I've been trying out Fedora 11 snap1, and have been impressed with the video performance of the nouveu open source driver for Nvidia cards. glxgears reports 299fps on the system and it feels very responsive when doing desktop tasks.

So I figured I'd try out my only game on the system and see if it was playable. The CPU is a Core 2 DUO and I have 4G of RAM so there should be no problems there. I followed the Bioware instructions for installing the Linux client and everything went smoothly until I started playing the game.

In the setup menus the mouse felt a bit jerky, but it was tolerable. The animations were fast (previously this has been an indication of how well things were going to go). But when I got into the actual game it was very jerky, the mouse had a lag that was intolerable and movement was slow. So, for right now, it is not playable.

It actually runs faster on WinXP, under Parallels on a Mac Mini so there must be some bottleneck it is hitting -- it shouldn't be that bad.

Tomorrow I make the annual trek to Bellingham, WA for Linuxfest Northwest, a gathering of northwest Linux and Open Source enthusiasts. Come join us!

Tags: bellingham, linux, linuxfest northwest
Current Mood: cheerful

I installed Fedora11 Snap1 last week from the live CD image, and it worked great! Until I ran yum update. That borked the X driver and I was left with only the console. I'm running this on a system with a Nvidia card so it uses the new nouveau driver and apparently something broke. I ran another update yesterday and all is well. Mostly.

The first thing you notice is how fast the system gets to the login screen. 20 seconds from POST to login for me, and I hear it is that slow because there is still debug code enabled in this release.

Today's hiccup is that VMware Workstation, which I use for alot of testing, doesn't want to build on the current kernel. So, its back to Fedora9 for the moment.

Tags: fedora, vmware

A while back I hacked together a wxPython based gpg encrypt/decrypt bundle. Here is the code for that. Put it into a couple of functions and it will take the selected text (or whole buffer) and use Gnu Privacy Guard to encrypt it.

Encrypt function, shows a dialog box with a list of keys, selecting a default key to encrypt to:

#!/usr/bin/env python
import os, sys, tempfile, traceback
from subprocess import *
import wx

exit_discard = 200
exit_show_tooltip = 206

def GetPassword():
	passphrase = None
	dialog = wx.TextEntryDialog(	None,
					"GPG Passphrase",
					"Encrypt Text with GPG",
					"",
					style=wx.OK|wx.CANCEL|wx.PASSWORD)
	if dialog.ShowModal() == wx.ID_OK:
		passphrase = dialog.GetValue()
	dialog.Destroy()
	return passphrase.encode('ascii')


def GpgDecryptFile( gpg_file, passphrase ):
	cmd = "/usr/local/bin/gpg -qd --batch --passphrase-fd 0 %s" % (gpg_file)
	p = Popen( cmd, shell=True, stdout=PIPE, stderr=PIPE, stdin=PIPE )
	(stdout, stderr) = p.communicate( passphrase )

	return stdout

def rmfile( file_path ):
	if os.path.exists(file_path):
		os.unlink(file_path)

app = wx.PySimpleApp()
passphrase = GetPassword()
if not passphrase:
	exit(exit_discard)
	
# Get the input for gpg
gpg_input = sys.stdin.read()

# Write it to a secure file
(out_fp, out_path) = tempfile.mkstemp()
os.write(out_fp,gpg_input)
os.close(out_fp)

try:
	gpg_output = GpgDecryptFile( out_path, passphrase )
	if not gpg_output:
		rmfile(out_path)
		exit(exit_show_tooltip)
	sys.stdout.write(gpg_output)
except:
	rmfile(out_path)
	traceback.print_exc(file=sys.stdout)
	exit(exit_show_tooltip)

rmfile(out_path)

Decrypt function, prompts for passphrase:

#!/usr/bin/env python
import os, sys, tempfile, traceback
from subprocess import *
import wx

default_gpg_user = "brianlane"

exit_discard = 200
exit_show_tooltip = 206

def GetRecipient():
	keys = GetGpgKeys()
	key_list = []
	user_idx = 0
	i=0
	for k in keys:
		if k[0] == "uid":
			s = "    %s %s" % (k[9],k[5])
		else:
			s = "%s %s %s" % (k[9],k[5],k[4])
		key_list += [s]
		if k[9].find(default_gpg_user) > -1:
			user_idx = i
		i += 1

	dialog = wx.SingleChoiceDialog(None, "Select a GPG Key", "Encrypt Text with GPG", key_list)
	dialog.SetSelection(user_idx)
	dialog.SetSize((400,200))
	key_info = None
	if dialog.ShowModal() == wx.ID_OK:
		key_info = keys[dialog.GetSelection()]
	dialog.Destroy()
	return key_info


def GpgEncryptFile( gpg_file, gpg_recipient ):
	cmd = '/usr/local/bin/gpg -qeaR "%s" --batch --output - %s' % (gpg_recipient, gpg_file)

	p = Popen( cmd, shell=True, stdout=PIPE, stderr=PIPE )
	output = ""
	for line in p.stdout:
		output += line
	stderr = ""
	for line in p.stderr:
		stderr += line

	return output, stderr


def rmfile( file_path ):
	if os.path.exists(file_path):
		os.unlink(file_path)

def GetGpgKeys():
	cmd = "/usr/local/bin/gpg --list-keys --with-colons"
	p = Popen( cmd, shell=True, stdout=PIPE, stderr=PIPE )
	key_list = []
	for k in p.stdout:
		key_args = k.strip().split(':')
		if key_args[0] in ['pub']:
			key_list += [key_args]
	return key_list
	

app = wx.PySimpleApp()

key_info = GetRecipient()
if not key_info:
	exit(exit_discard)
	
# Get the input for gpg
gpg_input = sys.stdin.read()

# Write it to a secure file
(out_fp, out_path) = tempfile.mkstemp()
os.write(out_fp,gpg_input)
os.close(out_fp)

try:
	gpg_armour, gpg_error = GpgEncryptFile(out_path, key_info[4])
	if not gpg_armour:
		rmfile(out_path)
		sys.stdout.write(gpg_error)
		exit(exit_show_tooltip)
	sys.stdout.write(gpg_armour)
except:
	rmfile(out_path)
	traceback.print_exc(file=sys.stdout)
	exit(exit_show_tooltip)
	
rmfile(out_path)

Tags: encryption, gpg, python, wxpython
Current Mood: accomplished

This article on email security discusses the difference in how the law 'protects' you depending on whether your email is stored on your own servers, or on a 3rd party's servers 'in the cloud'. Basically, if they are on your servers a warrant is needed to seize them. If they are on a 3rd part system, say gmail or yahoo, the government doesn't have to notify you that they have seized your private correspondence (its a bit more complicated than that, read the article for the details).

I run my own mailserver, so this really isn't a problem for me. But I thought it would be a good Sunday morning exercise to make sure all my incoming mail was encrypted anyway. You to can thwart the prying eyes of 'the man' by using procmail and gpg on your own server, or if you have access to a shell account on a remote system.

1. Install the gpg get you want to encrypt messages to. Usually this will be your public key. There is no need to have your private key on the server. You can import the key using gpg --keyserver pgp.mit.edu --search-keys youremail@domain and selecting the right key.


2. Setup procmail to pass all unencrypted incoming messages through gpg. Create a .procmailrc file that looks like this:

# Store all incoming mail in encrypted format using gpg
LOGFILE=$HOME/logs/procmail

# Encrypt the body of the message, skipping ones that are already encrypted
:0 Bfbw
* !^-----BEGIN PGP MESSAGE-----
| /usr/bin/gpg --batch --trust-model always --encrypt -r0x9712C2CD  --armor --output -

3. Create a logs directory in your home directory - mkdir ~/logs

That's all there is to it. Now send yourself an email and check the mailbox to make sure it is stored in encrypted form. Check the logfile for errors -- if gpg fails for some reason it will store the mail in unencrypted format.

Tags: encryption, gpg, privacy, security
Current Mood: accomplished

When we had a new deck built this summer I took down the antenna for the live Aisparser SDK site. My plan is to put it back up on the peak of he roof along with my 1-wire weather station. I had been using a Sharp EL-5500 as a serial to 802.11 adapter, but it only works with 1 serial port. I have a couple Digi WiME modules left over from my wireless 1-wire project, but that would mean I would have to use 2 of them, which seems like a waste.

Luckily enough I just replaced my main router with a WRT54GL running OpenWRT. One of the features of the '54GL is that it runs Linux and it completely open and hackable (Thanks Linksys!). It also has 2 serial ports buried inside of it. One is used for the serial console and the other is unused. It needs a 10 pin header on the '54GL's motherboard and a level converter to take the 3.3v level from the board up to RS232 levels (~13v). The MAX3232 works perfectly for this. It only requires 4 external caps and power.

I whipped up a PCB with Eagle CAD (on OSX) and pcbpool's basic service (no solder mask, just a bare board). I ended up ordering the wrong width MAX3232 part from DigiKey, but was able to still use them by bending the pins vertical.

Now I have a WRT54GL with 2 serial ports, running linux and only about 3M of free ram. Python won't fit into memory. Thus is born a new project -- SerialSocket, which will be a light-weight 'C' program to connect serial ports to sockets (either local or remote) as well as do UDP broadcast. This way I will be able to broadcast data from the AIS receiver to the local LAN and catch it with multiple apps, and will have a bi-directional socket connection to my Link45 1-wire adapter, the 1-wire weather station and the temperature sensors in the garage freezer and fridge.

Current Mood: accomplished

While on the road in Portland last week I was thinking more about the security of my Macbook. The DNS poisioning exploit has been in the news lately, and while my personal machines have always been using djbdns I, of course, have no control over what server is being used by the conference or by my hotel's networks. At first I thought this would be easy to fix, just edit the DNS server settings in the Network DNS settings dialog.

I was surprised to learn that I could add, but not delete the DHCP DNS entries! After a bit of Googling I discovered that I wasn't the only one. I came across this excellent article from John Simpson on setting up djbdns's dnscache on the system. This works fine, except that /etc/resolv.conf isn't the source of the DNS servers on OSX. Some command line tools use it, but not Firefox or Thunderbird or even the system's gethostbyname() call (who'se manpage lies, btw). He has a method for disabling all DHCP DNSservers for the system, but it requires deleting entries from a system XML file, something that I'd like to avoid doing if possible.

It ends up that DNS servers are handled as part of a service called System Configuration. The /etc/resolv.conf file is the result of this service, not the source for it. You can change these setting temporarily, as described in this macosxhints.com article, but the changes are overridden on reboot, sleep or DHCP renewal.

There used to be a way to overcome this using a system called Kicker that would monitor the System Configuration for changes and then run a script for you. This did involve editing system XML files, but you were adding to them instead of deleting entries. This article on performing actions during a fast user switch provided some insight into how to get this to work with DNS changes, but alas Apple removed this feature in Leopard.

One thing that Apple did right in Leopard, despite the above mess, is they included Python and PyObjC. This gives us a powerful language with hooks directly into the system libraries. It ends up there is an API (well documented even) for manipulating the System Configuration dynamic store, which is where the DNS server information is kept. The PyObjC svn repository had a simple example for watching for all configuration changes, I took that and modified it (with the help of this program for connecting to a F5 VPN) and came up with monitorDNS.py

What it does is monitor for changes to the State:/Network/Global/DNS key, and then set the DNS servers to a list specified at the top of the program. By default the monitorDNS.py includes the OpenDNS servers, but you can change them to be anything you want by editing the IPs. Just remember to keep them as unicode strings (enclosed in a u'').

You can also run this at startup by adding it to /etc/rc.local -
csh -cf '/Users/path-to-code/monitorDNS.py >> /var/log/monitorDNS.log &'

What it doesn't do is detect different locations, or examine the previous DNS settings. It just makes sure that the DNS servers always stay set to what you want them to be.

Current Mood: happy

OSCON was pretty cool, but a bit long. Maybe next year I'll skip the tutorials and just do 3 days. I learned a few important bits about writing files in a secure (from the data-loss perspective) as well as the fact that OSX will not let you override the DNS settings sent by DHCP servers. After a few days of digging around I've got a fix for that -- I'll post tomorrow.

One surprise about OSCON was that the quality of the presentations were, for the most part, no better than those at LFNW. And in a couple cases far below what I'd call the LFNW average.

Current Mood: tired

I made it (or the truck did, with me in it). It took almost exactly 2.5 hours, just like Google Maps predicted. Almost no traffic slowdowns to speak of and only 1 or 2 wrong turns finding the parking garage entrance.

I hit the Intro to Django talk by Jacob Kaplan-Moss, it was a pretty good overview of all the parts of a Django application. One thing that surprised me was that it doesn't have any kind of SQL revision control. Once you setup the model its set unless you modify things manually.

Tomorrow is wxPython by Robin Dunn and porting to Python 3

Tags: oscon, oscon2008, portland
Current Mood: tired

The company I work for is sending me to OSCON this year. I live about 3 hours north, so I decided to head down on Sunday, stop by my parent's house and dis-infect their virus ridden XP system and get to the hotel around 7 or 8pm. The best laid plans...

The XP system so so virus ridden that I, with my admittedly rusty Windows skills, can't get it clean. Something is overriding the hosts file, another thing is blocking firefox.exe from running unless you rename it, a fake anti-virus program keeps trying to get them to buy it, etc. Time to nuke from orbit -- except I don't have time.

I jump in the truck to finish the trip to Portland and it goes 'click'. A decidedly un-healthy noise for a truck to make. After futzing around with jumper cables (I really need to buy a set), we get it started and running. Looks like the alternator is working (gauges are much more precise than idiot lights) and drivable. I can head to Portland and be stuck with a potentially dead truck, or home and diagnose and fix it. I voted for home.

I pull into the driveway and shut it off. And try to restart. Not even a click this time. Good thing I am not in Portland. Time for the voltmeter (everyone should have one!). Hmm, 12.8v on the battery post. 9.2v on the cable. 3.6v drop in less than 0.5" isn't a good thing. The connectors look somewhat corroded, but not as bad as when I leaned it a month or so back.

I mix up some baking soda and water and take a toothbrush to the works. I scrub off all crud, rinse off the posts and then take the post cleaner tool to them. It doesn't shine them up, but apparently it did the trick for now. I get 12.8v at the post and connector, and 14.22v with the engine running. The gauge does seem to be inconsistent -- sometimes it reads < 0v but the voltmeter still shows it charging.

So, I'm off to Portland and OSCON 2008 again in a few minutes. Hopefully I make it there by lunchtime and the afternoon Django session.

Tags: oscon, oscon2008, portland
Current Mood: annoyed