Got Covid

April 23, 2022 | etbe

I’ve currently got Covid, I believe I caught it on the 11th of April (my first flight since the pandemic started) with a runny nose on the 13th and a positive RAT on the evening of the 14th. I got an official PCR test on the 16th with a positive result returned on the 17th. I think I didn’t infect anyone else (yay)! Now I seem mostly OK but still have a lack of energy, sometimes I suddenly feel tired after 20 minutes of computer work.

The progression of the disease was very different to previous cold/flu diseases that I have had. What I expect is to start with a cough or runny nose, escalate with more of that, have a day or two of utter misery with congestion, joint pain, headache, etc, then have it suddenly decrease overnight. For Covid I had a runny nose for a couple of days which went away then I got congestion in my throat with serious coughing such that I became unable to speak. Then the coughing went away and I had a really bad headache for a day with almost no other symptoms. Then the headache went away and I was coughing a bit the next day. The symptoms seemed to be moving around my body.

I got a new job and they wanted me to fly to the head office to meet the team, I apparently got it on the plane a day before starting work. I’ve discussed this with a manager and stated my plan to drive instead of fly in future. It’s only a 7 hour drive and it’s not worth risking the disease to save 3-4 hours travel time, or even the 5 hours travel I’d have saved if the airports were working normally (apparently a lot of airport staff are off sick so there’s delays). Given the flight delays and the fact that I was advised to arrive extra early at the airport I ended up taking almost 7 hours for the entire trip!

7 hours driving is a bit of effort, but sitting in an airport waiting for a delayed flight while surrounded by diseased people isn’t fun either.

Joplin Notes

April 22, 2022 | etbe

In response to my post about Android phones without Google Play [1] I received an email recommending Joplin for notes on Android [2].

Joplin supports storing notes on a number of protocols including Nextcloud and WebDAV. I setup WebDAV because it’s easiest, here is Digital Ocean instructions for WebDAV on Apache [3]. That basically works. One problem for my use case is that the Joplin client doesn’t support accounts on multiple servers and the only released way of sharing notes between accounts is using the paid Joplin Cloud service.

There is a Joplin Server in beta which allows sharing notes but that is designed to run in Docker and is written in TypeScript so it was too much pain to setup. One mitigating factor is that there are “Notebooks” which are collections of notes. So if multiple people who trust each other share an account they can have Notebooks for personal notes and a Notebook for shared notes.

There is also a Snap install of the client for Debian [4]. Snap isn’t my favourite way of doing things but packaging JavaScript programs will probably be painful so I’ll do it if I continue using Joplin.

Android Without Play

April 20, 2022 | etbe

A while ago I was given a few reasonably high-end Android phones to give away. I gave two very nice phones to someone who looks after refugees so a couple of refugee families could make video calls to relatives. The third phone is a Huawei Nova 7i [1] which doesn’t have the Google Play Store. The Nova 7i is a ridiculously powerful computer (8G of RAM in a phone!!!) but without the Google Play Store it’s not much use to the average phone user. It has the “HuaWei App Gallery” which isn’t as bad as most of the proprietary app stores of small players in the Android world, it has SnapChat, TikTok, Telegram, Alibaba, WeChat, and Grays auction (an app I didn’t even know existed) along with many others. It also links to ApkPure (apparently a 3rd party app installer that “obtains” APK files for major commercial apps) for Facebook among others. The ApkPure thing might be Huawei outsourcing the violation of Facebook terms of service. For the moment I’ve decided to only use free software on this phone and use my old phone for non-free stuff (Facebook, LinkedIn, etc). The eventual aim is that I can only carry a phone with free software for normal use and carry a second phone if I’m active on LinkedIn or something. My recollection is that when I first got the phone (almost 2 years ago) it didn’t have such a range of apps.

The first thing to install was f-droid [2] as the app repository. F-droid has a repository of thousands of free software Android apps as well as some apps that are slightly less free which are tagged appropriately. You can install the F-Droid app from the web site. As an aside I had to go to settings and enable “force old index format” to get the list of packages, I don’t know why as other phones had worked without it.

Here are the F-Droid apps I installed:

Kdeconnect to transfer files to PC. This has some neat features including using the PC keyboard on Android. One downside is that there’s no convenient way to kill it. I don’t want it hanging around, I want to transfer a file and close it down to minimise exposure.
K9 is an Android app for email that I’ve used for over a decade now. Previously I’ve used it from the Play Store but it’s available in F-droid. I used Kdeconnect to transfer the exported configuration from my old phone to my PC and then from my PC to my new phone.
I’m now using SchildiChat for Matrix as a replacement for Google Hangouts (I previously wrote about how Google is killing Hangouts [3]). One advantage of SchildiChat is that it keeps a notification running 24*7 to reduce the incidence of Android killing it. The process of sending private messages with Matrix seems noticeably slower than Hangouts, while Google will inevitably be faster than a federated system (if only because they buy better hardware than I rent) the difference shouldn’t be enough to notice (my Matrix servers might need some work).
I used ffupdater to install Firefox. It can also install other browsers that don’t publish APK files. One of the options is “Ungoogled Chromium” which I’m not going to use even though I’ve found Google Chrome to be a great browser, I think I should go all the way in avoiding Google. There’s no description in the app of the differences between the browsers, the ffupdater web page has information about the browsers [4].
I use Tusky for Mastodon which is a replacement for Twitter. My Mastodon address is @etbe@mastodon.nzoss.nz. Currently Mastodon needs more users, there are plenty of free servers out there and the New Zealand Open Source Society is just one I have contact with.
I have used ConnectBot for ssh connections from Android for over 10 years, previously via the Play Store but it’s also in F-droid. To get the hash of a key from a server in the way ConnectBot displays it run “ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ed25519_key.pub“.
I initially changed Keyboard from MS Swiftkey to the Celia keyboard that came with the phone. But it’s spelling correction was terrible, almost never suggesting words with apostrophes when appropriate and also having no apparent option to disable adult words. I’m now using OpenBoard which is a port of the Google Android keyboard which works well.
I’ve just installed “primitive ftpd” for file transfer, it supports ftp and sftp protocols and is well written.
I’ve installed the mpv video player which plays FullHD video at high quality using hardware decoding. I don’t need to do that sort of thing (the screen is too small to make it worth FullHD video), but it’s nice to have.
For barcodes and QR codes I’m using Binary Eye which seems better than the Play Store one I had used previously.
For playing music I’ve tried using the Simple Music Player (which is nice for mp3s), but it doesn’t play m4a or webm files. Auxio and Music Player Go play mp3 and m4a but not webm. So far the only programs I’ve found that can play webm are VLC and MPV, so I’m trying out VLC as a music player which it basically does but a program with the same audio features and no menu options about video would be better. Webm is important to me because I have some music videos downloaded from YouTube and webm allows me to put a binary copy of the audio data into an audio file.

Future Plans

The current main things I’m missing are a calendar, a contact list, and a shared note taking system (like Google Keep). For calendaring and a contact list the CalDAV and CardDAV protocols seem best. The most common implementation on the server side appears to be DAViCal [5]. The Nextcloud system supports CalDAV, CardDAV, web editing of notes and documents (including LibreOffice if you install that plugin) [6]. But it is huge and demands write access to all it’s own code (bad for security), and it’s not packaged for Debian. Also in my tests it gave me an error 401 when I tried to authenticate to it from the Android Nextcloud client. I’ve seen a positive review about Radicale, a simple CalDAV and CardDAV server that doesn’t need a database [7]. I prefer the Unix philosophy of keeping things simple with file storage unless there’s a real need for anything else. I don’t think that anything I ever do with calendaring will require the PostgreSQL database that DAViCal uses.

I’ll give Radicale a go for CalDAV and CardDAV, but I still need something for shared notes (shopping lists etc). Suggestions welcome.

Current Status

Lack of a contacts list is a major loss of functionality in a phone. I could store contacts in the phone memory or on the SIM, but I would still have to get all my old contacts in there and also getting something half working reduces motivation for getting it working properly. Lack of a calendar is also a problem, again I could work around that by exporting all my Google calendars as iCal URLs but I’d rather get it working correctly.

The lack of shared notes may be a harder problem to solve given the failure of Nextcloud. For that I would consider just having the keep.google.com web site always open in Mozilla at least in the short term.

At the moment I require two phones, my new Android phone without Google and the old one for my contacts list etc. Hopefully in a week or so I’ll have my new phone doing contacts, calendaring, and notes. Then my old phone will just be for proprietary apps which I don’t need most of the time and I can leave it at home when I don’t need that sort of thing.

Converting to UEFI

April 1, 2022 | etbe

When I got my HP ML110 Gen9 working as a workstation I initially was under the impression that boot wasn’t supported on NVMe and booted it from USB. I found USB booting with legacy boot to be unreliable so decided to try EFI booting and noticed that the NVMe devices were boot candidates with UEFI. Making one of them bootable was more complex than expected because no-one seems to have documented such things. So here’s my documentation, it’s not great but this method has worked once for me.

Before starting major partitioning work it’s best to run “parted -l and save the output to a file, that can allow you to recreate partitions if you corrupt them. One thing I’m doing on systems I manage is putting “@reboot /usr/sbin/parted -l > /root/parted.log” in the root crontab, then when the system is backed up the backup server gets any recent changes to partitioning (I don’t backup /var/log on all my systems).

Firstly run parted on the device to create the EFI and /boot partitions, note that if you want to copy and paste from this you must do so one line at a time, a block paste seemed to confuse parted.

mklabel gpt
mkpart EFI fat32 1 99
mkpart boot ext3 99 300
toggle 1 boot
toggle 1 esp
p
# Model: CT1000P1SSD8 (nvme)
# Disk /dev/nvme1n1: 1000GB
# Sector size (logical/physical): 512B/512B
# Partition Table: gpt
# Disk Flags: 
#
# Number  Start   End     Size    File system  Name  Flags
#  1      1049kB  98.6MB  97.5MB  fat32        EFI   boot, esp
#  2      98.6MB  300MB   201MB   ext3         boot
q

Here are the commands needed to create the filesystems and install the necessary files. This is almost to the stage of being scriptable. Some minor changes need to be made to convert from NVMe device names to SATA/SAS but nothing serious.

mkfs.vfat /dev/nvme1n1p1
mkfs.ext3 -N 1000 /dev/nvme1n1p2
file -s /dev/nvme1n1p2 | sed -e s/^.*UUID/UUID/ -e "s/ .*$/ \/boot ext3 noatime 0 1/" >> /etc/fstab
file -s /dev/nvme1n1p1 | tr "[a-f]" "[A-F]" |sed -e s/^.*numBEr.0x/UUID=/ -e "s/, .*$/ \/boot\/efi vfat umask=0077 0 1/" >> /etc/fstab
# edit /etc/fstab to put a hyphen between the 2 groups of 4 chars for the VFAT filesystem UUID
mount /boot
mkdir -p /boot/efi /boot/grub
mount /boot/efi
mkdir -p /boot/efi/EFI/debian
apt install efibootmgr shim-unsigned grub-efi-amd64
cp /usr/lib/shim/* /usr/lib/grub/x86_64-efi/monolithic/grubx64.efi /boot/efi/EFI/debian
file -s /dev/nvme1n1p2 | sed -e "s/^.*UUID=/search.fs_uuid /" -e "s/ .needs.*$/ root hd0,gpt2/" > /boot/efi/EFI/debian/grub.cfg
echo "set prefix=(\$root)'/boot/grub'" >> /boot/efi/EFI/debian/grub.cfg
echo "configfile \$prefix/grub.cfg" >> /boot/efi/EFI/debian/grub.cfg
grub-install
update-grub

If someone would like to make a script that can handle the different partition names of regular SCSI/SATA disks, NVMe, CCISS, etc then that would be great. It would be good to have a script in Debian that creates the partitions and sets up the EFI files.

If you want to have a second bootable device then the following commands will copy a GPT partition table and give it new UUIDs, make very certain that $DISKB is the one you want to be wiped and refer to my previous mention of “parted -l“. Also note that parted has a rescue command which works very well.

sgdisk /dev/$DISKA -R /dev/$DISKB 
sgdisk -G /dev/$DISKB

To backup a GPT partition table run a command like this. Note that if sgdisk is told to backup a MBR partitioned disk it will say “Found invalid GPT and valid MBR; converting MBR to GPT forma” which is probably a viable way of converting MBR format to GPT.

sgdisk -b sda.bak /dev/sda

AMT/MEBX on Debian

March 31, 2022 | etbe

I’ve just been playing with Intel’s Active Management Technology (AMT) [1] which is also known as Management Engine Bios Extension (MEBX).

Firstly a disclaimer, using this sort of technology gives remote access to your system at a level that allows in some ways overriding the OS. If this gets broken then you have big problems. Also all the code that matters is non-free. Please don’t comment on this post saying that AMT is bad, take it as known that it has issues and that people are forced to use it anyway.

I tested this out on a HP Z420 workstation. The first thing it to enable AMT via Intel “MEBX”, the default password is “admin”. On first use you are compelled to set a new password which must be 8+ characters containing upper and lower case, number, and punctuation characters.

The Debian package “amtterm” (which needs the package “libsoap-lite-perl“) has basic utilities for AMT. The amttool program connects to TCP port 16992 and the amtterm program connects to TCP port 16994. Note that these programs seem a little rough, you can get Perl errors (as opposed to deliberate help messages) if you enter bad command-line parameters. They basically work but could do with some improvement.

If you use DHCP for the IP address the DHCP hostname will be “DESKTOP-$AssetID” and you can find the IP address by requesting an alert be sent to the sysadmin.

Here are some examples of amttool usage:

# get AMT info
AMT_PASSWORD="$PASS" amttool $IP
# reset the system and redirect BIOS messages to serial over lan
AMT_PASSWORD="$PASS" amttool reset bios
# access serial over lan console
amtterm -p "$PASS" $IP

The following APT configuration enables the Ubuntu package wsmancli which had some features not in any Debian packages last time I checked.

deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe

This Cyberciti article has information on accessing KVM over AMT [2], I haven’t tried to do that yet.

Links March 2022

March 31, 2022 | etbe

Anarcat wrote a great blog post about switching from OpenNTP to Chrony which gives a good overview of how NTP works and how accurate the different versions are [1].

Bleeping Computer has an amusing article about criminals who copied a lot of data from NVidia servers including specs of their latest products [2], they are threatening to release all the data if NVidia doesn’t stop crippling their GPUs to make them unsuitable for crypto currency mining. I don’t support these criminals, but I think NVidia should allow people who buy hardware to use their property as they choose. If cryptocurrency miners buy all the NVidia products then NVidia still makes the sales, they could even auction them to make more money.

NPR has a disturbing article about the way execution by lethal injection works in the US [3]. It seems that most people die in an extremely unpleasant way. It makes the North Korean execution by anti-aircraft gun seem civilised.

The DirtyPipe vulnerability is the latest serious security issue in the Linux kernel [4]. The report of how it was discovered is very interesting and should be read by all sysadmins. SE Linux will not save you from this as the vulnerability allows writing to read-only files like /etc/passwd.

Politico has an insightful analysis of Putin, it’s not good news he wants to conquer all territory that had ever been part of a Russian empire at any time in history [5].

The Guardian has an informative article about the EU’s attempts to debunk Russian propaganda about Covid19 [6]. Fortunately the sanctions are reducing Russia’s ability to do such things now.

The Guardian has in interesting article about a project to use literary analysis to predict wars [7]. Funded by the German military but funding was cut after it was proven to work.

The Fact Act is a proposal by David Brin for political changes in the US to involve scientists and statisticians in an official advisory role in the legislative process [8], it’s an idea with a lot of potential.

Technology Review has an interesting interview with the leader of the NSA’s Research Directorate [9].

In 2008 the EFF posted a long and informative article about the RIAA’s war against music fans [10]. I had followed a lot of the news about this when it was happening, but I still learnt some things from this article that I hadn’t known at the time. Also considering past legal battles in the context of the current situation is useful. As an aside all the music I want to listen to is now on YouTube and youtube-dl works really well for me.

The 1952 edition of Psychiatry: Journal of Interpersonal Relations has an interesting article On Cooling the Mark Out [11] which starts about how criminal gangs engaged in fraud try to make their victims come to terms with the loss in a way that doesn’t involve the police. But it goes on to cover ways of dealing with loss of status in general. The layout is hacky with words broken by hyphens in the middle of lines as it appears to have been scanned from paper, converted to MS-Word, and from there to PDF. But it’s worth it.

The Internet Heist by Cory Doctorow is an insightful series of 3 articles about the MPAA (MAFIAA) attempts to take over all TV distribution in the US [12].

Wired has an interesting exerpt from the book “Spies, Lies, and Algorithms: The History and Future of American Intelligence”, by Amy B. Zegart [13]. Interesting summary of the “open source intelligence” systems (which have nothing to do with “open source” as free software). But it would be interesting to have an “open source” intelligence organisation along similar lines to “open source” software. The guy who tracks billionaire’s private jets is an example of this.

Feedburner Seems to be Dying

March 29, 2022 | etbe

Many years ago Feedburner was a useful service. It proxied the RSS feed of your blog and gave you analytics of what happened with it. Now feeds using Feedburner randomly give HTTP error 404s. The Feedburner Twitter account is inactive and recommends that people Tweet at Google instead. It seems that Google wants to get rid of the service and random 404s probably aren’t a high priority for them.

I’ve just gone through the config for Planet Linux Australia [1] and changed as many Feedburner URLs as possible to direct feed URLs. I did this by loading the Feedburner feed, getting the URL for the site, and then guessing the feed URL (usually just appending “/feed” to the domain name).

I recommend that everyone abandon Feedburner, it’s not reliable enough to use and doesn’t seem to have any active support.

[1] https://planet.luv.asn.au/

Hangouts Replacement

March 28, 2022 | etbe

Google is currently in the process of killing Hangouts. Last year Hangouts was quite a nice IM system with integrated video chat and voice calling. Now they have decided to kill it and replace it with “Google Chat” and “Google Meet” both of which are integrated with the Gmail app on Android. To start getting people off the old platform they have disabled video and audio chats with more than 2 people in Hangouts. To do a video call you have to use Meet which has a worse user interface and isn’t integrated with text chat, so if in a text discussion someone says “let’s have a video call” you have to open a new app. Meet also doesn’t appear to have a facility to notify group members that someone has joined a group call so it’s required that Chat (or something else) is used to tell people they can join Meet.

Many of my relatives use Hangouts because they are forced to have it installed on their Android phones and because it worked quite well. Now it doesn’t work well and will soon be going away. So another option is needed.

I’m considering Matrix as a replacement. Matrix has a good feature set and is being worked on a lot. The video conferencing is through a connection to a Jitsi server and is well integrated giving functionality more like Hangouts than Chat/Meet.

For the LUV Matrix server the URL https://luv.asn.au/.well-known/matrix/client has the following contents:

{
  "m.homeserver": {
    "base_url": "https://luv.asn.au"
  }
  "jitsi": {
    "preferredDomain": "jitsi.perthchat.org"
  }
  "im.vector.riot.jitsi": {
    "preferredDomain": "jitsi.perthchat.org"
  }
}

This specifies the Jitsi server to be used for chats started from that Matrix server. The PerthChat.org people seem to be leading the way for self hosted Matrix in Australia. Note that other people shouldn’t link to their Jitsi server without discussing it with them first. I only included real data because it’s published on the web so there’s no point in keeping it secret.

The Flounder free software users’ group [1] uses Matrix a lot. We will probably discuss Matrix at the next meeting on Saturday.

There is also Element Call [2] which is apparently more integrated with Matrix (and also newer and possibly buggier). Jitsi works and we can change to a different service easily enough at a later time.

Reading Glasses

March 28, 2022 | etbe

About 4 years ago at a routine eye check the optometrist recommended that I get reading glasses. Apparently I’m old enough that my eyes are losing their ability to focus at different distances to having different glasses for close and remote objects (EG reading and driving) is necessary for good vision.

The optometrist asked me the distance that I use for reading and I indicated a distance that is good for books and phones (about 20cm). So I got a pair of glasses that worked well for that but didn’t work well for the vast majority of my close work which is computer monitors. I found that I could use my reading glasses with my laptop when lying in bed if I had the laptop on my chest with the keyboard touching my chin, which is a reasonable position for watching TV but not for much else.

About 2 years ago I had another eye check which determined that the glasses for long distance were good and got reading glasses designed for objects about 80cm away which worked well for monitors and were usable for watching TV.

Recently I accidentally broke my newer pair of reading glasses and discovered that the older pair now works for distances of about a meter. So it appears that I have become significantly more long sighted over the last 4 years.

Wayland

March 25, 2022 | etbe

The Wayland protocol [1] is designed to be more secure than X, when X was designed there wasn’t much thought given to the possibility of programs with different access levels displaying on the same desktop. The Xephyr nested X server [2] is good for running an entire session from a remote untrusted host on a local display but isn’t suitable for multiple applications in the same session.

GNOME supported Wayland by default in Debian since the Bullseye release and for KDE support you can install the plasma-workspace-wayland which gives you an option for the session type of KDE Plasma Wayland when you login. For systems which don’t use the KDE Plasma workspace but which have some KDE apps you should install the package qtwayland5 to allow the KDE apps to use the Wayland protocol. See the KDE page of the Debian Wiki [3] for more information.

The Debian Wiki page on Wayland has more useful information [4]. Apparently you have to use gdm instead of sddm to get Wayland for the login prompt.

To get screen sharing working on Wayland (and also to get a system that doesn’t give out error messages) you need to install the pipewire package (see the Pipewire project page for more information [6]).

Daniel Stone gave a great LCA talk about Wayland in 2013 [5].

I have just converted two of my systems to Wayland. It’s pretty uneventful, things seem to work the same way as before. It might be theoretically faster but in practice Xorg was fast enough that there’s not much possibility to appear faster. My aim is to work on Linux desktop security to try and get process isolation similar to what Android does on the PC desktop and on Debian based phones such as the Librem 5. Allowing some protection against graphics based attacks is only the first step towards that goal, but it’s an important step. More blog posts on related topics will follow.

Update: One thing I forgot to mention is that MAC systems need policy changes for Wayland. There are direct changes (allowing background daemons for GPU access to talk to a Wayland server running in a user context instead of an X server in a system context) and indirect changes (having the display server and window manager merged).

etbe – Russell Coker

Linux, politics, and other interesting things

Author Archives: etbe