Wednesday, October 24, 2007

Comments on "Switching From OS X to Ubuntu"

Here's an interesting rant by someone who Switched From OS X to Ubuntu and got homesick. Read through the comments - there are replacements for all of his missing applications. This is someone who was used to doing things one way, and never put the effort into learning something new, or looking for alternatives (that's not necessarily bad, just an observation). I've said it before, Linux will make an attractive Desktop when the OEM agreements are broken and you can walk into your local PC chain and buy Linux pre-installed, giving people a chance to get used to it. Otherwise, it's an uphill battle.

Tuesday, October 23, 2007

Serious Businesses Don't Use Ubuntu Because the Release Names are Silly

Ubuntu has an identity crisis, because the development names of its releases are silly. Sheesh. As one commenter points out, take a look at some other silly names. Also, to be on the safe side, you had better not use any Intel hardware. Stay away from Apple; their codenames are just too silly for serious IT executives. Hopefully this is just satire and not a drunken rant by some columnist about to miss a deadline (or worse, a sober one).

Tuesday, October 16, 2007

Article Roundup

OK, I have no sympathy for these people. I mean, seriously, why are you using Hotmail for mailing lists?

It's about time the US patent system had an injection of sanity, especially given the recent visit from the patent trolls.

Mark Shuttleworth talks about Ubuntu 7.10, set to be released tomorrow.

John Wiegley brings us neat tricks with iptables.

Here are ten funny quotes by Linus Torvalds.

More humor: I love reading the old BOFH episodes.

Sunday, October 14, 2007

BSDTalk - Richard Stallman Interview

BSDTalk has posted a nicely done interview with Richard Stallman. Well worth a listen. While you are there, check out the archived podcasts going back almost two years.

Friday, October 12, 2007

'Insecure by Default'? Well, Yes and No...

Azerblog mentions that Linux distros are insecure by default, specifically that you can boot into single-user mode by editing the GRUB kernel line and get a root shell. Actually, on Fedora, Debian, and Ubuntu this doesn't work without the existing root password (not sure about other Unices or Linux distros). Just before entering single-user mode, sulogin stops you with the console message "Give root password for maintenance (or type control-D for normal startup)". One caveat: that prompt only helps if root has a password to check, and Ubuntu leaves the root account locked by default, so try the recovery entry on your own install before relying on it. To get a minimal root shell with no password at all, add init=/bin/bash to the 'kernel' line in the GRUB edit shell; the kernel then runs bash as its first process in place of init, so nothing ever asks for a login. You could also boot from a live CD, or just take out the hard drive and mount it in another computer (all good methods of recovering a lost root password, BTW).

I guess the moral is that if a determined cracker gets physical access to your server, they can pretty much do what they want. I suppose to make things very difficult, you could 1) enable the system's BIOS password, 2) enable the GRUB password, and 3) use encrypted swap and filesystems. All of these would be a real pain if you don't have remote console on a CoLo'd or hosted server, since you would need someone physically present every time the server rebooted or lost power. I imagine that's why many of these security measures are not enabled by default.
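As an added example (not from the original post), here is a small shell audit of a GRUB legacy /boot/grub/menu.lst that checks for the two settings behind point 2 above: a global 'password' directive, which is what stops a console user from entering edit mode and appending init=/bin/bash, and a 'lock' line under each recovery entry so it cannot be booted unchallenged. Both menu.lst samples are constructed, and the hash in the hardened one is a placeholder; generate a real one with grub-md5-crypt.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a GRUB legacy menu.lst
# (GRUB 0.9x, as shipped on Debian/Ubuntu in 2007) for console hardening.
# Assumes the legacy syntax: a global 'password --md5 <hash>' line disables
# the menu editor and command line, and 'lock' inside an entry requires that
# password before the entry will boot.

# Read a menu.lst on stdin, print findings, return 0 only if a global
# password directive is present.
audit_menu_lst() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments (incl. Ubuntu AUTOMAGIC block)
        $1 == "password" { have_pw = 1; next }     # global password: edit mode protected
        $1 == "title" {
            n++; title = $0; sub(/^[ \t]*title[ \t]+/, "", title); titles[n] = title
            if (title ~ /recovery|single/) recov[n] = 1
            next
        }
        $1 == "kernel" && n > 0 && /[ \t]single([ \t]|$)/ { recov[n] = 1 }
        $1 == "lock" && n > 0 { lockd[n] = 1 }
        END {
            if (have_pw)
                print "OK: global password set; GRUB edit mode and command line need it"
            else
                print "WARNING: no password directive; anyone at the console can edit the kernel line (init=/bin/bash)"
            for (i = 1; i <= n; i++)
                if (recov[i] && !lockd[i])
                    print "WARNING: recovery entry not locked: " titles[i]
            exit (have_pw ? 0 : 1)
        }'
}

# Constructed sample: a stock-looking menu.lst with no protection at all.
SAMPLE_UNHARDENED='default 0
timeout 3
title Ubuntu 7.10, kernel 2.6.22-14-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.22-14-generic root=/dev/sda1 ro quiet splash
initrd /boot/initrd.img-2.6.22-14-generic

title Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.22-14-generic root=/dev/sda1 ro single
initrd /boot/initrd.img-2.6.22-14-generic'

# Constructed sample: the same file with a (placeholder) password hash and
# the recovery entry locked. Replace the hash with grub-md5-crypt output.
SAMPLE_HARDENED='default 0
timeout 3
password --md5 $1$h4sh$placeholderNotARealHash
title Ubuntu 7.10, kernel 2.6.22-14-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.22-14-generic root=/dev/sda1 ro quiet splash
initrd /boot/initrd.img-2.6.22-14-generic

title Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.22-14-generic root=/dev/sda1 ro single
initrd /boot/initrd.img-2.6.22-14-generic'

for sample in "$SAMPLE_UNHARDENED" "$SAMPLE_HARDENED"; do
    echo "--- auditing sample ---"
    printf '%s\n' "$sample" | audit_menu_lst \
        || echo "-> add 'password --md5 <hash>' near the top and 'lock' under each recovery entry"
done
# On a live system:  audit_menu_lst < /boot/grub/menu.lst
```

Note that a GRUB password only raises the bar at the boot menu; without a BIOS password the same person can boot a live CD, and without disk encryption they can read the disk from anywhere.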

Wednesday, October 10, 2007

Comments on 'Security without firewalls'

Debian Administration has an article up about the usefulness of firewalls. Are they really necessary? If you consider a firewall as just a non-stateful, layer-3 packet filter, then I would agree they are not very useful. However, modern firewalls can do all sorts of useful filtering that can protect a public application from compromise; things like stateful fragment reassembly, packet normalization, and rate limiting come to mind. Outbound filtering can also be useful, in the event of an internal compromise (a box that cannot reach the outside cannot fetch tools or phone home), or just as a spam-buster (only allowing outbound SMTP traffic to a mail relay with authentication).
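The outbound spam-buster rule mentioned above, as an added shell example rather than anything from the Debian Administration article: an iptables fragment for a host that should only ever open SMTP sessions to one relay that requires SMTP AUTH. The relay address is a parameter; everything else bound for port 25 gets a rate-limited log entry and a TCP reset. Set IPT=echo to preview the rules without root. The rule set is an assumption about how such a host should be configured, not a quote from any source.

```shell
#!/bin/sh
# Added example, not from the original post or the linked article.
# Outbound SMTP policy for a host that must only submit mail through one
# authenticated relay. IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"

# Append the outbound SMTP rules for the given relay (IP or hostname).
# Order matters: stateful accept first, then the one permitted relay,
# then a rate-limited log and a reject for everything else on port 25.
outbound_smtp_rules() {
    relay="$1"
    [ -n "$relay" ] || { echo "usage: outbound_smtp_rules RELAY" >&2; return 2; }

    # Replies to conversations we already allowed (stateful, not just port-based)
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New SMTP sessions only to the relay, on 25 or the submission port 587
    $IPT -A OUTPUT -p tcp -d "$relay" --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$relay" --dport 587 -m state --state NEW -j ACCEPT

    # Anything else opening port 25 directly is a compromised account or a
    # spambot; log it at a bounded rate so the log itself cannot be flooded
    $IPT -A OUTPUT -p tcp --dport 25 -m state --state NEW \
         -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "smtp-direct-blocked: "
    # Reset rather than drop: a misconfigured local MTA fails fast instead of
    # queueing and retrying against a silent timeout
    $IPT -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Preview without touching the running firewall:
#   IPT=echo sh smtp-out.sh mail.example.net      (relay name is an assumption)
if [ $# -gt 0 ]; then
    outbound_smtp_rules "$1"
fi
```

The LOG rule is where the "internal compromise" case pays off: a workstation that suddenly tries to talk to port 25 on random hosts shows up in syslog long before the abuse reports arrive.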

This reminded me of an article I read some time ago by Abe Singer in the Usenix magazine ;login: about life without firewalls at the San Diego Supercomputer Center (SDSC) (PDF). Basically, they do the following:

  • They have a centralized configuration management system; they use only hardened 'reference systems' on any public networks
  • They have implemented aggressive patching policies
  • They enforce a strict policy on strong authentication


How well does this setup work? According to SearchSecurity.com, pretty well. The SDSC has seen one compromise in six years without a firewall, and that one compromise would not have been stopped by a firewall, even if they had one.

Tuesday, October 09, 2007

The Next Leap for Linux - New York Times

The New York Times published a halfway-decent look at Linux from a consumer standpoint several days ago. First, the article is noteworthy in that it mentions software freedom, something very rare in mainstream media considerations of Linux:

But why would anyone want to use Linux, an open-source operating system, to run a PC? “For a lot of people,” said Jim Zemlin, executive director of the Linux Foundation, “Linux is a political idea — an idea of freedom. They don’t want to be tied to Microsoft or Apple. They want choice. To them it’s a greater cause.”

They go on to mention Dell's entry into the consumer PC and laptop market with Ubuntu, then this:

One challenge for Linux users is finding media players that work with encrypted music and DVDs. Ubuntu comes with a movie player, but it is not automatically configured to play copy-protected commercial DVDs. To watch a movie, the Linux user must install necessary codecs, or decoders.

This is wrong on two counts. One, that finding codecs is hard: yes, it used to be, but it isn't any longer. Feisty Fawn, the version of Ubuntu shipping on Dell systems, will automatically download needed codecs for most multimedia formats after some click-through warnings. Second, Windows itself doesn't come with all needed codecs, either; they are downloaded for you in a similar fashion. As for encrypted DVDs, last I checked, Windows will not play encrypted DVDs out-of-the-box either; you need to buy commercial DVD viewing software for this (I'm not including the usual spate of cripple-ware on most new Windows PCs, since they are time- and/or feature-limited). At least on Ubuntu, there are clear instructions for dealing with restricted multimedia formats, none of which involve the consumer spending money (similar pages exist for Debian and Fedora, too). Decent iTunes support is perhaps the only thing lacking from Linux these days. Banshee, mentioned in the article, apparently comes close.

Sunday, October 07, 2007

Article Roundup

Wired talks to Rob Malda, the creator of Slashdot on its 10th anniversary.

There's a good series of articles at OFB.biz on desktop FreeBSD.

Those of us still content using mutt to read email will enjoy Daniel Webb's article on The Ultimate Email Setup.

Rudd-o.com brings us how to speed up your Linux desktop.

If you're looking for a more secure alternative to FTP, head over to HowtoForge and read Chrooted SFTP With MySecureShell On Debian Etch.

For those that missed it, read DEranged Security's article on Tor snooping. This was the result (ouch). Remember, Tor hides where your traffic comes from, not what is in it: an exit node sees whatever you send in the clear, so Tor only ensures anonymity as long as the content of your traffic stream doesn't give your identity (or more) away. Bruce Schneier has some insightful commentary on the matter as usual.

Friday, October 05, 2007

Updating Your Debian or Ubuntu Desktop Safely

Bruce Byfield wrote an article about the dangers of automatic updates at Linux.com. I agree with him that updates are often dangerous; however, I will say that after many years of updating systems running Debian "stable", I have not encountered any problems afterwards. After all, it's Debian's policy not to include any non-security updates in their stable branch. I don't take any chances, and run the updates manually (see my previous post on Remotely Administering Groups of Servers With Dsh and SSH for a way to run updates on many boxes at once), but still no problems. The one big weakness of this policy over the years was that it excluded updates for packages that did need them, like Snort or ClamAV. With Debian volatile, this is no longer an issue.

My Ubuntu desktop, however, is another story. I tend not to update it unless I feel it is absolutely necessary - it usually isn't. With no services open to the world, security vulnerabilities will tend to be exposed via web or email, so important updates usually revolve around Firefox (I use mutt for email).

There are a couple of good ways on Debian or Ubuntu desktops to make updates a bit safer: you can select individual updates with the graphical update manager, or use apt-listchanges from a shell prompt. Using the update manager, you can not only select individual updates but also display detailed changelogs for the new version, so you can make an informed decision on whether or not to upgrade. Just select a package and click on the "Description of update" arrow.

Ubuntu Updates

Using the command line, let's say you just wanted to upgrade the 'tar' utility. Apt-listchanges gives us similar functionality to the graphical update manager. First we have to install and configure it. The 'dpkg-reconfigure' step below will ask you a bunch of questions; the important ones are to have apt-listchanges display both changelogs and news, and to ask for confirmation before proceeding.

    sudo apt-get update
    sudo apt-get install apt-listchanges
    sudo dpkg-reconfigure apt-listchanges

My /etc/apt/listchanges.conf is the following. It gets auto-generated by the 'sudo dpkg-reconfigure apt-listchanges' step, but you can certainly edit it by hand:

    [apt]
    frontend=pager
    email_address=doug
    confirm=1
    save_seen=/var/lib/apt/listchanges.db
    which=both

Now, after apt downloads the updated tar package, it will display a changelog, and ask for confirmation before updating:

    doug@dev:~$ sudo apt-get install tar
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be upgraded:
      tar
    1 upgraded, 0 newly installed, 0 to remove and 112 not upgraded.
    Need to get 0B/322kB of archives.
    After unpacking 0B of additional disk space will be used.
    Reading changelogs... Done
    ...
    tar (1.16-2ubuntu0.1) feisty-security; urgency=low

      * SECURITY UPDATE: directory traversal with malicious tar files.
      * src/names.c: adjust dot dot checking, patched inline.
      * References
        CVE-2007-4131
    ...
    apt-listchanges: Do you want to continue? [Y/n]?
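One more step, as an added shell example that is not part of the original post: when a desktop has a pile of pending upgrades and you only want the security ones right now, 'apt-get -s upgrade' (simulate, changes nothing) lists what would be installed, one 'Inst' line per package with the new version and the archive it comes from. The script below filters those lines for origins that name a security pocket (feisty-security on Ubuntu 7.04, Debian-Security on Debian; the exact labels are an assumption about your sources.list) and prints the package names so you can hand them to apt-get install, where apt-listchanges will still show the changelogs and ask. The 'apt-get -s' output embedded in it is constructed to match that format.

```shell
#!/bin/sh
# Added example, not from the original post. Picks the security-pocket
# upgrades out of 'apt-get -s upgrade' output so they can be applied on
# their own. Assumes the "Inst pkg [old] (new origin)" line shape apt-get
# prints in simulate mode and an origin label containing "security".

# stdin: apt-get -s upgrade output.  stdout: "pkg old new origin" per
# security upgrade ("(new)" as old version for packages not yet installed).
security_updates() {
    awk '
        $1 == "Inst" {
            pkg = $2; old = "(new)"; line = $0
            # "[old-version]" precedes the parenthesised group for installed
            # packages; newer apt may append a trailing "[arch]" after it
            if (match(line, /\[[^]]*\]/) && index(line, "[") < index(line, "(")) {
                old = substr(line, RSTART + 1, RLENGTH - 2)
            }
            # "(new-version origin)": first word is the version, last the origin
            if (match(line, /\([^)]*\)/)) {
                inner = substr(line, RSTART + 1, RLENGTH - 2)
                nf = split(inner, f, " ")
                if (tolower(f[nf]) ~ /security/) print pkg, old, f[1], f[nf]
            }
        }'
}

# Just the package names, one per line, for xargs.
security_update_names() {
    security_updates | awk '{ print $1 }'
}

# Constructed sample of 'apt-get -s upgrade' output on a Feisty desktop:
# two security updates and one from feisty-updates that can wait.
SAMPLE='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  firefox libc6 tar
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst tar [1.16-2] (1.16-2ubuntu0.1 Ubuntu:7.04/feisty-security)
Conf tar (1.16-2ubuntu0.1 Ubuntu:7.04/feisty-security)
Inst firefox [2.0.0.7+1-0ubuntu1] (2.0.0.8+2-0ubuntu0.7.04 Ubuntu:7.04/feisty-security)
Conf firefox (2.0.0.8+2-0ubuntu0.7.04 Ubuntu:7.04/feisty-security)
Inst libc6 [2.5-0ubuntu14] (2.5-0ubuntu14.1 Ubuntu:7.04/feisty-updates)
Conf libc6 (2.5-0ubuntu14.1 Ubuntu:7.04/feisty-updates)'

echo "security updates pending in the constructed sample:"
printf '%s\n' "$SAMPLE" | security_updates

# On a real box (apt-listchanges still shows changelogs and asks first):
#   apt-get -s upgrade | security_update_names | xargs -r sudo apt-get install
```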

UK Law Demands Decryption Keys for Your Data

The UK has a new law that forces criminal suspects to hand over encryption keys or face jail time. The penalty for refusing is up to five years for terrorism-related investigations or up to two years for other types of criminal investigations. I was immediately struck by the futility of this law: people who are criminally innocent but use encryption to protect their privacy will surely acquiesce and have their privacy violated. Hardcore criminals will likely take the guaranteed sentence rather than expose what they have been up to, which in many cases would carry a much stiffer penalty.

Perhaps the real hope is that this law gives law enforcement a bit of leverage when trying to elicit confessions or cooperation. In the end, it will just drive legitimate data encryption services out of the UK (the article notes the law doesn't apply to data outside of or in transit through the UK), or force users to some form of security through obscurity. If they don't know it's encrypted, they can't ask for the keys, right?

The US went through a similar debate in the '90s over key escrow; thankfully it never came to pass. The FBI now realizes it is easier to circumvent the encryption entirely.

Thursday, October 04, 2007

Comments on "Why I’m staying with Debian"

Bruce Byfield has a post up in which he tells us why he is staying with Debian. I tend to agree, Debian is still my favorite Linux distro, primarily for its packaging system. Bruce mentions packaging, but also talks about Debian's repositories and unique community.

There are several comments along the lines of "Well, you could replace 'Debian' with any distribution name, and what you said would still be true". I don't agree - although most of the big distros now have large communities and decent packaging systems (Fedora/Yum, e.g.), they still don't compare to Debian in either respect, nor can you ignore the commercial factor. I don't have to worry about the motives of Debian, they tend to include features that make for happy users and sysadmins first. Red Hat, for example, uses Fedora as a testing ground for RHEL. They are up-front about that, but the motive is still there. I do agree that your perspective matters - if I used nothing but desktop Linux, I would probably choose Ubuntu as a favorite. Debian wins overall in my opinion for making my life as a sysadmin and power-user easy. It's a distribution for generalists.