Oregon Photography Workshops

Peter Schütte is a local photographer here in Portland who does wonderful Oregon Photo Workshops – if you are a beginner or a more advanced photographer, check out his site and the classes that he offers. They are a lot of fun and extremely instructional – I certainly have learned a lot from him and can’t wait to find the time again to go to another workshop this summer.

I’ve already done his Central Oregon High Desert Safari, the Portland at Night and the North Coastal Photography workshops (and a couple others that I’m forgetting right now). Definitely worth it.


The perfect server for dedicated web hosting?

After seeing hosting providers offer Atom based dedicated servers I started wondering how they are doing that? A pile of EeePCs? Unlikely.

Turns out there are a couple of companies offering blade servers with Atom blades – one is SERVER8 in Italy which seems to have a very smart approach – off the shelf Micro-ATX or Mini-ITX motherboards, including Atom-based motherboards can be used in a custom 6U case following the Open Blade spec.

SuperMicro offers 1U Atom-based servers and has announced an Atom-based blade server as well. There are do it yourself 1U rack mounted servers available. And I’m sure there are more similar offerings out there.

In general I guess server processors are the better fit for servers – but for this interesting niche market of people who want a dedicated server but don’t need a ton of performance (i.e. for things like hosting your own blog) these atom-servers could really be the perfect solution.

Budget server hosting with Atom based servers

After posting about hosting your own blog a couple of days ago, one of my co-workers pointed out to me an interesting new trend that he has seen… more and more server hosting providers offer entry level servers based on Intel Atom motherboards at prices that start to compete with virtual private servers.

That’s an interesting use of the Atom processor (which I tend to think of as the netbook CPU). But for many typical blog hosting scenarios a system like this offers plenty of performance with all the advantages of having your own dedicated server – and really good prices.

InterServer offers a dedicated server (cutely named “VPS Buster”) for $39/mo. Others offer similar pricing. Nice.

(and no, I don’t get money from linking to them, sadly. It was just the cheapest that I found in a few minutes of googling – feel free to comment if you see better deals elsewhere)

Self hosting a blog has its advantages

I have never hosted any of my personal blogs anywhere else. And every time I talk to people who do I am happy that I was never tempted. There are way too many issues with doing that. Lack of control would be my number one concern. I want to be able to decide which OS I’m running, which version of the web server, which libraries I have available. Which blogging software and which version of it. Etc.

If you host with Blogger or Typepad or even on Wordpress.com you are restricted to the versions someone else is willing to give you. You can’t change the underlying blogging tool, can’t install a new library – often can’t even install a plugin.

The other day I started hosting my wife’s blog. That brought it home to me. You want a development blog? Sure, no problem. Let me add another WordPress instance under a different hostname. You need the GD library? No problem, apt-get install php5-gd and that’s taken care of (I decided to run Debian on my servers quite a while ago). There’s a problem with xyz? Let me take a look in the log file. Very powerful. Very liberating.

Yes, some of the hosters like Dreamhost allow you something almost as good. With lots of choices and lots of control. But still, you’re in a jail – it’s just bigger and more flexible. The only way to really control what you are doing is to host the blog yourself. On a VPS or (like this blog) on a dedicated server.

Moblin beta released

The alphas showed some of the work done on the underlying technologies – things around fast boot, battery optimizations, etc.

The beta for the first time shows the new user experience. This is not just another client OS – and definitely not a Windows 95 lookalike (which way too many Linux client OSs still are).

Check it out on the Moblin site.

Authentication in a mobile world

This is a topic that I have been tossing around for a while. The fact that I gave a presentation about this at this week’s SambaXP conference in Göttingen has forced me to put some structure around my thoughts.

Single sign on is a commonly listed goal in the IT industry. You authenticate once and then have access to all kinds of applications or services via the net. This sounds good, but of course it comes at a price. The damage that can be done if your credentials are compromised increases dramatically if they can be used in many places.

A simple example. Let’s say you use your login credentials to also be able to access your email account. That’s wonderful – one less username and password to remember. But unfortunately a number of email clients (or email retrieval apps like getmail or offlineimap) have no convenient way to securely store your credentials – or are easily fooled into handing these credentials to a proxy server. Which suddenly exposes your “general pass key” to your account to an attacker.

Of course you can use SSL encryption on your email protocol (e.g., imaps) to make man in the middle attacks harder – but that only works if you have signed certificates and a correctly built and trusted CA in place with the CA certificates installed on all clients. Which gets a little harder with the proliferation of mobile clients. For example, when using your favorite email client on your Android phone (or Nokia N71, or…), who hasn’t clicked ‘accept’ when asked to verify the authenticity of an SSL certificate provided for the server that wasn’t signed with a key that’s installed in the client’s CA keychain? You may have looked at the certificate to make sure that it looked sane – but did you verify it?

That’s a huge risk when allowing authentication with typical username / password based single sign on credentials on internet-facing servers. Yet that’s a very common practice.
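
Refusing the connection instead of clicking ‘accept’ can be enforced in the client itself. The sketch below is an added example, not code from the original post: it builds a TLS context for IMAPS that rejects unverified certificates and, for a server using a private CA or a self-signed certificate, compares the certificate's SHA-256 fingerprint with one obtained out of band before any credentials are sent. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import imaplib
import ssl

# Constructed sample bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"


def strict_context(cafile=None):
    """TLS context that refuses unverified server certificates.

    cafile=None trusts the system CA store; pass the path of a private CA
    certificate (or the server's own self-signed one) to trust only that.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # These are already the defaults; stating them makes a later
    # "just make it connect" change stand out in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def display_fingerprint(der_cert):
    """SHA-256 fingerprint in the AA:BB:... form shown by most clients."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der_cert, expected):
    """Compare a certificate with a fingerprint obtained out of band."""
    want = expected.replace(":", "").replace(" ", "").lower().encode()
    got = hashlib.sha256(der_cert).hexdigest().encode()
    return hmac.compare_digest(got, want)


def open_imaps(host, user, password, cafile=None, pin=None):
    """Log in only after the certificate (and optional pin) checks pass."""
    # The TLS handshake happens in the constructor and raises
    # ssl.SSLCertVerificationError if the chain or hostname is wrong.
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=strict_context(cafile))
    if pin is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not matches_pin(der, pin):
            conn.shutdown()
            raise ssl.SSLError("certificate fingerprint mismatch")
    conn.login(user, password)  # credentials leave the device only here
    return conn
```

The fingerprint to pin has to come from a channel the attacker does not control, for example read off the server console by its administrator.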

So what can you do? One school of thought is “just don’t do it”. Have separate credentials for all services, force distribution of CA certificates, enforce SSL or SSH as a minimum requirement to connect to any services and basically divide and conquer the risk. But frankly, that makes mobile clients far less attractive, interaction with network facing applications and services more difficult and generally reduces productivity. And in the end, if users are forced to use too many distinct username / password combinations they tend to use simple algorithmic passwords (or simply write them down somewhere in clear text).

Another alternative is to look at ticket based systems like Kerberos and the way they handle credentials. Kerberos (and its implementation in Microsoft’s Active Directory) encrypts all traffic and uses a rather smart system to prevent man in the middle attacks. Assuming strong passwords (to prevent the well documented offline password guessing attacks) you can create a decent sign on system that can be used with mobile clients – assuming the client software stack includes the necessary code to authenticate against A/D – which unfortunately is not universally the case today.

Ideally for each account with a service provider you as the user would be able to pick how to authenticate – using a ticket authority of your choice – potentially with different identities between different services, potentially with the same. This way you could control which services share the same ID, ensure that all authentication is secure and at the same time make it easier to manage these identities securely in a mobile device.

Samba is a widely used open source implementation of the necessary pieces of A/D. It allows clients to authenticate against Active Directory servers or other Kerberos based authentication servers and then only distribute tickets (that don’t include the actual credentials) to authenticate against services. One downside of using Samba’s model of implementing the different components of MSRPC as monolithic applications instead of APIs is that it makes it harder to use in this context (providing authentication services in the mobile world); also, Samba has gaps in its support for the full breadth of A/D (missing some of the SSPI providers).

Still, it’s a good start. An alternative could be Likewise Open as it matures. Kirshna and his team certainly are focused on a complete implementation of the necessary APIs – but the mobile client isn’t their focus area, either.

The discussion after my presentation showed some interest in the community to tackle the problem, but of course this will require the service providers and the device vendors to cooperate as well. But first more people need to understand the underlying problem that needs to be solved…

Using Vodafone.de CallYa UMTS with Linux

As part of my brief set of posts on getting Linux systems (and sometimes Macs) connected to wireless networks beyond WiFi, here’s a quick post on what’s different when connecting to Vodafone.de with their prepaid CallYa SIM in a Huawei USB stick (this is actually a stick that I bought in London for the O2 network – just switch out the SIM… one of the nice things about GSM based networks).

The first few problems that I ran into shouldn’t affect most people, but just in case… be warned, if you have set up your system to use Vodafone.uk in the past, you are likely to have incorrect settings lying around in conf files…

Once those are removed, plug in your modem and simply create a new connection under Network Manager / Mobile Broadband. Set the APN to event.vodafone.de (this is important – contract SIMs use web.vodafone.de but that doesn’t work with CallYa SIMs). You can type in your PIN in that dialogue as well, that way the system doesn’t ask you for it after every reboot. All the other information is optional or not needed – except for the phone number; the usual *99# does the trick.

Go to the Network Manager icon and click on the new connection you created (it should show up under Mobile Broadband, assuming your modem got recognized correctly). Once the connection is established (the NM icon changes to a broadcast tower) open a web browser and navigate to any arbitrary web page. Vodafone will redirect you to a page where you can pick whether you want to purchase 30 minutes, an hour or a day’s worth of “unlimited” internet. Once you have gone through that process, everything should work. If I tried to open an ssh connection (or something else) before doing the magic web page thing the system occasionally got confused…

Doing the twitter thing

After sitting on the sidelines for a long time I finally figured “what the heck” and started to use Twitter.

You can find me as dhohndel.

Moblin stewardship moves to Linux Foundation

Disclaimer on top (so no one can claim they didn’t see it): I’m obviously not necessarily an objective observer here. I work for Intel and have been involved with the Linux Foundation and its predecessor organizations for many many years. But this is my blog – unrelated to either organization (so if you quote me, please keep that in mind).

Some people might think the blog post at the New York Times that Intel hands Moblin over to the Linux Foundation is an April Fools joke. But even though the headline is a little unfortunate, the content of the article is correct: In order to make it easier for more people to get involved in Moblin, Intel has asked the Linux Foundation to take over the stewardship of the project.

This does not indicate any reduction in Intel’s effort on Moblin (quite the contrary, actually). Nor does it mean that dramatic changes are coming to the short term development plans. On the technical side it’s the same engineers doing the same impressive work.

But neither is this just a symbolic act – this really means that the Linux Foundation – a “nonprofit consortium dedicated to fostering the growth of Linux” (quoted from their About page) is hosting the project and will run it in a way similar to many other open source projects. The role of contributors will be determined by their merit to the project; which means that non-Intel engineers will hopefully soon step up into leadership roles. This is important for the pace of adoption of Moblin in the industry and (based on my conviction that true open source development is a huge advantage) this will cause the pace of innovation to increase even more. And it is something that would have been much harder to implement if the project is seen as only “Intel’s Linux OS”.

So to me this is great news. And from what I am hearing the same is true for many in the Linux community who have watched the first signs of life of Moblin with growing excitement. With the release of Alpha 2 a short while ago the traffic on our developer list has noticeably picked up – as has coverage in the press. And frankly, Alpha 2 barely scratches the surface of what Moblin will deliver.

Next week at the Linux Foundation Collaboration Summit I will host a Moblin track and I am very much looking forward to discussing what all this means with the attendees.

Using the O2 UK Pay as You Go USB 3G modem (it’s a Huawei E220) under Linux

I’ve posted about getting 3G modems to work under Linux before. But trying to get the UK version of the Huawei E220 to work (actually, O2’s website claims it’s an E160 and Linux can’t decide whether it’s an E220 or E270) I ran into some surprising problems.

First, the dumb one. Contrary to US CDMA 3G modems, the European HSDPA ones need a SIM card. Took me a while to realize that I had to rip open the “software package”, find the SIM card and install it.

Duh.

After that it’s the usual dance – plug it in, wait for the option driver to recognize it (I’m running a 2.6.29 kernel but it should work with the stock kernels as well – this is not a particularly new chip), then wait for Network Manager to realize it’s there (tends to take a while, sometimes several minutes). I tried this under Fedora 10 but I hear that it works very much the same under Ubuntu.

Oddly enough, Network Manager displays TWO entries for this Mobile Broadband modem. And trying to use the second one causes things to hang for about a minute or so. And even using the first one only works every three or four tries (have not been able to figure out why – it just claims that it can’t connect) – but it does work after a while and creates a connection. Simply keep trying.

Now comes the ugly part. Since there’s no client software, on Linux you need to magically go to the right site to top off your account. So bookmark https://mobilebroadbandaccess.o2.co.uk/index as that’s where you need to go (more or less all other addresses simply give you a Connection Refused – it might have been smarter to implement a redirect here, but who am I to tell O2 how to do their job…)

But if you think this was stupid, it gets even more brain dead from here. Depending on your credit card issuer you might get redirected to a different site to do online fraud protection – and in my case, that site was NOT on the white list and gave me once again a Connection Refused error, preventing me from completing the transaction.

O2’s setup is actively (and successfully) thwarting my attempts to give them money. They should get an award for that.

The only workaround I could figure out was to connect through some other means, purchase a “top it up” product and then restart the O2 connection and voilà things work nicely.

But of course you run into that same problem every time either your data limit or time limit for your pay as you go account is reached.

What an exceptional display of shooting your own foot…

Update: turns out that T-Mobile is selling exactly the same modem for their version of pay as you go mobile broadband (which is called “web and walk”). And their flavor creates a different challenge. You appear to have to connect to the USB stick once using their Windows tool before it is willing to work. The error messages vary (I tried a hundred different things), but once you connect to the modem with the Windows tool everything works as expected; you don’t even have to connect to the 3G network from Windows – just starting the “web and walk manager” application appears to do the trick.

If you want to be able to use both of them simply create two different profiles in Network Manager; one with m-bb.o2.co.uk as APN for the O2 stick and the other one with general.t-mobile.uk as APN for the T-Mobile one. The rest of the information can be the same: Number is *99#, username and password are irrelevant (but have to be set to something). If you name these two network connection profiles “O2” and “T-Mobile” then Network Manager uses these names when you plug in the USB stick – it can’t tell the two modems apart, so you need to do that manually when you connect – just click the corresponding entry in the Network Manager drop down.
