Radio Frequency Exposure (RFE) Calculator

So far in my amateur radio career, I have not been able to offer much that may be of use to other hams. That changes today. A while back, when I was dreaming about where to put my antennas safely, I did a lot of research about radio frequency exposure. I pored over OET Bulletin 65, which details the FCC’s limits on human exposure to RF electromagnetic fields. They have formulas and tables and forms to fill out. It is all wonderful and fine, if you live in the 1960s. Welcome to the 21st Century. We live in a world of computers to do all that number crunching for you. I looked around for any web-based things that would help, but the closest I could find was a power density calculator written by W4/VP9KF. This is fine if you want to do it for EVERY band on EVERY transmitter each time you make a change to your station. Plus, it means that I have to transmit all that data to his PHP script, which does the calculations and sends them back. We have this great thing in web browsers called JavaScript, which is more than powerful enough to do the work. I set upon creating a JS-only version of his creation. But it still lacked the memory—I would still need to re-enter for each band for every change. And it wouldn’t let me view multiple bands at once. Bigger calculator!

This is where my offering steps in. My requirements:

  1. Save my data so I don’t have to re-enter everything every time
  2. Something I can share with others, without saving their data on my server
  3. Let me add, edit, delete at will
  4. Something that can show all my transmitter/antenna/connection information at once

Seems easy enough, right? It was the first two that really got me stuck. I whipped up a little JavaScript ditty that fulfilled number four in very little time at all. Number three was dependent upon the first two and was technically the hardest, but once I had the first two figured out, it was only coding, which I enjoy.

And this is what I came up with: N7OH RFE Calculator. Take it for a spin, share it with your friends. Upon your initial visit, it may not look like much, but if you move over to the “Import/Export” tab, you can press the “Reset to sample data” button and see it in action. Please offer suggestions and comments if you find it to be too difficult to use or see something that might make it better.

As for fulfilling my four requirements, the first two were done once I learned about local storage with HTML 5. This means that your web browser is storing the data. Not as a cookie, but similar. Cookies get sent back to the server with each request. Local storage is meant to be persistent data that a web page can access via JavaScript to be used locally. This means I can save my data on my machine and your data on your machine. I can host the page for everyone, yet not save everyone else’s data on my server. The add/edit/delete requirement was probably the most fun I have had with jQuery to date. And I hardly scratched the surface of what it can do. Lastly, the glory of the Results tab just makes me weak in the knees. Okay, not really, but it is the crown jewel of the whole application. It shows all the stuff you want to know about your radio setup.

Combating SpamBots

The war against spam is ever escalating. Two weeks ago I took my anti-spam tactics to the next level. I want people to be able to post comments to my website without registering. Anonymous comments (or rather unverified authors of comments) should be available if the webmaster sees fit. But I have found that in the past several months that comment spam was getting to be a real problem. I logged in one day and found that there were several hundred spam comments that had gone unnoticed for quite some time. At that time, I did not have any anti-spam measures. I looked around and added a CAPTCHA to the comment form. That stopped most of the spam, but the determined spammers were still getting through.

Failed CAPTCHA responses per IP address in the failed CAPTCHA log, highest first: 514, 250, 160, 158, 138, 111, 78, 78, 73, 72, 69, 60, 60, 54, 54, 52, 50.
2700+ other unique hosts: <50 hits per host.

In the past 2 months, I have logged more than 14,000 failed CAPTCHA attempts. Most of the unique hosts have one or two failures, but more than 1,000 unique IP addresses have four or more failures. At some point you have to draw the line and I draw it at four. Or maybe three. One or two failures can easily be done even if a bona fide person is responding. But usually only spambots are dumb enough to get more than three failures.

I can characterize the failures and many of them seem to be of a certain form: hit twice in rapid succession and then give up for a while. Two hits alone is not usually successful — it usually guesses an empty string or 0 or 1. The problem is if you are using a math CAPTCHA, those can be the right answer. And obviously, if the spambot keeps at it two at a time, it will eventually guess correctly and be able to post. I found that the spambot was able to crack several of the CAPTCHAs I offered: ReCAPTCHA, math, word list, word order, etc. Other than ReCAPTCHA, the other ones can be cracked by random entries. I am not sure how they managed to crack ReCAPTCHA. But it was starting to make me angry at all the spam. Finally, in addition to CAPTCHA I resorted to using comment moderation, requiring me to log in and manually approve all comments. I really don’t like this because sometimes I forget. Then the comments get old and people think I don’t care.

I did a little hunting around the Drupal front and found Mollom. This is a nice line of defense against spam. But I read elsewhere that in some cases it wasn’t catching it all. Remember that spambots are in it for the speed and money, so their GET to POST times are very short. I whipped up a little module that checks that. All you super-human typists had better slow down when commenting on my forms. Then I took a page out of Ignacio Segura’s book and added a honeypot to the comment form to my little module as well. Though you will not see it (unless you are looking at the HTML source, reading with a non-CSS compliant browser like lynx, or are a spambot), it is meant to be left empty and will cause a form rejection if it has any text in it.

Then one step more. Because what is escalation if you are not really accelerating? I noticed that once spambots did get in that they usually were ‘advertising’ for companies of ill repute. Offering things like p1Lz and other items to EnH4Nc3 certain parts of one’s body. But in order to get around blacklists for certain words, they intentionally misspell what they are advertising for and also have links to obscurely named domains (which are usually not words either.) I figured any rational thinking human being would spell at least 75% of their words correctly (and that includes things like spambot and acronyms and other non-English shortcuts). So my latest addition to the spam warfare is PHP’s pspell library. So all you spammers out there had better spell it right.

Then as the final blow to spammers (and bad spellers everywhere) I added a “three strikes and you are out” gotcha where if you fail the previous tests more than a given number of times, you will get added to the blacklist. All entries in the blacklist are forbidden to access any part of the website. Permanently. And it seems to work. I have not seen any spam get past the filters in the last two weeks that this has been in effect. Let’s hope this lasts.
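
The layered checks described above (GET-to-POST timing, honeypot field, spelling ratio, and a strike counter feeding a blacklist) can be sketched as follows. This is an added example in Python, not the author's Drupal module: the class and function names are hypothetical, the 5-second minimum, the strike threshold and the tiny word list (standing in for pspell) are assumptions, and the addresses and comments are constructed.

```python
import re
import time
from collections import defaultdict

# Constructed mini dictionary; the post uses PHP's pspell for this step.
WORDS = set("""a and antenna at calculator for good great i is it my of on
post radio thanks the this to with works you your""".split())

MIN_SECONDS = 5      # assumed shortest plausible GET-to-POST time for a human
MIN_SPELLED = 0.75   # the post's "at least 75% spelled correctly"
STRIKE_LIMIT = 3     # assumed threshold for "three strikes and you are out"


class CommentFilter:
    """Hypothetical sketch of the layered checks, not the author's module."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.served = {}                  # form token -> time of the GET
        self.strikes = defaultdict(int)   # IP -> failed checks so far
        self.blacklist = set()

    def serve_form(self, token):
        """Record when a comment form was handed out."""
        self.served[token] = self.clock()

    @staticmethod
    def spelled_ratio(text):
        """Fraction of the words in text that appear in the dictionary."""
        words = re.findall(r"[a-z0-9']+", text.lower())
        return sum(w in WORDS for w in words) / len(words) if words else 0.0

    def check(self, ip, token, body, honeypot=""):
        """Return (HTTP status, reason) for one submitted comment."""
        if ip in self.blacklist:
            return 403, "blacklisted"
        served = self.served.pop(token, None)   # single use: replays fail
        if served is None:
            reason = "unknown form token"
        elif honeypot:
            reason = "honeypot filled"
        elif self.clock() - served < MIN_SECONDS:
            reason = "posted too fast"
        elif self.spelled_ratio(body) < MIN_SPELLED:
            reason = "too many misspellings"
        else:
            return 200, "accepted"
        self.strikes[ip] += 1
        if self.strikes[ip] >= STRIKE_LIMIT:
            self.blacklist.add(ip)
        return 400, reason


def demo():
    """Replay constructed submissions against a fake clock."""
    now = [1000.0]
    f = CommentFilter(clock=lambda: now[0])
    human, bot = "198.51.100.9", "203.0.113.7"   # documentation addresses
    submissions = [
        (human, 40, "Thanks for the calculator, it works great with my antenna", ""),
        (bot, 1, "great post", ""),
        (bot, 30, "great post", "http://spam.example"),
        (bot, 30, "ch34p p1Lz EnH4Nc3 at qzxv-store", ""),
        (bot, 30, "Thanks for the good post", ""),
    ]
    results = []
    for n, (ip, delay, body, honeypot) in enumerate(submissions):
        token = f"form-{n}"
        f.serve_form(token)
        now[0] += delay
        results.append(f.check(ip, token, body, honeypot))
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The last constructed submission is well spelled and slow enough, yet it is still refused with a 403 because the sender's earlier three failures already put the address on the blacklist.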

I was curious about the actual counts of things, so I whipped up a few SQL queries that gave me the statistics that I wanted. I pushed it all into OOo and came up with this fine chart. There are a couple of things to note:

  • This is about a month of data.
  • The yellow line (number of daily comment spam posts) is on the scale to the right. The other two lines are on the scale to the left.
  • The first day I tried all this stuff out (29 Jul) I didn’t actually have the blacklist implemented, which accounts for no HTTP/403 entries on that day
  • There has been zero comment spam since 29 Jul. It is not for a lack of trying.
  • The blue line shows the number of newly recognized SpamBot IP addresses.
  • The red-orange line shows the number of attempts from previously identified SpamBots that got rejected by the blacklist.
  • I find it quite funny that the HTTP/403 line looks like my server is flipping the bird at the SpamBots. That’s what it is doing…. And no, I did not doctor the data.
  • I see that there seem to be trends or waves of spam. That is fascinating and frightening all at the same time.

Do you do anything to combat spam on your sites? Obviously comment moderation is the only truly perfect filter, but it requires so much work. Especially when I really don’t get that many human comments per day, but loads of spam attempts.

Today ends with Vernon: 15, SpamBots: 0.

Callsign Change

I recently had the itch to change my Amateur Radio callsign because the one I had chosen before (NV2M) is from region 2, and I live in region 7. I didn’t think it mattered that much, but it seemed that half the time I would tell someone my callsign, they would question me and ask again. I decided to find a 1×2 or 2×1 in region 7. I found a couple of 2×1 callsigns that were acceptable and then I read about how to ‘pan for 1×2 gold’ on a couple of websites. Basically if you can find a silent key (a ham who has passed away) that still has an active callsign even though he/she passed away more than 2 years ago, then you can request that the FCC cancel the callsign and you can apply for it.

I did what any programmer would do and downloaded the FCC database and wrote a script that queries the database for the callsigns I am interested in ([KNW]7[A-Z]{2}) and then queried the SSDI (social security death index) to see if that person had a record there. I found several that were immediately available and about twice that many that had passed away less than 2 years ago. I picked my favorite and applied. Then I requested that the FCC cancel the original license. So now I am the proud new owner of N7OH.

I picked N7OH because it is 1×2 in region 7, it has a light phonetic weight (No-vem-ber Se-ven Os-cah Ho-tel), it has a light CW weight (48, the same as NV2M), and it sounds cool in CW (dah-dit dah-dah-dit-dit-dit dah-dah-dah dit-dit-dit-dit). The last item on my list there was just the icing on the cake since I am still trying to learn CW. Beyond the 1×2 in district 7, the biggest deciding factor was whether or not I liked the sound phonetically. Some letters I like better than others. My least favorites are most of the three-syllable letters like juliet, romeo, sierra, uniform. November is okay, but only because it is common as a prefix. I also had a list of favorite and less favorite two-syllable letters. Let’s just say that oscah-hotel is not my favorite, but it was loads better than the other options I had. And since 1×2 callsigns are so rare (2,028 for ~14,000 Amateur Extra operators in region 7; 20,280 for ~124,000 Amateur Extra operators nationwide) I figured I should just take what I could and not get too picky. Ideally, I would like K7VM, but that one is taken.

Ramble, ramble, ramble. Enough of that. Now to go order my Oregon Amateur Radio license plates for my car.

Nouveau Baked Beans

When you think of baked beans, you usually mentally insert Boston at the front. These are not Boston Baked Beans. More like Chickpea Popcorn or something. They make a great, tasty, healthful snack.

Nouveau Baked Beans

  • 2 C. cooked garbanzo beans (~ 3/4 C. dry beans, prepared)
  • olive oil
  • seasonings

Coat the beans in olive oil and bake on a cookie sheet at 425°F for 15-17 minutes or until starting to brown. Take care, the beans hiss, spit, pop and jump while baking. You may want to stir them part way through. Remove beans from oven and toss with seasonings. Try salt and pepper, curry powder, cumin, or any other flavor you like. Eat as an appetizer or add to a salad. Mmmm.

Musings on the transition to IPv6

As a part of the IPv6 certification program, you have an opportunity to earn extra points by daily activities: IPv6 traceroute, AAAA dig, IPv6 PTR dig, IPv6 ping, and IPv6 whois. Among those, I would say the most commonly used by me are ping and traceroute, then the digs and finally whois. But I use ping and ping6 every day. Yes, the tool to ping something is actually 2 tools. It seems odd that while so many other programs seamlessly handle both network protocols just fine, this one requires a whole new binary. The ‘route’ command is a single binary, using a command line argument ‘-4’ or ‘-6’ to determine which protocol to use. It defaults to IPv4, since that was around first. On the other hand, nc, dig, ssh/scp, telnet, mtr, wget, curl, ip (though it uses ‘inet’ and ‘inet6’), and many more default to IPv6, only choosing IPv4 if specified or if it is the only protocol available. Then we have the dark side: ping/ping6, traceroute/traceroute6, iptables/ip6tables (along with the -save and -restore variants), and maybe some others.

What prompted the authors of those programs to fork the code to add IPv6 support? I would bet that most of the logic is the same. In fact the man page for ping lists ping6 too; they have the same options. Why can’t I just say `ping -6` or `traceroute -4`? Last night, I finally got fed up with ping and wrote a little Python wrapper for ping, which parses the arguments, ignoring all except ‘-4’ and ‘-6’ and then passing everything else on to the appropriate ping. If neither ‘-4’ nor ‘-6’ is passed, it does a quick dig for an AAAA address to test if the remote host is even capable of IPv6 and then automatically chooses the right ping. I shouldn’t have to do this though. Please give me a reason besides breaking legacy stuff to have an entirely new program. Legacy is not a good enough reason, you can only pack around so much baggage before it pulls you down. Just ask Intel. 🙂
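
A wrapper along the lines described above could look like this. It is an added example, not the author's script: the function names are hypothetical, the destination is assumed to be the last argument, and `socket.getaddrinfo` restricted to `AF_INET6` stands in for the AAAA dig.

```python
import os
import socket
import sys


def has_aaaa(host):
    """True if host resolves to at least one IPv6 address.

    Stands in for the post's "quick dig for an AAAA address".
    """
    try:
        return bool(socket.getaddrinfo(host, None, socket.AF_INET6))
    except socket.gaierror:
        return False


def build_command(argv, has_ipv6=has_aaaa):
    """Turn wrapper arguments into the argv of the real ping or ping6.

    '-4' and '-6' are consumed here (the last one given wins); every other
    argument is passed through untouched. Assumption: the destination is
    the last remaining argument.
    """
    family = None
    rest = []
    for arg in argv:
        if arg in ("-4", "-6"):
            family = arg
        else:
            rest.append(arg)
    if not rest:
        raise SystemExit("usage: ping [-4|-6] [ping options] destination")
    if family is None:
        # No explicit choice: prefer IPv6 whenever the host offers it.
        family = "-6" if has_ipv6(rest[-1]) else "-4"
    return ["ping6" if family == "-6" else "ping"] + rest


def main():
    cmd = build_command(sys.argv[1:])
    # exec with an argument list: no shell ever parses the host name.
    os.execvp(cmd[0], cmd)


if __name__ == "__main__":
    main()
```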

Finally, you have the ubiquitous browsers, which if they are well behaved do both IPv4 and IPv6, favoring the latter when it is available (and not even really letting you pick or telling you what you are using; the only way to know for sure is to have the webserver report your IP address). This is helpful for the chicken/egg scenario that we are seeing with this transition. We don’t need to support IPv6, nobody is using it. But if we can at least get all the dual-stack folks to use it by default, that will give a little push. This leads us to other services. Most of the services that I have come across now support IPv6 as well; http (apache2, lighttpd, cherokee, and more), smtp (postfix, exim, qmail, and more), imap (courier, uw-imap, and more), dns (bind, dnsmasq), and many more. The services vary on whether they listen by default on IPv6 if it is available. Most you have to configure to suppress IPv6 support; that is a good default.

The truth is, most people don’t care about the transition to IPv6; most don’t even know what IPv6 is and don’t want to know. But the end of IPv4 is looming on the horizon and it may hurt when it gets here unless we, the geeks who run the networking backbone of the planet, make sure we are ready. The current policy of many applications to default to IPv4 for legacy’s sake needs to stop. If the computer has IPv6 connectivity, it should be using that by default and falling back to IPv4 only when explicitly requested or when the service is not available on IPv6. Then we just have to get all those lumbering service providers to move. But there’s no business justification for IPv6…. Make one and save the planet.

Server Tinkering

I was born to tinker. I think this must be the opposite of the optimizer. I see a project in anything that I could tweak to make it a little better. This not only applies to computers, which are the easiest thing to tinker with, but food, DIY projects, and more. This particular post is centered a little more around computer tinkering, just as a warning to the technophobes.

My host for the past 2+ years for this server has been Site5. They have been adequate. I had never used a Web Hosting Service before so this was a whole new experience. Moving there from a private server took a lot of tweaking. Server wise, they were pretty good. I think my site got its fair share of the server pie, but it is not a really demanding site. Service wise (meaning the people), I think they only get 4 out of 5 stars. Whenever I had a problem, they did finally resolve it, but it took some work and push-back from me to make it happen. Usually the first contact would try to blow me off. I would patiently explain that they were contractually obligated to fix the problem and then ‘level 2’ support would fix it. I could deal with this if they had all the features I wanted, but I wanted more. Sure, they have ‘unlimited’ disk space (as long as you don’t use it), and unlimited bandwidth, which with my vast sea of devoted readers, I don’t really need. But what I do need is IPv6. And they have no plans for that (at least I am privy to none).

So I jumped ship. The market for dual stack hosting is not yet very big so there really aren’t that many service providers yet. I finally found BurstNET®, which seemed to offer IPv6 as well as very low-priced VPS (Virtual Private Server). So low, in fact that I could get a whole VPS for less than I was paying at Site5. That’s very cool. Being a tinkerer, I really need w00t. Still, since BurstNET uses OpenVZ technology instead of Xen or KVM, I don’t quite have complete control over everything. I don’t get to configure my network, for instance. But I do have two static IPv4 IP addresses; doing my part to reduce the remaining pool of IPv4 addresses. And after a quick service request, they granted me two IPv6 addresses. Yes, only two, not an entire subnet. I thought that was odd, but hey, at least it is something. Their service department has been nothing but good. I have made several requests for help:

  • Request for IPv6 connectivity
  • Request for reverse-DNS mapping IPv4 and IPv6 addresses
  • Request to get ip6tables working

All their responses were quick and positive. This was the best service I had ever gotten and for what? Yup, $5/mo. This month I got more than my money’s worth in support man-hours. I am hoping that the tinkering I have done over the last week is sufficient to have my VPS in decent shape.

Also as part of my tinkering, I managed to set up my VPS as a master name server for the three DNS zones that I control (,, and my IPv6 arpa reverse zone). Then, using’s DNS service, I can push to their DNS slave servers. This means that I have five geographically diverse, topologically diverse, redundant nameservers. So even though almost nobody reads my blog, you will never not be able to track it down.

Now on to the next tinkering project….

IPv6 Certified

IPv6 Certification Badge for vmauery

Some will care and some will not, but I can now boast that I have finished all the IPv6 certification tests at at The last one was a real stinker. A while back, I registered because I wanted to tinker with DNS stuff. But it turns out that I registered with a registrar that doesn’t support IPv6 glue records, which were the entirety of the last certification step. I gave up after a while, since I didn’t know what I was doing and didn’t have the time to sit down and figure it out. Recently I got the itch to finish up my certification with I looked into glue records, which are basically the link that breaks the recursion in DNS. For IPv4, the glue records are apparently pretty easy to come by, but few registrars will do IPv6 glue records yet. Especially few actually have a way to do it without raising a support ticket. I found one that does (, moved over to them, and got my glue records all up in the TLD’s nameserver. Hooray.

Now, is a fully functional IPv4/IPv6 domain. You can access it via IPv4 only, dual stack, or IPv6 only. Too bad it doesn’t really do anything that you could get access to… I don’t run any public webservers in the domain or anything. It is basically my home network. Like I said, I purchased the domain because I wanted to play around with DNS and learn some things. For a long while, I was using mauery.home as my domain. I know, .home is not a real TLD, but I figured that it would make sure that there were no namespace collisions with any legitimate domain names. I have since moved over to the domain.

Does my certification make me superior to you? Maybe not. But my domain kicks your domain’s arrobase. And the free t-shirt doesn’t hurt.

MythTV 0.23 running on Lucid

Bella, my mythbox, has been overheating for the past few months when the furnace has been running. Whenever we would watch HD content, decoding (and likely resizing) the stream to our screen would take too much CPU horsepower. Watching an HD stream would use nearly 100% of one of the two 2.1GHz Athlon cores. Then her over-sized, quiet fan would kick into high gear. Sometimes I would feel sorry for her and pull the top cover off to let out all that hot air. VDPAU has been around for a while now, and Bella’s video card is supported, so I have been itching to upgrade her to Lucid. I started a couple of weeks ago by installing to an external USB drive. This way, I didn’t interrupt the regular programming. I could boot to the drive, tinker, fix, test, etc., and then boot back to the main drive when I was done.

I tried to copy over the original database so I didn’t lose any settings, but that didn’t seem to work very well. The database upgrade scripts kept dying on me. I finally rolled up my sleeves and dug in a little deeper. The error messages that it was giving me were about duplicate columns in tables. I am not sure how they got there, but with my mysql hacker-foo skills, I manually altered the tables to drop the columns, which allowed the script to successfully update the mythconverg database. Then it seemed to be working. Kind of.

Bella has a little USB card reader that does a variety of memory card types. For whatever reason, when probed, it reports that it has devices there already, even though there are no cards plugged in. It reports /dev/sd{d,e,f,g}. For whatever reason, mythfrontend likes to probe devices and try to mount them??? When it runs into these non-devices, it segfaults. I finally just decided to unplug the card reader from the motherboard and mythfrontend starts up just fine.

With Myth finally up and running, it doesn’t take long to make sure all the settings are good. I kick off a show and notice that the processor is still running at full speed. A little more digging and I find the VDPAU setting screen. I turn it on and voilà! CPU usage drops to 40%. I was a little underwhelmed by this number, hoping to see something more on the order of 5%. I don’t know if it is because of the stream type or maybe my hardware? The video card is several years old and one of the earlier ones that does support VDPAU. And the stream is whatever the broadcasters in my area are using. I assume it is MPEG2, while H.264 is what VDPAU would prefer? Anyway, something is better than nothing. I just hope that the reduction in CPU thermal requirements is sufficient.

Defeating a Ninja

I was recently asked if I had ever used Ninja on any of my machines. I had not even heard of such a thing. I found that it was available in the Lucid repository, so I installed it and configured it for my system. The two changes I made were to have it constantly poll, instead of waiting 1 second between polls; and to kill the offending tasks, instead of merely warning about them. I whipped up a little back door application that gets root. I ran it and sure enough, it was instantly killed by the Ninja. But how instantly? There is a race there to be sure. I had my w00t process run ‘killall -9 ninja’ instead of giving me a root shell. Sure enough, my hack was faster than the Ninja. It must only be a wannabe or maybe a Ninja Apprentice. Whatever it is, I defeated the Ninja in less than ten minutes. Without even breaking a sweat.

Ninja may be good in concept, but poor in execution (I’m so punny!!!) The race window that exists is wide enough to easily defeat it. What it needs to do is something along these lines:

1) Run the critical section in the kernel as a kprobe parked on the fork, exec, setuid, setgid syscalls.
2) On each watched syscall, check for escalation and pause execution while we pop out to userspace (probably via the kprobe print functions) and do a bit of testing.
3) If we pass muster, let the task go, otherwise kill it.

This way, we can pause the questionable tasks in the kernel before they get a chance to do anything malicious.

Right now, all Ninja does is make you think you are safe, while really, it does very little for you.

AVR junkie paradise

I have been pining for some shiny tiny hardware that would look good in the CW (Morse code) paddle that I am making. Arduino had been a first choice for several days. I was on the verge of buying a couple of boards when I came across PJRC’s Teensy. It really is teensy. But it incorporates a little bit of hardware that I had not seen in a proto-board before: Atmel’s 8-bit MCU with USB support. The Teensy has the Mega32U4 processor at its core, which has 32kB of flash, 2.5kB SRAM, and 1kB EEPROM, support for up to 6 USB full-speed functions, and lots more of the standard AtMega goodies. I think one of the coolest things about this board is that once you have a bootloader in place, you can flash the system over the USB connection that it already has. No need for an extra programmer and more cables. And even if you screw up your application, the bootloader is safe, because it is protected by separate lock bits.

To make a short story even shorter, I ordered two Teensy boards over the weekend and they arrived today. Fast shipping. (It helps that PJRC is less than 20 miles away.)

I am in Atmel junkie paradise.