On Personal Internet Security…

I have over a hundred accounts on the Internet. I do a lot of online shopping for everything from books to computer hardware to toys for my kids. I also have accounts on various social networking sites like linked-in, facebook, myspace, plaxo, pulse and naymes. I use online authoring sites like wordpress, freesoftwaremagazine, digg, technorati and others. I like to personalize google news and various product support sites to my own tastes. I like it when sites like this allow me to create a profile – essentially a login account.

I also work in the software industry and write a fair amount of open source code, so I have accounts at locations like sourceforge.net, which manages separate authentication materials for mailing list accounts, primary site access, shell access, etc – and often for each project they support. This means literally dozens of passwords for a single site.

These places are all pretty benign as far as security issues are concerned. Frankly, I don’t really care if someone knows my middle name, or my phone number for that matter. But I do most of my banking online, and some web-based store fronts keep track of my credit card information these days. I have the option of not giving it to them, but if I trust them, I like to use this feature, and that presents a real security problem for me. Some of these sites have fairly good identity security–others do not. I don’t know which ones do and which ones don’t.

I used to use the same password everywhere – so I wouldn’t forget it. When I started doing online banking and storing credit card information at various store fronts, I used one password for these places, and another one for everywhere else. But lately the number of security classifications I use has increased significantly, making it difficult to remember all of the passwords I use.

If a hacker can break into one of these weaker sites, and capture account information and passwords, they can then access more sensitive personal information at many other sites where I have accounts. Now, I’m not a conspiracy theorist. I don’t believe there are groups of people out to get me personally. But I do believe in bad guys. And I know for a fact that there are bad guys out there “phishing” for random authentication materials. If they find a way to access one (like mine) and if they then find that I use the same password at my bank, I really do believe they’ll go after my cash. After all, they don’t really care whose money they take.

KeePass

Recently, I was introduced to the KeePass project on SourceForge.net. What a gem of a little project! KeePass allows you to store passwords and other account information in an easily accessible hierarchical format within an encrypted database on your hard drive. You only need to remember a single master password to get into the database.

Some people might balk at the idea of another layer of indirection between themselves and their online banking web site. I’d agree myself, if it weren’t for some of the really cool usability features in KeePass. For instance, KeePass can copy a password to the clipboard from an entry in its database, which means you need only click on the password entry field and press Ctrl-V to paste it in. If you care to take this to the next level, KeePass will also fill in login forms automatically with a configurable hot-key press on the login page of your sites.

KeePass also contains a small area in each password entry for notes and such. I have an AT&T cell phone account which allows me to connect to the Internet on my laptop through my phone over a high-speed connection. But configuring this connection initially was a real pain in the neck! Once I got it figured out, I wrote down the steps for configuration so I wouldn’t forget them. The next time I needed to reconfigure my laptop, I forgot where I’d written down these instructions. Now, I have them in the notes section for my AT&T wireless account in KeePass.

Another nice feature is that KeePass will automatically generate a high-security password for you, with a single click. When I create a new account on a web-site these days, I just pull up KeePass and create the account and the KeePass entry at the same time. When the site asks me for a password, I don’t waste time thinking about what I should use–I just tell KeePass to give me a good one, then cut and paste it in.

Finally, KeePass will stay resident on your Windows machine, adding a little icon to the system tray while it’s running. Click the icon and you have instant access to your password database. With a highly configurable security policy tailored to your personal tastes, you can decide how often you want to type in your master password: once at login, each time you click the system tray icon, only when you lock it, when you lock your computer screen, etc. You can also configure it to minimize to the tray, or to close to the tray.

Taking It With You

This is all well and good if you only work on one machine. I work on multiple machines. I have one at home where I spend time shopping, and I have one at work where I access my sourceforge.net accounts. I have a laptop that I take with me to sneak in some work or play while I’m waiting at the repair shop for my car to be fixed. Sometimes I use my wife’s laptop–just because it’s handy. Sometimes I use a kiosk computer at the airport or at the library. Sometimes I use a colleague’s computer in another office at work.

KeePass has a solution for this problem as well. If you wish, you can store the database on a removable media device, like a USB drive. You can pick up a 1G USB drive these days for 10 to 20 bucks. And this is 100 times as much memory as you need for a password store.

But the database does you little good if you can’t access it with the KeePass program when you need a password. The designers of KeePass understood this. You can store a portable version of the program itself on the USB drive. Portable, in this context, means programmed in such a way that the software requires no explicit installation. It creates no registry entries, or special file system objects. This means you can access your password database from any Windows machine with a USB port. Just plug it in and run the program right from the USB drive.

What, Now Linux Too?!

What more could I ask for? Well…recently, I installed Linux on my desktop machine at work. Since moving to OpenSUSE 10.3, I’ve been very satisfied with what I’ve been able to accomplish using only free software. It’s been a whirlwind romance, and I’ve loved every minute of it, but it’s the first time I’ve been without a Windows machine handy to…you know, do the stuff I can only do on Windows. Sad to consider it that way, but it’s been true for me, so I’m guessing it’s true for most everyone else, as well.

Unfortunately, KeePass is a Windows program. “Well, I’m in love with the concept, not the program”, I told myself. So I went looking for a more portable alternative. One that was perhaps not as functional as KeePass, but at least ran on Windows and Linux. And I found it–KeePassX. This is a spin off of the original Windows open source program found on SourceForge.net.

KeePassX is written using QT and compiled under mingw on Windows, so its interfaces on both platforms are nearly identical. The people who did the port stayed true to the original KeePass look and feel as much as they could in this portable version. I’m very pleased, because now I can carry copies of KeePassX for Windows and Linux, as well as the database which, of course, both versions will open and process.

The only glitch I ran into with KeePassX was that it requires the mingwm10.dll, which fact is not advertised anywhere on the KeePassX web site that I could find, and the win32 package didn’t ship with this library. In fact, the only reference to it that I could find was an entry by a user in their forums indicating that they should probably mention the requirement somewhere. Personally, I think it’s an oversight, and that the Windows bundle should just install it.

To get the library, I just did a Google search for mingwm10 and found a myriad of places from which I could download it. I did that, placed the library in the same directory as the executable and all was well again.

Setting It All Up

To set all this up, I first formatted the USB key under Windows (because Linux has no problem reading FAT-formatted drives, and typically Windows only does Windows). Then I created a directory structure like this on the USB key:

Win32\
   ...unpacked files from KeePassX Win32 bundle
Linux\
   ...unpacked files from KeePassX Linux bundle
Install\
   ...bundles for both platforms, plus mingwm10 bundle, still packed
Passwords.kdb
Autorun.inf

Now, I like to do things up right. On Windows XP, when you insert a USB key, it acts like a removable drive–a CDROM or a USB hard drive. On these types of media, you can place a file at the root of the volume called Autorun.inf, which describes for Windows some things you’d like to have happen when the volume is mounted. I added the following text to an Autorun.inf file on the root of my USB key:

[autorun]
action="Run KeePassX"
open=Win32\KeePassX.exe
icon=Win32\KeePassX.exe
shell\keepassx=&KeePassX
shell\keepassx\command=Win32\KeePassX.exe

The “action” keyword allows Windows to display an option called “Run KeePassX” in the list of stuff to do when a drive is mounted that contains mixed media. Unfortunately, the graphic files (icons, bitmaps, etc.) of a Qt application are stored separately from the binary, so Windows interprets them as picture files. Since there are both pictures AND executables on the USB key, Windows doesn’t know what you really want to do, so it asks you every time you insert the USB key.

On Vista, you have a few more options. You can add more entries under a “[Contents]” section that tells Vista exactly what to do in the case of a conflict. To me, it’s a no-brainer to have done this in XP, but that’s not the way things came out, so we have to put up with the confusion. Most often, CD-ROMs that contain executables designed to be run when the disk is inserted are installation CDs for software you purchase. These have all sorts of media, but they often come packaged up in CAB or ZIP files, so Windows is not confused. There are only executables, so there’s no ambiguity. Windows just runs the setup.exe or install.exe program, as specified in the “open” tag.

When specifying an “action”, the “open” option tells Windows what to do if you select the “Run KeePassX” option in the pop up menu when the key is inserted. The “icon” option is really neat because it not only tells Windows what icon to display next to the action in the pop up, but also what icon to display in file explorer when the drive is mounted. The “shell” option is used to add a context menu option to the menu that comes up when you right-click on the drive in file explorer.

Look here at msdn.microsoft.com to learn more about Autoplay on Windows platforms.
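A check worth having for a key that gets plugged into machines you do not control: the following added example (not from the original post or from the KeePassX project) parses the [autorun] section shown above, picks out the entries that start a program, and compares each target with a SHA-256 manifest recorded when the key was set up. The manifest, the function names and the demo file contents are assumptions made for this example.

```python
import hashlib
import ntpath
import tempfile
from pathlib import Path

# The Autorun.inf from this page, used as sample input.
PAGE_AUTORUN = r"""[autorun]
action="Run KeePassX"
open=Win32\KeePassX.exe
icon=Win32\KeePassX.exe
shell\keepassx=&KeePassX
shell\keepassx\command=Win32\KeePassX.exe
"""


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: raw value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Pick the keys that name a program to start, and the program in each."""
    targets = {}
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key not in ("open", "shellexecute") and not is_verb:
            continue  # action, icon and a verb's menu text start nothing
        if value.startswith('"'):
            program = value[1:].split('"', 1)[0]      # quoted path
        else:
            program = value.split()[0] if value.split() else ""
        targets[key] = program
    return targets


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit(volume_root, autorun_text, manifest):
    """Check every launch target against manifest {relative path: sha256}.

    Returns {key: status}; status is one of
    ok, modified, unlisted, missing, outside-volume.
    """
    root = Path(volume_root)
    known = {ntpath.normpath(p).lower(): h for p, h in manifest.items()}
    report = {}
    for key, program in launch_targets(parse_autorun(autorun_text)).items():
        rel = ntpath.normpath(program)
        drive, rest = ntpath.splitdrive(rel)
        if drive or rest.startswith("\\") or rel == ".." or rel.startswith("..\\"):
            report[key] = "outside-volume"   # not a path relative to the key
            continue
        local = root.joinpath(*rel.split("\\"))
        if not local.is_file():
            report[key] = "missing"
        elif rel.lower() not in known:
            report[key] = "unlisted"
        elif sha256_file(local) != known[rel.lower()]:
            report[key] = "modified"
        else:
            report[key] = "ok"
    return report


def demo():
    """Build a constructed key layout in a temp directory and audit it twice."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp, "Win32", "KeePassX.exe")
        exe.parent.mkdir()
        exe.write_bytes(b"constructed stand-in for the real binary")
        manifest = {r"Win32\KeePassX.exe": sha256_file(exe)}
        clean = audit(tmp, PAGE_AUTORUN, manifest)
        # Constructed change: different file bytes plus one extra verb entry.
        exe.write_bytes(b"different bytes")
        changed_inf = PAGE_AUTORUN + "shell\\other\\command=..\\other.exe /x\n"
        changed = audit(tmp, changed_inf, manifest)
    return clean, changed


if __name__ == "__main__":
    for label, report in zip(("clean", "changed"), demo()):
        print(label, report)
```

Run it against the mounted key before launching anything from it; any status other than ok means the key no longer matches what was recorded at setup.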

Now, I’ve got the best of both worlds, and access to my password database from either place. Could I be any happier about the state of my personal Internet security? I don’t think so.

[Edit: I lost my password database the other day – it was corrupted when I pulled the USB key out of my Linux machine while the program was open. I think the corruption occurred because I popped it into a Windows machine, opened the database, and then put the key BACK into the Linux USB socket, and saved the database. In any case, I HIGHLY recommend you back up your password database once in a while. Luckily, I had a recent copy saved off somewhere, and I was able to get back about 95 percent of my data. Now, I keep a backup of the database on the same USB key in a “Backup” directory, which I overwrite quite often. I also keep a backup on another disk that I back up once a week or so, if I’ve made changes during the interim.

One person I know stores his database in a subversion repository, and updates it on any of his machines. That’s nice to get the latest version on any of your own machines, but it doesn’t help you when you want to access your store on a machine that’s not yours. Still, it’s a good idea to keep it in a repository like this.]

Nagios and XP Printing Troubles

Well, since I posted my troubles with Linux installation last month, a lot has happened in my life. I’ve accepted a position with the LDS church to work on open source software projects. Seemed to be a nice fit and, while I loved working at Novell for 16 years, it was time for a change.

The project I’m currently working on is called DNX, which is an acronym for Distributed Nagios eXecutor. DNX is a Nagios plugin that evenly distributes the network checks traditionally done by a single Nagios monitoring system among a group of worker nodes. DNX has the potential to add incredible scalability to Nagios.

In the process of moving, I’m now back on a Windows machine – the Church ICS department standard is Windows XP Pro. It’s a sad, but true fact that if your company has a number of OTS software products that are used in its daily processes, then you will have trouble running Linux. I love Linux, and we code to it, and use it on our servers at work – Nagios itself is a Linux/Unix network monitoring tool – as far as I know, it’s never even been ported to Windows (although that would be an interesting project, but I digress… I’ll have more to say about Nagios later, I’m sure).

The short story is that I now have to run Windows on my laptop. With the setup they gave me, I can do most of my work from home. Using the Cisco VPN, I’m able to access all of the resources I need behind the firewall at work. I’ve used VPNs before, but frankly, I never really needed one like I do now. Most of the services I needed at Novell were actually outside the firewall anyway. I mostly used it to access the Linux box on my desk at work from home.

The only real problem I’ve had so far is printing from my new laptop to my home machine’s networked printer. It’s an HP Laserjet 1200 which is shared by my home XP Pro machine. I’ve never had trouble getting to it from any of my other home machines, nor from my wife’s Dell Inspiron laptop. But I just could not connect to the printer from my Dell D830 from work.

One significant difference between the two laptops is that my work machine (not a little ironically) is running the Novell client – something I hadn’t done at Novell for over 7 years!

I spent a couple of hours this morning googling for the error message that Windows was giving me when I attempted to add the printer:

“Operation could not be completed. Either the printer name was typed incorrectly, or the specified printer has lost its connection to the server. For more information, click Help.”

I finally found a single entry on one of the Microsoft tech forums where someone was having a similar problem, and he was persistent enough to figure out a work-around for this issue. Interestingly, the issue is not in Microsoft’s own knowledge base.

The work-around was to treat the printer as a local device, but specify its port as a UNC path. It appears that the Windows network printing subsystem has problems with networked printers that the local printer subsystem does not have. Here’s what you do:

  1. click the Add Printer wizard icon in the Printers and Faxes pane of explorer.
  2. add a *local* printer (even if it’s not on the local machine)
  3. on the next screen choose “Create a new port” and leave the default “Local Port” in the drop down list.
  4. when you click Next, you’ll get a dialog asking for a port name – type in the UNC path for the printer (e.g., \\home-machine\hplj1200)

This actually works. Apparently one valid type of port in the local printing subsystem is a UNC path to a remote printer! You gotta love those Microsoft engineers – they thought of everything when it comes to integration. Too bad they didn’t work together a bit more on the actual implementation of their versions of these subsystems.

To be clear, I can print to my home printer now from my laptop when I’m working at home. It’s amazing how you miss something that you take for granted when it works.

Experiences with Linux Hardware Config

I got a new laptop at work in late August. The date is especially significant because it’s now mid-October and I’m still sorting out issues with video drivers, network cards, and bluetooth functionality. It’s a Lenovo T60p – a nice machine. Speedy. Sleek. Full-featured – it even comes with some built-in biometric features. Oddly, these are the sorts of hardware features that open source geeks love to play with. And it’s a good thing for us users because otherwise they’d just be extra baggage on an otherwise nice machine. Manufacturers just don’t spend a lot of time yet on Linux drivers.

For example, the package I ordered came with a Logitech M-RBB93 bluetooth wireless mouse. Now, this is a nice piece of hardware. I’ve had wireless mice before, and they all come with a USB fob that takes most of the joy out of using a wireless mouse. This mouse has an on/off switch on the bottom. That’s the extent of the init/shutdown process. I love it! But it didn’t work with my laptop out of the box as it should have. I didn’t even bother to open the CD that came with it. I would only have found myself disappointed by the instructions, as they nearly always begin with “Press the Start button, and select the Run option…” I hope this will change in the near future – not everyone runs Windows these days.

SLED 10

My new laptop came with SLED 10 (SuSE Linux Enterprise Desktop, version 10) pre-installed. Now, this Linux variant is clearly designed for non-technical people, as it comes completely configured to work well with several hardware configurations, including my Lenovo T60p. But it still had troubles with unforeseen additions such as the bluetooth mouse. It turns out that SLED 10 does work pretty well with the mouse, but you need to perform a few command-line gymnastic stunts in order to get the laptop to connect. Secretaries and executives will probably just toss the mouse in the garbage can, assuming it’s broken. Geeks like me know better.

I didn’t even hope that I could get the fingerprint reader working. But it turns out that there’s an entire community surrounding this little built-in device, known affectionately as the ThinkFinger. There’s a wiki site for configuration that contains very complete information on getting the fingerprint reader working on a variety of platforms, and Ubuntu actually has its own ThinkFinger community. I must say, it works very well. Sometimes it requires more than one pass to get a good reading, but usually it works on the first try – much of the quality of experience involves training yourself to swipe your finger in just the right way, but it’s an easy habit to pick up.

ATI is making big advances in coming to terms with the open source world, but they still have a long way to go. Five years ago, I installed a version of Mandrake Linux on my home computer (dual boot) just to play with it. I had an ASUS NVidia card installed. The desktop graphics came up out of the box in 800 x 600, 8-bit color. I was a bit disappointed at first, but then I decided to dig a bit deeper. I went to NVidia’s website, downloaded their latest open source Linux drivers, ran the installer and rebooted. When it came back up, I was viewing my X desktop in 1280 x 1024 24-bit color – perfect! I didn’t even have to select the resolution and color depth (although I had plenty of choices).

I can only wish for the same experience with ATI drivers. Five years ago, ATI drivers for Linux were unheard of. The answer to your question was simply this: You bought the wrong video card. Since AMD acquired ATI, things have changed. Video drivers for ATI cards can now be downloaded from AMD’s web site. They even (usually) work – if you have the patience and technical prowess to mess with them for long enough. But to the average user, my answer to your question is generally still the same: You bought the wrong video card. Give it a couple of years, and ATI will have caught up to where NVidia was five years ago. Now, don’t get me wrong. ATI cards are wonderful, but if you want to take full advantage of them, you’d better stick to Windows.

OpenSuSE 10.2

SLED 10, being designed for non-technical folks, has been tweaked and tested such that many of the processes that have to be done manually in even later opensuse offerings are well integrated and much more automated. However, SLED 10 is old. I’m sorry, but anything older than a year in this industry is out of date. I’m a developer, so I need the latest tools and libraries, and many of these just won’t install on SLED 10, so the first thing I did was upgrade to opensuse 10.2.

SLED 10 is actually ahead of opensuse 10.2 when it comes to integration. While the software may be older, the amount of integration testing and tuning is much greater with enterprise-level offerings. Frankly, given what I know about opensuse 10.2, I can’t wait for the next version of SLED. I still won’t use it, but for my non-technical co-workers, it will be a wonderful improvement.

Well, the devil (as they say) is in the details, so here they are:

Bluetooth Mouse

The bluetooth subsystem on Linux is called bluez. The bluez project is hosted by sourceforge.net. The trouble with the bluez web site and packages is (like many free software offerings) a woeful lack of both technical and non-technical documentation. The maintainers have done a great job of making it easy to build and install. Unpack the tarball, type “./configure; make; sudo make install” and you’re done. The makefile installs a dozen tools and libraries, and even man pages for most of them. The trouble is that there’s no overarching documentation that describes WHY you’d want to use any of them.

Most of the tools are fairly low-level, designed to be configured and consumed by system integrators to provide a good automated end-user experience. The problem, of course being that system integrators in the Linux world generally stop short of the finish line.

Bluetooth is designed to work with a wide variety of devices. Most of these fit into a few categories. Bluetooth mice, for instance, are classified as input devices. The bluez tool that deals with human interface devices is known as hidd – human interface device daemon. This daemon is a system service that is supposed to be started by your system init scripts at boot time. It can also be called by a user logged in as root in order to configure it to bind to your mouse.

If you look on the bottom of your mouse, you’ll see what looks like an ethernet MAC address – a six part, colon separated set of values, two hexadecimal digits each (mine is: 00:07:61:6b:92:13). You can tell hidd to bind to your mouse by using a command like this:

>sudo hidd --connect 00:07:61:6b:92:13

Another way of doing this, is to tell hidd to just search for all devices it can see:

>sudo hidd --search

But if you happen to have more than one mouse lying around, it may connect to the wrong one.

The trouble with opensuse 10.2 is that it’s about 89 percent there with respect to bluez integration. Sometimes this works, other times you have to resort to tricks like adding the above hidd --connect command to your initialization startup scripts, so that it will connect every time. The hidd daemon is designed to remember connections, and the latest offerings really do work, but you may have to play with it for a while to get it to work consistently.

Fingerprint Reader

Download the latest version of the thinkfinger package (0.3 at the time of this writing) from the sourceforge.net thinkfinger project site. The package is easily compiled and installed. From the root of the directory into which you extracted the package, just run the following sequence of commands:

>su
#./configure; make
#make install
#exit
>

Next, you’ll want to configure the PAM module that comes with the package so that you can log into your desktop using your fingerprint. PAM modules are configured using the /etc/pam.d/common-auth file. Edit this file with your favorite editor and add the following line BEFORE the line containing the reference to pam_unix2.so:

auth  sufficient  pam_thinkfinger.so

This will cause the PAM (Pluggable Authentication Modules) library to query the fingerprint reader each time a password is requested. But you’re only half done. You have to supply credentials in the form of .bir files. For this, you use the tf-tool command (as root):

>su
#tf-tool --add-user jcalcote
ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig <thoenig@suse.de>

Initializing... done.
Please swipe your finger (successful swipes 3/3, failed swipes: 1)... done.
Storing data (/etc/pam_thinkfinger/jcalcote.bir)...done
#exit
>

Note that your .bir file was stored as username.bir in the /etc/pam_thinkfinger directory. Now, if all has gone well, the login prompt should say, “Password or swipe finger:”, instead of simply “Password:”. You’ll also get a prompt like this at the command line when you type “su”.
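Why the line has to go before pam_unix2.so, as an added example (not code from the original post or from the ThinkFinger project): the script parses the auth lines of a common-auth file, checks the placement described above, and walks the stack with a simplified model of PAM's required/requisite/sufficient semantics. The sample file contents, including the pam_env.so line, and all function names are assumptions; bracketed control syntax is not handled.

```python
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: a common-auth after the edit described above.
COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth  required    pam_env.so
auth  sufficient  pam_thinkfinger.so
auth  required    pam_unix2.so
"""


def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines, in file order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1] not in SIMPLE_CONTROLS:
            raise ValueError("unsupported control: " + fields[1])
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def check_thinkfinger(stack):
    """List deviations from the placement the text asks for."""
    modules = [module for _, module in stack]
    if "pam_thinkfinger.so" not in modules:
        return ["pam_thinkfinger.so is not in the auth stack"]
    problems = []
    tf = modules.index("pam_thinkfinger.so")
    if stack[tf][0] != "sufficient":
        problems.append("pam_thinkfinger.so is '%s', not 'sufficient'" % stack[tf][0])
    if "pam_unix2.so" in modules and tf > modules.index("pam_unix2.so"):
        problems.append("pam_thinkfinger.so comes after pam_unix2.so")
    return problems


def evaluate(stack, results):
    """Walk the stack; results maps module name -> True/False.

    Returns (granted, modules consulted). Simplified model:
    'optional' modules never affect the outcome here.
    """
    failed_required = False
    passed = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "sufficient":
            # Success ends the walk, unless a required module already failed.
            if ok and not failed_required:
                return True, consulted
        elif control in ("required", "requisite"):
            if ok:
                passed = True
            else:
                failed_required = True
                if control == "requisite":
                    return False, consulted
    return passed and not failed_required, consulted


if __name__ == "__main__":
    stack = parse_auth_stack(COMMON_AUTH)
    print("placement problems:", check_thinkfinger(stack))
    swipe_ok = {"pam_env.so": True, "pam_thinkfinger.so": True, "pam_unix2.so": False}
    print("as configured:", evaluate(stack, swipe_ok))
    swapped = [stack[0], stack[2], stack[1]]   # thinkfinger after pam_unix2
    print("placement problems:", check_thinkfinger(swapped))
    print("swapped order:", evaluate(swapped, swipe_ok))
```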

ATI Video Drivers

The Lenovo T60p comes with an integrated ATI Mobility FireGL V5250 video card. The “Mobility” part means it’s for laptops, the FireGL part means it’s one of their high-end offerings (along side of, but slightly lower than the Radeon series), and the V5250 part means it’s close enough to a V5200 that it works with any drivers designed for the V5200 – and that’s a good thing, because the drivers don’t actually recognize the card model number.

At the time of this writing, the latest driver available on ATI’s web site was 8.41.7. The most difficult issue to deal with here is that ATI’s website driver guide will not lead you to the latest drivers for your card unless it’s a fairly late Radeon series card. This doesn’t mean the driver won’t work with your FireGL card – it just means that ATI hasn’t spent the testing resources on your card with that driver, so they aren’t going to lead you to it. Here’s the deal: Most of ATI’s drivers will work with most of their cards just fine – they’re all based on the same or similar chip sets, so the drivers can’t really tell the difference. If you want the latest features, you’ll have to just get the latest driver and see if it works with your card. In fact, I’ve found that the 8.41.7 driver does NOT work with my card, but the previous 8.40.4 driver works fine.

Drivers come from ATI in the form of an executable that runs either from the command line, or as a GUI-based application. This application is actually designed to build a variety of driver installation packages for several different flavors and versions of Linux. For instance, it can build an rpm package for opensuse or redhat. It can also build .deb packages for debian.

To use the driver generator, use the following command-line syntax:

>su
#sh ati-driver-installer-8.40.4-x86.x86_64.run --help          (optional)
#sh ati-driver-installer-8.40.4-x86.x86_64.run --listpkg       (optional)
#sh ati-driver-installer-8.40.4-x86.x86_64.run --buildpkg SuSE/SUSE102-IA32

This will generate an rpm installer package for your system. Note that the first two ati* commands are only for your information. The --listpkg option will display a list of all packages that CAN be generated by the package generator. Choose the one that’s closest to your system type. After this command has completed, you’ll find an rpm package named fglrx_7_1_0_SUSE102-8.40.4-1.i386.rpm in the same directory.

Here’s the tricky part. This installer is complicated. It actually builds a kernel module as part of the installation process, which means that you’ll have to have kernel source and development packages installed in order to install this package. So ensure that you have the appropriate kernel development libraries installed on your system.

The opensuse community and ATI itself provide a YUM repository for various flavors of the opensuse 10.2 kernel (found at http://www2.ati.com/suse/10.2 – note that this site is not accessible via the web – only through YUM). This package is NOT the same as the one you just generated. It’s pre-configured to run against a specific kernel version with a specific set of patches. Personally, I like the approach taken by this ATI package generator better. If you install kernel patches, you’ll either have to get matching updated community drivers, or simply reinstall from this rpm you just generated. It will rebuild the kernel module against the latest libraries and headers installed with those patches. If the kernel changes too much, then you’ll need to get a later ATI driver that’s designed to work with the latest kernel.

Now install the drivers with this set of commands (It’s best if you do this from a tty console – press Ctrl-Alt-F1):

Login: root
Password:
#init 3
#rpm -ivh  fglrx_7_1_0_SUSE102-8.40.4-1.i386.rpm
#sax2 -r -m 0=fglrx
#init 5

You should now be running with your ATI drivers. To test your configuration, open a terminal window, and type:

>su
#glxinfo

You should see the following lines among the output:

...
client glx vendor string: ATI
...
OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: ATI MOBILITY FireGL V5250
OpenGL version string: 1.2 (2.0.6747 (8.40.4))

ATI drivers are not as well integrated as they could be. They don’t hook into sax2 so that you can toggle settings and enable or disable 3D mode. However, they do allow you to configure clone and xinerama modes from sax2, if you want. This situation can cause some frustration until you understand it. Basically, 3D hardware acceleration can’t be disabled, regardless of what sax2 tells you its current state is.

To prove this to yourself, run the fgl_glxgears program that’s installed with the firegl drivers. You should see a spinning cube whose faces each contain a set of gears spinning within the plane of the face. You can’t do this in software, so if you have any sort of smooth performance in this demo, then you’re definitely running with hardware acceleration enabled. Note that there’s a more basic program called glxgears. This one shows a simple set of gears spinning in one plane.

Compiz to Beryl to Compiz-Fusion

Of course, after getting your 3D accelerated drivers installed, you’ll want to do something with your system that will prove the worth of all that effort every minute that you use your computer. This is where compiz comes in. You know all that yummy eye candy that Mac OSX provides for its user experience? Well, Linux isn’t that far behind. To quote the compiz.org home page:

“Compiz is a compositing window manager that uses 3D graphics acceleration via OpenGL. It provides various new graphical effects and features on any desktop environment, including Gnome and KDE.”

To enable the required OpenGL features, you’ll have to switch your display manager server from xorg to xgl. The default display manager server is the one that comes with the xorg system. It’s tried and true, and doesn’t often have a problem. In the vernacular, it’s stable. The xgl display manager server uses OpenGL to do everything done manually by the xorg server. The community calls xgl “experimental”, but the fact is it’s pretty good lately.

To change from xorg to xgl, you need to use your system configuration editor (YaST | System | /etc/sysconfig Editor). From the menu on the left, choose Desktop | Display Manager | DISPLAYMANAGER_XSERVER. Change the setting on the right from “Xorg” to “Xgl”.

Close your applications and restart XWindows by pressing Ctrl-Alt-Backspace. If everything comes up as before, then you’re set. Now go to your main menu and from the section entitled “Look and Feel”, select “Desktop Effects”. The information in this dialog is a bit disconcerting. It tries to tell you that you can’t enable desktop effects (compiz) because your hardware is not recognized. It also tries to tell you that 3D acceleration is not enabled. Don’t forget that ATI drivers have bypassed the sax2 hooks for this feature. So applications that use sax data to determine 3D acceleration state are going to be misled into believing it’s not enabled. But just select “Enable Desktop Effects” at the bottom anyway (if it’s not already done for you). When you exit this dialog, you should see your windows doing cool stunts (sometimes without your aid or approval).

Probably because of the “experimental” nature of Xgl, occasionally you will lose your window manager. The effects of this are simple – the title bars on all of the windows on your screen will disappear, making it difficult at best to accomplish anything. Easily remedied however – just restart XWindows (Ctrl-Alt-Backspace). Unless you’ve really hosed things up, it should restart the window manager correctly.

OpenSuSE 10.3

After all of that (and that took me a month of research), opensuse 10.3 was released on the 3rd of October. I’m a bleeding edge sort of guy (if you couldn’t tell by now), so I immediately upgraded my 10.2 system. Believe it or not, nearly everything worked without a lot of tweaking and configuring in opensuse 10.3.

The only problem I’m having at this point is with my wireless network card. I got myself into a situation where there were two entries for my wireless card in the Network Devices dialog. One of them came from the udev hardware detection subsystem, and was listed as “unconfigured”. The other was a copy of the detected card that was listed as “DHCP” (meaning, configured to use DHCP). When I would try to delete the configured entry, and then configure the detected entry, it would look good until I closed the dialog and then re-entered it, whereupon it would look as it did before. The solution to this problem finally presented itself accidentally, as I tried to do what I’d tried before, but in reverse order. That is, I first configured the detected card, and THEN deleted the originally configured card. For some reason, this worked.

One other problem I’m having with wi-fi is that I can’t seem to connect to my wireless network at work. At work, we have a wireless network with an unadvertised or “hidden” ssid – the network identifier. In order to connect to a network with a hidden ssid, you have to know the value of the ssid and specify it when you attempt to connect. I just can’t connect – I still can’t, and I haven’t got a clue why not. I can only assume there’s some sort of bug in the wireless drivers for 10.3 because I can connect just fine at home, where my ssid is advertised. I’ve googled this one for hours, but apparently no one else has had this problem, or they’re not speaking up. In truth, I did find some references to a problem like this last November – nearly a year ago, but it was quickly resolved with a patch to the wlan sub-system. Apparently, the bug is back with a vengeance – at least on my system.

But these things tend to sort themselves out in fairly quick order. People don’t like to go without network access, and whether or not they’re talking about it, this sort of defect is often more wide-spread than it appears at first glance.

Regarding ATI video drivers and opensuse 10.3: ATI provides a web-based repository for 10.3 drivers alongside their 10.2 repository, but be aware that it provides an rpm package with the 8.41.7 drivers. You’ll perhaps recall that these drivers didn’t work with my V5250 FireGL card, and this repository version is no exception. I tried them, and then had to back off to the 8.40.4 drivers. YMMV.

The bluetooth subsystem is substantially enhanced on 10.3. I was able to bind to my mouse using (get this) a GUI interface! If you’re coming from a Windows background, you’re no doubt laughing, but then I’m not talking to you, am I? 🙂

The fingerprint reader actually has a YaST panel plugin in 10.3. The installer detects the fingerprint reader and ensures that the appropriate packages are installed, so you don’t have to go looking for it.

Despite the fact that both bluetooth and biometric hardware integration are much better in 10.3, I still upgraded these two packages from bluez and thinkfinger – probably because I’m a glutton for punishment. But the latest packages do provide some small bit of extended functionality.

All in all, I’m so pleased with my opensuse 10.3 laptop that my co-workers think I’m weirder than I really am, walking around the office with a big grin on my face. But they’re not laughing at me when I show them something cool that my machine can do that theirs can’t.