Guggenheim Museum, Chinatown and Aquarium

The weather remains incredibly cold, which means that any activity outdoors becomes a challenge. Apart from the Guggenheim Museum and the Aquarium, we've spent a couple of hours exploring various shops in Chinatown.

A day of shopping

Since NYC seems to be the capital of the capitalistic world, it offers a paradise for shoppers. Unfortunately we're not really in the mood for shopping, but we decided to ignore that and make the best out of it. So we ended up buying numerous books, from Hindi grammar to historical sewing techniques.

Second day in NYC: Metropolitan Museum of Art

The second day was fully spent at the Metropolitan Museum of Art, which seems to be a universe of its own. Quite an impressive museum, just a bit odd for us old-world Europeans that the paintings are organized/sorted by collector instead of by artist or age. I guess that is what happens if even art in museums is commercialized.

One of the main reasons why we went to the museum is its "costume institute". According to what we've read, they have tens of thousands of historical costumes. Unfortunately, the exhibition area is only large enough for hardly one hundred of them, and currently this space is occupied by some stupid "men in skirts" exhibition. Hey, I own more skirts than trousers... what's so special about that subject? Am I now worth exhibiting? And what happened to the interesting historical costumes? They are hidden away :(

Wireless Internet access in NYC

Staying on the 36th floor of a hotel in midtown Manhattan has the advantage of receiving about 35 wireless networks, many of them unencrypted and with pre-configured IP address range ;)
So the hotel doesn't even have to bother offering Internet access to their customers, I guess.
The real problem is to stick with one AP, since everybody seems to use the pre-configured 'Linksys' ESSID, and the client thus thinks it can roam between them... which obviously doesn't work.

Arrival in NYC

After a quite decent flight with Singapore Airlines, Eli and I have arrived in New York City. I'm here for LWE, and we thought it'd be a good idea to add a couple of days for sightseeing. The last time I was in NYC was 9 years ago. Jeez, I feel like I'm getting old.

It seems like we're visiting NYC at its coldest time ever. The ground staff at the airport was fighting with a snow storm, and temperatures are at about -12 Celsius. But this isn't all, we also have extremely cold arctic winds.

On our first half day (arrived at about 1:30pm at the hotel), we didn't do much but get over our jet lag and have some fast food.

Infrequentness of weblog entries

Shortly after starting the weblog, entries become less frequent :( I'll try to improve over the next couple of days. Heading off to New York for LWE 2004 where I'll be giving a netfilter programming tutorial on behalf of my sponsor Astaro.

Four hours left for sleep, I'd rather use the time and write some stuff here tomorrow.

Final work on new netfilter homepage

The last section of the homepage (security advisories) has now been converted. The security advisories in their text form are just placed into a certain directory, and some makefile, perl-script and docbook-xml magic takes care of the rest.

With some luck, the new homepage will be online tomorrow.

Harald arrives back home for a full week

After lots of travelling, I'll finally be at home for a whole week. After that, I'm going to fly to NYC, heading for LinuxWorldExpo, where I'll be giving a presentation on behalf of Astaro.

While travelling to lots of conferences can be quite nice, I have actually concluded that I spent less than half the year 2003 at home in Berlin. This sucks. I moved to Berlin because there are so many interesting people (like the CCC), culture and community. 2004 is going to be way less travelling than the previous years. A handful of conferences (LinuxTag, Linux-Kongress, OLS, Kernel Summit) and that's it. Sorry guys.

More work on the new website and

I've finished the scripts for auto-generation of the mirrors.html page from the DNS zone file, and the HOWTO-link-generation similar to what the current netfilter homepage has. Also done some final tweaking of the style sheets.

With regard to the blosxom configuration: I've now finished some nice blosxom templates (flavour, how it likes to call these itself) that resemble the exact layout of the docbook-website generated netfilter homepage... in fact, it is using the same CSS :)

libiptc2 woes

After quite some time, a posting on the netfilter-devel list reminded me of my unfinished work on libiptc2. The problem with old libiptc is that it has n^2 complexity when adding rules to an in-memory ruleset. This slows down iptables-restore with large rulesets.

Old libiptc has a so-called chain cache that contains pointers to the start of each chain within the ruleset blob. This chain cache has to die, and libiptc2 needs a totally separate representation of the ruleset. Every rule is a malloc()ed chunk of memory, put into a linked list (which builds a chain, which are in turn linked lists). Only at the iptc_commit() stage is this libiptc-internal representation compiled into the ruleset blob.

Let's hope Andre Uratsuka Manoel will find the time to continue this work, since I really don't even know where to start with my ever-growing TODO list :(

installed blosxom on

From previously being just installed on my notebook (debian testing), I've now managed to install blosxom on (debian woody). This was quite a hassle. First, there was no blosxom backport for woody available on the net (what a shame). Second, rebuilding the blosxom .deb on woody didn't seem to be as easy as usual due to some strange interaction with fakeroot+gpg. Didn't solve the problem, but rather built the package as root.

After that, I had to discover that the blosxom 'isp' plugin doesn't work quite well with debian suEXEC enabled apache. The problem is that ~laforge/weblog is outside of the documentRoot and thus suEXEC refuses to execute /usr/lib/cgi-bin/blosxom. The only kludge I could manage to do is to copy blosxom into somewhere below ~laforge/public_html in order to make suEXEC happy. As I want to move to static pre-built html files anyway, I didn't bother to find a real solution to the problem.

Now I'm thinking about the integration. Since the new homepage is built with docbook-website, a good choice would be something like a 'docbook-xml' flavour for blosxom. Need to think more about this.

netfilter developer diaries

I've started to use blosxom as the designated tool for the upcoming netfilter developer diaries. If the test phase works out well, every netfilter/iptables developer will have the possibility to host their own homepage including a blosxom-enabled blog on this server.

Harald got engaged

I've proposed to the wonderful Elisabeth, who has enlightened the last 6+ years of my life. She accepted my proposal and we became engaged. Now if that isn't good news :)
Though we've first met on IRC in early 1997, she's not a frequent computer user these days... so there's no homepage (yet) I could point the curious reader to.

Started using fedora legacy

Since RedHat decided to discontinue RedHat Linux, I've migrated almost all the remaining RedHat and Conectiva Linux boxes to Debian.

However, I didn't migrate the Fedora Legacy as a means for installing security updates for the discontinued RedHat. Works like a charm, and I send many kudos to those volunteers who set this up in a very short time.

Presentation/Workshop about reverse engineering of Linux firmware images

At the 20c3 conference, I'll be giving a presentation/workshop on my personal experience on how to reverse engineer Linux-based firmware images.

This is basically the technique I've used to find out about violations of GPL'd software under my copyright.

The presentation will cover strategies, tools and describe the step-by-step process of an example firmware image.

KNF blog section started

I'm planning to drop some notes here about my work at KNF, a not-for-profit Internet organization based in my old home town Nuernberg. Despite not living there anymore, I'm still doing sysadmin for them, especially maintaining our large usenet server.

Companies violating the GPL of software under my copyright

Numerous companies have started to use Linux as the foundation for their commercial products. While this is a good thing[tm], they have to play by the rules. Over the last couple of months I found out that quite a number of companies are violating my copyright by not adhering to the GPL.
One of the more commonly-known cases is the Linksys WRT54G product, but there are several others.

The major problem for individual software developers and free software projects is the jurisdiction. For me as a German, I am very unlikely to carry the burden of starting a trial against a U.S. company. Not only do I not trust their legal system, consider the incredible cost associated with a trial in a foreign country.

However, as soon as a product is sold within Germany, I am able to take action against the importer of that device. Considering that .de is supposedly Europe's biggest market for IT, that might hurt the vendor enough to comply with the license, rather than stop selling it.

In the Linksys case, the Free Software Foundation is one of the copyright holders, and thus pushing for GPL compliance. However, after about half a year of lawyers talking, there is still no full GPL compliance. Yes, they have offered some source code on their website, but there's still lots of stuff missing.

I've also received significant indication about quite a number of other cases where GPL'd source code was used to build proprietary software. If I only had the time, I would like to start a website with a database of all known GPL violations, the companies involved, their response, the legal proceedings (if any).

I've started with registering the domain name. If anybody out there is interested in starting the website, I'm happy to offer the hosting, traffic, domain, etc. on one of my machines.

conntrack and nat helpers in 2.6.x

The last couple of days I've been trying to finalize the first release of patch-o-matic-ng. Everything seems really close now. However, a lot of patchlets available for 2.4.x are missing for 2.6.x kernels. Maybe the biggest and most important gap is all the conntrack/nat helpers.

The reason is that the semantics for those helpers have completely changed. They now get fed non-linear skb's by the conntrack core, which in turn means that they all need to copy the skb payload into some temporary buffer in order to search for some particular string (e.g. PORT command).

The conntrack core should definitely provide some function that is able to look for strings within a packet. Need to think more about this.
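A userspace sketch of the kind of search function this entry asks for, as an added example (not netfilter or kernel code): it finds a string in a payload split across several buffers without copying it into a temporary buffer. `struct frag`, `frag_find` and `PAT_MAX` are hypothetical names standing in for the pieces of a non-linear skb.

```c
#include <stddef.h>

#define PAT_MAX 64

/* Hypothetical userspace stand-in for one piece of a non-linear skb. */
struct frag {
    const unsigned char *data;
    size_t len;
};

/*
 * Find pat in the byte stream formed by frags[0..nfrags) without copying
 * the payload into a temporary buffer. Knuth-Morris-Pratt keeps only the
 * number of pattern bytes matched so far, so a match may straddle any
 * number of fragment boundaries. Returns the stream offset of the first
 * match, or -1 if there is none or the pattern is empty or too long.
 */
long frag_find(const struct frag *frags, size_t nfrags,
               const unsigned char *pat, size_t plen)
{
    size_t fail[PAT_MAX], k = 0, pos = 0;

    if (plen == 0 || plen > PAT_MAX)
        return -1;

    /* fail[i] = length of the longest proper border of pat[0..i]. */
    fail[0] = 0;
    for (size_t i = 1; i < plen; i++) {
        while (k > 0 && pat[i] != pat[k])
            k = fail[k - 1];
        if (pat[i] == pat[k])
            k++;
        fail[i] = k;
    }

    k = 0;  /* bytes of pat currently matched */
    for (size_t f = 0; f < nfrags; f++) {
        for (size_t i = 0; i < frags[f].len; i++, pos++) {
            unsigned char c = frags[f].data[i];
            while (k > 0 && c != pat[k])
                k = fail[k - 1];
            if (c == pat[k])
                k++;
            if (k == plen)
                return (long)(pos + 1 - plen);
        }
    }
    return -1;
}
```

A search that runs per buffer instead of carrying the match state across buffers would miss a "PORT " command that is split between two fragments, which is the case the test data for this sketch exercises.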