The Advisory Boar

By Abhijit Menon-Sen <ams@toroid.org>

The wonders of modern refrigeration

2017-01-14

I have never had a refrigerator that was not subject to periodic power failures. The severity and frequency of the outages varied from several small interruptions per day to extended power failures lasting sixteen hours or more; the former could be ignored, while the latter usually meant throwing everything out and starting afresh.

As I grew up and started working with computers, a succession of power backup devices entered my life, and I eventually became accustomed to “uninterrupted” power, but it was strictly rationed. I was never able to connect anything but the computers and networking equipment to the UPS, and certainly nothing like a refrigerator.

So I have never experienced refrigeration as it is meant to be.

Until now. Thanks to our solar power setup, we have been able to keep our refrigerator running without interruptions for several weeks on end. Suddenly it feels as though we have a magical new refrigerator in which food doesn't spoil. Coriander and green chillies stay fresh and usable for days. Cream skimmed off the top of boiled milk is something we can collect for the rare fettucine alfredo. Our precious cheese collection is something we can enjoy at leisure. These days we don't have much in the way of leftovers, and we can use fresh vegetables from our kitchen garden often enough that we store only a few in the refrigerator, but everything remains usable for an absurdly long time.

Today is a festival that has something to do with a water monster. I'm not very clear about the details, but there's a crocodile (or half a crocodile) involved in some way, and that's good enough for me. So in honour of the water monster, we cleaned the fridge today. Nothing was spoiled, and the dreaded “fridge smell” was very faint. The fridge is now spotless, and the monster is appeased.

Makara sculpture - Jain Museum, Khajuraho India

Sometimes the most mundane of insights can seem profound if it comes from experience: modern refrigeration is pretty nice.

Reading about wireguard

2017-01-12

I have more than a passing interest in VPN software, and have looked at and used many different implementations over the years. I haven't found much to cheer about, which led me to write tappet for my personal use.

I've been reading about Wireguard for the past few weeks, and I really like it so far. It follows through on many of the same goals that I had with tappet, and goes much further in areas important to more widespread adoption. The author, Jason Donenfeld, articulates the project's design goals in this presentation.

Keeping the code small and easy to review was a primary consideration for me (tappet is under a thousand lines of code, not including NaCl). By this measure, Wireguard does an admirable job of staying small at around 15,000 lines including crypto code and tests.

When I wrote tappet, the Noise Protocol did not exist in a usable (or recommended) form. Wireguard's adoption of this framework brings a host of desirable properties that tappet lacks, notably including perfect forward secrecy.

One of my major frustrations with OpenVPN is the extraordinary time it takes to establish a TLS connection on a high-latency link. Very often, when tethered via GPRS, it will retry forever and never succeed. Tappet goes to the other extreme—it requires zero setup for encrypted links (at the expense of perfect forward secrecy). Wireguard restricts its handshake to a single round-trip, which is an entirely acceptable compromise in practice.

Wireguard runs in the kernel, thereby avoiding the need to copy packets in and out of userspace. I didn't care nearly as much about performance. Tappet is fast enough in userspace that it keeps up with the fastest link I've tried it on (42.2Mbps DCHSPA+), and I didn't need anything more.

Wireguard accepts multiple peers per interface, while tappet is limited to setting up point-to-point encrypted links. The former is obviously more practical in realistic deployments. (On the other hand, Wireguard is a Layer-3 VPN, while tappet operates at L2 and forwards Ethernet frames instead of IP packets. How much that matters depends on the circumstances.)

I look forward to a time when I can use Wireguard in production.

Ammu embroidered a kitchen towel

2017-01-08

We bought dark kitchen towels to wipe our iron woks, which tend to leave rust-coloured stains—at least temporarily. But Ammu got her hands on one of them, and made it much too pretty to wipe anything with.

Photograph of embroidered kitchen towel

Debian vs. WordPress+Minamaze

2017-01-06

On the twelfth day after Christmas, my true love said to me, “This wordpress theme won't let me save any customisations. Can you take a look at it?”

The theme customisation menu in WordPress displays various options in the left sidebar, and a live preview of the changes on the right. You can edit things in the menu and see what they look like, and there's a "Save and Publish" button at the top. But the button remained stuck at "Saved" (greyed-out), and never detected any changes. Nor was the menu properly styled, and many other controls were inoperative.

We found other reports of the problem, but no definitive solution. Disabling certain plugins fixed the problem for some people, but that didn't help us—hardly any plugins were active anyway, and none of the problematic ones were installed.

We looked at network requests for the page in the Chrome developer console, and saw a series of 404 responses for local CSS and JS resources within the Minamaze theme. Here's one of the failing URLs:

http://localhost/wp/var/lib/wordpress/wp-content/themes/minamaze/admin/main/inc/extensions/customizer/extension_customizer.min.js?ver=2.0.0

That /var/lib/wordpress certainly didn't belong in the URL, so we went grepping in the code to see how the URL was being generated. It took us quite some time to figure it out, but we eventually found this code that was used to convert a filesystem path to the static resources into a URL (slightly edited here for clarity):

site_url(str_replace(ABSPATH, '/', $_extension_dir))

(Summary: Take /a/b/c ($_extension_dir), replace /a/b/ (ABSPATH) with a single /, and use the resulting /c as a relative URL.)

ABSPATH was set to /usr/share/wordpress/, but the extension dir was under /var/lib/wordpress/, so it's no surprise that stripping ABSPATH from it didn't result in a valid URL. Not that doing search-and-replace on filesystem paths is the most robust way to do URL generation in the first place, but at least we could see why it was failing.

The Debian package of WordPress is… clever. It places the code under /usr/share/wordpress (owned by root, not writable by www-data), but overlays /var/lib/wordpress/wp-content for variable data.

Alias /wp /usr/share/wordpress
Alias /wp/wp-content /var/lib/wordpress/wp-content

This is a fine scheme in principle, but it is unfortunately at odds with WordPress standard practice, and the Debian README mentions that liberal applications of chown www-data may be required to soothe the itch.

Unfortunately, it also means that themes may not be installed under ABSPATH, which usually doesn't matter… until some theme code makes lazy and conflicting assumptions.

The eventual solution was to ditch /usr/share/wordpress and use only /var/lib/wordpress for everything. Then ABSPATH was set correctly, and the URL generation worked. (We tried to override the definition of ABSPATH in wp-config.php, but it's a constant apparently set by the PHP interpreter.)

In the end, however, I couldn't quite make up my mind whether to blame the Debian maintainers of WordPress for introducing this overlay scheme, or the theme developers for generating URLs by doing string manipulation on filesystem paths, or the WordPress developers for leaving static file inclusion up to theme developers in the first place.

Well, why not all three?
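
The URL-generation failure described in this post, reproduced as an added example (not code from the Minamaze theme, WordPress or the Debian package). The function names and the $roots map are hypothetical; the paths and base URL are the ones quoted above. It contrasts stripping ABSPATH with an explicit map from served filesystem roots to URL prefixes that refuses anything outside them.

```php
<?php
// Added example: stand-alone PHP, no WordPress needed. Paths and base URL are
// the ones quoted in the post; all function names here are hypothetical.
const SITE_URL = 'http://localhost/wp';
const DEBIAN_ABSPATH = '/usr/share/wordpress/';

// Stand-in for WordPress's site_url(): append a path to the site base URL.
function demo_site_url(string $path): string
{
    return SITE_URL . '/' . ltrim($path, '/');
}

// The theme's approach: strip ABSPATH wherever it occurs, then treat the
// remainder as a site-relative URL. If the file is not under ABSPATH,
// nothing is stripped and the whole filesystem path ends up in the URL.
function theme_url(string $file): string
{
    return demo_site_url(str_replace(DEBIAN_ABSPATH, '/', $file));
}

// Alternative: an explicit map of served filesystem roots to URL prefixes
// (the same information as the two Alias lines). The longest root wins, the
// match is anchored at the start of the path, and a file outside every root
// yields null instead of a URL that leaks the server's directory layout.
// Assumes $file is already an absolute, normalised path (no "..").
function mapped_url(string $file, array $roots): ?string
{
    uksort($roots, fn($a, $b) => strlen($b) <=> strlen($a));
    foreach ($roots as $fsRoot => $urlPrefix) {
        $fsRoot = rtrim($fsRoot, '/') . '/';
        if (strncmp($file, $fsRoot, strlen($fsRoot)) === 0) {
            return rtrim($urlPrefix, '/') . '/' . substr($file, strlen($fsRoot));
        }
    }
    return null;
}

$roots = [
    '/usr/share/wordpress'          => SITE_URL,
    '/var/lib/wordpress/wp-content' => SITE_URL . '/wp-content',
];
$file = '/var/lib/wordpress/wp-content/themes/minamaze/admin/main/inc/'
      . 'extensions/customizer/extension_customizer.min.js';

echo theme_url($file), "\n";              // path-in-URL form that returned 404
echo mapped_url($file, $roots), "\n";     // URL under the /wp/wp-content alias
var_dump(mapped_url('/etc/hostname', $roots)); // outside both roots
```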

Rock paintings at Lakhudiyar

2017-01-01

I remember, as a child, reading about the discovery of the cave paintings in Altamira by an eight-year-old, and her wonder at seeing bison and other animals seeming to dance in the flickering light of her torch.

Despite my fascination with palaeolithic rock art, I had never seen any. I had read about cave paintings at Lakhudiyar near Barechhina in Almora district, the best-known of Uttarakhand's many such sites. It's not far from where we live, but not close enough for a casual visit either. We had an opportunity to stop for a few minutes on a recent drive past Barechhina.

It's not really a cave, just an overhanging rock face; and it's a far cry from Altamira. In fact, it looks a little like it might have been the work of a bored schoolboy waiting for a bus home. But there's an ASI “protected heritage site” notice-board, so it must be legit… right?

Rock paintings at Lakhudiyar, Uttarakhand

Notice the obvious (and accurate) “hairpin bend” road sign in the centre of the image. The paintings are a bit repetitive, and unfortunately the ones closer to the ground are quite worn.

Here's a video that shows more of the rock face, and another that shows the approach to Lakhudiyar.

Debian 8 on the Intel NUC5PPYH

2016-12-31

Hassath's birthday present this year was an Intel NUC5PPYH (with 8GB of Kingston DDR3L RAM and a 250GB Samsung SSD 750 Evo) to stand in at home for her ageing Thinkpad X131E.

It took some time for the machine to reach our remote mountain abode, but we have it working nicely after spending a few hours wrestling with it. Here's a quick summary of our experience (InstallingDebianOn/Intel/NUC5PPYH wasn't really useful).

Display problems

Hassath loves her old Samsung SyncMaster 172s monitor (1024x768, VGA) and resists the idea of a new wide-format monitor. Getting the NUC to work properly with this display took the most time (but none of it was the display's fault).

We connected the monitor to the NUC's VGA port and were greeted with a "Video mode not supported" error on the monitor. The Debian installer's text-mode display worked fine after boot, but we couldn't see any of the UEFI setup menus. Fortunately, we were able to sidestep the problem by using an HDMI→VGA adapter that we had ordered “just in case”. Using the HDMI output resolved the display problems with the UEFI menus.

After we installed Debian (8.1 from a USB stick created from the DVD image), X wouldn't start. The intel driver didn't work, and Xorg fell back to the VESA driver, and died while trying to set the video mode. (Also, virtual terminals didn't work at all until we added an xorg.conf snippet to force the resolution to 1024x768.) It didn't work even with the DVI-D input (via another “just in case” HDMI→DVI-D cable) on my monitor.

We stumbled around for a while, but we eventually got it working. The key was to apt-get dist-upgrade against jessie-backports to install a new kernel and drivers (e.g., libdrm-intel1). We also updated the BIOS from revision 0054 to revision 0058, but I am not sure that this was necessary, or even helpful. Xorg works with the new kernel and Intel driver. We didn't bother to check if the VESA driver would also work if we forced its use.

(Aside: we had no UEFI boot-related problems at all. We didn't even need to try the legacy boot option, either for the installation from the USB stick or to boot the installed system.)

Everything else worked

The Ethernet controller is a Realtek RTL8168h, which works out of the box with the r8169 driver. Installing the firmware-realtek package got rid of an “unable to load firmware patch” message, but the adapter worked fine without it.

The wireless controller is an Intel dual band wireless-AC 3165, which required the new kernel from backports (4.8, though 4.2+ should have worked from what we read) and the firmware-iwlwifi package to be installed. It worked fine thereafter.

The audio controller is an Intel "Braswell" 2284, which works out of the box with the snd_hda_intel driver. Audio output goes simultaneously to the headphone connector on the front panel and the glowing red S/PDIF plus headphone connector on the back. We did not try S/PDIF audio (no cable, no devices) or HDMI audio (no audio port on the HDMI→VGA adapter) or recording (no mic—or at least, no mic on my desk).

The Intel Bluetooth 4.0 controller (8087:0a2a) works out of the box with the btusb driver. We were able to pair with an Android phone and a Bluetooth speaker. We were not able to play audio to the speaker, but that is probably not a problem with the NUC, because we didn't manage to get it working with any of our other machines either.

We didn't try the SDXC card slot or the infrared sensor.

Update (2017-01-18): The SDXC card slot works fine. I used it to write a Raspbian image.

Malicious pollution reports

2016-12-30

Before we installed a towel rail in the bathroom, we kept clean clothes on an old newspaper on the washbasin counter while bathing. It kept the clothes dry and kept me entertained while brushing my teeth for several months (I would unfold and refold it differently every few days when the top stories began to seem familiar).

“Pollution report malicious, incorrect: Javadekar” dated June 7, 2016 quoted the reaction of the Union Minister for Environment, Prakash Javadekar, to a paper that was widely reported with headlines like “Life expectancy in Delhi has reduced by six years because of air pollution, reveals study”. Here's a clipping:

Pollution report malicious, incorrect: Javadekar

The original paper, “Premature mortality in India due to PM2.5 and ozone exposure”, written by scientists at IITM Pune and published in Geophysical Research Letters, was not immediately available for download. The Minister's scathing indictment shows that he is only too aware of the threat posed by Elsevier journals.

Of course, this is hardly the first attempt to maliciously target India with overblown pollution reports:

Volcanic activity in modern-day India, not an asteroid, may have killed the dinosaurs, according to a new study.

Tens of thousands of years of lava flow from the Deccan Traps, a volcanic region near Mumbai in present-day India, may have spewed poisonous levels of sulfur and carbon dioxide into the atmosphere and caused the mass extinction through the resulting global warming and ocean acidification, the research suggests.

Barely a month after his astute recognition of this pattern, however, a cabinet reshuffle saw Prakash Javadekar reassigned to the Ministry of Human Resources and Development.

(Aside: “Javadekar does a U-turn after questioning pollution study”.)

One month after demonetisation

2016-12-13

A little over a month ago, our Glorious Leader eliminated corruption, black money, terrorism, and poor people in one bold and innovative move by declaring most of the currency in circulation to not be legal tender.

We are fortunate that we can get by without much cash in hand. We eat mostly what we grow, or is grown nearby in the village, and what few additional expenses we have (e.g., milk) have so far been met by the ten- and twenty-rupee notes we had collected to save time by paying exact tolls on the highway.

Our one visit to the nearest bank yielded a two-thousand rupee note and a bag of coins each—the most the branch could spare per person, given that they've received no cash for several days.

In Delhi, Ammu is not so lucky. Her landlord demands the rent in cash, and in exam season, she has had to stand in queue for several hours at an ATM to withdraw a quarter of her rent (which is the maximum one can withdraw in a day). Strangely, the vegetable and fruit sellers in her locality do not accept digital payments yet.

I was looking forward to hearing what the Supreme Court of India had to say about demonetisation, but they haven't said much, because they're busy with matters of real importance to the nation, like how often the national anthem should be played and how straight one should stand to properly demonstrate one's “constitutional patriotism”.

Transferring domains from 123-Reg.co.uk

2016-12-08

A friend had a domain registered at 123-Reg that he no longer wanted. It was coming up for renewal later this month, and he offered to transfer it to me. The domain was not locked, so I asked him for an auth code, and immediately submitted a request to transfer it to Namecheap, my preferred registrar.

The transfer failed, and Namecheap sent me mail saying the domain was locked. I checked, and it was. It had also already been transferred to another sponsoring registrar (Mesh Digital, the company that owns both 123-Reg and Domainmonster). My friend contacted support to unlock the domain, but by then of course the domain had entered the sixty-day period during which it could not be transferred again. I was forced to pay the renewal fee to them, and will now have to retry the transfer after the embargo expires.

I suppose I could think of benign explanations for the above if I tried, but I'm not feeling especially charitable about it.

Decathlon.in: terms of disservice

2016-09-17

I wanted to buy a jacket from Decathlon, so I went to create an account on their site, which involved wading through as convoluted and boring a "terms of use" statement as I've ever seen. (Alas, I can't link to it because it's just in a textarea on the account creation page.)

Most of the terms were unremarkable (obnoxious and officious, but still unremarkable), until I encountered this gem about halfway down.

«11. The Buyers shall be responsible to up keeping the providing information relating to the products proposed to be sold by Us. In this connection, The Buyers undertake that all such information shall be secured in all respects. The Buyers shall not defame the attributes of such products or services so as to mislead other Buyers in any manner.»

I created an account anyway (and the jacket is rather nice), but I didn't want to be responsible for “up keeping” information relating to the products they sell. So I wrote to their customer support to ask what this ridiculous verbiage was supposed to mean. Much to my surprise, they not only responded to my mail, but actually asked their lawyers for a clarification.

I had a word with our legal department and they mentioned that the clause means if a customer has an issue with or an opinion about a product, they contact us first for us to help them with their issue and not post it on social networking sites or the media.

Not being a fan of idiotic and underhand (and poorly-written, to boot) attempts to restrict what one's customers can and cannot say, I tried to delete my account. The terms of service said I could delete my account at any time, but I could find no way to do so on the web site. So I asked Decathlon to delete my account.

First they said they had deleted my account. I could still log in, so I wrote back to ask them to delete it again. Then they said that I had registered two accounts (which I had not; I had just changed my name to "ABC" in my profile), and asked me to send them a list of addresses I had used (which I did—one address). Then they stopped answering my mail.

Eight weeks later, I can still log in to my account.

Technically, I don't think this post violates their terms of service, because I did contact them for help first. But they do have a stern profanity policy, so here's a little something to help the account suspension process along: What the fuck, Decathlon? You're a bunch of incompetent nincompoops!

Update (2016-12-13): The account still works, but the “you may delete your account at any time” clause has been removed from the terms of use at some point. Of course, the vital “responsible to up keeping the providing information” clause is still there.