(Non-)Internet at LSM/RMLL

Did I ever mention that having reliable and fast Internet access is the single most important factor for me (and other busy developers, especially those who are self-employed or run their own company) when visiting a conference or other event?

When visiting a conference, I basically have to leave all my work behind for a number of days. I can only do that if I at least respond once per day to customer emails, and deal with the most important things that pile up in the incoming queue of business-related email and faxes.

So at LSM the first issue with the network was authentication. You were required to enter the login name and password that you used to register for the conference [several months ago]. For those people who don't reuse the same password for multiple sites again and again, and who don't have monster brains, this means that the password is not something they will remember off the top of their head. In my case that password is securely stored in an encrypted keyring on my NFS server at home.

Obviously it wouldn't have been a problem to bring that password to the event, if somebody had actually bothered to announce that it would be required there.

After some discussion with multiple people, a new account was created for me. It was supposed to work within 15 minutes, but it didn't.

Even better, the wireless network was shut off at 6pm. Jeez. They don't get it. When at a conference, I need to use the nights to make up for the working time lost during the day. If there is no Internet access in the evening or during the day, I'm unable to do so.

On Thursday it was even better: The wireless network was shut off at 12 noon. Somebody told me that this was to give people an incentive to go to a speech by the mayor of Dijon. This speech would no doubt have been very interesting - if only I understood a single word of French. So the best thing the foreign visitors (among them a number of speakers) could have done during that time was to catch up with their email and work - if only there had been network access.

So as a matter of fact, I've now spent the longest period offline (four working days) for years. I can only imagine how upset some of my customers will be. Thanks, LSM.

This will be my last post about this horrible event. I only wish I had taken the first train back after running into the problems finding accommodation on Tuesday.

Libre Supper at LSM/RMLL

The problems with this conference continue.

The social event libre supper costs real money, and about the only thing you get for it is a nice venue. It was held in the city hall.

The buffet was not set up in the middle of the hall, but in a separate room next to it. So the bottleneck was not the buffet itself, but the door between the hall and the buffet room. This made the queue unnecessarily long.

So by the time I ended up at the buffet, there weren't even any glasses left - meaning that I had to "enjoy" my dinner without wine or water. Obviously everyone would line up for a second and probably third helping. People like me who refuse to line up for half an hour and only enqueue when the queue is shorter don't actually get any of the dessert.

I've probably never wasted my money and time more efficiently.

Chaotic Organization at LSM/RMLL

After my voluntary 6-hour stopover in Paris, I finally arrived in Dijon at something like 7pm.

During the train ride there, I wanted to read the instructions on how to get onto the campus. I had received an email on that subject some time ago, but hadn't read it yet, since I have all my email synchronized to (an encrypted partition on) my notebook. Sadly it turned out that this email didn't contain any instructions but just a link. Obviously the link is useless unless you have online access. Ok, I can't blame LSM/RMLL for my not having read the email beforehand - but it's also the first time at any of the conferences I've visited that such vital instructions haven't been sent by mail.

Luckily I ran into some LSM/RMLL attendees in downtown Bordeaux who told me how to find the campus.

At the campus, I found dozens of LSM/RMLL signs pointing in contradictory directions - and nobody there.

So I called the only other person at LSM/RMLL whose cell phone number I had: Werner Koch, one of the other speakers. He was lost, too :( So I made the only reasonable decision: Get back to the city centre and look for a hotel room. Obviously, the tourist information was long closed. So I walked from one hotel to the other. The first two were fully booked. Just as I was entering the third hotel, Werner called again.

Luckily he had run into some other attendees (not organizers!) who managed to talk one of the (obviously non-English-speaking) officials at the student dormitories into accepting the two of us for one night.

Obviously I didn't have the breakfast vouchers at the time of breakfast (since registration opens only after breakfast is finished, and it's a 15-minute walk to the restaurant). So I ended up at the conference venue without breakfast.

I think this is the way you do _not_ want to organize a conference. I don't think there was any other event (even the previous LSM in Bordeaux I've been to) which had equally non-existent speaker care. At most events, you get picked up from the airport / railway station, brought to your accommodation, and at the hotel reception you receive printed instructions, such as a map of the campus, instructions on when to be where, and (most importantly) some contact phone numbers in case you get lost or have any other problems in a country whose language you don't speak.

At my presentation (as at the presentation of David Turner, FSF GPL Compliance Lab Engineer) there were about 10-15 people in the audience. So I'm actually leaving an ever-growing pile of work behind in my office, chose not to do any paid work for three days, paid for the accommodation myself (travel is covered), went through all the hassle of the travel described above, to talk in front of that small an audience. I guess this really was my last LSM.

And yes, I could continue this rant now about the wireless network, which requires you to log in with the account data you used to register for the conference. That data is securely stored on my hard drive at home. Why would I bring such data with me, if nobody tells me upfront that I would need it? *sigh*

Picking up pre-paid SNCF tickets in France

If you want to make an online purchase of an SNCF (French national railway) ticket, the only option you get is: Pre-pay the ticket via credit card in their online store, and later pick up the ticket at a vending machine at the railway station.

So this is what I did for my Paris->Dijon travel. I went to the first vending machine at CDG Airport in Paris. For authorization you are required to enter the booking code, your name and the credit card you used for the online purchase. The first machine was broken, since it wasn't able to read the magnetic stripe on my credit card. The second machine already had a sign attached saying that it was malfunctioning and could not be used for pickup of pre-paid tickets. All the other machines were out of service.

Then I went to the next machine and tried to buy a public transport ticket from CDG airport to Gare de Lyon. The fare is 8 EUR and according to the signs on the machine, you can pay cash (in coins, which I never have), by French debit card (which I obviously don't have) or by VISA card. Unfortunately it refused to accept my perfectly valid VISA card. So I had to join the long queue in front of the ticket counters.

At Gare de Lyon, I tried again to pick up my train ticket to Dijon. Most of the machines would again have problems reading the magnetic stripe on the VISA cards, and the others could read it, but would just tell me: Cancelled, please retry at a different machine.

So I again had to join the extremely long queue in front of the ticket counters, and in addition wait for the only English-speaking cashier to become available. I told her my story, and she said: Yes, it only works with French VISA cards.

I was outraged. The online shop for buying tickets is fully translated to English and German (among others). You can buy the ticket using a non-French VISA card, and the amount is charged to your credit card account at that time. The translated instructions tell you to pick up your ticket at the machines, and nowhere was it stated that with a non-French VISA card you have to queue up in front of a counter.

The sole purpose of reading the credit card at the ticket machine is to provide a third authentication factor ('is this person really the person who booked the ticket'). There is no technical reason for restricting this to credit cards of a particular issuing country.

I'm planning to write some letters about this, since this is actually against fair competition regulations. If I want to receive the same service as everybody else and not wait half an hour for every train ticket I buy, I have to open an account with a French bank.

Heading off to LSM/RMLL

I'm heading off towards LSM/RMLL (Libre Software Meeting) in Dijon (France) tomorrow.

I'm looking forward to this event, especially since I'm going to meet David Turner, the new head of the FSF's GPL compliance lab. We've got a lot to talk about with regard to cooperation/coordination between the GPL enforcement efforts of the FSF and gpl-violations.org.

My route takes me via Paris, so I'll spend a couple of hours' stopover in the city to visit some of its famous cemeteries. With some luck the weather will be ok for photography...

For those who are curious: I'll be back to Berlin by Friday evening.

pptp-conntrack-nat for 2.6.11 and 2.6.12.x ready

I've finished the port of pptp-conntrack-nat to the new 'rustynat' infrastructure of the 2.6.11 (and 2.6.12.x) kernels.

The frequent reader of this blog will have noticed my prior post. Despite 2.6.11 being just a minor kernel release, the conntrack/NAT core received some rework that made porting non-trivial helpers quite complex.

I've tested plain conntrack and SNAT/MASQUERADE so far. DNAT remains untested for now, but should work. It's not as common so I deferred testing and potential debugging - esp. since I'm going to be travelling again by tomorrow.

Thanks again to the cool guys from NetBoxBlue for funding this work. That made it a lot easier to put this in the top section of my TODO list.

Heather J. Meeker spreads false claims about gpl-violations.org.

In an article on linuxinsider.com, Heather J. Meeker of Greenberg Traurig LLP (don't miss the background info at FFII Wiki) makes false claims about the gpl-violations project and myself.

I've pointed out her mistakes in the following letter:

Dear Ms. Meeker,

It has come to my attention that you have authored an article entitled "Open Source and the Legend of Linksys", published at linuxinsider.com, in which you make false statements in order to discredit the gpl-violations.org project and myself.

There is nothing wrong with press articles and commentaries about the GPL, the gpl-violations.org project or myself, no matter how critical they are - as long as they are based on facts. Spreading lies is however not acceptable to me.

The most obviously wrong statement is "But, it so happened, that AOpen was actually compliant, having offered the source code on a German Web site, as Welte later noted in his blog. Never mind.".

The truth is: AOpen Germany offered the _object_ code of the GPL licensed software on their German FTP server, without complying with the GPL license terms. My blog clearly states "Firmware" (which is by definition object code, not source code). This means that in fact they are even legally responsible, since they distributed GPL licensed software without adhering to the license conditions.

Two other quotes from your article: "The problem is that Welte apparently does not hold the copyright to the code that is the subject of these letters."

"Some of Welte's targets have complied voluntarily, but one suspects that is because they were simply unaware of the problem. Welte apparently has no authority to enforce these copyrights."

This is again wrong. I have never enforced any copyright that I don't own. What has happened is that some other Linux kernel developers have transferred their copyright to me, so I can take action in cases where my own copyright is not involved. [which by the way is also a good indication that gpl-violations.org is not some lone lunatic but backed by the development community].

Obviously I reserve the right to inform any organization about illegal copyright infringement they might be committing, even if I'm not the copyright holder. This must not be confused with legal GPL enforcement by an actual copyright holder through in- or out-of-court legal action.

Specifically, regarding the "CeBIT letter action", I could have started legal proceedings in all those cases. In fact, my legal team and I were planning to personally hand over a preliminary injunction at one of the CeBIT booths. Rather than doing so, I thought I could save the respective infringing companies the trouble of legal charges and legal expenses by first writing them an informal letter.

At this point in time, I do not know the legal situation of such easily provable false statements in the US. In Germany we have laws that force the press to publish "correction statements" written by the person or entity that was the subject of those false statements. I will consult my legal advisers about this matter.

I would like to ask you to clarify those issues. Since it is an on-line article, it should be possible to amend it. If that is not possible, I'm sure there is some other way to let the readers know about those two "mistakes" in the article.

Sincerely, Harald Welte

I've posted some additional comments in the talkback section of the article. They have yet to be approved by the publisher.

Liquid cooling system of my workstation massively corroded

Only three months after putting in place the Alphacool liquid cooling system for my dual Opteron workstation, it has already corroded severely.

I don't really understand why, since I only used a readily-packaged set as offered by the vendor, and I only used original anti-corrosion liquid from the same vendor.

Spent multiple hours getting rid of all the crystals in the system, dismantling the CPU coolers, etc.

I hope the vendor replaces some of the parts for free and comes up with a good solution to prevent this in the future. I don't want to give up my silent office anymore. (btw: I didn't tell you about my new managed VLAN-capable fan-less 16-port gigE switch, did I?).

WPA, Linux, wpa_supplicant, DWL-7000AP, freeradius

It's amazing how long it can take to set up a small "reasonably-secure" WPA wireless network.

I thought it would be pretty straightforward. Just configure the AP to EAP, tell it the RADIUS secret, apt-get install freeradius, distribute some X.509 certificates and start wpa_supplicant on the client machines.

In principle, that's it. However, practical issues I ran into:

  • The AP crashes every so often
  • The AP needs to reboot after every single config change (no chance to do multiple changes and then reboot)
  • The AP needs some 5 minutes to reboot
  • The AP refuses to use certain totally valid IP addresses, be it via DHCP or statically configured in the web frontend
  • The Debian freeradius package on AMD64 misses EAP support due to a libtool problem (missing -fPIC), known since January.
  • The Debian freeradius package doesn't ship with EAP-TLS, since the EAP-TLS code is GPL licensed but links to OpenSSL.
  • wpa_supplicant doesn't work with the PowerBook built-in Airport (orinoco_cs) card

So I wasted the better part of a day to overcome the issues above, but I'm still not happy. My PowerBook now needs an Atheros Cardbus card, even though it has a built-in card. DHCP randomly fails for unknown reasons (I see the valid DHCP replies go into the AP, but it fails to pass them on).
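The setup sketched in this post (AP in EAP mode with a shared RADIUS secret, freeradius as the authentication server, X.509 certificates, wpa_supplicant on the clients) as an added configuration example; this is not from the original post, and the AP address, SSID, identity and file paths are assumptions. It shows the three pieces that have to agree: the RADIUS client entry for the AP, the EAP-TLS section on the server, and the client's network block.

```conf
# --- freeradius 1.x: /etc/freeradius/clients.conf (added example, not the post's config)
# The AP is a RADIUS client. "secret" must match the RADIUS secret typed into the
# AP's web frontend. 192.0.2.10 is an assumed AP address.
client 192.0.2.10 {
        secret    = change-me-to-a-long-random-secret
        shortname = dwl7000ap
}

# --- freeradius 1.x: /etc/freeradius/eap.conf, EAP-TLS section (assumed paths)
eap {
        default_eap_type = tls
        tls {
                private_key_password = change-me
                private_key_file     = /etc/freeradius/certs/radius.key
                certificate_file     = /etc/freeradius/certs/radius.pem
                # CA that issued both the server and the client certificates;
                # a client presenting a certificate from any other CA is rejected.
                CA_file              = /etc/freeradius/certs/ca.pem
                dh_file              = /etc/freeradius/certs/dh
                random_file          = /dev/urandom
        }
}

# --- client: /etc/wpa_supplicant/wpa_supplicant.conf (assumed SSID, identity, paths)
ctrl_interface=/var/run/wpa_supplicant
network={
        ssid="home-wpa"
        proto=WPA
        key_mgmt=WPA-EAP
        pairwise=TKIP
        eap=TLS
        identity="laptop@example.org"
        # ca_cert is what makes this "reasonably secure": without it the supplicant
        # accepts any server certificate, so a rogue AP plus RADIUS server could
        # complete the EAP exchange. Pin the private CA here.
        ca_cert="/etc/wpa_supplicant/ca.pem"
        client_cert="/etc/wpa_supplicant/laptop.pem"
        private_key="/etc/wpa_supplicant/laptop.key"
        private_key_passwd="change-me"
}
```

On the client, `wpa_supplicant -i ath0 -D madwifi -c /etc/wpa_supplicant/wpa_supplicant.conf -dd` (interface and driver names assumed for the Atheros Cardbus card) prints the EAP-TLS handshake step by step, which is the quickest way to tell a certificate problem from the AP problems listed above.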

ct_sync, kernel 2.6.10, NAT and masquerade

Following up some thorough testing and debugging, I finally got SNAT, DNAT and MASQUERADE to work with ct_sync on a 2.6.10 kernel.

Apart from forgetting to disable TCP window tracking, there were some subtle mistakes in the #ifdef/#endif of the code that actually prevented whole sections from being built ;)

Debugging the problem however has forced me to update the ct_sync ethereal plugin (screenshot) to parse almost every bit within the ct_sync protocol.

More and more Media Players running Linux but don't offer source code

There's a recent upsurge in the availability of handheld media player devices. Most of them come with a 240x320 / 16bit colour screen, FBAS (composite video) output, USB, 20GB hard drive, etc.

A big part of them seems to be running based on Linux and other free software, which is great. However, the vendors once again forget about their obligations under the GNU GPL and do not tell their users about the GPL or make the source code available.

The first device I ran into was the iRiver PMP-120/140, on which I have reported earlier in this blog. It was based on a TI DSP with embedded synthesized ARM core.

Now we're seeing similar devices from iStation, iUbi, Sitecom and some other vendors hitting the marketplace. They are all based on the SigmaDesigns EM8511 chipset. Rumours have spread that Sigma actually tries to bind their customers under an NDA not to release the GPL licensed source code, which they would obviously have no right to. Please keep in mind that these are rumours, and I don't have any confirmation about this yet.

Fighting with Docbook-Website

Almost all homepages I maintain are built using docbook-website.

Unfortunately I'm not a big XSLT guru, so I'm having a hard time finding and fixing bugs in them. For that reason especially the netfilter.org homepage was suffering from problems with olinks.

Luckily, the 2.6.0 release of docbook-website seems to have fixed all the olink-related bugs I was experiencing. I just re-built the page and now all the cross-linking (including #localifo) is working fine. Thanks to whoever fixed it :)

netfilter patch-o-matic-ng cleanup day

Just a quick status update:

I've tried to make most of the patches in netfilter patch-o-matic-ng work with 2.6.12 today. It's amazing how fast the code bit-rots there.

I've also applied tons of cosmetic cleanup fixes, such as %zu and %ti format strings to avoid compiler warnings on 64bit archs.

Now it's time to head back to the PPTP-conntrack-nat port for 2.6.11+. Once that is finished, I'm back to ct_sync work.

Oh, and yes, I almost forgot: ftp.netfilter.org will start having daily snapshots of conntrack and ipset.

Adding missing features to libctnetlink and "conntrack" program

I'm back to netfilter hacking, and it's more fun than ever :)

libctnetlink was extended to provide an API function to add an expectation. Also, the cool new conntrack control program now has preliminary support to add expectations from the command line.

This means there is now the full chain in place (from kernel to userspace library to command line tool) to allow expectations to be created from userspace. I wonder how long it will take for the first userspace ALGs to show up. It would be a pleasure to finally see complex protocol handling done in userspace rather than on the kernel side.

While hacking at conntrack, I also added a man page and fixed some other bits and pieces. Once the "do we want an ID, and if yes which kind of ID" discussion has concluded on netfilter-devel, we can submit nfnetlink and ctnetlink to the mainline kernel and make a first libnfnetlink, libctnetlink and conntrack release.

Network Access at LinuxTag (and Vodafone hotspots)

Same procedure as every year. One of the hardest things at LinuxTag is to get Internet access. My experience this year is a follow-up to long discussions in previous years following my complaints. However, the problem seems to be persistent.

First of all, the WLAN is not working. WLAN access is provided by a different organization than wired Ethernet access, and nobody from the WLAN team was around to comment on why.

Wired access is almost impossible to get, since there are only _three_ public Ethernet ports available at this time - apparently due to a lack of multi-port Ethernet switches. The network admins were nice enough to allow me access at one of the non-public infrastructure switches, though.

Even after finally having access to an Ethernet port, I wasn't much more excited. The only things that worked were HTTP via a proxy, and SSH. So there is no way to speak commonplace protocols such as IMAP-over-SSL on port 993. Or to access Subversion-over-WebDAV servers on non-standard ports. Or to build up an IPsec tunnel :(

Luckily I'm in the situation to be able to do SSH tunneling, but not everybody has shell accounts on their mailservers...

Then I tried the Vodafone hotspot available in the conference hotel. Not only do they charge a ridiculous EUR 24,95 for 24h access, but they also offer something that can barely be called "Internet access". So far, I've only been able to establish HTTP(S) sessions and IMAP-over-SSL. There's no outgoing SSH working, and also no IPsec.

This leaves me now with the option to run between the two adjacent conference and hotel buildings. SSH works in one place, but IMAPS only in the other. Surprisingly, I never have similar problems at any other conference that I attend - and if you look at my schedule, you notice I travel to a lot of conferences.

I've already decided to have my bank cancel the Vodafone credit card charge since they promised me Internet access, but all I got was WWW-and-IMAP. They should have told me before, then I wouldn't have bought their services.

Cisco GPL violation

I've just confirmed yet another GPL Violation of Cisco Systems. This time it's not a consumer class product sold under the Linksys label, but an enterprise-class "Cisco" product.

More details will follow as soon as Cisco has been informed. As a rule, I don't make any details public before the respective opponent has received the first letter from my lawyers.

Sitecom did it again

Sitecom apparently _again_ violates the GPL. This is now the third product in little more than a year.

Again, more details will follow soon, stay tuned.

Arrived in Karlsruhe

I've just arrived in the south-west German city of Karlsruhe for three days of Astaro and two days of LinuxTag.

In addition to that, there are several scheduled GPL-related meetings. The most important one is probably the meeting with Cisco Germany. I'm really interested in what they want to say with regard to the recent upsurge in GPL issues inside Cisco.

Unlike a lot of my recent travel, I have Internet access every day. This means there will be little [additional] delay in responding to email.

Just finished three days of teaching an intensive netfilter/iptables course

I just finished my first three-day-in-a-row training for quite some time. Seems like I almost forgot how exhausting it can be to talk for three full days. However, it seems like the biggest part of the training went quite fine, and the attendees were satisfied.

The most interesting part for me was to learn about the practical "real-world" setups in which those users were actually using packet filters, NAT, bridges, routers, etc. So basically it put me in touch with some of the more advanced users, and taught me about their particular requirements. This will definitely help during the further development process.

Browsers and large HTML tables

What is wrong with browsers displaying large HTML tables? Well, I had to look at a "CISCO global price list" (looking for the price of their latest alleged GPL violation). Of course that list is only available as .xls, so I used xlshtml to convert it to HTML. The result is a 12MB HTML document.

Opening that HTML in w3m took quite some time on my dual Opteron 246, and I was wondering why it took so long (it indicated it was opening the file from the local hard drive at 9.6MB/s, though). Looking at top, I hardly believed my eyes. The total virtual size grew to 760MB(!)

I then re-tried with Mozilla, and it did equally badly with 815MB. However, I would have expected something like this from Mozilla, being a monstrous GUI program... but w3m? I'm puzzled.

Using Centrino miniPCI in non-Centrino devices

Mostly out of curiosity, I recently bought one of the cheap Intel PRO/Wireless 2915ABG cards. I tried to install it in my (obviously non-Centrino) AMD Turion64 notebook, and it almost worked immediately with the ipw2200 driver.

The only issue remaining is the hardware RF_KILL pin. It's intended for those hardware switches that allow the user to physically disable any RF input/output [for airplanes, hospitals and the like]. Intel is using pin 13 of the miniPCI slot for that, and even though the TARGA notebook (manufactured by MSI) has such a switch, it seems to be using a different pin. So what I did was cut a tiny strip of adhesive tape and glue it onto pin 13. This prevents any electrical contact and makes the 2915ABG card happy.

Now I have working wireless in that notebook. However, at the expense of Bluetooth, since the original INPROCOMM 2220 card implemented both, 802.11 and Bluetooth.

Just as a reference, I also tried a Wistron CM9 Atheros 5212 a/b/g card, and though it electrically worked, I was unable to receive anything with the latest madwifi-cvs. Played some time with the debugging options - to no avail.

Now the TODO contains checking out Jeff Garzik's latest wireless-2.6 tree and see how Intel and SuSE are doing with the new generalized 802.11 layer.

Oops, Linksys did it again...

For the third time, Linksys (now only a brand of Cisco) seems to be selling devices in a GPL-incompliant fashion. Following up on the WRT54 case in early 2003, and the less-known WMA11B issues last year, they've now started to sell the ADSL2MUE.

I did a test purchase. It clearly contains the Linux kernel and other GPL licensed software. There is no mention of the GPL, no GPL license text, no source code, and no written offer anywhere in the package, manual or on the included CD-ROM.

I really don't get it. How could this happen again? Rumours say that the device was OEM'ed from somewhere else. Even in that case, Linksys should have enough GPL experience to include a statement like "if the product contains GPL or other copyleft-licensed software, the full corresponding source code has to be delivered" into their contracts with the upstream vendor.

Shortly after the warning notice had been sent by my legal team, some source code appeared on http://www.linksys.com/support/gpl.asp. I have not yet confirmed that it is complete, but it looks like they even included Texas Instruments' LZMA (de)compression bits, which no other vendor using TI's AR7 platform has provided, even though they are a clear modification of the existing GPL licensed Linux kernel source code.

Linksys (Germany) officials have invited me to meet them. Due to restrictions of my travel schedule, the meeting will only happen in late July. I'm looking forward to that meeting and will remain curious about their interest in such a meeting :)

librfid news

After yet another break I'm now back at some librfid hacking. I've compiled the code from svn on my ppc notebook, and it worked straight away (as far as it is implemented). Quite surprising, since I didn't even think once about endianness so far. I suppose this will change when implementing the upper layers.

I've now also started work on libmrtd, which is to be a library implementing the functions typically required at a "border control application" of an ICAO-compliant MRTD (passport). This includes basic access control, encrypted communication with the MRTD, and parsing of the data (DG1, DG2) stored on the MRTD.