Archive for March, 2007

So long, and thanks for all the phish

My bank sent me an email recently warning of an increase in phishing attacks. Today I heard a director of the bank talk about the attacks on the radio, stating that the fake website targeting their users not only asks for account number, PIN number, password etc but also for the user’s email credentials – and reportedly, users are falling for this!

These credentials are being asked for because the internet banking system sends out a one-time password (OTP) via SMS or email when certain transactions are conducted – so if the attacker can own your inbox as well as your login, they can transfer all your money to an account of their choosing.

However, I disagree with the bank’s advice. The email stated:

Remember, it is safer to type Standard Bank’s web address ( into your browser instead of clicking on a link in an email.

For sure, don’t click on a link in an email to get to your internet banking – but typo-squatters are just waiting for you to mis-type such an important URL and if you got it wrong, would you notice if the site looked just the way you expected it to?

My advice, for all important websites: The first time you go there, type the address – and make very sure you are on the right site. Then bookmark it, and only use the bookmark to get there. This will avoid the risk of spelling it wrong when you are a bit more relaxed and ending up at a fraudulent site.

Even better: Use the petname plugin for Firefox. This will clearly show you if you are visiting the same site (with the same SSL certificate) as you visited before.
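A simplified sketch of the idea behind the petname approach, added here as an example (it is not the plugin's code and not from the original post): the name you gave a site is keyed by its certificate rather than by the spelling of its address, so a mistyped lookalike domain cannot show it. The SHA-256 keying, the `PetnameStore` class, the edit-distance threshold of 2, the `.example` hostnames and the placeholder certificate bytes are all assumptions made for illustration.

```python
import hashlib

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class PetnameStore:
    """Maps a certificate fingerprint (not a hostname) to the user's own name for a site."""
    def __init__(self):
        self._by_fp = {}  # sha256(certificate) -> (petname, hostname)

    def assign(self, petname: str, hostname: str, cert_der: bytes) -> None:
        # Called once, after the user has verified the site on the first visit.
        self._by_fp[hashlib.sha256(cert_der).hexdigest()] = (petname, hostname.lower())

    def check(self, hostname: str, cert_der: bytes):
        """Return (status, petname or None) for the site being visited."""
        hostname = hostname.lower()
        entry = self._by_fp.get(hashlib.sha256(cert_der).hexdigest())
        if entry:
            return ("known", entry[0])            # same certificate as before
        hosts = {host: name for name, host in self._by_fp.values()}
        if hostname in hosts:                      # right name, different certificate
            return ("certificate-changed", hosts[hostname])
        for host, name in hosts.items():           # near-miss spelling of a named site
            if edit_distance(host, hostname) <= 2:
                return ("lookalike", name)
        return ("unknown", None)

# Constructed sample data: placeholder bytes stand in for DER-encoded certificates.
BANK_CERT = b"constructed-certificate-of-the-real-bank"
FAKE_CERT = b"constructed-certificate-of-the-typo-site"

def demo():
    store = PetnameStore()
    store.assign("My Bank", "www.bank.example", BANK_CERT)
    visits = [("www.bank.example", BANK_CERT), ("www.bnak.example", FAKE_CERT),
              ("www.bank.example", FAKE_CERT), ("news.example", b"constructed-other-cert")]
    return [store.check(host, cert) for host, cert in visits]

if __name__ == "__main__":
    print(demo())
```

A legitimate certificate renewal also produces `certificate-changed` in this sketch, so that status means "verify again before trusting", not proof of fraud.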

Linux preloaded – useful out of the box?

First a story, then a point…

Back in 2000 I purchased a handful of Dell servers for Thawte. Since we were going to run Debian on them, I didn’t really care about having anything preloaded, but I opted for RedHat for the joy of switching the boxen on and seeing something boot. (And seeing that everything did work, in some known state…)

I think the servers – 2450s mostly – arrived with RedHat 7 installed if my memory serves me correctly. Given that we ran Debian without X, and admined the machines with ssh (from 12700 km away) I was shocked to encounter servers with not only a GUI installed, but an office suite! And games! On a rackmount server!

Of course, it was simply a desktop installation on a server, and did actually serve to show me that everything was working, so I’m not complaining. It did serve to make me wonder how many people actually run the default install – which IIRC had an insecure version of wu-ftpd installed and running by default in this case…

Fast forward to now, and we have an excellent Ubuntu server edition with no GUI and minimal default packages (and a secure-by-default philosophy) which I’m very happy to recommend for preloading. However, 7 years later, vendors are (still) preloading Linux in ways that cannot possibly be useful to most people.

In South Africa, a large hardware vendor who shall not be named, although they share their name with the largest hot desert in the world, has a special offer on a laptop with “Linux” as the operating system. It took me hours on the phone to get hold of somebody who could tell me what Linux… “The latest, 10.2” they told me… Turns out it is Slackware! (This is not a distro war, I have nothing against Slackware.)

This laptop was first offered a few weeks after I spoke to said hardware vendor about Ubuntu, and they informed me there were too many support issues with Linux compared with Windows, and so they would only offer Linux when they had the same level of support (certified engineers, toll-free numbers…) as Microsoft had provided them with. Blah blah blah, and then they offer a distro which they cannot support as they don’t even know which “10.2” it is…

I cannot imagine what percentage of customers keep Slackware on the machine. Hopefully, some percentage are installing Ubuntu, and not pirate copies of Windows.

My point is this: It is difficult to come up with a default distro setup that a majority of people will use. However, vendors can mess things up waaay further through a lack of understanding of what is available…

Ubuntu preloaded – business factors

I’ve been working alongside Impi Linux with one of South Africa’s major hardware vendors, to get them to offer Ubuntu preloaded on a desktop PC.

This is not a retail situation, but rather for a corporate/government client where a specific hardware model has a long lifetime. In other words, PC models destined for the shopping mall are replaced on the vendor’s price list more frequently because nobody wants last year’s models – but in the corporate market, the customers want a standard model that they can roll out over six months or even a year, without changing the hardware spec.

This is a good scenario for the vendor to try out Ubuntu preloaded, because each model we “certify” has the possibility of a large number of sales in identical configuration.

Mark Shuttleworth wrote in Pre-installing Linux,

First, margins on PC’s are razor-thin.

This is probably the most significant factor in whether this hardware vendor will offer Ubuntu preloaded. A PC with Windows earns them a higher margin than a PC without, so they will need to sell more units to make up the same revenue. It has been pointed out to them that they will be selling more PCs anyway, since the customer(s) do not have to pay for Windows and can therefore spend more on the hardware – however this message has to be “sold” within the organisation for Ubuntu (or the derivative, Impi Linux), to gain acceptance for preloading.

Happy PI Day

As they say in the USA, it’s 3/14 today. Happy PI Day!

(Darn, I intended to post this at 1:59pm…)

Thoughts on Free Software

I’ve had a fascinating exchange of emails recently with a South African software author who has taken his project open source – GPL in fact – and moved his business model to supporting it. Here are some of my thoughts, as provoked by his comments…

I simply do not get excited by Operating systems. It would suit me down to the ground if Microsoft would Open Source Windows and we could end this and just get on with it.

I think very few people should get excited about operating systems. Most people should see it in the same way as when you pick up the telephone – you get dial tone and you can use it.

Usability should ultimately be the most important factor in IT – are you more productive in the actual job you are doing? Or if you threw the computer out the window and used pencil and paper, would you be more productive? (Sometimes I wonder…)

Then, I see usability incorporating freedom. While some would restrict what you may do with their software (“Here’s a hammer. You may knock nails into the wall, but you may not fix your car’s engine with it”…) others go out of their way to ensure certain freedoms, like the Free Software Foundation and Richard Stallman.

We have a choice, ranging from completely proprietary to completely Free Software. The software market is tending toward zero cost and increasing freedom. This applies to the whole software stack – applications, utilities, operating system – oh, and web services too.

In some cases, I think the best approach is to look at IT, application by application, and select which app, proprietary or open or Free, suits their needs. The more usable, the fewer skills required. The lower the cost, the less risk in trying it and the more freedom in an economic sense. The more Free, the less dependency on a particular vendor.

When you have replaced all your desktop applications with Free Software, it almost doesn’t matter what operating system runs beneath – then you can switch from a pure cost perspective.

In other cases, people prefer to evaluate the entire software stack and make a more strategic choice.

The result of all this is an increasing amount of choice. Linux is the poster child of Free Software, but it is by no means the only operating system kernel available on which to run all the rest of the desktop or server environment – there’s FreeBSD and a host of others. Ditto for desktop environment, web server, office suite, web browser, etc.

This diversity is a good thing, and if Windows were open sourced, I for one would cheer – but continue to use Linux. My reasons include the level of technical understanding and control I have over the software, and my perceptions of reliability, security, adaptability etc.

I see Ubuntu as an opportunity – not as a crusade.

Of course. Some do see Free Software and Open Source as a crusade, and to some extent it hurts adoption within business, where the bottom line reigns supreme. (I think these people have made such significant contributions that they are very necessary – but not the best people to “sell” to business…)

I think the “Do what I love, love what I do” thing is very prevalent in Open Source since people can more easily contribute and hence feel some degree of ownership. It can become a fine line between passion and crusading.

I don’t mind erring on the side of crusading, but I certainly see Ubuntu as an opportunity, especially in South Africa and developing countries, for so many people.

Finally my laptop can shut down!

My Sony Vaio S460 has been unable to shut down cleanly with Ubuntu 6.06 or 6.10. Here’s the bug, which seems to affect some small percentage of laptop, desktop and even server users: Bug #43961: Power down after shutdown does not work…

With Feisty Herd 5 installed, it can power off – and hibernate. Finally I don’t have to shut down when the battery runs out – or remember to hold down the power switch to really power off!

Ubuntu 7.04’s due out in April – I can’t wait. If ADSL bandwidth wasn’t so expensive ($10 per GB usage!) I would install now as my primary desktop, and do the daily update thing until release. Perhaps I’ll wait for the beta…

Migrating from Evolution to Thunderbird

I was a die-hard Thunderbird user. Back in the Warty or Hoary days I tried Evolution briefly, but it was too buggy for my taste.

However when I installed Edgy on my notebook I decided to try Evolution out for the calendar and todo list – which until that point I had been keeping only on my Nokia 9500 as it was always on me.

Finally I must admit that I’m not using Evo’s calendar or todo list. Despite the promise of syncing my Nokia E61 to Evolution, I’ve given up on that as it always grinds to a halt after only half my contacts have been copied over. After it duplicated those it had copied I gave up on synchronisation.

So… back to Thunderbird. The mail was easy as my two primary mailboxes are IMAP – but getting the Address Book copied over has been painful.

In summary, Evolution only exports to VCard, and Thunderbird only imports from CSV or LDIF.

Despite the promise of this script, it only extracted the names from Evo, without email addresses, so I tried this method of exporting Evolution’s Address Book to CSV and importing that into Thunderbird:

evolution-addressbook-export --format=csv > contacts.csv

It took some fiddling on the CSV import to get the fields to line up, but it worked – except that none of the contacts have display names now so they look weird in Thunderbird. Somehow the automatic concatenation of first and last names when you are entering a new contact doesn’t work when editing an existing contact…

There is also apparently a two-step process of using KAddressbook (a KDE app) which can import VCard and export LDIF. Perhaps I’ll try this out if editing all the displaynames in Thunderbird proves too painful.

I’ll let Evo’s development catch up for the next year or two and try again…