Weak SSL key vulnerabilities not so funny
Yesterday evening I had the pleasure to pick up the following three security notices:
- [USN-612-1] OpenSSL vulnerability
- [USN-612-2] OpenSSH vulnerability
- [USN-612-3] OpenVPN vulnerability
I can tell you these are really not funny. They really generate a lot of work indirectly. Annoying but doable are things like regeneration SSH keys. The PITA situation is with OpenVPN, looks like we have the push new keys out to all the clients in a few setups. That really deserves a curse or two.
As a special bonus:
Once the update is applied, weak shared encryption keys and
SSL/TLS certificates will be rejected where possible (though
they cannot be detected in all cases). If you are using such
keys or certificates, OpenVPN will not start and the keys or
certificates will need to be regenerated.
Which means I am happy to read security notices. Just updating might result in a broken setup.
If anybody could give extra information on how weak those keys actually are and how easy they are to crack, I would be delighted. In the meanwhile, looking at the amount of servers, I guess I can schedule a teambuilding event where we can mass regenerate keys.
ps. I can tell you I'm quite happy that our backup machines which use SSH+RSYNC for automatic incremental backups are not vulnerable.
Edubuntu presentation
Yesterday Mediaplaza organized an afternoon program about the possibilities of Linux and Open Source software in the educational system. As part of the program I gave an presentation where I introduced Edubuntu and the possibilities it offers. Followed up by a tour/workshop which allowed participants to get a little bit familiar with the Edubuntu GNOME environment.
I uploaded the presentation at https://wiki.ubuntu.com/DutchTeamPresentations. Thanks to another presentation on this page I was also able to use a decent template instead of wasting time on making one which would look worse.
I didn't have time to follow edubuntu development for the last two releases but I was quite impressed with the LTSP improvements when I dived in a little in preparation of the presentation. Good work!
Ubuntu software raid performance problems
We recently experienced some performance problems with an Ubuntu machine with software raid1. To localize it a bit further I ran some tests on different setups. For comparison I also included a setup with hardware raid and a setup with software raid on CentOS, I will also post the specs of the machines in question but I don't believe the specs have a noteable influence.
I tested with the transfer speeds with the following commands:
Write: dd if=/dev/zero of=test.img count=300 bs=10M
Read: dd if=test.img of=/dev/null bs=10M
Setup 1:
HP DL145 (Dual-Core AMD Opteron(tm) Processor 2210 HE, 1GB ECC reg)
RAID: 3ware Escalade 8006-2LP, PCI-X in RAID1
Disks: 2x Western Digital 80GB, 7200rpm, SATAII, 8MB cache
Distribution: Ubuntu 6.06 LTS, kernel 2.6.15-28-amd64-server
Write Results: 3145728000 bytes (3.1 GB) copied, 113.433 seconds, 27.7 MB/s
Read Results: 3145728000 bytes (3.1 GB) copied, 63.1678 seconds, 49.8 MB/s
Setup 2:
HP DL145 (Dual-Core AMD Opteron(tm) Processor 2210 HE, 1GB ECC reg)
RAID: md software raid1
Disks: 2x HP certified 80GB Seagate disks, 7200rpm, SATAII, 8MB cache
Distribution: Ubuntu 6.06 LTS, kernel 2.6.15-28-amd64-server
Write results: 3145728000 bytes (3.1 GB) copied, 753.233 seconds, 4.2 MB/s
Read results: 3145728000 bytes (3.1 GB) copied, 85.2566 seconds, 36.9 MB/s
Setup 3:
HP DL145 (Dual-Core AMD Opteron(tm) Processor 2210 HE, 1GB ECC reg)
RAID: md software raid1
Disks: 2x HP certified 80GB Seagate disks, 7200rpm, SATAII, 8MB cache
Distribution: Ubuntu 6.10, kernel 2.6.17-11-server (x86_64)
Write results: 3145728000 bytes (3.1 GB) copied, 729.397 seconds, 4.3 MB/s
Read results: 3145728000 bytes (3.1 GB) copied, 49.0884 seconds, 64.1 MB/s
Setup 4:
HP DL145 (Dual-Core AMD Opteron(tm) Processor 2210 HE, 1GB ECC reg)
RAID: md software raid1
Disks: 2x HP certified 80GB Seagate disks, 7200rpm, SATAII, 8MB cache
Distribution: Ubuntu 7.04, kernel 2.6.20-15-server (x86_64)
Write results: 3145728000 bytes (3.1 GB) copied, 528.52 seconds, 6.0 MB/s
Read results: 3145728000 bytes (3.1 GB) copied, 58.7009 seconds, 53.6 MB/s
Setup 5:
Intel(R) Celeron(R) CPU 2.66GHz, Intel 3000 serverboard, 1GB DDR2 RAM
RAID: md software raid1
Disks: 2x Westerm Digital 500GB disks, 7200rpm, SATAII, 16MB cache
Distribution: CentOS 4, kernel 2.6.9-42.0.10.EL (x86_64)
Write results: 71 seconds should be ~44MB/s
Read results: 47 seconds should be ~67MB/s
Notes: The CentOS4 time is measured with `time` since dd version in CentOS doesn't give stats itself. It might differ from the way dd measures the time. The hardware raid setup has western digital disks vs. seagate disks in the Ubuntu software raid setups. Personally we have the feeling the 80GB seagate disks are a bit faster then then 80GB WD disks but that might be an illusion. The Ubuntu setups all use JFS as filesystem and the CentOS ext3.
Conclusion: We can see that the Ubuntu software raid at least has a write performance issue. The software raid performance in CentOS seems to be much more decent. We would conclude that its something in the Ubuntu kernel area which makes the software raid suck balls and not software raid perse. The only other factor which might make a difference is the filesystem, however we never had JFS performance problems and filesystems are a different layer in the kernel AFAIK.
Suspicions: We have the feeling that if you have concurrent write actions, the performance will go down much more then the crappy 4-6MB/s. We also noticed that the load goes skyhigh if you do disk stuff with software raid on Ubuntu (breaks 15.00 easily with a 3GB mysql import with binlog on, leaving most things unresponsive). The load on CentOS doesn't seem to go up too much. IIRC we got the same crap performance in Debian which we gave a quick test (etch).
Random update
Decided:
- Install a wordpress plugin make the comment spam less annoying (before I go on holiday).
Bought (21 euro):
- The Hitch Hikers Guide to the Galaxy (the tv serie).
- Harold and Kumar go to Whitecastle
- Dogma
- The Big Lebowski
Work & School:
- Busy
- Internship almost finished
Opinion:
- I think that the dapper-commercial repository is quite cool. Ofcourse I prefer opensource happiness, but its a good thing that non-free stuff Just Works on Ubuntu as well.
Last weeks
Ubuntu Dapper Release Party
Last friday at Wyldebeast & Wunderliebe, a succes. Kim Chee decorated the place with some artwork and installed a demo setup with several thin clients. To make it more then just drinking I held a talk as "our local ubuntu guru". In the talk I highlighted some features and other coolness of the Dapper release and looked forward on what Edgy may bring us.
In anycase I had a great evening, thanks W&W for hosting the release party and ofcourse thanks to all the Ubuntu developers and community for making Dapper a reality. 
Internship
Finishing up my internship, only a few weeks left. Working on the final report.
Work: Xen / Network toys
Playing around with Xen. I'm quite happy with it. Some of the nasty things are: its bad integration with with Ubuntu, the available documentation sucks, and that TLS stuff. Mono apps don't work properly and/or a big tls emulation warning pops up (even when the tls lib was disabled). Xen is nice, but its just not really finished up. Well we decided to use it anyway.
We got some supermicro servers in, 1U & halfsized. Perfect for in a patch cabinet(?), nice and hot as well. Its like someone is vacuum cleaning the room when the cabinet door is opened.
Shipping Epiphany or Firefox by default
I just read roozbez's explaination on planet GNOME to why Sharif Linux shipped Firefox by default instead of Epiphany. The most important reason was marketing. Firefox is well known in the computer savvy user arena and ofcourse this is an advantage. But does it really matter?
First of all from what I understand Mozilla doesn't allow custom builds of their products to use the official branding. In this case the whole "user recognizes the logo argument" is void. It basicly cancels out most of the branding advantage besides that you can put on your website you ship Firefox. Not really impressive.
Then secondly how well known is Firefox really? My guess is that only a few procent of the actual computer users knows about it. My experience is a really high percentage of end users have no idea what it is and small percentage associates it with "a browser". A person who actually responds enthausiasticly when mentioning Firefox still has to pop up.
Ofcourse I'm not talking about my friends here who actively use Linux or who study computer sciences. I'm talking about real end users.
I think if you ship a Linux distribution that is aimed at the tech savvy it is probably the best choice by default. But this audience is same as the one that customizes their environment immediatly after install right?
So what would be the case if you ship a distribution for the general crowd or for rollout in a organization? Or what is really important anyway?
- The most important criteria is that it works. Websites should work and look the way they suppose to. For this criteria it doesn't matter if you use Epiphany or Firefox, they both use the Gecko engine to render webpages. So lets move on.
- The user experience! Is the graphical interface easy and friendly? Or confusing? In my opinion both interfaces are acceptable. However Epiphany is obviously the winner here. It just makes more sense and the interface is clean (no clutter as in Firefox).
- Consistancy and Integration! Although there are many afforts to integrate Firefox more in GNOME its just not it (really happy that it uses the GNOME filechooser in Ubuntu though!). To me Firefox doesn't feel part of the desktop for the end user its just less obvious.
- Features. Firefox is (over)loaded with features. Epiphany is really simple and elegant. You want some extra feature? Switch it on in the extension dialog. Another advantage about the Epiphany approach is that you actually know what features exist. Firefox pushes more and more features every release but I don't know about them and I certainly don't use them. The term bloatware comes to mind.
To be clear I don't think Ubuntu should switch to Epiphany (at least not now). Although I hope that it will in the future. I think Epiphany should become more populair first to justify such a switch. If you switch default browsers you simple piss off a lot of people.
I blogged about this because I don't agree or am not impressed with the common reasons to ship Firefox. Although I do believe that "just because its the most popular available" is a valid reason (would you ship Internet Explorer by default if it was opensource?). 
About the branding: I think the only branding that matters is the distribution. What do you use? "I use Ubuntu!".
I really recommend you to give Epiphany a try. I predict you will get to hang of it really quickly and just love it. Personally I love the way bookmarking is handled (much better then in Firefox ).
Link: Why you should try Epiphany as your default browser with GNOME 2.14
ps: sudo apt-get install epiphany-browserÂ
Ubuntu/Edubuntu on german TV
Ogra came up with the following video clip during the Edubuntu meeting today:
Quite cool. I hope that Ubuntu gets more media exposure after the dapper release. It is certainly ready for it with dapper.
ps. German sounds so cute. :p
Ubuntu member
Since this afternoon I'm an Ubuntu member!
Besides the school project where I blog about regularly I have some other current work in the pipeline:
- Writing a part of the EdubuntuDocumentation/EdubuntuCookbook
- Extensive (end-user) feedback from school project to Edubuntu.
- Writing some documentation regarding LTSP use.
Epiphany as default browser?
An interesting discussion: https://wiki.ubuntu.com/EpiphanyDefaultBrowser
Personally I hate Firefox for being sluggish and not consistant with GNOME. All the menus are different. But when I use Epiphany I miss some advanced functions of Firefox (especially when I right-click).
And I totally hate the latest function in Firefox which makes you zap to next or previous page if you scroll to fast.
Biggest reason I didn't switch to Epiphany atm is that I have a lot of usernames/passwords stored in Firefox which I don't remember.
Bad thing about a switch would be the branding advantage of Firefox. But that doesn't last longer then 5 minutes.
In related news I read that someone hacked Evolution to have working spam filtering out of the box (not requiring some spamassassin magic IIRC). Before it didn't work for me out of the box and Thunderbirds spamfiltering is just great. I might consider switching to Evolution if this really works and if it has something equal to Enigmail. Enigmail is simply nice. The Thunderbird interface pisses me off in different ways as well but not as much as Firefox. But they are both ugly.
I get the feeling more and more that the mozilla guys are screwing up Firefox and Thunderbird by putting more and more features in it. Bloat... Keep it simple and do that very very well is what I like.
Twitter: hpbos
- Gisteren the men who stare at goats gezien. :-) jeff bridges++
- @Ronald_R: Anders heb je nog Zombie Strippers! als optie.
- @Ronald_R Lesbian Vampire Killers... http://www.pajiba.com/trailers/new-lesbian-vampire-killers-trailer.php
- @joostdrijver stink voetbal, mijn reistijd naar kantoor verdubbeld in de laatste 500m.
- wie wil er vanavond "the men who stare at goats" met mij kijken? :P
- Rabobank internetbankieren is buggy as hell.
- Net film the fountain gezien. Wel mooi gemaakt maar niet mijn ding.
- Groningen binnen. Niet bijzonder. Nu coma tijd.
- Wat een kak verhaal van rouvoet. Ook met 4 procent geteld, lame.
Categories
- Advocacy
- Development
- Entertainment
- Evil
- Humor
- In the news
- Orbit Ubuntu
- Personal life
- Security
- Tech
- Travel
- Work
