I've been on the lookout for a decent forum package. I don't particularly like forums, but users seem to for one reason or another :-) Open Source is nice, but there's a lot of badly done OSS forums. I'm willing to spend money if it's good.

There's a few I ran across that stuck out:

• phpBB -- this is commonly used, seems to work well, reasonably pretty, etc etc. But, it has the track record of BIND and Sendmail in the 90's. For some of the security concious I know, it became the first source of a system breakin, and there's even worms running around knocking at it's doors. Ugh.
• Burning Board -- Wolf Labs offers Burning Board. It's half decent, costs about $50, and seems to be in use in at least a few places. I noticed it at the 77's site (which, incidentally, will be on tour in 2 weeks with Michael Pritzel, woohoo!). What caught my eye about this wasn't the product, it was the website. The company is clearly German. But on the top of their site is a pretty picture of Toronto. Odd.
• vBulletin -- this seems to be one of the more popular ones. It costs $160. There seem to be a lot of organizations with it in place for support forums, but it doesn't have the same aweful track record as phpBB.

Are there other decent forum packages available that you'd recommend?

For some reason or another, Shana's HDD blew up. I highly suspect it was purely because the warranty on her laptop expired 2 weeks ago (really, it did). It may also be because she just started teaching, as well as having begun a new grad class, and she needs her laptop for both of these every day. Either is a possibility, and each fairly evil.

On an unrelated note, it reminds me that I may want to perform backups a bit more often than I had been (2 months). But anyways...

Using Gentoo on both computers is nice. We tried an experiment with her using Mandrake that didn't go well at all. We each hated it for our own reasons. She found it abhorred to use, especially it's method of organizing the menu's, amongst other things. I really disliked administering it. And we both disliked the amount of packages available to it.

But, it would be nice to give her a distro that would be a bit simpler for her to make use of.

So, maybe it's time to try out Ubuntu -- it uses GNOME, which she likes. It's Debian-ish, which I like. And it has lots of packages, which we both like.

They say it's easy to use. We'll soon see -- I left the install CD sitting on top of her laptop, with the instructions "Install Me!", along with these three points:

• Power on and Insert CD
• Choose Wired, not wireless (she's used to wireless, but I hooked up a cable... she may not realized how large the speed difference is)
• It's okay to erase the hard disk (she may not know that there's absolutally nothing on the current drive)

That's all the help I gave. She gets home before me. I'm curious how far she'll get by then. I'll report back :-)

Remember what your mother used to tell you about validating parameters in web applications? That it was a good idea to do some checks via JavaScript to save a round trip to the server, but that these same checks must be done on the server as well?

The really crappy web app I use is one at work which we use for help desk / task management.

The problem is simple. The entire security scheme for the app is based in HTML and JavaScript. There are two parts to this security problem.

One is a series of JavaScript variables, which decide what queues you're allowed to read and write to, whether you are allowed to close tasks, and the like.

The other part is a Java Applet, defined with HTML parameters which decides silly little things like whether or not you are considered a support representative, or a user.

There was a day when, in order to mess around with all this, you'd have to go through a lot of hassle by saving the HTML, modifying it, and later loading it. With this particular app, doing that for the entire thing is a bit tough, due to it's rather complex usage of frames and Java.

But no worries, GreaseMonkey is here to the rescue. See, with GreaseMonkey, instead of having to bother with stuff like saving and reloading documents, we can simply instruct GreaseMonkey to change variables after they're loaded.

Really, GreaseMonkey is just a FireFox extension that runs user defined JavaScript on any given page. So, to start messing with this crappy web app, all we need is the following one line script loaded into GreaseMonkey:

write_perms_on_queue2 = true;

Well, the variable names in this app weren't quite that obvious, but you get the idea. That's all you need. Now repeat for all variables you want to modify.

There were also some JavaScript functions they had loaded that I considered annoying. They yelled when I clicked things they didn't think I was supposed to. They'd keep returning "false" (ie, failing) until I clicked things the way they wanted. No problem. Add this to your GreaseMonkey script:

document.annoying_function = function() { return true }

So far, we're on the first security problem. Lets talk about the second one. They have a Java applet which loads all the menu's. I dug around in the source a bit, and discovered tags like this in the applet definition:

Okay, good, I'm considered a 'Rep', but I think I'd like some more permissions.

Now, hard as I tried, I couldn't get GreaseMonkey to fix this. I think the Java Applet loads too early for it to do anything. So, I just saved the page which defines the permissions to my hard drive, and changed it to a more suitable number.

With the monotony of frames they had, I had to jump through a few other little hoops to make this work with this particular app. But, a couple of tweaks later, I load this app using the file on my hard drive, and viola, there it reads:

H4x0r3d Helpdesk Web Interface

There's not a whole lot I really gain by all this aside from some amusement (though, they should still be told about their lax coding, any of our users could do this as well... I guess I'm really not all that concerned though).

Moreso, I think this is a warning of where things are going. Where there used to be at least some hoops to jump through to change data on web pages we've loaded, there's now a mechanism for doing this automatically. There's a repository of such scripts online. I don't think most or maybe even any are bending any security; moreso, most are tweaking websites to better work for us. Which I think is great.

What I think we need to watch out for though is the ease with which one can bypass such poor security mechanisms. There may have been a day where coders could get away with such things, but thats long gone.

I'm trying to get some things a bit more organized here on the computer front. For someone who uses computers so much, I can be awefully disorganized.

I finally setup an RSS Aggregator. I'm trying out Sage for Firefox, which seems to do pretty well. I put all the blogs I frequent in there, and added other folders for World News, Tech News, and the like.

You'd be appauled at how my bookmarks currently look. I have a few folders on my toolbar, but in general, most of them are just in the big bookmark list.

I went through and made folders for all of them, and cleaned up a lot of junk that didn't need to be on the toolbar. Hopefully they'll actually be useful now.

I also added some Firefox plugins. As Nate's been mentioning, GreaseMonkey really does let you do some l33t hax0ring. In fact, it brought to light a mind boggling error on a web app I use that most certainly belongs on The Daily WTF. I'll discuss that in more depth shortly :-)

I had also forgotten to install the HttpHeaders plugin, which I have on there now.

Now I just need to find a way to keep the state between multiple FireFox instances. I have this suspicion that it wasn't made to work that way, but I'm undeterred :-) At the very least, closing FF should copy everything out to a central repository, and opening it should pull it down. But it'd be much better if there were a way to do that without having to close it down. Alas, the -HUP signal kills FF, so there needs to be some other way to have it reread everything.

The VMware workshop on Thursday was neat. A lot of their speakers seemed to be speaking for the first time ever, but they did manage to get a guy from Siemons to speak, who did an excellent job.

Nate, Mark, Shana, and I went to Mark-Jason Dominus's book release party Saturday evening. It was fun, and a lot of Perl folks were there (many of which we get to see at YAPC each year). Mark's book is High Order Perl.

I'd also like to say that the idea that Debian works so seemlessly that one can just run an "apt-get dist upgrade" is just a bunch of baloney :-) I've spent two days trying to get all the upgrades working on this upgraded server. It's working now, but it was anything but seemless.

That was a mailserver. Redoing the mailserver did give me an opportunity to redo some things. The new version of SpamAssassin is doing really well, and we're using RBL's like SpamHaus and Razor.

The even bigger thing is that it's using greylisting (Postgrey). Over the weekend, I could typically expect to collect around 200, which awaited my arrival on Monday. This weekend -- not one. Not everyone was so lucky, but there's been far fewer.

It's setup so that only the first email from someone is greylisted. Once they "pass the test", they become whitelisted. So I'm pretty thrilled about that.

Onto troublesome issues, first on the list is LDAP. What I thought was a successful LDAP migration (from the old mailserver to the new one) was anything but. I have now since determined that LDAP is annoying :-) I think for what we get out of it, that it may not be worth the hassle and headaches it gives us. I spend more time troubleshooting LDAP problems than anything else (during upgrades or changes anyway, once working it tends to work well).

We only need the users on two boxes, have them on the four that do LDAP now was mostly a convenience. The mailserver needs the users -- I think I may put them in a password file. The webserver used LDAP for webmail. Instead, it could use imap and remotely connect to the mail server, instead of accessing NFS mounted mail boxes. The rest of the servers only need some admin accounts, and those change so little that they can easily be added manualy.

I may also consider MySQL for this, but I don't think we'll start with that.

My father in law recently bought a Mac. A powerbook, to be exact. That entire side of the family is really into Macs, and his powerbook is an upgrade from a pre-OSX computer. It's a big step really, as this is his first portable computer. And he got rid of his desktop altogether.

Now, there was a dilemma in his recent purchase. He was this close " (see the space in the middle of the apostrophe?) from getting an x86 laptop at Circuit City, or maybe even a Dell or similar.

He did some exploring, however, and decided to stick with the Mac. He wanted a system that was intuitive, easy to figure out, nice looking, and would just work. Looking at Dell, it appears as if he could have saved over $1000 by going x86, but it was worth it to him.

Same with his printer and wireless. I hadn't seen these before, but apparently Apple has a wireless router / print server all in one. At the time, he spent $150 on it, as it was something that could just be plugged in and would work. I'm not familar with such a nice looking equivalent in the x86 world, but buying a wireless router and printer server seperatly would be under $100. But that's okay, he wants to be able to plug it all in, get it working, without having to bother us or anyone else to get it up and running.

I was a bit excited over all this, as he was going to have a nice setup at his house. I could bring my PDA or laptop over there and hop on the Net to do, well, whatever :-)

I hadn't been to his house much since last Christmas when he got all of this. Shana and I went over there this past weekend to meet up with him and some other folks. I stuffed my Zaurus into my back pocket, this was going to be fun to try out. Maybe I could show off my slick device a bit :-)

When I got there, I noticed something about the Mac wireless routers that I didn't know. They completely masked their signature when running (something I thought only enemy ships in Star Trek did to their warp trail), my Zaurus couldn't even see it. I know he was on the Net, he had just been using his laptop as we arrived. I'm not sure how it did it, but it seemed like a nice security feature. A device for people who don't necessarily know (or want to know) a lot about computers adding a significant layer of security. Hackers won't break into a network they can't see.

Then I looked a bit closer, and saw not one, but two cables coming out from his laptop. And even closer inspection revealed that one was ethernet. Aha! That's why I don't see the wireless.

I inquired as to why he wasn't using his new hi-tech gadgets. Apparently, he couldn't get them to work. Actually, not only could he not get them to work, but the Mac guru's in the family couldn't get them to work either (all the kings horses and all the kings men). The only way he could both get on the network, and be able to use the printer, was to not use the wireless (it's a bit more complicated than that, but we'll leave those details for anyone volunteering to help :-)

So, he happily announced that he was going to travel to Philadelphia, to the "local" Mac shop, to have them upgrade his machine to Tiger (which I believe he was, at this point, too nervous to do himself), as well as get the printer and wireless goodies working. They will certainly be able to get it working, while gladly taking what's left of his wallet. And he'll have a smile on his face the whole time, because he spent more money for the better product that just works :-)

The term Cognitive Dissonance is the first thing that comes to mind here (actually, it wasn't -- I thought of the idea, it took me an hour to remember the name for that :-)

While I suspect this situation isn't the norm, I can't help but be amused at the bigger picture.

After all is said and done, he'll have been some $1500 - $2000 richer if he had gone with a Dell, a Netgear router, and seperate wireless print server. Anyone -- including the kid across the street from him -- could have helped get those three things working. He'd be using them now (it's been since Christmas!), not waiting for when it's convenient to go to Philly to have someone else fix it. Yes, he'd be more prone to spyware in XP. But with the firewall in SP2, as well as using Firefox over IE, I think that could be minimized (my parents -- using Firefox, XP SP2, and good surfing habits, have very little Spyware trouble).

Actually, as a teacher -- his primary apps are Word, Excel, web based email, and surfing the Net. Even Linux could handle that well, though being a Gentoo user, I'm not prepared to say that's easier to setup than a Mac :-)

I can only hope that he's gaining something else by his choice of OS, such as improved usability in his day to day work.

Okay, I've been falling a bit behind here. That's a bit representative of other portions of my life as well ;-)

Star Wars was enjoyable, regardless of what anyone else says. As was Star Wars Risk, though that was far different from any other Risk game I've played.

Nate, Spartacus, Lon, and I enjoyed a game of standard Risk a week or two ago. We're looking forward to playing a game of Civilization sometime soon.

The CPLUG Server is going to lose it's home at the end of the month. The new server we've been building is nearing completion. I've setup most of the services that belong on here. The biggest things left are the mailing list migration, and the CPLUG website. I'll handle the cplug mailing list this weekend (hpm is already done), the CPLUG website has to be done by Andy. And if it's not completed soon, we'll switch to a wiki until it is ;-) (we have a wiki working for the HPM website, and figured out how we could use the existing CPLUG website template in a wiki)

The MythTV box I have at home keeps going haywire. It runs out of space, and that seems to be causing the filesystem to go corrupt. Odd. The drive was only 40GB though, so we bought a larger drive. 300Gb ought to do it (it was only $128!). Hopefully I'll get that setup this weekend.

The Arts Festival is this weekend. This is always fun, we'll probably head over there on Saturday.

Most of the cd's I've ordered have arrived. They're all great, it's been good having some new tunes at work.

I just received a notice about VMWare holding a number of half day workshops this June. They'll go through how to use the products effectively, both discussing ideas and doing live demo's.

This event is actually free -- and those who attend get a free copy of VMWare Workstation 5. It was hard to pass up, so I signed up (though I'll have to take off work, for some reason they won't give me half a day even if they save $200 on the product... odd). Since it's during the summer, Shana decided to attend as well.

You can see the locations, schedule, as well as sign up here.

My parents had gotten me a wireless presentation clicker for my birthday. It's really neat -- it's the size of a PCMCIA card -- and it has various buttons, and has a built in laser pointer. It's actually designed to fit inside a PCMCIA slot in your laptop so you don't forget your clicker :-)

It's harder to setup than one might expect, however. It's USB. I popped the dongle into the USB slot, and the light didn't come up. Nuts. Running Gentoo, I immediatly suspected the options I had compiled my kernel with. I went through, enabled a few more options, and recompiled. Nothing.

I tried it on Shana's Gentoo laptop, same problem. Huh.

I took it to work, maybe I'd have some better luck there. I stuck it into my desktop, and it lit right up. Well, at least it works. So, all I should have to do is copy that kernel config to my home box. After doing that, and recompiling -- nothing. Ugh!

I began looking around Google, but I saw very few mentions of this sort of thing in Linux. Thoughts of hardware incompatability began to cross my mind.

One last ditch effort -- I fired up an old laptop whose hard drive had died, simply to see if it might work. Unlike the laptop I had tried -- this USB slots in it were configured horizontally, not vertically. I had to think for a moment, which direction would the dongle fit. Wait a moment... if the dongle fits either way...

Bah! I was putting it in upside down. Correcting that, it works perfectly. The buttons all work, distance is good, and the laser pointer is a nice touch. No more filling up both hands with gadgets to give a presentation.

I have a presentation coming up in early may, on building a wireless router with Gentoo. Josiah and I had discussed some titles for a similar talk he had done. Since he passed it up, I'm going to go with "Pass Gentoo the Pipe". It just seems so, appropriate :-)

Finally, after four months, Verizon finally transferred my number over to Vonage. I had to whine to Vonage a bit, which seemed to speed things up actually.

As soon as I got the confirmation of the number being transferred, I raced outside, hunted down the Verizon box, and disconnected the phone line from the house. Which of course allows me to plugin the Vonage line into the house line (without fear of any interference from Verizon hiccups).

I get all these features from Vonage for $15 a month. For anyone who still uses dialup, if you're paying $20 for that, and $35 for Verizon phone service (what I was paying), It costs just a few dollars more for Comcast high speed ($42) and Vonage ($15). Plus you end up with high speed (4 Mb down (!)), all those telephone features mentioned above, and you're no longer paying Verizon :-)

Verizon, see ya :-)

It seems I have some buttons that can be pressed that cause me to spew out a blurb of text when I'm properly motivated (or perhaps, not motivated to be doing something else :-) I was sent the following:

Some interesting comments and counterpoints on Mac security
Security, damned security and Symantec

I found that article to be appropriatly aggravating to write up the following on it:

It appears as if the original article that's referred to was in fact poorly thought out and written.

However, I'm also not really following some of the counterpoints brought up by Ron Carlson.

Mac's do have a security architecture that has been working for them much better than does that of Windows. The original article is also correct though, that there have been more vulnerabilities found in Mac's recently. And Mac users tend to handle that well with quick upgrades.

However, I'm ultimatly not convinced that the reason there aren't more worms, viruses, and spyware for that Mac isn't simply because of the Mac's smaller marketshare.

Carlson counters that there are a number of worms wandering the Net attacking Linux, why aren't there similar worms for Mac? He points to an article that shows how desktop based Linux systems are similarly numbered to Mac.

But that's key -- those are *desktop* systems. According to IDC, Linux has 3% of the desktop market (about the same as Macs). However, IDC also shows that Linux has a 24% market share on the server:

Linux Inc
(search for "strange ground", which is midway through the article)

Linux *servers* are what run the services these Linux worms are targeting -- services like BIND, Apache, sendmail/postfix, DHCP and so on. You'll notice that all these are tools which are common to see on other UNIX systems, including Sun's Solaris, AIX, HPUX, and can even run on Macintosh. I think Carlson can get away with calling them "Linux worms" simply because Linux has the market share to be hit hardest by them, not because they only effect Linux. Further, most Linux admins have their systems updated far before they're affected by this. Mac users tend to be the same way.

My point is that I feel a large reason that Macintoshes don't see more "malware" is simply market share. There's nothing about the way that, say, Apache, works on Mac that makes it inherintly more secure than the way it works on Linux or Windows.

Another example -- the Firefox browser, a new derivative of Netscape, has a 6% market share:

Firefox Eats More Microsoft Market Share

It has had a flurry of security problems in the last few months (I count three groups of vulnerabilities this year for Firefox):

Gentoo Security Advisories

That competes with the amount found in IE. Firefox is commonly seen on Windows, Macs, and Linux. I have yet to see anything that takes advantage of any of these Firefox vulnerabilities, though it happens all the time in IE on Windows.

If something isn't soon done about the vulnerabilities in Firefox, we may start seeing spyware that takes advantage of vulnerabilities in it. At the moment, it's simply not worth the time, as only 6% of the people use it. This would be further divided by platform, as spyware in it's current form is generally going to be OS specific.

However, people using Firefox tout that it's more secure than IE. Well, that may be true. It also has a lot of other incredibly useful features. But it's a lot easier to say your castle is the strongest when the bandits are all attacking someone elses castle :-)

If today, someone wrote code to take advantage of one of these vulnerabilities in Firefox, and used it against someone who hasn't updated their browser, it would work. And they would be capable of at least installing the first spyware to be found in Firefox.

The same way, there are vulnerabilities that have appeared in the Macintosh that would allow people to take advantage of a system that hasn't yet been patched. They key is that they A) have been patched, and B) that it was done before someone bothered to write something to take advantage of it.

I am not suggesting that if Windows, Linux, and Mac's all had equal market share, that we'd see an identical amount of problems. Macs and desktop Linux systems tend to run less remotely accessible services (thus reducing exposure). I do think that none would be able to say they aren't hindered by problems. They'd probably be too busy fixing security problems in their apps :-)

Josiah pointed out that, for the TODO application I'm seeking to make, there make be some existing backends that do what I want. Prior to him mentioning that, I hadn't discovered any that seemed to be a good match. But the prospect of doing less work inspired me to look harder :-)

In my stumbling around, I ran across OpenGroupware. Most of us heard about this as a possible MS Exchange killer when it was made available as Open Source some time ago. At that point, it wasn't quite ready for use, so it went into heavy development and most of us never gave it a second thought. Well, it's about to hit 1.0 now believe it or not.

The idea behind OpenGroupware is that it's a server, running behind Apache, that can be accessed by other clients. It comes with it's own web interface, but other clients work fine -- Evolution, Mozilla, even Outlook if you pay a few bucks for a plugin.

It looks like they've been trying to make it flexible. There are several modules available for accessing it's external API (via XML-RPC), including PHP, Java, and Perl. Though, as a side rant, I have to say that I've been a bit dissapointed in Perl support for a lot of the new apps that come out. It used to be that whenever a new app was available, if there were a way to interface with it, Perl would be right on top of that. Two apps I've been excited about lately, OpenGroupware and DBus, do in fact have Perl modules -- but they seem to be very alpha-ish, and not officially supported by the project or even mentioned on the website. I'm not sure if these projects are just uninteresting to Perl developers, if other language developers are simply getting things done faster, or if we're seeing a lesser amount of Perl developers.

Anyhow, OpenGroupware is both flexible and complex. There's a lot to it. And one of the problems of it not being in the limelight is that -- as a terrible catch-22 -- there's a lot of rough edges that really slow me as a new developer down. Documentation is minimal, it can be tricky to install, and I need to learn how things work in general. There is apparently a way to add custom fields, so that I can turn the TODO items into a tree instead of a flat 2d list. I'll also need to be able to add ACL items to each piece of data in the list. It appears to support all this.

I did get it running on my laptop, but I spent two days of troubleshooting to find out that it just doesn't work with Apache2. Or at least, something about my version of Apache2, others have it working with that just fine.

Alas, it's going to take me weeks to get all the OpenGroupware stuff down. I'm excited to try it sometime, but I'm going to modify the order I do this in.

To get my TODO list application up and running, I'm going to build it to support a single backend database, which is straight forward. Once I have the ideas buzzing through my mind hashed out, and this actually works using a server I'm familar with -- we can migrate it to the more powerful OpenGroupware server. Or who knows, maybe we can support both.

I do have a basic curses interface working. This is my first experience developing with it. It took me awhile to get it to this point -- of course this is partly due to my learning curve, but again I'm noticing a huge difficiency in the usefulness of the Perl modules. I spoke with the authors about this -- they said they've been really busy and suggested themselves that there was a lot to be done. I've fixed a few of these issues so far, and hopefully I'll have some useful patches to offer shortly.

I had quite seriously considered writing this in another language which had existing and complete curses widget libaries -- not C, but maybe Python, Ruby, or OCaml. I still may switch, but again one thing at a time :-) What's a high level language with a decent library for developing curses widgets?

I got a peculiar email message today. It was from a girl named Gen, who apparently ran across my email address after typing in "Harrisburg Computer Geeks" into Google. First off, I find that in itself amusing :-)

This was her message:

Hi, my name is Gen and I found your name on the Perlmongers website. I actually typed in "computer geeks harrisburg" and that's what I came up with! Well, I read your profile and saw that you had an email address, so I thought it would be ok to email you. Here's the situation: I need some help with my computer. I would rather talk on the phone about it, though. I'm a decent person, so don't be scared. I'm 25, female, and go to . I don't know who else to ask. I'm getting my Master's in Applied Psychological Research. I live on Front street. I'm totally normal, I just suck at computers and don't know who else I can ask some question to. I have friends at , but they are all majoring in Psychology and don't know a thing about computers. Please take pity on me and talk to me about this!!!! Thank you so much, Eric. My phone number is . I thought about coming to the Brick Haus for one of your meetings, but I think I would be totally out of my element...seeing as how I read all about PERL and still don't know what the hell it is!

Huh. I don't get those every day. I'm also really not sure what to make of it :-) Shana was amused too.

So, I forwarded it to one of my computer savvy SWM buddies who has been in search for a SWF. I hope they each get what they want :-) Hopefully he's interested or I'll end up feeling bad and need to help her myself. But I haven't worked with a Windows computer in ages :-)

One of the issues, IMO, regarding the conference we recently held was the lack of a decent collaboration tool. It became somewhat unmanagable to work together on this project. This may account for why certain people seemed to get piles of work, when there may have been others available who could have helped. It was simply too much work to give it out, oddly enough.

To actually spread the workload amongst multiple people, you'd have to explain what needs done, how you've done things so far, who is involved, when it needs done by, and so on. By the time you're done explaining that to multiple people, you could have done much of it already. This is most certainly inefficient :-)

There are tools out there that are designed to help with this. After the conference, I had been thinking about what would make a good tool to handle this. Actually, I need two things. I wanted a decent todolist/taskmanager for myself. I also had been considering writing a package that helped people organize conferences. After thinking each of these through, I realized I was being silly; those two issues are the same thing.

Whether it's my personal todo list, or conference organization, they both deal with projects, contacts, files, dates, etc. Often times, both even deal with needing to work with multiple people to accomplish the job.

I'm also pretty certain that what I want doesn't already exist. There are a number of tools, mostly web based, that attempt to handle this. My feeling on on most of these is that you spend more time administering the application than you do accomplishing tasks.

I need something simple. The term "simple" could probably be defined as an application that works the way I think. Now, dealing with things that think the way I do gets into scary territory :-) It also needs to be really "fluid".

So, the first thing to go is the web interface. Even with an app built on OpenThought, the web is no where near as fluid as is, say, curses. A well-designed curses application can be incredibly fast and easy to use.

At the same time, not everyone likes curses. Others who do like it may not always have convenient access to a shell. It makes sense to allow for different frontends, be it curses, gtk, web based, or whatever else people are interested in, which access a central backend process.

As soon as we begin getting into multiple users, we deal with access control. We have multiple users who will be accessing the same database, who may not have rights to see or modify everything on there.

People also think in terms of "their list", not databases. When I fire up my frontend application, I want to see all my todo items, not just those from one database. For example, when I'm home, I want to be able to see the stuff I want to be able to see both the stuff I want to get done around the house, as well as the things I need to do for the upcoming conference. Those are all things I would work on that evening. Of course, maybe I don't care about stuff from work at that time, so I can filter out certain items.

This all means that we'd need access control not only within one database, but that an application like this might need to be able to speak to multiple databases at various locations at any given time, each with it's own set of access control.

I've already begun work on this. My primary interface would be curses, so that's what I'm starting with. There's a bit of a learning curve there for me, so I've been messing around with how to make curses work.

There's some things I'm not sure about as well. The more interactive and real-time this is, the more useful it would be. So, what should the interface to the backend process look like? If we begin thinking web services, that's trivial t build, but it's stateless. Someone performing updates wouldn't be noticed until the next time our frontend client connected. I'm not sure that's what we want.

To handle communication between the client and server both locally or over the Net, one thing that jumps out at me now is dbus. A more heavy-weight option would be dce. Dbus is new, underdocumented, and has a changing api. I'm also not entirely certain I understand it's networking model, but that may be related to the documentation. DCE is designed for distributed computing, but may be more than I need. We'll see, I have some research to do.

Of course, this is all getting way ahead of where I am now. The initial design will probably just work with a local database and one user, we can work up from there :-) But the rest of this will be kept in mind during the implementation to make it as easy as possible to add this in soon.

It also lacks a name. I had initially thought of "borg" (Brain ORGanizer), but that name seems to be taken by a similar project already.

I'm open to thoughts and suggestions on any of the above. I'm also accepting patches as of right now too ;-)

After this flurry of conferences, I've been really motivated to add this extra layer of security to the servers I have at home.

SELinux offers some incredible advantages in security for a server or desktop. Red Hat's Daniel Walsh explained it well by saying a server was like a house. You still lock all the doors and windows. But if someone manages to break into your house, SELinux confines them to that very room.

SELinux has a policy defined for the daemons that might run on your system. Only what that policy explicitely allows, can that daemon perform. A daemon not allowed to look at /etc/shadow by SELinux can't be persuaded to do so even if it's got the SUID bit and a gaping security hole.

Someone breaking in through Apache will never have rights to anything Apache can't do. They can't change the website content, for instance, because Apache shouldn't be allowed to modify website content. And it certainly wouldn't have permissions to mess with DNS settings. Even if an intruder finds something Apache has access to, that allows them to become root. It doesn't matter what UID they have, SELinux is deeper than that.

I made the final leap, and enabled SELinux on all the servers I had at home. They had been running Hardened Gentoo with SELinux in permissive mode. To run in enforcing mode, I had to create a few policies for non-standard daemons I was running. I had been holding out on that for awhile, but when I finally got down to it, it wasn't hard at all. I sent them off to Russell to see if it's worth including them in the main SELinux policy sources.

I haven't put that on my desktop yet, though I'd like to in the future. The desktop is an often overlooked component in security, even with all the vulnerability announcements going out. Image rendering libraries, IM clients, holes in Mozilla, and problems in OpenOffice all could easily allow a remote attacker to see personal data in your home directly. And that's if they aren't trying hard, and of those could be used to gain full access to your machine.

SELinux steps in and, with the proper policies, seperates programs from each other. Mozilla could be restricted to system libraries, ~/.mozilla, and ~/dowloads. It doesn't need access to your email or documents. Or, if you want to make it more permissive, that's fine. Allow it access to anything in your homedir if you want GAIM to be able to do such things. But there's no reason for GAIM to have access to your mysql data. So, we can restrict it to /home/. That's still a big deal.

Red Hat and Fedora have targeted policies. They attempt to restrict common daemons as opposed to everything. That would handle the case where you don't want to be bothered by the SELinux restrictions, but you still want some of it's benefits. There's a lot to be said for using the restrictive policies -- but if that's just not for you, having a targeted policy can still protect you from 0 day vulnerabilities or failures to upgrade applications in a timely manner.

In two weeks, on Saturday April 2nd, we're going to have a Hardened Server InstallFest of sorts. I'd encourage you to come out and give SELinux a try. If you're interested, let me know. You can do SELinux with Gentoo, Debian, Fedora, RHEL, and many others. Gentoo is my personal favorite, but we can probably help out with some of the others as well :-)