October 2005 Archives

Kyle Rankin

Related link: http://www.mutt.org

So I’ve written about mutt a few times before, but for the most part I’ve jumped ahead into advanced usage. Since I’ve recently gotten a few beginner-level mutt questions, I’ve decided to devote a few blog entries to mutt basics.

In case you haven’t heard of mutt, it’s a text-based mail client along the lines of pine or elm. Mutt is known for being a fast and highly configurable mail client, and since it’s text-based, it’s ideal for checking email quickly over ssh.

In this entry I’m just going to talk about a standard no-frills mutt config and some basic tips on how to use mutt. I’m going to focus on accessing IMAP folders since that seems to be the most common way people access their email these days (and one of the most common ways people get tripped up with mutt). Also notice I’ve set myself up for a multi-part blog entry, this way I’m forced to follow-up with a bit more advanced usage since if you stop here, you’ll miss out on a lot of great things about mutt.

(Note: About halfway through writing this entry, I noticed that another introduction to mutt article was posted at http://www.linux.com/article.pl?sid=05/10/07/172259. That article mostly covers using fetchmail and POP with mutt, which I wasn’t planning on talking about anyway, so if you use POP check out that article for POP-specific info.)

Why Use Mutt?

There are many different email clients out there, so what is it about mutt that so many people like? Well, there are a few things:

  • Mutt is fast

    One of the advantages of being a text-based email client is that mutt is lightweight and performs a lot faster than other clients when reading through email. The fact that you only use the keyboard with mutt also means that after you get down the initial keybindings for things, you can really quickly blast through all of your new mail.

  • Mutt is configurable

    Basically every mutt default can be changed. Anything from keybindings to which email headers it displays to when to use PGP and when not to can be configured.

  • Mutt is vim-like by default

    Okay, maybe this is just a feature to me, but many of the keybindings and general behavior of mutt follow vim conventions. And just in case you don’t like vim’s conventions, like I said, it’s configurable so you can change it.

  • Mutt can be accessed remotely

    Since mutt is a text-based client, no matter what computer you are in front of, you can ssh to one of your own computers that has mutt and check up on your email quickly, even over a dialup connection.

  • Mutt has hooks

    While I won’t get into hooks in this entry, mutt hooks basically let you tie settings or functions to an attribute of an email or an email folder. For instance, you can easily set up multiple signatures and use mutt’s send-hook feature to bind one signature and FROM address to your friends and family, and one signature and FROM address to your clients. You can also use the save-hook feature to automatically set the default saved message folder for an email based on the contents of that email.

Install Mutt

I’m not going to go into great detail on how to install mutt, since it will vary depending on which Linux distribution or OS you are installing it on. It’s a popular enough program that your distribution or OS should at least have the “stable” mutt series (1.4), but if you use IMAP you should try to track down a packaged version of the “development” series (1.5.*) for the single reason that it supports header caching (more on that below). Install mutt using your OS’s package management tool, or you can always download the source from http://www.mutt.org and compile it yourself. In either case, once you are finished it’s time for the initial configuration.

Configure Mutt

Okay, here is where things get interesting. One of the nicest features of mutt is how configurable it is, but the downside of all that configurability is that there are lots of options for the beginner to choose from. Mutt doesn’t use an interactive tool for configuration; instead it expects a ~/.muttrc file containing all of your options. In another part of this series I may cover my personal methodology for managing mutt options, but for now what’s important is a limited-frills general-purpose ~/.muttrc file that will let you check your mail on an IMAPS server.

I’m going to split this off into a few parts so I can talk about each part, but if you wanted all of these settings you would open up a text editor, paste it all in, and save it as ~/.muttrc. The first part contains some basic foundation settings:

set folder=imaps://imap.example.com/  # Point to IMAP server
set imap_user=jmuttley   # Your IMAP username
set imap_pass=password   # Your IMAP password. This is in plain text!
set spoolfile=+INBOX     # Your main mailbox
set from="Joe Muttley <joe@example.com>" # Default address for outgoing mail

set copy=yes             # Whether to save sent messages
set record=+Sent         # Where to save sent messages
set beep_new=yes         # Beep when new messages arrive?
set move=no              # Move read messages to another folder?
set forward_quote=yes    # Quote the email body when forwarding?
set include=yes          # Quote the email body when replying?
ignore *        # this means "ignore all headers by default"
                # I do want to see these fields, though
unignore        date from subject to cc

The above settings are enough to get you started so you can check your IMAP share INBOX. In fact some of these settings aren’t even really necessary, but they set up some decent defaults (or at least expose them so you can change them easily). The first two lines configure my default “folder” (or in this case my IMAP server) and my IMAP user, respectively. Note that if you do specify your IMAP password, it will be in plain text in this file. If you don’t want that, remove that line and mutt will just prompt you for your password when you connect to the IMAP server. In the example I use imaps, but change that to imap if you don’t want to use IMAPS.
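The plain-text password point can be checked mechanically. The following is an added example, not part of the original entry: a shell function (the name muttrc_password_status and the sample file are made up for illustration) that reports whether a muttrc has an active imap_pass line and whether anyone other than the owner can access the file.

```shell
#!/bin/sh
# Added example (not from the original post): classify how a muttrc stores
# the IMAP password. Prints one of:
#   none     no active "set imap_pass" line; mutt prompts when it connects
#   stored   password is in the file, but only the owner can access the file
#   exposed  password is in the file and group/other permission bits are set
#   missing  the file does not exist
muttrc_password_status() {
    mps_rc=$1
    if [ ! -f "$mps_rc" ]; then
        echo "missing"
        return 1
    fi
    # Match an uncommented "set ... imap_pass=..." line. mutt accepts several
    # variables on one "set" line, so imap_pass need not come first.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+([^#]*[[:space:]])?imap_pass[[:space:]]*=' "$mps_rc"; then
        echo "none"
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mps_bits=$(ls -ldL "$mps_rc" | cut -c5-10)
    if [ "$mps_bits" = "------" ]; then
        echo "stored"
    else
        echo "exposed"
    fi
    return 0
}

# Constructed sample mirroring the settings shown above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/muttrc" <<'EOF'
set folder=imaps://imap.example.com/  # Point to IMAP server
set imap_user=jmuttley   # Your IMAP username
set imap_pass=password   # Your IMAP password. This is in plain text!
EOF
chmod 644 "$demo_dir/muttrc"
muttrc_password_status "$demo_dir/muttrc"   # readable by other users
chmod 600 "$demo_dir/muttrc"
muttrc_password_status "$demo_dir/muttrc"   # owner only
rm -rf "$demo_dir"
```

Run it against ~/.muttrc and against any file that ~/.muttrc pulls in with source.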

SMTP support (or lack thereof)

Note that I didn’t configure any sort of SMTP server. Unlike most other mail clients, mutt is strictly a mail user agent and doesn’t contain code to communicate directly with an SMTP server. Mutt hands off the mail to the mail delivery system on your local machine, so you need to make sure that it is configured properly so that you can send mail using the “mail” command. This is a common thing that trips up new mutt users, as most people are used to the mail client talking directly to a mail server using SMTP.

Non-essential (but Useful) Settings

Next I’ll cover some less essential settings that I still think are worth mentioning and adding to your .muttrc file. Most of these are commented, but refer to mutt’s documentation page if you want more information on any of these settings.

I like to create a ~/.mutt directory where I store all of mutt’s other configuration files such as my signatures and the alias list (so you can email “fred” and fred’s full email address will be filled in for you). You’ll see how I reference that in the config below. Also I’ve added a number of other settings that I like using or that I think are important to at least highlight in case you want to change them:

set alias_file="~/.mutt/aliases"
source ~/.mutt/aliases
set signature="~/.mutt/sig"
set sig_on_top           # Don't do this on mailing lists!
set mail_check=90        # check for new mail every 90 seconds
set timeout=15           # after 15 secs of no keypresses, start checking for new mail
set reverse_name         # Reply with the address used in the TO/CC header
set ascii_chars=yes      # Use ASCII arrows
set reverse_realname=yes # Reply with the name used in FROM
set reverse_alias=yes
set fast_reply="yes"
set confirmappend=no     # Confirm when appending messages to an existing mailbox?
set pager_index_lines=5  # Show 5 message headers from your message index above an email you are reading
# h will take you to the folder list in the index
macro index     h "c?t"

# VIM with special startup settings
set editor="vim -c 'set nohlsearch noshowmatch modelines=0 tw=75 et noai'"

I should probably explain that last line in more detail. Mutt by default uses vim as its text editor when you write an email. That last configuration option sets the program that mutt launches when editing an email, and in this case it launches vim with a number of options that are suitable for writing emails. You could also use this option to change the editor from vim to whatever console text editor you prefer to use.

IMAP Folders

With the above config, by default mutt will only check your INBOX for new mail. You can hit the ‘h’ key (due to the macro I added) to access the list of mailboxes, but you will have to hit the tab key to see them all. What is better is to configure mutt with all of the mailboxes you want to be able to check with the mailboxes configuration option.

Each mailbox added to mutt will be automatically checked for new mail, and when there is new mail, mutt will give precedence to a folder based on the order you specify them. When you hit ‘c’ to change to another folder (more on the keybindings and how to use mutt below), mutt will automatically fill in the name of the next folder in the list that contains new mail. I like this feature since I can quickly go through all of my “important” folders first followed by the less-important folders.

To add three folders (Work, Friends, and SPAM, in that order), add the following three lines to your .muttrc:

mailboxes "=Work"
mailboxes "=Friends"
mailboxes "=SPAM"

Header Caching

One of the best new features in the development version of mutt (and mutt-ng, which I mention here) is header caching. If you use IMAP and have folders with lots of messages, it can be annoying to have to sit while mutt downloads every header each time, even though mutt does it relatively quickly. Header caching makes mutt behave like a lot of other mail clients and it caches the headers it already has downloaded locally so it only needs to retrieve new email headers. This results in a big boost in speed when opening new folders and if you use mutt and IMAP I highly recommend getting the mutt development version just for this feature.

Header caching isn’t enabled by default, so to enable it you will need to create a new directory on your machine to store headers (I made one called ~/.muttheaders) and then add the following line to your ~/.muttrc:

set header_cache="~/.muttheaders"

Using Mutt

Now that mutt is configured, it’s time to start it up. I’m going to go over some of the basic keybindings you will use to navigate through mutt, but this is far from an exhaustive list. To start mutt, open a terminal and type mutt.

Navigate the message index

Mutt by default will open up into your main mailbox file, which should be configured to be your INBOX. You can use the arrow keys or j and k to move up and down through the list of messages (which mutt calls the “index”). The Tab key will take you to the next New message in the index. In this mode you can hit ‘n’ to mark a message as new, ‘d’ to delete a message, or ‘u’ to undelete a message.

If you use the key macro I added above, you can hit the ‘h’ key and mutt will take you to the folder view where you can view any configured mailboxes. Highlight one and hit Enter to change to it.

Read a Message

To read a message, highlight it and hit Enter. You can page forward through the message one line at a time with the enter key and backwards with the backspace key. Pgdn and Pgup will let you move down and up a message one page at a time. If you want to reply to or forward the message, hit ‘r’ or ‘f’ respectively. If you want to return to the message index, hit ‘q’.

Compose a Message

To compose a message, hit the ‘m’ key. Mutt will prompt you for the address to mail to, the subject, and then will launch the text editor of your choice (vim by default) to edit your message. When you are finished typing your message, save it and close the editor. Mutt will then take you to a screen where you can add CC, BCC, or edit the To or From headers of the message. In this mode hit ‘a’ to add attachments. If you want to go edit your message again, highlight it and hit ‘e’. When you are ready to send the email, hit ‘y’, or otherwise hit ‘q’ to exit. If you exit in the middle of a message, mutt will prompt you to postpone it for later if you want. The next time you hit ‘m’ to compose a message, mutt will prompt you for whether you want to open the postponed message.

Get Help

If you can’t remember a particular keybinding, just hit ? to open the mutt help screen. To go back to where you were, hit ‘q’.

Exit Mutt

When you are finished using mutt, hit ‘q’ in the message index to leave, or otherwise hit ‘x’ to immediately close the program without saving any unsaved changes.

How I Check My Mail

Here’s a quick overview of a normal mail-checking session of mine using mutt. I start mutt, and hit Tab if I’m not automatically over the next New message. I then hit Enter, read the message, and without hitting ‘q’, I hit Tab to skip ahead to the next message. I do this until there aren’t any more new messages in this particular folder. Then I hit ‘c’ to show me whether there are any other folders with new mail and hit Enter to change to that folder. Then I hit Enter to open the first new message in that folder and then Tab through that folder of messages. I repeat these steps for any other folders with new mail. Once you get the hang of it, you can go through all of your mail really rapidly this way.

Conclusion

This is far from a full explanation of how to use mutt effectively. I hope in the next part to talk more about how I personally use mutt to blast through my email. I may also cover some of mutt’s hook settings and how I organize my mutt settings.

Do you have any other beginner-level tips for new mutt users? Post them here.

Tom Adelstein

Related link: http://lxer.com/module/forums/t/18462/

During the last month, we conducted a survey of readers who use Linux. We asked them why they switched to Linux and received a plethora of answers. Surprisingly, anti-Microsoft sentiment had less to do with the choice than one might imagine.

Could the pundits have it all wrong? Is it possible that Linux stands on its own merits? Most Linux users would say yes. Use of Linux does not represent a rebellion against Microsoft and Linux stands on its own as a user preference.

In this article, we will look at excerpts from the survey and see why people have adopted Linux. You might find the reasons interesting, maybe fascinating and probably not what you thought.

First, let’s clear the air about this so-called anti-Microsoft sentiment.

From Where Does the Anti-Microsoft Sentiment Originate?

Linux users consider Microsoft’s paranoia a threat. When a monopolistic powerhouse says that they will crush you under their boot because you use a competing product, you might find yourself annoyed. Imagine General Motors saying that they will put your car in a museum so people will remember someone built it once.

A media factor comes into play also. Imagine you like using Linux and you read articles stating you’re a FANATIC. Then imagine lots of writers implying Microsoft will crush you under their boot. When threatened, people become defensive.

When someone threatens another, it makes the latter angry. Is it logical that you’ll win someone over by threatening them? The only reason one would ask such a rhetorical question lies in the fact that some people believe a threat will endear others to them.

The Survey

We conducted the survey on-line informally, so people could freely express themselves. I’ll provide a link to the thread a little later in this article. First, I have some random excerpts:

* I was at work one day and one of the sys admins said, dial out to my box at home. I did and was greeted by something that smelled a lot like System V “What is it?”, I asked, expecting that he had gotten hold of “free” copy of UnixWare or something (which was probably about $1500-2000 at the time). He said, “It’s Linux.”

* I converted to Linux (from NetBSD) because of two factors:
1. Price - I got a 1 GHz Duron PC from Walmart for $300 in 2002.
2. All the cool software - User mode linux, Reiserfs, although NetBSD is pretty posix-compliant.

* I like Linux because it’s unix, it’s cheap and for a scientist it’s a pleasure to use on the desktop.

* I first touched a computer when I was 6 (and that was 23 years ago, when the PC 1512 was still a new thing!). My primary school was the first in France to give computer classes to pupils.

When I took up high scientific studies, I came in a university-like school with a computer network… The computers we used were Windows (95 and 98), but the network itself was handled by a Linux server. I first heard of Linux because I became romantically involved with one of the maintainers of the network.

Then four years ago I got my first job, just fresh out of University. I moved to the Netherlands, and got the possibility to buy a computer, partly paid by my employer…It took me a while but I finally (installed) it last summer… All in all, I feel I have been naturally evolving towards GNU/Linux, and that it is just the right thing for me.

* The challenge to try an alternative (and sticking with it)…had enough of computer troubles (but hey let’s try that Red Hat Linux CD out of curiosity)…forced up by a Linux enthusiast (husband, wife, brother, etc) and after years got too accustomed to it…comes from a strong UNIX background…financial reasons, cutting budget, etc…. moral reasons (rare)…governmental reasons or desktop at workplace.

I chose Linux simply because I thought the mascot looked cute enough.

* Linux gives me the pretty (and convenient) graphics plus all of the tools I can eat…Cut my teeth on an Alpha Micro AM-100 (PDP-11 clone(ish)) at the University Computer Club at the University of Western Australia in 1980 running AMOS.

* I was not unhappy with Microsoft or Windows, but I was motivated to learn more about Unix…When the first betas of KDE came out, I installed it. From that point, I began spending more time on the Linux box — especially after StarOffice was made gratis — and less on the Windows PC.

As I went on, I began trying things that I couldn’t do with Windows. I added boxes to the network, I started doing graphics with the Gimp. I experimented with apache and postgresql, all manner of things…Now, Linux is my primary platform.

* I just wanted to try something different back in 1996, got an install of Slackware 2.0 from Lasermoon in the UK came on about 25+ floppies, bought a copy of Dr.Linux from them as well and on I went.

* because my best friend was a Gentoo-fan, he set up Gentoo for me. First I didn’t like it, because everything just worked as it should in only one day (compare that to OpenBSD!) But when I got to know portage I was convinced I would be using this from now on. It (Gentoo) was also ideal for studying for my LPIC level 1.

* I changed to Linux because of the Fiddle factor… I like computers not only for what they can do but I like them intrinsically… I have built my own computers…It is a hobby. I try to wring as much performance out of what I have. It has nothing to do with bragging rights but just a fun challenge to myself.

* It took me about a year to switch from W2K to Linux. The timing in the development of all of the Desktop elements has obviously been critical. If I’d tried any sooner, the whole thing would never have come together. Improved hardware support and equivalent apps have been a big part of the successful transition, and, I owe thanks to many in the Linux community for making that happen at an astounding rate and giving me my functional Desktop OS.

* I first tried Linux out of curiosity mainly. But after I’d tried it I was fascinated. Yeah, woody was much harder to install than Windows, but I didn’t feel isolated/insulated from my computer any more. I welcomed the opportunity to learn. I wasn’t confined by the wizards that MS uses to “help” you work on your computer. I could play with the kernel. (Something I’d been wanting to do for a long time.) I could modify, customize, and learn to my heart’s content. Linux was what I had always expected computing to be.

* Started with Vic 20 - 1983? then dos on a 286 then windows 3.1 on 286 what a nightmare… Saw QNX and wanted it for years …Windows 95 (was) ok but lacked the ability I had on the VIC 20…Lotus Notes / Domino Programmer on Windows and Unix…Still wanted QNX. Came across a CD from a friend - Lycoris. BANG “Head ringing”…OH this love affair is not going away soon… As an IT Manager the TCO is the savings of the sanity of the IT staff.. They don’t have to chase those pesky hidden bugs in MS.

* Running a Windows enterprise was like working in the emergency room of Cook County Memorial. Working on Linux was like being a Maytag repair man.

You can read the comments and add your own if you wish. The url is: http://lxer.com/module/forums/t/18462/

Who are My Readers?

They come from: United States, France, Europe, Germany, Australia, Canada, Great Britain (UK), Netherlands, Italy, Hong Kong, Sweden, Austria, Spain, Brazil, Switzerland, Poland, Finland, Japan, Portugal, Ireland, China, Belgium, Czech Republic, India, Singapore, Greece, Norway, Ukraine, New Zealand (Aotearoa), Slovenia, Mexico, Denmark, South Africa, Taiwan, Colombia, Romania, Hungary, Israel, Russian Federation, Bulgaria, Korea (South), United Arab Emirates, Indonesia, Argentina, Philippines, Kyrgyzstan, Thailand, Latvia, Slovak Republic, Venezuela, Chile, Turkey, Uruguay, Malaysia, Luxembourg, Estonia, Lithuania, Croatia (Hrvatska), Pakistan, Vietnam, Yugoslavia, Iceland, Egypt, Iran, Jordan, Saudi Arabia, French Polynesia, Macedonia, Jamaica, Bermuda, Costa Rica, Puerto Rico, Peru, Bosnia and Herzegovina, Gibraltar, Cyprus, Guatemala, Barbados, Malta, Saint Lucia, Sri Lanka, Dominican Republic, Tunisia, Qatar, Algeria, Belarus, Kenya, Nigeria, Uganda, Kuwait, Lebanon, Trinidad and Tobago, Bangladesh, Brunei Darussalam, Kazakhstan, Mauritius, Nepal, El Salvador, Ecuador, Bahamas, Morocco, Paraguay, Antigua and Barbuda, Bahrain, Panama, Guam, Zimbabwe, Moldova, Bolivia, Ethiopia, Macau, Mongolia, Senegal, Oman, Andorra, Libya, Palestinian Territory, Tanzania, Cambodia, Ghana, Liechtenstein, Namibia, Monaco, Armenia, Cayman Islands, Faroe Islands, New Caledonia, Syria, Georgia, Albania, Maldives, Nicaragua, Rwanda, Sudan, Togo, Aruba, Azerbaijan, Fiji, Papua New Guinea, Bhutan, Honduras, Anguilla, Myanmar, Uzbekistan, Vanuatu, Guadeloupe, Gambia, Burkina Faso, Greenland, Virgin Islands (U.S.), Angola, Gabon, Guyana, Liberia, Mali, Vatican City State (Holy See), Cape Verde, Netherlands Antilles, Cameroon.

Linux users come from every part of the globe. Those who wish to crush Linux under their boot and put it in a museum may find that difficult. I also doubt that the boot crushers could muster up these kinds of testimonials.

Final Thoughts

Why do people switch to Linux? Actually, I think having an alternative provides a small part of the answer. When I started using Linux, I really liked it. I remember installing Red Hat 5.0 back in 1998 and thinking it was really pretty cool.

Given what the media and many analysts say, I shouldn’t have liked Linux more than Windows because it did not have all the things they emphasize as important. I mean, fvwm wasn’t a great GUI desktop. Lots of hardware didn’t work. In fact, I had to hunt for older video cards to get X Windows to work.

Something about Linux though re-invigorates an interest in computers for many people, including me. It’s remarkable.

Anton Chuvakin

Related link: http://archives.seul.org/or/talk/Jun-2005/msg00087.html

By now, I am sure all of the blog readers are familiar with Tor, “an anonymous Internet communication system”. If you run a Tor node, should you monitor it? Can you (from a legal point of view)? It brings up an exciting and convoluted legal and ethical challenge. The discussion at the above link shows some of the deep issues around it.

Chris Josephes

I work in multiple Unix flavor environments. Sometimes commands on one host aren’t where I expect them to be on another. In one or two cases, my PATH variable could have 8 directories for me to search.

A long time ago, I wrote a .bashrc script to build my PATH based on what’s actually available on the host system.

# Set the path
PATH=""
PATHLIST="
/opt/subversion/bin
/opt/perl5/bin
/opt/security/bin
/usr/sbin
/sbin
/usr/local/bin
/usr/bin
/bin
/usr/sfw/bin
/opt/sfw/bin
/usr/ccs/bin
/opt/SUNWspro/bin
/usr/ucb
/opt/mysql/bin
/home/chrisj/bin
"
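for p in $PATHLIST
do
   # Skip directories that don't exist on this host
   if [ -d "$p" ]; then
      # Put ":" only between entries; a trailing ":" is an empty entry,
      # which the shell searches as the current directory
      PATH=${PATH:+$PATH:}$p
   fi
done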

It goes from specific directories, to root access directories, to common directories, then least used directories. If the directory doesn’t exist, it won’t be in the PATH variable.
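A check worth running on any PATH assembled by a script like this one: an empty entry (leading, trailing or doubled colon) is searched as the current directory, and so is a relative entry. This is an added example, not part of the original post; the function name check_path and the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). check_path prints one finding
# per line for a PATH-style string:
#   empty                an empty entry, searched as the current directory
#   relative:ENTRY       an entry that does not start with "/"
#   world-writable:DIR   an existing directory that any user can write to
check_path() {
    # Append ":" so that a trailing empty entry survives the split.
    cp_rest="$1:"
    while [ -n "$cp_rest" ]; do
        cp_entry=${cp_rest%%:*}   # text before the first ":"
        cp_rest=${cp_rest#*:}     # text after the first ":"
        case $cp_entry in
            "")
                echo "empty" ;;
            /*)
                if [ -d "$cp_entry" ]; then
                    # Character 9 of the ls mode string is the "other" write bit.
                    cp_bit=$(ls -ldL "$cp_entry" | cut -c9)
                    if [ "$cp_bit" = "w" ]; then
                        echo "world-writable:$cp_entry"
                    fi
                fi ;;
            *)
                echo "relative:$cp_entry" ;;
        esac
    done
    return 0
}

# Constructed values: the first ends in the ":" that appending "$p:" on
# every pass of a loop leaves behind, the second does not.
check_path "/usr/bin:/bin:"
check_path "/usr/bin:/bin"
```

Calling check_path "$PATH" at the end of .bashrc shows whether the assembled value contains any of these entries on the current host.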

That worked fine for a while, but I had a problem with manpages. Some manpages on certain commands wouldn’t reflect the actual command I’m calling. I made another modification to the script to build a dynamic MANPATH.

# Set the manpath
MANPATH=""

for m in $PATHLIST
do
        # The man directory sits next to each bin directory
        BASE=`dirname "$m"`
        if [ -d "$BASE/man" ]; then
                MANPATH=$MANPATH$BASE/man:
        fi
done

If there’s a manpage directory outside of the scope of PATHLIST, just add it to the end of the variable in the form of “/path/to/bin”. If the bin directory doesn’t exist, it won’t be added to the command search path. But, if the corresponding man path exists, it will be added.

Anton Chuvakin

Related link: http://17799-news.the-hamster.com/breaking-news-2.htm

ISO has finally come out with “Information Security Management Systems Requirements” or ISO/IEC 27001:2005. It “defines an Information Security Management System, creating a framework for the design, implementation, management and maintenance of IS processes throughout an organization.” The linked blurb also explains how this new 27001 standard relates to the old 17799 standard.

So what? My point exactly! :-)

Related link: http://www.securityfocus.com/columnists/363

I just read an article by Kelly Martin over at Security Focus in which he endorses the idea that governments (US and otherwise) should mandate the use of two-factor authentication for banking. I disagree slightly with the need for legislation, because it seems like the market will eventually force banks to provide this service in order to compete. I strongly disagree with his notion that,

The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for the mitigating the phishing threat.

Two-factor authentication might be able to deter a few specific phishing schemes, but it will have almost zero effect on the long term problem. For example, it won’t prevent a man-in-the-middle attack or a root kit with remote view and control capability. In the first case, the attacker simply passes the extra authentication data, and in the second case, the user authenticates both parts for the attacker. At that point the attacker can view the session, and possibly use cached credentials to access the site while the user is idle. There is also little to stop a phisher from impersonating the challenge response portion of the login on a rogue web site. This might not be useful in terms of compromising the account (since the one-time password is useless for future sessions), but it could easily add credibility to a “Verify Your SSN” site or other information harvesting scheme.

Bruce Schneier has written on this topic, and I find that interesting since Martin cited another article by Schneier:

I have to agree with what Bruce Schneier wrote recently, that pushing all the responsibility from consumers to financial institutions (and most likely, doing it through legislation, if you ask me) is the only way to get this done.

Schneier’s article from Wired makes the point that “security works best when the entity that is in the best position to mitigate the risk is responsible for that risk” and argues that “Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem.” But, he also notes that a recent anti-phishing law in California fails to address the issues. The article doesn’t mention two-factor authentication as a potential response either, and given his earlier writing on the subject, I wonder what his response to Martin might be.

Update: I just noticed that Bruce Schneier wrote a follow-up to his post on two-factor authentication. It sums up some of these issues nicely.

What’s your take on phishing legislation and do you think two-factor authentication will change anything?

Anton Chuvakin

Related link: http://www.hackoff.com

If you are looking for a fun (I do overuse the word, don’t I? :-)) way to start your day, start it at Hackoff.com. The site hosts a “blook” (a book published one chapter at a time on a blog) about trials and tribulations of a security-related startup in 1999 and 2003. The book is actually a pretty addictive crime novel, so read on!

Anton Chuvakin

Related link: http://blog.qaddisin.com/2005_10_16_archive.html#112957928164808628

A fellow blogger commented on the miserable state of security publications, such as magazines. So, what good, mediocre and, mmmm, “other” print security periodicals are out there? Note that what follows is my personal opinion and not any kind of ‘objective evaluation’.

  • “Information Security Magazine” - still a nice read, even though it’s been wavering lately.
  • “ISSA Journal” - some criticize it, but I like it. Sometimes there is a gem of an article in there.
  • “SC Magazine” - no comment on this one :-)
  • “Information Systems Security: The (ISC)2 Journal” - a bit academic at times, but contains interesting pieces. Subscription is a bit expensive though.
  • “IT*SECURITY Magazine” - a new entrant to the scene; I liked a couple of articles, but haven’t formed my opinion on it yet.
  • “CSO Magazine” - can be hilarious on technical issues, but a good read for those with interests “higher up the stack”
  • “USENIX ;login” - my subscription expired, but I liked it for both esoteric technical insight and opinion pieces.
  • Tom Adelstein

    AddThis Social Bookmark Button

    Have you ever heard the sound of a hard drive before it dies? If you haven’t, you will know it the next time even if it happens years later. Hard drives don’t usually fail for a few years depending on their use. Never-the-less, they can randomly fail for no apparent reason.

    A Western Digital WD800 chose to start a rapid descent recently at an inopportune time. That’s the normal way these things happen: Early in the morning when you can hear an air conditioner running two blocks away with your doors and windows closed. Naturally, you have a deadline or a deliverable you cannot miss.

    I quickly discovered a 4.2 Gigabyte IDE drive purchased some years ago and never used in a closet. I quickly swapped it out and hoped I would have enough space to install Linux quickly and hit the floor running again.

    The desktop on the WD800, an 80 Gigabyte internal drive ran Fedora Core 4. I had the data files backed up and I felt even my little drive could get me through the night.

    But Fedora in its most stripped down version filled the entire drive. I removed everything I could from the distribution including wallpapers and themes. That hungry little hatted Linux distribution wanted 3.5 Gigabytes of diskspace and insisted that’s all the drive could hold.

    I had just finished testing and installing SUSE 10 but it didn’t like my disk either. Even when I minimized the installation it missed those X-org libraries and wouldn’t give me a desktop.

    Two hours had passed and we were getting little done. I had cranked up my ThinkPad which I only use for making presentations and even though I was still about 50% productive, I needed a complete desktop with my productivity tools.

    I remember Ubuntu

    I downloaded the most recent Ubuntu 5.10 distribution on one of my servers. Luckily, I have a lot of bandwidth. That single CD installation disk makes getting started easy. Fedora required four disks and SUSE needed five.

    As I continued pecking on my laptop, I noticed that the Ubuntu web site had its pipes wide open. It’s nice to download an iso image in less than 30 minutes.

    I burnt a CD-R and booted my storage-challenged PC from that disk. Ubuntu didn’t complain at all. It pulled down the entire distribution in only 1.4 Gigabytes. That’s correct. I installed the entire Ubuntu desktop on a 4.2 Gigabyte Western Digital hard drive and had plenty of space to maintain a home directory and put data files in my document directories. Not bad.

    Finished and Curious

    I finished my article and emailed it while the morning remained young. Did I call it a work day and fall asleep? Of course, I didn’t have the nerve to wait until I was rested to check out Ubuntu.

    I learned several things as I rummaged through the installation. Most importantly, Ubuntu installed everything I usually get with Fedora or SUSE. I thought I could squeeze it down some but using Synaptic to remove some unwanted packages would have meant losing the Ubuntu desktop.

    At least the developers warned me when I tried to remove things. With Fedora and SUSE I could remove packages and I would get a warning. But, those warnings didn’t prevent me from removing things. At some later time, I would discover something had stopped working and I would spend time finding libraries and other dependencies.

    I also found that Ubuntu provided the same stock applications that came with SUSE and Fedora. So, the Ubuntu menus came filled up. In fact, a few more things came with Ubuntu than the others.

    As much as I looked around, I could not readily tell why Ubuntu had such a small footprint. But I realized that the clever engineering made Ubuntu a nice fit for older equipment found at schools in developing nations.

    A Better Ubuntu

    I did a review of Ubuntu back in June 2005. You can read the article here. At the time of that article, the project released version 5.04. The current release I downloaded, 5.10, appeared as a drastically improved product.

    I remember spending a significant amount of time fine tuning version 5.04. With the current distribution, the Ubuntu developers had already smoothed out the wrinkles. The current version ran faster, start-up times for applications were much faster and the look and feel improved dramatically.

    I could see a noticeable difference between the current and previous releases. Fortunately, the project team didn’t make big changes in the user interface. The changes they made were subtle and gave the package an eloquent feel.

    The big improvements in Ubuntu 5.10 had to do with the operating system itself. Better performance, the wheels didn’t fall off and the package didn’t seem to have a lot of bugs. The few patches I did download - six - downloaded rapidly and also installed in the same manner.

    I appreciated the obvious work that the team put into Ubuntu. I elevate Ubuntu 5.10 from a hobbyist distribution to an enterprise desktop. I would be pleased to install it anywhere.

    Final Thoughts

    Normally, I would write a review of Novell’s SUSE 10 desktop with screen shots and recommendations. Then I would go to the next distribution and do a methodical review of it. I refer to that work as “covering the seasonal releases”.

    I may not do that this time. The unusual circumstances I faced when needing to install Linux in a crunch made me really appreciate the carefully planned and engineered Ubuntu desktop. You guys helped me out and here’s a tip of the Stetson to ya.

    Anton Chuvakin

    Related link: http://www.threatchaos.com/archives/2005/10/dangerous_meme.htm

    In my old SANS webcast titled “What’s NOT Working in Security in 2004” I mentioned security awareness as one of the failures. This insightful blog entry from a controversial (due to the “death of an IDS” report of 2003) Richard Stiennon highlights the faults and inherent limitations of security awareness training.

    Granted, it is very hard if not impossible to develop technical safeguards against social problems (like employee abuse and ‘social engineering’ attacks), but using security awareness training to plug the holes in technical security countermeasures is not going to work either. Here are some of the highlights: “Security awareness training is like the “Quidado!” sign a hotel or airport erects over a puddle in the middle of the hallway. A dangerous situation is addressed with a sign instead of the immediate application of a mop.”

    And even harsher: “I say no. Education is not key to security. Good security technology is key to security.” He then continues to escalate to this: “If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed.”

    Thoughts?

    Anton Chuvakin

    Related link: http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.html

    Often people find it very hard to compare security solutions (be it software or hardware appliances). Some solutions, like firewalls, have relatively well-established testing criteria, while others, in newer spaces of a security market, do not. A team from Web Application Security Consortium (with the author of this blog included) came up with the “Web Application Firewall Evaluation Criteria” document. It covers the following areas of functionality of a “web firewall”:

    • Section 1 - Deployment Architecture
    • Section 2 - HTTP Support
    • Section 3 - Detection Techniques
    • Section 4 - Protection Techniques
    • Section 5 - Logging
    • Section 6 - Reporting
    • Section 7 - Management

    If you are looking at that type of a technological safeguard, do read the guide.

    Chris Josephes

    Related link: http://search.cpan.org/~aburlison/Solaris-PerlGcc-1.3/pod/perlgcc.pod

    Before Solaris 8, your perl options were pretty straightforward. You downloaded the perl source code, compiled it, and that was your perl distribution.

    Then Sun added perl to Solaris 8, but it was still a mixed blessing. If you didn’t have the Sun Forte C compiler, you wouldn’t be able to easily install modules with bundled C code. You could download gcc, but the Config.pm module wouldn’t recognise it as the compiler that built the perl distribution.

    Your options were to modify Config.pm, or just compile your own distribution. I think more people opted for the latter decision as the Solaris release of Perl was a couple of versions behind.

    Now in Solaris 10, you have a few more options.

    1. Perlgcc. The perl 5.8.4 distribution comes with a program called perlgcc, which runs perl under a modified Config.pm module. It will believe it was originally compiled with gcc, so you don’t have to make any modifications yourself.

    2. Sun Studio 10 Compiler. You can download the Sun Studio Compiler, and use that for the compilation.

    Both methods work pretty well. I ran a few test builds of module distributions with no problems.

    My bigger relief is that Sun is showing a better commitment to Perl now than in the past. Their default apache2 distribution actually comes with mod_perl installed, which is a nice touch.

    Anton Chuvakin

    Related link: http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_061005_1

    Here is a nice bunch of useful diagrams of various security processes, from general workflows to vulnerability management. It is labelled by the poster as “Hamster Wheels of Pain”. Also, check out the securitymetrics mailing list hosted at the same site.

    Anton Chuvakin

    Related link: http://www.chuvakin.org/rss2html/

    Lots of fun info comes from RSS feeds nowadays (but then again, everybody knows this). I read a bunch of RSS feeds related to security and now you can too! I converted them to HTML and posted them at my site for better sharing.

    Anton Chuvakin

    Related link: http://www.misterpoll.com/results.mpl?id=1895245195

    So, my vulnerability poll has been running for a while, and the results seem to be pretty consistent: so far, 87% of 55 respondents blamed the software vendors for the current security rampage. Not hackers, not users, not anybody else. Admittedly, I might have phrased the questions wrong or some other bias has crawled in (such as audience selection). So, is the question closed? Not really!

    For example, this guy writing an nCircle blog seems to think that the results are “misplaced”. Users are to blame, but not because they don’t patch or harden. Users buy the buggy stuff that software companies write - and thus are the responsible party, according to the above blogger…

    Tom Adelstein

    Disheartening as it seems, corporations, governments, start-ups and small businesses have difficulty recruiting and retaining talented Linux IT workers. That has become a familiar refrain whenever Linux fails the adoption test in many places across the globe.

    Some Linux luminaries have suggested implementing in-house training for existing staff. Unfortunately, curriculum and trainers seem in short supply. Another aspect of this problem relates to cost. Those willing to provide training underprice their services and wind up losing the respect and trust of decision makers.

    The Problem?

    Most human resource people believe Linux is an air conditioner company. They get confused between the term Linux and Lennox. So, HR recruiters define their job profiles like this:

    Linux programmer needed by enterprise. Skills required:

    REFRIGERANT METERING DEVICE CALIBRATION
    LEAK TESTING
    LIQUID & SUCTION LINE SERVICE VALVES KNOWLEDGE
    START-UP
    CHARGING FOR TXV SYSTEMS

    Five to ten years of relevant training and master plumbers’ license required. Will accept equivalent for H1B applicants. Microsoft Certifications a plus.

    I had a great deal of difficulty getting a job when I applied for positions such as these. I never made it past the first interview. Oh, I had the Microsoft Certifications, Novell, extensive programming skills and experience with Oracle reports and forms. I could tune numerous commercial databases, implement redundant systems, configure web servers. I also had hardware repair and maintenance knowledge and experience ranging from rebuilding large Sun Sparc systems to small Intel systems. But, I couldn’t charge TXV systems or handle the liquid & suction lines. Ethernet, Token Ring, ArcNet, but not those l&s systems.

    So, I had to start my own firm. I landed a programming project and found four qualified people immediately. My best programmer came from Goodyear. He was an errand boy. He swept the shop, made deliveries and pickups, cleaned up after hours and took verbal abuse from everyone.

    I doubled his salary to $11.75 per hour. He immediately came in and won the project lead position. I promised him a raise on his 20th birthday that fall. With a little guidance, he built the first version of a replacement for Microsoft exchange running on an IBM S/390.

    I found a couple of older chaps, one already twenty and his cousin twenty one. The first young man had just started getting unemployment compensation as he had lost his job at an outsourcing call center where he made $10.50 supporting Microsoft MSN. His cousin left his spot when he heard about the opening. He had advanced to $13.75 per hour and was on a fast track to assistant mentor.

    The fourth member of the group had spent over a year on the bench at a major outsourcing firm. He specialized in project management in an object-oriented environment. His main drawback was a lack of experience with Microsoft Foundation Classes.

    And You Say You Can’t Find Linux Talent

    One of the better hires I made came from a city government. The city hired him to train and work with an assortment of mainframe and Microsoft programmers and admins. Suddenly, he went from a strong candidate to laughing stock of the IT department.

    I called his former CIO and found out that everyone in the department complained about him. He must have overstated his knowledge and experience on his resume. He was weak at best.

    This employee turned out to be one of my better all around people. He could program in several languages and had excellent system administration skills. He did his job and managed several systems including CVS, web services and documentation. He also kept our Microsoft development servers functional. I had to back him up once he took the job off my plate, but I never had to reboot another system while he worked for me.

    Linux Migration Nixed

    OK. You have seen these stories, I’m sure. People say that not enough Linux talent exists. I have heard some uninformed statements in my day, but this one ranks up with if you eat everything in sight you will lose weight.

    I read ads for Linux positions on several career sites when I thought about writing this story. I covered a two year period. I saw two positions for Linux system administrators with no conditions asked.

    I also went into a thousand job ads that wanted Linux skills with CNE, MCSE and other certifications. Ads required experience with AS/400 and iSeries, S/390 and VM skills, knowledge of the Linux kernel and NT programming in C++.

    What are you - of unsound mind? You guys can’t enter into a contract because of capacity? Too busy for your spouse and family?

    Of course you can’t find Linux talent. Yet at every Linux User group and UNIX User group meeting I attend across the globe, I can find dozens of good Linux people looking for work - any work.

    Here’s your perfect candidate: 5 years experience, MCSE, RHCE with S/390 programming experience, Linux device driver and kernel programming, documentation specialist with excellent written and verbal skills and the ability to interact with C-Level management. NO vacation or medical. One week vacation negotiable after two years of tenure. Minimum seventy hours per week, exempt. $28,000 annual salary, no relocation expenses. English as a second language a plus.

    Some Final Thoughts

    An abundance of people exist with excellent Linux skills. If you cannot find them, I suggest the breakdown exists on your end. You can fix that by changing your hiring practices and listening instead of telling or ordering.

    You’re travelling through another dimension, a dimension not only of sight and sound but of mind; a journey into a wondrous land whose boundaries are that of imagination. That’s the signpost up ahead - your next stop, the Linux Zone!