Bits and Chaos


Between bits and chaos, a sysadmin stands.

LinkedIn and MTU settings for Linux systems

For reasons quite beyond my understanding, some Linux systems (including mine) are unable to access LinkedIn. Symptoms include hanging forever on the login page: you can reach the authentication page and read some profiles, including your own, but cannot do anything more.

This can be fixed by issuing, as root:

ifconfig eth0 mtu 1360

(assuming that you reach the Internet via eth0).
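A way to find out which MTU a path actually tolerates before touching the interface, as an added example (not code from the original post): it sends ICMP echo requests with the Don't Fragment bit set and binary-searches the largest packet size that still gets a reply. It assumes iputils ping on Linux (the -M do and -W options), that the probe is monotone in packet size, and uses www.linkedin.com only as a default target; a probe that never gets answered can also mean that ICMP is filtered on the path, not that fragmentation is needed, so treat None as "unknown", not as "broken".

```python
import subprocess

# IPv4 header (20 bytes) + ICMP echo header (8 bytes) sit in front of the
# ping payload, so a payload of N bytes makes an N + 28 byte packet.
IP_ICMP_OVERHEAD = 28


def payload_to_mtu(payload_bytes):
    """Packet size (the MTU that carries it unfragmented) for a ping payload."""
    return payload_bytes + IP_ICMP_OVERHEAD


def mtu_to_payload(mtu):
    """Inverse of payload_to_mtu."""
    return mtu - IP_ICMP_OVERHEAD


def ping_probe(host, payload_bytes, timeout_s=2):
    """Send one ICMP echo with Don't Fragment set (iputils 'ping -M do').

    Returns True when a reply came back, i.e. a packet of this size crossed
    the path without fragmentation. Needs network access and iputils ping;
    this is an assumption about the local tooling, not something from the post.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload_bytes), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(host, probe=ping_probe, lo_mtu=576, hi_mtu=1500):
    """Binary-search the largest MTU whose DF-flagged probe is still answered.

    `probe(host, payload_bytes)` must be monotone: if a size passes, every
    smaller size passes too. Returns the largest passing MTU, or None when
    even lo_mtu gets no reply (which may simply mean ICMP is filtered).
    """
    lo, hi = mtu_to_payload(lo_mtu), mtu_to_payload(hi_mtu)
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(host, mid):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return None if best is None else payload_to_mtu(best)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.linkedin.com"
    mtu = find_path_mtu(target)
    if mtu is None:
        print(f"no DF probe to {target} was answered; ICMP may be filtered")
    else:
        print(f"largest unfragmented MTU towards {target}: {mtu}")
        print(f"if this is below your interface MTU, try: ifconfig eth0 mtu {mtu}")
```

Run it as `python3 pmtu.py www.linkedin.com`; if it reports a value below 1500, the MTU change described above is the workaround, and the number it prints is the one to use instead of guessing.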

It’s quite a strange setup, indeed. The only other time I had to do something like that was when I was trying to reach a Moodle server that we had put on a LAN connected to the Internet via a consumer ADSL connection; the server was reachable from every customer of the same ISP but stuck for everyone else, every time the poor guy requested a page whose size reached or exceeded the TCP/IP maximum payload (I guess this is due to some kind of NAT magic/MPLS black magic/peering sorcery that happens only for customers outside the AS).

I’m pretty sure that LinkedIn is not using a consumer ADSL line to connect itself to the Internet, and that they are seeing a constant loss of Linux users due to this issue, which is very difficult to spot.

Filed under: network

Still waiting for a good e-book reader

Almost every year, for several years now, starts with the declaration that it will be the year of the Linux desktop. Although we are making some progress in developing a competing platform for the desktop PC (including the release of some malware via a screensaver application), we are not seeing widespread adoption, and probably we won’t, as the hot spots today are cloud computing, virtual desktops, web-oriented operating systems and whatever else.

But another prediction could be made: this year could be the year of the e-book reader. At least for me, as I have pondered a lot whether I should buy one of these during this holiday season. But I regretfully avoided this expensive self-gift, as I am not seeing a device that does all, and only, what it should do. The portable music player market took off when Apple released the iPod, as it does only one thing but does it very well: not from a technological point of view (it’s always an MP3, so a relatively good sound quality) but for the interface itself, which lets people do what we want to do: choose and build our music library, arrange and play it the way we want. This extremely good design does not seem to have happened yet in the e-book reader market.

What should I expect to find in an e-book reader? I’ve thought of this sort of list:

  • a 9-10 inch display: a 6 inch display is too small to comfortably read a page, i.e. it will contain few words and, as a result, it will force you to turn pages more frequently; also, a 9-10 inch display allows zooming the text, so it makes the device adapt to me and not the contrary;
  • a touchscreen interface, as I already read books using my hands too, and I do not want to use a stylus, which could easily get lost and would make things unnecessarily clumsy;
  • the ability to make notes, which would be especially useful for tech books and documentation;
  • the design principle, deeply rooted in the device, that I am the owner of my books, and I can do with them whatever I want to, including reading, taking notes, making summaries, lending and borrowing;
  • some kind of wireless connectivity so I can move books to and from the device without setting up a physical connection (which, nevertheless, should be available);
  • the ability to read technical documentation, i.e. something available in PDF format but designed and developed with an A4 paper format in mind;
  • an integrated dictionary, and something on the big and complex side (not a “First English Dictionary” but more the Webster), letting me pinpoint a word and obtain its definition with a simple gesture;
  • a price not over 300 euros (400 $), as otherwise the time it takes to repay the investment would be several years.

Even ignoring the price limit, there are no devices on the market with all these features: most e-book readers have a 6 inch display, the Kindle is deeply integrated with Amazon’s DRM (which can lead to disasters like this), or some features are missing (the dictionary) or badly implemented (stylus instead of touchscreen).

It seems to me that designers are so satisfied with the e-Ink technology that they simply refuse to work more on the interface, emphasizing things like battery life (“you could read 10,000 pages before recharging”) and not the most fundamental interaction with the device (“you can make notes, export them, share them with your friends”). It’s too bad, because as a result I’ll be forced to continue buying books and printing documentation, which pollutes a lot and requires a lot more trees to be sacrificed on the altar of knowledge.

Filed under: Uncategorized

Google’s namebench and your name server

Google has recently announced its own public DNS service, answering at IP addresses 8.8.8.8 and 8.8.4.4 (how nice). Also, they released Namebench, a Python tool to compare DNS performance.

Namebench basically determines your current DNS setup and some DNS servers you could use according to your ISP and geographic region, and tests them along with, of course, Google Public DNS.

Each DNS server is tested on the resolution of the 10,000 most popular site names, according to the Alexa web survey. Each DNS test is done in parallel with the others, so network latency spikes are more evenly distributed.

I gave it a try, to measure how fast the Google DNS server is, how well my ISP performs and how good the local DNS I’m using is.

Namebench produces a lot of data; for the sake of clarity I show here only the graph of the response time, trimmed to the first 200ms: each resolution taking more than 200ms is outside the graph.

In all the graphs, you see that almost every DNS does a lot of caching: the cache reduces the response time to almost zero, and after a cache miss the response time increases almost linearly, as the DNS server must perform a recursive query to give the answer to the client.

I made three runs of Namebench, to see how much the cache matters for my local DNS server, which is the standard BIND shipped with Fedora 11, configured as a caching nameserver, without chrooting.

On the first graph, you can see that my local DNS resolves about 10% of the requests extremely fast: these requests get an answer from the local cache or require little interaction with external (root) DNS nameservers. All other requests require some network interaction, and the response time increases linearly. Take into account that all the graphs are for responses taking up to 200ms, so they do not show the unlucky interactions where my local DNS takes 1800ms to give an answer: the local DNS has the worst performance in these (rare) cases.

The second graph is for a run made immediately after the first, to see the effect of the local DNS cache filling up: about 25% of the requests are now satisfied by the cache. In this run Namebench replaced UltraDNS with the DNS of the University of Basilicata, Italy.

On the third graph, the cache for the local DNS plays the same role as in the second run, so there is a cache saturation effect. The local DNS is not suffering from memory saturation, so there is no point in increasing the local cache size via the max-cache-size directive.

There is something more in the graphs. Response curves have the shape of a constant (near zero) time for some of the queries, which means that the caches are massive; then the response times grow linearly as the data in the cache expire and the queried name server must contact the authoritative name servers by doing a recursive query. Also:

  1. Google Public DNS has a cache hit for almost 50% of the requests, and on a cache miss the response time is dominated by the network time (from the DNS server’s point of view, i.e. the time it takes to do a recursive query), but this time is almost constant;
  2. OpenDNS response curves are initially linear, which could mean that the network path for reaching OpenDNS servers is not as optimized as Google’s path, but after that the cache is there to do its job;
  3. My ISP’s DNS (labeled as Wind2-IT) usually performs well, probably more because the network path is its friend; it’s entirely possible that the cache is not so big;
  4. The local DNS suffers when, to fulfill a request, it has to make some recursive queries, as these are usually carried over UDP and the local router is not highly optimized for UDP NATting (educated guess).

It is important to stress that the tests are made over the list of the 10,000 most popular websites: it’s probably the only way to have a benchmark of general use, but if you visit just a bunch of sites (as is usually the case) you must consider how much these results apply to your environment. Also, these websites are all treated equally, while clearly popularity plays a role every time you deal with a cache.

These benchmarks have shown that my current setup (a local DNS) is the best, but when a cache miss occurs, and there are a lot of recursive queries to be made, the local router (and its UDP NATting function) is the bottleneck. Nothing to worry about, but an interesting thing to learn.

Generally speaking, it’s fair to say that Google Public DNS is quite a good infrastructure, a fierce competitor both to an ISP-provided DNS (which has the big benefit of low network latency) and to OpenDNS (which has now been in place for several years).
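To make the cache-hit / cache-miss reading of the curves above reproducible without Namebench, here is an added example (my own code, not Namebench’s and not from the original post) that builds a raw DNS A query with the standard library, times how long a resolver takes to answer it, and then computes the same kind of curve as the graphs: for each response time t up to the 200ms cutoff, the fraction of queries answered within t. The flat near-zero part is the cache-hit share. The server addresses 8.8.8.8 and 8.8.4.4 are from the post; the host names are a constructed sample, not the Alexa list; the 5ms "cache hit" threshold is an assumption. Only time_query needs the network; the packet builder and the curve functions run offline.

```python
import random
import socket
import struct
import time

DNS_PORT = 53


def build_query(name, txid, qtype=1):
    """Minimal DNS query: 12-byte header with RD set, one question (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the DNS header: enough to match the transaction id and read the rcode."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0x000F, "answers": an,
            "recursion_available": bool(flags & 0x0080)}


def time_query(server, name, timeout_s=2.0):
    """Milliseconds until `server` answers an A query for `name`; None on timeout."""
    txid = random.randrange(1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout_s)
    try:
        start = time.perf_counter()
        sock.sendto(build_query(name, txid), (server, DNS_PORT))
        while True:
            data, _ = sock.recvfrom(4096)
            # Only accept the datagram carrying the id we sent; drop anything else.
            if len(data) >= 12 and parse_header(data)["id"] == txid:
                return (time.perf_counter() - start) * 1000.0
    except socket.timeout:
        return None
    finally:
        sock.close()


def response_curve(times_ms, cutoff_ms=200.0):
    """Points (t, fraction of all queries answered within t) for t <= cutoff, like the Namebench graph.

    Timeouts (None) count in the denominator but never appear as points."""
    answered = sorted(t for t in times_ms if t is not None)
    total = len(times_ms)
    return [(t, (i + 1) / total) for i, t in enumerate(answered) if t <= cutoff_ms]


def cache_hit_fraction(times_ms, threshold_ms=5.0):
    """Share of queries answered below `threshold_ms`: the flat, near-zero part of the curve."""
    return sum(1 for t in times_ms if t is not None and t <= threshold_ms) / len(times_ms)


def benchmark(servers, names):
    """Query every name once against every server; returns {server: [ms or None, ...]}."""
    return {server: [time_query(server, n) for n in names] for server in servers}


if __name__ == "__main__":
    # Constructed sample names; the post used the Alexa top 10,000 instead.
    names = ["www.example.com", "www.example.org", "www.example.net"]
    for server, times in benchmark(["8.8.8.8", "8.8.4.4"], names).items():
        print(server, "answered within 5ms:", cache_hit_fraction(times))
        for t, frac in response_curve(times):
            print(f"  {t:7.1f} ms  {frac:.0%} answered")
```

Running the same name list twice in a row against one server is the quickest way to see the cache effect the post describes: the second run’s cache_hit_fraction should jump, exactly as the second graph shows for the local BIND.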

Filed under: network

Convert a .NRG file into an .ISO file

An .nrg file can be easily converted into an ISO 9660 file by skipping its initial 150 2048-byte blocks:

dd if=image.nrg of=image.iso bs=2048 skip=150
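The check worth doing after the dd command is whether the result really is an ISO 9660 image: a valid one carries the string CD001 one byte into logical block 16 (the primary volume descriptor). The added example below, not from the original post, does the same 150-block skip in Python and then looks for that signature; it builds a constructed fake .nrg in a temporary directory so it runs without a real image. If the signature is missing after conversion, the 150-block assumption does not hold for that particular file.

```python
import os
import tempfile

SECTOR = 2048               # ISO 9660 logical block size
NRG_HEADER_BLOCKS = 150     # the leading blocks the dd command skips
PVD_OFFSET = 16 * SECTOR    # primary volume descriptor lives at block 16
ISO_MAGIC = b"CD001"        # standard identifier at byte 1 of the descriptor


def nrg_to_iso(src, dst):
    """Copy src to dst minus the first 150 blocks; same effect as the dd line above.

    Returns the size of the written image in bytes."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fin.seek(NRG_HEADER_BLOCKS * SECTOR)
        while True:
            chunk = fin.read(SECTOR * 64)
            if not chunk:
                break
            fout.write(chunk)
    return os.path.getsize(dst)


def is_iso9660(path):
    """True when the descriptor at block 16 carries the CD001 signature."""
    with open(path, "rb") as f:
        f.seek(PVD_OFFSET + 1)
        return f.read(len(ISO_MAGIC)) == ISO_MAGIC


def make_constructed_nrg(path, payload_blocks=20):
    """Constructed test input: 150 filler blocks, then a fake ISO with a PVD at block 16."""
    iso = bytearray(payload_blocks * SECTOR)
    iso[PVD_OFFSET] = 1                                  # type 1 = primary volume descriptor
    iso[PVD_OFFSET + 1:PVD_OFFSET + 1 + len(ISO_MAGIC)] = ISO_MAGIC
    with open(path, "wb") as f:
        f.write(b"\xff" * (NRG_HEADER_BLOCKS * SECTOR))  # stands in for the Nero header
        f.write(bytes(iso))


def demo():
    """Build the fake .nrg, convert it, and report the signature check before and after."""
    with tempfile.TemporaryDirectory() as d:
        nrg, iso = os.path.join(d, "image.nrg"), os.path.join(d, "image.iso")
        make_constructed_nrg(nrg)
        before = is_iso9660(nrg)          # False: the header shifts everything by 150 blocks
        size = nrg_to_iso(nrg, iso)
        return {"nrg_looks_like_iso": before,
                "iso_size": size,
                "iso_looks_like_iso": is_iso9660(iso)}


if __name__ == "__main__":
    print(demo())
```

On a real file, `is_iso9660("image.iso")` after the conversion is the one-line sanity check; `is_iso9660("image.nrg")` on the original should be False, which is what tells you the header really is in the way.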

Filed under: Desktop

MSI WIND Webcam for Fedora 9

The MSI WIND has an integrated webcam; to configure it on Fedora 9 you’d better have the latest firmware installed, available from the MSI website. I’m not sure that this is actually required, but this is my configuration.

Now check that you have the uvcvideo kernel module loaded:

lsmod | grep uvc

you should get something like this:

uvcvideo              49928  0
compat_ioctl32    5120    1   uvcvideo
videodev              29824   1   uvcvideo
v4l1_compat       15876   2   uvcvideo,videodev

If so, your webcam is detected but not correctly configured. To configure it, type:

rmmod uvcvideo

modprobe uvcvideo quirks=2

You can test that everything works by using mplayer to display the webcam output:

mplayer -fps 15 tv://

Now you can make the changes permanent by editing /etc/modprobe.conf to add this line (the file does not exist if you have just installed the system, so create it):

options uvcvideo quirks=2

and check that it works at the next reboot.
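Two things are easy to get wrong in the procedure above: running rmmod while something still holds the device (the third lsmod column, the use count, must be 0), and appending the options line to /etc/modprobe.conf a second time on a later visit. The added example below (mine, not from the post) parses the lsmod output shown above, answers the "can I unload it" question from the use count, and adds the options line only if it is not already there. The lsmod text is the one printed in the post; the demo writes to a temporary file rather than the real /etc/modprobe.conf.

```python
import os
import tempfile

MODPROBE_CONF = "/etc/modprobe.conf"
WANTED_OPTION = "options uvcvideo quirks=2"

# lsmod output as shown in the post, used as sample input.
SAMPLE_LSMOD = """uvcvideo              49928  0
compat_ioctl32    5120    1   uvcvideo
videodev              29824   1   uvcvideo
v4l1_compat       15876   2   uvcvideo,videodev
"""


def parse_lsmod(text):
    """Parse lsmod output into {module: (size, use_count, [modules using it])}."""
    modules = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Module":   # header line, when lsmod prints one
            continue
        name, size, used = parts[0], int(parts[1]), int(parts[2])
        users = parts[3].split(",") if len(parts) > 3 else []
        modules[name] = (size, used, users)
    return modules


def module_can_be_unloaded(lsmod_text, name="uvcvideo"):
    """rmmod succeeds only when the module is loaded and its use count is 0."""
    mods = parse_lsmod(lsmod_text)
    return name in mods and mods[name][1] == 0


def ensure_modprobe_option(path, option=WANTED_OPTION):
    """Append `option` to `path` unless an identical line is already there.

    Creates the file when missing (the post notes it may not exist yet).
    Returns True when the file was changed, False when it was already right."""
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = [line.rstrip("\n") for line in f]
    if option in (line.strip() for line in lines):
        return False
    with open(path, "a") as f:
        f.write(option + "\n")
    return True


def demo_modprobe():
    """Apply the option twice to a temporary stand-in for /etc/modprobe.conf."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "modprobe.conf")
        first = ensure_modprobe_option(conf)     # creates the file, adds the line
        second = ensure_modprobe_option(conf)    # already present: no change
        with open(conf) as f:
            content = [line.rstrip("\n") for line in f]
    return first, second, content


if __name__ == "__main__":
    print("uvcvideo unloadable:", module_can_be_unloaded(SAMPLE_LSMOD))
    print(demo_modprobe())
```

To use it against the live system, feed it `subprocess.check_output(["lsmod"], text=True)` and call `ensure_modprobe_option(MODPROBE_CONF)` as root.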

Links:

Linux UVC Forums

Filed under: fedora

Install Fedora 9 on a MSI WIND

I’ve recently bought an MSI WIND U100; it came with a pre-installed Windows XP and I started to install Fedora 9 on it. I will keep Windows as it could be useful in some environments, but my interest is in having Fedora running.

The first step is installing Fedora over it. The 80 GiB disk conveniently has three partitions: the first is for recovery, the second has Windows XP, so I split the third into a tiny boot partition (which is required by Anaconda, although the BIOS is capable of booting from anywhere) and a large LVM volume, where I carved out a root partition and an encrypted home partition, a security-wise solution as it’s a notebook, which means it has a tendency to be carried away from its legitimate owner. The LUKS passphrase used for the home directory is strong, so I can use a weak and distinct password for the system user.

Installation requires a Fedora respin that you can find here. I picked up a USB pen drive, then used livecd-iso-to-disk (yum install livecd-tools) to make it bootable. The process does not destroy any data on it, and at the installation prompt I typed linux askmethod, to choose the installation source (I opted for an HTTP based installation).

The installation went smoothly; later I customized the system to have compiz installed (I can make very impressive presentations with it!) and updates are flowing. The only problem I’ve noticed is that sometimes on boot the system hangs at the ACPI discovery phase; I don’t know why.

Filed under: fedora

Disabling Firefox “Download Completed” notifier

It’s the clumsy, irritating, window-ish and useless pop-up that appears in the bottom right corner after a download is completed.

It’s useless, because I can monitor downloads by opening a file manager window in another workspace. It’s irritating because when it appears, it prevents me from clicking on the workspace switcher (usually I have Firefox open on a workspace, and move to others when needed).

Thankfully, it can be disabled by entering about:config in the address bar, then searching for browser.download.manager.ShowAlertOnComplete and setting it to false.

Filed under: Desktop

HTTP can no longer be used for authenticated web sites

If you are a user of a web site that requires authentication (which means, basically, every site), you usually access it from a network you don’t have control over, i.e. you don’t know, among many other things, which DNS server the infrastructure guy has chosen and which version it’s running. This means that you can be exposed to the well-known Dan Kaminsky DNS hijack attack (you can actually check for this).

Leveraging this vulnerability (there are still plenty of DNS servers that haven’t been fixed), it’s possible to implement a man-in-the-middle attack at the application level, stealing your cookies from the authenticated HTTP session: ladies and gentlemen, please welcome CookieMonster. You are exposed even if your login page is protected via HTTPS, as the auth cookie will be passed in cleartext in every subsequent HTTP interaction.

This worst-case scenario requires a flawed DNS implementation (better: a DNS implementation following the original and flawed DNS protocol), so you can be reasonably safe if you always control your DNS or at least have some trust in the guys that are operating it, but if you are a roaming user you are completely exposed.

So, as you are a competent Linux user, you can fix this in a very simple way: install a caching DNS server and use, as your primary DNS, something you can trust.

If you cannot do this, you must ask your web application provider to fix this issue (some have already done it; as an example, you can force all WordPress administration pages to be accessed only via HTTPS, and I’m writing this blog entry via HTTPS, so it works).

If you are a system administrator, you must check and eventually fix your DNS implementation, and probably you should take a look at an SSL accelerator, because your connection peers (i.e. users accessing web sites under your control) could be coming from every possible insecure network, and my 2 cents are that this man-in-the-middle attack will be only the first of a new kind based on the interaction of different levels of the TCP/IP stack.
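On the web application side, the concrete thing to verify is that the session cookie is marked Secure (the browser then never sends it over plain HTTP, which is exactly the cleartext leak described above) and HttpOnly (so it cannot be read by injected script either). The added example below, not part of the original post, is a small audit over Set-Cookie headers: it parses each cookie, picks out the ones whose names look like session or auth cookies, and reports which of the two attributes are missing. The sample headers are constructed, not captured from any real site, and the name pattern is an assumption you would tune for your own application.

```python
import re

# Attributes that keep a session cookie off cleartext HTTP and away from scripts.
REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "wordpress_logged_in_abc=alice%7C123; path=/; HttpOnly"),
    ("Set-Cookie", "PHPSESSID=deadbeef; path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; path=/"),
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value_or_None}).

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE' compare equal."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else None
    return name.strip(), value, attrs


def audit_cookies(headers, session_pattern=r"(sess|auth|token|logged|login)"):
    """Findings [(cookie_name, [missing attributes])] for session-like cookies.

    `headers` is a list of (name, value) pairs as received in an HTTP response.
    The name pattern is an assumption: adjust it to the cookies your app actually issues."""
    findings = []
    pat = re.compile(session_pattern, re.IGNORECASE)
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        if not pat.search(name):
            continue
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def audit_sample():
    """Run the audit over the constructed sample headers."""
    return audit_cookies(SAMPLE_HEADERS)


if __name__ == "__main__":
    for name, missing in audit_sample():
        print(f"{name}: missing {', '.join(missing)}")
```

Fed with the headers of a real login response (for instance from `http.client` or a browser’s network panel), an empty result means every session-like cookie is already confined to HTTPS; any finding with "secure" in it is a cookie that the post’s scenario would capture.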

Filed under: network, security

How to be dishonest and live happy

It’s simple: write something like this.

The bottom line is: Debian is far more secure than RHEL and Fedora, not due to technical reasons but for their development model. When Debian’s openssl was compromised, they immediately issued a warning, told their users what to do, whilst Red Hat and Fedora were obscure, pointless and corporate-minded.

Dude, you are forgetting that it’s entirely possible that Debian’s openssl security bug could have been patient zero, and the actual compromise of Red Hat’s server could have happened starting from a stolen passkey. Also, you are forgetting that, Red Hat being a corporation with some billions in cash (of course, they have so much money because there are plenty of stupid people like me that pay them for their services), they were forced to work closely with law enforcement agencies when such an intrusion occurred, and when the FBI reaches the crime scene they are not primarily interested in sending an e-mail message to the mailing lists to tell them “hey, we are here to save the day!”.

Filed under: oss, rhel

Fedora 9 bluetooth file sharing: I’m missing my menu

In Fedora 8, people that wanted to send a file from their cell phone to Linux via bluetooth had to connect their bluetooth dongle, click on the bluetooth icon to join the ad hoc network, and then in the “Internet Menu” (if I remember correctly) there was a “Bluetooth File Sharing” item that does exactly what it says.

Ok, it was not a very well integrated solution, but it seems to me that in Fedora 9 there’s a serious usability problem.

Here and now, there is no longer a “Bluetooth File Sharing” menu item; instead you have to click on the “System Menu”, then the “Preferences” sub-menu, then “Internet and Network”, and finally you find two items, “Bluetooth” and “Personal File Sharing”, where you define how to deal with Bluetooth.

It takes some time to figure out that this is the intended procedure, i.e. that the “Bluetooth File Sharing” menu item did not disappear due to a missing package, but as a result of a new design. Wouldn’t it be better to allow for a “fake” menu item that tells the user about the new procedure? Or to add a button to the Bluetooth icon (which promptly appears after connecting the bluetooth dongle) where you can configure and control how to send and receive files?

Filed under: fedora