Newest laptop has some USB 3 ports, and one USB 2, which I’m thankful still exists. USB 3 isn’t quite fully backwards compatible. Sure, all the old USB devices work when plugged into a working USB 3 port, but the key point there is it has to be a working USB 3 port.

USB 3 controllers (xhci) differ from USB 2 controllers (ehci) from the host computer’s viewpoint. Drivers for ehci won’t work with xhci. At all. No driver, no port, no back compat.

Where does one find ehci drivers, but no xhci drivers? In my BIOS. External keyboard doesn’t work at the truecrypt boot prompt unless it’s plugged into a USB 2 port. In VMWare. USB passthru only works for devices plugged into the USB 2 port. Anything plugged into the USB 3 ports is simply invisible to VMWare, at least until they update their own USB driver to handle xhci as well. (Update: The recently released Workstation 9 and Player 5 are supposed to support USB 3. I haven’t upgraded yet.) In OpenBSD or any other operating system not yet updated to include xhci.

The situation is somewhat analogous to gigabit ethernet. It, too, had back compat with fast ethernet, in that you could plug it into a fast ethernet switch and everything worked. But you can’t generally use whatever fast ethernet driver you had with a new gigabit adapter. It’s a little simpler with USB, since the controller interface is fixed and doesn’t vary by manufacturer.

There are some completely logical reasons why xhci controllers shouldn’t provide ehci interfaces, but at least for now, it’s important that hardware continue to include some USB 2 ports. Something to consider when looking at hardware that includes only USB 3 ports, like the newest Macbook Air. My BIOS appears to have an option to turn the USB 3 port into a USB 2 port, which may be an effective workaround, but then I’d lose the ability to get super speeds from USB 3 devices. Untested.

Less than a week after my T430s arrives, Lenovo finally announces real availability of the X1 Carbon that I gave up waiting for. And then they announce the T430u as well, which seems a lot like the T430s, but is even slimmer. One review of the X1 claimed it had an IPS screen, which would have been a major regret for me, but others claim the screen angles are only ok. I wonder which is true. I did look a little closer at the performance numbers, and the 17W i5 appears to struggle against the 35W version. More so on the graphics side it appears. There’s just not enough headroom to allow the CPU to turbo up to max speeds consistently. Both models come with buttonless clickpads. Not sure I’m ready to make that leap.

Regrets? Not really. I’m not sure what advantage the T430u offers. It still weighs the same four pounds, and the s model is plenty slim for me. Reduced functionality for no weight reduction. The X1 is harder to disregard. I’m going to tell myself I wouldn’t have been happy with the performance of a low voltage CPU.

The newest addition to my stable of laptops, the Thinkpad T430s. I replaced the factory hard drive with a Samsung 830 SSD, 256GB, so I’ll review that too.

more...

After deciding a 3G tethered internet connection wasn’t enough (though honestly it kind of was, I just miss Amazon videos), I signed up for Comcast xfinity cable internet service. (Sidenote: I like the name xfinity. It’s a little cool, not trying too hard, suggests the future is now. That kind of thing.) I bought my own modem (uBee 3513) to avoid the bonus rental charge. Waited for my self install kit to arrive. Open it up to discover it’s... 3 feet of coax cable. Thanks. I could have gotten the ball rolling days ago if I knew that’s all you were shipping me.

more...

No, it’s not a game. LevelUp is yet another payment system to compete with credit cards. The competition is more on the merchant side, since clients still need a credit card to pay, but the way it works is you link a credit card to your account, get a QR code, and then flash that at the camera phone next to the register to pay. It’s very fast, especially when compared to any transaction involving a rewards card. I like it a lot, even more so since I carry my phone more places than my wallet. (I think you could even just print out the QR code and carry it around on paper, but I haven’t tried that.)

more...

Finally gave in and ordered a new Thinkpad T430s. Hasn’t arrived yet, but man what a frustrating experience. First, as mentioned before I was kind of waiting for the X1 Carbon, but that gets old after a while. The slim T model seems like a reasonable compromise and the price has come down some recently. (I’m expecting the X1 to cost a fortune and have a month long wait for shipment even then.)

Speaking of price, the worst part was that every couple days Lenovo changes their prices. The “web” price is always about half the retail price, but then there’s some “day ending in a y” 15% promotion code that changes. And then various discounts on this component or that component. This time around, I got the bay battery, but had to buy it separately because the battery sale only applied in the “Accessories” section, not on the regular configuration screen.

Also, as I discovered only after purchasing, and only by reviewing the service manual, the i7 upgrade apparently also gets you a Thunderbolt port instead of DisplayPort, but nowhere is that mentioned on the web site.

Almost went with the 15-inch Samsung 9 series, but decided that a full power CPU is nice, and full sized VGA and ethernet ports are necessary. The extra half pound shouldn’t be so bad, and I remain suspicious of Samsung’s keyboard. Even if I haven’t yet tried the all new and improved Thinkpad keyboard, I think it’s a change I can live with.

I recently spent a little time fixing and improving realloc in OpenBSD. In addition to the short commit messages, here’s a longer explanation of the changes that gives more background and a better understanding of both malloc and OpenBSD.

more...

Lots of fuss recently over how one should store users’ passwords in a database. One angle that hasn’t received much attention, and which I myself hadn’t thought much about, is how to store cookies such as auth tokens. I’m assuming for this post that we’re using the technique of generating a random string, setting it as a cookie, and then saving a copy in the database. When the visitor returns, they send the cookie and you compare with the value stored in the database. (Some frameworks set an HMAC signed token instead; they should be safe from the problem I’m about to describe.)

The problem is that these tokens are equivalent to passwords. They let anyone who has one login. If someone steals your auth token database, they can login as any user, just as if they had stolen a plaintext password database. They also may be vulnerable to a timing attack during comparison, depending on what you do and who you believe. The solution is to treat them just like passwords. Hash them before storing in the database. Just once should be enough; if your tokens aren’t at least 128 bits of random data, you have other problems. Then every time you get a cookie from the user, hash before looking up in the database. Now if someone steals your database, they have a lot of work ahead of them trying to recreate the token they need to submit to login.

Alternately, using HMAC signed cookies should be sufficient, but there have been several vulnerabilities related to their implementation, so I remain cautious.

The new Apple Macbook Pro released today reminded me I want a new Thinkpad. Unfortunately, Lenovo seems determined to convince me I’d rather have a Mac. I currently own and use two Thinkpads, a big T60 and a tiny X200s. I’d consider replacing either one or getting something in between. My first concern is that the Thinkpad’s legendary reliability is slowly becoming the stuff of legend not reality. And there’s nothing either with a nice 1400x1050 screen or as lightweight. But I’ll probably get by, even with the new keyboard.

more...

With the conclusion of the rthreads hackathon a short while ago, the OpenBSD Journal ran a series of interviews with some of the participants. I figured I’d add a little more to the story, although there’s not really anything new to say. My involvement with rthreads has been pretty minimal recently, but I’ll start from the beginning. Like I said, nothing new, but sometimes it’s nice to have the whole narrative in one piece.

more...