Saturday, June 27, 2015

Three Things

I still don't know what this blog is about, other than being a place to work out some stuff rattling around in my head.  So far I have avoided writing about politics and social issues, but the last couple of weeks have been a wild ride for us here in the U.S.A.  I grew up, live, and work in "the South", where the majority of my family, friends and co-workers are unabashedly conservative, religious, and mostly Republican with a smattering of Libertarians rounding out the crowd.  They are also, for the most part, very good people with whom I can have thoughtful conversations on a wide variety of issues, and the fact that I often fall into the liberal camp doesn't seem to have cost me any friends.

Still, I've really been thinking a lot about some of the things that have transpired in this great nation of ours of late, and I'm going to use some space here to clear my head.


Supreme Court Ruling On The ACA

The Affordable Care Act, which many refer to as "Obamacare", has been a huge political football.  It was (I believe) a well-intentioned law, but nevertheless one which was pretty badly flawed.  I think it will be a long time before we can assess the overall level of benefit it provides or the damage it does.  And I suspect we will continue to see court challenges to parts of the law which some folks find objectionable, so the final form has yet to take shape.

Recently the Supreme Court of the United States (SCOTUS) heard a challenge to a provision that allows the federal government to provide subsidies to people who buy insurance on the exchanges that have been set up.  A poorly worded provision of the law literally refers to exchanges set up by the states, which led to a suit claiming that this means the federal government isn't allowed to give subsidies to people who buy insurance on exchanges set up by the federal government, which is what we get in states that refuse to set up their own exchanges. 

This week the court ruled that the federal government can give those subsidies.  Many on the right have howled about this - that in making this ruling, SCOTUS has "rewritten" the law.  Frankly, I think this is a misunderstanding about how SCOTUS works.  In cases like these, their goal is generally to try to understand what the authors of a law meant or intended.  The court decided, rightly in my view, that there is no way the authors of the law intended to withhold subsidies from people forced to buy insurance on federal exchanges just because their states didn't set up their own.


Flying the Confederate Flag

The Confederate Flag is a symbol which means different things to different people.  It's a gross understatement to point out that the mixture of emotions it evokes is complex; for people like me, liberal southerners, it's really complex.  For some the flag is a symbol of a time when our country's laws allowed one race of people to own people of another race, when the southern states tried to leave the Union specifically to preserve that right, and of more than a century since that war in which racism has remained alive, like Voldemort, half-dead but never quite killed off.  For others, it is a symbol of a time when their ancestors took up arms and risked life and limb to defend their homes from an invading army, and acquitted themselves honorably in battle.  And frankly, for some, it's simply a symbol of a mysterious attribute we might call "southern pride."

Over the last week in the wake of a terrible mass shooting in which a young white man brutally murdered a number of black churchgoers, there has been an intense discussion concerning the meaning of the flag (which is featured prominently in pictures of this young man), and concerning whether and when it is appropriate to display it.

I believe in free speech, and therefore believe that for individual citizens, there is no question but that they have the right to fly the flag in their yards, wear clothing using the flag, put bumper stickers on their cars and trucks, etc.  However when it comes to government institutions, be they state, county or municipal, I believe strongly that it is wrong for them to fly it.  There are two reasons for this.  First, the flag is also a symbol of rebellion against the Union, and any state or other government flying the flag is making a statement glorifying rebellion against the U.S.A.  The fact that a number of southern states have done and continue to do so is almost incomprehensible to me, especially given the extreme level of patriotic fervor felt by nearly all southerners.  Second, these governments are charged with the representation of ALL of their constituents, of all races and all ancestries, and to fly this flag is a direct insult to vast numbers of their citizens.  I have no desire to see the flying of the flag made illegal for individual citizens, frankly do not think it should be a legal matter for the states or municipalities either - just that those government institutions should make the clear and rational choice not to do so.


Supreme Court Ruling on Gay Marriage

This week the Supreme Court ruled that the individual states may not prohibit gay and lesbian marriages.  There is much left to happen here; there will be challenges and court battles.   But make no mistake, I have expected this.  I believe that it is inevitable that we will have marriage equality in the U.S.A.  This is where the currents are carrying us, and while some may swim against the river for a while, eventually it carries us all along.

The trend over more than a decade has been towards a growing percentage of the American public in favor of legalized gay marriage.  For the past year most polls have put this number at around 60%.  That number is interesting.  Some folks who are unhappy with the SCOTUS ruling this week feel that the court abridged the natural democratic process that should have been allowed to play out. What I think is interesting is that at least in the Senate, 60% is what we think of as a "supermajority".  Assuming the trend continues, Americans would almost certainly have elected an increasing number of Senators and Representatives who would have supported gay marriage, and congressional action would have occurred at some point.  It would have taken years longer of course, but this is what I meant by seeing this as a sort of inexorable current.

More to the immediate point, in my view there was very good reason for the court to make this ruling now, rather than allowing the country to go through the longer process.  Over the last few years, either by direct popular vote or due to legal action, well over half of the states were allowing gay marriage.  A situation in which a couple can marry in one state, and then find their marriage to be held illegal or invalid in another, results in a sort of chaos which is not good for anyone.  It's easy to say things like "Well, they should just choose to live in a state where their marriage is welcome."  But this ignores the fact that the choices we make about where to live are driven by forces not always under our control.  What happens to the gay couple when one partner needs to live in a particular state for a job?  What happens when they need to move closer to family, perhaps to care for an elderly parent?  The simple fact is that some kinds of legal arrangements need to be accepted by all states in order for the nation and her citizens to function.

Finally, let me just say this - my own feelings about homosexuality were resolved long ago when I realized one simple fact - it's not a choice.  Ethical and moral questions were simply made irrelevant by that one thing.  In this country we can and do make legal distinctions about the choices people make, but we do not make legal distinctions about who people are.  Saying that a person must "choose between who to love and where to live" makes no sense once we accept that people do not choose who to love.  Until now, the only choice for gays and lesbians has been whether to live a closeted existence, denying the reality of who they are in exchange for the convenience of benefits, or to live openly and be punished by a country with a confusing and constantly changing set of laws.

The SCOTUS ruling doesn't set everything right, not by a long shot - but it clearly sets forth the path we are going to follow.  For my gay and lesbian friends, I'm happy for you.  For the rest of us, and especially the people I know who are wondering whether the country is now on the verge of some sort of moral collapse - I say, "We're going to be just fine, like we always have."

Wednesday, June 24, 2015

Printing Problems Redux

Some time ago I wrote a rather lengthy post about an old case where I had to troubleshoot a difficult problem with print jobs failing - The Case of the Silence on the Wire.  Recently I have had to look at a problem that carried some of the same baggage.  An external customer is printing to a print server at our print facility, over a VPN, and seeing some issues.

This is an LPD/LPR setup, with our server listening on TCP port 515 and the customer's system using the standard client-side ports 721-731 (see https://www.ietf.org/rfc/rfc1179.txt).  When the issue was reported a few weeks ago I didn't really see anything I could put my finger on.  Our server response time (as calculated by my analysis software) was a little slow, and there were a few retransmissions from the client, but overall the connections looked healthy enough - TCP three-way handshakes looked ok, data being transferred with our server acknowledging, proper FIN exchanges at the end.  At least that's what I saw the first two or three times we were contacted to check it out.

Today I was asked to take another look - the problem was reported to have occurred between 7:00AM and 9:00AM on June 23rd.  I grabbed a capture off our sniffers and took a look.  The sniffer is capturing everything both on the inside interface of our firewall and on the interface that goes to our private extranet connections, including VPNs, so I had a sort of "double trace", with one copy of the traffic showing the connection to the real internal IP address of our server, and the other showing the connection to the external NAT address.

Looking at a list of connections that took place during the time in question, I saw a bunch of connections that looked more or less like what I described above, but today I noticed something different - there was a connection listed that looked really small on the packet count.  This was sourced from client-side port 722.  I filtered on the trace and saw incoming SYN packets, but our server wasn't responding with SYN/ACKs - it was responding with plain ACK packets, and the ACK numbers weren't correct for the incoming SYNs.

Now, first guesses aren't always right and you must take care to check things thoroughly.  On the other hand, when you've been working with a particular system as long as I've been working with TCP communications, you can sometimes get pretty close to the mark.  In this case, I wondered whether the server was responding to an old connection - some previous connection sourced from port 722 that didn't close properly, so the server was still trying to reply using ACK numbers for that old connection.

I began working my way backwards through what our sniffer had captured - all the way back to about 6:35AM - and every time they tried connecting from port 722, we were just sending these ACKs.  In all cases the ACK numbers we were sending back were the same (at least on the packets taken from the inside interface of the firewall), and none of them were anywhere close to being correct for the SYN packets.  Earlier than that there were no connections on June 23rd.

I shifted focus to my Netflow tool.  Hunting for connections out of the vast number captured on a big capture box being fed by multiple taps can be really difficult, but Netflow boils down connection information to the essentials.  My Netflow records indicated that communications from this client had ceased a little after 10:00PM on the night of the 22nd, and further that there had been a connection from client port 722 that had enough packets in it to have been viable.  With that information I delved back into the sniffer to find that connection.

It was exactly what I was looking for.  The connection had started off fine, with a good three-way handshake, and for a time had proceeded normally - client sending data, server sending ACKs.  At the end, the client sent a final packet with data in it and with the PUSH flag set indicating the server should process it and acknowledge, which it did.  I verified that this last ACK got through our firewall, as it appeared in the trace taken on the outside.  After that the client didn't send anything further for about 25 seconds, no further data and no FINs - after which, it sent a new SYN packet from client port 722.

This packet did not get through the firewall - the firewall was monitoring state and still thought the old connection was open (the firewall has an idle timer of 1 hour for TCP connections in the state table).  The firewall - apparently - sent an ACK using the last valid sequence numbering from the previous connection.  The client resent the SYN several times, and the firewall sent those ACKs each time, never letting the SYN through to our server.  After a while the client gave up and moved on to a new port number.

The difference between this and what we were seeing in the morning was this - by the time the client got around to starting up again on the 23rd, the firewall had forgotten about the old connection, removing it from the state table, so it was now allowing the SYN packets through to the server.  But the server still had the old connection open (more than 8 hours later!!!) and was still sending ACKs for the sequence numbering of the old connection from the night before.

There were two interesting things about these traces that revealed something I'd never seen before, and which challenge my assumptions about how much I know about this particular brand of firewall.  First, I've never seen the firewall send an ACK of its own to a connection like we saw on the final connection on the night of the 22nd.  At that time the firewall was not letting the SYNs through and my traces on the inside interface of the firewall confirm this - the print server was not getting them and was not sending the ACKs, yet I could see ACKs on the outside interface of the firewall.  As near as I can tell the firewall had to be sending them.

Second, in my experience this particular type of firewall is very strict about keeping track of state, and I would not have expected it to allow those ACKs from the server the next morning - once the firewall was letting the SYNs through it should have been watching for SYN/ACKs from the server, and also watching to make sure the ACK numbers were correct.  Instead, it was letting those ACKs go right through.  I am thinking maybe the firewall is programmed to do this in case there are out-of-order packets on the wire, but it still seems a little freaky and I'm going to have to read up on it.
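The stale-state pattern described in this post, as an added example (not code from the original post): a small Python tracker over a constructed packet list that (a) flags any SYN answered by a bare ACK whose acknowledgement number does not fit the SYN, which is what both the firewall on the night of the 22nd and the print server the next morning did, and (b) models a strict stateful firewall with an idle timer to show which SYNs would be dropped while the old entry is still held. The IP addresses, sequence numbers and timestamps are constructed; only ports 515 and 722 and the 1-hour timer come from the post.

```python
from dataclasses import dataclass
from typing import List, Tuple

SERVER_PORT = 515  # LPD/LPR listener, as in the post


@dataclass
class Pkt:
    """One TCP packet as a sniffer would summarise it (constructed, not a real capture)."""
    ts: float        # seconds since the start of the trace
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # subset of "S", "A", "P", "F", "R"; e.g. "SA" is a SYN/ACK
    seq: int
    ack: int
    length: int = 0  # payload bytes


def flow_key(p: Pkt) -> Tuple:
    """Direction-independent 4-tuple so both halves of a connection share one key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def find_stale_ack_replies(packets: List[Pkt], window: float = 5.0) -> List[Tuple[float, int, int, int]]:
    """Flag SYNs answered with a bare ACK instead of a SYN/ACK.

    A healthy reply is a SYN/ACK with ack == syn.seq + 1.  A bare ACK carrying some
    other acknowledgement number means the responder (server or firewall) is still
    working from state for an earlier connection on the same ports.
    Returns (syn_ts, client_port, ack_received, ack_expected) per offending SYN.
    """
    findings = []
    for i, p in enumerate(packets):
        if p.flags != "S":
            continue
        expected = p.seq + 1
        for q in packets[i + 1:]:
            if q.ts - p.ts > window:
                break
            if (q.src, q.sport, q.dst, q.dport) != (p.dst, p.dport, p.src, p.sport):
                continue
            if "S" in q.flags and "A" in q.flags and q.ack == expected:
                break                       # normal handshake, nothing to report
            if "S" not in q.flags and "A" in q.flags:
                findings.append((p.ts, p.sport, q.ack, expected))
                break
    return findings


def syns_blocked_by_state(packets: List[Pkt], idle_timeout: float = 3600.0) -> List[float]:
    """Model a strict stateful firewall with a per-connection idle timer (1 hour in the post).

    A SYN on a 4-tuple whose old entry is still in the table (no FIN/RST seen, timer not
    expired) is dropped; once the entry ages out the SYN passes.  Returns dropped SYN times.
    """
    table = {}        # flow_key -> last time a packet refreshed the entry
    dropped = []
    for p in packets:
        key = flow_key(p)
        if "F" in p.flags or "R" in p.flags:
            table.pop(key, None)            # orderly close or reset clears the entry
            continue
        last = table.get(key)
        if last is not None and p.ts - last >= idle_timeout:
            table.pop(key)                  # entry aged out of the state table
            last = None
        if p.flags == "S":
            if last is not None:
                dropped.append(p.ts)        # old entry still held: SYN never reaches the server
                continue
            table[key] = p.ts
        elif last is not None:
            table[key] = p.ts
    return dropped


C, S = "203.0.113.10", "198.51.100.20"   # constructed addresses from documentation ranges

SAMPLE = [
    # Night of the 22nd: the connection from client port 722 is set up and used normally...
    Pkt(0.00, C, 722, S, SERVER_PORT, "S", 1000, 0),
    Pkt(0.01, S, SERVER_PORT, C, 722, "SA", 5000, 1001),
    Pkt(0.02, C, 722, S, SERVER_PORT, "A", 1001, 5001),
    Pkt(0.03, C, 722, S, SERVER_PORT, "PA", 1001, 5001, 100),
    Pkt(0.04, S, SERVER_PORT, C, 722, "A", 5001, 1101),     # server ACKs the pushed data
    # ...then, with no FIN ever sent, the client starts over on the same port 25 s later.
    Pkt(25.00, C, 722, S, SERVER_PORT, "S", 2000, 0),
    Pkt(25.01, S, SERVER_PORT, C, 722, "A", 5001, 1101),    # bare ACK with the OLD numbers
    Pkt(26.00, C, 722, S, SERVER_PORT, "S", 2000, 0),       # SYN retransmit
    Pkt(26.01, S, SERVER_PORT, C, 722, "A", 5001, 1101),
    # Next morning (~8.3 h later): the firewall entry has aged out, the server's has not.
    Pkt(30000.00, C, 722, S, SERVER_PORT, "S", 3000, 0),
    Pkt(30000.01, S, SERVER_PORT, C, 722, "A", 5001, 1101),
]

if __name__ == "__main__":
    for ts, port, got, want in find_stale_ack_replies(SAMPLE):
        print(f"t={ts:>9.2f}  SYN from port {port} answered by bare ACK {got} (expected {want})")
    print("SYNs a 1-hour stateful firewall would drop:", syns_blocked_by_state(SAMPLE))
```

Run against the constructed trace, the first function reports all three SYNs on port 722 after the unclosed connection, while the firewall model drops only the two from the night of the 22nd, matching the two behaviours the post describes.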

Sunday, June 14, 2015

Panasonic DMC-LX100 - First Impressions

Note: This is not a full review of the LX100 as I lack the technical expertise to do it justice.  For a couple of good, in-depth technical reviews, check out this one at DPReview and this one at Camera Labs.

I got into photography as a hobby as a young man, and over the years I've owned a number of cameras, including a very capable DSLR with some fine lenses.  One of the hardest things to accept has been that I just don't like carrying around a big camera and a lot of associated gear.  I love the freedom of full manual control, but I hate the weight and bulk of the traditional setup.  For these reasons, earlier this year I finally sold off my DSLR and lenses (which spent most of the time on the shelf gathering dust) and went looking for something that would better suit my needs.

My short list of desired features went something like this:
  • Something small, light, portable
  • A good quality non-removable lens 
  • Full manual controls
  • Good low-light sensitivity (I never learned to properly use a flash and thus prefer natural light)
  • Minimum image size of 10 megapixels
  • The ability to shoot RAW as well as JPEG
The camera which I chose, and which ticks off all the boxes for me, was the Panasonic DMC-LX100.  I have had the camera for about a week, and today I'm going to lay out my overall impression of this camera.  


Controls & Handling

The LX100 is small - not shirt-pocket small, but probably coat-pocket small.  However it is large enough to fit comfortably in my hands which are medium sized for an adult male.  There's a comfortable grip on the right-hand side and hand-holding feels quite normal, even though almost all my previous cameras have been a lot bigger.

The LX100 gives full manual control of the things a photographer cares about - ISO, aperture, shutter speed, and focus.  One of the neat things about this camera is that several of these controls are laid out in a traditional way - the shutter speed is selected with a dial on top of the camera, the aperture using a ring on the lens, likewise a ring for manual focus (this ring serves various functions depending upon the mode in which the camera is used), and an exposure compensation dial on top.  Shutter speed and aperture can be fine tuned using a dial on the back of the camera - in other words you can select values in between those found on the physical controls.

The camera allows for a full range of settings from full manual to full automatic.  Shutter priority, aperture priority, manual or automatic focus (with an array of autofocus modes), manual or automatic ISO selection, it's all there.

Shooting with the LX100 feels very familiar - after selecting some combination of manual and automatic settings, I aim the camera at my subject, use a half-shutter press to evaluate exposure and focus, recompose the shot if necessary and shoot.  It's a satisfying experience.

As with nearly all digital cameras, many features can only be accessed through a menu system, others through a variety of dedicated buttons on the camera.  Initially I found the menu system a bit daunting, but it's pretty well organized and I quickly got familiar with the locations of those features I most frequently use.  There is also a "quick menu" feature that allows you to customize an abbreviated set of features you're interested in.  

One thing I really appreciate is the electronic viewfinder.  While the camera's LCD screen is decent, my eyesight is not, and the ability to look through a clear, bright viewfinder with a dioptic adjustment is a big deal for me.


Performance

The LX100 is a serious piece of equipment, despite being labeled a "point and shoot" on Panasonic's web site.  It is outfitted with a really nice, fast Leica lens with a maximum aperture of f1.7, and that's paired up with a micro four-thirds sensor.  This camera does really well in low-light.  Image quality appears to me to be very good, as good or better than my old DSLR, although my own capabilities are not often up to the task of getting the best out of the camera.  In short I do not feel like the camera is holding me back.

There are certain things I have had to learn to pay attention to when using this camera.  The two biggest are autofocus and automatic ISO.  In both cases the camera does not always make the choices I would prefer.  

The camera has a 49-area autofocus which should - in theory - produce good results, but I have found myself using the single-area setting more and more, which allows me to point the camera at my subject and use the half-press shutter method to evaluate focus.  One thing I do appreciate is the ability to focus manually using the lens-mounted ring, and the camera has a neat "focus-peaking" feature that makes evaluating precise focus on macro shots much easier.

As for ISO, the camera has a tendency to err on the side of selecting higher ISO settings than I would like.  I have taken some shots of roses in my yard, in plenty of light, only to find later that the camera selected an ISO of 1600 and they turned out grainier than I wanted.  Setting the ISO is certainly easy enough, so when I know I have plenty of light I just pick something suitably low.  On the other hand, I find the image quality to be better at higher ISO settings than I was ever able to achieve with my previous cameras.  Indoor hand-held shots at ISO 1600 have produced some very acceptable results.

Although I highly prize all the manual controls, the camera does a reasonable job in full-auto mode, and it has a dedicated button for activating that.  Press it once and the camera becomes a real point and shoot, so snapping spontaneous shots (or handing it over to a non-photographer) is simple.  Pressing it again returns the camera to the previous state.

One of the outstanding features of the camera is that it has a nine-leaf aperture, which produces very round and soft out-of-focus areas (what real photographers call bokeh).  I love taking close-up shots of subjects with a large aperture setting and getting that lovely, soft look to the background.

One of the few things I would change if I could is I'd like a little longer focal length.  The effective zoom range is 24mm to 75mm.  I'd like it to be able to do optical zoom out to about 100mm.  You aren't going to get up close to a subject with this camera unless you carry it up close - taking pictures of the birds and squirrels on the feeders in my front yard isn't so easy with the LX100.


Interesting Features

Although I mainly bought this camera for its ability to operate like a traditional all manual camera, there are a number of things I've found to be pleasant, even fun surprises:
  • Wireless control - The LX100 can be paired with an Android or iOS phone or tablet, offering some interesting possibilities.  When paired, you can view what the camera sees on the remote device, adjust some (but not nearly all) settings, and shoot.  If you are shooting something on a tripod and want to avoid shaking the camera by pressing the shutter button, this is the way to do that.  It also means if you want to be in a group shot, you can set up the camera and take your time getting situated and fire it off.  The wifi app also lets you transfer images and movies to the phone or tablet for easy upload to social media sites.  The pairing process, however, can be a bit of a pain.  I have it working pretty reliably now but only after a lot of trial and error getting the process down.  I might do a separate blog post on this at some point.
  • Time-lapse movies - I am not writing about the camera's considerable movie-making features because I rarely take videos, but one of the neat things you can do is full in-camera time-lapse photography.  You set up the camera on a tripod or otherwise secure it, adjust the normal features (shutter speed, aperture, ISO, focus) or set some of these to automatic, pick how often you want shots to be taken and how many you want it to take, and let the LX100 go to work.  At the end of the process you are prompted to process the images into a video, with selections for the video quality and frame rate, and even whether to make the video in forward or reverse order of images.  One of the neat things is that you can go back after the fact and reprocess the images into videos with different settings.
  • Panoramas - The camera lets you take panoramic shots, panning as it shoots, and it stitches the images together automatically.  So far I have found this produces good quality panoramas.  Shooting panoramas by manually stitching images together in an external computer program may produce better results, but I always found it too cumbersome to mess with.  But since the LX100 makes it so easy, I have found myself using it on occasion and I'm happy with the results.


Accessories

I have outfitted my LX100 with a few accessory options.  I put a B+W UV/Haze filter on the lens and it will likely stay there for the life of the camera.  I know there are a variety of opinions about this, but to me, it's cheap insurance for the lens.  When I sold off my DSLR equipment earlier this year, I was able to guarantee my buyers that the lenses were completely clean and free of scratches because I did this with every lens I bought.

I am not fond of traditional lens caps, which are easy to lose, so I was interested in getting a more-or-less permanently mounted auto-opening lens cap for this camera.  Panasonic makes one, but theirs is about $40 US, and according to various reports will not close over the lens with a filter installed (such as the UV filter I use).  I opted for an aftermarket cap, the JJC ALC-LX100.  It fits well and closes over the UV filter perfectly.

I bought a Gariz "Mirror Less" leather wrist strap for the camera.  Although the LX100 comes with a traditional neck strap, it is a small enough camera that it feels quite comfortable on the wrist, and the Gariz strap is a good choice.  It fits well and it looks very classy.

I bought two spare batteries (aftermarket replacements for the DMW-BLG10).  Battery life varies a LOT depending upon how you use the camera.  If you're just taking photos, especially without flash, it may last quite a while.  If you are shooting video, doing a lot with wifi, doing time-lapse shots and processing into video, all these things can knock the battery down really fast.

Finally I picked up a Lowepro Format 110 bag just to keep the camera, batteries & charger, and USB cable all in one place.  


Final Thoughts

I am really pleased with the Panasonic DMC-LX100.  It fills my requirements for portability, manual control and image quality.  It's got more digital tricks than I have time to write about here, and which will provide endless learning opportunities.  My list of complaints is minimal; most of the things other reviewers have complained about (lack of external mic for videos, lack of touch screen LCD) just don't matter to me.

More importantly, it's got me doing photography again.  I carry this camera with me, because I can.  It's easy to pick up any time I have a few spare moments.  The manual controls and great ergonomic layout make the camera a joy to hold and use.  I am back to doing photography, because the LX100 gives me the right set of tools to do it.  

Thursday, June 4, 2015

Some Things Shouldn't Have To Be Hard

Part of my job involves supporting the network for a business unit with government contracts.  We have a connection to a private government extranet, over which our users connect to several websites required to fulfill the contract work.

Monday morning the senior director of IT operations for this business unit called me to say that his users couldn't log into one of these sites.  He had already been in touch with tech support for the site, and they had confirmed that it was up and running, and suggested we had a problem on our end.

I started my troubleshooting by logging into the perimeter router connecting to the private extranet, and saw that the connection was up.  Next I logged into a perimeter firewall and checked that there was live traffic passing in both directions - everything looked healthy there as well.

Finally I logged into a PC on the affected network and tried connecting to the external site myself using a web browser.  I was unable to connect.  Browsers these days do a pretty poor job of indicating what the problem is if a site can't be reached.  I was using IE 11, and it gave me a list of possible causes that covered just about every possible issue.

I decided to look up the IP address of the remote site so that I could trace the path through the network and double check firewall rules.  Using nslookup at the command prompt, I got a good indication of the problem right away - I was unable to resolve the IP address of the site.  My computer was configured to point to our internal DNS servers, which in turn forward certain domains to DNS servers located across the private extranet.  

Since I was unable to resolve the IP address, I suggested that we needed to get the on-call DNS administrator to check things out.  In the meantime we also started a conference call with the tech support people for the remote network.  While waiting for our own DNS administrator to join, I described the issue I was seeing.

The remote technician asked me, "Well, what did you change?"  I told him we hadn't made any changes.  He asked, "Did you do anything to your network connection?"  No, we hadn't.  "Did you make any firewall changes over the weekend?" was the next question.  No, we didn't.  I reiterated to the remote tech that our connection was up, everything seemed to be working, but we just couldn't get DNS resolution.

After a short while our local DNS admin joined the call.  In short order he confirmed that the DNS servers were working properly, no changes were made on our end, and we seemed to be getting "denied" messages back from the remote DNS server.  The remote tech repeated just about every possible iteration of the question about what WE had done to break things.

Only after more than an hour of this line of questioning did the remote technician finally reveal that the remote DNS servers had been changed over the weekend - completely replaced with entirely new devices.  It took a little longer, but it was eventually discovered that the new devices had a built-in ACL which was blocking our requests.  The old servers hadn't had this capability, and the ACL which the remote DNS admins had put in place didn't allow our servers to talk to theirs.

So riddle me this, Batman - you know you changed out your DNS servers, but when I call and tell you my DNS queries are being refused, you spend an hour making me repeatedly assert that I didn't change anything?  I lost two hours of my time, and more importantly my business lost two hours of productive work for dozens of users trying to fulfill their quota of work on a government contract because some bozo didn't want to admit that his change broke the system?  Priceless.
