Wednesday 27 July 2011

TVHeadend Priority of DVB hardware

 As I continue to use the TVHeadend and XBMC setup I'm starting to find the odd little problem crop up. Most of these are pretty minor and can fix them as I go along (Pause live TV still a major missing element to this, and not one that looks like it'll be sorted soon unfortunately). One such minor issue I found was when setting up hardware adapters that can provide the same channels.

I have two DVB-S cards (Satellite, from my original quad-LNB) and one DVB-T (Terrestrial from the aerial installed in my loft). Now for whatever reason the DVB-S signal/channels show up as much better quality than the DVB-T (Not knowing the technologies, this may be expected due to available bandwidth on the MUXES, or whatever). So if I tune to BBC1 on my DVB-T its worse quality than on the DVB-S. The problem is that the DVB-T card seems to give out a signal quality of 100% all of the time, and the DVB-S can vary depending on weather conditions, etc. So TVHeadend was wanting to use the DVB-T card, and hence we got worse quality pictures.

I noticed in the TVHeadend issue tracker a request to be able to prioritise tuners, which sounds ideal. Basically in a nutshell somebody has modified the code so that you can force in a priority, to add "distance" (Using cisco/network terminology) to the adapter, and so make it less preferable for tuning. Martin Mrvka kindly produced the patch for his code modification so I could download and test it, and so far it looks good.

I've added a distance of 50 to my DVB-T card, and left everything else on defaults. So far it looks to have worked, however I've not fully tested it, so will do so over the next couple of days and see how it goes. Anyone else interested in this can get the patch from: https://www.lonelycoder.com/redmine/issues/343

Don't forget to post back and let him/me know how the patch works, see if it does the job for you too!

MORE Twitter Spam (More Replies from Twitter)

 So, I got another reply from Twitter in relation to my complaint that they're not really reading my replies, and I have actually got somebody who seems to understand what I'm after, but not quite in the context of "There is something wrong, please investigate". Here's the reply I've got:

"

@Kessel about 18 hours ago

Dear Twitter User:

 

If you are requesting your own Twitter account information, please fax us a signed request providing consent to disclosure for specific information (e.g., IP logs), including the username (e.g., @Safety and http://twitter.com/safety) and email address on the account, along with a scanned copy of your valid, government-issued photo ID to 1-415-222-9958.

 

We will send a request-for-consent email to the email address of record for the account, to which you will have to respond affirmatively. Receipt of an appropriate request and an affirmative response to the request-for-consent email will authorize us to release your information.

 

Regards, "

 

 

Hm, So now what do I do, shall I jump through their hoops and see what happens, as I'm really getting curious now what information they'll give to me, and if it will actually give an insight into whats going on!

 

 

Tuesday 26 July 2011

MORE Twitter Spam (The Reply)

 OK, so I've got the reply from twitter, and to be honest, its rubbish. They've not read my email, not responded to what I asked or anything. So here it is in full, please feel free to comment on this as I'm not impressed and going to re-open the ticket and chase this further with them:

Twitter Support: update on "My account was hacked by Twitter Mobile Web"


----------------------------------------------
tiger, Jul-25 12:00 pm (PDT):

Hello,

If you think your account may have been compromised, please take these two steps immediately:

1. Change your password. After you log in, you can change your password at http://twitter.com/settings/password. 
Be sure to pick a strong, unique password you haven't used before. If you're having trouble logging in, request 
a new password at http://twitter.com/account/resend_password.

2. Check your connections. Check the Applications tab at http://twitter.com/settings/applications and revoke the 
access privileges of any third party applications that you do not recognize.

This help page has more information for hacked or compromised accounts:

http://support.twitter.com/entries/31796

Please let us know if you continue to experience problems. 

Thanks!
 

Hmm, so not really answering anything of my original message. So back to twitter support I go....

Monday 25 July 2011

Windows7 Frustrations

 So,

Over the weekend I needed to install a new machine for the community radio station that I help out with. Their current playout system is a WindowsXP Dell machine, thats probably getting on for 7 or 8 years old I'd guess, and has practically been running 24x7 since installed. Originally at one location, and I then relocated it to their new broadcast building about 3 years ago when they got their full-time FM license. Well its about time the machine got replaced as it has everything the station needs to keep running, so I'm a little nervous that it'll fail at some point.

So a new Dell Vostro was ordered. Dual-Core Intel, 2Gb RAM, nice little machine.

So I got to installing it on Sunday, stripped down the pre-installed Windows7 system, removed all the rubbish backup applications, Dell assistance software, all the trialware and junk. Removed desktop wallpapers, screensavers, power management, etc. Basically because this is a radio station playout system you want it minimal as it just has to do one job, but without question! So all that was stripped out.

Then I got to installing the second sound card. I had an old Creative Labs Sound Blaster Live! 5.1 digital surround card, from my old desktop from about 4 years ago. So slapped that in (You need multiple inputs and outputs for playout systems so that the various faders, etc, all have separate sound channels). Booted up, and Windows7 couldn't recognise the hardware. So then starting to trawl the web, CLabs website showed the hardware was discontinued, but you could try their beta Windows7 driver. So downloaded all 40Mb of that (!), installed, and half way through got a windows driver signing error, and windows then decided to remove each of the .sys files the installer had created. No surprise, on reboot the card was partially detected, but "Had a problem", windows couldn't fix.

OK, so I gave up with that, removed the card and will just pick up another cheap PCI card, that had newer drivers, etc. No big problem (Although I'd spent quite a bit of time to now).

Next steps, was the re-create the fiddly filesystem that the playout software "SoundBox" needed. It uses windows shares for all its locations, so I created the relevant audio folders, then the 10 or so storage folders, set each one to have shared permissions with read and write access for network users (Yes I know the security is abysmal but unfortunately SoundBox works like that, so you're stuck with a wide-open system). Did that, so then started to trawl through my archives for the SoundBox installation CD. That took about 30 mins, I didn't realise I had data spread out over so many NAS and storage systems. REally do need to sort that out one day! Found the ISO and related patches and stuff, copied them over to the new machine all ready.

Ran the setup.exe, and immediately Windows7 threw a "This version is not compatible with Windows 7". Arrrgh! So next, try running it through the compatibility troubleshooter (annoying! I knew if I set compatibility to WindowsXP it should work, but it doesn't let you do that anymore, you have to use the stupid wizard!). So ran the troubleshooter, which surprise surprise set it to windowsxp for compatibility, then let me try again. This time it failed saying that the installer couldn't run on a 64-bit machine. Tried a few times with and without admin permissions (just in case!) and no go.

So basically, I'm stuck. The software supplier won't have updated the software, as its pretty much out of existance, no updates and to replace the software now would require hundreds of man-hours in training, not to mention the multi-thousands it costs to buy most radio playout software.

I'm thinking of removing Windows7 and installing WindowsXP now, even though its old, unsupported and the hardware probably won't get on with it very well, this seems my only option for the system. How annoying..... and yes, I seriously am considering re-writing the software to run under Ubuntu now!

 

MORE Twitter Spam

 Well it went and happened again. "I" posted another random spammy comment that mentioned how to make a quick $ by sending people to a dodgy website. Unsurprisingly I didn't send this, and was rather annoyed that its happened again. After the original spam attack I'd changed passwords, revoked access to the twitter mobile application and thought all was fine.

However, its exactly the same attack vector thats been used. Late on Saturday night the app was authorised again: "Mobile Web by Twitter was authorised "Sat Jul 23 2011 20:56:18" GMT. "

Well that wasn't me. And then on Sunday night around 22:30 the spam appeared in my timeline again "check out this article! I made $350 today!"

So this time, I removed the application permissions (again), removed the post from my timeline and have opened a trouble ticket with Twitter to see what happens. Oh and I changed my password to a random series of letters, numbers and extended characters. So we'll see what happens next.

I'm now thinking this IS NOT a password crack thats going on and there is something more deep seated wrong with twitter. The alarm bells are that twitter mobile application is created by twitter themselves, so I suspect an implicit trust is somewhere setup between twitter and their mobile web application, and thats why it automagically gets authorised when a post is made from it. Why or how the actual exploit takes place I'm still really in the dark.

My message to twitter was: (bits taken out for security):

Description of problem: Hi, 

Several times now posts that I have not made are being posted to my timeline. They are all along the lines of "check out this article! I made $350 today!" and a link. 
Each time I've logged in and found it was posted by "Mobile Web", and looking, shortly before it had been authorise to post on my account. I obviously haven't permitted twitter mobile web application permissions, and did not make the post. 
I have changed by password several times now and it still keeps happening. Please can you investigate. If possible can you retrieve the IP address that was permitting the application, and/or making the posting. I can supply screenshots of the hacked timeline and also the application screen that showed Mobile Web by Twitter was authorised "Sat Jul 23 2011 20:56:18" GMT. The post to my timeline was made On Sunday Jul 24 2011 22:24 GMT "

 

So I'm hoping they can get the IP address, as I know the IP addresses I would post messages from, its one of about 4 or 5 so pretty easy to spot if its come from an address outside those. So we'll see what reply I get. I'll post back when I get further, but I'm mega-annoyed now as not very professional looking at all.

 

 

 

 

 

Saturday 16 July 2011

IPv6

 Well, this week I attended the IPv6 course provided by RIPE for LIRs. I hadn't really done any advanced reading or anything in particular before the course, so wasn't sure what to expect.

First a bit of background, at work we have IPv6 enabled on a lot of the network, and slowly progressing to get it tested and ready for deployment. On world IPv6 day we tried to prepare people within the organisation, but didn't really get very far, and I still believe that a lot of people in the company don't believe or think IPv6 is real, or something to be considered. I have to admit, I was a little like this, but know that I need to get up to speed pretty quickly on it!

So along I went to the RIPE course, and wow was I shocked. It was really hard work, and you have to almost totally change your point of view. I've dealt with RIPE and handling IPv4 address-space for around 8 or 9 years now, from my previous jobs where I setup an LIR, came up with address plans, administered the RIPE db. Basically the whole course was based around forgetting what you did with IPv4 and to change your way of thinking.

The main change, is when it comes to address preservation. Whilst you still only dish out what blocks you think are justified, etc, you don't worry as much about the number of IPs or subnets given out, and are encouraged to give out slightly more if you can see a requirement.

For example, the smallest allocation you give out is a /64. That equates to 18,446,744,073,709,551,616 (18 quintillion) addresses. So even for your router link or point-to-point connections, you assign those a /64. Thats probably the bit that I found most tricky to get my head around. Whereby you would normally assign a /30 in IPv4 as you only need the two usable IP addresses, in IPv6 you would assign the /64 and simply use 0000:0000:0000:0001 and 0000:0000:0000:0002 as the addresses (I haven't shortened those or anything, before the pedants point it out!). So apart from that big difference, you then get onto other things.

Such as, how many IP addresses would you give to home DSL users? Would you give them a /64 which you'd argue would be enough for them to never run out of. BUT look at it a different way. What if they wanted further networks BEHIND their link /64. So for example, they had a kitchen network, that their new IP-based fridge resides within, and that fridge has temperature sensors, proximity or other things. You'd probably put that into its own subnet, and then route that over your DSL /64 link network. So, perhaps you would give home users something like a /56 (which is what RIPE suggested), that lets them have 256 /64 networks at home, which again should be hugely over-planned, but would be sensible based around future needs (Think, home alarm systems on one subnet, smart water meters/electricity/gas, home automation, IP-based TV, etc)

The next struggle, is the actual addresses themselves. We're very used to the 4-quad addresses with IPv4, and generally a lot of people can remember these (well I certainly can, I can give out addresses for the company such as DNS, monitoring, core routers, etc, from memory). Well that isn't going to happen with IPv6, you might remember bits of the address but probably not all

Then, you get onto how are you going to implement IPv6 in your network. There are various 6 to 4 techniques, or methods of providing IPv6 space (6in4, 6to4, 6RD, NAT64, DS-Lite) these are all ways of implementing but without running natively. Ideally running dual-stacked is how you want to go, and thats how we're implementing at present, with the odd combination of 6to4 via Toredo when you're in an IPv4 only environment and want to tunnel and get to your IPv6 network. The other key thoughts are how to implement to your customers, as you don't really want to NAT64 or do evil tunneling to your customers, so really you want to work towards dual-stack on your customer connections and then allow the CPE to do IPv6 natively, that makes it clean, but then how do those clients get to somewhere thats only IPv4? You have to run some DNS tricks or otherwise allow them to get to the rest of the IPv4 world. Not simple!

There are lots more foibles and things to add to this, so this is just a starting point. I'll continue to add more as more comes along and as I test out and try out what I've learnt. Along with how to write IPv6 addresses, as there are various shortcuts. But for now all i need to remember is the Onyx IPv6 allocation of 2001:4dc0::/32 double colons indicate suppressing 0's in IPv6 space, so you can shortly the addresses! Neat.

 

Tuesday 5 July 2011

Dropbox and Encryption

 This is a subject thats had quite a bit of attention recently. Mainly due to Dropbox changing their terms and conditions of use. Now I'm not a lawyer or understand legal-speak, but what it appears to boil down to is that Dropbox can now open/read/own your documents should they choose to (OK this might be stretching it, but lets look at worst case scenario)

 

So we want to maintain using Dropbox to keep in sync between all your machines, but encrypt the data.

My normal encryption of choice is Truecrypt, as I use that on all my portable devices. However this is great on local machines, it doesn't really scale very well as it creates a single encrypted 'volume' on the target, so in this case would create a huge 1-2Gb file on my Dropbox. So when I changed something, the entire file would appear 'changed' to Dropbox and it would start re-syncing the whole thing. No problem on most of my connections/machines, apart from my rubbish home DSL connection which can barely manage 2Mb download at times, and if you shove too much data over it the PPP session fails and you start the PPP ping-pong at the exchange (Thats a whole different story. Who'd have thought somebody working for an ISP would have broadband problems....)

Anyway, so what I have is my dropbox on my work laptop, my home server and a windows VM desktop. Handy keeping all 3 in sync. My home Ubuntu server keeps a local copy, and does a daily rsync to a local HDD NAS, so I've always got a backup at home. My works laptop is an Ubuntu desktop, and my VM desktop is on Windows 7, so all 3 have to be compatible with the final solution, and as seamless as possible.

 

In comes Encfs, which looks ideal, loads of tutorials for Ubuntu, mac, etc, so looks good, its built on top of FuseFS which integrates with PAM authentication nicely, and there is a handy tutorial for setting up at pragmattica.wordpress.com/2009/05/10/encrypting-your-dropbox-seamlessly-and-automatically/ So that looks fine for my Ubuntu systems.

However the windows machine is still a problem. Looking around Boxcryptor looks like it solves it, as its a windows solution built around EncFS www.boxcryptor.com/support.html and it supports generally.

 

However after setting up my encrypted volume, etc, I found a few problems between the two versions. Firstly my Ubuntu desktop is running an older version of EncFS (version 1.6), which apparently Boxcryptor is incompatible with, so immediately my windows machine fails to connect with the encrypted dropbox with an incompatibility error. Hmph, so looks like I need to get on and do the upgrade of my laptop (I've been holding off on the latest version release).

Will carry this out and see how it goes, so for now I've got encryption all sorted, my linux machines are happy, just not windows. Ah well, a minor price to pay temporarily. I can always get the data from my NAS when I need it I guess.

 

Oh and if you haven't got a dropbox, then sign up via my referrer url at db.tt/0dLLilw Each referrer you send, you get some additional free space, which is nice!

Twitter spam

 Right then, over the past couple of days some of you may have noticed 'me' spamming your twitter timeline with things like "Check out this article! I made $150 today! http://t.co/" and a url on the end there. Well as you can imagine, this wasn't me. And I was INCREDIBLY angry at this, as I'm usually very careful about security, what I login to, what permissions things get, etc.

Now the first time it happened, in my anger I just deleted the post, THEN started looking at how/why/where, etc. Well this isn't the best way to do things as any security analyst will tell you, as you've just destroyed the evidence and also any trace that you can use to find out where/how it got there.

 

Well today at 13:23:33 it happened again, so this time, quickly jumped onto the twitter website, looked at my timeline and clicked the entry, to try and find out what/how I supposedly posted the article. Well interestingly it said "twitter mobile web". Hmm, thats an application by twitter themselves, like a cut-down web version of their service, based at mobile.twitter.com Thats not good news then! Well first thing I did, went to my twitter profile, went to Applications and revoked access to that.

So hopefully that has stopped the timeline spam, but thats got me curious, whats been using my web API to send these messages. Since twitter probably won't give me access to the logfiles, then chances of tracking it down are slim, but I'm still going to do a little background digging.

One is not amused!

 

Monday 4 July 2011

XBMC hardware

 A quick rundown of hardware I'm using for my XBMC and TV Headend installation:

 

XBMC:

Dell

Intel Core2 1.86Ghz

2Gb RAM

 

TV Headend:

Generic PC

 

XBMC

 The problem: I pay Sky a fortune a month (ok, not as much as some people do, but still), and feel that after I've had several Sky+ boxes fail and Sky really don't care, that there must be a better option.

In the house, we rarely watch sky1/2/3, Sky movies or all the other junk thats on there. We mainly watch the 4 terestrial channels (ignoring 5, who watches that anyway?), Dave and occasionally the other "UK" group of channels (gold, etc). So looking at this and since I already have a Sky minidish, I thought why not go with XBMC and some sort of free-sat backend decoder. Well doing a bit of research and thanks to Andy Newton at work, I was pointed in the direction of TV Headend. Ordering a single cheap satellite decoder PCI card for one of my servers and to get things moving along.

Installed the PCI card, installed a basic Ubuntu server and then TV Headend, and it was quite easy to get working. A few of the settings in TV Headend are complicated at first, until you know the magic sequence to do things in, so here we go:

  1. Install TV Headend and go to the web gui
  2. Choose Configuration tab, and TV Adapters
  3. In the drop-down choose your card (if none are listed, then linux hasn't found the card, or its not V4L2 compatible)
  4. Tick Idle scanning and Monitor signal quality
  5. Then click Add DVB by network, from the list that pops up Astra 28E, which is the standard Sky transponder/satellite
  6. That will have populated the Muxes for you, you now need to wait as it scans them and checks for signal and identification. (You can see this happening, on the GENERAL tab, you'll see Services, Muxes and awaiting initial scan. The initial scan number should keep going down as it detect them. Go to the Multiplexes tab and you'll see signal quality and the list that its found. Generally you should see a good percentage (over 40%) and the network field filled in. Give it 10-15 minutes and see how its got on. I had to delete a few that had errors and just never got values filled in.
  7. When Tv Headend is ready, and its identified all the muxes you can press the MAP services to channels button (if its not available, then there are still muxes awaiting initial scan, let it scan, or delete the faulty muxes)
  8. Leave TV Headend to map the services to channels - NOTE this generally disrupts watching TV if you're already watching on a different card, etc
  9. When done, click on the services tab and you'll see its done its work. Ignore invalid/empty entries, those will be tidied up later
  10. Now go to XMLTV and configure that (along with the command-line setup)
  11. Finally check under Channels and it should be looking good
  12. After XMLTV and TV Headend have sync'd up, go to EPG and you should see data. Then move onto the front-end config

 

That should get TV Headend running. Repeat for each of your decoders. I use a combination of DVB-S (Satellite) and DVB-T (Terestrial) receivers, that way I get the maximum number of channels (some channels are only available on Terestrial) and have the ability to record/playback/watch simultaneously too.

I'll post on next steps to get XBMC and your front-end up and running next time.

Generally about the car

 Well, as some of you may know I purchaed a Chrysler Grand Voyager  CRD 2.8 LX CRV. Which I've got to say I'm really impressed with, and for quite a decent price. OK its a big american bus, drinks diesel like its going out of fasion and parking is a bit tricky. But on the plus side, there are loads of gadgets, which always interests me.

So in this one, I've found (It wasn't sold avertising any of these great features, so this was a great surprise when we went to take a look at it at the dealership):

  • Electric sliding rear doors
  • Electric boot open/close
  • Electric rear windows (the sticky out type, not up/down type)
  • DVD TV in the ceiling with 2x infra-red headphones and remote-control
  • Separate video/audio in for console/tv tuner
  • CD head-unit, switchable between DVD player and CD/Radio (So DVD can be on via headphones only, rest of speakers on your CD/Radio channel)
  • Retractable wing-mirrors
  • Auto-dimming rear view mirror
  • A/C climate control
  • Trip computer, compass, temperature, etc
  • Removable rear seats (the two in the middle are individual recliners, the 3-seat in the back like a couch!)
  • 2-setting driver seat/mirror system setup by the remote unlock fob
  • Loads of 12v cigarette-style power sockets (driver side optionally changed from ignition to permanent on)
  • Auxiliary in-car heater (diesel burner)

 

 

Welcome

Welcome everyone,
I've finally got round to writing up a blog, so I'm going to generally post information and snippets on here, mainly because my memory is so bad, that I need a reference site for things I've thought of, etc.

If you'd like to contribute, or comment, then please do, I'd love to hear from you, especially if you've found any information of any use, or applied/tested anything and the results.


As per normal, everything here is (C) me, and also I'm not liable for any problems trying anything here causes, information here is not the thoughts or opinions of my employer, any groups I'm affiliated with or anybody else in my family, its the random gibberings of an idiot, so please take it as that and check anything twice, at least! tmp