Archives
12/31/04: Last Post of 2004
As 2004 comes to an end, I know that many people are posting New Year's Resolutions on their blogs. I actually don't have any. I don't believe a person should need an excuse to make positive changes in their lives. We can all resolve to do anything on any given day, but only if we believe it is possible. I quit smoking this past year, about 8 months ago actually. I did it without the aid of nicotine gum or patches, but with a positive mindset. I didn't give something up, but rather, I became something I was not; namely, a non-smoker. On the other hand, New Year's Resolutions can provide a schedule for making positive changes in one's self, but again, the danger is thinking that this is the only time one can make changes.
I certainly don't mean to look down my nose at anyone. After all, if the New Year's Resolutions help people to better themselves, then who am I to argue against them?
Now for a perfect ending to 2004, a quote:
Happy New Year to all, and to all a good night!
...no wait...
12/29/04: Make Firefox Faster on Broadband
How To Speed Up Firefox (Helpful Vanity) -- Here's something for broadband people that will really speed Firefox up:
1. Type "about:config" into the address bar and hit return. Scroll down and look for the following entries:
network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests
Normally the browser will make one request to a web page at a time. When you enable pipelining it will make several at once, which really speeds up page loading.
2. Alter the entries as follows:
Set "network.http.pipelining" to "true"
Set "network.http.proxy.pipelining" to "true"
Set "network.http.pipelining.maxrequests" to some number like 30. This means it will make 30 requests at once.
3. Lastly, right-click anywhere and select New -> Integer. Name it "nglayout.initialpaint.delay" and set its value to "0". This value is the amount of time the browser waits before it acts on information it receives.
If you're using a broadband connection you'll load pages MUCH faster now!
12/26/04: Attackers Apparently Stuck Working Xmas Day
Holiday Attacks Target IE Browser, PHP Servers By Larry Seltzer -- Malware authors on Christmas day left dubious "gift" packages in e-mailboxes across the Internet. Fresh attacks, which took advantage of old Internet Explorer bugs, as well as new versions of the Santy worm fouled the holidays for some Windows users and PHP server admins.
I'm not Christian, but come on! One day off should not hurt anyone. Still, spammers and attackers were out in full force yesterday. It's really quite pathetic. Though it is more than possible that these people just don't celebrate Xmas, I find it more likely that they are mainly just spoiled 15 year olds who take a few minutes to open presents with their families before devoting the rest of the day, like any other day, to their precious computers. Beautiful!
12/23/04: A New Fan of FreeBSD
I have been holding off writing about my FreeBSD experience until my system was fully implemented. Now it is, so here we go.
I shut down my Slackware server 5 days ago for the last time. Since it was down anyway, I took the opportunity to blow all the dust out and reseat the cables and cards, check fans, etc. Then I started the FreeBSD installation.
Installation was definitely friendlier than OpenBSD's, but not super refined like SuSE's. In fact, it was very close to the Slackware installer, which suited me just fine.
Immediately after installation, the first priorities were LDAP authentication and Samba. Both went smoothly using the Ports collection along with my LDAP backup and old smb.conf file. I was pleased to see that there were also PAM_LDAP and NSS_LDAP ports.
After this, I started juggling around data to reformat my drives as UFS. As it worked out, I had about 80GB of data spread over 2 80GB drives, so I simply copied everything to 1 drive, used my 15GB and 1 80GB drive for installation, then copied everything from the remaining ext3 drive back to the other 80GB drive and completed the formatting. This actually took a really long time, as you would imagine when copying 80GB of data.
The next day, I installed dhcpd and Bind9 from the Ports collection and set them up as they were before. I like using Webmin for setting these things up. I do like text config files, but I rarely remember syntax for dhcpd and bind since I don't usually tinker with them once they are set up.
At this point, the system was providing all of the essential services that the Slackware box was providing, except pop3, which was more just a convenient way to receive system reports and whatnot.
Over the next couple of days I made minor changes to my backup scripts to make them work with FreeBSD, and I installed Qmail in place of Sendmail. I struggled with pop3 access at this time and after receiving about 20 "authentication failed" messages, gave up for the day.
This brings me to yesterday, when I tried googling "checkpassword pam." Checkpassword is the program that qmail uses to authenticate pop3 users. I knew the problem was related to my LDAP authentication, and the Google results confirmed this. I immediately learned about checkpassword-pam, go figure. I checked the Ports collection for it, and to my surprise, it had been there all along. I installed it, modified my qmail startup script to call checkpassword-pam instead of checkpassword, and immediately it worked :)
I would recommend FreeBSD to anyone. This whole experience has been great, and for me, the use of PAM gives FreeBSD a slight edge over Slackware. Now, reflecting on these past few days, I clearly see the importance of planning. Prior to shutting down Slackware, I made a list of all the services I needed, and even mirrored my whole installation to the 80GB storage drive so that I could retrieve any config files I would need. Use pen and paper to plan a specific order in which you install and configure services, format drives, backup data. This can help you make sure you get the most essential issues taken care of in the shortest amount of time, worrying about the smaller things later. It worked for me, and now I am a happy FreeBSD user :)
12/20/04: Google Desktop Search Vulnerability
Google Patches Desktop Search Flaw By Ryan Naraine -- Web search powerhouse Google has acknowledged and patched a security vulnerability in its desktop search utility that opens the doors for man-in-the-middle data leak attacks.
Not much to say about this. A problem was found, and Google went "oops, our bad" and fixed it. Any software can be flawed; people write software and people are not perfect, so neither is software. What we must pay attention to is how the flaws are handled by the software provider. To my understanding, Google has been swift in producing this patch, and it is installed without any action from the user. Good stuff :)
12/19/04: Evidence of Open Source Effectiveness
Enterprise Unix Roundup: Linus' Law in Effect By Michael Hall -- "Given enough eyeballs, all bugs are shallow," goes the open source verity popularly known as "Linus' Law." The thrust of Linus' Law is less about security than it is the general process of assuring quality in software, but it certainly resonates with a general current of thought among open source advocates, which is that having source code available for review and audit helps ensure potentially dangerous bugs are more easily neutralized.
The effects of source code that is freely available will always be a topic of heated discussion. On one hand, the closed source guys say the open source gives blackhats the opportunity to find bugs and vulnerabilities more easily; and on the other hand, the open source guys say that it gives the whitehats the opportunity to fix potential bugs and vulnerabilities before they are exploited. There is, however, another side of the argument on behalf of open source. I read this somewhere a few months ago and I don't remember where, but it went something like this: the benefit of open source has less to do with finding bugs more easily than it does with writing fewer bugs in the beginning. You see, if you are writing a piece of software that you know will be available to the whole world in source code, then you are much more likely to code accordingly, i.e. cleaner, simpler, and generally less buggy because of the extra care taken. I tend to agree with this more than the more popular argument.
12/17/04: Vulnerabilities in Cisco, Veritas, and Samba
Holes Found in Cisco, Veritas, Samba Products By Wayne Rash -- Thursday was a big day for vulnerability announcements, but not necessarily for big vulnerabilities. Cisco on Thursday announced two problems with its products, one of which had the potential to be serious. A potentially serious problem with Samba appeared on Bugtraq, and Veritas reported a problem with Backup Exec versions 8 and 9. None of the problems should cause trouble for companies with good security practices.
I got worried when I saw Veritas and Samba in the title :) Here's a tip: do not dismiss vulnerabilities because they can only be exploited locally. Many boxes running Samba may not necessarily be used directly by many people, but usually there are at least a few user accounts that could ssh in if they were so inclined. Locally does not mean sitting at the machine, it means from a user account, whether that user is logged in at the console or via ssh/telnet.
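As an added illustration of that tip (not part of the original post): the audit below lists every account that can obtain a shell, which is the real population able to reach a "local" vulnerability. The sample passwd data is constructed, and the UID_MIN cut-off between system and user accounts is an assumption that varies by OS.

```shell
#!/bin/sh
# Added example: who counts as "local" for a local-only vulnerability?
# Any account that can get a shell, at the console or over ssh/telnet.

# Constructed sample in passwd(5) format. On a live host, pipe in
# `getent passwd` instead so LDAP/NSS accounts are included too.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:
ftpuser:x:1003:1003:FTP only:/home/ftp:/sbin/nologin'

# Assumption: UIDs below this are system/service accounts (1000 is a
# common Linux default; adjust for your platform).
UID_MIN=1000

# shell_accounts: read passwd-format lines on stdin and print
# "name uid shell kind" for each account with an interactive shell.
shell_accounts() {
    awk -F: -v min="$UID_MIN" '
        /^#/ || NF < 7 { next }                 # skip comments, short lines
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"  # empty field means /bin/sh
            if (shell ~ /(nologin|false)$/) next
            kind = ($3 < min) ? "system" : "user"
            print $1, $3, shell, kind
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | shell_accounts
```

Service accounts that show up as "system" with a real shell, like the constructed "backup" entry, are worth a second look, since they widen the set of accounts a local bug is reachable from.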
12/15/04: Free VPN over SSL
Meet OpenVPN By Hans-Cees Speel -- If your company has people on the road, such as sales or technical people, a VPN is a good method for letting them access data on the company network. Many different VPN solutions can be bought, but many are free. Here, I discuss only solutions you can set up without buying a commercial VPN product.
VPN is my latest stumbling block. I have mostly been experimenting with Smoothwall Express and OpenBSD but with no success. From what I gather, there is a very good chance that everything is done right on the server end, but it's the native Windows client that is giving me trouble. OpenVPN is a little encouraging, and this article is definitely a keeper to help with experimenting, but I still lack a solution for networks with a VPN router already in place as I am not sure if they will do VPN Pass-through. On the other hand, I suspect that this may be a non-issue since OpenVPN uses SSL tunnels. I will post my findings on this as soon as I get time to create a test environment.
12/12/04: FreeBSD RAID
Implementing Hardware RAID on FreeBSD by Dan Langille -- Want better performance, higher reliability, and better recovery possibilities from your disks? Try RAID. Dan Langille recently made the switch to hardware RAID on his FreeBSD box; here's how he did it.
When I read this article, it struck me as something I would wish I saved, so here it is :) The author mentions buying his drives at OEM Express, which is cool because I do my shopping in the Edmonton location. Over the past little while, I've been thinking about replacing my Slackware file/authentication server with FreeBSD. To be clear, I absolutely love Slackware for being what it is and nothing else. Unfortunately, what it is is not extremely well suited to my current setup. If you read my Linux and Windows Interoperability post, you know that I use LDAP authentication on my network. Usually, with other Linux distributions and FreeBSD, this is achieved through the use of PAM, or Pluggable Authentication Modules. Slackware, however, does not support PAM because of its past security vulnerabilities. Slackware being the server in my setup, it is manageable, but authentication only half works for users that exist only in the LDAP directory. In many many cases, PAM is completely unnecessary, and in those cases I will continue to use Slackware over anything else. Here at home, on the other hand, FreeBSD will be a worthy replacement just as soon as I come up with a plan for a swift replacement and the time to carry it out.
12/11/04: PHP Templates With Smarty - Recommended
After this ONLamp article, I decided to take a look at PEAR::DB and Smarty. I passed on PEAR::DB for now because the class I use for database access works pretty well for now, but I liked what Smarty claimed to be so I downloaded it and got to work. All I can say is Wow. I re-wrote a couple pages from Dawg Tag and everything flowed so much better. Using only PHP, writing only application code invariably involves thinking about the design of the resulting page. Scripts are full of html code, and changing the appearance of a page means editing script files, being careful not to break them. Smarty made all of that better. Now, my script files have no html code. All application code goes in the regular php file so you can just build arrays, fill variables, manipulate data without worrying about what it will look like. Then, any variables or arrays that need to be in the output are just assigned to Smarty, where you lay them out in a separate template file. The templates are ridiculously easy to work with. Basically, they are plain html files with some variables pulled in from the application, beautiful.
I will be using this for any project I work on from now on. The documentation is good, the syntax is easy, and the result is cleaner code with fewer headaches. Highly recommended!
12/09/04: An Informative and Useful PHP Article
Three-Tier Development with PHP 5 by Luis Yordano Cruz -- Well-factored applications separate data storage, manipulation, and display. For PHP programmers, PHP 5 and PEAR make that easier than ever. Luis Yordano Cruz demonstrates how to combine PEAR::DB_DataObject, Smarty, and PHP 5 to improve the design and maintenance of your applications.
ONLamp just keeps pumping out the great articles. Though PHP5 isn't exactly commonplace yet, I found this article extremely useful as general advice and good coding practice. I have been using database abstraction classes lately, but now I will definitely be looking into PEAR and Smarty. Up to now, my projects have been small enough that doing all the legwork myself hasn't been too troubling. In fact, everybody should start off with the basics and add sophistication little by little. For me, it is time to start separating logic from design. It will be well worth the re-writing.
12/07/04: Mozilla Thunderbird is Officially Here
Mozilla Thunderbird 1.0 Email Client Has Landed -- The Mozilla Foundation, a non-profit organization dedicated to preserving choice and promoting innovation on the Internet, today announced the worldwide availability of the Mozilla Thunderbird 1.0 email client. Thunderbird focuses on new features and settings to help stop spam and prevent viruses, the two biggest problems facing email users today. Mozilla Thunderbird follows last month's highly successful release of Mozilla Firefox 1.0 that has been downloaded by over nine million users. --
I've been using Thunderbird only since version 0.8, but as soon as I saw it I knew that it had the same appeal as Firefox: just what you need and nothing else. I am happy to see both of these products reach version 1.0 so that I can now confidently suggest them to everyday users. I could have been doing this with high success before now, but I feared that some tiny bugs would just drive them back to MS products. Well, those days are over :)
12/05/04: Linux and Windows Interoperability
As long as I have been using Linux, I have been striving for seamless interoperability between my Linux and Windows experiences. It hasn't been easy, but over time - with enough tinkering - I have arrived at a very finely tuned setup that provides full functionality in both environments.
The big requirement for all of this is a Linux server, along with a Linux/Windows desktop. LDAP authentication is key for true consistency. With it, we have only one source for accounts and passwords. The passwd/shadow files are still used for root and system accounts on the Linux side, but all user accounts exist only in the LDAP directory. I use OpenLDAP for this task. This Howto was helpful.
Samba is also key. My Samba server is set up as a domain controller, using LDAP authentication. This is what makes the Windows client use the same LDAP directory as the Linux client. All of this took some digging around in the Samba Howto Collection. My smb.conf is attached to this post.
I also use smbldap-tools to act as an interface between Samba and OpenLDAP. This set of tools includes useradd, passwd, etc. scripts that act on the LDAP directory.
Obviously this isn't a step-by-step howto, but merely a guideline. Besides, I honestly don't remember exactly how I did all of this :) The hope is that it will be much easier for somebody else if they know where to look.
Moving on, the main setup now being in place, I looked to the system policy editing. As you may know, Samba does not use Windows 2000 style group policies, but rather the older NT4 style system policies. This type of policy has its drawbacks such as registry tattooing (where a policy is enforced until another policy specifies otherwise), but for our purposes it will do just fine. The only policy setting I use is a folder redirection of My Documents to \\server\username\Documents so that I have a Documents directory right in my Linux home directory.
The system policy editor is not included with Windows XP, but one simply has to download a Windows 2000 service pack, extract it with the /x switch, and install it from there. The policy templates file I use is attached to this post.
The latest addition to my setup is the Mozilla Thunderbird email client. With just a little tinkering I was able to configure it to use the same directory in both Linux and Windows (it uses the directory in my linux home dir).
Again, this is nowhere near a complete howto. I have neither the patience nor the experience to take on such a task. Keep in mind that this whole setup took months of playing around to achieve, only because I was starting with a blank slate. If I were to very simply trace my footsteps, it would look something like this: Install Samba (manually map home dir) -> setup domain controller with tdb backend (map via logon script) -> system policy -> LDAP authentication (linux) -> convert Samba to LDAP with the help of smbldap-tools -> Thunderbird.
I would be happy to offer any help I can if anybody tackles this and gets stuck at some point. Perhaps if I go through the steps with others enough times, a full howto may not be out of the question after all.
Good luck!
My Samba config file Poledit Template
12/04/04: Misconception: Firefox "breaks" things.
Firefox's biggest obstacle is lazy programming by Munir Kotadia, ZDNet Australia -- The biggest obstacle facing widespread adoption of the Firefox browser is lazy programming - not from the Mozilla Foundation but from corporates that have not tested their applications with anything but IE. --
The article goes on to explain that this is done to keep testing costs down, and until now, the short-sightedness of the ones making these decisions has trapped large industry into IE. Microsoft is indeed pressured to improve IE now with Firefox gaining in popularity. Short of a complete rewrite though, I expect to see more of the same, i.e. masking security problems only to have more appear. On my desktop at least, IE is no threat to my browser of choice.