ArchculTure: Architecture -- Culture -- Technology<br /><br /><span style="font-weight: bold;">If Oracle purchases Redhat...</span> (published 2009-03-24, updated 2009-03-24)<br /><br />...I quit.<br /><br />Seriously, nothing good comes out of <a href="http://www.forbes.com/2009/03/23/red-hat-linux-markets-equity-technology.html">Oracle acquisitions</a>. Larry Ellison and the Oracle monstrosity should stick with the database that made them so popular. In my opinion, Oracle has completely failed to integrate any open-source technology successfully. Talk to any middleware administrator and ask their opinion on OAS vs. others and you will likely find very few who would choose OAS over any of the others. Oracle is trying to make moves too quickly in this space. They should put some real strategy together and give it time to grow, similar to what <a href="http://www.sun.com/software/opensource/index.jsp">Sun Microsystems</a> has done with open source technologies. If this acquisition does happen, it will be absolute zero kelvin for Redhat innovation. Not that Redhat had much going for it since they spun off as the Redhat Empire with the Fedora slave in tow, and ruined a great thing. <br /><br />They <a href="http://www.linux-watch.com/news/NS7753065928.html">will erase the trademark</a>... Over the past few years many organizations have migrated to a Redhat platform, due primarily to licensing costs. Oracle is interested in buying its customers back at a <a href="http://www.google.com/finance?q=rht">discounted price</a>. There is <a href="http://www.oracle.com/corporate/acquisition.html">nothing innovative</a> about this. This is about growth, stock price and customer base. Oh, well, the writing was on the wall when Redhat went public anyway. 
Bye, it was fun...<br /><br /><span style="font-weight: bold;">iPhone 3G hacks - wasting ur tim3</span> (published 2008-07-22, updated 2009-03-24)<br /><br />The group of coders who hang out around the <a href="http://blog.iphone-dev.org/post/42858313/thanks-for-waiting">iphone-dev</a> corner store have released code that jailbreaks iPhone 2.0 firmware. The current version is <a href="http://blog.iphone-dev.org/post/42931306/pwnagetool-2-0-1">PwnageTool 2.0.1.</a> <span style="font-weight: bold; font-style: italic;"><span style="color: rgb(255, 153, 0);">Don't waste your time</span> </span>hacking up your 3G unless you're a tech junkie who likes to smash things. Even with this successfully installed on the 3G iPhone you're still stuck with AT&amp;T. There are no SIM lock hacks for the current baseband firmware to remove the requirement to use a contract-bound carrier. However, you can use this firmware 2.0 hack on the iPhone 2G running 2.0 firmware. SIM hacks are readily available for this platform. I think, once the dust settles, the 2G iPhone will make a nice tech-junkie toy that you can pick up cheap on e-bay ;)<br /><br /><span style="font-weight: bold; font-style: italic; color: rgb(255, 153, 0);">Don't waste your time. 
Be patient, and don't take the risk!</span> The iPhone 3G <a href="http://www.att.com/gen/press-room?pid=4800&amp;cdvn=news&amp;newsarticleid=25883">will be available</a> for direct purchase without a contract soon enough. Not to mention, no one I know actually complains about being an AT&amp;T customer while toting an iPhone. 6 months from now you will be able to pick one up at a fraction of the total cost of ownership. Meanwhile, I'll continue to chuckle when I see new iPhone 3G users...<br /><br />silly tech-junkie.<br /><br /><span style="font-weight: bold;">UPDATE </span>12 Jan 09: hmmm, several months and still no word of carrier-free iPhones... maybe it would be worth it after all?<br /><br /><span style="font-weight: bold; color: rgb(255, 102, 0);">UPDATE: </span> Well, that took a long time. <a href="http://finance.yahoo.com/news/ATampT-to-sell-iPhone-without-apf-14694320.html">AT&amp;T announced</a> the availability of contract-free iPhones; you're still bound to AT&amp;T service, unless you pick up a factory unlocked 3G like those showing up on <a href="http://cgi.ebay.com/Iphone-3G-16GB-Legally-Officially-Factory-Unlocked--NEW_W0QQitemZ130294237253QQcmdZViewItemQQimsxZ20090317?IMSfp=TL090317204003r12536">e-bay</a>. 
(Watch out for the scams.)<br /><br /><span style="font-weight: bold;">TrueCrypt 5.0 for Mac ...Finally, but bring some bug spray.</span> (published 2008-02-06, updated 2008-07-22)<br /><br /><a href="http://www.truecrypt.org/">TrueCrypt 5.0</a> for the Mac has been released. I encountered an issue with permissions on the default install under Leopard/Intel. If you try to run it from Finder as a normal user it spits out an "unsupported architecture" error. A quick workaround is to set the binary to setuid:<br /><br /><span style="font-style: italic;">sudo chmod u+s /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt<br /><br /></span>I'm not sure how to work in the Leopard privilege controls (still researching, they may fix it first) and I can make no guarantee that this is a <span style="font-style: italic;">"secure" </span>means of running the software, i.e. if there are vulnerabilities in the TrueCrypt binary one could exploit the fact that it is setuid and take control of the system...<br /><br />You would need to be local to the machine to do that.<br /><br />The Windows XP/Vista full disk encryption works like a charm so far. Easy to use in a single partition/boot configuration. I have not used it under multi-boot or alongside grub/lilo. 
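The workaround above leaves a setuid bit on an application binary, so a useful follow-up is a check that reports setuid/setgid files that are not on an expected list, plus a way to remove the bit again. This is an added example, not code from the original post; the function names, the allowlist file format and the demo directory tree (built under a temporary directory) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that are not on an allowlist.
# Function names, the allowlist format and the demo paths are assumptions;
# the demo tree is constructed under a temporary directory.

# Print every regular file under directory $1 with the setuid or setgid bit.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print setuid/setgid files under $1 that are not listed in allowlist $2
# (one exact path per line). No output means nothing unexpected was found.
unexpected_setid_files() {
    list_setid_files "$1" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$2" || printf '%s\n' "$path"
    done
}

# Drop the setuid and setgid bits from file $1 and confirm they are gone.
clear_setid() {
    chmod u-s,g-s "$1" || return 1
    [ ! -u "$1" ] && [ ! -g "$1" ]
}

demo() {
    root=$(mktemp -d) || return 1
    bin="$root/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt"
    known="$root/usr/bin/known-helper"
    mkdir -p "$(dirname "$bin")" "$(dirname "$known")"
    printf 'placeholder\n' > "$bin"
    printf 'placeholder\n' > "$known"
    chmod 755 "$bin" "$known"
    chmod u+s "$bin" "$known"      # reproduce the effect of the workaround
    printf '%s\n' "$known" > "$root/allowlist.txt"

    echo "Unexpected setuid/setgid files:"
    unexpected_setid_files "$root" "$root/allowlist.txt"

    clear_setid "$bin" && echo "Cleared: $bin"
    echo "Unexpected after cleanup:"
    unexpected_setid_files "$root" "$root/allowlist.txt"
    rm -rf "$root"
}

demo
```

On a real system the same functions can be pointed at /Applications with an allowlist captured from a known-good install; a hit on the TrueCrypt binary means the workaround is still in place.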
Happy encrypting...<br /><br />Also: check out <a href="http://www.wilderssecurity.com/showthread.php?p=1177223">http://www.wilderssecurity.com/showthread.php?p=1177223</a> since the TrueCrypt forums seem to be down ...like forever. There are some bugs in 5.0; maybe the dev team should have put out a beta for testing and, while they were at it, fixed their forums...<br /><br /><span style="color: rgb(255, 204, 51);">UPDATE: (2-8-8):</span> <a href="http://forums.truecrypt.org/">Forums</a> are back online. Thanks guys.<br /><br /><span style="font-weight: bold;">The Mac moves in..</span> (published 2007-12-19, updated 2008-07-22)<br /><br />Has anyone been to an Apple store lately? It's getting crowded in there...<br /><br />Why are MacBooks, iPods and iPhones gaining so much momentum these days? It wasn't too long ago when Apple product consumers were limited to the art crowd. At some point it spilled over to the mainstream consumer. It's interesting to watch the progression of a trend or fad. I think their ad campaign is cheese though... specifically their whole PC vs. MAC guys on the white backdrop, cool dude with a not-so cool dude... come on, we're all geeks. Getting into a geek class system is insane and quite pretentious. And not to mention, we're comparing apples (pun intended) and oranges. 
Apple is a hardware/software package, Micro$oft typically is not. I have to admit, however, that I think this Apple surge will be a long-standing mode of operation for technology consumers. This surge is based on good solid design principles with the help of popular culture, and when those two get together, they stick around for a long time. Take the mountain bike crowd for a comparable example...<br /><br /><span style="font-weight: bold;">The processor race on the n-core speedway</span> (published 2007-12-19, updated 2008-05-19)<br /><br />This is a quote from an article in the <a href="http://www.nytimes.com/2007/12/17/technology/17chip.html?pagewanted=2&amp;_r=2">New York Times</a>:<br /><p style="font-style: italic;"><span style="font-size:85%;"> The opportunity for the company is striking, Mr. [Craig] Mundie said, because manycore chips will offer the kind of leap in processing power that makes it possible to take computing in fundamentally new directions.</span></p><p style="font-style: italic;"><span style="font-size:85%;"> He envisions modern chips that will increasingly resemble musical orchestras. Rather than having tiled arrays of identical processors, the microprocessor of the future will include many different computing cores, each built to solve a specific type of problem. A.M.D. 
has already announced its intent to blend both graphics and traditional processing units onto a single piece of silicon.</span></p><p style="font-style: italic;"><span style="font-size:85%;"> In the future, Mr. Mundie said, parallel software will take on tasks that make the computer increasingly act as an intelligent personal assistant.</span></p>Well, I'm excited. I spent <a href="http://a.archculture.com/">several years</a> studying architecture in the built environment, and every time I see the design principles that go into true architecture find their way into technical architecture, it makes me think my time was well spent. If you think about how pragmatic building design or master planning is an evolutionary descendant of the way humans live and occupy space, it only makes sense that technology design will follow that same evolutionary pattern. This organic relationship, to me, is the basis of good solid design. You could refer to it as ergonomic technology. As the industry moves more into <span style="font-style: italic;">n</span>-core technology platforms I would expect the usability and interoperability of these systems to be more natural to human instincts. Like, for example, if I look away from the screen maybe it goes blank to save on power consumption and lights back up when I focus back on the screen. For the system to make that decision today it would take power-hungry CPU cycles to crank through facial recognition algorithms. That's a tall order in today's CPU design terms. With the introduction of <span style="font-style: italic;">n</span>-core CPU design direction like that which is described in the referenced article, you start to think that just maybe we're closer to getting true human compatibility like this minuscule example. The iPhone and other multi-touch technologies have covered some ground here but we will have severe limitations in software compatibility as time goes on. 
I expect this because, as the chip designers become more complex and proprietary, they will not be willing to share how many and what types of processing cores perform which functions etc. This makes coding software for cross-platform compatibility very difficult. Look at the gaming console race: a game designed for the PS3 is not compatible with your Core Duo running Linux. Maybe this means all OS's and software will have to be compiled by the owner of the platform on which it will run?? Wow, here comes bug land for sure... Unless there is a standard like traditional x86 architecture it will become that complex. How can I help?<br /><br /><span style="font-weight: bold;">RIAA wins in court!</span> (published 2007-10-06, updated 2008-07-22)<br /><br />The RIAA won their first federal case pertaining to the protection of copyrighted music and file sharing this week. I was expecting a much more intellectual exchange of thoughts about this. I haven't seen much thus far. The offender was fined over <a href="http://recordingindustryvspeople.blogspot.com/2007/10/my-comment-on-jury-verdict-in-virgin-v.html">$220K for 24 songs worth less than $25.00.</a> This was just a cut and dried case about a high tech shop-lifter who will have to pay more than she should for her crimes. I wonder if that's the precedent setter? At any rate, just for the record, I would like to see the music industry change soon. I have always been a consumer; my wife and I own over 800 CDs which we have purchased over the years. For us it's more about convenience. I need a service to convert all of these compact discs, along with their liner notes, to a digital format to make listening to them more enjoyable in today's world of technology. 
I don't have the time to do that. Not to mention the fact that the industry will not replace what you have purchased if it is damaged. Maybe the recording industry should include a little customer service in their price of a compact disc and it may entice more people to stay on their side. Say, replace lost, damaged or stolen copies, with proof-of-purchase of course. Or, allow registered purchasers to download or stream, at any time from any location, the music they have legally purchased. Just a thought...<br /><br /><span style="font-weight: bold;">Radiohead - In Rainbows: An approach that could change it all?</span> (published 2007-10-02, updated 2008-07-22)<br /><br />Speaking of the RIAA and copyrights, <a href="http://www.radiohead.com/deadairspace/">Radiohead</a> announced the release of their 7th album recently. The story here isn't the announcement, although fans like me are very excited, but the release approach. They intend to make it available for download and allow the <span style="font-style: italic;">"consumer"</span> to set the price. In my opinion, this is the way any work of art should be delivered. This isn't the first bold move in the music industry; if you look around you'll see examples of other artists opening their vision. One of the most notable "vision changes" was highlighted in <a href="http://query.nytimes.com/gst/fullpage.html?res=9B03E1DA113AF93AA35755C0A9649C8B63">David Bowie's interview with the New York Times</a> where he stated <span style="font-style: italic;">"The absolute transformation of everything that we ever thought about music will take place within 10 years, and nothing is going to be able to stop it. I see absolutely no point in pretending that it's not going to happen. 
I'm fully confident that copyright, for instance, will no longer exist in 10 years, and authorship and intellectual property is in for such a bashing."</span> So, if we do the math on this theory, the music recording/distribution industry will be non-existent by the end of 2012. I think it will change sooner than that.<br /><br /><span style="font-weight: bold;">RIAA in Court Today</span> (published 2007-10-02, updated 2008-07-22)<br /><br />The RIAA gets its <a href="http://recordingindustryvspeople.blogspot.com/2007/09/first-riaa-jury-trial-to-start-monday.html">first trip to the dance today</a> since starting its campaign to rid the world of the distribution of copyrighted material through technologies such as Peer-to-Peer. A trial is one thing that has not yet happened during the RIAA's 4+ year litigation campaign. Until <a href="http://recordingindustryvspeople.blogspot.com/2007/09/first-riaa-jury-trial-to-start-monday.html">today</a>... 
The outcome should be very interesting.<br /><br /><span style="font-weight: bold;">Extending design with multi-touch technology</span> (published 2007-09-30, updated 2007-09-30)<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://video.google.com/videoplay?docid=6379146923853181774"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 229px; height: 173px;" src="http://bp2.blogger.com/_uck1JJoTp5Q/Rv8u7RsMY1I/AAAAAAAAAGc/jcV3CIN8MAQ/s200/still00.jpg" alt="" id="BLOGGER_PHOTO_ID_5115859297612096338" border="0" /></a>From the early days of Wacom tablets and drafting digitizers to the introduction of technologies like the Wii controller and the <a href="http://www.apple.com/iphone/features/index.html#technology">iPhone</a> interface, the human's interaction with computing platforms is changing. The anticipation of the success of multi-touch technologies like that which is being developed by <a href="http://www.perceptivepixel.com/">Perceptive Pixel</a> and <a href="http://www.microsoft.com/surface/">Microsoft</a> is enough to kill me. Multi-touch technology, or surface computing, will enable designers and artisans to use computer technology to visualize and create on a computer as they would with a physical medium such as wood or clay. In order to fully understand the possibilities of multi-touch technologies like this, you'll need some experience working with popular design software like Adobe Photoshop, Maya and 3D Studio. Traditionally, these programs have depended largely on the usage of the keyboard and mouse as the primary working tool. After some time, touch pen tablets were integrated into design software, which ultimately increased the human touch factor. 
However, it did take some time for these devices to become useful. Don't take my word for it; visit <a href="http://www.billbuxton.com/multitouchOverview.html">this site</a>. Bill Buxton gives a pretty good history of the developments over the years. He also mentions some of the research that was done by the folks at Alias. The engineers and artists at Perceptive Pixel have pushed this usefulness into the next human-computing generation. You really have to see <a href="http://cs.nyu.edu/%7Ejhan/ftirtouch/">this</a> to believe it. I'm guessing 4-5 years before it's marketable and affordable, unless <a href="http://www.appleinsider.com/articles/07/03/13/apples_multi_touch_technology_seen_spawning_mega_platform.html">Apple</a> can beat everyone to it...<br /><br /><a href="http://www.microsoft.com/surface/">Microsoft</a> is claiming a consumer-ready surface computing product release by the end of this year!!<br /><br /><span style="font-weight: bold;">Linux Tools That Work</span> (published 2007-09-24, updated 2007-10-01)<br /><br /><span style="font-family: arial;font-family:verdana;font-size:100%;" >So, since I have been so tough on "Linux", I thought I would give credit where credit is due. 
After years of providing enterprise class Linux system support in every imaginable form, here are the top 5x3 most useful Linux tools IMHO. Most will be of the Fedora flavor, and most will work under any open source moniker. The catch is I'll be breaking the tools out into 3 different categories and 3 separate posts. The first is network security device/system, the second is the Linux as a server category, and the third is the Linux on a laptop category.<br /><br /><br /></span><span style="font-family: arial;font-family:verdana;font-size:100%;" ><span style="font-weight: bold; color: rgb(255, 204, 51);font-size:130%;" >Linux systems as a network security device:</span><br /><br /><span style="font-weight: bold;"><span style="color: rgb(255, 204, 51);">1)</span> </span>By far, the most useful firewall management tool for kernel 2.4+ Linux systems is <a href="http://www.fwbuilder.org/">FireWall Builder</a>. I first came across fwbuilder sometime in 2000, and it has made incredible progress since then. The best thing about fwbuilder is that it just plain works. Installation is easy, it has a very intuitive interface and it can support very complex NAT, prerouting and postrouting functions. It is an easy transition for those of you familiar with <a href="http://www.checkpoint.com/ngx/upgrade/index.html">CheckPoint</a>. (Not to mention, it makes Cisco PIX, ipf, and ipfw management pretty easy as well.) It's free for GPL'd OS users. 
Windoze users will have to pay. Don't change the "deny all" rule at the bottom of the default policies!! Allow only specific access to and from networks.<br /><br /><span style="font-style: italic; color: rgb(255, 102, 0); font-weight: bold;">Down side:</span> There are no log management tools or log analysis tools. However, you can prefix log lines.<br /><br /><span style="font-weight: bold; color: rgb(255, 204, 51);">2)</span> <a href="http://openvpn.net/">OpenVPN</a> is next on my list. It's an SSL VPN package that makes virtual private networking pretty easy. Setup is relatively difficult for the newcomer, and for the OpenSSL newbie, it's not for the faint of heart. There is also a nice little windoze package as well. I have had some trouble with tun/tap interfaces in the windoze world. Linux client setup is a snap if you are using <a href="http://www.gnome.org/projects/NetworkManager/">NetworkManager</a>.<br /><br /><span style="font-weight: bold; font-style: italic; color: rgb(255, 102, 0);">Down side:</span> If you get into a pinch, documentation is lacking, and usage is not very widespread so you'll need to dig around for answers.<br /><br /><span style="font-weight: bold; font-style: italic; color: rgb(255, 204, 102);">3)</span> <a href="http://www.snort.org/">Snort</a>, of course, makes this list. 
To <strike>use it in production</strike> rely on it, you'll need to get it as close to the asset as possible and jettison all of the rules you don't need. Don't put the device in the line of a major network intersection and expect anything useful. (<a href="http://www.sourcefire.com/products/3D">Sourcefire's RNA </a>does a great job of handling this situation.) Tune it for specific servers or services. For example, use windoze signatures in front of windoze hosts for specific applications. It's a great analysis tool; however, I won't leave it standing on its own. Use <a href="http://acidlab.sourceforge.net/">ACID</a> (great but dated), or <a href="http://base.secureideas.net/">BASE</a> which is still maintained.<br /><br /><span style="font-weight: bold; color: rgb(255, 102, 0); font-style: italic;">Down side: </span> Too many people expect it to work <span style="font-style: italic;">"out of the box". </span>Snort is a collection of tools and materials; you will still need to design and build the house.<br /><br /><span style="font-weight: bold; font-style: italic; color: rgb(255, 204, 102);">4) </span>The <a href="http://www.activeworx.org/Programs/HoneynetSecurityConsole/tabid/61/Default.aspx">HoneyNet Security Console</a> is one of my favorites. OK, I admit, I slid out of scope a little here, this one requires evil windoze and .NET, but the juice is all opensource. It provides great reports and correlation tools. Setup is straightforward, documentation is good and it will require other packages to work. 
It makes my list because if you intend to use Linux systems as your primary line of network security devices you will need something like HSC to analyze and respond to your security events.<br /></span><span style="font-family: arial;font-family:verdana;font-size:100%;" ><br /><span style="font-weight: bold; font-style: italic; color: rgb(255, 102, 0);">Down side:</span> Scalability of HSC is poor, usage is not widespread, and it is a reduced functionality version of a commercial tool.<br /><br /><span style="font-weight: bold; color: rgb(255, 204, 102);">5) </span>The last tool on my list is <a href="http://www.ntop.org/overview.html">ntop</a>. OK, another cross platform tool, but if it counts for anything I first started using this tool pre-<a href="http://www.winpcap.org/">winpcap</a> integration. Ultimately, if you plan to use a Linux flavored OS as a network security device, you'll want it to speak to you. ntop will do just that. Don't get me wrong, tcpdump is a great tool, but ntop will save you as a security analyst who depends on network security devices.<br /><br /><span style="font-weight: bold; font-style: italic; color: rgb(255, 153, 0);"><span style="color: rgb(255, 102, 0);">Down side:</span> </span> You may run into scalability issues. I would advise tighter scopes and close asset proximity</span><span style="font-family: arial;font-family:verdana;font-size:100%;" > placement.<br /><br />These are just a few security-type tools that I have found very useful over time. 
It's hard not to list tools like <span style="font-style: italic; color: rgb(153, 255, 255);">ngrep, tcpdump, or syslog-ng.</span> You'll find them in my tool bag, and they may make future lists, but for now these get the spotlight.<br /><br /></span><span style="font-family: arial;font-family:verdana;font-size:100%;" ><span style="font-weight: bold; color: rgb(255, 204, 51);"><span style="font-size:130%;">Linux systems as servers:</span><br /></span><br /><span style="font-weight: bold; color: rgb(255, 204, 51);">1) </span>The most flexible and useful server tools are rooted (pun intended) in the command line. Some tools are scripts, some are compiled code. The first to make my list is <a href="http://www.linuxcommand.org/man_pages/chkconfig8.html">chkconfig</a>. This is a very useful tool to get servers set up and to get the correct services running at the right run-level. A simple '</span><span style="font-style: italic; color: rgb(51, 255, 51); font-family: arial;font-family:verdana;font-size:100%;" >chkconfig --list | grep :on</span><span style="font-family: arial;font-family:verdana;font-size:100%;" >' will list all of the services that are currently set to run upon system startup, organized by run level. I believe chkconfig got its start in the BSD world and can be found in big unix OS's like <a href="http://software.majix.org/irix/admin-chkconfig.shtml">IRIX</a>. 
Fedora flavors can have an associated Python GUI through the '</span><span style="font-style: italic; color: rgb(102, 255, 153); font-family: arial;font-family:verdana;font-size:100%;" >system-config-levels</span><span style="font-family: arial;font-family:verdana;font-size:100%;" >' tool which can be used if you choose to admin your server through X.<br /><br /><span style="font-weight: bold; color: rgb(255, 204, 51);">2)</span> For the next useful tool, see <a href="http://www.fwbuilder.org/">FireWall Builder</a> above. :)<br /><br /><span style="font-weight: bold; color: rgb(255, 204, 51);">3) </span>If you don't log it, it didn't happen. Check out <a href="http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/">syslog-ng</a>. Syslog-ng provides a very flexible logging mechanism that goes beyond standard unix style syslog. This tool also supports logging to a database.<br /><br /><span style="font-weight: bold; color: rgb(255, 204, 51);">4)</span> <a href="http://www.tldp.org/HOWTO/LVM-HOWTO/index.html">LVM</a>. It was a wonderful day when file system tools and capabilities like this came to the Linux platform free of charge. The Logical Volume Manager tools are one of the handiest toolsets when you need to save a server from downtime. LVM is about managing and changing file systems on the fly. You can shrink and grow file systems without interrupting service, in most cases. LVM refers to a typical partition as a Physical Volume (PV). A Volume Group (VG) comprises one or more physical volumes. Each volume group must be divided into Logical Volumes (LV). 
You may also want to look at <a href="http://www.redhat.com/magazine/009jul05/features/lvm2/">LVM2</a>.<br /><br /><span style="font-weight: bold; color: rgb(255, 204, 51);">5)</span> Today, most Linux servers will have the last tool as part of a default installation. Regardless of that fact, this tool is by far the most useful tool in any admin's tool bag. I'm talking about the <a href="http://www.openssh.com/">OpenSSH2</a> protocol and the associated suite of tools. If you aren't using it, you should be. You could run the world through an<a href="http://www.openssh.com/"> OpenSSH </a>tunnel. Now that server processor speeds scream upwards of 3GHz, overhead is not an issue as it used to be. If you use this tool,<span style="text-decoration: underline;"> </span><a href="http://www.openssh.com/donations.html">Donate to Theo de Raadt.</a> <a href="http://www.openbsd.org/donations.html#people">I did</a>. With his leadership and the help of the open source community Linux server administration was forever changed. Now you can securely administer servers, transfer files and bypass security controls anywhere :)...<br /><br /><span style="color: rgb(255, 204, 51);font-size:130%;" ><span style="font-weight: bold;">Linux on a Laptop</span></span><br /><br /><span style="font-weight: bold; color: rgb(255, 204, 51);">1)</span> <span style="font-style: italic;">Coming soon...</span><br /><br /></span><br /><br />2007-09-24T10:22:00.000-07:00 2007-09-24T10:25:51.783-07:00<br />Linux, linux, linux... Wherefore art thou? The dilution of responsibility...<br /><br />Ok, I've been an avid linux user for a very long time now. I believe the first <a href="http://www.redhat.com/">RedHat</a> version I used was in the 4.0 release days. 
Before that I used some <a href="http://www.slackware.com/">Slackware</a> and played with <a href="http://en.wikipedia.org/wiki/SCO_Group">Caldera</a> of the same era. I can remember when getting X11 to run, after hours of head splitting compilers and library includes, was a huge accomplishment. Or, when the <a href="http://www.opensound.com/">OSS</a> sound drivers went from costly to free. I've seen the world open itself up to this wonderful caffeine and fructose fueled culture over the years. I have enjoyed being a part of it over the years. I even obtained an RHCE in 2001.<br /><br />What really grinds my gears is that even after all that time, after all of the input, innovation, useful code and cool new kernel trickery, Linux, in general, daily, personal computer usability terms, is <span style="font-style: italic;">STILL IN BETA</span>.<br /><br />Yeah, yeah, yeah... Oracle has certified on RHEL, IBM is doing this..., Novell and SuSE doing that ..., yada yada yada...<br /><br />BETA<br />BETA<br />BETA<br /><br />Let me tell you why. If you so dare to use a Linux platform beyond the configuration of a server, router or firewall be warned. (I feel very sacrilegious right now.) Simple things like USB mass storage devices may or may not work, the software support for the linux world still leaves much to be desired, and don't even get me started on wireless hangups, ACPI, HAL or hardware like laptops. SELinux is a great technology to enhance the security of your operating system. It's not so great if you don't want to take the time to <a href="http://www.selinuxproject.org/page/Documentation">RTFM</a> or seek a doctorate in Linux kernel API's, MAC's, the LSM and role based access control. It isn't the fault of "Linux" either. However, <span style="font-weight: bold; color: rgb(255, 255, 255);">"Linux" is the unfortunate victim of the cross between innovation and the dilution of responsibility. 
There are too many cooks in the kitchen and not enough consistency in the menu. In order to effectively use any of the current Linux platforms you have to be a good Linux cook and to be able to take care of your own plate. </span><br /><br />The biggest problem is that the counterpoint to this entire argument is that "yes" you can do it all with Linux. Believe me, I have, but I don't want to. I don't want to compile software anymore. I've already learned too much about libraries and includes, I don't want to continue this forever. I don't want to look for, and subsequently install rpms that contain some not so frequently used libraries in order to get some other tool to work. I don't want to spend my time with one terminal running <span style="font-style: italic;">"tail -f /var/log/messages" </span>and <span style="font-style: italic;">"strace"</span> or <span style="font-style: italic;">"ptrace"</span> in the other. I'm done with message board troubleshooting. I can remember when Deja News was the Google of the 90's. It was fun and exciting then. Now, it's just a pain in the neck.<br /><br />I just want an OS I can trust (tricky when it comes to closed source), one that I know the inner workings of and one that just plainly works. I just want it to work, without having to visit <a href="http://rpmfind.net/linux/RPM/">rpmfind</a>. I want an OS that digital cameras and USB printers can work together in bliss, while at the same time makes an excellent firewall or file server. I'm done. I'm switching to Apple and <a href="http://www.apple.com/macosx/leopard/">OSX</a> for a while. Maybe I'll have better luck with this platform.<br /><br />Don't get me wrong. Linux has been my ticket to success and understanding in many cases. 
I'm burnt out with having to RTFM just to use something as simple as a multi-function printer, or media devices and files (ah, the lost world of Linux and codecs).<br /><br />Here are some tips from a long time, avid linux user, and an RHCE to boot:<br /><br />1) Don't store important files under the root mount point (/). Linux is best used as a research platform. Expect everything under the system root to be temporary, don't use the main file system for long term storage. Place long term file storage on separate partitions or separate devices altogether. (This is good practice for any OS.)<br /><br />2) Contrary to many other resources, Linux platforms are not good media PC's. If you spend a lot of time working with music, video, or pictures you'll spend even more time finding and fixing the necessary resources and dependencies to work with such data. Use a Mac instead.<br /><br />3) Linux is not a business productivity tool. OpenOffice works, but you would be a fool to depend on it to get you through the work day. Every laptop/projector combo I've used has been different and some don't even work. If business productivity is a requirement make sure you check your favorite distribution's hardware compatibility list, or better yet use a Windows OS and get a laptop or desktop with one of those "Designed for Windows" stickers on it.<br /><br />4) Don't expect anything that you can buy at any major computer product retail chain to work with your favorite Linux distribution. Again, check your distribution's hardware compatibility list.<br /><br />5) Linux is best suited for a specific technology function. Set up the system for that function and leave it alone. You will stand a very good chance of the system outlasting the necessity of the function. For example, a firewall, a VPN device, a proxy server, a file server or a web server. Linux distributions are very flexible and dynamic if you want to spend hours working them over to be flexible and dynamic. 
However, be warned, that flexibility may end when some library or dependency changes without your knowledge. Anyone ever tried to run <a href="http://www.beryl-project.org/">Beryl</a> or <a href="http://compiz.org/">Compiz</a> with nVidia hardware? You can get it to work pretty well but compatibility and consistency are built like a house of cards.<br /><br />2007-09-20T18:31:00.000-07:00 2007-09-20T18:32:03.279-07:00<br />Get with the program, security spending in the wrong place<br /><br />I just read an article that covered a discussion on the subject of information security investments and return or ROSI. They focused on these questions:<br /><br /><span style="font-style: italic;">Are we spending enough to ensure the desired security posture? and How much security spending is enough? are asked in boardrooms of security conscious companies around the world. These questions are difficult to answer because today's spending is 'enough' as long as the enterprise is secure and 'not enough' the day after a security breach makes the headlines. What is needed today is a pragmatic approach for assessing the current security posture and determining whether security spending is in fact enough to sustain the state of security.<br /><br /></span>Sustain the state of security?? You've got to be kidding me. I want to get to a better place, not sustain the state. I am disappointed to know that CSO's in such high positions and companies like <a href="http://www.intellitactics.com/reg.asp?PageID=84&amp;rpid=53">intellitactics</a> still support, practice and attempt to run a security program based on this reasoning. 
Please step aside...<br /><br />The fact of the matter is that over the past 10 years security spending has significantly increased, while at the same time so has the cost of poor security. Sensitive records continue to end up in the wrong hands. Companies are still being vaporized even after spending millions on these so-called security programs.<br /><br />Why is that? Because we will not solve the problem in the <span style="font-style: italic;">name of security</span>. It shouldn't be "security" spending. The problem isn't that we need to strike a balance between security spending and risk. The problem is poor process, poor products and poor management. Talking about ROSI only works to treat the symptoms. It can be compared to fixing a leaky roof by painting the ceiling; once water has found a way in you can't stop the damage with paint. We will not be successful if you don't focus on the issue at hand, you're going to have to get up on top of the roof and fix the problem.<br /><br />Spending should be directed toward better business process and education and it should be done in the name of the business, not security. Organizations must hold their product vendors responsible for delivering good product, not crappy product that requires a fix once a month or once a quarter. Imagine having to take your car in every month because some part or component failed. I bet you would eventually get rid of the car. 
<span style="font-style: italic;">"There are three alerts this month for your new Hum-esccal-excursion, the brakes will fail if you go over 55MPH, the steering wheel will collapse if left in the sun too long, and the fuel line was inadvertently open which could allow debris to enter the line which could result in catastrophic engine failure above 55MPH."<br /></span><br />Security industry's response: Increase spending to buy a tow truck to take this hunk of junk to the destination...<br /><br />2007-09-17T13:19:00.000-07:00 2007-09-17T13:20:13.570-07:00<br />First Post<br /><br />Let's get this off on the right foot.