  • wpa_supplicant: GUI and wpa_action

    I’ve made two new interesting discoveries about wpa_supplicant since writing my last blog post on the subject. (Actually, I pretty much made both of them while reading documentation in order to write it, and have been lame about writing them up).

    Using wpa_gui

    It turns out that wpa_gui not only allows you to select existing networks, but also to scan for and add new networks to your configuration file. In addition, you can run it as yourself, without needing to sudo it. In order to do so, you need to add two lines to /etc/wpa_supplicant/wpa_supplicant.conf:

    ctrl_interface_group=netdev
    update_config=1
    

    ctrl_interface_group selects a UNIX group that will be given permission to read/write the control socket. I chose netdev because it seems like it’s supposed to be networking-related, and my login user was already in it on my Ubuntu machine.

    update_config allows wpa_supplicant to write back to its conf file if instructed to configure new networks by a UI (wpa_cli or wpa_gui). Note that this will squash any comments you have in the file.

    wpa_action — a mostly-baked roaming solution

    The setup I described in the previous post causes wpa_supplicant to manage associating with access points, while Debian’s ifupdown requests DHCP independently. There’s no communication between the layers, so if you switch networks, or associate some time after the interface is brought up, nothing tells dhclient to request a new lease. It turns out we can turn this picture inside-out, and make wpa_supplicant responsible for bringing up and down a virtual interface whenever it associates or loses association.

    To make this work, we’re going to need to edit /etc/network/interfaces again. Our wpa_supplicant.conf can stay unchanged; Debian’s wrapper scripts do all the magic. Replace your ath0 block and add a virtual default interface as follows:

    iface ath0 inet manual
      wpa-driver wext
      wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
    
    iface default inet dhcp
    

    The way this is going to work is that, whenever wpa_supplicant associates to a network, it will bring up the virtual default interface, causing ifupdown to spawn dhclient and request DHCP. When it loses association, it brings it down, killing the DHCP daemon.

    Furthermore, we can associate different virtual interfaces with different networks. Suppose that I usually want DHCP, but at home (essid nelhage) I don’t run a DHCP server, and just want my laptop to always grab 10.0.1.100. I can add an interface to wpa_supplicant.conf:

    network={
        ssid="nelhage"
        id_str="nelhage"
        key_mgmt=NONE
    }
    

    And then I add a new virtual interface to interfaces, corresponding to the id_str:

    iface nelhage inet static
            address 10.0.1.100
            netmask 255.255.255.0
            network 10.0.1.0
            gateway 10.0.1.1
    

    Now, if wpa_supplicant associates to the nelhage network, it will bring up the nelhage interface, binding ath0 to the static configuration there listed.

    For documentation, check out the third section of /usr/share/doc/wpasupplicant/README.modes.gz on your Debian or Ubuntu machine.

    In conclusion…

    This setup actually seems pretty close to the correct design for a roaming wifi architecture, to me. Unfortunately, my experience is that it hasn’t worked well for me; for some reason, when I put it in roaming mode, it fails to associate with networks that it otherwise works fine with. I suspect that this is related to madwifi suckage as much as wpa_supplicant suck, though, so I’d encourage everyone else who’s been fighting with wifi to try it out and report back if it works for them.

    Thursday, September 18th, 2008 at 12:07
  • autocutsel

    As most of you probably know, X has several different mechanisms for copy-paste, used by different applications in different ways. I know some people who use them deliberately, juggling two pieces of text in different clipboards at once, but for me, it’s always just been annoying. When I copy something, be it by Gnome C-c, emacs C-w, or selecting it in an xterm, I then want to be able to paste it again, no matter what mechanism I use.

    I’ve long thought it should be trivial to write a daemon that synchronizes the clipboards, and it turns out that indeed someone’s done so: Autocutsel. And now, it turns out there are in fact at least three clipboards, but by running it twice, syncing between two pairs, I’ve no longer had the issue of pasting from the wrong clipboard and having to remember how I copied that URL to give to someone. My .xsession incant is simply:

    autocutsel -fork
    autocutsel -selection PRIMARY -fork
    
    Tuesday, September 16th, 2008 at 12:08
  • New Blog Location

    I finally got fed up with Blogger, and am moving this blog to live on Wordpress hosted off of scripts.mit.edu. In the process of converting everything over and setting up Wordpress I’ve decided I hate it, but hopefully I hate it less than I hate Blogger. We’ll see.

    I’ve also changed the URL to this blog from http://nelhage.com/blog to http://blog.nelhage.com, which I like better as URL anyways. It should redirect to the toplevel of the new URL now.

    Friday, September 12th, 2008 at 14:17
  • Using wpa_supplicant on Debian/Ubuntu

    I’ve been using wpa_supplicant to manage wifi on my Ubuntu laptop for a while, and have found that it’s pretty close to what I want for managing wireless — closer than anything else I’ve found, at least. I figured I should document my setup and experiences.

    Some Background

    You probably all know just how much wireless on Linux can be a pain to get working right. Getting drivers and so forth working is usually fine these days, especially if you’re using Ubuntu, but managing connecting to multiple networks and dealing with WPA and WEP is a serious pain in the ass. Debian’s solution, the ifupdown infrastructure, lets you specify a single network or any, and doesn’t have an answer for encryption, as far as I can tell. Ubuntu (and Fedora)’s NetworkManager works great when it works, but it wants to own your entire networking stack, isn’t very transparent or debuggable when networking isn’t working, and the only interface is a dock applet, which is problematic for my minimalist XMonad-based desktop.

    Enter wpa_supplicant

    Despite its name, wpa_supplicant isn’t just about WPA. It’s actually a general management system for your wireless in disguise. You give it a config file of networks you want to connect to if they’re available, optionally with priorities, and settings about the kind of encryption and a password or key if needed. You then tell it “go”, and it will go scan for networks and connect to the appropriate ones as needed. If you need to override it, there’s a command line client (wpa_cli) to connect to the running daemon and tell it to connect to a specific network or AP (I think — I haven’t actually had occasion to use it much at all).

    My configuration

    I have an Atheros wifi card, so my wifi device is ath0. Adjust this as appropriate (it’ll probably be eth1 with most other drivers).

    First, install the necessary packages:

    $ sudo apt-get install wpasupplicant
    

    Then set up your configuration:

    • /etc/network/interfaces — We’re still going to use ifupdown to manage getting DHCP, but just not for wireless. So add a stanza to interfaces that looks something like:

      auto ath0
      iface ath0 inet dhcp
      wpa-driver wext
      wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
      
    • /etc/wpa_supplicant/wpa_supplicant.conf — This is the file where you’re going to specify what networks you want to connect to. /usr/share/doc/wpasupplicant/examples/ can explain the full range of options better than I can, but there are some examples below. For now, you can just put a

      ctrl_interface=/var/run/wpa_supplicant
      

    at the start of the file.

    Now, configure your networks in wpa_supplicant.conf. Some examples:

    • MIT’s network — open, no encryption

      network={
          ssid="MIT"
          key_mgmt=NONE
      }
      
    • WEP, hex key

      network={
          ssid="langtonlabs"
          key_mgmt=NONE
          wep_key0=deadbeef
      }
      
    • WPA1, password

      network={
          ssid="wireless-is-a-lie"
          psk="passw0rd"
      }
      

    Now if you bring up the interface with ifup ath0, wpa_supplicant will start scanning for networks and associate as needed. The crappy thing about this solution is that there’s no communication between wpa_supplicant and dhclient, so you won’t automatically try to get a new lease if you switch networks. I solve this with an ifup --force ath0 when I move my laptop between access points. I don’t do this too often without suspending, though, so it’s not a huge deal. Browsing documentation points me at something called wpa_action that’s supposed to fix this… If I figure it out I’ll post again.
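    The network blocks above, the ctrl_interface_group/update_config settings from the wpa_gui post, and the id_str-to-iface mapping from the wpa_action post are all easy to get subtly wrong by hand. The following is an added example, not code from the original posts: a small Python linter that parses a wpa_supplicant.conf and an ifupdown interfaces file and reports the things a security-minded admin would want to know (who can drive the control socket, which networks carry a plaintext passphrase or a WEP key, and which id_str values have no matching iface stanza). It assumes only the stock key=value / network={…} syntax and ifupdown’s iface stanzas; both sample inputs are constructed from the fragments on this page, not taken from a real machine.

```python
"""Added example (not the post author's code): lint the wpa_supplicant.conf /
ifupdown pairing described on this page. Assumes stock wpa_supplicant.conf
syntax (key=value lines, network={...} blocks, '#' comment lines) and
ifupdown 'iface' stanzas. Both sample inputs are constructed."""
import re

SAMPLE_WPA_CONF = """\
# constructed sample, assembled from the page's fragments
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=netdev
update_config=1
network={
    ssid="langtonlabs"
    key_mgmt=NONE
    wep_key0=deadbeef
}
network={
    ssid="wireless-is-a-lie"
    psk="passw0rd"
}
network={
    ssid="nelhage"
    id_str="nelhage"
    key_mgmt=NONE
}
network={
    ssid="office"
    id_str="office"
    psk="hunter2hunter2"
}
"""

SAMPLE_INTERFACES = """\
# constructed sample of a roaming-mode /etc/network/interfaces
iface ath0 inet manual
  wpa-driver wext
  wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface default inet dhcp

iface nelhage inet static
        address 10.0.1.100
        netmask 255.255.255.0
"""


def unquote(value):
    """Strip one pair of surrounding double quotes, if present."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_wpa_conf(text):
    """Return (globals, networks). Values are kept raw so that a quoted
    psk="passphrase" can be told apart from a bare 64-hex pre-shared key."""
    globals_, networks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        else:
            key, _, value = line.partition("=")
            (current if current is not None else globals_)[key.strip()] = value.strip()
    return globals_, networks


def parse_interfaces(text):
    """Return the logical interface names defined by 'iface' stanzas."""
    return set(re.findall(r"^\s*iface\s+(\S+)\s", text, re.M))


def lint(wpa_text, interfaces_text):
    """Return a list of (severity, message) findings about the two files."""
    findings = []
    conf, networks = parse_wpa_conf(wpa_text)
    ifaces = parse_interfaces(interfaces_text)
    group = conf.get("ctrl_interface_group")
    if group:
        findings.append(("info", f"group '{group}' can drive the control socket (wpa_cli/wpa_gui)"))
        if conf.get("update_config") == "1":
            findings.append(("warn", f"update_config=1: group '{group}' can also persist new "
                                     "networks and keys to the config file (comments are lost)"))
    for net in networks:
        ssid = unquote(net.get("ssid", "?"))
        if any(k.startswith("wep_key") for k in net):
            findings.append(("warn", f"{ssid}: WEP key configured; treat this link as unencrypted"))
        psk = net.get("psk")
        if psk is not None:
            if psk.startswith('"'):  # quoted psk is the human passphrase itself
                findings.append(("warn", f"{ssid}: plaintext passphrase in psk=; store the "
                                         "64-hex PSK from wpa_passphrase instead"))
            elif not re.fullmatch(r"[0-9a-fA-F]{64}", psk):
                findings.append(("error", f"{ssid}: unquoted psk is not a 64-hex PSK"))
        id_str = net.get("id_str")
        if id_str is not None:
            id_str = unquote(id_str)
            if id_str not in ifaces:
                findings.append(("error", f"{ssid}: id_str '{id_str}' has no matching "
                                          f"'iface {id_str}' stanza"))
        elif "default" not in ifaces:
            findings.append(("error", f"{ssid}: no id_str and no 'iface default' stanza"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_WPA_CONF, SAMPLE_INTERFACES):
        print(f"[{severity}] {message}")
```

    Run against real files with lint(open(conf).read(), open(ifaces).read()); the one error the sample produces is the office network, whose id_str points at a stanza the interfaces file never defines. The psk check is the useful one to keep around: the 64-hex value that wpa_passphrase prints is still a secret, but it is not the human passphrase, which tends to get reused elsewhere.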

    This works quite well for me, better than any other solution I’ve found for moving my laptop between multiple access points, and handles WEP, WPA, and WPA2 just fine. Hopefully it’ll be helpful for someone else.

    Friday, August 22nd, 2008 at 14:06
  • Automounting sshfs

    For some time now, many of us around MIT have noticed just how awesome sshfs is. It gives a totally lightweight way to access the remote filesystem of any machine you have ssh to, without requiring any extra setup on the host. I’ve been running for at least a year now with my /data RAID on my server sshfs-mounted on my laptop, and it works totally great.

    Recently, I came across two awesome things that make sshfs even neater. The first is the ServerAliveInterval ssh configuration option. I (and many others) had noticed that if you changed IP addresses (which happens all the time with our laptops), sshfs will just kinda hang there, and so will anything that tries to access anything in the sshfs-mounted filesystem. sshfs has a -o reconnect option that makes it automatically reconnect the underlying ssh if it dies, but it doesn’t solve the problem of the ssh hanging forever. The solution, it turns out, is the ServerAliveInterval config option. Just add

    Host *
    ServerAliveInterval 15
    

    to .ssh/config, and ssh will send in-protocol keepalives every 15 seconds if the connection is idle, and die if it doesn’t receive anything back. Combine this with -o reconnect, and everything Just Works when you change IPs.

    The second cool thing is afuse, the FUSE automounter. It lets you set up an automounter for just about anything you can think of, using another FUSE filesystem itself. I simply run it as

    afuse -o mount_template='sshfs -o reconnect %r:/ %m' -o unmount_template='fusermount -u -z %m' /ssh
    

    from my .xsession, and I have a /ssh automounter! Combined with the wonders of kerberos and public keys, I never have to type a password, and I get easy remote access to just about every machine I care about!

    (Note that I did have to chown /ssh to me in order for me to be able to run afuse as me, which is necessary for sshfs to access my kerberos tickets and ssh keys. This is fine for my laptop, but obviously wouldn’t work for a dialup or other multi-user machine.)

    Sunday, March 23rd, 2008 at 18:54
  • Conkeror

    I’ve recently switched to Conkeror as my primary browser. It started life as a Firefox extension, but nowadays it’s a standalone app built on top of Mozilla’s xulrunner, so it uses the Gecko rendering engine.

    What it is, is an emacs implemented in Javascript, for the web. This means on the one hand that it acts like emacs. Most of the basic emacs keybindings are supported — you open URLs with C-x C-f, and have buffers you can switch between with C-x b and so on.

    However, what it also means is that internally, it is fully an emacs, with all the extensibility and all the other things that apply. The UI you see is just code written on top of a generic core, that implements the core emacs primitives, including

    • The basic buffer datatype. But instead of being a plain text store, it’s instead a full Gecko XUL/XHTML DOM.
    • A self-documenting command infrastructure and variable infrastructure, that lets you look up the documentation and definition of any command or configuration variable.
    • keymaps accessible from javascript that map keys and key sequences to commands, letting you rebind any key from your configuration code, and define new modes with completely new keybinding sets

    In other words, it really is not just an emacs-like frontend to Gecko/Firefox, but is a full platform on top of xulrunner for writing interactive applications in javascript/html/css like emacs.

    I predict it’s only a matter of time before someone

    • Adds the ability to edit local files and becomes a full text editor that can actually start to compete with emacs. At that point people will start to port things like emacs-vc and all the Nice Things we’ve come to expect from emacs, and
    • Writes a mailreader for it ;)

    Thursday, March 13th, 2008 at 19:57
  • todo.pl ratmenu

    broder has been hacking on some better quicksilver integration for Hiveminder using todo.pl.

    I don’t use a mac, but I don’t see why linux users shouldn’t get fun toys to. So I hacked up the following two-liner that uses todo.pl and ratmenu to pop up a list of tasks, and mark one as completed:

    #!/bin/sh
    # Each todo.pl line of the form "#<id> <title>" becomes a ratmenu entry
    # whose action runs "todo.pl done <id>"; ratmenu is exec'd once at EOF.
    todo.pl | perl -ne 'push @a,$2,"todo.pl done $1" if /^#([\w]+) (.+)$/;' \
                   -e 'END{exec("ratmenu",@a)}'
    

    I dropped it into my ~/bin and bound it to C-t x in my window manager (XMonad). I love it already.

    Tuesday, February 19th, 2008 at 23:46
  • A week with the iPhone

    I’ve had a new iPhone for about a week now, so I figure it’s time to write up some thoughts about it.

    First, the little things. It is, in typical Apple fashion, an incredibly slick piece of work. Scrolling and zooming images or webpages is simple, easy, and, well, just fun to do and watch. Mobile Safari does a great job of making full webpages usable on the tiny screen.

    The keyboard is totally fine after a little practice. I don’t think it’d work nearly as well for e.g. working at a shell; the predictive text is key to using it well, and getting at symbols is a bit of a pain. Also, I’ve found that using it (or just using the phone heavily) with one hand (phone in palm, thumb on keys) is horrible for my hand. Doing so for more than a very short time leaves the back of my hand and/or thumb hurting for the rest of the day.

    I haven’t hacked the phone at all — Firmware 1.1.2 patched the hole jailbreakme used to get in, and my attempts to downgrade the firmware left the phone nonfunctional until I flashed it up again. I may try again later, but I’ll probably just wait and see what the official SDK looks like in a month or two.

    My first major complaint about the iPhone is that it seems to be, for all it’s supposedly running a nearly full-blown OS X, a single-tasking device. There’s no way to get Mail to download your email in the background. Switch away from Safari, and the only option is to pause what it’s doing, not keep loading or running JS in the background. So, if I want to be logged into AIM via a Web 2.0 javascript client, that’s all I’m doing. No checking mail or making notes in the background, or even browsing the web in another window! Leave two windows open long enough, and Safari will eventually decide to entirely forget about the contents of the inactive one, presumably to save memory. I haven’t checked, but I bet even an incoming call will completely pause whatever’s running, so stay on a call for more than 30s and you’ll get bumped. I understand the desire to keep resource usage down, but this is pretty annoying.

    Edit: Apparently Mail is fetching in the background. That doesn’t change the fact that Safari, and hence every “supported” custom “app” (by which I mean webapps), can’t run in the background.

    The second issue is more fundamental. The iPhone seems to be basically a dumb internet client. It expects to be connected to the web all the time. Take away the web, and it becomes more of an iPod than a PDA. And EDGE, while it’s not horrible, just doesn’t quite cut it for this purpose. Hiveminder is practically unusable from the thing over EDGE, due to the server roundtrips for every operation. And while a local client might be able to hide that in the background, we don’t (currently) get the ability to write such a thing even if someone wanted. The Javascript AIM client I’ve been using is decent, but it’s definitely not as smooth as a local one could be. (And Safari doesn’t save passwords, so I get to type my password, mixed caps and symbols and all, on the soft keyboard every time. It’s the little things.) You also can’t save content from the web on the phone itself; you can download images or calendars from a computer to the phone, but not from the phone itself, which is pretty annoying.

    I’ve spent most of the last four days outside of wifi, so I’ve been using the phone via EDGE a lot. I’m starting to buy into Jesse’s vision of a disconnected syncable future more and more. I really want my data local, not 1s latency away, or completely inaccessible because I happened to step inside the wrong building.

    I think the summary is: No, cute little JS webapps are not in fact nearly sufficient as a development platform for this thing. It’s got great potential, but Apple, please give us a real SDK. When you release your announced SDK in a month or so, it had better let us write apps that are first-class in every way compared to the built-in apps. Otherwise, I will never be able to take the (unhacked) iPhone seriously.

    Monday, December 31st, 2007 at 01:41
  • DEF CON

    I’m sitting in the airport in Las Vegas on the way back from DEF CON (http://defcon.org) 15. It’s the first time I’ve been at the con, and it wasn’t really what I expected. Frankly, I walked away feeling kinda underwhelmed.

    Very few of the talks were as technical as I was hoping — they were almost universally broad overviews of an area, with lots of introduction, and relatively little, to my eye, technical meat. Jim informs me this is fairly typical, and it makes sense, but it was disappointing for me. I was really hoping to find more talks that I would have to stretch to understand, or look at the slides later over Wikipedia and some code samples to figure out what was going on, but everything I saw felt kinda dumbed-down. It’s probably realistically all I can expect from a con of that size, but it’s not what I was hoping for.

    I felt like I was disappointed at the amount of cool random hacker energy from the attendants, as well. DEF CON seems to be universally characterized as “hardk0re”, but it didn’t always feel like it to me. There was a “Øwn the box, Own the box” contest, where about a dozen boxes were put on the network at published IPs, and if you compromised one of them, you would walk away with it. Not one of them got owned, even ones running known-vulnerable services (albeit protected by ASLR and some form of W^X). Maybe the boxes actually were just really secure, but I had hoped that at the place with a reputation for “The world’s most hostile network,” one of them would have gotten cracked. It seems like people — at least the people with real skill and experience — probably just weren’t trying. Obviously a crappy PIII isn’t worth the time you’re going to spend cracking it, but I would hope people would do it for the fun and the challenge.

    Maybe part of the problem is that no one wanted to take much time out of the talks to work on other stuff. I think that if I go back, I’ll probably punt most of the talks, and spend my time at the contests, learning to pick locks better, or participating in aCTF or attacking the ØtB/OtB boxes myself. I severely doubt I would have won anything, but I think I would have learned more, and met more cool people, than I did at the talks.

    I am glad I went, despite the disappointment. It was fun, some of the talks were pretty cool, the DEF CON badge is totally fucking awesome (I think I’m going to try to get the technology and time to hack at it over the year), the NBC Dateline reporter getting outed was fucking hilarious, and it was a really interesting experience. I’m not yet sure whether or not I’ll go back again, though.

    I might follow up this post with a more specific one about things that were cool.

    Sunday, August 5th, 2007 at 22:53
  • I’m taking 6.170 Lab in Software Engineering this semester. The course sucks in various ways, but one of the most egregious, in my opinion, is that they force you to use CVS for your version control. Problem sets are distributed by the TAs importing them into your repository, and are then checked out later to be graded. Well, CVS sucks, and there’s no way I’m going to use it when there are sane, modern alternatives like SVN and SVK

    Luckily for sanity, there’s a great piece of software called Tailor designed to solve exactly this problem — it lets you mirror a repository that uses one version control system into one using another. So, I can mirror the required CVS repository into a svn repository somewhere, and operate against that.

    But the issue is that tailor only really does one-way mirroring; it doesn’t do syncing and merging between the two repositories. So, if I have svn mirror CVS, then changes I make don’t get propagated back. If I mirror svn to CVS, I don’t get new problem sets the TAs import.

    My current solution, which I can describe only as “I know what I am doing is wrong”, is as follows:

    • I have tailor set up to merge from SVN to CVS
    • tailor runs in a SVN post-commit hook, so revisions are automatically pushed to CVS
    • Whenever the TAs announce a new pset is available, I do the following:

      # The svn repo is checked out at ~/6.170/psets
      # The cvs repo is located at /mit/nelhage/6.170/cvsroot
      # The TAs have just announced ps2 is available
      $ cd ~/6.170/psets
      $ cvs -d /mit/nelhage/6.170/cvsroot co /psets/ps2
      $ svn add ps2
      $ rm -rf /mit/nelhage/6.170/cvsroot/psets/ps2
      $ svn ci -m "ps2 import from CVS"
      

    That is to say, I manually add the new problem set to SVN, and then delete all trace of it from CVS, and then the commit runs tailor to re-create it in CVS, but keeping svn as the master repository.

    The sketchy piece is that I am actually deleting all trace of it from the CVSROOT; there is no trace whatsoever of the initial import by the TAs.

    However, at the same time, it feels somewhat elegant; the svn repository is at all times the master, containing all the information in the CVS repository. And, frankly, I’m uncomfortable that the TAs are injecting things directly into my repository anyways, so I have no problem undoing it.

    Sunday, February 11th, 2007 at 01:33