Worthless Questions at Lectures

I’ve previously blogged about the productive length of questions at lectures [1]. But it seems to me that worthless questions can be recognised before the person asking even gets properly started. Here is a list of ways of recognising them:

  1. Appeal to authority. If someone tells you about their job or other qualifications before asking a question then the question is almost certain to be useless. If a question is good then it can be asked by someone with no special qualifications who has 20 seconds to ask.
  2. An introduction that shows that it’s not a question. Anything starting with a statement like “I just want to say” isn’t a question and has no place in a conference lecture hall. After a lecture the speaker will usually hang around and talk to delegates, anyone can make comments then or send email later. In this case it’s not just that statements are inappropriate for “question time” it’s that people who think that they are so important that their statement is more important than genuine questions probably aren’t going to have anything useful to say.
  3. A second question. Anyone who has more than one question wants a conversation – they can do that privately after question time. Again it’s people with an over-inflated opinion of their own importance who do this.
  4. A statement of “fact” that they want the speaker to address. Questions should mostly concern facts referenced by the speaker. “Facts” that are cited by the audience are often the sort of thing that can be easily disproved by Snopes or Wikipedia – but not in the amount of time available during a lecture. While it is possible to ask useful questions regarding facts that weren’t presented in the lecture my observation is that most such questions are worthless and the “facts” are false.

I think that for a serious lecture the MC should cut off such questions when they start. Once enough has been said to make it obvious that the question falls into one of the above categories I believe that the correct thing to do is to say “that’s probably a good thing to discuss after the lecture”, and then move on to the next question.

Please note that the above list isn’t comprehensive. Let me know if you have suggestions for any I missed.

ASD Self-Diagnosis Tests

Here are some online psychological tests that can be used as part of an Autism Spectrum Disorder (ASD) self-diagnosis.

Simon Baron-Cohen is well known for his research into Autism, some of it is quite controversial (particularly the “Extreme Male Brain” theory which is widely rejected in the Autism community). There are some interesting tests based on his work though, GlennRowe.net has some online tests for Systemising Quotient, Empathy Quotient, Autism Spectrum Quotient, and the Mind in the Eyes test [1].

rdos.net has an online Aspie Quiz that allows you to create an account and track your results over time [2].

There is an online Alexithymia test, note that the Alexithymia.us site has no useful content other than the test [3]. It would be useful if someone would create a better site about Alexithymia. I’d be happy to provide hosting for a forum if someone would do the moderation.

Some Suggestions for Parents of Aspies

I’ve had a couple of parents ask me for advice about children with Asperger Syndrome (AS), in one case a child who was formally diagnosed and in another case a child who is suspected of being an Aspie but who hasn’t been assessed. I don’t claim to be an expert on these things, but based on my own experiences growing up and what I’ve read from others I can at least provide some pointers for further research.

One thing to note is that it’s worth seeking advice from people who are on the Autism Spectrum as well as Neuro-Typical (NT) people in regard to these issues. You should also keep in mind the fact that the experiences of people on the Spectrum vary a lot, in this post I try to represent some people on the Autism Spectrum who are quite different from me to give a broad overview of the issue. But you should read what others write too. There will be some kids on the Spectrum who are in some ways quite different to what I describe, there’s lots of ways to not be average.

Should Your Child be Assessed?

A common issue is whether a child should be assessed for an Autism Spectrum Disorder (ASD).

For a young child there is no reason not to have them assessed. It is expensive but any time a parent thinks that their child is an Aspie they are probably correct (most parents seem to live in denial if at all possible). In most first-world countries a diagnosis of an Autism Spectrum Disorder in a child will result in a moderate amount of government funding so the expense will be repaid. The staff of any medical center can usually provide advice on where to look for information about government funding.

Some parents refuse to have their children assessed because they “don’t want their child to be labelled”. If the child in question attends school the other children will notice that they are different and label them, so this really isn’t an issue.

For a child who is old enough to make their own decisions it’s a really good idea to consult the child first. Doing a covert assessment and then springing the result on them can be taken really badly. There is an Aspie tendency to not appreciate surprises, and “that person you spoke to was a psychologist who diagnosed you with AS” is the type of surprise that can be taken badly. Of course the down-side to giving your child a choice is that they may not choose what you want – it’s something you have to deal with.

Note that the child doesn’t need to be old enough to make decisions that are necessarily good before they need to be consulted. While an 11yo may make grossly ill-informed decisions they will make decisions that they care about and remember it for a long time if you ignore their wishes. Even if you aren’t going to give your child a choice you should at least inform them in general terms of what is happening if they are old enough to understand.

I’ve seen suggestions that informing a child who was diagnosed when very young should be handled in the same way as informing a child that they were adopted. Tell them when they are very young and fill in more details as they get older.

When a child is diagnosed they should be informed. It’s best to inform them of the diagnosis as soon as possible, obviously young children won’t understand it properly but they should have the amount of information that they can handle. I’ve seen this compared to informing adopted children, if you tell them when they are very young and provide more details as they grow up they will never have a shocking realisation. If a child isn’t informed then they will just wonder why the other kids are always mean to them for no apparent reason.

Benefits of Assessment

When a child has been formally diagnosed there may be government funding available to the school (sometimes to the extent of hiring an extra teacher) and the school can arrange a formal support plan. If the management of the school are not willing to arrange such a support plan (which is often a legal requirement – but they may not want to obey the law) then it’s best to find another school.

An assessment for a child should include a document of the details of their case. Any school that has a decent special needs program will need a copy of that to know exactly the issues that they are dealing with, if they just want to know the diagnosis as a one word summary then they aren’t running their special needs program properly. But for an adult a one-word diagnosis is acceptable as adults will generally already know what issues they face.

In some countries the parents of an Aspie child can apply for social security payments.

If the child happens to need to see a psychologist for reasons that aren’t directly related to an ASD then they need to be diagnosed first. The strategies that psychologists use with NTs tend not to work well with Aspies. As the issues related to an ASD can give an increased risk of depression and other psychological problems this is something that’s worth keeping in mind.

Finally it’s good if parents and children can understand each other, and getting everyone diagnosed is an important part of that.

Can it be Cured?

ASDs are the result of differences in brain development and can’t be cured as such. People who are on the Spectrum learn strategies for coping and the environment can be configured to make things easier for them. Trying to cure something that is incurable is not a good strategy, at best it will take resources away from more useful things. There are many reports of parents spending tens of thousands of dollars on quack treatments that do no good.

There has been a lot of medical research into the issue of whether ASDs are caused by vaccines, it all shows that there is no link to vaccination. Anyone who claims otherwise is a liar or a quack and should not be believed.

Chelation doesn’t do any good for anyone unless they are suffering from heavy metal poisoning, the symptoms of which are nothing like an ASD. Any organisation that has anything to do with chelation should be avoided as they will just hurt children.

There are ways of alleviating some of the symptoms, some of the supposed cures (such as certain diets) merely avoid triggers and allow children to emulate NTs more effectively. If you find a diet that makes things better don’t think that you have cured anything.

Emulating an NT

Pretending to be like other people is a useful skill. Children need to be taught how to act like other people when in public places, but they should be allowed (even encouraged) to act in a way that is normal for them when at home. Trying to emulate someone who is Neuro-Typical (an NT) all the time is exhausting and results in a decreased ability to do most of the things that one might want to do.

Don’t try to force Aspie kids to socialise excessively, it’s not going to be fun for them and it’s not going to do any good. Team sports such as cricket and football are probably a bad idea. Golf and other individual sports are better options.

Is it bad to be on the Spectrum?

So far I haven’t found a single report of someone who unconditionally claimed that an ASD made their life suck, although many people report that they have big problems from some of the sensory issues.

It seems that an ASD only makes someone unhappy if they are mistreated by other people because of it.

Sensory Issues

One common factor with AS is Sensory Processing Disorder (SPD), the site Sensory-Processing-Disorder.com [1] has a lot of good information on it.

In most cases these are issues of degree, some things which irritate Neuro-Typical people (NTs) a little bit can irritate an Aspie a lot. But some are severe and require totally avoiding certain things, one example I’ve heard of is Aspies who can’t stand the feel of woolen clothing.

Discovering these things can be difficult as no-one really knows what other people experience. For example I don’t know how much my experience of strong sunlight differs from that of other people, but the fact that I like to stay inside on sunny days while most people don’t suggests that my experience is significantly different from that of others.

When an adult is diagnosed with AS they can usually determine what their sensory issues are by just thinking about what they have been avoiding for decades. Given enough time you can work out what things irritate you and avoid them (sometimes subconsciously). For a child you want a fast result.

For younger children there are companies that specialise in soft clothes which can deal with clothing comfort issues.

Noise cancelling headphones [2] are good for some sound related issues, over-ear headphones are good for people who don’t like things touching their ears and nowadays headphones are better than ear-muffs due to the recent development of wireless headphones and headphones with built-in MP3 players so they don’t seem so unusual. High fidelity ear-plugs [3] and custom made musicians earplugs [4] are two options for anyone who doesn’t have a problem with things being stuck in their ears.

Sunglasses (or prescription glasses with “transition” lenses that go dark in sunlight) can be used to deal with light sensitivity. There is also Scotopic Sensitivity Syndrome (SSS) also known as Irlen Syndrome and Visual Stress Syndrome in which certain colors cause problems and glasses with colored lenses alleviate the problem. Dealing with SSS can alleviate other problems that might seem to be unrelated (such as difficulty in recognising faces).

It’s probably best to try a range of measures and continue with the ones that seem to give a good result. The strategies that are used to determine minor food allergies can be used for minor sensory issues in terms of eliminating a lot of possible things and then reintroducing things one at a time to see what gives a bad result.

One thing to keep in mind is that minor sensory issues don’t cause an immediate obvious problem. They can over the course of hours cause someone to be more likely to become angry or unhappy than usual so some strategic planning is required to avoid problems. Adults can manage these things for themselves, young children need to be managed by their parents.

Selective Mutism

Selective Mutism is the condition of being unable to speak in certain situations. Some forms of it are reasonably common among people on the Autism Spectrum. Mild forms may not be apparent as people tend to avoid situations that trigger such problems.

Face Blindness

There seems to be a correlation between Face Blindness (Prosopagnosia) and ASDs. Face blind children can’t be sent to a regular school, the typical experience for such children is to have the other children take turns hitting them.

Food

Many Aspies have issues with food, one common issue is with food that is messy, for example dishes such as Paella are very unappealing to me. Japanese food is always very appealing to me, I like the way that the different items are separated and the consideration that is given to aesthetic appeal of the food. Also the Bento style of presentation where every type of food has its own compartment is appealing. If you serve food that is visually unappealing to an Aspie child then you will have trouble convincing them to eat it and you may convince them to avoid all variations of the food item in question – so make sure that healthy food looks good!

Food that tasted good today will probably taste good tomorrow, and every day for the next year. There’s no real reason not to eat the same food every day (as long as you get the necessary vitamins and proteins). There is a tendency among Aspies to not vary their diet much. So if an Aspie child is in the habit of eating relatively healthy food you really don’t want to break that habit, EG if the habitual meal is peanut butter sandwiches then offering a peanut butter and honey sandwich would be a really bad idea.

Finally sensory differences can have a significant impact on what food is edible, if an Aspie doesn’t like eating Broccoli it might be because they just don’t like it or it might be that Broccoli is so horrible that thinking about it makes them nauseous. In the latter case it would be bad to force them to eat it. There are lots of web sites with information on the nutrition content of various foods, so finding acceptable foods that provide all essential amino acids and vitamins shouldn’t be difficult.

Note that minor food allergies can cause stress without showing any obvious symptoms. So a test for food allergies is a really good idea. Food allergies don’t cause Autism, but avoiding bad foods can make it easier to emulate an NT.

Stimming

Lisa wrote a long article about stimming that is worth reading if you want to learn a lot [5].

But in summary stimming is performing some repetitive action (such as chewing a pen, spinning a coin, or twirling hair) to help manage stress or excessive excitement. Bouncing and spinning are well known stims even though most stimming is less noticeable. Redirecting stimming to actions that are more socially acceptable is OK, but note that it can be extremely difficult or even impossible for someone else to suggest a suitable replacement stim – which is a problem when dealing with kids who are too young to work it out for themselves.

Trying to prevent an Aspie kid from stimming is a really bad idea, that will just result in them being more stressed and therefore more difficulties for everyone else. It’s a good idea to encourage children to stim when they appear to need it or when they have been under stress. Note that things that are fun can be stressful, so don’t assume that allowing a child to do something they enjoy will be a good way of relaxing.

Touching People

It seems that most children have issues with being touched by adults, I’ve heard a few comedians make jokes about being forced to kiss aunties at Christmas and the jokes seem to resonate with the majority of the audience who aren’t on the Autism Spectrum. Aspie kids have more issues with this than NT kids, not only is being touched unwelcome but there are problems with perfume and make-up that can rub off. One of my mother’s friends used to wear plenty of make-up and perfume, I can still remember the happy day when I was tall enough that she couldn’t kiss me unless I bent down – so I stood up straight and avoided getting any make-up and perfume on my cheek.

I suggest advising relatives not to initiate any physical contact with Aspie kids, or if they do initiate it make it optional (EG ask “would you like to shake hands”). It must really suck for Aspie girls having almost 100% of their adult relatives wanting to hug or kiss them – 50% was bad enough in my experience.

Pets

Pet cats seem to be quite popular among people on the Spectrum, you can pat a cat when you feel like it and just leave it alone when you don’t want the interaction. Other pets can work well too.

A recent trend is towards prescribing Assistance Dogs for kids on the Spectrum, Assistance Dogs International [9] has a lot of general information about such working dogs. It’s illegal in Australia to deny entrance to an Assistance Dog but a lot of companies still have written regulations and staff training procedures that specify limited uses for such animals (such as specifically only allowing guide dogs for the blind). They will change such policies if asked.

Home Schooling

Reports of ASD kids being happy at school are few and far between. The vast majority of reports are bad. The special schools for ASD kids that have military-style discipline sound really bad.

Seriously consider home schooling.

Emotions

Some degree of alexithymia is usually associated with AS. Because of this asking questions like “how do you feel?” will generally get a bad result. In some cases you can substitute questions for a better result, such as asking “do you want to do that again?” instead of “did you enjoy that?”.

It seems that parents are generally advised to tell their children that they love them, that may be good advice regarding an NT child. For an Aspie child that can be a really creepy experience, don’t do it. If you want to show your child how much you love them then make them a jam sandwich!

You will often see references to Aspies lacking Empathy, but they don’t lack Sympathy – I’ve linked to the Wikipedia definitions of the two words. Basically in this context “empathy” means using non-verbal signals to determine someone’s emotional state while “sympathy” means caring about what other people feel. It’s widely regarded that Aspies can be taught to recognise other people’s emotions, but a common experience is to be good (or even significantly better than average) at recognising the emotions of people but be unable to process the data.

Many people on the Spectrum report Affective Flattening (sometimes referred to as “Blank Affect”). This means giving minimal signs of their emotional state. So don’t assume that someone really is calm when they appear to be.

Gender

SPD can cause people to act in ways that don’t conform to the most strict gender norms. The most obvious examples are boys who have long hair because short hair feels bad and girls who have really short hair because long hair feels bad. There are lots of other examples such as boys who have a great aversion to dirt and girls who can’t wear cosmetics.

The gender norms are so strict that anyone who generally acts differently to other people is likely to do something that can be interpreted as being outside the range of accepted behavior for their gender.

If your child doesn’t conform well to gender norms you should consider whether it’s a sensory issue and also whether it’s an issue of just failing to emulate an NT well enough. You should also consider whether your ideas of gender norms are reasonable.

Of course there are Transgender and Genderqueer Aspies. If you suspect that your child really doesn’t fit the gender norms then it’s best not to question them about it, alexithymia makes any such conversations unpleasant and creepy.

Sexuality

It seems to be a common belief that parents should talk to their children about sex etc. I think that most Aspie kids would find that extremely creepy. The best thing to do is to just provide them with some books covering the relevant topics. Everything that they might need to know about sex is in a book somewhere.

It’s widely regarded that about 1/3 of the people on the Autism Spectrum are Asexual. Also it seems reasonably common for people on the Spectrum to be psychologically ready for a relationship at a later age than NTs. So if your child doesn’t have a straight relationship when you think they should then don’t assume that they are gay or bisexual and don’t try to force them to have a relationship on your schedule.

Alexithymia makes applying labels more difficult. So don’t focus on whether your child’s close friend is actually a girlfriend or boyfriend and whether that makes them straight, gay, or bisexual. Focus on whether they are with someone who makes them happy and inspires them to do good things.

Because Aspies tend to be literal a statement like “it’s OK to be gay” may be interpreted as “it’s not OK to be anything other than straight or gay”. So it’s best to be aware of the other possibilities, the LGBT Wikipedia page is a good place to start learning about such things.

Executive Function

It seems that ASDs are almost always associated with some degree of executive function disorder. Among other things this makes it difficult to plan things, get things done on time, and avoid playing computer games for an entire day. A written schedule with numbered points can help with this.

Aspies can be diagnosed with ADD or ADHD because of this which among other things can be used to preclude a later AS diagnosis (due to AS only applying to people who have not been diagnosed with anything else). Ritalin has been reported to help some Aspies, and caffeine works for me.

Aspies Need Space

Socialising requires more effort for people on the Spectrum, it’s draining and it’s not something that can be done all the time. You should expect that a typical school day will push an Aspie kid to their limit. When they get home they often won’t want to talk to their parents or anyone else, they will want to read a book, watch TV, or play computer games. Plan to allow them a certain amount of time to unwind after something like school. After school some young Aspie kids want to tell their parents about all the things they thought about during the school day, so there is quite a range of ways of unwinding after socially stressful events – but some way of relaxing and recovering is necessary.

There are reports of Aspies who really hated family holidays. Having their routine broken and being forced to spend a lot more time with their family than usual can be stressful. For a child in their late teenage years it’s a good option to allow them to stay home alone while the rest of the family goes on holiday. A week or two of minimal involvement with other people can be really relaxing and help them prepare for the next semester of school. Aspie kids tend not to have wild parties while their parents are away. :-#

Should the Parents be Assessed?

In most cases ASDs are genetic and inherited from a parent (there is research suggesting that in some cases it’s due to a de novo mutation but they comprise a small minority). Also it seems very rare to have asymptomatic carriers of ASD genes. So it’s best to assume until proven otherwise that at least one parent of an Aspie child is an Aspie.

An Aspie who gets diagnosed is probably going to do a much better job of parenting than one who is in denial, so I believe that geeky parents of Aspie kids really should get assessed.

I put this suggestion at the end because I know that some people will stop reading here.

General

Lisa wrote an informative post “Ten Things Everyone Should Know About Autism” that is worth reading [6].

Forums such as Aspies For Freedom [7] are good sources of information.

I have an Amazon astore with links to some books related to ASDs [8].

I appreciate suggestions for this document, but please note that I don’t want to write a book. I aim to provide a list of suggestions that allows parents to do a Google search or ask on forums for more information. If you have a suggestion for a significant addition to this then please write it up in a blog post and send me the URL.

Free Books

Here are some free books that I have downloaded and read:

Computer Power Use

This table shows the power consumption of some of the computers I own. I use a domestic electricity meter that was certified for use in billing customers to measure this. Any inaccuracies in the measurement will correspond to inaccuracies in electricity bills of people who use such computers.

Before anyone asks, I am not interested in contributions of data, I believe that doing tests with a different meter or in a different country with a different supply voltage will diminish the accuracy of the results. Also I will provide minimal analysis on this page (the numbers should allow you to perform your own analysis).

Before I started such tests I had significant problems cooling my house in summer. Based on the results of these tests I made changes such as replacing the Compaq 1GHz Athlon machine by an IBM 1GHz P3 machine for a small server I run, this saved 49W of power, 49W of power which mostly ends up as heat makes a significant difference in a small server room when running 24*7!

All the machines below apart from the SMP machine are workstation class machines, they don’t have ECC RAM and their PSUs are designed for small load. The SMP machine has a PSU designed for a desktop machine (I couldn’t easily obtain any other type). If it had a PSU designed for server use it would draw more power.

Unless otherwise noted all machines were idling while running Linux (idling while running DOS uses significantly more power).

The summary of this table is, P3 is a great CPU for power to computer power ratio, the P4 isn’t too good, and the Athlon sucks badly – don’t run an Athlon server if you have heat problems!

Thinkpad T20 500MHz P3 512M 30G IDE 10.7W
Cobalt Qube AMD K6-450MHz, 128M RAM, 10G IDE 20W
Thinkpad T41p 1.7GHz idle at 600MHz, screen on and battery charged 23W
Compaq SFF 800MHz P3 512M 10G IDE spun-down 28W
Compaq SFF 800MHz P3 512M 10G IDE 35W
Compaq 800MHz P3 128M 10G IDE 38W
IBM 1GHz P3 256M 30G IDE, idling 38W
HP Pavilion 513A Celeron 1.8GHz, 384M RAM, 40G IDE 45W
HP Pavilion 513A Celeron 1.8GHz, 768M RAM, 2*80G IDE + 46G IDE 58W
Compaq 1.1GHz Celeron 512M 40G IDE idling 46W
HP/Compaq Celeron 2.4GHz, 512M RAM, no hard disk 43W
HP/Compaq Celeron 2.4GHz, 512M RAM, 300G IDE 50W
NEC Pentium-E2160 1.8GHz, 1G RAM (1 DIMM), 160G S-ATA 52W
Packard-Bell (NEC) Celeron-D 2.93GHz, 512M RAM, 2*20G IDE 75W
Compaq 1.5GHz P4 256M 20G IDE, idling 78W
Compaq 1.5GHz P4 256M 20G IDE, installing 85W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks idle 81W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks disk busy 99W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks CPU busy 130W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks CPU and disk busy 136W
Compaq 1GHz Athlon 256M 20G IDE idling 87W
NEC Pentium-D (920) 2.8GHz, 1G RAM, 160G S-ATA 98W
White-box Athlon XP 1700+, 768M RAM, 2*80G IDE + 46G IDE 110W

Here is the Computer Related Power Use page [1] (for switches, filters, and other things).

How to Debug POP

POP (Post Office Protocol) is the most used protocol for receiving mail from a server to a MUA (Mail User Agent) for reading. It is specified in RFC1939.

But the way it works (in most cases) is quite simple and doesn’t require reading the RFC, connect to port 110 (the standard port for POP3) and a basic session transcript is as follows (data sent by the client is prefixed with C: and data sent by the server is prefixed with S:):
S:+OK POP3 Ready [HOST NAME]
C:user ABC
S:+OK USER ABC set, mate
C:pass asecret
S:+OK Mailbox locked and ready
C:list
S:+OK scan listing follows
S:1 2989
S:.
C:quit
S:+OK

When the server successfully completes an operation it will precede its response with “+OK”, when it fails it will precede its response with “-ERR”. The data after the OK or ERR statement is for humans not machines, so in most cases your MUA will discard it. Therefore connecting to the service manually is required to properly debug problems. The unfortunate thing is that often on big mail servers it takes time for the sys-admin to do such tests. If the user can do it for them and give a bug report saying “your POP server said -ERR user unknown” then things will get fixed a lot faster than if the report is “the POP server didn’t work”.

One thing that is quite important is the initial greeting string, on any system of moderate size you will have multiple back-end servers and the greeting will tell you which server you are connecting to. If POP sometimes works and sometimes fails then your ISP might have one server failing so making a note of this greeting string in a transcript of a failed session can really help in tracking down problems.

When the list of messages is displayed, the first column is message numbers (starting at one and going up sequentially) and the second column is message sizes. If you have a POP session timing out and you have an extremely large message then that might be the cause.
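The points above (greeting string, -ERR responses, message sizes) can be pulled out of a saved session mechanically before it is sent to the sys-admin. The following is an added example, not part of the original post; the sample session, its host name and the function names are constructed for illustration, and it also blanks the password so the transcript can be shared safely.

```shell
#!/bin/sh
# Added example: summarise a saved POP3 session for a bug report.
# Input lines carry the same "C:" / "S:" prefixes as the transcript above.

# Constructed sample session (host name, sizes and error text are made up).
sample_transcript() {
cat <<'EOF'
S:+OK POP3 Ready pop-backend-2.example.com
C:user ABC
S:+OK USER ABC set, mate
C:pass asecret
S:+OK Mailbox locked and ready
C:list
S:+OK scan listing follows
S:1 2989
S:2 48211034
S:.
C:retr 2
S:-ERR timeout reading message
C:quit
S:+OK
EOF
}

# Replace the argument of the PASS command so the transcript can be
# attached to a bug report without disclosing the credential.
redact_transcript() {
    sed -e 's/^\(C:[Pp][Aa][Ss][Ss] \).*/\1[REDACTED]/'
}

# The first server line is the greeting; it names the back-end server.
pop_greeting() {
    tr -d '\r' | awk '/^S:/ { print substr($0, 3); exit }'
}

# Print every -ERR response together with the command that caused it.
# A failing PASS command is shown without its argument.
pop_errors() {
    tr -d '\r' | awk '
        /^C:/ {
            last = substr($0, 3)
            if (tolower(last) ~ /^pass /) last = "pass [REDACTED]"
        }
        /^S:-ERR/ { print last " => " substr($0, 3) }'
}

# Print "number size" for each message in a LIST response whose size in
# bytes is at least $1 (a candidate cause of a session timing out).
pop_large_messages() {
    tr -d '\r' | awk -v min="$1" '
        /^C:/ { in_list = (tolower(substr($0, 3)) ~ /^list/); next }
        in_list && /^S:\.$/ { in_list = 0; next }
        in_list && /^S:[0-9]+ [0-9]+/ {
            sub(/^S:/, "")
            if ($2 + 0 >= min + 0) print $1, $2
        }'
}

# Report for the constructed sample; for a real capture, feed the saved
# file to the functions instead of sample_transcript.
echo "greeting:       $(sample_transcript | pop_greeting)"
echo "errors:         $(sample_transcript | pop_errors)"
echo "messages >10MB: $(sample_transcript | pop_large_messages 10000000)"
echo "--- transcript safe to share ---"
sample_transcript | redact_transcript
```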

A commonly used program for testing POP (and other Internet services) is telnet. To start the above process you would type telnet mail.example.com 110.

There are methods of hashing POP passwords (which make things a little more complex), but they often aren’t used – and in any case don’t encrypt the data. So it’s common to run POP servers with SSL, and the standard port for this is 995. This makes testing a little more complicated (but actually no more difficult).

To make an SSL connection you can use the program stunnel, it is included in many (most?) distributions of Linux, and Windows binaries are apparently at this link (NB I’ve never tested the Windows binaries as I don’t use Windows).

The command stunnel -c -r mail.example.com:995 will connect you to your mail server via SSL and you can then type in the POP commands as normal.

If your POP server supports the STLS command (which allows negotiation of TLS/SSL on port 110) then you can use the command stunnel -n pop3 -c -r mail.example.com:110.

To use gnutls, you can use the command “gnutls-cli mail.example.com -p 995” or to work with STLS on port 110 you use the command “gnutls-cli -s mail.example.com -p 110” and press ^D after entering the STLS command.

How to Debug SMTP with TLS(SSL) and AUTH

The first thing to test is a TLS (aka SSL) connection. The stunnel program has special code for this, the command “stunnel -n smtp -c -r mail.example.com:25” will connect to the server via SMTP and negotiate SSL.

If you use gnutls then the command “gnutls-cli -s mail.example.com -p 25” will connect to the server, allow you to establish the session (by typing “ehlo hostname” and then “starttls“) after which you can press ^D to enter TLS mode. This is a little more inconvenient.

Once one of these is done you will receive a 220 message acknowledging the connection (which is the same as if you had just connected without TLS). If you want to test the TLS certificate then use the “-v” option to stunnel. Note that if the certificate is not verified successfully then stunnel will exit and log via syslog the reason why. While stunnel seems more convenient for actually using a protocol, the openssl utility is a much better program for actually testing out the SSL functionality. The command “openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect mail.example.com:25” will dump a lot of diagnostic information about the SSL protocol. Note that the location of the SSL certificates varies by distribution, /etc/ssl/certs is the location used on Debian.

When compared to openssl and stunnel, gnutls-cli is less convenient than stunnel, and somewhere between the other two in terms of utility for debugging. It’s good to have all three clients available for testing!

Then enter the command “ehlo hostname.example.com” (the hostname is generally not checked for the case of mail relaying so any text that vaguely resembles a real host DNS name will do).

The response to that command will be something like the following:
250-mail.example.com Hello hostname.example.com [10.10.10.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

The important thing to note is the 250-AUTH message which indicates that you may authenticate, it tells us that you can use the LOGIN and PLAIN methods of authentication. All the further communication for the login will be base64 encoded, the best utilities that I know of in Debian/Etch for encoding and decoding base64 are /usr/share/fml/bin/base64encode.pl and /usr/share/fml/bin/base64decode.pl which are in the fml package. Debian/Lenny and newer have base64 as part of the coreutils package.

The command auth login will typically give the response “334 VXNlcm5hbWU6“, the command “echo VXNlcm5hbWU6|/usr/share/fml/bin/base64decode.pl” shows that it is requesting the “Username:“.

To generate a response to the Username prompt run the command “echo -n user@example.com | /usr/share/fml/bin/base64encode.pl” (or whatever your user-name is) and you will receive an encoded message such as “dXNlckBleGFtcGxlLmNvbQ==“. Enter that to the mail server and you will get a response with another 334 code similar to “334 UGFzc3dvcmQ6“, again if you decode the part after the space you will be prompted for the “Password:“. The command “echo -n mypass | /usr/share/fml/bin/base64encode.pl” will give a response that you can give to that prompt. If all goes well that will give a 235 message to tell you that you are authenticated. Then you can relay mail!
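The AUTH exchange described above, as an added shell example (not from the original post) using the coreutils base64 program: it extracts the offered mechanisms from an EHLO response, decodes the 334 prompts, and builds the LOGIN and PLAIN replies. The function names and the empty authorization identity in the PLAIN token are this example's choices, and the EHLO sample is constructed from the response shown above.

```shell
#!/bin/sh
# Helpers for stepping through SMTP AUTH by hand with coreutils base64.

# base64 appends a newline (and wraps long output); tr removes both.
b64enc() { printf '%s' "$1" | base64 | tr -d '\n'; }
b64dec() { printf '%s' "$1" | base64 -d; }

# Print the mechanisms offered in an EHLO response read from stdin.
# Matches "250-AUTH ..." (more lines follow) and "250 AUTH ..." (last line).
auth_mechs() { tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p'; }

# Succeeds when mechanism $1 is offered in the EHLO response on stdin.
offers_mech() { auth_mechs | tr ' ' '\n' | grep -qx "$1"; }

# Decode a server challenge such as "334 VXNlcm5hbWU6".
decode_challenge() { b64dec "${1#334 }"; }

# AUTH PLAIN sends one token: NUL, username, NUL, password.
# The leading empty field (authorization identity) is left blank here.
auth_plain_token() { printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'; }

# Constructed sample, trimmed from the EHLO response shown above.
SAMPLE_EHLO='250-mail.example.com Hello hostname.example.com [10.10.10.10], pleased to meet you
250-PIPELINING
250-AUTH LOGIN PLAIN
250 HELP'

printf 'offered:  %s\n' "$(printf '%s\n' "$SAMPLE_EHLO" | auth_mechs)"
printf 'prompt 1: %s\n' "$(decode_challenge '334 VXNlcm5hbWU6')"
printf 'reply 1:  %s\n' "$(b64enc 'user@example.com')"
printf 'prompt 2: %s\n' "$(decode_challenge '334 UGFzc3dvcmQ6')"
printf 'reply 2:  %s\n' "$(b64enc 'mypass')"
printf 'PLAIN:    AUTH PLAIN %s\n' "$(auth_plain_token 'user@example.com' 'mypass')"
```

Because base64 is an encoding and not encryption, the same b64dec call recovers the password from any AUTH line captured on an unencrypted session, which is why the TLS test comes first.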

When relaying mail after authenticating using SASL, if the mail is authenticated then you can use the auth parameter. This means that instead of using the SMTP command “mail from: <user@example.com>” you use the command “mail from: <user@example.com> auth=<user@example.com>“.

Normally this will all be done by your MUA, but if something goes wrong and you don’t know why then manually running through the steps can reveal the source of the problem.

Software vs Hardware RAID

It’s a commonly held myth that hardware RAID is unconditionally better than software RAID. That claim is not true in all cases and is particularly wrong at the low end.

Really Cheap Hardware RAID

The cheapest so-called hardware RAID uses RAID in the BIOS and relies on an OS driver for support when running in protected mode. This is essentially a different sort of software RAID but with BIOS support to boot from it. Using a different disk format to the standard software RAID for your OS can make it more difficult to recover when things go wrong and there’s no benefit to this. If you use software RAID-1 from your OS and set things up correctly then you can boot from either disk. Using software RAID-1 for booting and RAID-5 or RAID-6 for the OS and data is a viable option.

Cheap Hardware RAID

Cheap hardware RAID doesn’t have write-back caching and therefore can’t give any significant performance benefit over software RAID. Note that there are different options for how RAID stripes are laid out which can affect performance, so if a cheap hardware RAID device gives any significant performance benefit over software RAID then it’s probably due to where the blocks happen to be stored working well with your filesystem. Which is of course a benefit you could get from tuning software RAID.

The Mythical CPU Benefits of Hardware RAID

It’s widely regarded that hardware RAID is faster due to taking the processing away from the CPU. But the truth is that for at least the last 10 years CPUs have been fast enough and in fact it’s often been the case that RAID controllers have been the bottleneck.

When I loaded the Linux RAID-5/RAID-6 driver on my Thinkpad T61 its 2.2GHz T7500 CPU (which isn’t a particularly new or powerful laptop CPU) was tested and shown to be capable of 3227MB/s for RAID-6 calculations. The fastest SATA disk I’ve benchmarked was capable of sustaining almost 120MB/s on its outer tracks. If we assume that newer disks are capable of 150MB/s then my Thinkpad could handle the RAID calculations for an array of 20 such disks.

An old P3-1GHz desktop system I use for a low-end server can do 591MB/s of RAID-6 calculations in software, if I was able to connect SATA disks to that old system then it could drive four of them in a RAID array at full speed!

It’s often regarded that a benefit of hardware RAID is to avoid CPU use. Contiguous IO can use a moderate amount of CPU power, I could potentially use 20% of one core of a T7500 if I had four disks running at once. But usually contiguous IO isn’t that common. If you are using a Gigabit Ethernet port to transfer data then you are limited to something slightly more than 100MB/s. But most applications don’t involve large contiguous data transfers and thus the amount of data transferred goes down.

One way that hardware RAID can save CPU time is if the interface to the hard drives was inefficient. The IDE interface didn’t seem particularly efficient and large transfers to IDE disks used to often require more CPU time than was expected. For such disks having them on a RAID controller that emulated a giant SCSI disk could save some CPU time.

Back in 2000 I did some tests on a Mylex DAC 960 hardware RAID controller that was only capable of sustaining 10MB/s. This wasn’t a problem as the applications were seek intensive and the Mylex performed well for that task. But for contiguous IO software RAID would have given much better performance.

The Real Benefits of Hardware RAID

A good hardware RAID system will have NVRAM for a write-back cache. This can dramatically improve write performance which is very important on RAID-5 and RAID-6 systems that perform really badly for small writes.

Good hardware RAID controllers will often support many more disks than a non-RAID controller. If you want to have more than 4 disks then hardware RAID has some serious benefits. But it has to have NVRAM write-back cache, otherwise you get no useful benefits and you might as well use software RAID.

Conclusion

If you can’t afford a high-end RAID system like a HP CCISS then use software RAID. Software RAID will be faster and more reliable than cheap hardware RAID.

If you need more than four disks then you can probably benefit a lot from hardware RAID with write-back caching.

SE Linux Terminology

Security Context is the SE Linux label for a process, file, or other resource. Each process or object that a process may access has exactly one security context. It has four main parts separated by colons: User:Role:Domain/Type:Sensitivity Label. Note that the Sensitivity Label is a compile-time option that all distributions enable nowadays.

User in terms of SE Linux is also known as the Identity. The program semanage can be used to add new identities and to change the roles and sensitivities assigned to them. System users often end in “_u” (EG user_u, unconfined_u, and system_u) but this is just a convention used to distinguish system users from users that associate directly with Unix accounts – which are typically the same as the name of the account. So the user with Unix account john might have a SE Linux user/identity of john. Note that as the local sysadmin can change the user names with semanage you can’t make any strong assumptions about a naming convention. When a process creates a resource (such as a file on disk) then by default the resource will have the same user as the process.

Role for a process determines the set of domains that may be used for running a child process. Through semanage you can configure which roles may be entered by each user. The default policy has the roles user_r, staff_r, sysadm_r, and system_r. Adding new roles requires recompiling the policy which is something that most sysadmins don’t do. So you can expect that all role names end in “_r“.

Object Class refers to the object that is to be accessed, there are 82 object classes in the latest policy, many of which are related to things such as the X server. Some object classes are file, dir, chr_file, and blk_file. The reason for having an object class is so that access can be granted to one object with a given type label but not be granted to another object of a different object class.

Type is the primary label for the Domain/Type or Type-Enforcement model of access control, by tradition a type name ends in “_t“. There is no strong difference between a domain and a type, a domain is the type of a process. In the DT model there are a set of rules which specify what happens when a domain tries to access an object of a certain object class for a particular access (read, write, etc).

MLS stands for Multi Level Security, it’s a hierarchical system for restricting access to sensitive data. Its core principle is that of no write-down and no read-up. In a MLS system you can only write data to a resource with an equal or higher sensitivity label.

MCS stands for Multi Category Security.

Sensitivity Level is for a hierarchical level of sensitivity in the MLS policy. In the default policy there are 16 levels from s0 to s15. The MCS policy uses some of the mechanisms of MLS but not the level, so in MCS the level is always set to s0. The policy can be recompiled to have different numbers of levels.

Category is a primitive for the MCS and MLS policies. The default policy has 1024 categories from c0 to c1023, the policy can be recompiled to have different numbers of categories.

Sensitivity Label is for implementing MLS and MCS access controls. It may be ranged, in which case it has a form “LOW-HIGH” where both LOW and HIGH are comprised of a Sensitivity Level and a set of categories separated by a colon – EG “s0:c1-s1:c1.c10” means the range from level s0 with category c1 to the level s1 with the set of categories from c1 to c10 inclusive. If it isn’t ranged then it just has a level and a set of categories separated by a colon. In a set of categories a dot is used to indicate a range of categories (all categories between the low one and the high one are included) while a comma indicates a discontinuity in the range. So “c1.c10,c13” means the set of all categories between c1 and c10 inclusive plus the category c13. The kernel will canonicalise category sets, so if it is passed “c1,c2,c3” then it will return “c1.c3“. These raw labels may be translated into a more human readable form by mcstransd.
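The label syntax described above, as an added shell example (not part of the original post) that splits a raw context, separates the low and high ends of a ranged label, and expands and re-collapses category sets. The function names and the sample context are constructed for illustration, and writing a run of exactly two categories as “c1,c2” is an assumption of this example.

```shell
#!/bin/sh
# Split a raw SE Linux security context and normalise its category sets.

# The sensitivity label contains colons of its own, so only the first three
# colons separate fields: user:role:type:<label>.
ctx_field() {                       # usage: ctx_field CONTEXT user|role|type|label
    _rest=$1
    _user=${_rest%%:*}; _rest=${_rest#*:}
    _role=${_rest%%:*}; _rest=${_rest#*:}
    _type=${_rest%%:*}; _label=${_rest#*:}
    case $2 in
        user)  printf '%s\n' "$_user"  ;;
        role)  printf '%s\n' "$_role"  ;;
        type)  printf '%s\n' "$_type"  ;;
        label) printf '%s\n' "$_label" ;;
        *)     return 2 ;;
    esac
}

# Low and high ends of a label. An unranged label is both its own low and high.
label_low()  { printf '%s\n' "${1%%-*}"; }
label_high() { printf '%s\n' "${1#*-}"; }

# One end of a label is LEVEL or LEVEL:CATEGORIES.
end_level() { printf '%s\n' "${1%%:*}"; }
end_cats()  { case $1 in *:*) printf '%s\n' "${1#*:}" ;; *) printf '\n' ;; esac; }

# Expand a category set to sorted, de-duplicated numbers, one per line.
expand_cats() {
    [ -n "$1" ] || return 0
    printf '%s\n' "$1" | tr ',' '\n' | awk -F. '
        { lo = substr($1, 2) + 0
          hi = (NF > 1 ? substr($2, 2) + 0 : lo)
          for (i = lo; i <= hi; i++) print i }' | sort -n -u
}

# Rebuild the shortest form: a dot for runs of three or more categories.
# Writing a run of exactly two as "cN,cM" is an assumption of this example.
canon_cats() {
    expand_cats "$1" | awk '
        function emit() {
            if (out != "") out = out ","
            if (head == prev)          out = out "c" head
            else if (prev - head == 1) out = out "c" head ",c" prev
            else                       out = out "c" head ".c" prev
        }
        NR == 1        { head = prev = $1; next }
        $1 == prev + 1 { prev = $1; next }
                       { emit(); head = prev = $1 }
        END            { if (NR) { emit(); print out } }'
}

# Succeeds when category CAT (e.g. c5) is a member of SET (e.g. c1.c10,c13).
cats_contain() { expand_cats "$1" | grep -qx "${2#c}"; }

# Constructed sample context using the ranged label from the text above.
SAMPLE_CTX='system_u:object_r:etc_t:s0:c1-s1:c1.c10'
label=$(ctx_field "$SAMPLE_CTX" label)
printf 'label=%s low=%s high=%s\n' "$label" "$(label_low "$label")" "$(label_high "$label")"
printf 'high categories: %s\n' "$(canon_cats "$(end_cats "$(label_high "$label")")")"
```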

Constraint is a rule that restricts access. SE Linux is based on the concept of deny by default and the domain-type model uses rules to allow certain actions. Constraints are used for special cases where access needs to be restricted outside of the domain-type model. MCS and MLS are implemented using constraints.

MySQL Cheat Sheet

This document is designed to be a cheat-sheet for MySQL. I don’t plan to cover everything, just most things that a novice MySQL DBA is likely to need often or in a hurry.

Configuring mysqld

If you are going to provide a database service to other machines edit /etc/mysql/my.cnf and set the bind-address parameter to a suitable value. A value of 0.0.0.0 will cause it to accept connections on any of the server’s addresses. I recommend using a private address range (10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12) for such database connections and ideally a back-end VLAN or Ethernet switch that doesn’t carry any public data.

For the purpose of this post let’s consider the MySQL server to have a private IP address of 192.168.42.1. So you want the my.cnf file to have bind-address = 192.168.42.1

To start mysql administration use the command mysql -u root. In Debian the root account has no password by default, on CentOS 5.x starting mysql for the first time gives a message:
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h server password 'new-password'

That is wrong, for the second mysqladmin command you need a “-p” option (or you can reverse the order of the commands).

There is also the /usr/bin/mysql_secure_installation script that has an interactive dialog for locking down the MySQL database.

Administrative Password Recovery

If you lose the administration password the recovery process is as follows:

  1. Stop the mysqld, this may require killing the daemon if the password for the system account used for shutdown access is also lost.
  2. Start mysqld with the --skip-grant-tables option.
  3. Use SQL commands such as “UPDATE mysql.user SET Password=PASSWORD('password') WHERE User='root';” to recover the passwords you need.
  4. Use the SQL command “FLUSH PRIVILEGES;”
  5. Restart mysqld in the normal manner.

User Configuration

For an account to automatically login to mysql you need to create a file named ~/.my.cnf with the following contents:
[client]
user=USERNAME
password=PASSWORD
database=DBNAME

Replace USERNAME, PASSWORD, and DBNAME with the appropriate values. They are all optional parameters. This saves using the mysql client parameters “-u” for the username and “-p” for the password, and specifying the database name on the command line. Note that using the “-pPASSWORD” command-line option to the mysql client is insecure on multi-user systems as (in the absence of any security system such as SE Linux) any user can briefly see the password via ps.

Note that the presence of the database= option in the config file breaks mysqlshow and mysqldump for MySQL 5.1.51 (and presumably earlier versions too). So it’s often a bad idea to use it.

Grants

To grant all access to a new database:
CREATE DATABASE foo_db;
USE foo_db;
GRANT ALL PRIVILEGES ON foo_db.* to 'user'@'10.1.2.3' IDENTIFIED BY 'pass';

Where 10.1.2.3 is the client address and pass is the password. Replace 10.1.2.3 with % if you want to allow access from any client address.

Note that if you use “foo_db” instead of “foo_db.*” then you will end up granting access to foo_db.foo_db (a table named foo_db in the foo_db database) which generally is not what you want.

To grant read-only access replace “ALL PRIVILEGES” with “SELECT“.

To show what is granted to the current user run “SHOW GRANTS;”.

To show the privs for a particular user run “SHOW GRANTS FOR 'user'@'10.1.2.3';”

To show all entries in the user table (user-name, password, and hostname):
USE mysql;
SELECT Host,User,Password FROM user;

To do the same thing at the command-line:
echo "SELECT Host,User,Password FROM user;" | mysql mysql

To revoke access:
REVOKE ALL PRIVILEGES ON foo_db.* FROM 'user'@'10.1.2.3';

To test a user’s access connect as the user with a command such as the following:
mysql -u user -h 10.1.2.4 -p foo_db

Then test that the user can create tables with the following mysql commands:
CREATE TABLE test (id INT);
DROP TABLE test;

Listing the Databases

To list all databases that are active on the selected server run “mysqlshow“, it uses the same methods of determining the username and password as the mysql client program.

To list all tables in a database run “SHOW TABLES;”. For more detail select from INFORMATION_SCHEMA.TABLES or run “SHOW TABLE STATUS;”.

For example to see the engine that is used for each table you can use the command echo "SELECT table_schema, table_name, engine FROM INFORMATION_SCHEMA.TABLES;" | mysql.

But INFORMATION_SCHEMA.TABLES is only in Mysql 5 and above, for prior versions you can use mysqldump -d to get the schema, or “SHOW CREATE TABLE table_name;” at the command-line.

Also the mysqlshow program can be used to display the tables in a database via “mysqlshow database” or the columns in a table via “mysqlshow database table“.

To list active connections: “SHOW PROCESSLIST;”

Database backup

The program mysqldump is used to make a SQL dump of the database. EG: “mysqldump mysql” to dump the system tables. The data compresses well (being plain text of a regular format) so piping it through “gzip -9” is a good idea. To backup the system database you could run “mysqldump mysql | gzip -9 > mysql.sql.gz“. To restore simply run “mysql -u user database < file“, in the case of the previous example “zcat mysql.sql.gz | mysql -u root database“.

To dump only selected tables you can run “mysqldump database table1 [table2]“.

The option --skip-extended-insert means that a single INSERT statement will be used for each row. This gives a bigger dump file but allows running diff on multiple dump files.

The option --all-databases or -A dumps all databases.

The option --add-locks causes the tables to be locked on insert and improves performance.

Note that mysqldump blocks other database write operations so don’t pipe it through less or any other process that won’t read all the data in a small amount of time.

mysqldump -d DB_NAME dumps the schema.

The option --single-transaction causes mysqldump to use a transaction for the dump (so that the database can be used in the mean time). This only works with INNODB. To convert a table to INNODB the following command can be used:
ALTER TABLE tablename ENGINE = INNODB;

To create a slave run mysqldump with the --master-data=1 option.

When a master’s binary logs get too big a command such as “PURGE MASTER LOGS BEFORE '2008-12-02 22:46:26';” will purge the old logs. An alternate version is of the form “PURGE MASTER LOGS TO 'mysql-bin.010';”. The MySQL documentation describes how to view the slave status to make sure that this doesn’t break replication.