Screenshots of the new Unity desktop. There’s certainly a harsh, non-exclusive competition between Unity and GNOME Shell: a proxy war between Ubuntu and Fedora Core, which is in turn a proxy war between Canonical and Red Hat.

Eventually, it’s user experience that will decide which desktop is best (and best for what), and that’s still a long way off. But technically, Unity is the first huge, bold break from tradition, whose real goal deep inside is to completely replace the age-old heritage of the X Window System with an OpenGL-based one, a problem partially addressed in my previous post.

I am trying Ubuntu’s new desktop, introduced lately with Natty Narwhal (11.04). After heavy development phases, Unity has reached its alpha stage: a massive move replacing the GNOME desktop environment with a completely new one written from scratch. I’ve read too many negative reviews about Unity already, but personally I think this is a good move. Developed from Ubuntu’s Netbook Remix (which I didn’t like much; you don’t have to maximize windows like that all the time) and switched from Clutter to the Compiz 3D window compositing system (my last experiment with Clutter also hinted at potential performance problems), the new Unity shows a huge shift toward a Mac-style desktop. Though there are still lots of bugs and missing features, a few things can be said about this new Unity.

First, people complain about the break from the norms; some hate Unity because it breaks their accustomed habits. The GNOME community (with its long development history) can feel betrayed. But for all I have learned after some years in graphics, UI design is a job of personality: it’s the task of a small group who decide what is “nice and beautiful” and which way (other) users should follow; it’s not the task of a committee (a “People’s Committee”, I mean 😬). As a developer, I’m often in the self-conflicting state of wondering what is “nice and beautiful”, modifying some simple UI widgets over and over again. It’s no surprise that UI always becomes a huge source of diversity (and problems) for community-driven projects. Key requirements for a UI system, in my opinion, are simplicity, consistency and elegance.

For consistency and simplicity, Unity is a big step forward, the reason given being that GNOME has become too complex and inconsistent (then what about the much more complex KDE?). Maximized windows have their caption and menu bars incorporated into the system bar on top, a feature clearly borrowed from the Mac, yet further varied and developed. A simple dock bar is positioned on the left, and the system menu button doesn’t bring up a menu but a search panel with which you can launch programs, open files… with a few keystrokes. I like this much because it offers a form of GNOME Do: it’s harder to launch rarely-used items (especially if you don’t remember the names), but it’s more convenient for frequently-used ones. After all, lexical memory is much faster than spatial memory, if one has been trained for it.

One more apparent physical factor is that vertical screen space is scarcer than horizontal space, and 16:9 screens have become quite popular. To conserve useful screen space, the UI must constrain the caption bar, the menu bars and especially the tool bars; there are even recommendations on eliminating the status bar and minimizing the scroll bar on Mark Shuttleworth’s (Canonical’s founder) blog. The scroll bar is quite surely a mimicked and modified version of the one in iOS. Actually, from my recent experiences with Mac and iOS, there are still a lot of lessons to be learned from these two OSes on how to use space efficiently: remove heavy window decorations and borders, use lighter UI fonts and smaller, more symbolic icons, design simpler widgets… and in some cases even sacrifice some less-used UI features.

The trend of UI becoming simpler and more consistent is quite obvious. Efficient use of space is the key, but space is not all there is to user experience: keyboard shortcuts and mnemonics are also important parts of the learning path (UI effects can be fancy, but over time, people come to love the simplest keystrokes that do the job). The third factor, elegance, is even more a topic of debate: people can largely agree on what simplicity and consistency are, but what aesthetics is remains mysterious! Unity claims that it will directly compete with the Mac on UI design and user experience, but my opinion is that its aesthetic aspect is still far behind the Mac’s, e.g. Compiz’s effects are numerous but actually not very fine-tuned compared to the smaller set of animations the Mac offers… And even the Mac still doesn’t satisfy my eyes in quite a few cases…

jingle hell

First it was Jabber, then the open standard XMPP, then libjingle (the thing behind GTalk and several other VoIP applications). An essential part of VoIP, VPN and P2P technologies is ICE (Interactive Connectivity Establishment), a set of techniques that help computers behind routers connect to each other…

Now it’s Christmas time, but this has nothing to do with Xmas except the name: LIBJINGLE. For a long time, I’ve been trying to expose one of my home servers to the Internet. Normally, you’d just need to set up dynamic DNS to track the router’s IP address and NAT (Network Address Translation) to forward one port onto the server. Unfortunately, my ADSL router is a special (hardware / firmware) version OEM-ed by Comtrend for FPT (the local ISP), and no matter how I configure it, NAT is simply forbidden. I’ve tried various techniques to punch holes (TCP, UDP) through NAT, such as pwnat, a trick that fools the router using ICMP echo packets. However, due to differing router implementations and configurations, no technique is known to work in 100% of cases, as pointed out in this paper.

The NAT traversal problem repeats itself in various applications: VoIP, P2P networks, VPN (Virtual Private Network), networking for games… Current technologies take a dual approach to solving it: some kind of ICE (Interactive Connectivity Establishment) when two peers can connect to each other directly, or a central server in between in case the routers forbid it altogether. With libjingle, for instance, Google Talk servers are used when a direct connection cannot be made. Remember Skype’s global disconnect problem lately? It was the same sort of problem with ‘central servers’. With this knowledge in hand, it turns out that setting up a VPN to access my home servers from anywhere is quite easy, as follows.

Build libjingle and fwd (a simple wrapper around libjingle). Building libjingle on Debian is a nightmare (yes, a real nightmare; libjingle 0.4 has a nasty code base). It took me a whole day, and after changing several dozen places in libjingle’s code, I got it compiled and running correctly (please refer to this post for some initial building instructions). Once the transport channel has been established with libjingle, an SSH tunnel is set up to forward a port on your roaming laptop to the SSHD port (22) on the home server:

# on a server inside your home network, this will forward
# port 2222 to port 22 of another machine ('buffalo')
./fwd -u account@gmail.com -p password 2222:buffalo:22

# on your laptop from anywhere on the Internet, almost
# the same command, but with the -L option for client mode
./fwd -u account@gmail.com -p password -L 2222:buffalo:22

# then connecting to the 'buffalo' box is just setting up
# an SSH session, thus an SSH tunnel inside another SSH tunnel
ssh root@localhost -p 2222

The technique works flawlessly; I can now access my home VPN from anywhere. Basically you’re inside a VPN now, so various setups at home work transparently (strictly speaking, this is still not a real VPN, as TCP and UDP broadcasting may not work, but most regular connections would). Next, I proceeded to expose some of my home services to the outside world. Again SSH proves to be a very, very powerful tool, as you can build an SSH tunnel inside another tunnel, nested for several layers (ssh actually means ssshhh!, the sign used to signal lowering one’s voice, I think):

File sharing

SFTP (Secure File Transfer Protocol) is built on top of SSH, and SFTP is native to any Linux (for Windows we could use WinSCP, and for Mac, Cyberduck). Just connect to one end of the tunnel as with SSH (localhost:2222), and at the other end of the (nested) tunnels we get access to the whole file system.


SSH is built into SVN (I often use SVN from the command line rather than via WebDAV). Something like: svn co svn+ssh2222://user@localhost/svn/project does the job, where ssh2222 is defined in your Subversion configuration file (under the [tunnels] section) as: ssh -p 2222; this instructs the secure shell to connect to the host, then run the ad-hoc svnserve instead of a real web server.

Web Proxy

This is very useful since it helps you surf the Internet securely while in public. After setting up the Squid web proxy on the same server, the command: ssh -N -L 8080:localhost:8888 root@localhost -p 2222 tells SSH to forward local port 8080 to the proxy port 8888; pointing Firefox at localhost:8080 then secures our traffic more than enough (2 levels of nested tunnels and 2 levels of port forwarding).

Music streaming

I use this to casually enjoy my music collection while not at home. Install the FireFly (formerly mt-daapd) music streaming server and forward its default port 3689, then I can listen to my favorite songs anywhere using Rhythmbox (Linux). And since the protocol (DAAP) originated from Apple, listening is also natively available on any Mac using iTunes.

home servers

The C-Media USB board adds a cheap (~$5) sound solution to the Debian box; sound quality is fair enough for “ad-hoc” listening (comparable to that of an on-board AC97 chip, and for serious music there’s already the home media player).

Quite a long time it took me to finish and “stabilize” all these “home servers”… and finally here it is… On the left, you can see: #1: the 650 Watt UPS that provides about 3 hours of uninterrupted electricity for the whole system; #2: the WAP54G access point (hacked with OpenWRT); #3: the Comtrend ADSL router; #4: the LinkStation CHL (Debian Lenny: print server, 1 TB of disk space for Samba shares, BitTorrent server); #5: the LinkStation Duo (Debian Lenny: 1 TB of RAID-1 disk space for important data, SVN, web and VPN servers (for remote access) and the MPD music server); #6: speakers.

All these miniature machines help stream lossless music and HD video to the media player (LT-H90LAN, another Linux box that resides in the living room). Except for the router (which is specialized hardware & firmware OEM-ed by Comtrend for FPT, the local ISP), all other devices run Debian or another Linux variant. The total power consumption of the whole system is less than 50 Watt. Future computers will consume less than 1/10th of the power of today’s ones… Power is the key: less power means less heat, less noise, more stability and more durability… the factors that make successful home services!

buffalo duo

My Buffalo, a 400 MHz, power-efficient ARM system (it consumes about 17 W on average). The duo: two SATA disks (1 TB each) running in a RAID-1 configuration. The system can also act as a print server: most cheap home laser printers are not stand-alone devices (lacking PostScript capability) and need to be attached to a PC in order to print; instead we can connect the printer to this Buffalo box via USB and serve printing over the network.

My newest toy: a Buffalo LinkStation Duo Network Attached Storage (NAS, or a poor man’s home server). I had thought about this long ago but didn’t have time till now to dig a little bit low-level to get the thing to work! Basically what I want is a miniature general-purpose home server which would run continuously 24/7. But you know, with the temperature and electricity conditions here in HCMC, most PCs would surely break down if left running continuously for a few months. The idea is to hack this NAS device to run Debian and turn it into a hybrid system: a NAS (file server, torrent, UPnP…) and a home server which handles a few extra tasks. It took me a whole night to figure out how to do it.

1.   Boot the device via TFTP, using u-boot, the universal bootloader. We need to erase the HDD’s partition table (with something like: dd if=/dev/zero of=/dev/sda count=1, and the same for /dev/sdb) to force the device into TFTP boot.

2.   Telnet to the device and prepare the disks: use fdisk to apply the same partition structure to both disks (/dev/sda and /dev/sdb) with the usual Linux filesystems: /boot, swap, / (root) and /data. The disk structure would appear like this:

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1           6       48163   fd  Linux raid
/dev/sda2               7        1200     9590805   fd  Linux raid
/dev/sda4            1201       60801   478745032   85  Linux extended
/dev/sda5            1201        1329     1036161   82  Linux swap
/dev/sda6            1330       60801   477708808   fd  Linux raid

3.   Set up the RAID-1 (one-to-one mirror) structure. You can see that we mirror /boot (sda1, sdb1), / (root) (sda2, sdb2) and /data (sda6, sdb6); there’s no need to mirror swap:

mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda6 /dev/sdb6

4.   Install Debian (Lenny) using debootstrap, a very handy tool to install Debian directly from a repository. debootstrap pulls the packages over the network and builds a new rootfs; after chroot-ing into the newly built system, pull and build the kernel from source. After that, we can use regular Debian commands to update, configure the network, add software, etc. After rebooting, we’ve got a brand new Debian with 1 TB of RAID-1 disk space, which runs flawlessly and is ready to serve my various automation tasks!

Notes: installing Debian voids the warranty and could easily brick your device; use this information at your own risk. The steps here are just a summary; there were various tries and failures to get the thing done, e.g. we first need the binutils, wget, zlib and libssl binaries for debootstrap to work (download the deb files from Lenny’s repository, extract and copy them over to the Buffalo); after debootstrap-ing, I forgot to set the root password and was unable to log in when the machine rebooted, thus having to start the whole process over again 😢. For further details, please consult the Buffalo NAS community.

UPDATE, Nov 18th, 2010

For a NAS which runs 24/7, it’s critical to monitor system status (temperature and the moving parts). I wrote this little fand script, a daemon that monitors hard disk temperature and adjusts the fan speed accordingly. The HDD temperature can be retrieved using smartmontools (most hard disks nowadays have S.M.A.R.T. capabilities), and fan control on the Buffalo LS Duo is done via the gpio module (thanks to the talented hackers on the Buffalo NAS forum), something like this:

# values can be 'off', 'slow', 'fast' and 'full'
$ echo 'slow' > /proc/linkstation/gpio/fan

I’ve defined some thresholds: in a tropical country like VN, room temperatures around 30° ~ 35° (Celsius) are common, so if the HDD temperature is below 35°, we turn off the fan. If it is between 35° ~ 40°, the fan speed is ‘slow’; from 40° to 45°, the fan is turned to ‘fast’; and if the temperature exceeds 45°, the fan speed is set to ‘full’. And if 50° is reached, we send a notification email (via sendmail) and shut down the system. If you find it interesting, here is the fand script.
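The threshold logic above, written out as a small POSIX shell daemon. This is an added example for this post, not the author’s fand script: it assumes that smartctl -A (from smartmontools) reports attribute 194 Temperature_Celsius, that /proc/linkstation/gpio/fan accepts the off/slow/fast/full values shown above, and that the boundary values 40° and 45° belong to the lower band (40° → fast, 45° → fast, 46° → full). The parser is separated from the polling loop so it can be checked against a captured smartctl sample without a disk.

```shell
#!/bin/sh
# fand-style fan controller for the Buffalo LinkStation Duo.
# Added example for this post; NOT the author's fand script.
# Thresholds as stated in the post: <35 C off, 35-40 slow, 40-45 fast,
# >45 full; at 50 C or more, mail an alert and shut the system down.
# Assumptions (not from the post): smartctl -A prints attribute
# 194 Temperature_Celsius, and the gpio fan file takes off/slow/fast/full.

FAN_CTL="${FAN_CTL:-/proc/linkstation/gpio/fan}"
DISKS="${DISKS:-/dev/sda /dev/sdb}"
ALERT_MAIL="${ALERT_MAIL:-root}"
INTERVAL="${INTERVAL:-60}"      # seconds between polls
SHUTDOWN_TEMP=50

# Map an integer temperature (Celsius) onto a fan level.
# Boundary choice (assumed): 40 -> fast, 45 -> fast, 46 -> full.
fan_level_for_temp() {
    t="$1"
    if [ "$t" -lt 35 ]; then echo off
    elif [ "$t" -lt 40 ]; then echo slow
    elif [ "$t" -le 45 ]; then echo fast
    else echo full
    fi
}

# Pull the RAW_VALUE (column 10) of attribute 194 out of "smartctl -A"
# text given on stdin; stop at the first match. Prints nothing if absent.
parse_smart_temp() {
    awk '$1 == 194 && $2 == "Temperature_Celsius" { print $10; exit }'
}

# Hottest disk in $DISKS; disks that report no temperature are skipped.
max_disk_temp() {
    max=0
    for d in $DISKS; do
        t=$(smartctl -A "$d" 2>/dev/null | parse_smart_temp)
        if [ -n "$t" ] && [ "$t" -gt "$max" ]; then max=$t; fi
    done
    echo "$max"
}

# Write the level only when the gpio file is present and the level changed,
# so syslog is not flooded with identical lines.
set_fan() {
    level="$1"
    if [ -w "$FAN_CTL" ] && [ "$level" != "${LAST_LEVEL:-}" ]; then
        echo "$level" > "$FAN_CTL"
        logger -t fand "disk temp $2 C, fan -> $level"
        LAST_LEVEL=$level
    fi
}

# Last resort: notify, then power off before the disks cook.
emergency_shutdown() {
    printf 'Subject: NAS overheating: %s C\n\nfand is shutting the system down.\n' "$1" \
        | sendmail "$ALERT_MAIL"
    shutdown -h now
}

# Daemon loop: poll, adjust, and bail out at the shutdown threshold.
run_fand() {
    while :; do
        temp=$(max_disk_temp)
        set_fan "$(fan_level_for_temp "$temp")" "$temp"
        if [ "$temp" -ge "$SHUTDOWN_TEMP" ]; then emergency_shutdown "$temp"; fi
        sleep "$INTERVAL"
    done
}

# Constructed sample of "smartctl -A" output (38 C) to exercise the parser
# without touching a real disk.
SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2812
194 Temperature_Celsius     0x0022   112   105   000    Old_age   Always       -       38'

# Start the loop only when asked: ./fand.sh run
if [ "${1:-}" = run ]; then run_fand; fi
```

Run it as root with `./fand.sh run` (or from an init script); without the argument it only defines the functions, which is what lets the threshold table and the parser be tested on the sample text.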

UPDATE, Nov 20th, 2010 (THE REAL DUO)

To pair with the LinkStation NAS is its cousin, also from Buffalo, the LinkTheater LT-H90LAN. The LT-H90LAN reads media from Samba shares or a DLNA server via LAN and is a 720p and 1080i HD-ready device. Although not Full HD (1080p), that’s enough for my needs (I don’t have a Full HD TV in my house anyhow; maybe I’m waiting for 3D home video). It’s quite pleasing to enjoy good video quality and excellent audio in your living room, all streaming from a central NAS. The box also runs a variant of Linux (though hacking it can be a pain, so I’d rather leave the device untouched, to be safe). This is one further step toward an all-Linux-devices home (I thought I should buy an OpenMoko phone then).

chinese rendering server

In my previous post, we saw the image-replacement technique applied to rendering mathematical formulas. Replacing text with an image can be seen in various web techniques, mainly to display things that browsers can’t! It’s possible that many web technologies will never converge into common “form factors”: how many years have passed, yet SVG is still not supported on all browsers, and font technologies are still fighting stiffly with each other? Various issues will always remain unresolved, and image replacement, though ugly and inconvenient, can be used as a temporary solution.

As you can see in the image above: the first line is a popular Chinese straight-stroke font that can be seen in most browsers; the next lines are nice calligraphy (brush-stroke) fonts that can hardly be seen on the web! I’m going to try using FreeType2 for a very specific problem: rendering Chinese fonts, for one simple reason: aesthetics! Searching around, I can’t find any simple, standalone solution: nice Chinese fonts are very big, a typical TTF file ranging from 5 MB to 50 MB depending on the character set and quality (with that size, it’s obvious that we should use a server-side solution). Packages like Pango or Cairo are too complex and would require additional dependencies (which are unavailable on a free Linux host).

It took me a whole day struggling with FreeType2’s reference and manual to get it working with Chinese fonts (quite different from conventional Latin fonts indeed), and finally here it is! You can access the executable at: http://tkxuyen.com/freetype2.php with the following syntax: freetype2.php?text=…&font=…&size=…&color=…; here is an example. Below are renderings at different sizes (anti-aliasing works really well):


and renderings with 3 different Chinese fonts (very big files, installed on the server) and in different colors. Just note that these fonts are a bit non-standard: they produce traditional Chinese characters as output, but only accept simplified Chinese as input:


Update, Jun 6th, 2021:

Due to some changes on my web hosting, CGI is disabled for some reason. I really don’t have time to figure out why, so I’ve just temporarily removed the Chinese font rendering for now!

FreeType2 is a very handy open source library; it’s available on many platforms: Unix, DOS, Windows, Mac, Amiga, BeOS, Symbian… and it does a very good job of handling typefaces! Since FreeType2’s patent issues expired in May 2010, we will see increasing application of FreeType2 in many areas.

This is my very simple C code (~250 LOC) to experiment with FreeType2: loading a font, loading glyphs, rendering bitmaps, dealing with Unicode… To compile, just something like: gcc gifsave.c freetype2.c -o freetype2.cgi `pkg-config --cflags --libs freetype2`. I hope I can find time to extend the code into a more usable form: multi-line layout, alignment, RTF support, etc. Some restrictions are imposed to protect the server; if some text can’t be rendered (e.g. the rendering dimensions are too large), an error image like this is displayed instead:

latex rendering server

Some example expressions rendered by MimeTeX (it’s good to appear smarter than you are 😬!). If an expression fails to render, you will see an error image like this:

Recently, the wonderful yourequations.com site (which I’ve been using to occasionally render mathematical expressions on web pages) ceased its service due to heavy traffic. I was thinking about running my own LaTeX rendering server, and things turned out to be pretty easy, as follows, thanks to the excellent MimeTeX package, a reduced subset of LaTeX. It’s also interesting to experiment with the “stone age technique” of CGI. First download and compile the package:

wget http://www.forkosh.com/mimetex.zip
unzip mimetex.zip
cd mimetex
cc -DAA mimetex.c gifsave.c -lm -o latex.cgi
# test the binary, then view the 'fermat.gif' image
./latex.cgi -i "a^2+b^2=c^2" -e fermat.gif

Uploaded to the host, latex.cgi runs without any dependencies. The ugly thing with my (free) Linux host is that although it does allow CGI, it doesn’t allow CGI to return documents of type ‘image/gif’, no matter what. To work around this, I wrote a small PHP script which parses the GET input, calls the CGI to generate and save the image in a cache directory, then redirects the request to the LaTeX image. This also helps not to expose your CGI directly on the web!

// use the 'system' command to execute the CGI, which writes the image
// into the cache directory; the formula is shell-escaped before use
$cmd = "$mimetex_path -e ".$full_filename;
$cmd = $cmd." ".escapeshellarg($formula);
system($cmd);
// return the web path of the cached image, to redirect the request to
$text = $pictures_path."/".$filename;
return $text;

I’ve always loved CGI for its simplicity. CGI, Perl, Python… old things never die! Although I have almost no experience with them, they let you do whatever you want, given a little tweaking know-how. Please note that MimeTeX is not as full-featured as LaTeX; it can’t render some overly complex expressions and it uses an ugly bitmap font. If your server has some LaTeX support, consider using MathTeX, a more advanced version from the same author.

Update, Jun 6th, 2021

Due to some changes on my web hosting, CGI is disabled for some reason. I really don’t have time to figure out why, so I’ve just temporarily removed LaTeX rendering for now!

Win vs. Mac font rendering (and the way for Linux)

We can easily see the very poor font rendering quality of Windows right on Windows itself using Safari. Safari has different smoothing modes (image above) and another mode named “Windows standard” (image below).

Differences between font rendering on Ubuntu (above) and Windows (below).

Several years ago, on earlier versions of Fedora, Ubuntu… font rendering was just crap! Many people would find Windows better at text rasterization, and both were far inferior to the Mac. In the latest versions of the Linux desktop, things are much improved, while Windows (Vista, Win7) is still lagging far behind; Linux made bold advances from lessons learned from both Win and Mac!

Novice users on Windows find its text sharper, clearer and easier to read, while the Mac’s is a bit blurry! That is because Mac and Win have different origins and targets! Apple has a deep legacy in graphic design and desktop publishing; its algorithms try to preserve the nature of typefaces as much as possible and implement true sub-pixel rendering aimed at high-resolution output devices. Meanwhile, Win sticks to the pixel unit and aims at low-resolution devices (like computer screens, which are usually less than 100 dpi).

The consequence is that while Win’s text looks sharper and clearer on screen, it turns to crap when it comes to printing, whereas the Mac’s publishing output is closer to its on-screen look! Even worse, Windows’ text rendering solutions are only suitable for simple typefaces; when complex, high-quality fonts are needed, the output is usually very poor due to various wrong implementations of hinting, anti-aliasing and kerning algorithms. This paper (2007) addresses many of Microsoft’s implementation problems in detail and suggests the correct ways to do text rasterization, resulting in a now much better Linux desktop!

(If you’re using a Mac or a Linux desktop, you will see this blog’s text in VN URW Gothic L, an aesthetically fine font. Windows readers will only see the text in Arial, as I had to turn off font embedding for Windows due to its very poor rendering.)

Update, Feb, 20th, 2011

The font used now is TeX Gyre Adventor, an enhanced font based on URW Gothic L; you can see the hinting is quite a bit better, especially for Vietnamese text. The trade-off is that the file size is much larger, almost triple that of URW Gothic L.

linux sound server

1. Configure the PulseAudio server to broadcast itself and receive connections from clients. Configure the PulseAudio client to redirect audio output to the server.

2. GMPC remotely playing music on an MPD server.

Some fun with the Linux sound system. Today, a small, lightweight laptop is well-suited to all my everyday needs: email, web, office, music, video… A home PC is mostly used as a file server or backup system. However, one thing you can never be pleased with on a laptop is its sound; you still need a PC with a good sound card and speakers to enjoy music! Being too lazy to plug in the speaker jack most of the time, and in order to get rid of all those cables, we can choose between the two following approaches:

Setup a Sound server

1.   Set up a PulseAudio server on the PC and configure it to accept client connections.

2.   Set up a PulseAudio client on the laptop.

3.   We can then choose to direct audio to the laptop’s local headphones or to the remote PC (with our beloved good-quality speakers).

PulseAudio can be a pain on some systems, since Linux sound has always been a mess: ALSA, OSS, ESD, PulseAudio… As of Ubuntu 10.04 (Lucid Lynx), PulseAudio is quite stable; you would only need to:

sudo apt-get install padevchooser
# this will install the PulseAudio device chooser,
# which then pulls in the other dependency packages

Some old Linux apps (like XMMS, the music player I loved) don’t know about PulseAudio. We need to configure them to use ALSA, which has been reconfigured to work in bridge mode (ALSA then simply redirects the signal to PulseAudio).

Setup a Music server

Using MPD (Music Player Daemon, a music player working in client / server mode over a simple TCP text protocol) and a client like GMPC (Gnome Music Player Client). Though it may take some time tweaking to get MPD working with PulseAudio, this plays the mp3 files stored on the server very well. I’ve been using both of these methods to have my music played while lying on the sofa or in bed!

(And if you’re a vim-addicted user, you can use vimmpc to serve music to yourself while working inside vim.)

dell mini 9 hacks

A collective compilation of various hacks on the Dell Inspiron Mini 9. People have found lots of things to play around with on this tiny toy. The fact is that, though a compact machine, the Dell Mini 9 still has some space and slots (power, data) inside to embed a few more devices internally. These hacks range from little enhancements to very useful features for some. I would really like to try adding a touch screen to my Dell Mini sometime.

1.   Add HDD LED

One member of the My Dell Mini forums decided to add a “hard drive activity” indicator. He managed to do this without replacing either the low battery indicator or the power LED, by placing a new blue LED near the battery light. So when the SSD is in use (the Dell Mini doesn’t actually have a hard drive, but rather a solid state disk), the blue light glows. When your battery gets below 10%, it blinks orange.

2.   Add wireless mouse

A wireless mouse is very handy; I always want to get rid of the mouse cable. In this hack, the “hacker” mounts the Nano Receiver for the Logitech VX Nano laser mouse inside the Mini 9 without breaking down the receiver or soldering it in. That way it can be removed or replaced easily in the future.

3.   Add GPS receiver

Today, a GPS receiver chip is quite cheap (and small). We can solder a (USB) GPS chip onto the toy’s board and turn the machine into a GPS-enabled device, on which various interesting applications can be deployed. This is really a brilliant idea! (Besides: a GPS receiver chip the size of a small dime.) Well, if you don’t have a car with GPS navigation, you can carry the Dell Mini with you! But don’t blame it if the navigation software tells you about the safe road ahead while you’re at the bottom of a lake!

4.   Add 3G modem

You can also turn your Dell Mini 9 into a 3G mobile phone by adding a PCIe WWAN card. In this simple hack, you replace the machine’s wireless card with the WWAN card, plug a SIM in, and use software like MobiLink to make telephone calls. Of course with 3G, you also get Internet and the other things that come with WWAN.

5.   Add touch screen

With the 8.9″ LCD (quite small), a point-and-click device like a touch screen is very necessary. I find this hack the greatest one on the Dell Mini 9: you can leave your mouse at home; browsing (web, files…) and various other tasks can be done by touching directly on your screen. Imagine we could install an (online) handwriting recognition package and input Chinese directly on the screen (though we already have SCIM, which does the job quite well). Packages for Chinese handwriting recognition are available in some Chinese Linux distros.

6.   Install Mac OS X

Mac OS X (10.5, Leopard) runs smoothly on the Dell Mini 9. This is perfect for those who adore the Mac look and feel. Just download the Leopard ISO file, burn a DVD, boot up the machine with an external DVD drive and proceed with the installation. However, to take, you have to give something: Ethernet simply won’t work; you can, however, manage to get wifi and sound working.

dell inspiron mini 9

My new Dell Inspiron Mini 9 notebook: the company laptop is far too heavy to carry back and forth daily, and this is really a cute tiny toy to have. With dimensions barely larger than a pencil, the notebook is really light, its display is bright and clear, sound is pretty good, and the external speaker is amazing for such a mini notebook.

This is a laptop with no moving parts: the hard disk is solid-state (16 GB), and there is no ventilation fan (the temperature is just right after long use). The disadvantage with the toy is that the keyboard is quite small and strange, which may take time to get familiar with. Ubuntu (Hardy Heron) came pre-installed, and all software works out of the box: graphics, sound, wifi, webcam…

The distro is a customized version for Dell called Netbook Remix; however, after a while I got bored with that and switched to the default Gnome view. The good point is that the mp3, Acrobat Reader, Adobe Flash, Sun Java… licenses come with the distro; there’s no need to hack for these. Please see below for some GUI screenshots.

fingerprint sensor & ubuntu

My right index finger scanned and correctly identified

Too much literature, too much music lately; now some technical stuff to line up the thoughts in my head. Fingerprint readers have been out for quite a long time, but one has only come to my hands recently on this HP 6910p laptop. The machine has an AuthenTec AES2501 fingerprint sensor built in, and using it is quite straightforward under Hardy Heron:

1.   Install fprint-demo, libfprint-dev, libfprint0 and libpam-fprint from the ppa.launchpad.net/madman2k repo.

2.   Use fprint_demo to enroll some fingers. Identification and verification are good for the thumb and index fingers, but really bad for the middle, ring and little ones.

3.   Configure the PAM module to make use of fprint by adding these two lines to your /etc/pam.d/common-auth file, in this order (pam_fprint is marked sufficient, so a failed or skipped fingerprint falls through to the password check). Remember to still keep password login enabled, since fprint is quite preliminary:

auth sufficient pam_fprint.so
auth required pam_unix.so nullok_secure

Now restart your machine and enjoy! At the login prompt, you need to enter your username, then scan an enrolled finger for authentication. If the fingerprint fails, normal password login applies. In KDE, screen locking and gksudo work seamlessly with fprint.

I observed the fingers’ scanned images for a while, to find out how they do all the identification and verification tasks. It’s quite clear that they use some control points (called minutiae). You can see red dots in the image on the left (binarized from the raw scanned image): they are either end points or branching points (points at which a ridge separates into more ridges). They don’t need to match all the ridges of the fingerprints; they only need to do some pattern matching on the set of minutiae. Given two sets of minutiae, some Cartesian measures on the points’ positions may be enough to match two fingerprints.

This machine, the HP 6910p, is designed for medium performance but advanced security: it has a TPM chip inside, a smart card slot and a fingerprint sensor. That would be quite sufficient to protect your privacy.

file system encryption

The PC-link reader, which can come in many forms: USB, serial, PCMCIA, pinpad…

An Axalto (previously Schlumberger's, now Gemalto) smart card; this could be an access control card, a bank debit/credit card, a health care card, a social identification card… Some smart card types are actually tiny computers: they have an operating system and a Java virtual machine inside. Note: many smart card vendors' readers are OEM-ed from SCM Microsystems, a Germany-based company. We had better choose hardware and firmware directly from SCM when working on open source projects.

You have important data on your laptop, and one day the laptop is stolen. The best you can expect is that you lose all that valuable information. The worst… who knows what it can be!? Having the computer (hardware) in hand means having access to every piece of data stored on it. How can you protect yourself from that situation?

The solution is to encrypt your storage and keep your key safe from others' access. You can encrypt your home directory or a whole data partition. (Some even encrypt /boot, swap and / (root), full disk encryption, so that their activities leave no traces.) With Linux, every tool is at hand, so let's start making your life easier. Below are some guidelines on how to do it on Debian.

1.   Install eCryptfs: a Linux-native and POSIX-compliant enterprise-class stacked cryptographic file system.

$ apt-get install ecryptfs-utils
$ modprobe ecryptfs
# you may have to patch your kernel in order for
# ecryptfsd (the key management daemon of eCryptfs)
# to work; in that case, you'd better grab and
# build eCryptfs from the latest source.

2.   Set up eCryptfs:

# simple setup, passphrase entered from stdin;
# eCryptfs allows overlay mounting: the mount point
# and the actual storage can be the same directory.

$ mount -t ecryptfs /encrypted/storage /mount/point
# you can now see your new fs using the command df;
# test it: go to your mount point and write some
# data, then look at the output in the encrypted storage.
$ cd /mount/point
$ echo "Hello World" > hi.txt
$ cd /encrypted/storage
$ less hi.txt
# after umount /mount/point the plaintext is not
# accessible anymore


Every security solution comes down to the same dead end: there must be a MASTER KEY as the main entrance to the whole system. We have several ways to protect the master key:

+   the tricky way: store the key somewhere on the disk, e.g. in the first sector of the volume image (offset by some bytes to a position only you know), so that the key is hard to find and cannot be accidentally deleted. More information about the trick is here.

+   the explicit way: store it on external storage such as a USB stick; the system can only function once the USB stick is plugged in.

+   the "smart" way: a smart card is the best place to store a key. You can write a public/private key pair to a smart card but can only read the public key back; no one can read the private key, including you. Smart cards are designed to do encryption/decryption jobs: just ask the card to encrypt/decrypt some data using a specified key, and the card sends back the result.

In an organization, the private key is stored on a smart card and given to the "person in charge" without fear of losing the key. For personal use, I think the second solution (using a USB stick) is quite enough.

1.   Set up the smart card:

# install pcscd, the daemon that talks to the
# card reader, and OpenSC, the open source
# smart card project

$ apt-get install pcscd
$ apt-get install opensc
# in my case, I have an Axalto reader which is not
# supported by pcscd. knowing that Axalto's
# hardware is OEM-ed from SCM, I just downloaded
# the firmware from SCM, flashed the reader and it
# is then recognized as an SCM SCR 331 device. You can
# play around with the smart card using opensc-tool;
# you can erase and init the card's file system,
# create a PIN and generate keys using
# pkcs15-init; encrypt/decrypt can be
# done using pkcs15-crypt

2.   Working with keys:

Public and private keys are fundamental concepts of digital signatures. In short: multiply two big prime numbers (the private part) and you have a semiprime number (the public part). A certificate is a wrapper around the public key for working with a CA (Certificate Authority), so that the public can check whether a public key really belongs to an organization.

# generate a public and private key in RSA 1024
# bit PEM format, extract the public key from this
# key pair, then encrypt/decrypt with the keys

$ openssl genrsa -out private.pem 1024
$ openssl rsa -in private.pem -out public.pem -outform PEM -pubout
$ openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
$ openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt
# create the smart card's file system,
# then create a PIN

$ pkcs15-init --create-pkcs15
$ pkcs15-init --store-pin --auth-id 01 --label "mycom"
# copy the private key to the smart card; to decrypt,
# we need to specify the key's usage

$ pkcs15-init --store-private-key private.pem --auth-id 01 --id 45 --format pem --key-usage sign,decipher

3.   Set up the whole thing:

With your smart card properly set up (a public/private key pair has been stored), we can use the following script to: 1. create a temporary volatile file system; 2. use the smart card to decrypt the password and store it on that file system (these files simply disappear when the machine powers down); 3. use the decrypted password to mount with eCryptfs.

# 1. create a volatile fs to temporarily store the
# decrypted passfile (mode 0700: root only)

$ mount -t tmpfs -o size=10M,nr_inodes=10k,mode=0700 tmpfs /tmp_fs
# 2. decrypt the password file from
# /root/passwd to /tmp_fs/passwd using key id 45 on the card

$ pkcs15-crypt --pkcs1 --decipher -k 45 -i /root/passwd -o /tmp_fs/passwd
# 3. now mount our encrypted
# directories with eCryptfs (no spaces in the option list)

$ mount -t ecryptfs /encrypted/storage /mount/point -o key=passphrase:passfile=/tmp_fs/passwd,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=1,verbosity=0

Done! Choose a strong encryption algorithm (e.g. AES 256-bit), and in most cases you and your data are safe until they have a quantum computer running. Be sure to keep your key secret, or your efforts will be of no help. For maximum security, choose a good smart card model, increase your key size, revise all the procedures of your software system…

(You're pretty safe right now, so why is there an "in most cases" in my last paragraph? The truth of being secure is actually more complex than that, as a quite simple technique like this could be applied to steal the password of a disk encryption system. It relies on the fact that data in DRAM does not fade right away after losing power; it can still last for some seconds (or even minutes), and by cooling the DRAM with an air duster (to slow down the fading), the DRAM module could then be copied and scanned for the password (assuming the password has been entered and kept in memory). Nothing is really safe; however, a hardware problem like this should have a hardware solution (like these AES 256-bit encryption Fujitsu hard drives).)


After decorating my Linux box with all the newest GUI components, the next things are for work. I found out that all Vietnamese keyboard software is broken on Hardy Heron: xvnkb stops kde_init and x-unikey crashes other applications all the time. Then came the wonderful thing: scim. scim is a global input software designed for almost every language. Mathematically speaking, the job is just mapping one key combination to a character code. In this view, most languages can be supported without any difficulty.

In everyday work I mostly use English and Vietnamese; Chinese is just for entertainment. Please note that Chinese input is done via the vi-nomtelex method, which is based on Hán-Việt (the Vietnamese phonetic transcription of Chinese) to retrieve the correct Unicode character, so we have a double mapping here: from raw keystrokes to Vietnamese, and from Vietnamese (Hán-Việt) to the final characters. Actually, this method is designed primarily not for Chinese but for Nôm, the ancient Vietnamese writing system.