
Since 1994: The Original Magazine of the Linux Community

JANUARY 2014 | ISSUE 237 | www.linuxjournal.com


SECURITY
SOLID-STATE DRIVES: Are They Worth It?
+ ENCRYPTED BACKUP SOLUTIONS With TrueCrypt and SpiderOak
An Introduction to QUANTUM CRYPTOGRAPHY
TOR: Browse the Web Anonymously
TAKING ADVANTAGE OF ENCRYPTION
TIPS FOR USING THE PAX ARCHIVING UTILITY
HOW TO HARDEN YOUR SSH CONNECTIONS
LJ237-Jan2014.indd 1 12/17/13 3:42 PM
4 / JANUARY 2014 / WWW.LINUXJOURNAL.COM
CONTENTS
JANUARY 2014
ISSUE 237
FEATURES
68 Quantum Cryptography: Classical cryptography may not be good enough in providing security in the near future. Subhendu Bera
80 More Secure SSH Connections: Secure shell connections can be hardened for extra security. Federico Kereki
94 Encrypted Backup Solution "Home Paranoia Edition": A solution for safeguarding your personal information. Tim Cordova
SECURITY
Cover Image: Can Stock Photo Inc. / maxkabakov
ON THE COVER
How to Harden Your SSH Connections, p. 80
Encrypted Backup Solutions with TrueCrypt and SpiderOak, p. 94
An Introduction to Quantum Cryptography, p. 68
Tor: Browse the Web Anonymously, p. 50
Taking Advantage of Encryption, p. 56
Tips for Using the pax Archiving Utility, p. 21
Solid-State Drives: Are They Worth It?, p. 108
LINUX JOURNAL (ISSN 1075-3583) is published monthly by Belltown Media, Inc., 2121 Sage Road, Ste. 395, Houston, TX 77056 USA. Subscription rate is $29.50/year. Subscriptions start with the next issue.
INDEPTH
108 Solid-State Drives: Get One Already! If you've been on the fence, this article should convince you to give SSDs a try. Brian Trapp
COLUMNS
36 Reuven M. Lerner's At the Forge: Talking to Twitter
44 Dave Taylor's Work the Shell: Easy Watermarking with ImageMagick
50 Kyle Rankin's Hack and /: A Bundle of Tor
56 Shawn Powers' The Open-Source Classroom: Encrypting Your Cat Photos
120 Doc Searls' EOF: Returning to Ground from the Web's Clouds
KNOWLEDGE HUB
106 Webcasts and White Papers
IN EVERY ISSUE
8 Current_Issue.tar.gz
10 Letters
16 UPFRONT
34 Editors' Choice
64 New Products
125 Advertisers Index
26 MANDELBULBER
94 TRUECRYPT
50 TOR
Executive Editor: Jill Franklin, jill@linuxjournal.com
Senior Editor: Doc Searls, doc@linuxjournal.com
Associate Editor: Shawn Powers, shawn@linuxjournal.com
Art Director: Garrick Antikajian, garrick@linuxjournal.com
Products Editor: James Gray, newproducts@linuxjournal.com
Editor Emeritus: Don Marti, dmarti@linuxjournal.com
Technical Editor: Michael Baxter, mab@cruzio.com
Senior Columnist: Reuven Lerner, reuven@lerner.co.il
Security Editor: Mick Bauer, mick@visi.com
Hack Editor: Kyle Rankin, lj@greeny.net
Virtual Editor: Bill Childers, bill.childers@linuxjournal.com

Publisher: Carlie Fairchild, publisher@linuxjournal.com
Director of Sales: John Grogan, john@linuxjournal.com
Associate Publisher: Mark Irgang, mark@linuxjournal.com
Webmistress: Katherine Druckman, webmistress@linuxjournal.com
Accountant: Candy Beauchamp, acct@linuxjournal.com

Contributing Editors
Ibrahim Haddad, Robert Love, Zack Brown, Dave Phillips, Marco Fioretti, Ludovic Marcotte, Paul Barry, Paul McKenney, Dave Taylor, Dirk Elmendorf, Justin Ryan, Adam Monsen

Linux Journal is published by, and is a registered trade name of, Belltown Media, Inc.
PO Box 980985, Houston, TX 77098 USA

Editorial Advisory Panel
Brad Abram Baillio, Nick Baronian, Hari Boukis, Steve Case, Kalyana Krishna Chadalavada, Brian Conner, Caleb S. Cullen, Keir Davis, Michael Eager, Nick Faltys, Dennis Franklin Frey, Alicia Gibb, Victor Gregorio, Philip Jacob, Jay Kruizenga, David A. Lane, Steve Marquez, Dave McAllister, Carson McDonald, Craig Oda, Jeffrey D. Parent, Charnell Pugsley, Thomas Quinlan, Mike Roberts, Kristin Shoemaker, Chris D. Stark, Patrick Swartz, James Walker

Advertising
E-MAIL: ads@linuxjournal.com
URL: www.linuxjournal.com/advertising
PHONE: +1 713-344-1956 ext. 2

Subscriptions
E-MAIL: subs@linuxjournal.com
URL: www.linuxjournal.com/subscribe
MAIL: PO Box 980985, Houston, TX 77098 USA

LINUX is a registered trademark of Linus Torvalds.
Current_Issue.tar.gz
SHAWN POWERS
Lapsang Souchong!

Back when we were kids, security meant little more than having a secret password to keep little siblings out of the treehouse. That's still the case in some situations. Take the title of this column, for instance. If you go to the #linuxjournal IRC channel on FreeNode, saying "Lapsang Souchong" will mark you as part of the inner circle. (Note, this does not make you one of the cool kids...possibly the exact opposite!)

When it comes to computer security, however, things are quite a bit more complex. Whether you want to encrypt your data or lock down network access, Linux provides a wide variety of security tools. This month, we focus on using those tools in our Security issue.

Reuven M. Lerner starts off the issue with instructions on how to integrate Twitter into your applications. Whether you need your app to tweet results, error messages or automatic cat photos, Reuven walks through implementing the API. Dave Taylor follows up with a tutorial on using the ImageMagick suite to watermark and copyright photos. Since I use ImageMagick extensively with my BirdCam project (which you'll hear more about in a month or so), I found his column particularly interesting. If you need to work with photos, especially if direct interaction isn't possible, Dave's column will be interesting for you too.

Kyle Rankin gets into the security mindset this month by approaching privacy. Specifically, he explains how to set up Tor in order to browse the Web in private. Tor is just as useful as it once was, but thankfully, it's gotten easier and easier to implement. I follow Kyle's column with The Open Source Classroom, and this month, I talk about file encryption. Many people are intimidated by the notion of encryption, but it doesn't have to be scary. This month, we'll do just enough encryption to wet your whistle, and hopefully get you interested in learning more.

Although I may have introduced encryption in my column, Subhendu Bera takes things to a whole new level with Quantum Cryptography. Mathematics-based encryption is complex, for sure, but will it be enough as technology advances? Subhendu gives an explanation of Quantum Cryptography and a quick lesson in Quantum Mechanics as well. If you're interested in the future of cryptography, you'll love his article.

Remember Telnet? Telnet has been replaced in almost every situation by the much more secure SSH protocol. Granted, there still are a few situations that warrant the use of Telnet, but those generally are inside your network and never over the Internet. Just switching to SSH, however, isn't enough to ensure that you're secure. Sure, the connection itself is encrypted, but what if you have a user with a simplistic password? Or a script kiddie scanning for vulnerabilities? Federico Kereki describes how to harden SSH this month, making the wonderful and flexible SSH protocol a little safer to use. Whether you want to limit your allowed users or disable password connections altogether, Federico's article will guide you down the path of better SSH.

I may have started this issue with the basics of file and disk encryption, but if you are looking for more, Tim Cordova is about to be your favorite person. Going far beyond single file or even removable drive encryption, Tim shows how to encrypt your entire hard drive. Then, Tim goes even further and explains how to configure TrueCrypt in conjunction with SpiderOak to make sure your data is not only encrypted, but backed up as well! If you're interested in privacy and encryption, don't miss this article.

We finish off the security issue with Brian Trapp's article on solid-state drives. SSDs have been around for a number of years now, and we're finally to the point that we can provide some longevity statistics and reliability information. Have you been avoiding SSDs because you thought they would wear out? Did you think they had a significantly higher failure rate? Were you worried that you need Windows-specific drivers to make them work? Brian assuages many of those fears and validates those that are valid. SSDs are fast, and they can provide an incredible performance boost in most situations. You owe it to yourself to see if your scenario warrants an SSD. Brian's article will help.

This issue also contains tons of other Linux goodies. We have product announcements, opinion pieces and even fractals. You don't have to be one of the cool kids to enjoy this issue of Linux Journal, but it helps to be one of the smart kids. Thankfully, our readers tend to have that attribute in plentiful supply. We hope you enjoy this issue as much as we enjoyed putting it together.

Shawn Powers is the Associate Editor for Linux Journal. He's also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don't let his silly hairdo fool you, he's a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.
letters
rss2email: Excellent Article
Thanks to Kyle Rankin for his Command-Line Cloud rss2email article in the October 2013 issue. I've been lamenting my loss of RSS feeds for some time, and this is a perfect solution!
Steve Hier

I love that Linux affords us multiple solutions to our tech problems. I've tried a handful of Google Reader alternatives (settling on commafeed), but I love seeing how other people tackle the problem as well. Kyle's penchant for simplicity certainly comes through with his preference for rss2email. I'm pretty sure Kyle would be happy with just a constant stream of 1s and 0s, but he's not quite willing to admit it!
Shawn Powers

LVM, Demystified
Regarding Shawn Powers' article "LVM, Demystified" in the December 2013 issue: I've been a fan of LVM2 from the beginning. (LVM1 really wasn't ready for Prime Time.)

You said in your article "LVM is an incredibly flexible, ridiculously useful and not terribly complicated to use system." I agree totally. However, it is not without its idiosyncrasies.

If you do a followup article, you may mention a few things.

1) There was a bug where trying to pvmove an entire volume with multiple LVs on it sometimes hung up LVM (at least the progress of the move), necessitating a reboot. The recommendation if you had a level with this bug was to move each LV individually.

This had the side benefit of allowing you to defragment the segments of your LV (by moving the segments in order and filling each PV). This makes no difference to performance, but makes it easier to see what you have where. Tedious, but it makes the neat freak in me happy.

The Red Hat Advisory was RHBA-2012:0161-1, Bugzilla BZ#706036.

2) The metadata present on each PV now eats up a PE (that is, in your case, not usable 3.00 MiB, but it's usually 4MB), and it is a good practice to have metadata on every PV! That means that, for example, if you have 5 * 100GB PVs, you don't have 500GB to use, you have 499.9-something GB, that is, 500GB minus 20MB (5 PEs, each 4MB in size). This is a problem mainly with SAN LUNs, as they are usually precisely some size.

This means that if you allocated -L 500G, it would fail, telling you that you were slightly short of what you needed. A subsequent !' ($)*% would give you almost 500GB and would work. (I think I have my math right here, but you get the picture.)

3) lvdisplay --maps ... and pvdisplay --maps are your best friends if you want to understand basic LVM.

4) Don't try to pvmove a swap volume. Simply allocate a new one and delete the old one.

Excellent article. It's not an easy concept to get across to the novice, but once you understand it, it seems so simple.
Tom Lovell
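Item 2 of the letter above is easy to get wrong in practice, so here is an added model of LVM's extent accounting. This is example code written for this page, not code from the letter writer or from the LVM project; the five 100GiB PVs, the 4MiB extent size and the one-extent metadata reservation per PV are assumptions taken from the letter's figures, and the size rounding mimics how lvcreate counts in whole extents.

```python
# Model of LVM physical-extent accounting (constructed example, not LVM code).
# Assumptions: each PV reserves exactly one PE for metadata, and space is
# allocated only in whole extents, as the letter above describes.
from dataclasses import dataclass

MiB = 1024 ** 2
GiB = 1024 ** 3


@dataclass
class PhysicalVolume:
    """One PV; usable space is counted in whole physical extents (PEs)."""
    size_bytes: int
    pe_size: int = 4 * MiB        # assumed LVM2 default extent size
    metadata_extents: int = 1     # the PE the letter says metadata eats

    def total_extents(self) -> int:
        # A tail smaller than one PE can never be allocated.
        return self.size_bytes // self.pe_size

    def usable_extents(self) -> int:
        return self.total_extents() - self.metadata_extents

    def wasted_tail_bytes(self) -> int:
        # Bytes lost because the PV size is not a multiple of the PE size
        # (the letter's SAN LUN case).
        return self.size_bytes - self.total_extents() * self.pe_size


def free_extents(pvs) -> int:
    return sum(pv.usable_extents() for pv in pvs)


def extents_needed(size_bytes: int, pe_size: int) -> int:
    # A byte-sized request is rounded UP to whole extents.
    return -(-size_bytes // pe_size)


def try_allocate_size(pvs, size_bytes: int):
    """Model 'lvcreate -L <size>': all-or-nothing.

    Returns (ok, shortfall_in_extents)."""
    need = extents_needed(size_bytes, pvs[0].pe_size)
    have = free_extents(pvs)
    return need <= have, max(0, need - have)


def allocate_all_free(pvs) -> int:
    """Model 'lvcreate -l 100%FREE': returns the bytes actually allocated."""
    return free_extents(pvs) * pvs[0].pe_size


def letter_scenario():
    """The letter's case: five 100GiB PVs, 4MiB PEs, metadata on every PV."""
    return [PhysicalVolume(100 * GiB) for _ in range(5)]


if __name__ == "__main__":
    pvs = letter_scenario()
    ok, short = try_allocate_size(pvs, 500 * GiB)
    print("lvcreate -L 500G succeeds:", ok, "(short by", short, "extents)")
    print("lvcreate -l 100%FREE gives", allocate_all_free(pvs) / GiB, "GiB")
    lun = PhysicalVolume(100 * 10**9)   # a decimal 100 GB SAN LUN
    print("decimal 100 GB LUN wastes", lun.wasted_tail_bytes(), "bytes")
```

The shortfall for the 500G request comes out as exactly one extent per PV, which is the "20MB" the letter computes, and the same request reduced by that amount succeeds; that is why asking for a percentage of free space is the safer habit when a volume group is built from LUNs cut to a precise size.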
It's always tough for me to decide
how far to travel down the rabbit hole when approaching a topic like LVM. By sysadmin standards, I'm a noob myself, since I avoided LVM for so long. I figured it was worthwhile to bring folks up to my comprehension level, even if I wasn't a zen master. I said all that to say that I really, really appreciate letters like yours. Not only do I get to learn more, but it benefits everyone who reads Linux Journal as well. And, now I get to go play with more LVM stuff!
Shawn Powers
Bird Feeder
Shawn Powers' bird-feeder article (see "It's a Bird. It's Another Bird!" in the October 2013 issue) was one of the most appealing I've read in LJ since 1994. It's something I often contemplated, but never got beyond that. Many thanks for pointing the way.

An FYI, I alone have turned about six people into active viewers, so I do hope you have plenty of capacity, if only so I don't get locked out now. It's a very pleasant diversion. And you've put out a great bird buffet. Based on my own feeders, you will be kept quite busy keeping them full as word spreads in bird land. And of course, one really has to keep doing it throughout the winter now, as some birds become dependent on them.
Bob Kline

It was my favorite article to write, up there with the article on the arcade cabinet I built and submitted back when I was a freelancer. I'm starting a followup article now, which will probably be published...hmm...in February? I've been tinkering with BirdCam, adding multiple cameras, motion detection with motion, archive video creation, all sorts of cool stuff.

Thank you for the e-mail. I'm really glad you enjoyed the article and the camera. I have it scaled out to my Dreamhost account, so it should be able to handle lots of hits. I zoomed in the camera closer to the feeders (you probably noticed), and embedded the window cam and a closeup of the bird bath. It's so funny to see the starlings in the bird bath. I might point a camera there to capture video!
Shawn Powers

Linux Archive DVD
I would be very tempted by the Archive DVD, if there were PDF or Mobi versions of the back issues available on the Archive. I love the idea of using grep to search the HTML versions, but it would be nice to send an issue (once found) to your favorite reading device.

I know matching the original print format with a digital format is a painstaking process. Maybe you could make it clear it is an approximation or use a new different automated format for the back issues?

The digital versions of the back issues would be useful for LJ readers who have become accustomed to carrying our LJ issues on Kindles, tablets or phones.
Rob

The Archive DVD used to confuse and frustrate me as well. I thought it was a simple collection of past issues that I'd be able to flip through like a pile of magazines. It's grown on me over the years, however, because I see it as more of a collection of articles unbound from the magazine format. Organization is still by issue, yes, but clicking through is a different experience.

Subscribers have access to back issues in whatever digital format is available (all formats for issues going back to September 2011, and PDFs of all formats from April 2005). We don't, unfortunately, have digital versions going all the way back, but those that exist should be accessible on your subscriber page. Hopefully that helps!
Shawn Powers

iPad App Issues
I've been using my iPad for viewing the digital subscription since the printed version ceased to exist. I think there needs to be a major update to your newsstand app.

I've downloaded every issue to my iPad, but I cannot view any of the downloaded issues without an active Internet connection. For some reason, this evening I'm not able to connect to whatever service controls your downloads. Not only can I not download the latest issue, but I cannot view/read any of my existing already-downloaded issues! Reading my previously downloaded issues should not rely on nor require an active connection to anything.

When I'm not having a problem connecting to your servers, all my downloaded issues say "Read" next to them; when I am having an issue, they all switch back to "Download".

Please address this issue as soon as possible. Having to give up my print issues was hard enough, but this just compounds the problem.

Thanks for a great magazine!
Jon Simonds

I don't have an iPad personally, but I've noticed with my wife's that the iOS7 implementation of Newsstand, at least as it pertains to the Linux Journal app, is frustrating at best. To be honest, I download either the .epub or .pdf directly and peruse the issue from there. We'll work with our vendor to try to get things working right with Newsstand, but I expect the process to be lengthy and frustrating! The downloadable copies you get links for as a subscriber should load right into the iBooks app if you're having issues with the Newsstand app. Hopefully, things will be straightened out soon. I have found in the past that deleting and then re-installing the Linux Journal app sometimes helps as well.
Shawn Powers
At Your Service
SUBSCRIPTIONS: Linux Journal is available
in a variety of digital formats, including PDF,
.epub, .mobi and an on-line digital edition,
as well as apps for iOS and Android devices.
Renewing your subscription, changing your
e-mail address for issue delivery, paying your
invoice, viewing your account details or other
subscription inquiries can be done instantly
on-line: http://www.linuxjournal.com/subs.
E-mail us at subs@linuxjournal.com or reach
us via postal mail at Linux Journal, PO Box
980985, Houston, TX 77098 USA. Please
remember to include your complete name
and address when contacting us.
ACCESSING THE DIGITAL ARCHIVE:
Your monthly download notifications
will have links to the various formats
and to the digital archive. To access the
digital archive at any time, log in at
http://www.linuxjournal.com/digital.
LETTERS TO THE EDITOR: We welcome your
letters and encourage you to submit them
at http://www.linuxjournal.com/contact or
mail them to Linux Journal, PO Box 980985,
Houston, TX 77098 USA. Letters may be
edited for space and clarity.
WRITING FOR US: We always are looking
for contributed articles, tutorials and
real-world stories for the magazine.
An authors guide, a list of topics and
due dates can be found on-line:
http://www.linuxjournal.com/author.
FREE e-NEWSLETTERS: Linux Journal
editors publish newsletters on both
a weekly and monthly basis. Receive
late-breaking news, technical tips and
tricks, an inside look at upcoming issues
and links to in-depth stories featured on
http://www.linuxjournal.com. Subscribe
for free today: http://www.linuxjournal.com/
enewsletters.
ADVERTISING: Linux Journal is a great
resource for readers and advertisers alike.
Request a media kit, view our current
editorial calendar and advertising due dates,
or learn more about other advertising
and marketing opportunities by visiting
us on-line: http://ww.linuxjournal.com/
advertising. Contact us directly for further
information: ads@linuxjournal.com or
+1 713-344-1956 ext. 2.
PHOTO OF THE MONTH
Remember, send your Linux-related photos to
ljeditor@linuxjournal.com!
WRITE LJ A LETTER
We love hearing from our readers. Please
send us your comments and feedback via
http://www.linuxjournal.com/contact.
UPFRONT
NEWS + FUN
diff -u
WHAT'S NEW IN KERNEL DEVELOPMENT

A recent bug hunt by kernel developers ended up identifying a long-standing bug in GCC. The indications were there from the start, but it took some investigation to nail it down.

Originally, Fengguang Wu reported a kernel oops, and used git bisect to identify the specific patch that revealed the problem. It was an optimization suggested by Linus Torvalds and implemented by Peter Zijlstra that aimed at freeing up a hardware register by using the asm goto instruction in the kernel's modify_and_test() functions.

The first indication that the problem might boil down to a compiler bug was that the patch just seemed correct to folks. Neither Peter nor Linus was able to see anything wrong with it, so they suggested trying to reproduce the oops on kernels compiled with different versions of GCC, and Linus suggested disabling asm goto directly to see if that had any effect.

At first, Fengguang found that earlier compilers made no difference. He'd started off using GCC 4.8.1, but 4.6.1 also produced a kernel that would reproduce the oops. But as Linus suspected, disabling asm goto in the kernel code did fix the problem. After a while, Fengguang also discovered that the older GCC version 4.4.7 also produced a working kernel, because that compiler had no support for asm goto.

Gradually, other folks began to be able to reproduce the problem on their own systems. Originally, the issue seemed to affect only 32-bit Linux systems, but ultimately, Linus was able to reproduce the problem on his own 64-bit system. It was harder to trigger on a 64-bit system, but it boiled down to being the same problem. As the scope of the problem began to reveal itself, Linus remarked, "It makes me nervous about all our traditional uses of asm goto too, never mind the new ones."

Jakub Jelinek opened a Bugzilla ticket against GCC, and folks started thinking about workarounds for the kernel. Even after GCC got a fix for this particular bug, it wouldn't do to allow the kernel to miscompile on any version of GCC, if it possibly could be avoided. A workaround did end up going into the next Linux kernel release candidate, and a fix went into GCC 2.8.2. Shortly afterward, Greg Kroah-Hartman also adopted the kernel workaround in the 3.11.x stable tree.

The reason the kernel needed a workaround in spite of the fact that a real fix went into GCC was because the kernel needs to support the widest possible dispersion of host systems. Anyone, anywhere, with any particular hardware setup, using any particular versions of the various development tools, should be able to build and run the kernel. In some cases that ideal can't be reached, but it remains an ideal nonetheless.

Traditionally, software could mount a filesystem only after registering it with the kernel, so the kernel would know its name and a bit about how to manage it. This has been true even for internal filesystems like ia64, pfmfs, anon_inodes, bdev, pipefs and sockfs. But, Al Viro recently said there was no longer any reason to require registration for these filesystems, and he submitted a patch to take out the requirement.

First of all, he and Linus Torvalds agreed that there probably isn't any user code that actually looks up those filesystems in the registry. There's just no reason anyone would want to.

As Al explained on the mailing list, there used to be a need to register all filesystems. But about a decade ago, the kern_mount() call changed to take only a pointer to the filesystem, rather than needing to look it up by name.

Ever since then, the need to register these internal filesystems has been minimal. The only remaining dependency was a single data structure initialized by register_filesystem() that was needed by all filesystems. But, Al said that even this dependency was eliminated a couple years ago, when the data structure was optimized no longer to need register_filesystem(). By now, Al said, there's no reason to register the filesystem types that can only be used for internal mounts.

With this change, /proc/filesystems would no longer list internal filesystems. And as Linus pointed out, those filesystems wouldn't reliably be listed anywhere on the system. Even /proc/modules, Linus said, would list those filesystems only if they'd been compiled as modules.

So, with some mild trepidation, Linus accepted the patch. If no one howls, it'll probably stay.
ZACK BROWN
Blu-ray Encryption: Why Most People Pirate Movies

I get a fair amount of e-mail from readers asking how a person could do questionable things due to limitations imposed by DRM. Whether it's how to strip DRM from ebooks, how to connect to Usenet or how to decrypt video, I do my best to point folks in the right direction with lots of warnings and disclaimers. The most frustrating DRM by far has been with Blu-ray discs.

Unless I've missed an announcement, there still isn't a proper way for Linux users to watch Blu-ray movies on their computers. It's hard enough with Windows or Macintosh, but when it comes to Linux, it seems that turning to the dark side is the only option. In the spirit of freedom, let me point you in the direction of how, and leave it up to you to decide whether it's a road you want to travel.

When ripping a movie from Blu-ray, I know of only one program that can do the job. MakeMKV is a cross-platform utility that will extract the full, uncompressed movie from most Blu-ray discs. Unfortunately, you have to download the source code and compile it. You need both the binaries and the source download files, and then follow the included directions for compiling the software. Yes, it's a bit complex.

Once you compile MakeMKV, you should be able to use it to extract the Blu-ray disc to your computer. Be warned, the file is enormous, and you'll most likely want to compress it a bit. The tool for that thankfully is much easier to install. Handbrake has been the de facto standard video encoding app for a long time, and when paired with MakeMKV, it makes creating playable video files close to painless. I won't go through the step-by-step process, but if the legally questionable act of ripping a Blu-ray disc is something you're comfortable doing, http://www.makemkv.com and http://www.handbrake.fr are the two software packages you'll want to explore.
SHAWN POWERS
Non-Linux FOSS:
Persistence of Vision
Raytracer (POV-Ray)
Back in the mid-1990s, a college friend (hi Russ!) and I would put our old 8088 computers to work rendering ray-traced images for days, literally. The end result would be, by today's standards, incredibly low resolution and not terribly interesting. Still, the thought of a computer system creating realistic photos from nothing more than math equations was fascinating. As you probably already guessed, Russ and I weren't terribly popular.
All these years later, the same ray-tracing software we used back then is now up to version 3.7, and it has been released as free, open-source software. The developers kindly have created a downloadable Windows installer for those folks stuck on a Microsoft operating system. If you think the world is nothing more than math, and you'd like to prove it with ray-traced images, head on over to http://www.povray.org and download your copy today. I can't promise it will make you popular, but at least by my standards, it will make you cool!
SHAWN POWERS
This image is completely computer-generated, created by Gilles Tran, released into public domain.
Stream and Share Your
Media with PlexWeb
Plex is one of those applications I tend to write about a lot. It's not because I get any sort of kickback or even a discount, but rather it's just an incredible system that keeps getting better. For this piece, I want to talk about PlexWeb, which functions much like the Android app I've mentioned before, but works completely inside a Web browser, almost any Web browser, on any operating system.
You can access PlexWeb by surfing to http://my.plexapp.com and logging in with your free account. (If you have a static IP at home, you also can connect directly to your home server by bookmarking the URL generated by plexapp.com.) You will be redirected to your home server, and you'll be able to transcode and stream your movies to any computer, anywhere.
I freely admit that I wish Plex was open source. Thankfully, however, its proprietary code doesn't mean Linux users are excluded. Whether you're using the Plex app on your Android device, installing Plex Home Theater on your Linux machine or even streaming video to your Aunt Edna's Web browser while visiting over the holidays, Plex is an incredible tool that keeps getting better. PlexWeb is free, but if you're interested in experiencing the latest and greatest Plex has to offer, a PlexPass subscription will get you access to features like Cloud Sync before anyone else gets to see them! To get started with Plex, visit the Web site at http://www.plexapp.com.
SHAWN POWERS
Make Peace with pax
pax is one of the lesser known utilities in a typical Linux installation. That's too bad, because pax has a very good feature set, and its command-line options are easy to understand and remember. pax is an archiver, like tar(1), but it's also a better version of cp(1) in some ways, not least because you can use pax with SSH to copy sets of files over a network. Once you learn pax, you may wonder how you lived without it all these years.
pax has four modes: list, read, write and copy. Reading and writing are controlled by the -r and -w options, respectively. In combination, -rw, pax acts a little bit like cp -R. If neither is used, pax lists the contents of the archive, which may be a file, device or a pipe.
By default, pax operates as a filter: it reads from standard input and writes to standard output, a feature that turns out to be very useful. But usually these days, the target is an archive file, the familiar tarball. Let's start by creating one:
    $ cd /tmp
    $ mkdir paxample
    $ touch paxample/foo
    $ pax -wf paxample.tar paxample
The -w option means write, that is, create an archive. The -f option provides the name of a file to which to write the archive. If desired, pax can gzip or bzip the file at the same time:
    $ pax -wzf paxample.tar.gz paxample
Like most tar implementations, pax, by default, uses the POSIX ustar file format. Because pax was born of a desire to unify archive file formats, many other formats also are supported, but in practice, they're seldom used. Likely as not, any .tar.gz file you download from the Internet actually will be a ustar archive:
    $ pax -wzf paxample.tar.gz paxample
    $ file paxample.ta*
    paxample.tar:    POSIX tar archive
    paxample.tar.gz: gzip compressed data
The first thing you nearly always want to know about any archive is what's in it. Listing the contents is the default action in the absence of either a -r or -w option:
    $ pax -f paxample.tar
    paxample
    paxample/foo
Note that the archive retains the directory name you specified on the command line. That comes into play later when you read it.
To read an archive, use -r:
    $ mkdir t
    $ cd t
    $ pax -rf ../paxample.tar
What did that do? Let's look at the source and target directories:
    $ cd /tmp
    $ find paxample t    # traverse both trees
    paxample
    paxample/foo
    t
    t/paxample
    t/paxample/foo
When pax read the paxample.tar archive, it created files in the current directory, t. Because the archive included a directory name, paxample, that directory was re-created in the output.
Copying Sets of Files
To my mind, pax's -r and -w options make more sense than their -x and -c equivalents in tar, reason enough to switch. But, pax can do more than tar: it can copy files too:
    $ rm -rf t
    $ pax -rw paxample t
    $ find t
    t
    t/paxample
    t/paxample/foo
Unlike cp(1), pax is an archive utility. Its job isn't to make copies, but to archive files. When pax creates a file, it preserves the file's metadata from its input. The form of the input doesn't matter. In this case, the input isn't from an archive, it's the file itself:
    $ ls -l paxample/foo t/paxample/foo
    -rw-r--r--  1 klowden  wheel  0 Sep 11 18:48 paxample/foo
    -rw-r--r--  1 klowden  wheel  0 Sep 11 18:48 t/paxample/foo
Yes, two identical files with two identical timestamps. The permission bits and ownership can be controlled too, if desired. Take that, cp(1)!
Perhaps you don't want to re-create the directory, or perhaps you want to change it in some way. One option is not to mention the input directory on the command line, but instead provide filenames:
    $ rm -rf t/paxample/
    $ (cd paxample/ && pax -rw * ../t/)
    $ find t
    t
    t/foo
That's usually easiest. But if you need something more sophisticated, the -s option rewrites the path, actually, any part of the filename, using a regular expression:
    $ rm -rf t/*
    $ pax -rw -s ',paxample,my/new/path,' paxample/ t
    $ find t
    t
    t/my
    t/my/new
    t/my/new/path
    t/my/new/path/foo
The -s option is handy, for instance, when unpacking a tarball that doesn't have version information in the directory name.
What Could Go Wrong?
If you give the wrong filename to write, you just get an archive by the wrong name, no harm no foul. If you mistype an input archive filename though, you'll find yourself in 1985:
    $ pax -rf paxample.whoopsie
    pax: Failed open to read on paxample.whoopsie (No such file or directory)

    ATTENTION! pax archive volume change required.
    Ready for archive volume: 1
    Input archive name or "." to quit pax.
    Archive name >
This is an idea that outlived its usefulness before it was implemented. You could type in the filename here, again, without readline support or tab completion. Well, at least it says what to do:
    Archive name > .
    Quitting pax!
How exciting!
As mentioned previously, pax uses standard input and standard output by default. That is a feature, but the first time you forget to provide a filename, you may think pax is very, very slow:
    $ pax -r paxample.tar
Oops! No -f. Also no message and no prompt. pax is ignoring the archive filename argument and reading standard input, which in this case, is the keyboard. You could type ^D, for end-of-file, but that forms invalid input to pax. Better to send up a smoke signal:
    ^C
    pax: Signal caught, cleaning up.
It's even worse the first time you accidentally write to standard output while it's connected to your terminal. You heard it here first: don't do that.
Putting Standard Input to Work
Standard input and standard output do have their uses, and here pax really comes into its own. For one thing, you can verify the effect of the -s option without creating an archive or the files:
    $ pax -w -s ',paxample,my/new/path,' paxample/ | pax
    my/new/path
    my/new/path/foo
Absent the -f option, pax -w writes to standard output. So rewrite the pathname with -s, and pipe the output to pax again, this time using its list mode, with neither the -r nor -w option. By default, pax reads from standard input and, in list mode, prints the filenames on the terminal.
That can save a lot of time, not to mention a mess on the disk, when there are thousands of files.
Suppose you want to copy the paxample directory to another machine. One approach would be to create a tarball, copy to the target, log in to the target and unpack the tarball:
    $ pax -wf paxample.tar paxample
    $ scp paxample.tar oak:/tmp/
    paxample.tar    100%   10KB  10.0KB/s   00:00
    $ ssh oak
    oak[~]$ cd /tmp
    oak[tmp]$ pax -rf paxample.tar
    oak[tmp]$ ls paxample/
    foo
But there's a much easier way. Invoke pax on both machines, and connect the output of one to the input of the other:
    $ pax -w paxample | ssh oak 'cd /tmp/ && pax -r && find paxample'
    paxample
    paxample/foo
pax -w writes to standard output. ssh reads standard input and attaches it to whatever utility is invoked, which of course in this case is pax again. pax -r reads from standard input and creates the files from that archive.
pax is one of the lesser known utilities in a typical Linux installation. But it's both simple and versatile, well worth the time it takes to learn. Recommended.
JAMES K. LOWDEN
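The article lists an archive with pax -f, copies with -rw and rewrites paths with -s. The Python below is an added illustration, not part of the article and not pax's own code: it does the listing step by hand, parsing the POSIX ustar headers the article says pax writes by default, verifying each header checksum, emulating one -s substitution, and flagging member names that an unpack would write outside the working directory, since pax -r re-creates whatever directory names the archive carries. The archive it reads is constructed in memory with Python's tarfile module; the function names are mine, and Python regex syntax stands in for the pattern syntax pax uses.

```python
import io
import re
import tarfile

BLOCK = 512  # ustar header and data blocks are 512 bytes


def build_sample_archive():
    """Constructed sample data (not the article's paxample.tar): a
    directory, an empty file, and one member whose name climbs out of
    the extraction directory, the kind of entry to catch before pax -r."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        d = tarfile.TarInfo("paxample")
        d.type = tarfile.DIRTYPE
        d.mode = 0o755
        tf.addfile(d)
        tf.addfile(tarfile.TarInfo("paxample/foo"), io.BytesIO(b""))
        bad = tarfile.TarInfo("../escaped.txt")
        bad.size = 10
        tf.addfile(bad, io.BytesIO(b"not really"))
    return buf.getvalue()


def _text(block, start, length):
    """NUL-terminated ASCII field."""
    return block[start:start + length].split(b"\0", 1)[0].decode("ascii")


def _octal(block, start, length):
    """Numeric fields are ASCII octal, possibly space or NUL padded."""
    text = _text(block, start, length).strip()
    return int(text, 8) if text else 0


def checksum_ok(block):
    """The stored checksum is the byte sum of the header with the
    8-byte checksum field itself counted as spaces."""
    stored = _octal(block, 148, 8)
    computed = sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    return stored == computed


def parse_ustar(data):
    """Walk the archive header by header, like pax's list mode.
    Returns a list of (name, typeflag, size, mode) tuples."""
    members = []
    offset = 0
    while offset + BLOCK <= len(data):
        block = data[offset:offset + BLOCK]
        if block == b"\0" * BLOCK:  # end-of-archive marker
            break
        if block[257:262] != b"ustar":
            raise ValueError("not a ustar header at offset %d" % offset)
        if not checksum_ok(block):
            raise ValueError("bad header checksum at offset %d" % offset)
        name = _text(block, 0, 100)
        prefix = _text(block, 345, 155)  # long names are split in two
        if prefix:
            name = prefix + "/" + name
        size = _octal(block, 124, 12)
        typeflag = chr(block[156]) if block[156] else "0"
        members.append((name, typeflag, size, _octal(block, 100, 8)))
        # Member data follows, padded up to a whole number of blocks.
        offset += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return members


def unsafe_members(members):
    """Names that pax -r would write outside the working directory: an
    absolute path or any '..' component.  List first, read second."""
    return [name for name, _, _, _ in members
            if name.startswith("/") or ".." in name.split("/")]


def rewrite_path(name, subst):
    """Emulate one pax -s substitution such as ',paxample,my/new/path,'.
    The first character is the delimiter; a trailing 'g' means replace
    every match.  Assumption: Python regex syntax stands in for pax's."""
    delim = subst[0]
    _, pattern, replacement, flags = subst.split(delim, 3)
    return re.sub(pattern, replacement, name, count=0 if "g" in flags else 1)


def listing(data, subst=None):
    """What `pax -f archive` (optionally with -s) would print."""
    return [rewrite_path(n, subst) if subst else n
            for n, _, _, _ in parse_ustar(data)]


if __name__ == "__main__":
    archive = build_sample_archive()
    for name in listing(archive, ",paxample,my/new/path,"):
        print(name)
    print("unsafe:", unsafe_members(parse_ustar(archive)))
```

Python's tarfile writes directory member names with a trailing slash, so the directory lists as "paxample/" rather than the bare "paxample" pax printed above; the checksum and offset arithmetic are the same for any ustar writer.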
They Said It
Never let the future disturb you. You will meet it, if you have to, with the same weapons of reason which today arm you against the present.
Marcus Aurelius Antoninus
Temptation rarely comes in working hours. It is in their leisure time that men are made or marred.
W. N. Taylor
We turn not older with years, but newer every day.
Emily Dickinson
The human tendency to regard little things as important has produced very many great things.
Georg Christoph Lichtenberg
Getting fired is nature's way of telling you that you had the wrong job in the first place.
Hal Lancaster
Taking Fractals
off the Page
Fractals are one of the weirder things you may come across when studying computer science and programming algorithms. From Wikipedia: "A fractal is a mathematical set that has a fractal dimension that usually exceeds its topological dimension and may fall between integers." This is a really odd concept that you could have something like an image that isn't made up of lines or of surfaces, but something in between. The term fractal was coined by Benoit Mandelbrot in 1975.
A key property of fractals is that they are self-similar. This means if you zoom in on a fractal, it will look similar to the way the fractal looked originally. The concept of recursion also is very important here. Many types of fractal algorithms use recursion to generate the values in the given set. Almost everyone has seen computer generated images of classic fractals, like the Mandelbrot set or the Cantor set. One thing about all of these classic images is that they are two-dimensional (or actually greater than one and less than two-dimensional, if you want to be pedantic). But there is nothing that forces this to be the case. Fractals can be any dimension, including greater than two. And with modern 3-D graphics cards, there is no reason why you shouldn't be able to examine these and play with them. Now you can, with the software package Mandelbulber (http://www.mandelbulber.com).
Mandelbulber is an experimental, open-source package that lets you render three-dimensional fractal images and interact with them. It is written using the GTK toolkit, so there are downloads available for Windows and Mac OS X as well as Linux. Actually, most Linux distributions should include it in their package management systems. If not, you always can download the source code and build it from scratch.
If you want some inspiration on what is possible with Mandelbulber, I strongly suggest you go check out the gallery of images that have been generated with this software. There are some truly innovative and amazing images out there, and some of them include the parameters you need in order to regenerate the image on your own. The Mandelbulber Wiki provides a large amount of information (http://wiki.mandelbulber.com/index.php?title=Main_Page). When you are done reading this article, check out everything else that you can do with Mandelbulber.
When you first start up Mandelbulber, three windows open. The first is the parameters window (Figure 1). Along the very top are the two main buttons: render and stop. Below that is a list of 12 buttons that pull up different panes of parameters. You get an initial set of default parameters that will generate a 3-D version of the classic Mandelbrot set. Clicking on the render button will start the rendering process. If you have multiple cores on your machine, Mandelbulber will grab them to help speed up the calculations. The rendered plot will be drawn in its own window (Figure 2). The third window shows you some measures of how the rendering progressed (Figure 3). You get two histograms describing the number of iterations and the number of steps.
Figure 1. The main window gives you all parameters that control the generation of your fractal.
Figure 2. This is what the default 3-D fractal looks like.
Figure 3. Histograms of the Rendering Progression
Figure 4. A Sierpinski sponge has infinite surface area and zero volume.
To generate new images, more than 70 examples are included with the installation of Mandelbulber that you can use as starting points. Clicking on the button "Load example" pulls up a file dialog where you can load one of them. For example, you could load menger sponge.fract. Clicking the render button will generate a 3-D Sierpinski sponge (Figure 4). Although technically, the set is only one topological dimension that encloses zero volume (aren't fractals weird?).
Figure 5. There are several different fractal types from which to choose.
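The self-similarity and recursion described above, as an added Python illustration that is not part of the article or of Mandelbulber: a recursive membership test for the Menger sponge (the "menger sponge" example just loaded), together with the closed form for how much of the cube survives each level of the construction, which is why the sponge encloses zero volume in the limit. The function names are mine.

```python
from fractions import Fraction


def in_menger_sponge(x, y, z, depth):
    """Recursive membership test for the Menger sponge on the unit cube.
    Each level cuts the cube into 27 sub-cubes and removes the 7 whose
    cell index is 1 on at least two axes; the 20 that remain are scaled
    copies of the whole (self-similarity), so we recurse into the one
    that contains the point until `depth` levels are exhausted."""
    if depth == 0:
        return True
    cells = [int(c * 3) for c in (x, y, z)]
    if sum(1 for c in cells if c == 1) >= 2:
        return False  # the point lies in a removed tunnel
    # Zoom in: rescale the sub-cube containing the point back to [0, 1).
    return in_menger_sponge(x * 3 - cells[0], y * 3 - cells[1],
                            z * 3 - cells[2], depth - 1)


def remaining_volume(depth):
    """Fraction of the unit cube left after `depth` levels: (20/27)^depth,
    which tends to zero, while the surface area grows without bound."""
    return Fraction(20, 27) ** depth


def sample_density(depth, n):
    """Cross-check the closed form against the recursion by counting the
    n^3 cell centres of a grid that the recursion keeps.  With n a power
    of 3 and n >= 3**depth every cell lies wholly in or out, so the
    count is exact."""
    kept = 0
    for i in range(n):
        for j in range(n):
            for k in range(n):
                if in_menger_sponge((i + 0.5) / n, (j + 0.5) / n,
                                    (k + 0.5) / n, depth):
                    kept += 1
    return Fraction(kept, n ** 3)


if __name__ == "__main__":
    for level in range(4):
        print(level, remaining_volume(level), float(remaining_volume(level)))
    print(sample_density(2, 9) == remaining_volume(2))
```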
What can you change in Mandelbulber? Clicking on the fractal button pulls up the pane where you can set the parameters for the fractal itself (Figure 5). You can select from several different types of fractal formula types, such as mandelbulb, quaternion or menger sponge. You can set several options, depending on exactly which fractal type you choose. For example, if you select the iterated function system (IFS), you then can click on the IFS tab to set several different parameters.
Figure 6. You can create a hybrid system made from a mix of up to five different fractal types.
One of the issues is coming up with truly unique, yet aesthetically pleasing, sets of equations with which to experiment. To help in this regard, Mandelbulber has a hybrid option in the list of fractal types. When you select this option, you then can choose the hybrid button and set up to five different fractal equations (Figure 6). With this option, you can create very complex and sophisticated fractals to render.
Mandelbulber doesn't just generate static images of these higher dimensional fractals. There is an option to generate animations of how these images change when some parameter is swept over. To start, you need to click on the Timeline button at the bottom of the view pane. This pulls up a timeline window where you can set the parameters used to generate your animation. The record button puts parameters into the actual keyframe number ("Key no." field on the right). It then loads and renders the next keyframe if it is not the last keyframe.
Then, you can add new keyframes with the "insert after" button or delete keyframes with the Delete button. To modify a given keyframe, you can double-click it to set the parameters, and then you can click on record to render the keyframe.
Interpolation between the keyframes is handled by Catmull-Rom splines. Once you have the keyframes handled, you will need to render the full animation. Clicking on the Animation button in the main window brings up the parameters you can set. These include things like the number of frames to render from the keyframes, as well as the start and end frame numbers. You then can click on the "Render from key-frames" button to generate the animation. On my netbook, this is a pretty long process. For image generation, you also have control over camera position, lighting and shader options. You should be able to generate the exact image or animation that you want.
If you are looking to generate some amazing 3-D landscapes or unique shapes for something science-fictiony, you definitely should check out Mandelbulber, just be prepared to lose several hours as you start playing with all of the parameters available.
JOEY BERNARD
[ EDITORS' CHOICE ]
Zedge, for All Your Annoying Ringtones!
I really don't understand folks who use songs as their ringtones. Isn't it annoying or confusing when the song comes on the radio? If it's your favorite song, don't you get desensitized to it when you listen to the CD (or digital equivalent of CD)? Nevertheless, you probably hear dozens of ringtones every day. Those probably vary from super annoying to "what a cool ringtone". With Zedge, you can be the person annoying your fellow subway passengers, or making them jealous.
Zedge is a free app in the Google Play store, and the ringtones (and notification sounds and alarm sounds) are completely free as well. I currently use the "WHAAAT?!?!??!" sound from the minions on Despicable Me as a notification sound (which is clearly super cool and not annoying). My ringtone, which I hear much less often than in years past, is one I made myself from pasting together sound clips from Star Trek the Next Generation. Somehow, my homemade ringtone ended up on Zedge. I know it's mine, because I pasted together sounds that don't actually occur together on the show. I'm terribly proud of my ringtone, and if you'd like to hear it for yourself, search for "Incoming Subspace Signal", it should pop right up. If Star Trek isn't up your alley, there are thousands of other options from which to choose. With Zedge, installing them is simple and, of course, free.
Due to its incredible selection, seamless integration and amazing price tag, Zedge is this month's Editors' Choice winner. Check it out today at https://play.google.com/store/apps/details?id=net.zedge.android.
Screenshot from the Google Play store
SHAWN POWERS
COLUMNS
Talking to Twitter
Integrating Twitter into your application is easy, fun and useful.
REUVEN M. LERNER
AT THE FORGE
I'm a very quick adopter of many new software technologies. I try new programming languages, browsers, databases and frameworks without hesitation. But when it comes to social networks, I'm a bit of a Luddite, waiting to see what all the fuss is about before making them a part of my life. Sure, I signed up for Facebook almost as soon as it was available, but I haven't really posted much there. I do use LinkedIn, mostly to collect and find contacts, but I don't post there very often either, unless I'm announcing a presentation that I've added to SlideShare.
Twitter is something of a different story. There are people, it seems, for whom Twitter is the ultimate in communication. I've been on Twitter for some time, but other than an occasional foray into that world, I didn't really pay it much attention. Even now, after having decided several months ago that I should try to get into Twitter more heavily, I find that while I look through my feed several times a day, I tweet only once every few weeks. Call me a dinosaur, but I still prefer to use e-mail to be in touch with friends and family, rather than 140-character messages.
Although I don't see Twitter as a great medium for interpersonal communication, I recently have begun to appreciate it for other reasons. Specifically, I have discovered (perhaps long after the rest of the world has done so) that using Twitter as a sort of public logfile can make a Web application more visible, updating the rest of the world as to the status of your work and your on-line community. Doing so not only lets people hear about what you are doing (and potentially rebroadcast it to the world, by retweeting your message to followers) but it also increases your application's SEO, or visibility on various search engines. Finally, you can use Twitter to bring attention to your on-line presence by following other people. (The idea is that when they receive your follow request, they may try to find out more about you, exploring your site or even following you back.)
I might sound like a social-media consultant, but I've seen the difference that Twitter can make in an application. I recently connected my PhD dissertation project (the Modeling Commons, at http://modelingcommons.org) to Twitter, such that each public action is sent to the Twitter feed. The combination of tweeting updates and following other people has had a remarkable and direct effect on the number of visitors who come to my site, the length of time they remain and the number of pages they view. Now, I'm not talking about millions of visitors per month. My application is still of interest mainly to a small community of people working with the NetLogo modeling environment. But the change has been obvious, and I grudgingly admit that I owe some of it to Twitter.
In this article, I explore some of the things I did to use Twitter in my application. From a technology perspective, you'll see that the implementation was fairly straightforward. But I think that what I've learned can be of interest to anyone running a Web application, particularly one that is trying to get the word out to the public. In addition, although there are plenty of good reasons to question Twitter's business practices and its relationship with developers, there is no doubt that its attention to detail with its API offers a model for all of us who want to provide APIs to our applications.
Registering with Twitter
I'm going to assume that anyone reading this article already has created a Twitter account or is able to figure out how to do so at Twitter.com. And of course, via the Twitter.com Web site, you can do all the things that you might expect, such as tweeting, retweeting, following and searching.
Twitter's API allows you to do all of these things via code. That is, you don't need to go and compose tweets personally. You can write a program that will do so for you. In order for this to happen, you need to do two things: register with Twitter's API service and install a library that knows how to communicate with the Twitter API.
In order to register with the Twitter API, you need to go to the developer site at http://dev.twitter.com. Note that you need to sign in with your Twitter user name and password, even if you already are signed in to the main Twitter site. The two sites do not seem to share login sessions.
Once you're on the developer site, you need to create a new application. The application name needs to be unique, but don't worry about it too much. You need to provide not only a name, but also a description and a URL that is associated with the application. Agree to the terms, fill in the Captcha, and you'll be on your way.
Note that many types of Twitter applications exist, with many applications (including mobile) that post to Twitter on behalf of a user. The model I demonstrate in this article is of an application sending updates to Twitter, which means you won't have such issues; you don't need a callback URL or any special login configuration.
Perhaps the most confusing thing (to me, at least) about setting things up with Twitter was that the default permissions for an application allow you to retrieve tweets, but not post them. To allow your application read-write access, go to the settings tab and indicate that you want the read-write access, or even "read, write and direct message". You won't be using all of these capabilities for this example, but without write permission, your application will not be able to post to Twitter.
And now for the most important part, the keys: Twitter's authentication model requires two tokens. First, there is your access token, which allows you to access Twitter via the API. The second is the consumer key, which describes your particular application and usage. Each of these keys has an accompanying secret, which you should treat as a password. As such, putting these secrets directly in your application probably is a bad idea. You would be better off putting them in environment variables, thus avoiding having the secrets in version control.
Twitter Gem for Ruby
Readers of this column know that I
love the Ruby language, so it wont
come as a surprise to hear that I intend
to use Ruby for my examples. However,
there are Twitter API clients in virtually
every modern language, making it easy
to access from whatever you prefer to
use in your programming.
The twitter Ruby gem, as is the case
for all Ruby gems (libraries), is available
for installation via the gem program,
which comes with modern versions of
Ruby. The gem currently is maintained
by Erik Michaels-Ober, also known as
sferik on GitHub. You can type:
cm 1ns1a11 1W111c -v
and the gem should be installed. On
many systems, including those not
running a Ruby version manager like
rvm, you need to execute the above
line while logged in as root.
Once you have installed the gem, you can use it. There are three parts to this process: bringing the gem into the program, configuring it to use your keys and secrets, and then executing a Twitter command. The first is handled with the Ruby require command, which looks at installed gems, as well as the Ruby core and standard libraries.

Configuration of the client is handled fairly straightforwardly from within a block that looks like this (filling in the values you got from Twitter's API documentation):

    require 'twitter'

    twitter_client = Twitter::REST::Client.new do |config|
      config.consumer_key = CONSUMER_KEY
      config.consumer_secret = CONSUMER_SECRET
      config.oauth_token = OAUTH_TOKEN
      config.oauth_token_secret = OAUTH_SECRET
    end

Notice that you are not merely executing the new method on Twitter::REST::Client, but that you also are returning a value. Thus, in contrast to previous versions of Ruby's Twitter gem, you should accept the returned object, which is then the basis for all of the additional actions you wish to take.
Finally, you send the tweet with the update method:

    tweet = twitter_client.update("Hello, world! tweet tweet.")

Invoking the #update method has the effect of sending the message to Twitter. If you go to the Web page for your Twitter user, you'll find that a new message has been sent, as if you had typed it.

If you capture the return value from the invocation of twitter_client.update, you'll see that it is an instance of Twitter::Tweet, a Ruby object that represents a tweet. This object provides the functionality that you would want and expect from something associated with Twitter. For example:

    tweet.user        # tells us who wrote the tweet
    tweet.retweeted?  # indicates whether it was retweeted
    tweet.favorited?  # indicates whether it was marked as a favorite
Now, it's also possible that you will not get a tweet object back at all, but rather that the update method will raise an exception. For example, Twitter forbids users from sending an identical tweet, at least within a short period of time. Thus, if you send the above "Hello, world" tweet a second time, you'll get an exception:

    Twitter::Error::Forbidden: Status is a duplicate.

Of course, you can catch such errors with:

    begin
      tweet = twitter_client.update("Hello again, @reuvenmlerner tweet tweet.")
    rescue Twitter::Error::Forbidden => e
      puts "You already tweeted that."
    rescue => e          # any other error raised by the gem or the network
      puts e.class       # e.g. Twitter::Error::Forbidden
      puts e.message     # e.g. "Status is a duplicate."
    end
If you include a Twitter @username, hashtag or URL in your tweet, the appropriate magic will happen automatically. Thus:

    tweet = twitter_client.update("Go to @reuvenmlerner's site at http://lerner.co.il/")

In the above tweet, the URL automatically will be shortened, using Twitter's standard t.co domain. Similarly, the @reuvenmlerner (my Twitter handle) will turn into a link. You can access both of these using methods on your tweet:

    tweet.urls           # returns an array of Twitter::Entity::URI
    tweet.user_mentions  # returns an array of Twitter::Entity::UserMention

You can more generally ask Twitter for information about tweets. For example, you can get the most recent tweets a user has sent with:

    twitter_client.user_timeline("reuvenmlerner")

which returns an array of tweet objects. You can apply the text method to the first element, thus getting the text back from the user's most recent tweet:

    twitter_client.user_timeline("reuvenmlerner")[0].text

If there are URLs embedded in the tweet, you can get those back:

    twitter_client.user_timeline("reuvenmlerner")[1].urls

This method returns an array of Twitter::Entity::URI objects, each of which has attributes, such as url and expanded_url.

Integrating into Your Application

As you can see, working with Twitter is surprisingly easy. The startup time for connecting to Twitter can take a little bit of time (up to two seconds, in my experience), but tweeting and querying Twitter take very little time. It's obvious, as a consumer of the API, that they have worked hard to make it execute as quickly as possible. This is a lesson to all of us who create APIs. We all know that Web pages should load quickly, and that slow load times can discourage people from staying on a site.

API calls typically are embedded within another application, meaning that if the API call takes time, the application itself will feel sluggish. As a result, a slow API call will lead to slow responses from the API clients, and may discourage people from using your API.

But where would you use such API calls? Why would you want to use Twitter on your site?

One simple use of the Twitter API would be to display a user's most recent tweets. For example, if your company (or you personally) uses Twitter to send messages about what you are doing, you can see that it would be fairly easy to include those tweets in a Web page. Using an MVC system, such as Rails, you simply would grab the tweets (with the user_timeline method, as shown above), and stick the results on your home page. Now your home page provides another view to your Twitter feed, reinforcing its importance and usage to your company.

I have been doing something slightly different. As I mentioned previously, I have begun to use Twitter to log public activity in the application I've developed for my dissertation. Every time a new user joins, new content is posted or someone adds a posting to a discussion forum, I send a new tweet on the subject. In and of itself, this doesn't do very much; Twitter is full of text and URLs. But I have certainly found that by ensuring that my tweets are followed and seen by a large number of people, I have increased the number of users coming to my site.
In other words, by tweeting about activity on my site, I have given my site additional exposure to the world. Moreover, people who really want to see what my application is doing can follow the link in their Twitter feed and follow along.

By adding a #NetLogo hashtag to my tweets, I also have made it possible, and even easy, for my tweets (and thus my site) to be found and identified by people searching Twitter for mentions of our modeling environment. The fact that Google indexes tweets increases my site's visibility on-line among people who are searching for modeling-related sites.

The net effect has been rather huge. Within two weeks of starting to use Twitter to announce updates on my site, the number of people coming to visit has increased dramatically. Not coincidentally, my site's ranking in Google has improved noticeably.

Now, if this were a commercial site, rather than a free infrastructure for collaborative modeling, I would want to check a second thing, namely the conversion rate, that is, how many people who came to my site also became paying customers. But for my small, educational site, it has been fascinating to see what a difference tweeting made.

And what did I do? Truth be told, not much. I set up things such that a new tweet would be sent, using the update method demonstrated above, every time a new model version, forum posting or person was added to the system. Because of the relatively low latency on the update method, I even do this inline in an after_create callback within Rails, rather than queueing it in a background job.

The biggest technical challenge I have faced so far in all of this is the issue of duplicate tweets. When I first set up the Twitter feed, I defined the tweet for an additional discussion forum post to be:

    Reuven Lerner has added a comment about the Foobar model!

The problem with this style of tweet is that it quickly can lead to duplicates, and thus errors from within the application. As a result, I have made sure that every tweet has a unique number in it somewhere, typically counting how many similar objects already have been created. For example:

    Reuven Lerner wrote the 5th comment about the Foobar model!

The above ensures (assuming that user and model names are unique) that there cannot be duplicates, thus avoiding the problem.
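
The two practical points of this column, keeping the four secrets out of the source and making every automatic tweet unique so the API never rejects it as a duplicate, put together as an added example (this is not code from the column or from the twitter gem). The environment variable names and the small in-memory stand-in for the client are this example's own; with the real gem, the stand-in is replaced by Twitter::REST::Client and the rescued class by Twitter::Error::Forbidden.

```ruby
# Added example, not from the column: credentials from the environment,
# collision-free activity tweets, and duplicate handling, runnable offline.

# Environment variable names are this example's choice.
REQUIRED_VARS = %w[TWITTER_CONSUMER_KEY TWITTER_CONSUMER_SECRET
                   TWITTER_OAUTH_TOKEN TWITTER_OAUTH_SECRET].freeze

# Collect the credentials from an ENV-like hash. Refuse to start if any is
# missing or blank, so there is never a hard-coded fallback secret in code.
def twitter_credentials(env = ENV)
  missing = REQUIRED_VARS.select { |name| env[name].to_s.strip.empty? }
  raise ArgumentError, "missing #{missing.join(', ')}" unless missing.empty?
  {
    consumer_key:       env['TWITTER_CONSUMER_KEY'],
    consumer_secret:    env['TWITTER_CONSUMER_SECRET'],
    oauth_token:        env['TWITTER_OAUTH_TOKEN'],
    oauth_token_secret: env['TWITTER_OAUTH_SECRET']
  }
end

ORDINAL_SUFFIX = { 1 => 'st', 2 => 'nd', 3 => 'rd' }.freeze

# English ordinal: 1st, 2nd, 3rd, 4th ... 11th, 12th, 13th, 21st, 112th.
def ordinal(n)
  return "#{n}th" if (11..13).cover?(n % 100)
  "#{n}#{ORDINAL_SUFFIX.fetch(n % 10, 'th')}"
end

# The column's fix: number each announcement by how many similar objects
# already exist, so no two tweets for one user and model are identical.
def activity_tweet(user, count, model)
  "#{user} wrote the #{ordinal(count)} comment about the #{model} model!"
end

# Stand-in for Twitter::Error::Forbidden.
class DuplicateStatus < StandardError; end

# Stand-in for Twitter::REST::Client#update: remembers what was posted and
# rejects an identical status, as the column reports the real API does.
class FakeClient
  attr_reader :posted

  def initialize
    @posted = []
  end

  def update(text)
    raise DuplicateStatus, 'Status is a duplicate.' if @posted.include?(text)
    @posted << text
    text
  end
end

# Post one status and report :posted or :duplicate. Anything else (network
# failure, bad credentials) is left to propagate so it gets noticed.
def announce(client, text)
  client.update(text)
  :posted
rescue DuplicateStatus
  :duplicate
end

if __FILE__ == $PROGRAM_NAME
  client = FakeClient.new
  p announce(client, activity_tweet('Reuven Lerner', 5, 'Foobar'))  # :posted
  p announce(client, activity_tweet('Reuven Lerner', 5, 'Foobar'))  # :duplicate
  p announce(client, activity_tweet('Reuven Lerner', 6, 'Foobar'))  # :posted
end
```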
Beyond the advantages for users, SEO and people interested in following my work, I also have found it to be enormously satisfying to see tweets come out even when I'm not aware of it. It's similar in some ways to seeing my children's creative output, but (obviously) less emotionally charged.

Conclusion

Adding automatic tweets to a Web application is easy to do and can have significant benefits. For your users, it gives them a way to follow what is happening in your application without needing to visit the site or use an RSS reader. For your site, automatic tweets will help bring in new visitors, improve SEO and generally improve your project's visibility.

Web developer, trainer and consultant Reuven M. Lerner is finishing his PhD in Learning Sciences at Northwestern University. He lives in Modi'in, Israel, with his wife and three children. You can read more about him at http://lerner.co.il, or contact him at reuven@lerner.co.il.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

Resources

Twitter, of course, is at http://twitter.com. The developer and API documentation is at http://dev.twitter.com. The Ruby gem for Twitter, which apparently has been downloaded more than one million times (!), is at http://sferik.github.io/twitter.

COLUMNS
WORK THE SHELL
DAVE TAYLOR

Easy Watermarking with ImageMagick

Script auteur Dave Taylor explores smart ways to use ImageMagick and Bash to copyright and watermark images in bulk.

Let's start with some homework. Go to Google (or Bing) and search for "privacy is dead, get over it". I first heard this from Bill Joy, cofounder of Sun Microsystems, but it's attributed to a number of tech folk, and there's an element of truth to it. Put something on-line and it's in the wild, however much you'd prefer to keep it under control.

Don't believe it? Ask musicians or book authors or film-makers. Now, whether the people who would download a 350-page PDF instead of paying $14 for a print book are hurting sales, that's another question entirely, but the Internet is public and open, even the parts that we wish were not.

This means if you're a photographer or upload images you'd like to protect or control, you have a difficult task ahead of you. Yes, you can add some code to your Web pages that makes it impossible to right-click to save the image, but it's impossible to shut down theft of intellectual property completely in the on-line world.

This is why a lot of professional photographers don't post images on-line that are bigger than low-resolution thumbnails. You can imagine that wedding photographers who make their money from selling prints (not shooting the wedding) pay very close attention to this sort of thing!

Just as people have learned to accept poor video in the interest of candor and funny content thanks to YouTube, so have people also learned to accept low-res images for free rather than paying even a nominal fee for license rights and a high-res version of the photograph or other artwork.

There is another way, however, that's demonstrated by the stock photography companies on-line: watermarking. You've no doubt seen photos with embedded copyright notices, Web site addresses or other content that mars the image but makes it considerably harder to separate it from its original source.

It turns out that our friend ImageMagick is terrific at creating these watermarks in a variety of different ways, and that's what I explore in this column. It's an issue for a lot of content producers, and I know the photos I upload constantly are being ripped off and reused on other sites without permission and without acknowledgement.

To do this, the basic idea is to create a watermark-only file and then blend that with the original image to create a new one. Fortunately, creating the new image can be done programmatically with the convert program included as part of ImageMagick.

Having said that, it's really mind-numbingly complex, so I'm going to start with a fairly uninspired but quick way to add a watermark using the label: feature. In a nutshell, you specify what text you want, where you want it on the image, the input image filename and the output image filename. Let's start with an image (Figure 1).

Figure 1. Original Image, Kids at a Party

You can get the dimensions and so forth of the image with identify, of course:

    $ identify kids-party.png
    kids-party.png PNG 493x360 493x360+0+0 8-bit DirectClass 487K 0.000u 0:00.000

You can ignore almost all of this; it's just the size that you care about, and that's shown as 493x360.

Now, let's use composite to add a simple label:

    $ composite label:'AskDaveTaylor.com' kids-party.png \
        kids-party-labelled.png

Figure 2 shows the image with the label applied.

Figure 2. Label Added, No Styling

That's rather boring, although it's effective in a rudimentary sort of way. Let's do something more interesting now, starting by positioning the text centered on the bottom but also adding space below the image for the caption:

    $ convert kids-party.png -background Khaki \
        label:'AskDaveTaylor.com' \
        -gravity center -append party-khaki.png

Here I've added a background color for the new text (khaki) and tapped the complicated but darn useful gravity capability to center the text within the new append (appended) image space. Figure 3 shows the result.

Figure 3. Caption against a Khaki Background

I'm not done yet though. For the next example, let's actually have the text superimpose over the image, but with a semi-transparent background. This is more ninja ImageMagick, so it involves a couple steps, the first of which is to identify the width of the original source image. That's easily done:

    width=$(identify -format %w kids-party.png)

Run it, and you'll find out:

    $ echo $width
    493

Now, let's jump into the convert command again, but this time, let's specify a background color, a fill and a few other things to get the transparency to work properly:

    $ convert -background '#0008' -fill white -gravity center \
        -size ${width}x30 caption:AskDaveTaylor.com \
        kids-party.png +swap -gravity south -composite \
        party-watermark.png

I did warn you that it'd be complex, right? Let's just jump to the results so you can see what happened (Figure 4).

Figure 4. Improved Semi-Transparent Label

You can experiment with different backgrounds and colors, but for now, let's work with this and jump to the second part of the task, turning this into a script that can fix a set of images in a folder. The basic structure for this script will be easy actually:

    for every image file
        calculate width
        create new watermarked version
        mv original to a hidden directory
        rename watermarked version to original image name
    done

Because Linux is so dot file-friendly, let's have the script create a .originals folder in the current folder so that it's a nondestructive watermark process. Here's the script:

    #!/bin/bash

    saveddir=".originals"
    mkdir "$saveddir"
    if [ $? -ne 0 ] ; then
      echo "Error: failed making $saveddir."
      exit 1
    fi

    for image in *.png *.jpg *.gif
    do
      if [ -s "$image" ] ; then   # non-zero file size (also skips unmatched globs)
        width=$(identify -format %w "$image")
        convert -background '#0008' -fill white -gravity center \
          -size ${width}x30 caption:AskDaveTaylor.com \
          "$image" +swap -gravity south -composite "new-$image"
        mv "$image" "$saveddir"
        mv "new-$image" "$image"
        echo "Watermarked $image successfully"
      fi
    done

You can see that it translates pretty easily into a script, with the shuffle of taking the original images and saving them in .originals. The output is succinct when I run it in a specific directory:

    Watermarked figure-01.png successfully
    Watermarked figure-02.png successfully
    Watermarked figure-03.png successfully
    Watermarked figure-04.png successfully

Easily done.

You definitely can go further with all the watermarking in ImageMagick, but my personal preference is to tap into the reference works that already are on-line, including this useful, albeit somewhat confusing, tutorial: http://www.imagemagick.org/Usage/annotating.

However you slice it, if you're going to make your images available on-line in high resolution, or if they're unique and copyrighted intellectual property, knowing how to watermark them from the command line is a darn helpful skill.

Dave Taylor has been hacking shell scripts for more than 30 years. Really. He's the author of the popular Wicked Cool Shell Scripts and can be found on Twitter as @DaveTaylor and more generally at http://www.DaveTaylorOnline.com.

COLUMNS
HACK AND /
KYLE RANKIN

A Bundle of Tor

For privacy, windows have blinds, and Internet users have the Tor browser bundle.

I don't know how many readers know this, but my very first Linux Journal column ("Browse the Web without a Trace", January 2008) was about how to set up and use Tor. Anonymity and privacy on the Internet certainly take on a different meaning in the modern era of privacy-invading software and general Internet surveillance. I recently went back and read my original column, and although the first few paragraphs were written six years ago, they seem just as relevant today:

Is privacy dead? When I think about how much information my computer and my gadgets output about me on a daily basis, it might as well be. My cell phone broadcasts my general whereabouts, and my Web browser is worse: every site I visit knows I was there, what I looked at, what browser and OS I use, and if I have an account on the site, it could know much more.

Even if you aren't paranoid (yet), you might want to browse the Web anonymously for many reasons. For one, your information, almost all of it, has value, and you might like to have some control over who has that information and who doesn't. Maybe you just want to post a comment to a blog without the owner knowing who you are. You even could have more serious reasons, such as whistle-blowing, political speech or research about sensitive issues such as rape, abuse or personal illness.

Whatever reason you have for anonymity, a piece of software called Tor provides a secure, easy-to-setup and easy-to-use Web anonymizer. If you are curious about how exactly Tor works, you can visit the official site (at http://tor.eff.org), but in a nutshell, Tor installs and runs on your local machine. Once combined with a Web proxy, all of your traffic passes through an encrypted tunnel between three different Tor servers before it reaches the remote server. All that the remote site will know about you is that you came from a Tor node.

The rest of the article went into detail on how to use the Knoppix live disk to download and install Tor completely into ramdisk. Tor has come a long way since those days though, so I decided it was high time to revisit this topic and explain the best way to set up Tor on your personal machine today.

Get the Tor Browser Bundle

In the past, Tor installation meant installing the Tor software itself, configuring a proxy and pulling down a few browser plugins. Although you still can set it up that way if you want, these days, everything is wrapped up in a tidy little package called the Tor browser bundle. This single package contains Tor, its own custom Web browser already configured with privacy-enhancing settings and a user interface that makes it easy to start and stop Tor on demand.

The first step is to visit https://www.torproject.org and check the lock icon in your navigation bar to make sure the SSL certificate checks out. If your browser gives you some sort of certificate warning, it's possible you aren't visiting the official Tor site, and you should stop right there and attempt to get Tor from a different computer. On the main page is a large Download Tor button for you to click. If you are browsing the site from a Linux system (which of course you are), you will be presented with links to a 32-bit and 64-bit browser bundle package, so click the one that corresponds with the appropriate architecture for your system.

While the software downloads, I highly recommend you do two things. First, next to the button you clicked to download Tor, there should be a hyperlink labeled "sig". Click this link to download the signature you will use to verify that the Tor package you downloaded was legitimate (I'll talk about how to do that in a minute). The second thing you should do is scroll down the page and start reading the section titled "Want Tor to really work?" to familiarize yourself with some of the extra habits you should take on if you really do want to browse the Web anonymously.

Verify the Software

After you download the Tor browser bundle and the signature file, you should have two files in your directory:

    tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz
    tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz.asc

The first of these files is the software itself, and the second file is the GPG signature. Although a lot of software uses MD5 or SHA1 checksums so you can validate the software you downloaded was complete, this checksum is different. The .asc file is a cryptographic signature you can use to prove that the software you just downloaded actually was provided to you by the Tor project and not by some malicious third party. The site provides documentation on how to verify this signature for different operating systems at https://www.torproject.org/docs/verifying-signatures.html.en, but since you use Linux, here you will run the following commands. First, pull down the key that was used to sign this package. Currently, this would be Erinn Clark's key (0x416F061063FEE659), which you can import with the following command:

    $ gpg --keyserver x-hkp://pool.sks-keyservers.net \
        --recv-keys 0x416F061063FEE659

Once the key has been imported, you should check its fingerprint:

    $ gpg --fingerprint 0x416F061063FEE659
    pub   2048R/63FEE659 2003-10-18
          Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
    uid                  Erinn Clark <erinn@torproject.org>
    uid                  Erinn Clark <erinn@debian.org>
    uid                  Erinn Clark <erinn@double-helix.org>
    sub   2048R/..399FD7 2003-10-18

If the fingerprint doesn't match what you see above, something fishy is going on and you shouldn't trust this package. Of course, if you are a frequent GPG user, you may want even better assurances. Hopefully, you have someone you already trust within your GPG keyring who has been to a key-signing party with Erinn Clark. If so, it would help validate that the key is legitimate.

Once you have validated the fingerprint, cd to the directory that has the browser bundle and .asc file, and run the following command:

    $ gpg --verify \
        tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz{.asc,}
    gpg: Signature made Fri 01 Nov 2013 01:25:10 PM PDT
    gpg:                using RSA key ID 63FEE659
    gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
    gpg:                 aka "Erinn Clark <erinn@debian.org>"
    gpg:                 aka "Erinn Clark <erinn@double-helix.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

If the output says "Good signature", everything checked out. Again, you will see a warning if you don't have someone in your chain of trust that already trusts this key.
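
The check the column has you do by eye, done mechanically, as an added example (not code from the column or from the Tor project): a download is accepted only when gpg reports a good signature and the primary key fingerprint it prints equals the full fingerprint pinned in the script, since the short key ID in the "using RSA key ID" line is not enough on its own. The function names are this example's own, and the sample transcript is constructed after the one above; only verify_tor_bundle actually runs gpg.

```ruby
# Added example, not from the column: accept a gpg --verify result only on
# "Good signature" plus an exact match of the pinned primary key fingerprint.

# Full fingerprint of the signing key the column names (0x416F061063FEE659).
PINNED_FINGERPRINT = '8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659'

def normalize_fingerprint(text)
  text.to_s.delete(' ').upcase
end

# Reduce gpg's output to the facts that matter: was the signature good or
# bad, who signed, which fingerprint, and did gpg warn the key is uncertified.
def parse_gpg_verify(output)
  facts = { good: false, bad: false, signer: nil, fingerprint: nil, certified: true }
  output.each_line do |raw|
    line = raw.strip
    case line
    when /\Agpg: Good signature from "(.+)"\z/
      facts[:good] = true
      facts[:signer] = Regexp.last_match(1)
    when /\Agpg: BAD signature/
      facts[:bad] = true
    when /\Agpg: WARNING: This key is not certified/
      facts[:certified] = false
    when /\APrimary key fingerprint: (.+)\z/
      facts[:fingerprint] = normalize_fingerprint(Regexp.last_match(1))
    end
  end
  facts
end

# The decision: a good signature, no bad-signature line, and the fingerprint
# gpg printed is exactly the pinned one. The "not certified" warning is normal
# when the key is outside your web of trust and does not fail the check.
def signature_acceptable?(output, pinned = PINNED_FINGERPRINT)
  facts = parse_gpg_verify(output)
  facts[:good] && !facts[:bad] && facts[:fingerprint] == normalize_fingerprint(pinned)
end

# Run gpg on a downloaded bundle and its .asc file. gpg reports on stderr,
# so stderr is merged into the captured output before parsing.
def verify_tor_bundle(tarball, pinned = PINNED_FINGERPRINT)
  output = IO.popen(['gpg', '--verify', "#{tarball}.asc", tarball],
                    err: [:child, :out], &:read)
  signature_acceptable?(output, pinned)
end

# Constructed sample, modelled on the column's transcript.
SAMPLE_VERIFY_OUTPUT = <<~GPG
  gpg: Signature made Fri 01 Nov 2013 01:25:10 PM PDT
  gpg:                using RSA key ID 63FEE659
  gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
  gpg:                 aka "Erinn Clark <erinn@debian.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
GPG

if __FILE__ == $PROGRAM_NAME
  puts(signature_acceptable?(SAMPLE_VERIFY_OUTPUT) ? 'accepted' : 'REJECTED')
end
```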
Install and Use Tor

At this point, it's relatively trivial to install and use Tor. Just use tar to extract the .tar.gz file into your home directory or wherever else you'd like it to be, and then run the start-tor-browser script inside:

    $ tar zxvf tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US.tar.gz
    $ ./tor-browser_en-US/start-tor-browser

You should see a GUI window pop up that looks like Figure 1.

Figure 1. The Vidalia Control Panel Window

It may take a little time for your Tor network to finish configuring, but once it does, you will know, because a browser that looks like Figure 2 will appear.

Figure 2. Congratulations, Tor works.

The initial Tor check page not only validates that you are using the Tor network, it also displays your current IP address. If you ever notice that IP address matches your home IP address, or if you don't see this congratulations window at all, for some reason your Tor instance isn't working properly, so you shouldn't do anything within the browser that is privacy-sensitive. Note that because you may be exiting the Tor network from an exit node in a different country, certain sites like Google, for instance, that try to be helpful and display the site in a country's native language may present you with Japanese, German or some other language as you visit.

If you go back to the Vidalia Control Panel, you'll notice a number of different options. You can view a map of the current global Tor network; you can click the Setup Relaying button to add your machine to the network of Tor nodes, and if you click Use a New Identity, you will stop using the three Tor nodes you currently are using and will set up a new connection with different Tor nodes. Although Tor itself does this routinely as you use it, sometimes you may want to get a different endpoint so a Web site stops displaying output in a language you don't understand.

Special Tor Browser Plugins

It's important to note that this special Tor browser has been configured with extra plugins and settings to enhance your privacy. For instance, by default, the NoScript plugin is installed and enabled, which blocks JavaScript, Java and other plugins and allows them only for sites that you trust. The browser also includes the HTTPS Everywhere plugin that defaults to using HTTPS for any site you try to visit. You also will see a small onion icon in the navigation bar that you can use to tweak your Tor preferences inside the browser.

Once you are done browsing anonymously, close your browser and go back to the Vidalia Control Panel. If you are done using Tor completely, click the Stop Tor button, and then click exit to close the application. Browsing the Web anonymously and privately has never been this easy.

Kyle Rankin is a Sr. Systems Administrator in the San Francisco Bay Area and the author of a number of books, including The Official Ubuntu Server Book, Knoppix Hacks and Ubuntu Hacks. He is currently the president of the North Bay Linux Users Group.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.

COLUMNS
THE OPEN-SOURCE CLASSROOM
SHAWN POWERS

Encrypting Your Cat Photos

Encryption is powerful and scary. Let's remove the scary.

The truth is, I really don't have anything on my hard drive that I would be upset over someone seeing. I have some cat photos. I have a few text files with ideas for future books and/or short stories, and a couple half-written starts to NaNoWriMo novels. It would be easy to say that there's no point encrypting my hard drive, because I have nothing to hide. The problem is, we wrongly correlate a desire for privacy with having something to hide. I think where I live, in America, we've taken our rights to privacy for granted. Rather than the traditional "he must be hiding porn or bombs", think about something a little more mundane.

I live in Michigan. It's cold here in the winter, and I tend to keep my thermostat set around 75 degrees. That might seem high to you, but for my family, it's just right. Thanks to the privacy of my own home, my neighbors don't know how toasty warm we keep it. Some of those neighbors would be very upset to see how "wasteful" the Powers family is in the winter. In fact, there's one local man who makes it a point to let everyone know that anything over 60 degrees is ecologically wasteful. I don't want to get into a fight with Old Man Icebritches, so we just keep our comfortable house a secret. We don't have anything to hide, but it's not something everyone needs to know about.

Obviously my example is silly, but hopefully it makes you think. Modern Linux allows us to encrypt our data easily and reliably, so why not take advantage of it?

How Does It Work?

I won't go into too much detail about how encryption works, but a basic understanding is necessary for even the simplest implementation. To encrypt and decrypt a file, two keys are required. One is the private key, which is just that, private. I like to think of the private key as an actual key: you can make copies if you want, but it's not wise to do so. The more copies of your private keys you make, the more likely someone nefarious will get one and break into your apartment, er, I mean files.

The public key is more like a schematic for a lock that only you can open (with your private key). You make this key available for anyone. You can post it on a Web site, put it in your e-mail, tattoo it on your back, whatever. When others want to create a file that only you can see, they encrypt it using your public key.

This one-to-many scenario also has a cool side effect. If you encrypt something using your private key, anyone can decrypt it using your public key. This may sound silly, but what makes such a scenario useful is that although the encrypted file isn't protected from prying eyes, it is guaranteed to be from you. Only a file encrypted with your private key can be decrypted with your public key. In this way, encrypting something with your private key digitally signs the file.

Usually it works like this:

1. You have a file you want to send to Suzy, so you encrypt it with Suzy's public key. Only Suzy can open it, but there's no way for Suzy to know that you are the one who sent it, since anyone could encrypt a file with her public key.

2. Therefore, you take the file you encrypted with Suzy's public key and encrypt that file with your private key. Suzy will have to decrypt the file twice, but she'll know it came from you.

3. Suzy receives the file and decrypts the first layer with your public key, proving it came from you.

4. Suzy then decrypts the second layer of encryption with her private key, as that's the only key able to decrypt the original file. (Because you originally encrypted it with her public key.)
That scenari o i s when encrypti on i s
used for safel y transferri ng fi l es, of
course. I ts al so qui te common si mpl y
to encrypt your fi l es (or parti ti ons)
so that no one can see them unl ess
you decrypt them fi rst. Lets start
wi th fi l e encrypti on, because thats
what most peopl e wi l l want to do on
thei r systems.
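The Suzy exchange above, as an added example that is not the column's code and not GnuPG's implementation: a toy sign-then-encrypt in Python. Textbook RSA on fixed small primes and a SHA-256 keystream stand in for the real algorithms, and the key names, the session-key wrapping and every helper name are assumptions made for the illustration. It shows why "encrypting with your private key" is really a signature over a hash that anyone can check with your public key, why only a short session key goes through the public-key step, and that a message whose signature doesn't match the claimed sender is rejected before Suzy ever reads it.

```python
"""Toy sign-then-encrypt exchange between you and Suzy.

Added example, not code from the column and not how GnuPG works internally.
Textbook RSA on fixed small primes (no padding) plus an ad hoc SHA-256
counter-mode keystream stand in for the real algorithms, so the whole flow
fits on one screen. Illustration only: never protect real data with this.
"""
import hashlib
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


# Well-known primes, fixed so the example is deterministic (toy sizes only).
YOUR_PUB, YOUR_PRIV = make_keypair(1000000007, 998244353)
SUZY_PUB, SUZY_PRIV = make_keypair(2147483647, 4294967291)


def sign(priv, message):
    """'Encrypt with your private key': apply d to a hash of the message,
    not to the message itself. Anyone holding the public key can check it."""
    n, d = priv
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(pub, message, signature):
    """'Decrypt with the public key' and compare with a freshly computed hash."""
    n, e = pub
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


def keystream_xor(session_key, data):
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(
            session_key.to_bytes(8, "big") + offset.to_bytes(4, "big")).digest()
        out += bytes(x ^ k for x, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(sender_priv, recipient_pub, message):
    """Sign the message, then encrypt message+signature to the recipient.

    Only a short random session key goes through RSA (the one-to-many public
    key step); the bulk data is encrypted under that session key, which is
    also how GnuPG arranges things.
    """
    n, e = recipient_pub
    session_key = secrets.randbelow(1 << 62)        # < n, fits in 8 bytes
    payload = sign(sender_priv, message).to_bytes(8, "big") + message
    return {"wrapped_key": pow(session_key, e, n),
            "ciphertext": keystream_xor(session_key, payload)}


def open_sealed(recipient_priv, sender_pub, envelope):
    """Unwrap the session key with the recipient's private key, decrypt,
    then refuse the message unless the sender's signature checks out."""
    n, d = recipient_priv
    session_key = pow(envelope["wrapped_key"], d, n)
    payload = keystream_xor(session_key, envelope["ciphertext"])
    signature, message = int.from_bytes(payload[:8], "big"), payload[8:]
    if not verify(sender_pub, message, signature):
        raise ValueError("signature check failed: not from the claimed sender")
    return message


if __name__ == "__main__":
    envelope = seal(YOUR_PRIV, SUZY_PUB,
                    b"the secrets to life, the universe and everything")
    print(open_sealed(SUZY_PRIV, YOUR_PUB, envelope))
```

Run as a script it prints Suzy's recovered message. Pass SUZY_PUB instead of YOUR_PUB to open_sealed and the signature check raises, which is the property step 3 above depends on. Real tools additionally pad RSA (OAEP for encryption, PSS for signatures) and encrypt the bulk data with an authenticated cipher; none of that is in this toy.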
Starting Simple
Before I go into more complex setups, let's discuss simply encrypting a file. There are various programs to handle encryption. In fact, it's easy to get overwhelmed with the available options for file and system encryption. Today, let's use a basic (but very powerful) command-line tool for encrypting a file. GPG (GNU Privacy Guard) is an open-source implementation of the OpenPGP standard (PGP stands for Pretty Good Privacy). It allows encryption and signing, and manages multiple keys and so on. For this example, let's simply encrypt a file.

Let's say you have a file called secret_manifesto.txt, which contains the secrets to life, the universe and everything. Using GPG, you can encrypt the file with a passphrase. Using a passphrase is far simpler than using a public and private key pair, because the file is simply encrypted with a key derived from your passphrase. This does make your file only as strong as the passphrase: GPG salts and iterates the passphrase before using it, so precomputed rainbow tables don't apply, but a short or guessable passphrase can still be brute-forced. A long one gives you, as the name promises, pretty good privacy. To encrypt your file, you can do this:
$ gpg -c secret_manifesto.txt
Enter passphrase:
Repeat passphrase:
Once complete, you'll have a new file in the same directory. It will be named secret_manifesto.txt.gpg by default. This is a binary file, which means it's fairly small, but it can't be copy/pasted into an e-mail or IM. For portability, you can add the -a flag, which will create an encrypted file that contains only ASCII text:
$ gpg -a -c secret_manifesto.txt
Enter passphrase:
Repeat passphrase:
$ ls -l
-rw-rw-r-- 1 spowers spowers   8 Nov 23 13:28 secret_manifesto.txt
-rw-rw-r-- 1 spowers spowers 174 Nov 23 13:27 secret_manifesto.txt.asc
-rw-rw-r-- 1 spowers spowers  55 Nov 23 13:28 secret_manifesto.txt.gpg
Notice there is now a file with .asc as the extension. This is text-only, but you can see in the code snippet that it's also much larger than the binary encrypted file, and much, much larger than the original text file. Once you've encrypted your file, if you truly want to keep your information secret, it would be wise to delete the original text file. (Keep in mind that a plain rm only unlinks the file; the old blocks can linger on disk, and on an SSD even overwriting tools can't guarantee they're gone. That's one argument for encrypting a whole volume, as shown later, rather than individual files.)
To decrypt the file, you'll again use the gpg program. The same command will decrypt either file, whether it's binary or ASCII:
$ gpg secret_manifesto.txt.asc
gpg: CAST5 encrypted data
Enter passphrase:
gpg: encrypted with 1 passphrase
File `secret_manifesto.txt' exists. Overwrite? (y/N)
Notice in the example above, I hadn't deleted the original text file, so gpg gave me the option of overwriting. Once complete, I have my original file back, unencrypted. (The CAST5 line shows which symmetric cipher GPG picked; newer GnuPG releases default to AES, and you can choose one explicitly with --cipher-algo.)

If you just have a file or two you want to protect, the command-line gpg program might be all you need. If you'd rather have an area on your system that automatically encrypts everything you save, it's a little more complicated. It's still not terribly difficult, but let's start with a fairly simplistic model.
Encrypting a USB Drive
Like I mentioned earlier, there are many options when it comes to encryption. One of the more popular methods of encrypting partitions is the LUKS (Linux Unified Key Setup) system. A USB drive with a LUKS-formatted partition should be detected automatically by most systems. In fact, if you're using a desktop environment like Ubuntu Desktop, encrypting a USB drive is a simple check box during the formatting process. Although that's a perfectly acceptable way to encrypt your USB drive, I'm going to demonstrate how to do it on the command line, so you understand what's actually happening behind the scenes.
Step 1: identify your USB drive. If you type dmesg after plugging in your USB drive, you should get all sorts of system information, including the device name of your freshly plugged-in USB device (lsblk gives a tidier view of every disk, its partitions and what is mounted where). Make sure you have the correct device identified, because what you're doing will destroy any data on the drive. You wouldn't want to format the wrong disk accidentally. (It should go without saying, but I'll say it anyway, make sure there's nothing on your USB drive that you want to save; this is a destructive process.)
Step 2: partition the USB drive. Assuming that your USB drive is the /dev/sdb device on your system, you need to create a single partition on the drive. Let's use fdisk. Below is the interaction with fdisk required. Basically, you create a new empty DOS partition table with the o command, then write changes with w. Then, you'll restart fdisk and use the n command to create a new primary partition, using the defaults so that the entire drive is used:
$ sudo fdisk /dev/sdb

Command (m for help): o
Building a new DOS disklabel with disk identifier 0x........
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Command (m for help): w
The partition table has been altered!

$ sudo fdisk /dev/sdb
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4, default 1): 1
Using default value 1
First sector (2048-1018522, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1018522, default 1018522):
Using default value 1018522

Command (m for help): w
The partition table has been altered!
Now you have a USB drive with a single partition (/dev/sdb1), but there is no filesystem on it. That's exactly what you want, because the LUKS system creates an encryption layer on the partition before you put a filesystem on it. So before creating a filesystem, let's create the LUKS layer on the partition, using the cryptsetup program. If you don't have cryptsetup, search for it in your distribution's repository; it should be there. To create the LUKS encrypted partition layer:
$ sudo cryptsetup luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Follow the directions, and be sure to remember your passphrase! Note that a passphrase is usually more than just a word. It's most often a phrase, thus the name. The longer the phrase, the tougher to crack.
Once the process completes, you have an encrypted partition, but it's not opened or formatted yet. The first step is to open the partition, which again uses the cryptsetup utility:
$ sudo cryptsetup luksOpen /dev/sdb1 my_crypto_disk
Enter passphrase for /dev/sdb1:
When you type in your passphrase, the device name you entered appears as a new virtual block device (nothing is mounted yet). It's created under /dev/mapper/devicename, so this example gives you /dev/mapper/my_crypto_disk.

This device is now being accessed as an unencrypted volume: everything written to it is encrypted on its way to /dev/sdb1, and everything read is decrypted on the way back. As long as it stays open, it will act like any other unencrypted volume. That means you need to write a filesystem to it if you want to use it:
$ sudo mkfs.vfat /dev/mapper/my_crypto_disk -n my_crypto_disk
mkfs.vfat 3.0.9 (31 Jan 2010)
Now the drive is fully functional and can be mounted like any other disk. In fact, when you put the USB drive into your computer, if you have a modern GUI desktop, it should prompt you for a password and mount it automatically. Then you can eject it like a normal disk, and it will be encrypted until you next enter your passphrase. It's simple to close the drive on the command line too: unmount the filesystem first, then tell cryptsetup to close the mapping. That removes the decrypted view and takes the key out of memory; the bytes on the USB stick were ciphertext the whole time:
$ sudo cryptsetup luksClose my_crypto_disk
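The whole procedure above, as one guarded script. This is an added example, not the column's commands: it runs the same steps (partition, luksFormat, luksOpen, mkfs, luksClose) but refuses to touch a device unless it is a whole removable disk with nothing mounted from it, which is the "wrong disk" mistake Step 1 warns about. It assumes util-linux's lsblk with JSON output, parted and cryptsetup on PATH, root privileges, and a partition name of device + "1" (true for /dev/sdX names, not for NVMe-style ones); the function names are mine. It picks ext4 instead of the column's vfat, since a LUKS volume can't be read by Windows or macOS anyway and ext4 keeps Unix permissions.

```python
"""Guarded version of the USB-drive procedure from the column.

Added example, not code from the column. Assumes lsblk (util-linux) with
JSON output, parted and cryptsetup on PATH, and root. The partition name
is derived as device + "1", which holds for /dev/sdX but not /dev/nvme0n1.
Everything it does to the chosen device is destructive.
"""
import json
import subprocess
import sys


def check_usb_target(lsblk_json, device):
    """Return the lsblk entry for device, or raise ValueError saying why it
    is not a safe target. Accepts both the old ("0"/"1") and the new
    (true/false) encodings of lsblk's RM column."""
    for disk in json.loads(lsblk_json)["blockdevices"]:
        if disk.get("path", "/dev/" + disk["name"]) != device:
            continue
        if disk.get("type") != "disk":
            raise ValueError(f"{device} is a {disk.get('type')}, not a whole disk")
        if str(disk.get("rm")).lower() not in ("1", "true"):
            raise ValueError(f"{device} is not flagged removable; refusing")
        nodes = [disk] + disk.get("children", [])
        mounted = [n["name"] for n in nodes if n.get("mountpoint")]
        if mounted:
            raise ValueError(f"{device} has mounted filesystems: {mounted}")
        return disk
    raise ValueError(f"{device} not found; check lsblk output")


def luks_usb_commands(device, name):
    """The column's procedure as argv lists, in order."""
    part = device + "1"
    return [
        ["wipefs", "--all", device],                      # drop old signatures
        ["parted", "--script", device,
         "mklabel", "msdos", "mkpart", "primary", "1MiB", "100%"],
        ["partprobe", device],                            # reread the table
        ["cryptsetup", "luksFormat", "--type", "luks2", part],  # asks on tty
        ["cryptsetup", "luksOpen", part, name],
        ["mkfs.ext4", "-L", name, f"/dev/mapper/{name}"],
        ["cryptsetup", "luksClose", name],
    ]


def main(device, name="my_crypto_disk"):
    listing = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,PATH,TYPE,RM,MOUNTPOINT", device],
        check=True, capture_output=True, text=True).stdout
    check_usb_target(listing, device)          # raises before any damage
    for argv in luks_usb_commands(device, name):
        print("+", " ".join(argv))
        subprocess.run(argv, check=True)       # cryptsetup prompts on the tty


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: luks_usb.py /dev/sdX   (destroys everything on it)")
    main(sys.argv[1])
```

The guard is the point: an internal disk is not flagged removable and usually has something mounted, so the script stops before wipefs runs. The mkfs step needs the mapping open, which is why luksClose comes last; plug the stick back in afterwards and the desktop will ask for the passphrase as described above.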
That's Only the Tip of the Iceberg
In this article, my hope is to peel back some of the mystery behind encryption. It's simple to encrypt and decrypt a file. It's not too much more difficult (especially if you use the GUI desktop tools) to encrypt an entire USB drive. With most distributions, it's possible to encrypt the entire home directory during the installation process!

When encryption is set up on your entire home directory, however, there are some issues you need to address. For example, jobs that run while you're not logged in most likely will not have access to your home directory. If you have cron jobs that need access to your home directory, you should rewrite them to access data elsewhere on the system. I find a happy medium between security and convenience is to encrypt a USB drive and store my personal data on it.
Once you get the encryption bug, I must warn you, you'll want to start encrypting everything. That's not a bad thing, but like the home directory scenario, you'll run into a few snags. Cross-platform accessibility is a big one if you go between systems. For situations like that, I highly recommend TrueCrypt (http://www.truecrypt.org). I've mentioned TrueCrypt in UpFront pieces before, but it's basically an open-source, cross-platform encryption system that allows you to encrypt files, folders, partitions and more while being able to access that data on any system. Windows, Mac and Linux clients are all available, and the community has great support. (TrueCrypt's original developers discontinued it in May 2014, a few months after this issue; VeraCrypt is the maintained successor and can open TrueCrypt volumes.)
You don't have to have something to hide in order to desire encryption for your files. Just like it's wise to lock your house at night, even if you live in a good neighborhood, it's a smart move to encrypt your personal data. If you want to share your photos of Mr Whiskerton in his cute little beanie hat with everyone on the Internet, that's your right. But others don't need to see those things if they're being nosey and poking around your hard drive!
Shawn Powers is the Associate Editor for Linux Journal. He's also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don't let his silly hairdo fool you, he's a pretty ordinary guy and can be reached via e-mail at shawn@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
NEW PRODUCTS

Innodisk's FlexiArray SE108 and HD224 Storage Appliances

The secret to the performance advances in Innodisk's FlexiArray line of storage appliances is the company's novel FlexiRemap Technology, which deals with the challenges of I/O performance, data endurance and affordability. FlexiRemap, notes Innodisk, innovates in software and firmware, creating a new category of Flash-collaborating storage appliances (in contrast to Flash-aware or Flash-optimized) that deliver sustained high IOPS, even for random write operations. Innodisk's first storage appliances to leverage this technology, the new FlexiArray SE108 and HD224, are designed to provide cost-effective performance for high-performance computing, cloud computing and I/O-bound server applications. Typical application areas include cloud computing, virtualization and HPC. The slim SE108 offers up to 2TB of storage in a 1U-rackmount package; the HD224 provides up to 8TB in a 2U-rackmount unit, with 8x 10GbE SFP+ interfaces. Both units offer redundant hot-swappable SSDs and power modules.
http://flexiarray.innodisk.com
Magic Software Enterprises' Magic xpi Integration Platform

With most core enterprise systems in place, organizations of all sizes are looking to business process integration and automation to increase operational efficiency and competitiveness. The updated Magic xpi Integration Platform from Magic Software Enterprises is a cloud-ready integration platform that enables users to unlock data from enterprise systems like SugarCRM, Sage and SYSPRO. In the new release, the aforementioned three platforms now enjoy certified, prebuilt adapters for optimized integration, which complement existing adapters for Oracle JD Edwards EnterpriseOne, JD Edwards World, SAP, IBM Lotus Notes, Microsoft Dynamics, Microsoft SharePoint and Salesforce, and more. In addition, an In-Memory Data Grid (IMDG) architecture is the new standard. IMDG offers cost-effective elastic scalability, built-in clustering and failover capabilities, which support enterprise needs for business continuity, faster processing and increasing transaction loads spurred by new mobile, cloud and big-data use cases.
http://www.magicsoftware.com
AdaCore's GNAT Programming Studio

Usability is the word that best captures the essence of the new version 6.0 release of AdaCore's GNAT Programming Studio (GPS) graphical IDE. This major engineering effort features a significantly revised and cleaner user interface that eases program navigation and editing. The revised look and feel, which exploits the latest Gtk+/GtkAda graphical toolkit, is supported by a new relational database at the heart of the GPS engine, making code navigation much more efficient. GPS 6.0 also brings improved performance and new functionality, including language support for SPARK 2014, syntax highlighting and tool tips for Ada 2012 and SPARK 2014 aspects, editor enhancements and a number of additions to the scripting API.
http://www.adacore.com
Rahul Singh's Kali Linux Social Engineering (Packt Publishing)

The new book Kali Linux Social Engineering by Rahul Singh exists to help you master the social engineering toolkit, or SET, found in the security-focused Kali Linux distribution. With Singh's book in hand, readers can learn how security can be breached using social-engineering attacks, as well as attain a very unique ability to perform a security audit based on social-engineering attacks. Starting with attacks using Kali, this book describes in detail various Web site attack vectors and client-side attacks that can be performed through SET. This book covers some of the most advanced techniques that currently are being utilized by attackers to get inside secured networks, covering phishing (credential harvester attack), Web jacking attack method, spear phishing attack vector, Metasploit browser exploit method, Mass mailer attack and more.
http://www.packtpub.com
OpenLogic's AWS Marketplace Offerings

OpenLogic's vision is to keep enterprise customers running on some of the world's best open-source packages. To convert this vision into reality, the firm intends to make available more than 50 new preconfigured stacks through the Amazon Web Services (AWS) Marketplace, including production-level support for JBoss, Apache HTTP, Tomcat, MySQL, PostgreSQL, ActiveMQ and the CentOS operating system. These are in addition to OpenLogic's existing offerings on AWS. Enterprise support will include both 12x5 business-hour support and 24x7 production-level support. Products will be offered for use at an hourly rate. OpenLogic adds that OLEX, its open-source scanning, governance and provisioning portal, allows organizations to embrace open source with confidence.
http://www.openlogic.com
Jack Moffitt and Fred Daoud's Seven Web Frameworks in Seven Weeks (Pragmatic Bookshelf)

There's something to the Seven in Seven Weeks concept in the tech books from Pragmatic Bookshelf. The latest addition in this practical series is Jack Moffitt and Fred Daoud's Seven Web Frameworks in Seven Weeks: Adventures in Better Web Apps. Whether you need a new tool or merely a dose of inspiration, this work explores your options and gives you sufficient exposure to each one, along with tips for creating better apps. The authors cover frameworks that leverage modern programming languages, employ unique architectures, live client-side instead of server-side or embrace type systems. Covered frameworks include Sinatra, CanJS, AngularJS, Ring, Webmachine, Yesod and Immutant. The breakneck evolution of Web apps demands innovative solutions, and this survey of frameworks and their unique perspectives is designed to inspire and promote new thinking for dealing with daily programming challenges.
http://www.pragprog.com
Stackinsider Deployment-as-a-Service Cloud Platform

Stackinsider's approach to OpenStack is packaging it as a Deployment-as-a-Service (DaaS) cloud platform, which the company says is the first of its kind to be public and free. Designed to make OpenStack technology adoption significantly easier and faster than conventional approaches, the Stackinsider DaaS approach consolidates and streamlines key OpenStack distributions and real-world applications for a wide range of uses. DaaS has integrated all popular IaaS deployment toolchains including RDO, FUEL, Puppet, DevStack and Chef. Some popular applications like Moodle and SugarCRM also are provided for PaaS prototyping. This public DaaS cloud is available for download at Stackinsider's Web site.
http://www.stackinsider.com

Please send information about releases of Linux-related products to newproducts@linuxjournal.com or New Products c/o Linux Journal, PO Box 980985, Houston, TX 77098. Submissions are edited for length and content.
JetBrains PhpStorm

For JetBrains, developing a new version of the PhpStorm IDE for PHP means more than keeping on top of the latest changes in Web languages. It is also about supporting and integrating modern tools and popular frameworks, not to mention removing obstacles on the road to productive Web development. Of course, the new PhpStorm 7 supports the latest PHP 5.5 with improved PHP syntax coloring, new refactorings, code inspections and quick-fixes. Support also has been added for various front-end Web technologies, such as different JavaScript templates, Web Components and modern stylesheets. Built-in tools for Vagrant, SSH console and local terminal and Google App Engine for PHP have been added too. Finally, support has been enhanced for various frameworks, including Drupal, Symfony2 and others.
http://www.jetbrains.com/phpstorm
FEATURE Quantum Cryptography

QUANTUM CRYPTOGRAPHY

Classical cryptography provides security based on unproven mathematical assumptions and depends on the technology available to an eavesdropper. But, these things might not be enough in the near future to guarantee cyber security. We need something that provides unconditional security. We need quantum cryptography.

SUBHENDU BERA
Imagine you want to send a message to your friend, and you don't want others to be able to read the message. You lock your message in a box using a key and send the box to your friend. Your friend also has a key to unlock that box, so he easily can open the box and read the message. In general, this is the technique used by cryptographic algorithms. Locking the message in the box is like encryption, and unlocking the box is like decryption. Before sending the message to the receiver, the data is encrypted using an encryption algorithm and a secret key. On the receiver side, the encrypted data is decrypted using the matching decryption algorithm and the same key.

Classical cryptographic algorithms mostly rely on mathematical approaches to secure key transmission. The security they offer is based on unproven assumptions (for instance, that factoring large numbers is hard) and depends on the technology available to an eavesdropper. But, rapidly growing parallel and quantum technologies may be a threat to these classical cryptography techniques in the near future. One of the solutions to these threats is quantum cryptography.

What is quantum cryptography? Quantum cryptography is a complex topic, because it brings into play something most people find hard to understand: quantum mechanics. So first, let's focus on some basic quantum physics that you'll need to know to understand this article.
Simple Quantum Physics

Quantum, in physics, is a discrete natural unit, or packet of energy, charge, angular momentum or other physical property. Light, for example, appears in some respects as a continuous electromagnetic wave, but on the submicroscopic level, it is emitted and absorbed in discrete amounts or quanta. These particle-like packets (quanta) of light are called photons, a term also applicable to quanta of other forms of electromagnetic energy, such as X rays and gamma rays.
One unique thing about quanta is that they can exist in all of their possible states at once. This also applies to photons. This means that in whatever direction a photon can spin (say, diagonally, vertically and horizontally), it does so all at once. (What this article calls spin is, strictly speaking, the photon's polarization; the word spin is kept because that is how the figures are labelled.) Quanta of light in this state are called unpolarized photons. This is like someone moving north, south, east, west, up and down all at the same time. This property is called superposition. One thing you should keep in mind is that measuring something that is in its superposition causes it to collapse into a definite state (one of all the possible states). Figure 1 should help describe superposition.

Looking at Figure 1, you can identify one of four possibilities: either both squares are protruding forward or both are backward, or one is forward and the other is backward. Each time you look at the diagram, only one possibility is true. In a sense, all four options exist together, but when you look at the diagram, it collapses into just one. This is the essence of quantum superposition.

Figure 1. Necker Cubes

Through the use of polarization filters, you can force the photon to take one of its states, or technically, polarize it. If you use a vertical polarizing filter, some photons will be absorbed, and some will emerge on the other side of the filter. Those photons that aren't absorbed will emerge on the other side with a vertical spin. Thus, you can polarize the photons to your required orientation using suitable filters.

Figure 2. Polarizing Photons

The foundation of quantum physics is the unpredictability factor. This unpredictability is pretty much defined by Heisenberg's Uncertainty Principle. This principle says that certain pairs of physical properties are related in such a way that measuring one property prevents the observer from knowing the value of the other. But, when dealing with photons for encryption, Heisenberg's Principle can be used to your advantage. When measuring the polarization of a photon, the choice of what direction to measure affects all subsequent measurements. The thing about photons is that once they are polarized, they can't be measured accurately again, except by a filter like the one that initially produced their current spin. So if a photon with a vertical spin is measured through a diagonal filter, either the photon won't pass through the filter or the filter will affect the photon's behavior, causing it to take a diagonal spin. The two outcomes are equally likely, and either way the information on the photon's original polarization is lost.

In the diagram in Figure 3, I have used the wrong basis for the last two cases, and you can see that I have changed the polarization of two photons.

Figure 3. Effect of Various Bases on Polarized Photons
Quantum Information

The bit is the fundamental concept of classical computation and classical information. Quantum computation and quantum information are built upon an analogous concept: the quantum bit, or qbit for short (more often spelled qubit). Just as a classical bit has a state of either 0 or 1, a qbit is like a bit, but it is in superposition between 0 and 1. Two possible states for a qbit are the states |0> and |1>. This notation is called Dirac notation. A qbit can be fully expressed as:

    a|0> + b|1>,   with |a|^2 + |b|^2 = 1.

When we measure a qbit, we get a 0 with probability |a|^2 and a 1 with probability |b|^2.
Now consider a quantum computer with two qbits. There are four possible states: |00>, |01>, |10> and |11>, and its superposition is

    a|00> + b|01> + c|10> + d|11>,

where |a|^2, |b|^2, |c|^2 and |d|^2 are the probabilities of finding the two qbits in each of the four states. In a quantum computer, the two bits are in all possible states at one time. So it is possible to add a number to the two bits, which means we can add the number to 00, 01, 10 and 11 and compute the result at the same time. This ability to operate on all states at one time makes it so powerful. (The catch is that a measurement still returns only one of the results, so a useful quantum algorithm has to arrange for the wanted answer to come out with high probability.)

Here the number of parallel operations depends on the number of qbits used. If N qbits are used, then 2^N operations can be done in parallel, and this inherent parallelism makes quantum computers so fast. But the question is, how do you encode a photon as a qbit? We know a photon has its own spin in all possible directions. Just as certain digital systems treat +5 volts as 1 and 0 volts as 0, we can use the spin property of a photon to encode a photon as a qbit. We can use the photon's spin in a particular direction as 1 and the spin in the other direction as 0: say, a photon with vertical spin will be considered as 1 and a photon with horizontal spin as 0.

Figure 4. Encoding Polarized Photons as Binary Values
Quantum Cryptography

Before starting to describe what quantum cryptography is, let me introduce three names I use throughout this article: Alice, Bob and Eve. Alice is sending the message, and Bob is receiving the message. Eve is in between them, trying to intercept the message. What Eve wants to do is somehow collect the secret key to the message and decrypt it. Now, if Alice somehow can send the key of the message to Bob without any interception, she can send the message without problems.

Now, let me discuss the BB84 protocol. It is named after its inventors, Charles Bennett and Gilles Brassard, and it was published in 1984. Quantum cryptography follows two steps. The first one is sending the secret key, and the second step is sending the message. Here, Alice and Bob make use of two fundamentally different communication channels: a classical channel and a quantum channel. A classical channel is something that you use on the Internet to transfer data. In a classical channel, Eve can observe the bit-stream without affecting the data. But, a quantum channel is something different. It is capable of sending information in terms of quanta, and Eve can't observe the data without affecting the data. In the BB84 protocol, the secret key is sent through the quantum channel, but the message is sent through the ordinary channel, encrypted with the secret key. The first step is called Quantum Key Distribution (QKD). In this step, Alice and Bob use the quantum channel for communication. (One caveat: the classical channel doesn't need to be secret, but it does need to be authenticated. Otherwise Eve can impersonate Bob to Alice and Alice to Bob and run the protocol once with each of them. QKD distributes keys; it doesn't replace authentication.)

Figure 5. Binary Encoding of Photons in My Examples
First, let's imagine there is no Eve between Alice and Bob. Let's assume that Alice is using two types of polarizer: one is a diagonal polarizer (X) and one a rectilinear polarizer (+). In a rectilinear basis, a photon with a spin | (that is, up to down) is considered as 1, and - (that is, left to right) is 0. In a diagonal basis, a photon with a spin / is considered as 1, and \ is 0. The diagram shown in Figure 5 should help you understand how I'm representing photons as binary values.

Now Alice has a key, and for each bit, she will select a random basis (either diagonal or rectilinear) to encode the bit to send. Nobody, not even Bob, knows what basis Alice is using. Bob will receive the encoded qbits, and Bob will use a random basis to decode each qbit. If he uses the same basis, he will get the exact bit that Alice sent; otherwise, there is a 50% chance that he will get a wrong bit. For example, if Alice uses a diagonal basis to encode 1, and Bob also uses a diagonal basis to decode that, then he will get a 1. If he uses a rectilinear basis, then there is a 50% chance that he will get a 1 and a 50% chance of getting 0. As Bob is also using random bases, there's a 50% chance that he will use the right basis (that is, he will use the basis that Alice used) and will decode those 50% of qbits exactly, and for the 50% measured in the wrong basis, he will decode half of them (25% of the total) correctly by luck. That means Bob will decode 75% of the qbits exactly.

Alice and Bob will exchange the basis they used for each bit using the normal channel without revealing their bits. They can check for which bits they both used the same basis, and those bits will be used as the secret key. Consider the example shown in Table 1 where Alice is sending the secret key 100101.

Table 1. Alice Sending the Secret Key 100101

                ALICE          BOB
Key bit         1,0,0,1,0,1
Basis used      +,X,+,+,X,X    +,+,+,X,+,X

In this case, Bob will decode the key as 1, 0/1, 0, 0/1, 0/1, 1, where 0/1 marks a position whose outcome is random. Because Bob has used some wrong bases to measure the qbits, he may get a 0 or a 1 randomly in those cases. Then, they will exchange their bases with each other, and they will find that in positions 2, 4 and 5, Bob used the wrong basis. So they will use the rest of the bit string (the 1st, 3rd and 6th bits) as the secret key, that is, 101. The rest is simple: just encrypt the message using that key and send it. (In a real system, Alice and Bob first sacrifice a random sample of the sifted bits, comparing them over the classical channel to measure the error rate; those bits are discarded and the remainder becomes the key. A noiseless channel with no eavesdropper gives an error rate of zero.)
The situation becomes critical when
Eve comes into action. As they are
connecting using the public channel,
it is quite possible that Eve will
intercept the communication. In this
case, as with the previous case, Alice
encodes the bit information using any
basis and sends it to Bob, but now
Eve intercepts the qbits. Like Bob, Eve
also has a decoder of the qbit. But Eve
also doesn't know the basis Alice is
using, so like Bob, she also randomly
uses basis to decode the qbits. There
is a 50% chance that Eve will use the
right basis, and a 50% chance she will
use the wrong basis. For the correct
50%, the photon's spin direction will
not be affected, but for the wrong
50%, the photon's spin direction will
be changed. For the 50% of qbits
for which Eve used the right basis,
Bob will use a 25% right basis and
25% wrong basis, and for the right
25% of qbits, he will get a 25% right
qbit, and for the wrong 25% basis
Bob used, he will get 12.5% of qbits
correct just due to probability. That means from the first 50% for which Eve used the right basis, Bob will get 37.5% correct qbits. For the rest of the 50%, again Bob will use 25% right and 25% wrong basis. From this, Bob will get 12.5% and 12.5% due to probability, which means he will get 25% right qbits. So when Eve is between them, Bob will have 37.5 + 25 = 62.5% accuracy. Figure 6 demonstrates this calculation.
In Figure 6, the node with **,
like C**, represents the nodes where
Bob decoded the qbits correctly, and
the node with *, like F*, represents
the nodes where Bob decoded the
qbits incorrectly. One question that
may arise is why does Bob get 12.5%
accuracy (in E,L) when he used the
wrong basis? Remember that when
you use a wrong basis to decode
a qbit, there is a 50% chance that
you will get a 0, and a 50% chance
that you will get a 1. By this logic,
Bob will have 12.5% accuracy from
D. Similarly, in the case of I, when
Bob has used the correct basis (with
respect to Alice's basis) but Eve already has changed the polarization of the qbits using the wrong basis, Bob has a 50% chance of being right and a 50% chance of being wrong. So overall, Bob gets 12.5% right qbits in I and 12.5% wrong qbits in J. Now they will match the basis they used for each qbit, and they will use the bits where Bob used the correct basis, and they will throw out the bits for which Bob used the wrong basis. Now they need to check whether Eve is listening. For that purpose, they will use a subset of the matched key (after throwing out the bits for which Bob used wrong basis) and compare with others using the normal channel. Bob will have 100% accuracy if Eve is not there; otherwise, Bob will have 75% accuracy in the basis comparison. If the accuracy is 100%, they will discard the set of bits they used for matching, and the rest of the bit string will be used as the key to encrypt the message. If 100% accuracy is not observed, they will try again to get a key using QKD.

Figure 6. Accuracy Calculation for Bob When Eve Is Intercepting
In Table 2, Alice is sending a key of 01101011 to Bob using two types of polarization as stated above. Now Alice and Bob will compare their basis, and they will find that Bob has guessed the 1st, 3rd, 7th and 8th basis correctly. So they will throw out the bits for the remaining positions, that is, the 2nd, 4th, 5th and 6th. Now the key is 0011. They will choose the first two bits for matching, and then they will find that their second bit in the key is different, which means Eve is between them. Then they will repeat the same procedure again until they get a 100% key match. When they get a key, they easily can encrypt the message using the key and send it via the public network.
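The whole procedure just described, as an added Python simulation that is not part of the original article: Alice encodes random bits in random bases, an optional intercept-resend Eve measures and re-sends each qbit in her own basis, Bob measures in his own random basis, the two sift by comparing bases over the public channel, and a sample of the sifted key is compared to detect Eve. It reproduces Table 1 and then measures the error rate Eve introduces; all bits and bases come from a seeded random generator, so the numbers are constructed here.

```python
import random

RECTILINEAR, DIAGONAL = "+", "X"


def measure(bit, encoding_basis, measuring_basis, rng):
    """Outcome of measuring one qbit in measuring_basis.

    Same basis: the encoded bit is read back exactly.  Wrong basis: the
    outcome is a fair coin toss, and the photon is left polarized in the
    measuring basis, so the information Alice encoded is destroyed.
    """
    if encoding_basis == measuring_basis:
        return bit
    return rng.randrange(2)


def random_bases(n, rng):
    return [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n)]


def transmit(alice_bits, alice_bases, bob_bases, rng, eve_bases=None):
    """Bits Bob records. With eve_bases, Eve measures every qbit in her own
    basis and re-sends it in that basis (intercept-resend attack)."""
    bob_bits = []
    for i, (bit, basis) in enumerate(zip(alice_bits, alice_bases)):
        if eve_bases is not None:
            bit = measure(bit, basis, eve_bases[i], rng)
            basis = eve_bases[i]      # the re-sent photon carries Eve's basis
        bob_bits.append(measure(bit, basis, bob_bases[i], rng))
    return bob_bits


def sift(alice_bases, bob_bases):
    """Positions where both used the same basis; only the bases are compared
    over the public channel, the bits themselves are never revealed."""
    return [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]


def check_for_eve(alice_key, bob_key, sample_size):
    """Publicly compare the first sample_size sifted bits, then discard them.
    Returns (mismatches, bits_compared, alice_final, bob_final)."""
    n = min(sample_size, len(alice_key))
    mismatches = sum(a != b for a, b in zip(alice_key[:n], bob_key[:n]))
    return mismatches, n, alice_key[n:], bob_key[n:]


def run_bb84(n_qbits, seed, eve=False, sample_size=0):
    """One full exchange with random bits and bases drawn from `seed`."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qbits)]
    alice_bases = random_bases(n_qbits, rng)
    bob_bases = random_bases(n_qbits, rng)
    eve_bases = random_bases(n_qbits, rng) if eve else None
    bob_bits = transmit(alice_bits, alice_bases, bob_bases, rng, eve_bases)
    kept = sift(alice_bases, bob_bases)
    alice_key = [alice_bits[i] for i in kept]
    bob_key = [bob_bits[i] for i in kept]
    mismatches, compared, alice_final, bob_final = check_for_eve(
        alice_key, bob_key, sample_size)
    return {"sifted": len(kept), "mismatches": mismatches, "compared": compared,
            "alice_final": alice_final, "bob_final": bob_final}


if __name__ == "__main__":
    # Table 1 from the article: Alice sends 100101 with bases +X++XX and Bob
    # measures with +++X+X; positions 1, 3 and 6 survive sifting, giving 101.
    alice_bits = [1, 0, 0, 1, 0, 1]
    kept = sift(list("+X++XX"), list("+++X+X"))
    print("kept positions (1-based):", [i + 1 for i in kept])
    print("sifted key:", "".join(str(alice_bits[i]) for i in kept))

    # Many qbits: without Eve the sifted keys agree exactly; with an
    # intercept-resend Eve about 25% of the compared bits disagree, so Alice
    # and Bob throw the key away and start over.
    for eve in (False, True):
        r = run_bb84(4000, seed=7, eve=eve, sample_size=1000)
        print(f"eve={eve}: {r['sifted']} sifted bits, "
              f"{r['mismatches']}/{r['compared']} compared bits differ")
```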
Limitations
In practice, the quantum channel also
will be affected by noise, and it will
be hard to distinguish between noise
and eavesdropping.
If Eve wants, she can intercept the
quantum channel just to not allow
Alice and Bob to communicate.
No amplifiers are used on the
optical fiber carrying the quantum
signal. Such devices would disrupt the
communication in the same way an
eavesdropper does. This implies, in
turn, that QKD's range is limited.
Following the no-cloning theorem, QKD can provide only a 1:1 connection. So the number of links will increase as N(N-1)/2, where N represents the number of nodes.

Table 2. Alice Sending a Key of 01101011 to Bob Using Two Types of Polarization
Alice's basis   + X + + X X X X
Alice's data    0 1 1 0 1 0 1 1
Eve's basis     + + X + X X X +
Eve's data      0 1 0 0 1 1 1 0
Bob's basis     + + + X + X X X
Bob's data      0 0 0 0 0 1 1 1
Research
Researchers have been developing
such systems for more than a decade.
The DARPA Quantum Network,
which became fully operational in
BBNs laboratory in October 2003,
has been continuously running in
six nodes, operating through the
telecommunications fiber between
Harvard University, Boston University
and BBN since June 2004. The DARPA Quantum Network is the world's first quantum cryptography network, and perhaps also the first QKD system providing continuous operation across a metropolitan area (http://arxiv.org/abs/quant-ph/0503058).
NIST performs core research on the
creation, transmission, processing
and measurement of optical qbits.
It demonstrated high-speed QKD
systems that generate secure keys
for encryption and decryption of
information using a one-time pad
cipher, and extended them into a
three-node quantum communications
network (http://w3.antd.nist.gov/qin/index.shtml).
Toshiba's Quantum Key Distribution
System delivers digital keys for
cryptographic applications on fiber-
optic-based computer networks
based on quantum cryptography. In
particular, it allows key distribution
over standard telecom fiber links
exceeding 100km in length and bit
rates sufficient to generate 1 megabit
per second of key material over a
distance of 50km, sufficiently long for metropolitan coverage (https://www.toshiba-europe.com/research/crl/qig/quantumkeyserver.html).
The current status of quantum
cryptography in Japan includes an
inter-city QKD testbed based on DPS-QKD, a field test of a one-way BB84 system over 97km with noise-free WDM clock synchronization, and so on ("Toward New Generation Quantum Cryptography: Japanese Strategy" by Nukuikita, Koganei).
The 973 Program and 863 program
of China have funded support to
the QKD research (Post-Quantum Cryptography: Third International Workshop, PQCrypto 2010, Darmstadt, Germany, May 25-28, 2010, Proceedings, 1st ed.).
In Europe, the SEcure COmmunication based on Quantum Cryptography (SECOQC, 2004-2008) project was funded for the same reason (http://vcq.quantum.at/publications/all-publications/details/643.html).
In 2004, ID Quantique was the first in the world to bring a quantum key distribution system to a commercial market. ID Quantique's QKD product was used in conjunction with layer 2 Ethernet encryption to secure elections in Geneva. Other companies, like MagiQ, QinetiQ and NEC, also are working in this field. Companies claim to offer or to be developing QKD products, but limited information is publicly available. However, it's likely that the situation will evolve in the near future (http://swissquantum.idquantique.com/?-Quantum-Cryptography-#).
Subhendu Bera is from West Bengal (India). He completed his
Master of Science degree in Computer Science from Banaras
Hindu University and his Bachelor of Science degree in Computer
Science from University of Calcutta. Currently, he is preparing for
entrance for a PhD. He likes to play with machine learning tools,
and in his spare time, he reads, blogs and plays cricket and chess.
Resources
W. Chen, H.-W. Li, S. Wang, Z.-Q. Yin, Z. Zhou, Y.-H. Li, Z.-F. Han and G.C. Guo (2012). "Quantum Cryptography", in Applied Cryptography and Network Security, Dr. Jaydip Sen (Ed.), ISBN: 978-953-51-0218-2, InTech, available from http://www.intechopen.com/books/applied-cryptography-and-network-security/quantum-cryptography
"Quantum Cryptography Hits the Fast Lane" by Adrian Cho: http://news.sciencemag.org/sciencenow/2010/04/quantum-cryptography-hits-the-fa.html
"Do we need quantum cryptography?" by Peter Rohde: http://www.peterrohde.org/2012/06/29/do-we-need-quantum-cryptography
"A Little (q)bit of Quantum Computing" by Douglas Eadline: http://www.linux-mag.com/id/8753
"What is a quantum computer?" by Dr Boaz Tamir: http://thefutureofthings.com/column/5/what-is-a-quantum-computer.html
Quantum Computation and Quantum Information by Michael A. Nielsen and Isaac L. Chuang, Cambridge University Press, 2011.
Quantum Communication: http://w3.antd.nist.gov/qin/index.shtml
Send comments or feedback via
http://www.linuxjournal.com/contact
or to ljeditor@linuxjournal.com.
FEATURE More Secure SSH Connections
More Secure SSH Connections
Thwart would-be attackers by hardening your SSH connections.
FEDERICO KEREKI

If you need remote access to a
machine, you'll probably use
SSH, and for a good reason. The
secure shell protocol uses modern
cryptography methods to provide
privacy and confidentiality, even over
an unsecured, unsafe network, such
as the Internet. However, its very
availability also makes it an appealing
target for attackers, so you should
consider hardening its standard setup
to provide more resilient, difficult-to-
break-into connections. In this article,
I cover several methods to provide
such extra protections, starting with
simple configuration changes, then
limiting access with PAM and finishing
with restricted, public key certificates
for passwordless restricted logins.
Where Is SSH?
As defined in the standard, SSH uses
port 22 by default. This implies that
with the standard SSH configuration,
your machine already has a nice target
to attack. The first method to consider is quite simple: just change the port to an unused, nonstandard port, such as 22022. (Numbers above 1024 are usually free and safe, but check the Resources at the end of this article just to avoid possible clashes.) This change won't affect your remote users much. They will just need to add an extra parameter to their connection, as in ssh -p 22022 the.url.for.your.server. And yes, this kind of change lies fully in what's called "security through obscurity" (doing things obscurely, hoping that no one will get wise to your methods), which usually is just asking for problems. However, it will help at least against script kiddies, whose scripts just try to get in via port 22 instead of being thorough enough to try to scan your machine for all open ports.

Knock for SSH
Trying to attack your machine will be harder if the would-be invader cannot even find a possible SSH door. The methods shown in this article are compatible with the port-knocking technique I wrote about in a previous article ("Implement Port-Knocking Security with knockd", January 2010), so I won't go into knockd configuration here. By using all techniques together, attackers will have an even harder time getting to your machine (where all the other measures shown in this article will be waiting), because they won't even be able to start trying to attack your box.
In order to implement this change, you need to change the /etc/ssh/sshd_config file. Working as root, open it with an editor, look for a line that reads Port 22, and change the 22 to whatever number you chose. If the line starts with a hash sign (#), then remove it, because otherwise the line will be considered a comment. Save the file, and then restart SSH with /etc/init.d/sshd restart. With some distributions, that could be /etc/rc.d/init.d/sshd restart instead. Finally, also remember to close port 22 in your firewall and to open the chosen port so remote users will be able to access your server.
While you are at this, for an extra bit of security, you also could add or edit some other lines in the SSH configuration file (Listing 1). The Protocol line avoids a weaker, older version of the SSH protocol. The LoginGraceTime gives the user 30 seconds to accomplish a login. The MaxAuthTries limits users to three wrong attempts at entering the password before they are rejected. And finally, PermitRootLogin forbids a user from logging in remotely as root (any attacker who managed to get into your machine still would have to be able to break into the root account; an extra hurdle), so would-be attackers will have a harder time at getting privileges on your machine. Be sure to restart the SSH service daemon after these changes (sudo /etc/init.d/sshd restart does it), and for now, you already have managed to add a bit of extra safety (but not much really), so let's get down to adding more restrictions.
Listing 1. These little SSH configuration changes can add a bit of security

Port 22022
Protocol 2
LoginGraceTime 30
MaxAuthTries 3
PermitRootLogin no

Who Can Use SSH?
Your machine may have several users, but you might want to limit remote access to only a few. You can tweak the sshd_config file a bit more, and use the AllowUsers, DenyUsers, AllowGroups and DenyGroups parameters. The first one, AllowUsers, can be followed by a list of user names (or even patterns, using the common * and ? wild cards) or user@host pairs, further restricting access to the user only from the given host. Similarly, AllowGroups provides a list of group name patterns, and login is allowed only for members of those groups. Finally, DenyUsers and DenyGroups work likewise, but prohibit access to specific users and groups. Note: the priority order for rules is DenyUsers first, then AllowUsers, DenyGroups and finally AllowGroups, so if you explicitly disallow users from connecting with DenyUsers, no other rules will allow them to connect.
For example, a common rule is
that from the internal network,
everybody should be able to access
the machine. (This sounds reasonable;
attacks usually come from outside
the network.) Then, you could say
that only two users, fkereki and
eguerrero, should be able to connect
from the outside, and nobody else
should be able to connect. You can enable these restrictions by adding a single line AllowUsers *@192.168.1.* fkereki eguerrero to the SSH configuration file and restarting the service. If you wanted to forbid jandrews from remote connections, an extra DenyUsers jandrews would be needed. More specific rules could be added (say, maybe eguerrero should be able to log in only from home), but if things start getting out of hand with too many rules, the idea of editing the ssh configuration files and restarting the server begins to look less attractive, and there's a better solution through PAM, which uses separate files for security rules.
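The Listing 1 settings and the DenyUsers/AllowUsers/DenyGroups/AllowGroups precedence just described, as one added Python example (not the article's own code and not OpenSSH's parser): it reads an sshd_config excerpt, flags settings weaker than Listing 1, and decides whether a user connecting from a given host would pass the Deny/Allow rules. The config text is constructed here, and the values it assumes for absent keywords are the classic sshd defaults named in the comments.

```python
import fnmatch
import re

# Constructed sshd_config excerpt: the Listing 1 settings plus the
# AllowUsers/DenyUsers lines discussed in the text.
SAMPLE_CONFIG = """\
# Port 22
Port 22022
Protocol 2
LoginGraceTime 30
MaxAuthTries 3
PermitRootLogin no
AllowUsers *@192.168.1.* fkereki eguerrero
DenyUsers jandrews
"""

# sshd accumulates these keywords across repeated lines; for every other
# keyword the first occurrence wins and later ones are ignored.
LIST_KEYWORDS = {"allowusers", "denyusers", "allowgroups", "denygroups"}


def parse_sshd_config(text):
    """Return {lowercased keyword: value string, or list of patterns}.
    Accepts 'Keyword value' and 'Keyword=value' lines and drops comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in LIST_KEYWORDS:
            conf.setdefault(key, []).extend(value.split())
        else:
            conf.setdefault(key, value)
    return conf


def _seconds(value):
    """LoginGraceTime accepts plain seconds or a unit suffix such as 2m."""
    units = {"s": 1, "m": 60, "h": 3600}
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def audit(conf):
    """Findings against the Listing 1 settings. Absent keywords are taken at
    the classic sshd defaults (Port 22, LoginGraceTime 120, MaxAuthTries 6,
    PermitRootLogin yes); Protocol is expected to be pinned to 2."""
    findings = []
    if conf.get("port", "22") == "22":
        findings.append("Port: still the default 22")
    if conf.get("protocol") != "2":
        findings.append("Protocol: not pinned to version 2")
    if _seconds(conf.get("logingracetime", "120")) > 30:
        findings.append("LoginGraceTime: longer than 30 seconds")
    if int(conf.get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries: more than 3 attempts allowed")
    if conf.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin: should be no")
    return findings


def _matches(patterns, user, host):
    """A pattern is 'user' or 'user@host'; * and ? are wildcards."""
    for pat in patterns:
        upat, _, hpat = pat.partition("@")
        if fnmatch.fnmatchcase(user, upat) and (
                not hpat or fnmatch.fnmatchcase(host, hpat)):
            return True
    return False


def user_allowed(conf, user, host, groups=()):
    """Apply the rules in sshd's order: DenyUsers, AllowUsers, DenyGroups,
    AllowGroups. A Deny match ends it; an Allow list must match if present."""
    if _matches(conf.get("denyusers", []), user, host):
        return False
    allow_users = conf.get("allowusers")
    if allow_users and not _matches(allow_users, user, host):
        return False
    deny_groups = conf.get("denygroups", [])
    if any(fnmatch.fnmatchcase(g, p) for g in groups for p in deny_groups):
        return False
    allow_groups = conf.get("allowgroups")
    if allow_groups and not any(
            fnmatch.fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False
    return True


if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_CONFIG)
    print("findings for the sample config:", audit(conf) or "none")
    print("findings for an empty config:", audit(parse_sshd_config("")))
    for user, host in [("jandrews", "192.168.1.5"), ("fkereki", "10.0.0.1"),
                       ("bob", "192.168.1.20"), ("bob", "10.0.0.1")]:
        verdict = "allowed" if user_allowed(conf, user, host) else "denied"
        print(f"{user}@{host}: {verdict}")
```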
The PAM Way
If you google for meanings of PAM,
you can find several definitions,
ranging from a cooking oil spray
to several acronyms (such as Power
Amplitude Modulation or Positive
Active Mass), but in this case, you are
interested in Pluggable Authentication
Modules, a way to provide extra
authentication rules and harden
access to your server. Let's use PAM
as an alternative solution to specify
which users can access your server.
From a software engineering
viewpoint, it would just be awful
if each and every program had to
invent and define and implement its own authentication logic. How could you be certain that all applications did implement the very same checks, in the same way, without any differences? PAM provides a way out; if a program needs to, say, authenticate a user, it can call the PAM routines, which will run all the checks you might have specified in its configuration files. With PAM, you even can change authentication rules on the fly by merely updating its configuration. And, even if that's not your main interest here, if you were to include new biometrics security hardware (such as fingerprint readers, iris scanners or face recognition) with an appropriate PAM, your device instantly would be available to all applications.

PAM, PAM Everywhere
Although there is no official list of PAMs, most distributions are likely to include the following:
pam_access: allows or denies access according to the file /etc/security/access.conf.
pam_cracklib: checks passwords against dictionaries.
pam_debug: used for testing only.
pam_deny: always denies access.
pam_echo: displays the contents of a file.
pam_env: sets or unsets environment variables.
pam_exec: lets you run an external command.
pam_group: grants group memberships to the user.
pam_lastlog: shows the date and time of the user's last log in.
pam_ldap: allows authentication against an LDAP server.
pam_limits: lets you set system resource limits, through the file /etc/security/limits.conf.
pam_listfile: an alternative to pam_access, with some extra options.
pam_mail: checks if the user has pending mail.
pam_make: runs make in a given directory.
pam_motd: displays the message of the day file, usually /etc/motd.
pam_nologin: blocks all logins should file /etc/nologin exist.
pam_permit: always allows access.
pam_pwcheck: checks passwords for strength.
pam_pwhistory: checks new passwords against recently used ones to avoid repetition.
pam_rootok: usually is included in /etc/pam.d/su as a sufficient test so root can act as any other user without providing a password.
pam_selinux: sets the default security context for SELinux.
pam_sepermit: allows or denies login depending on SELinux state.
pam_shells: allows access only if the user's shell is listed in the file /etc/shells.
pam_succeed_if: checks for account characteristics, such as belonging to a given group.
pam_tally: just keeps count of attempted accesses and can deny access if too many attempts fail.
pam_time: restricts access based on rules in the file /etc/security/time.conf.
pam_umask: lets you set the file mode creation mask (think umask) for newly created files.
pam_unix (or pam_unix2): provides classical UNIX-style authentication per the /etc/passwd and /etc/shadow files.
pam_userdb: authenticates the user against a Berkeley database.
pam_warn: records logs in the system logs.
pam_wheel: provides root access only to members of group wheel.
File locations vary, but you can check /usr/lib/security or /lib/security (or read lib64 for lib, for 64-bit Linux) to see what modules you actually have. For more information on each module, try man name_of_the_module, but don't try to execute them from the command line, for they can't be run that way.
PAMs can be used for four security
concerns: account limitations
(what the users are allowed to do),
authorization (how the users identify
themselves), passwords and sessions.
PAM checks can be marked optional (may succeed or fail), required (must succeed), requisite (must succeed, and if it doesn't, stop immediately without trying any more checks) and sufficient (if it succeeds, don't run any more checks), so you can vary your policies. I don't cover all these details here, but rather move on to the specific need of specifying who can (or cannot) log in to your server. See the "PAM, PAM Everywhere" sidebar for a list of some available modules.
PAM configurations are stored in /etc/pam.d, with a file for each command to which they apply. As root, edit /etc/pam.d/sshd, and add an account required pam_access.so line after all the account lines, so it ends up looking like Listing 2. (Your specific version of the file may have some different options; just add the single line to it, and that's it.) You'll also have to modify the sshd configuration file (the same one that you modified earlier) so it uses PAM; add a UsePAM yes line to it, and restart the sshd daemon.
The account part is what is important here. After using the standard UNIX methods for checking your password (usually against the files /etc/passwd and /etc/shadow), it uses the module pam_access.so to check if the user is in a list, such as shown in Listing 3. Both account modules are required, meaning that the user must pass both checks in order to proceed. For extra restrictions, you might want to look at pam_listfile, which is similar to pam_access but provides even more options, and pam_time, which lets you fix time restrictions. You also would need to add extra account lines to the /etc/pam.d/sshd file.
You need to edit /etc/security/access.conf to specify which users can access the machine (Listing 3). Each line in the list starts with either a plus sign (login allowed) or a minus sign (login disabled), followed by a colon, a user name (or ALL), another colon and a host (or ALL). The pam_access.so module goes down the list in order, and depending on the first match for the user, it either allows or forbids the connection. The order of the rules is important. First, jandrews is forbidden access, then everybody in the internal network is allowed to log in to the server. Then, users fkereki and eguerrero are allowed access from any machine. The final -:ALL:ALL line is a catchall that denies access to anybody not specifically allowed to log in in the previous lines, and it always should be present.
Listing 2. Adding pam_access.so to the account PAM checks lets you specify which users have SSH access to your machine.

account required pam_unix2.so
account required pam_access.so

auth required pam_env.so
auth required pam_unix2.so
auth required pam_nologin.so

password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so

Listing 3. The file /etc/security/access.conf specifies which users have access and from which hosts.

-:jandrews:ALL
+:ALL:192.168.1.
+:fkereki:ALL
+:eguerrero:ALL
-:ALL:ALL

Note that you could use this configuration for other programs and services (FTP, maybe?), and the same rules could be applied. That's an advantage of PAM. A second advantage is that you can change rules on the fly, without having to restart the SSH service. Not messing with running services is always a good idea! Using PAM adds a bit of hardening to SSH to restrict who can log in. Now, let's look at an even safer way of saying who can access your machine by using certificates.
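The first-match walk through access.conf, as an added Python example that is not part of the article and not pam_access itself: it evaluates the Listing 3 rules (copied into the block) for several user/host pairs, and shows why the -:ALL:ALL catchall matters, since pam_access permits access when no rule matches at all. A trailing dot in the origin field is treated as a network prefix, as in the +:ALL:192.168.1. line.

```python
# Constructed copy of the rules in Listing 3 (/etc/security/access.conf).
ACCESS_CONF = """\
-:jandrews:ALL
+:ALL:192.168.1.
+:fkereki:ALL
+:eguerrero:ALL
-:ALL:ALL
"""


def parse_access_conf(text):
    """Return a list of (allow, users, origins) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _user_matches(field, user, groups):
    if field == "ALL":
        return True
    if field.startswith("(") and field.endswith(")"):   # (group) syntax
        return field[1:-1] in groups
    return field == user


def _origin_matches(field, host):
    if field == "ALL":
        return True
    if field.endswith("."):          # network prefix such as 192.168.1.
        return host.startswith(field)
    return field == host


def access_decision(rules, user, host, groups=()):
    """Walk the rules in order; the first rule matching both the user and
    the origin decides. With no match at all pam_access lets the user in,
    which is exactly what the final -:ALL:ALL line is there to prevent."""
    for allow, users, origins in rules:
        if (any(_user_matches(u, user, groups) for u in users)
                and any(_origin_matches(o, host) for o in origins)):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, host in [("jandrews", "192.168.1.5"), ("bob", "192.168.1.5"),
                       ("fkereki", "10.1.1.1"), ("bob", "10.1.1.1")]:
        verdict = "allowed" if access_decision(rules, user, host) else "denied"
        print(f"{user} from {host}: {verdict}")
    # The same file without the catchall: an unknown outsider slips through.
    no_catchall = parse_access_conf(ACCESS_CONF.replace("-:ALL:ALL\n", ""))
    print("bob from 10.1.1.1 without the catchall:",
          "allowed" if access_decision(no_catchall, "bob", "10.1.1.1") else "denied")
```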
Passwordless Connections
Passwords can be reasonably secure, but you don't have them written down on a Post-It by your computer, do you? However, if you use a not-too-complex password (so it can be determined by brute force or a dictionary attack), then your site will be compromised for so long as the attacker wishes. There's a safer way, by using public/private key logins, that has the extra advantage of requiring no passwords on the remote site. Rather, you'll have a part of the key (the private part) on your own machine and the other part (the public part) on the remote server. Others won't be able to impersonate you unless they have your private key, and it's computationally unfeasible to calculate. Without going into how the key pair is created, let's move on to using it.
First, make sure your sshd configuration file allows for private key logins. You should have RSAAuthentication yes and PubkeyAuthentication yes lines in it. (If not, add them, and restart the service as described above.) Without those lines, nothing I explain below will work. Then, use ssh-keygen to create a public/private key pair. By directly using it without any more parameters (Listing 4), you'll be asked in which file to save the key (accept the standard), whether to use a passphrase for extra security (more on this below, but you'd better do so), and the key pair will be generated. Pay attention to the name of the file in which the key was saved. You'll need it in a moment.

Listing 4. Generating a public/private key pair with ssh-keygen is simple. Opt for using a passphrase for extra security.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fkereki/.ssh/id_rsa):
Created directory '/home/fkereki/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fkereki/.ssh/id_rsa.
Your public key has been saved in /home/fkereki/.ssh/id_rsa.pub.
The key fingerprint is:
<fingerprint> fkereki@fedoraxfce
The key's randomart image is:
+--[ RSA 2048]----+
| ..+ = |
|.. o 0 = |
|.. 0 * o |
|. = o |
|. . . + S |
| . . . |
| . |
| |
| |
+-----------------+
Now, in order to be able to connect to the remote server, you need to copy it over. If you search the Internet, many sites recommend directly editing certain files in order to accomplish this, but using ssh-copy-id is far easier. You just have to type ssh-copy-id -i the.file.where.the.key.was.saved remote.user@remote.host, specifying the name of the file in which the public key was saved (as you saw above) and the remote user and host to which you will be connecting (Listing 5). And you're done.

Listing 5. After generating your public/private pair, you need to use ssh-copy-id to copy the public part to the remote server.

$ ssh-copy-id -i /home/fkereki/.ssh/id_rsa.pub fkereki@192.168.1.107
The authenticity of host '192.168.1.107 (192.168.1.107)'
can't be established.
RSA key fingerprint is <fingerprint>.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.107' (RSA) to the list
of known hosts.
fkereki@192.168.1.107's password:
In order to test your new passwordless connection, just do ssh remote.user@remote.host. If you used a passphrase, you'll be asked for it now. In either case, the connection will be established, and you won't need to enter your password for the remote site (Listing 6).
Now, what about the passphrase? If you create a public/private key pair without using a passphrase, anybody who gets access to your machine and the private key immediately will have access to all the remote servers to which you have access. Using the passphrase adds another level of security to your log in process. However, having to enter it over and over again is a bother. So, you would do better by using ssh-agent, which can remember your passphrase and enter it automatically whenever you try to log in to a remote server. After running ssh-agent, run ssh-add to add your passphrase. (You could run it several times if you have many passphrases.) After that, a remote connection won't need a passphrase any more (Listing 7). If you want to end a session, use ssh-agent -k, and you'll have to re-enter the passphrase if you want to do a remote login.

Listing 6. After you've copied the public key over, you can log in to the remote server without a password. You will have to enter your passphrase though, if you used one when generating the public/private pair.

$ ssh fkereki@192.168.1.107
Enter passphrase for key '/home/fkereki/.ssh/id_rsa':
Last login: Mon Jan 10 18:40:11 2011

6.0 Light Final built on March 31, 2009 on Linux 2.6.27.12
You are working as fkereki
Frequently used programs:
Configuration : vasm
File manager : mc (press F2 for useful menu)
Editor : mcedit, nano, vi
Multimedia : alsamixer, play
vector:~$ logout
Connection to 192.168.1.107 closed.
You also may want to look at keychain, which allows you to reuse ssh-agent between logins. (Not all distributions include this command; you may have to use your package manager to install it.) Just do keychain the.path.to.your.private.key, enter your passphrase (Figure 1), and until you reboot the server or specifically run keychain -k all to stop keychain, your passphrase will be stored, and you won't have to re-enter it. Note: you even could log out and log in again, and your key still would be available. If you just want to clear all cached keys, use keychain --clear.

Figure 1. By entering your passphrase once with keychain, it will be remembered even if you log out.

Listing 7. Using ssh-agent frees you from having to re-enter your passphrase.

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-RvMMx30943/agent.30943; export SSH_AUTH_SOCK;
SSH_AGENT_PID=30944; export SSH_AGENT_PID;
echo Agent pid 30944;

$ ssh-add
Enter passphrase for /home/fkereki/.ssh/id_rsa:
Identity added: /home/fkereki/.ssh/id_rsa (/home/fkereki/.ssh/id_rsa)

$ ssh fkereki@192.168.1.107
Last login: Mon Jun 10 18:44:15 2013 from 192.168.1.108
6.0 Light Final built on March 31, 2009 on Linux 2.6.27.12
You are working as fkereki
Frequently used programs:
Configuration : vasm
File manager : mc (press F2 for useful menu)
Editor : mcedit, nano, vi
Multimedia : alsamixer, play

If you use a passphrase, you could take your private keys with you on a USB stick or the like and use it from any other machine in order to log in to your remote servers. Doing this without using passphrases would just be too dangerous. Losing your USB stick would mean automatically compromising all the remote servers you could log in to. Also, using a passphrase is an extra safety measure. If others got hold of your private key, they wouldn't be able to use it without first determining your passphrase.

Using SSH and PuTTY
You can use SSH public/private pairs with the common PuTTY program, but not directly, because it requires a specific, different key file. In order to convert your SSH key, you need to do puttygen $HOME/.ssh/your.private.key -o your.private.key.file.for.putty. Afterward, you simply can open PuTTY, go to Connection, SSH, Auth and browse for your newly generated "Private key file for authentication".

Finally, if you are feeling quite confident that all needed users have their passwordless logins set up, you could go the whole mile and disable common passwords by editing the sshd configuration file and setting PasswordAuthentication no and UsePAM no, but you'd better be quite sure everything's working, because otherwise you'll have problems.
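A way to audit the passphrase point made above, as an added Python example that is not from the article: it reads the text of a private key file and reports whether the key is encrypted, by inspecting the cipher name in the openssh-key-v1 header (as laid out in OpenSSH's PROTOCOL.key) or the Proc-Type/DEK-Info headers of a legacy PEM key. The key texts it tests are constructed in the block with placeholder key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Length-prefixed byte string, the primitive the OpenSSH key format uses."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def make_openssh_key(cipher, kdf):
    """Constructed openssh-key-v1 file with the given cipher/kdf names and
    placeholder key material: enough to exercise the header parser only."""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1)                      # number of keys
            + _ssh_string(b"placeholder-public")
            + _ssh_string(b"placeholder-private"))
    body = base64.b64encode(blob).decode()
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM keys; the body is placeholder base64, not a real key.
LEGACY_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """\
-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""


def key_info(text):
    """Return {'format', 'cipher', 'kdf', 'protected'} for a private key's text."""
    lines = [l.strip() for l in text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: magic, string ciphername, string kdfname, ...
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "protected": cipher != b"none"}
    if header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM: an encrypted key announces it in Proc-Type/DEK-Info headers.
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l
                        for l in lines[1:4])
        return {"format": "pem", "cipher": "per DEK-Info" if encrypted else "none",
                "kdf": "", "protected": encrypted}
    raise ValueError("not a recognised private key file")


if __name__ == "__main__":
    samples = {
        "new format, passphrase": make_openssh_key(b"aes256-ctr", b"bcrypt"),
        "new format, no passphrase": make_openssh_key(b"none", b"none"),
        "legacy PEM, passphrase": LEGACY_ENCRYPTED,
        "legacy PEM, no passphrase": LEGACY_PLAIN,
    }
    for name, text in samples.items():
        info = key_info(text)
        state = "protected" if info["protected"] else "UNPROTECTED"
        print(f"{name}: {state} ({info['format']}, cipher {info['cipher']})")
```

Run it over the keys you intend to carry on a USB stick; a key that comes back unprotected can be given a passphrase in place with ssh-keygen -p.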
Conclusion
There's no definitive set of security
measures that can 100% guarantee
that no attacker ever will be able to
get access to your server, but adding
extra layers can harden your setup
and make the attacks less likely to
succeed. In this article, I described
several methods, involving modifying
SSH configuration, using PAM for
access control and public/private
key cryptography for passwordless
logins, all of which will enhance
your security. However, even if these
methods do make your server harder
to attack, remember you always need
to be on the lookout and set up as
many obstacles for attackers as you
can manage.
Federico Kereki is a Uruguayan systems engineer with more
than 20 years of experience developing systems, doing
consulting work and teaching at universities. He currently is
working with a good jumble of acronyms: SOA, GWT, Ajax, PHP
and, of course, FLOSS! Recently, he wrote the Essential GWT
book, in which you also can find some security concerns for Web
applications. You can reach Federico at fkereki@gmail.com.
Send comments or feedback via
http://www.linuxjournal.com/contact
or to ljeditor@linuxjournal.com.
Resources
The SSH protocol is defined over a host of RFC (Request for Comments) documents; check
http://en.wikipedia.org/wiki/Secure_Shell#Internet_standard_documentation for a list.
Port numbers are assigned by IANA (Internet Assigned Numbers Authority), and you can go
to http://www.iana.org/assignments/port-numbers for a list.
The primary distribution site for PAM is at http://www.linux-pam.org, and the developers
site is at https://fedorahosted.org/linux-pam.
Read http://www.funtoo.org/wiki/Keychain for more on keychain by its author, Daniel Robbins.
You can see the RSA original patent at http://www.google.com/patents?vid=4405829 and
the RSA Cryptography Standard at http://www.emc.com/emc-plus/rsa-labs/pkcs/files/
h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf.
For extra security measures, read Implement Port-Knocking Security with knockd, in the January
2010 issue of Linux Journal, or check it out on-line at http://www.linuxjournal.com/article/10600.
FEATURE

Encrypted Backup Solution: Home Paranoia Edition

How to safeguard your personal data with TrueCrypt and SpiderOak.

TIM CORDOVA
There are so many cases of
personal identifiable information
(PII) or any type of data exposed
on the Internet today. The details
provided in this article may assist in
safeguarding your tax information,
social security number or password
file. The setup this article describes
will help keep your personal data
at home safe and secure in this
cyber-security-connected world.
This includes virtual/physical security
compromises; the only truly secure
system is one that is unplugged and
locked in a vault. This solution is
not all-encompassing and does have
limitations, but it is sound enough for
safeguarding personal data.
The first step is addressing the
physical aspect of security. This is a
critical step, because some notable
compromises are a direct result of
someone having physical access to a
system. You always should prepare
yourself for the possibility that your
beloved electronic devices could be
in hands of someone other than you
at any given moment. This situation
could occur on a train, or in a coffee
shop, automobile or home, and you
must assume your data is lost when it
is outside your control.
Figure 1. Setup screen for encrypting your home directory in Ubuntu during initial operating system installation.
This article describes utilizing whole disk encryption, as provided by a great open-source Linux operating system (Ubuntu 12.10), to reduce some of the risks. Whole disk encryption is a key factor, especially when considering all of the recent events concerning stolen government laptops that contained millions of social security numbers.

The next key step in safeguarding your personal information is by adding another security layer by encrypting home directories during the initial installation (Figure 1). You may be the only one using this system; however, if others are able to access your system while it's running, this may slow them down from trying to access information contained in a home directory.

Figure 2. If encrypting your home folder was missed during initial installation, use ecryptfs-utils to encrypt your home directory.

Figure 3. This is important feedback information; record the passphrase generated by the ecryptfs-migrate-home command as soon as possible.
You will need to run the command:

sudo apt-get install ecryptfs-utils cryptsetup

using an advanced packaging tool-capable distribution. This will install the encrypting utilities needed to encrypt your home directory.

The next step is to log in or create another user account with root privileges to run the following command on the user's home directory (Figure 2):

sudo ecryptfs-migrate-home -u your-user-name

Then, you need to log in to the encrypted home directory account before rebooting the machine (as stated in the important note screen), providing a roll-back opportunity in the event of any unexpected complications during the encryption process.

Use ecryptfs-unwrap-passphrase to record your randomly generated mount passphrase. Keep this passphrase safe, because you may need it to recover your encrypted files. Also, ensure that you reboot your system and remove the un-encrypted backup folder (Figure 3).

Figure 4. TrueCrypt Installation Button
A third step in the process is to utilize a great open-source application called TrueCrypt to provide encrypted containers to store personal information. This easy process includes visiting the TrueCrypt Web site at http://www.truecrypt.org/downloads to download the latest package (truecrypt-7.1a-linux-x86.tar.gz, at the time of this writing), and run the following commands and script:

tar -xvf truecrypt-7.1a-linux-x86.tar.gz
sudo ./truecrypt-7.1a-linux-x86
select 1 (Install TrueCrypt) at the GUI menu.

Figure 5. TrueCrypt Create Volume Button Screen
The next step is to create an encrypted container. This container will store personal identifiable information (PII) or any file that you want to keep safe on your local computer, and it will create another layer of security. The process for creating a basic container is by selecting the default options during initial installation (Figure 4). Once the software is installed, starting the application is a breeze using the command truecrypt & or via the GUI menu system by selecting the create volume button.

There are two options when creating a volume: choosing an encrypted file container or a volume within a partition/drive (Figures 5 and 6). You also will have a choice of using a standard TrueCrypt volume or a hidden TrueCrypt volume (Figure 7). The idea behind a hidden container is that you can reveal the outer container's password while your hidden container stays encrypted within the outer container (http://www.truecrypt.org/docs/hidden-volume).

On the next menu, simply select an encryption algorithm, hash algorithm and size of container. Multiple books and papers provide specific information on the differences between these algorithms and hashes (AES-256 with 14 rounds and SHA-512 are the default cipher and hashing function). The size of your container depends on the amount of information you want to protect (Figure 8).

Figure 6. After the create volume button is selected, you will be presented with two options for creating an encrypted file container or creating a volume within a partition/drive.

Figure 7. The next menu item gives you the option of creating a standard or hidden volume.

Figure 8. After the standard volume is selected, the next options are to select the encryption and hash algorithms, and size of the volume.
The next step is to select your preferred filesystem type (ext3, ext4 and so on). Once the volume-creating process is completed, mount your volume using the TrueCrypt application and start saving your private files to this encrypted container.

A safe and secure on-line storage location for your newly created encrypted container is essential for backing up data in the cloud. A couple options are available for an on-line storage location, such as Dropbox, Evernote, AWS and SpiderOak. The final choice for secure cloud storage is with the company called SpiderOak, and this is based on the company's Zero-Knowledge privacy policy that states: "we never have any knowledge of your password and no way to retrieve or reset it, even in emergencies. It's our way of ensuring that our customers' data is always completely secure, even from us!" (https://spideroak.com/faq/category/privacy_passwords).

Figure 9. Select the newly created standard volume to mount an accessible unencrypted share.
The company also provides two-factor authentication for extra protection, requiring a user name, password and a token. The token will be sent to your mobile phone whenever you need to log in to a Web site or mobile device. The majority of big-name providers are offering two-factor authentication since the traditional password/passphrase does not offer enough protection. Seeing how this solution is deployed on a dedicated desktop and requires the token to authenticate, it provides a true two-channel authentication solution. Of course, using two-factor authentication does not guarantee safety, but it does require the attacker to use sophisticated methods, and attackers generally are lazy and look for easy targets.

Installing SpiderOak is straightforward for all the Debian users out there. It includes downloading and installing the spideroak_4.8.4_i386.deb package from https://spideroak.com/opendownload and using sudo dpkg -i spideroak_4.8.4_i386.deb to install this package on your favorite Ubuntu platform.

Figure 10. The backup tab in the SpiderOak application allows you to select your encrypted volume.
Identify a local upload folder as the staging point for your TrueCrypt container. Once you have a shared location that will host your TrueCrypt container, simply open your SpiderOak application and select the backup tab. Then, drill down until you find your TrueCrypt container location, such as home/username/SpiderO/Upload. The next step is to configure your backup frequency using the overview tab and selecting the change button (Figures 10 and 11). Many other configuration options are available using this interface. For this example, use only these two options for a secure cloud backup.

Figure 11. A SpiderOak application status and backup menu provides a means to back up your encrypted volume automatically in specified intervals.

Listing 1. SpiderOak/TrueCrypt Backup Script

#!/usr/bin/python
"""
SpiderOak, TrueCrypt, dis-mount, Backup Script
Author: Tim
"""
import os
import datetime
import hashlib
import subprocess

# Configuration file: one "Name value" pair per line
# (SpiderOakPath, TrueCryptPath, LogFilepath, safefile)
FolderandFileLoc = "FolderandFileLoc"
SpiderOakPath = " "
TrueCryptPath = " "
LogFilepath = " "
safefile = " "


def md5filecheck(path):
    # MD5 of a file, read in chunks so a large container never sits in memory
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def readconfig(SpiderOakPath, TrueCryptPath, LogFilepath, safefile, ScriptFileopen):
    # this will read the configuration and assign path location
    now = datetime.datetime.now()
    for line in ScriptFileopen:
        holdstr = line.split()
        if len(holdstr) < 2:
            continue
        if "SpiderOakPath" in line:
            SpiderOakPath = holdstr[1]
        elif "TrueCryptPath" in line:
            TrueCryptPath = holdstr[1]
        elif "LogFilepath" in line:
            LogFilepath = holdstr[1]
        elif "safefile" in line:
            safefile = holdstr[1]

    with open(LogFilepath, "a") as fo:
        fo.write(str(now) + "- Path variable SpiderOakPath used -> " + SpiderOakPath + "\n")
        fo.write(str(now) + "- Path variable TrueCryptPath used -> " + TrueCryptPath + "\n")
        fo.write(str(now) + "- Path variable LogFilepath used -> " + LogFilepath + "\n")
        fo.write(str(now) + "- Path variable safefile used -> " + safefile + "\n")
        shutdowntruecrypt(fo, now)
        copycontainer(fo, SpiderOakPath, TrueCryptPath, LogFilepath, safefile, now)


def shutdowntruecrypt(fo, now):
    # test to see if truecrypt is running; if it is, dismount its volumes
    # so the container is not copied while it is still open
    foundstring = 0
    try:
        ps = subprocess.check_output(["ps", "ax"]).decode("utf-8", "replace")
    except OSError:
        ps = ""
    for line in ps.splitlines():
        if "truecrypt" in line:
            foundstring = 1
            break

    if foundstring == 1:
        dismount = subprocess.call(["truecrypt", "-d"])
        if dismount == 0:
            fo.write(str(now) + "- TrueCrypt service found and the volume is dis-mounted \n")
        else:
            fo.write(str(now) + "- Failed to dismount service \n ")
    else:
        fo.write(str(now) + "- mount was not open \n ")


def copycontainer(fo, SpiderOakPath, TrueCryptPath, LogFilepath, safefile, now):
    # Set Destination and Copy to new location
    olddestfilesum = TrueCryptPath + safefile
    oldorigfilesum = SpiderOakPath + "/" + safefile

    # compare checksums: this will only copy over updates to this file
    checksumdest = md5filecheck(olddestfilesum)
    checksumorig = md5filecheck(oldorigfilesum) if os.path.exists(oldorigfilesum) else None

    if checksumdest != checksumorig:
        subprocess.call(["cp", olddestfilesum, SpiderOakPath])
        # the copy succeeded only if the two files now match
        if os.path.exists(oldorigfilesum) and md5filecheck(oldorigfilesum) == checksumdest:
            fo.write(str(now) + olddestfilesum + " File Copied to " + SpiderOakPath + "\n")
            fo.write(str(now) + " ---- Processing Complete ----\n")
        else:
            fo.write(str(now) + olddestfilesum + " File failed to copy " + SpiderOakPath + "\n")
    else:
        fo.write(str(now) + " File has not been changed no copy was performed\n")


ScriptFileopen = open(FolderandFileLoc, "r")
readconfig(SpiderOakPath, TrueCryptPath, LogFilepath, safefile, ScriptFileopen)
ScriptFileopen.close()
The last couple steps in this
encrypted backup solution are
to move the TrueCrypt container
from the working location to the
designated SpiderOak export folder
and create a cron job to run the script.
I created a Python script to accomplish the copy function, but I could have created any type of script. This script is used to ensure that the TrueCrypt application is not running, verify whether there were changes to the container and then copy over the container if there were changes. This script requires a configuration file called FolderandFileLoc to function and the Python script BackupScript.py. The configuration file parameters are SpiderOakPath, TrueCryptPath and LogFilepath, a running log to verify whether a copy was successful and the Safefile filename. The final step is to create a cron job to call the Python script:

0 5 * * * cd /home/t/workspace/BackupScript/src; /usr/bin/python /home/t/workspace/BackupScript/src/BackupScript.py

This personal encrypted solution is something that works great at home when utilized on a daily basis. Many apps are available on the Internet for managing passwords and data, but this one is easy to implement and provides layers of encryption. I am confident that using the described encrypted containers and storage location provides enough security for private personal data, but it may not be an ideal solution for an enterprise with various regulatory agencies. Use the described methods at your own risk, and ensure that your passwords or passphrases are safeguarded, because your data will be lost with a forgotten password.
Tim Cordova is a computer geek who had a Commodore 64 at
age 9, and has a love for Linux, family, information security
and longboard surfing. He currently works as an information
security professional at a large contracting company and
has more than 15 years of experience.
INDEPTH
Solid-State
Drives: Get One
Already!
Brian describes how SSDs compare to HDDs with regard to
longevity and reliability and provides the results from some
real-world performance benchmarking.
BRIAN TRAPP
I've been building computers since the 1990s, so I've seen a lot of new technologies work their way into the mainstream. Most were the steady, incremental improvements predicted by Moore's law, but others were game-changers, innovations that really rocketed performance forward in a surprising way. I remember booting up Quake after installing my first 3-D card: what a difference! My first boot off a solid-state drive (SSD) brought back that same feeling: wow, what a difference!

However, at a recent gathering of like-minded Linux users, I learned that many of my peers hadn't actually made the move to SSDs yet. Within that group, the primary reluctance to try a SSD boiled down to three main concerns:

I'm worried about their reliability; I hear they wear out.

I'm not sure if they work well with Linux.

I'm not sure an SSD really would make much of a difference on my system.

Luckily, these three concerns are based either on misunderstandings, outdated data, exaggeration or are just not correct.
SSD Reliability Overview
How SSDs Differ from Hard Drives:
Traditional hard disk drives (HDDs)
have two mechanical delays that
can come into play when reading or
writing files: pivoting the read/write
head to be at the right radius and
waiting until the platter rotates until
the start of the file reaches the head
(Figure 1). The time it takes for the
drive to get in place to read a new file
is called seek time. When you hear
that unique hard drive chatter, that's
the actuator arm moving around to
access lots of different file locations.
For example, my hard drive (a pretty
typical 7,200 RPM consumer drive
from 2011) has an average seek time
of around 9ms.
Instead of rotating platters and read/write heads, solid-state drives store data to an array of Flash memory chips. As a result, when a new file is requested, the SSD's internal memory can find and start accessing the correct storage memory locations in sub-milliseconds. Although reading from Flash isn't terribly fast by itself, SSDs can read from several different chips in parallel to boost performance. This parallelism and the near-instantaneous seek times make solid-state drives significantly faster than hard drives in most benchmarks. My SSD (a pretty typical unit from 2012) has a seek time of 0.1ms, quite an improvement!
Reliability and Longevity:
Reliability numbers comparing HDDs and SSDs are surprisingly hard to find. Fail rate comparisons either didn't have enough years of data, or were based on old first-generation SSDs that don't represent drives currently on the market. Though SSDs reap the benefits of not having any moving parts (especially beneficial for mobile devices like laptops), the conventional wisdom is that current SSD fail rates are close to HDDs. Even if they're a few percentage points higher or lower, considering that both drive types have a nonzero failure rate, you're going to need to have a backup solution in either case.

Figure 1. Hard Drive
Apart from reliability, SSDs do have a unique longevity issue, as the NAND Flash cells in storage have a unique life expectancy limitation. The longevity of each cell depends on what type of cell it is. Currently, there are three types of NAND Flash cells:

SLC (Single Layer Cell) NAND: one bit per cell, ~100k writes.

MLC (Multi-Layer Cell) NAND: two bits per cell, ~10k to 3k writes, slower than SLC. The range in writes depends on the physical size of the cell; smaller cells are cheaper to manufacture, but can handle fewer writes.

TLC (Three-Layer Cell) NAND: ~1k writes, slower than MLC.

Interestingly, all three types of cells are using the same transistor structure behind the scenes. Clever engineers have found a way to make that single Flash cell hold more information in MLC or TLC mode, however. At programming time, they can use a low, medium-low, medium-high or high voltage to represent four unique states (two bits) in one single cell. The downside is that as the cell is written several thousand times, the oxide insulator at the bottom of the floating gate starts to degrade, and the amount of voltage required for each state increases (Figure 2). For SLC it's not a huge deal because the gap between states is so big, but for MLC, there are four states instead of two, so the amount of room between each state's voltage is shortened. For TLC's three bits of information there are six states, so the distances between each voltage range is even shorter.

Figure 2. A NAND Flash Cell
The final twist is write amplification.
Even though the OS is sending 1MB
of data, the SSD actually may be
doing more writes behind the scenes
for things like wear leveling and
inefficient garbage collection if TRIM
support isn't enabled (see the TRIM
section later in this article). Most
real-world write amplification values
I've seen are in the 1.1 to 3.0 range,
depending on how compressible the
data is and how clever the SSD is at
garbage collection and wear leveling.
So, how long can you expect an SSD to last for you? Longevity depends on how much data you write, and the tune2fs utility makes it really easy to estimate that from your existing filesystems. Run tune2fs -l /dev/<device>. (Tip: if you're using LVM, the stats will be under the dm-X device instead of the sdaX device.) The key fields of interest are Filesystem created and Lifetime writes. Use those to figure out the average GB/day since the filesystem was created. For my laptop, it was 2.7GB/day, and for my workstation it was 6.3GB/day. With those rates, plus a rough guess for write amplification, you can estimate how much life you'd get out of any SSD.

Est. Lifespan (y) =   SSDCapacity(GB) * (WriteLimit based on cell type)
                    -----------------------------------------------------------
                    DailyWriteRate (GB/day) * WriteAmplification * 365 (days/yr)

So if I was sizing a 256GB Samsung 840 Evo (which uses TLC cells), with a 6.3GB/day write rate and a write amplification of 3, it should give me around 37 years of service before losing the ability to write new data.
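The formula above is easy to turn into a small calculator, so here it is as an added example (my code, not the article's). It reproduces the article's 256GB TLC case, derives the GB/day rate from the two tune2fs fields the text names, and also brackets the estimate across the 1.1 to 3.0 write-amplification range the article reports. The per-cell write limits are the rough figures quoted above, taken at the conservative end of each range, and the tune2fs numbers in the demo are constructed.

```python
"""
SSD lifespan estimate, as an added worked example of the formula in the text:

    years = capacity_GB * write_limit / (daily_rate_GB * write_amp * 365)

Write limits per cell type are the article's rough figures, taken at the
conservative end of each quoted range (an assumption on my part).
"""

WRITE_LIMIT = {"SLC": 100_000, "MLC": 3_000, "TLC": 1_000}


def daily_write_rate_gb(lifetime_writes_gb, days_since_created):
    """Average GB/day from tune2fs 'Lifetime writes' and 'Filesystem created'.

    Guards against a filesystem created today (zero days) dividing by zero.
    """
    return lifetime_writes_gb / max(days_since_created, 1)


def estimated_lifespan_years(capacity_gb, cell_type, daily_rate_gb, write_amp):
    """Years until the cells' write budget is exhausted at the given rate."""
    if daily_rate_gb <= 0 or write_amp <= 0:
        raise ValueError("daily write rate and write amplification must be positive")
    limit = WRITE_LIMIT[cell_type.upper()]
    return capacity_gb * limit / (daily_rate_gb * write_amp * 365)


def lifespan_range_years(capacity_gb, cell_type, daily_rate_gb, wa_low=1.1, wa_high=3.0):
    """(worst, best) estimate across the observed write-amplification range."""
    return (estimated_lifespan_years(capacity_gb, cell_type, daily_rate_gb, wa_high),
            estimated_lifespan_years(capacity_gb, cell_type, daily_rate_gb, wa_low))


if __name__ == "__main__":
    import datetime

    # Constructed tune2fs figures: 4.1TB written since a 2010-01-01 creation date.
    created = datetime.date(2010, 1, 1)
    today = datetime.date(2014, 2, 9)
    rate = daily_write_rate_gb(4100, (today - created).days)
    print("average write rate: %.2f GB/day" % rate)

    # The article's own sizing: 256GB TLC drive, 6.3GB/day, write amplification 3.
    years = estimated_lifespan_years(256, "TLC", 6.3, 3)
    print("256GB TLC at 6.3GB/day, WA 3: %.1f years" % years)
    worst, best = lifespan_range_years(256, "TLC", 6.3)
    print("across WA 1.1..3.0: %.1f to %.1f years" % (worst, best))
```

The point of the range function is that write amplification is the one input you cannot read off tune2fs, so a single estimate hides most of the uncertainty; plan on the worst-case figure.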
SSD Considerations for Linux
TRIM: Undelete utilities work because when you delete a file, you're really only removing the filesystem's pointer to that file, leaving the file contents behind on the disk. The filesystem knows about the newly freed space and eventually will reuse it, but the drive doesn't. HDDs can overwrite data just as efficiently as writing to a new sector, so it doesn't really hurt them, but this can slow down SSDs' write operations, because they can't overwrite data efficiently.
An SSD organizes data internally
into 4k pages and groups 128 pages
into a 512k block. SSDs can write
only into empty 4k pages and erase
in big 512k block increments. This
means that although SSDs can write
very quickly, overwriting is a much
slower process. The TRIM command
keeps your SSD running at top speed
by giving the filesystem a way to tell
the SSD about deleted pages. This gives the drive a chance to do the slow overwriting procedures in the background, ensuring that you always have a large pool of empty 4k pages at your disposal.
Linux TRIM support is not enabled
by default, but it's easy to add. One
catch is that if you have additional
software layers between your
filesystem and SSD, those layers need
to be TRIM-enabled too. For example,
most of my systems have an SSD,
with LUKS/dm-crypt for whole disk
encryption, LVM for simple volume
management and then, finally, an ext4
formatted filesystem. Here's how to
turn on TRIM support, starting at the
layer closest to the drive.
dm-crypt and LUKS: If you're not using an encrypted filesystem, you can skip ahead to the LVM instructions. TRIM has been supported in dm-crypt since kernel 3.1. Modify /etc/crypttab, adding the discard keyword for the devices on SSDs:

#TargetName  Device                              KeyFile  Options
sda5_crypt   UUID=9ebb4c49-37e3...d514ae18be09   none     luks,discard

Note: enabling TRIM on an encrypted partition does make it easier for attackers to brute-force attack the device, since they would now know which blocks are not in use.
LVM: If you're not using LVM, you can skip ahead to the filesystem section. TRIM has been supported in LVM since kernel 2.6.36.

In the devices section of /etc/lvm/lvm.conf, add a line issue_discards = 1:

devices {
    ...
    issue_discards = 1
    ...
}
...
Filesystem: Once you've done any required dm-crypt and LVM edits, update initramfs, then reboot:

sudo update-initramfs -u -k all

Although Btrfs, XFS, JFS and ext4 all support TRIM, I cover only ext4 here, as that seems to be the most widely used. To test ext4 TRIM support, try the manual TRIM command: fstrim <mountpoint>. If all goes well, the command will work for a while and exit. If it exits with any error, you know there's something wrong in the setup between the filesystem and the device. Recheck your LVM and dm-crypt setup.
Here's an example of the output for / (which is set up for TRIM) and /boot (which is not):

~$ sudo fstrim /
~$ sudo fstrim /boot
fstrim: /boot: FITRIM ioctl failed: Inappropriate ioctl for device
If the manual command works, you can decide between using the automatic TRIM built in to the ext4 filesystem or running the fstrim command. The primary benefits of using automatic TRIM are that you don't have to think about it, and it nearly instantly will reclaim free space. One downside of automatic TRIM is that if your drive doesn't have good garbage-collection logic, file deletion can be slow. Another negative is that if the drive runs TRIM quickly, you have no chance of getting your data back via an undelete utility. On drives where I have plenty of free space, I use the fstrim command via cron. On drives where space is tight, I use the automatic ext4 method.

If you want to go the automatic route, enabling automatic TRIM is easy: just add the discard option to the options section of the relevant /etc/fstab entries. For manual TRIM, just put fstrim <mountpoint> in a cron job or run it by hand at your leisure.

Regardless of whether you use the discard option, you probably want to add the noatime option to /etc/fstab. With atime on (the default), each time a file is accessed, the access time is updated, consuming some of your precious write cycles. (Some tutorials ask you to include nodiratime too, but noatime is sufficient.) Because most applications don't use the atime timestamp, turning it off should improve the drive's longevity:

    /dev/mapper/baldy1-root / ext4 noatime,discard,errors=remount-ro 0 1
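The steps above touch three config files, and a TRIM that silently stops at one layer is easy to miss. The following script is an added example, not part of the article: it audits crypttab, lvm.conf and fstab for the settings just described, using constructed snippets (the device names and UUID placeholders are made up) so it runs offline; trim_check needs root and a real mount point.

```shell
#!/bin/sh
# Added example, not from the article: audit the three layers the article
# configures for TRIM (dm-crypt, LVM, ext4 mount options). The config
# snippets are constructed for the demonstration; names are made up.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda5_crypt UUID=PLACEHOLDER-UUID-1 none luks,discard
sdb1_crypt UUID=PLACEHOLDER-UUID-2 none luks'

SAMPLE_LVM_CONF='devices {
    dir = "/dev"
    issue_discards = 1
}'

SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/vg-root / ext4 noatime,discard,errors=remount-ro 0 1
/dev/mapper/vg-home /home ext4 defaults 0 2
UUID=PLACEHOLDER-UUID-3 /boot ext2 defaults 0 2'

# Print each crypttab target whose options field lacks "discard".
crypttab_missing_discard() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        { n = split($4, o, ","); hit = 0
          for (i = 1; i <= n; i++) if (o[i] == "discard") hit = 1
          if (!hit) print $1 }'
}

# Succeed only if the devices { } section sets issue_discards = 1
# (the spaced "key = value" form the article shows).
lvm_issue_discards_on() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*devices[[:space:]]*[{]/ { indev = 1 }
        indev && /^[[:space:]]*[}]/ { indev = 0 }
        indev && $1 == "issue_discards" && $3 == "1" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Print "<mountpoint> <option>" for every ext4 entry missing option $2.
fstab_missing_opt() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 4 || $3 != "ext4" { next }
        { n = split($4, o, ","); hit = 0
          for (i = 1; i <= n; i++) if (o[i] == want) hit = 1
          if (!hit) print $2, want }'
}

# Live check (needs root): an fstrim error means a layer between the
# filesystem and the device is not passing TRIM through.
trim_check() {
    if fstrim "$1" 2>/dev/null; then echo "$1: TRIM reaches the device"
    else echo "$1: FITRIM failed, recheck dm-crypt and LVM"; fi
}

echo "crypttab targets without discard:"
crypttab_missing_discard "$SAMPLE_CRYPTTAB"
lvm_issue_discards_on "$SAMPLE_LVM_CONF" && echo "lvm.conf: issue_discards = 1"
for opt in discard noatime; do fstab_missing_opt "$SAMPLE_FSTAB" "$opt"; done
```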
Partition alignment: When SSDs first were released, many of the disk partitioning systems still were based on old sector-based logic for placing partitions. This could cause a problem if the partition boundary didn't line up nicely with the SSD's internal 512k block erase size. Luckily, the major partitioning tools now default to 512k-compatible ranges:

fdisk uses a one megabyte boundary since util-linux version 2.17.1 (January 2010).

LVM uses a one megabyte boundary as the default since version 2.02.73 (August 2010).
If you're curious whether your partitions are aligned to the right boundaries, here's example output from an Intel X25-M SSD with an erase block size of 512k:

    $ sudo sfdisk -d /dev/sda
    Warning: extended partition does not start at a cylinder boundary.
    DOS and Linux will interpret the contents differently.
    # partition table of /dev/sda
    unit: sectors

    /dev/sda1 : start=     2048, size=   497664, Id=83, bootable
    /dev/sda2 : start=   501758, size=1557995554, Id= 5
    /dev/sda3 : start=        0, size=        0, Id= 0
    /dev/sda4 : start=        0, size=        0, Id= 0
    /dev/sda5 : start=   501760, size=1557995552, Id=83

Since the main partition (sda5) starts and ends at a number evenly divisible by 512, things look good.
Monitoring SSDs in Linux: I already covered running tune2fs -l <device> as a good place to get statistics on a filesystem device, but those are reset each time you reformat the filesystem. What if you want to get a longer range of statistics, at the drive level? smartctl is the tool for that. SMART (Self-Monitoring, Analysis and Reporting Technology) is part of the ATA standard that provides a way for drives to track and report key statistics, originally for the purposes of predicting drive failures. Because drive write volume is so important to SSDs, most manufacturers are including this in the SMART output. Run sudo smartctl -a /dev/<device> on an SSD device, and you'll get a whole host of interesting statistics. If you see the message "Not in smartctl database" in the smartctl output, try building the latest version of smartmontools.

Each vendor's label for the statistic may be different, but you should be able to find fields like Media_Wearout_Indicator that will count down from 100 as the drive approaches the Flash wear limit and fields like Lifetime_Writes or Host_Writes_32MiB that indicate how much data has been written to the drive (Figure 3).

Figure 3. smartctl Output (Trimmed)
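Those two attributes are the ones worth pulling into a cron job. The script below is an added example, not from the article: it extracts Media_Wearout_Indicator and Host_Writes_32MiB from smartctl -A style output, converts the write counter to GiB and makes a simple linear life estimate. The attribute table is constructed to resemble smartctl's layout for an Intel-style drive and is not real drive data; the attribute IDs and the Host_Writes_32MiB scaling are assumptions about that vendor's reporting.

```shell
#!/bin/sh
# Added example, not from the article: turn the wear-related SMART
# attributes into numbers a monitoring job can act on. SAMPLE_SMART is a
# constructed table in "smartctl -A" layout, not output from a real drive.
SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0032   100   100   000    Old_age   Always       -       0
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       8760
225 Host_Writes_32MiB       0x0032   100   100   000    Old_age   Always       -       412000
233 Media_Wearout_Indicator 0x0032   094   094   000    Old_age   Always       -       0'

# Normalized VALUE column for an attribute (counts down from 100); prints
# nothing when the vendor does not report that attribute.
smart_value() {
    printf '%s\n' "$1" | awk -v name="$2" '$2 == name { print $4 + 0; exit }'
}

# RAW_VALUE column (last field) for an attribute.
smart_raw() {
    printf '%s\n' "$1" | awk -v name="$2" '$2 == name { print $NF + 0; exit }'
}

# Host_Writes_32MiB counts 32 MiB units, so 32 units make one GiB.
host_writes_gib() {
    raw=$(smart_raw "$1" Host_Writes_32MiB)
    [ -n "$raw" ] || { echo unknown; return 1; }
    echo $(( raw / 32 ))
}

# Linear life estimate: (100 - indicator) percent of the rated wear was used
# by the writes seen so far, so the remaining budget is writes * wear / used.
# Prints GiB, or "unknown" if an attribute is missing or nothing has worn yet.
remaining_writes_gib() {
    wear=$(smart_value "$1" Media_Wearout_Indicator)
    written=$(host_writes_gib "$1")
    if [ -z "$wear" ] || [ "$written" = unknown ]; then echo unknown; return 1; fi
    used=$(( 100 - wear ))
    [ "$used" -gt 0 ] || { echo unknown; return 1; }
    echo $(( written * wear / used ))
}

# One-line status for cron: ALERT once the indicator falls to $2 or lower.
wearout_status() {
    wear=$(smart_value "$1" Media_Wearout_Indicator)
    [ -n "$wear" ] || { echo "unknown: no Media_Wearout_Indicator reported"; return 1; }
    if [ "$wear" -le "$2" ]; then echo "ALERT wearout=$wear"; else echo "ok wearout=$wear"; fi
}

# Demonstration on the constructed table; substitute
# "$(sudo smartctl -A /dev/sdX)" for SAMPLE_SMART on a real system.
echo "host writes: $(host_writes_gib "$SAMPLE_SMART") GiB"
echo "estimated remaining: $(remaining_writes_gib "$SAMPLE_SMART") GiB"
wearout_status "$SAMPLE_SMART" 10
```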
Other Generic Tips

Swap: if your computer is actively using swap space, additional RAM probably is a better upgrade than an SSD. Given the fact that longevity is so tightly coupled with writes, the last thing you want is to be pumping multiple gigabytes of swap on and off the drive.

HDDs still have a role: if you have the space, you can get the best of both worlds by keeping your hard drive around. It's a great place for storing music, movies and other media that doesn't require fast I/O. Depending on how militant you want to be about SSD writes, you can mount folders like /tmp, /var or even just /var/log on the HDD to keep SSD writes down. Linux's flexible mounting and partitioning tools make this a breeze.

SSD free space: SSDs run best when there's plenty of free space for them to use for wear leveling and garbage collection. Size up and manage your SSD to keep it less than 80% full.

Things that break TRIM: RAID setups can't pass TRIM through to the underlying drives, so use this mode with caution. In the BIOS, make sure your controller is set to AHCI mode and not IDE emulation, as IDE mode doesn't support TRIM and is slower in general.
SSD Performance

Now let's get to the heart of the matter: practical, real-world examples of how an SSD will make common tasks faster.

Test Setup: Prior to benchmarking, I had one SSD for my Linux OS, another SSD for when I needed to boot in to Windows 7 and an HDD for storing media files and for doing low-throughput, high-volume work (like debugging JVM dumps or encoding video). I used partimage to back up the HDD, and then I used a Clonezilla bootable CD to clone my Linux SSD onto the HDD. Although most sources say you don't have to worry about fragmentation on ext4, I used the ext4 defrag utility e4defrag on the HDD just to give it the best shot at keeping up with the SSD.

Here's the hardware on the development workstation I used for benchmarking, pretty standard stuff:

CPU: 3.3GHz Intel Core i5-2500k CPU.
Motherboard: Gigabyte Z68A-D3H-B3 (Z68 chipset).
RAM: 8GB (2x4GB) of 1333 DDR3.
OS: Ubuntu 12.04 LTS (64-bit, kernel 3.5.0-39).
SSD: 128GB OCZ Vertex4.
HDD: 1TB Samsung Spinpoint F3, 7200 RPM, 32MB cache.

Figure 4. bootchart Output

I picked a set of ten tests to try to showcase some typical Linux operations. I cleared the disk cache after each test with:

    echo 3 | sudo tee /proc/sys/vm/drop_caches

and rebooted after completing a set. I ran the set five times for each drive, and plotted the mean plus a 95% confidence interval on the bar charts shown below.
Boot Times: Because I'm the only user on the test workstation and use whole-disk encryption, X is set up with automatic login. Once cryptsetup prompts me for my disk password, the system will go right past the typical GDM user login to my desktop. This complicates how to measure boot times, so to get the most accurate measurements, I used the bootchart package that provides a really cool Gantt chart showing the boot time of each component (partial output shown in Figure 4). I used the Xorg process start to indicate when X starts up, the start of the Dropbox panel applet to indicate when X is usable and subtracted the time spent in cryptsetup (its duration depends more on how many tries it takes me to type in my disk password than how fast any of the disks are). The SSD crushes the competition here.

Figure 5. Boot Times

Table 1. Boot Times
Test            HDD (s)   SSD (s)   % Faster
Xorg Start      19.4      4.9       75%
Desktop Ready   33.4      6.6       80%
Application Start Times: To test application start times, I measured the start times for Eclipse 4.3 (J2EE version), Team Fortress 2 (TF2) and Tomcat 7.0.42. Tomcat had four WAR files at about 50MB each to unpackage at start. Tomcat provides the server startup time in the logs, but I had to measure Eclipse and Team Fortress manually. I stopped timing Eclipse once the workspace was visible. For TF2, I used the time between pressing Play in the Steam client and when the TF2 Play menu appears. There was quite a bit of variation between the three applications, where Eclipse benefited from an SSD the most, and the gains in Tomcat and TF2 were present but less noticeable.

Single-File Operations: To test single-file I/O speed, I created a ~256MB file via:

    time dd if=/dev/zero of=f1 bs=1048576 count=256

copied it to a new file and then read it via cat, redirecting to /dev/null. I used the time utility to capture the real elapsed time for each test.
Multiple File Operations: First, I archived the 200k files in my 1.1GB Eclipse workspace via:

    tar -c ~/Workspace > w.tar

to test archiving speed. Second, I used:

    find -name "*.java" -exec fgrep "Foo" {} \; > /dev/null

to simulate looking for a keyword in the 7k java files. I used the time utility to capture the real elapsed time for each test. Both tests made the HDD quite noisy, so I wasn't surprised to see a significant delta.

Table 2. Application Launch Times
Test      HDD (s)   SSD (s)   % Faster
Eclipse   26.8      11.0      59%
Tomcat    19.6      17.7      10%
TF2       72.2      67.1      7%

Table 3. File I/O
Test      HDD (s)   SSD (s)   % Faster
create    1.5       0.5       67%
copy      3.3       1.1       69%
read      2.2       0.2       63%

Table 4. Multi-File I/O
Test           HDD (s)   SSD (s)   % Faster
tar            123.2     17.5      86%
find & fgrep   34.3      12.3      64%

Figure 6. Application Launch Times
Figure 7. File I/O
Figure 8. Multi-File I/O

Summary

If you haven't considered an SSD, or were holding back for any of the reasons mentioned here, I hope this article prompts you to take the plunge and try one out.

For reliability, modern SSDs are performing on par with HDDs. (You need a good backup, either way.) If you were concerned about longevity, you can use data from your existing system to approximate how long a current generation MLC or TLC drive would last. SSD support has been in place in Linux for a while, and it works well even if you just do a default installation of a major Linux distribution. TRIM support, some ext4 tweaks and monitoring via tune2fs and smartctl are there to help you maintain and monitor overall SSD health. Finally, some real-world performance benchmarks illustrate how an SSD will boost performance for any operation that uses disk storage, but especially ones that involve many different files. Because even OS-only budget-sized SSDs can provide significant performance gains, I hope if you've been on the fence, you'll now give one a try.

Brian Trapp serves up a spicy gumbo of Web-based yield reporting and analysis tools for hungry semiconductor engineers at one of the leading semiconductor research and development consortiums. His signature dish has a Java base with a dash of JavaScript, Perl, Bash and R, and his kitchen has been powered by Linux ever since 1998. He works from home in Buffalo, New York, which is a shame only because that doesn't really fit the whole chef metaphor.

Send comments or feedback via http://www.linuxjournal.com/contact or to ljeditor@linuxjournal.com.
DOC SEARLS

Returning to Ground from the Web's Clouds

Fixing problems of centralization with more centralized systems only makes the problem worse.
The Net as we know it today first became visible to me in March 1994, when I was among several hundred other tech types gathered at Esther Dyson's PC Forum conference in Arizona. On stage was John Gage (http://en.wikipedia.org/wiki/John_Gage) of Sun Microsystems, projecting a Mosaic Web browser (http://en.wikipedia.org/wiki/Mosaic_(web_browser)) from a flaky Macintosh Duo (http://en.wikipedia.org/wiki/PowerBook_Duo), identical to the one on my lap. His access was to Sun over dial-up.

Everybody in the audience knew about the Net, and some of us had been on it one way or another, but few of us had seen it in the fullness John demonstrated there. (At that date, there were a sum total of just three Internet Service Providers.) James Fallows (http://www.theatlantic.com/james-fallows) was in the crowd, and he described it this way (http://listserv.aera.net/scripts/wa.exe?A2=ind9406&L=aera-f&D=0&P=351) for The Atlantic:

In the past year millions of people have heard about the Internet, but few people outside academia or the computer industry have had a clear idea of what it is or how it works. The Internet is, in effect, a way of combining computers all over the world into one big computer, which you seemingly control from your desk. When connected to the Internet, you can boldly prowl through computers in Singapore, Buenos Aires, and Seattle as if their contents resided on your own machine.
In the most riveting presentation of the conference, John Gage, of Sun Microsystems, demonstrated the World Wide Web, the gee-whizziest portion of the Internet, in which electronic files contain not only text but also graphics and sound and video clips. Using Mosaic, a free piece of navigator software that made moving around the Web possible, Gage clicked on icons on his screen exactly as if he were choosing programs or directories on his own hard disk. He quickly connected to a Norwegian computer center that had been collecting results during the Winter Olympics in Lillehammer and checked out a score, duplicating what Internet users had done by the millions every day during the games, when CBS-TV was notoriously late and America-centric in reporting results.
Note the terms here. John used Mosaic to "control", "boldly prowl" and "navigate" his way around the Web, which was the "gee-whizziest" portion of the Net.

That portion has since become conflated with the whole thing. Today we use browsers to do far more than navigate the Web. Protocols that once required separate apps (file transfer, e-mail, instant messaging) are now handled by browsers as well. We now also can use browsers to watch television, listen to radio and read publications. It's hard to name anything a computer can do that isn't also doable (and done) in a browser.

Serving up most of those capabilities are utility Web services, provided by Amazon, Apple, Dropbox, Evernote, Google, Yahoo and many more, each with their own clouds. The growth of the Web, atop the Net, also has provided a conceptual bridge from computers to smartphones and tablets. Today nearly every mobile app would be useless without a back-end cloud.

While relying on the Web and its clouds has increased the range of things we can do on the Net, our freedom to act independently has declined. The browser that started out as a car on the information superhighway has become a shopping cart that gets re-skinned with every commercial site it visits, carrying away tracking beacons that report our activities back to centralized servers over which we have little if any control. The wizards among us might be adept at maintaining some degree of liberty from surveillance, but most muggles are either clueless about the risks or make do with advertising and tracking blockers. This is less easy in the mobile world, where apps are more rented than owned, and most are maintained by vendor-side services. Thus, we've traded our freedom for the conveniences of centralization. The cure for that is decentralization: making the Net personal, like it promised to be in the first place, and still is, deep down.
Figure 1. Servers Generating a Hypertext Representation
It should help to remember that the Web is polycentric while the Net is decentralized. By polycentric, I mean server-based: every server is a center. So, even though Tim Berners-Lee wanted the Web to be what he called "a distributed hypertext system for universal linked information" (http://www.w3.org/History/1989/proposal.html), what he designed was servers generating a hypertext representation, as shown in Figure 1. Today this looks like your e-mail on a Google server, or your photos on Instagram or your tweets on Twitter. There's nothing wrong with any of those, just something missing: your independence and autonomy.

Meanwhile, the Net beneath the Web remains decentralized: a World of Ends (http://worldofends.com) in which every end is a functional distance of zero from every other end. "The end-to-end principle is the core architectural guideline of the Internet," says RFC 3724. Thus, even though the Internet is a collection of networks, what collects them are the transcendent purposes of the Net's ends, which consist of you, me, Google and every other node.

Figure 2. It helps to think of the Net as the ground we walk and drive on, and the Web as clouds in the sky.
If you want to grok the problems of centralization fully, and their threat to personal freedom, to innovation and to much else, watch, listen to or read Eben Moglen's lectures titled "Snowden and the Future" (http://snowdenandthefuture.info), given in November and December 2013 at Columbia University, where Eben has been teaching law for 26 years. The lectures are biblical in tone and carry great moral weight. For us in the Linux community, they are now in the canon.

What Eben calls for is not merely to suffer the problems of centralization, but to solve them. This requires separating the Net and the Web. For me, it helps to think of the Net as the ground we walk and drive on, and the Web as clouds in the sky, as I've illustrated with the photo in Figure 2.

There are many possibilities for decentralized solutions on the Net's ground, and I hope readers will remind us of some. Meanwhile, I'll volunteer a pair I've been watching lately. One is TeleHash, and the other is XDI.

TeleHash (http://telehash.org) is the brainchild of Jeremie Miller, father of Jabber and the XMPP protocol for instant messaging. Its slogan is "JSON + UDP + DHT = Freedom", and it is described as "a new wire protocol enabling applications to connect privately in a real-time and fully distributed manner, freeing them from relying on centralized data centers." The rest of the index page says:

What

It works by sending and receiving small encrypted bits of JSON (with optional binary payloads) via UDP using an efficient routing system based on Kademlia (http://en.wikipedia.org/wiki/Kademlia), a proven and popular Distributed Hash Table.

Demo

It's very much in the R&D stages yet, but check out hash-im (https://github.com/quartzjer/hash-im) for a simple demo.

Status

The current spec (https://github.com/telehash/telehash.org/blob/master/protocol.md) is implemented in a few languages (any help here would be great!), and prototype apps are being created to test it. Questions can be directed at Twitter (https://twitter.com/jeremie), or to Jeremie Miller directly.
XDI (http://xdi.org) is a mostly-baked standard. Its purpose is to define a generalized, extensible service for sharing, linking, and synchronizing data over digital networks using structured data formats (such as JSON and XML) and XRIs (Extensible Resource Identifiers), a URI-compatible abstract identifier scheme defined by the OASIS XRI Technical Committee (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xdi). Wikipedia (at the moment) says (http://en.wikipedia.org/wiki/XDI):

The main features of XDI are: the ability to link and nest RDF graphs to provide context; full addressability of all nodes in the graph at any level of context; representation of XDI operations as graph statements
so authorization can be built into the graph (a feature called XDI link contracts); standard serialization formats including JSON and XML; and a simple ontology language for defining shared semantics using XDI dictionary services.

XDI graphs can be serialized in a number of formats, including XML and JSON. Since XDI documents are already fully structured, XML adds very little value, so JSON is the preferred serialization format.

The XDI protocol can be bound to multiple transport protocols. The XDI TC is defining bindings to HTTP and HTTPS, however it is also exploring bindings to XMPP and potentially directly to TCP/IP.

XDI provides a standardized portable authorization format called XDI link contracts (http://en.wikipedia.org/wiki/Link_contract). Link contracts are themselves XDI documents (which may be contained in other XDI documents) that enable control over the authority, security, privacy, and rights of shared data to be expressed in a standard machine-readable format and understood by any XDI endpoint.

This approach to a globally distributed data sharing network models the real-world mechanism of social contracts (http://en.wikipedia.org/wiki/Social_contract), and legal contracts that bind civilized people and organizations in the real world today. Thus, XDI can be a key enabler of the Social Web (http://en.wikipedia.org/wiki/Social_Web). It has also been cited as a mechanism to support a new legal concept, Virtual Rights (http://www.virtualrights.org), which are based on a new legal entity, the virtual identity, and a new fundamental right: to have or not to have a virtual identity.

It's early for both of these. But I know in both cases the mentality of the developers is on the ground of the Net and not lost in the clouds of the Web. We'll need a lot more of that before we all get our freedom back.

Doc Searls is Senior Editor of Linux Journal. He is also a fellow with the Berkman Center for Internet and Society at Harvard University and the Center for Information Technology and Society at UC Santa Barbara.