gushi: (freebsd logo)
2017-08-28 10:58 pm

Using fully-validated SSL with sendmail under FreeBSD

The problem:

  1. FreeBSD comes with Sendmail. To verify a peer's certificate, Sendmail wants a CA path (confCACERT_PATH): a directory of one-cert-per-file PEM files, each reachable through a symlink named after the certificate's subject hash.

  2. The Sendmail docs specifically warn against using too large a CA file, which is why you use the path (arguably a hack, but what are you gonna do).

  3. FreeBSD's ports only have ca_root_nss, which installs a single, monolithic .crt file (probably too large).

  4. I can't find a good script which will split this file apart (I mean, sure, I can write one) and generate those hashes.

  5. The tool that comes with OpenSSL to do this is called c_rehash. FreeBSD rips it out of the base OpenSSL install (probably because it depends on Perl, which is no longer in base). I think the real solution here is that the ca_root_nss port needs a port README/pkg-message that gives you these commands.

The solution:

  1. Install ca_root_nss from pkg.

  2. cd into the /usr/local/share/certs directory.

  3. Split the bundle into one file per certificate, using split(1)'s -p option, which starts a new output file at every line matching the pattern: split -d -p 'Certificate:' -a 3 ca-root-nss.crt foo

  4. Remove the first chunk, which holds only the comment header that precedes the first certificate: rm foo.000

  5. Use a quick for-loop to create the hash-named symlinks that OpenSSL's lookup expects: for file in foo*; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file")".0; done


pkg install ca_root_nss

cd /usr/local/share/certs

split -d -p 'Certificate:' -a 3 ca-root-nss.crt foo

rm foo.000

for file in foo*; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file")".0; done
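The same procedure as a script, added here as an example and not part of the original post. It splits on the PEM markers instead of the "Certificate:" comment header (so it works on any PEM bundle and leaves no header-only chunk to delete), and it numbers the symlink suffix per hash instead of always using .0, so two CAs that happen to share a subject hash both stay reachable instead of the second ln failing. The output directory, the function names and the two-entry sample bundle are this example's own assumptions; only link_hashes needs openssl(1).

```shell
#!/bin/sh
# Added example: build an OpenSSL-style CA path from a PEM bundle.
# Assumptions (not from the original post): the bundle carries plain
# "-----BEGIN CERTIFICATE-----" blocks, and openssl(1) is on PATH for
# the hash step. Function names are this example's own.

# split_bundle BUNDLE OUTDIR: write each PEM certificate block in BUNDLE
# to OUTDIR/cert-NNN.pem and print how many were written. Anything
# outside the BEGIN/END markers (comments, text dumps) is dropped, so
# there is never a leftover header chunk to remove by hand.
split_bundle() {
  bundle=$1
  outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^-----BEGIN CERTIFICATE-----/ {
      n++
      out = sprintf("%s/cert-%03d.pem", dir, n)
      inblock = 1
    }
    inblock { print > out }
    /^-----END CERTIFICATE-----/ { inblock = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# link_hashes DIR: create the HASH.N symlinks that OpenSSL looks up.
# N starts at 0 and is bumped while DIR/HASH.N already exists, so two
# CAs with the same subject hash get .0 and .1 instead of the second
# one being silently unreachable.
link_hashes() {
  dir=$1
  for f in "$dir"/cert-*.pem; do
    [ -e "$f" ] || return 1
    h=$(openssl x509 -noout -hash -in "$f") || return 1
    i=0
    while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
    ln -s "$(basename "$f")" "$dir/$h.$i"
  done
}

# make_sample_bundle FILE: a constructed two-entry bundle in the same
# layout as ca-root-nss.crt (comment header, text dump, PEM block).
# The PEM bodies are placeholder base64, not real certificates, so
# only split_bundle (not openssl) can be run on it.
make_sample_bundle() {
  cat > "$1" <<'EOF'
##
##  constructed sample, two fake entries
##
Certificate:
    Data:
        Subject: CN=Sample Root A
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----

Certificate:
    Data:
        Subject: CN=Sample Root B
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
EOF
}

# Real use, after "pkg install ca_root_nss" (directory name is an assumption):
#   split_bundle /usr/local/share/certs/ca-root-nss.crt /usr/local/etc/sendmail-capath
#   link_hashes /usr/local/etc/sendmail-capath
#   openssl verify -CApath /usr/local/etc/sendmail-capath some-server-cert.pem
```

Point confCACERT_PATH in sendmail.mc at the directory, rebuild sendmail.cf and restart sendmail; running `openssl verify -CApath DIR` against a saved server certificate first is a quick way to confirm the hash links resolve. The symlinks do not track the bundle, so both functions need to be re-run after every ca_root_nss update. OpenSSL 1.1.0 and later also ship `openssl rehash`, a C reimplementation of c_rehash that does the linking step without Perl.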

Testing it

I did the above, and restarted sendmail, and noticed that now, when I connect to gmail, I get:

Aug 28 22:54:20 <> prime sm-mta[76815]: STARTTLS=client,, version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128

Which is great.

One thing we're still always going to hit is that validation will always fail on the local hop, where the submission client (sendmail) hands mail to the local MTA (sm-mta) over loopback:

Aug 28 22:54:18 <> prime sendmail[76809]: STARTTLS=client, relay=[], version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256

because our cert doesn't have "" or "localhost" as a common name. No real fix for that, sadly. It is only a logged result, though: sendmail still delivers on verify=FAIL unless the access map requires verification for that host.

gushi: (Bitey Gushi)
2017-08-09 02:33 am

Some crazy puppet tweaking

So, you have a Puppet problem: you want to add a line to inetd.conf. The thing is, inetd.conf is complicated. It's sort of a key-value store, but it's really seven whitespace-separated fields, and the last of those fields (the server program's arguments) is multiple words.

Since, on most of our systems, we don't use inetd at all, we could just as easily stomp down an entire inetd.conf:

file { '/etc/inetd.conf':
  ensure => present,
  source => 'puppet:///files/mymodule/inetd.conf',
  owner  => 'root',
  mode   => '0644',   # a config file, not an executable: 0755 is wrong here
  notify => Service['inetd'],
}

service { 'inetd':
  ensure => running,
}

But that locks us out of any future changes we want to make. We could in turn use puppet's "file_line" resource type, but formatting that string gets really annoying.

file_line { 'inetd_tacplus':
  ensure => present,
  path   => '/etc/inetd.conf',
  line   => "tacacs\tstream\ttcp\tnowait\troot\t/usr/local/sbin/tac_plus tac_plus -i -C /usr/local/etc/tac_plus.conf -U root",
}

But that's a long line that's a nightmare to read and maintain. And if we change it even a little, Puppet adds the new line and leaves the old one in place; to get rid of it we'd have to keep the old line around, byte for byte, with an ensure => absent (file_line's match parameter can replace a line matching a regex, but then the regex is one more thing to maintain). It turns out that the real answer here is Augeas. Augeas can be complex to figure out, but using the example in Puppet's Augeas docs, we're able to set this all up as a list of changes. Augeas will create the entry if it doesn't exist, and modify it if it does.

It turns out looking something like this:

  augeas { 'inetd_tacacs':
    context => '/files/etc/inetd.conf',
    notify  => Service['inetd'],
    changes => [
      "set /service[. = 'tacacs'] tacacs",
      "set /service[. = 'tacacs']/socket stream",
      "set /service[. = 'tacacs']/protocol tcp",
      "set /service[. = 'tacacs']/wait nowait",
      "set /service[. = 'tacacs']/user root",
      "set /service[. = 'tacacs']/command /usr/local/sbin/tac_plus",
      "set /service[. = 'tacacs']/arguments/1 tac_plus",
      "set /service[. = 'tacacs']/arguments/2 -i",
      "set /service[. = 'tacacs']/arguments/3 -C",
      "set /service[. = 'tacacs']/arguments/4 /usr/local/etc/tac_plus.conf",
      "set /service[. = 'tacacs']/arguments/5 -U",
      "set /service[. = 'tacacs']/arguments/6 root",
    ],
  }

Plus the usual bits to tell this to notify inetd when it's running, and the like. Is this more complex than it needs to be? Maybe, but I couldn't find a good example of this online so I decided to blog it.
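A generator for those changes, added here as an example and not something from the original post: it takes one inetd.conf line and prints the Augeas set commands for it, one per field, with the multi-word last field turned into arguments/1, arguments/2 and so on. The paths are written in full under /files so they work unchanged in augtool or inside an augeas resource whatever its context (the post's resource abbreviates them against its context parameter); the function name, the optional file argument and the sample line are this example's own assumptions.

```shell
#!/bin/sh
# Added example: print the Augeas "set" commands for one inetd.conf
# service line. Node names (socket, protocol, wait, user, command,
# arguments/N) are the ones the post's resource uses; the function
# name and the default file path are assumptions of this example.

# inetd_to_augeas LINE [FILE]: LINE is one inetd.conf entry, FILE the
# config it belongs to (default /etc/inetd.conf). The first six
# whitespace-separated fields are fixed; every word after the server
# program becomes its own arguments/N node. Comment lines and lines
# with fewer than six fields are rejected with a non-zero exit.
inetd_to_augeas() {
  line=$1
  file=${2:-/etc/inetd.conf}
  printf '%s\n' "$line" | awk -v base="/files$file/service" '
    /^[[:space:]]*#/ || NF < 6 {
      print "not a service line: " $0 > "/dev/stderr"
      exit 1
    }
    {
      node = base "[. = '\''" $1 "'\'']"
      print "set " node " " $1
      print "set " node "/socket " $2
      print "set " node "/protocol " $3
      print "set " node "/wait " $4
      print "set " node "/user " $5
      print "set " node "/command " $6
      for (i = 7; i <= NF; i++)
        print "set " node "/arguments/" (i - 6) " " $i
    }'
}

# A constructed inetd.conf line matching the post's TACACS+ entry.
SAMPLE_LINE='tacacs stream tcp nowait root /usr/local/sbin/tac_plus tac_plus -i -C /usr/local/etc/tac_plus.conf -U root'

# Usage: inetd_to_augeas "$SAMPLE_LINE"
# prints twelve "set /files/etc/inetd.conf/service[. = 'tacacs']..." lines
```

The output can be pasted straight into a changes list or piped into augtool. After a Puppet run, `augtool print "/files/etc/inetd.conf/service[. = 'tacacs']"` shows the entry as Augeas sees it, which is the quickest way to confirm the resource landed in the file rather than somewhere else in the tree.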

gushi: (Bitey Gushi)
2017-05-21 04:57 am

Looks like I've "fixed" jlj.

The reality is, it wasn't broken. It was trying to do a backtick call to the external formatter, which in this case was /usr/local/bin/markdown, which wasn't installed. The reality is, this is crap code with crap error detection. Doesn't use strict or warnings, and tries to badly reinvent what can be done with just a few perl modules. All good now, tho. And this post proves it. I'm using it now!

gushi: (Default)
2017-05-07 08:54 pm

Looks like jlj doesn't work!

Hrmm, it seems that the not-maintained-since-2006 livejournal client I used to use doesn't work with Dreamwidth.

I've asked on a couple of communities what, if anything, has changed. I'm seeing this list claims that it works, but at the same time, on searching for "Dreamwidth Flat Interface" I'm seeing vague mumblings about the interface being deprecated.

Hopefully someone can help me out.

In the mean time, I'm just posting via web form, which is so blasé.

gushi: (Default)
2017-05-01 03:27 pm

So I got nerd sniped...

In trying to get php4 (which I've admin'd for many years) running last night, it occurred to me: why not php3? I mean, that's very, very, very dead, right?

Still, the source code was available. I looked at the output of ./configure --help, and came up with something reasonable:

./configure --with-mysql=/usr/local --with-mcrypt=/usr/local --with-mhash=/usr/local --with-ftp --with-gettext=/usr/local --with-zlib=/usr

And then the trouble started. It wouldn't build.

Outright Build Failure

There were a ton of warnings (this always happens with older code), but the show-stopper was:

functions/crypt.c:133:12: error: 'PHP3_MAX_SALT_LEN' undeclared (first use in this function)

In looking through the source code, I found this:

#define PHP3_MAX_SALT_LEN 2
#define PHP3_MAX_SALT_LEN 9
#define PHP3_MAX_SALT_LEN 12

Stupidly, there was no default being set. So, I had to go figure out why.

gcc on a modern system

Most people who have used configure to build a Unix program know it as this Roomba-like script that goes and magically discovers how your system works. To save reinventing the wheel, there's now a tool called GNU Autoconf that generates most of it. But then as now, the way configure actually finds things out is by trying to get the C compiler to build and run a small test program.

For example, to figure out if the crypto functions were working, the user would see something like:

checking for standard DES crypt... no
checking for extended DES crypt...

But that "no" didn't come up immediately. Instead, the little c program that configure ran was segfaulting.

#line 4184 "configure" 
#include "confdefs.h"

#include <crypt.h>

main() {
exit (strcmp((char *)crypt("rasmuslerdorf","rl"),"rl.3StKT.4T8M"));
}

You can go ahead and run that program if you like with a modern GCC. It'll complain about "exit" not being properly defined, it'll complain that crypt isn't being included in the right places. Even if it compiles, it'll crash, segfault, and dump core if you try to run it.

So, after manually patching configure to include modern libraries and build the test programs right, it magically started detecting enough crypto functions to let the build work.

That little c program now looked like:

#line 4184 "configure"
#include "confdefs.h"
#include <crypt.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main() {
  exit (strcmp((char *)crypt("rasmuslerdorf","rl"),"rl.3StKT.4T8M"));
}

But there were more failures

If you look at the above, I included a bunch of libraries. Things like zlib, and mysql, and mcrypt. All those have been changing over time, and no longer have the exact same functions they were built with in 1998.

So, I relented: I simply decided to try to get the core functions running as a proof-of-concept.


It built, and I copied the new "php" binary to /usr/local/bin/php3-cgi

When I tried to run a script with it, however, it simply complained at me:

No input file specified

Hacking around the parser

It became clear to me that in the early days of PHP, there was a supplied CGI binary, but it still required some tight wiring into the webserver to work. So, rather than having suphp load it like other versions of PHP, I wrote a tiny wrapper CGI script, that would just call the "php info" functions:

open FILE, "/usr/local/bin/php3-cgi /home/danm/public_html/phptest/3/php.php|" or die "Cannot open PHP";
while (<FILE>) {
  print;   # pass php3-cgi's output (headers and HTML) straight through
}
close FILE;

It still cryptically complained that there was no input file specified, and then it occurred to me that something was telling it it was running as a CGI, but it wasn't picking up on the path. Thus, I cleared the %ENV hash to make it think it was running on the command line. (It still puts out a header and speaks HTML, tho).


What was the point of this? Well, for starters, one of my long-time claims to fame/shame has been: I am not a C programmer. I've wanted to learn for a decade, and this is a sysadmin who runs critical internet infrastructure talking here. It bothers me a lot. So saying "nope, doesn't work" wasn't acceptable to me. The cost of an afternoon to know I could tackle this was worth it. And it was a nice excuse to get back to blogging.

Having the interpreter lying around isn't actually super harmful, but it's also not super useful. But I learned about C, and about myself. This silly project got me into the zone.

Proof of life

There You Go

gushi: (Default)
2017-04-30 11:29 pm

Making an old version of PHP work

A lot of the people I host are not coders. They don't understand things like php, globally scoped variables, deprecation warnings, database authentication plugins, insecure hash types, or the like.

They know only that they have code that worked fine for a decade, and then Some Jerk Ferrit did something that made their site not work.

Most of this is because PHP, as a language, is a Shit Show. The only reason PHP scripts are not still majorly responsible for most of the botnet activity on the internet is because someone decided to make smart light bulbs with globally routable ipv6 addresses.

Coding in php is like trying to sculpt something in clay, except that people keep dumping ingredients in the clay that change its consistency: sand, water, cement, cheerios.

For an admin, php is a security nightmare: you have 300 users, whose code can all alter each others' files. Oh, and on most webservers? Users can't alter the files PHP created. They're owned by the "www" user.

Shit. Show.

So, because vague reasons, the people who make the PHP language decide that a particular function is not workable in the particular coding style that they feel people should be using at that time. So, somewhere in a README file that nobody actually reads, they say "hey, you should stop using this function, it may go away in the next version".

I hosted several hundred websites at one time -- nobody knew about that README file, which, as far as they knew, were on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.”

So, a long long time ago, I killed two birds with one stone. I installed a program called "suPHP". What suPHP brilliantly does is sacrifice some of the speed normally present in PHP by running everyone's PHP scripts as them. It does this by decoupling PHP from the webserver, and winding up a tiny little PHP process to run your files.

The unexpected side effect here, is that it can run different versions of PHP for different users.

Now, as far as the operating system is concerned, you can only install packages for one version of PHP at a time, and right now, at the time of this writing, that's PHP56, with a bunch of removed functions and deprecation warnings.

I've been building PHP from scratch for years, tho, and I know how to install a tiny little shadow copy of an older version of PHP where the webserver can get at it.

So, if you were going to go look at: this page, you'll see a php info page that talks about php version 5.5. If you look at this default one, you'll see that it in turn is running php 5.6.

In fact, I even have a separate copy of apache running with the mod_php going on, for my webmail, where I can use the speed.

Best part? You can control it.

If you were to look at this htaccess file, you can see how easy it is to signal to the interpreter that you want 5.5. (Normally, Apache won't serve .htaccess files out to the world; this one is special). Basically three lines of code:

<FilesMatch "\.php$">
  SetHandler application/x-httpd-php55
</FilesMatch>

In a former life, I let people use this to switch between php4 and php5. Right now the only handlers are php5 and php55. I could maybe add php54 as well.

That said -- if you possibly can, I advise using upgraded code that supports the latest thing. So if you're running something like Wordpress, please do update. If on the other hand, you have an old copy of Gallery, and it's not being hacked or hammered, and it suddenly broke, the above will fix it.

gushi: (Default)
2017-04-30 12:48 pm

Gmail Ranting

Gmail outright rejects mail from my server delivered via ipv6, but allows it via ipv4.

What this means is that I'm going to have to simply maintain a list of gmail MX AAAA's and pump them into an ipfw reset rule like:

reset tcp from me to 2a00:1450:400c:c02::/64 dst-port 25

On the same note, I am getting continually added to various Google groups that send me a bunch of Indian CVs for people seeking employment. Google apparently will let anyone be added to a Google group without confirmation.

I keep maintaining a procmail rule that looks like this:

* 1^0 ^List-ID:.*
* 1^0 ^List-ID:.*
* 1^0 ^List-ID:.*
# ...more goes here
| /home/danm/

I should probably write a SpamAssassin module that detects this crap, and once it does, rather than filtering the body, detects the list-header and reports as appropriate. (I don't want to reject at SMTP transaction time, because I want the lists to get onto google's radar as a problem that's not simply a delivery issue)

Note: Looks like this journal theme doesn't show the markdown "code" properly. Dammit.

gushi: (tall no good)
2017-04-30 11:56 am

Upgraded to 10.3

TL;DR: If you have a thing that's broken for you, contact me and we'll figure out a fix. If you have a DB-based thing or a PHP-based thing, this is likely.


Upgrades last night went well, but a few things are being weird.

BSD Stupidity

  • For some reason, pkg upgrade didn't reinstall proftpd. Easily enough fixed, but if it missed that, it may have missed other things.

  • Mysql didn't get upgraded from 5.5 to 5.6, but all the php stuff was linked against 5.6, so I manually upgraded mysql-server to 5.6 and ran a bunch of upgrade scripts.

  • Stupidly, the FreeBSD installer removed named.conf because BIND is no longer part of the base tree. DUMB. Like, there's no other reason a person would want that file? (Luckily, I had backed it up).

  • Also stupidly, trying to install bind9.11 tries to uninstall zkt. WTaF?

  • Freebsd-update wanting to overwrite my (not MC, CF) was just plain dumb. Same with my ntp.conf. I think I'm just going to globally call a /usr/local/etc/ntp.conf in rc.conf, and let it stop complaining about any local changes.

  • Something tickles the password file that causes pkg's user-manipulations to fail, somehow getting the DB and the textfile out of sync.

  • People had warned me about my disk devices changing names, but as this is a VM with scsi-based vdisks this didn't affect me.

PHP Stupidity

  • PHP no longer likes mysql's built-in "old style" passwords. If you have a site that's DB-based and you've been hosted by me for like a LONG time, I'll need to do some tweaking on the backend for you.

  • PHP's session dir got weird again. I may need to define a startup script to fix perms on that. (Come to think of it, I should define a crontab to do cleanup on that anyway).

  • As usual, there's a number of deprecated and "removed" PHP functions. I'm vaguely contemplating building static versions of older versions of PHP from scratch to try and resolve these. Because I use suPHP, it lets me determine the PHP interpreter at a per-site or even per-file level. In a past life, this let me run php4 and php5 at the same time.

(Yes, an unstable version of php5.4 sticking around is arguably bad, but if it's a thing I only turned on for a given site that was otherwise broken and that site runs only as that user, I consider this fairly low risk).

Future Work

  • I've accepted that there's always going to be a couple of packages I need to build myself. That said, I should act like a proper port maintainer, and maintain "diff" files for them that are easily applied. I might even reach out to the official package maintainers on some of this stuff and see if they can be included.

  • Because this system started life using ports and pkg-classic, my packages have no idea which packages are "automatic" (i.e. were not explicitly installed, but merely installed as dependencies), so pkg autoremove may not work so well for me. At some point, I'll manually audit the dependency tree.

  • Squirrelmail's cert is marked as insecure because it's SHA1. I've put in for a reissue, but Geotrust is taking their sweet-ass time on it.

  • Now that I can support current state-of-the-art crypto, I'll likely do some cert tweaking for those things that use SSL. (Webmin, proftpd, Squirrelmail).

  • At some point, I really want to do a proof-of-concept that lets you accept weaker SSL settings, but redirect to a framed warning page. Because the default behavior of this (connection failed) just sucks.

gushi: (Default)
2017-04-16 03:42 pm

Things I cannot do with Apple Products


  • Tell my apple TV to turn off my lights via Siri.
  • Bring up an app on my TV to turn off my lights.
  • Use find my friends on my TV.
  • Use find my iphone on my TV.
  • Use the awful "TV Remote" app to turn on my TV.
  • Connect a camera or microphone to my TV so I can use it for Skype or Facetime.

New Macbooks:

  • Use any thumbdrive that's out there without an adapter.
  • Not worry about my power cord pulling my macbook off my desk.
  • Use an apple pencil on a macbook.
  • Use my $1000 thunderbolt display to talk to a modern mac pro.
  • Use the existing cache of magsafe adapters I'd built up.
  • Plug an sdcard in.

(Seriously, would it have killed you to ALSO put a magsafe port on these things? Or make a magsafe-to-usb-c adapter that would permanently live in the mac?)


  • Buy any desktop mac that supports all this new USB-C nonsense.
  • Buy any desktop speakers that I can plug my earpods into and have the mic work.


  • Find a knob that makes the "maximize" button work the way it used to.
  • Not keep a local cache of ALL my mail from my imap server.
  • Use a decent third-party mail encryption app.
  • Control homekit devices via siri on a mac (or via any app?)
  • Sync my MacOS/Time Machine backups to icloud. Or, do over-the-air backups of my phone to my Time Machine server.
  • Use standard OTR Jabber encryption.
  • Sync up which machines I've "seen" a given Jabber message on, so I don't have to go "read" a given message on every system.
  • Save a bookmark to the "root" folder of my bookmarks.


  • Ping my watch via control-center from my phone.
  • Have my watch alert me -- noisily, when I forget my phone.
  • Just light up the screen as a flashlight (just...turn it white).
  • Use my watch to control my ipad (which may be tethered to a media center).
  • Get haptics from third-party apps like Waze.
  • Initiate a call ON MY PHONE from my watch. (Any "Hey Siri, Call Bob Smith" will cause the WATCH to make the call).

Family Sharing/AppleID/iCloud:

  • Allow my family members a choice in where they make their purchases from -- the shared card, or their own. (Hint: not all families are the same -- my family is two adults).
  • Allow my family calendar to be shared to non-family-members. Even with an odd nonstandard family like mine, families may want to share their schedule with a maid, or a Nanny, or an event planner.
  • Allow partial opt-in to Family Sharing. (I.e. letting an adult join my family without letting me wipe their device)
  • Merge two appleIDs: I have one for the store and one for iCloud, from back in the day where I was told an appleID must be at I'd love to just have these merged.
  • Use an API to access my bookmarks.


  • Charge my phone wirelessly.
  • Use an external USB camera (like a microscope, or a borescope), either to take pictures with, or just to use the phone as a recorder.
  • Use an Apple Pencil on an iPhone (prime opportunity to scoop the Galaxy Note crowd, you missed the bus).
  • Use headphones and external power at the same time. (So, Ingress, or long train trips, or flights?).
  • Use both lightning earpods AND headphone-port headphones at the same time (think: two people watching the same movie, wanting independent volume).
  • Use both wired earphones and airpods at the same time.
  • Use my phone to control my ipad's audio.
  • Add non-credit-card NFC cards to Apple Pay.
  • Add basic barcode-based loyalty cards to Passbook/Wallet.


  • Use an app like ODBFusion (which gives me virtual dashboards) on my carplay display.
  • Buy any aftermarket stereo that supports wireless carplay.
  • Use any mapping app besides apple maps.

Some other suggestions for Apple:

  • Give the Mac Mini some love. Give us one with both classic USB ports as well as USB-C. Give us one with just some DIMM slots and an NVME-style hard drive on the bottom.

  • Stop it with the soldered-onboard ram/ssd on your desktop machines. This makes sense on a macbook, perhaps, but it just twists the knife at purchase-time for desktops like the Mini which are designed to be easy to open.

  • Some of us use these machines as servers. Which means supporting some kind of reasonable out-of-band access and remote power-cycle/remote console functions. Either rebirth the xserve, or work with dell to put an Apple SMC in one of their machines but also have full iDrac functionality.

gushi: (tall no good)
2017-01-01 05:16 pm

Looking forward on 2017

So, It's January 1st.

2016 is behind us, and while a year that's become inexorable in its death toll (ranging from People like "Alan Rickman", as well as people close to me like "JBdager" and "Larry"; as well as concepts like "common sense in democracy" and "me having a full colon", and even silly concepts like "MagSafe") falls behind us, all I can do is look forward.

Digestive Health

I'm sitting, at home, attached to a device called a Wound Vac. It's a miracle of the modern age, and is helping my body knit together a wound the size of a plum from surgery to remove a section of colon that contained a tiny hole, that made my life annoying for far too long. I won't share the whole story here, but I'll simply say that things haven't been right for about 18 months.

One of my little goals was to get most of the surgeries completed to solve this problem in 2016 -- before all the copays and deductibles reset themselves, and -- barring further complications, I'd say we've accomplished that.

I'd love to be able to start this day by going to the gym and walking for a couple miles, by going hiking, by being able to say I ate perfectly healthy, by saying I got a ton of work done, but I can't say those things. As I'm still healing, things like "diminished appetite" and "reduced motion" are still in play. Right now the prescription is still "rest with gradual increases in activity" and not "now get out there and go hiking."

Weight Loss

I've been heavy for a long time. I want to fly places and I want to learn to fly things, and I want to be comfortable doing so. I want to live a while. So yeah, whether I do it surgically or with the application of willpower and encouragement from my friends, this is on the agenda.


In a little over a month, I have tickets to fly further than I've ever flown before -- Amsterdam, Brussels, and anywhere else in Europe I care to explore. My day job is paying for this flight, and so I'll be visiting various data centers, as well as a technical conference there.
There's a number of other trips planned as well. For the past eight years that I've been at my job, I've made the reputation for myself as the "stay at home sysadmin" while my coworkers and colleagues have rounded the globe.

Some of this has been due to body size issues: I'm a heavy person, and most of my weight is in the parts that make airline seats uncomfortable.
To demand equal-time on planes where I'm inconveniencing other customers, or making my company pay more to send me than my coworkers never did seem fair. Some changing tides at work have made it such that my current boss, who isn't nearly as much a fan of travel has taken the helm of Operations, and thus, I get to be the roaming face of F-Root operations.

I've also got a coworker who is amenable to sharing a seat with me, so it would seem that we've alleviated most of the annoyances of air travel, at least until I can rectify body shape issues.

I also really want to do more exploring of the country. I have a bucket-list of places in the terrestrial US that I'd like to get to -- some of which are simply because they're beautiful, and some because of events that happen there.

We love rail travel (and can work perfectly well from a train). I'm well-versed at doing things from the passenger seat of a car, and at some point, I've also got to make an appointment to test out an RV.

A protracted list might be: Chicago for IETF, Vegas for Defcon, Reno for BLFC, The Pacific Northwest just to see friends, and quite possibly a land-trip straight across the US, with a pickaxe-shaped itinerary on the east coast.


I have a number of people around the country who are special to me in various ways. "Get Married" is on the agenda, but so is "get to know other amazing people even better, come what may". Cultivate good relationships. Repair weakened ones. Make things better for everyone.

I've always liked to see my friends like the aliens in the ST:TNG episode "The Nth Degree". (It's the episode where aliens make Barclay super smart, so he will bring the ship to them and they can meet). It hasn't always made sense to travel to other places, to have to rent cars and hotels, when I've had a reasonable apartment/cars/climate/night-life/culture here in the Bay Area that I can share with people.

I've built this so perfectly, in fact, that I've got guest rooms, spare keys, even a spare car for folks to use. But it hasn't netted me everyone I'd like to meet. Some people simply don't have the ability to detach from their lives for a week or more that it would take to make a flight make sense.

So, travel factors into this as well.


2017 may or may not be the year I finally leave the Bay Area, but I'm mostly of the opinion that I've done mostly everything I've set out to while I'm here. I very much enjoy my job, and appreciate that they're accommodating to the point where I can be allowed to do my job remotely.

"Home ownership" is a goal I have before too long, and I don't want it to be here in our perpetual real estate bubble. I don't think that will happen this year, but moving to the place I want to live, renting for a while, as a jumpstart -- while finding the dream house and amassing a down payment, may very much be in the cards.


I've got at least a dozen little personal projects I want to get done.
Things ranging from "get a better blogging engine up on" to car improvement projects to learning to weld to prototyping new hardware I want around the house. Heck, "Getting my Motorcycle Running" and "Getting my Motorcycle License" are two of them. (See how this ties to Travel?).

It's only worth knowing that there's a lot of them, rather than listing them all explicitly here. It's a lot to keep me busy, that's for sure.


Hang on to your butts. It's going to be a good one.

gushi: (Bitey Gushi)
2016-12-31 01:51 am

Open letter to KCI about the Acti-V.A.C

Dear KCI:

Your wound-vac products literally work miracles.  They close wounds in weeks that would otherwise take months, with fewer complications.  That said, I’m an engineer, and I’ve had weeks to get intimately familiar with some of their shortcomings.  In the interest of a better product, I'd like to share some of them.


The software installed on the VAC is dirt simple for a patient to use, but in the interest of trying to track my own care, I’ve looked at some of the menus.  The UI is a bit strange.

  • Why is the option to switch between patient and clinician mode in the “Help” menu?

  • When I go to view therapy history, why do I only see alarms/errors that actually cause errors to stop, and not routine blockages.  I’d think, as a caregiver, I’d want to see how often a patient (especially a less tech-savvy one) is getting these issues.

  • Why is there no option to view average pressure over a time period, either as a “mark” in the log, or as a bar graph.  i.e. “100 percent of the time was at 125, versus time-averaged therapy at 20 percent, with 20 minutes at the desired level”.  Showing the clinician a score as to how effective the therapy was, with a simple percentage score is super-useful.

  • Worse still, there’s no simple “alarm history” button in patient mode, where I, as a patient, could say to my nurse “okay, this is what happened this morning”.

  • Putting an option in clinician mode where a clinician could note a dressing change, and perhaps the number of foam pieces used, or wound measurements, such that such things were shown in the export and logs, would be wonderful.


  • While this is technically a software function, I would really, really love to be able to see what the expected runtime is on my battery, since the unit doesn’t alert until it hits a critical level.

  • The charging plug for the vac is a nightmare.  In addition to being non-standard, and needlessly polarized, it pops out if you look at it funny.  You’ve added a velcro strip to hold it in place, but as I’ll note below, this is suboptimal.

  • Enabling an option, even in patient mode, that causes the unit to “chirp” every few minutes if unplugged would be nice.  The idea would be, I could press a “silence” button that would suppress that warning, but only until the unit were plugged back in again.  All other low-battery alarms would still be in place.  This would allow me to go out to a medical appointment with the unit in relative silence, but still be alerted if the plug had popped out via random motion.

Carrying case:

The case you guys give out is awful.  Period.  For maybe an extra dollar, here’s what I might do differently:

  • Instead of the permanently attached shoulder strap, add clips so it can be taken on/off the bag.  In addition to making it easier to manage when you are, as I am, mostly couchbound and just take the vac to go to the bathroom, it also would mean that when the hose/power cord/shoulder strap inevitably get tangled

  • The little velcro strip that holds the power cord in currently *only* works by opening the bag.  That is, if you’ve just gotten up to go to the bathroom, and come back and plug your vac in, you have to undo the velcro flap, reapply the strip, and re-close the bag.  To get up again, you have to undo the flap, undo the strip, re-close the bag.  Why wouldn’t you also put a velcro strip on the *outside* of the flap, so this could be a one-step process?

  • If I’m just at home anyway, why not put a velcro strip on the *back* of the bag, so I can velcro the flap in the open position.

  • Wearing my vac like a purse is one useful way of carrying it — I find it somewhat easy to tuck the excess tubing into a sweatpants pocket and mostly conceal it in public.  Supplying an extra strap so it could be worn, say, as a small backpack, or adding a rigid belt-loop so it could be worn on a belt (or perhaps, the shoulder strap for another bag could be put through it, so it's one shoulder strap to manage, rather than two) would help.

Anyway, these are just my thoughts.  I hope you find them useful and possibly insightful.  Thank you again for making a wonderful product which has definitely changed my life for the better.

gushi: (anthrocon badge)
2016-04-03 02:04 pm

Gushi Rants about Borderlands

Back, nearly a year ago, Kelli and I bought a playstation 3, and I insisted on wanting to try a 1st-generation console because I had ps2 games that I wanted to be able to play. Kelli warned me that there would be problems, and there were -- long after we ditched the console. Still, that first night, Kelli introduced me to Borderlands, which I quickly came to enjoy as an "I'm pissed off and want to shoot things" game.

However, because we had bought at gamestop, we got a 7-day chance to return it at no penalty. So, we backed up the entire contents of the ps3, and reformatted the drive and returned it.

About a month later, when we bought a newer, doesn't-overheat-when-you-look-at-it PS3, we restored from the backup. Borderlands once again showed a save game, that it now refused to load.

We tried everything. Creating a new PSN account (we hadn't used one previously), renaming the data file, moving it to a new profile, every stupid trick on the forums or GameFAQ's. It seemed like either the game developers had deliberately made this process obtuse for some reason, or sony had, in their infrastructure.

Okay. Fine. I started over. A second time. With a completely clean profile. Apparently, though, there's another glitch. Even though I was using a NEW character on EXISTING save data, there was still a corruption issue related to trying to use data on a different playstation than the one it was created on.

So now, every time I did ANY achievement, I'd get a pop-up (at the completion of pretty much EVERY mission) stating "YOU DID NOT EARN A TROPHY!" Seemingly, even in places I wouldn't normally earn one.

(Because I hadn't earned it, it was letting me know EVERY TIME AFTER that I could still get (DID NOT EARN) a trophy.)

Run over a bunch of Skags? YOU DID NOT EARN A TROPHY. Kill a boss for the third time? YOU DID NOT EARN A TROPHY. Stub your fucking toe? YOU DID NOT EARN A TROPHY.

And for a game with the ability to do live-patches, there’s NO EXCUSE for this shit.

So what the fuck? Why have the ability to back-up/restore at all? And when the saves don't load, why not tell us WHY they won't load? Just plain frustrating bad UI. Don't the playtesters test this at all?

So, my mood visibly annoyed, I started finding other little annoyances in this game.

  • Weapons sorting and carrying. I get that it's a mechanic of game balance to only be able to carry so much, and I guess I also get that it's a mechanic of game balance to not let you have some kind of a 'locker' that you can keep some awesome weapons in that you don't want to carry around, but looking over weapons, it's kind of annoying to sort by, for example, which have the best sights, or which are most stable, or which have the highest ammo capacity.

  • The vehicle system. It's way, way, way too easy to get vehicles stuck places, and at certain levels, speed is kind of your only way out of a tight situation.

  • I've also managed to get my character stuck inside the landscape more than once. Again, totally fixable after ship-time with a simple patch, if the developers would bother once it's out the door.

  • The radar display. For some reason, it can only track one mission at a time, and in that mission, it can only track one potential TARGET at a time.

  • I get it, it's plot, but it would be really cool if I could do a thing for a mission before I actually had the mission. "Hey, go climb this radar tower and throw this switch". You mean that radar tower I was just on top of ten minutes ago when that switch did nothing and I couldn't interact with it at all?

  • The "scavenger" missions. You know the ones. "Hey, go find five pieces of this weapon and you can keep them." The ones that take a tool you've totally relied on throughout the entire game (your radar) and make it lie. Not go blank. Not show a question mark, not show a general area. Just make it lie. So you wind up jumping around where you think the radar tells you to be, until you're trapped inside the landscape. Again.

  • The physics. I don't care who you are, a point blank shot to the face with a rocket launcher should kill you just as well as a hit from 300 yards with a sniper round.

  • Some of the "survival rounds" turned out not to be that at all -- you could totally re-spawn, and walk back into them, mid-challenge, with half of the enemies dead. Which kind of evades the whole point.

All that said, I figured maybe I was reading too much into this -- I started to play it simply as a 'if you don't succeed, level up, and punch things till they die game'. I was playing as Brick, after all, and Brick's main trait is his outright "just storm into it, keep shooting, and you'll probably make it" ability.

So I just ran through, and had fun with the storyline. Don't feel like fighting? Just run. Don't feel like taking out the enemies tactically?
Just berserk. Don't feel like attacking the main boss? Just sneak up behind him and punch him in the ding-ding till he's not alive anymore.
It's immensely gratifying.

And then I came to the game's worst point: the last boss. The vault guardian. A huge tentacle-and-eyeball monster inside a giant pink labia. And all the tactics that had gotten me through the entire game were suddenly pointless. Trapped in the end of the game, with no access to ammo, anywhere, and all the strategy guides suddenly helpfully suggesting one type of ammo or another, or re-speccing my entire character for one specific optimization.

I shut the console off in disgust. And it's stayed that way, ever since.

I think I may, now, finally go play it again, just to see how it finally ends, but it's been my experience that game developers are always under such pressure to ship it and get it out the door, that the endings are always shit.

Was the ending to Super Mario Brothers super good? Or even The Legend of Zelda? How about this classic ending from Karnov?

((Yes, yes, Hideo, you get a gold star, I know there are exceptions.))

I suspect, if I do go back to it, I'm going to have to run around the game (with no more available missions) to randomly kill folks to get stuff to sell to get more cash to buy more stuff to kill the next epic boss. Doesn't seem fun anymore, honestly.

And if I wanted that, I'd just play WoW.

gushi: (Nevar Button)
2014-08-26 11:42 pm

Tracking down compromised email accounts

Mitigating a Mail Server Attack


A few days ago, I noticed an unusual number of bounceback messages from one specific user directed at email addresses. When I looked inside the mail queue, I noticed that each message had dozens of recipients.

The troubling thing is, looking at the mail logs, I saw the dreaded line

maillog.7.bz2:Aug 18 21:33:08 <> prime sm-mta[80096]: AUTH=server, relay=[],, mech=PLAIN, bits=0

The AUTH=server bit tells me that rather than a rogue script running here (a not-uncommon thing that happens when you let users run PHP scripts), this was an actual password that got leaked, and was being used to send mail just as a regular user would.

I quickly concluded "compromised account", changed the user's password, and contacted them out-of-band with a new password. Life seemed good.

...then I noticed a second account doing the same thing. Okay, that's weird. Maybe my users have started falling for a really effective phishing scam?

When it happened a third time, a few days later, I recalled the old Ian Fleming quote:

"Once is happenstance. Twice is coincidence. Three times, it's enemy action."

Combat Perl

So, faced with the task of seeing if there were any other users who were affected, I wrote a short little bit of perl code to analyze my mail logs, and spit out each login, as well as the number of times each IP had logged in.

The code looks like this. No, there's no fancy "use strict" or anything like that. I used YAML as an output format because writing "Dump" is easier than writing a foreach loop to iterate over the hashes.


use YAML;
# Pull only the SMTP-auth lines out of the (compressed) log.
open FOO, "/usr/bin/bzgrep -i \"auth=server\" /var/log/maillog.0.bz2|";
my @lines = <FOO>;
close FOO;
my %thing;
foreach my $line (@lines) {
  chomp $line;
  if ($line =~ /\[(\d+\.\d+\.\d+\.\d+)\].*authid=(\S+),/) {
        print "ip address $1 authid $2 found in $line\n";
        # login => { ip => number of times that ip authenticated as this login }
        $thing{$2}{$1}++;
  }
}
# Dump of a flattened hash: each key and each value comes out as its own "---" document.
print Dump %thing;

Combat perl output

The code above produced output like what I have here. Note that I've altered all the logins and none of the below actually exist on my system. The IP addresses and counts, however, are real.

--- jim
--- 1 4
--- bob
--- 1
--- moe
--- 10
--- 9 10 3 1 2 3 2 6 1 4 9 2 7 4 2 3 3 4 5 1 2 4 6 4 2 5 2 1 10 3 8 1 4 1 4 3 7 7 7 5 6 2 3 4 3 2 7 13 4 4 1 2 8 5 12 3 8 7 8 2 1 3 3 2 4 6 1 4 5 5 4 4 3 3 5 4 7 1 7 1 8
--- thing
--- 1
--- stuff
--- 2
--- steve
--- 1 1
--- joe
--- 1

So, one of these things is not like the others. It's understandable that a person may have two or three ips in a given period. Their ips change, they're logging on from multiple computers.

Remember that these are ONLY the ip addresses pulled from the sendmail logs. Only on connections where a piece of mail is sent, using SMTP auth.

So, that entry? Yeah, that is what security researchers call a "snowshoe" attack -- not one server sending hundreds of mails (which would be easy to block), but instead, it's spread out, and even though I now have a list of ips I could block, what we're looking at here is a botnet of otherwise compromised machines on a dozen or more ISPs.

The other thing to note about the entry is that it's a full user@domain entry. Put another way, it's an email address -- one where the LHS (left hand side) just so happens to match the user's actual login.

What was going on here is that the way I (and most people) do SMTP auth in sendmail, there can be a concept of multiple "realms" defined -- for example, to log in against different authentication databases. As I'm not using this feature, the realm and everything after is ignored (but still logged).

As I normally instruct my users to only use the barename to log in, any login using a full realm must be a compromised account.
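The scan above, plus the two tells just described (an authid in user@realm form, and one login spread across a dozen or more IPs), as an added example in Python rather than the post's Perl. This is not the author's script; the log format mirrors the AUTH=server line quoted earlier in the post, and every sample line below is constructed with documentation IP ranges, so it runs offline against nothing real. The five-IP threshold for the snowshoe check is an assumption to tune for your own users.

```python
"""Added example (not the post's code): count SMTP AUTH logins per authid and
per client IP from sendmail log lines, then flag the two signals the post
describes. Sample log lines are constructed; IPs are documentation ranges."""
import re
from collections import defaultdict

# Same two captures as the post's Perl regex: client IP in [] and the authid.
AUTH_RE = re.compile(r"AUTH=server,.*?\[(\d+\.\d+\.\d+\.\d+)\].*?authid=([^,\s]+),")


def _auth_line(ip, authid, pid):
    """Build one constructed sendmail-style AUTH=server log line."""
    return (f"Aug 18 21:33:08 prime sm-mta[{pid}]: q{pid}: AUTH=server, "
            f"relay=[{ip}], authid={authid}, mech=PLAIN, bits=0")


# Constructed sample log: a normal user on two IPs, a one-off user, and one
# authid in user@realm form hitting from a dozen addresses (snowshoe pattern).
SNOWSHOE_IPS = [f"203.0.113.{n}" for n in range(1, 13)]
SAMPLE_LOG = "\n".join(
    [_auth_line("192.0.2.10", "jim", 80096),
     _auth_line("192.0.2.10", "jim", 80097),
     _auth_line("192.0.2.44", "jim", 80098),
     _auth_line("198.51.100.7", "bob", 80099)]
    + [_auth_line(ip, "moe@example.com", 80100 + i) for i, ip in enumerate(SNOWSHOE_IPS)]
    + [_auth_line("203.0.113.1", "moe@example.com", 80200),
       # A non-AUTH line; the scan must ignore it.
       "Aug 18 21:40:00 prime sm-mta[80130]: q80130: STARTTLS=server, "
       "relay=[203.0.113.9], version=TLSv1.2, verify=NO, bits=256/256"]
)


def count_auth_logins(log_text):
    """Return {authid: {client_ip: login_count}} built from every AUTH=server line."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ip, authid = m.groups()
            counts[authid][ip] += 1
    return {authid: dict(ips) for authid, ips in counts.items()}


def realm_logins(counts):
    """Authids in user@realm form; users are told to log in with the bare name only."""
    return sorted(a for a in counts if "@" in a)


def snowshoe_logins(counts, min_distinct_ips=5):
    """(authid, distinct_ip_count) for authids seen from min_distinct_ips or more addresses.
    The threshold is an assumption; a few IPs per user in a log rotation is normal."""
    return sorted((a, len(ips)) for a, ips in counts.items() if len(ips) >= min_distinct_ips)


def suspicious_authids(log_text, min_distinct_ips=5):
    """Union of both signals: the accounts to lock or block from sending first."""
    counts = count_auth_logins(log_text)
    flagged = set(realm_logins(counts))
    flagged.update(a for a, _ in snowshoe_logins(counts, min_distinct_ips))
    return sorted(flagged)


if __name__ == "__main__":
    # Against a real log: count_auth_logins(open("/var/log/maillog").read())
    for authid, ips in count_auth_logins(SAMPLE_LOG).items():
        print(authid, sorted(ips.values()))
    print("suspicious:", suspicious_authids(SAMPLE_LOG))
```

Run on the constructed sample, `jim` shows two IPs with counts 2 and 1 (the ordinary case the post allows for), while `moe@example.com` trips both checks at once: it carries a realm and it has authenticated from twelve distinct addresses.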

Notifying the User

So, there's a problem here. While I can easily change the user's password and send them mail, this effectively locks them out of their account and keeps them from getting anything done until we touch base.

What I wanted to do was find a way to block the users who were using the "bad" format, while letting good users go on. I wanted a quick, guilt-free way to block the sending of mail, without breaking the communication link.

What I discovered was a ten year old post in the old usenet group comp.mail.sendmail, here.

With a little bit of tweaking, I had applied that same config to my own sendmail, and had configured a line in the access database to block a test user. The account still worked, but it wouldn't let them send mail. Perfect. I could block "" without blocking "curly". (And yes, this relies on a little bit of obscurity -- but it's a botnet, not monkeys at typewriters, it's only going to try what it knows).

Identifying the source

So, three accounts with relatively secure passwords compromised in a week. What was the common thread? Could these people have all used the same insecure passwordless wifi networks? Is there some newfangled router exploit that mails your traffic all off to the highest bidder?

I spoke to all the users. None of them had fallen for any phishing emails. They were running different OSes, so a password-stealing virus was out. And then it hit me. Like a ton of bricks.

I've recently seen a surge of spam to addresses like,,
The reason?

Well, it's all because Adobe sucks at securing your data.
Sometime last year, people were able to download 150 million usernames and passwords from Adobe's backend servers. And, as the article I just linked will tell you, those passwords were encrypted weakly, and in a way that all the users had the same encrypted password string, for a given password.

I'm not 100 percent sure this was the attack vector -- there have been several other leaks (, Linkedin, E-harmony) -- but I'm about 90 percent sure that this is the likely cause, even if I don't know which site it was that ultimately spilled my users' beans.

gushi: (Bitey Gushi)
2013-08-10 10:46 am

Travelocity Rant and Documentation

I've been in a long-distance relationship for the past few years. As a result, I book quite a bit of travel. The company I've chosen to do this with, is Travelocity. I've spent a LOT of money with them, mainly in flying my friends from all over here to the Bay Area.

  • I've had several occasions where I click on a flight, only to get to the checkout screen and find out that "The Price for this flight has changed". This is frustrating, but not inherently Travelocity's fault -- the airlines have two databases, one for availability and one for bookings, and pricing info differs occasionally.

  • I've had at least a few occasions where I've done several searches for a thing (different days, different times, etc), and have booked a flight...only to find that the flight I have is not the one I thought I booked. On at least one occasion, the answer to this has been "okay, book another flight" -- this has happened with other people in the room who watched me book it and have sanity checked me, but since we don't have a time machine, we may never know.

Travelocity staff: if you want to look over the number of "no-go" flights I've booked in the past few years, please do.

  • I've had one occasion where a flight couldn't be made due to illness, and I had bought Travelocity's insurance. I was told in no uncertain terms that the type of illness (cramps) didn't qualify, and I was out the price of a ticket, PLUS the fee for the insurance. Haven't bought it since.

  • I've occasionally just seen Travelocity's web site loop endlessly and tell me there's no flights, redirecting me back to their home page. I seem to recall it was doing this the night I booked this flight, which is why I used the app. Next time I see this behavior, I'll record it.

The "big issue" happened today.

On July 11th of this year, I booked a flight for my girl Mary Kathryn Williams (known to me as Kat) from Tampa, Florida to San Francisco. On the travelocity website, if you visit with an ipad, it pops up a display that says "Use our app!", so I did. Booked the usual flight. Traveler "Mary Williams". DOB Hers. When it asks for a confirmation email, I choose hers, not mine (because I can always log into the account to see details). Just so I have a record, I take a screenshot of the ipad screen. (My photo stream seems to be my second brain of late).

Trip ID: 631935337643. American Airlines flights 2009/1355. August 9th.

Fast forward to today: I get a call from Kat -- at the airport -- saying "There's a problem -- this ticket's in Dan Mahoney's name". We have tickets to the very last showing of a live concert, tomorrow at 8PM.

I haven't ever seen the confirmation emails, I always send them to her, so I can't say for certain whether it would have been obvious that there was a problem -- after all, my name's likely to be in there somewhere, it's MY ACCOUNT, so this is probably easy to gloss over.

I call travelocity from my desk phone -- and sit on hold for 20 minutes.

I then try them at a different number -- and get past the hold queue in five minutes, to someone who is reasonably easy to understand, but still has an "outsourced" feel. I drop the call from my desk phone.

I explain the situation to the agent that answered. He says "this is up to the airline", and places me on hold for about ten minutes. He comes back on the line and tells me that the airline "has refused" to make the change, and the only thing they can do is try booking another seat.

He checks, quickly, and tells me there's no seats available, at any time today, on any airline, at any price.

I ask him for the number for the American, and hang up.

I call the airline (American) -- get through to someone in about three minutes. Explain the situation. He tells me I need to speak with Travelocity -- and I explain that Travelocity is saying I need to speak with the airline. Since the person who tells Kat if she can get on the plane has a uniform with an American logo on it, and the big flying metal tube says American, I'm pretty sure the airline's the right answer.

The gentleman laughs a bit at this logic "I need to ask my helpdesk about this", and comes back in about five minutes.

He tells me that there's three options, and they're not great options, but they're options.

First, would be to try and move the flight out to a different day, which gives us more wiggle room on this, time to solve the problem. I don't find this particularly acceptable.

Second, is that the person who actually has the call on this is the Airport Manager, and that she can ask to speak to them and get the name change approved. While I might suggest this if I were there to flash my ID and my credit card and say "look, Travelocity messed up", I'm not there to do so.

Third, he tells me, is I can just buy her another ticket. He checks, and surprisingly, he DOES have another slot free for her -- a slot that wouldn't be available to Travelocity's people. Problem is, it's not cheap, since it's basically a same-day flight. $500ish.

I say "Okay, this is a problem I can solve by throwing money at it. You guys take Visa?"

We go back and forth a bit, because initially, he's telling me Kat will need to pay (but Kat has a credit card on my account, so this isn't a problem -- yay for forward thinking), but then the system appears to let him book it. He gives me a confirmation code, I text it to Kat, and life is good.

Finally, he asks me what to do about this other reservation, and tells me that it's my choice on whether he cancels it or not, but that if nobody checks in, and it goes to a "no-go" status, then I'm more likely to be out the money. I agree, and he cancels it.

I call back Travelocity, and get a different agent. I give them the story to date, and say "okay, so I've now got a credit, right?". And they confirm, yes, I have a credit. Which must be used through travelocity and for flight by me on the same airline.

He tries telling me that "the airline holds the credit, not travelocity" -- and I don't understand that. Okay, so I have a credit with the airline. There's presumably some kind of ID they can give me, and step out of the transaction at this point. Right? Wrong.

I'm a heavy guy, and a bit of a libertarian. By flying, I inconvenience other passengers, so I don't fly without a really good reason. I flew out a year ago for Kat's conversion (and a friend hooked me up with First Class travel, which was a world of difference from nearly every point of view). I fly if business mandates it -- once every two years or so, and even then I have my company buy the second seat.

I confirm that in the future, if need be, I can use this credit by calling travelocity (which would eliminate pretty much the convenience of using a web site -- or being able to search multiple airlines for deals).

Ergo, I call my bank, Chase. I explain the situation -- that the app messed up, because there's no possible way I would ever list myself as a traveler, flying out of a city I don't live in, and I initiate a chargeback. Travelocity's software (either on my ipad, or on their site) had a glitch.

They tell me the funds -- $240.80 -- will be back in my account within 12 hours, and thank me for being a customer. Yes, travelocity may dispute this chargeback, but that's why I'm documenting this here.

I've shouted out to Travelocity on Twitter -- I'm still shocked that one can get a message through to customer support and people who are enabled to act faster there than by calling a phone number and speaking to people 1:1.

My advice: You've lost a customer. From now on, we're going to figure out which airline works for us, and book through them.

All you have to do to solve this problem FOR ME is "don't dispute that chargeback". Your app messed up. I'm a techie, I'm good with the computers, and I'm 100 percent certain of what I put in those fields in your app.


@travelocity (still not sure if that should be capitalized) started following me on twitter, and asked me for my trip ID and my phone number. I linked them to THIS ENTRY (which is everything you're reading except this update section), and said "If you still feel we should talk, here's my number."

I was called a few minutes later by someone who...

  • hadn't read the link -- in fact, hadn't even been FORWARDED the link. (Sorry, was 140 characters too much to pass on?). Strike one.
  • Called me Ma'am, more than once, after being corrected.
  • Told me that they'd only grant me a refund if the "footprints from the app reveal an error" -- I guess meaning they're handing this to the dev team. I responded that yes, I'd love this fixed, but they've already lost a customer, and I've already had my bank give me my money back. The best thing you can do, once again, is don't dispute that claim when it comes in.
  • Before hanging up, told me "Thank you for calling travelocity". WTF? YOU CALLED ME! Are you really that incompetent that you can't remember who dialed and who answered?


The show we were going to see has extended its run for another three weeks, so there's a silver lining.

The flight wasn't meant to be: All flights out of Tampa were delayed because of a tornado watch, so Kat would have missed her connection at DFW, and would have gotten the privilege of sitting at the airport until 7AM, so the flight had to be scheduled for the following day, anyway. I don't have a phone number or twitter handle for the entity responsible for tornadoes...but I do hear He's on Google+.

gushi: (Default)
2013-05-16 02:37 pm

How to build wkhtmltopdf 0.9.6 under FreeBSD AMD64

Installing wkhtmltopdf 0.9.6 under FreeBSD

At my day job, our knowledge base software needs a specific version of wkhtmltopdf to work. Further, it needs the version built against a specially patched set of QT libraries in order to do certain critical things (for example, to run headless). If you run ./wkhtmltopdf against a non-patched version, it will issue this warning:


Reduced Functionality:
  This version of wkhtmltopdf has been compiled against a version of QT without
  the wkhtmltopdf patches. Therefore some features are missing, if you need
  these features please use the static version.

  Currently the list of features only supported with patch QT includes:

 * Printing more then one HTML document into a PDF file.
 * Running without an X11 server.
 * Adding a document outline to the PDF file.
 * Adding headers and footers to the PDF file.
 * Generating a table of contents.
 * Adding links in the generated PDF file.
 * Printing using the screen media-type.
 * Disabling the smart shrink feature of webkit.


FreeBSD has a port for wkhtmltopdf, which includes a patched QT, but version 0.9.6 will not build against this patched QT. Thus, we need to build both from scratch.

Further, when attempting to build the patched QT from source, there are at least two active bugs.

First, javascript compilation will fail with a couple of minor type conversion errors.

This is a similar error reported with another piece of software:

../JavaScriptCore/runtime/JSValue.h: In constructor ‘JSC::JSValue::JSValue(JSC::JSCell*)’:
../JavaScriptCore/runtime/JSValue.h:472: error: cast from ‘JSC::JSCell*’ to ‘int32_t’ loses precision
../JavaScriptCore/runtime/JSValue.h: In constructor ‘JSC::JSValue::JSValue(const JSC::JSCell*)’:
../JavaScriptCore/runtime/JSValue.h:478: error: cast from ‘JSC::JSCell*’ to ‘int32_t’ loses precision
make[1]: *** [WebKit/gtk/WebCoreSupport/libwebkit_1_0_la-ChromeClientGtk.lo] Error 1

Patches in this bug listing tell us how to fix it, mostly (the patches are not FreeBSD specific, but the exact nature of the fix is easy to glean).

Second, WebKit seems to suffer a bug (referenced here) whereby it will pick up the system header files (even if you've told it to build with the builtin versions), so it will believe that the list of available functions is off, with an error like:

: undefined reference to `png_set_longjmp_fn'
/data/home/dmahoney/wkqt/lib/libQtGui.a(qpnghandler.o)(.text+0x1b7c): In function `QPngHandlerPrivate::readPngHeader()':
: undefined reference to `png_set_longjmp_fn'
/data/home/dmahoney/wkqt/lib/libQtGui.a(qpnghandler.o)(.text+0x23a0): In function `QPngHandlerPrivate::readPngImage(QImage*)':
: undefined reference to `png_set_longjmp_fn'

It's my hope that I can show how to get this tool, at this specific version, to install, and help others who may hit this. I'm also pasting in the actual compiler output such that people can google for it and find this entry.


It's probably a good idea to make and install this port anyway as it will pull in a bunch of X11 and font dependencies that we may later need, but once it's installed, it's probably safe to "make deinstall" it.

Part 1: wkhtmltopdf-qt

Get the wkhtmltopdf source

We grab the source for wkhtmltopdf at this phase because we need a file from it to get the build arguments for qt. Grab wkhtmltopdf version 0.9.6 from the Google Code downloads page. Since it is a deprecated release, it will not be in the default list. Go here, select "All Downloads", and search for 0.9.6, to get:

Grab this with "fetch" or "wget" or just scp it over to the system.

Get the wkhtmltopdf-qt version you need

There was, at one time, a git repository at: git:// It no longer seems to answer.

Luckily, the repository has been mirrored onto Github.

Clone wkhtmltopdf-qt from this github page, then isolate it down to the 0.9.6 release tag.

%git clone git://
Cloning into wkhtmltopdf-qt...
remote: Counting objects: 563729, done.
remote: Compressing objects: 100% (104214/104214), done.
remote: Total 563729 (delta 455301), reused 563645 (delta 455222)
Receiving objects: 100% (563729/563729), 376.20 MiB | 2.34 MiB/s, done.
Resolving deltas: 100% (455301/455301), done.

(the above took about ten minutes on my very fast connection)

You can see that there are several "tagged" releases of code in this repository:

%git tag -l

So you're going to want to reduce the repository to that version:

%git checkout wkhtmltopdf-0.9.6
Checking out files: 100% (22888/22888), done.
Note: checking out 'wkhtmltopdf-0.9.6'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at e63d059... Fix pdf title writeout

(this took 3-5 minutes) Welcome to 2010!!!

Without the output, the two commands you really need are:

git clone git://
git checkout wkhtmltopdf-0.9.6

Patch wkhtmltopdf-qt

There's a trivial change we need to make in the javascript code if we're on a 64 bit platform.

Manually apply this patch, but add a line for PLATFORM_FREEBSD.
So, on line 721 of ./src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h, change:




Do the same on line 712 of ./src/3rdparty/webkit/JavaScriptCore/wtf/Platform.h.

Configure wkhtmltopdf-qt

Per the build guide, you can get the configure arguments by doing cat ../wkhtmltopdf/static_qt_conf_base ../wkhtmltopdf/static_qt_conf_linux | sed -re 's/#.*//'

Then, you get to go into a text editor and put them all on one line.

./configure -release -static -fast -no-exceptions -no-accessibility -no-stl -no-sql-ibase -no-sql-mysql -no-sql-odbc -no-sql-psql \
-no-sql-sqlite -no-sql-sqlite2 -no-qt3support -no-xmlpatterns -no-phonon -no-phonon-backend -webkit -no-scripttools -no-mmx \
-no-3dnow -no-sse -no-sse2 -qt-zlib -qt-gif -qt-libtiff -qt-libpng -qt-libmng -qt-libjpeg -graphicssystem raster -opensource \
-nomake tools -nomake examples -nomake demos -nomake docs -nomake translations -no-opengl -no-dbus -no-multimedia -fast -openssl \
-largefile -rpath -no-nis -no-cups -no-iconv -no-pch -no-gtkstyle -no-nas-sound -no-sm -no-xshape -no-xinerama -no-xcursor \
-no-xfixes -no-xrandr -no-xrender -no-mitshm -no-xinput -no-xkb -no-glib -no-openvg -no-opengl -no-xsync -no-svg -prefix "../wkqt"

(later amended to use -system-libpng instead of -qt-libpng, due to a QT bug whereby QT will use the system header file but build against the bundled lib, thus causing linking errors)

Once you type this, you'll have to type "yes" to accept the GPL. (Yes, GPL code with a EULA). It will run for a few minutes.

Build the library

If all went well, all you should need to do is:

gmake -j3 && gmake install

When this is done, you should have a "wkqt" directory just above your build dir, that has a ./bin/qmake in it (along with some other stuff).

Building wkhtmltopdf itself

This one is shockingly easy, presuming all the rest of the code worked:

cd ../wkhtmltopdf

(I get a warning about WARNING: /data/home/dmahoney/wkhtmltopdf/ Unable to find file for inclusion /data/home/dmahoney/wkqt/lib/QtGui.framework/QtGui.prl, but this seems to be mostly harmless since we're building a headless version.)

Then, type make. It should spin for a few more minutes, and if all went correctly, you should have a wkhtmltopdf file in your home directory.

Test it with ./wkhtmltopdf and see if you get a basic help page. If you do, you're probably in business!

Finishing up

If you're going through all this pain for Knowledge Base Manager Pro, copy it to the appropriate directory in your web root, and test it out.

If you're doing this for some other reason -- like, "you like running old, hard to compile code when there's an easy install option", there are self-help groups and therapy for this sort of thing :)

You probably don't need the "wkqt" directory any more, and you can probably also delete all the source files after that.



Compiling Guide:


wkhtmltopdf: wkhtmltopdf-qt:

About the author

Dan Mahoney is a sysadmin in the San Francisco Bay Area. He fixes computers.

gushi: (Default)
2013-03-23 01:23 am

The Smart Radio Rant


The Smart "Highline" radio is an option I paid over a grand extra for in my 2013 Smart Fortwo (a car which I otherwise love). It offers a touchscreen CD/DVD/MP3CD player, plus SD card support, bluetooth support, and AUX video and audio in. For a brand whose design has otherwise impressed me enormously, this one niggling detail seems to be where the ball was dropped. It's well known that the radio component was basically shopped out to Bosch, a German engineering firm with divisions that make everything from brake pads to dishwashers. Not only did Bosch fail to capture the ingenuity that Smart has shown in other areas, they've also mismanaged some features so as to make the car less safe (a great example would be that there's no way to turn off the screen!).

NOTE: I should also mention that Smart has an "iPhone Kit" available for use with their stock radio. I haven't used it, nor do I think I have the option to do so. It's a $400 option, plus the install fees, and I don't think it's designed to work at all with the Highline model. From my readings, it's mostly designed to give you some "light" features of the highline radio, plus comes with a dash-mounted dock connector (which means its support stops with the iPhone 4s).

I kind of go on a bit of a diatribe here, but the intention is to actually prepare a list to give to Smart, because it almost feels like this radio was designed by people who don't have to use it. As one of my friends (a software engineer himself) said "I'm an engineer, I am qualified to diagnose broken".

Phone Issues

  • The "highline" radio includes a microphone which is used for interfacing with your cell phone, as well as triggering the voice-activated NAV functions. The microphone is implemented as a "pinhole" in the bottom right corner of the screen. This location is simply a joke. Both voice commands to my phone as well as phone conversations are constantly misheard, even if I shout. I originally reasoned that the microphone is not elsewhere in the car because Smart only wanted to install a single "head unit", but there's a subwoofer under my seat, six speakers throughout the car, a GPS antenna somewhere. Adding one more component can't be that hard.

    Suggested improvement: Mount the microphone directly in front of the driver, either in the dash or up by the visor.

  • iPhone compatibility is damaged. Siri-based phones have been out for nearly a year now, and yet we still don't have a standard button to press to "talk through" to the phone's voice dialing. If I press a button on the iPhone I can trigger Siri, but because of the microphone issues, I might as well just get a bluetooth headset. Also, at that point it's no longer a "hands free phone" by some definition of the law.

    Suggestion: There's a way to do bluetooth open-channel where you simply connect to a phone's voice-dialing input. The cheesy retro-bluetooth-handset I bought for $20 at Micro Center supports it. Find it and implement it.
    (Note, it took me about five minutes of googling to find it -- it involves sending "AT+CKPD=200" over the command channel to the phone). Apple could also work around this by giving you a "contact" which just calls the siri interface. They haven't. They shouldn't have to. This has been part of the bluetooth spec since the beginning.

  • The device supports two different "address books", one downloaded from the phone and I guess the other is "local" (because for some reason you want a contact that exists in your car but nowhere else?), but the radio just calls them "1" and "2" with no real good explanation. I can navigate through these and choose to call someone, while I'm driving. This was NOT one of the features that was locked out by the "need to be in park" mode. There's a better interface -- my voice -- built into the phone, but Smart is making it hard to use it.

  • Note that siri defaults to having its audio be via the car rather than using the on-phone microphone which can hear me fine three feet away. This is perhaps something apple should add a preference for (use builtin mic for siri, but play output via bluetooth).

  • No access to the contact list in my iphone (this appears to be fixed in IOS 6).

  • When a call is active, the "CALL ACTIVE [NAME]" takes over the screen. That is to say, the NAV disappears, with no way to switch back to it while a call is active. The ONLY trace of the nav when you're on the phone is a single "next turn" indicator, which doesn't even include the road name.

Radio Issues

Where it gets truly annoying is that this device, for which I paid a lot extra, actually fails in several ways to be an actual car radio!

  • For some reason, Bosch felt the need to draw on the screen an actual dial with an actual needle (you know, a thing that any car radio over $50 hasn't had since 8-track players were an option), and made it a "feature" that you can tap on the dial to jump to a given frequency. It's about four inches wide. My finger is about 3/8ths of an inch wide. There are 101 possible FM channels, and I'm ostensibly driving when I'm using this thing. I don't think a brain surgeon or expert gamer could hit the dial that accurately, to be able to use this to jump to a specifically desired frequency. This feature is always visible, but...

  • There are only four presets visible on the main screen -- with no option to jump to the next four (in "dumber" radios, this is accomplished via either having a second FM station (fm2), or by pressing the button twice). Even old car radios from the 1970's with physical buttons had five choices. There is an option to go to a second screen and SCROLL VERTICALLY through up to 25 presets (of which I think six are initially visible, and four of which are your main presets).

    Suggested improvement: add a page two, or a second row of presets, or the ability to press a button twice to get a second station. Rip out the stupid analog dial, and give me more buttons.

  • Braindead scan function (i.e. start jumping stations, stop when I press a button). Even the most basic of digital radios 20 years ago had this!!! I found it after a month, and it's buried three menu-levels deep [station list icon, magnifying glass icon, "Frequency Scan"], and it doesn't actually show the station frequency while doing it, instead only showing the RDS text, which at times is something like "TODAYS TOP HITS!"

    Suggested improvement: It would perhaps be more helpful to display the PS (programme service) field instead of the RT (radio text) field during this.

    Suggested improvement: put scan-forward and scan-backward buttons on the home screen, right in the same region as the "seek" buttons.

  • No HD Radio. Presumably, this could be because of lack of adoption outside the US (since the smart is sold in more countries than the US).

  • No satellite radio. Again, Sirius and XM are only available in the lower 48, so if you're Bosch and trying to make a radio that works everywhere, I understand that this is a non-starter. Also, one can justify the smart as a "city car" and not needing this option, but I certainly would do a road trip in it.

    Suggested improvement: Make it an OPTION. All you need to interface with a satellite module is an rs-232 and a line-in. The radio already has line-in and USB (and I suspect it's running linux), so I fail to see what's hard about making an expansion module.

  • The RDS text is highly inconsistent in the US (details here), but in many places the radio doesn't provide the option to display station AND text on a button, unless you manually edit. For example, instead of a button saying "Public", you could say "88.5 (Nati". This happens in the stored station list, in frequency scans, and in the four short buttons on the home screen.

  • This is minor, but the size of the frequency display REALLY could be bigger, in lieu of some of the other onscreen cruft.

  • They bothered to put a voice input module in the NAV but not in other modes (at least, that I've found).

  • Occasionally, changing a station will result in a screen pausing for up to five seconds and just saying "RDS SEARCH".

    Suggested improvement: Don't do this. Whatever's causing it, find it and don't make it a blocking operation.

  • Playing audio over bluetooth from an iphone was previously very buggy (not sending track data consistently, not having controls work reliably) but this seems to be much better in IOS 6.

  • Connecting an iphone via the USB port basically forces the phone to think there is an accessory attached. The best way to describe this is to say "try it". It makes using things like Siri problematic at best, it tends to mess with the ability to use third-party-apps (like Pandora) to play audio, although they work if you have the app running before you dock the connector. Since bluetooth is the superior protocol from the point of not-disabling-phone-functions, my workaround for this is to get a "charge only" cable that supplies power, but not data to the dock connector. Putting a second "power only" USB port in the radio would also work well.

Navigation Issues

  • Navigation input is not possible while driving. I understand this is a "safety feature" but the Smart has two seats, and some of us have passengers who can enter our destinations for us. Also, somehow, tapping in an address is dangerous, but having to tap at three different regions of the screen and then scroll through a list of 25 presets is safe? Heck, the car even has a detection mechanism for if someone's in the passenger seat (and handles seat belt alerts and the annoying "passenger airbag off" lamp), that could be used for this.

  • The voice detection for navigation is broken for the same reasons as "phone" above. It works well if you're at a dead stop with no air conditioning running. Otherwise, this potentially useful system is defeated by poor microphone placement, as well as a poor quality microphone.

  • The volume at which the Nav speaks over the radio is difficult to set. I'm not sure exactly what it means, but the setting seems to keep the nav at the same volume, and adjust the radio volume up or down relative to that, on some kind of 1-7 scale. Other systems I've seen have the simple metric of "turn the volume knob when the source is active" (so if you used the volume knob when the nav was talking, it would lower the nav).

  • The NAV is really chatty, such that attempting in my region to listen to a podcast is nearly unlistenable with the level of interruption. We've found hacks for this like putting an address in, but not hitting "start navigation" until we're most of the way there. When I say chatty, I mean at times I'm told every two minutes "keep left to stay on this highway, in point-six-miles, keep left to stay on this highway, keep left to stay on this highway, follow the road until further directions"

    Suggestion: In most other radios, turning the volume knob while a source is running (like while the NAV is speaking) affects that source. Implement that.

    Suggestion: When playing a selection from an ipod such as a podcast or song (over bluetooth or USB cable) it would be helpful to have the option to pause the audio rather than talk over it.

Overall Issues

  • No way to black out the screen without turning it off. Sure, you can drop into the settings and change the contrast manually (to a point), but there's no "display sleep". If you want any kind of entertainment, you are relegated to a glaring 4x6 rectangle in your field of view, all the damned time. You can't do nav with voice-only, you MUST have a screen in your field of view. Note that this is not the same problem you have with a phone in your pocket reading off instructions, or with a store-bought Garmin Nuvi, which you can place face down if you don't want to be distracted.

  • The fact that it's a touchscreen means that by design one has to take their eyes off the road to look at it. There are no "touch cues" to guide the finger to the right location, like you might find on some touchscreen ATMs.
    However, this could be deflected by putting some of the most-used commands in key areas on the Bezel, and by adding some indentations.

  • No remote. Seriously, going to an all-touchscreen interface makes the car radio FAR more dangerous. Even a HANDHELD (or steering-wheel-attached) remote would be useful. (Some thumb-buttons on the front of the paddle shifter, maybe? Something that clips on to the steering wheel, or on to the "wings" of the steering wheel, so we have the option to use them or not?)

  • Whenever I turn the radio on, I have to click "OK" to a prompt that looks like "Do not let the system distract you from the traffic situation". I'm sure there's some lawyer that warranted this. However, the radio has video functions that can only be used in Park. I understand that there's a liability issue here, but if I am doing a road trip with a passenger who wants to be entertained (think: small passengers) then please let ME decide that I think I can keep my eyes on the road if Spongebob is on. Modifying the radio to defeat this feature is as simple as cutting and splicing one wire, but I shouldn't have to.

  • This is admittedly minor, but I often close my glovebox door on the cable when I have my phone plugged into the USB port to charge. Giving me a place to cleanly route the cable without pinching it would be nice.


In case it seems like this is all negative, I should mention that the system SOUNDS great. When I play my music loud, it doesn't distort. Yes, it's six speakers and a subwoofer for a 2-seater car (so a maximum of four ears).
But in a car where everything else is SO well designed, they could do more.

I've noted that there is a new software update for the radio that MAY fix a few things. Let's hope.

gushi: (Bitey Gushi)
2013-03-10 12:37 pm

The fight against spam

The problem

I'm reasonably well-known for being a mailserver-tweaker. I like to tune both my personal mail config as well as that of my server. I actually try to report spam back to the places it's coming from. I participate on the mailing lists that make spamfilters better. I try to be a responsible mailserver admin.

But one of the biggest companies out there has had some users with compromised accounts sending me spam: Yahoo.

Now, this isn't people forging domains -- these are legitimately coming from the Yahoo mailservers, with all the headers matching.

The mails typically consist of a single-link, like this one:


Now, in talking about this, my goal is to get the messages to stop not-getting-hit by the mailfilter. If the messages stop coming out of a trusted host like Yahoo, that's a plus too. (We can blocklist some nowhere-mailhost in guam, we can't blocklist Yahoo). I don't particularly care about the sites getting taken down, they'll just crop up elsewhere. The goals are either that we can better flag the messages, or they stop coming.

On the better filtering front

So, what does one do about a message that's just a link? As it happens, there's actually a tool that lets you check the "spamminess" of a link inside a message body. That tool is called SURBL. It basically looks at the "first level" of the domain, and compares it against known reports of badness.
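To make that SURBL step concrete, here is an added Python example (not from the post, and not SURBL's own client code) that pulls the links out of a message body, reduces each host to its "first level" registrable domain, and forms the multi.surbl.org query whose answer, if any, carries a bitmask of the lists that matched in its last octet. The public-suffix set, the sample message and the resolver answers are constructed stand-ins so it runs offline.

```python
import re
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Constructed stand-in for the public-suffix data a real SURBL client consults
# to decide how many labels make up the "first level" (registrable) domain.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part SURBL is keyed on:
    mail.foo.example.com -> example.com, www.foo.co.uk -> foo.co.uk.
    IPv4 literals are returned octet-reversed, as the SURBL zones expect."""
    host = host.lower().rstrip(".")
    if IPV4_RE.match(host):
        return ".".join(reversed(host.split(".")))
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(host: str, zone: str = "multi.surbl.org") -> str:
    """DNS name to look up: <registrable domain>.<zone>."""
    return f"{registrable_domain(host)}.{zone}"


def extract_hosts(body: str) -> List[str]:
    """Hostnames of all http(s) links in a message body, in order, without duplicates."""
    hosts: List[str] = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def dns_resolve(name: str) -> Optional[str]:
    """Real lookup: an A record in 127.0.0.0/8 means 'listed'; NXDOMAIN means not."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed_domains(body: str,
                   resolve: Callable[[str], Optional[str]] = dns_resolve) -> Dict[str, int]:
    """Map each listed registrable domain found in `body` to the bitmask in the
    answer's last octet (which SURBL lists hit). `resolve` is injectable so the
    function can be exercised offline."""
    hits: Dict[str, int] = {}
    for host in extract_hosts(body):
        answer = resolve(surbl_query_name(host))
        if answer and answer.startswith("127.0.0."):
            hits[registrable_domain(host)] = int(answer.rsplit(".", 1)[1])
    return hits


# Constructed single-link spam body of the kind described above, plus a benign link
# and a bare-IP link; the domains are reserved/example names, not real indicators.
SAMPLE_MESSAGE = """Subject: link

hey check this out http://www.cheap-pills.example/go?id=7
also http://203.0.113.7/login and https://docs.example.org/manual
"""


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver with constructed answers; only the first domain is 'listed'."""
    return {"cheap-pills.example.multi.surbl.org": "127.0.0.8"}.get(name)


if __name__ == "__main__":
    print(listed_domains(SAMPLE_MESSAGE, fake_resolve))  # {'cheap-pills.example': 8}
```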

One of the ways to report URLs to SURBL is via SpamCop, which I typically use anyway to report a lot of my spam that gets past my mail filters. Spamcop accepts mail from my mail filter's "reporting" engine, and then sends me to a web page where I have to look over a message and confirm that "yup, that's spam all right". There's NO way to do this without my intervention, and still have the actual body of the message be parsed (and thus potentially fed to SURBL).

Spamcop does offer a "quick" service that would seem to report the mail servers involved, but which wouldn't act on the links inside the body.

I note that when SpamCop sends my reports along to Yahoo, they do so to a special "spamcop" address, not a general "abuse@" one, which seems to be somewhat broken.

On the "Getting Yahoo to cut it out" front...

Well, while I've already reported the mail to Yahoo via spamcop, I'd like a way to more immediately report these to Yahoo (since spamcop has to wait for me to go hit that webpage), so they can cut off compromised accounts earlier.

RFC2142 seems to state that all people running network operations should support the generally-agreed upon standard abuse alias.

And yahoo does...kinda. When I forwarded them a message that was definitely spam, coming from their systems, I got back a message like this:

Date: Sun, 10 Mar 2013 11:56:13 -0700 (PDT)
Subject: Re: FW: link (fwd)

This is an automated response; please do not reply to this email as replies will not be answered.
To report spam, security, or abuse-related issues involving Yahoo!'s services, please go to

Thank you,

Yahoo! Customer Care

...right, thanks.

Of course, redirects to a general section on with top "answers" none of which are "HOW DO I REPORT SPAM TO YOU". Searching around a bit finally gets this KB article ID: SLN8671, which suggests that:

Every major email provider has a system for reporting spam or junk mail,
and information about spammers is shared across providers. As a result, if
a Gmail user marks a message from a Yahoo! user as spam in a Gmail
account, the report will be sent to us, and we can take appropriate action
when violations occur.  The fight against spam is much bigger than just
Yahoo!, and we partner with other email providers including, but not
limited to Gmail, Hotmail, and AOL to identify spammers and prevent them
from sending mail to or from our accounts. We do not tolerate people that
abuse our services and will take action according to our Terms of Service.

If your email provider does not offer a spam reporting feature, please
submit your report using our contact form

Of course, the union of "every major email provider" and "SpamAssassin users" is pretty much nil. Note as well that the contact form they link you to is incredibly, incredibly generic, and asks "what VERSION of yahoomail you're using".


So there's the problem. What could Yahoo! do to make this better?

  1. For starters, start accepting abuse mail. As it happens, back in the day Yahoo were one of the pioneers of a technology called DomainKeys and later DKIM. So there's already a legitimate way for them to take any mail sent to them, and see if it's in fact legitimate. Easily. And for anyone ELSE who emails abuse@, maybe THEN give the same response.

  2. Yahoo accounts are being compromised here. I was emailed at an address that was only used for communication with one group -- and the account that mailed me was privy to that email address. I've seen Yahoo starting to ask people to add a mobile number to their profile to confirm this, but the really quick easy answer here is: when you see an account do this, lock it! Of course, this would require scanning all mail that a user sends, which may be a new and technically hard thing for Yahoo to do. If only they had some other way to know accounts were doing this. Like my previous point.

I have several friends who work inside Yahoo, even inside their Mail Services group, so I'd love to hear from someone directly as to a better solution.

gushi: (Default)
2013-03-04 07:52 pm

Wordpress is Garbage

I had to do a wordpress password reset for a user today. When I googled how to do this (from the raw database), I got these instructions.

Really cleanly, clearly, well-written.

...except they don't work.

Recently, Wordpress decided to implement their OWN password hashing algorithm. Which means that while it's less vulnerable to the rainbow tables that work against plain MD5, ALL this documentation is shot and doesn't work anymore.

Yay for letting your community write your documentation for you.
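The hashing WordPress switched to is phpass's "portable" scheme: a salt and a password run through MD5 thousands of times, encoded in phpass's own base64 alphabet behind a `$P$` prefix. As an added example, not from the post and not WordPress's or phpass's own code, here is a small Python reimplementation that produces and checks such hashes, so a raw-database reset can be done with a value in the format WordPress now stores in `wp_users.user_pass`; the sample password and salt bytes are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Alphabet used by phpass (the "portable" hashing library WordPress adopted).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base64 variant: 3 bytes -> 4 chars, no padding, custom alphabet."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Salted, iterated MD5 under a phpass setting ("$P$", count char, 8-char salt).

    The setting is just the first 12 characters of a stored hash, so the same
    function both creates a hash and recomputes one for checking.
    """
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt too short")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):  # 2^count_log2 rounds of md5(prev || password)
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)  # 12 + 22 = 34 characters


def new_hash(password: str, count_log2: int = 13, salt: Optional[bytes] = None) -> str:
    """Build a fresh hash. WordPress's familiar "$P$B..." hashes encode count_log2 = 13
    (ITOA64[13] == 'B', i.e. 8192 rounds); 6 random salt bytes become 8 characters."""
    salt = os.urandom(6) if salt is None else salt
    setting = "$P$" + ITOA64[count_log2] + _encode64(salt, 6)
    return phpass_hash(password, setting)


def check_password(password: str, stored: str) -> bool:
    """Recompute under the stored hash's own setting and compare in constant time."""
    try:
        candidate = phpass_hash(password, stored)
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed example password; the printed string is what a manual reset
    # would write into wp_users.user_pass.
    h = new_hash("correct horse battery staple")
    print(h, check_password("correct horse battery staple", h))
```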

gushi: (Bitey Gushi)
2013-02-02 11:22 pm

Thoughts and Ruminations on the Brydge iPad keyboard.

So I've been playing with an iPad accessory called The Brydge. This is an amazingly engineered aluminum keyboard that essentially turns your iPad into a laptop. What this really means is that I now have an apple Laptop with builtin cellular broadband and a touchscreen (a product I've been clamoring for for years).

Like my previous entry about iCache's "Geode" product, this product has suffered from some of the Kickstarter issues, and because of the nature in which they've chosen to make their updates available, I can't be sure to know the whole story, but I'll share my own experiences.

Some Caveats

  1. I wasn't a kickstarter backer (I didn't have an iPad when this product was in its kickstarter phase).

  2. While others have complained about shipping speeds, I got noticeably faster shipping than normal, probably because Brydge is literally one town over from me, in nearby Menlo Park.

  3. I bought the speakerless model because a) it was in stock at the time I needed it and b) Media Playback isn't a major use-case for me, so I can't speak to any audio features.


  1. If you go to their site and watch the video, you'll notice that their original concept had a single-piece hinge, in the center of the unit. They've since switched over to two separate hinges, one at either side, and rather than "clamping" onto your ipad, they rely on a friction grip, accomplished by a couple of silicon inserts that fit into the aluminum hinges. Mine came with the inserts for the ipad 2 preinstalled, and swapping them out for the inserts for the 3/4 was annoying because of the residual adhesive left behind when I pulled the 2-series inserts off.

  2. I've read some reports of missing keys or keys not working (on the various twitter and kickstarter forums). I have experienced nothing like this, the typing is solid as heck on this thing, and the action is very similar to my other apple keyboards.

  3. Brydge made some decisions in keyboard layout that I can't agree with. Noticeably missing is an "Escape" key. Some people complain about the size of the right-shift key (it's slightly narrower than most other keys, definitely not a "bar" like on most full-sized keyboards, but as I've been a netbook user for a while, this is nothing new to me, and I adapted quickly). (I also don't have a "standard" typing style, I'm not a home-row typist, so perhaps this means I'm better off with slight differences like this). Where you'd normally find an "escape" key, there's an ipad-specific "home screen" key. Near as I can tell, there's also not a key combo (like FN-homekey) that will cause the Brydge to send "ESC".

  4. Like most keyboards, this one has a hotkey (ctrl-k) that causes it to go into "pairing mode", and this was just plain careless engineering.

    1. They made the hotkey non-changeable, at least as far as I can tell.

    2. They made it a standard keystroke, one that's used in unix programs, and one that other applications might want to accept. Given, most apps won't be looking for it on the ipad, but one of the conceivable uses of a full-sized keyboard is to use the ipad to run SSH, VNC, Remote Desktop, etc.

    3. Considering this keyboard has an "FN" key, they could have utilized that for the pairing keystroke, but they didn't.

    4. They made the hotkey work all the time, not simply at poweron (or within say, ten seconds of poweron). They made it instant, in that even a tap of it works, and doesn't require a hold-down.

    5. They made the hotkey initiate "pairing mode" even if the keyboard is already paired and active.

    6. Hilarity ensues when I mention that in my editor of choice, the alternate keystroke for "ctrl-k" is "esc esc k". Neither of which I can type.

  5. When I wrote to, I found that Brydge wasn't answering email, had no customer service phone number, hadn't updated twitter in several days, and other folks on the Kickstarter forums and/or twitter were also complaining, some going so far as to assume that they had taken the money and run. Since then, they've gotten back to me basically saying "we've passed your feedback on to our engineers", but I'd still like an answer: is the firmware baked-in, or can it be upgraded (considering that bluetooth supports file exchange and push, as well as the fact that the charger is also a USB port).
    To wit, that answer comes down to "do I recompile software to use alternate keystrokes, or do I just sit tight and wait for a fix?"

  6. I'm finding that while this works as a general text-entry device, the navigation around the iPad itself isn't so great. For example, I'm sure I'd love it if there was some kind of alt-tab like keystroke, or the ability from the home screen to choose an app, without using Voiceover as a workaround, so there is a weird combination of typing and pawing at the screen that goes on. For example, the facebook app doesn't have a press-enter-to-send option. Skype occasionally does send-on-enter, other times not. Facebook Messenger (normally an iphone-only app) simply seems to refuse to work with this keyboard.

    Note that this isn't a crack against the Brydge, but against iOS. There are some useful blog posts like this one or even better this one that go into how navigation can be made to work, but Apple could have made this more than an afterthought.

  7. The battery life on this thing is phenomenal. I used it (from the factory with no charge) for about two weeks before I thought to even plug it in. And when I did, it went to fully-charged in about a half hour.


  1. The pairing keystroke is by far the single most frustrating item. The fix will come in one of three forms:

    • We won't fix it, find a workaround.

    • There'll be a firmware fix, hold on.

    • It'll be fixed in Brydge 2.0, at which point I give this one to my girlfriend for her ipad (or chuck it on ebay).

  2. Brydge LLC needs to invest in a ticketing system for their support requests, refund requests, and the like. This hard-and-loose startup stuff is damaging their reputation.

  3. A hotfix for the escape key issue is also appreciated, but most SSH apps have an "escape" option on-screen.

Otherwise, it's an incredibly solid product, an outright pleasure to use, and, much like my car (the Smart ForTwo) and my iphone keyboard, it starts conversations. It impresses people, makes other people want one. It sells itself, and the annoyances are mostly an edge-case for the sysadmin, which are unlikely to affect people who want to write stories or send IMs.

gushi: (Default)
2013-01-26 09:14 pm

The sad stories of Kickstarter

About a year ago, I was at a rock concert at the local arena called BFD (Sponsored by Live 105, our local Clear Channel affiliate). It was one of those 20-something-acts in one affairs with five stages, a bunch of indy bands on the outlying stages, and a main stage with a bunch of top acts.

The highlights of my experiences were:

* Seeing Garbage Live, and seeing the connection they have with their fans.

* Seeing Cake live, and seeing a similar connection.

* Realizing that the most technical, gimmicky, and prop-heavy show (Jane's Addiction) was just plain terrible.

However, while I was there I also came across some technologists who had put a project forth on Kickstarter and were doing their soft launch at the venue. This was, after all, in Google's backyard.

The project was the iCache Geode, and it's a brilliant piece of technology: An iPhone case that has a fingerprint reader on the front, a credit card slot on the back, and basically gives you the ability to clone any of your credit cards onto a single, dynamic "geocard": so you need only carry your phone (and ID) and you've got the full complement of affinity cards, credit cards, and the like. Because I'm a geek and I know quite a bit about the internals of how the readers work, I had a bunch of questions about how such a thing actually works. And their engineers were on site and willing to talk. Their dynamic "GeoCard" was more than just a smart card; it was actually a credit-card-sized computer that had an antenna where the magstripe would be, and basically "replayed" your credit card when it detected it was being read. It was a *brilliant* implementation, and I geeked out for a good hour picking their brains.

It was bloody cool. I wanted to buy one on the spot, but their ship times were long, and prioritized for their Kickstarter backers, so I held off.

Cut to now.

Their website is up and running, still, but their support desk license seems to have expired. The "checkout" button is strangely absent from the "buy" link on their page. No twitter updates from them, but a whole lot of mentions from Kickstarter backers who are somewhat upset.

For a company that was so strong on social media, and the crowdsourced kickstarter feel, I think a dryup like this is attributable to one of three things:

1) They took the money and went to Aruba. I don't believe this happened.

2) They just outright ran out of funds, couldn't secure additional funding despite having an already-developed and strong product, and shuttered.


3) They got patent-trolled, got hit with a cease-and-desist order on prior art, pending a long and drawn-out settlement.

I don't know for sure, but I'm incredibly curious. As I don't have a real stake in this show, the curiosity is nothing more. In my next post, I'll be going into detail on a similar product, where I was in fact one of the lucky ones who got their product, and others seem to be out in the cold.

Stay tuned.

Note: this is my first post using the LJ client for IOS. I tend to prefer the one on my shell account, where I have Markdown to play with. I'll see how things look once the final entry posts.

Posted via LiveJournal app for iPad.