HOW TO HARDEN YOUR SSH CONNECTIONS
SECURITY
Since 1994: The Original Magazine of the Linux Community JANUARY 2014 | ISSUE 237 | www.linuxjournal.com
ENCRYPTED BACKUP SOLUTIONS With TrueCrypt and SpiderOak
TAKING ADVANTAGE OF ENCRYPTION
An Introduction to QUANTUM CRYPTOGRAPHY
TIPS FOR USING THE PAX ARCHIVING UTILITY
TOR: Browse the Web Anonymously
+ SOLID-STATE DRIVES: Are They Worth It?
SECURITY FEATURES
68 Quantum Cryptography: Classical cryptography may not be good enough in providing security in the near future. Subhendu Bera
80 More Secure SSH Connections: Secure shell connections can be hardened for extra security. Federico Kereki
94 Encrypted Backup Solution “Home Paranoia Edition”: A solution for safeguarding your personal information. Tim Cordova

ON THE COVER
How to Harden Your SSH Connections
Encrypted Backup Solutions with TrueCrypt and SpiderOak
An Introduction to Quantum Cryptography
Tor: Browse the Web Anonymously
Taking Advantage of Encryption
Tips for Using the pax Archiving Utility
Solid-State Drives: Are They Worth It?

COLUMNS
36 Reuven M. Lerner’s At the Forge: Talking to Twitter
26 MANDELBULBER

KNOWLEDGE HUB
106 Webcasts and White Papers

IN EVERY ISSUE
8 Current_Issue.tar.gz
10 Letters
16 UPFRONT
34 Editors’ Choice
64 New Products
94 TRUECRYPT
125 Advertisers Index
LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.
Contributing Editors: Ibrahim Haddad, Robert Love, Zack Brown, Dave Phillips, Marco Fioretti, Ludovic Marcotte, Paul Barry, Paul McKenney, Dave Taylor, Dirk Elmendorf, Justin Ryan, Adam Monsen
Souchong!

Back when we were kids, “security” meant little more than having a secret password to keep little siblings out of the treehouse. That’s still the case in some situations. Take the title of this column, for instance. If you go to the #linuxjournal IRC channel on FreeNode, saying “Lapsang Souchong” will mark you as part of the inner circle. (Note, this does not make you one of the cool kids...possibly the exact opposite!)

When it comes to computer security, however, things are quite a bit more complex. Whether you want to encrypt your data or lock down network access, Linux provides a wide variety of security tools. This month, we focus on using those tools in our Security issue.

Reuven M. Lerner starts off the issue with instructions on how to integrate Twitter into your applications. Whether you need your app to tweet results, error messages or automatic cat photos, Reuven walks through implementing the API. Dave Taylor follows up with a tutorial on using the ImageMagick suite to watermark and copyright photos. Since I use ImageMagick extensively with my BirdCam project (which you’ll hear more about in a month or so), I found his column particularly interesting. If you need to work with photos, especially if direct interaction isn’t possible, Dave’s column will be interesting for you too.

Kyle Rankin gets into the security mindset this month by approaching privacy. Specifically, he explains how to set up Tor in order to browse the Web in private. Tor is just as useful as it once was, but thankfully, it’s gotten easier and easier to implement. I follow Kyle’s column with The Open Source Classroom, and this month, I talk about file encryption. Many people are intimidated by the notion of encryption, but it doesn’t have to be scary. This month, we’ll do just enough encryption to whet your whistle, and hopefully get you interested in learning more.

Although I may have introduced encryption in my column, Subhendu Bera takes things to a whole new level with Quantum Cryptography. Mathematics-based encryption is complex, for sure, but will it be enough as technology advances? Subhendu gives an explanation of Quantum Cryptography and a quick lesson in Quantum Mechanics as well. If you’re interested in the future of cryptography, you’ll love his article.

Remember Telnet? Telnet has been replaced in almost every situation by the much more secure SSH protocol. Granted, there still are a few situations that warrant the use of Telnet, but those generally are inside your network and never over the Internet. Just switching to SSH, however, isn’t enough to ensure that you’re secure. Sure, the connection itself is encrypted, but what if you have a user with a simplistic password? Or a script kiddie scanning for vulnerabilities? Federico Kereki describes how to harden SSH this month, making the wonderful and flexible SSH protocol a little safer to use. Whether you want to limit your allowed users or disable password connections altogether, Federico’s article will guide you down the path of better SSH.

I may have started this issue with the basics of file and disk encryption, but if you are looking for more, Tim Cordova is about to be your favorite person. Going far beyond single file or even removable drive encryption, Tim shows how to encrypt your entire hard drive. Then, Tim goes even further and explains how to configure TrueCrypt in conjunction with SpiderOak to make sure your data is not only encrypted, but backed up as well! If you’re interested in privacy and encryption, don’t miss this article.

We finish off the security issue with Brian Trapp’s article on solid-state drives. SSDs have been around for a number of years now, and we’re finally to the point that we can provide some longevity statistics and reliability information. Have you been avoiding SSDs because you thought they would wear out? Did you think they had a significantly higher failure rate? Were you worried that you need Windows-specific drivers to make them work? Brian assuages many of those fears and validates those that are valid. SSDs are fast, and they can provide an incredible performance boost in most situations. You owe it to yourself to see if your scenario warrants an SSD. Brian’s article will help.

This issue also contains tons of other Linux goodies. We have product announcements, opinion pieces and even fractals. You don’t have to be one of the cool kids to enjoy this issue of Linux Journal, but it helps to be one of the smart kids. Thankfully, our readers tend to have that attribute in plentiful supply. We hope you enjoy this issue as much as we enjoyed putting it together.

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.
LVM, Demystified

Regarding Shawn Powers’ article “LVM, Demystified” in the December 2013 issue: I’ve been a fan of LVM2 from the beginning. (LVM1 really wasn’t ready for Prime Time.)

…but makes it easier to see “what you have where”. Tedious, but it makes the neat freak in me happy.

The Red Hat Advisory was RHBA… (Bugzilla …):

2) The metadata present on each PV now eats up a PE (that is, in your case, “not usable 3.00 MiB”, but it’s usually 4MB), and it is a good practice to have metadata on every PV! That means that, for example, if you have 5 * 100GB PVs, you don’t have 500GB to use, you have 499.9something GB—that is, 500GB minus 20MB (5 PEs, each 4MB in size). This is a problem mainly with SAN LUNs, as they are usually precisely some size. This means that if you allocated -L 500G, it would fail, telling you that you were slightly short of… -l 15980 would give you almost 500GB and would work. (I think I have my math right here, but you get the picture.)

4) Don’t try to pvmove a swap volume. Simply allocate a new one and delete the old one.

Excellent article. It’s not an easy concept to get across to the novice, but once you understand it, it seems so simple.
—Tom Lovell

It’s always tough for me to decide how far to travel down the rabbit hole when approaching a topic like LVM. By sysadmin standards, I’m a noob myself, since I avoided LVM for so long. I figured it was worthwhile to bring folks up to my comprehension level, even if I wasn’t a zen master.

I said all that to say that I really, really appreciate letters like yours. Not only do I get to learn more, but it benefits everyone who reads Linux Journal as well. And, now I get to go play with more LVM stuff!—Shawn Powers

Bird Feeder

Shawn Powers’ bird-feeder article (see “It’s a Bird. It’s Another Bird!” in the October 2013 issue) was one of the most appealing I’ve read in LJ since 1994. It’s something I often contemplated, but never got beyond that. Many thanks for pointing the way.

An FYI, I alone have turned about six people into active viewers, so I do hope you have plenty of capacity, if only so I don’t get locked out now. It’s a very pleasant diversion. And you’ve put out a great bird buffet. Based on my own feeders, you will be kept quite busy keeping them full as word spreads in bird land. And of course, one really has to keep doing it throughout the winter now, as some birds become dependent on them.
—Bob Kline

It was my favorite article to write, up there with the article on the arcade cabinet I built and submitted back when I was a freelancer. I’m starting a followup article now, which will probably be published...hmm...in February? I’ve been tinkering with BirdCam, adding multiple cameras, motion detection with “motion”, archive video creation—all sorts of cool stuff.

Thank you for the e-mail. I’m really glad you enjoyed the article and the camera. I have it scaled out to my Dreamhost account, so it should be able to handle lots of hits. I zoomed in the camera closer to the feeders (you probably noticed), and embedded the window cam and a closeup of the bird bath. It’s so funny to see the starlings in the bird bath. I might point a camera there to capture video!—Shawn Powers

Linux Archive DVD

I would be very tempted by the Archive DVD, if there were PDF or Mobi versions of the back issues available on the Archive. I love the
…noticed with my wife’s that the iOS7 implementation of Newsstand, at least as it pertains to the Linux Journal app, is frustrating at best. To be honest, I download either the .epub or .pdf directly and peruse the issue from there. We’ll work with our vendor to try to get things working right with Newsstand, but I expect the process to be lengthy and frustrating! The downloadable copies you get links for as a subscriber should load right into the iBooks app if you’re having issues with the Newsstand app. Hopefully, things will be straightened out soon. I have found in the past that deleting and then re-installing the Linux Journal app sometimes helps as well.—Shawn Powers
diff -u
WHAT’S NEW IN KERNEL DEVELOPMENT

A recent bug hunt by kernel developers ended up identifying a long-standing bug in GCC. The indications were there from the start, but it took some investigation to nail it down.

Originally, Fengguang Wu reported a kernel oops, and used “git bisect” to identify the specific patch that revealed the problem. It was an optimization suggested by Linus Torvalds and implemented by Peter Zijlstra that aimed at freeing up a hardware register by using the “asm goto” instruction in the kernel’s modify_and_test() functions.

The first indication that the problem might boil down to a compiler bug was that the patch just seemed correct to folks. Neither Peter nor Linus were able to see anything wrong with it, so they suggested trying to reproduce the oops on kernels compiled with different versions of GCC, and Linus suggested disabling “asm goto” directly to see if that had any effect.

At first, Fengguang found that earlier compilers made no difference. He’d started off using GCC 4.8.1, but 4.6.1 also produced a kernel that would reproduce the oops. But as Linus suspected, disabling “asm goto” in the kernel code did fix the problem. After a while, Fengguang also discovered that the older GCC version 4.4.7 also produced a working kernel, because that compiler had no support for “asm goto”.

Gradually, other folks began to be able to reproduce the problem on their own systems. Originally, the issue seemed to affect only 32-bit Linux systems, but ultimately, Linus was able to reproduce the problem on his own 64-bit system. It was harder to trigger on a 64-bit system, but it boiled down to being the same problem. As the scope of the problem began to reveal itself, Linus remarked, “It makes me nervous about all our traditional uses of asm goto too, never mind the new ones.”

Jakub Jelinek opened a Bugzilla ticket against GCC, and folks started thinking about workarounds for the kernel. Even after GCC got a fix for this particular bug, it wouldn’t do to allow the kernel to miscompile on any version of GCC, if it possibly could be avoided. A workaround did end up going into the next Linux kernel release candidate, and a fix went into GCC 2.8.2. Shortly afterward, Greg Kroah-Hartman also adopted the kernel workaround in the 3.11.x stable tree.

The reason the kernel needed a workaround in spite of the fact that a real fix went into GCC was because the kernel needs to support the widest possible dispersion of host systems. Anyone, anywhere, with any particular hardware setup, using any particular versions of the various development tools, should be able to build and run the kernel. In some cases that ideal can’t be reached, but it remains an ideal nonetheless.

Traditionally, software could mount a filesystem only after registering it with the kernel, so the kernel would know its name and a bit about how to manage it. This has been true even for internal filesystems like ia64, pfmfs, anon_inodes, bdev, pipefs and sockfs. But, Al Viro recently said there was no longer any reason to require registration for these filesystems, and he submitted a patch to take out the requirement.

First of all, he and Linus Torvalds agreed that there probably isn’t any user code that actually looks up those filesystems in the registry. There’s just no reason anyone would want to.

As Al explained on the mailing list, there used to be a need to register all filesystems. But about a decade ago, the kern_mount() call changed to take only a pointer to the filesystem, rather than needing to look it up by name.

Ever since then, the need to register these internal filesystems has been minimal. The only remaining dependency was a single data structure initialized by register_filesystem() that was needed by all filesystems. But, Al said that even this dependency was eliminated a couple years ago, when the data structure was optimized no longer to need register_filesystem(). By now, Al said, “there’s no reason to register the filesystem types that can only be used for internal mounts.”

With this change, /proc/filesystems would no longer list internal filesystems. And as Linus pointed out, those filesystems wouldn’t reliably be listed anywhere on the system. Even /proc/modules, Linus said, would list those filesystems only if they’d been compiled as modules.

So, with some mild trepidation, Linus accepted the patch. If no one howls, it’ll probably stay. —ZACK BROWN
Blu-ray Encryption—Why Most People Pirate Movies

I get a fair amount of e-mail from readers asking how a person could do “questionable” things due to limitations imposed by DRM. Whether it’s how to strip DRM from ebooks, how to connect to Usenet or how to decrypt video, I do my best to point folks in the right direction with lots of warnings and disclaimers. The most frustrating DRM by far has been with Blu-ray discs. Unless I’ve missed an announcement, there still isn’t a “proper” way for Linux users to watch Blu-ray movies on their computers. It’s hard enough with Windows or Macintosh, but when it comes to Linux, it seems that turning to the dark side is the only option. In the spirit of freedom, let me point you in the direction of “how”, and leave it up to you to decide whether it’s a road you want to travel.

When ripping a movie from Blu-ray, I know of only one program that can do the job. MakeMKV is a cross-platform utility that will extract the full, uncompressed movie from most Blu-ray discs. Unfortunately, you have to download the source code and compile it. You need both the binaries and the source download files, and then follow the included directions for compiling the software. Yes, it’s a bit complex.

Once you compile MakeMKV, you should be able to use it to extract the Blu-ray disc to your computer. Be warned, the file is enormous, and you’ll most likely want to compress it a bit. The tool for that thankfully is much easier to install. Handbrake has been the de facto standard video encoding app for a long time, and when paired with MakeMKV, it makes creating playable video files close to painless. I won’t go through the step-by-step process, but if the legally questionable act of ripping a Blu-ray disc is something you’re comfortable doing, http://www.makemkv.com and http://www.handbrake.fr are the two software packages you’ll want to explore. —SHAWN POWERS
Non-Linux FOSS: Persistence of Vision Raytracer (POV-Ray)

[Image: This image is completely computer-generated, created by Gilles Tran, released into public domain.]

Back in the mid-1990s, a college friend (hi Russ!) and I would put our old 8088 computers to work rendering ray-traced images for days—literally. The end result would be, by today’s standards, incredibly low resolution and not terribly interesting. Still, the thought of a computer system creating realistic photos from nothing more than math equations was fascinating. As you probably already guessed, Russ and I weren’t terribly popular.

All these years later, the same ray-tracing software we used back then is now up to version 3.7, and it has been released as free, open-source software. The developers kindly have created a downloadable Windows installer for those folks stuck on a Microsoft operating system. If you think the world is nothing more than math, and you’d like to prove it with ray-traced images, head on over to http://www.povray.org and download your copy today. I can’t promise it will make you popular, but at least by my standards, it will make you cool! —SHAWN POWERS
paxample/foo
t
t/paxample
t/paxample/foo

-rw-r--r--  … jklowden  wheel  … Sep …  paxample/foo
-rw-r--r--  … jklowden  wheel  … Sep …  t/paxample/foo

Yes—two identical files with two identical timestamps. The permission bits and ownership can be controlled too, if desired. Take that, cp(1)!

When pax read the paxample.tar archive, it created files in the current directory, t. Because the archive included a directory name, paxample, that directory was re-created in the output.

Copying Sets of Files

To my mind, pax’s -r and -w options make more sense than their -x and -c equivalents in tar—reason enough to switch. But, pax can do more than tar: it can copy files too:

$ rm -rf t

Perhaps you don’t want to re-create the directory, or perhaps you want to change it in some way. One option is not to mention the input directory on the command line, but instead provide filenames:

$ rm -rf t/paxample/
$ cd paxample
$ pax -rw … t
$ find t
t
t/foo

ATTENTION! pax archive volume change required.
Ready for archive volume: 1
^C
pax: Signal caught, cleaning up.
Taking Fractals off the Page

Fractals are one of the weird things you may come across when studying computer science and programming algorithms. From Wikipedia: “A fractal is a mathematical set that has a fractal dimension that usually exceeds its topological dimension and may fall between integers.” This is a really odd concept—that you could have something like an image that isn’t made up of lines or of surfaces, but something in between. The term fractal was coined by Benoit Mandelbrot in 1975.

A key property of fractals is that they are self-similar. This means if you zoom in on a fractal, it will look similar to the way the fractal looked originally. The concept of recursion also is very important here. Many types of fractal algorithms use recursion to generate the values in the given set. Almost everyone has seen computer generated images of classic fractals, like the Mandelbrot set or the Cantor set. One thing about all of these classic images is that they are two-dimensional (or actually greater than one and less than two-dimensional, if you want to be pedantic). But there is nothing that forces this to be the case. Fractals can be any dimension, including greater than two. And with modern 3-D graphics cards, there is no reason why you shouldn’t be able to examine these and play with them. Now you can, with the software package Mandelbulber (http://www.mandelbulber.com).

Mandelbulber is an experimental, open-source package that lets you render three-dimensional fractal images and interact with them. It is written using the GTK toolkit, so there are downloads available for Windows and Mac OS X as well as Linux. Actually, most Linux distributions should include it in their package management systems. If not, you always can download the source code and build it from scratch.

If you want some inspiration on what is possible with Mandelbulber, I strongly suggest you go check

Figure 1. The main window gives you all parameters that control the generation of your fractal.
Figure 4. A Sierpinski sponge has infinite surface area and zero volume.
Figure 5. There are several different fractal types from which to choose.
Figure 6. You can create a hybrid system made from a mix of up to five different fractal types.
Talking to Twitter
REUVEN M. LERNER

Integrating Twitter into your application is easy, fun and useful.

I’m a very quick adopter of many new software technologies. I try new programming languages, browsers, databases and frameworks without hesitation. But when it comes to social networks, I’m a bit of a Luddite, waiting to see what all the fuss is about before making them a part of my life. Sure, I signed up for Facebook almost as soon as it was available, but I haven’t really posted much there. I do use LinkedIn, mostly to collect and find contacts, but I don’t post there very often either, unless I’m announcing a presentation that I’ve added to SlideShare.

Twitter is something of a different story. There are people, it seems, for whom Twitter is the ultimate in communication. I’ve been on Twitter for some time, but other than an occasional foray into that world, I didn’t really pay it much attention. Even now, after having decided several months ago that I should try to get into Twitter more heavily, I find that while I look through my feed several times a day, I tweet only once every few weeks. Call me a dinosaur, but I still prefer to use e-mail to be in touch with friends and family, rather than 140-character messages.

Although I don’t see Twitter as a great medium for interpersonal communication, I recently have begun to appreciate it for other reasons. Specifically, I have discovered (perhaps long after the rest of the world has done so) that using Twitter as a sort of public logfile can make a Web application more visible, updating the rest of the world as to the status of your work and your on-line community. Doing so not only lets people hear about what you are doing—and potentially rebroadcast it to the world, by “retweeting” your message to followers—but it also increases your application’s SEO, or visibility on various search engines. Finally, you can use Twitter to bring attention to your on-line presence by
Twitter’s API allows you to do all of these things via code. That is, you don’t need to go and compose tweets personally. You can write a program that will do so for you. In order for this to happen, you need to do two things: register with Twitter’s API service and install a library that knows how to communicate with the Twitter API.

In order to register with the Twitter API, you need to go to the “developer” site at http://dev.twitter.com. Note that you need to sign in with your Twitter user name and password, even if you already are signed in to the main Twitter site. The two sites do not seem to share login sessions.

Once you’re on the developer site, you need to create a new application. The application name needs to be unique, but don’t worry about it too much. You need to provide not only a name, but also a description and a URL that is associated with the application. Agree to the terms, fill in the Captcha, and you’ll be on your way.

Note that many types of Twitter applications exist, with many applications (including mobile) that post to Twitter on behalf of a user. The model I demonstrate in this article is of an application sending updates to Twitter, which means you won’t have such issues—you don’t need a callback URL or any special login configuration.

Perhaps the most confusing thing (to me, at least) about setting things up with Twitter was that the default permissions for an application allows you to retrieve tweets, but not post to them. To allow your application read-write access, go to the settings tab and indicate that you want the read-write access, or even read, write and direct message. You won’t be using all of these capabilities for this example, but without write permission, your application will not be able to post to Twitter.

And now for the most important part, the keys: Twitter’s authentication model requires two tokens. First, there is your access token, which allows you to access Twitter via the API. The second is the “consumer key”, which describes your particular application and usage. Each of these keys has an accompanying secret, which you should treat as a password. As such, putting these secrets directly in your application probably is a bad idea. You would be better off putting them in environment variables, thus avoiding having the secrets in version control.
    … site at http://lerner.co.il
    tweet.user          # tells us who wrote the tweet
If there are URLs embedded in the tweet, you can get those back:

    twitter_client.user_timeline('reuvenmlerner')[0].urls

This method returns an array of Twitter::Entity::URI objects, each of which has attributes, such as “url” and “expanded URL”.

Integrating into Your Application
As you can see, working with Twitter is surprisingly easy. The startup time for connecting to Twitter can take a little bit of time—up to two seconds, in my experience—but tweeting and querying Twitter take very little time. It’s obvious, as a consumer of the API, that they have worked hard to make it execute as quickly as possible. This is a lesson to all of us who create APIs. We all know that Web pages should load quickly, and that slow load times can discourage people from staying on a site.
API calls typically are embedded within another application, meaning that if the API call takes time, the application itself will feel sluggish. As a result, a slow API call will lead to slow responses from the API clients—and may discourage people from using your API.
But where would you use such API calls? Why would you want to use Twitter on your site?
One simple use of the Twitter API would be to display a user’s most recent tweets. For example, if your company (or you personally) use Twitter to send messages about what you are doing, you can see that it would be fairly easy to include those tweets in a Web page. Using an MVC system, such as Rails, you simply would grab the tweets (with the “user_timeline” method, as shown above), and stick the results on your home page. Now your home page provides another view to your Twitter feed, re-enforcing its importance and usage to your company.
I have been doing something slightly different. As I mentioned previously, I have begun to use Twitter to log public activity in the application I’ve developed for my dissertation. Every time a new
the issue of duplicate tweets. When I first set up the Twitter feed, I defined the tweet for an additional discussion forum post to be:

    Reuven Lerner has added a comment about the Foobar model

The problem with this style of tweet is that it quickly can lead to duplicates—and thus errors from within the application. As a result, I have made sure that every tweet has a unique number in it somewhere, typically counting how many similar objects already have been created. For example:

    Reuven Lerner wrote the <N>th comment about the Foobar model

I’m not aware of it. It’s similar in some ways to seeing my children’s creative output, but (obviously) less emotionally charged.

Conclusion
Adding automatic tweets to a Web application is easy to do and can have significant benefits. For your users, it gives them a way to follow what is happening in your application without needing to visit the site or use an RSS reader. For your site, automatic tweets will help bring in new visitors, improve SEO and generally improve your project’s visibility.
Resources
Twitter, of course, is at http://twitter.com. The developer and API documentation
is at http://dev.twitter.com. The Ruby gem for Twitter, which apparently has been
downloaded more than one million times (!), is at http://sferik.github.io/twitter.
Easy Watermarking with ImageMagick
DAVE TAYLOR
Script auteur Dave Taylor explores smart ways to use ImageMagick and Bash to copyright and watermark images in bulk.
Let’s start with some homework. Go to Google (or Bing) and search for “privacy is dead, get over it”. I first heard this from Bill Joy, cofounder of Sun Microsystems, but it’s attributed to a number of tech folk, and there’s an element of truth to it. Put something on-line and it’s in the wild, however much you’d prefer to keep it under control. Don’t believe it? Ask musicians or book authors or film-makers. Now, whether the people who would download a 350-page PDF instead of paying $14 for a print book are hurting sales, that’s another question entirely, but the Internet is public and open, even the parts that we wish were not.
This means if you’re a photographer or upload images you’d like to protect or control, you have a difficult task ahead of you. Yes, you can add some code to your Web pages that makes it impossible to right-click to save the image, but it’s impossible to shut down theft of intellectual property completely in the on-line world. This is why a lot of professional photographers don’t post images on-line that are bigger than low-resolution thumbnails. You can imagine that wedding photographers who make their money from selling prints (not shooting the wedding) pay very close attention to this sort of thing!
Just as people have learned to accept poor video in the interest of candor and funny content thanks to YouTube, so have people also learned to accept low-res images for free rather than paying even a nominal fee for license rights and a high-res version of the photograph or other artwork.
There is another way, however, that’s demonstrated by the stock photography companies on-line: watermarking. You’ve no doubt seen photos with
text you want, where you want it on the image, the input image filename and the output image filename. Let’s start with an image (Figure 1).
You can get the dimensions and so forth

that’s shown as 493x360.
Now, let’s use composite to add a simple label:

    composite label:'AskDaveTaylor.com' kids-party.png \
centered on the bottom but also adding space below the image for the caption:

    convert kids-party.png -background Khaki \
      label:'AskDaveTaylor.com' \
      -gravity center -append party-khaki.png

Here I’ve added a background color for the new text (khaki) and tapped the complicated but darn useful gravity capability to center the text within the new -append (appended) image space. Figure 3 shows the result.
I’m not done yet though. For the next example, let’s actually have the text superimpose over the image, but with a semi-transparent background. This is more ninja ImageMagick, so it involves a couple steps, the first of which is to identify the width of the original source image. That’s easily done:

    $ width=$(identify -format %w kids-party.png)
    $ echo $width
    493

Now, let’s jump into the convert command again, but this time, let’s specify a background color, a fill and a few other things to get the transparency to work properly:

    convert -background '#0008' -fill white -gravity center \
      -size ${width}x30 caption:'AskDaveTaylor.com' \
      kids-party.png +swap -gravity south -composite party-watermark.png

I did warn you that it’d be complex, right? Let’s just jump to the results so you can see what happened (Figure 4).
You can experiment with different backgrounds and colors, but for now, let’s work with this and jump to the second part of the task, turning this into a script that can fix a set of images in a folder. The basic structure
for this script will be easy actually:

    for every image file
      calculate width
      create new watermarked version
      mv original to a hidden directory
      rename watermarked version to original image name
    done

Because Linux is so “dot file”-friendly, let’s have the script create a “.originals” folder in the current folder so that it’s a nondestructive watermark process. Here’s the script:

    savedir=.originals
    mkdir $savedir

    if [ $? -ne 0 ] ; then
      echo "Error: failed making $savedir"
      exit 1
    fi

    for image in *.png *.jpg *.gif
    do
      if [ -s $image ] ; then      # nonzero file size
        width=$(identify -format %w $image)
        convert -background '#0008' -fill white -gravity center \
          -size ${width}x30 caption:'AskDaveTaylor.com' \
          $image +swap -gravity south -composite new-$image
        mv $image $savedir
        mv new-$image $image
        echo "watermarked $image successfully"
      fi
    done

You can see that it translates pretty easily into a script, with the shuffle of taking the original images and saving them in .originals. The output is succinct when I run it in a specific directory:

    watermarked figure#.png successfully
    watermarked figure#.png successfully
    watermarked figure#.png successfully
    watermarked figure#.png successfully

Easily done.
You definitely can go further with all the watermarking in ImageMagick, but my personal preference is to tap into the reference works that already are on-line, including this useful, albeit somewhat confusing, tutorial: http://www.imagemagick.org/Usage/annotating.
However you slice it, if you’re going to make your images available on-line in high resolution, or if they’re unique and copyrighted intellectual property, knowing how to watermark them from the command line is a darn helpful skill.

Dave Taylor has been hacking shell scripts for more than 30 years. Really. He’s the author of the popular Wicked Cool Shell Scripts and can be found on Twitter as @DaveTaylor and more generally at http://www.DaveTaylorOnline.com.
of Tor
For privacy, windows have blinds, and Internet users have the Tor browser bundle.
you can visit the official site at http://tor.eff.org), but in a nutshell, Tor installs and runs on your local machine. Once combined with a Web proxy, all of your traffic passes through an encrypted tunnel between three different Tor servers before it reaches the remote server. All that the remote site will know about you is that you came from a Tor node.
The rest of the article went into detail on how to use the Knoppix live disk to download and install Tor completely into ramdisk. Tor has come a long way since those days though, so I decided it was high time to revisit this topic and explain the best way to set up Tor on your personal machine today.

Get the Tor Browser Bundle
In the past, Tor installation meant installing the Tor software itself, configuring a proxy and pulling down a few browser plugins. Although you still can set it up that way if you want, these days, everything is wrapped up in a tidy little package called the Tor browser bundle. This single package contains Tor, its own custom Web browser already configured with privacy-enhancing settings and a user interface that makes it easy to start and stop Tor on demand.
The first step is to visit https://www.torproject.org and check the lock icon in your navigation bar to make sure the SSL certificate checks out. If your browser gives you some sort of certificate warning, it’s possible you aren’t visiting the official Tor site, and you should stop right there and attempt to get Tor from a different computer. On the main page is a large Download Tor button for you to click. If you are browsing the site from a Linux system (which of course you are), you will be presented with links to a 32-bit and 64-bit browser bundle package, so click the one that corresponds with the appropriate architecture for your system.
While the software downloads, I highly recommend you do two things. First, next to the button you clicked to download Tor, there should be a hyperlink labeled “sig”. Click this link to download the signature you will use to verify that the Tor package you downloaded was legitimate (I’ll talk about how to do that in a minute). The second thing you should do is scroll down the page and start reading the section titled “Want Tor to really work?” to familiarize yourself with some of the extra habits you should take on if you really do want to browse the Web anonymously.
- tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz.asc

    gpg --fingerprint 0x416F061063FEE659
    pub   2048R/63FEE659
          Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

    gpg: Signature made Fri ... Nov ... PM PDT using RSA key ID 63FEE659
    gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
    gpg:                 aka "Erinn Clark <erinn@debian.org>"
    gpg:                 aka "Erinn Clark <erinn@double-helix.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
with Japanese, German or some other language as you visit.
If you go back to the Vidalia Control Panel, you’ll notice a number of different options. You can view a map of the current global Tor network; you can click the Setup Relaying button to add your machine to the network of Tor nodes, and if you click Use a New Identity, you will stop using the three Tor nodes you currently are using and will set up a new connection with different Tor nodes. Although Tor itself does this routinely as you use it, sometimes you may want to get a different endpoint so a Web site stops displaying output in a language you don’t understand.

Special Tor Browser Plugins
It’s important to note that this special Tor browser has been configured with extra plugins and settings to enhance your privacy. For instance, by default, the
The truth is, I really don’t have anything on my hard drive that I would be upset over someone seeing. I have some cat photos. I have a few text files with ideas for future books and/or short stories, and a couple half-written starts to NaNoWriMo novels. It would be easy to say that there’s no point encrypting my hard drive, because I have nothing to hide. The problem is, we wrongly correlate a “desire for privacy” with “having something to hide”. I think where I live, in America, we’ve taken our rights to privacy for granted. Rather than the traditional “he must be hiding porn or bombs”, think about something a little more mundane.
I live in Michigan. It’s cold here in the winter, and I tend to keep my thermostat set around 75 degrees. That might seem high to you, but for my family, it’s just right. Thanks to the privacy of my own home, my neighbors don’t know how toasty warm we keep it. Some of those neighbors would be very upset to see how “wasteful” the Powers family is in the winter. In fact, there’s one local man who makes it a point to let everyone know that anything over 60 degrees is ecologically wasteful. I don’t want to get into a fight with Old Man Icebritches, so we just keep our comfortable house a secret. We don’t have anything to hide, but it’s not something everyone needs to know about.
Obviously my example is silly, but hopefully it makes you think. Modern Linux allows us to encrypt our data easily and reliably, so why not take advantage of it?

How Does It Work?
I won’t go into too much detail about how encryption works, but a basic understanding is necessary for even the simplest implementation. To encrypt and decrypt a file, two
“keys” are required. One is the private key, which is just that, private. I like to think of the private key as an actual key—you can make copies if you want, but it’s not wise to do so. The more copies of your private keys you make, the more likely someone nefarious will get one and break into your apartment—er, I mean files.
The public key is more like a schematic for a lock that only you can open (with your private key). You make this key available for anyone. You can post it on a Web site, put it in your e-mail, tattoo it on your back, whatever. When others want to create a file that only you can see, they encrypt it using your public key.
This one-to-many scenario also has a cool side effect. If you encrypt something using your private key, anyone can decrypt it using your public key. This may sound silly, but what makes such a scenario useful is that although the encrypted file isn’t protected from prying eyes, it is guaranteed to be from you. Only a file encrypted with your private key can be decrypted with your public key. In this way, encrypting something with your private key digitally “signs” the file.
Usually it works like this:

1. You have a file you want to send to Suzy, so you encrypt it with Suzy’s public key. Only Suzy can open it, but there’s no way for Suzy to know that you are the one who sent it, since anyone could encrypt a file with her public key.

2. Therefore, you take the file you encrypted with Suzy’s public key and encrypt that file with your private key. Suzy will have to decrypt the file twice, but she’ll know it came from you.

3. Suzy receives the file and decrypts the first layer with your public key, proving it came from you.

4. Suzy then decrypts the second layer of encryption with her private key, as that’s the only key able to decrypt the original file. (Because you originally encrypted
it with her public key.)

That scenario is when encryption is used for safely transferring files, of course. It’s also quite common simply to encrypt your files (or partitions) so that no one can see them unless you decrypt them first. Let’s start with file encryption, because that’s what most people will want to do on their systems.

Starting Simple
Before I go into more complex type setting, let’s discuss simply encrypting a file. There are various programs to handle encryption. In fact, it’s easy to get overwhelmed with the available options for file and system encryption. Today, let’s use a basic (but very powerful) command-line tool for encrypting a file. GPG (GNU Privacy Guard) is an open-source implementation of PGP (Pretty Good Protection).

than using a public and private key pair, because it’s simply encrypted using your passphrase. This does make your file more susceptible to cracking (using rainbow tables or other hacking tools), but like the label on the tin says, it’s Pretty Good Protection. To encrypt your file, you can do this:

    gpg -c secret_manifesto.txt
    Enter passphrase:
    Repeat passphrase:

Once complete, you’ll have a new file in the same directory. It will be named secret_manifesto.txt.gpg by default. This is a binary file, which means it’s fairly small, but it can’t be copy/pasted into an e-mail or IM. For portability, you can add the -a flag, which will create an encrypted file that contains only ASCII text:

    gpg -a -c secret_manifesto.txt
snippet that it’s also much larger than the binary encrypted file, and much much larger than the original text file. Once you’ve encrypted your file, if you truly want to keep your information secret, it would be wise to delete the original text file.
To decrypt the file, you’ll again use the gpg program. The same command will decrypt either file, whether it’s binary or ASCII:

    gpg secret_manifesto.txt.asc
    gpg: CAST5 encrypted data
    Enter passphrase:
    gpg: encrypted with 1 passphrase
    File `secret_manifesto.txt' exists. Overwrite? (y/N)

Notice in the example above, I hadn’t deleted the original text file, so gpg gave me the option of overwriting. Once complete, I have my original file back, unencrypted.
If you just have a file or two you want to protect, the command-line gpg program might be all you need. If you’d rather have an area on your system that automatically encrypts everything you save, it’s a little more complicated. It’s still not terribly difficult, but let’s start with a fairly simplistic model.

Encrypting a USB Drive
Like I mentioned earlier, there are many options when it comes to encryption. One of the more popular methods of encrypting partitions is the LUKS (Linux Unified Key Setup) system. A USB drive with a LUKS-formatted partition should be detected automatically by most systems. In fact, if you’re using a desktop environment like Ubuntu Desktop, encrypting a USB drive is a simple check box during the formatting process. Although that’s a perfectly acceptable way to encrypt your USB drive, I’m going to demonstrate how to do it on the command line, so you understand what’s actually happening behind the scenes.
Step 1: identify your USB drive. If you type dmesg after plugging in your USB drive, you should get all sorts of system information, including the device name of your freshly plugged-in USB device. Make sure you have the correct device identified, because what you’re doing will destroy any data on the drive. You wouldn’t want to format the wrong disk accidentally. (It should go without saying, but I’ll say it anyway, make sure there’s nothing on your USB drive that you want to save—this is a destructive process.)
Step 2: partition the USB drive. Assuming that your USB drive is the
    sudo fdisk /dev/sdb
       e   extended
    The partition table has been altered.

    cryptsetup luksFormat /dev/sdb1
    WARNING!
    This will overwrite data on /dev/sdb1 irrevocably.
    Enter LUKS passphrase:
Once the process completes, you have an encrypted partition, but it’s not mounted or formatted yet. The first step is to mount the partition, which again uses the cryptsetup utility:

    cryptsetup luksOpen /dev/sdb1 my_crypto_disk
    Enter passphrase for /dev/sdb1:

When you type in your passphrase, the device name you entered will be mounted like a virtual hard drive. Usually, it’s mounted under /dev/mapper/devicename, so this example mounts a partition at /dev/mapper/my_crypto_disk.
This device is now being accessed as an unencrypted volume. As long as it stays mounted, it will act like any other unencrypted volume. That means you need to write a filesystem to it if you want to use it:

    mkfs.vfat /dev/mapper/my_crypto_disk -n my_crypto_disk
    mkfs.vfat <version> (<date> Jan <year>)

Now the drive is fully functional and can be mounted like any other disk. In fact, when you put the USB drive into your computer, if you have a modern GUI desktop, it should prompt you for a password and mount it automatically. Then you can eject it like a normal disk, and it will be encrypted until you next enter your passphrase. It’s simple to unmount and, therefore, re-encrypt the drive on the command line too, using cryptsetup:

    cryptsetup luksClose my_crypto_disk

That’s Only the Tip of the Iceberg
In this article, my hope is to peel back some of the mystery behind encryption. It’s simple to encrypt and decrypt a file. It’s not too much more difficult (especially if you use the GUI desktop tools) to encrypt an entire USB drive. With most distributions, it’s possible to encrypt the entire home directory during the installation process!
Magic Software Enterprises’ Magic xpi Integration Platform
With most core enterprise systems in place,
organizations of all sizes are looking to business process
integration and automation to increase operational efficiency and competitiveness. The updated
Magic xpi Integration Platform from Magic Software Enterprises is a cloud-ready integration
platform that enables users to unlock data from enterprise systems like SugarCRM, Sage and
SYSPRO. In the new release, the aforementioned three platforms now enjoy certified, prebuilt
adapters for optimized integration, which complement existing adapters for Oracle JD Edwards
EnterpriseOne, JD Edwards World, SAP, IBM Lotus Notes, Microsoft Dynamics, Microsoft
SharePoint and Salesforce, and more. In addition, an In-Memory Data Grid (IMDG) architecture
is the new standard. IMDG offers cost-effective elastic scalability, built-in clustering and failover
capabilities, which support enterprise needs for business continuity, faster processing and
increasing transaction loads spurred by new mobile, cloud and big-data use cases.
http://www.magicsoftware.com
AdaCore’s GNAT Programming Studio
“Usability” is the word that best captures the
essence of the new version 6.0 release of AdaCore’s
GNAT Programming Studio (GPS) graphical IDE. This
“major engineering effort” features a significantly
revised and cleaner user interface that eases
program navigation and editing. The revised look
and feel, which exploits the latest Gtk+/GtkAda
graphical toolkit, is supported by a new relational
database at the heart of the GPS engine, making code navigation much more efficient. GPS
6.0 also brings improved performance and new functionality, including language support
for SPARK 2014, syntax highlighting and tool tips for Ada 2012 and SPARK 2014 aspects,
editor enhancements and a number of additions to the scripting API.
http://www.adacore.com
OpenLogic’s AWS Marketplace Offerings
OpenLogic’s vision is to keep enterprise customers running on some of the world’s best
open-source packages. To convert this vision into reality, the firm intends to make
available more than 50 new preconfigured stacks through the Amazon Web Services
(AWS) Marketplace, including production-level support for JBoss, Apache HTTP, Tomcat,
MySQL, PostgreSQL, ActiveMQ and the CentOS operating system. These are in addition
to OpenLogic’s existing offerings on AWS. Enterprise support will include both 12x5
business-hour support and 24x7 production-level support. Products will be offered for use
at an hourly rate. OpenLogic adds that OLEX, its open-source scanning, governance and
provisioning portal, allows organizations to embrace open source with confidence.
http://www.openlogic.com
Stackinsider Deployment-as-a-Service Cloud Platform
Stackinsider’s approach to OpenStack is
packaging it as a Deployment-as-a-Service (DaaS)
cloud platform, which the company says is the
first of its kind to be public and free. Designed
to make OpenStack technology adoption significantly easier and faster than conventional
approaches, the Stackinsider DaaS approach consolidates and streamlines key OpenStack
distributions and real-world applications for a wide range of uses. DaaS has integrated
all popular IaaS deployment toolchains including RDO, FUEL, Puppet, DevStack and
Chef. Some popular applications like Moodle and SugarCRM also are provided for PaaS
prototyping. This public DaaS cloud is available for download at Stackinsider’s Web site.
http://www.stackinsider.com
JetBrains’ PhpStorm
For JetBrains, developing a new version of the PhpStorm
IDE for PHP means more than keeping on top of the latest
changes in Web languages. It is also about supporting and
integrating modern tools and popular frameworks, not
to mention removing obstacles on the road to productive
Web development. Of course, the new PhpStorm 7
supports the latest PHP 5.5 with improved PHP syntax
coloring, new refactorings, code inspections and quick-fixes. Support also has been added
for various front-end Web technologies, such as different JavaScript templates, Web
Components and modern stylesheets. Built-in tools for Vagrant, SSH console and local
terminal and Google App Engine for PHP have been added too. Finally, support has been
enhanced for various frameworks, including Drupal, Symfony2 and others.
http://www.jetbrains.com/phpstorm
QUANTUM CRYPTOGRAPHY
Classical cryptography provides security based on unproven mathematical assumptions and depends on the technology available to an eavesdropper. But, these things might not be enough in the near future to guarantee cyber security. We need something that provides unconditional security. We need quantum cryptography.
SUBHENDU BERA
take one of its states, or technically, polarize it. If you use a vertical polarizing filter, some photons will be absorbed, and some will emerge on the other side of the filter. Those photons that aren’t absorbed will emerge on the other side with a vertical spin. Thus, you can polarize the photons to your required orientation using suitable filters.
The foundation of quantum physics is the unpredictability factor. This unpredictability is pretty much defined by Heisenberg’s Uncertainty Principle. This principle says that certain pairs of physical properties are related in such a way that measuring one property prevents the observer from knowing the value of the other. But, when dealing with photons for encryption, Heisenberg’s Principle can be used to your advantage. When measuring the polarization of a photon, the choice of what direction to measure affects all subsequent measurements. The thing about photons is that once they are polarized, they can’t be measured accurately again, except by a filter like the one that initially produced their current spin. So if a photon with a vertical spin is measured through a diagonal filter, either the photon won’t pass through the filter or the filter will affect the photon’s behavior,
message is sent through the ordinary channel but encrypted by the secret key. The first step is called Quantum Key Distribution (QKD). In this step, Alice and Bob use the quantum channel for communication.
First, let’s imagine there is no Eve between Alice and Bob. Let’s assume that Alice is using two types of polarizer: one is a diagonal polarizer (X) and one a rectilinear polarizer (+). In a rectilinear basis, a photon with a spin “|” (that is, up to down) is considered as 1, and a “-” (that is,

to decode the qbits. If he uses the same basis, he will get the exact bit that Alice sent; otherwise, there is a 50% chance that he will get a wrong bit. For example, if Alice uses a diagonal basis to encode 1, and Bob also uses diagonal basis to decode that, then he will get a 1. If he uses a rectilinear basis, then there is a 50%

Table 1. Alice Sending the Secret Key 100101

                  ALICE          BOB
    Basis used    +,X,+,+,X,X    +,+,+,X,+,X
In Figure 6, the node with “**”, like C**, represents the nodes where Bob decoded the qbits correctly, and the node with “*”, like F*, represents the nodes where Bob decoded the qbits incorrectly. One question that may arise is why does Bob get 12.5% accuracy (in E,L) when he used the wrong basis? Remember that when you use a wrong basis to decode a qbit, there is a 50% chance that you will get a 0, and a 50% chance that you will get a 1. By this logic, Bob will have 12.5% accuracy from D. Similarly, in the case of I, when Bob has used the correct basis (with respect to Alice’s basis) but Eve already has changed the polarization of the qbits using the wrong basis, Bob has a 50% chance of being right and a 50% chance of being wrong. So overall, Bob gets 12.5% right qbits in I and 12.5% wrong qbits in J. Now they will match the basis they used for each qbit, and they will use the bits where Bob used the correct basis, and they will throw out the bits for which Bob used the wrong basis. Now they need to check whether Eve is listening. For that purpose, they will use a subset of the matched key (after throwing out the bits for which Bob used wrong basis) and compare with others using the normal channel. Bob will have 100% accuracy if Eve
is not there; otherwise, Bob will key is different, which means Eve is
have 75% accuracy in the basis between them. Then they will repeat
comparison. If the accuracy is 100%, the same procedure again until they
they will discard the set of bits they get a 100% key match. When they
used for matching, and the rest of get a key, they easily can encrypt the
the bit string will be used as the key message using the key and send it
to encrypt the message. If 100% via the public network.
accuracy is not observed, they will
TRY AGAIN TO GET A KEY USING 1+$ Limitations
In Table 2, Alice is sending a key of In practice, the quantum channel also
“01101011” to Bob using two types will be affected by noise, and it will
of polarization as stated above. be hard to distinguish between noise
Now Alice and Bob will compare and eavesdropping.
their basis, and they will find that If Eve wants, she can intercept the
Bob has guessed the 1st, 3rd, 7th quantum channel just to not allow
and 8th basis correctly. So they will Alice and Bob to communicate.
throw out the bits for the remaining No amplifiers are used on the
positions—that is, the 2nd, 4th, 5th optical fiber carrying the quantum
and 6th. Now the key is “0011”. signal. Such devices would disrupt the
They will choose the first two bits communication in the same way an
for matching, and then they will eavesdropper does. This implies, in
find that their second bit in the TURN THAT 1+$S RANGE IS LIMITED
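The procedure above, as an added worked example that is not part of the original article: a classical simulation of BB84 sifting and eavesdropper detection in Python. Photons are modelled as (basis, bit) pairs, Eve mounts an intercept-resend attack with a random basis, and the channel is assumed noise-free, so any mismatch in the sacrificed sample is attributed to Eve. The function names, the seeded randomness and the 50% sample size are the example's own choices.

```python
"""BB84 key agreement, simulated classically: random bases, public sifting,
and eavesdropper detection by sacrificing part of the sifted key.

A photon is the pair (basis, bit). Measuring it in the basis it was prepared
in returns the bit; measuring in the other basis destroys the information and
returns a uniformly random bit. Eve, when present, measures each photon in a
random basis and forwards a photon prepared in that basis with her result.
The channel is assumed noise-free (an assumption of this example), so any
disagreement in the sacrificed sample is taken as evidence of Eve.
"""
import random

BASES = ("+", "x")  # rectilinear and diagonal polarization bases


def measure(photon, basis, rng):
    """Bit obtained by measuring `photon` (prep_basis, bit) in `basis`."""
    prep_basis, bit = photon
    if prep_basis == basis:
        return bit            # same basis: the encoded bit is recovered
    return rng.randrange(2)   # wrong basis: 50% chance of either value


def sift(alice_bits, alice_bases, bob_bits, bob_bases):
    """Public basis comparison: keep the positions where the bases agree.

    Returns (alice_key, bob_key). The two differ only where Eve (or noise)
    disturbed a photon that Bob then measured in the correct basis.
    """
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_error(alice_key, bob_key, sample):
    """Compare the first `sample` sifted bits over the public channel.

    Those bits are then thrown away. Returns (error_rate, alice_rest, bob_rest).
    """
    checked = list(zip(alice_key[:sample], bob_key[:sample]))
    errors = sum(1 for a, b in checked if a != b)
    rate = errors / len(checked) if checked else 0.0
    return rate, alice_key[sample:], bob_key[sample:]


def run_bb84(n, eve, seed=0):
    """Run one BB84 exchange over `n` photons and report the outcome."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (a_basis, bit)
        if eve:
            e_basis = rng.choice(BASES)
            # Eve re-sends a photon in *her* basis carrying *her* result. Her
            # basis is wrong half the time, and then Bob's correct-basis
            # measurement is a coin flip: 25% errors in the sifted key overall.
            photon = (e_basis, measure(photon, e_basis, rng))
        bob_bits.append(measure(photon, b_basis, rng))
    alice_key, bob_key = sift(alice_bits, alice_bases, bob_bits, bob_bases)
    rate, alice_rest, bob_rest = estimate_error(alice_key, bob_key, len(alice_key) // 2)
    detected = rate > 0.0  # noise-free channel: any error means Eve
    return {
        "sifted": len(alice_key),
        "error_rate": rate,
        "eve_detected": detected,
        "key": None if detected else alice_rest,
        "keys_match": alice_rest == bob_rest,
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eve=eve)
        print(f"eve={eve}: sifted={r['sifted']} error_rate={r['error_rate']:.3f} "
              f"detected={r['eve_detected']}")
```

With Eve absent the sacrificed sample matches perfectly and the rest of the sifted string becomes the key; with Eve intercepting every photon, about a quarter of the sampled bits disagree (the 75% accuracy figure from the text) and the run is rejected. A real deployment has to set the rejection threshold above the channel's own noise floor, which is exactly the limitation the article goes on to describe.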
Resources
W. Chen, H.-W. Li, S. Wang, Z.-Q. Yin, Z. Zhou, Y.-H. Li, Z.-F. Han and G.C. Guo (2012).
“Quantum Cryptography”, Applied Cryptography and Network Security, Dr. Jaydip Sen (Ed.),
ISBN: 978-953-51-0218-2, InTech, available from http://www.intechopen.com/books/
applied-cryptography-and-network-security/quantum-cryptography
Quantum Computation and Quantum Information by Michael A. Nielsen and Isaac L. Chuang,
Cambridge University Press, 2011.
More Secure SSH Connections
Thwart would-be attackers by hardening your SSH connections.
FEDERICO KEREKI
File locations vary, but you can check /usr/lib/security or /lib/security (or read lib64 for lib, for 64-bit Linux) to see what modules you actually have. For more information on each module, try man followed by the module name (for example, man pam_access), but don't try to execute the modules from the command line, for they can't be run that way.
Listing 2. Adding pam_access.so to the account PAM checks lets you specify which users have SSH access to your machine.

account  required  pam_unix.so
account  required  pam_access.so
auth     required  pam_env.so
auth     required  pam_unix.so
auth     required  pam_nologin.so
password requisite pam_pwcheck.so nullok cracklib
password required  pam_unix.so use_authtok nullok
session  required  pam_limits.so
session  required  pam_unix.so
session  optional  pam_umask.so
Listing 4. Generating a public/private key pair with ssh-keygen is simple. Opt for using a passphrase for extra security.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fkereki/.ssh/id_rsa):
Created directory '/home/fkereki/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fkereki/.ssh/id_rsa.
Your public key has been saved in /home/fkereki/.ssh/id_rsa.pub.
The key fingerprint is:
<fingerprint> fkereki@fedora-xfce
The key's randomart image is:
[randomart image omitted]
password (so it can be determined by brute force or a dictionary attack), then your site will be compromised for so long as the attacker wishes. There's a safer way, by using public/private key logins, that has the extra advantage of requiring no passwords on the remote site. Rather, you'll have one part of the key (the "private" part) on your own machine and the other part (the "public" part) on the remote server. Others won't be able to impersonate you unless they have your private key, and it's computationally infeasible to calculate it from the public part. Without going into how the key pair is created, let's move on to using it.

First, make sure your sshd configuration file allows for private key logins. You should have PubkeyAuthentication yes in it (the OpenSSH releases current when this was written also accepted RSAAuthentication yes, which applies only to the obsolete protocol 1). If not, add the line and restart the service as described above. Without it, nothing I explain below will work. Then, use ssh-keygen to create a public/private key pair. By directly using it without any more parameters (Listing 4), you'll be asked in which file to save the key (accept the standard), whether to use a passphrase for extra security (more on this below, but you'd better do so), and the key pair will be generated. Pay attention to the name of the file in which the key was saved. You'll need it in a moment.

Now, in order to be able to connect to the remote server, you need to copy the public part over. If you search the Internet, many sites recommend directly editing certain files in order to accomplish this, but using ssh-copy-id is far easier. You just have to type
Listing 5. After generating your public/private pair, you need to use ssh-copy-id to copy the public part to the remote server.

$ ssh-copy-id -i /home/fkereki/.ssh/id_rsa.pub fkereki@<server>
The authenticity of host '<server>' can't be established.
RSA key fingerprint is <fingerprint>.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<server>' (RSA) to the list of known hosts.
fkereki@<server>'s password:

Note that this first connection asks you to accept the server's host key. Compare the fingerprint it shows with one you obtained out of band (from the server's console, for instance) before answering yes; otherwise someone sitting between you and the server could capture the password you type on the next line.
Listing 6. After you've copied the public key over, you can log in to the remote server without a password. You will have to enter your passphrase though, if you used one when generating the public/private pair.

$ ssh fkereki@<server>
Enter passphrase for key '/home/fkereki/.ssh/id_rsa':
Last login: Mon Jan ...
Light Final, built on March ... on Linux ...
You are working as fkereki
Frequently used programs:
Configuration: vasm
File manager: mc (press F... for useful menu)
Editor: mcedit, nano, vi
Multimedia: alsamixer, play
vector:/~
$ logout
Connection to <server> closed.
Listing 7. Using ssh-agent frees you from having to re-enter your passphrase.

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-Rvhhx.../agent....; export SSH_AUTH_SOCK;
SSH_AGENT_PID=...; export SSH_AGENT_PID;
echo Agent pid ...;
$ ssh-add
Enter passphrase for /home/fkereki/.ssh/id_rsa:
Identity added: /home/fkereki/.ssh/id_rsa (/home/fkereki/.ssh/id_rsa)
$ ssh fkereki@<server>
Last login: Mon Jun ... from ...
(the same message of the day as in Listing 6 follows)

The variables that ssh-agent prints must actually be set in your shell, or ssh-add and ssh won't find the agent; start it with eval "$(ssh-agent -s)" rather than by running ssh-agent on its own.
sshd configuration file and setting PasswordAuthentication no, but you'd better be quite sure everything's working, because otherwise you'll lock yourself out: keep your current session open and confirm that a key-based login succeeds from a second terminal before you restart sshd with the new setting. Be careful with UsePAM no as well. It does stop PAM from prompting for a password, but it also stops sshd from consulting the PAM stack at all, so the pam_access rules from Listing 2 will no longer apply. If you rely on them, leave UsePAM yes and set ChallengeResponseAuthentication no instead, which closes the keyboard-interactive password path while keeping the account checks.
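Before disabling passwords it is worth reading sshd_config the way sshd will read it. The following Python script is an added example, not the article's code: it resolves settings as sshd does (the first value given for a keyword wins; lines after a Match block are skipped here as a simplification, since they apply only to matching connections) and flags the combinations that either break key logins or leave a password path open, including the UsePAM no interaction with the pam_access module from Listing 2. The defaults table and the sample configuration are the example's own assumptions.

```python
"""Audit an sshd_config for key-only logins before you turn passwords off.

Settings are resolved the way sshd resolves them: the first value given for
a keyword wins and later duplicates are ignored. Lines after the first Match
block are skipped (a simplification: they apply only to matching
connections). DEFAULTS are OpenSSH's documented defaults of the 2014-era
releases; UsePAM's compiled-in default is "no" even though most
distributions ship it as "yes". Added example, not the article's code.
"""

DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "yes",
}

# Constructed sample: the settings the article tells you to end up with.
ARTICLE_CONFIG = """\
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
"""


def effective_settings(text):
    """Return {keyword_lowercase: value} as sshd would apply it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)
        if "=" in head[0]:                      # "Keyword=value" form
            key, value = head[0].split("=", 1)
            if not value and len(head) > 1:     # "Keyword= value"
                value = head[1]
        else:                                   # "Keyword value" form
            key, value = head[0], head[1] if len(head) > 1 else ""
        key = key.lower()
        if key == "match":
            break                               # conditional section begins
        settings.setdefault(key, value.strip())  # first occurrence wins
    return settings


def audit(text, pam_stack_uses_pam_access=False):
    """Return a list of findings; an empty list means the config is ready."""
    s = {**DEFAULTS, **effective_settings(text)}
    findings = []
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not yes: key logins will be refused")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords can still be guessed")
    if s["usepam"] == "yes" and s["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication with UsePAM yes: PAM can "
                        "still ask for a password through keyboard-interactive")
    if s["usepam"] == "no" and pam_stack_uses_pam_access:
        findings.append("UsePAM no: the pam_access rules in sshd's PAM stack are "
                        "never consulted")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: prefer 'no' (or 'without-password')")
    return findings


if __name__ == "__main__":
    for finding in audit(ARTICLE_CONFIG, pam_stack_uses_pam_access=True):
        print("-", finding)
```

Run it against the real file with audit(open("/etc/sshd_config").read(), True) while your current session is still open; only when it returns nothing should you restart sshd.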
Conclusion
There's no definitive set of security measures that can 100% guarantee that no attacker ever will be able to get access to your server, but adding extra layers can harden your setup and make the attacks less likely to succeed. In this article, I described several methods, involving modifying SSH configuration, using PAM for access control and public/private key cryptography for passwordless logins, all of which will enhance your security. However, even if these methods do make your server harder to attack, remember you always need to be on the lookout and set up as many obstacles for attackers as you can manage.

Federico Kereki is a Uruguayan systems engineer with more than 20 years of experience developing systems, doing consulting work and teaching at universities. He currently is working with a good jumble of acronyms: SOA, GWT, Ajax, PHP and, of course, FLOSS! Recently, he wrote the Essential GWT book, in which you also can find some security concerns for Web applications. You can reach Federico at fkereki@gmail.com.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
Resources
The SSH protocol is defined over a host of RFC (Request for Comments) documents; check
http://en.wikipedia.org/wiki/Secure_Shell#Internet_standard_documentation for a list.
Port numbers are assigned by IANA (Internet Assigned Numbers Authority), and you can go
to http://www.iana.org/assignments/port-numbers for a list.
The primary distribution site for PAM is at http://www.linux-pam.org, and the developers’
site is at https://fedorahosted.org/linux-pam.
For extra security measures, read “Implement Port-Knocking Security with knockd”, in the January
2010 issue of Linux Journal, or check it out on-line at http://www.linuxjournal.com/article/10600.
Encrypted Backup Solution: "Home Paranoia Edition"
How to safeguard your personal data with TrueCrypt and SpiderOak.
TIM CORDOVA
Figure 1. Setup screen for encrypting your home directory in Ubuntu during initial
operating system installation.
This article describes utilizing whole disk encryption to reduce some of the risks of running a great open-source Linux operating system (Ubuntu 12.10). Whole disk encryption is a key factor, especially when considering all of the recent events concerning stolen government laptops that contained millions of social security numbers. The next key step in safeguarding

Figure 2. If encrypting your home folder was missed during initial installation, use ecryptfs-utils to encrypt your home directory.
Figure 6. After the create volume button is selected, you will be presented with two options
for creating an encrypted file container or creating a volume within a partition/drive.
Figure 7. The next menu item gives you the option of creating a standard or hidden volume.
Figure 8. After the standard volume is selected, the next options are to select the
encryption and hash algorithms, and size of the volume.
Figure 10. The backup tab in the SpiderOak application allows you to select your
encrypted volume.
Figure 11. A SpiderOak application status and backup menu provides a means to
back up your encrypted volume automatically in specified intervals.
I've been building computers since the 1990s, so I've seen a lot of new technologies work their way into the mainstream. Most were the steady, incremental improvements predicted by Moore's law, but others were game-changers, innovations that really rocketed performance forward in a surprising way. I remember booting up Quake after installing my first 3-D card: what a difference! My first boot off a solid-state drive (SSD) brought back that same feeling: wow, what a difference!

However, at a recent gathering of like-minded Linux users, I learned that many of my peers hadn't actually made the move to SSDs yet. Within that group, the primary reluctance to try a SSD boiled down to three main concerns:

• I'm worried about their reliability; I hear they wear out.

• I'm not sure if they work well with Linux.

• I'm not sure an SSD really would make much of a difference on my system.

Luckily, these three concerns are based either on misunderstandings, outdated data, exaggeration or are just not correct.
information there are six states, so the distances between each voltage

Est. Lifespan (y) = SSDCapacity (GB) * (WriteLimit based on cell type)
                    / (DailyWriteRate (GB/day) * WriteAmplification * 365 (days/yr))
gives the drive a chance to do the slow overwriting procedures in the background, ensuring that you always have a large pool of empty 4k pages at your disposal.

Linux TRIM support is not enabled by default, but it's easy to add. One catch is that if you have additional software layers between your filesystem and SSD, those layers need to be TRIM-enabled too. For example, most of my systems have an SSD, with LUKS/dm-crypt for whole disk encryption, LVM for simple volume management and then, finally, an ext4 formatted filesystem. Here's how to turn on TRIM support, starting at the layer closest to the drive.

dm-crypt and LUKS: If you're not using an encrypted filesystem, you can skip ahead to the LVM instructions. TRIM has been supported in dm-crypt since kernel 3.1. Modify /etc/crypttab, adding the discard keyword for the devices on SSDs:

# <target name> <source device> <key file> <options>
sda_crypt UUID=<uuid> none luks,discard

Note: enabling discard on an encrypted device leaks information. Anyone who gets hold of the drive can see which blocks are unused, and therefore how much data the volume holds and roughly how the filesystem is laid out; hidden volumes also become detectable. It does not make the encryption key itself any easier to brute-force, but if that pattern leakage matters to you, leave discard off and accept the write-speed penalty.

LVM: If you're not using LVM, you can skip ahead to the filesystem section. TRIM has been supported in LVM since kernel 2.6.36. In the "devices" section of /etc/lvm/lvm.conf, add a line issue_discards = 1:

devices {
    ...
    issue_discards = 1
    ...
}

Filesystem: Once you've done any required dm-crypt and LVM edits, update initramfs, then reboot:

sudo update-initramfs -u -k all

Although Btrfs, XFS, JFS and ext4 all support TRIM, I cover only ext4 here, as that seems to be the most widely used. To test ext4 TRIM support, try the manual TRIM command: fstrim <mountpoint>. If all goes well, the command will work for a while and exit. If it exits with any error, you know there's something wrong in the setup between the filesystem and the device. Recheck your LVM and dm-crypt setup. Here's an example of the output for / (which is set up for TRIM) and /boot (which is not):

~$ sudo fstrim /
~$ sudo fstrim /boot
fstrim: /boot: FITRIM ioctl failed: Inappropriate ioctl for device

If the manual command works, you can decide between using the automatic TRIM built in to the ext4 filesystem or running the fstrim command. The primary benefit of using automatic TRIM is that you don't have to think about it, and it nearly instantly will

Regardless of whether you use the discard option, you probably want to add the noatime option to /etc/fstab. With strict atime, each time a file is read its access time is written back to the disk, consuming some of your precious write cycles. (Kernels since 2.6.30 default to relatime, which already limits those updates, and some tutorials ask you to include nodiratime too, but noatime is sufficient, as it covers directories as well.) Because most applications don't use the atime timestamp, turning it off should improve the drive's longevity:

/dev/mapper/baldy-lvroot / ext4 noatime,discard,errors=remount-ro
• Motherboard: Gigabyte.

• RAM: 8GB (2x4GB) of 1333 DDR3.

• OS: Ubuntu 12.04 LTS (64-bit, kernel 3.5.0-39).

• SSD: OCZ Vertex.

• HDD: 1TB Samsung Spinpoint F3, 7200 RPM, 32MB cache.

I picked a set of ten tests to try to showcase some typical Linux operations. I cleared the disk cache after each test with echo 3 | sudo tee /proc/sys/vm/drop_caches and rebooted after completing a set. I ran the set five times for each drive, and plotted the mean plus a 95% confidence interval on the bar charts shown below.

Boot Times: Because I'm the only user on the test workstation and use whole-disk encryption, X is set up with automatic login. Once cryptsetup prompts me for my disk password, the system will go right past the typical GDM user login to my desktop. This complicates how to measure boot times, so to get the most accurate measurements, I used the bootchart package that provides a really cool Gantt chart showing the boot time of each component (partial output shown in Figure 4). I used the Xorg process start to indicate when X starts up, the start of the Dropbox panel applet to indicate when X is usable and subtracted the time spent in cryptsetup (its duration depends more on how many tries it takes me to type in my disk password than how fast any of the disks are). The SSD crushes the competition here.

Figure 5. Boot Times
The Net as we know it today first became visible to me in March 1994, when I was among several hundred other tech types gathered at Esther Dyson's PC Forum conference in Arizona. On stage was John Gage (http://en.wikipedia.org/wiki/John_Gage) of Sun Microsystems, projecting a Mosaic Web browser (http://en.wikipedia.org/wiki/Mosaic_(web_browser)) from a flaky Macintosh Duo (http://en.wikipedia.org/wiki/PowerBook_Duo), identical to the one on my lap. His access was to Sun over dial-up.

Everybody in the audience knew about the Net, and some of us had been on it one way or another, but few of us had seen it in the fullness John demonstrated there. (At that date, there were a sum total of just three Internet Service Providers.) James Fallows (http://www.theatlantic.com/james-fallows) was in the crowd, and he described it this way (http://listserv.aera.net/scripts/wa.exe?A2=ind9406&L=aera-f&D=0&P=351) for The Atlantic:

In the past year millions of people have heard about the Internet, but few people outside academia or the computer industry have had a clear idea of what it is or how it works. The Internet is, in effect, a way of combining computers all over the world into one big computer, which you seemingly control from your desk. When connected to the Internet, you can boldly prowl through computers in Singapore, Buenos Aires, and

things we can do on the Net, our freedom to act independently has declined. The browser that started out as a car on the "information superhighway" has become a shopping cart that gets re-skinned with every commercial site it visits, carrying away tracking beacons that report our activities back to centralized servers over which we have little if any control. The wizards among us might be adept at maintaining some degree of liberty from surveillance, but most muggles are either clueless about the risks or make do with advertising and tracking blockers. This is less easy in the mobile world, where apps are more rented than owned, and most are maintained by vendor-side services. Thus, we've traded our freedom for the conveniences of centralization.

The cure for that is decentralization: making the Net personal, like it promised to be in the first place, and still is, deep down.
It should help to remember that the Web is polycentric while the Net is decentralized. By polycentric, I mean server-based: every server is a center. So, even though Tim Berners-Lee wanted the Web to be what he called "a distributed hypertext system" for "universal linked information" (http://www.w3.org/History/1989/proposal.html), what he designed was servers "generating a hypertext representation", as shown in Figure 1. Today this looks like your e-mail on a Google server, or your photos on Instagram or your tweets on Twitter. There's nothing wrong with any of those, just something missing: your independence and autonomy.

Meanwhile, the Net beneath the Web remains decentralized: a World of Ends (http://worldofends.com) in which every end is a functional distance of zero from every other end. "The end-to-end principle is the core architectural guideline of the Internet" says RFC 3724. Thus, even though the Internet is a "collection of networks", what collects them are the transcendent purposes of the Net's ends, which consist of you, me, Google and every other node.

Figure 2. It helps to think of the Net as the ground we walk and drive on, and the Web as clouds in the sky.

If you want to grok the problems of centralization fully, and their threat to personal freedom, to innovation and to much else, watch, listen to or read Eben Moglen's lectures titled "Snowden and the Future" (http://snowdenandthefuture.info), given in November and December 2013 at Columbia University, where Eben has been teaching law for 26 years. The lectures are biblical in tone and carry great moral weight. For us in the Linux community, they are now in the canon.

What Eben calls for is not merely to suffer the problems of centralization, but to solve them. This requires separating the Net and the Web. For me, it helps to think of the Net as the ground we walk and drive on, and the Web as clouds in the sky, as I've illustrated with the photo in Figure 2.

There are many possibilities for decentralized solutions on the Net's ground, and I hope readers will remind us of some. Meanwhile, I'll volunteer a pair I've been watching lately. One is TeleHash, and the other is XDI.

TeleHash (http://telehash.org) is the brainchild of Jeremie Miller, father of Jabber and the XMPP protocol for instant messaging. Its slogan is "JSON + UDP + DHT = Freedom", and it is described as "a new wire protocol enabling applications to connect privately in a real-time and fully distributed manner, freeing them from relying on centralized data centers". The rest of the index page says:

What
It works by sending and receiving small encrypted bits of JSON (with optional binary payloads) via UDP using an efficient routing system based on Kademlia (http://en.wikipedia.org/wiki/Kademlia), a proven and popular Distributed Hash Table.

Demo
It's very much in the R&D stages yet, but check out hash-im (https://github.com/quartzjer/hash-im) for a simple demo.