Hello Laos, Cheerio Aperture

We got back from our latest long haul trip at the end of January. I normally try to write up our interesting trips as quickly as I can while I can still remember everything, but I’ve been migrating off my old Mac Pro – or more specifically, Aperture – which has turned into a pretty torturous affair. As it’s also something that has a direct bearing on the photos I’ll be embedding in this post, I’ll make a few comments on it. With the demise of Aperture landing at some point, I imagine there are a lot of people planning a similar move.

The long and short of it is that you have a few choices with your library under management with a view to moving, and – beyond the obvious, like organising your source files in a sensible directory structure – they all revolve around what to do with your edited files. You can either save them as separate duplicate files into the same library and live with the repeats, you can store them separately and live with the disconnect, or you can throw them away. After a lot of messing around I chose the final option.

This sounds draconian, but most of the changes I was making in Aperture were pretty minor – just topping and tailing exposure settings. There are a couple of exceptions to that, and the first is portraiture: I’ve tended to put a lot more effort into those. However they tend to be one-offs: I find I work on them at the time, send them to people, and then don’t really think about them again. I still have all of my original Aperture files backed up on a cloud service, so I have a few months to make up my mind as to whether or not I care; for now, I don’t think I do. The other exception is HDR but the Nikor plugin for Aperture that I was using saved the resulting merged file back as a Tiff, so I’ve got all of those.

If you are planning on a more sophisticated approach, like import tools, don’t bet the farm on it. I couldn’t get Lightroom’s offering to work.

It appears that I’m not alone in finding the subscription model that Adobe is applying to Lightroom unpalatable, and paying a perpetual license for the never-to-be-updated-again version amounts to swapping one timebomb for another, so I’m trying a couple of the alternatives that have sprouted up. The one I like best so far is On1, which has much more sophisticated editing features than Aperture [something of a mixed blessing], and won’t break the bank.

One final comment before I get onto the trip. I made a mistake over the 8 year period that I was running Aperture on the same machine. As I ran out of space I added a couple of SSDs as I went along, and decisions I made that seemed like a good idea at the time – in terms of splitting up my photos – were messy to retrace years after the fact. If it happens again, I’ll deposit READMEs for myself as a memory aid.

Anyway, on with the trip. The number of photos we took was well down by recent holidays’ standards: I took less than 400 and my wife took 275. There were a couple of reasons. First and foremost, it’s a low key destination for wildlife. I sweated blood over what lenses to take to Cambodia a couple of years ago, and ended up lugging around everything, including my 100-400, which I used precisely never. So this time I took a more conservative approach: I packed my wide lens, my 24-105 and 100mm macro. I forgot my dust blower, which made me wary of getting dust on the sensor [a bloody nuisance to clone out after the fact] so, barring a couple of half-hearted, half-drunk HDR sessions with the 16-35, I kept my walkabout pretty much nailed on the whole time we were there. That meant I could take a much smaller bag – annoyingly, still too big to put under the seat in front of me on the Thai Airlines flight. It was an A380, and the cabin service was pretty decent [putting Air France to shame on our last long haul with them], but the seats had an odd configuration. There was a metal container along the side of one of the legs in front which, never mind my bag, meant that we couldn’t put our legs out straight for the flight. Bearing in mind that we’re both at the smurf end of the height distribution, it was pretty uncomfortable. I’ve a feeling that the metal boxes may have contained life jackets, so I guess we can file those under “necessary compromises”. So I ended up doing what I hate: putting my camera bag in the overhead storage and then having kittens every time someone goes near it.

The second reason for the low exposure count was that I got a camcorder for Christmas. I’m not going to post the results here because, frankly, I’m rubbish.

We flew in via Bangkok. The only point worth passing comment on is the fact that Bangkok airport is furiously expensive. Our layover was about 4 hours so once we’d figured out the puzzling procedure for transferring without a boarding card, we could relax and try to stay awake. Then we had a couple of hours on a twin prop plane into Luang Prabang airport, which was painful getting out of. There was an incomprehensible – well, with jet lag descending – queuing system for the visas, which flummoxed everyone, but which was endured in a good humoured manner by everyone. The patience started to evaporate when we spent a good half hour at the baggage reclaim, getting dizzy watching the same bags going round, and wondering why there was a queue forming at a desk next to it. We eventually found out that the plane was unburdened by luggage for all the passengers who had transited via Bangkok. That was about half the plane we reckoned: you have to admire the even-handedness of it, if nothing else. One American lady was threatening litigation. The bags duly appeared at the hotel the same evening, so I doubt she’d have had a chance to dispatch her lawyer.

Our first pit stop was Le Sen Boutique in Luang Prabang, which we both really enjoyed. The room had an unusual layout, with an absolutely enormous bed right next to the bath. It also had two showers, which I think was a first for us, solving a problem which we didn’t know we had: who showers first. I think it also had the best breakfasts of the trip. Luang Prabang [I have to almost physically restrain myself from adding ‘Kipperbang‘] was a mixed bag. While it’s touristy, we had some absolutely cracking meals there.

On the whole, the food we had throughout the holiday was fantastic. Having been to the 3 countries comprising former French Indochina, based on our admittedly limited experience, I think I’d rate the food in Laos the best. It’s a combination of unusual flavours, and very heavy uses of herbs and spices. My predominant recollection of the food in Cambodia was that it tended to be quite sweet. The Lao food is closer to Vietnamese in style, but is very distinctive in its own right.

We ate in a place called the Coconut Garden on the first night [a bit simpler than subsequent nights but nice], then had a fairly fancy tasting menu at the 3 Nagas, and finishing in Tamarind on our last night. I’d rate Tamarind as one of the food highlights of the holiday.

We had an early start on our first full morning with alms-giving. Someone at work had done this a couple of years ago and said it was packed. We were the only tourists at the spot we were taken to, which was a little off the beaten track in a residential part of town. I have to say I had mixed feelings about participating. It felt like a bit of an intrusion, and it’s part of a faith that I know practically nothing about.

Glass Buddha

We spent the rest of the morning walking around the town, the highlight of which was the local market [distinct from the night market]. Among the delicacies on sale were barbecued rats and squirrels. They look like any other cooked meat up to the point where you get to the head and feet, still attached, and with their teeth queuing up to get out of their mouths. We passed: having been hospitalised on our last trip to SE Asia, we tend to be very conservative with the street food options.

That afternoon we drove up to the Kuang Si waterfall. It was quite busy, but it was a pleasant enough walk up there, and the falls themselves were spectacular. I enjoyed watching a bloke flying what seemed like a very fancy drone. I have to admit they are on a [very] long list of toys I’d quite like. But as my wife will attest to, I have enough expensive hobbies to be getting on with, and there is a huge potential for expensive mistakes with them. They must make packing for holidays interesting. I could see myself with a choice between the drone and clothes.

Kuang Si

We had the next day to ourselves, and had a long walk from the hotel to the far end of town, which was a nice way of spending our last day while still wrestling with the jet lag.

Temple in Luang Prabang

The next day we flew to Vientiane, which we both really liked. My wife said that she could imagine herself living there. She didn’t say whether or not I’d be in tow with her but I remain hopeful. But, as we told ourselves, it was the middle of winter. It would be a very different proposition when it’s 40C+ and in the middle of the rainy season. There was a really relaxed feel to the place, lots of interesting shops and big wide boulevards. I was tempted to buy an old, ornate opium pipe in an antique shop for all of about 10 seconds, up to the point when I realised that it might turn into an interesting discussion at customs on the way home. We didn’t have any excursions planned for our first day in the capital, so it was nice pootling around and taking in the sights and sounds.

Vientiane

The room we had in the Ansara Hotel was vast. It had its own office area, just in case we were missing work, and had access onto a large terrace overlooking the pool. I was quite taken with the little laptop in the office which was running Ubuntu in some sort of kiosk mode, something I’d never come across before. I had a bit of a poke around: it seemed to create a new user every time it rebooted, which was quite an interesting approach to privacy. A point lost on whoever used the machine before me [without rebooting] and who failed to clear their cache: nothing dodgy, just really careless.

Anyway, back to South East Asia…

Vientiane HDR

We had what my wife rated as her standout meal on our last night, in a spot called the Lao Kitchen. She was amused to overhear a scrotal old duffer [he was English] telling his other half at the table next to us, “that’ll be on bloody Instagram in a bloody minute”, when my wife took a picture of her food – for private consideration, I might add. Part of me can’t wait to get to that age where all sense of discretion and your ability to judge how loudly you’re talking simply sail off into the sunset. Off to meet your long-departed moderate political views, I might add.

I won’t think of it as “going on holiday” any more, but rather “going abroad to complain about all the bloody foreign stuff” :).

Our second and final day in Vientiane was taken up with a tour of some temples. Interesting enough, but wasted on me. From there, we started a long trip south on Route 13, which we’d continue for the rest of the holiday. Our first stop was at a place called the Spring River Resort in Hin Boun. It was a stunning location. The room itself was a little on the basic side [no air con; electricity off for the early part of the day], but it overlooked a river with steep limestone formations looming over the other bank. The jagged karsts dominated the views for much of the rest of the journey.

Spring River Resort

Despite having relatively basic facilities, the network at the Resort was fantastic – something that we found repeated throughout the country. One more quick aside on the technology front, which really made me giggle: my iPhone wasn’t exactly tying itself down too much with the location for the weather:

The weather in the general vicinity of…

For what it’s worth, I’ve played around with the Google API that takes GPS coordinates and turns it into an address. This looks like a backing off of accuracy, based on address availability, taken to an extreme level.

It was a shame that we only had one night at the Resort because we really enjoyed it, but the main purpose of the stay was to break the journey so we could do a tour of the Kong Lor cave. It was really good fun: unlike our crystal maiden experience, we had full access to cameras, but I bottled out and left my SLR at home. The cave itself is huge [so even the flash would have been a waste most of the time] with most of the trip covered in a motor boat going at full tilt. The site could do with some more development: everywhere we pointed the head- and hand torches there were interesting rock formations, but we spent the majority of the hour or more we were in the cave in the dark, hoping that the guy driving the boat knew where he was going, and when to slow down.

Our next stop was in a town called Thakhek, which had a wild west vibe, and had what was probably the worst of the hotels we stayed in – the Inthira. It wasn’t terrible, it was just that the staff were almost universally miserable, and the food was a bit pants. Still, there was a decent little bar in the square across the road, where the beer was cheap and ice cold. Slightly incongruously, we had fantastic pizza on our last night there at a spot called Patalai.

Thakhek

We had one full day of sightseeing when we were in Thakhek, which started around a village called Ban Nakhang Xang in the morning. It was the closest that we came to something going wrong for the entire trip – other than the errant luggage – when a local guide failed to materialise for the first half hour. The walk started at the village, and quickly became quite steep via an overgrown path, at which point the shorts and sandals were starting to seem like a bad idea. After passing by a lake called Nong Thao, which was stunning, we ended up at our second cave, called Nong Paseum. It was occasionally a bit hairy clambering up and down over boulders, but interesting enough. Our final underground adventure was that afternoon, with a trip to the “Buddha Cave” at Nong Pa Fa. It was spectacular, but as an active Buddhist religious site, no cameras were allowed.

The last leg of the holiday started with another long drive down Route 13 to Champasak. We were staying at a hotel called The River Resort. The staff were fantastic, but it was very pricey. We ended up spending more in our 3 nights there than we did during the rest of the holiday combined. It has to be said it was a spectacular location, right on the bank of the Mekong.

Next up on the itinerary was the “4,000 island tour”. My wife was starting to feel the pace by this stage so decided to sit it out. A white lie that she wasn’t feeling well [rather than just saying she needed an idle day by the pool] started to take on a life of its own when our guide insisted on telling every staff member at the hotel to look after her. Meanwhile I was sheepishly saying that, really, she wasn’t that ill, all the while receiving withering glances for being a heartless bastard.

It was a physically demanding day, the best parts of which were the boat trips to and from the island of Don Khone. I could have taken or left the island itself: it was OK, but not really enough to warrant the long journey at that stage of the trip. Part of the day out involved transferring onto yet another boat to go and have a look at some fresh water dolphins. “Boat” is an evocative word, all sleek lines and sunglasses. By contrast, ours was a bloody wreck. I could see the water through a joint in the wood at the pointy end where I really don’t think you should have been able to. It was also incredibly uncomfortable, sitting on a slat a few inches high. We did see the dolphins but by that stage my back was so sore I could barely have mustered interest if they were doing somersaults, rather than just breaching the water every now and then.

Or as dolphins probably call it, “breathing”.

Mekong

Lippi Falls

Our last outing was a look around the Watt Phou temple complex. This was a highlight of the trip. It was scorching though: the further south we travelled throughout the fortnight, the hotter it was getting. There is a slog up some steep steps to the temple so it was tough going in what I reckon was mid-30s Celsius the day we went up there.

Watt Phou

Watt Phou

We weren’t able to stay in the country as long as we liked, because all of the hotels that made sense for our itinerary were full at the end of the second week. So, we had a long drive starting in the early afternoon of the Thursday, from Champasak across the Thai border to a regional airport called Ubon Ratchathani. One notable experience on the drive: we started it on the right hand side of the road and then, after crossing the border on foot, we got back into the car and continued on the left. It was a first for us. Contrary to what I guessed at the time, it’s actually not that unusual. There are vast swathes of former British empire influenced countries where you can do it.

When we got to the airport, we’d been misled by a couple of little details with the online check-in process that you normally take for granted: the time and the flight number, neither of which were on the departure board. Not a great leap of faith in the end – we worked out that ours was a flight with the same company going 10 minutes earlier or later – but it got our attention for a while. One slight nuisance was that we had to get our luggage at Bangkok. We were debating whether or not we would have to go all the way out through customs and passport control, and whether we’d have enough time. We did, and we did.

So, that was our couple of weeks. We’ve talked about going to Laos off and on since we went to Vietnam back in 2008. It’s hard to put our feelings about the place into context without sounding like we’re damning it with faint praise, but it’s lower key than some of the other places we’ve visited in Asia. Cambodia left more of a mark on us, but that’s principally to do with visiting places which remind you of how utterly traumatic its recent history has been. And we did get spectacularly ill in Phnom Penh, which we won’t forget in a hurry. Rather than raving about it since we got home, we’ve been a bit more measured in our praise. But there was plenty to see, the food was great and people were really friendly. Well worth the trip.

Automating Philips Hue Motion Sensor Functionality

OK, this turned out to be a *lot* more complicated than I thought. Here’s what I wanted to do: we have a Hue motion sensor in the bathroom which I’ve set up to do nothing during the day, and then come on at night. Nothing too controversial there. But I wanted to have a 3rd option: for a certain section of the night – say after midnight – to come on at a nightlight setting.

There’s a ‘3 times a charm formula‘ from the Hue Labs which sounded promising, but that only allows you to set the idle time after motion activation. So I started looking at the API. There were a few obvious options I tried which didn’t work [like simply setting the brightness – over-written by whatever scene you have set in the accessory setup].

This article set me on the right track for what I needed to do insofar as rule settings. By toggling changes on the smartphone app and then looking at the results in the Clip API debugger I narrowed down the changes to two rules called ‘MotionSensor 5.night-on’ and ‘MotionSensor 5.night-dark-on’. [Obviously the number is dependent on the identifier the sensor is registered under.]

This isn’t enough on its own. I gave up on this after my first pass, waiting for a rainy day to come back to it – today.

I ended up using OWASP ZAP to proxy the Hue app traffic, to see what it was doing when you submit a change to the sensor configuration. That’s quite interesting actually: I was initially a bit puzzled at what looked like a mountain of traffic on first pass, but what in part turns out to be a very zealous keep-alive – roughly twice a second.

Long and short of it is that resetting the scene config using the app overwrites a ‘resourcelink’ with new scene specific values, as well as updating the rules.

I’ve roughed this out with my own iOS app just to check that it works in a way that I can transplant to another setup [a cron job on a Raspberry Pi would be a reasonable candidate]. To toggle on the ‘dim at night after midnight’ setting I make 3 API calls. You’ll need to fiddle around with the clip tool to get the equivalents for your hub – specifically, your sensor number will be different. For me, these are:

  • Rule: MotionSensor 5.night-on
  • Rule: MotionSensor 5.night-dark-on
  • Resourcelink: MotionSensor 5

For the rules, I post the same ‘actions’ payload to both of the corresponding endpoints. It looks like:

{"actions": [
                {
                        "address": "/groups/YourActionNumber/action",
                        "method": "PUT",
                        "body": {
                                "scene": "YourDimSceneIDHere"
                        }
                },
                {
                        "address": "/sensors/YourStateNumber/state",
                        "method": "PUT",
                        "body": {
                                "status": 1
                        }
                }
        ]
}

Then for the resourcelink, I post:

{
    "name": "MotionSensor 5",
    "description": "MotionSensor 5 behavior",
    "type": "Link",
    "classid": 10020,
    "owner": "OwnerIDHere",
    "recycle": false,
    "links": [
              "/sensors/5",
              "/sensors/6",
              "/sensors/19",
              "/groups/5",
              "/rules/4",
              "/rules/5",
              "/rules/6",
              [etc.....]
              "/scenes/YourDimSceneIDHere",
              "/scenes/RecoverRoomSceneIDHere"
              ]
}

The sensor and rule set you’re linking to will be specific to your own setup.

I’ve no idea what that ‘recover scene’ is. I’m guessing it’s something that’s created when you configure a sensor in the first instance, and is some sort of default state.

There’s a corresponding 3 API calls which I need to make to toggle back to the scene for ‘bright pre-midnight’, replacing the scene ID accordingly.

At the point I gave up – where I was just making the rule changes – I could tell that it wasn’t right by loading up the config in the app. The partial configuration – without the resourcelink change – manifested itself simply as ‘do nothing’ for the nighttime slot. Resetting this restored the full config. I guess there’s always the danger that if you run wild and free with setting values incorrectly, you might invalidate the ruleset to the point where unpicking it could be a problem. All I can say is that the above approach works for me, but test carefully!

Making Your WordPress Site Harder to Break Into

If you are using an infrastructure-as-a-service offering to host your WordPress site, you might find the following suggestions useful. If you have web access to site administration, e.g., via CPanel, there’s not much more you can do beyond:

  • Install WordFence.
  • Pick a very long password for your admin account. Have a look at secondary authentication options [described below].
  • Keep your software up to date.
  • Have a long hard look at all of those plugins you’re using, and try to cut them to the bone.

Here are a few Linux specific things to consider:

  • Install fail2ban.
  • Install the fail2ban WordPress plugin.
  • Change the default port you are running sshd on from 22 to something above 1024. You might want to check the IANA port listing to avoid colliding with other daemons you may be running on your box. This is pretty painless to do. You could do the same for all of your other network services [obviously excluding your web site and mail transfer agent, if you’re using one].
  • Consider running TCP wrappers on your ssh daemon access. Be careful not to lock yourself out if you don’t have a fixed IP address from your service provider. I use BT: a bit of googling suggested a couple of likely address ranges [81. and 86.], but my get out of jail card is a static IP I can use with a VPN service, which I’ve also configured.
  • Consider restricting access to mysqld to localhost. You may have already done this during install. I have to admit I was pretty careless when I was installing the database in terms of notetaking so I just added a TCP wrapper to be on the safe side.
  • Have an extremely long password for your admin account. Mine is basically half a mile long in 8 point text.
  • Have a look at some secondary authentication [or at least Captcha style robot identification] mechanism on the login form. I’ve experimented with Duo in the past. Make sure you understand the implications of changing your mobile phone if you are using one of the app based mechanisms.
  • Consider chrooting your website. I don’t but I may.
  • Have a look at some of the security scanners, like ZAP. Again, be careful not to lock yourself out with fail2ban.

The rest of these are host specific. A good starting point is to run

nmap -n localhost

to confirm what network services you are running. For instance, I found that my Linux distro had an FTP server running out of the box which I didn’t know about. In my case it was as simple as

pgrep ftp

to get the process id, then

ps -ef | grep <process_number>

[substituting appropriately] to find what the process was, and then finally

apt-get remove <package_name>

For any other servers you need to run, there’s a pretty good chance that there is fail2ban config that you can use off the shelf.

Why I felt I needed to pay more attention…

A few months ago, based on the daily activity reports I get from WordFence, I started blocking ranges of addresses using iptables. So if I got repeated brute force attempts on my admin password from say 192.187.111.146 [this is a real example], I’d block the entire range by doing:

iptables -A INPUT -s 192.187.0.0/16 -j DROP

This was pretty tedious, but I only needed to do it around once a week. For some reason [presumably it’s some sort of off the shelf attack script], the attack counts from specific IPs always seemed to top out at exactly 1460 hits. Last week, I got my daily email which showed someone had hit the site 49k times that day. By the time I got home and did some digging in the logs, it was totalling more than 80k for the week. I suddenly realised that my manual blocking was way too blunt a tool, so last weekend I wrote a log scanning script launched by cron every 30 minutes. It pattern matches on the login form in the Apache log file and sends me an email if an individual IP tops out at over a certain threshold. The longer term plan was that I’d call another script that would automatically insert the block rule in iptables. There would be a bit of messing around with state management [seek to a point in the log file based on the timestamp to not go over the same ground twice or something] and it would have to be run as root, but it would be better than nothing. I happened to mention this to someone at work who told me about fail2ban, which is doing the same thing [but better than I could have implemented it].
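The kind of log scanner described above, as an added example and not the original script: it counts POSTs to the login form per client IP in an Apache access log and reports any IP over a threshold. For state management it saves a byte offset between cron runs rather than seeking by timestamp. The `/wp-login.php` path, the file names, the threshold and the sample log lines are assumptions constructed for illustration.

```python
"""Added example: flag IPs hammering the WordPress login form in an Apache log."""
import os
import re
import tempfile
from collections import Counter

# Apache common/combined format: client IP first, request line in quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')
LOGIN_PATH = "/wp-login.php"  # assumption: default WordPress login URL


def scan(log_path, state_path, threshold):
    """Return {ip: hits} for IPs with more than `threshold` login POSTs
    among the lines appended to the log since the previous run."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            offset = int(fh.read().strip() or 0)
    # A log shorter than the saved offset has been rotated: start from the top.
    # (A rotated log that has already grown past the offset is not detected.)
    if offset > os.path.getsize(log_path):
        offset = 0

    hits = Counter()
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # partial line still being written; read it next run
            offset += len(raw)
            m = LINE_RE.match(raw.decode("utf-8", "replace"))
            if not m:
                continue
            ip, method, url = m.groups()
            # Compare the path only, so a query string cannot hide the form.
            if method == "POST" and url.split("?", 1)[0].endswith(LOGIN_PATH):
                hits[ip] += 1

    with open(state_path, "w") as fh:
        fh.write(str(offset))
    return {ip: n for ip, n in hits.items() if n > threshold}


def demo():
    """Run scan() three times over a constructed log: first pass, appended
    lines only, then a simulated rotation."""
    line = '{ip} - - [10/Oct/2020:13:55:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"\n'
    first = [line.format(ip="203.0.113.7", s=i, req="POST /wp-login.php", st=200)
             for i in range(6)]
    first += [line.format(ip="198.51.100.4", s=10, req="GET /wp-login.php", st=200),
              line.format(ip="198.51.100.4", s=11, req="POST /wp-login.php", st=302)]
    second = [line.format(ip="198.51.100.9", s=20 + i, req="POST /wp-login.php?x=1", st=200)
              for i in range(4)]
    with tempfile.TemporaryDirectory() as d:
        log, state = os.path.join(d, "access.log"), os.path.join(d, "offset")
        with open(log, "w") as fh:
            fh.writelines(first)
        run1 = scan(log, state, threshold=3)
        with open(log, "a") as fh:
            fh.writelines(second)
        run2 = scan(log, state, threshold=3)   # sees only the appended lines
        with open(log, "w") as fh:             # rotation: shorter file
            fh.writelines(second[:1])
        run3 = scan(log, state, threshold=0)
    return run1, run2, run3


if __name__ == "__main__":
    for result in demo():
        print(result)
```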

I also had a dig around at ssh logs, and discovered that some kind soul was trying to brute force the root password, and was up to 8k attempts for the week. Subsequent digging showed that the same thing was happening with my Imap server, but on a smaller scale.

While what I’ve suggested here isn’t necessarily bullet proof, it’s a reasonable start. Bear in mind that the types of attacks I’m seeing are commensurate with the value of my site, which in commercial terms is zero. And oh, the irony, when my server gets brought to its knees next week by someone with serious intent :).