PostgreSQL 9.1 Released
Friday, September 16. 2011
/* Among the many new features, here's a snippet from the News page: */

Advancing the State of the Art
Our community of contributors innovates with cutting-edge features. Version 9.1 includes several which are new to the database industry, such as:

/* The SE-Postgres looks to be particularly interesting. It allows you to use SELinux Mandatory Access Controls on the PostgreSQL users and data. Neat. Particularly the SECURITY LABEL. */

/* Beware, however, that there are some incompatibilities with previous releases! From the 9.1 Release Notes: */

By default, backslashes are now ordinary characters in string literals, not escape characters. This change removes a long-standing incompatibility with the SQL standard. escape_string_warning has produced warnings about this usage for years. E'' strings are the proper way to embed backslash escapes in strings and are unaffected by this change.

/* Also from the Release Notes, it mentions the addition of synchronous replication. */

PostgreSQL streaming replication is asynchronous by default. If the primary server crashes then some transactions that were committed may not have been replicated to the standby server, causing data loss. The amount of data loss is proportional to the replication delay at the time of failover. Synchronous replication offers the ability to confirm that all changes made by a transaction have been transferred to one synchronous standby server. This extends the standard level of durability offered by a transaction commit. This level of protection is referred to as 2-safe replication in computer science theory. When requesting synchronous replication, each commit of a write transaction will wait until confirmation is received that the commit has been written to the transaction log on disk of both the primary and standby server. The only possibility that data can be lost is if both the primary and the standby suffer crashes at the same time. [...]

...it also necessarily increases the response time for the requesting transaction. The minimum wait time is the roundtrip time between primary to standby.

/* There's also a What's New in PostgreSQL 9.1 wiki page that explains many of these new features in detail. */
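To see what the backslash change means for application code, here is a small Python model, added to this page (it is not PostgreSQL's lexer, only a toy scanner for the cases its docstring names). It quotes a value two ways, scans the result under both settings of standard_conforming_strings, and reports any text that ends up outside the literal. The sample name and all function names are constructed for the example.

```python
"""Toy scanner for PostgreSQL single-quoted string literals under both values
of standard_conforming_strings, to show why the 9.1 default change breaks
backslash-style escaping and why doubling quotes ('') is the escape that is
safe either way.  Added illustration, not PostgreSQL's lexer: it models plain
'...' and E'...' literals, '' doubling and the simple backslash escapes, and
ignores octal/hex/Unicode escapes and dollar quoting."""

from typing import Callable, Tuple


class LiteralError(ValueError):
    pass


def scan_literal(sql: str, standard_conforming_strings: bool) -> Tuple[str, str]:
    """Scan one literal at the start of `sql` the way the server would.

    Returns (decoded_value, remaining_sql).  Non-empty remaining_sql is text
    the parser would go on to treat as SQL, i.e. the point where a value that
    escaped its quotes stops being data."""
    escapes_active = not standard_conforming_strings
    i = 0
    if sql[:2] in ("E'", "e'"):
        escapes_active = True          # E'' literals always process backslashes
        i = 2
    elif sql[:1] == "'":
        i = 1
    else:
        raise LiteralError("not a string literal: %r" % sql[:10])

    out = []
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1:i + 2] == "'":   # '' is a literal quote in every mode
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]
        if c == "\\" and escapes_active and i + 1 < len(sql):
            nxt = sql[i + 1]
            # \n, \r, \t map to control characters; any other escaped
            # character (\\, \', \q ...) is taken literally.
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    raise LiteralError("unterminated string literal")


def quote_backslash_style(value: str) -> str:
    """The pre-9.1 habit this release breaks: escape ' and \\ with a backslash."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_literal(value: str) -> str:
    """SQL-standard quoting: double every single quote and leave backslashes
    alone.  Valid under both settings (under the old setting the server
    still interprets backslashes, so values containing them need E'' too)."""
    return "'" + value.replace("'", "''") + "'"


def leaked_sql(value: str, quoter: Callable[[str], str],
               standard_conforming_strings: bool) -> str:
    """Quote `value`, scan the result, and return whatever trailing text the
    server would parse as SQL.  Empty string means the value stayed inside
    the literal."""
    _value, rest = scan_literal(quoter(value), standard_conforming_strings)
    return rest


if __name__ == "__main__":
    name = "O'Brien"                     # constructed input with an apostrophe
    for setting in (False, True):
        print("standard_conforming_strings =", "on" if setting else "off")
        print("  backslash style ->", repr(leaked_sql(name, quote_backslash_style, setting)))
        print("  quote_literal   ->", repr(leaked_sql(name, quote_literal, setting)))
```

With the old setting, `'O\'Brien'` decodes cleanly; with the 9.1 default the backslash is just a character, the literal ends at the apostrophe, and `Brien'` is handed to the parser as SQL. Doubled quotes decode identically under both settings, which is why the release notes point at `''` (and E'' for genuine backslash escapes) rather than at the escape_string_warning.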
Posted by TJE in Database, Linux, Operating Systems, PostgreSQL, Programming, RBAC/MAC, SQL, Systems Security, Tools at 22:40
How Linux mastered Wall Street
Tuesday, August 16. 2011
When it comes to the fast-moving business of trading stocks, bonds and derivatives, the world's financial exchanges are finding an ally in Linux, at least according to one Linux kernel developer working in that industry. ... As an alternative to traditional Unix, Linux has become a dominant player in finance, thanks to the operating-system kernel's ability to pass messages very quickly, Lameter said in an interview with IDG. In fact, the emerging field of high-frequency trading (HFT) would not be possible without the open-source operating system, he argued. Lameter himself was hired as a consultant by one exchange -- he won't say which one -- based on his work in assembling large-scale Linux clusters.

/* An interesting read regarding the use of Linux in high-frequency trading applications. */

Tunneling nmap through Tor
Thursday, July 28. 2011
I looked at how to reduce your exposure using Tor earlier in the week. We installed Tor and Privoxy and configured our system to browse the Internet anonymously. We can use Tor and another great program called proxychains to Torify our network scans with nmap.

/* I checked this out and it seems to work well. Other than the fact that Tor doesn't seem to carry UDP traffic (other than DNS) or ICMP traffic, you're limited to TCP traffic alone, which isn't too much of a limitation. It is a little slow getting your scan results back - especially if you don't pass -p<port1>,<port2> to nmap(1), but it's certainly more secure than just trying to use an open proxy server out on the 'net. All in all, a neat trick. */
Posted by TJE in Articles, Cryptography/Privacy, Networking, Network Security, News, Operating Systems, Routing, Software, Technology, Tools, Unix at 12:11
Ubuntu SecurityTeam/Roadmap/KernelHardening
Tuesday, April 5. 2011
There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Ubuntu, and Linux in general. They have been controversial, so this page attempts to describe them, including their controversy and discussion over the years, so as much information is available to make an educated decision about potential implementations.

/* This page describes various means of securing the Linux kernel on Ubuntu Linux systems. This includes symlink protection; ptrace protection; and NX emulation, among others. */

Linux Software RAID 1 Setup
Sunday, October 31. 2010
/* This is the article I used in creating my 2-device (2 x 250 GB SATA) RAID1 in my desktop. The documentation is fairly straightforward and easy to follow. One thing this article assumes is that you're going to boot off a soft-RAID. This was not the case in my scenario; I just wanted a redundant storage slice. Now, to enable crypto on the slice. */

RIM Buys QNX to Tie Phones to Cars
Sunday, April 25. 2010
Research in Motion said Friday (04/09/2010) that it had signed a deal with Harman International to acquire its QNX Software Systems unit to help tie its BlackBerry smartphones to car navigation systems. Terms of the deal were not announced. It is expected to close within 30 to 45 days if it passes regulatory approvals. ... QNX designs a real-time embedded OS, that it has tied to ARM, MIPS, PowerPC and other processors and embedded designs. "The car is going to become the first-class citizen of the cloud, where inside the car you're going to have access to all the connected media, all the social services that are out there, and it will truly revolutionize the driving experience, the experience of the automotive makers making those cars, the ecosystem of people that are going to make applications for those cars," said Dan Dodge, the chief executive of QNX, in a recent video made with Alcatel-Lucent to retrofit a Toyota car with a cloud-connected entertainment system networked via the wireless LTE standard. "It's probably one of the most exciting times in automotive history."

/* I wouldn't have named QNX as the software to buy if you're looking to get into car navigation systems, but they're certainly a good choice. I've used QNX here and there, but it's been quite a few years back. The software was always really neat looking (Photon is a beautiful GUI), was blazing fast, tiny footprint, and as stable as anything I've ever encountered. For those unfamiliar, QNX is a Real-Time Operating System (RTOS) that's a perfect example of a microkernel architecture. */
Posted by TJE in Articles, Microkernels, News, Operating Systems, Software, Technology, Unix at 00:02
Google Switching to ext4
Thursday, January 14. 2010
Google is currently in the middle of upgrading from ext2 to a more up to date file system. We ended up choosing ext4. This thread touches upon many of the issues we wrestled with, so I thought it would be interesting to share. We should be sending out more details soon.

/* I caught this story on Slashdot today. The link to the mailing-list post is very sparse on details. Actually, it provides no details whatsoever. I find it odd that Google would be using ext2, as opposed to ext3. I would have figured that the journaling would more than outweigh the small performance hit. */

For our workloads we saw ext4 and xfs as "close enough" in performance in the areas we cared about. The fact that we had a much smoother upgrade path with ext4 clinched the deal. The only upgrade option we have is online. ext4 is already moving the bottleneck away from the storage stack for some of our most intensive applications.

/* I find it odd that XFS and ext4 are "close enough" in performance. I've been a long-time fan of XFS; been using it since it was a patch available at oss.sgi.com for early 2.4.x kernels. XFS, while having many excellent features in the way of integrity, managing large files, etc., has always been significantly slower than the ext[23] filesystems. So, either XFS has made huge strides in performance, or ext4 is considerably slower than ext3. */

40 Years Since the Epoch
Friday, January 1. 2010

/* It's hard to believe, but it's been 40 years since the Unix epoch. Calling time(2) returns the number of seconds since the epoch, January 1, 1970. As of 00:00:00 January 1st, 2010, it has been 1,261,440,000 seconds since "the beginning of time." */

TSA Withdraws Subpoenas Against Bloggers
Friday, January 1. 2010
In the wake of public outcry against the Transportation Security Administration for serving civil subpoenas on two bloggers, the government agency has canceled the legal action and apologized for the strong-arm tactics agents used. Travel writer and photographer Steven Frischling, who was served with a subpoena by two TSA agents on Tuesday, told Threat Level that he received a phone call Thursday evening from John Drennan, deputy chief counsel for enforcement at TSA, telling him the administration was withdrawing its subpoena.

/* "Strong-arm tactics;" couldn't have said it better myself. I'm glad to hear that, given the publicity, they decided that they didn't want the negative PR and would do The Right Thing(tm). If only every case of over-reaching abuse of power could get this level of publicity. Sadly, people's privacy rights are trampled nearly every day, it just doesn't get the press that this case did. In case you missed it, Slashdot linked to an article on the New York Times regarding the TSA subpoenas entitled "TSA Subpoenas Bloggers, Demands Names of Sources". You may want to read it first to familiarize yourself with the issue before reading the article about the TSA withdrawing the subpoenas. */

... A second blogger who was also served a subpoena on Tuesday, Christopher Elliott, was also told his subpoena was being withdrawn. Elliott had refused to cooperate with the agent who served him the subpoena and had indicated to the TSA that he would be challenging the subpoena in federal court next week.

... Frischling said the two agents who visited him arrived around 7 p.m. Tuesday, were armed and threatened him with a criminal search warrant if he didn't provide the name of his source. They also indicated they could get him designated a security risk, which would make it difficult for him to travel and do his job. "They came to the door and immediately were asking, 'Who gave you this document?, Why did you publish the document?' and 'I don't think you know how much trouble you're in.' It was very much a hardball tactic," he told Threat Level.

/* So much for the First Amendment which includes freedom of the press. Granted, he was not obligated under any law to turn over the name(s) of his source(s), but they made it clear that if he did not cooperate, they would make his life unnecessarily difficult. */

The agents searched through Frischling's BlackBerry and iPhone and questioned him about a number of phone numbers and messages in the devices. The agents then tried to image his hard drive, but were unable to do so.

/* There goes the Fourth Amendment, as well. The Fourth Amendment states, and I quote: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, ..." */

/* I have the utmost respect for those who protect us from would-be attackers; I just feel that they go about it in the wrong way and overstep their boundaries. The TSA, CIA, NSA, FBI, and ATF have to be right every single time; while an attacker only needs to be right 1 time to be effective. That certainly makes the job of those who protect us very difficult. "An ounce of prevention is worth a pound of cure" is most certainly true; but it also doesn't make sense to use a cannon to kill a mosquito. If I were to be traveling, I would use the internet to transfer all files to before heading to the airport, and use strong encryption on my hard drive. That way, I am not entering the airport with any data on my computer, and anything left on the hard drive for the operating system and applications would be inaccessible due to the strong encryption. Unfortunately, if they cannot access the data easily, I believe the TSA has the ability (but I don't think the right) to confiscate your laptop indefinitely. If it takes them a thousand years to break your encryption and search your data - only to find nothing of use - you may never get your equipment back. Might I recommend GPG (for files) and the Linux cryptoloop driver (for file-systems - I recommend at least AES-256, if not AES-384, AES-512, or Twofish - all of which available in the Linux kernel)? It appears that FreeBSD also supports encrypted partitions. A Google search reveals several options for protecting your privacy on Windows; one appears to be a feature built into Windows XP, though I'm not sure I'd trust it to be free of back-doors. If you're looking for free, you might look into TrueCrypt. DISCLAIMER: I've never used TrueCrypt myself, so I cannot comment on its features. */

IBM: UNIX to Linux Migration Rate Growing
Friday, August 21. 2009
/* Skipping a few paragraphs to get to the meat of the article... */

Inna Kuznetsova, Director, Linux Strategy, led the meeting attended by IT analysts and painted a telling picture of what IBM's Linux business has been in recent months: in short, strong and growing. To give an idea of this strength, Kuznetsova reported that in the past three years, over 1,800 customers have migrated from competitive platforms to IBM, and nearly 50 percent of those IBM wins included Linux. IBM is also picking up a lot of business from Sun, having doubled their number of Sun customer wins between first quarter and second quarter 2009. Kuznetsova attributed these recent moves to customer uncertainty regarding Sun following the recent takeover bid from Oracle.

DOJ Approves $7.4B Oracle-Sun Deal
Friday, August 21. 2009
Oracle on Thursday said the U.S. Department of Justice (DOJ) has approved its $7.4 billion acquisition of Sun Microsystems, although the deal is subject to certain conditions and still needs the blessing of European regulators. Oracle first announced its bid in April and Sun shareholders approved the acquisition on July 16. The combined company will give Oracle an array of new assets, including a stake in the computer hardware market, the open-source MySQL database and stewardship of the Java programming language.

/* Oracle will undoubtedly cut a large portion of lesser-performing sectors of the company. I'm afraid that this might be the death-knell for SPARC-based processors; including the Niagara and UltraSPARC T-2. Sun certainly has it right with these processors; they boast very low power consumption and up to 64-way SMT on 8 cores per chip. Compare that to your 4-way SMT AMD64 Phenoms and the like. I don't foresee [Open]Solaris going anywhere anytime soon. Solaris has long been the platform of choice for large Oracle installations, and I see the Solaris+Java combination as being the crown jewels to Oracle. Oracle has embraced open-source to a pretty fair degree thus far, so I see no reason that they would try to close OpenSolaris or anything similar. I could honestly not care less what becomes of MySQL. It's been a sub-standard RDBMS from the very get-go. PostgreSQL serves just fine for single-database solutions; and I'd recommend Oracle RAC for clustered/multi-master replication scenarios. */
Posted by TJE in Database, MySQL, News, Operating Systems, Oracle, PostgreSQL, Solaris, Technology, Unix at 08:48
London Stock Exchange to Abandon Failed Windows Platform
Friday, July 3. 2009
Anyone who was ever fool enough to believe that Microsoft software was good enough to be used for a mission-critical operation had their face slapped this September when the LSE (London Stock Exchange)'s Windows-based TradElect system brought the market to a standstill for almost an entire day. While the LSE denied that the collapse was TradElect's fault, they also refused to explain what the problem really was. Sources at the LSE tell me to this day that the problem was with TradElect.

/* Whoever Microsoft sent to sell this idea to the LSE could, undoubtedly, sell ice cubes to Eskimos. Foolish, indeed. */

Since then, the CEO that brought TradElect to the LSE, Clara Furse, has left without saying why she was leaving. Sources in the City -- London's equivalent of New York City's Wall Street -- tell me that TradElect's failure was the final straw for her tenure. The new CEO, Xavier Rolet, is reported to have immediately decided to put an end to TradElect.

/* The article goes on to describe the system's shortcomings and compare it to their competitor, a Linux-based solution. Someone commented that the system should have been based on OpenVMS due to its stability and availability; and I can't argue. When it's mission-critical, it doesn't have to be Linux, it just can't be Windows. Simple as that. */

Spacewalk: Free & Open Source Systems Management
Monday, June 23. 2008
Spacewalk is an open source (GPLv2) Linux systems management solution. It is the upstream community project from which the Red Hat Network Satellite product is derived. Spacewalk is an open source (GPLv2) Linux systems management solution that allows you to:

/* This is a beautiful management system! It's what RedHat used to sell as their RHN Satellite service. I've had the opportunity to work with it in the past, while it was still a commercial-only product. Not only does this system allow you to register all your hosts, and group in any fashion (by function, by OS version, by hardware type, etc), but it also keeps local caches of the packages for those systems. Instead of having to hit a busy ftp mirror every time you upgrade packages, it will hit the site once per package, and then distribute downstream from master to slave; somewhat like a tiered web proxy approach. In terms of how happy I am to see this product become open source, I'd put it at an 8/10 or 8.5/10. This is truly a nice product. The only downside I can think of is the fact that you're _required_ to use an Oracle backend. But with the Oracle Express product being free, it should still be a no-cost setup. */

Mac OS X Root Escalation Through AppleScript
Thursday, June 19. 2008
/* Unfortunately, this is one of those root exploits that's so simple, you don't even need a canned 'sploit to hit. This is one you can write off the top of your head. Ouch! */

Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript:

    osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not.

/* This does, however, require physical access to the box. I've found that you can generally crack anything you have physical access to. */

Miscellaneous Microsoft Docs
Wednesday, June 18. 2008

/* Occasionally I come across some Microsoft articles that are of use to myself or those I know. I've gathered a list of Windows Server 2K3 and IIS 6.0 commands and tools that will help in automating processes.
   How to Restart IIS
   Additional Resources for the IIS 6.0 Metabase
   Command-Line Tools Included in IIS
   Using Command-Line Administration Scripts
   Starting and Stopping Services (IIS 6.0) */

Wine 1.0 Released
Wednesday, June 18. 2008
It took them 15 years. During those years, the project grew from something that didn't work, to something that sometimes under special circumstances could maybe perhaps work, to something that sometimes just worked, all the way to something that works in a number of pre-defined cases. You won't believe it, but Wine 1.0 is here.

/* I don't believe it! I haven't used Wine in quite some time (when I was unable to get PartyPoker to work through it!), I'm hoping this 1.0 release will stabilize a lot of the bugs I'd seen previously. I mean, how hard is it to emulate a broken OS? Logic would dictate that you handle X this way, but no, it has to be Windows-compatible, so you take the wrong way. Their developers must be extreme masochists. Check out the Application Compatibility List at AppDB. */

Linux Weather Forecast
Sunday, June 15. 2008
Welcome to the Linux Weather Forecast. This page is an attempt to track ongoing developments in the Linux development community that have a good chance of appearing in a mainline kernel and/or major distros sometime in the near future. Your "chief meteorologist" is Jonathan Corbet, Executive Editor at LWN.net. If you have suggestions on improving the forecast (and particularly if you have a project or patchset that you think should be tracked), please add your comments to the Discussion page. There's a blog that reports on the main changes to the forecast. You can view it directly or use a feed reader to subscribe to the blog feed. You can also subscribe directly to the changes feed for this page to see all forecast edits.

/* This site is pretty neat. It tracks major features and enhancements to the kernel as they are merged and tested. */

Anatomy of Linux Journaling File Systems
Sunday, June 15. 2008
In recent history, journaling file systems were viewed as an oddity and thought of primarily in terms of research. But today, a journaling file system (ext3) is the default in Linux. Discover the ideas behind journaling file systems, and learn how they provide better integrity in the face of a power failure or system crash. Learn about the various journaling file systems in use today, and peek into the next generation of journaling file systems.

You can define journaling file systems in many ways, but let's get right to the point. Journaling file systems are for people who tire of watching the boot-time fsck, or file system consistency check process. (Journaling file systems are also for anyone who likes the idea of a fault-resilient file system.) When a system using a traditional, non-journaling file system is improperly shut down, the operating system detects this and performs a consistency check using the fsck utility. This utility scans the file system (which can take a considerable amount of time) and fixes any issues that can be safely corrected. In some cases, the file system can be in such bad shape that the operating system boots into single user mode to allow the user to further the repair process.

/* It is due to a lack of a journal that Windows must be cleanly shut down or else you risk damaging your file-systems. */

So, now you know for whom journaling file systems were created, but how do they obviate the need for fsck? In general, journaling file systems avoid file system corruption by maintaining a journal. The journal is a special file that logs the changes destined for the file system in a circular buffer. At periodic intervals, the journal is committed to the file system. If a crash occurs, the journal can be used as a checkpoint to recover unsaved information and avoid corrupting file system metadata.

To sum up, journaling file systems are fault-resilient file systems that use a journal to log changes before they're committed to the file system to avoid metadata corruption. But like many Linux solutions, more than one option is available to you. Let's take a short walk through journaling file system history, and then review the file systems available and how they differ.

/* As usual, this is another excellent entry on IBM's DeveloperWorks. With my interest in file-system development, this was quite a worthwhile read. The article also links to many other "Anatomy of..." articles, including all DeveloperWorks articles by M. Tim Jones: */
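To make the log / commit / checkpoint / replay cycle the article describes concrete, here is a toy write-ahead journal in Python. It is an added illustration, not code from the DeveloperWorks article or from any real file system; the block numbers, record layout, checksum and crash scenario are all constructed for the example.

```python
"""Miniature write-ahead journal demonstrating the recovery property
described above: metadata writes are logged as a transaction, made durable
by a commit record, checkpointed into the main area, and replayed after a
crash.  A transaction with no commit record is discarded instead of being
half-applied.  Added illustration, not the code of any real file system:
the "disk" is a dict of block number -> bytes and the journal is a list."""

import hashlib
import json
from typing import Dict, List, Tuple

Write = Tuple[int, bytes]          # (block number, new contents)


class Disk:
    """In-memory block device: `blocks` is the main file-system area and
    `journal` the log area (the article's circular buffer, modelled as an
    append-only list that is trimmed when transactions retire)."""

    def __init__(self) -> None:
        self.blocks: Dict[int, bytes] = {}
        self.journal: List[dict] = []


def _checksum(txid: int, writes: List[Write]) -> str:
    """Checksum over the transaction id and its data records; stored in the
    commit record so a torn or stale commit record is not trusted."""
    payload = json.dumps([txid, [[blk, data.hex()] for blk, data in writes]])
    return hashlib.sha256(payload.encode()).hexdigest()


def log_transaction(disk: Disk, txid: int, writes: List[Write], commit: bool = True) -> None:
    """Append the data records for one transaction, then (unless the crash hit
    first, modelled by commit=False) the commit record that makes it durable."""
    for blk, data in writes:
        disk.journal.append({"tx": txid, "kind": "data", "block": blk, "data": data.hex()})
    if commit:
        disk.journal.append({"tx": txid, "kind": "commit", "sum": _checksum(txid, writes)})


def _journaled_writes(disk: Disk, txid: int) -> List[Write]:
    return [(r["block"], bytes.fromhex(r["data"]))
            for r in disk.journal if r["tx"] == txid and r["kind"] == "data"]


def _is_committed(disk: Disk, txid: int) -> bool:
    commits = [r for r in disk.journal if r["tx"] == txid and r["kind"] == "commit"]
    return bool(commits) and commits[-1]["sum"] == _checksum(txid, _journaled_writes(disk, txid))


def checkpoint(disk: Disk, txid: int) -> None:
    """Copy a committed transaction into the main area and retire its journal
    records.  A real file system does this at periodic intervals."""
    if not _is_committed(disk, txid):
        raise ValueError("transaction %d has no valid commit record" % txid)
    for blk, data in _journaled_writes(disk, txid):
        disk.blocks[blk] = data
    disk.journal = [r for r in disk.journal if r["tx"] != txid]


def recover(disk: Disk) -> Dict[str, List[int]]:
    """Mount-time replay after an unclean shutdown: this is the work that
    replaces a full fsck scan.  Committed transactions still in the journal
    are checkpointed; uncommitted ones are dropped."""
    replayed, discarded = [], []
    for txid in sorted({r["tx"] for r in disk.journal}):
        if _is_committed(disk, txid):
            checkpoint(disk, txid)
            replayed.append(txid)
        else:
            discarded.append(txid)
    disk.journal = []
    return {"replayed": replayed, "discarded": discarded}


def crash_scenario() -> Tuple[Dict[int, bytes], Dict[str, List[int]]]:
    """Constructed sequence: tx 1 is fully checkpointed, tx 2 is committed but
    not yet checkpointed when power fails, tx 3 is cut off before its commit
    record.  Returns the main area after recovery and the recovery report."""
    disk = Disk()
    log_transaction(disk, 1, [(10, b"inode-a v1"), (11, b"dir v1")])
    checkpoint(disk, 1)
    log_transaction(disk, 2, [(10, b"inode-a v2"), (12, b"bitmap v2")])
    log_transaction(disk, 3, [(11, b"dir v3"), (13, b"inode-b v3")], commit=False)
    # --- power failure here; the next mount runs recover() ---
    report = recover(disk)
    return disk.blocks, report


if __name__ == "__main__":
    blocks, report = crash_scenario()
    print(report)                      # {'replayed': [2], 'discarded': [3]}
    print({b: blocks[b].decode() for b in sorted(blocks)})
```

The point to take from the scenario is that the main area is never left with half of transaction 3: block 11 keeps "dir v1" and block 13 is never written, while transaction 2, which had its commit record on disk, is completed by the replay. Real journals (ext3's jbd included) add sequence numbers and wrap the log area, but the ordering rule, data records then commit record then checkpoint, is the same.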
Posted by TJE in Articles, Design, File Systems, IBM DeveloperWorks, Linux, News, Operating Systems, Unix, VM System at 18:23
BackTrack Linux
Monday, June 2. 2008
BackTrack is the most top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes. It's evolved from the merge of the two widespread distributions - Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack has gained massive popularity and was voted in 2006 as the #1 Security Live Distribution by insecure.org. Security professionals as well as newcomers are using BackTrack as their favorite toolset all over the globe. ... Because Metasploit is one of the key tools for most analysts it is tightly integrated into BackTrack and both projects collaborate together to always provide an on-the-edge implementation of Metasploit within the BackTrack CD-Rom images or the upcoming remote-exploit.org distributed and maintained virtualization images (like VMWare images appliances). Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals. This structure allows even newcomers to find the related tools to a certain task to be accomplished. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up-to-date.

/* This live-CD Linux distribution truly has every tool you could imagine using for a security audit. There are 24 information gathering tools; 21 network mapping tools; 65 vulnerability identification tools; 11 penetration tools; 48 privilege escalation tools; 15 backdoors; a log cleaner; 29 wireless analysis tools; 7 VoIP analysis tools; 13 digital forensics tools; 7 reverse engineering tools; and the Snort IDS. Quite a collection! The live-CD boots to a KDE desktop, with support for various ethernet NICs and wireless cards both natively and through ndiswrapper. The website even includes screenshots. The current version is 141207 (12/14/2007 - Beta 3). MD5 checksums are available on the download page. */
Posted by TJE in IDS/IPS, Linux, Networking, Network Security, Operating Systems, Sniffers, Tools, Unix at 20:23
Anatomy of Security-Enhanced Linux
Saturday, May 31. 2008
Linux has been described as one of the most secure operating systems available, but the National Security Agency (NSA) has taken Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof. If you're running a 2.6 kernel today, you might be surprised to know that you're using SELinux right now! This article explores the ideas behind SELinux and how it's implemented.

/* As expected, another great article from IBM's DeveloperWorks. I read and post so many of these, I've decided to create a category for them! */
Posted by TJE in Articles, IBM DeveloperWorks, Linux, News, Operating Systems, RBAC/MAC, Systems Security, Unix at 18:29
Interesting Bit of iptables(8) Hackery
Thursday, May 22. 2008

/*
A while back, I set up a transparent Squid proxy at my border to limit my exposure to "drive-by downloads." It's a pretty standard setup; Squid running on the gateway/firewall, and iptables configured to route all tcp/80 traffic back into itself on port 3128. An unfortunate side effect of this is that tcptraceroute breaks. As port 80 is the default port that tcptraceroute uses (as the destination port), you end up with a traceroute that looks something like this:

    (root@desktop1) ~# tcptraceroute www.ebay.com
    Selected device eth0, address 172.25.X.XXX, port 39068 for outgoing packets
    Tracing the path to www.ebay.com (66.135.200.145) on TCP port 80 (www), 30 hops max
     1  hp-core.ebay.com (66.135.200.145) [open]  0.558 ms  0.384 ms  0.315 ms

I can assure you, I'm not 1 hop off from www.ebay.com. Since iptables is mangling the packet at the very first hop, my gateway/firewall, I'm receiving the SYN-ACK from that first hop. Keep in mind, tcptraceroute will use any destination port you specify, but the default is port 80 since it's usually allowed through most firewalls, and often open.

Given that the default TTL of a Linux-based computer is 64, I can use the TTL match in iptables to selectively capture what tcp/80 traffic goes to the proxy and what does not. Consider the following rule:

    iptables -t nat -A PREROUTING -i $IF_INT -p tcp --dport 80 \
        -j DNAT --to-destination 172.25.X.XXX:3128

This is the rule that routes all outbound traffic, originating on the internal network, to the Squid proxy. Now if we change that rule to match only packets with a TTL larger than, say, 48, we end up with the following:

    iptables -t nat -A PREROUTING -m ttl --ttl-gt 48 -i $IF_INT -p tcp --dport 80 \
        -j DNAT --to-destination 172.25.X.XXX:3128

With this rule in place, a tcptraceroute headed for www.ebay.com on tcp/80 looks more like the following:

    (root@desktop1) ~# tcptraceroute -f6 www.ebay.com
    Selected device eth0, address 172.25.X.XXX, port 57684 for outgoing packets
    Tracing the path to www.ebay.com (66.135.200.145) on TCP port 80 (www), 30 hops max
     6  so-1-2-0.gar2.chi1.bbnplanet.net (4.79.74.1)  76.668 ms  23.024 ms  30.840 ms
     7  ae-31-55.ebr1.Chicago1.Level3.net (4.68.101.158)  57.014 ms  34.438 ms  36.097 ms
     8  ae-68.ebr3.Chicago1.Level3.net (4.69.134.58)  25.716 ms  22.857 ms  32.941 ms
     9  ae-3.ebr2.Denver1.Level3.net (4.69.132.61)  84.660 ms  49.091 ms  40.722 ms
    10  ae-1-100.ebr1.Denver1.Level3.net (4.69.132.37)  79.996 ms  52.921 ms  52.897 ms
    11  ae-3.ebr2.SanJose1.Level3.net (4.69.132.57)  71.323 ms  70.999 ms  71.651 ms
    12  ae-82-82.csw3.SanJose1.Level3.net (4.69.134.218)  66.468 ms  70.863 ms  72.099 ms
    13  ae-32-89.car2.SanJose1.Level3.net (4.68.18.132)  65.688 ms  62.794 ms  59.597 ms
    14  EBAY-INC.car2.SanJose1.Level3.net (166.90.140.134)  60.576 ms  65.507 ms  58.566 ms
    15  10.6.1.158  71.070 ms  59.413 ms  59.670 ms
    16  10.6.1.146  61.397 ms  88.846 ms  68.280 ms
    17  hp-core.ebay.com (66.135.200.145) [open]  84.341 ms  59.523 ms  62.286 ms

Now that looks a little more reasonable. Given that I'm 1 hop off from the gateway/firewall, and Linux uses a default TTL of 64, all of my packets generated by, say, Firefox, will come into $IF_INT with a TTL of 64. With 64 > 48, the DNAT rule matches, and the request gets routed through the Squid. As tcptraceroute works like any other traceroute tool, only using TCP SYN packets, the first packet will only have a TTL of 1. With 1 < 48, it does not match the DNAT rule, and passes through unchanged. The second packet will have a TTL of 2, with 2 < 48, and so on. As almost all destinations on the internet are reachable in 30 hops or less, this guarantees that my browser-generated requests are proxied, while my diagnostic requests are passed through unchanged.

You can view/change your default TTL as such:

    (root@desktop1) ~# cat /proc/sys/net/ipv4/ip_default_ttl
    64

Needless to say, the IP addresses have been changed to protect the innocent. ;) */
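Here is a Python model of the TTL-qualified rule, added as an example and not part of the post above: it evaluates the same four matches (ingress interface, protocol, destination port, TTL) against constructed packets and walks the TTL sequence tcptraceroute sends, so you can see exactly which probes the proxy would swallow. The interface name `eth1` is an assumption; the proxy address keeps the post's placeholder.

```python
"""Model of the TTL-qualified DNAT rule from the post, showing which packets a
transparent Squid proxy intercepts and which pass untouched.  Added example,
not the blog's code: the rule is reduced to the fields it actually tests."""

from dataclasses import dataclass
from typing import List, Optional

IF_INT = "eth1"                  # assumed name of the internal interface ($IF_INT)
PROXY = "172.25.X.XXX:3128"      # placeholder address, as in the post
TTL_THRESHOLD = 48               # -m ttl --ttl-gt 48
LINUX_DEFAULT_TTL = 64           # /proc/sys/net/ipv4/ip_default_ttl


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dport: int
    ttl: int


def nat_prerouting(pkt: Packet) -> Optional[str]:
    """Evaluate the rule
        -A PREROUTING -m ttl --ttl-gt 48 -i $IF_INT -p tcp --dport 80
            -j DNAT --to-destination 172.25.X.XXX:3128
    Returns the DNAT target when every match succeeds, else None (the packet
    is routed unchanged)."""
    if pkt.in_iface != IF_INT:
        return None
    if pkt.proto != "tcp" or pkt.dport != 80:
        return None
    if not pkt.ttl > TTL_THRESHOLD:
        return None
    return PROXY


def browser_request(dport: int = 80) -> Optional[str]:
    """A normal Firefox connection from a Linux host on the LAN: TTL 64."""
    return nat_prerouting(Packet(IF_INT, "tcp", dport, LINUX_DEFAULT_TTL))


def tcptraceroute_probes(max_hops: int = 30, dport: int = 80) -> List[Optional[str]]:
    """tcptraceroute sends SYNs with TTL 1, 2, ..., max_hops.  Returns the NAT
    verdict for each probe, in order."""
    return [nat_prerouting(Packet(IF_INT, "tcp", dport, ttl))
            for ttl in range(1, max_hops + 1)]


def first_intercepted_hop(max_hops: int = 255, dport: int = 80) -> Optional[int]:
    """The probe TTL at which the rule starts hijacking the trace.  With
    --ttl-gt 48 that is hop 49: anything farther than 48 hops cannot be
    traced through this gateway on port 80, which is the trade-off the post
    accepts."""
    for ttl, verdict in enumerate(tcptraceroute_probes(max_hops, dport), start=1):
        if verdict is not None:
            return ttl
    return None


if __name__ == "__main__":
    print("browser tcp/80 :", browser_request())
    print("browser tcp/443:", browser_request(443))
    print("probes 1..30   :", set(tcptraceroute_probes(30)))
    print("first hijacked :", first_intercepted_hop())
```

One caveat worth keeping in mind: the exemption keys only on TTL, so any host on the LAN whose packets arrive with a TTL of 48 or less is never proxied (the post itself shows that ip_default_ttl is a tunable). That makes the rule a diagnostic convenience rather than a security control; if the proxy is what stands between the LAN and drive-by downloads, narrow the exemption to the administrator's workstation with a source-address match (`-s`) and pair the NAT rule with a filter rule that drops other direct tcp/80 egress.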
Posted by TJE in Firewall, Linux, Malware, Networking, Network Security, News, Operating Systems, Routing, Site News, Spyware, Unix, Vulnerabilities at 16:59
XNU: The Kernel
Wednesday, April 9. 2008
/* A great list of the features and subsystems in MacOS/X and their heritage. It lists all of the sections taken from the BSD world, and the others from the Mach 3.0 world. Very interesting! */

Microsoft Windows XP Dies June 30, as Planned
Friday, April 4. 2008
Microsoft will shutter its Windows XP line June 30, as planned, ceasing sales of Windows XP Professional and Windows XP Home to retailers and direct OEMs, Microsoft confirmed to eWEEK April 3. The statement from Redmond executives ends weeks of speculation that Microsoft would extend the life of the operating system as users turn up their nose at Vista, the operating system meant to supplant XP, and OEMs argue lighter versions of desktops and notebooks don't have the juice to run Vista.

/* This is a perfect time for someone (Linux, Apple, etc)... anyone... to really start chipping away at their desktop monopoly. I don't care who it is; choose your own OS, but someone is facing a very lucrative opportunity to snatch up a good chunk of the desktop market. eWeek is also carrying an opinion piece entitled "Windows is Caught Between Mac and Linux". Both articles are worth a read. */

How to Win with OpenBSD
Tuesday, April 1. 2008
/* This is a reply to a post on the OpenBSD misc@ mailing list regarding how to "sell" OpenBSD to the management people in your company. While most of this is aimed at OpenBSD directly, some of these selling points apply to other open source technologies. */

SELinux in Ubuntu 8.04 "Hardy Heron"
Monday, March 24. 2008
I'm really happy to announce that SELinux is now available in Ubuntu 8.04 "Hardy Heron". This is the result of the amazing work of the ubuntu-security and ubuntu-hardened teams, as well as the huge contributions from the folks at Tresys. (note: SELinux will not be the default, but is available as a security option.)

/* I'm really happy to read that SELinux is now available in Ubuntu 8.04! It is mutually exclusive with AppArmor, but this now gives us two options for Mandatory Access Control. */