powerdyn – a dynamic DNS service for PowerDNS users

Posted in debian, english, linux, planet-debian, software May 19, 2013

You may not know this, but I am a huge PowerDNS fan. This may be because it is so simple to use, supports different databases as backends or maybe just because I do not like BIND, pick one.

I also happen to live in Germany where ISPs usually do not give static IP-addresses to private customers, unless you pay extra or limit yourself to a bunch of providers that do good service but rely on old (DSL) technology, limiting you to some 16MBit/s down and 1MBit/s up. Luckily my ISP does not force the IP-address change, but it does happen from time to time (once in a couple of months usually). To access the machine(s) at home while on a non-IPv6-capable connection, I have been using my old (old, old, old) DynDNS.com account and pointing a CNAME from under die-welt.net to it.

Some time ago, DynDNS.com started supporting AAAA records in their zones and I was happy: no need to type hostname.ipv6.kerker.die-welt.net to connect via v6 — just let the application decide. Well, yes, almost. It’s just DynDNS.com resets the AAAA record when you update the A record with ddclient and there is currently no IPv6 support in any of the DynDNS.com clients for Linux. So I end up with no AAAA record and am not as happy as I should be.

Last Friday I got a mail from DynDNS:

Starting now, if you would like to maintain your free Dyn account, you must now log into your account once a month. Failure to do so will result in expiration and loss of your hostname. Note that using an update client will no longer suffice for this monthly login. You will still continue to get email alerts every 30 days if your email address is current.
Yes, thank you very much…

Given that I have enough nameservers under my control and love hacking, I started writing my own dynamic DNS service. Actually you cannot call it a service. Or dynamic. But it’s my own, and it does DNS: powerdyn. It is actually just a script that can update DNS records in SQL (from which PowerDNS serves the zones).

When you design such a “service”, you first think about user authentication and proper information transport. The machine that runs my PowerDNS database is reachable via SSH, so let’s use SSH for that. You do not only get user authentication, server authentication and properly encrypted data transport, you also do not have to try hard to find out the IP-address you want to update the hostname to: just use $SSH_CLIENT from your environment.

If you expected further explanation what has to be done next: sorry, we’re done. We have the user (or hostname) by looking at the SSH credentials, and we have the IP-address to update it to if the data in the database is outdated. The only thing missing is some execution daemon or … cron(8). :)

The machine at home has the following cron entry now:

*/5 * * * * ssh -4 -T -i /home/evgeni/.ssh/powerdyn_rsa powerdyn@ssh.die-welt.net

This connects to the machine with the database via v4 (my IPv6 address does not change) and that’s all.
As an alternative, one can add the ssh call in /etc/network/if-up.d/, /etc/ppp/ip-up.d/ or /etc/ppp/ipv6-up.d (depending on your setup) to be executed every time the connection goes up.

The machine with the database has the following authorized_keys entry for the powerdyn user:

no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding,no-user-rc,command="/home/powerdyn/powerdyn/powerdyn dorei.kerker.die-welt.net" ssh-rsa AAAA... evgeni@dorei

By forcing the command, the user has no way to get the database credentials the script uses to write to the database, nor can they update a different host. That seems secure enough for me. It won’t scale for a setup like DynDNS.com and the user management sucks (you even have to create the entries in the database first, the script can only update them), but it works fine for me and I bet it would for others too :)
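The forced-command script described above, as an added shell example that is not the author's powerdyn code: the record name comes only from the argument fixed in authorized_keys, the address only from sshd's $SSH_CLIENT, and both are validated before they reach the SQL statement. It assumes PowerDNS' stock gmysql schema (a records table with name, type, content and change_date columns) and MySQL's UNIX_TIMESTAMP(); the function names are made up.

```shell
#!/bin/sh
# Added example of the forced-command pattern, not the original powerdyn.
# Invoked by sshd as: powerdyn <hostname>   (hostname fixed in authorized_keys)
# Nothing typed by the SSH client is ever read; the only client-dependent
# input is SSH_CLIENT ("ip port serverport"), which sshd sets itself.

# First field of "$SSH_CLIENT" is the peer address. Prints "" if unset.
ip_from_ssh_client() {
    set -- $1
    printf '%s\n' "$1"
}

# Succeeds only for a dotted quad with every octet in 0..255. The cron job
# uses "ssh -4", so only A records are ever updated; IPv6 peers are refused.
is_ipv4() {
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case $o in
                ''|*[!0-9]*) exit 1 ;;
            esac
            [ "$o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# Builds the UPDATE for exactly one A record (assumed gmysql schema). The
# WHERE clause skips the write when the address is unchanged, so change_date
# (and thus the SOA serial) only moves when something is outdated. Name and
# address are whitelisted above, so interpolating them here is safe.
build_update_sql() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    is_ipv4 "$2" || return 1
    printf "UPDATE records SET content='%s', change_date=UNIX_TIMESTAMP() WHERE name='%s' AND type='A' AND content <> '%s';\n" "$2" "$1" "$2"
}

main() {
    host=$1
    ip=$(ip_from_ssh_client "${SSH_CLIENT:-}")
    if ! sql=$(build_update_sql "$host" "$ip"); then
        echo "powerdyn: refusing to update '$host' with address '$ip'" >&2
        exit 1
    fi
    # Hand the statement to the database client of your choice, e.g.
    #   printf '%s\n' "$sql" | mysql --defaults-file=/home/powerdyn/.my.cnf pdns
    # The credentials live in the powerdyn user's files; the forced command
    # is what keeps the SSH client from getting a shell there to read them.
    printf '%s\n' "$sql"
}

if [ $# -gt 0 ]; then main "$@"; fi
```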

Update: included suggestions by XX and Helmut from the comments.


Wheezy, ejabberd, Pidgin and SRV records

Posted in debian, english, fail, linux, planet-debian, software May 7, 2013

TL;DR: {fqdn, "jabber.die-welt.net"}.

So, how many servers do you have, that are still running Squeeze? I count one, mostly because I did not figure out a proper upgrade path from OpenVZ to something else yet, but this is a different story.

This post is about the upgrade of my “communication” machine, dengon.die-welt.net. It runs my private XMPP and IRC servers. I upgraded it to Wheezy, checked that my irssi and my BitlBee still could connect and left for work. There I noticed that Pidgin could only connect to one of the two XMPP accounts I have on that server. sargentd@jabber.die-welt.net worked just fine, while evgeni@golov.de failed to connect.

ejabberd was logging a failed authentication:
I(<0.1604.0>:ejabberd_c2s:802) : ({socket_state,tls,{tlssock,#Port<0.5130>,#Port<0.5132>},<0.1603.0>}) Failed authentication for evgeni@golov.de

While Pidgin was just throwing “Not authorized” errors.

I checked the password in Pidgin (even if it did not change). I tried different (new) accounts: anything@jabber.die-welt.net worked, nothing@golov.de did not and somethingdifferent@jabber.<censored>.de worked too. So where was the difference between the three vhosts? jabber.die-welt.net and jabber.<censored>.de point directly (A/CNAME) to dengon.die-welt.net. golov.de has SRV records for XMPP pointing to jabber.die-welt.net.

Let’s ask Google about “ejabberd pidgin srv”. There are some bugs. But they are marked as fixed in Wheezy.

Mhh… Let’s read again… Okay, I have to set {fqdn, "<my_srv_record_name>"}. when it does not match my hostname. Edit /etc/ejabberd/ejabberd.cfg, add {fqdn, "jabber.die-welt.net"}. (do not forget the dot at the end) and restart ejabberd. Pidgin can connect again. Yeah.


Opera, standards and why I should have stayed in my cave

Posted in fail, planet-debian, software March 30, 2013

So you probably heard that I have that little new project of mine: QiFi the pure JavaScript WiFi QR Code Generator. It’s been running pretty well and people even seem to like it.

One of its (unannounced) features is a pretty clean stylesheet that is used for printing. When you print, the result is just the SSID and the QR code, so you can put that piece of paper everywhere you like. That works (I tested!) fine on Iceweasel/Firefox 10.0.12 and Chromium 25.0. Today I tried to do the same in Opera 12.14 and it failed terribly: the SSID was there, the QR code not. And here my journey begins…

First I suspected the CSS I used was fishy, so I kicked all the CSS involved and retried: still no QR code in the print-out.

So maybe it’s the QR code library I use that produces a weird canvas? Nope, the examples on http://diveintohtml5.info/canvas.html and http://devfiles.myopera.com/articles/649/example5.html don’t print either.

Uhm, let’s Google for “opera canvas print”… And oh boy I should not have done that. It seems it’s a bug in Opera. And the proposed solution is to use canvas.toDataURL() to render the canvas as an image and load the image instead of the canvas.

I almost went that way. But I felt the urge to read the docs first. So I opened http://www.w3.org/html/wg/drafts/html/master/embedded-content-0.html#dom-canvas-todataurl and https://developer.mozilla.org/en-US/docs/DOM/HTMLCanvasElement and started puking:

When trying to use types other than “image/png”, authors can check if the image was really returned in the requested format by checking to see if the returned string starts with one of the exact strings “data:image/png,” or “data:image/png;”. If it does, the image is PNG, and thus the requested type was not supported. (The one exception to this is if the canvas has either no height or no width, in which case the result might simply be “data:,”.)

If the type requested is not image/png, and the returned value starts with data:image/png, then the requested type is not supported.

Really? I have to check the returned STRING to know if there was an error? Go home HTML5, you’re drunk!

Okay, okay. No canvas rendered to images then. Let’s just render the QR code as a <table> instead of a <canvas> when the browser looks like Opera. There is nothing one could do wrong with tables, right? But let’s test with the basic example first:

Yes, this is 2013. Yes, this is Opera 12.14. Yes, the rendering of a fucking HTML table is wrong. Needless to say, Iceweasel and Chromium render the example just fine. I bet even a recent Internet Explorer would…

That said, there is no bugfix or workaround for Opera I want to implement. If you use Opera, I feel sorry for you. But that’s all.

Update: before someone cries “ZOMG! BUG PLZ!!!”, I filed this as DSK-383716 at Opera.


QiFi – the pure JS WiFi QR Code Generator

Posted in mobile, planet-debian, software March 20, 2013

Some time ago, the QR Code Generator – WiFi Access made quite some noise on the mighty Internet. Sure, it is cool to be able to share your WiFi-access with someone by just showing him a QR code he can scan on his phone and the phone will auto-connect to the WiFi. But I get a strange feeling telling someone I do not know my WiFi credentials. No, I do not mean my guests, I know them. I mean that shiny web-service that will generate a QR code for me.

The geek in you will now say: “So? Open up a terminal, install qrencode, pipe it the string WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;; and you’ve got your QR code”. Yeah, that works. But was it one or two semicolons at the end? And was it really just WPA even if my WiFi uses WPA2? Oh and how do I encode that umlaut again? I do not want to remember this.

Thus, without too much rumble, may I present you: QiFi – the pure JS WiFi QR Code Generator. QiFi is a QR code generator for WiFi access in pure JavaScript. It will generate the QR code on your machine, in your browser, not leaking your precious credentials to anyone (but your guests). Don’t trust me? Read the code. Fork the code. Host the code yourself.

I hope you will find QiFi at least slightly useful ;-)


1410065408S

Posted in debian, english, fail, linux, planet-debian, software September 23, 2012

Do you deliver your mail with maildrop? If not, this post is only for your “amusement”.

My mailserver runs Postfix as MTA and maildrop as MDA, a pretty common setup I’d say. And it happens that maildrop supports quota. It supports it so well that I have no idea how to disable that support, but I also actually never cared, as my user database declares each user has 10GB quota for mails (courier’s authtest says “Quota: 10000000000S”, so does the configuration). And 10GB should be enough for everybody, right?

Well, so I thought until I noticed that my Icedove indicated a 99% full mailbox and shortly afterwards maildrop stopped delivering mails with “maildir over quota”. Looking at the maildirsize file in my maildir, I noticed that the quota is set to 1410065408S, a mere 1.4GB. Where does this number come from? The proficient reader will quickly see that 10000000000 mod 2^32 = 1410065408, so this is actually an integer overflow happening somewhere in the code handling the maildirsize file (read: in maildrop). A short dig through the Debian BTS revealed a bug from 2003, saying exactly the same. The bug also indicated that the issue is fixed since maildrop 2.5. A short cowbuilder run later, I had a maildrop_2.5.5-2_i386.deb, installed it and after the next mail delivery, my quota was at 10GB as it should be.

TL;DR: If you run into strange “maildir over quota” errors with maildrop on Debian Squeeze, get a newer maildrop (or backport that single patch to Squeeze’s maildrop).


Fun with Vodafone, erm, machines

Posted in fail, fun, german, spam September 19, 2012

Vodafone apparently has a funny website assistant that is supposed to help with navigating the site. If they think such an assistant is necessary, they should perhaps put the money into a better website rather than into such a strange service, but I had my fun anyway:

Alexander: Hello! I am happy to help you navigate the Vodafone website. What can I do for you?
You: are you a human? :)
Alexander: No.
Alexander: I am a real person.
Alexander: What can I do for you?
You: Tell me why I received an e-mail this morning saying I should confirm my new e-mail address.
Alexander: I will gladly get back to your request
Alexander: Please click “Yes” to open a new window for the chat. You can then move this window freely on your screen so that you can also see the website well.
Alexander: Thank you, and now to your question:
Alexander: What exactly would you like to do?
You: Talk to a human.
Alexander: Yes.
You: And now I want to know why my e-mail address is supposedly to be changed.
Alexander: Is this about a MobileMail or DSL e-mail?
You: What is the square root of two, squared?
Alexander: I am not that good at mathematics :-)
You: That is why I wanted to talk to a human and not to a robot.
Alexander: I am a Vodafone employee sitting in front of a computer, if that is what you mean.
Alexander: How can I help you?
You: You could answer my question from earlier:
You: Tell me why I received an e-mail this morning saying I should confirm my new e-mail address.
Alexander: I am sorry. For security reasons I have no access to your data, as I am only responsible for navigation on our Vodafone website.
You: Did you at least have the chance to find out in the meantime what the square root of two squared is?
Alexander: To clarify that, please contact our colleagues in customer service directly. Simply call 12 12 free of charge from your Vodafone mobile, or 0 800 172 12 12 from other German networks.
Alexander: My colleagues there will be happy to help you.
Alexander: Please excuse me. I cannot help you with that online. Please contact our colleagues in customer service.
Alexander: Can I help you with the Vodafone website?
Alexander: Are you still with me?
You: No, you cannot help me, you just said so yourself.
Alexander: If you have no further questions, I thank you and wish you a pleasant day.
Alexander: Should questions arise later, we are always there for you.


sorry for the spam

Posted in english, fail, planet-debian, spam September 18, 2012

This especially goes to planet.debian.org: SORRY!

My WordPress thought it was a great idea to deliver empty (no date, no link, no content) posts, randomly, and planet started to post everything as new as it took the feed. I still haven’t reenabled all the plugins, but it has been running stable for several hours now and I’ll try not to break it again.


Pictures from MRMCD2012

As almost every year, I attended MRMCD in Darmstadt two weeks ago. I think MRMCD is one of the nicest Chaos events we have in Germany, keep on rocking, guys!

This year, the usual hacking was enriched by a nice concert of tengrylab and pornophonique.

If you missed the event, or want to replay it in your head, have a look at my pictures of some strange hardware and the bands playing their tunes (both also mirrored in my mrmcd2012 flickr set).


Looking for new NAS hardware

Posted in debian, english, hardware, linux, planet-debian September 15, 2012

I will be moving soon and would like to replace my current NAS with something smaller, quieter and less power-hungry. Currently my NAS is dorei with an AMD Athlon II X2 240e and two 3.5″ SATA2 disks. It’s a nice machine, but I do not use its whole power and it’s too bulky for the new place.

So, what do I really need?

  • Debian, obviously
  • 2 (or more) SATA ports
  • 1 GigE port
  • preferably hardware crypto support (Intel AES-NI, VIA PadLock, etc)
  • enough power (CPU, RAM) to run the two disks in RAID-1 with dmcrypt and LVM (I do not need 200MiB/s, but 60-80 would be nice)
  • still enough power to run some mutt, irssi, mpd, icecast2 while idling

And what could I get?

  • VIA LN10000EG, x86, 1GHz VIA C7, only 2xSATA1, only FastEthernet, “only” 1GiB RAM possible, fanless, has hardware crypto, pretty old, I could get one used from a friend almost free
  • Qnap Turbo Station TS-219P II (or other TS-219…), ARM, 2GHz Kirkwood, 2xSATA2 + 2xeSATA, 1GigE, 512MiB RAM, 3xUSB2.0, not fanless, seems to have hardware crypto, about 280€ at Amazon
  • Synology DiskStation DS213 (or other DS21x), ARM, 2GHz Kirkwood, 2xSATA2 + sometimes eSATA, USB3.0, not fanless, seems to have hardware crypto, about 270€ at Amazon
  • ASUS NAS-M25, ARM, 1.2GHz Kirkwood, 2xSATA2, 3xUSB2.0, GigE, not fanless, no idea whether hackable enough to run Debian, about 150€ at Amazon
  • (update) HP ProLiant MicroServer N40L, x86, 1.5GHz AMD Turion II Neo, USB2.0, GigE, not fanless, seems to run crypto at about 60MB/s, about 200€ at Amazon
  • (update2) excito B3, ARM, 1.2GHz Kirkwood, 1xSATA2, 1xeSATA, 2xGigE, fanless, would love to see some crypto information, about 300€ at Amazon
  • (update3) Zotac ZBOX nano VD01, x86, 1.2GHz VIA Nano X2, 1xSATA2, 1xeSATA, GigE, not fanless, VIA hw crypto, about 140€ at Amazon

What shouldn’t I get?

  • something self-built would be expensive (about 200€ for CPU and board only, meh)
  • all those nice CuBoxes, CubieBoards, PandaBoard, Trim-Slice and what else is out there seem to have either only one (e)SATA or only FastEthernet or even both
  • the (really nice) Mele A1000 has also only one SATA and only FastEthernet

So, dear Lazyweb, tell me where to spend my money, please! Are the Kirkwoods capable of doing LVM-on-DMCrypt-on-RAID1? Are there new Atoms that are capable of such a setup (my old Atom 330 stops at about 20MB/s)? Or should I stop worrying and switch to punch cards?


Why I hope Twitter will die with the new API

Posted in blog, english, planet-debian, software September 14, 2012

First of all, allow me to say that I am a more or less passive Twitter user. Yeah, my profile page says I have almost 4 thousand tweets since I joined Twitter in June 2009, but most of them are either retweets or forwarded messages from identi.ca and Google+. Very few are actual Twitter-only conversations. You could say “drop that shit and use only free services” now, but Twitter has the same problem as ICQ: it was the first (widely adopted) service of that kind and still has the most users. For me this means I can reach more people and receive messages from more people (this is why I still have an ICQ account and did not switch to Jabber/XMPP-only). And this is also the only way Twitter can die: it has to lose users.

But this is today, the status quo. Twitter is about to change how messages can be distributed around the web. Radically. And I really hope they will choke and die. Preferably painfully but not necessarily slowly.

I do not want to repeat all those posts with rumors that Twitter wants to force the users to see their promoted tweets by forcing the clients to stricter display rules etc. That has been said. It is most probably true, but it has been said.

I want to speak about two other usecases which will be killed in the future.

1. Embedding tweets in websites

As far as I know I am not the only one who likes his tweets to be displayed somewhere on the personal website. As my site runs WordPress and writing plugins for WordPress is so dead simple, I wrote a plugin that fetches my timeline as RSS and displays it as a widget: wp-statusnet-widget. I have chosen RSS over JSON back then for one simple reason: WordPress does the job for me. Using fetch_feed I am able to fetch and parse a remote feed in a breeze, using WordPress’ internal caching mechanism etc. For JSON I would have had to write all this by myself (parsing JSON in PHP is easy, though). I do not like to write code which may contain mistakes and errors when I can rely on a perfectly working codebase. But now Twitter kills the RSS and Atom API because these “are infrequently used today”. Okay.

Switching to JSON would be a bit of pain, but doable. With one tiny exception: Twitter has decided to hide all JSON endpoints behind OAuth. They do this because it will “allow us to prevent abusive behavior” and help “further understand how categories of applications are using the API”. Both are lies. Given wp-statusnet-widget is open-source, I would publish its OAuth key on the internet and every jackass could copy and abuse it. Or I would not ship a key and every user would have to go through the burden of acquiring their own key, destroying all the possible statistics Twitter wants to get. Oh and I would have to get OAuth working in the first place, which means more code that can contain bugs, even if there are many OAuth libraries for PHP that I could embed (and track their updates, yay).

TL;DR: there won’t be any Twitter support in wp-statusnet-widget when Twitter switches to the new 1.1 API.

2. Following people without having a Twitter account

I know a bunch of people who do not want to have a Twitter account. Their reasons may vary but they have one in common: they use their regular feed reader to follow interesting accounts on Twitter. This won’t be possible with the new API. And I am pretty sure this won’t be a reason for them to get a Twitter account.

Both killed usecases mean a smaller reach for a single tweet and the people still using Twitter. When there are fewer minds to reach, why not stop using Twitter and go somewhere else? Which means less content and even less reach. Vicious circle, huh? Please die inside it, Twitter.
