last beard post

day 107 (last) of the beard
On Tuesday the 23rd of January I shaved off my beard after spending 107 days growing it, see above for the final beard pic. It was an interesting experiment and it’s something that I recommend trying, but I couldn’t keep it.

Having a beard is more effort than being clean-shaven. Eating is more difficult when you are trying to keep your beard out of your food. If you get the full beard (as I did) then the mustache at the sides of your mouth will get into your food (particularly bad for ice-cream). I guess that the benefit of having a waxed mustache would be that the wax would keep it out of the way of the food – the waxed mustache wasn’t just an issue of style!

Madduck suggests that when you drink Guinness you “push your lips past the head and draw up only the dark stuff”. Of course that won’t work if you have a mustache as you don’t want a mustache that’s soaked in beer!

Immediately after cutting off my beard I didn’t shave for almost a week and experienced much less discomfort than I had previously experienced when not shaving for that period. I think that, having become used to a beard, an amount of hair that would previously have annoyed me is no longer noticeable. Also it seems that the hair was initially softer after I cut off the beard. Maybe shaving somehow makes the hair grow tougher.

When I had the beard I thought that I hadn’t adjusted my body image to match, as every time I looked in the mirror I felt surprised to see it. Once it was gone my new look initially seemed more odd to me than my previous appearance, and it took me a number of weeks to get used to not having a beard.

final goatee picture

final mustache picture

When shaving off my beard I decided to do it in stages, firstly I did a “goatee” cut and then just a mustache. The mustache is a little lop-sided, but I was in a hurry and didn’t plan to keep it for long.

what defines a well operating planet?

day 59 of the beard

At OSDC Mary Gardiner gave a talk titled The Planet Feed Reader: Better Living Through Gravity. During the course of the presentation she expressed the opinion that short, dialogue-based blog entries are a sign of a well running planet.

Certainly if blog posts respond to each other then there is a community interaction, and if that is what you desire from a planet then it can be considered a good thing. Mary seemed focussed on planets for internal use rather than for people outside the community which makes the interaction more important.

However I believe that planets are not a direct substitute for mailing lists. On a mailing list you can reply to a message agreeing with it and expect that the same people who saw the original message will see your reply. Blogs however are each syndicated separately, so a blog post in response to someone else’s blog should be readable on its own. A one line post saying “John is right” provides little value to people who don’t know who John is, especially if you don’t provide a link to John’s post that you agree with.

On Planet Debian there have been a few contentious issues discussed where multiple people posted one-line blog entries. I believe that the effective way to communicate their opinions would either be to write a short essay (maybe 2-3 paragraphs) explaining their opinion and the reasons for it, or if they have no new insight to contribute then they should summarise the discussion.

I believe that a planet such as Planet Debian or Planet Linux Australia should not only be a forum for people who are in the community but also an introduction to the community for people who are outside. AOL posts don’t help in this regard.

One final thing to note is that blogs already do have a feature for allowing “me too” responses, it’s the blog comment facility…

PS Above is a picture of day 59 of the beard, it was taken on the 5th of December (I’ve been a little slack with beard pictures).

economics of a computer store (why they don’t stock what you want)

day 39 of the beard

In some mailing list discussions recently some people demonstrated a lack of knowledge of the economics of a shop. Having run a shop for a few years (an Internet Cafe) I have some practical knowledge of this. I will focus on small businesses in this article, but the same economic principles apply to large corporations too.

When running a shop the main problem you have is managing stock. There are two ways of getting stock. One is to have wholesalers give it to you for a period in which you try to sell it, paying for it only when it’s sold; this is probably quite rare (I don’t know of an example of it being done, and probably no retailer wants to talk about it in case they lose the arrangement). Often retailers consider themselves privileged if they are permitted to pay for hardware one month after they receive it! The more common way of getting stock is simply to buy it and hope you can sell it in a reasonable period of time (often the wholesaler will offer to buy the stock back at a 10% discount if you can’t sell it).

To buy stock you need money, this can come from money that has accrued in the business account (if things are going really well) or from a mortgage taken out by the business owner if things aren’t going so well. For small businesses things usually don’t go so well so the money used to buy stock is borrowed at an interest rate of about 7% or 8% (I’m using numbers based on the current economic conditions in Australia, different numbers apply to different countries and different times but the same principles apply). The ideal situation is when there is money in the company bank account to cover the purchase of all stock, this means that the cost of owning stock is that you miss out on the 5.5% interest that the money will get in a term deposit.

Almost all stock has a use-by date of some form. Some items have a very short expiry (EG milk used to make hot chocolate in an Internet cafe), some have a moderate expiry date (computer systems become almost unsellable in about 18 months and lose value steadily month after month), but in the computer industry nothing has a long expiry date.

Let’s assume for the sake of discussion that you want to run a small computer store that is open to passing trade (this means that you must have stock for an immediate sale). Let’s assume that all items of computer hardware lose half their value over the period of 20 months at a steady rate of 2.5% of the original price per month (I think that most computer hardware loses value faster than that, but it’s just an assumption to illustrate the point).

The next major issue is the profit margin on each sale. If you can make a 20% profit on a sale then an item that has lost 10% of its value while gathering dust in your store will still be profitable. However the profit margins on computer sales are very small due to having a small number of major manufacturers (Intel, AMD, nVidia, ATI, Seagate, and WD) that have almost cartel positions in their markets and there being little to differentiate the stores apart from price. I have been told that 3% profit is typical for retail computer hardware sales by the small companies nowadays! Now if the stock will lose 2.5% of its value per month, you pay 0.5% interest per month and you make a 3% profit, then if an item remains in stock for a month you lose money. So on average (by value) you need to have stock spending significantly less than a month in your store. Cheap items such as low-quality cases and PSUs can stay in stock for a while. More expensive items such as new CPUs and the motherboards to house them must be moved quickly.

What’s the first thing that you do to reduce stock? You can keep stocks low, but there is a limit to how low you can go without losing sales. The next thing to do is to not stock items that customers won’t often buy or items where there is a similar item that you can stock as a substitute. The classic example of this is hard drives, a customer will want a certain capacity for a certain price – if their preferred brand is not in stock they will almost always take a different brand if it has the same capacity at the same price. Stores often advertise prices on multiple brands of hard drive in each capacity, but often only try to keep one brand in stock.

Of course this is a problem for the more fussy buyer. If you want to buy two identical parts from the same store on different days you might discover that they don’t have the stock on the second day and that they instead offer you something equivalent. Not only do retailers have issues with managing their investment in stock but wholesalers have the same problem. So if a retailer runs out of WD drives and discovers that their preferred wholesaler has also run out of WD drives then they just buy a different brand – most customers don’t care anyway.

There are some companies I deal with that have a business model based on services. One of them sells hardware to customers at cost, but charges them for the time spent assembling it, transporting it, etc. The potential for a 3% profit on the hardware isn’t worth pursuing; they prefer to just charge for work and also save themselves the sales effort. Another company I know operates almost exclusively on the basis of ordering parts when customers request them (but still makes a small profit margin on the sales), this means that the customer can be invoiced as soon as the hardware arrives. The down-side to this is that wholesalers have the same stock issues and there are sometimes excessive delays before the wholesaler can deliver the hardware.

Dell is the real winner out of this. As they operate by mail-order they don’t need to have the stock immediately available, they have a few days to deliver it which gets them time to arrange the supply. They can also have a central warehouse per region which reduces the stock requirements again. A 3% profit on items that rapidly decrease in value makes it almost impossible to sustain a small business. But an organization such as Dell can sustain a successful business at that level.

Of course the down-side for the end-user is that Dell doesn’t want to have too many models as that just makes it more complex for the sales channel. Also they have deals with major suppliers which presumably give them deep discounts in exchange for not selling rival products (this is why some brands of parts are conspicuously absent from Dell systems).

10 years ago there used to be a small computer store in every shopping area. Now in Australia there are a few large stores (which often only have a small section devoted to computers) and mail-order. There seems to be much less choice in computer hardware than there was, but it is much cheaper.

PS I’ve attached a picture of day 39 of the beard.

a good security design for an office

day 32 of the beard

One issue that is rarely considered is how to deal with office break-ins for the purpose of espionage. I believe that this issue has been solved reasonably well for military systems, but many of the military solutions do not apply well to civilian systems – particularly the use of scary dudes with guns. Also most office environments don’t have the budget for any serious security, so we want to improve things a bit without extra cost. Finally the police aren’t interested in crimes where an office is burgled for small amounts of cash and items of minor value, it gets lost in the noise of junky burglaries, so prevention is the only option.

Having heard more information about such break-ins than I can report, I’ll note a few things that can be done to improve the situation – some of which I’ve implemented in production.

The most obvious threat model is theft of hard drives. The solution is to encrypt all data on the drives. The first level of this is to simply encrypt the partitions used for data; support for this is available in Fedora Core 6 and has been in Debian for some time. The more difficult feature is encrypting the root filesystem. Encrypting root means that important system files such as /etc/shadow are encrypted, and it also means that an attacker can’t trivially subvert the system by replacing binaries. An unencrypted root filesystem on a machine that is left turned off overnight (or for which an unexpected reboot won’t be treated seriously) allows an attacker to remove the drive, replace important system files and then re-install it; the modified system will then decrypt the data partitions for them the next time it is booted and unlocked. If the machine is booted from removable media (EG a USB key) which contains the kernel and the key for decrypting the root filesystem then such attacks are not possible without also tampering with the machine’s firmware. The trade-off is that the USB key is then all that stands between a thief and the data, so it must be removed after boot and guarded as carefully as the administrator’s passwords.

Debian/unstable supports an encrypted root filesystem, but last time I tried the installer there did not appear to be any good support for booting from USB (but given the flexibility of the installer I think it’s within the range of the available configuration options). I have run Fedora systems with an encrypted root filesystem for a few years, but I had to do some gross hacks that were not of a quality that would be accepted. With the recent addition of support for encrypted filesystems in Fedora it seems likely that some such patches could be accepted – I would be happy to share my work with anyone who wants to do the extra work to make it acceptable for Fedora.

Once the data is encrypted on disk the next thing you want to do is to make the machines as secure as possible. This means keeping up to date with security patches even on internal networks. I think that a viable attack method is to install a small VIA based system in the switch cabinet (no-one looks for new equipment appearing without explanation) that sniffs an internal (and therefore trusted) network and proxies it to a public network. This isn’t just an issue of securing applications; it also means avoiding insecure protocols such as NFS and AoE for data that is important for your secrecy or system integrity.
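
The check a practitioner would want against the box-in-the-switch-cabinet attack is an inventory of what is on the network, diffed regularly against what is actually answering. The following is an added example, not the author’s code: it parses the neighbour table that `ip neigh show` prints, compares it with a hand-kept baseline of known MAC addresses and the interface each should be reachable from, and reports anything unknown or out of place. The baseline and the sample neighbour output are constructed for the example.

```python
import re
import shutil
import subprocess

# One neighbour per line, as printed by `ip neigh show`. Entries in FAILED or
# INCOMPLETE state carry no lladdr and are skipped by the regex.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)",
    re.IGNORECASE,
)

# Constructed inventory: the hardware you know is plugged into the office
# network, keyed by MAC, with the interface it should be reachable from.
BASELINE = {
    "00:16:3e:aa:bb:01": {"name": "fileserver", "dev": "eth0"},
    "00:16:3e:aa:bb:02": {"name": "printer", "dev": "eth0"},
    "00:16:3e:aa:bb:10": {"name": "switch management port", "dev": "eth1"},
}

# Constructed sample of `ip neigh show` output on the monitoring host.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:16:3e:aa:bb:01 REACHABLE
192.168.1.11 dev eth0 lladdr 00:16:3e:aa:bb:02 STALE
192.168.1.250 dev eth1 lladdr 00:16:3e:aa:bb:10 DELAY
192.168.1.77 dev eth0 lladdr 00:0b:cd:12:34:56 REACHABLE
192.168.1.78 dev eth0 FAILED
10.0.0.5 dev eth1 lladdr 00:16:3e:aa:bb:02 REACHABLE
"""


def parse_neigh(text):
    """Map each MAC to the set of (ip, dev) pairs it was seen with."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen.setdefault(m["mac"].lower(), set()).add((m["ip"], m["dev"]))
    return seen


def audit(baseline, current):
    """Return MACs absent from the inventory, and inventoried MACs that
    answered on an interface the inventory does not list them on (a box
    borrowing a known address, or a cabling change nobody mentioned)."""
    unknown, moved = {}, {}
    for mac, places in current.items():
        if mac not in baseline:
            unknown[mac] = sorted(places)
            continue
        wrong = sorted(p for p in places if p[1] != baseline[mac]["dev"])
        if wrong:
            moved[mac] = wrong
    return {"unknown": unknown, "moved": moved}


def report(baseline, text):
    """Human-readable lines, one per finding, for mail or syslog."""
    result = audit(baseline, parse_neigh(text))
    lines = []
    for mac, places in result["unknown"].items():
        lines.append(f"UNKNOWN device {mac} seen as {places}")
    for mac, places in result["moved"].items():
        lines.append(f"MOVED {baseline[mac]['name']} ({mac}) seen at {places}")
    return lines


if __name__ == "__main__":
    # Use the live neighbour table when `ip` is present, else the sample.
    text = SAMPLE_NEIGH
    if shutil.which("ip"):
        text = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                              text=True, check=False).stdout or SAMPLE_NEIGH
    for line in report(BASELINE, text) or ["nothing unexpected"]:
        print(line)
```

Run it from cron on a host that sits on each internal segment. The honest caveat is that a purely passive sniffer sends no frames and never appears in a neighbour table, so this only catches the rogue box once it talks (the “proxies it to a public network” half of the attack, which it has to do eventually); the switch’s own MAC table and per-port link state are the complementary checks.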

An option for using NFS is to encrypt it with IPsec or similar technology. AoE can be encrypted with cryptsetup in the same way as you encrypt hard drive partitions: it doesn’t use IP so IPsec won’t work, but it is a regular block device so anything that encrypts block devices will work. I have been wondering about how well replay attacks might work on an encrypted AoE or iSCSI device. The answer is that they work. Block-device encryption of that kind gives confidentiality only; there is no integrity tag on a sector, so someone on the network who records an earlier write to a sector can put it back later (or corrupt a sector) and the kernel will decrypt the result without complaint. Encrypting AoE or iSCSI protects the secrecy of the data from a sniffer but not its integrity, which matters a great deal if the device holds system files.
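
Whether replay works on an encrypted network block device comes down to whether anything checks integrity, and with plain sector encryption nothing does. The following added example (not code from the original post) models that: a toy per-sector cipher stands in for dm-crypt (an HMAC-SHA256 keystream, chosen only so the script runs with the standard library; the cipher is not what the demonstration is about), the target’s storage plus a capture of the wire stand in for the box in the switch cabinet, and the second class shows what it takes to catch the replay: a per-sector tag plus state the initiator keeps locally about its own last write. All keys and sector contents are constructed.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector, as on a real block device


def keystream(key, sector, length):
    """CTR-style keystream: PRF(key, sector || counter) blocks, concatenated.
    HMAC-SHA256 is the PRF here; dm-crypt uses AES, which changes nothing below."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class IntegrityError(Exception):
    pass


class EncryptedDisk:
    """Per-sector encryption only, like dm-crypt layered on AoE or iSCSI.
    `store` is what the target holds; `wire_log` is what the sniffer captured."""

    def __init__(self, key):
        self.key = key
        self.store = {}
        self.wire_log = []

    def encrypt(self, sector, data):
        assert len(data) == SECTOR
        return xor(data, keystream(self.key, sector, SECTOR))

    def write(self, sector, data):
        ct = self.encrypt(sector, data)
        self.wire_log.append((sector, ct))
        self.store[sector] = ct

    def read(self, sector):
        # Nothing marks a sector as fresh: any ciphertext decrypts cleanly.
        return xor(self.store[sector], keystream(self.key, sector, SECTOR))


class AuthenticatedDisk(EncryptedDisk):
    """Same cipher plus an HMAC per sector, and the initiator remembers the tag
    of its own latest write to each sector (the state dm-integrity or a Merkle
    tree keeps). Recomputing the tag catches modification; comparing it with
    the remembered tag catches replay of an older sector."""

    def __init__(self, key, mac_key):
        super().__init__(key)
        self.mac_key = mac_key
        self.last_tag = {}  # lives on the initiator, never crosses the wire

    def tag(self, sector, ct):
        msg = sector.to_bytes(8, "big") + ct
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()

    def write(self, sector, data):
        ct = self.encrypt(sector, data)
        t = self.tag(sector, ct)
        self.wire_log.append((sector, ct, t))
        self.store[sector] = (ct, t)
        self.last_tag[sector] = t

    def read(self, sector):
        ct, t = self.store[sector]
        if not hmac.compare_digest(t, self.tag(sector, ct)):
            raise IntegrityError(f"sector {sector}: data or tag modified")
        if not hmac.compare_digest(t, self.last_tag[sector]):
            raise IntegrityError(f"sector {sector}: stale sector replayed")
        return xor(ct, keystream(self.key, sector, SECTOR))


def run_demo():
    """Write v1 then v2 to sector 0, then let the attacker push the captured
    v1 ciphertext back onto the target. Returns what each design notices."""
    v1 = b"payroll v1 (constructed sample)".ljust(SECTOR, b"\0")
    v2 = b"payroll v2 (constructed sample)".ljust(SECTOR, b"\0")
    key, mac_key = b"K" * 32, b"M" * 32  # toy fixed keys, not for real use

    plain = EncryptedDisk(key)
    plain.write(0, v1)
    plain.write(0, v2)
    plain.store[0] = plain.wire_log[0][1]  # the replay
    rolled_back = plain.read(0) == v1      # decrypts cleanly, nobody notices

    auth = AuthenticatedDisk(key, mac_key)
    auth.write(0, v1)
    auth.write(0, v2)
    _, old_ct, old_tag = auth.wire_log[0]
    auth.store[0] = (old_ct, old_tag)      # the same replay
    try:
        auth.read(0)
        detected = False
    except IntegrityError:
        detected = True
    return {"replay_undetected": rolled_back, "replay_detected": detected}
```

Calling `run_demo()` returns `{"replay_undetected": True, "replay_detected": True}`: the unauthenticated disk hands back the old payroll sector as if it were current, and the authenticated one refuses it. The point of the second class is that a tag alone is not enough; the old tag was also captured, so the initiator has to hold something the attacker cannot roll back, which is why integrity on a remote block device costs local state and not just a MAC key.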

Security technologies such as SE Linux are good to have as well. An attacker who knows that a server has encrypted hard drives might try cracking it instead. A thief who has stolen a laptop and knows that it has an encrypted drive can keep it running until future vulnerabilities are discovered in any daemons that accept data from the network (of course if you have enough technology you could sniff the necessary data from the system bus and from RAM while it’s running – but most attackers won’t have such resources). I have considered running a program on my laptop that would shut it down if for a period of 48 hours I didn’t login or un-blank the screen, that would mean that if it was stolen then the thief would have 48 hours to try and crack it.

Prevent access to hardware that you don’t need. If you allow the system to load all USB drivers then a bug in any of those drivers could be exploited. Remember that in a default configuration a USB driver is loaded when a matching device is inserted (which is under the control of an attacker) and the driver then parses descriptors and data supplied by the attacker’s hardware: data of low integrity being handled by code that runs with ultimate privilege. Turning off all USB access is an option that I have implemented in the past. I have not figured out a convenient way of disabling all USB modules other than the few that I need; I have considered writing a shell script to delete the unwanted modules that I can run after upgrading my kernel package.
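
A generator for that per-upgrade module blacklist, as an added example rather than the author’s script. It walks the USB driver directory of a module tree, emits an `install NAME /bin/false` line for every module not on an allow-list, and builds a constructed sample tree so it can be run without root or a real kernel. The allow-list (usbcore and the host controller drivers) is an assumption to be adjusted per machine; usbhid lives under drivers/hid rather than drivers/usb, so keyboards need no entry here.

```python
import os
import re
import sys
import tempfile

# usb-storage.ko, usb-storage.ko.xz, .gz and .zst all name the same module
MODULE_RE = re.compile(r"^(?P<name>[^/]+?)\.ko(?:\.(?:xz|gz|zst))?$")

# Assumed allow-list: the core stack and the host controller drivers, so the
# ports keep working for the keyboard (usbhid itself lives under drivers/hid).
DEFAULT_KEEP = ("usbcore", "ehci-hcd", "uhci-hcd", "ohci-hcd", "xhci-hcd")


def norm(name):
    # modprobe treats '-' and '_' in module names as the same character
    return name.replace("-", "_")


def usb_modules(modules_root):
    """Names of every module under <root>/kernel/drivers/usb, where <root> is
    /lib/modules/$(uname -r) on a real system."""
    base = os.path.join(modules_root, "kernel", "drivers", "usb")
    for _dirpath, _dirs, files in os.walk(base):
        for fname in files:
            m = MODULE_RE.match(fname)
            if m:
                yield m["name"]


def generate_modprobe_conf(modules_root, keep=DEFAULT_KEEP):
    """Text for a file in /etc/modprobe.d that refuses to load every USB
    driver not in `keep`. `install NAME /bin/false` is used instead of
    `blacklist NAME`: blacklist only stops alias-based autoloading, while an
    install line also wins over explicit modprobe and dependency loading."""
    keep_set = {norm(k) for k in keep}
    lines = ["# generated: refuse all USB drivers except the allow-list",
             "# regenerate after every kernel package upgrade"]
    for name in sorted(set(usb_modules(modules_root)), key=norm):
        if norm(name) in keep_set:
            lines.append(f"# kept: {name}")
        else:
            lines.append(f"install {name} /bin/false")
    return "\n".join(lines) + "\n"


def build_sample_tree():
    """Constructed stand-in for /lib/modules/<version>, for running offline."""
    root = tempfile.mkdtemp(prefix="modules-")
    for rel in ("kernel/drivers/usb/core/usbcore.ko",
                "kernel/drivers/usb/host/ehci-hcd.ko",
                "kernel/drivers/usb/storage/usb-storage.ko.xz",
                "kernel/drivers/usb/class/cdc-acm.ko.zst",
                "kernel/drivers/usb/serial/ftdi_sio.ko",
                "kernel/drivers/usb/not-a-module.txt",  # ignored
                "kernel/drivers/net/e1000.ko"):         # not USB, untouched
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    # Usage: python3 usb-blacklist.py /lib/modules/$(uname -r) > /etc/modprobe.d/usb-deny.conf
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    sys.stdout.write(generate_modprobe_conf(root))
```

Modules that are already loaded, or built into the kernel rather than modular, are unaffected by the file, so check `lsmod` after writing it and rebuild the initramfs so the early boot environment picks up the same configuration. Re-running the generator after each kernel package upgrade is the step the author wanted to automate; a hook in the package manager’s kernel post-install is the natural place for it.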

Once these things have been done the next issue is securing hardware. Devices to monitor keyboard presses have been used to steal passwords. The only solution I can imagine for this is to use laptops on people’s desks and then store them in a safe overnight, unfortunately laptops are still quite a bit more expensive than desktop machines and consequently they are mostly used as status symbols in offices. Please let me know if you have a better idea for solving the key-logging problem.

For servers there is also a problem with keyboard sniffing. Maybe storing the server’s keyboard in a safe would be a good idea.

Security monitoring systems are a good idea, unfortunately they can be extremely expensive. There has already been at least one recorded case of a webcam being used to catch a burglar. I believe that this has a lot of potential. Get a webcam server set up with some USB hubs and cameras and you can monitor a small office from all angles. When the office is empty you can have it GPG encrypt pictures and send them off-site for review in the case of burglary. You could also brick the server into a wall (or make it extremely physically secure in other ways) so that the full photo record would be available in the case of damaged phone lines, and to give more pictures than the upload bandwidth of an ADSL link would allow (512Kb/s doesn’t allow uploading many pictures – nowhere near the capacity of a few high-resolution web-cams).

This is just a few random thoughts, some things I’ve done, some things I plan to do, and some that just sound like fun. I expect comments telling me that I have missed some things. I may end up writing a series of articles on this topic.

PS I’ve uploaded day 32 of the beard (which was taken yesterday). Last night at a LUV meeting I was asked to stand in front of the audience to show them my beard. I had imagined that they might have seen it enough through my blog, but apparently not.

Sell a Band

day 29 of the beard

sellaband.com has an interesting business model. If you want to make money from your band you can sign up to their site and create a web site with some sample tracks. Then wait for 5,000 believers to each pay $10 for a share which grants the band a recording contract. The $10 gets them a share of advertising royalties (which seems extremely unlikely to recover the $50,000) and also a first-edition CD from the band ($10 is cheap for a CD). If there is an unpublished band you like then all you need to do is to find 5,000 people who can each spare $10.

The main advantage of the site seems to be as a central advertising point. Sure it would be better to record your own CD and sell it for $10 per copy (which is not difficult to do with little expense nowadays), but finding the 5,000 people who want to pay will be difficult.

It’s a pity that sellaband relies extensively on Flash, so I can’t use their site. Maybe someone else will copy the idea and use standard web pages that display in all browsers.

PS I’ve attached a picture of day 29 of the beard.

religious requirements for free software development

day 24 of the beard

Religions commonly require contributions to charitable causes and helping other people. Developing free software without expecting a reward seems to fit those criteria.

If my primary religious belief (atheism) turns out to be incorrect then I am certain that whatever deity might exist would want me to do Free Software development.

It seems to me that denying people the ability to contribute to Free Software development or forcing them to use proprietary software is therefore an infringement of their rights to freely practice their religion.

Prisoners should be permitted to do Free Software development. Kevin Mitnick was prevented from using computers while incarcerated and after being released (which is wrong in so many ways). It has been recently announced that pagan prisoners in the UK are being given time off prison duties for Halloween. I think that allowing free software development for people who believe that it is a religious requirement deserves at least the same protection.

Also government agencies should not require the use of MS file formats or IE for communication.

PS Day 24 of the beard is depicted above.

god on my side

day 21 of the beard

Today I saw the movie God On My Side by Andrew Denton. It’s an interesting movie about the televangelist industry in the US. I expected it to be about the shonky frauds who harm people, and there was one scene at the start of a televangelist claiming to cure diabetes (a very dangerous claim that often results in serious injury to the victims of such frauds), but mostly it was about serious evangelists and not about the frauds.

What was scary was the level of advocacy of Armageddon. These people seemed very determined to have a great war between the US and Russia (haven’t they realised that the USSR doesn’t exist any more?). They advocated taking all possible measures to defend Israel (not ruling out the use of nuclear weapons) and didn’t want any compromise with Palestine (no land for peace – after all peace gets in the way of Armageddon).

One insightful comment by an evangelist pointed out that many Christians have gone wrong in their advocacy in being based on what they are against rather than what they are for. It’s a sad trend that most Christians are not able to express any positive things that they are for and only focus on things that they oppose. On most occasions when they say they are for something it is really a disguise for being against something else, EG supporting Family Values means oppressing homosexuals, preventing freedom of speech (bad language), and banning abortions (even for rape victims).

I am looking forward to the DVD release of this. I’m sure that the out-takes and some further footage post release will be interesting.

Above is the day 21 beard picture.

planets and day 19 of the beard

day 19 of the beard

I notice that Planet Linux Australia has been changed to not list the feed URLs; instead it displays the HTML pages for the blogs.

I believe this is a bad idea as some people want to get a list of feeds for the blogs that are aggregated without having to visit all the blog sites and do it manually. One of the many reasons for doing this is for a blog server that has intermittent net access, it might be down at the moment which prevents me from adding it to my feed list. Another reason is that some people (such as me) want to automatically get a list of all feeds from the planet to add to their own personal planet configuration.

I am blogging this not to criticise the administrators of Planet Linux Australia or even to inform them (I have already sent them an email). My point is to prevent other people from doing the same thing. At this time I am not sure whether this change in Planet Linux Australia was deliberate, a result of a bug in Planet, or a mistake in configuration (maybe a default changed unexpectedly).

Another planet related surprise that I received today was to notice that my blog appears to have been removed from Planet Fedora. I’m not sure why this happened, one possibility is that removing my blog was regarded as the solution to the problem of it displaying incorrectly (the better solution being to upgrade the Planet software as was done on Planet Debian). Another possibility is that my post about Gratis vs Libre was regarded as criteria for removal. If my blog was removed from Planet Debian or Planet Linux Australia then I would be able to ask the administrators about this (they have email address links conveniently located). Planet Fedora has no such link, so I guess I’ll have to wait for a blog comment to find out.

I’ve included a day 19 beard picture, I was planning to do one yesterday but a design meeting for a VOIP project ran late and I ran out of time. I’ll write a post about VOIP in the near future.

blogging and self-promotion

day 15 of the beard

Are blogs and conference speeches inherently about self promotion? If so is that a bad thing?

Recently I mentioned my Planet configuration on a mailing list where most people don’t track new technology. Some people viewed blog entries for the first time as a result of this and then claimed that blogs appeared to be mostly about self-promotion.

It seems to me that people offer conference speeches to promote technology that they believe in (which often equates to self-promotion as such people are well known to be associated with the technology in question), for promoting themselves or their own business, or to promote the company that employs them. Of these categories of talk the worst ones are those which are given to promote a company, it’s especially bad when a talk starts with “the guy who was supposed to give this talk was called to a client so I’m doing it instead” – this indicates how much the company cares for the quality of the talk. Someone who is promoting themselves will care about doing a reasonable job. Someone who promotes their favourite technology will usually give a great talk! But corporations rarely get the idea that a good quality talk which makes little mention of their products is the most effective advertisement. Of recent times Google seems to be the best example of a company which gets this idea, at many conferences there are Google employees giving talks about various technologies not directly related to Google operations without any direct sales pitch. Everyone who attends such talks gets the message – Google has hired many smart people and has them working on cool things.

It seems that blogs are often written with similar motivations to conference presentations but with no control over the topic and less quality control. The difference of course is that a blog doesn’t get a forum the way a talk which is accepted by a conference will. So a corporate blog has to be really good to get readers.

PS I’ve added the day15 beard picture to this entry, it was taken on the 22nd of October, but I had only just got around to GIMPing it and uploading it.

new hybrid Camry

day 12 of the beard

Toyota in the US has released a hybrid Camry which seems to be the larger Prius that many people have wanted. Since its release the Prius has been greatly desired by people who like technology and the environment. The only down-side to the Prius is that it is a small car and doesn’t have as much room for baggage or passengers as you might desire.

The new Camry Hybrid has the Continuously Variable Transmission (CVT) that gives the Prius its smooth ride, the keyless start (optional), DVD navigation via a large screen, six airbags, and tire pressure monitoring.

The above review states that the test car shuddered when the engine started and made odd mechanical noises. It’s not indicated in the article but I suspect that the car may have been an early production test model rather than the type of car you will get if you actually buy one. The Prius I drove did not shudder or make any odd noises (in fact hardly any noise that I could hear). Maybe if I drove a Prius in a country area I would hear some noises, but in the city (which the Prius is designed for) the Prius didn’t make any engine sounds I could hear. I expect that the hybrid Camry will perform as well as the Prius in this regard.

The review describes the hybrid Camry as giving 35mpg with a driving pattern that was not the most fuel efficient, that is roughly 6.7 liters per 100km, which is more than the quoted rate for some small cars. The four-door Smart cars are advertised as using 5.8L/100km and Diesel allows even better efficiency. But if you want the space of a Camry then 6.7L/100km is fairly good, especially considering that you could reduce that by driving more slowly. Also we have to consider that the primary aim of the Prius design (and presumably the design of the hybrid Camry) is to protect the environment by reducing the poisonous emissions; this may reduce the fuel efficiency slightly (the aim of reducing emissions is not always compatible with the aim of reducing fuel use).

There are 3.785 liters to a US gallon. A mile is 1760 yards and a yard is 0.9144m, so a mile is 1760*0.9144 = 1609 meters or 1.609km.

L/100km = 3.785*100/(1.609*X), which is approximately 235.2/X

To convert MPG (the US measurement of fuel use, based on a US mile and a US gallon) to L/100km (the Australian way of measuring fuel use) you use the above formula, where X is the MPG rating: X miles per gallon means 1.609*X km for every 3.785 liters, which is 3.785/(1.609*X) liters per km, and multiplying by 100 gives liters per 100km. For the 35mpg quoted above that is 235.2/35, roughly 6.7. Note that an imperial gallon is 4.546 liters, so the formula does not apply to British mpg figures. I included this information here because I couldn’t find it anywhere else.

I was going to post this before but was side-tracked by the flash issue.

Also I’ve included a beard picture for day 12 (yesterday).