Sunday, June 21, 2015

Acer Chromebook 15 external drive encryption & other solved problems

I have two important things that I cannot do on ChromeOS, so I have had to install Ubuntu via Chrubuntu: OpenVPN and encryption. Chrubuntu isn't going to be supported after the C720. Crouton is basically the ChromeOS kernel allowing you to install Ubuntu software, so it didn't work, just like ChromeOS. Now solutions to both are available and I can move on to the cloud.

The easier one is encryption of an external drive. Last time I tried ecryptfs on ChromeOS it didn't work. I had only seen questions, and nobody said they had worked it out, until I found one guy who did the same as I did but had it working. I don't know which model he used. So I did it and it worked. Of course you need to be in developer mode so you get a proper Linux shell.

So it's the same as in Ubuntu or any Linux, I suppose:
#mount -t ecryptfs .encryptedfolder decryptedfolder
I like to keep the encrypted files separate and hide that folder. Use all the default parameters and it will be fine, or just remember what parameters you used when you encrypted. On the first mount, ecryptfs will warn that you may have mistyped the passphrase and offer to save something (the key signature) so it can check next time. You have to say no for it to work: the directory it writes to doesn't exist in ChromeOS, or the permissions aren't right, so if you say yes you get an error and the mount fails. That's it. I saw all my old encrypted files on the USB drive. If I get hold of my old developer-mode C720 I will try it again.
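As an added example (not from the post), here is how I would script that mount from the developer shell so the parameters are pinned instead of remembered. The option names are mount.ecryptfs's own: the four ecryptfs_* values are its interactive defaults, and no_sig_cache skips the signature-cache prompt that fails on ChromeOS. The two paths and the marker file are assumptions; the marker replaces the typo check that the signature cache would normally give you.

```shell
#!/bin/sh
# Added example: mount an ecryptfs folder from an external drive on ChromeOS
# with explicit options. Paths are assumptions; adjust them to your drive.
set -eu

LOWER="${LOWER:-/media/removable/USB/.encryptedfolder}"        # ciphertext (assumed path)
UPPER="${UPPER:-/home/chronos/user/Downloads/decryptedfolder}"  # cleartext view (assumed path)
MARKER=".mounted-ok"   # constructed marker file name, written on the first mount

# mount.ecryptfs's interactive defaults, written out so a later mount cannot
# silently pick different parameters. no_sig_cache disables the
# ~/.ecryptfs/sig-cache.txt check that cannot be written on ChromeOS.
ecryptfs_opts() {
    printf '%s' "key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache"
}

# Both directories must already exist; mount will not create them.
check_dirs() {
    [ -d "$1" ] && [ -d "$2" ]
}

# Without the signature cache there is no protection against a mistyped
# passphrase: the mount succeeds, file names still show (they are not
# encrypted here), but contents read as I/O errors, and anything new would be
# written under the wrong key. So read back a marker written on the first mount.
#   $1 = decrypted view, $2 = ciphertext folder
marker_ok() {
    if grep -qx ok "$1/$MARKER" 2>/dev/null; then
        return 0                        # marker decrypts: passphrase is right
    elif [ -z "$(ls -A "$2")" ]; then
        echo ok > "$1/$MARKER"          # brand-new folder: create the marker
        return 0
    fi
    return 1                            # existing data but marker unreadable
}

mount_private() {
    check_dirs "$LOWER" "$UPPER" || { echo "create $LOWER and $UPPER first" >&2; return 1; }
    mount -t ecryptfs -o "$(ecryptfs_opts)" "$LOWER" "$UPPER"
    if ! marker_ok "$UPPER" "$LOWER"; then
        echo "marker unreadable: probably a mistyped passphrase, unmounting" >&2
        umount "$UPPER"
        return 1
    fi
}

umount_private() {
    umount "$UPPER"
}

case "${1:-}" in
    mount)  mount_private ;;
    umount) umount_private ;;
    *)      echo "usage: $0 mount|umount" ;;
esac
```

Run it as root from the shell with `mount` or `umount`; mount.ecryptfs still prompts for the passphrase, but nothing else, and a wrong passphrase now unmounts instead of leaving a half-readable folder.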

Now for the VPN. You have to find a provider that supports the subset of OpenVPN that ChromeOS demands. I settled for L2TP. It could be as secure as OpenVPN, but it is somewhat slower. The problem is that you have to log in first and then start the VPN, so somebody monitoring you at your ISP knows your email address. Maybe the login credentials are encrypted, but Google has your clear IP anyway, tied to your email ID.

SSH on ChromeOS works and you can use it as a proxy before you log in to Google. But I can't find SSH providers. My VPN provider once supported SSH but now they advise against it. So I ran OpenVPN on my DD-WRT router: log in to Google, stop the router VPN, and start the L2TP. You don't want to run OpenVPN on the router all the time, because the processor is not as powerful and all the traffic is encrypted. Ideally one SSID should be the VPN channel while the others are clear. Nothing from the net works, or I don't understand a bit of it. Establishing a VPN with PrivateInternetAccess is already an achievement. It will be a story for another day.

I would have settled for hiding some less important files, but with a simple option in the file manager the hidden files can easily be seen. Windows does not honor the dot, and neither does the TV. So I turned on the hidden flag of the USB drive partition. All OSes work except ChromeOS! It is Linux but ignores the hidden flag. So I created 10 hidden folders with 10 hidden folders inside each, and so on. I just need a link to the folder where the real things are. In Linux you just need a symbolic link inside your private directory pointing to the folder on the external drive. It's the same in ChromeOS, except that the Files manager doesn't show links!!! I thought of using the Chrome browser with the file:/// protocol. It's perfect, but the browser only knows how to handle file types that it knows. For x265 videos, the video player doesn't do anything. You can use the x265 player from the Chrome store, but you have to type a deliberately difficult path name every time.

Though the VPN steps sound complicated, being Linux, you can script it. ChromeOS even comes with the iconic vi editor! Without logging in or entering guest mode, you can ctrl-shift-right-arrow to get to a shell. Then run the script:
#ssh root@192.168.1.1 'sh /tmp/openvpn/start'
The start script is my custom persistent script on DD-WRT. There is also a stop script.

I think the C740 at 11" doesn't sell. It's the same C720 with a maybe 20% faster CPU? I could have got a new C720 for $150 on Black Friday last year. The new very cheap Chromebooks aren't options. The C720 is one of a kind with super performance for that price. Newer Chromebooks in the same class have a worse processor, worse screen and non-SSD storage. The reason to buy the Chromebook 15 is the full 1080p and better IPS screen. The processor is somewhat faster, just to be sure. Also, 2GB memory and 16GB storage never caused a problem for me, but double that for about $100 is a no-brainer, now that I'll be moving to the cloud and replacing my desktop.

The iCore option for the C720 and others is expensive. I looked at benchmarks in the past because I do video recoding from time to time. You can hire a fast machine at Amazon just to do that, but it takes time and money to move the video back and forth. Now I don't do recoding anymore, and I myself am the benchmark. The C720 meets all my needs and I don't need anything faster. And I won't go for anything slower.

One thing that surprised me is the H.265 codec. You can play mkv files on a Chromebook with that codec using the x265 app. But ... ! The app says the processor is not fast enough for real time! What? I just paid some $300! It seems fast enough, but I can see "artifacts" clearly on the screen, like a patch of bad or blurred skin. It's only 720p! Of course H.264 mp4 1080p videos play perfectly on all my Chromebooks, so I didn't expect that at all with a faster CPU. The CPU should be able to handle it. It's just that the app is not exactly native to Chrome, not sufficiently optimized, and the AC3 audio decoding is the weaker link. Fortunately there are few x265 videos around.

The other video thing is that nothing on ChromeOS plays wmv. People suggested running Android apps on Chrome. Some say it works, but not anymore for me.

Have you noticed that Google is killing Linux & Firefox, deliberately or otherwise? The Chromebook is good because there has never been a Linux portable at a reasonable price. It's a low-volume custom business. Ubuntu One and Firefox Sync can't compete with Google. Ubuntu One had to shut down. Firefox Sync for me stopped working all of a sudden, only to find out a lot later that they claim to have redesigned it. I never bothered trying it.

Ubuntu itself is breaking up. There have been constant updates for the same things over and over. I think they are struggling. But ibus still doesn't work for me. Basically I can't type if I am not using English. In a way you can regard Google input as the killer app for Google if you need any language other than English and similar European languages. At the least, I am not aware of any spell checker that keeps your custom dictionary in the cloud. Google doesn't do that as such, but in the form of intelligent input.

The newer versions of Ubuntu and Firefox are grinding to a halt on my older desktop (with an excellent monitor). Before that, using the Chrome browser was a bit of a hassle. But not anymore. Chrome is actually faster and crashes less on Ubuntu. Maybe I have too many extensions on Firefox, but I don't think it's the main cause. I think they are making the software fat with features to compete, bringing down performance on older machines in the process.


Thursday, March 5, 2015

In defense of the traditional side mirror adjustment

I wrote the last post as a supporter of the newer side mirror adjustment. I've been doing it for a while, but only partially. I didn't see much of my own car's back, and the traditional blind spot was reduced. I was doing OK until I discovered ultra-mini cars!

Since I had researched the newer blind spot elimination method, I was so sure, and therefore wrote the last post.

After going all the way, here are the problems I have, most of which weren't mentioned by the single guy who opposed the newer method.

For the old method, the rear mirror gives you a broad view of the situation. The centre view of the mirror is enough. For the new method, the extreme sides of the mirror are very important; that's where you see the cars right behind you before they appear in the side mirrors. The problem is, in most cars the rear mirror is partially blocked by headrests. It is worse at night, as cars become light spots at the four corners.

In the old method, you do not need the rear mirror to change lanes (though you have to check it first). In the new method, you do. If you see nothing in the side mirror, a car may still be moving fast into view. That is killing your neck and uses much more time. Imagine that I have a mile to cut through 8 lanes in an 80 mph traffic jam.

In the practical world, depending on which country you drive in, half of the drivers don't see your signal to change lane soon enough, 10% will let you through, while 40% will try to block you. Now you very much need to see the cars you are trying to pass. You have to continuously watch their reaction to your signals. They may accelerate, slow down to give you sufficient space, or do anything else as if you never signalled. In the new method, the best case is that you don't see anything in the side mirrors, and checking in that direction shows there's nothing in your blind spot. It's uncomfortable, like not watching your enemies.

In tight spaces, it's more comfortable to have a reference to your own car to judge whether you have sufficient space to pass, and you can see the other car as you are passing. The new method doesn't give you that; you see nothing.

For these reasons, I'm going back to the traditional method and looking for other ways to eliminate the blind spot to make changing lanes a pleasure. The problem with blind spot mirrors is that you don't want to glue something onto the mirror of your brand new sports car!

Friday, February 27, 2015

Blind spot elimination side mirror adjustment

There has been a newer side mirror adjustment to eliminate the blind spot for a decade now. There is one guy who is very vocal against it. I'm not sure if he is still that much against it or he just doesn't want to withdraw the articles he submitted to the internet.

I have this renewed interest because ... I'm horrified by the smallness of the new cars! Those two-seaters shorter than a Mini! Horrible! And often those drivers have insufficient confidence and use others as a speedometer, following you synchronously for miles in your traditional blind spot!

First, that guy assumes that if you flip left and right, that is all there is to it. No. I have to go home daily on an 8-lane freeway / motorway after dusk, in a traffic jam moving at over 80 miles per hour. I have to cut from the outermost lane 8 (carpool) to exit the freeway in about a mile. And many of the other "cars" are Humvee-sized SUVs with bright LEDs glaring into your side mirror. And they don't signal if they don't see the need to. When they signal, it means move over, I'm coming.

I have driven on several continents, and I experience all the international aggressive, incompetent driving styles on my way home.

That guy is not comparing apples to apples, and piles up all the reasons he can think of to support himself. This is obvious when he's talking about backing up! WTF! Now if somebody causes an accident on the freeway, it's not just a bump on the door, but a pile-up of biblical proportions at 80 MPH. Honestly, I haven't done parallel parking, or even reverse parking, for so long that I think I would fail any test. If you really need the side mirror for perfect parking, fine, but who cares. The car is mostly stationary and you have all the time to look around 360 without the side mirror. If you hit anything, it will be just a scratch.

I don't think he got the geometry right. I was looking for more scientific and geometric explanations so as to set the side mirrors perfectly. But YouTube users seem to have done a better job. Anyway, the new blind spot is a narrow triangle with your rear side door on one side, extending into the other lane. In theory, a short motorbike can hide in that zone. But practically, being in that zone at high speed is a death wish - extreme tailgating - and it doesn't depend on how your side mirrors are adjusted. If you want to pass right at the lane marking line, you would not stay in the dead zone and suddenly accelerate.

If he wants to talk about human nature, I'll tell you what: my wife never uses the side mirrors! And it's not just her. When driving tests are easy, the side effect is that you can pretend to check the blind spot without understanding what to look for. If you look over your shoulder without seeing anything, the examiner will give you a tick.

I can assure you that many drivers turn their heads to make sure that they don't cause an accident during a lane change. That's not bad when there's plenty of space ahead. But the problem is that people don't signal when they see the lane is free to take. So when you do everything right, and are in the middle of changing over, you will find that somebody in front of you is also moving over to the same lane from the other side, without signalling.

The traditional way isn't foolproof even if you do everything right. There is the pillar blind spot between the rear and front side windows. Practically, you can only see clearly cars that pass your rear side door. Small cars can still hide in the blind spot without being detected.

The guy talked about different cars, trucks, vans. This is rubbish. I don't even see the traditional way claiming to be one size fits all. I can't say about trucks, but it is your responsibility to see whether it works for your vehicle.

Yes, there are cheap blind spot elimination mirrors as add-ons. But the problem is, if you don't know how to set the side mirrors in any methodology, you are not going to be able to set these aids correctly, or even buy the right mirrors.

My wife will never let me see how she drives, to avoid me telling her what the correct, safe way is. She never adjusts the side mirrors - she doesn't know how to and she doesn't use them anyway. You may wonder what her driving instructor taught her. I think if your student is a total failure, you may want to teach her something that makes her feel her money was well spent. She talked about how to claim the lane for herself by out-manoeuvring other drivers, when she doesn't even know how to use the mirrors. Amen.

Some people obviously don't really understand the newer adjustment, or they didn't even try. Basically, for the traditional method, looking over the shoulder is vague. How far back an angle do you need? The newer method didn't claim that you don't need to look. A comfortable side glance over the shoulder guarantees that you won't miss anything. It makes the obvious more obvious. Hopefully my wife will notice something there even if she doesn't adjust the mirrors herself.

You can't change lanes using the side mirror alone. But that's not a fault of the method itself; it's transitional.

I saw a cyclist who is very much against it because they are often hit by car doors. I would say it's already a problem with the old method. For the newer method, if you bother to look, and you can't see your side door, you will find a way, like turning your head when the car is stationary. I don't see why you would want to overtake a parked car close along the kerb. Any passenger may hit you. For the driver-side door, I always make sure it is not opened into the oncoming traffic. Cars and cyclists are not any different. If you don't open the door all of a sudden, you should be able to catch anything moving with any proper adjustment.

That comes to the point of awareness all the time. The fact is, people often drive 4 hours or more at weekends, and over 7 hours on vacation. It's a good point, but you can't expect everybody to do it all the time. And there are also the drivers who follow you in the blind spot, so that if the cops are catching speeders, they will not be the first.

As for motorcyclists who can sneak around your car close at high speed, they already have a solution. 10 out of 10 have an exhaust louder than a siren. You just can't miss them.

Sunday, February 1, 2015

Parental control using DD-WRT

As I told you last time, I switched back to DD-WRT. The reason is that it is easier to go back to, and you can flash other third-party firmware from there.

Before I went to another firmware, I thought it over carefully because ... DD-WRT just doesn't work for MAC filtering. I went back to the stock firmware but the IP phone went dead! I'm not going to waste my time.

Also I have a rather complicated (and cheap) setup, with a client bridge to increase range, a powerline network to penetrate the walls into the garage, and a second old router to serve the corner rooms and use twice the bandwidth!

If I flash another firmware the IP phone may not work again, so I linger on DD-WRT a bit. The main problem is that the officially recommended version for my router isn't recommended by the community. This is well known, but I didn't know. How could I know? This is horrible. There's been no update all these years. Of course there's no motivation for the few guys in charge to update things several years old.

I flashed the community-recommended version and MAC filtering worked. Then I looked a bit more into whether I can do parental control effectively. The stock firmware and all the others like Tomato have easier-to-use GUIs, I suppose. DD-WRT is basically a complicated list of things it can do.

But how do I know what to do? I only know what I want - parental control. There are a lot of tutorials on the DD-WRT site, but I guess none on parental control. That's the problem. Parental control is actually complicated and open-ended, so you have to know exactly what you want in order to have a chance of finding the tutorials you need.

First, everybody has a few devices. I thought of adding host names to MACs before starting to manage them. But it couldn't be done, so I didn't even try to control anything for a long time. The stock firmware gave me the idea: to add a hostname you need to assign a static IP address. In DD-WRT, I never got the idea of linking a static IP to adding a host name to a MAC.

I have a few static IPs, but all are set up on the host side. It's rather different on the router side. Basically it can still be automatic (DHCP), but you can assign a static IP to any host MAC and label the host your way. You can mix the static and dynamic IP ranges. So if you just change the dynamically assigned IP to a static one, you get your host labelled. But this is not under the initial DHCP setup but under Services - DHCP Server - Static Leases. This should be in a newbie tutorial, otherwise how would I know? Depending on your browser, you just need to cut and paste the MAC. It is easy to guess the few unknown IPs remaining by eliminating one host at a time. Before that, the fastest way seemed to be looking at the MAC on the host, and typing the full digits into the access control box. Terrible.

Now that you have static IPs, it is just easier to use static IP access control rather than the MAC.

Now parental control starts, but it's never easy. You want kids to use OpenDNS and such, while parents have no limitations. But Google made it very simple to change DNS on Chromebooks. You can ban other servers, but then it's very inconvenient when you want superuser global access on that machine, to download and install something for example. Also if kids know how to change DNS then they might know how to change IPs etc.

The basic need is to have one SSID for restricted access and another for non-restricted access. I have seen this need time and time again, but it's not a simple switch in DD-WRT. Maybe it should be.

Also, if kids suddenly find that they need a banned website for homework, there should be a simple way to grant temporary access all by themselves over the phone, without needing someone to log in to the router and run some commands. OpenDNS used to take forever for the rules to update. Now it says a few minutes, but I doubt that. Immediate is better.

Interestingly, my stock firmware has one SSID and one extra for guests. DD-WRT can have as many virtual access points (SSIDs) as you want.

Unfortunately, for multiple SSIDs to work with different DNS, you need the terrible, horrible iptables commands. They seldom work, particularly if the poster says "something like this".

The tutorial that works is called "Multiple WLAN" in the DD-WRT tutorials. Each SSID is a WLAN (or sort of), and if you don't set up multiple of them, all the SSIDs will be bundled on the same WLAN, with the same DNS of course.

For DD-WRT, the interface vlan1 represents all the LAN sockets at the back of the router. (For older routers it may be called vlan0.) The eth1 interface is the physical access point (physical SSID). Each additional virtual access point (additional SSID) is given an interface wl0.1, wl0.2, etc.

By default everything should be on the same network, so vlan1 and eth1 are bridged into the br0 interface. You can see this under Setup > Networking. So iptables won't work on individual interfaces, since, perhaps, they are already bridged. Only the bridge interfaces will work. And when you separate the WLANs (or the SSIDs), the only easy way I see is building new bridges in the DD-WRT GUI. So everything will be bridged and there's no reason not to work on the bridge interfaces only.

The instructions for adding bridges are good and work. So I'll skip those and talk about the things you may need to do differently. By default you have

192.168.1.1 (network)      br0 (bridged ) = vlan1 (ethernet connections ) + eth1 (wifi)

If you add more VAPs (SSIDs), it will be
192.168.1.1    br0 = vlan1 + eth1 + wl0.1 + wl0.2 + ...

For me all the shit already set up, with static IPs and such, went through wifi eth1. (Powerline adaptors, client bridge and repeater.) So for me it's easier to separate the only LAN connection, the PC. So the first bridge I created is:

192.168.2.1  br1 = vlan1
You can only take out one interface at a time, unless perhaps using the commands. All the other interfaces will be left on br0.

I need one wifi VAP for adults, so
192.168.3.1 br2 = wl0.1

You may need another VAP for guests with different settings.

The iptables commands for forcing DNS work. You just need to pick the DNS address and bridge number. By default, hosts in different bridges (WLANs) cannot access each other. So I need to set br1 (my PC) to be able to access br0 (my router and all the shit). The iptables commands work, but cannot penetrate deep into the br0 subnet when I have client bridges, repeaters, and such.

Now when I need to give somebody unrestricted access, I can give them the password for a VAP without OpenDNS. I can take it back by simply changing the password or the SSID, or deleting it.

Now for more parental control, I can restrict the host IPs with a timetable, say no messaging on the phone after lights out.
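As an added example, not from the post or from the DD-WRT project, here is a script that puts the three firewall pieces described above into one place: forcing DNS on the kids' bridge, letting br1 (the PC) open connections into br0, and the timetable on one host. The bridge names follow the layout above; the resolver address (an OpenDNS public resolver), the phone's static-lease IP and the curfew hours are assumed values to change for your network.

```shell
#!/bin/sh
# Added example: DD-WRT firewall rules for per-bridge DNS, bridge access and a
# timetable. Without arguments it only prints the rules; "apply" installs them.
set -eu

KIDS_IF="br0"                 # bridge whose clients get filtered DNS
ADULT_IF="br1"                # bridge allowed to reach $KIDS_IF
KIDS_DNS="208.67.222.222"     # OpenDNS public resolver (assumed choice)
CURFEW_HOST="192.168.1.50"    # static lease of the phone (assumed address)

# Redirect every DNS query leaving $1 to resolver $2, UDP and TCP. A client
# that changes its own DNS setting (easy on a Chromebook) still lands on the
# filtering resolver, so there is nothing to "ban" on the device itself.
dns_rules() {
    printf 'iptables -t nat -I PREROUTING -i %s -p udp --dport 53 -j DNAT --to-destination %s\n' "$1" "$2"
    printf 'iptables -t nat -I PREROUTING -i %s -p tcp --dport 53 -j DNAT --to-destination %s\n' "$1" "$2"
}

# DD-WRT isolates bridges from each other by default. Let $1 start connections
# into $2 and let only the replies come back; $2 still cannot initiate into $1.
bridge_access_rules() {
    printf 'iptables -I FORWARD -i %s -o %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -I FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$2" "$1"
}

# Drop forwarded traffic from host $1 between $2 and $3. Two rules are used so
# the window can cross midnight without relying on the time match's wraparound.
# The match compares against the router clock, so NTP and time zone must be set.
curfew_rules() {
    printf 'iptables -I FORWARD -s %s -m time --timestart %s --timestop 23:59:59 -j DROP\n' "$1" "$2"
    printf 'iptables -I FORWARD -s %s -m time --timestart 00:00:00 --timestop %s -j DROP\n' "$1" "$3"
}

# -I inserts at the top, so rules printed later end up evaluated first:
# the curfew DROP sits above the bridge ACCEPT rules.
all_rules() {
    dns_rules "$KIDS_IF" "$KIDS_DNS"
    bridge_access_rules "$ADULT_IF" "$KIDS_IF"
    curfew_rules "$CURFEW_HOST" "22:00" "06:30"
}

if [ "${1:-}" = "apply" ]; then
    all_rules | sh -e
else
    all_rules
fi
```

Run it once without arguments, check the printed rules, then paste them into Administration > Commands and use Save Firewall so they come back after a reboot. Two caveats a practitioner would want: the DNAT only catches plain port-53 DNS, so a device using DNS over HTTPS/TLS or its own VPN bypasses it, and the time match in newer iptables builds compares against UTC unless --kerneltz is given, so test the curfew boundary once on the router itself.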

One more thing I wanted to do is to set up VPN on just one VAP. So I can switch VAP to get VPN instead of connecting and disconnecting the VPN server, which takes time. However, I found out that OpenVPN will be slow on the router just because the clock rate is a lot lower on the router. So it's not worth it.

But I wanted to protect my IP on the guest VAP. I can use a simple VPN as a proxy or full OpenVPN, because speed is not important. OpenVPN is always a little tricky. The servers may want to do it one way but the clients may do it differently. For example the Chromebook is seldom supported. Servers in the world are fairly standard, but clients behave differently - Linux clients and Windows clients are slightly but critically different on at least one point. It took me a while to figure out that servers push some options to clients, but that only works for Windows clients.

DD-WRT is tricky in a different way, so the instructions never work. Basically if the config files for Linux work, they should work for DD-WRT. However, since you cannot store or edit the config files at will, you need DD-WRT to help write the config files. But DD-WRT's help is not direct editing at all. You can't add more options (in my newer version) or delete options that DD-WRT forces on you. For example most servers use (and DD-WRT sets up) key files to log in, but some use username and password. So everybody goes their own half way but they do not meet up. It's a hindrance. If OpenVPN works with the right options, then there is the dreadful iptables that may or may not work.

Monday, January 26, 2015

DD-WRT overrated

DD-WRT was so overrated that when I replaced my broken wifi router I flashed it with DD-WRT and hoped to use the extra features one day. But just when I needed the features, they don't work or won't work out for me. I have been using DD for nothing.

DD may once have been useful. The firmware is basically written by the chipset makers. A few manufacturers can save a lot without hiring firmware engineers by using DD-WRT. Range extenders and repeaters once cost more than a router. Now everybody can get a cheap personal one and set it up all they like. Depending on your hourly rate, it isn't worth tweaking DD-WRT. Just buy the feature off the shelf. For the same reason, it isn't worthwhile finding good uses for old routers by putting DD on them.

Once, manufacturers started to add non-router features into routers, because it's a low-power, always-on internet device. This is no longer the case. People don't need file servers that much because of the cloud, like Dropbox and Google Drive. Also a router can't do encryption on the fly. A print server is absolutely obsolete because of Google Cloud Print. Once you could put a private digital telephone exchange into it. The only good reason was that you could have a free phone with Google Voice. Now that's gone. If you need a private exchange you had better buy a different box and save yourself a lot of trouble. Also with Android stick computers, set-top boxes, and internet-ready low-power devices like the Raspberry Pi, it's hardly needed to get into the router for anything.

There are major disadvantages to DD. First, it can't catch up with the chipset makers. There are only a few contributors to DD and they don't work together. A cost-reduced new version of a well-known router can use a totally different chipset, and the DD guys need months to support it, if ever.

I never knew the intended users of DD. It's absolutely not for home users, though you may find something useful in it. Home users don't need that many features and they need an easy UI to do it. System admins can't use it that much, because if they make use of the wide array of features, finding support for it is a nightmare.

To be specific, if you use OpenDNS for parental control, you need to set the DNS servers and then add a command elsewhere. So I never had control until I just happened to discover that I could access any URL I wanted on my kids' computer.

Even a couple of years ago, parental control on stock firmware became easy to use. You can find the MAC from current connections, give it a name and then set restrictions. You never need to look at the MAC on the device, nor type the MAC. And it's easy to change since you can recognize the name instead of the MAC. The so-called "simpler" DD-WRT alternatives such as Tomato all have that. As a home router you must have parental control and must make sure that average parents know how to set it with ease.

Version control of DD is a nightmare. Nobody cares what the features are. They only care about their router model. Instead of listing by models, they list by build. You can't just buy a router and look up the version for it. Each router has a recommended firmware version, but it's so outdated that the recommendation is not recommended.

For the same reason, each version/build has a feature matrix like 10x10. The only reason for that is because the memory size of routers is limited and varies greatly across manufacturers. So for the smaller routers you have about 10 versions to pick from depending on what features you want. Again, if they listed the versions suitable for a specific router, life would be easier.

The recommended version for your router isn't recommended, and that is not the worst. The worst is that it doesn't work. I set up a MAC filter restriction and it doesn't do anything. So I doubt whether it actually blocks all the protocols it claims to, or anything it claims.

For my story, I flashed DD to the new and old router. All was good because I don't need much. At the time I thought I might add a PBX, file server and BT downloader. Also a print server. Then I found out that actually the huge firmware that I flashed still can't do the job. I need optional extras. The situation is far, far worse than DD-WRT itself. There is the right way, and the right way takes two. And then you need older USB drives formatted exclusively for Linux. Nothing made sense to me so I didn't do anything. Just bought an overpriced older router for nothing.

But then it worked well, and so I thought I could get an extra old router for a few dollars and use up all the bandwidth and channels around my spacious house and yard with few neighbours. But then the same old router I bought has a different chipset than the one I have, and it has so little memory that DD-WRT can't even load on it. Nothing else can be flashed into it, except for a pure command-line interface.

Finally I needed to set up parental control, and then I found out that the officially recommended build doesn't work. Some say that MAC isn't reliable and some say that any other build should work. So after careful research, I decided to go with an improved version of the stock router firmware.

It's easy to flash. The UI is so much nicer, and the parental control is so much easier without typing the MAC. The problem is, my IP phone can't stay registered for long, meaning that I have no phone. My phone is connected to a wireless bridge, and there are a lot of other things connected to it too.

So I don't trust any improvements by outsiders. I reverted to the stock firmware and it was easy. But then the same situation happened. "Features" on the stock firmware got copied to the "improved" version.

Then I decided to try Tomato. They are actually not simpler, but feature-rich command-line OpenWrt plus a UI from the stock firmware. Then I found out that you have to use a Windows utility to flash it. Then I found out that it's easier to flash DD-WRT first and "upgrade" flash again to Tomato.

Then I decided to give DD-WRT another try and find out the actually recommended build. The flashing procedure doesn't work seamlessly. After almost bricking the thing, I succeeded in having DD again, though a slightly later version. The phone works again.

The MAC restriction works, but then those connections coming across the bridge don't, because the router doesn't see the original MAC. I can set the MAC restriction on the endpoint, the wireless access point that is just an old router. But this router can't give out IPs so it doesn't work for the MAC either. Hard luck.

I can try something else like OpenWrt with other UIs. But I think they will be the same for the MAC filter and my phone may not work again.

Now I have to rethink it again. The main thing is that repeaters can halve the bandwidth and don't work well across multiple walls. Dual band may be easier to partition, but the higher frequency band has less range. Increasing the power or a larger antenna is out of the question because of health concerns. Power is measured on a log scale. You have to double the power to have some effect, and 10 times is noticeable. Also, sometimes reducing the power works better because of multipath interference indoors. Those powerline extenders are good for penetrating walls, but they are less stable unless you never use those electrical sockets.