LINUX JOURNAL (ISSN 1075-3583) Is Published Monthly by Belltown Media, Inc., 2121 Sage Road, Ste

™ HOW TO HARDEN YOUR SSH CONNECTIONS

Since 1994: The Original Magazine of the Linux Community JANUARY 2014 | ISSUE 237 | www.linuxjournal.com SECURITY ENCRYPTED BACKUP SOLUTIONS With TrueCrypt and SpiderOak

An Introduction to TAKING ADVANTAGE OF QUANTUM ENCRYPTION CRYPTOGRAPHY TIPS FOR USING TOR THE PAX Browse the Web ARCHIVING Anonymously UTILITY + SOLID-STATE DRIVES Are They Worth It?

LJ237-Jan2014.indd 1 12/17/13 3:42 PM UPCOMING CONFERENCES For a complete list of USENIX and USENIX co-sponsored events, see www.usenix.org/conferences

FAST ’14: 12th USENIX Conference on File and 23rd USENIX Security Symposium Storage Technologies August 20–22, 2014, San Diego, CA, USA February 17–20, 2014, Santa Clara, CA, USA www.usenix.org/conference/usenixsecurity14 www.usenix.org/conference/fast14 Submissions due: Thursday, February 27, 2014 2014 USENIX Research in Linux File and Storage Workshops Co-located with USENIX Security ’14 Technologies Summit EVT/WOTE ’14: 2014 Electronic Voting Technology In conjunction with FAST ’14 Workshop/Workshop on Trustworthy Elections February 20, 2014, Mountain View, CA, USA USENIX Journal of Election Technology Submissions due: January 17, 2014 and Systems (JETS) Published in conjunction with EVT/WOTE NSDI ’14: 11th USENIX Symposium on www.usenix.org/jets Networked Systems Design and Implementation Submissions for Volume 2, Issue 2, due: December 5, 2013 April 2–4, 2014, Seattle, WA, USA Submissions for Volume 2, Issue 3, due: April 8, 2014 www.usenix.org/conference/nsdi14 HotSec ’14: 2014 USENIX Summit on Hot Topics 2014 USENIX Federated Conferences Week in Security June 17–20, 2014, Philadelphia, PA, USA FOCI ’14: 4th USENIX Workshop on Free and Open Communications on the Internet USENIX ATC ’14: 2014 USENIX Annual Technical Conference HealthTech ’14: 2014 USENIX Workshop on Health www.usenix.org/conference/atc14 Information Technologies Paper titles and abstracts due January 28, 2014 Safety, Security, Privacy, and Interoperability of Health Information Technologies HotCloud ’14: 6th USENIX Workshop on Hot Topics in Cloud Computing CSET ’14: 7th Workshop on Cyber Security Experimentation and Test WiAC ’14: 2014 USENIX Women in Advanced Computing Summit WOOT ’14: 8th USENIX Workshop on Offensive Technologies HotStorage ’14: 6th USENIX Workshop on Hot Topics in Storage and File Systems OSDI ’14: 11th USENIX Symposium on Operating UCMS ’14: 2014 USENIX Configuration Systems Design and Implementation Management Summit October 6–8, 2014, Broomfield, CO, USA www.usenix.org/conference/osdi14 ICAC ’14: 11th International Conference on Abstract registration due April 24, 2014 Autonomic Computing Co-located with OSDI ’14: USRE ’14: 2014 USENIX Summit on Release Engineering Diversity ’14: 2014 Workshop on Diversity in Systems Research Do you know about the USENIX LISA ’14: 28th Large Installation System Open Access Policy? Administration Conference USENIX is the first computing association to offer free November 9–14, 2014, Seattle, WA, USA and open access to all of our conferences proceedings https://www.usenix.org/conference/lisa14 and videos. We stand by our mission to foster excel- Submissions due: April 14, 2014 lence and innovation while supporting research with a practical bias. Your membership fees play a major role in making this endeavor successful. Please help us support open access. Renew your USENIX membership and ask your colleagues to join or renew today! www.usenix.org/membership

twitter.com/usenix www.usenix.org/youtube www.usenix.org/gplus

Stay Connected... www.usenix.org/facebook www.usenix.org/linkedin www.usenix.org/blog

LJ237-Jan2014.indd 2 12/17/13 3:42 PM coe_lj_10-29-13.indd 1 10/30/13 9:37 AM $UH\RXFRQVLGHULQJVRIWZDUHGHÀQHGVWRUDJH"

zStax StorCore =)68QLÀHG6WRUDJH IURP6LOLFRQ ZFS Unified Storage 0HFKDQLFVLVWUXO\VRIWZDUHGHÀQHGVWRUDJH

)URPPRGHVWGDWDVWRUDJHQHHGVWRDPXOWLWLHUHGSURGXFWLRQVWRUDJHHQYLURQPHQWWKHzStax StorCore =)6XQLÀHGVWRUDJHDSSOLDQFHVKDYHWKHULJKWPL[RISHUIRUPDQFHFDSDFLW\DQGUHOLDELOLW\WRÀW\RXUQHHGV

zStax StorCore 64 January Case Study Feature

zStax StorCore 104

8QLÀHG6WRUDJHLV&UXFLDO3DUWRI 6HDUFKDQG'LVFRYHU\IRUWKH&ORXG 7DONZLWKDQH[SHUWWRGD\ www.siliconmechanics.com/casestudies www.siliconmechanics.com/zstax

LJ237-Jan2014.indd 3 12/17/13 3:42 PM JANUARY 2014 CONTENTS ISSUE 237 SECURITY FEATURES 68 Quantum 80 More Secure 94 Encrypted Backup Cryptography SSH Connections Solution “Home Classical cryptography Secure shell Paranoia Edition” may not be good connections can A solution for enough in providing be hardened for safeguarding your security in the extra security. personal information. near future. Federico Kereki Tim Cordova Subhendu Bera Cover Cover Image © Can Photo Stock Inc. / maxkabakov

ON THE COVER /V^[V/HYKLU@V\Y::/*VUULJ[PVUZW ,UJY`W[LK)HJR\W:VS\[PVUZ^P[O;Y\L*Y`W[HUK:WPKLY6HRW (U0U[YVK\J[PVU[V8\HU\[T*Y`W[VNYHWO`W ;VY!)YV^ZL[OL>LI(UVU`TV\ZS`W ;HRPUN(K]HU[HNLVM,UJY`W[PVUW ;PWZMVYVY[O0[&W

4 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 4 12/17/13 3:42 PM INDEPTH 108 Solid-State Drives—Get One Already! If you’ve been on the fence, this article should convince you to give SSDs a try. Brian Trapp COLUMNS 36 Reuven M. Lerner’s At the Forge 26 MANDELBULBER Talking to Twitter 44 Dave Taylor’s Work the Shell Easy Watermarking with ImageMagick 50 Kyle Rankin’s Hack and / A Bundle of Tor 56 Shawn Powers’ The Open-Source Classroom Encrypting Your Cat Photos 120 Doc Searls’ EOF Returning to Ground from the Web’s Clouds 50 TOR KNOWLEDGE HUB 106 Webcasts and White Papers IN EVERY ISSUE 8 Current_Issue.tar.gz 10 Letters 16 UPFRONT 34 Editors’ Choice 64 New Products 125 Advertisers Index 94 TRUECRYPT

LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 5

LJ237-Jan2014.indd 5 12/18/13 10:15 AM Executive Editor Jill Franklin [email protected] Senior Editor Doc Searls [email protected] Associate Editor Shawn Powers [email protected] Art Director Garrick Antikajian [email protected] Products Editor James Gray [email protected] Editor Emeritus Don Marti [email protected] Technical Editor Michael Baxter [email protected] Senior Columnist Reuven Lerner [email protected] Security Editor Mick Bauer [email protected] Hack Editor Kyle Rankin lj@greenﬂy.net Virtual Editor Bill Childers [email protected]

Contributing Editors )BRAHIM (ADDAD s 2OBERT ,OVE s :ACK "ROWN s $AVE 0HILLIPS s -ARCO &IORETTI s ,UDOVIC -ARCOTTE 0AUL "ARRY s 0AUL -C+ENNEY s $AVE 4AYLOR s $IRK %LMENDORF s *USTIN 2YAN s !DAM -ONSEN

Publisher Carlie Fairchild [email protected]

Director of Sales John Grogan [email protected]

Associate Publisher Mark Irgang [email protected]

Webmistress Katherine Druckman [email protected]

Accountant Candy Beauchamp [email protected]

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc. PO Box 980985, Houston, TX 77098 USA

Editorial Advisory Panel "RAD !BRAM "AILLIO s .ICK "ARONIAN s (ARI "OUKIS s 3TEVE #ASE +ALYANA +RISHNA #HADALAVADA s "RIAN #ONNER s #ALEB 3 #ULLEN s +EIR $AVIS -ICHAEL %AGER s .ICK &ALTYS s $ENNIS &RANKLIN &REY s !LICIA 'IBB 6ICTOR 'REGORIO s 0HILIP *ACOB s *AY +RUIZENGA s $AVID ! ,ANE 3TEVE -ARQUEZ s $AVE -C!LLISTER s #ARSON -C$ONALD s #RAIG /DA *EFFREY $ 0ARENT s #HARNELL 0UGSLEY s 4HOMAS 1UINLAN s -IKE 2OBERTS +RISTIN 3HOEMAKER s #HRIS $ 3TARK s 0ATRICK 3WARTZ s *AMES 7ALKER

Advertising E-MAIL: [email protected] URL: www.linuxjournal.com/advertising PHONE: +1 713-344-1956 ext. 2

Subscriptions E-MAIL: [email protected] URL: www.linuxjournal.com/subscribe MAIL: PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.

LJ237-Jan2014.indd 6 12/17/13 3:43 PM ® has the tools to keep you a!oat. Key Features:

t Dual Intel® Xeon® Processors 5600 Series TrueNAS® Uni"ed Storage features the Intel® Xeon® Processor t Support for CIFS, NFS, iSCSI, and more 5600 series and supports high availability, remote replication, t Active Directory, LDAP, and NIS integration deduplication, encryption, compression, and snapshots. It has t Multi-Petabyte Scalability the tools to deal with any storage challenge you may face.

Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries.

Call iXsystems toll free or visit our website today! 1-855-GREP-4-IX | www.iXsystems.com

LJ237-Jan2014.indd 7 12/17/13 3:43 PM Current_Issue.tar.gz

Lapsang SHAWN POWERS Souchong! ack when we were kids, my BirdCam project (which you’ll hear “security” meant little more than more about in a month or so), I found Bhaving a secret password to keep his column particularly interesting. If you little siblings out of the treehouse. That’s need to work with photos, especially if still the case in some situations. Take the direct interaction isn’t possible, Dave’s title of this column, for instance. If you column will be interesting for you too. go to the #linuxjournal IRC channel on Kyle Rankin gets into the security FreeNode, saying “Lapsang Souchong” mindset this month by approaching will mark you as part of the inner circle. privacy. Specifically, he explains how (Note, this does not make you one of the to set up Tor in order to browse the cool kids...possibly the exact opposite!) Web in private. Tor is just as useful as When it comes to computer security, it once was, but thankfully, it’s gotten however, things are quite a bit more easier and easier to implement. I follow complex. Whether you want to encrypt Kyle’s column with The Open Source your data or lock down network Classroom, and this month, I talk access, Linux provides a wide variety of about file encryption. Many people are security tools. This month, we focus on intimidated by the notion of encryption, using those tools in our Security issue. but it doesn’t have to be scary. This Reuven M. Lerner starts off the issue month, we’ll do just enough encryption with instructions on how to integrate to wet your whistle, and hopefully get Twitter into your applications. Whether you interested in learning more. you need your app to tweet results, Although I may have introduced error messages or automatic cat photos, encryption in my column, Subhendu Bera Reuven walks through implementing takes things to a whole new level with the API. Dave Taylor follows up with a 1UANTUM #RYPTOGRAPHY -ATHEMATICS tutorial on using the ImageMagick suite based encryption is complex, for sure, but to watermark and copyright photos. will it be enough as technology advances? Since I use ImageMagick extensively with Subhendu gives an explanation of

8 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 8 12/17/13 3:43 PM CURRENT_ISSUE.TAR.GZ

1UANTUM #RYPTOGRAPHY AND A QUICK LESSON encryption, don’t miss this article. IN 1UANTUM -ECHANICS AS WELL )F YOURE We finish off the security issue with interested in the future of cryptography, Brian Trapp’s article on solid-state drives. you’ll love his article. SSDs have been around for a number Remember Telnet? Telnet has been of years now, and we’re finally to the replaced in almost every situation by the point that we can provide some longevity much more secure SSH protocol. Granted, statistics and reliability information. Have there still are a few situations that warrant you been avoiding SSDs because you the use of Telnet, but those generally are thought they would wear out? Did you inside your network and never over the think they had a significantly higher failure Internet. Just switching to SSH, however, rate? Were you worried that you need isn’t enough to ensure that you’re secure. Windows-specific drivers to make them Sure, the connection itself is encrypted, work? Brian assuages many of those fears but what if you have a user with a and validates those that are valid. SSDs are simplistic password? Or a script kiddie fast, and they can provide an incredible scanning for vulnerabilities? Federico performance boost in most situations. You Kereki describes how to harden SSH this owe it to yourself to see if your scenario month, making the wonderful and flexible warrants an SSD. Brian’s article will help. SSH protocol a little safer to use. Whether This issue also contains tons of you want to limit your allowed users or other Linux goodies. We have product disable password connections altogether, announcements, opinion pieces and even Federico’s article will guide you down the fractals. You don’t have to be one of path of better SSH. the cool kids to enjoy this issue of Linux I may have started this issue with the Journal, but it helps to be one of the basics of file and disk encryption, but if smart kids. Thankfully, our readers tend you are looking for more, Tim Cordova is to have that attribute in plentiful supply. about to be your favorite person. Going We hope you enjoy this issue as much as far beyond single file or even removable we enjoyed putting it together.Q drive encryption, Tim shows how to encrypt your entire hard drive. Then, Shawn Powers is the Associate Editor for Linux Journal. Tim goes even further and explains how He’s also the Gadget Guy for LinuxJournal.com, and he has to configure TrueCrypt in conjunction an interesting collection of vintage Garfield coffee mugs. with SpiderOak to make sure your data Don’t let his silly hairdo fool you, he’s a pretty ordinary guy is not only encrypted, but backed up as and can be reached via e-mail at [email protected]. well! If you’re interested in privacy and Or, swing by the #linuxjournal IRC channel on Freenode.net.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 9

LJ237-Jan2014.indd 9 12/17/13 3:43 PM letters

of 1s and 0s, but he’s not quite willing to admit it!—Shawn Powers

LVM, Demystified Regarding Shawn Powers’ article “LVM, Demystified” in the December 2013 issue: I’ve been a fan of LVM2 from the beginning. (LVM1 really wasn’t ready for Prime Time.)

You said in your article “LVM is an incredibly flexible, ridiculously useful and not terribly complicated to use system.” I agree totally. However, it is rss2email—Excellent Article not without its idiosyncrasies. Thanks to Kyle Rankin for his “Command-Line Cloud rss2email” If you do a followup article, you may article in the October 2013 issue. mention a few things. I’ve been lamenting my “loss” of RSS feeds for some time, and this 1) There was a bug where trying is a perfect solution! to pvmove an entire volume with —Steve Hier multiple LVs on it sometimes hung up LVM (at least the progress of I love that Linux affords us multiple the move), necessitating a reboot. solutions to our tech problems. I’ve The recommendation if you had a tried a handful of Google Reader level with this bug was to move alternatives (settling on commafeed), each LV individually. but I love seeing how other people tackle the problem as well. Kyle’s This had the side benefit of allowing penchant for simplicity certainly you to “defragment” the segments comes through with his preference for of your LV (by moving the segments rss2email. I’m pretty sure Kyle would in order and filling each PV). This be happy with just a constant stream makes no difference to performance,

10 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 10 12/17/13 3:43 PM [ LETTERS ]

but makes it easier to see “what you 4) Don’t try to pvmove a swap have where”. Tedious, but it makes volume. Simply allocate a new one the neat freak in me happy. and delete the old one.

The Red Hat Advisory was Excellent article. It’s not an easy 2("! "UGZILLA ": concept to get across to the novice, but once you understand it, it seems 2) The metadata present on each PV so simple. now eats up a PE (that is, in your —Tom Lovell case, “not usable 3.00 MiB”, but it’s usually 4MB), and it is a good practice It’s always tough for me to decide to have metadata on every PV! That means that, for example, if you have 5 * 100GB PVs, you don’t have 500GB to use, you have 499.9something GB—that is, 500GB minus 20MB Low Cost Panel PC (5 PEs, each 4MB in size). This is a PDX-090T problem mainly with SAN LUNs, as l Vortex86MX+ 1 GHz Fanless l Up to 1GB of RAM they are usually precisely some size. l Low Power Consumption l 1 RS232/422/485 serial port l Mini-PCI Expansion slot l 2 USB 2.0 Host Ports This means that if you allocated l 10/100 BaseT Ethernet l PS/2 KB port, Audio Out -L 500G, it would fail, telling you l Compact Flash & MicroSD card sockets l 9 inch 1024 x 600 WS VGA TFT LCD that you were slightly short of l Resistive Touch Screen what you needed. A subsequent l DC-IN 5V (or) +8 ~+35 option l Wi-Fi (Optional) 2.6 KERNEL

-l 15980 would give you almost The PDX-090T comes ready to run with the Operating System installed on flash 500GB and would work. (I think I disk. Apply power and watch the Linux X-Windows desktop user interface appear on the vivid color LCD. Interact with the PDX-090T using the responsive integrated have my math right here, but you touchscreen. Everything works out of the box, allowing you to concentrate on your application rather than building and configuring device drivers. Just Write-It and get the picture.) Run-It... Starting at $450 Qty 1. http://www.emacinc.com/sales/linux_journal_dec

3) lvdisplay --maps ... and Since 1985 OVER pvdisplay --maps are your best 28 YEARS OF SINGLE BOARD friends if you want to understand SOLUTIONS EQUIPMENT MONITOR AND CONTROL basic LVM. Phone: (618) 529-4525 · Fax: (618) 457-0110 · www.emacinc.com

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 11

LJ237-Jan2014.indd 11 12/17/13 3:43 PM [ LETTERS ]

how far to travel down the rabbit hole one really has to keep doing it when approaching a topic like LVM. throughout the winter now, as some By sysadmin standards, I’m a noob birds become dependent on them. myself, since I avoided LVM for so —Bob Kline long. I figured it was worthwhile to bring folks up to my comprehension It was my favorite article to write, up level, even if I wasn’t a zen master. there with the article on the arcade cabinet I built and submitted back I said all that to say that I really, really when I was a freelancer. I’m starting appreciate letters like yours. Not only a followup article now, which will do I get to learn more, but it benefits probably be published...hmm...in everyone who reads Linux Journal as February? I’ve been tinkering with well. And, now I get to go play with BirdCam, adding multiple cameras, more LVM stuff!—Shawn Powers motion detection with “motion”, archive video creation—all sorts Bird Feeder of cool stuff. Shawn Powers’ bird-feeder article (see “It’s a Bird. It’s Another Bird!” Thank you for the e-mail. I’m really in the October 2013 issue) was glad you enjoyed the article and one of the most appealing I’ve read the camera. I have it scaled out to in LJ since 1994. It’s something my Dreamhost account, so it should I often contemplated, but never be able to handle lots of hits. I got beyond that. Many thanks for zoomed in the camera closer to the pointing the way. feeders (you probably noticed), and embedded the window cam and An FYI, I alone have turned about a closeup of the bird bath. It’s so six people into active viewers, funny to see the starlings in the bird so I do hope you have plenty of bath. I might point a camera there capacity, if only so I don’t get to capture video!—Shawn Powers locked out now. It’s a very pleasant diversion. And you’ve put out a Linux Archive DVD great bird buffet. Based on my I would be very tempted by the own feeders, you will be kept quite Archive DVD, if there were PDF or busy keeping them full as word Mobi versions of the back issues spreads in bird land. And of course, available on the Archive. I love the

12 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 12 12/17/13 3:43 PM [ LETTERS ]

idea of using grep to search the going back to September 2011, HTML versions, but it would be nice and PDFs of all formats from April to send an issue (once found) to 2005). We don’t, unfortunately, your favorite reading device. have digital versions going all the way back, but those that exist I know matching the original should be accessible on your print format with a digital format subscriber page. Hopefully that is a painstaking process. Maybe helps!—Shawn Powers you could make it clear it is an approximation or use a new iPad App Issues “different” automated format for I’ve been using my iPad for viewing the back issues? the digital subscription since the printed version ceased to exist. I The digital versions of the back think there needs to be a major issues would be useful for LJ readers update to your newsstand app. who have become accustomed to I’ve downloaded every issue to carrying our LJ issues on Kindles, my iPad, but I cannot view any of tablets or phones. the downloaded issues without —Rob an active Internet connection. For some reason, this evening I’m not The Archive DVD used to confuse able to connect to whatever service and frustrate me as well. I thought it controls your downloads. Not only was a simple collection of past issues can I not download the latest issue, that I’d be able to flip through like but I cannot view/read any of my a pile of magazines. It’s grown on existing already-downloaded issues! me over the years, however, because Reading my previously downloaded I see it as more of a collection of issues should not rely on nor require articles unbound from the magazine an active connection to anything. format. Organization is still by When I’m not having a problem issue, yes, but clicking through is a connecting to your servers, all my different experience. downloaded issues say “Read” next to them; when I am having an issue, Subscribers have access to back they all switch back to “Download”. issues in whatever digital format Please address this issue as soon is available (all formats for issues as possible. Having to give up my

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 13

LJ237-Jan2014.indd 13 12/17/13 3:43 PM [ LETTERS ]

print issues was hard enough, but this just compounds the problem. At Your Service

Thanks for a great magazine! SUBSCRIPTIONS: Linux Journal is available in a variety of digital formats, including PDF, —Jon Simonds .epub, .mobi and an on-line digital edition, as well as apps for iOS and Android devices. Renewing your subscription, changing your e-mail address for issue delivery, paying your I don’t have an iPad personally, but I’ve invoice, viewing your account details or other noticed with my wife’s that the iOS7 subscription inquiries can be done instantly on-line: http://www.linuxjournal.com/subs. implementation of Newsstand, at least as it E-mail us at [email protected] or reach us via postal mail at Linux Journal, PO Box pertains to the Linux Journal app, is frustrating 980985, Houston, TX 77098 USA. Please remember to include your complete name at best. To be honest, I download either the and address when contacting us.

.epub or .pdf directly and peruse the issue ACCESSING THE DIGITAL ARCHIVE: from there. We’ll work with our vendor to Your monthly download notiﬁcations will have links to the various formats try to get things working right with and to the digital archive. To access the digital archive at any time, log in at Newsstand, but I expect the process to be http://www.linuxjournal.com/digital.

lengthy and frustrating! The downloadable LETTERS TO THE EDITOR: We welcome your letters and encourage you to submit them copies you get links for as a subscriber should at http://www.linuxjournal.com/contact or mail them to Linux Journal, PO Box 980985, load right into the iBooks app if you’re having Houston, TX 77098 USA. Letters may be issues with the Newsstand app. Hopefully, edited for space and clarity. things will be straightened out soon. I have WRITING FOR US: We always are looking for contributed articles, tutorials and found in the past that deleting and then real-world stories for the magazine. An author’s guide, a list of topics and re-installing the Linux Journal app sometimes due dates can be found on-line: helps as well.—Shawn Powers http://www.linuxjournal.com/author. FREE e-NEWSLETTERS: Linux Journal editors publish newsletters on both a weekly and monthly basis. Receive late-breaking news, technical tips and tricks, an inside look at upcoming issues and links to in-depth stories featured on WRITE LJ A LETTER http://www.linuxjournal.com. Subscribe We love hearing from our readers. Please for free today: http://www.linuxjournal.com/ enewsletters. send us your comments and feedback via ADVERTISING: Linux Journal is a great http://www.linuxjournal.com/contact. resource for readers and advertisers alike. Request a media kit, view our current editorial calendar and advertising due dates, or learn more about other advertising PHOTO OF THE MONTH and marketing opportunities by visiting us on-line: http://ww.linuxjournal.com/ Remember, send your Linux-related photos to advertising. Contact us directly for further information: [email protected] or [email protected]! +1 713-344-1956 ext. 2.

14 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 14 12/17/13 3:43 PM Linux Journal_Layout 1 12/2/13 10:58 AM Page 1

Join the Wearables Revolution!

A conference for Designers, Builders and Developers of Wearable Computing Devices

Wearable computing devices are the Next Big Wave in technology. And the winning developers in the next decade are going to be the ones who take advantage of these new technologies EARLY and build the next generation of red-hot apps.

Choose from over 35 classes and tutorials! G Learn how to develop apps for the coolest gadgets like Google Glass, FitBit, Pebble, the SmartWatch 2, Jawbone, and the Galaxy Gear SmartWatch

G Get practical answers to real problems, learn tangible steps to real-world implementation of the next generation of computing devices

March 5-7, 2014 San Francisco WearablesDevCon.com

A BZ Media Event

LJ237-Jan2014.indd 15 12/17/13 3:43 PM UPFRONT NEWS + FUN diff -u WHAT’S NEW IN KERNEL DEVELOPMENT

A recent bug hunt by kernel He’d started off using GCC 4.8.1, developers ended up identifying but 4.6.1 also produced a kernel a long-standing bug in GCC. The that would reproduce the oops. But indications were there from the as Linus suspected, disabling “asm start, but it took some investigation goto” in the kernel code did fix the to nail it down. problem. After a while, Fengguang Originally, Fengguang Wu reported also discovered that the older GCC a kernel oops, and used “git bisect” version 4.4.7 also produced a working to identify the specific patch that kernel, because that compiler had no revealed the problem. It was an support for “asm goto”. optimization suggested by Linus Gradually, other folks began to Torvalds and implemented by be able to reproduce the problem Peter Zijlstra that aimed at freeing on their own systems. Originally, up a hardware register by using the the issue seemed to affect only “asm goto” instruction in the kernel’s 32-bit Linux systems, but ultimately, modify_and_test() functions. Linus was able to reproduce the The first indication that the problem problem on his own 64-bit system. might boil down to a compiler bug It was harder to trigger on a 64-bit was that the patch just seemed system, but it boiled down to being correct to folks. Neither Peter nor the same problem. As the scope Linus were able to see anything wrong of the problem began to reveal with it, so they suggested trying itself, Linus remarked, “It makes to reproduce the oops on kernels me nervous about all our traditional compiled with different versions of uses of asm goto too, never mind GCC, and Linus suggested disabling the new ones.” “asm goto” directly to see if that Jakub Jelinek opened a Bugzilla had any effect. ticket against GCC, and folks started At first, Fengguang found that thinking about workarounds for the earlier compilers made no difference. kernel. Even after GCC got a fix for this

16 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 16 12/17/13 3:43 PM [ UPFRONT ]

particular bug, it wouldn’t do to allow user code that actually looks up those the kernel to miscompile on any version filesystems in the registry. There’s just of GCC, if it possibly could be avoided. no reason anyone would want to. A workaround did end up going into As Al explained on the mailing the next Linux kernel release candidate, list, there used to be a need to and a fix went into GCC 2.8.2. Shortly register all filesystems. But about a afterward, Greg Kroah-Hartman also decade ago, the kern_mount() call adopted the kernel workaround in the changed to take only a pointer to 3.11.x stable tree. the filesystem, rather than needing The reason the kernel needed a to look it up by name. workaround in spite of the fact that Ever since then, the need to a real fix went into GCC was because register these internal filesystems has the kernel needs to support the widest been minimal. The only remaining possible dispersion of host systems. dependency was a single data structure Anyone, anywhere, with any particular initialized by register_filesystem() hardware setup, using any particular that was needed by all filesystems. versions of the various development But, Al said that even this tools, should be able to build and run dependency was eliminated a couple the kernel. In some cases that ideal years ago, when the data structure can’t be reached, but it remains an was optimized no longer to need ideal nonetheless. register_filesystem(). By now, Al Traditionally, software could mount said, “there’s no reason to register a filesystem only after registering it the filesystem types that can only with the kernel, so the kernel would be used for internal mounts.” know its name and a bit about how With this change, /proc/filesystems to manage it. This has been true even would no longer list internal for internal filesystems like ia64, filesystems. And as Linus pointed out, pfmfs, anon_inodes, bdev, pipefs those filesystems wouldn’t reliably be and sockfs. But, Al Viro recently listed anywhere on the system. Even said there was no longer any reason /proc/modules, Linus said, would list to require registration for these those filesystems only if they’d been filesystems, and he submitted a patch compiled as modules. to take out the requirement. So, with some mild trepidation, First of all, he and Linus Torvalds Linus accepted the patch. If no one agreed that there probably isn’t any howls, it’ll probably stay.—ZACK BROWN

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 17

LJ237-Jan2014.indd 17 12/17/13 3:43 PM [ UPFRONT ]

Blu-ray Encryption— Why Most People Pirate Movies

the job. MakeMKV is a cross-platform utility that will extract the full, uncompressed movie from most Blu- ray discs. Unfortunately, you have to download the source code and compile I get a fair amount of e-mail from it. You need both the binaries and the readers asking how a person could do source download files, and then follow “questionable” things due to limitations the included directions for compiling imposed by DRM. Whether it’s how to the software. Yes, it’s a bit complex. strip DRM from ebooks, how to connect Once you compile MakeMKV, you to Usenet or how to decrypt video, I should be able to use it to extract do my best to point folks in the right the Blu-ray disc to your computer. direction with lots of warnings and Be warned, the file is enormous, and disclaimers. The most frustrating DRM you’ll most likely want to compress by far has been with Blu-ray discs. it a bit. The tool for that thankfully Unless I’ve missed an announcement, is much easier to install. Handbrake there still isn’t a “proper” way for has been the de facto standard video Linux users to watch Blu-ray movies on encoding app for a long time, and their computers. It’s hard enough with when paired with MakeMKV, it makes Windows or Macintosh, but when it creating playable video files close to comes to Linux, it seems that turning painless. I won’t go through the step- to the dark side is the only option. In by-step process, but if the legally the spirit of freedom, let me point you questionable act of ripping a Blu-ray in the direction of “how”, and leave it disc is something you’re comfortable up to you to decide whether it’s a road doing, http://www.makemkv.com you want to travel. and http://www.handbrake.fr are When ripping a movie from Blu-ray, I the two software packages you’ll want know of only one program that can do to explore.—SHAWN POWERS

18 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 18 12/17/13 3:43 PM [ UPFRONT ]

Non-Linux FOSS: Persistence of Vision Raytracer (POV-Ray)

fascinating. As you probably already guessed, Russ and I weren’t terribly popular. All these years later, the same ray-tracing software we used back then is now up to version 3.7, and it has been released as free, open- source software. The developers This image is completely computer-generated, created by kindly have created Gilles Tran, released into public domain. a downloadable Windows installer Back in the mid-1990s, a college for those folks stuck on a Microsoft friend (hi Russ!) and I would put our operating system. If you think the old 8088 computers to work rendering world is nothing more than math, ray-traced images for days—literally. and you’d like to prove it with The end result would be, by today’s ray-traced images, head on over standards, incredibly low resolution to http://www.povray.org and and not terribly interesting. Still, download your copy today. I can’t the thought of a computer system promise it will make you popular, but creating realistic photos from nothing at least by my standards, it will make more than math equations was you cool!—SHAWN POWERS

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 19

LJ237-Jan2014.indd 19 12/17/13 3:43 PM [ UPFRONT ]

Stream and Share Your Media with PlexWeb

URL generated by plexapp.com.) You will be redirected to your home server, and you’ll be able to transcode and stream your movies to any computer, anywhere. I freely admit that I wish Plex was open source. Thankfully, however, its proprietary code does’t mean Linux Plex is one of those applications I users are excluded. Whether you’re tend to write about a lot. It’s not using the Plex app on your Android because I get any sort of kickback or device, installing Plex Home Theater even a discount, but rather it’s just an on your Linux machine or even incredible system that keeps getting streaming video to your Aunt Edna’s better. For this piece, I want to talk Web browser while visiting over the about PlexWeb, which functions much holidays, Plex is an incredible tool like the Android app I’ve mentioned that keeps getting better. PlexWeb before, but works completely inside is free, but if you’re interested a Web browser—almost any Web in experiencing the latest and browser, on any operating system. greatest Plex has to offer, a PlexPass You can access PlexWeb by surfing subscription will get you access to http://my.plexapp.com and to features like Cloud Sync before logging in with your free account. anyone else gets to see them! To get (If you have a static IP at home, you started with Plex, visit the Web site also can connect directly to your at http://www.plexapp.com. home server by bookmarking the —SHAWN POWERS

20 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 20 12/17/13 3:43 PM [ UPFRONT ]

Make Peace with pax

pax is one of the lesser known utilities The -w option means “write”—that in a typical Linux installation. That’s is, create an archive. The -f option too bad, because pax has a very good provides the name of a file to which to feature set, and its command-line write the archive. If desired, pax can options are easy to understand and gzip or bzip the file at the same time: remember. pax is an archiver, like tar(1), but it's also a better version of $ pax -wzf paxample.tar.gz paxample cp(1) in some ways, not least because you can use pax with SSH to copy Like most tar implementations, sets of files over a network. Once you pax, by default, uses the Posix ustar learn pax, you may wonder how you file format. Because pax was born lived without it all these years. of a desire to unify archive file pax has four modes: list, read, formats, many other formats also are write and copy. Reading and writing supported, but in practice, they’re are controlled by the -r and -w seldom used. Likely as not, any .tar.gz options, repectively. In combination, file you download from the Internet -rw, pax acts a little bit like cp -R. actually will be a ustar archive: If neither is used, pax lists the contents of the archive, which may $ pax -wzf paxample.tar.gz paxample be a file, device or a pipe. ÀOHSD[DPSOHWDU By default, pax operates as a filter: paxample.tar: POSIX tar archive it reads from standard input and paxample.tar.gz: gzip compressed data writes to standard output, a feature that turns out to be very useful. But The first thing you nearly always usually these days, the target is an want to know about any archive is archive file, the familiar tarball. Let’s what’s in it. Listing the contents is the start by creating one: default action in the absence of either a -r or -w option: $ cd /tmp $ mkdir paxample $ pax -f paxample.tar $ touch paxample/foo paxample $ pax -wf paxample.tar paxample paxample/foo

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 21

LJ237-Jan2014.indd 21 12/17/13 3:43 PM [ UPFRONT ]

Note that the archive retains the $ pax -rw paxample t directory name you specified on the ÀQGW command line. That comes into play t later when you read it. t/paxample To read an archive, use -r: t/paxample/foo

$ mkdir t Unlike cp(1), pax is an archive $ cd t utility. Its job isn’t to make copies, $ pax -rf ../paxample.tar but to archive files. When pax creates a file, it preserves the file’s What did that do? Let’s look at metadata from its input. The form the source and target directories: of the input doesn’t matter. In this case, the input isn’t from an archive, $ cd /tmp it’s the file itself: ÀQGSD[DPSOHWWUDYHUVHERWKWUHHV

paxample $ ls -l paxample/foo t/paxample/foo

paxample/foo UZUUMNORZGHQZKHHO6HSSD[DPSOHIRR

t UZUUMNORZGHQZKHHO6HSWSD[DPSOHIRR t/paxample t/paxample/foo Yes—two identical files with two identical timestamps. The permission When pax read the paxample.tar bits and ownership can be controlled archive, it created files in the too, if desired. Take that, cp(1)! current directory, t. Because the Perhaps you don’t want to re-create archive included a directory name, the directory, or perhaps you want to paxample, that directory was change it in some way. One option re-created in the output. is not to mention the input directory Copying Sets of Files To my on the command line, but instead mind, pax’s -r and -w options make provide filenames: more sense than their -x and -c equivalents in tar—reason enough $ rm -rf t/paxample/ to switch. But, pax can do more FGSD[DPSOH SD[UZ W than tar: it can copy files too: ÀQGW t $ rm -rf t t/foo

22 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 22 12/17/13 3:43 PM [ UPFRONT ]

That’s usually easiest. But WP\QHZSDWK if you need something more WP\QHZSDWKIRR sophisticated, the -s option rewrites the path—actually, any The -s option is handy, for part of the filename—using a instance, when unpacking a regular expression: tarball that doesn’t have version information in the directory name. UPUIW What Could Go Wrong? If SD[UZV SD[DPSOHP\QHZSDWKJ SD[DPSOHW you give the wrong filename to ÀQGW write, you just get an archive by t the wrong name—no harm no t/my foul. If you mistype an input WP\QHZ archive filename though, you’ll

Powerful: Rhino Tablet: Raven

Rhino M4700/M6700 Raven X230/X230 Tablet r Dell Precision M4700/M6700 r ThinkPad X230/X230 tablet by Lenovo w/ Core i7 Quad (8 core) r 12.5" HD LED w/ X@1366x768 r 15.6"-17.3" FHD LED r 2.6-2.9 GHz Core i7 w/ X@1920x1080 r Up to 16 GB RAM r NVidia Quadro K5000M r 750 GB hard drive / 180 GB SSD r 750 GB - 1 TB hard drive r Pen/finger input to screen, rotation r Up to 32 GB RAM (1866 MHz) r Starts at $1920 r DVD±RW or Blu-ray r W530, T430, T530, X1 also available r 802.11a/b/g/n r Starts at $1375 r E6230, E6330, E6430, E6530 also available Rugged: Tarantula

r High performance NVidia 3-D on an FHD RGB/LED Tarantula CF-31 r High performance Core i7 Quad CPUs, 32 GB RAM r Panasonic Toughbook CF-31 r Ultimate configurability choose your laptop's features r Fully rugged MIL-SPEC-810G tested: r One year Linux tech support phone and email drops, dust, moisture & more r Three year manufacturer's on-site warranty r 13.1" XGA TouchScreen r Choice of pre-installed Linux distribution: r 2.4-2.8 GHz Core i5 r Up to 16 GB RAM r 320-750 GB hard drive / 512 GB SSD r CF-19, CF-52, CF-H2 also available

EmperorLinux www.EmperorLinux.com ...where Linux & laptops converge 1-888-651-6686

Model specifications and availability may vary.

LJ237-Jan2014.indd 23 12/17/13 3:43 PM [ UPFRONT ]

find yourself in 1985: this case, is the keyboard. You could type ^D, for end-of-file, but that

$ pax -rf paxample.whoopsie forms invalid input to pax. Better to

SD[)DLOHGRSHQWRUHDGRQSD[DPSOHZKRRSVLH 1RVXFKÀOH send up a smoke signal:

RUGLUHFWRU\

$77(17,21SD[DUFKLYHYROXPHFKDQJHUHTXLUHG SD[6LJQDOFDXJKWFOHDQLQJXS

Ready for archive volume: 1

,QSXWDUFKLYHQDPHRUWRTXLWSD[ It’s even worse the first time

$UFKLYHQDPH! you accidentally write to standard output while it’s connected to your This is an idea that outlived terminal. You heard it here first: its usefulness before it was don’t do that. implemented. You could type in Putting Standard Input to the filename here, again, without Work Standard input and standard readline support or tab completion. output do have their uses, and here Well, at least it says what to do: pax really comes into its own. For one thing, you can verify the effect $UFKLYHQDPH! of the -s option without creating 4XLWWLQJSD[ an archive or the files:

How exciting! SD[ZV SD[DPSOHP\QHZSDWKJ SD[DPSOH_SD[ As mentioned previously, pax P\QHZSDWK uses standard input and standard P\QHZSDWKIRR output by default. That is a feature, but the first time you forget to Absent the -f option, pax -w provide a filename, you may think writes to standard output. So pax is very, very slow: rewrite the pathname with -s, and pipe the output to pax again, this $ pax -r paxample.tar time using its “list” mode, with neither the -r nor -w option. By Oops! No -f. Also no message default, pax reads from standard and no prompt. pax is ignoring input and, in “list” mode, prints the the archive filename argument and filenames on the terminal. reading standard input, which in That can save a lot of time, not to

24 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 24 12/17/13 3:43 PM [ UPFRONT ]

mention a mess on the disk, when there are thousands of files. They Said It Suppose you want to copy the paxample directory to another machine. One approach Never let the future would be to create a tarball, copy to the target, disturb you. You will log in to the target and unpack the tarball: meet it, if you have to, with the same weapons of reason $ pax -wf paxample.tar paxample which today arm you $ scp paxample.tar oak:/tmp/ against the present. paxample.tar 100% 10KB 10.0KB/s 00:00 —Marcus Aurelius $ ssh oak Antoninus

oak[~]$ cd /tmp Temptation rarely oak[tmp]$ pax -rf paxample.tar comes in working oak[tmp]$ ls paxample/ hours. It is in their foo leisure time that men are made or But there’s a much easier way. Invoke pax marred. on both machines, and connect the output of —W. N. Taylor one to the input of the other: We turn not older with years, but SD[ZSD[DPSOH_VVKRDN FGWPS SD[U ÀQGSD[DPSOH newer every day. paxample —Emily Dickinson

paxample/foo The human tendency to regard little pax -w writes to standard output. ssh things as important reads standard input and attaches it to has produced very whatever utility is invoked, which of course many great things. in this case is pax again. pax -r reads from —Georg Christoph standard input and creates the files from Lichtenberg that “archive”. Getting fired is pax is one of the lesser known utilities in a nature’s way of typical Linux installation. But it’s both simple telling you that you and versatile, well worth the time it takes to had the wrong job in learn—recommended. the first place. —JAMES K. LOWDEN —Hal Lancaster

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 25

LJ237-Jan2014.indd 25 12/17/13 3:43 PM [ UPFRONT ]

Taking Fractals off the Page

Fractals are one of the weirder they are two-dimensional (or things you may come across actually greater than one and when studying computer science less than two-dimensional, if and programming algorithms. you want to be pedantic). But From Wikipedia: “A fractal is a there is nothing that forces this mathematical set that has a fractal to be the case. Fractals can be dimension that usually exceeds its any dimension, including greater topological dimension and may fall than two. And with modern 3-D between integers.” This is a really graphics cards, there is no reason odd concept—that you could have why you shouldn’t be able to something like an image that isn’t examine these and play with made up of lines or of surfaces, them. Now you can, with the but something in between. The software package Mandelbulber term fractal was coined by Benoit (http://www.mandelbulber.com). Mandelbrot in 1975. Mandelbulber is an experimental, A key property of fractals is open-source package that lets that they are self-similar. This you render three-dimensional means if you zoom in on a fractal, fractal images and interact with it will look similar to the way them. It is written using the GTK the fractal looked originally. toolkit, so there are downloads The concept of recursion also is available for Windows and Mac OS X very important here. Many types as well as Linux. Actually, most of fractal algorithms use recursion Linux distributions should include to generate the values in the it in their package management given set. Almost everyone systems. If not, you always can has seen computer generated download the source code and images of classic fractals, like build it from scratch. the Mandelbrot set or the If you want some inspiration on Cantor set. One thing about all what is possible with Mandelbulber, of these classic images is that I strongly suggest you go check

26 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 26 12/17/13 3:43 PM [ UPFRONT ]

Figure 1. The main window gives you all parameters that control the generation of your fractal.

out the gallery of images that have a large amount of information been generated with this software. (http://wiki.mandelbulber.com/ There are some truly innovative index.php?title=Main_Page). and amazing images out there, When you are done reading this and some of them include the article, check out everything else parameters you need in order to that you can do with Mandelbulber. regenerate the image on your own. When you first start up The Mandelbulber Wiki provides Mandelbulber, three windows

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 27

LJ237-Jan2014.indd 27 12/17/13 3:43 PM [ UPFRONT ]

Figure 2. This is what the default 3-D fractal looks like.

open. The first is the parameters the render button will start the window (Figure 1). Along the very rendering process. If you have top are the two main buttons: multiple cores on your machine, render and stop. Below that is Mandelbulber will grab them to a list of 12 buttons that pull up help speed up the calculations. different panes of parameters. The rendered plot will be drawn in You get an initial set of default its own window (Figure 2). The third parameters that will generate window shows you some measures a 3-D version of the classic of how the rendering progressed Mandelbrot set. Clicking on (Figure 3). You get two histograms

28 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 28 12/17/13 3:43 PM [ UPFRONT ]

Figure 3. Histograms of the Rendering Progression

Figure 4. A Sierpinski sponge has infinite surface area and zero volume.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 29

LJ237-Jan2014.indd 29 12/17/13 3:43 PM [ UPFRONT ]

describing the number of iterations file dialog where you can load and the number of steps. one of them. For example, you To generate new images, could load “menger sponge.fract”. more than 70 examples are Clicking the render button will included with the installation of generate a 3-D Sierpinski sponge Mandelbulber that you can use as (Figure 4). Although technically, starting points. Clicking on the the set is only one topological button Load example pulls up a dimension that encloses zero

Figure 5. There are several different fractal types from which to choose.

30 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 30 12/17/13 3:43 PM [ UPFRONT ]

volume (aren’t fractals weird?). types of fractal formula types, What can you change in such as mandelbulb, quaternion Mandelbulber? Clicking on the or menger sponge. You can set fractal button pulls up the pane several options, depending on where you can set the parameters exactly which fractal type you for the fractal itself (Figure 5). You choose. For example, if you select can select from several different the iterated function system (IFS),

Figure 6. You can create a hybrid system made from a mix of up to five different fractal types.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 31

LJ237-Jan2014.indd 31 12/17/13 3:43 PM [ UPFRONT ]

you then can click on the IFS tab the Delete button. To modify a to set several different parameters. given keyframe, you can double- One of the issues is coming up click it to set the parameters, and with truly unique, yet aesthetically then you can click on record to pleasing, sets of equations with render the keyframe. which to experiment. To help in Interpolation between the this regard, Mandelbulber has a keyframes is handled by Catmull-Rom hybrid option in the list of fractal splines. Once you have the types. When you select this option, keyframes handled, you will need you then can choose the hybrid to render the full animation. button and set up to five different Clicking on the Animation button fractal equations (Figure 6). With in the main window brings up the this option, you can create very parameters you can set. These complex and sophisticated fractals include things like the number to render. of frames to render from the Mandelbulber doesn’t just keyframes, as well as the start generate static images of these and end frame numbers. You then higher dimensional fractals. There can click on the Render from is an option to generate animations key-frames button to generate the of how these images change when animation. On my netbook, this is some parameter is swept over. a pretty long process. For image To start, you need to click on the generation, you also have control Timeline button at the bottom over camera position, lighting and of the view pane. This pulls up a shader options. You should be able timeline window where you can set to generate the exact image or the parameters used to generate animation that you want. your animation. The record button If you are looking to generate puts parameters into the actual some amazing 3-D landscapes keyframe number (Key no. field or unique shapes for something on the right). It then loads and science-fictiony, you definitely renders the next keyframe if it is should check out Mandelbulber— not the last keyframe. just be prepared to lose several Then, you can add new hours as you start playing with all keyframes with the “insert after” of the parameters available. button or delete keyframes with —JOEY BERNARD

32 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 32 12/17/13 3:43 PM LJ237-Jan2014.indd 33 12/17/13 3:43 PM [ EDITORS' CHOICE ]

™

EDITORS’ Zedge, for All CHOICE Your Annoying ★ Ringtones!

I really don’t understand folks who use songs as their ringtones. Isn’t it annoying or confusing when the song comes on the radio? If it’s your favorite song, don’t you get desensitized to it when you listen to the CD (or digital equivalent of CD)? Nevertheless, you probably hear dozens of ringtones every day. Those probably vary from “super annoying” to “what a cool RINGTONEv 7ITH :EDGE YOU CAN be the person annoying your fellow subway passengers—or making them jealous. :EDGE IS A FREE APP IN THE Google Play store, and the ringtones (and notification sounds and alarm sounds) are completely free as well. I currently use the “WHAAAT?!?!??!” sound from the minions on Despicable Me as a notification sound (which is clearly super cool and not annoying). My ringtone, which Screenshot from the Google Play store

34 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 34 12/17/13 3:43 PM I hear much less often than should pop right up. If Star Trek in years past, is one I made isn’t up your alley, there are myself from pasting together thousands of other options from sound clips from Star Trek the WHICH TO CHOOSE 7ITH :EDGE Next Generation. Somehow, my installing them is simple and, of homemade ringtone ended up on course, free. :EDGE ) KNOW ITS MINE BECAUSE Due to its incredible selection, I pasted together sounds that seamless integration and amazing price don’t actually occur together on TAG :EDGE IS THIS MONTHS %DITORS the show. I’m terribly proud of Choice winner. Check it out today at my ringtone, and if you’d like to https://play.google.com/store/apps/ hear it for yourself, search for details?id=net.zedge.android. “Incoming Subspace Signal”, it —SHAWN POWERS

LINUX JOURNAL now available for the iPad and iPhone at the App Store.

linuxjournal.com/ios

For more information about advertising opportunities within Linux Journal iPhone, iPad and Android apps, contact John Grogan at +1-713-344-1956 x2 or [email protected].

LJ237-Jan2014.indd 35 12/17/13 3:43 PM COLUMNS AT THE FORGE

Talking REUVEN M. LERNER to Twitter Integrating Twitter into your application is easy, fun and useful.

I’m a very quick adopter of many that while I look through my feed new software technologies. I try new several times a day, I tweet only once programming languages, browsers, every few weeks. Call me a dinosaur, databases and frameworks without but I still prefer to use e-mail to be in hesitation. But when it comes to touch with friends and family, rather social networks, I’m a bit of a Luddite, than 140-character messages. waiting to see what all the fuss is Although I don’t see Twitter as about before making them a part of a great medium for interpersonal my life. Sure, I signed up for Facebook communication, I recently have begun almost as soon as it was available, but to appreciate it for other reasons. I haven’t really posted much there. Specifically, I have discovered (perhaps I do use LinkedIn, mostly to collect long after the rest of the world has and find contacts, but I don’t post done so) that using Twitter as a sort there very often either, unless I’m of public logfile can make a Web announcing a presentation that I’ve application more visible, updating added to SlideShare. the rest of the world as to the Twitter is something of a different status of your work and your on- story. There are people, it seems, line community. Doing so not only for whom Twitter is the ultimate in lets people hear about what you are communication. I’ve been on Twitter doing—and potentially rebroadcast it for some time, but other than an to the world, by “retweeting” your occasional foray into that world, I message to followers—but it also didn’t really pay it much attention. increases your application’s SEO, or Even now, after having decided visibility on various search engines. several months ago that I should try Finally, you can use Twitter to bring to get into Twitter more heavily, I find attention to your on-line presence by

36 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 36 12/17/13 3:43 PM COLUMNS AT THE FORGE

The combination of tweeting updates and following other people has had a remarkable and direct effect on the number of visitors who come to my site, the length of time they remain and the number of pages they view.

following other people. (The idea is In this article, I explore some of that when they receive your follow the things I did to use Twitter in request, they may try to find out more my application. From a technology about you, exploring your site or even perspective, you’ll see that following you back.) the implementation was fairly I might sound like a social- straightforward. But I think that what media consultant, but I’ve seen the I’ve learned can be of interest to difference that Twitter can make in anyone running a Web application, an application. I recently connected particularly one that is trying to my PhD dissertation project (the get the word out to the public. In Modeling Commons, at http:// addition, although there are plenty modelingcommons.org) to Twitter, of good reasons to question Twitter’s such that each public action is sent to business practices and its relationship the Twitter feed. The combination of with developers, there is no doubt tweeting updates and following other that its attention to detail with its API people has had a remarkable and offers a model for all of us who want direct effect on the number of visitors to provide APIs to our applications. who come to my site, the length of time they remain and the number of Registering with Twitter pages they view. Now, I’m not talking I’m going to assume that anyone about millions of visitors per month. reading this article already has created My application is still of interest a Twitter account or is able to figure mainly to a small community of people out how to do so at Twitter.com. And working with the NetLogo modeling of course, via the Twitter.com Web environment. But the change has been site, you can do all the things that obvious, and I grudgingly admit that I you might expect, such as tweeting, owe some of it to Twitter. retweeting, following and searching.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 37

LJ237-Jan2014.indd 37 12/17/13 3:43 PM COLUMNS AT THE FORGE

Twitter’s API allows you to do all updates to Twitter, which means you of these things via code. That is, won’t have such issues—you don’t you don’t need to go and compose need a callback URL or any special tweets personally. You can write a login configuration. program that will do so for you. In Perhaps the most confusing thing order for this to happen, you need to (to me, at least) about setting things do two things: register with Twitter’s up with Twitter was that the default API service and install a library that permissions for an application allows knows how to communicate with the you to retrieve tweets, but not post Twitter API. to them. To allow your application In order to register with the Twitter read-write access, go to the settings API, you need to go to the “developer” tab and indicate that you want the site at http://dev.twitter.com. read-write access, or even read, Note that you need to sign in write and direct message. You won’t with your Twitter user name and be using all of these capabilities password, even if you already are for this example, but without write signed in to the main Twitter site. permission, your application will not The two sites do not seem to share be able to post to Twitter. login sessions. And now for the most Once you’re on the developer important part, the keys: Twitter’s site, you need to create a new authentication model requires two application. The application name tokens. First, there is your access needs to be unique, but don’t token, which allows you to access worry about it too much. You need Twitter via the API. The second is the to provide not only a name, but “consumer key”, which describes also a description and a URL that your particular application and is associated with the application. usage. Each of these keys has an Agree to the terms, fill in the accompanying secret, which you Captcha, and you’ll be on your way. should treat as a password. As such, Note that many types of Twitter putting these secrets directly in your applications exist, with many application probably is a bad idea. applications (including mobile) that You would be better off putting post to Twitter on behalf of a user. them in environment variables, The model I demonstrate in this thus avoiding having the secrets in article is of an application sending version control.

38 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 38 12/17/13 3:43 PM COLUMNS AT THE FORGE

“Twitter” Gem for Ruby handled fairly straightforwardly from Readers of this column know that I within a block that looks like this love the Ruby language, so it won’t (filling in the values you got from come as a surprise to hear that I intend Twitter’s API documentation): to use Ruby for my examples. However, there are Twitter API clients in virtually WZLWWHUBFOLHQW 7ZLWWHU5(67&OLHQWQHZGR_FRQÀJ_ every modern language, making it easy FRQÀJFRQVXPHUBNH\ &21680(5B.(< to access from whatever you prefer to FRQÀJFRQVXPHUBVHFUHW &21680(5B6(&5(7 use in your programming. FRQÀJRDXWKBWRNHQ 2$87+B72.(1 The twitter Ruby gem, as is the case FRQÀJRDXWKBWRNHQBVHFUHW 2$87+B6(&5(7 for all Ruby gems (libraries), is available HQG for installation via the gem program, which comes with modern versions of Notice that you are not merely Ruby. The gem currently is maintained executing the “new” method on by Erik Michaels-Ober, also known as 7ZLWWHU5(67&OLHQW, but that “sferik” on GitHub. You can type: you also are returning a value. Thus, in contrast to previous versions of JHPLQVWDOOWZLWWHU9 Ruby’s Twitter gem, you should accept the returned object, which is then the and the gem should be installed. On basis for all of the additional actions many systems, including those not you wish to take. running a Ruby version manager like Finally, you send the tweet with the rvm, you need to execute the above “update” method: line while logged in as root.

Once you have installed the gem, WZHHW WZLWWHUBFOLHQWXSGDWH +HOORZRUOG7ZHHWWZHHW you can use it. There are three parts to this process: bringing the gem Invoking the #update method has into the program, configuring it the effect of sending the message to to use your keys and secrets, and Twitter. If you go to the Web page then executing a Twitter command. for your Twitter user, you’ll find that The first is handled with the Ruby a new message has been sent, as if UHTXLUH command, which looks at you had typed it. installed gems, as well as the Ruby If you capture the return core and standard libraries. value from the invocation of Configuration of the client is WZLWWHUBFOLHQWXSGDWH, you’ll

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 39

LJ237-Jan2014.indd 39 12/17/13 3:43 PM COLUMNS AT THE FORGE

see that it is an instance of If you include a Twitter @username, Twitter::Tweet, a Ruby object that hashtag or URL in your tweet, the represents a tweet. This object provides appropriate magic will happen the functionality that you would want automatically. Thus: and expect from something associated from Twitter. For example: WZHHW WZLWWHUBFOLHQWXSGDWH *RWR#UHXYHQPOHUQHU V

´VLWHDWKWWSOHUQHUFRLO

WZHHWXVHUWHOOVXVZKRZURWHWKHWZHHW

WZHHWUHWZHHWHG"LQGLFDWHVZKHWKHULWZDVUHWZHHWHG In the above tweet, the URL

WZHHWIDYRULWHG"LQGLFDWHVZKHWKHULWZDVPDUNHGDVDIDYRULWH automatically will be shortened, using Twitter’s standard t.co domain. Now, it’s also possible that you will Similarly, the @reuvenmlerner (my not get a tweet object back at all, but Twitter handle) will turn into a link. rather that the “update” method will You can access both of these using raise an exception. For example, Twitter methods on your tweet: forbids users from sending an identical

tweet, at least within a short period of WZHHWXUOVUHWXUQVDQDUUD\RI7ZLWWHU(QWLW\85,

time. Thus, if you send the above “Hello, WZHHWXVHUBPHQWLRQVUHWXUQVDQDUUD\RI

world” tweet (from the example above) 7ZLWWHU(QWLW\8VHU0HQWLRQ a second time, you’ll get an exception: You can more generally ask 7ZLWWHU(UURU)RUELGGHQ6WDWXVLVDGXSOLFDWH Twitter for information about tweets. For example, you can get Of course, you can catch such the most recent tweets a user has errors with: sent with:

EHJLQ WZLWWHUBFOLHQWXVHUBWLPHOLQH UHXYHQPOHUQHU

WZHHW WZLWWHUBFOLHQWXSGDWH +HOORDJDLQ ´#UHXYHQPOHUQHU7ZHHWWZHHW which returns an array of tweet UHVFXH7ZLWWHU(UURU)RUELGGHQ !H objects. You can apply the “text” SXWV

HQG WZLWWHUBFOLHQWXVHUBWLPHOLQH UHXYHQPOHUQHU >@WH[W

40 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 40 12/17/13 3:43 PM COLUMNS AT THE FORGE

But where would you use such API calls? Why would you want to use Twitter on your site?

If there are URLs embedded in the As a result, a slow API call will lead tweet, you can get those back: to slow responses from the API clients—and may discourage people WZLWWHUBFOLHQWXVHUBWLPHOLQH UHXYHQPOHUQHU >@XUOV from using your API. But where would you use such API This method returns an array of calls? Why would you want to use 7ZLWWHU(QWLW\85, objects, Twitter on your site? each of which has attributes, such One simple use of the Twitter as “url” and “expanded URL”. API would be to display a user’s most recent tweets. For Integrating into Your Application example, if your company (or you As you can see, working with personally) use Twitter to send Twitter is surprisingly easy. The messages about what you are startup time for connecting to doing, you can see that it would Twitter can take a little bit of be fairly easy to include those time—up to two seconds, in my tweets in a Web page. Using an experience—but tweeting and MVC system, such as Rails, you querying Twitter take very little simply would grab the tweets time. It’s obvious, as a consumer (with the “user_timeline” method, of the API, that they have worked as shown above), and stick the hard to make it execute as quickly results on your home page. Now as possible. This is a lesson to your home page provides another all of us who create APIs. We all view to your Twitter feed, know that Web pages should load re-enforcing its importance and quickly, and that slow load times usage to your company. can discourage people from staying I have been doing something on a site. slightly different. As I mentioned API calls typically are embedded previously, I have begun to use within another application, meaning Twitter to log public activity in that if the API call takes time, the the application I’ve developed for application itself will feel sluggish. my dissertation. Every time a new

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 41

LJ237-Jan2014.indd 41 12/17/13 3:43 PM COLUMNS AT THE FORGE

The biggest technical challenge I have faced so far in all of this is the issue of duplicate tweets.

user joins, new content is posted to use Twitter to announce updates or someone adds a posting to a on my site, the number of people discussion forum, I send a new coming to visit has increased tweet on the subject. In and of dramatically. Not coincidentally, itself, this doesn’t do very much; my site’s ranking in Google has Twitter is full of text and URLs. But improved noticeably. I have certainly found by ensuring Now, if this were a commercial that my tweets are followed and site, rather than a free seen by a large number of people, I infrastructure for collaborative have increased the number of users modeling, I would want to check coming to my site. a second thing, namely the In other words, by tweeting about “conversion rate”—that is, how activity on my site, I have given many people who came to my site my site additional exposure to the also became paying customers. But world. Moreover, people who really for my small, educational site, it want to see what my application is has been fascinating to see what a doing can follow the link in their difference tweeting made. Twitter feed and follow along. And what did I do? Truth be told, By adding a #NetLogo hashtag not much. I set up things such that to my tweets, I also have made it a new tweet would be sent, using possible, and even easy, for my the “update” method demonstrated tweets (and thus my site) to be above, every time a new model found and identified by people version, forum posting or person searching Twitter for mentions of was added to the system. Because our modeling environment. The of the relatively low latency on the fact that Google indexes tweets “update” method, I even do this increases my site’s visibility on-line inline on an after_create callback among people who are searching within Rails, rather than queueing it for modeling-related sites. in a background job. The net effect has been rather The biggest technical challenge huge. Within two weeks of starting I have faced so far in all of this is

42 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 42 12/17/13 3:43 PM COLUMNS AT THE FORGE

the issue of duplicate tweets. When I’m not aware of it. It’s similar in I first set up the Twitter feed, I some ways to seeing my children’s defined the tweet for an additional creative output, but (obviously) less discussion forum post to be: emotionally charged.

5HXYHQ/HUQHUKDVDGGHGDFRPPHQWDERXWWKH)RREDUPRGHO Conclusion Adding automatic tweets to a The problem with this style of Web application is easy to do and tweet is that it quickly can lead to can have significant benefits. For duplicates—and thus errors from your users, it gives them a way to within the application. As a result, I follow what is happening in your have made sure that every tweet has application without needing to visit a unique number in it somewhere, the site or use an RSS reader. For typically counting how many similar your site, automatic tweets will objects already have been created. help bring in new visitors, improve For example: SEO and generally improve your project’s visibility.Q

5HXYHQ/HUQHUZURWHWKHWKFRPPHQWDERXWWKH)RREDUPRGHO Web developer, trainer and consultant Reuven M. Lerner The above ensures—assuming that is finishing his PhD in Learning Sciences at Northwestern user and model names are unique— University. He lives in Modi’in, Israel, with his wife and three that there cannot be duplicates, children. You can read more about him at http://lerner.co.il, thus avoiding the problem. or contact him at [email protected]. Beyond the advantages for users, SEO and people interested in following my work, I also have Send comments or feedback via found it to be enormously satisfying http://www.linuxjournal.com/contact to see tweets come out even when or to [email protected].

Resources

Twitter, of course, is at http://twitter.com. The developer and API documentation is at http://dev.twitter.com. The Ruby gem for Twitter, which apparently has been downloaded more than one million times (!), is at http://sferik.github.io/twitter.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 43

LJ237-Jan2014.indd 43 12/17/13 3:43 PM COLUMNS WORK THE SHELL Easy DAVE TAYLOR Watermarking with ImageMagick Script auteur Dave Taylor explores smart ways to use ImageMagick and Bash to copyright and watermark images in bulk.

Let’s start with some homework. the image, but it’s impossible to shut Go to Google (or Bing) and search for down theft of intellectual property “privacy is dead, get over it”. I first completely in the on-line world. heard this from Bill Joy, cofounder of This is why a lot of professional Sun Microsystems, but it’s attributed to photographers don’t post images on- a number of tech folk, and there’s an line that are bigger than low-resolution element of truth to it. Put something thumbnails. You can imagine that on-line and it’s in the wild, however much wedding photographers who make you’d prefer to keep it under control. their money from selling prints (not Don’t believe it? Ask musicians or shooting the wedding) pay very close book authors or film-makers. Now, attention to this sort of thing! whether the people who would Just as people have learned to accept download a 350-page PDF instead of poor video in the interest of candor paying $14 for a print book are hurting and funny content thanks to YouTube, sales, that’s another question entirely, so have people also learned to accept but the Internet is public and open, low-res images for free rather than even the parts that we wish were not. paying even a nominal fee for license This means if you’re a photographer rights and a high-res version of the or upload images you’d like to protect photograph or other artwork. or control, you have a difficult task There is another way, however, that’s ahead of you. Yes, you can add some demonstrated by the stock photography code to your Web pages that makes companies on-line: watermarking. it impossible to right-click to save You’ve no doubt seen photos with

44 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 44 12/17/13 3:43 PM COLUMNS WORK THE SHELL

embedded copyright notices, Web site acknowledgement. addresses or other content that mars the To do this, the basic idea is to create image but makes it considerably harder a watermark-only file and then blend to separate it from its original source. that with the original image to create a It turns out that our friend new one. Fortunately, creating the new ImageMagick is terrific at creating image can be done programmatically these watermarks in a variety of with the FRQYHUW program included as different ways, and that’s what I part of ImageMagick. explore in this column. It’s an issue for Having said that, it’s really mind- a lot of content producers, and I know numbingly complex, so I’m going to start the photos I upload constantly are with a fairly uninspired but quick way being ripped off and reused on other to add a watermark using the ODEHO sites without permission and without feature. In a nutshell, you specify what

Figure 1. Original Image, Kids at a Party

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 45

LJ237-Jan2014.indd 45 12/17/13 3:43 PM COLUMNS WORK THE SHELL

text you want, where you want it on the that’s shown as 493x360. image, the input image ﬁlename and the Now, let’s use composite to add a output image ﬁlename. Let’s start with simple label: an image (Figure 1). You can get the dimensions and so forth FRPSRVLWHODEHO $VN'DYH7D\ORUFRP NLGVSDUW\SQJ? of the image with LGHQWLI\, of course: NLGVSDUW\ODEHOOHGSQJ

LGHQWLI\NLGVSDUW\SQJ Figure 2 shows the image with the NLGVSDUW\SQJ31*[[ELW label applied. ´'LUHFW&ODVV.%X That’s rather boring, although it’s effective in a rudimentary sort of way. You can ignore almost all of this; it’s Let’s do something more interesting just the size that you care about, and now, starting by positioning the text

Figure 2. Label Added, No Styling

46 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 46 12/17/13 3:43 PM COLUMNS WORK THE SHELL

centered on the bottom but also adding Figure 3 shows the result. space below the image for the caption: I’m not done yet though. For the next example, let’s actually have the FRQYHUWNLGVSDUW\SQJEDFNJURXQG.KDNL? text superimpose over the image, but ODEHO $VN'DYH7D\ORUFRP ? with a semi-transparent background. JUDYLW\FHQWHUDSSHQGSDUW\NKDNLSQJ This is more ninja ImageMagick, so it involves a couple steps, the first Here I’ve added a background color of which is to identify the width of for the new text (khaki) and tapped the the original source image. That’s complicated but darn useful gravity easily done: capability to center the text within the new DSSHQG (appended) image space. ZLGWK LGHQWLI\IRUPDWZNLGVSDUW\SQJ

Figure 3. Caption against a Khaki Background

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 47

LJ237-Jan2014.indd 47 12/17/13 3:43 PM COLUMNS WORK THE SHELL

Run it, and you’ll find out: NLGVSDUW\SQJVZDSJUDYLW\VRXWKFRPSRVLWH?

SDUW\ZDWHUPDUNSQJ $ echo $width I did warn you that it’d be complex, right? Let’s just jump to Now, let’s jump into the FRQYHUW the results so you can see what command again, but this time, let’s happened (Figure 4). specify a background color, a fill You can experiment with different and a few other things to get the backgrounds and colors, but for now, transparency to work properly: let’s work with this and jump to the second part of the task, turning this

FRQYHUWEDFNJURXQG ÀOOZKLWHJUDYLW\FHQWHU? into a script that can fix a set of

VL]H^ZLGWK`[FDSWLRQ$VN'DYH7D\ORUFRP? images in a folder. The basic structure

Figure 4. Improved Semi-Transparent Label

48 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 48 12/17/13 3:43 PM COLUMNS WORK THE SHELL

for this script will be easy actually: You can see that it translates pretty easily into a script, with the IRUHYHU\LPDJHÀOH shuffle of taking the original images calculate width and saving them in .originals. FUHDWHQHZZDWHUPDUNHGYHUVLRQ The output is succinct when I run PYRULJLQDOWRDKLGGHQGLUHFWRU\ it in a specific directory: UHQDPHZDWHUPDUNHGYHUVLRQWRRULJLQDOLPDJHQDPH

GRQH ZDWHUPDUNHGÀJXUHSQJVXFFHVVIXOO\ ZDWHUPDUNHGÀJXUHSQJVXFFHVVIXOO\ Because Linux is so “dot file”- ZDWHUPDUNHGÀJXUHSQJVXFFHVVIXOO\ friendly, let’s have the script create ZDWHUPDUNHGÀJXUHSQJVXFFHVVIXOO\ a “.originals” folder in the current folder so that it’s a nondestructive Easily done. watermark process. Here’s the script: You definitely can go further with all the watermarking in

VDYHGLU RULJLQDOV ImageMagick, but my personal

mkdir $savedir preference is to tap into the

reference works that already are

LI>"QH@WKHQ on-line, including this useful, albeit

HFKR(UURUIDLOHGPDNLQJVDYHGLU somewhat confusing, tutorial:

exit 1 http://www.imagemagick.org/

À Usage/annotating.

However you slice it, if

IRULPDJHLQ SQJ MSJ JLI you’re going to make your

do images available on-line in high

LI>VLPDJH@WKHQQRQ]HURÀOHVL]H resolution, or if they’re unique and

ZLGWK LGHQWLI\IRUPDWZLPDJH copyrighted intellectual property,

FRQYHUWEDFNJURXQG ÀOOZKLWHJUDYLW\FHQWHU? knowing how to watermark them

VL]H^ZLGWK`[FDSWLRQ$VN'DYH7D\ORUFRP? from the command line is a darn

LPDJHVZDSJUDYLW\VRXWKFRPSRVLWHQHZLPDJH helpful skill.Q

mv $image $savedir

PYQHZLPDJHLPDJH Dave Taylor has been hacking shell scripts for more than

HFKRZDWHUPDUNHGLPDJHVXFFHVVIXOO\ 30 years. Really. He’s the author of the popular Wicked Cool

À Shell Scripts and can be found on Twitter as @DaveTaylor

GRQH and more generally at http://www.DaveTaylorOnline.com.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 49

LJ237-Jan2014.indd 49 12/17/13 3:43 PM COLUMNS HACK AND /

A Bundle KYLE RANKIN of Tor For privacy, windows have blinds, and Internet users have the Tor browser bundle.

I don’t know how many readers an account on the site, it could know this, but my very first Linux know much more. Journal column (“Browse the Web without a Trace”, January 2008) Even if you aren’t paranoid (yet), was about how to set up and use you might want to browse the Web Tor. Anonymity and privacy on the anonymously for many reasons. Internet certainly take on a different For one, your information, almost meaning in the modern era of privacy- all of it, has value, and you might invading software and general like to have some control over Internet surveillance. I recently went who has that information and who back and read my original column, doesn’t. Maybe you just want to and although the first few paragraphs post a comment to a blog without were written six years ago, they seem the owner knowing who you are. just as relevant today: You even could have more serious reasons, such as whistle-blowing, Is privacy dead? When I think political speech or research about about how much information sensitive issues such as rape, abuse my computer and my gadgets or personal illness. output about me on a daily basis, it might as well be. My cell Whatever reason you have for phone broadcasts my general anonymity, a piece of software whereabouts, and my Web browser called Tor provides a secure, is worse—every site I visit knows I easy-to-setup and easy-to-use was there, what I looked at, what Web anonymizer. If you are curious browser and OS I use, and if I have about how exactly Tor works,

50 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 50 12/17/13 3:43 PM COLUMNS HACK AND /

you can visit the official site and stop Tor on demand. at http://tor.eff.org), but in a The first step is to visit nutshell, Tor installs and runs on https://www.torproject.org and your local machine. Once combined check the lock icon in your navigation with a Web proxy, all of your traffic bar to make sure the SSL certificate passes through an encrypted tunnel checks out. If your browser gives you between three different Tor servers some sort of certificate warning, it’s before it reaches the remote server. possible you aren’t visiting the official All that the remote site will know Tor site, and you should stop right about you is that you came from a there and attempt to get Tor from a Tor node. different computer. On the main page is a large Download Tor button for you The rest of the article went into to click. If you are browsing the site detail on how to use the Knoppix from a Linux system (which of course live disk to download and install you are), you will be presented with Tor completely into ramdisk. Tor has links to a 32-bit and 64-bit browser come a long way since those days bundle package, so click the one that though, so I decided it was high corresponds with the appropriate time to revisit this topic and explain architecture for your system. the best way to set up Tor on your While the software downloads, I personal machine today. highly recommend you do two things. First, next to the button you clicked Get the Tor Browser Bundle to download Tor, there should be a In the past, Tor installation meant hyperlink labeled “sig”. Click this link installing the Tor software itself, to download the signature you will configuring a proxy and pulling down use to verify that the Tor package you a few browser plugins. Although you downloaded was legitimate (I’ll talk still can set it up that way if you want, about how to do that in a minute). these days, everything is wrapped up The second thing you should do is in a tidy little package called the Tor scroll down the page and start reading browser bundle. This single package the section titled “Want Tor to really contains Tor, its own custom Web work?” to familiarize yourself with browser already configured with some of the extra habits you should privacy-enhancing settings and a user take on if you really do want to interface that makes it easy to start browse the Web anonymously.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 51

LJ237-Jan2014.indd 51 12/17/13 3:43 PM COLUMNS HACK AND /

Verify the Software which you can import with the After you download the Tor following command: browser bundle and the signature file, you should have two files in JSJNH\VHUYHU[KNSSRROVNVNH\VHUYHUVQHW your directory: ´UHFYNH\V[))((

Q tor-browser-gnu-linux-x86_64- Once the key has been imported, 2.3.25-14-dev-en-US.tar.gz you should check its fingerprint:

Q tor-browser-gnu-linux-x86_64- JSJÀQJHUSULQW[))((

2.3.25-14-dev-en-US.tar.gz.asc SXE5)((

.H\ÀQJHUSULQW $%%$)'%))((

The first of these files is the XLG(ULQQ&ODUN HULQQ#WRUSURMHFWRUJ!

software itself, and the second file XLG(ULQQ&ODUN HULQQ#GHELDQRUJ!

is the GPG signature. Although a XLG(ULQQ&ODUN HULQQ#GRXEOHKHOL[RUJ!

lot of software uses MD5 or SHA1 VXE5(%)' checksums so you can validate the software you downloaded was If the fingerprint doesn’t match complete, this checksum is different. what you see above, something fishy The .asc file is a cryptographic is going on and you shouldn’t trust signature you can use to prove that this package. Of course, if you are the software you just download frequent GPG users, you may want actually was provided to you by even better assurances. Hopefully, you the Tor project and not by some have someone you already trust within malicious third party. The site provides your GPG keyring who has been to a documentation on how to verify this key-signing party with Erinn Clark. If signature for different operating so, it would help validate that the key systems at https://www.torproject.org/ is legitimate. docs/verifying-signatures.html.en, Once you have validated the but since you use Linux, here you fingerprint, cd to the directory that will run the following commands. has the browser bundle and .asc file, First, pull down the key that was and run the following command: used to sign this package.

Currently, this would be Erinn $ gpg --verify

Clark’s key (0x416F061063FEE659), ´WRUEURZVHUJQXOLQX[[BGHYHQ86WDUJ]^DVF`

52 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 52 12/17/13 3:43 PM COLUMNS HACK AND /

JSJ6LJQDWXUHPDGH)UL1RY303'7

´XVLQJ56$NH\,')((

JSJ*RRGVLJQDWXUHIURP(ULQQ&ODUN HULQQ#WRUSURMHFWRUJ!

JSJDND(ULQQ&ODUN HULQQ#GHELDQRUJ!

JSJDND(ULQQ&ODUN HULQQ#GRXEOHKHOL[RUJ!

JSJ:$51,1*7KLVNH\LVQRWFHUWLÀHGZLWKDWUXVWHGVLJQDWXUH

JSJ7KHUHLVQRLQGLFDWLRQWKDWWKHVLJQDWXUH

´EHORQJVWRWKHRZQHU

3ULPDU\NH\ÀQJHUSULQW$%%$

´)'%))((

If the output says “Good signature”, everything checked out. Again, you will see a warning if you don’t have someone in your chain of trust that already trusts this key. Figure 1. The Vidalia Control Panel Window Install and Use Tor At this point, it’s relatively trivial The initial Tor check page not to install and use Tor. Just use tar only validates that you are using the to extract the .tar.gz file into your Tor network, it also displays your home directory or wherever else current IP address. If you ever notice you’d like it to be, and then run the that IP address matches your home start-tor-browser script inside: IP address, or if you don’t see this congratulations window at all, for

WDU][YIWRUEURZVHUJQXOLQX[[BGHYHQ86WDUJ] some reason your Tor instance isn’t

WRUEURZVHUBHQ86VWDUWWRUEURZVHU working properly, so you shouldn’t do anything within the browser that is You should see a GUI window pop privacy-sensitive. Note that because up that looks like Figure 1. you may be exiting the Tor network It may take a little time for your from an exit node in a different Tor network to finish configuring, country, certain sites like Google, but once it does, you will know, for instance, that try to be helpful because a browser that looks like and display the site in a country’s Figure 2 will appear. native language may present you

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 53

LJ237-Jan2014.indd 53 12/17/13 3:43 PM COLUMNS HACK AND /

Figure 2. Congratulations, Tor works.

with Japanese, German or some other nodes. Although Tor itself does this language as you visit. routinely as you use it, sometimes If you go back to the Vidalia you may want to get a different Control Panel, you’ll notice a endpoint so a Web site stops number of different options. You displaying output in a language you can view a map of the current global don’t understand. Tor network; you can click the Setup Relaying button to add your machine Special Tor Browser Plugins to the network of Tor nodes, and if It’s important to note that this you click Use a New Identity, you will special Tor browser has been stop using the three Tor nodes you configured with extra plugins and currently are using and will set up settings to enhance your privacy. a new connection with different Tor For instance, by default, the

54 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 54 12/17/13 3:43 PM COLUMNS HACK AND /

Noscript plugin is installed and completely, click the Stop Tor enabled, which blocks JavaScript, button, and then click exit to close Java and other plugins and allows the application. Browsing the Web them only for sites that you trust. anonymously and privately has The browser also includes the HTTPS never been this easy.Q Everywhere plugin that defaults to using HTTPS for any site you try Kyle Rankin is a Sr. Systems Administrator in the San Francisco to visit. You also will see a small Bay Area and the author of a number of books, including The onion icon in the navigation bar Ofﬁcial Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. that you can use to tweak your Tor He is currently the president of the North Bay Linux Users’ Group. preferences inside the browser. Once you are done browsing anonymously, close your browser Send comments or feedback via and go back to the Vidalia Control http://www.linuxjournal.com/contact Panel. If you are done using Tor or to [email protected].

LINUX JOURNAL on your Android device Download app now in the Android Marketplace

www.linuxjournal.com/android

For more information about advertising opportunities within Linux Journal iPhone, iPad and Android apps, contact John Grogan at +1-713-344-1956 x2 or [email protected].

LJ237-Jan2014.indd 55 12/17/13 3:43 PM COLUMNS THE OPEN-SOURCE CLASSROOM

Encrypting SHAWN POWERS Your Cat Photos Encryption is powerful and scary. Let’s remove the scary.

The truth is, I really don’t have warm we keep it. Some of those anything on my hard drive that neighbors would be very upset to I would be upset over someone see how “wasteful” the Powers seeing. I have some cat photos. I family is in the winter. In fact, have a few text files with ideas for there’s one local man who makes future books and/or short stories, it a point to let everyone know and a couple half-written starts to that anything over 60 degrees is NaNoWriMo novels. It would be ecologically wasteful. I don’t want easy to say that there’s no point to get into a fight with Old Man encrypting my hard drive, because I Icebritches, so we just keep our have nothing to hide. The problem comfortable house a secret. We is, we wrongly correlate a “desire don’t have anything to hide, but it’s for privacy” with “having something not something everyone needs to to hide”. I think where I live, in know about. America, we’ve taken our rights to Obviously my example is silly, privacy for granted. Rather than the but hopefully it makes you think. traditional “he must be hiding porn Modern Linux allows us to encrypt or bombs”, think about something a our data easily and reliably, so why little more mundane. not take advantage of it? I live in Michigan. It’s cold here in the winter, and I tend to keep my How Does It Work? thermostat set around 75 degrees. I won’t go into too much detail That might seem high to you, but about how encryption works, but a for my family, it’s just right. Thanks basic understanding is necessary for to the privacy of my own home, my even the simplest implementation. neighbors don’t know how toasty To encrypt and decrypt a file, two

56 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 56 12/17/13 3:43 PM COLUMNS THE OPEN-SOURCE CLASSROOM

Modern Linux allows us to encrypt our data easily and reliably, so why not take advantage of it?

“keys” are required. One is the key can be decrypted with your private key, which is just that, public key. In this way, encrypting private. I like to think of the private something with your private key key as an actual key—you can make digitally “signs” the file. copies if you want, but it’s not wise Usually it works like this: to do so. The more copies of your private keys you make, the more 1. You have a file you want to send likely someone nefarious will get one to Suzy, so you encrypt it with and break into your apartment—er, I Suzy’s public key. Only Suzy can mean files. open it, but there’s no way for The public key is more like a Suzy to know that you are the one schematic for a lock that only you who sent it, since anyone could can open (with your private key). encrypt a file with her public key. You make this key available for anyone. You can post it on a Web 2. Therefore, you take the file you site, put it in your e-mail, tattoo encrypted with Suzy’s public key it on your back, whatever. When and encrypt that file with your others want to create a file that only private key. Suzy will have to you can see, they encrypt it using decrypt the file twice, but she’ll your public key. know it came from you. This one-to-many scenario also has a cool side effect. If you encrypt 3. Suzy receives the file and decrypts something using your private key, the first layer with your public anyone can decrypt it using your key, proving it came from you. public key. This may sound silly, but what makes such a scenario useful 4. Suzy then decrypts the second is that although the encrypted file layer of encryption with her isn’t protected from prying eyes, it private key, as that’s the only key is guaranteed to be from you. Only able to decrypt the original file. a file encrypted with your private (Because you originally encrypted

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 57

LJ237-Jan2014.indd 57 12/17/13 3:43 PM COLUMNS THE OPEN-SOURCE CLASSROOM

it with her public key.) than using a public and private key pair, because it’s simply encrypted That scenario is when encryption is using your passphrase. This does used for safely transferring files, of make your file more susceptible to course. It’s also quite common simply cracking (using rainbow tables or to encrypt your files (or partitions) other hacking tools), but like the so that no one can see them unless label on the tin says, it’s Pretty Good you decrypt them first. Let’s start Protection. To encrypt your file, you with file encryption, because that’s can do this: what most people will want to do on their systems. JSJFVHFUHWBPDQLIHVWRW[W (QWHUSDVVSKUDVH Starting Simple 5HSHDWSDVVSKUDVH Before I go into more complex type setting, let’s discuss simply Once complete, you’ll have a new encrypting a file. There are various file in the same directory. It will be programs to handle encryption. In named secret_manifesto.txt.gpg by fact, it’s easy to get overwhelmed default. This is a binary file, which with the available options for file means it’s fairly small, but it can’t be and system encryption. Today, let’s copy/pasted into an e-mail or IM. For use a basic (but very powerful) portability, you can add the -a flag, command-line tool for encrypting which will create an encrypted file a file. GPG (Gnu Privacy Guard) is that contains only ASCII text: an open-source implementation of

PGP (Pretty Good Protection). JSJDFVHFUHWBPDQLIHVWRW[W

It allows encryption and signing, (QWHUSDVVSKUDVH

and manages multiple keys and so 5HSHDWSDVVSKUDVH

on. For this example, let’s simply OVO

encrypt a file. UZUZUVSRZHUVVSRZHUV1RYVHFUHWBPDQLIHVWRW[W

Let’s say you have a file called UZUZUVSRZHUVVSRZHUV1RYVHFUHWBPDQLIHVWRW[WDVF

secret_manifesto.txt, which contains UZUZUVSRZHUVVSRZHUV1RYVHFUHWBPDQLIHVWRW[WJSJ the secrets to life, the universe and everything. Using GPG, you can Notice there is now a file with encrypt the file with a passphrase. .asc as the extension. This is text- Using a passphrase is far simpler only, but you can see in the code

58 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 58 12/17/13 3:43 PM COLUMNS THE OPEN-SOURCE CLASSROOM

snippet that it’s also much larger are many options when it comes than the binary encrypted file, and to encryption. One of the more much much larger than the original popular methods of encrypting text file. Once you’ve encrypted your partitions is the LUKS (Linux Unified file, if you truly want to keep your Key Setup) system. A USB drive information secret, it would be wise with a LUKS-formatted partition to delete the original text file. should be detected automatically To decrypt the file, you’ll again by most systems. In fact, if you’re use the gpg program. The same using a desktop environment like command will decrypt either file, Ubuntu Desktop, encrypting a USB whether it’s binary or ASCII: drive is a simple check box during the formatting process. Although JSJVHFUHWBPDQLIHVWRW[WDVF that’s a perfectly acceptable way to JSJ&$67HQFU\SWHGGDWD encrypt your USB drive, I’m going (QWHUSDVVSKUDVH to demonstrate how to do it on the JSJHQFU\SWHGZLWKSDVVSKUDVH command line, so you understand )LOHCVHFUHWBPDQLIHVWRW[W H[LVWV2YHUZULWH" \1 what’s actually happening behind the scenes. Notice in the example above, I Step 1: identify your USB drive. hadn’t deleted the original text If you type dmesg after plugging file, so gpg gave me the option of in your USB drive, you should get overwriting. Once complete, I have all sorts of system information, my original file back, unencrypted. including the device name of your If you just have a file or two you freshly plugged-in USB device. Make want to protect, the command-line sure you have the correct device gpg program might be all you need. identified, because what you’re If you’d rather have an area on your doing will destroy any data on the system that automatically encrypts drive. You wouldn’t want to format everything you save, it’s a little more the wrong disk accidentally. (It complicated. It’s still not terribly should go without saying, but I’ll say difficult, but let’s start with a fairly it anyway, make sure there’s nothing simplistic model. on your USB drive that you want to save—this is a destructive process.) Encrypting a USB Drive Step 2: partition the USB drive. Like I mentioned earlier, there Assuming that your USB drive is the

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 59

LJ237-Jan2014.indd 59 12/17/13 3:43 PM COLUMNS THE OPEN-SOURCE CLASSROOM

/dev/sdb device on your system, you &RPPDQG PIRUKHOS Z

need to create a single partition on 7KHSDUWLWLRQWDEOHKDVEHHQDOWHUHG the drive. Let’s use fdisk. Below is the interaction with fdisk required. Now you have a USB drive with Basically, you create a new empty a single partition (/dev/sdb1), but partition with the o command, then there is no filesystem on it. That’s write changes with w. Then, you’ll exactly what you want, because the restart fdisk and use the Q command LUKS system creates an encryption to create a new primary partition, layer on the partition before you using the defaults so that the entire put a filesystem on it. So before drive is used: creating a filesystem, let’s create the LUKS layer on the partition,

VXGRIGLVNGHYVGE using the cryptsetup program. If you

don’t have cryptsetup, search for it

&RPPDQG PIRUKHOS R in your distribution’s repository; it

%XLOGLQJDQHZ'26GLVNODEHOZLWKGLVNLGHQWLÀHU[ should be there. To create the LUKS

&KDQJHVZLOOUHPDLQLQPHPRU\RQO\XQWLO\RXGHFLGHWRZULWHWKHP encrypted partition layer:

$IWHUWKDWRIFRXUVHWKHSUHYLRXVFRQWHQWZRQ WEHUHFRYHUDEOH

FU\SWVHWXSOXNV)RUPDWGHYVGE

&RPPDQG PIRUKHOS Z

7KHSDUWLWLRQWDEOHKDVEHHQDOWHUHG :$51,1*

VXGRIGLVNGHYVGE 7KLVZLOORYHUZULWHGDWDRQGHYVGELUUHYRFDEO\

&RPPDQG PIRUKHOS Q

&RPPDQGDFWLRQ $UH\RXVXUH" 7\SHXSSHUFDVH\HV <(6

HH[WHQGHG (QWHU/8.6SDVVSKUDVH

SSULPDU\SDUWLWLRQ 9HULI\SDVVSKUDVH

3DUWLWLRQQXPEHU GHIDXOW Follow the directions, and be

8VLQJGHIDXOWYDOXH sure to remember your passphrase!

)LUVWVHFWRU GHIDXOW Note, that a “passphrase” is usually

8VLQJGHIDXOWYDOXH more than just a word. It’s most

/DVWVHFWRUVHFWRUVRUVL]H^.0*` GHIDXOW often a phrase, thus the name.

8VLQJGHIDXOWYDOXH The longer the phrase, the tougher

to crack.

60 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 60 12/17/13 3:43 PM COLUMNS THE OPEN-SOURCE CLASSROOM

In fact, when you put the USB drive into your computer, if you have a modern GUI desktop, it should prompt you for a password and mount it automatically.

Once the process completes, you Now the drive is fully functional have an encrypted partition, but and can be mounted like any other it’s not mounted or formatted disk. In fact, when you put the USB yet. The first step is to mount the drive into your computer, if you have partition, which again uses the a modern GUI desktop, it should cryptsetup utility: prompt you for a password and mount it automatically. Then you FU\SWVHWXSOXNV2SHQGHYVGEP\BFU\SWRBGLVN can eject it like a normal disk, and (QWHUSDVVSKUDVHIRUGHYVGE it will be encrypted until you next enter your passphrase. It’s simple to When you type in your unmount and, therefore, re-encrypt passphrase, the device name you the drive on the command line too, entered will be mounted like a using cryptsetup: virtual hard drive. Usually, it’s mounted under /dev/mapper/ FU\SWVHWXSOXNV&ORVHP\BFU\SWRBGLVN devicename, so this example mounts a partition at /dev/mapper/ That’s Only the Tip of the Iceberg my_crypto_disk. In this article, my hope is to peel This device is now being accessed back some of the mystery behind as an unencrypted volume. As long encryption. It’s simple to encrypt as it stays mounted, it will act like and decrypt a file. It’s not too any other unencrypted volume. That much more difficult (especially if means you need to write a filesystem you use the GUI desktop tools) to to it if you want to use it: encrypt an entire USB drive. With most distributions, it’s possible to PNIVYIDWGHYPDSSHUP\BFU\SWRBGLVNQP\BFU\SWRBGLVN encrypt the entire home directory PNIVYIDW -DQ during the installation process!

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 61

LJ237-Jan2014.indd 61 12/17/13 3:43 PM COLUMNS THE OPEN-SOURCE CLASSROOM

Once you get the encryption bug, I must warn you, you’ll want to start encrypting everything.

When encryption is set up on your access that data on any system. entire home directory, however, Windows, Mac and Linux clients are there are some issues you need to all available, and the community has address. For example, jobs that great support. run while you’re not logged in You don’t have to have most likely will not have access to something to hide in order to your home directory. If you have desire encryption for your files. Just cron jobs that need access to your like it’s wise to lock your house at home directory, you should rewrite night, even if you live in a good them to access data elsewhere on neighborhood, it’s a smart move to the system. I find a happy medium encrypt your personal data. If you between security and convenience want to share your photos of Mr is to encrypt a USB drive and store Whiskerton in his cute little beanie my personal data on it. hat with everyone on the Internet, Once you get the encryption that’s your right. But others don’t bug, I must warn you, you’ll want need to see those things if they’re to start encrypting everything. being nosey and poking around That’s not a bad thing, but like the your hard drive!Q home directory scenario, you’ll run into a few snags. Cross-platform Shawn Powers is the Associate Editor for Linux Journal. accessibility is a big one if you go He’s also the Gadget Guy for LinuxJournal.com, and he has between systems. For situations like an interesting collection of vintage Garfield coffee mugs. that, I highly recommend TrueCrypt Don’t let his silly hairdo fool you, he’s a pretty ordinary guy (http://www.truecrypt.org). I’ve and can be reached via e-mail at [email protected]. mentioned TrueCrypt in UpFront Or, swing by the #linuxjournal IRC channel on Freenode.net. pieces before, but it’s basically an open-source, cross-platform encryption system that allows you Send comments or feedback via to encrypt files, folders, partitions http://www.linuxjournal.com/contact and more while being able to or to [email protected].

62 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 62 12/17/13 3:43 PM LINUX JOURNAL ARCHIVE DVD

NOW AVAILABLE

Save $10.00 by using discount code DVD2013 at checkout. Coupon code expires 2/3/2013 www.linuxjournal.com/dvd

LJ237-Jan2014.indd 63 12/17/13 3:43 PM NEW PRODUCTS

Innodisk’s FlexiArray SE108 and HD224 Storage Appliances The secret to the performance advances in Innodisk’s FlexiArray line of storage appliances is the company’s novel FlexiRemap Technology, which deals with the challenges of I/O performance, data endurance and affordability. FlexiRemap, notes Innodisk, innovates in software and firmware, creating a new category of Flash- collaborating storage appliances (in contrast to Flash-aware or Flash-optimized) that deliver sustained high IOPS, even for random write operations. Innodisk’s first storage appliances to leverage this technology, the new FlexiArray SE108 and HD224, are designed to provide cost-effective performance for high-performance computing, cloud computing and I/O bound server applications. Typical application areas include cloud computing, virtualization and HPC. The slim SE108 offers up to 2TB of storage in a 1U-rackmount package; the HD224 provides up to 8TB in a 2U-rackmount unit, with 8x 10GbE SFP+ interfaces. Both units offer redundant hot-swappable SSDs and power modules. http://flexiarray.innodisk.com

Magic Software Enterprises’ Magic xpi Integration Platform With most core enterprise systems in place, organizations of all sizes are looking to business process integration and automation to increase operational efﬁciency and competitiveness. The updated Magic xpi Integration Platform from Magic Software Enterprises is a cloud-ready integration platform that enables users to unlock data from enterprise systems like SugarCRM, Sage and SYSPRO. In the new release, the aforementioned three platforms now enjoy certiﬁed, prebuilt adapters for optimized integration, which complement existing adapters for Oracle JD Edwards EnterpriseOne, JD Edwards World, SAP, IBM Lotus Notes, Microsoft Dynamics, Microsoft SharePoint and Salesforce, and more. In addition, an In-Memory Data Grid (IMDG) architecture is the new standard. IMDG offers cost-effective elastic scalability, built-in clustering and failover capabilities, which support enterprise needs for business continuity, faster processing and increasing transaction loads spurred by new mobile, cloud and big-data use cases. http://www.magicsoftware.com

64 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 64 12/17/13 3:43 PM NEW PRODUCTS

AdaCore’s GNAT Programming Studio “Usability” is the word that best captures the essence of the new version 6.0 release of AdaCore’s GNAT Programming Studio (GPS) graphical IDE. This “major engineering effort” features a signiﬁcantly revised and cleaner user interface that eases program navigation and editing. The revised look and feel, which exploits the latest Gtk+/GtkAda graphical toolkit, is supported by a new relational database at the heart of the GPS engine, making code navigation much more efﬁcient. GPS 6.0 also brings improved performance and new functionality, including language support for SPARK 2014, syntax highlighting and tool tips for Ada 2012 and SPARK 2014 aspects, editor enhancements and a number of additions to the scripting API. http://www.adacore.com

Rahul Singh’s Kali Linux Social Engineering (Packt Publishing) The new book Kali Linux Social Engineering by Rahul Singh exists to help you master the social engineering toolkit, or SET, found in the security-focused Kali Linux distribution. With Singh’s book in hand, readers can learn how security can be breached using social-engineering attacks, as well as attain a very unique ability to perform a security audit based on social engineering attacks. Starting with attacks using Kali, this book describes in detail various Web site attack vectors and client side attacks that can be performed through SET. This book covers some of the most advanced techniques that currently are being utilized by attackers to get inside secured networks, covering phishing (credential harvester attack), Web jacking attack method, spear phishing attack vector, Metasploit browser exploit method, Mass mailer attack and more. http://www.packtpub.com

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 65

LJ237-Jan2014.indd 65 12/17/13 3:43 PM NEW PRODUCTS

Jack Mofﬁtt and Fred Daoud’s Seven Web Frameworks in Seven Weeks (Pragmatic Bookshelf) There’s something to the “Seven in Seven Weeks” concept in the tech books from Pragmatic Bookshelf. The latest addition in this practical series is Jack Moffitt and Fred Daoud’s Seven Web Frameworks in Seven Weeks: Adventures in Better Web Apps. Whether you need a new tool or merely a dose of inspiration, this work explores your options and gives you sufficient exposure to each one, along with tips for creating better apps. The authors cover frameworks that leverage modern programming languages, employ unique architectures, live client-side instead of server-side or embrace type systems. Covered frameworks include Sinatra, CanJS, AngularJS, Ring, Webmachine, Yesod and Immutant. The breakneck evolution of Web apps demands innovative solutions, and this survey of frameworks and their unique perspectives is designed to inspire and promote new thinking for dealing with daily programming challenges. http://www.pragprog.com

OpenLogic’s AWS Marketplace Offerings OpenLogic’s vision is to keep enterprise customers running on some of the world’s best open-source packages. To convert this vision into reality, the firm intends to make available more than 50 new preconfigured stacks through the Amazon Web Services (AWS) Marketplace, including production-level support for JBoss, Apache HTTP, Tomcat, -Y31, 0OSTGRE31, !CTIVE-1 AND THE #ENT/3 OPERATING SYSTEM 4HESE ARE IN ADDITION to OpenLogic’s existing offerings on AWS. Enterprise support will include both 12x5 business-hour support and 24x7 production-level support. Products will be offered for use at an hourly rate. OpenLogic adds that OLEX, its open-source scanning, governance and provisioning portal, allows organizations to embrace open source with confidence. http://www.openlogic.com

66 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 66 12/17/13 3:43 PM NEW PRODUCTS

Stackinsider Deployment-as-a-Service Cloud Platform Stackinsider’s approach to OpenStack is packaging it as a Deployment-as-a-Service (DaaS) cloud platform, which the company says is the first of its kind to be public and free. Designed to make OpenStack technology adoption significantly easier and faster than conventional approaches, the Stackinsider DaaS approach consolidates and streamlines key OpenStack distributions and real-world applications for a wide range of uses. DaaS has integrated all popular IaaS deployment toolchains including RDO, FUEL, Puppet, DevStack and Chef. Some popular applications like Moodle and SugarCRM also are provided for PaaS prototyping. This public DaaS cloud is available for download at Stackinsider’s Web site. http://www.stackinsider.com

JetBrains’ PhpStorm For JetBrains, developing a new version of the PhpStorm IDE for PHP means more than keeping on top of the latest changes in Web languages. It is also about supporting and integrating modern tools and popular frameworks, not to mention removing obstacles on the road to productive Web development. Of course, the new PhpStorm 7 supports the latest PHP 5.5 with improved PHP syntax coloring, new refactorings, code inspections and quick-fixes. Support also has been added for various front-end Web technologies, such as different JavaScript templates, Web Components and modern stylesheets. Built-in tools for Vagrant, SSH console and local terminal and Google App Engine for PHP have been added too. Finally, support has been enhanced for various frameworks, including Drupal, Symfony2 and others. http://www.jetbrains.com/phpstorm

Please send information about releases of Linux-related products to [email protected] or New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 67

LJ237-Jan2014.indd 67 12/17/13 3:43 PM FEATURE Quantum Cryptography

QUANTUM CRYPTOGRAPHY Classical cryptography provides security based on unproven mathematical assumptions and depends on the technology available to an eavesdropper. But, these things might not be enough in the near future to guarantee cyber security. We need something that provides unconditional security. We need quantum cryptography.

SUBHENDU BERA

68 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 68 12/17/13 3:43 PM magine you want to send a quantum technologies may be a message to your friend, and you threat to these classical cryptography I don’t want others to be able to techniques in the near future. One read the message. You lock your of the solutions to these threats is message in a box using a key and quantum cryptography. send the box to your friend. Your What is quantum cryptography? friend also has a key to unlock that 1UANTUM CRYPTOGRAPHY IS A COMPLEX box, so he easily can open the box topic, because it brings into play and read the message. In general, something most people find hard this is the technique used by to understand—quantum cryptographic algorithms. Locking mechanics. So first, let’s focus the message in the box is like on some basic quantum physics encryption, and unlocking the box is that you’ll need to know to like decryption. Before sending the understand this article.

QUANTUM CRYPTOGRAPHY IS A COMPLEX TOPIC, BECAUSE IT BRINGS INTO PLAY SOMETHING MOST PEOPLE FIND HARD TO UNDERSTAND—QUANTUM MECHANICS.

message to the receiver, the data Simple Quantum Physics is encrypted using an encryption 1UANTUM IN PHYSICS IS A DISCRETE algorithm and a secret key. On natural unit, or packet of energy, the receiver side, the encrypted charge, angular momentum or data is decrypted using the reverse other physical property. Light, for encryption algorithm. example, appears in some respects Classical cryptographic algorithms as a continuous electromagnetic mostly rely on mathematical wave, but on the submicroscopic approaches to secure key level, it is emitted and absorbed in transmission. The security they offer discrete amounts or quanta. These is based on unproven assumptions particle-like packets (quanta) of and depends on the technology light are called photons, a term also available to an eavesdropper. applicable to quanta of other forms But, rapidly growing parallel and of electromagnetic energy, such as

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 69

LJ237-Jan2014.indd 69 12/17/13 3:43 PM FEATURE Quantum Cryptography

all at the same time. This property is called superposition. One thing you should keep in mind is that measuring something that is in its superposition causes it to collapse into a definite state (one of all the possible states). Figure 1 should help describe superposition. Figure 1. Necker Cubes Looking at Figure 1, you can X rays and gamma rays. identify one of four possibilities: One unique thing about quanta either both squares are protruding is that they can exist in all of their forward or both are backward, or one possible states at once. This also is forward and the other is backward. applies to photons. This means Each time you look at the diagram, that in whatever direction a photon only one possibility is true. In a can spin—say, diagonally, vertically sense, all four options exist together, and horizontally—it does so all but when you look at the diagram, AT ONCE 1UANTUM OF LIGHT IN THIS it collapses into just one. This is the state is called unpolarized photons. essence of quantum superposition. This is like someone moving north, Through the use of polarization south, east, west, up and down filters, you can force the photon to

Figure 2. Polarizing Photons

70 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 70 12/17/13 3:43 PM Figure 3. Effect of Various Basis on Polarized Photons

take one of its states, or technically, prevents the observer from knowing polarize it. If you use a vertical the value of the other. But, when polarizing filter, some photons will dealing with photons for encryption, be absorbed, and some will emerge Heisenberg’s Principle can be used to on the other side of the filter. Those your advantage. When measuring the photons that aren’t absorbed will polarization of a photon, the choice emerge on the other side with a of what direction to measure affects vertical spin. Thus, you can polarize all subsequent measurements. The the photons to your required thing about photons is that once they orientation using suitable filters. are polarized, they can’t be measured The foundation of quantum physics accurately again, except by a filter is the unpredictability factor. This like the one that initially produced unpredictability is pretty much defined their current spin. So if a photon with by Heisenberg’s Uncertainty Principle. a vertical spin is measured through This principle says that certain pairs of a diagonal filter, either the photon physical properties are related in such won’t pass through the filter or the a way that measuring one property filter will affect the photon’s behavior,

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 71

LJ237-Jan2014.indd 71 12/17/13 3:43 PM FEATURE Quantum Cryptography

causing it to take a diagonal spin. In Now consider a quantum computer this sense, the information on the with two qbits. There are four photon’s original polarization is lost. possible states: |00 >, |01 >, |10 > In the diagram in Figure 3, I have and |11 >, and its superposition is used the wrong basis for the last a|00>+b|01>+c|10>+d|11>, where two cases, and you can see that I a2, b2, c2 and d2 are the probabilities have changed the polarization of of finding two qbits in any of the two photons. four states. In a quantum computer, the two bits are in all possible states Quantum Information at one time. So it is possible to add The bit is the fundamental concept a number to the two bits, which of classical computation and classical means we can add the number to INFORMATION 1UANTUM COMPUTATION 00,01,10,11 and compute the result and quantum information are built at the same time. This ability to upon an analogous concept: the operate on all states at one time quantum bit, or qbit for short. Just makes it so powerful. as a classical bit has a state of either Here the number of parallel 0 or 1, a qbit is like a bit, but it is operations depends on the number in superposition between 0 and 1. of qbits used. If N number of qbits Two possible states for a qbit are are used, then 2N operations can be the states “|0 >” and “|1 >” . This done in parallel, and this inherent notation is called Dirac notation. parallelism makes quantum computers A qbit can be fully expressed as: so fast. But the question is, how do a|0 > +b|1 > with a2 + b2 = 1. When you encode a photon as a qbit? We we measure a qbit, we get a 0 with know a photon has its own spin in probability a2 and 1 with b2. all possible directions. As in certain

Figure 4. Encoding Polarized Photons as Binary Values

72 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 72 12/17/13 3:43 PM digital systems, we consider +5 volts Eve is in between them, trying to as 1 and 0 volts as 0, and we can intercept the message. What Eve use the spin property of a photon to does is somehow collect the secret encode a photon as a qbit. We can key to the message and decrypts it. use the photon’s spin in a particular Now, if Alice somehow can send the direction as 1 and the spin in the key of the message to Bob without other direction as 0—say, a photon any interception, she can send the with vertical spin will be considered message without problems. as 1 and a photon with an angular Now, let me discuss the BB84 spin as 0. protocol. It is based on the name of the inventors Charles Bennet and Quantum Cryptography Gilles Brassard, and it was invented in Before starting to describe what 1UANTUM CRYPTOGRAPHY FOLLOWS quantum cryptography is, let two steps. The first one is sending me introduce three names I use the secret key, and the second step is throughout this article: Alice, Bob sending the message. Here, Alice and and Eve. Alice is sending the message, Bob make use of two fundamentally and Bob is receiving the message. different communication channels:

Figure 5. Binary Encoding of Photons in My Examples

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 73

LJ237-Jan2014.indd 73 12/17/13 3:43 PM FEATURE Quantum Cryptography

a classical channel and a quantum left to right) is 0. In a diagonal basis, channel. A classical channel is a photon with a spin “/” is considered something that you use on the as 1, and “\” is 0. The diagram Internet to transfer data. In a classical shown in Figure 5 should help you channel, Eve can observe the bit- understand how I’m representing stream without affecting the data. photons as binary values. But, a quantum channel is something Now Alice has a key, and for each different. It is capable of sending bit, she will select a random basis information in terms of quantum, (either diagonal or rectilinear) to and Eve can’t observe the data encode the bit to send. Nobody, not without affecting the data. In the even Bob, knows what basis Alice is BB84 protocol, the secret key is sent using. Bob will receive the encoded through the quantum channel, but the qbits, and Bob will use random basis

IF HE USES THE SAME BASIS, HE WILL GET THE EXACT BIT THAT ALICE SENT; OTHERWISE, THERE IS A 50% CHANCE THAT HE WILL GET A WRONG BIT.

message is sent through the ordinary to decode the qbits. If he uses the channel but encrypted by the secret same basis, he will get the exact KEY 4HE FIRST STEP IS CALLED 1UANTUM bit that Alice sent; otherwise, there +EY $ISTRIBUTION 1+$ )N THIS STEP is a 50% chance that he will get a Alice and Bob use the quantum wrong bit. For example, if Alice uses channel for communication. a diagonal basis to encode 1, and Bob First, let’s imagine there is no Eve also uses diagonal basis to decode between Alice and Bob. Let’s assume that, then he will get a 1. If he uses a that Alice is using two types of rectilinear basis, then there is a 50% polarizer: one is a diagonal polarizer (X) and one a rectilinear polarizer (+). Table 1. Alice Sending the Secret Key 100101 In a rectilinear basis, a photon with a spin “|” (that is, up to down ) is ALICE BOB considered as 1, and a “-” (that is, Basis used +,X,+,+,X,X +,+,+,X,+,X

74 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 74 12/17/13 3:43 PM chance that he will get a 1 and a 50% it is quite possible that Eve will chance of getting 0. As Bob is also intercept the communication. In this using random basis, there’s a 50% case, as with the previous case, Alice chance that he will use the right basis encodes the bit information using any (that is, he will use the basis that Alice basis and sends it to Bob, but now used) and will decode 50% of qbits Eve intercepts the qbits. Like Bob, Eve exactly, and for the 50% wrong basis, also has a decoder of the qbit. But Eve he will decode 25% of qbits exactly, also doesn’t know the basis Alice is and that means Bob will decode 75% using, so like Bob, she also randomly of qbits exactly. uses basis to decode the qbits. There Alice and Bob will exchange the is a 50% chance that Eve will use the basis they used for each bit using the right basis, and a 50% chance she will normal channel without revealing use the wrong basis. For the correct their bits. They can check for which 50%, the photon’s spin direction will bits they both used the same basis, not be affected, but for the wrong and those bits will be used as the 50%, the photon’s spin direction will secret key. Consider the example be changed. For the 50% of qbits shown in Table 1 where Alice is for which Eve used the right basis, sending the secret key 100101. Bob will use a 25% right basis and In this case, Bob will decode the 25% wrong basis, and for the right key as 1,0/1,0,0/1,0/1,1. Because 25% of qbits, he will get a 25% right Bob has used some wrong basis to qbit, and for the wrong 25% basis measure the qbits, he may get a 0 Bob used, he will get 12.5% of qbits or 1 randomly on those cases. Then, correct just due to probability. That they will exchange their basis with means from the first 50% for which others, and they will find that in Eve used the right basis, Bob will get positions 2, 4 and 5, Bob used the 37.5% correct qbits. For the rest of wrong basis. So they will use the the 50%, again Bob will use 25% rest of the bit (1st, 3rd and 6th bit) right and 25% wrong basis. From string as the secret key—that is, 101. this, Bob will get 12.5% and 12.5% The rest is simple, just encrypt the due to probability, which means he message using that key and send it. will get 25% right qbits. So when The situation becomes critical when Eve is between them, Bob will have Eve comes into action. As they are 37.5 + 25 = 62.5% accuracy. Figure 6 connecting using the public channel, demonstrates this calculation.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 75

LJ237-Jan2014.indd 75 12/17/13 3:43 PM FEATURE Quantum Cryptography

Figure 6. Accuracy Calculation for Bob When Eve Is Intercepting

In Figure 6, the node with “**”, of the qbits using the wrong basis, like C**, represents the nodes where Bob has a 50% chance of being right Bob decoded the qbits correctly, and and a 50% chance of being wrong. the node with “*”, like F*, represents So overall, Bob gets 12.5% right the nodes where Bob decoded the qbits in I and 12.5% wrong qbits qbits incorrectly. One question that in J. Now they will match the basis may arise is why does Bob get 12.5% they used for each qbit, and they accuracy (in E,L) when he used the will use the bits where Bob used the wrong basis? Remember that when correct basis, and they will throw you use a wrong basis to decode out the bits for which Bob used a qbit, there is a 50% chance that the wrong basis. Now they need to you will get a 0, and a 50% chance check whether Eve is listening. For that you will get a 1. By this logic, that purpose, they will use a subset Bob will have 12.5% accuracy from of the matched key (after throwing D. Similarly, in the case of I, when out the bits for which Bob used Bob has used the correct basis (with wrong basis) and compare with respect to Alice’s basis) but Eve others using the normal channel. already has changed the polarization Bob will have 100% accuracy if Eve

76 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 76 12/17/13 3:43 PM Table 2. Alice Sending a Key of 01101011 to Bob Using Two Types of Polarization Alice’s + X + + X X X X basis Alice’s 0 1 1 0 1 0 1 1 data Eve’s + + X + X X X + basis Eve’s 0 1 0 0 1 1 1 0 data Bob’s + + + X + X X X basis Bob’s 0 0 0 0 0 1 1 1 data

is not there; otherwise, Bob will key is different, which means Eve is have 75% accuracy in the basis between them. Then they will repeat comparison. If the accuracy is 100%, the same procedure again until they they will discard the set of bits they get a 100% key match. When they used for matching, and the rest of get a key, they easily can encrypt the the bit string will be used as the key message using the key and send it to encrypt the message. If 100% via the public network. accuracy is not observed, they will TRY AGAIN TO GET A KEY USING 1+$ Limitations In Table 2, Alice is sending a key of In practice, the quantum channel also “01101011” to Bob using two types will be affected by noise, and it will of polarization as stated above. be hard to distinguish between noise Now Alice and Bob will compare and eavesdropping. their basis, and they will find that If Eve wants, she can intercept the Bob has guessed the 1st, 3rd, 7th quantum channel just to not allow and 8th basis correctly. So they will Alice and Bob to communicate. throw out the bits for the remaining No amplifiers are used on the positions—that is, the 2nd, 4th, 5th optical fiber carrying the quantum and 6th. Now the key is “0011”. signal. Such devices would disrupt the They will choose the first two bits communication in the same way an for matching, and then they will eavesdropper does. This implies, in find that their second bit in the TURN THAT 1+$S RANGE IS LIMITED

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 77

LJ237-Jan2014.indd 77 12/17/13 3:43 PM FEATURE Quantum Cryptography

Following the no-cloning System delivers digital keys for THEOREM 1+$ CAN PROVIDE ONLY A cryptographic applications on fiber- 1:1 connection. So the number of optic-based computer networks links will increase N(N – 1)/2, as N based on quantum cryptography. In represents the number of nodes. particular, it allows key distribution over standard telecom fiber links Research exceeding 100km in length and bit Researchers have been developing rates sufficient to generate 1 megabit such systems for more than a decade. per second of key material over a 4HE $!20! 1UANTUM .ETWORK distance of 50km—sufficiently which became fully operational in long for metropolitan coverage BBN’s laboratory in October 2003, (https://www.toshiba-europe.com/ has been continuously running in research/crl/qig/quantumkeyserver.html). six nodes, operating through the The current status of quantum telecommunications fiber between cryptography in Japan includes an Harvard University, Boston University INTER CITY 1+$ TESTBED BASED ON and BBN since June 2004. The DARPA $03 1+$ A FIELD TEST OF A ONE WAY 1UANTUM .ETWORK IS THE WORLDS FIRST BB84 system over 97km with noise- quantum cryptography network, and free WDM clock synchronization, PERHAPS ALSO THE FIRST 1+$ SYSTEM and so on (“Toward New Generation providing continuous operation across 1UANTUM #RYPTOGRAPHY*APANESE a metropolitan area (http://arxiv.org/ Strategy” by Nukuikita, Koganei). abs/quant-ph/0503058). The 973 Program and 863 program NIST performs core research on the of China have funded support to creation, transmission, processing THE 1+$ RESEARCH 0OST 1UANTUM and measurement of optical qbits. Cryptography: Third International )T DEMONSTRATED HIGH SPEED 1+$ Workshop, Pqcrypto 2010, Darmstadt, systems that generate secure keys Germany, May 25–28, 2010, for encryption and decryption of Proceedings, 1st ed.). information using a one-time pad In Europe, the SEcure COmmunication cipher, and extended them into a BASED ON 1UANTUM #RYPTOGRAPHY three-node quantum communications 3%#/1# n PROJECT WAS network (http://w3.antd.nist.gov/ funded for the same reason qin/index.shtml). (http://vcq.quantum.at/publications/ 4OSHIBAS 1UANTUM +EY $ISTRIBUTION all-publications/details/643.html).

78 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 78 12/17/13 3:43 PM )N )$ 1UANTIQUE WAS situation will evolve in the near future the first in the world to bring (http://swissquantum.idquantique.com/ a quantum key distribution ?-Quantum-Cryptography-#).Q system to a commercial market. )$ 1UANTIQUES 1+$ PRODUCT Subhendu Bera is from West Bengal (India). He completed his was used in conjunction with Master of Science degree in Computer Science from Banaras layer 2 Ethernet encryption to Hindu University and his Bachelor of Science degree in Computer secure elections in Geneva. Science from University of Calcutta. Currently, he is preparing for /THER COMPANIES LIKE -AGIC1 entrance for a PhD. He likes to play with machine learning tools, 1INETI1 AND .%# ALSO ARE and in his spare time, he reads, blogs and plays cricket and chess. working in this field. Companies claim to offer or to be developing 1+$ PRODUCTS BUT LIMITED Send comments or feedback via information is publicly available. http://www.linuxjournal.com/contact However, it’s likely that the or to [email protected].

Resources

W. Chen, H.-W. Li, S. Wang, Z.-Q. Yin, Z. Zhou, Y.-H. Li, Z.-F. Han and G.C. Guo (2012). “Quantum Cryptography”, Applied Cryptography and Network Security, Dr. Jaydip Sen (Ed.), ISBN: 978-953-51-0218-2, InTech, available from http://www.intechopen.com/books/ applied-cryptography-and-network-security/quantum-cryptography

“Quantum Cryptography Hits the Fast Lane” by Adrian Cho: http://news.sciencemag.org/ sciencenow/2010/04/quantum-cryptography-hits-the-fa.html

“Do we need quantum cryptography?” by Peter Rohde: http://www.peterrohde.org/2012/06/29/do-we-need-quantum-cryptography

“A Little (q)bit of Quantum Computing” by Douglas Eadline: http://www.linux-mag.com/id/8753

“What is a quantum computer?” by Dr Boaz Tamir: http://thefutureofthings.com/column/5/what-is-a-quantum-computer.html

Quantum Computation and Quantum Information by Michael A. Nielsen and Isaac L. Chuang, Cambridge University Press, 2011.

“Quantum Communication”: http://w3.antd.nist.gov/qin/index.shtml

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 79

LJ237-Jan2014.indd 79 12/17/13 3:43 PM FEATURE More Secure SSH Connections

More Secure SSH Connections Thwart would-be attackers by hardening your SSH connections.

FEDERICO KEREKI

80 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 80 12/17/13 3:43 PM f you need remote access to a with the standard SSH configuration, machine, you’ll probably use your machine already has a nice target I SSH, and for a good reason. The to attack. The first method to consider secure shell protocol uses modern is quite simple—just change the port to cryptography methods to provide an unused, nonstandard port, such as privacy and confidentiality, even over 22022. (Numbers above 1024 are usually an unsecured, unsafe network, such free and safe, but check the Resources as the Internet. However, its very at the end of this article just to avoid availability also makes it an appealing possible clashes.) This change won’t target for attackers, so you should affect your remote users much. They will consider hardening its standard setup just need to add an extra parameter to to provide more resilient, difficult-to- their connection, as in VVKS break-into connections. In this article, the.url.for.your.server. And I cover several methods to provide yes, this kind of change lies fully such extra protections, starting with in what’s called “security through simple configuration changes, then obscurity”—doing things obscurely, limiting access with PAM and finishing hoping that no one will get wise to with restricted, public key certificates your methods—which usually is just for passwordless restricted logins. asking for problems. However, it will help at least against script kiddies, Where Is SSH? whose scripts just try to get in via As defined in the standard, SSH uses port 22 instead of being thorough port 22 by default. This implies that enough to try to scan your machine

Knock for SSH Trying to attack your machine will be harder if the would-be invader cannot even find a possible SSH door. The methods shown in this article are compatible with the port-knocking technique I wrote about in a previous article (“Implement Port-Knocking Security with knockd”, January 2010), so I won’t go into NQRFNG configuration here. By using all techniques together, attackers will have an even harder time getting to your machine (where all the other measures shown in this article will be waiting), because they won’t even be able to start trying to attack your box.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 81

LJ237-Jan2014.indd 81 12/17/13 3:43 PM FEATURE More Secure SSH Connections

for all open ports. The 0D[$XWK7ULHV limits users to In order to implement this change, three wrong attempts at entering the you need to change the /etc/ssh/ password before they are rejected. sshd_config file. Working as root, open And finally, 3HUPLW5RRW/RJLQ forbids it with an editor, look for a line that a user from logging in remotely as reads “Port 22”, and change the 22 root (any attacker who managed to to whatever number you chose. If the get into your machine still would line starts with a hash sign (#), then have to be able to break into the root remove it, because otherwise the line account; an extra hurdle), so would- will be considered a comment. Save be attackers will have a harder time at the file, and then restart SSH with getting privileges on your machine. HWFLQLWGVVKGUHVWDUW. With Be sure to restart the SSH service some distributions, that could be dæmon after these changes (sudo HWFUFGLQLWGVVKGUHVWDUW HWFLQLWGVVKGUHVWDUW does instead. Finally, also remember to close it), and for now, you already have port 22 in your firewall and to open managed to add a bit of extra safety the chosen port so remote users will be (but not much really), so let’s get able to access your server. down to adding more restrictions. While you are at this, for an extra bit of security, you also could add Who Can Use SSH? or edit some other lines in the SSH Your machine may have several configuration file (Listing 1). The servers, but you might want to limit Protocol line avoids a weaker, remote access to only a few. You older version of the SSH protocol. can tweak the sshd_config file a The /RJLQ*UDFH7LPH gives the user bit more, and use the $OORZ8VHUV, 30 seconds to accomplish a login. 'HQ\8VHUV, AllowGroups and 'HQ\*URXSV parameters. The first Listing 1. These little SSH conﬁguration one, $OORZ8VHUV, can be followed by changes can add a bit of security a list of user names (or even patterns, 3RUW using the common * and ? wild cards) 3URWRFRO or user@host pairs, further restricting /RJLQ*UDFH7LPH access to the user only from the given 0D[$XWK7ULHV host. Similarly, AllowGroups provides 3HUPLW5RRW/RJLQQR a list of group name patterns, and login is allowed only for members

82 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 82 12/17/13 3:43 PM From a software engineering viewpoint, it would just be awful if each and every program had to invent and deﬁne and implement its own authentication logic.

of those groups. Finally, 'HQ\8VHUV specific rules could be added (say, and 'HQ\*URXSV work likewise, maybe eguerrero should be able to but prohibit access to specific users log in only from home), but if things and groups. Note: the priority order start getting out of hand with too for rules is 'HQ\8VHUV first, then many rules, the idea of editing the ssh $OORZ8VHUV, 'HQ\*URXSV and finally configuration files and restarting the AllowGroups, so if you explicitly server begins to look less attractive, disallow users from connecting with and there’s a better solution through 'HQ\8VHUV, no other rules will allow PAM, which uses separate files for them to connect. security rules. For example, a common rule is that from the internal network, The PAM Way everybody should be able to access If you google for meanings of PAM, the machine. (This sounds reasonable; you can find several definitions, attacks usually come from outside ranging from a cooking oil spray the network.) Then, you could say to several acronyms (such as Power that only two users, fkereki and Amplitude Modulation or Positive eguerrero, should be able to connect Active Mass), but in this case, you are from the outside, and nobody else interested in Pluggable Authentication should be able to connect. You Modules, a way to provide extra can enable these restrictions by authentication rules and harden adding a single line $OORZ8VHUV access to your server. Let’s use PAM INHUHNLHJXHUUHUR as an alternative solution to specify to the SSH configuration file and which users can access your server. restarting the service. If you wanted From a software engineering to forbid jandrews from remote viewpoint, it would just be awful connections, an extra 'HQ\8VHUV if each and every program had to MDQGUHZV would be needed. More invent and define and implement its

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 83

LJ237-Jan2014.indd 83 12/17/13 3:43 PM FEATURE More Secure SSH Connections

PAM, PAM Everywhere

Although there is no “official” list of PAMs, most distributions are likely to include the following:

Q pam_access: allows or denies access according to the file /etc/security/access.conf. Q pam_cracklib: checks passwords against dictionaries. Q pam_debug: used for testing only. Q pam_deny: always denies access. Q pam_echo: displays the contents of a file. Q pam_env: sets or unsets environment variables. Q pam_exec: lets you run an external command. Q pam_group: grants group memberships to the user. Q pam_lastlog: shows the date and time of the user’s last log in. Q pam_ldap: allows authentication against an LDAP server. Q pam_limits: lets you set system resource limits, through the file /etc/security/limits.conf. Q pam_listfile: an alternative to pam_access, with some extra options. Q pam_mail: checks if the user has pending mail. Q pam_make: runs make in a given directory. Q pam_motd: displays the “message of the day” file, usually /etc/motd. Q pam_nologin: blocks all logins should file /etc/nologin exist. Q pam_permit: always allows access. Q pam_pwcheck: checks passwords for strength. Q pam_pwhistory: checks new passwords against recently used ones to avoid repetition. Q pam_rootok: usually is included in /etc/pam.d/su as a “sufficient” test so root can act as any other user without providing a password. Q pam_selinux: sets the default security context for SELinux. Q pam_sepermit: allows or denies login depending on SELinux state. Q pam_shells: allows access only if the user’s shell is listed in the file /etc/shells. Q pam_succeed_if: checks for account characteristics, such as belonging to a given group. Q pam_tally: just keeps count of attempted accesses and can deny access if too many attempts fail. Q pam_time: restricts access based on rules in the file /etc/security/time.conf. Q pam_umask: lets you set the file mode creation mask (think umask) for newly created files. Q pam_unix (or pam_unix2): provides classical UNIX-style authentication per the /etc/passwd and /etc/shadow files. Q pam_userdb: authenticates the user against a Berkeley database. Q pam_warn: records logs in the system logs. Q pam_wheel: provides root access only to members of group wheel.

File locations vary, but you can check /usr/lib/security or /lib/security (or read lib64 for lib, for 64-bit Linux) to see what modules you actually have. For more information on each module, try PDQQDPHRIWKHPRGXOH, but don’t try to execute them from the command line, for they can’t be run that way.

84 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 84 12/17/13 3:43 PM own authentication logic. How could in to your server. See the PAM, PAM you be certain that all applications Everywhere sidebar for a list of some did implement the very same available modules. checks, in the same way, without PAM configurations are stored any differences? PAM provides a in /etc/pam.d, with a file for each way out; if a program needs to, say, command to which they apply. As authenticate a user, it can call the root, edit /etc/pam.d/sshd, and add an PAM routines, which will run all the DFFRXQWUHTXLUHGSDPBDFFHVVVR checks you might have specified in line after all the DFFRXQW lines, so it its configuration files. With PAM, ends up looking like Listing 2. (Your you even can change authentication specific version of the file may have rules on the fly by merely updating its some different options; just add configuration. And, even if that’s not the single line to it, and that’s it.) your main interest here, if you were You’ll also have to modify the sshd to include new biometrics security configuration file (the same one that hardware (such as fingerprint readers, you modified earlier) so it uses PAM; iris scanners or face recognition) add a 8VH3$0\HV line to it, and with an appropriate PAM, your restart the sshd dæmon. device instantly would be available The DFFRXQW part is what is to all applications. important here. After using the PAMs can be used for four security standard UNIX methods for checking concerns: account limitations your password (usually against the (what the users are allowed to do), files /etc/passwd and /etc/shadow), it authorization (how the users identify uses the module pam_access.so themselves), passwords and sessions. to check if the user is in a list, such PAM checks can be marked optional as shown in Listing 3. Both DFFRXQW (may succeed or fail), required (must modules are UHTXLUHG, meaning succeed), requisite (must succeed, and that the user must pass both checks if it doesn’t, stop immediately without in order to proceed. For extra trying any more checks) and sufficient restrictions, you might want to look (if it succeeds, don’t run any more at pam_listfile, which is similar checks), so you can vary your policies. to pam_access but provides even I don’t cover all these details here, but more options, and pam_time, which rather move on to the specific need lets you fix time restrictions. You also of specifying who can (or cannot) log would need to add extra DFFRXQW

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 85

LJ237-Jan2014.indd 85 12/17/13 3:43 PM FEATURE More Secure SSH Connections

Listing 2. Adding pam_access.so to the account PAM checks lets you specify which users have SSH access to your machine. DFFRXQWUHTXLUHGSDPBXQL[VR DFFRXQWUHTXLUHGSDPBDFFHVVVR

DXWKUHTXLUHGSDPBHQYVR DXWKUHTXLUHGSDPBXQL[VR DXWKUHTXLUHGSDPBQRORJLQVR

SDVVZRUGUHTXLVLWHSDPBSZFKHFNVRQXOORNFUDFNOLE SDVVZRUGUHTXLUHGSDPBXQL[VRXVHBDXWKWRNQXOORN

VHVVLRQUHTXLUHGSDPBOLPLWVVR VHVVLRQUHTXLUHGSDPBXQL[VR VHVVLRQRSWLRQDOSDPBXPDVNVR

lines to the /etc/pam.d/sshd file. allowed access from any machine. You need to edit /etc/security/ The final -:ALL:ALL line is a catchall access.conf to specify which users that denies access to anybody not can access the machine (Listing 3). specifically allowed to log in in the Each line in the list starts with either previous lines, and it always should a plus sign (login allowed) or a minus be present. sign (login disabled), followed by a Note that you could use this colon, a user name (or ALL), another configuration for other programs colon and a host (or ALL). The pam_access.so module goes down Listing 3. The ﬁle /etc/security/access.conf the list in order, and depending on speciﬁes which users have access and from the first match for the user, it either which hosts. allows or forbids the connection. The MDQGUHZV$// order of the rules is important. First, $// jandrews is forbidden access, then INHUHNL$// everybody in the internal network HJXHUUHUR$// is allowed to log in to the server. -:ALL:ALL Then, users fkereki and eguerrero are

86 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 86 12/17/13 3:43 PM and services (FTP, maybe?), and the log in. Now, let’s look at an even safer same rules could be applied. That’s way of saying who can access your an advantage of PAM. A second machine by using certificates. advantage is that you can change rules on the fly, without having to Passwordless Connections restart the SSH service. Not messing Passwords can be reasonably secure, with running services is always a but you don’t have them written down good idea! Using PAM adds a bit of on a Post-It by your computer, do you? hardening to SSH to restrict who can However, if you use a not-too-complex

Listing 4. Generating a public/private key pair with VVKNH\JHQ is simple. Opt for using a passphrase for extra security. VVKNH\JHQ *HQHUDWLQJSXEOLFSULYDWHUVDNH\SDLU (QWHUÀOHLQZKLFKWRVDYHWKHNH\ KRPHINHUHNLVVKLGBUVD Created directory '/home/fkereki/.ssh'. (QWHUSDVVSKUDVH HPSW\IRUQRSDVVSKUDVH (QWHUVDPHSDVVSKUDVHDJDLQ 56$@ _ _ _R2 _ _(2 R_ _ R%_ _6_ __ __ __ __

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 87

LJ237-Jan2014.indd 87 12/17/13 3:43 PM FEATURE More Secure SSH Connections

password (so it can be determined by it. (If not, add them, and restart the brute force or a dictionary attack), service as described above.) Without then your site will be compromised those lines, nothing I explain below for so long as the attacker wishes. will work. Then, use VVKNH\JHQ to There’s a safer way, by using public/ create a public/private key pair. By private key logins, that has the extra directly using it without any more advantage of requiring no passwords parameters (Listing 4), you’ll be asked on the remote site. Rather, you’ll in which file to save the key (accept have a part of the key (the “private” the standard), whether to use a part) on your remote machine and the passphrase for extra security (more on other part (the “public” part) on the this below, but you’d better do so), remote server. Others won’t be able to and the key pair will be generated. impersonate you unless they have your Pay attention to the name of the file private key, and it’s computationally in which the key was saved. You’ll unfeasible to calculate. Without going need it in a moment. into how the key pair is created, let’s Now, in order to be able to move on to using it. connect to the remote server, you First, make sure your sshd need to copy it over. If you search configuration file allows for the Internet, many sites recommend private key logins. You should have directly editing certain files in order to 56$$XWKHQWLFDWLRQ\HV and accomplish this, but using ssh-copy-id 3XENH\$XWKHQWLFDWLRQ\HV lines in is far easier. You just have to type

Listing 5. After generating your public/private pair, you need to use ssh-copy-id to copy the public part to the remote server. VVKFRS\LGLKRPHINHUHNLVVKLGBUVDSXEINHUHNL# 7KHDXWKHQWLFLW\RIKRVW ´FDQ WEHHVWDEOLVKHG 56$NH\ÀQJHUSULQWLVDGDHHHGIDDIGE $UH\RXVXUH\RXZDQWWRFRQWLQXHFRQQHFWLQJ \HVQR "\HV :DUQLQJ3HUPDQHQWO\DGGHG 56$ WRWKHOLVW ´RINQRZQKRVWV INHUHNL# VSDVVZRUG

88 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 88 12/17/13 3:43 PM ssh-copy-id -i the.file.where. Now, what about the passphrase? the.key.was.saved remote.user@ If you create a public/private key pair remote.host specifying the name of without using a passphrase, anybody the file in which the public key was who gets access to your machine saved (as you saw above) and the and the private key immediately will remote user and host to which you have access to all the remote servers will be connecting (Listing 5). And to which you have access. Using you’re done. the passphrase adds another level In order to test your new of security to your log in process. passwordless connection, just do However, having to enter it over and ssh [email protected]. over again is a bother. So, you would If you used a passphrase, you’ll be do better by using VVKDJHQW, which asked for it now. In either case, can “remember” your passphrase and the connection will be established, enter it automatically whenever you and you won’t need to enter your try to log in to a remote server. After password for the remote site (Listing 6). running VVKDJHQW, run ssh-add

Listing 6. After you’ve copied the public key over, you can log in to the remote server without a password. You will have to enter your passphrase though, if you used one when generating the public/private pair. VVKINHUHNL# (QWHUSDVVSKUDVHIRUNH\ KRPHINHUHNLVVKLGBUVD /DVWORJLQ0RQ-DQ

/LJKW)LQDOEXLOWRQ0DUFKRQ/LQX[

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 89

LJ237-Jan2014.indd 89 12/17/13 3:43 PM FEATURE More Secure SSH Connections

to add your passphrase. (You could do NH\FKDLQWKHSDWKWR\RXU run it several times if you have many private.key, enter your passphrase passphrases.) After that, a remote (Figure 1), and until you reboot the connection won’t need a passphrase server or specifically run NH\FKDLQ any more (Listing 7). If you want to -k all to stop NH\FKDLQ, your end a session, use VVKDJHQWN, and passphrase will be stored, and you you’ll have to re-enter the passphrase won’t have to re-enter it. Note: you if you want to do a remote login. even could log out and log in again, You also may want to look at and your key still would be available. NH\FKDLQ, which allows you to If you just want to clear all cached reuse VVKDJHQW between logins. keys, use NH\FKDLQFOHDU. (Not all distributions include this If you use a passphrase, you could command; you may have to use your take your private keys with you on a package manager to install it.) Just USB stick or the like and use it from

Listing 7. Using VVKDJHQW frees you from having to re-enter your passphrase. VVKDJHQW 66+B$87+B62&. WPSVVK5YKK[DJHQWH[SRUW66+B$87+B62&. 66+B$*(17B3,' H[SRUW66+B$*(17B3,' HFKR$JHQWSLG

$ ssh-add (QWHUSDVVSKUDVHIRUKRPHINHUHNLVVKLGBUVD ,GHQWLW\DGGHGKRPHINHUHNLVVKLGBUVD KRPHINHUHNLVVKLGBUVD

VVKINHUHNL# /DVWORJLQ0RQ-XQIURP /LJKW)LQDOEXLOWRQ0DUFKRQ/LQX[

90 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 90 12/17/13 3:43 PM just be too dangerous. Losing your USB stick would mean automatically compromising all the remote servers you could log in to. Also, using a passphrase is an extra safety measure. If others got hold of your private key, Figure 1. By entering your passphrase they wouldn’t be able to use it without once with NH\FKDLQ, it will be first determining your passphrase. remembered even if you log out. Finally, if you are feeling quite confident that all needed users have any other machine in order to log in their passwordless logins set up, you to your remote servers. Doing this could go the whole mile and disable without using passphrases would common passwords by editing the

Using SSH and PuTTY You can use SSH public/ private pairs with the common PuTTY program, but not directly, because it requires a specific, different key file. In order to convert your SSH key, you need to do SXWW\JHQ+20(VVK your.private.key -o \RXUSULYDWHNH\ÀOH for.putty. Afterward, you simply can open PuTTY, go to Connection, SSH, Auth and browse for your newly generated “Private key file for authentication”.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 91

LJ237-Jan2014.indd 91 12/17/13 3:43 PM FEATURE More Secure SSH Connections

sshd configuration file and setting your security. However, even if these 3DVVZRUG$XWKHQWLFDWLRQQR and methods do make your server harder 8VH3$0QR, but you’d better be quite to attack, remember you always need sure everything’s working, because to be on the lookout and set up as otherwise you’ll have problems. many obstacles for attackers as you can manage.Q Conclusion There’s no definitive set of security Federico Kereki is a Uruguayan systems engineer with more measures that can 100% guarantee than 20 years of experience developing systems, doing that no attacker ever will be able to consulting work and teaching at universities. He currently is get access to your server, but adding working with a good jumble of acronyms: SOA, GWT, Ajax, PHP extra layers can harden your setup and, of course, FLOSS! Recently, he wrote the Essential GWT and make the attacks less likely to book, in which you also can ﬁnd some security concerns for Web succeed. In this article, I described applications. You can reach Federico at [email protected]. several methods, involving modifying SSH configuration, using PAM for access control and public/private Send comments or feedback via key cryptography for passwordless http://www.linuxjournal.com/contact logins, all of which will enhance or to [email protected].

Resources

The SSH protocol is defined over a host of RFC (Request for Comments) documents; check http://en.wikipedia.org/wiki/Secure_Shell#Internet_standard_documentation for a list.

Port numbers are assigned by IANA (Internet Assigned Numbers Authority), and you can go to http://www.iana.org/assignments/port-numbers for a list.

The primary distribution site for PAM is at http://www.linux-pam.org, and the developers’ site is at https://fedorahosted.org/linux-pam.

Read http://www.funtoo.org/wiki/Keychain for more on NH\FKDLQ by its author, Daniel Robbins.

You can see the RSA original patent at http://www.google.com/patents?vid=4405829 and the RSA Cryptography Standard at http://www.emc.com/emc-plus/rsa-labs/pkcs/files/ h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf.

For extra security measures, read “Implement Port-Knocking Security with knockd”, in the January 2010 issue of Linux Journal, or check it out on-line at http://www.linuxjournal.com/article/10600.

92 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 92 12/17/13 3:43 PM Instant Access to Premium Online Drupal Training

Instant access to hundreds of hours of Drupal training with new videos added every week!

Learn from industry experts with real world H[SHULHQFHEXLOGLQJKLJKSURȴOHVLWHV

Learn on the go wherever you are with apps for iOS, Android & Roku

We also offer group accounts. Give your whole team access at a discounted rate!

Learn about our latest video releases and RIIHUVȴUVWE\IROORZLQJXVRQ)DFHERRNDQG 7ZLWWHU #GUXSDOL]HPH

Go to http://drupalize.me and get Drupalized today!

LJ237-Jan2014.indd 93 12/17/13 3:43 PM FEATURE Encrypted Backup Solution “Home Paranoia Edition”

Encrypted Backup Solution “HOME PARANOIA EDITION” How to safeguard your personal data with TrueCrypt and SpiderOak.

TIM CORDOVA

94 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 94 12/17/13 3:43 PM here are so many cases of limitations, but it is sound enough for personal identifiable information safeguarding personal data. T (PII) or any type of data exposed The first step is addressing the on the Internet today. The details physical aspect of security. This is a provided in this article may assist in critical step, because some notable safeguarding your tax information, compromises are a direct result of social security number or password someone having physical access to a file. The setup this article describes system. You always should prepare will help keep your personal data yourself for the possibility that your at home safe and secure in this beloved electronic devices could be “cyber-security”-connected world. in hands of someone other than you This includes virtual/physical security at any given moment. This situation compromises—the only truly secure could occur on a train, or in a coffee system is one that is unplugged and shop, automobile or home, and you locked in a vault. This solution is must assume your data is lost when it not all-encompassing and does have is outside your control.

Figure 1. Setup screen for encrypting your home directory in Ubuntu during initial operating system installation.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 95

LJ237-Jan2014.indd 95 12/17/13 3:44 PM FEATURE Encrypted Backup Solution “Home Paranoia Edition”

This article describes utilizing whole factor, especially when considering all disk encryption to reduce some of the of the recent events concerning stolen risks provided by a great open-source government laptops that contained Linux operation system (Ubuntu millions of social security numbers. 12.10). Whole disk encryption is a key The next key step in safeguarding

Figure 2. If encrypting your home folder was missed during initial installation, use HQFU\SWIWXWLOV to encrypt your home directory.

Figure 3. This is important feedback information “record passphrase as soon as possible” that will be generated from the HQFU\SWIVPLJUDWHKRPH command.

96 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 96 12/17/13 3:44 PM your personal information is by command on the user’s home adding another security layer by directory (Figure 2): encrypting home directories during the initial installation (Figure 1). VXGRHFU\SWIVPLJUDWHKRPHX\RXUXVHUQDPH You may be the only one using this system; however, if others are able to Then, you need to log in to the access your system while it’s running, encrypted home directory account this may slow them down from trying before rebooting the machine to access information contained in a (as stated in the important note home directory. screen), providing a roll-back You will need to run the command: opportunity in the event of any unexpected complications during VXGRDSWJHWLQVWDOOHFU\SWIVXWLOVFU\SWVHWXS the encryption process. Use HQFU\SWIVXQZUDSSDVVSKUDVH using an advanced packaging tool- to record your randomly generated capable distribution. This will install mount passphrase. Keep this the encrypting utilities needed to passphrase safe, because you may encrypt your home directory. need it to recover your encrypted files. The next step is to log in or Also, ensure that you reboot your create another user account with system and remove the un-encrypted root privileges to run the following backup folder (Figure 3).

Figure 4. TrueCrypt Installation Button

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 97

LJ237-Jan2014.indd 97 12/17/13 3:44 PM FEATURE Encrypted Backup Solution “Home Paranoia Edition”

A third step in the process is to at the time of this writing), and utilize a great open-source application run the following commands called TrueCrypt to provide encrypted and script: containers to store personal information. This easy process includes WDU[YIWUXHFU\SWDOLQX[[ visiting the TrueCrypt Web site at tar.gz http://www.truecrypt.org/downloads VXGRWUXHFU\SWDOLQX[[ to download the latest package VHOHFW",QVWDOO7UXH&U\SWDWWKH (truecrypt-7.1a-linux-x86.tar.gz, JXLPHQX

Figure 5. TrueCrypt Create Volume Button Screen

98 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 98 12/17/13 3:44 PM The next step is to create an encrypted file container or a encrypted container. This container volume within a partition/drive will store personal identifiable (Figures 5 and 6). You also will information (PII) or any file that have a choice of using a you want to keep safe on your local standard TrueCrypt volume or computer, and it will create another a hidden TrueCrypt volume layer of security. The process for (Figure 7). The idea behind a creating a basic container is by hidden container is to reveal an selecting the default options during outside container password, and initial installation (Figure 4). Once your hidden container encrypted the software is installed, starting within the outside container the application is a breeze using the (http://www.truecrypt.org/docs/ command truecrypt & or via the hidden-volume). GUI menu system by selecting the On the next menu, simply select create volume button. an encryption algorithm, hash There are two options when algorithm and size of container. creating a volume: choosing an Multiple books and papers provide

Figure 6. After the create volume button is selected, you will be presented with two options for creating an encrypted ﬁle container or creating a volume within a partition/drive.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 99

LJ237-Jan2014.indd 99 12/17/13 3:44 PM FEATURE Encrypted Backup Solution “Home Paranoia Edition”

Figure 7. The next menu item gives you the option of creating a standard or hidden volume.

Figure 8. After the standard volume is selected, the next options are to select the encryption and hash algorithms, and size of the volume.

100 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 100 12/17/13 3:44 PM specific information on the differences the volume-creating process is between these algorithms and completed, mount your volume hashes (AES with a 256/14 rounds using the TrueCrypt application and and Sha-512 default hashing function). start saving your private files to this The size of your container depends on encrypted container. the amount of information you want to A safe and secure on-line storage protect (Figure 8). location for your newly created The next step is to select encrypted container is essential your preferred filesystem type for backing up data in the cloud. (ext3, ext4 and so on). Once A couple options are available for

Figure 9. Select the newly created standard volume to mount an accessible unencrypted share.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 101

LJ237-Jan2014.indd 101 12/17/13 3:44 PM FEATURE Encrypted Backup Solution “Home Paranoia Edition”

an on-line storage location, such ensuring that our customer’s data is as Dropbox, Evernote, AWS and always completely secure—even from SpiderOak. The final choice for secure us!” (https://spideroak.com/faq/ cloud storage is with the company category/privacy_passwords). called SpiderOak, and this is based The company also provides on the company’s “Zero-Knowledge” two-factor authentication for privacy policy that states: “we never extra protection of requiring a have any knowledge of your password user name, password and a token. and no way to retrieve or reset it, The token will be sent to your even in emergencies. It’s our way of mobile phone whenever you need

Figure 10. The backup tab in the SpiderOak application allows you to select your encrypted volume.

102 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 102 12/18/13 10:14 AM to log in to a Web site or mobile Installing SpiderOak is device. The majority of big-name straightforward for all the Debian providers are offering two-factor users out there. It includes authentication since the traditional downloading and installing the password/passphrase does not spideroak_4.8.4_i386.deb package offer enough protection. Seeing from https://spideroak.com/ how this solution is deployed on a opendownload and using sudo dedicated desktop and requires the GSNJLVSLGHURDNBBLGHE token to authenticate, it provides to install this package on your favorite a true two-channel authentication Ubuntu platform. solution. Of course, using two- Identify a local upload folder factor authentication does not as the staging point for your guarantee safety, but it does require TrueCrypt container. Once you the attacker to use sophisticated have a shared location that will host methods, and attackers generally are your TrueCrypt container, simply lazy and look for easy targets. open your SpiderOak application

Figure 11. A SpiderOak application status and backup menu provides a means to back up your encrypted volume automatically in specified intervals.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 103

LJ237-Jan2014.indd 103 12/17/13 3:44 PM FEATURE Encrypted Backup Solution “Home Paranoia Edition”

Listing 1. SpiderOak/TrueCrypt Backup Script

XVUELQS\WKRQ EUHDN ''' 6SLGHU2DN7UXH&U\SWGLVPRXQW%DFNXS6FULSW LIIRXQGVWULQJ @author: Tim try: ''' GLVPRXQW RVV\VWHP WUXHFU\SWG import os LIGLVPRXQW LPSRUWVWULQJ IRZULWH VWU QRZ 7UXH&U\SWVHUYLFHIRXQG import datetime ´DQGWKHYROXPHLVGLVPRXQWHG?Q LPSRUWKDVKOLE else: )ROGHUDQG)LOH/RF )ROGHUDQG)LOH/RF IRZULWH VWU QRZ )DLOHGWR 6SLGHU2DN3DWK ´GLVPRXQWVHUYLFH?Q 7UXH&U\SW3DWK except: os.error /RJ)LOHSDWK else: VDIHÀOH IRZULWH VWU QRZ PRXQWZDVQRWRSHQ?Q

GHIUHDGFRQÀJÀOH 6SLGHU2DN3DWK7UXH&U\SW3DWK/RJ)LOHSDWKVDIHÀOH GHIFRS\FRQWDLQHU IR6SLGHU2DN3DWK7UXH&U\SW3DWK ´6HWXSÀOHRSHQ ´/RJ)LOHSDWKVDIHÀOHQRZ 7KLVZLOOUHDGWKHFRQÀJXUDWLRQDQGDVVLJQSDWKORFDWLRQ 6HW'HVWLQDWLRQDQG&RS\WRQHZORFDWLRQ QRZ GDWHWLPHGDWHWLPHQRZ KROGVWU +ROGGHVWÀOHVXP 7UXH&U\SW3DWKVDIHÀOH IRUOLQHLQ6HWXSÀOHRSHQ +ROGRULJÀOHVXP 6SLGHU2DN3DWKVDIHÀOH KROGVWU VWUVSOLW OLQH FKHFNVXPGHVW PGÀOHFKHFN +ROGGHVWÀOHVXP LIVWULQJÀQG OLQH6SLGHU2DN3DWK ! FKHFNVXPRULJ PGÀOHFKHFN +ROGRULJÀOHVXP 6SLGHU2DN3DWK KROGVWU>@ HOLIVWULQJÀQG OLQH7UXH&U\SW3DWK ! 7UXH&U\SW3DWK KROGVWU>@ UXQVWULQJ FS7KLVZLOORQO\FRS\RYHUXSGDWHV HOLIVWULQJÀQG OLQH/RJ)LOHSDWK ! WRWKLVÀOH /RJ)LOHSDWK KROGVWU>@ UXQVWULQJ 7UXH&U\SW3DWK HOLIVWULQJÀQG OLQHVDIHÀOH ! UXQVWULQJ VDIHÀOH VDIHÀOH KROGVWU>@ UXQVWULQJ UXQVWULQJ 6SLGHU2DN3DWK7KLVZLOORQO\VHQGRYHUDQ\ IR RSHQ /RJ)LOHSDWKD XSGDWHVWRWKLVÀOH try: WHVWGLII RVV\VWHP GLII+ROGGHVWÀOHVXP IR RSHQ /RJ)LOHSDWKD ´+ROGRULJÀOHVXP IRZULWH VWU QRZ 3DWK9DULDEOH6SLGHU2DN3DWK ´XVHG!6SLGHU2DN3DWK?Q IRZULWH VWU QRZ 3DWK9DULDEOH7UXH&U\SW3DWK LIWHVWGLII ´XVHG!7UXH&U\SW3DWK?Q try: IRZULWH VWU QRZ 3DWK9DULDEOH/RJ)LOHSDWK RVV\VWHP UXQVWULQJ ´XVHG!/RJ)LOHSDWK?Q WHVWGLII RVV\VWHP GLII+ROGGHVWÀOHVXP IRZULWH VWU QRZ 3DWK9DULDEOHKROG ´+ROGRULJÀOHVXP ´XVHG!VDIHÀOH?Q LIWHVWGLII except: fo.error IRZULWH VWU QRZ 7UXH&U\SW3DWKVDIHÀOH VKXWGRZQWUXHFU\SW IRQRZ ´)LOH&RSLHGWR6SLGHU2DN3DWK?Q FRS\FRQWDLQHU IR6SLGHU2DN3DWK7UXH&U\SW3DWK IRZULWH VWU QRZ 3URFHVVLQJ&RPSOHWH ´/RJ)LOHSDWKVDIHÀOHQRZ else: fo.close IRZULWH VWU QRZ 7UXH&U\SW3DWKVDIHÀOH ´)LOHIDLOHGWRFRS\6SLGHU2DN3DWK?Q except: os.error GHIVKXWGRZQWUXHFU\SW IRQRZ 7HVWWRVHHLIWKHWUXHF\SWLVUXQQLQJ else: ,IQRWWKHQ6KXWLWGRZQ IRZULWH VWU QRZ )LOHKDVQRWEHHQFKDQJHG IRXQGVWULQJ ´QRFRS\ZDVSHUIRUPHG?Q try: I RVSRSHQ SVD[ except: os.error 6HWXSÀOHRSHQ RSHQ )ROGHUDQG)LOH/RFU IRUOLQHLQI UHDGFRQÀJÀOH 6SLGHU2DN3DWK7UXH&U\SW3DWK/RJ)LOHSDWKVDIHÀOH LIVWULQJÀQG OLQH WUXHFU\SW ! ´6HWXSÀOHRSHQ IRXQGVWULQJ 6HWXSÀOHRSHQFORVH

104 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 104 12/17/13 3:44 PM and select the backup tab. Then, The final step is to create a cron drill down until you find your job to call the Python script: TrueCrypt container location, such

as home/username/SpiderO/Upload. FGKRPHWZRUNVSDFH%DFNXS6FULSWVUFXVUELQS\WKRQ

The next step is to configure /home/t/workspace/BackupScript/src/BackupScript.py your backup frequency using the overview tab and selecting the This personal encrypted solution is change button (Figures 10 and 11). something that works great at home Many other configuration options when utilized on a daily basis. Many are available using this interface. apps are available on the Internet for For this example, use only these two managing passwords and data, but options for a secure cloud backup. this one is easy to implement and The last couple steps in this provides layers of encryption. I am encrypted backup solution are confident that using the described to move the TrueCrypt container encrypted containers and storage from the working location to the location provides enough security for designated SpiderOak export folder private personal data, but it may not and create a cron job to run the script. be an ideal solution for an enterprise I created a Python script to with various regulatory agencies. Use accomplish the copy function, but the described methods at your own I could have created any type of risk, and ensure that your passwords script. This script is used to ensure or passphrases are safeguarded, that the TrueCrypt application is because your data will be lost with not running, verify whether there a forgotten password.Q were changes to the container and then copy over the container Tim Cordova is a computer geek who had a Commodore 64 at if there were changes. This script age 9, and has a love for Linux, family, information security requires a configuration file called and longboard surfing. He currently works as an information FolderandFileLoc to function and security professional at a large contracting company and the Python script BackupScript.py. has more than 15 years of experience. The configuration file parameters are SpiderOakPath, TrueCryptPath and LogFilepath, a running log Send comments or feedback via to verify whether a copy was http://www.linuxjournal.com/contact successful and the Safefile filename. or to [email protected].

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 105

LJ237-Jan2014.indd 105 12/17/13 3:44 PM KNOWLEDGE HUB

WEBCASTS A Call to Arms for Private Cloud Builders Sponsor: ActiveState | Topic: Cloud Computing ON DEMAND The era of elastic IT is here. Businesses are realizing that the cloud not only allows cost reduction, but provides opportunities for innovation and growth. Elastic clouds enable next-generation applications that drive revenue opportunities, increase agility, and make IT teams competitive with public cloud systems.

In this presentation, Randy and John talk about the forces driving this change, and outline an action plan for building an elastic cloud infrastructure and dynamic applications using DevOps and Platform-as-a-Service.

> http://lnxjr.nl/CTACloud Private PaaS for the Agile Enterprise Sponsor: ActiveState | Topic: Virtualization If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more beneﬁts from cloud computing than just raw resources. They need agility, ﬂexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, ﬂexibility, control, and ultimately, faster time-to-market for your enterprise.

> http://lnxjr.nl/privatepaasAE

Learn the 5 Critical Success Factors to Accelerate IT Service Delivery in a Cloud-Enabled Data Center Today's organizations face an unparalleled rate of change. Cloud-enabled data centers are increasingly seen as a way to accelerate IT service delivery and increase utilization of resources while reducing operating expenses. Building a cloud starts with virtualizing your IT environment, but an end-to-end cloud orchestration solution is key to optimizing the cloud to drive real productivity gains.

> http://lnxjr.nl/IBM5factors

Linux Backup and Recovery Webinar Sponsor: Storix | Topic: Backup and Recovery Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly ﬂexible bare-metal recovery solution for UNIX and Linux systems.

> http://lnxjr.nl/StorixWebinar

106 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 106 12/17/13 3:44 PM KNOWLEDGE HUB

WHITE PAPERS Linux Management with Red Hat Satellite: Measuring Business Impact and ROI Sponsor: Red Hat | Topic: Linux Management

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

> http://lnxjr.nl/RHS-ROI

Standardized Operating Environments for IT Efficiency Sponsor: Red Hat

The Red Hat® Standard Operating Environment SOE helps you define, deploy, and maintain Red Hat Enterprise Linux® and third-party applications as an SOE. The SOE is fully aligned with your requirements as an effective and managed process, and fully integrated with your IT environment and processes.

Benefits of an SOE:

SOE is a specification for a tested, standard selection of computer hardware, software, and their configuration for use on computers within an organization. The modular nature of the Red Hat SOE lets you select the most appropriate solutions to address your business' IT needs.

SOE leads to:

s $RAMATICALLY REDUCED DEPLOYMENT TIME

s 3OFTWARE DEPLOYED AND CONFIGURED IN A STANDARDIZED MANNER

s 3IMPLIFIED MAINTENANCE DUE TO STANDARDIZATION

s )NCREASED STABILITY AND REDUCED SUPPORT AND MANAGEMENT COSTS

s 4HERE ARE MANY BENEFITS TO HAVING AN 3/% WITHIN LARGER ENVIRONMENTS SUCH AS

s ,ESS TOTAL COST OF OWNERSHIP 4#/ FOR THE )4 ENVIRONMENT

s -ORE EFFECTIVE SUPPORT

s &ASTER DEPLOYMENT TIMES

s 3TANDARDIZATION

> http://lnxjr.nl/RH-SOE

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 107

LJ237-Jan2014.indd 107 12/17/13 3:44 PM INDEPTH Solid-State Drives: Get One Already! Brian describes how SSDs compare to HDDs with regard to longevity and reliability and provides the results from some real-world performance benchmarking. BRIAN TRAPP

I’ve been building computers actually made the move to SSDs since the 1990s, so I’ve seen a yet. Within that group, the primary lot of new technologies work reluctance to try a SSD boiled down their way into the mainstream. to three main concerns: Most were the steady, incremental improvements predicted by Q I’m worried about their Moore’s law, but others were reliability; I hear they wear out. game-changers, innovations that really rocketed performance Q I’m not sure if they work well forward in a surprising way. I with Linux. remember booting up Quake after installing my first 3-D card—what Q I’m not sure an SSD really would a difference! My first boot off a make much of a difference on solid-state drive (SSD) brought my system. back that same feeling—wow, what a difference! Luckily, these three concerns are However, at a recent gathering of based either on misunderstandings, like-minded Linux users, I learned outdated data, exaggeration or are that many of my peers hadn’t just not correct.

108 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 108 12/17/13 3:44 PM INDEPTH

SSD Reliability Overview Instead of rotating platters and How SSDs Differ from Hard Drives: read/write heads, solid-state drives Traditional hard disk drives (HDDs) store data to an array of Flash memory have two mechanical delays that chips. As a result, when a new file is can come into play when reading or requested, the SSD’s internal memory writing files: pivoting the read/write can find and start accessing the head to be at the right radius and correct storage memory locations in waiting until the platter rotates until sub-milliseconds. Although reading the start of the file reaches the head from Flash isn’t terribly fast by itself, (Figure 1). The time it takes for the SSDs can read from several different drive to get in place to read a new file chips in parallel to boost performance. is called seek time. When you hear This parallelism and the near- that unique hard drive chatter, that’s instantaneous seek times make the actuator arm moving around to solid-state drives significantly access lots of different file locations. faster than hard drives in most For example, my hard drive (a pretty benchmarks. My SSD (a pretty typical typical 7,200 RPM consumer drive unit from 2012) has a seek time of from 2011) has an average seek time 0.1ms—quite an improvement! of around 9ms. Reliability and Longevity: Reliability numbers comparing HDDs and SSDs are surprisingly hard to find. Fail rate comparisons either didn’t have enough years of data, or were based on old first-generation SSDs that don’t represent drives currently on the market. Though SSDs reap the benefits of not having any moving parts (especially beneficial for mobile devices like laptops), the conventional wisdom is that current SSD fail rates are close to HDDs. Even if they’re a few percentage points higher or lower, considering that both drive types have a nonzero failure rate, Figure 1. Hard Drive you’re going to need to have a backup

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 109

LJ237-Jan2014.indd 109 12/17/13 3:44 PM INDEPTH

solution in either case. Interestingly, all three types of Apart from reliability, SSDs do cells are using the same transistor have a unique longevity issue, as structure behind the scenes. Clever the NAND Flash cells in storage have engineers have found a way to a unique life expectancy limitation. make that single Flash cell hold The longevity of each cell depends more information in MLC or TLC on what type of cell it is. Currently, mode, however. At programming there are three types of NAND time, they can use a low, medium- Flash cells: low, medium-high or high voltage to represent four unique states (two Q SLC (Single Later Cell) NAND: one bits) in one single cell. The downside bit per cell, ~100k writes. is that as the cell is written several thousand times, the oxide insulator Q MLC (Multi-Layer Cell) NAND: two at the bottom of the floating gate bits per cell, ~10k to 3k writes, starts to degrade, and the amount slower than SLC. The range in of voltage required for each state writes depends on the physical increases (Figure 2). For SLC it’s size of the cell—smaller cells are not a huge deal because the gap cheaper to manufacture, but can between states is so big, but for handle fewer writes. MLC, there are four states instead of two, so the amount of room Q TLC (Three-Layer Cell) NAND: between each state’s voltage is ~1k writes, slower than MLC. shortened. For TLC’s three bits of

Figure 2. A NAND Flash Cell

110 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 110 12/17/13 3:44 PM INDEPTH

information there are six states, so Est. Lifespan (y) = SSDCapacity(GB) * (WriteLimit based on cell type) ------the distances between each voltage DailyWriteRate (GB/day) * WriteAmpliﬁcation * 365 (days/yr) range is even shorter. The final twist is write amplification. So if I was sizing a 256GB Samsung Even though the OS is sending 1MB 840 Evo (which uses TLC cells), with of data, the SSD actually may be a 6.3GB/day write rate and a write doing more writes behind the scenes amplification of 3, it should give me for things like wear leveling and around 37 years of service before inefficient garbage collection if TRIM losing the ability to write new data. support isn’t enabled (see the TRIM section later in this article). Most SSD Considerations for Linux real-world write amplification values TRIM: Undelete utilities work because I’ve seen are in the 1.1 to 3.0 range, when you delete a file, you’re really depending on how compressible the only removing the filesystem’s pointer data is and how clever the SSD is at to that file, leaving the file contents garbage collection and wear leveling. behind on the disk. The filesystem So, how long can you expect an SSD knows about the newly freed space to last for you? Longevity depends and eventually will reuse it, but the on how much data you write, and drive doesn’t. HDDs can overwrite the tune2fs utility makes it really data just as efficiently as writing to a easy to estimate that from your new sector, so it doesn’t really hurt existing filesystems. Run WXQHIV them, but this can slow down SSDs’ OGHY GHYLFH!. (Tip: if you’re write operations, because they can’t using LVM, the stats will be under overwrite data efficiently. the dm-X device instead of the sdaX An SSD organizes data internally device.) The key fields of interest are into 4k pages and groups 128 pages “Filesystem created” and “Lifetime into a 512k block. SSDs can write writes”. Use those to figure out the only into empty 4k pages and erase average GB/day since the filesystem in big 512k block increments. This was created. For my laptop, it was means that although SSDs can write 2.7GB/day, and for my workstation it very quickly, overwriting is a much was 6.3GB/day. With those rates, plus slower process. The TRIM command a rough guess for write amplification, keeps your SSD running at top speed you can estimate how much life you’d by giving the filesystem a way to tell get out of any SSD. the SSD about deleted pages. This

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 111

LJ237-Jan2014.indd 111 12/17/13 3:44 PM INDEPTH

gives the drive a chance to do the LVM: If you’re not using LVM, slow overwriting procedures in the you can skip ahead to the filesystem backgroupd, ensuring that you always section. TRIM has been supported in have a large pool of empty 4k pages LVM since kernel 2.6.36. at your disposal. In the “devices” section of Linux TRIM support is not enabled /etc/lvm/lvm.conf, add a line by default, but it’s easy to add. One LVVXHBGLVFDUGV : catch is that if you have additional software layers between your devices { filesystem and SSD, those layers need ... to be TRIM-enabled too. For example, LVVXHBGLVFDUGV most of my systems have an SSD, .. with LUKS/dm-crypt for whole disk } encryption, LVM for simple volume ... management and then, finally, an ext4 formatted filesystem. Here’s how to Filesystem: Once you’ve done any turn on TRIM support, starting at the required dm-crypt and LVM edits, layer closest to the drive. update initramfs, then reboot: dm-crypt and LUKS: If you’re not using an encrypted filesystem, you can VXGRXSGDWHLQLWUDPIVXNDOO skip ahead to the LVM instructions. TRIM has been supported in dm-crypt Although Btrfs, XFS, JFS and since kernel 3.1. Modify /etc/crypttab, ext4 all support TRIM, I cover only adding the discard keyword for the ext4 here, as that seems to be the devices on SSDs: most widely used. To test ext4 TRIM support, try the manual TRIM

7DUJHW1DPH'HYLFH.H\)LOH2SWLRQV command: IVWULP PRXQWSRLQW!.

VGDBFU\SW88,' HEEFFGDHEHQRQHOXNVGLVFDUG If all goes well, the command will work for a while and exit. If it exits Note: enabling TRIM on an with any error, you know there’s encrypted partition does make it something wrong in the setup easier for attackers to brute-force between the filesystem and the attack the device, since they device. Recheck your LVM and would now know which blocks dm-crypt setup. are not in use. Here’s an example of the output for

112 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 112 12/17/13 3:44 PM INDEPTH

/ (which is set up for TRIM) and /boot Regardless of whether you use (which is not): the discard option, you probably want to add the QRDWLPH option

~$ sudo fstrim / to /etc/fstab. With atime on

aVXGRIVWULPERRW (the default), each time a file is

IVWULPERRW),75,0LRFWOIDLOHG,QDSSURSULDWHLRFWOIRUGHYLFH accessed, the access time is updated, consuming some of your precious If the manual command works, write cycles. (Some tutorials ask you can decide between between you to include nodiratime too, but using the automatic TRIM built in noatime is sufficient.) Because most to the ext4 filesystem or running applications don’t use the atime the fstrim command. The primary timestamp, turning it off should benefits of using automatic TRIM improve the drive’s longevity: is that you don’t have to think

about it, and it nearly instantly will GHYPDSSHUEDOG\OURRWH[WQRDWLPHGLVFDUGHUURUV UHPRXQWUR reclaim free space. One down side of automatic TRIM is that if your Partition alignment: When drive doesn’t have good garbage- SSDs first were released, many of collection logic, file deletion can be the disk partitioning systems still slow. Another negative is that if the were based on old sector-based drive runs TRIM quickly, you have logic for placing partitions. This no chance of getting your data back could cause a problem if the via an undelete utility. On drives partition boundary didn’t line up where I have plenty of free space, nicely with the SSD’s internal 512k I use the fstrim command via cron. block erase size. Luckily, the major On drives where space is tight, I use partitioning tools now default to the automatic ext4 method. 512k-compatible ranges: If you want to go the automatic route, enabling automatic TRIM is Q fdisk uses a one megabyte easy—just add the discard option boundary since util-linux version to the options section of the relevant 2.17.1 (January 2010). /etc/fstab entries. For manual TRIM, just put the IVWULP PRXQWSRLQW! Q LVM uses a one megabyte boundary in a cron job or run it by hand at as the default since version 2.02.73 your leisure. (August 2010).

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 113

LJ237-Jan2014.indd 113 12/17/13 3:44 PM INDEPTH

If you’re curious whether your Monitoring SSDs in Linux: partitions are aligned to the right I already covered running WXQHIV boundaries, here’s example output O GHYLFH! as a good place to get from an Intel X25-M SSD with an statistics on a filesystem device, but erase block size of 512k: those are reset each time you reformat the filesystem. What if you want to

~$ sudo sfdisk -d /dev/sda get a longer range of statistics, at

:DUQLQJH[WHQGHGSDUWLWLRQGRHVQRWVWDUWDWDF\OLQGHUERXQGDU\ the drive level? smartctl is the tool

'26DQG/LQX[ZLOOLQWHUSUHWWKHFRQWHQWVGLIIHUHQWO\ for that. SMART (Self-Monitoring,

SDUWLWLRQWDEOHRIGHYVGD Analysis and Report Technology)

XQLWVHFWRUV is part of the ATA standard that

provides a way for drives to track

GHYVGDVWDUW VL]H ,G ERRWDEOH and report key statistics, originally

GHYVGDVWDUW VL]H ,G for the purposes of predicting drive

GHYVGDVWDUW VL]H ,G failures. Because drive write volume

GHYVGDVWDUW VL]H ,G is so important to SSDs, most

GHYVGDVWDUW VL]H ,G manufacturers are including this in the SMART output. Run sudo smartctl Since the primary partition (sda5) DGHY GHYLFH! on an SSD starts and ends at a number evenly device, and you’ll get a whole host divisible by 512, things look good. of interesting statistics. If you see the

Figure 3. smartctl Output (Trimmed)

114 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 114 12/17/13 3:44 PM INDEPTH

message “Not in smartctl database” tools make this a breeze. in the smartctl output, try building the SSD free space: SSDs run best latest version of smartmontools. when there’s plenty of free space Each vendor’s label for the for them to use for wear leveling statistic may be different, but you and garbage collection. Size up and should be able to find fields like manage your SSD to keep it less than “Media_Wearout_Indicator” that will 80% full. count down from 100 as the drive Things that break TRIM: RAID approaches the Flash wear limit and setups can’t pass TRIM through to fields like “Lifetime_Writes” or “Host_ the underlying drives, so use this Writes_32MiB” that indicate how mode with caution. In the BIOS, much data has been written to the make sure your controller is set to drive (Figure 3). AHCI mode and not IDE emulation, as IDE mode doesn’t support TRIM Other Generic Tips and is slower in general. Swap: if your computer is actively using swap space, additional RAM SSD Performance probably is a better upgrade than an Now let’s get to the heart of the SSD. Given the fact that longevity is matter—practical, real-world examples so tightly coupled with writes, the of how an SSD will make common last thing you want is to be pumping tasks faster. multiple gigabytes of swap on and Test Setup Prior to off the drive. benchmarking, I had one SSD for HDDs still have a role: if you have my Linux OS, another SSD for when the space, you can get the best of I needed to boot in to Windows 7 both worlds by keeping your hard and an HDD for storing media files drive around. It’s a great place for and for doing low-throughput, storing music, movies and other high-volume work (like debugging media that doesn’t require fast JVM dumps or encoding video). I I/O. Depending on how militant used partimage to back up the you want to be about SSD writes, HDD, and then I used a Clonezilla you can mount folders like /tmp, bootable CD to clone my Linux /var or even just /var/log on the HDD SSD onto the HDD. Although most to keep SSD writes down. Linux’s sources say you don’t have to worry flexible mounting and partitioning about fragmentation on ext4, I used

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 115

LJ237-Jan2014.indd 115 12/17/13 3:44 PM INDEPTH

the ext4 defrag utility HGHIUDJ on at keeping up with the SSD. the HDD just to give it the best shot Here’s the hardware on the

Figure 4. bootchart Output

116 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 116 12/17/13 3:44 PM INDEPTH

development workstation I used for Table 1. Boot Times benchmarking—pretty standard stuff: Test HDD (s) SSD (s) % Faster Xorg Start 19.4 4.9 75% Q CPU: 3.3GHz Intel Core i5-2500k CPU. Desktop 33.4 6.6 80% Ready Q Motherboard: Gigabyte :! $( " : CHIPSET complicates how to measure boot times, so to get the most accurate Q RAM: 8GB (2x4GB) of 1333 DDR3. measurements, I used the bootchart package that provides a really cool Q OS: Ubuntu 12.04 LTS (64-bit, Gantt chart showing the boot time kernel 3.5.0-39). of each component (partial output shown in Figure 4). I used the Xorg Q 33$ '" /#: 6ERTEX process start to indicate when X starts up, the start of the Dropbox panel Q HDD: 1TB Samsung Spinpoint F3, applet to indicate when X is usable 7200 RPM, 32MB cache. and subtracted the time spent in cryptsetup (its duration depends more I picked a set of ten tests to try on how many tries it takes me to type to showcase some typical Linux in my disk password than how fast operations. I cleared the disk cache any of the disks are). The SSD crushes after each test with HFKR_VXGR the competition here. tee /proc/sys/vm/drop_caches and rebooted after completing a set. I ran the set five times for each drive, and plotted the mean plus a 95% confidence interval on the bar charts shown below. Boot Times: Because I’m the only user on the test workstation and use whole-disk encryption, X is set up with automatic login. Once cryptsetup prompts me for my disk password, the system will go right past the typical GDM user login to my desktop. This Figure 5. Boot Times

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 117

LJ237-Jan2014.indd 117 12/17/13 3:44 PM INDEPTH

Table 2. Application Launch Times Table 3. File I/O

Test HDD (s) SSD (s) % Faster Test HDD (s) SSD (s) % Faster

Eclipse 26.8 11.0 59% create 1.5 0.5 67%

Tomcat 19.6 17.7 10% copy 3.3 1.1 69%

TF2 72.2 67.1 7% read 2.2 0.2 63%

Figure 6. Application Launch Times Figure 7. File I/O

Application Start Times: To test Eclipse benefited from an SSD the application start times, I measured the most, and the gains in Tomcat and start times for Eclipse 4.3 (J2EE version), TF2 were present but less noticeable. Team Fortress 2 (TF2) and Tomcat Single-File Operations: To 7.0.42. Tomcat had four WAR ﬁles at test single-file I/O speed, I created about 50MB each to unpackage at start. a ~256MB file via time dd Tomcat provides the server startup time LI GHY]HURRI IEV in the logs, but I had to measure Eclipse FRXQW , copied it to a new file and Team Fortress manually. I stopped and then read it via cat, redirecting to timing Eclipse once the workspace was /dev/null. I used the time utility to capture visible. For TF2, I used the time between the real elapsed time for each test. pressing “Play” in the Steam client and Multiple File Operations: First, when the TF2 “Play” menu appears. I archived the 200k files in my 1.1GB There was quite a bit of variation Eclipse workspace via tar -c between the three applications, where aZRUNVSDFH!ZWDU to test

118 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 118 12/17/13 3:44 PM INDEPTH

Table 4. Multi-File I/O performing on par with HDDs. (You Test HDD (s) SSD (s) % Faster need a good backup, either way.) If you tar 123.2 17.5 86% were concerned about longevity, you

find & can use data from your existing system 34.3 12.3 64% fgrep to approximate how long a current generation MLC or TLC drive would last. SSD support has been in place in Linux for a while, and it works well even if you just do a default installation of a major Linux distribution. TRIM support, some ext4 tweaks and monitoring via tune2fs and smartctl are there to help you maintain and monitor overall SSD health. Finally, some real-world performance benchmarks illustrate how an SSD will boost performance for any operation that uses disk storage, but especially Figure 8. Multi-File I/O ones that involve many different files. Because even OS-only budget-sized archiving speed. Second, I used ILQG SSDs can provide significant performance QDPH MDYDH[HFIJUHS gains, I hope if you’ve been on the )RR^`!GHYQXOO to simulate fence, you’ll now give one a try.Q looking for a keyword in the 7k java files. I used the time utility to capture the real Brian Trapp serves up a spicy gumbo of Web-based yield reporting elapsed time for each test. Both tests and analysis tools for hungry semiconductor engineers at one of made the HDD quite noisy, so I wasn’t the leading semiconductor research and development consortiums. surprised to see a significant delta. His signature dish has a Java base with a dash of JavaScript, Perl, Bash and R, and his kitchen has been powered by Linux ever since Summary 1998. He works from home in Buffalo, New York, which is a shame If you haven’t considered an SSD, only because that doesn’t really fit the whole chef metaphor. or were holding back for any of the reasons mentioned here, I hope this article prompts you to take the plunge Send comments or feedback via and try one out. http://www.linuxjournal.com/contact For reliability, modern SSDs are or to [email protected].

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 119

LJ237-Jan2014.indd 119 12/17/13 3:44 PM EOF

Returning to DOC SEARLS Ground from the Web’s Clouds Fixing problems of centralization with more centralized systems only makes the problem worse.

he Net as we know it today first three Internet Service Providers.) James became visible to me in March Fallows (http://www.theatlantic.com/ T 1994, when I was among james-fallows) was in the crowd, several hundred other tech types and he described it this way gathered at Esther Dyson’s PC Forum (http://listserv.aera.net/scripts/ conference in Arizona. On stage was wa.exe?A2=ind9406&L=aera- John Gage (http://en.wikipedia.org/ f&D=0&P=351) for The Atlantic: wiki/John_Gage) of Sun Microsystems, projecting a Mosaic Web browser In the past year millions of people (http://en.wikipedia.org/wiki/ have heard about the Internet, but Mosaic_(web_browser)) from a flaky few people outside academia or Macintosh Duo (http://en.wikipedia.org/ the computer industry have had a wiki/PowerBook_Duo), identical to clear idea of what it is or how it the one on my lap. His access was to works. The Internet is, in effect, Sun over dial-up. a way of combining computers Everybody in the audience knew all over the world into one big about the Net, and some of us had computer, which you seemingly been on it one way or another, but control from your desk. When few of us had seen it in the fullness connected to the Internet, you can John demonstrated there. (At that boldly prowl through computers date, there were a sum total of just in Singapore, Buenos Aires, and

120 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 120 12/17/13 3:44 PM EOF

While relying on the Web and its clouds has increased the range of things we can do on the Net, our freedom to act independently has declined.

Seattle as if their contents resided Mosaic to “control”, “boldly prowl” on your own machine. and “navigate” his way around the Web, which was the “gee-whizziest In the most riveting presentation portion” of the Net. of the conference, John Gage, of That portion has since become Sun Microsystems, demonstrated conflated with the whole thing. Today the World Wide Web, the gee- we use browsers to do far more than whizziest portion of the Internet, navigate the Web. Protocols that in which electronic files contain once required separate apps—file not only text but also graphics transfer, e-mail, instant messaging— and sound and video clips. Using are now handled by browsers as well. Mosaic, a free piece of “navigator” We now also can use browsers to software that made moving around watch television, listen to radio and the Web possible, Gage clicked read publications. It’s hard to name on icons on his screen exactly as anything a computer can do that isn’t if he were choosing programs also doable (and done) in a browser. or directories on his own hard Serving up most of those capabilities disk. He quickly connected to a are utility Web services, provided by Norwegian computer center that Amazon, Apple, Dropbox, Evernote, had been collecting results during Google, Yahoo and many more, each the Winter Olympics in Lillehammer with their own clouds. The growth and checked out a score, of the Web, atop the Net, also has duplicating what Internet users provided a conceptual bridge from had done by the millions every day computers to smartphones and during the games, when CBS-TV tablets. Today nearly every mobile was notoriously late and America- app would be useless without a centric in reporting results. back-end cloud. While relying on the Web and its Note the terms here. John used clouds has increased the range of

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 121

LJ237-Jan2014.indd 121 12/17/13 3:44 PM EOF

things we can do on the Net, our from surveillance, but most muggles freedom to act independently has are either clueless about the risks or declined. The browser that started make do with advertising and tracking out as a car on the “information blockers. This is less easy in the superhighway” has become a mobile world, where apps are more shopping cart that gets re-skinned rented than owned, and most are with every commercial site it visits, maintained by vendor-side services. carrying away tracking beacons Thus, we’ve traded our freedom for that report our activities back to the conveniences of centralization. centralized servers over which The cure for that is decentralization: we have little if any control. The making the Net personal, like it wizards among us might be adept at promised to be in the first place—and maintaining some degree of liberty still is, deep down.

Figure 1. Servers Generating a Hypertext Representation

122 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 122 12/17/13 3:44 PM EOF

It should help to remember that the There’s nothing wrong with any of Web is polycentric while the Net is those, just something missing: your decentralized. By polycentric, I mean independence and autonomy. server-based: every server is a center. Meanwhile, the Net beneath the So, even though Tim Berners-Lee Web remains decentralized: a World wanted the Web to be what he called of Ends (http://worldofends.com) “a distributed hypertext system” in which every end is a functional for “universal linked information” distance of zero from every other (http://www.w3.org/History/1989/ end. “The end-to-end principle is proposal.html), what he designed the core architectural guideline was servers “generating a hypertext of the Internet” says RFC 3724. representation”, as shown in Figure 1. Thus, even though the Internet is Today this looks like your e-mail on a “collection of networks”, what a Google server—or your photos on collects them are the transcendent Instagram or your tweets on Twitter. purposes of the Net’s ends, which

Figure 2. It helps to think of the Net as the ground we walk and drive on, and the Web as clouds in the sky.

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 123

LJ237-Jan2014.indd 123 12/17/13 3:44 PM EOF

What Eben calls for is not merely to suffer the problems of centralization, but to solve them.

consist of you, me, Google and lately. One is TeleHash, and the every other node. other is XDI. If you want to grok the problems of TeleHash (http://telehash.org) centralization fully, and their threat is the brainchild of Jeremie Miller, to personal freedom, to innovation father of Jabber and the XMPP and to much else, watch, listen to protocol for instant messaging. or read Eben Moglen’s lectures titled Its slogan is “JSON + UDP + DHT “Snowden and the Future” = Freedom”, and it is described (http://snowdenandthefuture.info), as “a new wire protocol enabling given in November and December applications to connect privately 2013 at Columbia University, where in a real-time and fully distributed Eben has been teaching law for 26 manner, freeing them from relying years. The lectures are biblical in on centralized data centers”. The tone and carry great moral weight. rest of the index page says: For us in the Linux community, they are now in the canon. What What Eben calls for is not It works by sending and receiving merely to suffer the problems of small encrypted bits of JSON centralization, but to solve them. (with optional binary payloads) This requires separating the Net and via UDP using an efficient routing the Web. For me, it helps to think of system based on Kademlia the Net as the ground we walk and (http://en.wikipedia.org/wiki/ drive on, and the Web as clouds in Kademlia), a proven and popular the sky, as I’ve illustrated with the Distributed Hash Table. photo in Figure 2. There are many possibilities for Demo decentralized solutions on the Net’s It’s very much in the R&D stages ground, and I hope readers will yet, but check out hash-im remind us of some. Meanwhile, I’ll (https://github.com/quartzjer/ volunteer a pair I’ve been watching hash-im) for a simple demo.

124 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 124 12/17/13 3:44 PM Status The current spec (https://github.com/ Advertiser Index telehash/telehash.org/blob/ Thank you as always for supporting our master/protocol.md) is advertisers by buying their products! implemented in a few languages (any help here would be great!),

and prototype apps are being ADVERTISER URL PAGE # CREATED TO TEST IT 1UESTIONS Drupalize.me http://www.drupalize.me 93 can be directed at Twitter (https://twitter.com/jeremie), Emac, Inc. http://www.emacinc.com 11 or to Jeremie Miller directly. EmperorLinux http://www.emperorlinux.com 23

XDI (http://xdi.org) is a mostly- iXsystems http://www.ixsystems.com 7

baked standard. Its purpose is “to SCALE https://www.socallinuxexpo.org/scale11x/ 33 define a generalized, extensible service Silicon Mechanics http://www.siliconmechanics.com 3 for sharing, linking, and synchronizing data over digital networks using USENIX Conferences https://www.usenix.org/conferences 2

structured data formats (such as WearablesDevCon http://www.wearablesdevcon.com 15 JSON and XML) and XRIs (Extensible Resource Identifiers), a URI-compatible abstract identifier scheme defined by the OASIS XRI Technical Committee” (https://www.oasis-open.org/ ATTENTION ADVERTISERS committees/tc_home.php?wg_ The Linux Journal brand’s following has abbrev=xdi). Wikipedia (at the grown to a monthly readership nearly moment) says (http://en.wikipedia.org/ one million strong. Encompassing the magazine, Web site, newsletters and wiki/XDI): much more, Linux Journal offers the ideal content environment to help you The main features of XDI are: reach your marketing objectives. For more information, please visit the ability to link and nest RDF http://www.linuxjournal.com/advertising. graphs to provide context; full addressability of all nodes in the graph at any level of context; representation of XDI operations as graph statements

WWW.LINUXJOURNAL.COM / JANUARY 2014 / 125

LJ237-Jan2014.indd 125 12/17/13 3:44 PM EOF

so authorization can be built into distributed data sharing the graph (a feature called XDI link network models the real-world contracts); standard serialization mechanism of social contracts formats including JSON and XML; (http://en.wikipedia.org/wiki/ and a simple ontology language Social_contract), and legal for defining shared semantics contracts that bind civilized people using XDI dictionary services. and organizations in the real world today. Thus, XDI can be a key XDI graphs can be serialized in a enabler of the Social Web number of formats, including XML (http://en.wikipedia.org/wiki/ and JSON. Since XDI documents Social_Web). It has also been are already fully structured, XML cited as a mechanism to support a adds very little value, so JSON is new legal concept, Virtual Rights the preferred serialization format. (http://www.virtualrights.org), The XDI protocol can be bound which are based on a new legal to multiple transport protocols. entity, the “virtual identity”, and a The XDI TC is defining bindings to new fundamental right: “to have or HTTP and HTTPS, however it is also not to have a virtual identity”. exploring bindings to XMPP and potentially directly to TCP/IP. It’s early for both of these. But I know in both cases the mentality of XDI provides a standardized portable the developers is on the ground of the authorization format called XDI link Net and not lost in the clouds of the contracts (http://en.wikipedia.org/ Web. We’ll need a lot more of that wiki/Link_contract). Link contracts before we all get our freedom back.Q are themselves XDI documents (which may be contained in other Doc Searls is Senior Editor of Linux Journal. He is also a XDI documents) that enable control fellow with the Berkman Center for Internet and Society over the authority, security, privacy, at Harvard University and the Center for Information and rights of shared data to be Technology and Society at UC Santa Barbara. expressed in a standard machine- readable format and understood by any XDI endpoint. Send comments or feedback via http://www.linuxjournal.com/contact This approach to a globally or to [email protected].

126 / JANUARY 2014 / WWW.LINUXJOURNAL.COM

LJ237-Jan2014.indd 126 12/17/13 3:44 PM