Auke Kok

Shared publicly  - 
 
Adding this to my set of template email responses:

-----

I do not provide private support for open source projects. Please direct all your questions to the public mailinglist instead.

By not asking your question on a list, you deprive:

- yourself the chance of getting great answers from other people that read and post to the list;
- others the chance of learning from the questions and answers posted to the list.

In other words, please do not do that.

Regards,

Auke
9 comments
 
oh oh!  The current market price is unfortunately a secret. :D

Auke Kok

Shared publicly  - 
 
We went for an easter-egg hunt on our property yesterday with the kids (who loved it, of course), and our fruit trees were swarming, absolutely swarming with pollinators.

The extremely soft and warm winter this year has major drawbacks for water availability and fire risk (my guess is that the fire season technically already is started, except no fires have broken out yet... it's just bone dry in lots of places already).

As a side effect, due to the lack of frost most of the insects have survived en masse. This means good news for those with fruit trees as natural pollinators, so this pear tree will have 40+ pounds of pears again this summer, but my pine trees will be skinned alive by beetles.

Auke Kok

Shared publicly  - 
 
Second Seagate Barracuda 2TB drive failed for me. First one failed after 11 months, this one after 20. I'll have an unused refurb replacement for sale soon - no way I'm putting Seagate back in my raid array...

Tally so far:

Seagate - 2
WD - 1
HGST/Hitachi - 0
6 comments
 
I have a handful of Seagate drives that are holding strong - but they are older. Samsung spinning rust is on my black-list, but I'm very happy with the Samsung SSD I have. 

Thanks for the link, +Fryderyk Dziarmagowski .  That was interesting. 

Auke Kok

Shared publicly  - 
 
Predictable, but +btsync is now crippleware. A forced version upgrade for all mobile phone users and it's off to /dev/null with it.

Great idea, but forcing people to shell over money and breaking their existing 1-folder sync setup on purpose is not how you should market a version upgrade.

These folks have a lot to learn, still.
3 comments
 
“Nice”, indeed…

Auke Kok

Shared publicly  - 
 
Looking forward to updating my desktop!
 
Xfce 4.12 has been released!
Xfce 4.12 is the best release ever (yes, we like to party!)! Source : Internet comments. Today, after 2 years and 10 months of work, we are pleased to announce the release of the Xfce desktop 4.12, a new stable version that supersedes Xfce 4.10. This long period can only be explained by how ...
1 comment on original post

Auke Kok

Shared publicly  - 
 
I've been hanging out in #intel  on freenode.net. There's not too many others that stick around, but I've noticed a consistent stream of people looking for "directions". Would be fun if more colleagues and people interested in Open Source at Intel could join me and discuss all the cool stuff we do.
3 comments
 
+Jani Nikula  Have done so several times already!

Auke Kok

Shared publicly  - 
 
I've got a record of ~5000 sshd login attempt IP addresses, anyone know of a website that can convert that into a simple map quickly?

edit: Thanks to Frederik Deweerdt , here's the result:

http://i.imgur.com/v25nm3n.png
13 comments

Auke Kok

Shared publicly  - 
 
Some of you following me know that during the daytime I work on various Linux Distributions for Intel (including, in the past, MeeGo, Tizen etc.). But I've also been involved for a long time with a much more hard-core Linux Distro named "Lunar-Linux".

This is a rolling-release source distro, one that existed before gentoo was cool and before arch made fame to guys like +Greg Kroah-Hartman. Needless to say, I'm a sucker for punishment sometimes.

So while I'm out on paternal leave and the little one is napping (which is a lot, fortunately), I've been eyeballing that Nehalem system with a 3.6.5 kernel and older gcc/toolchain, as it obviously begs to be updated.

Doing a rolling release update spanning a good 2+ years is obviously a disaster, so I literally went from a fully functional system to barely, barely booting in a few hours of time. Fortunately, as long as you can compile code and download source code, you can get out of any mess. And that's what Lunar-Linux does so well - it builds anything you want given your current libraries and headers.

Needless to say, it does take some time to get out of a virtual reinstall. But once you know the 600 or so basic packages needed to make your favorite Linux Distro, you're pretty much chomping away at the list and problems go away pretty fast.

A bit more than a day later (in between errands, dinner times, play times, walkies, and my own night rest) I'm now back on pretty much tip-of-tree on most of my packages. I'm still surprised by the flexibility I have with my own little distro. Not many other distributions actually deliver 1-for-1 dependency choices. Even gentoo doesn't easily allow you to say use pulseaudio for one application, but not another. It sounds as overkill at first, but it helps, if anything, it helps you learn about the packages.

I've often thought of Lunar-Linux as an educational project, especially in the last few years. I've certainly not been as active and honestly it needs very little work to sustain itself at this point.

While I've thought often about replacing it on my main dev box with something else, I just don't see a Linux Distro that allows me to tinker this much and this freely.

One thing I did learn again, by doing this: I will never, ever, buy a system again that requires proprietary drivers to get maximum graphics performance. I'd waste hours trying out various random blobs that full on hang my system, or refuse to compile with the latest stable kernels. Or worse.

Here's to rolling release distributions! ;^)
3 comments
 
Yep! I am a big big fan of rolling releases... I have been running quite a few on my lappi for a long time. But, I must confess it gets weird sometimes; it's okay, we can fix this ourselves. I mean to say, most of the time I get over it.

Auke Kok

Shared publicly  - 
 
This is a major effort that needs lots of help from almost every core Linux component out there...
 
Deprecating Old Crypto in a Linux Distro: A tale of something that looked obvious but .. there's a lesson in it somewhere.

While working on my Linux distro project at work, one of the things I recently wanted to do is phase out old crypto.

Yes we all read Bruce Schneier's text and how important it is, but nothing drives it home like reading The Guardian articles followed by OpenSSL downgrade attacks in the last year or two.

Now, nothing should be defaulting to some of the antique crypto, but the only way to know 100% sure that the algorithms in question aren't being used is to just not compile them into the various crypto libraries of your distro.

So.. step 1 was to look at the algorithm list of openssl:

arjan@clr:~$ openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-
DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA




A few things stand out immediately.

RC4. This like seriously predates MD5, and MD5 is already suspect.

DES. Yes really. DES. In 1995 I worked at a company as an intern that made DES chips that you could use to brute force DES. In 1995, when Twin Peaks was on TV and you measured transistor sizes of a chip in micrometers not nanometers.

MD5. The general consensus seems to be that for crypto, you shouldn't use MD5 anymore. I'm not talking about SHA1, where one can argue that existing uses are still ok, but MD5.

I decided to draw my first line there, stick to the consensus and all that.

The good news is that OpenSSL is very configurable, and it's pretty easy to say

no-rc4 no-des no-md5

on the configure line (and for good measure, I added no-ssl2 and no-ssl3).

At this point, I thought I was on a roll, removing old crypto is easy, let's finish this 15 minute project before the project meeting starts.

So now on to the bad news. And sadly, there is plenty to be had.

openssl does not even compile with the no-md5 option:

make[1]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/ssl'
In file included from s3_srvr.c:171:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
In file included from s3_clnt.c:158:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
....


Ok, so MD5 is technically not insane broken for small packets, and it's just consensus not so much hard earned proof, so maybe deprecating md5 is a project for another day.

openssl does not even compile with the no-des option:

make[2]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/apps'
../libcrypto.so: undefined reference to `EVP_des_ede3_wrap'

or when you fix that, it does not pass its test suite (I'll spare you the details). 

Now here I had to draw a line. 20 years ago DES was not secure.. never mind today. I wouldn't be surprised if someone will chime in and say that their smartwatch can brute force DES in realtime now.
So.. fixing it is.

I suppose the good news is that no-rc4 went just fine.

The success story then, with the list of crypto from openssl after no-rc4 and no-des:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA

no DES, no RC4.




But, as it was a Monday, the misery only started there (Dave Jones should have taught me that misery is like lawyers, it always comes in pairs).

I threw the no-rc4/no-des package into our build system, and in no time the world came apart on me. Half the distro broke!
Well not half, but several very important pieces.

It turns out that components like curl, libcurl (so anything speaking http), wget, openssh, mariadb, ...

all hard-code DES usage. Now, I'll give curl credit, with creative use of configure options, you can make it not compile DES in, but you can't then make it pass its testsuite.

There must be a lesson in here somewhere.

One, our team will be fixing these projects to not require DES (or RC4), and we'll send those patches to the upstream projects of course.

But more, and this is a call to action: If you're working on an open source project that uses crypto, please please don't opencode crypto algorithm usage. The algorithm may be outdated at any time and might have to go away in a hurry. And if you have to use a very specific algorithm anyway (for compatibility or otherwise), at least be kind and make a configure option for each algorithm in your project, so that when things go bad (be it in 5 or 20 years), it's very feasible to disable the algorithm entirely.
29 comments on original post
2 comments
 
We should actually have these ciphers disabled by default, so indeed it affects every Linux distro.
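
The check the post above does by eye on `openssl ciphers` output, as an added shell example (not code from the post or from OpenSSL): it flags suite names containing RC4, DES/3DES or MD5 and can gate a package build. The function names and the two sample lists are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the post. Flags suites in an
# `openssl ciphers`-style list whose NAME contains RC4, DES/3DES or MD5.
# Name matching cannot see algorithms a library uses internally.

# classify_suite NAME: print the legacy families named in one suite.
classify_suite() {
    hits=""
    case "-$1-" in *-RC4-*) hits="$hits RC4" ;; esac
    case "-$1-" in *-DES-*|*-3DES-*) hits="$hits DES" ;; esac
    case "-$1-" in *-MD5-*) hits="$hits MD5" ;; esac
    printf '%s' "${hits# }"
}

# audit_ciphers LIST: print "suite<TAB>families" for every flagged suite.
audit_ciphers() {
    # Undo terminal/paste line wrapping before splitting on ':'.
    list=$(printf '%s' "$1" | tr -d ' \t\r\n')
    old_ifs=$IFS; IFS=:; set -f
    for suite in $list; do
        [ -n "$suite" ] || continue
        why=$(classify_suite "$suite")
        [ -z "$why" ] || printf '%s\t%s\n' "$suite" "$why"
    done
    set +f; IFS=$old_ifs
}

# require_no_legacy LIST: build gate, non-zero if anything is flagged.
require_no_legacy() {
    found=$(audit_ciphers "$1")
    if [ -n "$found" ]; then
        printf 'legacy suites still enabled:\n%s\n' "$found" >&2
        return 1
    fi
}

# Constructed samples built from suite names that appear in the post.
# BEFORE contains a mid-name line wrap, as pasted terminal output often does.
BEFORE='ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:RC4-MD5:SRP-DSS-3DES-EDE-CBC-SHA:ECDH-RSA-
DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA'
AFTER='ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA'

audit_ciphers "$BEFORE"
if require_no_legacy "$AFTER"; then
    echo "AFTER list: clean"
fi
```

On a real system the argument would be the output of `openssl ciphers` from the freshly built package, so the gate fails the build if a later configure change lets a legacy suite back in.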

Auke Kok

Shared publicly  - 
 
Planting season - it's almost over already. We had 2500 trees or so planted this week, starting quite the transformation of our weed-overgrown pasture. In 4-5 years or so, most of it will be a thick forest, and we'll have to fight the trees to keep the views. For posterity; here is what the views were today, in an absolutely gorgeous 70F+ day up on 1200ft elevation. I ended up walking around in a T-shirt since my sweater was too warm.
2 comments
 
All Douglas Fir. The elevation is prohibitive to many of the other species.

Auke Kok

Shared publicly  - 
 
This has to be said out loud: +SourceForge  - your download site is THE WORST EVER for anyone doing any form of automation. There is so much wrong with it, I can't even start.

First, you MINDLESSLY redirect http:// requests to https://. Not every `wget` or `curl` has proper SSL checking and so downloads fail needlessly on machines that just need one tarball.

Second, your MAZE of mirrors is utterly useless. Really, I don't give a pijama button about how fast the download goes on my headless VM console login, please please stop trying to make me guess which URL mirror will give me 10kb/s better. I just want the one thing: that tarball I needed.

I realize you NEED advertising to survive, but CAN YOU PLEASE allow me to "copy link location" WITHOUT already opening the download in my browser? I need that 100mb file on that remote VM, not on my desktop. My ~/Downloads/ on my system is littered with downloads that I never wanted. You're actively wasting a gazillion bits this way.

And for the love of the flying spaghetti monster, please stop listing mirrors that don't have the files you link to.

Damn you make life hard for people working on Linux Distributions.
16 comments
 
Issues like these are why everyone I know has moved their projects off sourceforge years ago...

Auke Kok

Shared publicly  - 
 
+Darren Hart​​ is a great guy and mentor to work with... This is a great opportunity.
 
Embedded is big at Intel and we're hiring! There is a strong preference for Portland, OR for this position. EDIT: technically, this is a Hillsboro, OR location.
1 comment on original post
 
Seconding this.