Planet Sysadmin               

The Stockholm IETF meeting is shaping up to be an interesting one (and not just because it’s in such a beautiful city).

As announced on the mailing list, we are having a HTTPbis working group meeting. It looks like all of the editors will be there as well, so we’ll have a chance to get good feedback from the community, as well as move forward on the documents in between other meetings.

Additionally, I’m helping to arrange a couple of informal meetings:

The IETF/W3C Liaison has been discussing issues surrounding IRIs for a little while now, and we’re holding an IRI Bar BoF (informal meeting that’s often but not always in a bar) to get more involvement from the wider community (including the IDNAbis effort) so that we can figure out the appropriate standards actions.

I’m particularly interested in this one, since a lot of XML efforts (e.g., Atom) are reflexively using IRIs instead of URIs wherever they can — including cases where they’re not intended for display to humans — even though supporting them is potentially a lot trickier.

There’s also been a fair amount of recent discussion around Atom extensions and revisions, so we’re arranging an Atom Bar BoF as well. My personal feeling is that revising Atom to account for non-blog use cases is necessary, although the energy that the community has to devote to it is probably low. Should be an interesting discussion.

See you there!

Cherokee is a very fast, flexible and easy to configure Web Server. It supports the widespread technologies nowadays: FastCGI, SCGI, PHP, CGI, SSI, TLS and SSL encrypted connections, Virtual hosts, Authentication, on the fly encoding, Load Balancing, Apache compatible log files, Data Base Balancing, Reverse HTTP Proxy, Traffic Shaper, Video Streaming and much more.
(...)
Read the rest of Howto install Cherokee web server with MySQL, PHP support on Jaunty (364 words)

---

© admin for Ubuntu Geek, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: Cherokee web server, Cherokee web server ubuntu, install Cherokee web server ubuntu, install Cherokee web server ubuntu jaunty, Server

Related Articles

• Securing SSH Using Denyhosts (8)
• Install GUI in Ubuntu Server (9)
• How to install Vmware server From Canonical commercial repository in Ubuntu Feisty (79)
• Money Manager Ex – Cross-platform, easy-to-use personal finance software (4)
• Securely Administer Your Ubuntu Server Remotely (1)
• Ubuntu Server:Install GUI and Webmin in Ubuntu 8.10 (Intrepid Ibex) Guide (25)
• Mount a Remote Folder using SSH on Ubuntu (12)
• Ubuntu manpages repository (1)
• MySQLTuner – High-performance MySQL tuning script (0)

Over the last week I've been up in Birmingham catching up with some old friends and attending some talks at the little get together of around 450 Pythonistas that was EuroPython 2009.

This was my second Python conference. The first was PyCon 2008, which was so well organised (by many of the same team as this years EuroPython) that I was inspired to come back. And I wasn't disappointed. There were a lot of very good talks, some that have planted seeds that I'll have to come back and try to find the time to look at and some that showed me things I plan on using in the very near future (such as py.test).

The atmosphere was topnotch. Everyone seemed friendly, the speakers were approachable and after spending the evening with so many people working on so many things it was a pleasure to get back to the room and make sure I actually did something technical before bed.

It's a wonderful feeling to come away from a conference feeling motivated to try new technologies and all I need to do now is actually schedule some time actually write some Python code...

The organisers did a great job and I'll be back next year.

Like this post? - Digg Me! | Add to del.icio.us! | reddit this!

The registration process for my TCP/IP Weapons School 2.0 class at Black Hat USA 2009 continues to be active, with seats almost gone in the weekday version. The weekend version has open seats. If you'd like more details, please see my post Black Hat Class Outline Posted.

I was invited to be a panelist for The Laws of Vulnerabilities Research Version 2.0: Comparing Critical Infrastructure Industries, a description of which is posted at the Black Hat Briefings speaker list. Because I'm busy during the 10 am panel time on day 1, I won't have to make the decision about which great talk I'll miss at that time! I mean, Billy Hoffman, FX, Rod Beckstrom, Dino Dai Zovi, and Chris Gates all at the same time?

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

In my Predictions for 2008 I wrote Expect greater military involvement in defending private sector networks. Today I read a great Washington Post story titled Obama Administration to Involve NSA in Defending Civilian Agency Networks. It says in part:

The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site...

President Obama said in May that government efforts to protect computer systems from attack would not involve "monitoring private sector networks or Internet traffic" and Department of Homeland Security officials say that the new program will only scrutinize data going to or from government systems...

Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the pilot called for telecommunications companies to route the Internet traffic of civilian government agencies through a monitoring box that would search for and block malicious computer codes...

The internal controversy reflects the central tension in the debate over how best to defend the nation's mostly private system of computer networks. The most effective techniques, experts say, require the automated scrutiny of e-mail and other electronic communications content -- something that commercial providers already do.

Proponents of involving the government said such efforts should harness the NSA's resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said.

"That's the secret sauce," one official said. "It's the stuff they have that the private sector doesn't."

But it is also the prospect of NSA involvement in cybersecurity that fuels concerns of unwarranted government snooping into private communications...

The classified NSA system, known as Tutelage, has the ability to decide how to handle malicious intrusions -- to block them or watch them closely to better assess the threat, sources said. It is currently used to defend military networks.

You're thinking, "this article says NSA will not monitor purely private networks. What's the fuss?" Imagine you're the CEO, CIO/CTO, or CISO of a big company. You say "why is my company and our employees paying taxes so that the government can protect itself while my company is left outside the circled wagons?" The higher you go in corporate management, the more likely the only "security" that will be recognized will be "firewalls." So, you're going to have big-league corporate leaders telling the government that they want their companies "protected" too. This isn't really what is happening, but at that level it really doesn't matter.

The bottom line is that first the military protected itself, and now the military is going to help protect civilian government agencies. Critical private infrastructure will be next, followed by economically important companies -- think "too big to be 0wned." This will be interesting.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Amazon.com just posted my four star review of Hacking Exposed: Windows, 3rd Ed. Better late than never! From the review:

I've been reading and reviewing Hacking Exposed (HE) books since 1999, and I reviewed the two previous Windows books. Hacking Exposed: Windows, 3rd Ed (HEW3E) is an excellent addition to the HE series. I agree with Chris Gates' review, but I'd like to add a few of my own points. The bottom line is that if you need a solid book on Windows technologies and how to attack and defend them, HEW3E is the right resource.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

This is yet another my first time story collection whereby I successfully upgrading HP Proliant BL460c firmware from Linux. There are 3 firmwares to be upgraded; BIOS - System ROM, Lights-Out Management (aka iLO) and Storage Controller. This machine is running RHEL 5.2 and all of the firmwares were upgraded ‘online’ from operating system itself. BIOS [...]

This guide works for the gnome desktop manager (used by Ubuntu and other Linux distributions).

First we go to Gnome-looks. This is a large collection of themes and other artwork that can be used to make gnome look any which way you like. From there we select and download a theme. Since many people have asked what theme I use, I chose my theme, SlicknesS-black, for the example. Once we’ve downloaded our theme and saved it to the desktop, we will then extract it to the desktop.

Once it is extracted, in the terminal we enter the following commands to copy the theme files to the shared theme directory (where the themes manager looks for it) and change the permissions to make it available to all users of the computer:

$ sudo cp -r $HOME/Desktop/SlicknesS-black /usr/share/themes
$ sudo chmod 755 /usr/share/themes/SlicknesS-black/Sluckness-black.jpg

Remember, file and directory names are case-sensitive in Linux, so be careful to use the correct case.

Next we open the theme manager (in this case System -> Preferences -> Appearance -> Themes) and we should see our new theme listed there!

For Ubuntu users only - you may notice if you choose to install SlicknesS-black an error that states the engine “ubuntulooks” is not found. If that is the case enter the following command in the terminal to install the missing theme engine:

$ sudo apt-get install gtk2-engines-ubuntulooks

Enjoy your new theme!

(The wallpapers I use can be found at beautifulfractals and are available under the Creative Commons license)

---

  Follow me on Twitter and check out my blog.

My recent visit to Brazil was a wonderful validation of the belief that I've held for more than 20 years: if you give people a better way to do things, they'll do better things. The Brazilian government continues to expand its adoption of open source, both across more and more ministries and deeper within each ministry. I had the pleasure of talking with one of Brazil's top IT strategists, and she told me some very interesting things, both encouraging and alarming.

read more

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Straighten brake rotor.JPG" src="http://blog.makezine.com/archive/2009/07/01/Straighten%20brake%20rotor.JPG" width="600" height="450" class="mt-image-none" style="" /></span></p> <p>My dad recently took a minor tumble on his motorcycle. He's fine, but the bike was banged up a bit, including a bent brake rotor. Consensus among his buddies in the <a href="http://www.magnaownersoftexas.com/main.htm">Magna Owners of Texas</a> was that the rotor would have to be replaced, but of course they're pricey, and since the rotor was "shot" anyway, Dad figured he might as well try to straighten it and see what happened.</p> <p>Here's what he did, in his own words:</p> <p><BLOCKQUOTE>Since I had mounted the tire/wheel on the axle in my vice to polish the wheel, it was a simple matter to rig up the "feeler" shown in the first picture to check out the rotor flatness. Just a piece of copper wire about AWG 7 to 9 or thereabouts -- I had in my electrical junk box. With a light behind the setup, one can use the reflection of the end of the wire from the rotor surface to obtain a very sensitive indication of warp when one spins the tire/wheel. Brought it back to planar using a soft face (brass) hammer. Go slow, it takes some time. "Sneak up on it" by whacking gently, measure, whack a little harder, measure, etc. until it yields just a bit.</BLOCKQUOTE></p> <p>Then, concerned that the rotor needed to be flatter than he could detect with the naked eye, he rigged up a second jig to test it:</p> <a href="http://blog.makezine.com/archive/2009/07/motorcycle_brake_rotor_repair_kludg.html?CMP=OTC-0D6B48984890" />Read more</a> | <a href="http://blog.makezine.com/archive/2009/07/motorcycle_brake_rotor_repair_kludg.html?CMP=OTC-0D6B48984890" /> Permalink</a> | <a href="http://blog.makezine.com/archive/2009/07/motorcycle_brake_rotor_repair_kludg.html?CMP=OTC-0D6B48984890#comments" />Comments</a> | <a href="http://blog.makezine.com/archive/transportation/?CMP=OTC-0D6B48984890" />Read more articles in Transportation</a> | <a href="http://digg.com/submit?url=blog.makezine.com%2Farchive%2F2009%2F07%2Fmotorcycle_brake_rotor_repair_kludg.html&title=Motorcycle%20brake%20rotor%20repair%20kludge&bodytext=Drilled%20and%20tapped%20for%20the%20screw%20and%20drilled%20a%20clearance%20hole%20for%20the%20mount%20bolt.At%2020%20threads%20per%20inch%2C%20that%20would%20be%20.050%26quot%3B%20per%20turn.%20%20So%20.01%26quot%3B%20would%20be%201%2F5%20of%20a%20turn.%20%20Put%20on%20a%20standard%20six-flat%20nut%20for%20reference.%20%20Turn%20less%20than%20one&topic=tech_news" />Digg this!</a>

Ever since the new Google Blog Search homepage launched, we've been fielding requests for a myriad of different features. Today we're happy to announce the launch of our most requested feature: RSS and Atom feeds. Simply click on the links under "Subscribe" in the left-hand column of the Blog Search front page to subscribe to any topic or story in any feed reader, like Google Reader.

If you don't use a feed reader, we're also offering an iGoogle gadget that lets you embed the Blog Search front page right inside of your iGoogle page or any other page where iGoogle gadgets are accepted. You can browse topics and drill into stories from within the widget, and you can customize the gadget to choose which topics you want to follow.

With these new ways to read Blog Search stories, you might think our homepage was going unloved, but not to worry. We've also added two new features to the Blog Search homepage to better help you discover what people are talking about right now on the web: Hot Queries and Latest Posts.

Hot Queries lists searches currently popular in Blog Search — it's an easy way to quickly dive into the trending points of conversation on the web. Latest Posts, on the other hand, shows new posts from popular blogs. While Hot Queries highlights what people are looking for, Latest Posts lets you find out about stories even before people start searching for them.


There's a lot of great, fresh content being published in blogs every day. We hope these new features help you discover more of it, faster.

Posted by Akshay Patil, Software Engineer, & Dylan Casey, Product Manager

I finally decided to upgrade my cell phone to one that supports the web and email.  I settled on an LG enV3 in slate blue.  One of the pages I frequently check is my comments page, and as I had taken care to ensure that the markup degraded gracefully, the page displays adequately on my mobile device — with one obvious annoyance that surprised me.

To read the comments, I have to horizontally scroll.  Usability significantly improves if I add the following to my CSS:

body {width:320px}

Now, clearly I don’t want all user agents to format the page with a 320px width.  My preferred approach would be to solve this in the CSS.  The first thing I tried was media="handheld", but sadly the results showed that this was ignored.

I tried Media Queries, but they too were ignored.  This opens up the possibility of styling by default a limited width and only utilizing the full width on browsers that support Media Queries.  Firefox 3.5 being one such browser.  Firefox 3.0.11 doesn’t have such support.  My conclusion is that this isn’t widely enough supported for me to depend on it.

I may end up having to do conneg.  Available headers include:

HTTP_X_WAP_PROFILE: "http://uaprof.vtext.com/lg/vx9200/vx9200.xml"
HTTP_ACCEPT_CHARSET: utf-8, utf-16, us-ascii, iso-8859-1
HTTP_USER_AGENT: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 320X240 LGE VX9200
HTTP_VIA: 1.1 Comverse 4.5
HTTP_ACCEPT: text/html, application/xhtml+xml, multipart/mixed, multipart/related, */*
HTTP_ACCEPT_LANGUAGE: en; q=1.0, en, *; q=0.5
HTTP_ACCEPT_ENCODING': gzip, deflate

A while back, I talked about hiring another administrator. That process is currently happening and progressing nicely.

If anyone reading the blog applied, thank you. If you didn't receive a call, it is probably because you were far more overqualified than we were looking for. It's a sign of the bad economy that we're having people with 20 years experience applying for junior positions. I hope this turns around for everyone's sake.


Also, even longer ago, I presented a survey which asked an optional open-ended question. What would you do to improve the blog. Well, I hope you're not too attached to how this blog looks right now, because some time over the weekend, it's going to change quite a bit. This new iteration will require you to update the URL for the RSS feed if you're a subscriber.

To facilitate an easier transition, I'm going to be continuing to publish articles here in addition to the new site, so RSS subscribers who haven't caught the news aren't left in the dark. You will automatically be redirected to the new site if you visit this address, though. My plan for it is to be seamless for people visiting, and nearly painless for subscribers. I have no doubt that you'll let me know how it affects you and if something isn't working.

Here's where the fun begins...

The July issue of the OSBR is now available in PDF and HTML formats. The editorial theme this month is Collaboration and the authors include:

• stamen design | Oakland Crimespotting update: the pie of time
  Another novel way of slicing data / content: time of day.
  (categories: interaction timeline ui infoviz stamen time )

• The Hacker Chick Blog: Plane Crashes, Software Failures, and other Human Errors
  Quote: "… errors occur most often when a senior, experienced person is performing. In other words, even in these highly trained professions, it is not just about being skilled or knowledgeable enough – in fact, the more skilled you are, the more it can hurt you!"
  (categories: aviation communication management )

• KeyView IDOL & Connectors
  Currently connecting to over 400 content repositories and supporting over 1,000 file formats, Autonomy is uniquely able to aggregate and index any form of structured, semi-structured and unstructured data into a single index, regardless of where the file resides.
  (categories: connector aggregator content indexing search )

• ISYS File Readers | Document Filter Alternative to INSO, KeyView and More
  The newly released ISYS File Readers are an embeddable set of document filters for extracting text from any of the 200-plus, ISYS-supported file, container and email formats. Providing customers with a powerful and proven alternative to open-source options and similar solutions from INSO and KeyView, the ISYS File Readers are aimed at addressing the unique document filter and information access needs of applications that range from e-discovery and forensic analysis to open source search tools like Lucene.
  (categories: lucene java file search indexing extraction )

• Ajaxian » MySpace open sources advanced browser performance tool for IE
  Wow: Measure the CPU hit and memory footprint of your pages as they render on the client’s browser.
  (categories: ie javascript performance browser tools myspace )

I'm in the process of working on, and improving, test suite support in TestSwarm (an upcoming project of mine). However, there isn't a lot of information on which unit testing frameworks developers actually use to test their code (whereas there is more information on which JavaScript libraries are used).

It will be of great help to me if you could quickly fill out the question below. I will release the results of the survey as soon as possible. Thanks!

» Which JavaScript Unit Testing Frameworks do you use?

Loading...

More information on the frameworks listed above:

• JSUnit
• Selenium Core
• JSSpec (MooTools)
• UnitTestJS (Prototype)
• QUnit (jQuery)
• DOH Unit Testing (Dojo)
• YUITest 2
• YUITest 3
• Mochitest
• ScrewUnit
• JsUnitTest
• jsUnity
• JsTestDriver
• Crosscheck
• Env.js
• FireUnit

An effective Linux desktop is made up of various sets of software, using various programming languages, paradigms, toolkits, and more. The two major desktop environments competing for top dog are obviously KDE and GNOME. I've been using KDE since the 2.x days, and it was X-Windows before that. I have to admit that KDE4 is bringing a lot of improvements in desktop usability, but there's a lot of non-KDE programs out there that I use on a daily basis that simply don't work as nicely as I'd like to see.

• Firefox - My only real complaint about Firefox is the lack of support for the QT toolkit. Yes, there is a project going on to port it over to QT... sadly, the progress is slow and the usability isn't there yet.
• Thunderbird - KMail isn't that bad, but it randomly crashed on me. For that reason, I use Thunderbird. Again, no QT support. My other complaint is that the "Message Checker" plasmoid doesn't support Thunderbird for checking mail.
• Pidgin - Kopete doesn't stand a chance against Pidgin. It's a more solid codebase, and much more widely supported. I think Kopete would benefit more if they build a QT client for libpurple, Pidgin's backend.
• OpenOffice.org - This has shown the most improvement in this area over all the other programs I've listed so far. QT4 support finally arrived a week or so ago, and now I'm just waiting for Gentoo to update Portage. KOffice is a very nice office suite, but OpenOffice.org is a much more robust application.

Reasons such as those above are what have sparked my interest in developing a QT4 client for XMMS2. I'm hoping that in the near future we'll see more KDE/QT4 compatibility with some of these programs I've listed.

When I first began using Linux quite some time ago, I remember thinking to myself WTF is all this stuff in /boot. There were files related to grub, a file called vmlinuz, and several ASCII text files with cool sounding names. After reading through the Linux kernel HOWTO, the /boot directory layout all came together, [...]

• Cooliris | Discover More

While the need for security and integrity is well-recognized, it is less often well-implemented. Security assessments and industry reports regularly show how sporadic and inconsistent security configurations become for organizations both large and small. Published recommended security practices and settings remain unused in many environments and existing, once secured, deployments suffer from atrophy due to neglect.

Why is this? There is no one answer. Some organizations are simply unaware of the security recommendations, tools, and techniques available to them. Others lack the necessary skill and experience to implement the guidance and maintain secured configurations. It is not uncommon for these organizations to feel overwhelmed by the sheer number of recommendations, settings and options. Still others may feel that security is not an issue in their environment. The list goes on and on, yet the need for security and integrity has never been more important.

Interestingly, the evolution and convergence of technology is cultivating new ideas and solutions to help organizations better protect their services and data. One such idea is being demonstrated by the Immutable Service Container (ISC) project. Immutable Service Containers are an architectural deployment pattern used to describe a platform for highly secure service delivery. Building upon concepts and functionality enabled by operating systems, hypervisors, virtualization, and networking, ISCs provide a secured container into which a service or set of services is deployed. Each ISC embodies at its core the key principles inherent in the Sun Systemic Security framework including: self-preservation, defense in depth, least privilege, compartmentalization and proportionality. Further, ISC design borrows from Cloud Computing principles such as service abstraction, micro-virtualization, automation, and "fail in place".

By designing service delivery platforms using the Immutable Service Containers mode, a number of significant security benefits:

• For application owners:
  • ISCs help to protect applications and services from tampering
  • ISCs provide a consistent set of security interfaces and resources for applications and services to use
• For system administrators:
  • ISCs isolate services from one another to avoid contamination
  • ISCs separate service delivery from security enforcement/monitoring
  • ISCs can be (mostly) pre-configured by security experts
• For IT managers:
  • ISCs creation can be automated, pre-integrating security functionality making them faster and easier to build and deploy
  • ISCs leverage industry accepted security practices making them easier to audit and support

It is expected that Immutable Service Containers will form the most basic architectural building block for more complex, highly dynamic and autonomic architectures. The goal of the ISC project is to more fully describe the architecture and attributes of ISCs, their inherent benefits, their construction as well as to document practical examples using various software applications.

While the notion of ISCs is not based upon any one product or technology, an instantiation has been recently developed using OpenSolaris 2009.06. This instantiation offers a pre-integrated configuration leveraging OpenSolaris security recommended practices and settings. With ISCs, you are not starting from a blank slate, but rather you can now build upon the security expertise of others. Let's look at the OpenSolaris-based ISC more closely.

In an ISC configuration, the global zone is treated as a system controller and exposed services are deployed (only) into their own non-global zones. From a networking perspective, however, the entire environment is viewed as a single entity (one IP address) where the global zone acts as a security monitoring and arbitration point for all of the services running in non-global zones.

As a foundation, this highly optimized environment is pre-configured with:

• non-executable stack
• encrypted swap space (w/ephemeral key)
• encrypted scratch space (w/ephemeral key)
• security hardened operating system (global and non-global zones)

Further, the default OpenSolaris ISC uses:

• Non-Global Zone. Exposed services are deployed in a non-global zone. There they can take advantage of the core security benefits enabled by OpenSolaris non-global zones such as restricted access to the kernel, memory, devices, etc. For more information on non-global zone security capabilities, see the Sun BluePrint titled "Understanding the Security Capabilities of Solaris Zones Software". Using a fresh ISC, you can simply install your service into the provided non -global zone as you normally would.

  Further in the ISC model, each non-global zone has its own encrypted scratch space (w/its own ephemeral key), its own persistent storage location, as well as a pre-configured auditing and networking configuration that matches that of the global zone. You do not need to use the encrypted scratch space or persistent storage, but it is there if you want to take advantage of it. Obviously, additional resource controls (CPU, memory, etc.) can be added as necessary. These are not pre-configured due to the variability of service payloads.

• Solaris Auditing. A default audit policy is implemented in the global zone and all non-global zones that tracks login and logout events, administrative events as well as all commands (and command line arguments) executed on the system. The audit configuration and audit trail are kept in the global zone where they cannot be accessed by any of the non-global zones. The audit trail is also pre-configure d to be delivered by SYSLOG (by default this information is captured in /var/log/auditlog).
• Private Virtual Network. A private virtual network is configured by default for all of the non-global zones. This network isolates each non-global zone to its own virtual NIC. By default, the global and non-global zones can freely initiate external communications, although this can be restricted if needed. A non-global zone is not permitted to accept connections, by default. Non-global zone service s can be exposed through the global zone IP address by adjusting the IP Filter and IP NAT policies (below).
• Solaris IP NAT. Each non-global zone is pre-configured to have a private address assigned to its virtual NIC. To allow the non -global zone to communicate with external systems and networks, an IP NAT policy is implemented. Outgoing connections are masked using the IP address of the global zone. Incoming connections are redirected based upon the port used to communicate. Beyond simple hardening of the non-global zone (a state which can be altered from within the non-global zone itself), this mechanism ensures that the global zone can control which services are exposed by the non-global zone and on which ports.
• Solaris IP Filter. A default packet filtering policy is implemented in the global zone allowing only DHCP (for the exposed network interface) and SSH (to the global zone). Additional rules are available (but disabled) to allow access to non-global zones on an as-needed basis. Further, rules are implemented to deny external access to any non-global zone that has changed its pre-assigned (private) IP address. Packet filtering is pre-configured to log packets to SYSLOG (by default this information is captured in /var/log/ipflog).

So what does all of this really mean? Using the ISC model, you can deploy your services in a micro-virtualized environment that offers protection against kernel-based root kits (and some forms of user-land root kits), offers flexible file system immutability (based upon read-only file systems mounted into the non-global zone), can take advantage of process least privilege and resource controls, and is operated in a hardened environment where there is a packet filtering, NAT and auditing policy that is effectively out of the reach of the deployed service. This means that should a service be compromised in a non-global zone, it will not be able to impact the integrity or validity of the auditing, packet filtering, and NAT configuration or logs. While you may not be able to stop every form of attack, having reliable audit trails can significantly help to determine the extent of the breach and facilitate recovery.

The following diagram puts all of the pieces together:

Additional private virtual networking models are also being considered. All in all, the ISC model offers a very compelling deployment model. The accessiblity and attractiveness of this model is further enhanced by the availability of an ISC construction kit that allows you to take an OpenSolaris 2009.06 system and convert it to the ISC model with a single command. Sound interesting? Give it a try, come join the project and be sure to send along your feedback !

When it comes to Unix diagnostics I was raised the old fashion way, with iostat, vmstat and similar tools. However times change and tools evolve. dstat, while not as comprehensive as using all the tools one by one, provides a wide range of system performance details in an easy to use package.

While it's useful enough in its default state there is even more functionality lurking just below the surface. To see which other modules are available (but are not enabled by default) run dstat -M list. To add an extra module to the output use a command like this one: dstat -a -M topmem -M topcpu

As part of my growing use of the tool I've started to write my own little dstat plugins. I was pleasantly surprised at how easy they were to write and deploy even with my basic python skills. While the memcached plugin was a proof of concept I've not needed much I've found the process count plugin to be very handy.

dstat is becoming one of the overview tools I use when investigating performance issues and it's worthy of a place in your toolbox too.

Like this post? - Digg Me! | Add to del.icio.us! | reddit this!

For a few years now at work we've been using a patched version of PHP, one those patching featuring type hinting. Over time this proved to be a very handy feature that allows for a much more readable code and introduces a language based validation layer to ensure that the right data types are getting to your functions and methods. It also caught numerous bugs due to functions returning or passing un-expected values. Best of all this feature does not require any changes on the part of opcode caches (essential component for PHP performance) and allows for simple deployment.

I and other people have tried a number of times in the past to introduce type hinting into stock PHP, but unfortunately have never been successful. On a general level most people agree it would be a good idea to have, since it is an optional feature and does not introduce any regressions, heck you can even mix type hinted code with the non-type hinted one. The "PROBLEM" has always been combining of PHP's typeless nature with type hinting, which is where the consensus has been difficult (impossible) to reach. To illustrate the problem let's consider the following:

function foo(int $bar) {}

Some people would expect that passing "1" (string containing number 1) would be accepted by function foo() and not raise any type errors, since in PHP typically, numbers within strings are considered to be perfectly valid numbers ("1" + "1" == 2). Hence the conflict, some people (I am a part of that group) think that type hinting should be strict, while others think it should be more permissive to be inline with PHP's fluid nature.

With introduction of PHP 5.3 and free day in the middle of the week (Happy Canada Day to all Canucks) I've decided to port my internal patch to 5.3 and introduce a new 'feature' to it to hopefully bridge the divide. I've added a IS_NUMERIC (numeric) type hint that allows the script author to designate a parameter as having to be number, meaning input of type boolean, long or float as well as strings containing purely numbers will be accepted. This means if were to rewrite my previous function as:

function foo(numeric $bar) {}

Then calling foo("112"); would perfectly valid. To further extend basic type hinting support I've also added IS_SCALAR (scalar) type hint that allows a parameter to be designated as scalar, which means it'll accept any boolean, float, string or integer value.

The patch is available here: http://ia.gd/patch/type_hint_53.txt

I've also posted it to the internals list in the hope of gathering enough support on the part of PHP developers and users to have it added to 5.3 and future releases of PHP.

It should be noted that this is not the first idea for type hints, that credit goes to Hannes Magnusson who had posted a similar patch on the internals list back in 2006. Also, back in 2008 Felipe Pena wrote a complete RFC on type hinting with patches and even test.

Agile Web Development with Rails, 3rd Edition is about to have its third printing.  Translations are under way for Chinese, Japanese, Korean, and Spanish.

One thing I wasn’t aware of before participating in the development of this book is that printers have an opportunity to address errata in each printing.  I don’t know how widespread this practice is, but this is definitely something that Pragmatic Programmers takes advantage of.  The ground rules on what changes are allowed are a bit flexible, but in general work out to be something along the lines of “no new features” (i.e., bug fixes only) and “don’t affect pagination”.  Process wise, I make changes to the source, provide a diff to a layout editor who verifies the layout and makes tweaks as necessary (e.g., adjusting inter-line spacing if necessary to ensure that changes are localized), and the results are sent off to the printer.

Other changes are fodder for a new edition (or possibly even a new title).  Examples of this include the changes required to use this book with Rails 2.3.2.

What would I like to see in a follow-on to this book?

• First, basic hygiene.  All the examples should be changed so that they work without any deprecation warnings against the first 3.0 public release of Rails.  Given that Yehuda Katz is now actively monitoring these tests, this should not be an issue.  This brings up a naming issue, as a fourth edition of this book being the one that targets the third release of Rails is a point of confusion.  Those that remember the early days of the NEcho wiki know that I suck at naming, so I’m happy to leave this problem to others.
• Second, widen the base.  The first edition of this book had a near cult following from a number of Rails enthusiasts, so the introduction to Ruby tucked into the back was sufficient, and perhaps even overkill.  Based on the errata I have seen, it now is a necessity, and should both be moved into the front of the book and updated to specifically target refugees from other languages. But I mean more than that.  It is clear that a number of readers have never found the command line (translation for Mac users: Terminal.app).  A few pages on that topic, as well as another couple on SQL would go a long way.
• Third, pruning.  This book contains in depth coverage of topics aren’t fundamental or are no longer exemplary (e.g. database constraints, data migrations, active record based sessions, non-REST routing, non AR objects in sessions, non AR objects in forms, forms without underlying models, ...).  At a minimum, these topics should be deemphasized by being moved later in the book.  In some cases, they should be moved outside the book entirely (fodder for future “recipe” books perhaps).  Additionally, over time, the state of Rails documentation has improved, so this book can afford to reference the documentation more.
• Fourth, refactoring.  This book starts with scaffolding, and then takes a walk through a number of Rails features.  As Rails is getting more modular, a more phased introduction is possible.  one could imagine a book that starts out with a “we don’t need no steenken framework” approach to life, and starts out with a single file (Sinatra style) application, and then one by one adds in a Rails feature, explores what benefits (and tradeoffs) that feature provides.  Initially, the approach could stay entirely with Rails defaults, and then once that is complete, subsystems can be swapped out or augmented.  Concretely, this could mean starting with an XML file on another machine with products that needs to be parsed and stored in a database.  This could start with no Rails (coding direct to SQLite3), substituting in ActiveRecord.  Introducing Rack, then Metal, then ActionController::Http, ... eventually dovetailing with the current Depot application.  When Depot gets to the point where it generates XML, it won’t seem so random.  And when we get to ActiveResource, it will complete the loop as it will essentially be parsing the XML with zero code.
• Fifth, radical refactoring.  This is the part that is most speculative, and may not be successful.  I’ve talked about eliminating or moving forward the appendixes.  I’ve talked about pruning the “Rails In Depth” chapters.  If the remainder of these chapters could be made small enough, they could be integrated with the chapters in Depot where these concepts are introduced.  Additionally, the very first Rack based-application could be automated using whenever, tested using Rack-Test, deployed using Capistrano, establishing best practices early on.  I’ll be honest: while this is highly desirable, it is also a considerable challenge.  If the end result is that this overwhelms the coverage of Rails it ends up being a disservice and a distraction.  I definitely don’t want to get to the point where you have to get 2/3rds of the way through the book before you learn about scaffolding.

Hopefully, this work can get underway by the end of the month and be complete as near as possible to the first public release of Rails.

I mentioned in a previous post that I was using the Linux flock utility to ensure that only one copy of yum would run at any given point in time (well, theoretically someone could call yum from outside of the script, but there are only so many use cases you can protect against). The lock [...]

I love labels in Gmail. Most email programs use folders, which only let me put mail in one place at a time. With labels, I can organize mail in multiple ways. Combined with filters to automatically label incoming messages, Gmail offers powerful ways to organize email.

When I joined the Gmail team, I was surprised to learn that only 29% of Gmail users had created any labels. At first, I thought perhaps conversation threading and search made the need to organize our mail less important. But when we talked to people who use Gmail, we got a different story. People often asked us to add folders to Gmail, assuming no system of organization existed. As one person said in a usability study, "What are labels... and where are my folders?"

We realized that if you didn't know about labels, it would be easy to assume Gmail had no way to organize your mail. Not only were "labels" unfamiliar, they were kind of hidden. So, we set out to make labels more accessible, as well as more powerful. Most of the changes have been in Gmail for a while, but we're adding some new features today. We thought you'd enjoy a peek at the method to our madness.

The first thing we did was make labels look more like the sticky notes you use in real life. Making the interface mimic things you interact with outside the computer can sometimes improve ease of use.


We also made it easier to remove a label from an open conversation:


Then we worked on the actions you take to apply and remove labels. Before, to put a label on a message, you had to look under "More actions> Apply label." Not only was this option hidden in a generic menu, but the language wasn't what people are familiar with when it comes to organizing mail. We explored several alternatives:

My newest column is up at Simple Talk Exchange. It's called "Manage Stress Before it Kills You.

It starts out with a true-to-life story of something that happened to me one night. It was scary, but it did let me know that something was wrong. My advice is to manage your stress before it gets to this point, because it isn't an enjoyable experience.

Please make sure to vote up the article if you like it! Thanks!

Blended threats. Payload viruses. Spam. If you're one of the more than 15 million people whose work email is protected by Postini's email security products, we hope you don't spend a lot of time thinking about these things. And if we're doing our job right, they certainly shouldn't be showing up in your inboxes. But we process more than 3 billion business emails per day for our customers, culling the spam, viruses, and other threats out, so we do think about this stuff. A lot.

On occasion, we like to share some of what we've learned, so that those of you who are interested can see what spammers are up to. If you're one of those people, head over to our Enterprise Blog for an update on spam trends over the past few months.

Posted by Ellen Leanse, Google Enterprise team

• Real-time systems hurting long-term knowledge?
  Quote: "The other night Jeremiah Owyang told me that thought leaders should avoid spending a lot of time in Twitter or FriendFeed because that time will be mostly wasted. If you want to reach normal people, he argued, they know how to use Google.

And if you want to get into Google the best device — by far — is a blog. Yes, FriendFeed is pretty darn good too (it better be, it was started by a handful of superstars who left Google to start that company) but it isn’t as good as a blog and, Jeremiah argues, my thoughts were lost in the crowd most of the time anyway."
(categories: twitter facebook realtime search blogging )

• Free Utility: RichCopy, an Advanced Alternative to RoboCopy

Another quikie copy/paste kind of thingy…

You may set your search path automatically each time you log in, by placing the appropriate “set path” command in your “.login” file. (To learn more about the .login file, type “help dotlogin”.) Here is a sample of a command line that you might put in your .login file to set a non-standard search path:

        set path = ( $PATH /usr/ucb /bin /usr/bin /usr/new .)

Volumes on a Sun Storage 7000 Unified Storage System can be published to a Microsoft Windows server using CIFS or iSCSI with Microsoft SQL Server 2005 databases. The necessary steps are outlined here.

The video from my talk at JSConf has been posted. Thanks to Chris for organizing the conference and the excellent quality of the video.

The description from the JSConf site summarizes the talk well:

John Resig presents his mystery topic, which is actually three topics that strike his interest. First up is measuring performance and a quick introduction to benchmarking (and its positives and negatives). This is followed by JavaScript Games which he unveils some super cool hidden functionality (cheat codes++) on the jQuery web site. This is followed up by the introduction of John's distributed continuous test framework platform, Test Swarm. It is jam packed with Nirvana and goodness so be sure to watch both parts.

Part 1: Measuring JavaScript Performance, JavaScript Games

Part 2: Distributed JavaScript Testing, Q&A

Additionally, the slides from the talk are up on Slideshare.

Zones are one of the best features in Solaris 10 -- they're so lightweight that you can use them at almost no cost in performance. Today, I ran across a situation where one of my zones needed more RAM, and the box it was on didn't have it. Read on for how to migrate a Solaris Zone to a different machine, and an important update to Solaris 10/08 that makes the process so much easier.

read more

Glyn Moody writes "Detractors of free software like to point out it's not really 'free,' and claim that its Total Cost of Ownership is often comparable with closed-source solutions if you take everything into account. And yet, despite their enthusiasm for including all the costs, they never include a very real extra that users of Microsoft's products frequently have to pay: the cost of cleaning up malware infections. For example, the UK city of Manchester has just paid out nearly $2.5 million to clean up the Conficker worm, most of which was 'a £1.2m [$2million] bill in the IT department, including £600,000 [$1 million] getting "consultancy support" to fix the problems, which including drafting in experts from Microsoft.' To make the comparisons fair, isn't it about time these often massive costs were included in TCO calculations?"

Read more of this story at Slashdot.

By now many have heard about the performance degredation found in Intel SSDs due to the write/rewrite commands. Although they remain incredibly fast, there are some instances where you may wish to “reset” the drive or at least secure erase the drive for a second sale or install in a different computer or server.

An Intel quote: “An alternative method (faster) is to use a tool to perform a SECURE ERASE command on the drive. This command will release all of the user LBA locations internally in the drive and result in all of the NAND locations being reset to an erased state. This is equivalent to resetting the drive to the factory shipped condition, and will provide the optimum performance.”

The Center for Magnetic Recording Research no longer has HDDErase 3.3 on their website which is needed to secure erase the Intel X18-M, X25-M and X25-E. HDDErase 4.0 is not compatible with the Intel SSDs but should be used for all other hard drives. HDDErase 3.3 is available below:

Download HDDErase 3.3 (Intel SSD Compatible) here.

Included in the zip file are usage instructions. Be sure you can create a DOS 6.22 boot disk (in Windows XP explorer, right click on the “A drive” and select “format” and “create boot disk”). Then include the HDDErase.exe file on the disk.

You must also disable AHCI (SATA Mode) if enabled in your BIOS before you boot into DOS for the utility to run and work properly. Most BIOS will have an option to emulate IDE mode for SATA ports. Be sure to switch it back to AHCI once you are done.

Secure erasing the Intel SSD only takes about a minute.

   

If you saw this text on a webpage, how would you figure out what it means?

Если вы читаете этот текст, вы, вероятно, уже говорите по-русски. Однако миллионы людей не знают русского и не могут прочитать миллионы русскоязычных веб-страниц.*

You would likely need to translate manually via our language tools or in Toolbar. Today we're excited to announce that translations will be even easier with the newest release of Google Toolbar for Internet Explorer. We have been working with the Translate team to make translations a faster and more integrated part of your browsing experience.

The Translate feature automatically detects if the language of a webpage you're on is different from your default language setting and allows you to translate it. With one click, you can now instantly translate the page and all of its text will appear in the new language.


Language detection happens only on your computer, so no information is sent to Google until you choose to translate a page. You can find more details about how the feature works in our help center.

If you go to another page in the same language, you will continue to see translations rather than have to translate one page at a time. And if the page has dynamic content, like Google Reader, you will get translations in real-time. Finally, if you frequently translate pages in the same language, Toolbar will let you translate that language automatically without any extra clicks in the future.

The new Translate feature is available in all international versions of Toolbar, including English, and the translation service supports 41 different languages: Albanian, Arabic, Bulgarian, Catalan, Chinese, Croatian, Czech, Danish, Dutch, English, Estonian, Filipino, Finnish, French, Galician, German, Greek, Hebrew, Hindi, Hungarian, Indonesian, Italian, Japanese, Korean, Latvian, Lithuanian, Maltese, Norwegian, Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian and Vietnamese.

Download Google Toolbar for Internet Explorer to try it out for yourself. We'll add this feature to Toolbar for Firefox soon, too.

* In case you don't speak Russian, we translated the paragraph above for you using our translation engine:

If you are reading this text, you probably already speak in Russian. However, millions of people do not know Russian and cannot read the millions of Russian-language webpages.

Posted by Jerry Tang and Dick Sites, Software Engineers

I heard a new phrase on a conference call with a client this morning.  The client claimed they were suffering from intense ambiguity.  I knew immediately I had a post in those two words.

What the client meant was that there was significant pressure from the management team to do something - especially new and interesting things.  However, there isn't necessarily a corresponding amount of clarity about what those things should be.  So, there's a lot of pressure to get things done, just no one is really sure what kinds of things should be done.

This is known, my friends, as a failure to communicate.  There are only three possibilities here:

1. The management team wants new and interesting products and services delivered, but hasn't communicated the strategic goals of the company.  Either they don't have clarity around that themselves or they are waiting for a couple of really bright people to present them with a strategy that works.
2. The management team has no ability to generate a strategic vision and is hoping and praying that someone in the organization has a compelling vision that they'll present, so the management team can champion.
3. The management team has communicated a vision that was so tissue thin and unimpressive that everyone missed it and is still waiting for the "real" vision.

So, here's the dilemma:  Would you rather be led by a madman with a very clear strategic vision that may not be correct but is well formed, or would you rather be "led" by a group of senior managers who cannot or will not provide a clear strategic vision?  In the first case you know specifically where you are going, you may not agree but it isn't hard to align vision and resources to those goals.  In the second case, there's a significant amount of pressure to do something, but no one is clear what that "something" is, and so a number of different teams acquire different interpretations and work at cross purposes, or nobody does anything, waiting for clarity.

As for me, hoist the Jolly Roger any day.  I'd rather work to a clearly flawed but clearly articulated goal than an ambiguous plan with no clear strategy any day.

How's that intense ambiguity working for you?

After over 2 years in development, huge amount of commits and changes PHP 5.3.0 is finally out. Kudos to Lukas M. Smith and Johannes Schlüter who have managed this herculean task and overall have done an excellent job.

There are some really nifty features in this release such as namespaces, closures, mail() logging, a bunch of new extensions and much more. Hopefully, the process of making 5.3 be production ready will be a quick one, as a large amount of testing has already gone into making this release possible. In fact, I be brave enough to say that for non-mission critical environments PHP 5.3 is ready to go as is.

The moment I heard about the Open Source Bridge Configuration Management panel session on FLOSS Weekly a while ago, I was hoping that I will be able to see the recording of this session (as for obvious reasons I was not able to attend and see this live in Portland, Oregon). They managed to bring together (for the first time to my knowledge) the creators (or maintainers) of *all* the major configuration management tools to date was very impressive; and obviously someone as myself that has been working with many of these tools (I haven’t tried/used automateit yet) would definitely see this as a great session.

Here are the members of the configuration management panel (from left to right):

• Igal Koshevoy of AutomateIt
• Brendan Strejcek of Cfengine
• Luke Kanies from Reductive Labs for Puppet
• Narayan Desai of bcfg2
• Adam Jacob from Opscode for Chef

Luckily the video of the session (among other videos from Open Source Bridge) was published and anyone can see this great event:

Now, after I sow this I must admit that I was hoping for a little more engagement and controversy. Instead we sow a friendly debate where everyone presented his own tool, without trying to go over the line and tell why it is better than the one of someone else (we have definitely seen several such blog posts from them in the past ). Anyway this was a great event and a great opportunity to have all the major people in this field come together and share their story. I’m sure that after this they will get back to work, we will see new features and improvements in their tools.

Day one of playing with bare metal hypervisors, and I'm already having a blast.

I decided to try ESXi first, since it was the closest relative to what I'm running right now.

Straight out of the box, I run into my first error. I'm installing on a Dell Poweredge 1950 server. The CD boots into an interesting initialization sequence. The screen turns a featureless black, and there are no details as to what is going on behind the scenes. The only indication that the machine isn't frozen is a slowly incrementing progress bar at the bottom. After around 20 minutes (I'm guessing the time it takes to read and decompress an entire installation CD into memory), the screen changes to a menu asking me to hit R if I want to repair, or Enter if I want to install. I want to install, so I hit Enter. Nothing happens, so I hit enter again. And again. And again. It takes a few more times before I realize that the "numlock" light is off. Curious, I hit numlock and it doesn't respond.

Awesome.

I unplug and replug the keyboard in. Nothing. Move it to the front port. Nothing. I reboot and come back to my desk to research. Apparently, I'm not alone. Those accounts are from 2008. I downloaded this CD an hour ago, and it's 3.5 U4 (the most current 3.5x release). It is supposed to have support on the PE1950, but if the keyboard doesn't even work, I have my doubts.

Lots of people have suggested using a PS2 keyboard as the accepted workaround, but in a similar tone to most of my problem/solution options, this server has no PS2 ports.

I'm downloading ESX v4 now. I'll update with how it goes, no doubt.

I read over the latest KVM putback log last night, and saw that KVM now supports booting from ISO images that are accessible via HTTP (it uses libcurl under the covers). This is pretty fricking cool, and allow you to boot in recovery mode without requiring local media or PXE, and provides a super [...]

If you administer a Linux server or are a developer it is quite likely that you might need to watch a file to check for live updates to it. It could be a log file which you want to keep an eye on to see if any errors or messages appear, or it could just be a file with some data written into it. Here’s a way you can have that file update itself rather than your having to hit the refresh button constantly.

Say you want to monitor the Apache web server log file, /var/log/http/access.log. Use the following command to get live updates:

# tail -f /var/log/http/access.log

When you hit the Return key you should see the last few entries in the file (if there are any) and then the command will wait for further updates to the file and update automatically. One drawback of this command is that you can not scroll up or down using tail. Another drawback of this command is that if you are monitoring a file that gets rolled (the file gets moved to another file and a new blank file is used instead of the first one), then this command will stop the updates. We have a solution for the second problem. Use the following syntax:

# tail -F /var/log/http/access.log

The upper case -F ensures that even if the file rolls it will continue reading from the new file, which is quite useful. I usually just use this option regardless of whether I think the file might roll or not.

---
Related Articles at Simple Help:

• How to customize Windows Live Messenger (remove ads, add/remove buttons etc)
• 5 Great Web Comics
• Simplehelp Updates
• How to securely clean up data on a hard disk on Linux
• Fantastic new Canadian service: Live Vote

How to view live updates in a file under Linux - Simple Help

All around Google, we're proud of our work, our culture and, most importantly, our people. In the spirit of celebration, this spring and summer Googlers have participated in Pride celebrations in Tel Aviv, New York, Zürich, San Francisco and many other cities around the world. Pride is a time for the LGBT* community along with families, friends and supporters to stand up for equality, and to honor those who paved the way for us to express sexual orientation and gender identity openly.

In the U.S., this year's celebration is historically important: it's the 40th anniversary of the Stonewall riots in New York City, a response to what was then routine police harassment of LGBT people. Some 75 Googlers, family members and friends marched with several hundred members of New York's Lesbian, Gay, Bisexual and Transgender Community Center. Hundreds of Googlers also joined other U.S. celebrations in Pittsburgh, Chicago, and San Francisco.

Earlier this month, around 50 Googlers and friends gathered to celebrate at Europride, Europe's best-known Gay Pride celebration. This year it was in Zürich, Switzerland. After weeks of sunshine, on the morning of the parade it began to storm, but that didn't deter our intrepid Googlers from being out at 6:30am turning a 28-ton truck into a rainbow-colored nightclub on wheels. Hundreds of nuts, bolts and gallons of helium later, the truck was transformed, the sun came out and we were ready to march through the city streets, cheered on by a crowd of 50,000.

Google is a company that supports its LGBT employees, taking a public stand on issues that are important to our community. This is not the first year that Google has supported Pride, and it will certainly not be the last. We hope you enjoy this photo album of our global celebrations.




*LGBT stands for lesbian, gay, bisexual or transgendered people and is also intended to include people who identify as queer, asexual or intersexed, amongst others.

Posted by Cynthia Yeung, Partner Strategy Team

This post is sponsored by FindMyHosting - a free and very comprehensive web hosting directory featuring the most popular web hosting companies and thousands of customer reviews.

I’ve been asked to review this site and give my impressions about it. The truth is that I don’t have much experience with shared hosting as most of my experience is with dedicated servers from various hosting companies, and anytime I had a friend asking about where do I recommend him to host his small site I didn’t knew where to direct him. This is why I thought that such a webhosting directory as FindMyHosting would be a great start for anyone looking for a shared hosting account to host his new site. We can search from a long list of hosting company and get them ranked by users reports (nice).

We can easily search for the best hosting plans by:

• price
• country (would be nice to see some from EU, not only from the US, etc.)
• platform (linux, win, etc.)
• disk space
• data transfer

The hosting directory also lists various plans by their programming languages and features support like:

• FrontPage Web Hosting
• PHP / MySQL Web Hosting
• ASP Web Hosting Plans
• JSP Web Hosting Plans
• ColdFusion Web Hosting Plans

Besides the searchable database of hosting plans FindMyHosting is also providing some very good introductory articles for people new to hosting that can help them better understand this industry and make a better decision on finding their first host.

Conclusion

FindMyHosting is a webhosting directory that can help people find the right hosting plan and hosting company. This is mainly restricted to shared hosting (even if you can see some dedicated server entries you should not rely on that list) and mainly from hosting companies from the States. I would suggest to bring in more hosting companies and their offering from all over the world (Europe for ex., but any country really); normally finding a good host in US is much easier than in other places . Also personally, I would rather remove the dedicated server section as that can be confusing to new users in the domain, or if not try to add some serious companies and be a real directory for dedicated servers also.

Posted by Michael Wyszomierski, Search Quality Team

Having been a 'super user' for most of my career, I do not have the same perspective other people do when it comes to interacting with corporate IT. Because of what I do, I see everything. That's part of my job, so that's what I see. I have to know it is there.

However, how each company handles their elevated privilege accounts varies. Some of it depends on what system you're working in, of course.

Take a Windows environment. I see three big ways to handle the elevated user problem:

1. One Administrator account, used by all admins. Each admin has a normal user account, and log in as Administrator for their adminly work.
• Advantages Only one elevated account to keep track of.
  
• Disadvantages Complete lack of auditing if there is more than one admin around. Also, unless said admin has two machines, or has a VM for adminly work, they're logged in as Administrator more often than they're logged in as themselves.
2. One Administrator account, admins user accounts are elevated to Administrator. Each admin's normal account is elevated. Administrator is relegated to a glorified utility account, useful for backups, other automation, or if you need to leave a server logged in for some reason.
   
• Advantages Audit trail. Changes are done in the name of the actual admin who performed the change.
  
• Disadvantages These users really need to be exempted from any Identity Management system. Since there are only going to be a few of them, this may not matter. Also, these users need to treat these passwords like the Administrator password.
3. Each admin gets two accounts, normal and elevated As with the above, Administrator is a glorified utility account. But each admin gets two accounts; a normal account for every day use (me.normal) and an elevated account (me.super) for functions that need that kind of access.
• Advantages Provides audit trail, and allows the admin's normal account to be subject to identity-management safely. Easy availability of 'normal' account allows faster troubleshooting of permissions issues (hard to check when you can see everything)
• Disadvantages Admin users are juggling two accounts again, with the same problems as option 1.
  

I personally haven't seen the third option in actual use anywhere, even though that's my favorite one. Unixy environments are a bit different. The ability to 'sudo' seems to be the key determiner of elevated access, with ultimate trust granted to those who learn the root password outright. Sudo is the preferred method of doing elevated functions due to its logging capability.

What other methods have you seen in use?

dmidecode and hpasmcli can be used to check HP Proliant System ROM (BIOS) version in Linux. In this example, I’m checking System ROM version of HP Proliant BL460c which is running RHEL 5.2, 1) dmidecode, provided by dmidecode package. # dmidecode 2.7 SMBIOS 2.4 present. 72 structures occupying 2245 bytes. Table at 0x000EE000. Handle 0x0000, DMI type 0, 24 bytes. BIOS Information [...]

We use the Internet all the time: at home, at work (especially at Google!), on the move, and, increasingly, at school. We believe that the Internet and cloud-based tools are a key part of a 21st century classroom, helping students learn and teachers teach in collaborative and innovative ways. Students use Google Docs to work on group projects; classrooms use Google Sites to show off their work; and teachers use Forms in Google Docs for instant grading and Google Calendar for lesson planning. Google Apps Education Edition is helping schools build online communities for students, teachers and parents, and we now have 4 million students using Google Apps Education around the world.

This week the Google Apps Education team is launching a few new ways to make it easier for K-12 schools to use Google Apps, and attending the National Education Computing Conference (NECC) in Washington D.C. To help address schools' email security needs, Google Message Security (GMS) will be offered free to current and new eligible primary and secondary schools globally that opt in by July of next year. GMS filters out email messaging threats, and education IT departments can customize the filtering rules and group messaging lists to suit their schools. We're also launching the Google Apps Education Community site for educators and students to share tips and ideas for using Google Apps in their classrooms, as well as the Search Education Curriculum and a Google Apps Education resource center with more than 20 classroom-ready lesson plans for teachers. We'll be adding more to these resources going forward.

If you're at NECC this year, come visit the Google team in booth #3148. If not, the teaching and learning continues with some cool presentations and lesson plans on the Google Apps Education Community site, or you can learn more at google.com/a/edu.

Posted by Dana Nguyen, Google Apps Education team

• XKeymacs

Moovida is much more than a simple media player… it is a cutting edge media center bringing the best of the internet to your TV screen. Automatically creating your own digital library you can browse from your sofa with a remote control. The elegant and easy to use interface automatically displays artwork and fan art throughtout and gives you access to movie synopsis and artist info.Moovida, previously known as Elisa.
(...)
Read the rest of Moovida – Free Media Player (Play all your files – AVI,mp3,MKV,DivX,MOV,MP4) (553 words)

---

© admin for Ubuntu Geek, 2009. | Permalink | 5 comments | Add to del.icio.us
Post tags: desktop, install Moovida ubuntu, install Moovida ubuntu 9.04, Moovida, Moovida ubuntu jaunty

Related Articles

• Host interface networking made easy in VirtualBox 2.1.0 (3)
• Howto Enable Ctrl + Alt + BackSpace in Ubuntu Jaunty (21)
• Howto Reformat My External Hard disk to install Ubuntu (4)
• Ubuntu Tip:Linking Music Across Operating Systems (5)
• How to use apt-p2p For Faster Upgrades From Ubuntu Intrepid (8.10) to Jaunty (9.04) (7)
• BleachBit – Cleans unnecessary files to free disk space and maintain privacy (19)
• Workaround for Thunderbird not starting via profile manager (1)
• ccd2iso – Convert CloneCD disc image (.img) format to standard ISO (.iso) (3)
• How to install Virtualbox 2.1.0 in Ubuntu 8.10 (Intrepid Ibex)/8.04 (Hardy Heron) (26)

Christian Plesner Hansen: Today we’re releasing the Sputnik JavaScript test suite. Sputnik is a comprehensive set of more than 5000 tests that touch all aspects of the JavaScript language as defined in the ECMA-262 standard.

Allen Wirfs-Brock: Anyone who has the interest and skills for developing individual ECMAScript conformance tests are invited to participate in the project. If you’re interested check out the Codeplex site and get involved.

Yes, I have bought Sony Ericsson W995 :) Good Bye W850i First of all, I would like to say a sayonara to my Sony Ericsson W850i. It has been a great a friend to me since August 2007. Although I love it very much (and I still love it), I have to move forward. It’s hard [...]

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="DSCN4031_4036_harness_400x400q4.jpg" src="http://blog.makezine.com/archive/2009/06/28/DSCN4031_4036_harness_400x400q4.jpg" width="400" height="400" class="mt-image-none" style="" /></span></p> <p>I recently got it in my head that I wanted to take some time-lapse photos showing the oxidation of various bright-polished metals over the course of a week or so. Investigating the possibility of setting up an intervalometer for my elderly Coolpix 4300 quickly became frustrating, however, as I realized that I was facing a nightmare of proprietary connectors, unpublished protocols, and exotic cables. Nikon manufactured a time-lapse controller compatible with my camera (the MC-EU1), but all the reviews I've seen are unfavorable, and I can't find one for sale for less than $85.</p> <p>To make matters worse, it turns out the proprietary 8-pin connector used on the 4300 and other older Coolpix cameras is dual-function: Four of the pins provide for normal USB connectivity, while the other four provide the serial interface used, for instance, by the MC-EU1 to remotely control the camera. My camera was supplied with a cable to access the USB half of the connector, but of course getting to the serial pins requires the purchase of a completely different cable (the SC-EW3), which can't be had for less than $30 plus shipping.</p> <p>Fortunately, I then stumbled across <a href="http://delphys.net/d.holmes/">this excellent tutorial by David Holmes</a> about how to convert the connector on the bundled USB cable into a dual-use USB/serial cable that lets you swap out the proprietary end with two different harnesses that access the USB or the serial pins as needed. Thanks, David! </p> <p>P.S. I've found a promising piece of freeware called <a href="http://www.ruwebit.net/article/81">Snappixx</a> that claims to control the Coolpix cameras through the serial interface. I can't vouch for it yet, however, other than to report that it downloads, installs, and starts up without any apparent hitches.<br /> </p> <a href="http://blog.makezine.com/archive/2009/06/how-to_dual_usbserial_cable_for_nik.html?CMP=OTC-0D6B48984890" />Read more</a> | <a href="http://blog.makezine.com/archive/2009/06/how-to_dual_usbserial_cable_for_nik.html?CMP=OTC-0D6B48984890" /> Permalink</a> | <a href="http://blog.makezine.com/archive/2009/06/how-to_dual_usbserial_cable_for_nik.html?CMP=OTC-0D6B48984890#comments" />Comments</a> | <a href="http://blog.makezine.com/archive/photography/?CMP=OTC-0D6B48984890" />Read more articles in Photography</a> | <a href="http://digg.com/submit?url=blog.makezine.com%2Farchive%2F2009%2F06%2Fhow-to_dual_usbserial_cable_for_nik.html&title=How-To%3A%20%20%20Dual%20USB%2Fserial%20cable%20for%20Nikon%20Coolpix%20cam&bodytext=%20I%20recently%20got%20it%20in%20my%20head%20that%20I%20wanted%20to%20take%20some%20time-lapse%20photos%20showing%20the%20oxidation%20of%20various%20bright-polished%20metals%20over%20the%20course%20of%20a%20week%20or%20so.%20Investigating%20the%20possibility%20of%20setting%20up%20an%20intervalometer%20for...&topic=tech_news" />Digg this!</a>

Googler Jake Brutlag recently published a short study, "Speed Matters for Google Web Search" (PDF), which looked at how important it is to deliver and render search result pages quickly.

Specifically, Jake added very small delays (100-400ms) to the time to serve and render Google search results. He observed that even these tiny delays, which are low enough to be difficult for users to perceive, resulted in measurable drops in searches per user (declines of -0.2% to -0.6%).

Please see also my Nov 2006 post, "Marissa Mayer at Web 2.0", which summarizes a claim by Googler Marissa Mayer that Google saw a 20% drop in revenue from an accidentally introduced 500ms delay.

Update: To add to the Marissa Mayer report above, Drupal's Dries Buytaert summarized the results of a few A/B tests at Amazon, Google, and Yahoo on the impact of speed on user satisfaction. As Dries says, "Long story short: even the smallest delay kills user satisfaction."

Update: In the comments, people are asking why the effect in this study oddly appears to be an order of magnitude lower than the effects seen in previous tests. Good question there.

Update: By the way, this study is part of a broader suite of tools and tutorials Google has gathered as part of an effort to "make the web faster".

The Debian project just announced the second update for its stable distribution “lenny” 5.0.2. Those installing regular updates from security.debian.org might not even notice this update, except for the version change to 5.0.2. As an interesting change, the debian-installer has been updated to allow the installation of the oldstable release (Debian 4.0 “etch”).

“The Debian project is pleased to announce the second update of its stable distribution Debian GNU/Linux 5.0 (codename “lenny”). This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems.
Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included. There is no need to throw away 5.0 CDs or DVDs but only to update via an up-to- date Debian mirror after an installation, to cause any out of date packages to be updated.
…
New version of the debian-installer
The debian-installer has been updated to allow the installation of the previous stable release (Debian 4.0 “etch”) and to include an updated cdebconf package which resolves several issues with installation menu rendering using the newt frontend, including:
* explanatory text overlapping with the input box due to a height miscalculation
* overlapping of the “Go Back” button and the select list on certain screens
* suboptimal screen usage, particularly affecting debian-edu installations
The installer has been rebuilt to use the updated kernel packages included in this point release, resolving issues with installation on s390 G5 systems and IBM summit-based i386 systems.”

Release Announcement: http://www.debian.org/News/2009/20090627

If you store important information on your Linux server and want to make sure it is for your eyes only you need to password protect these files. Let’s see how you can do this with Linux.

First, pick a good password. There are a few websites on the Internet that help you generate strong passwords. Try and pick an alphanumeric password. Something such as Rv7fkcxASW8h would be a good choice.

Now check to see if you have the package gpg installed on your computer. Run the following command to check:

# whereis gpg
gpg: /usr/bin/gpg /usr/share/man/man1/gpg.1.gz

If you get an output like the one shown above it means you have the required package installed. If not, check your Linux distribution’s documentation to see how you can install the GPG package.

Say you want to password protect a file called dbbackup.zip with the password Rv7fkcxASW8h here’s how you would go about it:

# gpg -c dbbackup.zip

When you enter this you will be requested to enter a passphrase, which is the password you want to protect the file with. Enter the password twice. Now you should see a file called dbbackup.zip.gpg in the same directory as the original file. This is the encrypted and password protected copy of the original file. You can store this file on your hard drive or ship it to someone on a DVD knowing that it will be very hard and nearly impossible for most people to crack it.

When you want to read the file you will need to remove the password protected encryption. For that execute the following command:

gpg dbbackup.zip.gpg

You will be asked to enter the password using which the file was protected. Enter that and you should be in business. Note that this only works for files and not for folders. You should create a zip or tar archive of the files you want to secure and then add the password protected encryption to it.

---
Related Articles at Simple Help:

• How to encrypt your Linux backups
• 9 easy ways to secure your WordPress blog
• How to control Winamp from your iPhone, iPod Touch or web browser
• How to SSH to your remote server without entering a password every time
• How to post to Twitter from the Linux command line

How to password protect files in Linux - Simple Help

Due to technical reasons I'll be getting to in a moment, this blog will be moving off of WWU's servers in the next few weeks. I have high confidence that the redirects I'll be putting in place will work and keep any existing links to the existing content still ultimately pointing at their formal home. In fact, those of you reading by way of the RSS or Atom feeds won't even notice. Images I link in will probably load a bit slower(+), and that's about it.

And now for the technical reasons. I've been keeping it under my hat since it has politics written all over it and I so don't go there on this blog. But WWU has decided (as of last September actually) that they're dropping the Novell contract and going full Microsoft to save money. And really, I've seen the financials. Much as it pains this red heart, the dollars speak volumes. It really is cheaper to go Microsoft, to the tune of around $83,000. In this era of budget deficits, that's most of an FTE. Speaking as the FTE most likely to get cut in this department, that makes it kind of personal.

Microsoft? The cheap option?

Yes, go fig. But that's how the pricing is laid out. We were deep enough into the blue beast already (Exchange, MS-SQL, SharePoint is embryonic but present and going to grow, there is Office on every Windows desktop) that going deeper wasn't much of an extra cost per year. To put it even more bluntly, "Novell did not provide enough value for the cost."

The question of what's happening to our SLES servers is still up for debate. We could get those support certificates from Microsoft directly. Or buy them retail from Novell. I don't know what we're doing there.

Which means that we're doing a migration project to replace the WUF 6-node NetWare cluster with something on Windows that does the same things. NetStorage is the hardest thing to replace (I know I'm going to miss it), but the file-serving and printing are challenging but certainly manageable. The "myweb" service will continue, and be served by a LAMP server with the home directories Samba-mounted to it, so it will continue as Apache. It could have been done with IIS, but it was an ugly hack.

As soon as we get hardware (7/1 is when the money becomes available) we'll be hitting the fast phase of the project. We hope to have it all in place by fall quarter. We'll still maintain the eDirectory replica servers for the rest of the Novell stuff on campus that is not supported (directly) by me. But for all intents and purposes, Technical Services will be out of the NetWare/OES business by October.

OH MY GOD! YOU'RE LEAVING! THAT'S WHY YOU'RE MOVING THE BLOG!

No, no. That's not the reason I'm moving this blog. Unfortunately for this blog, there was exactly one regular user of the SFTP service we provided(*). Me. So that's one service we're not migrating. It could be done with cygwin's SSH server and some cunning scripting to synchronize the password database in cygwin with AD, if I really wanted to. But... it's just me. Therefore, I need to find an alternate method for Blogger to push data at the blog.

Couple that with some discrete hints from some fellow employees that just maybe, perhaps, a blog like mine really shouldn't be run from Western's servers, and you have another reason. Freedom of information and publish-or-perish academia not withstanding, I am staff not tenured faculty. Even with that disclaimer at the top of the blog page (that you RSS readers haven't seen since you subscribed) that says I don't speak for Western, what I say unavoidably reflects on the management of this University. I've kept this in mind from the start, which is why I don't talk about contentious issues the University is facing on any term other than how they directly affect me. And also why this is the first time I've mentioned the dropping of the Novell contract until it is effectively written in stone.

So. It's time to move off of Western's servers. The migration will probably happen close to the time we cut-over MyWeb to the new servers. Which is fitting, really, as this was the first web-page on MyWeb. This'll also mean that this blog will no longer be served to you by a NetWare 6.5 server. Yep, for those that didn't know this blog's web-server is Apache2 running on NetWare 6.5.

(+) Moving from a server with an effective load-average of 0.25 to one closer to 3.00 (multi-core, though) does make a difference. Also, our pipes are pretty clean relatively speaking.

(*) Largely because when we introduced this service, NetWare's openssh server relied on a function in libc that liked to get stuck and render the service unusable until a reboot. MyWeb was also affected by that. That was back in 2004-06. The service instability drove users away, I'm sure. NetStorage is more web-like anyway, which users like better.

This is the first of a series of posts from YouTube's news and politics blog, Citizentube. -Ed.

YouTube is the biggest video news site on the Internet, and at no time in our site's history was that more apparent than in these last two weeks of the crisis unfolding in Iran. As hundreds of thousands of Iranian citizens took to the streets of Tehran to protest the national elections, the government kicked out foreign journalists, leaving citizens themselves as the only documentarians to the events unfolding there. We've been highlighting many of these videos and keeping track of the latest developments on our YouTube news and politics blog, Citizentube.

Though the circumstances in Iran are unique, this isn't the first time that citizens have played a crucial role in reporting on events around the world. Burmese citizens uploaded exclusive video footage to YouTube during the protests in Myanmar back in 2007; people in China's Sichuan province documented the devastating and historic 7.8-magnitude earthquake of 2008 in real-time; and eyewitnesses to the shooting of young Oscar Grant by Oakland police forces captured the event on their cell phone cameras and uploaded videos to YouTube for the world to see. Citizens are no longer merely bystanders to world events. Today, anyone can chronicle what they see and participate in the news-gathering process.

Though it's the phenomenon of citizen reporting that YouTube is probably best known for, we also have hundreds of news partners who upload thousands of videos straight to YouTube every day. You can see lots of these on our news page at youtube.com/news. Many of these organizations have used YouTube in unique ways, like asking the community to submit questions for government officials, providing a behind-the-scenes look at traveling with the Obama press corps and accepting video applications for a reporting assignment in West Africa. We believe the power of this new media landscape lies in the collaborative possibilities of amateurs and professionals working together.

And so today, we're launching a new resource on YouTube to help citizens learn more about how to report the news, straight from the experts. It's called the YouTube Reporters' Center, and it features some of the nation's top journalists sharing instructional videos with tips and advice for better reporting. Learn how to prepare for an interview; or how to be an investigative reporter from the legendary Washington Post journalist Bob Woodward; or how to report on a global humanitarian crisis from Nick Kristof of the New York Times. All of the videos are available on the YouTube Reporters' Center channel.

Posted by Olivia Ma, YouTube News and Politics

From the Qimo home page:

Qimo is a desktop operating system designed for kids. Based on the open source Ubuntu Linux desktop, Qimo comes pre-installed with educational games for children aged 3 and up.

Qimo’s interface has been designed to be intuitive and easy to use, providing large icons for all installed games, so that even the youngest users have no trouble selecting the activity they want.

Qimo needs a minimum of 256MB of memory to run from the CD, or 192MB to install. At least 6 GB of hard drive space is recommended, and a 400MHz or faster CPU. Because of its very minimal system requirements, it’s a fantastic OS to install on that old PC sitting in your closet and put in your childs room.

This tutorial will guide you through installing Qimo, and give a brief overview of the apps that are included, as well as instructions on removing some of the ones you may not want your child to access.

1. To get started, download the Qimo .iso file. You’ll need to burn this .iso to a CD or DVD (it does fit on a CD). Once completed, insert the CD/DVD into your CD/DVD-ROM and boot up your computer. Make sure that your PC is set to boot from the CD/DVD drive first (before the hard disk or other drive).

   You’ll be presented with the initial Qimo boot screen. Because Qimo is a LiveCD, you can try it before you install it, if you’d like. Select Try Qimo without any change to your computer if you’d like to give it a run before you actually install it. This tutorial will actually walk you through the complete installation process - to do so click the down arrow on your keyboard to highlight Install Qimo and then hit Enter.


click to enlarge

2. The Qimo installer will begin to load.


click to enlarge

3. The first step of the installation is to select your language. Do so from the list on the left side of the screen, and then click the Forward button.


click to enlarge

4. Now select the city closest to you (in your time zone) from the drop-down menu, and click the Forward button.


click to enlarge

5. Select your keyboard layout from the list in the left column, and again, click the Forward button.


click to enlarge

6. Now you’ll need to decide how much disk space to allocate to Qimo. Because I’m going to dedicate the entire hard drive to Qimo, I selected Guided - use entire disk. If you don’t want to use your entire hard drive for Qimo, select Manual and use the ’slider’ to determine how much space Qimo gets vs. any other operating system(s) you may already have installed. When you’re ready, click the Forward button.


click to enlarge

7. Now you’ll need to create a profile. Enter your name, a user name, password and name for the computer. NOTE: do NOT place a check in the box labeled Log in automatically. Qimo will automatically create a username named “qimo” which is the user that your child will log in with. This username automatically signs in each time Qimo starts - your child doesn’t need to enter a user or pass. The account created on this screen is for you to use to administrate the PC. Click the Forward button to continue.


click to enlarge

8. That’s it - you’re ready to install Qimo. Click the Install button after you’ve reviewed all the info on the summary page.


click to enlarge

9. Qimo will now install. This may be a good time to go grab a cup of coffee.



10. Once the installation has completed, click the Restart now button.



11. Qimo will now start up.


click to enlarge

12. Because Qimo automatically logs in with the ‘qimo’ account (the account your child should/will use) you’ll be taken directly to the desktop.


click to enlarge

13. The “Dock” at the bottom of the screen includes links to the apps your child will use most.



14. The first app in the Toolbar is Text Editor which is exactly as you’d guess - a text editor. Your kids can create brief notes or use it to write out homework.
15. The second app in the Toolbar is GCompris, a collection of general educational games that are appropriate for children ages 2 and up.


click to enlarge

16. Childsplay is a collection of educational games.


click to enlarge

17. TuxPaint is a very simple Paint program that allows your children to create colorful pictures, posters, cards and letters.


click to enlarge

18. Tux Math teaches mathematics through a series of fun games.


click to enlarge

19. Certain programs are off-limits to the ‘qimo’ user (your childs account). When/if they try to run those programs, they’ll get an error message similar to the one displayed in the screenshot below.



20. However, some programs are not off limits. For example, Firefox can be used by the qimo user. The easiest solution to avoid having your child use programs like Firefox, Transmission (bittorrent), IRC or Instant Messaging, is to keep the PC offline entirely.



21. To quickly update the system, open a Terminal and enter the command su your-user-name (where your-user-name was the one you selected back in step #7). Enter your password when prompted, and then issue the command sudo apt-get update


click to enlarge

22. Now enter the command sudo apt-get -f install


click to enlarge

23. If you’d like to remove programs from qimo entirely, enter the command sudo /usr/sbin/synaptic to launch the Synaptic Package Manager.


click to enlarge

24. From here you can easily search for and remove any programs that you simply don’t want on the PC.


click to enlarge

25. You can also administer Qimo by logging out of your current session, and logging back in with the username and password you created in step #7.


click to enlarge

---
Related Articles at Simple Help:

• How to right-click using just your trackpad in Bootcamp, Parallels and VMware (OS X)
• How to set up multiple accounts using OS X v10.4 (Tiger)
• Answers: When to use Parallels or VMWare Fusion vs. when to use Bootcamp
• Using System Restore in Windows XP
• How to install Ubuntu Eee 8.04.1 on your Eee PC

Qimo - an Operating System designed for kids - Simple Help

• From my #yapc notes: "jesus christ he just made SQL create a mandelbrot set fractal graphic" #
• Why is the History Channel showing a show about what'll happen in the future assuming humans vanish in a poof? #
• 6am is way too early to be up. #yapc #
• $8.50 in fees on top of a $26 Pirates ticket? RE. TAR. DED. #
• Pirates down 5-0 going into bottom of 9th, leadoff homer, a few doubles in a row, bases loaded with 2 outs, 3-2 count was crazy. They lost. #
• And now it's time for bed. I'm tiiiiiiiiiiiired. #
• RT @drjonboyg #f1 – Peace deal has been agreed between FIA and teams to end breakaway threat. Details on http://www.jamesallenonf1.com #
• Hooray for fire alarms at 3am. #yapc #
• Oh no, Billy Mays died! Will this bring down Twitter like MJ's death did? #

Someone burnt a bagel this morning. It got smokey enough to trigger the alarms, so the building evacuated. It happened before I got to the office, so when I got here the facilities guys were wrestling in the biiiiig fans into the hallways to get a good cross-breeze going to cut down the burnt smell. Now everyone who comes in is dropping by asking what burned ;). According to my office-mate who was here when it happened, a burnt bagel produces a surprising amount of smoke.

This particular toaster oven is a complete loss. Not surprising.

Every once in a while, someone will ask me what I use for keeping passwords securely. I tell them that I use password safe, which was reccommended to me when *I* asked the question.

Other times, people will ask for simple ways to encrypt or store files. If you're looking for something robust, cross platform, and full featured, you could do a lot worse than TrueCrypt. Essentially, it hooks into the operating system's kernel and allows it to mount entire encrypted volumes as if they were drives. It also has advanced security methods to hide volumes, so that if searched, no volumes would be found without knowing the proper key. In addition, it has a feature that can be valuable if you are seized and placed under duress: in addition to the "real" password, a 2nd can be setup to open another volume, so that your captors believe that you gave them the correct information. Unreal.

So you see that truecrypt is an amazing piece of software. For many things, it's definitely overkill. Instead, you just want something light, that will encrypt a file and that's it. In this case, Gnu Privacy Guard is probably your best bet. I use it in our company to send and receive client files over non secure transfer methods (FTP and the like). With proper Key Exchange, we can be absolutely sure that a file on our servers came from our clients, and vice versa. If you're running a Linux distribution, chances are good you've got GPG installed already. Windows and Mac users will have to get it, but it's absolutely worth it, and the knowledge of how public key encryption works is at the heart of everything from web certificates to ssh authentication. If you want to learn more about how to use it, Simple Help has a tutorial on it, covering the very basic usage. Once you're comfortable with that, check out the manual.


I'm sure I missed some fun ones, so make sure to suggest what you use!

• The Nike Experiment: How the Shoe Giant Unleashed the Power of Personal Metrics
  Quote: "The gist of the idea is that people change their behavior—often for the better—when they are being observed (which is why it’s sometimes called the observer effect). Those workers at Western Electric didn’t build more relays because there was more or less light or because they had more or fewer breaks. The Hawthorne effect posits that they built more relays simply because they knew someone was keeping track of how many relays they built."
  (categories: apple nike data stats health hawthorne-effect observer-effect metrics )

• fever again (tecznotes)
  Quote: "There are three steps: you start with a small seed application on your own server, you make it world-writeable so that it can modify itself, and then you link it to a paid account on the Fever website. The complete application is pushed to your server without your intervention, and you’re off to the races. I’m fairly certain I’ve never seen anything quite like this before: usually PHP/MySQL software is more like Reblog or Wordpress, where you unpack the thing as a complete unit, install the database and so on yourself, and do your own configuration."
  (categories: installation ux design whille-you-were-out )

• Snarkmarket: Compress Into Diamonds
  Quote: "Google, I want you to give me a button labeled “Compress into diamonds.” When I click that button, spin your little algorithmic wheels and turn my reader into a personalized Memeorandum. Show me the most linked-to items in the bunch, and show me which of my feeds are linking to them. And take it a step further. You’ve got all that trends data that reflects the items I’m reading. Underneath the hood might very well be data about the links I click on in those posts. Use that information about me to compress my unread items into diamonds I will find uniquely wonderful."
  (categories: google rss googlereader feeds aggregation attention )

• BashReduce — Richard Crowley’s blog
• USAF slammed for pranging Predators on manual • The Register
  A senior Pentagon official has delivered a stinging attack on the US Air Force, saying that its philosophy of using fully qualified human pilots to handle unmanned aircraft at all times has resulted in unnecessary, expensive crashes. By contrast, US Army drones with auto-landing equipment and cheaply-trained operators have an enviable record.

At Google we seek to serve a broad base of people — not only those who can afford to access the Internet from the convenience of their workplace or with a computer at home. It's important to reach users wherever they are, with the information they need, in areas with the greatest information poverty. In many places around the world, people look to their phones, rather than their computers, to find information they need in their daily lives. This is especially true in Africa, which has the world’s highest mobile growth rate and where mobile phone penetration is six times Internet penetration. One-third of the population owns a mobile phone and many more have access to one.

Most mobile devices in Africa only have voice and SMS capabilities, and so we are focusing our technological efforts in that continent on SMS. Today, we are announcing Google SMS, a suite of mobile applications which will allow people to access information, via SMS, on a diverse number of topics including health and agriculture tips, news, local weather, sports, and more. The suite also includes Google Trader, a SMS-based “marketplace” application that helps buyers and sellers find each other. People can find, "sell" or "buy" any type of product or service, from used cars and mobile phones to crops, livestock and jobs.

We are particularly excited about Google SMS Tips, an SMS-based query-and-answer service that enables a mobile phone user to have a web search-like experience. You enter a free form text query, and Google's algorithms restructure the query to identify keywords, search a database to identify relevant answers, and return the most relevant answer.












Both Google SMS Tips and Google Trader represent the fruits of unique partnerships among Google, the Grameen Foundation, MTN Uganda and local organizations*. We worked closely together as part of Grameen Foundation's Application Laboratory to understand information needs and gaps, develop locally relevant and actionable content, rapidly test prototypes, and conduct multi-month pilots with the people who will eventually use the applications have truly been a global effort, and created with Ugandans, for Ugandans.

We're just beginning. We can do a lot more to improve search quality and the breadth — and depth — of content on Google SMS, especially on Tips and Trader. Google SMS is by no means a finished product, but that's what's both exciting and challenging about this endeavor.

Meanwhile, if you're curious about what Google is doing in Africa, learn more at the Google Africa Blog.

Update: Corrected link to YouTube video for "rapidly test prototypes".
____
*BROSDI, (Busoga Rural Open Source and Development Initiative), Straight Talk Foundation, Marie Stopes Uganda.

Posted by Joe Mucheru, Head of Google Sub-Saharan Africa, & Fiona Lee, Africa Project Manager

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="tifi-hotwater.jpg" src="http://blog.makezine.com/archive/2009/06/28/tifi-hotwater.jpg" width="500" height="375" class="mt-image-none" style="" /></span></p> <p>The latest addition to my feed reader is <a href="http://thereifixedit.com/">There, I Fixed It</a>, a site collecting fantastic and hilarious examples of jury-rigging in daily life. My favorite so far is the point-of-use hot water heater shown above, but the "Franken-chair" has to take a close second. Thanks to Melody for steering me to it. </p> <a href="http://blog.makezine.com/archive/2009/06/blogging_epic_kludges.html?CMP=OTC-0D6B48984890" />Read more</a> | <a href="http://blog.makezine.com/archive/2009/06/blogging_epic_kludges.html?CMP=OTC-0D6B48984890" /> Permalink</a> | <a href="http://blog.makezine.com/archive/2009/06/blogging_epic_kludges.html?CMP=OTC-0D6B48984890#comments" />Comments</a> | <a href="http://blog.makezine.com/archive/hacks/?CMP=OTC-0D6B48984890" />Read more articles in hacks</a> | <a href="http://digg.com/submit?url=blog.makezine.com%2Farchive%2F2009%2F06%2Fblogging_epic_kludges.html&title=Blogging%20epic%20kludges&bodytext=%20The%20latest%20addition%20to%20my%20feed%20reader%20is%20There%2C%20I%20Fixed%20It%2C%20a%20site%20collecting%20fantastic%20and%20hilarious%20examples%20of%20jury-rigging%20in%20daily%20life.%20My%20favorite%20so%20far%20is%20the%20point-of-use%20hot%20water%20heater%20shown%20above%2C%20but%20the%20%26quot%3BFranken-chair%26quot%3B...&topic=tech_news" />Digg this!</a>

Webmaster Level: Intermediate.




Written by Luisella Mazza, Search Quality Senior Analyst

Seeing things like the free Ksplice Uptrack service for Ubuntu, I'm really starting to wonder if I'm using the right distro, on servers. Debian is my current preference, and has been for quite a while.

Ksplice is a product/project I've been interested in for quite sometime, but I've always had a bit of a problem with the implementation. I try and keep on top of vulns for as many as the products that I support at work, and personally, but inevitably I do miss things. The Uptrack service seems to solve this, but as an individual I couldn't justify what I suspect is a non-trivial cost for my Debian boxes.

So, as Ubuntu is Debian based, and the Canonical server team seems to hold a lot of the same values as the Debian team and myself, am I still using the right distro for the times? More importantly, is Debian destined to be nothing more than "meta-distro"^[1] in the future^[2]?

[1] A distro from which other distros are built.
[2] Given the number of distros which now depend on Debian, and the size and number of skilled people who contribute it, I don't believe that Debian will be going away any time in the future, nor can I see it's usage as a standalone distro diminishing to 0, I can see it shrinking with time. Especially if we keep seeing free/low cost, integrated, collateral services.

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="creepybaby.jpg" src="http://blog.makezine.com/creepybaby.jpg" width="600" height="398" class="mt-image-none" style="" /></span></p> <p>From <a href="http://www.flickr.com/photos/planetwrite/3649936468/in/pool-make/">planetwrite in the MAKE Flickr pool</a>, This ought to scare the daylights out of your average babysitter! <br /> </p> <a href="http://blog.makezine.com/archive/2009/06/creep_out_your_babysitter.html?CMP=OTC-0D6B48984890" />Read more</a> | <a href="http://blog.makezine.com/archive/2009/06/creep_out_your_babysitter.html?CMP=OTC-0D6B48984890" /> Permalink</a> | <a href="http://blog.makezine.com/archive/2009/06/creep_out_your_babysitter.html?CMP=OTC-0D6B48984890#comments" />Comments</a> | <a href="http://blog.makezine.com/archive/arts/?CMP=OTC-0D6B48984890" />Read more articles in Arts</a> | <a href="http://digg.com/submit?url=blog.makezine.com%2Farchive%2F2009%2F06%2Fcreep_out_your_babysitter.html&title=Creep%20out%20your%20babysitter%21&bodytext=%20From%20planetwrite%20in%20the%20MAKE%20Flickr%20pool%2C%20This%20ought%20to%20scare%20the%20daylights%20out%20of%20your%20average%20babysitter%21...&topic=tech_news" />Digg this!</a>

In today's SANS ISC journal, the story IP Address Range Search with libpcap wonders how to accomplish the following:

...how to find SYN packets directed to natted addresses where an attempt was made to connect or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35.

The proposed answer is this:

tcpdump -nr file '((ip[16:2] = 0xc0a8  and ip[18] = 0x19 and ip[19] > 0x06)\
and (ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19]  0x23) and tcp[13] = 0x02)'

I am sure it's clear to everyone what that means!

Given my low success rate in getting comments posted to the SANS ISC blog, I figured I would reply here.

Last fall I wrote Using Wireshark and Tshark display filters for troubleshooting. Wireshark display filters make writing such complex Berkeley Packet Filter syntax a thing of the past.

Using Wireshark display filters, a mere mortal could write the following:

tshark -nr file 'tcp.flags.syn and (ip.dst > 192.168.25.6 and ip.dst  192.168.25.35)'

Note that if you want to be inclusive, change the > to >= and the to = .

To show that my filter works, I ran the filter against a file with traffic on my own 192.168.2.0/24 network, so I altered the last two octets to match my own traffic.

$ tshark -nr test.pcap 'tcp.flags.syn and (ip.dst > 192.168.2.103 and ip.dst  192.168.2.106)'

137 2009-06-28 16:21:44.195504 74.125.115.100 -> 192.168.2.104 HTTP Continuation or non-HTTP traffic

You have plenty of other options, such as ip.src and ip.addr.

Which one do you think is faster to write and easier to understand?

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Shooting macro photography without a tripod is hard. You need a lot of light and you’re trying to balance the depth of field with a fast enough shutter speed to get a sharp picture. Bump your ISO up too high and you loose detail and get noise.

So here’s a little trick I picked up. Set your exposure compensation down a stop or two. You’ll under-expose the shot but the detail will be there. Back home you can push the exposure back up in post processing the RAW file.

I got this little guy hand held at ISO: 400, Exposure: 1/45 sec, Aperture: 8.0 with -1 stop set. It works!

Yesterday I mentioned a speech by my CEO, Jeff Immelt. Charlie Rose also interviewed Mr Immelt last week. In both scenarios Mr Immelt talked about preserving long-term competitiveness. Two of his themes were funding research and development and ensuring the native capability to perform technical tasks.

It occurred to me that digital security is reflected in both themes. In Crisis 0: Game Over I asked I'm sure some savvy reader knows of some corporate espionage case that ended badly for the victim, i.e., bankruptcy or the like? I got a few interesting cases, but I believe the net result is that it is difficult to find examples where an intrusion or breach was so devastating that it ended up destroying the victim organization.

This makes sense once you reflect on it. Why would a mature, thoughtful intruder seek to destroy his victim, if the purpose of his mission is to conduct espionage on behalf of a competitor or intelligence service? Destroying the victim renders it useless as a source for stealing intellectual property gained by the victim's research and development. In the foreign intelligence case, almost all operators prefer to keep a source active, even in wartime when you might think that destruction is the ultimate goal.

Taking this line of reasoning to its natural conclusion, we can see that digital security can be considered a means to preserve long-term competitiveness, particularly for organizations that seek to drive internal growth via investing in research and development. Such an organization is a natural target for competitors who find it immensely cheaper to steal intellectual property, rather than fund their own.

The problem is showing those who make budgetary and management decisions that digital security has a real role in loss prevention. I've written a lot about intellectual property and digital security, but it is exceptionally difficult to tie individual intrusions to real impact. How does pervasive theft of intellectual property (IP) manifest itself? In commercial cases, perhaps it would appear as a loss of sales to rivals who make similar or duplicate products based on stolen IP. Would the victim organization even know these lost or declining sales were the result of IP theft?

Even if the victim identified the stolen IP, could it be traced back to one or more intrusions, or would it be considered the consequences of product reverse engineering by competitors? The bottom line could be that the victim is still in business, but the double-digit growth and expanding market share it craves are reduced to single-digit growth and eroding market share.

It's a waste of time to use terms like "ROI" or "ROSI" when talking to managers or business people. It is usually impossible to fully explain, from loss to impact, the IP theft cases like the one I described in Intellectual Property: Develop or Steal, i.e., spend $10 million over 10 years on a product, then watch the Chinese duplicate it for $1.4 million in 6 months after stealing the IP. More often than not, the victim of IP theft simple whithers, wondering why its competitive advantage is not what it expected it to be. It's time to get managers and business people to think in terms of long-term competitiveness.

Clearly Mr Immelt has determined that it is not in his company's best interest, nor in the interests of the country, for the US to be underfunding R&D or outsourcing everything overseas. We security professionals need to adopt this line of reasoning to emphasize how effective digital security preserves long-term competitiveness.

By the way, you might be wondering if I can prove there is an impact to IP theft. I look at the question this way. If there were no impact to IP theft, why would economic and national competitors fund teams to steal IP? You might argue that IP thieves can duplicate and sell products at prices lower than the IP owner could afford, thereby serving a new market. If that were true, why would IP owners file patents? Clearly there is value in IP, so stealing it lessens the value available to the IP owner.

I use a variant of this argument when I encounter asset owners who claim there is no impact associated with an intrusion. My reply is usually this: If there is no impact, then why operate the asset? Retire it.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Mac4Lin is best Mac like User Interface for Gnome and Xfce desktops like Ubuntu/Xubuntu, Fedora, Debian and others, that will take care of absolutely everything (from icons, themes to usplash – loading window at start) to look just like Mac. With this package comes: dock, the GTK theme, Emerald theme (3d window borders), new icons, new wallpapers, taskbar image, GDM themes, cursors, themes for

Yehuda Katz: Last week, Carl and I started digging into the Rails initializer, and the tests in the initializer (railties) are more mock-based and less reliable than the tests in ActionPack (which we’ve been working with so far). They’re pretty reasonable unit tests for individual components, but getting all of the tests to pass did not result in an (even close) bootable Rails app.

As work continues on initialization, problems continue to pop up from time to time.  As I write this, there are a number of failures, all of the same basic form: the tests that Rails will generate for a project won’t run.

To help with spreading the word, I’ve created a registration page where those with an interest in doing so can sign up for IM notification on test results.

I’ve worked with OpenID before, but this was the first time I tried the Rails plugin.  It truly does make this much simpler, but one still needs to be aware of the fact that methods that call open_id_authentication will be called twice: once with the original params, and once after all the openid redirects have been processed.  If there is interesting information in the params it needs to be saved someplace, like in the session or a cookie.

I developed the page on my own machine.  One problem that I haven’t fully debugged that I found after I deployed it on DreamHost is that retrieving the value of cookies results in a quoted string, specifically double quotes are added around the value.  Weird.

I'm not a big fan of just publishing links to other people's stories, but there's a few that I really like this week. Please consider checking these out:

• Nate Richmond wrote Building an IR Team: People and Building an IR Team: Organization. These posts are gold for anyone trying to build an IR team on their own, or trying to benchmark against an expert's recommendation. Keep writing Nate!


• Alec Waters caught my attention with his post Prevention Eventually Fails, part one. Anyone who read my first book recognizes my catchphrase "Prevention eventually fails." Alec's posts look interesting!


• My CEO delivered a great speech this week, viewable at American Renewal: Immelt addresses Detroit Econ Club and readable at Text of Immelt's Speech. This caught my eye:
  
  In some areas, we have outsourced too much. We plan to "insource" capabilities like aviation component manufacturing and software development. These are the things we will be working on in Michigan. This will make us faster and more competitive over the long term.
  
  I totally agree -- internal security staff matters.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Earlier this month I wondered How much to spend on digital security. I'd like to put that question in a different light by imagining what a black hat could do with a $1 million budget.

The ideas in this post are rough approximations. They certainly aren't a black hat business plan. I don't recommend anyone follow through on this, although I am sure there are shops our there who do this work already.

Let's start by defining the mission of this organization, called Project Intrusion (PI). PI is in "business" to steal intellectual property from organizations and sell it to the highest bidders. In the course of accomplishing that mission, PI may develop tools and techniques that it could sell down the food chain, once PI determines their utility to PI has sufficiently decreased.

With $1 million in funding, let's allocate some resources.

• Staff. Without people, this business goes nowhere. We allocate $750,000 of our budget to salaries and benefits to hire the following people.




• The team leader should have experience as a vulnerability researcher, exploit developer, penetration tester, enterprise defender, and preferably an intelligence operative. The leader can be very skilled in at least one speciality (say Web apps or Windows services) but should be familiar with all of the team's roles. The team leader needs a vision for the team while delivering value to clients. $120,000.


• The team needs at least one attack tool and technique developer for each target platform or technology that PI intends to exploit. PI hires three. One focuses on Windows OS and client apps, one on Web apps, and one on Unix and network infrastructure. $330,000.


• The team hires two penetration operators who execute the team leader's mission directives by using the attack tools and techniques supplied by the developers. The operators penetrate the target and establish the persistence required to acquire the desired intellectual property. $180,000.


• The team hires one intelligence operative to direct the penetration operators attention toward information of value, and then assess the value of exfiltrated data. The intel operative interfaces with clients to make deals. $120,000.




• Technology. The team will need the following, for a total of $200,000.




• Lab computers running the software likely to be attacked during operations.


• Operations computers from which the penetration operators run attacks.


• Network connectivity and hosting for the lab computers and operations computers, dispersed around the world.


• Software required by the team, since many good attack tools are commercial. MSDN licenses are needed too. There's no need to steal these; we have the budget!




• Miscellaneous. The last $50,000 could be spent on incidentals, bribes, team awards, travel, or whatever else the group might require in start-up mode.

If the attack developers manage to make enough extra money by selling original exploits, I would direct the funds to additional penetration operators. It would take about six of them to support a sustainable 24x7 operation. With only two they would need to be careful and operate within certain time windows.

So what is the point of this exercise? I submit that for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack. This team has the structure and expertise to develop its own attack methods, execute them, and sell the results of its efforts to the highest bidders.

This should be a fairly scary concept to my readers. Why? Think about what $1 million buys in your security organization. If your company is small, $1 million could go a long way. However, when you factor in all of the defensive technology you buy, and the salaries of your staff, and the scope of your responsibilities, and so on, quickly you realize you are probably out-gunned by Project Intrusion. PI has the in-house expertise to develop its own exploits, keep intruders on station, and assess and sell the information it steals.

Worse, PI can reap economies of scale by attacking multiple targets for that same $1 million. Why? Everyone runs Windows. Everyone uses the same client software. Everyone's enterprise tends to have the same misconfigurations, missing patches, overworked staff, and other problems. The tools and techniques that penetrate company A are likely to work against company B.

This is why I've always considered it folly to praise the Air Force for standardizing its Windows deployment with supposedly secure configurations. If PI looks at its targets and sees Windows, Windows, some other OS that might be Linux or BSD or who knows what, Windows, Windows, who do you think PI will avoid?

It's all about cost, on the part of the attacker or defender. Unfortunately for defenders, it's only intruders who can achieve "return on investment" when it comes to exploiting digital security.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

After my last post, some of you are probably thinking that it's easy to be a critic, but what would I suggest instead? The answer is simple to name but difficult to implement.

1. Operate a defensible network architecture. Hardly anyone does. I don't need to explain all of the reasons why here; they could occupy a series of posts, or maybe even a book.


2. Once the DNA is operating, detect and respond to failures. The nice aspect of operating a DNA is that the number of failures should be lower but of higher complexity. Unfortunately at the moment almost all of the world's detection and response teams have to deal with the entire spectrum of security incidents. These range from the most mundane to the most complex. Too often the mundane hide the complex, or at the very least divert resources and attention.


3. Use the knowledge learned from failures (either caused by adversaries or adversary simulation) to guide the next version of the DNA. Since most enterprises are not operating a DNA, they never get to work on the next version anyway.

I know other people think this way too. Harlan Carvey is one. He is also an incident responder and he finds so many clients that are not doing the basics anywhere remotely right.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

I came home from Sarah's this morning after sleeping for a few hours. In those few hours, I had what seemed to be a weird dream... but not?

Unfortunately, all I can remember is that I was standing inside a classroom full of people standing up. I turned towards the door and saw my friend Chris Hernandez standing there. I gasped, then tried to move towards him, but he ran out the door. After I left the classroom, I woke up and couldn't manage to fall back asleep.

Chris committed suicide in 2007... and I haven't seen him since. It's so distinctly odd that I would see him in a dream like that. Especially when I woke up from it and couldn't get back to sleep... almost like a ghastly feeling was tingling the back of my head. Visitation from an old friend, or a sign of something to come?

I read Anton Chuvakin's post MUST READ: Best Chapter From “Beautiful Security” Downloadable! with some interest. He linked to a post by Mark Curphey pointing out that Mark's chapter from O'Reilly's new book Beautiful Security was available free for download in .pdf format. O'Reilly had been kind enough to send me a copy of the book, so I decided to read Mark's chapter today.

I found the following excerpts interesting.

Builders Versus Breakers

Security people fall into two main categories:

• Builders usually represent the glass as half full. While recognizing the seriousness of vulnerabilities and dangers in current practice, they are generally optimistic people who believe that by advancing the state they can change the world for the better.


• Breakers usually represent the glass as half empty, and are often so pessimistic that you wonder, when listening to some of them, why the Internet hasn’t totally collapsed already and why any of us have money left unpilfered in our bank accounts. Their pessimism leads them to apply the current state of the art to exposing weaknesses and failures in current approaches.

I remembered I had seen something like this before and wrote On Breakership in response. However, back then the debate seemed to center around calling people who helped create and defend systems as "builders, while labeling people who exploited or at least tested systems as "breakers." Mark seems to have dismissed people who "break" systems in order to improve security, while praising builders as people who stay "optimistic." I don't think this is fair. My post Response to Is Vulnerability Research Ethical? explains my position, which is essentially that Offense and Defense Inform Each Other.

Next, in a section titled Clouds and Web Services to the Rescue, Mark describes how centralized data storage for his 6 home PCs at Amazon S3 is great for security. Unfortunately, all he is really showing is that there is value in offsite storage. Storing data at Amazon S3 doesn't help much when those 6 systems are part of Calin's botnet in Romania. This is an example of focusing on one aspect of security (availability) while ignoring the other parts (confidentiality and integrity). Don't get me wrong -- I think cloud storage is great and I use a variety of services myself. However, it only helps with one aspect of the security landscape, and if not properly utilized introduces other vulnerabilities and exposures not found in other models.

Next Mark talks about using cloud services for data analysis.

Event logs can provide an incredible amount of forensic information, allowing us to reconstruct an event. The question may be as simple as which user reset a specific account password or as complex as which system process read a user’s token. Today there are, of course, log analysis tools and even a whole category of security tools called Security Event Managers (SEMs), but these don’t even begin to approach the capabilities of supercrunching. Current tools run on standard servers with pretty much standard hardware performing relatively crude analysis...

[T]he power and storage that is now available to us all if we embrace the new connected computing model will let us store vast amounts of security monitoring data for analysis and use the vast amounts of processing power to perform complex analysis. We will then be able to look for patterns and derive meaning from large data sets to predict security events rather than react to them. You read that correctly: we will be able to predict from a certain event the probability of a tertiary event taking place. This will allow us to provide context-sensitive security or make informed decisions about measures to head off trouble.

Does Mark mean that the real problem we've had with detecting and responding to security events is a lack of processing power? Good grief. I hear thoughts like this quite often from people who don't actually detect and respond to security incidents. Even academic security researchers in their ivory towers are probably laughing at Mark's angle. "Oh, you're right -- we've just been waiting for a supercomputer to run our algorithms!"

Mark then talks about using Business Process Management (BPM) software to improve security:

When security BPM software (and a global network to support it) emerges, companies will be able to outsource this step not just to a single company, in the hope that it has the necessary skills to provide the appropriate analysis, but to a global network of analysts. The BPM software will be able to route a task to an analyst who has a track record in a specific obscure technology (the best guy in the world at hacking system X or understanding language Y) or a company that can return an analysis within a specific time period. The analysts may be in a shack on a beach in the Maldives or in an office in London; it’s largely irrelevant, unless working hours and time zones are decision criteria...

This same fundamental change to the business process of security research will likely be extended to the intelligence feeds powering security technology, such as anti-virus engines, intrusion detection systems, and code review scanners. BPM software will be able to facilitate new business models, microchunking business processes to deliver the end solution faster, better, or more cheaply. This is potentially a major paradigm shift in many of the security technologies we have come to accept, decoupling the content from the delivery mechanism. In the future, thanks to BPM software security, analysts will be able to select the best anti-virus engine and the best analysis feed to fuel it — but they will probably not come from the same vendor.

Again, this is so detached from reality, I am curious how anyone could think this is possible. Mark works for Microsoft. Would you ever imagine Microsoft pivoting on a dime to "select the best anti-virus engine and the best analysis feed" -- or would they stick to their own product, because it's their own product? What about your company -- have you witnessed the organizational inertia associated with any IT product or system?

How about trust factors? What if "the best guy in the world at hacking system X or understanding language Y" works in a country with a reputation for industrial espionage? What if that guy was just hired by a competitor, or is working for a competitor now? How long does it take outside help to become familiar with the aspects of your business that eventually determine success? There's a reason why companies are not collections of free agents working independently.

Mark's last section talks about social networking for the security industry, talking about how people should share what they know. There are indeed certain collaborative forums where this works, but you are seldom if ever going to find any serious company telling other companies how their security defenses work, how they fail, and what is lost as a result of that failure. Individual collaboration occurs, but there could be severe consequences for a security staff member who unloads specific technical security information to a social network. The most productive associations that currently exist are found in certain private mailing lists, associations of peer companies that sign mutual nondisclosure agreements, and individual exchanges among peers.

Mark is a smart guy but I think his prognosis for the security industry in his Beautiful Security chapter are largely incomplete and unrealistic.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

KeePassX is a password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. This means that you only have to remember one single master password or insert the key-disk to unlock the whole database. The complete database is always encrypted either with AES (alias Rijndael) or

Steghide is a steganography program that is able to hide data in various kinds of image and audio files. The color-frequencies (for image files) or sample-frequencies (for audio files) are not changed, thus making the embedding resistant against first-order statistical tests. Features include:     * Compression of embedded data     * Encryption of embedded data     * Embedding of a checksum to

PeaZip is a cross-platform portable file archiver, released under LGPL. PeaZip supports many different archive and compression formats including: 7z, 7z-sfx, ARC/WRC, BZ2, GZ, LPAQ, PAQ, PEA, QUAD, split, TAR, UPX, ZIP; Read: 7Z, ARC/WRC, ACE, ARJ, BZ2/TBZ2, CAB, CHM, CPIO, DEB, GZ/TGZ, ISO, JAR/EAR/WAR, LZH, NSIS, OOo, PAK/PK3/PK4, PAQ, PEA, PET/PUP, QUAD, RAR, RPM, SLP, split, TAR, U3P, WIM,

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks). If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/messages on OpenSuSe, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were

cksum prints the CRC checksum for each file along with the number of bytes in the file, and the file name unless no arguments were given. cksum is typically used to ensure that files transferred by unreliable means have not been corrupted, by comparing the cksum output for the received files with the cksum output for the original files (typically given in the distribution). The CRC algorithm is

• M2Crypto : Me Too Crypto

PySDM is a PyGTK Storage Device Manager that allows full customization of hard disk mountpoints whitout manually access to fstab. It also allows the creation of udev rules for dynamic configuration of storage devices
(...)
Read the rest of Pysdm – Graphical Storage Device Manager (114 words)

---

© admin for Ubuntu Geek, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: desktop, Graphical Storage Device Manager, Graphical Storage Device Manager ubuntu, install Pysdm ubuntu, Pysdm, Pysdm ubuntu

Related Articles

• How to install two microsoft fonts (office 2007) ‘APA’ or ‘Turabian’? (14)
• Howto Reinstall all of currently installed packages in fresh Ubuntu install (18)
• QuickStart – Back-up, Restore, and Set-up Ubuntu Quickly and Easily (4)
• Ubuntu Installation Report Generator (3)
• Nice Ubuntu themes for Jaunty and Intrepid Users (32)
• Sound Solutions for Ubuntu 9.04 (Jaunty) Users (29)
• How to Set a Static IP address in Ubuntu 8.10 (Intrepid Ibex) (48)
• Ubucleaner – Simple bash script to keep your Ubuntu System Clean (20)
• Super Ubuntu 2008.11 – Ubuntu Based Linux including Your Favourite applications (17)

An ensemble of methods from four teams has passed the criteria to win the Netflix Prize.

Other teams have 30 days to beat it, but, no matter what happens, the $1M prize will be claimed in the next month.

Congratulations to the winning team and all the competitors. It was a goal that some thought impossible without additional data, but remarkable persistence has proven the impossible possible.

Please see also my earlier post, "On the front lines of the Netflix Prize", which summarizes an article that describes some of the algorithms that brought the winning team to where it is now.

Earlier this month the FreeBSD Foundation contacted me to see if I was interested in helping to research and write up what is happening both within the Foundation and the FreeBSD Project. There's certainly no lack of cool stuff to write about.

Yesterday I had a chance to meet the lead singer of O Teatro Magico and then see their show. It was amazing! This creative group of musicians were about to "live the dream" by signing with a record company a number of years ago, but after they recorded the songs for their first album, the recording company said "sorry, but you need to change everything so that it sounds more like pop."

read more

It's been some time since I've had time to write an opinion blog post. While I still don't have the time, three items I read yesterday prompted me to want to write.

At Google, we are moved by the life and untimely passing of Michael Jackson. As word spread of his death, millions and millions of people from all over the world began searching for information about the pop icon. The following chart shows the meteoric rise in related searches around 3:00pm PDT:


Search volume began to increase around 2:00pm, skyrocketed by 3:00pm, and stabilized by about 8:00pm. As you can see in Google Hot Trends, many of the fastest rising search queries from yesterday and today have been about Michael Jackson's passing (others pertained to the death of another cultural icon, Farrah Fawcett). People who weren't near a computer yesterday turned to their mobile phones to check on breaking news. We saw one of the largest mobile search spikes we've ever seen, with 5 of the top 20 searches about the Moonwalker.

The spike in searches related to Michael Jackson was so big that Google News initially mistook it for an automated attack. As a result, for about 25 minutes yesterday, when some people searched Google News they saw a "We're sorry" page before finding the articles they were looking for.

Michael Jackson led an amazing and controversial life in the public eye. Many of us have a "Michael Jackson story." Mine is that he actually taught me how to moonwalk — thanks to many an hour I spent in front of the television trying to mimic his performances. Regardless of your story or personal opinions about this astounding performer, global interest in the King of Pop is undeniable.

Posted by R.J. Pittman, Director, Product Management

Hubert Feyrer had a great blog post yesterday with a recipe for a useful .windowrc.

Michael Dexter announced yesterday that a Beastie Visa card is now available through BSD Fund.

We missed a step or something in decommissioning our Exchange2003 servers. As a result, we have a whole lot of... stuff going 'unresolvable' due to how Outlook and Exchange work. There is an attribute on users and group called LegacyExchangeDN. Several processes store this value as the DN of the object. If that object was created in Exchange 2003 (or earlier) it's set to a location that no longer exists.

The fix is to add an X500 address to the object. That way, when the resolver attempts to resolve that DN it'll turn up the real object. So how do you add an X500 address to over 5000 objects? Powershell!

$TargetList = get-distributiongroup grp.*

foreach ($target in $TargetList) {
    $DN=$target.SamAccountName
    $Leg=$target.LegacyExchangeDN
    $Email=$target.EmailAddresses
    $Has500=0

    if ($leg -eq  "/O=WWU/OU=WWU/cn=Recipients/cn=$DN") {
       foreach ($addy in $Email) {
           if ($addy -eq [Microsoft.Exchange.Data.CustomProxyAddress]("X500:" + $Leg)) {
               $Has500=1
           }
       }
       if ($Has500 -eq 0) {
           $Email += [Microsoft.Exchange.Data.CustomProxyAddress]("X500:" + $Leg)
           $target.EmailAddresses = $Email
           set-distributiongroup -instance $target
           write-host "$DN had X500 added" -foregroundcolor cyan
       } else {
           write-host "$DN already had X500 address" -foregroundcolor red
       }
   } else {
   write-host "$DN has correct LegacyExchangeDN" -foregroundcolor yellow
   }
}

It's customized for our environment, but it should be obvious where you'd need to change things to get it working for you. When doing users, use "get-mailbox" and "set-mailbox" instead of "get-distributiongroup" and "set-distributiongroup". It's surprisingly fast.

My contribution to the community!

A brute force attack consists of trying every possible code, combination, or password until you find the right one. As an example, imagine a system which only allows 4 digit PIN codes. This means that there are a maximum of 10,000 possible PIN combinations. From the example above, PIN security could be increased by:     * Increasing the length of the PIN     * Allowing the PIN to contain

I was messing around inside top trying to diagnose a server slowdown and I noticed that my server has been up for 463 days. The server runs Linux Centos 4.4.

Want to share your server uptime?

Huge congratulations to Daniel Halasz from Hungary, who was awarded the Google Photography Prize this week. This was a global student competition to create themes for iGoogle. More than 3,600 students from across the world entered, and a couple of weeks ago we asked you to vote on the shortlist. The six finalists who got the most public votes were Amelia Ortúzar (Chile), Fahad AlDaajani (Saudi Arabia), Matjaz Tancic (U.K.), Mikhail Simin (U.S.) and Vesna Stojakovic (Serbia) — congratulations to all of them! From that group, a jury of respected art critics and artists chose Daniel as the winner. They also gave a special commendation prize to Aliyah Hussain from the U.K.

You can see the work Daniel and the other finalists submitted at the Saatchi Gallery in London until Sunday, June 28th. Come by if you're in town, or have a look at their photographs on google.com/photographyprize, where you can also add them to your iGoogle homepage.

Posted by Posted by Louise Rigby, Consumer Marketing Team

This article gives a good understanding of Ext4 - the 4th extended file system. Ext4 was released as a functionally complete and stable filesystem in Linux kernel 2.6.28. Ubuntu 9.04 aka Jaunty Jackalope was released with support for the ext4 file system, so do many latest builds of many other Linux distributions.

They have an option to set a custom X-header for indicating spam. The other options are subject-line markup and quarantine on the ForeFront servers. What they never document is what they set the header to. As it happens, if the message is spam it gets set like this:

X-WWU-JunkIt: This message appears to be spam.

Very basic. And not documented. Now that we know what it looks like we can create a Transport Rule that'll direct such mail to the junk folder in Outlook. Handy!