Practical Technology

for practical people.

May 4, 2005
by sjvn01

Linux Lasts Longer

The Honeypot Project has added fuel to the debate over which is more secure, Linux or Microsoft Windows. It found that unpatched Linux systems can be on the Internet for months before being successfully attacked, while Windows systems have been compromised in hours.

The international nonprofit security organization—with members from security companies like Foundstone Inc., Counterpane Internet Security Inc., and SecurityFocus—did not set out to show that Linux is more secure than Windows. Instead, noting a decline in “successful random attacks against Linux-based systems,” the group set out to ask the question, “Why is no one hacking Linux anymore?”

To explore this question, Honeypot Project members set up 12 “honeynets.” A honeynet consists of two or more “honeypots,” systems designed not to do any real work. Instead, their sole purpose is to detect and track any interactions with them, since any such interaction can be assumed to be a probe, scan, or attack. The honeynets were deployed in eight countries (the United States, India, the United Kingdom, Pakistan, Greece, Portugal, Brazil, and Germany) and consisted of a variety of systems accessible from anywhere on the Internet. Data was collected mostly during the latter half of 2004.

The study deployed a total of 24 unpatched Unix honeypots, of which 19 were Linux, primarily Red Hat. (Specifically, there were nine Red Hat 9.0, five Red Hat 7.3, two Fedora Core 1 and one each of Red Hat 7.2, SUSE 7.2, and SUSE 6.3 installations.) The other five systems comprised two running Solaris SPARC 8, two with Solaris SPARC 9, and one with FreeBSD 4.4.

These honeypots were set up as servers with default settings and typical services such as HTTPS (Secure HTTP), FTP, and SMB (Server Message Block), with host-based firewalls that allowed inbound connections to these services. To make the systems more like those found in the real world, insecure or easily guessed passwords were used on several of them.

The honeynets were deliberately set up to be not especially attractive—they were primarily home or small-business networks. Moreover, they were not registered in the DNS or in search engines, so that if the systems were found, it would be by “primarily random or automated means.”

Of the systems, only four Linux (three RH 7.3 and one RH 9.0) and three Solaris honeypots were compromised. Two of the Linux systems were compromised by brute password guessing, not by a specific vulnerability.

The organization did note that these systems were not well known, and that more attractive targets, such as company Web servers, potentially had a shorter life expectancy. But the longevity of the Linux systems in the study “is all the more surprising when compared to vulnerable Windows systems. Data from the Symantec DeepSight Threat Management System indicates a vulnerable Win32 system has life expectancy not measured in months, but merely hours.”

Why the dramatic difference in life expectancy between Linux and Windows systems? The Honeypot Project suggests a number of possible explanations. One is that Linux distributions have become harder to compromise because newer versions have more secure defaults with fewer services enabled, are automatically running firewalls, and so on. Further, no matter which operating system is more secure, the huge installed base of Windows users means those systems are likely to be targeted more often. Still, knowing that it will be months rather than minutes before someone tries to break into our systems is little comfort to us. We believe you should choose the OS that suits your needs, and fortify it to withstand the attacks that will undoubtedly come.

A version of this story was first published in PC Magazine.

April 22, 2005
by sjvn01

Torvalds Gives Inside Skinny on Git

Linus Torvalds didn't want to change software configuration management tools; however, business and open-source philosophy problems left the Linux founder with no choice but to abandon BitKeeper and create his own system: Git.

SCM programs are used to control the flow of updates and track program changes. In a project as large as Linux—more than 17,000 files—this can be very difficult and very slow.

Because most SCMs—such as CVS (Concurrent Versions System)—are too slow for him, Torvalds built his own.

He describes Git as “a stupid (but extremely fast) directory content manager. It doesn’t do a whole lot, but what it does do is track directory contents efficiently.”

It also can't be used with BitMover Inc.'s BitKeeper, the controversial and proprietary SCM that Torvalds had used to manage Linux kernel development.

“Git has a totally different model of representing the source tree,” said Torvalds in an exclusive interview with Ziff Davis Media Internet News.

The name itself really doesn't have a meaning. Torvalds joked that it can be a “random three-letter combination that is pronounceable, and not actually used by any common Unix command. The fact that it is a mispronunciation of ‘get’ may or may not be relevant.” Or, “stupid. contemptible and despicable. simple. Take your pick from the dictionary of slang.” Or, “global information tracker: [if] you're in a good mood, and it actually works for you. Angels sing, and a light suddenly fills the room.”

Git has already been used for its first run of Linux: the beta of Linux 2.6.12-rc3. But Torvalds admits that Git is still a work in progress.

“The roughness really comes from two things,” said Torvalds. “It's a young project, and it just takes time for things to mature. That will go on for years, assuming none of the other open-source SCMs just eventually show themselves to be capable enough that we just end up deciding that Git was a good temporary bridge.”

Also, Git does some things very differently from traditional source management, Torvalds said.

“BK [BitKeeper] did that too, but in many ways, Git is even more different,” he said. “You literally cannot track single files individually. Git always works on a collection-of-files model, and there's no way to get the history of just one file without also getting the history of all other files; you can then ignore the other files, of course.”

It's also, Torvalds believes, a matter of perception.

“Some of the roughness is just that people who are used to some things working certain ways will just be surprised by the Git model,” he said.

“Git is just incredibly fast at handling big collections of files. The kernel is 17,000+ files, and Git can show the difference between two different kernel versions in small fractions of a second.

“But,” Torvalds continued, “if you ask it, When did this file change last? Git will have to think about that, exactly because it doesn’t do things on a file level, and it will have to look at all [the] changes.”

That may not be for everyone.

“Now, that model is very appropriate for me, and I much prefer the Git model over traditional SCMs. But others will quite possibly hate it with a passion. Different often means rough to people,” admitted Torvalds.

Torvalds also isn’t sure that Git will move far beyond its use with Linux.

“The most superficial roughness will have been fixed in a month or two. … You certainly could use it for other projects. I bet kernel people will, just because they get used to working with Git,” he said.

Still, “it’s a different mentality, and a lot of the things that it does well are probably not horribly relevant to many other projects.”

There’s a good reason for this, he said. “Most other projects just don’t have tens of thousands of files and hundreds of patches a day, so they don’t have the kind of performance requirements that the kernel has.

“Also, most other projects simply don’t use the same distributed development that the kernel uses. They have a single central repository, and people work with that, and while you can certainly use Git that way too, you just won’t see a lot of advantages to Git if you use it in a centralized manner,” Torvalds said.

“So we'll see,” said Torvalds pragmatically.

“It's entirely possible that people will start using Git more widely, but it's absolutely not a done deal. Let's face it, most new projects end up being failures, and I won't be terribly upset if Git just ends up being the thing that gets us kernel developers working well until the point where some other SCM ends up being good enough.”

A version of this story was first published in eWEEK.

April 22, 2005
by sjvn01

Torvalds Creates New Linux Development System

Linux founder Linus Torvalds has reluctantly created his own software configuration management system, Git, to oversee Linux kernel development.

Previously, Torvalds had been using BitMover Inc.'s BitKeeper SCM (software configuration management) to manage Linux. “I'm pretty well known for not being a huge fan of source control that gets in the way and makes it harder to merge with all the people I work with all the time,” Torvalds said in a statement last year.

“BitKeeper is different. It's made me more than twice as productive, and its fundamentally distributed nature allows me to work the way I prefer to work—with many different groups working independently, yet allowing for easy merging between them.”

Not everyone in the free software/open-source community was as happy as Torvalds about BitKeeper because it is a proprietary program. Flame wars quickly erupted over the use of the proprietary program to manage the creation of the open-source software poster-child project: Linux.

In essence, it was a debate between open-source pragmatists such as Torvalds, who believes in using the right tool for the job regardless of whether it's proprietary or open source, and free-software purists like Richard Stallman, who believes that using proprietary programs is contrary to what free software should be about.

“This problem, like the decision to use BitKeeper, reflects the attitude of the original developer of Linux, a person who thinks that technically better is more important than freedom,” wrote Stallman in a 2002 criticism of Torvalds' use of BitKeeper.

This could have stayed a tempest in a teacup in Linux development circles, but recent events forced the matter to a boil.

After much debate over whether an open-source attempt should be made to reverse-engineer BitKeeper, Andrew Tridgell, co-founder of the popular Samba CIFS (Common Internet File System) server project, created a new program, SourcePuller, that could work with BitKeeper data.

Tridgell was the OSDL's (Open Source Development Lab) second appointed Fellow; Linus Torvalds was the first. These positions are designed to enable strategic developers to focus on their development and coding contributions to the open-source community.

At this, Larry McVoy, BitMover's founder, decided to pull the non-commercial version of BitKeeper, which had been used for Linux development, from the market. At the same time, McVoy released a less powerful open-source version.

McVoy has long held the position that “you can't use BK if you are developing a similar system, i.e., a clone.”

After still more heated discussion, Torvalds decided that Linux development and BitKeeper would have to part ways.

But Torvalds was careful to praise McVoy for his efforts to defuse the situation. “Don’t blame BitMover, even if that’s probably going to be a very common reaction. Larry in particular really did try to make things work out, but it got to the point where I decided that I don’t want to be in the position of trying to hold two pieces together that would need as much glue as it seemed to require.”

Torvalds said he doesn’t care for any of the existing SCMs, so he created his own: Git.

As for his conflict with Tridgell over BitKeeper, Torvalds said, “I don’t hate him if that’s what you’re asking. I’m very disappointed by this whole brouhaha, but my whole life I’ve been writing my own tools for my own use. I’ll survive. It’s just sad because I really did like BK.”

“We’ve never had a working relationship,” Torvalds added. “Samba and the kernel are just so independent that we’ve never worked together. So it's been purely social. Now it's just a bit less so.”

A version of this story was first published in eWEEK.

April 22, 2005
by sjvn01

Finding a Corporate IM Server to Call Your Own

Like it or lump it, your staffers are using instant messaging. For years, no one has cared about managing IM (instant messaging). But security risks such as the Kelvir worm, which temporarily put Reuters IM out of business; IM-based phishing attacks; and Sarbanes-Oxley Act IM requirements are making instant-messaging management a priority.

How big is the IM management problem? AOL reports that in the United States alone, there are about 14 million business AIM users. And it’s no wonder that many companies have taken to defaulting to using public IM systems such as AIM (AOL Instant Messenger) and YM (Yahoo Messenger).

That’s a mistake.

With public IM, you’re essentially outsourcing your IM to a third-party system, with which your company has no contract, no guarantee of service and no real control over what they may or may not do with your business IMs.
For that matter, IM carriers such as AOL and Yahoo can, and have, just shut down interoperability with such popular third-party IM clients as Gaim and Trillian. Users prefer these clients since they let them talk to users on multiple IM networks.

When you consider all of the issues—security, management and quality of service—it’s clear that you can’t continue to rely on the public IM systems. Using public IM may be easy, but it just doesn’t make business sense in the long run.

Still, recalling those 14 million business AIM users, you’ll also need a system that will enable your users to talk to the greater IM universe and not just to their fellow corporate citizens. Just like e-mail, your workers need to talk not just with each other, but also with their customers and clients.

Private IM Systems, Public IM Networks

Fortunately, AOL has recently made talking to AIM users much easier.

The AOL Enterprise Federation Partner Program now makes it possible for users working with IM clients using SIP/SIMPLE (Session Initiation Protocol/SIP Instant Messaging and Presence Leveraging Extensions), XMPP (Extensible Messaging and Presence Protocol), or AOL’s proprietary format to communicate with each other.

This works via a translation gateway approach, AOL’s Federation Gateway, in a way that is reminiscent of the old RFC-822/X.400 e-mail gateways before RFC-822 became the dominant e-mail standard.
Four enterprise IM companies have already signed on board with AOL’s new program: Antepo Inc., Jabber Inc., Omnipod Inc. and Parlano Inc.

“AOL’s major IM competitors, Yahoo and MSN, have far less commitment to enterprise support,” said David Ferris, president of e-mail research house Ferris Research. “Microsoft seems to be de-emphasizing MSN enterprise IM connectivity in favor of connectivity through its LCS [Live Communication Server] 2005, [and] Yahoo shut down its enterprise sales unit.”

Providing an IM lingua franca.

Therefore, it is becoming even more important to add AIM or another product with a similar ability to be managed and to act as an IM lingua franca and interlocutor between the public IM network and your corporate IM system. Some IM products already have AIM support, such as Microsoft’s LCS 2005. IBM used to do so with its Sametime system, but Big Blue no longer supports AIM intercommunications.

On the other hand, as Ferris pointed out, “Microsoft has had great difficulty getting a usable IM system out to its customers, and that situation might continue, [and] telephony players are discovering the key role of presence. As new VOIP (voice-over-IP) solutions are deployed, presence might bring other IM players to the fore.”

“With LCS 2005, different companies with LCS 2005 will be able to federate directly,” Ferris said. “But for each pair of links, they’ll need to implement and manage the link. Using AOL as the connecting hub should be much more practical.”

A wise administrator should look beyond LCS 2005 and consider other enterprise IM solutions, such as those of AOL’s new partners or other companies that use protocols compatible with AOL Federation Gateway.

One open-source IM system that shows promise in this direction is Jive Software’s JM (Jive Messenger).

JM is a Java-based server for both group chat and IM. It is based on Jabber’s XMPP protocol. As such, out of the box it can be used both internally and to connect with other Jabber users on the Internet.
Since Jive is a partner with both Antepo and Jabber, and AOL has every intention of expanding its Federation Partner Program, it seems likely that JM soon will be AIM-compatible. In any case, its protocol, XMPP, is already AOL Federation Gateway-compatible. This means that your Jive users should be able to use their clients to talk to AIM users.

Why JM?

So, specifically, why would you want to give Jive a try for your enterprise IM?

JM has several factors in its favor. First, it is open-source, so if you have Java programmers on staff, you can easily tweak it to your exact needs. That also enables you, if your show has some savvy developers, to do such things as set up the Jive server to use SSL (Secure Sockets Layer) to safeguard IM communications using the standard Java security SSL implementation (javax.net.ssl.SSLServerSocket).

Then, using for example, Sun JDK (Java Developer Kit) 1.5.x or higher, you can set up the server to use SSL during user authentication and communications. You also can set it to use a self-signed SSL certificate to avoid the costs of a certificate authority-signed certificate.
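As an added illustration of the plain-JDK approach the paragraph refers to (this is not Jive's own code), the following loads a self-signed certificate from a keystore and binds an SSLServerSocket on port 5223, the SSL-wrapped XMPP port mentioned later in this article. The keystore path, alias and password are assumed values, and it assumes a JDK that supports TLS 1.2 rather than the 1.5 release named above.

```java
// Added example: a minimal TLS listener built on the standard JDK SSL classes.
// Create the self-signed keystore first (assumed path, alias and password):
//   keytool -genkeypair -alias jm -keyalg RSA -keysize 2048 \
//           -keystore jm.jks -storepass changeit -validity 365
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class XmppTlsListener {

    /** Builds an SSLContext whose server identity is the key pair held in the keystore. */
    static SSLContext serverContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No TrustManager is supplied: clients are not asked for certificates here.
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Opens the listening socket and restricts it to a modern protocol version. */
    static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
        SSLServerSocket server =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        // SSLv3 and early TLS stay disabled; only TLS 1.2 is offered to clients.
        server.setEnabledProtocols(new String[] {"TLSv1.2"});
        return server;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();         // assumed keystore password
        SSLContext ctx = serverContext("jm.jks", password);  // assumed keystore path
        try (SSLServerSocket server = listen(ctx, 5223)) {   // 5223: SSL-wrapped XMPP
            System.out.println("Listening for TLS XMPP clients on 5223");
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    // Complete the TLS handshake before any XMPP stream data is read.
                    client.startHandshake();
                    System.out.println("Handshake OK with " + client.getRemoteSocketAddress()
                        + " using " + client.getSession().getProtocol());
                }
            }
        }
    }
}
```

Because no certificate authority vouches for a self-signed certificate, each IM client must import it into its own trust store before the handshake will succeed.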

No need to get your hands dirty.

At the same time, though, you don’t have to get your hands dirty with code. Jive Software will cheerfully give you other support options.

If you want more than group and one-on-one IM sessions, Jive also sells commercial XMPP servers such as Jive Live Assistant, a live customer-chat system that includes built-in access to e-mail archives, file systems and third-party knowledge bases so that the help-desk assistant can quickly and easily assist customers when they request aid.

What You Need to Run JM

For basic operations, you probably won’t need support or a commercial product. JM is very simple to install, operate and manage with its full, Web-based administration interface. Jive Software also has an active user community, which includes not just expert users but JM developers as well.

Last but not least in the reasons to look toward JM for your corporate IM needs, JM runs on several operating systems and with several back-end databases.
JM runs on both Windows and Linux/Unix systems. However, while you can run JM on client systems such as XP Pro, you’d be much better off running it on a real server platform such as Windows 2000 Server or Server 2003.

JM also comes in two Linux/Unix builds, a Red Hat Package Manager edition for Red Hat/Fedora systems and a compressed archive, .tar.gz, for other *nix operating systems. The one key difference is that the compressed archive does not include a bundled Java runtime. Thus Unix administrators would need to check to make sure JDK 1.5.0 of J2ME (Java 2 Micro Edition) or later was installed. The Windows version also comes with the right JDK.

You can easily check to see if you need to upgrade by typing “java -version” at your command line. If you don’t have the right version, you can upgrade it from Sun’s Java site.

The program also needs a database server back end if you’re going to do more than play with it. While JM comes with an embedded database, it’s strictly lightweight.

Fortunately, JM supports JDBC (Java Database Connect), so almost any major database can be used with it. In particular, Jive provides instructions for running JM with, among others, IBM’s DB2, Microsoft’s SQL Server, MySQL, and Oracle 9i or 10g.

Putting JM Through Its Paces

In my case, I decided that even though I run several flavors of Linux, I would give the Windows XP 2.1.2 version a try.

With minimal system requirements—recall that you can run it from an XP Pro workstation—I nonetheless decided to put it on a production-level system: a 2GHz Pentium IV white-box server running Server 2003 SP1 (Service Pack 1).

For the database back end, I used SQL Server 2000 running on a similar hardware platform with Windows 2000 Server SP4 installed. I connected JM to the database using Microsoft’s own SQL Server 2000 Driver for JDBC SP3.

JM comes with a Web-based setup tool that automatically sets up its tables in the appropriate database.

For user authentication, I used LDAP (Lightweight Directory Access Protocol). Jive provides a straightforward explanation of how to connect JM with your LDAP server.

There are, however, a few things you need to keep in mind. The first is that JM treats LDAP as read-only, so you can’t add or edit users via JM. You’ll need to use your usual LDAP interface for those purposes.

Some LDAP servers, such as the extremely popular OpenLDAP, do not support server-side sorting of search results. This causes what appear to be out-of-order results when you’re looking at a directory of users. Jive recommends setting up client-side sorting to avoid this problem.

Getting adventurous with JM Code

Adventurous developers might want to try working with the JM code and OctetString’s open-source JDBC-LDAP Bridge Driver to enable server-side editing or sorting. In the event, I used OpenLDAP, with Jive’s suggestion of setting ldap.clientSideSorting to “true” in JM’s XML configuration file. I ran OpenLDAP on SLES (SuSE Linux Enterprise Server 9) SP1.

The actual JM installation on Server 2003 was almost mindlessly simple. I spent far more time setting up SQL Server 2000 for JM than I spent on setting up JM itself. All in all, I was up and operational within an hour.

Fine-tuning it, though, took a while. First, while it looked perfectly available within my network, I had trouble getting messages to it from the Internet.

That turned out to be my own problem rather than JM’s fault. I used a packet-based firewall between my LAN and my DMZ (demilitarized zone), and then both a packet-based firewall and Network Address Translation between the DMZ and the Internet.

As can happen when you use these kinds of multiple layers of defense, I didn’t have my ports opened up properly.

My final solution, since there’s no proxy for JM, was to place the JM server in the DMZ. I then opened only ports TCP 389 for OpenLDAP and TCP 1433 for SQL Server. I opened up public ports 5222, for normal XMPP traffic, and 5223, for SSL-encrypted XMPP traffic.

Once that was taken care of, it ran flawlessly. My only concern from a server perspective is an old one I have with the JVM (Java Virtual Machine). Left to its own devices, this version on Server 2003 seems to eat up more heap memory than it should. So, I fed the JVM the -Xms and -Xmx arguments, to set the minimum and maximum heap sizes. This in turn enabled me to keep its memory requirements in sharp check.

The Web-based administration was straightforward. I had no trouble running it with both Firefox and Internet Explorer.
I used a variety of IM clients without any trouble. These included Gaim on both Linux and Windows, and Trillian Pro (the free version doesn’t support the XMPP/Jabber family). I did, however, have trouble running the KDE Kopete client with JM. But this turns out to be a known problem with Kopete and XMPP in general and not a JM problem at all.

While my server load was light—never more than 20 users online at any given time—I saw no signs that a far higher level would have caused my middleweight JM server any trouble. Since the program is freeware, and simple to install if you leave out the DBMS and LDAP requirements, you can run it yourself in a test environment. I’d be very surprised if you ran into significant performance problems, even on lightweight servers.

In short, if you want an easy-to-use, inexpensive XMPP/Jabber IM server to call your own, JM is an excellent choice. If it does indeed gain AIM compatibility, I would put it on my “must test out” list of enterprise IM servers.

And let me say again, whether you choose JM or not, you really must have an enterprise IM server of your own. It’s no longer a luxury or something you can simply fob off on the public IM networks.

A version of this story first appeared in Channel Insider.

April 19, 2005
by sjvn01

SCO Gives Sun Blessings to Open-Source Solaris

The SCO Group CEO reveals that the company’s been made aware of Sun’s plans to open-source Solaris and approves of them.

For more than a year, Sun Microsystems Inc. has inched its way towards the release of an open-source version of Solaris. Still, one piece of the strategy remained on the table: With the SCO Group Inc. owning the underlying code to Solaris, could Sun avoid the legal battles faced by other open-source Unix vendors?

However, during SCO's earnings teleconference on Tuesday, CEO Darl McBride revealed that Sun had discussed with SCO its plans to open-source the Solaris operating system and that SCO has no problems with them.


March 23, 2005
by sjvn01

Software Patents and Mutually Assured Destruction

The Cold War policy of MAD was that things could never get too ugly between the United States and the Soviet Union because if one of us went too far, the other could bomb it into the stone age … and vice-versa. That may be where we’re

Have I mentioned that I hate software patents?

Why, yes, I have. Many times.

I'm also a realist. Maybe someday, PUBPAT (the Public Patent Foundation) and other patent-reform groups such as the Electronic Freedom Foundation's Patent-Busting Project will succeed in getting rid of software patents, but I'm not holding my breath.

Even with Microsoft backing some software patent reform, amazing but true, I just can't see significant changes to U.S. patent law happening anytime soon.

And lest we forget, Microsoft isn't exactly the most trustworthy company in the world when it comes to patents.

Just this week, Microsoft announced that a new, integrated IPv4/IPv6 network stack would be in its upcoming Longhorn operating system. At the same time, lawyers for the Public Patent Foundation and the Software Freedom Law Center are concerned over a patent about automatic generation of IP addresses to facilitate simple network connections.

If my network-savvy readers say that sounds a bit like some of the features of IPv6 and DHCP (Dynamic Host Configuration Protocol), well yes it does, doesn't it.

Now, IPv6 isn't that important in North America at this time, but sooner or later, everyone on a TCP/IP network connected with the Internet is going to have to deploy it. Some people, with good reason I think, are concerned that Microsoft might use that patent to try to place a tariff on all programs that access the next generation of the Internet.

This is only part of what many see as a pattern of Microsoft getting ready to retroactively claim IP (intellectual property) rights over many of the Internet's basic protocols.

Maybe they are, but Darl McBride, the CEO of The SCO Group, made me think that that may not be the case. We were talking about patents on Tuesday—no, SCO is not getting ready with a surprise patent lawsuit—and he said he didn't think Microsoft would dare use its patents in such a broad way.

His logic was that the technology world is a lot like the world situation of the 50s through the 80s, when the Soviet Union and the United States never went to outright war with each other because of the cynical but all too practical notion of MAD (mutually assured destruction).

In a nutshell, the policy of MAD was that things could never get too ugly between the United States and the Soviet Union because if one of us went too far, the other could bomb it into the stone age … and vice-versa.

How that applies to today's computing world is that if Microsoft started really throwing its patent weight around, IBM or Novell could retaliate in kind. Thus, if any one company tried to really strangle a large part of the market with an overly aggressive patent enforcement, they would be blasted by other companies with large patent portfolios. The end result would be that all of the companies involved would be locked into a software development doomsday, where nothing could be developed.

This isn't just idle speculation. After talking with McBride, I contacted several other people. Both a senior Novell executive and a prominent open-source attorney told me that if Microsoft ever tries to push too hard with its patents, other companies are more than ready to counter-attack with their own patent portfolios.

Let's take this analogy a little further. The peaceful coexistence based on MAD between the Soviets and the Americans meant that we didn't see World War III. We did, however, see lots of brushfire wars in Afghanistan, Angola and Vietnam.

Thus, just because the big companies may never go too far with their patents with each other and worldwide technologies such as the Internet doesn't mean that smaller companies or open-source developers won't be attacked. They will be.

Of course, as the good people at Black Duck Software will tell you, a patent holder doesn't actually have to sue you for a violation. Just the mere threat is enough to stop a company from developing or marketing a program if it doesn't have the legal protection or deep pockets needed to fight a patent battle in the courts.

So, while I now think that we're unlikely to see any truly broad attempts to abuse software patents, I still believe that software patents are bad in general and that, in specific, small companies and open-source developers are still vulnerable to the bullying of software-patent superpowers.

A version of this story first appeared in eWEEK.