ClearMind Central Blog
Discussing data solutions and technology security, with occasional digressions
What I appreciate about this article over at RedHat (as I read):
1. This guy clearly will bounce between operating systems. He mentions “MSYS” (http://www.mingw.org/download.shtml) which also should be in one’s bag of tricks with cygwin.
2. He is willing to consider some old 8086 machines and dot-matrix printers as potential time-saving tools.
3. He mentions the Penguin Sleuthkit, which looks great as a forensic tool. It is incredibly important to use tools which protect the integrity of the scene — there can be no question of tampering with anything. This kit looks like it has the tools one would need to do a rapid look-over.
The linux world, in its fight to act like a point-for-point rebuttal to the Windows and Mac worlds, are busily adding features and bloat to desktop offerings. However, in the process, a regular mainstream Linux distribution like Mandrake or Red Hat take as much, and at times more, memory and processor speed as a Windows XP distribution does.
This came as something of a shock to me. Fedora just doesn’t run very well with 128MB, and barely does with 256MB. Yet, part of my reason for getting involved in the Linux services world is my belief that Linux is an excellent fit for older hardware. In other words, all those dusty computers from two generations ago, those Pentium Ones with 64MB RAM, could still be productive machines today.
Well, maybe so, but not with a recent mainstream distribution. Those distributions will occasionally work with older machines, especially if all you need is a really slow httpd or mysql server, but not (or not really) with a windowing environment. And if you can’t deal with something other than Gnome or KDE, well, forget it.
To figure out what to suggest to clients, I did a search on the state of the art in lighter-weight distributions.
Over at http://www.goosee.com/puppy/, this developer decided he wanted to take his operating system and his personal files with him in a USB 128MB pen drive. Along the way, he ended up making a fast and functional linux distribution.
It is especially usable for newbies, since it uses the MS Windows ‘clone’ Fvwm95. Much else is nice about it, and there is plenty to explore. It needs to be tested with dialup connections, but that is about it.
Ever wonder why Klaus Knopper has to put all that stuff into Knoppix? Well, he doesn’t, and never said that he did. You always could roll your own. Can now, too.
Feather Linux is an attempt at removing enough from Knoppix to make a slim and usable Linux distribution. It has only gone through one revision (it is at 0.1 as of 10/2004), but it is one to watch. Try it out at
Vector Linux is one of the original distributions aimed at older computers. Its installer leaves plenty to be desired, and requires a bit of an enthusiast’s or an expert’s knowledge of how disk drives work; it as well gives some choice as to which windowing environment one wants to use, which will be non-intuitive for most folks. Generally, however, it shows the way to how to build a distribution with lower-end computers in mind.
The Linux Terminal Server Project (LTSP)
Some computers are too old really to do much at all, or for some offices, it doesn’t make sense to maintain applications and settings on a several computers. That’s where LTSP comes in, offering packages which allow you to set up computers to run off a server, without a disk involved. Basically, any program runs only in RAM on a workstation, and therefore most everything (beyond floppy disks) will be stored on the server. This eases application maintenance, backups, and allows companies to clearly set rules on what is allowable to install and what isn’t.
A wonderful use of an old computer — set it to boot from network!
Open Source Is Fertile Ground for Foul Play contains important security concerns. One part of the Total-Cost-of-Ownership will be, basically, open source code auditing, for those companies who go that route. No way to gloss over that. It is most certainly possible to inject malicious code into distributions, but you will certainly have to make it past the review systems of the packages/distributions themselves (including MD5 checksums, diff reviews, the rather efficient ways in which vuln information works its way around the open source community, etc.).
As more companies go the open source route, however, they will have an economic incentive to keep the code clean. For instance, MySql would have a big problem on their hands if something happened to the MySql codebase. RedHat would if Postgresql had a problem. Mandrake if KDE had a problem. Thousands of companies, if Apache, PHP, or Python had a problem.
Fedora and Win2k3 don’t have many because they are relatively new. Fedora for one will certainly have scads, hundreds, and you’ll get hosed if you don’t keep things updated (and as much as possible shut off and/or removed from the system).
One interesting aspect is that many vulns have to do with optional, separable pieces of the distribution. For instance, if OpenSSH has a vuln of a certain version, it will touch Debian, Slackware, RH 9x, Mandrake 9x, etc. etc., but obviously SSH might or might not be used on a system. Same for PHP, which is part of almost all the dists. But only a certain subset of installations use it for anything.
To apply this to RH 9.0: Many RH 9.0 vulns (Xpdf, mutt, sendmail, postgresql, ethereal, etc.) won’t apply, depending on what you’re running. But the idiot factor will be in play; if you install a dist but then don’t remove/turn-off what you’re not using, then you’re in trouble.
(P.S. Nice Response: Who’s guarding the guards? That would be us)
One of the most enjoyable and potentially useful bits of linux paraphernalia has been the explosion of “bootable linux” distributions. For quite a while, the main ones which were well known were tomsrtbt and Knoppix. Since a couple years ago there has been a truly wonderful proliferation of bootable distributions, with more created all the time.
There are several direct and obvious benefits to bootable linux distributions:
- You can have a special-purpose linux dist for a single task
- You can boot up linux on basically any machine, or at least find one that works, and so work in a familiar linux environment wherever you are
- You can try out several distributions, in the spirit of getting more familiar with them
- The bootable media is (almost always) read-only, so it won’t change or get damaged due to user error or playing with configuration settings — just restart and you’re back to where you began — thus, the bootable linux firewall: in the event of a security intrusion, reboot and you’re back to where you were before the intrusion — bad for forensics but good for uptime and recovery
Anyway, here are a few of the up-and-coming ones, well, at least according to Jeff Honnold’s spindle of CDs:
MandrakeMove: this is the bootable CD from Mandrake, that wacky French company which makes one of the best and most user-friendly distributions currently.
PHLAK, a.k.a. Professional Hackers Linux Attack Kit: yes, if you want to set up a bunker and start your intrusion tests as a White Hat security consultant, this is one of the dists you’ll have in your spindle.
MenuetOS: Joe Lazar just mentioned this to me, currently playing with it.
MEPIS: out of Morgantown WV, of all places. Am thinking of making a pilgrimage down there.
Movix: great for playing your media
Slashdot discusses a review of 18 live CDs; lots to choose from!
Habeas apparently makes their money by giving folks tools to receive email which is ‘wanted’. Hilariously enough, however, one of the main ways they accomplish this is by: inserting a haiku into the headers of an email! A recent spam to my account showed the poetic verve of the company:
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE ™
X-Habeas-SWE-4: Copyright 2002 Habeas ™
X-Habeas-SWE-5: Sender Warranted Email (SWE) ™. The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
Well, I don’t know about anyone else, but isn’t it obvious that headers of email can be forged five ways to friday?
So no one should be shocked, SHOCKED, that some spammers have figured out that by including these headers, spam filters can be bypassed. Comic relief, spamku style (thanks Dan Sparvero for the word “spamku”!), is to be found here: http://www.theregister.co.uk/content/55/34969.html