Notes on Devuan on Disk on R.Pi Model 3

Some long long time ago I’d played with putting R.Pi Debian OS file systems on Real Disk. Then that whole SystemD(amned) thing came along and I got side tracked. I’m now very comfortable with Devuan as my Daily Driver. I remember it was nice using Real Disk, for the few minutes I played with it…

Well, time passes and I’ve been “cleaning up” my disk farm. Along the way, realized that disk had old Debian stuff on it, and I had a newly updated Devuan… So basically I scrubbed it and reformatted / repartitioned and put copies of the Devuan filesystem name space on it.

Well, it’s noticeably “snappier”.

There was a brief moment when mysql wasn’t starting. Then I realized I’d accepted the default RWXR-XR-X permissions on the ‘new’ /tmp on disk, and it needs to be world writable for things to use /tmp… So it’s now RWXRWXRWX (or mode 777) and all is well.

I did the copy “old school” with a scriptlette I’ve used for decades. There are a dozen more efficient ways now, but I’ve become very comfortable that this works without any odd permissions, ownership, links, whatever issues… The command is named “cpdir” in my bin.

# cpdir: copy the tree under $1 (default: .) into $2 (default: /tmp)
(cd "${1-.}" && tar cf - .) | (cd "${2-/tmp}" && tar xvf - )

So just saying:

cpdir /usr  /new/usr

does it all (if you forget the second $2 argument, it defaults to tossing the copy in /tmp rather than dumping junk in your current working directory; which is very important since it defaults to using your current working directory to copy from… That is how I tested it, BTW.)

Then just add a line in /etc/fstab so that the new copy overlays the old name space on the memory card at boot time. That way, you CAN boot just off the card using the ‘old bits’; or if the disk is working right, this new copy will overlay.

The only real complication is that if you “update” or “upgrade” or add programs, you need to do it with the overlay unmounted, then recopy to the overlay to keep things matching. One could also just upgrade the overlay, then if it is icky, unmount it and copy the last version back onto it… only copying to the memory card once proven to be a ‘keeper’. So there’s a bit of operational complexity at upgrades, but in exchange you get built in ‘fall back’ on ooopsies.
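An added example, not the author's cpdir or lsdiff script: the same tar pipe followed by a check that type, mode, owner, group, file size and symlink target match between the original and the copy before the copy is mounted over it. It also covers the /tmp case above, where the conventional mode is 1777 (world writable plus the sticky bit). It assumes GNU find, tar and stat as shipped with Devuan; the function names are illustrative.

```sh
#!/bin/sh
# Added example, not the author's cpdir or lsdiff. Assumes GNU find, tar, stat.
# Function names are illustrative.

# copy_tree SRC DST: the same tar pipe. && stops a side of the pipe when its cd
# fails, and -p keeps modes exact even when not running as superuser.
copy_tree() {
    (cd "$1" && tar cf - .) | (cd "$2" && tar xpf -)
}

# manifest DIR: one sorted line per object, "." included (it becomes the root
# of the mount point). Regular files list size, other objects list the symlink
# target if any. lost+found on a fresh ext4 partition is skipped. File contents
# and timestamps are not compared.
manifest() {
    (cd "$1" && find . -path ./lost+found -prune \
        -o \( -type f -printf 'f %m %U %G %s %p\n' \) \
        -o -printf '%y %m %U %G - %p -> %l\n' | LC_ALL=C sort)
}

# verify_copy SRC DST: returns 0 when both manifests are identical, otherwise
# prints the differing lines ("<" original, ">" copy) and returns 1.
verify_copy() {
    m1=$(mktemp) && m2=$(mktemp) || return 2
    if manifest "$1" >"$m1" && manifest "$2" >"$m2" && diff "$m1" "$m2"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$m1" "$m2"
    return "$rc"
}

# tmp_root_ok DIR: true when DIR has mode 1777. The leading 1 is the sticky
# bit: everyone may create files, but only the owner of a file (or root) may
# delete or rename it. Plain 777 lets any local user remove another's files.
tmp_root_ok() {
    [ "$(stat -c %a "$1")" = "1777" ]
}

# Usage: sh verify-overlay.sh SRC DST    e.g. /usr /SG15/usr (staging mount)
if [ "$#" -eq 2 ]; then
    copy_tree "$1" "$2" && verify_copy "$1" "$2" && echo "copy matches $1"
fi
```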

Here’s a bit of the /etc/fstab:

LABEL=SG15_swap         swap            swap    sw,pri=1024                     0 0
#LABEL=SG15_tmp         /SG15/tmp       ext4    rw,suid,dev,exec,auto,async     0 2
LABEL=SG15_tmp          /tmp            ext4    rw,suid,dev,exec,auto,async     0 1
#LABEL=SG15_Climate     /SG15/Climate   ext4    rw,suid,dev,exec,auto,async     0 3
LABEL=SG15_Climate      /Climate        ext4    rw,suid,dev,exec,auto,async     0 3
#LABEL=SG15_var         /SG15/var       ext4    rw,suid,dev,exec,auto,async     0 2
LABEL=SG15_var          /var            ext4    rw,suid,dev,exec,auto,async     0 2
#LABEL=SG15_lib         /SG15/lib       ext4    rw,suid,dev,exec,auto,async     0 2
LABEL=SG15_lib          /lib            ext4    rw,suid,dev,exec,auto,async     0 2
#LABEL=SG15_usr         /SG15/usr       ext4    rw,suid,dev,exec,auto,async     0 2
LABEL=SG15_usr          /usr            ext4    rw,suid,dev,exec,auto,async     0 2

Note that I’ve commented out the /SG15/tmp (and similar) entries. Those are used for putting a new copy onto that slice of disk. Presently the /tmp mount point is active (no leading # to make it a comment) so it is in use as the active /tmp.
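The option string on these entries (rw,suid,dev,exec,auto,async) is what mount's `defaults` keyword expands to apart from nouser, so the /tmp filesystem honours setuid bits and device nodes. A common hardening for world-writable or data-only filesystems is nosuid,nodev, while /usr has to keep suid for programs such as passwd. The following added example (not from the original post; the function names and the altered /Climate line are constructed for illustration) resolves the effective suid/dev setting per entry and reports the mount points that still allow them.

```sh
#!/bin/sh
# Added example, not from the original post. audit_fstab and sample_fstab are
# illustrative names.

# sample_fstab: constructed input. The /tmp and /usr lines are as shown in the
# post; the /Climate line is altered to show a partly hardened entry.
sample_fstab() {
    cat <<'EOF'
LABEL=SG15_swap     swap       swap  sw,pri=1024                    0 0
#LABEL=SG15_tmp     /SG15/tmp  ext4  rw,suid,dev,exec,auto,async    0 2
LABEL=SG15_tmp      /tmp       ext4  rw,suid,dev,exec,auto,async    0 1
LABEL=SG15_Climate  /Climate   ext4  rw,nosuid,dev,exec,auto,async  0 3
LABEL=SG15_usr      /usr       ext4  rw,suid,dev,exec,auto,async    0 2
EOF
}

# audit_fstab FILE [MOUNTPOINT...]   (FILE may be - for stdin)
# For each listed mount point (default: /tmp /var/tmp /dev/shm) print
# "MOUNTPOINT suid", "MOUNTPOINT dev" or "MOUNTPOINT suid,dev" when the entry
# still honours setuid bits or device nodes. Returns 1 if anything is printed.
audit_fstab() {
    file=$1; shift
    [ "$#" -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { next }    # skip comments, blank and short lines
        !($2 in watch)       { next }    # only the mount points asked for
        {
            suid = 1; dev = 1             # what mount does when nothing is said
            m = split($4, opt, ",")
            for (i = 1; i <= m; i++) {    # left to right, the last mention wins
                o = opt[i]
                if (o == "nosuid") suid = 0
                else if (o == "suid") suid = 1
                else if (o == "nodev") dev = 0
                else if (o == "dev") dev = 1
                else if (o == "user" || o == "users" || o == "owner" || o == "group") {
                    suid = 0; dev = 0     # these imply nosuid,nodev
                }
            }
            r = ""
            if (suid) r = "suid"
            if (dev)  r = (r == "" ? "dev" : r ",dev")
            if (r != "") { print $2, r; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$file"
}

# With arguments: audit that file. Without: run on the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_fstab "$@"
else
    sample_fstab | audit_fstab - /tmp /Climate || true
fi
```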

Also you can see that I’ve set the priority on the swap space with pri=1024. You can make those any integers. I tend to use powers of 2 just because I’m in that mode when on the computer anyway ;-) To be really “hard core” about it, I could tune the ‘swappiness’ settings at boot time to be more swap happy with real disk, but I’m not that in need of speed, yet…

It works well. Better than well.

Now I’ve not had time or opportunity to measure improvement nor even sort out which file system did the improving. Or most of it. But here’s where I put bits of system on a Seagate drive:

Filesystem      1K-blocks      Used Available Use% Mounted on
/dev/sdb3        61665068     53324  58449632   1% /tmp
/dev/sdb5        61665068   6879220  51623736  12% /Climate
/dev/sdb6         8191416   1220460   6535144  16% /var
/dev/sdb7         1998672    163456   1713976   9% /lib
/dev/sdb8         8191416   3013172   4742432  39% /usr

My home directory is on a different drive, so no head seek issues with home dir activity vs system. I’ve got swap on both disks with equal priority (so system can choose least busy) and that priority is higher than the ‘swap file’ on the SD card.

The /Climate is where I’m playing with compiling models, so when I do that there will be a bit of contention with system stuff… then again, I’m using ‘distcc’ so it will be spread over two other cards.

Now when loading a program to run, it comes from disk, and temp files go to disk, and libraries are loaded from disk, and home directory “chatty Cathy” stuff (ALL those browser cache files and crap) go to disk.

Not only is SD card wear reduced (hopefully to near zero) but writes are done ONLY to the data blocks involved, unlike the SD card that writes a whole giant chunk, and oh so slowly at that….

I’ve said at times that the Model 3 was “good enough” as a desktop box. As I remember it, I’d used the disk prior on a Model 2, and while it sped things up, it was a slow board inherently. This seems even more of a speed up. Like the disk is letting the chip get more done.

I’ll need to figure out some benchmarks to measure it, but for now, I’m not going back!

I also set aside a 40 GB partition for a future direct install of the whole OS onto the disk.

/dev/sdb1        41022688     49176  38859976   1% /SG15/Devuan

But it is empty at the moment. Once done, that would leave only the boot code on the SD card. I’ve done this with a different disk for some other operating systems (LFS, Slackware, Gentoo, etc.) and it isn’t all that hard. Just didn’t have the time to deal with it today. But that’s the next step I’m going to take.

Doing it as different partitions for known large chunks is a quick and easy way to do it, and lets me characterize which bits need it the most. Eventually, though, I suspect I’ll just be in the one disk partition and direct boot to it. For now, I wanted the ‘easy fall back’ and flexibility of different partitions for different things.

So, that’s it for this little note. I’m happy. Things are faster. SD card wear is reduced, and write times much faster for /tmp and similar things. I’ll add notes below if anything interesting pops up as I take it for the Test Drive of daily use.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

34 Responses to Notes on Devuan on Disk on R.Pi Model 3

  1. Steven Fraser says:

    Just curious about your recursive copy procedure… was there some reason that you did not want to preserve file ownerships and modification dates? Just asking because the -p option to tar was missing. Also, does that version not support the cp -r command syntax?

    Glad to see your procedure anyway. I’ve used Unix and unix-look-alikes since 1983 for work. Seems that a PI would be fun to have. Your example is inspiring.

  2. E.M.Smith says:

    It preserves owner and perms and date stamps fine. IIRC, the -p is the default (at least as root).

    When I learned Unix, cp didn’t have a -r option. Now I have old habits and scripts proven to work…

    Like I said, lots of more efficient ways to do it. I have an rsync version used when keeping things in sync, that also does a basic copy. The problem comes when moving between dozens of systems with ages spanning 20 years… So after fighting “rsync not installed”, and THIS cp -r is slightly different than that old one and more, well, that old kludge from 1980 or so that just always seems to work calls to me when it’s morning and I’m on my first coffee…

    FWIW, as I recall it, about 1990 I had the -p in the script. Then it slowly became unnecessary on the systems I was using. At some point, needed to type the command in again, double checked with the manual, and just left it out. I tend to do an ls -l and a du -ks on source and destination just to be sure, though… “whenever” I get my old accounts unpacked (working on integrating my archives into the Pi now) I even have a script in them that does that compare recursively. I think I called it “lsdiff”. For now I just do the top layer by hand on the compare. When doing it for a client, I run the full compare.

    For some reason, sysadmins made a dozen, or so it seemed, ways to copy things. Somewhere around 2000? the Unix folks combined the codes into one program, so it has different options depending on calling name, but only one program inside. Along the way there was a little option bleed from one command into another. Shifting options was also part of why I went this way, back when. The oldest versions tested for BSD vs Solaris vs SystemV vs Unicos vs Ultrix and changed options as needed. That was left out in my typing this back in on the Pi, but may well return during my archives restore / integration process… just for nostalgia if nothing else.

  3. E.M.Smith says:

    Yeah, checking the “man tar” manual pages on the Pi shows:

         -p, --preserve-permissions, --same-permissions
               extract information about file permissions (default for superuser)

    It’s that “default for superuser” thing… As I only move chunks as superuser, I decided it wasn’t needed anymore ;-)

  4. Way above my pay grade.

  5. p.g.sharrow says:

    Sounds like you are getting comfortable with this concept. Preliminary R&D is over and you have begun to feel like this little bunch of toys might be a useful tool set. It will be interesting to follow your exploration of the possibilities of massive computer system on the cheap…pg

  6. Steven Fraser says:

    Chief: I see your point about the default -p for superuser. Thanks for your response.

  7. E.M.Smith says:


    It was a good catch on your part. Habits can be strong, and my example assumed my habit of working as superuser. Yet I was unaware enough to not state it… So you pointing it out is of benefit to everyone else. It is me who needs to thank you.


    The PiM3 is now my desktop machine period.

    Sure, I’d like a bit faster, and 2 GB of memory would have zero swap used even on big filesystem moves. (Inode info for files are cached in memory, so move w TB of files and swap use expands to 600 MB.) Faster I/O would help big filesystem moves too. Yet the Pi M3 is “enough”.

    So much so that the added speed of the Odroid has not seduced me away from the Devuan OS.

    I’m currently eyeing the newer Pine64 (that can be had already built into a laptop), but not enough to buy one. Until I can see a Devuan port on it, and/or a larger community of OS support, the time and effort to make a minority board “comfortable” for constant daily broad use is more annoying than the remaining Pi issues.

    I’d expected to move the OS to real disk back when I was exploring OS options, but between the kernel hack that forced movement to a newer kernel and SystemD restricting OS choices, that got set back. But now I’ve caught up with that goal again.

    The Pi M3 is enough faster than the M2 that it I/O limits more often, that means faster I/O will help it more too. While it was “OK I guess” running from fast SD card, it is more like “works well” with this setup. Now, when it is feeling slow, it is usually in the browser when it is displaying “waiting for site FOO”. I.E. IO limited on internet speed. The only other time the sloth bites is moving hundred GB chunks between disks. Then the USB 2.0 instead of 3.0 bites.

    So that tells me the next iteration to have USB 3.0 and 2 GB memory will be worth buying, but not in a hurry. Or similar spec Other Board if they have a well supported OS and a Devuan port exists. But also not in a hurry.

    I mean, think about it: I’ve got 2 TB of disk as my basic running set on this machine. Even slugging around 2 TB on a Wintel PC takes time…

    So I’ve settled on this as my main machine “for a while” and I’m moving in and unpacking the archives (on another 7 TB of disk, much of it compressed though with redundant copies of backups so less real unique data than that…). The Chromebox (HP Intel) is my media station on the TV and does that well with minimal technical demand. Just works, and I don’t care if Google sees what Youtubes I watch as they know that anyway. Since media player is a stretch for the Pi, that is a good alternative to fighting media support, HDMI cable adapters, CPU speed, etc for that use.

    Those two are now “fixed use”, or “decided”.

    The Pi B has been a champ as DNS server for a year or two now. It is settled as Alpine (security and router oriented build) OS and unlikely to change. IFF I have free time, I might try adding WiFi Access Point functions to it, and DHCP. But just not really needed right now.

    The 2x PiM2 boards are set up to be compute servers and also fairly settled. The cluster assembled as desired. They need more tuning and some operational cleanup, but only after I get back to playing with the climate models again.

    That just leaves the Odroid. I got it running and tested. I like it. But I’m not fully comfortable with it yet. I need more time on it and hopefully the OS has matured. I also need to look again at Devuan support on other boards.

  8. E.M.Smith says:


    The thumbnail sketch is simple: Put your operating system on a real disk, the system is faster than running from the SD Card. You can do this by just putting a copy of the “stuff” on a disk partition and mounting it over the original. Leaving the old copy under the new disk mount lets you drop back to it just by unmounting the disk partition.

    I did that for /tmp, /var, /usr and /lib but you can do fewer or more chunks as you like it. (Since the SD Card is particularly slow on write speed, /var and /tmp get the best gains, while the relatively static /usr and /lib the least)

    The rest is implementation details and commentary.

  9. E.M.Smith says:

    Looks like Devuan still has a limited set of prebuilt images for small boards:

    We provide ready-to-use images for the most popular embedded computing platforms, in particular we are starting with RaspberryPi2, BananaPi and Cubieboard2.

    These images can be downloaded via torrent or from the download zone, then put on a SD card using the dd method and booted directly on the device.

    The embedded images are made using our arm-sdk on top of the devuan-sdk.

    I know there is a Pi 3 version too as I’m running it :-)

    IIRC the Cubieboard was less interesting to me due to having a fan. I’m not fond of fan noise… but as the comparison of the Pi, Orange, and Odroid boards showed, these ARM chips are now thermal limited at full computes. They MUST have (for the 64 bit chips) either big aluminum heat sinks or active cooling. Maybe I can find a way to fit a heat pipe cooler to a Cubieboard in place of the whirring bits :’)

    With that, I need to get back to making breakfast 8-)

  10. E.M.Smith says:

    Well, breakfast was quick!

    Shows they have more boards supported, just not as prebuilt images for download:

    A total of 29 different ARM boards are now supported, thanks to the added support for u-boot:
    Currently supported boards are:
    Acer Chromebook (chromeacer)
    Veyron/Rockchip Chromebook (chromeveyron)
    Nokia N900 (n900)
    Odroid XU (odroidxu)
    Raspberry Pi 0 and 1 (raspi1)
    Raspberry Pi 2 and 3 (raspi2)
    Raspberry Pi 3 – arm64 (raspi3)
    Allwinner boards are now contained in a single image (sunxi), and their respective U-Boot bootloader downloads are available in the u-boot directory. The currently supported boards are:
    Olimex: Lime (A10), Lime, Lime2, MICRO (A20)
    Banana Pi: Pi, Pro (A20)
    CHIP: CHIP (R8), CHIP Pro (GR8)
    Cubieboard: Cubieboard (A10), Cubieboard2, Cubietruck (A20) Cubieboard4 (A80), Cubietruck Plus (A83t)
    Lamobo R1 (A20)
    OrangePi: OrangePi2, OrangePi Lite, OrangePi Plus (H3) OrangePi Zero (H2+), OrangePi, OrangePi Mini (A20)
    Allwinner-based Tablet (A33)

    Noted as absent are the Odroid C2 and the Pine64 . The ones I’m more interested in. Looks like their community likes the Cubieboards better. Maybe I need to review them again… and the Acer Chromebook. Figure out if there is a real advantage or just an accident of what hardware got donated to them.

    Acer Chromebook vs Pinebook is an interesting question… which gives the better laptop with full user control… last I looked, the Pinebook still had issues with media drivers (sound and maybe video cores) but that was near beta release.

    As Russia and China both announced laws banning internet privacy (VPN apps they can’t bugger) being free of “app stores” and having open source VPN are becoming much more important. When governments “leverage” vendors, it is time to bypass vendors…

  11. E.M.Smith says:

    Interesting new board:

    UPDATE: Product reviews on Amazon are not all that great. Board failures and OS hard to use. Reboots and drops. Maybe in a year or two of teething….

    It is about $60

    The ASUS Tinker Board is a single board computer launched by ASUS in early 2017. Its physical size and GPIO pinout are designed to be compatible with the second-generation and later Raspberry Pi models. The first released board features 4K video, 2GB of onboard RAM, gigabit Ethernet and a Rockchip RK3288 processor running at 1.8GHz.



    ASUS’ intent to release a single board computer was leaked shortly after CES 2017 on SlideShare. ASUS originally planned for a late February 2017 release, but a UK vendor broke the embargo and began advertising and selling boards starting on February 13, before ASUS’ marketing department was ready.[5] ASUS subsequently pulled the release; the Amazon sales page was changed to show a March 13, 2017 release date, but was later removed entirely. However, as of March 24, the Tinker Board again became available on Amazon. ASUS assured reviewer websites that the board is now in full production.

    Very limited information is available at this time due to the few boards that have made it into the wild. However, tests so far have shown that the Tinker Board has roughly twice the processing power of the Raspberry Pi Model 3 when the Pi 3 runs in 32-bit mode.[8] Because the Pi 3 has not released a 64-bit operating system yet, no comparisons are available against a Pi 3 running in 64-bit mode.

    Recent benchmark testing found that while the WLAN performance is poor at only around 30Mbit/s, the gigabit ethernet delivers a full 950Mbit/s throughput. RAM access tested using the mbw benchmark is 25% faster than the Pi 3. SD card (microSD) access is about twice as fast at 37MiB/s for buffered reads (compared to typically around 18MiB/s for the Pi 3[9]) due to the Tinker Board’s SDIO 3.0 interface, while cached reads can fly at up to 770MiB/s.

    It’s a 32 bit Av7 instruction set, so lots of Linux ports easily made. The 64 bit instruction set is not ported much, or all that well, yet. I.e. lots of work to do it and not many hands on it. Also, 64 bit really only gets a big win for double precision math. For other stuff, it isn’t all that much better. (What the 64 bit data path giveth, the byte packing and unpacking taketh away…)

    It is also by a major computer maker, so has real quality control, specs, design, etc. etc.

    With 2 GB memory, swapping ought to be zero. With the added speed

    The ARM Cortex-A17 is a 32-bit processor core implementing the ARMv7-A architecture, licensed by ARM Holdings. Providing up to four cache-coherent cores, it serves as the successor to the Cortex-A9 and replaces the previous ARM Cortex-A12 specifications. ARM claims that the Cortex-A17 core provides 60% higher performance than the Cortex-A9 core, while reducing the power consumption by 20% under the same workload.

    It looks like it ought to be a very nice desktop alternative for not that much more money.

    Only “issue” is a straight Debian port (though it looks like a good one) so the path to Devuan is a bit more DIY via the Devuan upgrade path.

    I might try one of these someday.

    TinkerOS ‧ Supported OS ‧ Applications
    A Debian-based distribution ensures a smooth and functional experience, directly out of the box. Whether it’s browsing the web, watching videos, or writing scripts, TinkerOS is a great starting point for your next project or build.

    Furthermore TinkerOS has been carefully designed to be extremely lightweight and responsive. Running on top of the base Debian 9 is the LXDE desktop environment. This GUI is optimized specifically for SBC boards. It also features plug & play NTFS support allowing for easy access to Windows based flash drives and external hard drives.
    The included web browser has also been carefully selected and optimized. It is based on Chromium allowing for speed and stability along with a number of extensions. The ASUS team has helped to enable hardware acceleration of the browser allowing for improved web rendering and video playback including HD resolutions in YouTube.

    TinkerOS also includes a number of popular applications allowing for easy programming and development. These include IDLE / Python as well as Squeak / Scratch.

    Beyond TinkerOS and its Debian Linux offering Tinker Board also supports the Android Operating system. This allows for entirely different usage scenarios ranging from media playback, gaming, and much more.

    So the major hurdles of getting a gui comfortable and NTFS support already done. Nice.

  12. R. de Haan says:

    And I thought we were going for Quantum computing…

  13. Steven Fraser says:

    Chief: just to put the data point out there… the first Unix-look-alike I used was Uniflex, a commercial product of Technical System Consultants, running on the Motorola 6809 @2MHz. The whole thing was written in 6809 assembly, including the utilities. The unit I learned on had a dual-8″ floppy storage, and 128K of RAM. It is very interesting to see how far we have come in just the span of my career.

  14. E.M.Smith says:

    @R. de Haan:

    As “Quantum Computing” is entirely theoretical at this point, I only use it for theoretical operations on theoretical problems using theoretical software ;-)

    @Steven Fraser:

    Oh Gak! I think I remember those!

    I hate to admit it, but I remember the transition from 8 inch floppies to 5 1/4 inch… a “great leap forward”… I think I have a 6809 computer of some sort in the garage… I really ought to sort that out. There’s a couple of dirt cheap computers that were made with a plastic shell / keyboard and a z80? in them, forget the name, but they drove a TV set and had something like 8 k of RAM … About the size of two paper plates stuck together and about as sturdy ;-) Maybe I need to assemble a small museum out of my junk piles ;-)


    While I am NOT moving off the Pi M3… I do want to let you all know I’ve ordered Yet Another New Board. Seems Odroid has figured out some of us HATE FANS. The XU3 boards would be great compared to the Pi M3, but for the Damn Fan. Well, in doing some followup checking on “new boards”, it seems they have one without a fan that is 32 bit:

    ODROID-XU4Q with Passive Heatsink [0007Q]
    $76.95 $61.95

    One presumes the “Q” is for “QUIET!”

    It’s an “octo core” (but only 4 run at any one time) based on the Big-Little A15 A7 layout. The A15 cores run fast and hot when needed, but shed work to the A7 slow low power CPUs when demand is low. Your thread stays live while it does something low demand, but gets sent over to the slow low power processor until it hits that big computing intensive part…

    ODROID-XU4[54] Samsung Exynos 5 Octa (5422) ARM Cortex-A15 ARM Cortex-A7 8 (4 + 4) 2 GHz 1.4 GHz ARM Mali-T628 @695 MHz 2 GB 933 32[98] DDR3L

    So fastest speeds are with 4 x A15 cores at 2 GHz cranking, but lowest power use is when idling along on 4 x A7 (or maybe even just 1 x A7 actually doing things) at 1.4 GHz. With 2 GB memory, no swapping is likely most of the time. Also has USB 3.0 and Gigabit Ethernet.

    It runs Devuan “out of the box” since it runs all the XU3 codes (i.e. it is the same 32 bit processor).

    It also dodges the 64 bit trap.

    Much of my grief with Devuan (and other Linuxes as well, really) on the Pi M3 and Odroid C2 boards is due to them being 64 bit cores. It’s a Royal Pain to port to a new instruction set / architecture. Now the ARM folks wanting to NOT slow adoption of their new set, included the ability to run the 32 bit instruction set too.

    Great! I can get “up and running fast!”… the downside is that it makes it easy for folks to NOT bother to port. So you end up with a 64 bit machine running at 32 bit width. All the silicon and power of 2 x the gates, but not using the facilities to benefit.

    So I bought the C2 because it had no fan, and found that because it was 64 bit, it didn’t have a Devuan port. (There is still SOME work in doing the port, even of the 32 bit code, as things like video drivers change). It’s running on Armbian (a Debian variation) and that’s fine. Works reasonably well. But has SystemD… It will likely be a couple of MORE years before a Real 64 Bit Devuan exists. Slightly less for Real 64 Bit Debian. As a consequence, I have it doing “odd jobs”.

    Similarly the R.Pi M3 is 64 bit, but running the 32 bit M2 Devuan for stability. I need to try their 64 Bit ARM64 M3 code again (and downloaded it last night) but last time I ran it, it was still buggy with some software missing. (NOT just the OS needs a 64 bit ARM port, but all the various APPLICATIONS need to finish their ports…. Open Office, browsers, things like fsck and LXDE too… ). So really all I’m getting out of the M3 is the clock speed increase over the M2. Hopefully that will change, but…

    So lesson one:

    The 64 bit chips are more a PITA, still, than speed increasing. Choosing the Odroid C2 was not the best choice just due to that (but it had no fan!!!….)

    Lesson two:

    Clock is king. For more speed, you want more clock speed.

    Lesson three:

    It’s the I/O, stupid. Lots of bench marking shows that much of the time the Pi M3 is “waiting for I/O (or someone like him)”. Especially things like moving files around. That Gig-E and USB 3.0 will matter (as will the faster chip speeds it has).

    So put all those together and the XU4Q has the potential to be a real “Barn Burner”… provided it doesn’t turn up some OTHER software issues or… But if nothing else, it is another 4 cores (at any one time) of 32 bit computes for the compute cluster. Neatly shifting power demand with load. And, essentially, after a year or two now, I’ve decided that a real 64 Bit option is not coming soon so I might as well embrace a 32 bit cluster. I bought a couple of 64 bit boards “for the future” and I’m still waiting for it… so “someday” I’ll start building a 64 bit cluster based on them, but for now, it’s a 32 bit ARM Linux world and I want things running NOW.

    It is much pricier than the Pi M3 (you can almost get 2 x M3 for one XU4Q) so in general it would be reasonable to build a cluster on M3 boards (running 32 bit for now – ready for real 64 bit ‘someday’). I’m still not ruling that out. But for a file server those added I/O speeds are very nice. As a desktop, likely also better. For those reasons I’m dumping $62 ($80 with power supply, shipping, taxes…) on one of the XU4Q boards as an explorational project. It ought to show up in about a week.

    Oh, and it has a Really Really BIG heat sink on it, so you know these folks figured out that the boards without one are heat limited on actual compute performance. I like it when you can see that folks were thinking ;-)

    So even though I’m settled on the Pi M3 as my Daily Driver for the foreseeable future ( I like the stability and known product aspects…) that doesn’t stop the exploration process.

    FWIW, I also looked over a lot of other “high clock rate” boards on that wiki list. Those that looked most interesting were often in the “well over $100” range, so too pricey. Others had dodgy software and / or vendor issues. Most had near zero “community”. Yet Others were, like the Pine64, stuck with the 64 Bit Trap. Really nice “some day”… when ARM64 has everything ported, bugs stomped, and good support… Eventually this one looked like the best “bang for the buck with stability and without SystemD”. Oh, and without noise ;-)

  15. Larry Ledwick says:

    Aside from the economics of cost of hardware I really don’t understand why computer manufactures do not simply standardize on USB 3.0 ports on their systems, (especially the front panel ports that are most likely to be used). If you want to increase USB port count for marketing purposes stick a couple USB 2.0 ports on the back panel, but it would really be nice to be able to actually use the data rate of USB 3.0 without constantly unplugging and re-plugging stuff in one or two USB 3.0 ports.

    Same with gigabit ethernet as standard.

    As we move more and more toward solid state storage, the data link between devices is becoming the operational bottle neck for most users, and the technology to solve that issue already exists, although the cheaper solid state devices rarely operate at speeds that stress USB 2.0.

  16. Larry Ledwick says:

    On the active Left, an item about the left’s intimidation tactics and intentional efforts to brand middle of the road constitutional small government conservatives who support Trump as “nazis”:

  17. Larry Ledwick says:

    If all these accusations are true about how they handled the protests I suspect there will be grounds for lawsuits against the city of Charlottesville for intentionally creating a situation that promoted the violence as the crowds were dispersed.

    View story at

    Interesting connection to the torch march being functionally identical to the torch marches used by Soros to co-opt the Ukraine protests and facilitate the chaos there.

  18. Steven Fraser says:

    The 6809 machine I described was from SWtPC, where I worked. They got started (before my time) with kit computers, and did all their own board design & fabrication at the factory, including the wavesoldering. By the time I got there (Summer of ’83) they had hard drive based units that would run 16 simultaneous terminals… at that 2MHZ clock.

    I remember going to Comdex when Maxtor announced their full-height, 5-1/4″ 90MB hard drives… very exciting for the time for the SS-50 bus…

  19. E.M.Smith says:


    I think the “nazi” article hit the wrong thread… (Not that it matters, but anyone looking for it in the future likely won’t think to look on a Pi thread…)


    Well, having just badmouthed arm64, I checked the Devuan web site and saw that they have officially shipped release 1.0 across the board, including arm64. FWIW, I’m typing this on it at the moment. It has a somewhat buggy FireFox (or needs a lot of tuning) as it sometimes hangs. I think it is the dictionary for spell checking that I just turned off… (Probably need to select dictionaries or some such)

    Other than that, seems fast and looks pretty.

    As expected, memory usage looks higher. With 2 terminals open (one running “top” and the other idle but there so I can inspect, look at things) and Firefox with ONLY this one page open, I’ve got 12,204 of “swap” used already. (I pointed it to disk so not hitting the chip)

    I’ve got it on a separate chip from the 32 bit “Daily Driver” so once I think up some benchmarks I can compare them. So far, my impression is that the 32 bit OS uses less memory and is a bit faster on FireFox. (That may be due to FF not being set up well ATM) We’ll see.

    It also looks like some minor visual glitches in the text field for ‘name email website’ in that the text I entered is overlaying the prompt (‘name required’) after a recovery from killing the browser. So on recovery it didn’t clear the buffer of prompt before overlaying with the text I’d entered last round.

    Well, I couldn’t get through more than one line of text without a hang before, and now I’m typing paragraphs. Looks like turning off “check spelling as I type” fixed the hang. Likely I need to set up dictionaries better or some such…

    FWIW, in the ‘top’ panel, for Firefox, it shows VIRT at 1,780,596 and has a new entry of “Web Content” at 1,492,068. Both those seem high to me. It also looks like they split out a thread to handle processes from inside web pages on a separate CPU via this “Web Content” thing (at least I don’t remember seeing it before…) It’s cranking 35% of a CPU as I type. 20% when I don’t. Also, between the two of them, it’s 55% of %MEM, so fat little bastards…

    OK, my general impression so far is that it is running OK, not significantly buggy (better than last time I tried it a year+ ago) and may be workable. It is NOT more comfortable as a posting station just yet; either due to the higher memory usage or just because I’ve not cleaned up the FireFox settings. We’ll see.

    I’m going to continue using the 32 bit version as my Daily Driver but I’ll be taking this one for a shakedown cruise and benchmarking as time permits.

    Oh, and I couldn’t find an installation candidate for Opera or Chromium so “alternative browsers” not easily installed… But that’s “for another day”. For now, it looks like FF is OK as long as spell checking is turned off (or fixed…)

  20. Larry Ledwick says:

    Ooops sorry about posting to the wrong thread while multi tasking at work.

  21. E.M.Smith says:

    OK, I had to find the Mozilla / FireFox site where you download and add on the dictionary. Now it doesn’t hang with spell checking turned on… So a minor bug in that they ship it with a feature turned on that doesn’t work until an addon is added on… Got it.

    Also, on return to this page without a crashed browser recovery, the “shadow prompt” text is gone from the ‘your details’ lines. So another minor bug in that crashed browser recovery wasn’t checked, tuned, or they just ignored the double text.

    None of that makes it a problem, much, as long as you know it’s coming…

    Oh, and I’m now at 46,352 of swap used after opening, then closing, two tabs (one to add on the dictionary).

    So “works now” but still taking more memory (as you would expect with 2 x the bytes in every word of machine code…)

    Well, I need to get back to setting up my account on this chip and generally making it a bit more than a raw installation. Then at some future point I’ll post my “Buildit” script for this one (almost identical to the 32 bit) and some benchmarks…

  22. CuriousCat says:

    I have a question to Smith and one comment:

    Moving away from Apple after many years, as the writing is on the wall for a long time to close down OS-X and make it a pay to play sandbox like the iphone and to push everything to the cloud. Thank you, not for me. Then also, after I started turning a local firewall on and logging everything, is really scary how much calling home happens (Apple and every browser), and undocumented daemons are running and doing what. But that is another topic.
    So I need a machine that I can control finally again.
    But I got spoiled from the very silent Apple machines, both laptops and mini. So I also came to the rPi 2 with separate disk setup.

    Question, I like the Pi2 has no built in Wifi. How do you feel about the Pi3 and similar boards with
    built in Wifi. I like the cord cutting ability and then I can be quite sure the network is down, no matter what.

    I also use Devuan with good result (so I didn’t get around trying Alpine) and as a tip, the freenode irc channel #devuan-arm has the chap who does all the Devuan compiling and packaging for ARM boards (forgot the name, but he is mentioned in the channel topic title and is the channel operator). So if really curious, he hangs there every day and can be pinged about what he is up to next (in case) or if you have a board specific issue…

  23. E.M.Smith says:

    Wow! Logged in as “me” and opened my browser with the same tabs (reopen last session setting) and what do I get? But 655 MB of swap used! (!!)


    At least Fire Fox is a real memory hog in 64 Bit. I wonder if they are just packing bytes in the first 32 bits of the word and didn’t bother to use more with 64 bit machines? Otherwise, I can’t explain it. It isn’t like the pages are bigger here than in 32 bit land…

    This also points up the problem of “limited” memory and then treating memory as unlimited… The world has decided 1 GB “just isn’t big enough”. Sigh. 512 MB ought to be overkill… but for sloppy programming and system buffer tuning practices. Oh Well.

    I’ve now got swap spread over two real disks and have 4 GB of it available. It is very clear that to run the Pi M3 as 64 Bit you MUST have swap and it better be good swap. You WILL use it, a lot, if you run a browser at all.

    OK, that, for me, is enough to answer the question of 64 bit vs 32 bit. As a Daily Driver that much swapping for a few web pages is just nuts. (On my ARM tablet I have way more pages open in the browser and way less swapping from about the same memory. Clearly it isn’t ‘arm-ness’ nor ‘linux-ness’ as Android is a Linux derivative. It’s ‘careful-ness’ in coding…)

    But, for now, the Pi M3 running 32 bit system is staying my Daily Driver. The 64 bit MIGHT have some advantage in some kinds of compute tasks. I’ll have to test it to see. But for “LXDE + Browser” you end up immediately in Swap-Land with ONE tab open, and having any more than that is All-Swap-All-The-Time so slow.

    This also leads me to believe that the Odroid XU4 with 32 bit build AND 2 GB ought to be a far better choice than this 64 bit build and 1 GB memory… by about a factor of 4 …

    Ok #2: Back to playing with it ;-)

  24. p.g.sharrow says:

    We have had this discussion before “what might be the best compromise in bit size OS” 32 bit or 64 bit?
    It seems to be, twice the length may well be half as effective in resource utilization. Putting too many cores on a chip may also be a waste due to heat dissipation problems. I also hate to listen to fan noise and the need for periodically needed dust cleaning.
    The Pi-3 seems to be a good compromise at the moment but its IO speed sucks. The “Pi” form factor seems to have become a standard with quite a number of clones being created and offered at relative cheap prices so one can hope a better balanced board might be found.
    Still it is the software that is the biggest hangup to achieve nirvana. :-) Devuan & LXDE would seem to be the direction to go. Not sure that Firefox is the most useful browser though it is the one that I use most. Too many bells and whistles and it is getting worse. Sometimes less is more…pg

  25. E.M.Smith says:

    OK, on the 32 bit OS, same (updated) Devuan, same login, same swap on same disks with same browser (FireFox) with same tabs opened and same same same…

    I get 119 MB of swap. More than I’d remembered, then again I’ve got a few more tabs open now… but that still leaves 535 MB of MORE swap used on the 64 bit build.

    I’ve also “activated” each tab in both systems by switching to it long enough to assure it has loaded (meatball stops spinning…). Since I don’t do that in Real Life, it is likely the reason I’m using swap now on the 32 bit build but don’t remember it being over 1 k before. Some pages were not activated. (For example, I logged into my router with the login web page on both 32 and 64 bit builds; normally I only do that to manage something, and that’s only once every few weeks).

    In any case, half a GB of swap takes a while to read / write and that shows up as a less responsive browser. Since the web pages look the same on both, the 32 bit build “Wins” the browser usage comparison. Easily. So “32 bit for Daily Driver / browser and such”.

    Still TBD is technical use. Compiles, disk management (byte shoveling…), compute intensive models, compute intensive GIMP. But that’s for another day…

  26. David A says:

    Larry, my biggest issue with the Atlantic article is the repetitive association of Trump conservatives with white supremacist. Also pretending antifacist is anarchist instead of Marxist is simply not accurate.

  27. E.M.Smith says:


    Yup. IMHO the 32 bit word size is about all you need for anything and the 64 bit only has a real advantage on Double Precision Math (where it’s just a regular multiply, for example…).

    For text based things, even the 8 bit box is pretty good. No byte packing / unpacking needed ;-) But 16 gives an advantage for things like unicode characters and other character sets. At 32 bit, you have darned good math without issue (other than double precision needing some extra time / steps – but Double isn’t used much by regular folks) while Byte packing isn’t that complicated. FWIW, anything attempted beyond 64 bit has regularly gone down in flames as expensive and not seeing the gain. That tells me 64 bit is as much as can reasonably be used, and only a marginal “gain” on the math front.

    I’ve gotten fond of Opera on the Tablet. Faster and lighter than Firefox. I’ve got a half dozen browsers on it and several are nice. Opera has interesting data compression features so better for use on slow links. As near as I can tell, they have a proxy server that contacts the website on your behalf. It caches lots of stuff, so multiple folks hitting the site don’t cause multiple downloads of images and stuff. Then the Opera server compresses the items from the web page and sends it to you, where you uncompress it automagically. Per their report, I’m using about 1/2 the normal bandwidth (or getting things 2 x as fast ;-) I likely ought to see if there is an Opera install kit for Devuan… at the vendor site not in the packages archive…

    The Odroid XU4 has FAST I/O. GigE, USB 3.0. I expect it to be optimal (but we’ll see…). The Pi M3 on Devuan 32 bit is quite usable, especially with swap and OS bits on real disk eliminating a lot of SD Card I/O. I’m happy with it. I expect the Odroid XU4 to have enough performance juice (from the 2 GHz clock and faster I/O) to make it the eventual winner as desktop and as main file server. For distributed compiles, a 32 bit cluster is likely ideal too. That only leaves the question of Climate Models as needing fast Double Precision Math… At least that’s what I expect. Benchmarking will tell the tale.

    Per heat:

    You remember my heat trials. You can get about 1 fast core of performance with no heat sink. You can get 4 cores worth with good cooling. At 8 cores, heat is just going to kill you if you run them all at the same time. (Part of why I’m OK with the Big/little architecture swapping work from A15 to A7 and back and NOT letting you run both sets at the same time… you couldn’t get all 8 running at the same time anyway due to heat issues.)

    There’s some interesting YouTube videos showing Extreme Cooling of Pi boards. One has it immersed in a tank of mineral oil. Another has a very nice commercial liquid cooling hat and a reservoir / pump / radiator setup…. Oddly, their temps were not as cool as the guy in the UK who put a big Odroid like metal heat sink on his. What I gathered from it all was a big chunk of finned copper does more than anything else. But yeah, 4 cores in a package is about it for now without a lot of active cooling (fans / pumps). Part of why I lost interest in the Parallela board. Early ones had “heat issues” and it was clear they had not thought through what running 16 cores all out would need in cooling.

    So for my purposes, I’m pretty much settled on the basic device being 32 bit OS, 4 cores, large enough metal heat sink. (The XU4 fits this as it is “only 4 cores active at once”…) Then just gang them up in clustering for things like huge compile / build operations or distributed model runs. For now, the Pi M3 is the target board of choice for that on a $/Mips basis, but the XU4 has a shot at beating it (and certainly on throughput time especially for I/O dependent things). Being ALL 32 bit Devuan / Linux builds, all of them ought to inter-operate well in clusters anyway.

    So for my part, I’m pretty much wrapped up on OS, and Hardware Spec issues. Just one more board to test for A/B selection inside an established general interoperable set…

    That means a little bit of benchmarking just for grins, really. Then setting up the Cluster as a more stable / permanent thing. (Right now it’s sort of “turn on and assemble as needed if interested”) Then I’m lined up to proceed to doing Real Work with system build compiles, local repository (so system builds need not be exposed to internet / interception) on the systems side; and “make my model go” on the applications side. I’m going to start with a “GISTemp on a chip” build first. See if I can get it running well enough on a Pi with all GHCN data included.

    It’s an oddly bitter sweet feeling when an investigation ends. Sweet that the work is done, wrapped and shipped. Bitter in that after investing so much time in something it is a bit of a loss feeling to “just let it go”… But that’s where I’m at on OS, word size, hardware, etc. Reaching an end with no clear path of interest left in front. (Subject to change if someone ships a killer board or way cool new OS; but that’s a slow process at best…) Oh Well. I can keep myself entertained playing with the Orange Pi / Armbian and Odroid C2 64 bit Debian / Ubuntu when I’m feeling the urge to do something different ;-)

    So, next place to explore: GIVEN a 32 bit build Devuan Pi / Odroid Stack – what interesting things can be done to implement distributed computing on them? Possible point: The XU4 has a set of video cores that ought to be easily used in computing (implement an open standard IIRC) so they might be usable with custom adapted code in things like climate models. This will be a low priority exploration just because for an hour or two worth of time I can add a whole new board to the stack… so sinking a few days into vector computing may not pay off any time soon…

    As of now, I’ve got a 12 core stack. With the XU4 that will be a 16 core stack. (All 32 bit and compatible). I suppose I could try running the XU4 32 bit build on the C2 and see if it can be run as a 32 bit system and added to the stack… Or not. If it takes more than a couple of hours I could just buy another board instead… Optimization is such fun ;-) But for now I’ve definitely got enough of a stack to get serious about starting the applications compute work. distcc worked well, so a first start is likely to be doing OS builds on a cluster. The Climate models need to be made runnable “at all” before trying to make them cluster friendly, and that’s going to take time.

  28. E.M.Smith says:

    @Curious Cat:

    Isn’t it interesting how running a network monitor ‘enlightens’ you about how much information is leaking / sucked out of your machines by “others”?

    Per built in vs pluggable WiFi:

    “ifconfig” is your friend. Just open a terminal window and have one of those running:

    while true
    do ifconfig
    sleep 60
    done

    Then every minute you get a refreshed listing of what I/O is running like:

    root@Headend:/# ifconfig
    eth0      Link encap:Ethernet  HWaddr b8:27:eb:cf:83:ed  
              inet addr:  Bcast:  Mask:
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:35899 errors:0 dropped:1 overruns:0 frame:0
              TX packets:25238 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:40789828 (38.9 MiB)  TX bytes:2773571 (2.6 MiB)
    lo        Link encap:Local Loopback  
              inet addr:  Mask:
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:1538 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1538 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1 
              RX bytes:128401 (125.3 KiB)  TX bytes:128401 (125.3 KiB)
    wlan0     Link encap:Ethernet  HWaddr b8:27:eb:9a:d6:b8  
              inet addr:  Bcast:  Mask:
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:16 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:3245 (3.1 KiB)  TX bytes:3703 (3.6 KiB)

    Now you can either do “ifdown wlan0” to just turn it off when desired, or you can go ‘whole hog’ like I do and have a (fairly cheap $50?) wifi router in your office that connects via Ethernet cable to your house WiFi provided by the Telco. Now I can just shut down my office WiFi by downing the router whenever I want assurances. My office machine has no password / SSID info about the Telco WiFi so can’t log into it anyway…

    That way the TV Sets et al keep on working via the Telco House WiFi (and all looks normal to someone outside) while my office WiFi can be bounced up and down and nobody notices. Also ALL my office traffic comes out one NATed port to the Telco so interior IP info is a bit scrambled, and I can run my own time / squid proxy cache / VPN etc to further limit visibility to the outside world. Also, I can set things like routing tables to simply “ground” all traffic to places like China. Just send their whole IP range to the bit bucket…

    Defense is a game best played in depth… and having a WiFi chip on the board is not very important as long as you control the WiFi router…

    But if you really like being able to “pull the wireless plug”, there are other fast boards without WiFi built in. The Odroids for example. See:
    and scroll down to the red / green blocks spreadsheet. Lots of choices. I’m thinking the XU family and in particular the XU4Q will be that quiet no fan high performance board of choice (and has no WiFi built in)… but we’ll know in about a week or two when I’ve played with it.

    Alpine is NOT a general purpose desktop build. It is the old “one floppy” router Linux all grown up. Very good as your own router, not so good as a desktop. (Features like you must commit changes or they don’t survive a reboot – great for router resets, a PITA for a nooby admin on their desktop). I’d use it to build my own WiFi Access Point (one day, when the Control Nazis put too many rules on what can be bought for $50…) but not my desktop.

    Oddly, I’ve never been one for IRC or “chatting”. OTOH, I keep thinking it’s time to get into it. Though I’d be inclined to contribute work on bits he was not getting around to doing, rather than just nagging; and not having much uncommitted time right now taking on more to do might not be the best idea ;-)
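
An added example, not part of the comment above: the one-minute `ifconfig` loop leaves the comparing to your eyes, so this script diffs two snapshots of `/proc/net/dev` (the kernel table those byte counters come from) and reports whether an interface that is supposed to be idle moved any bytes. The two snapshots are constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag traffic on an interface that should be idle
# (e.g. wlan0 on a desk that is meant to be wired-only).

# Two constructed /proc/net/dev snapshots "60 seconds apart" (sample data).
sample_before() { cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  128401    1538    0    0    0     0          0         0   128401    1538    0    0    0     0       0          0
  eth0:40789828   35899    0    1    0     0          0         0  2773571   25238    0    0    0     0       0          0
 wlan0:    3245      16    0    0    0     0          0         0     3703      18    0    0    0     0       0          0
EOF
}

sample_after() { cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  128401    1538    0    0    0     0          0         0   128401    1538    0    0    0     0       0          0
  eth0:40912345   36010    0    1    0     0          0         0  2790001   25301    0    0    0     0       0          0
 wlan0:    5293      24    0    0    0     0          0         0     4215      21    0    0    0     0       0          0
EOF
}

# snapshot_bytes IFACE TEXT -> prints "rx_bytes tx_bytes", or nothing if absent.
snapshot_bytes() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR > 2 {
            sub(/:/, " ")        # "eth0:40789828" -> "eth0 40789828"
            if ($1 == want) print $2, $10
        }'
}

# check_idle IFACE BEFORE_TEXT AFTER_TEXT
# Prints one verdict line. Returns 0 = quiet, 1 = traffic or reset, 2 = missing.
check_idle() {
    iface=$1
    before=$(snapshot_bytes "$iface" "$2")
    after=$(snapshot_bytes "$iface" "$3")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "$iface: MISSING from a snapshot"
        return 2
    fi
    rx0=${before% *}; tx0=${before#* }
    rx1=${after% *};  tx1=${after#* }
    drx=$((rx1 - rx0)); dtx=$((tx1 - tx0))
    if [ "$drx" -lt 0 ] || [ "$dtx" -lt 0 ]; then
        # Counters can wrap at 4 GiB on 32-bit kernels, and a driver reload
        # or re-plugged adapter restarts them; either way, look closer.
        echo "$iface: RESET counters went backwards"
        return 1
    fi
    if [ "$drx" -eq 0 ] && [ "$dtx" -eq 0 ]; then
        echo "$iface: QUIET"
        return 0
    fi
    echo "$iface: ACTIVE rx=+$drx tx=+$dtx bytes"
    return 1
}

# Demo on the constructed snapshots. For live use:
#   a=$(cat /proc/net/dev); sleep 60; b=$(cat /proc/net/dev)
#   check_idle wlan0 "$a" "$b"
for i in lo eth0 wlan0 wlan1; do
    check_idle "$i" "$(sample_before)" "$(sample_after)" || true
done
```
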

  29. E.M.Smith says:

    @Curious Cat:

    Here’s an example from my /etc/dnsmasq.conf file of how I “ground” some things:


    So all those folks get nothing from my browser or my computer. It just can’t get there from here…

    On my “todo list” is to make sure the Apache Server I had on a Squid box is running and point all such traffic to it, so it can serve up a ‘page blocked’ message on web junk in web pages; but for now I just send them to the localhost port.

    FWIW, in addition to just blocking large swaths of globe with a fixed route to hell with broad range, you can build ACLs (Access Control Lists) in routers for more fine grained things. This site has an interesting comment in it:

    k-schwartz 5 years ago

    Check out the CountryIPBlock website. Here is a link to this cool feature where you put in a country and it can output a Cisco router ACL for you. About a month ago I was instructed to block China and Iran on our Internet facing 2851’s. I was concerned about what this would do to latency but we have no issues. When I was doing my research I found that Cisco uses a more efficient algorithm as of (I believe) 12.3T. I forget the details but it appears to be similar to the turbo ACL feature that the PIX firewalls used. Except it works by default (like current ASA’s do) and you do not have to manually compile the ACL.

    I just select the country, copy the text to notepad and you are ready to create the ACL on your router. I pasted the output for Russia in an Excel spreadsheet and got about 6500 lines.

    List of China IP ranges here:

    Not really all that long a list to block.

  30. jim2 says:

    I got a case and fan for my Pi3. I don’t recommend this one because the “ears” that latch the case shut are fragile and broke. But the fan is only 1 inch square and very quiet. You can get 25 mm fans on amazon.

  31. E.M.Smith says:

    I’ve got three cases plus the Dogbone Stack. The one I like most is the Dogbone. Great ventilation (and, as my heat tests showed, heat limits performance). 95%+ of the time it is fine standing upright, but IF I ever run it 100% pegged, I can get a bit more cooling by tipping it on the side. I covered that in my heat stress postings showing core temp readings.

    I have a clear plastic case that is OK for regular desktop use. It has enough ventilation via the GPIO cable slot and some others for normal loads, but not for 100% operation. It works at 100% but temps rise a bit high. I also have a nice red and white case with snap on sides and top. IMHO, fully closed it has way too little cooling. Snap out the sides or take off the top cover, it works great (just 2 red top and bottom plates holding the Pi with big openings in the side and top). Snaps together and apart easier than the clear ones too.

    So far, no need for a fan.

    I need to post the youtube of the guy overclocking Pis with added heat sinks. The big copper passive one gave lower temps than the guy using active liquid cooling. Go figure…

    I have the little chip sized aluminum stick on heat sinks and with free air flow, they seem to be just enough.

    I’m likely going to get two more Pi M3 boards (even if the Odroid XU4Q captures my muse) just to put in the now empty clear and colored cases (those boards moved to the dogbone). Then those two can be added to the cluster when needed via a chip swap, but mostly will be setup as dedicated purpose servers. So less chip swapping needed :-)

    I’ll likely reserve the red one for “financial transactions only”. If I only ever connect to PayPal or the bank on that chip, it ought never be at risk from rogue web sites (like following random links chasing an idea…). Figure once a month “flash it” back to the stored pristine image from archive disk just to be sure. I’m happy to pay $40 for that level of protection…

    Similarly, one for doing questionable searches. Like hacking R&D where you may hit questionable sites. Just “flash” it back to a pristine image when done… (probably keep that image on another locked SD card just as added isolation from everything else). Make and test the image. Then copy from disk to 2 x SD and lock it. Future flashing just does a dd from one SD to the working SD using its own dedicated chip to run the board. Three chip Monty? :-) But by doing that, nothing can ever crawl back upstream to my disk farm or Daily Driver… Air Gap is your friend :-) Oh, and that system only used on my Telco Router side. Not inside my office net…

    Overkill? Maybe… but in about 30 years of network exposure I’ve never been infested, near as I can tell. Isolation and a steady flow of data and system images from pristine sources toward the open to the world side seems to help that a lot… crap has to crawl up stream faster than the downstream flow and the gaps prevent that.
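
An added example, not from the comment above: between re-flashes, one way to see whether a working card has drifted from the pristine build is to keep a SHA-256 manifest of the pristine file tree on the locked card and compare it against the live tree. The directory layout and file contents are constructed, the function names are hypothetical, and `sha256sum` from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: baseline a pristine file tree, then report drift.
# Keep the baseline manifest on read-only media; a manifest stored on the
# working card can be rewritten by whatever changed the files.

# make_manifest DIR -> "sha256  ./path" lines for every regular file under DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2
}

# diff_manifests BASELINE_FILE CURRENT_FILE -> sorted ADDED/CHANGED/REMOVED lines.
diff_manifests() {
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }  # "hash  path"
        mode != "new"      { base[path] = hash; next }       # first file
                           { seen[path] = 1 }                # second file
        !(path in base)    { print "ADDED " path; next }
        base[path] != hash { print "CHANGED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" mode=new "$2" | LC_ALL=C sort
}

# demo: build a small constructed "pristine" tree, baseline it, alter it, compare.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/root/bin" "$work/root/etc"
    printf 'login v1\n' > "$work/root/bin/login"
    printf 'welcome\n'  > "$work/root/etc/motd"
    printf 'exit 0\n'   > "$work/root/etc/rc.local"
    make_manifest "$work/root" > "$work/pristine.sha256"

    printf 'login v1 patched\n' > "$work/root/bin/login"   # modified file
    rm "$work/root/etc/motd"                                # deleted file
    printf 'x\n' > "$work/root/etc/rc.local.bak"            # unexpected file

    make_manifest "$work/root" > "$work/current.sha256"
    diff_manifests "$work/pristine.sha256" "$work/current.sha256"
    rm -rf "$work"
}

demo
```
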

  32. Pingback: Making A Pristine Build Builder | Musings from the Chiefio

  33. AnotherCat says:

    Hi Smith, thanks. I understand now, you don’t give the built in wifi a password, then no way to get out. Or if you set it, you turn physically off the in house wifi router. So no reason, not to buy a board with built in wifi. However, for people who don’t live on their own farm in the prairie, like me right now I have visibility of nine other hot spots in my home, besides my own one and the one that is a virtual one for guests using one of the wifi routers of the biggest telco here (so maybe via mine). Who knows what passwords they have set… And when I moved in not too long ago, there have been 2 unprotected hotspots (which I used often when my cable had a problem..). In Germany I think it is legal again to open/remove the password of your wifi router.

    My initial thought was actually more paranoid as in, I got hacked via ethernet and when I plug out the line there is a chance he/she still gets out via wifi, especially when I am not at the machine and think it is offline. But I admit then I lost already anyway. Now I have another paranoid thought, that actually could it be useful information for a hacker to see what wifi spots are around (once he/she got in)? Maybe to find new targets or to narrow the localisation of machines down? Then again lost already anyway.

    Regarding dns conf, I didn’t know about. So far I keep adding stuff to /etc/hosts. Not long ago after setting up the firewall to block and not just time out, web sites started loading fast in Firefox again, as most side show downloads were blocked immediately. But I don’t know why or what changed, now Firefox happily fires off up to a few hundred requests for the same address till giving up and only then, maybe, showing the main page. Do most of my browsing now via a self scripted textual downloads via wget. What a relief to just read text, or did any of you miss any pictures on chiefio? But then, now I also added to tcp server scripts to listen on 443 and 80 ports to just close the connection with filtered links from etc hosts (analog your squid proxy idea). Now firefox also got mega fast again.

    Regarding China, at least at home that is kept at bay via NAT to get in. Now I mean not on a web browsing but ssh login level (not so on rented web hosting). But I wonder, if your machine is accessible from the internet, indeed I got thousands of ssh try ins from Shenzhen when a new machine was up, but recently being a visitor to China, you can’t access my rented server from there through the Great Firewall. Is like the whole country goes through one distributed Squid proxy, and they can reconfigure it any minute to their liking. So just wondering without any investigation who is and how they do their fishing always out of China.

    Regarding VPN in Russia, I also heard they forbid the Chinese WeChat completely (I didn’t check that thought). Meaning they also don’t trust their commy big brother at all.

    Back to the etc hosts and firewall, yeah, default disable is a full time hobby. Need to setup separate machines as hinted in your newer post and just let all the garbage in on one machine. Biggest problem are the CDN providers, Akamai, CloudThisAndThat. Google and Amazon of course too. Not only is DNS returning a different IP for almost every request, the f$ckers now sometimes use Javascript or server side html generation to forward to ever changing hostnames as well, like which again maps to an ever changing ip. So yes, seems must control this better on the DNS layer.

    Regarding irc, yes, TimeIsLimited. For just lurking, the Devuan support channel has live logs here:

    Oh, and the Arm maintainer’s name is parazyd, in case.

  34. E.M.Smith says:


    Well, that’s a pretty big list of concerns. Let’s see if I can address them.

    I live in the Silicon Valley Microwave Stew Pot. Typically, I’ve got a dozen active WiFi nodes show up in my choices just on the tablet (i.e. not a great antenna…). One, xfinity wifi, seems ubiquitous in the whole valley and at airports I’ve used. It requires you to be an xfinity customer, so despite looking open, it isn’t. It just in the open mode, ask for your xfinity login OR would you like to buy xfinity…

    The number of unsecured WiFi hotspots (really unsecured) in the residential areas has dropped a lot. Mostly, IMHO, since AT&T has been putting pre-locked routers in place as folks upgraded. So, for example, I swapped from DSL to “whatever I have now” and they shoved a new device at me that has the password pre-set. They follow a general naming pattern for the router names so you can easily see when it’s one of theirs. I see a lot of theirs in residential areas.

    Is it really a risk if a hacker uses an open WiFi to get out of your box? Not really. The exposure was to them getting inside in the first place. If you have not kept them out, worry they might “bounce off you” to somewhere else is unimportant. Any hacker (really “system cracker” but common use is obliterating that distinction) who got in, can turn on the things to get back out, and would most likely want to go back out the wire and just use you as a fast indirection node (i.e. “bounce off you to hide their path”). Using WiFi for that exposes their traffic to anyone with AirSNORT and similar and is not a good idea, really.

    IF it really bothers you, you could just put aluminum foil over the antenna of the chip. Some even have a wire you can unplug to attach an external antenna, so just unplug it and not attach an antenna…

    It really is easy to just turn the WiFi off in software and many times you can have a little icon on the top status bar showing it is on/ off.

    Per “seeing the WiFi nodes” as information. Well, that is in fact a real issue. Mostly on Android devices and similar. Folks who care about privacy have turned off things like location sharing and identity sharing. The Commercial Snoops of the world have responded by collecting lists of installed Apps and options and release levels (to create a specific “machine ID fingerprint”) and using the known WiFi hotspots in the kept history to identify a particular machine. As folks wander around, they look at presently available and active hotspots to get a rough location (building the database of all hotspots any of their known GPS location users have passed…) So for an Android or similar device, to be really anonymous and location hidden, you need to regularly flush the known WiFi list (a PITA as you must reenter login info to use it again…) and if NOT actively using it, shut off WiFi so it doesn’t search for new hot spots as you walk around. Oh, and mutate the exact software on the machine from time to time, swap the MAC address sometimes, etc. etc. And folks wonder why I’ve said my next tablet will be home made and running a Linux I control…

    /etc/hosts works, but having a DNS server with dnsmasq gives more control and you can wildcard names. So .ru would map ANY Russian domain name (IIRC the syntax…) It isn’t all that hard to install, or configure, or learn, really. I posted an example config a while back, so search on ‘dnsmasq’ in the search box ought to find it.

    Between pointing your ‘upstream’ DNS server at addblock servers, and crushing a load of sites in DNS via dnsmasq, you can get a lot more speed and privacy. As to the mutating script stuff: That’s harder. But often they are in ranges or it is {FOO.BAR} and you can just nuke with wildcards in dnsmasq. Or 123.456.255.255 in routing blocks. There’s a lot of cool stuff you can do working at the network level and the OS can’t get around it. It depends on the network services.

    The folks hacking from China often map to official locations / organizations. i.e. it is government sponsored. There are some independents who bypass the Great Firewall – but that takes some skill and you are unlikely to find who they are or how they did it.

    So far I’ve mostly used NAT to block anything I have not chosen to connect with, DNS to blacklist sites and blocks of sites, DNS Addblock upstream, and a few manual routes to prevent ANY routing to a place. I’ve played with a squid proxy locally (and used them professionally at client sites where the stakes are higher). Going forward, I may need to move to more than the default AT&T NAT Firewall / interior NAT router 2nd firewall. Putting in place real hard core access lists on my interior firewall router (i.e. a better router – Probably home built on a R.Pi using OpenWRT or similar) and shifting to DNS Whitelists. ONLY places I know I want to go get added to the white list It would mean a lot of stuff would by default break (so things like reading a news page with a link to a story on another site). Thus my move toward dedicated machines and networks. The most interior secure network has its own DNS server with whitelist only. NOT used for general browsing. A dedicated tablet connects to the Telco net with addblock DNS set, but not much else. It gets a ‘reset’ to factory fresh every few months and NEVER connected to the interior network. Don’t know if I’ll really go that far, but we’ll see.

    I need to finish my IDS Intrusion Detection System set-up / configuration first. It’s the essential bit that tells you how much of a problem you have, if any. So now that I’ve got my Pristine Build Builder built (say that 3 times fast ;-) I can set about building out more of my security infrastructure. I’m to a point where I can “flow the bits” from pristine inside to OSs on boards closer to risk and outside in a fairly secure way. So now I need to remake those layers to assure they, too, are Pristine (and then make backup copies and run stats for the IDS to assure their operating systems don’t change…)

    Some stuff that might help:
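
An added example, not E.M.Smith's configuration (which did not survive on this page): it turns a blocklist into dnsmasq `address=/domain/ip` lines, rejecting entries that contain a `/` or other characters that would alter the directive, and models the difference discussed in comments 29 to 34: an `/etc/hosts` entry covers one exact name, while a dnsmasq `address=` domain also covers every subdomain under it. The domains are constructed placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build dnsmasq "address=" lines from a blocklist and model
# how they match, compared with exact-name /etc/hosts entries.

# Constructed blocklist (reserved .example/.test/.invalid names, not real hosts).
sample_blocklist() { cat <<'EOF'
# comment lines and blanks are ignored
ads.example
  Tracker.Example.
.metrics.test

bad/../entry
ads.example
telemetry.invalid   # inline comment
EOF
}

# clean_domain ENTRY -> prints the normalized domain; returns 1 if unusable.
clean_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z' |
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\.//' -e 's/\.$//')
    case $d in
        # empty, characters outside hostname set (incl. "/"), "..", edge hyphens
        ''|*[!a-z0-9.-]*|*..*|-*|*-) return 1 ;;
    esac
    printf '%s\n' "$d"
}

# make_conf SINK_IP < blocklist -> unique, sorted dnsmasq address= lines.
make_conf() {
    sink=${1:-127.0.0.1}
    while IFS= read -r line; do
        dom=$(clean_domain "$line") || continue
        printf 'address=/%s/%s\n' "$dom" "$sink"
    done | LC_ALL=C sort -u
}

# is_blocked NAME CONF -> true if NAME equals a listed domain or sits under it
# (dnsmasq matches on label boundaries, so notads.example is not ads.example).
is_blocked() {
    printf '%s\n' "$2" | awk -F/ -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 == "address=" {
            suffix = "." $2; padded = "." n
            start = length(padded) - length(suffix) + 1
            if (start >= 1 && substr(padded, start) == suffix) hit = 1
        }
        END { exit(hit ? 0 : 1) }'
}

# in_hosts NAME CONF -> true only on an exact name match (/etc/hosts behaviour).
in_hosts() {
    printf '%s\n' "$2" | awk -F/ -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $2 == n { hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# Demo: print the generated lines, then compare the two matching styles.
conf=$(sample_blocklist | make_conf 127.0.0.1)
printf '%s\n' "$conf"
for name in ads.example cdn7.ads.example notads.example; do
    if is_blocked "$name" "$conf"; then dns=blocked; else dns=allowed; fi
    if in_hosts "$name" "$conf"; then hosts=blocked; else hosts=allowed; fi
    echo "$name dnsmasq=$dns hosts-style=$hosts"
done
```
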
