SMEs really need to have a sense of what computers will do for their enterprise. Why do they have computers, and how do they add to the bottom line of the company? That reasoning then should have impacts with employee job roles and with information technology spends, no matter how small.

If an employee truly only needs to work with a web browser and with a spreadsheet, it is ridiculous to use a Windows machine. Technology choices should then go from there.

Employees will simply learn to copy, whatever the tasks. If Mozilla and OpenOffice are given for tasks, then the employees will cope. Once that is all they use, then if they show up one day and all their data is on a server of some sort (IMAP, shared backed up server, etc.), and they can still run Mozilla and OpenOffice, then there you go.

The “gravy” (media players, chat software, etc.) really can be duplicated for free on linux without incident. Be better, in fact.

This form of thinking can apply to lowering one’s Windows spend as well. There are open source alternatives on Windows, and they should be used as much as possible. Start with OpenOffice, Thunderbird, and Firefox. Gaim if you need chat. MS Access is still handy on Windows — a MySql/OpenOffice emulation is on its way.

The -C flag will tell SSH/SCP to compress stuff. In general I use it
all the time. CPUs are so much faster than networks still so
compression is your friend.

Depending on your platform, using the blowfish cipher should be a little
faster than using the default 3des or aes128 (don’t quote me on the
aes128 claim, they’re both pretty close).

Most people don’t realize, but you can configure all sorts of options on
a global and a per host level in your ~/.ssh/config file. This is nice
because you can force it to use a different port for certain hosts,
different ciphers, not allow password, only forward X for some hosts,
etc.

Here’s a little snippet to drop in your ~/.ssh/config that will make you
use blowfish for your cipher and compress all data going over the
network with GZip at level 6.

Host *
Compression yes
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

I’m actually a little confused about why exactly this works, as the docs
say it is only for SSH1 and not SSH2, but testing a 11 meg text file
(about 20 copies of Huckleberry Finn repeated over and over), with
compression gave me an overall throughput of 90.6K (11 megs in 1 minute,
51 seconds), without compression gave an overall throughput of 32.8K (11
megs in 4:58). Totally non-scientific, but good enough for me to
conclude that it’s doing something, especially considering that my cable
modem says that it’s current upstream rate 384000bps.

At this point, I’ll also throw in a quick plug for using mod_gzip (or
the equivalent) on your servers, especially if hosting them over a cable
modem. For simple HTML you’ll usually get compression rates of about
66% or so. Works great for my server hosted on my cable modem, keeps
the pages zippy. Most clients support this (yes, even IE supports
compression of data).

1. This guy clearly will bounce between operating systems. He mentions “MSYS” (http://www.mingw.org/download.shtml) which also should be in one’s bag of tricks with cygwin.

2. He is willing to consider some old 8086 machines and dot-matrix printers as potential time-saving tools.

3. He mentions the Penguin Sleuthkit, which looks great as a forensic tool. It is incredibly important to use tools which protect the integrity of the scene — there can be no question of tampering with anything. This kit looks like it has the tools one would need to do a rapid look-over.

This came as something of a shock to me. Fedora just doesn’t run very well with 128MB, and barely does with 256MB. Yet, part of my reason for getting involved in the Linux services world is my belief that Linux is an excellent fit for older hardware. In other words, all those dusty computers from two generations ago, those Pentium Ones with 64MB RAM, could still be productive machines today.

Well, maybe so, but not with a recent mainstream distribution. Those distributions will occasionally work with older machines, especially if all you need is a really slow httpd or mysql server, but not (or not really) with a windowing environment. And if you can’t deal with something other than Gnome or KDE, well, forget it.

To figure out what to suggest to clients, I did a search on the state of the art in lighter-weight distributions.

PUPPY LINUX

Over at http://www.goosee.com/puppy/, this developer decided he wanted to take his operating system and his personal files with him in a USB 128MB pen drive. Along the way, he ended up making a fast and functional linux distribution.

It is especially usable for newbies, since it uses the MS Windows ‘clone’ Fvwm95. Much else is nice about it, and there is plenty to explore. It needs to be tested with dialup connections, but that is about it.

FEATHER LINUX

Ever wonder why Klaus Knopper has to put all that stuff into Knoppix? Well, he doesn’t, and never said that he did. You always could roll your own. Can now, too.

Feather Linux is an attempt at removing enough from Knoppix to make a slim and usable Linux distribution. It has only gone through one revision (it is at 0.1 as of 10/2004), but it is one to watch. Try it out at

VECTOR LINUX

Vector Linux is one of the original distributions aimed at older computers. Its installer leaves plenty to be desired, and requires a bit of an enthusiast’s or an expert’s knowledge of how disk drives work; it as well gives some choice as to which windowing environment one wants to use, which will be non-intuitive for most folks. Generally, however, it shows the way to how to build a distribution with lower-end computers in mind.

The Linux Terminal Server Project (LTSP)

Some computers are too old really to do much at all, or for some offices, it doesn’t make sense to maintain applications and settings on a several computers. That’s where LTSP comes in, offering packages which allow you to set up computers to run off a server, without a disk involved. Basically, any program runs only in RAM on a workstation, and therefore most everything (beyond floppy disks) will be stored on the server. This eases application maintenance, backups, and allows companies to clearly set rules on what is allowable to install and what isn’t.

A wonderful use of an old computer — set it to boot from network!

As more companies go the open source route, however, they will have an economic incentive to keep the code clean. For instance, MySql would have a big problem on their hands if something happened to the MySql codebase. RedHat would if Postgresql had a problem. Mandrake if KDE had a problem. Thousands of companies, if Apache, PHP, or Python had a problem.

Fedora and Win2k3 don’t have many because they are relatively new. Fedora for one will certainly have scads, hundreds, and you’ll get hosed if you don’t keep things updated (and as much as possible shut off and/or removed from the system).

One interesting aspect is that many vulns have to do with optional, separable pieces of the distribution. For instance, if OpenSSH has a vuln of a certain version, it will touch Debian, Slackware, RH 9x, Mandrake 9x, etc. etc., but obviously SSH might or might not be used on a system. Same for PHP, which is part of almost all the dists. But only a certain subset of installations use it for anything.

To apply this to RH 9.0: Many RH 9.0 vulns (Xpdf, mutt, sendmail, postgresql, ethereal, etc.) won’t apply, depending on what you’re running. But the idiot factor will be in play; if you install a dist but then don’t remove/turn-off what you’re not using, then you’re in trouble.

(P.S. Nice Response: Who’s guarding the guards? That would be us)

There are several direct and obvious benefits to bootable linux distributions:

• You can have a special-purpose linux dist for a single task
• You can boot up linux on basically any machine, or at least find one that works, and so work in a familiar linux environment wherever you are
• You can try out several distributions, in the spirit of getting more familiar with them
• The bootable media is (almost always) read-only, so it won’t change or get damaged due to user error or playing with configuration settings — just restart and you’re back to where you began — thus, the bootable linux firewall: in the event of a security intrusion, reboot and you’re back to where you were before the intrusion — bad for forensics but good for uptime and recovery

Anyway, here are a few of the up-and-coming ones, well, at least according to Jeff Honnold’s spindle of CDs:

MandrakeMove: this is the bootable CD from Mandrake, that wacky French company which makes one of the best and most user-friendly distributions currently.
PHLAK, a.k.a. Professional Hackers Linux Attack Kit: yes, if you want to set up a bunker and start your intrusion tests as a White Hat security consultant, this is one of the dists you’ll have in your spindle.
MenuetOS: Joe Lazar just mentioned this to me, currently playing with it.
MEPIS: out of Morgantown WV, of all places. Am thinking of making a pilgrimage down there.
Movix: great for playing your media

UPDATE:
Slashdot discusses a review of 18 live CDs; lots to choose from!

X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE ™
X-Habeas-SWE-4: Copyright 2002 Habeas ™
X-Habeas-SWE-5: Sender Warranted Email (SWE) ™. The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.

Well, I don’t know about anyone else, but isn’t it obvious that headers of email can be forged five ways to friday?

So no one should be shocked, SHOCKED, that some spammers have figured out that by including these headers, spam filters can be bypassed. Comic relief, spamku style (thanks Dan Sparvero for the word “spamku”!), is to be found here: http://www.theregister.co.uk/content/55/34969.html