LINUX JOURNAL
April 2016 | Issue 264
Since 1994: The Original Magazine of the Linux Community
LinuxJournal.com

On the cover: SSH Tunnels and Encrypted Video Streaming; Stunnel + Security for Databases; Intro to Pandas, the Python Data Analysis Library; A Look at printf, a Super-Useful Scripting Command; Protect Your Desktop Environment with Qubes; What's the Kernel Space of Democracy?; Be Smart about Creating a Smart Home.

LJ264-April2016.indd 1 3/22/16 10:12 AM

CONTENTS
APRIL 2016 | ISSUE 264

FEATURES

86 Rock-Solid Encrypted Video Streaming Using SSH Tunnels and the BeagleBone Black
Learn how SSH tunnels work by setting up a remotely viewable Webcam on your BeagleBone Black.
Ramon Crichlow

100 Stunnel Security for Oracle
Improve database security with Stunnel.
Charles Fisher

ON THE COVER
- A Look at printf: A Super-Useful Scripting Command, p. 42
- Stunnel Security for Databases, p. 100
- Be Smart about Creating a Smart Home, p. 60
- SSH Tunnels and Encrypted Video Streaming, p. 86
- Protect Your Desktop Environment with Qubes, p. 50
- Intro to Pandas, the Python Data Analysis Library, p. 34
- What's the Kernel Space of Democracy?, p. 120

COLUMNS
34 Reuven M. Lerner's At the Forge: Pandas
42 Dave Taylor's Work the Shell: All about printf
50 Kyle Rankin's Hack and /: Secure Desktops with Qubes: Introduction
60 Shawn Powers' The Open-Source Classroom: Jarvis, Please Lock the Front Door
120 Doc Searls' EOF: What's the Kernel Space of Democracy?

IN EVERY ISSUE
8 Current Issue.tar.gz
10 Letters
16 UpFront
32 Editors' Choice
76 New Products
125 Advertisers Index

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., PO Box 980985, Houston, TX 77098 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.

Executive Editor: Jill Franklin, jill@linuxjournal.com
Senior Editor: Doc Searls, doc@linuxjournal.com
Associate Editor: Shawn Powers, shawn@linuxjournal.com
Art Director: Garrick Antikajian, garrick@linuxjournal.com
Products Editor: James Gray, newproducts@linuxjournal.com
Editor Emeritus: Don Marti, dmarti@linuxjournal.com
Technical Editor: Michael Baxter, mab@cruzio.com
Senior Columnist: Reuven Lerner, reuven@lerner.co.il
Security Editor: Mick Bauer, mick@visi.com
Hack Editor: Kyle Rankin, lj@greenfly.net
Virtual Editor: Bill Childers, bill.childers@linuxjournal.com

Contributing Editors: Ibrahim Haddad, Robert Love, Zack Brown, Dave Phillips, Marco Fioretti, Ludovic Marcotte, Paul Barry, Paul McKenney, Dave Taylor, Dirk Elmendorf, Justin Ryan, Adam Monsen

President: Carlie Fairchild, publisher@linuxjournal.com
Publisher: Mark Irgang, mark@linuxjournal.com
Associate Publisher: John Grogan, john@linuxjournal.com
Director of Digital Experience: Katherine Druckman, webmistress@linuxjournal.com
Accountant: Candy Beauchamp, acct@linuxjournal.com

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc., PO Box 980985, Houston, TX 77098 USA.

Editorial Advisory Panel: Nick Baronian, Kalyana Krishna Chadalavada, Brian Conner, Keir Davis, Michael Eager, Victor Gregorio, David A. Lane, Steve Marquez, Dave McAllister, Thomas Quinlan, Chris D. Stark, Patrick Swartz

Advertising: e-mail ads@linuxjournal.com; URL www.linuxjournal.com/advertising; phone +1 713-344-1956 ext. 2
Subscriptions: e-mail subs@linuxjournal.com; URL www.linuxjournal.com/subscribe; mail PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.
Current Issue.tar.gz

Linux Does Stuff

SHAWN POWERS

Shawn Powers is the Associate Editor for Linux Journal. He's also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don't let his silly hairdo fool you; he's a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.

We're huge fans of open source here at Linux Journal, which I'm sure comes as no surprise to anyone. The best part about Linux itself, however, is that it's the concept of open source realized. It has permeated every aspect of IT, and it has proven that being open doesn't equate to being insecure. In fact, it's quite the opposite. When you have nothing to hide, there aren't any dirty secrets waiting to be leaked. In the spirit of "doing things", this month we've got a bunch of really cool topics that show open source in action.

We start with Reuven M. Lerner. Last month he talked about navigating data, and this month he talks about Pandas. Specifically, Reuven talks about parsing and analyzing CSV (comma-separated values) files with Python. If you're a data nerd and want to get the most from your CSV data files, you won't want to miss Reuven's column this issue.

Dave Taylor follows with a look at some powerful scripting commands borrowed from the C library. If you want to tighten your code, the printf command is incredibly powerful and, thankfully, available for scripting.

Kyle Rankin keeps his security head firmly in place and starts a series on Qubes this month. Qubes is a distribution focused on security. With all the publicity encryption and privacy is getting thanks to the Apple/FBI case, it's important to understand how security on your devices functions. Kyle starts his series by describing how Qubes compartmentalizes applications, isolating them from each other and the OS itself. Whether or not you want to beef up your desktop security, his article is a fascinating look at an awesome technology.

I go in a very different direction this month, and rather than talk about security, I focus on what sometimes can be the opposite of security: convenience. I've always wanted a smart house, and thanks to SmartThings and the Amazon Echo, I finally have one, or at least the start of one. If you've ever wanted to talk to your house like it was the computer on the Starship Enterprise, you'll want to check out my column.

SSH is arguably my favorite command-line tool in Linux. It's secure, and it's so versatile. Ramon Crichlow explains how to stream video securely through an SSH tunnel this month. Not only will you learn how to accomplish a cool video streaming task, but along the way, you'll learn a lot about how SSH works and what tunneling really means. You'll also learn how to tweak it so it's not more frustrating than useful.

Charles Fisher follows Ramon with a very in-depth look at using stunnel as a tool for authentication, isolation and privacy of data stored in an Oracle database. If you've ever managed an Oracle database and had concerns about its security implementations, even considering recent improvements, using the open-source stunnel tool can add a solid layer of security that is regularly updated and offers the peace of mind that comes with FOSS.

Whether you want to improve the security of your desktop environment, use Linux as a tool to accomplish a necessary function, or just turn on your bedroom lights by talking to a Pringles-can-shaped robot, this month is an issue worth reading. As always, it's also full of product announcements, time-saving tips and other Linux-related goodies. Whether this is your first issue of Linux Journal or you've been one of us for years, we hope you enjoy this issue as much as we enjoyed putting it
together.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

LETTERS

Dave Taylor's Article on getopt

Regarding Dave Taylor's "Working with Command Arguments" in the February 2016 issue: it's a worthy article, but let's expand on it a bit.

Long arguments like --help certainly deserve a mention. But my main gripe with using getopt in bash is the lack of a wrapper function. Python, C, C++, Ruby, etc., all have wrappers that simplify using getopt enormously.

I help maintain hundreds of scripts at work and home, and I find the biggest source of errors are those that creep in during maintenance. The problem is that there are multiple places that need to be kept in sync: the call to getopt itself, the case statement where the options are processed and the help output that documents it all.

So, time for shameless self-publicity: I wrote a wrapper for bash that fixes this shortcoming. It's at http://bhepple.com/doku/doku.php?id=argp.sh.

To use it, you put all the information about the various options in a simple variable or here document and run a bit of mumbo-jumbo to process the arguments. For that low, low price, you get the options parsed, a call made to getopt and variables set for you, as well as a help screen, all automatically from the single source. Here's an example:

    &()*+,
    --------------------------------------------------------------,
    -./012)3,
    -456#*7#859$:,;456#,5<=,,,,,,,:>%#,<54=#,,,7#;?<@%:@A4,
    --------------------------------------------------------------,
    BC*DD,,,,,,,,,?,,,,,DD,,,,,,,,E,,,,DD,,,,,,8AAE5<,
    )F.0*DD,,,,,,,;,,,,,D4D,,,,,,,;,,,,DD,,,,,,A%:@A4,:"5:,:5G#;,5,H5$9#,
    0.IJ2*DD,,,,,,:,,,,,D496E#<D,,;,,,,DD,,,,,,A%:@A4,:"5:,:5G#;,5,H5$9#,
    F.2(*DD,,,,,,,DD,,,,D$A4=D,,,,;,,,,DD,,,,,,5,$A4=,A%:@A4,K@:"A9:,5,,
    ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,;"A<:,A4#,
    )1FJ20*DD,,,,,DD,,,,DD,,,,,,,,E,,,,DD,
    --------------------------------------------------------------,
    +,
    ,,,,#L#?,MNOP,
    ,,,,#H5$,QR#?"A,+Q&()+,S,5<=%T;",+QU+,VNOP,PNOM,SS,#?"A,#L@:,QW,X,
    ,,,,#L#?,MNO!

That last bit looks scary, but it does the job: if the user invoked the script with -s Y, the bash variable )F.0 has that value, etc., etc.

Hope it helps; it certainly has made my life much easier.

Bob Hepple

CSV Files and the Comma

This is with reference to Dave Taylor's article in the December 2015 issue about dealing with CSV files. Yes, for people skilled with the power of the shell, doing taxes and such accounting things with scripting is very easy and full of enjoyment. I do not know who invented the comma as a delimiter or the format called "CSV".
Instead, that person should have used tab as a delimiter, and the format should have been called "TSV". I use tab as a delimiter when exporting from spreadsheets using OpenOffice and face no problems whatsoever. Besides ease of processing, the file becomes so much more readable with the suitable tab stop setting.

Mayuresh

Dave Taylor replies: Mayuresh, I love your suggestion, and you're right, the use of any punctuation symbol that can occur within the data fields themselves is really pretty stupid as a format. When I convert delimiters back and forth, I use sequences like ^^ that are incredibly unlikely to show up in any prose or data set. More bizarre: CSV is a standards-body-approved format: http://www.digitalpreservation.gov/formats/fdd/fdd….shtml.

My only comment: tabs can make things more readable, but if you've wrestled with data where the fields vary from less than to greater than a tab's width (typically eight characters), you know how annoying that can be to align perfectly. Thanks for writing in!

Does Every Year Have a Friday the 13th?

The "Command-Line Tutorial" in the February 2016 issue was a fun article by Sol Lederman. It got me playing around with the commands, and I started manually checking with cal and cksum for unique leap years. When I found the eighth unique one, I started to worry if the world was ending. After digging around a bit, I discovered that my mismatched pair was … and …. For some reason in Debian Jessie (and okay in Fedora) the year is generated in a strange fashion. The numerical dates are displayed with digits separated by one or more spaces (0x20) as appropriate, except for the prior and current date when the cal is generated (in this case, the 2nd/3rd last night and the 3rd/4th this morning). The date of generation and the prior day's date are separated by "space" "underbar" "backspace" (0x20 0x5F 0x08) sequences instead of just "space". Now the cksum and wc -c just went out the window and don't match anything, even though the appearance of the two calendars is identical except for the year.

So I would surmise this applies to any Debian derivatives, and only for the current year, and possibly for only single-digit dates. I'll have to wait to see what happens on a two-digit date. Perhaps it's a remnant of syntax to highlight the current date.

Wally Olson

Sol Lederman replies: I'm glad you had fun with the calendar puzzle. Thanks for pointing out that different flavors of Linux render calendars differently. I ran into differences as well, and pointed it out in the article, hoping to give readers a heads up in case they got unexpected results. Perhaps other readers will find even more differences. And, maybe the lesson here is that a command as simple as cal has different output on different systems. Hopefully, others who run into different flavors of cal will be inspired to dig in and figure out what's wrong as you did. Happy computing!

Google Blocks the Inclusion of APNG in Blink/Chromium

I believe it's newsworthy that Google is effectively blocking the inclusion of an already-ready patch to include APNG support in Chromium/Blink. This reaction is so blatantly against the community and so clearly in protection of Google's own WebP (that nobody uses) that I can't help but clench my fists. I would very much appreciate if you could spread the news to your readers and colleagues, so that the Internet may finally be free of the legacy of GIF.

Here's the thread: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/KcMjmFOgw

OlegM

The Powers That Be

Regarding Shawn Powers' "The Powers That Be" in the February 2016 issue: I really liked the article; it reminded me of a similar problem we had a few years ago. All of a sudden, every evening at … pm, our power would drop for a moment, and every computer in the house would drop, no explanation. We got the power company out, and they found nothing wrong with the line, but they were testing only during the day. Anyhow, three visits later, I mentioned the major hospital three blocks away, and I noticed that there was power-line work happening on the main road. We lived on a back street three streets from the main road. It turns out that while the power company had been doing power work on the main line, they switched the power for the hospital's incinerators to the sub-lines on the back streets and had forgotten to switch them back. The problem was that the hospital incinerators were auto-set to start every night at …, and this was putting too much drain on the line and causing minor drop-outs. The moral: it pays to look around.

Trevor Furnell

Shawn Powers replies: I can only imagine your irritation! Great job figuring out what was causing the problem. Finding a resolution like that is almost worth the frustration it caused in the first place. Almost.

The Powers That Be, II

I had power problems like Shawn's in my house for some time. Although the house was new in …, the power drop from the utility pole into my electric meter was very old, as the previous house was demolished to build a new one. I plugged an analog AC voltmeter in to an outlet and watched the voltage fluctuate from … volts to … volts. My lights would flicker also. After many months of this, I called the electric company. They checked the connection at the utility pole end of my drop and found a badly corroded splice. The lineman cut off the corroded ends and made a new connection at the pole, and my problems disappeared.

This might be the cause of your problem. The fluctuations were worse on windy days, since
the drop wires were swaying in the wind, making the fluctuations even more apparent. I hope this helps.

Eric

Shawn Powers replies: Thanks for the suggestion! During the next year, our city is moving overhead lines underground. Hopefully during that process, the new lines will make for more stable electricity. Of course, now it's a moot point for me, but still, stability is nice!

PHOTO OF THE MONTH
Remember, send your Linux-related photos to ljeditor@linuxjournal.com!

WRITE LJ A LETTER
We love hearing from our readers. Please send us your comments and feedback via http://www.linuxjournal.com/contact.

UPFRONT
NEWS + FUN

diff -u
What's New in Kernel Development

Sometimes if you want to stop maintaining a piece of software but no one will take it over, all you have to do is simply announce that you're stepping
down, and everyone will jump for it. That was Neil Brown's experience with software RAID. After years as maintainer, he wanted out, but he couldn't get anyone to commit to take it over. So he announced his departure and offered up a description of what he saw for software RAID going forward: a small team of maintainers who would gather and review patches, resolve bugs and feed patches upstream.

Lo and behold, lots of people expressed interest in taking over maintainership, or at least in participating in a team. After sifting through many volunteers, he settled on Jes Sorensen for mdadm and Shaohua Li for the kernel/md side of things.

Neil documented some of the basics for Jes and Shaohua to consider, saying:

The first question is where do you send your patches to get the appropriate review and upstream acceptance? Alasdair or Mike (DM), Jens (Block), Andrew Morton (anything) and Linus (everything) are all defensible choices for upstreaming. I've submitted through Andrew in the past, but through Linus exclusively once I figured out git. That is really something you and they would need to negotiate though. [...] I plan to submit a pull request to Linus for the merge window and then stop queuing patches.

And Jes also announced a new git tree for mdadm, at http://git.kernel.org/pub/scm/utils/mdadm/mdadm.git.

Kernel documentation has traditionally been written in DocBook, an XML-based system that's been falling behind the increasingly popular forms of readable markup like Markdown, AsciiDoc and others. Recently, Jonathan Corbet and Jani Nikula did some overlapping work to convert the kernel to use AsciiDoc for all documentation. The goal was not just to adopt the new hotness, but also to reduce some of the many tool dependencies that were needed for DocBook processing and speed up overall doc production. Along the way, however, any new system would have to be at least as good as DocBook and support large files, cross-references, a big pile of output formats and so on.

There turned out to be significant problems doing the whole migration. One of the most viable options, at least temporarily, turned out to be migrating the source files to AsciiDoc but having the makefiles process that into DocBook and from there into whatever output was needed. This would not reduce the number of tool dependencies, but it would at least produce reliable output, while accepting the new, more preferable input. Ultimately, DocBook would be eliminated, but for now it seems there will be this intermediate step. It's also possible that AsciiDoc would need to be modified upstream before it would be able to handle the kernel docs without DocBook fully.

Zack Brown

THEY SAID IT

Giving is a necessity sometimes... more urgent, indeed, than having.
Margaret Lee Runbeck

Life is full of obstacle illusions.
Grant Frazier

The future, according to some scientists, will be
exactly like the past, only far more expensive.
John Sladek

I think the world is run by "C" students.
Al McGuire

Real freedom lies in wildness, not in civilization.
Charles Lindbergh

Back to Backups

In my Open-Source Classroom column last month ["Back It Up, Buster!", March 2016], I talked about backups and got some really fascinating feedback. In fact, at the time of this writing, it's still pretty early in the month, so I expect to get even more ideas and suggestions for backup options. Here's a few of the ideas worth checking into:

- Carlos Baptista wrote in as someone who also has struggled with lost data. His current solution is to use rsnapshot (http://rsnapshot.org) on a pair of …TB drives. Every week he swaps the drives, taking one to his parents' house. This solution gives him low-tech off-site storage, a maximum of one week of lost data in the event of a total failure, plus an excuse to visit his parents on a regular basis. Awesome job!

- Harald Nipen takes the interesting step of making sure the duplication process for his backups is not automated. That may seem like a silly thing to do, but as someone who accidentally reversed the source and destination on his rsync backup script before, I can assure you there is some peace of mind that comes from manually seeing your backup take place. Harald does, of course, automate his regular backups, but the duplication process for off-site storage is a manual process using the unison program.

- Nicola Larosa pointed me to an interesting project that uses "content-defined chunking" to back up data efficiently. It's the fastest backup system he's ever used, and worth checking out if you have large amounts of data to secure: http://restic.github.io/blog/…/restic-foundation…-cdc.

- Finally (for now), Johann Schoonees wrote in about rdiff-backup. It's a program I'd heard of but never really looked into using. That's unfortunate, though, because it really is a neat concept. If you've ever used BackupPC to keep rsync snapshots hard-linked to save space, it's a little like that. The program is an all-in-one solution, however, that keeps a current snapshot of a filesystem while also keeping diff files of previous changes. That allows older versions of files to be recovered without the complexity of setting up the entire BackupPC system.

The most encouraging part about getting follow-up e-mail messages from readers about their backup solutions is to hear that lots of folks actually have backup solutions. Regardless of the complexity of your backup process, or the level of automation you deem appropriate for your data, apart from creating the memories in the first place, few things are as important as backing them up.

Shawn Powers

Non-Linux FOSS: Caffeine!

Okay, this program is "free beer", but not "Free speech". I wouldn't normally include a freeware application in the "Non-Linux FOSS" section, because, quite frankly, it isn't FOSS. But, I decided to break the rules a bit here, because I realized how often I use a freeware program when I'm on OS X that I couldn't imagine doing without.

If you use OS X for presentations or demonstrations, you've probably had your screen shut off while you explained a slide or dialog box. Then the screen probably locked, and you had to hurry over to the keyboard so you could unlock, and so on and so on. Caffeine is a simple app that does nothing more than keep your Macintosh
(or Hackintosh) computer awake. It runs as a cute little icon in your menu bar, and it disables screen savers and sleep mode, even if you have aggressive power-saving settings enabled.

The danger is that you could leave Caffeine running accidentally and completely drain your battery. I've had that happen only one time, however, and I learned quickly to take my computer off Caffeine when I was done presenting. Even with that risk, I find it's worth it to no longer need to wiggle the mouse pointer every minute to make sure my laptop doesn't fall asleep. Caffeine is available for free in the App Store, or you can get it from its Web site: http://lightheadsw.com/caffeine.

Shawn Powers

Android Candy: Seeing Red and Getting Sleep

I'm always leery when I hear "Recent studies show..." But the idea that looking at electronic device screens before bed can cause sleep issues seems to be fairly accepted. The fascinating part for me is that it isn't really the screen itself, but the blue part of the color spectrum that contributes to the sleeplessness. In a purely anecdotal experiment, I find that it's much more difficult for me to fall asleep in the kitchen (cool-colored lighting, closer to blue in the spectrum) than it is to fall asleep on the living-room couch (warmer, less-blue lights). Granted, part of that might be general comfort on the couch and more sharp objects in the kitchen, but in general, warmer lighting tends to be more relaxing.

Based on the idea that less blue and more red will make for better sleeping, the "Twilight" app for Android shifts the color of your screen as bedtime approaches. It's free for basic functionality, but for a small price, you can get a timed, gradual transition on your Android devices. I have no idea whether it helps me sleep better, but if nothing else, it reminds me that it's getting late as my ebook becomes redder and redder as I read. If you struggle with sleeplessness, especially when you first go to bed, give Twilight a try. It's free in the Google Play Store, and if it works, the gradual shift option with the paid version is well worth the cost. And as a bonus, the red screen won't hinder your night vision during those late evenings of summer stargazing!

Shawn Powers

Night Sky Tools on Android

In previous articles, I've looked at several different astronomy programs that you can run on your Linux machines. Those are great when you are doing work indoors, but most laptops and Netbooks are still a bit of a pain to carry around with you if you are going
out into the field. In those cases, having something more portable is definitely nice. And, since I'm beginning to look at Android apps in this column, this is a perfect opportunity. Loads of astronomy applications are available within the Android environment that are well worth a look. In this article in particular, I'm exploring Night Sky Tools. The application is available in the Google Play store, and it should run on most versions of Android.

Once you have it installed, open it to see a very complete menu of all of the functionality available within Night Sky Tools. Many of the functions are updated over the Internet automatically, so you are sure to have the latest information for whatever objects you are trying to observe in the night sky.

Figure 1. The opening screen displays a menu of the various categories of functions available.

The first category is general astronomical information. You can see lists of upcoming astronomical events, as well as what is up right now and what will be coming up tonight. There also are entries for a compass and a page of the various astronomical times that you may need. The astronomical time page gives the moonrise/moonset and sunrise/sunset times. There even is a page that lets you calculate the visual limiting magnitude based on the actual environmental conditions, like temperature and humidity. The last page in this section is the sky map. The information provided in the sky map is rather complete. You can see the stars and constellations, along with the formal constellation boundaries. It even displays artwork for each of the constellations, showing you what they are supposed to look like.

Figure 2. The sky map provides a display of what the sky looks like at the current time.

The next section has information on the Earth and Moon. (Note: when moving between sections, be aware that the other sections do not automatically close.) You also can pull up a daylight map, showing what parts of the Earth are in daylight and which are in night. There are pages that show when the solar and lunar eclipses happen, along with dates for the equinoxes and solstices. The meteor page gives a listing of all of the known meteor showers, with the start, peak and end dates. It also helpfully gives the percentage of the moon phase, so that you can tell right away whether the night will be dark enough to have a good observing period. The moon map by default shows a full listing of sites of interest. Tapping on one of these points brings up a text label with the name of the site.

Figure 3. The daylight map shows you where on Earth it is day and night.

Figure 4. The moon map shows points of interest with pins on the map.

The solar system category extends available information farther out into space. The Conjunction/Opposition page provides a list of all times this year when planets either form a conjunction or an opposition. There are two pages, one for comets and one for near-Earth asteroids, where you can search for detailed information on specific comets or asteroids. You also can click the update button to pull a fresh listing from the Internet of what objects are known. There are four large moons orbiting Jupiter that are visible in a large pair of binoculars. Clicking on the Jupiter's Moons page brings up a map of their relative locations around Jupiter. A related page gives you the positions of the largest of Saturn's moons too. Viewing them will require at least a small telescope, though.

Figure 5. You can get a map of the locations of the four main Jovian moons.

Figure 6. You can get a map of the largest of Saturn's moons as well.

The Planetary Orbits page takes things even farther out, to see the relative positions of all of the planets within the solar system. As with the Moon map described previously, this section includes a Mars map, also with pins at locations of interest.

Figure 7. The relative locations of all of the planets are available on the Planetary Orbits page.

Figure 8. There is a Mars map with locations of interest.

The stars category takes you even farther out into space. The first selection provides a list of the brightest stars in the sky. The list includes the name, magnitude and location for each of these stars. The entire sky is divided up into constellations. The constellations page pulls up detailed information for the selected constellation. There also are pages with theoretical information about astronomy. For example, you can pull up a Hertzsprung-Russell Diagram showing how stars are categorized. The stellar classification page describes the ten classes of stars, with their temperature, mass, radius and luminosity characteristics. The last two pages in this section let you search for information on variable stars and visual binary stars.

Figure 9. You can get detailed information on constellations, including a map.

Figure 10. The Hertzsprung-Russell diagram shows how stars are categorized.

The deep sky section contains pages for several of the deep sky catalogs. The Caldwell and Messier catalogs are displayed as a list of all of the objects within the catalog. You can click on an object of interest and pull up detailed information for it. There also are sections where you can do searches for exoplanets and NGC/IC catalog objects.

The remainder of the sections provide functions to do common astronomy calculations. You can handle coordinate calculations, astrophotography and
telescope calculations. 4HE OBSERVATION LOG HELPS YOU TRACK YOUR OWN INFORMATION 4HERE IS A PAGE TO MANAGE ALL OF YOUR ASTRONOMICAL EQUIPMENT LIKE TELESCOPES EYEPIECES FILTERS and cameras. You also can log all OF YOUR OBSERVATIONS RECORDING ALL OF THE DETAILS OF INTEREST You can export your log, including whatever sections you need, so that you can incorporate it into some other Figure 11. You can get detailed DATABASE OF YOUR RESEARCH information on Messier catalog objects. .OW YOU HAVE NO EXCUSE FOR not going out and exploring the SKIES ABOVE YOU )N MY NEXT FEW ARTICLES ) PLAN TO LOOK AT SEVERAL OTHER SCIENTIFIC APPLICATIONS THAT YOU CAN USE ON YOUR !NDROID DEVICES FOR DOING PORTABLE SCIENCE Joey Bernard RETURN TO CONTENTS 30 | April 2016 | LinuxJournal.com LJ264-April2016.indd 30 3/22/16 10:13 AM LJ264-April2016.indd 31 3/22/16 10:13 AM PREVIOUS UpFront NEXT Reuven M. Lerner’s At the Forge My +1 Sword of Productivity V V EDITORS’ CHOICE ™ EDITORS’
CHOICE ★ )F )M BEING COMPLETELY HONEST ) THINK THE GAME IFICATION OF A DAILY TASK LIST IS A DUMB idea. I also love it, and can’t stress enough how well it works. Habitica might just be the way I get things done FROM NOW ON )M A PERFECTIONIST )F YOUVE EVER SEEN PHOTOS OF MY OFFICE OR HAIRDO YOU MIGHT NOT THINK THATS THE CASE BUT ) ASSURE YOU ITS TRUE 5NFORTUNATELY ONE OF THE BIG SIDE EFFECTS OF BEING A PERFECTIONIST IS PROCRASTINATION .OT LAZINESS BUT DELAYING OR REDOING TASKS UNTIL YOU CAN GET THEM JUST RIGHT )T CAN BE CRIPPLING FOR PRODUCTIVITY AND IRONICALLY THE RUSHED PRODUCT THAT RESULTS OFTEN IS SUB PAR TO WHAT WOULD HAVE BEEN CREATED IN THE FIRST PLACE (ABITICA TURNS THE STRUGGLES WITH PERFECTIONISM BACK ON THE PERFECTIONIST !LTHOUGH ) HONESTLY DONT CARE VERY MUCH ABOUT THE SWORDS AND SHIELDS ) EARN BY COMPLETING TASKS FOR SOME REASON THE IDEA OF LOSING (0 FOR SKIPPING A TASK IS DIFFICULT FOR ME TO ACCEPT ) FIND MYSELF DOING EXTRA hGOOD HABITSv THROUGHOUT THE
DAY just so my character is as good as he can be. Honestly, I’m surprised (ABITICA WORKS FOR ME ) STILL THINK ITS DUMB ) ALSO CANT STOP STRIVING FOR NEW EXPERIENCE LEVELS AND EARLY TASK COMPLETIONS 4HERES A GREAT 7EB VERSION OF THE FREE PROGRAM AT http://habitica.com, PLUS YOU CAN GET MOBILE VERSIONS FOR I/3 OR !NDROID VIA THEIR 32 | April 2016 | LinuxJournal.com LJ264-April2016.indd 32 3/22/16 10:13 AM EDITORS CHOICE RESPECTIVE APP STORES )N FACT (ABITICA IS SO UNIQUE AND SURPRISINGLY EFFECTIVE ITS EASILY MY PICK FOR %DITORS #HOICE THIS MONTH )F YOU think it sounds like a dumb idea, I completely agree. I also urge you TO TRY IT BECAUSE ) FIND IT INCREDIBLY AWESOME Shawn Powers RETURN TO CONTENTS 33 | April 2016 | LinuxJournal.com LJ264-April2016.indd 33 3/22/16 10:13 AM AT THE FORGE Pandas Reading data from CSV files, and then analyzing the data, is easy with Pandas. PREVIOUS Editors’ Choice NEXT Dave Taylor’s Work the Shell Reuven M. Lerner offers
training in Python, Git and PostgreSQL to companies around the world. He blogs at http://blog.lerner.co.il, tweets at @reuvenmlerner and curates http://DailyTechVideo.com. Reuven lives in Modi'in, Israel, with his wife and three children.

In my last article, I started discussing the amazing world of data science, in which you explore and navigate through data, trying to find correlations that might be of interest to your business and/or point to trends you should consider. Serious practitioners of data science use the full scientific method, starting with a question and a hypothesis, followed by an exploration of the data to determine whether the hypothesis holds up. But in many cases, such as when you aren't quite sure what your data contains, it helps to perform some exploratory data analysis: just looking around, trying to see if you can find something.

And, that's what I'm going to cover this month, using tools provided by the amazing Python ecosystem for data science, sometimes known as the SciPy stack. It's hard to overstate the number of people I've met in the past year or two who are learning Python specifically for data science needs. Back when I was analyzing data for my PhD dissertation, just two years ago, I was told that Python wasn't yet mature enough to do the sorts of things I needed, and that I should use the R language instead. I do have to wonder whether the tables have turned by now; the number of contributors and contributions to the SciPy stack is phenomenal, making it a more compelling platform for data analysis.

In my last article, I described how to filter through logfiles, turning them into CSV files containing the information that was of interest. Here, I explain how to import that data into Pandas, which provides an additional layer of flexibility and will let you explore the data in all sorts of ways, including graphically. Although I won't necessarily reach any amazing conclusions, you'll at least see how you can import data into Pandas, slice and dice it in various ways, and then produce some basic plots.

Pandas

NumPy is a Python package, downloadable from the Python Package Index (PyPI, http://PyPI.python.org), which provides a data structure known as a NumPy array. These arrays, although accessible from Python, are mainly implemented in C for maximum speed and efficiency. They also operate on a vector basis, so if you add a number to a NumPy array, you're adding it to every single element in that array. It takes a while to get used to this way of thinking, and to the fact that the array should have a uniform data type.

Now, what can you do with your NumPy array? You could apply any number of functions to it. Fortunately, SciPy has an enormous number of functions defined and available, suitable for nearly every kind of scientific and mathematical investigation you might want to perform. But in this case, and in many cases in the data science world, what I really want to do is read data from a variety of formats and then explore that data. The perfect tool for that is Pandas, an extensive library designed for data analysis within Python.

The most basic data structure in Pandas is a "series", which is basically a wrapper around a NumPy array. A series can contain any number of elements, all of which should be of the same type for maximum efficiency and reasonableness. The big deal with a series is that you can set whatever indexes you want, giving you more expressive power than would be possible in a NumPy array. Pandas also provides some additional functionality for series objects, in the form of a large number of methods.

But the real powerhouse of Pandas is the "data frame", which is something like an Excel spreadsheet implemented inside of Python. Once you get a table of information inside a data frame, you can perform a wide variety of manipulations and calculations, often working in similar ways to a relational database. Indeed, many of the methods you can invoke on a data frame are similar or identical in name to the operations you can invoke in SQL.

Installing Pandas isn't very difficult if you have a working Python installation already. It's easiest to use pip, the standard Python installation program, to do so:

    sudo pip install -U numpy matplotlib pandas

The above will install a number of different packages, overwriting the existing installation if an older version of a package is installed.

As good as Pandas is, it's even better when it is integrated with the rest of the SciPy stack and inside of the Jupyter (that is, IPython) notebook. You can install this as well:

    sudo pip install -U "jupyter[notebook]"

Don't forget the quotes, which ensure that the shell doesn't try to interpret the square brackets as a form of shell globbing. Now, once you have installed this, run the Jupyter notebook:

    jupyter notebook

If all goes well, the shell window should fill with some logfile output. But soon after that, your Web browser will open, giving you a chance (using the menu on the right side of the page) to open a new Python page. The idea is that you'll then interact with this document, entering Python code inside the individual cells, rather than putting it in a file. To execute the code inside a cell, just press Shift-Enter; the cell will execute, and the result of evaluating the final line will be displayed.

Even if I wasn't working in the area of data science, I would find the Jupyter Notebook to be an extremely clean, easy-to-use and convenient way to work with my Python code. It has replaced my use of the text-based Python interactive shell. If nothing else, the fact that I can save and return to cells across sessions means that I spend less time re-creating where I was the previous time I worked on a project.

Inside Jupyter Notebook, you'll want to load NumPy, Pandas and a variety of related functionality. The easiest way to do so is to use a combination of Python import statements and the %pylab magic function within the notebook:

    %pylab inline
    import pandas as pd
    from pandas import Series, DataFrame

The above ensures that everything you'll need is defined. In theory, you don't need to alias Pandas to pd, but everyone else in the Pandas world does, so I must admit that I avoided this alias for some time, but finally decided that if I want my code to integrate nicely with other people's projects, I really should follow their conventions.

Reading the CSV

Now, let's read the CSV file that I created for last month's article. As you might remember, the file contains a number of columns, separated by tabs, which were created from an Apache logfile. It turns out that CSV, although a seemingly primitive format for exchanging information, is one of the most popular methods for doing so in the data science world. As a result, Pandas provides a variety of functions that let you turn a CSV file into a data frame. The easiest and most common such function is read_csv. As you might expect, read_csv can be handed a filename as a parameter, which it'll read and turn into a data frame. But read_csv, like many other of the read_* functions in Pandas, also can take a file object, or even a URL.

I started by trying to read access.csv, the CSV file from last month's article, with the read_csv method:

    df = pd.read_csv("access.csv")

Unfortunately, this failed with a very strange error message, indicating that different lines of the file contained different numbers of fields. After a bit of thought and debugging, it turns out that this error is because the file contains tab-separated values, and that the default setting of pd.read_csv is to assume comma separators. So, you can retry your load, passing the sep parameter:

    df = pd.read_csv("access.csv", sep="\t")

And sure enough, that worked. Moreover, if you ask for the keys of the Pandas data frame you have just created, you get the headers, as they were defined at the top of the file. You can see those by asking the data frame to show you its keys:

    df.keys()

Now you can think of a data frame as a Python version of an Excel spreadsheet, or of a table in a two-dimensional relational database, but you also can think of it as a set of Pandas series objects, with each series providing a particular column.

I should note that read_csv and the other read_* functions in Pandas are truly amazing pieces of software. If you're trying to read from a CSV file and Pandas isn't handling it correctly, you either have an extremely strange file format, or you haven't found the right option yet.

Navigating through the Data Frame

Now that you've loaded the CSV file into a data frame, what can you do with it? First, you can ask to see the entire thing, but in the case of this example CSV file, there are a very large number of rows, which means that printing it out and looking through it is probably a bad idea. That said, when you look at a data frame inside Jupyter, you will see only the first few rows and last few rows, making it easier to deal with.

If you think of your data frame as a spreadsheet, you can look at individual rows, columns and combinations of those. You can ask for an entire column by using the column key name in square brackets, or even as an attribute. Thus, you can get all of the requested URLs by asking for the "r" column, as follows:

    df["r"]

Or like this:

    df.r

Of course, this still will result in the printing of a very large number of rows. You can ask for only the first few rows by using Python slice syntax, something that's often quite confusing for people when they start with Pandas, but which becomes natural after a short while. Remember that using an individual column name inside square brackets produces one column, whereas using a slice inside square brackets produces one or more rows. So, to see the first ten rows, you can say:

    df[:10]

And, of course, if you're interested only in seeing the first ten HTTP requests that came into the server, then you can say:

    df.r[:10]

When you ask for a single column from a data frame, you're really getting a Pandas series, with all of its abilities.

One of the things you often will want to do with a data frame is figure out the most popular data. This is especially true when working with logfiles, which are supposed to give you some insights into your work. For example, perhaps you want to find out which URLs were most popular. You can ask to count all of the rows in df:

    df.count()

This will give you a total of all rows. But you also can retrieve a single column, which is a Pandas series, and ask it to count the number of times each value appears:

    df["r"].value_counts()

The resulting series has indexes that are the values (that is, URLs) themselves, and also a count, in descending order, of the number of times each one appeared.

Plotting

This is already great, but you can do even better and plot the results. For example, you might want to have a bar graph indicating how many times each of the top ten URLs was invoked. You can say:

    df["r"].value_counts()[:10].plot.bar()

Notice how you take the original data frame, count the number of times each value appears, take the top ten of those, and then invoke methods for plotting via Matplotlib, producing a simple but effective bar chart. If you're using Jupyter and invoked %pylab inline, this actually will appear in your browser window, rather than an external program. You similarly can make a pie chart:

    df["r"].value_counts()[:10].plot.pie()

But wait a second. This chart indicates that the most popular URL, by a long shot, was /feed/, a URL used by RSS readers to access my blog. Although that's flattering, it masks the other data I'm interested in. You thus can use "boolean indexing" to retrieve a subset of rows from df and then plot only those rows:

    df[~df.r.str.contains("/feed/")]["r"].value_counts()[:10].plot.pie()

Whoa, that looks huge and complicated. Let's break it apart to understand what's going on:

- This used boolean indexing to retrieve some rows and get rid of others. The conditions are expressed using a combination of generic Python and NumPy/Pandas-specific syntax and code.

- This example used the str.contains method provided by Pandas, which enables you to find all of the rows where the URL contained "feed".

- Then the example used the normally bitwise operator ~ to invert the logic of what you're trying to find.

- Finally, the result is plotted, providing a picture of which URLs were and were not popular.

Reading the data from CSV and into a data frame gives great flexibility in manipulating the data and, eventually, in plotting it.

Conclusion

In this article, I described how to read logfile data into Pandas, and even executed a few small plots with it. Next month, I explain how you can transform data even more, to provide insights for everyone interested in the logfile.

RESOURCES

Data science is a hot topic, and many people have been writing good books on the subject. I've most recently been reading and enjoying an early release of the Python Data Science Handbook by Jake VanderPlas, which contains great information on data science as well as its use from within Python. Cathy O'Neil and Rachel Schutt's slightly older book, Doing Data Science, also is excellent, approaching problems from a different angle. Both are published by O'Reilly, and both are worth reading if you're interested in data science.

To learn more about the Python tools used in data science, check out the sites for NumPy (http://numpy.org), SciPy (http://SciPy.org), Pandas (http://pandas.pydata.org) and IPython (http://IPython.org). There is a lot to learn, so be prepared for a deep dive and lots of reading.

Pandas is available from, and documented at, http://pandas.pydata.org. Python itself is available from http://python.org, and the PyPI package index, from which you can download all of the packages mentioned here, is at http://PyPI.python.org.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

WORK THE SHELL: All about printf

Dave describes a
super-useful scripting command stolen from the C standard I/O library.

DAVE TAYLOR: Dave Taylor has been hacking shell scripts since the dawn of the computer era. Well, not really, but still, 30 years is a long time! He's the author of the popular Wicked Cool Shell Scripts and Teach Yourself Unix in 24 Hours (new edition just released!). He can be found on Twitter as @DaveTaylor and at his tech site: www.AskDaveTaylor.com

In my last article, I explored the surprising ability of the Linux shell to convert numeric bases on the fly, including this sweet little snippet that converts FF hexadecimal into decimal notation:

    $ echo $((0xFF))
    255

And, I discussed how you even could use the handy printf command within scripts too, such as this command to display decimal numbers in octal and hexadecimal:

    $ printf "octal: %o\nhex: %x\n" 42 42
    octal: 52
    hex: 2a

It's pretty neat stuff, but to be honest, I rarely find myself needing to convert numeric bases nowadays, so it's really something I file under "funky shell tricks". Your experience may be different, so it's still well worth learning anyway.

In this article, I thought it would be interesting to take a closer look at the printf command, because it is so darn powerful, but before going there, here's a quickie: some neat ways you can make your if-then statements be more succinct.

If/Then Statements

If you're like me, then you find yourself frequently writing conditional statement blocks in your shell scripts. Um, I mean:

    if [ you're like me ] ; then
       you find yourself...

Well, you get the idea. In fact, conditional expressions are where sequences of code turn into more sophisticated programs, whether they're a half-dozen lines long or hundreds of lines.

A typical conditional expression actually might look like this:

    if [ $(date +%w) -eq 0 ] ; then
       echo "It's Sunday"
    else
       echo "It's not Sunday"
    fi

This is clear and readable, but it sure takes up a lot of vertical space in a shell script. Fortunately, there are some ways you can tighten up things by using the && and || notations in your shell scripts.

The && notation means: if what's invoked prior to the && ends with a success return code, do what's subsequent. For example:

    test $(date +%w) -eq 0 && echo "Sunday"

If it's Monday afternoon when I run this code, I'll get no output, and the echo statement isn't even evaluated. But if it's Sunday, the above command will output appropriately.

The || notation offers the same basic functionality, but with the opposite logic: if the return code of the command prior to the || is a fail (non-zero) return code, then the subsequent command will be invoked:

    test $(date +%w) -eq 0 || echo "It's not Sunday yet"

You also can make this even more succinct by using the [] notational shortcut for a test; just remember to include the closing ] to ensure it's all well formed:

    [ $(date +%w) -eq 0 ] || echo "it's not Sunday yet"

The biggest limitation with this notation is that there's really no reliable and properly interpreted way to add an else clause. You can try something like this:

    cmd1 && cmd2 || cmd3

But because of precedence interpretation, it's likely to have cmd3 invoked if either cmd1 or cmd2 has a non-zero return code, which makes it functionally different from this:

    if cmd1 ; then
      cmd2
    else
      cmd3
    fi

All is not lost, however, because you always can use a lot of semicolons to move that onto a single line:

    if cmd1 ; then cmd2 ; else cmd3 ; fi

But, is it more readable? Is it really how you want to write your commands? Maybe. At least now you know.
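To make the precedence point concrete, here is an added example (not from Dave's column) that traces which of cmd1, cmd2 and cmd3 actually run under each form when cmd2 fails; step, chain_form and if_form are names made up for this demonstration.

```sh
#!/bin/sh
# Added example, not from the column: why "cmd1 && cmd2 || cmd3" is not an
# if/then/else. step, chain_form and if_form are names made up for the demo.

# step NAME STATUS: note that NAME ran, then exit with STATUS, so that
# calls to step can stand in for cmd1, cmd2 and cmd3 with chosen outcomes.
step() {
    TRACE="${TRACE}${1} "
    return "$2"
}

# chain_form STATUS1 STATUS2: the one-line form. "||" reacts to the status
# of the whole "cmd1 && cmd2" list, so a failing cmd2 also triggers cmd3.
chain_form() {
    set +e                       # errexit would abort on a failing step
    TRACE=""
    step cmd1 "$1" && step cmd2 "$2" || step cmd3 0
    printf '%s\n' "${TRACE% }"   # e.g. "cmd1 cmd2 cmd3" for 0 1
}

# if_form STATUS1 STATUS2: the semicolon-packed if/then/else. Only cmd1's
# status decides the branch, so cmd3 never runs after cmd2.
if_form() {
    set +e
    TRACE=""
    if step cmd1 "$1"; then step cmd2 "$2"; else step cmd3 0; fi
    printf '%s\n' "${TRACE% }"   # e.g. "cmd1 cmd2" for 0 1
}

# Side by side for every combination of cmd1/cmd2 outcomes; the two forms
# differ exactly in the row where cmd1 succeeds and cmd2 fails.
for s1 in 0 1; do
    for s2 in 0 1; do
        printf 'cmd1=%s cmd2=%s  chain: %-15s if: %s\n' \
            "$s1" "$s2" "$(chain_form "$s1" "$s2")" "$(if_form "$s1" "$s2")"
    done
done
```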
The Ever-Helpful printf Command

Now let's look at a completely different type of command, a command that is a built-in C programming language function that's so darn useful, it's now included in Linux as a standalone command.

In C and its brethren, the command shows up like this:

    printf(formatstring, arg, arg);

This actually is a shortcut for the more general fprintf() command, which prepends the file handle and would look more like the following:

    fprintf(stdout, formatstring, arg, arg);

It's not really relevant to this discussion, but hey, you should know this C programming nuance just so you know what's going on, right? Okay, okay, back to the shell.

The printf command is basically the same, just without the parentheses and commas:

    printf formatstring arg arg

Unlike the echo command, printf doesn't automatically append a carriage return/line feed sequence, so you can end up with odd results like this:

    $ printf "hello"
    hello$

The format string allows a number of backslash-escaped sequences to alleviate this problem, notably \n to produce the end-of-line carriage return.

Indeed, go back to the first few paragraphs of this column, and you'll notice I included this sequence:

    printf "octal: %o\nhex: %x\n" 42 42

Now you know what those \n sequences mean: each produces an end-of-line sequence. Additional escape sequences include \a for a bell (try it!), \b for a backspace, \t for a tab and \\ for a backslash character itself.

Where things get more interesting is with the specifics of the format string. All of these are denoted with the % symbol followed by the specific letter that specifies how the associated argument should be interpreted and displayed. Give it a decimal value but use %o, and it'll be output as octal, as shown earlier.

The most important sequences are:

- %c for a character

- %s for a string (a sequence of characters)

- %d for a decimal value

- %f for a floating-point (non-integer) value

There are nuances, of course, and in particular, displaying floating-point numbers can be quite complicated because of the various notational conventions used. You can read the printf man page for much more detail on that.

Just about every format sequence also allows you to specify a field width and a precision, which is where all of this gets both complicated and interesting.

Let's consider the floating-point number 3.141596 and how printf might display it in different ways:

    $ pi=3.141596
    $ printf "%d\n" $pi
    -bash: printf: 3.141596: invalid number
    0

That shouldn't be a surprise: you can't interpret a floating-point number as an integer. Use %f instead:

    $ printf "%f\n" $pi
    3.141596

That's the default, and printf is showing its default precision for the floating-point value. Let's see what happens if you specify a zero precision, that is, zero digits subsequent to the decimal point:

    $ printf "%.0f\n" $pi
    3

That makes sense. But what if it's actually currency you're working with, and you want to be able to ensure that you don't get weird values like 3.141596 as a value?

    $ printf "%.2f\n" $pi
    3.14

Where this really gets interesting is when you want to line up values in columns, allocating a fixed number of characters of space per field. That's the field width, and it appears prior to the decimal point on the formatting string specifier (or by itself, if there's no decimal point):

    $ printf "|%15f|\n" $pi
    |       3.141596|

You can combine things too:

    $ printf "|%10.2f|\n" $pi
    |      3.14|

You also can use field width specifiers with strings, which is particularly interesting:

    $ printf "|%20s|%20s|\n" "one" "two"; printf "|%20s|%20s|\n" "three" "four"
    |                 one|                 two|
    |               three|                four|
    $

I'm running out of space, but I encourage you to check out the printf command and its many tricks to help you create more attractive output from your shell scripts. And don't forget, if you have an idea for a shell script I should tackle, or a game I should consider, please don't hesitate to send an e-mail to ljeditor@linuxjournal.com.
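As an added example (not from the column), the following script puts the width and precision specifiers just shown to work on a small aligned report, and deals with the "%d refuses a non-integer" failure seen above with $pi; row, as_int and report are names made up here, and the values fed to them are constructed sample data.

```sh
#!/bin/sh
# Added example, not from the column: field width and precision put to work
# on a small aligned report. row, as_int and report are names made up here;
# the values fed to them are constructed sample data.

# row LABEL VALUE: LABEL left-aligned in 12 columns (the "-" flag), VALUE
# right-aligned in 10 columns with two decimals, as you would for currency.
row() {
    printf '|%-12s|%10.2f|\n' "$1" "$2"
}

# as_int VALUE: printf "%d" rejects a non-integer such as $pi (shown above),
# so round with "%.0f" first and only hand the result to "%d". Anything that
# is not made of digits, "." and "-" is refused with status 1.
as_int() {
    case "$1" in
        ""|*[!0-9.-]*) return 1 ;;
    esac
    printf '%d\n' "$(printf '%.0f' "$1")"
}

# report: a header row, then one line per constructed sample value.
report() {
    printf '|%-12s|%10s|\n' "item" "amount"
    row "pi" 3.141596
    row "e" 2.718281828
    row "answer" 42
}

report
as_int 3.141596
```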
advantages and challenges we face with this massive platform.” Jamie Tyndall, Manager, Application Development, Business Information Group Learn what’s new in SharePoint and Office 365! Whether you want to learn about what’s coming in SharePoint 2016, are still making the most out of SharePoint 2013 or even 2010, or getting started with Office 365, you will find the SharePoint and Office 365 training you need at SPTechCon. “This was a great conference that addresses all levels, roles and abilities. Great variety of classes, great presenters, and I learned many practical things that I can take back and start implementing next week.” Kathy Mincey, Collaboration Specialist, FHI 360 “As a newcomer to SharePoint, SPTechCon was an excellent way to begin learning more of its vast capabilities. This conference is a great way to hear about technical features and success stories of the product. Great vendors too I will be following up with several of them about their products.”
Jeffrey Wahl, IT Services Manager, Carbonite, Inc. A BZ Media Event www.sptechconcom SPTechCon™ is a trademark of BZ Media LLC. SharePoint® is a registered trademark of Microsoft LJ264-April2016.indd 49 3/22/16 10:13 AM HACK AND / Secure Desktops with Qubes: Introduction KYLE RANKIN Kyle Rankin is a Sr. Systems Administrator in the San Francisco Bay Area and the author of a number of books, Learn about next-generation desktop security with Qubes. including The Official Ubuntu Server Book, Knoppix Hacks and PREVIOUS Dave Taylor’s Work the Shell NEXT Shawn Power’s The Open-Source Classroom currently the president V V Ubuntu Hacks. He is of the North Bay Linux Users’ Group. THIS IS THE FIRST IN A MULTIPART SERIES ON 1UBES /3 A SECURITY FOCUSED OPERATING SYSTEM THAT IS FUNDAMENTALLY DIFFERENT FROM ANY OTHER ,INUX DESKTOP I’ve ever used and one I personally switched to during THE PAST COUPLE MONTHS )N THIS FIRST ARTICLE ) PROVIDE AN OVERVIEW OF WHAT 1UBES IS
some of the approaches it takes that are completely different from what you might be used to on a Linux desktop, and some of its particularly interesting security features. In future articles, I'll give more how-to guides on installing and configuring it and how to use some of its more advanced features.

When it comes to Linux security, server security tends to get the most attention. When you are hardening servers, you generally try to limit what any individual server does and use firewalls to restrict access between servers to only what is necessary. In a modern environment where a server is running only SSH plus maybe one or two other networked services, there are only a few ways for an attacker to get in. If a particular server does get hacked, ideally you can detect it, isolate that server and respond to the emergency while the rest of your environment stays up.

Desktop Linux security is a completely different challenge because of just how many different things you do with your desktop. Each action you take with your desktop computer opens up a new way to be compromised. Web browsing, especially if you still have certain risky plugins like Flash installed, is one major way a desktop can be compromised. E-mail is another popular attack vector, since you need to open only one malicious e-mail attachment or click on one malicious phishing link for an attack to succeed. Linux desktops also often are used as development platforms, which means users might be downloading, building and executing someone else's code or running services directly on their desktop to test out their own code. Although some Linux users are smug when they think about all of the malware on other platforms, the fact is that the days when Windows was the only desktop OS in town are over, and these days much of the malware is written in a cross-platform way so that it can run on many different operating systems.

The biggest issue with desktop Linux security is what's at risk if you do get hacked: all of your personal data. This could be anything from user names and passwords to important accounts like your bank or credit-card accounts, your social-media accounts, your domain registrar or Web sites you shopped at in the past that have your credit-card data cached. An attack could expose all of your personal photos or access to private e-mail messages. Attackers could leave behind a Remote Access Trojan that lets them get back into your machine whenever they want, and in the meantime, they could snoop on you with your Webcam and microphone. They even could compromise your SSH, VPN and GPG keys, which opens up access to other computers.

The core idea behind how Qubes provides security is an approach called security by compartmentalization. This approach focuses on limiting the damage an attacker can do
by separating your activities and their related files into separate virtual machines (VMs). You then assign each VM a certain level of trust based on the level of risk that VM presents. For instance, you may create an "untrusted" VM that you use for your generic, unauthenticated Web browsing. You then might have a separate, more trusted VM that you use only to access your bank. You may decide to create a third, highly trusted VM that has no network access at all that you use to manage off-line documents. If you also work from your personal computer, you may create separate VMs for personal versus work activities, with the work VM being more trusted. If you browse to a malicious Web site with your untrusted Web browser, the attacker won't have access to your banking credentials or personal files, since you store those on different VMs. Qubes even provides disposable VMs: one-time-use VMs that are deleted completely from disk after the application closes.

How Qubes Works

Although you certainly could use any of the virtual machine technologies out there to set up multiple VMs on your regular Linux desktop, that kind of arrangement can end up being pretty clunky, especially if you don't want multiple desktop environments running inside their own windows. There also are all kinds of mistakes you could make with that kind of setup that would eliminate any security benefits you might get. For instance, how should you share files or copy and paste between VMs securely, and how do you keep all of those VMs up to date with security patches? Where a traditional Linux distribution made it easy for you to get all of the software you wanted to use without having to download and compile it all, Qubes provides a number of extra tools that make it easy to manage a desktop full of different virtual machines, all with different levels of trust. Qubes also approaches all aspects of the desktop with security at the forefront and uses secure defaults throughout the OS. In doing so, Qubes makes it more difficult (but not impossible) for you to shoot yourself in the foot.

Qubes uses Xen to provide all of its virtualization (if you want to know why Qubes chose that over other technologies, see the FAQ on the Qubes site). Instead of each VM having its own complete desktop environment, Qubes uses the more privileged dom0 Xen VM as a host for the desktop environment (currently Qubes gives you the choice of KDE or XFCE, although the community has contributed others), and the other VMs display individual application windows within dom0's desktop environment. So launching Firefox in Qubes behaves much like you would expect in any other desktop distribution. The main difference, however, is that Qubes lets you color-code each of your VMs based on level of trust, ranging from red (untrusted) to black (ultimately trusted), with a number of different rainbow colors in between. When you launch an
application from an application VM (appVM in Qubes parlance), the VM starts up (if it wasn't started before), then the application appears with a window border that is colorized based on the color you assigned its appVM. So if you have two instances of Firefox on your desktop at the same time, you can tell your untrusted Web browser from your banking Web browser, because the untrusted one might be colored red while your banking browser might be colored green. Figure 1 provides a screenshot from the Qubes documentation that demonstrates the point.

Figure 1. Multiple Windows with Different Colors

Since the dom0 VM has privileged access to data about the other VMs in Xen, Qubes goes to extra lengths to protect it by having only the desktop environment run from it and by removing all network access from dom0. You are encouraged to do as little as possible in dom0, and instead you should use appVMs for any applications you want to run. Qubes even intentionally makes it more difficult to copy files to or from dom0 compared to copying them between appVMs. In the dom0 desktop environment's application menu, each VM has its own submenu where you can launch each of its applications (Figure 2). Qubes provides tools so all of those submenus don't become too unwieldy, and you can select which applications appear under which appVM's menu.

Figure 2. Qubes Application Menu

Sharing Information between AppVMs

When you have multiple windows open, however, that raises the question of how do you copy and paste? An insecure approach might be to share the clipboard between all windows, but then the risk would be that if you logged in to a Web site in a trusted Web browser by copying and pasting from your password manager, that password would be readable by any other appVMs that happened to be running. Instead, Qubes provides a two-tier approach to clipboards. Each appVM has its own clipboard, and you can copy and paste within that appVM as normal. If you want to copy from one appVM and paste to another, once you have put the data in one appVM's clipboard, you press Ctrl-Shift-C to put it in the global clipboard, then highlight the window you want to paste into and press Ctrl-Shift-V to paste that data into that VM's clipboard and wipe it from the global clipboard. Then you can paste inside that application as normal. It's definitely an extra, cumbersome step, but you would be surprised at how quickly you adapt to Ctrl-C, Ctrl-Shift-C, change window, Ctrl-Shift-V, Ctrl-V. It definitely helps you prevent accidentally pasting information into the wrong window.

Qubes also provides a command-line tool and right-click menu options in the UI file manager, so you can copy or move a file between appVMs. When you attempt this, you get a prompt in a black-bordered window the appVM doesn't control, so you can
accept this file transfer. Even then, the file doesn't appear wherever you want on the destination VM (otherwise an attacker could overwrite important files with backdoored versions). Instead, the files show up in a QubesIncoming directory inside your home directory.

TemplateVMs, Persistence and Backdoor Protection

Another area where Qubes provides an extra level of protection for a desktop user is in how it handles persistence. If attackers compromise a normal desktop, they can install backdoored versions of utilities like ls or bash, or add extra programs that are triggered to start at boot. With Qubes, appVMs are based off templateVMs that have base installs of Fedora, Debian or Whonix by default (the community has provided templates for other popular distributions). When you create a new appVM, you choose which template it is based from, and when you start it, that appVM gets a read-only version of that template's root filesystem. Although the user inside the appVM still can install software or change the root filesystem, when that appVM shuts down, all of those changes are erased. Only the /rw, /usr/local and /home directories persist. This means your browser history and settings will stick around, but if an attacker did compromise your browser and tried to install a backdoor into bash or Firefox, the next time you rebooted that appVM, the backdoor would be gone. Also, by default, appVMs do not launch any common init services like cron automatically. That means attackers also couldn't just add a user cron entry that launched the backdoor. Although it's true that attackers could store a malicious program in your appVM's home directory, the next time you reboot the appVM, the program no longer would be running, and they would have no way to launch it again automatically.

So how do you install software? Because each appVM uses a root filesystem based on its templateVM, when you want to install new software, you launch the software manager from the templateVM and install the application with yum, apt-get, the UI equivalent or whatever other method you normally would use to install the software. Qubes then detects any new application menu items you've added and makes them available to the appVMs based on that template. The only gotcha is that those newly installed applications are unavailable to appVMs until those appVMs restart. Because compromising the templateVM compromises every appVM based on it, Qubes generally encourages you to leave templateVMs off, to not run general applications from them, and to turn them on only when you add trusted software. Although this does add an extra bit of work when you want to install
software, it also provides a nice benefit in that when you need to apply a security update, you just need to update the templateVM, and when you restart each appVM, it will get the update.

Network Security with netVMs

Another way Qubes provides security is by compartmentalizing the network. Upon installation, Qubes will create a few special system VMs called network VMs (netVMs) named sys-net, sys-firewall and sys-whonix. The sys-net netVM is assigned any networking hardware on your host, so it's unavailable to any other VM. Because this netVM is the only one with an IP on the external network, it's considered untrusted and colored red. You use Network Manager to configure this netVM with any credentials it needs to connect to wireless networks, and its Network Manager applet shows up on your desktop as normal. The sys-firewall VM (technically classified as a proxyVM) is colored green and connects to sys-net for its network access. By default, any appVMs you create then use sys-firewall for their network access.

Why all this complexity? First, sys-firewall acts as a true firewall for all of your appVMs. Although by default all appVMs can talk to the Internet unrestricted, Qubes provides a UI tool that makes it easy to lock down individual appVMs so that they can access only certain hosts on the network. For instance, you could restrict your banking appVM so that it can talk only to the HTTPS port on your banking Web site, or restrict an e-mail appVM to talk only to your remote mail server. You even could restrict other VMs so that they could talk only to hosts on your internal network. Anyone who wants to attack one of your appVMs has to go through sys-net and sys-firewall. This also means if attackers do compromise an appVM, they don't have direct access to network hardware, so they can't, for instance, automatically connect to a different wireless access point. The sys-whonix VM acts like sys-firewall, except that it automatically sets up a secure Tor router. Any appVMs that use sys-whonix instead of sys-firewall or sys-net for their network have all of their traffic routed over Tor automatically. Qubes also provides an anon-whonix appVM by default that uses the security- and anonymity-focused distribution Whonix, and it includes the Tor browser and routes all traffic through sys-whonix by default.

I'm sure you already can see a number of areas where Qubes provides greater security than you would find in a regular Linux desktop. Hopefully you have a sense of what a different approach Qubes takes from what you might be used to. With Qubes, you find yourself thinking much more about how you should isolate files and information and what attackers could get if they successfully compromised one of your appVMs. Even the extra copy-and-paste and file-copy steps force you to confront whether you are transferring information from an untrusted VM to a trusted one and think through the implications. I've found the extra security measures actually let me relax a little bit more than I would otherwise, because, for instance, I know an e-mail attachment I open in a disposable VM can't do me much harm, or a malicious Web site in my untrusted Web browser can't access anything of value.

I've touched on only some of the higher-level security features in Qubes with this article. In my next article, I will describe how to download and install Qubes, explain how to use Qubes as a desktop OS, including some of the basic features of the Qubes VM Manager and other Qubes-specific tools, and give some examples for how you might organize your day-to-day desktop use across appVMs. I'll follow up with an article describing more advanced Qubes features, including split GPG (a method that allows appVMs to use your GPG private key without having direct access to it), how to manage links more securely with default application handlers, how to open e-mail attachments automatically in disposable VMs, and how to create a USBVM that isolates all of your USB devices for you (and why you would want to do that).
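To make the per-appVM firewall policy from the netVM section above concrete, here is an added example that is not Qubes's own code and not the UI tool the article mentions: it models what sys-firewall decides for an appVM from a default policy plus a list of allow rules (destination host or CIDR, protocol, port range), covering the article's banking, e-mail and internal-network cases and the generalization to address ranges. The VM names, hostnames and addresses are constructed sample values, and the name-to-address map stands in for DNS.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed name-to-address map standing in for DNS; the names and
# addresses are sample values, not real hosts.
FAKE_DNS = {
    "bank.example.com": "203.0.113.10",
    "mail.example.net": "198.51.100.25",
}


@dataclass(frozen=True)
class Rule:
    """One allow rule: destination host or CIDR, protocol, inclusive port range."""
    dst: str                      # "bank.example.com" or "10.0.0.0/8"
    proto: str = "any"            # "tcp", "udp" or "any"
    ports: tuple = (1, 65535)

    def matches(self, ip: str, proto: str, port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        low, high = self.ports
        if not low <= port <= high:
            return False
        # A bare hostname resolves to a single address (a /32 network);
        # a CIDR string is used as written.
        target = FAKE_DNS.get(self.dst, self.dst)
        return ip_address(ip) in ip_network(target, strict=False)


@dataclass
class AppVMPolicy:
    """What sys-firewall enforces for one appVM: a default plus allow rules."""
    name: str
    default_allow: bool = True    # Qubes' default: unrestricted Internet
    rules: list = field(default_factory=list)

    def allows(self, ip: str, proto: str, port: int) -> bool:
        if any(rule.matches(ip, proto, port) for rule in self.rules):
            return True
        return self.default_allow

    def is_locked_down(self) -> bool:
        """Allow rules only restrict anything when the default is deny."""
        return not self.default_allow


def build_policies() -> dict:
    """The article's three scenarios plus two reference VMs, as constructed policies."""
    banking = AppVMPolicy("banking", default_allow=False,
                          rules=[Rule("bank.example.com", "tcp", (443, 443))])
    email = AppVMPolicy("email", default_allow=False,
                        rules=[Rule("mail.example.net", "tcp", (993, 993)),
                               Rule("mail.example.net", "tcp", (587, 587))])
    internal = AppVMPolicy("work-internal", default_allow=False,
                           rules=[Rule("10.0.0.0/8")])
    untrusted = AppVMPolicy("untrusted")   # default allow, no rules
    # A common misconfiguration: rules added but the default left at allow.
    leaky = AppVMPolicy("banking-leaky",
                        rules=[Rule("bank.example.com", "tcp", (443, 443))])
    return {p.name: p for p in (banking, email, internal, untrusted, leaky)}


def audit(policies: dict, attempts: list) -> list:
    """Evaluate (vm, ip, proto, port) attempts; return those that would be allowed."""
    return [a for a in attempts if policies[a[0]].allows(*a[1:])]


if __name__ == "__main__":
    policies = build_policies()
    attempts = [  # constructed sample connection attempts
        ("banking", "203.0.113.10", "tcp", 443),
        ("banking", "203.0.113.10", "tcp", 80),
        ("banking", "198.51.100.25", "tcp", 443),
        ("email", "198.51.100.25", "tcp", 993),
        ("email", "198.51.100.25", "tcp", 25),
        ("work-internal", "10.20.30.40", "tcp", 22),
        ("work-internal", "192.0.2.7", "tcp", 22),
        ("banking-leaky", "192.0.2.7", "tcp", 80),
    ]
    allowed = audit(policies, attempts)
    for attempt in attempts:
        verdict = "allow" if attempt in allowed else "deny"
        print(f"{attempt[0]:14} -> {attempt[1]}:{attempt[3]}/{attempt[2]}  {verdict}")
    for policy in policies.values():
        if not policy.is_locked_down():
            print(f"note: {policy.name} has no effective restriction")
```

The banking-leaky policy shows the check worth making after using the UI tool: allow rules restrict nothing unless the appVM's default policy is deny.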
THE OPEN-SOURCE CLASSROOM
Jarvis, Please Lock the Front Door
SHAWN POWERS

I'm like Tony Stark, but my Jarvis is named Alexa.

Shawn Powers is the Associate Editor for Linux Journal. He's also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don't let his silly hairdo fool you, he's a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.

Years ago, we put out a request for articles on home automation. About the time Eureka came out on TV, people wanted to have their very own SARAH (Self-Actuated Residential Automated Habitat), and it seemed like the perfect time for nerds everywhere to make their houses smart. The problem was, although a few programs existed (MisterHouse, for example), the hardware wasn't really reliable or highly available. The X10 company was about the only game in town hardware-wise, and it tended to be glitchy without much advantage over traditional switches. In recent years, a glut of products has been dumped onto the market, all touting options for
automated lighting, wireless switches and so on. Unfortunately, most were very closed and proprietary, forcing users to stick to a specific brand. That probably was the goal, but it backfired, because the concept of branding my house with proprietary hardware and software was anathema. Thankfully, times are changing, and the product that made me jump into the home automation pool with both feet is a surprisingly proprietary one: Amazon Echo. But more on that later.

Wireless Communication

Several brands of home automation devices use standard Wi-Fi (2.4GHz) to communicate. At first glance, that seems like a good idea. Unfortunately, the 2.4GHz frequency is so cluttered, adding more devices might be counterproductive. It's also a high-bandwidth type of protocol, which is just not needed for simple switching and communication. Most home automation devices, regardless of brand, focus on the 900MHz spectrum. You might remember 900MHz from the days of cordless phones (not cell phones, rather the old cordless phones from the 1990s). For several reasons, 900MHz network devices have never really gone mainstream, which means the frequency isn't oversaturated. It also penetrates walls better, making it perfect for connecting devices around your home.

Figure 1. SmartThings is my choice for the most flexible platform upon which to build.

Unfortunately, everyone has been trying to become "the standard" in home automation, making the various brand names often incompatible with each other. When I decided to start using home automation devices, I wanted something that was compatible with the most products. For me, that meant SmartThings from Samsung. It supports the very common Z-Wave protocol and the ZigBee protocol, which is similar but is based on an actual IEEE standard (IEEE 802.15.4). Unfortunately again, even though SmartThings supports Z-Wave and ZigBee, that doesn't mean it has native support for all devices that use Z-Wave or ZigBee. It might be able to communicate with them wirelessly, but it's sorta like using a standard phone line. Just because I can call someone in Germany doesn't mean we'll be able to understand each other once connected. That downfall is actually another reason I chose SmartThings over the alternatives. Even though it doesn't support all devices, it does have a very open development platform that allows users to write device drivers for any product the
SmartThings hub can find. That even includes devices it can't communicate with directly, like my Nest thermostat. The developer community is very active, and drivers for devices are usually easy to implement. Be sure to google the device before you buy it though, because some products are just so closed, communicating with them is currently not possible (I'm looking at you, Insteon).

The Actual Automation

This is starting to feel like an advertisement for SmartThings, but really it's just my opinion based on lots of research and time using it. When it comes to using your phone to turn lights on and off or lock doors, most brands work just fine. With SmartThings, however, you can go one step further and write programs that have actual intelligence. Those programs can be shared, and many are available in the SmartThings Marketplace. You can add these "SmartApps" to your system and provide a wide variety of actions based on events. For example, if SmartThings detects my front door opening (due to either detecting motion on the front porch via motion sensor, door opening via door sensor or lock unlocking via manual code entry on my Z-Wave deadbolt), it checks the current time of day and compares that to the sunrise/sunset. If it's dark, it turns my entryway light on for five minutes, then turns it back off. That might seem like a fairly complicated event for a simple action, but that's the beauty of programmatically dealing with mundane house activities. It requires no thought, and the house responds intelligently every time without any interaction on my part.

Figure 2. The Marketplace is full of SmartApps ready to download.

If you're not a programmer, that doesn't mean you're left out of the automation game. SmartThings (and in all fairness, several other platforms too) integrates with If This Then That (http://ifttt.com) for trigger-based actions that will interact with your home. Want to get a call or text if your house senses motion? You could pay for an expensive security system, or you could just have IFTTT call you when SmartThings triggers a motion event. With the flexibility of IFTTT, your smart house becomes one more thing you can add to your recipes.

Figure 3. IFTTT with SmartThings makes your smart house even smarter.

Call Me Alexa

I mentioned earlier that the Amazon Echo is really what convinced me to start delving into the home automation world. That's largely because although the Android app for SmartThings is very nice, it's not very nice if you're a guest. I do have many Z-Wave physical switches installed, so lights can be manipulated in the traditional way, but if you have a smart house, you want it to be convenient for people. That's where the integration with Amazon Echo comes into play. Interacting with SmartThings
via Alexa can happen in two basic ways. First, there is direct integration with SmartThings. Unfortunately, the direct integration is limited to turning switches on and off. That sounds great, and it is, but there's so much more I'd like Alexa to do. That's where Alexa and IFTTT come into play. In fact, I do just as much integration with Alexa and IFTTT as I do with SmartThings. Alexa isn't perfect, and sometimes the verbiage has to be perfect in order for it to function properly. That said, it's nice to crawl into bed and say:

Figure 4. Alexa can do IFTTT things even if you don't use SmartThings!

■ "Alexa, turn off all lights." "All lights" is an Alexa group of SmartThings switches all around our house.

■ "Alexa, trigger door locks." This starts an IFTTT recipe that tells SmartThings to lock all the deadbolts.

■ "Alexa, bedroom lamps to [percentage]." This turns on our reading lamps and dims them to that level.

■ "Alexa, turn on box fan." This activates an outlet, turning on the fan my wife needs in order to sleep at night.

■ "Alexa, turn on night mode." This triggers a SmartThings virtual switch, which actually activates a certain string of events, which happens to include all of the above actions.

Don't Skimp on Physical Switches

If I lived alone and never had houseguests, I wouldn't need any physical switches in my house at all. (I'd also smell worse and probably be unshaven.) But because I live in a house with my family, it's very important that our "smart house" is adding value instead of adding unneeded complexity. For example, it's sometimes difficult to get Alexa to do exactly what I want. For some tasks, it's required to say "Alexa, trigger ACTION", and for other things it's "Alexa, turn on ITEM_OR_TASK". Plus, if you have a house full of people or if the television is playing, Alexa often can't hear what you're saying clearly. In situations like that, it's vitally important to have a plain old switch on the wall to turn things on and off. Thankfully, adding a smart switch in place of a traditional light switch often gives you the best of both worlds. You can use traditional or LED light bulbs and get the automation by utilizing a wall switch that will turn the lights on and off via physical switching or wireless control. In fact, rather than buying smart light bulbs, I generally try to replace switches instead. A smart bulb is effective only if it's powered on, and if you keep your old switch, you inevitably will shut off the power, making your smart bulbs as dumb as ever.

Getting Started

Rather than just telling you to go buy a specific product, it's important to figure out what you want to accomplish with home automation. I eventually want every possible aspect of my house to be automatic,
scriptable or voice-controlled. My wife would be just as happy with Alexa and a few smart light bulbs. When you stick to something basic like an Amazon Alexa and some Philips Hue lights, the integration is really simple. For my personal goals, using a central hub like the Samsung SmartThings Hub was ideal. I can add devices to it. It supports a wide variety of brands and technologies. The open nature of the system means customizations can be made, even some specific to my needs (assuming I learn the programming language). Rather than taking my word for it, I urge you to research the various brands and see what fits into your world the best. Insteon, for example, has the nicest-looking switches available and a wide variety of products for sale. As long as you're happy being limited to those products, it's hard to beat the quality.

Show and Tell

After all the warnings about researching for yourself, it seems only fair to list my experiences with the handful of products I'm currently using, in no particular order.

Samsung SmartThings Home Monitoring Kit ($249): This is a pricy kit, but it includes not only the hub (only one hub required per house, regardless of the number of devices you have), but also a smart outlet, motion sensor with temp sensor and two door sensors with vibration detection. This is a great way to start, because it gives you multiple devices that sense things and an outlet to "do" something. You easily can add a few smart light bulbs and make it a complete system.

Figure 5. The Samsung SmartThings Home Monitoring Kit is a great way to start your adventure.

Amazon Echo ($179): There's actually a few other options for using Alexa. The new Echo Dot has all the same home automation features; it just doesn't have the nice sound system included with the full-blown Echo. It does have audio out, however, so you potentially could build yourself an even better Alexa. Also, Amazon Fire TV includes Alexa. That version doesn't have all the functionality of the Echo or Echo Dot, but it does support all the home automation features.

Figure 6. The original Amazon Echo or the new Echo Dot both work well for home automation.

Leviton DZPD3-1LW Z-Wave Lamp Dimmer ($33.95): Rather than install a bunch of expensive light bulbs in our living room lamps, I just bought this dimmer and plugged all the lamps (with extension cords) into the single dimmer module. It allows for on/off functionality, plus it dims all the lamps as well. Note: it's very important not to plug electronic equipment into the lamp
dimmer. It basically provides a brown-out situation and can ruin things like televisions.

Figure 7. This is a great device for dimming lamps. Unfortunately, it's also great for ruining televisions. Be careful!

Enerwave ZWN-SC7-W 7-Button Scene Controller ($42.99): The problem with the lamp dimmer module is that it doesn't include any switches. Since I replaced a wall-mounted outlet switch with the dimmer module, I just used that junction box and wired this controller in place of the old switch. It required custom programming in order to make it work with SmartThings, but the code is stable and freely available from the SmartThings development community. I use only one of the seven buttons at this point, but I'll use the others for things like lowering my projector screen in the future.

Figure 8. Enerwave 7-Button Scene Controller. I use only the single big button now, but all seven are usable.

Kwikset 910 Z-Wave Smartcode Deadbolt ($150): This was an expensive purchase, but since we had to replace our locks anyway (we recently moved in and have no idea who has keys to the old locks), it was a good time to make the investment. I'm really glad we did. Using one of the door sensors from the kit above, I have the deadbolt set to lock automatically when the door has been closed for a minute. That means as long as the door is shut, it's effectively locked as well. I sleep a lot better knowing the doors are locked whether I checked them or not. Plus, the programmable codes mean we won't have to re-key the lock later, just change codes if they are compromised.

Figure 9. This Kwikset deadbolt was expensive, but I think it was worth it. There's a more expensive version available too, with individual buttons for the numbers.

Aeon Labs Aeotec Z-Wave Home Energy Meter ($94.90): I can't get this to work. I basically want to monitor the usage on our home circuit breaker to see when and what electricity we're using. Unfortunately, I can't get the dumb thing to work with my SmartThings hub. Others have succeeded, so I just need to spend more time on it. I mention it because I don't want everyone to think things always go smoothly. This is technology after all, and technology is frustrating.

Figure 10. This Aeon Labs Home Energy Meter will be cool, if I can ever get it working!

GE 12727 Z-Wave Lighting Control Smart Toggle Switch ($40): These look, at a quick glance, like a standard light switch. The "flipper", however, is always in the center position and can be bumped up or down to trigger the on/off action. It doesn't actually switch to up or down, but activates a switch and then returns to the center position. This is so that if you turn the light on with the switch, then off

Figure 11. It feels weird, but it works like any other switch...sorta.
Perfect for dimming lights, but make sure they’re dimmable bulbs! WITH ELECTRONIC AUTOMATION THE SWITCH ISNT IN THE hWRONGv POSITION )T TAKES A LITTLE GETTING USED TO BUT THE FUNCTION IS STRAIGHTFORWARD EVEN FOR FOLKS WHO DONT KNOW ITS A SMART SWITCH 4HEY JUST THINK ITS WEIRD GE 12724 Z-Wave Smart Dimmer ($40): 4HIS IS THE SAME AS THE above toggle switch, but includes dimming technology. It’s also a WIDE hPADDLEv TYPE SWITCH )T FUNCTIONS THE SAME WAY IN THAT IT returns to a middle position, but it’s less noticeable with this switch than with the toggle switch. You basically tap the top to turn lights ON AND THE BOTTOM TO TURN LIGHTS OFF 4O DIMUNDIM YOU JUST HOLD THE button up or down. SmartenIt Three-Button ZigBee Switch ($49.99): 4HIS IS A BATTERY OPERATED SWITCH WHICH FUNCTIONS A BIT LIKE THE SEVEN BUTTON SWITCH MENTIONED EARLIER BUT WITH FOUR FEWER BUTTONS !LSO SINCE ITS BATTERY OPERATED YOU CAN PLACE IT ANYWHERE 7E ACTUALLY PUT THIS 72 | April 2016 |
LinuxJournal.com LJ264-April2016.indd 72 3/22/16 10:13 AM THE OPEN-SOURCE CLASSROOM Figure 13. The Smartenlt Three-Button ZigBee Swtich is great for sticking places that don’t have power lines. BY OUR BED SO WE CAN TURN OUR LAMPS ONOFF DIM WITH THE TOUCH OF A BUTTON 7E CAN DO THE SAME WITH !LEXA BUT ITS NICE TO HAVE THE TACTILE OPTION AS WELL 4HIS IS ONE OF THE ONLY AVAILABLE BATTERY OPERATED SWITCHES THAT )VE FOUND WHICH IS FRUSTRATING BECAUSE BATTERY OPERATED SWITCHES ARE PERFECT FOR A SMART HOUSE THAT DOESNT REQUIRE YOUR SWITCHES TO BE HARD WIRED INTO THE HOUSE POWER GE Link Wireless A19 Smart Dimmable LED Light Bulb, 60-Watt Equivalent ($15): 4HESE BULBS ARE CHEAP !T THEYRE HARDLY MORE EXPENSIVE THAN A NON SMART ,%$ BULB BUT THEY ARE DIMMABLE AND WORK WITH 3MART4OOLS ) USE THESE IN OUR BEDROOM LAMPS )N FACT SMART BULBS ARE BEST USED IN LAMPS WHERE THE CORDS are plugged in so the bulbs have constant power. I used bulbs INSTEAD OF A COMMON DIMMER FOR BOTH
LAMPS NEXT TO OUR BED SO WE CAN HAVE THEM ONOFF INDEPENDENTLY 4HE THREE BUTTON SWITCH mentioned previously manages both lamps at once, but Alexa can MANAGE THEM INDIVIDUALLY OR AS A GROUP )TS WINWIN 4HE ONLY thing I don’t like about them is that although they do dim, it’s not AN EVEN DISTRIBUTION FROM n 4HERES HARDLY ANY VARIATION 73 | April 2016 | LinuxJournal.com LJ264-April2016.indd 73 3/22/16 10:13 AM THE OPEN-SOURCE CLASSROOM BETWEEN n AND the bulbs really get dim only when you go to OR BELOW 4HATS JUST a nitpick, however, and THE PRICE OF THE BULBS MAKES it a complaint I can happily live with. Figure 14. These GE LinkWireless Smart Dimmable LED bulbs are cheap, but occasionally difficult to pair properly. The cost makes them worth the hassle. Is Your Home Smart? !S WITH MOST OF MY ARTICLES I write about things I love. )F YOU HAVE IMPLEMENTED smart technology in your house, I’d love to hear about it. Just put something like ;3-!24 (/-%= IN
THE SUBJECT line, and drop me a message at shawn@linuxjournal.com )M SURE )LL FOLLOW UP WITH cool things I do or horrible mistakes I make along the path to my FUTURE ROBOT ARMYER ) MEAN SMART HOME )LL BE SURE TO SHARE THE TIPS YOU SEND IF ) FIND THEM USEFUL Q Send comments or feedback via http://www.linuxjournalcom/contact or to ljeditor@linuxjournal.com RETURN TO CONTENTS 74 | April 2016 | LinuxJournal.com LJ264-April2016.indd 74 3/22/16 10:13 AM May 16–19, 2016 Austin, TX The original (also the biggest, baddest & broadest) open source gathering comes to Austin. Save 20% Register today. Use code PCLinuxJournal LJ264-April2016.indd 75 3/22/16 10:13 AM NEW PRODUCTS PREVIOUS Shawn Power’s The Open-Source Classroom NEXT Feature: Rock-Solid Encrypted Video Streaming V V NEW PRODUCTS Linaro Announces Software Reference Platform for ARM With the launch of its Software Reference Platform for ARMv8-A processors, Linaro is proud to enable both a complete
end-to-end open-source server software stack and access to enterprise-class ARM-based server hardware for developers. The build for the Linaro Enterprise Group is a complete reference implementation for ARM servers, including open-source boot software and firmware implementing the ARM Trusted Firmware, UEFI and ACPI standards, a Linux 4.4 kernel, tested latest Debian and CentOS distributions, OpenStack, OpenJDK, Hadoop and Spark. A build for the Linaro Mobile Group also is available. Linaro expects the platform to be utilized by Linaro members and the wider community for enterprise products and cloud-instance development and deployment. During 2016, the Linaro Software Reference Platform releases will provide market-segment-specific application stacks to support an increasing range of data-center, networking and home-gateway applications. http://linaro.org

Kolab Systems AG and Collabora's CloudSuite

The chemistry created by the Kolab Systems-Collabora Productivity partnership enabled CloudSuite, the first 100% open-source, enterprise-grade cloud office suite. Kolab Systems' contribution is its Kolab open-source groupware and collaboration framework; Collabora Productivity is the architect behind LibreOffice Online, the cloud-based office productivity suite. The integration of CloudSuite into Kolab allows users to work on documents simultaneously using a full-featured on-line office suite. Collaboratively, they can compose text documents, fill spreadsheets and design presentations, even from different locations. Documents can be saved in Microsoft-compatible and Open Document formats. The CloudSuite offering also includes Collabora Office, a professional LibreOffice distribution, for off-line use on the desktop. An important motivation for both firms in this effort involves a desire to move away from closed and insecure solutions to ones that respect users' freedoms, protect their privacy and guarantee their work will not be locked away in proprietary formats. http://kolabsys.com, http://collaboraoffice.com

AdaCore's SPARK Pro

With this new version of the SPARK Pro toolset, AdaCore comes one step closer to its goal of making the writing of proven software both efficient and pleasant. As part of its new SPARK Pro 16 integrated development and verification environment, AdaCore further simplifies software engineers' transition to greater reliance on static verification and formal proofs, without the need for expertise in mathematical logic. SPARK Pro 16 also provides enhanced coverage of the SPARK 2014 language features and now supports the Ravenscar tasking profile, thus extending the benefits of formal verification methods to a safe subset of Ada 2012 concurrent programming features. This new SPARK Pro can generate counter-examples to verification conditions that cannot be proved, making it easier for developers to find defects in the functional code or in the supplied contracts. Finally, SPARK Pro 16 also improves the handling of bitwise/modular operations, and the product's proof engine now includes the Z3 SMT solver. http://adacore.com

Canonical and BQ's Aquaris M10 Ubuntu Edition Tablet

Canonical's broad vision for Ubuntu Linux is to offer a single, converged personal computing experience across devices. This vision has taken a leap forward with the launch of the Aquaris M10 Ubuntu Edition tablet, "the first fully converged Ubuntu device", released by Canonical together with its European partner, BQ. As a converged device, the Aquaris M10, with its dynamically adaptive user experience, is capable of providing both a true tablet and the full Ubuntu desktop experience. The former becomes the latter by simply plugging in a monitor via the HDMI port or connecting a keyboard and mouse via Bluetooth. Canonical hopes to offer customers everything they have come to expect from an Ubuntu PC, now on the tablet. Ubuntu is already the preferred desktop OS for more than 30 million users worldwide, and the first Ubuntu phones have proven successful as well. With this latest software release and the launch of the Aquaris M10 Ubuntu Edition, Canonical notes that Ubuntu is now the only platform that runs both a mobile-based full-touch interface and a true PC experience from a single smart device. Hundreds of apps and scopes (content-specific home screens) already are available in the Ubuntu App Store. http://ubuntu.com/tablet

BitTorrent Inc.'s Sync

The Sync application from BitTorrent Inc. is simple yet powerful, offering the ability to move large amounts of data directly between devices. The new Sync 2.3 provides new features to support power users seeking to unlock Sync's full potential. BitTorrent says that Sync is simple to use in combination with a cloud provider's storage space or NAS to ensure data redundancy for backup. Of course, having data stored anywhere on third-party infrastructure is a serious concern. The new Encrypted Folder feature in Sync 2.3 solves this issue by providing the ability to encrypt data at rest on any designated location. Encrypted Folders can be shared to read-only nodes to provide an off-site snapshot of data without providing direct access, or users can deploy multiple Encrypted Folders to increase the reliability of a peer swarm. Another new feature is support for moving data to and from an SD card on Android 5+ devices. Finally, Selective Sync support is available on all flavors of Sync for Linux. Users download only the files they need, when they need them, without having to replicate entire folders on their beloved Linux boxes. http://bittorrent.com

ACI Worldwide's UP Retail Payments

As customers of global-payments solution provider ACI Worldwide retire aging platforms, they are clamoring for Linux-based options. ACI Worldwide has responded with a Red Hat Enterprise Linux version of UP Retail Payments, a complete and customizable end-to-end enterprise payments solution. UP Retail Payments, targeted at banks and processors, combines the benefits of ACI's BASE24 and UP BASE24-eps solutions. BASE24 is ACI's retail payment platform; UP Framework orchestrates any payment type, channel, currency or network. ACI's approach with this solution is like a bridge between BASE24 customers' current systems and evolving end-user demands, enabling them to continue running some or all of their systems into the foreseeable future. This strategy lowers risk and costs, adds ACI, eliminating the need to "rip and replace" systems to address emerging payment needs. ACI emphasizes the advantages of the new RHEL version of UP Retail Payments, such as a 50% reduction in TCO while increasing performance, scalability and reliability. http://aciworldwide.com

EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager

The elegance of open source is on full display with new product releases like EnterpriseDB's (EDB's) new PostgreSQL-based database solutions. On the heels of the significant PostgreSQL 9.5 update come two EnterpriseDB solutions that take Postgres further, namely EDB Postgres Advanced Server 9.5 and EDB Postgres Enterprise Manager 6.0. EDB Postgres Advanced Server integrates additional capabilities and security into Postgres that large companies and governments require in order to use it, and this new v9.5 features the following: preconfigured integration with Hadoop and MongoDB, enhanced security with password profiles, expanded compatibility with Oracle to ease and speed migrations, and dramatic performance increases through vertical scaling optimizations. Meanwhile, EDB Postgres Enterprise Manager, EDB's single console for tuning, monitoring and administering large Postgres deployments, adds enhancements as well in this v6.0 release. These include Nagios support, failover management, a streaming replication wizard, audit log alerts and an improved alert UI. http://enterprisedb.com

Varnish Software's Hitch

Making life easier for the 2.2 million Web sites that deploy the Varnish Cache HTTP engine is the point of Hitch from Varnish Software. The recently updated Hitch is a scalable, open-source network proxy designed to handle tens of thousands of connections on multicore machines efficiently. Maker Varnish describes Hitch's benefits as easy configuration, a low memory footprint and the ideal way of terminating client-side SSL/TLS for Varnish. The deployment process for Varnish Cache is streamlined by the support for the PROXY protocol, which lets Varnish consider the original client's endpoints as if there were no TLS proxy in between. Hitch is tested on Linux, but works on other *nixes as well. Hitch's features include support for TLS 1.0–1.2; SNI, with and without wild-card certificates; support for HAProxy's PROXY protocol; seamless run-time configuration reload; and performance of up to 15,000 listening sockets and 500,000 certificates. http://hitch-tls.org, http://varnish-software.com

Please send information about releases of Linux-related products to newproducts@linuxjournal.com or New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.
FEATURE: Rock-Solid Encrypted Video Streaming Using SSH Tunnels and the BeagleBone Black

Gain a deep understanding of SSH port forwarding by implementing a streaming video server on a BeagleBone Black.

RAMON CRICHLOW

You probably have used SSH as a remote login shell, but you also can use ssh in a number of unexpected but very useful applications. One such use is tunnelling, or port forwarding, which is an effective method of accessing networked hosts located behind routers, firewalls and NAT gateways. As an added benefit, SSH encrypts the data passing through the tunnel, increasing the security of your communications. This article shows you how to set up stable and resilient SSH tunnels that will survive network outages, computer reboots and idle connection timeouts.

Understanding SSH Tunnelling

The SSH man page describes SSH as "a program for logging into a remote machine and for executing commands on a remote machine. X11 connections and arbitrary TCP ports can also be forwarded over the secure channel". Starting at the socket level, let's take a look at how SSH forwards TCP ports securely. It's easiest to begin with an example. Figure 1 illustrates the data path for TCP packets traveling between hosts charlie and sam. In this example, the following command was executed on charlie:

    $ ssh -L 4444:127.0.0.1:5555 some_user@sam

Figure 1. Data Path for TCP Packets Traveling between Hosts Charlie and Sam

This command directs the SSH client on charlie to forward port 4444 to port 5555 on sam. The -L flag indicates that port 4444 is on the local (or client) host, which in this case is charlie, where the ssh command was executed. When this command runs, several actions take place:

1. The SSH program establishes a connection to sam using the default SSH port.

2. The SSH process on charlie creates a server socket bound to localhost:4444 and begins listening.

3. When an arbitrary user process creates a client socket and connects to the server socket at 4444, the SSH process encrypts the data, then transmits it over the SSH connection established in step 1 to sam.

4. The SSH server on sam decrypts the data.

5. The SSH server creates a client socket and writes the data to the host and port specified in the ssh command, which in this case is 127.0.0.1:5555. 127.0.0.1 is, of course, the loopback or localhost address.

6. The arbitrary user server process on sam that created the server socket bound to 5555 receives the data.

Understanding SSH Commands

The location of the server socket and client socket is key to understanding how SSH tunnels work. As Figure 1 shows, SSH tunnels always result in the creation of a client and server socket. In a forward tunnel, the local host creates the server socket and the remote host creates the client socket. In a reverse tunnel, the local host creates the client socket and the remote host creates the server socket. The local host is the machine where the ssh command was executed.

The remote host to which the port is forwarded does not have to be the SSH server. Consider the following command executed on charlie:

    $ ssh -L 1234:www.some_website.com:80 some_user@sam

In this instance, charlie creates a server socket bound to port 1234. If you run a Web browser on charlie and point it to localhost:1234, SSH securely forwards the connection to sam, where the SSH server creates a client socket and connects to the Web server at some_website.com:80. This command can be used to connect to a server from a private network on which it is blocked.

Reverse SSH tunnels work exactly the same way, except that the remote host creates the server socket and the local host creates the client socket. The -R option instructs the SSH process to create a reverse tunnel:

    $ ssh -R 1234:www.some_website.com:80 some_user@sam

This command, executed on charlie, creates a server socket on sam at port 1234. A browser running on sam and connecting to port 1234 on sam would have its traffic encrypted and routed to charlie, and thence to some_website.com.

One source of confusion when using 127.0.0.1 or localhost in port forwarding commands is determining which host is the localhost from the point of view of the tunnel. One way to resolve where localhost refers is to remember that a client socket at the end of the tunnel is used to connect to the specified host; thus localhost is the machine that creates the client socket. For forward tunnels, 127.0.0.1 refers to the remote SSH server, and for reverse tunnels, 127.0.0.1 refers to the client machine where the ssh command executes.

Now let's look at using SSH tunnelling to stream video from a BeagleBone Black. An Amazon Web server configured with a public static IP will serve as a relay where the video can be viewed.

Amazon Web Server Configuration

Follow these steps to create and configure an EC2 instance. Amazon has an excellent set of instructions on its Web site documenting each step if you encounter problems.

1. Sign up for an AWS account at https://aws.amazon.com/free. The AWS Free Tier is free for one year at the time of this writing; however, be aware that if you exceed the bandwidth limit, it will trigger charges to your credit card.

2. Open the EC2 dashboard by clicking on the "EC2 virtual servers in the cloud" tab and create an EC2 instance. Select the Ubuntu
Server LTS (HVM) image. Note carefully the location of the downloaded private key file (.pem), as you will need it to ssh in to your EC2 instance.

3. Assign a public static IP to your instance using the Elastic IP tab under the EC2 dashboard.

4. Open the SSH port on your instance by creating a new security group.

5. Assign the newly created security group to your instance.

The final step is to configure the keep-alive time for the SSH server. Append the following lines to /etc/ssh/sshd_config (note: it is sshd_config, not ssh_config):

    # vi /etc/ssh/sshd_config
    ClientAliveCountMax 3
    ClientAliveInterval 60

Then reboot:

    $ sudo shutdown -r now

ClientAliveInterval is a timeout interval. If a connection has been idle for ClientAliveInterval seconds, the sshd server will send a message through the encrypted channel to request a response from the client. ClientAliveCountMax sets the maximum number of client alive messages that may be sent without any client response. If this threshold is reached, sshd will disconnect the client, terminating the session.

BeagleBone Black Configuration

Many intermittent BeagleBone Black problems can be resolved by using a DC power supply instead of powering the BeagleBone over USB. Likewise, it is safer to use a powered USB hub when connecting multiple USB devices.

I used a BeagleBone Black Rev C to complete the steps outlined in this article. The default Debian image as shipped at the time of this writing was Debian GNU/Linux 7.4 (wheezy):

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID: Debian
    Description:    Debian GNU/Linux 7.4 (wheezy)
    Release:        7.4
    Codename:       wheezy

The kernel was upgraded to bone79 using the built-in script:

    $ cd /opt/scripts/tools/
    $ git pull
    $ sudo ./update_kernel.sh
    $ sudo reboot
    $ uname -r
    3.8.13-bone79

I used a Logitech HD Webcam C270 for the USB Webcam.

Installing mjpg-streamer

To complete these steps, ensure that your BeagleBone has a live Internet connection. Log in to your BeagleBone and type:

    $ cd
    $ wget https://github.com/shrkey/mjpg-streamer/raw/master/mjpg-streamer.tar.gz
    $ tar -xvf ./mjpg-streamer.tar.gz
    $ cd mjpg-streamer
    $ make

Note that in the following scripts and commands, you must replace my_beagle with its IP address.

Plug in your Webcam. You can use lsusb to check that it has enumerated properly:

    $ lsusb
    Bus 001 Device 003: ID 046d:0825 Logitech, Inc. Webcam C270

If the Webcam doesn't enumerate, leave it connected and reboot the BeagleBone.

Start mjpg_streamer:

    $ ./mjpg_streamer -i "./input_uvc.so" -o "./output_http.so -w ./www -p 8090"

Check whether the BeagleBone is streaming video by opening a browser on a host on the same network as the BeagleBone and browsing to http://my_beagle:8090/?action=stream.

Now create a script to start mjpg_streamer:

    $ cd
    $ mkdir scripts
    $ cd scripts
    $ vi mjpg_streamer.sh

    #!/bin/bash
    # Start mjpg_streamer only if it is not already running.
    # --resolution is an input_uvc.so option; -w and -p belong to output_http.so.
    if ! pgrep -f /home/debian/mjpg-streamer/mjpg_streamer
    then
        /home/debian/mjpg-streamer/mjpg_streamer \
            -i "/home/debian/mjpg-streamer/input_uvc.so --resolution QVGA" \
            -o "/home/debian/mjpg-streamer/output_http.so -w /home/debian/mjpg-streamer/www -p 8090"
    fi

    $ chmod +x mjpg_streamer.sh

Create a cronjob that checks whether mjpg_streamer is running once per minute:

    $ crontab -e
    * * * * * /home/debian/scripts/mjpg_streamer.sh

At this point, the video server is running on port 8090 with QVGA resolution and will restart automatically when the BeagleBone is rebooted.

SSH Setup

To ssh in to your EC2 instance, you will need to copy the private key to the BeagleBone. The private key is the .pem file that you downloaded when configuring the EC2 instance. You can copy the private key to the BeagleBone using scp, which coincidentally also uses the SSH protocol to transfer files between hosts. So from the computer where you downloaded the private key, type:

    $ scp my_private_key.pem debian@my_beagle:~/

Now log in to the BeagleBone and type:

    $ chmod 0400 my_private_key.pem

Next, look up the public IP of my_amazon. The public IP for my_amazon can be found in the Elastic IP tab in the AWS console. Test that you can ssh in to your EC2 instance by typing:
    $ ssh ubuntu@my_amazon -i my_private_key.pem

To make things easier, let's set up an alias to store the EC2 information. Append these lines to the end of /etc/ssh/ssh_config:

    $ sudo vi /etc/ssh/ssh_config

    Host ec2
            HostName my_amazon
            IdentityFile /home/debian/my_private_key.pem
            User ubuntu
            ServerAliveInterval 60
            ServerAliveCountMax 2

Replace my_amazon with its public IP address. ServerAliveInterval and ServerAliveCountMax are the client-side analogs to ClientAliveInterval and ClientAliveCountMax. They function in exactly the same way. Now typing the following should log you in to your EC2 instance:

    $ ssh ec2

autossh Configuration

Many how-tos explain how to use SSH commands for port forwarding, but fail to describe how to keep the SSH tunnel alive. One common challenge in keeping network connections up is managing the router or firewall inactive connection timeout. Routers often will close a connection if it is idle for a certain period, sometimes closing a connection if it is idle for as few as five minutes. Server reboots and network outages also obviously can kill the tunnel. Fortunately, there is a ready-made utility that monitors SSH connections and restarts them when they die: autossh. The ServerAlive configuration flags you added to send a packet periodically through the tunnel will defeat the inactive connection timeout. Install autossh on my_beagle by typing:

    $ sudo apt-get install autossh

Now, let's write a startup script that launches autossh at boot time using the init.d facilities. Create a script named tunnel in /etc/init.d:

    $ cd /etc/init.d
    $ sudo vi /etc/init.d/tunnel

    #!/bin/bash
    ### BEGIN INIT INFO
    # Provides:          tunnel
    # Required-Start:    $local_fs $remote_fs $network $syslog $named
    # Required-Stop:     $local_fs $remote_fs $network $syslog $named
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Start/stop ssh tunnel
    ### END INIT INFO

    set -e  # abort at first error
    LOGFILE=/home/debian/my_autossh.log
    export AUTOSSH_GATETIME=0  # prevents autossh from exiting if the first
                               # attempt fails
    export AUTOSSH_PIDFILE=/home/debian/my_autossh.pid

    case $1 in
     start)
      # Reverse tunnel: the server socket listens on port 5555 of the EC2 host;
      # the client socket on the BeagleBone connects to mjpg_streamer on 8090.
      su -c "date >>$LOGFILE; autossh -M 0 -N -R 5555:localhost:8090 \
       ec2 &>>$LOGFILE" -s /bin/bash debian
      ;;
     stop)
      if [ -e $AUTOSSH_PIDFILE ]
      then
       kill -9 `cat $AUTOSSH_PIDFILE`
      fi
      ;;
     *)
      echo "Usage: /etc/init.d/tunnel {start|stop}"
      exit 1
      ;;
    esac

    $ sudo chmod +x tunnel
    $ sudo update-rc.d tunnel defaults
    $ sudo shutdown -r now

PC Setup

Since this is a video streaming application, it is likely that you want to view the video stream on different computers. This can be achieved by allowing the sshd server on your AWS server to forward connections from any host and by setting a password on mjpg_streamer for security. I'll explain how to do that shortly; however, this exposes mjpg_streamer to brute-force password attacks. The intruder would only be able to view the video stream, but that may not be desirable.

One alternative is to create a forward tunnel and stream the encrypted video over this tunnel. This requires installing the private key on whatever machine you are viewing from, as well as
setting up the tunnel.

Secure Video Streaming

To reduce typing, create an alias for your EC2 as you did on my_beagle:

    $ sudo apt-get install autossh
    $ vi ~/.ssh/config

    Host ec2
            HostName my_amazon
            IdentityFile path_to/my_private_key.pem
            User ubuntu
            ServerAliveInterval 60
            ServerAliveCountMax 2

The command to create a forward tunnel to my_amazon is the following:

    $ ssh -L 1234:localhost:5555 ec2

The choice of the local server port 1234 is arbitrary; it can be any port. Port numbers under 1024 will require root access, however. Once this command is executed, start a browser and open http://localhost:1234/?action=stream. You should see the live video stream from the Webcam on my_beagle.

You can make this tunnel permanent by adding a startup script following the same model as before:

    $ cd /etc/init.d
    $ sudo vi /etc/init.d/forwardtunnel

    #!/bin/bash
    ### BEGIN INIT INFO
    # Provides:          forwardtunnel
    # Required-Start:    $local_fs $remote_fs $network $syslog $named
    # Required-Stop:     $local_fs $remote_fs $network $syslog $named
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Start/stop ssh forwardtunnel
    ### END INIT INFO

    set -e  # abort at first error
    LOGFILE=/home/your_username/my_autossh.log  # CHANGE YOUR_USERNAME!!
    export AUTOSSH_GATETIME=0  # prevents autossh from exiting if the first
                               # attempt fails
    export AUTOSSH_PIDFILE=/home/your_username/my_autossh.pid  # CHANGE YOUR_USERNAME!!

    case $1 in
     start)
      # Forward tunnel: the server socket listens on local port 1234; the client
      # socket on the EC2 host connects to its own port 5555 (the reverse tunnel).
      su -c "date >>$LOGFILE; autossh -M 0 -N -L 1234:localhost:5555 \
       ec2 &>>$LOGFILE" -s /bin/bash your_username  # CHANGE YOUR_USERNAME!!
      ;;
     stop)
      if [ -e $AUTOSSH_PIDFILE ]
      then
       kill -9 `cat $AUTOSSH_PIDFILE`
      fi
      ;;
     *)
      echo "Usage: /etc/init.d/forwardtunnel {start|stop}"
      exit 1
      ;;
    esac

    $ sudo chmod +x forwardtunnel
    $ sudo update-rc.d forwardtunnel defaults
    $ sudo shutdown -r now

Note that you will have to change your_username in the above to your user name.

Unsecured Video Streaming

Unsecured video streaming permits anyone with the correct user name and password to connect to the mjpg_streamer server and view the video stream. Although mjpg_streamer has password protection, it is vulnerable to brute-force attacks. However, the convenience of viewing the video stream from any platform, without the private key and without setting up a forward tunnel, may be worth it.

First, let's add some security by requiring anyone viewing the Webcam to authenticate with the correct user name and password, by using the authentication option to mjpg_streamer. On the BeagleBone:

    $ vi /home/debian/scripts/mjpg_streamer.sh

    #!/bin/bash
    # --resolution is an input_uvc.so option; -c (credentials) belongs to output_http.so.
    if ! pgrep -f /home/debian/mjpg-streamer/mjpg_streamer
    then
        /home/debian/mjpg-streamer/mjpg_streamer \
            -i "/home/debian/mjpg-streamer/input_uvc.so --resolution QVGA" \
            -o "/home/debian/mjpg-streamer/output_http.so -w /home/debian/mjpg-streamer/www -p 8090 -c userNamE:Passw0rd"
    fi

    $ shutdown -r now

Change userNamE:Passw0rd to one of your own invention. The user name is unrelated to any account on your BeagleBone.

The second change is to set the GatewayPorts flag to yes on the Amazon Web server:

    # vi /etc/ssh/sshd_config
    ClientAliveCountMax 3
    ClientAliveInterval 60
    GatewayPorts yes
    # service ssh restart

Once the SSH tunnels are re-established, browsing to http://my_amazon:5555/?action=stream will open the video stream after entering the correct user name and password. The GatewayPorts flag controls whether the sshd server forwards connections from external hosts (GatewayPorts yes) or only from localhost (GatewayPorts no).

Conclusion

In this article, I have described how to set up secure and reliable SSH tunnels, explained the underlying mechanism behind SSH tunnelling and implemented a secure video streaming server accessible from external networks without requiring any router or firewall changes. Another configuration you might explore is a tunnel to an sshd server on your BeagleBone. With this tunnel, you could log in remotely from any external network. Happy tunnelling!

Ramon v3.0 is an embedded software AI with a keen interest in real-time video streaming. Having outgrown several Saskatchewan-based hard drives, he now resides diffusely in the Google cloud.

FEATURE: Stunnel Security for Oracle

Replace database TLS for simplified best-practice compliance.

CHARLES FISHER

Oracle has integrated modern Transport Layer Security (TLS) network encryption into its eponymous database product, and TLS usage no longer requires the Advanced Security option as of recent database releases.
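The SSH feature above explains a tunnel as a server socket on one host paired with a client socket on the other, and stunnel, introduced here, wraps a clear-text listener in the same socket arrangement with TLS on the accepting side. The following Python program is an added example written for this page; it is not code from either article, from OpenSSH or from stunnel. describe_forward() states, for an ssh -L or -R specification, which host creates which socket and therefore on which host "localhost" in the specification is resolved, and start_forwarder() is a minimal unencrypted relay on loopback that does what the tunnel endpoints do: listen, accept, connect to the destination and copy bytes both ways. The echo server standing in for mjpg_streamer, the host names charlie and sam, and the request payload are constructed for the example.

```python
"""Socket-level model of SSH port forwarding.

Added example, not code from the article, OpenSSH or stunnel: a tunnel is a
listening server socket on one host plus a connecting client socket on the
other, with bytes copied between them. The relay below does that on loopback
without encryption; stunnel wraps a clear-text listener the same way, with
TLS on the accepting side. charlie/sam are the article's example host names.
"""
import socket
import threading


def describe_forward(flag, spec, local_host="charlie", remote_host="sam"):
    """Which host creates which socket for an ssh -L/-R specification.

    spec is the ssh form [bind_address:]port:host:hostport. The host part
    (including 'localhost' or 127.0.0.1) is resolved on whichever machine
    creates the client socket, which is the usual point of confusion.
    """
    parts = spec.split(":")
    if len(parts) == 4:
        _bind_address, port, host, hostport = parts
    elif len(parts) == 3:
        port, host, hostport = parts
    else:
        raise ValueError("expected [bind_address:]port:host:hostport")
    if flag == "-L":    # forward: listen locally, connect from the remote side
        listener, connector = local_host, remote_host
    elif flag == "-R":  # reverse: listen remotely, connect from the local side
        listener, connector = remote_host, local_host
    else:
        raise ValueError("flag must be -L or -R")
    return {
        "server_socket_on": listener,
        "listen_port": int(port),
        "client_socket_on": connector,
        "destination": (host, int(hostport)),
        "destination_resolved_on": connector,
    }


def _pump(src, dst):
    """Copy src to dst until EOF, then half-close dst so the far end sees EOF."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(handler):
    """Bind a loopback server socket (port picked by the OS), accept in the
    background, hand each connection to handler, and return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the service behind the tunnel (mjpg_streamer
    in the article): it sends every byte it receives straight back."""
    def echo(conn):
        _pump(conn, conn)
        conn.close()
    return _serve(echo)


def start_forwarder(dest_host, dest_port):
    """The tunnel: a server socket here and, per accepted connection, a
    client socket to (dest_host, dest_port), as ssh -L port:host:hostport does."""
    def relay(conn):
        target = socket.create_connection((dest_host, dest_port))
        pumps = [threading.Thread(target=_pump, args=(conn, target), daemon=True),
                 threading.Thread(target=_pump, args=(target, conn), daemon=True)]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        conn.close()
        target.close()
    return _serve(relay)


def send_through(port, payload):
    """Act as the browser: connect to the tunnel's port, send, read until EOF."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))


if __name__ == "__main__":
    print(describe_forward("-R", "5555:localhost:8090"))
    tunnel_port = start_forwarder("127.0.0.1", start_echo_server())
    print(send_through(tunnel_port, b"GET /?action=stream HTTP/1.0\r\n\r\n"))
```

For the article's reverse tunnel, describe_forward("-R", "5555:localhost:8090") reports the server socket on sam (the EC2 host) and the client socket on charlie (the BeagleBone), so "localhost" there is the BeagleBone, which is why the browser on the EC2 side reaches mjpg_streamer. Two caveats follow from general OpenSSH and AWS behaviour rather than from the article: if autossh restarts the reverse tunnel before the EC2 host's sshd has timed out the previous session (ClientAliveInterval times ClientAliveCountMax, 180 seconds with the values above), port 5555 is still bound, ssh reports that the remote port forwarding failed but keeps running without it, and autossh -M 0 sees a live ssh process and does nothing; ExitOnForwardFailure yes in the client's ssh_config makes ssh exit in that case so autossh retries. And with GatewayPorts yes the listener on 5555 is reachable from wherever the instance's security group allows, so that rule, not only sshd, decides who can reach the password-protected stream.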
Legacy configurations lacking TLS exchange encrypted passwords, but the session payload is transmitted in clear text and is intercepted easily by anyone with control over the intermediate network. Databases holding sensitive content should avoid clear-text traffic configurations.

It is possible to use the stunnel utility to wrap the Oracle Transparent Network Substrate (TNS) Listener "invisibly" with TLS encryption as an isolated process, and this configuration appears to be compatible both with Oracle's sqlplus command-line utility and with database links that are used for distributed transactions between multiple database instances.

There are several benefits to stunnel over the TNS Listener's native TLS implementation:

■ The stunnel utility can be far less expensive. Older Oracle database releases required the Advanced Security option to use TLS, which is licensed per CPU according to the latest pricing (http://www.oracle.com/us/corporate/pricing/technology-price-list.pdf), but TLS is now included with Standard Edition (SE) (https://oracle-base.com/articles/misc/configure-tcpip-with-ssl-and-tls-for-database-connections).

■ The stunnel utility and the associated dependent libraries (that is, OpenSSL) are patched far more often, and updates can be applied immediately with no database "bounce" if stunnel is used in an "inetd" configuration. Oracle issued eight total patched versions of OpenSSL for Oracle Linux in a single year (see the SRPMS-updates directory at https://oss.oracle.com). Database patches are issued only four times per year at regular quarterly intervals, and require instance bounces (outages). An urgent SSL/TLS update will have lengthy delays when implemented as a database patch, due in part to an overabundance of caution by most DBAs, but will be far easier to apply as a simple OS utility patch with no downtime. For this reason, security-sensitive code that may require immediate updates should be kept out of the database server whenever possible. The stunnel utility meets this requirement very well.

■ The stunnel utility can run as a separate user and group inside a "chroot jail" that has limited visibility to the rest of the system. Oracle's server TLS implementation runs with the full privilege of the TNS Listener. A compromise of the TLS engine can be drastically less dangerous if it is confined within a chroot jail. Privilege separation and chroot are well-recognized security techniques, and many security-sensitive installations likely will disable listener TLS for this reason alone.

Let's proceed with adding stunnel TLS services to Oracle.

Server Configuration

I am assuming that the reader is familiar with Oracle databases and the procedures to start up an instance and the TNS Listener. For reference, let's assume that a database SID "mydb" is running, and an example listener dæmon is launched on the IP address 1.2.3.4 with the following commands:
export ORACLE_SID=mydb ORACLE_HOME=/home/oracle/Ora12c/db

$ORACLE_HOME/bin/lsnrctl start

The listener will generate a startup message similar to the output below:

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 19-FEB-2016 13:18:55

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Starting /home/oracle/Ora12c/db/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.1.0.2.0 - Production
System parameter file is /home/oracle/Ora12c/db/network/admin/listener.ora
Log messages written to /home/oracle/Ora12c/diag/tnslsnr/HOSTNAME/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=1.2.3.4)(PORT=1521)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=1.2.3.4)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Start Date                19-FEB-2016 13:18:55
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Parameter File            /home/oracle/Ora12c/db/network/admin/listener.ora
Listener Log File         /home/oracle/Ora12c/diag/tnslsnr/HOSTNAME/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=1.2.3.4)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
Services Summary...
Service "mydb" has 1 instance(s).
  Instance "mydb", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

It is important that the listener not engage in "port redirection" of clients to separate server ports (most commonly seen in MTS/Shared Server). Any feature causing the TNS Listener to engage in such activity must be disabled.

To configure stunnel, the root user must create a keypair for TLS. This keypair can be "signed" by a Certificate Authority (CA) if desired; this is conventionally useful for Web site encryption (HTTPS), since the lack of a recognized CA signature will trigger browser security warnings. Oracle clients can verify server keys only when signed by a recognized CA, which is addressed in the final section of this article. To obtain signed keys, follow the instructions on the stunnel Web site (https://www.stunnel.org/howto.html). Otherwise, for more informal use, a self-signed key can be generated with the following commands:

cd /etc/pki/tls/certs
make stunnel.pem

The process of key generation will ask a number of questions:

Generating a 2048 bit RSA private key
..........................................................+++
.................................+++
writing new private key to '/tmp/openssl.hXP3gW'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:IL
Locality Name (eg, city) [Default City]:Chicago
Organization Name (eg, company) [Default Company Ltd]:ACME Corporation
Organizational Unit Name (eg, section) []:Widget Division
Common Name (eg, your name or your server's hostname) []:darkstar
Email Address []:linus@posix.org

The key produced above will be set to expire after the Makefile's default lifetime, counted from the day it was created. If you would like to generate a key with a longer life, you can call OpenSSL directly:

openssl req -new -x509 -days 3650 -nodes \
    -out stunnel.pem -keyout stunnel.pem

The key will look something like this:

# cat /etc/pki/tls/certs/stunnel.pem
-----BEGIN PRIVATE KEY-----
(base64-encoded private key material, many lines)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(base64-encoded certificate, many lines)
-----END CERTIFICATE-----

The PRIVATE KEY section above is the most sensitive portion of the file; ensure that it is not seen or copied by anyone that you do not trust, and any recordings on backup media should be encrypted. The BEGIN CERTIFICATE section is presented to TLS clients (that is, sqlplus) when they connect to stunnel.

It is likely wise to compute custom primes for the Diffie-Hellman key exchange algorithm, following guidance from the stunnel manual page:

openssl dhparam 2048 >> stunnel.pem

The previous command will add another section to your stunnel.pem file for high-security Diffie-Hellman primes:

-----BEGIN DH PARAMETERS-----
(base64-encoded DH parameters, several lines)
-----END DH PARAMETERS-----

The Oracle TNS Listener conventionally runs at port 1521. In this exercise, let's run Oracle TLS services at port 1522, which has the current service name:

# grep 1522 /etc/services
ricardo-lm      1522/tcp        # Ricardo North America License Manager
ricardo-lm      1522/udp        # Ricardo North America License Manager

Place the following file to control stunnel for the "ricardo" service (alter the IP address to the location of your TNS Listener):
# cat /etc/stunnel/ricardo.conf
sslVersion = TLSv1.2
options = NO_SSLv3
options = NO_SSLv2
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
cert = /etc/pki/tls/certs/stunnel.pem
FIPS = no
debug = 6
syslog = yes
chroot = /var/empty
setuid = nobody
setgid = nobody
connect = 1.2.3.4:1521
; best-practice ciphers:
; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Note above that you are configuring TLS for best-practice encryption with the highest quality protocols and ciphers (see the current TLS recommendations RFC at https://www.rfc-editor.org). The Oracle clients appear compatible with these settings. Note that Michal Trojnara, the author of stunnel, does "not recommend using DH ciphersuites in the hardened set. ECDH ciphersuites are much more secure and much faster. The RFC should be considered outdated after the recent attacks on DH." On the other hand, there have been recent questions of software patents on Elliptic Curve (http://security.stackexchange.com/questions/.../can-ecc-be-used-without-infringing-on-patents), although Sun/Oracle contributed the ECC implementation in OpenSSL and used great care to avoid patented methods. Red Hat/Fedora went further in enabling only the Suite B subset of NIST ECC curves for protection from Certicom (whether this is a sufficient courtroom defense against CryptoPeak is another matter: http://www.theregister.co.uk/.../cryptopeak_sues_...).

Beyond that, in my previous coverage of the Stribika SSH Guide [see "Cipher Security" by Charles Fisher, September 2015], I wrote that the author is "advising against the use of NIST elliptic curves because they are notoriously hard to implement correctly. So much so that I wonder if it's intentional. Any simple implementation will seem to work but leak secrets through side channels. Disabling them doesn't seem to cause a problem; clients either have Curve25519 too, or they have good enough DH support." Trojnara has responded that the question of "side channel attacks on ECDHE is pure nonsense, since by definition the last E stands for ephemeral (there is no persistent secret here an attacker might retrieve with [any available] side channel attacks)." In any case, Hynek Schlawack's Web site on the subject has not endorsed one over the other so far, while his silence on the growing questions behind Diffie-Hellman key exchange is somewhat unsettling (https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers). Your legal environment and encryption stance will decide your cipher string.

Use the following systemd unit files to configure stunnel for inetd-style operation (if you aren't using an OS based on systemd, see my previous articles for a discussion of [x]inetd):

# cat /etc/systemd/system/ricardo.socket
[Unit]
Description=oracle stunnel

[Socket]
ListenStream=1522
Accept=yes

[Install]
WantedBy=sockets.target

# cat /etc/systemd/system/ricardo@.service
[Unit]
Description=oracle stunnel service

[Service]
ExecStart=-/usr/bin/stunnel /etc/stunnel/ricardo.conf
StandardInput=socket

OTHER ARTICLES BY CHARLES FISHER

"Cipher Security", LJ, September 2015: http://www.linuxjournal.com/content/cipher-security-how-harden-tls-and-ssh?page=0,0

"Infinite BusyBox with systemd", LJ, March 2015: http://www.linuxjournal.com/content/infinite-busybox-systemd

"Strengthening Diffie-Hellman in SSH and TLS", LinuxJournal.com, October 29, 2015: http://www.linuxjournal.com/content/strengthening-diffie-hellman-ssh-and-tls

"Secure File Transfer", LJ, January 2016: http://www.linuxjournal.com/content/secure-file-transfer

Assuming that the above unit files are in place, connections on 1522 can be enabled both at boot and for the present environment with these commands:

systemctl start ricardo.socket
systemctl enable ricardo.socket

The enable command will place systemd's startup link:

Created symlink from /etc/systemd/system/sockets.target.wants/ricardo.socket to /etc/systemd/system/ricardo.socket.

It might be useful to telnet to port 1522, as stunnel will print informative error messages to standard output in case of trouble. The most practical telnet client is likely BusyBox (https://busybox.net/downloads/binaries/latest). Remote connections to port 1522 might be blocked by your Linux firewall. The root user can permit them to pass to stunnel with the following:

iptables -I INPUT -p tcp --dport 1522 --syn -j ACCEPT

The TNS Listener can be instructed to restrict the origin of sessions, and it can be used to ban clear-text traffic completely by adding (your IP equivalent to) the following fragment of the $ORACLE_HOME/network/admin/sqlnet.ora file on the server:

TCP.INVITED_NODES=(127.0.0.1,1.2.3.4)
TCP.VALIDNODE_CHECKING=yes

Perform this modification after all testing is successful, and note that any configured clients using the TNS Listener will be shut down if and when the configuration is thus restricted.

It is likely wise to use a stunnel binary provided by Oracle Corporation, but the versions that it provides are rather old. If you can load stunnel version 5, you can omit the NO_SSL options shown above. However, the older stunnel binaries that Oracle provides are somewhat more likely to be tolerated in a critical support situation involving Oracle. On the other hand, commercial support from stunnel.org definitely prefers version 5 (https://www.stunnel.org/index.html). If support is an important factor, the experience and availability of the use of both versions will be helpful.

Special thanks to Michal Trojnara, the author of stunnel, for his helpful comments on this article and work in stunnel development. Commercial support, licensing and consulting for stunnel is available from his organization; please visit http://www.stunnel.org/support.html for his latest release.
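As an added example (not code from the article or from the stunnel project), the following Python script parses a stunnel service file such as ricardo.conf above and reports where it departs from the hardening applied in this section: a TLS-only protocol floor, a chroot with a non-root identity, and an explicit cipher policy that excludes anonymous and weak suites. The DH-versus-ECDH caveat discussed above is reported as a note rather than a failure. Both sample configurations are constructed: HARDENED_CONF mirrors ricardo.conf and WEAK_CONF shows what a hasty install might leave in place; the function names are this example's own.

```python
"""Audit a stunnel service file against the hardening applied in the article:
a TLS-only protocol floor, a chroot with a non-root identity, and an explicit
cipher policy. Added example; not code from the article or the stunnel project.
Both sample configurations are constructed here for illustration."""

# Constructed copy of the article's hardened ricardo.conf.
HARDENED_CONF = """\
sslVersion = TLSv1.2
options = NO_SSLv3
options = NO_SSLv2
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
cert = /etc/pki/tls/certs/stunnel.pem
FIPS = no
debug = 6
syslog = yes
chroot = /var/empty
setuid = nobody
setgid = nobody
connect = 1.2.3.4:1521
; best-practice ciphers (hynek.me)
ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
"""

# Constructed weak variant: no protocol floor, runs as root outside any chroot,
# and leaves cipher selection to the library default.
WEAK_CONF = """\
sslVersion = all
cert = /etc/pki/tls/certs/stunnel.pem
connect = 1.2.3.4:1521
ciphers = DEFAULT
"""


def parse_conf(text):
    """Parse stunnel's 'key = value' lines into {key: [values]} with lowercased
    keys. ';' and '#' start comments. A flat, single-service file like the one
    used for inetd-style operation is assumed, so '[service]' headers are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(key.strip().lower(), []).append(value.strip())
    return conf


def audit(conf):
    """Return (level, message) findings. 'fail' marks a departure from the
    article's baseline; 'note' carries the DH-versus-ECDH caveat from the text."""
    findings = []

    def last(key, default):            # stunnel keeps the last value of a key
        return conf.get(key, [default])[-1]

    # 1. Protocol floor: a TLS-only sslVersion, or explicit NO_SSLv2 and NO_SSLv3.
    version = last("sslversion", "all").upper()
    options = {o.upper() for o in conf.get("options", [])}
    if not version.startswith("TLSV") and not {"NO_SSLV2", "NO_SSLV3"} <= options:
        findings.append(("fail", "protocol: SSLv2/SSLv3 not excluded"))

    # 2. Isolation: chroot jail and a non-root identity, as in ricardo.conf.
    if "chroot" not in conf:
        findings.append(("fail", "isolation: no chroot directory"))
    for key in ("setuid", "setgid"):
        if last(key, "root") in ("root", "0"):
            findings.append(("fail", f"privilege: {key} is root"))

    # 3. Cipher policy: explicit list, anonymous suites excluded, no weak families.
    tokens = last("ciphers", "DEFAULT").split(":")
    enabled = [t for t in tokens if not t.startswith("!")]
    excluded = {t[1:].upper() for t in tokens if t.startswith("!")}
    if any(t.upper() in ("DEFAULT", "ALL") for t in enabled):
        findings.append(("fail", "ciphers: library default list instead of an explicit policy"))
    else:
        for t in enabled:
            if any(weak in t.upper() for weak in ("RC4", "MD5", "EXPORT")):
                findings.append(("fail", f"ciphers: weak suite family {t}"))
        if "ANULL" not in excluded:
            findings.append(("fail", "ciphers: anonymous (aNULL) suites not excluded"))
        if any(t.upper().startswith("DH+") for t in enabled):
            findings.append(("note", "ciphers: finite-field DH suites enabled; "
                                     "ECDH-only is faster and sidesteps the DH attacks"))
    return findings


def is_hardened(text):
    """True when the configuration text produces no 'fail' findings."""
    return not [m for level, m in audit(parse_conf(text)) if level == "fail"]


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, "OK" if is_hardened(text) else "FAIL")
        for level, message in audit(parse_conf(text)):
            print(f"  [{level}] {message}")
```

Run directly, it prints the findings for both files. audit() returns (level, message) pairs rather than text so the same check can be wired into a configuration-management test that fails a deployment when a service file regresses.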
Database Client

Using the sqlplus client utility that is bundled with a local database server, a TLS session can be established through the stunnel that was previously configured on the remote server. Doing so requires a new client key that is stored in a "wallet", which is created below. Use the following commands to configure the local sqlplus:

export ORACLE_SID=yourdb ORACLE_HOME=/home/oracle/Ora12c/db
mkdir /home/oracle/wallet
$ORACLE_HOME/bin/orapki wallet create -wallet /home/oracle/wallet \
    -pwd SECRET123 -auto_login_local
$ORACLE_HOME/bin/orapki wallet add -wallet /home/oracle/wallet \
    -pwd SECRET123 -dn "CN=yourdb" -keysize 2048 \
    -self_signed -validity 3650

The output of both calls to the orapki utility above should be this banner:

Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Directives also must be placed to find the new wallet repository; add the following to your sqlnet.ora file:

$ cat $ORACLE_HOME/network/admin/sqlnet.ora

WALLET_LOCATION =
   (SOURCE =
     (METHOD = FILE)
     (METHOD_DATA =
       (DIRECTORY = /home/oracle/wallet)
     )
   )

SSL_CLIENT_AUTHENTICATION = FALSE

Finally, call sqlplus with a database account and a connect descriptor that invokes the TLS port at 1522 (note that the newlines within the single quotes are optional and are included here for clarity):

$ORACLE_HOME/bin/sqlplus RemoteUser@'(description=
(address=
 (protocol=tcps)
 (host=1.2.3.4)
 (port=1522)
)
(connect_data=(sid=mydb)))'

Assuming success, enter the password for your RemoteUser account, then issue an SQL command:

SQL*Plus: Release 12.1.0.2.0 Production on Fri Feb 19 13:26:56 2016

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Enter password:
Last Successful login time: Fri Feb 19 2016 13:15:54 -06:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> SELECT COUNT(*) FROM DBA_OBJECTS;

  COUNT(*)
----------
     19633

A few points to consider:

■ Changing protocol=tcps to protocol=tcp and further modifying port=1521 above will log in with a clear-text session if your firewall and listener allow access.

■ The host= clause above can reference a DNS hostname instead of an IP address if that is more convenient.

■ The TWO_TASK environment variable can be set with the contents within the single quotation marks above. If this is done, then sqlplus will connect silently to the remote server as if it was local.

■ The connect descriptor definition within the single quotation marks above would likely be moved into your TNSNAMES.ORA or network TNS resolution method (LDAP, ONAMES).

■ The wallet is not required on the server; this functionality is handled by stunnel. The Oracle client needs the wallet if the client's TLS implementation will be used. It is possible to configure stunnel in client mode, then dispense with wallets on both sides.

■ While the sqlplus session is active, a stunnel process will appear on the server (be cautious of NPROC or other kernel limits):

# ps -ef | grep stunnel
nobody   16810     1  0 13:26 ?        00:00:00 /usr/bin/stunnel /etc/stunnel/ricardo.conf
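The clear-text variant described in the first point above is a one-word edit to a descriptor, and descriptors moved into TNSNAMES.ORA or LDAP are easy to lose track of. As an added example that is not part of the article, here is a small Python parser for the (keyword=value) descriptor syntax together with a policy check that flags any address whose protocol is not tcps and any descriptor that omits the SSL_SERVER_CERT_DN pin covered in the Server Verification section. The three descriptors are constructed copies of the ones used in this article; the DescriptorError class and the function names are this example's own.

```python
"""Parse Oracle TNS connect descriptors and apply the transport policy the
article argues for: every address uses tcps and the client pins the server
certificate with ssl_server_cert_dn. Added example, not code from the article
or from Oracle; the descriptors below are constructed copies of the ones used
in the text, and all names here are this example's own."""

TCPS_PINNED = (
    "(description=(address=(protocol=tcps)(host=1.2.3.4)(port=1522))"
    "(connect_data=(sid=mydb)(security=(ssl_server_cert_dn="
    '"CN=1.2.3.4,OU=Widget Division,O=ACME Corporation,L=Chicago,ST=IL,C=US"))))'
)
TCPS_UNPINNED = """(description=
  (address=(protocol=tcps)(host=1.2.3.4)(port=1522))
  (connect_data=(sid=mydb)))"""
CLEARTEXT = ("(description=(address=(protocol=tcp)(host=1.2.3.4)(port=1521))"
             "(connect_data=(sid=mydb)))")


class DescriptorError(ValueError):
    """Malformed descriptor: unbalanced parentheses, keyword without '=', etc."""


def parse_descriptor(text):
    """Recursive-descent parser for TNS '(keyword=value)' nesting. Returns nested
    dicts; a keyword repeated at one level (several (address=...)) becomes a list.
    Quoted values may contain commas and parentheses, as a certificate DN does."""
    pos, end = 0, len(text)

    def skip_ws():
        nonlocal pos
        while pos < end and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if pos >= end or text[pos] != "(":
            raise DescriptorError(f"expected '(' at offset {pos}")
        pos += 1
        start = pos
        while pos < end and text[pos] not in "=()":
            pos += 1
        if pos >= end or text[pos] != "=":
            raise DescriptorError(f"keyword without '=' at offset {start}")
        key = text[start:pos].strip().lower()
        pos += 1
        skip_ws()
        if pos < end and text[pos] == "(":            # nested node list
            value = {}
            while True:
                skip_ws()
                if pos < end and text[pos] == ")":
                    break
                k, v = node()
                if k in value:                        # repeated keyword -> list
                    value[k] = (value[k] if isinstance(value[k], list) else [value[k]]) + [v]
                else:
                    value[k] = v
        elif pos < end and text[pos] == '"':          # quoted scalar
            close = text.find('"', pos + 1)
            if close < 0:
                raise DescriptorError("unterminated quoted value")
            value = text[pos + 1:close]
            pos = close + 1
            skip_ws()
        else:                                         # bare scalar up to ')'
            start = pos
            while pos < end and text[pos] != ")":
                pos += 1
            value = text[start:pos].strip()
        if pos >= end or text[pos] != ")":
            raise DescriptorError(f"unbalanced parentheses near offset {pos}")
        pos += 1
        return key, value

    key, value = node()
    skip_ws()
    if pos != end:
        raise DescriptorError("trailing data after descriptor")
    return {key: value}


def check_descriptor(text):
    """Policy findings for one descriptor; an empty list means it passes."""
    desc = parse_descriptor(text).get("description")
    if not isinstance(desc, dict):
        return ["not a (description=...) descriptor"]
    findings = []
    addresses = desc.get("address", [])
    for addr in addresses if isinstance(addresses, list) else [addresses]:
        proto = str(addr.get("protocol", "")).lower()
        if proto != "tcps":
            findings.append(f"clear-text transport: protocol={proto or 'unset'} "
                            f"to {addr.get('host')}:{addr.get('port')}")
    connect_data = desc.get("connect_data", {})
    security = connect_data.get("security", {}) if isinstance(connect_data, dict) else {}
    if not isinstance(security, dict) or "ssl_server_cert_dn" not in security:
        findings.append("no ssl_server_cert_dn: server identity is not verified")
    return findings
```

check_descriptor() treats a missing DN pin as a finding even for a tcps descriptor, because without it the client accepts any certificate the CA store happens to trust; run it over every descriptor exported from TNSNAMES.ORA to find the entries that still need the security clause.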
Database Link

With two or more Oracle database servers, sessions and transactions can be initiated between them to gather and modify data in "two-phase commits". Linkages between accounts and servers are established with the command below (if you have moved tcps hosts into your TNSNAMES.ORA, you can reference them here also):

SQL> CREATE DATABASE LINK MyDBLink
 CONNECT TO RemoteUser
 IDENTIFIED BY PassWord
 USING '(description=
  (address=
   (protocol=tcps)
   (host=1.2.3.4)
   (port=1522)
  )
  (connect_data=(sid=mydb)))';

Database link created.

Once the link is established, remote tables can be suffixed by the link name, which can be joined to other local or remote tables:

SQL> SELECT COUNT(*) FROM ALL_OBJECTS@MyDBLink;

  COUNT(*)
----------
     1851

Server Verification

It may be necessary for keys to be verified on either side of the connection to assure authorized use. The native Oracle TLS implementation requires all keys subject to verification to be signed by a recognized CA; the CA's public keys may need to be added to the certificate store used by Oracle. Note that stunnel also can verify keys and act as a client as well as a server. The stunnel verification options are much more flexible than Oracle's, and if CA signatures are not desired but TLS verification is mandated, then Oracle's TLS should be disabled entirely.

In the examples below, let's assume that the server's public key has a CA signature. To extract that public key, the following awk pattern is useful:

awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' \
    /etc/pki/tls/certs/stunnel.pem > /tmp/pkey

Move the /tmp/pkey file to the client, then load it into the wallet:

$ORACLE_HOME/bin/orapki wallet add -wallet /home/oracle/wallet \
    -pwd SECRET123 -trusted_cert -cert /tmp/pkey

After loading the key, verify that it is now present in the wallet:

$ORACLE_HOME/bin/orapki wallet display -wallet /home/oracle/wallet \
    -pwd SECRET123

The key should appear in the Trusted Certificates section:

Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=yourdb
Trusted Certificates:
Subject:        EmailAddress=linus@posix.org,CN=1.2.3.4,OU=Widget Division,O=ACME Corporation,L=Chicago,ST=IL,C=US
Subject:        CN=yourdb

The client can verify the server keys with the SSL_SERVER_CERT_DN clause in the TNS descriptor:

$ORACLE_HOME/bin/sqlplus fishecj@'(description=
(address=
 (protocol=tcps)
 (host=1.2.3.4)
 (port=1522)
)
(connect_data=
 (sid=mydb)
 (security=(SSL_SERVER_CERT_DN="CN=1.2.3.4,OU=Widget Division,O=ACME Corporation,L=Chicago,ST=IL,C=US"))
))'

If the CA signature is not recognized, the sqlplus login will fail with the following:

ERROR:
ORA-29024: Certificate validation failure

Additionally, stunnel will record the following in /var/log/secure:

LOG7: SSL alert (read): fatal: unknown CA
LOG3: SSL_accept: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Such errors indicate that the CA is not properly loaded into the bundle used by the database.
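The awk range pattern above copies the CERTIFICATE block by text matching, and the orapki display output is the only confirmation that the right certificate reached the wallet. As an added example (not code from the article or the stunnel project), this Python script performs the same split on a stunnel.pem, re-emits only the public CERTIFICATE block for the client, checks that the file holds exactly one private key and one certificate and that every block is DER-encoded, and computes a SHA-256 fingerprint of the certificate that can be read out over a separate channel before the trusted certificate is loaded. SAMPLE_PEM is a constructed file whose blocks are three-byte DER SEQUENCEs rather than real key material; the function names are this example's own.

```python
"""Split a stunnel.pem into PEM blocks, extract the public CERTIFICATE block
(what the article's awk pattern copies to the client), sanity-check the file
and fingerprint the certificate. Added example, not code from the article or
the stunnel project. SAMPLE_PEM is constructed: each block is a minimal DER
SEQUENCE, not real key material."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

SAMPLE_PEM = """\
-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MAMCAQc=
-----END DH PARAMETERS-----
"""


def pem_blocks(text):
    """Return [(label, base64_body, der_bytes)] for every PEM block, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())
        blocks.append((m.group(1), body, base64.b64decode(body, validate=True)))
    return blocks


def public_part(text):
    """PEM text holding only the CERTIFICATE block(s), wrapped at 64 columns;
    the private key and DH parameters never leave the server."""
    out = []
    for label, body, _ in pem_blocks(text):
        if label == "CERTIFICATE":
            lines = [body[i:i + 64] for i in range(0, len(body), 64)]
            out.append(f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----")
    return "\n".join(out) + ("\n" if out else "")


def cert_fingerprint(text):
    """Colon-separated SHA-256 fingerprint of the first CERTIFICATE block, for
    out-of-band comparison before the certificate is trusted on the client."""
    for label, _, der in pem_blocks(text):
        if label == "CERTIFICATE":
            return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
    raise ValueError("no CERTIFICATE block")


def audit_pem(text):
    """Findings for a server-side stunnel.pem: exactly one private key, exactly
    one certificate, and every block decoding to a DER SEQUENCE (tag 0x30)."""
    findings = []
    blocks = pem_blocks(text)
    labels = [label for label, _, _ in blocks]
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        findings.append("expected exactly one PRIVATE KEY block")
    if labels.count("CERTIFICATE") != 1:
        findings.append("expected exactly one CERTIFICATE block")
    for label, _, der in blocks:
        if not der or der[0] != 0x30:
            findings.append(f"{label}: body is not a DER SEQUENCE")
    return findings


if __name__ == "__main__":
    print(public_part(SAMPLE_PEM), end="")
    print("SHA256:", cert_fingerprint(SAMPLE_PEM))
    print("findings:", audit_pem(SAMPLE_PEM))
```

Because public_part() selects by PEM label rather than by line range, it behaves the same whether the certificate precedes or follows the private key in the file, and the fingerprint is computed over the DER bytes, so it matches what `openssl x509 -fingerprint -sha256` would print for the same certificate.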
Conclusions

Oracle database security has received pointed criticism through the years and releases, which has slowly improved the architecture and closed exploitable weaknesses. For many, these improvements are inadequate in both speed and scope. In such cases, stunnel is a valuable tool for authentication, isolation and privacy of critical data within Oracle.

Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation. He has previously published both journal articles and technical manuals on Linux for UnixWorld and other McGraw-Hill publications.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

EOF

What's the Kernel Space of Democracy?

DOC SEARLS

No one pretends that democracy is perfect or all-wise. Indeed, it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time. (Winston Churchill)

Doc Searls is Senior Editor of Linux Journal. He is also a fellow with the Berkman Center for Internet and Society at Harvard University and the Center for Information Technology and Society at UC Santa Barbara.

Might the same be said of operating systems and Linux? In both cases people live atop, and depend on, a deeper protected and enabling structure.
In democracies, it's government. In Linux, it's the kernel. There are resemblances. For example, both need debugging, no matter how much bigger and better they get. A difference (one of too many, I'll admit) is that Linux gets debugged by contributors and maintainers, while in democracies users are free to mess with the government, and vice versa, by many means.

Still, although government space bears little resemblance to kernel space, the question haunts me, because I can't help thinking democracies might learn something from Linux. It can't be easy. Politics never is. Although government runs on the form of code we call law, those that operate on it are not compelled to obey or even to agree. Craig Burton highlights the difference when he says "all technical problems are technical and political, and you can always solve the technical ones."

The contradictions of democracy are old news. Otto von Bismarck said "Politics is the art of the possible, the art of the next best." Yet he also said "Not by speeches and votes of the majority are the great questions of the time decided, but by iron and blood." While democracy might be as old as Greece, war is as old as our species, and perhaps even its evolutionary antecedents. "Compared to war, all other forms of human endeavor shrink to insignificance," said George S. Patton. Among those forms of human endeavor are democracy and governance. Even the rule of law, which all democracies strive to maintain, is suspended gladly when battle flags are raised. In War Is a Force That Gives Us Meaning, Christopher Hedges writes:

War makes the world understandable, a black and white tableau of them and us. It suspends thought, especially self-critical thought. All bow before the supreme effort. We are one. Most of us willingly accept war as long as we can fold it into a belief system that paints the ensuing suffering as necessary for a higher good, for human beings seek not only happiness but also meaning. And tragically war is sometimes the most powerful way in human society to achieve meaning.

Of course, meaning to one faction is not the same as to another.

Many years ago, on a Linux Journal Geek Cruise (man, those were fun), I gave a talk about political differences: for example, how one side tends to see the market as a problem and government as a solution, while the other side tends to see government as a problem and the market as a solution. My main source for that talk was George Lakoff's book Moral Politics: What Conservatives Know that Liberals Don't (re-subtitled in a later edition as How Liberals and Conservatives Think). Even if you disagree with George's conclusions or his politics, he does an outstanding job of laying out how liberals and conservatives talk past each other while constantly characterizing each other (sometimes correctly), and how hard it is for both sides to see truth in the other's framings. Since the turn of the Millennium, George has written many other books, mostly to give Democrats new ways to frame debates. I believe Barack Obama would not have been elected (or re-elected) to the Presidency in 2008 and 2012 without those books. They mattered enormously to Obama's campaigns.

After my talk, Andrew Morton said, "That's why the left thinks the right is evil and the right thinks the left is stupid." I still can't think of a better summary statement.

I was given a similar hunk of wisdom by David Hodskins, my business partner for two decades and one of the smartest businessmen I have ever known: "Republicans are the party of wealth creation and Democrats are the party of wealth redistribution." Consistent with that, I know Republicans who think all the good in the world is produced by business, while I know Democrats who think
NATURE PUT A SUM OF MONEY IN THE WORLD AND THAT ITS THE JOB OF GOVERNMENT TO MAKE SURE THOSE WHO HAVE TOO MUCH YIELD SOME OF IT TO those who have too little. At one extreme, we have people who don’t see HOW GOVERNMENT PRODUCES ANY GOOD BESIDES AS 2ONALD 2EAGAN PUT IT hDEFENDING THE BORDERSv AND AT THE OTHER EXTREME WE HAVE PEOPLE WHO DONT RESPECT MUCH OF WHAT BUSINESS DOES BESIDES PROVIDING JOBS !ROUND BOTH POLES GATHERS HOMOPHILY hTHE TENDENCY OF INDIVIDUALS TO ASSOCIATE AND BOND WITH SIMILAR OTHERSv 4HOSE ASSOCIATIONS AND BONDS ALSO COMPRISE ECHO CHAMBERS WITHIN WHICH EVEN FRIENDLY AND HELPFUL voices tend to go unheard or misunderstood. &OR EXAMPLE A FEW YEARS BACK ) SUGGESTED AT A UNIVERSITY MEETING THAT WE OUGHT TO DEFINE WHAT THE )NTERNET ACTUALLY IS BECAUSE THERE IS NO COMMON DEFINITIONAL GROUND BETWEEN NET HEADS AND BELL HEADS THOSE who see the Internet as a transcendent entity and those who see it as JUST A SERVICE OFFERED BY PHONE AND CABLE COMPANIES ) SAID THE
UNIVERSITY 122 | April 2016 | LinuxJournal.com LJ264-April2016.indd 122 3/22/16 10:13 AM EOF WOULD DO THE WORLD A SERVICE BY COMING UP WITH A CANONICAL DEFINITION ! PROFESSOR REPLIED h) DIDNT THINK WE WERE GOING TO WORK ON POLICY THIS YEARv ) REPLIED h7HOA 4HIS ISNT ABOUT POLICY )TS ABOUT LANGUAGE ,INGUISTICS $ICTIONARY STUFFv "UT THE DISCUSSION DRIFTED TOWARD POLICY ANYWAY AND THE DESIRE BY NEARLY ALL PRESENT FOR NET NEUTRALITY REGULATION WHICH MADE SENSE !FTER ALL THIS WAS AN ECHO CHAMBER FOR NETHEADS INCLUDING ME EXAMPLE #LUETRAINS .EW #LUES "UT )M ALSO A BUSINESS guy, and at the time had at least some hope that a university could think in more, um, universal ways. But universities tend to be castles, and this WAS AN EXAMPLE OF THE ONE ON THE LEFT IN &IGURE On the right were phone and cable companies who talk about hSAVING THE MARKETPLACEv AND hKEEPING GOVERNMENT OUT OF BUSINESSv EVEN THOUGH THEY ARE REGULATORY ZOO ANIMALS HOLDING THEIR
KEEPERS SO CAPTIVE THAT THEY HAVE SUCCESSFULLY LOBBIED LEGISLATION RESTRICTING BUSINESS TO THEMSELVES IN ALL BUT A HANDFUL OF STATES http://www.muninetworksorg/communitymap AND WOULDNT KNOW what to do in a truly open marketplace. 3PEAKING OF NETHEADS AND BELLHEADS ITS INTERESTING TO SEE HOW NET NEUTRALITY HAS GONE SINCE ) WROTE ABOUT IT IN THE *ULY ISSUE OF Linux Journal HTTPWWWLINUXJOURNALCOMARTICLE )N IT ) Figure 1. Two Castles 123 | April 2016 | LinuxJournal.com LJ264-April2016.indd 123 3/22/16 10:13 AM EOF SOURCED ,ARRY ,ESSIG 6INT #ERF AND -ICHAEL 0OWELL WHO WAS THEN A recently retired FCC chairman and is now cable’s top lobbyist. Here are A FEW ONE LINERS FROM A TALK HE GAVE AT &REEDOM TO #ONNECT THAT YEAR BE CAREFUL OF INVITING THE LEGISLATIVE PROCESS WHEN THEY HAVE A VERY BAD UNDERSTANDING OF THE TECHNICAL UNDERPINNINGS "ECAUSE THE SECONDARY CONSEQUENCES OF THEIR ERRORS CAN BE ENORMOUS ) WOULD RATHER TRY CONSTANTLY TO POSITION MY
INDUSTRY WHERE ) SUCCEED IF government does nothing, versus positioning it in a way where I need them to do something or I’m dead. ) CAN TELL YOU RIGHT NOW VERY FEW PEOPLE IN 7ASHINGTON UNDERSTAND NET NEUTRALITY 4HIS MEANS YOURE GOING TO GET A POTENTIALLY VERY AMBIGUOUS SUBJECT TO MASSIVE VARIATIONS IN INTERPRETATION PILE OF LAW GOVERNMENT HAS A WAY OF TURNING ON PEOPLE !SK "ILL ATES )T MAY BE about networks today, but those same principles can be used against innovative business models and applications in other contexts. And, I submit to you they would be. "E CAREFUL BECAUSE YOURE PLAYING THEIR GAME4HE AVERAGE ONE OF THESE INCUMBENTS WHETHER A CABLE OR A PHONE COMPANY HAVE LAWYERS IN 7ASHINGTON DEDICATED TO THIS WORK 2ESOURCES !BILITY /NE HUNDRED YEARS OF SKILL4HEN LET ME ADD THE JUDICIAL PROCESS %VERY DECISION YOU GET FROM THE #ONGRESS AND THE &## WILL SPEND THE NEXT THREE AND A HALF TO FOUR YEARS IN COURT Since then, no net neutrality
legislation proposed in Congress has moved past the committee stage. But on the regulatory side, the FCC in ISSUED THE PRO NEUTRALITY /PEN )NTERNET /RDER )N 3EPTEMBER THE &## ADDED A FINAL RULE TITLED 0RESERVING THE /PEN )NTERNET .ATURALLY 6ERIZON SUED EVENTUALLY WINNING 6ERIZON V &## IN THE $# #IRCUIT #OURT OF !PPEALS WHICH VACATED TWO OF THE THREE MAIN PORTIONS OF THE &##S /RDER 4HAT HAPPENED IN -AY RIGHT IN LINE WITH 0OWELLS ESTIMATE FOR TIME IN COURT 124 | April 2016 | LinuxJournal.com LJ264-April2016.indd 124 3/22/16 10:13 AM EOF "UT THE BATTLE IS HARDLY OVER )N &EBRUARY THE &## ISSUED hSTRONG SUSTAINABLE RULES TO PROTECT THE OPEN )NTERNETv BY RE CLASSIFYING hBROADBAND )NTERNET ACCESS SERVICEv UNDER 4ITLE )) OF THE 4ELECOMMUNICATIONS !CT ,IKE EVERYTHING &EDERAL ITS COMPLICATED which means it met mostly with approval by netheads and disapproval WITH THE BELLHEADS %XPECT SOME OF THIS TO BE WORKED OUT AND NOT OVER
THE NEXT FEW YEARS -EANWHILE ,INUX WON WITHOUT GOING TO WAR EVEN THOUGH IT HAD LOTS OF OPPOSITION FROM THE START -ICROSOFT HATED IT AS DID COMPETING 5.)8 AND 5.)8 ISH OPERATING SYSTEM CAMPS ) SHOWED UP WHEN ,INUX ITSELF WAS TO THE RIGHT OF THE DECIMAL POINT IN THE EARLY S ) WAS INVITED BY 0HIL (UGHES WHO INCLUDED ME IN AN E MAIL CONVERSATION ABOUT STARTING A FREE SOFTWARE MAGAZINE 4HIS BECAME Linux Journal IN !PRIL WHEN ,INUX ARRIVED AT V ,ITTLE KNOWN ITEM THE FIRST EDITOR WAS "OB 9OUNG WHO LEFT TO START 2ED (AT )N THOSE days, and to a large degree ever since, the Linux homophily has been LARGELY A LIBERTARIAN ONE 0ERHAPS THIS IS A MANIFESTATION OF THE DISTINCTION BETWEEN KERNEL SPACE AND USERSPACE 4HE PERSPECTIVE OF THE KERNEL ON USERSPACE IS LIKE THAT OF THE %ARTHS CORE TOWARD WHAT HAPPENS ON ITS SURFACE !S ,INUS OFTEN SAYS ABOUT USERSPACE h) DONT CAREv 9ET ALL OF US LIVE IN USERSPACE AND WE HAVE POLITICS HERE ESPECIALLY BETWEEN NOW AND .OVEMBER WHEN
THE 53 HOLDS ITS PRESIDENTIAL ELECTION 7HILE THATS HAPPENING ) SUGGEST WE TECHNICAL FOLKS LOOK AT THE PROCESS AS ADVERTISER INDEX ADVERTISER URL PAGE # $RUPAL#ON .EW /RLEANS HTTPNEWORLEANSDRUPALORG $RUPALIZEME HTTPDRUPALIZEME (0# 7ALLSTREET HTTPWWWFLAGGMGMTCOMLINUX Thank you as always for supporting our advertisers by buying their products! ,INUX&EST .ORTHWEST HTTPLINUXFESTNORTHWESTORG /g2EILLY /3#/. HTTPWWWOREILLYCOMPUBCPC 0EER (OSTING HTTPGOPEERCOMLINUX 0ERL HTTP0ERL#ONFERENCE/RG 304ECH#ON HTTPWWWSPTECHCONCOM 7)4) 7OMEN IN 4ECHNOLOGY 3UMMIT HTTPWWWWITICOMCONFERENCES SUMMIT ATTENTION ADVERTISERS The Linux Journal brand’s following has grown to a monthly readership nearly one million strong. Encompassing the magazine, Web site, newsletters and much more, Linux Journal offers the ideal content environment to help you reach your marketing
objectives. For more information, please visit http://www.linuxjournalcom/advertising 125 | April 2016 | LinuxJournal.com LJ264-April2016.indd 125 3/22/16 10:13 AM EOF ONE THAT REQUIRES DEBUGGING (ERE ARE MY SUGGESTED FEW ET MONEY AS FAR AS POSSIBLE OUT OF POLITICS ,ARRY ,ESSIG HAS REQUIRED READING ON THIS http://republic.lessigorg !MEND THE #ONSTITUTION TO ELIMINATE THE %LECTORAL #OLLEGE AND ALLOW DIRECT ELECTION OF THE 0RESIDENT %LIMINATE GERRYMANDERING AS FAR AS POSSIBLE %XPAND VOTING RIGHTS TO ALL CITIZENS !LL THOSE ARE SIMPLY FOR RESTORING DEMOCRACY AND NOTHING MORE ,IKE MANY IN OUR COMMUNITY ) NOT ONLY WANT BETTER GOVERNMENT BUT LESS OF it, especially as we work out what it means to be digital as well as analog creatures. For particulars on that, check out what I said about Ralph .ADER HERE IN HTTPWWWLINUXJOURNALCOMARTICLE ! SAMPLE #ONSUMERS AND WORKERS ARE RHETORICAL RELICS 4HE .ET IS UNITING BOTH AND THEYRE THROWING OFF THEIR
CHAINS )NDUSTRIAL COMMUNISM AND CAPITALISM ARE BOTH TERMINAL 4HEY CANT SURVIVE IN A NETWORKED MARKETPLACE WHERE h7E THE 0EOPLEv MEANS EXACTLY WHAT IT SAYS 7E HAVE REAL CHALLENGES IN THIS MARKETPLACE NOT THE LEAST OF WHICH IS UNDERSTANDING HOW ITS GOING TO WORK NOW THAT hTHE 0EOPLEv ARE WORKING BOTH SIDES OF THE SUPPLY AND DEMAND HANDSHAKE 7HAT ARE THE NEW SOCIAL CONTRACTS 7HAT LAWS DO WE REALLY NEED AND WHY ARE WE keeping the ones we don’t? How can we truly help those who can’t help THEMSELVES 7HAT ARE OUR AGREEMENTS ABOUT PRIVACY AND ANONYMITY AND HOW DO WE ORGANIZE THEM (OW DO WE BUILD THE NEEDED INFRASTRUCTURE around our new Commons, and how do we keep those stuck with dead INDUSTRIAL MARKET MODELS FROM WASTING OUR TIME 4HOSE QUESTIONS STILL STAND 3O DOES THE ONE IN THE HEADLINE ABOVE Q 126 | April 2016 | LinuxJournal.com LJ264-April2016.indd 126 3/22/16 10:13 AM Where every interaction matters. break down your innovation barriers power your business to its
full potential When you’re presented with new opportunities, you want to focus on turning them into successes, not whether your IT solution can support them. Peer 1 Hosting powers your business with our wholly owned FastFiber NetworkTM, solutions that are secure, scalable, and customized for your business. Unsurpassed performance and reliability help build your business foundation to be rock-solid, ready for high growth, and deliver the fast user experience your customers expect. Want more on cloud? Call: 844.8556655 | gopeer1com/linux | Vew Cloud Webinar: Public and Private Cloud LJ264-April2016.indd 127 | Managed Hosting | Dedicated Hosting | Colocation 3/22/16 10:13 AM EOF RESOURCES Otto Von Bismarck: HTTPSENWIKIPEDIAORGWIKI/TTO?VON?"ISMARCK George S. Patton: HTTPSENWIKIPEDIAORGWIKIEORGE?3?0ATTON Christopher Hedges: HTTPSENWIKIPEDIAORGWIKI#HRIS?(EDGES George Lakoff: HTTPSENWIKIPEDIAORGWIKIEORGE?,AKOFF George Lakoff’s Books:
HTTPGEORGELAKOFFCOM Andrew Morton: HTTPSENWIKIPEDIAORGWIKI!NDREW?-ORTON?COMPUTER?PROGRAMMER Homophily: https://en.wikipediaorg/wiki/Homophily “Netheads vs Bellheads” by Steve G. Steinberg, Wired: HTTPWWWWIREDCOMATM The Cluetrain Manifesto: http://cluetrain.com New Clues: http://newclues.cluetraincom Lawrence Lessig: HTTPSENWIKIPEDIAORGWIKI,AWRENCE?,ESSIG Vint Cerf: HTTPSENWIKIPEDIAORGWIKI6INT?#ERF Michael Powell: HTTPSENWIKIPEDIAORGWIKI-ICHAEL?0OWELL?LOBBYIST FCC Open Internet Order 2010: HTTPSENWIKIPEDIAORGWIKI&##?/PEN?)NTERNET?/RDER? Federal Communications Commission, Preserving the Open Internet; Final Rule: HTTPSWWWGPOGOVFDSYSPKG&2 PDF PDF Verizon Communications Inc. v FCC (2014): HTTPSENWIKIPEDIAORGWIKI6ERIZON?#OMMUNICATIONS?)NC?V?&##? “FCC Adopts Strong, Sustainable Rules to Protect the Open Internet”:
HTTPTRANSITIONFCCGOV$AILY?2ELEASES$AILY?"USINESSDB$/# !PDF Bob Young: HTTPSENWIKIPEDIAORGWIKI"OB?9OUNG?BUSINESSMAN “Cruise Report 3: New Species Discovered at Sea” by Doc Searls, Linux Journal: HTTPWWWLINUXJOURNALCOMARTICLE Gerrymandering: https://en.wikipediaorg/wiki/Gerrymandering ACLU: Voting Rights: HTTPSWWWACLUORGISSUESVOTING RIGHTS “Let Freedom Ping” by Doc Searls, November 2000, Linux Journal: HTTPWWWLINUXJOURNALCOMARTICLE Send comments or feedback via http://www.linuxjournalcom/contact or to ljeditor@linuxjournal.com RETURN TO CONTENTS 128 | April 2016 | LinuxJournal.com LJ264-April2016.indd 128 3/22/16 10:13 AM Instant Access to Premium Online Drupal Training !"#$%"$&%(##&$)&*+",-(,#&).&*)+-#&).&/-+0%1& $-%2"2"3&42$*&"(4&52,()#&%,,(,&(5(-6&4((78