Tested my vocabulary size in Finnish and in English

I did the Finnish vocabulary size test provided by ARealMe.com first and the results was that my Finnish vocabulary size is about 17,280 words which puts me at the top 7.33%

Then to the English language vocabulary size test by ARealMe.com: Here I did a little better with approx. 22,350 words in my vocabulary which puts me in the top 6.08%. So it would seem my English vocabulary is slightly better than my native tongue’s.

Both tests commented that my vocabulary is on the level of “professional white-collar”. I did not cheat in either test by looking up words in Wikipedia or Wiktionary. I’m considering whether to try the French test, but kinda put of by knowing in advance that I will get a dismal result.

 

 

 

Upgrading Debian GNU/Linux from Jessie to Stretch

The official Debian GNU/Linux logo
Debian is a very reliable OS for servers, though you can install it on desktops too.

Objective: To safely upgrade from Debian 8 (Jessie) to Debian 9 (Stretch) two servers and to keep good records of what was done to perform the upgrade.

  1. Server #1 is used just to verify and hold backups of other servers so it has no public services running.
  2. Server #2 hosts a diaspora*, a Hubzilla, a GNU social, a Friendica and a GNU Mediagoblin.

The definitive source on how to achieve the objectives

There are various tutorials with very brief instructions on how to go about the upgrade, but I decided to follow  The definitive guide to upgrading from Debian Jessie (8) to Debian Stretch (9) at Debian.org to learn how to do the upgrade very carefully.

Preparation

First off: I informed the users of the free social media instances about the upcoming upgrade and the downtime to be expected.

Make sure all the software are in their latest version

# apt update && apt upgrade

Made backups of /etc, /var/lib/dpkg, /var/lib/apt/extended_states /home/username, /var/www and the output of dpkg --get-selections "*" and stored them off-site. Additionally I took a snapshot of the system disk just in case the upgrade doesn’t go well then it is possible to revert to the pre-upgrade situation.

Next checked for non-Jessie software with

$ apt-forktracer | sort

It found some items from jessie-backports but nothing that is in use.

Checked for half-installed packages with

# dpkg --audit

Nothing of interest was found. Just one dummy package.

Check for packages on hold

# dpkg --get-selections | grep 'hold$'

None were found.

Edit the /etc/apt/sources.list

Now update the /etc/apt/sources.list changing each occurrence of ‘jessie’ with ‘stretch’. I did it with sed (Stream EDitor) but it is also possible to manually edit the file with your favourite editor.

# sed -i 's/jessie/stretch/g' /etc/apt/sources.list

Start session recording for later reference

Next start session recording with (replace step with a number. When needing to reboot then restart the session recording with an incremented number)

# script -t 2>~/upgrade-stretchstep.time -a ~/upgrade-stretchstep.script

If you have used the -t switch for script you can use the scriptreplay program to replay the whole session:

# scriptreplay ~/upgrade-stretch1.time ~/upgrade-stretch1.script

The upgrade

Update the package list with the Stretch sources in place

# apt-get update

Make sure you have enough disk space for the upgrade

# apt-get -o APT::Get::Trivial-Only=true dist-upgrade

There is ample of space so proceed with minimal upgrade (upgrading only the installed software).

# apt-get upgrade

Now time to upgrade the system. This will take a while.

# apt-get dist-upgrade

Next check if you have already installed the linux-image* meta-package

# dpkg -l "linux-image*" | grep ^ii | grep -i meta

If you do not see any output, then you will either need to install a new linux-image package by hand or install a linux-image metapackage. To see a list of available linux-image metapackages, run:

# apt-cache search linux-image- | grep -i meta | grep -v transition

If unsure which linux-image metapackage you can get longer description of the linux-image in question by running

# apt-cache show linux-image-amd64

Looks good. Let’s install it.

# apt-get install linux-image-amd64

apt-get reports that there are installed packages that are no longer needed. Remove them with

# apt-get autoremove

Now it is time to reboot for the new kernel to take effect.

# reboot

Login and check the OS version

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.5 (stretch)
Release:        9.5
Codename:       stretch

Verified that the services were up-and-running. Upgrade successful!


UPDATE: It seems there are 2 PostgreSQL running: Version 9.4 (the old one from Jessie) and Version 9.6, which ships with Stretch. Going to look into removing the old one safely.

Installing a LetsEncrypt.org wildcard certificate on Linux using acme.sh and a DNS Api

Let’s Encrypt is a certificate authority (CA) that offers free SSL/TLS certificates

Objective: To acquire and install a wildcard SSL/TLS certificate from LetsEncrypt.org to a GNU/Linux system with automatic renewal enabled by using a registrar’s DNS API to prove the ownership of the domain. In this case I’m using the Gandi LiveDNS API but the instructions work with other DNS providers with APIs too that have acme.sh DNS plugins available.

Install acme.sh

sudo su
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install

Get API key from Gandi

Go to https://account.gandi.net/ and click on “security” and generate an API key and store it in a safe place and export it with

export GANDI_LIVEDNS_KEY="fdmlfsdklmfdkmqsdfkthiskeyisofcoursefake"

Generate the cert

Followed the official acme.sh DNS API instructions at GitHub.

Now use the staging environment (–test) for the certificate issuing. This will save you on the issuing limits of LetsEncrypt.org production platform.

acme.sh --issue --test --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld

Notice that this will fail on the first run but succeed on the second one.

Once the –test finishes successfully you can switch to the production environment by deleting the /root/.acme.sh/*.domain.tld-directory (it contains the staging server’s information and will be regenerated with the production server’s info on next run)

rm -rf /root/.acme.sh/*.domain.tld

Now run the issuing command twice (it will fail on the first run) just changing –test to –force

acme.sh --issue --force --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld

Install the certificate in some sensible place as the directory structure of /root/.acme.sh may change in the future.

Certificate deployment instructions for Apache at acme.sh GitHub

acme.sh --install-cert -d *.domain.tld -d domain.tld \
--cert-file /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.cer \
--key-file /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.key \
--fullchain-file /etc/apache2/acme.sh/*.domain.tld/fullchain.cer \
--reloadcmd "service apache2 force-reload"

Edit Apache configuration to take the SSL/TLS protected site into use

Create a VirtualHost-directive for the SSL/TLS protected site

<VirtualHost *:443>
...
   SSLEngine on
 SSLCertificateFile /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.cer
   SSLCertificateKeyFile /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.key
  SSLCACertificateFile /etc/apache2/acme.sh/*.domain.tld/fullchain.cer
</VirtualHost>


Once you are sure that the HTTPS site works redirect requests from the http-site to the HTTPS site with URL rewriting.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Enable forward secrecy in your Apache configuration

Enabling forward secrecy makes users of the site more secure. Instructions by SSLLabs research here at GitHub.


That’s it. The acme.sh installation added a cronjob to run it daily and it will renew the certificate automatically when it is nearing the end of it’s validity period.


 

UPDATE 2018-07-16: If you need to use more than one API Key do as follows. This usually occurs when you are hosting sites for many different registrants.

Export the API key if this is the first time you are using that key. If you have already created certificates with this API key the acme.sh will read it from the config file from the file /root/.acme.sh/yourconfigdirectory/account.conf

acme.sh --issue --config-home /root/.acme.sh/yourconfigdirectory --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld

First run will fail. Run it again.

Create the target directory for certificate installation.

mkdir /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld

Now install the certificate

./acme.sh --install-cert --config-home /root/.acme.sh/yourconfigdirectory -d *.domain.tld -d domain.tld \
--cert-file /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld/\*.domain.tld.cer \
--key-file /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld/\*.domain.tld.key \
--fullchain-file /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld/fullchain.cer \
--reloadcmd "service apache2 force-reload"

Now you are ready to proceed to configure your website’s Apache configuration as described in the original instructions (scroll up).


If you have any improvement suggestions or would just like to say thanks you can use the contact form below.

Migrating a Mediawiki to a new Linux server

To get you started: Get a Linux VPS.

I chose Tavu.io, an ecohosting company with the data center deep inside the Finnish granite bedrock, a “renewable electricity only”-policy and a cloud infrastructure built on top of OpenStack.

For OS I chose latest Debian Stable which was version 9 at the time of writing.

Mediawiki's logo
Mediawiki is a wiki system of awesome quality and reliability

Tavu.io created the VPS on their OpenStack based cloud in a matter of few tens of seconds.

Then the system gave a temporary password and on login via ssh the system required a new password was set.

Login with the new password and run

sudo apt update && sudo apt upgrade

This will get the pre-installed software to their latest version numbers and may take a while.

Then I added a user name I usually use on Linux systems by entering:

sudo useradd -m -s /bin/bash <username>

Now set a password for username with

sudo passwd <username>

and add the user to /etc/sudoers (make a copy of the line that says “root” and change ‘root’ to your user name of choice) and log out and log in as the newly created user.

Now is a good time to get an firewall going so do so.

Now grab a list of installed packages with

dpkg --get-selections > packages-YYYY-MM-DD.list

This could be useful for later use.

Now install some software

sudo apt install tmux nmap apache2 lynx
  1. tmux is a shell session multiplexer
  2. nmap is a port scanner
  3. apache2 is a web server
  4. lynx is a terminal-based web browser

And some more software

sudo apt install htop atop itop iotop glances chkrootkit
  1. htop, atop, itop and glances are system monitoring (for humans)
  2. iotop is a IO (Input/Output) monitoring system for humans (requires sudo)
  3. chkrootkit is a software for checking if your system has a known rootkit installed (bad for you)

Migrating the Mediawiki

First install the dependencies as described below and only then we switch to following the moving a wiki guide. which consists of actually three operations:

  1. Making a backup of the Mediawiki on the old server
  2. Moving the backup to the new machine
  3. Restoring Mediawiki from the backup.

Installing Mediawiki’s dependencies

Now we move on to installing the dependencies of Mediawiki. For this we will follow the Mediawiki installation guide for Debian and Ubuntu (generic guide here) up-to-the-point of actually installing one.

sudo apt-get install apache2 default-mysql-server default-mysql-client php php-mysql libapache2-mod-php php-xml php-mbstring

We installed MariaDB instead of MySQL. They are binary compatible so you can choose one or the other and also interchange them afterwards. Add the database and database user of your wiki and grant all rights on the database to the database user.

Those are the mandatory components and next up are the beneficial components out of which we chose the following

sudo apt-get install php-apcu php-intl imagemagick php-cli

Move required files and the database to new machine

If possible make sure that your Mediawiki is the latest version on the old server.

Next I packed and moved

  1. The database
  2. The Mediawiki directory /var/www/mediawiki
  3. The Mediawiki logs from /var/log/sites/mediawiki
  4. site configuration from /etc/apache/sites-available

and expanded them into the right place on the new server.

A sane approach to the Mediawiki files ownership is as follows

First recursively make you the owner of all of the Mediawiki directory and its subdirectories and files with

sudo chown -R <username> /var/www/mediawiki

and then explicitly making the images/-directory, where Mediawiki stores its writables, to be posession of user www-data (www-data is the user that Apache and Mediawiki run as) by

sudo chown -R www-data /var/www/mediawiki/images

Minimize downtime

The TTL (Time To Live) of the domain at the DNS also naturally affects the length of the outage so modifying it to very short time such as 15 minutes way in advance of commencing the migration.

I temporarily modified the domain name of the Mediawiki (in /etc/apache2/sites-available and also LocalSettings.php) to a temporary subdomain to test that the Mediawiki is working on the new server before doing the DNS change of the production Mediawiki. After you have viewed that the wiki is working on the new server change the domains back to the “real” one.

Following these two practices are simple practical things to do that help to make the imminent outage of your service as short as possible.


Configure Apache2

Link the .conf files with symbolic links from /etc/apache2/sites-available to /etc/apache2/sites-enabled.

ln -s ../sites-available/example.com example.com

Enable mod_rewrite which is needed for the pretty URLs to work.

sudo a2enmod rewrite

Test your Apache2 configuration with

sudo apachectl configtest

and fix your config untill the configuration says ‘Syntax OK’

The last step is that we need to make the Apache2 reload its configuration which is accomplished with

sudo service apache2 reload

Now navigate to the temporary subdomain’s /wiki/-directory and you should see your wiki there.

Warning: The Mediawiki extensions may have dependencies that are not satisfied so also check that each extension works.


If using reCAPTCHA

Google’s reCAPTCHA stopped working (CAPTCHA shows up but when it is time to approve the human as a human I got an error message that reCAPTCHA “cannot contact server”.

This seemed to be solved by logging in to the CAPTCHA management page at Google and deleting the old keys and generating new keys and naturally changing the keys to the new ones at Mediawiki’s LocalSettings.php


Important: Enable outgoing email for Mediawiki

Now we need to put in place a way for the Mediawiki to send emails (very important).

My registrar Gandi.net provides a mailing system which enables the one to use $wgSMTP (set this in LocalSettings) to send outgoing mailing. They also have 5 mailboxes and 1000 forwards included for each domain for all registrants so I can confidently use …@consumerium.org addresses since Gandi.net is rock-solid operation with a very wide palette of TLD’s though maybe 20% higher prices than the price leader which is often buggy, slow and unreliable if they just compete with the “cheapest on planet”.

Other method to get email to go outwards is to install a MTA (Mail Transfer Agent) such as Sendmail, Postfix or Nullmailer and configure it to send the messages.

Whichever method you chose to enable email do check that it works!

Happy wikiditing! – Juho

Installing a Kubuntu 17.04 (again)

This is a blog post mainly about how to flexibly reinstall Kubuntu 17.04 GNU/Linux OS after the previous install running into troubled waters and break down.

Cycle through more than one disk in the install clean approach so get an USB-to-SATA3 casing and some hard drives. The idea is that to install the next OS you do not need to overwrite the previous OS.

  • Get FireFox sync. This way you don’t need to import your bookmarks as sync does it for you.
  • Take previous disk out of the computer and insert another disk, connect the USB installation medium (and select boot order in BIOS or UEFI) and power up.
  • Install Kubuntu.
  • Boot Kubuntu
  • Open a shell and run ‘sudo apt update && sudo apt upgrade’ to get the installed software to the latest version.
  • Install software
    • Monitoring: ‘sudo apt install htop atop iotop glances’ (glances will install python)
    • Database: ‘sudo apt install mariadb-server’
    • Graphics and video: ‘sudo apt install inkscape gimp kdenlive’
    • Audio: ‘sudo apt install linux-lowlatency audacity fluidsynth patchage’
    • Shell multiplexer: ‘sudo apt install tmux’
    • Virtual machine: ‘sudo apt install virtualbox’
  • Copy files:
    • Connect the old disk to the computer with the USB-to-SATAIII casing and mount it
    • I am trying to avoid getting broken confs from the old machine so only conf file I will take is in /media/username/UUID/username/.config/kdenlive. I used cp command in the shell to get it
    • Copy all files and directories from your old home directory to the new home directory, tick “apply to all” and select “write into” when it asks what to do with directories that exist.
    • Copy any other files you need. Unmount the external drive and remove and put in a cool and dry place.

Law draft to ban covert modeling

Law draft to ban covert modeling

covert what?!??!

Since the early 00’s it has become (nearly) impossible to determine in still or moving pictures what is an image of a human, imaged with a (movie) camera and what on the other hand is a simulation of an image of a human imaged with a simulation of  a camera.

When there is no camera and the target being imaged with a simulation looks deceptively human it is a digital look-alike.

Now the equivalent thing is happening to our voices i.e. they can be stolen to some extent with the 2016 prototypes like Adobe Voco and DeepMind WaveNet and made to say anything. When it is not possible to determine with human testing what is a recording of a real voice and what is a simulation it is a digital sound-alike.

It is time to act and ban covert modeling.

9 images showing various techniques on a model derived interactively from a single photo
Image 1 (low resolution rip)
Sculpting a morphable model to one single picture (1)
Produces 3D approximation (2)
Texture capture (4)
The 3D model is rendered back to the image with weight gain (3)
With weight loss (5)
Looking annoyed (6)
Forced to smile (7)
Image 1 by Blanz and Vettel – Copyright ACM 1999 – http://dl.acm.org/citation.cfm?
doid=311535.311556 – PPermission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page.
finding the specular and the diffuse components of the light
Image 4: Separating specular and diffuse reflected light
Normal image in dot lighting (a)
Image of the diffuse reflection which is caught by placing a vertical polarizer in front of the light source and a horizontal in the front the camera (b)
Image of the highlight specular reflection which is caught by placing both polarizers vertically (c)
Subtraction of c from b, which yields the specular component(d)
Images are scaled to seem to be the same luminosity.
Original image by Debevec et al. – Copyright ACM 2000 – http://dl.acm.org/citation.cfm?doid=311779.344855 – Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page.

 

 

 

In the cinemas we have seen digital look-alikes for over 10 years. These digital look-alikes have “clothing” (a simulation of clothing is not clothing) or “superhero costumes” and “superbaddie costumes”, but unfortunately organized criminal gangs with this weapons capability at their disposal are spreading naked digital look-alikes with unnatural “physical” interactions. These industrially produced delusions cause human suffering and societal suffering and the parts that can be outlawed should be outlawed for the protection of the citizens from the arbitrary disinformation attacks by criminal leagues.

Anecdotally we can say: “Do you think that was Hugo Weaving’s left cheekbone that Keanu Reeves punched in with his right fist?”

Brief look at laws that intersect with covert modeling concerns

Chapter 24 of the Finnish Criminal Code “on violating privacy, peace and honor” includes some laws that are touching the issue but unfortunately do not yield sufficient methods to stop crime.

  • § 6 Covert watching
  • § 7 Preparing for covert listening or watching
  • § 8 Spreading information that violates right to private life
  • § a 8 Aggravated spreading information that violates right to private life
  • § 9 Defamation
  • § 10 Aggravated defamation

 


Proposed law to ban covert modeling

§ 1 Covert modeling of appearance

Acquiring a 3D model and making a 7D bidirectional reflectance distribution function model¹ or similar but technically different model without consent i.e. covert modeling of appearance is illegal. Also possession, purchase, sale, yielding, import and export of covert models are punishable.

§ 2 Of using covert image likeness models

Animation and projection from the covert models defined in section 1 to still and animated 2D image or stereo-images² and making these available is forbidden³.

§ 3 Covert modeling of a human voice

Acquiring a model of human voice⁴ that deceptively resembles a human voice, possession, purchase, sale, yielding, import and export without the consent of the target is illegal.

§ 4 Of using covert voice models

Generating and making available audio material from a covert model of a human voice is illegal.


  1. The seven dimensions of the bidirectional reflectance distribution function are as follows: 3 cartesian X,Y,Z and 2 for the entry angle and 2 for the exit angle of the light.
  2. In movie lingo the so called “3D”. In reality it supposedly is only 2 pcs 2D planes in its dimension.
  3. Those in posession of the end product should be encouraged to seek help and not criminalized.
  4. E.g. Adobe Voco ja DeepMind WaveNet. Not yet publicly audible.

Ending words

It may be seven dimensional and we are in approximately 4 dimensions but they cannot leave the 2D projection if we don’t let it anymore. Is there any political will to do something about it?


Serious viewing on the situation


This is a document is the translation of a Finnish original from 2016 intended to be a citizens initiative.

Translation: Tao Te King – Chapter 81. Proof of simplicity

Chapter 81. Proof of simplicity

Honest words are not high and mighty, mighty and high words are not reliable.

The man of  Tao does not argue.

Statue of Laozi in Quanzhou
Statue of Laozi in Quanzhou 中文: 福建泉州老君岩. Uploaded via Flickr to Commons by Dirrival.

Those who argue are not skilled in the Tao.

Those who know it are not scholars. The scholars don’t know it.

A wise man does not amass treasures.

The more he spends on others the more he himself has.

The more he gives to others the richer he becomes.

This is the heavenly Tao that passes through all things, but offends no-one.

This is the wise man’s Tao that acts but does not fight.

End of the Book of the Way of Virtue


Own translation from 1925 Finnish translation by Pekka Ervast (ISBN 951-8995-01-X) with kind permission of Ruusu-Ristin Kirjallisuusseura ry.

Translation: Tao Te King – Chapter 2. Becoming perfect

Chapter 2. Becoming perfect

When the world speaks of the beauty of beauty then ugliness is defined in the same.

Painting picturing Laozi looking troubled
Laozi is not totally free of the pain of knowledge but knowing the Tao decreases the pain caused by search for information. PD-life-plus-70

When good is seen as good then evil is also immediately clear.

Thus being and unbeing both awaken each other; same as difficult and easy, distant and near, high and low, sounding and tinkling, head of the troop and the follower.

A wise one deals only with what is unprejudiced.

He teaches without using words; he works effortlessly, he produces without owning; he acts without seeking the fruits of labor; he finishes his tasks without borrowing; and as he does not claim anything to be his, it cannot be said that he would ever lose anything.


Own translation from 1925 Finnish translation by Pekka Ervast (ISBN 951-8995-01-X) with kind permission of Ruusu-Ristin Kirjallisuusseura ry.

Translation: Tao Te King – Chapter 80. Standing alone

Chapter 80. Standing alone

If I had a small kingdom and only ten or hundred able men, I would not use them for government.

I would teach the people to view death as a high thing and then they would not go abroad to seek it.

Even if they had ships and carriages, they would not leave with them.

Painting of 2 women mending a fishing net
“Improve the present hour” by Winslow Homer depicting two women mending a fishing net. Uploaded by Davepape. PD-life-plus-100

Even if they had war gear they would never have an opportunity to wear them. The people would return again to using yarn and knots (instead of writing).

They would notice coarse food to be palatable, keep their simple clothing beautiful, see their houses as places of rest and would enjoy their simple entertainments.

Even if nearby there was another state and from there the crowing of the roosters and barking of the dogs sounded, my people would grow old and die without needing to socialize with them.


Own translation from 1925 Finnish translation by Pekka Ervast (ISBN 951-8995-01-X) with kind permission of Ruusu-Ristin Kirjallisuusseura ry.

Translation: Tao Te King – Chapter 79. Keeping promise

Chapter 79. Keeping promise

When agreement has been reached after a long dispute, one side always grumbles. And how could this be said a good resolution to an argument?

That is why the wise one takes his part of the commitment and does not demand anything else for himself.

Picture of even scales made from
Glyph of the Unicode character U+2696 scales, using the font Symbola. CC0 and PD-unicode. Artist and uploader Karl432.

A just man checks only his own obligations in an agreement but the unjust seeks his own profit.

The heavenly Tao has no favorites.

It always helps the good.


Own translation from 1925 Finnish translation by Pekka Ervast (ISBN 951-8995-01-X) with kind permission of Ruusu-Ristin Kirjallisuusseura ry.