http://www.freesoftwaremagazine.com/node/1234/issue_pdf by Imad Humayun

Issue 12

Table of Contents Issue 12................................................................................................................................................................1 .................................................................................................................................................................1 Editorial..............................................................................................................................................................3 Everybody's a server...............................................................................................................................3 Structured writing with LyX............................................................................................................................5 What you see is what you mean?............................................................................................................5 A beginnerâ&#x20AC;&#x2122;s introduction to the GNU/Linux command line......................................................................13 An introduction to the command line for novices that teaches some simple commands such as ls, cd and pwd and explains how to learn more.........................................................................................13 Secure your email communication with free software.................................................................................21 A guide for installing, configuring and using Mozilla Thunderbird, Enigmail, and GnuPG to provide secure and encrypted email......................................................................................................21 Stylish XML......................................................................................................................................................33 Part two: using XSL to transform your XML documents.....................................................................33 Hardening Linux Web Servers.......................................................................................................................39 Comprehensive security spans several disciplines, learn how to secure a system, to host securely coded PHP and Java web services........................................................................................................39 The GP2x PDA.................................................................................................................................................59 A PDA focused on games and GNU/Linux..........................................................................................59 Freedom, as in fighting for..............................................................................................................................67 Welcome to the battlefield....................................................................................................................67 I hope the year for Linux never comes...........................................................................................................71 Itâ&#x20AC;&#x2122;s only from lofty heights that empires fall........................................................................................71 Towards a free matter economy (Part 6).......................................................................................................75 Legal Landmines...................................................................................................................................75 Interview of Frank Mittelbach.......................................................................................................................87 A combined interview of the LaTeX Project director..........................................................................87

Issue 12

Issue 12 By Tony Mobily In Issue 12 of Free Software Magazine, Jerome Gotangco guides us through securing email communication and Yousef Ourabi shows us how to harden our Linux servers. Rosalyn Hunter introduces the GNU/Linux CLI for beginners and Terry Hancock explains LyX. We also get to have some fun when Robin Monks reviews some clones of a classic game: Tetris. And more... Source URL: http://www.freesoftwaremagazine.com/issues/issue_012

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

Issue 12

Editorial Everybody's a server By Tony Mobily The IT world has a reputation of being extremely fast-paced. And it is: an accounting program in the ’80s would have been written in COBOL. In the ’90s it would have been written with a RAD (Rapid Application Developer) environment such as Delphi or Visual Basic. In the... ’00s (noughties?), today, the same application would probably be written as a web system, possibly using all of the “Web 2.0” technologies to make it responsive and highly usable. I am not going to try and predict what it will be like in the ’10s and I am not going to try and make guesses, since I am notorious for being wrong (yes, I am one of those people who thought that Java would be “it”...). However, there is a shift that has indeed already happened, and hasn’t been highlighted as much by the media. This shift helps free software, and at the same time is helped by free software. Let me take a step back. At the beginning of this decade, the internet become the most important feature in any personal computer. There was a very strong distinction between PCs (which acted as “clients”) and servers (which often didn’t have a monitor and were stacked in a server rack in a data centre). The PCs served would request a page; servers would display pages; PCs would render them. Blogging systems and photo albums often worked with the same concepts: the PCs were often used as a means to transfer the data onto the servers, using a web interface or an unfortunate proprietary client. While I shouldn’t use the past tense just yet, something today has changed: people are using GNU/Linux and Mac OS, and therefore have fully featured servers hidden behind all the pretty icons they are used to. Windows users try to catch up, but they do seem to struggle in terms of available software or—more importantly—security; however yes, even Microsoft users can act as servers. This change is paramount. Computer users today are finding themselves with very fast permanent home-connections, as well as powerful server systems hidden behind fancy icons. They are realising that there is no point in paying a hosting company to have a web site: they can just run their own. The IP address changes? That’s not a problem: there’s dynamic DNS, free of charge, that comes to rescue. Everybody is becoming “a bit of a system administrator”, where their computer hosts their web sites, their photo album, or their music. Quite a few issues still remain, especially for security or problem solving when something “goes wrong”. However, none of these problems are really new: how many spam zombies run happily in client-only, Windows machines? How many times do client machines crash? To me, this is yet another fantastic opportunity for free software: if installing a web server, a blogging system or a Wiki becomes as simple as installing any desktop application (that is, no command line is needed), then less skilled people will have yet another good reason to use free software and free operating systems. For quite a few years, a lot of people predicted that “clients will be thinner and thinner, until most of the processing will happen in the server”. What a lot of people didn’t predict, is that all those servers would be in the hands of the end users through very fast internet connections, rather than dedicated data centres. I don’t know if this is only the beginning of yet another revolution, or just a temporary trend which will be relegated to geeks and computer experts. This will also depend on how easy it will be for the common user to install a pre-configured web server, photo albums, Wikis, etc. on their systems (right now, my mother wouldn’t manage any of those things and she knows as much as 90% of the computer users out there). In any case, it’s definitely something to keep an eye on.

Biography Tony Mobily (/user/2" title="View user profile.): Tony is the founder and the Editor In Chief of Free Software Magazine

Editorial

Issue 12

Copyright information Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided this notice is preserved. Source URL: http://www.freesoftwaremagazine.com/articles/editorial_12

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

Everybody's a server

Structured writing with LyX What you see is what you mean? By Terry Hancock In the hubbub over the Open Document Format and competing “what you see is what you get” (WYSIWYG) word processors, a long-standing alternative model of word processing systems, with much deeper roots in the free software world, has been mostly overlooked. The author of LyX, Matthias Ettrich, calls this approach “what you see is what you mean” (WYSIWYM). However, it’s a philosophy that you will find in many “native” free software text-processing systems everywhere, from online “content management systems” to book publishing. You write what you mean, then you use some type of formatter to create presentation layouts. Sometimes it’s called “structured writing” or “structured authoring”, but whatever name it goes by, you’ll see this idea repeated in many places. LyX[1], with its integrated graphical environment, may be the friendliest place to learn it.

Starting an article in LyX WYSIWYM does take some getting used to if you’ve come fresh from the world of WYSIWYG. The problem is that you get an urge to control details about presentation (rather than meaning or “content”), and you may try to control them too early in the authoring process. With LyX, you don’t need to do such things. First of all, the general purpose styles that are provided with the program are good enough for everyday writing tasks (so you won’t often have to think about presentation at all). The main point, though, is that once you have the document created, you can apply transformations to the presentation after the fact, and they will be propagated throughout your document with a minimum of fuss. Let the program do the scutwork for you. Concentrate on what you are writing, not on how you are going to format it So, my first bit of advice when starting out with LyX has to be “let go”. Let the program do the scutwork for you. Concentrate on what you are writing, not on how you are going to format it. Just start typing. As the need arises, you can add styles to already written text. Styles If you take a look at the default “article” template for LyX, you can see what structured writing is all about. The document view in the window looks very much like it would in any WYSIWYG word processor, but you should notice that the style menu is prominent on the upper left. Most of your formatting work is done with this menu, and involves a single step of selecting the style for the current paragraph.

Figure 1: The most commonly used widget in the LyX interface is the style menu The main style you will use is the “Standard” style, which applies to ordinary paragraph text. After this, the

Structured writing with LyX

Issue 12 next most frequent types you will deal with are the heading styles, called: “Part”, “Section”, “Subsection”, “Subsubsection”, “Paragraph”, and “Subparagraph”. For most documents, you’ll only need two or three levels of headings, but, as you can see, it is possible for a structure to be quite finely divided. If you use the numbered styles (the ones with no special markings), then section numbers will automatically be generated alongside of the headings, and autogeneration and navigation tools will treat them specially. If you just want the “look” of a heading, but no numbering or special handling, there are variants of these styles (pre-pended with an asterisk, as in “*Subsection”) provided for that purpose. There are also less-commonly used styles, such as “Quotation” for block quotations.

Layout menus Styling of individual words is more limited, though there are provisions for bold, emphasis, and noun text on the “Layout” menu. These names may sound a little odd, because they describe the meaning of the typography rather than its implementation. So these terms are preferred to the literal terms for what happens in the standard article template: bold, italic, and small caps. For the feature-hungry, this may seem like sparse pickings, but it reflects the reality that for most writing applications it’s extremely good advice to stick to these simple choices. If you need more detail than this, however, it is there. Also in the Layout menu are options for the “Character...”, “Paragraph...”, and “Document...” layout characteristics. The character dialog will alter the text you currently have selected, while the paragraph dialog will affect the selected paragraphs or, if there is no selection, just the paragraph you are currently editing. The “Document...” options obviously affect the overall look of your document. Generally you won’t need to worry about document layout until you are ready to print or export your work. Most properties, such as text size, are indicated in generic or relative terms One thing you may notice, is that most properties, such as text size, are indicated in generic or relative terms. For example the sizes of text you are presented with have names like “Smaller” and “Larger”, rather than, say, exact point, metric, or pixel sizes. That’s because the sizes are all defined relative to the normal size of text in the document. Later on, this will be convenient, because it will allow you to change all of the sizes up or down for the whole document. So, it shouldn’t be surprising that the default behavior is not some fixed standard size, but simply “No Change”.

Figure 2: Dialogs for characters (left) and paragraphs (right), use relative terms rather than absolute ones, so that global document changes can be made later Paragraphs have a similar variety of style factors affecting alignment, spacing, and indentation. The inter-paragraph spacing is controlled, for example, by defining a “Vertical space” in the “Above” or “Below” paragraph settings. Furthermore, you have a range of choices, from internally-defined relative spacings such as “BigSkip” or “SmallSkip” to specified lengths, which may be in physical (absolute) units such as inches or millimeters, or in typographical units, such as “ex” or “sp” which are based on the size of font used (an “ex” is the height of the letter “x” in the font, while a “sp” or “space” is the full pitch between lines of typeset text). You will also note that you can choose to force a page break behind a certain paragraph or a horizontal line

What you see is what you mean?

Issue 12 (these are good ways to layout chapter beginnings, for example). One thing you will find missing, though, are the “natural” page breaks in the document. That’s because the editing interface doesn’t give them any special treatment—the handling of page breaks (aside from forced breaks) is handled as part of “document generation”, not “document editing”.

Generating output Once you’ve finished your document, or even a first draft, you will probably want to look at the result. Most likely, you’ll simply print it out on paper, which is easy enough to do. LyX actually accomplishes this, however, by converting the contents to LaTeX, then using the LaTeX interpreter to make a “Device Independent” DVI file, then a Postscript file, and possibly a Portable Document Format (PDF) file. The details of what kind of transformation is possible will vary according to what your system has installed on it. For example, figure 3 shows the LyX export menu on the system I am using to write this article. Because of the way that LyX generates output, you can make many changes after writing your article, and expect to see them correctly propagated throughout your document

Figure 3: Export options for LyX depend on what’s installed on the computer. This set is fairly typical Because of the way that LyX generates output, you can make many changes after writing your article, and expect to see them correctly propagated throughout your document. If you look in the “Layout” → “Document...” dialog, for example, you will find options to alter the margins, page numbering, fonts, and other overall properties. Since all of the individual elements of the document are defined in relative terms, the document will continue to look right after being altered. When not to use LyX No piece of software is the tool for every job. LyX is optimized for jobs where the writing is what’s important and you want the layout to take care of itself as invisibly and automatically as possible. It’s beyond the scope of this article, but it’s also an appropriate tool if you want to define templates, so that you control the layout and allow other people to apply it effortlessly to their own work. But, it’s probably not the best tool for laying out fancy advertising copy, comics, or other very creative layout and compositing jobs. For those tasks, you might think of reaching for a conventional WYSIWYG word processor, but they aren’t really the right tool for that job either (they’re usually rather limited in what type of layout they can do, or at least in how easily it can be done). When I’m confronted with such situations, I usually pick either a vector graphics editor (Skencil[2] or Inkscape[3], for example), or a full WYSIWYG desktop publisher, like Scribus[4].

Bells and whistles Naturally, LyX has some fancier features. Some of these will vary a lot in utility, depending on what kind of work you are using LyX for. One oddity you may wonder about is the way LyX will typeset “TeX”, “LaTeX”,

What you see is what you mean?

Issue 12 and “LyX”. This follows a tradition in the TeX community to use the name to show off the program’s typesetting capacity. So it’s really a logo as well as a name.

Figure 4: Some “stupid TeX tricks”—LyX automatically formats TeX-centric names according to their authors’ wishes Templates, styles, and layout Most people spend most of their time on very similar writing tasks. Some write lots of articles, reports, or technical documentation for which LyX’s default styles are excellent. Others only write letters or memos, and LyX has good templates for that, as well. More esoterically, there are LyX templates for everything from writing Hollywood movie scripts to American Astronomical Society journal articles. Designing completely new templates is an advanced topic with LyX, but it’s unlikely that you will need to anytime soon. There are LyX templates for everything from writing Hollywood movie scripts to American Astronomical Society journal articles Mathematics! Of course, deriving from TeX and LaTeX, it will be no surprise that LyX excels at typsetting mathematical equations. In fact, LyX includes a very nice GUI equation editor, which permits the most common mathematical typesetting jobs to be done without having to resort to TeX control sequences.

Figure 5: LyX has a very nice graphical equation editor What you see in the document you are editing is a representation of the equation, which may not look as professional as you had hoped. But don’t worry, LyX will typeset the result using TeX with all the perfectionism that you’d expect from a system written by a mathematician. Deriving from TeX and LaTeX, it will be no surprise that LyX excels at typsetting mathematical equations

What you see is what you mean?

Issue 12

Figure 6: The same equation, as it appears in the finished document Tables and graphics LyX has a native table creation facility based on the TeX/LaTeX model. Unfortunately, that model is a bit outdated; so you will find that it comes nowhere near the simplicity of use that HTML tables provide. It’s impossible, for example, to simply drop multiple lines of text into a table cell—the text will all be set on one line, possibly making the table far too wide (you have to create separate cells for each line, which can be made to look right, but it is time-consuming). This means that table typesetting natively in LyX can be pretty painful. Perhaps someday this will be fixed. In the meantime, however, I find that it’s usually more efficient to produce tables in a vector graphic program, and import the Postscript output as a graphic. LyX handles graphics quite naturally. If you want to see correctly scaled vector output, you’ll want to use Postscript graphics. Otherwise, LyX can handle the most commonly used bitmap (raster) formats. One thing that is nice, is that since LyX doesn’t attempt to use the literal WYSIWYG model, you can display the illustrations at a small size in your editor without affecting how they print (the “LyX View” and “Output” layout are separate blocks in the graphics dialog). Outlines and nested bullets The “Enumerate” and “Itemize” styles are used to create numbered or bulleted text, respectively. For a long time, I thought that LyX only supported a single level of bullets or numbers, but this is not true. It may not be the most intuitive naming scheme, but if you look in the “Layout” menu, you will find entries named “Increase Environment Depth” and “Decrease Environment Depth”. These allow you to create a nested hierarchy of bullets or numbered sections to any desired depth. The “Enumerate” and “Itemize” styles are used to create numbered or bulleted text If you do this a lot, it’s also worth noting that there are hot keys for both “S-M-left” and “S-M-right” which for mere mortals who didn’t cut their teeth on Emacs, means: “hold down the ‘shift’ and ‘alt’ keys and press the left or right arrow keys”. Emacs retains the term “meta” instead of “alt” from some archaic computer system predating the PC, if not recorded history. It’s a useful fact to file if you use anything touched by the GNU project (and you will). Evil red text You will note there is a button with a red TeX logo in the LyX interface. (Do not press the red button!) This is how you (or rather a LaTeX expert) can put “evil red text” into the document, which will be passed unaltered to LaTeX. So, if all else fails, you may be able to do what you need to do in LaTeX. If you’re the sort of person who reads “Do not the press the red button!”, and can’t stand not to, then you’re probably qualified to play with evil red text, but you have been warned.

What you see is what you mean?

Issue 12

Under the hood The typesetting engine for LyX is Donald Knuth’s TeX[5]. It was never designed to be particularly user-friendly, focusing instead on producing beautifully-formatted text for academic publications. TeX excels most notably at typesetting mathematical equations, which was a major breakthrough. However, it’s also an excellent system for setting conventional text. TeX is also legendary for its stability—being one of the few pieces of software that is almost certainly “bug-free”—in that it performs exactly as specified. There’s been a bounty available for anyone who can document an exception to this for over a decade. Which, has gone unclaimed. Knuth who is also the author of a popular set of computer science textbooks (maybe “classic” would be appropriate by now), is therefore accorded a great deal of respect in the programming community. On top of TeX, lies Leslie Lamport’s LaTeX[6], which is where the original idea of separating document structure from document presentation comes from. This idea was so successful, that it has become a standard design philosophy throughout the free software world. By separating these elements, the job of the writer (producing content) is cleanly separated from the job of publisher (presenting that content in an aesthetically pleasing way). This simplifies the writers’ jobs, because they no longer have to worry about petty details such as “what font size should sub-headings have?”. Instead, they can specify “sub-heading” and get on with their thesis. This idea is particularly useful in a collaborative context, where many different authors are submitting content to be published in a consistent way. This was important to the original users of LaTeX, who were mostly academic writers. Today it is common in the free software and free culture community, and on the world wide web in general, partly because collaboration is such an important part of those communities. However, LaTeX is still not “user friendly” by any stretch of the imagination. In order to write directly in LaTeX, you use a text editor, and you have to know a lot of arcane command sequences and codes to lay your text out properly. It is conceptually simpler than TeX, but it’s still not a “word processor”. That’s where LyX comes in—it is an interactive word processor, which keeps track of the arcane codes for you, and provides controls in graphical menus. This aspect of LyX probably looks very familiar; but, unlike WYSIWYG systems, LyX retains the “structured document” mindset of LaTeX. Although LyX does have its own native file format (*.lyx files), it easily exports to LaTeX format because it shares the same conceptual model.

Structured document authoring The structured document model is the one most native to the free software world. LaTeX has been in use for many years on Unix and Unix-like operating systems, and many tools have evolved around it. LyX provides a very comfortable “word processor” environment. However, it strictly adheres to the design ideals of the LaTeX model, maintaining a clean separation between content and presentation. LyX is a free software native! You will find the same ideas repeated throughout the free software world, with HTML, XML, and SGML authoring systems. The system on which Free Software Magazine itself is written is based on the same design principles. So, it’s well worth your while to learn how to use this tried and true approach to writing, even if it does feel a little strange at first. LyX is a free software native!

Notes and resources [1] LyX website (http://lyx.org) [2] Skencil website (http://skencil.org) [3] Inkscape website (http://inkscape.org) [4] Scribus website (http://scribus.net)

What you see is what you mean?

Issue 12 [5] TeX has no central website, but you can find good sources from Wikipedia (http://en.wikipedia.org/wiki/TeX). [6] LaTeX is also well-documented on Wikipedia (http://en.wikipedia.org/wiki/LaTeX)

Biography Terry Hancock (/user/5" title="View user profile.): Terry Hancock is co-owner and technical officer of Anansi Spaceworks (http://www.anansispaceworks.com/), dedicated to the application of free software methods to the development of space.

Copyright information This article is made available under the "Attribution-Sharealike" Creative Commons License 2.5 available from http://creativecommons.org/licenses/by-sa/2.5/. Source URL: http://www.freesoftwaremagazine.com/articles/documents_with_lyx

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

What you see is what you mean?

Issue 12

What you see is what you mean?

A beginner’s introduction to the GNU/Linux command line An introduction to the command line for novices that teaches some simple commands such as ls, cd and pwd and explains how to learn more By Rosalyn Hunter So you have decided to try a free software operating system such as GNU/Linux, congratulations. GNU/Linux is not that different from other operating systems on the surface. You point and click using the mouse and call down menus to get programs to work. However, these icons and windows are just the sweet candy coating on top of a much older system, a system of programs designed to be accessed by the command line. If you know the correct commands, then you can start any program, check your computer’s status, and see what files you have stored without having to find the listing in your menu The command line is an interface that allows you to talk directly to your computer using words called commands. If you know the correct commands, then you can start any program, check your computer’s status, and see what files you have stored without having to find the listing in your menu. Also, some functions can only be accessed through the command line, so if you want to truly understand your new system it is worth learning. Finding a terminal program To access the command line you will need to open a terminal which will allow you to talk directly to the computer. Look for a program called Xterm, terminal, Konsole, console or something similar. Since different versions of GNU/Linux have different menus, this may take a bit of searching. The icon for a terminal is usually a computer screen, and different windowing systems will have their preferred terminals. Gnome has a gnome-terminal and KDE has Konsole. On my Debian Linux system, I found a terminal called Xterm under Debian -->Xshells. First, open a terminal on your computer screen. It will usually list the computer name, or yourname @ yourcomputer and there will be some kind of punctuation mark like a $ or a # followed by a blinking box or line-shaped cursor. That blinking thing is called a prompt because it is prompting you to give it a command. Think of it as a genie coming out of a lamp asking you. “What is your command my master?”

What is your command my master?

A beginner’s introduction to the GNU/Linux command line

Issue 12 If you are at your computer now, you may want to follow along. Open a terminal and then type whoami. (Remember to run all of the words together with no spaces, and press enter.) Here's what you get: $ whoami rosalyn $

This may seem to be a bit of a philosophical question to be asking your computer, but don’t worry. Your computer has a very concrete world-view. It should return your login name. The word that you just typed is a command. The computer executed the command and returned a result, your username.

Using commands Commands are written in a particular way. The command is typed first with no spaces in the name. Then after a space, you can sometimes modify the command by adding what are called options. Options change or limit the way the command is executed. Options are usually preceeded by a dash. A command may also include the name of a file or directory that you want the command to work on. The finished command will look something like this. command -option file

The best way to understand the command line is to use it. Try typing ls. Remember that GNU/Linux is case sensitive so you must use lower case. When you press enter, the computer will return to you a list of file names in the directory that you are in. The command ls stands for list. When I type this command, I get the following response: $ ls captions.txt $

photo1.png

Files are documents, images or programs on your computer. Directories are like boxes that hold the files. You are always considered to be within some directory. Most of the time, commands only act on the files within the directory in which you are located. So, when you list using ls, you get a list of all of the files in the directory that you are in, not all of the files in the computer. When you use the command line, you are learning to talk “face to face” with your system. You can tell it precisely and concisely what you want it to do. There is something truly freeing about this power Command names are usually shorthand ways of representing a word, such as ls for list, or mv for move. Sometimes, however, they are oddly abbreviated. Using the command line requires you to learn the names of the commands. The advantage is that by learning the language you can talk directly to the computer without needing a point and click interpreter program explaining what you mean. When you type ls the names of all of the files in your current directory are written on the terminal screen, and the prompt returns waiting. It is asking, “What next my master?” Let’s ask the same question again, but we will modify it using an option. Type ls -a: $ ls -a . .. captions.txt

photo1.png

ovices 14 that teachessome simple commands such as ls, cd and pwd and explainshow to learn more

Issue 12 $

Remember to add an empty space between the command and the option. The -a option in this instance stands for all. This command prints a list of files and directories, only it adds some files at the beginning that start with a period. (We call that period a “dot”.) These “dot” files are hidden files, and you normally are not meant to see them. That's why they didn't come up the first time you typed ls. Even though they have been hidden, nothing malicious is meant by hiding them. Dot files are usually configuration files or other files used by the computer. They are hidden to keep you from modifying them by accident. Now that you can speak the computer’s language, you can ask it to show you things as they really are. This is part of the power of the command line, and the reason that most advanced GNU/Linux users prefer it. When you use the command line, there is no intermediary program only telling you what you need to know. The command line does not treat you like an idiot. The command line does not treat you like an idiot The option -a showed you all of your files. There are many other options for ls. The -p option helps you tell the difference between a file and a directory by writing a slash beside each directory. The -l option will print a table of your files that describes not only the name, but the size, the date created, the permissions, and who owns the file. You can type each of these options separately, or you can combine them. To see ls with all of the options that I described, type ls -alp. The following is what I get: $ ls -alp total 192 drwxr-xr-x drwxr-xr-x -rw-r--r--rw-r--r--

2 48 1 1

rosalyn rosalyn rosalyn rosalyn

rosalyn 4096 rosalyn 4096 rosalyn 8 rosalyn 178839

2006-01-13 2006-01-13 2006-01-13 2006-01-13

00:45 00:45 00:12 00:45

./ ../ captions.txt photo1.png

If you want to know what all of the options for a command are, and what they stand for, type --help after the command. It won’t work for every command, but it is often the easiest way to learn. When you type ls --help the computer tells you how to order the parts of the command and it lists the options for ls explaining what each option does. You may notice that many options have two forms. The short form has one dash and a letter, and a longer form has two dashes and a word. You use whichever one is easier for you to remember. Therefore you could have typed ls --all to get a list of all files including the dot files. It is an identical command to ls -a.

Getting help You can learn commands in many ways. Sometimes you will see them mentioned in articles, or someone might tell you of them. When you learn of a command, it is best to try to find out what it does BEFORE you use it. The computer assumes that you know what you are doing, and so it will happily erase the entire disk if you ask it to, without pausing to ask if you really meant to. My name is Mud Back in the cave days of personal computers, while trying to learn the Apple Disk Operating System, I created a file called mud and did all kinds of commands on it. To learn what the command init did, I typed init mud. I expected it to do whatever init did to a throw away file named “mud”. Instead, it erased my drive, and the only thing that came up when I started my computer was the sentence, “my name is mud”. Don’t make the same mistake I did. Always look up a command before you use it for the first time.

An introduction to the command line for novices that teachessome simple commands such15as ls, cd

Issue 12 So how exactly can you look up what a command does? One of the simplest ways is to use the command whatis. Try typing whatis and the name of the command in question. It will return a short explanation of a command. For example, when you type whatis mv you get: $ whatis mv mv (1) $

- move (rename) files

This is fine if you want to know simply what a command does. But if you want to know all of the options as well as seeing examples and more complete descriptions, then you need to look at the manual pages. Type man and a command name and a page will open up giving you lots of information about that command written in paragraph form. man stands for manual and most commands will have a manual page, although some are more complete than others. If you type man ls and press enter, then the terminal will fill the screen with the ls manual page. Hit the space bar to cycle through the pages. When you reach the end of the file, it will usually drop you back onto the command line, but if it doesnâ&#x20AC;&#x2122;t just hit the letter Q (quit) to exit.

The man page for the command ls There is also another system of help pages found on your computer called info pages. man and info pages are similar in content, although they vary a bit in how they are displayed. The display system in info pages is based on an editor called emacs. man pages are an older system. Even so, you might want to try both. I suggest that you try the following commands: man man info info

The first command takes you to the manual page for the command man, and the second takes you to the information page for the command info. If you want to know all of the options as well as seeing examples and more complete descriptions, then you need to look at the manual pages You may need to type a special command to exit from an info page. Try pressing the control button and the C button at the same time (Ctrl-C) or press control and Q (Ctrl-Q) to exit.

Navigating the file system

ovices 16 that teachessome simple commands such as ls, cd and pwd and explainshow to learn more

Issue 12 The files in a GNU/Linux system branch from large to small like the branching roots of a tree. The trunk of the tree is a directory called root represented by a forward slash (/). This directory will have a number of subdirectories with names such as bin, lib, usr, home, and etc. Another way to think of a directory is as a box. The box may contain objects called files, or it may contain other boxes. Each of those boxes may contain other boxes as well. Any location in this “file system” can be described by listing the boxes in order from the biggest box (/) to the smallest.

Your file tree is like a set of nested boxes. Let’s say I have a file called photo1.png which is a picture of me. I can put it in one of the boxes. Then if I want to explain where the photo is, I might write a list of box names such as /home/rosalyn/familyphotos/photo1.png

This is the complete filename of photo1.png. The list of boxes that tells where it is located (/home/rosalyn/familyphotos/) is called the path. If you are coming from a Microsoft Windows system, please notice that there is no drive letter in the path name. To find your current location type the pwd command: $ pwd /home/rosalyn/Familyphotos

pwd stands for “print working directory”. It will print your current path telling you where you are in the file system. You can navigate around the file system using the cd (change directory) command. Type cd followed by the name of the the directory that you wish to go to. If you type it without a destination it will return you to your home directory. Type ls -a again: $ ls -a . .. captions.txt $

photo1.png

The first two files listed are “.” and “..” called “dot” and “dot-dot”. The directory that you are currently in is the “dot” file, and the directory one above you is called “dot-dot”. Therefore, to go up to the next higher directory, you type cd .. (the letters “cd” followed by a space and then dot-dot).

An introduction to the command line for novices that teachessome simple commands such17as ls, cd

Issue 12 Once you learn the language, a whole new world is open to you First, let’s check our location with pwd. Then we will move up the file system and check it again: $ pwd /home/rosalyn/Familyphotos $ cd .. $ pwd /home/rosalyn

Notice that your pathname is shorter. If you started at /home/username now you will be at /home. Using pwd (print working directory), ls (list), and cd (change directory) you can now go all around your file system finding where everything is located. More command line help Try some of the following websites for more command line help. • Linux command.org (http://gd.tuwien.ac.at/linuxcommand.org/index.php) • Tuxfiles Linux command line tutorials for newbies (http://www.tuxfiles.org/linuxhelp/cli.html) • Wikibooks Linux for Newbies guide (http://en.wikibooks.org/wiki/Linux_For_Newbies) • Introduction to Unix (http://wks.uts.ohio-state.edu/unix_course/intro-1.html) • UNIXhelp for Users (http://star.pst.qub.ac.uk/help/unixhelp/) • Digital Unix Command and Shell User’s Guide (http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/V40D_HTML/APS2HDTE/TITLETXT.HTM)

Enjoying the command line When you use the command line, you are learning to talk “face to face” with your system. You can tell it precisely and concisely what you want it to do. There is something truly freeing about this power. You can kill programs that hang up your system. You can view the history of the last several commands that you have typed, or a listing of the top twenty jobs running on your computer at the time. Once you learn the language, a whole new world is open to you. The point and click graphical interface limits you to what the designer of the system believes that you need. Language is still a much more powerful tool. When you learn to talk the language that your computer understands, there is no middle man. Try it and in time you too may learn to love the command line.

Biography Rosalyn Hunter (/user/36" title="View user profile.): Rosalyn Hunter has been on the internet since before the web was created. Born into a family of instructors, she has made it her life's goal to teach others about the important things in life, such as how to type kill -9 when a process is dead. She lives in a little house on the prairie in the American West with her husband, her three beautiful children, a cat and a dog.

ovices 18 that teachessome simple commands such as ls, cd and pwd and explainshow to learn more

Issue 12 Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

An introduction to the command line for novices that teachessome simple commands such19as ls, cd

Issue 12

ovices 20 that teachessome simple commands such as ls, cd and pwd and explainshow to learn more

Secure your email communication with free software A guide for installing, configuring and using Mozilla Thunderbird, Enigmail, and GnuPG to provide secure and encrypted email By Jerome Gotangco Email is one of the most common activities we perform on the internet. However, email is also one of the most vulnerable internet services currently used. Email spam is common, but what most people are not aware of is that email identity theft is common as well. There is also continuous concern over the privacy and security issues surrounding the matter. However, most users dismiss security software as complex and still continue to send email messages with very little or no regard at all to security. In this article, you’ll learn how to install, setup, and use the Mozilla Thunderbird email client for secure, encrypted email using GnuPG and the Enigmail Mozilla Thunderbird extension. The examples in this article are based on Ubuntu 5.10, but any GNU/Linux-based operating system can be used. You’ll also get to tackle the basics of using GnuPG with Enigmail—just enough to get you started, as GnuPG is a very powerful suite that can extend to other applications. If you’d like to learn more about cryptography using GnuPG, the man pages are a good place to start. Don’t worry though, GnuPG is very well documented and you’ll be presented with some links online at the end of this article to get you started. If you’re still using Microsoft Windows, you can still apply the steps presented, but you’ll have to download and configure the Win32 counterparts of the software used.

Installing the essential applications Assuming you’re already running Ubuntu 5.10, you need to install three software packages to be able to start sending secure email. These are: • Mozilla Thunderbird (http://www.mozilla.com/thunderbird/)—a free software, full-featured and secure email client from the Mozilla project. It is currently available for GNU/Linux, Windows and MacOSX • Enigmail (http://enigmail.mozdev.org/)—Enigmail is an extension to the mail client of Mozilla Thunderbird which allows users to access the authentication and encryption features provided by GnuPG. • GnuPG (http://www.gnupg.org/)—GnuPG is a complete and free replacement for the PGP (Pretty Good Privacy) suite of cryptographic software; and it’s released under the GNU General Public License. You’ll also need an email account that has POP3, SMTP and/or IMAP support. Your Internet Service Provider (ISP) may have provided you one. If you are using a free email account, check your email provider if it has support for such. Gmail (http://gmail.google.com/) provides free POP3 and SMTP support, so you can make an account (if you haven’t already) and use it for this exercise. You’ll need an email account that has POP3/SMTP and/or IMAP support to be able to download your email messages to Thunderbird Ubuntu officially supports these packages and they can easily be installed from the network. You can use the Synaptic package manager to install them. From your GNOME desktop just click on System → Administration → Synaptic Package Manager. Once selected, you’ll be asked for your sudo user password (in Ubuntu, this is normally the first user you create during setup if you did a default install) and then you’ll be presented with the Synaptic Package Manager as shown in figure 1.

Secure your email communication with free software

Issue 12

Figure 1: The Synaptic Package Manager In Synaptic, click on “Search” and look for the following packages: mozilla-thunderbird, mozilla-thunderbird-enigmail and gnupg. The package gnupg was most likely installed already during your initial setup of Ubuntu, so you can skip this; but in case it wasn’t or you’ve removed it, you’ll have to include it. Once you have selected the three packages, click on “Apply”. Synaptic will then check for package dependencies and install them as needed. Once you have the packages installed, you can now close Synaptic.

Setting up your email client Now that Thunderbird, Enigmail and GnuPG are installed, you can open up Thunderbird and create your first key pair. From your desktop, click on Applications → Internet → Thunderbird Mail Client. This will open up Mozilla Thunderbird. You will be asked to create your email account when you open up Thunderbird for the first time. If you haven’t created one, it’s a good time to set it up now. Thunderbird provides a wizard to help you setup your email account. For this article, I’m going to use a fictitious email account named jerome@freesoftwaremagazine.com. Figure 2 shows how Thunderbird looks after setting up the email account.

Figure 2: The Mozilla Thunderbird email client with Enigmail installed

Setting up Enigmail and creating your Key Pair Once your email account is ready, you need to generate a new “key pair”. A key pair consists of two keys: the public and the private key. This pair (along with the other pairs used by other people worldwide) is essential to make Public Key Infrastructure (PKI) possible. To put it simply, people can send secure, encrypted email to you using your public key but you need your private key to decipher it, and vice-versa. All of this is made possible while using an unsecured public network such as the internet.

figuring22 and using MozillaThunderbird, Enigmail, and GnuPG to provide secure andencrypted email

Issue 12 A key pair consists of two keys: the public and the private key. This pair (along with the other pairs used by people worldwide) is essential to make Public Key Infrastructure (PKI) possible If you’ve used Thunderbird before, you’ll notice that after installing the mozilla-thunderbird-enigmail package, a new menu entry appeared: “Enigmail”. Before creating your first key pair, you need to configure Enigmail to use GnuPG by adding its executable path. Select “Enigmail” and click on “Preferences” and the Enigmail Preferences window will appear (as shown in figure 3).

Figure 3: Adding the GnuPG path in Enigmail preferences To begin with, just focus on the “Basic” settings to get Enigmail running. First, you’ll need to add the executable path of GnuPG. In Ubuntu, this is located at /usr/bin/gpg. So, add that to the “GnuPG executable path” field and click on “Ok”. Other settings such as additional parameters, passphrase settings and keyservers can be left as is for now. You can go back to those settings later when our key pair is done. After adding the executable path of GnuPG. You’re now ready to create your first key pair. From Thunderbird click on “Enigmail” and select “OpenPG Key Management”. (This is shown in figure 4.)

Figure 4: Empty keyring in OpenPGP Management Notice that you still have an empty keyring here. You’ll get to populate it later after creating your first key pair. From this window, click on “Generate”, and select “New Key Pair”. A new window should appear with your default email account for your new key pair already selected. If you have multiple email accounts in Thunderbird, you can select which key to use, or, if you prefer, have your key pair use different email accounts (as shown in figure 5) as additional User IDs (I’ll cover this more later).

A guide for installing, configuring and using MozillaThunderbird, Enigmail, and GnuPG to provide 23 se

Issue 12

Figure 5: Generating a new key pair From here, select the email account that you want to create your first key pair for. Selecting “Use generated key for the selected identity” makes this key your default if you have multiple keys installed. Since you’ll be using Enigmail to secure your email, it’s a good idea to assign a passphrase for your key pair. Your passphrase will be used everytime you sign, encrypt and decrypt email. Keep the passphrase to yourself and make sure you don’t forget it. If you need to write it down, make sure you place it in a secure place (don’t even think of putting it in your wallet or purse). Your passphrase is very important since your use of the key depends upon it. You can also opt to disable passphrases but this is not a good idea especially if you’re going to use your key to send and receive sensitive information. Keep the passphrase to yourself and make sure you don’t forget it. If you need to write it down, make sure you place it in a secure place (don’t even think of putting it in your wallet or purse) You can add a comment to your key if you want to. Comments are useful if have multiple keys installed in your machine. Make your comment descriptive enough that people will easily identify you with it. If you don’t want to add a comment, you can leave this field blank. You can also choose if you’d like your key to expire in a given period of time. Enigmail defaults this at 5 years, but you can also choose to increase or decrease the duration or to have a non-expiring key. Key size pertains to the length of the key which can determine how long it takes to encrypt an email message; hence using a 2048 bit key to encrypt a message will take much longer than using a 1024 bit key. The larger the key, the longer time it will take for a cracker to decipher your encrypted message. You are given the choice between 1024, 2048 and 4096 bit keys. Determining the size of key to use depends entirely upon your requirements, but 1024 bits is reasonable enough for everyday use. The larger the key, the longer time it will take for a cracker to decipher your encrypted message Once you have filled up the required fields, it’s time to generate your key! Click on “Generate key” to create it! It’ll take a few minutes to generate your key—much longer if you chose a higher key size. Feel free to continue on with your work and let the system run and generate the key from the background. When the key creation is done, you’ll be notified about it and asked if you want to create a revocation certificate. A revocation certificate is useful for if the secret key of your key pair gets lost. Just click “Yes” and Enigmail will prompt you to choose a location where you want your revocation certificate to be saved. (This is shown in figure 6.)

figuring24 and using MozillaThunderbird, Enigmail, and GnuPG to provide secure andencrypted email

Issue 12

Figure 6: Dialog box confirming the creation of a new key pair and recommending the creation of a revocation certificate You can move this revocation certificate to a USB flash disk along with your private and public key and store it in a secure place in case your machine dies along with your keys. That way, you’ll still be able to move to a new machine and just import your existing keys to be used again. Once this is done, you’ll get back to OpenPGP Key Management. But this time around, your key pair is now visible (and highlighted, which means it is your default key pair). But before you use it, it would be a good idea to make a backup of your key pair first and store it along with your revocation certificate which you did a while ago. From the OpenPGP Key Management window, select your default key pair, right-click and choose “Export Keys to File”. You’ll then be asked if you want to include your secret key. If you’re backing up your key pair for the first time since generating it, you should include your secret key. Click on “Yes” and store it in your computer; then, make sure you back it up in a USB flash disk or backup media that you’re familiar with. The secret key is very important and when your only copy gets lost (stolen machine, disk failure, etc.) your key pair becomes useless. You can export your public key to be sent to a peer or co-worker to add to their own keyrings. For this, do not include your secret key when exporting. Your secret key is for your own use and is needed when decrypting secure email. If someone gets hold of your secret key, it is already compromised and you’ll have to send the revocation certificate to people in your keyring to let them know that your key can no longer be trusted.

Adding keys of other people Now that you have generated and backed up your key pair, it’s time to add the public keys of other people you want to be in your keyring. For this, you’ll have to download their public keys from a public keyserver (or to receive their signed emails), and then add their key to your own key ring. To be able to send an encrypted email message to someone, first, you need to obtain his public key. A person’s public key can be obtained in two ways: • You have received the public key via email, or have it on file. • You have searched and downloaded the public key from a keyserver. If you have received another person’s public key via email or have it on file, you can import the key using OpenPGP Key Management by selecting File → Import Keys from File, and then selecting the key that you want to import (the key uses 3 possible file extensions: *.asc, *.gpg, and *.pgp). The public key should then be added to your default keyring. Obtaining public keys with this method is not practiced that much, since people can upload their public keys to a public keyserver available from the internet. You can just search the keyserver for a person’s public key then import it to your keyring. This is one of the compelling reasons why PKI is very useful from a global perspective.

A guide for installing, configuring and using MozillaThunderbird, Enigmail, and GnuPG to provide 25 se

Issue 12 You can easily add a new public key to your keyring using Enigmail. Let’s say you want to add Linus Torvald’s key to your personal keyring. To do this, just open up OpenPGP Key Management and click “Keyserver” then select “Search for Keys”. A small window will open up asking you what key you want to search for and what keyserver to use. For the keyserver, just leave the defaults as they are since this will work (you can add more keyservers later). As for the key you want to search for, you can use a person’s whole name, email address, or the key ID itself. For this example, I just wrote “Linus Torvalds”, used the default keyservers listed and clicked “Ok”. Figure 7 shows the result of this example search.

Figure 7: A list of public keys from the search result From the search results, you see a lot of keys with the name Linus Torvalds. Let’s assume that you personally know his public key (in reality, I don’t; we’re just using this key for the exercise), so click on the box bearing the email address torvalds@osdl.org and click “OK”. This public key will then be retrieved from the online keyserver and then added to your personal keyring. When the process is complete, your OpenPGP Key Management window will now look like figure 8.

Figure 8: A populated keyring in OpenPGP Management window Notice that I’ve also added my real public key for this exercise using the same method. When you are done importing public keys from a keyserver, you will have a simple keyring that can be used to send secure email to people as long as they are part of it.

Adding User IDs Some of us maintain more than one email address. The most common scenario is having one account for home, then another for work. You can create a key for each account that you maintain, but that would mean you’ll have to remember a lot of passphrases and Key IDs. What you can do, though, is have all those email addresses use one single Key ID and create multiple User IDs as needed. To do that, make sure OpenPGP Key Management is open, then right-click in the window and select Manage User IDs. Then select the key pair that you wish to add a new User ID (shown in figure 9).

figuring26 and using MozillaThunderbird, Enigmail, and GnuPG to provide secure andencrypted email

Issue 12

Figure 9: Creating a new User ID Select the key that you want to add a User ID to, then click “Add”. A window will appear where you can add your new User ID. From here, add your email address, name and comment to the User ID. You will then be asked for your passphrase before adding the new User ID to your key. Adding a new entry also makes it your new Primary User ID, but you can change this anytime by going back to the window and selecting the ID that you wish to become your primary. Now that you’ve created your key, made your backup and downloaded the public key of one popular free software personality, you’re all set to send secure messages—all of this without touching the command line! For sending email, you won’t use the command line anymore because your’e going to use Thunderbird.

Sending your public key by email or to a keyserver The next step, after adding a new user id to your primary key, is to make sure people all over the world will be able to get your public key and use it to communicate with you in a secure manner. Remember the key pair right? As I have said earlier, it has 2 parts: the public key and the private key. Again, the private key belongs to you and it should never be given to anyone at all. However, you do want people to know your public key and there are two ways for people to get it. The first method is send your public key to your contact by email. Since Thunderbird is an email client, it can send the email itself along with the public key in one click. From OpenPGP Key Management, click on your default key pair and select “Send Public Keys by Email” (see figure 10).

Figure 10: Sending an ASCII-armored public key by email This action creates an ASCII-armored file that contains your public key and is ready to be sent to your contact. Once your contact receives it, they’ll be able to add your public key and then connect with you using secure email.

A guide for installing, configuring and using MozillaThunderbird, Enigmail, and GnuPG to provide 27 se

Issue 12 The second method is to send your public key to a keyserver. This is the most convenient way for people to obtain your public key, rather than asking for it from you via email or other forms of communication. When you get to sign keys, you’ll be uploading the updated public keys of other people. Both actions employ the same routine on uploading the public key to the keyserver. To do this, from OpenPGP Manager, select your default key, right click and choose “Upload Public Keys to Keyserver”. This will open up a window where you can put what keyserver you want to use (as shown in figure 11).

Figure 11: Selecting a keyserver before uploading the public key The default keyservers work, but you can indicate any keyserver you want such as pgp.mit.edu, keyserver.ubuntu.com and more. Don’t worry about what keyserver to use; all of them should work fine because they synchronize with each other almost instantaneously. When signing another key, you’ll also be requested to upload the public key that you signed to a keyserver. The same actions apply here when uploading a signed public key.

Signing an email message with your key Unless you’re in a very sensitive position that involves national security, you’ll have very little need to encrypt all email messages to your contact list. Sometimes, you just want to make sure that your contacts are aware that it really was you who sent the email message that they just received. This is where GnuPG key signatures come in handy. You can also opt to have all messages signed by default with your key. You can do this by going to your Thunderbird Account Properties (Edit—Account Properties) and select your account. You’ll see a folder named “OpenPGP Security” (see figure 12)

Figure 12: OpenPGP options in your account

figuring28 and using MozillaThunderbird, Enigmail, and GnuPG to provide secure andencrypted email

Issue 12 From this window, make sure “Sign non-encrypted messages by default” is checked. This will mean that any email correspondence that is sent using this account are signed. Once you have filled out the details, click on “Ok” to close the window. With this setting, every email message that you send outside will be signed by your key. From Thunderbird, click on “Write” and you’ll get to compose an email; however, notice at the lower right side of the picture has a green pencil: this means the email will be signed using your key. For this example, I am sending a copy of the GPL V2 to Linus Torvalds, but I’m going to sign this email so that he’ll know that it was actually me who sent the email to him. When your email is done and about to be sent to your contact, you will be asked for your passphrase. When you are authenticated, the email will be sent to your recipient but will be signed as seen in figure 13.

Figure 13: Signed email from Thunderbird The email recipient will then be able to retrieve your public key from a keyserver using your signature. Having this email signed also assures the recipient that it was actually your own email account and its corresponding key that signed and sent this email message.

Encrypting and decrypting an email message with your key Encrypting the above email message which you have already signed is the next step. Fortunately, this is made simple with Enigmail. From the current email composition window, you can just click “OpenPGP” and select “Encrypt Message”. You also encrypt this message by just clicking on the small key icon on the lower right side of the composition window. When the key is colored green, it means the message will be encrypted. Once you send this email, you’ll then be asked for your passphrase and the message will be encrypted using your key. Encryption makes your email only readable to the person you intend it for—hence the need for the person’s public key to encrypt the message. Our GNU GPL V2 message to Linus Torvalds, once encrypted, looks like that shown in figure 14.

Figure 14: Encrypted email from Thunderbird

A guide for installing, configuring and using MozillaThunderbird, Enigmail, and GnuPG to provide 29 se

Issue 12 When Linus receives this encrypted email message, all he has to do is decrypt it using his passphrase and he would be able to read the GNU GPL V2 message that I sent. Assuming I received the same email, I can easily decrypt this email by selecting “Decrypt” from the menu and entering my passphrase when asked. Figure 15 shows how it looks once decrypted.

Figure 15: Decrypted email from Thunderbird Now that everything is in place, you can feel comfortable in the thought that you can send secure email messages with very little time and effort. There are still some precautions to consider, like keeping a secure copy of your key pair as well as your passphrase. But, when used properly, the software triumvirate of Mozilla Thunderbird, Enigmail and GnuPG makes a compelling choice for secure email for beginners and seasoned users. Since the software is cross platform, it can also be used in Microsoft Windows, but you will have to configure the software settings differently from what I have done here for Ubuntu.

Notes and resources Mozilla Thunderbird Homepage (http://www.mozilla.com/thunderbird/). Enigmail Homepage (http://enigmail.mozdev.org/). GnuPG Homepage (http://www.gnupg.org/). Ubuntu (http://www.ubuntu.com). The GNU Privacy handbook (http://www.gnupg.org/gph/en/manual.html). GnuPG Key signing Party HowTo (http://www.cryptnet.net/fdp/crypto/gpg-party.html). Biglumber (http://www.biglumber.com/)—key signing coordination site.

Biography Jerome Gotangco (/user/22" title="View user profile.): Jerome Gotangco is an active member of the Ubuntu Documentation Project, a free software volunteer project that develops and maintains documentation for the Ubuntu operating system. He currently serves as External Vice President of the Philippine Linux Users Group, the oldest Linux usersâ’ group in Asia. He is also a frequent speaker and author on the topic of Ubuntu and free software. He can be reached via email at â’ jgotangcoâ’ followed by the at sign followed by â’ ubuntu.comâ’

Copyright information Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available at

figuring30 and using MozillaThunderbird, Enigmail, and GnuPG to provide secure andencrypted email

Issue 12 http://www.gnu.org/copyleft/fdl.html. Source URL: http://www.freesoftwaremagazine.com/articles/secure_email

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

A guide for installing, configuring and using MozillaThunderbird, Enigmail, and GnuPG to provide 31 se

Issue 12

figuring32 and using MozillaThunderbird, Enigmail, and GnuPG to provide secure andencrypted email

Stylish XML Part two: using XSL to transform your XML documents By David Horton Part one (/articles/stylish_xml) of this article looked at how Cascading Style Sheets (CSS) can be used to make XML documents look good in a web browser. In part two, I’ll explore the more complex eXtensible Style sheet Language (XSL) and how it can be used to transform XML into HTML and PDF documents.

Limitations of XML/CSS By the end of part one of this article I had a my tasty pico de gallo recipe marked up with XML tags and nicely styled using CSS. It looked great in my Firefox browser. Unfortunately, one of the major problems with using XML/CSS is that it doesn’t work for everyone. Older, proprietary browsers and text-only browsers can only understand HTML and get terribly confused when trying to interpret XML/CSS. If I want to share my delicious recipes with someone using Netscape 4 or Lynx, I’m going to have to convert my XML into a format that their browser can handle. This means leaving behind CSS and constructing a new style sheet using the eXtensible Style-sheet Language (XSL). Unfortunately, one of the major problems with using XML/CSS is that it doesn’t work for everyone As long as I’m in the mood for creating new things, I may as well create a new XML recipe to use for the examples in this article. You already have a recipe for a nice appetizer from part one, and now, for part two, you just need a drink to go with it. I can’t think of anything better to have with pico de gallo and tortilla chips than a cold margarita so that’s what I’ll use in the examples. By the way, the margarita recipe and all of the style sheets in this article are available as a compressed download.

Transforming with XSL An XSL Transformation, or XSLT, is the process of transforming an XML document into another type of XML document. Now why on earth would someone want to transform one XML document into another XML document? I’ll give you a hint, Grasshopper: HTML is another type of XML document. I can build a custom XSL style sheet, apply it with a tool called an XSLT processor and presto, my XML is magically transformed into HTML. In the examples, I will be using the XSLT processor called xsltproc to process the XSL style sheets. The xsltproc tool should be available as a package for most GNU/Linux distributions and Apple’s OS X, if you want to follow along. The basic syntax for the command is xsltproc -o [output-file] [style-sheet] [input-file]. Or, in the case of this article’s examples, xsltproc -o output.html recipe-style.xsl margarita.xml. If you don’t have access to xsltproc, or if you’re just feeling a little apathetic about typing all these commands, the output files from each of the examples are included alongside the other files in the compressed download. An XSL Transformation is the process of transforming an XML document into another type of XML document

Simple beginnings The most basic XSL style sheet is one that does nothing at all. Of course, there are a few headers that are required, but for the most part the style sheet is devoid of any processing instructions. When using a blank style sheet like this, it appears that xsltproc simply strips the tags from the XML recipe and dumps it as plain text to the output file. Close, but not quite. Take a look at the first line of the output and you will see a document-type declaration for HTML. This was added during processing, because the second line of the recipe-style.xsl specifies HTML as the output document. So I’m on the right track, but output.html displayed in a browser looks really bad. That’s because the only output I have produced so far is a plain-text file masquerading itself as HTML.

Stylish XML

Issue 12

Output produced by an “empty” style sheet

Introducing the XSL template A real HTML document should have tags and currently output.html has none. To make a valid HTML file I’ll need to fix up the XSL style sheet to at least produce <html>, <head> and <body> tags in the appropriate places. This can be done by adding a single XSLT processing rule called a template. You can think of an XSLT template as being like a word processor’s find-and-replace feature. You use the “match” attribute to tell the template what XML element it should find. Everything between the template’s starting and ending tags is the replacement text. To convert my margarita recipe to HTML I need my style sheet to match the recipe element in the XML source file and replace it with appropriate HTML elements in the output document.

HTML tags are here, but the recipe’s gone! It wasn’t hard to add the template rule to my recipe-style.xsl style sheet and get the HTML tags I wanted to see. Unfortunately, although I am one step closer to a valid HMTL document, it seems that all of the recipe’s content has now disappeared. This is because I have started using processing rules in my style sheet, but I have not followed through by specifying where to place the recipe’s content. Adding a simple <xsl:apply-templates /> element between the HTML <body> tags will fix things up and get my recipe content back.

Part two: using XSL to transform your XML documents

Issue 12

<apply-templates /> brings the recipe’s content back

Templates galore Now that I have created some basic HTML output, my recipe just needs a little aesthetic improvement. OK, so it needs a lot of improvement, especially in terms of appropriate line breaks and whitespace, but this is something I can easily do by employing more XSL templates. So far I’ve used a single XSL template in my recipe-style.xsl file. There’s no reason I should stop at just one. In fact, I can create a template for each XML element in my margarita.xml source file to give the HTML output a nice look. You can think of an XSLT template as being like a word processor’s find-and-replace feature Since I am to catering to people with older, proprietary browsers and text-only browsers, I’ll use standard HTML tags to achieve the basic style I want. A big improvement to my HTML output can be made by just by adding <p> and <br> tags to get line-breaks in the correct places. I can also change the font size for the title and section heading by using <h1> and <h2> tags, respectively. Four more simple templates added to recipe-style.xsl give the HTML output a more appealing look.

More templates for a better look

The value of a title My recipe already has the title displayed as a nice big level-one heading, but it really should have a title between the HTML <head> tags as well. It’s not a big deal in terms of the look of the document, but it is required for my output to be considered valid HTML. I already have a template for the XML title element that displays it between <h1> tags in the HTML output and now I need to use the title again in another place, this time between <title> tags. While it is possible to write two templates for the title element and apply them differently in different situations, it is far easier to use an XSL <value-of /> element.

Part two: using XSL to transform your XML documents

Issue 12 Remember when I said that templates were like using find-and-replace in a word processor? Well, <value-of /> is like using just the find without the replace, and it uses a select attribute to specify what to find. For example, if I want to know what text is between the <title> tags in my XML document I would simply use <value-of select="title" /> in my XSL style sheet to find it. Strategically placing this value-of element in my XSL style sheet will result in the recipe title appearing in the HTML header of my output as well as in the body. The result doesn’t look that much different in a browser, but by adding this title the HTML will now pass W3C’s markup validation (http://validator.w3.org).

HTML that validates

Transforming to PDF and more With just a few simple templates, XSL does a great job of transforming my XML-based margarita recipe into HTML, but that’s not all it can do. With a little more work I can also produce documents for Adobe Acrobat or OpenOffice all from the same XML source file. I’ll need to construct a new XSL style sheet and install a new tool called a Formatting Objects processor, but otherwise the procedure is very similar to what we’ve covered so far. The reason for the new style sheet and the new tool is that transforming to PDFs is a two-step process. First, I will use XSL templates to transform my XML-based margarita recipe into another type of XML document. Sounds familiar right? Only this time I’m not transforming into HTML, but rather into a markup language called Formatting Objects (FO). The second step is to take the FO markup and run it through the FO processor to get a PDF document. Formatting Objects markup may look scary at first, but it’s not bad after you play around with it a bit. To help you get comfortable I have included a sample XSL style sheet and Formatting Objects output as part of the files in the compressed download.

Further exploration This article barely scratches the surface of the everything that can be done with XSL and FO. For those of you who want to go further, I have listed some helpful references below. The W3 Schools website has some good tutorials covering XSL transforms (http://www.w3schools.com/xsl/) and XSL formatting objects (http://www.w3schools.com/xslfo/). There are some XSL style sheets that you can download and examine both from my web site (http://www.happy-monkey.net/recipebook/) and from the DocBook XSL repository (http://docbook.sourceforge.net/). You can also learn a lot from using the various tools. Available XSLT processors include xsltproc (http://xmlsoft.org/XSLT/xsltproc2.html) and Saxon (http://saxon.sourceforge.net/). A couple of my favorite Formatting Objects processors are Apache FOP (http://xml.apache.org/fop/) and XMLMind’s FO Converter (http://www.xmlmind.com/foconverter/). All but xsltproc are Java-based and may be used on a variety of

Part two: using XSL to transform your XML documents

Issue 12 platforms.

Biography David Horton (/user/13" title="View user profile.): David Horton got started with GNU/Linux in 1996 when he needed a way to share a single dial-up internet connection with his college room-mates. He found the solution he needed with an early version of Slackware and a copy of the PPP-HOWTO from The Linux Documentation Project. Ten years later he is older and wiser and still hooked on GNU/Linux. Many of Dave's interests and hobbies can be explored on his website (http://www.happy-monkey.net).

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

Part two: using XSL to transform your XML documents

Issue 12

Part two: using XSL to transform your XML documents

Hardening Linux Web Servers Comprehensive security spans several disciplines, learn how to secure a system, to host securely coded PHP and Java web services By Yousef Ourabi Security is a process, not a result. It is a process which is difficult to adopt under normal conditions; the problem is compounded when it spans several job descriptions. All the system level security in the world is rendered useless by insecure web-applications. The converse is also trueâ&#x20AC;&#x201D;programming best practices, such as always verifying user input, are useless when the code is running on a server which hasnâ&#x20AC;&#x2122;t been properly hardened. Securing forward facing GNU/Linux web servers can seem like a daunting task, but it can be made much easier by breaking the process into manageable portions. This article will cover installing, configuring and hardening free software web servers and associated software including Apache 2.2.0, MySQL 5.0.18, PHP 5.1.2, Apache-Tomcat 5.5.16 and common Apache modules such as mod_security, mod_ssl, mod_rewrite, mod_proxy and mod_jk. Common security mistakes in web-applications and how to fix them will also be discussed, focusing on PHP and Java environments. The most common and apt analogy for security is the onion. That is to say it is a layered approachâ&#x20AC;&#x201D;any one layer is inadequate, the onion is the sum of its layers. With that in mind, this article attempts to bridge the knowledge gap between system administrators and web developers, allowing individuals tasked with security to achieve a layered security solution. Only a basic understanding of GNU/Linux and common command line tools is assumed. Note: due to formatting constraints, long lines of code are often broken into several smaller lines using the \ character. This is not a return and when typing in the line you should not hit the enter key, it is just to prevent line wrapping. Output from commands will also be limited to relevant fields, so the output will look slightly different when you run the commands on your system. Security is a process, not a result

Security at the system level System level security is one of the most crucial layers in any defense. Hardening at the system level is roughly categorized into network security and file system security. Network level security can be increased by securing common services such as xinetd (otherwise known as the super server) and OpenSSH, by correctly configuring or disabling them and enabling a firewall (in our case, iptables. File-System security can be increased by: preventing common avenues of attack, such as root kits; enabling intrusion detections systems (IDS) to verify the integrity of key configuration files; by using tools to detect and remove root kits; and by configuring your logging system so that it will log to a remote host, thereby protecting the integrity of your system logs. Network security The first thing you need to do to secure a system from network attacks is find out which processes are listening for connections and on which ports. There are several time tested tools available for this: nmap and netstat.

Hardening Linux Web Servers

Issue 12 netstat The following command will show you which ports are being listened on, the IP address of the listening socket, and which program or PID is associated with the socket (note: running as the super-user or root is necessary for the program field to work properly). $ netstat -l -n -p -t -u -w (-l is for listening, -n is for IP information and -p is for program/PID information, -t, -u, -w are for tcp, udp and raw socket connections. By setting these flags, I disable displaying information about unix sockets which are not relevant to network security, as they are only used for interprocess communication on the current host.) The output will look something like this: Note: Certain columns have been omitted for space proto tcp tcp tcp tcp tcp tcp tcp tcp udp udp

Local Address 127.0.0.1:8005 0.0.0.0:8009 0.0.0.0:3306 0.0.0.0:80 0.0.0.0:8080 0.0.0.0:22 0.0.0.0:3128 127.0.0.1:25 0.0.0.0:3130 0.0.0.0:32870

State LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN LISTEN

PID/Program name 4079/java 4079/java 18542/mysqld 23736/httpd 4079/java 11045/sshd 23283/(squid) 24453/master 23283/(squid) 23283/(squid)

Understanding the output from netstat is pretty simple. The first field is the protocol, and you will notice that when the protocol is udp, there is no state (as obviously udp is stateless unlike tcp). The next interesting field is the Address field. 0.0.0.0:80 means that the server will respond to any IPs on port 80, while 127.0.0.1:80 means that the server is only listening to the loop back device. nmap Another tool in our arsenal is nmap, the network mapper. nmap is good for determining what ports and services are available on a server from other machines on the network. (Note: The default option is -sS. However, when the system being scanned is running a firewall, such as iptables, it won’t work, as firewalls that block icmp traffic will also block the subsequent scan and the results will be meaningless. The -P0 option disables pinging the host before scanning it, The -O (as in “oh” rather than zero) is to enable nmap’s operating system detection via the network stack fingerprint.) $nmap -P0 -O 10.0.2.10 The output will look something like this: The 1661 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 22/tcp open ssh 443/tcp closed https Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.7 - 2.6.8 Uptime 40.462 days since Mon Dec 26 10:05:57 2005

everal disciplines, 40 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 Now that I know what services are listening on which ports, I can go about securing them. In some cases, the solution will be disabling the unwanted service via inetd; in others, I will use iptables rules to block external access to that port. In the context of a web server, I would recommended disabling all services managed by inetd (if they aren’t already). /etc/xinetd.conf (Red Hat): this file usually has some minimalistic configuration of the logging software and then an include statement for all the files under /etc/xinetd.d, which are configuration files for each service run through the super server. /etc/inetd.conf (Debian): Debian has a much simpler configuration layout—one simple file /etc/inetd.conf containing one line for each service managed by inetd. iptables The venerable iptables has been the standard Linux firewall since the 2.4 kernel. The kernels that come with Red Hat and Debian have the proper modules enabled; however, on Debian systems you may need to install the iptables user land tools. Configuring iptables is fairly simple: iptables has chains, rules and targets. iptables has three built in chains: FORWARD, INPUT, and OUTPUT. To create an effective firewall I will append rules to chains that will be matched by connection type, source or destination address or state. In more advanced configurations, it is favorable to create custom chains and then reference them in the default chains; but, to demonstrate the basic principles, I am just going to append rules to the three default chains. When a connection is being matched against the configured rules, each rule is checked. If it matches, it is executed, if not, the next rule is tested. As such, the rules allowing traffic should be appended first, and the very last line in any chain should be a deny rule. This is the most secure firewall configuration, where everything is dropped except the explicitly allowed connections. If you use Debian, run: $apt-get install iptables ( to install iptables ) $apt-cache search iptables ( to search for packages related to iptables)

To get started with iptables I will list the current rule set using the following command: $iptables --list

(Note: Output has been modified due to formatting constraints.) Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all anywhere anywhere \ state RELATED,ESTABLISHED Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all anywhere anywhere \ state RELATED,ESTABLISHED Chain OUTPUT (policy ACCEPT) target prot opt source destination DROP tcp anywhere anywhere \ tcp dpt:ssh

The partial listing above shows rules that allow incoming traffic that isn’t new; that is to say: the connection has been established from inside the network. IP forwarding follows the same rule, and using ssh to connect out to other hosts is blocked.

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 41 c

Issue 12 The flush command with no options will flush all rules; if a chain is passed, all rules in that chain will be flushed. I’ll flush all rules and begin configuring the firewall. $iptables or $iptables $iptables $iptables

-F -F INPUT -F FORWARD -F OUTPUT

Next, I am going to append the rules to the appropriate chain. A high level overview of the firewall will be the following: 1. Allow outgoing connections initiated from the host 2. Allow inbound ssh connections on port 2 3. Allow inbound http connections on port 80 4. Allow inbound https connections on port 443 5. Block outbound ssh connections 6. Block everything else # Enable stateful filtering allowing connections # initiated on host be allowed. $iptables -A INPUT -m state --state \ RELATED,ESTABLISHED -j ACCEPT $iptables -A OUTPUT -m state --state \ NEW,RELATED,ESTABLISHED -j ACCEPT # Allow Incoming SSH, HTTP, HTTPS $iptables -A INPUT -p tcp -m tcp \ --dport 22 -j ACCEPT $iptables -A INPUT -p tcp -m tcp \ --dport 80 -j ACCEPT $iptables -A INPUT -p tcp -m tcp \ --dport 443 -j ACCEPT # Allow Everything from the local host $iptables -A INPUT -s 127.0.0.1 -j ACCEPT # Block Outgoing SSH connections $iptables -A OUTPUT -p tcp -m tcp \ --dport 22 -j DROP # Block Everything else $iptables -A INPUT -j DROP $iptables -A FORWARD -j DROP

To save the changes I have made to the firewall rules I use the iptables-save command: $iptables-save > /root/firewall

Later if I wanted to restore my saved rules I would run the iptables-restore command: $iptables-restore -c /root/firewall

It’s a very good idea to have these rules applied at boot time; check your distribution’s documentation for this. In general, on Debian systems the network configuration scripts can be used for this, and on Red-Hat systems a startup script in /etc/init.d is appropriate.

everal disciplines, 42 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 Changing the default port that OpenSSH listens on is a good way to avoid brute force attacks Hardening SSH The OpenSSH package comes installed by default on most distributions. The default configuration on most distributions is pretty lax and favors functionality over security. Allowing root logins, listening on all IPs on port 22, and allowing all system accounts to ssh-in are all potential security holes. Edit /etc/ssh/sshd_config in your favorite editor and change the following lines. # ListenAddress defines the IP address ssh will # listen on #ListenAddress 0.0.0.0 -> ListenAddress 10.0.2.10 #Only accept SSH protocol 2 connections #Protocol 2,1 -> Protocol 2 #Disable root login PermitRootLogin yes -> PermitRootLogin no #Disable allowing all system accounts to ssh in, # only allow certain users (space delimited) AllowUsers userName1 userName2 userName3 # Change Default port Port 22 -> Port 2200

After making the changes, restart the SSH server for the changes to take affect: $ /etc/init.d/ssh restart

Partition for security File system security The UNIX file system has several standard directories: /, /tmp, /var, /usr and /home. The two that present the weakest links for a variety of attacks are /tmp and /var. The two most common attacks are: “Denial of Service”, by causing the root partition to fill up with logs or other junk (assuming all these directories are mounted on one partition); and running rootkits from the /tmp directory. One solution to file system Denial of Service attacks is to have these directories mounted on their own partitions, this will prevent the / file system from filling up and stop that avenue of attack. Rootkits typically write to the /tmp directory and then attempt to run from /tmp. A crafty way to prevent this is to mount the /tmp directory on a separate partition with the noexec, nodev, and nosuid options enabled. This prevents binaries from being executed under /tmp, disables any binary to be suid root, and disables any block or character devices from being created under /tmp. Edit /etc/fstab with your favorite editor, find the line corresponding to /tmp and change it to look like this one. /dev/hda2

/tmp

ext3

nodev,nosuid, noexec

Wikipedia [6] defines rootkits as a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. This translates to custom versions of ps that won’t list the irc server the attacker installed, or a custom version of ls that doesn’t show certain files. Tools like

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 43 c

Issue 12 chkrootkit must be run in combination with IDS systems like fcheck to prevent the successful deployment of rootkits. chkrootkit is very simple to run, and doesnâ&#x20AC;&#x2122;t require any installation or configuration. Itâ&#x20AC;&#x2122;s a good idea to run chkrootkit at regular intervals, see the script below used by fcheck for inspiration. # Use the wget utility to download the latest # version of chkrootkit wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz tar -xzvf chkrootkit.tar.gz cd chkrootkit-version (whatever version is) ./chkrootkit

The next layer of file system security is maintaining and verifying the integrity of configuration files that are typically located under /etc. Intrusion Detection Systems (IDS) allow us to create cryptographic identifiers of important configuration files and store them in a database. They are then periodically re-created and verified against those stored in the database. If there is a mis-match, the file has been changed, you know your system integrity has been violated and which aspects of it are affected. Two well known IDS packages are tripwire and fcheck, which work equally well. However, fcheck has a much simpler configuration and installation process, which is why I favored it for this article. fcheck Download fcheck (see resources) and unpack it. fcheck is a cross-platform Perl script which runs on UNIX and Windows systems (as long as they have Perl installed). $mkdir /usr/local/fcheck $cp fcheck /usr/local/fcheck $cp fcheck.cfg /usr/local/fcheck

Edit /usr/local/fcheck/fcheck.cfg with your favorite editor and change the following values: Directory, FileTyper, Database, Logger, TimeZone, and Signature. # Directories that will be monitored # if there is a trailing / it will be recursive Directory Directory Directory Directory Directory Directory Directory TimeZone

= = = = = = = =

/etc/ /bin/ /sbin/ /lib/ /usr/bin/ /usr/sbin/ /usr/lib/ PST8PDT # For Pacific Standard

# Database of file signatures DataBase Logger

= /usr/local/fcheck/sol.dbf = /usr/bin/logger -t fcheck

# Utility to determin file type FileTyper = /bin/file # What to use to create signatures Database of # file signatures

everal disciplines, 44 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 $Signature DataBase Logger

= /usr/bin/md5sum# = /usr/local/fcheck/sol.dbf = /usr/bin/logger -tfcheck

# Utility to determin file type FileTyper

= /bin/file

Also edit the fcheck script and change the path of the configuration file to /usr/local/fcheck/fcheck.cfg Then run fcheck for the first time to create the baseline database. # # # # # #

Options explained: c create the database a is for all d is to monitor directory creation s is to create signatures for all files x is for extended permissions monitoring

$ ./fcheck -cadsx

To test that everything has been setup correctly run the following commands and fcheck should alert you to the difference. $ touch /etc/FOO $ ./fcheck -adsx

fcheck should display some information about /etc/FOO. $rm /etc/FOO will prevent future messages. Next, create a short shell script that will be run periodically by cron and check for changes. Open your favorite editor and create /usr/local/bin/fcheck_script. When using the cron utility lookout for symlink attacks #!/bin/bash # Use mktemp instead of $$ to prevent sym-link attacks FCHECK_LOG=`mktemp` # Grep for any changes /usr/local/fcheck/fcheck -adsx \ | grep -Ev ^PROGRESS: |^STATUS:^$ > $FCHECK_LOG # If there were any changes email the sys-admin if [-s $FCHECK_LOG ] then /usr/bin/mail -s fcheck \ `hostname` youremail@yourprovider.com < \ $FCHECK_LOG /bin/rm $FCHECK_LOG fi

The cron utility will be used to run periodic checks of the file-system and will compare it to the baseline database. The following command will edit rootâ&#x20AC;&#x2122;s crontab: $ crontab -e # Add this line to run the script every 15 minutes

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 45 c

Issue 12 # using nice lower priority when the system load # is high. */15 * * * * nice /usr/local/bin/fcheck_script > \ /dev/null

Symlink Attacks Side Note: Symlink Attacks running an IDS package usually involve running a script at a pre-configured time using the cron utility. This opens up systems to symlink attacks. Symlink Attacks rely on the attacker knowing that a certain file is going to be created at a certain time with a certain name. A common shell scripting technique that generates some randomness is the use of $$, which is the PID of the running script. However, this is vulnerable to Symlink Attacks because most PIDs are below 35K and most file systems can have 35K files. The correct technique is the use of mktemp, which is a truly random file name.

Install and configure common services At this stage, you should have a solid base to build upon. The next step is to compile and install the software servers you will use to serve up your web applications. Installing software from source can be tedious; and there is a great temptation to use the packaged binaries that come with your distribution of choice. I would recommend against this. In a world of zero day exploits, the time it takes the package maintainer to compile and distribute the binaries may be unacceptable. By compiling from the source, you will be in full control of your security situation. Apache 2.2.0 Now to start compiling and install the services you will be using. Apache is a good place to start, since other packages have compile time dependencies on it. Always verify the checksums of packages you download, if there is a mismatch start over and download it again md5sum httpd-2.2.0.tar.gz tar -xzvf httpd-2.2.0.tar.gz ./configure --prefix=/usr/local/apache \ --enable-ssl --enable-speling \ --enable-rewrite --enable-proxy make make install

MySQL 5.0.18 Download the MySQL binaries from the mysql site (see resources). This is an exception to my mantra of compiling from sourceâ&#x20AC;&#x201D;since the binaries come directly from MySQL, as soon as there is an update you can download the latest version. Note: due to space constraints {.} is shorthand for the version of the tarball. md5sum mysql-{.}-linux-i686-glibc23.tar.gz cp mysql-{.}-linux-i686-glibc23.tar.gz /usr/local tar -xzvf mysql-{.}-linux-i686-glibc23.tar.gz ln -s /usr/local/mysql-{.}-linux-i686-glibc23 \ /usr/local/mysql groupadd mysql useradd -g mysql mysql cd mysql scripts/mysql_install_db --user=mysql chown -R root . chown -R mysql data chgrp -R mysql .

everal disciplines, 46 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 bin/mysqld_safe --user=mysql & cp support-files/mysql.server /etc/init.d/mysql # Make sure that mysql is started if # there is a reboot cd /etc/rc3.d/ ln -s /etc/init.d/mysql S90mysql ln -s /etc/init.d/mysql K90mysql # Copy the configuration file cp support-files/my-medium.cnf /etc/my.cnf

PHP 5.1.2 Now download the php package from the php.net site (see resources). md5sum php-5.1.2.tar.gz tar -xzvf php-5.1.2.tar.gz ./configure --with-prefix=/usr/local/php \ --with-apxs2=/usr/local/apache/bin/apxs \ --with-mysql=/usr/local/mysql make make install cp php.ini-dist /usr/local/php/php.ini

Tomcat 5.5.16 Apache-Tomcat is also an exception to my always compile rule. md5sum apache-tomcat-5.5.16.tar.gz tar -xzvf apache-tomcat-5.5.16.tar.gz

mod_jk Download mod_jk from the the tomcat project page (see resources). tar -xzvf jakarta-tomcat-connectors.tar.gz cd jakarta/jk/native ./configure --with-apxs=/usr/local/apache/bin/apxs make make install

mod_security mod_security is the most excellent Apache module written by Ivan Ristic. md5sum modsecurity-apache-1.9.2.tar.gz tar -xzvf modsecurity-apache-1.9.2.tar.gz cd modsecurity-apache-1.9.2/apache2 /usr/local/apache/bin/apxs -cia mod_security.c

Configuring Apache 2.2.0 By this point, you should have installed all of the services and apache modules needed to host and secure PHP and Java environments. Now itâ&#x20AC;&#x2122;s time to take a look at properly configuring everything for security.

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 47 c

Issue 12 Apache 2.2.0 has the ability to list both statically compiled and shared modules with the -M option to apachectl Apache 2.2.0 introduces a new configuration layout and new default options in the httpd.conf file. In previous versions of Apache, there was only one configuration file by default, which was conf/httpd.conf; in the current version, the Apache project has taken another step towards its goal of making configuration more managable and modular. The conf/httpd.conf is the main configuration file with include statements for the various configuration files under conf/extra such as httpd-ssl.conf and httpd-vhosts.conf. Another new and exciting security feature in Apache 2.2.0 is that the root httpd.conf access is denied to all directories. This can be confusing to users coming from previous versions such as 2.0.55 but it is a great step forward in terms of security. Here is the configuration directive mentioned above; I would suggest leaving it the way it is. We will allow access for specific virtual-hosts and directories later on. # Default access control \ # Highly restrictive and applies \ # to everything below it. <Directory /> Options FollowSymLinks AllowOverride None Order deny,allow Deny from all </Directory>

Every host, which Apache will be responsible for, will be a virtual host or â&#x20AC;&#x153;vhostâ&#x20AC;?. So, start by uncommenting the Include directives at the bottom of conf/httpd.conf. This is done so that the httpd-vhosts.conf, httpd-ssl.conf and httpd-dedfault.conf are included in the main httpd.conf configuration file. Yet another cool new feature in Apache 2.2.0 is the ability to see all modules both statically compiled and shared with the -M option to apachectl. # Edit /usr/local/apache/conf/httpd.conf # Move the LoadModule Statement for mod_security # to the top of all module # statements. This is needed to use SecChrootDir # Add the following line to load mod_jk LoadModule jk_module modules/mod_jk.so # The default User and Group is set to daemon, # create and apache user and group and then # configure apache to run as such. User apache Group apache # List all modules to verify that mod_jk, # mod_security, mod_php, and mod_ssl # are correctly installed and loaded. /usr/local/apache/bin/apachectl -M # Virtual hosts Include conf/extra/httpd-vhosts.conf \ -> Include conf/extra/httpd-vhosts.conf # Various default settings

everal disciplines, 48 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 Include conf/extra/httpd-default.conf \ -> Include conf/extra/httpd-default.conf # Secure (SSL/TLS) connections Include conf/extra/httpd-ssl.conf \ -> Include conf/extra/httpd-ssl.conf

Now it’s time to descend into the extra directory to configure virtual hosts. Open httpd-vhosts.conf in your favorite editor. Next, configure the document root to be /srv/www/vhost1. Also, add the AddType directive for php. PHP files don’t have to have the .php file extension. In fact, it’s probably a good idea if they are .html files. By using the .php file extention you are advertizing more information about your setup than you need to. mod_security makes chrooting Apache easy! Here is the full vhost configuration stanza. It is annotated with inline comments: please take the time to read through it. # Enable mod_security engine SecFilterEngine On # Chroot Apache the easy way just make sure # your web content is under the chrooted directory # Note: The log directives must also be valid # directories releative to the chroot dir. # Note: THIS CANNOT GO INSIDE VHOST STANZA # as it applies to the entire apache configuration SecChrootDir /chroot/apache # Delete the 2nd Vhost stanza as you will only be # using one for now <VirtualHost *:80> ServerAdmin webmaster@mydomain.com DocumentRoot /srv/www/vhost1 ServerName vhost.mydomain.com ServerAlias www.mydomain.com ErrorLog logs/vhost.mydomain.com-error_log CustomLog logs/vhost.mydomain.com-access_log \ common # The PHP engine will interpret all # .php and .html files for php code AddType application/x-httpd-php .php .phtml \ .html AddType application/x-httpd-php-source .phps # Add a local Directory directive to override # the global Deny From all in conf/httpd.conf <Directory /> Options FollowSymLinks AllowOverride None Order deny,allow Allow from all </Directory> # Restrict Access to sensitive files <FilesMatch "\.(inc|txt|tar|gz|zip)$"> Deny from all </FilesMatch>

# Configure MOD_JK JkWorkersFile \

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 49 c

Issue 12 "/usr/local/apache/conf/workers.properties" JkLogFile \ "/usr/local/apache2/logs/mod_jk_www.log" JkLogLevel info JkLogStampFormat "[%a %b %d %H:%M:%S %Y] " JkOptions +ForwardKeySize +ForwardURICompat \ -ForwardDirectories JkRequestLogFormat "%w %V %T" # Any URL that begins with /java/ will be # forwarded to the java webapp in tomcat JkMount /java/* ajp13 # Enable and configure MOD_SECURITY # See the mod_security documentation # link in resources [3] # POST Scanning is disabled by default SecFilterScanPOST On # Make sure only content with standard # encoding types is accepted SecFilterSelective HTTP_Content-Type \ "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)" # Default Action is to reject request, log, and # then return HTTP Response 404 which is # File Not Found. # Another option would be 403 which is access # denied. SecFilterDefaultAction "deny,log,status:404" # Enable URLEncoding validation. This can # prevent Cross-Site Scripting attacks SecFilterCheckURLEncoding On # Catch and Prevent PHP Fatal Errors from # being displayed to the USER SecFilterSelective OUTPUT "Fatal error:" \ deny,status:500 # Obviously you have to code up this custom # Error Page ErrorDocument 500 /php-fatal-error.html # This can be useful to avoid stack overflow # attacks default is 0 255 ie All bytes allowed SecFilterForceByteRange 32 126 </VirtualHost>

Here is the mod_jk configuration file apache/conf/workers.properties (referenced above): worker.list=ajp13 workers.tomcat_home= \ /usr/local/java/apache-tomcat-5.5.12 workers.java_home=/usr/local/java/jdk1.5.0_06 worker.ajp13.type=ajp13 worker.ajp13.host=localhost worker.ajp13.port=8009

Apache can be used to configure other web consoles such as the Tomcat Manager application

everal disciplines, 50 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 The configuration stanza below is a variation on an article: <VirtualHost *:80> ServerAdmin webmaster@zero-analog.com DocumentRoot /srv/www/hercules.zero-analog.com ServerName hercules.zero-analog.com ErrorLog logs/hercules.zero-analog-error_log CustomLog logs/hercules.zero-analog-access_log \ common <Directory /> Options FollowSymLinks AllowOverride None Order deny,allow </Directory> <FilesMatch "\.(inc|txt|tar|gz|zip)$"> Deny from all </FilesMatch> # # # #

This whole stanza is really to forward http requests to https:// tomcat manager so appended /html to the rewrite target. since the full path is manager/html

<IfModule mod_rewrite.c> <IfModule mod_ssl.c> <Location /manager> RewriteEngine on RewriteCond %{HTTPS} !^on$ [NC] RewriteRule . \ https://%{HTTP_HOST}%{REQUEST_URI}/html \ [L] </Location> </IfModule> </IfModule> </VirtualHost> # This is the ssl-vhost under extra/httpd-ssl.conf <VirtualHost _default_:443> # General setup for the virtual host DocumentRoot "/srv/www/outpost.zero-analog.com" ServerName hercules.zero-analog.com:443 ServerAdmin webmaster@zero-analog.com ErrorLog /usr/local/apache2/logs/error_log TransferLog /usr/local/apache2/logs/access_log <Directory /> Options FollowSymLinks AllowOverride None Order deny,allow </Directory>

RewriteEngine on RewriteRule "^/manager$" \ "https://outpost.zero-analog.com/manager/html" \ [R,L] JkWorkersFile \ "/usr/local/apache2/conf/workers.properties" JkLogFile \ "/usr/local/apache2/logs/mod_jk_hercules.log" JkLogLevel info JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 51 c

Issue 12 JkOptions +ForwardKeySize +ForwardURICompat \ -ForwardDirectories JkRequestLogFormat "%w %V %T" JkMount /manager/* ajp13 # Enable/Disable SSL for this virtual host. SSLEngine on # List the ciphers that the client is permitted # to negotiate. See the mod_ssl documentation # for a complete list. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA: \ +HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL # Server Certificate: Point SSLCertificateFile # at a PEM encoded certificate. SSLCertificateFile \ /usr/local/apache/conf/server.crt # Server Private Key: SSLCertificateKeyFile \ /usr/local/apache/conf/server.key SSLOptions +FakeBasicAuth \ +ExportCertData \ +StrictRequire <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/usr/local/apache2/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # # # #

Per-Server Logging: The home of a custom SSL log file. Use this when you want a compact non-error SSL logfile on a virtual host basis.

# *** Note there are \ characters in this # string. These are not my artificial line# breaks, please include them *** CustomLog /usr/local/apache2/logs/ssl_request_log %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost>

Configuring PHP I have already copied the php.ini to /usr/local/php/php.ini so that it will be read by the PHP engine at startup. By default itâ&#x20AC;&#x2122;s fairly secure, but there are one or two things you can do to improve security. Disable PHP display_errors for security # Edit /usr/local/php/php.ini with your # favorite editor

everal disciplines, 52 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 # Since you're are going through the trouble of # hiding PHP files you might as well disable # this as well expose_php = On -> expose_php = Off # You really don't want users, or worse yet # an attacker to see error messages display_errors = On -> \ display_erros = Off # But you do want them logged \ log_errors = Off -> log_errors = On # Log to a file ;error_log = filename -> \ error_log = /var/log/php-err

Another option to consider is the Hardened-PHP project (see resources section). This is the brain child of three German developers, who continously perform code audits of popular PHP applications. They also release a patch for the standard PHP code, which fixes bugs and security holes in fringe configuration cases, where the main project developers have not had the time or the desire to find a fix. Configuring Tomcat The main configuration files from Tomcat are under $CATALINA_HOME/conf. The following files are of interest: • tomcat-users.xml • server.xml • web.xml As you might have guessed, the tomcat-users.xml file contains user access information. It is important to create a custom user with a hard-to-guess password for the manager application. # Edit tomcat-users.xml with your favorite # editor and append the following line. <user username="bob" password="subGen1us" \ roles="admin,manager,tomcat,role1"/>

Another important tenet of security is preventing information leakage. That’s why you enable PHP pages to masquerade as html files. It’s also why you want to disable directory listings in Tomcat. This is achieved by editing the tomcat/conf/web.xml file. # Open web.xml in your favorite editor and # look for the following lines: <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> # The default value is true, which enables # directory listings, simply change this to false # to prevent tomcat directory listings.

You can also hide JSP files by using a servlet-mapping directive in the webapps web.xml configuration file. The following lines will map all html files to the JSP servlet, which is internal to Tomcat.

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 53 c

Issue 12 Note: The listing above goes in the main tomcat/conf/web.xml, while this listing should go in the web.xml of each application. You can put it in the main web.xml. However, there may be cases where this is undesirable. <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.html</url-pattern> </servlet-mapping>

I want to restrict access to apache-tomcat to control the flow through Apache. iptables is already blocking port 8080 by default, but following the onion principle I’m going to bound Tomcat to loop-back device. This will prevent direct traffic to Tomcat in case of any unforeseen circumstances such as the iptables rules being flushed. # Open sever.xml in your favorite editor # and look for the following lines:  <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" /> # And change to this:  <Connector port="8080" maxHttpHeaderSize="8192" address="127.0.0.1" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />

Configuring MySQL The default MySQL installation is not very secure. This is the case when it is installed manually and also when you use your distribution’s precompiled binaries. The default root password is blank, which means anyone can login is as the DBA. This is understandable, as, obviously, a DBA has to login to set the password. However, it’s too easy to forget that anyone can login as the MySQL root user and anonymous users are also enabled by default. # Set the root password mysqladmin -u root -h localhost password subGen1us # Once this is done, log in as the root user and # disable anonymous accounts mysql -u root -p # Drop the test database which comes installed # by default mysql> drop database test; # Disable anonymous accounts mysql> use mysql; mysql> delete from db where User=’’; mysql> delete from user where User=’’;

everal disciplines, 54 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12 # Change DBA NAME mysql> update user set user="mydbadmin" \ where user="root"; mysql> flush privileges; # Make sure to login again to make sure # all the changes work mysql -u mydbadmin -p password: subGen1us # # # # # #

Configure /etc/my.cnf for security Uncomment the following line to disable TCP connections to mysql. As with tomcat this prevents remote connections event in the even of the firewall even in the even of the firewall rules being flushed.

skip-networking

Security mistakes in web applications Now that you are done with configuration, it’s time to put your web developer hat on. You now have a very solid base upon which to build your web applications. This brings me to the Achilles heal: the web applications themselves. What is Cross Site Scripting (XSS)? Wikipedia [4] defines the term Cross Site Scripting as inaccurate as it really refers to an entire class of vulnerabilities. In general XSS vulnerabilities come down to an age old security problem: not verifying user input. The most common vector of attack is when data is passed to a processing program such as a PHP or JSP script, and then printed back out to the page without being URLEncoded. The following (highly contrived) PHP code is vulnerable to XSS. If the database to this PHP script contains javascript, it will be executed. Never trust user input, it is the root of all evil # Vulnerable Code <?php $userInput = $_GET['input']; print $userInput; ?> # Secure Code <?php $userInput = urlencode($_GET['input']); print $userInput; ?>

JSP’s or Java Servlets are no less vulnerable. First of all, it is important to understand that all JSP’s are compiled to servlets the first time a JSP is called. So, the two are basically the same thing, with different source code representations. Here is the same vulnerability in the Java world. Note: JSP’s have access to the same HttpServletRequest object as the servlets they are compiled to. So, in a JSP page, this would manifest itself as request.getParameter(). # Vulnerable Code

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 55 c

Issue 12 public class myServlet extends HttpServlet { public static void doGet (HttpServletRequest req, HttpServletResponse res) { // Get User Input String userInput = req.getParameter("input"); // Print User Input to page PrintWriter out = response.getWriter(); out.write("<html>"); out.write(userInput); out.write("</html>"); } } # Secure Code import java.net.URLEncoder; public class myServlet extends HttpServlet { public static void doGet (HttpServletRequest req, HttpServletResponse res) { // Get User Input String userInput = req.getParameter("input"); // URLEncode Input userInput = URLEncoder.encode(userInput, "UTF-8"); // Print User Input to page PrintWriter out = response.getWriter(); out.write("<html>"); out.write(userInput); out.write("</html>"); } }

What is SQL Injection? SQL Injection is the ability to insert and execute arbitrary SQL code through a web-application. Like XSS attacks, it involves mishandling user input. In this case, properly escaping the input that is to become part of the SQL query. The PHP solution is to use the mysql_real_escape_string statement, and the java solution is to use PreparedStatements, with the user input as bind variables. The following code snippets are from Wikipedia [5]: # Partial PHP $query_result = mysql_query ( "select * from users where name = \"" . mysql_real_escape_string($user_name) . "\"" ); # Partial Java, ? is the bind variable Connection con = (acquire Connection) PreparedStatement pstmt = con.prepareStatement ("SELECT * FROM users WHERE name = ?"); pstmt.setString(1, userInput); ResultSet rset = pstmt.executeQuery()

everal disciplines, 56 learn how tosecure a system, to host securely coded PHP and Java webservices

Issue 12

Conclusion There is no magic bullet. “Conclusion” is a misleading heading: there is no conclusion when it comes to security. Security holes are constantly found and patched. Attackers change their methods, and security professionals respond; it is a process, rather than a result. When it's implemented correctly, this process can mitigate or prevent the damage done by attacks. There is a silver lining: there is an entire community of security professionals sharing their experience, tips and tricks on the web. Sites like Securityfocus.com (http://www.securityfocus.com/) provide heaps of useful information, and the latest trends in security. It’s also the home of bugtraq, a mailing list of security holes that I highly recommend you subscribe to. Sites like freshmeat.net (http://freshmeat.net/) are the yellow pages of free software projects, listing new releases and updates. All of these sites have RSS feeds, a resource I would also recommend you take advantage of to stay abreast of the latest news. Resources • FCheck Main Site (http://www.geocities.com/fcheck2000/fcheck.html) • Useful tools for configuring iptables (http://software.newsforge.com/software/05/05/09/1846213.shtml) • ModSecurity.org Main Site (http://www.modsecurity.org/) • ModSecurity Documentation (http://www.modsecurity.org/documentation/modsecurity-apache-manual-1.9.2.html#03-configuration) • MySQL Download (http://dev.mysql.com/downloads/mysql/5.0.html)

Notes and resources [1] Kofler, Michael The Definitive Guide to MySQL, 2nd Edition, Apress:2004 [2] Heironimus, Michael Securing Web Consoles with Apache, Sys Admin Magazine, Feburary 2006, Volume 15, Number 2 [3] Maj, Artur Securing MySQL: step-by-step, Security Focus, http://www.securityfocus.com/infocus/1726 [4] Unknown Autor/Authors Cross site scripting, http://en.wikipedia.org/wiki/Cross_Site_Scripting [5] Unknown Autor/Authors SQL injection, http://en.wikipedia.org/wiki/SQL_Injection [6] Unknown Autor/Authors Rootkits, http://en.wikipedia.org/wiki/Rootkit

Biography Yousef Ourabi (/user/43" title="View user profile.): Yousef Ourabi is a developer in the San Francisco bay area. He is currently working at the startup he recently founded, Zero-Analog (http://www.zero-analog.com " title="Zero-Analog). Zero-Analog is currently developing an enterprise application, however, one of its stated goals is "to increase the rate of open source adoption in companies of all sizes, across all industries". Zero-Analog also offers consulting services, all based around open source tools, frameworks and applications. He can be reached at: yourabi@zero-analog.com.

Comprehensive security spans several disciplines, learn how tosecure a system, to host securely 57 c

Issue 12

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

everal disciplines, 58 learn how tosecure a system, to host securely coded PHP and Java webservices

The GP2x PDA A PDA focused on games and GNU/Linux By Steven Goodwin Games under GNU/Linux have usually been a lacklustre affair. For every Tux Racer, there are a hundred sub-standard Pac-man clones you’d be embarrassed to advocate. For every commercial version of Quake, there’s a hundred other worthy games the publisher elected not to port to GNU/Linux. Without good games, there’s no market, and without the market, no effort is spared. And so the cycle continues. In this article, I will look at two of the areas in which GNU/Linux games have succeeded, and a new device that combines them both, which could help expose GNU/Linux to the populous.

Two success stories There are two main areas in which GNU/Linux games appear to thrive. The first is through the home-brew market of 2D platform and arcade games. Many of these are not necessarily written for GNU/Linux as a platform, but developed using a cross-platform API enabling a Windows code base to be ported across to GNU/Linux with the minimum of effort and vice-versa. The most popular API for this task is SDL. SDL SDL (Simple DirectMedia Layer) is a low-level game API that supports cross-platform development for graphics, audio and joystick input. It isn’t the only cross-platform API available (Allegro and G2 spring to mind in the 2D arena) but it’s probably the most widespread. Having been started in 1997 by Sam Lantinga, it has grown beyond its humble beginnings, and now supports a myriad of platforms across most operating systems. There are several GNU/Linux ports, including those for PlayStation Linux and Dreamcast Linux, and the API has been used in countless games because of its simplicity of use, stability, and power. Emulation It is often argued that one of things free software developers do better than anyone else is re-engineer (that is, rebuild existing software in a better way). Whether it’s true or not, the free software community has provided the world with a wealth of good emulation software, encompassing an entire range of 8- and 16-bit games consoles and home computers. It is for this reason that emulation can be considered the second of the big games-oriented contributions by free software.

Enter the GP2x One place where the SDL and emulation meet is with the GP2x. This is a new handheld games console designed and built by GamePark Holdings (GPH), and was released in South Korea in November 2005. To a very large degree it has been marketed as a portable entertainment player, and comes ready to play DivX and XviD movies, view photographs, read text files, and play MP3 and Ogg Vorbis music tracks. However, coming from the same genealogy as the GP32, GPH have adopted a games-style form factor with joystick, shoulder buttons and, now standard, ABXY controls. In any other life, the GP2x would be the illegitimate offspring of a game console and an MP3 player. But, what sets the GP2x apart from other media players and PDAs is its use of embedded GNU/Linux as an operating system. Naturally, this allows anyone to develop for it or even change the underlying system itself.

The GP2x PDA

Issue 12

The GP2x The use of GNU/Linux has allowed the GP2x to harness the rabid user base of developers and bedroom coders giving them a real opportunity to work on a handheld console. Armed with free software, developers can build software for the GP2x without the corporate intervention of Sony or Nintendo.

What’s so special about a handheld console? The first computer games were simply board games played on computer; multi-player games were single player games that supported more players; and network games were multiplayer games with a network option. So, the first generation of handheld games were (and are) “normal” games compressed to play on a handheld. Previously, the impetus to do something new was controlled by the gilded minority at Nintendo HQ. But in the hands of creative free software developers, these boundaries can be removed with the availability of a free console, such as the GP2x, and a free development environment. And unlike the Indrema, this exists! However, from the point of view of many developers, a handheld console introduces nothing but problems: it has a small screen, limited input, poor audio, and a fixed hardware set eliminating any attempt at scalability. Despite these apparent limitations, the machine is capable of: running a respectable version of Quake; running Mame; emulating the Commodore 64, ZX Spectrum and NES, among many others; and playing movies. The nature of handheld devices changes the type of games that are possible The current generation of GP2x software is focused in the games arena, with developers writing and porting a wealth of emulators to the console. But, emulation gives the opportunity to provide casual games with little outlay. Then, native applications are only a step away for those who wish to push in new directions, since the nature of handheld devices changes the type of games that are possible, and available. Behind the scenes The device itself is a relatively compact 143.6 x 82.9 x 34mm, but still holds two ARM CPUs (both running at 200 Mhz), an SD (Secure Digital) reader and 64MB of non-volatile NAND memory. This is done by employing the MP2520F “system on a chip” from MagicEyes, which combines both ARM chips, along with the video and graphic processors and various I/O components in a single component form factor. GP2x Specification Technical information CPU (dual core) NAND Flash memory RAM Storage

ARM 920T (200MHz, MMU) and ARM 940T (200MHz, no MMU) 64MB 64MB (each core is able to access 32MB of it) Secure Digital (SD) memory card, sizes up to 1GB are supported, although version 1.10 of the firmware reports an upper limit of 2GB

A PDA focused on games and GNU/Linux

Issue 12 Connection USB 2.0, without host control Display 320 x 240, 3.5 inch TFT LCD I/O Stereo speakers. Headphone socket. TV output cable (available seperately) Power 2 x AA batteries (but only rechargeables make sense!), 3.3 V AC (adapter not supplied) The first ARM CPU is the 920T, a general purpose processor which runs the Linux system stored on the NAND memory like a traditional memory drive. The second is a co-processor 940T with a smaller cache and no MMU which (among other things) performs hardware scaling, allowing DivX movies to be played from their original encoding without affecting the decoding process. This will scale the movies down to the 320 x 240 screen size when played on the GP2x, or provide a full 720 x 480 resolution when viewed on a connected TV (using an optional TV output cable). The NAND memory runs JFFS2 (as used on Familiar handhelds) and holds a complete GNU/Linux installation incorporating the standard file structure of /bin, /etc and /usr. While it is possible to store data and new libraries in this memory, it is not possible to do so from the USB connection. So, you must instead transfer it from the supplementary SD card (making it a mandatory addition). This is mounted on /mnt/sd. You can write to the SD either through the GP2x’s USB port, or by transferring it with a standard SD reader plugged into your host machine. There have been several reports of problematic USB connections, which can be solved in many cases with new firmware. Note, however, that unlike some PDAs, the GP2x doesn’t like you removing the SD card without first switching the machine off (there is no unmount interface). This is one instance where the duality of Linux machine and games machine conflict. The machine itself runs a Linux 2.4.25 kernel, using the framebuffer for graphics. It also has a large set of system binaries provided (mostly) by busybox—a size-optimised executable which implements a number of standard GNU/Linux shell commands. Each traditionally named command is symlinked to busybox, which examines its first argument (argv[0], which holds the command used to call it) and executes the appropriate code. This allows it to have a larger selection of commands in a smaller space. The distribution is compact, but usable for the basic tasks of running a games machine. Since it has no real networking abilities (the USB connection can not work as a host, for example), very little is needed outside the basic support for localhost. In true games console style, this hardware is fixed and will not change during the life of the machine. This provides a safe, stable backdrop upon which to develop. If it runs fine on one machine, it’ll work on them all (unlike GNU/Linux). This could help the GP2x succeed where the Indrema failed. In operation After booting up, the GP2x displays an eight-way menu, shown in Figure 1, which acts as a program launcher. Using the joystick to navigate, and the B button to select, you can call up games, utility scripts or play different types of media using the supplied software. Because this program sits on top of GNU/Linux, it employs specific customs not usual for the underlying operating system. To begin with, file extensions play an unconventionally important role, with the Utility menu allowing you to browse only files ending in GPU, and the Game menu showing files ending exclusively in GPE. In return it provides a consistent (if unpretty) interface to the device like all other consumer electronics.

A PDA focused on games and GNU/Linux

Issue 12 Figure 1: Main menu The main menu, along with the eight submenus, are all handled by custom software inside /usr/gp2x each with their own graphic files. This has enabled a sector of the community to produce different skins, include ones in the style of The Matrix, and the Amiga Workbench. Naturally, it is also possible to change these programs entirely at your whim, and another part of the community is looking into developing alternative program launchers. The system lacks polish in some areas (in both hardware and software) and could certainly do with a published set of standards to the bridge the gap between the current GP2x and the current handheld markets The primary supplied software is as follows.

Standard GP2x Software • Video playback—This is handled by a custom version of mplayer although the interface is minimal (don’t expect the control of gmplayer). However, it’s functional enough (and mostly smooth enough) to be watchable. • Music playback—This also uses mplayer for the playback engine, but it’s supplemented with a GUI. • Photo viewer—This is a simple JPG and BMP viewer contained within the main menu executable. It is usable for previewing holiday snaps, but currently contains no zoom option. You may find it necessary to downscale your images when using this program because it can take a couple of seconds for large JPGs to be decompressed, and anything over 1024x768 in size appears to not load at all. • EBookViewer—This is probably the most disappointing part of the package since the word “ebook” is little grandiose, as the software is less than less! It is a plain text viewer only, with minimal control to go forward and backwards. Bookmarks are planned for the future. • Explorer—This program lets you traverse the directory of your SD card (only) and delete files. Like its namesake in the Windows world, this displays only the filename, omitting the file system properties. • Game and Utility—These two options simply run programs, as mentioned above. • Settings—This elusive menu provides the menu option which initiates a USB connection to your host machine. It also shows the current battery level, switches on the TV out facility and details the system info. There is also a utility here to monitor the controls.

For developers As a development environment, writing for the GP2x is little different to any of the standard flavours of GNU/Linux. However, its work process is more akin to the console industry where all the code is cross-compiled from a PC (running either GNU/Linux, MacOS or Windows) into ARM assembler, ready for the GP2x. Naturally, GNU/Linux is easier since you can compile the same code natively to test it, without having to re-write any of the OS-specific components. Even sitting in front of an original Atari 2600 at home doesn’t have the coolness of playing the original Zelda on the pub sofa with a GP2x One notable difference when running on the GP2x is that every program is run as root. On a single-user games device, like the GP2x, this isn’t the security hole it would be elsewhere, but it does require more trust on the part of the application, particularly as the second ARM CPU has no MMU, meaning any faulty application can crash not only itself, but the whole GP2x. The speed difference between both a host (any host) and target machine is also very marked, so high power applications are never going to catch on. Even PDF viewing is currently a struggle. GamePark Holdings’ development API of choice is SDL, which provides an easy in-road for porters and developers since it is well known in the community and comes with a lot of existing applications and on-line documentation. To some extent this mirrors the practices of “real” console manufacturers who supply an SDK with their new console to would-be developers. And although SDL isn’t installed by default on the GP2x, most games and emulators use it, and is therefore a ubiquitous appearance on the machine. However, for those

A PDA focused on games and GNU/Linux

Issue 12 that want a lower level of access there is also a minimal library that writes directly into the memory registers. See the links at the end of the article for more information. You can read about the development process on the GP2x wiki (http://wiki.gp2x.org/wiki/Getting_started_with_GP2x_development). DRM No article on the GP2x would be complete without a note on the topic of DRM—but that is all it’s getting! Basically, there is no DRM on any of the music, video, text or game files that you can copy freely around the system, but GPH have said there will be a DRM facility to protect commercial games, as already exists on the Xbox, Xbox 360 and PlayStation 2. However, there is no clue as to how (or if) that will happen, or whether it will eventually affect other media. With the kernel source and SDK freely available, however, it’s unlikely they can do anything damaging, technically speaking. GPH have already shown themselves to be consumer-aware, rushing units out without adequate testing lest they withdraw their orders, so they will probably play fair on this, but only time will tell. Invented standards Because of the split between NAND and SD memory, there is one development choice you need to take seriously: static and dynamic linking. If your software uses only SDL (or another common set of libraries), there’s no problem with creating an application that uses it as a dynamic library. However, with limited space in the onboard memory (less than 20MB with the current install), you are advised to statically link applications. Or, at least to dynamically link to libraries on the SD card, and modify LDPATH when you start your application. This highlights another difference between the Linux and game worlds; since Linux has a standard directory structure, and games generally assume they own the whole machine, the decision of where to place particular files can differ between games. This extends to whether the software should be placed in the root of the SD, or within a subdirectory of it.

Figure 2: Running STerm The current thinking is to launch all code through a preceding bash script that can prepare the environment to its desire, run the executable, and then re-run the launcher menu when it exits. This is brought home when you realise there is no packaging system, and dependencies are left to the individual developers. The physical form factor, styling and current software catalogue of the GP2x all lend themselves to be the machine for gamers that haven’t grown up! Finally, remember that as this is also focused as a games machine (running as root), you are in control of the whole machine. This includes the buttons. So if your application uses sound, you must manually handle the volume control, the return to menu button and so on. This also breaks with GNU/Linux tradition.

A PDA focused on games and GNU/Linux

Issue 12

Conclusions In its intended capacity as a media player it works quite well (save the problematic earphone socket.) Most media that I’ve ripped works well on the device, although the interface is a little amateur in places. For example, the main menu does not support “down” on the joystick, and “X” allows you go to back to the previous menu in all cases... except back to the main menu, where you have to press “Start”. While the free software community is used to suffering minor quirks on the initial release, the general public is not and so are unlikely to leave their iPods at home, in favour of the GP2x. As a retro games machine, the GP2x shows its vocational colors. The physical form factor, styling and current software catalog of the GP2x all lend themselves to be the machine for gamers that haven’t grown up! While it doesn’t have the panache of a Sony PSP, or the dependability of the GBA, it does provide the best way to play retro games. Ever. Even sitting in front of an original Atari 2600 at home doesn’t have the coolness of playing the original Zelda on the pub sofa with a GP2x. However, this is an early adopter project. As mentioned previously, the system lacks polish in some areas (in both hardware and software) and could certainly do with a published set of standards to the bridge the gap between the current GP2x and the current handheld markets. So, provided Game Park Holdings release all of the GPL code they are required to (the kernel wasn’t released until nearly two months after initial shipping) the developer community should crowd around this beast and bring it to the attention of a deserving world. Hopefully, this will show GNU/Linux games in a new light, and provide a new generation of talented, innovative, games programmers. Essential GP2x links • Official UK site (http://www.gbax.com/)—the basic starting point • GP2x Archive (http://archive.gp2x.de/cgi-bin/cfiles.cgi)—the ultimate software repository for the GP2x • GP2x notes (http://www.bluedust.com/gp2x)—the authors GP2x page • User guide (http://archive.gp2x.de/cgi-bin/cfiles.cgi?0,0,0,0,23,933)—as created by the community • sterm (http://archive.gp2x.de/cgi-bin/cfiles.cgi?0,0,0,0,8,973)—a bash terminal program • Code snippets (http://www.gp32.co.nz/snippet.php)—includes assembler • Minimal library (http://www.emulnation.info/retrodev/forum/files/rlyeh’s-minimal-library-v0.A.zip)—for programming without SDL • fbgrab (http://archive.gp2x.de/cgi-bin/cfiles.cgi?0,0,0,0,8,890)—a screen grab utility

Biography Steven Goodwin (/user/39" title="View user profile.): When builders go down to the pub they talk about football. Presumably therefore, when footballers go down to the pub they talk about builders! When Steven Goodwin goes down the pub he doesnâ’ t talk about football. Or builders. He talks about computers. Constantly... He is also known as the angry man of open source. Steven Goodwin (http://www.bluedust.com/blog/) has another blog, but no one reads that, either.

A PDA focused on games and GNU/Linux

Issue 12

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

A PDA focused on games and GNU/Linux

Issue 12

A PDA focused on games and GNU/Linux

Freedom, as in fighting for Welcome to the battlefield By Pieter Hintjens The battle between individual rights and the powers of the State is reaching a frenzy across the globe. Never before has technology given us such freedom to create, to invent, and to escape traditional boundaries. And never before has technology given the State such a chance to control us. In this series of articles exclusive to Free Software Magazine, I’ll take you into some of the warzones and show you what it’s like at the front-line...

The rise of the machines As a teenager, I once played a Vic-20 cassette in a normal player and listened to the sounds it made. This was the first time I heard what machine voices sounded like. Ten years later in the nineties, to millions like me around the world, the machine voices of our modems were our Pavlov’s bell, signalling our connection to the wide world of bulletin boards, gopher sites, access points, remote shells, FTP sites, and finally web sites. If there is a single sound that represented the rise of the age of the machines, it was the sound of a modem blasting its square waves across crude copper wires, creating a circuit, carrying bits, bytes, kilobytes, megabytes down the ether to our PCs. If there is a single sound that represented the rise of the age of the machines, it was the sound of a modem blasting its square waves across crude copper wires Fast forward ten more years and the machines have literally taken over our lives. I can’t complain. Every technological wet dream I ever had has come true. My huge music library is digital, my friends are online, across the globe, my family are a mobile phone call away. The crutches of the physical world have fallen away, and we run free, carried by wave upon wave of chattering digital devices. The bitter irony is that the same technology that gives us Google has also enabled the rise of a new kind of autocracy, one based on the same information systems that I, as a programmer, helped build.

The virtual walls The European Union (where I live) is going to build the largest database in the world. Well, that’s what they say. I think there are larger databases, but this one is going to be pretty huge anyhow. The idea is that every time you apply for a visa to any Schengen country, your data will be registered centrally. Today it’s a mess. You can ask for a visa from the Spanish embassy, and if they say “no”, you pop down the road to the French embassy and try there. This is such a big loophole that millions of people from warm countries still manage to sneak into Europe every year. I’m often impressed by the courage of immigrants, who basically leave everything behind to start a new life in a cold, strange, basically hostile country. Most never regain any kind of prosperity. I’ve seen Congolese bankers and managers work as van drivers. They do it because at least their kids will get a chance at a decent education, and a life without violence. You’d think that the EU, starving of young people, with huge ranks of pensioners to feed and look after, would welcome these immigrants with open arms. After all, they are people who have crossed deserts and oceans and mountains. They are by definition the most ambitious, the hardest working, the toughest. You’d think that the US model, where generation after generation of immigrant has kept the economy vibrant and healthy, would inspire Europe to at least offering a green-card style programme. You’d be wrong. Europe’s elite considers immigrants to be alien, dirty, and noisy, and wants to keep them out. So, Europe is going to build a wall, the largest wall ever seen, that will protect Europe’s long borders from this wave of unwanted humanity. It can’t build a physical wall of stone and mortar, as China did during the Chin dynasty. So, it’s building a virtual wall, from databases and computers.

Freedom, as in fighting for

Issue 12

The mandarins Europe’s Great Wall, which will track the comings and goings of its unwanted aliens, is just one of many projects. Politics, you see, is not a single-minded thing. It’s all about ambitious individuals who spend their days and nights hacking their own systems to try to get more budget, more power, more leverage. Somewhere, in an office in Brussels, sits a man. He is not elected, he is a permanent part of the EU structures, a nameless mandarin who works for the Commission. He has been pushing to get the Great Wall project approved. There was huge resistance from the privacy and human rights organisations. National governments opposed his ideas, sensing that their electorates would distrust such a plan. But he was prepared for that. The plan is now a “Directive”, and will soon be put onto paper by his people, presented by the Commission to the Council for a vote, and thus to the Parliament. The European Parliament, who quite hate the Commission and Council, will try to change, or reject the directive. Our mandarin expects this; so, like a good negotiator, he has added a number of very extreme clauses and based the entire directive on the “need to fight terrorism”. Sometime next year, this directive will come before the Parliament, which will have only a week or two to study the large and complex text. Parliament votes on ten or more directives each month. Most votes follow party lines. The mandarin has spent considerable effort, money, and political favours, in making sure the leaders of the two main parties will promote his cause and force the MEPs to vote correctly. They will insist on a public show, for their parties, in which they will “force” the Council of Ministers to accept a “compromise agreement”, taking out all of the extreme articles and leaving just the essentials behind. The directive will pass, almost unnoticed by the media. Large businesses will tender for the project, and several billion Euro will be budgetted for the work. The genius who designed the Great Wall is now promoted as the man to make it work. He has a new salary, assistants, travel expenses, and for the four or five years it will take to build this system, plus ten years of running it, he will live like a king. You’d think that our political systems were driven by some higher purpose than the amoral self-interest of individuals, but this is what it comes down to: a few people who manipulate the system into spending billions on dubious projects so that they can take their direct or indirect cut. My story about the Great Wall of Europe is true, though I’ve imagined the main character, and the story is not yet finished. The directive has not yet been given any “legal basis”, it’s still just a well-developed plan. Like many plans—including a similar one to finger-print and ID every EU citizen—it depends on darkness and obscurity, on stealth and surprise.

The European elite The “new Europe” has brought many good things. We have a single currency, simpler VAT rules, free movement, and straighter cucumbers. But the new Europe has also created an elite of professionals who do nothing other than manipulate and exploit the European structures for their own use. These people are primarily the professional lobbyists, the political lawyers, and the mandarins. All states have such cliques. At the EU level this elite has grown so rapidly, and accumulated so much power, that there are no counterweights. We are entering an era in which laws are made by bureaucrats, not elected lawmakers or judges. To some extent the same has happened in the US and other countries, but the EU is unique in lacking the checks and balances that stop such elites from going too far. A good example is the patent cartel. This consists of: the European patent office (EPO), a body created by treaty but which operates independently of the EU structures; a species of lawyer specialising in “intellectual property”; a special kind of consultant who divides his time between working for the EPO as a patent examiner, for businesses as patent advisors, and for the EU commission to draft patent legislation; and finally, specialised firms that have amassed patents (especially software and business process patents) in the US, along with considerable amounts of funding. The patent cartel is a classic example of a new European elite, busy hacking the system in order to reap great profit. European businesses are mainly unprepared for the introduction of US-style software patents and there

Welcome to the battlefield

Issue 12 is going to be a boom for the people who control key software patents, if only these can be legalised. Few voices seem to warn: “software patents rob copyright holders of their intellectual property”. All the eyes are on the money.

Blurring the past The European Parliament once said, in a report: • “The only effective international instrument for the comprehensive protection of privacy is the European Convention on Human Rights.” • “It is binding on the three institutions which pledged to comply with it in the Formal Declaration adopted during the Nice European Council: the Council, the Commission and the European Parliament.” • “Article 8 lays down in law the fundamental right to the ‘protection of personal data’. This would have protected individuals in those cases involving the processing of their data, something which invariably does when [non-voice] forms of communication are intercepted.” • “Even if the intelligence service merely records data such as the time and duration of calls and the numbers dialled, this represents a violation of privacy” (under Article 8 of the ECHR). • “Any act involving the interception of communications, and even the recording of data by intelligence services for that purpose, represents a serious violation of an individual’s privacy. Only in a ‘police state’ is the unrestricted interception of communications permitted by government authorities.” These extracts come from the European Parliament’s 2001 Final Report on Echelon (http://cr.yp.to/export/2001/09.07-europe.html#1) a surveillance system built by the USA, UK, and other countries. Exactly four years later, the EU Commission drafted a “Data Retention” directive that forces all ISPs and telecom providers to register voice call data, email data, and all other internet communications. The law was drafted and passed in three months, in a single reading in the European Parliament, demonstrating the raw and unfettered power that the Commission bureaucrats now wield. Where just four years ago Europe was proud to say, “we have a convention that protects the rights of all people, while the US protects only US citizens and spys on all the rest”, today Europe is a ’police state’, in its own definition and words. The bogeyman that lets people force such laws through with little resistance or inspection is terrorism, of course. But, the Data Retention Directive makes no mention of this word, justifying the law only as a measure to fight “serious crime”. We are in an age in which the past is blurred into a cliche, in which spin is replacing history, in which democracy means voting in reality TV shows, not participating in government. Technology has accustomed us to ever faster change, and taught us to forget rapidly. This meme is now firmly rooted in the political world as well.

The insurgents Needless to say, there are people who have understood the dangers of allowing such accumulation of power to fall into the hands of a small group of unaccountable, selfish, and amoral individuals. I started working with one such group, the FFII, last summer, fighting an attempt by the Council and Commission to ram through a directive that would have enabled software patents. The FFII mostly consists of professionals, small software producers, students, patent experts and activists. I made a donation and became a member. The FFII asked me to speak at some presentations, which I did. Some people seemed surprised that a businessman would speak out against software patents. As more and more businesses began to support the FFII, and come and speak in the Parliament, it became painfully obvious that while our movement could stage dozens of live business people, all saying the same thing: “software patents will destroy our businesses and the jobs we provide”, the pro-swpat movement consisted mainly of professional lobbyists paid by Microsoft, SAP, and some other large firms.

Welcome to the battlefield

Issue 12 At the end of November, the FFII asked me to take over its presidency. I’ll briefly mention what this movement does, and why. The FFII fights for open standards, copyright, and competition. We are, essentially, fighting against the vested interests that want to turn the digital playfield into segregated monopolies and properties. We rely on individual donations and memberships, and on donations from businesses and other organisations. It is painfully obvious that “soft patents”, i.e. broad patents on abstractions, rather than hard inventions, are bad for business. So, when we fight soft patents, it’s not from a free software perspective, but a pure economic one. What we do is mainly lobby against bad laws and for good ones, mostly in the “intellectual property” arena. We are the only organisation that tries to effect a political solution to the soft patent problem. We work a lot with the European Parliament: this is, in the whole EU political structure, the only representative body. In my next article for Free Software Magazine I’ll show you the life of an FFII lobbyist. How does a small, underfunded, overworked group of determined individuals challenge billion-Euro laws? I’ll tell you. Maybe one day you’ll find yourself in Brussels, inside the Parliament building, speaking to an MEP, and changing the world, one mind at a time.

Conclusion The last twenty years have brought us a new world of gadgets and information beyond our wildest dreams. But the same technology that makes our lives such fun is also forming the basis for a new kind of technological police state, based on a subversion of the European process by a new political elite. Software patents are a key example of how a small group is distorting the European process so that it can claim ownership of large parts of our common wealth. This was the first article in the “Freedom, as in fighting for” series, that will examine the dark side of the European Project, and explore the lives of those who are fighting on the side of freedom and liberty.

Biography Pieter Hintjens (/user/31" title="View user profile.): Pieter Hintjens is the CEO of iMatix Corporation, and the author of numerous free software tools published by iMatix. He wrote his first GPLed software (Libero) in 1992. His team is currently working on what has been called: â’ the most secret open source project everâ’ . He is also the president of the FFII, an information rights organisation based in Munich, with chapters in 20 countries.

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

Welcome to the battlefield

I hope the year for Linux never comes It’s only from lofty heights that empires fall By Edmundo Carmona Toward the end of 2005 I was reading about “the year for Linux” everywhere I went. No matter where I looked, I always found articles by GNU/Linux fans (like me) that expected this year (2006) to be “the year for Linux” (once and for all). In fact, it’s been quite a few years now that I’ve been reading that “this will be the year for Linux”. And let me tell you something: I don’t want the year for Linux to come... ever! Period. This issue mostly surrounds the desktop arena. It’s already well known that GNU/Linux is powering the 500 most powerful computers in the world (http://www.top500.org/lists/2005/11/l/Operating_System_Family) (Microsoft, of course, wants to get a piece of the supercomputing pie with its HPC version—I always rejoice at the thought of 100,000 bluescreens of death popping up in an otherwise beautiful Windows-powered cluster), and Apache’s web serving market share has never been jeopardized (http://news.netcraft.com/archives/web_server_survey.html) by IIS (even they have had to learn the hard way that the tightly-coupled fashion just wasn’t the way). There are other places in the enterprise where Windows will be difficult to dislodge... But, even in those places, there’s a battle going on. Let me tell you something: I don’t want the year for Linux to come... ever! In the four and a half years since I first used a GNU/Linux box, it has been amazing for me to see how handling Linux has gone from being such a pain to get used to (for a winuser like I was back then), to what it is today. There are distributions now that are so simple to use that all you have to do is put a Live-CD in your computer, and you have a working environment up and running in less than 5 minutes with tons of desktop applications that can even make their Windows counterparts look rough. That’s a lot of progress. I still remember the faces of my Windows using co-workers at the hospital when I showed them how Knoppix could help them recover data from a virus-possesed non-starting Windows without much hazzle. It was like they’d seen an oasis after having walked through Death Valley without water.

A bunch of Ubuntu CDs There’s been a buzz about GNU/Linux for a long time now. It’s been expected to change the landscape of the IT world, and people (particularly people like me) have been expecting that moment to come any day now. But after thinking it over, I can tell you that I actually don’t want that moment to come at all. That’s right, I don’t. About now I can almost hear you thinking: “What’s this (so called pro-Linux) wacko going on about?”, “What... does he always want to be on the losing side?”, or even worse, you might be thinking: “Maybe he’s working for Microsoft”. Ugh! That last one hurt. It’s okay... I understand if you’re thinking things like that at this point. Please, let me explain myself a little better. There are distributions now that are so simple to use that all you have to do is put a Live-CD in your computer and you have a working environment up and running in less than 5 minutes

I hope the year for Linux never comes

Issue 12 What do you know about Egypt? I know it’s a country located in North Africa, it’s hot like hell, and it’s a place which attracts thousands of tourists each year who go to see the remains of what was once a great empire. How about Rome? It’s not a country in North Africa this time but a city in Italy. However, it’s still very similar to Egypt: it’s a place which attracts thousands of tourists each year who go to see the remains of what was once a great empire.

The Coliseum of Rome Now think about IBM? It’s not a country or a city and okay it doesn’t attract tourists. But, it is still similar to Egypt and Rome... I think you can tell what I’m getting at now, can’t you? How many times have you seen someone or something become “The Ultimate Hit”, only to be fade into obscurity? Think about it: • The New Kids on the Block • The Spice Girls • Napster • IBM • Even Netscape • .Net and every product delivered by Microsoft. (Okay I’m being a little hopeful with this one, I admit it.) How many times have you seen someone or something become “The Ultimate Hit”, only to be fade into obscurity? Some of them are not exactly in ashes. A couple of examples seem to be coming back from the underworld to scare the life out of their undertakers, so to speak. Others have just changed and are still present though not in the same “package”, like Napster. But it seems to be a law of nature: once you get to the top... there’s nowhere else to go but down. It all makes perfect sense. Now it seems to be the time for free software to be “The Ultimate Hit”—time for it to be carried to the top by the momentum of GNU/Linux. Everybody is willing to make cheerful statements about FOSS. Some people have even envisioned a Microsoft-maintained Linux kernel and distribution or that Microsoft will one day release all of its source code under the GPL and place it on SourceForge (I personally believe those “visions” are unlikely). Seriously now, I’m concerned that it’ll become just another in the long list of sad examples of “Ultimate Hits”—that it’ll get to the top only to nose-dive into obscurity, to be spoken of only in history books. The thought of it almost brings a tear to my eye. I’ve been in love with GNU/Linux since I started working with it over four years ago, and I most certainly do not want to see it become another fallen empire. Perhaps it’d be better for it to remain ever the “Next Big Hit” in the IT World. I wouldn’t mind that at all. Would you?

It’s only from lofty heights that empires fall

Issue 12

Biography Edmundo Carmona (/user/17" title="View user profile.): Edmundo is a Venezuelan Computer Engineer. He is working as a Freelance Java Developer in Colombia since very recently. He has also been a GNU/Linux user and consultant for several years.

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

Itâ&#x20AC;&#x2122;s only from lofty heights that empires fall

Issue 12

Itâ&#x20AC;&#x2122;s only from lofty heights that empires fall

Towards a free matter economy (Part 6) Legal Landmines By Terry Hancock This article explores the legal problems that will be faced by free-design communities developing hardware for space. I have learned that distributed problems require distributed solutions—that centralization of power, the first resort of politicians who feed on crisis, is actually worse than useless, because centralizers regard the more effective coping strategies as threats and act to thwart them.—Eric Raymond A strong free design economy will have to deal with the realities of the legal systems in which it must operate [1]. Intellectual property law is currently changing, inconsistent between nations, and under substantial pressure from those with a vested interest in preserving outmoded business models against the inevitable changes that new communications technology has brought. Furthermore, putting the ability to design and create in the hands of ordinary people creates a threat to the power elite, who will then have a harder time controlling forbidden technology and the forbidden knowledge required to create it. The result has been the mining of the noosphere—a net of legal obstacles intended to ensnare free thought and keep the old power structures intact. There is more at stake here than is usual in the field of free software—free-designed nuclear weapons or biological weapons could destroy civilization just as easily as their proprietary, government-controlled cousins. We can’t shirk that responsibility. Nor, however, can we allow it to halt human progress by turning our free society into an unnavigable maze of professional guilds and corporate fiefdoms. Putting the ability to design and create in the hands of ordinary people creates a threat to the power elite, who will then have a harder time controlling forbidden technology and the forbidden knowledge required to create it

Patents The most prominent hazard for individual inventors today is the proliferation of patents. How did we get into this ironic position? After all, the basis for patent law (at least in the United States), is supposed to be the encouragement of invention by allowing inventors a proprietary period to cash in on their inventions before they enter the public domain. Or, as Abraham Lincoln put it: Next came the Patent laws. These began in England in 1624; and, in this country, with the adoption of our constitution. Before then, any man might instantly use what another had invented; so that the inventor had no special advantage from his own invention. The patent system changed this; secured to the inventor, for a limited time, the exclusive use of his invention; and thereby added the fuel of interest to the fire of genius, in the discovery and production of new and useful things [2].

Towards a free matter economy (Part 6)

Issue 12

Abraham Lincoln was the only US president to hold a patent (Number 6469) The reality is further from the ideal, however. Filing for a patent is a difficult and expensive process that most inventors would be hard-pressed to do on their own; the volume of patents which must be searched to prove the absence of prior art is enormous; and the cost of expert help in this process is too high for the average individual. The result is that very few individual inventors use the patent system at all. The most prominent hazard for individual inventors today is the proliferation of patents Even for the ones who do file, the patent process is unlikely to be helpful. Having a patent on an idea does not commercialize it—you still have all the usual problems of an entrepreneurial startup. Furthermore, until a patent is granted, the inventor is likely to hold back on describing their invention, even to people who might be interested in helping them. In a world of free information interchange, it is often not the original spark of an idea that proves profitable, but the results of exchanging shared information in an open forum of interested parties. The possibility of proprietary gain retards this free exchange of information and thus creates an infertile intellectual landscape. Intellectual landmines The most serious thing about patents, though, is that they can harm you even if you don’t use them, know nothing about them, and never see or make use of anyone else’s ideas. Because, independent invention, though it might rightly be regarded as proof of “obviousness”, is no defense against a patent infringement claim: even if your design is completely original, you may have accidentally reinvented something to which someone else has exclusive claim. Patents can and do blindside designers What’s more, such claims can be truly devastating to your project, because the patent-holder can not only sue you for “damages”, but may also get a court order to stop you from using your own ideas (and any ideas that depend on them). This makes patents even more of a landmine than accidental copyright infringement: at least with copyright, you cannot really infringe unless you have copied someone’s work—and you can be expected to know when you’ve done that. But patents can and do blindside designers.

Legal Landmines

Issue 12

Excerpt from â&#x20AC;&#x153;Bound by Lawâ&#x20AC;?, a comic expounding on the problems of copyright and the public domain. Patents are even more of a minefield than copyrights (Duke Center for the Study of the Public Domain, CC-By-NC-SA/Fair Use) This has recently become a serious issue for software patents, but in truth, it is a problem with all patents: obvious designs, natural phenomena, and mathematical truths are now being granted as patents, due to a severely-flawed patents system in the United States, and through a series of treaty organizations [3], the same pathology is spreading to other nations as well. Too much of a good thing? These problems with granting proprietary rights to information are not new, by any means. Thomas Jefferson argued famously that there are no natural rights to intellectual property: He who receives an idea from me, receives instruction himself without lessening mine; as he who lights his taper at mine, receives light without darkening mine. [...] That ideas should freely spread from one to another over the globe, for the moral and mutual instruction of man, and improvement of his condition, seems to have been peculiarly and benevolently designed by nature. Inventions then cannot, in nature, be a subject of property [4]. He went on to argue that such rights, being artificial, may be freely managed by nations (or not) according to what is perceived as the most effective way to spur innovation. This is pretty important, because Jefferson also wrote this famous bit of text: The Congress shall have power [...] to promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries [5] This is, of course, the constitutional basis for all copyrights and patents under United States law.

Thomas Jefferson opposed the idea of intellectual property as a natural right

Legal Landmines

Issue 12 Considering this sensible starting point, it is ironic that abuses of patents and copyright laws in the United States have presented the greatest danger to innovation worldwide. In other parts of the world, as in Europe, the theory has been worse, but the practice better. European law regards intellectual property as a natural human right, which makes its infringement a criminal offense. Lax enforcement has kept this from becoming a serious problem so far, and Europe has avoided the spectre of software patents, but it remains to be seen how long this amicable arrangement will last. Originally, it was intended that patents should be rare Originally, it was intended that patents should be rare. Mechanical devices and processes of the type that could be found in 1800 were always “open source” in the sense that anyone could immediately “reverse engineer” them by simple visual inspection [6]. There was also very little natural advantage in having the processing equipment or tools and dies for production, since the assembly line was still many years in the future, and even printing technology was fairly primitive. This made the need for patents appear evident and the harm small.

Patent applications have grown enormously since about 1980 Since the 1980s, however, there has been an explosion in patent applications, to more than 300,000 per year [7]. This may mean there is more innovation going on, it’s also because the bar for receiving a patent has been made extraordinarily low, and the breadth of what can be patented, ridiculously wide. Due to this overload of applications, the US Patents and Trademarks Office (USPTO) has seen a great reduction in the quality of its patent searches. And, lacking sufficient personnel trained in the various “arts” that it issues patents for, it cannot effectively gauge the merit of patent applications. This has resulted in even more bad patents being granted, encouraging further abuse, and so on.

The overwhelming majority of the post-1980 boom in patent applications is coming from corporations, not individual inventors Since the 1980s, there has been an explosion in patent applications, to more than 300,000 per year

Legal Landmines

Issue 12 Who’s getting all these patents? Are there millions of lone inventors in America who need our protection? No. The bulk of patents are filed by corporations, and the current patents free-for-all is primarily due to enormous amounts of filings by corporations, which use their “patent portfolios” both as advertising to stock-holders (who continue to regard the acquisition of patents as synonymous with innovation), and as weapons to use against each other (ironically, to defend themselves from the same mines that endanger individual inventors). Minesweeping? Recently, there have been four initiatives (Patent Commons [8], Peer to Patents [9], Open Source as Prior Art [10], and the Patent Quality Index [11]), which have grown out of the software industry, the free software community, and the USPTO’s concern with its workload. These initiatives have primarily targeted software patents, though the same techniques might help patents in general, by reducing the number of patents granted, increasing the quality of those patents, increasing community knowledge of patent quality, and increasing the recognition of community-developed prior art. These initiatives offer some hope, but they are an incomplete solution: laws to raise the standards for patents and reduce the scope of information that can be patented are desperately needed. These initiatives are best regarded as stop-gap measures—indications of a failure in the system itself. We might even need to start asking ourselves if it wouldn’t be better to simply ban patents entirely Considering the realities of the information age we live in, we might even need to start asking ourselves if it wouldn’t be better to simply ban patents entirely. While it’s almost certainly true that patents do some good, it’s also pretty obvious that they do much damage, and a system without any patents might be a safer place for innovation than what we have now.

Trade secrets Even if there were no patents, there would still be trade secrets. The basis for a trade secret is in contract law: it is common practice to insist upon the signing of a “Non-disclosure Agreement” (NDA) before being shown certain kinds of information that an individual considers critical to a new business plan. This allows potential business partners and investors to be aware of the information needed to evaluate the company without sacrificing the advantage provided by secrecy. Even if there were no patents, there would still be trade secrets NDAs have also become fairly common in the electronics industry, to protect product lines that are already in production. This is intended to maintain the company’s competitive edge in the same way that a patent would, but without the legal overhead. Courts recognize these obligations to secrecy, and it is through contract law that trade secrets violations can be enforced. A trade secret is relatively innocuous, because it specifically requires you to have copied the idea—independent invention is not affected, and you may, under most circumstances, reverse-engineer a product in order to extract design information about it. The primary threat to free innovation is the unfortunate practice of using trade secrets against the end-user by not publishing necessary interfaces to hardware—something that has recently become a serious problem for free software multimedia users.

Copyright Copyright is the form of intellectual property that most programmers and software users are familiar with. It applies to most software and many integrated circuit and printed-circuit board designs. Copyright doesn’t protect “ideas”, but rather specific “expressions”. Therefore, it is much narrower in that it affects only nearly exact copies of the design. An independent design which expresses the same ideas in a different way is different under copyright, and so does not infringe. The rules of “fair use” are being unfairly restricted, and the durations of copyright are effectively unlimited in that they may persist longer than so-called permanent rights The problem copyright creates is primarily that, by imposing costs on reuse of already-existing designs, it results in reduplicated effort. In the present legal regime, the boundaries of copyright have been extended too

Legal Landmines

Issue 12 far: the rules of “fair use” are being unfairly restricted, and the durations of copyright (initially intended to be granted only for “limited times”) are effectively unlimited in that they may persist longer than so-called “permanent” rights (such as real property ownership) [12]. The result is that existing rights-holding corporations (which profit from intellectual property, but do not create it) are very happy, but the public domain material that serves inventors, artists, and the general public in the process of new innovation is being starved [13].

Copyright protection has gotten out of hand, with extended terms and a diminished interpretation of “fair use” (Duke Center for the Study of the Public Domain, CC-By-NC-SA/Fair Use) Fortunately, the free-licensing of software [14], artistic works [15], scientific publications [16], and hardware designs [17] is proving to be an effective solution. The invention of “copyleft” by Richard Stallman, has made it possible to establish communities with higher degrees of information exchange and therefore higher levels of innovation. This reduces the threat of the current legal problems with abuse of the copyright system, although recent developments such as “Digital Rights Management”, “Trusted Computing”, and the “Digital Millenium Copyright Act” show that there are still important problems that require legislative solutions.

Telling cannons from canoes Space technology is real power. In fact, much of the real power used by governments to exercise their “monopoly on the use of licit force”, as Libertarian political philosophy describes it, is embodied in space technology, like Inter-Continental Ballistic Missiles (ICBMs) or intelligence-gathering satellites which can read your car’s license plate from low Earth orbit. Nuclear power, essential to many space development plans, is widely regarded as one of the most dangerous technologies in existence—nuclear material is contraband, and designs for nuclear plants (let alone explosive devices) are closely-guarded secrets. The US has the “International Traffic in Arms Regulations”, which are supposed to prevent various “blackhats” from acquiring access to technology that could be damaging to its national security In the interest of reducing public hazards and in maintaining the United States’ military advantage against other countries, the US has the “International Traffic in Arms Regulations” (ITAR), which are supposed to prevent various “blackhats” from acquiring access to technology that could be damaging to its national security. This sounds sensible enough on the surface—but what exactly are “arms” and what are not? In the 1990s, US computer free software developers had to deal with onerous restrictions on what they could host on their webservers, simply because “strong cryptography” (as implemented in several internet web browsers) was on the ITAR “munitions list” [18]. This was the original reason for the Debian “Non-US” distribution. Ironically, this did nothing to support US supremacy in cryptography—the algorithms could be printed in a book and shipped overseas (even with complete program listings) without violating ITAR. The same book could, for that matter, contain instructions for building a nuclear weapon. In the end, the software was hosted on servers outside the United States, and much to their shame, US users had to download their cryptographic software from overseas servers! ITAR continues to promote the longstanding myth that space development is state-controlled territory, too powerful for ordinary citizens to participate in

Legal Landmines

Issue 12 Unfortunately, this did not break the ITAR laws. Instead, the US legislated a special exemption to the law for software which was downloadable for free. Meanwhile, the “munitions list” remains remarkably broad. Among other things, it includes satellites of almost any kind, as well as nuclear devices (both power-generating and explosive), rockets, and propellants. ITAR continues to promote the longstanding myth that space development is state-controlled territory, too powerful for ordinary citizens to participate in. ITAR has been blamed by space industry professionals as a major obstacle to US companies remaining competitive internationally, noting that European companies have used their lack of such onerous regulations as a selling point to acquire communications satellite contracts [19]. ITAR is a loose cannon for individual space developers, because it doesn’t seem to be able to distinguish essential technologies for space development from weapons.

Controlled substances Most rocket experimenters have already learned that explosives are usually controlled substances. In the United States, they are monitored by the US Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF), a division of the Department of Justice [20]. Other nations have similar rules. In the UK, for example, explosives must be registered with the police [21]. Various licenses and permits will allow you to use limited quantities of these substances. Most rocket experimenters have already learned that explosives are usually controlled substances “Explosives” of course, includes most substances that would be used as solid rocket fuels. There is some obvious sense to these kinds of regulations, since the exact same material that you might want to use to send your amateur rocket up to the edge of space [21], might be used by more nefarious actors to blow up a neighbor’s apartment. Sensible regulations are needed for such dangerous substances, of course, but it is also important that the licensing processes be simple enough for amateur developers to gain access to them, and that merely acquiring them does not become perceived as “evidence of terrorist activity” [23]. Nuclear power is an even more volatile subject Nuclear power is an even more volatile subject. In the United States, this is managed by the Nuclear Regulatory Commission [24], and getting a license from them makes the ATF licensing for explosives seem easy. Nevertheless, licenses have been given to academic institutions—several universities operate nuclear reactors for research and teaching of nuclear engineering [25] and there is an experimental tokamak for researching high-temperature plasmas at the University of Texas [26].

No fly zones Space is straight over your head. There is an internationally recognized “boundary” of space at 100 kilometers altitude. This number is based on the fact that at just about that altitude, a vehicle stops acting like an aircraft and starts acting like a spacecraft (aerodynamics breaks down). Most courts now recognize the idea that there is some ceiling to terrestrial property rights and to the legal authority of terrestrial nations It used to be that real property rights were imagined to extend down to the center of the Earth and upwards to infinity. Fortunately, this absurdly geocentric view of the universe has begun to be redefined legally—most courts now recognize the idea that there is some ceiling to terrestrial property rights and to the legal authority of terrestrial nations. The 100km limit, also known as the “K??Line”, is beginning to acquire this legal significance [27]. It would be overstating the case to say that this is firmly established in law—space law is far too young a field for that. However, events such as the X-Prize [28] flight of SpaceShipOne [29], have established the idea that “space begins at 100km”.

Legal Landmines

Issue 12

SpaceShipOne, imaged at the “Edge of Space”, above 100 km altitude (Scaled Composites) However, that still leaves 100km of airspace between your launch pad and freedom; all of which are protected by some national organization in your country. In the United States, this is the Federal Aviation Administration (FAA). The FAA is the agency that must provide waivers for amateur rockets to be launched to high altitudes (you can launch "model rockets" in most parts of the United States without any special license, fortunately—these are the small rockets you can find in hobby stores in the US). It is also the FAA that regulates airports and the fledgling commercial spaceports that are currently active in the US [30]. Other limitations include treaty agreements requiring national sponsorship of any object launched into space Other limitations include treaty agreements requiring national sponsorship of any object launched into space (requiring such launches to be registered with some national government), and treaty agreements on the management of the (relatively limited) use of geostationary orbit (also called “geosynchronous” or “Clarke” orbit, in which objects orbit such that they appear stationary from the surface—this is the preferred orbit for most communications satellites) [31].

Explosively decompressing our values Perhaps the most suffocating of all the regulations that stand in the way of space development are those which are intended to protect consumers from risk. Living with risk is an essential part of every frontier, and the ancestors who pioneered the place you are sitting now—whether they were wagon train colonists or islanders in outrigger canoes—took risks. Sometimes horrible risks: the death toll on settlers crossing the American West in covered wagons in the first half of the nineteenth century was appalling by today’s standards, as were the adventures of immigrants crossing the Atlantic in sailing ships only a century before. Perhaps the most suffocating of all the regulations that stand in the way of space development are those which are intended to protect consumers from risk Our blood seems to have thinned, however: the deaths of seven astronauts have twice halted the entire space transportation system of the country which likes to call itself “the home of the brave”. The Challenger accident shut down all crewed transportation into space for Americans for over 18 months; the Columbia accident shut down all US-based space transport for over two years (Fortunately, Russian-based Soyuz launches have been available to keep the International Space Station crewed for this entire time). It’s true that the Space Shuttle has design problems, and I don’t doubt that those problems contributed to the deaths of fourteen people. The problems need to be fixed. But I also know that every one of those fourteen people knew about that risk, and were still willing to board those Shuttles. As would I. The risk is not negligible, but exploring (and developing) the space frontier is an important task—one worthy of some risk of life. Our society has become obsessed with “safety” to an unhealthy degree

Legal Landmines

Issue 12 But our society has become obsessed with “safety” to an unhealthy degree. Frivolous liability torts have made most smaller companies (and nearly all individuals) financially unable to support the development of any product which might be used in “life-critical” applications. Even software frequently bears notices disclaiming suitability for such uses. Ironically, this is true even for extraordinarily stable free-software packages that would probably be the safest available bet. But, although that’s probably true, there are serious legal consequences to asserting that it is true, and the present legal regime makes the sale of a product tantamount to that kind of assertion.

Amateur rocketry can be a pretty wild hobby. The Mini (which is unmanned!) is being powered down a ski slope by three rocket engines for a BBC 2 stunt. Amateur rockets can be quite large (upper left inset), and the launch of such a vehicle can be impressive (lower right inset). Obviously, this is only possible in a society that lets people get access to high-powered propellants. (Wirral Rocket Society, CC-By-SA) The basic legal principles behind liability laws do not appear to recognize two fundamental realities of life, especially on a frontier: risk is unavoidable, and it’s not anybody’s “fault”. Even if everyone is being as careful as is humanly possible, there will still be serious risks to any enterprise as fundamentally adventurous as exploring, developing, and settling in space. Some kind of adjustment in social attitudes is necessary if we are ever going to regain the pioneering courage of our ancestors. Settlers, developers, and experimenters need to be able to legally assume risks for themselves—or they will be unable to find suppliers. This is a problem, because existing laws only recognize that kind of assumed risk for companies, but individual experimenters and inventors are usually classified as consumers. Ironically, it is more legal for an employer to order you to take risks than for you to choose to take them on your own volition! Experimenters need to be able to legally assume risks for themselves—or they will be unable to find suppliers This applies to obvious things like explosive or rocket-propelled devices, but also to less obviously dangerous technology, like spacesuits. An amateur spacesuit can kill you, just like sticking your head in a plastic bag can—if the life-support system doesn’t work properly but the airtight seal does. Yet, how can an amateur developer be expected to bear the liability burden for this? It could be argued that you ought to be able to make this kind of safety decision for yourself—but although seller and buyer may both agree to this high level of assumed risk, present liability standards do not. This kind of legal risk, and the high cost of insuring against it, is a large part of why there are few commercial life support suppliers to which hobbyists can turn for parts, and it’s part of the reason that such equipment, when it is available, is so expensive (It is likely that SCUBA gear is only available today because it largely predates the changes in liability standards). Informed consent Some solutions for liability problems have been developed. Amateur rocket societies, which are often engaged in intrinsically risky activities such as igniting large amounts of explosive fuel in order to launch their

Legal Landmines

Issue 12 creations (which occasionally fail—becoming “lawn darts” or “land sharks”), sometimes get around public safety laws by not allowing “the public” to attend launches. Instead, only members of the society who have signed a liability waiver are allowed to attend. This can be fairly painless since such societies often extend membership to attendees who are willing to join and sign the waiver. Amateur rocket societies sometimes get around public safety laws by not allowing “the public” to attend launches I would argue that free-design, as “full disclosure” should make any risks as accessible to the user as to the manufacturer, and should therefore be an adequate defense against liability cases. It should be possible to make purchases on this “experimental” basis, signing off the right to sue for personal damages, in order to avoid incurring the prohibitive expenses of liability insurance. This has not yet been effectively implemented.

Making the world safe for innovation We are already on an crowded planet. We’ve long since passed the point where we could just put down technology and go back to the way things were. Either we develop space and a sustainable economy that uses its resources; or we face a bleak future of dwindling resources and a global dark age until the attrition of war, poverty, pestilence, and famine reduce our population to a sustainable equilibrium (and we have another chance to choose space). We could easily lose fifty generations that way, as Europe did at the end of the Roman civilization. Facing these choices, as our overpopulated and underprovided civilization tracks down its present collision course with the limitations of a closed Earth, we have to ask ourselves, “Do we have the luxury to be less innovative in the name of preserving outdated business models?”.

SpaceShipOne’s flights have been the flashiest of the achievements of independent space companies to date. (Scaled Composites, inset from Wirral Rocket Society) Space technology is not the only area where community-based production of fundamental technologies may be important in the coming century, but it is one of the most exciting, and probably the one that raises the largest variety of legal issues. Yet we cannot afford to ignore it. Our civilization needs to develop space, and after thirty years of snail’s pace development by government agencies and corporate contractors, it’s fairly obvious that the “NASA owns space” attitude needs to be canned. Current developments in conventionally-financed entrepreneurial space start-up companies like Scaled Composites [32], Virgin Galactic [33], and SpaceDev [34] are showing a lot of promise. But, there is a need for the broader involvement of a free design community to develop the everyday technologies of the frontier—and a legal climate that is more conducive to the fertile growth of ideas.

Notes and resources [1] And yet, I Am Not A Lawyer. [2] Abraham Lincoln, Discoveries and Inventions (http://showcase.netins.net/web/creative/lincoln/speeches/discoveries.htm), 1858.

Legal Landmines

Issue 12 [3] E.g. WIPO (http://www.wipo.int). [4] Thomas Jefferson, Letter to Isaac McPherson (http://etext.lib.virginia.edu/etcbin/foley-entry?id=JCE4045), 1813. [5] Constitution of the United States of America (http://en.wikisource.org/wiki/Constitution_of_the_United_States_of_America), 1781. [6] Like the wagons in TFME2 (http://freesoftwaremagazine.com/articles/free_matter_economy_2). [7] Charts based on USPTO statistics (http://www.uspto.gov/web/offices/ac/ido/oeip/taf/reports.htm). [8] Patent Commons (http://www.patentcommons.org). [9] Peer to Patents (http://dotank.nyls.edu/communitypatent). [10] Open Source as Prior Art (http://developer.osdl.org/dev/priorart). [11] Patent Quality Index (http://www.law.upenn.edu/blogs/polk/pqi). [12] Dennis S. Karjala, Opposing Copyright Extension (http://homepages.law.asu.edu/%7Edkarjala/OpposingCopyrightExtension). [13] Duke Center for the Study of the Public Domain (http://www.law.duke.edu/cspd). [14] Free Software Foundation (http://www.fsf.org). [15] Creative Commons (http://creativecommons.org). [16] Science Commons (http://sciencecommons.org). [17] Open Cores (http://www.opencores.org). [18] International Traffic in Arms Regulations (http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?tpl=/ecfrbrowse/Title22/22cfrv1_02.tpl) (see section ‘M’). [19] Ryan Zelnio, The effects of export control on the space industry (http://www.thespacereview.com/article/533/1). [20] ATF (http://www.atf.gov). [21] Wirral Rocket Society (http://www.rokits.org). [22] Civilian Space eXploration Team (http://www.civilianspace.com). [23] USA PATRIOT Act (http://en.wikipedia.org/wiki/USA_PATRIOT). [24] Nuclear Regulatory Commission (http://www.nrc.gov). [25] Texas A&M, Nuclear Science Center (http://nscr.tamu.edu/about/nuclearlinks.html). [26] University of Texas, Fusion Research (http://w3fusion.ph.utexas.edu). [27] K??Line (http://en.wikipedia.org/wiki/Karman_line). [28] X-Prize Foundation (http://www.xprizefoundation.com). [29] Scaled Composites, SpaceShipOne/TierOne (http://scaled.com/projects/tierone/index.htm).

Legal Landmines

Issue 12 [30] Archimedes Institute (http://www.permanent.com/archimedes). [31] Space Rocket Launch Sites Around the World (http://www.spacetoday.org/Rockets/Spaceports/LaunchSites.html). [32] Scaled Composites (http://scaled.com). [33] Virgin Galactic (http://www.virgingalactic.com). [34] SpaceDev (http://www.spacedev.com).

Published on Free Software Magazine (http://www.freesoftwaremagazine.com)

Legal Landmines

Interview of Frank Mittelbach A combined interview of the LaTeX Project director By Frank Mittelbach, Gianluca Pignalberi and Dave Walden Free Software Magazine and the TeX Users Group (TUG (http://www.tug.org/)) both like to publish interviews. Recently, Gianluca Pignalberi of Free Software Magazine and Dave Walden of TUG both approached Frank Mittelbach about interviewing him. Rather than doing two separate interviews, Mittelbach, Pignalberi, and Walden decided on a combined interview in keeping with the mutual interests already shared by Free Software Magazine and TUG. DW: Frank, please start by telling us a bit about yourself and how you got involved with LaTeX. FM: I have lived with my family in Mainz (Germany) since the early eighties, i.e., by now the larger part of my life. Besides my primary hobby (typography), which can effectively be called my second job, I enjoy playing good board games, listening to jazz music, and reading (primarily English literature). Professionally I work for Electronic Data Systems where these days I’m responsible for concepts and implementation for remote monitoring and management of distributed systems and networks. While I was studying Mathematics and Computer Science at the Gutenberg-University Mainz, I was first introduced to TeX and later LaTeX and, eventually, this got me interested in typesetting and in particular in research on algorithms for automated high quality typesetting.

Figure 1: Frank Mittelbach During my student days in the eighties, a friend brought back a source tape from Stanford University containing something like TeX 1.1 and fascinating news about the quality of that program (back then we did our theses using a typewriter and either hand-pasting symbols in or, in case of some sophisticated IBM typewriter, changing the “ball” every couple of seconds). He tried to implement that program on the Multics system we had at the university and in fact succeeded—it probably was the first if not the only implementation of TeX on this operating system. This way I got introduced to TeX and AmSTeX and typed my first paper, achieving beautiful results. The only catch was that back then the Stanford tape only contained Almost Computer Modern fonts in 200 dpi resolution (and no METAFONT) and the only graphical printing device available to us had a resolution of 72 dpi. So the output we got was of the size of the formula in figure 2 (or bigger).

Interview of Frank Mittelbach

Issue 12

Figure 2: oversized output Wonderful to plaster the walls with, but not necessarily suitable for handing in your thesis. As a result, my friend finally had to type his diploma thesis in the traditional way, despite his efforts. Sometime afterwards I was asked by the department to install a commercial TeX installation on our shiny new PCs and to give a series of lectures to students and professors on how to use it. And that distribution came with LaTeX 2.08 and a loose-bound copy of the manual (which later became Leslie Lamport’s book on LaTeX). LaTeX compared to plain TeX looked very good to me, but alas, when trying to produce any document with it, it died while loading the “article document style” due a lack of memory on those PCs. So my introduction to LaTeX stopped after I read the manual, and I was forced to develop my own TeX macro package that implemented similar concepts while requiring less memory. A year later it became possible to actually use LaTeX at the department, and we could retire my macro package. But this initial exercise gave me a good insight into the inner workings and concepts of a system like LaTeX and enabled me later to constructively criticize certain aspects of LaTeX—something that eventually led to Leslie passing on the development and maintenance of LaTeX to me. GP: Many of our readers are familiar with LaTeX, but for those who aren’t, can you introduce LaTeX to them? FM: LaTeX is a batch-oriented typesetting system that uses the typesetting engine TeX or one of its variants (ε-TeX, pdfTeX, Omega). The TeX program itself (developed by Professor Donald Knuth in the early eighties) is a programmable low-level typesetting engine, whose concepts and algorithms provide micro-typography (1) knowledge of highest quality in these days when this knowledge is slowly declining due to the fact that more and more authors are forced to become their own designer and typesetter without proper training. TeX is especially known for its excellent paragraph breaking algorithm and for its math formula typesetting capabilities, both of which are unsurpassed even though the program and its algorithms have been freely available for more than twenty years. LaTeX is a macro package written for the TeX engine which allows the user to step back from the low-level formatting capabilities of TeX by providing higher-level interfaces that give the author the ability to mark up the text with logical markup rather than procedural markup (e.g., specifying that something is a list or a section, rather than stating that something should be set in a bold typeface with a little space above and below). The actual transformation of a LaTeX source into a typeset document is done with the help of “style sheets” and configuration adjustments that allow even radical changes to the design and layout in a consistent manner without touching or changing the source (2). Historically speaking, LaTeX was largely influenced by a system called Scribe (by Brian Reid). In turn, LaTeX’s concept of logical markup was quite influential on HTML and various SGML/XML DTDs, as were its approaches for turning such logical markup into visual representation.