I recently bumped into an article written by Steve Smith, MD of IT Security firm Pentura. After reading only the 1st paragraph, I already came to the conclusion that either Mr. Smith is clueless or purposely disseminating falsehoods about OSS security. The rest of the article is an abomination peppered with inaccuracies and complete rubbish. The real kicker is that this article was hosted by the British Chartered Institute for IT (BCS) ITnow magazine. It’s quite strange for a supposedly decent industry body to associate themselves with such trash but looking through the comments from BCS members, it’s quite apparent that the BCS is no longer the body it used to be.
Let’s first take a look at BCS’ about statement:
BCS, The Chartered Institute for IT, promotes wider social and economic progress through the advancement of information technology science and practice.
How does one ‘promote wider social and economic progress’ by writing ineffectual articles like this one? Surely incorrectly disparaging OSS security ( as Steve appears to have done – I actually still don’t understand the point of this article ) does nothing to further the BCS’ agenda. Unless there is an ulterior motive here. It’s well known that FOSS software is a driver for economic and social progress – just look at its use in 3rd world countries and the benefits it brings to those areas of the globe. Does Steve really think that Rwanda, for example, can afford Microsoft’s software? And if they can’t, should they just forgo the ability to take part in the wider global Internet and computing culture? Of course not; FOSS gives everyone an equal footing! Anyone can, using FOSS, do anything others do with proprietary software. And often more.
These FOSS users don’t have to spend a fortune on 3rd-party software to try to secure their systems from security-poor proprietary products, nor are they at the mercy of those vendors’ belated security patches that don’t even address all the issues on that platform.
Second, let’s take a quick look at some of Steve’s statements:
Experts do not agree about open source security in terms of whether there is an advantage or disadvantage to its use in the business world.
Er, yes they do Steve; any security expert worth their salt knows that OSS has the lead over proprietary software in terms of security – have you not read the code quality reports coming from Coverity and others?
By its very nature, open source applications expose the source code used to write programs to examination by everyone, both attackers and defenders. Experts argue that keeping the source code closed provides an additional layer of security through obscurity.
They do? Where are these experts that you’ve consulted Steve? Come on Steve, the security by obscurity view was debunked and floored years ago already.
Although Microsoft has become very efficient and transparent with their security vulnerabilities, this still leaves a window of opportunity for anyone who has discovered a security flaw prior to a patch being issued to exploit the vulnerability.
That’s a joke or sarcasm I presume? Do you call it efficient when Windows users wait months and sometimes years for patches to security issues? Is Microsoft being transparent when they don’t respond to notifications of security issues in their software?
And so it goes on …
What’s quite interesting is that Luke Leighton’s critical ( yet entirely valid ) response in the comments section was watered down to a serious degree – BCS, are we no longer adults that we can decide for ourselves? What’s with the censorship? BCS says in response to the editing:
BCS is absolutely against censorship, but as a professional organisation we have a responsibility to remove expletives, profanity and any comment which could potentially be construed as libellous from our site.
What? Huh? You’re not serious …
Luke’s complete response is available on the advogato site. I leave you to make up your own mind but I’m sure you’ll come to many of Luke’s conclusions. And mine. Steve, are you in the employ of Microsoft? Or are you just plain ignorant about OSS security?
Slackware releases are like a big shiny new birthday present for me ( in fact mine’s just around the corner, hint hint ) even though I follow -current mostly. It means that the distro is at a point where new packages have been added, others upgraded and bugs worked out. And Patrick, and the rest of the dev gang, are happy …
What’s new?
One of the views of Slackware in the past has been that it’s reliable and stable, but older versions of packages are used in a bid to combat instability in newer package releases. While that has been true in the past, I’ve found that since 13.0 especially, Slackware has been released with more up-to-date packages while retaining its stability.
The big upgrade in this new release is the move from the KDE 4.2 series to 4.4 with PolicyKit ( thanks to Eric Hameleers for all his KDE dev releases ). While some may not notice, there are performance, feature and stability improvements in this upgrade that make this ‘new’ desktop environment even better than before. Read H Online’s 4.4 review for more information.
The kernel is now at a 2.6.33.4 level, gcc at 4.4.4 and glibc at 2.11.1. X is updated to 1.7.x along with all the accompanying drivers, thanks to Robby Workman.
All the security apps have been updated, with OpenVPN now being included by default, and the LAMP stack is at Apache 2.2.15, PHP 5.2.13 and MySQL 5.1.46. The CUPS package has had usblp support added back in, something that a number of people were looking for. Relatedly, the hplip package has ijs support again. Firefox, Thunderbird and Seamonkey are at their latest releases – I was hoping Thunderbird 3.1 would be released before Slackware 13.1 but no matter, as I’m sure it will be in -current soon.
In other news, the libv4l package has been replaced by v4l-utils, bittornado and emacsspeak are in /extra, /dev/sr0 is now searched for install media before the old IDE devices, JDK and JRE are at Update 20, Amarok 2.3.0.90 is in /testing and firmware for a number of wireless devices has been added/upgraded.
In general
I won’t rehash information from my previous reviews except to say that the stability, robustness and performance carry on from previous releases. Slackware continues to perform well in both server and desktop roles with support for most current desktop technologies ( bluetooth, wireless, etc. ) and server-side services and development. Don’t expect to find the customisations you’ll find in other mainstream distributions – Slackware is raw and to the point.
The ncurses-based installer hasn’t changed ( much ) while the newer txz package format gets support from 3rd-party solutions like Gilbert Ashley’s excellent src2pkg tool. The GSB project is tracking ( according to their website ) 13.1 closely and hopefully we can expect a release of this Gnome add-on to Slackware soon. In the meantime, a dev version of 2.28 is available from them. The Dropline Gnome and Gware projects appear to have stagnated as there is no recent news from them.
Many of the audio-video libraries I would have previously compiled manually are now included by default which makes Slackware very capable from a desktop audio point of view. These include libraw1394, libmsn, libdiscid, mpg123, libmtp, loudmouth, fftw, liblastfm and others.
64-bit support, introduced in Slackware 13.0, continues to mature in 13.1 and Eric Hameleers is tracking the mainline development effort with his MultiLib libraries very closely ( even when on holiday! ), allowing one to run a combined 32- and 64-bit system without too much extra effort.
Those who mirror the -current tree can go to sligdo for a method of generating ISOs.
Conclusion
Having built a number of 64-bit 13.0 servers in recent months, I can confirm that no issues have cropped up with the addition of the 64-bit version and these machines are running beautifully. My own 64-bit MultiLib desktop remains a pleasure to use even on slightly older hardware ( yes, time to upgrade ). Slackware, on the whole, retains a vibrant end-user community with many blogs, websites and forums dedicated to this venerable distribution. One of the busiest places on the ‘net is the LinuxQuestions forum where many Slackers hang out.
13.1 continues the Slackware tradition of a simple, no-frills, reliable distribution for those wanting a rock-solid Linux implementation, and also those wanting to learn the ins and outs of Linux. Thanks to Pat and everyone else involved in this wonderful project – support them through the Slackware store if possible so we can continue getting our Slackware fix.
Apparently the MPEG-LA forum, which manages a pool of patents relating to H.264, thinks that any implementation of video will be encompassed by one or more patents from its patent pool. Not only does this reek of megalomania, but it also shows just how far downhill the US patent system has gone. It also shows how monopolistic the MPEG-LA forum is.
Nero has come out fighting, detailing a host of issues with MPEG-LA and its practices. Google has released the VP8 codec as an open source, royalty-free competitor to H.264 ( as part of the new WebM initiative ) and if it gains traction in its YouTube system, then many may flock to Google’s banner. Firefox and Opera have support for WebM in their latest test browsers and Microsoft has indicated they will support playback in IE 9 if suitable software is installed on the machine.
The question to ask is just how real MPEG-LA’s threats against VP8 are. I think we’ll see a battle royale in the next few months, with the money-printing MPEG-LA trying to hold on to its little corner of gold.
I’ve had a few queries on setting up Slackware64 Multilib as well as GSB with -current. It’s not difficult at all but just requires one to follow a strict set of steps.
Multilib
Eric Hameleers ( Alien ) has the definitive write-up on Multilib on his site; however, I’ll provide a short synopsis here for the impatient.
The first thing to note is that you need a set of Multilib-enabled gcc and glibc packages available on Eric’s site. These need to coincide with the version of Slackware you are running so make sure you get the correct packages:
Slackware64 13
Slackware64 -current
Once downloaded, install using:
upgradepkg --reinstall --install-new *.t?z
Now we need to create 32-bit compat packages from an existing 32-bit installation tree. Have a 13.0 or -current tree available, make a directory somewhere for this purpose and:
massconvert32.sh -i /path/to/slackware-13.0/slackware/
Once this is done, install using:
installpkg *-compat32/*.t?z
Add glibc and gcc as exclusions to your package manager to make sure the Multilib-enabled versions do not get overridden. Upgrades are done the same way except the compat packages, once generated, are installed using:
upgradepkg *-compat32/*.t?z
GSB
GSB is almost tricky but not quite. There are no -current packages at the moment; however, the last 64-bit GSB available ( 2.28.1 ) works ok on Slackware64 -current. You may also need to get some of the 32-bit packages from this version – YMMV. The GSB site lists info relating to 2.28 and 2.30 for Slackware 13.1 so keep checking the site for updates.
Upgrade to kernel 2.6.33.4, gcc 4.4.4 and glibc 2.11.1. JDK 6u20 in extra and usblp back in cups
A recent posting on the Blog of Helios prompted me to write a short and simple definition of Linux that might be useful for current non-users of this operating system. It is however a difficult definition in the context of what people already know. And the fact of the matter is that what the general computer-using population knows about operating system platforms, is limited.
I often get calls from Windows desktop users about something not working. What is not working? “Well it’s something in Microsoft” they might say. Microsoft? Is that Microsoft Office, Windows, something else? Well they’re not sure, but it’s when they are trying to type a document. Ok, so that’s Microsoft Office Word then. What browser are you using? It’s the one with the blue e on the icon. Internet Explorer. What email client do you make use of? Microsoft. Is that Outlook or Outlook Express? Note I’m just using the Windows platform as an example, however this problem is not limited to that platform.
If general Windows users have difficulties on that platform, what chance do they have with Linux? And why the confusion in the first place?
Let’s try to answer these 2 questions …
What is Linux
Linux is a software platform that includes a kernel which controls and manages the computer itself, utilities which allow you to perform general tasks like file management and application launching, and applications themselves which allow you to get actual work done ( eg. word processor, email client, web browser ).
The original operating system ( to be exact, the kernel ) itself was started by Linus Torvalds, a Finnish student, in 1990, who was frustrated with the licensing of another OS called Minix. Together with the GNU toolset ( a bunch of OS-independent user tools ) and development tools, GNU/Linux as a complete operating system platform was born.
Unlike Microsoft Windows, which comes in only 2 forms ( desktop and server ), Linux is packaged in the form of distributions, which put the Linux kernel, GNU utilities and other useful applications together. There are many distributions, some which cater for general use, some orientated towards audio-video use and others for supercomputing purposes. There are about 10 to 20 distributions which are used in mainstream desktop and server environments, the most popular of these being Ubuntu, Mandriva and Fedora ( for desktop use ), and Red Hat Enterprise Server/RHEL, Centos and Suse Linux Enterprise Server/SLES ( for server use ). An important difference vs commercial OS platforms is that Linux distributions typically provide all the day to day applications that you would use, therefore it’s fundamentally different to something like Microsoft Windows, where you only get the operating system and some utilities.
The Linux kernel itself and the GNU toolset are FOSS – free and open source software. This means that although they have a license and are copyrighted, the style of the license means anyone is free to copy, use and alter this software, as long as one keeps to the terms of the license. Typically this includes something as simple as making sure the license is transferred with each copy, and that original and subsequent authors are acknowledged.
But how can you give something away for free if it’s copyrighted? I’ve been paying for my Windows and Office software all along …
Copyright fundamentally means that someone can assert the right to be acknowledged as the author of a particular creation. It does not imply that something can’t be given away for free, as much of the bumf from music, movie and publishing concerns would have us believe. So yes, you can have copyrighted software that is free.
There’s also the misconception that Linux is difficult to use. From a server perspective, this may have some validity ( although not much ), however, from a desktop point of view, Linux is as easy to use as competing platforms like Microsoft Windows and MacOS X. It’s just different – and it’s this difference that many confuse with difficult. There’s also the matter of change – human beings are comfortable with what they know; change is never easy because of this.
One important point to remember though is that because Linux is a different platform to Microsoft Windows, it will not run Windows applications natively. Most Windows applications have an equivalent in Linux so this is not a big problem. There is also the possibility of running Windows applications under emulation.
Some examples of FOSS application equivalents:
- Microsoft Office = OpenOffice
- Internet Explorer = Firefox
- Outlook = Thunderbird
- Photoshop = Gimp
Linux has some distinct advantages over other platforms:
- very secure and low attack surface for viruses and other malicious code
- good stability and reliability
- OS-integrated application installation/management system
- good performance on old equipment / low resource requirements
- free / low cost
How do I get support for something that is free? FOSS support is provided by the same community that develops the software as well as the user community around it, through forums, newsgroups, mailing lists and other methods. If that is not suitable, then many of the larger FOSS projects have commercial support options available.
FOSS in general
The Helios project is a group of volunteer Linux users in Texas, USA who refurbish old donated computers, install Linux and other FOSS applications on these machines, and deliver them to needy, impoverished and foster kids in that state. The financial cost to these volunteers is low because FOSS allows them to have an almost zero product cost. This is something that’s not possible with commercial software. And there are many other groups around the world that do work similar to the Helios group.
FOSS lowers the entry barriers to less fortunate people and communities, removing what is arguably the biggest cost of owning a computer – commercial software. This helps with social development, upliftment and education, by giving less fortunate people access to tools they would not have had before, allowing them to create, communicate and distribute.
While FOSS and Linux are typically ‘free’, this does not mean that the quality of this software is compromised in any way. In fact it’s well acknowledged that FOSS software is generally of a higher standard than commercial software, due to the nature of the Open Source development process. A study by Coverity ( a commercial vendor of code analysis tools ) in 2009 found that the Linux kernel and some other notable FOSS projects had 10x fewer code errors than competing commercial equivalents.
Why the confusion?
At the start of this article, I asked why users were confused about what OS or applications they were using. An analogy: to drive a car on a public road, one needs to pass a driver’s test. This involves theoretical and practical training, after which one has a reasonable grasp of the concepts involved as well as some baseline experience to use in the act of driving itself. Using a computer is an altogether different proposition – one goes to the computer store, buys the computer and starts using it. This does not mean, however, that one is proficient in the use of that computer; hence the lack of general knowledge amongst casual computer users.
This issue is platform-independent, yet the stigma remains that FOSS and Linux are more difficult to use. Difficulty is not necessarily determined by what platform you use, but rather the training you receive in the use of that platform.
So take the time to learn something new today, about whatever platform you are using …
It seems that SCO’s litigation engine has been running forever ( 7 years now ) and they exist only to litigate. But it appears that a jury-led decision agreeing with Novell being the rightful copyright holders of Unix has finally put paid to any serious action by SCO. Perhaps we can all get on with our business now …
It looks like DNSSEC is being implemented at the root level world-wide. Almost 2 years after the first country level signing ( .se for Sweden ), the K-, D- and E-root servers operated by RIPE, University of Maryland and NASA respectively, started root signing this past week. 7 of the 13 root servers now supply DNS record signing.
The DNS Security Extensions protocol, called DNSSEC in short, is designed to provide improved DNS security. DNSSEC uses cryptographic signatures to authenticate the responses to DNS queries, which will prevent attackers from forging responses via security holes in the DNS protocol, such as those described by Dan Kaminsky (cache poisoning). With this protocol, a response to a DNS query is only accepted as authentic if the signature made with the zone’s private key verifies against the zone’s published public key. However, signatures can’t be validated during the introductory phase. As a result, initially it will be unlikely that users notice the introduction of DNSSEC on the RIPE root server. While the response packets containing the signatures will be significantly larger, experts say that this doesn’t present a problem if the respective resolvers are implemented correctly. For the time being, users will also still be able to access one of the remaining 6 root servers without DNSSEC. ICANN, VeriSign and the NTIA decided on this gradual transition as a precautionary measure.
Personally I think this has been a long time coming. I had an excellent 2-day training course on DNSSEC with BIND a year ago ( courtesy of coza/Uniforum ) and it’s good to see the hard work of many engineers coming to fruition. Considering the amount of negativity as recently as a year ago, especially from the commercial root server operators ( read Verisign and co. ), it’s great to see DNSSEC in action.
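The chain of trust the post describes rests on one link repeated at every delegation: a parent zone publishes a DS record that is a hash of the child’s DNSKEY, and a validator only trusts a DNSKEY that some DS covers. The following is an added example, not code from the post or from any DNSSEC implementation; it implements the RFC 4034 key tag, the canonical owner-name encoding and the SHA-256 DS digest over a constructed (not real) DNSKEY for the hypothetical zone example.test, and omits the RRSIG signature verification step, which needs an RSA/ECDSA library.

```python
import hashlib

# Constructed DNSKEY RDATA for a hypothetical zone (NOT a real key):
# flags 257 (Zone Key + SEP bits), protocol 3, algorithm 8 (RSA/SHA-256),
# followed by 64 placeholder public-key bytes.
ZONE = "example.test."
DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x08]) + bytes(range(1, 65))

def canonical_name(name):
    """Owner name in canonical wire form (RFC 4034 s6.2):
    lowercase, each label length-prefixed, terminated by a zero byte."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def key_tag(rdata):
    """Key tag of a DNSKEY, RFC 4034 Appendix B: 16-bit sum over the RDATA
    (even-index bytes weighted high), folded once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256, RFC 4509) over owner name || DNSKEY RDATA."""
    return hashlib.sha256(canonical_name(owner) + rdata).hexdigest()

def make_ds(owner, rdata):
    """The DS RDATA a parent zone would publish to delegate trust to this key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}

def dnskey_matches_ds(owner, rdata, ds):
    """Validator-side check for one link of the chain: the DNSKEY must be a
    zone key (flag bit 0x0100), protocol 3, and be covered by the DS record."""
    if len(rdata) < 5:
        return False
    flags = int.from_bytes(rdata[:2], "big")
    if not flags & 0x0100 or rdata[2] != 3:
        return False
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2 and ds["digest"] == ds_digest(owner, rdata))

def trusted_by_parent(owner, rdata, ds_rrset):
    """A child key is trusted if any DS in the parent's DS RRset covers it;
    an empty DS RRset means the delegation is unsigned, so nothing is trusted."""
    return any(dnskey_matches_ds(owner, rdata, ds) for ds in ds_rrset)

if __name__ == "__main__":
    ds = make_ds(ZONE, DNSKEY_RDATA)
    print("DS for %s: tag=%d alg=%d digest=%s" % (ZONE, ds["key_tag"], ds["algorithm"], ds["digest"]))
    print("genuine key accepted:", trusted_by_parent(ZONE, DNSKEY_RDATA, [ds]))
    # A forged response carrying a different key fails the DS check, even
    # though the validator never sees the parent's private key.
    forged = DNSKEY_RDATA[:-1] + b"\x00"
    print("substituted key accepted:", trusted_by_parent(ZONE, forged, [ds]))
```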
I’ve been running Slackware-current ( the development version of Slackware ) for probably close to 5 years now. For the most part, it’s a pretty uneventful stream of upgrades however, every once in a while things get interesting.
The March 1 update is massive, has taken a month to release and includes around 465 updated packages. There are 2 main reasons for this:
- Xorg has been upgraded to 1.7.5
- a new version of libpng is included which required the rebuild of a large number of dependent packages ( 13? )
I had some issues as follows …
On reboot I got ‘undefined symbols’ and ‘unknown module format’ when loading some modules. My NVidia binary driver would not load with a message the same as above. I had not upgraded the kernel so this was all a bit strange.
First step was to get a new NVidia driver ( 195.36.08 ) which installed fine but the driver still refused to load. Then I thought that a kernel package may have been installed erroneously so I upgraded all of them. Still no go.
To the LinuxQuestions forum where I gathered that there may have been an issue with a kernel config option ( CONFIG_PREEMPT ) in this particular kernel. The fix was straightforward – rebuild and install the kernel with the existing config file:
cp /boot/config-huge-2.6.33 /usr/src/linux-2.6.33/.config && cd /usr/src/linux-2.6.33 && make && make modules_install && cp arch/x86_64/boot/bzImage /boot/vmlinuz && lilo && echo "blacklist nouveau" >> /etc/modprobe.d/blacklist.conf && telinit 6
There was also an issue with the libgmp library which was updated today and fixed those issues.
Some other upgrades/changes:
- device-mapper is now included in the lvm2 package
- gzip security issue
- kernel 2.6.33
- kde 4.3.5
- openssl security fixes in 0.9.8m
- bash 4.1
I’m running AlienBob’s kde 4.4.x packages and hopefully he’ll have an updated ( to 4.4.1 ) set soon. All in all an interesting time; however, this is dev so it’s to be expected. The problem is that -current is generally so stable that this is actually unexpected. No problems either way.
Thanks to Pat, Eric, Robby and all the rest.
The US Copyright Lobby has indicated that using FOSS equates to the undermining of intellectual property rights. Yes you read that correctly. They want the US Trade Representative to place countries like Brazil, India, and Indonesia on the Special 301 list, which is a list of countries that do not, according to mostly the Pharmaceutical Research and Manufacturers of America and the IIPA, do enough to protect intellectual property rights.
The governments of the countries the IIPA wants to add have one thing in common: they’ve used or are encouraging the adoption of Free and open source software, which, according to the IIPA, “weakens the software industry” and “fails to build respect for intellectual property rights”. Huh? No I’m not making this up – take a look for yourself.
“The Indonesian government’s policy [...] simply weakens the software industry and undermines its long-term competitiveness by creating an artificial preference for companies offering open source software and related services, even as it denies many legitimate companies access to the government market,” the IIPA states, “Rather than fostering a system that will allow users to benefit from the best solution available in the market, irrespective of the development model, it encourages a mindset that does not give due consideration to the value to intellectual creations.”
Since when has FOSS denied anyone anything, let alone legitimate companies’ access to the government market? And how is FOSS not an intellectual creation? Besides giving no proof of their statements, these murmurings are just plain fiction. Perhaps the US Copyright Lobby should stop spouting trash in the name of big business and do something for the man in the street for a change.
The number of articles lately concerning the overwhelming amount of Linux distributions available is quite interesting; why now? Perhaps because Linux on the desktop is becoming a little more mainstream. Or perhaps because of the myriad embedded devices that use Linux ( think home automation, signage boards, NAS storage, netbooks, phones, radios, media players, industrial devices, etc. ) and that are more visible. Whatever the reason, I think it’s always been a positive thing, with the competitive nature of open source driving improvement and maturation. And open source does not need proprietary offerings as competition ( as another journalist has recently implied ). FOSS in itself is its own competition.
Just because there are numerous distros available ( distrowatch.com keeps track of the Top100 ) doesn’t mean Joe Bloggs needs to become a guru on all or most of these. Many are specialist distros catering for recovery, security, audio, media or other areas and for the most part, one can keep an eye on the top 20 for something to use within mainstream server or desktop areas.
For desktop use, Ubuntu, Mandrake, Mint, Fedora, Puppy and openSuse come to mind. On the server side Centos, RedHat, SLES, Debian and Slackware are the main choices. For business server use ( à la Windows Server SBS ) you can look at ebox and ClearOS.
So overall, that is not an overwhelming set of choices – just enough to give you something you are comfortable with. Read reviews on each, do a test run in a virtual machine ( care of VirtualBox ) and make the switch.
Here follows a quick matrix showing the main distros in each area.
| Area | Distributions |
| --- | --- |
| Desktop | Ubuntu, Mandriva, Mint, Fedora, Puppy, openSuse |
| Server | Red Hat Enterprise, Centos, SLES, Debian, Slackware, Scientific |
| SBS | ebox, ClearOS |
| Security | Backtrack, Nexenta |
| Recovery | Knoppix, SystemRescueCD, CloneZilla |
| AV | Mythbuntu, 64Studio, Musix |
| Storage | FreeNAS, OpenFiler |
The Mozilla Foundation is releasing the latest and greatest version of its Web browser, Firefox 3.6.