pterjan's diary

  Gtk client for HP TopTools P1218A card

From December 19 to December 28 zarb.org main server was down. This server host(s|ed) many things including this blog, Mageia website, PLF, ... The reason why it took so long is that the server is in the south of France, kindly hosted by Lost Oasis and we have no one nearby to physically access it, and in this case we had lost our main raid array.

This server (kindly donated by HP almost 10 years ago) has a remote administration card (P1218A) but it is not really usable for anything except rebooting the machine. The remote console more or less works with some of the java versions from sun, but most of the time it only displays the top third of the screen, until next refresh when it goes black, and misses many keystrokes. This made it unsuitable for accessing the RAID BIOS and finding the problem.

After about a week, for some unknown reason (I could have done it many times over the last 10 years), I thought of looking at the communications between the applet and the management card. Everything was clear text and very simple. The next days I wrote a ruby-gtk client for the card, accessed the BIOS, found that the 4 disks had been marked has failed without errors and were correctly syncronized, and put them back online.

Login
The first (and longest) part was to find how to login and get the session cookie. The exchange looks like:
GET /cgi/challenge HTTP/1.1
<?xml version='1.0'?><?RMCXML version='1.0'?><RMCLOGIN><CHALLENGE>DJRhNVfOWfuB8fS/6PFazg==</CHALLENGE><RC>0x0</RC></RMCLOGIN>
GET /cgi/login?user=FOO&hash=UtPRDzFS36s0jJBgTmtS4JDR HTTP/1.1

Challenge was obviously 16 bytes of data base64 encoded. Response was called hash and was 18 bytes whatever the password is. Given that it was written more than 10 years ago, I supposed it would be md5, even if it only gives 16 bytes.

I then wrote a small ruby application trying various combinations (md5(challenge + password), md5(xor(callenge,password)), xor(challenge,md5(password)), ...) and found that md5(xor(challenge,md5(password))) was giving me the correct first 16 bytes.

I then used an online CRC calculator to find that the remaining 2 bytes are "CRC-CCITT (XModem)".

Console
The other big part was the remote console.

Getting the current screen content is quite easy, it's a GET on /cgi/scrtxtdump (with an optional force=1 parameter).

In my initial tests there was 0x10 between each character so I just filtered them out. I found later that it actually gives attributes for the character (bold, color, ...) and now support the ones I have seen so far.

Sending a keypress is quite easy too, it's a POST to /cgi/bin with data being <RMCSEQ><REQ CMD="keybsend"><KEYS>space separated scancodes</KEYS></REQ></RMCSEQ>.

The result

The code is now online, still very ugly, but hopefuly helpful :)

  Mageia 1 is out!

Almost 9 months ago, Mageia was forked out of Mandriva by many former Mandriva employees and contributors. At that time it did not exist yet, everything had to be done, but we are now happy to announce that it's ready!

The first technical work was to get a build system, and the result is pretty nice. With only 2 build hosts it is faster and more reliable than Mandriva's one, while reusing most of the code. The various improvements could have been done at Mandriva but having to deploy a new one (with less resources) is a good time to simplify the architecture and the code.

Then the massive work: importing rpm packages, fixing them as quite a few did not build, and cleaning them. The result is 7389 source packages (Mandriva has 12390, Fedora has 10283) and mageia 2 will probably have much more as only packages needed/requested by packagers and early testers were included.

More than the number of packages, the interesting data is that they all got built recently, and there are 0 broken dependencies or orphan binary packages! For comparaison Mandriva currently has 4059 src.rpm older than 6 months, 1065 binary packages without matching source, 4756 binary packages with broken dependencies.

Of course this could have bben done inside Mandriva again, but when you see a list of 4756 problems, and spend a week-end fixing 100, the list still look the same size. If you only have a few to fix then you can spend an hour fixing everything! Growing from a sane base is much better and easier than trying to cleanup the huge mess.

Given the amount of work to get everything in place, don't expect much bleeding edge stuff in version 1. No GNOME3, no switch to systemd, ... the goal was to have all the infrastructure and teams setup, and have a strong basis for a great version 2, and I think the result is quite nice!

All the teams did a great job, and thanks to everyone Mageia 1 is now out!

It is available as DVD, LiveCD or dual-arch CD as Mandriva used to be. Enjoy!

  TV Licensing

I received today a scary leaflet titled "It's a criminal offence to watch or record TV without a TV Licence" because I don't have a TV licence (I did not have a TV for about 10 years and don't watch TV on any other device). It says that my address was given to Enforcement Division for investigation. I can get £1,000 fine, they will present evidence if I end up in court, they catch 1000 evaders everyday (which really seem high...)

But then they give me a solution: "End this investigation by buying a TV licence. You can buy it immediately on our website."

Then in small characters they list discounts and say that I can inform them I do not watch live TV, and they may confirm it with a visit.

I felt like if I was facing a mafia trying to scare me enough to make me pay...

It seems to be nothing new, and to quote Wikipedia TV Licensing is managed as a sales operation and its officers are motivated by commission payments. In 2005, a TV Licensing officer was found guilty of false accounting and perverting the course of justice after he deliberately forged the confessions of four people to obtain commission payments.

  News from the last few months

First, I got Internet at home few weeks ago, 6 months after moving here. I expect my online presence to get back to a reasonable level :)

Over the last few months I helped Mageia sysadmin team and did some packaging (but really not much). I am currently working on deploying youri-check on check.mageia.org.

I played with NFC on my Nexus S but did not find anything interesting, my Navigo is not seen but people report their as seen, so maybe this is because mine is a three years old Integrale. My oyster card is seen but I cannot access any data: they upgraded to MIFARE DESFire since last year, and it offers real security. Andate Tour card from Porto is a simple MIFARE UltraLight so I can read everything but I would need to go back there to get useful info to decode it, the only surprising thing is that it does not seem write protected...

I also wrote last week a patch for android to set timezone and allowed wifi channels based on mobile country code for many more countries, if it is accepted it will allow people to see networks on channel 12 and 13 in many countries.

On other news, I will be in Paris for a week at the end of the month but will miss Solutions Linux this year. I will however attend Desktop Summit in Berlin in August.

Ah, and I also adopted a GNOME hacker in February, you should do the same

  Will I be prevented to close my laptop lid with GNOME 3?

I tried to comment on Richard's post but for some reason my comment is still awaiting moderation 1h later while 4 new ones have been posted so I'll comment here too.

Choosing if we want suspend on lid close is not about working around kernel bugs. I have had suspend working for maybe 10 years but have always disabled that.

I want to be able to decide when my laptop should suspend or not. Everyday I move my laptop, for example to go to a meeting, and want to be able to close the lid for transport for a few minutes without disconnecting from IRC/losing my ssh/...

I also sometimes close the lid at night to keep it running in my bedroom until something finishes, which I did not think about first, but a comment from Janne reminded me, so I am not the only one doing it.

When I want to suspend, I use the function key. I don't plan disconnecting the lid switch (which I am happy to have turning off the screen) to please "the UI designers for GNOME 3.0".

  The worst of twitter

I had a look this morning at a trend on twitter, #femalesneedto and couldn't find a word to describe how I felt...

Some sample posts over a few minutes:

• #femalesneedto start giving more fellacios and demanding less cunnilinguses
• #femalesneedto put makeup on everyday just like the kardashians. It's a good look!!! Those girls always be hawt!!
• #FemalesNeedTo Realize That All Niggas Not The Same and Stop Fuckin With These Lame Niggas.
• #femalesneedto to stop kissing other females.
• #femalesneedto give it up more. Come on, is the occasional blow job so much to ask??? Take one for the team every now and again.
• #femalesneedto think about how to make their man happy
• #FemalesNeedTo shut the fck up && listen sumtime. believe it or not, u dont always have the most relevant shit to say
• #FemalesNeedTo need to realize they're not the only one. Theres more out there. #PlentyOfFishInTheSea
• #femalesneedto learn how to shut the fuck up
• #femalesneedto stop saying "I can't, I'm a virgin, its gonna be painful"

  IPv6 availability status

Google is now publishing simple statistics on IPv6 access of its users. This is the percentage of users that are able to successfully connect via IPv6, measured by adding a js trying to connect to a dual stacked host to a random part of search results.

Good news is that the number of people with native IPv6 connectivity doubled since last year. Bad news is that it increased from 0.1% to 0.2%.

  Working for Microsoft

I received a Flickr message from microsoft_contact tonight telling me that I have published some photos under the BY Creative Commons license and "That is why, for its new website, MICROSOFT will offer free downloads of your photos on the following French site www.personnalisez-votre-pc.com to be used as screen savers."

They insist that they will mention my name and put a link to my flickr page and to the licence, and that if I do not object within 15 days it means I am in agreement with these terms.

I fail to see how I could object given that they do more than the license require, but that's nice from them to ask!

I found one here which is BY-SA, not BY. I don't know if they used more.

That warmed me up while being trapped in Dublin by the snow.

  Frustration

First, this post is about my current employer, Google, but this is my personal blog and the views expressed here are mine alone and not those of my employer.

I got quite upset this week while reading news about Google Street View and passwords recording, and few days before, about the tax issue. It is very frustrating that most of them are wrong (including major IT magazines) and very few talk about the real problems. Maybe this is generally true of all current media...

First, about the tax question and the Slashdot news "How Google Avoided Paying $60 Billion In Taxes" that was the basis of various other articles.

It seems no one has read the link, starting with the news author. In brief, the original article states that most (88%) of Google non US sales are handled by Google Ireland, employing 2000 people in Dublin, and not paying taxes in the US because it is an Irish company, while the Google technology was mostly developped in the US. Then it says that because many US company do that, US loses $60 billion per year, in total, not just for Google.

Then there is a second part, about how taxes paid in Ireland are low by using some structure in Bermuda, which is more disappointing in my opinion but strangely people don't focus on that and many articles don't event mention it.

Why do no one read the original article before propagating the news everywhere?

Then the Street View issue. For those who did not follow, here is a summary.

Google Street View cars list WiFi AP and cellular networks while taking photos of the world. This is used by the geolocation service to tell you where you are based on the cells and AP that your phone sees.

Last Spring it was found that some code from an engineer's 20% project had been included in production code without checking what this code was doing. This code was sampling data from open WiFi networks to make statistics on the kind of data, and storing the data. When this was noticed, all the cars were stopped and Google made a public announcement (how many companies would have just erased it silently?).

The total amount of data is 600GB. This week it was announced that after some more analysis by one of the public entities (Google did not analyse or use the data, and waits to be able to delete it after everyone worked on it), some passwords have been found in some of the data fragments. Everyone is shocked that Google stole their password. Who can expect that in 600GB of random data from Internet their would be no password?

Why don't people worry that their neighbor has their passwords and can read their email and access their facebook private videos? They call an accidental collection of the broadcasted data an awful abuse, while I am sure many people already collect that data for doing bad things, just they don't announce it publicly.

Yes, Google should prevent unwanted storage of data, and is working on improving internal process about that, but the real problem is that the confidential data is there and anyone can access it. Why don't journalists use this event to explain people that they should secure their networks?

I feel that everyone is paranoid about Google and is very happy to publish anything, without even trying to check or understand the information.

Being worried about a company knowing that much about you is normal (and good), but that should not prevent journalists to address real concerns on that topics.

Between the time I wrote this and the time I published it, I found a tweet that can explain how many articles are written.

  Update on my new life

It has now been one month (and two days) since I started working at Google.

So far this has been a great experience! Working on a really impressive infrastructure, with a lot of great people and in a very friendly environment. I can not describe anything about how great are some internal processes or technologies, but if you have the opportunity, I definitely encourage you to come working with us and see by yourself.

After two weeks in Kirkland, I will fly to Mountain View tomorrow for a week, don't hesitate to contact me if you are around. (Update It seems I'm staying about 2 minutes walk from Mozilla address, don't know if there are many people there)