This article has some really interesting pictures of the Gigabyte motherboard and video card factory. Check it out!
buy free software developers dinner
In response to my post about buying dinner for developers (as an alternative to “professional networking sessions”) Kris notes that his company has been doing it for years. He goes a little further than I did in my post and advocates buying dinner for developers as a way of thanking them for their work.
I agree that buying dinner for people is a good way of thanking them for their work. I didn’t suggest it in my post though because I didn’t expect that there would be much interest in such things. I’m glad that Kris has proved me wrong. I’m not sure whether Kris was talking about personally buying dinner or getting his company to do so. In either case it’s a really good thing, and I encourage others to do the same!
right-side visual migraine
This afternoon I had another visual migraine. It was a little different from the previous ones in that it had more significant visual effects and in that it affected the right side of my vision. My central vision was OK, the left side was quite good, but the right side was mostly occluded by bright flashes. Closing my right eye seemed to make it a little better – apparently my right eye was more affected than my left. Previous visual migraines had only affected my central vision.
It happened shortly after going outside and it was a sunny afternoon, so maybe the bright light helped trigger it. The Australian optometrist chain OPSM advertise transitions – lenses that darken when exposed to UV light so they act as sun-glasses when outdoors, this sounds interesting (I don’t want to have prescription sun-glasses as well as regular glasses). However there is one concerning item in the advert – “protect your eyes from dazzling sunlight, harsh artificial lighting and the glare from computer screens”, I don’t want my glasses to go dark when I’m looking at a computer screen (a large portion of my waking hours)!
mac vs PC vs Linux
Apple has a series of funny commercials comparing the Macintosh with a PC running Windows. They are very well written and presented. I recommend viewing them for the amusement value (view them here – but you need Quicktime).
Novell has produced a few short parodies of those adverts, they don’t have the same production quality but are well written and not nearly as cheesy as I had feared (view them here). Novell’s ads are in OGG and MP3 format.
Update: A comment pointed me to this site which has other parodies of the Mac adverts. There is quite a bit of bad language and the parodies will offend some people in several ways. But they are amusing and do make some interesting points.
hybrid Porsche
The April 2007 issue of the RACV magazine announces that Porsche is working on a hybrid vehicle. It seems that the award-winning Lexus hybrid vehicle has demonstrated the value of hybrid petrol-electric technology for performance vehicles and that Porsche want to catch up.
The trend seems to be towards all vehicles that are desirable being available in either hybrid or Diesel variants, and we’ll probably see hybrid Diesel vehicles on Australian roads soon.
Trusted Solaris vs SE Linux
Karl MacMillan writes an interesting review of a Sun article about SE Linux. Not only does he correct errors in the Sun article but he also summarises some of the features of SE Linux design and terminology that we use. If you are interested in computer security and want to learn some of the basic concepts then Karl’s review is worth reading.
questions regarding SE Linux
I just received a question about SE Linux via email. As I don’t want to post private messages containing material that’s globally useful I’ll answer through my blog:
> other than strict and targeted policies……other policies like
> RBAC, MCS, Type Enforcement are also there….how are these policies
> implemented
The two main policies are the strict policy and the targeted policy. The strict policy is the earliest and was originally known as the sample policy (but was given the name “strict” after targeted was developed).
The strict policy aims to give minimal privileges to all daemons. The targeted policy aims to restrict the programs that are most vulnerable (network facing daemons) and not restrict other programs (for ease of use). There is currently work in progress on combining those policies so the person who compiles the policy can determine which features of strict they desire.
RBAC means Role Based Access Control. The strict policy assigns users to roles and the role then limits the set of domains that can be entered. For example the user_r role does not permit the sysadm_t domain so a user who is only permitted to enter the user_r role can not perform sys-admin tasks. Like many terms RBAC is used in different manners, some people consider that it means direct control by role (EG role user_r can not write to /dev/hda), while SE Linux has a more indirect use of roles (role user_r can not run programs in domain sysadm_t or any other domain that allows writing to type fixed_disk_device_t – the type for /dev/hda). You may consider that the strict policy supports RBAC depending on which definition of the term you use.
Generally the targeted policy is not considered to support RBAC, although if you consider a role to merely be a container for a set of accesses that are permitted then a SE Linux domain could be considered a role in the RBAC sense. I don’t think of targeted policy as being a RBAC implementation because all user sessions run in the domain unconfined_t which has no restriction. I think that to be considered RBAC a system must confine user logins.
Type enforcement is the primary access control mechanism for SE Linux. Every object that a process may access (including other processes) has a type assigned to it. The type of a process is known as a domain. The system has a policy database which for every combination of domain, type, and object class (which is one of dir, file, blk_file, etc – all the different types of object that a process may access) specifies whether the action is permitted or denied (default deny) and whether it is audited (default is to audit all denied operations and not audit permitted operations).
MCS is a confidentiality protection mechanism where each file has a set of categories assigned to it. The set may be empty, may contain all 1024 categories, or any sub-set. Each process has a set of categories that determines which files it may access. File access is granted if Unix permissions allow it, if the domain-type model allows it, and if MCS allows it (on an MCS system). I have just had an article on MCS published in Linux Journal.
MCS is an optional feature for people compiling Linux from source or for distribution vendors. For Red Hat Enterprise Linux, Fedora, and Debian the decision was made to include it, so the strict and targeted policies for those distributions include MCS.
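The layered decision described above (Unix permissions, then type enforcement with default deny, then MCS categories, with roles limiting which domains may be entered) can be sketched as a small model. This is an added example, not SE Linux code or part of the original post; the sample policy entries, the types user_t and user_home_t, the role sysadm_r and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str                      # the type of a process is its domain
    categories: frozenset = frozenset()

@dataclass(frozen=True)
class Obj:
    owner: int
    mode: int                        # Unix permission bits, e.g. 0o640
    type: str
    tclass: str                      # object class: file, dir, blk_file, ...
    categories: frozenset = frozenset()

# RBAC: the domains each role may enter (constructed sample policy).
ROLE_DOMAINS = {"user_r": {"user_t"}, "sysadm_r": {"user_t", "sysadm_t"}}
# Type enforcement: (domain, type, class) -> permitted operations.
# Any combination not listed here is denied (default deny).
TE_ALLOW = {
    ("user_t", "user_home_t", "file"): {"read", "write"},
    ("sysadm_t", "user_home_t", "file"): {"read", "write"},
    ("sysadm_t", "fixed_disk_device_t", "blk_file"): {"read", "write"},
}

def role_may_enter(role, domain):
    """Indirect RBAC: a role only limits which domains can be entered."""
    return domain in ROLE_DOMAINS.get(role, set())

def dac_allows(p, o, perm):
    """Unix permissions, reduced to owner/other bits; root bypasses them."""
    if p.uid == 0:
        return True
    bit = {"read": 4, "write": 2}[perm]
    shift = 6 if p.uid == o.owner else 0
    return bool((o.mode >> shift) & bit)

def check(p, o, perm):
    """Return (granted, deciding_layer, audited); every layer must allow."""
    if not dac_allows(p, o, perm):
        return (False, "dac", False)     # not an SE Linux decision
    if perm not in TE_ALLOW.get((p.domain, o.type, o.tclass), set()):
        return (False, "te", True)       # denials are audited by default
    if not o.categories <= p.categories: # process must hold every file category
        return (False, "mcs", True)
    return (True, "granted", False)      # permitted operations are not audited
```

In this model a root-owned process in user_t is still refused write access to a fixed_disk_device_t block device, because the Unix check passing does not override the type enforcement denial.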
There is another policy known as MLS. This is a policy build that comprises the strict policy plus Multi-Level Security. Multi-Level Security aims to give the highest confidentiality protection and comply with the LSPP (Labeled Security Protection Profile – roughly comparable to B1) Common Criteria certification. It would be possible to build a targeted policy with MLS but that wouldn’t make sense – why have the highest protection of confidentiality with anything less than the highest protection of integrity?
As for how the policies are implemented, I’m not about to write a tutorial on policy writing for a blog post, I’m sure that someone will post a link to a Tresys or Fedora web page in the comments. ;)
> there r some packages of linux in which some changes has been made
> to support linux……for eg:- coreutils, findutils
That is correct. Every program that launches a process on behalf of a user at a different privilege level (EG /bin/login, sshd and crond) and every program that creates files for processes running in different domains (EG logrotate creating new log files for multiple daemons) needs to be modified to support SE Linux. Also ls and ps were modified to show SE Linux contexts as well as the obvious programs in coreutils.
> ‘Z’ is the new thing that have been added to most of the
> utilities……wherever I search I get the changes made only in few
> utilities like ps, mv, cp, ls
>
> Can u help me by giving all the changes made in each of the utilities…..
Unfortunately I can’t. This has been identified as an issue and there is currently work in progress to determine the best way of managing this.
death threats against Kathy Sierra
The prominent blogger and author Kathy Sierra has recently cancelled a tutorial at a conference after receiving death threats.
Obviously this is a matter for the police to investigate – and the matter has been reported to them.
It’s also an issue that is causing a lot of discussion on the net. The strange thing is that a large portion of the discussion seems based on the idea that what happened to Kathy is somehow unusual. The sexual aspect of the attacks on Kathy is bizarre but campaigns of death threats are far from unusual in our society. The first post I saw to nail this is the “I had death threats in high school” blog entry. Death threats and campaigns of intimidation are standard practice in most high schools. After children are taught that such things are OK for six years straight it’s hardly a surprise that some of them act in the same manner outside school!
But I don’t expect anything to change. Columbine apparently didn’t convince anyone who matters that there is a serious problem in high-schools, I don’t expect anything else to.
I can clearly remember when I first heard about the Columbine massacre, a colleague told me about it and explained that he barracked for the killers due to his own experiences at high-school. While my former colleague probably had not given his statements much consideration, any level of support for serial-killers is something to be concerned about.
This is not to trivialise Kathy’s experience. But I think that discussion should be directed at more fundamental problems in society instead of one of the symptoms. If the causes are not addressed then such things will keep happening.
Xen and eth device renaming
Recently I rebooted one of my Debian Xen servers and suddenly all the Ethernet devices which used to be eth0 in the domU’s became eth1.
vif = [ '', 'bridge=xenbr1' ]
I used to have the above as the interface definition and for domU’s that had only a single interface that worked well (if there is only one interface then it should be eth0). However in a recent etch update this changed, so I had to use ifrename as documented in my previous blog post. It’s annoying when things break because a reasonable assumption which previously worked suddenly stops working.
Even if the bug in question (if it is regarded as a bug) is fixed I’ll keep using ifrename, it doesn’t do any harm.
Update: I have changed my Xen configuration to use fixed MAC addresses which seems to be a better solution than using ifrename. See the Wikipedia page about MAC addresses for information on how to choose them. I’m currently using manually assigned MAC addresses from the range 00:16:3e (which is assigned to Xen).
Save Babe
There’s an advertising campaign at the moment opposing cruel treatment of pigs, the web site is at http://www.savebabe.com/ . They have rented advertising space at train stations to publish the URL.
One thing that they don’t mention is the health issues related to factory farming. It makes sense to concentrate on one message at a time and they are concentrating on animal cruelty. But probably more people will be concerned with the risks of disease, parasites, and antibiotic-resistant bacteria present in meat produced from the factory farms.
Also wild boar tastes better!