squid reverse proxy: improving your ssllabs score

April 30th, 2015


Quality ramblers rejoice!  I’m back for a rare quality ramble.  Articles for sorting out SSL configs are aplenty if you’re after nginx or Apache, but for squid they’re sadly lacking.  So here we are.

I have a client who has some pokey old squid reverse proxies.  They’re running on RHEL5 with Squid 2.6.something and openssl 0.9.8e.  Encouraging the client to upgrade those is another battle, but making the most out of what we’ve got does give us a nice challenge.  And being a low baseline means that if you have newer packages, you too can bump your ssllabs score up.

So first of all, what’s ssllabs?  It’s an online tool hosted and maintained by Qualys, who use it to drum up business for themselves, but they also freely share it.  You can use it to perform some security testing against any secure website that’s accessible on the internet, and you can find it here.  I’ve been aware of this tool for a while now, but I found it really came into its own after the Heartbleed and POODLE vulnerabilities.  It gives a manglement friendly output too, which helps when you’re submitting Change Orders.

So an initial test against a handful of my client’s URLs was pretty grim reading: F grades across the board with a laundry list of major issues reported.  And it was even worse after I compared them to their peers, most of whom had been paying attention to website security.  Now, I should point out that the client’s website security isn’t strictly my responsibility, but I am responsible for the Squid config and the underlying OS, so there’s an overlap there between myself and the web services team.  They didn’t seem interested in keeping tabs on security, so I simply got proactive.  Over time I’ve nursed it up to the B level shown, with a couple more tweaks due to go in soon to cater for the CRIME attack and to begin fixing Forward Secrecy.  Beyond that, we need an upgrade to get a new version of OpenSSL and TLSv1.2.

With that background in mind, let’s get to it.  First of all, a typical https_port line in /etc/squid/squid.conf might look like this:

https_port  443 accel defaultsite=someinternalhost vhost cert=/etc/squid/CertAuth/supersecret.crt key=/etc/squid/CertAuth/supersecret.key options=NO_SSLv2 cipher=DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA

Well, that’s going to get you a lot of alerts.  But let’s look at some of the other alerts that you’ll find in your ssllabs report:


Some of these are recommendations, others we simply cannot deal with as our hands are tied by an old version of OpenSSL, but we can deal with some of them.  Firstly, Heartbleed: if you haven’t updated OpenSSL, do that NOW.  Next, Forward Secrecy, also known as Perfect Forward Secrecy.  To address that alert, you need to generate DH parameters into a dhparams.pem file, like so:

openssl dhparam -out dhparams.pem 2048

Note1: the Java clients in the ssllabs test will complain, because they can’t support more than 1024 bits.  On balance: two old Java versions vs everything else… when people should be upgrading Java?  Exactly.  You can choose to generate a 1024 bit pem file though, if you want.  You’ll just weaken Forward Secrecy across the board.

Note2: I have opted in this example to go for 2048 bits, but really, you can go for 4096 if you like.  You’ll only break one extra version of Java.

Because we already have our certs in /etc/squid/CertAuth, that seems as good a place as any to store it.  And then we append it to each https_port line in our squid.conf file.  While we’re here, we also want to make some changes to the ciphers and disable SSLv3 and RC4.  We can borrow a decent list from an Apache-based article here.  So ultimately, each https_port line should now read like this:

https_port  443 accel defaultsite=someinternalhost vhost cert=/etc/squid/CertAuth/supersecret.crt key=/etc/squid/CertAuth/supersecret.key options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 dhparams=/etc/squid/CertAuth/dhparams.pem

You’ll note a few changes: firstly, we’ve added NO_SSLv3 to mitigate POODLE.  I put that one in on day 0, it took the Checkpoint boys three weeks to catch up!  We’ve added CIPHER_SERVER_PREFERENCE, and put in a complete cipher suite going from strongest to weakest.  We’ve also outright disabled the RC4 cipher to mitigate BEAST, and the EXPORT ciphers to mitigate FREAK.

Note that in the old environment that I’m working in, openssl 0.9.8e doesn’t support half of these ciphers, which is fine – it’ll ignore the ones it doesn’t recognise.  This really means that we’re getting our squid.conf file ready to be essentially plug and play when a new RHEL6 or RHEL7 squid platform is stood up.
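As an added example (not part of the original post), here is a small shell linter that checks an https_port line for the hardening points walked through above: NO_SSLv2 and NO_SSLv3, CIPHER_SERVER_PREFERENCE, no RC4 or MD5 suites explicitly listed, and a dhparams= file present. It is run against the two lines from the post; it only inspects the text, so neither squid nor openssl is needed.

```shell
#!/bin/sh
# Added example, not from the original post: a linter for an https_port line
# in squid.conf covering the hardening points discussed above. It inspects
# the text only; squid and openssl are not required.

# Print the value of a key=value token on the line, or nothing if absent.
port_value() {              # $1 = https_port line, $2 = key (options, cipher, dhparams)
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeed when the comma-separated options= value contains the named flag.
has_option() {              # $1 = options value, $2 = flag name
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Print each explicitly listed suite that uses RC4 or MD5; exclusions such
# as !RC4 and !MD5 are skipped. Prints nothing for a clean cipher string.
weak_suites() {             # $1 = cipher= value
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | grep -E 'RC4|MD5' || true
}

# Print one finding per line; a line that passes every check prints nothing.
lint_https_port() {         # $1 = https_port line
    opts=$(port_value "$1" options)
    ciphers=$(port_value "$1" cipher)
    dh=$(port_value "$1" dhparams)
    for flag in NO_SSLv2 NO_SSLv3 CIPHER_SERVER_PREFERENCE; do
        has_option "$opts" "$flag" || echo "missing options=$flag"
    done
    for suite in $(weak_suites "$ciphers"); do
        echo "weak cipher suite listed: $suite"
    done
    [ -n "$dh" ] || echo "no dhparams= file, so DHE suites have no DH parameters"
}

# Number of findings, printed so callers can compare it as an integer.
finding_count() {           # $1 = https_port line
    lint_https_port "$1" | grep -c . || true
}

# The two https_port lines from the post: the original and the hardened one.
SQUID_BEFORE="https_port 443 accel defaultsite=someinternalhost vhost \
cert=/etc/squid/CertAuth/supersecret.crt key=/etc/squid/CertAuth/supersecret.key \
options=NO_SSLv2 \
cipher=DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:\
KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:\
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA"

SQUID_AFTER="https_port 443 accel defaultsite=someinternalhost vhost \
cert=/etc/squid/CertAuth/supersecret.crt key=/etc/squid/CertAuth/supersecret.key \
options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE \
cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:\
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:\
ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:\
DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:\
ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:\
AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:\
!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 \
dhparams=/etc/squid/CertAuth/dhparams.pem"

echo "== original line =="
lint_https_port "$SQUID_BEFORE"
echo "== hardened line =="
lint_https_port "$SQUID_AFTER"
```

The original line produces seven findings (two missing options, four RC4/MD5 suites, no dhparams=) and the hardened line none.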

Finally, TLS Compression.  In newer versions of squid, you should be able to add NO_Compression to the options line, but in older versions like I have, we can use an Apache trick.  Append the following to /etc/sysconfig/squid:

# Disable TLS Compression

and then restart squid:

service squid restart

And there you have it. A pretty wordy article, resulting in a couple of copy-pastas and you’ll have your squid config in a better position. You can then move on to the nice-to-haves like HSTS and OCSP Stapling.

Good luck!

The difficult task of explaining extreme rage

April 23rd, 2014

On 8 November 2012 the NSU was notified of a 10 month old re-screened baby diagnosed with a hearing loss that should have been detected at screening. The baby was identified as one for whom the screener had screened both of her own ears. The hearing loss is bilateral and classified as a severe to profound sensorineural loss. Clinical advice regarding the delayed diagnosis is that the age of the child at diagnosis is still early and any impact on the social, language and other development of the child would be small. The baby is to have a cochlear implant at 12 months old.


The baby was identified as one for whom the screener had screened both of her own ears.

OK.  Right.

The baby was identified as one for whom the screener had screened both of her own ears.

My eyes danced over the words one last time as my brain seemed to be taking its time in absorbing them and extrapolating their meaning.  I had been given a copy of the delightfully named “Quality improvement review of a screening event in the Universal Newborn Hearing Screening and Early Intervention Programme” document from the NZ Ministry of Health, dated December 2012. I had it a day in advance of its public release, so I was reading it, and had managed to get to page 18 (or, page 19 in the above linked version).

And suddenly… I felt… odd.  You see, I knew for a fact that “The baby” was my daughter, Addison.

What is the angriest you’ve ever been?  Stop and have a think about that for a moment.  I mean, sure, we may get disgruntled at people who leave their trolleys in the middle of the fruit and veg section of the supermarket, or the morons who sit out in the overtaking lane on the motorway or expressway, cruising along and holding up traffic. But I don’t mean that casual misanthropy that many people experience every day as they sweat the small stuff.

If I was to list an escalating scale of rage, it would go roughly something like this:

  • Uncomfortable
  • Disgruntled
  • Cross
  • Mad
  • Angry
  • Pissed off
  • Furious
  • Road Rage
  • Red Hot Rage
  • White Hot Rage
  • Blackout Rage
  • “Going Postal”
  • Grabbing a rifle and finding a belltower
  • Where I was on 30 Jan 2013

That it’s taken me this long to write about it should also be telling.  But allow me to backtrack, to flesh out the story.

Late December, 2011.  My partner, Kerrie, and I, were expectant parents and had gone through the usual nesting activities.  The last trimester had been tough for all parties, as Kerrie had had some health issues, but we had great support from our families and friends, and due to Kerrie’s issues, we were able to select a date and time to deliver via elective c-section.  So there’s that silver lining, I suppose.

Anyway, immediately after your baby arrives, you have a sub-conscious “mental check-list”, or at least I did.  It goes something like this:  Umbilical cord cut?  Check.  Looks like me and not the milkman?  Check.  Birthing suite doctors are happy?  Check.  All fingers and toes present?  Check.  And so on.

As I didn’t have enough leave built up for any sort of paternity leave, I was at work a day or two later when the newborn hearing screener arrived in Kerrie’s hospital room, blurted a series of words at a million miles a second, woke Addison up, punched a few buttons on the machine that she’d brought into the room, said that everything was ok and then left.  Kerrie didn’t think much of it, soothed Addison back to sleep and tried to get some sleep herself.  She later told me what had happened, to which I simply assumed that the job was done right by someone in a rush, and added another check to my mental check-list.

Hearing test passed?  Check.

A couple of days later we took Addison home and went about our lives, struggling through the usual adjustment period: the shock of sleep deprivation, feeding, changing nappies etc.  I had created a white noise CD using some freely available tracks and purchased a small stereo for Addison’s room.  We figured it was working, because she was sleeping quite well.  It might have helped us too, hissing away through the baby monitor, but you really don’t sleep normally in those first three months.

When Addison was about 9 months old, we received a letter from the Hutt Valley DHB, stating that they’d found a flaw in their testing method and that they were encouraging parents to bring their children in to be retested.  We initially dismissed it, thinking that Addison was hearing perfectly fine.  She would turn to face us when we entered a room, and seemed to be reacting to our baby babble, so as far as we could tell, she was a fully hearing baby.  But I later sat behind Addison and clapped my hands loudly.  I got no reaction.  My heart sank, but just a little.  I’m a realist – it could simply be glue ear, I reasoned.

But suddenly there was a big, red question mark on my mental check-list.  And that didn’t sit right with me.  Plus what would we have to lose by taking her back to be re-screened?  At least half an hour of our time?

Two tests with the Audiologists at the Hutt Hospital later, and we had our diagnosis.  Almost immediately, we were introduced to our Advocate of Deaf Children (AoDC) – someone from the Ministry of Education who helps and guides parents of deaf children.  We were given a stack of information brochures, and a couple of DVDs.  Moulds were taken of Addison’s ears, and she was fitted with high power Hearing Aids (HAs).  We were told that they would not give her access to language, but it was important to do whatever was possible to keep the auditory nerves working.  Until, at least, we were able to recover from the shock, and make an informed choice forward.

Our daughter is profoundly deaf.  She could be sitting on a runway and she might be able to hear a nearby jet’s engines.  Might.  Turns out the human brain is very good at compensating – Addison had been turning to face us due, probably, to seeing a shadow move, or feeling vibrations in the floor.  Or even sensing pressure changes in the air.

Then we were told that New Zealand only funds one Cochlear Implant (CI).  If we wanted a second one for her, we’d need to raise NZ$50,000.  Neither our Audiologist nor our AoDC had informed us of this with any malice whatsoever, hell we had probably asked a question prompting that answer, but it still felt like being kicked when I was down.

And I was dumbfounded, too.  I mean, depending on your beliefs, we were either created with or evolved two ears for a reason, right?  Surely two CIs made sense, then?  How is it, that New Zealand, a first world country, was denying access to what any reasonable person would assume (and which I’ve since confirmed) would be medical best practice and care?  Especially for its most vulnerable citizens?  Yes, New Zealand isn’t perfect, but I’d never, ever, thought that I could be ashamed to be a New Zealander.  Until that moment, and every time I dwell on it now.

Many parents in this position grieve.  I know one who cried for a week when she found out that her child was profoundly deaf.  On a pre-op visit to our surgeon, there were a bunch of med-students who happily played with Addison, and our surgeon asked us “Have you grieved yet?”  Which took me aback at first.  But individuals react to shock in different ways, and there is no one true, correct way to react.  And no one way is superior to another – whatever your natural response is, is very likely the right one for you.  Kerrie didn’t take it well, at all.  I, on the other hand, initially felt very numb, but quickly shifted to an attitude of “right, let’s get on with it.”  I’ll admit that I’ve had tearful calls home to Mum about silly things like heartbreak, but not that phone call.

What happened next is a bit of a blur, but the media were there to document some of it.  I started a givealittle fundraising page, a few parents and advocates who had been through this before got in touch with me and offered their support and advice, and we were published in the DominionPost on 21/12/2012.  And on 01/02/2013, a day or two after I had read the report, we were published again.  It fudged my quotes slightly, but the gist of it was simmering away underneath.

Mr Blundell said the report had left him angry and struggling to understand why anyone would fake results for a newborn baby.

While the Hutt Valley District Health Board had been great in helping Addison, he felt it should have told him her test was faked. “It is frustrating that they weren’t 100 per cent upfront.”

You read that right.  The moment I found out that Addison’s hearing screener had tested her own ears instead of Addison’s was when the words “The baby was identified as one for whom the screener had screened both of her own ears” finally registered in my brain maybe half a second after I’d first read it.  There were, of course, other things to get mad about in the report.  Like the fact that several other screeners around the country had done the same thing.  Or that the same had happened in the UK a few years earlier, and recommendations from that incident had not been adopted by NZ.  The report also noted that some of the screeners were disgruntled: they felt that they were over-worked, under-appreciated, under-paid and not given due respect from midwives.  Without being too dismissive: suck it up and join the club.  Most working people have those feelings, but not all of them get a $50k per year part time job after a two week course.  Yes, it was only 8 out of approximately 108 screeners who had stuffed up, and obviously most of the screeners were working hard, doing their job right and finding it to be rewarding work.  But that’s still a high percentage of unprofessional bad apples, especially for such a role.

So there was a lot for me to be mad about, but only one thing to take me over the edge.  And, like that, I’ve segued back to the topic of my rage.  Words like livid, furious, and ropeable simply can’t express just how angry I was.

So what was the experience like?  Somewhat ironically, everything went silent.  Except for the thumping of my pulse, which seemed to get louder and faster.  I shook violently for a couple of seconds as I shifted gears through the stages, but somehow I redlined, skipping the levels that would have had me lash out and/or go on a homicidal rampage.  Or at the very least, trash my office.  Soon, my breath got shallower, I felt light-headed, and my computer monitor seemed to oscillate in colours through what little tunnel-vision I had developed.  The pulse that had been pounding away in my head like a furious steam engine from hell had crescendoed and was calming.

And then I found myself sitting there, sipping on my cup of tea.  The world could have been melting down around me in nuclear Armageddon, and I’d have been content with that, in the moments before I was disintegrated with a psychotic smirk on my face.  I wanted the world to burn.  It was by far the scariest sensation I’ve ever had, and trust me, I don’t want to do it again.

I don’t remember how long I sat there like that, or the come-down, not even vaguely.  But writing this out tonight, it seems like there’s a sort of bell curve of coherence in the rage scale.  Possibly there’s room for an option beyond what I experienced, perhaps it’s vengeance, considering that the reaction gets more conscious and calculated in the later stages.

Epilogue, of sorts:

The day that the above article was published, our Audiologist read it and immediately called me.  She explained that the reason we weren’t told was because at the time of Addison’s diagnosis, all of the thousands of test results that had been performed nationwide were still being pored over with a fine tooth comb, and that there had been an extremely small space between completion of that review and the release of the report.  She reiterated what the report said: that the screeners at fault who had been interviewed had all claimed that they’d done nothing wrong.  She then explained that without an admission from the screener at fault, they couldn’t say with 100% certainty, either, that the screeners had tested their own ears.  What they could tell, though, as highly experienced and educated Audiologists, was that the results submitted for a lot of children certainly were not the ears of children.  They were the ears of adults.  And the likelihood of the screeners submitting another adult’s ears was realistically slim, which leaves a 99.999% probability that the screeners were testing and submitting their own ears.  Also, in some cases, it was standard practice for a screener to test their own ears each time they started their test machine, in order to compare to a known test result.  Because of this, it was easy to match that known test result to the results submitted for some children.  I’d calmed down by the time she called me, so I absolutely appreciated her call and explanation.

We were also published on 19/03/2013, 21/03/2013, and 23/04/2013.  Long story short, HVDHB underwrote the cost of the second implant.  With help from my medical insurance, and generous donations from local Hutt Valley Rotary clubs, the Stokes Valley Freemason’s Lodge, the Croft Funeral Home, and not to mention dozens of anonymous (and some not-so anonymous) donations via givealittle, we were able to get Addison’s second implant at the same time, and pay it off in full.  Addison has just gone one year since her switch on, so she is one year old in hearing age.  Her language development is coming along nicely, both auditory and sign.  We have good expectations of her continued development, will continue to pay forward the help that we got, and we will continue to advocate for funding for bilateral CI’s.

We haven’t received an apology from the Ministry of Health or the Minister of Health, by the way.

The Pakeha Party

July 9th, 2013

So I’ve come out of blogging retirement for this one. News yesterday is that some guy wants to start-up a Pakeha Party. And, rightly, his motivation was the Mana Party’s bizarre policy to give preferential treatment to Maori for housing loans. Owning a house doesn’t necessarily help people get out of poverty. What it does do is give responsibility, and remove all that stressful meddling from Housing NZ. Whether that’s good or bad for Maori and NZ is debatable.

But the Pakeha Party crowd take it a step further. Yes, I understand that the creators of this idea are very likely taking the piss, and in a few days will start saying things like “we wanted to start a discussion that’s overdue in this country”, but they’ve really stirred up quite a crowd – notably mostly Cantabrian – and they’re demanding equal access to everything that Maori get. No matter what it is.

So for all you people clucking your tongues in tune with them: Fine.

You can have the reduced access to healthcare coupled with the increased risk of diabetes, heart disease, obesity, and around 8 years less life expectancy.

You can have the tail end of decades of institutionalised racism, cultural repression and social neglect which has kept your people over-represented in all manner of statistics such as unemployment, crime rates, living below the poverty line, poor educational outcomes and poor educational participation.

You can have the increased harassment from Police, and the heavier hand of the law. (Yes, you’re more likely to be pulled over if you’re brown, and you’re more likely to go to jail than your not-brown criminal peers, and if you do go to jail you’re more likely to get a longer jail sentence. Not as bad as in the States, say, but still measurable here.)

You can have rightful access to affirmative action opportunities. But your penance for daring to use these opportunities to get yourself out of the vicious cycle of social malaise is that your countrymen – who should know better – will unjustifiably deride you, hate you, and bring out the worst in themselves to attack you. They’ll conveniently ignore the fact that similar opportunities are available to them, and other groups.

Or you could pay a worse price, you could become one of them; a Baula Pennett type who uses such opportunities to advance and improve their lives, only to turn around and deny those same opportunities to those who could use them.

You can have all the historical injustices too. And there are too many to list. I like the one where your ancestors fought and died in two world wars, for their country, and upon return, their fellow servicemen were gifted farms by the government. Nobody in their battalion – who made it back – got shit. Wrong coloured skin, you see.

Yes, you can have all of these things and more! And I tell you what, if you lot had these things, they’d be fucking fixed overnight. And then we could “move on as one people”, the usual mantra of a pack of morons who don’t understand the irony of their constant battling against giving a hands up: the delays caused by this only put the goalposts further away.

I’m neither Pakeha nor Maori. I’m not a born again Maori, I’m not Ngati Urban so the ‘plastic’ label also doesn’t apply and I’m clearly not a Hori Hardcore. I’m a New Zealander with heritage on both sides, and I think the lot of you should hang your heads in shame. Doesn’t matter which party you support or which side of the political spectrum you’re on. When you subscribe to ignorance, racism, xenophobia and garden variety “bashing those worse off than you”, you’re engaging in un-kiwi behaviour. You dishonour your country, and yourselves.

Published – 2012 version

June 28th, 2012

Lovage – Lifeboat

Long term readers may recall that back in April 2008, I wrote a letter to the local newspaper and despite my best efforts to put in cheekiness, it was published. I’m not really big on writing letters to the papers, but every so often there’ll be something I’m passionate about being discussed, so I’m compelled to put in my 10 cents. Here’s the latest one, again the editor allowed it even though it far exceeded the word count guidelines, this time it was the first letter published, and I’m published alongside Sir Bob Jones!

A letter to the editor regarding the Lower Hutt Cross Valley Link

Click for a larger version (2 Megs)

Also, I was rather pleased by Linux Mint 13’s handling of the scanning of this. I plugged in my scanner expecting to have to fart around installing xsane etc, but nope – I fired up Simple Scanner, my scanner had been detected and a few clicks later I had a 1200dpi master copy.

Is your Linkedin password leaked?

June 7th, 2012

Pink Floyd – Keep Talking

News has been spinning around the net that over 6 million passwords from Linkedin have been leaked.

The general advice is to change your password, but what if you want to check that your password is on the list? You should still change your password anyway, but there’s nothing stopping you from checking. Here’s how (Linux is assumed, adjust to suit your OS):

Method 1:
Put your trust in this website.  I didn’t, but that’s not to say that they’re not legit though: www.leakedin.org

Method 2:
Download the list of leaked passwords from here: www.mediafire.com/?n307hutksjstow3 (116M)  It’s just a list of hashed passwords, no other information seems to have been leaked.

While that downloads, calculate your hashed password e.g.

echo -n password | sha1sum
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8  -

It seems that the crackers are marking passwords they’ve successfully worked with (up to the point of this version of the list) by zeroing out the first 5 chars, so we can do this with sed:

echo -n password | sha1sum | sed -r 's/^.{5}/00000/'
000001e4c9b93f3f0682250b6cf8331b7ee68fd8  -

When the file has finished downloading, give it a cursory virus scan:

rawiri@minty ~ $ clamscan Downloads/SHA1.txt_1.rar
Downloads/SHA1.txt_1.rar: OK

----------- SCAN SUMMARY -----------
Known viruses: 1248587
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 116.25 MB (ratio 0.00:1)
Time: 3.675 sec (0 m 3 s)
rawiri@minty ~ $

Cool, now with the file unrar’d, we simply search for the password hashes using grep:

rawiri@minty ~/Downloads $ grep 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 SHA1.txt
rawiri@minty ~/Downloads $ grep 000001e4c9b93f3f0682250b6cf8331b7ee68fd8 SHA1.txt
rawiri@minty ~/Downloads $

Because the example password is a dictionary word, the second hash is basically guaranteed to be found.
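As an added example (not part of the original post), here is the two-hash lookup above wrapped in shell functions: it hashes the password, derives the zero-prefixed form the crackers used to mark recovered entries, and classifies the password against a dump. The dump here is a constructed four-line stand-in for SHA1.txt, not the real file.

```shell
#!/bin/sh
# Added example, not from the original post: the full-hash and masked-hash
# lookup described above, run against a small constructed dump rather than
# the 116 MB SHA1.txt.

# Hex SHA-1 of a string, without the trailing "  -" that sha1sum prints.
sha1_hex() {                 # $1 = password
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -c1-40
    else
        printf '%s' "$1" | shasum -a 1 | cut -c1-40     # e.g. macOS
    fi
}

# Rewrite a hash the way the crackers marked already-cracked entries:
# the first five characters replaced with 00000.
mask_cracked() {             # $1 = 40-hex-digit SHA-1
    printf '%s\n' "$1" | sed 's/^.\{5\}/00000/'
}

# Classify a password against a dump (one hash per line):
#   cracked - the masked form is present, so the password was already recovered
#   leaked  - the full hash is present but had not been cracked at dump time
#   clear   - neither form is present
leak_status() {              # $1 = password, $2 = dump contents
    full=$(sha1_hex "$1")
    masked=$(mask_cracked "$full")
    if printf '%s\n' "$2" | grep -qx "$masked"; then
        echo cracked
    elif printf '%s\n' "$2" | grep -qx "$full"; then
        echo leaked
    else
        echo clear
    fi
}

# Constructed stand-in for SHA1.txt: the masked hash of "password" (from the
# post), the unmasked SHA-1 of "abc", and two made-up filler entries.
SAMPLE_DUMP="000001e4c9b93f3f0682250b6cf8331b7ee68fd8
a9993e364706816aba3e25717850c26c9cd0d89d
00000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
ffffffffffffffffffffffffffffffffffffffff"

for pw in password abc not-in-the-dump; do
    printf '%-16s %s\n' "$pw" "$(leak_status "$pw" "$SAMPLE_DUMP")"
done
```

Searching only the full hash, as a naive grep would, misses every entry the crackers had already recovered, which is exactly the set a defender most wants to find.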

Method 3:
Give me your hashes and I’ll check for you, honest 😉

As it turns out, my password is in fact on the list, so I’ll be changing my Linkedin password ASAP.

Do we hate all ‘Maoris’?

May 20th, 2012

My brother Tamati linked to this article on his Friendface feed. Below is a copy and paste of my response… I may add to it and flick it towards the related discussion on Reddit.

He’s an ignorant asshat who is simply regurgitating the rhetoric that’s typical of his generation. Of course his statements are racist because they’re directed at a particular race (I ‘meh’ that term, because truly there’s only one race – the human one, e.g. http://www.youtube.com/watch?v=08VCkyG_C2s ). A statement can be positively racist like “gee, those Jews are good at finances!” or “golly, those Islanders are good at sporting activities due to their genetic predisposition for athleticism and great strength!”

Facts are facts though: Maori were one of two signatories to the Treaty of Waitangi. They are therefore one of the two founding peoples at the point of the founding of this nation by the signing of our incumbent and reigning founding document.

Maori then got shafted outside the terms of the agreement. WWI and II left thousands of whanau without male role models, which was severely damaging to the Maori societal structure, the effects of which we still see today in over-representation in crime/abuse statistics and especially in the gangs – traditionally filled by fatherless Maori males who, without traditional male guidance, started getting into trouble, got shipped off to borstals and became disenfranchised and disconnected from both sides.

Then there was the decades of cultural repression. Granted, Maori didn’t have it as bad as say, Native Americans or Australian Aborigines, but they didn’t exactly get their just dues either.

So what have we seen in the last 20-30 years? A resurgence of an almost extinct culture and language, wrongs being righted, and Affirmative Action (aka Positive Discrimination) policies being put in place to give impoverished Maori the opportunities to rise out of their rut. Net result is that Maori are gaining their rightful share as a founding people of this nation.

I want everybody to be a New Zealander just as much as the next ignant-honky-ass-mofo, but grievances have to be settled first and everything has to be in its rightful place, and that’s going to take time.

What chumps like him need to realise is that getting people out of poverty leads to growth and subsequently a stronger New Zealand. Just like bottoms-up economics but with fringe benefits like general societal improvements. Things happen to tend to favour Maori because they are a founding people and, especially in terms of intra-tribal investment (e.g. healthcare, runanga, scholarships) it’s because that’s the tribe’s money to do with as they bloody well please.

What really irks me is upset Uni students bitching about Maori classmates – “how dare they use opportunities that are available to them! And how dare their tribes invest tribal money in them in order to ensure a higher rate of education amongst its people and hopefully to have wider returns in terms of getting other tribal members better off… THE CONCEIT OF THESE SAVAGES! I’m going to turn my jealousy into uninformed racism and ignorance instead of doing something ironic like educating myself on the facts. Uni library – pah!”

Interestingly, if you turn around and say “oh my local AOG church gave away a scholarship but it pretty much only goes to an islander”, these same complainers wouldn’t have a problem.

Finally, the NZ Bill of Rights (Section 19(2) specifically) puts it in law that people like him who are basically against Affirmative Action can fuck.right.off:

“Measures taken in good faith for the purpose of assisting or advancing persons or groups of persons disadvantaged because of discrimination that is unlawful by virtue of Part 2 of the Human Rights Act 1993 do not constitute discrimination.”

Actual finally: I hate the term “Maoris”, because it just shows the ignorance of the speaker/author, and to read it’s like the equivalent of nails on a chalkboard. Te Reo does not have an s in its alphabet and does not pluralise like English does. The Te/Nga differentiation is one of the simplest Maori lessons…

On giving your Facebook password in an interview

March 21st, 2012
Royksopp – Miss It So Much

Yeah, I know it’s been a long while since I last posted.  There’s some catching up to do, and once I get a good dose of motivation I’d like to link this blog with my WordPress and Facebook profiles in some limited way.  But right now I have something to get off my chest and this gives me an opportunity to test Blogilo.

Earlier today, one of the recruitment agents who has worked hard to ensure that I remain employed, linked to this article and asked the following on LinkedIn: 

What are your views? Most people seem to google potential employees already. Something to be aware of. With the way privacy settings keep changing, you would be wise to check your Facebook settings on a regular basis. If you read the fine print you will find some apps have allowances to access your own facebook inbox which I promptly deleted! It also begs the question as to whether an online persona is truly indicative of the actual person.

This is something that I’m fairly passionate about, so I responded thusly:

Outside of double checking your privacy settings and generally just making sure that your name ‘Googles well’ so that you improve your chances of getting to the interview, all I can say is that yeah; the Facebook Terms of Service are clear. Section 4, Clause 8 and I quote:

“You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.”

The real questions then are: Are you comfortable, as a job applicant, working for a company that clearly has no issues with attempting to force (or forcing you), under duress, to breach your contract with Facebook? What does that say about how they’ll conduct themselves during your employ? Their ethical and moral compass? And is that the kind of employer you want to lend your loyalty to? (realistically it’s probably just some HR type on a power trip, not a complete reflection of the employer, but I digress)

And anyway, as someone who works in IT and is entrusted with passwords to seriously important kit, what does it say about you if you hand over your own passwords so readily?

I haven’t been asked yet in an interview to either log in to Facebook or cough up my details, but if I were prompted to do so, I’d decline and explain why. If they insist, I’d simply stand up, thank them for their time and leave. From there it’s either a thankful and explanatory email to the potential line manager + head of HR if you really wanted the job, or a complaint to the Department of Labour, or you write that job off your list of potentials and move on.

This is also one reason why I’m a fan of LinkedIn – it allows you to draw a solid line between your professional and private lives. If an interviewer wants to know how I conduct myself professionally (i.e. what actually matters to the employment relationship) then they’re more than welcome to look at my LinkedIn profile.

I won’t be forced to show them my private information though, not because I necessarily have something to hide, but because it’s none of their business. That and I don’t want to work for a company that has the deluded belief that how I conduct myself in my private life has a direct correlation to how I conduct myself professionally. It’s just like mandatory drug testing: Generally speaking, provided the employee’s productivity and professional conduct isn’t impacted, what they do on their own time is their business and their business alone.

By the way, this was discussed on Reddit today. There are plenty of comments with American-specific legalese, but mostly some interesting points and stories:


I then went on to look further at the ToS and added this:

Oh, and I’ll just add the following extra terms from the Facebook Terms of Service:

Section 3, Clause 5 is a nice one:

“You will not solicit login information or access an account belonging to someone else.”

Section 3, Clause 6 is arguable, depending on how insistent the interviewer is:

“You will not bully, intimidate, or harass any user.”

And Section 3, Clause 12 just ties it up in a neat bow:

“You will not facilitate or encourage any violations of this Statement.”

You don’t need to be a lawyer on this one: Interviewers asking you to log in to Facebook are in the wrong.

So there you have it. If you’re asked to give your Facebook login during an interview, you don’t have to, as you’re being asked to breach your agreement with Facebook under duress.

Thoughts so far about Blogilo… easy to setup, but the visual editor doesn’t like breaking out of blockquotes.  I think this post will require a bit of manual intervention from the wordpress interface…

Installing Amahi Linux on the Acer A340

July 23rd, 2010

Royksopp – A Higher Place

I recently moved house, to move in with my girlfriend. To make things simple, I sold my old HTPC (a first gen Mac Mini, slightly warmed over and with a 1TB external drive) and home theater to the mates whose flat I was departing.

This leaves me with nowhere to store the copious amounts of porn… errr… Linux ISOs that I download. I couldn’t be bothered building something from scratch, and really wanted something that was relatively simple for me to administrate and with low power consumption. Granted I could have chucked a spare Via Epia motherboard with a SATA card into a spare case and I’d have been pretty much done with it, or resurrected my Shuttle. Instead, I got a suave looking Acer Easystore H340 with 2x 1TB drives:

The first problem I have with it is that it comes with Windows Home Server, and I’m thinking of petitioning Acer for a cashback on that. Windows is dandy for gaming but for anything else… no thanks. Plus being a Linux admin I simply can’t and won’t allow that shit in my house (except, of course, for the woeful Vista that I tolerate on the girlfriend’s laptop). And on top of that you need to install management software on a Windows box to set it up, something my girlfriend quite fiercely would not allow. Windows, LOL:

So as a BSD guy at heart I checked out FreeNAS, and decided it was probably mismatched given the hardware specs, though ZFS capability is appealing (albeit basically useless in my case, with my 32bit restriction). Openfiler is much of the same. What I was really after was something that I could pretty much replace WHS with, while tying in with my current BSD and Linux work, as well as being able to hook in with my homebrew modified Wii. Then I found Amahi. It’s beta, it’s not perfect (i.e. I don’t agree with the use of MySQL in the Greyhole subsystem, I’d prefer Postgres for anything where security of data is involved) but it’s pretty damned promising.

Ok, so here’s how I installed it. Windows heads at this point need to realise that Linux has a hidden strength – the ability to move a boot drive from PC to PC, and provided the hardware is friendly – i.e. the same architecture – it’ll just work ™. The same with Windows will tend to screw with the HAL and you’ll get BSODs.

First, I removed the boot drive and chucked it into a spare box, an Iwill XP4 Evo with a SATA card. As the specs of the Acer are conservative (Intel Atom, 2G of memory), I went with the 32bit version of Amahi. (Also note: At the end of the post I show how you can modify a PCI-E x16 graphics card to run at PCI-E x1. You could just do that and install Amahi straight on to the A340. The instructions I give won’t work, but they’ll give you a guideline. Standard disclaimers, YMMV, etc. apply)

Then I followed the instructions written by a no doubt devilishly handsome fellow on the Amahi forums. (Hint: it was me!)

Then, with Amahi booted and running, I issued the following command:
rm /etc/udev/rules.d/70-persistent-net.rules

Then I vi’d /etc/sysconfig/network-scripts/ifcfg-eth0 and removed the HWADDRESS line, and edited ONBOOT=no to read ONBOOT=yes.

We do the above so that when Amahi next boots, it will pick up the first ethernet interface and assign it the device name “eth0”. If you’re after a more descriptive explanation, look up udev on Google. Then I issued a halt, waited for the Iwill box to power off, then I plugged the boot drive into the Acer box, which I then fired up. Et voilà!
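The same boot-drive preparation as a POSIX sh script, an added example rather than anything from the original post or the Amahi project. It assumes the stock RHEL/Fedora ifcfg format, where the MAC-pinning key is spelled HWADDR (the post calls it HWADDRESS, and both spellings are stripped), and it takes the mount point of the drive so the edits can be made while the drive is still in the old box.

```shell
# Added example, not from the original post. Prepares a Fedora/Amahi boot
# drive so that whatever NIC the new host has comes up as eth0 at boot.
# Assumption: ifcfg files use the RHEL/Fedora KEY=value format.

# prepare_ifcfg <ifcfg-file>: drop the MAC pin, force ONBOOT=yes.
prepare_ifcfg() {
    f="$1"
    tmp="$f.tmp.$$"
    # 1. delete any HWADDR= line (HWADDRESS= as well, to match the post)
    # 2. rewrite whatever ONBOOT= value is there to yes
    sed -e '/^[Hh][Ww][Aa][Dd][Dd][Rr]\([Ee][Ss][Ss]\)\{0,1\}=/d' \
        -e 's/^[Oo][Nn][Bb][Oo][Oo][Tt]=.*/ONBOOT=yes/' "$f" > "$tmp"
    # 3. a file with no ONBOOT line at all gets one appended
    grep -q '^ONBOOT=yes$' "$tmp" || echo 'ONBOOT=yes' >> "$tmp"
    mv "$tmp" "$f"
}

# ifcfg_ok <ifcfg-file>: 0 when no MAC pin remains and ONBOOT=yes appears
# exactly once, i.e. the file is in the state the post describes.
ifcfg_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -qi '^HWADDR' "$f"; then return 1; fi
    [ "$(grep -c '^ONBOOT=yes$' "$f")" -eq 1 ]
}

# migrate_boot_drive [mount-point]: remove the persistent-net rule (udev
# regenerates it on the new box for the NIC it actually finds) and fix
# ifcfg-eth0. With no argument it edits the running system, as the post does.
migrate_boot_drive() {
    root="${1:-}"
    rules="$root/etc/udev/rules.d/70-persistent-net.rules"
    ifcfg="$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    rm -f "$rules"
    prepare_ifcfg "$ifcfg"
}

# Usage: sh prep-drive.sh /mnt/amahi-root   (hypothetical mount point)
if [ -n "${1:-}" ]; then
    migrate_boot_drive "$1"
fi
```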

Now for some advanced tips:
1) You’ll notice the LEDs aren’t right. Do this (adjusting to suit, e.g. get the latest version from here):

yum -y install gcc-c++ libudev-devel
cd /tmp
wget http://bitbucket.org/adaptation/mediasmartserverd/get/5654cec4f4d1.zip
unzip 5654cec4f4d1.zip
cd mediasmartserverd/ && make
mv mediasmartserverd /opt
chmod 755 /opt/mediasmartserverd
echo "# start our led daemon" >> /etc/rc.local
echo "/opt/mediasmartserverd -D" >> /etc/rc.local
/opt/mediasmartserverd -D

2) To add another drive, use cfdisk followed by mkfs.ext4 /dev/sdb1, followed by hda-diskmount. This may require some prerequisite installs:

yum -y install pmount fuse fuse-libs ntfs-3g

3) … probably more to come!

Now, this wasn’t without its issues. But only because of my own stupid fault – I thought I’d shorted the debug jumper but I’d actually shorted the CMOS clear jumpers. FAIL. This set the BIOS date back to something like 2007, Fedora was then complaining about file timestamps being way out of whack and it was subsequently demanding a fsck.

A permanent fix may exist in Network Console on Acid, but for now I had to get the headless Easystore some VGA capability. Balking at the $200 cost and lead time of a debug card, instead I went to a local PC store and petitioned them for any cheap/faulty PCI-E video cards they might have. They sold me a GeForce 8500GT with a dodgy HSF for NZD$30, little did they know that I had a plan.

A couple of drops of sewing machine oil in the bearings sorted out the HSF. I then used my hand nibbler and cut it physically to x4, but that didn’t work. So with some electrical tape I knocked it back to 1x, and that did work. Along with a USB keyboard, I was then able to see that the drives needed a fsck and sorted that out. In the future I’ll pick up a cheap low profile card and make this a permanent addition to the box.

So, that’s it for now. I’ll no doubt update this post and any subsequent ones, but hopefully this helps, and good luck if you decide to try out Amahi :)

And for good measure I’ll say it again: ALL STANDARD DISCLAIMERS APPLY! I’m all care, no responsibility. :)

Sorry commenters… blame the spammers

July 23rd, 2010

Eclipse – Pink Floyd

I’ve had to crank up the requirements to post a comment here, it looks like the spammers are going nuts :(

Steve Jobs: X marks the spot

July 17th, 2010

Steve, you marked the spot with an O, not an X.



