The best of a bad lot

Welcome to my blog!

Permalink 09/18/09 18:25, by Ryan
[photograph of self]

Hello! My name is Ryan Tucker, and you’ve found my awesome blog. If you’re new here, feel free to read more about me…


MikroTik RB750GL: Linux goes into the closet

Permalink 09/02/11 15:56, by Ryan, Categories: Geekery

Once in a while, a product comes along that makes me smack my forehead and exclaim “I’ve been doing it wrong!” After a week of mulling my latest solution – an OSPFv3-powered IPv6 OpenVPN network between my house, a remote server, and my netbook, so that I can print over the household wireless LAN without tromboning the print job through New Jersey – I remembered an advertisement I’d seen in Linux Journal from a company called MikroTik, pitching a $39.95 MPLS router. Having cut my teeth on hardware priced with commas instead of decimal points, I was convinced there must be a catch.

I finally looked into it, and was pleasantly surprised by the specifications of their SOHO gigabit product, the RouterBOARD 750 GL. In short, the router will do everything I’m currently doing (and more!) with my trusty Linksys BEFSR41 and an old PC running Linux, but in one $60 box. With five 10/100/1000 Mb/sec auto-everything Ethernet ports, respectable throughput, and flexible power (8 to 30 volts DC, barrel plug or PoE), it was going to be a slight improvement over the existing router, at the very least. I went for it.

MikroTik’s RouterBOARD includes a variety of different hardware form factors, network interfaces, and enclosures, centered around a common embedded platform and a Linux-based operating system, RouterOS. The operating system will run on other hardware, including x86. RouterOS isn’t free, but as router operating systems go, the licenses are both generous and affordable. Of course, RouterBOARD hardware is licensed and ready-to-run. My device arrived with RouterOS v5.2 and the starter Level 4 (WISP) license, a $45 value.

(At this point, you might notice that the $39.95 router mentioned above costs less than $45. Also, the RB750GL’s nominal power consumption is a miserly 2.4 watts, with 3.6 watts maximum. If you’re one of those people, measure how much power your old router-computer draws, then recycle it in an environmentally-friendly fashion.)

I have yet to put it through its paces with OSPF or OpenVPN (perhaps because the router obviated my present need for them), but here’s how my experience has gone so far:

Purchasing: Being a Latvia-based manufacturer of specialty equipment, MikroTik doesn’t sell directly to consumers, nor can you buy their products on Amazon. This means you’re going to get to work the ol’ distributor/reseller network. They have a respectable number of distributors, although none of the 29 North American distributors were names I’d heard of. I picked the six or seven closest, eliminated any that did not have online ordering, pricing, or stock of the RB750GL, and ended up with Illinois-based rOc-nOc. The unit was priced as expected, and UPS Ground shipping to upstate New York was reasonable. My Monday evening order shipped Tuesday and arrived on Thursday.

Packaging: A cardboard box, sized perfectly for the router and its obligatory wall wart. It made me happy, with everything recyclable but a twist-tie and the operating instructions printed entirely on the bottom of the box, but I’m weird like that. It quickly cleared household customs inspection.

Turning it on: Well, I followed the instructions. I plugged port 1 into the household LAN, my netbook into port 2, and plugged it in. After some frustration with the network stack on my netbook – not the router’s fault at all – there I was. The Internet was reachable, I had an IP address, and it was effectively doing everything my existing router was doing. This is perhaps the best possible default for the SOHO environment. While I’m quite familiar with configuring NAT with Linux, I wouldn’t exactly say I was looking forward to having to do so. Nevertheless, I went to the router’s IP address to look under the hood, and received a choice of options for configuring my router.

Configuration: As any network technician will tell you, the user interface makes the router. Having seen a lot of dubious clones of Cisco’s IOS, I’m happy to report that MikroTik did not attempt to make it look like IOS. Actually, I don’t know that first-hand because I have not had to use the CLI; I am, however, basing it on the copious online documentation, most of which is targeted at the CLI. The great news is that the Webfig configuration interface matches the CLI in an intuitive fashion, although it sometimes isn’t obvious what the menu-specific actions do (e.g. “DHCP Config” vs. “DHCP Setup” on the DHCP Server menu), and it was by accident that I realized you could double-click on menu items. Some tooltips to suggest actions might be nice to have. There’s also a mature Windows-based software client, Winbox, and the aforementioned CLI.

Documentation: MikroTik has dispensed with the traditional Canonical Manual of Ultimate Truth, having apparently realized that such things are obsolete the moment they click “Export to PDF” and cannot anticipate the wonderfully crazy things customers want to do. The MikroTik Wiki might just be the culmination of the printed manual set’s long decline. The affordability of the RouterOS platform seems to bring out the grassroots innovation, and the community likes to share. Pretty much every feature is documented in detail, often with examples, although some of the more “advanced” features assume prior experience. It’s unlikely you’d find an illustrated example of OSPFv3 interoperability with Quagga or a practical discussion of grounding in a traditional manual.

IPv6: Even though my ISP does not yet support IPv6, I maintain IPv6 connectivity through the free Hurricane Electric tunnel broker service. Previously, I was using a PC as an IPv6 router, with an OpenVPN tunnel through the IPv4 NAT to a Linode VPS, which itself tunneled to the nearby tunnel broker. This worked quite nicely, but it is somewhat complex to operate alongside Linode’s native IPv6: source-based policy routing isn’t rocket science, but it’s not something normal people do. Fortunately, RouterOS supports IPv6 nicely, and works nicely with tunnel brokers. Not too much to say here, aside from this being a good time to mention the scripting capability, and its usefulness for updating the IPv4 address of your tunnel, should it change.

Still in the pipeline: I’ve only had this router for about 24 hours, and it has only been in production since last night. So, I haven’t had a chance to play with everything. The next things on my list include bandwidth shaping, VLANs (to isolate VoIP phones), DHCP-triggered DNS updating, and – yes – taking a look at the CLI.

OVERALL: My biggest disappointment with the MikroTik RB750GL is that I didn’t buy one sooner. It’s the sort of router I love to support – solid, featureful, and competitively-priced. It’s a performant Linux router for the serious network closet, without flashing firmware, pounding out shell scripts, or voiding warranties. Your wallet might think you’re getting DD-WRT, but your wife knows the telephones will still work.


Why I Support Universal Healthcare

Permalink 06/10/11 16:30, by Ryan, Categories: Useless Blatherings, Rally

As many of my compadres know, my wife and I head down to Wellsboro, Pennsylvania each year for the Susquehannock Trail Performance Rally, a two-day rally race through the forests of north central Pennsylvania.  Most years, my wife works in net control and I work out in the woods as a navigator and radio guy on the Trakker team, the first non-competition team that enters the stage shortly after the last competition car.  Fun, challenging, and a great way to spend the weekend.

Of course, as anyone involved with rally knows, nothing ever goes according to plan.  I spent much of Thursday morning working, then helped my wife haul the remains of a downed fence to the curb.  We grabbed lunch, finished packing, then went to a meeting in the early evening.  About an hour into the meeting, my back started getting particularly stiff, as it often does after sitting too long.  I excused myself, and tried some stretches to get it limbered up.  Alas, none seemed to help that much.  I didn’t think much of it at the time, but I did advise my wife that she was going to have to drive, and I took muscle-relaxing and pain medications.

My back, unfortunately, started hurting more and more as we drove.  We’d stop every once in a while and I’d try to help whatever was wrong, but nothing was working.  Somewhere around Avoca, the pain became unbearable, and I spent the rest of the trip roiling around in the back seat, unable to stay in the same position for more than a few seconds.  This was not a stable situation, and I feared there might be some serious underlying problem.

As we approached Wellsboro, I declared an emergency.  I told my wife that we’d drop our belongings off at the B&B, and once that was done, I’d like to be taken to the emergency room.  Of course, she took me there, and within about a half-hour, I was receiving intravenous pain medication and on my way to get a CT scan for possible kidney stones.

I did not, at any point during this ordeal, think about the costs involved.  My only concerns were getting better, and ensuring that everyone relying on me – my wife, my teammates, etc – were informed about my situation and able to keep things going, since I was certainly not going to be able to do much the rest of the weekend.

This makes me one of the luckiest people in the world.  I am married to a card-carrying member of IBEW Local 86.  In my wallet, I have an insurance card.

I don’t yet know how much the ER visit cost, and we will undoubtedly have to pay something out of pocket, but the hospital will get their money, the doctors and radiologists and nurses will get theirs, and I will not have to cash in my IRA or declare bankruptcy or dicker with the hospital’s Accounts Receivable department.  Thankfully, there were no kidney stones or other obvious acute problems, so I was only there a few hours and left with a prescription for a common medication to treat muscle spasms (which shall not be named, thanks to the anti-spam filter), but it could have been worse.

There are about 46.3 million people in the United States (as of 2008, per the Census Bureau) who do not have the luxury of health insurance, for whatever reason.  Many can’t afford it, others can, but choose to opt out of it.  If I were one of those 46.3 million people, the hospital would have been required to treat me (under EMTALA), but I would be personally responsible for the full cost of treatment.  Like any other debt, I would either have to pay it or suffer deleterious consequences to my credit reputation.  In other words, by entering the emergency room, an uninsured individual assumes a significant risk of financial ruin.  The hospital also (involuntarily) assumes a risk of not receiving any compensation for emergency treatment of this individual.

That’s fifteen percent of the population of the United States.  Some are already in financial ruin, some will be fortunate enough to avoid it, but it does impact all of us when it happens.  A hospital must pay their bills, even when a patient cannot; this increases the costs for all of us, especially when the emergency room is used for primary care by those who have already fallen into the abyss.

I do not see my prosperity and security as things rare and special, as jewels to hoard and protect.  Indeed, our society’s wealth is not defined by the “high scores,” like some sort of arcade game, but rather by the shared prosperity and security of all.  I cannot fully enjoy my health insurance as a privilege, knowing that it is as essential to my success and sense of well-being as clean air and water, yet it is merely a perk of choosing a particular way of life.  I do not want to be part of an exclusive, elite club of people who can enjoy the privileges of a healthy life under the guidance of physicians.

If this makes me a socialist, then I’ll gladly be a socialist.

Blog software upgrade: Now running b2evolution 4.0.3

Permalink 02/13/11 19:28, by Ryan, Categories: Useless Blatherings, Geekery

(Because, obviously, I pay a lot of attention to this blog.)

Due to a sudden, unexplained surge of productivity, targeted at matters not immediately related to schoolwork or awesomely-fun client projects, this blog has found its underlying software upgraded to the latest stable b2evolution.  (Also, having seen the light, I've relented and allowed it to use the InnoDB storage engine.)

Let me know if something is broken.  Odds are good I won't do anything about it for months, but it will be added to my to-do list, where it will languish and burden me with procrastinational guilt every day.

Trust, but verify, your life safety technology

Permalink 11/14/10 20:32, by Ryan, Categories: Useless Blatherings

For as long as I can remember, firefighters have been known for their twice-a-year reminder to change your smoke alarm batteries when you change your clocks.  However, since most new smoke alarms (including all of ours) ship with ten-year lithium batteries and low-battery alarms, I stopped paying attention some time ago.  Instead of climbing the stepladder twice a year to swap out the batteries, I just go ahead and trust that they will bellow when their batteries get low.

Last Sunday, I got an e-mail from a good friend of ours in DC.  At about 7am Saturday morning, she awakened to the sound of the smoke alarm in her small apartment.  She quickly noticed the flames shooting out of the top of her electric stove and jumped out of bed.  Fortunately for herself and her neighbors, she had the presence of mind to grab the fire extinguisher, put out the fire, and call 911.  She, and her dog, are uninjured, and the damage is limited to a few destroyed appliances and a mess of soot and dry chemical to clean up.

This story ends well because she had a working smoke detector and a charged fire extinguisher.

Picture of Nicole's extinguished stove

For the first time in an embarrassingly long time, I tested our smoke detectors.  The one purchased last year (with a permanent set of batteries) tested fine, but the one nearest our bedroom was another story:

Me: "This is a test!" *click*

Smoke detector: ...

Me: "That... was a failure."

I plucked the detector off of the wall and replaced its original battery, easily eight years old, and it now works again.  I also tested our CO detector, which I walk past a dozen times a day.  I hadn't tested it since buying this house seven years ago, and sure enough, it was dead.

Both have low-battery indicators and should have let us know when they were low.  But we trusted a single, fallible feature with our lives, when the "Test" button was right there the whole time.  Obviously, they would let us know they weren't working... right?

So, if you haven't done so lately, change the batteries in your smoke and CO detectors.  Batteries are cheap.  If a smoke detector is more than ten years old, or if your CO detector is more than five years old, replace it.  They, too, are inexpensive, especially when you consider the consequences of not having them in good working order when you need them.  You should have a smoke detector on each level of your home, and outside of each bedroom.  Also, make sure you have properly-sized fire extinguishers where you need them, and that they are in good working order.

If you don't have the means to ensure this equipment is in good working order, perhaps due to physical or financial constraints, call your local fire department.  They will help you out.  If you can't afford a smoke detector or CO detector and your fire department won't help, drop me an e-mail.


A Case for Working with Your Hands

Permalink 09/13/10 14:32, by Ryan, Categories: School, Useless Blatherings, Geekery

Matthew Crawford, author of the best-selling Shop Class as Soulcraft, opened the Caroline Werner Gannett Project’s “Visionaries in Motion IV” speaker series at RIT on September 8. Crawford, whose career path has meandered from electrician to philosopher to think-tank director to motorcycle mechanic, speaks a gospel seemingly well-crafted to the emerging open-it-up-and-make-it-better maker culture. The prevalence of futuristic seamless designs, built to be replaceable rather than repairable, is but one contributor to the demise of the craftsperson in everyday life, however.

The focus of Crawford’s ire is more systemic. Over the past few generations, the perceived value of doing “hard work” for a living has plummeted. Smart kids have been increasingly funneled towards a college degree in some field of thinking, such as engineering or computer science or philosophy. This left the more vocational career paths, such as becoming a mechanic or a tradesperson, for those not “smart enough” to operate a pencil or keyboard for a living, and created a belief that “if the work is dirty, it must be stupid.”

In reality, trades work requires nontrivial thought, often more so than white collar jobs. Crawford’s current profession, repairing classic motorcycles, is a prime example of a very thought-driven yet “dirty” job. There are myriad things that can go wrong with a motorcycle, and each manifests itself in a unique and often deceptive way. There is no OBD-II port, and there probably isn’t a repair manual either. This leaves the motorcycle mechanic somewhere the office dweller rarely treads: relying only on intuition and experience.

An important discriminant of a good career path is economic viability. Here, Crawford draws a distinction from the makers and artists by focusing on the ability to earn a decent living. Hackers and knitters and gardeners are essential in our culture, but very few people make a career of such craftwork. This leaves the rest of us, who aren’t the “rock stars” of our fields, to find some way to pay the mortgage and feed the cats. Crawford also underscores economic viability with the outsourcing test: if it can be outsourced to another country to save money, it probably will be. As unglamorous as plumbing may be, you cannot (currently) outsource toilet repair to Indonesia.

Another cornerstone of Crawford’s argument includes the intrinsic satisfaction of a job well done. In his work as an “unlicensed but careful” residential electrician, he found the “let there be light” moments at the end of the day to be uniquely satisfying: something actually happened indicating that his work was successfully completed. Also, self-assessment is trivial in such a job. Either the light comes on, or you did something wrong; either you can bend conduit or you can’t. Incompetence is obvious, and there is no hiding behind nebulous evaluations or committee reports. In my personal work as a contract systems administrator and shadetree Pythonista, I know the other side of this quite well. It’s often difficult to end the day thinking “well, maybe I got something done.”

How does Crawford propose rectifying the lack of respect for the trades and the over-importance of the college path? It comes down to perception, and that will be difficult to change. Any high school principal who publicly states that her school’s ultimate goal is anything less than a 100% four-year college transfer rate will find herself without a job relatively quickly. School resources will necessarily be focused towards activities which crank up the test scores, and shop class is usually not one of them. This is quite unfortunate, as the only tangible things I still have from my high school career are a wooden lamp from shop class and a frilly pillow from home economics. They are also the only tangible things (aside from a balsa wood bridge and various baked goods, elsewhere in those courses) I made in high school. Alas, Crawford offers no real solutions, but drawing attention to the problem is a necessary first step.

A good job is one where one puts their best capacities to work with an effect on the real world, according to Crawford, and we have optimized our society to produce individuals focused on putting their college degrees to work with an effect on their real bank balance. While the world needs engineers and architects and middle managers too, the future seems to be in the calloused hands and adaptive minds of the workers.

(Full disclosure: this blag post will be submitted for extra credit in an Intro to Philosophy class.)


Review: Sharpie Liquid Pencil

Permalink 08/28/10 18:20, by Ryan, Categories: Useless Blatherings, Geekery, Photographs

Since man’s first forays into the written word, his dreams and aspirations have centered around improving the weakest link in the compositional process: the interface between nebulous mind and printed matter.

Sharpie Liquid Pencil

Certainly, the advent of the printing press and the widespread acceptance of the word processor revolutionized writing as we know it, but the actual implements of drafting have changed comparatively little. We still scribble with pens and pencils and type on keyboards that would be familiar to many typists alive during the civil war.

Perhaps this is because great writers, like great carpenters or engineers, never blame their tools for their own inadequacies. Investing in the right tool for the right job is one of the most important investments you can make, but is a mechanical pencil the best we can do?

Most of my writing output is digital nowadays, so my “analog” writing needs center around tactical writing situations. I still prefer a mechanical pencil and paper for mathematics work, note-taking, and jotting down reminders. Even though I carry a netbook most days, pencil and paper affords me maximum freedom to arrange and annotate notes just so, with drawings and diagrams requiring no additional effort.

This works out pretty well, but I have a few issues with mechanical pencils: broken leads, incessant clicking to dispense more lead, and a tendency to make noise due to the leads rolling around inside the chamber. Also, my favorite mechanical pencil, a Pentel 0.5 mm, has a relatively slender profile and causes a little more fatigue than I’d like, especially compared to the Pilot G-2 fine point I enjoy. Even though I have no reason to ditch my beloved Pentels, I owe it to myself to see what’s out there.

Enter the Sharpie Liquid Pencil. This curious device writes like a pen, but its output is equivalent to #2 pencil lead and is erasable as such. While Pentech’s Liquaphite has been on the market for some time now, the Sharpie’s major advantage is price: about $2 each, versus about $50 each for the Pentech.

The Physics

Liquid pencils in their natural habitat

I ordered a two-pack of Sharpie Liquid Pencils from Amazon.com, for about $6 with tax. After a brief backorder, the devices arrived. The two-pack comes with a set of six bonus erasers, which are loosely floating around inside the blister pack (I had to do a brief search and rescue operation after opening the package).

It is a bog-standard retail package of the sort you’ve all seen before, so I immediately popped it open and weighed it using the hoopycat.com scales of science. The liquid pencil weighed in at 12 grams, compared to 11 grams for my recently-reloaded Pentel and 10 grams for my Pilot G-2. I would consider this reasonable, within the expected error range of the scale.

As far as handfeel and geometry go, the Sharpie is almost indistinguishable from the Pilot G-2. It feels solid, has good balance, and has the padded grip right where I like it. The grip lacks the texture of the Pilot, but this is not a dealbreaker for me.

Curiously, the Sharpie rattles when shaken. This is due to the clicker retraction mechanism, which involves the entire top quarter of the barrel. Unfortunately, there’s too much mass there and too many places for plastic-on-plastic contact, so its operation is not completely silent. A smaller “button,” such as on the G-2, would have likely improved the situation.

The Output

Comparison writing test

Alas, my tests revealed that the Sharpie Liquid Pencil’s writing quality is more like that of a cheap ballpoint pen than a quality mechanical pencil. I tested on a variety of surfaces, including a sticky note, some copy paper, the backs of the packing slip and shipping envelope, a sheet of newsprint, and the writing pads I use for note-taking. Overall, I found the marks to be spotty and irregular, as if the flow rate through the ball were inconsistent depending on angle and velocity.

This is a curse that befalls a number of pens, but is certainly an unwelcome introduction to the pencil. I think this, above all, will be the dealbreaker for notes and homework. While the liquid pencil’s quality improved with greater downforce and velocity, this is not acceptable for lectures due to the resulting fatigue.

A high-resolution scan of the writing pad test is available in the photo gallery, along with a number of other images.

Hiding the Evidence

Erasing test

The ability to erase is one of the key features of a pencil, and in this category, the Sharpie is no slouch. The built-in eraser erased the text from a post-it note perfectly, but my standard Staedtler Mars plastic eraser left a little bit behind. In the image on the right, the third row was erased with the Staedtler, and the fourth was with the built-in eraser.

One downside to the built-in eraser: it goes fast. I had a noticeable bevel on it from just erasing two words, and I’m not entirely sure it would survive my typical sentence.

After 24 hours at room temperature, marks were essentially un-erasable by either eraser. They just get a bit lighter without fully disappearing.

Unsuccessful Smear Campaign

My more sinister colleagues often worry about their clumsy left hands smearing ink from particularly juicy specimens. While it is harder than you’d think to write left-handed (I hear only 10% of people can do it), I did try writing backwards to no avail. I eventually gave up, wrote a chunk of text, and then dragged the edge of my hand across it.

Skin-on-paper drag test

I sure wasn’t expecting that to happen.

Rather than smearing, the writing disappeared with about as much effectiveness as my Mars eraser! It appeared as a black grit on the edge of my hand, which wouldn’t wipe off (or erase off), but did come off nicely with soap and water. Mind you, I was dragging my hand pretty hard and pretty much trying to get a reaction out of it. If you’re left-handed and writing normally, it probably won’t be a problem.

Overall

Well, they gave it a good shot. I like the idea in theory, but the execution could use some work. The cheap-sounding rattle when shaken, the inconsistent liquid graphite flow, and the poor erasability with the Mars plastic eraser limit it to occasional use at this time. I look forward to future development in this field, but I’m not putting away my Pentel just yet.


Hanging out with my PEAPs: Wireless Access Control with IEEE 802.1x, PEAP, and RADIUS

Permalink 08/15/10 14:53, by Ryan, Categories: Howto

I’ve been having some weird kernel lockup problems when using the authenticated WPA2 network at RIT.  Since I can’t effectively bring my kernel bug troubleshooting tools to campus, I decided I needed to bring the wireless network home.  This meant converting the home wireless network from the usual shared-secret configuration to a Protected Extensible Authentication Protocol (PEAP)-based system.

Access Point Configuration

Belkin F5D7230-4 in its natural habitat

My access point is a Belkin F5D7230-4, a humble piece of crap that I wouldn’t recommend unless you enjoy rebooting or power-cycling network infrastructure.  What did I do wrong to get cursed with such terrible wireless networking problems?

I digress.

The access point is set up with Channel and SSID configured in a working fashion, along with Use as Access Point and System Settings adjusted to disable NAT and give the access point a usable LAN IP (192.168.1.2).  The real magic is under the Security tab.

  • Allowed Client Type: WPA2 Only
  • Authentication: 802.1X
  • Session Idle Timeout: 0
  • Re-Authentication Period: 0
  • Quiet Period: 10
  • Server-IP: 192.168.1.10
  • Server-Port: 1812
  • Secret Key: a long, random string used as a shared secret with the RADIUS server
  • NAS-ID: wifi-sodtech1  (I’m an optimist)

In this case, 192.168.1.10 is the IP address of a local server that I’m going to use for RADIUS.  The RADIUS server doesn’t have to be local, but it should be reliably reachable.

FreeRADIUS

Next thing you will need is a RADIUS server.  I chose FreeRADIUS as the current best-of-breed RADIUS server for this application, since it supports EAP “out of the box” and has a configuration format much less treacherous than my last RADIUS server.  If you are looking to use your distribution’s packages, note that FreeRADIUS 2.1.8 or above is required, which means Ubuntu 10.04 LTS (Lucid) is the way to go.

To install it: apt-get install freeradius freeradius-mysql.  Ding, fries are done.

After you install it, the first thing you want to do is add a test user and try it out.  FreeRADIUS has an excellent introduction to this process on their wiki.  Note that you can certainly use the users file to maintain your user’s credentials: it’s quick, it’s easy, and it works just fine.  I chose to use a MySQL database, however, since I eventually want to make a pretty web front end for managing users.  But we’ll get there.

An important thing to note: FreeRADIUS must have access to the cleartext version of the password in this scenario.  It cannot do what it needs to do with a crypted or hashed password.  This may be a problem in some circumstances.  MSCHAPv2 does include mechanisms for challenge-response authentication without cleartext being stored on the server or transported over the network, most commonly implemented by using Active Directory as an authentication oracle.

The next thing you will need to do is add an entry to clients.conf for your access point.  Based upon the well-documented entry for the localhost test client, I created a client stanza for my access point:

[gist:github:525614]

I also chose to change the logging from destination = files to destination = syslog, to reduce log file creep.  And, just for paranoia’s sake, I changed the secret for the localhost test client.  At this point, restart your FreeRADIUS server, reboot your access point, and create a new connection from your laptop.
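As an added example (not code from the original post or from the FreeRADIUS project), here is a small Python checker for the clients.conf stanzas just described: it parses each client block, flags the stock testing123 secret and any secret that is short or drawn from a small character pool, and mints a replacement of the long, random kind used for the access point. The sample config text, the NAS name wifi-ap1, the addresses and the length/entropy thresholds are constructed assumptions.

```python
"""Audit the shared secrets in a FreeRADIUS clients.conf.

Added example, not code from the original post or from FreeRADIUS itself.
It parses ``client name { key = value }`` stanzas, flags the stock
``testing123`` localhost secret and secrets that are short or drawn from a
small character pool, and mints a replacement of the "long, random string"
kind the post recommends. The config text, NAS name, addresses and
thresholds below are constructed for the demo.
"""
import math
import re
import secrets
import string

# Constructed sample in clients.conf syntax (not the post's own stanza).
SAMPLE_CLIENTS_CONF = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123          # stock secret shipped with FreeRADIUS
    require_message_authenticator = no
    nastype = other
}

client wifi-ap1 {                # hypothetical access point stanza
    ipaddr = 192.168.1.2
    secret = 8bKqz4WpL2cR9vXt3NmH7sYfD6jE1uGa
    shortname = wifi-ap1
    nastype = other
}
"""

STANZA_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

DEFAULT_SECRETS = {"testing123"}  # shipped for the localhost test client
MIN_LENGTH = 16                   # assumption: local policy minimum
MIN_BITS = 80                     # assumption: rough entropy floor

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def parse_clients(text):
    """Return {client_name: {key: value}} for every client stanza."""
    clients = {}
    for name, body in STANZA_RE.findall(text):
        settings = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]      # drop trailing comments
            m = SETTING_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
        clients[name] = settings
    return clients


def estimated_bits(secret):
    """Crude strength estimate: length * log2(size of the character pool used)."""
    pool = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def secret_issues(secret):
    """List the problems with one shared secret (an empty list means OK)."""
    issues = []
    if secret in DEFAULT_SECRETS:
        issues.append("default secret")
    if len(secret) < MIN_LENGTH:
        issues.append(f"too short ({len(secret)} < {MIN_LENGTH})")
    if estimated_bits(secret) < MIN_BITS:
        issues.append(f"weak ({estimated_bits(secret):.0f} bits < {MIN_BITS})")
    return issues


def audit(clients):
    """Map each client name to the list of issues with its secret."""
    return {name: secret_issues(cfg.get("secret", ""))
            for name, cfg in clients.items()}


def generate_secret(length=32):
    """Mint a new shared secret from letters and digits, ready to paste into clients.conf."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, problems in audit(parse_clients(SAMPLE_CLIENTS_CONF)).items():
        print(f"{name}: {', '.join(problems) or 'ok'}")
    print("suggested replacement:", generate_secret())
```

Run it against your real /etc/freeradius/clients.conf by reading the file into parse_clients; the same secret must then be entered on the access point's Secret Key field.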

Wireless configuration for PEAP on Ubuntu + Network Manager

Easy as pie.  Note that the CA Certificate option on your client should be left blank at this point, because you’re using the standard auto-generated SSL certificate; until a trusted certificate is in place, the client has no way to confirm it is talking to your RADIUS server rather than someone else’s.

A “real” SSL Certificate

To generate a new one, I use DigiCert’s nifty OpenSSL CSR Wizard to create an openssl command line.  For the Common Name, I chose wifi.sodtech.net, although it doesn’t really matter as long as you can get a certificate signed to that CN.  I then sent the resultant CSR to CAcert.org, which sent a signed certificate back.  You could, of course, use a local CA or a commercial CA depending on your situation.  It’s pretty much the same as setting up an SSL’d web server.

I stuck the .crt in /etc/ssl/certs/ and the .key in /etc/ssl/private/, adjusting permissions as appropriate.  I then adjusted the symlinks in /etc/freeradius/certs/ to point at these files instead of the default snake oil certificate.  Upon restart of FreeRADIUS, I could point my laptop’s configuration at /etc/ssl/certs/cacert.org.pem and verify that I wasn’t attaching to some rogue network.  Hooray!

Storing Credentials in a Database

There’s nothing wrong with using the users file to store your users, especially if you only have a few.  But, if you have a lot of users or want to automate various things, some sort of database backend is crucial.  FreeRADIUS supports a wide variety of SQL servers, along with LDAP and Active Directory.  All it needs is to know how to get a cleartext password for a particular username (or some other way to get a yes/no answer for a session with the information it has, which is possible with AD).

The FreeRADIUS wiki covers SQL configuration nicely, including importing the schema found in /etc/freeradius/sql/mysql/schema.sql, but here’s the summary of my configuration changes:

  • radiusd.conf
    • modules {
      • Uncomment $INCLUDE sql.conf
  • sites-available/default
    • authorize {
      • comment out unix (optional)
      • uncomment sql
      • comment out expiration, logintime (optional)
    • accounting {
      • comment out unix (optional)
      • comment out radutmp (optional)
      • uncomment sql
    • post-auth {
      • uncomment sql
  • sites-available/inner-tunnel
    • authorize {
      • comment out unix (optional)
      • uncomment sql
    • post-auth {
      • uncomment sql
  • sql.conf
    • In sql{}, change the server credentials as required.
  • users
    • Comment out the original test user!

And there you go.

Is PEAP for you?

Probably not.  However, when I set out to configure it, I was expecting it to be a lot more complicated than it was.  If you have an access point that speaks 802.1X and RADIUS, you might want to give this a try to add it to your box of enterprise tools.  For a security-minded organization, this can be one part of reducing the risk of a wireless network.  On a home network, however, it is probably overkill.

Oh… and the kernel lockup bug?  Doesn’t happen here.  Dang.


Edit 2010/08/15: Clarified cleartext password requirement; added mention of (and links to) Active Directory-related configuration.

RIT's 19th Undergraduate Research and Innovation Symposium

Permalink 08/13/10 13:40, by Ryan, Categories: School

RIT hosted their 19th annual Undergraduate Research and Innovation Symposium on Friday, August 13, showcasing over 100 undergraduate research projects across (and between) all of RIT’s disciplines.  I figured it was well worth waking up early on a Friday for the promise of a free lunch and an opportunity to test my arrive-by-8am bus routing to RIT, but the quality of the research and presentations certainly surpassed my expectations.

With so many presentations, the sessions were split across five tracks, with a ten-minute time limit per presentation.  Fortunately, they were grouped logically: I could avoid the ones that would go over my head, saving me from falling asleep.

My morning tracks were focused on the humanistic applications of technology, with presentations focusing on urban gardening, data visualization, improved power wheelchairs and cookstoves, and a plot to turn shipping containers into disaster housing.

Over lunch, RIT alum Jennifer Indovina, CEO and co-founder of Tenrehte Technologies, Inc., presented a buoyant keynote address recounting her startup’s experience creating the PICOwatt smart plug device.  Tenrehte’s journey (that’s “ethernet,” backwards) from nascent idea to underdog winner of 2010 CES Best of Show ("green” category) was sudden and unexpected: when your CES contingent consists of two people and you’re going up against Google and Microsoft, you don’t expect to bring home the hardware.  But they did.  Jennifer attributes it to the PICOwatt being a real product designed to directly improve people’s lives, rather than just being a vigorous marketing plan.

The afternoon sessions included an awesome video by Qian Yi Lau Li, documenting the power wheelchair project presented previously, along with a dirigible-based wind turbine system.  A pair of projects highlighted the challenges of developing applications for the OLPC XO laptop platform.  The final session of the afternoon featured instructional interactivity through the digital immersive cube, bringing better techniques to interactive physics experiments, and a MEMS thermally-actuated switch.

After the break, a list of the presentations.


Voicemail notifications with Asterisk and Google Voice

Permalink 07/29/10 23:12, by Ryan, Categories: Geekery, Howto

We use Asterisk 1.4 for our home telephone system, with FreePBX 2.7 as the front end.  This allows great flexibility to do strange things, although a home PBX is certainly a little overkill for a two-person, three-bedroom urban house.

Recently, I decided to give Google Voice a spin for voicemail processing.  I’m using a single Google Voice account for my cellphone and home phone extension.  I’m not going to elaborate on how the actual call forwarding to Google Voice is accomplished, but the key parts of the FreePBX and Google Voice configuration are:

FreePBX
  • Misc Destination: Google Voice
  • Ring Group: Destination if No Answer set to Misc Destination
Google Voice
  • All forwarding disabled – prevents loop
  • Home phone number set as “mobile” ("other” carrier, of course)

To make the voicemail integration more seamless from my end, I decided that I needed to have two features:

  1. Voicemail notifications on SIP phones
  2. Normal feature code to retrieve voicemail

I couldn’t completely gut the existing voicemail system, as my wife still uses it.  So, I had to improvise.  First, the “easier” of the two features:

Per-extension feature code handling

FreePBX’s structure is such that an administrator can override parts of the dialplan if required.  This is one of those situations.  Into extensions_override_freepbx.conf, I copied the existing context from extensions_additional.conf and made a few modifications:

[gist:github:499571]

On line 6, I added GotoIf($["${AMPUSER}" = "103"]?googryan), which goes to the googryan label if the caller is user 103 (me).  Then, I added lines 18 through 20 to the end, as the destination for googryan.  The first plays a nice little message telling me to wait.  The second line is a little bit of Asterisk magic.

I didn’t want to have to hit * to get to Google Voice’s PIN prompt, so I wanted Asterisk to hit * for me.  Dial(Local/15855550000@from-internal,15,D(w*)) does this by opening a channel to 15855550000@from-internal (thereby using the normal call routing rules), then it waits for a couple moments and hits * (that’s the D(w*) part).

This works out really well.  Allison Smith politely introduces me to Kiki Baessell, who asks me for my PIN, and I’m there.  Bam.

Voicemail notifications on SIP phones

This is the more interesting of the two features.

I’m using pygooglevoice, a library of Python bindings for the Google Voice API.  Installing pygooglevoice was pretty easy: sudo easy_install pygooglevoice

Once installed, check out the documentation for some example code.  I take that back, actually.  Check out the command line script first.  By typing gvoice and entering your e-mail address and password, you get a delicious command line interface to Google Voice.  Try “help” if you’re stumped.

It turns out that getting the voicemail status from Google Voice was the easy part.  Telling Asterisk about it, however, was more difficult.  I could not find a mechanism where Asterisk could ask my program directly, so I decided to create fake msg0000.txt, msg0001.txt, etc. files in the actual voicemail folders to match the current number of voicemails.

Being fancy, I also tried to make sure it would work “seamlessly” with Asterisk’s own voicemail, just in case I need to use that for whatever reason.  I do this by treating any other files for that msg#### (such as a msg####.wav) as an indicator that it is an Asterisk-based voicemail and not one of our doppelgangers.  I hope Asterisk has the same courtesy.

So, here’s the code.  It sucks, of course, but it was an afternoon project.  So far, it’s working well.  I’m firing it from cron every three minutes, which seems wasteful: I might change it to only check during times I’m awake, since I won’t hear the voicemail indicator when I’m asleep.  But that’s another project…

[gist:github:499562]
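The placeholder bookkeeping described above, as an added example rather than the author’s gist: the Google Voice lookup (pygooglevoice) is assumed to happen elsewhere and only its message count is passed in; the inbox path, mailbox number and header text are constructed for illustration.

```python
import os
import re
import tempfile

# Asterisk stores each message as msgNNNN.<ext> under <spool>/<context>/<mailbox>/INBOX
MSG_RE = re.compile(r"^msg(\d{4})\.(\w+)$")


def scan_inbox(inbox):
    """Split the msgNNNN slots in inbox into (real, placeholders).
    A slot with any file beyond its .txt (e.g. msgNNNN.wav) is one of
    Asterisk's own recordings and is left alone; a lone .txt is ours."""
    slots = {}
    for name in os.listdir(inbox):
        m = MSG_RE.match(name)
        if m:
            slots.setdefault(m.group(1), set()).add(m.group(2))
    real = {n for n, exts in slots.items() if exts != {"txt"}}
    return real, set(slots) - real


def sync_placeholders(inbox, gv_count):
    """Add or remove placeholder .txt files until their number equals
    gv_count (the count obtained from Google Voice); returns the new count."""
    real, placeholders = scan_inbox(inbox)
    have = len(placeholders)
    if have > gv_count:
        # drop the highest-numbered placeholders first
        for n in sorted(placeholders, reverse=True)[: have - gv_count]:
            os.remove(os.path.join(inbox, f"msg{n}.txt"))
    else:
        used = real | placeholders
        slot = 0
        for _ in range(gv_count - have):
            while f"{slot:04d}" in used:  # skip slots Asterisk already uses
                slot += 1
            n = f"{slot:04d}"
            used.add(n)
            with open(os.path.join(inbox, f"msg{n}.txt"), "w") as fh:
                # minimal header so it looks like a message; values are constructed
                fh.write("[message]\norigmailbox=103\ncontext=default\n")
    return len(scan_inbox(inbox)[1])


def demo():
    """Constructed scenario: a real Asterisk message sits in slot 0000, and
    Google Voice then reports 2, 1 and 0 voicemails in turn."""
    inbox = tempfile.mkdtemp(prefix="vm-inbox-")
    for ext in ("txt", "wav"):
        open(os.path.join(inbox, f"msg0000.{ext}"), "w").close()
    return [(sync_placeholders(inbox, n), sorted(os.listdir(inbox))) for n in (2, 1, 0)]
```

In the cron job the count would come from pygooglevoice and the inbox would be the real spool directory (for example the INBOX under /var/spool/asterisk/voicemail), which this example leaves as assumptions.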


Running PHP 5.2 on Ubuntu 10.04 LTS

Permalink 07/25/10 20:17, by Ryan, Categories: Howto

Recently, I was tasked with installing a Drupal environment on an existing Ubuntu 10.04 LTS (lucid) server.  This release is the first Ubuntu release to ship with PHP 5.3.  Unfortunately, while the Drupal core is reasonably happy with PHP 5.3 as of late, there are likely still some modules out there that might break.

The installation for the environment in question required PHP 5.2, and I was not about to argue with it.  Fortunately, some research found a blog post with a PHP-downgrading shellscript that looked quite promising.  So, I decided to base my approach off of that.

There are alternative methods available.  A common, but misguided, approach is to uninstall the existing PHP components and compile your own PHP from source.  I am a strong believer that compiling software on a modern production server is a bad idea, for security and reliability reasons.  Another approach is to use a Personal Package Archive on Launchpad.  This is better, but I would much rather rely on the Ubuntu security team for updates than someone else (myself included!).

Since PHP 5.2 ships with karmic, lucid isn’t that much different than karmic, and karmic is still supported, why not just use the tried-and-true package management techniques?

Build a Testbed

Being a dull boy, I wanted to try this out “in the lab” before I went and blew up a client’s server.  To do this, I used a freshly-deployed VPS instance (testbox).  First, I used dpkg to clear the package selections from testbox.  Then, I cloned the selections from the production server (prodbox).  Finally, I logged into testbox and ran apt-get dselect-upgrade to apply the selections:

home$ ssh root@testbox dpkg --clear-selections
home$ ssh prodbox dpkg --get-selections | ssh root@testbox dpkg --set-selections
home$ ssh root@testbox
testbox# apt-get dselect-upgrade

Note: it goes without saying that logging in as root on a routine basis is Bad, and allowing remote ssh logins to root is also bad.  This is, however, a testbox.  I had previously used ssh-copy-id to install my public key on both testbox and prodbox.

I created the most basic of basic PHP pages, /var/www/testing.php, containing nothing more than:

<? phpinfo(); ?>

This gave me a URL to go to (http://testbox/testing.php) to make sure PHP was “there” and happy.  Once this was done, I shut down the instance and duplicated the image so I had a “known good” image.

Develop the Script

After booting, my next order of business was to look through the original script, figure out what it does, and make sure it “does the right thing.”  Here, in short, is what it does:

  1. Gets the list of all installed packages with “php” in their name using dpkg -l and grep.
  2. Removes all of them – configs and all – with apt-get purge.
  3. Using apt-cache search, gets a list of all php-related packages and creates pins for them in /etc/apt/preferences.d/php.
  4. Adds the karmic repositories to /etc/apt/sources.list.d/karmic.list, then runs apt-get update.
  5. Installs all of the packages that were installed before using apt-get -t karmic install.
  6. Restarts Apache, just because you’re probably running Apache.

I went through line-by-line, copying the “good stuff” to a shell script as I went along.  Once I was done, hoorah!  I had PHP 5.2 and all seemed well.

Test and Deploy the Script

I replaced this working image with a copy of the “known good” image, uploaded the script, and fired it.  Hoorah!  All was well.  Once that was set, I made sure a backup of prodbox was at the ready, just in case.  :-)  I then fired the script off on the real server, and… hoorah!  I checked out anything that might have broken, and indeed, all was well.

The script is available at http://gist.github.com/489868 with, of course, no guarantees of anything.  Hopefully this will be useless sooner rather than later, but we can hope!

[gist:github:489868]

© 1962-2014 by Ryan Tucker

    Contact | Help | Blog skin by Asevo | blog software | web hosting | monetizing