Practical Technology

for practical people.

July 20, 2010
by sjvn01
0 comments

What does Oracle plan for Sun’s open-source projects?

I get that Oracle runs on open-source software. I know that Oracle is a major Linux supporter. But, please, please don't mistake Oracle for an open-source, open-core, or any other kind of “open” business at heart. Larry Ellison, Oracle’s CEO, is all about making billions of dollars. There’s nothing wrong with that. That’s what all businesses are about. But, to Ellison, open source is just the means to that end and nothing else. If a program doesn’t fit into his plan, it’s not going to get supported.

So, while Oracle recently put up a page listing its native open-source projects and the ones that it inherited from Sun, don’t think for a minute that all those programs are actually going to be supported. They’re not.

The good people trying to keep OpenSolaris going already know that. OpenSolaris, as a standalone operating system distribution, is on its way out. I was wrong, by the way, when I said that OpenSolaris was under the GPLv3. That had been the plan, but it never happened. Instead OpenSolaris is still under the old Sun CDDL (Common Development and Distribution License). 

What that means is that when I said it would be possible to fork OpenSolaris, I was right. But you’ll need to master the OpenSolaris kernel, a mere few million lines of code. Good luck with that. The only top OpenSolaris kernel engineers work for Oracle, and Oracle is not going to permit them to write an open-source competitor to Solaris. And more than that, there are still closed parts you’ll need to replace.

Oracle has decided to let OpenSolaris die by benign neglect. It’s also the policy they’re using with other Sun open-source projects. After the company acquired Sun, I predicted that Oracle would do this to projects like NetBeans, the IDE (integrated development environment) that competes with Oracle’s own IDE of choice, Eclipse. I’m now being told at OSCON in Portland, OR, by people close to Sun and Oracle that that’s exactly what’s happening.

Oracle isn’t actively killing any of these projects. Instead, they’re simply no longer funding them or assigning staffers to them. So, for example, there may still be servers devoted to one project or another, but there’s no longer anyone who can give any outside developers permission to commit changes to the projects hosted on those servers.

Some projects are getting support. The ones that will continue on, according to my sources, appear to be OpenOffice, MySQL, and VirtualBox. That’s it. But, if you’re not an Oracle programmer assigned to one of these projects you may find it very hard indeed to get involved. The code is indeed open-source, but Oracle prefers developers who work on its open-source projects to also be Oracle employees.

There’s a reason why so many leading open-source lights from Sun, such as Java’s creator James Gosling, XML co-inventor Tim Bray, and Simon Phipps, Sun’s chief open source officer, left Sun after the Oracle acquisition. They knew they had no home at Oracle. Neither do most of Sun’s open-source projects now.

A version of this story first appeared in ComputerWorld.

July 20, 2010
by sjvn01
0 comments

Wi-Fi Convenient, but Dangerous

With the advent of standardized 802.11n Wi-Fi, it’s easier than ever to expand your business network wirelessly, but that may not always be a smart idea.

I’m sitting outside an office building in Portland, Oregon. The building has at least half a dozen businesses with about 40 Wi-Fi access points (APs). In the hour I’ve been sitting here, I’ve broken into 28 of these corporate networks.

While I certainly know more about networking than most people do, I’ve no special expertise. I’m no hacker. I’m just making use of a good network packet analyzer, Wireshark (formerly known as Ethereal) and several common-as-dirt, dead simple to use cracking tools.

The simple truth is that, given a few days and publicly available programs, any wireless network can be broken. Sadly, as I just rediscovered today, most Wi-Fi networks don’t require that much trouble. Heck, it barely requires any effort at all.

Indeed, two of the businesses (downtown businesses, mind you, not Harry’s Home Network) didn’t have any security on their APs. Sigh. Leaving an open AP isn’t just a matter of letting other people share your bandwidth. It’s also an open door into your network. Another three were even worse: They used the default passwords for their wireless routers and APs. As for the rest, most were little more trouble to unlock.

That’s because most Wi-Fi security protocols are pathetically easy to break. For example, it’s a good bet that every Wi-Fi device your company has supports Wired Equivalent Privacy (WEP). And many of you, including ten of the companies I just “visited,” use WEP for security.

It’s just too bad that WEP was broken, for all practical purposes, back in 2001. WEP stops someone with no clue about Wi-Fi networking security, but those are the only people that it will stop. However, every vendor still includes WEP as part of their laundry list of supported protocols; some reputable sources, like Consumer Reports, as recently as 2009 recommended WEP’s use. Consumer Reports subsequently corrected its mistake, but alas its “better” recommendation, WPA (Wi-Fi Protected Access), is also pretty easy to crack.

WPA, with its baked-in security protocol, Temporal Key Integrity Protocol (TKIP), was broken more recently. It takes more of an effort to break than WEP does, but it’s also useless against any determined attacker. If someone wants to be fancy about it, he can try cracking your WPA using either a vulnerability in Quality of Service (QoS) or a man-in-the-middle attack.

Practically speaking, I, and anyone else who wants to jump into your network, probably don’t need to bother with these methods. Instead, they’ll use rainbow tables, precomputed lists built from the most common WPA passwords. That’s because your SSID (the broadcast name of your Wi-Fi access point) is used as part of the key. Thus, chances are you’ve already given any would-be hacker part of the key. They then use the rainbow table to look through likely passwords until they find one.

How successful is this technique? With a 2.2GHz processor and an 8GB rainbow library, I broke into 15 WPA “protected” networks. Mind you, I didn’t have to do any work; I used a common program that automated the process and set it to work. Had I more time, I have no doubt I would have cracked the other WPA networks. There’s even a service, WPA Cracker, to do it for you!

Perhaps you imagine that WPA2, the most advanced standardized Wi-Fi security protocol out there, would be immune. You’d be wrong. You see WPA2 has two security standards: TKIP and the jaw-breaking Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), also known as Advanced Encryption Standard (AES).

It’s more trouble to break WPA2 with CCMP, but thanks to those rainbow tables, it can be done on any ordinary laptop computer. Such as mine, which managed to bust into one WPA2/TKIP network. In 2011, both WEP and TKIP-based security will no longer be supported by the Wi-Fi Alliance. But, of course, millions of legacy devices, including any that you buy this year, will still include them.

So, what you really want is WPA2 with AES. Unfortunately, a lot of older equipment and operating systems don’t support it. For example, Windows 2000 and Windows XP SP2 systems cannot support this protocol natively. If for some reason you just won’t move to Windows XP SP3, you can add WPA2-AES support to Windows XP SP2 with the Windows KB893357 hotfix. Note that this is not a patch. Even if your system techs were keeping Windows XP SP2 up to date before Microsoft pulled the plug on Windows XP SP2 support, you still won’t be able to use WPA2-AES unless they deployed that hotfix.

OK, let’s say you are using WPA2. You probably know that it comes in two versions: Personal and Enterprise. With the Personal version there is a single universal password, the so-called Pre-Shared Key (PSK), for everyone. With the Enterprise version, each Wi-Fi network user gets his or her own password.

As you might guess, the Personal version, even with AES, is more dangerous to use than the Enterprise one. But both can be broken. As long as your network is constantly sending and receiving packets over the air, anyone can snatch them and try to brute-force their way into the network. If you were using a really long, random password, say 20 characters, you’d be “relatively” safe. But how many of us would really use 20-character passwords like sfds*&10wiJMdis12rt?

The other networks I visited were all “protected” by WPA2-Personal with a really easy to guess password. In one case, the password was the same as the SSID. In the other, it was the name of the company. Great security there, guys. Just great.
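The two points above, that the SSID is baked into the WPA/WPA2-Personal key (which is why precomputed tables keyed on common SSIDs work) and that a 20-character random passphrase is the practical defense, as an added Python example that is not part of the original column. It derives the Pairwise Master Key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), shows that a table built for one SSID is useless against another, generates a strong PSK, and audits a PSK for the weaknesses found in the article (PSK equal to the SSID or company name, or too short). The SSIDs and company name in the demo are constructed sample values.

```python
import hashlib
import math
import secrets
import string

# Alphabet for generated passphrases: letters, digits and a few safe symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-Personal as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a precomputed PMK table only matches that exact SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def table_reusable(ssid_a: str, ssid_b: str, passphrase: str) -> bool:
    """True only if a PMK precomputed for ssid_a is also valid for ssid_b."""
    return wpa2_pmk(passphrase, ssid_a) == wpa2_pmk(passphrase, ssid_b)


def generate_passphrase(length: int = 20) -> str:
    """Random PSK of the given length, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)


def audit_psk(passphrase: str, ssid: str, company: str) -> list:
    """Flag the weaknesses the article found: PSK equal to the SSID or to the
    company name (ignoring case and spaces), or shorter than 20 characters."""
    def norm(s: str) -> str:
        return "".join(s.lower().split())
    findings = []
    if norm(passphrase) == norm(ssid):
        findings.append("passphrase is the SSID")
    if norm(passphrase) == norm(company):
        findings.append("passphrase is the company name")
    if len(passphrase) < 20:
        findings.append("passphrase shorter than 20 characters")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real networks. "password"/"IEEE" is the
    # published 802.11i Annex H test vector for the PMK derivation.
    print("PMK:", wpa2_pmk("password", "IEEE").hex())
    print("table for 'linksys' reusable on 'Acme-7f3a'?",
          table_reusable("linksys", "Acme-7f3a", "password"))
    strong = generate_passphrase()
    print(strong, f"~{entropy_bits(len(strong)):.0f} bits")
    print(audit_psk("AcmeCorp", "AcmeCorp", "Acme Corp"))
```

Renaming the SSID to something unique invalidates every table built for the old name, but only a long random PSK stops a live dictionary attack on the captured handshake.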

Of course, you could just let the machine remember the password rather than try, and fail, to get people to remember it. That will fail, of course, if anyone with malicious intent ever steals a PC.

Here’s the simple truth. People being people, your Wi-Fi security will be broken. It’s just a matter of time. That being the case, if you’ve got information on your network that you really don’t want anyone getting into, consider making it available only over wired networks. Yes, you can get into those too, but the skill sets needed to break into a building are entirely different from, and a lot harder to find than, those needed to break into a wireless network.


A version of this story first appeared in IT Expert Voice.

July 19, 2010
by sjvn01
0 comments

Linux First Steps

Every now and again someone writes me and asks me “What’s the best way for me to get started in Linux?” Over the years, I’ve answered in several different ways, but here’s the summarization of my thoughts.

First, most of the people who write me aren’t interested in the fine details of Linux. They are just sick and tired to death of Windows’ endless security problems or its costs. Indeed, most of them aren’t that interested in learning Linux. They just want a cheap operating system that will let them read e-mail, browse the Web, and run some office applications without worrying about malware.

So, here’s what I tell people who just want a good, working PC, and couldn’t care less about the specific differences between “free software” and “open source” or how KDE 4.4 compares to GNOME 2.30.


July 19, 2010
by sjvn01
0 comments

Five Important Video Formats You Must Know

There are hundreds of Internet video formats, but fortunately for you, you can ignore most of them.

It’s all too easy to get tangled up in the seemingly endless number of video formats on the Web. Fortunately for all of us, there are only a handful that you’re likely to need to view or use.

There are several reasons why there are so darn many of them. Number one on my list is the sheer number of possible displays and the standards that come with them. To take just one example you might think that all standard definition TVs are the same. You’d be wrong.

Even something as simple as frame rate, the number of images per second, comes with four different standards. There is PAL (Phase Alternating Line), which is used in the UK and most of Europe, Asia, and Australia, and SECAM (Séquentiel couleur à mémoire), which is used in France and Francophone Africa, both of which require 25 frames per second. Then there is NTSC (National Television System Committee), which is used in most of the Americas and Japan and demands 29.97 frames. But at the same time, film is shot at the slower still frame rate of 24 images per second.

On top of that, video displays can also be interlaced or progressive. With interlacing, which is used in ordinary OTA (over the air) U.S. television, the horizontal scan lines of every frame are split into a pair of fields and the broadcast alternately refreshes one set of lines, then the other. With progressive, all the scan lines are updated every time. The advantage of interlaced is that you can squeeze video into a narrower frequency band, while with progressive you get a sharper picture with fewer artifacts.

Oh, and did I mention that the number of those horizontal scan lines varies from standard to standard? Your old analog TV in the U.S. displays 480 lines of interlaced video, or 480i. A television of the same vintage in the UK would show the same episode of Rocky and Bullwinkle in 576i.

But enough of that. I’m not even going to touch on resolution, data compression, and all the other things that make working with video across platforms and devices such a complicated mess. For practical purposes, if you’re technically minded and want to do more with video, look to FFmpeg. If all you want to do is convert one common video format to another, then what you want is HandBrake.

That said, let’s say you want to view videos, what are the formats you’re going to need to deal with?


July 19, 2010
by sjvn01
0 comments

Can Windows kill the Internet?

I’ve long thought that someday Windows security problems could end up fouling up the Internet for everyone. That day may be arriving.

That’s not just me being paranoid about Windows. That’s the ISC (Internet Storm Center), the group that tracks the overall health of the Internet, wondering whether the newly discovered “LNK” exploit might be used to slam the brakes on the Internet’s high-speed traffic.

According to Lenny Zeltser, an ISC security consultant, the ISC has “decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation. Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools’ ability to detect generic versions of the exploit have not been very effective so far.”

The LNK vulnerability is an obnoxious little security hole that’s present in all versions of Windows from Windows 2000 on up. There are now numerous attack programs that can use a malicious shortcut file, identified by the “.lnk” extension, to automatically run malware. All a user has to do is view the contents of a folder containing the infected shortcut, and, ta-da, the program is wreaking havoc.


July 16, 2010
by sjvn01
0 comments

RIP OpenSolaris

Goodbye, OpenSolaris. It’s been fun knowing you. Unfortunately for you, it’s become all too clear that your new parent company, Oracle, doesn’t want a thing to do with you.

I predicted that Oracle, which is a Linux company, was going to let OpenSolaris die from neglect, but most people disagreed with me. Folks insisted that Solaris was better than Linux and that Oracle would never let OpenSolaris die.

Sorry, folks. I may not be right a lot of the time, but I was right on this one. By April of this year, the OpenSolaris Governing Board had seen the handwriting on the wall. Or, to be more exact, they saw that Oracle wasn’t even giving them the time of day.

Now, since Oracle has continued to ignore them, some members of the OpenSolaris Governing Board (OGB) are demanding that Oracle at least appoint a liaison to OpenSolaris’ leadership by Aug. 16, or they’ll disband the board.

I bet that “threat” has Oracle shaking in its boots. Oracle wants nothing more than for OpenSolaris to vanish from the landscape. According to the OGB’s minutes, Jeb Dasteel, Oracle Senior VP and Chief Customer Officer, who never showed up for the meeting, is reputed to have indicated that “The bottom line is that Oracle don’t have any information to pass on and that they’d like us to wait a couple of months before we make any moves to disband.”

I would have just killed the organization then and there myself — an option that was considered. Instead, the OGB has decided, rather forlornly, to give Oracle more time to ignore them before pulling the plug. As Simon Phipps, formerly Sun’s Chief Open Source Officer and member of the OGB, points out: “It became obvious to the OGB quite some time ago that Oracle is not interested in the sort of OpenSolaris open source community that the [OpenSolaris] Charter envisages.”

Exactly. It’s over. OpenSolaris’ only real future is as a fork, which would not be easy to pull off. Still, with enough interest from developers it could be done.

I’ve always had serious doubts about OpenSolaris’ future. By the time the “supported” version appeared in 2008, Linux wasn’t just established; it was already chasing Solaris, OpenSolaris’ commercial big brother, out of server rooms. And that was with Sun’s support.

Looking ahead, I doubt very much that OpenSolaris could be anything other than what it is already: a niche operating system. Yes, I know the arguments for why OpenSolaris is better than Linux. I also know the market hasn’t cared. In addition, for every OpenSolaris developer, there are probably two dozen Linux developers. On the commercial front, Red Hat and IBM have just launched a new campaign to get people to move to Linux from OpenSolaris and Solaris entitled, “Where will you be when the Sun burns out?” Ouch!

OpenSolaris’ future was bleak even if Oracle had cared to support it. Without Oracle, the question for the OpenSolaris community now is where they will go next. I fear it will drop from being a niche operating system to first being an operating system just for hobbyists and then to the computer graveyard with the likes of OS/2. That’s a pity, since there really were great ideas in it and top-notch developers working on it. But, I see nothing else for it. Do you?

A version of this story first appeared in ComputerWorld.