Bash is worse than heartbleed! Oh noes!

A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.

This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this.

How to increase the capacity of a Log Logic appliance by 45%

My 9-5 gig revolves primarily around Tibco LogLogic (I’ll write it as Log Logic going forward, as I write in English, not C++), which is a centralized logging product. The appliances collect logs from a variety of dissimilar systems and present you with a unified, web-based interface to search them. When something goes wrong, having all of the logs in one place is invaluable for figuring it out.

That value comes at a price. I don’t know exactly what these appliances cost, but generally speaking, $100,000 is a good starting point for an estimate. So what if I told you that you could store 45% more data on these expensive appliances, and increase their performance very modestly (2-5 percent) in the process? Read on.


Is the Windows firewall safe enough?

Is the Windows Firewall safe enough? I wish more people would ask that question rather than make assumptions.

I wish I had a nickel for every time I’ve heard an unsubstantiated statement like “Windows firewall is junk.” I went looking, and the best I could find was this, an editorial that said it doesn’t do enough to address outbound connections, particularly on a program-by-program basis.

OK, point taken. But “enough” is a moving target.


Open-source licenses, the CISSP, and the real world

You may have a question about open-source licenses on your CISSP exam. I don’t remember the specifics and wouldn’t be able to repeat them anyway, but I had a question on my exam where knowing the differences was helpful in finding the right answer.

And I had to deal with an issue this past week involving open-source technologies where the licenses made a big difference.


Replace your Antivirus software with this freebie and regain your performance

Antivirus software is the worst culprit in PC slowdowns. I am not alone in this belief. I don’t suggest going without (not completely) but it’s certainly possible to save lots of money, eliminate subscriptions, eliminate most of the overhead, and still practice (relatively) safe computing while running Windows.

Use Clamwin, the Windows version of ClamAV, and don’t engage in risky behavior (more on that later). Clamwin is free, GPL software, meaning you never have to pay for or renew it. It lacks a realtime scanner, which is the main resource hog for PCs. This may leave you vulnerable to infections, but think about where the majority of infections come from: e-mail, downloads, and drive-by installations. Clamwin comes with hooks into Outlook to scan e-mail attachments for you, and Clamglue is a plugin for Firefox that automatically scans all downloaded files. Of course you’re using Firefox, right? Using a non-Internet Explorer browser is the most effective way to prevent drive-by installations. I don’t use IE on my personal PCs for anything other than running Windows Update.

Realtime protection made lots of sense when the main distribution point for viruses was infected floppies, but those days are long gone. This approach protects you against modern viruses without making your multi-gigahertz computer run like a Pentium-75.

I do suggest periodically scanning your system, something that even antivirus packages with realtime protection do. It makes you wonder how much confidence they have in that resource-hogging realtime protection, doesn’t it? Weekly scans are usually adequate; daily scans are better if you suspect some users of your computer engage in risky behavior.

Risky computer behavior

The last virus that ever hit any computer I was using was LoveLetter, which was way back in May 2000. The only reason I got that one was because I had a client who got infected and she just happened to have me in her address book. I don’t know the last time I got a virus before that.

It’s not because I’m lucky, it’s because I’m careful. There are lots of things I don’t do with my computers.

I stay off filesharing networks. Not everything on your favorite MP3-sharing site is what it claims to be, and there are people who believe that if you’re downloading music without paying them for it, they are entirely justified in doing anything they want to you, such as infecting you with a computer virus.

I don’t open e-mail attachments from strangers, or unexpected e-mail attachments from people I know. For that matter, if I don’t recognize the sender of an e-mail message, I probably won’t open it at all, attachment or no attachment.

I don’t run Internet Explorer if I can possibly avoid it. Internet Explorer’s tight integration into the operating system makes it far too easy for people to run software on your computer if you so much as visit a web page. Google tries to identify web pages that might be trying to do this, but a safer option is to use a different web browser that doesn’t understand ActiveX and doesn’t have ties into your underlying operating system.

I don’t install a lot of software downloaded from the Internet. A good rule is not to install any “free” software whatsoever unless it’s licensed under the GNU GPL or another similar open-source license. If you don’t know what that means, learn. Open source means the computer code behind the program is freely available and outside programmers can examine it. If a program distributed that way does anything malicious, someone’s going to figure it out really fast. If I’m going to download and install something that isn’t open source, I only do so when somebody I trust (be it a trusted colleague, a magazine columnist, etc.) recommends it.

I don’t rely on software firewalls. I have a separate cable/DSL router that acts as a firewall and sits between my computers and the Internet. So when the random virus comes around looking for a computer to infect, my firewall doesn’t even speak their language (it doesn’t run Windows and doesn’t have an Intel or AMD processor inside), so the potential infection just bounces right off.

Use a web-based e-mail service instead of a program like Outlook or Outlook Express if you can. If you use something like Yahoo Mail or Hotmail, that company’s servers scan your incoming and outgoing e-mail for viruses, so if someone sends a virus to your Yahoo account, you won’t get it. Does your ISP scan your e-mail for you? If you don’t know, you probably should consider getting your e-mail from someone else. Your antivirus should catch it, of course, but it never hurts to have someone else looking out for you too.

If you avoid these practices, you can join me in throwing out your commercial, for-pay antivirus software and reclaim a lot of computer performance too.

Another site listing spyware-free software

Generally speaking, I tell people not to install free software on a computer anymore unless it’s licensed under the GNU GPL or another similar open-source license, because open-source software is the only type of software that is reasonably likely not to contain adware, spyware or other malware.

The problem with that advice is that the people who know what it means probably already follow it, and if you follow this Farquhar’s Law (there are many) to the letter, you miss out on gems like Irfanview. I’ve recommended the Tinyapps.org web site for a long, long time, but some jewels like Mozilla are much too big to qualify for that list.

Enter Cleansoftware.org.

While neither list is likely to have every safe, free application available, checking those sites for software that does what you want gives a broader range of choice than simply making a blanket statement like “Don’t install anything that isn’t Free (as in speech) Software,” or “Don’t install anything that isn’t GPL.”

If you want software that you can copy and redistribute and, if you wish, modify, with little or no restriction, then of course your best bet is to check out Freshmeat.net and look for software with a license that’s OSI-approved.

Contrary to what it may seem, strings-free freeware isn’t a totally lost art. You just have to look a little harder these days, that’s all.

So there is a uClibc-based Linux distribution

I think I found just what I needed. Somehow I overlooked it before. Right there on Erik Anderson’s uClibc page, near the bottom, there’s his uClibc development environment. What is it? A Linux distribution based on his uClibc, busybox and tinylogin userspace in addition to enough GNU tools to compile other stuff. If you don’t want all 150 megs’ worth, download his makefile and uncomment just the stuff you want.

It’s not a general-purpose Linux distribution. It’s intended as a development environment. But besides that, it would be perfect for running on a low-end PC, like a 386 or 486 laptop. You get the benefits of a modern kernel and a modern, in-development libc, but with everything designed to lower memory consumption. On an older PC with a slow hard disk, that all translates into better performance.

Now I’m not sure how much of a GUI you get, but frankly, an older laptop, especially a network-capable one, would be useful with this stuff and the excellent Links web browser. If SVGAlib and the SVGAlib-capable version of Links compile, then you could even have a graphical web browser on a low-octane machine. Wouldn’t that be cool?

More on tiny but potentially modern Linux distributions

I found a couple of interesting things on Freshmeat today.

First, there’s a Linux-bootfloppy-from-scratch hint, in the spirit of Linux From Scratch, but using uClibc and Busybox in place of the full-sized standard GNU userspace. This is great for low-memory, low-horsepower machines like 386s and 486s.

I would think it would provide a basis for building small Linux distributions using other tools as well.

What other tools? Well, there’s skarnet.org, which provides bunches of small tools. The memory usage on skarnet’s web server, not counting the kernel, is 2.8 megs.

Skarnet’s work builds on that of Fefe, who provides dietlibc (yet another tiny libc) and a large number of small userspace tools. (These tools provide most of the basis for DietLinux, which I haven’t been able to figure out how to install, sadly. Some weekend I’ll sign up for the mailing list and give it another go.)

And then there’s always asmutils, which is a set of tools written in pure x86 assembly language and doesn’t use a libc at all, and the e3 text editor, a 12K beauty that can use the keybindings for almost every popular editor, including two editors that incite people into religious wars.

These toolkits largely duplicate one another but not completely, so they could be complementary.

If you want to get really sick, you can try matching this kind of stuff up with Linux-Lite v1.00, which is a set of patches to the Linux 1.09 kernel dating back to 1998 or so to make it recognize things like ELF binaries. And there was another update in 2002 that lists fixes for the GCC 2.72 compiler in its changelog. I don’t know how these two projects were related, if at all, besides their common ancestry.

Or you could try using a 1.2 kernel. Of course compiling those kernels with a modern compiler could also be an issue. I’m intrigued by the possibility of a kernel that could itself use less than a meg, but I don’t know if I want to experiment that much.

And I’m trying to figure out my fascination with this stuff. Maybe it’s because I don’t like to see old equipment go to waste.

DietLinux — a Linux that boots in under 10 seconds

The tinkerer in me just couldn’t stay away. I saw a reference on Linux Weekly News to DietLinux and had to look at it.

DietLinux is an example of a Linux distribution that can’t properly be called GNU/Linux, because the majority of its userspace didn’t come from the GNU project. GNU’s libc–the main API for Unixish systems, and I’ll call Linux a Unix just to hack off SCO–is replaced with an alternative, trimmed-down libc called dietlibc. It’s not feature-complete but it’s tiny. Those of you who programmed casually in the 1980s and 1990s probably remember a day when you could write a fairly sophisticated program in a few kilobytes. Under modern operating systems, a simple program that simply emits “Hello, world!” can take up 32K or more. Using dietlibc instead of GNU’s libc shrinks that program back down to a couple of kilobytes.

The majority of DietLinux’s userspace comes from Felix von Leitner, the author of dietlibc. Von Leitner reimplemented init–the program that bootstraps a Unix system once the kernel is loaded–and getty, which is the program that handles text-based logins. These unglamorous programs can eat up a fair chunk of memory, and since Unix systems typically go for long periods of time without being rebooted, it’s a bit of a waste unless you need certain features provided by the more traditional init and getty programs. He also wrote replacements for several standard utilities.

Obviously, not every program in the world designed for glibc will compile and run under dietlibc, so DietLinux won’t ever be a complete general-purpose distribution. But for network infrastructure glue-type servers providing services like firewalling, DNS and DHCP (all of which already function), it would be perfect.

I don’t know what the future plans for DietLinux are. The asmutils provide an impressive number of userspace and server utilities, written in assembly language with very low overhead, and would appear to be a nice complement to DietLinux’s infrastructure. Their use would limit DietLinux to x86, however. And the text editor e3 is tiny, full-featured, and emulates keybindings for vi, emacs, WordStar, and Pico, so it’s friendly to pretty much any command-line jockey regardless of heritage and takes little space.

It’s also not a newbie distribution. Installation requires a fair bit of skill and pretty much requires an existing Linux system to bootstrap it.

But it’s definitely something I want to keep an eye on. I’m highly tempted to put it on one of my 486s. I just wish I had more time to mess around with it.

The Compaq DL320 and Ghost

We got another Compaq Proliant DL320 in at work. This one’s a Windows 2000 print server (grumble grumble–we’ve been playing with HP’s Linux-based print appliances and so far I really like them).

But anyway, since rebuilding a Windows server is a much bigger deal than rebuilding a Linux server (all our other DL320s run Debian Linux), we tried building a recovery image with Ghost.

Only one problem: Ghost 7.5 doesn’t see the DL320’s IDE drives. DOS sees them just fine. But Ghost 7.5 doesn’t see them, and neither did MBRWork, a freeware partition-recovery tool that’s saved my bacon a few times. There’s something odd going on here.

In desperation, I dug out an old copy of Ghost 5.1c I found on our network. It’s from mid-1999. Oddly enough, 5.1c sees the Proliant’s CMD 649-based UDMA controller just fine. The only problem is, Ghost 5.1c doesn’t handle the changes Windows 2000 made to NTFS. It’ll make the image just fine, but when I went to try to restore it, Ghost crashed.

So I pulled out an unused copy of PowerQuest Drive Image. Drive Image worked fine. Mostly. It made the image at least. One thing I noticed was that Drive Image’s compression was a whole lot less effective than Ghost’s. The other thing I noticed was that Drive Image’s partition resizing didn’t work right. I’d re-size the partitions so they’d fit on another drive I had (I wanted to test the backup to make sure it worked, but not on the live, production drive) but no matter what I did, it reported there wasn’t enough room on the drive.

“Ghost would be so much better in every way, if it worked,” I said in frustration.

“Isn’t that true of everything?” Charlie asked. I guess he didn’t think that was the most brilliant observation I ever made. Not that I did either.

We’ve got support with both Symantec and HP, so we really ought to call them and see if they have a resolution. HP talks out of both sides of its mouth; on the one hand, I found statements on its Web site that Ghost is unsupported on Proliant hardware, and on the other I found some tools that claim to help with system deployment using Ghost.

But since this DL320 is being used to drive a printer that costs about as much as any of us make in a year, and it’s being set up by a guy who’s being flown in early this week at $2,000 a day, I’m not positive that we’re going to get a good resolution to this. I suspect we’ll just end up using Drive Image and keeping an identical drive on hand in case Windows 2000 gets suicidal on us. The price of an IDE drive is pocket change on top of all this.

But when you’re running Linux and GNU tar is a legitimate option as a backup and recovery tool, I love the DL320. It’s small, fast, and cheap. It’s funny when tools allegedly written by college students as a hobby work better and more consistently than commercial tools you have to pay for.

Well, I guess I should say it’s funny when that happens and it’s someone else who has to deal with it.
