- LJ Index, November 2010
- Hacking, Old-School
- Boxee Scores a Knockout
- diff -u: What's New in Kernel Development
- Non-Linux FOSS
- Where's My CD?
- Drobo Shmobo
- LJ Store's Featured Product of the Month: May the Source Be with You T-Shirt
- They Said It
- Security at LinuxJournal.com
LJ Index, November 2010
1. Thousands of Google hits for “Android Tablet”: 1,320
2. Number of Android Tablets available in the US, as of Q2 2010 (including the Archos 7): 1
3. Number of confirmed/available/rumored Android Tablets, as of Q2 2010: 45
4. Thousands of Google hits for “MeeGo Tablet”: 216
5. Thousands of Google hits for “Windows Tablet”: 423
6. Number of BOINC-based projects (such as seti@home) currently available: 36
7. Number of top-level Apache Software Foundation projects: 77
8. Percent of Web sites that use Google Analytics: 54
9. Percent of Web sites that use Google AdSense: 31
10. Percent of Web sites that use DoubleClick.net: 28
11. Percent of blog sites that use WordPress: 86
12. Percent of CMS sites that use Drupal: 41
13. Percent of CMS sites that use vBulletin: 17
14. Percent of CMS sites that use Joomla!: 9
15. Percent of eCommerce sites that use IBM Websphere Commerce: 40
16. Percent of eCommerce sites that use Yahoo Store: 15
17. Percent of Web sites that use UTF-8: 63
18. Percent of Web sites that use ISO-8859: 37
19. Percent of Web sites that use Apache: 61
20. Percent of Web sites that use IIS: 22
1, 4, 5: Google
2: Common knowledge
Hacking, Old-School
When you mention hacking to the general public, the image most people think of is a nerdy guy breaking into a computer system from his bedroom. This month, I take a look at some of the tools available to do exactly that. Of course, this is for information purposes only, so please don't do anything nasty. Remember, with great power comes great responsibility. Most people have heard of tools like Nmap or Nessus, but here I look at some other available tools for playing with networks.
The granddaddy of network utilities is tcpdump. This utility simply listens to all network traffic going by and records the packets for later analysis. If you have more than one network interface, you can select which one to listen to with the option -i interface. By default, tcpdump puts your network card into promiscuous mode, so it can record all packets that exist on the network cable. If you want to limit the packets recorded simply to those destined for your machine, use the -p option to turn off promiscuous mode. Lots of options are available to tcpdump, so check out the man page for more details.
Say you want to find out what machines exist on your network. Several tools can do this by actively sending out queries on the network. The problem with this technique is that you end up creating traffic on the network, which may be noticed by a good network administrator. A way around this is to use the tool p0f. This utility uses passive techniques to try to guess what machines exist on the network and properties about those machines. If you have more than one network interface, you can select which interface to use with the option -i interface. p0f can work with tcpdump files. If you have a tcpdump file that you created earlier, you can make p0f use it rather than live capture with the -s file option. You also can use p0f to record network traffic into a tcpdump file with the -w file option. If you're using p0f in a script, use the -o file option to dump the output into a text file for later perusal.
By default, p0f looks only at network packets that are addressed to the machine where it is running. To look at all the packets that go by on the network, you need to set the card into promiscuous mode with the -p option. By default, p0f sees machines only when they open new connections. You can try to guess what's going on with already-opened connections with the -O option. This option can generate a lot of data, so you probably won't want to use it for an extended period of time.
More and more often, machines actually are located behind routers and NATs, so they don't really show up as individual machines. You can try to identify these types of machines with the -M option. This uses the masquerade-detection algorithm to try to identify individual machines in these situations.
Once you know what machines exist on the network, you may be interested in what traffic is traveling to those machines, as well as who is generating this traffic. You can use dsniff to see the user names and passwords being used to access services on the network. It can handle many different protocols, such as FTP, HTTP, POP, IMAP, X11 and many others. You can tell dsniff on which interface to listen with the -i interface option. Like most network tools, you can read previously recorded network data with the -p file option. Alternatively, you can use dsniff to record the network data rather than parsing it with the -w file option. You can enable automatic protocol detection by using the -m option. This can give you some of the gory details about people on your network.
Now that you know some details about your network, and the people on it, you may want to check the security of some of the services provided. Web servers are one common target for security problems. You can use the nikto tool to assess your Web server's security. Select the host with the -h hostname option. If you have a series of hosts you want to check, place the hostnames (or IP addresses) in a text file, and hand them to nikto with the -h file option. The default port nikto looks at is port 80. If you want to check out a Web server on some other port, simply use the -p port option. Tons of extra options exist in terms of what specific security issues to test for, far too many to mention here. See the manual at the project's home page for more information (cirt.net/nikto2).
The hack I cover this month is how to check your own backyard. Many people will use this kind of knowledge for nefarious purposes. A utility you can use is chkrootkit. This utility analyzes your systems and tries to determine whether they've been tampered with. You can get a list of the tests it can perform with the -l option. With the standard install on my Ubuntu box, chkrootkit has 69 available tests. You can check things like whether ls has been infected, or you can check for evidence of rootkits that may have been installed. Hopefully, you won't find anything when you run chkrootkit.
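chkrootkit reports one result per test, so routine use comes down to spotting the results that need review and the ones that changed since the last run you checked by hand. The script below is an added example, not part of the original article: the sample output is constructed, the "Checking `test'... result" layout and the INFECTED / PACKET SNIFFER markers are assumed from chkrootkit's usual output, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: triage chkrootkit results and compare them with a saved baseline.
# Sample data is constructed; the "Checking `test'... result" layout is assumed.

baseline_sample() {   # constructed: an earlier, already-reviewed run
cat <<'EOF'
Checking `ls'...                 not infected
Checking `ps'...                 not infected
Checking `bindshell'...          INFECTED (PORTS:  465)
Checking `lkm'...                chkproc: nothing detected
EOF
}

current_sample() {    # constructed: today's run, where the ls result has changed
cat <<'EOF'
Checking `ls'...                 INFECTED
Checking `ps'...                 not infected
Checking `bindshell'...          INFECTED (PORTS:  465)
Checking `lkm'...                chkproc: nothing detected
EOF
}

# Reduce raw output on stdin to sorted "test|result" records.
normalise() {
  sed -n "s/^Checking \`\([^']*\)'\.\.\.[[:space:]]*\(.*\)\$/\1|\2/p" | sort
}

# Records whose result needs a human look (assumed markers).
flagged() {
  normalise | awk -F'|' '$2 ~ /INFECTED|PACKET SNIFFER/'
}

# changed_since FILE: records in the run on stdin that differ from the raw run in FILE.
changed_since() {
  cur=$(mktemp) && base=$(mktemp) || return 2
  normalise > "$cur"
  normalise < "$1" > "$base"
  comm -13 "$base" "$cur"
  rm -f "$cur" "$base"
}

# Demo on the constructed samples. On a real host (hypothetical file name):
#   chkrootkit > baseline.txt   # once, after reviewing the results
#   chkrootkit | changed_since baseline.txt
saved=$(mktemp)
baseline_sample > "$saved"
echo "Needs review:";           current_sample | flagged
echo "Changed since baseline:"; current_sample | changed_since "$saved"
rm -f "$saved"
```

Comparing against a reviewed baseline keeps results you have already investigated from drowning out a test that has newly changed.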
Now you have a few new tools you can use to play around with your networks. Hopefully, you won't find anyone doing anything nasty. And remember, if you are going to use these tools, be sure you have permission before you do anything that might be frowned on. Other than that, hack away and keep learning.
Boxee Scores a Knockout
One of my passions is seeking the holy grail of the home-entertainment center. I've often written about creating the perfect media-center PC, and I've tried almost every set-top box ever made. They all seem to be limited in one area or another—whether they lack in the playback of local media (Roku and PS3) or don't stream on-line content from Hulu and Netflix (XBMC, ASUS O-Play and GeeXboX).
Enter Boxee. My first experiences with Boxee were not great. I was disappointed with the interface, it locked up more than not, and its various media-playing abilities were awkward and hard to navigate. Recently, however, the Boxee software has matured to the point that it's a viable and beautiful media center. Although Boxee's Linux version is unable to play Netflix, due to Netflix's dependence on Microsoft's Silverlight, the interface's usability will pave the way for wide acceptance of the Boxee device being built by D-Link (assuming when it ships it can play Netflix, that is).
My advice is to play with Boxee now, and watch for our review of the sub-$200 box when it ships. If the software is similar to what you can download today, we may have a new heavyweight champion!
diff -u: What's New in Kernel Development
David Airlie has said that he won't accept any DRM (Direct Rendering Manager) drivers from companies that release only an open-source-crippled version of the driver, so they can layer their proprietary user-space version on top. Amazingly, he came under criticism for that from people accusing him of playing to his employer's (Red Hat's) business interests. He denied it, and several other folks also said David wouldn't do that. Personally, it seems to me that David is just upholding a solid open-source ethic. There are real technical reasons why layering proprietary user-space code over a crippled kernel driver is not the best way to go. At the same time, it's not clear how to prevent companies from doing that. If they add a certain level of functionality, the driver will make it into the kernel, and then they still can put their proprietary enhancements on top. We'll be seeing this debate heat up in the near-to-middle term, because of all the 3-D video drivers that soon will be flooding the world.
It looks like the console code is going to receive a major overhaul in the near future. Mattia Jona-Lasinio wrote up an in-kernel VT102 emulator, which essentially was rejected on the grounds that everything it did could be implemented as an enhancement to the console code. Not only that, but as Alan Cox pointed out, there's a whole big pile of 3-D graphics people who very much want the kernel console code to be revamped and enhanced. James Simmons also has been interested in fixing up the console code, so it looks as though he and Mattia are going to work on it together. They each compiled big lists of things that would be very good to fix, and in spite of the daunting complexity, it does seem as if they're going ahead with it. And, with the blessing of someone like Alan Cox, it seems like they'll have a lot of support for getting their code ultimately into the kernel.
Once in a while a strange and funny thing crops up on the mailing list. This time, a completely anonymous person suggested implementing Kademlia at the kernel level. Kademlia is a peer-to-peer networking protocol used for creating large, anonymous data-sharing networks. The anonymous person suggested that with Kademlia at the kernel level, it would obviate all the user-space implementations and allow all Linux computers to become one with the universe, in an immense, all-powerful file-sharing service that could never be stopped! Unfortunately for this plan, a lot of folks pointed out that the existence of plenty of user-space implementations of Kademlia was a good indication that there was no need to stick it into the kernel. So, the anonymous person went away unsatisfied.
Nick Piggin has started a new git repository, just to house patches for scaling the VFS (Virtual Filesystem). One patch on the system helped make name lookups go much faster by reducing the amount of data movement that had to happen for each lookup. VFS speedups are great because all filesystems rely on the VFS for fundamental operations. A speedup in the VFS means a speedup for every filesystem out there.
Non-Linux FOSS
Back around 2002 PD (Pre-Drupal), the Linux Journal Web site ran on PHP-Nuke. PHP-Nuke is no longer free software, so it seems fitting that there's a free and open-source CMS for the .NET platform named DotNetNuke (aka DNN). The DNN Web site claims that DotNetNuke is “The most widely adopted Web Content Management Platform for Microsoft .NET powering more than 600,000 Web sites.”
The open-source version of DNN is known as the community edition. In addition to the community edition, a number of nonfree versions are available that provide extra functionality and technical support.
DNN is extensible via add-on modules. The community edition includes 25 add-on modules, and there is a DNN Forge that contains additional modules and skins. There's also a separate site (snowcovered.com) that contains more than 8,000 third-party modules and skins for sale.
DotNetNuke is written in VB.NET, but because it is based on the .NET platform, any .NET language can be used for writing add-ons (although VB programmers and C# programmers normally don't hang out together). There is some indication in the forums that DNN will run on Mono, but expect a bumpy road if you try.
DotNetNuke is licensed under an MIT License (although in some places it mentions a BSD license), and licensing and copyright monitoring is managed actively.
Where's My CD?
I don't like to take my music collection to work. Don't get me wrong. I like having access to my Jonathan Coulton and Weird Al Yankovic albums when I'm troubleshooting servers, but I don't like having my personal music collection stored on a work computer. It just gives me the heebie-jeebies. Thankfully, with a broadband Internet connection and a little bit of work at home, I can stream my personal collection anywhere I happen to be sitting.
More options probably exist, but the two I generally fiddle with are kPlaylist and Jinzora. Both have matured during the years, and both can stream your music collection a number of different ways—even with a Web-based Flash player in a pinch.
Granted, setting them up can be a little tough, but having your music collection available anytime and anywhere is worth the effort. In fact, if you're really a tinkering sort of person, it's possible to get them to stream your video collection as well. To be fair, your boss might be a little more annoyed if you're watching your favorite television show than if you're listening to music, but it's still nice to have the option.
Drobo Shmobo
Last month, I mentioned my new Drobo FS, which is a Linux-based NAS device from the folks at Data Robotics. Although I'm still moderately impressed with its functionality, I find myself frustrated at its limitations. Don't get me wrong; if you're just looking for a place to store lots of data, the Drobo FS is great. Unfortunately, I want a little bit more. For those of you considering a Drobo FS, or something similar, let me suggest the following: build your own.
Really, it's not that difficult. What I've done is taken the five 2TB drives out of the Drobo FS and placed them into a desktop tower. As long as your desktop's power supply is big enough to handle six SATA drives and has a gigabit Ethernet port, the setup is fairly simple:
1. Install your favorite distribution onto a sixth, smaller, SATA drive.
2. Create a software RAID5 partition with the five large drives.
Granted, you lose the fancy Drobo mismatched drive ability. Yes, upgrading storage isn't quite as simple. True, in the event of a hard-drive failure, you'll have to do a little command-line work, but just think of the benefits. Any program you want to run on the server is as easy as an apt-get or yum away. Heck, install a VM system (I'm using VMware Server), and you even can spin up another operating system within your SuperNAS!
Building your own NAS might not be for everyone, but if you're reading Linux Journal, perhaps you're the perfect candidate. Be sure to search LinuxJournal.com for information on software RAID and installing virtual machines. Chances are, you'll enjoy building your own NAS, and you even might save some money!
LJ Store's Featured Product of the Month: May the Source Be with You T-Shirt
The force is strong with this 100% cotton T-shirt featuring Tux the penguin.
Regular price: S–XL: $19.95; XXL/XXXL: $20.95
Sale price: S–XL: $14.95; XXL/XXXL: $15.95
Coupon code: luke
Sale ends November 30, 2010.
Buy yours now at www.linuxjournalstore.com.
They Said It
Moore's Law has been the name given to everything that changes exponentially. I say, if Gore invented the Internet, I invented the exponential.
There are 10 types of people in the world: those who understand binary, and those who don't.
URLs are the 800 numbers of the 1990s.
UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity.
Almost everybody today believes that nothing in economic history has ever moved as fast as, or had a greater impact than, the Information Revolution. But the Industrial Revolution moved at least as fast in the same time span, and had probably an equal impact if not a greater one.
If with the application base, with the tools that we have, with the user understanding and momentum and everything going on, we can't compete with...whatever the weird collection of Android machines is going to look like, shame on us.
—Steve Ballmer, Microsoft CEO
Security at LinuxJournal.com
This month's issue is all about hacking, but as we all know too well, hacking is not always a good thing. Sure, sometimes it can mean taking apart your Roomba and making a toy for your hamster, or it can mean finding a creative solution to a technical problem. Unfortunately, it also can mean violating a secure system and generally wreaking havoc. Fortunately, LinuxJournal.com has some valuable information that may help you avoid such a situation. You may notice an area on the right side of the page with a list of topics we are particularly interested in. Right now, one of them is security, and we think you'll find this section incredibly valuable. Here you'll find a variety of news, tutorials and opinions about what's relevant in Linux security. Check it out at www.linuxjournal.com/tag/security, and as always, happy (and safe) surfing!