Frank Leonhardt's Blog

 They just don’t seem to work. I’ve spent an annoying hour or so trying to get WOL to work with an HP Microserver – no joy whatsoever. I assumed it must be my code until I tried it on a few other machines but they worked just fine.

Now most of my machines are Realtek whereas HP are using Broadcom (as do the Dells). I’m not saying there’s anything wrong with Broadcom, but whenever I have a weird network problem they have a habit of being at the heart of it. Is it my magic packet? As far as I know it’s supposed to be 48-bits of ’1′ followed by sixteen copies of the MAC address. Does it need a secure-on password? If so, how come you can’t set one in the BIOS.

I’ve asked an HP server expert – update the BIOS. Perhaps, but these are brand new machines of an old design. They either turn on when they receive the packet, or they don’t work and I can’t believe HP didn’t test them. Then again…

I’m told that these do support WOL on Windows, but not if you’re running anything else. On the face of it this is bonkers. Why should the OS the powered-off drive affect anything. The machine is off; the OS isn’t running. Well here’s a theory – before Windows shuts off it puts something in a register on the Broadcom chip to leave it in a WOL state. With the wrong drivers this doesn’t happen. Setting it in the BIOS doesn’t help, because it’s erased by the OS driver. The BIOS doesn’t restore it as the power is killed, but Windows hits the registers differently.

Unfortunately Broadcom doesn’t seem keen on releasing the documentation needed to write proper drivers to anyone other than Microsoft. Is this my imagination? Everyone else publishes the reference material, but Broadcom – can’t find it.

If anyone can throw light on this one, please do. I’m still looking.

Filed by Frank at 01:04 under Technology
5 Comments

Haven’t hard disk drives suddenly become expensive? It’s a world-wide shortage caused by flooding in Thailand, apparently. Yeah yeah, we’ve been here before: Fire in the jungle somewhere causing a loss of chip production, and so on. The problem is that when you looked for a fire in a fab, there never was one – and there aren’t that many fabs around.

Actually, it is true that floods in Thailand have affected some drive production. There are blogs all around the place predicting doom, gloom and providing figures as to what the shortfall might be. People are wringing their hands and predicting even worse supply problems and price rises after Christmas.

I say phooey.

I’m sceptical that the lost production is as high as claimed, and given the rising price of drives, all the HD makers will be ramping up at other facilities in double-quick time. This will lead to over-production pretty soon. The short-term supply shortfall shouldn’t even be seen as there are always lots of drive sitting in warehouses.

But you’re wrong, I hear the cries. If you were right, why is everything out of stock in spite of inflated prices. Panic buying might have an effect on that. If the channel thinks prices are going to rise, they will. It’s a self-fulfilling prophecy if ever there was one. But it has a use-by date. Sooner or later everyone will be sitting on their expensive stock pile and wondering why supplies haven’t run out – and when they do the over-supply will come through the system.

The suppliers aren’t going to quash the rumours, of course. Why should they when everyone further down the chain is paying double for everything in their warehouse.

How do I know all this? I’ve seen it all before.

Warning: Just because this happened in the past, doesn’t mean it will happen in the future. If you lose money based on the above prediction, it’s entirely down to you.

Filed by Frank at 23:39 under Technology
No Comments

When people ask what I do, I normally say I work with computers. “Ah,” they say. “You’re in IT. My nephew is in the same line.” Well actually, no – I don’t do IT and I don’t do the modern version: ICT. I was around long before these terms were coined, and they really don’t apply. IT is all about setting up Windows and writing Macros in Excel (if you’re advanced).  If I say I’m a computer programmer it’s assumed I’m a “web developer”. System programmer doesn’t mean anything to most people; assembler programmer even less.

Then a few years ago I realised what I was – I’m a Computer Scientist. Well I lecture on Computer Science degree courses, ergo I must be. Actually this antiquated term is very appropriate for an antiquated computer person, and if the hat fits…

Back in the 1970’s and early 1980’s we were all Computer Scientists. If you wanted a computer you pretty much had to build it yourself with a soldering iron and a load of chips and when complete, you had to program it. If your employer purchased one of these expensive items ready built, you pretty much had to program it yourself – unless you were an operator, in which case you merely had to understand it. You learned a lot in the process, if you were that way inclined.

These days people want a career in IT, so they do Computer Science courses at University. They’re wasting their time. They learn very little from the university about computer science, and the university is perfectly happy with that. The way computers work is difficult; difficult means expensive to teach and certain to put off students. If you put off students, you get less money. So you need to teach easy stuff.

Easy stuff in Computer Science basically comes down to playing around with luser-land software, animation packages and an SQL query or two – but not too hard. Perhaps write a bit of HTML by hand before moving on to some web page design package.

Here’s the conundrum.

Students = money, but only if they stay the course.

A low pass rate = less money (success is measured in pass rate).

Computer programming is difficult. Most IT students can’t hack it. Therefore it has to be dumbed down to an extent you’d never believe. Those with the aptitude could program before they came on the course; those without it would never learn.

In 2009 the university I taught programming in decided that the need to pass the programming module was affecting their overall pass rate, so they made it optional. Yes folks – you can get a Computer Science degree without being able to write a single line of code. I’d name names here, but I understand this is common practice so what’s the point?

Now I’m not saying I’m unique or even special in understanding how computers work. There are plenty of others of my generation that know as much, if not more. What I’m wondering about is what happens when our generation retires? It’s not possible to go through the learning process we had back then – learning by doing (because frankly, the education system was nowhere near the leading edge).

I believe there was a sweet spot at the end of the 1970’s, where microprocessors had just appeared on the scene and you had to understand things from first principles if you wanted to do anything with them. If you didn’t have to construct a machine yourself, you certainly needed to program it if you wanted it to do anything – and they were simple enough that this was a realistic possibility.

Sitting in front of a modern Windows PC is not the same experience at all. With a PET/Apple/Tandy computer you turned it on and the first thing you saw was a prompt to start entering your program in BASIC. You lived in a programming environment. With CP/M it was only a few keystrokes away. Now we’re presented with a graphic user interface and no programming language whatsoever – just Facebook. The complexity of the Windows API is daunting; more so given that everyone thinks its cool to write stuff using the current favourite object-oriented wrapper library. In order to achieve anything looking like a modern computer program (where the graphic user interface is everything) you have to jump through numerous hoops before you can get started. If I complain, I’m pointed at the application generator – it’ll write most of the code for me, apparently. If you ask what the reams of generated preamble code does, people just shrug their shoulders and ask why you’re questioning it.

In 1998 I found myself writing a system-level utility for Windows inside a large company, and needed to sort an array into alphabetical order. I don’t think there’s a Windows API function, and qsort seemed to be missing from the library, so I consulted the lead Windows programmer across the room. The answer came back to put my strings (one by one) into this file selector structure (as file name), make some call or other to the file selector box and presto – my strings would come back sorted. No, he wasn’t joking. Two minutes later I’d written bubble-sort, for the umpteenth time.

This was thirteen years ago; how much has it deteriorated since then? I’m lucky to be developing software either solo, or with a developer of my generation, so I’m probably insulated against the worst excesses.

So, back to the point: where are we going to get Computer Scientists from? I started on the sweet spot, where it was possible to learn pretty much everything about the computer in front of you – every instruction, every IO register, and every line of the operating system. As computers expanded, our knowledge expanded, built on these early foundations. We can’t do that any more. If we ran a three-year degree course in computing and started from the basics you’d end up with me someone whose knowledge was wide enough to cover a BBC Micro. They’d need another twenty-seven years after that, and by the time they qualified they’d be thirty years out-of-date.

And why should anyone even bother? I can assure you, there’s more money to be made out of IT than Computer Science. The only decent return available if you understand computer fundamentals appears to come from cybercrime – and that’s perpetrating it; no one wants to pay for security.

I’m told that the government plans to bring back an element of programming into the ‘O’ level maths (or its modern equivalent). This is a start, but a small one.

In the mean time I’m watching the other member’s of the OS/2 drinking club fall away and wondering what is to become of us. The draw of Bletchley Park grows every stronger.

Filed by Frank at 22:34 under Politics,Technology
No Comments

That’s IP Expo over with for another year. I’ve never quite get what the show is about, but it’s one I seriously consider attending. It’s lack of focus is probably what makes it intersting. I’ve always suspected that some exhibition organiser kept reading about IP and decided it was a buzzword lacking its own show and started one. Anything connected to an IP network is fair game, and these days this means almost everything.

The Violin memory box is an amazing piece of kit – a massive, high-performance thumb drive connected via fibre channel. They’ve done a lot of work basically striping data across flash modules which boosts performance, avoids hitting the same flash chip repetitively and gives redundancy – I believe they can lose six modules before it bites and its hot swappable.

There were quite a lot of other storage solutions on show, some interesting, some very much the same. One company is using ZFS, which is a technology I’ve had my eye on for some time.

Prize for the fund gadget is Pelco’s thermal imaging camera – at less than £2K for the low-res version it suddenly becomes affordable, and it certainly works well enough. Still on CCTV, someone had a monitor connected to a web cam and some software to identity faces. Spooky. This put a mug-shot of everyone looking at the camera down the side of the screen, recorded how long they were standing there and guessed their sex and age. It actually took ten years of most people, which helped with the feel-good but this technology obviously works and an obvious application is snooping on people looking at shop windows to work out what attracts the right kind of demographic (why else would they have developed it). I should point out that this was showing off the screen – the web-cam and face recognition was a crowd-puller

Another interesting bit of kit is an LG stand-alone vmware terminal. This basicall allows you to virtualise your PC and use them on a thin client. The implications of this for managability are obvious – keep your PC environment in a server room, where it can be cloned and configured at will, and leave a dumb-terminal in the front line. If the terminal breaks or is stolen – no problem whatsoever. The snag? Well the terminals aren’t cheap and they could do with toughened glass.

Filed by Frank at 23:11 under Reviews,Technology
No Comments

I have several groups of lusers who want to be able to set/change their mail vacation settings but aren’t up to using ssh to edit their .forward and .vacation.msg files. I thought I’d write a quick PHP application to allow them to do it in a luser-friendly way using a web browser. If this isn’t what PHP is for, I don’t know what good it is. The snag: you need to make sure the right user is editing the right file.

The obvious answer is to authenticate them with their mail user-name and password pair using PAM. (This is the system that will check user-name/password combinations against whatever authentication you see fit – by default /etc/passwd).

PHP has a module available for doing just this – it’s called “PAM” and there’s even a FreeBSD port of it you can install from /usr/ports/security/pecl-pam. If you want to use it, just “make” and “make install” – it’ll add it to the PHP extensions automatically, but don’t forget to restart Apache if you’re planning to use it there.

You’ll also have to configure PAM itself. This involves listing the authentication methods applicable to your module in /etc/pam.d/. In this case the php module will have the default name ‘php’ unless you’ve changed it in /etc/php.ini using a line like pam.servicename = "php";

Adding the above line above obviously does nothing as it’s the default, but it’s useful as a reminder of what the default is set to. I don’t like implicit defaults, but then again I don’t like a lot of the shortcuts taken by PHP.

The only thing you need to do to get it workings is to add a PAM module definition file called /etc/pam.d/php. The easy way to create this is copy an existing one, such as /etc/pam.d/ftp. This will be about right for most people, but read /etc/pam.d/README if you want to understand exactly what’s going on.

So – to test it. A quick PHP program such as the following will do the trick:

<?php
var_dump (pam_auth('auser','theirpassword',&$error,0));
print $error;
?>

If there’s an entry in /etc/passwd that matches then it’ll return true, otherwise false, and $error will contain the reason. Actually, it checks the file /etc/master.passwd – the one that isn’t world readable and therefore can contain the MD5 password hashes. And there’s the rub…

This works fine when run as root, but not as any other users; it always returns false. This makes it next to useless. It might be a bug in the code, but even if it isn’t it leads to interesting questions about security. For example, it would allow a PHP user to hammer away trying to brute-force guess passwords. I’ve seen it suggested to Linux users can overcome the need to run as root by making their shadow password group or world readable. Yikes!

If you’re going to use this with PHP inside Apache, you’re talking about giving the “limited” Apache user access to one of the most critical system files as far as security goes. I can see the LAMP lusers clamouring for for me to let them do this, but the answer is “no!” Pecl-pam is not a safe solution to this, especially on a shared machine. You could probably persuade it to use a different password file, but what’s the point? If the www user can read it, all web hosting users can and you might just as well read it from the disk directly (or use a database). PAM only makes sense for using system-wide passwords for authenticating real users.

I do now have a work-around: if you want your Apache PHP script to modify files in a user’s home directory you can do this using FTP. I’ve written some code to achieve this (not hard) and I’ll post it here if there’s any interest, and after I’ve decided it’s not another security nightmare.

Filed by Frank at 17:11 under Technology
No Comments