OpenSolaris 2009.06 first impressions

I still run Solaris 10 (update 6) on my home server, but this might be the release that makes me jump to OpenSolaris, at least at home (Oracle 10g wouldn’t run on 2008.05 last time I tried at work). A few things I noticed:

  • xterm-color is finally recognized as a valid terminal type
  • It supports Apple’s Bonjour autoconf out of the box, which is helpful in dhcp-only environments

Microsoft at its scumbag tactics again

I seem to be late to this party, but one of the security updates for Windows XP (.NET 3.5) silently installs a Firefox plugin that:

  1. tells every web server you visit which version of the .NET framework you have, in my case

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

  2. allows websites to install software on your desktop using ClickOnce, a mechanism so abysmally stupid in its insecurity it gives ActiveX a run for its money.

Screen shot of the Microsoft .NET Framework Assistant add-on

The reason why Microsoft is doing this is to increase penetration of its also-ran Silverlight competitor to Flash for the 20-30% of Windows users who use Firefox instead of Internet Exploder. To make matters worse, the plugin uninstallation button is grayed out. A Microsoft staffer has published instructions on removing this on his blog.

This behavior is of course completely unacceptable. Perhaps Adobe will now join the line of Microsoft-bashers at the European Commission.

Update (2009-10-18):

Good news: Mozilla responded quickly to block this piece of malware. That should also disable Silverlight altogether. Two birds with one stone.

I decided to take action and wrote a letter (PDF) to EC Commissioner Neelie Kroes, apparently the only person in the world who has the cojones to confront Microsoft about its practices.

APIs for SSDs

I attended the OpenSolaris Storage Summit in San Francisco. Unsurprisingly, SSDs dominated the proceedings. Sun is touting its hybrid storage pool approach, where SSDs are used to accelerate the ZFS Intent Log (ZIL), a journal, and the L2ARC read cache, to get most of the benefits of SSDs without having to store an entire dataset in expensive SSDs. The presentations on the page are worth having a look into.

Andrew Leventhal commented on how using disk-oriented APIs to access SSDs makes as little sense as using cassette tape adapters to connect an iPod to a car stereo. Sure, it works, sort of, as a short-term compatibility mode, but you are not using the potential of the device. Fusion IO makes SSDs that are connected to the PCIe bus directly and get 5x better performance than the best SATA drive, the Intel X25-E, but it uses proprietary drivers. In one of the video presentations distributed in the conference, Andy Bechtolsheim mentioned he thought a memory channel model is a better fit for the hardware, as the block-device model and all the legacy assumptions behind it is holding back databases from using the full power of SSDs.

A modest suggestion – there is such an API available already: memory-mapped files. In an ironic full circle, an abstraction meant to simulate random access memory on rotating media is actually the best fit to the actual device characteristics. There are also obvious benefits such as DMA.

Why is enterprise IT so inefficient?

A few months ago, my former EuroNet colleague Niels Bakker was visiting SF. He works for AMS-IX, the Amsterdam Internet Exchange, which is the world’s largest by volume of traffic, and mentioned they work with a mere 25 employees.

Today, I was attending a presentation by Don MacAskill, the CEO of photo-sharing service SmugMug. He has 2 sysadmins managing well over 300 servers.

At the same time, you hear about the astronomical costs of corporate IT departments: data centers that routinely cost hundreds of millions of dollars, plethora of staff delivering pitiful results and systems that have user interface even a novice coder could beat in a single day of coding..

Why is this so?

You have the usual suspects:

  • Dysfunctional top-down corporate cultures, specially when decisions are made on political grounds, i.e. which vendor plays golf with the CIO (or CEO). Often the grunts on the ground know what needs to be done, but are defeated and dispirited by years of failing to budge the bureaucracy.
  • Use of poorly manageable software like Windows
  • A culture of fire-fighting that eschews automation.
  • Risk aversion leading to excessive redundancy. I still cannot understand how Red Hat gets away with its outrageous pricing on RHEL 7.
  • In most large corporations the concentration of financial responsibility in a separate department means most employees, including sysadmins, do not feel empowered or responsible for looking out for the company’s money. The bean counters, on the other hand, lack the knowledge required to find the cost savings.

One would think the new economic reality would force a reckoning. It would stand to reason that most companies would institute policies of procuring open-source software first, and only purchase commercial software on an case-by-case exception basis, with tough questions asked. This is still novel enough to make the news.

Parallelizing the command-line

Single-thread processor performance has stalled for a few years now. Intel and AMD have tried to compensate by multiplying cores, but the software world has not risen to the challenge, mostly because the problem is a genuinely hard one.

Shell scripts are still usually serial, and increasingly at odds with the multi-core future of computing. Let’s take a simple task as an example, converting a large collection of images from TIFF to JPEG format using a tool like ImageMagick. One approach would be to spawn a convert process per input file as follows:

for file in *.tif; do
  convert $file `echo $file|sed -e 's/.tif$/.jpg/g' &

This does not work. If you have many TIFF files to convert (what would be the point of parallelizing if that were not the case?), you will fork off too many processes, which will contend for CPU and disk I/O bandwidth, causing massive congestion and degrading performance. What you want is to have only as many concurrent processes as there are cores in your system (possibly adding a few more because a tool like convert is not 100% efficient at using CPU power). This way you can tap into the full power of your system without overloading it.

The GNU xargs utility gives you that power using its -P flag. xargs is a UNIX utility that was designed to work around limits on the maximum size of a command line (usually 256 or 512 bytes). Instead of supplying arguments over the command-line, you supply them as the standard input of xargs, which then breaks them into manageable chunks and passes them to the utility you specify.

The -P flag to GNU xargsspecifies how many concurrent processes can be running. Some other variants of xargs like OS X’s non-GNU (presumably BSD) xargs also support -P but not Solaris’. xargs is very easy to script and can provide a significant boost to batch performance. The previous script can be rewritten to use 4 parallel processes:

ls *.tif|sed -e 's/.tif$//g'|gxargs -P $CPUS -n 1 -I x convert x.tif x.jpg

On my Sun Ultra 40 M2 (2x 1.8GHz AMD Opterons, single-core), I benchmarked this procedure against 920MB of TIFF files. As could be expected, going from 1 to 2 concurrent processes improved throughput dramatically, going from 2 to 3 yielded marginal improvements (convert is pretty good at utilizing CPU to the max). Going from 3 to 4 actually degraded performance, presumably due to the kernel overhead of managing the contention.


Another utility that is parallelizable is GNU make using the -j flag. I parallelize as many of my build procedures as possible, but for many open-source packages, the usual configure step is not parallelized (because configure does not really understand the concept of dependencies). Unfortunately there are too many projects whose makefiles are missing dependencies, causing parallelized makes to fail. In this day and age of Moore’s law running out of steam as far as single-task performance is concerned, harnessing parallelism using gxargs -P or gmake -j is no longer a luxury but should be considered a necessity.

The value of over-the-counter service

My primary computer is a dual 2GHz PowerMac G5 until I can upgrade it with a Nehalem Mac Pro, most likely around the end of the year or early next year. I bought it in 2004, along with a 23″ Apple Cinema HD (the old pinstripe plastic bezel kind with an ADC connector). Unfortunately, about a year ago the CCFL backlight on the monitor started turning pink from old age, and thus unusable in a properly color-managed photographic workflow.

I used that as an excuse to splurge on a humongous (and agoraphobia-inducing) HP LP3065 30 inch LCD monitor after reading the glowing reviews. The two features that sold me were the enhanced color gamut (the only way to improve that would be to get a $6000 Samsung XL30, something I am not quite prepared to do), and the fact it has 3 built-in DVI ports, so it can easily be shared by multiple computers (assuming they support dual-link DVI, which unfortunately my basic spec Sun Ultra 40 M2 does not). The fact it was 25% less expensive than the Apple 30″ Cinema Display helped, of course.

About 6 months ago, I discovered there was a fine pink vertical line running across the entire height of the monitor, roughly 25 centimeters from the left. Since I primarily use that monitor for photo (the primary monitor for Mail, web browsing or terminals remains the Apple), at first I worried there was a defect with my camera. I managed to reproduce the problem with my MacBook Pro (they have dual-link DVI, unlike lesser laptops), and called HP support (the 3 year HP warranty was also an important consideration when I purchased).

My first support call in November 2007 went well, and the tech told me I would be contacted to arrange for an on-site exchange. This is a seriously heavy monitor and I did not relish the idea of lugging it back to FedEx, so getting premium support for a business-class monitor sounded an attractive proposition. Unfortunately, they never did call back, and as I had other pressing matters to attend to involving international travel, I just put it out of my mind (it is a very subtle flaw that is not even always visible).

I only got around to calling them back a few weeks ago. Unlike in November, I was given the run-around with various customer service reps in India until I was finally routed to a pleasant (and competent) tech in a suburb of Vancouver (the US dollar going in the direction it is, you have to wonder how much longer before HP outsources those call centers back to the US). The problem is not with Indian call centers, in any case, all but one of the CSRs were very polite (I suspect Indians learn more patience as they grow up than pampered Americans or Europeans would). The problem is poorly organized support processes and asinine scripts they are required to go through if they want to keep their jobs. In any case, the Canadian rep managed to find the FRU number and also told me someone would call to schedule an appointment. Someone did call this time, to let me know the part was back-ordered and they would call me when it becomes available.

This morning, as I was heading for the shower, my intercom buzzed. It was a DHL delivery man with the replacement monitor. I had to open the door to him in my bath robe. Naturally, nobody at HP bothered to notify me and had I left earlier, I would have missed him altogether.

One of the great things about Apple products is that if you live near an Apple store, you can just stop by their pretentiously-named Genius bars and get support for free (though not free repairs for out-of-warranty products, obviously). I now have a fully working HP monitor again, so I suppose I can’t complain too loudly, but the Apple monitor with the sterling support looks like the true bargain in hindsight.

Push recruiting

As I was debugging why feedparser is mangling the GigaOM feed titles, I found this easter egg on the WordPress hosted site:

zephyr ~>telnet 80
Connected to
Escape character is '^]'.
GET /feed HTTP/1.0

HTTP/1.0 301 Moved Permanently
Vary: Cookie
X-hacker: If you're reading this, you should visit and
apply to join the fun, mention this header.
Content-type: text/html; charset=utf-8
Content-Length: 0
Date: Thu, 20 Mar 2008 23:36:17 GMT
Server: LiteSpeed
Connection: close

Connection closed by foreign host.

Knowing how to issue HTTP requests by hand is one of my litmus tests for a web developer, but I had never thought of using it in this creative way as a recruiting tool…

Adobe “Creative” Suite 3, a mixed bag

I installed Adobe Creative Suite 3 on my home PowerMac and my MacBook (the license allows you to install it on two computers as long as they are not in simultaneous use). The only real reason I upgraded is to get a native Intel version. I have barely started using it already and I already have peeves:

  • Bridge looks butt-ugly, is even slower than before and with a more amateurish interface than ever
  • The install procedure is incredibly annoying and Windows-like. There is no justification for an install procedure that chokes if the beta was not uninstalled officially (although I have to give some brownie points due to the fact the cleanup script is written in Python).
  • The icons are aesthetically bankrupt. What kind of credibility does Adobe think it has with creative people with such an astoundingly lackluster effort?
  • Barely installed and already in need of software updates. The widespread availability of fast Internet connections is no excuse for shoddy release management or a “we’ll patch it post-release” mentality. Speaking of which, the only proper time to interrupt users with a software update dialog is as they are quitting the application, not by getting in the way of whatever task they are trying to get done by starting up the app.
  • Don’t clutter my hard drive with legal drivel in twenty different languages. It’s called “Creative Suite”, not “Boilerplate Suite”.
  • All the tie-ins to paid add-on services like Adobe Stock Photos or Acrobat Conferencing are incredibly obnoxious, just like those for MSN or .Mac.
  • JavaScript in Acrobat is a big security and privacy risk, and should be disabled by default.
  • On the plus side, thanks for making a “Design Basic” edition without all the despicable Flash garbage in it. I would actually pay more for the Basic version than for the supposedly premium one infected with Flash and Dreamweaver.

Update (2008-01-01):

It seems Adobe has also crossed a serious ethical line by building in spyware to track on whenever a user starts a CS3 application.

As far as I am concerned, this is the last straw and I will actively start looking for substitutes for Adobe products as soon as I return from my vacation.

Update (2008-01-02):

It seems Adobe does not collect the serial number after all. The apps should nonetheless never call on the Internet except possibly to check for updates. For people like myself who have static IPs, the IP address itself could be used to correlate the analytics with personal information.

Is Vista a piece of unalloyed garbage?

As far as I can see, the answer is yes.

About a month ago, my two-year old Windows PC game machine started crashing every two minutes in NWN2. This proved the last straw, and I decided to upgrade. One of the games I have, but seldom play is Oblivion, which is graphically gorgeous, but chokes on anything but the most powerful hardware at ordinary resolutions, let alone my Apple Cinema Display HD’s 1920×1200, and cutting-edge video cards are no longer available for the AGP bus in any case.

I looked around for packaged solutions from systems integrators, specialized gaming PC companies like AlienWare, and Dell. Contrary to conventional wisdom, it is still much cheaper to build a PC from components than to buy one from a major vendor, $1500 vs. $2500 minimum. Part of the reason is that the vendors flag anyone wanting the absolute best video card as a “cost is no object” customer, add all sorts of expensive components that make no sense in a machine that will only ever be used for games, like fancy DVD burners or flash card readers to jack up the profit margins. As if anyone in his right mind would use a Windows computer for serious work like digital photography…

My configuration is the following: a relatively quiet Antec Sonata II case, an Abit KN9 Ultra motherboard, an AMD Athlon x2 5200, 2GB of Kingston DDR-800 RAM, a humongous nVidia GeForce 8800GTX video card, a 500GB hard drive and a basic DVD-ROM drive.

When it came to choosing the OS, after much trepidation I opted for Vista Home Premium because the 8800GTX is one of the few cards that support DirectX 10, which is a Vista-only feature. I knew Vista would embezzle half the processing power of one core in DRM code that is actually working against my interests, but then again nobody in his right mind would use DRM-ed formats, whether Microsoft or otherwise, to store their music library, so the damage would be limited. Also, Vista comes with “downgrade rights” which allow you to legally install the previous version of Windows.

Vista comes in an attractive copper-colored DVD that is actually quite elegant. Its color scheme is also far superior to the molten Play-Skool set monstrosity that is XP. When I started the Vista installer, I was pleasantly surprised by how quickly it dealt with hard drive formatting (the previous Windows I installed myself is Windows 2000, which will insist on a time-consuming full format instead of the quick format used by the XP or Vista installers). The good impression lasted for all of five minutes. After the inevitable restart to complete installation, the screen promptly dissolved into a scrambled red-and-white screen of doom (I did glimpse a blue screen of death shortly before it rebooted). The diagnostics were completely unhelpful, as could be expected. When the operating system cannot even install itself, you have got to wonder…

Dejectedly, I fished out a Windows XP install DVD. it would not accept the Vista serial number. So much for downgrade rights. Of course, since the package was now opened, no hope for a refund either. I ended up buying a copy of Windows XP, which installed without a hitch. Of course, I still had to install the video drivers, but it did not crash half-way through the install procedure. And Oblivion is now playable without agonizing stutters every two paces.

The 8800GTX is very recent hardware, which did not even have non-beta Vista drivers when I installed it, so I could understand the OS falling back to SVGA mode. There are no other really exotic components here, certainly nothing than XP SP2 could not deal with and therefore Vista should as well. The machine is also well within the recommended minimum configuration (although some experts now advise 4GB of RAM as a realistic minimum for Vista). Crashing during install, when a five year old OS like XP handles it just fine, is simply unacceptable in my book. Even Solaris 10 Update 3, an OS notorious for its limited hardware support, installed without a hitch. Despite the ten man-millennia Microsoft invested in this lemon, they apparently could not be bothered to test the installer.

Conclusion: unless you buy a computer with Vista pre-installed, avoid it like the plague until SP1 is out, just like Intel.

Post scriptum:

Actually, I would not even recommend a PC with Vista preinstalled, as it has terrible backward compatibility. It will not run Office 2000, which is what my company has, for instance. Joel Spolsky has an excellent article on how the new, bloatedly bureaucratic Microsoft lost its way by sacrificing backward compatibility on the altar of useless marketectures. Perhaps they are just trying to force-upgrade people to Office 2007. They should beware: unlike 2002, people have credible alternatives now.

Update (2007-08-30):

The paper about how Vista eats up CPU on DRM has been criticized by the generally reliable George You. My point about the inability to even install on a modern machine that XP has no problems with remains. In any case, having the operating system constantly eat up CPU on tasks I do not want it to, whether it is 7% or 100% of one core, is still morally no better than a parasitic botnet.

The operating cost of a home server

Like many people, I keep a server running at home 24/7. In my case, it’s an old but relatively quiet Compaq Evo D315 AMD Athlon XP2000 PC with 1GB of RAM, 750GB total disk space and running Solaris 10. It serves as my personal email server (Postfix and Dovecot), to run Temboz, and miscellaneous auxiliary services like DNS, SNMP or being a staging point for off-site backups via rsync. All in all, very light usage, less than 5% average CPU utilization.

I have a Kill-a-Watt power meter measuring the load on that shelf, and the server, along with other devices on standby power, consumes about 160W. At PG&E’s marginal rate of $0.13 per KWh, that comes to $180 a year, or half the cost of the machine itself. I am thinking of upgrading to a machine with 6 750GB or 1TB drives in a 4+2 redundant RAID-Z2 configuration for reliable backups (the current setup runs on ZFS for snapshots but has no provisions for drive failure). I will definitely look at power consumption more closely in my decision process

Update (2007-08-25):

I ended up getting a Sun Ultra 40 M2 dual-core AMD Opteron workstation with 6 additional Seagate 750GB drives. It is remarkably quiet and consumes only 160W, which is pretty good since it does have 7 drives spinning inside. ZFS benchmarks at 160MBps sustained disk I/O…

Inserting graphviz diagrams in a CVStrac wiki

CVStrac is an amazing productivity booster for any software development group. This simple tool, built around a SQLite database (indeed, by the author of SQLite) combines a bug-tracking database, a CVS browser and a wiki. The three components are fully cross-referenced and build off the strengths of each other. You can handle almost all aspects of the software development process in it, and since it is built on an open database with a radically simple schema, it is trivial to extend. I use CVStrac for Temboz to track bugs, but also to trace changes in the code base to requirements or to bugs, and last but not least, the wiki makes documentation a snap.

For historical reasons, my company uses TWiki for its wiki needs. We configured Apache with mod_rewrite so that the wiki links from CVStrac lead to the corresponding TWiki entry instead of the one in CVStrac itself, which is unused. TWiki is very messy (not surprising, as it is written in Perl), but it has a number of good features like excellent search (it even handles stemming) and a directed graph plug-in that makes it easy to design complex graphs using Bell Labs’ graphviz, without having to deal with the tedious pixel-pushing of GUI tools like Visio or OmniGraffle. The plug-in makes it easy to document UML or E-R graphs, document software dependencies, map process flows and the like.

CVStrac 2.0 introduced extensibility in the wiki syntax via external programs. This allowed me to implement similar functionality in the CVStrac native wiki. To use it, you need to:

  1. Download the Python script and install it somewhere in your path. The sole dependency is graphviz itself, as well as either pysqlite2 or the built-in version bundled with Python 2.5
  2. create a custom wiki markup in the CVStrac setup, of type “Program Block”, with the formatter command-line:
    path/ –db CVStrac_database_file –name ‘%m’
    • Insert the graphs using standard dot syntax, bracketed between CVStrac {dot} and {enddot} tags.
For examples of the plugin at work, here is the graph corresponding to this markup:
digraph sw_dependencies {

temboz [fontcolor=white,style=filled,shape=box,fillcolor=red];
python [fontcolor=white,style=filled,fillcolor=blue];
cheetah [fontcolor=white,style=filled,fillcolor=blue];
sqlite [fontcolor=white,style=filled,fillcolor=blue];

temboz -> cheetah -> python;
temboz -> python -> sqlite -> gawk;
temboz -> cvstrac -> sqlite;
python -> readline;
python -> db4;
python -> openssl;
python -> tk -> tcl;

cvstrac -> "" -> graphviz -> tk;
"" -> python;
"" -> sqlite;
graphviz -> gdpng;
graphviz -> fontconfig -> freetype2;
fontconfig -> expat;
graphviz -> perl;
graphviz -> python;
gdpng -> libpng -> zlib;
gdpng -> freetype2;


Another useful plug-in for CVStrac I wrote is one that highlights source code in the CVS browser using the Pygments library. Simply download, install it Setup/Diff & Filter Programs/File Filter, using the string _pathto/ %F. Here is an example of Pygment applied to itself:

#!/usr/bin/env python
# $Log:,v $
# Revision 1.3  2007/07/04 19:54:26  majid
# cope with Unicode characters in source
# Revision 1.2  2006/12/23 03:51:03  majid
# import pygments.lexers and pygments.formatters explicitly due to Pygments 0.6
# Revision 1.1  2006/12/05 20:19:57  majid
# Initial revision
CVStrac plugin to Pygmentize source code
import sys, pygments, pygments.lexers, pygments.formatters

def main():
  assert len(sys.argv) == 2
  block =
    lexer = pygments.lexers.get_lexer_for_filename(sys.argv[1])
    out = pygments.highlight
    block = pygments.highlight(
      block, lexer, pygments.formatters.HtmlFormatter(
      style='colorful', linenos=True, full=True))
  except ValueError:
  print unicode(block).encode('ascii', 'xmlcharrefreplace')

if __name__ == '__main__':

Troubleshooting Windows remotely

Unpaid computer tech support for relatives is not a popular topic among geeks. It is very much a reality, however, specially in Indian communities with extensive extended families like mine. Some of the griping is churlish considering all the favors your family cheerfully does for you, and we probably have it better than MDs who are constantly bombarded with requests for free medical consultations.

At first sight, I would be better off if my relatives had the good sense to ditch Windows and get a Mac instead, but that would in fact compound the problem because I would get even more calls for help from people who are having a hard time dealing with very basic issues on an unfamiliar platform. Mac OS X may be better integrated and secure than Windows, but contrary to popular opinion it is not that much less crash-prone. All computers are unnecessarily hard to use in the first place. I doubt very much the computer industry will mend its ways and put human-centered design first, more likely than not the problem will be “solved” by the progressive eclipse of generations born before widespread computing, the rest of us having perforce adapted to these flawed tools.

A big part of the problem is doing “blind” support over the phone where you don’t see what is going on, and often the person in front of the screen is not technical enough to know what is significant and how to give you a useful and actionable description of what is on screen.

To its credit, Microsoft added remote assistance functionality in Windows XP. Explaining to users how to activate it is a challenge in itself, however, and in any case you need another Windows XP machine to provide the support. I still run Windows 2000 in the sole PC I have (used exclusively for games nowadays) and it makes such a racket I am almost viscerally reluctant to boot it up.

The best solution is to use virtual network computing (VNC), a free, cross-platform remote control protocol originally invented by the former Olivetti-Oracle-AT&T labs in Cambridge, UK. I often use VNC to take control of my home Mac from my office PC or my MacBook Pro. Indeed, VNC is integral to Apple Remote Desktop, Apple’s official remote management product for large Mac installations. There are even VNC clients available for PalmOS and Windows CE so you could remote control your home computer from a Treo. Having VNC running on the ailing PC would allow me to troubleshoot it efficiently from the comfort of my Mac.

Unfortunately, there is still a chicken-and-egg effect. I once tried to get an uncle to set up UltraVNC on his PC and do a reverse SSH forwarding so I could bypass his firewall. It took the better part of an hour, and barely worked. Surely, there has to be a better solution.

One such solution is Copilot, a service from Fog Creek software that repackages VNC in a form that’s easier to use. It is somewhat expensive, however (although that can be seen as a feature if the people calling for help have to pay for it and thus have an incentive to moderate their requests).

Another one that shows some promise is UltraVNC SC, a simplified version of UltraVNC that is designed for help desks (here is a more friendly walkthrough). Unfortunately, it shows a very clunky dialog that makes sense in a corporate help desk setting, but is too confusing for a novice user, and it uses UltraVNC extensions that are not compatible with most other VNC clients like the one I use most, Chicken of the VNC.

In the end, what I ended up doing was to take the source code for the full-featured UltraVNC server, rip out all the user interface and registry settings from it, and hardcode it to open an outgoing connection to my home server on TCP port 5500. There isn’t anything on the server listening on port 5500 by default, but I can open a SSH connection to it from anywhere in the world and use SSH reverse port forwarding to connect port 5500 to wherever I am. This neatly sidesteps the problem of firewalls that block incoming connections.

The resulting executable is larger than SC, but still manageable at 500K (vs. 950K for the full version), and requires no input from the user beyond downloading it and running it, thus triggering all sorts of warnings. It’s not good practice to teach users to download and run executables, but presumably they trust me. After the VNC session is finished, the program simply exits (as evidenced by the disappearance of the UltraVNC eye icon from the toolbar

If you want to use a setup like mine, it’s easy enough for a technically inclined person:

  1. You could download my executable at, open it in a hex editor (or even Emacs), search for the string and overwrite it with the name of the machine you want to use instead (I left plenty of null bytes as padding just in case). Make sure you are overwriting, not inserting new bytes or shrinking the string, as the executable won’t work correctly otherwise.
  2. Or you could download the modified source code I used (UltraVNC is a GPL open-source project, so I am bound by the license to release my mods). Edit the string host in winvnc/winvnc/winvnc.cpp (you can also change the reverse VNC port from its default of 5500 if you want), and recompile using the free (as in beer) Visual C++ 2005 Express Edition and the Platform SDK. My Windows programming skills are close to nil, so if I could do it, you probably can as well.

To use the tool, put it up on a website, and when you get a request for help, SSH into the server. On UNIX (including OS X), you would need to issue the command:

ssh -R5500:

Please note I explicitly use rather than localhost, as the former is always an IPv4 address, but on some systems, localhost could bind to the IPv6 equivalent ::1 instead.

On Windows, you will need to set the reverse port forwarding options in PuTTY (or just replace ssh with plink in the command-line above). After that start your VNC client in listen mode (where the VNC client awaits a connection from the server on port 5500 instead of connecting to the server on port 5900). You can then tell the user to download the executable and run it to establish the connection.

Some caveats:

  1. The leg of the connection between the PC and the server it is connecting to is not encrypted
  2. Depending on XP firewall settings, Windows may ask the user to authorize the program to open a connection
  3. At many companies, running a program like this is grounds for dismissal, so make sure whoever is calling you is asking for help on a machine they are authorized to open to the outside.

I hesitated to make this widely available due to the potential for mischief, but crackers have had similar tools like Back Orifice for a very long time, so I am not exactly enhancing their capabilities. On the other hand, this makes life so much easier it’s worth sharing. Helping family deal with Windows will still be a chore, but hopefully a less excruciating one.

Update (2007-03-23):

You can make a customized download of the executable targeting your machine using the form below. Replace with whatever hostname or IP address you have. If you do not have a static IP address, you will need to use a dynamic DNS service like DynDNS or No-IP to map a host name to your dynamic IP address.

Gates opening new Vistas

Bill Gates announced yesterday he is progressively going to disengage himself from day-to-day participation in Microsoft over the next two years, to concentrate exclusively on his foundation. However questionable Microsoft’s business practices may be, they are no worse than Standard Oil’s. The Rockefellers or Carnegie bought social respectability by endowing institutions for the already comfortable. No matter what the IRS may claim, donating to places like Harvard in exchange for naming rights does not qualify as charity in my book.

In contrast, Gates’ humanitarian work has been remarkable — his money is comforting the truly afflicted of this world, like sufferers of leprosy or malaria. His example is highly unlikely to be emulated by Silicon Valley’s skinflint tycoons (Larry Ellison, Steve Jobs, I’m looking at you). The latter conveniently convinced themselves their wealth is due entirely to their own efforts, never to luck, or government funding in the case of the Internet moguls. This leads to the self-serving belief that they are absolved of any obligation to society or to those less fortunate (in both senses of the term).

This decision is not entirely unexpected. Microsoft has been floundering for the last several years, and has accrued severe managerial bloat, something the ruthless and paranoid Bill Gates circa 1995 would never have allowed to continue. There is remarkable dearth of insightful commentary on the announcement. My take is that the harrowing and humiliating process of the DoJ anti-trust trial proved cathartic and led him to review his priorities, even if the lawsuit itself ended up with an ineffective slap on the wrist.

Some equally interesting reading coming out of Redmond: Broken Windows Theory, an article by a Microsoft project manager on the back story behind the Windows Vista delay, with some really interesting metrics. Apparently Vista takes no less than 24 hours to compile on a fast dual-processor PC. It has 50 levels of dependencies, 50 million lines of code (one metric I personally find meaningless, as you can get more done in one line of Python than in a hundred lines of C/C++). His conclusion is that due to its scale, Vista could simply be structurally unmanageable. Certainly, the supporting infrastructure, as in automation tools, code and dependency analysis, project management et al. ought to be a project in itself of the same scope as, say, Microsoft Word.

When I worked at France Télécom in the late nineties, they were reeling from the near total failure of Frégate, a half-billion dollar billing system of the future project (another interesting metric: two-thirds of billing systems projects worldwide end in failure). The grapevine even devised a unit of measurement, the Potteau, after an eponymous Ingénieur Général (a typically French title with roots in the military engineering side of the civil service) involved in the project. One potteau equals one man-century. It is deemed the unit beyond which any software project is doomed to failure.

Vista involved 2000 developers over 5 years. That’s over 100 potteaux.

Put whiny computers to work

I have noticed a trend lately of computers making an annoying whining sound when they are running at low utilization. This happens with my Dual G5 PowerMac, the Dells I ordered 18 months ago for my staff (before we ditched Dell for HP due to the former’s refusal to sell desktops powered with AMD64 chips instead of the inferior Intel parts), and I am starting to notice it with my MacBook Pro when in a really quiet room.

These machines emit an incredibly annoying high-pitched whine when idling, one that disappears when you increase the CPU load (I usually run openssl speed on the Macs). Probably the fan falls in some oscillating pattern because no hysteresis was put into the speed control firmware. It looks like these machines were tested under full load, but not under light load, which just happens to be the most common situation for computers. The short-term work-around is to generate artificial load by running openssl in an infinite loop, or to use a distributed computing program like Folding@Home.

Load-testing is a good thing, but idle-testing is a good idea as well…

Taming the paper tiger

A colleague was asking for some simple advice about all-in-one printer/copier/fax devices and got instead a rambling lecture on my paper workflow. There is no reason the Internet should be exempted from my long-winded rants, so here goes, an excruciatingly detailed description of my paper workflow. It shares the same general outline as my digital photography workflow, with a few twists.


The paperless office is what I am striving for. Digital files are easier to protect than paper from fire or theft, and you can carry them with you everywhere on a Flash memory stick. As for file formats, you don’t want to be locked in, so you should either use TIFF or PDF, both of which have open-source readers and are unlikely to disappear anytime soon, unlike Microsoft’s proprietary lock-in format of the day.

TIFF is easier to retouch in an image editing program, but:

  1. Few programs cope correctly with multi-page TIFFs
  2. PDF allows you to combine a bitmap layer to have an exact fac-simile with a searchable OCR text layer for retrieval, TIFF does not.
  3. TIFF is inefficient for vector documents, e.g. receipts printed from a web page.
  4. The TIFF format lacks many of the amenities designed in a format like PDF expressly designed as a digital replacement for paper.

Generating PDFs from web pages or office documents is as simple as printing (Mac OS X offers this feature out of the box, for Windows, you can print to PostScript and use Ghostscript to convert the PS to PDF.

Please note the bloated Acrobat Reader is not a must-have to view PDFs, Mac OS X’s Preview does a much better job, and on Windows Foxit Reader is a perfectly serviceable alternative that easily fits on a Flash USB stick. UNIX users have Ghostscript and the numerous UI wrappers that make paging and zooming easy..


You should process incoming mail as soon as you receive it, and not let it build up. If you have a backlog, set it aside and start your new system, applicable to all new snail mail. That way the situation does not degrade further, and you can revisit old mail later.

Junk mail that could lead to identity theft (e.g. credit card solicitations) should be shredded or even better, burnt (assuming your local environmental regulations permit this). if you get a powerful enough shredder, it can swallow the entire envelope without even forcing you to open it. Of course, you should only consider a cross-cut shredder. Junk mail that does not contain identifiable information should be recycled. When in doubt, shred. Everything else should be scanned.

Forget about flatbed scanners, what you want is a sheet-fed batch document scanner. It should support duplex mode, i.e. be capable of scanning both sides of a sheet of paper in a single pass. For Mac users Fujitsu ScanSnap is pretty much the only game in town, and for Windows users I recommend the Canon DR-2050C (the ScanSnap is available in a Windows version, but the Canon has a more reliable paper feed less prone to double-feeding). Either will quickly scan a sheaf of paperwork to a PDF file at 15–20 pages per minute.


Paper is a paradox: it is the most intuitive medium to deal with in the short-term, but also the most unwieldy and unmanageable over time. As soon as you layer two sheets into a pile, you have lost the fluidity that is paper’s essential strength. Shuffling through a pile takes an ever increasing amount of time as the pile grows.

For this reason, you want to organize your filing plan in the digital domain as much as possible. Many experts set up elaborate filing plans with color-coded manila folders and will wax lyrical about the benefits of ball-bearing sliding file cabinets. In the real world, few people have the room to store a full-fledged file cabinet.

The simplest form of filing is a chronological file. You don’t even need file folders — I just toss my mail in a letter tray after I scan it. At the end of each month, I dump the accumulated mail into a 6″x9″ clasp envelope (depending on how much mail you receive, you may need bigger envelopes), and label it with the year and month. In all likelihood, you will never access these documents again, so there is no point in arranging them more finely than that. This filing arrangement takes next to no effort and is very compact – you can keep a year’s worth in the same space as a half dozen suspended file folders, as can be seen with 9 months’ worth of mail in the photo below (the CD jewel case is for scale).

Monthly filesThere are some sensitive documents you should still file the old-fashioned way for legal reasons, such as birth certificates, diplomas, property titles, tax returns and so on. You should still scan them to have a backup in case of fire.

Date stamping

As you may have to retrieve the paper original for a scanned document, is important to date stamp every page (or at least the first page) of any mail you receive. I use a Dymo Datemark, a Rube Goldberg-esque contraption that has a rubber ribbon with embossed characters running around an ink roller and a small moving hammer that strikes when the right numeral passes by. All you really need is a month resolution so you know which envelope to fetch, thus an ordinary month-year rubber stamp would do as well. Ideally you would have software to insert a digital date stamp directly in the document, but I have not found any yet. A tip: stamp your document diagonally so the time stamp stands out from the horizontal text.


Much as it pains me to admit it, Adobe Acrobat (supplied with the Fujitsu ScanSnap) is the most straightforward way to manage PDF files on Windows, e.g. merge multiple files together, insert new pages, annotate documents and so on. Through web capture OCR, it can create an invisible text layer that makes the PDF searchable with Spotlight. There are alternatives, such as Foxit PDF Page Organizer or PaperPort on Windows, and PDFPen on OS X. Since Leopard, Apple’s Preview app has included most of the PDF editing functionality required, so I take great pains to ensure my Macs are untainted by Acrobat (e.g. unselecting it when installing CS3). See also my article on resetting the creator code for PDF files on OS X so they are opened by Preview for viewing.


If you are storing a backup of your personal papers at work or on a public service like Google’s rumored Gdrive, you don’t want third-parties to access your confidential information. Similarly, you don’t want to be exposed to identity theft if you lose a USB Flash stick with the data on it. The solution is simple: encryption.

There are many encryption packages available. Most probably have back doors for the NSA, but your threat model is the ID fraudster rummaging through your trash for backup DVDs or discarded bank statements, not the government. I use OpenSSL’s built-in encryption utility as it is cross-platform and easily scripted (I compiled a Windows executable for myself, and it is small enough to be stored on a Flash card). Mac and UNIX computers have it preinstalled, of course, do man enc for more details.

To encrypt a file using 256-bit AES, you would use the command:

openssl enc -aes-256-cbc -in somefile.pdf -out somefile.pdf.aes

to decrypt it, you would issue the command:

openssl enc -d -aes-256-cbc -in somefile.pdf.aes -out somefile.pdf

OpenSSL will prompt you for the password, but you can also supply it as a command-line argument, e.g. in a script.


Backing up scanned documents is no different than backing up photos (apart from the encryption requirements), so I will just link to my previous essay on the subject or my current backup scheme. In addition to my external Firewire hard drive rotation scheme, I have a script that does an incremental encryption of modified files using OpenSSL, and then uploads the encrypted files to my office computer using rsync.

Retention period

I tend to agree with Tim Bray in that you shouldn’t bother erasing old files, as the minimal disk space savings are not worth the risk of making a mistake. As for paper documents, you should ask your accountant what retention policy you should adopt, but a default of 2 years should be sufficient (the documents that need more, such as tax returns, are in the “file traditionally” category, in any case).


The original question was about fax. OS X can be configured to receive faxes on a modem and email them to you as PDF attachments, at which point you can edit them in Acrobat, and fax it back if required, without ever having to kill a tree with printouts. Windows has similar functionality. Of course, fax belongs in the dust-heap of history, along with clay tablets, but habits change surprisingly slowly.

Update (2006-08-26):

I recently upgraded my shredder to a Staples SPL-770M micro-cut shredder. The particles generated by the shredder are incredibly minute, much smaller than those of conventional home or office grade shredders, and it is also very quiet to boot.

Unfortunately, it isn’t able to shred an entire unopened junk mail envelope, and the micro-cut shredding action does not work very well if you feed it folded paper (the particles at the fold tend to cling as if knitted together). This unit is also more expensive than conventional shredders (but significantly cheaper than near mil-spec DIN level 5 shredders that are the nearest equivalent). Staples regularly has specials on them, however. Highly recommended.

Update (2007-04-12):

I recently upgraded my document scanner to a Fujitsu fi-5120C. The ScanSnap has a relatively poor paper feed mechanism, which often jams or double-feeds. Many reviews of the new S500M complain it also sufffers from double-feeding. The 5120C is significantly more expensive but it has a much more reliable paper feed with hitherto high-end features like ultrasonic double-feed detection. You do need to buy ScanTango software to run it on the Mac, however.

Update (2009-01-21):

I moved recently, and realized I have never yet had to open one of those envelopes. From now on, all papers not required for legal reasons (e.g. tax documents) go straight to the shredder after scanning.

Update (2009-09-08):

The new ScanSnap 1500 has ultrasonic double-feed detection. I bought a copy of ABBYY FineReader Express for the Mac. It used to be only available as bundled software with certain scanners like recent ScanSnaps, or software packages like DEVONthink, but you can now buy it as a standalone utility. It is not full-featured, missing some of the more esoteric OCR functionality of the Windows version, batch capabilities and scripting, but works well, unlike the crash-prone ReadIRIS I had but seldom used.

Update (2009-09-22):

Xamance is a really interesting French startup. Their product, the Xambox, integrates a document scanner, document management software and a physical paper filing system. The system can tell you exactly where to find the paper original for a scanned document (“use box 2, third document after tab 7”). In other words, essentially the same filing system I suggest above, but systematically managed in a database for easy retrieval.

It is quite expensive, however, making it more of a solution for businesses. I have moved on and no longer need the safety blanket of keeping the originals, but I can easily see how a complete solution like this would be valuable for businesses that are required for compliance to keep originals, such as notaries, or even government public records offices.

Credit card receipt slips and business cards are problematic for a paperless workflow. They are prone to jam in scanners, have non-standard layouts so hunting for information takes more time than it should, and are usually so trivial you don’t really feel they are worth scanning in the first place. I just subscribed to the Shoeboxed service to manage mine.They take care of the scanning and for pouring the resulting data in a form that can be directly imported into personal finance or contact-management software. I don’t yet have sufficient experience with the service, but on paper at least it seems like a valuable service that will easily save me an hour a week.

Update (2011-01-13):

I finally broke down and upgraded to a ScanSnap S1500M (we have one at work, and it is indeed a major improvement over the older models). In theory this is a downgrade as the fi-5120C is a business scanner, whereas the S1500M is a consumer/SoHo model, but with some simple customization, the integrated software bundle makes for a much more streamlined workflow: put the paper in the hopper, press the button, that’s it. With the fi-5120C, I had to select the scan settings in ScanTango, scan, press the close button, select a filename, drag the file into ABBYY FineReader, select OCR options, click save, click to confirm I do want to overwrite the original file, then dismiss the scan detection window. One step vs. nine.

Update (2012-06-19):

For portable storage of the documents, I don’t bother with manually encrypting the files any more. The IronKey S200 is a far superior option: mil-spec security and hardware encryption, with tamper-resistant circuitry, potted for environment resistance and using SLC flash memory for speed. Sure, it’s expensive, but you get what you pay for (I tried to cut costs by getting the MLC D200, and ended up returning it because it is so slow as to be unusable).

How to show respect for your readers

Blogging is often seen as a narcissistic pursuit. It can be, but the best bloggers (that is not necessarily synonymous with the most popular) put their audience first. To do that, you need to know it first. Most blogs have three very distinct types of readers:

  1. Regular visitors who use web browsers and bookmarks to visit. If the page doesn’t change often enough, they will get discouraged by the lack of changes and eventually stop coming. You need to post often to keep this population engaged.
  2. People who come from a search engine looking for very specific information. If they do not find what they are looking for, they will move on to the next site in their list, then possibly linger for other articles and may eventually graduate to repeat visitor status. Closely related are people who follow links from other sites, pointing to yours.
  3. Those who let feed readers do the polling for them, and thus do not necessarily care how often a feed is updated. Feed readers allow for much more scalable browsing – I currently subscribe to 188 feeds (not all of them are listed in my blogroll), and I certainly couldn’t afford to visit 188 sites each day. Feed readers are still a minority, but specially for commercial publications, a very attractive one of tech-savvy early adopters. The flip side of this is a more demanding audience. Many people go overboard with the number of feeds and burn out, then mass unsubscribe. If you are a little careful, you can avoid this pendulum effect by pruning feeds that no longer offer a sufficient signal to noise ratio.

The following sections, in no particular order, are rough guidelines on how best to cater to the needs of the other two types of users.

Maintain a high signal to noise ratio

Posting consistently good information on a daily or even weekly basis is no trivial amount of work. I certainly cannot manage more than a couple of postings per month, and I’d rather not clutter my website with “filler material” if I can help it. For this reason, I have essentially given up on the first constituency, and can only hope that they can graduate to feed readers as the technology becomes more mainstream.

Needless to say, test posts are amateurish and you should not waste your readers’ time with them. Do the right thing and use a separate staging environment for your blog. If your blogging provider doesn’t provide one, switch to a supplier that has a clue.

Posting to say that one is not going to post for a few days due to travel, a vacation or any other reason is the height of idiocy and the sure sign of a narcissist. A one-way trip to the unsubscribe button as far as I am concerned.

Distinguish between browsers and feed readers

In November of last year, I had an interesting conversation with Om Malik. My feedback to him was that he was posting too often and needed to pay more attention to the quality rather than the quantity of his postings.

The issue is not quite as simple as that. To some extent the needs of these browser users and those who subscribe to feeds are contradictory, but a good compromise is to omit the inevitable filler or site status update articles from the Atom or RSS feeds. Few blog tools offer this feature, however.

Search engines will index your home page, which is normally just a summary of the last N articles you wrote. Indeed, it will often have the highest page rank (or whatever metric is used). An older article may be pushed out but still listed in the (now out of date) search engine index. The latency is often considerable, and the end result is that people searching for something saw a tantalizing preview in the search engine results listing, but cannot find it once they land on the home page, or in the best of cases they will have to wade through dozens of irrelevant articles to get to it. Ideally, you want them to reach the relevant permalink page directly without stopping by the home page.

There is a simple way to eliminate this frustration for search engine users: make the home page (and other summary pages like category-level summaries or archive index pages) non-indexable. This can be done by adding the following meta tags to the top of the summary pages, but not to permalink pages. The search engine spiders will crawl through the summary pages to the permalinks, but only store the permalink pages in their index. Thus, all searches will lead to relevant and specific content free from extraneous material (which is still available, just one click away).

Here again, not all weblog software supports having different templates for permalink pages than for summary pages.

There is an unfortunate side-effect of this — as your home page is no longer indexed, you may experience a drop in search engine listings. My weblog is no longer the first hit for Google search for “Fazal Majid”. In my opinion, the improved relevance for search engine users far outweighs the bruising to my ego, which needs regular deflating anyways.

Support feed autodiscovery

Supporting autodiscovery of RSS feeds or Atom feeds makes it much easier for novice users to detect the availability of feeds (Firefox and Safari already support it, and IE will soon). Adding them to a page is a no-brainer.

Categorize your articles

In all likelihood, your postings cover a variety of topics. Categorizing them means users can subscribe only to those of interest to them, and thus increases your feed’s signal to noise ratio.

Keep a stable feed URL under your control

If your feed location changes, set up a redirection. If this is not possible, at least post an article in the old feed to let subscribers know where to get the new feed.

Depending on a third-party feed provider like Feedburner is risky — if they ever go out of business, your subscribers are stranded. Even worse, if a link farm operator buys back the domain, they can easily start spamming your subscribers, and make it look as if the spam is coming from you. Your feeds are just as mission-critical as your email and hosting, don’t enter in an outsourcing arrangement casually, specially not one without a clear exit strategy.

Maintain old posts

Most photographers, writers and musicians depend on residuals (recurring revenue from older work) for their income and to support them in retirement. Unless your site is pure fluff (and you would not be reading this if that were the case), your old articles are still valuable. Indeed, there is often a Zipf law at work and you may find some specific archived articles account for the bulk of your traffic (in my case, my article on lossy Nikon NEF compression is a perennial favorite).

It is worth dusting these old articles off every now and then:

  • You should fix or replace the inevitable broken links (there are many programs available to locate broken links on a site, I have my own but linkchecker is a pretty good free one.
  • The content in the article may have gone stale and need refreshing, Don’t rewrite history, however, and change it in a way that alters the original meaning — better to append an update to the article. If there was a factual error, don’t leave it in the main text of the article, but leave a mention of the correction at the end
  • there is no statute of limitations on typos or spelling mistakes. Sloppy writing is a sign of disrespect towards your readers; Rewriting text to clarify the meaning is also worthwhile on heavily visited “backlist” pages. The spirit of the English language lies in straightforwardness, one thing all the good style guides agree on.
  • For those of you who have comments enabled on their site, pay special attention to your archives, comment spammers will often target those pages as it is often easier for them to avoid detection there. You may want to disable comments on older articles.
  • Provide redirection for old URLs so old links do not break. Simple courtesy, really.

Make your feeds friendly for aggregators

Having written my own feed reader, I have all too much experience with broken or dysfunctional feeds. There is only so much feed reader programmers can do to work around brain-dead feeds.

  • Stay shy of the bleeding edge in feed syndication formats. Atom offers a number of fancy features, but you have to assume many feed readers may break if you use too many of them. It is best if your feed files use fully qualified absolute URLs, even if Atom supports relative URLs, for instance. Unicode is also a double-edged sword, prefer HTML entity-encoding them over relying on a feed reader to deal with content-encoding correctly.
  • Understand GUIDs. Too many feeds with brain-dead blogging software will issue a new GUID when an article is edited or corrected, or when its title is changed. Weblogs Inc. sites are egregious offenders, as is Reuters. The end-result is that an article will appear several times in the user’s aggregator, which is incredibly annoying. Temboz has a feature to automatically suppress duplicate titles, but that won’t cope with rewritten titles.
  • Full contents vs. abstracts is a point of contention. Very long posts are disruptive on web-based feed readers, but on the other hand most people dislike the underhanded teaser tactics of commercial sites that try and draw you to their website to drive ad revenue, and providing only abstracts may turn them off your feed altogether. Remember, the unsubscribe button is a mere click away…

Blogging ethics

The golden rule of blogging is that it’s all about the readers. Everything follows from this simple principle. You should strive to be relevant and considerate of their time. Take the time to spell-check your text. It is very difficult to edit one’s own text, but any article can benefit from a little time spent maturing, and from tighter and more lucid prose.

Don’t be narcissistic, unless friends and family are the primary audience. Most people couldn’t care less about your pets, your garden or for the most part your personal life (announcing major life events like a wedding or the birth of your children is perfectly normal, however).

Respect for your readers requires absolute intellectual honesty. Laziness or expediency are no excuse for poor fact-checking or revisionist edits. Enough said…

Update (2008-05-21):

Unfortunately setting the meta tags above seems to throw Google off so that it stops indexing pages altogether (Yahoo and MSN search have no problems). So much for the myth of Google’s technical omnipotence… As a result, I have removed them and would advise you to do as well.

Update (2015-11-20):

If you use JavaScript and cookie-based web analytics like Piwik or Mint, make sure those script tags are disabled if the browser sends the Do-Not-Track header. As for third-party services like Google Analytics, just don’t. Using those services means you are selling giving away your readers’ privacy to some of the most rapacious infringers in the world.

Migrating from Cyrus to Dovecot

I ran the Cyrus IMAP server for almost a year on my home server, but I recently switched to Dovecot. I originally used Cyrus because of its demonstrated scalability and in part because it is a product of my father’s alma mater, but it is quite hard to set up, and quite brittle to changes in its dependencies.

The last straw was when I tried unsuccessfully to set up another instance of Cyrus on a server, with the exact same configuration files and permissions, but different versions of the Berkeley DB and Cyrus SASL libraries, and it simply wouldn’t cooperate. In disgust, I downloaded Dovecot, compiled it and installed it in less time it took me just to figure out that Cyrus wouldn’t allow me to authenticate because the ever-crufty SASL library failed in a new inscrutable way. I had also never managed to get Cyrus’ SSL to work reliably, it is nearly effortless with Dovecot.

Dovecot is much easier to build and manage, does not have dependencies on unreliable cruft like the Cyrus SASL library, and is much easier to integrate with procmail, SpamAssassin and other goodies thanks to its use of the Maildir format rather than a proprietary database cum filesystem structure like Cyrus. From what I have seen of the internals of the Cyrus 2.2 “skiplist” database back-end (which replaced the BerkeleyDB back-end used in previous releases), I have a hard time believing it is significantly more efficient than Dovecot, if at all.

One problem was migrating my email – I have pretty much all my email since 1995 in my IMAP mailbox, migrated from various Emacs Babyl mailbox files or Exchange PSTs over time. The Dovecot Wiki points to this migration script, but for recent versions of Cyrus like the 2.2.12 I ran, it has two major shortcomings:

  1. It will not preserve the flag that indicates whether an email was read or not.
  2. It does not preserve the delivery timestamp for the emails so they all look as if they were delivered at the time you did the conversion.

I wrote my own migration script in Python,, to avoid these shortcomings. It does not preserve the “replied to” flag, but the Read flag is carried over, as is the delivery timestamp (in some edge cases like emails you sent, it has to guess, though). This is not a very polished program because I spent far more time on it than I had anticipated, and basically stopped once I got it working, but it should be usable, or at least a starting point for anyone with some Python skills. Of course, it can also be used by users of other Maildir++ based servers like Courier.

The script should guess most parameters, and will dump the emails to a directory named Maildir.cyrus/ in your home directory. By default, your user will not have read access to the Cyrus mail spool, you may have to alter permissions (I do not recommend running the script as root). For the syntax, just type: -h

On an unrelated note, Solaris 10 users may find the SMF manifest and method useful to automate service management and fault recovery. To install them, copy the manifest to /var/svc/manifest/site and the method to /lib/svc/method and install them into SMF with the command: svccfg import /var/svc/manifest/site/imap-dovecot.xml

Palm T|X first impressions

After an abortive experiment with a Nokia Symbian Series 60 smartphone, I bought a Palm T|X on Wednesday, the very day it was announced. I find PDAs superior to fiddly, fragile and cumbersome laptops, and have owned no fewer than 9 Palm compatible handhelds (*) in the last 5 years, which means I upgrade handhelds at least three times more often than my main (desktop) computers. My previous PDA is a Palm Tungsten T3 (I actually bought it after the T5 was announced, so underwhelming the latter is). I even obtained a spare T3 in case the first one broke (since given to my father). I am not entirely sure yet as to whether the T|X is really an upgrade. Here are some first impressions after a few days of use:


  • Built-in WiFi. No more fiddling with the easily lost SDIO WiFi card.
  • A better browser. Blazer feels much snappier than Web Pro, specially with the new Fast mode (disables CSS and image loading).
  • More memory, non-volatile if the battery fails.
  • Lighter.
  • Can actually dial and send SMS on a Nokia 6230 via Bluetooth


  • Plastic construction feels much less robust (but at least it is not pretending to be metal like the E, E2 or T5, that’s just tacky).
  • No voice recorder, charge LED or vibrating alarm. I seldom use the voice recorder, as I prefer taking notes on 3×5 jotter cards, but the voice recorder works when you have to capture that elusive idea while driving.
  • 20–25% slower processor. Graffiti2 is noticeably slower to respond, for instance.
  • The flip cover with the hinge on the side is less convenient than the one on top, which flips up like a reporter’s notebook, in one fluid motion.
  • The SD slot has a plastic filler card, not a spring-loaded cover.
  • Bigger. Many people complain about the true Tungstens’ slider, but it is very natural to use, and much more convenient than the power switch.
  • The stylus has a nice heft to it, but is not as substantial as the T3’s, and less easy to extract from its slot.
  • Yet another connector design incompatible with previous accessories. The cradle is an expensive option.
  • The home icon on the status bar has disappeared. This is very annoying in daily use
  • The application buttons and the 5-way navigator are less responsive and smaller. The T3 has generally superior haptics (feels much better in the hand).

The only potential deal-breaker is the slower Graffiti performance (there is a visible lag). I will probably keep the T|X due to the convenience of integrated WiFi, but the T3 is a superior device in almost all other respects, in the same class as the Palm V as one of the PDA world’s truly outstanding designs. If Palm were to come out with a new model marrying the WiFi and newer software stack of the T|X with the solid construction and faster processor of the T3, I would definitely upgrade again.

(*): Handspring Visor, Sony Clié T615C, Kyocera QCP-6035, Palm Tungsten T, Sony Clié UX50, Palm Zire 71, Palm Tungsten T3 (x2), and now the Palm T|X.

Update (2010-05-16):

The T|X was the last Palm device I bought. I switched to an iPhone in 2007 and never looked back.

The real story behind the WSIS

There has been much speculation recently about a possible rift in Internet governance. Essentially, many countries resent the US government’s control over the Internet’s policy oversight. They advocate the transfer of those responsibilities to the International Telecommunications Union (ITU), a more multilateral venue. The big news is that the European Union, which previously sat on the fence, came out strongly in favor of this proposal. Unsurprisingly, the US government is hostile to it. More surprisingly, I agree with their unilateralist impulse, obviously for very different reasons. I was planning on writing up a technical explanation as most of the IT press has it completely wrong, as usual, but Eric Rescorla has beaten me to the punch with an excellent summary.

Many commentators have made much hay of the fact the ITU is under the umbrella of the United Nations. The Bush administration is clearly reticent, to say the least, towards the UN, but that is a fairly widespread sentiment among the American policy establishment, by no means limited to Republicans. For some reason, many Americans harbor the absurd fear that somehow the UN is plotting against US sovereignty. Of course, the reality is the UN cannot afford its parking tickets, let alone black helicopters. American hostility towards the UN is curious, as it was the brainchild of a US president, Franklin D. Roosevelt, its charter was signed in San Francisco (at Herbst Theatre, less than a mile from where I live), and it is headquartered in New York.

The UN is ineffective and corrupt, but that is because the powers on the Security Council want it that way. The UN does not have its own army and depends on its member nations, specially those on the Security Council to perform its missions. It is hardly fair to lay the blame for failure in Somalia on the UN’s doorstep. As for corruption, mostly in the form of patronage, it was the way the US and the USSR greased the wheels of diplomacy during the Cold War, buying the votes of tin-pot nations by granting cushy UN jobs to the nephews of their kleptocrats.

A more damning condemnation of the UN is the fact the body does not embody any kind of global democratic representation. The principle is one country, one vote. Just as residents of Wyoming have 60 times more power per capita in the US Senate than Californians, India’s billion inhabitants have as many votes in the General Assembly as those of the tiny Grand Duchy of Liechtenstein. The real action is in the Security Council anyways, but they are not fully represented there either. Had Americans not had a soft spot for Chiang Kai-Shek, China, with its own billion souls, would not have a seat at that table either. That said, the Internet population is spread unevenly across the globe, and the Security Council is probably more representative of it.

In any case, the ITU was established in 1865, long before the UN, and its institutional memory is much different. It is also based in Geneva, like most international organizations, geographically and culturally a world away from New York. In other words, even though it is formally an arm of the UN, the ITU is in practice completely autonomous. The members of the Security Council do not enjoy veto rights in the ITU, and the appointment of its secretary general, while a relatively technocratic and unpoliticized affair, is not subject to US approval, or at least acquiescence, the way the UN secretary-general’s is, or that of more sensitive organizations like the IAEA.

My primary objections to the ITU are not about its political structure, governance or democratic legitimacy, but about its competence, or more precisely the lack of it. The ITU is basically the forum where government PTT monopolies meet incumbent telcos to devise big standards and blow big amounts of hot air. Well into the nineties, they were pushing for a bloated network architecture called OSI, as an alternative to the Internet’s elegant TCP/IP protocol suite. I was not surprised — I used to work at France Télécom’s R&D labs, and had plenty of opportunity to gauge the “caliber” of the incompetent parasites who would go on ITU junkets. Truth be said, those people’s chief competency is bureaucratic wrangling, and like rats leaving a ship, they have since decamped to the greener pastures of the IETF, whose immune system could not prevent a dramatic drop in the quality of its output. The ITU’s institutional bias is towards complex solutions that enshrine the role of legacy telcos, managed scarcity and self-proclaimed intelligent networks that are architected to prevent disruptive change by users on the edge.

When people hyperventilate about Internet governance, they tend to focus on the Domain Name System, even though the real scandal is IPv4 address allocation, like the fact Stanford and MIT each have more IP addresses allocated to them than all of China. Many other hot-button items like the fight against child pornography or pedophiles more properly belongs in criminal-justice organizations like Interpol. But let us humor the pundits and focus on the DNS.

First of all, the country-specific top-level domains like .fr, .cn or the new kid on the block, .eu, are for all practical purposes already under decentralized control. Any government that is afraid the US might tamper with its own country domain (for some reason Brazil is often mentioned in this context) can easily take measures to prevent disruption of domestic traffic by requiring its ISPs to point their DNS servers to authoritative servers under its control for that zone. Thus, the area of contention is really the international generic top-level domains (gTLDs), chief of all .com, the only one that really matters.

What is the threat model for a country that is distrustful of US intentions? The possibility that the US government might delete or redirect a domain it does not like, say, Actually, this happens all the time, not due to the malevolence of the US government, but to the active incompetence of Network Solutions (NSI). You may recall NSI, now a division of Verisign, is the entrenched monopoly that manages the .com top-level domain, and which has so far successfully browbeaten ICANN into prolonging its monopoly, one of its most outrageous claims being that it has intellectual property rights to the .com database. Their security measures, on the other hand, owe more to Keystone Kops, and they routinely allow domain names like to be hijacked. Breaking the NSI monopoly would be a worthwhile policy objective, but it does not require a change in governance, just the political will to confront Verisign (which, granted, may be more easily found outside the US).

This leads me to believe the root cause for all the hue and cry, apart from the ITU angling for relevance, may well be the question of how the proceeds from domain registration fees are apportioned. Many of the policy decisions concerning the domain name system pertain to the creation of new TLDs like .museum or, more controversially, .xxx. The fact is, nobody wakes up in the middle of the night thinking: “I wish there were a top-level domain .aero so I could reserve a name under it instead of my lame .com domain!”. All these alternative TLDs are at best poor substitutes for .com. Registrars, on the other hand, who provide most of the funding for ICANN, have a vested interest in the proliferation of TLDs, as that gives them more opportunities to collect registration fees.

The resistible ascension of the smartphone

I bought a Nokia 6682 phone a couple of weeks ago, as an upgrade for my Nokia 6230. Actually, I have my parents signed up on my service plan, and I was planning on sending them the 6230 to replace an older phone they lost, and taking advantage of this as an excuse to upgrade… The 6682 is a Symbian “smartphone” sporting Nokia’s Series 60 UI, and I was influenced by rave reviews like Russell Beattie’s. In recent years, Nokia has been churning out phones with crackpot designs and dubious usability for coolness’ sake. There must have been a customer backlash, as their recent phones like the 6682 have a much more reasonable, reassuringly boring but functional design. Another reason is that Apple’s iSync only works with Nokia’s Series 60 phones, and it will sync photos from the OS X address book.

I returned the phone for a refund last Friday, because the ergonomics are simply atrocious, and from a usability point of view it was actually an unacceptable downgrade from the Series 40 (non-Symbian) Nokia 6230. The low-res 176×208 screen has significantly lower information density than the 320×480 or 640×480 screens now standard on most PDAs, and makes web browsing almost useless. The only thing it has going for it is a semi-decent camera.

Even basic functionality like the address book is poorly implemented. When you scroll down your contacts list, you can select one to decide whether you want to reach them on their home or mobile number. The problem is, the next time you want to make a call and access the address book, you do not start afresh, but still in the list of contacts for the previous contact, making you back out. Let’s not even mention the ridiculously complex key sequence required to record a voice memo.

I have to contrast this with my Palm Tungsten T3, in my book still the best PDA ever (specially compared to the underwhelming, plasticky T5 or the boat-anchor and RAM-starved Lifedrive). Recording a voice memo merely requires pressing and holding a dedicated button, something that can be done one-handed by touch alone. Palm’s address book quick look up scrolling algorithm is a model of efficiency yet to be matched on any phone I have ever used. PalmOS might be getting long in the tooth, specially as regards multitasking, and its future is cloudy, but it still has a serious edge in usability. This is not by accident — Palm paid as much attention to the user interface as Apple did in its day, as this anecdote by New York Times technology columnist David Pogue illustrates:

I once visited Palm Computing in its heyday. One guy I met there introduced himself as tap counter. It was his job to make sure that no task on the PalmPilot required more than three taps of the stylus on the screen. More than three steps, and the feature had to be redesigned. Electronics should save time, not waste it.

In retrospect, I should not have been surprised by the 6682’s poor ergonomics, they were readily apparent from day one. The device is neither a good phone, nor an even halfway acceptable PDA. I decided to give it a chance, thinking it could just be a question of settling into an unfamiliar user interface. I did not have as long an adaptation period when moving from my old T68i to the 6230, and after two weeks my dim initial opinion of the Series 60 had if anything deteriorated further. Russell Beattie can dish it, but he can’t take it. In hindsight, Beattie’s defensiveness about smart people preferring dumb phones over jack-of-all-trades devices was not a good sign.

Pundits have been predicting the demise of the PDA at the hands of the smartphone for many years. Phones certainly outsell PDAs by a handy margin, but a small minority of them are smartphones, and I suspect most people get them for the improved cameras and disregard the unusable advanced functionality. I tend to agree with this old but still valid assessment — the best option is to have a decent PDA in hand, connected to the cell phone in your pocket via Bluetooth.

I suspect the smartphones’ ergonomic shortcomings are structural, not just due to lack of usability skills on the manufacturers’ part. Nokia knows how to design good user interfaces, like Navi or Series 40, but the situation with Series 60 is not going to be rectified anytime soon. The reason for this is that most people buy their cell phones with a subsidy that is paid back over the duration of a 1 or 2 year minimum duration contract. This control over distribution allows the mobile operators ultimate say over the feature set. This is most visible in branding elements like Cingular’s “Media store” icon that flogs overpriced garbage like downloadable ring tones.

To add injury to insult, deleting those “features” is disabled, so they keep hogging scarce memory and screen real estate. Carriers also disable features that would allow people to use their phones without being nickel-and-dimed for expensive intelligent network services like MMS, like some Bluetooth functionality or the ability to send photos over email rather than MMS. It is highly likely carriers will fight tooth-and-nail against the logical inclusion of WiFi and VoIP in future handsets. This conflict of interest between carriers and users won’t be resolved until regulators compel them to discontinue what is in effect a forced bundling practice.

Mobile carriers, like their Telco forebears, seem to believe if they piss on something, it improves the flavor… This is also the reason why I think mobile operator cluelessness about mobile data services is terminal — they keep pushing their failed walled-garden model of WAP services using phones, and gouge for the privilege of using a PDA or laptop to access the real Internet via Bluetooth, while at the same time not deigning to provide any support. WiFi may not be an ideal technology, specially in terms of ubiquity, but as long as carriers make us unwashed users jump through hoops to be allowed access to their data networks, low-hassle WiFi access using a PDA will be the superior, if intermittent alternative to a data-enabled phone. As for the aborted phone upgrade, I guess I will just wait for the Nokia 6270 to hit these blighted shores.