the hardware virtualisation capabilities of the CPU rather than software emulation or paravirtualisation.

In short, KVM is pretty speedy since it’s not emulating much, instead giving the CPU the hardwork. You can then combine paravirtualisation for things like network and storage to boost performance even further.

 

My Platform

I ended up building my KVM server on RHEL 6 Beta 2 (before it was released) and am currently running around 25 virtual machines on it with stable experiences.

Neither the server or guests have needed restarts after running for a couple months without interruption and on a whole, KVM seems a lot more stable and bug free than Xen on RHEL 5 ever was for me. **

(** I say Xen on RHEL 5, since I believe that Xen has advanced a lot since XenSource was snapshotted for RHEL 5, so it may be unfair to compare RHEL 5 Xen against KVM, a more accurate test would be current Xen releases against KVM).

 

VM Supend to Disk

VM suspend to disk is somewhat impressive, I had to take the host down to install a secondary NIC (curse you lack of PCI hotswap!) and KVM suspended all the virtual machines to disk and resumed them on reboot.

This saves you from needing to reboot all your virtual systems, although there are some limitations:

  • If your I/O system isn’t great, it may actually take longer to write the RAM of each VM to disk than it would take to simply reboot the VMS. Make sure you’re using the fastest disks possible for this.
  • If you have a lot of RAM (eg 16GB like me) and forget to make your filesystem on the host OS big enough to cope…..
  • You can’t apply kernel updates to all your VMs in one go by simply rebooting the host OS, you need to restart each VM that requires the update.

In my tests it performed nicely, out of 25 running VMs, only one experienced an issue, which was a crashed NTP process, quickly identified by Nagios and restarted manually.

 

I/O Performance

I/O performance is always interesting with virtualised systems. Some products, typically desktop end user focused virtualisation solutions, will just store the virtual servers as files on the local filesystem.

This isn’t quite so ideal for a server where performance and low overhead is key – by storing a file system ontop of another filesystem, you are adding much more overhead to the block layer which will translate into decreased performance, not so much around raw read/write, but around seek performance (in my tests anyway).

Secondly, if you are running a fully emulated guest, KVM has to emulate virtual IDE disks, which really impacts performance, since doing I/O consumes much more CPU. If your guest OS supports it, paravirtualised drivers will make a huge improvement to performance.

I’m running KVM guests inside Linux logical volumes, ontop of an encrypted block device underneath (which does impact performance a lot) however I did manage to obtain some interesting statistics showing the performance of paravirtualisation vs IDE emulation.

View KVM IDE Emulation vs Paravirtualisation Results

They show noticeable improvement in the paravirtualised disk, especially around seek times… of interest, at the time of the tests, the other server workloads were idle, so the CPU was mostly free for I/O.

I suspect if I were to run the tests again on a CPU occupied server, paravirtualisation’s advantages would become even more apparent, since IDE emulation will be very susceptible to CPU load.

 

The above tests were run on a host server running RHEL 6 kernel 2.6.32-71.14.1.el6.x86_64 ontop of an encrypted RAID 6 LVM volume, with 16GB RAM, Phenon II Quad Core and SATA disks.

In both tests, the guest was a KVM virtual machine running CentOS 5.5 with kernel 2.6.18-194.32.1.el5.x86_64 and 256MB RAM – so not much memory for disk caching – to a 30GB ext3 partition that was cleanly formatted between tests.

Bonnie++ 1.03e was used with CLI options of -n 512 and -s 1024.

Note that I don’t have perfect guest to host I/O comparison test results, but similar tests run against a RAID 5 array on the same server suggests that may be around a 10% performance impact with KVM paravirtualisation which is pretty hard to notice.


Problems

I’ve had some issues with stability which I believe I traced to one of the earlier beta kernels with RHEL 6, since upgrading to 2.6.32-71.14.1.el6.x86_64 the server has been solid, even with large virtual network transfers.

In the past when I/O was struggling (mostly before I had upgraded to paravirtualised disk) I experienced some strange networking issues, as per the post here and identified KVM limitations around the I/O resource allocation space.

Other than the above, I haven’t experienced many other issues with the host and future testing and configuration is ongoing  – I should be blogging a lot of Xen to KVM migration notes in the near future and will be testing CentOS 6 more throughly once released, maybe some other distributions as well.

Now is the winter of my content

2 Replies

It’s suddenly gotten much colder in Wellington (about 13c currently), looks like summer is over and winter is on it’s way.

As weird as it sounds, winter is my favorite time of the year in Wellington – instead of mediocre days, we have crisp, cold evenings, dark nights, snuggling on the couch and in bed, tasty winter foods and more. :-D

The last few days I’ve actually been feeling far more bouncy and happy than normal –  something about me is clearly wired wrong…

I wonder if part of it, is that instead of having dull gray evenings when I leave work, it’s now completely dark – dull gray weather always messes with my moods, whilst I always feel much more active and energetic at night and I don’t feel bad about spending heaps of time inside on my computer.

Anyway, here’s to winter – looking forwards to several months of chilly, dark bliss :-D

 

PS: anyone know any Antarctic based computer programmer jobs going? 6 months of darkness sounds like a dream :-D

Day 22 – Release some software under an open source license that you haven’t released before.

Leave a reply

This late post is part of my 30 days of geek challenge.

I’ve released a bit of software before under open source licenses – originally mostly scripts and various utilities, before moving on to starting my own open source company (Amberdms Ltd) which resulted in various large applications, such as the Amberdms Billing System and centralised authentication components like LDAPAuthManager.

The other day I released my o4send application, which is a utility for sending bluetooth messages to any phones supporting OPP and today I pushed a new release of LDAPAuthManager (version 1.2.0) out to the project tracker.

 

I haven’t talked about LDAPAuthManager much before – it’s a useful web-based application that I developed for several customers that makes LDAP user and group management easy for anyone to use without needing to understand the pain that is LDAP.

It’s been extended to provide optional radius attribute support, for setting additional values on a per-user or per-group, making LDAPAuthManager part of a wider centralised authentication solution.

 

For other open source goodness, all my current open source components developed by Amberdms can be found on our Indefero project tracker at www.amberdms.com/projects/.

There’s a lot that I have yet to release – releasing means I need to validate the documentation, package, test and then upload so I can be sure that everyone gets the desired experience with the source, so it can be tricky to find the time sometimes :-/