Monday, October 22, 2007

New Gadget #13

My latest gadget is an update on a previously reported gadget.

This week I bought the latest and greatest Western Digital Passport external hard drive. A drive with a honking 250GB of space on it in the same packaging that my older 120GB and later 160GB drive used. In fact side by side with my prior 160GB drive you can't tell which is which:

Interestingly, they came out with this quick enough that they are still using the 160GB retail packaging with just a sticker over the 16GB on the front of the package. When I first looked at the back of the package (which listed only 120GB and 160GB) I was worried about a bait/switch from the retailer. However, that wasn't the case, it was a real deal.

The drive comes formatted with a FAT filesystem and has software for doing automated backups and synchronization with your primary hard drive. I immediately reformatted it for NTFS so I could use encryption and such on the drive. I don't need the backup or synchronization stuff as I use this drive as an extended primary drive rather than a backup drive. I use rsync to backup my system (including the WD drive) to my server regardless of my location (remote or at home).

Some who have used this device have complained about the fact that it sometimes won't work in their USB port. WD does document that it requires a full power USB port (though I can't find any documentation on exactly what is a full power USB port and how do you know you have one). I have had problems when I plug this device into some ports and found that on my laptop only one of the ports works reliably. Even the ports on my external powered hub are not sufficient to power the device alone. So when at home using the hub, I use a Y cable that grabs power from a second USB port to power the WD drive. I'm not sure where I got the cable, it was lying about in my USB cables collection, but WD does sell one.

The only other thing is that I suggest you buy the slipcase sold by WD to protect the drive when on the road. I had one lying about from my 160GB drive, so I just used that one.

Tags : / / / /

Sunday, October 21, 2007

Subversion end-of-line style

In my work with the Liberty Alliance, I'm the editor for several documents in the upcoming Advanced Client specification set. We use subversion as our source code revision control system.

Recently, when I was working on a new draft of the specs and committing a set of files that included a number of Visio drawings and the equivalent Encapsulated Postscript file images, I ran into problems. After all the files were uploaded during the commit, which failed with the error message:

svn: File "xxx.vsd" has inconsistent newlines svn: Inconsistent line ending style

A quick look at the file and I saw that the files had the typical windows line terminator CRLF rather than the UNIX typical LF. So I hand edited the file removing the CRs and tried the commit again. The same thing happened just with the next file in the list. So clearly this was going to go on for each file. So I did what any other UNIX weenie would do -- entered a one line shell script for loop on the command line using tr to delete the CRs in each file.

This got me past the problem and the commit succeeded. However, I was not totally satisfied as I wasn't sure that if they could be edited in Visio with these changes. So I dug a bit deeper into the problem looking into Subversion.

It turned out that subversion has attributes on files, one of which is "svn:eol-style". In this case, the files I was working with had gotten this attribute set to "native" which on the UNIX system I was on would be "LF". Not good for a file from Visio. I thought about changing the svn:eol-style to CRLF which would get around my specific problem at this time (until Visio changed their file format), but the better solution ended up being to just delete this attribute on the file with the following command:

svn propdel svn:eol-style *.vsd *.eps

Then I copied in the files from my Windows partition (where they still had the CRLFs) and committed the files without a problem.

Tags : /

Tuesday, October 16, 2007

Checking in too early

Like most airlines, United has, and strongly encourages the use of, an online check-in tool so that passengers can check-in for their flight before leaving home. This is seen as a win-win situation for everyone. United gets the user to do the manual labor of checking in and paying for the paper stock for printing the boarding pass while the user gets to avoid check-in lines at the airport.

I am a big fan of using this and typically check in near the limit of 24 hours before departure. I check in this early in part so that I don't forget to check-in in the mad rush out of the house on the day of my flight and in part so I can check to see if there's a better seat available at check-in.

However, this has led to one problem. On several recent flights, I was upgraded sometime between my early check-in and my departure for the airport. Because I was already checked-in in coach, I was unable to select a seat in the first class section. Theoretically I should be able to un-check-in and then re-check-in, or I should be able to get the customer service people to do the same for me, but neither worked and I had to wait till I got to the airport and the gate agent opened the flight at the gate (even the Red Carpet Club agents were unable to help me).

Moral of the story: If you're on the upgrade list, don't check in till you're close to leaving for the airport.

Update (10/21/07): Not learning from my own mistakes, I checked in around 11:30 PM the night before a flight to Tokyo as it appeared that there was no chance that it would clear before leaving for the airport in the morning (it was a 12:41PM departure). Of course, I was wrong and the upgrade cleared at 5:03 AM. But, since I was already checked in, I couldn't select seats in business class. Checking the site (by the usual trick of trying to purchase a business class ticket) showed that there were still 4 seats open including a coveted aisle seat (8D). By the time I got to the airport and checked in, the only seat left was 13E (a middle seat). Hopefully you'll learn from my mistakes better than I do.

Tags : / / /

Sunday, October 14, 2007

A broken Washer

This is a long story, feel free to just cut to the end.

A little over a year ago, we bought one of Sears top-of-the-line washing machines (the Kenmore Elite Oasis Canyon) for several reasons including that it was EnergyStar compliant while also being very large (so we could do our laundry in less loads while saving energy).

We really like the washer. It does a great job on our clothes, does it quickly, and does lots and lots of clothes at the same time, while also being very efficient at doing small loads.

However, we didn't like the fact that the thing just up and died mid-load with no sign of life in it. None of the lights were lit, none of the buttons did anything. On top of that, the lid was locked and there was nothing I could do to unlock it, so our clothes were stuck in there. Power cycling it did nothing (though I was able to use a meter to verify that it was not only getting power, but also consuming some small amount of wattage). Just in case you're wondering, no, the there was no surge on the line as the weather was clear (we're in the middle of a drought) and I have UPSs all over the house which beep like crazy for any power line problems -- none of that happened, so I'm pretty convinced it was not a surge.

Of course, the warranty was over (1 year) and, given that it was a top-of-the-line system I thought it wouldn't be necessary to buy the extended warranty (especially since they almost always are a waste of money). So the repair was going to be on us.

We called Sears Home Repair and they couldn't schedule someone to come out and fix the washer for 2 weeks. When he did get here, he determined that the electronics module behind the console was bad, ordered a replacement and scheduled someone to come out and install it (another 2 weeks later). This at a cost of $346.77.

The part came in a few days and since I didn't want to wait another week to get a working washer (we had already been to the public laundromat once) I tried to install it (something not all that unexpected if you read my blog). However, the cover over the board was screwed down with 3 screws and had 2 locking tabs. I was unable to get the locking tabs to release no matter what I did. I gave up and decided to wait for the repair guy to show up.

This past Thursday he shows and he had the same problem with the tabs and ended up cutting them off. After installing the board, the washer was still dead. He then said that the problem was most likely the main electronics unit (motherboard to the rest of us) and ordered one with "Emergency" delivery and scheduled a return visit the following week. He also noted that the replacement board was a different part and therefore they probably had fixed something in there. This at an additional cost of just under $300, bringing the total to $625.25. Needless to say I was NOT happy.

I poked around on the web and on Sears own site, found several people who had complained about this same exact failure just after the warranty expired. It seems like this was more of a general problem than a unique failure.

Armed with all of this information, I called customer relations and after about 40 minutes on the phone I was asked if they could call me back. I was hesitant because I was afraid of not getting a call and having to start over, but I went along with them. About an hour later, she called back and said that she had found that the electronics were covered by a 2 year warranty and the repair would cost us nothing (and she arranged for a refund of the initial charge on the first visit).

The part came in on Friday and since I didn't want to wait another week for a working washer, I decided to install it myself. This was a bit more complicated than the first board as it had many wires running about, but I took a few pictures so I could verify where all the wires should be and off I went. After about 15 minutes, the module was in, the washer was all back together and magic, I had a working washing machine. Of course, I was again proud of myself for doing the repair (though it was much easier than when I replaced the LCD on my camera).

One thing I did note once I had the washer working again: when I do a load a bleach load of whites on hot, steam comes out around the lid of the washer. Some of this steam could leak into the area with the electronics if the seals aren't tight enough. It was a similar load/settings on the washer when it died.

Things to learn from this

  • The squeaky wheel definitely gets the oil. It was only after calling and talking to 3 people at customer relations did I get to someone who magically said "oh, that should be covered by warranty". I do have to admit that I can't find any such warranty statement with the documents for my washer, but I'm happy to get the part fixed.
  • I was amazed about how little trouble-shooting was done on the phone prior to rolling a truck. Dell is a pretty good example for how to do this right, they will work quite well over the phone to figure out the exact problem to save a truck roll if possible. A little diagnosis over the phone and they would have known that the problem was with the electronics and could have sent the parts so that the unit would have been fixed the first time (note that Dell will even let you install the parts if you feel comfortable doing so -- which I've done several times for keyboards and such stuff).
  • Sears definitely has a problem with the electronics module for this unit. When something like that happens to a car, they do a recall, or they do a proactive warranty extension to keep their customers happy. Sears doesn't appear to be doing this and that's problematic given that they risk loosing a customer who is buying their top-of-the-line (probably widest margin) goods.
  • The lid-lock should release when power is removed from the machine. Having it stay locked like that meant that we were unable to remove our clothes from it until the repair guy came and took the machine apart (and the lid was still locked when he was done, but we did get our clothes out).

Update (10/21/07) - apparently things were not as well worked out as they appeared. The service guy still tried to come out to my house for the installation of the part even after I had twice called to tell them that I had installed the part and they had said something to the effect of "Cool, then no need for us to come out. I'll cancel the service call". The service guy said he still had to come out to collect payment. I told him that customer relations had said that this was a warranty repair as the electronics were warrantied for 2 years. He went off the check on this and called me back about a half our later saying that that was a parts-only warranty and that since I had installed it myself that voided the warranty and that I would have to pay both for the service call and the parts. I told them to give it a shot, but that there was no way in hell I was going to pay for this work. We'll see how this works out.

What I can't understand is how Sears is showing that they have no interest whatsoever in smoothing things over with a customer who has routinely purchased their top-of-the-line appliances. Ruining a relatitonship like that over $65 or so just doesn't make sense to me, but that's what they appear to want to do.

Tags : / / / /

Saturday, October 06, 2007

The Case for Federation and SSO

To date, the vast majority of real-world federation roll-outs have been internal or enterprise type deployments. Things like an enterprise authenticating its users out to an outsourced provider (such as a Fidelity 401K, or AOL's Radio Service). Yes there are many exceptions to this general statement (you can see many of them on Liberty's Adoption Page), but that is the general view of the industry and I certainly don't knowingly use federation in any cross-provider operations.

The time has come for federation and Single-Sign-On to be adopted in a more general fashion. I say this for many reasons and hope that the various vendors and providers out there will not be stubborn and/or resistant about it. I think this is valuable to parties that will wish to assert identity. I think this is valuable to the people who will accept identity federations and I think this is valuable to the users themselves.

When I say it is valuable to the user, I don't mean the often quoted "that way you can reduce the number of passwords you need to remember" -- though I still think that is a reasonable benefit. The real value for the user is that they will be able to share their data across multiple providers without the need to give their credentials to the other party.

Examples that already exist today include:

  • On LinkedIn, if I want them to pull my contact information from my contact book in several mail services (e.g. GoogleMail, HotMa il, etc.) I have to provide LinkedIn with my username and password on the mail service. LinkedIn logs in as me (either through their web interface and does screen scraping, or directly via an exposed web service) and extracts my contacts. Since I gave them my login information, I'm hoping that they don't do anything wrong with the data (like expose it), and that they don't mis-use the access to my account (e.g. sending spam in my name).
  • On Etrade, when I want to setup a new bank account for transferring funds from my Etrade account, one of the options provided is for ETrade to be provided with my username and password for online access to my bank account so that they can verify that I have control of the account and that it is in my name. Like LinkedIn, I'm hoping that they don't do anything wrong with the credentials while they have them (and in the case of ETrade, hoping that they do not store them like they claim they won't do).

I could go on with this list, but you get the idea. The user is already federating their data together across different providers. It's just in a very broken way that can lead to cascading security failures as any security failure at one site can lead to security failures at other sites.

With federation, I wouldn't need to give my credentials to LinkedIn. My mail provider could also differentiate the access provided (letting LinkedIn see the set of contacts that I chose to share with LinkedIn without being able to send mail in my name or being able to change contacts). LinkedIn could maintain that federation so that they could periodically check for updates. A break-in at LinkedIn would mean that someone could perform the same operations that I've already OK'd for LinkedIn -- get the data that LinkedIn already has -- so no additional exposure.

Why would GMail, HotMail, or even my bank, want to do this? First off, they are already doing it in an insecure way (I can always give my login credentials to the other party) and with the expanded access at their service. This would be a much better solution from a security and least priviledge point of view.

Another issue that might be raised with regards to the service providers is why would they want to expose a web service with this data. In many cases that's a new thing for them to do. But I think it's worth it becuase today, when they don't expose such an interface, theh other parties just walk though their standard user web interface and do screen scraping of the data -- I'm sure that data via a web page is more costly than exposing it through a programmatic web service.

Of course, LinkedIn would want to do this as they already do, but within the restricted capabilities of today that open them to some liability as well (should my data be misued at their site).

While I spoke heavily about LinkedIn in this post, this clearly applies to any and all cases where I want to do things across sites -- this is becomming more and more important in the Web2.0 world more interesting applications join togetether information from various parties. I can see how Dopplr would want to access my LinkedIn account to get my list of friends to pre-populate my traveling buddies rather than me having to establish new connections. I can also see how Dopplr would want to get access to my United Airlines itineraries so that they could auto-populate my trips.

The list goes on and on and it's a win-win-win for everyone, users and providers.

You might then have the decision as to what token format one should use for the federation and what web services structure one should use for the service access. I, of course, would recommend SAML and Liberty's Identity based Web Services Framework (ID-WSF), respectively, but that isn't as much the issue as is getting this up and running for the users.

You might notice that in this case, I haven't been advocating a large Circle of trust with centralized IdPs. Most of the examples I gave were point to point federations where, essentially, the relying parties and the IdPs were the same entity. The advantage with this model is that you have no need for extended business agreements so it's much easier to roll out. I do think that as more and more people start adopting and using this, it will be a natural evolution to environments where there are separated IdPs and Relying Parties, but we don't need to start there.

Tags : / / / / / / / / /

Wednesday, October 03, 2007

A painful Vista

My Dell Latitude D830 came with Microsoft Vista which, for the most part, has seemed like a prettied up XP without a lot of added useful functionality nor a substantial increase in stability. At the time I upgraded, I wrote that I was like so close to buying a Macbook Pro. I am sorry to say that I regret that decision even more today.

What got me to that stage? Well, it's a long painful path and to be honest, I'm not at the stage (yet) that I'm ready to just give in and replace my fairly new laptop.

The problems all started about 2 months after receiving the laptop. On July 14th, the day before I left for a trip to Shanghai, my email program (Thunderbird) locked up. When I restarted it, it still had problems and wouldn't pull mail from nfthe server, so I shutdown and restarted the computer.

During the reboot, the OS decided a chkdsk of the NTFS filesystem was necessary and it found and fixed many problems. When I got back to the running OS, all of the files that were actively open at the time I cleanly shutdown the system were gone. Totally gone. Not in the found.* directories (the NTFS equivalent of the UNIX lost+found directory).

Luckily I had the data backed up earlier that day as well as an offline backup on an external drive from a week before that. Since I was taking off for Shanghai, I copied both backups onto my system so I could pick the files (as I wasn't sure if the backup earlier that day wasn't corrupt as well).

I was able to get up and running again on my way to Shanghai without a problem and things were working fine. I assumed it was just some freak accident.

About a month later (mid-August) the same thing happened. This time I dug into it further and found that there had been a series of events in my event log (both then and back in July). It seems the problem starts with an NTFS event (which is flagged as an "Error" rather than a "Critical" event) with the event code of 137. The message from the event was extremely helpful... NOT!:

The default transaction resource manager on volume D: encountered a non-retryable error and could not start. The data contains the error code.

Microsoft's online help for the event was no help:

Results for: Microsoft product: Windows Operating System; Version: 6.0.6000.16386; ID: 137; Event Source: Ntfs;

No results were found for your query. Please see Search Help for suggestions.

Googling on "Default transaction resouce manager" found little results as well, but there was at least a possible link to another's problem. Apparently some had discovered that Acronis True Image had led to similar problems. I had installed Acronis Disk Director to reorganize my disk partitions, so I uninstalled it to see if that would alleviate the problem. And, of course, I did the same restoration process to get back all the lost files.

I did find one interesting discussion on resource managers in Vista, but that didn't provide any information that would help solve my problem.

Given that the error message just showed up in the event log (and in both cases, was close to 24 hours before the system crashed -- allowing me to open/use many files that disappeared), I added an event alert task which would send a message to the console should this error occur again. This is really important so that you can catch the problem as it starts, minimizing the potential damages.

Things went well for about another month and then it happened again in Mid-September, so it clearly wasn't the Acronis product. I was busy getting some heavy work done, so i didn't have the time to explore the problem other than to restore the files again.

About a week later, it happened again. This time it started going into an almost daily problem, sometimes happening again just after I had fixed things and ran chkdsk to fix the problems.

The pain had passed the threshold and I decided to do a total reinstall of the system. Prior to doing that, I did a complete backup. I copied my data files to a portable drive. I ran the extensive system diagnostics including the full suite of hard disk diagnostics to see if there was some form of a hardware problem. All diagnostics passed.

So, this past weekend, I reinstalled vista. I've been installing each of my former tools (there are many of them) and so far, so good. Given that this didn't turn up until I had had the computer for about 60 days the first time, I guess I won't know for sure if I've gotten around the problem till early Dec.

And, of course, I went and added the event task to generate a message should this occur again.

Wish me luck!

Tags : / / / / / /