May
I recently peeked at Hulu. For those that don't know, it's a US-based online TV streaming service where one can watch certain TV series and movies free of charge on the web.
I spent most of a weekend watching video via Hulu and I think it's a brilliant service. Video quality is awesome — far better than Youtube with the "low" quality setting being equivalent to digital satellite (standard def). There is one tiny problem with Hulu, however. It is restricted to US based IP addresses. Any attempt to use it from a non-US internet connection will yield an appropriate error message.
What's a freedom loving geek to do when capitalists get in the way? He uses a workaround of course! Unfortunately though it is not as easy as finding a US web proxy and enabling it in your web browser. You see, the problem is that Hulu's Flash video player does not stream its data over HTTP. It uses Flash's proprietary streaming protocol, and by doing so, the app ignores the browser's proxy settings (even SOCKS proxy settings).
I read a few pages written by others who had worked around the situation, but they're either outdated and no longer work, or suggest tunnelling traffic over a NATed VPN to a US system. Well I'm sure that will work, but unless you're willing to pay for a US VPN service, it's a bit of a pain to roll your own one.
The easy workaround is quite simple, so here we go.
Hulu uses a mix of HTTP and Flash's own streaming protocol to make things happen. To get Hulu traffic from your browser to bounce through a US system you will need:
- A SOCKS proxy
- A TCP port bouncer
For both of the above I highly recommend SSH, and it's what I'll be explaining. So you'll need a shell account on a US system somewhere. Once you've found one, follow these steps:
1. Enable a local SOCKS/dynamic port forward in your SSH client. Mine listens on localhost:1080.
2. Enable a local (static) port forward in your SSH client. It must listen on 1935 and forward to 96.17.156.116:1935. (keep reading for more info on that IP address)
3. Connect and log in to your shell account.
4. Configure your web browser to use the SOCKS proxy enabled in step 1. Test that you can browse the web like this.
Now I need to tell you about the tricky bit. That IP address in step 2 above (96.17.156.116) is not a random incantation made up by me, and it might change over time. It comes from resolving one of the content distribution server addresses that Hulu uses. In fact, if you resolve one of those addresses yourself it'll likely not resolve to the IP address I've given. The best thing you can do is to resolve one of the addresses in your shell account itself, take the resulting IP address and substitute it for the one in step 2 above. The one I've given is really more of an example and is suboptimal, but should work anyway.
Which brings me to the very important part — those content distribution server addresses. In my limited usage, they are:
cp51756.edgefcs.net
cp39465.edgefcs.net
cp47346.edgefcs.net
All of those addresses need to be added to the 127.0.0.1 entry in your system's hosts file. In Unix derivatives (Mac too, I think) that will be /etc/hosts. On Windows that will be C:\Windows\System32\Drivers\Etc\Hosts. It is just a text file, and its format is the same on both platforms. After editing, your 127.0.0.1 entry should look something like this:
127.0.0.1 cp51756.edgefcs.net cp39465.edgefcs.net cp47346.edgefcs.net localhost
At this point you should be able to watch Hulu videos! Now the only thing you need to be aware of is that those content distribution server addresses might change over time. Whenever you load a video in Hulu, pay attention to what your browser is doing. I know for certain that Firefox will show in its status bar which address it is connecting to when it does it, but you need to be prepared to watch out for it. If it tries to connect to an address that is not noted above, you need to add that address to the hosts file, restart your browser, flush your local DNS cache, and try again. Feel free to post a comment here if you find new content distribution server addresses.
I hope you're stocked up on popcorn! Enjoy.
May
I've been working on putting the OpenID 2.0 spec into graph/flowchart form to help my own understanding of the protocol. It's a fairly involved protocol with many conditionals, the specifics of which are hard to implement without seeing the full picture first. Grab the PNG here: OpenID 2.0 for Relying Parties (608 KiB). The graph is so entitled because it really does not deal with much detail from a Provider's perspective at all. I've taken some interpretive liberties in a couple of places, and some things it may not depict clearly, but I'll try to improve it over time.
If/when I update it I'll amend this post accordingly. :-)
May
Here's a quick, arbitrary tip for making PDFs with majority text really small.
When a PDF is authored, the authoring software looks at the fonts you've used in your document. The PDF specification provides for 5 built-in fonts: Courier (monospace), Helvetica (sans-serif), Times (serif), and two symbolic fonts. The first 3 include italic and bold variants. If your source document uses fonts that your PDF authoring software cannot map to the built-in fonts, it will embed the font into the document so that readers can correctly render it, and each embedded font consumes about 15KB. If your source document uses only built-in fonts, your PDF will be smaller as it does not have to store any font data.
For very large documents this might not make a big difference, but for small documents the space saving can be as much as 70%. If you're generating small PDF documents for emailing to many people, you can save yourself a good bit of bandwidth by just choosing your fonts carefully.
Apr
I've been getting up to speed with OpenID 2.0 recently. The first time I looked at OpenID was when I skimmed through the 1.1 specs, which left me pretty disappointed in the protocol. OpenID 2.0 doesn't address my disappointment, but even so I'm a lot more positive about the protocol now. The potential convenience that it offers is just too good to pass up! It was really the potential of using XRIs that swung me. Something unmistakable about XRIs is that it makes me think that the Internet is slowly evolving into a system with more and more layers of abstraction sitting on top of the old, underlying low level protocols as it gets older. XRI is just that — a URI resolution protocol sitting on top of HTTP, and it looks very very cool. The next big thing perhaps?
If you are familiar with DNS you'll know it's a resolution protocol that resolves named addresses into numbered IP addresses (among other things). XRI is kind of the same, except it's a protocol that resolves names into service URIs. For example, right now most people who use OpenID authenticate with a domain name. OpenID takes the domain name, shoves http:// in front of it, and does a web GET on it looking for <link> tags in the HTML source. In other words, it's very ugly, and not very extensible.
You can use an XRI as an OpenID identifier. I registered mine last night; "=aragon" is it. When used as an OpenID identifier, the XRI protocol allows a relying party to resolve the OpenID service on it. Kind of like a DNS SRV lookup, except instead of getting an IP address and port number, you get a service URI — your OpenID provider's authentication endpoint. All neatly wrapped up in a well formed, validating, easy to parse, extensible XML document.
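How a relying party tells the two identifier types apart and performs the HTML-based lookup described above, as an added example (not code from the original post). Function names and the sample HTML are constructed; the `openid2.provider` and `openid2.local_id` link relations are the ones OpenID 2.0 defines for HTML discovery.

```javascript
// Added example, not the post author's code. The sample HTML is constructed.

// OpenID 2.0 identifier normalization, reduced to the two cases the post
// contrasts: XRI names such as "=aragon" versus plain domain names.
function classifyIdentifier(input) {
  let id = input.trim();
  if (id.toLowerCase().startsWith("xri://")) id = id.slice(6);
  if (id !== "" && "=@+$!(".includes(id[0])) return { type: "xri", identifier: id };
  if (!/^https?:\/\//i.test(id)) id = "http://" + id; // the "shove http:// in front" step
  const url = new URL(id);
  url.hash = ""; // a fragment is not part of the identifier
  return { type: "url", identifier: url.href };
}

// Collect attribute name/value pairs from a single tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// HTML-based discovery: only <link> elements inside <head> count, and "rel"
// may carry several space-separated values.
function discoverFromHtml(html) {
  const head = /<head[\s>][\s\S]*?<\/head>/i.exec(html);
  if (!head) return null;
  const found = {};
  for (const [tag] of head[0].matchAll(/<link\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    for (const rel of (attrs.rel || "").toLowerCase().split(/\s+/)) {
      const wanted = rel === "openid2.provider" || rel === "openid2.local_id";
      if (wanted && !(rel in found)) found[rel] = attrs.href;
    }
  }
  if (!found["openid2.provider"]) return null;
  // The endpoint is whatever the fetched page says, so the relying party
  // should at least refuse anything that is not an http(s) URL.
  let endpoint;
  try { endpoint = new URL(found["openid2.provider"]); } catch { return null; }
  if (endpoint.protocol !== "https:" && endpoint.protocol !== "http:") return null;
  return { endpoint: endpoint.href, localId: found["openid2.local_id"] || null };
}

// Constructed sample page served at the claimed identifier.
const SAMPLE_HTML = `<html><head>
<title>constructed sample</title>
<link rel="stylesheet" href="/style.css">
<link rel="openid2.provider openid.server" href="https://op.example/auth">
<link rel='openid2.local_id' href='https://op.example/user/alice'>
</head><body>hello</body></html>`;

console.log(classifyIdentifier("=aragon"), classifyIdentifier("example.com"));
console.log(discoverFromHtml(SAMPLE_HTML));
```

An identifier classified as `xri` skips the HTML step entirely and goes through XRI resolution instead, which is the difference the post is pointing at.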
But that's not all I can do with my XRI name. If your web browser is XRI capable, typing "=aragon" into the address bar should bring you to this page (you can try via a proxy service for now: http://xri.net/=aragon). In an XRI capable mail client, addressing a mail to "=aragon" should resolve to my email address, or I could have the XRI resolve to a web form that performs a captcha request before dishing out my real email address, or have it notify me requesting permission to give the sender my email address before actually giving it out.
What's more is I can create subdelegations below my XRI, such as =aragon*projects, that I could maybe use to keep all my open source related URIs (email addresses, OpenIDs, SIP addresses) separate from everything else. Or when I'm rich and famous I could just delegate that completely over to my agent to take care of, and he can administer that XRI however he sees fit. Like I said, XRI is a lot like DNS for URIs, and it operates over HTTP(S). Very cool, very confusing at first glance, but with so much potential I think!
Imagine being able to post to mailing lists from your XRI name, preventing spammers from grabbing your address, and also allowing readers to authenticate that you actually sent the mail...
In other exciting news, OpenID released the first version of their Provider Authentication Policy Extension specification in December. It basically looks like a mechanism for relying parties to assert security policies/standards on OpenID providers when an authentication takes place. I haven't read it yet, but if I'm right about its description, this could address the gripes I had with OpenID a few months ago. More on that once I've read it!
Mar
Until about a year ago, Adobe Photoshop was one of those applications I'd always have installed on my systems no matter what. I'm no graphic artist by trade, but like any geek I do dabble in making web graphics or just editing photos, and Photoshop is probably the best out there for this (Windows comes with bugger all). When I stopped using Windows a while ago I continued to run Photoshop under Wine because it worked and I was so used to it, but due to other Wine issues I threw the towel in on Wine altogether about a year ago and decided it was time to see what Gimp's all about.
I've been using it since and it just keeps getting better. Everything I was doing in Photoshop I can still do in Gimp, and some things Gimp even does better (eg. selection masking). Overall there are things Photoshop is and always will be superior at, being a commercially supported product (eg. printing), but for the most part I happen to not need any of those features, and I suspect there are many Photoshop users that are the same.
I can also say with confidence that most non-professional Photoshop users did not pay for their copies of Photoshop. It's one of those apps that is/was so dearly loved by so-called pirates for its almost non-existent copy protection and abundant availability online. If everything I've said sounds familiar and you've ever wondered what Gimp is all about, go ahead and just try it for a few weeks. Gimp 2.6 motivated me to write this post because they finally fixed my biggest hang-up with it - really bad window/toolbar management. I shall now bleat if I see anyone using a pirated copy of Photoshop for no good reason. :)
Incidentally, this site was designed in Gimp.
Jan
I just saw Engadget's post about Carl Zeiss's Cinemizer video eyewear and I was blown away. Not because of the idea behind it, but because I was literally thinking of exactly the same idea 2 days ago! These video goggles are precisely what I've been wanting and I can't wait for them to come out.
In a nutshell they support a 3D mode whereby they take the input video signal, cut it in half, and feed each half into each LCD. This allows film makers to record video using two cameras spaced apart like eyes and merging the two separate video feeds into two halves of a single video. This idea has had me deep in thought about the sheer awesomeness that'd be possible with recorded video, but my thinking didn't stop there.
Although 3D video would be awesome, what about sound? Well, that part is actually easy. It has existed for centuries and it's called Binaural recording. The concept is simple: place a pair of microphones into a solid structure shaped like a head with ears (a "dummy" head) and record the sound from each microphone into the left and right channels of a stereo recorder. Play back the sound with a pair of headphones and the result is near identical 3 dimensional sound imaging as if you were hearing the original sound first hand. The recorded sound could also be fed into a Dolby Prologic II or DTS Neo6 processor (present in most home theatre receivers) which would separate everything out into a 5 channel speaker arrangement.
Now pair up the two technologies and you have, in my opinion, the next level of home entertainment!
Getting back to 3D video, I have some good news for you. You can experience it without Carl Zeiss's Cinemizer right now and I'm going to show you how. Have you ever heard of a Random Dot Stereogram? If you are able to see stereograms then you can watch a 3D movie right now without Carl Zeiss's goggles. If not, take a read through the Wikipedia article I linked to. It has samples and links to sites that will help you train your eyes at seeing them. If you can see them, keep reading.
So I went poking around on Carl Zeiss's web site and found some sample 3D movie downloads! They look and work fantastically! Here are the links:
When watching them, pause them at the beginning where there's a simple image on screen. Get your eyes into 3D mode and hit unpause. If you struggle to get the 3D image, try resizing your video window smaller - it'll make it easier to see. Here's an easy sample screenshot from one of the videos that has lots of depth:
Dec
Since dropping Windows a while ago I'm always looking for some or other app that can replace some of my remaining Windows habits that are missed. I've been looking for a fast, small, minimalistic, easy to use image viewer for a long time. I've tried the usual suspects like xv, feh, Ristretto, and some others whose names I can't recall. Never been entirely impressed with any. (feh was my favourite until today)
I finally found a really great image viewer. It's extremely fast, has almost zero dependencies, resembles XP's builtin image viewer (ie. very simple), and integrates well with FreeDesktop.org environments. I highly recommend it: LXDE's GPicView.
Incidentally, LXDE looks kinda cool too. I might try it sometime. (very happy with Xfce right now)
Dec
I've recently been a bit obsessed with the Zeitgeist movies. If you haven't seen them, I highly recommend downloading both here and watching them. They are conspiracy oriented documentaries. The first movie left me drooling for more, and by the middle of the second movie I'd just about heard enough (I did watch it all though). I don't really follow politics, economics, or religion at all, so these movies were extremely intriguing and thought provoking for me.
At first I was convinced they're right, then I started trying to challenge that by reading what many others have said on the subject. I subsequently watched other conspiracy movies that are more focused on the 9/11 and world banking claims: Loose Change and The Money Masters. I've read anti-conspiracy pages that (claim to) debunk the conspiracy theories. Well, there's a lot of conflicting information out there and still a lot of unanswered questions.
For one I still have not seen concrete evidence of Flight 77 hitting the Pentagon. Zeitgeist and Loose Change both have similar claims. At least one anti conspiracy site counters it by claiming that the videos released by the government and downloadable here show a plane colliding with the Pentagon. But they show absolutely nothing like that. They show a massive explosion briefly preceded by what, to me, looks more like a missile smoke trail. They're also not full motion videos - they've either been edited or the security recording equipment from which they were sourced didn't record full motion video. It is also surprising that they're the only videos ever released.
The controlled demolition claims of the WTC towers are very enticing, even when considering such an enormous operation not going unnoticed. WTC 7 is still a big question mark for me. Bottom line for me is that the conspiracy theories provide more believable logical evidence than the anti conspiracy theories try to debunk. I still need to do more research and encourage all other viewers to do the same. As for the facts as the US Government would have you believe... does anyone even need to comment on the immensely unconvincing speeches of government officials?
Zeitgeist's first part is all about religion and its message is basically that Jesus Christ did not exist and that religion is a means of controlling and influencing people. Even if that were true, I think it'd have been better left out of the movie. Trying to debunk millennia of religion is suicide. It would take a lot more convincing and reputable facts, enough of which probably do not exist.
Despite everything, I think the motivation of the movie is what's most important. It is trying to promote Technocracy, more specifically Jacque Fresco's Venus Project. This is detailed in the second movie, Addendum. The first movie and the beginning of Addendum are really just buttering up the viewer into accepting that the current world economic model is ineffective (more specifically, evil). Apparently not everyone likes a conspiracy theory, but I do think the technocratic model they propose is very worthy of consideration. I like it a lot, but I am a geek I guess. I think it can work. In fact it is already working to some extent in the form of open source software.
What I am sceptical about is the process of transition to a system like this. I don't understand how that will be possible in the monetary system that exists today — who will pay for its development? And I'm not entirely convinced by their argument against a punishment system. Even in the society they propose I think crime will still be present and will have to be dealt with in some way. The crime might not be caused by the same factors as today, but I don't believe money causes all crimes. What about human jealousy, betrayal, and intolerance? What about clinically insane individuals?
So anyhow, give the Zeitgeist movies a watch and check out the movement's web site. You might like it all. I'll definitely be checking in on its progress from time to time.
Dec
I've been reading all about OpenID recently. I've used it before and have been really intrigued by it ever since I discovered it a year or so ago. Lately I've been very interested in implementing it on this site and others so I decided to take the time to see how it all works by reading the online specs at openid.net. It's pretty clear to me now that it is a terrible protocol in so many ways that I can't believe anyone could consider it a viable authentication mechanism for anything that actually needs authentication.
My biggest gripe with it from a potential consumer's (or relying party's) point of view is that there is no way of attaching trust to an OpenID authenticated session. If I'm running a site that provides my users something related to money or access to confidential information (or anything of similar value), I'd be crazy to rely on OpenID to authenticate my users. The fact that anyone can become an OpenID provider and there's no mechanism in place to certify the reliability and security of an OpenID provider is a huge problem in my eyes. Then there are all the phishing vulnerabilities surrounding OpenID that have been published, and the privacy issues with it, and the fact (ok, maybe it's an opinion, but definitely not a unique one) that the protocol itself is quite complex for both adopters and users. OpenID in its current form stinks from all angles, really, and looks too fundamentally broken to fix too.
But don't take my word for it, read the specs yourself. Then read publications like this and this, and this. Then look at the current OpenID landscape. How many OpenID providers are there now? A lot. Some big names too, like Google, Yahoo, etc. So Google and Yahoo are both OpenID providers... why doesn't either let users log onto their systems with an OpenID account then? Probably because they both know better than to trust it, that's why.
So I'll stick with passwords a while longer, but I am wondering what alternatives there are. Something that could work and has been around for years, but is really unpopular is SSL client authentication. I've set this up more than once before. It works quite well and I think it could be a viable alternative if someone can dumb it down a notch. Its biggest problem is that no one has tried to make something out of it that can be picked up by the average user. I'm convinced this is just a matter of clever software architecture because the idea behind it isn't that complicated.
User downloads software (or in Windows land, Microsoft eventually bundles it), it generates a public/private key pair and saves it along with a portable copy of the software to some place that can be taken by the user wherever he/she goes. The user (or the software) loads the key pair into the user's browsers so that authentication is just a matter of confirming a browser prompt and typing in the private key password — all the challenging takes place in HTTPS at the protocol level. When the user registers to a site the site stores a copy of the public key and attaches it to that user's account for future reference. If the user needs to log on from, say, a web cafe, the portable version of the software would generate a new key pair signed by their original key pair, except the new key pair would have a very short expiry time. In addition, sites accepting this authentication should accept derived key pairs only once and invalidate them after their first use. The user (or software) loads the new key pair into the insecure PC, the user does his/her business and logs out. The loaded key will expire in a few minutes' time (or has already expired), and the site(s) the user just accessed with it have already invalidated it.
If the idea of loading certs into foreign PCs still sounds risky, the SSL challenging could be done out of band too without loading certificates into the browser. Sites could generate a challenge using a nonce encrypted with the public key, the user would paste that challenge into the portable software that decrypts it with the private key and pastes the decrypted nonce back into the site, proving that the user has the private key matching the public key the site has stored for his account.
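The out-of-band exchange described above, sketched with Node's built-in crypto module as an added example (not code from the original post). It also applies the previous paragraph's single-use and short-expiry rules to each challenge, which is an extension here; the class and function names, the account name and the two-minute lifetime are assumptions.

```javascript
// Added example, not the post author's code. Names and the TTL are assumptions.
const crypto = require("crypto");

const CHALLENGE_TTL_MS = 2 * 60 * 1000; // assumed; the post only says "a few minutes"
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

class Site {
  constructor() {
    this.publicKeys = new Map(); // account name -> public key PEM stored at registration
    this.pending = new Map();    // challenge id -> { user, nonce, expires }
  }

  register(user, publicKeyPem) {
    this.publicKeys.set(user, publicKeyPem);
  }

  // Site side: encrypt a fresh random nonce to the public key on file.
  issueChallenge(user, now = Date.now()) {
    const key = this.publicKeys.get(user);
    if (!key) throw new Error("unknown user");
    const nonce = crypto.randomBytes(32);
    const id = crypto.randomBytes(16).toString("hex");
    this.pending.set(id, { user, nonce, expires: now + CHALLENGE_TTL_MS });
    const blob = crypto.publicEncrypt({ key, ...OAEP }, nonce);
    return { id, challenge: blob.toString("base64") };
  }

  // Site side: compare the pasted-back nonce. The challenge is consumed on the
  // first attempt, right or wrong, so a captured response cannot be replayed.
  verifyResponse(id, responseB64, now = Date.now()) {
    const entry = this.pending.get(id);
    this.pending.delete(id);
    if (!entry || now > entry.expires) return null;
    const response = Buffer.from(String(responseB64), "base64");
    if (response.length !== entry.nonce.length) return null;
    return crypto.timingSafeEqual(response, entry.nonce) ? entry.user : null;
  }
}

// User side: the "portable software" decrypts the challenge with the
// passphrase-protected private key and hands back the nonce.
function answerChallenge(privateKeyPem, passphrase, challengeB64) {
  const blob = Buffer.from(challengeB64, "base64");
  const nonce = crypto.privateDecrypt({ key: privateKeyPem, passphrase, ...OAEP }, blob);
  return nonce.toString("base64");
}

function demo() {
  const passphrase = "constructed demo passphrase";
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase },
  });
  const site = new Site();
  site.register("alice", publicKey); // constructed account name

  const c1 = site.issueChallenge("alice");
  const answer = answerChallenge(privateKey, passphrase, c1.challenge);
  const login = site.verifyResponse(c1.id, answer);  // accepted once
  const replay = site.verifyResponse(c1.id, answer); // same answer again: rejected

  const c2 = site.issueChallenge("alice", 0);        // issued at t = 0
  const late = answerChallenge(privateKey, passphrase, c2.challenge);
  const expired = site.verifyResponse(c2.id, late, CHALLENGE_TTL_MS + 1);

  const c3 = site.issueChallenge("alice");           // answered without the private key
  const guess = site.verifyResponse(c3.id, crypto.randomBytes(32).toString("base64"));
  return { login, replay, expired, guess };
}

console.log(demo());
```

The private key never leaves the user's software; the site only ever holds the public key and the nonces it generated itself.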
Does that sound overly complex? Maybe it's no less complex than OpenID for the user, but I don't think it's an unworkable idea and it will solve all the other problems with OpenID. I think this can be made into a workable solution...
Nov
I decided to make a quick write up of one of FreeBSD's jewels — moused(8). I stand to be corrected, but I don't think the other BSDs nor Linux have anything like it, and it makes mousing under X a lot more pleasant.
If you're an X user you should already be familiar with its builtin mouse acceleration support. Most desktop environments have control panels to configure it, but here's the bad news — it sucks! It's a feature that runs your mouse at a low sensitivity when it's moving slowly, but increases the sensitivity when it accelerates beyond a set threshold to make the pointer move quicker. So it has only two levels: slow and fast.
FreeBSD's mouse daemon
FreeBSD's mouse daemon has a couple of very neat features:
- Multiplexes multiple mice into one mouse device (useful for notebooks).
- Provides mouse support for syscons(4)
- Emulates 3 buttons on a 2 button mouse (same as X's implementation)
- Provides fine grained mouse sensitivity control
- Provides exponential (or dynamic) acceleration
- Provides virtual scrolling
I'm going to be speaking about the last 3 points here. Now before I continue you need to make sure your X is set up correctly so that it uses moused and doesn't interfere with moused's acceleration features. I'm going to assume you're using a USB mouse.
Preparing...
When you plug your mouse in, FreeBSD should automatically spawn a mouse daemon process and attach it to your ums device:
$ ps -wwp $(pgrep moused)
PID TT STAT TIME COMMAND
98163 ?? Ss 3:27.46 /usr/sbin/moused -F 200 -A 1.5,2.0 -a 0.7 -r high -V -p /dev/ums0 -t auto -I /var/run/moused.ums0.pid
That's how mine looks after my customising. To change the defaults you need to edit rc.conf:
$ grep moused /etc/rc.conf
moused_ums0_flags="-F 200 -A 1.5,2.0 -a 0.7 -r high -V"
I'll come back to exactly what settings you'll be playing with in a second. For now you just need to make sure the mouse daemon is running. Next you need to make sure your X configuration is using it:
Section "InputDevice"
Identifier "Configured Mouse"
Driver "mouse"
Option "CorePointer"
Option "Device" "/dev/sysmouse"
Option "Protocol" "auto"
Option "Emulate3Buttons" "false"
EndSection
That should be the only pointing device in xorg.conf (unless you know what you're doing). You'll notice /dev/sysmouse in your dev filesystem — moused creates this. It is a virtual mouse device where the daemon sends all mousey data for X to use.
So moused is running and Xorg is using it. Now you need to disable X's own mouse acceleration. If you're running a desktop environment like GNOME, KDE, or Xfce there is a mouse configuration GUI where you should do this. Set the mouse acceleration and threshold all the way to minimum.
If you don't have a mouse configuration GUI then open a terminal and run xset m 1/1 1 and add that to your startup script.
In a terminal run the following and check that your mouse acceleration is reported as shown:
$ xset q | grep -A 1 ^Pointer
Pointer Control:
acceleration: 1/1 threshold: 1
Play time!
Base mouse sensitivity
How does your mouse feel now? Too slow? Too fast? You're going to set the base sensitivity first. The mouse should feel slow at this stage. Too slow to use X, but fast enough to, say, touch up a few pixels of a graphic. To adjust the sensitivity you need to add the -a parameter to rc.conf. Values below 1.0 desensitize your mouse. Values above 1.0 increase sensitivity. Take another look at my -a setting — I had to desensitize my mouse, hence 0.7. Edit rc.conf as shown above and then run /etc/rc.d/moused restart ums0 (assuming your mouse device is ums0). Your mouse daemon should be running with the new setting and things should be feeling better. If not, try another setting until you're happy. Remember, the mouse must feel slow at this stage.
Mouse acceleration
This is the best part: the -A parameter. It takes two values separated by a comma as seen in my config. The first value is the magnitude of acceleration, the second value is the movement threshold required to activate acceleration. Try my settings (1.5,2.0) to start with and experiment with the values until you're happy. As you're experimenting you should already be thinking, "Damn, how did I live without this for so long??"
Virtual scrolling
And now, the cherry on the top. Virtual scrolling! No more having to motor your mouse wheel like a wheelchair racing gold medallist. Virtual scrolling is enabled with the -V parameter. If you've set up your mouse acceleration and sensitivity nicely, the virtual scrolling defaults should be satisfactory. Now that you've enabled it, click and hold your middle mouse button in your web browser and move the mouse up and down. Awesome huh?
There are a few other useful features you might want to experiment with. Go ahead and browse through the moused(8) manual to find out more. Don't forget to ensure that Xorg's builtin mouse acceleration remains disabled. Enjoy!