
AFL streaming radio from Linux

| Posted in Personal |


This is a big sarcastic thanks to AFL and Telstra for building the AFL web site in such a way that it only really works properly in Windows.

Being in London, I want to listen to the Geelong games over the streaming radio, but in Linux (and probably Mac), Silverlight just won’t cut it – and the radio fails to load with an error.

I did some digging around, and worked out the URL for the streaming radio, which you can then plug into MPlayer to obtain the ASX stream:

mplayer -user-agent "NSPlayer/11.08.0005.0000" http://lon-cdn220-is-1.se.bptvlive.ngcdn.telstra.com/online-radio-afl_12

The code on the end is the stream ID. These are the station codes I’ve managed to work out:

  • ABC774: 2
  • 5AA Adelaide: 3
  • 6PR Perth: 4
  • 3AW Melbourne: 5
  • National Indigenous Radio Service: 6
  • Gold FM Gold Coast: 7
  • Triple M Sydney: 11
  • Triple M Melbourne: 12
  • Triple M Brisbane: 13
  • Triple M Adelaide: 14
  • K-Rock Geelong: 15

I hope this proves useful to someone else.

UPDATE:

For Mac OSX, install MPlayer OSX Extended from http://www.mplayerosx.ch/#downloads.

Then, for the command line bit, just open up the Terminal application from the Utilities folder, and use this full path to find the mplayer binary:

/Applications/MPlayer\ OSX\ Extended.app/Contents/Resources/Binaries/mpextended.mpBinaries/Contents/mpextended-mt.mpBinaries/Contents/MacOS/mplayer -user-agent "NSPlayer/11.08.0005.0000" http://lon-cdn220-is-1.se.bptvlive.ngcdn.telstra.com/online-radio-afl_12

New Tram Hunter web site

| Posted in Personal |


I’ve been slowly doing some bits and pieces for a new Tram Hunter web site. I would now like to announce the new site at http://tramhunter.andybotting.com/.

Since v0.5 of Tram Hunter, we’ve included an option to send anonymous usage statistics to a server I have running on Google’s App Engine. My main aim was to generate some heat maps, based on the location of tram stop requests.

You can now see the final version of the heat map, which is generated nightly, from the latest 1000 requests. It turns out to be quite interesting to look at.

I’m also using the Google Chart API to generate some nice pie charts showing some other info like handset model, Android version and mobile networks.

In other Tram Hunter news, the latest stats from the Android Market show 5687 total installs, with 4293 active installs (75%). We also have a 4.85 rating out of 5, with 255 comments. The comments are all really positive, so it definitely makes development worthwhile.

I’ve created a new Twitter account for Tram Hunter, so for the latest updates, follow @tram_hunter.

Using the Yubikey for two-factor authentication on Linux

| Posted in Personal |


The Yubikey is a nice little device. It’s quite simple in design and operation.

The key actually emulates a USB keyboard, which makes it instantly usable on any modern OS. You just press the button on the key to generate a one-time-password (OTP) to validate you. The method works by typing in your password, but before hitting the return key, you press the Yubikey button to finish it off. At the end of the OTP generation, it sends a carriage return itself.

The OTP is then sent to a validation server, either hosted by Yubico themselves, or you can host your own.

I’m going to walk through how you can set up the infrastructure for doing two-factor authentication on Debian. In my specific case, the requirement was two-factor with an Active Directory username/password combination and the Yubikey as the second factor.

Unfortunately, the documentation from Yubico is quite average. To top it off, they insist on using multiple Google Code project sites for hosting their software.

This would normally be fine, but in this case, they have a Google Code project for every single little piece of code. Much of the documentation I found relates to older projects which are not supported by Yubico. This makes working out exactly what you need difficult. Within the Google Code project sites, documentation often runs in circles between projects.

In this document, I’ll look at using PAM to authenticate against the Yubico auth servers first. Once that’s working, I’ll move onto flashing the Yubikey with a new key and using our own Validation System.

NOTE: These are just some rough notes I put together. You should definitely read the Yubico documentation for this to really make sense.

Authenticating with the Yubikey with PAM

Get some dependencies

apt-get install libpam-dev libcurl4-openssl-dev libpam-radius-auth

Make ourselves a source directory

mkdir ~/yubikey; cd ~/yubikey

Get the current tarball of libyubikey, and install it

wget http://yubico-c.googlecode.com/files/libyubikey-1.5.tar.gz
tar xf libyubikey-1.5.tar.gz
cd libyubikey-1.5
./configure
make check install

Get the current tarball of the Yubico C client, and install it

wget http://yubico-c-client.googlecode.com/files/ykclient-2.3.tar.gz
tar -xf ykclient-2.3.tar.gz
cd ykclient-2.3
./configure
make
make install

Get the current tarball of the Yubico PAM module, and install it

wget http://yubico-pam.googlecode.com/files/pam_yubico-2.3.tar.gz
tar -xf pam_yubico-2.3.tar.gz
cd pam_yubico-2.3
./configure
make
make install

You should end up with your Yubico PAM module ‘/usr/local/lib/security/pam_yubico.so’

We’ll refer to this in our PAM config /etc/pam.d/openvpn

#
# /etc/pam.d/openvpn - OpenVPN pam configuration
#
# We fall back to the system default in /etc/pam.d/common-*
#
auth required /usr/local/lib/security/pam_yubico.so id=1 debug authfile=/etc/yubikeyid
auth required pam_radius_auth.so no_warn try_first_pass
@include common-account
@include common-password
@include common-session

This configuration will tell PAM to hit the Yubico module first. This splits apart your password field into your password and OTP. The OTP is validated against the Validation Servers, and the password is then passed onto the next module. This configuration will use the Yubico auth servers to check your token.

Once you have a working config, we’ll move to setting up our own Validation Servers. We’ll need to specify the URL for that in this config later on.

In this case, we’re also using RADIUS. This could be LDAP if you had an LDAP server available. You should be able to use the standard UNIX credentials (/etc/passwd, /etc/shadow) also.

The other important piece to note here is the authfile, /etc/yubikeyid

This file lists the mapping between username and the fixed part of your Yubikey. This is the first 12 chars of the Yubikey OTP (e.g. when you press the button)

abotting:vvcnrdkvevtj

FreeRADIUS authenticating against Active Directory 2008.

I banged my head against a wall for a while on this one. The trick is that you need at least FreeRADIUS 2.1.6 for AD authentication to work properly.

Add Debian backports to your /etc/apt/sources.list

deb http://www.backports.org/debian lenny-backports main contrib non-free

Import the backports key

wget -O - http://backports.org/debian/archive.key | apt-key add -

Update and install the new freeradius

apt-get update
apt-get -t lenny-backports install freeradius freeradius-ldap

In your radiusd.conf

ldap {
    # Define the LDAP server and the base domain name
    server = "ad.yourcompany.com"
    basedn = "dc=ad, dc=yourcompany, dc=com"

    # Active Directory doesn't allow for Anonymous Binding
    identity = "ldap_bind_user@ad.yourcompany.com"
    password = password

    password_attribute = "userPassword"
    filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=Users,DC=ad,DC=yourcompany,DC=com))"

    # This fixes Active Directory 2008 access
    chase_referrals = yes
    rebind = yes

    # The following are RADIUS defaults
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

In our FreeRADIUS client file /etc/freeradius/clients.conf:

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    nastype = other
}

Use radtest to test our RADIUS is authenticating properly

radtest <username> <password> localhost 1 testing123

Should return Accept.

Set the address and shared secret of the radius server in /etc/pam_radius_auth.conf. The password of testing123 was defined in our RADIUS client config.

# server[:port] shared_secret   timeout (s)
127.0.0.1       testing123      1

OpenVPN has an issue with PAM loading the Yubikey module, so we have to LD_PRELOAD the PAM library before starting OpenVPN.

export LD_PRELOAD=/lib/libpam.so.0.81.12; openvpn --config openvpn.conf

For a permanent fix, at the end of the start_vpn function in /etc/init.d/openvpn, just before the $DAEMON line:

    export LD_PRELOAD=/lib/libpam.so.0.81.12
    $DAEMON $OPTARGS --writepid /var/run/openvpn.$NAME.pid \
        $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
        --config $CONFIG_DIR/$NAME.conf || STATUS=1

Change the path of /lib/libpam.so.0.81.12 to suit your own system.

I won’t go into the OpenVPN configuration, except that for PAM authentication you need these options in your server config:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
username-as-common-name
ns-cert-type server
client-cert-not-required

Personalising your Yubikey

To host your own Yubikey validation system, you require the secret AES key of your Yubikey. In the past, Yubico could provide this to you. Now, you’re required to flash your Yubikey yourself which will generate a new AES key.

Yubico provide a personalisation tool for Linux, Mac and Windows. If you’re on Windows, you get a nice little GUI. For Linux and Mac, you have a CLI based tool. It’s worth having a look at the ‘Personalization Tool’ page at: http://www.yubico.com/developers/personalization/

Installing the Personalisation Tool

Install some dependencies:

apt-get install libusb-1.0.0-dev

Grab the latest Personalisation Tool tarball from: http://code.google.com/p/yubikey-personalization/

cd ~/yubikey
wget http://yubico-c.googlecode.com/files/libyubikey-1.5.tar.gz

Extract, build and install libyubikey

tar xf libyubikey-1.5.tar.gz
cd libyubikey-1.5
./configure
make
make install

You’ll need to provide a UID value for flashing your Yubikey. It needs to be 6 characters, and in hexadecimal. You can use this command to generate one for you.

dd if=/dev/urandom bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
74657374696e

You must provide the public name (fixed) parameter in modhex format. The modhex format is a special encoding used to ensure characters sent by the key are always correctly interpreted whatever keyboard layout you use.

You also need to generate yourself a public name for your key. This is known as the ‘fixed’ part, and it’ll be the first 16 chars when you generate your OTP. This will identify your key from anybody else’s.

dd if=/dev/urandom of=/dev/stdout count=100 2>/dev/null | xargs -0 modhex | cut -c 1-10 | awk '{print "vv" $1}'
vvcnrdkvevtj

This command generates some random text, does a modhex operation, grabs the first 10 chars, then adds ‘vv’ to the front to make it up to 12.
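As an added example (not code from the original post or from pam_yubico), this Python sketch decodes modhex and reproduces the split described in the PAM section: the OTP is cut off the end of the password field, and its fixed part is checked against the user's entry in the authfile. It assumes a 12-character fixed part followed by 32 modhex characters; the helper names and the sample OTP are constructed.

```python
# Added example. Helper names and sample values are illustrative (constructed),
# not taken from pam_yubico.

MODHEX = "cbdefghijklnrtuv"   # position i in this alphabet stands for hex digit i
HEX = "0123456789abcdef"
PUBLIC_ID_LEN = 12            # length of the fixed part used on this page
OTP_LEN = PUBLIC_ID_LEN + 32  # assumption: 16 encrypted bytes = 32 modhex chars


def modhex_decode(text):
    """Return the bytes a modhex string stands for; ValueError if it is not modhex."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string: %r" % text)
    return bytes.fromhex(text.translate(str.maketrans(MODHEX, HEX)))


def modhex_encode(data):
    """Encode bytes as modhex (the inverse of modhex_decode)."""
    return data.hex().translate(str.maketrans(HEX, MODHEX))


def split_credential(field):
    """Split what the user typed (password, then the key's OTP) into its parts."""
    if len(field) < OTP_LEN:
        raise ValueError("input too short to contain an OTP")
    password, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    modhex_decode(otp)        # rejects anything that is not a well-formed OTP
    return password, otp[:PUBLIC_ID_LEN], otp


def load_authfile(text):
    """Parse 'user:publicid[:publicid...]' lines into {user: set(public ids)}."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, _, ids = line.partition(":")
        tokens = [t for t in ids.split(":") if t]
        if not user or not tokens:
            raise ValueError("line %d: expected user:publicid" % lineno)
        for token in tokens:
            if len(token) != PUBLIC_ID_LEN:
                raise ValueError("line %d: public id must be %d chars"
                                 % (lineno, PUBLIC_ID_LEN))
            modhex_decode(token)
        mapping.setdefault(user, set()).update(tokens)
    return mapping


def token_allowed(mapping, user, field):
    """True only if the OTP in `field` comes from a key mapped to `user`."""
    try:
        _, public_id, _ = split_credential(field)
    except ValueError:
        return False
    return public_id in mapping.get(user, set())


# Constructed sample data: the page's public id plus 16 placeholder bytes.
SAMPLE_OTP = "vvcnrdkvevtj" + modhex_encode(bytes(range(16)))
SAMPLE_AUTHFILE = "abotting:vvcnrdkvevtj\n"

if __name__ == "__main__":
    users = load_authfile(SAMPLE_AUTHFILE)
    print(modhex_decode("vvcnrdkvevtj").hex())
    print(split_credential("hunter2" + SAMPLE_OTP))
    print(token_allowed(users, "abotting", "hunter2" + SAMPLE_OTP))
    print(token_allowed(users, "someoneelse", "hunter2" + SAMPLE_OTP))
```

A key that is valid on the validation server but mapped to a different user is refused at this step, which is why the authfile matters as much as the OTP check itself.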

You’ll be prompted for a passphrase on your AES key. I leave mine blank, but if you do set one, don’t ever lose it. I believe it’ll stop you from re-personalising your Yubikey.

ykpersonalize -ouid=74657374696e -ofixed=vvcnrdkvevtj
Firmware version 2.1.2 Touch level 1793 Program sequence 1
Passphrase to create AES key:
Configuration data to be written to key configuration 1:
fixed: m:vvcnrdkvevtj
uid: h:74657374696e
key: h:fcaad309a20ne1809c2db2f7f0e8d6ea
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:

Commit? (y/n) [n]: y

Save this information, as we’ll need it later.

Setting up your own YubiKey OTP Validation Server

You need to install two things: The Key Storage Module and the Yubico Validation Server. The Key Storage Module (KSM) holds the secret AES key of your Yubikey token, while the Validation Server does the OTP check against the KSM.

In their 2.0 architecture, you can have multiple KSMs and Validation Servers which work together for redundancy.

KSM Installation

Make a working directory, and get the KSM package

mkdir ~/yubikey && cd ~/yubikey
wget http://yubikey-ksm.googlecode.com/files/yubikey-ksm-1.3.tgz
tar xfz yubikey-ksm-1.3.tgz

Install the KSM files

cd yubikey-ksm-1.3
make install

Install Apache2 and PHP

Install Apache2, PHP and MySQL

apt-get install apache2 php5 php5-mcrypt php5-curl mysql-server php5-mysql libdbd-mysql-perl

Create the ykksm database

echo "CREATE DATABASE ykksm;" | mysql -u root -p

Import the DB schema

mysql -u root -p ykksm < /usr/share/doc/ykksm/ykksm-db.sql

Set up some MySQL permissions

CREATE USER 'ykksmreader'@'localhost';
GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost';
SET PASSWORD FOR 'ykksmreader'@'localhost' = PASSWORD('hYea3Inb');

CREATE USER 'ykksmimporter'@'localhost';
GRANT INSERT ON ykksm.yubikeys TO 'ykksmimporter'@'localhost';
SET PASSWORD FOR 'ykksmimporter'@'localhost' = PASSWORD('ikSab29');

FLUSH PRIVILEGES;

Include path configuration

Set the include path by creating a file /etc/php5/conf.d/ykksm.ini

cat > /etc/php5/conf.d/ykksm.ini << EOF
include_path = "/etc/ykksm:/usr/share/ykksm"
EOF

Make a web server symlink

make -f /usr/share/doc/ykksm/ykksm.mk symlink

Set your configuration settings in /etc/ykksm/ykksm-config.php

<?php
  $db_dsn      = "mysql:dbname=ykksm;host=127.0.0.1";
  $db_username = "ykksmreader";
  $db_password = "hYea3Inb";  // must match the password set for ykksmreader in MySQL
  $db_options  = array();
  $logfacility = LOG_LOCAL0;
?>

Restart Apache2

/etc/init.d/apache2 restart

Test the KSM Server

Try this URL:

curl 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
ERR Unknown yubikey

It should return ‘ERR Unknown yubikey’ until we have imported our Yubikey into the database.

Install the Yubico Validation Server

The latest version, and documentation can be found at: http://code.google.com/p/yubikey-val-server-php/

Installation

Go to our working source directory, and grab the package

cd ~/yubikey
wget http://yubikey-val-server-php.googlecode.com/files/yubikey-val-2.4.tgz

Extract, build and install the server

tar -zxf yubikey-val-2.4.tgz
cd yubikey-val-2.4
make install

Create the ykval database and import the schema

echo 'create database ykval' | mysql -u root -p
mysql -u root -p ykval < /usr/share/doc/ykval/ykval-db.sql

Install the symlink

make symlink

Include path configuration

cat > /etc/default/ykval-queue << EOF
DAEMON_ARGS="/etc/ykval:/usr/share/ykval"
EOF

Create a htaccess file: /var/www/wsapi/2.0/.htaccess

RewriteEngine on
RewriteRule ^([^/\.\?]+)(\?.*)?$ $1.php$2 [L]
php_value include_path ".:/etc/ykval:/usr/share/ykval"

Symlink the htaccess file

cd /var/www/wsapi; ln -s 2.0/.htaccess /var/www/wsapi/.htaccess

Copy the template config file for the Validation Server

cp /etc/ykval/ykval-config.php-template /etc/ykval/ykval-config.php

Edit the file and configure settings in /etc/ykval/ykval-config.php

<?php

  # For the validation interface.
  $baseParams = array ();
  $baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1";
  $baseParams['__YKVAL_DB_USER__'] = 'ykvalverifier';
  $baseParams['__YKVAL_DB_PW__'] = 'password';
  $baseParams['__YKVAL_DB_OPTIONS__'] = array();

  # For the validation server sync
  $baseParams['__YKVAL_SYNC_POOL__'] = array("http://localhost/wsapi/2.0/sync");

  # An array of IP addresses allowed to issue sync requests
  # NOTE: You must use IP addresses here.
  $baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array("127.0.0.1");

  # Specify how often the sync daemon awakens
  $baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;

  # Specify how long the sync daemon will wait for response
  $baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;

  # Specify how old entries in the database should be considered aborted attempts
  $baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;

  # These are settings for the validation server.
  $baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
  $baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
  $baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 60;
  $baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;

  // otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
  // CLIENT.  The URLs must be fully qualified, i.e., contain the OTP
  // itself.
  function otp2ksmurls ($otp, $client) {
    return array("http://localhost/wsapi/decrypt?otp=$otp",);
  }
?>

In the above configuration, we’re only expecting to use one Validation Server and one KSM. If you’re planning on having multiple Validation servers and KSM’s, then you’ll be including the other Validation Servers in the SYNC_POOL, and your KSM’s in the URLs at the bottom, returned by the otp2ksmurls function.

Enable the mod_rewrite

a2enmod rewrite

Create the ykval database user

CREATE USER 'ykvalverifier'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON `ykval`.* TO 'ykvalverifier'@'localhost';

Fix some privileges on our config file

chgrp www-data /etc/ykval/ykval-config.php

The Sync Daemon uses the PEAR module System_Daemon so you need to install it:

apt-get install php-pear
pear install System_Daemon-0.9.2

Install the init.d script

ykval-queue install
update-rc.d -f ykval-queue defaults

Start the daemon

/etc/init.d/ykval-queue start

Testing

Use CURL to test our server is working

curl 'http://localhost/wsapi/verify?id=1&otp=vvcnrdkvevtefjbrjnlnldnhcujvddbikngjrtgh'

It should return something like this:

h=aPCQ4kWJilDgriyEii3j8J8lfuY=
t=2009-04-27T19:08:51Z0100
status=NO_SUCH_CLIENT

Once we import our Yubikey into the database, we should get a nice ‘status=OK’ message.

Importing your keys into the KSM server

Refer back to the output from personalising your Yubikey. You’ll need the fixed part (referred to as publicname in the DB), internal name (UID) and our AES key.

This is an entry for our newly personalised Yubikey.

USE ykksm;
INSERT INTO `yubikeys` (`serialnr`, `publicname`, `created`, `internalname`, `aeskey`, `lockcode`, `creator`, `active`, `hardware`)
VALUES (101209, 'vvcnrdkvevtj', '2010-05-07 15:18:40', '74657374696e', 'fcaad309a20ne1809c2db2f7f0e8d6ea', '000000000000', '', 1, 1);

This entry is required for our systems to authenticate against the Validation server. I’m not exactly sure about this, as the documentation is somewhat bare. I think you need an administrator-type person’s key details in here. The important part is the ID. This value corresponds to the ‘id=’ value in our CURL requests and in our PAM config.

USE ykval;
INSERT INTO `clients`
(`id`, `active`, `created`, `secret`, `email`, `notes`, `otp`)
VALUES
(1, 1, 1, 'fcaad309a20ne1809c2db2f7f0e8d6ea', 'your@email.addr', 'Any text your want', 'vvcnrdkvevterfbtelvnvkkueenecrlfnlhdjetrhgnk');

We’ll hit our new Validation Server to make sure it’s working

curl "http://localhost/wsapi/2.0/verify?id=1&nonce=askjdnvajsndjkasndvjsnad&otp=vvcnrdkvevtjkreuvvlhtubjecbrticjneckgrigkck"

It should return something like this:

h=KLEb3gOJ4KqQaCVbh8cEvXjH50U=
t=2010-05-20T11:24:53Z0051
otp=vvvcnrdkvevtjkreuvvlhtubjecbrticjneckgrigkck
nonce=askjdnvajsndjkasndvjsnad
sl=100
status=OK

In this URL, we’ve added the ‘nonce’ parameter. This is just a test to make sure the v2.0 API is working. ‘status=OK’ means it’s all good! If you get ‘NOT_ENOUGH_ANSWERS’, it means it has trouble trying to sync with other Validation Servers.
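As an added example (not from the original post or from Yubico's code), this Python sketch shows what a client holding the client's API key can check before trusting ‘status=OK’: the h= signature, and that the otp and nonce echoed back are the ones it sent. It assumes the validation protocol 2.0 rule of HMAC-SHA1 over the sorted key=value pairs with a base64-encoded API key; the key, OTP, and helper names are constructed, and build_response stands in for the server so the example runs offline.

```python
import base64
import hashlib
import hmac


def parse_response(body):
    """Turn the 'key=value' lines of a verify response into a dict."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")   # values such as h= contain '=' too
        if not sep or key in fields:
            raise ValueError("malformed response line: %r" % line)
        fields[key] = value
    return fields


def signature(fields, api_key_b64):
    """HMAC-SHA1 over the sorted key=value pairs (without h), base64 encoded."""
    key = base64.b64decode(api_key_b64)
    message = "&".join("%s=%s" % (k, fields[k]) for k in sorted(fields) if k != "h")
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def check_response(body, api_key_b64, sent_otp, sent_nonce):
    """Return the status to act on; anything other than 'OK' means deny."""
    try:
        fields = parse_response(body)
    except ValueError:
        return "MALFORMED"
    expected = signature(fields, api_key_b64)
    if not hmac.compare_digest(fields.get("h", "").encode(), expected.encode()):
        return "BAD_SIGNATURE"
    # A correctly signed answer to some other request must not be accepted.
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return "MISMATCH"
    return fields.get("status", "MALFORMED")


def build_response(status, otp, nonce, api_key_b64):
    """Stand-in for the server side so the example runs offline (constructed)."""
    fields = {"t": "2010-05-20T11:24:53Z0051", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = signature(fields, api_key_b64)
    order = ("h", "t", "otp", "nonce", "sl", "status")
    return "\n".join("%s=%s" % (k, fields[k]) for k in order)


# Constructed values: not a real API key and not a real OTP.
API_KEY = base64.b64encode(b"constructed-example-key").decode("ascii")
OTP = "vvcnrdkvevtj" + "c" * 32
NONCE = "askjdnvajsndjkasndvjsnad"

GOOD = build_response("OK", OTP, NONCE, API_KEY)
REPLAYED = build_response("REPLAYED_OTP", OTP, NONCE, API_KEY)
# Same response with the status line rewritten in transit.
FORGED = REPLAYED.replace("status=REPLAYED_OTP", "status=OK")

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("replayed", REPLAYED), ("forged", FORGED)):
        print(name, check_response(body, API_KEY, OTP, NONCE))
```

The PAM lines on this page pass id=1 without a client key and use a plain http URL, so a response rewritten on the network, like FORGED here, would not be caught by a signature check.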

We’ll get PAM using our new Validation Servers for auth

/etc/pam.d/openvpn

auth required /usr/local/lib/security/pam_yubico.so id=1 authfile=/etc/yubikeyid url=http://10.68.130.198/wsapi/verify?id=%d&otp=%s debug

If you watch /var/log/auth.log, you should see the PAM module spitting out some debugging information which may be useful. It also logs your plain-text password while the debug option is on, so make sure you remove debug from the PAM line once everything works.

Problems

If you see an error like this:

PAM unable to dlopen(/lib/security/pam_yubico.so): /lib/security/pam_yubico.so: undefined symbol: pam_set_data

you’ll need the LD_PRELOAD trick from above. Something to do with dlopening the PAM module I believe.

Adobe has issued a DMCA removal request for rtmpdump

| Posted in Personal |


It seems that Adobe, after issuing a press release claiming they would be opening up the RTMP protocol in the ‘first half of 2009’, have issued a DMCA take down request for an open source implementation of the protocol, RTMPdump. The SourceForge project site for RTMPdump now shows ‘Invalid Project’.

This is going to mean it’s going to become much harder to get RTMPdump for downloading copies of ABC’s iView files, which I previously posted about. This might also have interesting consequences for XBMC and Boxee which both include this code for supporting streaming media from BBC’s iPlayer.

This is pretty disappointing from Adobe, especially after claiming they would be in the process of opening up the protocol.

Using libvirt with Xen on Debian Lenny

| Posted in Personal |


So it seems that my CentOS 5 Dom0 wasn’t stable. When building new virtual machines, the machine would hang and I’d have to go back into the machine room to reboot it.

I have suspicions that it was due to the 3ware 8006 RAID controller, but instead of messing around with that, I’ve installed Debian Lenny as the Dom0 (using kernel 2.6.26 as opposed to kernel 2.6.18 with CentOS).

With this machine, I wanted to find the best way to support both Debian and CentOS machines, using a common method of installation. There seem to be two main ways to accomplish this.

You could use the (older) Debian route and use xen-create-image from xen-tools, which does a bootstrap of the OS on the filesystem, or use the newer virt-install from libvirt, to do an actual OS install. Libvirt seems like it’s the preferred method these days, with many of the distros now using it for managing virtual machines using Xen, KVM or QEMU.

Using xen-create-image for Debian virtual machines has worked for me for a long time, but trying to use it for CentOS failed. The machine built, but I believe there were some packages missing from the install. I really didn’t want to have to mess around with the package lists, so I tried to use both xen-create-image for Debian and virt-install for CentOS. One problem with this is that virt-install doesn’t install the Xen config files into /etc/xen like the other tools do. Instead, it manages its own list, and contacts Xen directly using a Unix socket.

This would make management a pain, because you would have to use xm create <domain> to start a Debian VM, but then use virsh start <domain> for CentOS. I needed something simpler.

Then I discovered that Debian Lenny now has para-virtualisation support built into the Debian Installer.

This means that I could use virt-install to build Debian Lenny virtual machines, using the actual Debian installer.

With a quick install of the libvirt packages in the Debian Lenny’s repository:

apt-get install libvirt-bin virtinst

You’ve got all the libvirt stuff you need. Then, to create a Debian virtual machine using virt-install:

virt-install \
--name=debian-test \
--ram=512 \
--file-size=8 \
--nographics \
--paravirt \
--file=/var/lib/xen/images/debian-test.img \
--location=http://mirrors.uwa.edu.au/debian/dists/lenny/main/installer-i386

The important part is that last line. You can actually just throw a path to the install images of a Debian mirror, and virt-install is smart enough to boot a new VM from that. This then begins a Debian install, identical to what you would use on a standard machine. This also gives you full access to use the nice virt-manager. You can install virt-manager by doing:

apt-get install virt-manager

virt-manager

virt-manager running on a Debian Lenny Dom0

So I just need to remember now that if I want to start a VM, I need to use virsh start <domain>

Although, once started, you can use the standard xm tools.

So finally, I have reached open-source para-virtualisation nirvana. Now if only Debian did Kickstart…

Thailand Trip (part 4)

| Posted in Personal |


Once we realised how much Stable lodge was really costing us, we upgraded our accommodation for the four nights we had in Bangkok. We booked a serviced apartment at Citadines in Sukhumvit 8, just down the road from Stable Lodge.


Messy bed at Citadines

We booked it on Wotif and it cost us a little bit more than what Stable Lodge was. It was totally worth it for the comfortable bed alone, especially after sleeping on really hard and really soft beds at the other places.


Nice TV at Citadines

Somehow we ended up with four nights in Bangkok, which was way too much. If you’re going to Thailand, only spend a few days in Bangers at a maximum. It’s just not that exciting. It’s too similar to Melbourne really. Trains, shopping centers, etc.

We checked out the massive MBK shopping center and the King Power duty free place too. If you see King Power anywhere.. avoid it. Don’t waste your time, it’s fancy stuff that is way overpriced.

The last night in Bangkok, we found out about the semi-permanent beer gardens that get set up outside the CentralWorld shopping center. The beer garden for the Thai beer Singha, must have had some association with the Japanese beer Asahi, which just happens to be my favourite beer. So, you can imagine my excitement to find out they were serving it there.


The Asahi tower

Bek and I polished off a tower of Asahi. The tower is a 3 litre tube full of beer with a column of ice down the middle to keep it cold and a tap on the bottom to pour. It was awesome. I thought about how good it would be to do a similar thing in Melbourne, but I realised that it just wouldn’t work because it would get abused. People would be getting smashed and then smashing each other (like going to any pub in the city these days). The Thai people don’t drink that much and are very passive. It’s nice to walk around at any time and feel totally safe.


All gone

We had trouble getting a taxi to the airport when it was time to leave. The guy at the hotel mentioned something about a bomb, but we didn’t know anything else. Finally a taxi arrived who was willing to take us. This guy was crazy. He had this strange twitch in his seat while he was driving. He was doing 130 km/h down the freeway, which had 80 signs. Weaving through traffic and flashing his lights at anyone slowing him down. We also didn’t have any seat belts.

Closer to the airport, we started seeing lots of people in yellow shirts with plastic hand clappers. I had no idea who they were until later. They were protesters heading towards the airport to shut it down.


Protester convoy

We managed to get most of the way to the airport before traffic stopped moving. Bek and I had to put our backpacks on and walk the last km to the terminal. It was pretty exciting actually. We were so lucky to get our flight, because not long after, the protesters stormed the terminal and all flights got shut down. It must have been only an hour or two after we left.

Their aim was to stop their prime minister from getting into the country, from Peru where the APEC summit was held. It seems they don’t like him very much… and it’s a long story.

A nine hour flight and we touched down in Melbourne. First stop, the Classic Curry Company :)

All the photos have been uploaded to my Google Picasa account.

Thailand Trip (part 3)

| Posted in Personal |


We were planning on catching the overnight train from Bangkok to Chiang Mai, but at the train station, they said they didn’t have any first class tickets available, so we flew instead. This meant waiting at the airport in Bangkok for a few hours, but it meant we got to Chiang Mai much sooner.

Bek had found a rave review of a boutique hotel from The Age which sounded pretty good. The place was called Banilah and it’s in the north-west part of the city.


Bek standing outside Banilah

This worked out well, because most of the westerners stayed on the east side of the city, so I think we got more of a feel for what Chiang Mai is really about. The young ladies who run the hotel were awesome. They gave us a map when we got there and highlighted lots of things on it we should look at. I also asked them about a good restaurant to eat at for Thai food. If you’re in Chiang Mai, you have to eat at Cafe de Nimman. It was awesome.

We did lots of walking around in Chiang Mai. Bek had an upset stomach, so we had to tone it down a little, but we managed to see lots of the city.


The Tanin fresh food market

The funny thing about the people in Thailand is that they don’t walk anywhere. We occasionally found it difficult to get around because there were so many motorbikes zooming around and the lack of footpaths. Shop owners often put their wares right to the road side, so it doesn’t leave much room for walking. Also, to add to this, stopping for red lights at pedestrian crossings seems to be optional. It does make life interesting.


Busy Chiang Mai road

If you go to Chiang Mai and you want to get around, here’s a tip. Some blue tuk-tuks have an affiliation with the TAT and will drive you for an hour for 30 baht. I think they may operate during the day only, but I’m not sure. You always ask before you get in anyway.


Look out for the blue tuk-tuk’s

Cruising around in a tuk-tuk is a lot of fun. I could have just paid a guy 200 baht to just drive me around all day.


Riding around in a tuk-tuk

After five nights, we got ourselves a tuk-tuk to the airport to fly to Bangkok again for the final part of our trip.

Thailand Trip (part 2)

| Posted in Personal, Uncategorized |


Got a taxi from Stable Lodge to Bangkok airport early in the morning to fly to Surat Thani. Surat Thani airport reminds me a lot of Avalon Airport. Pretty small and smells funny. Once we grabbed our bags, there was a guy selling tickets to Ko Samui. Perfect.


Air Asia plane at Surat Thani

We jumped on the bus and it took us to the Sea Trans ferry at Don Sak. We got off the bus and onto the ferry for about an hour and a half. Once we arrived at Na Thon port at Ko Samui, we got our bags off the bus and got a mini bus to the bungalow, except the guy must have mistaken me, and dropped us off at the Beach House, not Beer’s House. Simple mistake. Once we worked out where we were, we jumped on a ute with a roof, which finally got us to Beer’s house.

Beer’s house was awesome. We had a bungalow right on the beach. For the few days we were staying in Ko Samui, the weather held out. Just before and just after, Ko Samui had rain and thunderstorms, so we were pretty lucky.

Beer’s House Beach-front bungalow

Ko Samui is an interesting place. Like the rest of Thailand, the roads are full of motorbikes, doing crazy stuff. We did lots of walking around, but mainly around the Lamai beach area which is on the west side of the island. The way the trip worked out, we only stayed there a few days. I could have easily spent much more time there.

Sunday morning we left early to make our way up to Chiang Mai. We organised our trip to the Surat Thani airport with a travel agency, which might have cost us a little more, but it did make it easy. Although Bek and I had this feeling that something would go wrong and we’d miss our flight, it seemed to work out fine in the end.

A mini-bus picked us up at 6:30am from Beer’s House and took us to Na Thon port.
We were told to get on a bus at Na Thon port, which was crammed full. People were standing in the aisle. Nobody had any idea what was going on, we just were fed small bits of English which gave us an uncomfortable feeling.

We took the bus 15 minutes to the Raja Ferry pier. Bek had read lots of bad things about the Raja ferry, so when she saw the sign, she began to get really nervous. Not to mention she also gets sea sick. She’d heard stories about the ferries running aground and other dodgy acts.


Boarding the Raja ferry

We were told to get off the bus, and get onto the ferry. We were also told to leave our bags on there, which made us a little nervous. The ferry ride was fine, so that was a relief. We got back on the bus at Don Sak and travelled about an hour to the town of Surat Thani.

In the middle of nowhere, we had to get off the bus and get into a different one. We then traveled a bit further and had to get out again. This time it was a little shed, which was some sort of bus terminal. We got in a mini-van with a few other people from there on our way to Surat Thani airport.

Meanwhile, I had brought my Nokia Internet Tablet with me and my external GPS. I had pre-downloaded all the Google Maps tiles so I could track where we were going. It was really handy, because we got lost a couple of times. I was following where the guy was taking us for a while, and he was going in a totally different direction to the airport. I was getting a bit nervous, but he eventually turned the van around. He was taking a short-cut :)

One interesting moment was when we were overtaking a truck. We weren’t going that fast and there was a car coming towards us in the other direction but it seems there was time for another car to overtake us at the same time. Thailand drivers are nuts.

We checked in to our Air Asia flight with plenty of time. We flew from Surat Thani to Bangkok airport but had to wait 5 and a half hours to then board another Air Asia flight to Chiang Mai.

Back from Thailand.. only a few dramas

| Posted in Personal |


As you may have heard, protests have been going on in Bangkok recently. It seems to be about the Thai people wanting their prime minister to resign.

We finally got a taxi from our hotel to the airport, after many taxis refused to take us. The guy who did end up taking us was a bit crazy, and he was going 130 km/h down the 80 km/h freeway and our seatbelts didn’t work.

Protesters were stopping traffic a few kilometers from the airport. Traffic was crawling from there towards the airport, with people wearing yellow shirts yelling and going crazy.

We managed to almost make it all the way to the airport, but we had to get out and walk the last bit, which wasn’t too bad. News says that the airport was closed shortly after, so we were probably lucky.

The Age has an article: Protesters storm Bangkok airport which might give some insight about what is going on in Bangkok right now.

I’ve got more to write about our holiday, but that might have to come tomorrow.

Thailand trip (part one)

| Posted in Personal |


Bek and I managed to score some really cheap JetStar flights to Bangkok six months ago in a 2 for 1 deal. In the end we paid about $400 each for our return tickets, so we’ve had six months to look forward to this trip.

The flight was about normal. It started with JetStar being late to open bag check-in and delays before boarding the flight. During the flight we had the token screaming baby and annoying Americans behind us, not to mention, the in-flight entertainment system was broken. I think this is probably deliberate, to get more people to hire their Video-on-demand systems which cost extra. I came fully prepared with an iPod loaded with new movies which helped a little with the 9 hour flight.

The first thing you notice in Thailand is the humidity as soon as you get out of the airport. It wasn’t overpowering, probably because it was 8pm and a coolish day, by Bangkok’s standards. Bek had done her research, and knew exactly what we needed to do once we got off the plane. We had to find the proper airport taxi queue to avoid being taken for a ride (bad pun alert!). The freeways are pretty smooth and the tollways quick. Lanes and indicators are optional, as well as doing the speed limit. Makes for good fun.

We got the taxi to our hotel, just off Sukhumvit Rd, which was about 30 minutes in the taxi from the airport. The streets that run off Sukhumvit Rd are called Sois. We’re staying on Soi 8. It looks more like a laneway than a street, and there is plenty going on, all the time. We’ve actually got two 7-Elevens on ours, which has been handy changing our large 1000 THB notes to something more manageable.


Sukhumvit Road, Soi 8

We’re staying at Stable Lodge. It has free wifi (which lots of places have here) which is nice. It’s meant that we could book our flights and do some research without having to leave the place. I also put in a call home to let the parentals know we’re still alive. The Eee PC is awesome btw.


Stable Lodge restaurant and pool area

We caught the Skytrain today into the city and exchanged some money and had a walk around the big shopping centers. MBK is the largest. It’s massive. It’s a shame that the prices are too similar to what we’re used to in Australian dollars, but that’s probably more just because I’ve been looking at the gadgets.

The tuk-tuk drivers are seriously pissing me off though. Everywhere you go, there they are waiting to harass you to make you go for a ride with them. They’d probably just take you to their mate’s jewellery shop. We also had a few incidents at the train station. The ‘official’ information people aren’t official. Even with their fake ID badges.


Busy Bangkok motorway

We bought a couple of long-necks of Chang beer from 7-eleven, which were a bargain at 35 THB and we’re having an early night. It’s up early tomorrow morning to catch our flight to Surat Thani. We go by ferry from there to our next destination.. Beer’s house at Ko Samui. It’s going to be rad.. as long as the weather stays ok.


Bangkok skyline, from our balcony