Category Archives: Linux

Ubuntu 16.04 on Dell XPS 13 9350 (Updated 11/24/16)

4 minutes, 52 seconds

Why upgrade?

After watching my shopmate get one, then seeing The Wirecutter recommend it (as of May 2016) and then seeing Dell upgrade it, I was very tempted to get a Dell XPS 13 and run Linux on it.

The straw that broke the camel’s back was seeing factory refurbished ones with 16GB of RAM, 512GB of disk, an i7, a Dell 1 year warranty and that gorgeous QHD+ resolution (3200×1800) for less than $1,300 on eBay (again as of May 2016). This is is about $700 off of retail for a comparably equipped machine (or a lot more). Though this ships with Windows 10, I figured I could install Ubuntu on it.

Ubuntu 16.04 install

Before pulling the trigger on eBay, I did a lot of reading on the forums about how to install over windows. Specifically, posts like this we’re key. I knew in the BIOS that I needed to turn off Secure boot and switch disk mode to AHCI. Further reading suggested that it might be a real uphill battle to get everything, hardware wise, working.

I’m happy to report that just about everything works under 16.04! I installed it after making an install image after USB boot drive from the .iso. The touch screen doesn’t work after suspend. I was hopeful that the xinput enable/disable trick might fix it, but no such luck just yet. Given that you can’t do single finger scroll and pinch to zoom when touch is working, I’m not too bummed about this.

I was very pleased to see that this cheap USB-C to DisplayPort adapter works great. Though it can’t quite do 4k (resolution shows in “Displays”, but my Dell won’t show an image), it will do all resolutions below that. It works on boot and after repeated hot swaps. The cheap USB to Ethernet adapter worked flawlessly as well, Handy times!

The other pleasant surprise was that the Broadcom WiFi/Bluetooth card also seems to just work under 16.04. Admittedly, I’ve just been using the WiFi with no problems and haven’t tested the Bluetooth.

The trackpad works as well as my MacBook Air trackpad did under 14.04. It looks like there’s some PS/2 vs Native twiddling that might improve palm detection, but I’m happy with it as is given it’s status quo for me.

Software and eBay

There’s a little hiccup with OwnCloud resetting after suspend or WiFi hopping, but this is nothing to do with the XPS 13, and everything to do with 16.04. As well, the version of KeepassX that ships with 16.04 no longer supports the old version 1 flavor of the password safe. It was high time I upgraded to version 2 anyway!

Finally, anyone want to buy an 11″ Air formerly running Ubuntu 14.04, but now with a clean install of El Capitan?

6/2/2016 Update

After having this laptop for a bit now and having made a few tweaks, I wanted to update this post. The first, and most important, change is that I found the Broadcom chip I mentioned above did not “just work”. Though strictly anecdotal, I found that the card had intermittent high packet loss on WiFi and was actually unusable when I went to use my Bluetooth mouse for a few hours. Swapping out the card it shipped with for the Intel 7265 802.11ac one, instantly solved all these problems. The Intal card may have caused WiFi to stop working just once after a bunch of suspend and resumes, but I can’t remember so it must not be that annoying ;)

Two notes on replacing the card: The first is that while the Amazon link cited for this is certainly the right price at $20.99 (as of Jun 6 ’16), it is a bit slow in shipping. The second is that you should totally use iFixit’s XPS 13 tear down guide as a how to for opening this laptop. As well, they cite the online Dell repair manual (pdf), if you want to reference that. And, yes, when iFixit says the bottom of the laptop takes more force to open than you think it should, they’re totally correct!

The other big change is that I installed TLP in hopes of improving battery life. Using the default config out of the box seems to yield good results. However, this is just anecdotal evidence again, nothing scientific.

Otherwise, the general update is that this laptop continues to rock. I use it about 3-10 hours a week, including some intense 4 hour work sessions at the cafe. For full dev environment I run two vagrant VMs on Virtual Box along with Chromium, Firefox and PHP Storm as my IDE. I’m pretty sure I could get 6-8 hours of battery life running these apps if I was conservative with the screen brightness. Some times when I resume it, I’ll see 14 hours remaining in the battery life. It almost always drops down, but still neat to see.

It looks like you can still get this bad boy on eBay for just under $1,400!

8/13/2016 Update

I’m still totally loving this laptop! Seeing my wife get more comfy with her laptop and it’s touch screen, I wondered if I could find a fix for mine under 16.04. After some searching around a found a fix that is…so simple it’s silly. Quickly close and open the lid:

close the lid just to enter suspend state, but then reopen it quickly, so that it stays in suspend state even when the lid is open. Then press power button to wake it up. Then the touchscreen works again!
– xps9350: touchscreen stops working after sleep

After testing this over the last 4 days, I can confirm it works. Coupled with the fact that the OS and Chrome/Chromium handle single finger scroll and pinch to zoom, I’m a happy camper! The icing the cake was finding the Grab and Drag plugin for FireFox. Though pinch to zoom doesn’t work, single finger scroll does. Handy times!

11/24/2016 Update

One my fine readers pointed out that the touch screen under 16.04 has been more properly fixed. This is awesome! This gist on github has all the info you need. Be sure you read the part about using uname -r to get your kernel and make sure it matches on the line that the script is hard coded against. For it it was 4.4.0-45, but for the original author it was 4.4.0-47. As well, it didn’t fully start working for me until a restart.

5/17/2018 Update

Almost exactly two years in and this laptop is still my daily driver! It’s been *super* stable and I’ve had no problems with it. I’m still on 16.04, despite 18.04 having just been released. Also, check out my latest post about USB-C accessories I’m using!

Let’s Encrypt TLS & A+ on SSL Labs

Leave a reply

1 minute, 23 seconds

As you may recall, around here we like our TLS, and we like it rare! I have no idea what “rare” means in the context of web encryption, but you know, that’s the way we like it! We also like it cheap! Even better than cheap (free) is open (libre)! So, put it all together, and you get Let’s Encrypt TLS certs on plip.com and related properties. Yay!

I saw the EFF/Let’s Encrypt crew speak at at DEF CON this past summer, and it was super inspiring. I’d already heard about the project, but it was that much more exciting to hear their talk. I was dead set on cutting over from my old CA, to the new, definitively open, one.

While I was in my server, I went and visited my fave site for secure web server configs, cipherli.st. The only option I can’t run is SSLSessionTickets, as it requires Apache 2.4.11 or later. We’ll get there later with an Apache upgrade.

Put this all together? You get a big fat A+ on SSL Labs. w00t!

Some caveats are that Let’s Encrypt is just in public beta, so there’s some still some kinks to work out. For example, I mistakenly tried to get a cert for a wildcard vhost (eg “*.foo.bar.com”). I got back an error:

An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
Please see the logfiles in /var/log/letsencrypt for more details.

So, while I shouldn’t have selected the domain to get a cert (Let’s Encrypt doesn’t do wildcard certs), the error was a bit cryptic. Fortunately the fine folks in their IRC channel (web IRC client – #letsencrypt @ Freenode to DIY) quickly pointed out to not use wildcards and that there was issue 1683 already open.

Awesome sauce, thanks Let’s Encrypt!

Using Git on Ubuntu with SSH Tunnels to Mac OS X Host

Leave a reply

4 minutes, 9 seconds

Intro & Prerequisites

Are you using Linux but cannot get your LT2P-IPSEC VPN hosted on your Mac OS X server working? Do you write code on your Ubuntu client and check into a git server behind your VPN? Maybe you should consider ditching the VPN client and using SSH tunnels instead. Really, this will work for any server that’s on the remote LAN that you have SSH access to, but in my case it was the same host as the VPN Server, a mac. As well, this can be any client as well, not just Ubuntu.

In all the notes below, any time you see “mrjones” or USERNAME, replace it with your username. Anytime you see an all caps computer name that’s SERVER_NAME.com, replace it your server’s name. The VPN server, SSH jump host and jump host are all the same.

You’ll need:

An SSH client you know how to configure. For OS X and Ubuntu clients, this is built in. For Windows you can use putty.
An SSH account the remote server which has access to your remote LAN you want to access.
An SSH public key you have put on on your ~USERNAME/.ssh/authorized_keys file on this same remote server.

SOCKS5

You can use SSH to create an SSH tunnel, specifically one that has dynamic ports and hosts as specified by the requesting app – aka a SOCKS5 proxy. To do this, you can use any local port above 1024, but I use 1080. It looks like this:

ssh -D 1080 mrjones@SECRET_DOMAIN.com

In your browser then, for example FireFox, you set up the proxy by:

Preferences -> Advanced -> Network -> Connection -> Settings
Choose “Manual Proxy Configuration”
In the bottom option for “SOCKS Host” put “127.0.0.1” and for port put “1080”

The benefit of setting up a SOCKS5 proxy is that your URLs are the same as if you were on the VPN. This means that when you copy and paste them into/out of IM chats and emails, they just work as opposed to having localhost in them or trailing, odd ports.

SSH Tunnels with agent forwarding

You may still need to SSH to a production machine via the remote server jump host. In order to do this and not have to re-federate your private key the SSH jump host (or generate a new private key on the jump host and then federate that out to the production machines), you can just do this:

ssh -A -t -l mrjones SECRET_DOMAIN.com ssh -A -t -l root SECURE_INTERNAL_SERVER.com

After running that you should have a prompt on SECURE_INTERNAL_SERVER.com as root. This assumes that you have your public on your *local* box added to the authorized_keys of the account your SSHing to on the remote most box (SECURE_INTERNAL_SERVER.com). This is a thing of beauty.

Checking code out with git over SSH

If you’re like me, you need to git clone for repos hosted on your stash/gitlab/whatever server which is only accessible on the VPN or LAN. You can do this with tunnels as well! For me, I use Stash professionaly, so instead of running this command to clone a repo:

git clone  ssh://git@STASH_SERVER.com:7999/path/to/repo.git

You can run this to add a tunnel to the stash host and then clone via a specialized host:

ssh mrjones@SECRET_DOMAIN.com -N -L 7999:STASH_SERVER.com:7999
git clone ssh://git@localhost:7999/path/to/repo.git

subsequent git commands like commit, pull, status etc. work with out modification transparently.

Pushing code with git over SSH

If you’re like me, you need to push using git via awesome git post-commit hooks. You can do this with tunnels as well! Instead of running this command to add your remote:

git remote add live ssh://git@PROD_WEB.com/opt/git/web.git

You can run this to add a tunnel to PROD_WEB.com and then add a specialized remote:

ssh mrjones@SECRET_DOMAIN.com -N -L 2200:PROD_WEB.com:22
git remote add live ssh://git@localhost:2200/opt/git/web.git

subsequent git commands to push new branches work with out modification transparently.

Side note, you can push specific tags using this syntax:

 git push live +TAG_HERE^{}:master

SSH Tunnel manager

DDG gSTM pic

Managing all these tunnels is a total pain. You could create a shell script to do it, but the cleanest way by far is to use a tunnel manager. For me on Ubuntu this gSTM (Gnome SSH Tunnel Manager). This allows you to, with one click, turn on and off all the tunnels listed above.

Caveats

Right now the biggest caveat with this set up is that *ALL* your web traffic goes over the VPN host (this is actually the same as when you’re on your mac based VPN). Further, your browser will not work *at all* with out the tunnels set up, even for any hosts (not same as VPN ;). Which means even if you want to use your browser for non-work when you’re not working, all your browser traffic goes through your VPN server.

As well, if you run a vagrant dev environment, you can not access your VMs via their local Virtual Box IP, as they’re not accessible from VPN server.

You can fix both of these issues by either using a different browser for non work/vagrant hosts or disabling the proxy by flipping it back to “no proxy” back in settings.

I believe that Foxy Proxy might solve this, but haven’t tried it yet!

MultiPressDev

1 Reply

0 minutes, 14 seconds

I’ve just released 1.0 of a github project that easily allows you to develop plugins across multiple versions of WordPress. It uses Vagrant to easily provision an Ubuntu Virtual Machine (VM) which is already running many versions of WordPress. Right now it only supports versions 4.2.1 (latest) and 4.1.4, but you should totally check it out!

MultiPressDev on Gitub

All HTTPS all the time, With HSTS to boot

4 Replies

1 minute, 54 seconds

I’ve been brushing up on my web security best practices recently. OWASP is a great resource for this! One of their recommended best practices is to use HTTP Strict Transport Security (HSTS). This involves redirecting traffic from unencrypted HTTP to HTTPS. However to ensure that no future Man in the Middle attacks happen with the redirect, it’s best to tell the browser to always go directly to HTTPS regardless of the protocol. This, in a nutshell is the HSTS solution.

I’ve updated plip.com and blog.plip.com to be served over exclusively over HTTPS. This is thanks to a *.plip.com wildcard certificate from Global Sign. After setting up Apache to use the certs on the SSL vhosts, I then needed to redirect all traffic away from HTTP. For plip.com, this was a simple Apache rule in the HTTP vhost:

# send everything to HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

And then for the blog.plip.com, iThemes had this codex entry about a simple plugin to rewrite HTTP to HTTPS, following the second option on their page. They do caution that this plugin might have performance drawbacks as you’re parsing every post on the fly. You can fix this if you’re running a caching system, like W3 Total Cache, which I am! W3TC recommends you fix slow HTTPS calls by enabling caching of HTTPS: Go to Performance -> Page Cache and check “Cache SSL (https) requests.” Easy peasy!

Now to add the HSTS to the HTTP header. For plip.com this is easy as I have a single PHP header file for the entire site. I just added this line:

header('Strict-Transport-Security: max-age=31536000');

For the blog, I extended the simple iThemes plugin by adding these lines:

add_action( 'send_headers', 'add_header_hsts');
function add_header_hsts(){
        header('Strict-Transport-Security: max-age=31536000');
}

Special thanks to the WordPress Codex on how to set headers as well as a random post over at Hakre on WordPress on how to format the HTTP header in PHP for HSTS.

Plip.com has absolutely zero affect on the big players, and the EFF would never care about giving me a report, but I’m scoring 4 out of 5 on EFFs encrypt the web report:

Plip doesn’t have a data center, but all connections for administration are encrypted.
Plip now, of course, supports HTTPS
Plip now supports HSTS
Plip does not support Forward Secrecy
As Plip uses Google Apps, it supports STARTTLS

Looking at what it takes to set up my ciphers, I’m still gonna shoot for getting a perfect 5 of 5!

Meego 1.2, Meego Laptop and a MacBook Air

1 Reply

1 minute, 40 seconds

As many of you know, I’ve had an on again, off again, and then on again affair with Meego. I love that lil’ guy! You may have expected me to be quite excited about the recent release of Meego 1.2, including a netbook refresh. Since I was running Meego on a netbook, you may have then also expected me to be super excited about the very recent announcement of the ASUS Eee PC X101. This is a 2lb laptop that runs Meego and is expected to cost $200. Sweet!

However, as you may have guessed from the title of this post, I’m not running Meego any more. I’m running OS X on a MacBook Air 11″. I had crossed the threshold of tinkering around on a laptop, to wanting to commute with one every day. Indeed, 2lb was my sweet spot for a laptop. I wasn’t that stuck on the OS as my apps are all cross platform enough. I seriously considered many different netbooks and then the MacBook Air came out. The 11″ was just over 2lb, included a full size keyboard, had a 1366 x 768 screen and a 5 hour battery. It was also insanely small. For a relative paltry $1000, there was simply no laptop, regardless of OS, that had had all of the above features. Period. Though I think the new Eee X101 will be very cool, it lacks the screen resolution of the Air. I briefly considered the Sony Vaio X (no longer available) which met all my requirements, but it was a pretty penny to pay for an Atom processor.

“But if you want something super light, what about a iPad?”, you ask? I do agree, an iPad’s insanely long battery life coupled with 1.3lb weight has some handy uses: a cross country plane ride, long regular commutes where you want to read the news and browse email or need a super light weight video conference rig. But what about when you want to run an IDE? What if you want to compose a 3 page (7,500 character) long email? What if you want to flip back forth between the 3 browsers you have open to check how your code renders? The answer is clear: you need a laptop.

I’ve been super happy with my Air and I wish the best of luck to Meego.

How to spam this blog

Leave a reply

1 minute, 40 seconds

As a follow up to last week’s post (How to comment on this blog), this week I bring you the results of the no-captcha test.

After much spam slipping through reCAPTCHA, I decided to nix a captcha all together. Originally I thought that just requiring a field via javascript and doing no server side checking would work. This was silly of me, of course. The spammers, having the source code of WordPress, would just blindly submit a comment to any post, bypassing any client side JS checks I had in place.

The fix was to create a field that was not known to spammers like the reCAPTCHA is. Further, if it is appended via javascript, then it is even harder to automate. I wrote the simple-math plugin (have a copy!) and implemented it as follow:

Turn off reCAPTCHA
Add a field via javascript
Ask a simple math question, validated in client side JS
Only validate that the field exists, not that the math is right, on the server side

The jury is, and I’m fully vindicated. Here’s the stats:

	Hits	Comment Attempts	Comment Succeses	Attempts per Visit	Defense Success Rate
Feb 6th-12th	1191	57	17	4.79%	70.18%
Feb 12 11pm – Feb 13 10am	58	20	13	34.48%	35.00%
Feb 13th-Feb18th	1204	132	0	10.96%	100.00%

#spamstats td, #spamstats th {padding:4px;margin:5px}
#spamstats td {text-align:center;}
#spamstats tr:hover {background:#ccc}

The important thing to note is twofold. The first is that the average number of raw hits (excluding me, yahoo and google) was the same week to week. Further, the number of attempts went up 200% of which 100% were thwarted (Defense Success Rate). Again, I suspect this is all possible because it’s not easy, nor worth while (it’s OK, plip isn’t a big blog, I know…sniff) to automate spamming against one off solutions like mine.

I should note that I used the free version of Splunk to garner the ad hoc stats for this post. As I was hemming and hawing on whether to count cookies or IPs or hits, it wasn’t worth while to use the old school command line style stats. Splunk scoffs at this level of stats and reporting. Really, it’s above it, but will happily crank out what you ask for it with ease. Here’s a purty graph:

Caveat Emptor: I work at Splunk.

Meego Redux: 1.1 Released

Leave a reply

1 minute, 33 seconds

If you recall, I fell in love with Meego a bit ago. Then, we broke up, and I left Meego for Ubuntu Netbook Remix (UNR). Guess what? Yup, just like the title of this post suggests, I’m back to Meego. Yesterday was their 1.1 release and the netbook flavor with Chrome is ready for the Live USB Key, easy install testing. I skipped over the live USB thing and cut right to the chase to install it over UNR.

I went to go install some of the key apps that I use and bumped into a few problems. I’ll sketch ’em out here in case any one else is an early adopter like me:

No more yum: Well, yum is still available to install, but it’s not there by default. Instead the fine folks at Meego are shipping ZYpper instead. Works just the same, but for the not so distro savvy nerds like me, I had to search around in the forums to figure what was what. Thanks physalis!
KeepassX: The next problem I found was that Keepassx’s download page had 404 links for the fedora packages. When I found that Fedora 12 page DIDN’T 404, I downloaded THAT version of KeepassX. Welp, that version didn’t like the current version of QT that ships with Meebo. Finally, I searched around and found a slightly out of date version at hany.sk
Dropbox: Nothing really tricky here. Their download page has a “Fedora (x86 .rpm)” package. For both KeepassX and Dropbox, it looks like this to install it :
sudo zypper install nautilus-dropbox-0.6.4-1.fedora.i386.rpm

For those keeping tabs, I did do a write up on configuring Meego mail and calendar which appears to all be the same in 1.1 as it was in 1.0. At first blush, it seems a little tricky to set up with Google Apps, where plip.com’s mail is, but we’ll hack away.

Next up: Installing Skype. Happy Meebo-ing!

Update: Skype installed no problem, and QT warning seems to be around fonts. A forum tip around font hinting worked wonders to make Skype and KeepassX look sharp (actually, look anti-aliased).

Jolicloud OS is just Ubuntu Netbook Remix

Leave a reply

0 minutes, 24 seconds

After seeing a post over on Engadget about the new Jolicloud, I decided to check it out. It quickly became apparent that it is just Ubuntu Netbook Remix (UNR) with a different skin and a nice Jolicloud app. Looking at some forum posts and the comments on the above Engadget link, my opinion isn’t too novel or new. What is dissapointkng is that Engadget fronts like this is something more amazing than UNR’s latest release, which I run and like.

Me? I’m waiting for Meego 1.1 which is expected to drop in October.

Google: gmail, mail and calendar sync with Meego Netbook (Google Apps Too!)

Leave a reply

0 minutes, 36 seconds

Recently a reader inquired about how to set up Meego to sync with gmail mail, calendar and contacts based off me mentioning I got it working. I use Google apps for mail hosting at plip.com, so this applies to both gmail and Google Apps (domains that use gmail for their email server). Settings are based off IMAP settings for Thunderbird.

Here’s the steps I took for a clean install of Meego (see matching screenshots below too):