Swift, bad idea #3

Function types are declared like:

var mathFunction: (Int, Int) -> Int

In this example: mathFunction is a variable that can hold any function that takes two Int as parameters and returns one Int. Fine, so far.

Functions can take such functions as parameters and also return them. For instance, a function taking a function like the above as parameter would be declared as:

func printMathResult(mathFunction: (Int, Int) -> Int)

A function returning a function taking a Bool as parameter and returning an Int could look like:

func chooseFunction(choice: Bool) -> (Int) -> Int

Notice how the two pointer operators (->) mean to entirely different things. The first indicates a return value, the second is part of the function signature of the returned value.

Let’s imagine what a function type would look like if it takes a function of an Int, returning an Int as parameters, and returns a similar function:

func confusingFunction(number: Int) -> (Int) -> (Int) -> Int

I may very well have written that wrong, but can you tell? This is totally different from old school C declaration of function prototypes, but I’m far from sure it’s any easier to understand. Maybe judicious use of “function types” (or “typedefs” as we used to call them 30 years ago…) could make this clearer.

Swift, bad idea #2

Function parameters now have distinct “internal” and “external” parameter names. The simplest form does away with named parameters when calling functions, that is, we can now do:

mysteriousFunction(15.2, "yeah, right", "only on a sunday", -1)

…just like in the good(?) old days of plain C/C++. Yes, you can force naming of parameters on the caller’s side, but it’s more work than the sloppy old way. Guess how often we’ll see that now? So, simple, inscrutable, and bug prone is the new default.

Swift, bad idea #1

Looking over the “Swift” language Apple presented during the WWDC keynote. First off, declarations using “var” and “let” made me think of Basic, and had to stifle a gag reflex.

I’m reading the iBooks book on Swift. When I got to closed and halfopen ranges on page 100, I thought this was a big mistake. It’s very hard to see at a glance which is which. We’ve been trained for so many years to see ranges in for loops as closed, and react immediately if that expected “-1” as in “(0 to n-1)” or equivalent, is missing.

Sure enough, go to page 135 in the same book, and the example given is clearly wrong, where the author of the book confused the two. Two dots is a halfopen interval, three dots a closed interval, and the example is:

“shoppingList[4...6] = ["Bananas", "Apples"]”

(Excerpt From: Apple Inc. “The Swift Programming Language.” iBooks.)

This is not going to end well.

Update: I was wrong. See the comments.

Next draft

I just uploaded the next draft (v10) of my book on EHR systems. I included a chapter on business cases, and expanded quite a bit on the document tree structure.

You can find a diff file for version 10 there as well, if you want to focus on the changes.

Update May 13, 2014: I stupidly linked to a particular draft in the above post. A much better link is this:

http://wehlou.com/ehrbook/draft.pdf

…which always points to the most recent draft. Currently I’m on draft 15 and will upload 16 later today.

Sorry about that piece of bad information.

EHR, the book

Back in January, I began writing a book on the Electronic Healthcare Record. Not how they work (they don’t), not just what’s wrong with them (most everything), but mainly going back to basics and figuring out what they are really for. Or should be for, more accurately.

Current systems are a marvel of bad design and misunderstandings of purpose. I’m trying in the book to figure out why, and what to do to improve on things. The contents range between the medical and the technical, taking side roads into politics, both the office kind and the real kind.

The contents are mainly based on the Swedish situation, but I welcome any input on how it is elsewhere. If I can be made to understand the differences, I’ll only be too happy to take that into account in the text.

I’m hoping with this book to make the stakeholder ask the right questions, else there is no hope we’ll ever get the right answers.

From today, I’ll publish my latest draft weekly (if I can keep it up) at:

http://wehlou.com/ehrbook/draft.pdf

I’ll welcome any comments in any form, but you’ll have to email them to me at martin@wehlou.com, or even better, post them as messages on our forum. You can register for the forum at:

http://vard-it.com/vi

The intention is to have it ready for publication sometime in June 2014. I’ll publish it under our own name through one of the publish on demand sites.

SRX100 Junos dynamic VPN, Win7, OSX, VPNTracker

(Update March 6, 2014: The Junos “standard” proposal actually includes 3DES in both phase 1 and phase 2, still making it hard for VPNTracker to connect. What we need to do is create a custom proposal for each phase with only AES in it. I updated the text to reflect that.)

(Update November 11, 2014: VPN Tracker 7 failed for me if there were multiple remote networks configured. VPN Tracker 8 works fine with multiple remote networks, though, but you have to switch off the option under “advanced” that says “Establish a separate phase 2 tunnel for each remote network”. That option is new with VPN Tracker 8. I added that step in the text, but I didn’t update the screen shots. They’re all from VPN Tracker 7 still.)

So this is what I needed to accomplish: get one single SRX100 running Junos 12.1X44D20 to have a site-to-site VPN to another SRX100, while also having a dynamic VPN working with both Windows 7 clients and Mac OSX 10.9 clients. And I succeeded, except not for free. I’m not mentioning the site-to-site setup in what follows, since it does not interact with dynamic VPNs.

The SRX100 has a Windows VPN client built in, such that if you connect with a Win7 machine, it lets you log in using a web interface, then offers you a download of the Junos Pulse client, already completely configured for that SRX100. This works like a charm. The problem is that there is no Junos Pulse client for OSX, which I think is really weird. I love Juniper, but man, what’s up with this?

The client everyone recommends for this is VPN Tracker, a pretty expensive piece of very nice software from Equinux. But, of course, even though VPNTracker supports a truckload of firewalls, the SRX series is not among them. The software is very configurable, however, so even though there’s no guide, there’s a way.

First, take the lazy way and fire up the J-Web interface to the SRX100 (yes, I know, I lost all cred by doing this, but having to choose between self-respect and actually having a life, I finally crumbled, left the command line and took to the browser). To my defence, the J-Web interface is actually pretty darn good, at least compared to the Netscreen interface on the SSG5.

From experiments and a lot of searching on the interwebs, it’s clear there is a problem somehow with the DES and/or 3DES algorithms with the SRX100 and/or VPNTracker. They just can’t negotiate a phase 1 proposal, with VPNTracker failing in phase 1. The solution is to set the SRX100 to not use DES or 3DES, by selecting “Standard” in both “IKE Security Level” and “IPSec Security Level”.

The solution is to create a custom phase 1 proposal and phase 2 proposal that does not include DES or 3DES. In the SRX configuration, do:

set security ike proposal ike_prop_aesonly description "reduced proposal for vpntracker"
set security ike proposal ike_prop_aesonly authentication-method pre-shared-keys
set security ike proposal ike_prop_aesonly dh-group group2
set security ike proposal ike_prop_aesonly authentication-algorithm sha1
set security ike proposal ike_prop_aesonly encryption-algorithm aes-128-cbc
set security ike proposal ike_prop_aesonly lifetime-seconds 86400

set security ike policy ike_pol_wizard_dyn_vpn proposals ike_prop_aesonly

Don’t forget to remove the policy-set standard you had from before. The “ike_pol_wizard_dyn_vpn” can have another name on your system, of course.

and…

set security ipsec proposal ipsec_prop_aesonly description "reduced proposal for vpntracker"
set security ipsec proposal ipsec_prop_aesonly protocol esp
set security ipsec proposal ipsec_prop_aesonly authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_prop_aesonly encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec_prop_aesonly lifetime-seconds 3600

set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals ipsec_prop_aesonly

Also, choose group 2 in IPSec Perfect Forward Secrecy (I haven’t experimented with other values here). With these choices, there’s no use of DES or 3DES. Note the IKE Preshared key and Remote Identity values. In the next screen, you choose users and stuff, and I’m not going to show you mine. Nothing there has a bearing on this description anyway.

SafariScreenSnapz028

So, with this set, first try to log in using Win7, download the Junos Pulse client and connect. This should work without anything else but your login credentials that you set in the screen “Remote Users” (that I didn’t show) in the VPN Wizard on the SRX100.

Now, back to VPNTracker. In the “Basic screen” of your connection setup, you enter the following:

VPN Tracker 7ScreenSnapz002

And in the second, “Advanced”, you enter the following:

VPN Tracker 7ScreenSnapz004

Notable items in the first of the two screens (“Basic”) are:

  • Network configuration: “Mode Config”
  • Identifiers, local: “FQDN”, with the “shoehorn” name you entered in the SRX100 VPN Wizard as “Remote Identity”
  • Identifiers, remote: “Don’t verify”

Notable items in the second (“Advanced”) screen, where we take care to only select the algorithms included in the Junos SRX100 “Standard” set, which is AES-128, SHA-1, and DH Group2 in both phase 1 and phase 2, and DH Group2 for PFS in phase 2:

  • Exchange mode: Aggressive
  • Phase 1 encryption: AES-128 only
  • Phase 1 hash: SHA1 only
  • Diffie-Hellman: group 2
  • Phase 2 encryption: AES-128 only
  • In VPN Tracker 8, there is here a checkbox “Establish a separate phase 2 tunnel for each remote network”. This should be off.
  • Authentication: HMAC SHA1 only
  • PFS: DH Group 2

There’s one last, hard to find, little detail: you have to change the ike-user-type on the SRX100 from “shared-ike-id”, as the wizard generated it, to “group-ike-id”, through the commandline on the SRX100, assuming your SRX100 VPN Wizard generated the gateway name to be “gw_wizard_dyn_vpn”, which it probably did, like so:

set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
commit

Interestingly, you don’t have to change your remote identifier in any way, neither in the SRX100 or the VPNTracker. From now on, you can connect.

Now, amazingly, you can connect with VPNTracker from OSX 10.9 while at the same time using the Junos Pulse client from Win7. All you have to do now is cough up $100 or $200 for VPNTracker (depending on version).

The SRX100 comes with a default two simultaneous dynamic VPN connections. You can get five connections with an extra license (SRX-RAC-5-LTU) for around $150, but I don’t know if that leaves you with a total of five or seven simultaneous connections.

Which new Mac Pro? The old one.

So with the new Mac Pro coming out, I’ve been torn between getting one of those or live with my old Mac Pro early 2008 for a while longer. Now, just estimating the price of the new Mac Pro, adding in a Thunderbolt drive storage and two Thunderbolt screens, the sum is way beyond what I can credibly argue myself into. And I’d be stuck with something that has much more processing power than I could invent excuses for, while still being a first generation product.

After a lot of arguing with myself back and forth, I decided to try to speed up my old Mac Pro with SSDs. I also have a bootcamp Win7 I would like to preserve if possible, which seems to preclude using regular SSDs, unless I use a lot of them. The solution seems to be a Fusion Drive (combined SSD and hard disk), where the bootcamp partition ends up on the hard disk proper.

The SSD I bought is an OWC Accelsior E2 480 GB PCIe card, and I combined it with one of my “old” Seagate Constellation ES.2 2 TB drives into a 2.1 TB Fusion Drive with a 300 GB Windows partition. I can access the Win7 through Parallels as a virtual machine, but without any speedup from the SSD (since Win7 is in its own partition), but right now I can’t boot from it. I moved it using Winclone, so I’m waiting on a response from them on how to proceed. Worst case, I can skip bootcamp, I don’t really need it.

But for all the other virtual machines through Parallels, and all the other software and files I have, the machine has become unbelievably snappy. The Fusion Drive has about 1 TB of applications and data on it, so the SSD part should be able to handle most daily tasks, once it balances out right. But already, I’m seeing some fantastic speedups.

Just to make you envious, see the screenshot that follows. Theoretically, I should be getting 800 MB/sec, but I’m pretty happy with what I’m seeing. Can’t really see how much faster the machine can get in actual handling. Seems it boots apps and opens files as fast as the screen can be written. Almost.

BlackMagic Disk Speed Test on Mac Pro 2008
BlackMagic Disk Speed Test on Mac Pro 2008

As a comparison, the test data from the “old” ES.2 2TB 7200 rpm drive that contains my old home folder, and which is still in one of the slots of the Mac Pro:

Disk Speed TestScreenSnapz002

In short, for a fraction of the money a new Mac Pro would cost, I got most of the benefit of one by adding this PCIe SSD card. (Nope, I have no relationship to OWC other than as a happy customer.)

The next step would be screens. I’ve got two 24″ Cinema displays, but with their 1920×1200 resolution, they’re getting cramped, especially when using the interface builder and storyboards in XCode. I’m still thinking it over, what to do about that. I already have an ATI Radeon 5870 card in the machine, so it should be able to handle bigger screens fine.

Southend Enterprises scam

Just this afternoon I got a call from “iAssist” who wanted to fix my computer, since it had malware, or was out of support or something. It was the regular fare with them taking over my computer to “fix” it for me. So I let him do just that.

While I “doddered” around and “tried” to boot my computer, I opened an old XP I have for experiments under Parallels, booted up my ScreenFlow screen capture, did a system snapshot, and then let him have at it. He’d called me on our home number on a DECT phone, so it took me a while to figure out how to get the sound, but finally I simply held a little Olympus hand recorder next to my ear, and that’s pretty good. Had to make him wait, mumbling something about having a prostate problem or something, while I got out the recorder, located batteries and got it started.

The whole thing is 34 minutes. The first 6 minutes or so are silent, then 2-3 minutes of only my voice (I’d turned the Olympus the wrong way up… duh), then after that it’s pretty clear. Note that the sound is offset by 10-20 seconds, so some places may look weird.

What he was after, once he got me, a “living alone 74 year old man who only uses his son’s old decrepit computer (seven years old computer) every sunday” (really; he asked me twice if I lived alone), hooked up was selling me an extended support for Windows and all my machines for only 3200 SEK for five years. That’s $500 by the way. Once I got to the screen where I had to enter my billing info, I quit the charade. After telling him twice that we were in a virtual machine and I had recorded the whole thing, he just hung up.

In the recording, you’ll see my name, street address, and phone number; that’s what he typed in. The email, I gave him (momo..something at hotmail.com, couldn’t think of anything better at the drop of a hat).

As far as I can figure out, iAssist (and LogMeIn) have nothing to do with this, but Southend Enterprises almost certainly do. That’s the “PCSupport” page I’m supposed to enter my payment data into. I found other people on the net reporting on this shady company.

I posted the whole recording on youtube, if someone wants to see them do this thing and hear this guy’s piercing and ennervating voice. It’s pretty boring, but maybe someone gets a kick out of it.

One really, truly, funny thing is that somewhere along the way, there’s a Parallels dialog box that pops up and says “Parallels tools are installed”, and he just clicks it away. I can’t locate it from the video, and I don’t want to watch it all again. Somebody told me it’s at 26:50 approximately. Also, there’s the “Parallels Shared Folders” icon in the upper left corner of the desktop, and even that didn’t tip him off.

 

So today I got a followup call from Customer Satisfaction at Southend Enterprises. Really. To hear if my machine worked fine today. Turned into two five-minute talks, where it’s pretty clear the guy (not the same guy as yesterday) either really is a fine actor, or (more likely) has no idea what he’s doing. But “persistence” is clearly his middle name.

The audio is even worse than yesterday’s recording. Maybe I should set up a rig to record these “artists” better, if this goes on. Here it is:

Buying books is such a mess

Buying books is such a mess right now, at least if you try to switch over to eBooks in one form or another. Let’s see what we have here.

Kindle

Kindle has the advantage of running on Kindle devices, Windows, OSX, iOS, whatever. Books are also usually cheap on Kindle, even though there are examples where the electronic version is actually more expensive than the paper version. The problem with Kindle is that it’s a proprietary and DRM’d format, and that doesn’t feel right. Non-technical litterature without illustrations are pretty nice on Kindle, but anything with code, drawings, or images sucks big time. Reading programming books on Kindle, at least on iOS and OSX, the platforms I use, is horrible.

iBooks

I’ve never bought a book on iBooks. They may be fine, I don’t know, but since iBooks, an Apple product, doesn’t run on OSX (and how sick is that), I wouldn’t invest in any book on that platform. The books are also more expensive than on Kindle, while being just as DRM challenged.

Protected PDF

APress used to sell protected PDF books, and it was really shitty. You had to use Adobe Acrobat to read them, with all the limitations, such as not being able to read them on the iPad. They fixed that by switching over to unprotected PDF. Several other publishers still use protected PDF, but you have to really scrutinize their sites to discover this vital fact. I’m avoiding doing any business with these people.

Online reading

I have to include online repositories such as O’Reilly bookshelf. I have access to a limited form via ACM, but it’s pretty shitty. The interface to the book is based on a Flash browser plugin, making it difficult to navigate. And, worse, it doesn’t work when you’re offline.

Plain PDF

I’ve found three publishers that sell unprotected PDFs, or at least they are not mandating that you use Adobe Acrobat; any PDF reader, including Goodreader and OSX Preview, is good enough. The only thing these guys do is sprinkle the document with the name of the purchaser, making it really easy to see who gave away copies to the torrent sites. I find this totally acceptable. The three publishers I’ve found are Pragmatic Bookshelf, Apress, and O’Reilly. Somewhat disturbingly, O’Reilly charges almost double for their eBooks as compared with Kindle for the same titles, which irks me enough to not buy the books I would normally have wanted to buy.

What a mess this is

You end up with some of your books on Kindle, some in Dropbox (where I put the unprotected PDF files), and some on your physical bookshelf. The advantages of carrying around a laptop or iOS device with all the books on it, are huge, though. PDF files can also be easily searched, even from Spotlight on OSX. Luckily, the three publishers I mentioned, publish enough good titles that I can simply ignore the rest, at least as far as modern programming goes. I actually think that this is the model that will dominate in the long run, at least as far as technical books are concerned.

Mountain Lion for free?

I’ve downloaded and installed Mountain Lion (10.8) on several machines now, but I never paid for it. No, I didn’t pirate it, I got it from the App store, but it never gave me a chance to pay. Looking up the transaction in the App store via iTunes, I see this:

In other words, I did “buy” it, but got it for nothing. Officially. What I don’t get is why. I’m just guessing here, but since I’m a registered developer on the same account, and I’ve run the developer previews, that earns me a free release version as well. (Note that the 10.8 above is not a developer preview, but the released public version.)

Nice gesture, Apple. Unless it’s an error. If so, I really don’t mind paying for it; it’s not exactly expensive.