flak

three unimaginative sequels

I watched three movies recently.

The Dark Knight Rises

Hero defeats Bad Guy. What’s next? Hero fights Son of Bad Guy. Really? Hey, remember when the Joker made the people of Gotham participate in a social experiment game? That was really edgy, let’s do that again! Probably wouldn’t have been so bad with more Batman being cool and less Bruce Wayne moping about.

The Bourne Legacy

Let’s have an operative of a secret government project befriend a lady in distress and run away with her. What really disappoints here is that you only get half a movie. The other half of the time we’re watching news footage about the events of The Bourne Supremacy. Do I care about Pamela Landy climbing into a car? Not in this movie. Then we cut to Edward Norton shuffling some files around on a table to remind us, hey, look how many different secret programs there are. See how imaginative we are.

Underworld Awakening

Especially after the third Underworld movie, I think expectations were set pretty low, but as far as sequels go, this is actually pretty good. It introduces new good guys and new bad guys, and they aren’t generic clones of the previous generation. It’s vampires versus werewolves, for sure, and of course the ultimate bad guy is even more ultimate, but now the humans are somewhat involved and they updated the look to a more futuristic urban environment. Also, the occasional daytime scene. More unique ideas here than in the above two movies combined.

Posted 28 Aug 2012 20:40 by tedu Updated: 29 Aug 2012 03:51
Tagged: moviereview

OpenBSD and VMWare Player

First off, don’t use VirtualBox. It’s terrible for running OpenBSD. I’ve had zero problems with VMWare Player. I installed using an OS type of FreeBSD, though it doesn’t seem to matter much. (This post was written against Player 4. Player 5 may sort out the networking issues. It provides a few more options in the machine configurator.)

Posted 21 Aug 2012 21:46 by tedu Updated: 15 Mar 2013 02:28
Tagged: computers openbsd review software

USB 3 back compat

Newest laptop has some USB 3 ports, and one USB 2, which I’m thankful still exists. USB 3 isn’t quite fully backwards compatible. Sure, all the old USB devices work when plugged into a working USB 3 port, but the key point there is it has to be a working USB 3 port.

USB 3 controllers (xhci) differ from USB 2 controllers (ehci) from the host computer’s viewpoint. Drivers for ehci won’t work with xhci. At all. No driver, no port, no back compat.

Where does one find ehci drivers, but no xhci drivers? In my BIOS. External keyboard doesn’t work at the truecrypt boot prompt unless it’s plugged into a USB 2 port. In VMWare. USB passthru only works for devices plugged into the USB 2 port. Anything plugged into the USB 3 ports is simply invisible to VMWare, at least until they update their own USB driver to handle xhci as well. (Update: The recently released Workstation 9 and Player 5 are supposed to support USB 3. I haven’t upgraded yet.) In OpenBSD or any other operating system not yet updated to include xhci.

The situation is somewhat analogous to gigabit ethernet. It, too, had back compat with fast ethernet, in that you could plug it into a fast ethernet switch and everything worked. But you can’t generally use whatever fast ethernet driver you had with a new gigabit adapter. It’s a little simpler with USB, since the controller interface is fixed and doesn’t vary by manufacturer.

There are some completely logical reasons why xhci controllers shouldn’t provide ehci interfaces, but at least for now, it’s important that hardware continue to include some USB 2 ports. Something to consider when looking at hardware that includes only USB 3 ports, like the newest Macbook Air. My BIOS appears to have an option to turn the USB 3 port into a USB 2 port, which may be an effective workaround, but then I’d lose the ability to get super speeds from USB 3 devices. Untested.

Posted 20 Aug 2012 19:27 by tedu Updated: 09 Mar 2013 18:16
Tagged: computers thoughts

buyer's remorse

Less than a week after my T430s arrives, Lenovo finally announces real availability of the X1 Carbon that I gave up waiting for. And then they announce the T430u as well, which seems a lot like the T430s, but is even slimmer. One review of the X1 claimed it had an IPS screen, which would have been a major regret for me, but others claim the screen angles are only ok. I wonder which is true. I did look a little closer at the performance numbers, and the 17W i5 appears to struggle against the 35W version. More so on the graphics side it appears. There’s just not enough headroom to allow the CPU to turbo up to max speeds consistently. Both models come with buttonless clickpads. Not sure I’m ready to make that leap.

Regrets? Not really. I’m not sure what advantage the T430u offers. It still weighs the same four pounds, and the s model is plenty slim for me. Reduced functionality for no weight reduction. The X1 is harder to disregard. I’m going to tell myself I wouldn’t have been happy with the performance of a low voltage CPU.

Posted 09 Aug 2012 20:01 by tedu Updated: 09 Mar 2013 18:16
Tagged: computers rants

Thinkpad T430s and Samsung 830

The newest addition to my stable of laptops, the Thinkpad T430s. I replaced the factory hard drive with a Samsung 830 SSD, 256GB, so I’ll review that too.

Posted 04 Aug 2012 00:09 by tedu Updated: 25 Apr 2013 15:58
Tagged: computers review

it's official, Comcast sucks

After deciding a 3G tethered internet connection wasn’t enough (though honestly it kind of was, I just miss Amazon videos), I signed up for Comcast xfinity cable internet service. (Sidenote: I like the name xfinity. It’s a little cool, not trying too hard, suggests the future is now. That kind of thing.) I bought my own modem (uBee 3513) to avoid the bonus rental charge. Waited for my self install kit to arrive. Open it up to discover it’s... 3 feet of coax cable. Thanks. I could have gotten the ball rolling days ago if I knew that’s all you were shipping me.

Posted 03 Aug 2012 20:17 by tedu Updated: 03 Aug 2012 20:17
Tagged: rants review

LevelUp

No, it’s not a game. LevelUp is yet another payment system to compete with credit cards. The competition is more on the merchant side, since clients still need a credit card to pay, but the way it works is you link a credit card to your account, get a QR code, and then flash that at the camera phone next to the register to pay. It’s very fast, especially when compared to any transaction involving a rewards card. I like it a lot, even more so since I carry my phone more places than my wallet. (I think you could even just print out the QR code and carry it around on paper, but I haven’t tried that.)

Posted 30 Jul 2012 18:39 by tedu Updated: 15 Mar 2013 02:33
Tagged: business review thoughts

ordering a new Thinkpad

Finally gave in and ordered a new Thinkpad T430s. Hasn’t arrived yet, but man what a frustrating experience. First, as mentioned before I was kind of waiting for the X1 Carbon, but that gets old after a while. The slim T model seems like a reasonable compromise and the price has come down some recently. (I’m expecting the X1 to cost a fortune and have a month long wait for shipment even then.)

Speaking of price, the worst part was that every couple days Lenovo changes their prices. The “web” price is always about half the retail price, but then there’s some “day ending in a y” 15% promotion code that changes. And then various discounts on this component or that component. This time around, I got the bay battery, but had to buy it separately because the battery sale only applied in the “Accessories” section, not on the regular configuration screen.

Also, as I discovered only after purchasing, and only by reviewing the service manual, the i7 upgrade apparently also gets you a Thunderbolt port instead of DisplayPort, but nowhere is that mentioned on the web site.

Almost went with the 15-inch Samsung 9 series, but decided that a full power CPU is nice, and full sized VGA and ethernet ports are necessary. The extra half pound shouldn’t be so bad, and I remain suspicious of Samsung’s keyboard. Even if I haven’t yet tried the all new and improved Thinkpad keyboard, I think it’s a change I can live with.

Posted 27 Jul 2012 18:40 by tedu Updated: 09 Mar 2013 18:18
Tagged: computers rants

a few realloc fixes

I recently spent a little time fixing and improving realloc in OpenBSD. In addition to the short commit messages, here’s a longer explanation of the changes that gives more background and a better understanding of both malloc and OpenBSD.

Posted 22 Jun 2012 20:25 by tedu Updated: 04 Dec 2014 01:13
Tagged: c openbsd programming

cookies are plaintext passwords

Lots of fuss recently over how one should store users’ passwords in a database. One angle that hasn’t received much attention, and which I myself hadn’t thought much about, is how to store cookies such as auth tokens. I’m assuming for this post that we’re using the technique of generating a random string, setting it as a cookie, and then saving a copy in the database. When the visitor returns, they send the cookie and you compare with the value stored in the database. (Some frameworks set an HMAC signed token instead; they should be safe from the problem I’m about to describe.)

The problem is that these tokens are equivalent to passwords. They let anyone who has one log in. If someone steals your auth token database, they can log in as any user, just as if they had stolen a plaintext password database. They also may be vulnerable to a timing attack during comparison, depending on what you do and who you believe. The solution is to treat them just like passwords. Hash them before storing in the database. Just once should be enough; if your tokens aren’t at least 128 bits of random data, you have other problems. Then every time you get a cookie from the user, hash before looking up in the database. Now if someone steals your database, they have a lot of work ahead of them trying to recreate the token they need to submit to log in.

Alternately, using HMAC signed cookies should be sufficient, but there have been several vulnerabilities related to their implementation, so I remain cautious.
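The hash-before-store scheme described above, as an added example that is not part of the original post. The `sessions` table, the function names and the choice of SHA-256 with an in-memory SQLite database are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3


def token_digest(token: str) -> str:
    """One SHA-256 pass; no stretching needed because the token is 256 random bits."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def open_store() -> sqlite3.Connection:
    """Hypothetical session store: only the digest of each token is kept."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, username TEXT NOT NULL)"
    )
    return db


def issue_token(db: sqlite3.Connection, username: str) -> str:
    """Create a session and return the cookie value; the raw token is never stored."""
    token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    db.execute("INSERT INTO sessions VALUES (?, ?)", (token_digest(token), username))
    return token


def user_for_cookie(db: sqlite3.Connection, cookie: str):
    """Hash the presented cookie first, then look the digest up. None if unknown."""
    try:
        digest = token_digest(cookie)
    except UnicodeEncodeError:  # non-ASCII junk cannot be a token we issued
        return None
    row = db.execute(
        "SELECT username FROM sessions WHERE token_hash = ?", (digest,)
    ).fetchone()
    return row[0] if row else None


def stolen_rows(db: sqlite3.Connection):
    """What a copy of the table contains: digests and usernames, no usable cookies."""
    return db.execute("SELECT token_hash, username FROM sessions").fetchall()


if __name__ == "__main__":
    db = open_store()
    cookie = issue_token(db, "alice")  # constructed sample user
    print("valid cookie ->", user_for_cookie(db, cookie))
    leaked_hash = stolen_rows(db)[0][0]
    print("replayed table value ->", user_for_cookie(db, leaked_hash))
```

Because the server only ever compares digests, a value copied out of the table is hashed again on submission and matches nothing, and the database index never compares the secret token itself against attacker-supplied input.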

Posted 13 Jun 2012 00:17 by tedu Updated: 11 Apr 2013 21:35
Tagged: programming software web