Companies - 4

When I first saw an ad popping from my Windows 7 system tray I was pretty convinced, that my computer had been hijacked, keylogger installed, all my files sent to a Chinese server and police knocking down my door, because my machine is serving cp-pics in a torrent network. Then I realized, that the advertisement is about Nero. A software, that I bought and installed voluntarily. See:

As you can see from the dates on the pictures, that I've been waiting for this to happen again. This time I was ready and could confirm, that the culprit was indeed Nero. It is totally unclear to me, if I agreed to this in end user license agreement, but that's what they are doing. Perhaps I also gave the birth rights of my first born son like F-Secure did in London (see: Londoners give up eldest children in public Wi-Fi security horror show). Anyway, I'm not exactly happy, that they choose to do this. Nobody knows what else are they doing.

By googling, I found out, that I'm no alone with this problem. Nero's own discussion forum has a thread with topic Why do you think it's acceptable to spam people's PCs?, and there is actually removal instructions.

First go to Task Scheduler:

There is an own folder for Nero and in it, there is a NeroInfo running at install time every 2 days. It most certainly does not display ads every time it runs, but there is the master of this botnet somewhere giving instructions on when to run and what to display. Just delete the task:

And finish it off by deleting the files also:

Now it should stay off for a while! This is a fine specimen of paid software screwing you to the ass.

One day I got an e-mail from Google+ saying: "HQ Code Shop Oy hasn't shared anything on this page with you". I was more than puzzled. Sure I haven't shared anything with myself on Google+.

I clicked the link and got to the page. It had a Manage this page -button at the bottom:

It didn't do much good:

All it said was: "We are sorry, but you do not have access to this service. Please contact your domain administrator for access". Aow come on! Why did you have to create a page for something that you don't own and don't let the owner to control!

I went to my Google Apps administration console:

Yes, I have Google+ enabled for myself. However, that didn't change anything. I still was not able to manage my own company's page.

Many hours of surfing the web, reading many absurd attempts to fix the problem, and nothing. Then I went back to the Other Apps -section and started reading the descriptions:

It says "Add or edit your local business listing on Google Maps" next to Google Places -service, which I hadn't subscribed. I enabled that and hey presto! Suddenly I was able to manage the page. Naturally I had to pass the automated phone call test from Google, but I finally got control of my own property.

This is yet another shame-on-you-Google -thing they do while going towards world domination.

My blog has been on a low maintenance mode, due to the fact that I had other engagements. I was moving to a new house which has an FTTH or Fiber to the Home -connection.

The incoming connection is a 1000BASE-BX Ethernet and the connection carries also a IPTV streams in it. Of the given 1 Gbit/s I'm currently purchasing 250 Mbit/s downlink and 50 Mbit/s uplink. This costs me ~60 € per month. Not very expensive for such a quality bit, huh? There is a one-time building cost for 1800+ € for the connection, but that is not slowing me down.

In detail the connection is implemented with an Ethernet fiber to copper media converter and a CATV-module doing IPTV to DVB-C (SD-channels) and DVB-C2 (HD channels) media conversion. During the setup, the fiber-guy first built couple of meters of indoors cabling connected to the thick ground fiber. Indoor fiber connects to a Swedish made Inteno FG500 box. It looks like this:

In the first picture, there are 4 gigabit Ethernet (copper) connectors and a power connector to the CATV-module. Ethernet ports 1 to 3 are routed with a firewall and NAT, but luckily the port 4 is a bridged one and that's the one I'm using. From that I can get a public IP-address directly from ISP's DHCP-server.

The box splits into two halves, CATV and the "regular" Ethernet part. Parts are connected via power and fiber connectors:

The router has internal IP-address of 192.168.1.1 and it contains very typical web-interface for managing the box. Management looks like this:

WAN-parts are configured to copper Ethernet-ports with interface grouping:

It took me a while to figure all this out. It really matters to which LAN-port the cable is connected to. The WLAN-part can be deactivated and I did just that. I dislike those integrated crappy boxes very much, they are unreliable, insecure and what else ... Being a Linux-man I want to use my favorite Linksys and DD-WRT for any wireless needs.

This has got to be the best part of having a FTTH. The speed! Oh my god! Here are some sample results:

When analysing the results, two things come to my mind. First, Speedtest.net and the measuring servers it has don't go beyond 100 Mbit/s in any conditions (the software displays a maximum of 100 Mbit/s in it). Second, when measuring really fast speeds like I have here, the measurements are very unreliable and the results vary quite a lot when running number of tests in a sequence. In all cases, the downlink measurement is never 100 Mbit/s or even near it. 88 Mbit/s is pretty far from 100, or from the 250 Mbit/s what I'm paying. The uplink measurements are even worse. Those servers don't expect to be hit that hard (perhaps they see a DoS-burst?). Finally, ping 0 ms does not sound very reliable either. I'd assume 2-3 ms to be a best reading in the optimal conditions.

I've been running with this connection for a couple days only, but the assumption is that the uptimes it can keep are amazing. An ADSL-connection is pretty stable, but a fiber should be the rock-solid way to go, that's what I'm expecting from it.

Update Oct 2014:

Speedtest.net indeed goes beyond 100 Mbit/s:

I was renewing a SSL-certificate for a customer. They had been using GeoTrust earlier, so I went there. It was the first and most likely the last time I do business with them.

The order process was pretty similar to the competition. A CSR was submitted and all the necessary information was given. After submission there was a thank you -page and they sent an automated e-mail with information that the order is pending, and will be processed after 5 to 7 business days.

After that, nothing. After waiting for 12 days out of with 8 were business days, my patience ran out. I contacted them and requested to expedite the process. Yet another business day passed, and then they called me after 7 in the night and informed, that there was a mistake in the information I had gave them. I corrected the info, got automated e-mail about it and went into yet another wait.

Two more days later they sent an e-mail that the verification call to customer failed. Their mail had the number in it and it was obvious, that they assumed that the customer was located in USA. Even though, the information stated Finland as the country. I got an e-mail about that too.

At the point, when they issued the new certificate, I was surprised. Against all the odds, they managed to verify the customer in less than three weeks. The real suprise was, that at that point their e-mail replies started pouring in. The lag in their e-mail processing was huge. Last of the replies came 6 days after the certificate was issued. It's beyond stupid, that none of the communication I had with them were actually recorded for the purchase process. Apparely all of them went to a distant support site, which has nothing to do with any of their other actions or operations.

Is it just me, or does GeoTrust's way of doing business suck?

A while ago I a friend send a link to Jamie and Adam Tested -YouTube channel. I'm a fan of Mythbusters, so he knew that I'd love their stuff. One of the videos they have there is Inside Adam Savage's Cave: Hacking a Flashlight for Adam's EDC. So, I felt that I should blog about flashlights too.

Last year my old and trustworthy MagLite Solitaire broke down after serving me well for 18 years and I had to get a replacement. My old Solitare became un-fixable due to some sort of stress in the inside plastic parts. They broke down to a number of new pieces that didn't fit anymore. Apparently my key chain with number of keys in it cause stress to a flashlight's guts.

In the above video Adam is doing a hack to his JETBeam. Me as a Leatherman man I went for a Led Lenser (apprently they are owned by same company). Model K2 to be specific. However it turned to be a mistake. The LED is bright, it really is, and the flashlight is really tiny, but its aluminum body is not built to be hung in a key chain and stuffed into a pocket over and over again. It broke after 8 months of "usage". Actually I didn't use the lamp that much, but ... It broke. Aow come on! My previous lamp lasted for 18 years!

Here is a pic of the broken Led Lenser K2 (the short one) next to my new flashlight:

Thankfully my favorite flashlight company is back! I don't know what MagLite did for 15 years or so, but they certainly lost the market leader position by not releasing any new products for a very, very long time. So... after failing with Led Lenser I went back to MagLite. Their new LED-products are really good and I got one of their new releases a Solitaire LED. I'm hoping it lasts a minimum of 18 years!

The way Apple chose to implement changing iCloud-account is far from making any sense at all. The phrase "Delete Account" puts every users' imagination into high gear. By clicking this red button what could possibly go wrong! Does it implode your entire iCloud-account with all the data in it so that everything is gone permanently and forever? Or does it simply disconnect that particular iOS device from the Apple's cloud?

_{Image courtesy of http://assets.ilounge.com/images/articles_jdh/ask-20121114-1.jpg}

Apparently it is the latter one. The user interface is really poorly designed, no matter what. I think the idea was to scare users from testing what happens if they click it.

The discussion-thread in Apple's forums (HT4895 How do I change my iCloud account to my new apple ID?) is one of the sources for confirmation, that it does not wipe your account. It just detaches that particular device from your cloud-account.

To actually change the device to use a new iCloud account is much more tricky, as the article points out. And on top of that, iMessage, Facetime and AppStore still need to re-connect separately. Luckily that's not a big deal at that point.

However, if you combine changing the account with taking a new iPad into use, then you see a flood of e-mail from Apple. The e-mails come from different systems at Apple, but it certainly made me laugh a for a while. There are e-mails from Find My iPhone (my device was iPad), then there are security notifications about Apple ID being used in a new device and when all is set up, there is the welcome to a new device -mail. It would sound like a better idea to switch the account into some sort of changing-devices -mode, but they don't have that yet.

The good thing is that it is possible to change accounts. The bad thing is that they implemented the bare minimum of it.

Danske has a huge ad campaign here in Finland about the new mobile payment system. You can send and receive money simply by using a phone number. I'm not going to dwell into the security issues of such a system today, because what could possibly go wrong! Ok, I'll give them that they have limited the damage by built in a cap of the amount you can transfer, 250,- € per day and 15.000,- € per year. So, in any unfortunate event people are not going to much (if 250,- € is all you have, then ... it's another story).

Anyway. I got the app from the App Store and started their registration process. It's long. It's tedious. It'll drive you crazy. Looks like they don't want your business.

The information they ask during registration:

• First name, last name
• E-mail address
• Phone number
• Credit card number
• IBAN-number of your bank account

Not a problem. I have all of those. But guess who has all the information in the same phone, you're supposed to enter the data. Typically that's not a problem. A simple task switch to password vault software, copy the numbers and back to registration.

Now the idiots who designed and wrote the app expect everybody to know and type long series of input data. Nobody ever does that! That's what the mobile computers are for: they store data and make it possible to copy and paste it between apps. But these design geniuses chose not to use anything standard. If you switch apps between registration, the entire process needs to be started over. Nice! Really nice thinking. The paste won't work anyway, so ...

Definitely this is a good example of now not to write apps.

Over 5 years ago I filed a bug report about GCC crashing during ImageMagick compilation on RHEL 5. Nobody at Red Hat cared about that until couple days ago. Funny thing. At the time I had the issue, I simply kept the old ImageMagick and completed the project with that one. It would have been nice to have a more recent version, but since the new one would not compile, I just forgot about it.

Now the Red Hat guy Jeff is just being stupid. Why would anybody care anymore? Why did he have to do the obligatory works-for-me / need-more-information -routine. Now, at this point its just insulting, since they ignored the issue when it was actually present. Who would use RHEL 5 anymore. Not me.

I covered Google's new & ridiculous e-mail policy in my previous post.

The author of my favorite MTA, Postfix, Mr. Wietse Venema offered a piece of advice to another poor postmaster like me in the official Postfix User's Mailing list "disable ipv6 when sending to gmail?"

The idea is to use Postfix's SMTP reply-filter feature. With that, postmaster can re-write something the remote server said into something useful to alter Postfix's behavior. In this case, I'd prefer a retry using IPv4 instead of IPv6. Luckily the ability of dropping down to IPv4 is already built in, the only issue is to convince Postfix that what Google said is not true. For the IPv6-issue they state that the e-mail in question cannot be delivered due to a permanent error. A status code of 5.5.0 is given in this case. What Wietse suggest is to re-write the 5.5.0 into a 4.5.0 which indicates a temporary failure. This triggers the mechanism to do an IPv4 attempt immediately after failure.

I added following into /etc/postfix/main.cf:
# Gmail IPv6 retry:
smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter

Then I created the file of /etc/postfix/smtp_reply_filter and made it contain:
# Convert Google Mail IPv6 complaint permanent error into a temporary error.
# This way Postfix will attempt to deliver this e-mail using another MX
# (via IPv4).
/^5(\d\d )5(.*information. \S+ - gsmtp.*)/ 4${1}4$2

Reload Postfix just to make sure the main.cf change is in effect, no need to postmap the PCRE-file.

Effectively the last line of Google error message:

550-5.7.1 [2001:-my-IPv6-address-here-      16] Our system has detected
550-5.7.1 that this message does not meet IPv6 sending guidelines regarding PTR
550-5.7.1 records and authentication. Please review
550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more
550 5.7.1 information. dj7si12191118bkc.191 - gsmtp (in reply to end of DATA command))

will be transformed into:

450 4.7.1 information. dj7si12191118bkc.191 - gsmtp (in reply to end of DATA command))

And my mail gets delivered! Nice. Thanks Wietse! Shame on you Google!

The short version is: Fucking idiots!

Long version:
Google Mail introduced a new policy somewhere in August 2013 for receiving e-mail via IPv6. Earlier the policy was same for IPv4 and IPv6, but they decided to make Internet a better place by employing a much tighter policy for e-mail senders. Details can be found from their support pages.

For e-mail Authentication & Identification they state:

• Use a consistent IP address to send bulk mail.
• Keep valid reverse DNS records for the IP address(es) from which you send mail, pointing to your domain.
• Use the same address in the 'From:' header on every bulk mail you send.
• We also recommend publishing an SPF record
• We also recommend signing with DKIM. We do not authenticate DKIM using less than a 1024-bit key.
• The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.
• The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.

First: My server does not send bulk mail. It sends mail now an then. If the idiots label my box as a "bulk sender" (whatever that means), there is nothing I can do to help it.

Second: I already have done all of the above. I even checked my PTR-record twice. Yes, it is in the above list two times using different words.

Still, after jumping all the hoops, crossing all the Ts and dotting all the Is: they don't accept email from my box anymore. They dominate the universe, they set new policies, start to enforce them without notice and fail to provide any kind of support. At minimum a web page to fill in couple of fields to a form to test how they perceive your server and give a result what to fix. But no. They don't do that, they just stop to accept any email.

To provide matching words for their search engine, I post a log entry (wrapped to multiple lines) from my Postfix:

postfix/smtp[6803]: A82C94E6CE:
to=<my@sending.address.fi>,
orig_to=<the@recipient's.address.net>,
relay=aspmx.l.google.com[2a00:1450:4008:c01::1b]:25,
delay=0.76,
delays=0.04/0/0.35/0.37,
dsn=5.7.1,
status=bounced (host aspmx.l.google.com[2a00:1450:4008:c01::1b] said:
550-5.7.1 [2001:-my-IPv6-address-      16]
Our system has detected 550-5.7.1 that this message does not meet IPv6 sending guidelines regarding
PTR 550-5.7.1 records and authentication.
Please review 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more 550 5.7.1 information.
qc2si10501687bkb.307 - gsmtp (in reply to end of DATA command))

I'm not alone with my problem. Easily a number of people complaining about the same issue can be found: Gmail, why are you doing this to me? and Google, your IPv6-related email restrictions suck. Most people simply stop using IPv6 to deliver mail to Google. My choice is to fight to the bitter end.

While complaining the un-justified attitude I get from Google, I got a piece of advice: "Why don't you check what Google's DNS thinks of your setup?". I was like "WHAAT? What Google DNS?"

In fact there is a public DNS offered by Google. It is described in article Using Google Public DNS. I did use that to confirm that my DNS and reverse-DNS were set up correctly. I typed this into a BASH-shell:

# dig -x 2001:-my-IPv6-address- @2001:4860:4860::8888

It yielded correct results. There was nothing I could do to fix this issue more. As it turned out, I did not change anything but after a couple of days, they just seemed to like my DNS more and allowed my email to pass. Perhaps one of these days I'll write something similar to my open recursive DNS tester.

Idiots!

This has been in the rumors for a long time. The Finnish pride Nokia chose to exit their Devices & Services branch now that Lumia phones are finally getting popularity. It is kind of a sad day for Finnish ICT-industry as the biggest company divests roughly half of itself with a very cheap price. Lot of people, including me, were waiting for Microsoft to buy out entire corporation. Any business transactions of this size take months to prepare, if not years. So, most of the rumors from early 2013 appeared to be true. Our beloved (NOT!) "mole-man" or "Microsoft agent" Mr. E-flop managed to push the corporation's value down so that his seat for CEO of Microsoft could be granted with this move.

This is also a good day for Finnish ICT-industry, as lot of what-iffing can stop, and people can concentrate doing actually good things.

Bullshit floating around:

• Part of Finnish national identity was lost: Sure thing, Nokia was our own pride and joy, but things keep changing get used to it! After all Nokia did fuck up their own business with having too much pride for not to see what others were doing. Not to mention their horrible reorganizations that managed to completely kill their ability to innovate. I was proud what they did in the 90s and how they ruled the mobile world then, but not how they managed to get too cocky in the 00s.
  
• Nokia was about to go bankrupt: No, according to their Q2 2013 interim report, they had assets for 4,4 billion €, does not sound like bankrupcy to me
  
• Nokia was about to abandon Windows Phone and go to Android: I don't think so, Lumia was starting to sell like hotcakes
• Press is stating that "Microsoft bought Nokia": Idiots! No they did not! They purchased Devices & Services division. Lot of Nokia is still left. Neither did Google acquire Motorola, they just got Motorola Mobility division. There is a difference there.
  
• Nokia should have chosen platform X instead of Windows Phone:
• Apple iOS: really not available
• Blackberry: perhaps, ready platform, low on features, but Nokia guys could have done something with it, not as ready-to-go as they'd hope
  
• Palm / webOS: naah, too old crap, HP was ready to eject it, though. Price would have been cheap, but same story as Blackberry.
  
• Nokia's own MeeGo: Technically superior to anything, the trouble was that they put a lot of money into it, and due to their own organization's mis-management they could not produce anything real in time and decided to sink it. New platform is lacking developer community, though. Ex-Nokia people bought it and formed a new company Jolla.
• Android: Buggy, insecure, totally dominated by Asian companies like Samsung, LG and HTC. Really difficult to create something innovative with cheaper price. Totally out of the question.
  
• Windows Phone: History has proven that Nokia really managed to get it working. Trouble is that Microsoft has very slow development cycle. They're not accustomed working in mobile field at all. Perhaps Microsoft will now detach Windows Phone from Windows completely and allow them to move rapidly.
• Microsoft made a mistake when they did the acquisition: I don't think so. Their PC-business is fading and they really want to expand. Mr. Ballmer has set the vision to be a devices & services business and that's what they bought.
• Finland will lose lot of ICT-jobs: Why would Microsoft move the mobile phone development to Redmond? They have a proven track record of that not working. Also what many people are afraid of, is Microsoft scaling down the mobile business. Why would they do that? They just spent 5,4 billion € for it, why would they kill it after that? So, I don't think this will have a major impact on ICT-workforce.
• Nokia will have a grim future: Well, no. They divested the division not doing any profits. They kept their patent portfolio which is generating 1 billion € revenue each year. They have plenty of money, probably they'll just purhcase Jolla and start doing nice mobile phones again.
  

Well ... you cannot create one. They're just saying that there are "capacity issues" and due to that "West Europe was turned off for new subscriptions a short while back".

Is the old M$ is back? They very conveniently forget to tell you that when you're setting up your storage and servers, you cannot have a web site on top of them. Nice. Wouldn't it be great to know that during setup-phase?

They must be really doing well in Microsoft to treat users that badly. I'm sure that popularity of their service wasn't a surprise to them either. Yet another nice example of bad communication from a big corporation.

This was pretty funny one. I was about to start a Windows Azure 30-day trial on Windows 8 with Internet Explorer 10, but it failed on payment options.

I waited for 10 minutes, but no avail. It was pretty obvious that a failure was imminent after 30 seconds of nothingness. The payment just hangs forever without doing anything. They simply never tested it on IE10. On any other browser I tried it works just ok.

When doing XML-editing, I always use a suitable editor for that. Recently I've been using oXygen XML editor. It has all the features I need, I like it and naturally I bought a license. On a minus side, it is Java-software, and lately I've been disliking Java very much.

A while ago, they released a new version of 15.0. They appropriately informed me about the new version and said to check the upgrade availability. They have a nice reminder -form to check what you purchased from them the last time.

There is one thing they fail to mention. If you purchase today, and don't want to pay extra $100 for software upgrade service, and they release a new version tomorrow, you won't be eligible for a free upgrade. That's how they perceive you, a paying customer, a stupid lamb not to have paid them for a service they don't tell any details about.

There is a huge number of software companies operating on different basis. First you purchase their software. At that point they give you (typically) 12 month upgrade-period free-of-charge. Then at that point, they ask if you'd like their product that much to start paying for a service. You can agree or decline. If you agree, you'll be hoping that they release often enough to get your money's worth. On the other hand, you can choose to purchase updates whenever you feel like doing it. The software company respects you and operates on a honest basis.

I'll be taking my business elsewhere. Any recommendations for a XML-editor?

My cloud storage choice has been LaCie's (the hard drive company) Wuala. The main reason why I did choose Wuala is in their Privacy Policy:

2. Stored Content

Wuala encrypts all your files before they leave your computer. They are encrypted such that only you and those you have authorized can decrypt them. Even LaCie cannot decrypt them unless you have made them public or share them by secret weblink and access them with your web browser. In the latter case, the encryption key is temporarily sent to our web server as part of the URL for the purpose of serving the requested data.

They do exactly like Kim's MEGA. They encrypt everything so that even they can not access it (or at least that's what they claim to do, nobody has yet proven that wrong, though). That is: unless you choose not to encrypt the data, or publish the decryption key, but then it is an another story.

The sad thing is that they use Java on client-side to do the access. Java Runtime has been described as a disease in an article in the Forbes magazine. They're right. It is a disease. In Wuala's own discussion forum there are a number of happy customers pleading to stop using Java.

What really pisses me off is that on my 64-bit Windows 7, the only reason to have a 32-bit JRE is Wuala. All my other software utilizes the 64-bit version I also have installed. Whenever a new JRE version comes out, I need to update both versions. Also I simply cannot use Wuala on all of my computers. For security reasons, I refuse to install Java Runtime into them.

Wuala: Stop using Java now! Please.