The consumer loses once more

DRM strikes again. Apparently the PC version of Gears of War has stopped working, this time because of an expired certificate.

Even though I do not play Gears of War, I take issue with this for a number of reasons:

First, it’s another case where DRM does nothing to stop piracy but punishes the honest user who bought the original; no doubt the cracked versions of the game will keep working, since the certificate check has been stripped out of them.

Second, using any form of DRM with any type of media is incredibly shortsighted if it requires any external support to work correctly, be it a central authorization server, be it a correct clock, you name it. Sooner or later you won’t sell any more copies and thus you will shut your DRM servers down, screwing the most loyal of your customers.

This is especially apparent in the games market. No other market has such a vivid and ever-growing community of retro gamers. Like no other type of media, games make people want to go back to them and play them again, even after many years.

Older games are speedrun, discussed and even torn apart. Even if the number of players declines over the years, it never reaches zero.

Now imagine DRM in all those old games once the DRM server is turned off or a certificate expires: no more speedruns, no more discussion forums, nothing. The games are devalued and you, as a game producer, shut out your most loyal customers (those who still play your game after many years).

And my last issue is with this Gears of War case in particular: a time-limited certificate makes no sense here. It’s identity that must be checked. Say the AES key used to encrypt the game is signed with the publisher’s private key (so the matching public key is needed to verify it) and that public key is certified by the publisher’s CA. Then you check that the certificate really belongs to the publisher; checking the validity period adds nothing. If the certificate was valid when the game was signed, the signature is still the publisher’s today. This is exactly why code-signing schemes countersign with a trusted timestamp: the certificate is judged as of signing time, not as of whenever the user happens to start the program.

Or, put differently: a cracker able to forge certificates that look like they were signed by the publisher will most likely be able to give them any validity period he likes.

The issue here is probably that Gears of War uses some library function to check the certificate, and that library function also checks the validity period. Whoever issued the certificate either thought that “two years is well enough” or just took the default value in their software.

The developer calling the library function just uses it, without thinking about the validity period at all.

Maybe the game just calls some third-party DRM library which in turn calls the X.509 certificate validation routines and, in the name of “security by obscurity”, doesn’t document how the DRM works, so neither the developer nor the certificate issuer had any chance to see that the game would stop working once the certificate expired.

This is laziness.

So it’s not just monetary reasons that make DRMed media stop working. It’s also laziness and a false sense of security.

DRM is doomed to fail and the industry finally needs to see that.

Managed switch

Yesterday I talked about configuring a VLAN in my home network.

A VLAN (IEEE 802.1Q) uses a tag in the Ethernet frame header to create separate virtual network segments on the same physical network, but just go ahead and read the linked Wikipedia article, as it’s more detailed than what I would want to go into here.

To really make use of VLANs, you are going to need at least one managed switch (two in my case). I knew this and I was looking around for something useful.

In the end I went with two HP ProCurve 1800-8Gs: I wanted something with at least 8 ports and Gigabit capability, as I was feeling the bandwidth cap of the previous 100M connection between shion and my media center when streaming 1080p content.

I hope the 1G connection solves that, though the Drobo may still be the limiting factor here; still, a theoretical 480 Mbit/s (where are the Mac Minis with a FireWire 800 interface?) beats the 100 Mbit/s the old setup constrained me to.

The ProCurves are fanless, provide 8 ports and have a really nice web interface which is very easy to use and works in all browsers (unlike some Linksys devices whose interface only works with IE6; not even IE7 does the trick). The interface is also very responsive and even comes with excellent online help.

With only 10 minutes of thought going into the setup and another 5 minutes to configure the two switches, I was ready to hook them up and got instant satisfaction: in my server room I plugged a test machine into any of ports 2-7 and landed on VLAN 1 (the internal network). Then I plugged it into port 8 and was promptly on VLAN 2 (as evidenced by the public IP I got).

I have only three minor issues with the configuration of the two switches so far:

  1. They come with an empty administration password by default and don’t force you to change it. Granted, on a switch you cannot do as much mischief as on a router or, worse, a NAS or access point, but it’s still not a good thing: with VLANs in play, whoever can log in can move any port from the internal segment to the public one.
  2. They come preconfigured with the address 192.168.2.10 and DHCP disabled, practically forcing you to configure them locally before plugging them in. I would have hoped for DHCP enabled by default or, even better, the possibility of configuring them via RARP. Or they could provide a serial console, which they do not.
  3. To reset them, you have to unplug them, connect port 1 to port 2 and power them up again. While this prevents accidental resets, the procedure is a pain, and by the time I need it I will probably have forgotten it.

But these are minor issues. The quick web interface, the excellent online help and the small fanless design make this the optimal switch when you have advanced requirements but don’t need more than 8 ports.

There’s a larger 24-port cousin of the 1800-8G, but that one has a fan, so it was not an option in my case, especially not in the sideboard, where I’m now at the limit of the 8 ports.

Life is good

Remember last week when I was ranting about nothing working as it should?

Well, this week feels a lot more successful than the last one. It may very well be one of the nicest weeks I’ve had in IT so far.

  • The plugin system I’ve written for our PopScan Windows Client doesn’t just work, it’s also some of the shiniest code I’ve written in my life. Everything is completely transparent and thus easy to debug and extend. Once more, simplicity led to consistency, and consistency is what I’m striving for.
  • Yesterday we finally managed to kill a long-standing bug in a certain PopScan installation, which seemed to manifest itself as intermittently failing synchronization but was apparently synchronization that never worked at all. Now it works consistently.
  • Over the weekend, I finally got off my ass and used some knowledge of physics and a spirit level to re-balance my projector on its ceiling mount, making the picture fit the screen perfectly.
  • Just now, I’ve configured two managed switches at home to carry cable modem traffic over a separate VLAN, allowing me to abandon my previous wacky setup, which wasted a lot of cable and looked really bad. I was forced to do that because a TV connector I had mounted stopped working consistently (there’s the word again).

    The configuration I thought out worked instantly, and internet downtime at home (as if anybody counts) was 20 seconds or so; the TCP connections even all stayed up.

  • I finally got mt-daapd to work consistently with all the umlauts in the file names of my iTunes collection.

If this week is any indication of how the rest of the year will be, then I’m really looking forward to it.

As the title says: Life is good.

pointers, sizes

Just a small reminder for myself:

If

type
  TMyRecord = record
    pointer1: pointer;
    pointer2: pointer;
    pointer3: pointer;
    pointer4: pointer;
  end;
  PMyRecord = ^TMyRecord;

then

  sizeof(TMyRecord) <> sizeof(PMyRecord)   { 16 versus 4 bytes on 32-bit Delphi }

So

  var rec: PMyRecord;

  rec := AllocMem(sizeof(rec));   { sizeof(rec) is the size of the pointer, not of the record }

is probably not a sensible thing to do, at least not if you intend to actually put something into the space the pointer points to: sizeof(rec) is the size of the pointer, not of the record, so what was meant is sizeof(TMyRecord), sizeof(rec^) or simply New(rec). Writing a 16-byte record into a 4-byte allocation overwrites whatever the heap manager placed right after it, which is why the crash shows up far away from the actual bug.

At least it began breaking very soon and consistently once TMyRecord had enough members; too bad that I first looked in the completely wrong place.

Nothing beats the joy of seeing a very non-localized access violation go away after two hours of debugging, though.

Tunnel munin nodes over HTTP

Last time I talked about Munin, the one system monitoring tool I feel works well enough for me to actually bother with. Harsh words, I know, but the key to every solution is simplicity. And simple Munin is. Simple, but still powerful enough to do everything I would want it to do.

The one problem I had with it is that querying remote nodes happens over a custom TCP port (4949), which doesn’t get through firewalls.

There are some SSH tunneling solutions around, but what do you do if even SSH is not an option because the remote access method provided to you relies on some kind of VPN technology or access token?

Even if you could keep a long-running VPN connection, it is a performance-intensive solution, as it ties up resources on the VPN gateway. But this point is moot anyway because nearly all VPNs terminate long-running connections. If re-establishing the connection requires physical interaction, then you are basically done here.

This is why I have created a neat little solution which tunnels the munin traffic over HTTP. It consists of a local proxy server which your Munin master connects to as if it were a node, and a little CGI script on the remote end which forwards each command to the real node.

This causes multiple HTTP requests per query interval (the proxy uses Keep-Alive, so it’s not multiple TCP connections we are talking about; it’s just hits in the access.log that you’ll have to filter out somehow), because a CGI script cannot keep the connection open and send data both ways, at least not if your server side runs plain PHP, which is the case in the setup I designed this for.
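The mechanism described above, as an added example in Python (this is not the author’s code from GitHub): a proxy_session the Munin master talks to, a CgiHandler that stands in for the remote CGI script, and a constructed FakeNode with a single “load” plugin, all run in-process so the full round trip can be exercised offline. The URL path /munin.cgi, the banner texts, the ALLOWED verb filter and the fake node’s answers are assumptions made for the demonstration.

```python
"""Munin node protocol over HTTP: a local proxy, a CGI stand-in and a fake node.
The master talks to the proxy as if it were a node; the proxy turns every
command line into one HTTP POST; the CGI side opens a fresh TCP connection to
the real node, replays the command and returns the answer as the body."""
import io
import socket
import socketserver
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DOT_TERMINATED = {"fetch", "config", "nodes"}          # answers end with a lone "."
ALLOWED = DOT_TERMINATED | {"list", "version", "cap"}  # everything else is refused

def verb_of(command):
    return command.split(None, 1)[0] if command.strip() else ""

def read_reply(rfile, command):
    """Read one node answer; the verb tells us where the answer ends."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:                        # node closed the connection
            break
        lines.append(line)
        if verb_of(command) not in DOT_TERMINATED or line.rstrip(b"\r\n") == b".":
            break
    return b"".join(lines)

def relay_command(node_host, node_port, command):
    """CGI side: one TCP connection to the real node per forwarded command."""
    if verb_of(command) not in ALLOWED:
        return b"# Unknown command. Try cap, list, nodes, config, fetch, version or quit\n"
    # The timeout also bounds how long a hung node can tie up the CGI process.
    with socket.create_connection((node_host, node_port), timeout=10) as s, \
            s.makefile("rb") as rfile:
        rfile.readline()                    # swallow the "# munin node at ..." banner
        s.sendall(command.encode() + b"\n")
        return read_reply(rfile, command)

class CgiHandler(BaseHTTPRequestHandler):
    """Stand-in for the remote CGI script: the POST body is the munin command."""
    node = ("127.0.0.1", 4949)              # where the real munin-node listens

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        command = self.rfile.read(length).decode("ascii", "replace").strip()
        body = relay_command(self.node[0], self.node[1], command)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):           # keep the demonstration quiet
        pass

def proxy_session(rfile, wfile, cgi_url):
    """Proxy side: serve one master connection, one HTTP request per command."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    wfile.write(b"# munin node at http-proxy\n")  # banner the master expects first
    while True:
        line = rfile.readline()
        if not line:
            break
        command = line.decode("ascii", "replace").strip()
        if command == "quit":
            break
        req = urllib.request.Request(cgi_url, data=command.encode(), method="POST")
        with opener.open(req, timeout=10) as resp:
            wfile.write(resp.read())
    wfile.flush()

class FakeNode(socketserver.StreamRequestHandler):
    """Constructed stand-in for munin-node with a single "load" plugin."""
    replies = {"list": b"load\n",
               "config load": b"graph_title Load average\nload.label load\n.\n",
               "fetch load": b"load.value 0.42\n.\n"}

    def handle(self):
        self.wfile.write(b"# munin node at fake.example\n")
        for raw in self.rfile:
            cmd = raw.decode().strip()
            if cmd == "quit":
                return
            self.wfile.write(self.replies.get(cmd, b"# Unknown command\n"))

def run_demo(script=b"list\nconfig load\nfetch load\nquit\n"):
    """Run master -> proxy -> HTTP -> CGI -> node in-process; return the master's view."""
    node = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeNode)
    CgiHandler.node = ("127.0.0.1", node.server_address[1])
    web = HTTPServer(("127.0.0.1", 0), CgiHandler)
    for srv in (node, web):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        out = io.BytesIO()
        proxy_session(io.BytesIO(script), out,
                      f"http://127.0.0.1:{web.server_address[1]}/munin.cgi")
        return out.getvalue()
    finally:
        for srv in (web, node):
            srv.shutdown()
            srv.server_close()
```

In real use the CGI side reads the command from the POST body exactly as CgiHandler.do_POST does, and the proxy is a small TCP server on 4949 that calls proxy_session with the accepted socket’s read and write files. Since anybody who can reach the CGI URL can issue node commands, keep the ALLOWED filter, put the script behind HTTP authentication and TLS, and let the web server restrict the source address; the 10-second socket timeout in relay_command is what keeps a hung node from tying up a CGI process indefinitely.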

Anyway, the solution works flawlessly and helps me monitor a server behind one hell of a firewall and behind a reverse proxy.

You’ll find the code here (on GitHub as usual) and some explanation on how to use it is here.

Licensed under the MIT license as usual.

Bugs, Bugs and more Bugs

I love my job. Always have, always will.

But if you ask me what the most annoying aspect of it is, I’d answer that it’s stuff constantly breaking all around me.

Whatever I do, there is no guarantee that a given thing will work as expected: it may break from one moment to the next, or it may never work at all. There are hardware failures, OS failures, software failures; every single day I lose at least an hour or two to stuff not working or suddenly stopping to work.

Let me give you an account of what happened since the beginning of 2009:

  • When installing two previously configured servers at a colocation center, one didn’t start up at all (opening and closing the case again fixed that) and the ESX server on the other machine refused to connect to the VMware license server despite a working TCP/IP connection between them; that turned out to be a missing hosts file entry, despite connecting via IP address.
  • One day later, Outlook on the PC of someone whose computer I look after a bit decided to trash the .PST file and I had to guide the person over the phone to restore it from the backup.
  • Yesterday, my Firebug suddenly stopped working: the console object was no longer available to my scripts and the console itself didn’t work. Reinstalling the add-on helped (WTF?).
  • One of my two Vista Media Center PCs suddenly stopped playing any video file at all, despite my not installing updates on these machines precisely to prevent stuff like this from happening. To this date I have no idea how to fix it.
  • My Delphi 2007 installation just now decided to stop displaying the online help. Trying to fix that by reinstalling it ended with an error dialog whose title and content both read “Error”, but not before completely uninstalling Delphi, with no way of getting it back (you know… “Error” again). This was fixed by removing D2009 and then reinstalling 2007 and 2009, a process that took two hours of installation time and another three to figure out what was going on.
  • When I was frustrated enough and wanted to vent (i.e. write this post), my WordPress just now decided to do something really strange to the layout of the “Add New Post” page, which made it impossible to post anything. Disabling Google Gears and restarting the browser helped.

Our everyday technology is becoming more and more complex, causing more and more strange problems, which require more and more knowledge and time to work around. If we continue on that path, sooner or later it will be impossible to keep up with fixing the problems that pop up.

That will be the day when I’ll hopefully live on some island way off the net and all this stuff.

Monitoring servers with munin

If you want to monitor runtime parameters of your machines, there are quite a few tools available.

But in the past, I’ve never been quite happy with any of them. Some didn’t work, others didn’t work right and some others worked ok but then stopped working all of a sudden.

All of them were a pain to install and configure.

Then, a few days ago, I found Munin. Munin is optimized for simplicity, which makes it work very, very well. And the reports actually look nice and readable, which is a welcome bonus.

Apache parameters

Like many other system monitoring solutions, Munin relies on custom plugins to access the various system parameters. Unlike other solutions though, the plugins are very easy to write, understand and debug which encourages you to write your own.

Adding additional servers to be watched is a matter of configuring the node (as in “apt-get install munin-node”) and adding two lines to your master server configuration file.

Adding another plugin for a new parameter to monitor is a matter of creating one symlink and restarting the node.
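As an added example (not code from the page or from the Munin project), here is what such a plugin looks like in Python: munin-node calls it with the argument config to learn how to draw the graph and with no argument to fetch the current values. This one counts failed sshd logins in an auth.log whose path comes from the LOGFILE environment variable (an assumed setting, to be placed in the plugin’s plugin-conf.d stanza); the log lines in SAMPLE_LOG are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Munin plugin: failed sshd logins, parsed from auth.log.

Output formats munin-node expects:
  config  -> graph definition ("graph_title ...", "<field>.label ...")
  (none)  -> one "<field>.value <number>" line per field
"""
import os
import re
import sys

# sshd's failure line for a known or an unknown ("invalid") user name.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
Jan 12 10:00:01 shion sshd[2031]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Jan 12 10:00:03 shion sshd[2031]: Failed password for invalid user admin from 198.51.100.7 port 4023 ssh2
Jan 12 10:00:09 shion sshd[2040]: Accepted publickey for pilif from 192.0.2.5 port 51000 ssh2
Jan 12 10:01:30 shion sshd[2044]: Failed password for root from 203.0.113.9 port 3391 ssh2
Jan 12 10:02:00 shion CRON[2050]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_failures(lines):
    """Return (failed_logins, distinct_source_ips, attempts_on_unknown_users)."""
    total = invalid = 0
    sources = set()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        total += 1
        sources.add(m.group(2))
        if "invalid user" in line:
            invalid += 1
    return total, len(sources), invalid

def config_output():
    """Graph definition returned for the "config" argument."""
    return ("graph_title Failed SSH logins\n"
            "graph_category security\n"
            "graph_vlabel attempts\n"
            "failed.label failed logins\n"
            "failed.type GAUGE\n"
            "sources.label distinct source IPs\n"
            "sources.type GAUGE\n"
            "invalid.label unknown user names\n"
            "invalid.type GAUGE\n")

def fetch_output(lines):
    """Value lines for the current run, in the format munin expects."""
    failed, sources, invalid = parse_failures(lines)
    return f"failed.value {failed}\nsources.value {sources}\ninvalid.value {invalid}\n"

def main(argv):
    logfile = os.environ.get("LOGFILE", "/var/log/auth.log")   # assumed env setting
    if argv[1:] == ["config"]:
        sys.stdout.write(config_output())
        return 0
    if argv[1:] == ["autoconf"]:
        print("yes" if os.path.exists(logfile) else "no (log file not found)")
        return 0
    try:
        with open(logfile, errors="replace") as fh:
            sys.stdout.write(fetch_output(fh))
    except OSError as exc:
        print(f"# cannot read {logfile}: {exc}", file=sys.stderr)  # munin will plot U
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Drop the file into /etc/munin/plugins (or symlink it there, as described above) under an assumed name such as ssh_failed, make it executable, give it a stanza in plugin-conf.d with env.LOGFILE and a user that may read the log, restart the node, and try it with munin-run ssh_failed and munin-run ssh_failed config. Counting over the whole file gives a cumulative figure that drops at log rotation; for a per-interval rate either declare the fields as DERIVE with min 0 or keep a state file between runs.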

Manifestation of a misconfigured cronjob

On the first day after deployment the tool already proved useful in finding a misconfigured cronjob on one server: it ran every minute for one hour every second hour instead of once every two hours (presumably the classic “* */2 * * *” where “0 */2 * * *” was meant).

Munin may not have all the features of the full-blown solutions, but it has three real advantages over everything else I’ve seen so far:

  1. It’s very easy to install and configure. What good is an elaborate solution if you can never get it to work correctly?
  2. It looks nice and clean. If looking at the reports hurts the eyes, you don’t look at them, or you don’t understand what they want to tell you.
  3. Because the architecture is so straightforward, you can create customized counters in minutes, which in the end gives you a much better overview of what is going on.

The one big drawback is that the master data collector needs to reach the monitored servers on TCP port 4949, which is not exactly firewall-friendly.

Next time, we’ll learn how to work around that (and I don’t mean the usual ssh tunnel solution).