Saturday, March 31, 2007

mac vs PC vs Linux

Apple has a series of funny commercials comparing the Macintosh with a PC running Windows. They are very well written and presented. I recommend viewing them for the amusement value (view them here - but you need Quicktime).

Novell has produced a few short parodies of those adverts, they don't have the same production quality but are well written and not nearly as cheesy as I had feared (view them here). Novell's ads are in OGG and MP3 format.

Update: A comment pointed me to this site which has other parodies of the Mac adverts. There is quite a bit of bad language and the parodies will offend some people in several ways. But they are amusing and do make some interesting points.

hybrid Porsche

The April 2007 issue of the RACV magazine announces that Porsche is working on a hybrid vehicle. It seems that the award-winning Lexus hybrid vehicle has demonstrated the value of hybrid petrol-electric technology for performance vehicles and that Porsche want to catch up.

The trend seems to be towards all vehicles that are desirable being available in either hybrid or Diesel variants, and we'll probably see hybrid Diesel vehicles on Australian roads soon.

Thursday, March 29, 2007

Trusted Solaris vs SE Linux

Karl MacMillan writes an interesting review of a Sun article about SE Linux. Not only does he correct errors in the Sun article but he also summarises some of the features of SE Linux design and terminology that we use. If you are interested in computer security and want to learn some of the basic concepts then Karl's review is worth reading.

questions regarding SE Linux

I just received a question about SE Linux via email. As I don't want to post private messages containing material that's globally useful I'll answer through my blog:

> other than strict and targeted policies......other policies like
> RBAC, MCS, Type Enforcement are also are these policies
> implemented

The two main policies are the strict policy and the targeted policy. The strict policy is the earliest and was originally known as the sample policy (but was given the name "strict" after targeted was developed).

The strict policy aims to give minimal privileges to all daemons. The targeted policy aims to restrict the programs that are most vulnerable (network facing daemons) and not restrict other programs (for ease of use). There is currently work in progress on combining those policies so the person who compiles the policy can determine which features of strict they desire.

RBAC means Role Based Access Control. The strict policy assigns users to roles and the role then limits the set of domains that can be entered. For example the user_r role does not permit the sysadm_t domain so a user who is only permitted to enter the user_r role can not perform sys-admin tasks. Like many terms RBAC is used in different manners, some people consider that it means direct control by role (EG role user_r can not write to /dev/hda), while SE Linux has a more indirect use of roles (role user_r can not run programs in domain sysadm_t or any other domain that allows writing to type fixed_disk_device_t - the type for /dev/hda). You may consider that the strict policy supports RBAC depending on which definition of the term you use.

Generally the targeted policy is not considered to support RBAC, although if you consider a role to merely be a container for a set of accesses that are permitted then a SE Linux domain could be considered a role in the RBAC sense. I don't think of targeted policy as being a RBAC implementation because all user sessions run in the domain unconfined_t which has no restriction. I think that to be considered RBAC a system must confine user logins.

Type enforcement is the primary access control mechanism for SE Linux. Every object that a process may access (including other processes) has a type assigned to it. The type of a process is known as a domain. The system has a policy database which for every combination of domain, type, and object class (which is one of dir, file, blk_file, etc - all the different types of object that a process may access) specifies whether the action is permitted or denied (default deny) and whether it is audited (default is to audit all denied operations and not audit permitted operations).

MCS is a confidentiality protection mechanism where each file has a set of categories assigned to it. The set may be empty, may contain all 1024 categories, or any sub-set. Each process has a set of categories that determines which files it may access. File access is granted if Unix permissions allow it, if the domain-type model allows it, and if MCS allows it (on an MCS system). I have just had an article on MCS published in Linux Journal.

MCS is an optional feature for people compiling Linux from source or for distribution vendors. For Red Hat Enterprise Linux, Fedora, and Debian the decision was made to include it, so the strict and targeted policies for those distributions include MCS.
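The three checks described above (role limits on domains, the type enforcement lookup with its audit defaults, and MCS category sets) modelled in Python. This is an added example, not part of the original post or of any SE Linux code. The rule tables are constructed samples, and the MCS test assumes a process needs every category that is on the file.

```python
from dataclasses import dataclass

# All rules below are constructed samples, not taken from a real policy.
ROLE_DOMAINS = {                      # RBAC: role -> domains it may enter
    "user_r": {"user_t"},
    "sysadm_r": {"user_t", "sysadm_t"},
}
ALLOW = {                             # TE: (domain, type, class) -> permissions
    ("user_t", "user_home_t", "file"): {"read", "write"},
    ("sysadm_t", "user_home_t", "file"): {"read", "write"},
    ("sysadm_t", "fixed_disk_device_t", "blk_file"): {"read", "write"},
}
# Exceptions to the audit defaults (denials audited, grants not audited).
AUDITALLOW = {("sysadm_t", "fixed_disk_device_t", "blk_file"): {"write"}}
DONTAUDIT = {("user_t", "shadow_t", "file"): {"getattr"}}
MAX_CATEGORY = 1023                   # MCS categories c0..c1023


@dataclass(frozen=True)
class Process:
    role: str
    domain: str
    categories: frozenset = frozenset()


@dataclass(frozen=True)
class Obj:
    otype: str
    tclass: str
    categories: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    audited: bool
    reason: str


def _categories(cats):
    """Validate category numbers and freeze them into a set."""
    cats = frozenset(cats)
    bad = sorted(c for c in cats if not 0 <= c <= MAX_CATEGORY)
    if bad:
        raise ValueError(f"categories out of range: {bad}")
    return cats


def make_process(role, domain, categories=()):
    """RBAC check: a role only permits the domains listed for it."""
    if domain not in ROLE_DOMAINS.get(role, set()):
        raise ValueError(f"role {role} may not enter domain {domain}")
    return Process(role, domain, _categories(categories))


def make_object(otype, tclass, categories=()):
    return Obj(otype, tclass, _categories(categories))


def check_access(proc, obj, perm, dac_ok=True):
    """Grant only if Unix permissions, type enforcement and MCS all agree."""
    if not dac_ok:
        # Simplification: a Unix permission failure is treated as never
        # reaching the SE Linux check, so nothing is audited here.
        return Decision(False, False, "dac")
    key = (proc.domain, obj.otype, obj.tclass)
    if perm not in ALLOW.get(key, set()):        # default deny
        reason = "te"
    elif not proc.categories >= obj.categories:  # process must hold them all
        reason = "mcs"
    else:
        return Decision(True, perm in AUDITALLOW.get(key, set()), "granted")
    return Decision(False, perm not in DONTAUDIT.get(key, set()), reason)


if __name__ == "__main__":
    user = make_process("user_r", "user_t", {1})
    admin = make_process("sysadm_r", "sysadm_t")
    cases = [
        (user, make_object("user_home_t", "file", {1}), "read"),
        (user, make_object("user_home_t", "file", {1, 2}), "read"),
        (user, make_object("fixed_disk_device_t", "blk_file"), "write"),
        (admin, make_object("fixed_disk_device_t", "blk_file"), "write"),
    ]
    for proc, obj, perm in cases:
        print(proc.domain, obj.otype, perm, check_access(proc, obj, perm))
```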

There is another policy known as MLS. This is a policy build that comprises the strict policy plus Multi-Level Security. Multi-Level Security aims to give the highest confidentiality protection and comply with the LSPP (Labeled Security Protection Profile - roughly comparable to B1) Common Criteria certification. It would be possible to build a targeted policy with MLS but that wouldn't make sense - why have the highest protection of confidentiality with anything less than the highest protection of integrity?

As for how the policies are implemented, I'm not about to write a tutorial on policy writing for a blog post, I'm sure that someone will post a link to a Tresys or Fedora web page in the comments. ;)

> there r some packages of linux in which some changes has been made
> to support linux......for eg:- coreutils, findutils

That is correct. Every program that launches a process on behalf of a user at a different privilege level (EG /bin/login, sshd and crond) and every program that creates files for processes running in different domains (EG logrotate creating new log files for multiple daemons) needs to be modified to support SE Linux. Also ls and ps were modified to show SE Linux contexts as well as the obvious programs in coreutils.

> 'Z' is the new thing that have been added to most of the
> utilities......wherever I search I get the changes made only in few
> utilities like ps, mv, cp, ls
> Can u help me by giving all the changes made in each of the utilities.....

Unfortunately I can't. This has been identified as an issue and there is currently work in progress to determine the best way of managing this.

Wednesday, March 28, 2007

death threats against Kathy Sierra

The prominent blogger and author Kathy Sierra has recently cancelled a tutorial at a conference after receiving death threats.

Obviously this is a matter for the police to investigate - and the matter has been reported to them.

It's also an issue that is causing a lot of discussion on the net. The strange thing is that a large portion of the discussion seems based on the idea that what happened to Kathy is somehow unusual. The sexual aspect of the attacks on Kathy is bizarre but campaigns of death threats are far from unusual in our society. The first post I saw to nail this is the I had death threats in high school blog entry. Death threats and campaigns of intimidation are standard practice in most high schools. After children are taught that such things are OK for six years straight it's hardly a surprise that some of them act in the same manner outside school!

But I don't expect anything to change. Columbine apparently didn't convince anyone who matters that there is a serious problem in high-schools, I don't expect anything else to.

I can clearly remember when I first heard about the Columbine massacre, a colleague told me about it and explained that he barracked for the killers due to his own experiences at high-school. While my former colleague probably had not given his statements much consideration, any level of support for serial-killers is something to be concerned about.

This is not to trivialise Kathy's experience. But I think that discussion should be directed at more fundamental problems in society instead of one of the symptoms. If the causes are not addressed then such things will keep happening.

Tuesday, March 27, 2007

Xen and eth device renaming

Recently I rebooted one of my Debian Xen servers and suddenly all the Ethernet devices which used to be eth0 in the domU's became eth1.

vif = [ '', 'bridge=xenbr1' ]

I used to have the above as the interface definition and for domU's that had only a single interface that worked well (if there is only one interface then it should be eth0). However in a recent etch update this changed, so I had to use ifrename as documented in my previous blog post. It's annoying when things break because a reasonable assumption which previously worked suddenly stops working.

Even if the bug in question (if it is regarded as a bug) is fixed I'll keep using ifrename, it doesn't do any harm.

Monday, March 26, 2007

Save Babe

There's an advertising campaign at the moment opposing cruel treatment of pigs, the web site is at . They have rented advertising space at train stations to publish the URL.

One thing that they don't mention is the health issues related to factory farming. It makes sense to concentrate on one message at a time and they are concentrating on animal cruelty. But probably more people will be concerned with the risks of disease, parasites, and anti-biotic resistant bacteria present in meat produced from the factory farms.

Also wild boar tastes better!

Sunday, March 25, 2007


Currently many people have Google advertising on their web sites, it may even be that a majority of the serious Internet users host Google advertising. Given that Google is already writing a cheque every month to many people, it wouldn't be difficult for them to change the amount in response to a funds transfer request. Depositing a cheque in a foreign currency can incur $25 in bank fees (that's what the Commonwealth Bank of Australia charges me), this is a great impediment to international trade in small values. When Google already has an office in a country and writes cheques in the local currency it would be very easy to have that cheque include funds transfers too.

One significant advantage of Google payments would be the fact that Google doesn't write cheques for less than $100, so someone who earns $2 per month through Google adverts will be waiting a long time before they get a cheque - but if someone has an item that costs a small amount of money (EG an online service that costs a few dollars a month) then the user would be enticed to use it.

Currently many people don't place Google adverts because they believe that it would take them an unreasonably large amount of time to reach $100US. But if they could spend the money in small increments on other online services then it would be more enticing.

It seems to me that Google is the only organization that is both capable of running an International online small-payments system and which would be trusted by most people.

If you like this idea please post a comment.

Saturday, March 24, 2007

images for a web site

When I first started putting pictures on my web site I used to delete the originals (at the time I only had a 3.2G hard drive in my main machine and used CDs for backup so I didn't feel inclined to waste too much space). The problem is that I optimised the images for viewing on displays of the day (when 1024x768 was high resolution and I tried to get pictures down to 800x600 or less whenever possible). Also the program I was using at the time for scaling the images didn't do it nearly as well as the Gimp does now.

Now when putting pictures on my web site I keep the original JPEG's in a safe place so that if there are future changes to common display technology, net connection speed (particularly the speed of my server) or of technology for scaling and compressing images then I can re-do them to get a better result.

When saving images with Gimp I enable "Advanced Options", which allows me to set a floating-point DCT method. This saves about 400 bytes on disk and apparently gives a better image quality too - it's not noticeably slow on a Pentium-M 1.7GHz so they should probably make it the default. The next "Advanced" option to change is to turn off "Save EXIF data" (saves 1.9K) and "Save thumbnail" (can save almost 5K depending on the image).

The next thing to do when saving a JPEG is to enable the "Show Preview in image window" setting. This allows you to adjust the image quality while seeing the resulting image as well as the size, so you can determine which combination of file size and image quality is best for you. This is much easier than saving a file and then running an image viewing program to inspect it!

As an aside, it would be convenient if the Gimp would reposition its "Save as" dialogue to not occlude the image window and would enable the preview option by default on machines with reasonably fast CPUs.

Thursday, March 22, 2007

power saving

Adrian von Bidder made an interesting post in response to my post about Spanish wind power. He correctly points out that power sources that have seasonal variations and which may vary during the course of a day can not be used as the sole power source.

The ideal design would be to have wind power stations that are designed to have a peak power that is greater than the expected use for the country. Then when wind power is slightly below peak the entire use for the country could still be satisfied.

There are a number of power sources that can quickly ramp up, this includes hydro-electric and gas-fired power stations. Such forms of power generation could be used as backup for when wind and solar power are limited. Incidentally one thing to note about Solar power is that it is most effective during the day in summer - which is when there is the highest demand for electricity to run cooling systems. There is also an option for having the sun heat up rocks which can be used for generating electricity at night or at periods of peak demand. So eventually we could have all our energy needs supplied by solar and wind power.

If wind power was designed to exceed the demand at windy times there are a number of ways that it could be used. The first thing to do is to implement billing systems that vary the cost according to the supply. This information could be provided to customers via X10 (or a similar technology). Home appliances could take note of this information and perform power-hungry operations when it's cheap. Your freezer could cool itself to -30C when electricity is cheap and allow the temperature to rise to -5C when it's expensive. You could program your washing machine to start when electricity becomes cheap - usually a few hours delay before starting the washing is no inconvenience.

Ideally home power generation from solar and wind sources would be used. There is significant loss in the power lines that lead from power plants to the consumer, so there are efficiency benefits in generating power locally. A wind turbine for a home will give highly variable amounts of power, and the electricity use of a home also varies a lot. So batteries to store the power are required. When you have local battery storage you could use your batteries to power your home when electricity is expensive and use mains power when it's cheap. Also if it was possible to feed power back to the main grid then home battery systems could be used to help power the main grid at expensive times (if the electricity company reimburses you for putting power back in the grid then you want such reimbursement to be done at the highest rate).

Adrian also mentioned turning devices off when leaving home. It is common practice in hotels that when entering your room you will insert your key in a holder by the door which acts as a master switch for all lights and some other electrical devices (such as the TV).

This same idea could be adopted for home use, not based on key storage (although this would be an option) but instead on a switch near the front door. Push a button and all lights turn off, as do human-focussed appliances such as the TV and DVD player (not the VCR), etc. There could also be a night option which would turn off the TV, DVD player, and most lights. Obviously at night you want bedroom and bathroom lights to still work but many things can be turned off.

This is all possible with today's technology, small changes to usage patterns, and spending a little more money on technology. Currently you can get a basic solar power system for your house for about $10,000. That isn't much when you spend $300,000 or more buying the house!

thinkpad back from repair

On Tuesday my Thinkpad was taken for service to fix the problem described in this post.

The problems I described were overheating, wear on the keyboard (from a minimum of 8 hours a day 7 days a week use) and a missing rubber foot on the base. The statement of work includes a replaced system-board, keyboard, CPU fan, and "cover(s)" (not that I can see any difference in that regard). No new rubber foot. Also they upgraded the BIOS.

It's interesting to note that in the list of "diagnostics performed" they listed "HDD" - of course I removed the hard drive before giving it to them.

Anyway 2 days turn-around is pretty good service and I'll ask them to post me a new rubber foot so I can stick it on myself.

The IBM support team were quite helpful about this and now have a set of misc small parts being couriered to me - it may arrive tomorrow or Monday.

It's a minor annoyance that they didn't fix everything when they had it, but shipping me a set of small parts is great service. With a bit of luck I'll get some other parts that will be useful to me at some future time too. ;) My Thinkpad leaves warranty in a few months and I'll be on my own for all future repairs.

For the first time I am actually considering paying for extra warranty support. I think that I'm one of the more expensive IBM customers in terms of warranty support. I typically go through one keyboard and one system-board per Thinkpad that I own. I guess that IBM make the most money from managers who have laptops always sitting on their desk. People like me who take their laptops everywhere, use them extensively, and wear things out (doing what laptops are designed to do) would be less profitable.

Wednesday, March 21, 2007

Spanish wind power

The latest news is that Spain has wind power as its main source of electricity. The second largest source is nuclear and the third is coal. This is due to some particularly windy weather recently, but Spain is also a world leader in both manufacture and installation of wind power systems.

Other countries should follow their lead. Wind power is very cheap once it's installed, there are minimal ongoing costs and when things go wrong the scope of the problem is very small (unlike nuclear power plants which have the potential to contaminate large areas).

Sorry no link, this news is too new to be indexed by google.

mixing CPUs

Recently I bought a HP DL385 Opteron server at auction. It has an Opteron 265 1.8GHz dual-core CPU and is designed for SFF (Small Form Factor) SAS disks.

A friend told me that S-ATA disks would work in it and so would a faster Opteron CPU. I bought 3 S-ATA disks which work fine in a RAID-5 array. Unfortunately when I tried booting with the second CPU installed the BIOS said that it detected a CPU speed mismatch and would halt.

If anyone knows of a way of swapping Opteron 265 CPUs so that I can get a pair at the same speed then please let me know. I'd prefer to swap the 1.8GHz one for a 2.2 GHz one if possible, but the other way is also an option.

Sunday, March 18, 2007

Debian and Google Summer (Winter) Of Code

Debian is participating in the Google Summer Of Code (or Winter if you are in the southern hemisphere).

It would be good if we could get a SE Linux related project in. If you are interested in doing some SE Linux work (or other security related work) in this regard then please let me know. I'm interested in helping mentor for such projects.


This weekend I went to the Ballarat install-fest, mini-conf, and inaugural meeting of the Ballarat Linux Users' Group (BLUG).

This was the second install-fest, the first one was quite successful so it was decided that there was demand for a second. I suggested that what we should do is get some of the more experienced members of LUV to attend and give talks about their areas of expertise and make a mini-conference. I also suggested that we hire a large vehicle to take a number of people to the meeting. Both my suggestions were accepted.

So on Friday evening I was in a Kia XXX with five other people from LUV on our way to Ballarat.

On Saturday we had the install-fest. We started at about 10AM, there were about a dozen people getting help installing Linux and many more attending the mini-conf and just hanging out. For lunch we had a BBQ. In the afternoon I gave a talk on SE Linux and then a brief impromptu talk on Poly-Instantiated Directories while the next speaker was setting up their laptop.

At the end there was the inaugural meeting of BLUG. The president was appointed, and there were some brief discussions about when to schedule meetings. I suggested that BLUG meetings should be either the day before or the day after LUV meetings to increase the incidence of speakers from other regions attending both meetings, my suggestion was being seriously considered at the time the meeting adjourned - LUV is a larger group and has better ability to get speakers from other regions. It was also agreed that a weekend combined LUV and BLUG meeting would be arranged twice a year.

I traveled back to Melbourne by train which was cheap at $9 and comfortable. There was even a power point in the carriage (which I didn't use as my laptop was charged and the location was not convenient). For the next such event I'll try and arrange a group to travel on the train together.

The next thing to do is to find other regional centers in Victoria where we can do the same thing. Bendigo might be a possibility.

Also if you are a member of a LUG in a city please consider the possibilities for helping form a LUG in a regional center that's nearby. I would be happy to provide whatever advice I can to help people replicate this success in areas surrounding other cities, so please email me if you have any questions.

Saturday, March 17, 2007

fluorescent lights and why it's worth saving resources

A common criticism of fluorescent lights is the inability to use dimmers, as mentioned in Julien Goodwin's blog.

However with some thought at the time the lights are installed this problem can be solved. The first thing to keep in mind is that an infinite number of levels of illumination (analogue scale) is not really required. In most cases two or three levels should do.

If you have two compact fluorescent lights that use 5W and 10W then you have the options of 5W, 10W, and 15W. If you have a large room to light (such as a lounge room) which needs 30W of fluorescent lighting for full illumination then you could have six 5W globes dispersed and have anything from one to six of them turned on to give different levels of illumination.

Of course if you don't plan electrical work then it's easiest to just use incandescent lights in those areas. As long as the areas that use the most light for the longest time have fluorescent lighting it shouldn't make too much difference.

In response to a post on Planete Beranger, saving energy DOES matter. Sure, you saving a few KWh isn't going to make much difference on its own, but when a million other people do the same it all adds up.

The lack of public transport in the US causes more problems for the country than just environmental damage. It hurts the economy by making it more difficult for people to get to work. It will hurt the defence forces in the (unlikely) event of an invasion (trains are the best way of moving large numbers of troops, heavy weapons, and military supplies). It also hurts the national interest in decreasing the ability to react to civil emergencies. For example the entire population of New Orleans could have been evacuated in time using a single platform of a European station. If every city had multiple stations that had a reasonable number of platforms and multiple redundant train lines then evacuating civilians and bringing in emergency equipment and workers would be very easy. In the Netherlands train lines often run on top of dikes, this means that the dikes are very strong (if they can sustain the weight of a freight train then they aren't going to be washed away by a wave) and that trains can still operate while flood waters are rising. If New Orleans is to be rebuilt to its former glory then the Americans should consider a similar design.

Large cars are a temporary issue. As fuel prices rise people will choose smaller cars. Also hopefully people will start to realise that 4WD and SUV vehicles are actually less safe than cars and stop buying them for perceived safety.

The Chinese government doesn't worry about the same environmental issues, however they have more aggressive targets for renewable energy use than most countries. It's not a matter of being nice (they aren't), but of looking out for their own self interest. It's a pity that the governments of the US, Australia, and EU countries have not yet done the same - but it will happen eventually.

As for supermarkets using open fridges, if they vent the heat outside the building then it will be just part of the building air-conditioning system. Every adult dissipates about 100W of heat when at rest, when shopping it would be more than 100W. Get 100 people in a supermarket (not the peak business time) and 10KW would have to be removed by the A/C system without counting heat from lights (fluorescent lights dissipate about half their energy as heat, they are much more efficient than incandescent lights but much less than LEDs), and heat from other machinery.

Finally, if you want to see changes in government policy then join your local Green party!

Friday, March 16, 2007

are Thinkpads meant to run 24*7?

My Thinkpad has started to run hot recently. If I do anything CPU intensive then it will heat up to >80C and then turn itself off. When idling it seems to stay at about 60C when the ambient temperature is about 24C.

It used to not be like this, a couple of years ago I cracked a GPG pass-phrase by using my Thinkpad (as well as a few other machines) to run a brute-force attack lasting a few months. So a couple of years ago I could run at 100% CPU time for months on end and now I can only do that for a few minutes.

It seems that my Thinkpad may have accumulated dust in its fan from years of running 24*7. I run my Thinkpads 24*7 so that they can download email and large files while I'm asleep, because Linux suspend options have been lacking until recently, and because I use my laptop for a large portion of the day.

The problem I am having is similar to what I had with a previous Thinkpad. Are Thinkpads unable to handle 24*7 operation?

Thursday, March 15, 2007

worse than fossil fuel?

I just read an interesting blog post from December 2005 about the environmental impact of bio-fuels. It makes some really good points that should be studied by everyone who is interested in protecting the environment.

However this doesn't mean that bio-fuels are inherently bad, just that some methods of production are bad.

The blog claims that reusing oil that had been used for frying would cover 1/380 of the fuel used for road transport in the UK. There are some technologies that have been recently invented to process farm and industrial waste into oil, some of which are already in production in the US. The volume of farm waste (and equivalent waste from restaurants) would significantly exceed the frying oil from restaurants and converting waste plastic into fuel would add even more. I'm sure that these sources of fuel from waste would add up to at least 1% of the current transport fuel use.

A better train system has the potential to halve the use of fuel for transport (or better), when living in Europe I never considered owning a car, the trains were so good and the car parking was so bad that it wasn't worth doing. A combination of less cars and the cars being driven less would significantly reduce fuel use.

Hybrid vehicles and vehicles with smaller and more efficient engines could halve the use of fuel again (or better). Diesel hybrid cars that are currently being tested use as little as 1/4 the fuel of current petrol cars. Add further technological improvements such as the six-stroke engine and we could be looking at something better than four times the current fuel economy of cars.

I don't think it's unreasonable to assume that a combination of a good public transport infrastructure, fuel efficient vehicles, and government incentives for using both could reduce the transport use of fuel by a factor of 8. This would mean that fuel produced from restaurant, farm, and plastic waste (which I conservatively estimate at four times the volume of used frying oil) could account for more than 8% of the fuel supplies. The EU wants to have 5.75% of fuel oil to come from renewable sources, it seems to me that this is possible without importing any bio-Diesel from developing countries!

Electric cars could of course significantly decrease the use of fuel oil too. A Prius+ (Prius modified to take mains power) would be an ideal vehicle for me. I rarely make long journeys and rarely make multiple journeys in one day so I could use mains power most of the time. I estimate that with a Prius+ I would use no more than two tanks of petrol a year.

Then of course there's the issue of market protection. It seems that every first-world country has a farming lobby that convinces the government to pay them to produce more crops than they can sell at market rate. Instead of subsidising food that is sold to other countries such government money could go towards subsidising development of bio-fuels. The US subsidy of corn production is a classic example of this, corn syrup can be easily fermented and distilled to make fuel - much better than eating the nasty stuff!

SE Linux on /.

The book SE Linux by Example has been reviewed on Slashdot.

The issue of Perl scripts was raised for discussion. It is of course true that a domain which is permitted to run the Perl interpreter can perform arbitrary system calls - it can therefore do anything that SE Linux permits that domain to do. This is in fact a demonstration of how SE Linux does the right thing! If you want to restrict what can be done when executing the Perl interpreter then you can have a domain_auto_trans() rule to have Perl run in a different domain.

Restricting Perl (as used by one particular program) is actually easier than restricting a complex application run by users such as Firefox. Users want to use Firefox for web browsing, local HTML file browsing, saving files that are downloaded from the web, running plugins, and more. Granting Firefox access to perform all those tasks means that it is not restricted from doing anything that the user can do.

A claim was made that novice users would not understand how to use SE Linux. The fact is that they don't need to. I know many novice computer users who are running SE Linux systems, it just works! It's more advanced users that have to learn about SE Linux because they configure their machines more heavily.

The essential difference between path-based access control and Inode based access control is that the standard Unix commands to control file access (chmod, chown, and chgrp) all operate on Inodes. If a file has 1000 hard links then I can restrict access to all of them via a single chmod or chcon (the SE Linux command that is comparable to chmod) command. AppArmor does things differently and implements an access control model that is vastly different to the Unix traditions. SE Linux extends the Unix traditions with Mandatory Access Control.

Granting different levels of access to a file based on the name of the link which is used is a horror not a feature.
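
The inode argument above can be checked on any Unix system. The following is an added example, not part of the original post: it makes one file with many hard links, runs a single chmod through one of the names, and confirms every name shows the same inode and mode. The name_keyed_decision function is a hypothetical toy model of a rule keyed on the path string (it is not AppArmor's implementation), and all file names are constructed.

```shell
#!/bin/sh
# Added illustration: Unix permissions live on the inode, not on the name.
# All file names and the toy rule below are constructed for this demo.

# "<inode> <mode>" of a path, using only POSIX ls and awk.
inode_and_mode() {
    ls -lid "$1" | awk '{print $1, $2}'
}

# Make one file with $1 extra hard links, run a single chmod through one
# of the names, then count the names whose inode or mode differs.
# Prints "<mode> <names checked> <mismatches>".
chmod_through_one_link() {
    dir=$(mktemp -d) || return 1
    echo "data" > "$dir/original"
    chmod 644 "$dir/original"
    i=1
    while [ "$i" -le "$1" ]; do
        ln "$dir/original" "$dir/link$i"
        i=$((i + 1))
    done
    chmod 600 "$dir/link1"        # one call, applied to the shared inode
    want=$(inode_and_mode "$dir/original")
    names=0
    bad=0
    for f in "$dir"/*; do
        names=$((names + 1))
        [ "$(inode_and_mode "$f")" = "$want" ] || bad=$((bad + 1))
    done
    rm -rf "$dir"
    echo "${want#* } $names $bad"
}

# Hypothetical toy model of a rule keyed on the file name:
# deny names starting with "private", allow everything else.
name_keyed_decision() {
    case ${1##*/} in
        private*) echo deny ;;
        *) echo allow ;;
    esac
}

# One inode reached through two names.
# Prints "<same inode?> <decision for name 1> <decision for name 2>".
two_names_one_inode() {
    dir=$(mktemp -d) || return 1
    echo "data" > "$dir/private.txt"
    ln "$dir/private.txt" "$dir/other.txt"
    a=$(ls -id "$dir/private.txt" | awk '{print $1}')
    b=$(ls -id "$dir/other.txt" | awk '{print $1}')
    [ "$a" = "$b" ] && same=yes || same=no
    echo "$same $(name_keyed_decision "$dir/private.txt") $(name_keyed_decision "$dir/other.txt")"
    rm -rf "$dir"
}

chmod_through_one_link 1000
two_names_one_inode
```
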

I wrote this as a blog entry rather than a /. comment because my lack of Karma means that fewer people will read my /. comments than my blog.

things to do for the environment

I got the idea for this from Ben Hutchings.

A. Copy the list below to your own journal and

Bold the actions you are already taking
Underline the actions you plan to start taking
Italicize the actions that don't apply to you

B. Add one (or more) suggested action(s) of your own

C. Leave a comment here, so that she can track the meme to your journal, and copy your suggested action(s) back to my master list.

  1. Replace standard incandescent light bulbs with compact fluorescent light bulbs
  2. Choose energy efficient appliances - I'm documenting the power consumption of my computers
  3. Wash clothes in cold(er) water - Colder than what? I suspect this is based on American machines that are controlled by mixer valves rather than using a thermostat.
  4. Turn the thermostat of your hot water tank down to 50°C (125°F) - this is a good safety measure anyway
  5. Install a programmable thermostat (or turn the heat down over night and when you're out of the house)
  6. Register with the [Canadian Marketing Association's] Do Not Contact Service to reduce the amount of junk mail delivered to your house. - Substitute MPS.
  7. Eat less meat (particularly feedlot beef) - For practical purposes I'm vegetarian, with occasional exceptions.
  8. Walk, bike, carpool or take public transit as often as possible - I'm writing this on the tram
  9. Make sure you know what can be recycled in your area, and try to recycle as much household waste as possible
  10. Compost using an outdoor compost bin or an indoor vermicomposter
  11. Clean or replace filters on your furnace and air conditioner
  12. Buy local, organic or fair trade food where possible
  13. Reduce air travel - pity that long-distance trains suck in Australia
  14. Wrap your water heater in an insulation blanket
  15. Use a clothesline instead of a dryer whenever possible - don't own a clothes dryer, hanging up clothes inside near a heater works on cold days
  16. Plant a tree - pity my trees are dying because of the drought / climate change
  17. Buy fresh foods instead of frozen
  18. Keep your car tuned up and your tires inflated to their optimal pressure - also minimise driving. I drive about 5000Km per year.
  19. Use biodegradable dishwashing liquid, laundry soap powder, etc.
  20. Drink tap water (filtered if necessary) rather than buying bottled water - remember the Benzene incident...
  21. Turn the tap off while brushing your teeth
  22. Unplug seldom-used appliances and chargers for phones, cameras, etc., when you're not using them - the power use is small so I only do this for rarely used chargers.
  23. Plug air leaks and drafts around doors and windows with weatherstripping
  24. Switch from disposable to reusable products: food and beverage containers, cups, plates, writing pens, razors, diapers, towels, shopping bags, etc - I've done this for most things, could improve though.
  25. Consider garage sales, Freecycle, eBay, or borrowing from friends/family before buying a new tool or appliance - second-hand and refurbished computers are so powerful and so cheap that you don't need to care about the environment to do this.
  26. Reuse bathwater, maybe to flush the loo, water the garden, etc.
  27. Make sure your roof is well-insulated. - I think it is, but as tenants it's not really our choice.
  28. Always wear a jumper/sweater and socks indoors unless it's warm enough outdoors to go without both.
  29. Run your vehicle on biofuel/sustainable fuels
  30. Set up a grey water barrel to use when clean water isn't necessary - grey water should never be stored. It contains chemicals that are used as food for bacteria.
  31. Put grey water on your garden immediately without storing it.
  32. Install tanks to collect rain-water from your roof for watering the garden, washing your car, etc.

Wednesday, March 14, 2007

getting big changes in Debian

Erich Schubert comments on the issues relating to getting big changes into Debian. This is something that I had also noticed. I started work on SE Linux in Debian in 2001 and continued it actively until 2003 when I joined Red Hat. Less than a year after I joined Red Hat there was a Fedora release with SE Linux fully integrated and shortly after that there was a release with SE Linux on by default. The reason for this was that Red Hat management supported the idea of SE Linux and everyone had to accept it. There was no option for a package maintainer to refuse to support SE Linux.

Recently in a discussion on debian-devel one DD (who I won't name in this blog post) advocated removing SE Linux support from dpkg. I then asked him whether he had the same attitude towards non-executable stack (Exec-Shield/PaX/OpenWall), Poly-Instantiated directories, and PIE executables. When he expressed interest in having those features I pointed out that one of the enemies of security in Debian is the fact that every person controls their little area and has no requirement to work towards common goals (apart from the most obvious ones of making the system work).

This means that instead of having a little cooperation from other developers anyone who wants to get a significant change included will have to fight hundreds of battles.

SE Linux is a classic example of this. Debian could have had SE Linux support long before Fedora, but instead it gets it long afterwards.

The same battles occur with regard to all the other security measures I mentioned (and some others I didn't). We could make Debian the most secure Linux distribution, there are many people who have the skills and the interest in doing so.

If you want features such as exec-shield, then you are missing out - largely because the people with the skill and time to work on them are too busy fighting trench-warfare rather than actively coding.

Now while I strongly object to most incarnations of the "you can't force a volunteer to do anything" meme that infects Debian I do agree that we can't force developers to write new code. We can however strongly discourage an antagonistic attitude towards new features. If someone proposes a feature that you don't plan to use but which doesn't hurt you then there's no reason to attack - you can just ignore it. If someone sends in a patch that adds a feature which is requested by many people but you personally don't use, then if it has little or no down-side (linking against a couple of shared objects as is the case for many SE Linux enabled programs provides no measurable overhead) and the code is good it should be merged!

The real problem is that some DDs are more concerned about what is best for them personally (in the most short-term manner) than about what is best for the users.

Tuesday, March 13, 2007

old drivers

This morning when walking through a shopping center car park on my way to work a grannie came fairly close to squashing me. She accelerated her Mazda 323 backwards as hard as possible and hit a purple Magna. The back ends of both cars were seriously damaged, and the Mazda (which received the worst damage) was possibly a write-off (it doesn't take that much damage to make an old car an insurance write-off). The damage was surprising given that there was only about 4 meters between the cars before the crash, the roar of the engine however did indicate that full acceleration was being used. The area between the vehicles was where I had just walked a few seconds earlier...

I phoned the police and waited until they arrived. They might end up forcing her to have a driving test, but it's most unlikely that she will lose her license. One of my relatives passed such a test more than 10 years after I refused to ever be a passenger in his car.

What is needed is periodic testing of all drivers with the same standards as used for initially getting a drivers license (currently the standards are much lower). I would probably have to practice my parallel parking before such a test (it's something I hardly ever do) but I expect that I wouldn't have any difficulty in passing - as would all good drivers.

Sunday, March 11, 2007

creating a new SE Linux policy module

Creating a simple SE Linux policy module is not difficult.

audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

For example I had a server with the above messages in the kernel message log from the spf-policy program (run from Postfix) trying to run the "hostname" program. So I ran the following command to generate a .te file (SE Linux policy source):

dmesg|grep spf.policy|audit2allow -m local > local.te

The -m option to audit2allow instructs it to create a policy module. The local.te file is below:

module local 1.0;

require {
class file execute;
type hostname_exec_t;
type postfix_master_t;
role system_r;
}

allow postfix_master_t hostname_exec_t:file execute;

Then I used the following commands to create a policy module and package it:

checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod

The result was the object file local.pp and an intermediate file local.mod (which incidentally can be removed once the build is finished).

After creating the module I used the following command to link it with the running policy and load it into the kernel:

semodule -i ./local.pp
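
To show how the fields of a denial map onto the allow rule in local.te, here is an added example (not from the original post and not audit2allow's own code) that derives allow rules from AVC lines in shell. It is a simplified stand-in that handles only the fields shown above; the sample log is constructed from the denial quoted in the post plus made-up lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn AVC denial lines into allow rules.
# Simplified stand-in for audit2allow, not the tool's actual code.

# Constructed sample log: the denial quoted in the post, a duplicate with a
# different timestamp, an unrelated kernel line, a made-up denial with two
# permissions, and a malformed denial with no tcontext.
SAMPLE_LOG='audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
audit(1173571341.100:12856): avc: denied { execute } for pid=5679 comm="" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
eth0: link up
audit(1173571342.500:12858): avc: denied { read getattr } for pid=5678 comm="" name="example" dev=hda ino=4321 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
audit(1173571343.000:12859): avc: denied { execute } for pid=5678 scontext=root:system_r:postfix_master_t:s0 tclass=file'

# Value of the first key=value token named $1 in AVC line $2.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Permissions listed between the braces, e.g. "execute" or "read getattr".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Print one "source_type target_type class permission" line per permission.
# Returns 1 (printing nothing) if any field is missing or malformed.
avc_tuples() {
    perms=$(avc_perms "$1")
    # The type is the third field of user:role:type[:level].
    stype=$(avc_field scontext "$1" | cut -s -d: -f3)
    ttype=$(avc_field tcontext "$1" | cut -s -d: -f3)
    class=$(avc_field tclass "$1")
    [ -n "$perms" ] || return 1
    [ -z "$(printf '%s' "$perms" | tr -d 'a-z_ ')" ] || return 1
    for v in "$stype" "$ttype" "$class"; do
        case $v in
            ''|*[!A-Za-z0-9_]*) return 1 ;;
        esac
    done
    for p in $perms; do
        printf '%s %s %s %s\n' "$stype" "$ttype" "$class" "$p"
    done
}

# Read a log on stdin and print merged, de-duplicated allow rules.
rules_from_log() {
    while IFS= read -r line; do
        case $line in
            *avc:*denied*) avc_tuples "$line" || : ;;
        esac
    done | LC_ALL=C sort -u | awk '
        { key = $1 " " $2 ":" $3
          if (!(key in n)) order[++cnt] = key
          perms[key] = (key in n) ? perms[key] " " $4 : $4
          n[key]++ }
        END { for (i = 1; i <= cnt; i++) {
                  k = order[i]
                  p = (n[k] > 1) ? "{ " perms[k] " }" : perms[k]
                  print "allow " k " " p ";" } }'
}

printf '%s\n' "$SAMPLE_LOG" | rules_from_log
```

Each generated rule grants exactly what was attempted, so read every line before building and loading the module.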

nerve action - sound vs electricity

Leon Brooks linked to this article claiming that sound not electricity travels through nerves.

When you put a moderate voltage through your body it will cause muscle action (try putting 1000V at low current between fingers of the same hand for safety). The original experiment that suggested that electricity is used involved applying a shock to the legs of a dead frog (see the Wikipedia entry for Luigi Galvani).

For this claim about sound to be valid the electric shocks would have to cause sound in the nervous system. Also sound impulses would have to trigger nerve action (IE the "brown note"). AFAIK neither of these have been proven.

Saturday, March 10, 2007

another visual migraine

Late this afternoon I had a visual migraine while driving. I was driving west and the glare from the sun was making it difficult to see so I didn't realise that I was having a migraine until I stopped. When I finished my journey and went inside a reasonably dark room I started seeing flashes of light (which weren't apparently bright enough to be noticed when outside). After about an hour the visual effects went away but I still felt weird for the rest of the day.

Friday, March 09, 2007

SFF disks

I recently bought a refurbished HP DL385 server at auction. It turns out that it takes SFF (Small Form Factor) disks and has the ability to take 8 hot-swap disks (not bad for a 2U server).

The machine supports SAS disks and S-ATA disks as well. So the next thing to do is to buy a bunch of S-ATA disks for it.

When I got the machine it reported that the battery for the write-back cache on the RAID controller could not be recharged and needed to be replaced. Apparently this is a firmware bug and I can fix it by upgrading the firmware on the machine. Of course I need to buy some disks so I can do an OS install first.

As an aside it's amazing how cheap some of the Opteron servers are at auction nowadays.

Wednesday, March 07, 2007

features of BMW 5 and 7 series

I was reading the brochure about the BMW 530i Touring (which seems to be the BMW name for what is known as a "Station Wagon" in Australia or an "Estate" in Europe). I looked at the brochure on the "Touring" because I am interested in a Station-Wagon - the Sedan version of the 5 series is almost the same in every way other than size and shape.

Here are some of the interesting features:
Adaptive headlights, they turn in to a corner when the car is cornering (showing where you are about to go instead of showing you the scenery off the road) and the high-beam switches off when an oncoming vehicle is detected.

Head-up display for speed, navigation, and other driver-relevant information.

Park distance control (PDC). Gives audio and visual alerts when you are about to hit something at low speed.

Eight air-bags of which only the necessary ones will inflate in a collision, and the inflation power will be determined by the severity of the collision.

Dynamic stability control (DSC), traction control, corner brake control, and more. Described as "all of the known features of DSC".

Seat-belt pre-tensioners in the rear and pyro-technic tensioners for front seat belts.

Rain sensor that turns on headlights, and optional head-light washers.

According to its brochure the 7 series has bumpers that regenerate their original shape in collisions of speeds up to 6Km/h and a tire defect indicator. Apart from that there doesn't appear to be much benefit over the 5 series apart from more luxury features.

To get the PDF files from BMW Australia (without following my links which BMW will probably break soon) you have to fill in a form with "contact details". To enter that form you need a browser that works with their javascript (which means not Konqueror) so that you can enter your postcode and be prompted with a list of suburbs that match the post-code. The second-last page of that process allows you to download PDF files and it seems to indicate that your data will not be stored if you don't continue past the stage where you download the PDF files. It would be good if BMW could get smart and make their PDF files as easy to download as Mercedes does.

In terms of safety features it seems that the 7 series offers little over the 5 series. By comparing the brochures it seems to me that the Mercedes S series (as described in my previous blog post) has many more safety features than any BMW. Assuming that the BMW documents are accurate they don't seem to compare well with the Mercedes S class. From a quick search on (the best web site for buying used cars in Australia) it seems that the Mercedes keeps its value better than the BMW - other people apparently share my opinion of the relative merits of the cars.

In future posts I'll summarise the features of some other cars that I consider interesting.

Tuesday, March 06, 2007

reading email on a tram

This morning there were two or three classes from a local primary school on board my tram taking up all the seats (mostly three children to a seat).

So to answer some email and write blog entries I had to sit in a stair-well. Melbourne trams are symmetrical so that they can just change direction at the end of the line (unlike some other trams - the Amsterdam tram line 10 that I used to catch has a circle at each end of the line for the tram to turn). Being symmetrical means that the doors on the left side of the tram are used for passengers to get on and off, and the doors on the right are locked - so the right stairwell is a place you can sit to use a laptop if all the seats are taken.

While I was sitting on the floor some women started talking about me, I heard comments such as "he's answering his email", "it must save a lot of time, he could do half an hour of email on the way to work", and "he must work for an Internet company - look at his shirt" (I was wearing an Intel shirt given out at LCA 2007). At that point I decided to briefly explain the work I do, there's a limit to the amount of time I can refrain from joining the conversation when people are standing around me and talking about me.

They didn't seem to understand enough to enable me to explain anything about Linux.

Monday, March 05, 2007

presentations and background color

In response to my last post about using laptops for presentations it has been suggested to me that using white (or a very bright color) as the background color can help some displays synchronise with the signal. I haven't had an opportunity to test this but it seems likely that as most computers are configured with a white background nowadays the display hardware is optimised for this case.

Another benefit of a light background is that it provides more ambient lighting to the room where the presentation is held. If all the lights are turned off (sometimes there is no dimmer switch) then the radiant light from the screen is the only form of illumination for the room.

Finally with the way the current generation of beamers work there is less heat trapped in the beamer if there is mostly white on the screen. This will hopefully decrease the incidence of hardware failures during lectures (which unfortunately are not uncommon in my observation).


Based on a comment on this blog entry I did a quick survey of the color schemes, black on white, yellow on blue, and white on green. Black on white got the most votes with some people saying that yellow on blue was most aesthetic while black on white was easiest to read ("clear and boring" was one comment).

One person pointed out that the light diverges slightly so black on white makes the letters look smaller while white on black makes them look bigger. My response to this is to use a slightly larger font.

last beard post

On Tuesday the 23rd of January I shaved off my beard after spending 107 days growing it, see above for the final beard pic. It was an interesting experiment and it's something that I recommend trying, but I couldn't keep it.

Having a beard is more effort than being clean-shaven. Eating is more difficult when you are trying to keep your beard out of your food. If you get the full beard (as I did) then the moustache at the sides of your mouth will get into your food (particularly bad for ice-cream). I guess that the benefit of having a waxed moustache would be that the wax would keep it out of the way of the food - the waxed moustache wasn't just an issue of style!

Madduck suggests that when you drink Guinness you "push your lips past the head and draw up only the dark stuff". Of course that won't work if you have a moustache as you don't want a moustache that's soaked in beer!

Immediately after cutting off my beard I didn't shave for almost a week and experienced much less discomfort than I had previously experienced when not shaving for that period. I think that having been used to having a beard an amount of hair that would previously annoy me is not noticeable. Also it seems that the hair was initially softer after I cut off the beard. Maybe shaving somehow makes the hair grow tougher.

When I had the beard I thought that I hadn't adjusted my body image to match, as every time I looked in the mirror I felt surprised to see it. Once it was gone my new look initially seemed more odd to me than my previous appearance, and it took me a number of weeks to get used to not having a beard.

When shaving off my beard I decided to do it in stages, firstly I did a "goatee" cut and then just a moustache. The moustache is a little lop-sided, but I was in a hurry and didn't plan to keep it for long.

Sunday, March 04, 2007


You might expect that a vaccine against a disease that causes cancer would be widely embraced as soon as it was proven safe. If the disease in question was transmitted by contaminated food or water, sneezing, or most of the other ways that diseases spread then it probably would be widely accepted.

However there is a recently released vaccine against Cervical Cancer. The virus in question is only transmitted sexually. Apparently 80% of women in the US will catch it before the age of 50 (so it's obviously not scaring people away from unsafe sex).

There is a strong Christian lobby against the vaccine, their idea is that if sex doesn't cause debilitating and/or fatal conditions such as cervical cancer then their daughters will have less reason to avoid it. The fact is that religious people are statistically more likely to practice unsafe sex (see this link) so it seems unlikely that preventing one of the STDs that religious people might catch will affect the amount of unsafe sex.

One thing that seems strange about the entire discussion is that no-one has raised the possibility of vaccinating boys. Vaccinating boys could lead to the virus being eradicated. Even if an eradication attempt fails it will help save some of the Christian girls.

Saturday, March 03, 2007

the word "beamer"

Martin F. Krafft blogs about looking for advice on buying a "beamer". He describes the word as meaning a projector in Germany (it also means the same in the Netherlands).

Since the time when I lived in the Netherlands I have been using the word in English, most people immediately understand what it means, and I believe it's a better option than the word "projector". The only possible confusion in this regard is the term Beamer is slang for a BMW car. But it's pretty rare to talk about cars and computer display methods in the same sentence so this shouldn't be a problem.

meeting people at Linux conferences

One thing that has always surprised me is how few people talk to speakers after they have finished their lecture. A lecture might have many questions and the questions may be cut off, but when the speaker leaves the room they will usually do so alone.

When I give lectures at conferences I'm always happy to spend more time talking to people who are interested in the topic and disappointed that so few people choose to do so. It seems that other people have similar experiences, there have been several occasions when I have invited speakers to join me for lunch and no-one else has shown interest in joining us.

Usually the most significant factor in making someone offer a talk at a Linux conference is the opportunity to teach other people about the technology that they are working on. People with that motivation will take the opportunity to teach people at lunch, dinner, whenever.

Linux Conf Au has an event called the "Professional Delegates Networking Session" which is regarded by some people as the way to meet speakers (about half the delegates don't attend so the ratio of speakers to delegates is significantly better than at other conference events). But it seems to me that it's more efficient to just offer to buy them dinner. When I worked for Red Hat the maximum value for a gift I could accept was $100US, I expect that Red Hat has not changed this policy since then and that most companies that employ speakers at Linux conferences have similar policies. $100US is more than a meal costs at most restaurants that are near a Linux conference.

If I was a manager at a company that sent employees to a Linux conference I would first send email to some speakers who were working in areas of Linux development that were related to the projects that the employees were working on. I would ask the speakers if they would be interested in having dinner bought for them by my company and give them the option of bringing one or two friends along for a free meal (the friends would probably be people who work in similar areas).

Friday, March 02, 2007

spare tires

The following letter was published in the RACV Magazine. The Royal Automobile Club of Victoria is a driver advocacy organization that provides roadside assistance and insurance. The fact that they published my letter means that the idea can't be totally wacky so I'll blog it. ;)

There have been many mentions recently in RoyalAuto about space-saver spare tires. Some manufacturers claim that they are to save weight which seems to be a benefit for the driver.

I wonder if most drivers really need a spare tire. For my own driving I only have a flat tire about every second year and I almost never drive outside the metropolitan area. Given how rarely I call for road-side assistance I think I would be better off without a spare tire and with the option of having the RACV deliver one for me if I needed it.

I expect that the time taken to deliver a spare tire would be greater than that required for a regular road-side assistance call, and that it might count for more than a regular assistance call, but given that the cheapest roadside assistance package has 8 calls a year I expect that most years I would still use less than half my quota of calls.

Not having a spare tire would save some weight (and therefore fuel) and would provide a little extra cargo space.

Also it seems to me that small cars are unlikely to ever be driven outside the area that is serviced by the RACV and similar organizations. For a small car the lack of a spare tire in the car design would offer a significant improvement to cargo capacity. If the RACV and other organizations endorsed and supported cars without spare tires then the car manufacturers could design small vehicles with more cargo capacity and less fuel use.

Thursday, March 01, 2007

Mercedes S class and car safety

The S Class Mercedes has some really interesting safety features, see this 6.8M PDF file for details. If you are interested in technology then you want to read it just to learn about all the cool features - it's got more technology than a Prius!

The S class includes the following features to protect the occupants in the event of a crash:

  • Tire pressure monitors
  • Electronic Stability Program (ESP) to selectively apply the brakes to reduce the risk of skidding
  • Active suspension
  • Pre-Safe is a management feature that recognises a potential collision by the steering and braking patterns of the driver and prepares the vehicle for an impact. This can involve adjusting the sun-roof, the seat-belts, and the driver's seat position to prepare for impact, closing the side windows, and inflating air chambers in the sides of the seats.
  • Head rests that automatically adjust in the event of a rear impact

The following features reduce the risk and/or severity of a crash:
  • Night view (infra-red) display gives a display of potential obstacles ahead without dazzling oncoming traffic
  • Distronic Plus is a brake assistance package that includes automatic braking based on radar surveillance of the traffic ahead
  • 4Matic is a new feature that combines AWD with the traction-control feature that has become common on all expensive cars. This means that when any combination of wheels starts to spin on water or ice the brakes will be applied to them so that the wheels that have good grip can still be used for acceleration.

After a crash there are more safety features that can help you:
  • The engine can be automatically turned off after an impact and if necessary the fuel supply can also be cut
  • The hazard lights and emergency interior lights can be automatically activated
  • The side windows can be partially lowered, if your car lands in water deep enough to submerge it then you MUST open the windows as soon as possible - otherwise water pressure may make it impossible to open the doors - people forget this so it's good to have an automatic feature
  • Automatic door unlocking after an impact (good for rescuing unconscious occupants)
  • Cutting points marked on the windscreen and rear window for the benefit of emergency workers who need to cut the roof off with the "jaws of life"

These features are documented as being available in the latest S Class, I haven't investigated what is available in the cheaper models and I'm not even sure where to find information on the safety features available in older models (a second-hand E class is more in my price range). But if I won the lottery a S class Merc would be high on my list of things to buy!

If you know of other cars that have a similar set of safety features to the S class and cost less then please let me know.

I will probably write a blog post about the BMW safety features in the near future. I couldn't do so immediately because the BMW web site sucks. They have a form for me to fill in contact details so that they can post me a brochure (I want to read it NOW ONLINE). The form doesn't like my postcode and refuses to proceed (it should at least have an option for them to contact me via email or phone).