The Rhodanthe CA System

Recently, the hosting company I use added support for Server Name Indication (SNI) on its SSL/TLS front end, which makes it possible to serve many of the sites under the HidekiSaitoCom domain over TLS without a dedicated IP address per site. Currently, as written in HidekiSaitoCom PKI Information, some of my sites use certificates issued by StartSSL. The problem with StartSSL is that it charges a fee for every revocation, and revocation is mandatory before a replacement certificate can be generated; that can be critical for low-budget sites such as mine, where certificate costs are far from negligible for a website with virtually no income. These problems are perhaps the ones the Let's Encrypt project aims to fix, but it is still far from available, and since its model seems to require a server-side component, it is unknown when it will be usable for me.

One way to solve this problem is to use a self-signed certificate, which is simply a certificate that vouches for itself. As a promoter of GnuPG, however, I thought of handling this slightly better. Meet Rhodanthe CA.

Rhodanthe CA Diagram

The goal of Rhodanthe CA is not to authenticate the site; it mainly exists to offer opportunistic encryption, using a root certificate that can be verified out of band with an OpenPGP key. The CA consists of a root certificate and intermediate certificates, and it also publishes a Certificate Revocation List. Considering that the upcoming Let's Encrypt appears to aim at a light-weight, basic level of domain-matching authentication, this should offer just as good security once the root certificate is imported; without importing it, the visitor sees a scary warning. Perhaps in the future actual authentication will be bound more to Extended Validation certificates; what matters now is that the site has functional encryption. One caveat worth stating plainly: a browser that imports a private root trusts every certificate that root signs, for any hostname, so the root key should stay offline and day-to-day issuance should happen from an intermediate.
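To make the hierarchy concrete, here is an added example, not the Rhodanthe CA's own scripts, that builds a root, an intermediate (pathlen:0) and one leaf with the openssl command-line tool, revokes the leaf, publishes a CRL signed by the intermediate, and shows that a verifier honouring the CRL rejects the leaf afterwards. The names, lifetimes and www.example.com are illustrative assumptions; the `openssl ca` database lives in a scratch directory.

```shell
#!/bin/sh
# Added example (not the Rhodanthe CA's own tooling): root -> intermediate ->
# leaf with a CRL, built with the openssl CLI. Names, lifetimes and
# www.example.com are illustrative assumptions; all state lives under "$1".
set -eu

rhodanthe_init() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"            # openssl ca's issued-certificate database
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = intermediate_ca
[ intermediate_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/intermediate.crt
private_key = $dir/intermediate.key
default_md = sha256
default_days = 90
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

# Build the hierarchy. In a real deployment root.key stays offline.
rhodanthe_build() {
  rhodanthe_init "$1"
  ( cd "$1"
    key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    openssl req -x509 -config ca.cnf -extensions v3_root -sha256 -days 3650 \
      $key -keyout root.key -out root.crt -subj "/CN=Example Root CA" 2>/dev/null
    openssl req -new -config ca.cnf $key -keyout intermediate.key \
      -out intermediate.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -days 1825 -sha256 -extfile ca.cnf \
      -extensions v3_intermediate -out intermediate.crt 2>/dev/null
    openssl req -new -config ca.cnf $key -keyout leaf.key -out leaf.csr \
      -subj "/CN=www.example.com" 2>/dev/null
    # Issue through `openssl ca` so the leaf is recorded and can be revoked.
    openssl ca -batch -config ca.cnf -extensions v3_leaf -notext \
      -in leaf.csr -out leaf.crt 2>/dev/null )
}

# Exit 0 when the chain validates against the root (no revocation check).
rhodanthe_verify() {
  ( cd "$1" && openssl verify -CAfile root.crt -untrusted intermediate.crt \
      leaf.crt >/dev/null 2>&1 )
}

# Revoke the leaf and publish a fresh CRL signed by the intermediate.
rhodanthe_revoke_leaf() {
  ( cd "$1" && openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out intermediate.crl 2>/dev/null )
}

# Exit 0 only when the chain validates AND the leaf is absent from the CRL.
rhodanthe_verify_with_crl() {
  ( cd "$1" && openssl verify -crl_check -CRLfile intermediate.crl \
      -CAfile root.crt -untrusted intermediate.crt leaf.crt >/dev/null 2>&1 )
}

# What a visitor checks out of band against the OpenPGP-signed copy of root.crt.
rhodanthe_root_fingerprint() {
  ( cd "$1" && openssl x509 -in root.crt -noout -fingerprint -sha256 )
}

d=$(mktemp -d)
rhodanthe_build "$d"
rhodanthe_root_fingerprint "$d"
rhodanthe_verify "$d" && echo "before revocation: chain OK"
rhodanthe_revoke_leaf "$d"
rhodanthe_verify_with_crl "$d" || echo "after revocation: leaf rejected"
rm -rf "$d"
```

The fingerprint printed at the end is the value the out-of-band check hinges on: in the Rhodanthe design the root certificate is what the OpenPGP signature covers (`gpg --armor --detach-sign root.crt` produces such a detached signature), so a visitor verifies the root against the author's OpenPGP key instead of clicking through a warning. Note that `openssl verify` without `-crl_check` still reports the revoked leaf as valid; a client that does not fetch the CRL gets no benefit from revocation at all.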

As a side story, major corporations such as Google operate their own certificate authorities. They do this by having an established root CA sign their CA key, which effectively makes Google's CA an intermediate CA under that root (in their case GeoTrust), so that Google can issue certificates for its own services. The problem with this route is the cost and the burden, such as maintaining a Certification Practice Statement, which is beyond the reach of an individual like me.

Categories: Technology, The Endless Debates

The Endless Debates: E-mail Signature

The Endless Debates covers topics that seem to come up again and again and never produce a winner. The classic example is the number of spaces after a period. (I haven't covered that particular topic yet, but I will certainly get to it at some point; stay tuned!) The purpose of this series is not to attack people with the opposite view; rather, it's an exploration of ideas, with the main focus on history, technology, and practicality.

In this article, I will cover E-mail signature placement, which also touches on reply styles.

What’s an E-mail Signature?

If you send E-mail on a daily basis, you know what it is. As many articles [1] claim that E-mail usage among young people is falling, let me explain what it is.

My E-mail is my password.
Verify me.

Werner Brandes
Playtronics Corporation

The block at the bottom of the E-mail, with the name and the company name, is the E-mail signature.

A Typical E-mail Structure

What’s the argument?

With a single message (or the first message in a thread), there's not much room for argument: you write your message, then sign it at the bottom. It starts to get complicated when someone replies. I will illustrate two cases:

The first one:

Werner Brandes writes:
> Hi,
> My E-mail is my password.
> Verify me.
> -- 
> Werner Brandes
> Playtronics Corporation

Who are you?

Playtronics Corporation

and the second one…

Who are you?

Playtronics Corporation

Werner Brandes writes:
> Hi,
> My E-mail is my password.
> Verify me.
> -- 
> Werner Brandes
> Playtronics Corporation

You see the two different approaches? The first example is bottom-posting (the reply follows the quoted text; when the reply is split up between the quoted passages it is called interleaved-posting), and the second one is top-posting.

What’s the specification say?

Currently, no specification stipulates where an E-mail signature has to be placed. The convention, however, is to separate the signature from the body with a line consisting of "-- " (dash, dash, space) followed by a newline. The trailing space is part of the convention: RFC 3676 (format=flowed) recognises exactly this line as the signature separator and exempts it from reflowing, so a client that trims trailing whitespace breaks it.

Many E-mail clients assume that this convention is used. Mozilla Thunderbird, for example, dims the portion after the separator, visually setting the signature apart from the body. Gmail treats it differently, too.
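The separator rule is simple enough to implement in a few lines, and doing so shows why Gmail's top-posting option removes the "-- " line. The following is an added example (not from the original post, and not how any of the clients named here do it internally): two awk one-liners that split a plain-text message at the first unquoted "-- " line, run over two constructed replies to Werner's message.

```shell
#!/bin/sh
# Added example (not from the original post): splitting a plain-text message
# at the Usenet signature separator. Only a line that is exactly "-- "
# (dash, dash, space) at column 0 counts; a quoted "> -- " belongs to the
# quoted text and is left alone. Both messages below are constructed.
set -eu

# Everything before the first separator line (stdin -> stdout).
mail_body() { awk '$0 == "-- " { exit } { print }'; }

# Everything after the first separator line.
mail_sig() { awk 'found { print } $0 == "-- " { found = 1 }'; }

# Bottom-posted reply: the quoted "> -- " is not a separator, so the body
# keeps the whole quote plus the reply, and only Cosmo's block is signature.
bottom_posted() {
  printf '%s\n' \
    'Werner Brandes writes:' '> Hi,' '> My E-mail is my password.' \
    '> -- ' '> Werner Brandes' '' 'Who are you?' '' '-- ' 'Cosmo' \
    'Playtronics Corporation'
}

# Top-posted reply with the signature (and its "-- ") placed above the quote:
# a separator-aware client now treats the entire quote as signature, which is
# exactly what Gmail's "remove the -- line" option is there to avoid.
top_posted() {
  printf '%s\n' \
    'Who are you?' '' '-- ' 'Cosmo' 'Playtronics Corporation' '' \
    'Werner Brandes writes:' '> Hi,' '> My E-mail is my password.' \
    '> -- ' '> Werner Brandes'
}

echo "--- bottom-posted body ---";      bottom_posted | mail_body
echo "--- bottom-posted signature ---"; bottom_posted | mail_sig
echo "--- top-posted body (quote swallowed into the signature) ---"
top_posted | mail_body
```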

Gmail has a checkbox that says "Insert this signature before quoted text in replies and remove the "-- " line that precedes it." Apparently it removes the "-- " so that other E-mail software does not mistake everything below it, quoted text included, for the signature block.

Mozilla Thunderbird

Mozilla Thunderbird defaults to the interleaved-posting style but can be configured to top-post. Like Gmail, I believe it also removes the "-- " when it is set to top-post.

Microsoft Outlook

I do not actually know how this works with Microsoft Outlook, mainly because I don't even have a license for it. I'm assuming it uses top-posting.

Semantic differences

If the purpose of the signature is to denote your ownership of the message, there are several ways to view it. Mainly this comes down to how one perceives quoted text.

Quoted text as transcript

This approach treats quoted text as a transcript of the message; therefore the message is signed at the end of the reply. Since the quoted text is a transcript, the sender is not signing it, because it's not his or her text.

Quoted text as treated text

This is the view that quoted text no longer carries the authority of the original message, even when the two are identical. It is a fair view: once text has been quoted by someone else, the message is physically outside the original sender's control.

The rationale is that the quoted text may or may not have been modified, so the signature goes at the very bottom of the whole message.

Honestly, it's a pointless argument. Consider this: with E-mail, we already face plenty of inconsistency.

Many E-mail clients (Mozilla Thunderbird, Gmail, and countless others) use Usenet-style quoting for replies, which looks something like this:

Werner Brandes writes:
> Hi,
> My E-mail is my password.
> Verify me.
> -- 
> Werner Brandes
> Playtronics Corporation

while some use forward-style quoting (Microsoft Outlook and some others):

-----Original Message-----
From: Werner Brandes
Sent: Wednesday, November 26, 2014 8:20 AM
To: Cosmo
Subject: My password

My E-mail is my password.
Verify me.
Werner Brandes
Playtronics Corporation

And mixing those two:

-----Original Message-----
From: C
Sent: Wednesday, November 26, 2014 1:32 AM
To: A
Subject: Foobar

Foo bar bar bar
A writes:
> Foo bar
> B writes:
>> Foo bar bar
>> -----Original Message-----
>> From: C
>> Sent: Wednesday, November 25, 2014, 9:00PM
>> To: B
>> Foo bar
>> A writes:
>>> Foo bar

You see? We are already forced to live with much greater differences when it comes to E-mail. Signature placement, or even reply style, is the least of our worries.

I Transitioned Local E-mail Management to Gnus

I have mostly been using E-mail through the Gmail web interface, as I use Gmail and Google Apps (or, I guess they renamed their enterprise offering to Google Apps for Work…), with Mozilla Thunderbird once in a while. In normal circumstances that would have been OK, but the interface had become a bit slow to load.

Basically my requirements were:

  1. I literally receive a few hundred E-mails a day, and the client needs to be able to handle that. Not that I have to read every single E-mail in detail, but there are a handful of mailing-list articles I'd like to triage.
  2. Being able to author and send plain-text E-mail (more on that later).
  3. I use Mac and Linux, so cross-platform support is a must. (This is one of the reasons, in addition to bitter experience in the past, that I would never use Microsoft Outlook, in case someone suggests it; it's also not great at handling point #1 above.)
  4. Support for OpenPGP.
  5. Support for multiple accounts (home and work).

So this left me with few choices; point 3 alone disqualifies a lot of them. Then I remembered that Emacs already has a built-in mailer, and every platform I ever have to interact with already has Emacs installed, mainly because I use it daily.

So this is how I landed on Gnus.

In my case, these were the advantages I found in this setup:

  • It pretty much fulfills my requirements.
  • For authoring text E-mail, it's one of the most powerful pieces of software you can find. After all, it's a text editor.
  • It gives me full control and won't try to hide things from me.
  • It's relatively easy for me to modify or extend its parameters and functionality myself, knowing some Emacs Lisp.
  • Works with Org-mode. (See here.)

Things I purposely didn’t consider are:

  • Search facility — I felt it's better to leave this to the Gmail interface, considering how fast its search is. Apart from some automatic tagging, my E-mail is managed chronologically, and finding anything older than I can glance over would require some serious deep searching. I have determined that once E-mail gets past a certain age it is too old to be useful and never gets touched again; although I still keep a copy, it is dormant, so I tend to leave the structure flat.
  • Notification — The age of the smartphone (I even have a smartwatch) has made it unnecessary for me to receive notifications from my mailer. Although I could have Gnus poll for mail and notify me of new arrivals, I purposely didn't configure it.
  • Rich-text authoring — I do not need fancy HTML/rich-text authoring. If you know me, I don't purposely send out E-mail with markup; I'd rather stick with plain text and the occasional bit of simplified Markdown. (The only time you'd see a formatted E-mail from me is when I send it from my phone, because Gmail for Android sends messages that way. I don't know the reasoning behind using formatted E-mail rather than plain text, considering you can't really take advantage of rich formatting in that app.) Occasionally some ill-behaving (and possibly misconfigured) mailer sends me an E-mail with no plain-text alternative MIME part. In that case, I just read that part of the E-mail in the browser (Gnus's K H command works very well for this). By the way, if you send mail this way, your E-mail will be ignored and/or sent to the very end of my queue.

So if you care about those points, my experience won't be very useful to you, and you can stop reading here.

Considering I have multiple Gmail/Google Apps accounts, I needed something that manages multiple SMTP servers.
I found the article using 'gnus' to read mail from the emacs 30 Day Challenge useful for configuring this. What I did not do was fully automate the choice of SMTP server, as there is a fairly complex set of E-mail aliases I have to handle, so I left some manual control: I set this information myself when sending E-mail, specifically through the X-Message-SMTP-Method and From header fields. The code from that site is still incorporated, to validate that only valid E-mail addresses are ever specified in such configuration. This is primarily done by code like the following:

(defun gnus-set-mail ()
  "Insert SMTP-routing and From headers (server and address are placeholders)."
  (interactive)
  (insert "X-Message-SMTP-Method: smtp smtp.example.com 587\nFrom: Example <user@example.com>\n\n"))

Further, I've rebound the key for toggling thread view (gnus-summary-toggle-threads, initially bound to C-M-t) to C-c C-t, simply because I use C-M-t for opening a terminal on my Linux machines. (I currently use KDE, but I find this Unity-style shortcut useful.) Configuring this is actually easy, by the way:

(define-key gnus-summary-mode-map "\C-c\C-t" 'gnus-summary-toggle-threads)

Gnus contains a powerful E-mail authoring feature called MML, which basically lets me mark up the MIME structure of a message. It allows me, for example, to insert arbitrary MIME parts into an E-mail. While I don't do much of this, it does let me fine-tune how attachments are constructed, for example.

Defining MIME parts, each with different character set.

Smooth sailing so far, but I'd like to improve a few parts of the process to fit my needs, which I will explore as they become necessary!

Categories: Japan, Sociology

How the End-of-the-Day Meeting at Japanese Schools Endorses Horrible Totalitarian Whistle-blowing

(This is a translated and expanded edition of the Japanese article originally published on 2013-11-25; due to some interest from Freenet users, I am publishing an English version.)

When I was attending a Japanese elementary school, a very long time ago, beginning around 1986, each day ended with an end-of-the-day meeting.

Generally, passing on important information for the following day was the main purpose of the meeting; however, there was a part of the meeting where students were encouraged to whistle-blow on their fellow students, usually for something petty, such as "so-and-so wasn't working hard during cleaning time." (Students do the cleaning duties in Japanese schools.) It was held for all grades, perhaps except the first year, so I believe it was practiced school-wide. (A quick Google search suggests it is widely practiced in schools throughout Japan.)

It would probably have been OK if the accusation were true and appropriate for the one being accused, but the problem is when it is an accusation one does not deserve. Many people who are weak when confronted (or sensitive to how others see them) tend to admit fault even when they know they don't deserve the blame. Being quite cynical myself, and not necessarily popular (the kind of guy who would be left alone when the teacher asked everyone to pair up, so to speak), I wouldn't admit to anything where there was no wrongdoing. This often caused this supposedly 10-minute meeting to go on for hours, although by the time it was deemed to be taking too long, the teacher would tend to wrap it up, perhaps with a rather ambiguous remark like "I'll have to leave this up to your conscience."

The problem with the end-of-the-day meeting is that there was no protection for the one being accused, and judgement was held by the interested parties; essentially, the first one to say something wins, because it is logically difficult, if not impossible, to prove that such wrongdoing didn't take place. Not being popular in the class made it worse, and indeed those students were the ones targeted the most. The end-of-the-day meeting contributed nothing but unnecessary dissension among students. It essentially promoted whistle-blowing over every minor dispute, including ones that should have been solved among those involved, as well as self-contained wrongdoing that affected nobody but the person themselves. Essentially, it was a world of MAD (Mutual Assured Destruction), where everyone made sure they weren't the sole target of such whistle-blowing.

I don't think it is an overstatement to say that this practice promotes the forced confessions, extracted by police officers with no transparency, that Japan is known for. The end-of-the-day meeting should be abolished.

Categories: Android, Software

Google Camera Depth Map Collection

Some pictures as interpreted by Google Camera, which stores a depth map (XMP-GDepth) and the pre-blur source image (XMP-GImage) in the JPEG's XMP metadata.

You can extract them with the following (where $1 is the image's base name without the .jpg extension):

exiftool -X -b $1.jpg | sed -n -e 's/.*<XMP-GDepth:Data>\(.*\)<\/XMP-GDepth:Data>.*/\1/p' | base64 -d > $1_depthmap.png
exiftool -X -b $1.jpg | sed -n -e 's/.*<XMP-GImage:Data>\(.*\)<\/XMP-GImage:Data>.*/\1/p' | base64 -d > $1_preprocessed.jpg
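The two commands above depend on the base64 payload sitting on one line and silently write whatever the decoder emits. The following is an added example, not from the original post: the same sed/base64 extraction run over a constructed snippet shaped like `exiftool -X -b` output, made tolerant of wrapped base64 and followed by a magic-byte check so a corrupt or unexpected blob is noticed before it is handed to an image library. The two payloads are only a PNG signature and a JPEG SOI marker, not real images, and the namespace URIs follow exiftool's pattern but are part of the constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: the same sed/base64 extraction
# run over a constructed snippet shaped like `exiftool -X -b` output, plus a
# magic-byte check so a corrupt or unexpected blob is noticed before it is
# handed to an image library. The payloads are only a PNG signature and a
# JPEG SOI marker, not real images.
set -eu

# Stand-in for `exiftool -X -b photo.jpg` (constructed; the GDepth payload is
# deliberately wrapped across two lines).
sample_xml() {
  cat <<'EOF'
<?xml version='1.0' encoding='UTF-8'?>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<rdf:Description rdf:about='photo.jpg'
  xmlns:XMP-GDepth='http://ns.exiftool.ca/XMP/XMP-GDepth/1.0/'
  xmlns:XMP-GImage='http://ns.exiftool.ca/XMP/XMP-GImage/1.0/'>
 <XMP-GDepth:Format>RangeInverse</XMP-GDepth:Format>
 <XMP-GDepth:Data>iVBORw0K
Ggo=</XMP-GDepth:Data>
 <XMP-GImage:Data>/9j/</XMP-GImage:Data>
</rdf:Description>
</rdf:RDF>
EOF
}

# Decode the base64 body of one tag from exiftool XML on stdin. Newlines are
# dropped first so the match still works when exiftool wraps long values.
xmp_blob() {
  tr -d '\n' | sed -n -e "s/.*<$1>\([^<]*\)<\/$1>.*/\1/p" | base64 -d
}

# Classify a blob on stdin by its leading bytes: png, jpeg or unknown.
magic_type() {
  case "$(od -An -N4 -tx1 | tr -d ' \n')" in
    89504e47) echo png ;;
    ffd8ff*)  echo jpeg ;;
    *)        echo unknown ;;
  esac
}

# Mirrors the original two commands, with the type check added.
extract_depth_pair() {
  out="$1"
  sample_xml | xmp_blob XMP-GDepth:Data > "${out}_depthmap.png"
  sample_xml | xmp_blob XMP-GImage:Data > "${out}_preprocessed.jpg"
  echo "depth map: $(magic_type < "${out}_depthmap.png")"
  echo "preprocessed image: $(magic_type < "${out}_preprocessed.jpg")"
}

d=$(mktemp -d)
extract_depth_pair "$d/photo"
rm -rf "$d"
```

Against a real file, replace `sample_xml` with `exiftool -X -b photo.jpg`; everything downstream stays the same. The magic check matters because `base64 -d` will happily decode an attacker-controlled or truncated value into something that is not an image, and it is cheaper to reject it here than inside the image decoder.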

Categories: Emacs, Software, Technology

On generating UUID

I have been using UUIDs for several different things, and so far I have generated them with the uuidgen program available on Linux.
Since I use Emacs, I wanted a better way of generating UUIDs right from Emacs.

Ergoemacs had good coverage of this back in 2011.

There is an example that uses the uuidgen program:

(defun insert-random-uuid ()
  "Insert a UUID produced by the external uuidgen program at point."
  (interactive)
  (shell-command "uuidgen" t))

The above pretty much solves the problem of generating a UUID, but I wanted a solution that generates the UUID inside Emacs, in case uuidgen is not available.

The example code Ergoemacs posted seems to do the job; however, I noticed that the original fixes the first character of the fourth segment to "a". That does produce a valid UUID, since that nibble has to be one of 8, 9, A or B (its two high bits are the RFC 4122 variant, just as the "4" at the start of the third segment is the version), but it is always the same one. I modified the code slightly to pick one of those four characters at random instead of always "a", which gives the following.

;; by Christopher Wellons. 2011-11-18. Edited by Xah Lee.
;; Edited by Hideki Saito further to generate all valid variants for "N"
;; in xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx format.
;; The arguments to `format' below are the ones from the Ergoemacs original
;; (they were missing from this copy of the post).
(defun insert-uuid-internal ()
  "Insert a UUID. This uses a simple hashing of variable data."
  (interactive)
  (let ((myStr (md5 (format "%s%s%s%s%s%s%s%s%s%s"
                            (user-uid) (emacs-pid) (system-name)
                            (user-full-name) (current-time) (emacs-uptime)
                            (garbage-collect) (buffer-string)
                            (random) (recent-keys)))))
    (insert (format "%s-%s-4%s-%s%s-%s"
                    (substring myStr 0 8)          ; time_low
                    (substring myStr 8 12)         ; time_mid
                    (substring myStr 13 16)        ; after the fixed "4" (version)
                    (format "%x" (+ 8 (random 4))) ; variant nibble: 8, 9, a or b
                    (substring myStr 17 20)
                    (substring myStr 20 32)))))

One thing to note is that it's generally better to use uuidgen where available, as it draws from /dev/urandom, which is fed by the kernel's entropy sources. The Emacs version hashes process state with MD5, which is a fingerprint of mostly predictable values rather than a random source, and Emacs's random is a plain PRNG. For the purpose of generating a UUID that merely has to be unique this may not be critical, since the likelihood of a collision is still low, but don't use it where the UUID must be unguessable, such as a session or password-reset token.
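For comparison, here is the same layout built the way uuidgen does it, from 16 bytes of /dev/urandom. This is an added example (not the Emacs code above, and not uuidgen's source) in plain POSIX shell; it makes the version and variant nibbles explicit, and includes a checker that exercises exactly the property the edit above restores.

```shell
#!/bin/sh
# Added example (not the Emacs code above): a version-4 UUID from /dev/urandom
# in plain POSIX shell, with the version and variant nibbles set by hand so
# the layout the post describes is visible.
set -eu

# 32 random hex digits (16 bytes) from the kernel CSPRNG.
rand_hex32() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# Lay 32 hex digits out as xxxxxxxx-xxxx-4xxx-Nxxx-xxxxxxxxxxxx:
# the third group starts with "4" (version), and N is the 17th digit with its
# two high bits forced to 10, i.e. (digit & 3) | 8, giving 8, 9, a or b.
uuid_from_hex32() {
  h="$1"
  case "$(printf '%s' "$h" | cut -c17)" in
    0|4|8|c) n=8 ;;
    1|5|9|d) n=9 ;;
    2|6|a|e) n=a ;;
    3|7|b|f) n=b ;;
    *) echo "uuid_from_hex32: not lowercase hex" >&2; return 1 ;;
  esac
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$h" | cut -c1-8)"   "$(printf '%s' "$h" | cut -c9-12)" \
    "$(printf '%s' "$h" | cut -c14-16)" "$n" \
    "$(printf '%s' "$h" | cut -c18-20)" "$(printf '%s' "$h" | cut -c21-32)"
}

uuid4() { uuid_from_hex32 "$(rand_hex32)"; }

# Exit 0 when the string has v4 layout: "4" in the version slot and one of
# 8/9/a/b in the variant slot.
uuid4_valid() {
  printf '%s\n' "$1" | grep -Eq \
    '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
}

u=$(uuid4)
echo "$u"
uuid4_valid "$u" && echo "valid v4 layout"
```

Running `uuid4_valid` over the output of the MD5-based Emacs function is a quick way to confirm that the variant fix did what it should; the Ergoemacs original passes too, it just never produces 8, 9 or b.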

A full code is available on HidekiBin.


Categories: Computers, Linux, Technology

How Far Can a $300 Laptop Go?

When my last laptop decided to give up on me, giving a single blink on the caps lock LED, which apparently means the CPU has failed, I needed a replacement quickly.

I decided to search for Linux laptops, because that’s what I used on my last machine. I could either shop some specialized vendors for laptop, or as I always do, search

Then I found this device called Acer Aspire V5-131-2887.

This is a very inexpensive $300 laptop that comes pre-installed with a variant of Linux called Linpus. Purely out of preference, I reinstalled it with Ubuntu running the KDE desktop.

According to, this device has:

  • Intel Celeron 847 1.1 GHz
  • 4 GB DDR3
  • 320 GB 5400 rpm Hard Drive
  • 11.6-Inch Screen
  • Linux

Usually, when it comes to computing, you get what you pay for, and this computer is no exception. For instance, I wouldn't expect this machine to do heavy computing, such as video editing or 3D modeling.

Yet the Intel HD Graphics GPU built into the CPU is actually not that bad a graphics processor; it displays 3D content at surprising speed. I don't think I would play cutting-edge games on it, but it provides adequate speed for applications like Google Maps in WebGL mode. Another good thing about this particular GPU is that it belongs to one of the best-supported graphics families on Linux.

This machine has a 1.1 GHz processor, which is not very fast even by yesterday's standards, but it runs very smoothly and has a very good thermal profile (usually around 50 °C).

As for connectivity, this computer provides 802.11a/b/g/n and Bluetooth. That is a nice touch, as even more expensive machines often lack 802.11a and Bluetooth. (Amazon's listing omits those features; you may want to go to the product page for the Acer Aspire V5-131-2887 for more complete information.)

Would I recommend this laptop? Absolutely, but only if you know something about Linux. For example, on Ubuntu it worked, but I had to modify a GRUB setting to make brightness adjustment work. If you don't know what that means, maybe you want to stay away. But then, if you are considering learning how to deal with Linux, at $300 maybe this is a good start!


Raspberry Pi as VPN Host Point

My workplace has been using a VPN for certain applications that require a static IP. Since the location of my workplace has been pretty much abandoned by every broadband company (other than Clear), I decided to move the VPN access point off-site, to ensure I have access to this device at a decent speed, even from off-site if need be.

At the office, I had connected the VPN router through a PC running Linux. To take this functionality off the company network, I wanted a more power-efficient, portable solution. I already had a Raspberry Pi, so I decided to give it a spin as a VPN host point.

To provide the conduit to this system, I decided to use the recently open-sourced SoftEther. The reasons I selected this particular solution are:

  • It’s easy to configure
  • It provides a variety of protocol emulation, including OpenVPN and L2TP/IPsec (since SoftEther lacks a client for Mac, those emulation modes are very useful)

Another factor was that I was already familiar with UT-VPN, which has a similar configuration style.

Configuring SoftEther went fairly smoothly; the only pitfall was that when kernel-mode NAT was used on this device, it obtained an IP address outside of the VPN, so I had to set DisableKernelModeSecureNAT to true.
The vpncmd utility exposes the configuration options, but they were a bit confusing: natenable and securenattable switch different parts of the NAT system, and I had to wonder why NAT was not activated. Once I learned to inspect both of them, it wasn't too bad.

So far, performance seems satisfactory, and the next step will be to dedicate a Raspberry Pi to this purpose.

Categories: Linux, Microsoft, Software, Windows

4+ Things I don’t Miss About Windows

So now I have transitioned my desktop to Linux, which means I no longer have any system that runs Windows (at least natively).

1. No more crappy update systems

Apparently, Windows has a defect (dating back to Windows XP) in its Windows Update driver that can cause very high disk load on every startup/resume, mainly from parsing the datastore.edb file. This actually caused a bit of trouble when trying to use my system: essentially, every time I turned on my machine, it would take at least 10 minutes to "stabilize." This happened on three of my prior systems, and the latest machine, an i7-2600 with 16 GB, didn't solve the issue either.

Besides, I have a lot of complaints about how the update system works on Windows. Unfortunately, Windows pretty much requires a restart for just about any update, perhaps thanks to its file locking, too.

2. I am no longer underprivileged citizen of the system

Why am I getting "Access denied" when I'm using my machine as Administrator? Because on Windows, you are not the man of the house: an Administrator account runs with a filtered token until UAC elevates it, and many system files are owned by TrustedInstaller rather than by you. Windows has layers that prevent people from doing stupid things to their system.

Essentially, on Windows, you are prevented from doing a lot of stupid things. This mentality often leads to cases where I know what I'm doing, but the system won't let me do it.

For instance, on Linux and other Unix systems, you can cause a fair bit of damage with something like the following. (GNU rm refuses a bare rm -rf / by default thanks to --preserve-root, but the shell expands /* before rm ever sees it, so this form goes straight through.)

sudo rm -rf /*

I am more than willing to take a risk, and if this command does kill my system, that’s my own fault. After all great power comes with great responsibilities.

3. Exiting the black box

In computing, you can't really escape error messages. Things go wrong to many degrees; some are minor and some are major. If anything goes crazy on Linux, I can usually just type dmesg and find out what happened within a few seconds. Windows also has a logging facility, but even after spending a long time digging through the system event logs, the information I can get is extremely limited. Something as simple as a defective thumb drive is hard to investigate under Windows.

4. Locking file system

You can't delete or move files that are in use. This is a legacy of older Windows versions: an executable image is locked for as long as it is mapped into a process. On Linux, a running executable can't be overwritten in place either (you get ETXTBSY), but it can be unlinked or renamed and a new file put under the old name, because the running process keeps its reference to the old inode until it exits. That is why many system updates don't require a reboot. Given how much RAM systems have these days, it's a ridiculous notion that you still can't do this on Windows.

Ranting continues…

Another thing I want to point out is that Microsoft has lately been harsh on IT professionals (well, I don't know if I'd call myself an "IT professional", but I do maintain a handful of systems…). TechNet Plus was a useful resource for evaluating software, so that I could support a platform I don't necessarily use myself. First they degraded the contents of the subscription, and then they decided to retire it altogether. I was paying my own hard-earned money to stay on top of the platforms I have been supporting. An enterprise may be able to move to MSDN, but for a smaller business, which relies heavily on the personal expertise of its staff, this isn't very realistic. Anyway, Microsoft no longer seems to care. So why should I? That's pretty much what I will have to tell people from now on.