Chad Perrin: SOB

3 April 2007

article: Take a tangible step toward sustainable software development with TortoiseSVN

Filed under: Geek,Profession — apotheon @ 03:23

I now post notices when articles I’ve written are published online. This is meant in part as a service to any of my readers who might be interested in the subject matter — if you’re reading what I write, you might want to read more of it. Today, the following article was published:

Take a tangible step toward sustainable software development with TortoiseSVN

This article is also available as a PDF download.

published by: TechRepublic

Takeaway: If you are not familiar with Subversion, or think it is not a Windows tool and cannot be used for development on Microsoft Windows, this is your introduction to TortoiseSVN, the Windows client for Subversion.

Other articles published online are listed and linked at my Online Publication Credits page.

Disclaimer: I do not exercise final editorial control over TechRepublic articles. They pay someone else to do that.

the decay of the Debian distribution

Filed under: Geek — apotheon @ 02:30

For quite some time, my OS of choice was Debian GNU/Linux. I had found my way to it by a winding path through several other Linux distributions, thanks in part to some guidance from friends (thanks, Ratha and Joseph — did I forget anyone?). I loved quite a lot about Debian, including (but not limited to):

  • Stability: Debian was by far the most stable Linux distribution I’d yet encountered. Even though I used the so-called “testing” release almost exclusively, it was more stable in operation than the stable releases of every other distribution I’d encountered. This was due in large part to the extensive compatibility and stability testing Debian packages undergo in the process of moving them down the chain from Experimental releases, through Unstable and Testing releases, and ultimately into the Debian Stable release branch.
  • Ease of Installation: The process of installing Debian proved simple, easy, fast, and well suited to getting exactly what I wanted on the system — or, perhaps more importantly, not getting a bunch of software I didn’t want.
  • Software Management: The incredible ease of software management with APT just blew me away. That was the real coup, for me — the big one. The fact that APT worked quickly, smoothly, and without hiccups, allowed me to make of Debian exactly the operating environment I wanted. I could start from a bare minimum CLI-only install and install every piece of software I needed for my day to day work and a productivity-enhancing GUI environment in about ten or fifteen minutes. Security patching was a few seconds of time. Installing and uninstalling software was easier than opening software that’s already installed can be on MS Windows sometimes.
  • Software Archives: The stability of the packages in Debian’s software archives was not their only virtue. The sheer number of packages in them was mind-boggling — at around 20k discrete packages, we’re talking about several times as many packages as the next runner-up Linux distribution.
  • Upgrade Path: Unlike most OSes, when I wanted to upgrade the OS itself, I just updated the software versions for each component as it became available in a stable form. This included the kernel itself. There was no stair-stepping upgrade process as Version Foo Dot Zero of WhateverOS hit the market. It was a beautiful thing.

I had some minor concerns, of course. One thing that bothered me was my increasing unease with the GPL, the license under which the core toolset and even the Linux kernel are distributed. I don’t think this is the paragraph in which I should get into the subject of what’s wrong with the GPL, but suffice to say I was (and am) much more comfortable with the BSD License. For a long time, I thought about trying out FreeBSD and/or OpenBSD, but I simply never got around to it. Part of it was complacency — Debian did so much for me, provided me with so much convenience and productivity enhancement and other wonderful stuff, that I’d never imagined I could get from an OS, that I just couldn’t be arsed to try something else without a compelling reason. In truth, the licensing issue was a compelling reason, and became more so after some threatened litigation related to the GPL, but I still needed a bit of a push in terms of technical benefits to a different OS.

Finally, that motivation came in the form of the degradation of the Debian distribution’s benefits. It has become gradually less warm and fuzzy for me over the course of the last year. All of these problems, it seems, center around the collapse of the smoothness, stability, and ease of use of APT. It has degraded to the point now where I wonder whether Fedora’s YUM might not be better. Mandriva’s urpmi, judging by my experience, still doesn’t compare if only because it’s structured a bit like someone threw darts at a dart board, then didn’t bother to tell anyone what decisions were made. In any case, problems that I’ve encountered with APT and Debian software archives used by APT include:

  • GPG errors: The frequency of GPG key errors in Debian’s APT has been steadily on the rise, in my experience. Sometimes the problem clears itself up in a few days. Sometimes, you need to give APT a swift kick. Sometimes you need to rebuild your GPG key database for APT. Sometimes you need to wave chicken bones over it and chant, as if you were troubleshooting MS Windows.
  • software configuration problems: I have found that software configuration would sometimes break after an update. This ranged from the mildly annoying, like having to reset a specific option in some application, through the incredibly annoying, like a recent episode where Postfix and/or Mutt started creating mail headers that would get my emails rejected as spam or otherwise illegitimate by recipient mail servers, to the downright painfully awful, like when a Firefox upgrade not only wiped out all my bookmarks but somehow managed to destroy my backup of bookmarks as well.
  • package management errors: The incidence of errors in how the system tracks package versions and available packages is on the rise. My current frustration relates to the fact that APT seems incapable of properly managing a Wine install unless I regularly wave chicken bones over it, chant some evil chants, and refrain from trying to use version pinning to use the version of Wine that I actually need. This is not keen.
  • software stability/compatibility: At one point, ndiswrapper just stopped working on a laptop of mine. A new kernel version with native Broadcom chipset support was released, so I tried upgrading it — and it broke everything related to networking, apparently unfixably. I had to roll back to the previous kernel version and hack configuration basically like cutting my way through the thick of a South American jungle with a pocket knife just to get it working again without wireless. Eventually I got wireless working again — but I never figured out why kernel 2.6.18 hated my laptop so much. It wasn’t even a hardware failure — the package dependencies just screwed everything up, somehow, with incompatible software being necessary for different parts of the same solution.

I got my motivation, my push, to try out something non-Linuxy — to try out something new. This was especially the case when my laptop’s screen crapped out, and I got a desktop system set up to replace it for my day-to-day work (I’m using it now). I decided I’d use this opportunity to install FreeBSD on something and see how I like it. Thus far, I’m in heaven. It’s not only better than the Debian of recently degraded quality: it’s better, at least for my purposes and tastes, than the Debian I remember from back when everything in Debian “Just Worked” without hassle.

Debian still offers a lot. It’s still my favorite Linux distribution — don’t take my above complaints to be as dismayingly negative as they probably seem. Debian is still relatively stable and easy to use — relative to most other Linux distributions, and so much more so than MS Windows that it beggars the imagination for someone who hasn’t given it a shot and doesn’t know what (s)he’s missing. It just doesn’t measure up to FreeBSD, or even to itself from a couple years ago. I suspect some of these problems are related to the accelerated release cycle pressure for the distribution in the last year or so.

If Debian were to clean up its act and get things back to the level of stability and slickness to which I had become accustomed — well, I’d still use FreeBSD, but at least it wouldn’t make me sad to think about it any longer.

Security Analysis: Symantec ISTR XI (Attack Trends Highlights)

Filed under: Security — apotheon @ 01:31

In yesterday’s analysis I presented some coverage of the executive summary of Symantec’s Internet Security Threat Report, volume XI. Today, I’ll present an analysis of the Attack Trends Highlights from the Executive Summary Highlights section of Symantec’s report. I will be providing analysis of further content of the ISTR XI on a (hopefully) daily basis, until I decide I’m finished.

Interesting Numbers:

Symantec’s Internet Security Threat Report volume XI provides a number of interesting statistics in its “Attack Trends Highlights”. The following is commentary on some of the more suggestive statistics.

  • 25% of identity theft related breaches occurred in “the government sector”, according to Symantec. In one respect at least, this is unsurprising — most of government’s more accessible data in peripheral agencies is related to personally identifying information, and the government loves to use social security numbers to keep track of people. In addition, the higher than average level of data integration and sharing across organizations that occurs in government agencies turns what would be multiple separate targets into one huge, almost homogeneous buffet serving of information useful for “identity theft” activities. It’s one-stop shopping for identity thieves. Some may find this startling nonetheless because of decades of Hollywood treatments of the extremely paranoid security of government agencies, but it’s worth noting that organizations like the VA and IRS are not the same as the NSA and CIA — and even agencies like the NSA and CIA have pulled some bone-headed maneuvers, like the publicly released redacted PDF that we all know and love, wherein classified data was marked out as if with a black marker. All one had to do was strip away the PDF layer that rendered the black mark, and the text was fully visible. Additional attack types show similarly government-weighted trends, indicating that it is not solely in the area of identity theft that government agencies are the targets of choice, however.
  • 54% of identity theft related data breaches involved the theft or loss of data storage media, according to Symantec. The VA’s storied loss of a laptop with identifying data for thousands of veterans stored on it in a database really illustrates this problem. The statistic is very misleading in its inclusion in the “Attack Trends Highlights”, however, as loss is not the same as theft. There’s no attack involved in some idiot civil servant leaving a laptop on a commuter train, for instance. For real relevance, this metric should have been confined to actual data security attack trends, rather than improperly including irrelevant statistical data such as by conflating carelessness and lack of effective physical security policy with computer security cracking attacks.
  • 5,213 DoS attacks took place per day, according to Symantec. This is almost certainly a lower-bound number, as obviously Symantec is not privy to all Internet activity everywhere. These were statistics gathered by attack detection by Symantec software or culled from DoS attack reports to which Symantec had access. The number seems to indicate a downward trend, but it is still such a high rate of DoS attacks (especially as a lower bound estimate) that anyone running a production deployment network with Internet connectivity cannot afford to ignore the necessity of DoS countermeasures at the firewall.
  • 77% of all attacks that target Web browsers specifically targeted Internet Explorer, according to Symantec. The only surprise here might be that the number is not higher. Interestingly, this statistic nearly matches the best estimates of Internet Explorer’s market share among Web browser applications. Unfortunately, I do not have access at this time to any statistics related to frequency of browser-specific attacks that come with raw data and collection methodology explications, so I cannot really comment authoritatively on whether Symantec’s data gathering is flawed. Assuming it is not, one possible interpretation of this data is that all browsers receive roughly equivalent attention from malicious security crackers, contrary to common beliefs about the largest target getting the lion’s share of attention in an exponentially increased fashion. This is, if accurate, an even stronger refutation of the “security through obscurity” arguments all too common among those who fancy themselves security experts without any real understanding of the principles than even I had expected (see my article Security through visibility: The secrets of open source security for more on that subject). In fact, it’s suspiciously almost too good, and I’m inclined to be distrustful of Symantec’s methodology.
  • 93% of all targeted attacks targeted the “home user sector”, according to Symantec. This is as contrasted with untargeted attacks, which include spam, phishing, and other security threats that are not tailored to a specific intended victim. The next time someone says he doesn’t use a firewall because there’s nothing on his computer that anyone wants, you might want to show him this statistic.
  • 63,912 bots (aka “zombies”) per day, on average, were observed in operation by Symantec. It’s an increase over the previous reporting period, but not an unexpected increase, as the number of computers that are vulnerable to this sort of abuse increases daily, and as Symantec’s measuring process presumably improves. The indicator you should draw from this is that it is important to check your systems regularly for signs of compromise. A single virus scanning application like Norton AntiVirus is by no means sufficient.
  • Israel, Taiwan, and Poland were the three top-ranked countries for malicious activity per capita, amongst Internet connected computer users, according to Symantec. I don’t have any further comment on the matter at this time, as I’m not sufficiently familiar with the similarities in legal systems and Internet infrastructure of these three nations to provide any authoritative analysis.
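The failed-redaction anecdote in the first bullet above (a black box drawn over text that is still present in the file) is easy to demonstrate, and the same check is what a publisher should run before releasing a document. The following is an added example, not code from the original post or from any of the organizations it mentions. It builds a constructed minimal PDF in memory, optionally drawing a filled rectangle over a line of text, and then scans the content streams for text-showing operators to see whether the "redacted" string is still recoverable. The helper names (`build_pdf`, `extract_text_strings`, `redaction_leaks`) are this example's own; the scanner is deliberately naive (plain `(...) Tj` operators, optional zlib-compressed streams) and a production check should use a full PDF library instead.

```python
import re
import zlib


def build_pdf(text: str, cover: bool) -> bytes:
    """Build a constructed one-page PDF containing `text`.

    If `cover` is True, a black rectangle is painted over the text, which is
    exactly the "marker over the words" style of redaction described above.
    The text itself is left in the content stream untouched.
    """
    content = f"BT /F1 12 Tf 72 700 Td ({text}) Tj ET\n"
    if cover:
        # 0 g = black fill; re f = draw and fill a rectangle over the text line
        content += "0 g 70 690 200 20 re f\n"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        f"<< /Length {len(content)} >>\nstream\n{content}endstream".encode(),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (
        f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
        f"startxref\n{xref_pos}\n%%EOF\n"
    ).encode()
    return bytes(out)


# Naive stream and text-operator matchers; real PDFs also use TJ arrays,
# hex strings and escaped parentheses, which a library handles for you.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj")


def extract_text_strings(pdf: bytes) -> list:
    """Return every literal string passed to a Tj operator in any stream."""
    found = []
    for stream in STREAM_RE.findall(pdf):
        try:
            stream = zlib.decompress(stream)  # /FlateDecode streams
        except zlib.error:
            pass  # uncompressed, use as-is
        for raw in TJ_RE.findall(stream):
            found.append(raw.decode("latin-1"))
    return found


def redaction_leaks(pdf: bytes, sensitive: str) -> bool:
    """True if `sensitive` is still present in the file's text content."""
    return any(sensitive in s for s in extract_text_strings(pdf))


if __name__ == "__main__":
    secret = "SSN 000-00-0000"  # constructed sample value
    boxed = build_pdf(secret, cover=True)       # black box over live text
    removed = build_pdf("[REDACTED]", cover=True)  # text actually replaced
    print("black box only, text recoverable:", redaction_leaks(boxed, "000-00-0000"))
    print("text replaced, text recoverable:", redaction_leaks(removed, "000-00-0000"))
```

Running it reports that the boxed file still leaks the string while the file whose text was actually replaced does not; the rectangle only changes what a viewer paints, not what the file contains.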

Closing:

This has been the second installment in my security analysis of the Symantec Internet Security Threat Report, volume XI. This is a series of daily posts collected under the SOB category Security. You may follow this series (and further security-specific posts) via RSS using the Security Category RSS Feed.

Next, I will continue my overview of Symantec’s “Executive Summary Highlights”, with specific attention on the “Vulnerability Trends Highlights”, in brief.

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License