
HOW TO HARDEN YOUR SSH CONNECTIONS

SECURITY
Since 1994: The Original Magazine of the Linux Community
JANUARY 2014 | ISSUE 237 | www.linuxjournal.com

ENCRYPTED BACKUP SOLUTIONS With TrueCrypt and SpiderOak
TAKING ADVANTAGE OF ENCRYPTION
An Introduction to QUANTUM CRYPTOGRAPHY
TIPS FOR USING TOR
THE PAX ARCHIVING UTILITY
Browse the Web Anonymously

+ SOLID-STATE DRIVES: Are They Worth It?

LJ237-Jan2014.indd 1 12/17/13 3:42 PM




CONTENTS JANUARY 2014
ISSUE 237

SECURITY

FEATURES

68 Quantum Cryptography
Classical cryptography may not be good enough in providing security in the near future.
Subhendu Bera

80 More Secure SSH Connections
Secure shell connections can be hardened for extra security.
Federico Kereki

94 Encrypted Backup Solution “Home Paranoia Edition”
A solution for safeguarding your personal information.
Tim Cordova

Cover Image © Can Stock Photo Inc. / maxkabakov

ON THE COVER
• How to Harden Your SSH Connections
• Encrypted Backup Solutions with TrueCrypt and SpiderOak
• An Introduction to Quantum Cryptography
• Tor: Browse the Web Anonymously
• Taking Advantage of Encryption
• Tips for Using the pax Archiving Utility
• Solid-State Drives—Are They Worth It?



INDEPTH

108 Solid-State Drives—Get One Already!
If you’ve been on the fence, this article should convince you to give SSDs a try.
Brian Trapp

COLUMNS

36 Reuven M. Lerner’s At the Forge
Talking to Twitter

44 Dave Taylor’s Work the Shell
Easy Watermarking with ImageMagick

50 Kyle Rankin’s Hack and /
A Bundle of Tor

56 Shawn Powers’ The Open-Source Classroom
Encrypting Your Cat Photos

120 Doc Searls’ EOF
Returning to Ground from the Web’s Clouds

Illustrated: 26 MANDELBULBER, 50 TOR, 94 TRUECRYPT

KNOWLEDGE HUB

106 Webcasts and White Papers

IN EVERY ISSUE

8 Current_Issue.tar.gz
10 Letters
16 UPFRONT
34 Editors’ Choice
64 New Products
125 Advertisers Index

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.



Executive Editor Jill Franklin
jill@linuxjournal.com
Senior Editor Doc Searls
doc@linuxjournal.com
Associate Editor Shawn Powers
shawn@linuxjournal.com
Art Director Garrick Antikajian
garrick@linuxjournal.com
Products Editor James Gray
newproducts@linuxjournal.com
Editor Emeritus Don Marti
dmarti@linuxjournal.com
Technical Editor Michael Baxter
mab@cruzio.com
Senior Columnist Reuven Lerner
reuven@lerner.co.il
Security Editor Mick Bauer
mick@visi.com
Hack Editor Kyle Rankin
lj@greenfly.net
Virtual Editor Bill Childers
bill.childers@linuxjournal.com

Contributing Editors
Ibrahim Haddad, Robert Love, Zack Brown, Dave Phillips, Marco Fioretti, Ludovic Marcotte, Paul Barry, Paul McKenney, Dave Taylor, Dirk Elmendorf, Justin Ryan, Adam Monsen

Publisher Carlie Fairchild
publisher@linuxjournal.com
Director of Sales John Grogan
john@linuxjournal.com
Associate Publisher Mark Irgang
mark@linuxjournal.com
Webmistress Katherine Druckman
webmistress@linuxjournal.com
Accountant Candy Beauchamp
acct@linuxjournal.com

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc.
PO Box 980985, Houston, TX 77098 USA

Editorial Advisory Panel
Brad Abram Baillio, Nick Baronian, Hari Boukis, Steve Case, Kalyana Krishna Chadalavada, Brian Conner, Caleb S. Cullen, Keir Davis, Michael Eager, Nick Faltys, Dennis Franklin Frey, Alicia Gibb, Victor Gregorio, Philip Jacob, Jay Kruizenga, David A. Lane, Steve Marquez, Dave McAllister, Carson McDonald, Craig Oda, Jeffrey D. Parent, Charnell Pugsley, Thomas Quinlan, Mike Roberts, Kristin Shoemaker, Chris D. Stark, Patrick Swartz, James Walker

Advertising
E-MAIL: ads@linuxjournal.com
URL: www.linuxjournal.com/advertising
PHONE: +1 713-344-1956 ext. 2

Subscriptions
E-MAIL: subs@linuxjournal.com
URL: www.linuxjournal.com/subscribe
MAIL: PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.



Current_Issue.tar.gz

Lapsang Souchong!
SHAWN POWERS

Back when we were kids, “security” meant little more than having a secret password to keep little siblings out of the treehouse. That’s still the case in some situations. Take the title of this column, for instance. If you go to the #linuxjournal IRC channel on FreeNode, saying “Lapsang Souchong” will mark you as part of the inner circle. (Note, this does not make you one of the cool kids...possibly the exact opposite!)

When it comes to computer security, however, things are quite a bit more complex. Whether you want to encrypt your data or lock down network access, Linux provides a wide variety of security tools. This month, we focus on using those tools in our Security issue.

Reuven M. Lerner starts off the issue with instructions on how to integrate Twitter into your applications. Whether you need your app to tweet results, error messages or automatic cat photos, Reuven walks through implementing the API. Dave Taylor follows up with a tutorial on using the ImageMagick suite to watermark and copyright photos. Since I use ImageMagick extensively with my BirdCam project (which you’ll hear more about in a month or so), I found his column particularly interesting. If you need to work with photos, especially if direct interaction isn’t possible, Dave’s column will be interesting for you too.

Kyle Rankin gets into the security mindset this month by approaching privacy. Specifically, he explains how to set up Tor in order to browse the Web in private. Tor is just as useful as it once was, but thankfully, it’s gotten easier and easier to implement. I follow Kyle’s column with The Open Source Classroom, and this month, I talk about file encryption. Many people are intimidated by the notion of encryption, but it doesn’t have to be scary. This month, we’ll do just enough encryption to wet your whistle, and hopefully get you interested in learning more.

Although I may have introduced encryption in my column, Subhendu Bera takes things to a whole new level with quantum cryptography. Mathematics-based encryption is complex, for sure, but will it be enough as technology advances? Subhendu gives an explanation of


quantum cryptography and a quick lesson in quantum mechanics as well. If you’re interested in the future of cryptography, you’ll love his article.

Remember Telnet? Telnet has been replaced in almost every situation by the much more secure SSH protocol. Granted, there still are a few situations that warrant the use of Telnet, but those generally are inside your network and never over the Internet. Just switching to SSH, however, isn’t enough to ensure that you’re secure. Sure, the connection itself is encrypted, but what if you have a user with a simplistic password? Or a script kiddie scanning for vulnerabilities? Federico Kereki describes how to harden SSH this month, making the wonderful and flexible SSH protocol a little safer to use. Whether you want to limit your allowed users or disable password connections altogether, Federico’s article will guide you down the path of better SSH.

I may have started this issue with the basics of file and disk encryption, but if you are looking for more, Tim Cordova is about to be your favorite person. Going far beyond single file or even removable drive encryption, Tim shows how to encrypt your entire hard drive. Then, Tim goes even further and explains how to configure TrueCrypt in conjunction with SpiderOak to make sure your data is not only encrypted, but backed up as well! If you’re interested in privacy and encryption, don’t miss this article.

We finish off the security issue with Brian Trapp’s article on solid-state drives. SSDs have been around for a number of years now, and we’re finally to the point that we can provide some longevity statistics and reliability information. Have you been avoiding SSDs because you thought they would wear out? Did you think they had a significantly higher failure rate? Were you worried that you need Windows-specific drivers to make them work? Brian assuages many of those fears and validates those that are valid. SSDs are fast, and they can provide an incredible performance boost in most situations. You owe it to yourself to see if your scenario warrants an SSD. Brian’s article will help.

This issue also contains tons of other Linux goodies. We have product announcements, opinion pieces and even fractals. You don’t have to be one of the cool kids to enjoy this issue of Linux Journal, but it helps to be one of the smart kids. Thankfully, our readers tend to have that attribute in plentiful supply. We hope you enjoy this issue as much as we enjoyed putting it together.

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.



letters

rss2email—Excellent Article
Thanks to Kyle Rankin for his “Command-Line Cloud rss2email” article in the October 2013 issue. I’ve been lamenting my “loss” of RSS feeds for some time, and this is a perfect solution!
—Steve Hier

I love that Linux affords us multiple solutions to our tech problems. I’ve tried a handful of Google Reader alternatives (settling on commafeed), but I love seeing how other people tackle the problem as well. Kyle’s penchant for simplicity certainly comes through with his preference for rss2email. I’m pretty sure Kyle would be happy with just a constant stream of 1s and 0s, but he’s not quite willing to admit it!—Shawn Powers

LVM, Demystified
Regarding Shawn Powers’ article “LVM, Demystified” in the December 2013 issue: I’ve been a fan of LVM2 from the beginning. (LVM1 really wasn’t ready for Prime Time.)

You said in your article “LVM is an incredibly flexible, ridiculously useful and not terribly complicated to use system.” I agree totally. However, it is not without its idiosyncrasies.

If you do a followup article, you may mention a few things.

1) There was a bug where trying to pvmove an entire volume with multiple LVs on it sometimes hung up LVM (at least the progress of the move), necessitating a reboot. The recommendation if you had a level with this bug was to move each LV individually.

This had the side benefit of allowing you to “defragment” the segments of your LV (by moving the segments in order and filling each PV). This makes no difference to performance,


but makes it easier to see “what you have where”. Tedious, but it makes the neat freak in me happy.

The Red Hat Advisory was RHBA …, Bugzilla BZ …:

2) The metadata present on each PV now eats up a PE (that is, in your case, “not usable 3.00 MiB”, but it’s usually 4MB), and it is a good practice to have metadata on every PV! That means that, for example, if you have 5 * 100GB PVs, you don’t have 500GB to use, you have 499.9something GB—that is, 500GB minus 20MB (5 PEs, each 4MB in size). This is a problem mainly with SAN LUNs, as they are usually precisely some size.

This means that if you allocated -L 500G, it would fail, telling you that you were slightly short of what you needed. A subsequent -l 15980 would give you almost 500GB and would work. (I think I have my math right here, but you get the picture.)

3) lvdisplay --maps ... and pvdisplay --maps are your best friends if you want to understand basic LVM.

4) Don’t try to pvmove a swap volume. Simply allocate a new one and delete the old one.

Excellent article. It’s not an easy concept to get across to the novice, but once you understand it, it seems so simple.
—Tom Lovell

It’s always tough for me to decide


how far to travel down the rabbit hole when approaching a topic like LVM. By sysadmin standards, I’m a noob myself, since I avoided LVM for so long. I figured it was worthwhile to bring folks up to my comprehension level, even if I wasn’t a zen master.

I said all that to say that I really, really appreciate letters like yours. Not only do I get to learn more, but it benefits everyone who reads Linux Journal as well. And, now I get to go play with more LVM stuff!—Shawn Powers

Bird Feeder
Shawn Powers’ bird-feeder article (see “It’s a Bird. It’s Another Bird!” in the October 2013 issue) was one of the most appealing I’ve read in LJ since 1994. It’s something I often contemplated, but never got beyond that. Many thanks for pointing the way.

An FYI, I alone have turned about six people into active viewers, so I do hope you have plenty of capacity, if only so I don’t get locked out now. It’s a very pleasant diversion. And you’ve put out a great bird buffet. Based on my own feeders, you will be kept quite busy keeping them full as word spreads in bird land. And of course, one really has to keep doing it throughout the winter now, as some birds become dependent on them.
—Bob Kline

It was my favorite article to write, up there with the article on the arcade cabinet I built and submitted back when I was a freelancer. I’m starting a followup article now, which will probably be published...hmm...in February? I’ve been tinkering with BirdCam, adding multiple cameras, motion detection with “motion”, archive video creation—all sorts of cool stuff.

Thank you for the e-mail. I’m really glad you enjoyed the article and the camera. I have it scaled out to my Dreamhost account, so it should be able to handle lots of hits. I zoomed in the camera closer to the feeders (you probably noticed), and embedded the window cam and a closeup of the bird bath. It’s so funny to see the starlings in the bird bath. I might point a camera there to capture video!—Shawn Powers

Linux Archive DVD
I would be very tempted by the Archive DVD, if there were PDF or Mobi versions of the back issues available on the Archive. I love the


idea of using grep to search the HTML versions, but it would be nice to send an issue (once found) to your favorite reading device.

I know matching the original print format with a digital format is a painstaking process. Maybe you could make it clear it is an approximation or use a new “different” automated format for the back issues?

The digital versions of the back issues would be useful for LJ readers who have become accustomed to carrying our LJ issues on Kindles, tablets or phones.
—Rob

The Archive DVD used to confuse and frustrate me as well. I thought it was a simple collection of past issues that I’d be able to flip through like a pile of magazines. It’s grown on me over the years, however, because I see it as more of a collection of articles unbound from the magazine format. Organization is still by issue, yes, but clicking through is a different experience.

Subscribers have access to back issues in whatever digital format is available (all formats for issues going back to September 2011, and PDFs of all formats from April 2005). We don’t, unfortunately, have digital versions going all the way back, but those that exist should be accessible on your subscriber page. Hopefully that helps!—Shawn Powers

iPad App Issues
I’ve been using my iPad for viewing the digital subscription since the printed version ceased to exist. I think there needs to be a major update to your newsstand app. I’ve downloaded every issue to my iPad, but I cannot view any of the downloaded issues without an active Internet connection. For some reason, this evening I’m not able to connect to whatever service controls your downloads. Not only can I not download the latest issue, but I cannot view/read any of my existing already-downloaded issues! Reading my previously downloaded issues should not rely on nor require an active connection to anything. When I’m not having a problem connecting to your servers, all my downloaded issues say “Read” next to them; when I am having an issue, they all switch back to “Download”. Please address this issue as soon as possible. Having to give up my


print issues was hard enough, but this just compounds the problem.

Thanks for a great magazine!
—Jon Simonds

I don’t have an iPad personally, but I’ve noticed with my wife’s that the iOS7 implementation of Newsstand, at least as it pertains to the Linux Journal app, is frustrating at best. To be honest, I download either the .epub or .pdf directly and peruse the issue from there. We’ll work with our vendor to try to get things working right with Newsstand, but I expect the process to be lengthy and frustrating! The downloadable copies you get links for as a subscriber should load right into the iBooks app if you’re having issues with the Newsstand app. Hopefully, things will be straightened out soon. I have found in the past that deleting and then re-installing the Linux Journal app sometimes helps as well.—Shawn Powers

WRITE LJ A LETTER
We love hearing from our readers. Please send us your comments and feedback via http://www.linuxjournal.com/contact.

PHOTO OF THE MONTH
Remember, send your Linux-related photos to ljeditor@linuxjournal.com!



UPFRONT NEWS + FUN

diff -u
WHAT’S NEW IN KERNEL DEVELOPMENT

A recent bug hunt by kernel developers ended up identifying a long-standing bug in GCC. The indications were there from the start, but it took some investigation to nail it down.

Originally, Fengguang Wu reported a kernel oops, and used “git bisect” to identify the specific patch that revealed the problem. It was an optimization suggested by Linus Torvalds and implemented by Peter Zijlstra that aimed at freeing up a hardware register by using the “asm goto” instruction in the kernel’s modify_and_test() functions.

The first indication that the problem might boil down to a compiler bug was that the patch just seemed correct to folks. Neither Peter nor Linus were able to see anything wrong with it, so they suggested trying to reproduce the oops on kernels compiled with different versions of GCC, and Linus suggested disabling “asm goto” directly to see if that had any effect.

At first, Fengguang found that earlier compilers made no difference. He’d started off using GCC 4.8.1, but 4.6.1 also produced a kernel that would reproduce the oops. But as Linus suspected, disabling “asm goto” in the kernel code did fix the problem. After a while, Fengguang also discovered that the older GCC version 4.4.7 also produced a working kernel, because that compiler had no support for “asm goto”.

Gradually, other folks began to be able to reproduce the problem on their own systems. Originally, the issue seemed to affect only 32-bit Linux systems, but ultimately, Linus was able to reproduce the problem on his own 64-bit system. It was harder to trigger on a 64-bit system, but it boiled down to being the same problem. As the scope of the problem began to reveal itself, Linus remarked, “It makes me nervous about all our traditional uses of asm goto too, never mind the new ones.”

Jakub Jelinek opened a Bugzilla ticket against GCC, and folks started thinking about workarounds for the kernel. Even after GCC got a fix for this


particular bug, it wouldn’t do to allow the kernel to miscompile on any version of GCC, if it possibly could be avoided. A workaround did end up going into the next Linux kernel release candidate, and a fix went into GCC 2.8.2. Shortly afterward, Greg Kroah-Hartman also adopted the kernel workaround in the 3.11.x stable tree.

The reason the kernel needed a workaround in spite of the fact that a real fix went into GCC was because the kernel needs to support the widest possible dispersion of host systems. Anyone, anywhere, with any particular hardware setup, using any particular versions of the various development tools, should be able to build and run the kernel. In some cases that ideal can’t be reached, but it remains an ideal nonetheless.

Traditionally, software could mount a filesystem only after registering it with the kernel, so the kernel would know its name and a bit about how to manage it. This has been true even for internal filesystems like ia64, pfmfs, anon_inodes, bdev, pipefs and sockfs. But, Al Viro recently said there was no longer any reason to require registration for these filesystems, and he submitted a patch to take out the requirement.

First of all, he and Linus Torvalds agreed that there probably isn’t any user code that actually looks up those filesystems in the registry. There’s just no reason anyone would want to.

As Al explained on the mailing list, there used to be a need to register all filesystems. But about a decade ago, the kern_mount() call changed to take only a pointer to the filesystem, rather than needing to look it up by name.

Ever since then, the need to register these internal filesystems has been minimal. The only remaining dependency was a single data structure initialized by register_filesystem() that was needed by all filesystems. But, Al said that even this dependency was eliminated a couple years ago, when the data structure was optimized no longer to need register_filesystem(). By now, Al said, “there’s no reason to register the filesystem types that can only be used for internal mounts.”

With this change, /proc/filesystems would no longer list internal filesystems. And as Linus pointed out, those filesystems wouldn’t reliably be listed anywhere on the system. Even /proc/modules, Linus said, would list those filesystems only if they’d been compiled as modules.

So, with some mild trepidation, Linus accepted the patch. If no one howls, it’ll probably stay. —ZACK BROWN


Blu-ray Encryption—Why Most People Pirate Movies

I get a fair amount of e-mail from readers asking how a person could do “questionable” things due to limitations imposed by DRM. Whether it’s how to strip DRM from ebooks, how to connect to Usenet or how to decrypt video, I do my best to point folks in the right direction with lots of warnings and disclaimers. The most frustrating DRM by far has been with Blu-ray discs. Unless I’ve missed an announcement, there still isn’t a “proper” way for Linux users to watch Blu-ray movies on their computers. It’s hard enough with Windows or Macintosh, but when it comes to Linux, it seems that turning to the dark side is the only option. In the spirit of freedom, let me point you in the direction of “how”, and leave it up to you to decide whether it’s a road you want to travel.

When ripping a movie from Blu-ray, I know of only one program that can do the job. MakeMKV is a cross-platform utility that will extract the full, uncompressed movie from most Blu-ray discs. Unfortunately, you have to download the source code and compile it. You need both the binaries and the source download files, and then follow the included directions for compiling the software. Yes, it’s a bit complex.

Once you compile MakeMKV, you should be able to use it to extract the Blu-ray disc to your computer. Be warned, the file is enormous, and you’ll most likely want to compress it a bit. The tool for that thankfully is much easier to install. Handbrake has been the de facto standard video encoding app for a long time, and when paired with MakeMKV, it makes creating playable video files close to painless. I won’t go through the step-by-step process, but if the legally questionable act of ripping a Blu-ray disc is something you’re comfortable doing, http://www.makemkv.com and http://www.handbrake.fr are the two software packages you’ll want to explore. —SHAWN POWERS


Non-Linux FOSS: Persistence of Vision Raytracer (POV-Ray)

Back in the mid-1990s, a college friend (hi Russ!) and I would put our old 8088 computers to work rendering ray-traced images for days—literally. The end result would be, by today’s standards, incredibly low resolution and not terribly interesting. Still, the thought of a computer system creating realistic photos from nothing more than math equations was fascinating. As you probably already guessed, Russ and I weren’t terribly popular.

This image is completely computer-generated, created by Gilles Tran, released into public domain.

All these years later, the same ray-tracing software we used back then is now up to version 3.7, and it has been released as free, open-source software. The developers kindly have created a downloadable Windows installer for those folks stuck on a Microsoft operating system. If you think the world is nothing more than math, and you’d like to prove it with ray-traced images, head on over to http://www.povray.org and download your copy today. I can’t promise it will make you popular, but at least by my standards, it will make you cool! —SHAWN POWERS


Stream and Share Your Media with PlexWeb

Plex is one of those applications I tend to write about a lot. It’s not because I get any sort of kickback or even a discount, but rather it’s just an incredible system that keeps getting better. For this piece, I want to talk about PlexWeb, which functions much like the Android app I’ve mentioned before, but works completely inside a Web browser—almost any Web browser, on any operating system.

You can access PlexWeb by surfing to http://my.plexapp.com and logging in with your free account. (If you have a static IP at home, you also can connect directly to your home server by bookmarking the URL generated by plexapp.com.) You will be redirected to your home server, and you’ll be able to transcode and stream your movies to any computer, anywhere.

I freely admit that I wish Plex was open source. Thankfully, however, its proprietary code doesn’t mean Linux users are excluded. Whether you’re using the Plex app on your Android device, installing Plex Home Theater on your Linux machine or even streaming video to your Aunt Edna’s Web browser while visiting over the holidays, Plex is an incredible tool that keeps getting better. PlexWeb is free, but if you’re interested in experiencing the latest and greatest Plex has to offer, a PlexPass subscription will get you access to features like Cloud Sync before anyone else gets to see them! To get started with Plex, visit the Web site at http://www.plexapp.com. —SHAWN POWERS


Make Peace with pax

pax is one of the lesser known utilities in a typical Linux installation. That’s too bad, because pax has a very good feature set, and its command-line options are easy to understand and remember. pax is an archiver, like tar(1), but it's also a better version of cp(1) in some ways, not least because you can use pax with SSH to copy sets of files over a network. Once you learn pax, you may wonder how you lived without it all these years.

pax has four modes: list, read, write and copy. Reading and writing are controlled by the -r and -w options, respectively. In combination, -rw, pax acts a little bit like cp -R. If neither is used, pax lists the contents of the archive, which may be a file, device or a pipe.

By default, pax operates as a filter: it reads from standard input and writes to standard output, a feature that turns out to be very useful. But usually these days, the target is an archive file, the familiar tarball. Let’s start by creating one:

$ cd /tmp
$ mkdir paxample
$ touch paxample/foo
$ pax -wf paxample.tar paxample

The -w option means “write”—that is, create an archive. The -f option provides the name of a file to which to write the archive. If desired, pax can gzip or bzip2 the file at the same time:

$ pax -wzf paxample.tar.gz paxample

Like most tar implementations, pax, by default, uses the POSIX ustar file format. Because pax was born of a desire to unify archive file formats, many other formats also are supported, but in practice, they’re seldom used. Likely as not, any .tar.gz file you download from the Internet actually will be a ustar archive:

$ pax -wzf paxample.tar.gz paxample
$ file paxample.tar*
paxample.tar: POSIX tar archive
paxample.tar.gz: gzip compressed data

The first thing you nearly always want to know about any archive is what’s in it. Listing the contents is the default action in the absence of either a -r or -w option:

$ pax -f paxample.tar
paxample
paxample/foo
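Because list mode is cheap, it is also the right moment to ask what an archive you did not create would do when you read it: a member whose stored name is absolute, or contains a ".." component, is written outside the directory you extract into. The following Ruby is an added example, not code from the article or from pax itself. It checks a listing exactly as `pax -f archive` prints it (one member name per line) and only then runs `pax -r`; the listing it checks on its own is constructed here, and the two hostile names in it are invented for the demonstration.

```ruby
# Added example, not part of the article. It works on the member names that
# `pax -f archive` prints in list mode, one per line, exactly as stored.

# A member name is unsafe when extraction would not stay under the target
# directory: an absolute name ignores the directory you extract into, and a
# ".." component climbs out of it.
def unsafe_archive_member?(member)
  path = member.chomp
  return true if path.start_with?("/")
  path.split("/").include?("..")
end

# Returns the offending member names from a listing (empty when all are fine).
def unsafe_archive_members(listing)
  listing.each_line.map(&:chomp).reject(&:empty?).select { |m| unsafe_archive_member?(m) }
end

# Lists the archive with pax, refuses to extract if any member is unsafe, and
# otherwise extracts into dest with `pax -rf`. Returns the rejected names, so
# an empty array means the extraction ran.
def safe_pax_extract(archive, dest)
  listing = IO.popen(["pax", "-f", archive], &:read)
  raise "pax could not list #{archive}" unless $?.success?
  rejected = unsafe_archive_members(listing)
  return rejected unless rejected.empty?
  system("pax", "-rf", File.expand_path(archive), chdir: dest) or raise "pax -r failed for #{archive}"
  rejected
end

# Constructed listing for a stand-alone run: the first two lines mirror the
# article's paxample.tar, the last two are what a hostile archive would carry.
SAMPLE_LISTING = <<~LISTING
  paxample
  paxample/foo
  /etc/passwd
  paxample/../../.ssh/authorized_keys
LISTING

if $PROGRAM_NAME == __FILE__
  unsafe_archive_members(SAMPLE_LISTING).each { |m| puts "refusing #{m}" }
end
```

Adding -v to the listing gives ls -l style lines that also show link targets; a symlink member pointing outside the destination, followed by a member written through it, is the other classic escape, and the name check above does not cover it.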


Note that the archive retains the directory name you specified on the command line. That comes into play later when you read it. To read an archive, use -r:

$ mkdir t
$ cd t
$ pax -rf ../paxample.tar

What did that do? Let’s look at the source and target directories:

$ cd /tmp
$ find paxample t    # traverse both trees
paxample
paxample/foo
t
t/paxample
t/paxample/foo

When pax read the paxample.tar archive, it created files in the current directory, t. Because the archive included a directory name, paxample, that directory was re-created in the output.

Copying Sets of Files

To my mind, pax’s -r and -w options make more sense than their -x and -c equivalents in tar—reason enough to switch. But, pax can do more than tar: it can copy files too. In copy mode, the destination directory must already exist:

$ rm -rf t
$ mkdir t
$ pax -rw paxample t
$ find t
t
t/paxample
t/paxample/foo

Unlike cp(1), pax is an archive utility. Its job isn’t to make copies, but to archive files. When pax creates a file, it preserves the file’s metadata from its input. The form of the input doesn’t matter. In this case, the input isn’t from an archive, it’s the file itself:

$ ls -l paxample/foo t/paxample/foo
-rw-r--r--  1 jklowden  wheel  0 Sep ... paxample/foo
-rw-r--r--  1 jklowden  wheel  0 Sep ... t/paxample/foo

Yes—two identical files with two identical timestamps. The permission bits and ownership can be controlled too, if desired. Take that, cp(1)!

Perhaps you don’t want to re-create the directory, or perhaps you want to change it in some way. One option is not to mention the input directory on the command line, but instead provide filenames:

$ rm -rf t/paxample/
$ (cd paxample; pax -rw * ../t)
$ find t
t
t/foo


That’s usually easiest. But if you need something more sophisticated, the -s option rewrites the path—actually, any part of the filename—using a regular expression:

$ rm -rf t
$ mkdir t
$ pax -rw -s ',paxample,my/new/path,g' paxample t
$ find t
t
t/my
t/my/new
t/my/new/path
t/my/new/path/foo

The -s option is handy, for instance, when unpacking a tarball that doesn’t have version information in the directory name.

What Could Go Wrong?

If you give the wrong filename to write, you just get an archive by the wrong name—no harm no foul. If you mistype an input archive filename though, you’ll find yourself in 1985:

$ pax -rf paxample.whoopsie
pax: Failed open to read on paxample.whoopsie (No such file or directory)

ATTENTION: pax archive volume change required.
Ready for archive volume: 1
Input archive name or "." to quit pax.
Archive name >

This is an idea that outlived its usefulness before it was implemented. You could type in the filename here, again, without readline support or tab completion. Well, at least it says what to do:

Archive name > .
Quitting pax!

How exciting!

As mentioned previously, pax uses standard input and standard output by default. That is a feature, but the first time you forget to provide a filename, you may think pax is very, very slow:

$ pax -r paxample.tar

Oops! No -f. Also no message and no prompt. pax is ignoring the archive filename argument and reading standard input, which in this case, is the keyboard. You could type ^D, for end-of-file, but that forms invalid input to pax. Better to send up a smoke signal:

^C
pax: Signal caught, cleaning up

It’s even worse the first time you accidentally write to standard output while it’s connected to your terminal. You heard it here first: don’t do that.

Putting Standard Input to Work

Standard input and standard output do have their uses, and here pax really comes into its own. For one thing, you can verify the effect of the -s option without creating an archive or the files:

$ pax -w -s ',paxample,my/new/path,g' paxample | pax
my/new/path
my/new/path/foo

Absent the -f option, pax -w writes to standard output. So rewrite the pathname with -s, and pipe the output to pax again, this time using its “list” mode, with neither the -r nor -w option. By default, pax reads from standard input and, in “list” mode, prints the filenames on the terminal. That can save a lot of time, not to mention a mess on the disk, when there are thousands of files.

Suppose you want to copy the paxample directory to another machine. One approach would be to create a tarball, copy to the target, log in to the target and unpack the tarball:

$ pax -wf paxample.tar paxample
$ scp paxample.tar oak:/tmp/
paxample.tar                100%   10KB  10.0KB/s   00:00
$ ssh oak
oak[~]$ cd /tmp
oak[tmp]$ pax -rf paxample.tar
oak[tmp]$ ls paxample/
foo

But there’s a much easier way. Invoke pax on both machines, and connect the output of one to the input of the other:

$ pax -w paxample | ssh oak 'cd /tmp && pax -r && find paxample'
paxample
paxample/foo

pax -w writes to standard output. ssh reads standard input and attaches it to whatever utility is invoked, which of course in this case is pax again. pax -r reads from standard input and creates the files from that “archive”.

pax is one of the lesser known utilities in a typical Linux installation. But it’s both simple and versatile, well worth the time it takes to learn—recommended. —JAMES K. LOWDEN

They Said It

Never let the future disturb you. You will meet it, if you have to, with the same weapons of reason which today arm you against the present. —Marcus Aurelius Antoninus

Temptation rarely comes in working hours. It is in their leisure time that men are made or marred. —W. N. Taylor

We turn not older with years, but newer every day. —Emily Dickinson

The human tendency to regard little things as important has produced very many great things. —Georg Christoph Lichtenberg

Getting fired is nature’s way of telling you that you had the wrong job in the first place. —Hal Lancaster


Taking Fractals off the Page

Fractals are one of the weird things you may come across when studying computer science and programming algorithms. From Wikipedia: “A fractal is a mathematical set that has a fractal dimension that usually exceeds its topological dimension and may fall between integers.” This is a really odd concept—that you could have something like an image that isn’t made up of lines or of surfaces, but something in between. The term fractal was coined by Benoit Mandelbrot in 1975.

A key property of fractals is that they are self-similar. This means if you zoom in on a fractal, it will look similar to the way the fractal looked originally. The concept of recursion also is very important here. Many types of fractal algorithms use recursion to generate the values in the given set. Almost everyone has seen computer generated images of classic fractals, like the Mandelbrot set or the Cantor set. One thing about all of these classic images is that they are two-dimensional (or actually greater than one and less than two-dimensional, if you want to be pedantic). But there is nothing that forces this to be the case. Fractals can be any dimension, including greater than two. And with modern 3-D graphics cards, there is no reason why you shouldn’t be able to examine these and play with them. Now you can, with the software package Mandelbulber (http://www.mandelbulber.com).

Mandelbulber is an experimental, open-source package that lets you render three-dimensional fractal images and interact with them. It is written using the GTK toolkit, so there are downloads available for Windows and Mac OS X as well as Linux. Actually, most Linux distributions should include it in their package management systems. If not, you always can download the source code and build it from scratch.

If you want some inspiration on what is possible with Mandelbulber, I strongly suggest you go check out the gallery of images that have been generated with this software. There are some truly innovative and amazing images out there, and some of them include the parameters you need in order to regenerate the image on your own. The Mandelbulber Wiki provides a large amount of information (http://wiki.mandelbulber.com/index.php?title=Main_Page). When you are done reading this article, check out everything else that you can do with Mandelbulber.

Figure 1. The main window gives you all parameters that control the generation of your fractal.

When you first start up Mandelbulber, three windows open. The first is the parameters window (Figure 1). Along the very top are the two main buttons: render and stop. Below that is a list of 12 buttons that pull up different panes of parameters. You get an initial set of default parameters that will generate a 3-D version of the classic Mandelbrot set. Clicking on the render button will start the rendering process. If you have multiple cores on your machine, Mandelbulber will grab them to help speed up the calculations. The rendered plot will be drawn in its own window (Figure 2). The third window shows you some measures of how the rendering progressed (Figure 3). You get two histograms describing the number of iterations and the number of steps.

Figure 2. This is what the default 3-D fractal looks like.

Figure 3. Histograms of the Rendering Progression

To generate new images, more than 70 examples are included with the installation of Mandelbulber that you can use as starting points. Clicking on the button Load example pulls up a file dialog where you can load one of them. For example, you could load “menger sponge.fract”. Clicking the render button will generate a 3-D Sierpinski sponge (Figure 4). Although technically, the set is only one topological dimension that encloses zero volume (aren’t fractals weird?).

Figure 4. A Sierpinski sponge has infinite surface area and zero volume.

What can you change in Mandelbulber? Clicking on the fractal button pulls up the pane where you can set the parameters for the fractal itself (Figure 5). You can select from several different fractal formula types, such as mandelbulb, quaternion or menger sponge. You can set several options, depending on exactly which fractal type you choose. For example, if you select the iterated function system (IFS), you then can click on the IFS tab to set several different parameters.

Figure 5. There are several different fractal types from which to choose.

One of the issues is coming up with truly unique, yet aesthetically pleasing, sets of equations with which to experiment. To help in this regard, Mandelbulber has a hybrid option in the list of fractal types. When you select this option, you then can choose the hybrid button and set up to five different fractal equations (Figure 6). With this option, you can create very complex and sophisticated fractals to render.

Figure 6. You can create a hybrid system made from a mix of up to five different fractal types.

Mandelbulber doesn’t just generate static images of these higher dimensional fractals. There is an option to generate animations of how these images change when some parameter is swept over. To start, you need to click on the Timeline button at the bottom of the view pane. This pulls up a timeline window where you can set the parameters used to generate your animation. The record button puts parameters into the actual keyframe number (Key no. field on the right). It then loads and renders the next keyframe if it is not the last keyframe. Then, you can add new keyframes with the “insert after” button or delete keyframes with the Delete button. To modify a given keyframe, you can double-click it to set the parameters, and then you can click on record to render the keyframe. Interpolation between the keyframes is handled by Catmull-Rom splines.

Once you have the keyframes handled, you will need to render the full animation. Clicking on the Animation button in the main window brings up the parameters you can set. These include things like the number of frames to render from the keyframes, as well as the start and end frame numbers. You then can click on the Render from key-frames button to generate the animation. On my netbook, this is a pretty long process. For image generation, you also have control over camera position, lighting and shader options. You should be able to generate the exact image or animation that you want.

If you are looking to generate some amazing 3-D landscapes or unique shapes for something science-fictiony, you definitely should check out Mandelbulber—just be prepared to lose several hours as you start playing with all of the parameters available. —JOEY BERNARD

[ EDITORS' CHOICE ]

Zedge, for All Your Annoying Ringtones!

I really don’t understand folks who use songs as their ringtones. Isn’t it annoying or confusing when the song comes on the radio? If it’s your favorite song, don’t you get desensitized to it when you listen to the CD (or digital equivalent of CD)? Nevertheless, you probably hear dozens of ringtones every day. Those probably vary from “super annoying” to “what a cool ringtone!” With Zedge, you can be the person annoying your fellow subway passengers—or making them jealous.

Zedge is a free app in the Google Play store, and the ringtones (and notification sounds and alarm sounds) are completely free as well. I currently use the “WHAAAT?!?!??!” sound from the minions on Despicable Me as a notification sound (which is clearly super cool and not annoying). My ringtone, which I hear much less often than in years past, is one I made myself from pasting together sound clips from Star Trek the Next Generation. Somehow, my homemade ringtone ended up on Zedge. I know it’s mine because I pasted together sounds that don’t actually occur together on the show. I’m terribly proud of my ringtone, and if you’d like to hear it for yourself, search for “Incoming Subspace Signal”, it should pop right up. If Star Trek isn’t up your alley, there are thousands of other options from which to choose. With Zedge, installing them is simple and, of course, free.

Screenshot from the Google Play store

Due to its incredible selection, seamless integration and amazing price tag, Zedge is this month’s Editors’ Choice winner. Check it out today at https://play.google.com/store/apps/details?id=net.zedge.android. —SHAWN POWERS



COLUMNS
AT THE FORGE

Talking to Twitter
REUVEN M. LERNER

Integrating Twitter into your application is easy, fun and useful.

I’m a very quick adopter of many new software technologies. I try new programming languages, browsers, databases and frameworks without hesitation. But when it comes to social networks, I’m a bit of a Luddite, waiting to see what all the fuss is about before making them a part of my life. Sure, I signed up for Facebook almost as soon as it was available, but I haven’t really posted much there. I do use LinkedIn, mostly to collect and find contacts, but I don’t post there very often either, unless I’m announcing a presentation that I’ve added to SlideShare.

Twitter is something of a different story. There are people, it seems, for whom Twitter is the ultimate in communication. I’ve been on Twitter for some time, but other than an occasional foray into that world, I didn’t really pay it much attention. Even now, after having decided several months ago that I should try to get into Twitter more heavily, I find that while I look through my feed several times a day, I tweet only once every few weeks. Call me a dinosaur, but I still prefer to use e-mail to be in touch with friends and family, rather than 140-character messages.

Although I don’t see Twitter as a great medium for interpersonal communication, I recently have begun to appreciate it for other reasons. Specifically, I have discovered (perhaps long after the rest of the world has done so) that using Twitter as a sort of public logfile can make a Web application more visible, updating the rest of the world as to the status of your work and your on-line community. Doing so not only lets people hear about what you are doing—and potentially rebroadcast it to the world, by “retweeting” your message to followers—but it also increases your application’s SEO, or visibility on various search engines. Finally, you can use Twitter to bring attention to your on-line presence by following other people. (The idea is that when they receive your follow request, they may try to find out more about you, exploring your site or even following you back.)

I might sound like a social-media consultant, but I’ve seen the difference that Twitter can make in an application. I recently connected my PhD dissertation project (the Modeling Commons, at http://modelingcommons.org) to Twitter, such that each public action is sent to the Twitter feed. The combination of tweeting updates and following other people has had a remarkable and direct effect on the number of visitors who come to my site, the length of time they remain and the number of pages they view. Now, I’m not talking about millions of visitors per month. My application is still of interest mainly to a small community of people working with the NetLogo modeling environment. But the change has been obvious, and I grudgingly admit that I owe some of it to Twitter.

In this article, I explore some of the things I did to use Twitter in my application. From a technology perspective, you’ll see that the implementation was fairly straightforward. But I think that what I’ve learned can be of interest to anyone running a Web application, particularly one that is trying to get the word out to the public. In addition, although there are plenty of good reasons to question Twitter’s business practices and its relationship with developers, there is no doubt that its attention to detail with its API offers a model for all of us who want to provide APIs to our applications.

Registering with Twitter

I’m going to assume that anyone reading this article already has created a Twitter account or is able to figure out how to do so at Twitter.com. And of course, via the Twitter.com Web site, you can do all the things that you might expect, such as tweeting, retweeting, following and searching.


Twitter’s API allows you to do all of these things via code. That is, you don’t need to go and compose tweets personally. You can write a program that will do so for you. In order for this to happen, you need to do two things: register with Twitter’s API service and install a library that knows how to communicate with the Twitter API.

In order to register with the Twitter API, you need to go to the “developer” site at http://dev.twitter.com. Note that you need to sign in with your Twitter user name and password, even if you already are signed in to the main Twitter site. The two sites do not seem to share login sessions.

Once you’re on the developer site, you need to create a new application. The application name needs to be unique, but don’t worry about it too much. You need to provide not only a name, but also a description and a URL that is associated with the application. Agree to the terms, fill in the Captcha, and you’ll be on your way.

Note that many types of Twitter applications exist, with many applications (including mobile) that post to Twitter on behalf of a user. The model I demonstrate in this article is of an application sending updates to Twitter, which means you won’t have such issues—you don’t need a callback URL or any special login configuration.

Perhaps the most confusing thing (to me, at least) about setting things up with Twitter was that the default permissions for an application allow you to retrieve tweets, but not to post them. To allow your application read-write access, go to the settings tab and indicate that you want the read-write access, or even read, write and direct message. You won’t be using all of these capabilities for this example, but without write permission, your application will not be able to post to Twitter.

And now for the most important part, the keys: Twitter’s authentication model requires two tokens. First, there is your access token, which allows you to access Twitter via the API. The second is the “consumer key”, which describes your particular application and usage. Each of these keys has an accompanying secret, which you should treat as a password. As such, putting these secrets directly in your application probably is a bad idea. You would be better off putting them in environment variables, thus avoiding having the secrets in version control.


“Twitter” Gem for Ruby

Readers of this column know that I love the Ruby language, so it won’t come as a surprise to hear that I intend to use Ruby for my examples. However, there are Twitter API clients in virtually every modern language, making it easy to access from whatever you prefer to use in your programming.

The twitter Ruby gem, as is the case for all Ruby gems (libraries), is available for installation via the gem program, which comes with modern versions of Ruby. The gem currently is maintained by Erik Michaels-Ober, also known as “sferik” on GitHub. You can type:

    gem install twitter -V

and the gem should be installed. On many systems, including those not running a Ruby version manager like rvm, you need to execute the above line while logged in as root.

Once you have installed the gem, you can use it. There are three parts to this process: bringing the gem into the program, configuring it to use your keys and secrets, and then executing a Twitter command. The first is handled with the Ruby require command, which looks at installed gems, as well as the Ruby core and standard libraries.

Configuration of the client is handled fairly straightforwardly from within a block that looks like this (filling in the values you got from Twitter’s API documentation):

    twitter_client = Twitter::REST::Client.new do |config|
      config.consumer_key = CONSUMER_KEY
      config.consumer_secret = CONSUMER_SECRET
      config.oauth_token = OAUTH_TOKEN
      config.oauth_token_secret = OAUTH_SECRET
    end

Notice that you are not merely executing the “new” method on Twitter::REST::Client, but that you also are returning a value. Thus, in contrast to previous versions of Ruby’s Twitter gem, you should accept the returned object, which is then the basis for all of the additional actions you wish to take.

Finally, you send the tweet with the “update” method:

    tweet = twitter_client.update("Hello, world! Tweet, tweet!")

Invoking the #update method has the effect of sending the message to Twitter. If you go to the Web page for your Twitter user, you’ll find that a new message has been sent, as if you had typed it.

If you capture the return value from the invocation of twitter_client.update, you’ll


see that it is an instance of Twitter::Tweet, a Ruby object that represents a tweet. This object provides the functionality that you would want and expect from something associated with Twitter. For example:

    tweet.user        # tells us who wrote the tweet
    tweet.retweeted?  # indicates whether it was retweeted
    tweet.favorited?  # indicates whether it was marked as a favorite

Now, it’s also possible that you will not get a tweet object back at all, but rather that the “update” method will raise an exception. For example, Twitter forbids users from sending an identical tweet, at least within a short period of time. Thus, if you send the above “Hello, world” tweet (from the example above) a second time, you’ll get an exception:

    Twitter::Error::Forbidden: Status is a duplicate.

Of course, you can catch such errors with:

    begin
      tweet = twitter_client.update("Hello again, @reuvenmlerner! Tweet, tweet!")
    rescue Twitter::Error::Forbidden => e
      puts "You already tweeted that!"
    rescue => e
      puts e.class    # Twitter::Error::Forbidden
      puts e.message  # Status is a duplicate
    end

If you include a Twitter @username, hashtag or URL in your tweet, the appropriate magic will happen automatically. Thus:

    tweet = twitter_client.update("Go to @reuvenmlerner's site at http://lerner.co.il")

In the above tweet, the URL automatically will be shortened, using Twitter’s standard t.co domain. Similarly, the @reuvenmlerner (my Twitter handle) will turn into a link. You can access both of these using methods on your tweet:

    tweet.urls           # returns an array of Twitter::Entity::URI
    tweet.user_mentions  # returns an array of Twitter::Entity::UserMention

You can more generally ask Twitter for information about tweets. For example, you can get the most recent tweets a user has sent with:

    twitter_client.user_timeline('reuvenmlerner')

which returns an array of tweet objects. You can apply the “text” method to the first element, thus getting the text back from the user’s most recent tweet:

    twitter_client.user_timeline('reuvenmlerner')[0].text


If there are URLs embedded in the tweet, you can get those back:

    twitter_client.user_timeline('reuvenmlerner')[0].urls

This method returns an array of Twitter::Entity::URI objects, each of which has attributes, such as “url” and “expanded URL”.

Integrating into Your Application

As you can see, working with Twitter is surprisingly easy. The startup time for connecting to Twitter can take a little bit of time—up to two seconds, in my experience—but tweeting and querying Twitter take very little time. It’s obvious, as a consumer of the API, that they have worked hard to make it execute as quickly as possible. This is a lesson to all of us who create APIs. We all know that Web pages should load quickly, and that slow load times can discourage people from staying on a site.

API calls typically are embedded within another application, meaning that if the API call takes time, the application itself will feel sluggish. As a result, a slow API call will lead to slow responses from the API clients—and may discourage people from using your API.

But where would you use such API calls? Why would you want to use Twitter on your site?

One simple use of the Twitter API would be to display a user’s most recent tweets. For example, if your company (or you personally) use Twitter to send messages about what you are doing, you can see that it would be fairly easy to include those tweets in a Web page. Using an MVC system, such as Rails, you simply would grab the tweets (with the “user_timeline” method, as shown above), and stick the results on your home page. Now your home page provides another view to your Twitter feed, re-enforcing its importance and usage to your company.

I have been doing something slightly different. As I mentioned previously, I have begun to use Twitter to log public activity in the application I’ve developed for my dissertation. Every time a new


user joins, new content is posted or someone adds a posting to a discussion forum, I send a new tweet on the subject. In and of itself, this doesn’t do very much; Twitter is full of text and URLs. But I have certainly found that, by ensuring my tweets are followed and seen by a large number of people, I have increased the number of users coming to my site.

In other words, by tweeting about activity on my site, I have given my site additional exposure to the world. Moreover, people who really want to see what my application is doing can follow the link in their Twitter feed and follow along.

By adding a #NetLogo hashtag to my tweets, I also have made it possible, and even easy, for my tweets (and thus my site) to be found and identified by people searching Twitter for mentions of our modeling environment. The fact that Google indexes tweets increases my site’s visibility on-line among people who are searching for modeling-related sites.

The net effect has been rather huge. Within two weeks of starting to use Twitter to announce updates on my site, the number of people coming to visit has increased dramatically. Not coincidentally, my site’s ranking in Google has improved noticeably.

Now, if this were a commercial site, rather than a free infrastructure for collaborative modeling, I would want to check a second thing, namely the “conversion rate”—that is, how many people who came to my site also became paying customers. But for my small, educational site, it has been fascinating to see what a difference tweeting made.

And what did I do? Truth be told, not much. I set up things such that a new tweet would be sent, using the “update” method demonstrated above, every time a new model version, forum posting or person was added to the system. Because of the relatively low latency on the “update” method, I even do this inline on an after_create callback within Rails, rather than queueing it in a background job.

The biggest technical challenge I have faced so far in all of this is


the issue of duplicate tweets. When I first set up the Twitter feed, I defined the tweet for an additional discussion forum post to be:

    Reuven Lerner has added a comment about the Foobar model.

The problem with this style of tweet is that it quickly can lead to duplicates—and thus errors from within the application. As a result, I have made sure that every tweet has a unique number in it somewhere, typically counting how many similar objects already have been created. For example:

    Reuven Lerner wrote the Nth comment about the Foobar model.

The above ensures—assuming that user and model names are unique—that there cannot be duplicates, thus avoiding the problem.

Beyond the advantages for users, SEO and people interested in following my work, I also have found it to be enormously satisfying to see tweets come out even when I’m not aware of it. It’s similar in some ways to seeing my children’s creative output, but (obviously) less emotionally charged.

Conclusion

Adding automatic tweets to a Web application is easy to do and can have significant benefits. For your users, it gives them a way to follow what is happening in your application without needing to visit the site or use an RSS reader. For your site, automatic tweets will help bring in new visitors, improve SEO and generally improve your project’s visibility.

Web developer, trainer and consultant Reuven M. Lerner is finishing his PhD in Learning Sciences at Northwestern University. He lives in Modi’in, Israel, with his wife and three children. You can read more about him at http://lerner.co.il, or contact him at reuven@lerner.co.il.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

Resources

Twitter, of course, is at http://twitter.com. The developer and API documentation is at http://dev.twitter.com. The Ruby gem for Twitter, which apparently has been downloaded more than one million times (!), is at http://sferik.github.io/twitter.



COLUMNS
WORK THE SHELL

Easy Watermarking with ImageMagick

DAVE TAYLOR

Script auteur Dave Taylor explores smart ways to use ImageMagick and Bash to copyright and watermark images in bulk.

Let’s start with some homework. Go to Google (or Bing) and search for “privacy is dead, get over it”. I first heard this from Bill Joy, cofounder of Sun Microsystems, but it’s attributed to a number of tech folk, and there’s an element of truth to it. Put something on-line and it’s in the wild, however much you’d prefer to keep it under control.

Don’t believe it? Ask musicians or book authors or film-makers. Now, whether the people who would download a 350-page PDF instead of paying $14 for a print book are hurting sales, that’s another question entirely, but the Internet is public and open, even the parts that we wish were not.

This means if you’re a photographer or upload images you’d like to protect or control, you have a difficult task ahead of you. Yes, you can add some code to your Web pages that makes it impossible to right-click to save the image, but it’s impossible to shut down theft of intellectual property completely in the on-line world.

This is why a lot of professional photographers don’t post images on-line that are bigger than low-resolution thumbnails. You can imagine that wedding photographers who make their money from selling prints (not shooting the wedding) pay very close attention to this sort of thing!

Just as people have learned to accept poor video in the interest of candor and funny content thanks to YouTube, so have people also learned to accept low-res images for free rather than paying even a nominal fee for license rights and a high-res version of the photograph or other artwork.

There is another way, however, that’s demonstrated by the stock photography companies on-line: watermarking. You’ve no doubt seen photos with


embedded copyright notices, Web site addresses or other content that mars the image but makes it considerably harder to separate it from its original source.

It turns out that our friend ImageMagick is terrific at creating these watermarks in a variety of different ways, and that’s what I explore in this column. It’s an issue for a lot of content producers, and I know the photos I upload constantly are being ripped off and reused on other sites without permission and without acknowledgement.

To do this, the basic idea is to create a watermark-only file and then blend that with the original image to create a new one. Fortunately, creating the new image can be done programmatically with the convert program included as part of ImageMagick.

Having said that, it’s really mind-numbingly complex, so I’m going to start with a fairly uninspired but quick way to add a watermark using the label feature. In a nutshell, you specify what

Figure 1. Original Image, Kids at a Party


text you want, where you want it on the image, the input image filename and the output image filename. Let’s start with an image (Figure 1).

You can get the dimensions and so forth of the image with identify, of course:

    $ identify kids-party.png
    kids-party.png PNG 493x360 493x360+0+0 8-bit DirectClass ...KB ...

You can ignore almost all of this; it’s just the size that you care about, and that’s shown as 493x360.

Now, let’s use composite to add a simple label:

    composite label:'AskDaveTaylor.com' kids-party.png \
      kids-party-labelled.png

Figure 2 shows the image with the label applied.

That’s rather boring, although it’s effective in a rudimentary sort of way. Let’s do something more interesting now, starting by positioning the text

Figure 2. Label Added, No Styling


centered on the bottom but also adding space below the image for the caption:

    convert kids-party.png -background Khaki \
      label:'AskDaveTaylor.com' \
      -gravity center -append party-khaki.png

Here I’ve added a background color for the new text (khaki) and tapped the complicated but darn useful gravity capability to center the text within the new -append (appended) image space. Figure 3 shows the result.

I’m not done yet though. For the next example, let’s actually have the text superimpose over the image, but with a semi-transparent background. This is more ninja ImageMagick, so it involves a couple steps, the first of which is to identify the width of the original source image. That’s easily done:

    width=$(identify -format %w kids-party.png)

Figure 3. Caption against a Khaki Background


Run it, and you’ll find out:

    $ echo $width
    493

Now, let’s jump into the convert command again, but this time, let’s specify a background color, a fill and a few other things to get the transparency to work properly:

    # background '#0008' (semi-transparent black) and the 30-pixel caption height
    # are as in the ImageMagick annotating tutorial; they are illegible in the scan
    convert -background '#0008' -fill white -gravity center \
      -size ${width}x30 caption:"AskDaveTaylor.com" \
      kids-party.png +swap -gravity south -composite \
      party-watermark.png

I did warn you that it’d be complex, right? Let’s just jump to the results so you can see what happened (Figure 4).

You can experiment with different backgrounds and colors, but for now, let’s work with this and jump to the second part of the task, turning this into a script that can fix a set of images in a folder. The basic structure

Figure 4. Improved Semi-Transparent Label


for this script will be easy actually:

    for every image file
      calculate width
      create new watermarked version
      mv original to a hidden directory
      rename watermarked version to original image name
    done

Because Linux is so “dot file”-friendly, let’s have the script create a “.originals” folder in the current folder so that it’s a nondestructive watermark process. Here’s the script:

    savedir=".originals"
    mkdir "$savedir"

    if [ $? -ne 0 ] ; then
      echo "Error: failed making $savedir"
      exit 1
    fi

    for image in *.png *.jpg *.gif
    do
      if [ -s "$image" ] ; then   # nonzero file size
        width=$(identify -format %w "$image")
        # '#0008' and the caption height of 30 follow the ImageMagick
        # annotating tutorial; they are illegible in the scan
        convert -background '#0008' -fill white -gravity center \
          -size "${width}x30" caption:"AskDaveTaylor.com" \
          "$image" +swap -gravity south -composite "new-$image"
        mv "$image" "$savedir"
        mv "new-$image" "$image"
        echo "watermarked $image successfully"
      fi
    done

You can see that it translates pretty easily into a script, with the shuffle of taking the original images and saving them in .originals. The output is succinct when I run it in a specific directory:

    watermarked figure1.png successfully
    watermarked figure2.png successfully
    watermarked figure3.png successfully
    watermarked figure4.png successfully

Easily done.

You definitely can go further with all the watermarking in ImageMagick, but my personal preference is to tap into the reference works that already are on-line, including this useful, albeit somewhat confusing, tutorial: http://www.imagemagick.org/Usage/annotating.

However you slice it, if you’re going to make your images available on-line in high resolution, or if they’re unique and copyrighted intellectual property, knowing how to watermark them from the command line is a darn helpful skill.

Dave Taylor has been hacking shell scripts for more than 30 years. Really. He’s the author of the popular Wicked Cool Shell Scripts and can be found on Twitter as @DaveTaylor and more generally at http://www.DaveTaylorOnline.com.
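As an added example, not the column’s own script, here is the same shuffle written so that it survives a second run (the script above aborts when .originals already exists and would watermark the already-watermarked copies), handles file names with spaces, and never touches an original until the watermarked copy has actually been produced. identify and convert are ImageMagick’s commands from the column; the '#0008' background, the 30-pixel caption height and the watermark_one/watermark_all names are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not the column's script: watermark each image in the current
# directory, park the original in .originals and put the watermarked copy under
# the original name. Safe to re-run and safe on names containing spaces.

SAVEDIR=".originals"
WATERMARK_TEXT="${WATERMARK_TEXT:-AskDaveTaylor.com}"   # assumed caption text
WATERMARKED=0

# watermark_one IMAGE -> 0 = watermarked, 2 = skipped, 1 = failed.
# The original is only moved once the watermarked copy exists.
watermark_one() {
    image=$1
    case $image in
        */*) echo "watermark_one: $image: plain file names only" >&2; return 1 ;;
    esac
    [ -s "$image" ] || return 2              # empty file, or an unmatched glob
    [ -e "$SAVEDIR/$image" ] && return 2     # parked on an earlier run: skip it
    mkdir -p "$SAVEDIR" || return 1
    width=$(identify -format %w "$image") || return 1
    tmp="$SAVEDIR/.new-$image"
    # '#0008' and x30 follow the ImageMagick annotating tutorial (assumed values)
    convert -background '#0008' -fill white -gravity center \
        -size "${width}x30" caption:"$WATERMARK_TEXT" \
        "$image" +swap -gravity south -composite "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$image" "$SAVEDIR/$image" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$image" || return 1
    echo "watermarked $image successfully"
}

# watermark_all: process the images in the current directory; WATERMARKED is
# set to the number actually processed (skipped and failed files do not count).
watermark_all() {
    WATERMARKED=0
    for image in *.png *.jpg *.gif; do
        watermark_one "$image" && rc=0 || rc=$?
        case $rc in
            0) WATERMARKED=$((WATERMARKED + 1)) ;;
            1) echo "failed on $image" >&2 ;;
        esac
    done
    echo "$WATERMARKED image(s) watermarked"
}

# Run over the current directory only when invoked as: sh watermark.sh --run
if [ "${1:-}" = "--run" ]; then
    watermark_all
fi
```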



COLUMNS
HACK AND /

A Bundle of Tor

KYLE RANKIN

For privacy, windows have blinds, and Internet users have the Tor browser bundle.

I don’t know how many readers know this, but my very first Linux Journal column (“Browse the Web without a Trace”, January 2008) was about how to set up and use Tor. Anonymity and privacy on the Internet certainly take on a different meaning in the modern era of privacy-invading software and general Internet surveillance. I recently went back and read my original column, and although the first few paragraphs were written six years ago, they seem just as relevant today:

  Is privacy dead? When I think about how much information my computer and my gadgets output about me on a daily basis, it might as well be. My cell phone broadcasts my general whereabouts, and my Web browser is worse—every site I visit knows I was there, what I looked at, what browser and OS I use, and if I have an account on the site, it could know much more.

  Even if you aren’t paranoid (yet), you might want to browse the Web anonymously for many reasons. For one, your information, almost all of it, has value, and you might like to have some control over who has that information and who doesn’t. Maybe you just want to post a comment to a blog without the owner knowing who you are. You even could have more serious reasons, such as whistle-blowing, political speech or research about sensitive issues such as rape, abuse or personal illness.

  Whatever reason you have for anonymity, a piece of software called Tor provides a secure, easy-to-setup and easy-to-use Web anonymizer. If you are curious about how exactly Tor works,


  (you can visit the official site at http://tor.eff.org), but in a nutshell, Tor installs and runs on your local machine. Once combined with a Web proxy, all of your traffic passes through an encrypted tunnel between three different Tor servers before it reaches the remote server. All that the remote site will know about you is that you came from a Tor node.

The rest of the article went into detail on how to use the Knoppix live disk to download and install Tor completely into ramdisk. Tor has come a long way since those days though, so I decided it was high time to revisit this topic and explain the best way to set up Tor on your personal machine today.

Get the Tor Browser Bundle

In the past, Tor installation meant installing the Tor software itself, configuring a proxy and pulling down a few browser plugins. Although you still can set it up that way if you want, these days, everything is wrapped up in a tidy little package called the Tor browser bundle. This single package contains Tor, its own custom Web browser already configured with privacy-enhancing settings and a user interface that makes it easy to start and stop Tor on demand.

The first step is to visit https://www.torproject.org and check the lock icon in your navigation bar to make sure the SSL certificate checks out. If your browser gives you some sort of certificate warning, it’s possible you aren’t visiting the official Tor site, and you should stop right there and attempt to get Tor from a different computer. On the main page is a large Download Tor button for you to click. If you are browsing the site from a Linux system (which of course you are), you will be presented with links to a 32-bit and 64-bit browser bundle package, so click the one that corresponds with the appropriate architecture for your system.

While the software downloads, I highly recommend you do two things. First, next to the button you clicked to download Tor, there should be a hyperlink labeled “sig”. Click this link to download the signature you will use to verify that the Tor package you downloaded was legitimate (I’ll talk about how to do that in a minute). The second thing you should do is scroll down the page and start reading the section titled “Want Tor to really work?” to familiarize yourself with some of the extra habits you should take on if you really do want to browse the Web anonymously.


Verify the Software

After you download the Tor browser bundle and the signature file, you should have two files in your directory:

- tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz
- tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz.asc

The first of these files is the software itself, and the second file is the GPG signature. Although a lot of software uses MD5 or SHA1 checksums so you can validate the software you downloaded was complete, this checksum is different. The .asc file is a cryptographic signature you can use to prove that the software you just downloaded actually was provided to you by the Tor project and not by some malicious third party. The site provides documentation on how to verify this signature for different operating systems at https://www.torproject.org/docs/verifying-signatures.html.en, but since you use Linux, here you will run the following commands. First, pull down the key that was used to sign this package. Currently, this would be Erinn Clark’s key (0x416F061063FEE659), which you can import with the following command:

    $ gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659

Once the key has been imported, you should check its fingerprint:

    $ gpg --fingerprint 0x416F061063FEE659
    pub   2048R/63FEE659 2010-02-03
          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
    uid                  Erinn Clark <erinn@torproject.org>
    uid                  Erinn Clark <erinn@debian.org>
    uid                  Erinn Clark <erinn@double-helix.org>
    sub   2048R/EB399FD7 2010-02-03

If the fingerprint doesn’t match what you see above, something fishy is going on and you shouldn’t trust this package. Of course, if you are a frequent GPG user, you may want even better assurances. Hopefully, you have someone you already trust within your GPG keyring who has been to a key-signing party with Erinn Clark. If so, it would help validate that the key is legitimate.

Once you have validated the fingerprint, cd to the directory that has the browser bundle and .asc file, and run the following command:

    $ gpg --verify tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz{.asc,}


    gpg: Signature made Fri ... Nov ... PM PDT using RSA key ID 63FEE659
    gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
    gpg:                 aka "Erinn Clark <erinn@debian.org>"
    gpg:                 aka "Erinn Clark <erinn@double-helix.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

If the output says “Good signature”, everything checked out. Again, you will see a warning if you don’t have someone in your chain of trust that already trusts this key.

Figure 1. The Vidalia Control Panel Window
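As an added example, not from the column, the same check done in a script: the expected fingerprint is pinned and compared against the VALIDSIG record in gpg’s machine-readable status output (--status-fd), so “Good signature” from some other key that happens to be in the keyring does not pass, and the “not certified” warning the text mentions is ignored because it says nothing about which key signed. The pinned value is the fingerprint printed above for key 0x416F061063FEE659; check_status and verify_bundle are this example’s own names.

```shell
#!/bin/sh
# Added example, not the column's commands: verify a detached .asc signature
# against a pinned signing-key fingerprint using gpg's --status-fd records.
# A VALIDSIG line carries the fingerprint of the key that made the signature
# and, as its last field, the primary key's fingerprint; only a match against
# the pinned value is accepted.

EXPECTED_FPR="8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659"

# normalize_fpr FPR: print FPR without spaces and upper-cased, for comparison.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status EXPECTED_FPR: reads gpg --status-fd output on stdin.
# Exit 0 (and print the fingerprint) when a VALIDSIG line names EXPECTED_FPR;
# exit 1 for a bad, expired or revoked signature, a missing key, or a valid
# signature by some other key. TRUST_* lines are ignored on purpose: they only
# report whether the key is certified within your own keyring.
check_status() {
    want=$(normalize_fpr "$1")
    status=1
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                primary=${rest##* }              # last field: primary key fpr
                if [ "$(normalize_fpr "$fpr")" = "$want" ] ||
                   [ "$(normalize_fpr "$primary")" = "$want" ]; then
                    printf '%s\n' "$fpr"
                    status=0
                fi ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
        esac
    done
    return "$status"
}

# verify_bundle TARBALL SIGFILE: 0 only if SIGFILE is a valid signature over
# TARBALL by the pinned key. gpg writes its status records to fd 1 for the
# parser; its human-readable chatter still goes to stderr.
verify_bundle() {
    gpg --status-fd 1 --verify "$2" "$1" | check_status "$EXPECTED_FPR" >/dev/null
}

# Usage: sh verify-bundle.sh TARBALL TARBALL.asc
if [ $# -eq 2 ]; then
    if verify_bundle "$1" "$2"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "REJECT: $1 is not signed by the pinned key" >&2
        exit 1
    fi
fi
```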
Install and Use Tor

At this point, it’s relatively trivial to install and use Tor. Just use tar to extract the .tar.gz file into your home directory or wherever else you’d like it to be, and then run the start-tor-browser script inside:

    $ tar -zxvf tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz
    $ tor-browser_en-US/start-tor-browser

You should see a GUI window pop up that looks like Figure 1.

It may take a little time for your Tor network to finish configuring, but once it does, you will know, because a browser that looks like Figure 2 will appear.

The initial Tor check page not only validates that you are using the Tor network, it also displays your current IP address. If you ever notice that IP address matches your home IP address, or if you don’t see this congratulations window at all, for some reason your Tor instance isn’t working properly, so you shouldn’t do anything within the browser that is privacy-sensitive. Note that because you may be exiting the Tor network from an exit node in a different country, certain sites like Google, for instance, that try to be helpful and display the site in a country’s native language may present you


Figure 2. Congratulations, Tor works.

with Japanese, German or some other language as you visit.

If you go back to the Vidalia Control Panel, you’ll notice a number of different options. You can view a map of the current global Tor network; you can click the Setup Relaying button to add your machine to the network of Tor nodes, and if you click Use a New Identity, you will stop using the three Tor nodes you currently are using and will set up a new connection with different Tor nodes. Although Tor itself does this routinely as you use it, sometimes you may want to get a different endpoint so a Web site stops displaying output in a language you don’t understand.

Special Tor Browser Plugins

It’s important to note that this special Tor browser has been configured with extra plugins and settings to enhance your privacy. For instance, by default, the


Noscript plugin is installed and enabled, which blocks JavaScript, Java and other plugins and allows them only for sites that you trust. The browser also includes the HTTPS Everywhere plugin that defaults to using HTTPS for any site you try to visit. You also will see a small onion icon in the navigation bar that you can use to tweak your Tor preferences inside the browser.

Once you are done browsing anonymously, close your browser and go back to the Vidalia Control Panel. If you are done using Tor completely, click the Stop Tor button, and then click exit to close the application. Browsing the Web anonymously and privately has never been this easy.

Kyle Rankin is a Sr. Systems Administrator in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users’ Group.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.



COLUMNS
THE OPEN-SOURCE CLASSROOM

Encrypting Your Cat Photos

SHAWN POWERS

Encryption is powerful and scary. Let’s remove the scary.

The truth is, I really don’t have anything on my hard drive that I would be upset over someone seeing. I have some cat photos. I have a few text files with ideas for future books and/or short stories, and a couple half-written starts to NaNoWriMo novels. It would be easy to say that there’s no point encrypting my hard drive, because I have nothing to hide. The problem is, we wrongly correlate a “desire for privacy” with “having something to hide”. I think where I live, in America, we’ve taken our rights to privacy for granted. Rather than the traditional “he must be hiding porn or bombs”, think about something a little more mundane.

I live in Michigan. It’s cold here in the winter, and I tend to keep my thermostat set around 75 degrees. That might seem high to you, but for my family, it’s just right. Thanks to the privacy of my own home, my neighbors don’t know how toasty warm we keep it. Some of those neighbors would be very upset to see how “wasteful” the Powers family is in the winter. In fact, there’s one local man who makes it a point to let everyone know that anything over 60 degrees is ecologically wasteful. I don’t want to get into a fight with Old Man Icebritches, so we just keep our comfortable house a secret. We don’t have anything to hide, but it’s not something everyone needs to know about.

Obviously my example is silly, but hopefully it makes you think. Modern Linux allows us to encrypt our data easily and reliably, so why not take advantage of it?

How Does It Work?

I won’t go into too much detail about how encryption works, but a basic understanding is necessary for even the simplest implementation. To encrypt and decrypt a file, two


“keys” are required. One is the private key, which is just that, private. I like to think of the private key as an actual key—you can make copies if you want, but it’s not wise to do so. The more copies of your private keys you make, the more likely someone nefarious will get one and break into your apartment—er, I mean files.

The public key is more like a schematic for a lock that only you can open (with your private key). You make this key available for anyone. You can post it on a Web site, put it in your e-mail, tattoo it on your back, whatever. When others want to create a file that only you can see, they encrypt it using your public key.

This one-to-many scenario also has a cool side effect. If you encrypt something using your private key, anyone can decrypt it using your public key. This may sound silly, but what makes such a scenario useful is that although the encrypted file isn’t protected from prying eyes, it is guaranteed to be from you. Only a file encrypted with your private key can be decrypted with your public key. In this way, encrypting something with your private key digitally “signs” the file.

Usually it works like this:

1. You have a file you want to send to Suzy, so you encrypt it with Suzy’s public key. Only Suzy can open it, but there’s no way for Suzy to know that you are the one who sent it, since anyone could encrypt a file with her public key.

2. Therefore, you take the file you encrypted with Suzy’s public key and encrypt that file with your private key. Suzy will have to decrypt the file twice, but she’ll know it came from you.

3. Suzy receives the file and decrypts the first layer with your public key, proving it came from you.

4. Suzy then decrypts the second layer of encryption with her private key, as that’s the only key able to decrypt the original file. (Because you originally encrypted


it with her public key.)

That scenario is when encryption is used for safely transferring files, of course. It’s also quite common simply to encrypt your files (or partitions) so that no one can see them unless you decrypt them first. Let’s start with file encryption, because that’s what most people will want to do on their systems.

Starting Simple

Before I go into more complex types of setup, let’s discuss simply encrypting a file. There are various programs to handle encryption. In fact, it’s easy to get overwhelmed with the available options for file and system encryption. Today, let’s use a basic (but very powerful) command-line tool for encrypting a file. GPG (Gnu Privacy Guard) is an open-source implementation of PGP (Pretty Good Protection). It allows encryption and signing, and manages multiple keys and so on. For this example, let’s simply encrypt a file.

Let’s say you have a file called secret_manifesto.txt, which contains the secrets to life, the universe and everything. Using GPG, you can encrypt the file with a passphrase. Using a passphrase is far simpler than using a public and private key pair, because it’s simply encrypted using your passphrase. This does make your file more susceptible to cracking (using rainbow tables or other hacking tools), but like the label on the tin says, it’s Pretty Good Protection. To encrypt your file, you can do this:

    $ gpg -c secret_manifesto.txt
    Enter passphrase:
    Repeat passphrase:

Once complete, you’ll have a new file in the same directory. It will be named secret_manifesto.txt.gpg by default. This is a binary file, which means it’s fairly small, but it can’t be copy/pasted into an e-mail or IM. For portability, you can add the -a flag, which will create an encrypted file that contains only ASCII text:

    $ gpg -a -c secret_manifesto.txt
    Enter passphrase:
    Repeat passphrase:
    $ ls -l
    -rw-rw-r-- 1 spowers spowers ... Nov ... secret_manifesto.txt
    -rw-rw-r-- 1 spowers spowers ... Nov ... secret_manifesto.txt.asc
    -rw-rw-r-- 1 spowers spowers ... Nov ... secret_manifesto.txt.gpg

Notice there is now a file with .asc as the extension. This is text-only, but you can see in the code


snippet that it's also much larger than the binary encrypted file, and much, much larger than the original text file. Once you've encrypted your file, if you truly want to keep your information secret, it would be wise to delete the original text file.

To decrypt the file, you'll again use the gpg program. The same command will decrypt either file, whether it's binary or ASCII:

    gpg secret_manifesto.txt.asc
    gpg: CAST5 encrypted data
    Enter passphrase:
    gpg: encrypted with 1 passphrase
    File `secret_manifesto.txt' exists. Overwrite? (y/N) y

Notice in the example above, I hadn't deleted the original text file, so gpg gave me the option of overwriting. Once complete, I have my original file back, unencrypted.

If you just have a file or two you want to protect, the command-line gpg program might be all you need. If you'd rather have an area on your system that automatically encrypts everything you save, it's a little more complicated. It's still not terribly difficult, but let's start with a fairly simplistic model.

Encrypting a USB Drive
Like I mentioned earlier, there are many options when it comes to encryption. One of the more popular methods of encrypting partitions is the LUKS (Linux Unified Key Setup) system. A USB drive with a LUKS-formatted partition should be detected automatically by most systems. In fact, if you're using a desktop environment like Ubuntu Desktop, encrypting a USB drive is a simple check box during the formatting process. Although that's a perfectly acceptable way to encrypt your USB drive, I'm going to demonstrate how to do it on the command line, so you understand what's actually happening behind the scenes.

Step 1: identify your USB drive. If you type dmesg after plugging in your USB drive, you should get all sorts of system information, including the device name of your freshly plugged-in USB device. Make sure you have the correct device identified, because what you're doing will destroy any data on the drive. You wouldn't want to format the wrong disk accidentally. (It should go without saying, but I'll say it anyway, make sure there's nothing on your USB drive that you want to save—this is a destructive process.)

Step 2: partition the USB drive. Assuming that your USB drive is the


/dev/sdb device on your system, you need to create a single partition on the drive. Let's use fdisk. Below is the interaction with fdisk required. Basically, you create a new empty partition table with the o command, then write changes with w. Then, you'll restart fdisk and use the n command to create a new primary partition, using the defaults so that the entire drive is used:

    sudo fdisk /dev/sdb

    Command (m for help): o
    Building a new DOS disklabel with disk identifier 0x....
    Changes will remain in memory only, until you decide to write them.
    After that, of course, the previous content won't be recoverable.

    Command (m for help): w
    The partition table has been altered!

    sudo fdisk /dev/sdb

    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4, default 1):
    Using default value 1
    First sector (...-..., default ...):
    Using default value ...
    Last sector, +sectors or +size{K,M,G} (...-..., default ...):
    Using default value ...

    Command (m for help): w
    The partition table has been altered!

Now you have a USB drive with a single partition (/dev/sdb1), but there is no filesystem on it. That's exactly what you want, because the LUKS system creates an encryption layer on the partition before you put a filesystem on it. So before creating a filesystem, let's create the LUKS layer on the partition, using the cryptsetup program. If you don't have cryptsetup, search for it in your distribution's repository; it should be there. To create the LUKS encrypted partition layer:

    cryptsetup luksFormat /dev/sdb1

    WARNING!
    This will overwrite data on /dev/sdb1 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:

Follow the directions, and be sure to remember your passphrase! Note that a "passphrase" is usually more than just a word. It's most often a phrase, thus the name. The longer the phrase, the tougher to crack.
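As an added illustration of why the length of the phrase matters (this is not the column's own code, nor cryptsetup's or gpg's implementation): both LUKS and gpg -c stretch the passphrase into the actual key with a salted, iterated key-derivation function. The block below uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in, shows that the salt makes the same passphrase yield unrelated keys on two volumes, and estimates how the size of the passphrase space and the iteration count combine into the cost of guessing. The 7776-word list size, the 10^9 hashes-per-second rate and the salts are assumed values chosen for the example.

```python
import hashlib
import math

# Added example, not from the column. PBKDF2-HMAC-SHA256 stands in here for
# LUKS1's PBKDF2 and gpg's salted, iterated string-to-key function.

def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a passphrase into a fixed-length key. The salt makes the same
    passphrase give a different key on every volume; the iteration count sets
    the cost of each guess for anyone brute-forcing the phrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=length)

def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of a secret made of `symbols` independent picks from an
    alphabet of `alphabet_size` (words from a word list, or characters)."""
    return symbols * math.log2(alphabet_size)

def expected_guesses(bits: float) -> float:
    """Whoever guesses in random order needs about half the space on average."""
    return 2 ** (bits - 1)

def years_to_crack(bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected time to find the phrase when each guess costs `iterations`
    hash computations at an assumed rate of `hashes_per_second`."""
    seconds = expected_guesses(bits) * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)

def compare(iterations: int = 100_000, rate: float = 1e9) -> dict:
    """Constructed comparison: one word, a four-word phrase and eight random
    printable characters, at an assumed 10^9 hashes per second."""
    candidates = {
        "one word (7776-word list)": entropy_bits(1, 7776),
        "four-word phrase": entropy_bits(4, 7776),
        "eight random printable chars": entropy_bits(8, 95),
    }
    return {name: {"bits": round(bits, 1),
                   "years": years_to_crack(bits, iterations, rate)}
            for name, bits in candidates.items()}

def salt_demo() -> dict:
    """Same passphrase on two volumes (two salts) gives two unrelated keys,
    and a one-character change in the phrase changes the whole key."""
    salt_a = b"volume-A-salt-0000"   # constructed; real tools draw salts at random
    salt_b = b"volume-B-salt-0000"
    phrase = "correct horse battery staple"
    k_a = derive_key(phrase, salt_a, 1000)
    k_b = derive_key(phrase, salt_b, 1000)
    k_typo = derive_key(phrase + "r", salt_a, 1000)
    return {"same_salt_same_key": k_a == derive_key(phrase, salt_a, 1000),
            "different_salt_same_key": k_a == k_b,
            "typo_same_key": k_a == k_typo}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:32s} {r['bits']:5.1f} bits  ~{r['years']:.3g} years")
    print(salt_demo())
```

The point to take from compare() is that a four-word phrase from a modest word list already sits near the entropy of eight truly random printable characters while being far easier to remember, and that raising the iteration count multiplies the attacker's cost by the same factor without the user noticing more than a short delay at unlock time.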


Once the process completes, you have an encrypted partition, but it's not mounted or formatted yet. The first step is to mount the partition, which again uses the cryptsetup utility:

    cryptsetup luksOpen /dev/sdb1 my_crypto_disk
    Enter passphrase for /dev/sdb1:

When you type in your passphrase, the device name you entered will be mounted like a virtual hard drive. Usually, it's mounted under /dev/mapper/devicename, so this example mounts a partition at /dev/mapper/my_crypto_disk.

This device is now being accessed as an unencrypted volume. As long as it stays mounted, it will act like any other unencrypted volume. That means you need to write a filesystem to it if you want to use it:

    mkfs.vfat /dev/mapper/my_crypto_disk -n my_crypto_disk
    mkfs.vfat ... (... Jan ...)

Now the drive is fully functional and can be mounted like any other disk. In fact, when you put the USB drive into your computer, if you have a modern GUI desktop, it should prompt you for a password and mount it automatically. Then you can eject it like a normal disk, and it will be encrypted until you next enter your passphrase. It's simple to unmount and, therefore, re-encrypt the drive on the command line too, using cryptsetup:

    cryptsetup luksClose my_crypto_disk

That's Only the Tip of the Iceberg
In this article, my hope is to peel back some of the mystery behind encryption. It's simple to encrypt and decrypt a file. It's not too much more difficult (especially if you use the GUI desktop tools) to encrypt an entire USB drive. With most distributions, it's possible to encrypt the entire home directory during the installation process!
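The USB-drive procedure above (dmesg, fdisk, luksFormat, luksOpen, mkfs, luksClose) has one step where a slip is unrecoverable: handing the wrong device name to fdisk or luksFormat. The following added example, which is not part of the column, is the pre-flight check a careful administrator runs first. It reads the same files the kernel exposes under /sys/block and /proc/mounts, refuses a disk the kernel does not flag as removable, and refuses one that still has a mounted partition. The build_fake_system() helper constructs a stand-in sysfs tree and mounts table so the block runs stand-alone; on a real host you would pass Path("/sys/block") and the text of /proc/mounts instead.

```python
from pathlib import Path
import tempfile

# Added example, not part of the column: the check to run before handing a
# device name to fdisk or cryptsetup luksFormat. The fake tree built by
# build_fake_system() is constructed for the stand-alone run.

def mounted_nodes(proc_mounts_text: str) -> set:
    """Device nodes currently mounted, parsed from /proc/mounts-format lines."""
    nodes = set()
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("/dev/"):
            nodes.add(fields[0])
    return nodes

def describe_disk(dev: str, sysfs_block: Path) -> dict:
    """Facts from /sys/block/<dev>: removable flag, size (the kernel reports
    512-byte sectors), partitions (subdirectories named after the disk) and
    the model string when the device directory has one."""
    node = sysfs_block / dev
    info = {
        "removable": (node / "removable").read_text().strip() == "1",
        "bytes": int((node / "size").read_text()) * 512,
        "partitions": sorted(p.name for p in node.iterdir()
                             if p.is_dir() and p.name.startswith(dev)),
    }
    model = node / "device" / "model"
    info["model"] = model.read_text().strip() if model.exists() else None
    return info

def wipe_blockers(dev: str, sysfs_block: Path, proc_mounts_text: str) -> list:
    """Reasons NOT to wipe `dev` (for example 'sdb'). An empty list means every
    check passed; any entry should stop the destructive step."""
    if not (sysfs_block / dev).is_dir():
        return [f"{dev}: no such block device under {sysfs_block}"]
    info = describe_disk(dev, sysfs_block)
    problems = []
    if not info["removable"]:
        problems.append(f"{dev}: kernel does not flag it removable (internal disk?)")
    nodes = {f"/dev/{dev}", *(f"/dev/{p}" for p in info["partitions"])}
    busy = mounted_nodes(proc_mounts_text) & nodes
    if busy:
        problems.append(f"{dev}: still mounted: {', '.join(sorted(busy))}; unmount first")
    return problems

def build_fake_system() -> tuple:
    """Constructed stand-in for /sys/block and /proc/mounts: sda is the
    internal root disk, sdb a mounted 8 GB USB stick. Returns (root, mounts)."""
    root = Path(tempfile.mkdtemp())
    for dev, removable, sectors, model, parts in [
        ("sda", "0", 500_118_192, "INTERNAL SSD", ["sda1", "sda2"]),
        ("sdb", "1", 15_638_016, "USB FLASH", ["sdb1"]),
    ]:
        node = root / dev
        (node / "device").mkdir(parents=True)
        (node / "removable").write_text(removable + "\n")
        (node / "size").write_text(f"{sectors}\n")
        (node / "device" / "model").write_text(model + "\n")
        for part in parts:
            (node / part).mkdir()
    mounts = ("/dev/sda2 / ext4 rw,relatime 0 0\n"
              "/dev/sda1 /boot ext4 rw,relatime 0 0\n"
              "/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0\n")
    return root, mounts

if __name__ == "__main__":
    sysfs, mounts = build_fake_system()
    for dev in ("sda", "sdb", "sdc"):
        print(dev, wipe_blockers(dev, sysfs, mounts) or "no blockers found")
    # On a real host:
    # wipe_blockers("sdb", Path("/sys/block"), Path("/proc/mounts").read_text())
```

An empty result is not a guarantee that sdb is the stick you just plugged in; it only rules out the two most common ways of wiping the wrong disk. Printing describe_disk() (size and model) next to the device name before typing YES at the luksFormat prompt closes most of the remaining gap.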


When encryption is set up on your entire home directory, however, there are some issues you need to address. For example, jobs that run while you're not logged in most likely will not have access to your home directory. If you have cron jobs that need access to your home directory, you should rewrite them to access data elsewhere on the system. I find a happy medium between security and convenience is to encrypt a USB drive and store my personal data on it.

Once you get the encryption bug, I must warn you, you'll want to start encrypting everything. That's not a bad thing, but like the home directory scenario, you'll run into a few snags. Cross-platform accessibility is a big one if you go between systems. For situations like that, I highly recommend TrueCrypt (http://www.truecrypt.org). I've mentioned TrueCrypt in UpFront pieces before, but it's basically an open-source, cross-platform encryption system that allows you to encrypt files, folders, partitions and more while being able to access that data on any system. Windows, Mac and Linux clients are all available, and the community has great support.

You don't have to have something to hide in order to desire encryption for your files. Just like it's wise to lock your house at night, even if you live in a good neighborhood, it's a smart move to encrypt your personal data. If you want to share your photos of Mr Whiskerton in his cute little beanie hat with everyone on the Internet, that's your right. But others don't need to see those things if they're being nosey and poking around your hard drive!

Shawn Powers is the Associate Editor for Linux Journal. He's also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don't let his silly hairdo fool you, he's a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
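Returning to the gpg -a output in the Starting Simple section: the .asc file is text-only and larger because the binary data is re-encoded as base64 in 64-column lines between BEGIN and END lines, followed by a CRC-24 of the binary payload on a line starting with "=". The block below is an added example, not the column's code and not GnuPG's: a minimal writer and reader for that OpenPGP ASCII armor format (RFC 4880, section 6), which shows the size overhead the ls -l listing illustrates and rejects an armored message whose body was altered in transit. The payload is constructed sample bytes, not a real encrypted message.

```python
import base64

# Added example, not from the column or from GnuPG. Constants and the
# shift-and-xor loop follow the CRC-24 definition in RFC 4880 section 6.1.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """CRC-24 as OpenPGP armor computes it over the binary payload."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(payload: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap binary data the way gpg -a does: base64 body in 64-column lines,
    then '=' followed by the base64 of the 3-byte CRC-24."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", "", *lines, crc_line,
                      f"-----END {kind}-----", ""])

def dearmor(text: str) -> bytes:
    """Recover the binary data and refuse it if the CRC does not match."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("-----BEGIN ")]
    if not starts:
        raise ValueError("no armor header")
    i = starts[0] + 1
    while i < len(lines) and lines[i].strip():      # skip "Version:"-style armor headers
        i += 1
    body, crc_field = [], None
    for line in lines[i + 1:]:
        if line.startswith("-----END "):
            break
        if line.startswith("="):                    # body lines never start with '='
            crc_field = line[1:]
        elif line.strip():
            body.append(line.strip())
    else:
        raise ValueError("no armor tail")
    payload = base64.b64decode("".join(body), validate=True)
    if crc_field is None:
        raise ValueError("missing CRC line")
    if crc24(payload) != int.from_bytes(base64.b64decode(crc_field, validate=True), "big"):
        raise ValueError("CRC mismatch: armored data was altered or corrupted")
    return payload

def size_report(payload: bytes) -> dict:
    """Binary vs. armored size, the difference the ls -l listing shows."""
    armored = armor(payload)
    return {"binary": len(payload), "armored": len(armored.encode("ascii")),
            "ratio": round(len(armored) / len(payload), 3)}

def corrupt(text: str) -> str:
    """Change one base64 character on the first body line (constructed tamper case)."""
    lines = text.split("\n")
    first = lines[2]
    lines[2] = ("B" if first[0] != "B" else "C") + first[1:]
    return "\n".join(lines)

if __name__ == "__main__":
    sample = bytes(range(256)) * 4          # constructed 1 KB payload
    print(armor(sample)[:120])
    print(size_report(sample))
    assert dearmor(armor(sample)) == sample
```

The CRC only catches accidental damage and casual editing; it is not a signature, so an attacker who can rewrite the body can recompute it. Integrity against deliberate modification comes from the OpenPGP message inside the armor (a signature, or the MDC on an encrypted packet), which this format-level check does not replace.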

NEW PRODUCTS

Innodisk's FlexiArray SE108 and HD224 Storage Appliances
The secret to the performance advances in Innodisk’s
FlexiArray line of storage appliances is the company’s novel FlexiRemap Technology, which
deals with the challenges of I/O performance, data endurance and affordability. FlexiRemap,
notes Innodisk, innovates in software and firmware, creating a new category of Flash-
collaborating storage appliances (in contrast to Flash-aware or Flash-optimized) that deliver
sustained high IOPS, even for random write operations. Innodisk’s first storage appliances
to leverage this technology, the new FlexiArray SE108 and HD224, are designed to provide
cost-effective performance for high-performance computing, cloud computing and I/O
bound server applications. Typical application areas include cloud computing, virtualization
and HPC. The slim SE108 offers up to 2TB of storage in a 1U-rackmount package; the
HD224 provides up to 8TB in a 2U-rackmount unit, with 8x 10GbE SFP+ interfaces. Both
units offer redundant hot-swappable SSDs and power modules.
http://flexiarray.innodisk.com

Magic Software
Enterprises’ Magic xpi
Integration Platform
With most core enterprise systems in place,
organizations of all sizes are looking to business process
integration and automation to increase operational efficiency and competitiveness. The updated
Magic xpi Integration Platform from Magic Software Enterprises is a cloud-ready integration
platform that enables users to unlock data from enterprise systems like SugarCRM, Sage and
SYSPRO. In the new release, the aforementioned three platforms now enjoy certified, prebuilt
adapters for optimized integration, which complement existing adapters for Oracle JD Edwards
EnterpriseOne, JD Edwards World, SAP, IBM Lotus Notes, Microsoft Dynamics, Microsoft
SharePoint and Salesforce, and more. In addition, an In-Memory Data Grid (IMDG) architecture
is the new standard. IMDG offers cost-effective elastic scalability, built-in clustering and failover
capabilities, which support enterprise needs for business continuity, faster processing and
increasing transaction loads spurred by new mobile, cloud and big-data use cases.
http://www.magicsoftware.com


AdaCore’s GNAT
Programming Studio
“Usability” is the word that best captures the
essence of the new version 6.0 release of AdaCore’s
GNAT Programming Studio (GPS) graphical IDE. This
“major engineering effort” features a significantly
revised and cleaner user interface that eases
program navigation and editing. The revised look
and feel, which exploits the latest Gtk+/GtkAda
graphical toolkit, is supported by a new relational
database at the heart of the GPS engine, making code navigation much more efficient. GPS
6.0 also brings improved performance and new functionality, including language support
for SPARK 2014, syntax highlighting and tool tips for Ada 2012 and SPARK 2014 aspects,
editor enhancements and a number of additions to the scripting API.
http://www.adacore.com

Rahul Singh's Kali Linux Social Engineering (Packt Publishing)
The new book Kali Linux Social Engineering by Rahul Singh
exists to help you master the social engineering toolkit, or
SET, found in the security-focused Kali Linux distribution.
With Singh’s book in hand, readers can learn how security
can be breached using social-engineering attacks, as
well as attain a very unique ability to perform a security
audit based on social engineering attacks. Starting with
attacks using Kali, this book describes in detail various
Web site attack vectors and client side attacks that can
be performed through SET. This book covers some of the most advanced techniques that
currently are being utilized by attackers to get inside secured networks, covering phishing
(credential harvester attack), Web jacking attack method, spear phishing attack vector,
Metasploit browser exploit method, Mass mailer attack and more.
http://www.packtpub.com


Jack Moffitt and Fred Daoud's Seven Web Frameworks in Seven Weeks (Pragmatic Bookshelf)
There’s something to the “Seven in Seven Weeks”
concept in the tech books from Pragmatic Bookshelf. The
latest addition in this practical series is Jack Moffitt and
Fred Daoud’s Seven Web Frameworks in Seven Weeks:
Adventures in Better Web Apps. Whether you need a new
tool or merely a dose of inspiration, this work explores
your options and gives you sufficient exposure to each one,
along with tips for creating better apps. The authors cover frameworks that leverage
modern programming languages, employ unique architectures, live client-side instead
of server-side or embrace type systems. Covered frameworks include Sinatra, CanJS,
AngularJS, Ring, Webmachine, Yesod and Immutant. The breakneck evolution of Web
apps demands innovative solutions, and this survey of frameworks and their unique
perspectives is designed to inspire and promote new thinking for dealing with daily
programming challenges.
http://www.pragprog.com

OpenLogic’s
AWS Marketplace
Offerings
OpenLogic’s vision is to keep enterprise customers running on some of the world’s best
open-source packages. To convert this vision into reality, the firm intends to make
available more than 50 new preconfigured stacks through the Amazon Web Services
(AWS) Marketplace, including production-level support for JBoss, Apache HTTP, Tomcat,
MySQL, PostgreSQL, ActiveMQ and the CentOS operating system. These are in addition
to OpenLogic’s existing offerings on AWS. Enterprise support will include both 12x5
business-hour support and 24x7 production-level support. Products will be offered for use
at an hourly rate. OpenLogic adds that OLEX, its open-source scanning, governance and
provisioning portal, allows organizations to embrace open source with confidence.
http://www.openlogic.com


Stackinsider
Deployment-as-a-Service
Cloud Platform
Stackinsider’s approach to OpenStack is
packaging it as a Deployment-as-a-Service (DaaS)
cloud platform, which the company says is the
first of its kind to be public and free. Designed
to make OpenStack technology adoption significantly easier and faster than conventional
approaches, the Stackinsider DaaS approach consolidates and streamlines key OpenStack
distributions and real-world applications for a wide range of uses. DaaS has integrated
all popular IaaS deployment toolchains including RDO, FUEL, Puppet, DevStack and
Chef. Some popular applications like Moodle and SugarCRM also are provided for PaaS
prototyping. This public DaaS cloud is available for download at Stackinsider’s Web site.
http://www.stackinsider.com

JetBrains’ PhpStorm
For JetBrains, developing a new version of the PhpStorm
IDE for PHP means more than keeping on top of the latest
changes in Web languages. It is also about supporting and
integrating modern tools and popular frameworks, not
to mention removing obstacles on the road to productive
Web development. Of course, the new PhpStorm 7
supports the latest PHP 5.5 with improved PHP syntax
coloring, new refactorings, code inspections and quick-fixes. Support also has been added
for various front-end Web technologies, such as different JavaScript templates, Web
Components and modern stylesheets. Built-in tools for Vagrant, SSH console and local
terminal and Google App Engine for PHP have been added too. Finally, support has been
enhanced for various frameworks, including Drupal, Symfony2 and others.
http://www.jetbrains.com/phpstorm

Please send information about releases of Linux-related products to newproducts@linuxjournal.com or New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.



FEATURE Quantum Cryptography

QUANTUM
CRYPTOGRAPHY
Classical cryptography provides security
based on unproven mathematical assumptions
and depends on the technology available
to an eavesdropper. But, these things might
not be enough in the near future to guarantee
cyber security. We need something that
provides unconditional security. We need
quantum cryptography.
SUBHENDU BERA



Imagine you want to send a message to your friend, and you don't want others to be able to read the message. You lock your message in a box using a key and send the box to your friend. Your friend also has a key to unlock that box, so he easily can open the box and read the message. In general, this is the technique used by cryptographic algorithms. Locking the message in the box is like encryption, and unlocking the box is like decryption. Before sending the message to the receiver, the data is encrypted using an encryption algorithm and a secret key. On the receiver side, the encrypted data is decrypted using the reverse encryption algorithm.

Classical cryptographic algorithms mostly rely on mathematical approaches to secure key transmission. The security they offer is based on unproven assumptions and depends on the technology available to an eavesdropper. But, rapidly growing parallel and quantum technologies may be a threat to these classical cryptography techniques in the near future. One of the solutions to these threats is quantum cryptography.

What is quantum cryptography? Quantum cryptography is a complex topic, because it brings into play something most people find hard to understand—quantum mechanics. So first, let's focus on some basic quantum physics that you'll need to know to understand this article.

Simple Quantum Physics
Quantum in physics is a discrete natural unit, or packet of energy, charge, angular momentum or other physical property. Light, for example, appears in some respects as a continuous electromagnetic wave, but on the submicroscopic level, it is emitted and absorbed in discrete amounts or quanta. These particle-like packets (quanta) of light are called photons, a term also applicable to quanta of other forms of electromagnetic energy, such as


Figure 1. Necker Cubes

X rays and gamma rays.

One unique thing about quanta is that they can exist in all of their possible states at once. This also applies to photons. This means that in whatever direction a photon can spin—say, diagonally, vertically and horizontally—it does so all at once. A quantum of light in this state is called an unpolarized photon. This is like someone moving north, south, east, west, up and down all at the same time. This property is called superposition. One thing you should keep in mind is that measuring something that is in its superposition causes it to collapse into a definite state (one of all the possible states). Figure 1 should help describe superposition.

Looking at Figure 1, you can identify one of four possibilities: either both squares are protruding forward or both are backward, or one is forward and the other is backward. Each time you look at the diagram, only one possibility is true. In a sense, all four options exist together, but when you look at the diagram, it collapses into just one. This is the essence of quantum superposition. Through the use of polarization filters, you can force the photon to

Figure 2. Polarizing Photons



Figure 3. Effect of Various Basis on Polarized Photons

take one of its states, or technically, polarize it. If you use a vertical polarizing filter, some photons will be absorbed, and some will emerge on the other side of the filter. Those photons that aren't absorbed will emerge on the other side with a vertical spin. Thus, you can polarize the photons to your required orientation using suitable filters.

The foundation of quantum physics is the unpredictability factor. This unpredictability is pretty much defined by Heisenberg's Uncertainty Principle. This principle says that certain pairs of physical properties are related in such a way that measuring one property prevents the observer from knowing the value of the other. But, when dealing with photons for encryption, Heisenberg's Principle can be used to your advantage. When measuring the polarization of a photon, the choice of what direction to measure affects all subsequent measurements. The thing about photons is that once they are polarized, they can't be measured accurately again, except by a filter like the one that initially produced their current spin. So if a photon with a vertical spin is measured through a diagonal filter, either the photon won't pass through the filter or the filter will affect the photon's behavior,


causing it to take a diagonal spin. In this sense, the information on the photon's original polarization is lost. In the diagram in Figure 3, I have used the wrong basis for the last two cases, and you can see that I have changed the polarization of two photons.

Quantum Information
The bit is the fundamental concept of classical computation and classical information. Quantum computation and quantum information are built upon an analogous concept: the quantum bit, or qbit for short. Just as a classical bit has a state of either 0 or 1, a qbit is like a bit, but it is in superposition between 0 and 1. Two possible states for a qbit are the states |0⟩ and |1⟩. This notation is called Dirac notation. A qbit can be fully expressed as a|0⟩ + b|1⟩ with a² + b² = 1. When we measure a qbit, we get a 0 with probability a² and a 1 with probability b².

Now consider a quantum computer with two qbits. There are four possible states: |00⟩, |01⟩, |10⟩ and |11⟩, and its superposition is a|00⟩ + b|01⟩ + c|10⟩ + d|11⟩, where a², b², c² and d² are the probabilities of finding the two qbits in any of the four states. In a quantum computer, the two bits are in all possible states at one time. So it is possible to add a number to the two bits, which means we can add the number to 00, 01, 10 and 11 and compute the result at the same time. This ability to operate on all states at one time makes it so powerful.

Here the number of parallel operations depends on the number of qbits used. If N qbits are used, then 2^N operations can be done in parallel, and this inherent parallelism makes quantum computers so fast. But the question is, how do you encode a photon as a qbit? We know a photon has its own spin in all possible directions. As in certain

Figure 4. Encoding Polarized Photons as Binary Values



digital systems, we consider +5 volts as 1 and 0 volts as 0, and we can use the spin property of a photon to encode a photon as a qbit. We can use the photon's spin in a particular direction as 1 and the spin in the other direction as 0—say, a photon with vertical spin will be considered as 1 and a photon with an angular spin as 0.

Quantum Cryptography
Before starting to describe what quantum cryptography is, let me introduce three names I use throughout this article: Alice, Bob and Eve. Alice is sending the message, and Bob is receiving the message. Eve is in between them, trying to intercept the message. What Eve does is somehow collect the secret key to the message and decrypt it. Now, if Alice somehow can send the key of the message to Bob without any interception, she can send the message without problems.

Now, let me discuss the BB84 protocol. It is named after its inventors, Charles Bennett and Gilles Brassard, and it was invented in 1984. Quantum cryptography follows two steps. The first one is sending the secret key, and the second step is sending the message. Here, Alice and Bob make use of two fundamentally different communication channels:

Figure 5. Binary Encoding of Photons in My Examples


a classical channel and a quantum channel. A classical channel is something that you use on the Internet to transfer data. In a classical channel, Eve can observe the bit-stream without affecting the data. But, a quantum channel is something different. It is capable of sending information in terms of quantum, and Eve can't observe the data without affecting the data. In the BB84 protocol, the secret key is sent through the quantum channel, but the message is sent through the ordinary channel but encrypted by the secret key. The first step is called Quantum Key Distribution (QKD). In this step Alice and Bob use the quantum channel for communication.

First, let's imagine there is no Eve between Alice and Bob. Let's assume that Alice is using two types of polarizer: one is a diagonal polarizer (X) and one a rectilinear polarizer (+). In a rectilinear basis, a photon with a spin "|" (that is, up to down) is considered as 1, and a "-" (that is, left to right) is 0. In a diagonal basis, a photon with a spin "/" is considered as 1, and "\" is 0. The diagram shown in Figure 5 should help you understand how I'm representing photons as binary values.

Now Alice has a key, and for each bit, she will select a random basis (either diagonal or rectilinear) to encode the bit to send. Nobody, not even Bob, knows what basis Alice is using. Bob will receive the encoded qbits, and Bob will use random basis to decode the qbits. If he uses the same basis, he will get the exact bit that Alice sent; otherwise, there is a 50% chance that he will get a wrong bit. For example, if Alice uses a diagonal basis to encode 1, and Bob also uses diagonal basis to decode that, then he will get a 1. If he uses a rectilinear basis, then there is a 50%

Table 1. Alice Sending the Secret Key 100101

             ALICE          BOB
Basis used   +,X,+,+,X,X    +,+,+,X,+,X



chance that he will get a 1 and a 50% chance of getting 0. As Bob is also using random basis, there's a 50% chance that he will use the right basis (that is, he will use the basis that Alice used) and will decode 50% of qbits exactly, and for the 50% wrong basis, he will decode 25% of qbits exactly, and that means Bob will decode 75% of qbits exactly.

Alice and Bob will exchange the basis they used for each bit using the normal channel without revealing their bits. They can check for which bits they both used the same basis, and those bits will be used as the secret key. Consider the example shown in Table 1 where Alice is sending the secret key 100101. In this case, Bob will decode the key as 1,0/1,0,0/1,0/1,1. Because Bob has used some wrong basis to measure the qbits, he may get a 0 or 1 randomly on those cases. Then, they will exchange their basis with others, and they will find that in positions 2, 4 and 5, Bob used the wrong basis. So they will use the rest of the bit (1st, 3rd and 6th bit) string as the secret key—that is, 101. The rest is simple, just encrypt the message using that key and send it.

The situation becomes critical when Eve comes into action. As they are connecting using the public channel, it is quite possible that Eve will intercept the communication. In this case, as with the previous case, Alice encodes the bit information using any basis and sends it to Bob, but now Eve intercepts the qbits. Like Bob, Eve also has a decoder of the qbit. But Eve also doesn't know the basis Alice is using, so like Bob, she also randomly uses basis to decode the qbits. There is a 50% chance that Eve will use the right basis, and a 50% chance she will use the wrong basis. For the correct 50%, the photon's spin direction will not be affected, but for the wrong 50%, the photon's spin direction will be changed. For the 50% of qbits for which Eve used the right basis, Bob will use a 25% right basis and 25% wrong basis, and for the right 25% of qbits, he will get a 25% right qbit, and for the wrong 25% basis Bob used, he will get 12.5% of qbits correct just due to probability. That means from the first 50% for which Eve used the right basis, Bob will get 37.5% correct qbits. For the rest of the 50%, again Bob will use 25% right and 25% wrong basis. From this, Bob will get 12.5% and 12.5% due to probability, which means he will get 25% right qbits. So when Eve is between them, Bob will have 37.5 + 25 = 62.5% accuracy. Figure 6 demonstrates this calculation.


Figure 6. Accuracy Calculation for Bob When Eve Is Intercepting

In Figure 6, the node with "**", like C**, represents the nodes where Bob decoded the qbits correctly, and the node with "*", like F*, represents the nodes where Bob decoded the qbits incorrectly. One question that may arise is why does Bob get 12.5% accuracy (in E,L) when he used the wrong basis? Remember that when you use a wrong basis to decode a qbit, there is a 50% chance that you will get a 0, and a 50% chance that you will get a 1. By this logic, Bob will have 12.5% accuracy from D. Similarly, in the case of I, when Bob has used the correct basis (with respect to Alice's basis) but Eve already has changed the polarization of the qbits using the wrong basis, Bob has a 50% chance of being right and a 50% chance of being wrong. So overall, Bob gets 12.5% right qbits in I and 12.5% wrong qbits in J. Now they will match the basis they used for each qbit, and they will use the bits where Bob used the correct basis, and they will throw out the bits for which Bob used the wrong basis. Now they need to check whether Eve is listening. For that purpose, they will use a subset of the matched key (after throwing out the bits for which Bob used wrong basis) and compare with others using the normal channel. Bob will have 100% accuracy if Eve

76 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 76 12/17/13 3:43 PM


Table 2. Alice Sending a Key of 01101011 to Bob Using Two Types of Polarization
Alice’s
+ X + + X X X X
basis
Alice’s
0 1 1 0 1 0 1 1
data
Eve’s
+ + X + X X X +
basis
Eve’s
0 1 0 0 1 1 1 0
data
Bob’s
+ + + X + X X X
basis
Bob’s
0 0 0 0 0 1 1 1
data

is not there; otherwise, Bob will key is different, which means Eve is
have 75% accuracy in the basis between them. Then they will repeat
comparison. If the accuracy is 100%, the same procedure again until they
they will discard the set of bits they get a 100% key match. When they
used for matching, and the rest of get a key, they easily can encrypt the
the bit string will be used as the key message using the key and send it
to encrypt the message. If 100% via the public network.
accuracy is not observed, they will
TRY AGAIN TO GET A KEY USING 1+$ Limitations
In Table 2, Alice is sending a key of In practice, the quantum channel also
“01101011” to Bob using two types will be affected by noise, and it will
of polarization as stated above. be hard to distinguish between noise
Now Alice and Bob will compare and eavesdropping.
their basis, and they will find that If Eve wants, she can intercept the
Bob has guessed the 1st, 3rd, 7th quantum channel just to not allow
and 8th basis correctly. So they will Alice and Bob to communicate.
throw out the bits for the remaining No amplifiers are used on the
positions—that is, the 2nd, 4th, 5th optical fiber carrying the quantum
and 6th. Now the key is “0011”. signal. Such devices would disrupt the
They will choose the first two bits communication in the same way an
for matching, and then they will eavesdropper does. This implies, in
find that their second bit in the TURN THAT 1+$S RANGE IS LIMITED
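As an added example (not part of the article), the sifting, the public comparison and the intercept-resend accuracy figures above, worked in Python on the data of Table 2; the sifted positions are computed from the table's bases directly, and the Monte Carlo part reproduces the 75%/100% (no Eve) and 62.5%/75% (Eve present) figures the text derives.

```python
"""BB84 sifting, eavesdropper check and intercept-resend accuracy."""
import random

# Constructed from Table 2 ('+' = rectilinear basis, 'X' = diagonal basis).
ALICE_BASIS = "+X++XXXX"
ALICE_DATA = "01101011"
EVE_BASIS = "++X+XXX+"
BOB_BASIS = "+++X+XXX"
BOB_DATA = "00000111"


def sift(alice_basis, bob_basis, alice_data, bob_data):
    """Keep only the positions where Alice and Bob used the same basis.
    Returns (kept positions, Alice's sifted key, Bob's sifted key)."""
    kept = [i for i, (a, b) in enumerate(zip(alice_basis, bob_basis)) if a == b]
    alice_key = "".join(alice_data[i] for i in kept)
    bob_key = "".join(bob_data[i] for i in kept)
    return kept, alice_key, bob_key


def eve_detected(alice_key, bob_key, sample_size):
    """The article's check: compare the first sample_size sifted bits over the
    public channel. Any disagreement means the qubits were disturbed (by Eve,
    or by channel noise, which QKD cannot tell apart, see Limitations)."""
    return alice_key[:sample_size] != bob_key[:sample_size]


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the prepared bit; in the
    other basis the outcome is a fair coin."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def simulate(n, with_eve, seed=1):
    """Monte Carlo over n qubits. Returns (accuracy over all qubits, accuracy
    over the sifted key). Eve, when present, measures in a random basis and
    re-sends the result prepared in her own basis (intercept-resend)."""
    rng = random.Random(seed)
    raw_ok = sifted_ok = sifted_n = 0
    for _ in range(n):
        bit, a_basis, b_basis = rng.randint(0, 1), rng.choice("+X"), rng.choice("+X")
        sent_bit, sent_basis = bit, a_basis
        if with_eve:
            e_basis = rng.choice("+X")
            sent_bit = measure(bit, a_basis, e_basis, rng)
            sent_basis = e_basis
        bob_bit = measure(sent_bit, sent_basis, b_basis, rng)
        raw_ok += bob_bit == bit
        if a_basis == b_basis:          # only these bits survive sifting
            sifted_n += 1
            sifted_ok += bob_bit == bit
    return raw_ok / n, sifted_ok / sifted_n


if __name__ == "__main__":
    kept, a_key, b_key = sift(ALICE_BASIS, BOB_BASIS, ALICE_DATA, BOB_DATA)
    print("sifted positions:", [i + 1 for i in kept], "Alice:", a_key, "Bob:", b_key)
    print("Eve detected by comparing two bits:", eve_detected(a_key, b_key, 2))
    for eve in (False, True):
        print("Eve present:", eve, "raw/sifted accuracy: %.3f / %.3f" % simulate(20000, eve))
```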

Following the no-cloning theorem, QKD can provide only a 1:1 connection. So the number of links will increase as N(N – 1)/2, where N represents the number of nodes.

Research
Researchers have been developing such systems for more than a decade. The DARPA Quantum Network, which became fully operational in BBN’s laboratory in October 2003, has been continuously running in six nodes, operating through the telecommunications fiber between Harvard University, Boston University and BBN since June 2004. The DARPA Quantum Network is the world’s first quantum cryptography network, and perhaps also the first QKD system providing continuous operation across a metropolitan area (http://arxiv.org/abs/quant-ph/0503058).
NIST performs core research on the creation, transmission, processing and measurement of optical qbits. It demonstrated high-speed QKD systems that generate secure keys for encryption and decryption of information using a one-time pad cipher, and extended them into a three-node quantum communications network (http://w3.antd.nist.gov/qin/index.shtml).
Toshiba’s Quantum Key Distribution System delivers digital keys for cryptographic applications on fiber-optic-based computer networks based on quantum cryptography. In particular, it allows key distribution over standard telecom fiber links exceeding 100km in length and bit rates sufficient to generate 1 megabit per second of key material over a distance of 50km—sufficiently long for metropolitan coverage (https://www.toshiba-europe.com/research/crl/qig/quantumkeyserver.html).
The current status of quantum cryptography in Japan includes an inter-city QKD testbed based on DPS-QKD, a field test of a one-way BB84 system over 97km with noise-free WDM clock synchronization, and so on (“Toward New Generation Quantum Cryptography—Japanese Strategy” by Nukuikita, Koganei).
The 973 Program and 863 Program of China have funded support to the QKD research (Post-Quantum Cryptography: Third International Workshop, PQCrypto 2010, Darmstadt, Germany, May 25–28, 2010, Proceedings, 1st ed.).
In Europe, the SEcure COmmunication based on Quantum Cryptography (SECOQC) project was funded for the same reason (http://vcq.quantum.at/publications/all-publications/details/643.html).


In [year], ID Quantique was the first in the world to bring a quantum key distribution system to a commercial market. ID Quantique’s QKD product was used in conjunction with layer 2 Ethernet encryption to secure elections in Geneva. Other companies like MagiQ, QinetiQ and NEC also are working in this field. Companies claim to offer or to be developing QKD products, but limited information is publicly available. However, it’s likely that the situation will evolve in the near future (http://swissquantum.idquantique.com/?-Quantum-Cryptography-#).

Subhendu Bera is from West Bengal (India). He completed his Master of Science degree in Computer Science from Banaras Hindu University and his Bachelor of Science degree in Computer Science from University of Calcutta. Currently, he is preparing for entrance for a PhD. He likes to play with machine learning tools, and in his spare time, he reads, blogs and plays cricket and chess.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

Resources
W. Chen, H.-W. Li, S. Wang, Z.-Q. Yin, Z. Zhou, Y.-H. Li, Z.-F. Han and G.C. Guo (2012). “Quantum Cryptography”, Applied Cryptography and Network Security, Dr. Jaydip Sen (Ed.), ISBN: 978-953-51-0218-2, InTech, available from http://www.intechopen.com/books/applied-cryptography-and-network-security/quantum-cryptography

“Quantum Cryptography Hits the Fast Lane” by Adrian Cho: http://news.sciencemag.org/sciencenow/2010/04/quantum-cryptography-hits-the-fa.html

“Do we need quantum cryptography?” by Peter Rohde: http://www.peterrohde.org/2012/06/29/do-we-need-quantum-cryptography

“A Little (q)bit of Quantum Computing” by Douglas Eadline: http://www.linux-mag.com/id/8753

“What is a quantum computer?” by Dr Boaz Tamir: http://thefutureofthings.com/column/5/what-is-a-quantum-computer.html

Quantum Computation and Quantum Information by Michael A. Nielsen and Isaac L. Chuang, Cambridge University Press, 2011.

“Quantum Communication”: http://w3.antd.nist.gov/qin/index.shtml


FEATURE More Secure SSH Connections

More Secure SSH Connections
Thwart would-be attackers by hardening your SSH connections.
FEDERICO KEREKI


If you need remote access to a machine, you’ll probably use SSH, and for a good reason. The secure shell protocol uses modern cryptography methods to provide privacy and confidentiality, even over an unsecured, unsafe network, such as the Internet. However, its very availability also makes it an appealing target for attackers, so you should consider hardening its standard setup to provide more resilient, difficult-to-break-into connections. In this article, I cover several methods to provide such extra protections, starting with simple configuration changes, then limiting access with PAM and finishing with restricted, public key certificates for passwordless restricted logins.

Where Is SSH?
As defined in the standard, SSH uses port 22 by default. This implies that with the standard SSH configuration, your machine already has a nice target to attack. The first method to consider is quite simple—just change the port to an unused, nonstandard port, such as 22022. (Numbers above 1024 are usually free and safe, but check the Resources at the end of this article just to avoid possible clashes.) This change won’t affect your remote users much. They will just need to add an extra parameter to their connection, as in ssh -p 22022 the.url.for.your.server. And yes, this kind of change lies fully in what’s called “security through obscurity”—doing things obscurely, hoping that no one will get wise to your methods—which usually is just asking for problems. However, it will help at least against script kiddies, whose scripts just try to get in via port 22 instead of being thorough enough to try to scan your machine

Knock for SSH

Trying to attack your machine will be harder if the would-be invader cannot even find a possible SSH door. The methods shown in this article are compatible with the port-knocking technique I wrote about in a previous article (“Implement Port-Knocking Security with knockd”, January 2010), so I won’t go into knockd configuration here. By using all techniques together, attackers will have an even harder time getting to your machine (where all the other measures shown in this article will be waiting), because they won’t even be able to start trying to attack your box.


for all open ports.
In order to implement this change, you need to change the /etc/ssh/sshd_config file. Working as root, open it with an editor, look for a line that reads “Port 22”, and change the 22 to whatever number you chose. If the line starts with a hash sign (#), then remove it, because otherwise the line will be considered a comment. Save the file, and then restart SSH with /etc/init.d/sshd restart. With some distributions, that could be /etc/rc.d/init.d/sshd restart instead. Finally, also remember to close port 22 in your firewall and to open the chosen port so remote users will be able to access your server.
While you are at this, for an extra bit of security, you also could add or edit some other lines in the SSH configuration file (Listing 1). The Protocol line avoids a weaker, older version of the SSH protocol. The LoginGraceTime gives the user 30 seconds to accomplish a login. The MaxAuthTries limits users to three wrong attempts at entering the password before they are rejected. And finally, PermitRootLogin forbids a user from logging in remotely as root (any attacker who managed to get into your machine still would have to be able to break into the root account; an extra hurdle), so would-be attackers will have a harder time at getting privileges on your machine. Be sure to restart the SSH service dæmon after these changes (sudo /etc/init.d/sshd restart does it), and for now, you already have managed to add a bit of extra safety (but not much really), so let’s get down to adding more restrictions.

Listing 1. These little SSH configuration changes can add a bit of security

Port 22022
Protocol 2
LoginGraceTime 30
MaxAuthTries 3
PermitRootLogin no

Who Can Use SSH?
Your machine may have several servers, but you might want to limit remote access to only a few. You can tweak the sshd_config file a bit more, and use the AllowUsers, DenyUsers, AllowGroups and DenyGroups parameters. The first one, AllowUsers, can be followed by a list of user names (or even patterns, using the common * and ? wild cards) or user@host pairs, further restricting access to the user only from the given host. Similarly, AllowGroups provides a list of group name patterns, and login is allowed only for members


of those groups. Finally, DenyUsers and DenyGroups work likewise, but prohibit access to specific users and groups. Note: the priority order for rules is DenyUsers first, then AllowUsers, DenyGroups and finally AllowGroups, so if you explicitly disallow users from connecting with DenyUsers, no other rules will allow them to connect.
For example, a common rule is that from the internal network, everybody should be able to access the machine. (This sounds reasonable; attacks usually come from outside the network.) Then, you could say that only two users, fkereki and eguerrero, should be able to connect from the outside, and nobody else should be able to connect. You can enable these restrictions by adding a single line AllowUsers *@<your.internal.network> fkereki eguerrero to the SSH configuration file and restarting the service. If you wanted to forbid jandrews from remote connections, an extra DenyUsers jandrews would be needed. More specific rules could be added (say, maybe eguerrero should be able to log in only from home), but if things start getting out of hand with too many rules, the idea of editing the ssh configuration files and restarting the server begins to look less attractive, and there’s a better solution through PAM, which uses separate files for security rules.

The PAM Way
If you google for meanings of PAM, you can find several definitions, ranging from a cooking oil spray to several acronyms (such as Power Amplitude Modulation or Positive Active Mass), but in this case, you are interested in Pluggable Authentication Modules, a way to provide extra authentication rules and harden access to your server. Let’s use PAM as an alternative solution to specify which users can access your server.
From a software engineering viewpoint, it would just be awful if each and every program had to invent and define and implement its


PAM, PAM Everywhere

Although there is no “official” list of PAMs, most distributions are likely to include the following:

- pam_access: allows or denies access according to the file /etc/security/access.conf.
- pam_cracklib: checks passwords against dictionaries.
- pam_debug: used for testing only.
- pam_deny: always denies access.
- pam_echo: displays the contents of a file.
- pam_env: sets or unsets environment variables.
- pam_exec: lets you run an external command.
- pam_group: grants group memberships to the user.
- pam_lastlog: shows the date and time of the user’s last login.
- pam_ldap: allows authentication against an LDAP server.
- pam_limits: lets you set system resource limits, through the file /etc/security/limits.conf.
- pam_listfile: an alternative to pam_access, with some extra options.
- pam_mail: checks if the user has pending mail.
- pam_make: runs make in a given directory.
- pam_motd: displays the “message of the day” file, usually /etc/motd.
- pam_nologin: blocks all logins should the file /etc/nologin exist.
- pam_permit: always allows access.
- pam_pwcheck: checks passwords for strength.
- pam_pwhistory: checks new passwords against recently used ones to avoid repetition.
- pam_rootok: usually is included in /etc/pam.d/su as a “sufficient” test so root can act as any other user without providing a password.
- pam_selinux: sets the default security context for SELinux.
- pam_sepermit: allows or denies login depending on SELinux state.
- pam_shells: allows access only if the user’s shell is listed in the file /etc/shells.
- pam_succeed_if: checks for account characteristics, such as belonging to a given group.
- pam_tally: just keeps count of attempted accesses and can deny access if too many attempts fail.
- pam_time: restricts access based on rules in the file /etc/security/time.conf.
- pam_umask: lets you set the file mode creation mask (think umask) for newly created files.
- pam_unix (or pam_unix2): provides classical UNIX-style authentication per the /etc/passwd and /etc/shadow files.
- pam_userdb: authenticates the user against a Berkeley database.
- pam_warn: writes a record of the request to the system logs.
- pam_wheel: provides root access only to members of group wheel.

File locations vary, but you can check /usr/lib/security or /lib/security (or read lib64 for lib, for 64-bit Linux) to see what modules you actually have. For more information on each module, try man name.of.the.module, but don’t try to execute them from the command line, for they can’t be run that way.


own authentication logic. How could you be certain that all applications did implement the very same checks, in the same way, without any differences? PAM provides a way out; if a program needs to, say, authenticate a user, it can call the PAM routines, which will run all the checks you might have specified in its configuration files. With PAM, you even can change authentication rules on the fly by merely updating its configuration. And, even if that’s not your main interest here, if you were to include new biometrics security hardware (such as fingerprint readers, iris scanners or face recognition) with an appropriate PAM, your device instantly would be available to all applications.
PAMs can be used for four security concerns: account limitations (what the users are allowed to do), authorization (how the users identify themselves), passwords and sessions. PAM checks can be marked optional (may succeed or fail), required (must succeed), requisite (must succeed, and if it doesn’t, stop immediately without trying any more checks) and sufficient (if it succeeds, don’t run any more checks), so you can vary your policies. I don’t cover all these details here, but rather move on to the specific need of specifying who can (or cannot) log in to your server. See the PAM, PAM Everywhere sidebar for a list of some available modules.
PAM configurations are stored in /etc/pam.d, with a file for each command to which they apply. As root, edit /etc/pam.d/sshd, and add an account required pam_access.so line after all the account lines, so it ends up looking like Listing 2. (Your specific version of the file may have some different options; just add the single line to it, and that’s it.) You’ll also have to modify the sshd configuration file (the same one that you modified earlier) so it uses PAM; add a UsePAM yes line to it, and restart the sshd dæmon.
The account part is what is important here. After using the standard UNIX methods for checking your password (usually against the files /etc/passwd and /etc/shadow), it uses the module pam_access.so to check if the user is in a list, such as shown in Listing 3. Both account modules are required, meaning that the user must pass both checks in order to proceed. For extra restrictions, you might want to look at pam_listfile, which is similar to pam_access but provides even more options, and pam_time, which lets you fix time restrictions. You also would need to add extra account


Listing 2. Adding pam_access.so to the account PAM checks lets you specify which users have SSH access to your machine.

account required pam_unix.so
account required pam_access.so

auth required pam_env.so
auth required pam_unix.so
auth required pam_nologin.so

password requisite pam_pwcheck.so nullok cracklib
password required pam_unix.so use_authtok nullok

session required pam_limits.so
session required pam_unix.so
session optional pam_umask.so

lines to the /etc/pam.d/sshd file.
You need to edit /etc/security/access.conf to specify which users can access the machine (Listing 3). Each line in the list starts with either a plus sign (login allowed) or a minus sign (login disabled), followed by a colon, a user name (or ALL), another colon and a host (or ALL). The pam_access.so module goes down the list in order, and depending on the first match for the user, it either allows or forbids the connection. The order of the rules is important. First, jandrews is forbidden access, then everybody in the internal network is allowed to log in to the server. Then, users fkereki and eguerrero are allowed access from any machine. The final -:ALL:ALL line is a catchall that denies access to anybody not specifically allowed to log in in the previous lines, and it always should be present.
Note that you could use this configuration for other programs

Listing 3. The file /etc/security/access.conf specifies which users have access and from which hosts.

-:jandrews:ALL
+:ALL:<your.internal.network>
+:fkereki:ALL
+:eguerrero:ALL
-:ALL:ALL
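The two access-control mechanisms the article contrasts, the sshd AllowUsers/DenyUsers/AllowGroups/DenyGroups precedence from the Who Can Use SSH? section and the first-match walk over /etc/security/access.conf from Listing 3, evaluated side by side on the same (user, origin) pairs. This is an added example, not code from the article or from OpenSSH/Linux-PAM; it assumes a documentation-range address 192.0.2.* in place of the article's internal network, and implements only a subset of access.conf origins (ALL, exact address, '.'-terminated network prefix).

```python
"""sshd allow/deny lists versus pam_access first-match rules, side by side."""
from fnmatch import fnmatchcase

# Constructed data: 192.0.2.* stands in for the article's internal network.
SSHD_CONFIG = """\
#Port 22
Port 22022
DenyUsers jandrews
AllowUsers *@192.0.2.* fkereki eguerrero
Port 22
"""
ACCESS_CONF = """\
# access.conf: the first matching line wins, so order matters
-:jandrews:ALL
+:ALL:192.0.2.
+:fkereki:ALL
+:eguerrero:ALL
-:ALL:ALL
"""


def parse_sshd_config(text):
    """{keyword.lower(): value}. Lines starting with '#' are comments and, as in
    sshd(8), the FIRST occurrence of a keyword is the one that counts: the
    trailing 'Port 22' above is ignored, the commented one never existed."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return conf


def _user_match(patterns, user, host):
    """sshd list semantics: 'user@host' matches both parts, * and ? wild cards."""
    for pat in patterns.split():
        upat, _, hpat = pat.partition("@")
        if fnmatchcase(user, upat) and (not hpat or fnmatchcase(host, hpat)):
            return True
    return False


def sshd_permits(conf, user, groups, host):
    """Order from sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    A DenyUsers hit wins even when an AllowUsers pattern would match."""
    if _user_match(conf.get("denyusers", ""), user, host):
        return False
    if "allowusers" in conf and not _user_match(conf["allowusers"], user, host):
        return False
    if any(fnmatchcase(g, p) for g in groups for p in conf.get("denygroups", "").split()):
        return False
    if "allowgroups" in conf and not any(
            fnmatchcase(g, p) for g in groups for p in conf["allowgroups"].split()):
        return False
    return True


def parse_access_conf(text):
    """[(permitted, users, origins)] in file order; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _origin_match(pattern, origin):
    """Subset of access.conf(5) origins: ALL, exact host/address, and a
    '.'-terminated network prefix such as 192.0.2. (EXCEPT, (group), tty and
    CIDR forms are deliberately not handled here)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return origin.startswith(pattern)
    return pattern == origin


def pam_access_permits(rules, user, origin):
    """The first matching line decides. With no matching line pam_access grants
    access, which is why the article wants -:ALL:ALL present as the last line."""
    for permitted, users, origins in rules:
        if ("ALL" in users or user in users) and any(_origin_match(p, origin) for p in origins):
            return permitted
    return True


if __name__ == "__main__":
    conf, rules = parse_sshd_config(SSHD_CONFIG), parse_access_conf(ACCESS_CONF)
    for user, host in [("fkereki", "203.0.113.7"), ("someone", "192.0.2.9"),
                       ("someone", "203.0.113.7"), ("jandrews", "192.0.2.9")]:
        print(user, host, "sshd:", sshd_permits(conf, user, ["users"], host),
              "pam_access:", pam_access_permits(rules, user, host))
```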


and services (FTP, maybe?), and the same rules could be applied. That’s an advantage of PAM. A second advantage is that you can change rules on the fly, without having to restart the SSH service. Not messing with running services is always a good idea! Using PAM adds a bit of hardening to SSH to restrict who can log in. Now, let’s look at an even safer way of saying who can access your machine by using certificates.

Passwordless Connections
Passwords can be reasonably secure, but you don’t have them written down on a Post-It by your computer, do you? However, if you use a not-too-complex

Listing 4. Generating a public/private key pair with ssh-keygen is simple. Opt for using a passphrase for extra security.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fkereki/.ssh/id_rsa):
Created directory '/home/fkereki/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fkereki/.ssh/id_rsa.
Your public key has been saved in /home/fkereki/.ssh/id_rsa.pub.
The key fingerprint is:
<fingerprint> fkereki@fedora-xfce
The key's randomart image is:
[randomart image omitted]


password (so it can be determined by brute force or a dictionary attack), then your site will be compromised for so long as the attacker wishes. There’s a safer way, by using public/private key logins, that has the extra advantage of requiring no passwords on the remote site. Rather, you’ll have a part of the key (the “private” part) on your own machine and the other part (the “public” part) on the remote server. Others won’t be able to impersonate you unless they have your private key, and it’s computationally unfeasible to calculate. Without going into how the key pair is created, let’s move on to using it.
First, make sure your sshd configuration file allows for private key logins. You should have RSAAuthentication yes and PubkeyAuthentication yes lines in it. (If not, add them, and restart the service as described above.) Without those lines, nothing I explain below will work. Then, use ssh-keygen to create a public/private key pair. By directly using it without any more parameters (Listing 4), you’ll be asked in which file to save the key (accept the standard), whether to use a passphrase for extra security (more on this below, but you’d better do so), and the key pair will be generated. Pay attention to the name of the file in which the key was saved. You’ll need it in a moment.
Now, in order to be able to connect to the remote server, you need to copy it over. If you search the Internet, many sites recommend directly editing certain files in order to accomplish this, but using ssh-copy-id is far easier. You just have to type

Listing 5. After generating your public/private pair, you need to use ssh-copy-id to copy the public part to the remote server.

$ ssh-copy-id -i /home/fkereki/.ssh/id_rsa.pub fkereki@<remote.host>
The authenticity of host '<remote.host> (<remote.host>)' can't be established.
RSA key fingerprint is <fingerprint>.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<remote.host>' (RSA) to the list of known hosts.
fkereki@<remote.host>'s password:


ssh-copy-id -i the.file.where.the.key.was.saved remote.user@remote.host, specifying the name of the file in which the public key was saved (as you saw above) and the remote user and host to which you will be connecting (Listing 5). And you’re done.
In order to test your new passwordless connection, just do ssh remote.user@remote.host. If you used a passphrase, you’ll be asked for it now. In either case, the connection will be established, and you won’t need to enter your password for the remote site (Listing 6).
Now, what about the passphrase? If you create a public/private key pair without using a passphrase, anybody who gets access to your machine and the private key immediately will have access to all the remote servers to which you have access. Using the passphrase adds another level of security to your login process. However, having to enter it over and over again is a bother. So, you would do better by using ssh-agent, which can “remember” your passphrase and enter it automatically whenever you try to log in to a remote server. After running ssh-agent, run ssh-add

Listing 6. After you’ve copied the public key over, you can log in to the remote server without a password. You will have to enter your passphrase though, if you used one when generating the public/private pair.

$ ssh fkereki@<remote.host>
Enter passphrase for key '/home/fkereki/.ssh/id_rsa':
Last login: Mon Jan <date and time>
Light Final, built on March <date> on Linux <version>
You are working as fkereki
Frequently used programs:
Configuration: vasm
File manager: mc (press F2 for useful menu)
Editor: mcedit, nano, vi
Multimedia: alsamixer, play
vector:/~
$ logout
Connection to <remote.host> closed.


to add your passphrase. (You could run it several times if you have many passphrases.) After that, a remote connection won’t need a passphrase any more (Listing 7). If you want to end a session, use ssh-agent -k, and you’ll have to re-enter the passphrase if you want to do a remote login.
You also may want to look at keychain, which allows you to reuse ssh-agent between logins. (Not all distributions include this command; you may have to use your package manager to install it.) Just run keychain the.path.to.your.private.key, enter your passphrase (Figure 1), and until you reboot the server or specifically run keychain -k all to stop keychain, your passphrase will be stored, and you won’t have to re-enter it. Note: you even could log out and log in again, and your key still would be available. If you just want to clear all cached keys, use keychain --clear.
If you use a passphrase, you could take your private keys with you on a USB stick or the like and use it from

Listing 7. Using ssh-agent frees you from having to re-enter your passphrase.

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-<random>/agent.<pid>; export SSH_AUTH_SOCK;
SSH_AGENT_PID=<pid>; export SSH_AGENT_PID;
echo Agent pid <pid>;
$ ssh-add
Enter passphrase for /home/fkereki/.ssh/id_rsa:
Identity added: /home/fkereki/.ssh/id_rsa (/home/fkereki/.ssh/id_rsa)
$ ssh fkereki@<remote.host>
Last login: Mon Jun <date and time> from <host>
Light Final, built on March <date> on Linux <version>
You are working as fkereki
Frequently used programs:
Configuration: vasm
File manager: mc (press F2 for useful menu)
Editor: mcedit, nano, vi
Multimedia: alsamixer, play
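The passphrase discussion above turns on one question a defender should be able to answer for every key file on a machine: does this private key need a passphrase, or can anyone holding the file use it? As an added example (not from the article or OpenSSH), the check below reads that from the file itself, for the PEM format ssh-keygen wrote at the time of the article (RFC 1421 Proc-Type/DEK-Info headers) and for the newer openssh-key-v1 container (cipher name in the decoded header). The sample key blobs are constructed headers with no real key material.

```python
"""Tell whether an SSH private key file is protected by a passphrase."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_openssh_container(ciphername, kdfname):
    """Construct only the leading fields of an openssh-key-v1 blob (magic,
    cipher name, KDF name, empty KDF options, key count) inside the armor.
    A real key file carries the public and private parts after these fields;
    this is a constructed sample for the check below, not a usable key."""
    body = (OPENSSH_MAGIC + _ssh_string(ciphername.encode())
            + _ssh_string(kdfname.encode()) + _ssh_string(b"")
            + struct.pack(">I", 1))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed PEM headers in the format ssh-keygen wrote at the time of the
# article; no real key material follows them.
LEGACY_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

(key material omitted)
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """\
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
"""


def key_protection(pem_text):
    """Return the cipher protecting the private key, or 'none' when anyone
    holding the file can use it directly (the risk the article warns about)."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (length,) = struct.unpack_from(">I", blob, off)
        return blob[off + 4:off + 4 + length].decode()   # e.g. aes256-ctr or none
    # Legacy PEM: encryption is announced by RFC 1421 headers right after BEGIN.
    headers = dict(l.split(":", 1) for l in lines[1:4] if ":" in l)
    if "ENCRYPTED" in headers.get("Proc-Type", ""):
        return headers.get("DEK-Info", "unknown").split(",")[0].strip()
    return "none"


def key_is_encrypted(pem_text):
    """True when the key cannot be used without a passphrase."""
    return key_protection(pem_text) != "none"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. ~/.ssh/id_rsa
        with open(path) as fh:
            print(path, "->", key_protection(fh.read()))
```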


any other machine in order to log in to your remote servers. Doing this without using passphrases would just be too dangerous. Losing your USB stick would mean automatically compromising all the remote servers you could log in to. Also, using a passphrase is an extra safety measure. If others got hold of your private key, they wouldn’t be able to use it without first determining your passphrase.
Finally, if you are feeling quite confident that all needed users have their passwordless logins set up, you could go the whole mile and disable common passwords by editing the

Figure 1. By entering your passphrase once with keychain, it will be remembered even if you log out.

Using SSH and PuTTY

You can use SSH public/private pairs with the common PuTTY program, but not directly, because it requires a specific, different key file. In order to convert your SSH key, you need to do puttygen $HOME/.ssh/your.private.key -o your.private.key.file.for.putty. Afterward, you simply can open PuTTY, go to Connection, SSH, Auth and browse for your newly generated “Private key file for authentication”.


sshd configuration file and setting PasswordAuthentication no and UsePAM no, but you’d better be quite sure everything’s working, because otherwise you’ll have problems.

Conclusion
There’s no definitive set of security measures that can 100% guarantee that no attacker ever will be able to get access to your server, but adding extra layers can harden your setup and make the attacks less likely to succeed. In this article, I described several methods, involving modifying SSH configuration, using PAM for access control and public/private key cryptography for passwordless logins, all of which will enhance your security. However, even if these methods do make your server harder to attack, remember you always need to be on the lookout and set up as many obstacles for attackers as you can manage.

Federico Kereki is a Uruguayan systems engineer with more than 20 years of experience developing systems, doing consulting work and teaching at universities. He currently is working with a good jumble of acronyms: SOA, GWT, Ajax, PHP and, of course, FLOSS! Recently, he wrote the Essential GWT book, in which you also can find some security concerns for Web applications. You can reach Federico at fkereki@gmail.com.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

Resources
The SSH protocol is defined over a host of RFC (Request for Comments) documents; check http://en.wikipedia.org/wiki/Secure_Shell#Internet_standard_documentation for a list.

Port numbers are assigned by IANA (Internet Assigned Numbers Authority), and you can go to http://www.iana.org/assignments/port-numbers for a list.

The primary distribution site for PAM is at http://www.linux-pam.org, and the developers’ site is at https://fedorahosted.org/linux-pam.

Read http://www.funtoo.org/wiki/Keychain for more on keychain by its author, Daniel Robbins.

You can see the RSA original patent at http://www.google.com/patents?vid=4405829 and the RSA Cryptography Standard at http://www.emc.com/emc-plus/rsa-labs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf.

For extra security measures, read “Implement Port-Knocking Security with knockd”, in the January 2010 issue of Linux Journal, or check it out on-line at http://www.linuxjournal.com/article/10600.




FEATURE Encrypted Backup Solution “Home Paranoia Edition”

Encrypted Backup Solution “HOME PARANOIA EDITION”
How to safeguard your personal data with TrueCrypt and SpiderOak.
TIM CORDOVA


There are so many cases of personal identifiable information (PII) or any type of data exposed on the Internet today. The details provided in this article may assist in safeguarding your tax information, social security number or password file. The setup this article describes will help keep your personal data at home safe and secure in this “cyber-security”-connected world. This includes virtual/physical security compromises—the only truly secure system is one that is unplugged and locked in a vault. This solution is not all-encompassing and does have limitations, but it is sound enough for safeguarding personal data.

The first step is addressing the physical aspect of security. This is a critical step, because some notable compromises are a direct result of someone having physical access to a system. You always should prepare yourself for the possibility that your beloved electronic devices could be in the hands of someone other than you at any given moment. This situation could occur on a train, or in a coffee shop, automobile or home, and you must assume your data is lost when it is outside your control.

Figure 1. Setup screen for encrypting your home directory in Ubuntu during initial operating system installation.


This article describes utilizing whole disk encryption to reduce some of the risks, as provided by a great open-source Linux operating system (Ubuntu 12.10). Whole disk encryption is a key factor, especially when considering all of the recent events concerning stolen government laptops that contained millions of social security numbers. The next key step in safeguarding

Figure 2. If encrypting your home folder was missed during initial installation, use ecryptfs-utils to encrypt your home directory.

Figure 3. This is important feedback information (“record passphrase as soon as possible”) that will be generated from the ecryptfs-migrate-home command.



your personal information is by adding another security layer by encrypting home directories during the initial installation (Figure 1). You may be the only one using this system; however, if others are able to access your system while it’s running, this may slow them down from trying to access information contained in a home directory.

You will need to run the command:

    sudo apt-get install ecryptfs-utils cryptsetup

on an advanced packaging tool (APT)-capable distribution. This will install the encrypting utilities needed to encrypt your home directory.

The next step is to log in or create another user account with root privileges to run the following command on the user’s home directory (Figure 2):

    sudo ecryptfs-migrate-home -u yourusername

Then, you need to log in to the encrypted home directory account before rebooting the machine (as stated in the important note screen), providing a roll-back opportunity in the event of any unexpected complications during the encryption process. Use ecryptfs-unwrap-passphrase to record your randomly generated mount passphrase. Keep this passphrase safe, because you may need it to recover your encrypted files. Also, ensure that you reboot your system and remove the un-encrypted backup folder (Figure 3).

Figure 4. TrueCrypt Installation Button


A third step in the process is to utilize a great open-source application called TrueCrypt to provide encrypted containers to store personal information. This easy process includes visiting the TrueCrypt Web site at http://www.truecrypt.org/downloads to download the latest package (truecrypt-7.1a-linux-x86.tar.gz, at the time of this writing), and run the following commands and script:

    tar xvf truecrypt-7.1a-linux-x86.tar.gz
    sudo ./truecrypt-7.1a-linux-x86

then select “Install TrueCrypt” at the GUI menu.

Figure 5. TrueCrypt Create Volume Button Screen



The next step is to create an encrypted container. This container will store personal identifiable information (PII) or any file that you want to keep safe on your local computer, and it will create another layer of security. The process for creating a basic container is by selecting the default options during initial installation (Figure 4). Once the software is installed, starting the application is a breeze using the command truecrypt & or via the GUI menu system by selecting the create volume button.

There are two options when creating a volume: choosing an encrypted file container or a volume within a partition/drive (Figures 5 and 6). You also will have a choice of using a standard TrueCrypt volume or a hidden TrueCrypt volume (Figure 7). The idea behind a hidden container is that you can reveal the outside container’s password while your hidden container stays encrypted within the outside container (http://www.truecrypt.org/docs/hidden-volume).

On the next menu, simply select an encryption algorithm, hash algorithm and size of container. Multiple books and papers provide

Figure 6. After the create volume button is selected, you will be presented with two options for creating an encrypted file container or creating a volume within a partition/drive.


Figure 7. The next menu item gives you the option of creating a standard or hidden volume.

Figure 8. After the standard volume is selected, the next options are to select the encryption and hash algorithms, and size of the volume.



specific information on the differences between these algorithms and hashes (the defaults are AES with a 256-bit key and 14 rounds, and SHA-512 as the hashing function). The size of your container depends on the amount of information you want to protect (Figure 8).

The next step is to select your preferred filesystem type (ext3, ext4 and so on). Once the volume-creating process is completed, mount your volume using the TrueCrypt application and start saving your private files to this encrypted container.

A safe and secure on-line storage location for your newly created encrypted container is essential for backing up data in the cloud. A couple options are available for

Figure 9. Select the newly created standard volume to mount an accessible unencrypted share.


an on-line storage location, such as Dropbox, Evernote, AWS and SpiderOak. The final choice for secure cloud storage is with the company called SpiderOak, and this is based on the company’s “Zero-Knowledge” privacy policy that states: “we never have any knowledge of your password and no way to retrieve or reset it, even in emergencies. It’s our way of ensuring that our customer’s data is always completely secure—even from us!” (https://spideroak.com/faq/category/privacy_passwords).

The company also provides two-factor authentication for extra protection, requiring a user name, password and a token. The token will be sent to your mobile phone whenever you need

Figure 10. The backup tab in the SpiderOak application allows you to select your encrypted volume.



to log in to a Web site or mobile device. The majority of big-name providers are offering two-factor authentication, since the traditional password/passphrase does not offer enough protection. Seeing how this solution is deployed on a dedicated desktop and requires the token to authenticate, it provides a true two-channel authentication solution. Of course, using two-factor authentication does not guarantee safety, but it does require the attacker to use sophisticated methods, and attackers generally are lazy and look for easy targets.

Installing SpiderOak is straightforward for all the Debian users out there. It includes downloading and installing the spideroak_4.8.4_i386.deb package from https://spideroak.com/opendownload and using

    sudo dpkg -i spideroak_4.8.4_i386.deb

to install this package on your favorite Ubuntu platform.

Identify a local upload folder as the staging point for your TrueCrypt container. Once you have a shared location that will host your TrueCrypt container, simply open your SpiderOak application

Figure 11. A SpiderOak application status and backup menu provides a means to back up your encrypted volume automatically in specified intervals.


Listing 1. SpiderOak/TrueCrypt Backup Script

    #!/usr/bin/python
    '''
    SpiderOak TrueCrypt dismount Backup Script
    @author: Tim
    '''
    import os
    import datetime
    import hashlib

    # Configuration file of key=value lines, read from the current directory
    FolderandFileLoc = "FolderandFileLoc"
    SpiderOakPath = ""
    TrueCryptPath = ""
    LogFilepath = ""
    safefile = ""


    def md5filecheck(filepath):
        # MD5 hex digest of a file, read in 1MB chunks so a large container
        # fits in memory; None when the file does not exist yet (first run)
        if not os.path.isfile(filepath):
            return None
        md5 = hashlib.md5()
        with open(filepath, "rb") as fh:
            for chunk in iter(lambda: fh.read(1024 * 1024), b""):
                md5.update(chunk)
        return md5.hexdigest()


    def readconfigfile(SpiderOakPath, TrueCryptPath, LogFilepath, safefile, Setupfileopen):
        # This will read the configuration and assign the path locations
        now = datetime.datetime.now()
        for line in Setupfileopen:
            holdstr = line.split("=", 1)
            if len(holdstr) < 2:
                continue
            value = holdstr[1].strip()  # drop the newline, or the paths are mangled
            if line.find("SpiderOakPath") > -1:
                SpiderOakPath = value
            elif line.find("TrueCryptPath") > -1:
                TrueCryptPath = value
            elif line.find("LogFilepath") > -1:
                LogFilepath = value
            elif line.find("safefile") > -1:
                safefile = value

        fo = open(LogFilepath, "a")
        fo.write(str(now) + " Path Variable SpiderOakPath used -> " + SpiderOakPath + "\n")
        fo.write(str(now) + " Path Variable TrueCryptPath used -> " + TrueCryptPath + "\n")
        fo.write(str(now) + " Path Variable LogFilepath used -> " + LogFilepath + "\n")
        fo.write(str(now) + " Path Variable safefile used -> " + safefile + "\n")
        shutdowntruecrypt(fo, now)
        copycontainer(fo, SpiderOakPath, TrueCryptPath, LogFilepath, safefile, now)
        fo.close()


    def shutdowntruecrypt(fo, now):
        # Test to see if truecrypt is running; if so, dismount its volumes first
        foundstring = 0
        f = os.popen("ps ax")
        for line in f:
            if line.find("truecrypt") > -1:
                foundstring = 1
                break
        f.close()
        if foundstring == 1:
            dismount = os.system("truecrypt -d")
            if dismount == 0:
                fo.write(str(now) + " TrueCrypt service found and the volume is dismounted\n")
            else:
                fo.write(str(now) + " Failed to dismount service\n")
        else:
            fo.write(str(now) + " mount was not open\n")


    def copycontainer(fo, SpiderOakPath, TrueCryptPath, LogFilepath, safefile, now):
        # Set destination and copy to the new location, only if the container changed
        Holddestfilesum = TrueCryptPath + safefile   # working copy of the container
        Holdorigfilesum = SpiderOakPath + safefile   # copy in the SpiderOak upload folder
        checksumdest = md5filecheck(Holddestfilesum)
        checksumorig = md5filecheck(Holdorigfilesum)

        # This will only copy over updates to this file
        runstring = "cp " + Holddestfilesum + " " + SpiderOakPath

        if checksumdest != checksumorig:
            os.system(runstring)
            checksumorig = md5filecheck(Holdorigfilesum)
            if checksumdest == checksumorig:
                fo.write(str(now) + " " + Holddestfilesum + " File Copied to " + SpiderOakPath + "\n")
                fo.write(str(now) + " Processing Complete\n")
            else:
                fo.write(str(now) + " " + Holddestfilesum + " File failed to copy " + SpiderOakPath + "\n")
        else:
            fo.write(str(now) + " File has not been changed, no copy was performed\n")


    Setupfileopen = open(FolderandFileLoc, "r")
    readconfigfile(SpiderOakPath, TrueCryptPath, LogFilepath, safefile, Setupfileopen)
    Setupfileopen.close()
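The copy-and-verify step in Listing 1 builds a cp command string out of values read from the configuration file and hands it to the shell. As an added example (this is not the article's script), here is the same step done without a shell: the container is copied with shutil.copy2 only when its SHA-256 digest differs from the copy already in the upload folder, and the copy is verified by hashing the destination again. The file names and the 3MiB sample "container" are constructed for the demonstration; a space is put in the name on purpose, because that is exactly the kind of path a shell string would mishandle.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk_size=1024 * 1024):
    # Stream the file through SHA-256 so a multi-gigabyte container never sits in memory.
    # Returns None when the file is absent (the first run has no copy in the upload folder).
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sync_container(src, dst):
    # Copy src over dst only when their digests differ, then hash dst again to confirm
    # the bytes landed intact. No shell is involved, so a path with spaces or shell
    # metacharacters is just a path.
    before = sha256_of(src)
    if before is None:
        raise OSError("container not found: " + src)
    if before == sha256_of(dst):
        return {"copied": False, "verified": True, "sha256": before}
    shutil.copy2(src, dst)  # copy2 also carries the modification time across
    after = sha256_of(dst)
    return {"copied": True, "verified": after == before, "sha256": before}


def demo():
    # Constructed scenario: a fake 3MiB "container" in a temporary directory, synced
    # three times: first run, unchanged container, modified container.
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "safe file.tc")  # space in the name on purpose
        upload = os.path.join(workdir, "Upload")
        os.mkdir(upload)
        dst = os.path.join(upload, "safe file.tc")
        with open(src, "wb") as fh:
            fh.write(os.urandom(3 * 1024 * 1024))
        first = sync_container(src, dst)    # nothing in Upload yet: copied
        second = sync_container(src, dst)   # same bytes on both sides: no copy
        with open(src, "ab") as fh:         # container changed: copied again
            fh.write(b"\x00")
        third = sync_container(src, dst)
        return (first["copied"], second["copied"], third["copied"],
                third["verified"], first["sha256"] != third["sha256"])
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The digest comparison replaces the diff call, and the re-hash after the copy is what the log line "File Copied" should actually be based on: a cp that returned 0 but was interrupted by a full disk would otherwise be reported as success.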



and select the backup tab. Then, drill down until you find your TrueCrypt container location, such as home/username/SpiderO/Upload. The next step is to configure your backup frequency using the overview tab and selecting the change button (Figures 10 and 11). Many other configuration options are available using this interface. For this example, use only these two options for a secure cloud backup.

The last couple steps in this encrypted backup solution are to move the TrueCrypt container from the working location to the designated SpiderOak export folder and create a cron job to run the script. I created a Python script to accomplish the copy function, but I could have created any type of script. This script is used to ensure that the TrueCrypt application is not running, verify whether there were changes to the container and then copy over the container if there were changes. This script requires a configuration file called FolderandFileLoc to function and the Python script BackupScript.py. The configuration file parameters are SpiderOakPath, TrueCryptPath and LogFilepath, a running log to verify whether a copy was successful, and the Safefile filename.

The final step is to create a cron job to call the Python script:

    <m> <h> <dom> <mon> <dow> cd /home/t/workspace/BackupScript/src && /usr/bin/python /home/t/workspace/BackupScript/src/BackupScript.py

This personal encrypted solution is something that works great at home when utilized on a daily basis. Many apps are available on the Internet for managing passwords and data, but this one is easy to implement and provides layers of encryption. I am confident that using the described encrypted containers and storage location provides enough security for private personal data, but it may not be an ideal solution for an enterprise with various regulatory agencies. Use the described methods at your own risk, and ensure that your passwords or passphrases are safeguarded, because your data will be lost with a forgotten password. ■

Tim Cordova is a computer geek who had a Commodore 64 at age 9, and has a love for Linux, family, information security and longboard surfing. He currently works as an information security professional at a large contracting company and has more than 15 years of experience.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.





INDEPTH
Solid-State Drives: Get One Already!

Brian describes how SSDs compare to HDDs with regard to longevity and reliability and provides the results from some real-world performance benchmarking.

BRIAN TRAPP

I’ve been building computers since the 1990s, so I’ve seen a lot of new technologies work their way into the mainstream. Most were the steady, incremental improvements predicted by Moore’s law, but others were game-changers, innovations that really rocketed performance forward in a surprising way. I remember booting up Quake after installing my first 3-D card—what a difference! My first boot off a solid-state drive (SSD) brought back that same feeling—wow, what a difference!

However, at a recent gathering of like-minded Linux users, I learned that many of my peers hadn’t actually made the move to SSDs yet. Within that group, the primary reluctance to try an SSD boiled down to three main concerns:

■ I’m worried about their reliability; I hear they wear out.

■ I’m not sure if they work well with Linux.

■ I’m not sure an SSD really would make much of a difference on my system.

Luckily, these three concerns are based either on misunderstandings, outdated data or exaggeration, or are just not correct.


SSD Reliability Overview

How SSDs Differ from Hard Drives: Traditional hard disk drives (HDDs) have two mechanical delays that can come into play when reading or writing files: pivoting the read/write head to be at the right radius and waiting until the platter rotates until the start of the file reaches the head (Figure 1). The time it takes for the drive to get in place to read a new file is called seek time. When you hear that unique hard drive chatter, that’s the actuator arm moving around to access lots of different file locations. For example, my hard drive (a pretty typical 7,200 RPM consumer drive from 2011) has an average seek time of around 9ms.

Instead of rotating platters and read/write heads, solid-state drives store data to an array of Flash memory chips. As a result, when a new file is requested, the SSD’s internal memory can find and start accessing the correct storage memory locations in sub-milliseconds. Although reading from Flash isn’t terribly fast by itself, SSDs can read from several different chips in parallel to boost performance. This parallelism and the near-instantaneous seek times make solid-state drives significantly faster than hard drives in most benchmarks. My SSD (a pretty typical unit from 2012) has a seek time of 0.1ms—quite an improvement!

Reliability and Longevity: Reliability numbers comparing HDDs and SSDs are surprisingly hard to find. Fail rate comparisons either didn’t have enough years of data, or were based on old first-generation SSDs that don’t represent drives currently on the market. Though SSDs reap the benefits of not having any moving parts (especially beneficial for mobile devices like laptops), the conventional wisdom is that current SSD fail rates are close to HDDs. Even if they’re a few percentage points higher or lower, considering that both drive types have a nonzero failure rate, you’re going to need to have a backup

Figure 1. Hard Drive


solution in either case.

Apart from reliability, SSDs do have a unique longevity issue, as the NAND Flash cells in storage have a unique life expectancy limitation. The longevity of each cell depends on what type of cell it is. Currently, there are three types of NAND Flash cells:

■ SLC (Single-Layer Cell) NAND: one bit per cell, ~100k writes.

■ MLC (Multi-Layer Cell) NAND: two bits per cell, ~10k to 3k writes, slower than SLC. The range in writes depends on the physical size of the cell—smaller cells are cheaper to manufacture, but can handle fewer writes.

■ TLC (Three-Layer Cell) NAND: ~1k writes, slower than MLC.

Interestingly, all three types of cells are using the same transistor structure behind the scenes. Clever engineers have found a way to make that single Flash cell hold more information in MLC or TLC mode, however. At programming time, they can use a low, medium-low, medium-high or high voltage to represent four unique states (two bits) in one single cell. The downside is that as the cell is written several thousand times, the oxide insulator at the bottom of the floating gate starts to degrade, and the amount of voltage required for each state increases (Figure 2). For SLC it’s not a huge deal because the gap between states is so big, but for MLC, there are four states instead of two, so the amount of room between each state’s voltage is shortened. For TLC’s three bits of

Figure 2. A NAND Flash Cell


information there are six states, so the distances between each voltage range are even shorter.

    Est. Lifespan (y) = SSDCapacity (GB) * WriteLimit (based on cell type)
                        ------------------------------------------------------------
                        DailyWriteRate (GB/day) * WriteAmplification * 365 (days/yr)
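The lifespan formula above, carried through in code as an added example (this is not the article's code): the estimate function implements the formula as written; the tune2fs helper pulls the two fields the article names further on ("Filesystem created" and "Lifetime writes") out of tune2fs -l output to get the GB/day rate; and, because the Monitoring section later points at the smartctl fields Media_Wearout_Indicator and Host_Writes_32MiB, a third helper reads those from a smartctl -A attribute table. The tune2fs and smartctl output embedded here is constructed, not captured from a real drive, and the sizing numbers are the article's workstation case (256GB TLC drive, 6.3GB/day, write amplification 3).

```python
from datetime import datetime

# Write endurance per cell type, as listed in the article (program/erase cycles per cell)
WRITE_LIMIT = {"SLC": 100000, "MLC": 10000, "TLC": 1000}


def estimated_lifespan_years(capacity_gb, cell_type, daily_write_gb, write_amplification):
    # Est. Lifespan (y) = Capacity * WriteLimit / (DailyWriteRate * WriteAmplification * 365)
    return (capacity_gb * WRITE_LIMIT[cell_type]) / (daily_write_gb * write_amplification * 365.0)


def daily_write_rate_from_tune2fs(tune2fs_output, today):
    # Average GB/day since the filesystem was created, from the two tune2fs -l fields
    # "Filesystem created" and "Lifetime writes"; every other field is ignored.
    created = lifetime_gb = None
    for line in tune2fs_output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Filesystem created":
            created = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
        elif key == "Lifetime writes":
            number, unit = value.split()
            lifetime_gb = float(number) * {"MB": 1 / 1024.0, "GB": 1.0, "TB": 1024.0}[unit]
    if created is None or lifetime_gb is None:
        raise ValueError("tune2fs output lacks 'Filesystem created' or 'Lifetime writes'")
    days = max((today - created).days, 1)  # guard a filesystem made today
    return lifetime_gb / days


def smart_wear_fields(smartctl_output):
    # From a smartctl -A attribute table, pick the normalized wear-out value (counts
    # down from 100) and the host-writes counter, converted from 32MiB units to GB.
    wear = host_writes_gb = None
    for line in smartctl_output.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # header, blank or non-attribute line
        name, normalized, raw = parts[1], int(parts[3]), parts[9]
        if name == "Media_Wearout_Indicator":
            wear = normalized
        elif name == "Host_Writes_32MiB":
            host_writes_gb = int(raw) * 32 / 1024.0
    return {"wear_remaining": wear, "host_writes_gb": host_writes_gb}


# Constructed sample output; the dates, counters and attribute values are made up.
SAMPLE_TUNE2FS = """Filesystem volume name:   <none>
Filesystem created:       Sat Mar 10 14:22:31 2012
Lifetime writes:          3969 GB
"""
SAMPLE_SMARTCTL = """ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       8412
225 Host_Writes_32MiB       0x0032   100   100   000    Old_age   Always       -       131072
233 Media_Wearout_Indicator 0x0032   096   096   000    Old_age   Always       -       0
"""


def demo():
    # Workstation case from the article: the sample filesystem works out to 6.3GB/day,
    # sized against a 256GB TLC drive with a write amplification of 3.
    rate = daily_write_rate_from_tune2fs(SAMPLE_TUNE2FS, datetime(2013, 12, 1))
    years = estimated_lifespan_years(256, "TLC", rate, 3)
    return {"gb_per_day": round(rate, 2), "years": round(years, 1),
            "smart": smart_wear_fields(SAMPLE_SMARTCTL)}


if __name__ == "__main__":
    print(demo())
```

The wear indicator is the number to watch once the drive is in service: the formula is a planning estimate, while Media_Wearout_Indicator reflects what the controller has actually counted, so the two together show whether the assumed write amplification was realistic.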


The final twist is write amplification. Even though the OS is sending 1MB of data, the SSD actually may be doing more writes behind the scenes for things like wear leveling and inefficient garbage collection if TRIM support isn’t enabled (see the TRIM section later in this article). Most real-world write amplification values I’ve seen are in the 1.1 to 3.0 range, depending on how compressible the data is and how clever the SSD is at garbage collection and wear leveling.

So, how long can you expect an SSD to last for you? Longevity depends on how much data you write, and the tune2fs utility makes it really easy to estimate that from your existing filesystems. Run:

    tune2fs -l /dev/<device>

(Tip: if you’re using LVM, the stats will be under the dm-X device instead of the sdaX device.) The key fields of interest are “Filesystem created” and “Lifetime writes”. Use those to figure out the average GB/day since the filesystem was created. For my laptop, it was 2.7GB/day, and for my workstation it was 6.3GB/day. With those rates, plus a rough guess for write amplification, you can estimate how much life you’d get out of any SSD.

So if I was sizing a 256GB Samsung 840 Evo (which uses TLC cells), with a 6.3GB/day write rate and a write amplification of 3, it should give me around 37 years of service before losing the ability to write new data.

SSD Considerations for Linux

TRIM: Undelete utilities work because when you delete a file, you’re really only removing the filesystem’s pointer to that file, leaving the file contents behind on the disk. The filesystem knows about the newly freed space and eventually will reuse it, but the drive doesn’t. HDDs can overwrite data just as efficiently as writing to a new sector, so it doesn’t really hurt them, but this can slow down SSDs’ write operations, because they can’t overwrite data efficiently.

An SSD organizes data internally into 4k pages and groups 128 pages into a 512k block. SSDs can write only into empty 4k pages and erase in big 512k block increments. This means that although SSDs can write very quickly, overwriting is a much slower process. The TRIM command keeps your SSD running at top speed by giving the filesystem a way to tell the SSD about deleted pages. This


gives the drive a chance to do the slow overwriting procedures in the background, ensuring that you always have a large pool of empty 4k pages at your disposal.

Linux TRIM support is not enabled by default, but it’s easy to add. One catch is that if you have additional software layers between your filesystem and SSD, those layers need to be TRIM-enabled too. For example, most of my systems have an SSD, with LUKS/dm-crypt for whole disk encryption, LVM for simple volume management and then, finally, an ext4 formatted filesystem. Here’s how to turn on TRIM support, starting at the layer closest to the drive.

dm-crypt and LUKS: If you’re not using an encrypted filesystem, you can skip ahead to the LVM instructions. TRIM has been supported in dm-crypt since kernel 3.1. Modify /etc/crypttab, adding the discard keyword for the devices on SSDs:

    # TargetName Device KeyFile Options
    sdaX_crypt UUID=<uuid> none luks,discard

Note: enabling TRIM on an encrypted partition does make it easier for attackers to brute-force attack the device, since they would now know which blocks are not in use.

LVM: If you’re not using LVM, you can skip ahead to the filesystem section. TRIM has been supported in LVM since kernel 2.6.36. In the “devices” section of /etc/lvm/lvm.conf, add a line issue_discards = 1:

    devices {
        ...
        issue_discards = 1
        ...
    }
    ...

Filesystem: Once you’ve done any required dm-crypt and LVM edits, update initramfs, then reboot:

    sudo update-initramfs -u -k all

Although Btrfs, XFS, JFS and ext4 all support TRIM, I cover only ext4 here, as that seems to be the most widely used. To test ext4 TRIM support, try the manual TRIM command: fstrim <mountpoint>. If all goes well, the command will work for a while and exit. If it exits with any error, you know there’s something wrong in the setup between the filesystem and the device. Recheck your LVM and dm-crypt setup. Here’s an example of the output for


/ (which is set up for TRIM) and /boot (which is not):

    ~$ sudo fstrim /
    ~$ sudo fstrim /boot
    fstrim: /boot: FITRIM ioctl failed: Inappropriate ioctl for device

If the manual command works, you can decide between using the automatic TRIM built in to the ext4 filesystem or running the fstrim command. The primary benefit of using automatic TRIM is that you don’t have to think about it, and it nearly instantly will reclaim free space. One down side of automatic TRIM is that if your drive doesn’t have good garbage-collection logic, file deletion can be slow. Another negative is that if the drive runs TRIM quickly, you have no chance of getting your data back via an undelete utility. On drives where I have plenty of free space, I use the fstrim command via cron. On drives where space is tight, I use the automatic ext4 method.

If you want to go the automatic route, enabling automatic TRIM is easy—just add the discard option to the options section of the relevant /etc/fstab entries. For manual TRIM, just put the fstrim <mountpoint> in a cron job or run it by hand at your leisure.

Regardless of whether you use the discard option, you probably want to add the noatime option to /etc/fstab. With atime on (the default), each time a file is accessed, the access time is updated, consuming some of your precious write cycles. (Some tutorials ask you to include nodiratime too, but noatime is sufficient.) Because most applications don’t use the atime timestamp, turning it off should improve the drive’s longevity:

    /dev/mapper/baldyl-root / ext4 noatime,discard,errors=remount-ro

Partition alignment: When SSDs first were released, many of the disk partitioning systems still were based on old sector-based logic for placing partitions. This could cause a problem if the partition boundary didn’t line up nicely with the SSD’s internal 512k block erase size. Luckily, the major partitioning tools now default to 512k-compatible ranges:

■ fdisk uses a one megabyte boundary since util-linux version 2.17.1 (January 2010).

■ LVM uses a one megabyte boundary as the default since version 2.02.73 (August 2010).
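The layer-by-layer TRIM setup above (crypttab, lvm.conf, fstab) and the partition-alignment rule can both be checked from the files themselves rather than by eye. Here is an added example (not the article's code) that parses those three configuration files and an sfdisk -d dump like the one shown next, and reports per layer whether discard is passed through and whether each partition starts on an erase-block boundary. The sample crypttab, lvm.conf, fstab and sfdisk text is constructed; the UUIDs, volume names and sector numbers are made up, and the 512k erase block size is the one the article uses.

```python
import re

SECTOR_BYTES = 512  # sfdisk -d reports starts and sizes in 512-byte sectors


def crypttab_discard(crypttab_text):
    # Map each crypttab target to whether its options field contains "discard".
    targets = {}
    for line in crypttab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        options = fields[3].split(",") if len(fields) >= 4 else []
        targets[fields[0]] = "discard" in options
    return targets


def lvm_issue_discards(lvm_conf_text):
    # True only when issue_discards = 1 sits inside the devices { ... } section.
    in_devices = False
    for line in lvm_conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if re.match(r"devices\s*\{", stripped):
            in_devices = True
        elif stripped == "}":
            in_devices = False
        elif in_devices:
            match = re.match(r"issue_discards\s*=\s*(\d+)", stripped)
            if match:
                return match.group(1) == "1"
    return False


def fstab_options(fstab_text):
    # Map each mount point to the set of mount options listed for it.
    mounts = {}
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def sfdisk_alignment(sfdisk_dump, erase_block_bytes=512 * 1024):
    # Parse "/dev/sda1 : start= 2048, size= 497664, Id=83" lines and report whether
    # each non-empty partition starts on an erase-block boundary.
    aligned = {}
    pattern = re.compile(r"^(\S+)\s*:\s*start=\s*(\d+),\s*size=\s*(\d+)", re.M)
    for match in pattern.finditer(sfdisk_dump):
        device, start, size = match.group(1), int(match.group(2)), int(match.group(3))
        if size == 0:
            continue  # unused primary slot
        aligned[device] = (start * SECTOR_BYTES) % erase_block_bytes == 0
    return aligned


def audit(crypttab_text, lvm_conf_text, fstab_text, sfdisk_dump, mount_point="/"):
    # Roll the per-layer checks up for one mount point; every layer must pass TRIM through.
    options = fstab_options(fstab_text).get(mount_point, set())
    return {
        "crypttab_discard_all": all(crypttab_discard(crypttab_text).values()),
        "lvm_issue_discards": lvm_issue_discards(lvm_conf_text),
        "fstab_discard": "discard" in options,
        "fstab_noatime": "noatime" in options,
        "partitions_aligned": all(sfdisk_alignment(sfdisk_dump).values()),
    }


# Constructed sample files; UUIDs, names and sector numbers are made up.
SAMPLE_CRYPTTAB = """# TargetName Device KeyFile Options
sda5_crypt UUID=00000000-0000-0000-0000-000000000000 none luks,discard
sdb1_crypt UUID=11111111-1111-1111-1111-111111111111 none luks
"""
SAMPLE_LVM_CONF = "devices {\n    # discard support for the SSD\n    issue_discards = 1\n}\nactivation {\n}\n"
SAMPLE_FSTAB = """/dev/mapper/vg-root / ext4 noatime,discard,errors=remount-ro 0 1
/dev/sda1 /boot ext4 defaults 0 2
"""
SAMPLE_SFDISK = """# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=     2048, size=   497664, Id=83, bootable
/dev/sda2 : start=   499712, size=   499712, Id= 5
/dev/sda3 : start=        0, size=        0, Id= 0
/dev/sda4 : start=        0, size=        0, Id= 0
/dev/sda5 : start=   501760, size=   499200, Id=8e
"""
OLD_STYLE_SFDISK = "/dev/sdb1 : start=       63, size=  976773105, Id=83\n"  # pre-2010 63-sector offset

if __name__ == "__main__":
    print(audit(SAMPLE_CRYPTTAB, SAMPLE_LVM_CONF, SAMPLE_FSTAB, SAMPLE_SFDISK))
```

In the sample the second crypttab target lacks discard, so the audit flags the dm-crypt layer even though LVM, fstab and alignment all pass; that is the "one layer breaks the chain" case the article warns about, and the one a manual fstrim would surface as an error.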


If you’re curious whether your partitions are aligned to the right boundaries, here’s example output from an Intel X25-M SSD with an erase block size of 512k:

    ~$ sudo sfdisk -d /dev/sda
    Warning: extended partition does not start at a cylinder boundary.
    DOS and Linux will interpret the contents differently.
    # partition table of /dev/sda
    unit: sectors

    /dev/sda1 : start= …, size= …, Id=…, bootable
    /dev/sda2 : start= …, size= …, Id=…
    /dev/sda3 : start= …, size= …, Id=…
    /dev/sda4 : start= …, size= …, Id=…
    /dev/sda5 : start= …, size= …, Id=…

Since the primary partition (sda5) starts and ends at a number evenly divisible by 512, things look good.

Monitoring SSDs in Linux: I already covered running tune2fs -l /dev/<device> as a good place to get statistics on a filesystem device, but those are reset each time you reformat the filesystem. What if you want to get a longer range of statistics, at the drive level? smartctl is the tool for that. SMART (Self-Monitoring, Analysis and Report Technology) is part of the ATA standard that provides a way for drives to track and report key statistics, originally for the purposes of predicting drive failures. Because drive write volume is so important to SSDs, most manufacturers are including this in the SMART output. Run sudo smartctl -a /dev/<device> on an SSD device, and you’ll get a whole host of interesting statistics. If you see the

Figure 3. smartctl Output (Trimmed)


message “Not in smartctl database” in the smartctl output, try building the latest version of smartmontools. Each vendor’s label for the statistic may be different, but you should be able to find fields like “Media_Wearout_Indicator” that will count down from 100 as the drive approaches the Flash wear limit and fields like “Lifetime_Writes” or “Host_Writes_32MiB” that indicate how much data has been written to the drive (Figure 3).

Other Generic Tips

Swap: if your computer is actively using swap space, additional RAM probably is a better upgrade than an SSD. Given the fact that longevity is so tightly coupled with writes, the last thing you want is to be pumping multiple gigabytes of swap on and off the drive.

HDDs still have a role: if you have the space, you can get the best of both worlds by keeping your hard drive around. It’s a great place for storing music, movies and other media that doesn’t require fast I/O. Depending on how militant you want to be about SSD writes, you can mount folders like /tmp, /var or even just /var/log on the HDD to keep SSD writes down. Linux’s flexible mounting and partitioning tools make this a breeze.

SSD free space: SSDs run best when there’s plenty of free space for them to use for wear leveling and garbage collection. Size up and manage your SSD to keep it less than 80% full.

Things that break TRIM: RAID setups can’t pass TRIM through to the underlying drives, so use this mode with caution. In the BIOS, make sure your controller is set to AHCI mode and not IDE emulation, as IDE mode doesn’t support TRIM and is slower in general.

SSD Performance

Now let’s get to the heart of the matter—practical, real-world examples of how an SSD will make common tasks faster.

Test Setup: Prior to benchmarking, I had one SSD for my Linux OS, another SSD for when I needed to boot in to Windows 7 and an HDD for storing media files and for doing low-throughput, high-volume work (like debugging JVM dumps or encoding video). I used partimage to back up the HDD, and then I used a Clonezilla bootable CD to clone my Linux SSD onto the HDD. Although most sources say you don’t have to worry about fragmentation on ext4, I used

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 115

LJ237-Jan2014.indd 115 12/17/13 3:44 PM


the ext4 defrag utility e4defrag on the HDD just to give it the best shot at keeping up with the SSD.

Figure 4. bootchart Output

Here's the hardware on the development workstation I used for benchmarking—pretty standard stuff:

- CPU: 3.3GHz Intel Core i5-2500k.
- Motherboard: Gigabyte (Z… chipset).
- RAM: 8GB (2x4GB) of 1333 DDR3.
- OS: Ubuntu 12.04 LTS (64-bit, kernel 3.5.0-39).
- SSD: OCZ Vertex (…GB).
- HDD: 1TB Samsung Spinpoint F3, 7200 RPM, 32MB cache.

I picked a set of ten tests to try to showcase some typical Linux operations. I cleared the disk cache after each test with echo 3 | sudo tee /proc/sys/vm/drop_caches and rebooted after completing a set. I ran the set five times for each drive, and plotted the mean plus a 95% confidence interval on the bar charts shown below.

Boot Times: Because I'm the only user on the test workstation and use whole-disk encryption, X is set up with automatic login. Once cryptsetup prompts me for my disk password, the system goes right past the typical GDM user login to my desktop. This complicates how to measure boot times, so to get the most accurate measurements, I used the bootchart package, which provides a really cool Gantt chart showing the boot time of each component (partial output shown in Figure 4). I used the Xorg process start to indicate when X starts up, the start of the Dropbox panel applet to indicate when X is usable and subtracted the time spent in cryptsetup (its duration depends more on how many tries it takes me to type in my disk password than on how fast any of the disks are). The SSD crushes the competition here.

Table 1. Boot Times

Test           HDD (s)   SSD (s)   % Faster
Xorg Start     19.4      4.9       75%
Desktop Ready  33.4      6.6       80%

Figure 5. Boot Times
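To turn the sfdisk alignment check described earlier into something you can run against any drive, here is an added example (my code, not the article's) that parses the sfdisk -d dump format shown above and tests every in-use partition's start and size against the erase block size. The dump embedded in the script is constructed for illustration and is not the article's X25-M output; the erase block size is passed in as bytes, and the "type=" form emitted by newer util-linux is accepted alongside the older "Id=" form.

```sh
#!/bin/sh
# Added example: check MBR partition alignment against an SSD erase block,
# driven by the `sfdisk -d` dump format. Not from the article.

# A constructed `sfdisk -d` dump in the format the article shows (not the
# article's own numbers). sda2 is an extended container, sda5 a logical
# partition inside it, sda3/sda4 are unused slots.
SAMPLE_DUMP='# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=     2048, size=  1048576, Id=83, bootable
/dev/sda2 : start=  1050622, size= 62914562, Id= 5
/dev/sda3 : start=        0, size=        0, Id= 0
/dev/sda4 : start=        0, size=        0, Id= 0
/dev/sda5 : start=  1050624, size= 62914560, Id=83'

# check_alignment ERASE_BLOCK_BYTES  < sfdisk-dump
# sfdisk reports 512-byte sectors, so a 512k erase block is 1024 sectors.
# Prints one line per in-use partition and exits 1 if any is misaligned.
# Extended containers (Id 5 or f) are skipped: they hold no filesystem, and
# the "does not start at a cylinder boundary" warning is about them.
check_alignment() {
    ebs=$(( $1 / 512 ))
    awk -v ebs="$ebs" '
        BEGIN { bad = 0 }
        /^\/dev\/.* start=/ {
            dev = $1
            match($0, /start= *[0-9]+/)
            start = substr($0, RSTART + 6, RLENGTH - 6) + 0
            match($0, /size= *[0-9]+/)
            size = substr($0, RSTART + 5, RLENGTH - 5) + 0
            # "Id=" in older sfdisk dumps, "type=" in util-linux 2.26+
            match($0, /(Id|type)= *[0-9a-fA-F]+/)
            id = substr($0, RSTART, RLENGTH)
            sub(/^[A-Za-z]+= */, "", id)
            if (size == 0 || id == "5" || id == "f") next
            status = (start % ebs == 0 && size % ebs == 0) ? "aligned" : "MISALIGNED"
            if (status == "MISALIGNED") bad = 1
            printf "%s start=%d size=%d %s\n", dev, start, size, status
        }
        END { exit bad }'
}

# Demo on the constructed dump; against a live disk with a 512k erase block:
#   sudo sfdisk -d /dev/sda | check_alignment 524288
printf '%s\n' "$SAMPLE_DUMP" | check_alignment 524288
```

The function's exit status makes it usable in a provisioning check (`... || echo "fix partition alignment"`). Partitioners from the last few years align to 1 MiB (2,048 sectors) by default, which satisfies any erase block size up to 1 MiB; the script mostly earns its keep on drives partitioned with older tools or cloned from HDD images.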
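Pulling the wear and write counters out of smartctl output, and turning them into the "how long will this drive last" estimate the article's summary talks about, is easy to script. This is an added example, not the article's code. The smartctl -A excerpt embedded below is constructed to look like Intel-style attributes (not real drive data), the 36 TiB endurance figure is an assumed rating standing in for whatever the vendor specifies, and raw values are assumed to be plain integers. It also recognises Total_LBAs_Written, the counter some other vendors use, which the article does not cover.

```sh
#!/bin/sh
# Added example: summarise SSD wear from `smartctl -A` text and project
# remaining life at the observed write rate. Not from the article.

# Constructed excerpt of `sudo smartctl -A /dev/sda` (Intel-style attribute
# names; not real drive data). Columns: ID# NAME FLAG VALUE WORST THRESH
# TYPE UPDATED WHEN_FAILED RAW_VALUE.
SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0032   100   100   000    Old_age   Always       -       0
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       8421
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       512
233 Media_Wearout_Indicator 0x0032   097   097   000    Old_age   Always       -       0
241 Host_Writes_32MiB       0x0032   100   100   000    Old_age   Always       -       458752'

# smart_summary < smartctl-A-output
# Prints "WEAR WRITTEN_GIB HOURS": the normalised Media_Wearout_Indicator
# (counts down from 100), host writes converted to GiB, and power-on hours.
# Host_Writes_32MiB raw is in 32 MiB units; Total_LBAs_Written (other
# vendors) is in 512-byte sectors.
smart_summary() {
    awk '
        $2 == "Media_Wearout_Indicator" { wear = $4 + 0 }
        $2 == "Host_Writes_32MiB"       { gib = $10 * 32 / 1024 }
        $2 == "Total_LBAs_Written"      { gib = $10 * 512 / 1073741824 }
        $2 == "Power_On_Hours"          { hours = $10 + 0 }
        END { printf "%d %d %d\n", wear, gib, hours }'
}

# days_left WRITTEN_GIB HOURS RATED_GIB
# Whole days until the rated endurance is reached if the drive keeps writing
# at its lifetime average rate (written / power-on time).
days_left() {
    awk -v w="$1" -v h="$2" -v r="$3" 'BEGIN {
        if (h <= 0 || w <= 0) { print "n/a"; exit }
        per_day = w / (h / 24)
        printf "%d\n", (r - w) / per_day
    }'
}

# wear_report RATED_GIB < smartctl-A-output: one-line human summary.
wear_report() {
    set -- "$1" $(smart_summary)   # $1 rated GiB, then wear gib hours
    echo "wear=$2/100 written=${3}GiB hours=$4 days_left=$(days_left "$3" "$4" "$1")"
}

# Demo on the constructed data with an assumed 36 TiB (36864 GiB) rating.
# On a real drive: sudo smartctl -A /dev/sda | wear_report 36864
printf '%s\n' "$SAMPLE_SMART" | wear_report 36864
```

The projection is deliberately crude (a lifetime average, not a recent trend), which is the same approximation the article suggests: compare the wear indicator against the write total and the rated endurance before deciding whether a drive's remaining life is a concern.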
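Here is the test procedure above (drop the cache, run each test several times, report the mean with a 95% confidence interval) as a script you can point at your own drives. It is an added example, not the article's harness: the choice of echo 3 (drop page cache, dentries and inodes), the Student t values for the interval and the dependence on GNU date's %N for sub-second timing are mine. The same function runs the article's single-file and multi-file tests (dd, cat, tar, find) when you pass them as the command.

```sh
#!/bin/sh
# Added example: a reproducible run of the article's benchmark procedure.
# Not the article's own script.

# Drop page cache, dentries and inodes (value 3) so every run starts cold.
# Needs root; silently skipped otherwise (the numbers are then warm-cache).
drop_caches() {
    sync
    if [ -w /proc/sys/vm/drop_caches ]; then
        echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
    fi
}

# ci_stats "s1 s2 ... sn": prints "MEAN HALFWIDTH", the sample mean and the
# half-width of a 95% confidence interval using the two-sided Student t
# value for n-1 degrees of freedom (standard table values up to n=11, the
# normal approximation 1.96 beyond that).
ci_stats() {
    printf '%s\n' "$1" | awk '{
        n = NF; s = 0; ss = 0
        for (i = 1; i <= n; i++) s += $i
        mean = s / n
        for (i = 1; i <= n; i++) { d = $i - mean; ss += d * d }
        sd = (n > 1) ? sqrt(ss / (n - 1)) : 0
        split("12.706 4.303 3.182 2.776 2.571 2.447 2.365 2.306 2.262 2.228", t, " ")
        tv = (n - 1 >= 1 && n - 1 <= 10) ? t[n - 1] : 1.96
        printf "%.3f %.3f\n", mean, tv * sd / sqrt(n)
    }'
}

# bench RUNS CMD [ARGS...]: time CMD RUNS times (wall clock, cold cache) and
# print "MEAN HALFWIDTH" in seconds. Uses GNU date %N for sub-second timing.
bench() {
    runs=$1; shift
    samples=""
    i=0
    while [ "$i" -lt "$runs" ]; do
        drop_caches
        start=$(date +%s.%N)
        "$@" >/dev/null 2>&1 || true
        end=$(date +%s.%N)
        samples="$samples $(awk -v a="$start" -v b="$end" 'BEGIN { printf "%.6f", b - a }')"
        i=$((i + 1))
    done
    ci_stats "$samples"
}

# The article's single-file and multi-file tests, five runs each, e.g.:
#   bench 5 dd if=/dev/zero of=f bs=1M count=256
#   bench 5 cp f f2
#   bench 5 cat f
#   bench 5 tar -cf w.tar workspace
#   bench 5 find workspace -name '*.java' -exec fgrep Foo {} +
# Quick self-demonstration on a command that does no I/O:
bench 3 true
```

Run the script as root on the drive under test so the cache really is dropped; without that the second and later runs measure RAM, not the disk, which is exactly the trap the article's reboot-between-sets rule guards against.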


Application Start Times: To test application start times, I measured the start times for Eclipse 4.3 (J2EE version), Team Fortress 2 (TF2) and Tomcat 7.0.42. Tomcat had four WAR files at about 50MB each to unpack at start. Tomcat provides the server startup time in the logs, but I had to measure Eclipse and Team Fortress manually. I stopped timing Eclipse once the workspace was visible. For TF2, I used the time between pressing “Play” in the Steam client and when the TF2 “Play” menu appears. There was quite a bit of variation between the three applications: Eclipse benefited from an SSD the most, and the gains in Tomcat and TF2 were present but less noticeable.

Table 2. Application Launch Times

Test     HDD (s)   SSD (s)   % Faster
Eclipse  26.8      11.0      59%
Tomcat   19.6      17.7      10%
TF2      72.2      67.1      7%

Figure 6. Application Launch Times

Single-File Operations: To test single-file I/O speed, I created a ~256MB file via time dd if=/dev/zero of=f bs=… count=…, copied it to a new file and then read it via cat, redirecting to /dev/null. I used the time utility to capture the real elapsed time for each test.

Table 3. File I/O

Test    HDD (s)   SSD (s)   % Faster
create  1.5       0.5       67%
copy    3.3       1.1       69%
read    2.2       0.2       63%

Figure 7. File I/O

Multiple File Operations: First, I archived the 200k files in my 1.1GB Eclipse workspace via tar -c <workspace> > w.tar to test


archiving speed. Second, I used find . -name '*.java' -exec fgrep Foo {} + > /dev/null to simulate looking for a keyword in the 7k java files. I used the time utility to capture the real elapsed time for each test. Both tests made the HDD quite noisy, so I wasn't surprised to see a significant delta.

Table 4. Multi-File I/O

Test          HDD (s)   SSD (s)   % Faster
tar           123.2     17.5      86%
find & fgrep  34.3      12.3      64%

Figure 8. Multi-File I/O

Summary

If you haven't considered an SSD, or were holding back for any of the reasons mentioned here, I hope this article prompts you to take the plunge and try one out.

For reliability, modern SSDs are performing on par with HDDs. (You need a good backup, either way.) If you are concerned about longevity, you can use data from your existing system to approximate how long a current-generation MLC or TLC drive would last. SSD support has been in place in Linux for a while, and it works well even if you just do a default installation of a major Linux distribution. TRIM support, some ext4 tweaks and monitoring via tune2fs and smartctl are there to help you maintain and monitor overall SSD health. Finally, some real-world performance benchmarks illustrate how an SSD will boost performance for any operation that uses disk storage, but especially ones that involve many different files. Because even OS-only budget-sized SSDs can provide significant performance gains, I hope if you've been on the fence, you'll now give one a try.

Brian Trapp serves up a spicy gumbo of Web-based yield reporting and analysis tools for hungry semiconductor engineers at one of the leading semiconductor research and development consortiums. His signature dish has a Java base with a dash of JavaScript, Perl, Bash and R, and his kitchen has been powered by Linux ever since 1998. He works from home in Buffalo, New York, which is a shame only because that doesn't really fit the whole chef metaphor.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.


EOF

Returning to Ground from the Web's Clouds
DOC SEARLS

Fixing problems of centralization with more centralized systems only makes the problem worse.

The Net as we know it today first became visible to me in March 1994, when I was among several hundred other tech types gathered at Esther Dyson's PC Forum conference in Arizona. On stage was John Gage (http://en.wikipedia.org/wiki/John_Gage) of Sun Microsystems, projecting a Mosaic Web browser (http://en.wikipedia.org/wiki/Mosaic_(web_browser)) from a flaky Macintosh Duo (http://en.wikipedia.org/wiki/PowerBook_Duo), identical to the one on my lap. His access was to Sun over dial-up.

Everybody in the audience knew about the Net, and some of us had been on it one way or another, but few of us had seen it in the fullness John demonstrated there. (At that date, there were a sum total of just three Internet Service Providers.) James Fallows (http://www.theatlantic.com/james-fallows) was in the crowd, and he described it this way (http://listserv.aera.net/scripts/wa.exe?A2=ind9406&L=aera-f&D=0&P=351) for The Atlantic:

    In the past year millions of people have heard about the Internet, but few people outside academia or the computer industry have had a clear idea of what it is or how it works. The Internet is, in effect, a way of combining computers all over the world into one big computer, which you seemingly control from your desk. When connected to the Internet, you can boldly prowl through computers in Singapore, Buenos Aires, and


    Seattle as if their contents resided on your own machine.

    In the most riveting presentation of the conference, John Gage, of Sun Microsystems, demonstrated the World Wide Web, the gee-whizziest portion of the Internet, in which electronic files contain not only text but also graphics and sound and video clips. Using Mosaic, a free piece of “navigator” software that made moving around the Web possible, Gage clicked on icons on his screen exactly as if he were choosing programs or directories on his own hard disk. He quickly connected to a Norwegian computer center that had been collecting results during the Winter Olympics in Lillehammer and checked out a score, duplicating what Internet users had done by the millions every day during the games, when CBS-TV was notoriously late and America-centric in reporting results.

Note the terms here. John used Mosaic to “control”, “boldly prowl” and “navigate” his way around the Web, which was the “gee-whizziest portion” of the Net.

That portion has since become conflated with the whole thing. Today we use browsers to do far more than navigate the Web. Protocols that once required separate apps—file transfer, e-mail, instant messaging—are now handled by browsers as well. We now also can use browsers to watch television, listen to radio and read publications. It's hard to name anything a computer can do that isn't also doable (and done) in a browser.

Serving up most of those capabilities are utility Web services, provided by Amazon, Apple, Dropbox, Evernote, Google, Yahoo and many more, each with their own clouds. The growth of the Web, atop the Net, also has provided a conceptual bridge from computers to smartphones and tablets. Today nearly every mobile app would be useless without a back-end cloud.

While relying on the Web and its clouds has increased the range of


things we can do on the Net, our freedom to act independently has declined. The browser that started out as a car on the “information superhighway” has become a shopping cart that gets re-skinned with every commercial site it visits, carrying away tracking beacons that report our activities back to centralized servers over which we have little if any control. The wizards among us might be adept at maintaining some degree of liberty from surveillance, but most muggles are either clueless about the risks or make do with advertising and tracking blockers. This is less easy in the mobile world, where apps are more rented than owned, and most are maintained by vendor-side services. Thus, we've traded our freedom for the conveniences of centralization. The cure for that is decentralization: making the Net personal, like it promised to be in the first place—and still is, deep down.

Figure 1. Servers Generating a Hypertext Representation


It should help to remember that the Web is polycentric while the Net is decentralized. By polycentric, I mean server-based: every server is a center. So, even though Tim Berners-Lee wanted the Web to be what he called “a distributed hypertext system” for “universal linked information” (http://www.w3.org/History/1989/proposal.html), what he designed was servers “generating a hypertext representation”, as shown in Figure 1. Today this looks like your e-mail on a Google server—or your photos on Instagram or your tweets on Twitter. There's nothing wrong with any of those, just something missing: your independence and autonomy.

Meanwhile, the Net beneath the Web remains decentralized: a World of Ends (http://worldofends.com) in which every end is a functional distance of zero from every other end. “The end-to-end principle is the core architectural guideline of the Internet” says RFC 3724. Thus, even though the Internet is a “collection of networks”, what collects them are the transcendent purposes of the Net's ends, which

Figure 2. It helps to think of the Net as the ground we walk and drive on, and the Web as clouds in the sky.


consist of you, me, Google and every other node.

If you want to grok the problems of centralization fully, and their threat to personal freedom, to innovation and to much else, watch, listen to or read Eben Moglen's lectures titled “Snowden and the Future” (http://snowdenandthefuture.info), given in November and December 2013 at Columbia University, where Eben has been teaching law for 26 years. The lectures are biblical in tone and carry great moral weight. For us in the Linux community, they are now in the canon.

What Eben calls for is not merely to suffer the problems of centralization, but to solve them. This requires separating the Net and the Web. For me, it helps to think of the Net as the ground we walk and drive on, and the Web as clouds in the sky, as I've illustrated with the photo in Figure 2.

There are many possibilities for decentralized solutions on the Net's ground, and I hope readers will remind us of some. Meanwhile, I'll volunteer a pair I've been watching lately. One is TeleHash, and the other is XDI.

TeleHash (http://telehash.org) is the brainchild of Jeremie Miller, father of Jabber and the XMPP protocol for instant messaging. Its slogan is “JSON + UDP + DHT = Freedom”, and it is described as “a new wire protocol enabling applications to connect privately in a real-time and fully distributed manner, freeing them from relying on centralized data centers”. The rest of the index page says:

    What
    It works by sending and receiving small encrypted bits of JSON (with optional binary payloads) via UDP using an efficient routing system based on Kademlia (http://en.wikipedia.org/wiki/Kademlia), a proven and popular Distributed Hash Table.

    Demo
    It's very much in the R&D stages yet, but check out hash-im (https://github.com/quartzjer/hash-im) for a simple demo.


    Status
    The current spec (https://github.com/telehash/telehash.org/blob/master/protocol.md) is implemented in a few languages (any help here would be great!), and prototype apps are being created to test it. Questions can be directed at Twitter (https://twitter.com/jeremie), or to Jeremie Miller directly.

XDI (http://xdi.org) is a mostly-baked standard. Its purpose is “to define a generalized, extensible service for sharing, linking, and synchronizing data over digital networks using structured data formats (such as JSON and XML) and XRIs (Extensible Resource Identifiers), a URI-compatible abstract identifier scheme defined by the OASIS XRI Technical Committee” (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xdi). Wikipedia (at the moment) says (http://en.wikipedia.org/wiki/XDI):

    The main features of XDI are: the ability to link and nest RDF graphs to provide context; full addressability of all nodes in the graph at any level of context; representation of XDI operations as graph statements


    so authorization can be built into the graph (a feature called XDI link contracts); standard serialization formats including JSON and XML; and a simple ontology language for defining shared semantics using XDI dictionary services.

    XDI graphs can be serialized in a number of formats, including XML and JSON. Since XDI documents are already fully structured, XML adds very little value, so JSON is the preferred serialization format. The XDI protocol can be bound to multiple transport protocols. The XDI TC is defining bindings to HTTP and HTTPS, however it is also exploring bindings to XMPP and potentially directly to TCP/IP.

    XDI provides a standardized portable authorization format called XDI link contracts (http://en.wikipedia.org/wiki/Link_contract). Link contracts are themselves XDI documents (which may be contained in other XDI documents) that enable control over the authority, security, privacy, and rights of shared data to be expressed in a standard machine-readable format and understood by any XDI endpoint.

    This approach to a globally distributed data sharing network models the real-world mechanism of social contracts (http://en.wikipedia.org/wiki/Social_contract), and legal contracts that bind civilized people and organizations in the real world today. Thus, XDI can be a key enabler of the Social Web (http://en.wikipedia.org/wiki/Social_Web). It has also been cited as a mechanism to support a new legal concept, Virtual Rights (http://www.virtualrights.org), which are based on a new legal entity, the “virtual identity”, and a new fundamental right: “to have or not to have a virtual identity”.

It's early for both of these. But I know in both cases the mentality of the developers is on the ground of the Net and not lost in the clouds of the Web. We'll need a lot more of that before we all get our freedom back.

Doc Searls is Senior Editor of Linux Journal. He is also a fellow with the Berkman Center for Internet and Society at Harvard University and the Center for Information Technology and Society at UC Santa Barbara.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.