
Linux Journal | January 2013 | Issue 225 - ACM Digital Library



Since 1994: The Original Magazine of the Linux Community
JANUARY 2013 | ISSUE 225 | www.linuxjournal.com

Web Sockets | PXE | OTPW | Wi-Fi Honeypots | ECC

Phonegap for Easy Smartphone Application Development

SECURITY
• Configure One-Time Password Authentication with OTPW
• Provide Stronger Security with Elliptic Curve Cryptography
• Project: Build a Wi-Fi Honeypot

HOWTO: Add Graphical PXE Menus to Your PXE Server
Best Practices for Creating Passwords
Working with Web Sockets
Plus: More Shell Script Games

Free to subscribers: EPUB, Kindle, Android, iPhone & iPad editions




CONTENTS

INDEPTH
102 Phonegap Application Development
    With Phonegap, you can write your application and take it with you. Mike Diehl

COLUMNS
34 Reuven M. Lerner’s At the Forge: Real-Time Messaging
44 Dave Taylor’s Work the Shell: Counting Cards: Cribbage
48 Kyle Rankin’s Hack and /: More PXE Magic
58 Shawn Powers’ The Open-Source Classroom: The Secret Password Is...
110 Doc Searls’ EOF: On Infrastructure, Geology and Other Temporary Things

IN EVERY ISSUE
8 Current_Issue.tar.gz
10 Letters
18 UPFRONT
32 Editors’ Choice
64 New Products
117 Advertisers Index

24 GNUPLOT
32 WIFI ANALYZER

ON THE COVER
• Phonegap for Easy Smartphone Application Development, p. 102
• Configure One-Time Password Authentication with OTPW, p. 76
• Provide Stronger Security with Elliptic Curve Cryptography, p. 68
• Project: Build a Wi-Fi Honeypot, p. 90
• How-To: Add Graphical PXE Menus to Your PXE Server, p. 48
• Best Practices for Creating Passwords, p. 58
• Working with Web Sockets, p. 34
• Plus: More Shell Script Games, p. 44

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 310, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.

WWW.LINUXJOURNAL.COM / JANUARY 2013 / 5


Executive Editor: Jill Franklin, jill@linuxjournal.com
Senior Editor: Doc Searls, doc@linuxjournal.com
Associate Editor: Shawn Powers, shawn@linuxjournal.com
Art Director: Garrick Antikajian, garrick@linuxjournal.com
Products Editor: James Gray, newproducts@linuxjournal.com
Editor Emeritus: Don Marti, dmarti@linuxjournal.com
Technical Editor: Michael Baxter, mab@cruzio.com
Senior Columnist: Reuven Lerner, reuven@lerner.co.il
Security Editor: Mick Bauer, mick@visi.com
Hack Editor: Kyle Rankin, lj@greenfly.net
Virtual Editor: Bill Childers, bill.childers@linuxjournal.com

Contributing Editors: Ibrahim Haddad • Robert Love • Zack Brown • Dave Phillips • Marco Fioretti • Ludovic Marcotte • Paul Barry • Paul McKenney • Dave Taylor • Dirk Elmendorf • Justin Ryan

Publisher: Carlie Fairchild, publisher@linuxjournal.com
Advertising Sales Manager: Rebecca Cassity, rebecca@linuxjournal.com
Associate Publisher: Mark Irgang, mark@linuxjournal.com
Webmistress: Katherine Druckman, webmistress@linuxjournal.com
Accountant: Candy Beauchamp, acct@linuxjournal.com

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc., PO Box 980985, Houston, TX 77098 USA.

Editorial Advisory Panel: Brad Abram Baillio • Nick Baronian • Hari Boukis • Steve Case • Kalyana Krishna Chadalavada • Brian Conner • Caleb S. Cullen • Keir Davis • Michael Eager • Nick Faltys • Dennis Franklin Frey • Alicia Gibb • Victor Gregorio • Philip Jacob • Jay Kruizenga • David A. Lane • Steve Marquez • Dave McAllister • Carson McDonald • Craig Oda • Jeffrey D. Parent • Charnell Pugsley • Thomas Quinlan • Mike Roberts • Kristin Shoemaker • Chris D. Stark • Patrick Swartz • James Walker

Advertising: E-MAIL: ads@linuxjournal.com; URL: www.linuxjournal.com/advertising; PHONE: +1 713-344-1956 ext. 2
Subscriptions: E-MAIL: subs@linuxjournal.com; URL: www.linuxjournal.com/subscribe; MAIL: PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.


[ LETTERS ]

My point is that there is practically complete functional equivalence between the two languages (pax, fellow aficionados/purists of either!), especially in this particular domain of Bash-replacement utility scripts. Ruby too has a very large and capable library, both standard and gems, for dealing with exactly the same kinds of problems that Delaney covers so well. For example, Ruby also includes a powerful OptionParser module (“optparse”) for handling command-line switches and arguments easily and generally. I know, I’m developing a large and ever-growing repertory of Ruby utility scripts, many of which are replacements and improvements of older Bash versions—the Ruby versions are much more readable, understandable, maintainable and expandable.

Either is an excellent choice in this domain. Ruby just happens to be my personal favorite, but others may prefer Python. Your mileage may vary, and I’m not trying to start a language flame war here. Interested readers may want to read David Bryant Copeland’s excellent book Build Awesome Command-Line Applications in Ruby: Control Your Computer, Simplify Your Life (2012, Pragmatic Bookshelf), which explores this application domain in detail. He also covers and recommends “optparse” (OptionParser) to build truly powerful command-line utility apps.

With both Ruby and Python bulwarking good-old Bash, Long Live the Command Line! Thanks again.
—Lorin Ricker

Richard Delaney replies: Thank you very much for your letter. I think you bring up a brilliant point, and having had little real experience with Ruby, I can only take your word for it. Python and Ruby fill a very similar void in what they hope to achieve and make any “flame wars” between the two communities all the more illogical. As you prefer Ruby, my preference is for Python, but only because I program with Python on a daily basis. The reality is that a number of these beautifully crafted languages, such as Python and Ruby, are almost drop-in replacements for one another. The interpreted, dynamic nature of both these languages along with other advantages, such as an REPL, makes their choice as a Bash replacement all the more enticing.


[ LETTERS ]

seem non-trivial.

Or, what about an entire issue on benchmarking? You could do one article on comparing different distros via benchmarking. You could do another article on comparing virtualization to physical. Or, you could do a project where you show how readers could benchmark their boxes, and readers could send in their results.

Finally, I know you just did an issue on the kernel, but there was no article about where the kernel is going. What about an article on possibilities for kernel development? Are there more and newer additions to the kernel for virtualization? How will the kernel compete with Mountain Lion and Windows 8? What new additions to the kernel will be added for touchscreens?

Overall, I love your magazine. It’s great, and I wouldn’t be a subscriber if it wasn’t. However, this is what I feel is missing.
—Doug

Thank you for your letter. It’s only feedback like this that lets us know the thoughts of our readers. We do try to cover both ends of the spectrum, largely due to feedback like yours and feedback quite opposite: “I want to learn more about Linux, but your magazine seems to exclude all but the seasoned veterans.”

We will try to find the proper balance, and if the pendulum has gone the other way a bit, hopefully, it will swing back toward the middle. Seriously though, thank you for the feedback, it’s critical!
—Ed.

Games
I’ve read about all the games that are being brought to Linux now that Windows 8 is out. I guess the developers hate how 8 is locked down. How about some articles on the games? I love games.
—Doug

Me too. “Loving” very rarely equates to “is good at”, but I try not to let that stop me. I have been keeping up on the Steam client for Linux, and once that’s released, perhaps it will spark a renewed interest in gaming. I freely volunteer my services as resident game-tester!
—Ed.

Ignorance in Windows Does Not Make You Knowledgeable in Linux
I have been a UNIX user for more than 30 years. I love UNIX because of the philosophy on which UNIX was designed.

I have noticed that in the Linux community, many people try to show they are knowledgeable by showing they are ignorant in Windows. An example of this is in The Open-Source Classroom column in the November 2012 issue. The author stated that “after I learned to press Ctrl-Alt-Del to log in....” One must have lived on Mars for decades not to know how to log in to Windows. It is theoretically possible but practically very unlikely for someone working in the IT field never to have logged in to Windows.
—John Du

My apologies if my sarcasm was taken as a serious point of confusion. I was trying to make a humorous observation that “Ctrl-Alt-Del” historically has been how to reboot a computer, and it’s ironically the way to begin computing in modern Windows.

If I’m being completely transparent, however, my new day job does actually mark the first time I’ve ever had to press Ctrl-Alt-Del to log in. I managed one Windows server in my last sysadmin position, but I used pGina for authentication, so I never had to use the three-finger salute to get a login prompt! (Your observation is correct though, I knew perfectly well how to log in in my new Windows environment.)
—Shawn.

A Better Shell Script Timeout Method
Regarding Dave Taylor’s column in the November 2012 issue: the following code handles multiple, even overlapping, shell script timeouts reliably. It does not risk killing any unrelated process that just happens to match $myname. It sends SIGTERM, not SIGALRM.

The following shell routines, taken from the script http://pauljackson.us/watchdog_eg.sh, provide a convenient and robust way for shell script authors to handle multiple,


doesn’t run on VNC.

Keep up the good work. I for one am very pleased with your digital format; it’s getting better and better, and it’s a very convenient and cheap solution for us subscribers abroad.
—triantares

Thank you for the kind words. I just purchased a 10" tablet computer after turning in my last one when changing jobs. I was surprised how much I missed the tablet computer, largely due to the beautiful magazine rendering. Much like the new digital billboards popping up all along the highways, I find the digital magazine to grab my attention. I often worry the former might cause car accidents, but I’m quite pleased with the latter.

As to Kyle’s N900, well, we’ve been teasing him ever since Maemo was discontinued. He may have given up his N900, but it will take an army to pry the IBM Model M keyboard from his fingers.
—Ed.

WRITE LJ A LETTER: We love hearing from our readers. Please send us your comments and feedback via http://www.linuxjournal.com/contact.

PHOTO OF THE MONTH: Remember, send your Linux-related photos to ljeditor@linuxjournal.com!

At Your Service

SUBSCRIPTIONS: Linux Journal is available in a variety of digital formats, including PDF, .epub, .mobi and an on-line digital edition, as well as apps for iOS and Android devices. Renewing your subscription, changing your e-mail address for issue delivery, paying your invoice, viewing your account details or other subscription inquiries can be done instantly on-line: http://www.linuxjournal.com/subs. E-mail us at subs@linuxjournal.com or reach us via postal mail at Linux Journal, PO Box 980985, Houston, TX 77098 USA. Please remember to include your complete name and address when contacting us.

ACCESSING THE DIGITAL ARCHIVE: Your monthly download notifications will have links to the various formats and to the digital archive. To access the digital archive at any time, log in at http://www.linuxjournal.com/digital.

LETTERS TO THE EDITOR: We welcome your letters and encourage you to submit them at http://www.linuxjournal.com/contact or mail them to Linux Journal, PO Box 980985, Houston, TX 77098 USA. Letters may be edited for space and clarity.

WRITING FOR US: We always are looking for contributed articles, tutorials and real-world stories for the magazine. An author’s guide, a list of topics and due dates can be found on-line: http://www.linuxjournal.com/author.

FREE e-NEWSLETTERS: Linux Journal editors publish newsletters on both a weekly and monthly basis. Receive late-breaking news, technical tips and tricks, an inside look at upcoming issues and links to in-depth stories featured on http://www.linuxjournal.com. Subscribe for free today: http://www.linuxjournal.com/enewsletters.

ADVERTISING: Linux Journal is a great resource for readers and advertisers alike. Request a media kit, view our current editorial calendar and advertising due dates, or learn more about other advertising and marketing opportunities by visiting us on-line: http://ww.linuxjournal.com/advertising. Contact us directly for further information: ads@linuxjournal.com or +1 713-344-1956 ext. 2.


[ UPFRONT ]

hardware, without a lot of messing about with file ownership, special permissions or anything like that. The assumption would be that the user had full ownership of everything, which, for regular users, is almost always the case.

There was a lot of initial resistance, because FAT32 traditionally has been the filesystem used on such drives. But FAT32 has a file size limit, and Dan had hit that limit with an Arduino project and wrote LanyFS partly to overcome that.

Meanwhile, exFAT is Microsoft’s solution to the same use case. The only problem is, as Carlos Alberto Lopez Perez put it, exFAT was encumbered by patents and licensing fees, which put it out of the running. But, Microsoft might be reluctant to support LanyFS, if it’s pushing its own exFAT solution onto users.

As it turns out, Arnd Bergmann also is working on a minimalist Flash filesystem. Although because he was working with a third-party vendor and didn’t want to mess up the time frame, he didn’t offer any details, except to say that the filesystem would be optimized for Flash.

The appealingly named Unified Extensible Firmware Interface (UEFI) probably will be supported in the Linux kernel at some point. Its purpose is to prevent users from having control of their own systems, so that third-party vendors can run the show. Look it up. It’s ugly.

A variety of technical problems are standing in the way of UEFI support. Matthew Garrett recently posted some patches to prevent the root user from modifying the kernel. But, Alan Cox didn’t think the kernel alone could guard against the root user successfully. After all, the foundation of Linux security rests on the idea that once anyone gets to be root, that’s the ballgame, and so it’s more important to try to prevent that from happening, than to try to interfere with root’s actions once it did.

I’d say UEFI almost certainly will be part of the kernel. But at the same time, it wouldn’t be enabled by default on any system other than those third-party systems being distributed specifically in order to have UEFI enabled. Hopefully, it won’t go too far beyond that.
—ZACK BROWN


[ UPFRONT ]

Wunderlist

I’m often compared to the Absent-Minded Professor. I take it as a great compliment, because in the movie, he’s brilliant. Unfortunately, when people refer to me as him, it’s the “absent-minded” part they’re stressing—not the “professor” part.

During the past few years, I’ve written about task-management systems, “get things done” digital tools and ways to keep track of to-do lists in Linux. This month, I’m sharing Wunderlist, which is a cross-platform task-management and sharing utility that is truly amazing. When I say cross-platform, I really mean it too. Wunderlist works in Windows, OS X, Linux, iOS, Android, Blackberry, the Web and probably another half dozen interfaces I’ve yet to encounter.

Although it has a robust feature set including task list sharing, due dates, task notes, the ability to drag tasks between lists and keep track of completed items, for me, its real value is in its simplicity. Wunderlist doesn’t try to do too much; it just does task lists really, really well. If you haven’t seen Wunderlist in action before, put it on your list today: http://www.wunderlist.com.
—SHAWN POWERS




[ UPFRONT ]

Gnuplot—the Grandfather of Graphing Utilities

In these columns, I have covered several different scientific packages for doing calculations in many different areas of research. I also have looked at various packages that handle graphical representation of these calculations. But, one package that I’ve never looked at before is gnuplot (http://www.gnuplot.info). Gnuplot has been around since the mid-1980s, making it one of the oldest graphical plotting programs around. Because it has been around so long, it’s been ported to most of the operating systems that you might conceivably use. This month, I take a look at the basics of gnuplot and show different ways to use it.

Gnuplot is a command-line-driven program. As such, it has been co-opted to provide graphic capabilities in several other applications, such as octave. Thus, you may have used gnuplot without even realizing you were doing so. You can use gnuplot in several ways. It not only can accept input data to plot, but it also can plot functions. Gnuplot can send its output either to the screen (in both a static file format display or an interactive display), or it can send output to any of a large number of file formats. Additionally, lots of functions are available to customize your plots, changing the labels and axes, among other things.

Let’s start by installing gnuplot. Binaries are available for many different operating systems. Most Linux distributions also should come with a package for gnuplot, so installation should be a breeze. If you want the latest and greatest features available, you always can download the source code and build gnuplot from scratch.

Once gnuplot is installed, you can start it by executing the command gnuplot. When executed this way, you are launched into an interactive session. Let’s start by trying to plot a basic function. You should be able to plot any mathematical function that would be accepted in C, FORTRAN or BASIC. These mathematical expressions can be built up from built-in functions like abs(x), cos(x)


or Bessel. You can use integer, real and complex data types as arguments to these functions.

When using gnuplot to generate a plot, you either can have all of the commands in a single file and hand them in to gnuplot as a script, or you can start gnuplot up in interactive mode and issue these commands one at a time in the command environment. To run a gnuplot script, you simply need to add it at the end of the command when you run gnuplot—for example:

    gnuplot script_to_run

When you run gnuplot in interactive mode, you can quit your session with the command quit. The two most basic commands are plot and splot. plot generates two-dimensional plots, and splot generates three-dimensional plots. To plot a simple function, you can use:

    plot sin(x)/x

This generates a plot window, displaying the graphical results (Figure 1). If you want to add a title to the plot, you can add this option to the plot command:

    plot sin(x)/x title "Example 1"

Figure 1. Plotting commands open a new window for display.

Figure 2. A Basic Plot of sin(x)/x

You even can plot multiple expressions on the same plot window with:

    plot sin(x)/x title "Example 1", sin(x) title "Example 2"

To plot a three-dimensional graph, simply hand in an expression with two independent variables to splot, such as:

    splot x**2+y**2

If you run into a problem, the first place to look is the built-in help function. To get help with the plot command, execute the command:

    help plot

This pulls up the help documentation that gnuplot has regarding the plot command.

Figure 3. You can plot multiple functions on the same graph.

This is fine if you are just trying to see what some expression looks like when it is plotted out, but in real science, you often collect data in experiments that need to be plotted so you can do some graphical analysis and get ideas as to what may be happening. Gnuplot can handle this type of plotting too. To do so, you simply need to hand in the filename of the file containing the data to be plotted. This file should have the data elements arranged in columns, where the columns are separated by white space of some kind. Any lines that start with # are treated as comments by gnuplot and are ignored. If your data file contains several data columns, you can select which columns are pulled in to be plotted as options to the plot or splot functions. As an example, say you have a data file that has the temperature and pressure for each day. You can plot the temperature with:

    plot "weather.dat" using 1:2 title "Temperature"

If you want to get the pressure graph, you would use:

    plot "weather.dat" using 1:3 title "Pressure"

If you want to plot all three columns, you can use:

    splot "weather.dat"

Figure 4. Gnuplot even can handle 3-D plots.

There are two ways of customizing your plots when using gnuplot. The first is to use options to the plot and splot commands. In this case, you define things like the title of the plot, the axes or the style. The styles available can


be lines, points, linespoints, impulses, dots, steps, fsteps, histeps, errorbars, xerrorbars, yerrorbars or xyerrorbars. To use one of the styles, you can include the option with the with keyword. So, if you want to plot both the lines and points of your graph, you could add with linespoints to your plot command. You also can use shortcuts for these options. For with, you can use w. For the title option, you can use t. For the using option shown earlier, you can use u.

The second option for customizing your plots is to use the set command. With this command, you are free to set the values for several graphing options. Using the second option, you can set all types of options, like the title, xlabel, yrange, xtics or key, among other options. For example, you can set the y-range with:

    set yrange [20:500]

After setting the various plotting options, you need to tell gnuplot to redraw the plot you are working on. You can do this with the command:

    replot

Many of these set options also use shortcuts. For example, the shortcut version of the above command is:

    set yr [20:500]

Gnuplot is not only a capable utility to plot data and functions, but it also can do some analysis on the data being plotted. For example, you can get gnuplot to do curve fitting on the data. To do so, you first need to define a function, as well as some initial guesses, before calling the fit command. An example would look like this:

    f1(x)=a1*tanh(x/b1)
    a1=300; b1=0.005;
    fit f1(x) 'data_file.dat' using 1:2 via a1,b1

This tells gnuplot to try to fit the data from columns 1 and 2 of the file data_file.dat to the function defined by f1(x), adjusting the parameters a1 and b1 from the initial guesses given.

When you have an environment created for a particular research area, you can save all of the settings you may have set up with the command save. This command essentially saves off all of the gnuplot commands you issued to a text file. This text file can be loaded into a new gnuplot session with the load command. This will take all of the commands saved to the “save” file and re-run them in the new session.

You always can see what options have been set by using the command show. This command shows you what values have been set within the current session. To see all of the options, use the command show all. When you are playing with options, you sometimes can get yourself into an odd condition. Just remember that you always can reset any values created with set by using the reset command. This command resets these session options to their default values.

Sometimes you may need to interact with the system on which gnuplot is running. In those cases, you need to start a shell session from gnuplot. There are two ways to do so. The first is to use the command system. In this case, you can hand in a string containing the system commands that need to be run outside of gnuplot. The other option is to use the command !. This command actually is just a shortcut for the command system, and the commands can be used interchangeably.

This article has covered only the most basic functions available in gnuplot. It’s definitely worth your time to look deeper into the documentation to see what else it can do for you in analyzing your data. Even if you don’t use gnuplot directly, learning more about it will help you when you use other applications like octave. Take this article as a jumping-off point and explore just what is possible in data analysis.
—JOEY BERNARD


[ EDITORS' CHOICE ]

placement of access points when deploying a building-wide wireless infrastructure. I’ve used it to pick the best channel for my home access points. I’ve even walked down the road with it to see what my neighbors use as SSIDs. (That last one might be a little creepy, but really, if people name their wireless networks after Teletubbies, you want to keep an eye on them.)

Because it’s incredibly useful, completely free and not available on iOS, WiFi Analyzer gets this month’s Editors’ Choice award. Check it out at http://a.farproc.com/wifi-analyzer.
—SHAWN POWERS


COLUMNS
AT THE FORGE

Real-Time Messaging
REUVEN M. LERNER

Want to send messages to all the browsers connected to your site? The pub-sub paradigm, run through Web sockets, might be just the solution.

Back in the 1980s, BSD UNIX introduced the idea of a “socket”, a data structure that functioned similarly to a file handle, in that you could read from it or write to it. But, whereas a file handle allows a program to work with a file, a socket is connected to another process—perhaps on the same computer, but quite possibly running on another one, somewhere else on the Internet. Sockets brought about a communications revolution, in no small part because they made it easy to write programs that communicated across the network.

Today, we take that for granted. Dozens or hundreds of sockets are open on my computer at any given moment, and I don’t know if they’re communicating with local or remote programs. But, that’s just the point—it’s so easy to work with sockets, we no longer think of networked programs as anything special or unusual. The people who created sockets couldn’t possibly have imagined the wide variety of protocols, applications and businesses that were built using their invention.

My point is not to praise sockets, but to point out that the inventors of a technology, particularly one that provides infrastructural support and a new abstraction layer, cannot know in advance how it’ll be used.

In that light, consider a new network communication protocol called Web sockets, part of the standards known collectively as HTML5. To me, at least, Web sockets are the most undersold, least discussed parts of the HTML5 suite, with the potential to transform Web browsers into a fully fledged application platform.

Web sockets don’t replace HTTP. Rather, much like BSD sockets, they provide bidirectional, long-term communication between two computers. The “bidirectional” and “long-term” aspects distinguish Web sockets from HTTP, in which the client sends a request, the server sends a response, and then the connection is terminated. Setting up a Web socket has very little overhead—and once communication is established, it can continue indefinitely.

Now that Web sockets exist, and are even supported by a growing number of browsers, what can you do with them? That question is still hard to answer, in no small part because Web sockets are so new. After all, if you had asked someone in the 1980s what you could do with BSD sockets, it’s unlikely that streaming video would have come to mind.

That said, there are some applications for which Web sockets are already showing their advantage. In particular, applications that benefit from real-time data updates, such as stock-market tickers, now can receive a steady stream of data, rather than perform repeated Ajax calls to a server. Real-time chat systems are another example of where Web sockets can shine, and where HTTP has not performed adequately. Indeed, any Web application that handles or displays a constant flow of data can benefit from Web sockets.

But you can go even farther than that. Remember, Web sockets provide communication between a single server and a single client. There are, however, numerous applications in which the server might want to “broadcast” information to a large number of clients simultaneously. You can imagine how this could work with Web sockets, creating a Web socket connection between a server and each of the clients, and then sending messages to each of the clients, perhaps by iterating over the array of Web sockets and invoking send() on each one.

This is certainly possible, but implementing such a system yourself would be time-consuming and difficult, and might not scale easily. Fortunately, now there are third-party services that (for a fee) will handle such connections for you. Such publish-subscribe (“pub-sub”) systems make it possible for a server to send to any number of clients almost simultaneously, opening the door to all sorts of Web applications.

In this article, I review the basics behind Web sockets and then move forward to demonstrate a simple application that uses the pub-sub paradigm. Even if you don’t currently need this sort of functionality in your Web application, I have no doubt you’ll eventually encounter a situation that can benefit from it. When the time comes, you’ll hopefully realize that it’s not too difficult to put it into place.


Working with Web Sockets

Web sockets, as with the rest of the HTML5 standard, have to do with programming within the browser—which, of course, happens in JavaScript or a language that compiles into JavaScript. To create a new Web socket, you simply say:

    var ws = new WebSocket("ws://lerner.co.il/socket");

The beauty of this API is its simplicity. I don't know about you, but I'm tired of protocols that expect me to remember which parameter represents the hostname, which the protocol and which the port (if any). In the case of Web sockets, as you would expect from a Web standard, you pass all of that along in a URL whose protocol is defined as "ws" or "wss" (for SSL-encrypted Web sockets). Also notice that you don't have to define the Web socket as being read-only, write-only or read/write; Web sockets are all bidirectional.

You can send data to the other side of your Web socket by invoking the "send" method:

    ws.send("Hello");

Or, if you want to send something a bit more complicated, it's typical to use JSON:

    var stuff_to_send = {a:1, b:2};
    ws.send(JSON.stringify(stuff_to_send));

What happens when your Web socket receives some data? Nothing just yet. You have to tell the browser that each time it receives data, it should do something with that data, such as display it on the screen. You tell it what to do with a callback, as you might expect in a functional language, such as JavaScript. That is, you tell the Web socket that when it receives data, it should execute a function, passing the received data as a parameter to that function. A simple example might be:

    ws.onmessage = function(message) {
        alert("Received ws message: '" + message.data + "'");
    };

You also can do something more interesting and exciting with the data:

    ws.onmessage = function(message) {
        $("#wsdata").html(message.data);
    };

Of course, the incoming data isn't necessarily a string. Instead, it might be a bunch of JSON, in which case, it might contain a JavaScript object with fields. In such a case, you could say:

    ws.onmessage = function(message) {
        // the JSON text arrives in the event's data property
        var parsed_message = JSON.parse(message.data);
        $("#one").html(parsed_message.one);
        $("#two").html(parsed_message.two);
    };

Now, it's important to remember that the Web sockets protocol is a distinct protocol from HTTP. This means that when I say I want to connect to ws://lerner.co.il/socket, I need to be sure I'm running a Web socket server on lerner.co.il that responds to items at that URL. This is not the same thing as Apache, nginx or whatever your favorite HTTP server is.

So, when I say here that your browser connects to a server, you need to provide such a server. The Resources section of this article describes a number of systems that make it possible and fairly straightforward to create a server for Web sockets.

Pub-Sub

As you can see, working with Web sockets is fairly straightforward. But, what happens if you want to send messages to multiple clients? For example, let's say your company deals with stocks, and you want the home page of your company's Web site to show the latest value of certain stocks and stock indexes, updated continuously.

The simplest and seemingly most straightforward way is to use the strategy I described above—namely, that the server can store its Web sockets in an array (or similar data structure). At a set interval, the server then can execute ws.send() to each of the clients, either sending a simple text string or a JSON data structure with one or more pieces of information. The client, upon receiving this data, then executes the onmessage callback function, which then updates the user's browser accordingly.

This approach has a number of problems, but the main one that bothers me is the lack of a real abstraction layer. As application developers, you want to send the message, rather than consider how the message is being sent, or even who is receiving it. This is one way of looking at the publish-subscribe (pub-sub) design pattern. The publisher and subscriber aren't connected to each other directly, but rather through a middleman object or server that takes care of the connections. When the publisher wants to send a message, it does so through the broker, which then uses the existing Web socket connection to send a message to each client.

Now, this might sound something like a message queue, which I described about a year ago in this space. But message queues and pub-sub systems work quite differently from each other, and they are used for different purposes.

You can think of a message queue as working something like e-mail, with a single sender and a single recipient. Until the recipient retrieves the message, it waits in the message queue. The order and timing in which messages appear isn't necessarily guaranteed, but the delivery of the message is.

By contrast, a pub-sub system is something like a group IM chat. Everyone who is connected to the pub-sub system and is subscribing to a particular channel receives the messages sent to that channel. If you happen not to be subscribed at the time a message is sent, you won't receive it; there is no mechanism in pub-sub for storing or replaying messages.

If you were interested in giving people real-time stock updates from your home page, the pub-sub way of doing that would be to have each client register itself as a subscriber with the pub-sub server. The server then would send new messages at regular intervals to the pub-sub server, which would pass them along to the appropriate clients. Remember, in a pub-sub system, the publisher doesn't know how many subscribers there are or when they enter/leave the system. All the publisher needs to know is the API for sending data to the pub-sub server, which passes things along to the appropriate clients.

Implementing Pub-Sub

Pub-sub has long existed outside the Web and is a fairly standard architecture for "broadcasting" information to a variety of clients. And, you can create a pub-sub system on your own, but there are at least two commercial services—Pusher and PubNub are the best known—that make it trivially easy to implement real-time messaging within your Web application. Pusher uses Web sockets, substituting a Flash-based solution when a browser doesn't support them. PubNub uses a different system, known as "HTTP long polling", which avoids the problem of browser support for Web sockets. Both are worth consideration if you're looking for a commercial pub-sub service, but I use Pusher here (as well as in my own consulting work), partly because I prefer to use Web sockets, and partly because Pusher lets you tag each message with an event type, giving you a richer mechanism for sending data.

Because Pusher is a commercial service, you need to register with it before you can use it. It has a free "sandbox" system that is more than viable for systems in development. Once you go beyond its limits of 20 connections and 100,000 messages


On my system, I get the following response:

    == Sinatra/1.3.3 has taken the stage on 4567 for development with backup from Thin
    >> Thin web server (v1.5.0 codename Knife)
    >> Maximum connections set to 1024
    >> Listening on 0.0.0.0:4567, CTRL+C to stop

In other words, if I now make a request for http://localhost:4567/, I'll get an error, because the template is not in place. Creating a subdirectory named "views", I then can create the file index.erb within it, which is shown in Listing 1.

As you can see, index.erb is a simple HTML file. Its body consists of a headline and a single paragraph:

    Current value of NAME is PRICE.

The above line is the primitive stock ticker. When your publishing system sends a new stock name and price, this line will be updated to reflect that message.

Just as you used a callback to handle incoming messages on your Web socket, you also will need to define a callback to handle messages sent by the publisher to your Pusher "channel", as it is known. (Each application can have any number of channels, and each channel can have any number of events. This allows you to distinguish between different types of messages, even within the same application.)

In order to do this, you need to load the JavaScript library (from pusher.com), and then create a new Pusher object with the key of the account you have created:

    var pusher = new Pusher('cc06430d9bb986ef7054');

You then indicate that you want to subscribe to a particular channel, the name of which does not need to be set in advance:

    var channel = pusher.subscribe('stock_ticker');

Finally, you define a callback function, indicating that when you receive a message of type "update_event" on the stock_ticker channel, you want to replace the HTML in the body of this document:

    channel.bind('update_event', function(data) {
        $("#name").html(data['name']);
        $("#price").html(data['price']);
    });

Notice that I'm using jQuery here in order to replace the HTML on the page. In order for that to work, I've also brought in the jQuery library, downloading it from Google's servers.

Listing 1. index.erb

    <html>
    <head>
    <title>Stock Market</title>
    <!-- PUSHER_JS_URL and JQUERY_URL are placeholders: the Pusher library
         comes from pusher.com and jQuery from Google's servers -->
    <script src="PUSHER_JS_URL"></script>
    <script src="JQUERY_URL"></script>
    <script>
    var pusher = new Pusher('KEY_FROM_PUSHER');
    var channel = pusher.subscribe('stock_ticker');
    channel.bind('update_event', function(data) {
        $("#name").html(data['name']);
        $("#price").html(data['price']);
    });
    </script>
    </head>
    <body>
    <h1>Stock Market</h1>
    <p>Current value of <span id="name">NAME</span> is
       <span id="price">PRICE</span>.</p>
    </body>
    </html>

With this HTML page in place, and my Sinatra application running, I'm now ready to receive messages. I run the Sinatra application and point my browser to localhost:4567. I should see the static version of the page, with NAME and PRICE in the paragraph.

Publishing a message is almost as easy as receiving one. Different applications will have different use cases. Sometimes, you will want to send a message from the Web application itself, indicating that a new message has been posted to a forum or that the number of signed-in users has changed. In other cases, you'll want these updates to come from an external process—perhaps one that is running via cron or is monitoring the database separately from the Web application. For this particular example, I wrote a small Ruby program, update-stocks.rb, which is shown in Listing 2. This program uses the "pusher" gem, provided free of charge by the Pusher people. You then choose one of the companies in your list (the constant array COMPANIES), then choose a random number up to 100. Next, you send the message to all of the subscribers on the "stock_ticker" channel, indicating that you've sent an "update_event". Because of the decoupled nature of communication between publisher and subscriber, you won't get an error message if you misspell the channel or event name. Rather, the message will be delivered to no one. Thus, you will want to be particularly careful when writing these and ensure that the same names are used in your client and your server.

Listing 2. update-stocks.rb

    #!/usr/bin/env ruby
    require 'pusher'

    COMPANIES = %w(ABC DEF GHI JKL MNO)

    # credentials from your Pusher account; the secret stays on the server side
    Pusher.app_id = 'APP_ID_FROM_PUSHER'
    Pusher.key = 'KEY_FROM_PUSHER'
    Pusher.secret = 'SECRET_FROM_PUSHER'

    loop do
      company = COMPANIES.sample
      price = rand 100
      Pusher['stock_ticker'].trigger('update_event',
                                     { :name => company, :price => price })
      sleep 5
    end

Conclusion

Web sockets are going to change the Web dramatically, but it's not yet clear how or when. Being able to update a large number of client displays almost simultaneously using pub-sub is already changing the way people see Web apps—and as you can see from this small example application, it isn't very difficult to do. Pub-sub isn't appropriate for all applications, but if you are sending the same data to many people, and if they might want to receive updates automatically into their browsers, this is an easy and straightforward way to do it.■

Reuven M. Lerner is a longtime Web developer, consultant and trainer. He is also finishing a PhD in learning sciences at Northwestern University. His latest project, SaveMyWebApp.com, went live this spring. Reuven lives with his wife and children in Modi'in, Israel. You can reach him at reuven@lerner.co.il.

Resources

You can learn about Web sockets from a variety of sources. The W3C's API and definition are at http://www.w3.org/TR/2009/WD-websockets-20090423, in a document that is surprisingly readable. Another good source of information is the book Programming HTML5 Applications written by my colleague Zach Kessin and published by O'Reilly.

Web socket servers have been written in nearly every language you can imagine. I found a relatively up-to-date list, with links, on Wikipedia, under the "Web socket" entry, and thus, I'll not try to reproduce it here.

You can learn more about Pusher at http://pusher.com or a popular competitor, PubNub, at http://pubnub.com.


COLUMNS
WORK THE SHELL

Counting Cards: Cribbage
DAVE TAYLOR

Dave takes on the challenge of capturing game logic in a shell script.

I've spent the past few months reviewing shell scripting basics, so I think it's time to get back into an interesting project. It's always a good challenge to capture game logic in a shell script, particularly because we're often pushing the envelope with the capabilities of the Bash shell.

For this new project, let's model how a deck of cards works in a script, developing specific functions as we proceed. The game that we'll start with is a two- or three-player card game called Cribbage. The basic functions we'll create also will be easily extended to simple Poker variants and other multi-card evaluation problems.

If you aren't familiar with Cribbage, you've got time to learn more about the game, because I won't actually get to any game-specific elements until next month. Need a good place to learn? Try this: http://www.bicyclecards.com/card-games/rule/cribbage.

The first and most obvious challenge with any card game is modeling the deck of cards. It's not just the deck, however, it's the challenge of shuffling too. Do you need to go through the deck multiple times to randomize the results? Fortunately, that isn't necessary, because you can create a deck—as an array of integer values—in sequential order and randomly pick cards from the deck instead of worrying about shuffling the deck and picking them in sequential order.

This is really all about arrays, and in a shell script, arrays are easy to work with: simply specify the needed index in the array, and it'll be allocated so that it's a valid slot. For example, I simply could use deck[52]=1, and the deck array will have slots 0..52 created (though all the other elements will have undefined values).

Creating the ordered deck of cards, therefore, is really easy:

    for i in {0..51}
    do
        deck[$i]=$i
    done

Since we're going to use the value -1 to indicate that the card has been pulled out of the deck, this would work just as well if everything were set to any value other than -1, but I like the symmetry of deck[$i]=$i.

Notice also the advanced for loop we're employing. Early versions of Bash can't work with the {x..y} notation, so if that fails, we'll need to increment the variable by hand. It's not a big hassle, but hopefully this'll work fine.

To pick a card, let's tap into the magic $RANDOM variable, a variable that has a different value each time you reference it—darn handy, really. So, picking a card randomly from the deck is as easy as:

    card=${deck[$RANDOM % 52]}

Note that to avoid incorrect syntactic analysis, it's a good habit always to reference arrays as ${deck[$x]} rather than the more succinct $deck[$x].

How do you know whether you've already picked a particular card out of the deck? I don't care what game you're playing, a hand like 3H, 4D, 5D, 9H, 9H and 9H is going to get you in trouble! To solve this, the algorithm we'll use looks like this:

    pick a card
    if it's already been picked before
        pick again
    until we get a valid card

Programmatically, remembering that a value of -1 denotes a card that's already been picked out of the deck, it looks like this:

    until [ $card -ne -1 ]
    do
        card=${deck[$RANDOM % 52]}
    done
    echo "Picked card $card from the deck"

The first card picked isn't a problem, but if you want to deal out 45 of the 52 cards, by the time you get to the last few, the program might well bounce around, repeatedly selecting already-dealt cards, for a half-dozen times or more. In a scenario where you're going to deal out the entire deck or a significant subset, a smarter algorithm would be to count how many random attempts you make, and when you've hit a threshold, then sequentially go through the deck from a random point until you find one that's available—just in case that random number generator isn't as random as we'd like.

The piece missing in the fragment above is the additional snippet of code that marks a given card as having been picked so that the algorithm identifies twice-picked cards. I'll add that, add an array of six cards I'm going to deal, and also add a variable to keep track of the array index value of the specific card chosen:

    for card in {0..5} ; do
        until [ ${hand[$card]} -ne -1 ]
        do
            pick=$(( $RANDOM % 52 ))
            hand[$card]=${deck[$pick]}
        done
        echo "Card ${card} = ${hand[$card]}"
        deck[$pick]=-1    # no longer available
    done

You can see that I've added the use of a "pick" variable, and because the equation appears in a different context, I had to add the $(( )) notation around the actual random selection.

There's a bug in this code, however. Can you spot it? It's a classic mistake that programmers make, actually. The problem? The until loop is assuming that the value of $hand[n] is -1 and remains so until a valid card randomly picked out of the deck is assigned to it. But the value of an array element is undefined when first allocated—not good.

Instead, a quick initialization is required just above this snippet:

    # start with an undealt hand:
    for card in {0..5} ; do
        hand[$card]=-1
    done

We're almost actually ready to deal out a hand and see what we get. Before we do, however, there's one more task: a routine that can translate numeric values like 21 into readable card values like "Nine of Diamonds" or, more succinctly, "9D".

There are four suits and 13 possible card values in each, which means that the div and mod functions are needed: rank = card % 13 and suit = card / 13. We need a way to map suit into its mnemonic: hearts, clubs, diamonds and spades. That's easy with another array:

    suits[0]="H"; suits[1]="C"; suits[2]="D"; suits[3]="S";

With that initialized, showing a meaningful value for a given card is surprisingly straightforward:

    showcard()
    {
        suit=$(( $1 / 13 ))
        rank=$(( ( $1 % 13 ) + 1 ))
        showcardvalue=$rank${suits[$suit]}
    }

Actually, that's not quite right, because we don't want results like 11H or 1D; we want to convert 1 into an Ace, 11 into a Jack and so on. It's the perfect use for a case statement:

    case $rank in
        1)  rank="A" ;;
        11) rank="J" ;;
        12) rank="Q" ;;
        13) rank="K" ;;
    esac

Now we're ready to deal a hand and see what we get:

    for card in {0..5} ; do
        until [ ${hand[$card]} -ne -1 ]
        do
            pick=$(( $RANDOM % 52 ))
            hand[$card]=${deck[$pick]}
        done
        showcard ${hand[$card]}    # sets 'showcardvalue'
        echo "Card ${card}: $showcardvalue"
        deck[$pick]=-1             # no longer available
    done

And the result of running this? Here are a few iterations:

    $ sh cribbage.sh
    Card 0: 5D
    Card 1: 5C
    Card 2: JS
    Card 3: QD
    Card 4: 4D
    Card 5: JD
    $ sh cribbage.sh
    Card 0: 10C
    Card 1: 5D
    Card 2: KC
    Card 3: 7S
    Card 4: 4S
    Card 5: 8C

Cool. Now that we have the basics of how to model a deck and deal a hand of unique cards, we can start with the interesting elements—next month. In the meantime, your homework is to learn Cribbage.■

Dave Taylor has been hacking shell scripts for more than 30 years. Really. He's the author of the popular Wicked Cool Shell Scripts and can be found on Twitter as @DaveTaylor and more generally at http://www.DaveTaylorOnline.com.
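Pulling the column's fragments together, here is a complete Bash script that deals a hand of unique cards. It is an added example, not Dave's own cribbage.sh: it keeps his deck, hand, suits and showcard conventions (with -1 marking a dealt card) and adds the fallback he describes but does not write, namely counting random misses and, past a threshold, walking the deck sequentially from the last random point. MAXTRIES is a value I picked, and pick_card, deal_hand and hand_is_unique are my own function names.

```shell
#!/bin/bash
# Added example: complete deck-and-deal script built from the column's
# fragments (not the column's own cribbage.sh). Needs Bash for arrays,
# $RANDOM and {0..51}.

suits=(H C D S)
MAXTRIES=20      # assumed threshold before falling back to a sequential scan

# init_deck: cards 0..51 in order; -1 will mark a card already dealt
init_deck() {
    deck=()
    local i
    for i in {0..51}; do
        deck[$i]=$i
    done
}

# showcard N: sets showcardvalue to a readable name such as AH, 10C or KS
showcard() {
    local suit=$(( $1 / 13 ))
    local rank=$(( ( $1 % 13 ) + 1 ))
    case $rank in
        1)  rank="A" ;;
        11) rank="J" ;;
        12) rank="Q" ;;
        13) rank="K" ;;
    esac
    showcardvalue="$rank${suits[$suit]}"
}

# pick_card: sets 'card' to an undealt card and marks it -1 in the deck.
# Random picks are retried until MAXTRIES misses in a row; after that the
# deck is scanned sequentially from the last random point, as the column
# suggests for dealing most of a deck. Returns 1 if the deck is exhausted.
pick_card() {
    local tries=0 pick start i
    while :; do
        pick=$(( RANDOM % 52 ))
        [ "${deck[$pick]}" -ne -1 ] && break
        tries=$(( tries + 1 ))
        if [ "$tries" -ge "$MAXTRIES" ]; then
            start=$pick
            for i in {0..51}; do
                pick=$(( (start + i) % 52 ))
                [ "${deck[$pick]}" -ne -1 ] && break
            done
            [ "${deck[$pick]}" -ne -1 ] || return 1
            break
        fi
    done
    card=${deck[$pick]}
    deck[$pick]=-1
}

# deal_hand N: fills 'hand' with N distinct cards; returns 1 if the deck
# runs out first
deal_hand() {
    local n=$1 c
    hand=()
    for (( c = 0; c < n; c++ )); do
        pick_card || return 1
        hand[$c]=$card
    done
}

# hand_is_unique: succeeds when no card appears twice in 'hand'
hand_is_unique() {
    [ -z "$(printf '%s\n' "${hand[@]}" | sort -n | uniq -d)" ]
}

# Deal and print a six-card hand, as the column does
main() {
    local c
    init_deck
    deal_hand 6
    for c in "${!hand[@]}"; do
        showcard "${hand[$c]}"
        echo "Card $c: $showcardvalue"
    done
}

main
```

Because the deck, not the hand, is the record of what has been dealt, deal_hand 52 hands out the whole deck without the long runs of repeated misses the column warns about, and a 53rd request fails cleanly instead of looping forever.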


COLUMNSHACK AND /More PXEMagicKYLE RANKINLearn how to add graphical PXE menus to your PXE server andboot Ubuntu and Debian releases.When writing this month’s column,I realized this will begin my fifth yearwriting Hack and / for <strong>Linux</strong> <strong>Journal</strong>.I enjoy writing this column, sothanks to everyone who follows it.For those of you who either e-mailthe editor or me directly, thanks forthe feedback. (And, for those ofyou who e-mail me more in-depthquestions, I’m sorry I can’t alwaysget back to you with full responses.Hopefully, some of those questionswill be fodder for future columns.)This month, I’ve decided to followup on a topic I wrote about not inthis column directly, but as a featurearticle called “PXE Magic” in theApril 2008 issue. In that article,I talk about how to set up a PXEserver from scratch, including howto install and configure DHCP andTFTP. Ultimately, I even provide abasic pxelinux configuration to getyou started. Since then, PXE menuswith pxelinux have become moresophisticated and graphical and couldseem a bit intimidating if you are newto it. In this column, I explain how topiggyback off of the work the Debianand Ubuntu projects have done withtheir PXE configuration to make yourown fancy PXE menu without muchadditional work. I know not everyoneuses Debian or Ubuntu, so if you use adifferent distribution, hold off on theangry e-mail messages; you still canuse the PXE configuration I’m showinghere for your distro, provided it givessome basic examples of how to PXEboot its installer. Just use these stepsas a launching off point and tweakthe PXE config to work for you.Simple Ubuntu PXE MenuIf this is your first time configuringa PXE server, for the first step, Irecommend following my steps inthe “PXE Magic” article to installand configure DHCP and TFTP(it’s available on the <strong>Linux</strong> <strong>Journal</strong>48 / JANUARY <strong>2013</strong> / WWW.LINUXJOURNAL.COM


COLUMNSHACK AND /Web site if you don’t have yourcopy of the magazine handy athttp://www.linuxjournal.com/article/9963). Otherwise, if youhave existing servers in place, justmake sure that DHCP is configuredto point to your TFTP server (if it’son the same machine, that’s fine).And, if you already have any sort ofpxelinux configuration in your tftpbootdirectory, I recommend that you backit up and move it out of the way—I’mgoing to assume that your entire/var/lib/tftpboot (or /tftpboot on somesystems) directory is empty to start with.For the rest of this article, I reference/var/lib/tftpboot as the location tostore your PXE configuration files,so if you use /tftpboot, adjust thecommands accordingly.Both Debian and Ubuntu provide anice all-in-one netboot configurationfor each of their releases that makes itsimple to PXE boot a particular releaseyourself. The file is called netboot.tar.gzand is located in a netboot directoryalong with the rest of the differentinstall images. For instance, thenetboot.tar.gz for the i386 Ubuntu12.04 release (named Precise) can befound at http://us.archive.ubuntu.com/ubuntu/dists/precise/main/installer-i386/current/images/netboot/netboot.tar.gz.To get started, cd to your tftpbootdirectory, and then use wget to pulldown the netboot.tar.gz file (I’massuming you’ll need root permissionsfor all of these steps, so I’m puttingsudo in front of all of my commands),and then extract the tarball:$ cd /var/lib/tftpboot$ sudo wget http://us.archive.ubuntu.com/ubuntu/dists/precise/➥main/installer-i386/current/images/netboot/netboot.tar.gz$ sudo tar xzf netboot.tar.gz$ lsnetboot.tar.gz pxelinux.0 pxelinux.cfg➥ubuntu-installer version.infoAs the ls command shows, anubuntu-installer directory wascreated along with pxelinux.0 andpxelinux.cfg symlinks that pointinside that ubuntu-installer directoryto the real files. 
Without performingany additional configuration,provided your DHCP and TFTP serverswere functioning, you could PXEboot a server with this configurationand get a boot menu like the oneshown in Figure 1.Ubuntu has taken the extra stepsof theming its PXE menu with itscolor scheme and even provided alogo. Unlike the PXE menu I demoedin my previous “PXE Magic” article,this menu functions more like a GUIprogram. You can use the arrow keysto navigate it, the Enter key to selectWWW.LINUXJOURNAL.COM / JANUARY <strong>2013</strong> / 49


COLUMNSHACK AND /Figure 1. Ubuntu Precise PXE Boot Menua menu item and the Tab key to edit amenu entry.Multi-OS PXE MenuIf all you were interested in was PXEbooting a single version of Ubuntuor Debian, you would be done. Ofcourse, what if you wanted the choiceof either the 32- or 64-bit versionsof a particular release, or what if youwanted to choose between a fewdifferent releases? Although you couldjust overwrite your tftpboot directoryevery time you wanted to changeit up, with only a few extra tweaksto the config, you easily can hostmultiple releases with the same menu.Move Precise to a SubmenuTo get started, let’s clean out anyexisting files in the /var/lib/tftpbootdirectory. Let’s use the i386 Precise50 / JANUARY <strong>2013</strong> / WWW.LINUXJOURNAL.COM


COLUMNSHACK AND /netboot.tar.gz to begin, but let’stweak how the files are organized byisolating precise in its own directory:$ cd /var/lib/tftpboot$ sudo mkdir precise$ cd preciseThe specific pxelinux configurationthat points to the Ubuntu Precisekernel and initrd can be foundunder precise/ubuntu-installer/i386/boot-screens/txt.cfg. If you wereto look at that file, it would looksomething like this:$ sudo wget http://us.archive.ubuntu.com/ubuntu/dists/precise/➥main/installer-i386/current/images/netboot/netboot.tar.gz$ sudo tar xzf netboot.tar.gzAll of the interesting PXEconfiguration can be found insidethe ubuntu-installer/i386 directory,so make a copy of those files backin the root tftpboot directory so youcan edit them:default installlabel installmenu label ^Installmenu defaultkernel ubuntu-installer/i386/linuxappend vga=788 initrd=ubuntu-installer/i386/➥initrd.gz -- quietlabel climenu label ^Command-line installkernel ubuntu-installer/i386/linux$ cd /var/lib/tftpboot$ sudo cp -a precise/ubuntu-installer/i386/boot-screens➥precise/ubuntu-installer/i386/pxelinux.0➥precise/ubuntu-installer/i386/pxelinux.cfg .Unfortunately, all of theconfiguration files under the bootscreensdirectory you copied referenceubuntu-installer/i386/boot-screens,when you want them to reference justboot-screens, so the next step is to runa quick Perl one-liner to search andremove any instance of ubuntu-installer/i386/ found in the config file:append tasks=standard pkgsel/language-pack-patterns=➥pkgsel/install-language-support=false vga=788➥initrd=ubuntu-installer/i386/initrd.gz -- quietWhat you want to do is make acopy of this config file under yourroot-level boot-screens directory, butbecause you extracted the tarball intoa directory named precise (insteadof the root directory), you need todo another search and replace, andadd precise in front of any referenceto the ubuntu-installer directory.Otherwise, the paths to the kerneland initrd will be wrong:$ cd /var/lib/tftpboot/boot-screens$ sudo 
perl -pi -e 's|ubuntu-installer/i386/||' *$ cd /var/lib/tftpboot/boot-screensWWW.LINUXJOURNAL.COM / JANUARY <strong>2013</strong> / 51


COLUMNSHACK AND /$ sudo cp ../precise/ubuntu-installer/i386/boot-screens/txt.cfg➥precise-i386.cfg$ sudo perl -pi -e 's|ubuntu-installer|precise/ubuntu-installer|g'➥precise-i386.cfgWhen you are done, the /var/lib/tftpboot/boot-screens/precise-i386.cfgfile should look something like this:include boot-screens/stdmenu.cfginclude boot-screens/txt.cfginclude boot-screens/gtk.cfgmenu begin advancedmenu title Advanced optionsinclude boot-screens/stdmenu.cfglabel mainmenumenu label ^Back..menu exitdefault installlabel installlabel climenu label ^Installmenu defaultkernel precise/ubuntu-installer/i386/linuxappend vga=788 initrd=precise/ubuntu-installer/i386/initrd.gz➥-- quietmenu label ^Command-line installkernel precise/ubuntu-installer/i386/linuxappend tasks=standard pkgsel/language-pack-patterns=➥pkgsel/install-language-support=false vga=788➥initrd=precise/ubuntu-installer/i386/initrd.gz -- quietFinally, open up /var/lib/tftpboot/boot-screens/menu.cfg in your favoritetext editor. This file contains the bulkof the configuration that has to dowith the PXE menu system, and thefile should look something like this:menu endlabel helpinclude boot-screens/adtxt.cfginclude boot-screens/adgtk.cfgmenu label ^Helptext helpDisplay help screens; type 'menu' at boot prompt to➥return to this menuendtextconfig boot-screens/prompt.cfgWhat you want to do is replace theinclude boot-screens/txt.cfgline with a submenu that points to thenew precise-i386.cfg file you created.I used the existing advanced submenuas an example to start from. Theresulting file should look like this:menu hshift 13menu width 49menu hshift 13menu margin 8menu width 49menu margin 8menu title Installer boot menu^Ginclude boot-screens/stdmenu.cfgmenu title Installer boot menu^Gmenu begin precise-i38652 / JANUARY <strong>2013</strong> / WWW.LINUXJOURNAL.COM


HACK AND /

...right directory:

  $ cd /var/lib/tftpboot/boot-screens
  $ sudo cp ../precise/ubuntu-installer/amd64/boot-screens/txt.cfg precise-amd64.cfg
  $ sudo perl -pi -e 's|ubuntu-installer|precise/ubuntu-installer|g' precise-amd64.cfg

Now, open up /var/lib/tftpboot/boot-screens/menu.cfg again, and add an additional menu entry that points to the precise-amd64.cfg file you created. The file ends up looking like this:

  menu hshift 13
  menu width 49
  menu margin 8
  menu title Installer boot menu
  include boot-screens/stdmenu.cfg
  menu begin precise-i386
    menu title Precise 12.04 i386
    include boot-screens/stdmenu.cfg
    label mainmenu
      menu label ^Back..
      menu exit
    include boot-screens/precise-i386.cfg
  menu end
  menu begin precise-amd64
    menu title Precise 12.04 amd64
    include boot-screens/stdmenu.cfg
    label mainmenu
      menu label ^Back..
      menu exit
    include boot-screens/precise-amd64.cfg
  menu end
  include boot-screens/gtk.cfg
  menu begin advanced
    menu title Advanced options
    include boot-screens/stdmenu.cfg
    label mainmenu
      menu label ^Back..
      menu exit
    include boot-screens/adtxt.cfg
    include boot-screens/adgtk.cfg
  menu end
  label help
    menu label ^Help
    text help
      Display help screens; type 'menu' at boot prompt to return to this menu
    endtext
    config boot-screens/prompt.cfg

Add a New Ubuntu Release

So, you were happy with your 12.04 PXE menu, and then Ubuntu released 12.10 Quantal, so now you want to add the 32-bit version of that to your menu. Simply adapt the steps from before to this new release. First, create a directory to store the new release, and pull down and extract the new netboot.tar.gz file:

  $ cd /var/lib/tftpboot
  $ sudo mkdir quantal
  $ cd quantal
  $ sudo wget http://us.archive.ubuntu.com/ubuntu/dists/quantal/main/installer-i386/current/images/netboot/netboot.tar.gz
  $ sudo tar xzf netboot.tar.gz

Next, copy over the quantal txt.cfg file to your root boot-screens directory, and run a Perl one-liner on it to point it to the right directory:

  $ cd /var/lib/tftpboot/boot-screens
  $ sudo cp ../quantal/ubuntu-installer/i386/boot-screens/txt.cfg quantal-i386.cfg
  $ sudo perl -pi -e 's|ubuntu-installer|quantal/ubuntu-installer|g' quantal-i386.cfg

Finally, edit /var/lib/tftpboot/boot-screens/menu.cfg again, and add the additional menu entry that points to the quantal-i386.cfg file you created. The additional section you should put below the previous submenus looks like this:

  menu begin quantal-i386
    menu title Quantal 12.10 i386
    include boot-screens/stdmenu.cfg
    label mainmenu
      menu label ^Back..
      menu exit
    include boot-screens/quantal-i386.cfg
  menu end

The resulting PXE menu should look something like Figure 3. To add the 64-bit release, just adapt the steps from the above Precise 64-bit release to Quantal. Finally, if you want to mix and match Debian releases as well, the steps are just about the same, except you will need to track down the Debian netboot.tar.gz from its project mirrors and substitute precise for Debian project names like squeeze. Also, everywhere you see a search and replace that references ubuntu-installer, you will change that to debian-installer.■

Figure 3. Now with Three Options

Kyle Rankin is a Sr. Systems Administrator in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users’ Group.

56 / JANUARY 2013 / WWW.LINUXJOURNAL.COM
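A sanity check for a menu.cfg built the way the steps above describe, as an added example that is not part of the article: it parses a constructed menu.cfg of the same shape and reports unbalanced submenus, submenus with no way back to the main menu, and includes that point at files missing from the tftp root. The sample config and the set of available files are constructed for the example.

```python
"""Sanity-check a syslinux/pxelinux menu.cfg like the one built in the article.

Added example, not code from the article. It checks that every 'menu begin'
has a matching 'menu end', that each submenu carries a 'menu exit' entry so a
user can get back, and that every included boot-screens/*.cfg file exists.
"""
import re

# Constructed menu.cfg in the shape the article builds (two release submenus).
SAMPLE_MENU_CFG = """\
menu hshift 13
menu width 49
menu margin 8
menu title Installer boot menu
include boot-screens/stdmenu.cfg
menu begin precise-amd64
  menu title Precise 12.04 amd64
  include boot-screens/stdmenu.cfg
  label mainmenu
    menu label ^Back..
    menu exit
  include boot-screens/precise-amd64.cfg
menu end
menu begin quantal-i386
  menu title Quantal 12.10 i386
  include boot-screens/stdmenu.cfg
  label mainmenu
    menu label ^Back..
    menu exit
  include boot-screens/quantal-i386.cfg
menu end
"""


def check_menu_cfg(text, available_files):
    """Return a list of problems; an empty list means the file looks sane.

    available_files is the set of paths (relative to the tftp root) that
    really exist, e.g. {"boot-screens/stdmenu.cfg", ...}.
    """
    problems = []
    stack = []  # open submenus as [name, saw_menu_exit]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"menu begin\s+(\S+)", line)
        if m:
            stack.append([m.group(1), False])
            continue
        if line == "menu exit":
            if stack:
                stack[-1][1] = True
            continue
        if line == "menu end":
            if not stack:
                problems.append(f"line {lineno}: 'menu end' without 'menu begin'")
                continue
            name, has_exit = stack.pop()
            if not has_exit:
                problems.append(f"submenu {name}: no 'menu exit' entry to return to the main menu")
            continue
        m = re.match(r"include\s+(\S+)", line)
        if m and m.group(1) not in available_files:
            problems.append(f"line {lineno}: included file {m.group(1)} is missing")
    for name, _ in stack:
        problems.append(f"submenu {name}: 'menu begin' never closed")
    return problems


if __name__ == "__main__":
    present = {"boot-screens/stdmenu.cfg", "boot-screens/precise-amd64.cfg"}
    for problem in check_menu_cfg(SAMPLE_MENU_CFG, present):
        print(problem)
```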


THE OPEN-SOURCE CLASSROOM

The Secret Password Is...

SHAWN POWERS

If your password is as easy as 123, we need to talk.

The first password I ever remember using when I started in system administration was “.redruM” (no quotes). It was by far the craftiest, most-impossible-to-guess password ever conceived by a sentient being. Sadly, a mere 17 years later (wow, it’s been a long time!) that password probably could be brute-force compromised in ten minutes—with a cell phone.

Since retinal scans still mainly are used in the movies to set the scene for gruesome eyeball-stealing, for the foreseeable future (pun intended), we’re stuck with passwords. In this article, I want to take some time to discuss best practices and give some thoughts on cool software designed to help you keep your private affairs private. Before getting into the how-to section, let me openly discuss the how-not-to.

The Things You Shall Not Do

It’s a bad idea to write your password on a sticky note and affix it to your monitor. Yes, it sounds like a joke, but this happens every day—in almost every business. In fact, sometimes tech folks are guilty of this cardinal sin because they’ve changed passwords for users and need to let them know their new passwords. Seeing your password written or typed out should cause you physical pain and distress. Displaying it on your monitor is just wrong.

It’s a bad idea to use any of the following as your password, or at least as your entire password:

- Your pet’s name, current or past.
- Your child’s name or nickname.
- Your car’s name, model or a car you want.
- Birth dates of any people you know.
- Name of your college/high-school mascot.
- Anything related to your hobbies.
- Your address in any form.
- Your telephone number, past or present.
- Your mother’s maiden name (this is less secure than .redruM).
- Any of the following: password, 123456, abc123, letmein, love, iloveyou, sex, god, trustno1, master, asdfjkl;, qwerty, password123, secret, jesus or ninja.

If I’ve just described your password or, heaven forbid, actually listed it in the last bullet point (some of the most common passwords), you need to keep reading. Don’t change your password yet though, as I’m going to discuss best practices next, but even if you don’t read another word, you can’t leave your password like it is—really.

The Things You Shall Try to Do

When it comes to passwords, the longer and more complex, the better. Unfortunately, there is an inverse relationship between the quality of a password and a person’s ability to remember it. Logically, one would find the balance between easy to remember and sufficiently complex, but because some people forget how to spell their own names, using some tricks of the trade is necessary—preferably, combining the tricks.

The Sentence-Mnemonic Method

If I were to tell you my password is “sipmnwnoilbinetb” and that I can remember it every time, you’d probably be impressed. Watch, I’ll type it again without looking back: sipmnwnoilbinetb. Am I really a cyborg with an eidetic memory? Maybe, but in this case, I’ve just used the sentence-mnemonic method to remember my password. In reality, when I type that password, I’m saying in my head, “Sometimes I pick my nose when no one is looking, but I never eat the boogers.”

This particular mnemonic is good for a couple reasons. One, it’s easy to remember. Two, it’s a horrible lie, so no one would ever guess that’s what I’m typing. And three, because it’s embarrassing, it’s unlikely that I’d say it out loud while typing. For most people, just using this method for passwords would be an improvement over their current practice. For the best security, however, it’s important to add other complexity.

Substitutionary Complexication

Anyone who was a geek in the 1990s knows that all the cool kids would use numbers in their user names. Whether it was l33th@ck3r or z3r0c00l (or shawnp0wers), substituting numbers and characters for letters does add a layer of complexity. It’s certainly not enough on its own—don’t think the crafty use of an @ symbol or a few “3”s for “e”s will keep you safe—but if you add that to the mnemonic method, it certainly will help. “sIpmnwn1il,bInetb” looks similar to the eye to my password above, but it is much more resistant to a brute-force attack.

Compound Words

In addition to the above-mentioned methods for increasing complexity, a great way to make your password even more secure basically is to have two passwords separated by a string of numbers or characters. Continuing with our booger-picking example above, what if instead of using a comma to separate the phrases, I used a short string of numbers? On its own, something like 6229 is horribly insecure, but if you do something like “sIpmnwn1il6229bInetb”, it becomes a really impressive password that is simple to remember. Because I’m talking about the middle of a character string, using an easy-to-remember number is acceptable here.

Based on just a few tricks, I’ve managed to come up with an excellent password that is easy to remember and not terribly difficult to type. Yay! I’m done! Well, yes and no.

Hey, That’s My Luggage Combination!

The problem is that most people log in to more than one computer system or Web site. Some Web site designers have started to adopt an OpenID sort of authentication system, which allows authentication without actually using a separate password, but that isn’t the case everywhere. At least in the near future, we’ll be stuck with logins and passwords for multiple Web sites. In a perfect world where Web sites store only well-encrypted passwords, and bad guys never steal password databases, a single well-made password would suffice. That is not the world we live in.

It seems every day there’s a company whose Web site has been compromised, and passwords have been leaked. Granted, it’s often fun to see what sorts of passwords other people use, but it’s a sinking feeling to find your password on the list of compromised—especially if it’s the same password you use everywhere. The problem is, coming up with a new password for every Web site is difficult to manage.

If you’re consistent and sneaky enough, you might be able to have a “pattern” that only you know. For example:

- wIvljdc_Iapmn = when I visit Linux Journal dot com, I always pick my nose.
- wIvadc_Iapmn = when I visit Apple dot com, I always pick my nose.
- wIvwpdo_Iapmn = when I visit Wikipedia dot org, I always pick my nose.

Yes, looking at them side by side, it’s easy to tell what the pattern is, but if only one is compromised, it’s not terribly clear. Also, in the above examples, I used what letters made sense to me, but they don’t line up with syllables, rather with how the word separation occurs in my head.

One Ring to Rule Them All

For many security-conscious readers, possibly even you, these lessons in good password practice may make you angry. For you, if a password isn’t 128-characters long, with a combination of letters, symbols, numbers and fairy spells, it’s not good enough. I understand—really, I do. Sadly, I also understand that most of the world still thinks “abc123” is a perfectly cromulent password. For you, my cyborg friend, there are password management tools.

When every site has a password like “af&6fw^faew^@f88*hlDSLjfe8wlsfyy&&8s0##~”, it goes beyond simple mnemonics to remember. Thankfully, there are tools like KeePassX, which is an excellent password manager for Linux, discussed at length by Anthony Dean in the May 2010 issue (http://www.linuxjournal.com/content/keepassx-keeping-your-passwords-safe).

The idea behind programs like KeePassX, or the popular browser-based LastPass, is that you can keep your passwords as complex, and even as random, as you like. The programs keep your passwords encrypted and require a master password to unlock them. (When creating a master password, it’s very important to follow some sort of complexity strategy, like I outlined earlier in this article.)

With a password manager, you can let your brain keep track of a single password, knowing you can retrieve whatever ultra-safe password you need for a site or computer at any time. Granted, this means relying on a program to keep track of your information, so you’ll have to use the program to retrieve it, but with programs like LastPass, there are applications for pretty much every operating system, browser and smartphone in existence. It is usually the only practical way to keep truly random passwords in order. If you can train yourself to use a program or service to manage passwords, it can change the way you think of security. It also can keep you safe if a particular account is hacked. The system is only as secure as the master password, however, so be sure that’s a good one!

Not Quite a Retina Scan...

Thankfully, some companies are taking an honest look at users and realizing password security isn’t something they can force feed. Regardless of articles like this, people still will use the names of their dogs to secure their bank accounts. Some companies have begun to use two-step authentication, which adds a physical response to a password challenge.

Someone certainly can steal your password, but what if in order to log in to your e-mail account, you not only had to enter your password correctly, but also had to respond to a text message sent to your phone? It certainly would eliminate the long-distance hacks, because it’s unlikely hackers even would know your cell-phone number, much less be able to respond to a text message sent to it. Two-step, or two-factor, authentication isn’t terribly popular yet, but the concept is powerful. If we can continue to come up with complex, yet convenient methods for proving authentication, we will make the world safer and safer. That doesn’t mean we can become lax on how we create our passwords, however. Because at least for the near future, secure passwords are the only way to keep our data private.

So Class, What Did You Learn?

You all learned that Shawn apparently picks his nose—at every Web site he visits. Seriously though, hopefully this article has helped you figure out your own method for creating passwords. Please don’t use my exact method, but rather use it to come up with your own. Until we can have retinal scanners on every laptop, we’re going to have to secure our passwords the old-fashioned way, like barbarians. So remember, “Sdrphn,iwoae!” (Shawn doesn’t really pick his nose, it was only an example.)■

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.


NEW PRODUCTS

Digital Defense Inc.’s SecurED Training

For most employees, security is something they leave for folks like us to deal with. With its new SecurED training modules, Digital Defense Inc. (DDI) is employing the oldest trick in the book—humor—to get nongeeks to realize the importance of collaborative enterprise security. DDI has partnered with Emmy-award-winning comedy writer T. Sean Shannon to develop training modules, each 5–7 minutes in length, that promote a culture of security awareness. Humorous situations are used to maintain attention and increase the “stickiness factor”. The modules can be accessed via a PC, laptop, iPad/tablet or mobile device and are accessed through an organization’s LMS. Designed as a year-long program to be viewed monthly, the 12 modules cover topics like password security, acceptable computer use, safe browsing, dangers of social-media sites, preventing viruses and malware and installing software from unknown sources.
http://www.ddifrontline.com

Kyle Rankin’s DevOps Troubleshooting (Addison-Wesley)

The best perk in working for a magazine is that shameless plugs are free. In all seriousness, Linux Journal readers certainly will be interested to know that our own Hack and / columnist, Kyle Rankin, has written a new book titled DevOps Troubleshooting: Linux Server Best Practices. The purpose of DevOps is to give developers, QA and admins a common set of troubleshooting skills and practices so they can collaborate effectively to solve Linux server problems and improve IT performance, availability and efficiency. Kyle walks readers through using DevOps techniques to troubleshoot everything from boot failures and corrupt disks to lost e-mail and downed Web sites. They’ll also master indispensable skills for diagnosing high-load systems and network problems in production environments. Addison-Wesley Professional is the publisher (and royalty provider) for DevOps. So, Kyle, about those royalties....
http://www.informit.com

Wireload Inc.’s YippieMove API

With the release of the new YippieMove API, Wireload Inc.’s YippieMove is upgrading itself from e-mail migration service to e-mail migration solution provider. Since its inception, YippieMove has been actively slaying the beasts involved in moving e-mail history between different e-mail vendors. With the release of the YippieMove API, YippieMove is aiming to become the go-to e-mail migration service for vendors to integrate with. The move opens up a new market for third-party software developers and enables e-mail vendors and ISPs to create fully automatic inbound e-mail migrations for new accounts. Vendors or ISPs potentially could add a simple step to their sign-up process that would enable users to bring over their e-mail archives from any provider or solution to the newly created account in just a few clicks. The custom-built technology has been built from scratch and perfected by YippieMove during the past four years.
http://www.yippiemove.com

Jason R. Briggs’ Python for Kids (No Starch Press)

Veteran programmer Jason R. Briggs’ inaugural venture into book publishing, Python for Kids: A Playful Introduction to Programming, aims to inspire the same love of computing that he experienced decades ago hacking his Radio Shack TRS-80. Python for Kids, published by No Starch Press, is a lighthearted introduction to the Python programming language, full of fun examples and original color illustrations. Briggs begins the book with the basics of how to install Python and write simple commands. In bite-sized chapters, he explains essential programming concepts. By the end of the book, readers have built simple games and created cool drawings with Python’s graphics library, Turtle. Each chapter closes with offbeat exercises that challenge readers to put their newly acquired knowledge to the test.
http://www.nostarch.com

STEC Inc.’s Linux-Based SSD Solutions

We Linuxers always are happy to see new vendors embrace the Linux and open-source paradigm. STEC Inc. is also finding much more to like than it ever imagined after recently developing Linux drivers for its PCI Express-based solid-state drives. STEC reports that coupling the new open-source Linux with the company’s high-performance s1120 PCIe Accelerator SSD card dramatically broadens the range of applications for the device. Furthermore, the combination results in “very promising performance results never seen before”, such as a boost to Oracle application performance to more than 160,000 transactions per minute. Other improvements include an improvement in application response times by maximizing I/Os per second on a single server and a lower TCO by reducing data-center operational and capital expenditures.
http://www.stec-inc.com

txtr beagle

If you are an e-book fan in North America, Kindles or NOOKs probably are among the first devices that come to mind. If the Berlin-based txtr has its way, however, you soon may find yourself reading e-books on the company’s new beagle e-book reader. The txtr beagle, with its 5" screen, 1/4" profile and 4.5oz weight, is billed as the smallest and lightest e-book reader on the market. txtr says the beagle will run for a year on AAA batteries and does not require cables or chargers. It is the first companion reader to receive e-books sent from a smartphone, says the device developer. The Android-based txtr beagle is part of the overall Adobe-certified txtr eReading platform, but does not count as an extra device. txtr believes that these characteristics, as well as a price point for telecom providers potentially as low as $13.00, are the raw materials for a truly global, mass-market e-book reader.
http://www.txtr.com

Please send information about releases of Linux-related products to newproducts@linuxjournal.com or New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.


FEATURE: Elliptic Curve Cryptography

ELLIPTIC CURVE CRYPTOGRAPHY

Elliptic Curve Cryptography provides stronger security at much smaller key sizes than RSA. This article explains how it works and how to use it with OpenSSH.

JOE HENDRIX

When it comes to public key cryptography, most systems today are still stuck in the 1970s. On December 14, 1977, two events occurred that would change the world: Paramount Pictures released Saturday Night Fever, and MIT filed the patent for RSA. Just as Saturday Night Fever helped popularize disco through its choreography and soundtrack, RSA helped popularize cryptography by allowing two parties to communicate securely without a shared secret.

...that you use cryptography providing at least 112 bits of security. For applications that need longer-term protection, NIST recommends at least 128 bits of security.

Just because NIST makes these recommendations, doesn’t mean that applications follow them. Many Web sites, including on-line banks, still will use SHA-1 and pair it with AES-128 and a 1024- or 2048-bit RSA key. According to NIST, achieving true 128-bit security means that the RSA key should be at least 3072 bits—a size most Internet certificate authorities don’t even offer. At present, Verisign will sell you an SSL certificate that it claims offers “256-bit security”, because you can use it with AES-256. The signature itself uses SHA-1 and a 2048-bit RSA key.

At present, the security on the Internet is still sufficiently weak that it almost always will be easier to find a vulnerability that allows an attacker to bypass security rather than directly attack the encryption. However, it is still worthwhile to be aware of how much security the overall encryption implementation provides. In cryptography, more bits are usually better, but an implementation is only as strong as its weakest length. Both ECC and SHA-2 represent essential algorithms to getting real 128-bit or 256-bit security.

Sidebar: DEPARTMENT OF DEFENSE REQUIREMENTS

Although NIST guidance is well respected, the Department of Defense has stronger requirements for classified information. For the Defense Department, 128 bits is only good enough for protecting information classified SECRET. Use of RSA isn’t approved, and TOP SECRET information requires use of AES-256, SHA-384 and ECC with a 384-bit key size. Furthermore, systems must use two separate encryption implementations for protection. For example, use both IPsec and TLS, so that the information is still protected by one layer if a flaw in the other is found. Although this may not be very practical for most Internet applications, it’s interesting to see what the requirements are when security is paramount.

The Mathematics of Elliptic Curve Cryptography

Elliptic Curve Cryptography has a reputation for being complex and highly technical. This isn’t surprising when the Wikipedia article introduces an elliptic curve as “a smooth, projective algebraic curve of genus one”. Elliptic curves also show up in the proof of Fermat’s last theorem and the Birch and Swinnerton-Dyer conjecture. You can win a million dollars if you solve that problem.

To get a basic understanding of ECC, you need to understand four things:

1. The definition of an elliptic curve.
2. The elliptic curve group.
3. Scalar multiplication over the elliptic curve group.
4. Finite field arithmetic.

Essentially, elliptic curves are the points (x, y) that satisfy an equation of the form:

$y^2 = x^3 + ax + b$

Figure 1 shows a picture of an elliptic curve over the real numbers where a is –1 and b is 1. Elliptic curves satisfy some interesting mathematical properties. The curve is symmetric around the x axis, so that if (x,y) is a point on the curve, then (x,–y) is also on the curve. If you draw a line between any two points on the curve with different x coordinates, it will intersect the curve at a unique third point. Finally, for each point on the curve, if you draw a straight line tangent to the curve at that point, it will intersect the curve once again at another point.

[Figure 1. Elliptic Curve over Real Numbers ($y^2 = x^3 - x + 1$)]

Mathematicians use these properties to form a structure called a group from the points on the elliptic curve. A group consists of a set of elements containing a special point (denoted 0), an operation for negating an element (denoted –x), and an operation for adding two elements (denoted x + y). The elements in the group defined by an elliptic curve consist of the points on the curve plus an additional point for 0 that is not on the curve, but as you’ll see below is easiest to visualize as a line on the x-axis. To negate a point, you just negate the y-coordinate of the point, and adding a point to its negation is defined to return 0 (Figure 2). To add two points P and Q with different x-coordinates, draw a line connecting the two points and extending beyond them. This line should intersect the curve at a third point. The sum R = P + Q is the negation of the third point (Figure 3). Finally, to add a point P to itself, draw the line tangent to P. The sum R = 2P is the negation of the point that line intersects (Figure 4).

[Figure 2. Negating a Point (P and –P)]
[Figure 3. Adding Two Points (R = P + Q)]

Once the group is defined, we can talk about scalar multiplication—the fundamental operation that makes elliptic curves useful in cryptography. The kth scalar multiple of P is the point obtained by adding P to itself k times. This can be done efficiently by representing k as a binary number and using a double-and-add multiplication method. If you are familiar with RSA, scalar multiplication plays a similar role in ECC that modular exponentiation plays in RSA.

The real numbers used in diagrams for explaining ECC are not practical to use in actual implementations. Real numbers can have an arbitrary number of digits, and computers have only a finite amount of memory. Most applications, including OpenSSL, use elliptic curves over coordinates that use modular arithmetic, where the modulus is a large prime number. Figure 5 shows the elliptic curve with the same equation as in Figure 1, but where arithmetic is performed modulo 19.

[Figure 4. Doubling a Point (R = 2P)]
[Figure 5. Elliptic Curve over Prime Field (mod 19)]

For the different key sizes in Table 1, NIST recommends a specific elliptic curve with a prime modulus for that key size (see the Binary Fields sidebar). For each key size, NIST specifies three things:

1. The coefficients in the elliptic curve equation.
2. The size of the underlying field for representing x and y.
3. A base point that is a point of the curve to be used when calling scalar multiplication.

To see how big the numbers for a 256-bit curve are, the NIST P-256 curve equation has the coefficients a = –3 and b = 41058363725152142129326129780047268409114441015993725554835256314039467401291. The coordinates are in a prime field modulo p_256 where:

$p_{256} = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$

The base point is G = (x_G, y_G) and defined by:

x_G = 48439561293906451759052585252797914202762949526041747995844080717082404635286
y_G = 36134250956749795798585127919587881956611106672985015071877198253568414405109

If these numbers look big to you, just think that the 256-bit elliptic curve is equivalent to RSA with 3072-bit numbers. RSA public keys contain more than 12 times the number of digits.

Sidebar: BINARY FIELDS

For each bit size, NIST also recommends two other elliptic curves over a type of field called a binary field. Although prime fields are more common in software, binary fields are common when implementing ECC in low-power hardware. I focus on prime curves in this article, because that’s what OpenSSL uses, and there are a lot more patents on binary curve implementations than prime curves. Unless you have some specific hardware needs and also money to spend on lawyers to deal with patents, I’d recommend sticking to prime curves.

If you’d like to learn more about Elliptic Curve Cryptography, there are many references available. Certicom, a company founded by some of the inventors of ECC, hosts an on-line tutorial at http://www.certicom.com/ecc-tutorial. For a more comprehensive understanding of cryptography, the book Understanding Cryptography by Christof Paar, Jan Pelzl and Bart Preneel has a chapter about ECC and also covers the AES and SHA. I’ve just touched the basic definitions here, and I’ve not discussed the optimizations used to make a high-performance implementation like the one in OpenSSL. For a quite comprehensive reference on fast ECC algorithms, the “Handbook of Elliptic and Hyperelliptic Curve Cryptography” (http://www.hyperelliptic.org/HEHCC) has yet to let me down.

Using Elliptic Curve Cryptography in OpenSSH

A little more than a year ago, OpenSSH 5.7 added support for ECC-based cryptography. Although it’s still not in every Linux distribution, support for ECC finally is becoming widespread enough that it’s starting to be worth considering a migration. Support for ECC requires OpenSSH version 5.7 or later and OpenSSL version 0.9.8g or later. OpenSSH can use ECC both to help you authenticate that you really are talking to the server you want and to help the server perform key-based authentication of users.

Host authentication is used by the client to authenticate the server. It is used to detect man-in-the-middle attacks and normally is set up automatically and used by OpenSSH. When OpenSSH is installed, it should create one or more host keys, which normally are stored in /etc/ssh. The ECC private key normally is named ssh_host_ecdsa_key, and the corresponding public key normally is named ssh_host_ecdsa_key.pub. See the man pages for sshd_config if you would like to change this path. Just make sure that the private key can be read only by authorized admins; anybody with access to the host private key potentially could impersonate the server.

Client authentication is used to authenticate the client against the server. Using keys to authenticate rather than passwords is both more convenient (because you can use ssh-agent or another program to cache the key) and more secure (because the password is never sent in plain text to the server). If you have used SSH for significant work in the past, you’ve probably set this up using RSA keys, and the exact same process, namely using ssh-keygen, is used to create ECC keys. The only difference is to pass -t ecdsa to create the key. The man page for ssh-keygen will have more details, and there are many tutorials for setting up SSH keys available on-line if you need a walk-through.

For most people, once encryption software supporting ECC is more widely deployed, converting to ECC should be quick and painless. RSA still is probably “good enough” for most applications, but ECC is significantly more secure, and it may be essential to getting strong security on tiny, low-power, networked devices that are becoming more widespread. Its introduction into open-source tools like OpenSSL and OpenSSH is definitely a great step toward gaining more widespread use.■

Joe Hendrix is a security researcher who works in Portland, Oregon, for Galois, Inc. His main interest is in applying formal verification techniques to real security problems. He welcomes comments sent to jhendrix@whoisjoe.info.
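The chord-and-tangent rules, the double-and-add scalar multiplication and the mod-19 curve of Figure 5 from the mathematics section above, worked through as an added example (not code from the article or from OpenSSL); it also checks that the NIST P-256 base point quoted above lies on its curve. The Curve class, the point enumeration and the scalar 12345 are this example's own choices.

```python
"""Elliptic curve group arithmetic over a prime field, as described in the article.

Added example, not code from the article or from OpenSSL: affine
chord-and-tangent addition, negation, double-and-add scalar multiplication,
and a check against the NIST P-256 constants the article quotes.
"""


class Curve:
    """The curve y^2 = x^3 + a*x + b with coordinates taken modulo the prime p.

    The group's special point 0 (the point at infinity) is represented by None.
    """

    def __init__(self, a, b, p):
        self.a, self.b, self.p = a % p, b % p, p

    def is_on_curve(self, point):
        if point is None:
            return True
        x, y = point
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, point):
        """Negate a point by negating its y-coordinate (Figure 2)."""
        if point is None:
            return None
        x, y = point
        return (x, (-y) % self.p)

    def add(self, P, Q):
        """Chord (Figure 3) or tangent (Figure 4) addition in affine coordinates."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = 0; also covers doubling a point with y = 0
        if P == Q:
            num = (3 * x1 * x1 + self.a) % self.p  # tangent slope (3x^2 + a) / 2y
            den = (2 * y1) % self.p
        else:
            num = (y2 - y1) % self.p  # chord slope (y2 - y1) / (x2 - x1)
            den = (x2 - x1) % self.p
        lam = num * pow(den, self.p - 2, self.p) % self.p  # inverse via Fermat, p prime
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p  # negate the third intersection point
        return (x3, y3)

    def mul(self, k, P):
        """Scalar multiple k*P by double-and-add over the binary digits of k."""
        if k < 0:
            return self.mul(-k, self.neg(P))
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self):
        """Enumerate every affine point; only sensible for a tiny modulus like 19."""
        pts = []
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts.extend((x, y) for y in range(self.p) if (y * y) % self.p == rhs)
        return pts


# The curve of Figures 1 and 5: y^2 = x^3 - x + 1, here modulo 19.
TOY = Curve(a=-1, b=1, p=19)

# NIST P-256, built only from the constants quoted in the article.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256 = Curve(
    a=-3,
    b=41058363725152142129326129780047268409114441015993725554835256314039467401291,
    p=P256_P,
)
P256_G = (
    48439561293906451759052585252797914202762949526041747995844080717082404635286,
    36134250956749795798585127919587881956611106672985015071877198253568414405109,
)


def toy_group_order():
    """Number of group elements: the affine points of TOY plus the point 0."""
    return len(TOY.points()) + 1


if __name__ == "__main__":
    P = (0, 1)
    print("2P =", TOY.mul(2, P), " 3P =", TOY.mul(3, P))
    print("group order of the mod-19 curve:", toy_group_order())
    print("P-256 base point on curve:", P256.is_on_curve(P256_G))
```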


FEATURE: Configuring One-Time Password Authentication with OTPW

CONFIGURING ONE-TIME PASSWORD AUTHENTICATION with OTPW

Have you ever wanted to log in to your system from a hotel kiosk or Internet café? That’s risky business, but Todd A. Jacobs shows you how to work hard and play safe on public terminals. Todd walks you through the configuration and day-to-day usage of one-time password authentication using OTPW, and even shows you how to integrate it with SSH. Sadly, he offers no advice on what coffee tastes best while connecting safely from a trendy hotspot.

TODD A. JACOBS

Password authentication contains a lot of assumptions about security and trust. Encrypted SSH tunnels and public key verification are two common ways to ensure that your password is not compromised in transit. But, what if it’s the computer you’re currently typing on that can’t be trusted?

This isn’t just a tinfoil-hat scenario for paranoid penguinistas. There are many everyday situations and common locations where you probably should not use your system password, even over a secure tunnel. Examples include:

- A public computer in a hotel, library or Internet café.
- A coworker’s virus-infested computer.
- A shared workstation while pair-programming.
- Any place someone could watch you type in your password.

What do all these examples have in common? Essentially, that you’re trying to connect to a trusted destination from an untrusted source. This is a complete reversal of what most authentication systems were designed to address.

Take public key authentication. SSH public key authentication certainly bypasses the password prompt on the remote host, but it still requires you to trust the local machine with your private key password. In addition, once the key is decrypted with your password, the local system has full access to the sensitive key material inside.

Uh-oh—luckily, there’s already a solution for this frequently overlooked problem: one-time passwords.

The combination of SSH and one-time passwords is powerful:

- The SSH protocol provides encryption of the login sequence across the network.
- A good SSH client allows you to inspect the remote host’s public key fingerprint before entering your credentials. This prevents a rogue host from collecting your one-time passwords.
- The one-time password system ensures that a password can’t be reused. So, even if the password is captured in transit, it’s worthless to an attacker once you’ve logged in with it.


Although not a drop-in replacement for OPIE, OTPW offers comparable functionality while providing some interesting features not found in either S/KEY or OPIE.

- Shared-filesystem support. Because OTPW checks passwords against a list of hashed values stored in a user's home directory, one password list will work for all systems mounting the same $HOME directory.

Next, I cover installing and using OTPW, with a special focus on integration with OpenSSH.

Package Installation

To make use of OTPW, you need two binaries: otpw-bin and libpam-otpw. With Debian and Ubuntu, installation is as easy as:

sudo apt-get install otpw-bin libpam-otpw

If your distribution does not provide OTPW, you can download the source directly from the author's home page. The source tarball does not use GNU autoconf, so you will need to compile and install the binaries manually in accordance with the author's instructions.

Configure PAM

The next step in preparing the system for OTPW is configuration of libpam-otpw. A full treatment of PAM is outside the scope of this article, but I cover the most common use cases here.

Changing your PAM configuration can lock you out of your workstation or server, so it's a good idea to keep your existing terminal open until you're sure that things are working correctly. If you have console access, keep a bootable distribution or rescue disk handy. See the Testing One-Time Password Authentication with SSH sidebar for more information about testing PAM over SSH.

The easiest way to enable OTPW is to put it immediately above pam_unix in your common-auth configuration file:

# /etc/pam.d/common-auth
auth     sufficient  pam_otpw.so
session  optional    pam_otpw.so
auth     sufficient  pam_unix.so nullok_secure
auth     required    pam_deny.so


TESTING ONE-TIME PASSWORD AUTHENTICATION WITH SSH

If you are configuring a remote system for OTPW, you should test your PAM stack without closing your current SSH connection. Remember, if you make a mistake with your PAM configuration, you may be unable to authenticate—even with console access—so keep a bootable distribution, such as Knoppix, SystemRescueCD or Finnix handy just in case. Meanwhile, existing logins remain unaffected because they already are authenticated.

In order to test the PAM stack properly, you can't re-use your existing SSH connection. Most recent distributions support SSH multiplexing and persistent connections out of the box, so explicitly disable these options for testing.

In addition, SSH prefers public key authentication by default. So, in order to test OTPW authentication, public key authentication needs to be temporarily disabled too. The following invocation enables accurate testing of the SSH PAM stack, without making any system changes:

read -p 'Hostname: ' REMOTE_HOST &&
SSH_AGENT_PID= SSH_AUTH_SOCK= \
ssh \
    -o PreferredAuthentications=keyboard-interactive \
    -o ControlPersist=no \
    -o ControlPath=none \
    "$REMOTE_HOST"

Once you have confidence that OTPW is working correctly, you also should verify that your other authentication mechanisms (namely SSH public keys and normal system passwords) continue to work as expected.

The order of the PAM libraries is very important. When placing OTPW first, users with an ~/.otpw file are prompted for a one-time password first, allowing fallback to standard system passwords if the OTPW login fails. Users without a ~/.otpw file simply will see the standard password prompt.

If you prefer to reverse the order, prompting for a system password before falling back to one-time passwords, just ensure that pam_deny comes last:

# /etc/pam.d/common-auth
auth     sufficient  pam_unix.so nullok_secure
auth     sufficient  pam_otpw.so
session  optional    pam_otpw.so
auth     required    pam_deny.so

If you're tempted to remove standard system passwords altogether, especially from console logins, please don't. On some systems, most notably Ubuntu systems with ecryptfs-encrypted home directories, recovering from OTPW mishaps is extremely difficult without standard system passwords.

Modifying common-auth is usually the right thing to do on a headless server or console-only system. However, workstations or servers that provide the X Window System present special problems for one-time password systems.

Some tools or applications won't work properly with OTPW because they can't display the challenge to the user. The typical symptom is usually a password dialog that never completes or seems to ignore user input. In times past, gksu and GNOME Display Manager (GDM) had this issue with OPIE. In such cases, the solution is to move OTPW out of common-auth and include it only in specific services.

For example, you can add OTPW authentication to SSH connections while using just the standard password prompt for console or GUI logins. You can do this in three easy steps:

1. Delete any lines from common-auth that reference pam_otpw.so:

# /etc/pam.d/common-auth on Debian Squeeze
auth     sufficient  pam_unix.so nullok_secure
auth     required    pam_deny.so


2. Create a new OTPW include file for PAM:

# /etc/pam.d/otpw
auth     sufficient  pam_otpw.so
session  optional    pam_otpw.so

3. Include OTPW immediately before common-auth in /etc/pam.d/sshd:

# Other stuff ...

# Enable OTPW authentication.
@include otpw

# Standard Un*x authentication.
@include common-auth

# More stuff ...

SSH Configuration

In addition to configuring the PAM libraries, OTPW needs the following three settings in the SSH dæmon's configuration file:

# /etc/ssh/sshd_config
UsePrivilegeSeparation yes
UsePAM yes
ChallengeResponseAuthentication yes

These are usually there, but possibly commented out or set to "no", so modify them accordingly. Next, reload the SSH dæmon after modifying its configuration file:

# Generic Linux
sudo /etc/init.d/ssh reload

# Debian 6.0.4+
sudo service ssh reload

# Ubuntu 11.04+
sudo reload ssh

Generating OTPW Passwords

Once the OTPW PAM module has been configured properly, only users with an ~/.otpw file will be challenged with a one-time password dialog during login. This file contains some metadata about its contents, as well as a list of one-way hashes that will match only a valid response to a challenge.

To create this file, or to re-populate it with new passwords, use the otpw-gen utility. By default, it will create 280 password suffixes, formatted to fit on a single side of US letter-sized (8.5" x 11") paper. Because only the one-way hashes are stored in ~/.otpw, not the passwords themselves, you must capture or print the standard output of this command when the passwords are generated. You will not be able to retrieve the password list after the fact; you'll need to generate new passwords instead.

Here is what it looks like when you run the command for the first time, piping the output to your default printer:

$ otpw-gen | lpr
Generating random seed ...

If your paper password list is stolen, the thief
should not gain access to your account with this
information alone. Therefore, you need to memorize
and enter below a prefix password. You will have to
enter that each time directly before entering the
one-time password (on the same line).

When you log in, a 3-digit password number will be
displayed. It identifies the one-time password on
your list that you have to append to the prefix
password. If another login to your account is in
progress at the same time, several password numbers
may be shown and all corresponding passwords have to
be appended after the prefix password. Best generate
a new password list when you have used up half of
the old one.

Enter new prefix password:
Reenter prefix password:
Creating '~/.otpw'.
Generating new one-time passwords ...

When generating a new password list, the prompts that appear on standard error are slightly different:

Overwrite existing password list '~/.otpw' (Y/n)?
Enter new prefix password:
Reenter prefix password:
Creating '~/.otpw'.
Generating new one-time passwords ...

The first prompt ensures that you don't accidentally over-write your existing password list; the second prompt asks you for a new password. There's nothing stopping you from reusing the same prefix password on each invocation—the random seed makes duplicate hashes unlikely—but best practice is to use a new prefix each time you regenerate the password list.

If you want to generate a password list on a remote host but print to a local printer, you can do this over your SSH connection as long as you trust your localhost:

read -p 'Hostname: ' &&
{
    stty -echo
    ssh "$REPLY" otpw-gen | lpr
    stty echo
}

Note the use of stty to ensure that your prefix password isn't echoed to the screen. As long


as your prefix password remains secure, you are no worse off using an untrusted printer than you are if your password list falls into the wrong hands. This is often a valuable security trade-off for frequent travelers.

Finally, to disable OTPW challenges for a given user, just delete the .otpw file in that user's home directory.

Using OTPW to Log In

Once you have your password list in hand, you're ready to use one-time password authentication for your SSH connection. Assuming that you don't have any identities loaded into your SSH agent, your dialog should look similar to this:

$ ssh localhost
Password 015:

The prompt with the digits is the OTPW challenge. To respond, find the matching challenge ID on the password sheet you printed earlier. Next, enter your prefix password followed by the string that follows the challenge ID.

Using "foo" as a prefix password, the following suffix list was generated. Your list and suffixes will be different, even if you use the same prefix password.

OTPW list generated 2012-05-06 13:40 on localhost

000 SWvv JGk5  004 =qfF q2Mv  008 sb5P h94r  012 o5aH +/GD  016 8eLV VxuA
001 xPZR :ceV  005 B=bq =mHN  009 WBSR smty  013 QMZ% +bm8  017 vjFL K4VU
002 Sj%n 9xD3  006 RrNx sJXC  010 Xr6J F+Wv  014 j=LO CMmx  018 Km8c 8Q3K
003 s7g8 NE%v  007 sd=E MTqW  011 fNKT vo84  015 fWI% MB9e  019 z8ui %eQ3

!!! REMEMBER: Enter the PREFIX PASSWORD first !!!

To respond to this challenge successfully, type:

foo fWI% MB9e

at the prompt. The spaces are optional; OTPW ignores them if present.

If you answered the challenge correctly, login will proceed. Otherwise, you will be prompted with the standard system login. At this point, you can enter your standard system password, or press Return to give OTPW another try. After the system-defined number of password attempts (usually three), the login will fail and return you to the command prompt:

$ ssh localhost
Password 013:
Password:
Password 013:
Password:
Password 013:
Password:
Permission denied (publickey,password,keyboard-interactive).


To prevent simultaneous logins, or when SSH is interrupted during OTPW authentication, OTPW may lock a password. When a password is locked, your next login attempt will present a triplet challenge that requires one prefix and three suffixes to respond:

$ ssh localhost
Password 004/011/005:

Given the same password list as before, enter your triplet response as a single line, with or without spaces. The following shows how the response is composed (note that the first line below is just an informational aid; you would type only the second line below, without the pipe characters):

prefix | suffix 004 | suffix 011 | suffix 005
foo    | =qfF q2Mv  | fNKT vo84  | B=bq =mHN

Once you have successfully responded to a triplet challenge, login will proceed and the ~/.otpw.lock symlink should be removed, and your next challenge will again be a single challenge ID number.

In some cases, the lock is not removed properly. If you continue to be prompted for a triplet, you can remove the lockfile manually:

rm ~/.otpw.lock

Users with encrypted home directories that are not already mounted before login will need to take a few additional steps. See the OTPW and Encrypted Home Directories sidebar for an example.

Check for Remaining Passwords

If your password list is exhausted, you will no longer be able to use OTPW to log in until a new list is generated. Likewise, if your password list doesn't contain at least three unused responses, you will not be able to use OTPW to log in when ~/.otpw.lock exists, because there


Listing 1. otpw-stats.sh

#!/bin/bash

# 30 unused passwords seems like a reasonable, if
# arbitrary, floor to ensure randomness and a small
# cushion against triplet exhaustion. Feel free to
# adjust this number to suit your needs.
MIN_PASSWORDS=30
OTPW_LIST="$HOME/.otpw"

# Stop processing if OTPW isn't set up for this
# user.
[ -f "$OTPW_LIST" ] || exit

# The top two lines of an OTPW file are meta-data.
TOTAL_PASSWORDS=$(( $(wc -l < "$OTPW_LIST") - 2 ))

# Lines with dashes represent used passwords.
USED_PASSWORDS=$(grep -c '^-' "$OTPW_LIST")

# The number of passwords remaining is a calculated
# value.
PASSWORDS_LEFT=$((TOTAL_PASSWORDS - USED_PASSWORDS))

# Report the count at login. The original listing was
# truncated after "cat" in this copy; the message text
# below is a minimal reconstruction, not the author's.
cat <<EOF
OTPW: $PASSWORDS_LEFT of $TOTAL_PASSWORDS one-time passwords remain unused.
EOF
if [ "$PASSWORDS_LEFT" -lt "$MIN_PASSWORDS" ]; then
    echo "OTPW: fewer than $MIN_PASSWORDS unused passwords; run otpw-gen to regenerate the list."
fi
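The Check for Remaining Passwords rule above (a login with ~/.otpw.lock present needs three unused entries, and the list should be regenerated before it runs low) can be tested against a list without logging in. The following POSIX shell functions are an added example, not code from the article or from the OTPW project. They rely only on the two properties the text states about ~/.otpw, that the first two lines are metadata and that used entries are overwritten with dashes; the sample list, its header lines and its hash strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect an ~/.otpw-style list and decide whether a
# single or a triplet challenge can still be answered. Not from the
# article or the OTPW project.

# Constructed sample list: two placeholder header lines (standing in for
# OTPW's real metadata), then eight entries of which six are used.
SAMPLE_LIST='OTPW1 (constructed header line 1)
8 3 12 (constructed header line 2)
u6ZaQr1cXw9e
------------
------------
Lm4pT7vb2KqS
------------
------------
------------
------------'

# otpw_count_unused FILE: entries not yet consumed (not all dashes).
otpw_count_unused() {
    tail -n +3 "$1" | grep -c -v '^-' || true
}

# otpw_count_total FILE: all entries, used or not.
otpw_count_total() {
    tail -n +3 "$1" | grep -c . || true
}

# otpw_login_possible FILE LOCKED: prints "yes" or "no". LOCKED is 1 when
# ~/.otpw.lock exists, in which case the next challenge is a triplet and
# three unused entries are needed instead of one.
otpw_login_possible() {
    unused=$(otpw_count_unused "$1")
    if [ "$2" -eq 1 ]; then needed=3; else needed=1; fi
    if [ "$unused" -ge "$needed" ]; then echo yes; else echo no; fi
}

# otpw_status FILE MIN: one-line summary, with a regeneration hint when
# fewer than MIN unused entries remain (the floor Listing 1 uses).
otpw_status() {
    unused=$(otpw_count_unused "$1")
    total=$(otpw_count_total "$1")
    if [ "$unused" -lt "$2" ]; then
        echo "OTPW: $unused of $total unused (below floor of $2): run otpw-gen"
    else
        echo "OTPW: $unused of $total unused"
    fi
}

# Stand-alone demonstration on the constructed list.
otpw_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LIST" > "$tmp"
    otpw_status "$tmp" 30
    echo "single challenge possible: $(otpw_login_possible "$tmp" 0)"
    echo "triplet challenge possible: $(otpw_login_possible "$tmp" 1)"
    rm -f "$tmp"
}

otpw_demo
```

On the sample list two entries remain, so a normal challenge can still be answered but a triplet cannot; that is exactly the state in which a stale ~/.otpw.lock locks a user out of OTPW until the list is regenerated, which is why the floor in Listing 1 is worth keeping well above three.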


are not enough challenge IDs to issue a triplet.

In addition, some of the security of OTPW comes from the randomness of the remaining challenges. The use of triplets in particular can exhaust your unused passwords rapidly, so it's a good idea to regenerate the password list whenever you fall below a minimum amount.

The OTPW author recommends regenerating the password list when less than half the original passwords remain unused, but doesn't define a minimum bound for the number of passwords required for adequate randomness of challenges. A small number of unused passwords makes you more vulnerable to brute-force attacks, since there are fewer challenges to present.

The pam_otpw.so PAM module is supposed to inform the user when unused passwords fall below half of those generated. However, the PAM session functionality doesn't seem to work on Debian or Ubuntu. In addition, even if it worked, the module doesn't establish a floor to ensure sufficient randomness of challenges.

The otpw-stats.sh script shown in Listing 1 provides this missing functionality. It also allows you to define a sensible minimum for unused passwords by adjusting the MIN_PASSWORDS variable at the top of the script.

Add otpw-stats.sh to your ~/.profile (or other shell startup script) to provide feedback at login:

# Only run script when logging in via SSH.
[ -n "$SSH_CONNECTION" ] && ~/bin/otpw-stats.sh

Conclusion

OTPW provides a one-time password implementation that compares favorably against OPIE and S/KEY. It is easy to integrate with SSH on most Linux systems, and remains possible to use on Ubuntu systems with encrypted home directories.■

Todd A. Jacobs is a veteran IT consultant with a passion for all things Linux. He spends entirely too much time making systems do things they were never designed to do. He spends the rest of his time being immensely grateful for a wife who supports his geektastic projects.

Resources

OTPW Source: http://www.cl.cam.ac.uk/~mgk25/otpw.html




FEATURE Wi-Fi Mini Honeypot

Wi-Fi Mini Honeypot

Do you have an old, unused wireless router collecting dust? Have some fun and make a Wi-Fi honeypot with it!

MARCIN TEODORCZYK


Recently, I've been playing with some new wireless gear. It's nothing special: a 200mW Atheros-based transceiver and an 18dBi yagi antenna. I'm living in an apartment in a city of about 640,000 people. I've pointed the antenna to a window and passively received about 30 wireless ESSIDs, three of which were unsecured (open) and six secured with WEP (easily crackable). I haven't connected to any of them, of course, but that gave me some ideas.

What if I deployed a wireless access point deliberately open? Some people eventually will connect and try to use it for Internet access—some might be malicious, and some might think that it's a hotspot. And, what if I deployed a similar access point, but secured with easily crackable WEP this time? Well, in my humble opinion, it's not possible to unconsciously crack WEP. If somebody that I don't know connects to this AP, I've just been attacked. All I need to do is to monitor.

That's exactly a wireless honeypot: a fake access point, deliberately unsecured or poorly secured and monitored, so you can get as much information about attackers as you want. Such honeypots are especially useful in large networks as early threat indicators, but you also can play with them on your home network, just for fun and research.

You can build a wireless honeypot with old hardware, some spare time and, of course, a Linux-based solution. OpenWrt (https://openwrt.org) and DD-WRT (http://www.dd-wrt.com/site/index) are the two most popular Linux-based firmware projects for routers. I use them and some old spare routers in this article to show you how to build three kinds of honeypots: a very basic one that logs only information about packets sent by users into its memory, a little more sophisticated one with USB storage that logs a few more details about malicious clients to the storage, and finally, a solution that redirects HTTP traffic through a proxy that not only can log, but also interfere with communication.

Building a very basic wireless honeypot shouldn't take you more than an hour or two.

Basic Honeypot with DD-WRT

Building a very basic wireless honeypot shouldn't take you more


it has 32MB of RAM and 4MB of Flash memory. OpenWrt's hardware requirements are a little bigger.

Next, flash your router (that's the risky part). Basically, you need to download the firmware for your machine and upload it to the memory. On some routers, it's as easy as clicking a button on the Web interface. On others, you have to connect through a serial cable, for example. Remember, this step can be dangerous. Make a backup first and be sure to read the instructions carefully on the DD-WRT/OpenWrt sites.

After successfully flashing your router, you should see an enhanced (as compared to the original one) Web interface. Now, set up SSH access and wireless network parameters. If you don't know how, you can find detailed instructions on the DD-WRT home page. As it is going to be a honeypot, I would suggest WEP, which should attract potential attackers. At the same time, it won't be so vulnerable to false positives—people with devices automatically connecting to an open network.

If you can log in as root and see the prompt, you're ready for the next step: enabling system logging. You can do this using the Web interface: Services→Services→System Log and Security→Log Enable (Figure 1).

You also can set a few ESSIDs instead of just one: Wireless→Basic Settings→Virtual Interfaces. After that, your honeypot will be seen as a few networks—at least at first glance. This increases the probability of attacks, especially when there are many other networks in your neighborhood.

Remember, you don't have to connect your honeypot to the Internet. In fact, you shouldn't, as you have no control of what potential users might do with the Internet access. After configuring it as described above, test whether it logs your connections. DD-WRT writes the log in /var/log/messages by default. You can check it using SSH. Here's an example fragment of such a log:

Jan 1 00:43:03 orange user.warn kernel: ACCEPT IN=br0 OUT= MAC=00:26:5a:a1:bc:86:00:0c:f1:11:43:0e:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22535 SEQ=1
Jan 1 00:43:04 orange user.warn kernel: ACCEPT IN=br0 OUT= MAC=00:26:5a:a1:bc:86:00:0c:f1:11:43:0e:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22535 SEQ=2

If you can see your packet info logged, just leave the router and wait, looking at the log from time to time.

Unfortunately, with such small


resources, you can't do much more—at least within a few hours. This basic honeypot would log only packet headers, IPs and MAC addresses. You can see how a ping command is logged in the previous example. Generally, all the information you can collect is when somebody with a specified MAC and IP tries to use your network—that's not much.

Logging Associations to USB Storage with OpenWrt

You can build a little more-advanced wireless honeypot with OpenWrt. Using it, you'll be able to log not only packets, MAC addresses and IP addresses, but also wireless associations, authentications, disassociations, deauthentications and timestamps. With a little effort, you also can expand your honeypot logging capabilities to use USB storage—that gives you a lot more space for logs.

My second router has 32MB of RAM, 8MB of Flash memory and USB support. On such hardware, you easily can install OpenWrt in a similar way as DD-WRT. Detailed instructions are available on the OpenWrt site. After installing it, setting up a wireless access point and logging in via SSH as root, you need to install a few more packages.

First, you'll need USB storage support:

opkg update
opkg install kmod-usb-ohci
opkg install kmod-usb2
insmod usb-ohci
insmod usbcore
insmod ehci-hcd

Now, after connecting a pendrive, dmesg should show it to you, for example, as /dev/sda. Make a directory for mounting your storage: mkdir /storage. Then mount it: mount /dev/sda1 /storage. You'll use it later for gathered data.

Next, you must decide what traffic to log. Let's assume you want to log all traffic forwarded by the router. To do this, use netfilter and iptables (http://www.netfilter.org):

iptables -I FORWARD -j LOG

just as you would do in a typical Linux distribution.

Listing 1 shows an example fragment of a log stored on the pendrive. It was generated by the user associating, authenticating, requesting an IP through DHCP and connecting to google.pl:80.

This honeypot is a little more advanced, although you still don't have much control over user activity on the Internet. You either shouldn't


Listing 1. Example Log Generated with OpenWrt and Stored on a Pendrive

Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: authenticated
Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: associated (aid 1)
Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e WPA: pairwise key handshake completed (RSN)
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: DHCPDISCOVER(br-lan) 192.168.1.99 00:0c:f1:11:43:0e
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: DHCPOFFER(br-lan) 192.168.1.99 00:0c:f1:11:43:0e
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: DHCPREQUEST(br-lan) 192.168.1.99 00:0c:f1:11:43:0e
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: DHCPACK(br-lan) 192.168.1.99 00:0c:f1:11:43:0e red
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59445 DF PROTO=TCP SPT=49958 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=eth0.2 OUT=br-lan SRC=209.85.148.105 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=6488 PROTO=TCP SPT=80 DPT=49958 WINDOW=5672 RES=0x00 ACK SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59446 DF PROTO=TCP SPT=49958 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=59447 DF PROTO=TCP SPT=49958 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Oct 15 10:17:15 white user.warn kernel: IN=eth0.2 OUT=br-lan SRC=209.85.148.105 DST=192.168.1.99 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=6489 PROTO=TCP SPT=80 DPT=49958 WINDOW=106 RES=0x00 ACK URGP=0
Oct 15 10:17:15 white user.warn kernel: IN=eth0.2 OUT=br-lan SRC=209.85.148.105 DST=192.168.1.99 LEN=561 TOS=0x00 PREC=0x00 TTL=51 ID=6490 PROTO=TCP SPT=80 DPT=49958 WINDOW=106 RES=0x00 ACK PSH URGP=0
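A log in the Listing 1 format is more useful once it is reduced to "which client got which address and what did it try to reach". The shell and awk functions below are an added example, not code from the article, OpenWrt or DD-WRT; they correlate hostapd association lines, dnsmasq DHCPACK lines and netfilter LOG lines into one summary per client, counting only outbound SYN-only packets so that each connection attempt appears once. The sample log is constructed to follow the Listing 1 format: the first client's MAC and address are the ones from the listing, the second client's MAC and the 203.0.113.x destinations are made up for the example.

```shell
#!/bin/sh
# Added example: summarise a honeypot's syslog into one line per wireless
# client. Not from the article, OpenWrt or DD-WRT. Busybox awk, grep and
# sort are sufficient, so this can run on the router itself.

# Constructed sample log in the Listing 1 format (TEST-NET-3 destinations,
# second client MAC made up).
SAMPLE_LOG='Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: authenticated
Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: associated (aid 1)
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: DHCPACK(br-lan) 192.168.1.99 00:0c:f1:11:43:0e red
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59445 DF PROTO=TCP SPT=49958 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=eth0.2 OUT=br-lan SRC=203.0.113.10 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=6488 PROTO=TCP SPT=80 DPT=49958 WINDOW=5672 RES=0x00 ACK SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59446 DF PROTO=TCP SPT=49958 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Oct 15 10:17:20 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59450 DF PROTO=TCP SPT=49960 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:17:25 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59451 DF PROTO=TCP SPT=49961 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:18:02 white daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 IEEE 802.11: associated (aid 2)
Oct 15 10:18:04 white daemon.info dnsmasq-dhcp[1106]: DHCPACK(br-lan) 192.168.1.100 02:00:00:00:00:02
Oct 15 10:18:09 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.100 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1201 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:18:40 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: disassociated'

# honeypot_clients LOG: MACs that completed 802.11 association, one per line.
honeypot_clients() {
    awk '/hostapd:/ && /: associated/ {
            for (i = 1; i <= NF; i++) if ($i == "STA") print $(i + 1)
        }' "$1" | LC_ALL=C sort -u
}

# honeypot_ip_for LOG MAC: the address dnsmasq acknowledged for MAC
# (the field before the MAC on a DHCPACK line; the last ACK wins).
honeypot_ip_for() {
    awk -v mac="$2" '/DHCPACK\(/ {
            for (i = 1; i <= NF; i++) if ($i == mac) ip = $(i - 1)
        } END { print ip }' "$1"
}

# honeypot_targets LOG IP: DST:DPT of outbound SYN-only packets from IP,
# i.e. one line per connection attempt, de-duplicated.
honeypot_targets() {
    awk -v ip="$2" '/kernel:/ && /SRC=/ {
            src = ""; dst = ""; dpt = ""; syn = 0; ack = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i == "SYN") syn = 1
                else if ($i == "ACK") ack = 1
            }
            if (src == ip && syn && !ack) print dst ":" dpt
        }' "$1" | LC_ALL=C sort -u
}

# honeypot_report LOG: "MAC IP target,target,..." per associated client.
honeypot_report() {
    honeypot_clients "$1" | while read -r mac; do
        ip=$(honeypot_ip_for "$1" "$mac")
        targets=$(honeypot_targets "$1" "$ip" |
            awk '{ s = s (NR > 1 ? "," : "") $0 } END { if (s != "") print s }')
        echo "$mac ${ip:-no-lease} ${targets:-none}"
    done
}

# Stand-alone demonstration on the constructed log.
honeypot_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    honeypot_report "$tmp"
    rm -f "$tmp"
}

honeypot_demo
```

Run against the sample, the report shows the first client reaching a web server on ports 80 and 443 and then trying port 22 on a second host, and the second client going straight for port 23; on a network that nobody should be using at all, a connection attempt to an administrative port is the kind of line worth reviewing first. Because the LOG rule in the text sits on the FORWARD chain, only traffic the router forwards appears here; packets aimed at the router itself need a matching rule on INPUT.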


connect the router to the Internet, filter the traffic with iptables and/or set up a proxy between your router and the Internet. Or, you can set up a proxy on your router!

OpenWrt and Tinyproxy

If your machine has enough resources, you can go one step further and use a proxy on your router. With this, you will be able to monitor, filter

Listing 2. Tinyproxy Configuration with Domain Filtering, Stealth Mode and Custom Log Localization

config 'tinyproxy'
    option 'User' 'nobody'
    option 'Group' 'nogroup'
    option 'Port' '8888'
    option 'Listen' '192.168.1.1'
    option 'Timeout' '600'
    option 'DefaultErrorFile' '/usr/share/tinyproxy/default.html'
    option 'StatFile' '/usr/share/tinyproxy/stats.html'
    option 'Logfile' '/storage/tinyproxy.log'
    option 'LogLevel' 'Connect'
    option 'MaxClients' '100'
    option 'MinSpareServers' '5'
    option 'MaxSpareServers' '20'
    option 'StartServers' '10'
    option 'MaxRequestsPerChild' '0'
    list 'Allow' '192.168.1.0/24'
    list 'Allow' '127.0.0.1'
    option 'ViaProxyName' 'tinyproxy'
    option 'DisableViaHeader' '1'
    option 'FilterDefaultDeny' '1'
    option 'Filter' '/storage/filter'
    list 'ConnectPort' '443'
    list 'ConnectPort' '563'
    option 'enable' '1'


Then, configure and run it with:

uci set tinyproxy.@tinyproxy[0].enable=1
uci commit
/etc/init.d/tinyproxy enable
/etc/init.d/tinyproxy restart

From now on, your tinyproxy should listen by default on port 8888 on your localhost. You can check this with the netstat command. Since you want to accept connections not only from localhost, but also from the LAN, you'll have to change the configuration a little bit. Also, in our case, it's better to run it in so-called stealth mode—that means no added headers in HTTP. You can find the tinyproxy configuration in the /etc/config/tinyproxy file. Listing 2 shows an example of such a configuration.

Notice that the logfile is specified to be in the /storage directory, which is our pendrive. Another important option is list 'Allow'. These are the IPs that are allowed to connect to the tinyproxy. You should specify your LAN network or a part of it.

Tinyproxy also lets you filter requests by domain. You can specify a blacklist or a whitelist of domains in the Filter file. In our configuration, this is '/storage/filter'. Also, here we notify tinyproxy to treat this file as a whitelist (FilterDefaultDeny 1), meaning that requests only for specified domains will be allowed. That way, you can forbid attackers from accessing the Internet with their browsers or let them access only specified domains. An example of a /storage/filter file could be:

linuxjournal.com

That would let them visit only the Linux Journal Web site.

Keep in mind that this will block only HTTP requests; all the other traffic will be allowed if you haven't blocked it elsewhere.

Finally, you must tell your router to forward all HTTP traffic to your new proxy. As usual, you can do this with iptables, but first you need to install the iptables-mod-nat-extra package:

opkg install iptables-mod-nat-extra
iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j REDIRECT --to-port 8888

From now on, all HTTP requests should be forwarded through tinyproxy and logged to /storage/tinyproxy.log. Listing 3 shows a fragment of such a log. You can see what connections the user tried to make and what has been filtered by the proxy.

Listing 4. tinyproxy.html (only the visible text of the page survived extraction; the HTML markup is missing)

Information
Information
{clienthost} You shouldn't use this network for web access.

Figure 2. Web Site Template


When tinyproxy filters a connection request, it displays an information page describing what happened. You also can make use of this to hide tinyproxy's presence or to inform or deceive your attackers (or make a joke). The Web site template is in /usr/share/tinyproxy/default.html. You can see a slightly modified version of this in Listing 4 and Figure 2. This doesn't tell users about tinyproxy and the reason for seeing this page; instead, it politely informs them that they shouldn't use this network for Internet access.

Go with the Evolution

The next step in the evolution would be a full-blown wireless honeypot. You can make one using a machine that can run a typical Linux distribution. Then install, for example, dionaea (http://dionaea.carnivore.it), use a wireless card configured to run as an access point and forward all traffic to your localhost, on which the attacker will see fake services.

Remember, if you want a really good honeypot, make sure that it looks as close as possible to reality. That means, for example, that you might use some dummy clients just to simulate traffic. Or, use WPA instead of WEP. It all depends on your environment.

Also, it is important to be familiar with your country's laws. Make sure it's not prohibited to sniff your attackers' data. Think about whether it's wise to make an Internet connection available for them. Maybe it would be better not to connect your router's WAN port to anything at all, connect it to your machine simulating the Internet or connect it to the Internet but filter the traffic with iptables?

Finally, don't be discouraged by the DD-WRT or OpenWrt systems. They are based on Linux and are very similar in use, but because of the small resources available, they're stripped down. There are no manual pages, and the utilities you may know from your Linux distribution behave slightly differently, even though they are named the same. And, the documentation isn't always accurate. If you have any problems, both projects' wikis are very helpful.

And, last but not least, have fun building your solution and (especially) with browsing the collected data!■

Marcin Teodorczyk is a GNU/Linux user with more than 12 years of experience. For the past four years, he's been using Arch Linux exclusively on his personal computers. Marcin has an M.Sc. degree in IT and works as a security officer. In his spare time, he writes articles for IT magazines or...juggles.


INDEPTH

Phonegap Application Development

Phonegap: the easy way to develop smartphone applications.

MIKE DIEHL

How many times have you heard, “there’s an app for that”? But sometimes, there actually isn’t “an app for that”, or the apps that do exist don’t meet your needs. As Linux users, we tend to like to scratch our own itches, and if that means we write some code to do it, so be it. However, writing code to run on an Android phone or tablet has a bit of a learning curve, and it’s even worse on Apple products. Fortunately, Phonegap provides a simple way to create standalone apps for Android, iPhone, WebOS, Blackberry and Windows Phone, among others. You just need to be reasonably proficient in HTML, JavaScript and CSS, and you can develop native apps for the majority of smartphones currently in use. And, the same code base can run, with obvious limitations, on any Web browser.

Developing native code for Android is relatively easy. You’ll have to learn to use Android’s XML-based screen layout mechanism, and you’ll have to learn Java. For iPhone, you’ll need to learn Objective C. If you want to develop for Windows Phone, you’ll need to learn C# as well. Instead, you simply could use Phonegap and maintain a single code base in HTML/JavaScript/CSS. This is the definition of a “no-brainer”.

Before I go much further, I need to clear up a potential source of confusion. Phonegap initially was developed by a company named Nitobi, which subsequently was acquired by Adobe. In 2011, Nitobi/Adobe donated the Phonegap code base to the Apache Foundation. As a result of this contribution, they needed to ensure that the intellectual property was unfettered by trademark ambiguity, so they renamed the Phonegap project to Cordova. The Apache Foundation is in the process of migrating from Phonegap to Cordova, so I refer to this project as Cordova here.

Getting started with Cordova on Android isn’t difficult. At the risk of rehashing material that is well documented elsewhere, I’ll just outline the process involved. First, you have to install the Android SDK, which is a free download from the Android site and is very well documented. The Android SDK integrates with the Eclipse IDE, so you will need to have a fairly recent version of Eclipse as well. The SDK documentation will walk you through the whole process, from downloading the software to building and running the sample application. The SDK lets you run your program in an emulator or on a real Android device, if you have one.

Installing Cordova is also fairly straightforward and well documented. The only difficulty I had with the entire process is that I wasn’t very familiar with Eclipse and stumbled a bit. The Cordova installation process culminates with building and running the sample Cordova application. The sample application demonstrates much of Cordova’s API and is worth looking at.

I found the process of creating a new Cordova project to be a bit kludgey. The process involved creating a new Android project first, then making a two-line modification to a Java program, pasting in a dozen lines of XML into another file, and well, you get the idea. All of the changes made sense, but seemed a bit error-prone. Finally, I decided to copy the example project and strip it down to its bare necessities. This is the approach that I recommend; it worked like a champ for me.

A Cordova application has three main pieces. There is an architecture-specific binary piece that actually communicates directly with the device’s hardware. Then there is a Java-based abstraction layer that sets up your application’s runtime environment and presents a JavaScript API for your application to use. The third part is your HTML/JavaScript/CSS code, and this is the only part that you normally need to be concerned with. All of these pieces get linked together at build time to form a native binary executable for the target device.

The Cordova JavaScript API allows your program to access many of the host device’s sensors. This means that your application has easy access to the device’s GPS, accelerometer, compass, microphone and speaker. The API provides persistent data storage by allowing access to the device’s contact database, its filesystem and a native SQLite database.

Let’s look at some code.

For the sake of illustration, I developed a simple application. The application is designed to demonstrate three main features: access to the device’s GPS sensor, access to the user’s contacts and the ability to make Ajax calls to remote Web services.

The HTML needed to create this application is pretty straightforward. See Listing 1.

The content of the <head> section is mostly boilerplate. Note that you import the cordova.js and then your main.js JavaScript files, and that the order is important. In the <body>, you find a graphic that you bring in from a remote server. Then you see input fields for your current GPS coordinates. Next, you have some form fields that will contain information from the phone’s contact directory, followed by Previous and Next buttons that allow users to scroll through their contacts. Finally, there are two <div>s that will allow the program to display witty comments from a remote Web site and any error messages that might need to be displayed. Figure 1 shows what the page looks like in a browser.

Figure 1. Sample Application Running in a Browser

Listing 1. HTML for the Sample Application (only the page’s visible text survived extraction)

Sample Application
You are here: Longitude, Latitude.
Previous Next
"Linux Rocks!"

Listing 2 shows the JavaScript code that makes it all work.

Listing 2. JavaScript Code for the Sample Application

 1 var mobile = 1;
 2 var contacts;
 3 var current_contact = 0;
 4
 5 function init () {
 6
 7   if (mobile == 1) {
 8     navigator.contacts.find(["*"], store_contacts);
 9   }
10
11   update();
12   window.setInterval(update, 1000);
13 }
14
15 function update () {
16   var req;
17
18   if (mobile == 1) {
19     navigator.geolocation.getCurrentPosition(set_location, location_error);
20   } else {
21     document.getElementById("lat").value = Math.floor(Math.random()*46)
22     document.getElementById("lon").value = Math.floor(Math.random()*46)
23   }
24
25   req = new XMLHttpRequest();
26
27   if (!req) {
28     alert("Ajax failed!");
29     return false;
30   }
31
32   req.open("GET", "http://example.com/test.html", true);
33   req.onreadystatechange = set_quote;
34   req.send(null);
35
36   return true;
37 }
38
39 function store_contacts (c) {
40   contacts = c;
41   display_contact();
42   return true;
43 }
44
45 function previous_contact () {
46   current_contact = current_contact - 1;
47   if (current_contact < 0) { current_contact = 0; }
48   display_contact();
49   return true;
50 }
51
52 function next_contact () {
53   current_contact = current_contact + 1;
54   if (current_contact > (contacts.length-1)) { current_contact = contacts.length-1; }
55   display_contact();
56   return true;
57 }
58
59 function display_contact () {
60   document.getElementById("id").value = " ";
61   document.getElementById("name").value = " ";
62   document.getElementById("phone").value = " ";
63   document.getElementById("email").value = " ";
64
65   document.getElementById("id").value = contacts[current_contact].id;
66   document.getElementById("name").value = contacts[current_contact].displayName;
67   document.getElementById("phone").value = contacts[current_contact].phoneNumbers[0].value;
68   document.getElementById("email").value = contacts[current_contact].emails[0].value;
69
70   return true;
71 }
72
73 function set_location (p) {
74   document.getElementById("lat").value = p.coords.latitude;
75   document.getElementById("lon").value = p.coords.longitude;
76   return true;
77 }
78
79 function location_error (e) {
80   document.getElementById("error").innerHTML = e.message;
81   return true;
82 }
83
84 function set_quote (p) {
85   if (!p) { return 1; }
86   if ((p.status) && (p.status > 299)) { return 1; }
87   document.getElementById("quote").innerHTML = this.responseText;
88   return true;
89 }
90
91 if (mobile == 1) {
92   document.addEventListener("deviceready", init, false);
93 } else {
94   window.onload = init;
95 }

Line 1 is a simple boolean flag that determines whether the script is running on a mobile device or a Web browser. Setting this variable to 0 allows me to run and debug the program in Firefox where I have all of the HTML, DOM and JavaScript development tools that I’m accustomed to using. Setting this variable to 1 targets the program for a mobile device where I can debug the Cordova-specific aspects of my program, knowing that my JavaScript is probably correct.

Lines 91–95 arrange to have the JavaScript init() function called when the DOM is loaded and after the Cordova initialization routines have run. These lines also point out a couple oddities about Cordova development. First, there is no way to detect automatically whether the program is running in a browser or on a smartphone. That’s why I set that variable, as discussed earlier. Also, Cordova creates its own event that gets triggered when it’s ready to begin JavaScript execution; you can’t use window.onload as you normally would, because this event might trigger before Cordova is ready. Either way, the init() function will be called at the appropriate time.

The init() function is on lines 5–13. On line 8, you make a call to the contacts.find method to get an array of contact objects from the device’s contact directory. This array is then passed, asynchronously, to store_contacts(), lines 39–44, which simply stores the array in a global variable. Then, init() makes a call to update() to initialize the data display and arranges for update() to be called every second from then on.

The update() function, lines 15–37, is where the fun begins. If the program is running in a browser, you simply populate the Longitude and Latitude fields with random numbers. Having the numbers change like that allowed me to verify that the program was still running. However, if the program is running on a physical device, you use the geolocation.getCurrentPosition method to fetch the real GPS coordinates. If this operation is successful, set_location() is called. Otherwise, location_error() gets called, and you can display an error message (lines 73–83). The only error I’ve encountered with the getCurrentPosition call was when I actually had the GPS disabled.

Lines 25–36 form an almost embarrassing Ajax call. I’ve stripped this code down to the least amount of code that would run under Firefox and Cordova. It won’t run on IE, and it doesn’t do much, if any, error checking. I’m not trying to demonstrate how to do an Ajax call in Cordova. I’m only trying to demonstrate that you can. In this case, you’re loading some content from a remote server and putting it inside the quote <div> discussed earlier. During development, I’d simply change the content of that file on the server to verify that it changed inside the app.

Lines 44–58 are onclick handlers for the two buttons in the application. All these routines do is adjust an array index plus or minus one, as appropriate, and do some bounds checking. Finally, they call display_contact() to display the current contact.

The display_contact() function (lines 59–72) is the last of the Cordova-specific functions in the program. In lines 60–64, you blank out all of the contact fields in preparation for setting them with new values. I found that if I didn’t blank them out first, they would persist into the next record if the next record didn’t happen to have a value for a given field. In lines 65–69, you populate the fields with data from the current contact record. Note that both phoneNumbers and emails are arrays of objects, and that for this purpose, you are interested only in the first element.

And there you have it. There’s nothing here that would be unfamiliar to the average Web developer, except a really powerful API. But, I’ve only touched on what this API can do. Figure 2 shows the application running on my Droid Bionic.

Figure 2. Sample Application Running on Android

I did some hand waving over a subtle problem with this application that many JavaScript, particularly Ajax, developers have encountered. On most browsers, your program can’t load from one domain, and then load content or code from another domain. However, this program is standalone and needed to load content from a potentially arbitrary Web site. Cordova handles this problem by “whitelisting” the domains from which an application is allowed to fetch content. By default, all domains are blacklisted, and, thus, all network access is disabled. A developer can whitelist a domain by editing /res/xml/cordova.xml and following the examples already given in that file. This is a safe but elegant solution to a potentially nasty problem.

Another interesting possibility is to have your application load all of its HTML and JavaScript from a remote Web server. This easily can be done by making a simple change to ./src/{projectname}/{projectname}.java. This file has only 20 lines of real code, and the necessary change is pretty intuitive.

Being able to load content from a remote server actually makes development easier. I found it easier to do my development on a remote, publicly accessible server, than to develop on my workstation. This way, I could point my Web browser at the application and get all my HTML, CSS and JavaScript working the way I wanted. Then I got the application fully functional on my Android. Once it was fully functional, I copied the project to my workstation for the final build. Doing it this way is the only way you’ll be able to test an application that makes any Ajax calls without violating your browser’s cross-site scripting security policy.

As neat as Cordova is, there are a few things I didn’t like. As I mentioned earlier, there is no way to detect automatically whether a program is running in a browser or on a device. Also, I found the whitelisting functionality to be a bit buggy, but not in any way that broke my application. But, the most disheartening thing I found was when I tried to use the camera API. Instead of simply snapping a picture and either returning the data or storing it, the API actually brought up the device’s native camera device as a pop-up. This was extremely intrusive and actually broke my first demonstration app.

I’ve had a lot of fun playing with Cordova, and I’ve barely scratched the surface of what it can do or be extended to do. This has to be the easiest way to get into smartphone application development.■

Mike Diehl operates Diehlnet Communications, LLC, a small IP phone company. Mike lives in Blythewood, South Carolina, with his wife and four sons. He can be reached at mdiehl@diehlnet.com.
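Listing 2 takes the first phone number and e-mail of every contact and hands whatever the remote server returns to innerHTML as soon as any readyState change fires. The block below is an added example, not code from the article or from the Cordova project: it reworks the listing’s contact navigation and quote handling as plain functions that run without a browser or device, with the bounds checks and response checks written out. The contact list and the XMLHttpRequest stand-ins are constructed here; on a device they would come from navigator.contacts.find() and a real XMLHttpRequest.

```javascript
// Added example (not from the article or the Cordova project). The data
// handling of Listing 2 as pure functions, so the logic can be exercised
// outside a browser: a contact with no phone or e-mail entries, an empty
// contact list, and an XMLHttpRequest that has not finished yet are all
// handled instead of throwing. Sample data below is constructed for the demo.

// Keep an index inside [0, length-1]; with an empty list there is no valid index.
function clampContactIndex(index, length) {
  if (length === 0) return -1;
  if (index < 0) return 0;
  if (index > length - 1) return length - 1;
  return index;
}

// Walk the list the way the Previous/Next onclick handlers do, starting at
// `start`; each step is "prev" or "next" and is clamped to the list bounds.
function navigate(contacts, start, steps) {
  var index = clampContactIndex(start, contacts.length);
  for (var i = 0; i < steps.length; i++) {
    var delta = steps[i] === "next" ? 1 : -1;
    index = clampContactIndex(index + delta, contacts.length);
  }
  return index;
}

// First value of a Cordova ContactField array, or "" when the array is
// missing or empty (Listing 2 assumes phoneNumbers[0] and emails[0] exist).
function firstValue(fields) {
  return Array.isArray(fields) && fields.length > 0 ? String(fields[0].value) : "";
}

// The four strings display_contact() writes into the form fields.
function contactFields(contacts, index) {
  var i = clampContactIndex(index, contacts.length);
  if (i < 0) return { id: "", name: "", phone: "", email: "" };
  var c = contacts[i];
  return {
    id: c.id === undefined ? "" : String(c.id),
    name: c.displayName || "",
    phone: firstValue(c.phoneNumbers),
    email: firstValue(c.emails)
  };
}

// Replacement for set_quote(): accept only a completed 2xx response.
// Returns null while the request is still in flight or on an HTTP error.
function quoteFromResponse(xhr) {
  if (!xhr || xhr.readyState !== 4) return null;
  if (xhr.status < 200 || xhr.status > 299) return null;
  return xhr.responseText;
}

// Put the quote into the target element as text: with textContent any
// tags in the fetched file are shown literally instead of being parsed.
function renderQuote(xhr, element) {
  var text = quoteFromResponse(xhr);
  if (text === null) return false;
  element.textContent = text;
  return true;
}

// Constructed sample data standing in for navigator.contacts.find() results.
var sampleContacts = [
  { id: 1, displayName: "Ada",   phoneNumbers: [{ value: "555-0100" }], emails: [{ value: "ada@example.com" }] },
  { id: 2, displayName: "Grace", phoneNumbers: [],                     emails: null }, // no phone, no e-mail
  { id: 3, displayName: "Linus", phoneNumbers: [{ value: "555-0102" }], emails: [{ value: "linus@example.com" }] }
];

// Constructed stand-ins for the states an XMLHttpRequest passes through.
var finishedOk = { readyState: 4, status: 200, responseText: "<b>Linux Rocks!</b>" };
var inFlight   = { readyState: 3, status: 200, responseText: "<b>Lin" };
var notFound   = { readyState: 4, status: 404, responseText: "Not Found" };
```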


EOF

DOC SEARLS

On Infrastructure, Geology and Other Temporary Things

Linux is lasting. This can help inform our understanding of other things we depend on.

Infrastructure, like geology, is temporary. Both work on a LIFO basis. Dunes built by surf and wind are the first landforms to go when the weather gets wild—likewise human constructions, such as beach houses and boardwalks. As I write this, on Halloween 2012, the dunes and boardwalks of the Jersey Shore, where I spent my summers as a kid, have been torn apart and deposited inland by Superstorm (née Hurricane) Sandy, which came ashore two nights ago. A broken gas line feeds a fire that already has burned ten houses in Mantoloking. Nearly every clear summer day, from 1949 to 1961, when I was age 2 to 14, we’d go to Mantoloking Beach. That’s where I learned to swim and ride the surf. Since then, Mantoloking has become an upscale enclave. From what I can tell, all the houses that just burned were put up since I knew the place. Last in, first out.

Infrastructure is the geology we make and re-make for ourselves. Across eastern Massachusetts, where I am now, bike paths have replaced railroads that replaced the tow paths of canals that replaced paths of animals and other natives through the woods. Construction is the world’s oldest and biggest business. Much of that work is re-construction. There is no urge more human, Stewart Brand once said, than the urge to alter a permanent structure. Using natural and manufactured materials, we build and re-build, constantly. On the island of Majorca, which is one big piece of marine limestone, it is said that every building block has been lifted by a thousand hands a thousand times. A single block holding up an olive terrace also may have served time in pavement, a lookout tower and the wall of a house. How that works also is a good model for code. A few years ago, on a Linux Journal Geek Cruise (I still miss those), I asked Andrew Morton if hackers would still be improving the Linux kernel 200 years from now. He said yes. To me, that makes Linux a form of infrastructure. Something of its nature is geological. That is, its purposes transcend the temporary, and even the specific. It’s made for wide usability more than for any specific use. “I don’t know what happens outside the kernel, and I don’t much care”, Linus says (http://www.linuxjournal.com/article/6427). “What happens inside the kernel I care about.”

Given the nature of human attention, it’s amazing that infrastructure gets made at all. Even for hackers, attention tends to be partial and provisional, and always subject to rot. The sentences we hear verbatim are forgotten within seconds, leaving only meaning behind—and partial meaning at that. Each cycle of human life runs about a century at best. If we’re lucky, we might get 60 productive years. Within those years, one’s lasting effects are so rare that others treasure them. My own favorite treasure is the George Washington Bridge, which my father helped build, as a cable rigger (http://www.flickr.com/photos/docsearls/3503894401). He’s long gone, but his work is not. Yet, it too shall pass. The purpose of the bridge—to carry traffic in and out of New York—surely will outlive all of us, but it is unlikely to outlast the geology in which it is anchored.
On the New York side, the rock is Manhattan Schist (http://www.washington-heights.us/history/archives/000457.html), formed in the Cambrian, about a half-billion years ago. On the New Jersey side, it’s the Palisades (http://en.wikipedia.org/wiki/The_Palisades_(Hudson_River)): cliffs that began as an intrusive sill at the end of the Triassic, a little more than 200 million years ago. That’s when Pangea began to break up. If you want to see the adjacent geologies of that time, visit the Atlas Mountains of Morocco.

On the stellar scale, the rock flanking the Hudson is young. The solar system is 4.65 billion years old; the universe about 2.8 times older than that. Conveniently, the first half-dozen billion years of matter’s existence were enough time to populate most of the periodic table. This required compressing light elements into stars and exploding those stars, over and over, scattering the building materials of new stars and planets in all directions. Most heavy elements involved in Earth’s creation sank early to the core. The ones found in Earth’s crust—gold, titanium and tungsten, for example—were deposited by meteorites (http://www.sciencedaily.com/releases/2009/10/091018141608.htm) after the surface hardened. Surely much of it came during the same Heavy Bombardment (http://en.wikipedia.org/wiki/Late_Heavy_Bombardment) that put a face on the moon, during a 300-million-year span, starting 4.1 billion years ago. More than 90% of the iron mined so far on Earth was deposited as ferrous sludge on ocean floors a little more than two billion years ago, when life began to bloom and metabolize out the iron then saturated in the seas. This was an event that will not be repeated. If our species’ appetite for iron persists long enough, we’ll re-mine it from landfills after exhausting its supply in ancient rock. Helium, the second-lightest element and one of the most common in the universe, is currently produced on Earth only by decay of a certain breed of natural gas. At the current usage rate, helium is due to run out in a few dozen years (http://www.washingtonpost.com/wp-dyn/content/article/2010/10/11/AR2010101104496.html).
As yet, we have no other way to make it, but that doesn’t stop us from using it up, just as we use up other non-renewable things, deferring the problem of resource exhaustion to future generations. We are, undeniably, a pestilential species.

Our summer home was about ten miles inland from Mantoloking, in Brick Township, on the edge of the Pine Barrens (http://en.wikipedia.org/wiki/Pine_Barrens_(New_Jersey)). My parents had an acre and a half there, which they bought in 1948 for $150. Pop and Uncle Archie, his brother-in-law, cut a driveway to a clearing and brought in a small old shack on a flat-bed truck, which they deposited on a shallow foundation of cinder blocks. They named it The Wanigan, a native term for a portable abode. They drove a well by hand, pounding lengths of galvanized steel pipe down into the ground. Their driver was a capped iron pipe half filled with lead, weighing about 80 pounds. They fit this over the top of the well pipe, then lifted and dropped it, over and over again. After they got water flowing with a hand pump, they built a kitchen around the pump and then a one-hole privy in the back. A few years later Pop added a bedroom, dug a septic tank and built a small indoor bathroom. Electricity arrived early on, but telephony never did.

Grandma and other relatives bought adjacent properties, and put up their own little houses. I still remember every foot of the paths between them. For my sister and me, plus countless cousins, it was paradise. The forest floor was a thick mass of blueberries, huckleberries and wintergreen, under a canopy of scrub oak and pitch pine. Clearings and paths were established by deer and other woodland creatures. We went barefoot all summer, running from one secret place to another, grazing on berries like sheep on grass, and riding our bikes to the country store to buy candy and comic books, which we read and re-read on our bunk beds. Bedtime came when the whip-poor-will called (http://en.wikipedia.org/wiki/Eastern_Whip-poor-will), and we fell asleep to a hubbub of crickets and tree frogs.

The LIFO geology under The Wanigan was sand deposited in the Pliocene, when the whole coast was under water. The sand was easy to dig up, which we often did, to make castles, forts and other structures. Our hands and feet would always turn black when we did. Pop told us this was because countless wildfires destroyed the forest over and over, turning the sand gray with ash. Later, when I looked more deeply into the matter, I found he was right.
In fact, the whole forest ecosystem was adapted to fire. Also, apparently, to suburban sprawl, since the Wanigan, Grandma’s place and nearly everything around it is now a strip mall.

The main influence on my life in those days was my cousin Ron, who was five years older than me and much more hip to what mattered in the world, such as girls, cars and rock & roll. I was too shy and geeky to recruit a girlfriend and wasn’t old enough to drive, but I could sublimate my yearnings through music. My main source for that was WMCA, then New York’s main Top 40 station. I loved to gawk at WMCA’s transmitter when we passed it on the New Jersey Turnpike, on our way down to The Shore (pronounced “Da Shaw”). I saw WMCA’s three-tower rig as the well from which all cool music came.

It was from this that I became obsessed with the mysteries of wireless. Why did some AM stations have one tower while others had more? Why did AM signals fade under bridges while FM ones didn’t? What made signals at the bottom end of the AM band travel farther along the ground than those at the top end? What made the ionosphere reflective of AM and shortwave signals but not of FM and TV signals? Why did TV work best with a roof antenna while AM radio didn’t?

At age 12, I got a ham radio license and began to build electronic stuff, sometimes on advice from engineers I met at the transmitters of New York’s AM stations, nearly all of which stood, like WMCA’s, in stinky swamps along the Hackensack and Passaic Rivers. I’d ride my bike down there from our house in Maywood, knocking on doors of transmitter buildings, and then asking questions of the engineers while they took readings off meters, threw big scary switches and whacked vegetation away from the bases of towers. At night I’d “DX”—listening to far-away stations—on my Hammarlund HQ-129X ham receiver, which did a great job picking up AM signals, mostly through my 40-meter dipole antenna, which hung like a clothesline between my bedroom and a tree in our backyard. By the time we moved away from Maywood, I had logged about 800 stations, or about 10% of all the stations transmitting in the US at that time. Later, as an adult in North Carolina, I did the same with FM signals, which occasionally refract at a low angle, like a mirage above a hot road, off the same ionospheric layer that reflects AM signals, bringing in clear signals from 800 to 1,000 miles away.
The thrill of this was less in signal fishing than in gaining an empirical understanding of how things work. It was because of that understanding that I blogged this two days ago, while Sandy was headed ashore (http://blogs.law.harvard.edu/doc/2012/10/29/riding-out-the-storm):

Given the direction of the storm, and the concentrating effects of the coastlines toward their convergence points, I would be very surprised if this doesn’t put some or all of the following under at least some water:

- All three major airports: JFK, La Guardia and Newark.
- The New York Container Terminal.
- The tower bases of New York’s AM radio stations. Most of them transmit from the New Jersey Meadows, because AM transmission works best on the most conductive ground, which is salt water. On AM, the whole tower radiates. That’s why a station with its base under water won’t stay on the air. At risk: WMCA/570, WSNR/620, WOR/710, WNYC-AM/820, WINS/1010, WEPN/1050, WBBR/1130, WLIB/1190, WADO/1280 and several others farther up the band. WFAN/660 and WCBS/880 share a tower on High Island in Long Island Sound by City Island, and I think are far enough above sea level. WMCA and WNYC share a three-tower rig standing in water next to Belleville Pike by the New Jersey Turnpike and will be the first at risk.

I got most of that right. Two of the three airports took water, and WMCA, WNYC, WINS, WLIB and some number of other stations went off the air when the tide surge rose over their transmission equipment and tower bases. The main reason I called them right is that I’ve been studying infrastructure in various ways ever since Ron turned me on to rock & roll. It also has occurred to me gradually, during the decade and a half I’ve been writing here, that my interest in Linux and infrastructure are of a single piece with my interest in geography, aerial photography and fault lines where the converging forces of business, hackery and policy meet.
In the parlance of geologists, much of what happens amidst all of it is “not well understood”.

According to the Oxford English Dictionary, the word infrastructure first appeared in the early 1900s (http://oxforddictionaries.com/definition/english/infrastructure). According to Google’s Ngram Viewer (http://books.google.com/ngrams/graph?content=infrastructure&year_start=1800&year_end=2000&corpus=15&smoothing=3share=), which graphs usage of words in books across time, infrastructure did not hockey-stick until the 1960s.


Relatively speaking, academic work on infrastructure is sparse. There are few university departments devoted to infrastructure. (The University of Melbourne’s Department of Infrastructure Engineering is one: http://www.ie.unimelb.edu.au). It’s more of a topic in many fields than a field of study itself. I have come to believe this is a problem. If we’d had a better understanding of infrastructure, we might have suffered fewer losses from Katrina, Sandy and other natural disasters. We might also have a better understanding of why it’s nuts to build on barrier dunes, fault lines and places nature likes to burn every few dozen years—unless the inevitability of loss is a conscious part of our deal with nature. Likewise, I believe we’d have a better understanding of human inventions with vast positive externalities, such as those produced by Linux and the Internet, if we also understood their leverage as the same as that provided by infrastructure.

Without that understanding, it’s hard to make full sense of modern oddities, such as Google’s giant data centers. A few days ago, as I write this, Google took the wraps off of what had been, until then, largely a secret matter. Now it’s bragging on the giant, nameless buildings that together comprise, Google says, “where the Internet lives”. Google does its best to pretty up these places with gorgeous photos and copy like, “Steam rises above the cooling towers in The Dalles data center in Oregon. These plumes of water vapor create a quiet mist at dusk.” Still, they look like prisons (http://www.google.com/about/datacenters/gallery/#/places)—or data-fired power plants, which is basically what they are.

Think about it. These places are no less central to what civilization does today than are power plants and container ports. Yet there is little if any regulatory oversight of them, outside concerns over power use and environmental impact. Nor could there be.
Knowledge of what the Internet is, and how it works, is minimal to most of those who use it, and worse than absent in legislative and regulatory circles, both of which have long since been captured by Hollywood and the phone and cable companies. Because of this, the Net is slowly turning into a “service” through which Hollywood and the carriers can bill us in fine detail for “content” and data usage. And, because of this, we risk diminishing or losing the most productive generator of positive economic externalities the world has ever known. Google is both at war and allied with these forces, and that war is being played out inside these data centers. I believe we’d understand all of this a lot better if we also had a better understanding of what infrastructure is, and what it does.

Sometime soon I’ll re-start work on The Giant Zero: my book about infrastructure and the Internet, and how the two overlap. The title comes from a description of the Net as “a hollow sphere in which every point is visible to every other point across an empty space in the middle—a vacuum where the virtual distances are zero”. That insight is Craig Burton’s, and he provided it in an interview I did for a Linux Journal piece in the mid-1990s. Learnings from Linux will be at the core of The Giant Zero. Anybody interested in helping build the prose base for that work, please get in touch. I can’t, and won’t, build it alone.■

Doc Searls is Senior Editor of Linux Journal. He is also a fellow with the Berkman Center for Internet and Society at Harvard University and the Center for Information Technology and Society at UC Santa Barbara.

Advertiser Index

Thank you as always for supporting our advertisers by buying their products!

ADVERTISER / URL / PAGE #
1&1 / http://www.1and1.com / 21
Confoo / http://Confoo.ca / 101
Emac, Inc. / http://www.emacinc.com / 29
Emperor Linux / http://www.emperorlinux.com / 61
iXsystems / http://www.ixsystems.com / 7
Microway / http://www.microway.com / 54, 55
SCALE / https://www.socallinuxexpo.org/scale11x/ / 2
Sharepoint / http://www.sptechcon.com/ / 89
Silicon Mechanics / http://www.siliconmechanics.com / 3

ATTENTION ADVERTISERS

The Linux Journal brand’s following has grown to a monthly readership nearly one million strong. Encompassing the magazine, Web site, newsletters and much more, Linux Journal offers the ideal content environment to help you reach your marketing objectives. For more information, please visit http://www.linuxjournal.com/advertising.
