Beware: Open Source Projects and Oracle

Posted by JD 11/10/2010 at 09:53

Update 7/2015: Oracle isn’t screwing just F/LOSS projects, it appears. Is Oracle really forcing enterprise customers to use their cloud?

Seems that MSFT might be doing the same for Office 365 to get higher client counts. At least 1 major company who never intends to use Office 365 got a better license deal just by signing up. They never intend to use the service and are migrating to Postgres and LibreOffice as quickly as possible.

Original Text:
Oracle is effectively killing some of the most important, fantastic, open source and FLOSS tools that we’ve come to depend upon. This is really sad for the FOSS world. It will not be long before these currently open tools disappear because Oracle can’t directly make any money from supporting them. Let me explain.

Oracle is the New Evil Empire

Oracle has never been very friendly to FOSS or FLOSS, but since buying Sun Microsystems, they have effectively killed some of the most important projects.

The Almost Dead List – Some Already DEAD
  • OpenSolaris
  • ZFS
  • MySQL
  • InnoDB
  • Java
  • OpenJDK
  • NetBeans
  • VirtualBox
  • Oracle VM
  • GlassFish
  • OpenOffice

Here’s a list of FOSS from Oracle that will probably be only useful for historical purposes soon. Most of the leaders for these projects that Oracle got with the Sun purchase have left Oracle after trying to fit into the new corporate culture. Full disclosure: I’ve owned Oracle AND Sun Microsystems stock over the years. Since the Sun purchase, I sold ORCL and haven’t owned any shares in over a year.

If you are currently using any of those tools, you need to make strategic plans for alternatives. Oracle will be killing them off. Some will be saved by creating new FLOSS projects based on the last open license version.

Alternatives for Some
  • ZFS – BTRFS
  • MySQL – Postgres
  • Java – Ruby or C++ (or any number of lesser known languages like D or F#)
  • VirtualBox – KVM or VMware Player
  • OpenOffice – LibreOffice

Or you can just plan to purchase the right to use the tools at Enterprise Software Costs. Not cheap.

I’m not actively using most of the software listed above except VirtualBox, OpenOffice and MySQL. For those, I have alternatives, but like almost everyone else, change isn’t easy until it is forced on us.

I’m not anti-corporations, but Oracle has not been a good steward and I have no reason to believe they will change. Just look at the handling of the OpenSolaris shutdown. I was a member of a local OpenSolaris UG. The leader was a well known and respected former Sun Systems Engineer, currently working for Oracle. I miss the UG. Oracle has proven they cannot be completely trusted. They are willing to change the rules.

Without the GPL, BSD and similar FOSS licenses, we’d be completely screwed. Now is a good time to donate to the EFF or FSF. A $20 donation will go a long way.

Web-Ready PowerPoint Replacement

Posted by JD 11/10/2010 at 07:10

Came across an article on Linux.com about replacing PowerPoint with a different solution. S5 is a tool that I use to give presentations. It means the presentation is ready to be put on the web immediately, it is already a web page. It works and you can customize the way it looks, but the default is fine too.

S5 stands for Simple Standards-Based Slide Show System – it is an HTML file with JavaScript and CSS support files to control navigation and slide presentation, so it works the same on every platform. Just a browser is needed to view the presentation – pretty much any reasonable browser will work. Get the S5 files and get started.

Family Member Got Hacked - via Social Method

Posted by JD 11/08/2010 at 20:45

It had to happen eventually. Regardless of how careful we all are, if we run MS-Windows-something, our PCs will get infected. One of my family members, who lives a few states away, got infected with at least 1 virus, probably a botnet and a keylogger too.

I’m working on a plan to deal with the issue over Thanksgiving. Below are the initial thoughts.

End Open WiFi Access Points Now!

Posted by JD 11/06/2010 at 22:00

Open WiFi is convenient, but not secure. All of us need to help people and businesses providing Open WiFi understand the issues so they will stop providing it.

The real problem is that most people do not understand how insecure Open WiFi is. There’s a new Firefox extension that grabs social network connection credentials from people nearby on an open WiFi network. That extension works on Windows, Mac OSX, and soon, Linux. It is named FireSheep and anyone can get the FireSheep extension here AND it is trivial to use. This extension lets the nearby cracker act as if they are you on the social websites. They can post to Twitter as you, they can update photos on Facebook. For all important uses, they ARE you with just a click of a button.

The Fix – Easy

What is the fix? It is simple, just enable a trivial WPA passphrase for the WiFi access point. That’s it. This method is useful for all those small businesses to prevent most of the hijacking computer attacks, while still not really causing issues for their clients. For a simple example passphrase, Starbucks could use … er … “starbucks.” That would be enough to foil the FireSheep extension.

Not Secure Enough for Home or Business WiFi Networks

Ok, so this fix is just for places that provide an open wifi hotspot for clients and definitely should not be used by any business for their private network or by any of us in our homes. For small businesses and homes, you really want to follow my WiFi Security Checklist.

The Best Fix

Another way to solve this issue – a better way – is for all websites with a login to use SSL encryption for everything, all data. No exceptions. 10 yrs ago, that would have been computationally unreasonable. These days, having everything SSL encrypted adds about 3% overhead to bandwidth and compute requirements. That isn’t a big deal for almost any website to handle. The newest CPUs from Intel include special instructions to make AES encryption/decryption even less computationally intensive – becoming a non-issue.

If you have a website with encryption, please force SSL connections. There are some very easy ways to do this without touching the website. Simply use a reverse proxy like pound to provide the SSL connection handling, then forward the request to the back end web servers. This web site, jdpfu, uses pound both to proxy SSL and to perform load balancing of traffic across 3 server instances. Connections with logins stay on the same server instance, so there’s no session confusion between the different servers. All the web servers read and write to the same DB instance. SSL connections are all handled in pound and the application doesn’t know anything about it.

If you need help setting up pound, let me know below.
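A sketch of the setup described above, written for Pound 2.x; it is an added example, not this site's actual configuration. The hostname, certificate path, back-end addresses and ports, and the session cookie name are all assumptions.

```conf
# Added example: Pound 2.x configuration. Hostname, certificate path,
# back-end addresses/ports and the cookie name are assumptions.

# Plain HTTP listener: serves no content, only redirects to HTTPS so
# session cookies are not sent in cleartext over open WiFi.
ListenHTTP
    Address 0.0.0.0
    Port    80
    Service
        # With a host-only URL, Pound appends the original request path
        Redirect "https://www.example.com"
    End
End

# HTTPS listener: Pound terminates SSL; the back ends only see plain HTTP.
ListenHTTPS
    Address 0.0.0.0
    Port    443
    # PEM file holding the certificate chain and the private key
    Cert    "/etc/pound/www.example.com.pem"
    # Optional: drop any client-supplied copy of the header, then tell
    # the application that the original request arrived over HTTPS
    HeadRemove "X-Forwarded-Proto"
    AddHeader  "X-Forwarded-Proto: https"

    Service
        # Three application instances, load balanced by Pound
        BackEnd
            Address 127.0.0.1
            Port    3000
        End
        BackEnd
            Address 127.0.0.1
            Port    3001
        End
        BackEnd
            Address 127.0.0.1
            Port    3002
        End
        # Keep a logged-in user on one instance, keyed on the session cookie
        Session
            Type COOKIE
            ID   "_session_id"
            TTL  1800
        End
    End
End
```

The redirect only protects requests made after it, so the application should also mark its session cookie Secure so that a browser never sends it over port 80.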

What You Need To Have A Web Site

Posted by JD 11/05/2010 at 10:55

To have a web site on the internet, you need just 4 things.

  1. Registrar – these guys sell you the .com, .net, .org, .co.country, etc …. They maintain the ‘whois’ record. That’s it. The Registrar needs a record that points to your … DNS provider – also called a name server and backup name server record.
  2. DNS – Domain Name Service. This connects the domain name that you bought to the IP address(es) of the computers where the web site runs.
  3. Public IP Address – Any public IP address that is not on a private network or filtered for the service you want to make available. The service is usually HTTP on port 80 and/or HTTPS on port 443. Those are the default ports. Most people/companies will pay a hosting provider for both an IP and a server.
  4. Web Server – this is the computer program that listens on either port 80 or 443 and responds with the content you specify. While any ports can be used, end users are used to ports 80 and 443, so it is unusual to see other ports used. I’ve used other ports and seen how that lowers traffic, but it also breaks many content spamming programs.

Optionally, you may also need an SSL Certificate for encrypted web connections. These days, many websites have decided that only allowing SSL-based connections is worthwhile.

That’s all you need. Do you see how each of these things fit together so my-neat-domain.com becomes an IP and then shows a web page from a web server? Simple and it works billions of times every hour.

Simple Linux Firewall Tricks

Posted by JD 11/04/2010 at 12:38

The 7 Uncommon Uses of iptables over at linuxaria shows fairly easy to use solutions for the following:

  1. Block known dirty hosts from reaching your machine; block spammers and other known bad networks
  2. Unlock a pre-determined port once someone “knocks”, i.e. “port knocking”
  3. Use a restricted port externally, but a high port on the server – port forwarding
  4. Use your proxy only for external access, not in the local LAN – I’ve done this with PAC files
  5. Limit the number of ssh connections to 10
  6. Limit ssh to have just 1 session every 15 seconds
  7. Give multiple directives with a single command

Fail2ban can be used to address some concerns, but you may need to limit the connection count and rate from some IP addresses that could be considered system abusers.

Your Computer is Impacting Foreign Elections

Posted by JD 11/04/2010 at 10:45

The BBC is reporting that internet connectivity with Burma (Myanmar) has been effectively shut down in advance of the first elections held there in 20 years.

Only 200 PCs Needed

If the BBC report is true, it would only take 200 relatively low speed internet connected PCs to take the country of Burma off line. Let me explain. In the BBC story about Burma, it is stated the entire country is connected to the internet over a 45Mbps link, that’s a DS3 to the network and telecom people. It isn’t much bandwidth for an entire country.

To take any network or servers off line, all that any attacker needs to do is effectively cause your network to be too busy for user connections to get through. Just like a busy signal on your telephone. Doing that isn’t very hard.

Only 15 PCs connected with common home bandwidth could take down the country of Burma. That isn’t many PCs, is it? Even the slowest broadband connections have 256 Kbps, which means only 200 PCs are needed with that upstream connectivity to take Burma effectively off line. If a botnet controller wanted to attack an IP and they have 100,000 PCs, that translates to 25 Gbps. Most companies, even with large pipes like a Fortune 100 company has, would be taken off line. 200 PCs is a small number and could be quickly blocked, which is why botnet owners have 100,000 – 5M PCs.

MKV Containers - Why Use Them + Scripts

Posted by JD 11/02/2010 at 10:30

So the HD-Nation video-cast (available online or on your TiVo) did a few episodes about what you can do with MKV containers for your media.

Below are a few other links about MKV Containers and a few shell scripts to get the MKVs to playback correctly.

Solved-Increase KVM VM Image File Size

Posted by JD 10/31/2010 at 13:00

Seems that 2GB isn’t enough for some specialized PBX Linux solutions to build, so I found myself needing to increase the size of a KVM virtual machine image running Ubuntu Server 10.04 Lucid Lynx in the VM. This technique probably will not work for sparse or VMDK-based VM images. It should work for Xen and KVM IMG-based VM files, however. Anyway, below is how I did it.

Attempt 1 - OpenQRM on Ubuntu Lucid

Posted by JD 10/30/2010 at 10:54

This morning, I decided to install KVM and OpenQRM on a spare machine here. The machine is suitable to be a VM host with lots of CPU and 8GB of RAM. It is not a blank machine, rather, I wanted to add openQRM to it and leave the existing services running there … untouched. The existing services are for a storage server and DLNA/media server. Nothing too fancy, but there are some non-default settings that proved to be small issues when attempting the OpenQRM install.

Following the sparsely written guide Setup_your_own_openQRM_Cloud_on_Ubuntu_Lucid_Lynx from the openQRM team, I was hopeful that this complex system wouldn’t be so complex that I couldn’t get it running quickly and easily.