Friday, November 16, 2012

Automatic connection to VPN server in Ubuntu Precise 12.04

Ubuntu Precise 12.04's NetworkManager service can be used to access VPN connections, and can be configured to connect at boot-time without having to add any additional packages to the system. Using the following script, I access my FreeBSD OpenVPN server (configuration was covered in a previous post) at boot time.

Save the following script to /etc/NetworkManager/dispatcher.d/02vpn:
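#! /bin/bash

# Placeholders: set these to the connection names shown by "nmcli con status".
REQUIRED_CONNECTION_NAME="<name of the connection that must be up first>"
VPN_CONNECTION_NAME="<name of the VPN connection>"

# Bring the VPN up only when the required connection is active and the VPN is not.
activ_con=$(nmcli con status | grep "${REQUIRED_CONNECTION_NAME}")
activ_vpn=$(nmcli con status | grep "${VPN_CONNECTION_NAME}")
if [ -n "${activ_con}" ] && [ -z "${activ_vpn}" ]; then
    nmcli con up id "${VPN_CONNECTION_NAME}"
fi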
Don't forget to mark the script as executable with chmod:
chmod +x /etc/NetworkManager/dispatcher.d/02vpn

VPN_CONNECTION_NAME should correspond to whatever VPN connection you have configured using Network Manager. If, for some reason, you can't configure VPN connections in Network Manager, you may need to install the appropriate plug-in:
apt-get install network-manager-openvpn network-manager-openvpn-gnome

Sunday, November 11, 2012

"Life-changing" VIM plugin: "Screen"

Eric Van Dewoestine's Screen plugin for VIM is terrific. Not only is the plugin "life-changing," but it's also exceptionally easy to install, and should serve as an example for other VIM plugin developers.

If you use VIM and enjoy the command line, make sure you check it out. I think this plugin is much better and far more intuitive than 'conque shell.'

Special hint: try pressing control-A control-A when the embedded shell is displayed.

If you don't use VIM, here's why you might want to try it:
  • You are a touch typist
  • You want to move around extremely rapidly in files without taking your fingers off of the keyboard
  • You want to do incredibly powerful bulk edits

Sunday, October 21, 2012

Google Voice Poetry

The coolest feature about the Android is its excellent voice recognition capabilities. I like to send it difficult or unintelligible syntax, and I appreciate how the software seems to understand part-of-speech and grammar so well that it makes complete sentences out of what I dictate:

You'll have to wait for the Apes to happen
They keep some noise
The evening has no eyes
Nothing undoing the drawers in the middle of this s*** shoe box

I think that, somewhere on the Internet, a microcontroller is crying.

Product review: Republic Wireless Defy XT 557

I admit: I'm a luddite. Although I worked as a mobile software developer for several years, I'm one of the last to acquire a smart phone. But now, I am the owner of a Motorola Defy XT, thanks to Republic Wireless. I guess that it's about time that I joined 2010 (my previous phone is a Verizon Samsung SCH-U620).

Frankly, I'm kind of pissed off that this has happened. Nobody does voice calls any more. Everyone seems to want to live a quiet, silent life of text messaging. When I ride mass transit, people look at each other when they make voice calls. I was very happy with my itty bitty Samsung device with physical buttons that fits conveniently in my pocket, but not happy with the prospect of paying $60 per month for a data package that I deemed useless. Republic Wireless' voice roaming onto 802.11 wireless networks was just hackerly enough for me to appreciate their innovative business model, and actually want to try out their service.

I can do everything that I can do on the smartphone better on my netbook computer. As I've attempted to let the smartphone take over my life, I've noticed that it takes me a lot longer to communicate with others. I suppose that the smartphone thing is pretty cool for people who don't regularly touch type, but the lack of a physical keyboard is a serious drawback.

However, the ubiquitous 3G data roaming onto Sprint's network within the greater Los Angeles area has been superb. I'm very impressed with how easy it is for me to do simple email communications and web browsing on the small platform. That stated, if I amortize the cost of the device out over one year, the device costs me $43 per month. At that price, it is extremely competitive with any existing Verizon wireless plan, and I have all of the features that I could possibly want. Plus, any dead zones that I regularly encounter on USC's campus are filled in with Republic Wireless' ability to roam onto wireless networks.

Overall, I'm really impressed with the product. My only quibble is that I cannot unlock / root the phone, because the SPC / MSL numbers don't seem to be readily accessible, although it's probably just a matter of time.

Monday, October 15, 2012

Setting up OpenVPN on FreeBSD

I've found a few tricks to help improve OpenVPN setup on FreeBSD. First off, there's a reasonably good Perl script that makes the process a bit easier. Install security/ssl-admin.

Next, set up your /usr/local/etc/openvpn/server.conf file:

proto udp
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

# Makes a local area network available to other clients
# This could be the IP block of your home network
push "route"
ifconfig-pool-persist ipp.txt
user nobody
group nobody
keepalive 10 120
status openvpn-status.log
verb 4
crl-verify /usr/local/etc/openvpn/crl.pem

Edit /usr/local/etc/ssl-admin/ssl-admin.conf.default and save as ssl-admin.conf in the same directory. Examples for the United States are shown below:

Next, use the ssl-admin tool to create server certificates. Launch ssl-admin. You're presented with a "user-friendly" menu, but the menu requires knowledge about SSL certificate exchange. This knowledge isn't really necessary in order to set up a server. When the program initially executes, it will automatically ask you to create a certificate authority (CA) identity. Make sure you encrypt this certificate with a password. Next, choose option dh, and then option S. Option S will prompt you for an "owner name." To make things less confusing, type "server" as the owner name.

Once these certificates have been generated, you'll want to copy them into your OpenVPN configuration directory:

cd /usr/local/etc/ssl-admin/active
sudo cp server.crt server.key ca.crt ../prog/crl.pem ../dh2048.pem /usr/local/etc/openvpn/

Edit /etc/rc.conf and add the lines:
# OpenVPN Server
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

Configure your firewall to allow traffic into OpenVPN. If you use ipfilter, add the following lines to your /etc/ipf.rules file and then restart the ipfilter service:
# OpenVPN
pass in quick on XXXX proto udp from any to any port = 1194 keep frags
Now you should be able to start the OpenVPN server.
/usr/local/etc/rc.d/openvpn start

Server configuration is complete! Now you can create certificates for clients. I suggest creating /usr/local/etc/openvpn/client.conf:
dev tun
proto udp
resolv-retry infinite
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3

Make a symlink so this configuration is included in the client configuration archive:
ln -s /usr/local/etc/openvpn/client.conf /usr/local/etc/ssl-admin/packages/client.ovpn

Using the ssl-admin tool, choose option (4) to create certificates for a client. The script will prompt you for another owner name -- choose something that is descriptive of the remote host so that you can figure out what certificate is for what host.

When the script asks you "Can I move signing request (xxxx.csr) to the csr directory for archiving?", choose Yes. After the script creates the certificate for the remote host, choose option (z).

Although this blog post will get you started, some of the methods used are dated. Apparently Ubuntu 10.10 now allows import of pkcs12 .p12 files. Essentially, these files replace the archive created by ssl-admin's option (z).
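A check for the server and client configuration built in this post, as an added Python example (not part of the original post, OpenVPN or ssl-admin): it flags a private key accessible to group or others, a missing user or crl-verify directive, a CRL that cannot be re-read once root is dropped, and a client config without remote-cert-tls server. The function names, the world-readable heuristic and the sample configs are assumptions constructed for the example.

```python
import os
import shlex
import stat

# Constructed samples modelled on the server.conf and client.conf in this post.
SERVER_CONF = """\
key server.key
user nobody
group nobody
crl-verify crl.pem
"""
CLIENT_CONF = "dev tun\nremote-cert-tls server\nkey client.key\n"


def parse_openvpn_conf(text):
    """Return {directive: [args]} for every non-comment line (last one wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            conf[parts[0]] = parts[1:]
    return conf


def audit_server(conf_text, conf_dir):
    """Return a list of findings for a server config whose files live in conf_dir."""
    findings = []
    conf = parse_openvpn_conf(conf_text)
    drops_root = "user" in conf
    if not drops_root:
        findings.append("no 'user' directive: daemon keeps root after startup")
    key = conf.get("key")
    if key:
        path = os.path.join(conf_dir, key[0])
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("private key %s is accessible to group/others" % key[0])
    crl = conf.get("crl-verify")
    if not crl:
        findings.append("no 'crl-verify': revoked client certificates are still accepted")
    else:
        path = os.path.join(conf_dir, crl[0])  # an absolute path in the config wins
        # Heuristic (assumption): the unprivileged user needs the "other" read bit,
        # because the CRL is read again on each connection, after root is dropped.
        if drops_root and os.path.exists(path) and not os.stat(path).st_mode & stat.S_IROTH:
            findings.append("CRL %s is not world-readable but is re-read after root is dropped" % crl[0])
    return findings


def audit_client(conf_text):
    """Return findings for a client config."""
    conf = parse_openvpn_conf(conf_text)
    if conf.get("remote-cert-tls") != ["server"]:
        return ["no 'remote-cert-tls server': any certificate signed by the CA can pose as the server"]
    return []
```

Run audit_server against the text of server.conf and the directory the certificates were copied into; an empty list means none of these checks fired.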

Monday, September 10, 2012

Concatenating PDF files using Windows Shell Add-ons

I was tasked with finding a good utility that would allow me to highlight a number of PDF files in the Windows Explorer, and then right-click to concatenate (combine) the files together to form one large PDF file.

PDFTk, the PDF toolkit, does this very well from the command line; however, the prospect of using a command-line tool is daunting to the average user.

I found a FANTASTIC tool called pdftk4all. It functions as a very easy-to-use front end to pdftk. Plus, it integrates a plethora of common features into a series of logical, easy-to-use contextual menus. As a programmer, one of the best features of this program is that its source code includes a very simple example of how to create cascading contextual menus for the Windows Explorer shell.

As best I can tell, there is truly no reason to purchase Adobe Acrobat.

Thank you to Maarten Veerman for PDFTK4ALL!

Sunday, September 9, 2012

A requiem for SharedCopy

The Internet did not shed a single tear this week at the demise of one of my favorite websites. I found Chew Choon Keat's SharedCopy to be incredibly useful, but it is now dead -- the website has disappeared, without a trace. I've scoured the search engines looking for information about the fate of, but nobody has said a peep. Along with the death of this website comes the disappearance of any information that I had saved using their excellent web annotation software.

This is yet another argument for using locally-developed, open-source tools to manage your own data, rather than using "the cloud." When will I learn?

Saturday, September 8, 2012

Getting spellchecking to work in LibreOffice / FreeBSD

I recently recompiled the LibreOffice port in FreeBSD and discovered that spell checking was not working. I installed textproc/en-hunspell and textproc/en-aspell and all was well.

PC-BSD 9 -> FreeBSD Notes

I've been using PC-BSD 9 for a while, and I got sick of having only PBI (push-button installer) software installed, opting for a more traditional BSD experience of dependency hell. Here are a few tips for the uninitiated (notes for noobs) -- to help you get away from PC-BSD PBI updates and into FreeBSD source-centric happiness.
  1. Use portmaster to upgrade packages. It's really the way to go. In order to get portmaster, you can use the command: portupgrade -PN portmaster
  2. The first time you upgrade your packages, browse /usr/ports/UPDATING. When you update your packages, this is the first place to look when something doesn't compile. After you finish with your update, NOTE THE DATE OF THE UPDATE somewhere. That way, the next time you upgrade packages, you don't have to look through the entire /usr/ports/UPDATING file.
  3. Accelerate your life. Tell FreeBSD to find and use the fastest mirror site:
    1. portmaster ports-mgmt/fastest_sites
    2. /usr/local/bin/fastest_sites > /usr/local/etc/ports_sites.conf
    3. echo '.include "/usr/local/etc/ports_sites.conf"' >> /etc/make.conf
  4. PERL updates are funky. When updating PERL, you'll need to update the many PERL packages that are already installed on your system. The p5-XML-SAX- packages are temperamental because p5-XML-SAX-Expat modifies a file that is contained in p5-XML-Parser. I haven't bothered to understand the problem well enough to write a definitive tutorial here. You'll also need to update all p5- ports, as well as print/foomatic-db-engine because it, too, contains a PERL package.

  5. Make your fonts pretty. Everyone uses LCDs these days, so go download some patches to better support your eyeballs. The patches at allow FreeBSD to use subpixel antialiasing. The only port that I needed to patch in order to make both Firefox and LibreOffice look beautiful was the freetype2 package.
  6. Update your kernel for the latest fixes. If you decide to update your kernel (at this point, there are lots of bugfixes in 9-STABLE), try SVN: 
    1. svn checkout svn:// /usr/STABLE
    2. mv /usr/src /usr/RELEASE
    3. ln -s /usr/STABLE /usr/src
  7. Do all your configs at once. When using the Makefiles in /usr/ports/..., all you need to do is make config-recursive. portmaster apparently does this by default; I haven't yet figured out how to cause the tool to prompt with all of the configs (maybe using the -P option has something to do with this).

Friday, August 31, 2012

Product review: Plato's Habanero-Infused Olive Oil

Plato's Habanero-Infused Spicy Olive Oil is a real treat. To date, my favourite pairing is to use the stuff on sandwiches; in general, it's just really really good on bread. Another great thing about the stuff is that you can adjust the 'spiciness' of a food just by adding more or less of the product.

As a supertaster, I really had never been a fan of olive oil because I thought that it tastes bitter and woody. I didn't know that olive oil can be sweet, fruity, and have a pleasing fragrance. My friend Mike has started a company that sells an infused extra-virgin olive oil that really surprised me. 

Give it a try!

Sunday, July 22, 2012

Howard Miller Accuwave DS Manual

Here's an operating manual for a Howard Miller Accuwave DS "radio-controlled" clock.

Of particular note is the fact that the device does not work very well in California. As such, you must be patient to set these clocks manually -- they seem to need to "struggle" for an hour or so before you can manually adjust them.

Update 3/13/2014: Since the daylight savings time switch, my clock reset itself about four times, frequently setting itself 20 minutes behind the correct time. I determined that the issue was caused by a low battery.

A great way of shrinking image-heavy PDF files

I recently had to cut a huge PDF file down to a reasonable size; the images that were included in the original document were huge. I found the following GhostScript commands to be very helpful. They downsample the images without changing any of the associated text.

gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -dPDFSETTINGS=/ebook -sOutputFile=output.pdf -f input.pdf

One can get images to be smaller with a few tweaks:

gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -dDownsampleColorImages=true -dColorImageDownsampleType=/Average -dColorImageDownsampleThreshold=1.0 -dColorImageResolution=36 -sOutputFile=output_smaller.pdf -f input.pdf
UPDATE: For e-ink readers, oftentimes, color images are a waste. Here's a way to convert color to grayscale (greyscale?):
gs -q -dNOPAUSE -dBATCH -sOutputFile=grayscale.pdf -sDEVICE=pdfwrite -sColorConversionStrategy=Gray -dProcessColorModel=/DeviceGray -dCompatibilityLevel=1.4 -f color.pdf

Saturday, July 21, 2012

Beer Review: New Belgium La Folie Sour Brown

I'm a fan of sour beers. I find them to be exceptionally easy to drink; they settle my stomach and leave me feeling relaxed and very comfortable. That stated, I had some La Folie at Lucky Baldwin's last night, and I was extremely impressed. The flavor evolves from a pungent sweet-sour cherry, and then mellows on the palate to form a creamy, rich, nutty aftertaste that lingers deliciously. I think this beer is probably the best offering that I have sampled from New Belgium -- even better than their excellent 1554. Find it on tap at Lucky Baldwin's in Old Town Pasadena!

Tuesday, July 17, 2012

LibreOffice's "Automatic" text color isn't black in Ubuntu 12.04 Precise!

After using Ubuntu 12.04 Precise Pangolin for some time, I noticed that one of the applications that I use all of the time -- LibreOffice -- was not using black (#000000) as the "Automatic" (default) text colour for new documents that I created. This is extremely annoying because I like to copy and paste text into documents and use the "Clear Formatting" feature. Unfortunately, this causes the text to revert to a light grey (gray) colour: #3C3C3C. Yuck!

There is a solution, however. Benjamin Drung (bdrung) wrote Ambiance," and change the default colour to black. To fix the problem:

  1. Open the gtk theme for Ambiance
  2. Search for ntext_color
  3. Replace #3C3C3C with #000000
Re-load LibreOffice; problem solved.

Why LibreOffice uses the GTK theme system to determine its "Automatic" colour is beyond me; this seems like a very irritating "feature."

Wednesday, May 16, 2012

Dynamic DNS update Python script, for use with a home gateway device

I use the free ZoneEdit service to keep a dynamic DNS entry up-to-date. I also now use a Netgear WNDR4000 wireless router to connect to the Internet through my cable modem.

I have authored a script that uses HTTP basic authentication to grab the IP address from my router, compare it to the last polled IP address, and update ZoneEdit with the new IP if it has changed. I have this script set to run every minute.


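import urllib2, re, tempfile, os

# User variables - change these to fit your router
# (the values below are placeholders; the originals are not shown on this page)
router_webpage = "<URL of the router status page>"
router_user = "<router username>"
router_passwd = "<router password>"
zoneedit_url = "<ZoneEdit dynamic update URL>"
zoneedit_host = "<hostname to update>"
zoneedit_user = "<ZoneEdit username>"
zoneedit_passwd = "<ZoneEdit password>"
debug = True

# Returns a string containing webpage contents
def fetch_webpage(location, username, password):
  passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
  passman.add_password(None, location, username, password)
  authhandler = urllib2.HTTPBasicAuthHandler(passman)
  opener = urllib2.build_opener(authhandler)
  # Use the opener so that the basic-auth handler is actually applied
  return opener.open(location).read()

# Scrape the current WAN address from the router status page
s = fetch_webpage(router_webpage, router_user, router_passwd)
pattern = re.compile(r"IP Address.*?([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})", re.DOTALL)
m = pattern.search(s)
if m is None:
  raise SystemExit("No IP address found on the router page")
newip = m.group(1)
if debug: print "Current IP Address: " + newip

# The last polled address is kept in a file in the temp directory
filename = tempfile.gettempdir() + "/router_ip"
flags = "r+"
if not os.path.exists(filename):
  flags = "w+"
f = open(filename, flags)

oldip = f.read().strip()

if oldip == newip:
  if debug: print "Old IP is the same (" + oldip + ")"
else:
  # Record the new address, then send the update to ZoneEdit
  f.seek(0)
  f.truncate()
  f.write(newip)
  web_result = fetch_webpage(zoneedit_url + zoneedit_host, zoneedit_user, zoneedit_passwd)
  if debug: print web_result
f.close()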
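The compare-and-update step of the script above, as an added Python 3 example that is not the author's code: it validates the address scraped from the router page before publishing it, and keeps the last-seen IP in a caller-chosen state file that is written atomically with mode 0600, instead of a fixed name in the shared temp directory. The sample page, the function names and the publish callback are assumptions constructed for the example.

```python
import ipaddress
import os
import re
import tempfile

# Same idea as the pattern in the script above: first dotted quad after "IP Address".
IP_PATTERN = re.compile(r"IP Address.*?((?:[0-9]{1,3}\.){3}[0-9]{1,3})", re.DOTALL)

# Constructed sample of a router status page (not captured from a real device).
SAMPLE_PAGE = """<tr><td>IP Address</td>
<td>203.0.113.45</td></tr>
<tr><td>IP Subnet Mask</td><td>255.255.255.0</td></tr>"""


def extract_wan_ip(html):
    """Return the WAN address as a string, or None if absent or unusable."""
    m = IP_PATTERN.search(html)
    if m is None:
        return None
    try:
        addr = ipaddress.IPv4Address(m.group(1))  # rejects e.g. 999.1.1.1
    except ipaddress.AddressValueError:
        return None
    # 0.0.0.0 or a link-local address usually means the WAN link is down.
    if addr.is_unspecified or addr.is_link_local or addr.is_loopback:
        return None
    return str(addr)


def read_last_ip(state_path):
    """Return the stored address, or an empty string on the first run."""
    try:
        with open(state_path, "r") as f:
            return f.read().strip()
    except FileNotFoundError:
        return ""


def write_last_ip(state_path, ip):
    """Atomically replace the state file; mkstemp creates it with mode 0600."""
    directory = os.path.dirname(state_path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".router_ip.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(ip + "\n")
        os.replace(tmp, state_path)
    except BaseException:
        os.unlink(tmp)
        raise


def check_and_update(html, state_path, publish):
    """Call publish(ip) only when a valid address differs from the stored one."""
    new_ip = extract_wan_ip(html)
    if new_ip is None:
        return "invalid"
    if new_ip == read_last_ip(state_path):
        return "unchanged"
    publish(new_ip)                    # e.g. the dynamic DNS HTTP request
    write_last_ip(state_path, new_ip)  # recorded only after publish succeeded
    return "updated"
```

Because the state is written only after publish returns, a failed update is retried on the next run instead of being silently recorded as done.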

Monday, February 6, 2012

Make your GeForce GT 520 (or any Nvidia) video card sip power

I recently acquired an HP ProLiant Microserver N40L to replace my old giant mid-tower RAID box. Now that FreeBSD 9.0-RELEASE has integrated ZFS v28 for several months, I decided to migrate away from OpenIndiana 151a and enjoy FreeBSD's Linux binary compatibility, more up-to-date software selection, and a broader install base.

I imported my GeForce GT 520 video card into my new ProLiant microserver. The video card can be adapted to a "low profile" PCI slot by replacing the bracket in the front of the card. I disconnected the card's fan because it was loud, annoying, and making the dreaded "my bearings are out" screeeeeeeeching noise.

The GT 520 supports two digital monitors -- one connected via HDMI, and one via DVI. After enabling the commercially supported 'nvidia' driver by adding nvidia_load="YES" to /boot/loader.conf and generating a suitable xorg.conf file by running nvidia-xconfig, I was able to run nvidia-settings and watched my card idle at 85 degrees C. My power meter measured my system's idle consumption in X11 to be 80 watts. I also noticed that the PowerMizer showed that my card was operating at the maximum performance level.

After a bit of research, I discovered how to force the card into low-power mode. I added the following boldfaced lines into my /etc/X11/xorg.conf file:

Section "Device"
  Identifier     "Device0"
  Driver         "nvidia"
  VendorName     "NVIDIA Corporation"
  BoardName      "GeForce GT 520"
  Option  "RegistryDwords" "PowerMizerEnable=0x1; PerfLevelSrc=0x2222; PowerMizerDefaultAC=0x3"
EndSection
This tells the card to enable PowerMizer; 0x2222 stands for "fixed frequency on battery and on AC" (byte 0x22 is for fixed frequency, 0x33 is for adaptive frequency, MSB is for battery), and the default power profile on AC is the lowest level (0x3 is lowest power, 0x2 is medium power, and 0x1 is high power).

I rebooted, and measured my card's idle temperature at 48 degrees C and idle power consumption in X11 to be 70 watts. This is a ten-watt power savings -- and remember, I disconnected the GT 520's fan.

The GeForce GT 520 is a great choice for anyone wanting to attach one or more DVI monitors to a low-power or passively cooled workstation.

I do not recommend ATI cards because configuring them to dual-head in Solaris or BSD environments has been nothing but a headache for me.

Saturday, January 21, 2012

Very cool: Overlaying video on encrypted HDMI connections

Overlaying video on encrypted HDMI connections


[bunnie] is up to his old tricks again. He successfully implemented a man-in-the-middle attack on HDCP-secured connections to overlay video in any HDMI video stream. There’s a bonus, too: his hack doesn’t use the HDCP master-key. It doesn’t violate the DMCA at all.

HDCP is the awful encryption scheme that goes into HDMI-compatible devices. Before HDCP, injecting video overlays or even chroma keying was a valid interpretation of fair use. [bunnie] thinks that HDMI devices should have the same restrictions analog devices have, so he decided to funnel his own video into his TV.

The build uses the NeTV, a handy and cheap FPGA board with an HDMI input and output. [bunnie] got the FPGA to snoop the HDMI bus and decide if a pixel needs to be changed or not. This isn’t much different from what researchers in Germany did a few months ago, but unlike the academic security researchers, [bunnie] gives you a shopping list of what to buy.

As an example of his work, [bunnie] implemented something like a ‘tweet ticker’ on HDCP-encrypted video. There’s very little the NeTV setup can’t do from chroma keying, filters, or simply dumping the HDMI stream to a hard disk. Check out the slides from [bunnie]’s talk to get a better idea of what he did.

[PAPPP] found a video of the talk in question. Check that out after the break.
