Sunday, September 30, 2007

Extending design with multi-touch technology

From the early days of Wacom tablets and drafting digitizers to the introduction of technologies like the Wii controller and the iPhone interface, the way humans interact with computing platforms is changing. The anticipation of the success of multi-touch technologies like those being developed by Perceptive Pixel and Microsoft is enough to kill me. Multi-touch technology, or surface computing, will enable designers and artisans to visualize and create on a computer as they would with physical media such as wood or clay. In order to fully understand the possibilities of multi-touch technologies like this, you'll need some experience working with popular design software like Adobe Photoshop, Maya and 3D Studio. Traditionally, these programs have depended largely on the keyboard and mouse as the primary working tools. After some time, pen tablets were integrated into design software, which increased the human touch factor. However, it did take some time for these devices to become useful. Don't take my word for it; visit this site. Bill Buxton gives a pretty good history of the developments over the years. He also mentions some of the research that was done by the folks at Alias. The engineers and artists at Perceptive Pixel have pushed this usefulness into the next human-computing generation. You really have to see this to believe it. I'm guessing 4-5 years before it's marketable and affordable, unless Apple can beat everyone to it...

Microsoft is claiming a consumer-ready surface computing product release by the end of this year!!

Monday, September 24, 2007

Linux Tools That Work

So, since I have been so tough on "Linux", I thought I would give credit where credit is due. After years of providing enterprise-class Linux system support in every imaginable form, here are the top 5x3 most useful Linux tools IMHO. Most will be of the Fedora flavor, and most will work under any open source moniker. The catch is I'll be breaking the tools out into 3 different categories and 3 separate posts. The first is the network security device/system category, the second is Linux as a server, and the third is Linux on a laptop.


Linux systems as a network security device:

1) By far, the most useful firewall management tool for kernel 2.4+ Linux systems is FireWall Builder. I first came across fwbuilder sometime in 2000, and it has made incredible progress since then. The best thing about fwbuilder is that it just plain works.
Installation is easy, it has a very intuitive interface and it can support very complex NAT, PREROUTING and POSTROUTING functions. It is an easy transition for those of you familiar with CheckPoint. (Not to mention, it makes Cisco PIX, ipf, and ipfw management pretty easy as well.) It's free for GPL'd OS users. Windoze users will have to pay. Don't change the "deny all" rule at the bottom of the default policies!! Allow only specific access to and from networks.

Down side: There are no log management tools or log analysis tools. However, you can prefix log lines.
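As an added example (this is not fwbuilder output, and the addresses, interface name and log host are assumptions), here is the shape of the policy described above written directly in iptables-restore format: a DROP default on every chain, stateful return traffic, SSH allowed only from a management network, and the log-prefix trick mentioned in the downside so dropped packets are easy to grep out of /var/log/messages. Generation is kept separate from loading so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example: minimal default-deny host policy for the firewall box itself,
# in iptables-restore format. MGMT_NET, LAN_IF and the log host are assumptions.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"   # where admins connect from (assumed)
LAN_IF="${LAN_IF:-eth0}"               # inside interface (assumed)
LOG_HOST="${LOG_HOST:-10.0.0.5}"       # central syslog/DNS host (assumed)

# Emit the ruleset on stdout so it can be diffed or reviewed before loading.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and already-established flows
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management: SSH only, only from the management network
-A INPUT -i $LAN_IF -s $MGMT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# outbound from the device: DNS and syslog to the log host only
-A OUTPUT -p udp --dport 53 -d $LOG_HOST -j ACCEPT
-A OUTPUT -p udp --dport 514 -d $LOG_HOST -j ACCEPT
# everything else is logged with a prefix, then dropped by the chain policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: " --log-level 4
COMMIT
EOF
}

# Checks a reviewer wants before loading: every chain defaults to DROP and the
# SSH accept rule is bound to a source network, never 0.0.0.0/0.
check_rules() {
    rules=$(gen_rules)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" || return 1
    done
    printf '%s\n' "$rules" | grep -- '--dport 22' | grep -q -- '-s ' || return 1
    return 0
}

# Load only when asked for explicitly and running as root; otherwise print.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
    check_rules && gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to inspect the ruleset; `./fw.sh apply` as root loads it atomically. The FORWARD chain is handled the same way for traffic through the box: start from the DROP policy and add one accept per permitted flow.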

2) OpenVPN is next on my list. It's an SSL VPN package that makes virtual private networking pretty easy. Setup is relatively difficult for the newcomer, and for the OpenSSL newbie it's not for the faint of heart. There is also a nice little windoze package as well. I have had some trouble with tun/tap interfaces in the windoze world. Linux client setup is a snap if you are using NetworkManager.

Down side: if you get into a pinch, documentation is lacking, and usage is not very widespread so you'll need to dig around for answers.
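Since the setup is the hard part, here is an added example of a minimal routed server and client configuration (not OpenVPN's shipped sample files; the key paths, hostname, and the 10.8.0.0/24 and 192.168.1.0/24 networks are assumptions). The two lines worth understanding are tls-auth, which makes the server drop packets that do not carry the shared HMAC key before any TLS work happens, and ns-cert-type on the client, which stops another client certificate from posing as the server.

```conf
# /etc/openvpn/server.conf  (added example, assumed paths)
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh1024.pem
# extra HMAC on the control channel; unauthenticated packets are dropped early
tls-auth /etc/openvpn/keys/ta.key 0
# address pool handed to clients, and the internal net they are allowed to reach
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
# drop privileges after the tunnel is up
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# client.conf  (added example, assumed names)
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
ca   ca.crt
cert client1.crt
key  client1.key
tls-auth ta.key 1
# refuse to talk to anything whose certificate is not marked as a server
ns-cert-type server
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

The server certificate must have been issued with the server extension (easy-rsa's build-key-server does that) for ns-cert-type to pass. On Debian-derived systems the unprivileged group is nogroup rather than nobody.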

3) Snort, of course, makes this list. To use it in production and rely on it, you'll need to get it as close to the asset as possible and jettison all of the rules you don't need. Don't put the device in the line of a major network intersection and expect anything useful. (Sourcefire's RNA does a great job of handling this situation.) Tune it for specific servers or services. For example, use windoze signatures in front of windoze hosts for specific applications. It's a great analysis tool; however, I won't leave it standing on its own. Use ACID (great but dated), or BASE, which is still maintained.

Down side: Too many people expect it to work "out of the box". Snort is a collection of tools and materials; you will still need to design and build the house.

4) The HoneyNet Security Console is one of my favorites. OK, I admit, I slid out of scope a little here, this one requires evil windoze and .NET, but the juice is all opensource. It provides great reports and correlation tools. Setup is straight forward, documentation is good and it will require other packages to work. It makes my list because if you intend to use Linux systems as your primary line of network security devices you will need something like HSC to analyze and respond to your security events.

Down side: Scalability of HSC is poor, usage is not widespread, and it is a reduced functionality version of a commercial tool.

5) The last tool on my list is ntop. OK, another cross-platform tool, but if it counts for anything I first started using this tool pre-WinPcap integration. Ultimately, if you plan to use a Linux flavored OS as a network security device, you'll want it to speak to you. ntop will do just that. Don't get me wrong, tcpdump is a great tool, but ntop will save you as a security analyst who depends on network security devices.

Down side: You may run into scalability issues. I would advise tighter scopes and close asset proximity placement.

These are just a few security-type tools that I have found very useful over time. It's hard not to list tools like ngrep, tcpdump, or syslog-ng. You'll find them in my tool bag, and they may make future lists, but for now these get the spotlight.

Linux systems as servers:

1) The most flexible and useful server tools are rooted (pun intended) in the command line. Some tools are scripts, some are compiled code. The first to make my list is chkconfig. This is a very useful tool to get servers set up and to get the correct services running at the right run level. A simple 'chkconfig --list | grep on' will list all of the services that are currently set to run upon system startup, organized by run level. chkconfig traces its roots to SGI's IRIX, where a command of the same name lives to this day. Fedora flavors have an associated Python GUI through the 'system-config-services' tool, which can be used if you choose to administer your server through X.
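The grep above shows what is on; the question an admin actually wants answered is what is on that shouldn't be. As an added example (not part of chkconfig), the script below parses 'chkconfig --list' output, here a constructed sample so it runs anywhere, and reports services enabled at a given run level, xinetd services included, that are missing from an allowlist.

```shell
#!/bin/sh
# Added example: audit boot-time services from 'chkconfig --list' output.
# SAMPLE is a constructed copy of that output from a Fedora-style host;
# ALLOWED is the (assumed) set this server is supposed to run.

SAMPLE='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:on    6:off
xinetd based services:
        telnet:         on
        rsync:          off'

ALLOWED="sshd syslog iptables"

# enabled_at RUNLEVEL -> SysV services that are "on" at that run level
enabled_at() {
    printf '%s\n' "$SAMPLE" | awk -v rl="$1" '
        BEGIN { want = rl ":on" }
        /^[^ \t]/ && NF == 8 {          # SysV lines: name plus seven N:state fields
            for (i = 2; i <= NF; i++)
                if ($i == want) print $1
        }'
}

# xinetd_enabled -> xinetd services switched on (they start regardless of run level)
xinetd_enabled() {
    printf '%s\n' "$SAMPLE" | awk '
        /xinetd based services:/ { inx = 1; next }
        inx && $2 == "on"        { sub(":", "", $1); print $1 }'
}

# unexpected RUNLEVEL -> enabled services not in ALLOWED, space separated
unexpected() {
    out=""
    for svc in $(enabled_at "$1") $(xinetd_enabled); do
        case " $ALLOWED " in
            *" $svc "*) ;;                # on the allowlist
            *) out="$out $svc" ;;         # enabled but not expected
        esac
    done
    printf '%s' "${out# }"
}

# On a real host replace the constructed sample with: SAMPLE=$(chkconfig --list)
echo "Unexpected at run level 3: $(unexpected 3)"
echo "Unexpected at run level 5: $(unexpected 5)"
```

On the sample it reports cups, sendmail and telnet at run level 3 (bluetooth joins them at 5); each of those is a listening service that nobody asked for, and the telnet line is the one to fix first.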

2) For the next useful tool, see FireWall Builder above. :)

3) If you don't log it, it didn't happen. Check out syslog-ng. Syslog-ng provides a very flexible logging mechanism that goes beyond standard Unix-style syslog: sources, filters and destinations are all separately configurable, so the same daemon can collect from local processes and from the network and forward to a central log host. This tool also supports logging to a database.
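An added example of the central-log-host configuration that "if you don't log it, it didn't happen" implies (not the distribution's stock syslog-ng.conf; the 10.0.0.5 address and the /var/log/hosts layout are assumptions). Each sending host gets its own directory and one file per day, authentication messages are mirrored into a separate file, and DNS lookups are disabled so the collector does not stall during exactly the kind of incident it exists for.

```conf
# syslog-ng.conf on the log host (added example, assumed paths and addresses)
options {
    use_dns(no);              # never block on reverse lookups
    keep_hostname(yes);       # keep the host field the sender supplied
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
};

source s_local { internal(); unix-stream("/dev/log"); file("/proc/kmsg"); };
source s_net   { udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514) max_connections(100)); };

destination d_local { file("/var/log/messages"); };
# one directory per sending host, one file per day
destination d_hosts { file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY.log"); };
destination d_auth  { file("/var/log/hosts/$HOST/auth.log"); };

filter f_auth { facility(auth, authpriv); };

log { source(s_local); destination(d_local); };
log { source(s_net);   destination(d_hosts); };
log { source(s_net);   filter(f_auth); destination(d_auth); };

# on each server being collected from (added example): forward everything
# destination d_loghost { tcp("10.0.0.5" port(514)); };
# log { source(s_local); destination(d_loghost); };
```

Prefer the tcp() transport between your own hosts so a burst of messages is not silently lost, and pair this with the firewall policy that only lets port 514 reach the log host.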

4) LVM. It was a wonderful day when file system tools and capabilities like this came to the Linux platform free of charge. The Logical Volume Manager tools are one of the most handy toolsets when you need to save a server from downtime. LVM is about managing and changing file systems on the fly. You can grow file systems without interrupting service, and shrink them with a short outage. LVM refers to a typical partition (or whole disk) as a Physical Volume (PV). A Volume Group (VG) comprises one or more physical volumes. Each volume group is then carved into Logical Volumes (LVs), which are what you put file systems on. You may also want to look at LVM2, the implementation used with 2.6 kernels.
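The PV/VG/LV sequence above, plus the two resize cases, as an added example (not LVM's own documentation; the device, volume and mount names are assumptions). The point it makes that the paragraph cannot is ordering: growing is LV first then file system, shrinking is file system first then LV, and reversing the shrink order cuts live blocks off the end of the file system. It prints the commands by default and only executes them when DRY_RUN is set to empty.

```shell
#!/bin/sh
# Added example: LVM grow and shrink on an ext3 logical volume, with the order
# that keeps the file system intact. Names are assumptions. Prints by default;
# run with DRY_RUN= (empty) as root to execute.
DRY_RUN="${DRY_RUN-1}"

run() {
    echo "+ $*"
    [ -n "$DRY_RUN" ] || "$@"
}

# lvm_setup DISK VG LV SIZE MOUNT: carve one LV out of a new physical volume
lvm_setup() {
    run pvcreate "$1"
    run vgcreate "$2" "$1"
    run lvcreate -L "$4" -n "$3" "$2"
    run mkfs.ext3 "/dev/$2/$3"
    run mount "/dev/$2/$3" "$5"
}

# lvm_grow VG LV EXTRA: safe while mounted. Grow the LV, then the file system into it.
lvm_grow() {
    run lvextend -L "+$3" "/dev/$1/$2"
    run resize2fs "/dev/$1/$2"
}

# lvm_shrink VG LV NEWSIZE MOUNT: the case that is NOT online. Unmount, force a
# check, shrink the file system first, and only then the LV underneath it.
lvm_shrink() {
    run umount "$4"
    run e2fsck -f "/dev/$1/$2"
    run resize2fs "/dev/$1/$2" "$3"
    run lvreduce -L "$3" "/dev/$1/$2"
    run mount "/dev/$1/$2" "$4"
}

# Demo with assumed names
lvm_setup  /dev/sdb vg_data lv_logs 20G /var/log
lvm_grow   vg_data lv_logs 5G
lvm_shrink vg_data lv_logs 10G /var/log
```

Before the real shrink, check `df -h` on the mount: resize2fs refuses to shrink below the used space, but lvreduce does not know about the file system at all, which is why it must run last.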

5) Today, most Linux servers will have the last tool as part of a default installation. Regardless of that fact, this tool is by far the most useful tool in any admin's tool bag. I'm talking about the SSH2 protocol and the OpenSSH suite of tools. If you aren't using it, you should be. You could run the world through an OpenSSH tunnel. Now that server processor speeds scream upwards of 3 GHz, overhead is not the issue it used to be. If you use this tool, donate to Theo de Raadt and the OpenBSD project. I did. With his leadership and the help of the open source community, Linux server administration was forever changed. Now you can securely administer servers, transfer files and bypass security controls anywhere :)...
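That last point cuts both ways: `ssh -L 3306:dbhost:3306 bastion` or `ssh -D 1080 bastion` walks straight past the firewall policy from the first list, and every server running sshd is a potential tunnel endpoint. As an added example (not OpenSSH's shipped sshd_config; the group names and the 10.0.0.0/24 management network are assumptions), here is a server-side fragment that keeps the administration and file transfer while switching forwarding off for everyone except admins coming from the management network.

```conf
# /etc/ssh/sshd_config fragment (added example, assumed group names and network)
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
# forwarding is the "bypass security controls" part; off by default on servers
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowGroups sshusers sshadmins
# VERBOSE logs the key fingerprint of every login, which syslog-ng above collects
LogLevel VERBOSE

# admins on the management network keep port forwarding (Match needs OpenSSH 4.4+)
Match Address 10.0.0.0/24 Group sshadmins
    AllowTcpForwarding yes
```

Test a change with `sshd -t` before restarting, and keep an existing session open until a fresh login succeeds; locking yourself out of the only management path is the classic way this goes wrong.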

Linux on a Laptop

1) Coming soon...

Linux, linux, linux... Wherefore art thou? The dilution of responsibility...

Ok, I've been an avid Linux user for a very long time now. I believe the first Red Hat version I used was in the 4.0 release days. Before that I used some Slackware and played with Caldera of the same era. I can remember when getting X11 to run, after hours of head-splitting compiles and library includes, was a huge accomplishment. Or when the OSS sound drivers went from costly to free. I've seen the world open itself up to this wonderful caffeine- and fructose-fueled culture over the years, and I have enjoyed being a part of it. I even obtained an RHCE in 2001.

What really grinds my gears is that even after all that time, after all of the input, innovation, useful code and cool new kernel trickery, Linux, in general, daily, personal computer usability terms, is STILL IN BETA.

Yeah, yeah, yeah... Oracle has certified on RHEL, IBM is doing this..., Novell and SuSE doing that ..., yada yada yada...

BETA
BETA
BETA

Let me tell you why. If you so dare to use a Linux platform beyond the configuration of a server, router or firewall, be warned. (I feel very sacrilegious right now.) Simple things like USB mass storage devices may or may not work, the software support for the Linux world still leaves much to be desired, and don't even get me started on wireless hangups, ACPI, HAL or hardware like laptops. SELinux is a great technology to enhance the security of your operating system. It's not so great if you don't want to take the time to RTFM or seek a doctorate in Linux kernel APIs, MACs, the LSM and role-based access control. It isn't the fault of "Linux" either. However, "Linux" is the unfortunate victim of the cross between innovation and the dilution of responsibility. There are too many cooks in the kitchen and not enough consistency in the menu. In order to effectively use any of the current Linux platforms you have to be a good Linux cook and be able to take care of your own plate.

The biggest problem is that the counterpoint to this entire argument is that "yes" you can do it all with Linux. Believe me, I have, but I don't want to. I don't want to compile software anymore. I've already learned too much about libraries and includes, I don't want to continue this forever. I don't want to look for, and subsequently install, RPMs that contain some not-so-frequently-used libraries in order to get some other tool to work. I don't want to spend my time with one terminal running "tail -f /var/log/messages" and "strace" or "ptrace" in the other. I'm done with message board troubleshooting. I can remember when Deja News was the Google of the 90's. It was fun and exciting then. Now, it's just a pain in the neck.

I just want an OS I can trust (tricky when it comes to closed source), one that I know the inner workings of and one that just plainly works. I just want it to work, without having to visit rpmfind. I want an OS where digital cameras and USB printers can work together in bliss, while at the same time it makes an excellent firewall or file server. I'm done. I'm switching to Apple and OS X for a while. Maybe I'll have better luck with this platform.

Don't get me wrong. Linux has been my ticket to success and understanding in many cases. I'm burnt out with having to RTFM just to use something as simple as a multi-function printer, or media devices and files (ah, the lost world of Linux and codecs).

Here are some tips from a long time, avid linux user, and an RHCE to boot:

1) Don't store important files under the root mount point (/). Linux is best used as a research platform. Expect everything under the system root to be temporary, don't use the main file system for long term storage. Place long term file storage on separate partitions or separate devices all together. (This is good practice for any OS.)

2) Contrary to many other resources, Linux platforms are not good media PCs. If you spend a lot of time working with music, video, or pictures you'll spend even more time finding and fixing the necessary resources and dependencies to work with such data. Use a Mac instead.

3) Linux is not a business productivity tool. OpenOffice works, but you would be a fool to depend on it to get you through the work day. Every laptop/projector combo I've used has been different and some don't even work. If business productivity is a requirement make sure you check your favorite distribution's hardware compatibility list, or better yet use a Windows OS and get a laptop or desktop with one of those "Designed for Windows" stickers on it.

4) Don't expect anything that you can buy at any major computer product retail chain to work with your favorite Linux distribution. Again, check your distribution's hardware compatibility list.

5) Linux is best suited for a specific technology function. Set up the system for that function and leave it alone. You will stand a very good chance of the system outlasting the necessity of the function. For example, a firewall, a VPN device, a proxy server, a file server or a web server. Linux distributions are very flexible and dynamic if you want to spend hours working them over to be flexible and dynamic. However, be warned, that flexibility may end when some library or dependency changes without your knowledge. Anyone ever tried to run Beryl or Compiz with nVidia hardware? You can get it to work pretty well but compatibility and consistency is built like a house of cards.

Thursday, September 20, 2007

Get with the program, security spending in the wrong place

I just read an article that covered a discussion on the subject of information security investments and return or ROSI. They focused on these questions:

Are we spending enough to ensure the desired security posture? and How much security spending is enough? are asked in boardrooms of security conscious companies around the world. These questions are difficult to answer because today's spending is 'enough' as long as the enterprise is secure and 'not enough' the day after a security breach makes the headlines. What is needed today is a pragmatic approach for assessing the current security posture and determining whether security spending is in fact enough to sustain the state of security.

Sustain the state of security?? You've got to be kidding me. I want to get to a better place, not sustain the state. I am disappointed to know that CSOs in such high positions and companies like Intellitactics still support, practice and attempt to run a security program based on this reasoning. Please step aside...

The fact of the matter is that over the past 10 years security spending has significantly increased. While at the same time so has the cost of poor security. Sensitive records continue to end up in the wrong hands. Companies are still being vaporized even after spending millions on these so called security programs.

Why is that? Because we will not solve the problem in the name of security. It shouldn't be "security" spending. The problem isn't that we need to strike a balance between security spending and risk. The problem is poor process, poor products and poor management. Talking about ROSI only works to treat the symptoms. It can be compared to fixing a leaky roof by painting the ceiling: once water has found a way in you can't stop the damage with paint. We will not be successful if we don't focus on the issue at hand; we're going to have to get up on top of the roof and fix the problem.

Spending should be directed toward better business process and education, and it should be done in the name of the business, not security. Organizations must hold their product vendors responsible for delivering good product, not crappy product that requires a fix once a month or once a quarter. Imagine having to take your car in every month because some part or component failed. I bet you would eventually get rid of the car. "There are three alerts this month for your new Hum-esccal-excursion: the brakes will fail if you go over 55 MPH, the steering wheel will collapse if left in the sun too long, and the fuel line was inadvertently left open, which could allow debris to enter the line, which could result in catastrophic engine failure above 55 MPH."

Security industry's response: Increase spending to buy a tow truck to take this hunk of junk to the destination...

Monday, September 17, 2007

First Post

Let's get this off on the right foot.