Older blog entries for mjcox (starting at number 94)

My paper on "Security Response and Vendor Accountability for Open Source Software" was accepted for Linux World 2003 in San Francisco and I'm giving a similar talk at Linux for Business in London on the 10th June. The role of the open source vendor is often neglected when folks talk about the security of open source software.

House modifications are coming along well, with updates to the Home Automation security software (a few surprises for any intruder), and some large black marble balls on a rockery out the front. Tracy has been spending a few days pressure-washing the driveway which is fun apart from the occasional lump of sand that gets blasted at random parts of your body. Sand in your nose is quite annoying.

Had an interesting week wading through vulnerability details and the various advisories which never really seem to match the facts. Take one Linux vendor for example who got confused about the Oracle mod_dav vulnerability and, even though they were not affected by the vulnerability, released new Apache mod_dav packages. To add to the confusion their newly released errata packages had actually added a patch which added in the vulnerability. So they started out not vulnerable, but then released a patch which was meant to remove the vulnerability but actually really made them vulnerable. No wonder folks are confused. Wrote a bit of a rant about it in Apache Week this week.

A large number of people came to a party at the house last night and I woke up sweating and wondering how they broke the automated heating system - it should default to 'off' if it breaks. According to the logs some wag decided to set the temperature to 27.5C (although the heating system tried all night it never made it above 25). Need to have some sort of 'party mode' that locks certain operations and perhaps a more sensible maximum than 29C.

It's strangely hard to get the builders that visit the house to give quotes. I'm not sure how I scare them off. After another Saniflow event (some plastic got stuck but Tracy fixed the unit) we decided to get some quotes for fixing up the bathroom, running a proper waste drain, and throwing away those horrible little pumps, or at least making them only deal with one of the toilets so we don't end up unable to do washing each time they break. Unfortunately that involves running a pipe along about 20ft through three rooms and four breezeblock walls. The first quote came in at about double what I expected, so that's put the plans for buying a new espresso machine on hold (a Rancilio Silvia, lovely looking machine). Working toilet and bath or nice coffee? In the meantime it's finally time to get around to taking out a small claim against the sanipump repair folks who, after 12 months, still have yet to return a fixed unit.

Back in December I said how much difficulty I had with Scottish Power and how they should come and ask me why I was switching and try to be nice to me? Well I wonder if they read Advogato as two nice representatives came around to apologise and ask me if I'm sure I'd like to switch. Since I'll be saving £300 a year by switching and they can't match that the answer was no, but at least they now have some valuable data for their marketing department.

More work on Home Automation continues, and I've had a couple of builders in to estimate repairing the various faults in the house. I still need to find time to analyse the vibration in the southern rooms - the magnitude not only varies on temperature (which implies to me some problem with some of the road repairs which are different materials) but also seems to vary proportional to wind speed, wacky!

Back to work on Monday, but this holiday I've managed to avoid getting into doing real work by playing with the home automation system. I've now finished the conversion of all the components to Jabber bots, written a control client, and got all the one-wire Dallas switches and sensors up and running. Some screenshots are available.

I hope Google extends the shopping idea to the UK; I've wasted too many days this holiday looking for stuff for the house - just trying to find the right table for our kitchen took two days - I just want to search for a round glass 90-110cm table plus four chairs for under 400 pounds and click on 'buy me'.

Just like you have a choice over which vendor you pick for your copy of Apache, in the UK you have a choice over which electricity supplier supplies your electricity. In both cases the end product is the same no matter where you get it. I've got the ability to choose my supplier.

I wanted to switch gas and electricity suppliers after working out I could save over £300 a year with a different company. I was going to switch a long time ago, but with this being a new house it took the current electricity company over 8 months just to *find* which meter was supplying me (they didn't believe me when I told them my meter serial number and came out to check it on three separate occasions!). Anyway this company really isn't happy I'm switching and they want to make it as hard as possible to do so - by sending letters dated 13th December but that mysteriously don't arrive until the 17th telling me I have until the 18th to give them £13 or they'll stop the transfer, having customer service reps who are really happy and helpful up until the point they see you're leaving then making it difficult and painful. Customer service, even when you're leaving a company, is important.

Rather than being hostile they could ask me why I'm leaving, wish me luck, and act efficiently, so that if the new company doesn't work out I'd be happy to switch back to them. Leave me with a positive lasting impression. How about sending me a "We're sorry you're leaving" card in the post perhaps with some tick boxes "what could we do to win you back"? That's the most valuable marketing data a company could hope for.

8 Dec 2002 (updated 8 Dec 2002 at 18:40 UTC)

All I wanted was a simple way I could record my 40 or so old VHS tapes into MPEG2 video for writing to DVD. After another 4 hours trying to get the Hauppauge PVR card up and running I gave up and went to buy a new motherboard. A7V8X looked like a nice board, felt like a nice board, but also didn't work right with the PVR card. So I think it's time to return the PVR card and wait for some more mature technology to come along (and ideally something that worked with the videolan Linux stuff).

PCWorld stores may be 15-20% more expensive than buying online but there's nothing like being able to look at something and easily take it back!

Joined EFF. Should have done this years ago.

I decided that my collection of VHS tapes were slowly wearing out along with my 10 year old video player and that I'd do something about it - convert them all to DVD. I've been playing with this in the past but capturing and converting to MPEG2 just takes so long it's never been worth it. Enter the Hauppauge WinTV-PVR 250 which has a hardware MPEG2 encoder on board - basically it can capture, not use up all my CPU, and write out shows in a format I can put straight onto DVD. Sorted.

Well okay, so it has to work with Windows. I have a Windows XP machine that gets used from time to time but I really wasn't expecting to have to spend over 6 hours to get close to having the board working correctly. Along the way I found the reason why my XP machine wasn't booting every time (the Netgear FA311 card doesn't work well with Athlons), why my SB Live! only appeared sometimes (it wasn't sitting flush into the motherboard - ouch), the source of some strange glitches (the iPanel doesn't work well with Windows XP) and a number of updates for the VIA chipset, ASUS graphics card, AMD bridge, ASUS supplied BIOS, etc etc etc.

So now I have a machine that can almost record videos - it just has an annoying glitch in the audio every minute or two, which the Hauppauge site puts down to the VIA chipset although I followed all the advice, and no reply from tech support yet (only 1 day waiting so far).

My Christmas tree is now X10 controlled, which means the lights go on and off when it's dark but also you can stand outside of the room and use a remote control to dim the lights. I'm not sure what use this is apart from managing to confuse all our guests who think it's spooky that the lights flash each time they say a particular word.

23 Nov 2002 (updated 23 Nov 2002 at 15:50 UTC)

The months just fly by. I ended up spending a lot of time on the presentation and the final paper came in at about 40 pages. I'm pretty pleased with it, see my site for a PDF version. For some reason the paper was not included on the conference CD which really sucks considering I got it in before the deadline (and before some of the other papers that made it on to the CD). Anyway, it's on my site so take a look.

Just back from ApacheCon in Las Vegas; a little more budget than previous years, but all that matters is that the content is being delivered by experts right? Hmmm, well talking of which, I made a serious judgement error on the amount of material in my talk and ended up covering only 75% of what I put in the paper, which sucked. I'd spent a lot of time getting the presentation just right too, so it was a little devastating to find out I only had 30 minutes left with over half the material still to go.

We got some ASF keysigning going on, but the BOF was scheduled for 8am so some of the main ASF folks were not around to take part which was a shame.

We had a good time in Vegas, getting to see all the sights including the Star Trek Experience again, get out to Red Rock Canyon, and still have time to win about $40 on the slots.

Had a cold today so didn't get anything done on my presentation this evening, instead did something that required little work and hacked more Perl for the home automation system. There are now four jabber bots online, a common thread is that you can message them and get some status information, or send information to them to do, also if you've got them listed in your roster they'll send you an update with their status every minute.

At the moment the UPS bot tells you interesting status reports and notifies you of emergency things. The adsl bot tells you about the cable modem link signal strength and so on. The tivo bot is rather cool, it tells you what it's currently watching and a few status indicators, and in return you can pop up a message on the screen or send a message to be viewed in the message centre. The final X10 bot lets you control X10 things in the house, just some lights at the moment. It doesn't yet report the status, that seems not to work.

I'm having problems getting Perl to deal with the parallel ports correctly so I can't get the alarm, SMS or heating controls to work yet. Also these bots are complete hacks and return the information in pseudo-XML (random made up DTD) and I've not thought about messages vs groupchats vs iq oob for the data. Anyway much fun being able to message the living room lights to turn to 30% brightness.

So I've been spending some time trying to work out what to do with the home automation components - they're a mess of C and Perl that have no real way of communicating with each other. I found this thing called xAP which is designed for home automation components to talk to each other, but it's based mainly on UDP broadcast datagrams - not something I'd trust to make sure things happened when my alarm was triggered. Plus some of the components already written are under a non-GPL, non-BSD license that prohibits commercial use, yuk.

Anyway the idea was to look for something that would use standard components, where frameworks existed in Perl and C for me to write simple code, and to work on the principle of messaging - the UPS for example would respond to status requests and give you things like the temperature and voltage; with a heartbeat notification with the status included every minute; but with urgent alarms to anyone who registers an interest in getting them. What's the solution? Jabber! In about an hour I had a jabber server running and a test Perl client doing just that; this thing will rock :)
