Network Attached Storage (NAS)

Once you hear what a NAS appliance does, you might be tempted to wonder (as I did) what all the fuss is about. But there are reasons for a NAS appliance, though a NAS isn’t for everybody.

Network Attached Storage is nothing more than a server with a pile of disks and a dozen different ways to access them. For most intents and purposes, the difference between a File Server of yesteryear and the Network Attached Storage of today is conceptually rather minimal.

NAS typically provides access to files via such methods as Windows shares, NFS, iSCSI, Appleshare and others.

So what does a NAS appliance provide that an NFS server does not? There are several benefits:

  • Special purpose. Since the system is solely for the purpose of serving up files for users, there is no need for any other facilities except those that deal with its specified purpose. Thus, a lot of potentially vulnerable or unreliable code can be removed, and the speed and reliability of the system can be increased. Some systems do not come with a general purpose operating system of any kind, but rather a specially designed operating system for serving files alone.
  • Extensive support. In many cases, since the system is specifically designed for serving up file storage, the innumerable variations of network storage protocols come supported out of the box.
  • Ease of use. With the system designed to serve one purpose – and to provide the customer with the best possible experience – the system is generally made much easier to configure and easier to use than having to configure the varying servers and protocols independently.

There are two different NAS products that are the heavy-weights in the free and open source arena: FreeNAS (freenas.org) and OpenFiler (openfiler.com).

The most obvious difference between these two is their base (and their associated licenses). The base for FreeNAS is FreeBSD, and, like FreeBSD, it is licensed under the BSD license. OpenFiler, however, uses Linux as its base, and is likewise covered by the General Public License version 2.

This week, I’ll focus on FreeNAS with the assistance of a book entitled Learning FreeNAS by Gary Sims and published by Packt Publishing.


A vulnerability walk-through

The FreeBSD kernel recently had an issue in the kenv(2) kernel call, and this article describes very well what it is – and why it is bad. The vulnerability itself is not terribly bad, but the problem exposed is a common one and shows how all user data must be vetted before it is used: a programmer must treat all user data as suspect.

In fact, there have been studies done by Professor Barton Miller at the University of Wisconsin showing that both commercial and open source programs (in a variety of operating systems) are vulnerable (to differing extents) to a constant barrage of random data.

If your code is to be secure, you absolutely must treat user data as hostile and unknown: any trust placed in the user will be abused by someone, either accidentally or purposefully. If by accident, the user will think your software broken and unreliable; if by purpose, your system (or someone else’s!) could be compromised.

Two excellent books on this topic (from two different angles) are these: Hacking: the Art of Exploitation (by Jon Erickson) and Secure Coding Principles (by Mark Graff and Kenneth van Wyk). The first will show you how broken code can be taken advantage of; the second will show you how not to write broken code.
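As an added illustration of the rule above (this is not the FreeBSD kenv(2) code, nor code from the article or either book): a handler for a constructed request format, shown in a trusting and a vetted form, with a random-input test in the spirit of the Miller studies. The request format, `VALUE_MAX` and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_MAX 128   /* hypothetical size of the destination buffer */

/* Trusting form, for contrast only (never called): believes the length byte. */
int store_value_trusting(const uint8_t *req, uint8_t *out)
{
    memcpy(out, req + 1, req[0]);   /* may read past req and write past out */
    return req[0];
}

/* Constructed request format: one length byte, then that many payload bytes.
 * Vetted form: returns the number of bytes stored, or -1 if rejected. */
int store_value(const uint8_t *req, size_t req_len, uint8_t *out)
{
    if (req == NULL || out == NULL || req_len < 1)
        return -1;                  /* no length byte to read */
    size_t claimed = req[0];        /* user-controlled, so suspect */
    if (claimed > VALUE_MAX)
        return -1;                  /* would overflow the destination */
    if (claimed > req_len - 1)
        return -1;                  /* claims more than was actually sent */
    memcpy(out, req + 1, claimed);
    return (int)claimed;
}

/* Random-input test: feed junk requests, count broken invariants. */
int fuzz_store_value(unsigned seed, int rounds)
{
    uint8_t req[300], out[VALUE_MAX + 16];
    int violations = 0;
    srand(seed);
    for (int i = 0; i < rounds; i++) {
        size_t len = (size_t)rand() % (sizeof req + 1);   /* 0..300 bytes */
        for (size_t j = 0; j < len; j++)
            req[j] = (uint8_t)(rand() & 0xff);
        memset(out, 0xAA, sizeof out);                    /* guard pattern */
        int n = store_value(req, len, out);
        if (n > VALUE_MAX || (n >= 0 && (size_t)n + 1 > len))
            violations++;           /* accepted a length it should not have */
        for (size_t j = VALUE_MAX; j < sizeof out; j++)
            if (out[j] != 0xAA) { violations++; break; }  /* wrote past the end */
    }
    return violations;
}

int main(void)
{
    printf("violations: %d\n", fuzz_store_value(2009, 100000));
    return 0;
}
```

The two rejections in `store_value` are separate checks: one bounds the claimed length against the destination, the other against the bytes actually received.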

Ten Linux Applications You Must Have!

I read this article of Ten Linux Apps That You Can’t Do Without and was surprised. Why was I surprised?

I was surprised to see how little of the list I consider “must have” applications. Most of the applications I probably would never use, and would be quite happy without. Even the two stalwart entries from Mozilla, Firefox and Thunderbird, aren’t really must have applications.

Of course, this sets one to thinking – if those aren’t the Top 10, then what is? What are the Top 10 Applications you must have?

This is an interesting question – especially as I’m leaning toward using my MacMini more and more these days (but that’s a future topic).

  1. BasKet. This is a very nice note-taking application, which provides for beautifully done notes with links, application launchers, hyperlinks to the web, and full color graphics et al.
  2. Kontact. This is a PIM that combines KMail, BasKet, KTimer, and many more into one single PIM. Very nicely done, and well worth using.
  3. KMyMoney. This is quite possibly the most advanced personal budgeting tool for KDE, and it is very nice.
  4. Thinkfree Office. There are some extremely capable office suites, such as KOffice and OpenOffice. However, only Thinkfree not only synchronizes with an online repository, but also provides a way to edit online as well as on other platforms.
  5. Amarok. What’s productivity without some background music? Amarok is easy to use and provides all the capabilities you could hope for.
  6. Zim. A personal wiki: empty your brain here!
  7. KPDF. Why try to utilize a presentation tool when you can just create a PDF and use KPDF instead?
  8. digiKam. Store your photos, tag them, and more.
  9. KRDC. Access your desktop with this application, and work like you are at your desk.
  10. Keep. Back up those files! Keep is simple enough to run every day and not get in your way. You won’t have any qualms about backing up if you use this tool.

What’s on your list?

Wandering through the Linux Kernel

This is just too fun to let go. Go for an online interactive visit into the depths of the Linux kernel.

And if that’s not enough, there is a poster of the same that you can hang on your wall.

A technical examination of the Linux kernel was never this much fun…

Pwn2Own 2009: Browsers Fall

With the Pwn2Own contest at CanSecWest nearly over, nearly all of the major browsers have quickly fallen – which is unfortunate. In fact, Safari on the Macintosh MacBook fell in less than 10 seconds.

This year’s contest strongly brings the security of current browsers under scrutiny: Internet Explorer, Firefox, and Safari all quickly fell, allowing compromise of the machine they were running on. Google’s Chrome browser will come under fire on Friday.

ComputerWorld had a nice writeup.

IBM to Buy Sun?

This is big news, apparently broken by the Wall Street Journal on Wednesday (18 March). Vivian Yeo had a short article on it in ZDNet, and Stephen Shankland of CNET had an extensive piece on it – suggesting that the sale would have some severe stumbling blocks, including a clash of cultures between Sun and IBM.

The New York Times discussed the possibility at length on 19 March. The piece in the NYT posits that such a merger would invite antitrust scrutiny from the U.S. government – which I believe it would.

According to the NYT, Sun went looking for a buyer and was turned down by Hewlett-Packard among others.

The possibility of a sale of Sun Microsystems is by no means new; in 1996 there was raised (by the Wall Street Journal on 23 January) the possibility of an Apple-Sun merger, which was finally put to rest by a succinct press release from Apple (then under Gil Amelio): Apple is “not currently in merger discussions with any party.” (This was also covered in the February 1996 edition of SunWorld).

In 2006, there was some discussion in the 4 June 2006 San Francisco Chronicle about the possibility that Sun was preparing itself for sale, having just jettisoned its poison pill and laid off 5,000 workers.

In August of that year, the possibility of a Sun-Apple merger was brought up again with the ascent of Eric Schmidt, Google’s CEO, to the board of Apple. John Dvorak suggested on 30 August that Schmidt could be an intermediary to a Sun-Apple deal.

That same day, Dan Farber, senior editor at ZDNet, replied, essentially stating that such a possibility was unthinkable.

So, we will have to wait and see what happens.

The Dark Side of Cloud Computing

If you have information in “the cloud” instead of on your personal computer, there is a dark side that you should be aware of.

The information that you save to the cloud resides on servers elsewhere, such as California or Korea or Canada. Wherever those servers reside, there are laws that govern them and the corporation that controls them. These laws may permit much looser access to that information than the laws where you are.

Even within the United States, there is a big difference between the data stored on your personal computer or laptop and the information stored on external servers. The United States government must get a warrant signed by a judge before searching your home (and home computer); however, a warrant is not necessary to get a corporation such as an Internet Service Provider (ISP) or others to give the police your data. Companies such as Google and others can be forced to give the police data without notifying you.

This data is not just on the servers, but can also be found on backup tapes. Some services – either by their nature or by design – will keep multiple versions of your data, so all past versions can be scanned.

Cloud computing can be brought in-house to some extent, most notably by using open source projects such as eyeOS (which provides a remote desktop). If you are truly concerned by leaving your data open, do not use unsecured network protocols, and do not set up a server with a hosting service: you must run your own server internally.

Other services will provide a key which encrypts the data on their servers – such that the hosting service cannot read any of your data. These are the best services to use, although they may be harder to find. The most likely cloud computing services to do this are backup services as well as those specializing in privacy.

For example, SpiderOak keeps all data on their servers encrypted – so even they can’t read it. Mozy appears to offer the same capability.

Password storage sites also have security built-in; both Clipperz and PassPack have encrypted all of the data on their servers, preventing anyone from reading your data.

However, Google Docs, Zoho, and Thinkfree Office all appear to keep data on their servers readable by anybody – thus, your data could be subpoenaed by a court of law if necessary.

It’s unlikely that any of the “micro” services would offer encryption of your data – services like del.icio.us or Joe’s Goals or Zotero.

There is also the possibility of losing all of your data due to a site shutting down. Some sites, polished though they may be, are run by individuals or tiny companies; thus one should not rely on cloud computing alone. Backups should be replicated internally – including backups of all data stored externally.

One good example of this would be the service Magnolia – the service suffered a total data loss stemming from a disaster that took place in February.

Thus, like RAID, cloud computing alone is not a backup!

The Surveillance Self-Defense Project


The Electronic Frontier Foundation recently created the Surveillance Self-Defense Project, with this focus:

Surveillance Self-Defense (SSD) exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?

This will help you take back your privacy (in as much as it can ever be taken back).

This information is specific to the United States government, but there are other parties that are very interested in spying on you: your employer, advertisers, foreign governments, online stores, and many copyright holders.

Read the documents at the SSD Project and see how to increase your privacy in the surveillance society of today.

Nagios Tips: Did You Know… ?

There are a number of things within Nagios that I did not know it could do until I had used it for some time.  I thought I would pass these facts on to you.  Once you know them, it seems simple – but only afterwards.

For example, consider the Host and Service Status Totals at the top of the screen.

All text (except the title) is clickable.  If you click on “All Problems” it will show the appropriate problem entries (assuming they can be seen in the current view!).

Another example is the Service Overview: if you click on the extended title for a service group, you’ll see all details for that service group.  However, if you click on the short title for a service group, you’ll be able to take actions on the entire service group as a whole (very nice!).  You can schedule downtime, enable or disable notifications, and enable or disable active checks.

This capability extends to the Host Groups as well: you can (at the appropriate screen) enable downtime for a hostgroup, enable or disable notifications for a hostgroup or for all services in a hostgroup, and enable or disable active checks for all services in a hostgroup.

Don’t forget to look at the innocuous-looking info box at the top left of the main Nagios data window; this window often provides ways to look at details of the current view.  For example, when looking at the Service Details for a particular host group, you can switch to a number of other views relating to the current host group, or for all host groups.

There is also the ability to sort the Status Details report.  This allows you to answer questions like these:

  • What is the most recent check completed?  (order by “Last Check”)
  • What is the longest status duration? (order by “Duration”)

Any column can be sorted except “Status Information” – click on the arrows at the title.  Normally this report is sorted alphabetically by Host then by Service.

However, suppose you want only one particular service group?  Click on the Service name, then under “Member of” in the next screen click on the group name.  Thus you see the Service Overview for that service group.  From there you can see the Service Details (by clicking the full title) or Actions (by clicking on the short title).

With all of these ways to view problems, you can answer your questions quicker and view the results faster.


Email Productivity: Smack Down that Email!

I believe I have a somewhat unusual approach to email – at least, unusual in that it doesn’t seem to be discussed much. It works for me, and might just work for you.

I get a ton of emails – mainly because I either a) have notices and warnings and logs coming from systems I manage, or b) subscribe to way too many newsletters, mailing lists, and so forth. At work, I get notices; at home, I get mailing lists…

This is what I do.

Sort everything!

If you can quantify it, put it into a folder. Nothing should be in your inbox except mail you’ve not had a chance to quantify yet – or haven’t seen before.

Create rules to sort things automatically. This is the crux of the system: everything is sorted as it comes into your mailbox. Also, if necessary, force the rules to sort only once: once the rule is triggered, it should quit and stop processing rules. Thunderbird does this automatically; Outlook has to be told.

As you create the rules, most email clients will allow you to create a folder at the same time. Use this capability.

Many clients also have the ability to create a rule from a message – sometimes even to the point of automatically creating a filter on a sender or on a mailing list sender: use it. Both Thunderbird and Outlook will provide much of this capability from a right click on the message to be sorted.

Also remember to apply the rules as you create them to all messages currently in the inbox: that is the whole purpose. Before the rule was created, they couldn’t be sorted – so sort them afterwards.

Here are some examples:

  • Mail from the boss. Move it to a folder with his name.
  • Mail from the system administration mail group. Put into a folder named according to the group’s name.
  • Newsletter from a system manufacturer. Move to a folder named according to the newsletter name or the manufacturer’s name.
  • Automatic log messages sent by mail from a system. If these are “alarm” type messages, separate them. System messages could go into a folder named after the system, or into a folder according to the monitor tool reporting.

The last example brings up the next point:

Use saved searches to sort in different ways.

For example, all automated messages from a system could go into a folder by system name. Then create saved searches that show all messages from a particular monitoring system (such as Nagios or HP’s EMS).

Add alarms for vital mail.

In contrast to what others have said, I believe in message alarms: however, only use them for mail that is truly important. For example, when the boss sends you an email, you’d better look at it, yes? Likewise, if you are responding to help desk tickets, you’d better know about it right away.

The general suggestion still holds however: turn off global message alarms!

Change view of inbox to only show unread mail.

This is how I achieve Inbox Zero (I cheat!). I do still create rules as much as possible for everything that comes in – but there are stragglers.

Create a list of favorites.

Lastly, create a list of favorites. Outlook allows you to mark a folder as a favorite; KMail has a similar capability. This provides you with a way to sort everything but only see (directly) what is most important.
