Simple index of external media on Linux

If you’re not a fan of any kind of web-based or GUI application to index your files on external media for you, there’s a way simpler solution for the command line aficionados out there: use locate.

locate is usually known as the prepared man’s find as it offers a subset of the functionality (finding files by name) with the advantage of it being nearly instantaneous. It does this by calling updatedb to simply index your filesystem into a simple hashed database which locate uses.

Normally, this does fairly well for your usual administrative tasks like “Where the hell is this file?”.

But, being a nice tool, locate also allows you to generate custom databases. Which is pretty useful when handling external drives and having an easy index of them.

I recommend creating ~/.locatedbs and storing database files there kind of like this:

updatedb -U "$mountpoint" -o "$HOME/.locatedbs/$label"

This can be explicitly queried like this:

locate -d "$HOME/.locatedbs/$label" "$pattern"

This works pretty well with modern environments where the mountpoint includes the label of the device, as this is the only (easy) way to find out where the file you’re looking for is:

$ locate -d ~/.locatedbs/imbrium.db win8-usb.img

Of course, the usability here still sucks. Recent versions of locate support setting the environment variable LOCATE_PATH, which specifies (depending on the version: additional) databases to be searched. In case of Debian and Ubuntu, it’s an additional database path. Thus by inserting

export LOCATE_PATH=$(echo $HOME/.locatedbs/* | sed 's/ /:/g')

into your shell profile, any future logins will be able to simply use locate to search all indexed external drives.

To further increase usability, you’d ideally call an update script shortly before unmounting a drive instead of doing it manually, but I haven’t yet found a convenient way to do so neatly.

Ubuntu 13.04 «Raring Ringtail» on a Lenovo T430s

I recently – finally – upgraded away from my old Lenovo B550 (which was merely meant as a gap-filler, but, well…) to a new, shiny Thinkpad T430s, model 2356LPG.

There’s a few essential things you need to watch out for when using Ubuntu 13.04. Personally, I’m using the Ubuntu GNOME variant, so there might be a few minor caveats not covered due to different frontend interfaces.

Network devices

The 3.8.0 kernel shipping with Ubuntu 13.04 isn’t entirely suitable for use with a T430s, mainly for two reasons:

  1. The WWAN driver for the Ericsson H5321 gw built into 3.8 doesn’t work particularly well with this device, in the sense that it won’t connect at all.
  2. The e1000e driver in 3.8 doesn’t handle coming out of suspend gracefully. You’ll at the very least need to reload the module.

In this case, you’ll most likely want to go and use the mainline kernel versions. I’m running 3.9.0 and it’s working fine.

Power management

Or, rather, saving uselessly wasted power.


First and foremost, install TLP. It’s an easily customizable suite of scripts that’ll give you a hand in the power management for your device.

On Ubuntu, you can add the ppa:linrunner/tlp and install tlp, tlp-rdw, acpi-call-tools. There’s a slew of self-explanatory options in /etc/default/tlp. My changes:

--- tlp.orig	2013-05-02 19:38:09.000000000 +0200
+++ tlp	2013-05-07 18:25:45.012467195 +0200
@@ -143 +143 @@
@@ -161 +161 @@
@@ -167,2 +167,2 @@
@@ -170,2 +170,2 @@
@@ -184 +184 @@
@@ -189 +189 @@
@@ -195 +195 @@
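
Review bot: all seven hunks (@@ -143 through @@ -195) consist of the header only, with no - or + lines, so the settings that were actually changed in /etc/default/tlp cannot be read from this diff. Regenerate it (the headers look like zero-context output, e.g. diff -U0 tlp.orig tlp) and include the changed lines, or list the changed option names and values next to it.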

Kernel command line options

In essence, this change to /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 i915.semaphores=1 acpi_backlight=vendor"

Long version:

i915.i915_enable_rc6=1: Enables RC6 power saving modes for the Intel chipset.
i915.i915_enable_fbc=1: Enables Framebuffer compression. Essentially reduces the stuff your power-intensive hardware needs to do, thus saving power.
i915.lvds_downclock=1: Allows your display to clock down when not used that intensively.
i915.semaphores=1: «Use semaphores for inter-ring sync.» Potentially saves power and stops screen interface corruption from happening. This may cause your video to stutter.
acpi_backlight=vendor: Doesn’t save power directly, but allows you to actually adjust the display brightness.


Even if you’re not planning on using your discrete NVIDIA graphics card via Optimus, you should have a look at the Bumblebee project, which allows you to control the discrete card.

Especially, it allows you to turn it off, as there are circumstances where it’s actually active without you intending it to be.

For 13.04, you can find the requisite packages in ppa:bumblebee/stable. You should install bbswitch-dkms. After building, add bbswitch load_state=0 to /etc/modules and you’re good.


  1. Color management and profiles (uses TPLCD60.ICM, is there anything special to it?)
  2. ???

Gratisrollenspieltag 2013

Analogous to the English-language Free RPG Day, a German association has also taken it upon itself this year to promote the playing of role-playing games. Making use of the compounding capabilities of the German language, they called it the Gratisrollenspieltag. It took place – AFAIK for the first time – this year on 2 February, a Saturday.

The procedure is what you are used to from Free RPG Day: you play or run a session and in return may help yourself from a grab box. These grab boxes were of course distributed to various FLGS – friendly local gaming stores – with sponsorship from the participating companies.

I, too, ran a session at the GRT, namely Eclipse Phase. EP is a transhumanist action/horror/survival system based on d100. You can find out more about it […]. I had received three sign-ups in advance; my rather modest advertising effort led to only one conversion, the other two came via Robert, the owner of the FLGS Brave New World. On site I had two more interested people, but they did not have the time.
Of the sign-ups, two actually showed up, and the remaining two seats were spontaneously filled by people from the forum.

I don’t want to say too much here about the adventure itself – Continuity, one of the pre-made ones. Suffice it to say that it came to an … unexpected end. Unfortunately also for reasons of time, as we had somewhat exceeded the four hours.

For the sake of game flow I took the rules a bit more loosely. Pro tip: playing criticals with max damage instead of ignore armor does not help the flow.

On the side, a session of Dungeon Slayers was also running, and I don’t envy Thomas the one typical con player you get once in a while – the one who has a comment on everything. Dreadful.

Continuity, at any rate, turned out to be a success. It works well as a horror-light scenario for cons. The only problem is the handwaving with the morphs, since in theory you would have to give every player a new morph at the start.


The Big Picture: Instagram’s policy changes

As some people are already aware, Instagram is planning on changing their terms of service in January and people are getting into full-on “THEY GUNNA STEAL MY PHOTOS!” mode.

So what are the deeper implications of this? Is Instagram really just going to sell shitty filter photos (and those of the two dozen people uploading kind of artistically valuable stuff) and tapdance on its users’ noses, alienating the hell out of everyone?

Probably not. But their public relations are being awfully quiet about it.

There might be a reason for that: negotiations with their new robotic overlords at Facebook. I’ll show you some possible hints as to why.

First, have a hard look at the offending paragraph from the updated terms:

Some or all of the Service may be supported by advertising revenue. To help us deliver interesting paid or sponsored content or promotions, you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you.

Emphasis mine. You notice that the metadata is explicitly mentioned next to the photos? Good.

Have another piece of news: Facebook launches ‘Nearby’ feature, aimed at discovering local venues you’d like.

If you’re totally behind the curve, Facebook owns Instagram. And plans to monetize it.

So what does this leave us with? Simple enough: seeding Facebook with location-tagged (location metadata from foursquare on Instagram photos) photos that it can use to get businesses to advertise. Facebook is all about trying to entice you to promote your status updates, even as a normal user; the next logical step to beef up the venue pages is allowing a business to use a glorified “promote my business with Instagram photos” function.

And, even more likely – when thinking of the usual way Facebook points people at stuff – use the friend connections to say “Hey, look at these great photos your friends Adam and Eve made at That Cool Store!” suddenly showing up in your stream.

If you compare the changes to the terms, dear reader, with this modest proposal of a probable future feature, they are the minimum terms required (next to explicitly stating which advertisers are allowed to use data in such a way) to realize this feature.

This is also the reason why Instagram probably haven’t opened their mouth in their defense yet – gag order from the overlords while the official PR spin for the new feature is being deployed.


Google+ and the trend to curated results

It seems like the Google+ team is slowly coming around to engrossing its “automated but moderated” approach in a broader way. Previously, the rather exclusive “Instant Upload” feature pushed all the photos you took on your mobile devices into the cloud (onto the moon) and allowed you to selectively share and edit them from a nice interface inside of Google+.

Then, at Google I/O 2012, the Google+ History preview was made available to developers. In short, it’s a way for applications to push automated events into your own, personal history from which you then share selected events with your circles.

Right now, it only tracks some internal Google stuff:

A screenshot showing a couple of events from the Google+ history page

Google+ History

At Google I/O, as I gather, people already demonstrated other options for integrating things into Google+ history. (Fun fact: still doesn’t do open graph with Facebook.)

And if you visit someone’s profile on Google+ with the history enabled, you find the following screenshot, offering you to have a look at music, places, reviews, comments, reservations and purchases. There’s no way to specifically add anything, I’ve tried fiddling with places, reviews and comments; I tried sharing one of my ‘bought’ (installed) apps to the stream, but the moments page doesn’t update (yet – 2012-06-30).

Screenshot of the "moments" developer section of a Google+ profile

But this is a very good indication of where Google is heading: curated results.

Google has always been pretty straight on what their goals were: increasing the value of human/machine interaction. After the expansion from being a quite pure search engine/geek tech joint, this has also – due to transitivity – led to increasing the quality of human/human interaction.

What this has led to is that all the services strive to give you the best results possible for what you are asking for. Google+, as a tool, leverages the opinions of people that interest you as another factor. Thus far, this has mostly been limited to the effect of +1s: with personal search results, you’d rather happen upon stuff other people recommend as useful reading – or which they may even have written themselves – for a topic.

This is about to change, I’d presume. The “moments” tab, despite being a good stalking tool when it actually becomes usable, is also a recommendation frontend. It will show you what other people like to do, where they like to go, when they like to go (gleaned from the “reservations” tab, which will probably interface with the OpenTable integration in Google Local), etc.

That’s a pretty big step. Along with the newly introduced Google Now, just imagine how interesting it suddenly gets when Google Now knows you haven’t got plans for dinner – okay, this will probably scare people. Never mind. Let’s assume it doesn’t, and then it comes along saying, thanks to Google+ integration: “Hey, you really like yourself some burger joints, Tobias does too – and he enjoys going to Culux, which is similar in taste! Would you like to book a table? Or ask Tobias if he’d share his reservation?”

Well, this is an extreme example, and, from a privacy point of view, it’s downright scary. But it does offer up a probable view of where Google is trying to get to. And, hey, if you can throw in a little advertisement – “Tobias and you should really check out this great burger deal at $someotherplace” – and know it will hit true, that’s a good increase in market value, too, isn’t it?


New ways of spamming

Futurama's Fry wondering: "Not sure if spam or just particularly curious"

So, I recently received a new mail that I presume is spam:

From: Julianna $changed <$>
Subject: A graphic on Microsoft's failures

Hi Tobias,

I was curious to see if this was the correct email to contact in regards to the content on


Julianna $changed

This is a rather curious e-mail. It sort of looks legit, but there’s nothing at all on that should reflect as a «graphic on Microsoft’s failures».

Spamassassin also thinks it’s legit:

X-Spam-Report: SpamAssassin 3.2.5 (2008-06-10) on
 Content analysis details:   (-0.5 points, 5.0 required, autolearn=no)
  pts rule name              description
 --- ---------------------- --------------------------------------------------
  0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                             [score: 0.0000]
  1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars

The SPF mismatch is rather interesting: even though you’d assume someone stating their Google Mail address to use the Gmail web interface (or one of the known clients), the sender is “”, which has a non-functioning web server. Googling for the host quite quickly reveals other people also getting this mail, and Tim Dobson googled a bit, also digging up an enlightening discussion on Google+.

So this isn’t even the standard attempt to bugger up your Bayesian spam filters (see the Wikipedia article on Bayesian poisoning). It’s a sneaky attempt to actually do SEO by using half-automated spamming. Which is pretty weird, since it’s rather cost-intensive in terms of manpower – even if it’s generated automatically, they have to categorize sites in what they want to spam them about. There’s also the fact that I’m addressed with my first name – while this may be reasonably extracted from information on the web, the debian-live mailing list received a similar mail, and they were addressed with “editor”, which a quick Google search couldn’t associate with the mailing list address. Which, at least, makes for a rather interesting source database that seems to have been used.

What I found most amusing about this all is how quickly my brain said “this is fishy”, whereas automatic classification was unperturbed.
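
To see how far below the threshold the mail actually landed, here is an added example (not part of the original post) that parses the rule table of the X-Spam-Report quoted above and recomputes the verdict, with and without the Bayes rule. The function names are my own; the report text is copied from the header above, minus its first line.

```python
import re
from decimal import Decimal

# Rule table from the X-Spam-Report header quoted in this post.
REPORT = """\
 Content analysis details:   (-0.5 points, 5.0 required, autolearn=no)
  pts rule name              description
 --- ---------------------- --------------------------------------------------
  0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
  0.0 HTML_MESSAGE           BODY: HTML included in message
 -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                             [score: 0.0000]
  1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
"""

SUMMARY = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required")
# A rule line is "<points> <RULE_NAME> <description>"; the table header,
# the dashed separator and "[score: ...]" continuation lines do not match.
RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")


def parse_report(text):
    """Return (reported_score, required_score, [(rule, points, description)])."""
    summary = SUMMARY.search(text)
    if summary is None:
        raise ValueError("no 'points ... required' summary line found")
    rules = []
    for line in text.splitlines():
        match = RULE.match(line)
        if match:
            rules.append((match[2], Decimal(match[1]), match[3].strip()))
    return Decimal(summary[1]), Decimal(summary[2]), rules


def analyse(text):
    """Recompute the verdict and show what the Bayes rule contributed."""
    reported, required, rules = parse_report(text)
    total = sum((pts for _, pts, _ in rules), Decimal("0"))
    static_only = sum(
        (pts for name, pts, _ in rules if not name.startswith("BAYES_")),
        Decimal("0"),
    )
    return {
        "total": total,
        "matches_reported": total == reported,
        "is_spam": total >= required,           # tagged once score >= required
        "without_bayes": static_only,           # header/body rules alone
        "spam_without_bayes": static_only >= required,
        "shortfall": required - total,          # points missing for a spam verdict
    }


if __name__ == "__main__":
    for key, value in analyse(REPORT).items():
        print(f"{key:20} {value}")
```

Even with the Bayes contribution taken out, the remaining rules only add up to 2.1 of the required 5.0 points, so nothing in this rule set came close to flagging the message.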

“The BND can decrypt PGP and SSH!!!111oneeleven”

tl;dr: No, it most probably cannot.

Golem reported today that German intelligence services are supposedly able to decrypt PGP and SSH, at least partially.

That is most probably humbug.

In the course of research into the extent to which the parliamentary group “Die LINKE” was surveilled by the federal intelligence services, a so-called “kleine Anfrage” (minor interpellation) was sent to the federal government – in particular the parliamentary control panel, which exercises the federal government’s oversight of the intelligence services – requesting clarification on a number of questions about the surveillance methodology. In particular, it asked whether the intelligence services are able to decipher encrypted communication (“e.g. PGP or SSH”).

If you read the quoted answer, you find the following passage:

3. Is the technology used also capable of at least partially decrypting and/or analysing encrypted communication (for example via SSH
or PGP)?
Re 3.
Yes, the technology used is in principle capable of this, depending on the type and quality of the encryption.

I sketch, in pseudocode, a piece of software to which this statement applies:

use languageprocessing;
use rot13;

if (isNaturalLanguage($message)) {
    print $message;
} else {
    print rot13($message);
}

… this piece of pseudocode is, depending on the type and quality of the encryption, able to decrypt it.

Does it make a threatening impression, because one does not know whether the world’s intelligence services (if Germany has it, the USA is guaranteed to have it, and then the data will stray elsewhere sooner or later anyway) have cracked the problem of prime factorization? Yes.

Is it, with any statistical probability worth mentioning, actually a problem? No.

Is it simply a “we are a secret organisation that has to do everything to appear extremely capable” statement? Yes.

We call this “PSYOPS” and it is simply part of daily business.

Two-factor authentication: an often-overlooked fallacy

First off: I’m not saying that two-factor authentication (2-FA) is bad. It’s a rather good method. But people should be aware of what their authentication factors really are, and not presume properties that they do not have.

Let me explain.

We all know about the quality of the easy “something you know” factor: it’s a password/-phrase/-poem or similar, stuff that you can easily memorize and thus do not need to carry around outside of your head. Let me repeat: it’s a memorizable quantum of information. Thus, the only safe storage for this – logically – is your head, as this information can be extracted terribly easily by humans if it’s anywhere else. That means reading it off a post-it, finding the file containing the password – or even guessing it, because, let’s face it, many people use mnemonic passwords.

As the name of 2-FA implies, there’s also a second factor, often described by the phrases “something you have” or “something you are”. What these mnemonics insinuate is that there is nothing that you “know” about these factors, which – although in most cases mostly true – isn’t accurate.

When using common second factors like cryptographic tokens, keys, biometric data or similar, you shouldn’t forget that you’re still dealing with simple information. It’s just that this particular piece of information, usually, is not memorizable in the usual terms. A key’s beard can be easily mapped into information describing where the pits are, how deep they are, etc. A human’s DNA can be represented in a pretty long string. A key ring authentication fob is usually little more than a secret “seed” plus an algorithm applied to it.

So it’s not that it’s impossible to gain access to the second factor without possessing it, it’s just way less trivial than a simple effort of memorization. Key fobs don’t allow you to view the seed, for example, but if you can eavesdrop on a synchronization, you’re game – and don’t even need the key. Depending on the complexity of a physical key, a simple photograph is enough to fake it. And these are all methods where you wouldn’t even know your secret information was leaked, if done right.
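
To make the “seed plus an algorithm” point concrete, here is an added example (not part of the original post) using the standard HOTP/TOTP construction from RFC 4226 and RFC 6238 as a stand-in; the post does not say which algorithm a given fob uses. The Verifier class, look_ahead and SEED are names made up for the illustration, and the seed is the public RFC test value.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the same function, with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


class Verifier:
    """Server side: holds the same seed as the fob and tracks the counter."""

    def __init__(self, seed: bytes, look_ahead: int = 3):
        self.seed = seed
        self.counter = 0
        self.look_ahead = look_ahead

    def check(self, code: str) -> bool:
        # Tolerate a few unused button presses, then move past the matched
        # counter so that an observed code cannot be replayed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1
                return True
        return False


# Constructed sample value: the RFC 4226 test seed, not a real credential.
SEED = b"12345678901234567890"


def demo() -> dict:
    server = Verifier(SEED)
    fob_code = hotp(SEED, 0)         # what the physical fob would display
    copied_seed = bytes(SEED)        # the same bytes, held without the fob
    return {
        "fob_accepted": server.check(fob_code),
        "replay_rejected": not server.check(fob_code),
        # The verifier cannot tell the fob from anything else that knows the
        # seed: "something you have" is only as private as these bytes.
        "seed_copy_accepted": server.check(hotp(copied_seed, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

A single observed code is useless after it has been consumed, but the seed yields every future code, which is why it needs the same protection as a password.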

Thus, always remember: two-factor authentication isn’t inherently secure. You need to protect all the factors equally well, and do not trust a factor to be “safe”. After all, you are susceptible to rubber-hose cryptanalysis.

For a quick popular culture example of authentication factor secrecy, the movie “Inception” is an unexpected but welcome candidate. (Spoilers.) In it, each character that delves into dreams is urged to fashion a “totem” with specific properties that only they know, so that they can check they’re not in someone else’s dream. It’s vital for them not to let anyone else see their totem, as it would give them the power to fool the other into believing in an invalid authentication.

Here, the information is physical, but due to the special nature, also memorizable. You might argue this reduces it into a “what you know” category, but it is a physical factor that allows you to verify that the current reality is the same as the one you created your totem in. Just due to the fact that the relevant system isn’t a computer but the real world shows how feeble the idea of a physical token actually is.

Steam Zero

If you’re a bit of a gamer and have a bit of loose change, you’ll probably have the tendency to acquire Steam games during sales.

This will invariably lead to you having a pretty big Steam game portfolio over time. According to, my account is worth about 2000 USD right now. That’s the current prices for the games, which is way more than what I put into the games – after all, I bought most of them during sale actions.

On the other hand, I’ve also put quite a few hours of my time into Steam games, and even with minimum wage I’d probably get a couple thousand more. Hell, I’ve played Fallout: New Vegas for “only” 70 hours, and that’s actually not all that much.

The thing is that you’ll invariably build up a backlog. Even with the mixed «blessing» of rather short single player portions of games these days, you’ll have a hell of a time catching up with each game that you bought, especially if you want to milk them for their money’s worth.

Which is pretty interesting, since in the end, you could end up spending more money for the fun of having variety than the professed goal of getting the most worth out of single games.

And what actually happens is that you’ll probably end up not playing some games at all.

There’s a multitude of reasons for it. For example, you might just not have the time to actually play a game. More commonly, though, you will probably not have time to pursue a game. You might play it for a bit, but then you’ll start inevitably filing it under “have to play this more during downtime”.

Except you’ll never use that downtime for that game, since there’s probably something else that actually tickles your current fancy. Often enough, there’s no real chance to get bored “enough” for you to go back to your gaming backlog except if you make a conscious effort.

So the backlog grows, and grows, and grows.

In my case, there’s still some Humble Bundle games that are lying around, which isn’t that much of a loss since I mainly bought it for the other games.

But then, there’s quite a lot more: The King’s Bounty series, probably about at least 100 hours of gaming. Cthulhu saves the world, a charming little adventure. The Penumbra and Amnesia games, supposedly very great. The very cute Braid. Darksiders. Anomaly: Warzone Earth. Atom Zombie Smasher. Frozen Synapse. Far Cry 2. Machinarium. Magicka. Indigo Prophecy. Osmos. Nation Red. Recettear. Saira. SpaceChem. Trine.

All very good games and I don’t feel bad for having bought them. (As opposed to Dead Rising 2. Blech.)

There’s just no way I’ll have the kind of casual downtime that allows me to click off with one of these for half an hour. I’d rather hit up Borderlands and finish up some DLC, for example.

Thus, in conclusion, I have to liken this to something internet nerds everywhere have a certain connection with. There’s other things which you sometimes really need to get around to, but never seem to be able to finish.

Two dreaded words: “inbox zero”.

That time when you actually manage to have zero unread mails – or rather, zero mails that still need your attention, if you don’t use read state to indicate that.

Using that nomenclature, it seems I’ll never be able to one day post a status update containing the simple words “Steam zero”.