Archive for October 2008

Mark Shuttleworth on the future of Ubuntu

October 31, 2008

The Register has an interesting bit on Mark Shuttleworth who is the founder of the Ubuntu Linux distribution. It is a great piece with Shuttleworth himself describing what his goals are for Ubuntu. Reading the article you can’t help but love the guy, but more importantly he engenders the open source and Linux attitudes that I was describing in my earlier post. It is interesting to note that so far all of the money that he has put into Ubuntu and Canonical (the commercial enterprise around Ubuntu) hasn’t returned any money, but he is still positive that eventually it will.

The bigger picture here is just exactly what his business model is. Towards the end the article highlights this:

When asked if anyone can make money selling a desktop Linux, Shuttleworth was blunt and candid. “No. I don’t think anybody can. And that is a good thing.” The revenue model that Shuttleworth had when he created the Ubuntu project and the Canonical support organization was to give away the software and patches and rely on tech support and other services that are required by some users and businesses to generate the revenues that give people at Canonical their jobs.

I see this as a major stepping stone in modern day society. I like the term Mike Masnick at Techdirt uses for this: the Economics of Free. The idea is using something free to generate revenue in a different way. Mike often uses this to explain why major label record companies need to adapt to new business models or face disappearing with the changing times. Essentially bands could give away recordings to generate a following and sell scarce goods (t-shirts, concert tickets, autographs). Google is probably the best example of this. You pay nothing to search on their website or use Gmail and yet they are generating billions of dollars, but how? They give away their search and in return have an audience for advertisers. That audience would not exist if Google were charging for search privileges. In fact, we would likely not be referring to “search” as “googling” if it weren’t for Google using the economics of free; likely it would be an obscure search engine generating very little money. Obscurity pays nothing and the idea is that by giving things away for free you generate momentum that may help you move out of obscurity. Some seem to think that open source and Linux is a losing battle and that you cannot make money when you give things away, but this is simply untrue. Perhaps you can’t make money at this moment from Linux, but the tide seems to be changing and at least Shuttleworth seems confident that Canonical will be making money eventually. For his sake I hope he is right. I particularly hope that the ending paragraph is correct in asserting that one day even Microsoft might be giving away their OS and opt for a support model. We’ll see what the future holds.

The Netbook revolution

October 31, 2008

Perhaps you have heard the term Netbook around and wonder how is a netbook different from a notebook or maybe, “Did they misspell that?”. Well as with most made up terms nothing is solidified yet, but generally a netbook is a small lightweight, low cost computer. They have screen sizes under 12 inches (most are either 10 or 9), weigh under 3 pounds, and cost around $500 or less. Generally speaking they are good for internet purposes and lightweight use. In my opinion ideal for browsing the web or for students traveling a lot. In fact my wife has a Dell Mini 9 and absolutely loves it. She is a student in Boston and often has to park a distance from her class and carry multiple books. For her having a small and light computer was essential.

Generally these machines run on Intel’s Atom processor, which is a processor specifically engineered with netbooks in mind. The processor is adequate for running XP, but would tank on the resource heavy Vista. As a result netbooks tend to come with either XP or a version of Linux pre-installed. Netbooks also often run on 1 or 2 GB of RAM at most (generally I would recommend no less than 2GB, but with the smaller architecture of these machines 1GB is often sufficient). Also, depending on the model, you can choose from SSD (solid state drive, much like your thumb drive) or regular hard drives. Since these machines aren’t designed to be used as performance beasts, but rather mobile feathers, the SSD offers clear advantages over normal drives. However, if speed is of the utmost importance and you are going to be using Windows the normal hard drive may be a safer option. The Dell Mini 9 only comes with SSD option and so far my wife and I have been very pleased with the performance and notice minimal lag even using XP (note that you can optimize the Linux kernel for SSD performance). One other slight annoyance to some is that the keyboard must be altered and shrunk in order to fit in the space required. Nothing stops you from plugging in a USB keyboard when you are home, but if you are in class taking notes you will need a little bit of practice beforehand. My wife and I found that the ASUS EEE PC’s keyboard was unbearable, but really liked the Acer and Dell keyboards.

So why buy one?
If price is a primary concern. These machines mostly start around $500 with plenty of options below and some barely above. All of them are below $1000. In a tough economy that is hard economics to dispute.

If mobility is important. Particularly if you are a student or someone who travels the better part of the day or of your work. I could see myself using one if I were riding the T in and out of Boston every day.

If you mostly just check the web. If all you need is web applications (gmail, facebook, twitter) these machines are perfect for you and designed with you in mind.

Why not buy one?
These machines are not intended to be your only machine. They are purposely limited for the sake of mobility and size. Very few have hard drives (whether ssd or hd) that are larger than 50 GB, and most don’t offer more than 2 GB of RAM (with 1GB being more common and 512 MB as an option). None of them have a CD or DVD drive (think about it to have one you need space in that tiny machine the same size as a DVD…not going to happen).

Performance…doing heavy lifting will be an arduous task with these machines. If you use Photoshop or any movie creating software then this would not be your primary machine (it might make the perfect second machine, but not primary).

Fat fingers…if you fat finger a regular keyboard this machine will be hell. Now you might look at the larger 10 or 11 inch machines, but my wife’s 9 inch does take some getting used to. Again it is nothing that practice wouldn’t help, but they do rearrange some keys that I find very annoying.

So I gave you two recommendations. Dell and Acer, but I will say that everyone is talking about the ASUS EEE. If you want some more information check out this informative bit from The Register.

DNS, Networking, and Phishing

October 28, 2008

So in response to my  other post on the Chase Phishing scam I am writing a follow-up that serves two purposes. 1) It lets you know some networking internals which are great for troubleshooting purposes, and 2) gives you more detail about how phishing works.

So I mentioned in my last post that one of my clues that I was looking at a scam was the network address homeftp.net. But the question is would it be possible for the phishers to use chase.com? To explain that we need to back up to what is chase.com? Is chase.com the actual address? The answer in short is no. The way computers talk to each other is through an IP (internet protocol) address. The IP address isn’t a name like Mark Rosedale, but a number (like your SS number). Each machine on a network has an IP address that lets other machines know where to find it and how to communicate with it. If you open up the Terminal (Mac: Applications, Utilities, Terminal.app; Linux: Applications, Terminal) you can type in ifconfig and see:

mrosedale$ ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::217:f2ff:fed2:6e89%en0 prefixlen 64 scopeid 0x4
inet 172.30.254.193 netmask 0xffff0000 broadcast 172.30.255.255
ether 00:17:f2:d2:6e:89

Here for en0 (my first ethernet device, it counts starting at 0) my inet = 172.30.254.193. That is my IP address. Now any machine that wants to get a hold of mine can do so through this address. Now take Chase.com’s address. To find that in the terminal type nslookup chase.com:

mrosedale$ nslookup chase.com
Server:        172.30.1.2
Address:    172.30.1.2#53

Non-authoritative answer:
Name:    chase.com
Address: 159.53.60.105

That is Chase’s IP address according to my DNS servers (notice the “Non-authoritative answer”). Note that you can use nslookup with an IP address to find out what the domain name is for that IP address (nslookup 159.53.60.105). So what is DNS? In its simplest form it associates the name chase.com with the actual IP address. Chase’s address is actually the string of numbers, but through a complex network of DNS (name) servers, that your computer can question, you are taken to the correct place. You can bypass the DNS servers if you know the IP already. Try typing in that IP address in your browser and you will see that it takes you directly to Chase’s website.

To see the string in action we can use another command called traceroute. Traceroute tracks every machine that your request goes through to get to the destination.  See for yourself:

mrosedale$ traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
traceroute to google.com (72.14.207.99), 64 hops max, 40 byte packets
1  cam-mpls (172.30.0.2)  1.464 ms  1.342 ms  0.663 ms
2  east-gw.oreilly.com (209.58.173.1)  6.208 ms  6.812 ms  2.739 ms
3  cmbr1-br1-s1-1-1-11.wharf.shore.net (209.58.139.181)  219.762 ms  178.438 ms  163.300 ms
4  209.227.128.134 (209.227.128.134)  268.381 ms  306.392 ms  300.790 ms
5  p3-2.pr1-jfk.primustel.com (209.227.131.1)  275.102 ms  219.420 ms  233.960 ms
6  p6-1.pr1-dca.primustel.com (209.227.129.145)  213.833 ms  339.987 ms  333.944 ms
7  209.227.129.182 (209.227.129.182)  275.529 ms  170.010 ms  167.073 ms
8  eqixva-google-gige.google.com (206.223.115.21)  216.749 ms  277.703 ms  291.127 ms
9  209.85.130.12 (209.85.130.12)  256.757 ms 209.85.130.18 (209.85.130.18)  271.546 ms  381.697 ms
10  66.249.94.234 (66.249.94.234)  412.589 ms  344.461 ms 209.85.248.217 (209.85.248.217)  375.775 ms
11  72.14.233.113 (72.14.233.113)  336.960 ms 216.239.43.146 (216.239.43.146)  287.569 ms  309.612 ms
12  66.249.94.92 (66.249.94.92)  335.965 ms  359.242 ms  328.390 ms
13  * 66.249.94.118 (66.249.94.118)  384.661 ms 72.14.236.130 (72.14.236.130)  404.180 ms
14  eh-in-f99.google.com (72.14.207.99)  353.024 ms  327.035 ms  253.070 ms

You can see from here that your request goes through an awful lot of machines to finally reach the destination of google.com (which as you can see from the warning above uses multiple addresses for load and balance purposes). This is kind of a fun tool as you can see where the majority of your traffic gets routed to, but this shows the many DNS servers that process your request so that you get to the right destination. Who runs these DNS servers? Every domain does. That is how this relates to the phishing scam. You rely on your own DNS and other people’s DNS to get you to the proper IP address when you type in chase.com. It would be feasible that if one of those machines in the chain had been hacked or circumvented that when you type chase.com it actually takes you to a different location. It is an inherent weakness in our internet structure.

One more tool to help you determine information relevant to domain names. Whois is a wonderful tool that lets you know all of the registration information for a domain name (the output is too large to paste). It gives you information about who the domain name is registered to and for how long, and gives you the name servers. This is extremely helpful in our phishing case. If I do a whois chase.com and get some weird results there is a good chance that there is a DNS bug. Of course it could be as simple as your DNS server having some out of date information, but it could be a sign of some more nefarious actions taking place.

Ultimately your best line of defense is the aforementioned SSL cert. Those certificates aren’t handed out to just anyone. If the phishing scam had sent me to chase.com, but my log in was not https://chase.com, but http://chase.com that is a clear sign that I shouldn’t log in (all of your information is sent over clear text for anyone to read). And if the person were using an SSL cert that doesn’t match chase.com (i.e. registered to someone else or self signed) Firefox would have sent up warnings.
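The checks described in these two posts (is the link https, and does its host really belong to chase.com) can be written down as a small offline triage function. This is an added example, not code from the original post; the function name check_link, the finding labels and the sample URLs are assumptions constructed for illustration, and only chase.com, homeftp.net and 159.53.60.105 come from the post.

```python
# Added example (not from the original post): triage a link found in an email.
import ipaddress
from urllib.parse import urlsplit


def check_link(url, expected_domain):
    """Return findings for a link that claims to belong to expected_domain."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()

    # 1. Without https there is no certificate to check and the login
    #    travels in clear text.
    if parts.scheme.lower() != "https":
        findings.append("not-https")

    # 2. Anything before '@' in the authority is userinfo, not the host.
    if parts.username is not None:
        findings.append("userinfo-in-url")

    # 3. A bare IP address cannot be matched to a domain name by inspection.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
        return findings
    except ValueError:
        pass

    # 4. The host must equal the expected domain or end with ".<expected>"
    #    on a label boundary; a substring test would accept look-alikes.
    if host != expected and not host.endswith("." + expected):
        findings.append("host-mismatch")
        if expected in host:
            findings.append("expected-name-embedded-in-other-domain")
    return findings


# Constructed sample links (hypothetical paths and subdomains).
SAMPLES = [
    "https://www.chase.com/login",
    "http://chase.com/login",
    "http://login.example.homeftp.net/chase/",
    "https://chase.com.example.homeftp.net/",
    "http://159.53.60.105/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link, "chase.com") or "no findings")
```

An empty result only means the URL is well formed for the expected domain; the browser's certificate check is still what ties the connection to that name.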

I hope this gives you some good information about networking basics and a little more detailed information about phishing. The phishers in my case could have done a lot more to try and fool me.  Hopefully you will be well equipped the next time you receive such an email.

Thought of the day – newegg.com

October 27, 2008

If you build systems or fix them, you occasionally will have to buy parts. As this is a hobby of mine as well as a vocation, I am very interested in finding the best parts for the best price. And today I want to put in my plug for Newegg.

The amount of equipment I have purchased from Newegg is significant for a small-timer (I think it may be around $3,000 or so).  And on the various orders I have made, I found them to be consistent and inexpensive, with top-notch customer service (the one order I did have an issue with – which, by the way, was UPS’s problem, not Newegg’s).

All this to say that their site is fast, their processing is accurate and quick, their prices are basically the best out there for retailers (sign up for their newsletter to get the best deals), and their service is the kind that makes me proud.  If you don’t get their newsletter, you should.

Open source hardware?

October 27, 2008

On the issue of open source most people think of software, but there has been a growing trend towards open source hardware as well. Today I caught a very interesting article on Wired about Arduino. The article does a very good job at pointing out the advantages and disadvantages of using an open source business model for hardware, and has multiple examples (with some notable exceptions).

If open source intrigues you as much as it intrigues me then you should check out the Wired article.

Here are a few more links to projects and resources around open source hardware.

P2P foundation is an excellent place to start finding open source hardware.

OpenMoko is an open source cell phone that has been around for a while. I am looking forward to seeing this product develop.

Daisy MP3 player looks very promising. Essentially you could build your own MP3 player just the way you like it.

And of course the already mentioned Arduino looks very promising.

I had already been following some of these products and look forward to seeing the development of open source in the hardware market. We are already seeing home fabricating printers and eventually the technology might be present where you could design, tweak, and make all of the components in your home. The DIY pieces seem to be falling in place and fortunately most of them are already open source allowing you ultimate freedom.

Chase phishing scam…if you use chase please read.

October 25, 2008

I just received an email from customerservice@chaseonline.com about recent fraud activity. Here is the actual message:

Right away I was pretty certain that I was staring straight into the eyes of a phishing scam, but I decided to investigate. For one I checked the mail header and am pretty sure that a) chaseonline.com wasn’t a Chase domain and b) that yokoi.deviantart.com wasn’t their mail relay for official messages. I went ahead and went to the linked website and it was a perfect copy of the actual Chase website. But the DNS address was pointing to a homeftp.net…yea not Chase. But one other major flag was the lack of https (that s makes a huge difference). Even without all of the other research that I did one should never log into a bank/credit card site that isn’t secured with a proper SSL cert. Of course if the scammers were good they could have used a self-signed SSL cert…which is where Firefox comes in. Firefox will warn you before allowing you to enter any site with an improper SSL cert. Some people think this is a bad thing because self-signed SSL certs aren’t necessarily a bad thing. I agree, I use them where they are needed, but it is a pretty simple task to allow an exception in Firefox, and I would rather know if the website I am going to has a proper cert or not.

I called Chase to let them know and made sure that my account was, in fact, safe. But if you have a Chase account be warned and don’t trust an email. When in doubt call the number on the back of your card.

How much is Linux worth

October 23, 2008

The Linux Foundation posted the estimated worth of Linux. According to them the kernel alone is worth 1.4 Billion and the entire OS is worth 10.8 Billion. Now the method they used isn’t the most scientific, but it isn’t a bad method either, especially considering there really is no foolproof method to monetizing Linux. You can see from the numbers that it is no small task that the Linux OS exists and has come to be as powerful as it is. You also come to realize how much Windows and Apple must be spending to keep their own OS offerings going.