JDPFu.com 2024

May 2021 Update

• Added kernel, header, module removed command to purge them from APT.


• Clarified /forcefsck options, slightly.

Jan 2020 Update
A little cleanup.

June 2018 Update
The big ideas below haven’t changed. Really the main change is to using apt instead of aptitude or apt-get for package management. apt is a newer, simpler, front-end to apt-get that does some housekeeping things automatically. I’ve been using apt for about 2 yrs.

Nov 2015 Update
If you want 5 years of support for your Ubuntu system, then it is important to check the Ubuntu Release Support webpage to verify the official support dates. For example,

• 14.04.1 support ends April 2019
• 14.04.2 support ends August 2016
• 14.04.3 support ends August 2016
• 15.10 support ends July 2016
  What does this mean?
  Use aptitude update on 14.04.1 systems to maintain the LTS support. If aptitude dist-update is used, then support time is significantly reduced. For a desktop that will be updated to 16.04 LTS, it probably doesn’t matter. For a server that will not be update before August 2016, this is very important.

2014 Update
After years of using apt-get, I’ve finally seen the aptitude light. Aptitude has solved a few dependency problems that apt-get puked over. It is smarter. Now I’m recommending that aptitude be used over apt-get. That is the only change below and for almost every common use, swapping apt-get for aptitude is the only change. That is the situation in this article. I did not update any comments to reflect this change. Learn more about aptitude from the Debian Wiki.

2013 Update
With newer Linux installs, there has been a huge problem with old kernels not being cleaned up automatically. For some people, this has caused their package manager to get stuck with an out of storage error. Until they can remove the issue, their system is stuck in APT-Hell. Not good at all. This article has been updated to add cleaning up kernels to the list.

Original Article Continues

I decided to write this entry after reading an article over a Lifehacker by Whitson Gordon titled What Kind of Maintenance Do I Need to Do on My Windows PC.

What kind of maintenance do I need to do on my Ubuntu/Debian/APT-based PC? Good question. It is pretty simple … for desktops. This article is for APT-based desktop system maintenance, NOT for Linux servers. Linux servers need just a little more love to stay happy. I haven’t used RPM-based distros in many years, so I’m not comfortable providing commands to accomplish the things you need to do, but the methods will be similar.

Let’s get started.

Install System and Application Patches/Updates

This will patch the OS and all your applications.

$ sudo apt  update; sudo apt full-upgrade

Done.

Don’t worry. This only updates the current distro to new packages and new kernels. It will not install a new release. If you need to stay on the current kernel, use

sudo apt safe-upgrade

. I’ve needed this only a few times in 15+ yrs of being a Linux administrator.

The apt manpage is pretty good and explains the subtle differences between upgrade, safe-upgrade and full-upgrade options. man apt will show it.

Read about more tips below.

There’s an old SSL/TLS security hole (from 11/2009) that has been out and patched for over a year (since 2/2010), but it appears that many major websites haven’t bothered patching it. CVE-2009-3555

The guys over at ssltls.de have a list. Seems that consistently patching is tough for many organizations. The list is pretty shocking for who is and isn’t patched. Take a look and be afraid. There are lots of big banks on the unpatched list. Scary. The list is not comprehensive, so just because your site or bank aren’t listed, doesn’t mean they are consistently patched.

• home.americanexpress.com is patched, but
• www.americanexpress.com cannot be confirmed as patched.

There are attacks in the wild that take advantage of this issue. I need to check whether my SSL sites are vulnerable too. Here’s an SSL checker

Adobe has decided to stop development for their fairly new Adobe-AIR platform on desktop Linux. For some reason, they will continue development on Android. Huh? Doesn’t Adobe know that Android is Linux?

AIR on 64-bit Linux Sucked

I tried AdobeAIR on a 64-bit Linux desktop about a yr ago to try a stock tracking app. It was slow and heavy so I removed it. Where I work, we dislike proprietary solutions that force vendor lock-in. AIR will not be installed on any of our machines regardless of OS and we advise our clients of the issues with AIR and all proprietary tools. The same applies to Silverlight. We won’t install it here and recommend that our clients do not as well. I would remove Flash if there wouldn’t be a revolt and I’ve already removed Adobe Acrobat from all our systems. We use alternatives with better security (or just fewer attackers). Adobe management doesn’t seem to understand how to build software that can be secure. They certainly haven’t shown a desire to do this based on the number of unfixed zero day exploits published continuously.

Whenever I visit a new website and they ask me to create a new login, I always wonder how that data is stored, especially the password. Some clues to poor password management:

1. plain text
2. hashed without a salt
3. reversible
4. support knows it
5. the system can email your password back to you
6. the system displays your password on a web page.

Theres a website that tracks sites with poor password management called PlainTextOffenders.com . That site estimates that 30% of all websites aren’t handling passwords appropriately. If you know of an offending website, let the plain-text-offenders know and publicize it. Sometimes that spotlight is enough to get the company to change.

The folks over at PenDriveLinux have been busy. They have a new version of their multi-boot creation tool for flash drives, YUMI (Your Universal Multiboot Installer). YUMI-0.0.1.7.exe is the current released version, replacing MultibootISO.

The MultibootISO tool never worked for me. I was using unetbootin to load a single ISO onto a single flash drive, but often I’ve needed gparted, then DBAN, then PARTIMG, then an full Linux like Ubuntu 10.04 or Puppy or TinyCore. With YUMI, you can have all of those on a single flash drive and select which to use at boot time. It seems to work fine.

They finally added an Unknown ISO option so ANY ISO you have with a distro can be added to the boot menus. The boot-up screens are automatically organized nicely by type of tool.

I just placed about 5 ISO files onto a single 2GB flash drive. As I write this, Android-x86 is booting on a netbook. SWEET! I can’t wait to try it out for an hour or so before trying out the new MeeGo x86 release. As long-time readers know, I run Maemo today, so MeeGo would be the next update for that device.

Well, I’ve attempted to boot 3 different OSes.

1. MeeGo failed almost immediately.
2. Lubuntu displayed the boot screen, asked for a language and eventually failed.
3. Android x86 was left to boot for over 30 minutes – the ……………. just kept coming.

The gparted ISO that I specified didn’t show up in the boot menu – I used a different ISO at the 3rd decimal point – mine was newer. I probably should have put it into the Unknown ISO group.

Some Good News

SpinRite did work perfectly. It is running now across all the partitions to refresh any lazy bits.
I moved the gparted ISO into the Unknown ISO group. Hopefully, it will work better there.

Today I wanted to add another OS to a netbook, an Asus Eee. My common practice is to boot a gparted ISO from a USB flash drive, move some data and partitions around and add a new logical partition to the end of the extended partition space. Write everything back out to disk. Then I’d boot the install disk/ISO and install to that newly created partition. Life was good, usually.

Today, I was greeted with gparted showing unallocated for the entire drive, all 160GB – unallocated. Ouch. This is the first time I’ve had partition table issues, ever, in over 20 yrs.

Today I was notified by my DNS provider that someone had requested the password be reset. They sent the reset link in the email on file and told me the IP address of the requester – in this case it was from Taipei, Taiwan 112. Good thing the DNS guys have a correct email address for me, huh? I suspect they hacked the ISP email address which I haven’t used in about … 10 years. Sometimes you get lucky. DNS – Domain Name Service is the telephone book of the internet. Learn more about DNS from Wikipedia.

• I won’t be resetting that password anytime soon. It is fairly long and random.
• I will be blocking all access to this blog from that ISP, however.

Subnet Blocked

Almost everyone likes Facebook and Twitter. We reconnect with our friends, they connect with us. People we don’t even know want to know us – that’s pretty cool, until it isn’t.

This will be old news for some folks. Keep reading … Here’s a story about someone named Wigginbottom who tweeted just a few too many details.

I’ve been a Skype user for many years. I’ve even had the paid subscription for months at a time. Generally, it did what I needed better than other solutions, until I tried to make it my home phone too. That worked, but not as well (quality) as I’d like.

Anyway, I find myself trying to get the latest versions of Skype for my systems this morning and ran into a few issues.

Here are things that didn’t work for me – for a normal user, these would be show stoppers.

So I was watching the HNN show for this week and near the end they showed a list of companies and the counts for unpatched, yet known vulnerabilities in their software. Below is the list. Not surprising me, but Adobe is at the top … again.

Company	Count
Adobe	25
HP	18
Apple	15
Oracle	14
Novell	12
Mozilla	8
Microsoft	7
Sybase	6
Symantec	4
RealNetworks	4

What does this information tell me?

• Stop using Adobe software. I think Adobe needs 3+ more years to create software that includes security by design aspects. Patching their old code-base, which is what they’ve been doing, doesn’t help. The design flaws from a security perspective are too large.
• I’m pretty impressed that Microsoft is so low with their huge number of software products.
• Oracle has never been very good at pushing patches for their products, IME. Their tools tended to be used on internal networks, not on the internet, so being lax wasn’t as big a deal. With the purchase of Sun, Oracle really needs to step up their patch fixes.
• I don’t use any Apple software … but they are involved with CUPS (UNIX printing) in some way.
• The HP issues seem to be mostly connected to backup software that I doubt most people have or use.