THE COMPLETE MAGAZINE ON OPEN SOURCE Is Now Open Source For You

Volume: 02 | Issue: 10 | Pages: 108 | July 2014

The Best Open Source Storage Solutions Available
Wireshark: An Essential Tool For Network Professionals
Manage Your IT Infrastructure With Zentyal
Set Up A Mock Wireless Deauthentication Attack
Analyse Network Packets With PCAP
Configure Ubuntu As A Router
Ramesh Vantipalli, Head EUC India & Regional SE Manager, South, VMware, Speaks On Virtualising Data Centre Services
Scale Out Your MongoDB Deployment
Automate Tasks With Anacron
Contents

Developers
26 Haskell: The Purely Functional Programming Language
28 Customising OpenSSL for the Real World
34 It’s Easy to Scale Out a MongoDB Deployment

Admin
44 Wireshark: Essential for a Network Professional’s Toolbox
48 Ghost: A Powerful Blogging Platform
58 Beware: It’s Easy to Launch a Wireless Deauthentication Attack!
62 How to Configure Ubuntu as a Router
66 Analyse Packet Capture to Protect Your Network
69 Run Automated System Tasks with ANACRON
75 “We want to virtualise all the services available in the data centre and control them at a software level”— Ramesh Vantipalli, head EUC India and regional SE manager - South, VMware India

For You & Me
77 Enterprise Mobility Management: A Bird’s Eye View
80 Open Source Software Engineering: An Introduction
82
Backing Up Data with FOSS Tools
to Open Source Tools

Regular Features
08 You Said It...
09 Offers of the Month
12 New Products
16 FOSSBytes
43 Editorial Calendar
100 Tips & Tricks
105 FOSS Jobs

4  |  July 2014  |  OPEN SOURCE For You  |  www.OpenSourceForU.com





YOU SAID IT

Articles related to sysadmins

I subscribe to OSFY and I am very happy with it. I do have a suggestion to make, though. I feel the magazine's focus is on what interests developers. I would be happy if you could also incorporate some content for systems administrators. For example, you could start a column on some kind of server installation (like SSH server or VPN server with step-by-step installation guides, as seen on some blogs). Thanks in advance. —Amit Kulkarni; a.kulkarni888@gmail.com

ED: Thanks for reaching out to us with your suggestions. Our March 2014 and May 2014 editions were ‘Sysadmin Special’ issues, in which we focused a lot on this particular topic. Besides that, we have been incorporating a lot of articles related to sysadmins in the last few editions, too. And it is our constant endeavour to continue doing so. Do let us know your thoughts after going through the two recent sysadmin-specific editions mentioned.

A free DVD of Linux

Kalpesh Devmurari: How can I get a free DVD of Linux?

Open Source For You: Hi Kalpesh! Thanks for reaching out to us. Every month we bundle different flavours of Linux with the OSFY magazine. You need to subscribe to the magazine to get the free DVD. To subscribe to the mag, log on to http://electronicsforu.com/electronicsforu/subscription/subscr1.asp?category=india&magid=53. Hope this helps.

OSFY in Hyderabad

Razzu Razzu: Hi Sir, I am not able to find OSFY in Hyderabad. Is it available? If yes, can you please share the contact details of the retailer?

Open Source For You: You can check the following link to locate the nearest bookstore/dealer selling OSFY: http://www.ezine.efymag.com/listwholeseller.asp?country=Andhra+Pradesh&city=Hydrabad

Content on Linux device driver programming

Mayur Nandurkar: I am looking for information on Linux device driver programming. Could you please suggest some websites from which I can read or download the content I’m looking for?

Open Source For You: We have run a series of articles on the topic you’re interested in, and we have uploaded the content on our website: www.opensourceforu.com. Here’s the link: http://www.opensourceforu.com/.../linuxdevice-drivers.../

Programming with C++

Kalpesh Devmurari: I really need someone to help me out with my queries on programming with C++. Any help would be appreciated.

Open Source For You: Hi Esfandyar! Thank you for writing to us. We suggest you post your queries on our FB wall. We have an active and vibrant community out there that can help you find answers to your queries!

Please send your comments or suggestions to:

The Editor, Open Source For You, D-87/1, Okhla Industrial Area, Phase I, New Delhi 110020, Phone: 011-26810601/02/03, Fax: 011-26817563, Email: osfyedit@efy.in









FOSSBYTES Powered by www.efytimes.com

Google releases Android 4.4.3

A new version of Android, 4.4.3, has been released by Google recently. While the latest version of Android KitKat will be available via over-the-air rollouts, the Android maker has released the factory images for Nexus 5, Nexus 7 (2013), Nexus 10, Nexus 4 and Nexus 7 (2012) devices. Google has shared the source code of the Android 4.4.3 release at the Android Open Source Project (AOSP). If the claims of US telecom operator T-Mobile are to be believed, Android 4.4.3 packs in loads of security enhancements and bug fixes. Google has included an all-new Google Dialler with Android 4.4.3 on the Nexus 5. The updated version of Google Dialler offers a tweaked user interface and other changes.

Red Hat releases Enterprise Linux 7.0 and promises support for 10 years

After a 3.5-year lull, Red Hat has finally released version 7.0 of Red Hat Enterprise Linux (RHEL), its flagship operating system. RHEL 7.0 also updates the underlying Linux kernel used in RHEL 6.x from 2.6.32 to 3.10, bringing in much-needed improvements for customers. Red Hat will support this release for 10 years, providing bug fixes, security releases and updates on a regular basis. RHEL 7.0 boasts of interoperability with Windows Active Directory and automated scripting. The latest release also changes the default file system from EXT4, which RHEL 6.x used, to XFS. However, RHEL 7.0 will offer support for a variety of other file systems at the same time. The Docker (Linux container) compatibility in the update will ensure service providers and customers get better version-to-version application portability. Further changes in RHEL 7.0 include:
Rollback capabilities
The ‘profiles’ feature, which allows configuration definitions to be specified for particular workloads and deployed on demand
Improved runtime management and monitoring capabilities

Here’s Mozilla’s very own open source browser-based gaming engine

Mozilla hails it as the “world’s easiest-to-use WebGL game engine that is free, open source and backed by amazing developer tools.” Say hello to PlayCanvas, Mozilla’s very own JavaScript-tailored, WebGL-utilising browser-based gaming engine. Though this has taken more than three years to build, PlayCanvas is a fine example of how open source technology has arrived on a scale that was never imagined before. The fact that its code is out for all to see, marvel at, toil over and improve goes to show how good the philosophy of open source technology is for the community, since it is based on sharing with the world at large, with no added costs. PlayCanvas comes with support for all major graphics, physics, animation, input devices and components that are the prerequisites for building professional, high-quality, no-holds-barred 3D games meant for both browsers and mobile devices. Moreover, the implementation of the entity-component system will let game developers build stuff using blocks in the game. The use of HTML5 and WebGL will allow developers to build games that are completely cross-platform: equally playable on Windows, OS X, Android and iOS. Once you’re done, the game engine’s highly scalable back-end will let you host your games for free as well.

Looking for an alternative to Ubuntu Software Centre? Try App Grid

Although the Ubuntu Software Centre is downright amazing since it lets you search, install, buy and manage applications with ease, there are always those who just can’t have enough of default programs and apps. They like to hunt in their own time for alternatives that might be easier to work with and offer greater functionality at the same time. App Grid is a handy alternative to Ubuntu’s Software Centre that you could try! Written from scratch, App Grid claims to provide considerably better start-up and response times as well as an intuitive interface. Of course, there are some shortcomings: it makes use of a gridded background pattern, among some other minor drawbacks, which users could ignore since it’s so responsive and takes so little time to load content. However, one aspect that open source fans might resent is that App Grid is closed source! If you’re ready to overlook these factors, App Grid is available for Ubuntu 12.04 LTS, 13.10 and 14.04 LTS. Simply add the following PPA to your software sources and install the package (the package name is a single word, appgrid):

sudo add-apt-repository -y ppa:appgrid/stable
sudo apt-get update && sudo apt-get install appgrid

You can use the .deb installer, too.

Kwheezy to change its name to Kebian once Debian Jessie gets stable

In tune with how Kubuntu represents Ubuntu, Kwheezy will most likely change its name to Kebian, once Debian Jessie becomes the stable Debian version. Notably, Kwheezy is a Debian 7 Wheezy fork that uses KDE as the default desktop environment. Readers will recall that the latest version of the system is Kwheezy 1.5. It is based on Debian 7.4 and uses KDE 4.8.4 as the default DE and kernel 3.2. The Debian Installer team earlier announced the arrival of the first Alpha build of the Debian 8 ‘Jessie’ version. Debian developers are known for releasing highly stable builds. The Debian 8 Jessie Alpha 1 release is therefore being pitched as one that is almost free of all kinks. It can be recalled that Jessie is the development version of Debian, for which work has been under way for quite some time now. The Debian 8 Jessie Alpha 1 is the first major official release from the Debian stable. The default desktop environment in the new Debian 8 Jessie is Xfce; however, a final decision on the exact environment to be shipped with the final release is expected to come in August 2014.

Apache launches Spark to boost Hadoop

In a bid to speed up jobs that run on the Hadoop data-processing platform, the Apache Software Foundation has announced the first production-ready release of its analysis software, ‘Spark’. Data-analysis jobs created by Apache Spark could run almost 100 times faster than standard Apache Hadoop MapReduce jobs. No wonder it has been dubbed the ‘Hadoop Swiss Army knife’. MapReduce has been widely criticised for executing jobs in batch mode, thereby not allowing real-time analysis of data. Spark, by contrast, lets you execute jobs in micro-batches, five seconds or less apart. It also provides greater stability compared to Twitter Storm, a real-time, stream-oriented Hadoop framework. Spark can be used for a variety of jobs, such as analysing live data. Features of the version 1.0 release include:
A stable API that developers can use to interact with Spark through their own apps
A Spark SQL component for accessing structured data, among others
Spark is fully compatible with Hadoop’s Distributed File System (HDFS), as well as with other Hadoop components such as YARN and the HBase distributed database.

It’s official: Ubuntu One is now gone for good!

Canonical has finally withdrawn its Ubuntu One service after announcing it was axing the Dropbox competitor earlier this year, as the South African firm goes all out to focus on its operating system. Canonical clearly lives by the theory of ‘survival of the fittest’, since it has also stopped its streaming music service. Users must mark their calendars, since stored data will be available for download only up to July 31, after which all stored data will be lost forever. Canonical had earlier attributed the lack of paid users and increased competition from Google Drive, Dropbox and other cloud storage services as the reason behind its own service floundering. “If we offer a service, we want it to compete on a global scale. For Ubuntu One to continue to do that would require more investments than we are willing to make,” CEO Jane Silber was quoted in a blog post. So here’s how you can grab your data before July 31, 2014: simply log in to your Ubuntu One account and hit the orange button found under the main notice. You’ll receive all your data as a .zip file. If you’re looking for a direct import tool, Canonical has teamed up with the cloud storage migration service mover.io for this very purpose. Simply create your account and transfer your data (approx 2 GB) to other services, such as Dropbox, Google Drive, etc, for free. Meanwhile, annual subscribers will receive a pro-rated refund soon.

Linux Mint 17 Qiana launched

The latest iteration of Linux Mint, a.k.a. ‘Qiana’, has finally been released by creator Clement Lefebvre. Both the Cinnamon and Mate versions are now available for download, with the KDE and XFCE versions coming out as well. Leaving behind a lot of the annoying traits of its previous versions, Linux Mint 16, also known as ‘Petra’, emerged as a solid release. With Linux Mint 17, the developers are trying to reach a new level. To start with, Qiana is an LTS release and the Mint team will support it until 2019. While Linux Mint 16 was based on Ubuntu 13.10, Qiana is based on Ubuntu 14.04 LTS. The rock-solid release (owing to its LTS nature) comes with a string of new improvements, particularly to the update manager, driver manager and the login screen. There is, however, no major overhaul in the design aspect. While Cinnamon and Mate users will feel at home, even Windows XP users could find Qiana a viable alternative. However, Qiana does have a fair share of known bugs:
It has issues with both Skype and DVD playback in VLC.
In some configurations, Qiana will not boot or will freeze in the presence of an NVidia graphics card, with the Mint team not disclosing which cards are affected.
The Mate version ships without Bluetooth support. Users will have to manually install a package to enable it.

Samsung Galaxy Gear leaves Android behind as it receives a Tizen update!

Samsung is slowly moving to its own Tizen platform, leaving Android behind. After launching a range of wearable devices that run on Tizen, the company has rolled out a Tizen update for its first and only smart watch running Android, the Samsung Galaxy Gear. The Korean smartphone maker has started rolling out the Tizen firmware update for the Galaxy Gear. The update is now available via Kies in select countries, and the company plans to make it available across the globe in the coming weeks. The update reportedly comes with improved performance. It also offers a standalone music player, customisable shortcuts for tap-based inputs, voice commands in the camera and more. However, there are no major UI changes. The improved battery life is a major plus. Do remember that the software update will wipe out all the data from your smart watch; so before you check out the update, ensure that you have a backup of your data. Also, you will need to re-pair your device with your Samsung smartphone or tablet. It is possible that with the update, some of the applications might not work, as they were made for Android.

Alcatel to launch ‘Made for India’ Firefox smartphone soon

If you were waiting for the Firefox-based Alcatel Onetouch Fire to arrive in India, we should tell you that it is not happening, ever! Instead, the company has plans to launch another Firefox OS-based smartphone exclusively made for India. In a tête-à-tête with EFYTimes.com, Piyush A Garg, project manager, APAC, BU India, said, “We will not launch the first Firefox smartphone in India, but we are working on an India-exclusive Firefox-based smartphone. The smartphone will be priced strategically for the Indian market and will be launched by the end of this year.” Garg said that the upcoming Firefox phone will be launched in the budget price bracket and will not be carrier-independent. He said, “Firefox OS needs to grow in India. Considering the fact that Android has such a huge base in India, we are waiting for the right time to launch the Firefox-based smartphones.”

Here’s the smallest Linux PC you’ve ever seen!

Mini Linux boards are quite popular amongst the open source community. The Raspberry Pi and BeagleBone boards are pretty popular in this arena. But these aren’t quite as small as a new mini Linux PC known as VoCore. The device may very well be the smallest Linux PC that has ever been made by anyone. It is reportedly only a coin-sized board that is fitted with 32 MB of SDRAM along with 8 MB of SPI flash memory and a 360 MHz SoC. The PC doesn’t have video-out capabilities and neither does it have a GPU. This means that the device isn’t powerful enough to be used to create a home theatre or for gaming and other such purposes. Moreover, reports suggest that its performance is quite sluggish compared to the Raspberry Pi. Don’t count it out just yet, though. The device has 10/100 Ethernet along with USB and 802.11n Wi-Fi support. In addition, it is capable of running OpenWrt, the embedded Linux distro, and can be used as an ultra-portable VPN router.

Ubuntu community manager Jono Bacon quits Canonical

Looks like it’s the summer of surprises for the open source community. After the very recent announcement of openSUSE community manager Jos Poortvliet quitting SUSE to join ownCloud, it’s now the turn of Ubuntu community manager Jono Bacon to hang up his boots. Jono will now be joining the XPRIZE Foundation as a senior director of community. Jono has been an iconic figure while building up the Ubuntu community that we know today. However, he leaves Canonical at a time when the company is reeling under a string of controversies, one of which involves Jono himself. He had called Richard M Stallman’s stand on Ubuntu’s privacy childish, a statement he later apologised for. Jono, however, insists he is not leaving Canonical due to any controversy but has simply gone ahead and grabbed an excellent opportunity that came his way. “I am not leaving Canonical due to problems; I am moving on to a new opportunity at XPRIZE. I actually wasn’t looking for a move; I was quite content in my role at Canonical, but XPRIZE came out of nowhere, and it felt like a good next step to move forward to,” Jono was quoted as saying.

Microsoft’s Outlook app for Android exposes e-mails to hacking, reports Include Security

Security research firm Include Security has shockingly revealed that Microsoft’s Outlook.com app for Android-based smartphones is prone to exploitation. The fact that it stores email attachments in the file system area of Android OS means these are exposed to any rogue or third-party app that has access to the user’s smartphone. The issue particularly affects users on versions of Android prior to 4.4 (KitKat). “This app is described as having been created by Seven Networks in conjunction or in association with Microsoft (i.e., it looks as if it was outsourced),” Include Security was quoted as saying in a blog post. On-device email storage has nothing to ensure the privacy of messages and attachments, said the firm. Since emails are stored on the app-specific file system, the PIN code feature of Microsoft’s app can protect only the graphical user interface. Evidently, the PIN code feature of the app cannot ensure the privacy of messages on the file system of the smartphone. “We feel users should be aware of cases like this as they often expect their phone’s emails to be ‘protected’ when using mobile messaging applications,” the firm added. Microsoft, on its part, has denied any such privacy concerns being a direct result of its own actions. “We use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure,” Microsoft was quoted in a statement. “Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data,” it added.

Calendar of forthcoming events

Deccan Ruby Conf. July 19, 2014; Pune
Description: A one-day, single-track conference that boasts of workshops and talks, for both beginners and experts from the software development industry.
Contact: Gautam Rege; Ph: 09881935656; Website: http://www.deccanrubyconf.org

Interop. July 24-25, 2014; New Delhi. September 4-5, 2014; Mumbai
Description: This event offers sessions and networking opportunities to all the attendees, and covers major areas like cloud computing and Big Data.
Contact: Sanket Karode; Ph: 9833525695; Website: http://www.interop.com

4th Annual Datacenter Dynamics Converged. September 18, 2014; Bengaluru
Description: The event aims to assist the community in the data centre domain by exchanging ideas, accessing market knowledge and launching new initiatives.
Contact: Praveen Nair; Email: Praveen.nair@datacenterdynamics.com; Ph: +91 9820003158; Website: http://www.datacenterdynamics.com/

Open Source India. November 7-8, 2014; NIMHANS Center, Bengaluru
Description: This is the premier open source conference in Asia that aims to nurture and promote the open source ecosystem across the sub-continent.
Contact: Omar Farooq; Email: omar.farooq@efy.in; Ph: 09958881862

CeBit. November 12-14, 2014; BIEC, Bengaluru
Description: This is one of the world’s leading business IT events, and offers a combination of services and benefits that will strengthen the Indian IT and ITES markets.
Contact: Website: http://www.cebit-india.com/

5th Annual Datacenter Dynamics Converged. December 9, 2014; Riyadh
Description: The event aims to assist the community in the data centre domain by exchanging ideas, accessing market knowledge and launching new initiatives.
Contact: Praveen Nair; Email: Praveen.nair@datacenterdynamics.com; Ph: +91 9820003158; Website: http://www.datacenterdynamics.com/

Google’s Apps Mobile Management for Android gets a major overhaul

As ‘bring your own device’ (BYOD) becomes a major part of how businesses operate today, global search engine giant Google has brought about a major overhaul in its Android management features. The overhaul is expected to help IT admins control access to the suite from Android-powered devices. As part of the overhaul, IT departments can trigger an account wipe in case a device hasn’t been synced with the server for a pre-determined period of time, courtesy Google Apps Mobile Management for Android. “So a lost device that wasn’t reported or the old device left in a drawer does not cause a security risk,” Clayton Jones, a product manager in Google’s enterprise unit, was quoted in a blog post. Google Apps Mobile Management is available for the Business, Education and Government editions of the suite. In addition, it can manage devices running iOS and Windows Phone, as well as smartphones and tablets using Microsoft Exchange ActiveSync, like the BlackBerry 10.

Looking to get started with OpenStack? Try Canonical’s new cloud-in-a-box

If you’re looking for a quick, easy way to get started with the intricacies of the OpenStack cloud infrastructure, Canonical is around to help! After generating rave reviews at the recent OpenStack Summit in Atlanta, Canonical’s cloud-in-a-box, a.k.a. the Orange Box, is now up for grabs. Encased within a rugged black flight-case frame with built-in handles, the Orange Box is meant to provide useful instruction on OpenStack and other technologies via the Ubuntu Jumpstart training programme. It will come loaded with Ubuntu 14.04 LTS, Metal-as-a-Service (MaaS) and Juju. “We are delighted to introduce a new delivery mechanism for Jumpstarts, leveraging the innovative Orange Box,” sources in the company were quoted in a statement. The statement said, “We’ll deliver an Orange Box to your office, and work with you for two days, learning the ins and outs of Ubuntu, MAAS, Juju, Landscape, and OpenStack, safely within the confines of an Orange Box and without disrupting your production networks. You get to keep the box for two weeks and carry out your own testing, experimentation and exploration of Ubuntu’s rich ecosystem of cloud tools. We will join you again, a couple of weeks later, to review what you learned and discuss scaling these tools into your own data centre, onto your own enterprise hardware.” The 16.8 kg box features 16 GB of DDR RAM, 10 four-core nodes and 120 GB of SSD storage. It will have an Intel i5-3427U CPU, an Intel HD4000 GPU and an Intel Gigabit network interface card (NIC). Built by Tranquil PC, the Orange Box can deploy OpenStack, Cloud Foundry and Hadoop workloads.

No more Cinnamon for Ubuntu users!

The popular Cinnamon PPA desktop environment for Ubuntu is going to be discontinued soon. According to reports, Gwendal Le Bihan, maintainer of the desktop environment, has announced that there will be no more stable releases. Bihan wrote: “The stable PPA is indeed no longer being maintained. The nightly PPA is being kept for development purposes and should not be used on any sort of production machine (it can and will break at any time). To be honest, I don’t have an alternative to offer Ubuntu users at the moment, apart from switching to a distribution that does support Cinnamon. There are many such distributions out there, and I’m only hoping for someone to (finally) step up on Ubuntu’s side to provide proper packages to its users.”

Researchers discover first true ransomware that attacks Android users!

A new Android malware has been discovered that can launch a full-blown ransom attack on a user’s device. According to reports, security firm ESET has discovered what is being called the first ever malware capable of encrypting data files on an Android smartphone, launching a ransom attack. The malware, known as Simplocker, is a Russian-language Trojan that reportedly scans the SD card of a user’s device or its internal storage, and encrypts data files with a range of extensions. This includes files with the extensions .doc, .jpg, .avi and .mp4. It uses strong 256-bit AES encryption to lock the files. Reports say that the splash screen from the malware states, as translated from Russian, “WARNING! Your phone is locked! The device is locked for viewing and distribution of child pornography, zoophilia and other perversions.” The malware then demands 260 Ukrainian Hryvnia (which is about £13 or $9), to be paid using MoneXy, in exchange for unlocking the data. According to ESET, the current prevalence of the malware is ‘very low’. It is reportedly targeting Android in Russian-speaking countries, where the virus is contracted after downloading an app called ‘Sex xionix’ from a third-party app store.

Google invites developers to submit Android Wear apps

Google has finally invited developers to take a shot at the new Android Wear platform. As the company’s I/O Developer Conference for this year approaches, Google has invited them to submit apps for the platform for feedback. Android Wear is Google’s platform for wearable devices, which will be showcased first on LG’s G Watch and Motorola’s Moto 360 smartwatches. In a tweet sent out by the company, the search giant wrote, “Have you created an app you’d like to get in the hands of #AndroidWear users? We’d like to see what you’ve built!…” Google’s Android Wear platform is a custom version of Android, tailored for wearable devices. The operating system was launched shortly after Samsung moved to its Tizen operating system for its new Gear smartwatches.

Ubuntu 12.10 Quantal Quetzal is no longer supported

Following 18 months of official support, Canonical has finally pulled the curtains down on Ubuntu 12.10 Quantal Quetzal. Ubuntu 12.10 is no longer supported, so users are advised to upgrade to Ubuntu 14.04 via Ubuntu 13.10. Ubuntu 12.10 was released on October 18, 2012. Canonical founder Mark Shuttleworth had announced that Ubuntu 12.10 would be named Quantal Quetzal on April 23, 2012, and it was the first of a series of three releases before the next LTS release. Meanwhile, support for the 13.10 release will also end in July. As such, Ubuntu’s latest release, 14.04 LTS, remains the only viable option for long-term Ubuntu users and its fan base.


Buyers’ Guide

Multi-Functional Printers: The Workflow Managers of Modern Workplaces

Gone are the days when printers just printed. Modern-day printers can do much more than what you expected five years ago. This article explores how multi-functional printers evolved and why you should consider buying them.

M

ulti-functional printers, commonly known as MFPs, have become the order of the day. With time, MFPs have evolved and reached a point where they can be complete productivity solutions that help businesses improve their workflow. The demand for MFPs is increasing as they have an additional edge (with respect to functionality) over single function devices. Companies dealing with these products have reported increased adoption by small, mediumsized businesses as well as large enterprises. The primary factors leading to MFP adoption include higher levels of efficiency, lower total cost of ownership, high quality prints, ease of use and the overall value they offer. Multifunction colour laser printers possess true multitasking abilities, while also offering users the competitive advantage of colour, when work demands it. Modern day MFPs have built-in capabilities that enable printing from the cloud and from mobile devices. MFPs now help workplaces of all sizes to significantly increase productivity and sustainability. They are also true enablers of the BYOD practice since they now have outstanding security features. But should you invest in MFPs when they are more expensive than regular printers? You can answer this allimportant question after a bit of analysis at your end. A few important things you must keep in mind before you make the final choice are listed below. 1. Evaluate your needs: Commenting on the points to consider while buying an MFP, Nitin Hiranandani, director, Printing Systems, PPS, HP India, says, “The first thing that one should look at is one’s requirements. Understanding the need of the end user is of prime importance. Also, knowing how exactly you can use the MFP to manage your documents, simplify workflow and reduce paper use is important. You should know how many print, copy, fax and email jobs you

22  |  July 2014  |  OPEN SOURCE For You  |  www.OpenSourceForU.com

would need on a daily basis. Also, arrive at an estimate on how many users will share the device and whether or not they need a colour capable device.” Ideally, MFPs can be categorised based on their intended use, which is broadly—office or home. If you are looking to buy an MFP for your home, you probably would want to opt for a photo quality device, which means, you should go for an inkjet model. Besides, if you love photography and want to print photographs from all sources including your camera, USB drive, memory cards, et al, you need a photo-lab MFP. If you are looking for a device specifically for an office set-up, your documents are likely to have more text than photos, which means that a laser-class printer is the one for you. The device will help you fax and email, and includes an automatic document feeder (ADF) to scan, copy, fax and email multi-page documents. However, if you are looking for a device for both home and office purposes, an inkjet MFP is the right choice for you, for the photo quality that it offers, along with its office-centric features like an ADF and fax modem. 2. What features do you want? An MFP can offer a wide array of features. So it is advisable to make a list of features that you want. Hiranandani asserts, “It’s a given that an MFP will offer features like printing, scanning and copying, but these features may not be as straightforward as one may think. Some MFPs have restrictions on scanning over a USB connection. So, if you plan to connect your MFP to a network connection, ensure that the scanning function works on the network too.” Some MFPs require a computer for copying. In case you want to copy documents without the computer, ensure that the MFP can work as a standalone copier. When it comes to faxing by an MFP, it operates as a standalone device, in most cases, with the user having control through the MFP’s keypad.


Buyers’ Guide

However, not all MFPs include the PC fax function, which allows faxing documents directly from the PC without having to print them first. MFPs can offer PC fax as a fax utility, as a fax driver that you use like a print driver, or both. Most MFPs today come with flatbed scanners, which are good for scanning photos or single-sheet documents, but an automatic document feeder (ADF) lets users easily scan, copy, fax and email multi-page documents. An ADF also lets you scan legal-sized pages on MFPs with letter-size flatbeds. Not all MFPs offer this, so be sure to check if that is a feature you require. If you deal with two-sided documents, an ADF offering duplex scanning (both sides of a page) is the apt choice.

3. Cost/value benefits: For an IT admin, knowing the total cost of ownership (TCO) is extremely important. While evaluating the TCO of a multi-functional printer, the initial cost of the hardware is not the only consideration. A number of other factors should be considered, including the cost of supplies. Once ink costs are taken into account, inkjet multifunction printers tend to cost much more to run than the higher-performing laser and solid-ink multifunction printers. The TCO of MFPs that are hard to use and maintain is comparatively higher, so check this aspect thoroughly before you invest in a device.

4. Multi-tasking abilities: An MFP is called a multifunction device because of its multi-tasking capabilities. But does multi-tasking mean the ability to perform many functions, or the ability to perform those functions simultaneously? Some products on the market offer multiple functions but cannot deliver all of them concurrently. This may eventually result in higher downtime due to bottlenecks. So beware!

5. Bi-directional communication capabilities: Good bi-directional communication across the network and at the device is essential to keep the workflow running smoothly. Any delay or disconnect in communicating accurate information on time can result in more intervention by the IT admin, further adding to their burden.

6. Vendor's long-term commitment: Before investing in an MFP, you should know what kind of device management, support and remote intelligence you will be offered. Ensure the vendor's commitment to providing a robust device. One of the things to check is the device relationship management software that helps optimise its availability and uptime. Look for a vendor who can provide superior response times and consistent quality of service. After all, to ensure a productive office, you must have your MFP up and running.

A few MFPs you could choose from

Xerox WorkCentre 7830, 7835, 7845 and 7855 MFPs

• All these devices offer 1200 x 2400 dpi, while advanced print heads with Digital Image Registration Control technology ensure precise control over colour matching.
• These MFPs print at speeds of up to 55 ppm and include a high-capacity feeder that holds 2,000 sheets of paper.
• They come with the 'Earth Smart' setting, helping businesses cut down on energy consumption with Xerox's EA Toner, which produces high-quality images using less toner per page and requiring lower temperatures during printing.



Xerox WorkCentre 5845, 5855, 5865, 5875 and 5890 MFPs

• The 5845 and 5855 models print and copy at up to 45 and 55 pages per minute (ppm) respectively. For businesses with higher print volumes, the 5865, 5875 and 5890 MFPs offer up to 90 ppm.
• They can scan full-colour documents at up to 200 images per minute.
• They come with a more efficient toner that provides superior image quality, lasts longer and is easily replaceable by any user in the office, decreasing both maintenance and downtime.
• They have several environmentally-sensitive features, including ENERGY STAR compliance, a 'power save' option that conserves electricity, and Xerox's 'Earth Smart' setting to help users select the most environmentally conscious print options.

HP Color LaserJet Pro MFP M476

• Supports embedded print options for Android-based devices as well as simple, secure mobile print options, including NFC touch-to-print and wireless direct.
• Comes with Lightweight Directory Access Protocol (LDAP) support, which simplifies access control for the scan, fax and copy functions and improves productivity with corporate email directory lookup.
• Comes in two variants: the HP Color LaserJet Pro MFP M476nw and the M476dn.

HP LaserJet Pro MFP M126nw

• Offers print, copy, scan and fax features.
• Comes with wireless direct printing, allowing small business owners to stay productive with easy, intuitive printing from smartphones, tablets and PCs.
• The first HP three-in-one black-and-white laser printer with network and wireless features, making it an affordable proposition for SMB customers.



Canon imageRUNNER ADVANCE C2220

• Offers productivity in a smaller form factor.
• 20 ppm in black and white, and in colour.
• Intuitive 17.7-cm (7-inch) TFT LCD touchscreen with tilt.
• Easy user access and usage control.
• Supports finishing and flexible media options.
• Offers cloud connectivity.

Samsung SCX-4701ND

• Offers formats ranging from single-sided pages to double-sided booklets. The double-sided printing capabilities reduce costs significantly and make your paper supplies last longer.
• Boasts green performance thanks to EcoMode.

By: Diksha P Gupta The author is senior assistant editor at EFY.

With inputs from HP, Samsung and Xerox.



Developers

Let's Try

Haskell: The Purely Functional Programming Language Haskell, an open source programming language, is the outcome of 20 years of research. It has all the advantages of functional programming and an intuitive syntax based on mathematical notation. This article flags off a series in which we will explore Haskell at length.

Haskell is a statically typed, general-purpose programming language. Code written in Haskell can be compiled and can also be run with an interpreter. Static typing helps catch plenty of bugs at compile time. Haskell's type system is very powerful and can infer types automatically. Functions are first-class citizens and you can pass them around as arguments. It is a pure functional language and employs lazy evaluation by default, though strict evaluation and procedural-style code are also supported. Haskell code is known for its brevity. The latest language standard is Haskell 2010. The language supports many extensions, and has been evoking widespread interest in the industry due to its capability to run algorithms on multi-core systems; it supports concurrency, including software transactional memory. Haskell allows you to quickly create prototypes with its platform and tools. The Hoogle and Hayoo API search engines are available to query and browse Haskell packages and libraries. The entire set of Haskell packages is available on Hackage.

The Haskell platform contains all the software required to get you started. On GNU/Linux, you can use your distribution's package manager to install it. On Fedora, for example, you can use the following command:

    # yum install haskell-platform

On Ubuntu, you can use the following:

    # apt-get install haskell-platform

On Windows, you can download and run HaskellPlatform-2013.2.0.0-setup.exe from the Haskell platform website and follow the instructions. For Mac OS X, download either the 32-bit or 64-bit .pkg file and click on it to proceed with the installation. The most popular Haskell implementation is the Glasgow Haskell Compiler (GHC), which ships with an interactive interpreter, GHCi. To use it, run ghci from the command prompt on your system:

    $ ghci
    GHCi, version 7.6.3: http://www.haskell.org/ghc/  :? for help
    Loading package ghc-prim ... linking ... done.
    Loading package integer-gmp ... linking ... done.
    Loading package base ... linking ... done.
    Prelude>

The Prelude prompt indicates that the basic Haskell library module has been imported for your use. To exit from GHCi, type :quit at the Prelude prompt:

    Prelude> :quit
    Leaving GHCi.

The basic data types used in Haskell are discussed below. A Char represents a Unicode character. You can view the type of an expression using the :type command at the GHCi prompt:

    Prelude> :type 's'
    's' :: Char


The '::' symbol separates the expression on the left from its data type on the right. A Bool data type represents a logical value of either True or False:

    Prelude> :type True
    True :: Bool

Signed integers with a fixed width are represented by the Int data type, while Integer is used for signed integers of arbitrary size:

    Prelude> 5
    5

The Double and Float types represent floating-point values; Double has the greater precision:

    Prelude> 3.0
    3.0

The basic data types can be combined to form composite types. Two widely used composite types in Haskell are lists and tuples. A list is a collection of elements of the same data type enclosed within square brackets. A list of characters is shown below:

    Prelude> :type ['a', 'b', 'c']
    ['a', 'b', 'c'] :: [Char]

Static typing in Haskell produces errors at compile time (or load time in GHCi) when you mix data types inside a list. For example:

    Prelude> ['a', 1, 2]
    <interactive>:7:7:
        No instance for (Num Char) arising from the literal `1'
        Possible fix: add an instance declaration for (Num Char)
        In the expression: 1
        In the expression: ['a', 1, 2]
        In an equation for `it': it = ['a', 1, 2]

You can have a list of lists as long as it contains the same data type:

    Prelude> :type [['a'], ['b', 'c']]
    [['a'], ['b', 'c']] :: [[Char]]

A tuple is an ordered list of elements with a fixed size, enclosed within parentheses, where each element can be of a different data type. For example:


    Prelude> :type ('t', True)
    ('t', True) :: (Char, Bool)

Note that a tuple of type (Char, Bool) is different from a tuple of type (Bool, Char):

    Prelude> :t (False, 'f')
    (False, 'f') :: (Bool, Char)

Haskell originates from the theory of lambda calculus, which was developed by Alonzo Church to formally study mathematics. In 1958, John McCarthy created Lisp, which relates programming to lambda calculus. Robin Milner created a functional programming language called ML (meta language) in the early 1970s for automated proofs of mathematical theorems. During the 1980s, there were a number of lazy functional programming languages scattered across the research community. Miranda was a very popular proprietary programming language released by Research Software Ltd in 1985. A need arose to unify the different research developments, for which a committee was formed, and the first version of the standard was released in 1990. It was called Haskell 1.0, after the mathematician and logician Haskell Brooks Curry. Subsequently, there were four revisions: 1.1, 1.2, 1.3 and 1.4. The Haskell 98 report followed (published in 1999). Haskell 2010, announced in 2009 and published in 2010, is the latest standard as on date. It includes a Foreign Function Interface (FFI) for interfacing with other programming languages. The Hugs interpreter is useful for teaching, while the Glasgow Haskell Compiler (GHC) is the most widely used implementation. John Hughes' paper 'Why Functional Programming Matters' is an excellent read. A number of software companies have begun using Haskell in production systems. We shall be exploring more features, constructs and uses of the language in future articles.

References
[1] Haskell: http://haskell.org/
[2] Haskell 2010: http://www.haskell.org/haskellwiki/Haskell_2010
[3] Hoogle: http://www.haskell.org/hoogle/
[4] Hayoo: http://holumbus.fh-wedel.de/hayoo/hayoo.html
[5] Hackage: http://hackage.haskell.org/
[6] Haskell Platform: http://www.haskell.org/platform/
[7] Glasgow Haskell Compiler: http://www.haskell.org/ghc/

By: Shakthi Kannan The author is a free software enthusiast and blogs at shakthimaan.com




Insight


Where does OpenSSL fit in?

OpenSSL is a commercial-grade open source toolkit, under an Apache-style licence, which according to Wikipedia is used, directly or indirectly, by two-thirds of all Web users, as of 2014! It is used in everything from quick personal scripts to some of the largest commercial email and Web services. It provides an implementation of the Secure Sockets Layer (SSL) v2 and v3 and Transport Layer Security (TLS) 1.0, 1.1 and 1.2 protocols (TLS 1.1 and 1.2 since version 1.0.1), as well as a default software implementation of general-purpose cryptographic algorithms. Note that SSLv2 has been prohibited by RFC 6176 since 2011 and SSLv3 was superseded by TLS in 1999; a deployment should switch both off with SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 even though the toolkit still implements them. OpenSSL is now widely accepted and is applied in various ways in the real world. It is used as a command line utility and as a library linked into userland applications. It is used in Perl scripts, and there are open source projects that develop wrappers around the OpenSSL library (like pyOpenSSL, which provides a Python wrapper around it). But, more importantly, it is used in commercial servers handling millions of SSL/TLS sessions.

Customising OpenSSL

For TLS communication, OpenSSL (by default, through its connect BIO) first establishes a TCP socket connection to the other end at the specified IP address and port number. It then exchanges handshake messages over this connection to establish a TLS session, and uses the resulting secure connection to carry data, as TLS records, to and from the other end. OpenSSL provides a library called libcrypto, which is its default software implementation of the cryptographic operations used for TLS and is also exposed through its interface as utility crypto APIs. The software implementation in libcrypto is good enough for many general-purpose SSL/TLS clients and servers such as browsers, and for all general-purpose libcrypto utility users. However, it may not be enough for real-world applications processing large amounts of traffic. The OpenSSL developers understand this need and have provided a way forward through customisation.

Dedicated hardware helps

Cryptographic operations are typically iterative and involve intense processing. Asymmetric key algorithms like RSA, in particular, are used during the initial handshake while establishing an SSL/TLS connection. When processing a large number of TLS connections, for example on an HTTPS server handling millions of connections, the encryption and decryption performed in software on general-purpose processors can be very heavy. This slows down processing on the server, even affecting its core functionality.

Figure 1: SSL traffic growth

Dedicated hardware accelerators called Hardware Security Modules (HSMs) are commercially available in various forms, such as PCI cards, that can be hooked in for faster encryption and decryption. Some modules accelerate only certain asymmetric key algorithms like RSA, thus speeding up the initial handshake. Some speed up symmetric key block ciphers like AES, thus raising encrypted data throughput. Some do both. Based on the requirement, implementers can pick and choose the right hardware acceleration.

Processing speed apart, a hardware cryptographic module can protect keys better than a software implementation, because private keys are generated and used inside the module and never exported to the host. The FIPS 140-2 standard, defined by the US National Institute of Standards and Technology (http://nist.gov), specifies four security levels for a cryptographic module. The higher levels, which add physical tamper evidence and tamper resistance against key disclosure, can be met only by a hardware module. Based on these standards, certain businesses like banks mandate a higher-level security requirement, which in turn requires external hardware for cryptographic operations.

Using HSMs with OpenSSL

As discussed earlier, OpenSSL is a commercial-grade toolkit. It has a very robust, well-written TLS protocol implementation. To take best advantage of this, OpenSSL provides an engine interface to hook an HSM in for hardware acceleration of crypto operations while still using OpenSSL for the TLS protocol. The caller code for OpenSSL's interface remains the same with or without hardware acceleration, as the EVP/SSL interface is not affected. Also, though the engine interface primarily targets HSMs, it need not be hardware only: an external software implementation can also be hooked into OpenSSL through the engine interface, based on the implementation's needs.

Overriding the default communication channel in OpenSSL

Contrary to the assumption in the default implementation, a TCP connection may not always be the medium to communicate TLS records. Sometimes, even if the default software crypto implementation of OpenSSL is good enough, a direct connection over TCP may not be possible. For example, in embedded systems, the communication stack may not be directly available. However, a TLS session would have to be established. The TLS records may be exchanged with higher layers over RPC or event notifications, and the higher layers will be involved in establishing a TCP/ application layer connection with the server side. This would mean overriding the communication behaviour of OpenSSL. For such an activity, OpenSSL provides an interface called the BIO interface.

The architecture of OpenSSL

As mentioned earlier, OpenSSL can be used as a command line utility or can be used as a library linked into the user’s application. Hence, the layering is as described in Figure 2. Below the command line interface are the EVP layer and the SSL interface layer. These are typically the interfaces for the caller code to use the cryptographic functions of OpenSSL. Below that is the actual SSL/TLS default implementation and interfaces to hook in external overrides. Figure 2 illustrates the layering and architecture of OpenSSL.

Going under the hood

In this section, we go into the open source code and see how OpenSSL is implemented by default. To follow this section, please download the OpenSSL sources tarball from http://www.openssl.org/source/ and extract it. At the time of writing this article, OpenSSL 1.0.1g is the latest version, so all illustrations are based on this version. Remember that since OpenSSL is an evolving toolkit, file names, variable names, etc, might have changed if you download a different version; it is best to download the same version to avoid confusion. For convenience, we will refer to the directory into which OpenSSL has been extracted as $(ROOT).

Figure 2: Different layers of SSL. From top to bottom: command line interface; EVP interface and SSL interface, over the default crypto implementation and the SSL/TLS implementation; engine interface, to which external hardware accelerators attach; BIO interface, to which external communication hooks attach; utilities (data structures, error reporting, etc).

Using the engine interface

The engine interface is declared in the header $(ROOT)/include/openssl/engine.h, and the support for specific hardware lives in the $(ROOT)/crypto/engine/ directory. Each engine is designated by an engine ID string, and OpenSSL ships by default with implementations for some software engines and interfaces for a few hardware engines. Once ENGINE_load_builtin_engines() has registered them, a call to ENGINE_by_id() returns the corresponding engine object. For example, 'cswift' is the ID for CryptoSwift acceleration hardware, while 'ubsec' is for Broadcom uBSec acceleration hardware. The default engine ID is 'openssl', which uses the built-in default software implementation. Once the engine object is obtained, ENGINE_init() acquires a functional reference (loading the hardware driver, if any) and ENGINE_set_default() makes that engine the default for every algorithm it implements. The interface provides several functions to set external implementations for specific algorithms. To hook in an external RSA implementation:

    int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);

To hook in an external DSA implementation:

    int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);

Likewise, for the other algorithms:

    int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *ecdh_meth);
    int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *ecdsa_meth);
    int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
    int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
    int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *store_meth);

Any one or more of the cryptographic functions can be overridden. For the algorithms that are not set, the default implementation is used. If you take a look at $(ROOT)/crypto/engine/eng_openssl.c you can see how the default engine is loaded in the OpenSSL code. The code snippet below is taken from that file.

    /* The constants used when creating the ENGINE */
    static const char *engine_openssl_id = "openssl";
    static const char *engine_openssl_name = "Software engine support";

    /* This internal function is used by ENGINE_openssl() and possibly by the
     * "dynamic" ENGINE support too */
    static int bind_helper(ENGINE *e)
    {
        if (!ENGINE_set_id(e, engine_openssl_id)
            || !ENGINE_set_name(e, engine_openssl_name)
    #ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
    #ifndef OPENSSL_NO_RSA
            || !ENGINE_set_RSA(e, RSA_get_default_method())
    #endif
    #ifndef OPENSSL_NO_DSA
            || !ENGINE_set_DSA(e, DSA_get_default_method())
    #endif
    #ifndef OPENSSL_NO_ECDH
            || !ENGINE_set_ECDH(e, ECDH_OpenSSL())
    #endif
    #ifndef OPENSSL_NO_ECDSA
            || !ENGINE_set_ECDSA(e, ECDSA_OpenSSL())
    #endif
    #ifndef OPENSSL_NO_DH
            || !ENGINE_set_DH(e, DH_get_default_method())
    #endif
            || !ENGINE_set_RAND(e, RAND_SSLeay())
    #ifdef TEST_ENG_OPENSSL_RC4
            || !ENGINE_set_ciphers(e, openssl_ciphers)
    #endif
    #ifdef TEST_ENG_OPENSSL_SHA
            || !ENGINE_set_digests(e, openssl_digests)
    #endif
    #endif
    #ifdef TEST_ENG_OPENSSL_PKEY
            || !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
    #endif
            )
            return 0;
        /* If we add errors to this ENGINE, ensure the error handling is setup here */
        /* openssl_load_error_strings(); */
        return 1;
    }

    static ENGINE *engine_openssl(void)
    {
        ENGINE *ret = ENGINE_new();
        if (!ret)
            return NULL;
        if (!bind_helper(ret)) {
            ENGINE_free(ret);
            return NULL;
        }
        return ret;
    }

    void ENGINE_load_openssl(void)
    {
        ENGINE *toadd = engine_openssl();
        if (!toadd)
            return;
        ENGINE_add(toadd);
        /* If the "add" worked, it gets a structural reference. So either way,
         * we release our just-created reference. */
        ENGINE_free(toadd);
        ERR_clear_error();
    }

The good thing about the engine interface is that an engine need not be one of the software and hardware implementations that OpenSSL supports by default; it can be your own implementation. So, let us assume we have a software token implementation that implements the RSA algorithm. Let us write sample code that registers our implementation with the OpenSSL engine interface. Let's call our engine 'mytest'. The l_* callbacks and the LOG_AND_EXIT macro are locally implemented and not shown.

    /* Register our own 'mytest' engine with OpenSSL */
    ENGINE *eng = ENGINE_new();
    if (eng == NULL) {
        LOG_AND_EXIT("There was an error allocating mytest engine");
    }
    if (0 == (ENGINE_set_id(eng, "mytest")
              && ENGINE_set_name(eng, "MyTest OpenSSL Engine")
              && ENGINE_set_load_privkey_function(eng, l_LoadMyTestPrivateKey)
              && ENGINE_set_ciphers(eng, l_CiphersCb)
              && ENGINE_set_default_ciphers(eng)
              && ENGINE_set_digests(eng, l_DigestsCb)
              && ENGINE_set_default_digests(eng)
              && ENGINE_set_RSA(eng, l_EngineRsaMethod()))) {
        LOG_AND_EXIT("There was an error registering mytest engine");
    }
    if (0 == ENGINE_add(eng)) {
        LOG_AND_EXIT("There was an error adding mytest engine");
    }
    if (0 == ENGINE_init(eng)) {
        LOG_AND_EXIT("There was an error initing mytest engine");
    }
    /* Setting an RSA_METHOD is not enough on its own: make the engine the
       default for RSA so that RSA operations are actually routed through it */
    if (0 == ENGINE_set_default_RSA(eng)) {
        LOG_AND_EXIT("There was an error making mytest the default RSA engine");
    }
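Once such an engine has been built as a shared object, it can also be loaded without touching the application's code, through the ENGINE configuration module in openssl.cnf. The fragment below is an added example of that standard configuration syntax and is not taken from the original article; the engine ID 'mytest' follows the snippet above, while the library path is an assumption.

```ini
# openssl.cnf fragment: load the 'mytest' engine via the built-in 'dynamic' engine.
# The engine ID and the .so path are assumptions for this example.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
mytest = mytest_section

[mytest_section]
engine_id = mytest
dynamic_path = /usr/local/lib/engines/libmytest.so
# Route only RSA through the engine; every other algorithm stays in libcrypto
default_algorithms = RSA
init = 1
```

The openssl command line tool reads this file on start-up, so openssl engine -t -c mytest shows whether the engine loads and which algorithms it supplies; an application linked against the library has to call OPENSSL_config(NULL) for the file to be processed. Keeping default_algorithms narrow is the conservative choice, since it limits how much of your cryptography depends on the external code.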

Customising the SSL/TLS communication channel

The BIO interface is an I/O abstraction layer that allows different kinds of I/O mechanisms to be implemented, to customise communication as per real-world needs. It is meant for implementers who look at the TLS implementation as a black box but want to customise only the communication to suit their needs. The BIO interface can be found in $(ROOT)/include/openssl/bio.h. There are two types of BIOs: a source-sink BIO and a filter BIO. The basic communication mechanisms, for example communication over a socket or a file (yes, TLS records can be written to and read from a file descriptor; remember, this could be a device file too), can be overridden with a source-sink BIO. As the name suggests, it sits at the bottom of a BIO chain and is where data is read from (the source) and written to (the sink). For filtering, buffering and translation, you use a filter BIO; the SSL/TLS layer itself is a filter BIO, BIO_f_ssl(), which is what BIO_new_ssl() creates. You can pick one source-sink BIO and any number of filter BIOs and stack them one on top of the other, like building blocks. A BIO is overridden by registering a structure called BIO_METHOD, which contains hooks for the different I/O operations. The following snippet from $(ROOT)/include/openssl/bio.h lists the BIO methods provided by OpenSSL:

    BIO_METHOD *BIO_s_mem(void);
    BIO *BIO_new_mem_buf(void *buf, int len);
    BIO_METHOD *BIO_s_socket(void);
    BIO_METHOD *BIO_s_connect(void);
    BIO_METHOD *BIO_s_accept(void);
    BIO_METHOD *BIO_s_fd(void);
    #ifndef OPENSSL_SYS_OS2
    BIO_METHOD *BIO_s_log(void);
    #endif
    BIO_METHOD *BIO_s_bio(void);
    BIO_METHOD *BIO_s_null(void);
    BIO_METHOD *BIO_f_null(void);
    BIO_METHOD *BIO_f_buffer(void);
    #ifdef OPENSSL_SYS_VMS
    BIO_METHOD *BIO_f_linebuffer(void);
    #endif
    BIO_METHOD *BIO_f_nbio_test(void);
    #ifndef OPENSSL_NO_DGRAM
    BIO_METHOD *BIO_s_datagram(void);
    #ifndef OPENSSL_NO_SCTP
    BIO_METHOD *BIO_s_datagram_sctp(void);
    #endif
    #endif

You may have noticed that the naming convention for a source-sink BIO is BIO_s_* and for a filter BIO it is BIO_f_*. These functions return BIO_METHOD structures containing the hooks that implement the behaviour of each BIO. These BIO methods are implemented by OpenSSL itself and are used for its default communication as well. So the core functionality of a BIO is in its BIO_METHOD. Now, let's look at how OpenSSL implements these BIOs. We will look at how a basic socket connection is implemented in OpenSSL and then at how we can override the default. If you take a look at $(ROOT)/crypto/bio/bss_conn.c, you can see the BIO_METHOD structure that contains the hooks for the different operations on a socket connection. The code snippet is as follows:

    static BIO_METHOD methods_connectp = {
        BIO_TYPE_CONNECT,
        "socket connect",
        conn_write,
        conn_read,
        conn_puts,
        NULL, /* connect_gets, */
        conn_ctrl,
        conn_new,
        conn_free,
        conn_callback_ctrl,
    };

In this code, BIO_TYPE_CONNECT specifies that it is a connection BIO. conn_write implements writing to the socket and conn_read implements reading from it; both first call conn_state() to bring the TCP connection up if it is not yet established. conn_ctrl implements control operations such as setting the host name and port (BIO_C_SET_CONNECT) and driving the connect state machine (BIO_C_DO_STATE_MACHINE). The implementations of all these functions are in the same file. As explained earlier, this is the default implementation in OpenSSL. To override it, we implement our own hooks. Given below is a code snippet that implements a user-defined BIO method and registers it with OpenSSL's BIO interface, then runs a TLS client over it. Note that the SSL BIO pushed on top only drives the TLS handshake; it is our read and write callbacks that have to establish and use the real transport, just as conn_read and conn_write do. The client also verifies the server certificate against CA_FILE; CA_FILE and OUT_FILE are assumed file names.

    #include <stdio.h>
    #include <openssl/bio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    #define OUT_FILE "response.out"   /* assumed: where the server's reply is written */
    #define CA_FILE  "ca.pem"         /* assumed: CA bundle used to verify the server */

    /* Jump to the EXIT label in main() if an OpenSSL call fails */
    #define RET(x) do { if (!(x)) { \
            fprintf(stderr, "failed: %s\n", #x); \
            ERR_print_errors_fp(stderr); \
            goto EXIT; } } while (0)

    /* Locally implemented callbacks; their bodies depend on the transport being wrapped */
    static int  l_bio_WriteCallback(BIO *b, const char *buf, int len);
    static int  l_bio_ReadCallback(BIO *b, char *buf, int len);
    static int  l_bio_PutsCallback(BIO *b, const char *str);
    static long l_bio_CtrlCallback(BIO *b, int cmd, long num, void *ptr);
    static int  l_bio_NewCallback(BIO *b);
    static int  l_bio_FreeCallback(BIO *b);
    /* Loads the client certificate and key into ctx; returns 1 on failure */
    static int  l_SetPrivateKeyAndCert(SSL_CTX *ctx);

    static BIO_METHOD methods_connect = {
        BIO_TYPE_CONNECT,
        "Connect overrides",
        l_bio_WriteCallback,   /* write: must also bring the transport up, like conn_write */
        l_bio_ReadCallback,    /* read: likewise */
        l_bio_PutsCallback,    /* puts */
        NULL,                  /* gets: not needed */
        l_bio_CtrlCallback,    /* ctrl: override or log the BIO_C_* commands */
        l_bio_NewCallback,     /* create: allocate per-BIO state */
        l_bio_FreeCallback,    /* destroy: release it */
        NULL,                  /* callback_ctrl */
    };

    /* Initialise the OpenSSL library */
    static void l_InitOpenSSL(void)
    {
        ERR_load_crypto_strings();
        ERR_load_SSL_strings();
        OpenSSL_add_all_algorithms();
        SSL_library_init();
        SSL_load_error_strings();
    }

    int main(void)
    {
        BIO *out = NULL, *con = NULL, *ssl_bio = NULL;
        SSL_CTX *ctx = NULL;
        SSL *ssl = NULL;
        FILE *fd = NULL;
        int len = 0;
        char tmpbuf[1024];

        /* Initialise */
        l_InitOpenSSL();

        /* Negotiate the highest TLS version both sides support; keep SSLv2/v3 off */
        RET(ctx = SSL_CTX_new(SSLv23_client_method()));
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

        /* Verify the server's certificate chain; without this any certificate is accepted */
        RET(SSL_CTX_load_verify_locations(ctx, CA_FILE, NULL));
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);

        /* For client authentication */
        if (1 == l_SetPrivateKeyAndCert(ctx)) {
            fprintf(stderr, "key init failed\n");
            goto EXIT;
        }

        /* Our source-sink BIO at the bottom, the SSL filter BIO (client mode) on top */
        RET(con = BIO_new(&methods_connect));
        RET(ssl_bio = BIO_new_ssl(ctx, 1));
        RET(BIO_push(ssl_bio, con));
        BIO_get_ssl(ssl_bio, &ssl);
        if (!ssl) {
            fprintf(stderr, "Can't locate SSL pointer\n");
            goto EXIT;
        }
        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

        RET(fd = fopen(OUT_FILE, "w"));
        RET(out = BIO_new_fp(fd, BIO_NOCLOSE));

        /* Runs the TLS handshake through our callbacks */
        if (BIO_do_connect(ssl_bio) <= 0) {
            fprintf(stderr, "Error connecting to server\n");
            printf("state = %s\n", SSL_state_string_long(ssl));
            ERR_print_errors_fp(stderr);
            goto EXIT;
        }

        /* Connection: close makes the server end the response, so the read loop terminates */
        BIO_puts(ssl_bio, "GET <some specific file> HTTP/1.1\r\n"
                          "Host: <IP address>:443\r\n"
                          "Connection: close\r\n\r\n");
        for (;;) {
            len = BIO_read(ssl_bio, tmpbuf, sizeof(tmpbuf));
            if (len <= 0)
                break;
            BIO_write(out, tmpbuf, len);
        }
        SSL_shutdown(ssl);
        printf("state read = %s\n", SSL_state_string_long(ssl));

    EXIT:
        BIO_free_all(ssl_bio);      /* also frees the pushed connect BIO */
        BIO_free(out);
        if (fd)
            fclose(fd);
        SSL_CTX_free(ctx);
        return 0;
    }
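The same idea in a form you can run without any server, as an added example written for this revision and not part of the original article: Python's ssl module exposes OpenSSL's memory BIOs as ssl.MemoryBIO, so the script below performs a full TLS handshake and an application data exchange between a client and a server whose records never touch a socket. The script itself carries the bytes across, which is exactly the role a custom source-sink BIO plays when the transport is RPC, a device file or an event queue. It assumes the openssl command line tool is on the PATH (used only to generate a throwaway self-signed certificate); the request and response strings are constructed sample data.

```python
"""TLS over a memory transport, the way an overridden source-sink BIO works.

Added example, not part of the original article: ssl.MemoryBIO is Python's
binding for OpenSSL's memory BIO, so the TLS engine reads and writes records
to buffers and this script decides how the bytes travel between the client
and the server. A custom BIO does the same job for RPC, device files or event
queues. The only external dependency is the openssl CLI, used to generate a
throwaway self-signed certificate.
"""
import os
import ssl
import subprocess
import tempfile

MAX_STEPS = 50  # upper bound on transport round trips, so a broken link cannot spin forever

# Constructed sample traffic
SAMPLE_REQUEST = b"GET /status HTTP/1.0\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.0 200 OK\r\n\r\nok"


def make_self_signed_cert(directory):
    """Write key.pem and cert.pem for localhost (SAN included, which hostname checks need)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


class MemoryTransport:
    """A client and a server SSLObject joined by memory BIOs instead of a socket."""

    def __init__(self, cert, key):
        server_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        server_ctx.load_cert_chain(cert, key)
        # The client trusts only our throwaway certificate and checks the host name
        client_ctx = ssl.create_default_context(cafile=cert)

        self.c_in, self.c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
        self.s_in, self.s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
        self.client = client_ctx.wrap_bio(self.c_in, self.c_out, server_hostname="localhost")
        self.server = server_ctx.wrap_bio(self.s_in, self.s_out, server_side=True)

    def pump(self):
        """Carry pending TLS records across the 'wire' in both directions; return bytes moved."""
        moved = 0
        for src, dst in ((self.c_out, self.s_in), (self.s_out, self.c_in)):
            data = src.read()
            if data:
                dst.write(data)
                moved += len(data)
        return moved

    def handshake(self):
        """Drive both state machines until each reports the handshake complete."""
        pending = [self.client, self.server]
        for _ in range(MAX_STEPS):
            for endpoint in list(pending):
                try:
                    endpoint.do_handshake()
                    pending.remove(endpoint)
                except ssl.SSLWantReadError:
                    pass  # needs records the other side has not sent yet
            self.pump()
            if not pending:
                return
        raise RuntimeError("handshake did not complete")

    def send(self, src, dst, payload):
        """Encrypt on src, move the records across, decrypt on dst and return the plaintext."""
        src.write(payload)
        for _ in range(MAX_STEPS):
            self.pump()
            try:
                return dst.read(65536)
            except ssl.SSLWantReadError:
                continue  # only non-application records (e.g. session tickets) so far
        raise RuntimeError("no application data received")


def run_exchange(request=SAMPLE_REQUEST, response=SAMPLE_RESPONSE):
    """Handshake, send a request and a response, and report what each side decrypted."""
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed_cert(workdir)
        link = MemoryTransport(cert, key)
        link.handshake()
        server_saw = link.send(link.client, link.server, request)
        client_saw = link.send(link.server, link.client, response)
        subject = dict(rdn[0] for rdn in link.client.getpeercert()["subject"])
        return {
            "version": link.client.version(),
            "peer_cn": subject.get("commonName"),
            "server_saw": server_saw,
            "client_saw": client_saw,
        }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value!r}")
```

Running it prints the negotiated TLS version, the verified peer name and the two decrypted payloads. The client side verifies the server certificate and host name exactly as it would over a socket, which is the point: the BIO layer changes how records travel, not what the TLS layer checks.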


Finally, customise only if you have to

Everything has a flip side. Hardware acceleration, for example, is a good thing, but it comes with its own drawbacks like the initial cost, the cost of upgrading, defect fixing, etc. There may be easier alternatives already supported in OpenSSL. One such example is AES-NI support. To achieve faster speeds, the x86 instruction set was extended with the Advanced Encryption Standard New Instructions (AES-NI), supported on some Intel and AMD processors, as detailed at http://en.wikipedia.org/wiki/AES_instruction_set. From version 1.0.1 onwards, the default AES implementation in OpenSSL's libcrypto uses AES-NI automatically when the CPU reports it, so no engine has to be configured; openssl speed -evp aes-128-cbc shows the throughput you are actually getting.

References
[1] Accelerating OpenSSL using Intel QuickAssist technology: http://www.intel.co.uk/content/dam/www/public/us/en/documents/solution-briefs/accelerating-openssl-brief.pdf
[2] Global Internet Phenomena Report: www.electronics.dit.ie/staff/dclarke/Other Files/Sandvine_Global_Internet_Phenomena_Report_2H_2012.pdf
[3] Wikipedia on OpenSSL: http://en.wikipedia.org/wiki/OpenSSL
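Before buying hardware, it is worth checking whether the build you already have is using AES-NI. The script below is an added example written for this revision, not code from the original article: it runs openssl speed twice, the second time with the AES-NI capability bit masked out through the OPENSSL_ia32cap environment variable, and compares the reported AES-128-CBC throughput. It assumes an openssl binary of version 1.1.0 or later on the PATH (for the -seconds and -bytes options); the two sample outputs embedded for the parser are constructed.

```python
"""Is the installed OpenSSL really using AES-NI?

Added example, not from the original article. It runs `openssl speed -evp
aes-128-cbc` twice, the second time with the AES-NI CPUID bit masked out via
OPENSSL_ia32cap, and compares the reported AES-128-CBC throughput. A large
ratio means the default EVP code path is already hardware accelerated and no
engine is needed. Needs the openssl binary, 1.1.0 or later for -seconds/-bytes.
"""
import os
import subprocess

# OPENSSL_ia32cap carries CPUID(1).EDX in the low 32 bits and CPUID(1).ECX in the
# high 32 bits; the AES-NI flag is ECX bit 25, i.e. bit 57 of the combined value.
AESNI_OFF = "~0x200000000000000"

# Constructed sample outputs for the parser, in the two row-label styles seen in practice
SAMPLE_OUTPUT_1_1 = """The 'numbers' are in 1000s of bytes per second processed.
type              8192 bytes
aes-128-cbc     1048576.00k
"""
SAMPLE_OUTPUT_3_0 = """version: 3.0.2
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC     524288.00k   786432.00k  1000000.00k  1100000.00k  1200000.00k  1250000.00k
"""


def parse_speed_output(text, block_bytes):
    """Return the AES-128-CBC figure (kB/s) for the given block size from `openssl speed` output."""
    header = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "type":  # column header: "type  16 bytes  64 bytes ..."
            header = [int(fields[i]) for i in range(1, len(fields), 2)]
        elif fields[0].lower() == "aes-128-cbc" and header:
            values = [float(v.rstrip("k")) for v in fields[1:]]
            return values[header.index(block_bytes)]
    raise ValueError("no AES-128-CBC row found in openssl speed output")


def aes_cbc_throughput(disable_aesni=False, seconds=1, block_bytes=8192):
    """Run `openssl speed` and return AES-128-CBC throughput in kB/s."""
    env = dict(os.environ)
    if disable_aesni:
        env["OPENSSL_ia32cap"] = AESNI_OFF
    cmd = ["openssl", "speed", "-evp", "aes-128-cbc",
           "-seconds", str(seconds), "-bytes", str(block_bytes)]
    proc = subprocess.run(cmd, capture_output=True, text=True, env=env, check=True)
    return parse_speed_output(proc.stdout, block_bytes)


def aesni_speedup(seconds=1, block_bytes=8192):
    """Return (with_aesni, without_aesni, ratio); a ratio well above 1 means AES-NI is in use."""
    fast = aes_cbc_throughput(False, seconds, block_bytes)
    slow = aes_cbc_throughput(True, seconds, block_bytes)
    return fast, slow, fast / slow


if __name__ == "__main__":
    fast, slow, ratio = aesni_speedup()
    print(f"AES-128-CBC: {fast:.0f} kB/s with AES-NI, {slow:.0f} kB/s without, {ratio:.1f}x")
    if ratio < 1.5:
        print("AES-NI does not seem to be used: old build, VM without the flag, or non-x86 CPU")
```

A ratio of several times is typical on hardware with AES-NI; a ratio close to 1 means the flag is not visible to OpenSSL (an old build, a virtual machine that hides the CPUID bit, or a non-x86 CPU), which is the case where an engine or accelerator may actually pay off.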

By: Ravi Honnavalli The author is a software professional working extensively on open source software for network and embedded systems security.





It's Easy to Scale Out a MongoDB Deployment MongoDB is a unique NoSQL open source database, which is scalable and adaptable. It is a database of choice for many Fortune 500 companies and start-ups alike. In this, our second article in the series on MongoDB, discover how to scale out a MongoDB deployment.

MongoDB is a big name among NoSQL databases. One of its most significant features is that you can scale out your deployments quite easily, i.e., additional nodes can be added to the deployment to distribute data between them, so that all the data needn't be stored on one node. This concept is known as sharding, which, when combined with replication, offers strong protection against node failure. So let's take a closer look at sharding and how it can be implemented.

I assume that you have MongoDB installed on your system. Just in case I am wrong, you can get it from http://www.mongodb.org/downloads. Download the zip file for your operating system and extract the files once the download is complete. For this article, I am using MongoDB on a 32-bit Windows 7 system. Under the extracted directory, you will see a number of binary files. Among them, mongod is the server daemon and mongo is the client process.

Let's start by creating the data directories that will be used to store the data files. Switch to the MongoDB directory that you extracted earlier. I have put that directory on my desktop (Desktop\mongodb-win32-i386-2.6.0\bin), so I'll open a command prompt and type:

cd Desktop\mongodb-win32-i386-2.6.0\bin

Let’s create the required directories, as follows:

mkdir .\data\shard_1 .\data\shard_2
mkdir .\data\shard_1\rs0 .\data\shard_1\rs1 .\data\shard_1\rs2
mkdir .\data\shard_2\rs0 .\data\shard_2\rs1 .\data\shard_2\rs2

Here we’ve created directories for two shards, each having a replica set consisting of three nodes. Let’s move on to creating the replica sets. Open another command prompt and type the following command:

mongod --port 38020 --dbpath .\data\shard_1\rs0 --replSet rs_1 --shardsvr

This creates the first node of the first replica set, rs_1, which will be using port 38020 and .\data\shard_1\rs0 as its data directory. The --shardsvr option indicates that this node will serve as a shard member. Since we’ll be deploying all the nodes on a single system, we just change the port number for the additional nodes. Our first node is now ready and it’s time to create the two others. Open two more command prompts, switch to the MongoDB root directory and type the following commands in each, respectively:

mongod --port 38021 --dbpath .\data\shard_1\rs1 --replSet rs_1 --shardsvr
mongod --port 38022 --dbpath .\data\shard_1\rs2 --replSet rs_1 --shardsvr

Three nodes for the first replica set are ready, but right now they are acting as standalone nodes. We have to configure them to behave as a replica set. Nodes in a replica set maintain the same data and are used for data redundancy: if a node goes down, the deployment will still perform normally. Open a command prompt, switch to the MongoDB root directory, and type:

mongo --port 38020

This will start the client process and connect to the server daemon running on port 38020 that we started earlier. Here, set the configuration as shown below (see Figure 1):

config = {
  _id : "rs_1",
  members : [
    { _id : 0, host : "localhost:38020" },
    { _id : 1, host : "localhost:38021" },
    { _id : 2, host : "localhost:38022" }
  ]
}

Figure 1: Replica set configuration

Initiate the configuration with the rs.initiate(config) command. You can verify the status of the replica set with the rs.status() command. Repeat the same process to create another replica set, rs_2. Start its three nodes in three more command prompts:

mongod --port 48020 --dbpath .\data\shard_2\rs0 --replSet rs_2 --shardsvr
mongod --port 48021 --dbpath .\data\shard_2\rs1 --replSet rs_2 --shardsvr
mongod --port 48022 --dbpath .\data\shard_2\rs2 --replSet rs_2 --shardsvr

Then connect the mongo client to one of these nodes (mongo --port 48020) and use the following server information:

config = {
  _id : "rs_2",
  members : [
    { _id : 0, host : "localhost:48020" },
    { _id : 1, host : "localhost:48021" },
    { _id : 2, host : "localhost:48022" }
  ]
}

Initiate the configuration by using the same rs.initiate(config) command. We now have two replica sets, rs_1 and rs_2, up and running; so the first phase is complete. Let’s now configure our config servers, which are mongod instances used to store the metadata of the sharded cluster we are going to build. Config servers need to be available for a functional sharded cluster. Production systems use three config servers, but for development and testing purposes, one usually does the job. Here, we’ll configure three config servers as per the standard practice. So, first, let’s create directories for our three config servers:

mkdir .\data\config_1
mkdir .\data\config_1\1 .\data\config_1\2 .\data\config_1\3

Next, open three more command prompts and type, in each:

mongod --port 59020 --dbpath .\data\config_1\1 --configsvr
mongod --port 59021 --dbpath .\data\config_1\2 --configsvr
mongod --port 59022 --dbpath .\data\config_1\3 --configsvr

This will start the three config servers we’ll be using for this deployment. The final phase involves configuring the Mongo router, or mongos, which is responsible for query processing as well as data access in a sharded environment, and is another binary in the Mongo root directory. Open a command prompt and switch to the MongoDB root directory. Type the following command:

mongos --configdb localhost:59020,localhost:59021,localhost:59022

This starts the mongos router on the default port 27017 and informs it about the config servers. Then it’s time to add the shards and complete the final few steps before our sharding environment is up and running. Open another command prompt and again switch to the MongoDB root directory. Type mongo, which will connect to the mongos router on the default port 27017, and type the following commands:


sh.addShard("rs_1/localhost:38020,localhost:38021,localhost:38022")
sh.addShard("rs_2/localhost:48020,localhost:48021,localhost:48022")

These two commands will add the two shards that were configured earlier. Enable sharding for the test database using the following command:

db.adminCommand({ enableSharding : "test" })

Finally, enable sharding on the grades collection under the test database by using the code shown below (see Figure 2):

db.adminCommand({ shardCollection : "test.grades", key : { student_id : 1 } })

Figure 2: Sharding configuration

In this instance, student_id is our shard key, which is used to distribute data among the shards. Do note that this collection does not exist right now. To use sharding, we need an index on the shard key. Here, the collection does not exist and the index will be created automatically. But if you already have data in your collection, then you’ll have to create an index on your shard key yourself. You can verify your sharding status by using the sh.status() command (Figure 3).

Figure 3: Sharding status

We now have our sharded environment up and running, and it’s time to see how it works by inserting data into the grades collection. So type the following simple JavaScript snippet to insert data:

for (var i = 1; i <= 500000; i++) db.grades.insert({ student_id : i, Name : "Student" + i })

Now if you type db.grades.stats(), you’ll find that some of these records are stored in the rs_1 shard and others in the rs_2 shard. Out of the 500,000 records inserted, 377,819 are stored in shard rs_1 while the remaining 122,181 go to shard rs_2. If you fire the sh.status() command, you can figure out how the data is distributed between these two shards. In Figure 4, you can see that student IDs ranging from 1 to 9452 and from 387,271 to 500,000 (represented by $maxKey) are stored on rs_2 while the remaining data is on rs_1. This data distribution is transparent to the end user; data storage and retrieval is handled by the mongos router. Try to configure and explore the overall process a few more times so that you can feel more confident in implementing sharding in MongoDB.

Figure 4: Data distribution between shards

By: Vinayak Pandey
The author is an experienced database developer, with exposure to various database and data warehousing tools and techniques, including Oracle, Teradata, Informatica PowerCenter and MongoDB.
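As an added example (not code from the article), the whole walkthrough above can be scripted. This PowerShell script assumes it is run from the extracted bin directory and reuses the article’s ports, directories and replica set names; unlike the manual steps, it polls each daemon until it answers and waits for each replica set to elect a primary before the shards are registered.

```powershell
# Added example (not from the article): scripts the walkthrough above for the
# MongoDB 2.6 Windows binaries. Run it from the extracted bin directory; the
# ports, directories and replica set names are the article's own.
$mongod = '.\mongod.exe'; $mongo = '.\mongo.exe'; $mongos = '.\mongos.exe'

# Two shards, each a three-member replica set on ports base, base+1, base+2
$shards = @(
    @{ Name = 'rs_1'; Dir = '.\data\shard_1'; BasePort = 38020 },
    @{ Name = 'rs_2'; Dir = '.\data\shard_2'; BasePort = 48020 }
)
$configPorts = @(59020, 59021, 59022)

function Get-HostList($shard) {
    # e.g. "localhost:38020,localhost:38021,localhost:38022"
    (0..2 | ForEach-Object { "localhost:$($shard.BasePort + $_)" }) -join ','
}

function Wait-ForShell([int]$port, [string]$jsExpr, [string]$expected) {
    # Poll a mongod/mongos with the mongo shell until the JavaScript expression
    # prints the expected value: daemons take a few seconds to accept connections,
    # and a freshly initiated replica set needs a few more to elect a primary
    foreach ($try in 1..30) {
        $out = & $mongo --quiet --port $port --eval $jsExpr
        if ("$out" -match $expected) { return }
        Start-Sleep -Seconds 2
    }
    throw "Port ${port}: '$jsExpr' never returned $expected"
}

# 1. Data directories, shard members and replica set initiation
foreach ($s in $shards) {
    $members = @()
    foreach ($n in 0..2) {
        $dir = "$($s.Dir)\rs$n"
        $port = $s.BasePort + $n
        New-Item -ItemType Directory -Force -Path $dir | Out-Null
        Start-Process $mongod -ArgumentList "--port $port --dbpath $dir --replSet $($s.Name) --shardsvr"
        $members += "{ _id : $n, host : 'localhost:$port' }"
    }
    Wait-ForShell $s.BasePort 'db.runCommand({ ping : 1 }).ok' '^1'
    $config = "{ _id : '$($s.Name)', members : [ $($members -join ', ') ] }"
    & $mongo --quiet --port $s.BasePort --eval "rs.initiate($config)"
    # sh.addShard() fails with "no primary found" if it is called before the election
    Wait-ForShell $s.BasePort 'rs.isMaster().ismaster' 'true'
}

# 2. Three config servers and the mongos router (default port 27017)
foreach ($k in 1..3) {
    $dir = ".\data\config_1\$k"
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    Start-Process $mongod -ArgumentList "--port $($configPorts[$k - 1]) --dbpath $dir --configsvr"
}
foreach ($p in $configPorts) { Wait-ForShell $p 'db.runCommand({ ping : 1 }).ok' '^1' }
$configDb = ($configPorts | ForEach-Object { "localhost:$_" }) -join ','
Start-Process $mongos -ArgumentList "--configdb $configDb"
Wait-ForShell 27017 'db.runCommand({ ping : 1 }).ok' '^1'

# 3. Register both shards and shard test.grades on student_id, as in the article
$setup = @()
foreach ($s in $shards) { $setup += "sh.addShard('$($s.Name)/$(Get-HostList $s)')" }
$setup += "db.adminCommand({ enableSharding : 'test' })"
$setup += "db.adminCommand({ shardCollection : 'test.grades', key : { student_id : 1 } })"
$setup += "sh.status()"
& $mongo --port 27017 --eval ($setup -join '; ')
```

Once it finishes, the insert loop from the article can be run against the mongos router and db.grades.stats() will show the records spread across rs_1 and rs_2.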


CodeSport

Sandya Mannarswamy

In this month’s column, we feature a set of interview questions based on algorithms and data structures.

For the past few months, we have been discussing information retrieval and natural language processing, along with the algorithms associated with them. Some of our readers had written in asking whether we could discuss a ‘practice set’ of questions in algorithms and data structures, as it would help in preparing for campus interviews. Hence, in this month’s column, let’s take a break from natural language processing and, instead, explore potential interview questions on algorithms and data structures.

1. You are given a circular list of ‘n’ numbers that are strictly increasing. Since it is a circular list, the end of the list wraps over to the beginning of the list. You are given an arbitrary pointer to an element in the list. You need to find the minimum element in the list. To simplify things, you can assume that all the elements are distinct.

2. You are given an array of N integers. There are no duplicates in the array. Consider the subsets of this set, the cardinality of which is (N-1). There are (N-1) subsets of cardinality (N-1). For each such set, your program should output the product of the elements present in it. For instance, if you are given the array containing 10, 20, 30, 40, we have the three subsets {10, 20, 30}, {20, 30, 40} and {30, 40, 10}. The algorithm should output the three values 6000, 24000 and 12000. Can you come up with an O(N) algorithm for computing all the (N-1) products?

3. Given an NxN matrix of integers, where each row and each column is sorted independently, design an algorithm to search for an integer ‘k’. How many comparisons does your algorithm make before it can either find the integer or determine that the integer does not exist in the matrix?

4. You are given two strings, ‘s’ and ‘t’. You need to determine whether ‘t’ is a cyclic rotation of string ‘s’, i.e., whether ‘t’ is obtained by rotating each character of string ‘s’ by ‘k’ positions. For example, the string ‘kite’ is a cyclic rotation of the string ‘teki’. You are told that N is the maximum size of the string. Can you write code to determine this in O(N) time with constant additional storage?

5. Let A be a sorted array of integers. You are given an integer K. Write a program to determine whether there are two indices ‘i’ and ‘j’ such that A[i] + A[j] = K. Note that ‘i’ and ‘j’ need not be distinct. Can you do this in O(N) time?

6. Different sorting algorithms exhibit different efficiency depending on the type of input data. As an example, some algorithms behave well if the input data is almost sorted; consider insertion sort. When the data is mostly sorted, how many comparisons do you need to make to sort it using insertion sort? Now consider the situation in which we need to process a stream of integers, where each integer is at most 100 positions away from its correct sorted position. Can you design an algorithm to sort the integers that uses only a constant amount of storage, independent of the number of integers processed?

7. You are given a sequence of ‘n’ numbers whose values vary between 1 and n-2, with two of the numbers each repeated twice. For instance, instead of having <5, 2, 3, 4, 1>, you are given <2, 1, 3, 2, 1>. You need to find out the two numbers that get repeated. Can you find the two numbers if you are told that you can only use extra storage of a constant size?

8. Assume that you are given a singly-linked list that does not contain a loop, and the last node of which has its next field set to NULL. How will you find the node that is K nodes away from the last node in the list?

9. Given that you are asked to design a dictionary data structure for integer data elements, which is expected to support insert, delete and find operations, please compare the following data structures as potential candidates in terms of time complexity:
• Unsorted array
• Sorted array
• Unsorted singly linked list
• Sorted singly linked list
• Unsorted doubly linked list
• Sorted doubly linked list
• Binary search tree
• Hash table
• Binary heap

10. We are all familiar with merge sort. Given an array of N integer elements, we break up the array into two halves, sort each half separately and then merge the two sorted halves. This is a classic example of the ‘divide and conquer’ approach, by which the problem is broken down into several sub-problems; each is solved recursively, and then the solutions for the sub-problems are combined to solve the original problem. Is it always possible to design a ‘divide and conquer’ algorithm for every problem? If not, what characteristics should a problem exhibit to be amenable to this approach? Can you give an example of a problem which is not amenable to the ‘divide and conquer’ approach and explain why it is not suitable?

11. You are given a set ‘A’ containing N integer elements and asked to solve the problem of finding the minimum in a given range of A. For instance, if A is {8, 2, 9, 5, 1, 4, 11, 3, 14}, the range minimum for A[1…5] is given by the element A[5], since A[5] is 1 and that is the minimum element in the range A[1..5]. Can you come up with an O(N) algorithm for solving the range minimum query if you are allowed to preprocess the set A?

12. Let A be a multi-set of integers consisting of N numbers. You are allowed to pick up two integers at a time. If both are even or both are odd, you discard both and insert an even integer. If not, you discard the even integer. Given that there are an even number of odd integers initially in A, can you tell whether the last integer will be even or odd? What is the reasoning behind your answer?

13. You have 100 doors in a row, all of which are initially closed. You make 100 passes over these doors, starting with the first door. On the first pass, you visit every door and toggle it (i.e., if the door is open, you close it, and if it is closed, you open it). During the second pass, you visit every second door (doors numbered 2, 4, 6, 8…). During the third pass, you visit only every third door (doors numbered 3, 6, 9, 12…). You repeat these passes until you finish all the 100 passes. Can you determine what state each door is in after the 100th pass? Which doors are open and which are closed?

14. The lowest common ancestor (LCA) of two nodes ‘u’ and ‘v’ in a binary search tree is defined as the lowest node A which has both ‘u’ and ‘v’ as its descendants (note that a node can be its own descendant). Write an algorithm to find the lowest common ancestor of two nodes in a binary search tree. Instead of writing a new algorithm for finding the LCA, if you are given the in-order traversal of the binary search tree along with the nodes ‘u’ and ‘v’ for which the LCA needs to be found, can you use the in-order traversal information to determine the LCA? Does this work in all cases? If so, explain why. If not, give a counter-example.

15. You are given an undirected graph G(V, E), where V represents the set of vertices and E represents the set of edges, and a weight function c(u, v), which associates a non-negative weight with each edge of the graph. A minimum weighted cycle in the graph is defined as the cycle whose sum of edge weights is the minimum over all cycles in the graph. A maximum weighted cycle is one whose sum of edge weights is the maximum over all the cycles in the graph. (i) Can you come up with an algorithm for finding the minimum weighted cycle? What is the complexity of your algorithm? (ii) Can you come up with an algorithm for finding the maximum weighted cycle? What is the complexity of your algorithm? Can you come up with a polynomial time algorithm for this problem? If not, why not?

My ‘must-read book’ for this month

This month’s book suggestion comes from one of our readers, Shruti, and her recommendation is very appropriate to this month’s column. She recommends an excellent resource for algorithmic problems: the website containing a discussion on algorithms from Jeff Erickson, available at http://www.cs.uiuc.edu/~jeffe/teaching/algorithms/. The link has pointers to lecture notes as well as additional exercises in algorithms and data structures. Thank you, Shruti, for sharing this link. If you have a favourite programming book/article that you think is a must-read for every programmer, please do send me a note with the book’s name, and a short write-up on why you think it is useful, so I can mention it in the column. This would help many readers who want to improve their software skills. If you have any favourite programming questions/software topics that you would like to discuss on this forum, please send them to me, along with your solutions and feedback, at sandyasm_AT_yahoo_DOT_com. Till we meet again next month, happy programming!

By: Sandya Mannarswamy
The author is an expert in systems software and is currently working with Hewlett Packard India Ltd. Her interests include compilers, multi-core and storage systems. If you are preparing for systems software interviews, you may find it useful to visit Sandya's LinkedIn group ‘Computer Science Interview Training India’ at http://www.linkedin.com/groups?home=&gid=2339182



Exploring Software

Anil Seth

Guest Column

Exploring Big Data on a Desktop: Where to Start

Big Data is the current buzz word in the world of computing. Typically, for computer enthusiasts with just a single desktop, experimenting with Big Data poses a problem, since running a distributed data program requires many computers. But now, Big Data can be run on a single desktop.

I read about Apache Spark in a news article titled ‘Run programs up to 100x faster than Hadoop MapReduce’, and I wanted to explore it. Spark applications can be written in Python. The trouble was that I hadn’t even got down to trying Hadoop MapReduce, in spite of wanting to do so for years. If all you have is a desktop, how do you experiment with and learn systems that are inherently distributed? You can’t get an insight into them while using a single machine. Fortunately, even mid-range desktops now come with a quad-core processor and 8 GB of RAM. So, you can run at least a few virtual machines. Many tools, e.g., VirtualBox, are very good and easy to use. But are they enough?

The scope

Spark is a “…fast and general engine for large-scale data processing” (http://spark.apache.org). It allows you to build parallel applications. It can access data from various sources, particularly existing Hadoop data. It can run on the YARN cluster manager of Hadoop 2. So, you may want to understand and set up a Hadoop data source and, possibly, a YARN cluster manager. You need to set up a cluster of virtual machines on which the master and slave instances of Spark will run. Then set up an HDFS cluster of virtual machines for Hadoop data. There will be a NameNode to manage the file system metadata and DataNodes that will store the actual data. You may need to play around with the number of virtual machines, so you want to avoid manually creating each virtual machine, with each one opening a separate window on the desktop display. It’s preferable to manage the machines conveniently from a single environment. That brings us to the need to create a local cloud on the desktop. OpenStack is a popular, open source option and Red Hat offers an open source distribution (http://openstack.redhat.com). The RDO distribution of OpenStack will be included in the repositories of Fedora 21. You can add an additional repository for installing it on Fedora 20. A bare bones cloud image is available from Fedora’s download site. You can also build your own spin using or expanding the kick-start for a cloud image, fedora-x86_64-cloud.ks, a part of the fedora-kickstarts package.

The plan

The process of exploring Big Data on a desktop needs to be broken up into smaller steps, with each step built on top of the previous step. Hopefully, it will run reasonably well on a quad-core desktop with 8 GB RAM to give you an understanding of the additional technology and the programming involved. The current exploration will be on Fedora because my desktop is Fedora 20. Fedora offers an OpenStack distribution and it will be difficult to experiment on multiple distributions simultaneously. The first step will be to create a local cloud.

Installing OpenStack

You could use a virtual machine to minimise the risk to your desktop environment. A useful utility is appliance-creator, which is a part of the appliance-tools package. You can use the kick-start file fedora-x86_64-cloud.ks, with a couple of changes in fedora-cloud-base.ks, to allow signing in as the root user. By default, the image requires cloud-init to create an account ‘fedora’ and inject ssh credentials for password-less login (see https://www.technovelty.org/linux/running-cloud-images-locally.html for an alternative solution). You need to increase the size of the disk, and SELinux should be permissive or disabled:

timezone --utc Asia/Kolkata
selinux --disabled
#rootpw --lock --iscrypted locked
rootpw some-password
part / --size 8192 --fstype ext4
#passwd -l root

You will need to make sure that the virtualisation packages are installed (https://fedoraproject.org/wiki/Getting_started_with_virtualization). Just do the following:

# yum install @virtualization


Install the image created by appliance-creator using virt-manager. You will probably need 3 GB of memory to successfully install OpenStack. Now you are ready to follow the RDO ‘quick start’ instructions (http://openstack.redhat.com/Quickstart). The following commands are fairly quick:

# yum install -y http://rdo.fedorapeople.org/rdo-release.rpm
# yum install -y openstack-packstack

The packstack command makes it simple to install OpenStack and its dependencies. It uses Puppet. However, the packstack command may take a long time, depending on the network and download speeds (I usually find it better to add ‘&country=us,ca’ to the Fedora and updates repositories for the Indian environment).

# packstack --allinone

You may find that the above command fails to run the remote script after setting up the ssh keys. If so, you need to set up the authorised keys:

# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

The first time Packstack is run, it creates an answer file with a name like packstack-answers-X-Y.txt. You will need to reuse the same answers in case you have to rerun Packstack:

# packstack --answer-file packstack-answers-X-Y.txt

Figure 1: OpenStack

After Packstack completes successfully, the local cloud is ready. You can browse the site http://$VM-IPADDRESS/dashboard.

Some things to think about

What do you do with the local cloud you have set up? How do you create and manage the virtual machines that you need?

By: Dr Anil Seth
The author has earned the right to do what interests him. You can find him online at http://sethanil.com and http://sethanil.blogspot.com, and reach him via email at anil@sethanil.com

OSFY Magazine Attractions During 2014-15

Month          | Theme                               | Featured List                     | Buyers' Guide
March 2014     | Network monitoring                  | Security                          | -
April 2014     | Android Special                     | Anti Virus                        | Wifi Hotspot devices
May 2014       | Backup and Data Storage             | Certification                     | External Storage
June 2014      | Open Source on Windows              | Mobile Apps                       | UTMs for SMEs
July 2014      | Firewall and Network security       | Web hosting Solutions Providers   | MFD Printers for SMEs
August 2014    | Kernel Development                  | Big Data Solution Providers       | SSD for servers
September 2014 | Open Source for Start-ups           | Cloud                             | Android devices
October 2014   | Mobile App Development              | Training on Programming Languages | Projectors
November 2014  | Cloud special                       | Virtualisation Solutions Provider | Network Switches and Routers
December 2014  | Web Development                     | A list of leading Ecommerce sites | AV Conferencing
January 2015   | Programming Languages               | IT Consultancy                    | Laser Printers for SMEs
February 2015  | Top 10 of Everything on Open Source | Storage Solution Providers        | Wireless routers


Admin

How To

Wireshark: Essential for a Network Professional’s Toolbox

Wireshark, a free and open source tool, is a packet analyser. It is used for network troubleshooting, software analysis, protocol development and education. In this and the following few articles, the author will help readers gain an in-depth understanding of using Wireshark for network troubleshooting.

In order to troubleshoot computer network related problems effectively and efficiently, an in-depth understanding of TCP/IP is absolutely necessary, but along with that, you also need to ‘see’ TCP/IP traffic. There are various open source and commercial tools available to capture and display network traffic for further analysis. Let us consider the essential features of effective traffic analysis and network troubleshooting tools:
• The ability to capture traffic from various networks, such as wired, wireless, etc.
• Layer-wise representation of captured traffic for easy readability
• The ability to save the packets in a standard format
• The ability to drill down into packets for traffic analysis
All these features are an inherent part of Wireshark. Over and above this, the tool is available under the GNU GPL (read, free). So Wireshark is an absolute must for any networking professional! This series of articles on Wireshark will familiarise readers with the Wireshark GUI and with analysing various TCP/IP protocols by means of captured packets, explain the features of Wireshark, and discuss various scenarios for locating network related problems.

The basics: Wireshark modules

To provide the desired functions, Wireshark uses a number of different modules integrated together by the Wireshark core.

Module             | Function
GTK (GIMP Toolkit) | GUI and handling of all user input/output
Dumpcap            | Packet capture engine
Pcap libraries     | Actual packet capturing. The Linux version uses libpcap, developed by the Tcpdump team (available under the BSD licence), while the Windows version uses winpcap, developed by Riverbed Technologies, which is available as freeware
Dissector(s)       | Detects the packet’s type and extracts the maximum information from it; you can also write custom dissectors
Wiretap libraries  | Reading and writing capture files from and to various file formats

Here, I have taken the liberty of mentioning only the important or relevant modules and their functions for easy understanding. For more details, please refer to wireshark.org.


Installation

Wireshark installation is very simple and straightforward.

Windows: Download the latest 32- or 64-bit installer that is compatible with your Windows version; double-click on it and follow the instructions. During this installation, you will be asked to confirm the installation of the winpcap libraries. Here is an interesting point to remember for those paranoid about security: some websites, such as McAfee SiteAdvisor, rate the winpcap libraries as a security risk. This is primarily due to the ability of winpcap to capture network packets. So go ahead and install the libraries, which are a must to run Wireshark.

Ubuntu: Search for Wireshark under the Ubuntu Software Centre and click to install, or use the command line:

sudo apt-get install wireshark

That’s it. Your system is ready for the first capture. Welcome to the exciting world of network troubleshooting and protocol analysis.

Capturing packets

Windows: Start Wireshark by clicking its icon. Linux: Use the command wireshark. You may require administrative privileges; the recommended way to obtain them is gksudo wireshark. Wireshark also has various command line options, which will be covered in a separate article. Optionally, you can capture packets using dumpcap (the packet capture engine), save them and use Wireshark for further analysis. This keeps administrative privileges to a minimum, limited to the capture engine rather than the entire Wireshark program. Select the capture interface on the first screen. Go through Figure 1; did you notice something interesting under the Interface List? You can capture traffic on USB ports as well! Click on the desired interface and Wireshark starts capturing and displaying packets, which are presented in three panes.

Figure 1: Wireshark interface selection

The three Wireshark panes

The topmost pane is called the ‘Packet List Pane’ and displays each captured packet’s number, its time stamp, source and destination addresses, protocol, length and other information about it. The middle pane displays the ‘Packet Details’ of the current packet as viewed from the various layers. The captured data can be viewed as Frame (Physical), Ethernet (Data Link), IP (Network), UDP or TCP (Transport), and DNS or any other application (Application) layers. (For more details about these layers, there is ample material, including excellent videos, on the Web.) ‘Packet Bytes’ are displayed in the bottom-most pane. If this sounds very simple, here is one interesting difficulty.

Capturing packets in a switched environment

Capturing traffic to and from the Wireshark PC is simple enough; however, for network troubleshooting you need to capture various other kinds of network traffic, such as traffic originating from any of the systems in the network, the entire traffic from your network towards the Internet, etc. Capturing traffic in a switched environment is not easy, and here’s why. Let me start with the difference between an Ethernet hub and an Ethernet switch. The hub sends all packets received on a particular port to all the other ports. The switch forwards traffic only to the designated port. To achieve this, the switch maintains a table of MAC addresses (the Layer 2 address to port binding), and forwards the packet to the interface to which the device with the destination MAC address is connected. If the destination MAC is not known, it sends the packet out on all ports (except the sender port) to find the port that has the device with the destination MAC. Once the device replies, subsequent packets are forwarded to the corresponding port only. From a security perspective, an Ethernet switch is definitely better than a hub. However, the very feature that provides this security poses a challenge while capturing network traffic. In a switched network, the default capture will contain only packets to and from the Wireshark machine and broadcast traffic. There are several ways to overcome this:

1. Hubbing out: Replace the switch with a hub and capture traffic by connecting the Wireshark system to the hub.

2. Using a wiretap: A ‘tap’ is used to capture communication between two end points. The primary concern while inserting a wiretap is that it should not disturb any traffic between the two hosts. The wiretap achieves this by sitting between the two end points (the switch and the device) and providing two Ethernet outputs. These are connected to a Wireshark computer with dual Ethernet ports. This system captures all traffic between the two nodes without disturbing the existing traffic. If the tap is inserted between the firewall and the switch, it will capture all Internet traffic. Typically, this box can be constructed by wiring four information outlets. See the wiring diagram for more details (Figure 2).


Admin

How To Background information on Wireshark.org

Wiretap Wiring Diagram

H 7 O S 8 3 T 6

H 7 O S 8 3 T 6

2

2

1

1

5

A 4

5

B 4

2

T 7 A 8 P

2

T 7 A 8 P

1 3 5

1

6

3

A 4

5

6

B 4

omegasystems.co.in

Figure 2: Wiretap

Figure 3: DNS query and ICMP echo request

3. Using Switched Port ANalyzer (SPAN), also called port mirroring: SPAN ports are available with some of the managed switches. Once enabled, this feature copies traffic from the defined ports to the SPAN port. The Wireshark system is connected to this SPAN port to capture the traffic. The disadvantage of this system is that the SPAN port can get overloaded since it receives all traffic from many ports. This results in loss of packets. 4. Using ARP spoofing: This requires using the ARP spoofing tool such as ettercap-NG, which is tricky and may result in network disruption if sufficient care is not taken.

The first capture

Let us start by capturing packets for the DNS (Domain Name Service) protocol. As you must be aware, DNS resolves URLs to IP addresses. It is a very simple UDP protocol (works on TCP as well). It sends out a DNS query and gets a DNS query response. To capture DNS, start Wireshark and select the desired interface to start packet capture. Go to the command prompt under Windows (or the terminal, in the case of Linux) and ping any URL—the associated screenshot (Figure 3) is for omegasystems.co.in. You will see several captured packets on the screen. Stop packet capture. 46  |  july 2014  |  OPEN SOURCE For You  |  www.OpenSourceForU.com

Background information on Wireshark.org

In May 2006, Gerald Combs (the original author of Ethereal) went to work for CACE Technologies (best known for WinPcap). Unfortunately, he had to leave the Ethereal trademarks behind. This left the project in an awkward position: the only reasonable way to ensure its continued success was to change the name. This is how Wireshark was born. Wireshark is a network protocol analyser. It lets you capture and interactively browse the traffic running on a computer network. It runs on most computing platforms, including Windows, OS X, Linux and UNIX.

Wireshark's Sectools rating

Sectools.org, maintained by the Nmap Project, has been cataloguing the network security community's favourite tools for more than a decade. It ranks Wireshark as No 1 among network security tools and describes it as follows: "Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source multi-platform network protocol analyser. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types."

The command line request to ping omegasystems.co.in triggered a 78-byte UDP DNS query from the computer system 192.168.1.2 (the IP address in your capture will be whatever the TCP/IP configuration of your capture system is) towards the DNS server 208.67.222.222. A 94-byte reply was received, giving the IP address of omegasystems.co.in as 23.91.123.124. A 74-byte ICMP Echo Request was then sent to the resolved IP address, for which a 74-byte ICMP Echo Reply was received. Look at the Time column, and you will notice that approximately 0.3 seconds in total were needed to receive the replies to both these requests. The difference between a request and its reply is the round-trip time of that exchange, which is the first thing to check when a user complains that a connection is slow: it tells you whether the delay is in name resolution or on the path to the host.
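Here is an added example, not part of the original article, that does by program what the screenshot analysis above does by eye: it parses a pcap capture, picks out the DNS query and response and the ICMP echo request and reply, pairs each request with its reply and computes the round-trip time of every exchange. The capture is constructed inside the script from the sizes and addresses quoted above (78- and 94-byte DNS frames, 74-byte ICMP frames, 192.168.1.2, 208.67.222.222 and 23.91.123.124); the MAC addresses, the UDP source port, the DNS transaction ID and the timestamps are invented for the example. It uses only the Python standard library, so it runs without Wireshark, libpcap or scapy, and it can be pointed at a real file saved from Wireshark in classic libpcap format (magic 0xa1b2c3d4, not pcapng) by replacing SAMPLE_PCAP with the file's contents.

```python
"""Parse a pcap capture, pair the DNS lookup and the ICMP echo with their replies,
and measure each round trip, the way the Time column in Wireshark lets you do by hand."""
import socket
import struct

ETH_HDR = 14            # Ethernet II header length
PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution libpcap file

# --- building a capture (constructed sample data for this example) ---

def build_pcap(packets):
    """Serialise (timestamp, frame) pairs into a pcap blob with link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def ether(payload):  # made-up MAC addresses; EtherType 0x0800 = IPv4
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload

def ipv4(src, dst, proto, payload):  # minimal IPv4 header, checksum left at zero
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def dns_name(name):  # "a.b.c" -> length-prefixed labels plus the terminating zero
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# --- parsing ---

def iter_pcap(data):
    """Yield (timestamp, frame) for every record in a classic little-endian pcap blob."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def decode_dns(msg, src, dst, frame_len):
    txid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    off, labels = 12, []
    while msg[off]:  # walk the QNAME labels of the first question
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    off += 5  # terminating zero + QTYPE + QCLASS
    rec = {"kind": "dns response" if flags & 0x8000 else "dns query", "id": txid,
           "name": ".".join(labels), "src": src, "dst": dst, "len": frame_len, "answers": []}
    for _ in range(an):  # answer names are assumed to be 2-byte compression pointers
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off + 2:off + 12])
        off += 12
        if rtype == 1 and rdlen == 4:  # A record
            rec["answers"].append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rec

def decode(frame):
    """Return a dict for a DNS or ICMP echo frame, or None for anything else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    proto = frame[ETH_HDR + 9]
    src = socket.inet_ntoa(frame[ETH_HDR + 12:ETH_HDR + 16])
    dst = socket.inet_ntoa(frame[ETH_HDR + 16:ETH_HDR + 20])
    l4 = frame[ETH_HDR + ihl:]
    if proto == 17 and 53 in struct.unpack("!HH", l4[:4]):
        return decode_dns(l4[8:], src, dst, len(frame))
    if proto == 1 and l4[0] in (0, 8):
        kind = "icmp echo request" if l4[0] == 8 else "icmp echo reply"
        return {"kind": kind, "src": src, "dst": dst, "len": len(frame)}
    return None

def analyse(pcap_bytes):
    """Pair every request with its reply and report the round-trip time of each exchange."""
    pending, results = {}, []
    for ts, frame in iter_pcap(pcap_bytes):
        rec = decode(frame)
        if rec is None:
            continue
        proto = rec["kind"].split()[0]
        if rec["kind"].endswith(("query", "request")):
            pending[(proto, rec["src"], rec["dst"])] = (ts, rec)
            continue
        key = (proto, rec["dst"], rec["src"])  # the reply flows the other way
        if key in pending:
            t0, req = pending.pop(key)
            results.append({"proto": proto, "request_len": req["len"], "reply_len": rec["len"],
                            "rtt": round(ts - t0, 6), "answers": rec.get("answers", [])})
    return results

# Constructed capture with the frame sizes and addresses quoted in the article.
CLIENT, RESOLVER, TARGET = "192.168.1.2", "208.67.222.222", "23.91.123.124"
QUESTION = dns_name("omegasystems.co.in") + b"\x00\x01\x00\x01"  # type A, class IN
ANSWER = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + socket.inet_aton(TARGET)
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte payload Windows ping sends
SAMPLE_PCAP = build_pcap([
    (0.0000, ether(ipv4(CLIENT, RESOLVER, 17, udp(50000, 53,
             struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + QUESTION)))),           # 78 bytes
    (0.1420, ether(ipv4(RESOLVER, CLIENT, 17, udp(53, 50000,
             struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER)))),  # 94 bytes
    (0.1435, ether(ipv4(CLIENT, TARGET, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + PING_DATA))),  # 74
    (0.3010, ether(ipv4(TARGET, CLIENT, 1, struct.pack("!BBHHH", 0, 0, 0, 1, 1) + PING_DATA))),  # 74
])

if __name__ == "__main__":
    for row in analyse(SAMPLE_PCAP):
        print(row)
```

The pairing key is (protocol, requester, responder), so a reply is only credited to a request that travelled the opposite way between the same two hosts; an unsolicited DNS response or echo reply, which is what a spoofing attempt looks like on the wire, is simply left unmatched.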

A word of caution

The test scenarios described in this series of articles are capable of revealing sensitive information such as login names and passwords. Some scenarios, such as ARP spoofing, will disturb the network temporarily. Make sure you use these techniques only in a test environment, or obtain explicit written permission before using them in a live environment.

By: Rajesh Deodhar
The author has been an IS auditor and network security trainer-consultant for the last two decades. He is a BE in industrial electronics, as well as a CISA, CISSP, CCNA and DCL. He can be contacted at rajesh@omegasystems.co.in




Ghost: A Powerful Blogging Platform

If you are on the lookout for a blogging platform, give Ghost a try. It’s a simple yet powerful publishing platform that opens up the world of online journalism to you. Ghost is used by thousands of people and companies.

My encounter with Ghost, not the one from the horror stories, started when I was wandering through the Internet looking for a blogging platform for my college group, one focused more on writing than on the many options that offer plugins to do simple things. When I navigated to the official page of Ghost (https://ghost.org/), all it said was, "Just a blogging platform." Ghost aims to be a simple, open source blogging platform focused on offering a good user experience.

Installation

Though it aims to be a simple platform, installation is not so simple for the average user. For a seasoned command line user, it's a cakewalk. For this demonstration, I'll be using Linux, so some of the steps will be Linux-specific. Ghost is built on node.js, and requires version 0.10.* (the latest stable version at the time of writing). For Linux, the easiest way to install node.js is via the available package manager, but that may or may not give you the required version. Alternatively, download the latest archive from the 'Linux Binaries' section of http://nodejs.org/download/, or (if you like compiling) download the source code and compile it. Before compiling, make sure Python is installed.

wget http://nodejs.org/dist/v0.10.28/node-v0.10.28.tar.gz

The version number may vary; use the file name you actually downloaded in the next command.

tar xzvf node-v0.10.28.tar.gz && cd node-v*
./configure
make
sudo make install

For Mac, Windows or other OSs, download the respective installer from http://nodejs.org/download/. If you still face any difficulties, refer to the wiki page https://github.com/joyent/node/wiki/Installing-Node.js-via-package-manager. After installing node.js, it's time to download and set up Ghost. Before downloading, make sure you have the recommended version of node.js (the binary is called nodejs on Debian and Ubuntu, node elsewhere):

nodejs -v


Download the latest version from https://ghost.org/download/ and extract it to a folder named 'ghost'. If you have a terminal open in front of you, the following commands will do the trick:

curl -L https://ghost.org/zip/ghost-latest.zip -o ghost.zip
unzip -uo ghost.zip -d ghost

Figure 1: Ghost sign-up page (full name, e-mail address, password)

Now cd to the 'ghost' folder you created and run the npm commands as follows:

cd path/to/ghost

In my case it was in the Downloads folder:

cd Downloads/ghost

Then install Ghost with:

npm install --production

Figure 2: Dashboard theme section (Settings > General: cover image, e-mail address for admin notifications, posts per page, dated permalinks, theme selection)

After installation, type the following command to start Ghost:

npm start

Mac and Windows users can refer to the respective documentation for installation instructions (http://docs.ghost.org/installation/). Ghost will be up and running on port 2368. Point your browser to http://127.0.0.1:2368/ to see your Ghost blog in action. Now it's time to create an admin user. Change the URL to http://127.0.0.1:2368/ghost, and create your admin user to log in to the Ghost admin; do this straight away, because until the first user has been registered, anyone who can reach that URL can register as the administrator. For now, Ghost allows only one user per blog; multi-user support will be available in version 0.5, which is expected to be out early in July 2014. If you still want multiple user support, there are some hacks available, like the one at http://lifewiththemacks.com/multi-user-support/. After signing in successfully, you may encounter a warning related to email configuration. You can leave it for now, but configure it before going live, as it is used for resetting the password.

Writing

Writing a post in Ghost is simple. When you install it, there already is a post made for you which explains everything about writing. To put it simply, the writing is done in Markdown format.

Theming and customisation

Theming and customisation are simple and straightforward. To add a new theme, copy the folder containing the theme files into the themes folder (content/themes inside the Ghost folder) and select the theme in the dashboard. Here is an example of the installation of a new theme named Froyo, which is available at https://github.com/adriannorman/froyo-ghost-theme. Download the zip file, extract it to ghost_folder/content/themes and restart Ghost. You can browse themes at marketplace.ghost.org; after copying one in, select it in the dashboard by navigating to /ghost/settings/general/. A theme is served to every visitor, including any JavaScript it bundles, so install themes only from sources you trust.

Deployment

Now we are ready with a blog and, hopefully, can begin writing some interesting posts. But how do we share them? We can’t host our blog on our computer because of security reasons and also considering the fact that electricity is not cheap. So we need to deploy our Ghost blog, for which we have many options. But for now, we are interested only in free options, with custom domains also for free. This brings our options down to two places: Openshift and Github pages.

Openshift

Openshift allows easy deployment of Ghost blogs. Before getting started, get an account on Openshift and install the necessary tools from https://www.openshift.com/developers/rhc-client-tools-install. To create the app, type the following command:

rhc app create ghost nodejs-0.10 --env NODE_ENV=production --from-code https://github.com/openshift-quickstart/openshift-ghost-quickstart.git

…or follow the guide available at https://www.openshift.com/quickstarts/ghost-on-openshift. Whenever you add a new theme or edit some configuration, restart the app with the following command:

rhc app restart ghost # Replace ghost with the name of your app

After this, you will see something similar to what is shown in Figure 3.

Figure 3: Deployment messages

If you have some money to spare, I would recommend that you go in for a hosted Ghost blog.

Github pages

Github provides an excellent service to serve static pages. But Ghost requires node.js on the server side, so let's look at a workaround. The solution lies in Buster, a brute force static site generator for Ghost. Buster can be pointed at any Ghost blog (one hosted on an external website or one running locally on your own computer) and outputs a directory with the static content of the site. Before this, create a repo on Github with the name username.github.io (replace username with your Github username) if you don't have one already. If you already have a site live on Github and you don't want to alter it, make a new repo and name it 'ghost'; it will be available at username.github.io/ghost. Installing Buster is easy; just issue the following command:

pip install buster # prefix with sudo if the command fails

Also make sure you have wget installed. To store the static content, create a separate folder for proper management, which I will name buster_files:

mkdir buster_files
cd buster_files

From that folder, run the following command:

buster setup

…and enter the address of the Github repo you created above. In my case, I was deploying to a repo named ghost, so it was https://github.com/jatindhankhar/ghost.git. Once you are done with this, run the following:

buster generate --domain=http://127.0.0.1:2368 # if Ghost is running locally
buster generate --domain=http://address-to.ghost.blog # if you already have Ghost running somewhere else

Run Buster only against a Ghost blog you own; crawling somebody else's site may violate its terms of use or data mining laws.

Figure 4: Buster generating static files

After Buster is done, it will store all the files in a folder named static. Switch to the static folder and add, commit and push the files to the repo using Git (push to master for a username.github.io repo, or to gh-pages for a project repo such as 'ghost'):

cd static
git add .
git commit -m "Your commit message here"
git push origin gh-pages


By: Jatin Dhankhar The author, who is currently doing his B. Tech in computer science from Ramanujan College, University of Delhi, is crazy about computers and loves to learn about anything related to them. He can be reached at jatin@jatindhankhar.in




Make Your Network Secure with PCAP and Snort PCAP is an application programming interface (API) for capturing network traffic (packets). Snort is a tool for detecting network intrusion. This article explains how they can be used in tandem to analyse network traffic and detect any attacks on the network.

Packet capture is a classic, frequently performed task carried out by network administrators, done to detect suspicious activity in the network. Any out-of-the-way or abnormal activity is then analysed by intrusion detection system (IDS) tools in order to classify the attack or the type of traffic. There are numerous IDS tools available, including open source products, that classify attacks or traffic based on the information in PCAP (packet capture) files fetched from honeypots or servers.

PCAP (packet capture)

Intrusions arriving over different media can be investigated by making use of PCAP (packet capture), an application programming interface (API) for capturing network traffic, which can be filtered by port, IP address and other parameters. On UNIX-like systems, PCAP is implemented in the libpcap library; on Windows, through WinPcap, the Windows port of libpcap. The base API is in the C programming language. To use PCAP from other programming languages such as Java, .NET and Web-based scripting languages, a wrapper is used, but remember that neither libpcap nor WinPcap provides these wrappers by default. In the case of C++, programs can link directly to the C API or make use of an object-oriented wrapper.


The MIME type for the file format that libpcap creates and reads is application/vnd.tcpdump.pcap. The classic file extension is .pcap; some tools also use .cap and .dmp. libpcap and WinPcap provide the capture and filtering engines for many open source and commercial network tools: protocol analysers (packet sniffers), network forensics tools, network IDSes, traffic generators and network analysers. Packets captured by libpcap can be saved to a file, and a file saved in the format that libpcap and WinPcap use can be analysed by any application that understands this format, including tcpdump, Wireshark, NetworkMiner and many others.

Tools for reading libpcap

Here is a list of network analysis tools that make use of libpcap:
Tcpdump: A command line tool to capture and dump packets for forensics and investigation.
ngrep (Network Grep): Shows packet data in a user-friendly, grep-like output.
Wireshark (earlier called Ethereal): A GUI-based packet-capturing and protocol forensic tool.
Snort: An open source network intrusion detection system.
Nmap: A port-scanning and fingerprinting network utility.
Bro IDS: An IDS and network analysis tool.
URL Snooper: Locates the addresses of audio and video files to enable recording them.
Iftop: Displays bandwidth usage on an interface.
EtherApe: A GUI-based tool for monitoring network traffic and bandwidth usage in real time.
Bit-Twist: An Ethernet packet generator.
Pirni: A network security tool used on jailbroken iOS devices.
Firesheep: An extension for the Mozilla Firefox Web browser that intercepts unencrypted session cookies from websites on the local network and uses them for session hijacking.
Suricata: A network intrusion detection and prevention platform.
WhatPulse: A statistical measurement tool (input, network, uptime, etc).
Xplico: A network forensics analysis tool (NFAT).

Snort

Snort is an open source tool, written in C, originally created by Martin Roesch and developed by Sourcefire (now part of Cisco). It is used both as a network intrusion detection system (IDS) and as a network intrusion prevention system (IPS), and combines signature, protocol and anomaly-based inspection. Snort's user statistics are impressive, with millions of downloads and nearly 400,000 registered users. As an IPS it can block unwanted activity or unauthorised access to resources rather than merely report it. Snort performs protocol analysis and content matching, and detects a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and many others. The main configuration file is /etc/snort/snort.conf, in which the actual information about the network under investigation (for example, the HOME_NET variable) is specified. All values and parameters are commented in the file, so changes can be made very easily.

Other free intrusion detection systems (IDS)

Other free intrusion detection systems are given below:
ACARM-ng
AIDE
Bro NIDS
OSSEC HIDS
Prelude Hybrid IDS
Samhain
Suricata

Different modes for Snort network forensics

Snort can be run in three different modes.
Sniffer mode: Sniffer mode reads the packets off the network and displays them to the user in a continuous stream on the console.
Packet logger mode: Packet logger mode logs the packets to disk.
Network IDS mode: Network IDS mode uses the configuration file to analyse network traffic by matching it against a set of user-defined rules, and performs the action (alert, log, pass or drop) that each matching rule specifies.

Sniffer mode

To print only the TCP/IP packet headers to the screen, the following command is used:

./snort -v

This will execute Snort and show the IP and TCP/UDP/ICMP headers. To display the application data in transit as well, the following command is used:

./snort -vd

With this, Snort displays the packet data as well as the headers. For a more detailed display, including the data link layer headers, use the following command:

./snort -vde

The switches can also be given separately:

./snort -d -v -e

Packet logger mode

To record the packets to disk, specify a logging directory; Snort will automatically enter packet logger mode:

./snort -dev -l ./log

Running in this mode, Snort collects every packet it sees and places it in a directory hierarchy based on the IP address of one of the hosts in the datagram. With just a plain -l switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets, and sometimes the local host address. To log packets relative to the home network, specify that network with the -h switch:

./snort -dev -l ./log -h 192.168.1.0/24

This command specifies that you want to print the data link and TCP/IP headers as well as the application data



into the directory ./log, and log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded in sub-directories of the log directory, named after the address of the remote host. If you are working on a high speed network, or want to log the packets in a compact form for later analysis, consider logging in 'binary mode'. In binary mode the packets are logged in tcpdump (pcap) format to a single binary file in the logging directory:

./snort -l ./log -b

We should note that we have not specified a home network in the command above because the binary mode logs everything to a single file, in which there is no need to specify how to format the output directory structure.

Network intrusion detection mode

To run the tool in network intrusion detection (NIDS) mode, execute the following command:

./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

snort.conf is the name of the configuration file that includes the rules. The rule set from snort.conf is applied to each packet to decide whether or not to take the action (alert, log, pass or drop) specified by the rule that matches. If you do not specify a logging directory, it is /var/log/snort by default. In production, drop the -v and -e switches: printing every packet to the console slows Snort down and can make it drop packets, which is exactly what an IDS must not do.

Reading PCAP using Snort and alert files

PCAP files can be analysed very easily using Snort. The PCAP file is passed to Snort on the command line; Snort runs its rules over the packets in the file and writes the resulting alerts to its alert file. To read a single PCAP file, use either of the following commands:

$ snort -r mynetwork.pcap
$ snort --pcap-single=mynetwork.pcap

To read multiple PCAPs listed in a file (one file or directory per line), use the following:

$ cat mypcaps.txt
pcap1.pcap
pcap2.pcap
/home/mynetwork/pcaps
$ snort --pcap-file=mypcaps.txt

This command will read pcap1.pcap, pcap2.pcap and all files under /home/mynetwork/pcaps. Snort does not check whether the files under that directory are really PCAP files. To read PCAPs from a command line list, use the following command:

$ snort --pcap-list="MyNetwork1.pcap MyNetwork2.pcap MyNetwork3.pcap"

This will read MyNetwork1.pcap, MyNetwork2.pcap and MyNetwork3.pcap. To read PCAPs under a directory, type:

$ snort --pcap-dir="/home/MyNetwork/pcaps"

This will include all of the files under /home/MyNetwork/pcaps. You can also use filters to select which files are read:

$ cat MyNetwork.txt
MyNetwork1.pcap
MyNetwork2.pcap

Here, the current directory is /home/MyNetwork/pcaps.

$ snort --pcap-filter="*.pcap" --pcap-file=MyNetwork.txt
$ snort --pcap-filter="*.pcap" --pcap-dir=/home/MyNetwork/pcaps

The above will only include files that match the shell pattern '*.pcap'; in other words, any file ending in '.pcap'.

$ snort --pcap-filter="*.pcap" --pcap-file=MyNetwork.txt \
    --pcap-filter="*.cap" --pcap-dir=/home/MyNetwork/pcaps

In the above, the first filter '*.pcap' will only be applied to the PCAPs listed in the file 'MyNetwork.txt' (and any directories that are recursed from that file). The addition of the second filter '*.cap' causes the first filter to be forgotten and the second to be applied to the directory /home/MyNetwork/pcaps, so only files ending in '.cap' will be included from that directory.

$ snort --pcap-filter="*.pcap" --pcap-file=MyNetwork.txt \
    --pcap-no-filter --pcap-dir=/home/MyNetwork/pcaps

In this example, the first filter will be applied to MyNetwork.txt. Subsequently, no filter will be applied to the files found under /home/MyNetwork/pcaps, so all the files found under it will be included.

$ snort --pcap-filter="*.pcap" --pcap-file=MyNetwork.txt \
    --pcap-no-filter --pcap-dir=/home/MyNetwork/pcaps \
    --pcap-filter="*.cap" --pcap-dir=/home/MyNetwork/pcaps2

In this example, the first filter will be applied to MyNetwork.txt. Subsequently, no filter will be applied to the files found under /home/MyNetwork/pcaps, so all files found under it will be included. Then, the filter '*.cap' will be applied to files found under /home/MyNetwork/pcaps2.

Figure 1: Bookmark the line
Figure 2: Segregating bookmarked lines

Printing the PCAPs

$ snort --pcap-dir=/home/MyNetwork/pcaps --pcap-show

The above example will read all the files under /home/MyNetwork/pcaps and print a line indicating which PCAP is currently being read.

Snort's full alert file format

From an alert file such as the one given below, written by Snort in its 'full' alert format, we can plot graphs or charts or extract any other pattern of interest.



[**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/25-20:31:31.817217 232.11.237.105:1000 -> 233.29.20.24:1433
TCP TTL:102 TOS:0x0 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x43EE0000 Ack: 0x0 Win: 0x4000 TcpLen: 20
[Xref => http://doc.emergingthreats.net/2010935]

[**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/25-20:31:31.838622 17.1.27.05:6000 -> 23.12.20.17:1433
TCP TTL:103 TOS:0x0 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x6D5F0000 Ack: 0x0 Win: 0x4000 TcpLen: 20
[Xref => http://doc.emergingthreats.net/2010935]

[**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/25-20:31:31.898603 17.1.27.5:6000 -> 23.19.20.22:1433
TCP TTL:103 TOS:0x0 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x262F0000 Ack: 0x0 Win: 0x4000 TcpLen: 20
[Xref => http://doc.emergingthreats.net/2010935]

Extraction of relevant patterns and data from alert files using Notepad++

Once the alert file is generated, it can be opened in Notepad++, which has the useful feature of bookmarking specific lines. To separate the lines that carry the Classification, Priority and DgmLen fields from the alert file, use the Mark tab of the Find dialog with the 'Bookmark line' option (Figure 1). Once the matching lines are bookmarked, cut them with Search > Bookmark > Cut Bookmarked Lines (Figure 2). Finally, paste these lines into a separate file, and the following file will be generated:

[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 233
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 233
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 234
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 232
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 234
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 231
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 232
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 231
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 232
[Classification: Potentially Bad Traffic] [Priority: 2] Dgmlen: 230

The extracted alert file can be moved to a spreadsheet package to plot graphs or apply any formula using the following steps:
1. In MS-Word, use Find and Replace to turn the field separators into tabs: replace every space with ^t (Word's code for a tab character). Replacing every space also splits a multi-word classification such as 'Potentially Bad Traffic' across columns, so it is better to replace only the '] [' separators and the field labels, or to do the extraction with a script.
2. This generates a file with the fields separated by tabs.
3. Copy the full tab-separated text into MS-Excel.
4. MS-Excel places each tab-separated field in a different column.
5. Now you can easily apply any formula or plot a chart.
Using this method, you get the following type of output in the spreadsheet package:

Classification                            Priority  IPLen  dgmLen
Attempted Administrator Privilege Gain    1         20     231
Potentially Bad Traffic                   1         20     231
Attempted Administrator Privilege Gain    1         20     231
Potentially Bad Traffic                   2         20     231
Attempted Administrator Privilege Gain    1         20     231
Attempted Administrator Privilege Gain    1         20     231
Potentially Bad Traffic                   2         20     231
Attempted Administrator Privilege Gain    1         20     23
Attempted Administrator Privilege Gain    1         20     23
Potentially Bad Traffic                   2         20     24

This method can be used to analyse any network traffic captured by APIs like PCAP, enabling detailed investigation of the packets and associated parameters.
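Doing the same extraction with a script instead of Notepad++ and MS-Word avoids the manual cut-and-paste and keeps every field of every alert. The following Python program is an added example, not part of the original article: it parses Snort's 'full' alert format (the header, Classification/Priority, flow, IP and TCP lines shown above), writes the result as CSV for a spreadsheet, and counts alerts per classification, source host and destination port. The three alerts embedded in it are constructed for the example (documentation-range IP addresses and a local rule SID); only the Emerging Threats signature ID and message come from the alert file shown above.

```python
"""Parse Snort 'full' alert output into structured records, emit CSV for a spreadsheet,
and compute the counts an analyst usually pivots on."""
import csv
import io
import re
from collections import Counter

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")
L3_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (\S+)\s+Ack: (\S+)\s+Win: (\S+)\s+TcpLen: (\d+)")

FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "classification", "priority", "proto",
          "src", "sport", "dst", "dport", "ttl", "iplen", "dgmlen", "flags"]

def parse_alerts(text):
    """Return one dict per alert. A new alert starts at every '[**] [gid:sid:rev] msg [**]'
    line, so the parser copes with or without the blank line Snort writes between alerts."""
    records, rec = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            rec = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4],
                   "classification": None, "priority": None, "proto": None,
                   "sport": None, "dport": None, "flags": None, "xref": []}
            records.append(rec)
            continue
        if rec is None or not line:
            continue
        if (m := CLASS_RE.match(line)):
            rec["classification"], rec["priority"] = m[1], int(m[2])
        elif (m := FLOW_RE.match(line)):  # ports are absent for ICMP alerts
            rec.update(timestamp=m[1], src=m[2], sport=int(m[3]) if m[3] else None,
                       dst=m[4], dport=int(m[5]) if m[5] else None)
        elif (m := L3_RE.match(line)):
            rec.update(proto=m[1], ttl=int(m[2]), tos=m[3], ipid=int(m[4]),
                       iplen=int(m[5]), dgmlen=int(m[6]))
        elif (m := TCP_RE.match(line)):  # only present for TCP alerts
            rec.update(flags=m[1], seq=m[2], ack=m[3], win=m[4], tcplen=int(m[5]))
        elif line.startswith("[Xref => "):
            rec["xref"].append(line[len("[Xref => "):].rstrip("]"))
    return records

def to_csv(records):
    """CSV text that a spreadsheet imports with exactly one field per column."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

def summarise(records):
    """The pivots the article builds by hand: per classification, per source, per port."""
    return {"by_classification": Counter(r["classification"] for r in records),
            "by_source": Counter(r["src"] for r in records),
            "by_dport": Counter(r["dport"] for r in records),
            "priority_1": sum(1 for r in records if r["priority"] == 1)}

# Constructed sample in Snort's full alert format (documentation-range addresses; the third
# alert uses a local-rules SID and has no TCP flags line).
SAMPLE_ALERTS = """\
[**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/25-20:31:31.817217 203.0.113.5:1000 -> 192.0.2.24:1433
TCP TTL:102 TOS:0x0 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x43EE0000  Ack: 0x0  Win: 0x4000  TcpLen: 20
[Xref => http://doc.emergingthreats.net/2010935]

[**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/25-20:31:31.838622 203.0.113.5:6000 -> 192.0.2.17:1433
TCP TTL:103 TOS:0x0 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0x6D5F0000  Ack: 0x0  Win: 0x4000  TcpLen: 20
[Xref => http://doc.emergingthreats.net/2010935]

[**] [1:1000001:1] LOCAL ICMP echo request [**]
[Classification: Misc activity] [Priority: 3]
07/25-20:31:32.010000 203.0.113.9 -> 192.0.2.24
ICMP TTL:64 TOS:0x0 ID:4711 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(to_csv(alerts))
    print(summarise(alerts))
```

Point it at a real file with parse_alerts(open("/var/log/snort/alert").read()); the regular expressions only match Snort's own line layouts, so any line they do not recognise is ignored rather than mis-parsed.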


By: Dr Gaurav Kumar The author is associated with various academic and research institutes, where he delivers lectures and conducts technical workshops on the latest technologies and tools. You can contact him at kumargaurav.in@gmail.com




Figure 1: Deauthentication attack (client, attacker and AP: authentication response, association request, association response and data frames, followed by the deauthentication frames)
Figure 2: Showing the wireless card's name
Figure 3: Setting wlan0 to mon0
Figure 4: Showing information about APs

Windows 7 as the victim

Kali Linux was installed in a VMware virtual machine with a USB wireless card (Atheros-based), which it recognised successfully. I then followed the steps given below to launch the attack.
Step 1. To find the name of the wireless card, I typed the command airmon-ng, as shown in Figure 2. The wireless card's name is wlan0.
Step 2. The next command, airmon-ng start wlan0, puts the card into monitor mode by creating a monitor-mode interface named mon0, as shown in Figure 3.
Step 3. I then typed iwlist wlan0 scanning, as shown in Figure 4, to list all the APs in the vicinity. In Figure 4, important information such as the MAC address, channel number and ESSID of the AP is highlighted in red rectangles.
Step 4. Here, I locked mon0 to the AP's channel (Channel 1) and watched only that AP, using the following command:

airodump-ng mon0 -c <channel> --bssid <MAC address of AP>

…as shown in Figure 5. The result can be seen in Figure 6, where BSSID is the MAC address of the AP and the STATION column lists the wireless clients associated with that AP. I chose one victim: 88:53:2E:0A:75:3F. Now it's time to mount the attack!
Step 5. For the attack, I used aireplay-ng to send the deauthentication frames. The following command does the job:

aireplay-ng -0 10 -a 84:1B:5E:50:C8:6E -c 88:53:2E:0A:75:3F mon0

Here's a description of the above command:
• -0 selects the deauthentication attack
• 10 is the number of deauthentication rounds to send (0 means keep sending until stopped); in each round aireplay-ng sends a burst of 64 frames to the client and 64 to the AP
• -a is the MAC address of the AP
• -c is the MAC address of the client to be deauthenticated. The attacker's frames carry this client's address (and the AP's) as their source, i.e. the addresses are spoofed.
Figure 7 shows the effect of the command. Now, it's time to look at the victim's PC. Figure 8 shows the full story of the attack, which is sure to upset the victim.

Analysing the deauthentication attack

Figure 9 shows the packet flow. The first frame appears to come from the victim's machine (its source address is spoofed) and contains the deauthentication


Figure 5: Command to set mon0 to Channel 1
Figure 6: Showing all wireless devices connected to the AP
Figure 7: Sending the deauth packet
Figure 8: Wi-Fi signal gone
Figure 9: The packet flow
Figure 10: Deauth frame

flag. The second deauthentication frame appears to be sent from the AP to the victim; both are forged by the attacker. A local packet capture session on the monitor-mode interface was started in Wireshark to capture the frames generated by the attacker.

Who is behind the attack?

This attack is made at the data-link layer, which is associated with the MAC address. The book 'Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet' (Second Edition) by Eoghan Casey states that data-link layer addresses (MAC addresses) are more easily identifiable than network layer addresses (e.g., IP addresses), because a MAC address is usually directly associated with the network interface card in a computer, whereas an IP address can easily be reassigned to different computers. However, in the Wireshark capture the source is the victim and the destination is the AP, and vice versa: the attacker never puts its own address in the frames. The addresses alone therefore cannot identify the attacker. What can help is evidence from outside the MAC header: the signal strength (RSSI) recorded in the radiotap header differs between the real station and the attacker's radio, and the sequence numbers of the forged frames do not continue the sequence the real station was using. Both let a monitor tell the two transmitters apart, and with directional antennas the attacker can be located.

So how do we detect the attack?

A deauthentication frame is sent by a station to another station when it wishes to terminate communications. When we manually disconnected from the AP three times, we saw three deauth frames in the capture, as shown in Figure 10. Using aireplay-ng we sent a single deauthentication round, yet in Wireshark we captured 256 frames. Wireshark captured the frames from one side and we sent frames from the other, so from our side 256/2 = 128 frames were sent: 64 to the client and 64 to the AP. Given this volume, the attack also falls into the category of a DoS attack. After seeing such a large number of deauthentication frames in a short time, a wireless intrusion detection system (WIDS) can raise the alarm. At the user level, there is still no fool-proof way to prevent this attack. At the organisation level, a WIPS/WIDS system such as AirMagnet Enterprise can specifically detect these attacks and contain enterprise-wide damage. The real fix lies in the standard: IEEE 802.11w (Protected Management Frames) authenticates deauthentication and disassociation frames so that forged ones are discarded, but it only helps where the AP and every client support it and it is enabled (it is optional in WPA2 and mandatory in WPA3).
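The detection described above can be written down as a rule. The following Python program is an added example, not code from the original article: given raw 802.11 frames with timestamps (in practice read from a monitor-mode capture, after stripping the radiotap header), it flags a flood of deauthentication or disassociation frames from one transmitter within a short window, and separately flags a deauthentication frame whose 12-bit sequence number does not continue the counter the real transmitter was using, which is how forged frames give themselves away even though their addresses match the victim's. The frames are constructed inside the script: the AP and client addresses are the ones from the aireplay-ng command above, while the sequence numbers, the timestamps and the use of reason code 7 for the forged frames are assumptions made for the example; the thresholds (8 frames per second, sequence gap of 50) are a starting point to tune, not a standard.

```python
"""Spot a deauthentication flood, and the forged frames' out-of-sequence numbers,
in a stream of raw 802.11 frames, the way a simple WIDS rule would."""
import struct
from collections import defaultdict, deque

MGMT, DATA = 0, 2                       # 802.11 frame types
DEAUTH, DISASSOC, BEACON = 12, 10, 8    # management subtypes

def build_frame(ftype, subtype, addr1, addr2, addr3, seq, body=b""):
    """Minimal 802.11 MAC header (no radiotap header, no FCS); used to construct test frames."""
    fc = struct.pack("<H", (ftype << 2) | (subtype << 4))  # protocol version 0, no flags
    seq_ctrl = struct.pack("<H", seq << 4)                  # fragment 0, 12-bit sequence number
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + seq_ctrl + body

def parse_frame(raw):
    """Decode the fields the detector needs from a raw 802.11 frame."""
    fc = raw[0]
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": raw[4:10].hex(":"), "addr2": raw[10:16].hex(":"), "addr3": raw[16:22].hex(":"),
            "seq": struct.unpack("<H", raw[22:24])[0] >> 4,
            "reason": struct.unpack("<H", raw[24:26])[0] if len(raw) >= 26 else None}

class DeauthMonitor:
    """Alert when one transmitter sends `burst` deauth/disassoc frames within `window` seconds,
    or when a deauth frame's sequence number jumps more than `seq_gap` away from the last
    number that transmitter used (forged frames do not continue the real station's counter)."""

    def __init__(self, window=1.0, burst=8, seq_gap=50):
        self.window, self.burst, self.seq_gap = window, burst, seq_gap
        self.recent = defaultdict(deque)  # (bssid, transmitter) -> timestamps of recent deauths
        self.last_seq = {}                # transmitter -> last sequence number seen from it
        self.alerts = []

    def feed(self, ts, raw):
        f = parse_frame(raw)
        tx = f["addr2"]
        if f["type"] == MGMT and f["subtype"] in (DEAUTH, DISASSOC):
            q = self.recent[(f["addr3"], tx)]
            q.append(ts)
            while ts - q[0] > self.window:
                q.popleft()
            if len(q) == self.burst:  # report once, when the threshold is first crossed
                self.alerts.append({"kind": "flood", "bssid": f["addr3"], "tx": tx,
                                    "count": len(q), "ts": ts, "reason": f["reason"]})
            prev = self.last_seq.get(tx)
            if prev is not None and (f["seq"] - prev) % 4096 > self.seq_gap:
                self.alerts.append({"kind": "seq-anomaly", "tx": tx, "last_seq": prev,
                                    "seen": f["seq"], "ts": ts})
        self.last_seq[tx] = f["seq"]  # updated for every frame, so a burst is reported once
        return f

# Constructed frames using the AP and client addresses from the article's aireplay-ng command.
AP = bytes.fromhex("841b5e50c86e")
CLIENT = bytes.fromhex("88532e0a753f")
BROADCAST = b"\xff" * 6

def legit_traffic():
    """A beacon, a few data frames and one genuine deauth sent when the user disconnects."""
    frames = [(0.1, build_frame(MGMT, BEACON, BROADCAST, AP, AP, 2000))]
    frames += [(0.2 + i / 10, build_frame(DATA, 0, AP, CLIENT, AP, 100 + i)) for i in range(4)]
    frames.append((0.7, build_frame(MGMT, DEAUTH, AP, CLIENT, AP, 104, struct.pack("<H", 3))))
    return frames

def aireplay_like_burst(t0=5.0):
    """64 forged deauths in each direction, 1 ms apart, with sequence numbers restarting at 0
    (constructed to mimic one aireplay-ng -0 1 round; reason code 7 is assumed)."""
    reason = struct.pack("<H", 7)
    frames = []
    for i in range(64):
        frames.append((t0 + (2 * i) / 1000, build_frame(MGMT, DEAUTH, CLIENT, AP, AP, i, reason)))
        frames.append((t0 + (2 * i + 1) / 1000, build_frame(MGMT, DEAUTH, AP, CLIENT, AP, i, reason)))
    return frames

def simulate(frames, **thresholds):
    """Feed (timestamp, frame) pairs to a fresh monitor and return the alerts it raised."""
    mon = DeauthMonitor(**thresholds)
    for ts, raw in frames:
        mon.feed(ts, raw)
    return mon.alerts

if __name__ == "__main__":
    for alert in simulate(legit_traffic() + aireplay_like_burst()):
        print(alert)
```

The genuine disconnect in legit_traffic() raises nothing: one deauth frame, with a sequence number one higher than the station's previous data frame. The burst raises two flood alerts (one per forged direction, both against the same BSSID) and two sequence anomalies, one for each address the attacker impersonates, which is the signal that tells a WIDS this is an attack rather than a client leaving.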

By: Mohit Raj The author, who is a certified ethical hacker and EC Council Certified Security Analyst, has completed a Masters in Engineering (ME) in computer science from Thapar University, Patiala. He currently works in IBM India, and can be contacted at mohitraj.cs@gmail.com



Admin

How To

How to Configure Ubuntu as a Router Did you know that your Ubuntu system could be configured to act as an immensely powerful router? Surprised? Read on to discover how to achieve this with just a few simple steps.




Figure 1: Ubuntu as a router (diagram labels: Client 192.168.1.8; Switch 10.10.6.205; Host A; Host B; Ubuntu Machine 10.10.6.203 (eth0), 10.10.6.204 (eth1))

Figure 2: Configuration of eth0

Figure 3: Setting up network on eth0

Figure 4: Configuration of eth1

Figure 5: Setting up network on eth1




Figure 6: Enable IP forwarding

Figure 7: Result

By: Mandar Shinde The author works in the IT division of one of the largest commercial automotive organisations in India. His technical interests include Linux, networking, backup and virtualisation.




Admin

Let's Try

Analyse Packet Capture to Protect Your Network For a network administrator or someone in a production environment who gets paranoid about whether anybody is snooping on the network, tools such as tcpdump act as a reassurance, as they help to counter such threats. This article discusses the processing and analysis of packets that have been captured by tcpdump or Wireshark.

When it comes to network security, the first thing people should take care of is their own network. This can be achieved by analysing your data and making sure that no one is intruding on your network. The name ‘PCAP’ comes from the two words ‘packet capture’. It is the file type written by Ethernet packet sniffers, which means that this file format is used by the tools that analyse network traffic. In this article, I will start with the basics so that even a newbie can easily analyse the data, using the tools mentioned.

The basics

Anyone who is new to network security needs to have a good grasp of the various types of networks and of the basic protocols, TCP (Transmission Control Protocol) and IP (Internet Protocol). There are several versions of IP, and the address format varies with the version. This understanding is necessary because, with the help of the IP address, we can determine the location of someone who is mounting an attack. I would suggest you visit some of the links below, which will help you get an understanding of the basics of networking.
http://en.wikipedia.org/wiki/Network_security
http://cse.hcmut.edu.vn/~minhnguyen/NET/Computer%20Networks%20-%20A%20Tanenbaum%20-%205th%20edition.pdf
http://www.cert.org/historical/tech_tips/home_networks.cfm
The best way to get a strong foundation on the subject would be to Google for information, instead of just reading many books. It is better to concentrate on a single book and try out various tools to get a good command over them.

Tools

Many tools are available for the analysis of packets, the most basic and most powerful one being tcpdump. It can be installed or updated by using the following command:

sudo apt-get install tcpdump


Many open source tools are available to us but none match tcpdump. It is the best tool to capture and filter packets using basic C code – something that I will discuss briefly, subsequently. For Windows, there are many tools such as Wireshark and WinPcap. The links are given below.
http://www.winpcap.org/install/default.htm
http://wiki.wireshark.org/Tools
You can get a list of all the open source tools from here.
http://www2.opensourceforensics.org/tools/network
Everything can be done in the terminal with the help of tcpdump. The remaining tools give us easy access, some benefits and some ready-made features.

Capturing one’s own data

It’s very easy to capture your data in Linux by using the terminal (Ctrl+Alt+T) and typing the following command:

sudo tcpdump -w capture.pcap

Figure 1: Installing tcpdump

Figure 2: Using tcpdump to capture data

This command invokes the tool tcpdump and writes the data into the file named ‘capture.pcap’ (remember, .pcap is the extension for captured packets). This goes on until you give it a keyboard interrupt (Ctrl+C) or temporarily stop the job with Ctrl+Z. Packet capture can be resumed by giving the command fg, just as for any other suspended command. Packet capture can also be done by using online tools such as Wireshark. Have a look at the man page of tcpdump before going ahead with the article:

man tcpdump

Analysis

I assume that you have a good knowledge of the operators (such as ‘|’ and ‘*’) used in the terminal, for this section. If not, here are some links to tutorials that will teach you the basics.
http://linuxcommand.org/lc3_learning_the_shell.php
http://ss64.com/bash/
http://www.pas.rochester.edu/~pavone/particle-www/telescopes/ComputerCommands.htm
The best way to learn about them is to refer to the man page when you have a doubt about a particular command.

Count of packets

To determine the count of packets in the file, we use the following command:

tcpdump -nn -r capture.pcap | wc -l

Figure 3: Count of packets

Since the file usually contains a large amount of data, instead of using the ‘cat’ command, it is better to pipe the file to ‘head’ so that we can get a clear view of it. This can be achieved by using the following command:

tcpdump -nn -r capture.pcap | head

The fields of the PCAP file would be in the following order:
1. Time
2. Network protocol
3. Source IP
4. Source Port
5. Destination IP
6. Destination Port
To concentrate on one of the above fields, remove some of them by using commands for piping and filtering. For example, the following command is used to get only the source IP address and its port:

tcpdump -nn -r capture.pcap | cut -f 3 -d " " | head

To filter the file to get TCP/IP and exclude the Layer 2 traffic, add the filter ‘tcp or udp’ at the end of the tcpdump command:

tcpdump -nn -r capture.pcap 'tcp or udp' | cut -f 3 -d " " | head

To get only the IP address without the port, cut away the other columns, starting from the “.” that separates the address from the port:

tcpdump -nn -r capture.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | head

The ‘uniq’ command

The ‘uniq’ command can be used to remove repeated lines in the PCAP file, because we are not interested in seeing the same source and destination twice. This command saves you a lot of time and avoids repetition:

tcpdump -nn -r capture.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq | head

The command below gives the top 10 destination IP addresses. ‘uniq -c’ prefixes each address with the number of times it occurs and ‘sort -nr’ orders the addresses by that count, in descending order:

tcpdump -nn -r capture.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head

You can try every option available and get your work done easily.
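The cut/sort/uniq pipelines above can be reproduced in a few lines of Python over the text that ‘tcpdump -nn -r capture.pcap’ prints, which also shows where the ‘cut -f 1-4 -d "."’ trick is fragile: tcpdump puts the port after the last dot, so splitting once from the right handles both IP and IP6 lines. This is an added example written for this article, not the author's code or tcpdump's; the sample capture lines and the function names are constructed here, and the parser assumes TCP/UDP lines (where a port is always present), as the article's ‘tcp or udp’ filter does.

```python
"""Added example (not from the article): the article's cut/sort/uniq
pipelines re-implemented over the text output of `tcpdump -nn -r`, with
the port split from the address at the last '.' (valid for IP and IP6
lines).  The capture lines below are constructed for this example and
are assumed to be TCP/UDP, i.e. to carry a port, as the article's
'tcp or udp' filter guarantees."""
import re
from collections import Counter

# Start of a tcpdump -nn line: timestamp, IP or IP6, source > destination:
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>IP6?)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):")

# Constructed sample of tcpdump -nn output (addresses are example values).
SAMPLE_CAPTURE = """\
12:00:01.000123 IP 10.10.6.8.51234 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:01.010456 IP 93.184.216.34.80 > 10.10.6.8.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:01.020000 IP 10.10.6.8.51234 > 93.184.216.34.80: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 10.10.6.8.40000 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:02.030000 IP 8.8.8.8.53 > 10.10.6.8.40000: 12345 1/0/0 A 93.184.216.34 (45)
12:00:03.000000 ARP, Request who-has 10.10.6.1 tell 10.10.6.8, length 28
12:00:04.000000 IP 10.10.6.9.55555 > 93.184.216.34.443: Flags [S], seq 9, win 64240, length 0
"""


def split_endpoint(endpoint):
    """'93.184.216.34.80' -> ('93.184.216.34', '80').  tcpdump writes the
    port after the last dot, for IPv6 too, so one split from the right is
    enough; 'cut -f 1-4 -d .' only works for IPv4."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return the fields of one tcpdump -nn line as a dict, or None for a
    non-IP line (ARP and other Layer 2 traffic), which the 'tcp or udp'
    filter in the article drops."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {"ts": m.group("ts"), "proto": m.group("proto"),
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def parse_capture(text):
    """Parse every line, keeping only IP/IP6 packets."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def unique_pairs(packets):
    """Equivalent of `... | sort | uniq` on (source, destination) addresses."""
    return sorted({(p["src_ip"], p["dst_ip"]) for p in packets})


def top_destinations(packets, n=10):
    """Equivalent of `... | sort | uniq -c | sort -nr | head`: the n
    destination addresses with the highest packet counts."""
    counts = Counter(p["dst_ip"] for p in packets)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    print("%d IP packets (Layer 2 lines skipped)" % len(packets))
    for src, dst in unique_pairs(packets):
        print("%-16s -> %s" % (src, dst))
    for ip, count in top_destinations(packets):
        print("%7d %s" % (count, ip))
```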

Web tools

If you have a PCAP file you want to analyse but don’t have the tools or the sudo password to do so, try online tools such as Wireshark. I am using the small example file which was used for the challenge in picoCTF, where we need to find the destination of the ship from the conversation between the robot and the spaceship. This is a very easy challenge and can be addressed by having a clear look at the conversation (https://www.cloudshark.org/captures/bc1c0a7fae2c). Alternatives to CloudShark are given in the following URLs.
http://www.wireshark.org/
http://canyouseeme.org/
http://www.lovemytool.com/
http://www.yougetsignal.com/
http://sectools.org/
You can try any of the tools from the above links. Some of them provide tools from the browser itself.

By: Dhanvi Tummala The author is a security enthusiast and has studied at Amrita University in Amritapuri, Kerala. She can be contacted at dhanvicse@gmail.com



Admin

Insight

started at system boot up and exits when there are no more jobs to run. Upon start-up, Anacron reads the list of configured jobs from the Anacron table. For each job, it checks whether the current job has been executed in the last ‘n’ days. If not, Anacron waits for the number of minutes specified as the delay parameter in the Anacron table, and starts executing the job. After this is done, it records the job execution date in a special timestamps file. At the next system boot up cycle, this timestamps file is checked to decide whether there is a need for a particular job to be executed or not. Anacron makes sure that only one instance of a job runs at a time by using a locking mechanism. After executing all jobs, Anacron exits.

Understanding the Anacron table

Now that we have understood the need for Anacron and its lifecycle, let us explore the format of the Anacron table. In the Anacron table, each field is separated by a space or a tab character. Shown below is the format of the Anacron table:

{period} {delay} {job-identifier} {command(s)}

OR

{@period_name} {delay} {job-identifier} {command(s)}

Table 1 describes each field of the Anacron table.

Table 1
Field            Description
period           This is a numeric value, which can be specified in days only.
delay            This can be specified in minutes. After starting, Anacron waits for the ‘n’ number of minutes specified as the delay parameter, before actual job execution.
job-identifier   This is the name of the timestamps file and should be unique for each job. Before job execution, Anacron examines the timestamps file to decide whether job execution is needed or not.
command          This field, which is self-explanatory, can be a shell command or script.

Anacron provides a special string value that can be used in place of the period field. The currently supported value for this field is @monthly. This ensures that jobs will be executed once a month, regardless of the number of days in the current or previous month. Anacron also allows the assignment of values to environment variables in the Anacron table. Please note that Anacron tables are parsed from top to bottom; hence, any environment settings are applicable only to those commands that are specified after setting environment variables. By default ‘SHELL’ is set to /bin/sh. ‘HOME’ is the home directory of the user. ‘LOGNAME’ is the name of the user executing the Anacron job. The default value of ‘PATH’ is /usr/bin:/bin. By default, after successful command execution, the output is mailed to the owner of the Anacron table (usually the root user). This default behaviour can be overridden by setting up a ‘MAILTO’ environment variable. If ‘MAILTO’ is set up and is not empty, then the output of the command is mailed to the user so named. In ‘MAILTO’, multiple recipients can be specified by a comma separated list. If the empty value is assigned to ‘MAILTO’ (e.g., MAILTO=""), then no mail is sent. In the Anacron table, we can assign values to environment variables in the same manner as shell assignment. The simple example given below will give you a clearer idea about the usage of environment variables.

[root]# cat /etc/anacrontab
# Set environment variables.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
MAILTO="jerry@acme.com"

# These replace Cron's entries
1 5 cron.daily run-parts --report /etc/cron.daily
7 10 cron.weekly run-parts --report /etc/cron.weekly
@monthly 15 cron.monthly run-parts --report /etc/cron.monthly

Additionally, Anacron provides two more variables (given below) that control the scheduled time of the configured jobs.
1) RANDOM_DELAY: This is the maximum number of minutes that will be added to the delay field of each job. The minimum possible value for this variable is 6 minutes. Here is an example. Let us suppose the value of RANDOM_DELAY is 20 minutes and the value in the delay field is 10 minutes. Then, before job execution, Anacron will wait for 10 minutes (from the delay field) + a random number of minutes between 6 and 20 (because of RANDOM_DELAY).
2) START_HOURS_RANGE: Anacron overcomes one of the major drawbacks of Cron. If an Anacron job is scheduled for a particular time interval and the system is not running at that time, Anacron guarantees that the job will be executed when the system comes up. But here is a catch. What if the system does not go offline? When should the job be executed? The solution is to specify this range by defining the START_HOURS_RANGE variable. For example, if the value of START_HOURS_RANGE is ‘12-18’, then Anacron jobs can be run between 12 a.m. and 6 p.m. If START_HOURS_RANGE is defined and that time interval is missed, for example, because of a power outage, then the job will not run for that particular day.

Playing with Anacron tables

The two files below play an important role in the Anacron lifecycle.
/etc/anacrontab: This is a configuration file, which stores the Anacron table and describes the jobs controlled by it.
/var/spool/anacron: This is the default spool area used by Anacron to store timestamps files.
Anacron stores its table in the /etc/anacrontab file. To create or edit an Anacron table, edit the /etc/anacrontab file directly using your favourite text editor. Please note that the user must be privileged to edit the Anacron table. An Anacron table file might look like the example listing below:

[root]# cat /etc/anacrontab
# Set environment variables.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
1 5 cron.daily run-parts --report /etc/cron.daily
7 10 cron.weekly run-parts --report /etc/cron.weekly
@monthly 15 cron.monthly run-parts --report /etc/cron.monthly

Additionally, we can instruct Anacron to use a specified Anacron table rather than the default one. Anacron's ‘-t’ option will do the needful. Let us check it out with an example. Jerry has written his Anacron table in the jerry.anacrontab file and it has the following contents:

[jerry]$ cat /home/jerry/jerry.anacrontab
# Set environment variables.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
LOGNAME="jerry"
HOME="/home/jerry"
MAILTO="jerry@acme.com"
1 5 jerrcron.daily /home/jerry/daily_maintenance.sh
7 10 jerrycron.weekly /home/jerry/weekly_maintenance.sh

To use the above file as an Anacron table instead of the default one, execute the following command:

[jerry]$ anacron -t /home/jerry/jerry.anacrontab

This method is useful for a non-root user to run Anacron. To execute a job successfully, Anacron needs its table in a particular format. It is good practice to check the Anacron table for syntax errors. One of the lengthy ways to test it is to copy the Anacron table to a test machine and verify it by executing jobs. It's better to identify those syntax errors by static analysis, i.e., without running an actual job. Anacron provides the ‘-T’ option for this. It validates the syntax of the Anacron table and, if errors are found, reports them on the standard error stream and sets the command exit status to 1. Let us check this out with an example. We know that Anacron does not support the ‘@hourly’ string. Let us deliberately insert it into the Anacron table. Given below is an example of an Anacron table with a syntax error:

[jerry]$ cat /home/jerry/jerry.anacrontab
# Set environment variables.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
LOGNAME="jerry"
HOME="/home/jerry"
MAILTO="jerry@acme.com"
1 5 jerrcron.daily /home/jerry/daily_maintenance.sh
7 10 jerrycron.weekly /home/jerry/weekly_maintenance.sh
@hourly 10 jerrycron.hourly /home/jerry/check_disk_space.sh # Here is the error.

Now, validate the Anacron table for syntax errors.

[jerry]$ anacron -t /home/jerry/jerry.anacrontab -T
Anacron: /home/jerry/jerry.anacrontab: Unknown named period on line 10, skipping

Also verify the exit status of the command.

[jerry]$ echo $?
1
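The lifecycle described earlier (parse the table top to bottom, skip malformed lines, compare each job's timestamps file against its period) and the ‘-T’ style check above can be reproduced in a few dozen lines. The block below is an added example written for this article, not Anacron's own code: the function names, the ISO date strings standing in for timestamps files and the sample table are constructed here, and stripping the double quotes from environment values is this example's simplification, not a statement about how Anacron parses them.

```python
"""Added example, not Anacron's own code: a small anacrontab parser that
performs a static check in the spirit of `anacron -T` (bad lines are
reported with their line number and skipped, and the table is rated
exit status 1) plus the timestamp comparison Anacron makes at start-up
to decide whether a job is due.  Function names, date handling and the
sample table are constructed for this example."""
import re
from datetime import date

NAMED_PERIODS = ("@monthly",)       # the only named period the article lists
ENV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Constructed table: Jerry's file from the article with the deliberate
# @hourly mistake on its last line.
SAMPLE_TABLE = """\
# Set environment variables.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
LOGNAME="jerry"
HOME="/home/jerry"
MAILTO="jerry@acme.com"
1 5 jerrycron.daily /home/jerry/daily_maintenance.sh
7 10 jerrycron.weekly /home/jerry/weekly_maintenance.sh
@hourly 10 jerrycron.hourly /home/jerry/check_disk_space.sh
"""


def parse_anacrontab(text):
    """Parse the table top to bottom, as Anacron does.

    Returns (env, jobs, errors): env maps variable names to values (the
    surrounding double quotes are stripped here for readability, which is
    this example's simplification); jobs is a list of dicts with keys
    period (int days or '@monthly'), delay (int minutes), ident, command
    and line; errors is a list of (line_no, message) for skipped lines."""
    env, jobs, errors = {}, [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
            continue
        parts = line.split(None, 3)     # period delay job-identifier command
        if len(parts) < 4:
            errors.append((no, "expected 4 fields, skipping"))
            continue
        period, delay, ident, command = parts
        if period.startswith("@"):
            if period not in NAMED_PERIODS:
                errors.append((no, "Unknown named period %s, skipping" % period))
                continue
        elif period.isdigit() and int(period) > 0:
            period = int(period)
        else:
            errors.append((no, "period must be a positive number of days, skipping"))
            continue
        if not delay.isdigit():
            errors.append((no, "delay must be a number of minutes, skipping"))
            continue
        jobs.append({"period": period, "delay": int(delay), "ident": ident,
                     "command": command, "line": no})
    return env, jobs, errors


def check_table(text):
    """Static check like `anacron -T`: report each problem and return the
    exit status the article describes (1 when errors were found, else 0)."""
    _, _, errors = parse_anacrontab(text)
    for no, msg in errors:
        print("line %d: %s" % (no, msg))
    return 1 if errors else 0


def job_due(job, last_run, today):
    """Decide whether a job must run.  `last_run` is the date recorded in
    the job's timestamps file (None if the file does not exist yet) and
    `today` the current date; both may be date objects or 'YYYY-MM-DD'.

    Numeric periods are due once `period` or more days have elapsed;
    @monthly is due as soon as the calendar month differs, whatever the
    number of days in the current or previous month."""
    if last_run is None:
        return True
    if isinstance(last_run, str):
        last_run = date.fromisoformat(last_run)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if job["period"] == "@monthly":
        return (today.year, today.month) != (last_run.year, last_run.month)
    return (today - last_run).days >= job["period"]


if __name__ == "__main__":
    status = check_table(SAMPLE_TABLE)
    _, jobs, _ = parse_anacrontab(SAMPLE_TABLE)
    for job in jobs:
        print(job["ident"], "due on 2014-07-08 after a 2014-07-01 run:",
              job_due(job, "2014-07-01", "2014-07-08"))
    print("exit status", status)
```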

Running Anacron

We have completed our discussion on Anacron tables. Let us now look at different ways of running Anacron.
Running Anacron at system start-up: If your system’s start-up and shut-down cycles are very frequent, then launching Anacron at the time of system boot-up is a good choice. Upon system start-up, Anacron can check the list of configured jobs and execute them, if necessary. For the Ubuntu GNU/Linux distribution, /etc/init/Anacron.conf is Anacron's start-up script, which runs all the jobs from /etc/anacrontab. The contents of the /etc/init/Anacron.conf file might vary from version to version. If you are running any other GNU/Linux distribution, then go through your distribution’s documentation to find out or write the Anacron start-up script.
Running Anacron via Cron: Another popular way to launch Anacron is to run it via Cron. If your computer shuts down or starts up less frequently, then this is a good choice. To launch Anacron via Cron, create a Cron table entry in the /etc/crontab file:

@hourly root anacron

For the job above, Cron executes Anacron once every hour, and Anacron executes jobs only if necessary.
Running Anacron via a non-root user: In our earlier discussion, we have seen how the root user can run Anacron. But it is a very common requirement to execute Anacron via an ordinary or non-root user. We can achieve this by simply creating a private Anacron table and by specifying a different spool area. To run Anacron via an ordinary user, add the following entry to the user's Cron table or execute Anacron via login scripts:

anacron -t /home/jerry/jerry.anacrontab -S /home/jerry/crontab_spool

…where the ‘-t’ option is used to specify a private Anacron table and the ‘-S’ option is used to specify the spool area that stores the timestamps file.

Insights about Crontab

Anacron is sensitive to signals. The signal ‘SIGUSR1’ can be used to stop Anacron gracefully. After receiving the ‘SIGUSR1’ signal, if there are any running jobs, Anacron waits for them to finish and then exits gracefully. To know more about signals, refer to the manual page of the ‘kill’ command from your distribution.
By default, Anacron forks and creates child processes. The parent process exits immediately and the child processes start their execution in the background. By providing the ‘-d’ option, we can instruct Anacron not to fork into the background. In this mode, Anacron will print all messages to the standard error stream as well as send them to the ‘syslog’ daemon. Additionally, it will also e-mail the output according to the MAILTO setting.
Before job execution, Anacron does some pre-checks. Reading the timestamps file is one of them. Anacron then decides whether job execution is needed or not. We can override this default behaviour by using the ‘-f’ option, which forces Anacron to execute the job, ignoring timestamps. We can also perform dry runs of jobs for testing purposes. The ‘-u’ option of Anacron just updates the timestamps to the current date, but does not actually run any job.
We can instruct Anacron to start job execution in serial order. The ‘-s’ option of Anacron takes care of that. In serial job execution, the next job is started only when the previous job completes its execution.
Anacron uses the /var/spool/anacron directory as a spool area to store the timestamps file. We can also use other directories as the spool area by specifying an argument to the ‘-S’ option. This is needed when a non-root user wants to execute a job through Anacron.

Caveats

Although Anacron is a great utility and works intelligently by taking care of missed jobs, it also has some shortcomings. Let us discuss a few of them. For Anacron, the smallest possible granularity is days. It does not deal with hours or minutes. Anacron creates a timestamps file per job in the spool area, and those files never get removed automatically. If the user removes a particular job entry from an Anacron table, then he has to remove the timestamps file manually. For each job execution, Anacron uses up to two file descriptors; so we can easily run out of descriptors if we run a large number of jobs. Please note that this limit varies from one version of GNU/Linux to another. We have seen that, by combining Anacron with other utilities, we can manage a GNU/Linux system more efficiently. These simple but powerful command-line utilities make GNU/Linux more interesting and reliable.

By: Narendra Kangralkar The author is a FOSS enthusiast and loves exploring anything related to open source. He can be reached at narendrakangralkar@gmail.com


How To

Admin

Managing Your IT Infrastructure with Zentyal Zentyal (formerly eBox Platform) is a program for servers used in small and medium enterprises (SMBs). It plays multiple roles—as a gateway, network infrastructure manager, unified threat manager, office server, unified communications server or a combination of all of the above. This is the second article in our series on Zentyal.

I

n the previous article, we discussed the installation of Zentyal in two scenarios. In this article, let’s consider DHCP, DNS and a captive portal set-up. Zentyal installation creates default settings that are not suitable for a production environment. Here, we will look at how to overrun those settings and create custom settings. I will start with DNS, then discuss the steps to be taken for DHCP, followed by a captive portal.

The DNS set-up

In my previous article, we had set up a domain name, which we will now use for setting up our DNS. The steps for configuration are as follows:
1. Open the Zentyal dashboard by using the IP address configured.
2. The URL will be https://your-ip-address.
3. Enter the user ID and password.
4. In the dashboard, you will see different categories like Core, Infrastructure, Office, etc. Click ‘DNS’ under ‘Infrastructure’.
5. Select ‘Enable transparent DNS cache’. With this setting, DNS will cache all the DNS requests, which will be routed through an internal DNS server. The clients have to use Zentyal as their gateway. Also enable the ‘Firewall’ module by traversing to ‘Module Status’ under the Core section. Click the ‘Save changes’ button on the top left of the screen to save the settings and enable the service.
6. The next option is ‘DNS forwarder’. With this option, all the DNS requests that come to the server will first be searched in the local cache. If not found, they will be forwarded to external forwarders. Select ‘Add New’ and give your router address, and ISP-supplied gateway. VirtualBox users need to enter their DHCP gateway address. Click the ‘Save changes’ button on the top left of the screen to save the settings and enable the service.
7. The next sub-category is ‘Domains’. This will list all the local domains. Click on the button under ‘Domain IP addresses’ and remove your public IP from this using the ‘Delete’ button under ‘Action’. Click the ‘Save changes’ button on the top left of the screen to save the settings and enable the service.
8. Click on the back button of your browser and click on the button under ‘Hostname’. Then click on the button under ‘IP address’ and delete your public IP from here too. This removal will prevent your public IPs from serving DNS requests from the Web. Click ‘Save changes’ at the top left of the screen to save the settings and enable the service.

DHCP set-up

The DNS has almost been set up. We will now set up the DHCP server. Follow the steps below:
1. Click DHCP under ‘Infrastructure’.
2. Uncheck ‘Enabled’ to stop DHCP requests on the external interface. Click ‘Save changes’ at the top left of the screen to save the settings and enable the service.
3. Click ‘Configuration’ of eth1 to set up DHCP.
4. Click ‘Custom IP address’ and add 172.22.22.1 for the default gateway.
5. For the search domain, select ‘Zentyal domain’.
6. For the primary nameserver, select ‘Custom’ and add 8.8.8.8.
7. For the secondary nameserver, add 8.8.4.4.
8. For the NTP server, set ‘Local Zentyal NTP’.
9. Click the ‘Change’ button to temporarily save changes.
10. Under DHCP ranges, you can see the interface IP address set as 172.22.22.1, the subnet as 172.22.22.0/24 and the available range as 172.22.22.1 – 172.22.22.254. To provide the IP address to clients, you need to set up the DHCP range. Click the ‘Add new’ button under ‘Ranges’. Under ‘Name’ enter ‘lan’; under ‘From’ enter 172.22.22.2, and under ‘To’ enter 172.22.22.254. Click ‘Add’, and then click the ‘Save changes’ button at the top left of the screen to save the settings.
11. Then click ‘Dynamic DNS options’.
12. Select ‘Enabled’ under the ‘Dynamic DNS options’ and click the ‘Change’ button. Click the ‘Save changes’ button at the top left of the screen to save the settings.
13. In the end, click on ‘Modules status’ under ‘Core’.
14. Select DHCP and click on the ‘Save changes’ button at the top left of the screen to save the settings and enable the service.

Captive portal set-up

With these settings, clients will get IP addresses automatically. The next part involves setting up the captive portal. As discussed earlier, it is used to limit access to the network. Follow the steps below:
1. Click ‘Captive portal’ under ‘Gateway’.
2. Select ‘Limit Bandwidth usage’.
3. Define the bandwidth quota. Enter the size in MBs.
4. Select the period for that quota—from Day, Week and Month. Hit ‘Change’ to save.
5. Click ‘Checkbox enabled’ under captive interfaces and then click the ‘Save changes’ button at the top left of the screen to save settings and enable the service.
With all the steps mentioned earlier, you will be able to configure and set up DNS, DHCP and captive portal on your server.

Test the configuration

To test the configuration on a client, which could be Windows or Linux, remove any IPs from the interface of the client. Connect it to the network. Wait for a few seconds. Your client will receive an IP address from the server. To check the IP address received on the client, type the following command on your Windows clients:

ipconfig /all

And for Linux clients, type:

$ ifconfig eth0

Things you might miss

Here’s a list of some of the commonly missed settings during set-up. If you missed them, you can configure them from the dashboard.
1. If you missed the IP set-up, then follow the steps below:
• Click ‘Network’ under ‘Core’, then click ‘Interfaces’.
• You can now set the external interface (eth0) from here. You can also set the internal interface (eth1).
• Click ‘Save Changes’.
2. If you missed the gateway, follow the steps below:
• Click on ‘Network’ under ‘Core’, then click ‘Gateway’.
• Click ‘Add new’.
• Provide the name to the gateway.
• Provide the IP address of the gateway.
• Select ‘Default checkbox’.
• Click ‘Save Changes’.
3. If you missed some of the components from the installation, follow the steps below:
• Click ‘Software Management’ under ‘Core’.
• Click ‘Zentyal components’.
• Then select any component that you have missed during installation.
• In the end, click ‘Install’ to install the component.
In my next tutorial I will discuss the HTTP proxy, traffic shaping, firewalls and users, and computers.

By: Gaurav Parashar The author is a FOSS enthusiast, and loves to work with open source technologies like Moodle and Ubuntu. He works as assistant dean (for IT students) at Inmantec Institutions, Ghaziabad, UP. He can be reached at gauravparashar24@gmail.com


Interview Admin

“We want to virtualise all the services available in the data centre and control them at a software level” It is time for software defined data centres and the hybrid cloud to rule. VMware recently launched VMware Horizon 6, an integrated solution that delivers published applications and desktops on a single platform, for Indian enterprises. The company claims that Horizon 6 is the industry’s most comprehensive desktop solution with centralised management of enterprise applications and desktops, including physical desktops and laptops, virtual desktops and applications, and employee-owned PCs. This product is a step ahead in the company’s journey towards software defined data centres. Diksha P Gupta from Open Source For You spoke to Ramesh Vantipalli, head EUC India and regional SE manager - South, VMware India, about how things are changing for the cloud, data centres and virtualisation. Read on....

Q

HP has recently made a huge investment in the cloud space and is also banking on the hybrid cloud for its growth. There are other players also promoting the hybrid cloud over everything else. So what do you think will be a differentiator in this space, with respect to the services offered?

The hybrid cloud is clearly the future. But an organisation has to be very cautious while choosing the service providers. One important aspect is that seamless management tools are required in the case of hybrid clouds. It is about how seamlessly one manages the entire environment. Our vision is that the front-end tools we give to the administrator should be a single glass pane and a seamless extension, whether the workload is running in a private cloud or a public cloud. Ease of use and seamless integration are propositions that any service provider can offer. The second important thing for the cloud is virtualisation. Without virtualisation, working on the cloud is not possible. We work with vendors, including HP, to make their pieces pluggable. So it is about cooperation between us to actually integrate our technologies into their cloud. Besides, an IT admin must look at the solution being compatible with vendor-agnostic hardware. An organisation’s needs are best served when a vendor can offer a unified approach with respect to the hardware. Also, while choosing a hybrid cloud solution provider, an organisation should understand its own needs first. For example, in Bengaluru, we have an IT-ITeS company that takes on new projects from time to time. When it gets new projects, it wants the IT infrastructure to be in place. Everybody is working on SLAs these days and projects need to be delivered faster. If firms don’t have the compute capacity available locally, they want it seasonally. For instance, a firm might get a 3-month or 6-month long project and want to use a public cloud, but once its own hardware capabilities get enhanced locally, it should be able to move back to its own private cloud. That is where the interest in hybrid clouds comes into play. If a company wants to use a public cloud for some reason, or wants to host some of its workload on it, it would also want to be able to exercise control over it. What we are also seeing is that IT managers are moving the less critical applications on to the public cloud, whereas they manage their more critical applications internally.

Q

From tablets and smartphones, users are now moving on to wearable devices. How will wearables impact the cloud computing world?

Wearables are designed to help us do our day-to-day tasks even more easily. They are still in the early stages of adoption, but imagine if you are able to do all your work on a wearable device without depending on any other device! It will change the entire landscape. It will impact the world of cloud computing tremendously. For example, let’s say there is a healthcare application that is hosted on the cloud. If you use that application on your wearable device, your doctor can analyse the state of your health in real time. So, if you as a patient come to me, a doctor, I know your entire health history. For instance, currently, patients have no data to present regarding the kind of workouts they do, their effect, the calories burnt, and so on. Sophisticated apps in wearable devices can help to give all such details to a doctor, helping him to analyse his patient’s state of health.

Q: What exactly is a software defined data centre (SDDC) and how is it changing cloud computing?

As I said, without virtualisation, there is no cloud. A software defined data centre is our architecture for the cloud. We believe that, in the cloud, you need to have a technology that will virtualise network and storage management. You need to have holistic management. These pillars are called ‘software defined data centres’. Our goal is to literally virtualise all the services available in the data centre and control them at a software level. Just as virtualisation is a component of the cloud, a software defined data centre is an architecture for the cloud. It would be difficult to do cloud computing without software defined data centres.

Q: It is said that SDDCs are synonymous with private clouds. Do you agree?

I don’t agree with this because it is an architecture and it is not restricted to the private cloud. It caters to public clouds as well. It’s a technology that you require to build a cloud with all the necessary components, be it management, self-service portals, multi-tenancy or security.

Q: Are Indian enterprises ready for SDDCs?

Absolutely. As per an IDC estimate, Indian companies will save around US$ 3.8 billion by 2020 just with virtualisation. Why not virtualise the entire data centre and save further? Life is all about speed today. Everyone wants work to happen faster and if you can use software to manage your data centre requirements, there’s nothing like it!

Q: How is the end user computing space getting impacted by SDDCs?

At the end of the day, if the software-defined data centre helps you run the applications, with the massive scale of end user requirements growing significantly by the day, having a model like this will not only boost end user computing technology but will also assist organisations to seamlessly deploy the applications with ease and deliver them to the end user anytime, anywhere.

Q: What are the steps involved in migrating to SDDCs from the traditional data centres?

At VMware, we say there are three ‘journeys’ in the process. The first journey is IT production, which looks at virtualising the data centre and cutting down costs. It implies that customers do not want 1000 servers, but just 10-100 servers, especially since servers already have increased compute power these days. Once the capex saving is done, the second journey is about moving into business production, which is all about virtualising business critical applications, like SAP, HANA, et al. The third journey involves moving into complete automation, that is, IT-as-a-service. That is the time you see the entire SDDC stack getting deployed, helping you to virtualise all the components that enable the data centres to provide you IT-as-a-service capabilities. These are the phases that result in the complete adoption of SDDCs.

Q: What is your strategy to make SDDCs popular in India amongst IT decision-makers?

We have a track record of IT decision-makers claiming that they could save money by deploying VMware SDDCs. If an IT manager is able to virtualise things beyond just servers, like the network (which is the biggest problem for all organisations and involves high costs)—if he is able to build those functions into software and control them, he can save a significant amount of money. That is the need of the hour. Modern-day IT managers want to do more with less.

Q: What trends will drive the adoption of SDDCs in the Indian enterprises?

Trends like cloud economics, having to decrease the cost per workload, the willingness to run more optimised data centres compared to anybody else, and the easy availability of applications will define the adoption of SDDCs. The beauty of it all is that developers don’t need to develop the applications for SDDCs any differently. They can make vendor-agnostic applications for an operating system, because we have already virtualised the operating system.


Enterprise Mobility Management: A Bird’s Eye View

Enterprise Mobility Management (EMM) is an emerging paradigm, and enterprises are rapidly jumping on to this bandwagon. The use of mobile devices as work tools is becoming increasingly popular, bringing in its wake a few security concerns. Read on to learn more about EMM.

The BYOD (Bring Your Own Device) trend has spread to almost all enterprises to varying degrees. Along with the convenience of mobility, organisations face many challenges on the security and management front, forcing them to think about new ways to better manage their enterprise mobility solutions. Enterprise administrators are required to manage security and prevent IT threats at diverse endpoints. An Enterprise Mobility Management (EMM) product suite helps enterprises tackle this problem with ease. This article provides a bird’s eye view of what Enterprise Mobility Management comprises and what established players offer.

The building blocks of Enterprise Mobility Management

The prime concerns of an enterprise CIO are endpoint protection and corporate data security. At the same time, users need complete privacy and control of their personal data, with no compromises. Enterprise Mobility Management solutions are the new buzzword in the market for solving these problems. Gartner has defined the EMM space as: “Enterprise mobility management (EMM) suites consist of policy and configuration management tools and a management overlay for applications and content intended for mobile devices based on smartphone OSs. They are an evolution from the previous generation of MDM (mobile device management) products that lacked application and content management. IT organisations and service providers use EMM suites to deliver IT support to mobile end users and to maintain security policies.” Broadly speaking, there are three major categories of EMM solutions: Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile Content Management (MCM). Let us take a brief look at each of these categories, which together make up a major chunk of an EMM product suite.

MDM solutions

An MDM solution provides device-level management functionality. For instance, a company may want to restrict an employee using a corporate-owned device to connecting to the network through company Wi-Fi only. The features of an MDM solution depend heavily on the management support provided by the target device platforms. Android, iOS and Windows Phone are the popular mobile platforms in the market today. The vanilla Android platform supports only a limited number of management APIs, so many OEMs, such as Samsung, have enhanced the Android platform on the devices they offer to make them enterprise-ready. The more manageability a platform provides, the better the control an MDM solution has over those devices; conversely, the enforcement is only as strong as the platform’s management hooks, which is why root/jailbreak detection and continuous compliance reporting are usually paired with these policies. Administrators define the policies to be set on the device through an admin console, and the MDM solution pushes them to the target devices, where they take effect dynamically. Enterprises usually adopt different strategies to manage corporate-owned and personally-owned devices with an MDM solution. Policies typically applied under MDM include passcode enforcement, Wi-Fi restriction, application whitelisting, mandated VPN, storage encryption, etc. MDM plays a crucial role in managing CO (corporate-owned) devices.

MAM solution

MAM focuses on securing corporate data from unauthorised access and misuse. The data downloaded by enterprise apps on the mobile device is often available for offline access. Typically, an application management solution supports app-level policies like blocking screen capture, blocking the copying of on-screen data, encrypting offline data, etc, to ensure that the corporate data remains sandboxed and protected. These policies are configured through a corresponding admin console and are applied dynamically to the chosen enterprise apps. The user’s personal apps and data remain totally unaffected by the app-level policies. If a user leaves the firm or a device is lost, the enterprise administrator can wipe the enterprise app data (a selective or ‘enterprise’ wipe, as opposed to wiping the whole device), thereby securing corporate data without touching the user’s personal content. This solution is very important in the case of BYOD and COPE (corporate owned, personally enabled) devices.
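As an added illustration of the MDM versus MAM split described in the two sections above, the following Python evaluates a device against an ownership-aware policy and picks the remediation an admin console would trigger. This is example code written for this article, not part of any EMM product; the device fields, policy values, app names and action names are all constructed for the example.

```python
"""Ownership-aware compliance check (constructed example, not EMM product code).

Corporate-owned (CO) devices get the full device-level (MDM) policy and can be
wiped outright; BYOD/COPE devices only get the checks that protect the
enterprise container, and a lost one gets an enterprise wipe of managed apps.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    ownership: str                 # "CO" (corporate owned), "COPE" or "BYOD"
    passcode_set: bool
    storage_encrypted: bool
    wifi_ssid: str                 # network the device is currently on
    installed_apps: set = field(default_factory=set)
    lost: bool = False


# Device-level (MDM) policy: hypothetical values, applied in full only to CO devices.
MDM_POLICY = {
    "require_passcode": True,
    "require_storage_encryption": True,
    "allowed_wifi_ssids": {"corp-wifi"},
    "app_whitelist": {"corp-mail", "corp-docs", "corp-vpn"},
}

# Enterprise apps under app-level (MAM) control on personal devices (hypothetical names).
MANAGED_APPS = {"corp-mail", "corp-docs"}

# The two checks that still apply to a personal device, because they protect
# the enterprise container rather than the user's own apps and data.
CONTAINER_CHECKS = ("passcode not set", "storage not encrypted")


def mdm_violations(dev):
    """Every device-level policy the device currently breaks."""
    v = []
    if MDM_POLICY["require_passcode"] and not dev.passcode_set:
        v.append("passcode not set")
    if MDM_POLICY["require_storage_encryption"] and not dev.storage_encrypted:
        v.append("storage not encrypted")
    if dev.wifi_ssid not in MDM_POLICY["allowed_wifi_ssids"]:
        v.append(f"on non-corporate Wi-Fi '{dev.wifi_ssid}'")
    extra = dev.installed_apps - MDM_POLICY["app_whitelist"]
    if extra:
        v.append("non-whitelisted apps: " + ", ".join(sorted(extra)))
    return v


def evaluate(dev):
    """Return (violations, action) for one device.

    CO devices: full MDM policy, full device wipe if lost.
    BYOD/COPE devices: container checks only (Wi-Fi and personal apps are the
    user's business), enterprise wipe of managed apps if lost.
    """
    if dev.ownership == "CO":
        violations = mdm_violations(dev)
        wipe_action = "full device wipe"
    else:
        violations = [v for v in mdm_violations(dev) if v in CONTAINER_CHECKS]
        wipe_action = "enterprise wipe of " + ", ".join(sorted(MANAGED_APPS))
    if dev.lost:
        return violations, wipe_action
    if violations:
        # Typical continuous-compliance response: cut corporate e-mail until fixed.
        return violations, "block corporate e-mail until compliant"
    return violations, "allow"


if __name__ == "__main__":
    fleet = [
        Device("A1", "CO", True, True, "corp-wifi", {"corp-mail", "game"}),
        Device("B2", "BYOD", True, True, "home-wifi", {"corp-mail", "game"}),
        Device("B3", "BYOD", False, True, "home-wifi", set(), lost=True),
    ]
    for d in fleet:
        print(d.device_id, d.ownership, evaluate(d))
```

The same game app that makes the corporate device non-compliant is ignored on the personal device, and the lost personal device loses only its managed apps; that asymmetry is the whole reason MAM exists alongside MDM.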

MCM solutions

MCM takes care of securing the corporate content accessed and shared on devices in the form of files. It gives users a way to access, store and view documents from enterprise content repositories, while letting the administrator establish controls to protect this content from unauthorised and unsafe distribution. Controls usually deployed under this category include document encryption, access control rules on sharing, file sync policies, etc. IT managers use MCM to secure and manage corporate content across devices and platforms, while complying with the company standards set by the CIO. MCM is crucial on all devices to ensure secure and flawless collaboration among enterprise users. Commercial EMM suites each support their own set of features under these category heads. Some even provide add-ons related to network management, for example secure apps for browsing and personal information management. Let us now take a closer look at who the top players in the EMM space are.

Enterprise Mobility Management Players

There are innumerable EMM solutions out there, ranging from cloud-based to on-site deployment options. While the SaaS-based model is becoming the preferred choice in the industry, the EMM focal point is gradually shifting to data and unified endpoint management. As per Gartner’s ‘Magic Quadrant for EMM’ report 2014, the leaders in this space include AirWatch, MobileIron, Citrix, Good Technology and IBM. While each of these vendors provides a complete suite of EMM solutions from the technology perspective, they also lead in terms of overall revenue earned, compared to other vendors. A few companies have been listed under the ‘Visionaries’ category by Gartner, signifying that they offer some unique capabilities in certain aspects of EMM. These are SOTI, Symantec and Sophos. Let us take a look at the major features offered by one vendor from each of the categories mentioned above.

Features of AirWatch

It provides a flexible model for asset management, policy enforcement and the distribution of profiles, apps and content, based on device ownership. It supports containerisation of apps, which helps to standardise enterprise security and data loss prevention strategies. It provides real-time device details and continuous compliance monitoring to ensure that devices and corporate data stay secure. It integrates well with other enterprise solutions. AirWatch Secure Content Locker protects sensitive content in a corporate container and provides users with a central application to securely access the latest sales material, board books or financial reports from their mobile devices. It has advanced reporting and analytics, including expense management and BI-like reporting features. You can control which mobile devices access email, prevent data loss, encrypt sensitive data, enforce advanced compliance policies and allow users to easily sync email through the self-service portal. It supports native email clients, enterprise services and cloud-based clients, as well as its own clients. AirWatch Browser allows administrators to define and enforce secure browsing policies from the admin console. It also provides support for laptop management and multi-user management.

Features of SOTI

It supports remote diagnostics and troubleshooting anytime, anywhere, with the help of BlitFire 10X technology. It establishes a virtual fence to keep devices in a specific area, or to trigger a warning or action if they enter or exit the fence. It provides advanced Web-filtering technology that allows companies to enforce the responsible use of mobile devices. It provides desktop-grade anti-virus and malware protection to managed devices. Its secure content library integrates seamlessly with existing content management infrastructure to provide secure access to content. It supports the setting of thresholds and the management of wireless expenses, and prevents nasty surprises related to overshooting roaming budgets by sending timely alerts.

MobiControl gains extensive control over hardware and software features across managed devices, and provides security and protection for valuable enterprise data. It helps apply enterprise-wide policies or tailor policies to specific organisational needs. It helps ensure no device is left behind by alerting on, and taking action against, out-of-contact devices. It helps ensure responsible use of corporate voice minutes by whitelisting or blacklisting specific phone numbers for individual users or groups. MobiControl’s rich reporting capabilities allow companies to report on a wealth of live device data and generate meaningful insights.

The idea of a post-PC world is quickly becoming a reality. EMM is becoming necessary for any organisation that manages more than a handful of mobile devices. Assessing your company’s needs and accordingly choosing the right EMM solution is the key to achieving the expected return on investment (ROI) on an enterprise mobility solution.

By: Pooja Maheshwari

The author is an enterprise architect. She has been working in the software domain for more than 13 years, with wide exposure to the analysis, design and development of enterprise mobility solutions, mobility management solutions and Android-based custom device solutions for enterprises. She is currently involved in the challenges and opportunities linked to the applicability of mobility and cloud computing for enterprises in various verticals. She can be reached at pooja.a.maheshwari@iitbombay.org

Software engineering is one of the youngest branches of engineering: the study and application of engineering principles and methodologies to software development, with the aim of producing quality software products. In this series, the author will explore specific open source tools that are relevant to software engineering.

A long time back, I remember reading a popular white paper on software engineering. It compared software engineers to a cobbler’s barefoot children: “They make tools and applications that enable users in many domains to perform their work more effectively and efficiently, yet frequently, they do not use those tools themselves.” To some extent this remains true even today, because software product engineering still needs a lot of support from the tools point of view. Thanks to open source, we not only get the source code for development but also a bunch of tools to deliver high quality products.

The relevance of open source software engineering

Now, one may ask, “Why do we need such tools? What is the importance of following software engineering processes?” Well, the answer is simple. Based on experience, we know that building a product inside a lab and getting a momentary high is quite different from deploying a commercial-quality product to a customer who pays for it. In order to achieve the latter, project managers, product engineers, architects and quality professionals face multiple challenges. To a large extent, these challenges are overcome by implementing various processes and adopting lifecycles like Waterfall, Agile, etc. Each of these lifecycles defines engineering activities like requirement analysis, design, coding, customer demos, etc. These activities give software teams benchmarks that are repeatable, which builds quality into each cycle and ensures predictability in software delivery. Quality needs to be controlled and managed throughout the software development lifecycle, or it can lead to customer dissatisfaction or even major disasters when projects fail on a large scale. The schedule is another critical element that needs to be managed throughout the software development process. Innumerable organisations have released expensive tools to manage software products, but these are beyond the budget of startups and entrepreneurial ventures. Due to constantly


Figure 1: Waterfall and Agile models (Waterfall stages: Requirements, Design, Implementation, Verification, with documents and unverified code passed between stages; Agile: iterative cycles delivering working software)

Table 1: Functions and the open source tools that support them
Code and build: Gvim, Yocto, QEMU, LXR
Check code quality: Cppcheck, lcov, Codestriker, Sparse
Security and scalability: Wireshark, Phoronix Test Suite, Nmap
Qualification: Linux Test Project
Automation: CruiseControl, Autotest
Diagnostics: OProfile, Kprobes, LTTng
Project management: OpenProj, XPlanner
Defect tracking: Bugzilla
Team collaboration: Alfresco, MediaWiki

changing customer demands, fewer resources and shorter timelines, smaller organisations end up adopting an ad hoc approach to software product development. The concept of ‘perpetual beta’, which is often misunderstood as the engineering approach to product building, takes a back seat due to such challenges. While using open source software as source code is already popular, using open source tools to ‘engineer open source software products’ is not yet popular, or is relatively unknown to many in the engineering community. Along with the engineering approach, having a strong management framework for planning, controlling and monitoring software development is equally important. At every point of development, certain metrics or measurements need to be captured for monitoring, in order to drive improvements in software project teams. If you can’t measure, you can’t improve. Because of the cross-functional nature of software product development, information should flow seamlessly among team members. Rather than lengthy and formal communication methods, quick and easy-to-access communication and collaboration modes should be adopted. In short, the engineering approach, the management framework and the communication framework are the three critical elements of software product development today.

Fortunately, there are umpteen options available within open source itself that can help teams build great software products. From the engineers’ point of view, they may be involved in various activities like coding, code review, unit testing, defect fixing, estimation, etc, all of which are critical to delivering a quality product to the market. Having the necessary tools is important to ensure that quality is built into each of these activities. For example, for an engineer who has written 10K lines of C for an embedded system, answering the following questions is very important:
How can I ensure I am always building on a stable base of software?
How quickly will I come to know when I do a wrong code check-in?
How can I ensure my code does not have any major issues like memory leaks?
How can I ensure I am not missing any semantic aspects?
How do I author unit test cases and then automate them?
How do I ensure my unit testing covers the maximum lines of code I have written?
None of these can be left to an individual’s capability; they need to be systematically and meticulously tracked and followed up. By ensuring each of them is done to the best possible extent, the quality of the code itself will be high enough to prevent issues leaking into subsequent phases of software development. Open source has very simple and effective tools that both the engineering and the management communities can use to track the above list of actions. A snapshot of these tools, along with their functions, is provided in Table 1. Each of these tools, which is managed as an individual open source project, can be deployed at various stages of product development, yielding specific benefits. Since writing about each of these tools would become too lengthy, we have chosen a specific set of tools to cover in this series on open source software engineering. Each of them has been tried out and found to be very useful. On a concluding note, using open source tools in software engineering is not only cost effective but also very productive. We sincerely hope this series will help product engineers, product managers, product architects and entrepreneurs to build great software products that stand for long-lasting quality.

By: Jayakumar Balasubramanian

The author is a director at Emertxe Information Technologies (http://www.emertxe.com), and has been associated with building Linux-based products for over a decade. His interest lies in building innovative models around open source. He can be reached at b.jayakumar@emertxe.com.

Backing Up Data with FOSS Tools

Given that backing up data is an essential part of our digital activities, which tools would be best for the task? Naturally, our choice would be the open source variants! The author gives readers a choice of three such tools.

In a world of rapidly evolving technologies, data is everything. Organisations, and even individuals like you and me, are heavily dependent on data for our day-to-day work. System failures, corrupt hard drives, virus infections, etc, are a few of the causes of data loss. Protecting data from these hazards is not that difficult. An effective way to do so is to maintain a regular backup of data, which will ensure that at any given time you have at least one fail-safe copy of your data that you can rely upon. The tools discussed below have been chosen for their simplicity and as alternatives to advanced backup solutions.

Data backup terminology

There are certain terms related to data backup software that you should be familiar with, to help you understand the tools discussed below.
Synchronisation: Maintaining two or more copies of files and folders (data) at different locations, such that any change made to the data in one location is reflected in the others.
Mono-directional synchronisation: Synchronisation happens in one direction only, i.e., changes made in Location A are reflected in Location B but not vice versa.
Bi-directional synchronisation: Synchronisation happens in both directions; changes made in either location are reflected in the other.
Full backup: All files and folders are copied to the backup location, irrespective of whether they have changed or not. In a full backup, files are compressed and can be password protected.
Mirror backup: Identical to a full backup except that it makes a straight copy of the original location, without compression or password protection.
Incremental/update backup: Only the files created or modified after the last backup are copied.
Mirror (incremental) backup: As the name implies, a combination of a mirror and an incremental backup. It copies only the newly created or modified files to the backup location, without any compression or password protection.
Contribute: Only new files are copied to the backup location; files that already exist there are left untouched.
Schedule: A timetable for when a backup job runs. This can be daily, weekly, monthly, annually, etc. Once a schedule is set, the tool automatically starts the backup job at the defined interval.
With that out of the way, let us get down to exploring FOSS data backup tools.
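To make the synchronisation modes concrete, here is an added Python example (written for this article, not code from Duplicati, DirSync Pro or FreeFileSync) that runs a mono-directional sync from Dir A to Dir B in the three modes defined above and can first produce a dry-run plan. It also shows why the DirSync Pro note later in the article about starting with an empty destination matters: in mirror mode, anything in B that is not in A is deleted. The change test (size plus modification time) and the sample directory tree are the example’s own choices.

```python
"""Mono-directional sync in mirror, incremental and contribute modes.

Constructed example, not code from any of the tools discussed. Uses only
the standard library; the sample tree is built in a temporary directory.
"""
import os
import shutil
import tempfile

MODES = ("mirror", "incremental", "contribute")


def _changed(src, dst):
    """A file counts as modified when size or mtime differ: the cheap test
    most sync tools use by default (hashing is safer but much slower)."""
    s, d = os.stat(src), os.stat(dst)
    return s.st_size != d.st_size or int(s.st_mtime) != int(d.st_mtime)


def plan(dir_a, dir_b, mode):
    """Dry run: return the sorted list of (action, relative_path) a sync from
    A to B would perform, without touching either directory. Reviewing this
    before a mirror job is how you avoid deleting a destination by mistake."""
    if mode not in MODES:
        raise ValueError(f"unknown sync mode: {mode}")
    actions = []
    a_files = set()
    for root, _, files in os.walk(dir_a):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), dir_a)
            a_files.add(rel)
            src, dst = os.path.join(dir_a, rel), os.path.join(dir_b, rel)
            if not os.path.exists(dst):
                actions.append(("copy", rel))          # all three modes
            elif mode != "contribute" and _changed(src, dst):
                actions.append(("update", rel))        # mirror and incremental
    if mode == "mirror":
        for root, _, files in os.walk(dir_b):          # extraneous files in B
            for name in files:
                rel = os.path.relpath(os.path.join(root, name), dir_b)
                if rel not in a_files:
                    actions.append(("delete", rel))
    return sorted(actions)


def sync(dir_a, dir_b, mode):
    """Apply the plan. shutil.copy2 preserves mtime, so the next run's change
    test does not re-copy everything. Empty directories left behind by
    deletes are not removed."""
    actions = plan(dir_a, dir_b, mode)
    for action, rel in actions:
        src, dst = os.path.join(dir_a, rel), os.path.join(dir_b, rel)
        if action == "delete":
            os.remove(dst)
        else:
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
    return actions


def demo():
    """Build a constructed sample tree, plan all three modes against it,
    then run a mirror and return (plans, files remaining in B)."""
    base = tempfile.mkdtemp()
    a, b = os.path.join(base, "A"), os.path.join(base, "B")
    os.makedirs(os.path.join(a, "docs"))
    os.makedirs(b)
    with open(os.path.join(a, "docs", "report.txt"), "w") as f:
        f.write("new report")                 # only in A
    with open(os.path.join(a, "notes.txt"), "w") as f:
        f.write("notes")
    with open(os.path.join(b, "notes.txt"), "w") as f:
        f.write("old")                        # stale copy in B (size differs)
    with open(os.path.join(b, "leftover.txt"), "w") as f:
        f.write("only in B")                  # a mirror will delete this
    plans = {m: plan(a, b, m) for m in MODES}
    sync(a, b, "mirror")
    after = sorted(os.path.relpath(os.path.join(r, n), b)
                   for r, _, fs in os.walk(b) for n in fs)
    shutil.rmtree(base)
    return plans, after


if __name__ == "__main__":
    plans, after = demo()
    for mode in MODES:
        print(mode, plans[mode])
    print("B after mirror:", after)
```

Contribute copies only report.txt, incremental also refreshes the stale notes.txt, and only mirror deletes leftover.txt, which is exactly the behaviour that makes a mirror job dangerous when pointed at a non-empty directory.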

Duplicati

Developed by Kenneth Skovhede, Duplicati is a powerful, easy to use backup client. It is free, open source and feature-packed, and works on multiple platforms. The best thing about this tool is that it provides an option to back up data onto cloud storage.


Notable features

Supports remote and cloud-based storage
Password-protects and encrypts backups, using AES-256 or GNU Privacy Guard
Platform-agnostic
Built-in scheduler
Filters based on regular expressions

Getting the tool

Duplicati can be downloaded from https://code.google.com/p/duplicati/wiki/Downloads?tm=2. The download page lists 32-bit and 64-bit variants for Windows, and builds for other platforms. The current version, at the time of writing this article, is 1.3.4. For the purposes of this article, we will use the Windows version, but feel free to download and install the one appropriate for your system.

Figure 1: Backup storage options (for file-based backups)

Using the tool

Duplicati features an intuitive user interface and configuring it is a breeze. The following section will walk you through how to set up a simple backup (file and cloud) and how to restore files from that backup.

Setting up a backup

Follow the steps shown below to set up a backup.
Step 1: If you didn’t check the Launch Duplicati now option at the end of the installation, launch Duplicati via Start > All Programs > Duplicati.
Step 2: Since this is the first time you’re using the tool, select the Setup a new backup option in the welcome window and click Next.
Step 3: Give the backup a name. Optionally, you can also create a group and place the backup in it. For example, in the sample shown in Figure 1, the backup is named ‘Sample’ and is placed in the Critical group. This is helpful when you want to categorise your backups (e.g., Critical, Important, Normal, etc). Click Next once this is done.
Step 4: The next window allows you to select the folders to be backed up. By default, the tool selects My Documents and lets you pick its individual components. If you want to specify your own folder list, select the Custom folder list option, specify the folders (as shown in Figure 2) and click Next.
Step 5: In the next window, set a password for this backup and select the encryption method. For the purposes of this article, choose the AES-256 encryption, built-in option. Make sure that the Use these settings on new backups option is checked, so that any future backups use the same settings. Click Next once this is done. The GNU Privacy Guard, external option also encrypts the backup but requires you to install GNU Privacy Guard separately; it is free, open source encryption software that can be downloaded from http://gpg4win.org/download.html (for Windows). For other platforms, use http://www.gnupg.org/download/ to find the appropriate package. Choose a strong passphrase and keep a copy of it somewhere other than the machine being backed up: an encrypted backup cannot be restored without it.
As stated earlier, one of the good things about Duplicati is that it offers both file-based and cloud-based storage of backups, so Steps 6 and 7 differ based on your choice. The following text explains Steps 6 and 7 for both a file-based backup and a cloud-based backup (using Google Docs).
Step 6 (for file-based backup): In the Select a place to store the backups window, select the File based option and click Next.
Step 7 (for file-based backup): In the next window, set the path to the location in which you want to store the backup. This can be a local path or a network location. If you enter a network path that requires a separate set of credentials, make sure that the Use alternate credentials option is checked and the credentials are set in the respective fields. Alternatively, you can select the Removable disk option to store the backup on removable media such as a USB drive or a memory card, and select the desired disk from the drop-down box.

Figure 2: Select files to back up


Step 6 (for cloud-based backup): In the Select a place to store the backups window, select the Google Docs option and click Next.
Step 7 (for cloud-based backup): In the next window, enter the credentials for your Google Drive account and specify a Google Docs Collection name (a folder with this name will be created in Google Drive). Click Next once done and press Yes in the Test Connection window that pops up.
Step 8: In the Advanced Settings window, check the Select when and how often the backup should run option and leave the other options as they are. This is where the backup is scheduled at the desired frequency. Refer to Figure 3.
Step 9: In the next window, select the desired interval from the drop-down list, check/uncheck the Allowed days as per your requirements, and set the time of day when this backup should happen. For any frequency other than ‘Daily’, make sure the current day is checked in the Allowed days option. In the Full/Incremental Strategy section, select the Incremental, then full after this period option and select the month from the drop-down list. This setting tells the tool to perform incremental backups at the interval specified above and a full backup once every month.
Step 10: In the next window, check the Run backup now option and click Next. To check the status/progress of the backup, locate the Duplicati icon in the system tray and click on it.

Figure 3: Backup should run time selection

Restore

This section will take you through the steps for restoring a backup.
Step 1: Launch Duplicati via Start > All Programs > Duplicati.
Step 2: Select the Restore files from a backup option and click Next.
Step 3: In the next window, select the backup you want to restore.
Step 4: The next window lists all the available versions of the selected backup. Select the one you wish to restore and click Next.
Step 5: Set the path to restore the backup to. If you want to restore only selected files or folders, check the Restore only the items selected below option and select the desired files.
Step 6: Click Finish in the next window to start the restore process. The status window will automatically appear above the system tray.
Duplicati is a great tool for secure backups. A good collection of how-tos on other storage options like FTP, SSH, etc, is available at http://www.duplicati.com/howtos.

DirSync Pro

Figure 4: DirSync Pro console

Directory Synchronize Pro, developed by O Givi, is a Java-based file and folder synchronisation tool. It is light on system resources and does the job of data backups perfectly. It comes with a graphical interface that is user-friendly and easy to learn.

Notable features

Portable
Platform independent, as it is Java-based
Bi-directional and mono-directional synchronisation
Provides standard synchronisation modes (Incremental, Mirror, Contribute and Custom)
Users can set filters based on file names, file sizes, etc
Bundles a powerful scheduling engine

Getting the tool and installing it

DirSync Pro can be downloaded from http://www.dirsyncpro.org/download.html. The download page lists variants for different operating systems. The current version, at the time of writing this article, is 1.48. Download the tool and install it.

Using the tool

Since this is a file and folder synchronisation tool, setting up a backup or restore job simply means creating a mono-directional synchronisation job from one location to another.

First time backup

To create a backup for the first time, follow the steps given below:

Step 1: Open the tool by running DirSyncPro.exe.

Step 2: Once the console opens, you’ll notice that the tool has already created a sample job for you. You can either edit this job by clicking on the Edit button, or remove it by clicking on the Remove button and then create a new one by clicking on the New button.

Step 3: Click on the Edit button. In the Edit Job window, set the label for the job, set Dir A (the folder to back up) and Dir B (the folder where the backup should be stored; it can be a different partition, a USB drive or a network location), and set the Sync Mode. Since this is the first time, choose Backup A -> B (full). This ensures that all the files, folders and sub-folders in the selected directory are copied to the location specified in the Dir B field. Do not forget to check the Include sub folders check box. Please note that even though the name implies a ‘Full Backup’, it is actually a ‘Mirror Backup’.

Note: Before proceeding with the next step, make sure that the directory in which the backup will be stored is empty, or its contents will be deleted automatically.

Step 4: Press OK and click the Play button.

Step 5: Once the backup is complete, click on the Save Job Set button and save the current configuration. To add more jobs to the job set, simply click New and configure as explained in Step 3. Once all the jobs have been configured, click the Play button to execute.

Ongoing backups

Using the configuration file saved earlier, the task of daily backups becomes simple. All you need to do is open the configuration file and, for each of the jobs in the job set, modify the Sync Mode to Mirror A->B (incremental) and then execute by clicking the Play button. As explained earlier, the Mirror (incremental) function copies only the new and modified files to the backup location.

Scheduling backups

DirSync Pro comes with a scheduling engine, which enables users to schedule jobs at various intervals (once, every minute, every hour, daily, weekly, monthly, yearly, or a custom option). Unfortunately, it does not allow you to schedule the entire job set at once, so each job has to be scheduled individually. Follow these steps to schedule a job:

Step 1: Select a job and click on the Edit button.
Step 2: In the Edit window, click on the Schedule tab.
Step 3: Click on the New button.
Step 4: In the Schedule Options window, select the desired interval. Once an interval is selected, its corresponding tab gets enabled.
Step 5: Select the tab corresponding to the selected interval and configure the desired pattern.
Step 6: Press OK in the Schedule Options window, then press OK in the Edit Job window.

Restore

Creating a restore job is similar to creating the ongoing backup job. Open the configuration file and, for each of the jobs, modify the Sync Mode to Restore B -> A (full) for a full restore. Press OK and execute using the Play button. This will restore the entire data from the backup location to the original location.

DirSync Pro is a powerful tool and is a good alternative to high-end backup solutions. While users can get started with the tool using the above tutorial, more resources can be found at http://www.dirsyncpro.org/

FreeFileSync

FreeFileSync, developed by Zenju, is another free and open source file and folder synchronisation and comparison tool. It works on multiple platforms and can easily be used as data backup software. The graphical user interface is easy to navigate and simple to learn.

Notable features

Portable
Platform-agnostic
Bi-directional synchronisation
File comparison based on time, size and content
Easy to navigate user interface

Getting the tool

FreeFileSync is available for download at http://www.fosshub.com/FreeFileSync.html. The download page lists all the available variants. The current version, at the time of writing this article, is 6.3. For the purposes of this article, we will use the Windows version, but feel free to download and install the one appropriate for your system.

Installing the tool

Once the file is downloaded, execute it and proceed with the installation.

Using the tool

FreeFileSync is similar to DirSync Pro. Since both are file and folder synchronisation tools, setting up a backup or restore job simply means creating a mono-directional synchronisation job from one hard drive to another.

Table 1: Comparison of the three tools

| | DirSync Pro | FreeFileSync | Duplicati |
| Current version | 1.48 | 6.3 | 1.3.4 |
| Type | File and folder synchronisation | File and folder synchronisation | Backup client |
| OS supported | Windows, Mac and Linux | Windows, Mac and Linux | Windows, Mac and Linux |
| Types of backups supported | Synchronisation, Mirror, Incremental and Contribute | Two-way synchronisation, Mirror and Update | Full backup and incremental |
| Backup storage options | File-based | File-based | File- and cloud-based |
| Schedule engine | Yes | No | Yes |
| Backup security | Nil | Nil | Password protection and encryption |
| File comparison | No | Yes (based on file size, type or content) | No |
| Filters | Pre-defined (file type, size, date, path and attributes) | Pre-defined (file path and type) | Regular expression-based |

First time backup

To back up files for the first time, please follow the steps below:

Step 1: Open the tool by navigating to Start > All Programs > FreeFileSync.
Step 2: In the console, click on the green gear icon, select Mirror and click OK. Leave the other options intact.
Step 3: In the left Drag & Drop window, click the Browse button and navigate to the directory to be backed up. In the right Drag & Drop window, click the Browse button and navigate to the directory where the backup is to be stored. It can be a different partition, a USB drive or a network location.
Step 4: Click on Synchronize Mirror ->> (located in the top right corner of the console) and then on Start in the next window.
Step 5: Once the backup is finished, navigate to Program > Save to save the current settings.

www.OpenSourceForU.com  |  OPEN SOURCE For You  |  July 2014  |  85

Ongoing backups

An ongoing backup can be taken by slightly modifying the settings saved earlier. Step 1: Navigate to Program > Open and select the settings file (SyncSettings.ffs_gui) saved in the previous section. Step 2: Click the green gear icon, select Update -> and press OK. Follow Steps 4 and 5 as mentioned earlier.

No scheduler

Unfortunately, FreeFileSync doesn’t come with a schedule engine but it does support creating a batch file of the tasks, which can then be executed using any of the task planner tools. Add the tasks using the + icon located in the left Drag & Drop window and save them as a batch file using Program > Save as the batch job option. This batch file can then be used with any third party task planner tool to schedule the backup.

Restore

To do a full restore, swap the links in the Drag & Drop window using the Swap sides button for each of the tasks. Change the Synchronisation settings to Mirror ->> using the green gear button and follow Steps 4 and 5 as mentioned above. Though FreeFileSync comes with a limited feature set, it does the job of data backups just fine. Additional resources on FreeFileSync can be found at http://freefilesync.sourceforge.net/.

Figure 5: FreeFileSync console

Comparing the tools

Table 1 briefly compares the three tools. We cannot afford to lose our data. It should be well protected. This article is sufficient to get you started but if you just leave it at that, no purpose is served. Backing up data is a continuous process and not a one-time task. Doing it on a regular basis will maintain data in its most up-to-date form, and save you from the nightmare of data loss.
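Both tools’ Mirror modes are one-way and destructive: anything present in the destination but absent from the source is deleted, which is why the DirSync Pro note above insists that Dir B be empty before a first ‘full’ backup, and why a file deleted or corrupted in the source also disappears from the backup on the next incremental mirror run. The following Python script is an added example, not code from the article or from either project: it previews what a Mirror A -> B run would copy and delete, using the same size-plus-modification-time comparison an incremental mirror relies on, and it checks that the destination is empty before a first full backup. The directories it builds in build_demo_tree() are constructed sample data.

```python
"""Dry-run planner for a one-way mirror backup (Dir A -> Dir B).

Added example, not part of the article or of DirSync Pro / FreeFileSync:
lists what a mirror run would copy and, more importantly, delete from the
destination, so the destructive side of Mirror mode is visible before it runs.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class MirrorPlan:
    copy: list      # relative paths copied or overwritten in B
    delete: list    # relative paths removed from B because A lacks them
    unchanged: int  # files that already match (same size and mtime)


def _snapshot(root):
    """Map relative path -> (size, mtime seconds) for every file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            files[rel] = (st.st_size, int(st.st_mtime))
    return files


def plan_mirror(dir_a, dir_b):
    """Compute a Mirror A -> B plan the way an incremental mirror would:
    copy new or modified files, delete destination files missing from A."""
    a, b = _snapshot(dir_a), _snapshot(dir_b)
    copy = sorted(rel for rel, meta in a.items() if b.get(rel) != meta)
    delete = sorted(rel for rel in b if rel not in a)
    return MirrorPlan(copy, delete, len(a) - len(copy))


def safe_for_first_full_backup(dir_b):
    """A first 'full' mirror wipes whatever is already in B; require it empty."""
    return not _snapshot(dir_b)


def _write(path, text, mtime):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.utime(path, (mtime, mtime))


def build_demo_tree(base):
    """Constructed sample data: A holds three files, B holds a stale copy."""
    dir_a, dir_b = os.path.join(base, "A"), os.path.join(base, "B")
    t0 = 1_400_000_000
    _write(os.path.join(dir_a, "docs/report.txt"), "v2 of the report", t0 + 60)
    _write(os.path.join(dir_a, "docs/notes.txt"), "unchanged", t0)
    _write(os.path.join(dir_a, "photos/new.jpg"), "jpeg bytes", t0)
    _write(os.path.join(dir_b, "docs/report.txt"), "v1", t0)          # modified in A
    _write(os.path.join(dir_b, "docs/notes.txt"), "unchanged", t0)    # identical
    _write(os.path.join(dir_b, "old/obsolete.txt"), "only in B", t0)  # would be deleted
    return dir_a, dir_b


def demo():
    """Build the sample tree and return (plan, safe_for_first_full_backup)."""
    with tempfile.TemporaryDirectory() as base:
        dir_a, dir_b = build_demo_tree(base)
        return plan_mirror(dir_a, dir_b), safe_for_first_full_backup(dir_b)


if __name__ == "__main__":
    plan, first_ok = demo()
    print("would copy:  ", plan.copy)
    print("would delete:", plan.delete)
    print("unchanged:   ", plan.unchanged)
    print("destination empty, safe for first full backup:", first_ok)
```

Point plan_mirror() at the real Dir A and Dir B before running a job, and read the delete list carefully; swapping the two arguments gives the plan for Restore B -> A. Because deletions propagate on the next run, a mirror is a copy of the present state, not a history, and does not replace versioned or offline copies.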

By: Uday Mittal

The author is an open source enthusiast and likes to experiment with new technologies. He works in the field of information security and can be reached at mailme@udaymittal.com


For U & Me: Let’s Try

Explore Advanced Set Theory Concepts through Maxima

Maxima is a powerful free and open source Computer Algebra System (CAS) that is capable of combining symbolic, numerical and graphical entities. This is the 19th article in our mathematical journey through open source, in which we explore advanced set theory concepts through Maxima.

With the introduction to set theory fundamentals in the previous article in this series, we are all set to explore the advanced realms of set theory through Maxima.

More set operations

We have already worked out the basic set creation techniques and some basic set operations provided by Maxima. Here are some next-level set operations it provides:

makeset(expr, vars, varslist) – sophisticated set creation using expressions
adjoin(x, S) – returns a set with all elements of S and the element x
disjoin(x, S) – returns a set with all elements of S but without the element x
powerset(S) – returns the set of all subsets of S
subset(S, p) – returns the subset of S whose elements satisfy the predicate p
symmdifference(S1, S2) – returns the symmetric difference between the sets S1 and S2, i.e., the elements in S1 or S2 but not in both

And here is a demonstration of each one of these operations:

$ maxima -q
(%i1) makeset(a+b, [a, b], [[1, 2], [2, 3], [3, 4], [4, 5], [5, 6]]);
(%o1) {3, 5, 7, 9, 11}
(%i2) makeset(a-b, [a, b], [[1, 2], [2, 3], [3, 4], [4, 5], [5, 6]]);
(%o2) {- 1}
(%i3) makeset(a*b, [a, b], [[1, 2], [2, 3], [3, 4], [4, 5], [5, 6]]);
(%o3) {2, 6, 12, 20, 30}
(%i4) makeset(a + 2*a*b + b, [a, b], [[1, 2], [2, 3], [3, 4], [4, 5], [5, 6]]);
(%o4) {7, 17, 31, 49, 71}
(%i5) quit();

$ maxima -q
(%i1) S: {-4, 6, 7, 32, 0};
(%o1) {- 4, 0, 6, 7, 32}
(%i2) adjoin(3, S);
(%o2) {- 4, 0, 3, 6, 7, 32}
(%i3) adjoin(7, S);
(%o3) {- 4, 0, 6, 7, 32}
(%i4) S: adjoin(3, S); /* Updating S */
(%o4) {- 4, 0, 3, 6, 7, 32}
(%i5) adjoin(7, S);
(%o5) {- 4, 0, 3, 6, 7, 32}
(%i6) disjoin(7, S);
(%o6) {- 4, 0, 3, 6, 32}
(%i7) disjoin(5, S);
(%o7) {- 4, 0, 3, 6, 7, 32}
(%i8) quit();

$ maxima -q
(%i1) S: {-4, 0, 3, 6, 7, 32};
(%o1) {- 4, 0, 3, 6, 7, 32}
(%i2) S1: subset(S, evenp);
(%o2) {- 4, 0, 6, 32}
(%i3) powerset(S1);
(%o3) {{}, {- 4}, {- 4, 0}, {- 4, 0, 6}, {- 4, 0, 6, 32}, {- 4, 0, 32}, {- 4, 6}, {- 4, 6, 32}, {- 4, 32}, {0}, {0, 6}, {0, 6, 32}, {0, 32}, {6}, {6, 32}, {32}}
(%i4) S2: {-35, -26, 0, 7, 32, 100};
(%o4) {- 35, - 26, 0, 7, 32, 100}
(%i5) symmdifference(S1, S2);
(%o5) {- 35, - 26, - 4, 6, 7, 100}
(%i6) symmdifference(S, S2);
(%o6) {- 35, - 26, - 4, 3, 6, 100}
(%i7) quit();

Advanced set operations

With Maxima, much more than this can be done with sets, using the advanced functionality it provides. So now, let’s take a journey through it.

Cartesian product: Given ‘n’ sets, the function cartesian_product() returns a set of lists formed by the Cartesian product of the ‘n’ sets. The following demonstration explains what this means:

$ maxima -q
(%i1) cartesian_product({0, 1, 2}, {a, b, c});
(%o1) {[0, a], [0, b], [0, c], [1, a], [1, b], [1, c], [2, a], [2, b], [2, c]}
(%i2) cartesian_product({0, 1}, {a, b}, {X, Y});
(%o2) {[0, a, X], [0, a, Y], [0, b, X], [0, b, Y], [1, a, X], [1, a, Y], [1, b, X], [1, b, Y]}
(%i3) cartesian_product({0, 1}, {a, b, c});
(%o3) {[0, a], [0, b], [0, c], [1, a], [1, b], [1, c]}
(%i4) quit();

Set partitions: Given a set S, it can be partitioned into various subsets, based on various mathematical principles. Maxima provides a host of functions for such partitioning, the basic one being set_partitions(). It returns a set of all possible partitions of the given set. With a number as the second argument, it gives only the partitions with that exact number of sets in each partition. Shown below are some examples to make sense of this concept:

$ maxima -q
(%i1) S: {a, b, c};
(%o1) {a, b, c}
(%i2) set_partitions(S);
(%o2) {{{a}, {b}, {c}}, {{a}, {b, c}}, {{a, b}, {c}}, {{a, b, c}}, {{a, c}, {b}}}
(%i3) set_partitions(S, 1);
(%o3) {{{a, b, c}}}
(%i4) set_partitions(S, 2);
(%o4) {{{a}, {b, c}}, {{a, b}, {c}}, {{a, c}, {b}}}
(%i5) set_partitions(S, 3);
(%o5) {{{a}, {b}, {c}}}
(%i6) set_partitions(S, 4);
(%o6) {}
(%i7) belln(3);
(%o7) 5
(%i8) cardinality(set_partitions(S)); /* Number of elements */
(%o8) 5
(%i9) belln(4);
(%o9) 15
(%i10) belln(5);
(%o10) 52
(%i11) belln(6);
(%o11) 203
(%i12) quit();

In the above examples, belln(n), the nth Bell number, is the number of partitions of a set with ‘n’ members. integer_partitions(n) is a specific function, which partitions a given positive integer ‘n’ into a set of positive integers, the sum of which adds up to the original integer. num_partitions(n) returns the number of such partitions returned by integer_partitions(n). Examples follow:

$ maxima -q
(%i1) integer_partitions(1);
(%o1) {[1]}
(%i2) num_partitions(1);
(%o2) 1
(%i3) integer_partitions(2);
(%o3) {[1, 1], [2]}
(%i4) num_partitions(2);
(%o4) 2
(%i5) integer_partitions(3);
(%o5) {[1, 1, 1], [2, 1], [3]}
(%i6) num_partitions(3);
(%o6) 3
(%i7) integer_partitions(4);
(%o7) {[1, 1, 1, 1], [2, 1, 1], [2, 2], [3, 1], [4]}
(%i8) num_partitions(4);
(%o8) 5
(%i9) integer_partitions(0);
(%o9) {[]}
(%i10) num_partitions(0);
(%o10) 1
(%i11) integer_partitions(5, 1);
(%o11) {[5]}
(%i12) integer_partitions(5, 2);
(%o12) {[3, 2], [4, 1], [5, 0]}
(%i13) integer_partitions(5, 3);
(%o13) {[2, 2, 1], [3, 1, 1], [3, 2, 0], [4, 1, 0], [5, 0, 0]}
(%i14) integer_partitions(5, 4);
(%o14) {[2, 1, 1, 1], [2, 2, 1, 0], [3, 1, 1, 0], [3, 2, 0, 0], [4, 1, 0, 0], [5, 0, 0, 0]}
(%i15) integer_partitions(5, 5);
(%o15) {[1, 1, 1, 1, 1], [2, 1, 1, 1, 0], [2, 2, 1, 0, 0], [3, 1, 1, 0, 0], [3, 2, 0, 0, 0], [4, 1, 0, 0, 0], [5, 0, 0, 0, 0]}
(%i16) num_partitions(5);
(%o16) 7
(%i17) num_distinct_partitions(5);
(%o17) 3
(%i18) quit();

Note that like set_partitions(), integer_partitions() also takes an optional second argument, limiting the partitions to partitions of cardinality equal to that number. However, note that all smaller-sized partitions are made equal to the corresponding size by adding the required number of zeroes. Also, num_distinct_partitions(n) returns the number of distinct integer partitions of ‘n’, i.e., the integer partitions of ‘n’ with only distinct integers.

Another powerful partitioning function is equiv_classes(S, r), which returns a partition of S, elements of which satisfy the binary relation ‘r’. Here are a few examples:

$ maxima -q
(%i1) equiv_classes({0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, lambda([x, y], remainder(x - y, 2) = 0));
(%o1) {{0, 2, 4, 6, 8, 10}, {1, 3, 5, 7, 9}}
(%i2) equiv_classes({0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, lambda([x, y], remainder(x - y, 3) = 0));
(%o2) {{0, 3, 6, 9}, {1, 4, 7, 10}, {2, 5, 8}}
(%i3) equiv_classes({0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, lambda([x, y], remainder(x - y, 5) = 0));
(%o3) {{0, 5, 10}, {1, 6}, {2, 7}, {3, 8}, {4, 9}}
(%i4) equiv_classes({0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, lambda([x, y], remainder(x - y, 6) = 0));
(%o4) {{0, 6}, {1, 7}, {2, 8}, {3, 9}, {4, 10}, {5}}
(%i5) equiv_classes({1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, lambda([x, y], remainder(x, y) = 0));
(%o5) {{1, 2, 4, 8}, {3, 6}, {5, 10}, {7}, {9}}
(%i6) quit();

Notice the relation being defined using lambda for the property of divisibility by 2, 3, 5, 6, and among the set elements themselves, respectively. A closely related function partition_set(S, p) partitions S into two sets, one with elements satisfying the predicate ‘p’, and the other not satisfying the predicate ‘p’. A small demonstration follows:

$ maxima -q
(%i1) partition_set({-1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19, 26, 37, 100}, primep);
(%o1) [{- 1, 0, 1, 4, 6, 8, 9, 10, 26, 100}, {2, 3, 5, 7, 11, 19, 37}]
(%i2) quit();

Miscellaneous: And, finally, let’s look at some general but mathematically interesting operations:

divisors(n) – returns the set of positive divisors of ‘n’
permutations(S) – returns the set of all permutations of the elements of S
random_permutation(S) – returns one of the elements of permutations(S), randomly
extremal_subset(S, f, max | min) – returns the subset of S for which the value of the function ‘f’ is maximum or minimum

A demonstration of all the functions mentioned above follows:

$ maxima -q
(%i1) divisors(9);
(%o1) {1, 3, 9}
(%i2) divisors(28);
(%o2) {1, 2, 4, 7, 14, 28}
(%i3) permutations({a, b, c});
(%o3) {[a, b, c], [a, c, b], [b, a, c], [b, c, a], [c, a, b], [c, b, a]}
(%i4) random_permutation({a, b, c});
(%o4) [c, b, a]
(%i5) random_permutation({a, b, c});
(%o5) [c, a, b]
(%i6) random_permutation({a, b, c});
(%o6) [b, c, a]
(%i7) extremal_subset({-5, -3, -1, 0, 1, 2, 3, 4, 5}, lambda([x], x*x), max);
(%o7) {- 5, 5}
(%i8) extremal_subset({-5, -3, -1, 0, 1, 2, 3, 4, 5}, lambda([x], x*x), min);
(%o8) {0}
(%i9) quit();
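To make the partitioning functions above concrete, here is a Python re-implementation of set_partitions(), belln(), integer_partitions() (with the zero-padding rule for the optional size argument), num_partitions(), num_distinct_partitions(), equiv_classes() and partition_set(). It is an added example, not code from the article or from Maxima; the function names are chosen to mirror Maxima’s, and it generalises the sessions above in that it works for any set or integer, so its results can be checked against the outputs printed above (for instance belln(6) = 203 and integer_partitions(5, 3)). In equiv_classes(), each new element is compared with the most recently added member of each existing class; for a true equivalence relation any member would do, and this choice also reproduces the {{1, 2, 4, 8}, {3, 6}, {5, 10}, {7}, {9}} result for the divisibility relation above, which is not symmetric.

```python
"""Python re-implementations of the Maxima partitioning functions used above.

Added example, not code from the article or from Maxima. Names mirror Maxima's;
sets are frozensets and integer partitions are tuples, so every result is
hashable and deterministic and can be compared with the Maxima output.
"""
from functools import lru_cache
from math import comb


def set_partitions(s, k=None):
    """All partitions of s into non-empty blocks; with k, exactly k blocks."""
    items = sorted(s)

    def rec(i, blocks):
        if i == len(items):
            yield frozenset(frozenset(b) for b in blocks)
            return
        x = items[i]
        for b in blocks:              # place x in an existing block ...
            b.append(x)
            yield from rec(i + 1, blocks)
            b.pop()
        blocks.append([x])            # ... or open a new block for it
        yield from rec(i + 1, blocks)
        blocks.pop()

    parts = set(rec(0, []))
    return parts if k is None else {p for p in parts if len(p) == k}


@lru_cache(maxsize=None)
def belln(n):
    """n-th Bell number: the number of partitions of an n-element set."""
    if n == 0:
        return 1
    return sum(comb(n - 1, i) * belln(i) for i in range(n))


def integer_partitions(n, k=None):
    """Partitions of n as non-increasing tuples of positive parts; with k,
    only those with at most k parts, zero-padded to length k as Maxima does."""
    def rec(remaining, largest):
        if remaining == 0:
            yield ()
            return
        for first in range(min(remaining, largest), 0, -1):
            for rest in rec(remaining - first, first):
                yield (first,) + rest

    parts = set(rec(n, n))
    if k is not None:
        parts = {p + (0,) * (k - len(p)) for p in parts if len(p) <= k}
    return parts


def num_partitions(n):
    return len(integer_partitions(n))


def num_distinct_partitions(n):
    """Partitions of n whose parts are all different."""
    return sum(1 for p in integer_partitions(n) if len(set(p)) == len(p))


def equiv_classes(s, r):
    """Group s by the binary relation r(x, y): each new element joins the first
    class whose most recently added member satisfies r, else starts a class."""
    classes = []  # each class is a list, newest member last
    for x in sorted(s):
        for cls in classes:
            if r(x, cls[-1]):
                cls.append(x)
                break
        else:
            classes.append([x])
    return frozenset(frozenset(c) for c in classes)


def partition_set(s, p):
    """Same order as Maxima: (elements failing p, elements satisfying p)."""
    return (frozenset(x for x in s if not p(x)), frozenset(x for x in s if p(x)))


def primep(n):
    """Trial-division primality test, enough for the small sets used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


if __name__ == "__main__":
    S = {"a", "b", "c"}
    print(len(set_partitions(S)), belln(3))        # both 5, as in (%o7)/(%o8)
    print(sorted(integer_partitions(5, 3)))        # matches (%o13)
    print(equiv_classes(range(1, 11), lambda x, y: x % y == 0))
```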

By: Anil Kumar Pugalia

The author is a gold medallist from NIT Warangal and IISc Bengaluru. Mathematics and knowledge-sharing are two of his many passions. He can be reached at email@sarika-pugs.com.

For U & Me: How To

Embed Your PC on a USB and Plug it into Any System!

If you wish to enjoy the convenience of your own desktop even while on the move, this is just the article for you. Learn how to embed your PC on a USB stick, so that it can be used anywhere and on any desktop or laptop.

Did you ever wish you could carry your PC, desktop or OS in your pocket and run it anywhere? This is now possible! You can create or install a full Linux desktop (OS) on your USB stick. This pocket Linux desktop also saves its state, which means that all your files will be saved on the USB for you to carry along. In other words, you will be able to view your desktop exactly the way you left it the last time. The biggest advantage is that you can insert your USB PC into any modern laptop or computer to launch, reboot and enter your ‘personal PC’. This is especially useful when you are visiting friends or travelling abroad and don’t want to carry your laptop (carrying around a computer is obviously not even an option). All you need is your USB PC in your pocket!

The pre-requisites are:
1. One USB stick of a size that you can choose (I use a 16 GB Sony 3.0 USB for a reliable and fast response).
2. Temporary USB (4 GB). I used an 8 GB Sandisk USB for this experiment.
3. The latest Ubuntu ISO from the following link: http://www.ubuntu.com/download/desktop (I chose 64-bit Ubuntu 14.04 LTS because I have 64-bit hardware computers and a laptop, but you can choose the 32-bit option too).
4. Linux installer: I used Startup USB Creator, which is available on Ubuntu Desktop, but if you have Windows, you can use http://unetbootin.sourceforge.net/

Figure 1: Installing Ubuntu on USB

Figure 2: Boot option


The procedure

Step 1: First download the latest Ubuntu ISO from the location mentioned in pre-requisite number 3. Use a Linux installer to install the downloaded Ubuntu onto the temporary Sandisk USB (see Figure 1). Though this gives you a live Ubuntu desktop, it’s not good enough as it’s a trial version and asks for the Trial/Install option every time you use it. While installing the temporary OS, you may be asked to input your sudo password. This step is essential to do a permanent install of the Linux/Ubuntu desktop onto the other USB (Sony 16 GB). In just a few minutes, the temporary OS installation will be completed. The temporary OS is now installed on the Sandisk 8 GB USB.

Step 2: Insert the Sandisk USB into the laptop or computer and reboot. While rebooting, press F12 (or a similar key) to boot from the USB. For many laptops, you need to press F12 to boot from the USB; on some hardware, pressing the Shift+Del keys works. Use Google to find out the USB boot key if your hardware does not boot from the USB with these keys.

Step 3: You will see a few options after rebooting. Choose the option seen in Figure 2, and then hit Enter. From this step onward, the procedure followed is a technique that I have developed for embedding a personal PC into a USB; so you probably will not find this anywhere on the Internet.

Step 4: Keep hitting the Continue button when you see screens like those shown in Figures 3 and 4. Continue till you see the Installation Type screen.

Step 5: This is a critical step. Choose the option that can be seen in Figure 5. Please do not make any mistakes here, or you could lose the contents of the laptop or computer on which you are running this step.

Step 6: Create two partitions on your Sony USB. The first one is ext4 and the second is swap. See Figure 6. Please ensure that you select the Sony USB for ‘Device for boot loader installation’ and select the Sony USB ext4 partition before clicking the Install Now button.

Step 7: Follow the usual steps of installation by clicking Continue/Next. See Figures 7 and 8.

Step 8: When asked about user creation, input details similar to what is seen in Figure 9.

Step 9: Follow the other screens by clicking Continue/Next till you see Figure 10.

Congratulations! You now have your OS ready to be carried around in your pocket, ready to be run anywhere! You can insert your USB PC into any computer or laptop and do a USB boot (remember, you need to press F12 or a similar key to boot from the USB). You will see the screen shown in Figure 11 when you log in. You can install any software from the Ubuntu Software Centre and it will be available in your USB PC, no matter where you run it.

One important point to note is that you should choose 32-bit Ubuntu (as mentioned in pre-requisite number 3) if you intend to use your USB PC on any hardware. The 64-bit version will work only when you run it on 64-bit hardware (laptops or PCs). And if you decide to choose the 64-bit option, then during embedding (Step 2), you should use a 64-bit laptop or PC.

Figure 3: Welcome screen
Figure 4: Preparing to install
Figure 5: Installation type
Figure 6: Creating partitions
Figure 7: Location options
Figure 8: Copying installation files
Figure 9: Creating a user
Figure 10: The installation is complete!
Figure 11: The first screen
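Step 1 starts from a downloaded ISO that is written to the temporary stick and then installed as the permanent system, so a corrupted or altered download is carried straight into the USB PC. Ubuntu publishes a SHA256SUMS file alongside each ISO; the following Python script is an added check that is not part of the article’s procedure: it parses that file and compares the ISO’s SHA-256 digest against it before anything is written to a stick. The ISO and SHA256SUMS that demo() creates are constructed stand-ins, and the file names in it are placeholders.

```python
"""Verify a downloaded ISO against a SHA256SUMS file before writing it to USB.

Added check, not part of the article's procedure. The SHA256SUMS format is the
one produced by sha256sum: '<64 hex digits> *<file>' (binary mode) or
'<64 hex digits>  <file>'.
"""
import hashlib
import os
import tempfile


def parse_sha256sums(text):
    """Map file name -> lowercase hex digest for every valid line."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path, sums_path):
    """Return (ok, reason); ok is True only on an exact digest match."""
    with open(sums_path, encoding="utf-8") as fh:
        sums = parse_sha256sums(fh.read())
    name = os.path.basename(iso_path)
    if name not in sums:
        return False, f"{name} is not listed in {os.path.basename(sums_path)}"
    actual = sha256_of_file(iso_path)
    if actual != sums[name]:
        return False, f"digest mismatch: expected {sums[name]}, got {actual}"
    return True, "digest matches"


def demo():
    """Constructed stand-ins for the real ISO and SHA256SUMS (placeholder names).
    Returns (result for the intact file, result after one byte is altered)."""
    payload = b"not a real iso, just constructed sample bytes\n" * 1000
    with tempfile.TemporaryDirectory() as base:
        iso = os.path.join(base, "ubuntu-14.04-desktop-amd64.iso")  # placeholder
        with open(iso, "wb") as fh:
            fh.write(payload)
        sums = os.path.join(base, "SHA256SUMS")
        with open(sums, "w", encoding="utf-8") as fh:
            fh.write(hashlib.sha256(payload).hexdigest() + " *ubuntu-14.04-desktop-amd64.iso\n")
            fh.write("0" * 64 + " *ubuntu-14.04-desktop-i386.iso\n")  # unrelated entry
        intact_ok, _ = verify_iso(iso, sums)
        with open(iso, "r+b") as fh:     # flip one byte: the check must now fail
            fh.seek(10)
            fh.write(b"X")
        altered_ok, reason = verify_iso(iso, sums)
        return intact_ok, altered_ok, reason


if __name__ == "__main__":
    print(demo())
```

Call verify_iso() with the real paths before Step 1 and stop if it reports anything other than a match. Fetch SHA256SUMS from the same official download page over HTTPS (Ubuntu also publishes a detached GPG signature for it); a digest file copied alongside the ISO from an untrusted share proves nothing.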

By: Rajesh Gheware

The author works as a lead solutions architect for a multinational bank. He maintains his personal blog at http://rajeshg.info and can be reached at rajeshgheware@gmail.com.



For U & Me: Open Biz

For Cash-Strapped Start-Ups, Open Source Technology is a Boon

Open source technology is not just about an economical solution but also about freedom, flexibility and a lot more. Sparsha Learning Technologies is making it big in the education space, courtesy open source technology. Diksha P Gupta from Open Source For You spoke to Debabrata Bagchi, founder, Sparsha, about how open source software proved to be a boon for this venture.

Debabrata Bagchi, founder, Sparsha Learning Technologies

A successful start-up is all about having a great idea and backing that with the right technology. Sparsha Learning Technologies is one of the finest examples of an idea being transformed into reality with open source software. Sparsha Learning Technologies is a technology startup headquartered at IIT, Kharagpur, and has an extended R&D centre at PESIT CORI (Crucible of Research and Innovation), Bengaluru. Sparsha provides technology solutions to create active learning content and integrate it in existing learning solutions. Talking about his start-up, Debabrata Bagchi, founder, Sparsha Learning Technologies, says, “The instructional methodologies of Sparsha Learning Technologies are based on a central philosophy of ‘learning-by-doing’. Sparsha designs products for the engineering curriculum using simulation-based learning, which combines cutting-edge technology with the social aspect of human interaction to create significantly more interesting and engaging learning experiences. We have two products built using open source technology: Electronics Virtual Labs - DoCircuits (www.docircuits.com) and Programming Virtual Labs - Coderipe (www.coderipe.com).”

For both these products, the base platforms and technologies used are open source. Bagchi adds, “DoCircuits and Coderipe are cloud-based products and are based on the LAMP architecture, components of which are entirely open source.”

The team at Sparsha is very clear about why it chose open source technologies. Bagchi explains, “Today, open source technologies have matured well enough to be used in production environments. They are more cost effective and, most importantly, the licensing models are open and flexible. For a start-up with limited capital and a fast runaway, using open source platforms makes more sense than proprietary solutions.”

Sparsha has made complete use of open source technologies and is trying to promote OSS in sectors like higher education, online learning, e-learning, publishing and the hobbyist market. Within these industries, the company deals with engineering colleges, textbook publishers, test and measurement companies, training companies, MOOC publishers, etc. For all those who believe that cost is the main factor behind start-ups like Sparsha choosing open source technology, here’s a disclaimer from Bagchi. He says, “With open source technologies, one gets the convenience of easier on-premise deployments. Also, since there are no licensing restrictions involved, life gets a whole lot easier. Of course, affordability is the cherry on the cake and leads to better pricing of the end products for our customers.”

If you are wondering about the challenges involved in the process, Bagchi confidently shares that there were none. He explains, “I have a great comfort level with open source technology. I know, for sure, that I have the controls in my hands. And also, if I am stuck somewhere, community support is something I can bank upon. Popular open source projects have a vibrant community around them. And there is a lot of help available from these communities for users struggling with issues.”

To be continued on page 95...


For U & Me: Open Strategy

Motorola Bets on Pure Android for its Smartphones

Motorola recently launched the Moto E smartphone, which has received a tremendous positive response in the market. The smartphone went out of stock in less than 24 hours after it was launched exclusively on the e-commerce portal Flipkart. Prasid Banerjee from Open Source For You, who was at the launch, had a chat with Punit Soni, vice president, Product Management for Motorola, about the company’s open source strategy.

Punit Soni, vice president, Product Management for Motorola

Motorola has taken the smartphone universe by storm with three of its most recently launched smartphones—the Moto X, Moto G and Moto E. The company has been following a combination of running pure Android along with state-of-the-art engineering to bring out devices that are cheap, yet powerful, and high on features compared to their competitors. But Motorola has repeatedly refused to do its own customisation to the Android OS, maintaining that pure Android is the best way to go. So does this mean Motorola has no open source aspirations of its own? Apparently not.

Motorola and openness

According to Soni, “I think, in general, being open is better. Opening our platform so that people can take advantage of it is better and it’s in line with our overall strategy. We haven’t done it yet because we’re still building ourselves up.” Soni explained that for things like touchless control and active notifications (both defining features of the company’s flagship Moto X smartphone), it is better to get developers involved. But the company’s focus right now is to deliver a good product rather than sell it in large numbers. So while the company is considering the option of going open, it doesn’t think that this is the right time to do so. Soni did not, however, rule out the possibility of Motorola launching its own open source initiatives in the future. Knowing Motorola, the chances of this happening could be high, considering that the company’s Rhomobile Suite for enterprise mobility is pretty well known. This is an application development platform that allows you to build applications that run on all kinds of devices, irrespective of the type of the device, its screen size or what operating system it runs on. Not only does it help with developing apps for use within the enterprise, but it also addresses a wider user base. The company already enjoys partnerships with big names like Cognizant, Cell Software, Tata Consultancy Services, and many others. Motorola also has the Mx suite of enterprise features and the Enterprise Development Kit (EMDK) for Android, which are available to the developer community.

Connecting with developers

Motorola has already announced the dates for its AppForum event for this year. The event is into its fifth edition and hosts three days of developer-oriented activities for those developing apps for the enterprise segment. A free-to-attend technical seminar will be held in the United Kingdom in July, apart from monthly webinars for developers, where experts from Motorola Solutions discuss various relevant topics to help developers in their work. It is evident that the company has a number of developer initiatives. Unlike other original equipment manufacturers (OEMs), Motorola currently doesn’t have its own platform. But Soni said that while layering on Android and adding UIs was pretty useless, Motorola would, sometime in the future (subject to conditions), consider developing its own platform. Right now, Motorola is focusing on delivering good products at a more than affordable price. The company made a killing in both foreign and domestic markets with the Moto G, and now its Moto E, in all probability, has already overtaken the G in terms of the number of units sold. If you use any of the three latest Motorola smartphones, you will be aware that the company doesn’t simply put pure Android into its devices. Motorola has been bringing out its own apps based on what its customers want. With the Moto X and Moto G, the company had showcased the Motorola Assist app, which recognises what you are doing and sets up your phone accordingly. This includes a driving mode that reads your text messages or plays music automatically, a feature that allows only important calls after working hours, and so on. Although Assist has been downloaded by over 5 million users, it still has some issues that the company needs to iron out.

Apps that matter

At the launch event for the Moto E, the company showcased another of its apps—the Moto Alert app, which provides emergency services. This app lets you periodically notify your near and dear ones of your whereabouts to enable them to help you if necessary. You can set your locations as ‘home’, ‘work’, ‘school’, etc. In addition, the app also lets you trigger an alarm or automatically call your emergency contacts. You can also press the lock button five times to trigger an alarm on your phone. This app has received quite a few positive reviews from users. Previously owned by Google, Motorola has been sold to Chinese PC giant Lenovo, recently. The complete process of acquisition should be over by the end of the year. Motorola, though, has been on a mission to regain its share in the smartphone market. The company has repeatedly talked about how important the Indian market is for it, and with both the Moto G and Moto E doing well, this has been a good start for the firm. While it is still setting up its business in the country, the current partnership with Flipkart seems to be working well for Motorola. Soni said that Motorola’s focus right now is to set up its base in India, and the makers of the first mobile phone seem to be doing that well. This was also confirmed by Magnus Ahlqvist, corporate vice president for EMEA and APAC, Motorola. Whether Motorola will have open source initiatives for its smartphones in the future remains to be seen. But like we said earlier, there’s a good chance that it will. Soni did not rule out the possibility but the company is understandably focusing more on rebuilding its base in India rather than on developer initiatives. Pure Android is working for the firm at the moment. The Moto Assist and Moto Alert apps may lead to a lot more.

Continued from page 93...

Since open source is no more an alien phenomenon, the level of acceptance is far greater than what it may have been ten years ago. Bagchi says, “I think, today, almost everyone understands and acknowledges the advantages that open source technology brings with it. There is enough awareness, so we don’t have those issues coming our way so frequently. However, if any of our clients are not aware of the benefits offered by open source, we explain them at length, to propagate our product and philosophy. Some of the clients do raise questions on licensing issues, and we help them by providing licensing details in the Service Legal Agreement and End User Licence Agreement when we work with them. Also, since we sell products based on open source frameworks, rather than the open source frameworks themselves, things are not so challenging for us.”

For many operating in the open source space, getting the right kind of talent can be quite a task. But things are radically different for Sparsha. Bagchi claims that getting the right kind of talent was never a struggle for him. “In fact, due to the fact that we use open source technologies, it’s much easier to get the right talent. Today, enterprising, young, talented men and women work and create their portfolio using open source technologies. They write blogs, etc; so, it’s much easier to locate and get them on board.”

The company chooses some innovative ways of reaching out to the desired candidates prior to hiring. Bagchi elaborates, “We organise coding hackathons and contests using our tool Coderipe (www.coderipe.com), and select those who do well for the face-to-face interviews. In some cases, we have taken the help of recruitment agencies as well.” Sparsha goes in for both lateral and fresh hiring. For R&D work, it primarily chooses freshers. For senior management roles, the firm does lateral hiring.

Tip for open source businesses

Today, there are a number of ‘marketplaces’ for known open source technologies, where a developer can make money. For example, if you are great at Twitter Bootstrap, then there are awesome marketplaces online where you can advertise and market your bootstrap themes, and have the right audience buy them. Developers have made tens of thousands of dollars in these marketplaces.


For U & Me

Overview

The Best Open Source Storage Solutions: An Overview Millions of bytes of data are being generated every moment, every day, around the world, and this volume will only increase in the future. The storage of all these bytes has become a challenge. Simple storage is no longer enough—the data that is stored has to be safe, secure and retrievable. Of the many data storage solutions available today, this article evaluates the best open source storage solutions.

Digital storage needs are increasing rapidly. According to IDC, there will be 40 zettabytes of data in the digital universe by 2020. The open source community has developed a number of products to assist users to store, secure and manage all that data. Open source software-defined storage provides the benefits of open source tools and the benefits of massive economies of scale by running the products on commodity hardware. The end result is scalable, agile, easily manageable, and loosely coupled environments for unstructured data storage. Software-defined storage brings the power of virtualisation to data storage. It allows organisations to abstract and pool storage capacity, as well as compute and networking resources, across on-premise and cloud environments. Here is an overview of nine open source storage solutions that are considered top-of-the-line today.

Gluster: A NAS/SAN solution

Gluster is an open source and general-purpose distributed file system that aggregates storage exports over the network to provide a single unified namespace. It is written in C, with a GPLv3 licence and access APIs - libglusterfs and FUSE. It pools storage servers over TCP/IP or InfiniBand Remote Direct Memory Access, which allows rapid provisioning of additional storage based on storage requirements. It can be used with low-cost commodity computers. Some of the popular uses of GlusterFS are in: unstructured data storage, virtual machine image storage, archiving, disaster recovery, cloud storage for service providers, semi-structured and structured data, Big Data, content delivery and streaming media. It is very suitable for unstructured data such as audio and video files, images, documents and log files. Gluster’s open source community develops GlusterFS and related products. GlusterFS is based on the following concepts:

- Trusted Storage Pool: a collection of storage servers that work as a logical partition for all data and management operations
- Brick: the combination of a node and an export directory
- Volume: a mountable entity and logical collection of bricks



Figure 1: FreeNAS

Figure 2: OpenFiler

Features

- Automatic failover without a centralised metadata server
- Layered approach to the file system, where features are added or removed on demand
- Disk file systems such as ext3, ext4, xfs, etc, are supported to store the data
- Can scale up to petabytes of storage
- Distributed geo-replication
- File snapshots
- Compression translator

It provides snapshot support, deduplication, a removable log device, etc.

FreeNAS: A NAS/SAN solution

FreeNAS is a FreeBSD-based operating system for network attached storage. It comes with an easy-to-use Web UI. NAS-oriented open source storage distributions of Linux and FreeBSD include FreeNAS, Gluster, Openfiler, etc, which can be connected and configured using a Web browser. It is released under a BSD licence. The FreeNAS Project was initially founded by Olivier Cochard-Labbe in 2005. It was PHP-based, easy to use and was based on an embedded firewall (also based on FreeBSD). FreeNAS can run from a USB disk or virtual machine. It is distributed as an ISO image. FreeNAS is available for both 32-bit and 64-bit architectures (a 32-bit system can only address up to 4 GB of RAM). The FreeNAS stable version is 9.2.1.5.

Features

- Supports protocols such as NFS, SSH, FTP, TFTP, BitTorrent, iTunes, CIFS (via Samba), etc
- Plug-in support for SlimServer and Xbox Media Stream Protocol
- iSCSI target feature is used to create virtual disks
- ZFS, UFS, ext2, and ext3 are also supported; read and write for FAT32 and NTFS
- Hard drives supported are (P/S)-ATA, SCSI, iSCSI, USB and FireWire; and booting is possible from a HDD, CD-ROM, floppy disk or USB flash drive

Openfiler: A NAS/SAN solution

Openfiler is a free network storage OS created by Xinit Systems, and is based on the rPath Linux distribution. It supports file-based Network Attached Storage (NAS) and block-based Storage Area Networking (SAN) functionality in a single unified framework. Openfiler uses the Linux 2.6 kernel base to deliver a wide-ranging storage management solution that fulfils the needs of enterprise applications. Openfiler supports on-disk file systems such as XFS, ext3, ReiserFS v3 and JFS. XFS and ext3 are journalled file systems that enhance data security and reduce the need for regular file system checks. Openfiler has the following hardware requirements: an x86- or x64-based computer with at least a 64-bit processor with 1.6 GHz or more, 512 MB of RAM, a CD-ROM or DVD-ROM drive if you are performing a local install, 10 GB of hard disk space (8 GB for OS installation and 2 GB for swap space). It is licensed under the GNU General Public License version 2. It supports the i386/AMD64 platforms. Installable images are available for x86_64 architectures. The download options are available at http://www.openfiler.com/community/download

Features

- Full industry-standard protocol suite: NFSv3 support for all UNIX-based clients with additional support for ACL protocol extensions; CIFS or SMB support for Microsoft Windows-based clients; FTP support, WebDAV and HTTP 1.1 support; and NFSv4 support (testing)
- Good block storage virtualisation: Point-in-time snapshots support with scheduling; synchronous/asynchronous volume replication and migration; optimal division of storage by full iSCSI target support. It also supports virtual iSCSI targets.
- Extensive share management: Support for multiple shares per volume; multi-level share directory tree; multi-group-based access control on a per-share basis; multi-host/network-based access control on a per-share basis
- Accounts management: Authentication by utilising pluggable authentication modules; Web interface-enabled configuration; it supports network directories such as LDAP, Hesiod, NIS, NT4 domain controller, and Active Directory.

Figure 3: 7-zip

Figure 4: TrueCrypt

Amanda: A backup and synchronisation solution

Advanced Maryland Automatic Network Disk Archiver, or Amanda, is an open source backup solution that can be used to take backups of data stored on multiple computers over a network. It is written in C and Perl. Windows, Mac OS X, Linux and Solaris are supported operating systems. It is distributed under the GPL, LGPL, Apache and Amanda licences. Amanda is available in two different flavours—the community edition and a fully supported enterprise edition.

Features

- It supports tape-based and disk-based backup
- It supports tape spanning if a backup set does not fit in one tape
- It uses utilities and formats such as dump and/or GNU tar
- It supports multiple simultaneous writes to storage devices

Pydio: An online data storage solution

Pydio is an open source tool that utilises a server available on premise or in a cloud environment.

Features

- It provides more control, privacy, a better total cost of ownership and security
- Easy to install
- Easy integration with the available employee directory

Clonezilla: A backup and synchronisation solution

Clonezilla is a partition and disk imaging/cloning program distributed under the GNU General Public License version 2. It is utilised for bare metal backup and recovery. It comes in two flavours—Clonezilla SE is used for group machine backups and restores, while Clonezilla Live is used for single machine backups and restores. It is written in Perl and UNIX shell. It supports POSIX GNU/Linux operating systems. The minimum system requirements for Clonezilla Live are 196 MB of RAM, a CD/DVD drive, a USB port, PXE or hard drive, and an x86 or x86-64 processor.

Features

- File systems supported for Microsoft Windows are: FAT12, FAT16, FAT32 and NTFS
- File systems supported for GNU/Linux are: ext2, ext3, ext4, reiserfs, reiser4, xfs, jfs and btrfs
- File system supported for FreeBSD, NetBSD, and OpenBSD is: UFS
- File systems supported for ESXi are: VMFS3 and VMFS5
- File system supported for Mac OS is: HFS+
- Cloning supported for 32-bit or 64-bit GNU/Linux, MS Windows, Intel-based Mac OS, FreeBSD, NetBSD, OpenBSD, Minix and VMware ESX

Libvirt: A storage management solution

Libvirt is an open source management tool for platform virtualisation. It also provides storage management on the physical host in different ways such as storage pools and volumes. A storage pool is a quantity of storage that is used by virtual machines (VMs). Storage pools are divided into storage volumes and assigned to VMs as block devices. Pools and volumes ensure that storage will be available for a VM. Management applications using libvirt enable users to allocate storage resources, run the virtual machines, shut them down, de-allocate the resources, etc.


Table 1: File compression ratio (Mozilla Firefox: 161 files, 15,684,168 bytes; Google Earth: 115 files, 23,530,652 bytes)

Archiver                             | Firefox compressed size | Firefox ratio | Google Earth compressed size | Google Earth ratio
7-Zip 4.23 (7z format)               | 4,621,135               | 100%          | 6,109,183                    | 100%
WinRAR 3.50                          | 5,021,556               | 109%          | 6,824,892                    | 112%
CABARC 5.1                           | 5,131,393               | 111%          | 7,434,325                    | 122%
WinZip 10.0 beta (maximum-PPMd)      | 5,277,118               | 114%          | 8,200,708                    | 134%
7-Zip 4.23 (zip format)              | 6,222,627               | 135%          | 8,909,446                    | 146%
WinZip 10.0 beta (maximum-portable)  | 6,448,666               | 140%          | 9,153,898                    | 150%

Source: 7-zip.org

Features

Libvirt supports storage pool types such as directory backend, logical backend, disk backend, local file system backend, network file system backend, iSCSI backend, SCSI backend, multipath backend, RBD (RADOS Block Device) backend, Sheepdog backend and Gluster backend.

7-Zip: A file compression solution

7-Zip is open source software written in C++ that is used to compress files in the 7z archive format. It was developed by Igor Pavlov and first released on July 18, 1999. A stable release has been available since November 18, 2010. It supports various operating systems such as GNU/Linux, Microsoft Windows and Mac OS X. Table 1 gives the file compression ratio of this storage solution. It has a graphical user interface and command line interface.

Features

- Confidentiality increases due to AES-256 encryption in 7z and ZIP formats
- Supports localisation for 79 languages
- It has a powerful command line version and file manager
- Provides integration with Windows Shell

TrueCrypt: An encryption solution

TrueCrypt is an open source application used for data encryption before it is saved and data decryption before it is consumed. It supports operating systems such as Linux, OS X, Microsoft Windows, etc. TrueCrypt currently uses the XTS mode [XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS)]. A password, keyfile(s) or the correct encryption keys are the only ways to access data stored on an encrypted volume. They are used to protect data confidentiality even if the OS is not active.

Supported algorithms: Twofish, Serpent and AES
Supported hybrid combinations of algorithms: Cascades, Serpent-Twofish-AES, Serpent-AES, AES-Twofish-Serpent, Twofish-Serpent and AES-Twofish
Supported cryptographic hash functions: TrueCrypt supports the SHA-512, RIPEMD-160 and Whirlpool hash algorithms.

The roadmap for future versions includes features such as support for Windows 8 to encrypt Windows system partitions/drives on UEFI-based computers, ‘raw’ CD/DVD volumes, command line options for volume creation on the Windows operating system, etc. You can download these from: http://www.truecrypt.org/downloads

Features

- Two-factor authentication
- Individual disk partitions and swap space can be encrypted
- Encrypted container can be persisted in a file
- Hidden containers - one per ‘outer’ container is supported; hidden containers are similar to nested containers
- Pre-boot authentication on Windows is required before booting the computer to encrypt the boot disk
- More than one active key
- Passphrase strengthening - key strengthening is used with pure text passwords
- Hardware acceleration - cryptographic accelerator expansion cards can be used
- Windows MBR volumes can be encrypted, but not UEFI GPT drives
- Complete physical disk or logical volume, including the partition tables and master boot record, can be encrypted


By: Mitesh Soni The author is a technical lead at IGATE Global Solutions Limited. He is into Cloud Practice and loves to write about new technologies. He blogs at: http://clean-clouds.com



TIPS & TRICKS

Comment specific lines in VI editor

Here is how we can comment a specific line in a file using the VI editor. The syntax is:

:x,y s/^/#/g

Here,
x,y: the starting and ending line numbers
^: this points to the start of the line
#: the usual way to comment in config files in Linux

As an example, open a config file in VI Editor and run the following command:

:450,500 s/^/#/g

This will comment lines numbered 450 to 500 in the opened file.

:.,+10 s/^/#/g

Here, ‘.’ is the current line and ‘+10’ refers to ten lines from the current one.
—Ranjith Kumar, ranjith.stc@gmail.com

Create a logical swap from a normal swap file

First, check the swap device:

#cat /proc/swaps

[ex: given below]

Filename                                Type            Size    Used    Priority
/dev/sda2                               partition       4095992 0       -1

Then, swapoff the device:

#swapoff /dev/sda2

Create PV, VG and LV:

#pvcreate /dev/sda2
WARNING: swap signature detected on /dev/sda2. Wipe it? [y/n] - type Y

Create New_VG or assume that the VG (New_VG) already exists in the system, so just extend it:

#vgextend New_VG /dev/sda2

You can check the VG using the command below:

#vgdisplay

Let’s assume that we are going to create a 2 GB logical swap:

#lvcreate -L 2G -n lvSwap New_VG

Now you can use the following command to see lvSwap:

#lvdisplay

To make this a swap partition, use the following command:

#mkswap /dev/New_VG/lvSwap

Here, the device name is the same as what we got as output from the lvdisplay command. It will show you the setting up of the swap space with the size and some other information. Finally, to complete the process, swapon the LV device as shown below:

#swapon /dev/New_VG/lvSwap

To make these changes permanent, change the swap entry in /etc/fstab by adding the following line:

/dev/mapper/New_VG-lvSwap swap swap defaults 0 0

You can use the free command to verify the changes.

#free

Note: If you try to extend/reduce the lvSwap, make sure you run swapoff first, then run mkswap and, finally, swapon.
—Sujith S Pillai, sujithspillai90@gmail.com
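An added pre-flight check for the Note above (example code, not part of the tip): it parses /proc/swaps to confirm a swap area is no longer active before mkswap or an LV resize is attempted, and it accepts either spelling of the LV path (/dev/VG/LV or /dev/mapper/VG-LV). The /proc/swaps content and the path-resolver table are constructed samples; on a real system /proc/swaps lists the kernel name of an LV (such as /dev/dm-3), which is why paths are canonicalised before comparison.

```python
import os

# Constructed /proc/swaps sample in the layout the tip shows (not a real system).
# The second entry stands for an LVM swap LV, which the kernel reports as /dev/dm-N.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda2                               partition\t4095992\t0\t-1
/dev/dm-3                               partition\t2097148\t0\t-2
"""

# Constructed stand-in for os.path.realpath(): maps the LV's two spellings to
# the kernel device name, exactly as the symlinks under /dev would on a host.
SAMPLE_LINKS = {
    "/dev/New_VG/lvSwap": "/dev/dm-3",
    "/dev/mapper/New_VG-lvSwap": "/dev/dm-3",
}


def sample_resolve(path):
    return SAMPLE_LINKS.get(path, path)


def parse_proc_swaps(text):
    """Return one dict per active swap area; the first line of the file is the header."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        entries.append({
            "filename": fields[0],
            "type": fields[1],
            "size_kb": int(fields[2]),
            "used_kb": int(fields[3]),
            "priority": int(fields[4]),
        })
    return entries


def mapper_name(vg, lv):
    """/dev/mapper name of an LV. device-mapper escapes a '-' inside a VG or LV
    name as '--', so the VG/LV separator stays unambiguous."""
    return f"/dev/mapper/{vg.replace('-', '--')}-{lv.replace('-', '--')}"


def fstab_swap_line(vg, lv):
    """The /etc/fstab entry in the form the tip uses."""
    return f"{mapper_name(vg, lv)} swap swap defaults 0 0"


def swap_is_active(text, device, resolve=os.path.realpath):
    """True if `device` (under any of its spellings) is still listed in /proc/swaps.
    Both the queried path and each listed path go through `resolve` so that
    /dev/New_VG/lvSwap, /dev/mapper/New_VG-lvSwap and /dev/dm-3 compare equal."""
    target = resolve(device)
    return any(resolve(e["filename"]) == target for e in parse_proc_swaps(text))


def ready_for_resize(text, vg, lv, resolve=os.path.realpath):
    """Safe to run lvextend/lvreduce + mkswap only once swapoff has removed the LV."""
    return not swap_is_active(text, f"/dev/{vg}/{lv}", resolve)


if __name__ == "__main__":
    for entry in parse_proc_swaps(SAMPLE_PROC_SWAPS):
        print(entry)
    print("lvSwap still active:", not ready_for_resize(SAMPLE_PROC_SWAPS, "New_VG", "lvSwap", sample_resolve))
    print(fstab_swap_line("New_VG", "lvSwap"))
```

On a live host, pass the contents of /proc/swaps and leave `resolve` at its default so real symlinks are followed.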

Connecting Android phones to a Linux-powered computer

I was surprised to find that my newly bought Android phone was not able to connect to my Linux-powered laptop in file sharing mode. So I tried a few tricks, and would like to share these with those facing similar issues.

Transferring files using mtpfs

Step 1: Update your udev rules by seeing the details picked up from lsusb. Open /etc/udev/rules.d/51-android.rules as the root user in any text editor, and add the following line:

SUBSYSTEM=="usb", ATTR{idVendor}=="<your-vendor-id>", ATTR{idProduct}=="<your-product-id>", MODE="0600", OWNER="<your-username>"

The product and vendor IDs can be fetched by running the lsusb command at the shell prompt. I am using a Samsung Galaxy S4, and shown below are the details of my phone:

SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", ATTR{idProduct}=="6860", MODE="0600", OWNER="pranavam"

Step 2: Install the MTP modules on your Linux computer by executing the following command:

$sudo apt-get install mtpfs

Step 3: Install gMTP, a simple MTP graphical interface client, to browse and transfer files. Execute the following command to install the gMTP client:

$sudo apt-get install gmtp

Step 4: Open gmtp from the menu or use the Run window, and click the Connect option in the tool bar to connect to the device. Once successfully connected, you can enjoy transferring files from the device and vice versa.

Note: You need a compatible USB cable to physically connect your phone and the computer.

Transferring files using SSH

Step 1: Install an SSH server on your mobile.
Step 2: Configure the SSH server.
Step 3: Use any file browser on your Linux computer to access the files. To do so, open the file browser and type the address as ssh://<<userid>>@<<ipaddress:port>>, where ipaddress is the address assigned to your Android phone, and port is the number on which the SSH server is listening.

Note: You need your phone and computer to be connected to the same network, either via Wi-Fi or directly via the Internet.

Transferring files using Wi-Fi Explorer

Step 1: Install Wi-Fi Explorer on your mobile.
Step 2: Open the link provided by the app on your Linux-powered computer to browse the files on the phone’s memory.

Note: You need your phone and computer to be connected to the same network, either via Wi-Fi or directly via the Internet.
—Pranavam Siddharthan, pranavam.s@gmail.com
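An added example (not part of the tip) that builds the 51-android.rules line from lsusb output instead of copying the IDs by hand, checking that the IDs are four hex digits and that the owner is a plausible username, so the rule grants the device node to exactly one user with MODE 0600 rather than leaving it world-accessible. The lsusb lines are constructed sample output; the 04e8:6860 pair is the one quoted in the tip.

```python
import re

# Constructed sample lsusb output (not captured from a real machine).
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

# "Bus BBB Device DDD: ID vvvv:pppp description"
LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")
USB_ID = re.compile(r"[0-9a-f]{4}")
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_lsusb(text):
    """Return (vendor_id, product_id, description) for each device line."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append((m.group(3), m.group(4), m.group(5)))
    return devices


def find_device(text, keyword):
    """Select the one device whose description mentions `keyword`.
    Refuses to guess if zero or several devices match, so the rule never
    silently lands on the wrong vendor:product pair."""
    hits = [d for d in parse_lsusb(text) if keyword.lower() in d[2].lower()]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one device matching {keyword!r}, found {len(hits)}")
    return hits[0]


def udev_rule(vendor_id, product_id, owner, mode="0600"):
    """Build the rule line in the form used in the tip. MODE=0600 plus OWNER
    restricts the USB device node to one local user."""
    for value in (vendor_id, product_id):
        if not USB_ID.fullmatch(value):
            raise ValueError(f"bad USB id {value!r}: expected four lowercase hex digits")
    if not USERNAME.fullmatch(owner):
        raise ValueError(f"bad username {owner!r}")
    if not re.fullmatch(r"0[0-7]{3}", mode):
        raise ValueError(f"bad mode {mode!r}")
    return (f'SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vendor_id}", '
            f'ATTR{{idProduct}}=="{product_id}", MODE="{mode}", OWNER="{owner}"')


def rule_for(text, keyword, owner):
    """lsusb output + device keyword + username -> ready-to-paste udev rule."""
    vendor_id, product_id, _ = find_device(text, keyword)
    return udev_rule(vendor_id, product_id, owner)


if __name__ == "__main__":
    print(rule_for(SAMPLE_LSUSB, "Samsung", "pranavam"))
```

Run it against the real output with `rule_for(subprocess.check_output(["lsusb"], text=True), "Samsung", "yourname")` and append the printed line to /etc/udev/rules.d/51-android.rules as root.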

Downloading the dump of a website

If you want to download the dump of the website ‘some-name-of-site.org’, you can make use of the following command in the Linux terminal:

wget --random-wait -r -p -e robots=off -U mozilla www.some-name-of-site.org

Here, the parameters are:
--random-wait: This causes the system to generate a random number, which represents the maximum time period that the system will wait to get a response.
-r: This recursively downloads all the links present in the pages of the given website.
robots=off: This does not follow the robots.txt associated with the website (if any).
-U mozilla: This indicates that the user agent is Mozilla.
—Mohammad Azimuddin, azim.chisty@gmail.com

Share Your Linux Recipes! The joy of using Linux is in finding ways to get around problems—take them head on, defeat them! We invite you to share your tips and tricks with us for publication in OSFY so that they can reach a wider audience. Your tips could be related to administration, programming, troubleshooting or general tweaking. Submit them at www.linuxforu.com. The sender of each published tip will get a T-shirt.




Quantum Cryptography: Enabling Secure Data Transmission Welcome to the world of spies and secret messages. This article focuses on the application of quantum mechanics to transmit secret messages. Wannabe cryptographers will find it an interesting read.

Traditional cryptographic methodologies rely on mathematics and have theoretical limits on computational power. There are different mathematical tricks and techniques that facilitate the factorisation of extremely large numbers into their corresponding primes, hence making cryptanalysis—the study of finding security vulnerabilities in cryptographic systems—a popular and achievable task. RSA has done reasonably well over the last two decades and remains the most popular cryptosystem, yet resilient to hackers. Named after its three inventors, Rivest, Shamir and Adleman, according to Wikipedia, it is one of the first practicable public-key cryptosystems and is widely used for secure data transmission. Factoring the modulus is referred to as a brute-force attack in the case of RSA. The most efficient factoring algorithm is the general number field sieve (GNFS), which runs in , for an n-bit integer, where c < 2. GNFS is far from polynomial bounds and, in its current state, doesn’t pose much of a threat to RSA. Several planned attacks exploiting its mathematical aspects are possible—like low exponent (both private and public), blinding, chosen ciphertext, cycle attacks, etc. The computational power of electronic devices is increasing day by day, with even Moore’s law approaching obsolescence. Moreover, the onset of research and development on quantum computing makes current cryptographic methods prone to cryptanalysis. Quantum cryptography takes encryption and decryption to a different level. It brings physics into action rather than relying too much on mathematical computations and assumptions. The US government-backed DARPA (Defense Advanced Research Projects Agency) quantum network is the world’s first fully functional quantum cryptographic network, running between DARPA, Harvard University and Boston University. Let us now take a ride on quantum mechanics.

Perception and simulation

Qubit: The basis of quantum cryptography is a qubit (a quantum bit). The term ‘quantum’ is derived from the word quanta, which means a packet of energy. This packet contains photons, and these photons constitute a qubit. Thus, quantum computing and quantum cryptography are based on the properties and the characteristics of these photons. In digital signal processing, a bit represents the state of 0 or 1 at a particular instant; quantum annealing defines a bit in three states of 0, 1 and the superposition state (simultaneous occurrence or orientation of both 0 and 1). The states of the qubit are represented in terms of probabilistic amplitudes; though different representations of the qubit are adopted by various research firms, the most common and standard is the ‘ket representation’, 0 as |0> and 1 as |1>. In general, the state of a qubit is defined on the complex plane by the equation:

|q> = α|0> + β|1>, where |α|^2 + |β|^2 = 1

Here α and β are called the amplitudes. The probability of the occurrence of |0> is |α|^2 and of |1> is |β|^2. The set of all possible orientations of |q> is plotted on Hilbert’s space (a complex unit circle). Often, a different geometrical representation (the Bloch sphere) is used for qubits that have pure states or a two-level quantum state. Discussing Hilbert’s space and the Bloch sphere is beyond the scope of this article, so interested readers can contact the author via email. Figure 1 shows a normal bit plot and Figure 2 shows a qubit plot.

Measurement of a qubit: Entanglement is a property specifically related to quantum mechanics, which increases the degree of correlation among qubits. According to this property, if the quantum state of one qubit is known, then the quantum state of the other qubits in the same reference frame can be found. For example, in a hypothetical reference frame, if there are two qubits and we know that one qubit is spinning clockwise, then due to analogous behaviour, the other qubit must spin in the anticlockwise direction. The latter qubit is called the mate of the former. Due to entanglement, qubits achieve inherent parallelism. As discussed before, qubits are the abstraction of photons with their control devices, and due to their potential to incorporate multiple states simultaneously, they are capable of processing millions of computations in a single instant. A single qubit, due to its superposition, is capable of carrying the two states, 0 and 1, in a single instant; hence, what two traditional bits can do is done by a single qubit. A 300-qubit quantum computer can process 2^300 computations in an instant (more than the number of atoms in the known universe).

Quantum channel

Researchers are often confused over the paradox of dual transmission – encoding via qubits and transmitting the encoded information with traditional bits over classical networking. Our communication channels follow the laws and constraints of classical physics. Quantum mechanics out-performs these native laws and leads to the emergence of quantum channels. A property related to quantum mechanics, called ‘no-cloning’, states that we cannot clone (construct) an identical copy of the state (spin, orientation or polarisation) of an unknown qubit. The no-cloning property can be considered as a lemma to the ‘Uncertainty Principle’ of quantum mechanics, which formulates the precision inequality in signal processing. Thus, for a hypothetical situation of Alice and Bob, Bob cannot fully decode what Alice had encoded using qubits and dispatched using traditional bits via a classical channel. Even if Bob is aware of the qubit state (a less secure version, only fit for theoretical understanding), the classical channel needs to carry an infinite number of traditional bits so as to fully decode the information encrypted via qubits (as discussed above, a single qubit can have two states, resulting in 2^x possibilities). Due to these limitations, our current networking media must be replaced by quantum networking to facilitate quantum mechanics in our day-to-day life.

Figure 1: Classical bit

Figure 2: Quantum bit

Quantum cryptography

Quantum tips and techniques provide far more secure methodologies for various cryptographic tasks, facilitating quantum information theory. Under current commercial communication systems, it is primarily government bodies and a few high-end security companies that are interested in quantum cryptographic techniques. A few firms have started providing networking solutions formulated on quantum mechanics—for example, Swiss Quantum, MagiQ, etc. One of the most fundamental aspects of any cryptographic system is the key distribution between sender and receiver. Quantum Key Distribution (QKD) is one of the most well established aspects of cryptography, governed by the laws of physics. In our quantum channel, the sender is Alice and the receiver is Bob. Now, as we have seen earlier, qubits follow the ‘no-cloning’ principle. So, if any eavesdropper tries to grasp the state of the qubit (i.e., polarisation) during the secret key exchange between Alice and Bob, the victim qubit is destroyed (either its polarisation, spin or both) and, hence, the eavesdropper is unable to decode the qubit. Bob gets a qubit with a failed checksum (a protocol to check data integrity) and asks Alice for retransmission. Thus, the only overhead is the retransmission of the victim qubit by Alice. In 1984, Charles Bennett and Gilles Brassard (BB84) formulated a protocol for quantum key distribution. It assumes a quantum channel for key distribution and a classical channel for data transmission.

Figure 3: Quantum channel

Figure 4: Table showing qubit matching

The process starts with Alice choosing two strings, X and Y, and then encoding them with qubits. Let us now define a term called basis, which is a vector that defines a coordinate system; mathematically, this is a set of linearly independent vectors over a real or a complex plane. Hence, if V = {v1, v2, ..., vn} is a finite set of vectors and X = {x1, x2, ..., xn} denotes the coordinates of vector X, then according to this principle, V forms the basis of X if the following two conditions hold:

If x1v1 + x2v2 + x3v3 + ... + xnvn = 0, then x1 = x2 = x3 = ... = xn = 0
For all x in X, x = x1v1 + x2v2 + x3v3 + ... + xnvn, where xi is called the coordinate of vector X with respect to basis V.

In our key distribution, the ith bit of Y decides the basis of the ith bit of X. Since each bit of X is encoded using the basis of Y, it is practically impossible to decode X without knowing Y. Now, Alice transfers X to Bob over the quantum channel. During this transfer, an eavesdropper, say Eve, might try to obtain a state of X. At this point, three states of X co-exist, one each with Alice, Bob and Eve, while only Alice knows the basis Y. Both Bob and Eve predict their own version of Y, say B and E. Using their respective bases, Bob and Eve begin generating their own version (or state) of X. Now, Bob broadcasts to Alice, acknowledging his version of X calculated using basis B, say X’. Alice and Bob now begin checking or comparing each bit of X and X’. The bits where X and X’ are not equal are discarded. Of all the n bits in X, let m bits match with X’. There is always a lower limit on matching bits, below which the current vector X and its basis Y are discarded, and Alice repeats the whole process again. Alice chooses a random number of bits from among the matched bits (usually m/2) and declares it as a shared key.

During this process of bit matching and declaration, Alice and Bob use another property of analytical physics called privacy amplification, which measures differences in amplitude of the signals transferred from Alice to Bob and vice versa. Any difference in amplitude means suspicious behaviour (eavesdropper) in the channel, and hence a hand break is performed and the whole process is started again. If, at any instant, Eve, using her own basis E, tries to replicate bits that are acknowledged between Alice and Bob, these bits change their spin, polarity or both at that very instant due to the no-cloning theorem; hence, Alice performs a hand break with Bob and repeats the whole process by selecting a new X and Y, and then retransmits. Figure 4 shows a hypothetical example of qubit matching. Hence, the agreed key between Alice and Bob in the above example is: 00101. As seen in the table in Figure 4, this protocol has a single orientation and polarity for a bit. Therefore, a single photon source is used. Practically, a single photon is difficult to produce, as photons exist in packets (quanta). Several other algorithms have been developed on the basis of BB84, which exploit the collective pattern and behaviour of photons and are under constant improvement. Some algorithms take advantage of the inherent correlation of the polarity of photons (entanglement); such algorithms make a guess of bit orientation at Bob’s end, knowing its orientation at Alice’s end. Again, in such cases, the probability of eavesdropping or counterfeiting is nullified by the no-cloning property of the photons. Similar to the process of key distribution, data encoded with qubits can be transferred. One major drawback in data transfer is the error rate. Even the smallest disturbance in orientation will lead to a complete retransfer of data, creating bottlenecks in the quantum channel. Various error correcting codes are being researched but are still far from being implementable or even discussed in detail.
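An added classical simulation of the BB84 exchange described above (example code, not from the article): Alice's bits X and bases Y, Bob's guessed bases B, sifting of the positions where Y and B agree, and an optional intercept-resend Eve who measures in her own basis E and must re-send in that basis because she cannot clone the photon. The photon model is the usual textbook abstraction (measuring in the wrong basis yields a random bit); the public comparison sacrifices half the sifted bits to estimate the error rate, and the 11% abort threshold is an assumed, commonly quoted value, not one the article gives.

```python
import random

# Basis encoding: 0 = rectilinear (+), 1 = diagonal (x).


def measure(bit, prep, meas, rng):
    """Model of the physics BB84 relies on: a photon prepared with `bit` in
    basis `prep` and measured in the same basis returns `bit`; measured in the
    other basis it returns a uniformly random bit and the original state is lost."""
    if prep == meas:
        return bit
    return rng.randrange(2)


def bb84(n, rng, eve=False):
    """Run one BB84 exchange over n photons; return sifted keys and error rate."""
    # Alice: random bit string X and random basis string Y; the ith bit of Y
    # decides the basis in which the ith bit of X is encoded.
    x = [rng.randrange(2) for _ in range(n)]
    y = [rng.randrange(2) for _ in range(n)]
    photons = list(zip(x, y))  # (bit, basis) pairs on the quantum channel

    if eve:
        # Intercept-resend attacker: Eve guesses a basis E per photon, measures,
        # and forwards a fresh photon prepared in *her* basis with *her* result.
        e = [rng.randrange(2) for _ in range(n)]
        photons = [(measure(bit, basis, e[i], rng), e[i])
                   for i, (bit, basis) in enumerate(photons)]

    # Bob: guesses basis B per photon and measures, obtaining X'.
    b = [rng.randrange(2) for _ in range(n)]
    x_prime = [measure(bit, basis, b[i], rng)
               for i, (bit, basis) in enumerate(photons)]

    # Sifting over the classical channel: Bob announces B, Alice announces the
    # positions where Y == B, the rest are discarded. Bit values stay private.
    keep = [i for i in range(n) if y[i] == b[i]]
    sift_a = [x[i] for i in keep]
    sift_b = [x_prime[i] for i in keep]

    # Error estimation: publicly compare every other sifted bit (about m/2),
    # then discard those positions. Eve's disturbance shows up as mismatches.
    m = len(keep)
    check = range(0, m, 2)
    key_pos = range(1, m, 2)
    mismatches = sum(1 for i in check if sift_a[i] != sift_b[i])
    error_rate = mismatches / len(check) if len(check) else 0.0
    return {
        "sifted": m,
        "error_rate": error_rate,
        "key_alice": [sift_a[i] for i in key_pos],
        "key_bob": [sift_b[i] for i in key_pos],
    }


def run_protocol(n, seed, eve=False, threshold=0.11):
    """Seeded, reproducible run. Above `threshold` the parties abort (the
    article's 'hand break') and would start over with fresh X and Y."""
    result = bb84(n, random.Random(seed), eve)
    result["aborted"] = result["error_rate"] > threshold
    return result


if __name__ == "__main__":
    for eve in (False, True):
        r = run_protocol(2000, seed=7, eve=eve)
        print(f"eve={eve}: sifted={r['sifted']} error_rate={r['error_rate']:.3f} "
              f"aborted={r['aborted']} keys_equal={r['key_alice'] == r['key_bob']}")
```

Without Eve the sifted bits agree exactly and about half the photons survive sifting; with an intercept-resend Eve roughly a quarter of the checked bits mismatch, which is why the run aborts.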

Limitations of quantum cryptography

1. Computers capable of transferring quantum information over a quantum channel are very large, complex and costly. Hence, only major IT firms, networking giants and a few well-supported educational institutes can pursue R&D in quantum cryptography. This leads to a monopoly and non-standard quantum information theories.
2. The error rate increases exponentially even if a fraction of sunlight interferes with the optic fibre cable. Even the most advanced shielding that exists today does not guarantee zero interference.
3. With increasing distances, qubits tend to become more error-prone. Amplifiers cannot be used in a quantum network, as it would make eavesdropper detection a difficult task. As a result, after a few hundred miles, the error rate becomes so high that reconstruction of qubits using entanglement is practically impossible.

By: Munawar Hasan The author is an algorithm developer with more than three years of experience in this field. He has recently developed a predictive algorithm for financial modelling to help detect several types of banking and insurance fraud. You can contact him at munawar.hasan08@gmail.com





