Recently in Security Category

I've been thinking about building my own very small machine around the dual-core Intel Atom processor with Nvidia graphics. Yes, I know that Nvidia is freedom-hating and all, but I think that for the small form factors such as Mini-ITX, Intel and Nvidia are heading in the right direction when it comes to compactness, power consumption and graphical sophistication.

I usually begin my search with my favorite Mini-ITX vendor, Logic Supply, but I have also begun looking at pre-assembled systems that ship with Linux. Both ZaReason and System 76 are building small boxes around the Intel Atom/Nvidia platform, some single core, others dual core — and I do recommend the latter.

The one stopping point for me, other than money, is that I'm not sure whether or not these pre-built boxes have CPU fans or use passive cooling from massive heatsinks. For years now I've been leaning toward machines with no spinning fans either in the box itself (on the CPU or elsewhere) or the power supply. With Logic Supply I can easily make this happen.

At ZaReason, the Ion Breeze 4220, starting at $399 for single-core, offers a variety of options, including the above-mentioned dual-core Ion CPU. I don't know if Earl, the ultra-accommodating chief technology officer at ZaReason, is offering the option of a fanless motherboard — I'll ask him.

System 76 offers its Meerkat Ion NetTop with dual-core Ion starting at $359.

One thing that ZaReason offers in the Ion Breeze that I like is an optional external fanless power supply.

I've been running my converted Maxspeed Maxterm thin client as a standalone Linux/BSD box almost since the beginning of my foray into open-source operating systems, with only a single fan blowing across the Mini-ITX motherboard and its heat-pipe-cooled CPU. The fan doesn't work when the box is upright, so for all intents and purposes this is a fanless computer, and I've never had a problem with thermal issues — in fact, it runs quite cool, if not quickly with its VIA C3 Samuel processor (that's supposed to be a 1 GHz model but for some reason only runs at 500 MHz), maximum of 256 MB RAM and woeful sound and video chips.

Right now the Maxspeed is running Debian Lenny from an 8 GB CF card inserted in the thin client's built-in CF-to-IDE interface. Yep, no spinning hard drives either.

System 76 does offer solid-state drives on the Meerkat Ion, starting at $110 extra for a 40 GB Intel drive.

If the Intel Atom Ion processor isn't what you're looking for, both System 76 and ZaReason have plenty of other desktop, laptop and server machines to look at.

The best thing about buying a computer from a shop that ships with Linux (in the case of these two retailers, Ubuntu) is that your hardware is pretty much guaranteed to work. You'll have audio, video, suspend/resume, all that stuff that sometimes is hard to get straight on the box that shipped to you with Windows.

In the times I've spoken with ZaReason's Earl, and the company will build, test and ship pretty much anything you want. They specialize in Ubuntu, but you can ask for a box to be loaded with Debian or CentOS, and I believe they'll do it.

Do ZaReason and System 76 charge more than your standard computer seller? Probably. You can't get the kind of bottom-of-the-barrel deals that are offered on the cover of the Office Depot circular, but those machines often do have bits of hardware that you'll tear your virtual hair out to get working properly.

When you get a machine from a company that specializes in Linux, not only will everything work, but you'll get support that will help you clear up any issues.

And for many people — and I'm getting more like this myself with less time available for banging-my-head-against-the-wall tinkering — it's worth a little extra money for somebody else to have figured out all the issues, or in the case of these companies, to choose hardware components that work well with free, open-source operating systems from the start.

And even if you are a tinkerer, chances are it ZaReason or System 76 have built you a machine, it won't just work well in Ubuntu but will be a great platform for other Linux distros you might want to run.

Not wanting to leave out BSD, you can get a pre-built and -loaded PC-BSD (based on FreeBSD) laptop as well as two workstations (prices unknown) from IXsystems, the company behind PC-BSD. They seem to specialize in selling servers running FreeBSD and ask that interested buyers request a quote to receive pricing info. They're also offering CD and DVD sets of FreeBSD 8.0 if you don't want to bother downloading the ISOs and burning your own discs.

Not to go off on a tangent or anything, I've been giving FreeBSD a lot more thought lately. I've run OpenBSD on the desktop as my primary system for about six months, and I'm considering FreeBSD instead for a future test for the following reasons:

• Easier upgrades and much longer cycle
• More focus on desktop users with hopefully better (and more meta-style) packages for things like GNOME
• Flash 9 and possibly Flash 10 support through the Linux compatibility layer
• Better performance
• I really don't need it for architectures other than Intel/AMD (although PowerPC and SPARC 64 are available; side note — on the various pages emanating from its platforms page, FreeBSD offers not only official manuals from the makers of the hardware in question but also links to other BSDs that run on the architecture. A very nice touch, I think)
• Community that actually cares about end users who aren't developers

I need to try some live images of recent FreeBSD/PC-BSD releases. (Is PC-BSD a live CD yet? I haven't kept up, but I did utilize the live environment of DesktopBSD back when I was testing it).

I never did the full review I promised of Dru Lavigne's excellent "The Best of FreeBSD Basics" book, but I find it to be an excellent reference for the FreeBSD and PC-BSD user. Dru is one of the best writers around in the Unix community, and even if you don't run BSD you can learn a lot about using Unix/Linux from this book. I got a whole lot about the shell, file permissions and other Unix sys-admin tasks, from "Basics," just as Michael Lucas' discussion of sudo in "Absolute OpenBSD" makes that now-way-out-of-date book extremely relevant and useful for anybody running any kind of Unix/Linux today who wants to make the most of sudo in their own environment (and especially on the server).

On the same tangentially arrived-at topic, Dru Lavigne's latest book, "Beginning PC-BSD: Frugal Unix for Power Users," is slated to be released three days from now. If past work is any indication, this will be an excellent book for anybody contemplating the use of PC-BSD.

I'd rather Dru write a book on using FreeBSD on the desktop — not necessarily PC-BSD but building out a FreeBSD-based desktop through ports or packages — but I can understand her focusing on PC-BSD given that the iXSystems-led project is a lot closer to what Linux users are used to.

Not just the Internet but newspapers, TV and just about everybody you see on the street with just a little speck of geek in them is abuzz about the Conficker worm.

This malicious piece of code was supposed to get all medieval on us ... right about now, meaning April 1, with all sorts of nasty consequences, including the transmission of logins, passwords and other sensitive information out of our very own PCs and into the arms/hard drives of those who seek to harm us.

Could happen. Probably won't happen to you, but the danger persists.

For help on Conficker, I turned to my usual go-to source, ZDNet, where I perused the following:

• The "no bull" guide to Conficker by Adrian Kingsley-Hughes
• Are you ready for Conficker? by Christopher Dawson
• Conficker tracking — all's quiet, so far by Elinor Mills

Here are the high points:

Conficker, also known as Downup, Downandup, Conflicker and Kido, has been around for awhile in various forms — since last year, in fact. If you want to know much, much more about the worm, go to the Conficker Working Group wiki.

According to the Conficker Working Group, the worm can do some nasty things:

• Block system services on Windows PCs that include Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting
• Connect to another computer or computers and begin infecting them
• Collect sensitive information
• Install additional malware
• Attach itself to internal Windows utilities/services that include svchost.exe, explorer.exe and services.exe

And one of the main forms of entry for Conficker in its various forms are those ubiquitous USB flash-memory drives that we've all been using for the past many years ...

Also from the Conficker Working Group:

Experts say (Conficker) is the worst infection since the SQL Slammer. Estimates of the number of computers infected range from almost 9 million PCs to 15 million computers, however a conservative minimum estimate is more like 3 million which is more than enough to cause great harm.

OK, so it's bad.

What do you do about it?

Well if you don't run Windows, you're OK. While it's possible to spread Conficker via a Mac OS X or Unix/Linux computer, the worm itself won't affect those machines because like almost all malware, it's aimed at Windows PCs.

The way to protect yourself from Conficker and all manner of malware/worms/viruses/trojans/what-have-yous is to have a fully patched Windows system with all of Microsoft's security updates as well as an antivirus program with all of its current updates.

So if you're running, say, Windows XP or Vista, and if you have the Microsoft updates set to download and install automatically, you're OK on the first count, and Conficker probably won't hurt you.

And if you're running Norton Antivirus, McAfee Total Protection, AVG Internet Security or any number of competing products from reputable, well-known vendors, you'll also know about anything harmful before it affects your Windows installation.

For Windows users, I recommend Avast Home Edition, which is free for personal use, or Avast Professional Edition for the workplace.

But right here, right now, you can download Microsoft's Windows Malicious Software Removal Tool for free and do either a quick scan or full scan of your system. If you have Conficker and somehow don't know it, this tool should throw up a bunch of red flags sooner rather than later.

I downloaded the tool to try it. Once I ran it, a message in the window said that if you did have an infected PC, a quick scan (which takes only a few minutes) will tell you that you need to do a full scan — which could take several hours. I ran the quick scan, which didn't find anything amiss. So the antivirus on my work-supplied PC, which is Computer Associates' eTrust, seems to be doing its job.

Here's the bottom line: If your Windows box has all the latest Microsoft patches, if you have current antivirus software, and if you're not prone to downloading and running random .exe software files from all over the Web ... and if everything seems to be working fine, you're probably OK.

If you are running an unpatched version of Windows, don't use antivirus or haven't kept your "subscription" to its updates going, and if you regularly Google for free software from less-than-reputable sources, you might have a problem. If not now, then soon.

The last time I had to clear an XP machine of malware, there was no question that the machine was infected — it was barely functional. After a full day of scanning and malware-removal with Avast, all was well.

What we can learn from Conficker is that when there's a lot of publicity for a malicious attack on computers, the eventual outcome of that infection is usually not as bad as first thought. It's all those other times when you personally have a malware-infected PC that keeps you from using your computer and imperils your data. That's when you should really worry (and have more than one backup of your data).

And like my colleague Steven J. Vaughn-Nichols of Computerworld says, you could always avoid all of this angst by not running Windows.

What role does the Internet Explorer Web browser play in your life? In recent days, new vulnerabilities in the flagship Windows browser have come to light.

Alas, the fix is in, but pundits continue to suggest that running IE is just asking for trouble.

I'm not ready to say IE is such a security risk that instead browsing the Web with Firefox, Google's new Chrome, the super-quick Opera or even Apple's cross-platform Safari is enough to save your digital bacon.

Nope, it's all about what you do, where you go and what computing platform you choose to do it with.

The fast is that i386-based Windows PCs continue to be the most vulnerable platforms out there because of both their ubiquity and relative lack of built-in security when compared to Macintosh OS X and the vast number of Unix-like OSes out there (including Linux, the BSDs and Sun's offerings).

If you make a habit of downloading executable files (they're easy to spot in Windows because they end in .exe) without being absolutely sure they're totally legitimate and then double-clicking on them, bad things may very well happen.

Don't get me wrong. Searching for free software for Windows computers is something I do, too. Not often, but I do it. That's how I found some of my very favorite applications on any platform, including the terrific image viewer/editor IrfanView, the fast AbiWord word processor and Notepad++, the best Windows-native text editor ever.

Upon seeing 17 software updates waiting for me on my Debian Etch box this morning, I hurried over to the Debian security site and learned that the Debian security team issued a flurry of patches on Oct. 29, 2008, for all versions of OpenOffice.

On my system, this is a relatively huge 101 MB download.

The details are available at Debian.org and in the debian-security-announce mailing list:

Several vulnerabilities have been discovered in the OpenOffice.org office suite:

CVE-2008-2237

The SureRun Security team discovered a bug in the WMF file parser
that can be triggered by manipulated WMF files and can lead to
heap overflows and arbitrary code execution.

CVE-2008-2238

An anonymous researcher working with the iDefense discovered a bug
in the EMF file parser that can be triggered by manipulated EMF
files and can lead to heap overflows and arbitrary code execution.

For the stable distribution (etch) these problems have been fixed in
version 2.0.4.dfsg.2-7etch6.

For the unstable distribution (sid) these problems have been fixed in
version 2.4.1-12.

For the experimental distribution these problems have been fixed in
version 3.0.0~rc3-1.

There are some cases when a security patch will go to Debian's Testing branch (currently Lenny) at the same time as the other branches, but in this case, it appears that the patches will be "tested" in Sid and will shortly flow into Lenny (the usual path for software in Debian.

As always, in a default Debian desktop installation, the updates will be pushed to the system in the Update Manager. Otherwise, you can use Synaptic in a graphical environment, or at a console apt or Aptitude to apply the patches.

While Ryan Naraine of ZDNet says that the vulnerabilities don't affect OO 3.0, but Debian appears to be doing patches to that version anyway.

More on Debian security:

• Debian User Manuals (and the Securing Debian chapter)
• Debian security FAQ

It's called cramming.

What happens is that unscrupulous companies add bogus charges for things you never ordered and don't need to your phone bill.

Has this ever happened to you? Cram this: a firsthand account of my recent cramming by Nate Anderson at Ars Technica explains his tale of woe.

I've done some experimenting with encrypted filesystems in Debian, which are easy to do with the Debian installer — and which are just as easy to do in Ubuntu if you use the alternate installer.

Like I said, it's easy to do and to manage, unless you want to have a bunch of partitions under a single passphrase. This blog post helps you figure it out.

While full encryption is something you might want to use on a home desktop, although I wouldn't, it's almost mandatory for a laptop. If the thing gets stolen, whoever gets that drive has access to everything on it. And you really don't want that happening, do you?

Right now, neither of my two Linux laptops are encrypted, since I use them for testing and need to see one system's hard-drive partitions from the other, but in the near future, if I decided to single-boot either or both of these, you can bet I'll be encrypting the hard drive.