Wednesday, June 13, 2012

Macbook Air / Mac OS X rant

When Apple presented their new MacBook line yesterday (the retina display is not only amazing, but very necessary to make other people (Lenovo, I mean YOU) stop putting crappy 1368x768 displays in premium laptops), I remembered that I wanted to write about my experience with Apple hardware.

A couple of months ago I got a MacBook Air. Everybody was super happy with them and they looked like "user friendly Unix" systems, so I got one off eBay for a great price. Since it wasn't recent, I will just copy-paste my list-review from an email I sent to a friend. Please note that this was November 2011, it might have changed now. I no longer have the laptop so I couldn't re-test the stuff.

- I love the design and weight. It is thin and looks even thinner.
- The battery time is decent (11" model).
- The screen is OK, 1368x768 for 11" is acceptable. Glossy screens are not my thing, though, I use the laptop mainly to work / browse, not watch movies in dark rooms.
- The sound is surprisingly good. I must say I was impressed how loud and clear it was.
- Air intake through keyboard is a quite nice solution, in general, allows to use the laptop on soft surfaces like beds/sofas. Sometimes I leave my laptop closed while number-crunching / compiling at night, the MacBook wouldn't be able to do that.
- Safari: no unified URL/Search box. Hello? Welcome to 2011! On top of that, no option to activate search keys (g X to look for X on google, a X to look for X on amazon, etc) by default, only with some (obscure extensions).
- There is NO DELETE KEY! WTF!?!
- I like very much the option to "pin app to desktop" and swipe between them with 3 fingers. I dislike that they cannot be rearranged by drag and drop... or any other manner, AFAIK.
- Incredibly difficult to remap the keyboard (I HATE the German QWERTZ). Xmodmap file exists, gets ignored. KeyBindings4Mac works but it's very cumbersome to use and needs to do funky kernel shenanigans to work. DoubleCommand doesn't work well, needs to be uninstalled from the command line. User friendly, was it? Maybe to look at Facebook, not advanced stuff.
- Firefox (my browser of choice) isn't integrated at all. Camino is outdated. Safari sucks (see first point). The most decent browser is Opera, but still far from perfect. No easy way to install Chromium (gave up after 10 min). User friendly? Not even for Facebook browsing, in the end :/
- There is no 3rd button. No way to open a link in a new tab using one hand/touchpad only. ThinkPad's physical 3rd button is a killer feature for web browsing, opening/closing tabs with one click.
- No Home/End keys. No PgUp/PgDown keys. In the German layout, no bracket/curly brace keys!!! After trial and error I found the brackets at AltGr+5/6 and curly braces at AltGr+parentheses. It must be a NIGHTMARE to write C code with this. And the keyboard in general is unimpressive at best. But then again, I am used to a ThinkPad keyboard, so I might be spoiled/biased.
- Very unclear CMD / Ctrl usage. Especially on the console. Ctrl+D doesn't close the terminal, splits it instead (!). Usually CMD is used instead of the PC's Ctrl, but not always.
- Lack of Yakuake. For me Yakuake is THE killer application, period. I would need a whole post just to praise all its features. I will just say is hands down my favorite and most useful app. Nothing else even comes close (tilda, guake, etc on linux included). TotalTerminal is a sorry imitation.
- X11 programs are confusing. Similar to the CMD / Ctrl problem.
- I am not used to apps staying in memory after last window is gone. I guess this is a getting-used-to-it thing, I can see how other people might like it.
- I like the FileVault idea, making whole disk encryption easy to use. However, it ended up being much more difficult in the end. My story: the first thing I did when I got the computer was to reinstall Mac OS X to wipe any data / software present on it. Since I was at it, I activated FileVault at install time. Result: the system failed to boot. So I tried to reinstall. Result: the system failed to reinstall. WHAT? Yes, every time I got a very funny message: There was a problem installing "Mac OS X". Try Reinstalling. Oh really? WHAT DO YOU THINK I AM DOING??? After a lot of googling I found the solution: Hold down the CMD-OPTION-P-R keys and turn the machine on. Yes, if you count you will see that you need to press not one and not two but FIVE keys at the same time. That's user friendly!! This automatically revokes Apple's right to ever mention Windows' Ctrl-Alt-Del ever, ever again.
- iTunes... well, just install VLC and you'll be all right.

In short:
  • Great hardware, except...
  • ... terrible, experience-ruining keyboard.
  • Nice and user friendly...
  • ... if all you want to do is check facebook.
I just felt that the old joke is completely accurate:

Mac Airlines
All the stewards, captains, baggage handlers, and ticket agents look and act exactly the same. Every time you ask questions about details, you are gently but firmly told that you don't need to know, don't want to know, and everything will be done for you without your ever having to know, so just shut up.

OSX Air:
You enter a white terminal, and all you can see is a woman sitting in the corner behind a white desk, you walk up to get your ticket. She smiles and says "Welcome to OS X Air, please allow us to take your picture", at which point a camera in the wall you didn't notice before takes your picture. "Thank you, here is your ticket" You are handed a minimalistic ticket with your picture at the top, it already has all of your information. A door opens to your right and you walk through. You enter a wide open space with one seat in the middle, you sit, listen to music and watch movies until the end of the flight. You never see any of the other passengers. You land, get off, and you say to yourself "wow, that was really nice, but I feel like something was missing"

Verdict: I would recommend a MacBook for my mother. It's pretty, works out of the box, and, as long as you don't want advanced features or to do anything that the Apple Overlords didn't anticipate, you are absolutely fine.
I would NOT recommend it to anybody that has been using a ThinkPad or Linux for a while. The keyboard and lack of options will drive you crazy.

Saturday, June 9, 2012

Raspberry Pi - 1080p playback

Note to future self / strangers on the Internet: this is how you get 1080p playback on the Raspberry Pi using the standard Debian image.

- Do not use VLC or MPlayer - they don't have hardware (OpenMAX) decoding support on the Pi.
- Compile and install omxplayer.
- To get HDMI audio add the option -o hdmi.
- Widescreen movies show the framebuffer in the black stripes. Add the option -r to switch the HDMI output to a mode matching the video.
- Switching the HDMI mode breaks the console / desktop, so reset HDMI afterwards.

Here are two nice scripts to do that:

[Reset HDMI/TV - reset_tv.sh]
#!/bin/bash
# Switch the HDMI output off and back on in its preferred mode, then
# rebind the framebuffer driver so the console / desktop come back.
sudo /opt/vc/bin/tvservice -p > /dev/null
sudo /opt/vc/bin/tvservice -o
sudo /opt/vc/bin/tvservice -p
echo "bcm2708_fb" | sudo tee -a /sys/bus/platform/drivers/bcm2708_fb/unbind > /dev/null
echo "bcm2708_fb" | sudo tee -a /sys/bus/platform/drivers/bcm2708_fb/bind > /dev/null

[PLAY A FILE AND RESET AFTERWARDS - play]
#!/bin/bash
# Play with HDMI audio and matching HDMI mode, then restore the display.
# "$@" (quoted) keeps file names with spaces intact.
omxplayer -o hdmi -wyr "$@"
reset_tv.sh

Make both executable (chmod +x) and put them in /usr/local/bin or anywhere in your $PATH.


Now, to play a file:
pi@raspberrypi:~$ play /PATH/TO/FILE.mkv

Enjoy!

Thursday, June 7, 2012

Alice/O2 DSL and SSL

So, recently I wrote about how I had trouble connecting to google.com over HTTPS using my home DSL connection. I have narrowed the problem down and I must say that ppp is innocent.

I have tried using the crappy router in router mode and even the fancy Fritz!Box 7390 from my old VDSL connection, both in modem and router mode, and the problem persists. I have tried the original phone cable (you never know, right?) and every other thing imaginable: it still fails to connect to Google. But it's not alone! Trying amazon.com also fails from time to time! It still doesn't happen from my neighbor's connection, or from my own connection for other servers (I tried, among others, facebook.com, deutsche-bank.de, visa.com, paypal.com, dkb.de).

 * About to connect() to amazon.de port 443 (#0)
*   Trying 178.236.6.38...
* connected
* Connected to amazon.de (178.236.6.38) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

 * About to connect() to amazon.com port 443 (#0)
*   Trying 72.21.211.176...
* connected
* Connected to amazon.com (72.21.211.176) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

 * About to connect() to amazon.com port 443 (#0)
*   Trying 72.21.211.176...
* connected
* Connected to amazon.com (72.21.211.176) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
*        subject: C=US; ST=Washington; L=Seattle; O=Amazon.com Inc.; CN=www.amazon.com
*        start date: 2010-07-15 00:00:00 GMT
*        expire date: 2013-07-14 23:59:59 GMT
*        common name: www.amazon.com (does not match 'amazon.com')
*        issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)09; CN=VeriSign Class 3 Secure Server CA - G2
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: amazon.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0


 * About to connect() to google.de port 443 (#0)
*   Trying 173.194.69.94...
* connected
* Connected to google.de (173.194.69.94) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to google.de:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to google.de:443

 * About to connect() to google.de port 443 (#0)
*   Trying 173.194.69.94...
* connected
* Connected to google.de (173.194.69.94) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

 * About to connect() to google.com port 443 (#0)
*   Trying 173.194.69.113...
* connected
* Connected to google.com (173.194.69.113) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
* Closing connection #0
curl: (35) error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

So here is my new theory about who's the bad guy:
- Google, Amazon: nope, they work for the rest of the world.
- PPP: no, tried without it and it still fails.
- Crappy router: nope, it also happens with the fancy router.
- Alice ADSL: the only difference between my connection and the neighbor's connection is the access router into Alice's network. That MUST be it!

From my connection:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 52 byte packets
 1  alice.box (192.168.1.1)  2.437 ms  2.381 ms  17.397 ms
 2  lo1.br12.muc.de.hansenet.net (213.191.64.41)  26.054 ms gi2-0-0.pr02.muc.de.hansenet.net (213.191.88.88)  22.261 ms  26.177 ms
 3  inxs.google.com (194.59.190.61)  30.079 ms  30.047 ms  28.297 ms
 4  66.249.94.88 (66.249.94.88)  51.782 ms  34.389 ms  31.082 ms
 5  216.239.48.125 (216.239.48.125)  29.833 ms 216.239.48.117 (216.239.48.117)  32.006 ms 216.239.48.125 (216.239.48.125)  29.545 ms
 6  209.85.254.116 (209.85.254.116)  53.968 ms  30.843 ms 209.85.254.112 (209.85.254.112)  32.079 ms
 7  * * *
 8  google-public-dns-a.google.com (8.8.8.8)  32.152 ms  32.125 ms  30.507 ms

PING 213.191.88.88 (213.191.88.88) 56(124) bytes of data.
64 bytes from 213.191.88.88: icmp_req=2 ttl=253 time=27.9 ms
NOP
RR:     192.168.1.4
        213.191.88.74
        213.191.88.88
        213.191.88.88
        213.191.64.41
        192.168.1.4


From neighbor's connection:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 52 byte packets
 1  172.24.128.1 (172.24.128.1)  2.520 ms  2.459 ms  2.429 ms
 2  172.24.0.1 (172.24.0.1)  2.428 ms  2.453 ms  2.414 ms
 3  192.168.1.1 (192.168.1.1)  5.133 ms  5.205 ms  4.880 ms
 4  lo1.br02.muc.de.hansenet.net (213.191.89.9)  28.328 ms  28.179 ms  28.098 ms
 5  gi2-0-0.pr02.muc.de.hansenet.net (213.191.88.88)  27.318 ms  27.837 ms  26.953 ms
 6  inxs.google.com (194.59.190.61)  136.017 ms  39.291 ms  39.645 ms
 7  66.249.94.86 (66.249.94.86)  38.188 ms  39.087 ms  38.489 ms
 8  216.239.48.125 (216.239.48.125)  43.581 ms  42.874 ms 216.239.48.117 (216.239.48.117)  46.876 ms
 9  209.85.254.116 (209.85.254.116)  44.041 ms  45.064 ms  44.261 ms
10  * * *
11  google-public-dns-a.google.com (8.8.8.8)  42.816 ms  46.818 ms  46.312 ms

PING 213.191.88.88 (213.191.88.88) 56(124) bytes of data.
64 bytes from 213.191.88.88: icmp_req=1 ttl=251 time=36.1 ms
NOP
RR:     172.24.128.2
        172.24.0.4
        192.168.1.254
        85.181.69.47
        213.191.88.70
        213.191.88.88
        213.191.88.88
        213.191.89.9
        192.168.1.1


The whole thing about 213.191.64.41 disappearing from the 2nd traceroute hop after the first packet is quite weird, BTW. With an ICMP traceroute (instead of the default UDP probes) it does not happen:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 52 byte packets
 1  alice.box (192.168.1.1)  3.759 ms  2.364 ms  2.359 ms
 2  lo1.br12.muc.de.hansenet.net (213.191.64.41)  27.701 ms  157.436 ms  27.542 ms
 3  gi2-0-0.pr02.muc.de.hansenet.net (213.191.88.88)  23.166 ms  23.293 ms  22.792 ms
 4  inxs.google.com (194.59.190.61)  30.130 ms  29.518 ms  29.570 ms
 5  66.249.94.86 (66.249.94.86)  44.804 ms  38.765 ms  30.947 ms
 6  216.239.48.117 (216.239.48.117)  32.570 ms  31.293 ms  30.783 ms
 7  209.85.254.118 (209.85.254.118)  31.931 ms  31.347 ms  31.427 ms
 8  * * *
 9  google-public-dns-a.google.com (8.8.8.8)  32.889 ms  31.240 ms  32.917 ms

All this drives me to the conclusion that either:
- 213.191.64.41 is buggy as hell and Alice should be ashamed of having it there, or
- 213.191.64.41 is doing some really creepy targeted SSL tampering / man-in-the-middle / hijacking / manipulation and Alice should be seriously ashamed of having it.


Any ideas about the problem? How to solve it other than with a VPN past 213.191.64.41?

Monday, June 4, 2012

Crazy Google - PPPd - SSL BAD MAC error

UPDATE: follow up

Hi all. Long time no see. Just didn't have much to say lately. But now I do. So hi :)

A lot has actually changed lately, both at a personal and professional level, but the relevant part is: I have a new ISP. I moved and the awesome 50/10 Mbit 1&1.de VDSL was no longer available, so now I have a much crappier 16/1 Mbit ADSL by O2/Alice (after several months of borrowing the neighbor's WiFi). Also, instead of the fantasboulous FritzBox 7390 I got a crappy Alice IAD 4412, or whatever the thing is called. It's 2.4 GHz only and 150 Mbit. And on top of that O2/Alice is soooo worried for some reason that I would sell the router on eBay to buy a yacht, that I have to return the damn thing at the end of the 24 month contract.

Of course the first thing I did was to disable everything internet related on the router, enable PPPoE passthrough and set up PPPoE on my linux box to act as a Torrent / Router / Firewall / Apache / Misc server. Since I had the same setup with 1&1 everything went pretty smoothly and all was fine. The End.

No, of course not. Everything did go smoothly, until I tried to use GMail. I got a nice SSL error page with the following message:

Secure Connection Failed
An error occurred during a connection to accounts.google.com.
SSL peer reports incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_alert)

I tried to google it, but since I use google with https by default, it happened for www.google.com too! After a F5 it would work again.

I thought it might be an iptables problem, but the usual clamp-mss-to-pmtu rule did no good. Trying to debug it I wrote the following crude script, which runs curl against the server until the first non-zero exit code and prints how many attempts it took:

C=0 E=0; while [ $E = 0 ]; do curl 'https://www.google.com' --no-sessionid -v -1; E=$?; C=$((C+1)); echo $C; done

I ran it in multiple configurations of destination servers, hosts and connections. Since I still have access to the borrowed neighbor's WiFi I also ran it there. It's worth mentioning that the neighbor uses the same ISP and a traceroute shows that the second router down the road is already the same, so basically what's different is the PPP method (me - pppd through the crappy router, him - the crappy router directly).

Result: it fails ONLY when:
  • I use my connection (pppd through the router), doesn't matter if it's a NATed machine or the server itself. Ran over 11k times from other connections, no problem.
  • I connect to Google servers (accounts.google.com, www.google.com). Ran over 2k connections to other HTTPS servers from the same connection: no problem.
So who is to blame?
  • Google: no, it works fine from my work machine and the neighbor's WiFi.
  • pppd: no, it worked before with 1&1.
  • Alice ADSL: no, the neighbor has Alice as well.
  • Crappy router: no, it works fine when connecting to Facebook, Yahoo, Deutsche Bank, etc.
  • Combination of all of the above: well, it works sometimes.
Solution? Sadly, I have none. I have a packet capture that shows exactly when the problem happens most often:
  • Client Hello
  • Server Hello
  • Server Certificate, Server Key Exchange, Server Hello Done
  • Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message (encrypted MAC of handshake).
  • Server issues SSL Alert: Bad Record MAC.
Googling did not help either. Some suggest changing the clock would help, but the same client fails only on a specific connection. Anyway, I synced all clocks of all involved machines: no joy. Clearing the cache: curl doesn't even have a cache. Anyway, it didn't help. The closest online discussion of the problem is this thread. On other threads, some people hint that the problem is dependent on the particular connection, but nobody offers a decent solution.

I know it's a long shot, but: does anybody out there have an idea on how to fix this? Even a hint towards a method to further debug it would be greatly appreciated. Problems for a good debug method:
  • The MAC is over random numbers: any comparison with different server/connection handshakes is useless.
  • Since it is connection dependent, client side errors are rather impossible.
  • The sent MAC is encrypted, so it's hard to analyze with Wireshark.
The last ideas I have are to capture the ppp packets and compare them with what goes over wlan0 (unlikely to show anything, since only Google complains (only Google checks?? unlikely...)), or to try a different router / set the router to gateway mode instead of PPPoE modem mode...
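One thing that does help when collecting hundreds of runs of the loop above (or the curl -v transcripts from the follow-up post) is to stop reading them by eye and let a script tell you, per host, at which handshake step each connection died and with which alert. The Python below is an added example, not code from the original post or anything the author ran: it parses the curl 7.26 / OpenSSL 1.0 trace format shown above, records the last handshake message before the failure, and counts (host, diagnosis) pairs. The sample traces embedded at the bottom are constructed in that format and trimmed, not the original captures. For the interpretation it prints: both alerts seen in the transcripts are sent by the server right after the client's ChangeCipherSpec + Finished, and in TLS a "bad record mac" means the server could not verify the MAC of that first encrypted record, while a "decrypt error" means the Finished verify_data did not check out. Either way the server could not validate what it received; the script does not (and cannot) tell you which box on the path is responsible.

```python
"""Classify curl -v TLS traces (curl 7.26 / OpenSSL 1.0 format) by the
handshake step at which each connection stopped.  Added example."""
import re
from collections import Counter

HOST_RE = re.compile(r"About to connect\(\) to (\S+) port (\d+)")
HS_RE = re.compile(r"TLS (handshake|change cipher|alert), ([^(]+) \((\d+)\):")
ALERT_RE = re.compile(
    r"error:[0-9A-Fa-f]{8}:SSL routines:\w+:((?:tlsv1|sslv3) alert [\w ]+)")
CIPHER_RE = re.compile(r"SSL connection using (\S+)")


def parse_trace(text):
    """Summarise one trace: host, handshake steps seen, negotiated cipher
    (only set if the handshake completed) and how the connection ended."""
    s = {"host": None, "steps": [], "cipher": None, "outcome": "ok", "detail": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.search(line)
        if m:
            s["host"] = m.group(1)
        m = HS_RE.search(line)
        if m:
            kind, name, num = m.groups()
            # curl of that era prints the handshake-type name for the first
            # byte of any record, so ChangeCipherSpec shows up as
            # "Client hello (1)" and a fatal alert (level 2) as "Server hello (2)".
            if kind == "change cipher":
                s["steps"].append("ChangeCipherSpec")
            elif kind == "alert":
                s["outcome"] = "alert"
            else:
                s["steps"].append(f"{name.strip()} ({num})")
        m = ALERT_RE.search(line)
        if m:
            s["outcome"] = "alert"
            s["detail"] = m.group(1).strip()
        m = CIPHER_RE.search(line)
        if m:
            s["cipher"] = m.group(1)
        if "Unknown SSL protocol error" in line:
            s["outcome"] = "protocol_error"
        if line.startswith("* SSL read:"):
            s["outcome"] = "read_error"
            s["detail"] = line[2:]
    s["last_step"] = s["steps"][-1] if s["steps"] else None
    return s


def diagnose(s):
    """One-line reading of where a parsed trace broke."""
    if s["cipher"]:
        return ("handshake completed, connection dropped afterwards"
                if s["outcome"] == "read_error" else "handshake completed")
    if s["last_step"] == "Finished (20)":
        # The server answered the client's first encrypted record (its
        # Finished).  bad_record_mac: the record MAC did not verify;
        # decrypt_error: the Finished verify_data was wrong.
        if s["outcome"] == "alert":
            return "server rejected client Finished: " + (s["detail"] or "alert not decoded")
        if s["outcome"] == "protocol_error":
            return "connection broke after client Finished, no readable alert"
    return f"stopped after {s['last_step']}: {s['outcome']}"


def split_traces(log):
    """Split concatenated curl -v stderr (e.g. the retry loop's output,
    captured with 2>&1) into one trace per connection attempt."""
    return [t for t in re.split(r"(?m)^\s*(?=\* About to connect\(\))", log) if t.strip()]


def summarize(traces):
    """Count (host, diagnosis) pairs over a batch of traces."""
    return Counter((s["host"], diagnose(s)) for s in map(parse_trace, traces))


# Constructed samples in the format of the transcripts above (trimmed; not
# the original captures).
_PREFIX = """\
* About to connect() to {host} port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
"""
DECRYPT_ERROR = _PREFIX.format(host="amazon.com") + """\
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
"""
BAD_MAC = _PREFIX.format(host="google.com") + """\
* SSLv3, TLS alert, Server hello (2):
* error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
* Closing connection #0
"""
PROTOCOL_ERROR = _PREFIX.format(host="google.de") + """\
* Unknown SSL protocol error in connection to google.de:443
* Closing connection #0
"""
COMPLETED = _PREFIX.format(host="amazon.com") + """\
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
> GET / HTTP/1.1
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0
"""

if __name__ == "__main__":
    batch = [DECRYPT_ERROR, BAD_MAC, PROTOCOL_ERROR, COMPLETED]
    for (host, why), n in sorted(summarize(batch).items()):
        print(f"{n:3d}  {host:12s} {why}")
```

To use it on real data, run the retry loop with `2>&1 | tee run.log`, then `summarize(split_traces(open("run.log").read()))`. Splitting the diagnosis by host is what turns "it fails sometimes" into "it fails only for these hosts, always at the same step, with these two alerts", which is the kind of statement an ISP support ticket can actually act on.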

As said before, any idea will be appreciated!