Essentially, a computer science student was developing an app to help students look at their records for the college when he discovered a security flaw that gavie him access to more information than he should have been able to see. He reported the flaw the college that opened a can of worms resulting in his expulsion. The story reports that the offense was his use of a security tool against the college servers that they regarded as an attack.
Is this justified? He did come forward with his findings and didn't seem to be trying to hide what he was doing from the college. I have personally been guilty of letting my curiosity go a little too far and doing an inadvertent test of my company's security. I was thanked for demonstrating that the security worked and told never to do it again. (It was the first time that I'd ever run a port scanner, nmap.)
Cyber security is a big deal. A quick glance at the IBM Security Solutions list shows a vast array of solutions for various situations. As more and more of our world goes digital and virtual we are much more likely to be victims of cyber crime than physical ones... and those crimes are potentially more impactful. Good security can't rely on obfuscation. You have to be able to know something is there and still not be able to get it. I imagine that those who safeguard the most sensitive information have a number of sleepless nights as the tools available to the average hacker become more sophisticated. Of course, the vast majority of hackers are as Ahmed (the man in our story) claims to be. They are technology enthusiasts who want to see things work well and eliminate mediocrity when they find it. Of course, some of that crowd feels that the lesson needs to be humiliating to be effective, which tends to attract more anger than solutions.
Are any of my readers amateur security sleuths? If you found a vulnerability would you feel comfortable in bringing it forward? Does our current ant-terrorism client create a harsher environment for the good guys?
Today I was reading an interesting Wired article today called "How Joe Biden Accidentally Helped Us All E-Mail in Private". I remember tinkering with PGP during that time and some of the controversy surrounding encryption, especially good encryption. The encryption battle of that time was largely won and we are generally free to make use of it in our lives. Of course, very few people do.
I was demonstrating a network sniffer called WireShark for a buddy a while back. It basically captures whatever packets are passing through the network and allows you to copy them, view them, etc. He was surprised to see that in some cases email was being sent by people in the total clear, with no sort of encryption or anything. In some cases the username and password for thre user's account were easily visible. That's a sobering thing to see, yet people still don't seem concerned about encrypting their information.
There is a lot of talk about The Cloud (cue Arnold Schwarzenegger's voice) and the concern about keeping our information out there because someone might find it and see it. Again... these are clear, unencrypted files and information.
There is already some good, free, open stuff out there to help people increase the security of their information. A lot of it is very easy to use with easy methods for establishing trust and exchanging keys with people you want to see your information while protecting it from the casual mail server admin with nothing better to do than read your stuff as it comes through. (Would they do that? You bet! Those late nights can get lonely and boring.)
Can you make things secure enough so that no one can possibly read it? Probably not. If you are dealing with James Bond sorts of secrets and the high tech espionage centers of the world are focused on you, then they will probably hack you. For the rest of us, we can cut out the casual observer and demand that someone who wants to get into your stuff needs to devote some resources and most likely get a warrant.
Clearly people did not get as excited as I did about the Bossies, the Open Source Software awards, that I wrote about in my last entry. Perhaps it's just not very compelling, or perhaps there is just a general lack of curiosity in such things.
I've had my world shaken and stirred a little with recent events-- in a good way. The first has been my involvement in developing a Knowledge Path for System Z (mainframes) where I have had to dive a little bit into that mysterious world. I remember when I worked at the Texas Lottery Commission and the mainframe guys were "over there". The operators were pretty decent, but the admins were scary dudes.
Picture a scene from an old Clint Eastwood spaghetti western. The sysadmin is dressed in black, with an ornate, but well-used six gun prominently displayed on his hip. I wander up as a wide-eyed kid dressed like Huckleberry Finn. "How do I learn more about the mainframe?" I would ask.
This is met with either a steely-eyed stare as the sysadmin says through clenched teeth "You don't... and pray never have to." He then strides away, the wind whipping his long coat around him, but miraculously having no affect on his hat. Later, there are gunshots.
It has been very nice to come into contact with much less scary people in the mainframe world. People who are excited about mainframes and who reward curiosity, but it is still a precious and rare resource and there are many gateways. It's a shame, because there are many interesting ways in which a mainframe could take the place of a number of computing resources, consolidating them together. Imagine a Bring Your Own Device (BYOD) world where I don't have to worry so much about your device being completely secure because I'm not actually running my software there... I'm providing a central resource and using your device as a fancy terminal. How could that make a difference?
In any case, this is very exciting to me and I'm enjoying the chance to see the outstanding engineering that makes the System Z what it is. It is amazing that people were able to think things through so completely... a vast difference from today's rush to market.
The other thing I am working with is a group of hgh school students in a security contest called CyberPatriot. The idea is to get kids interested in technology to have a greater appreciation for how computer security works. I'm a mentor in the group, drawn in because of my Linux background. (Apparently the team was hit with an Ubuntu image last year and they were very confused by being met with a console prompt and a blinking cursor.) It's been interesting, but so far all of the samples have been Windows-based... forcing me to dust off some of my brain cells, since I haven't really had to administer Windows machines with any seriousness for a while now! (There are advantages to being a long-haired techno-freak.)
One of the things that has intrigued me is the difference between how young people approach technology today and how I remember approaching it in my youth. I suppose that part of working with technology in the Eighties was that you really had to know how to make things work or it didn't. Windows was a ways off yet and the blinking cursor on my Commodore 64 or the school's Apple IIe (or the TRS80s) gave you no comfort, no clues as to what to do next. You really had to know something about the moving parts. Interestingly, many of those parts are still there, but buried within all the menus and icons.
It intrigues me that some of these students, who are clearly clever and interested in technology, seem to be experiencing these moving parts fo the first time. Ports and processes were always a part of my computing world. Some of them seem to be discovering these things for the first time. How is that possible? All of them embrace the knowledge eagerly and they are doing great, but it amazes me that one could learn about technology without developing an understanding about how these things work... especially if you are more of a techie type.
Curiosity is one of our most valuable assets as humans. We have always dug deeper as a species, finding out how things work and new ways to apply what we learn. We take things apart. We invent. We misapply what we know in wonderful ways to create new discoveries. It seems to me that some of this curiosity is waning. We seem to be waiting for experts to tell us what to do. Experts are great, but how do you know if they're right unless you've tried on your own?
I encourage everyone to try to dig a little deeper into technology. Don't let anyone tell you that you don't need to understand something and that it will all be handled by "top men", especially in these BYOD days! What you don't know can be used to exploit you in so may ways. Bad guys use it to steal your information and resources. Employers use it to make you give up your Facebook information and spy on your personal computers and phones. Governments and commerical interest use it to accumulate information about you and game you. I don't mean to be alarmist and I think that much of this is done with good intentions... but you can't defend yourself or make your own decisions unless you engage a little.
Technology is our servant. We should all be able to take advantage of mainframes or keep our email safe from bad guys. Solutions are there for the using, but we have to be curious and we have to not take "No" for an answer. Go do a search right now for a technical topic that you don't but would like to understand. The first two or three things may be way over your head, but you will ifnd something that introduces it to you correctly. (Don't be surprised if some of the better ones are on developerWorks.) Dig, learn, play, ask questions, get answers. You will be amazed at what you can find and do.
On Sunday night, I joined a number of space exploration enthusiasts at a Landing Party to watch the deployment of Curiosity, the newest Mars rover. It was an incredible event. Here is some video of my immediate reaction after the party. Bear in mind that it is very late, I'm out on the street and I'm pretty tired by now. It's raw-gritty reporting that puts you there! I would have had Monday or Tuesday, but I had to fiddle with the video a little... and I was pretty out of it on Monday and not able to multi-task as well as I do on other days.
First, let me congratulate NASA and all involved. It was an inspiring deployment where everything appeared to work perfectly. Watching it in a room full of people who cared was inspiring. Every stage was cheered enthusiastically. It was wonderful to behold.
In the video, I mention a couple of applications. First, was Uniview, which is a commercial application that was used to show us an impressive 3D rendering of our solar system and beyond as the presenter related it all to the Mars mission. However, he also pointed out Partiview, which he said was a similar application, freely available as open source. It's mulitplatform and I am downloading it now. I'll report the results.
I believe that space exploration is important. It drives us to solve problems and gives us places to reach when our own world seems a little inhospitable. Science fiction becomes science fact as people find ways to make their social and technological dreams come true. We will never stop reaching for the stars. If governments decide to get out (which might not be a bad idea on some levels) people will make it happen.
Hacking my DNS
A while back I was feeling frustrated about my home network. Everything just seemed sluggish, but when I would do various speed tests it didn't really seem to be so bad. What was going on? After poking around for a while, I observed that my slow-down seemed to be related to domain name resolution. If you already know about this stuff you can skip the explanation.
Quick explanation of DNS
In a TCP/IP (Transmission Control Protocol/Internet Protocol) network, which is what we use on the Internet, everything is done by the numbers. Ultimately, your network card is wanting to talk to another networks card somewhere else. That's what your MAC (Machine Access Control) address is. It's a unique identifier of your network card. Of course, having an index of all of those devices is cumbersome, so a system of cataloging them was determined. That's where the TCP/IP address comes in, the x.x.x.x number that is assigned to you on a network. However, telling you to visit my web page at 126.96.36.199 is probaby not going to be easy to deal with. So, a concept was devised where names could be given to the various networks and a lookup occur to point you to the final destination. That is known as the DNS (Domain Name System). I'm going pretty quickly here. If you really want to understand you should read more about tcp/ip and DNS, but here's essentially how it works:
You connect to a network. You get your own IP address (x.x.x.x) which points to your network card's MAC address. You usually don't care what your MAC address is unless you are doing some serious troubleshooting. You sometimes need to know your IP address.
You are pointed to a gateway, an IP address which will be the central point of communication for everything coming from your computer.
You are given DNS server which will translate names (like ibm.com) into IP addresses.
When you look up a name, your system will give the name to the DNS and receive the IP address. Then the IP address will be contacted to complete the connection. If you can't look up names, your system may seem like it can't talk to the Internet.
If this name lookup process is slow, it will delay every network connection that you access through a name.
Once I noticed that my name resolution seemed to be a bottleneck, I started digging around. I think that the DNS servers for ISPs are typically pretty overloaded. If I can bypass those, then I can perhaps get a faster lookup and faster networking overall. In Linux, there is a utility called dig. It performs name lookups with some feedback about the process. By default, it will use your network's name server, but you can designate a name server as well. I found a list of public name servers and played with them through dig. You can see some examples below.
Ultimately, I decided that I liked the Google server, 188.8.131.52, because it was easy to remember. All of them provided some improvements. So, I went to my home router and told it to use the Google name servers rather than the default. Voila! All machines connected to my network automatically go to the other servers to look up names. This has made a vast improvement in my networking latency. Isn't that interesting?
If I'm in another network and want to do the same thing, then I can adjust the network settings to include my own choices. That will vary with each operating system. On Linux, I simply edit a file called /etc/resolv.conf. Here's what it looks like:
184.108.40.206 is the secondary server.
What about the phone?
So, after I had done this for a while, I started wondering about the network on my phone. I have a 4G phone, but it just seemed to lose its mind from time to time. Again, the issues seemed to be related to finding things more than connecting to them? Could I do the same thing?
I did some digging, and since Android is based on Linux, there were similar underpinnings. However, these only seemed to work for the WIFI network, not the 4G/3G. Drat! I rooted my phone some time ago, so, I had access to the settings, but I just couldn't find anything useful. Then I found out that there are apps that will help out with this. The one I settled on is "Set DNS" by Steve Hanlon. I tried the free version for a while and then bought the pro version for less than $3. (I like to support independent developers when I can, so I donate to open-source projects and buy pro versions of phone apps that I like.) It has worked exactly as I hoped. Suddenly, some of the sites I had trouble with getting lost started working very efficiently and I have noticed a decided difference in my network stability.
Perhaps later on I'll find the guts for this and be able to do it without a helper app, though I'm satisfied with the solution.
If you are having sluggish access to the Internet, maybe a change to your name server will help. Feel free to post a comment with a question and I'll help if I can.
Computer security fascinates me. I freely admit that I don't have the chops that many do about cracking into or securing syststems, but I do alright for myself... on securing systems, that is. I'm certainly not claiming in any way that I spend time engaged in any activity that could be construed as subversive or illegal... Dang! Awkward...
Of course, this is the situation one gets into when taking an interest in the "dark arts" of computing. People assume that you are claiming to be some sort of criminal mastermind or something when actually you are simply fascinated by the nature of how bad guys do things. Just as someone who likes to watch true crime documentaries on TV is not necessarily using it to plan their weekend, many people interested in "Black Hat" hacking are not looking to lead the next charge of Anonymous. So, it is likely that if you had an interest in attending the recent Black Hat 2012 conference in Las Vegas that it was hard to make a strong connection between that and what you are paid to do. That's OK. Though the event is over, there is a reasonable archive of confernce material on the web site, including papers, presentations and even some source code! (Use at your own risk.) There's not much in the way of video from the site right now, but a YouTube search brings up material-- though most of it is from Black Hat 2012 in Europe. I'm guessing, though, that techniques and vulnerabilities don't change much by crossing the ocean, so you can probably get a lot from them.
I'll keep my eyes open and try to report additional material as I find it.
IP Law Talk
The other day I was reading about a patent license agreement between a major software company and a minor company for an undisclosed amount regarding undisclosed patents. The story was non-news, unless you're into corporate celebrity, but the discussion had some interesting thoughts expressed. At least they tried to be interesting. They ultimately turned into the sort of juvenile brawl that such discussions do because everyone is out to win. The part of the discussion that really caught my attention was why a company might not want to disclose their patents. Since Linux and Open Source software frequently comes under fire for allegedly violating patents this is interesting to me. The conversation is often along these lines:
Patent holding company: The villainous developers of these open-source projects are stealing our IP and violating our patents and they must pay.
open source developers: Uhhh... we don't think we are.
Patent holding company: Oh, yes you are. In fact we have been striking numerous deals with people who agree that this is a violation.
open source developers: Wow, you really do seem to be making deals with people. Maybe there is something to this. What patents are we violating so that we can fix that?
Crickets: (chirp) (chirp) (chirp)
OK... that wasn't completely fair and read more like a Dilbert cartoon, but I hope you see the fun side of it. It seems to me that if my goal was to prevent people from infringing on my intellectual property that I would want to proclaim loudly and strongly what was being stolen from me so they could and would cease and desist. That doesn't seem to be the way that it works out for some reason. There are non-disclosure agreements (NDAs), behind-the scenes business, announcements that are simultaneously widespread and secretive. It can be very confusing.
Well, it turns out that a new community has formed on trying to understand and relate to Intellectual Property Law. It's your chance to ask your questions and voice your own experiences with people who deal with this every day. It's called IP Law Talk, and should be a fascinating place. I wonder if they know about this weird patent slide show.
Has the Command Line outstayed its welcome?
This is the question asked by a Linux Insider story. I'm going to apologize for being a little prejudiced here, but I just don't understand someone who is technical who wants to do everything with a mouse. Even when I'm supporting Windows I will jump into the command line to get information because I can get information faster by typing "ipconfig /all" than I can browsing around with the mouse. I use icon-based launchers and I find them very handy. I recently talked about how I use them to keep my Firefox identities clear. However, there are some things that I can just flat do more efficiently using the command line. I can then combine those things into a script which I can place under an icon if I so desire. Macro recordings of mouse movements just don't seem to have the same capabilities.
I know that many people get nervous about the command line. They don't type well. They don't have the commands memorized. It can be frustrating until you get used to it. But there is a heavy price for a graphical interface in system resources which could and should be used for other things if the interface is only rarely required.
I hope that you aren't afraid of the command line. If you'd like to explore it in Linux there's a nice tutorial as part of our Learn Linux 101 series. Windows folks can look at this site. You don't have to use it all the time (though I admit that I do). It's nice to have it around, though for when the other tools aren't working. As an example, when I've had some program take over my graphical interface, it's nice to be able to switch to a command session to see what's happening and kill the offending processes. I've been able to use ssh from my phone to connect to my laptop when the keyboard wasn't responding and fix things without having to reboot. Is that geeky? You bet! But that skill comes in handy when you're dealing with bigger problems.
There has been some controversy about comments by Valve co-founder, Gabe Newell, calling Windows 8 a "catastrophe" and saying that Linux was part of Valve's future strategy. (Don't take my word for it. See the story by the BBC.) I admit that I haven't had as much time for games for a while, and when I do I am more likely to want to play a "human contact" game with dice and faces rather than having more computer time. However, it's no secret that Linux has been woefully thin in the gaming area. This is ironic, because I think that the tools and libraries available to Linux could make it an outstanding platform for media and gaming. It's just not where game creators focus.
Perhaps something like the Steam platform working more with Linux will make a difference. Of course, this is a future play. Steam has announced enthusiasm but not a release for Linux. It could get pretty interesting, though. While browsing through the gaming world I found that Steam is looking to Linux. Another site, Good Old Games, does not support Linux now, but might respond to interest, especially if it works well for Steam.
I did find a site, Desura, which already supports Linux. I downloaded a few of their free games to test and just might go for some of the paid titles as well. As entertainment becomes more network and browser based the native platform should matter less and less. I'm intersted to see what has happened. If anyone is already using Desura and knows games I should check out, let me know!
Yesterday I got a little frustrated at being tool bound. Today I'm
getting my article set up in an external editor so I shouldn't have any
I wanted to comment a little on the article I mentioned yesterday, "Government and library open data using Creative Commons tools".
To me openness in data is very important when it comes to organizations
and government. If you are running a business and you want to use
proprietary data formats with proprietary software to hold your data,
that's fine. That's entirely up to you. It's yourmy
data. I should not be required to purchase any special software or
worry about what happens if a company goes out of business, or simply
changes their mind as to what they want to be doing. (Have you seen
anyone with their information trapped in an old Foxpro application,
written by "some guy" who is no longer available? It's tragic!) I
think it is excellent that governments are starting to explore tooling
and making data more easily available. After all, we pay for all of
these things with our taxes. We should be able to leverage this
information for our own purposes. Can you imagine the amazing data
mashups that will happen over time? I can't wait to see where it all
I try to take the same attitude about data when I'm in some sort of
organization or club. I've seen too many situations where some
talented person with fantastic software connections swoops in and does
all kinds of great work for a club, then moves on. No one else has the
skills (or the licenses) for these great products and the whole thing
deteriorates and eventually has to be started from scratch by the next
volunteer. I try to get people into collaborative software so that
information is available to everyone who needs it and can be kept
up-to-date rather than trying to figure out which combination of people
has the most current data. I usually use Google Docs because anyone
can access it and most people already know it. However, it's not the
only way. I feel the same way about web sites and databases. Keep the
technologies simple and open and when your superstar steps away someone
can come in and pick up where he left off. All it takes is some
commitment and willingness to learn. Cost is not a barrier.
Speaking of organizations and coding, we have a great article this
week by Uche Ogbuji on developerWorks this week! He's talking about
how to use GitHub to help your group collaborate on projects. Of
course, these kinds of things work with things besides code. I've
often thought about applying this sort of document management to some
of my editorial work. Maybe this article will help me kick it off.
I've mentioned before how much I love repurposing equipment. It's
one of the things that got me interested in open-source in the first
place. I could take older equipment and breathe new life into it, or
discover new capability. It's fun if you like to tinker and it can
make you incredibly resourceful.
Some time back I reflashed my Internet router with DD-WRT. You can relive that in my entry, "My freak router".
I've continued to run this with great success. This week, Carla
Schroder gives you step-by-step information on taking your own modest
Internet router and unleashing its capabilities to give you more
control and security. Check out "Add Linux power to wireless routers with advanced tips and tricks for DD-WRT".
Let me know what you do with it. Also let me know if you know of other
projects like this that deserve some light. I try to keep up with
them, but I don't get to explore them all.
Coming soon, I'll be doing some more video work. Interesting stuff
a-comin'. Chroma-key, compositing, CGI, sound sync and cleanup... all
with free, open-source software on Linux.
Today I got this article, "Spoiler alert: Your TV will be hacked". Essentially the author reminds us that as our televisions become Internet devices that they are prone to the same sorts of attacks that any computer could suffer. It's not just televisions, either. All so-called "smart devices" are basically computers and need the same sort of care.
In the author's case they were doing some white-hat hacking to see if they could exploit a television set-top box. The box was likely running a variety of Linux and did not give them many opportunities, but then they found a web server. The manufacturer had chosen an old open-source application which had been abandoned several years ago. There had been no patching of this application and at was vulnerable to several attacks. They were able to root the box and controlled the entire system.
In general, an exploit has to either be run by a user, like Trojan Horse sort of application, or it needs to be able to interact with running software that can be forced to misbehave due to flaws brought about by the humanity of its creators. In an embedded device it is unlikely that you will be running strange software, though as games and little plugins become more available for these things one needs to be careful about the pedigree of anything you add. The vulnerability of the embedded applications is more complicated. As a user you can choose not to install weird stuff on your device. You can't control the choices that the manufacturer made.
Think about the scenario in the article. The set-top box had a web server. Why? Perhaps this was a method to allow the cable company to interact with the system for updates and such. I don't know. If it wasn't critical to the function of the system it should have been removed. When something moves from development into prototyping and production any bloat fromt he operating system should be removed. Anything that is not required for function is a potential exploit. We may not know what it is at the time of production, but if it's discovered later then your system is vulnerable, all because of something that you didn't even need.
The second, more damning thing is this open-source web server. I don't have a problem with it being an open-source project. Obviously I encourage that sort of thing. The thing I found troubling was the fact that it was an obscure project that had been abandoned several years ago. Wow! Really? Perhaps it was an active project when development began and was abandoned later. If that was the case, then the manufacturer should have replaced that project with something that was more current. Everything will become vulnerable over time as exploitation technology develops. If it can't be updated it must be replaced or else its a lurking vulnerability.
I guess that brings me to my last thought on this. As all of our devices become "smart", there needs to be a solid way to update them regularly. Updating firmware should just be a part of our lifestyle. Of course, that capability adds another vulnerability in that if someone can hack the updating mechanism they can install their own software. As consumers we need to develop awareness of this sort of thing and be able to manage devices just like we check to make sure our doors and windows are locked. We need to not be annoyed by these things when they are necessary and look at them as a part of owning the device. At the same time, developers and manufacturers need to not shield their consumers from this necessity. I know that the prevailing wisdom is that consumers are lazy and not to bright... but I think that if they are trained on the importance of maintenance and the procedures are straight-forward then it will all work out fine.
Of course, if devices had more openness to them in general it would make it easier for white hats to come up with ways to protect them... but that's a whole other discussion.
One of the benefits of rooting an android phone is that you can install custom ROMs. On my Motorola Droid I ran CyanogenMod and enjoyed it very much. It added a number of features that I liked, such as allowing me to blacklist SPAM calls I would get through my phone.
Unfortunately, CyanogenMod is not yet available for the Droid Bionic. So, I tried Liberty. However, before I installed a ROM I took some sage advice and installed the Safestrap program on the phone first. Safestrap creates a recoverable state on the phone so that when I do very bad things (and I have) that I can go back to a known state on the phone. So far I have put my phone in a mode that made my blood chill a couple of times and was still able to recover by simply rebooting into Safestrap and toggling the safe mode. Very nice. If you like to do dangerous things with your phone and risk hundreds of dollars worth of investment, I highly recommend Safestrap.
(Why are some of us made so curious?)
I don't know what started me on this process, but somehow I got curious about doing custom URL shorteners. After a little searching, I found out that bit.ly offers custom domains as a part of their free service. How sweet is that?!
Get a domain that works for you. There are a number of interesting options there, some of which are pricier than others. Through Godaddy, the .de (Germany) domain costs me about $17.99 per year. Ah, well. It's less than a vanity license plate. I was going to use osdud.de, but it seems to belong to a German dart association. OK, I'll make them a little longer for the branding.
Once you have your domain, go to your bit.ly account and look at the account settings (Figure 1).
Figure 1. bit.ly account settings
There's a section that lets you add a Custom Short Domain. (Figure 2)
Figure 2. Custom domain settings
If you modify those settings it will let you enter your own domain name. Upon entry, you'll be told what IP address to put into your domain record to direct it to the bit.ly servers.
That's it. Once you've done that and domain servers have updated then you will be able to talk to bit.ly through your own domain name, e.g. cmwosdu.de. From there, any link you create with that account will have your custom domain.
Want to see it in action? Read the next bit.
Microsoft is the King of Linux
This is probably old news to some of you by now but I ran across this article: cmwosdu.de/HCfD6F (See the URL!?)
According to the article, in the recent round of statistics: "Microsoft contributed 688 changes, or about 1% of the accepted changes to the kernel since 2.6.36." That doesn't sound like much, but it's not too shabby, especially compared to the number some might expect, which is 0. The changes appear to largely deal with virtualization. Quoting again from the article:
"Much of the work Microsoft did centers around providing drivers for its own Hyper-V virtualization technology. Microsoft's Hyper-V, part of Windows Server, can run Linux as a guest OS. Linux kernel developer and LWN.net editor Jon Corbet, a co-author of the study, estimates that Microsoft's involvement peaked around last year's 3.0 release of Linux and will diminish over time."
So, the additions are largely in support of running Linux in a virtual environment with Windows as the host. Ah, well. I suppose that's not shocking. However, it does show that Microsoft has decided that Linux is not going away and that they need to accommodate it in some way if they are going to meet customer demand.
Personally, I don't miss Windows. I've been happy in a Linux environment for about ten years or more now.
It looks like I'm going to be spending some time with Blender here pretty soon. It's an open-source 3D modeling and animation application that has grown to include some pretty sophisticated video compositing. For an example of what that means, look at this demo real by Pablo Vasquez.
I probably won't be doing anything that cool. I need a number of years worth of artistic development (and maybe a genetic infusion of artistic talent) to do anything like that. However, I can probably cobble together some flying logos and such and maybe a few interesting video effects. If anything comes of it, I'll share.
I read an interesting article today: Hackers aren't as sneaky as you think.
Ah! The good old days. I grew up on the hacker culture. I remember
the inspiration of the movie War Games and the almost romantic vision
of young, smart people getting past the system and into the secret
world of government and big business. Of course, the truth underneath
was a little less glorious. Cracking computer security is now much
more about vandalism and identity theft. Yet, that early curiosity
gave me an awareness of computer security and steps that could be taken
to protect one's self. Most computer crime is result of sloppiness on
someone's part. It could be the system administrator who's not a big
fan of browsing logs and running patches. There's not too much that
you can do about that. However, you can do things about your own
I've thought about a few ways that I do to keep
safe, and they're not too hard to do. Yes, you have to make some
changes to your behavior, and you will have to learn a few things, but
it's not any more difficult than the things that you have learned to
keep yourself safe on the motorway. I'm sure that some will argue with
a few of my conclusions, but at least they'll be thinking about it!
Start with a safe vehicle
I quit using Windows. I know that not everyone will do this, but I
simply had repeated problems with viruses (should that be virii?) and
other issues that I just could not keep a handle on. When I discovered
Linux and started making it work for me all of those issues went away.
I have had zero virus infections. I also got a lot more information
through logs as to what people were trying to do to attack my system
and came up with ways to complicate that. I think of it this way...
when driving on a dangerous highway, which would you rather have
between you and the idiots: a Pinto or a Volvo? If you decide that you
must stay with Windows, then
make sure that you have all of the safety features installed. You
should have firewalls, virus scanners, spyware scanners and make sure
that they are always up-to-date.
Maintain your vehicle
It's great to have a solid vehicle, but if you don't keep it running
smoothly then it will cease to be reliable. The most critical thing is
to keep your patches and software up-to-date. Elderly software tends
to be behind the times on security issues. If cost is what is
preventing you from staying current, then you really should consider
finding a freely available solution. The Open Source World provides a
good number of solutions that you should consider. If cost is not what
is holding you back, then set up a regular procedure for making you are
up-to-date. Many software packages have ways to automatically check
for updates. Turn this on.
Pay attention to how your computer is running. A slow computer may
mean that you're just overloading it with software and outgrowing the
system. It may also mean that your computer may be doing a lot of work
on behalf of a SPAM-bot or something else. If nothing has changed on
your computer, no major software changes or changes to how you are
using it, then it is not normal for your computer to suddenly start
running more slowly. If you were driving on a straightaway and your
car suddenly started losing acceleration you would be concerned.
Computers are the same. When you see signs of problems, check them out.
Keep a look out
A while back I got SPAM from my sister's email address. I wrote to
let her know that I had gotten it. Generally if SPAM comes from
someone and it's a random mix of email addresses (usually alphabetical)
then it's just someone spoofing that email address. The SPAM did not
actually come from your friend's computer. However, if the SPAM was
sent to people from their address book, then you are likely dealing
with something that is more of an attack. The computer needs to be
checked out. Don't ignore it when something suspicious happens. Tell
the people who need to know. They can't do anything about it if they
Accept that security may require some inconvenience
Yes, it's nice to be able to turn on your computer and get to work. But that also means that anyone
can turn on your computer and get to work. Are you sure that the kids
aren't on there when you're not around doing things that they aren't
supposed to? How about your spouse or your roommate. If you keep
something on a computer that you would not leave laying around for
people to read at a party then you should probably close the door on
your computer with a password. It's not just your personal
information, either. Maybe you have nothing to hide, but what if this
other person goes poking around in places that they shouldn't. They
see the warning that says "Are you sure that you want to activate this
malicious program that will steal your identity?" and they click "OK"
because they just want to get to the video.
If you'r going to have a password it should be a good one. When I
was working as a system tech supporting a company I was called to do
some work on a workstation in the security department. She had left,
even though she knew that I was coming and her screen was locked--
which was good. She had a Corn Huskers football plush sitting on top
of her monitor and a few other Huskers things laying around. I took a
guess and typed "huskers" and I was in! I left her a note telling her
that it was pretty easy to guess and she made it more secure. The best
passwords are phrases with numbers and letters. Abbreviations that
only you would know are good too. "H0w much is that doggie in the
wind0w?" would be a pretty difficult password to guess. Names of
family, birth dates, etc are terrible password. Take a line from your
favorite song in High School. Many security requirements demand that
you change your password regularly, but once you find a way to pick
things you can remember you will find it easier to change and maintain.
There are many ways now to encrypt information. Encryption turns
things into secret code so that no one else can read it. You can do
this with emails (and most people should) so that email to you can only
be read by you. You can also do it with file systems, so that you have
a section of drive that requires a password to access what's in there.
Encryption is a larger subject than I'm prepared to cover here, but you
should take a look at what can be done with the Gnu Privacy Guard,
which is free and powerful encryption software. You can hook this
functionality automatically into your applications and make encryption
easy to deal with.
Is that it?
There is a lot more ground to cover to keep yourself from being
cracked, but these things right here will make a dramatic difference in
your vulnerability. If there is more interest in this topic,
especially about specific practices or solutions I'd love to write more
about it. Shoot me a note and we'll try to cover more detail. If it's
enough conversation it might be worth a group on My developerWorks to
help everyone participate in the conversation.