Tai Toh

    Review: Into the Woods Film (2014)

    I want to thank Ben and Sara for taking the kids out to Disney on Ice at the Rogers Centre this past Saturday. It’s been a while since Jen and I spent time together alone and we decided to watch Into the Woods at the Don Mills Cineplex VIP1.

    Now, I’ve seen a stage production of Into the Woods at the Stratford Festival back in 2005 with Jennifer and Jason and enjoyed that particular staging. It stayed very true to the original 1987 Broadway production with Bernadette Peters as the Witch and Joanna Gleason as the Baker’s Wife.

    The Hollywood transfer of the musical was well done.  It enhances some of the setting by providing a luscious backdrop for some of the songs (in particular, “Agony” was over the top — total props to Chris Pine and Billy Magnussen for arguably stealing the show).  However, I feel that it missed its mark somewhat when compared to the musical.

    Ultimately, I think of the original stage production as a meta-fable, where the moral of the story is that there are consequences to your decisions in the real world.  That’s how I saw it at least.  I think the film “misses” by underplaying this.  It doesn’t give it time for this tenet to gestate.  The curse is broken in Act 1 and the Baker’s Wife is magically pregnant–cut to the speech at the castle with the prince and his new wife and begin Act II.  There are small, subtle things in the original staging that imply that the characters are not 100% happy.  The strain on the Baker and his Wife’s relationship with their new son, him shirking his responsibilities, Cinderella’s unhappiness with royal-life–all things that add a bit more tension.  The removal of the Giantess’s exposition, really just made her into a B-Movie monster, whereas in the musical, you get to understand how much she has lost due to Jack’s actions. Agony’s reprisal in the 2nd act underscores Prince Charming’s dalliance with the Baker’s Wife and Sleeping Beauty.  It makes the emotional betrayal that Cinderella feels even more impactful.

    Every decision we make has consequences, both good and bad.  We need to grow up and accept responsibility.  These themes didn’t carry over as well as they did in the musical vs. the film.

    There are a few other small things that didn’t transfer well from the theatre to film.  Much of the dialogue, especially the pauses, did not transfer over at all in the film.  It made some of the more humorous moments just fall flat. There needed to be an audience to play off of.

    That said, some of the changes were very well done.  Anna Kendrick’s scene on the staircase made way more sense as an internal monologue than it did as a conversation with the Baker’s Wife. Agony was over-the-top (but I wish they had done the reprisal performance because the first was so good!). Billy Magnussen showed amazing comedic physicality.  I didn’t miss the elimination of Rapunzel’s storyline all that much.   Chris Pine showed remarkable range, from charming to smarmy–and he can sing too.

    Meryl Streep as the witch did a good turn (especially since she has to go up against the likes of Bernadette Peters, Vanessa Williams, and Donna Murphy).  Although I wonder if they should have gone with Bernadette Peters, who originated the role.

    Overall, I walked out of the theatres with a 7.0/10 rating.  After Jen and I had time to dissect it a bit, it’s definitely a 6.5/10 for me. seems to agree with me as well.

    1. For those who don’t know what VIP is, it’s a luxury, adults only, line of cinemas from Cineplex. It’s nice and at a price premium ($25 a ticket), but you order your food while seated and they bring your order directly to your seats. There is also a lounge area where you can order dinner–so in retrospect, it’s really a 1-stop, movie and dinner experience.

    HP T620 thin client

    [UPDATE – 2014/11/26: Made a few updates on the hardware.] [UPDATE – 2015/12/23: I ended up taking the Wireless N / Bluetooth combo card from the T610 and putting it in the T620]

    I’ve been fascinated with repurposing PC thin clients.  I like them because they are  virtually silent and very energy efficient1.  I’ve used one for pfSense, and another as an XBMC box (now called a Kodi Media Centre). They can be acquired pretty affordably as organizations that have invested in these boxes usually swap them out at a steady pace (2-3 year leases).

    Earlier thin clients were based on more exotic hardware (embedded CPUs from VIA, Cyrix, AMD), but modern clients use embedded SOC versions of mobile x86 CPUs.  We’re talking full-on, dual- and quad-core AMD-based APUs or even full-out Intel Celeron/i3/i5 chips with Intel HD graphics. All this buttoned-up into a custom mini-ITX or mATX form factor with an included DC-to-DC power supply.

    I managed to pick up an HP T620 Plus on eBay for less than $200 CAD. This model was released last year and features an embedded AMD “Kabini” processor (GX-420CA), with 4GB RAM, AMD HD8400 graphics + a FireGL 2270 video card.  It’s powered by a 90W pico PSU with a heat-pipe CPU cooler and a low-RPM fan. The FireGL card can easily be repurposed for better graphics or networking.  It is virtually identical to the AMD A6-5200 and AMD Athlon 5350 in terms of performance and features and about twice as fast as the AMD e350-based HP T610 thin client that I am using for XBMC.  This should be able to transcode a single 1080p stream in realtime.

    A few things to note:

    • Storage is mSATA only. I’ve paired it with a 128 GB Crucial M500 SSD.

    • UPDATE: There is also a M2 NGFF port available.

    • UPDATE: In addition to the 2 x USB3 and 4 x USB2 ports on the back and the front, there are also 2 x USB headers inside for flash storage, Bluetooth, WiFi, etc.

    • The onboard graphics uses 2, full-sized display ports. This particular model came with a working FireGL 2270 card.  Not very useful and I’ve already removed it.

    • If I use the box for pfSense, I’ll add an Intel GigE dual-NIC

    • I might add a Gigabyte GB WB300D WiFi and BT 4.0 card.  See my note above.

    • The onboard GigE port is no longer Broadcom-based. It’s a cheap Realtek controller (RTL8111/8168/8411 rev C)

    • The PCIe expansion bay only accepts low-profile cards. This is a pretty significant difference from the previous version.

    • 2 serial ports + a Parallel port.

    • The second serial port can be rewired to a VGA connector using a 15-pin VGA header cable.  I am fortunate to have a spare that I tried to add to my Watchguard Firebox x550e box.

    • UPDATE: The VGA connector uses a small 16-pin port that I have never seen before.  I haven’t located a cable yet (best I can find is a small 12-pin port VGA header cable).

    Add some storage (this one had a bad mSATA drive) and a display port to HDMI adapter and you have a complete system that is basically the same as an AMD AM1 Athlon 5350 build. For less than $200 CAD, I certainly couldn’t build an off-the-shelf unit for that price.

    The BIOS on these thin clients is very bare-bones.  Don’t expect to overclock the systems as there doesn’t appear to be any means of OC’ing the chips.

    This will most likely replace my newish T610-based XBMC computer.  The great thing is that some parts are interchangeable; I have a spare Bluetooth and WiFi Mini-PCIe adapter from my T610 that I can reuse, for instance.  Not too shabby of a system and I’m excited to put it through its paces as an XBMC client or as a pfSense router with AES-NI support.

    Here is a readout of “lspci”:

    It runs pretty cool at full load, a Prime95 Torture test of all four cores maxed only pushed it to 65˚C (23˚C ambient).

    [UPDATE – 2015/12/23]: Right now, I am using the box as a Zwiftbox.  I upgraded the ram to 12GB and added a R250 video card.  Runs Zwift at an acceptable 15 FPS at 1080p.

    1. 15 to 18 Watts

    reviews the Kobo H2O

    Jordan Shapiro writes 3 Reasons Why Kobo’s Aura H20 is the Perfect Luxury E-Reader:

     Kobo is the quiet Kindle competitor–the underdog in the eReader market. They released their most recent premium eReader at the beginning of October. I’ve been reading on the Aura H2O ever since. I sometimes use my Kindle Paperwhite when I have to read an eBook I bought from Amazon, but I prefer the Aura H20.

    I believe this is the first product to have inspired thoughts about French philosophers and epistemological constructs.

    Probably won’t be the last.

    Hats off to the team for building the best luxury eReader on the market.

    Feature Pruning: When and how to kill a product or feature?

    Kobo hosted the November 5th, ProductTO MeetUp.  I facilitated a session on “When and how to kill a product / feature?”

    The sessions went well.  It was nice to participate in the larger community for once–it’s something that Kobo has never been good at, but I’m going to make it a priority for 2014 to host these types of events in the future or at least participate at a personal level.

    I often approach feature pruning from the sense of operational expense.  Old features that are not used, or no longer relevant have a cost associated to them:

    • They take up space in the UI. Make the UI more confusing because you have to move it around or add hierarchy.
    • Code quality is reduced. Often times, old features use old programming paradigms.
    • They add weight to the code that you need to carry forward with each release.  You feel that as SDKs update or through regression testing.

    It makes the code in the product more brittle.

    The same can be said at a macro-level with the company’s product portfolio.

    I kind of want to write my own “Spring Cleaning” blog for Kobo; similar to how Google announces it.

    However, it takes effort to gracefully remove and prune items.  Effort that could be used to add new and innovative features.  There is also a downside for some of our customers, most likely a minority, who rely on the specific feature that we deprecate.  How do you handle the collateral damage when everyone has a Twitter or Facebook account?

    The response that I get internally at Kobo is about 50%.  Now, 100% of the people understand what I am saying, but only 50% respond positively with outright support.  The other 50% are reluctant to accept my approach.

    One of the learnings from the session that I facilitated is that I should change my approach. Rather than a subtractive discussion, make it about “additive value”. Spin it up in a positive light by saying that removing this feature or product will allow us to focus on this specific functionality that we know is extremely valuable.

    I’m going to give that a try.

    Setup pfSense as an OpenVPN client for specific devices


    [UPDATE – 20141101 – Based on trying to help a redditor with troubleshooting, I actually tried this out on my backup router.  I’ve updated the post.] [UPDATE – 20141103 – Added a note for those using pfSense 2.2 Betas.  There is a bug that prevents this from working.]

    Note: This How-To is meant for pfSense 2.1.x. For those using 2.2 Beta, there is a bug that prevents this from working.  Read about it here in the pfSense forum thread, “cannot NAT trough OPT1 interface on multiwan.”  The bug has been filed in redmine and at the time of this writing, it has been fixed for IPv4 traffic.

    One of the most powerful features of pfSense is its ability to direct your data requests through different end-points using NAT rules. In my case, I like to be able to access the content in Netflix US. In comparison, Netflix Canada’s content is somewhat anemic, although we do get such gems as Community and the Good Wife here. There are many ways to access Netflix US content (and BBC iPlayer content) outside of the geo-fence territories.  I prefer to use a Virtual Private Network (VPN). pfSense is amazing as an OpenVPN client because I can selectively route any device on my network through the VPN service (i.e., my tablets and TV go through US servers, while my smartphone, VoIP, computers go through my local ISP).

    There are other reasons for using a VPN:

    • Anonymize your traffic to defeat deep-packet inspection used by ISPs to throttle your data.
    • Secure your browsing / network sessions while on a public network (e.g., Coffee Shop’s Wifi).
    • Have your originating IP address  appear to be from anywhere. This is especially useful if you need to do online banking overseas.
    • Access the internet through a consistent Static IP address.
    • Unblock sites that are geo-fenced (like Netflix US or

    In this particular case, I am using the VPN to tunnel my Internet traffic through to a server located in the United States. This VPN server acts as a “proxy” or “end-point” for all my HTTP requests. For websites on the receiving-end of my requests, I appear to be in the country where the VPN server resides (in this case the US). I prefer VPNs because I can visit other sites (not necessarily just Netflix USA) and see the local experience on both my desktop and devices. OpenVPN provides the most secure means of doing this.  The provider that I’ve chosen is StrongVPN (although I use others) as they have:

    • Dedicated, statically-assigned IP-address (when connecting over OpenVPN)
    • A proven track record of not overselling
    • Apps for all major platforms

    Things that StrongVPN does NOT offer:

    One of the reasons I prefer a consistent, statically assigned IP address, is that I can guarantee access to specific servers and what not through IP Whitelisting. Although, that’s another topic.

    I like using pfSense because I can set it as an OpenVPN client and use the router to offload the encryption handling (currently an upgraded Watchguard x550e). By setting up the OpenVPN client as a gateway, I effectively negate the load on the device connecting to the Internet through the VPN. Having it at the router level also means I can share the connection with multiple devices connected to my wireless or wired network.  Having a 2.0 GHz Pentium-M based router means I can easily max out my 45/4 Mbps cable connection when going through the VPN1.

    I can also use NAT-based rules to select which devices use the VPN connection and which bypass the VPN altogether and access the Internet through the default WAN provided by my ISP.  For instance, my VoIP ATA connects directly because I don’t want to add latency to the connection by going through StrongVPN’s server in NYC.

    NOTE: This probably works with IPSec, PPTP and L2TP, but YMMV.

    How To

    Get a VPN account, select a fast server, and download the OpenVPN configuration file

    1. Setup an account with StrongVPN (or any other VPN provider).
    2. Select an appropriate package based on your location.  Most VPN packages usually offer a discounted package for an annual-fee (best value).  Ensure that it has the locations that you are interested in and that the package offers OpenVPN support.
    3. Sign into StrongVPN and use their tools to select a server in the country that you would like to route your data through.  They have speed tests that I found were useful.
    4. Go to the “Setup Instructions page” > “Manual Setup – All other devices” and download the OpenVPN config file (for PC and Mac)
    5. Open the vpn-inXXX_ovpnXXX_account.ovpn in a text editor.  You’ll use this data to setup the connection in pfSense.

    What is this *.ovpn file?

    I won’t get into the technicals of public key encryption and what a certificate authority is and what certificates do.

    The *.ovpn file is a configuration file. It is divided into 5 sections:

    1. IP addresses for the VPN server that you want to connect to and the default UDP ports required.
    2. A list of configuration flags that you will use to optimize the connection in pfSense.
    3. The certificate for your Certificate Authority (CA).  It begins with <ca> and ends with </ca>. It looks something like this:
    4. You’ll have another section that contains your private.key. It starts with <key> and ends with </key>. It looks like this:
    5. You’ll then have your VPN certificate.  It’s defined by the <cert> </cert> tags.
    6. Finally, you’ll have your OpenVPN Static Key.  It starts with <tls-auth> and ends with </tls-auth>.

    Enter your Certificates into pfSense

    NOTE: I am using pfSense 2.1.5.

    You’ll need to add your Certificate Authority, OpenVPN certificate and private key data into pfSense.  It’s just copy and pasting.

    1. Go to “System” > “Cert Manager”
    2. You will see three tabs:
      1. CAs
      2. Certificates
      3. Certificate Revocation
    3. In the CAs tab, click the “+” icon to add a new certificate Authority
      1. Provide a name like “<VPN PROVIDER> CA”
      2. Copy and paste the <ca> section from the .ovpn file. NOTE: do NOT include the <CA> and </CA> tags.
      3. It should look like this:
    4. Click “Save”.
    5. Go to the “Certificates” Tab and click the “+” icon to add your VPN certificate and private key.
      1. Provide a name like “<VPN PROVIDER> CERT”
      2. Copy and paste the <cert> section from the .ovpn file into the “Certificate data” text box. NOTE: do NOT include the <cert> and </cert> tags.
      3. Copy and paste the <key> section from the .ovpn file into the “Private key data” text box. NOTE: do NOT include the <key> and </key> tags.
      4. It should look like this:
    6. Click “Save”.
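The copy-and-paste steps above can be checked before anything reaches the Cert Manager. This is an added example, not code from the original post or from pfSense: it splits an .ovpn file into its directive lines and inline blocks with the tags stripped, and confirms each block carries the PEM header that matches the field it is destined for. The sample file, its placeholder bodies, the host name and the `GUI_FIELDS` set are assumptions.

```python
import re

# Constructed sample in the layout the post describes. The PEM bodies are
# placeholders, not real key material; the host name is an example value.
SAMPLE_OVPN = """\
client
remote vpn.example.net 4672 udp
dev tun
cipher AES-128-CBC
# directives below end up in the "advanced configuration" box
tun-mtu 1500
fragment 1390
mssfix 1390
key-direction 1
comp-lzo yes
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCA
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEY
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERT
-----END CERTIFICATE-----
</cert>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDERSTATICKEY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# PEM label each inline block must carry before it is pasted into pfSense.
EXPECTED = {
    "ca": ("CERTIFICATE",),
    "cert": ("CERTIFICATE",),
    "key": ("PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"),
    "tls-auth": ("OpenVPN Static key V1",),
}
# Assumption: these directives are entered through dedicated GUI fields, so
# they are left out of the advanced box. Adjust for your provider.
GUI_FIELDS = {"client", "remote", "proto", "dev", "cipher"}

BLOCK_RE = re.compile(
    r"<(?P<tag>[a-z-]+)>[ \t]*\n(?P<body>.*?)\n[ \t]*</(?P=tag)>", re.S | re.I
)
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\n.+\n-----END (?P=label)-----", re.S
)


def parse_ovpn(text):
    """Split an .ovpn file into (directives, {tag: body without the tags})."""
    text = text.replace("\r\n", "\n")
    blocks = {m["tag"].lower(): m["body"].strip() for m in BLOCK_RE.finditer(text)}
    directives = [
        line.strip()
        for line in BLOCK_RE.sub("", text).splitlines()
        if line.strip() and not line.strip().startswith(("#", ";"))
    ]
    return directives, blocks


def pem_label(body):
    """Return the PEM label of a block body, or None if it is not PEM-framed."""
    lines = [
        l.strip() for l in body.splitlines()
        if l.strip() and not l.lstrip().startswith("#")
    ]
    m = PEM_RE.fullmatch("\n".join(lines))
    return m["label"] if m else None


def check_blocks(blocks):
    """List blocks that are missing or would land in the wrong pfSense field."""
    problems = []
    for tag, allowed in EXPECTED.items():
        if tag not in blocks:
            problems.append(f"{tag}: block missing")
            continue
        label = pem_label(blocks[tag])
        if label not in allowed:
            problems.append(f"{tag}: expected {' or '.join(allowed)}, found {label}")
    return problems


def advanced_options(directives):
    """Join the remaining directives in the semicolon form the post uses."""
    keep = [d for d in directives if d.split()[0] not in GUI_FIELDS]
    return "".join(d + ";" for d in keep)


if __name__ == "__main__":
    directives, blocks = parse_ovpn(SAMPLE_OVPN)
    print(check_blocks(blocks) or "all four blocks look right")
    print(advanced_options(directives))
```

The `<key>` and `<tls-auth>` blocks are secrets, so run a check like this on the machine that already holds the file rather than pasting the file into an online tool.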

    Configure your OpenVPN Client

    You’ll need to configure pfSense to act as the OpenVPN client.

    1. Go to “VPN” > “OpenVPN”
    2. You’ll see 4 tabs:
      1. Server – Makes your pfSense router into a server.
      2. Client – connect your router to an OpenVPN server. <– You want this tab
      3. Client Specific Overrides – Allows you to set special directives that change the behaviour of the client you are connected to.  For instance, you can force the OpenVPN client to send out Google DNS servers.
      4. Wizards – Helpful step-by-step tutorial to set things up.
    3. Click the “Client” tab
    4. Click the “+” icon to add a new client.
    5. You’ll be required to enter your static key and use the details from sections 1 and 2 from the .ovpn file to configure it.  Use the image below as a guide.
      1. NOTE: This is very specific to StrongVPN.  You will need to experiment with the settings given to you by your VPN provider.
      2. You’ll need to copy your OpenVPN Static Key into the TLS Authentication text box. Note: remember to leave out the <tls-auth> and </tls-auth> tags.
      3. Strong VPN offers several Ports to connect with. I specify the first, port 4672, type UDP.
      4. In the “Peer Certificate Authority” dropdown, select the “<VPN PROVIDER> CA” certificate authority you made above.
      5. In the “Client Certificate” dropdown, select the “<VPN PROVIDER> Cert” you made.
      6. Set the Encryption Algorithm based on the option available to you in the .ovpn file.
      7. Depending on your hardware, you should select whether you have hardware crypto acceleration (e.g., Via Nano, AMD Geode, Hifn, or AES-NI capable CPU).
      8. In the advanced configuration text box, you’ll enter the items from section 2 of the .ovpn file. Experiment with what works.  You’ll see errors in the log files if an attribute doesn’t work. This is what I use:

        verb 4;tun-mtu 1500;fragment 1390;mssfix 1390;keysize 128;key-direction 1;redirect-gateway def1;persist-tun;persist-key;route-delay 2;explicit-exit-notify 2;comp-lzo yes;

    6. Provide a name and click “Save”.

    Check your VPN logs now!

    You’ll want to see if you can successfully connect with your service provider through the system logs.

    1. Go to “Status” > “System Logs”
    2. Select the “OpenVPN” Tab
    3. Verify that you have successfully connected. Specifically you want to see, “Initialization Sequence Completed”.

    If you don’t see it, it means you are not connected.  Check your configuration again. Use the log to look for errors.  These are probably flags in your advanced settings. Double check that you pasted in the right TLS Authentication key.
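The log check above, written as a small triage routine. This is an added example, not part of the original post: it reads OpenVPN client log lines oldest-first (an assumption about how the log was exported), treats a restart after “Initialization Sequence Completed” as not connected, and maps common OpenVPN error messages to the two causes the post names. The sample lines are constructed.

```python
import re

# Constructed log lines in syslog style. The message texts are standard
# OpenVPN client messages; timestamps and PID are made up.
SAMPLE_LOG = [
    "Nov  1 10:00:01 openvpn[4242]: Initialization Sequence Completed",
    "Nov  1 10:05:12 openvpn[4242]: SIGUSR1[soft,ping-restart] received, process restarting",
    "Nov  1 10:05:20 openvpn[4242]: Authenticate/Decrypt packet error: packet HMAC authentication failed",
    "Nov  1 10:06:20 openvpn[4242]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Nov  1 10:06:20 openvpn[4242]: TLS Error: TLS handshake failed",
]

UP = "Initialization Sequence Completed"
DOWN = re.compile(r"process (restarting|exiting)")

# (finding, pattern) pairs, checked in this order for every line.
CAUSES = [
    ("bad-option", re.compile(r"Options error:")),
    ("tls-auth-mismatch", re.compile(r"packet HMAC authentication failed")),
    ("no-handshake", re.compile(r"TLS key negotiation failed|TLS handshake failed")),
]

ADVICE = {
    "bad-option": "A flag in the advanced configuration box was rejected.",
    "tls-auth-mismatch": "The TLS Authentication key or key-direction does not match the server.",
    "no-handshake": "No TLS handshake: check server address, port/protocol and the TLS Authentication key.",
}


def triage(lines):
    """Return (connected, findings) for log lines given oldest-first.

    connected reflects the state after the last line, so a stale
    'Initialization Sequence Completed' followed by a restart counts as down.
    findings lists each cause once, in order of first appearance, and is
    reset whenever the tunnel comes up.
    """
    connected = False
    findings = []
    for line in lines:
        if UP in line:
            connected = True
            findings = []          # earlier errors were resolved
        elif DOWN.search(line):
            connected = False
        else:
            for name, pattern in CAUSES:
                if pattern.search(line) and name not in findings:
                    findings.append(name)
    return connected, findings


if __name__ == "__main__":
    up, findings = triage(SAMPLE_LOG)
    print("connected" if up else "NOT connected")
    for name in findings:
        print(f"- {name}: {ADVICE[name]}")
```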

    Time to set up our OpenVPN gateway interface

    If you’ve gotten this far, congratulations.  Now all you need to do is set up pfSense to route traffic through the dedicated VPN tunnel we’ve just created.  What we’re going to do is set up the tunnel as a gateway interface and then route traffic based on IP address using firewall rules.

    1. Go to “Interfaces” > “(assign)”.
    2. Click the “+” icon and add a new interface. It will be called “OPT1” if you don’t already have it.
    3. In the “Network Port” dropdown, select  “ovpnc1 <VPN PROVIDER>”.  This is a virtual network port for you to send data through.
    4. Now change the name of OPT1 into something more useful.
      1. Click the “OPT1” hyperlink on the left side.
      2. Provide a descriptive name.
      3. Click “Save”
    5. It should look like this:

    TROUBLE SHOOTING: Verify that you have working gateways

    When I tried configuring a spare box, I ran into trouble getting this tutorial to work on a fresh install of

    Verify that you are getting an IP address in the pfSense homepage.

    1. Click the pfSense logo in the top, left-hand corner.
    2. Verify that you have an IP Address for your VPN.
    3. If no, go to “Status” > “Services”
    4. Restart the OpenVPN service by clicking the stop button, waiting, and then the play button.

    Verify that your gateways are available in “System” > “Routing”

    1. Go to “System” > “Routing”
    2. In the “Gateway” tab, you should see 4 gateways:
      1. WAN IPv4 with an XXX.XXX.XXX.XXX IP Address
      2. WAN IPv6 with a hexadecimal IP Address
      3. StrongVPN IPv4 with a ZZZ.ZZZ.ZZZ.ZZZ IP Address
      4. StrongVPN IPv6 with either “dynamic” or a hexadecimal IP Address

    It should look like this:

    If no IP addresses are there, open the StrongVPN entries, scroll down and click “Save”.  That seemed to restart it for me.

    Set your Outbound NAT rules to Manual Generation

    You will need to know the IP address of the device you are using.  I set up static mappings for my own devices, but it’s not really necessary because most home networks don’t really need this.

    1. Go to “Firewall” > “NAT”.
    2. Select the “Outbound” tab.
    3. Select the “Manual Outbound NAT Rule Generation (AON)” radio button.
    4. Click “Save”
    5. You’ll see a list of interfaces that look like the picture below:

    TROUBLE SHOOTING: Only 3 entries for Outbound NAT rules, not 6

    You should see 6 entries (like above) when you set your system to “Manual Outbound NAT rule generation”.  However, when I tried doing this for a fresh install of 2.1.5, I was only given 3 NAT entries for WAN.2  Since your VPN is another gateway, you should have an additional 3 (as depicted above).  If you don’t see them, verify that the gateway is there with an IP address by going to “System” > “Routing”.

    If the gateway is there, then you need to create the proper WAN rules.

    1. Make a copy of the first WAN rule that says, “Auto created rule for ISAKMP – LAN to WAN”, by clicking the “+” button beside it.
    2. In the “Interface” dropdown, select “<VPN PROVIDER>”.
    3. Change the name to “Auto created rule for ISAKMP – LAN to <VPN NAME>”
    4. Repeat this for the next 2 WAN rules.
    5. Position the rules as seen in the image above.

    You want to duplicate all the rules so that the VPN has proper NAT directions.

    Create firewall rules for your devices

    You’ll need to create rules for StrongVPN and OpenVPN tabs under “Firewall” > “Rules”.  After that all you need to do is specify the IPs of which devices you want to send through the VPN. The last rule you create is a blanket rule that directs all other non-specific devices through WAN (rather than the VPN).

    Note: I am making an assumption that most traffic goes through your ISP and not your VPN.

    1. Go to “Firewall” > “Rules”.
    2. Select the “<VPN PROVIDER>” tab
    3. Click the “+” icon to add a new rule.
    4. Create a “Pass” action for all IPV4 traffic through the “<VPN Provider>” Interface.
    5. It should look like this:
    6. Click “Save”
    7. Click “Apply Changes”
    8. Select the “OpenVPN” tab.
    9. Create a “Pass” action for all IPv4 traffic through the “OpenVPN” Interface.
    10. In the “Advanced features” > “Gateway” dropdown,  select your “<VPN Provider>”.
    11. It should look like this:
    12. Provide a descriptive name and click “Save”
    13. Click “Apply Changes”.

    Now it’s time to select your devices.  You’ll need to know their IP address.

    1. Go to “Firewall” > “Rules”.
    2. Select the “Lan” tab.
    3. Click the “+” icon to add a rule.
    4. Create a “Pass” action for the device
      1. Set “Action” dropdown to “Pass”
      2. Set Interface to “LAN”
      3. TCP/IP Version to “IPv4”
      4. Protocol to “Any”
      5. Source: Set to “Single host or alias” and provide the IP address or “alias name”
      6. Provide a descriptive Name
      7. In “Advanced features” > “Gateway”, select the gateway you want to use:
        1. “WAN” for your ISP, or
        2. “VPN” to route traffic through OpenVPN.
      8. Click “Save”
    5. It should look like this:
    6. Click “Apply All”

    Repeat for any device (Tablet, SmartTV, XBox, Hackintosh etc.)

    Create a rule for non-specific devices

    Finally, the last rule that you need to make tells all other devices in your LAN to use the default WAN.

    1. Go to “Firewall” > “Rules”.
    2. Select the “Lan” tab.
    3. Click the “+” icon to add a rule.
    4. Create a “Pass” action for the device
      1. Set “Action” dropdown to “Pass”
      2. Set Interface to “LAN”
      3. TCP/IP Version to “IPv4”
      4. Protocol to “Any”
      5. Source: Set type to “LAN Net”
      6. Provide a descriptive Name like “DEFAULT REST OF LAN TO WAN”
      7. In “Advanced features” > “Gateway”, select the “WAN_DHCP – XXX.XXX.XXX.XXX”
    5. Click “Save”
    6. It should look like this:
    7. Click “Apply All”

    Ensuring rules are applied in the proper order

    In order to ensure that the rules are applied in the proper order, you’ll need to move the items up and down the list in the “LAN” tab under the “Firewall > Rules” section of pfSense.

    Make sure that all the rules are above the line in red. Device-specific overrides go at the top, with the rule for non-specific devices as the last rule above the red line.

    Use this image to help out:

    Make sure to apply the changes and let the firewall rules process.
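Why the order matters, as an added example that is not part of the original post: rules on an interface tab are evaluated top-down and the first match decides, so a LAN-wide rule placed above the device rules silently sends those devices out through the ISP instead of the VPN. The model below matches on source address only, as the rules in this how-to do; the addresses and rule names are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: a 192.168.1.0/24 LAN with two devices sent to the VPN.
LAN = "192.168.1.0/24"
GOOD_ORDER = [
    # (rule name, source, gateway)
    ("Tablet via VPN", "192.168.1.50/32", "VPN"),
    ("TV via VPN", "192.168.1.51/32", "VPN"),
    ("DEFAULT REST OF LAN TO WAN", LAN, "WAN"),
]
# Same rules, but the blanket rule was left at the top of the list.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


def gateway_for(rules, src):
    """Gateway chosen for a source IP: the first matching rule decides.

    Returns None when no pass rule matches (the traffic is not passed).
    """
    addr = ip_address(src)
    for _name, source, gateway in rules:
        if addr in ip_network(source):
            return gateway
    return None


def shadowed(rules):
    """Rules that can never match because an earlier rule covers their source.

    Each entry is (rule, covering rule, gateway_differs). gateway_differs is
    True when the device leaves through a different gateway than its own rule
    asks for, which is the case to fix first.
    """
    dead = []
    for i, (name, source, gateway) in enumerate(rules):
        net = ip_network(source)
        for prev_name, prev_source, prev_gateway in rules[:i]:
            if net.subnet_of(ip_network(prev_source)):
                dead.append((name, prev_name, prev_gateway != gateway))
                break
    return dead


if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, "order: tablet leaves via", gateway_for(rules, "192.168.1.50"))
        for name, by, differs in shadowed(rules):
            print(f"  '{name}' is never reached (covered by '{by}')",
                  "- wrong gateway" if differs else "")
```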

    You can verify your external IP address by visiting StrongVPN’s website and looking at the IP and country of origin.

    Hope you found this useful.

    NOTE: FWIW, I think you could accomplish this through VLANs.


    1. Provided by
    2. I suspect it is because my VPN gateways were not registered yet. 

    What it boils down to is the fact that one technology is designed for the users (Apple) and the other is designed for the merchants (CurrentC). Normally I’d say that the product with the most user appeal will win but the power and size behind the CurrentC group is too big to ignore. People aren’t reliant on mobile payments at this point so stopping Apple Pay out of the gate is a strong move as almost nobody will miss it.

    CurrentC requires an app, password and QR Code to be scanned.  It works for pre-paid, cash accounts.  This is a solution to a business problem (lower transaction fees, better customer tracking) that is being touted as addressing a customer need.  People like using their credit cards.  The US economy (and Canada to a lesser extent) are built on easy access to credit.  They’ll be shocked to find out that people don’t have positive balances in their bank accounts.

    I’m not even sure if the CurrentC group of retailers (really big retailers with over 110,000 storefronts in North America) are even serious about deploying it.  It strikes me as a competitive wedge to negotiate lower transaction fees with Credit Card companies. They are probably also using it to extract better terms (customer info) from Apple and Google with their competing wallet technologies.

    Apple Pay: Addressing a customer problem

    I think one thing that people don’t understand about Apple is that they are really trying to solve customer problems.  

    A lot of people think that Apple is about selling more hardware, creating lust for their products, but deep down, I feel that they are trying to address real problems and pain points for their customers.

    It’s remarkably simple, but often times, the tension between business needs and customer needs leads to a blurred product vision.  I’ve seen multiple instances where innovation often led to more internal friction and customer confusion than addressing a real need for the customer.

    That said, a lot of it comes through in execution. Kobo has learned this the hard way; Apple too with their initial maps rollout.  It’s tough when you are required to move fast and the bar for MVP gets higher and higher each month.

    Take Apple Pay for instance.  I think it’s genius.  Apple is making payment inherently easier, more accessible, and more secure. While some would argue that it is no easier than using Tap-to-pay, I think it will be a boon for those with physical or visual disabilities.  Moreover, for someone like my mom, who only recently learned to use her debit card, it is way easier to demonstrate and teach.  These are palpable problems.  Apple is sweating the details.

    Things like CVS and Rite Aid disabling their NFC terminals to prevent people using Apple Pay is ludicrous.  I get that retailers don’t like credit cards because of the high exchange fees, but they have an excellent opportunity to work with Apple and change that.  If anybody has enough sway to negotiate on fees, it will be Apple.

    Apple Pay has the opportunity to address eCommerce as much as physical retail commerce too.  It addresses the biggest issue today with eCommerce on mobile/tablets–difficult text input. Don’t be surprised if you see Apple Pay and TouchID being used as single-factor and 2-factor authentication over the Web.  Moreover, I wonder if you’ll see this in their computing hardware.  Imagine the return of the power button on their laptops, but rather than just showing the shutdown prompt, it also acts as a TouchID sensor?  Fingerprint scanners have been available for more than a decade, but now there is finally a framework that makes them useful outside of unlocking your computer.

    HP T610 thin client: low-powered, low-cost XBMC box

    [UPDATE 2015/06/26]: I ended up buying an HP T620 for my XBMC box.  The T610 here is now my pfSense router firewall with a dual Intel Gigabit NIC.

    I’ve been looking for something to replace the aging Asus O!Play HDP-R1.  

    While the media player still plays all my content, the usability is absolutely atrocious.  It also doesn’t stream Netflix.  Options included getting a Mac Mini for Plex or taking a look at XBMC, which also has the advantage of being a live TV front-end for my HDhomerun and OTA system.

    I’ve fooled around with XBMC for a bit and I still find the usability not to my liking, but it is much better than the O!Play.

    Now that Netflix has gone HTML5 Video and provides Linux support on Chrome, it started to feel that XBMC was a viable alternative. Getting some ROMs and emulators going seemed intriguing for me as well.

    I had planned to use my ESXi whitebox (AMD FX8350) to host XBMC and wire it from the basement to my TV. [1]  Unfortunately, fishing the cable proved more difficult and I was unwilling to make new holes in the ceiling of the basement, so I started looking for low power, stand-alone alternatives to host XBMC.

    Since I’m always looking at esoteric hardware, I was steered naturally to thin clients.

    Enter the HP T610 Flexible Thin Client

    Modern HP Thin clients are proving remarkably viable for this use case (although, as you’ll see below, I do have some reservations).

    Older HP Thin clients, like the Atom N280-based T5740, require a Broadcom CrystalHD BCM970015 add-in card to sufficiently process 1080p video.  However, the latest version of KODI “Helix” v14 (they changed their name from XBMC) has since dropped support for the CrystalHD, so I felt that this route wasn’t an ideal way to go. [2]  Since most modern graphics cards (GPUs) can natively decode HD video, looking for something that supported HD out of the box was a requirement.

    Specs for the HP T610 flexible thin client

    I picked up a used HP T610 Flexible Plus thin client from eBay for about $250 CAD shipping and taxes included.

    The T610 is based on AMD’s Brazos architecture.  It uses the G-T56N, a dual-core 1.65 GHz CPU w/ integrated HD 6320 GPU.  The G-T56N is part of AMD’s embedded line of Fusion APUs.  It is equivalent to their Zacate line of chips.  In fact, it shares the same specs as the AMD E-350 mobile processor. [3]  These chips were meant to compete with the Intel Atom D510 and D525 line.  They provide slightly better performance on the processing side w/ a very large performance gain on the graphics.

    System features
      Processor: AMD Dual-Core T56N APU with Radeon HD 6320 Graphics, 1.65 GHz
      Operating system installed: Windows Embedded Standard 7
      Environmental: Low halogen
      Browser supported: Microsoft Internet Explorer 9
      Standard memory: 4 GB 1600 MHz DDR3 SDRAM; 16 GB Flash (SATA DOM)
      Graphic card: AMD Radeon HD 6320 integrated; AMD FirePro 2270 PCIe Video Card with 4 monitors support

    Communication features
      Wireless: 802.11 a/b/g/n (Broadcom)
      Network interface: 10/100/1000 (Broadcom)

    Expansion features
      I/O ports:
        1 DVI
        1 Full-sized Display port (w/ Audio passthrough)
        2 USB 3.0
        4 USB 2.0
        1 audio in
        1 microphone in
        1 headphone/line stereo output
        1 RJ-45
        2 PS/2 (keyboard & mouse)
        2 DB9 serial
        1 Parallel Port

    Media devices
      Audio: Internal amplified speaker, 1/8-inch mini jack, full 16-bit stereo, 44-kHz sample rate, 1/8-inch mini jack microphone

    Dimensions and Weight
      Product weight: 1.55 kg (with stand)
      Dimensions (W x D x H): 22 x 4 x 25.1 cm (with stand)

    The model that I got is pretty unique (C9K57UA#ABA) in that it is the “Plus” size version with the 4x PCIe riser and additional 4-way display card. [4]  I bought this because I figured I could always repurpose the thin client to make another pfSense router.  The performance should be on par with an Intel Atom setup.

    Some unique things about the board:

    • Dual SATA ports – They overlap each other at right angles.  You can reasonably mount a full drive in one, but you’d need some sort of mSATA-to-SATA converter for the lower.  If you are handy, you can route cabling inside for a full drive.
    • 2 x USB3 ports – Nice to have.
    • 2 x DB9 Serial ports –  ?
    • 1 x 25-pin Parallel port – WTF?  Who needs that anymore?
    • 1 x PATA / IDE connector – Probably for an MLC NAND Flash Disk on Module (DOM)

    Given that this is an embedded chip (soldered on), some of the features of the board are probably geared towards industrial use.

    The system comes pre-installed with Windows Embedded 7 Standard. It’s a stripped down version of Windows 7, but is only 32-bit.  Thus, you don’t get full use of the 4GB of memory that is available.  You can download a 64-bit version of Windows 8.0 from HP’s website.  The device will self-activate.  I chose not to meddle with the OS on the flash drive.  I basically unlocked the drive from write-protect mode and updated the PC with the latest AMD Catalyst drivers and added XBMC “Gotham” v13.2.  It ran pretty well using the built-in video card, but really struggled with some file formats that couldn’t be hardware accelerated at 1080p in Windows (things encoded with ffmpeg?). Even with hardware decoding, I was still seeing 65-85% CPU use. I also couldn’t get the system stable at all.  Memtest86 found no errors, but running Prime95 would fail almost immediately. I suspected that this is Windows 7 Embedded not playing well.

    Fortunately, I had a few spare video cards lying around and was able to add an old AMD HD 6450 card to the expanded chassis (fanless, supports all the hardware decoding and HDMI audio passthrough necessary). This card also does the de-interlacing necessary for any LiveTV setup in the future.

    I also took the time to install XBMCBuntu over the Windows 7 Embedded solution.  It flies with the new video card. Seeing 15-35% CPU utilization now when decoding 1080p.

    Running at a solid 18W bursting to 30W.

    Foiled by my TV

    Up until then, I was working with the box connected to my computer LCD. Unfortunately, my old HDTV (an LG DLP with no HDMI) wouldn’t recognize the device.  Not yet at least.

    I shouted expletives at my TV.

    So my experiment will probably mean a much larger purchase in the near future.

    Final thoughts. Was it worth it?

    I’ve been thinking about this for a while.  While I’m able to get acceptable performance from the T610, it’s not without compromise (additional AMD HD6450 card).

    Coincidentally, Kevin also bought a similar thin PC, the Lenovo Q190, the same week I ordered the thin client.  There is a very large discussion thread about the Lenovo Q190 — people basically call it the best HTPC for XBMC on the market right now. As of the time of this writing, it is still selling for $291 at w/ free shipping.

    In hindsight, while I’m able to get acceptable performance off the thin client (there are many people who still use the E-350 as a platform for XBMC today), I’d go with the Lenovo hands down (even with the $100 savings buying the thin client used).  There are also more affordable routes to XBMC, like the multitude of cheap quad-core ARM/MAUI-based media players around.

    Given that I can’t use the XBMC system until I solve the compatibility issues with my HDTV, I’ll probably give pfSense a run on it.

    1. It sits unused in my basement. 
    2. There is an ongoing discussion for supporting the decoder chip via Sam Nazarko’s OSMC derivative. So we might see support in future versions of KODI (there are a lot of Apple TVs that use this chip). 
    3. You can find much more information on the E-350 mobile line of processors. 
    4. Previous thin clients by HP, like the 5720 through to the 5740, had add-on chassis extenders, which can be purchased at very little cost on eBay.  However, it’s important to note that HP now uses separate model SKUs for this, so if you want to add an additional PCIe card, you need to get the “T610 Plus” version. 

    Happy Anniversary

    Jen and I celebrated our 8-year anniversary this past Tuesday at a wonderful dinner at L’Avenue, a neighborhood restaurant.

    My wife wrote a very heartfelt post about the love that we share between each other and the relative value of that love to our two kids.  Given that I was involved in the conversation, I feel pretty much the same way:

    While my heart is also filled with my love for our children, it is frankly a much simpler and less nuanced love at this point in time. Yes, they amaze me and fill me with wonder and joy, and I couldn’t imagine life without them. It boggles the mind to grasp that they really are creations that you and I made, and I’m proud to see the results of our parenting helping them turn into wonderful little human beings. Our love for them and them for us is unconditional…clear, simple.

    One of the things that I am amazed at to this day is how eye-to-eye we see things.  I think of our relationship as “seamless but effortful”; always growing and evolving.  I can think of no one else I’d rather do this with.




    Pixels & Widgets

    A blog by Tai Toh