The BFC Computing Weblog

For folks who are running the current development, or soon-to-be-just-released Fedora 11, you might find Firefox to be very crashy. It's not because it's the semi-controversial 3.5b4 version (which is excellent), it's because of a buggy library.

I'm running it with the Tree Style Tab and NoScript extensions, and can get a crash half the time when Session Restore is running, and almost all the time when I allow a site in NoScript.

If you run firefox from the console, so you get the debug messages, you'll see:

cairo-ft-font.c:554: _cairo_ft_unscaled_font_lock_face: Assertion `!unscaled->from_face' failed 

when the crash happens. I tracked this down through the Mozilla and Freedesktop bug systems to a problem with the Cairo graphics engine improperly disposing of fonts which it didn't own, for which a fix was incorporated last December. However, the version of Cairo shipping in Fedora 11 is older than that.

So, I applied the simple patch, fixed up the .spec, and put up some new RPM's for i386 and an SRPM for hackers and x86_64 users to build (rpmbuild --rebuild cairo-1.8.6-3.fc11.src.rpm).

I haven't tried cross-compiling from i386 to x86_64 before, and --target=x86_64 doesn't work, so if anybody can tell me how to do that short of learning mock, please leave a comment and I'll put up RPM's for that too.

The Redhat bug is here. Hopefully it gets accepted soon.

This is a neat enhancement to postfix for reducing spam by attacking its economics: making sure it speaks SMTP properly.

A spammer gets paid by the message delivered. So, it's in his interest to flood them out as quickly as possible. Because of this, they rarely implement mailers which negotiate the SMTP connection politely - they simply open the TCP connection and start sending.

When an SMTP client doesn't respect the proper-back-and forth postfix expects, it'll flag it as unauthorized 'pipelining' - for example when multiple messages are sent in succession, but which would otherwise be OK.

We can take advantage of this by forcing the issue, and increasing the odds a spammer will make this mistake by waiting just a second between establishing the TCP connection and telling the spammer we're ready to take mail. A loaded mail server may behave this way anyway, so it's not outside the norm and the resource consumption is minimal, but it attacks the economics of spamming.

In your main.cf file, you would add to smtpd_client_restrictions something like this:

          smtpd_client_restrictions =
                  permit_sasl_authenticated,
                  permit_mynetworks,
                  check_client_access hash:/etc/postfix/access-client,
                  sleep 1,
                  reject_unauth_pipelining
          
          

We accept all of our own users' connections (interactive ones, perhaps) right away, and if the sender is totally unknown to us, we wait for just a second. Then we reject any unauthorized pipelining. The log will show something like this:

May 6 10:49:00 mailhub postfix/smtpd[8965]: NOQUEUE: reject: RCPT from unknown[10.1.2.3]: 403 4.5.0 spamtarget@example.com: Recipient address rejected: Improper use of SMTP command pipelining

when the spammer attempts to just send.

It's worth noting that this method may not scale to very large installations, as those one second delays may be too much. But for the average-sized postfix install, it can make yet another dent in the spam deluge. Where it does consume 'too many' resources, one must weight the cost of computing resources vs. the time cost of dealing with yet another spam.

I've been using streaming video solutions more, since we pared back our satellite TV package at home and have been saving the Netflix allotment for the kids.

But streaming performance has been lacking for me. I've frequently experienced [buffering] and [recalculating bandwidth] messages, and having streams just stop dead and freeze up.

I wondered if Comcast might be playing games, since they have a history of doing so and this competes with one of their other products, so I decided to check out Google's tools that measure this possibility. Comcast is clean.

But the tools did help me find the actual cause: my TCP buffer receive size was set too low. Their network diagnostic tool revealed that 80% of the time my system was responsible for causing the delay, and only 20% of the time was the network at fault. After rejecting many forum suggestions I found as bizarre, I came across a decent O'Reilly article, which linked to an LBNL site with this recommended setting (for Mac OS X):

          sysctl -w net.inet.tcp.win_scale_factor=8
          sysctl -w kern.ipc.maxsockbuf=16777216
          sysctl -w net.inet.tcp.sendspace=8388608
          sysctl -w net.inet.tcp.recvspace=8388608
          

This increases the send and receive buffers to 8MB each and adjusts the kernel ipc buffer to accommodate. The first line is obsolete as of at least 10.4.11, which my video streaming system is on.

The last three lines above are a good way to test, and for permanence, create a file, /etc/sysctl.conf , with just the parameters, like this:

          kern.ipc.maxsockbuf=16777216
          net.inet.tcp.sendspace=8388608
          net.inet.tcp.recvspace=8388608
          

After setting that, my videos are all streaming without errors and the Google test shows that now the network is my delay 80% of the time and my client side none.

Recent OSX (10.5.x) and Linux (2.6.17) have TCP buffer autotuning which might, in some cases, make the above unnecessary. The Linux version only sets 4MB buffers, though, which may or may not be enough depending on your bandwidth delay product. Some experimentation may be in order, look up the proper variables for your kernel version, the above is only tested on xnu 8.11.1.

To verify the Fedora 10 package downloads, you need the new key they're signing the Fedora 10 packages with, but it's only included in the -release rpm which you don't want to install on some other machines, say your repository mirror.

This works:

rpm --import 'http://pgp.surfnet.nl:11371/pks/lookup?op=get&search=0xBF226FCC4EBFC273'

I wonder why this is different than the -newkey key. Anyway, don't take my word for it, check the signatures to prove it for yourself.

I got a spam today advertising a 'virtual conference' called CISSE 2008. Apparently they compiled at least part of their spam list by harvesting the Mozilla Bugzilla database. Their address harvester had trouble with basic e-mail parsing but got enough of my address there to positively identify the source. It's apparently organized by:

          Tarek Sobh, Ph.D., P.E. 
          CISSE 2008 General Chair 
          Vice President for Graduate Studies and Research
          and Dean of the School of Engineering 
          University of Bridgeport                 
          Bridgeport, CT 06604, U.S.A.                
          

I don't know the school, but it got a .edu and the credentials above look real.

I'm curious if anybody reading here has heard of this. I'm sending an e-mail to find out if the credentials assigned are real and if so what theory of rights they have for harvesting the Mozilla database.

Update: I received a response saying that the e-mail list is built from the advisory committees' members personal contact lists. I replied that my address that was targeted exists only in relation to BMO, I don't use the address anywhere else (the words 'bugzilla' and 'mozilla' are in the address). I'll update again when I hear more.

Folks running their own local yum repositories using cobbler will have to add new repos to get continued updates, the ones signed with the new signing key.

This isn’t hard, simply pick your mirror for f8 or f9 and add it to cobbler like the following:

cobbler repo add --mirror=http://mirror.anl.gov/pub/fedora/linux/updates/8/i386.newkey/ --name=f8-i386-updates.newkey
          cobbler repo add --mirror=http://mirror.anl.gov/pub/fedora/linux/updates/9/i386.newkey/ --name=f9-i386-updates.newkey
          

and then edit your fedora-updates-newkey.repo file to point to your local software distribution host. Assuming you have a cron job installed cobbler will start your downloads when it next syncs.

Remember, this will get you 8-ish GB of updates per release, so make sure you need to do this. Assuming you do, the Fedora Project will be updating removal of the old signing key automatically, so get this done before they do that or your nightly security updates may stop coming in.

Some e-mail systems, notably Earthlink, employ a challenge-response system whereby when you send a user an e-mail you get a response asking you to fill out a form to allow your e-mail to go through.

This is improper behavior because spam filtering is your problem (just like I filter my spam) and you’re pushing your work back on me.

It becomes an n^2 problem if everybody employes this kind of system, so it’s not a scalable behavior. Supporting this kind of system creates a moral hazard, so, if you’re using one of these systems you’re not going to get mail from me.

DRED has published its ’Broadband Action Plan’ with recommendations on how to improve the penetration of high speed Internet service in NH. I attended a session in Plymouth last year to provide input on the plan.

Overall it’s a good report. I’m especially impressed with its recommendations to get State out of the way for access to land and towers, permitting, etc. Also, predictable, uniform, and competitive access to utility poles is a very important issue. They recommend the creation of a government office to oversee this work, but don’t set a recommendation for when that would would be finished. It may be necessary but this issue ought not be used to grow government in a permanent manner. This kind of communications infrastructure has the potential to really streamline government, so it’s probably a net-win to have the office. They’re asking for $100,000 for each of the next two years to fund the office, so it’s necessarily limited as currently proposed. A citizen of NH might expect to pay a dollar over the next few years to fund it.

I’ve noticed that Burlington Telecomm has been having revenue shortfalls and the ECFiberNet project, which I had high hopes for, has apparently abandoned the core attribute that made it exciting - that it would be self-funded, and has gone asking for bond money instead. That was always the uncreative option, but the private model made ECFiberNet free of coercion. That is to say, government-run models don’t appear to be very healthy, but where the government can act to get out of industry’s way or improve its monopoly grants we should welcome its action.

Following up on my March 2007 article Conflict of Interest at Comcast, in excerpt:

Odds are those high-traffic users are downloading video. … This is directly in competition with Comcast’s other, main, business, providing video services. The amount of traffic they’re killing at (~250GB/mo) is probably just about what you need to replace a Comcast video service.

the FCC yesterday ruled:

Comcast had an “anticompetitive motive” because it delayed and blocked peer-to-peer files through applications such as BitTorrent. Such files often are high-quality video that might otherwise be watched and paid for on cable television.

and ordered Comcast to behave. As I noted earlier, this mirrors a previous decision about DSL companies monkeying with VOIP traffic.

Twittervision is combines Tweets and geo coding to show a realtime display of what people are Twittering. It’s quite a beautiful thing to watch, especially the 3D view.

I guess I wasn’t aware that Twitter fed all updates to third parties, so that’s something important to be aware of - it’s not just your followers who are seeing your updates.

I’m not sure it’s actually useful, but it certainly is neat, so probably it is useful to somebody.

I wonder if Twitter will be coming up with a trademark licensing program to allow apps like this to live peacefully.