27 April 2011

Simple online security for non-techies - If your PC can't find the bad guy site, it can't download bad guy software

On the internet the Domain Name System (DNS) translates web site names like www.facebook.com to a string of numbers that is the website's location on the Internet. For example, without DNS translating computer names to IP addresses you would have to type http://69.171.224.14/ in your web browser to get to Facebook instead of www.facebook.com.

Normally you get DNS name translation from your Internet service provider, but DNS is a standardized service and you can use anyone's DNS services to provide DNS name translations.

There are several companies on the web that offer free DNS services for users which keep track of bad guy sites and intentionally do not translate bad guy web site DNS names to IP addresses. If you use their services you have what is essentially a firewall preventing you from accessing the bad guy sites. Both Google and a company called OpenDNS offer these services.

In order to keep this article short I'll just say that I would recommend you try out OpenDNS's FamilyShield DNS services. They have straightforward instructions on how to set yourself up to use their DNS service.

Here's the link:

http://www.opendns.com/familyshield

26 April 2011

Simple online security for non-techies - know the threat

Windows PC Security isn't simple, but here is a simple explanation of the threat.

The bad guys have changed their tactics in the arena of viruses/malware/spyware over the years. No longer is it something that you notice right away as they delete your files and mess with your PC. Today when the bad guys get control of your PC they try hard not to be noticed, because control of your computer is worth money to them and they can get control of thousands of computers a day with automated programs called malware, viruses, or whatever label you want to give the bad guy programs.

Once they've got control they have programs that comb through the PC to find logins and passwords or just have a program wait for you to login to a site and steal your passwords as you type them in.

It's important to realize this is not something they do personally, PC by PC; they run this on hundreds of computers at once, probably while they are out partying, spending the money made from renting tens of thousands of compromised PCs to other bad guys.

They need to continue compromising other PCs as people get smarter and defensive software gets better. So they will use your mother's or sister's Yahoo email account to send a link, which installs malware for Windows PCs, to everyone in her address book. And the cycle continues...

Not taking steps to protect your computer leaves your friends and relatives exposed to the bad guys.

You might not consider your computer access significant, but your identity online can be used to hurt those you know.

25 April 2011

Simple online security for non-techies - three simple steps to better online security; for Windows PC users

1. Think before you click on email links or attachments.

Don't click on links in emails from people you don't know, and don't click on links from people you do know if you aren't expecting them or the message has odd-sounding text. Read that again; it's very important to follow.

Why? Because this is the #1 way for bad guys to own your computer.

2. Keep Adobe PDF reader up to date. If it's been a week since you've updated, check for updates right now.

Go here for Adobe Reader updates: http://get.adobe.com/reader/

Why? The PDF document format includes active content and that means bad guys can hide their programs in pdf documents.

3. Don't use Internet Explorer (IE). Use a widely used web browser alternative like Firefox.

Find it here: https://www.mozilla.com/en-US/firefox/new/

Why? IE is highly targeted by the bad guys and it has a long and continuing history of serious software vulnerabilities that allow the bad guys to use your computer in any way they want. That's a bad thing.

20 October 2010

Watching Netflix Movies in VLC on Linux

I wanted to watch Netflix streaming movies on my Ubuntu 10.04 desktop in VLC Media Player. This is generally prevented by Microsoft's "PlayReady" digital restrictions and Microsoft Silverlight. At this point in time you are required to have a Microsoft OS in order to watch streaming Netflix movies, hopefully that will change in the future.

A number of people solved this problem by running Windows in VMplayer or Virtualbox. I didn't really like that solution, I wanted to watch streaming movies on my Linux desktop in VLC, so I found a different way.

My solution uses PlayOn Digital Media server as a proxy for Microsoft restricted Netflix streaming movies.

The PlayOn media server PC should be fairly modern; CPU power is important on this box, and more memory than the minimum required is a good thing. PlayOn is not free, but you can get a 14 trial license to see if this works for you. I purchased the software and it makes online multimedia available to my Linux desktop movie playing and my Popcorn Hour Networked Media Tank. Setup of the PlayOn software is fairly simple and they have a decent user manual available online. I won't go into details for setting up PlayOn since it isn't complicated and the folks over at playon.tv have that information very well covered.

Once the PlayOn media server is up and running, and your Netflix account is setup within PlayOn, you are ready to configure Ubuntu to view streaming movies from PlayOn. The PlayOn media server is now a UPnP multimedia source on your network. Anything you have on your network which can discover UPnP provided multimedia will probably see the PlayOn server.

From the Ubuntu desktop we are going to mount any UPnP sources that are available on your network to a file system directory. In this example it will be the directory /mnt/av.

You may need a few software packages installed on your desktop; some may already be installed. You need the libfuse2, fuse-utils, djmount, and VLC packages installed along with any dependencies. Once you have these installed you can create a directory where you will mount your UPnP multimedia sources.

For example:

sudo mkdir /mnt/av && sudo chown -R yourusername /mnt/av

Once /mnt/av is created, as your regular user account, run the following command.

djmount /mnt/av

You are likely to get the following message returned.

[I] Charset : successfully initialised charset='UTF-8'

The djmount command will discover UPnP sources on your network and make them available under the /mnt/av directory. Discovery of all your UPnP sources could take a minute after you first mount /mnt/av. A minute or so after running the djmount command you should be able to see directories representing your UPnP sources created under /mnt/av.

Running ls -al /mnt/av/Playon* should list the multimedia sources that are provided by the PlayOn media server.

For example:

username@desktop:/mnt/av/PlayOn (servername)$ ls -al /mnt/av/Playon*
total 11
dr-xr-xr-x 21 root root 512 2000-01-01 03:00 .
dr-xr-xr-x 5 root root 512 2000-01-01 03:00 ..
dr-xr-xr-x 6 root root 512 2000-01-01 03:00 BET
dr-xr-xr-x 9 root root 512 2000-01-01 03:00 CBS
dr-xr-xr-x 19 root root 512 2000-01-01 03:00 CNN
dr-xr-xr-x 6 root root 512 2000-01-01 03:00 Comedy Central
dr-xr-xr-x 12 root root 512 2000-01-01 03:00 Hulu
dr-xr-xr-x 2 root root 512 2000-01-01 03:00 .metadata
dr-xr-xr-x 6 root root 512 2000-01-01 03:00 My Media (Beta)
dr-xr-xr-x 6 root root 512 2000-01-01 03:00 Netflix
dr-xr-xr-x 5 root root 512 2000-01-01 03:00 Nick
dr-xr-xr-x 6 root root 512 2000-01-01 03:00 PBS
dr-xr-xr-x 5 root root 512 2000-01-01 03:00 PBS Kids
dr-xr-xr-x 5 root root 512 2000-01-01 03:00 PlayOn Info
dr-xr-xr-x 29 root root 512 2000-01-01 03:00 Revision3
dr-xr-xr-x 31 root root 512 2000-01-01 03:00 South Park Studios
dr-xr-xr-x 5 root root 512 2000-01-01 03:00 Spike TV
lr--r--r-- 1 root root 33 2000-01-01 03:00 .status -> ../.debug/PlayOn (firefly)/status
dr-xr-xr-x 4 root root 512 2000-01-01 03:00 Syfy
dr-xr-xr-x 6 root root 512 2000-01-01 03:00 TBS
dr-xr-xr-x 6 root root 512 2000-01-01 03:00 TED
dr-xr-xr-x 13 root root 512 2000-01-01 03:00 YouTube


Now you can use VLC to watch Netflix and other streaming movies that are shown under /mnt/av.

Tips and Notes:

* Some of the movies may have a .m3u playlist extension. If you can't get VLC to open and play that file you can open it with a text editor and copy the http: line from that file to VLC under the "Open Network Stream" menu.

* If VLC can't initially browse through the /mnt/av directory it is because /mnt/av is not listed in /etc/fstab. Just type /mnt/av in the location box in VLC.

* With the UPnP multimedia sources mounted under /mnt/av you can use other media players to watch streaming videos.

* The PlayOn media server only supports one stream at a time, you'd probably kill the PlayOn PC watching more than one.

* VLC can do many interesting things.

* If you ever want to unmount the /mnt/av directory use the following command.

fusermount -u /mnt/av

15 May 2010

Out of memory killer

I ran into an interesting issue the other day. Something I had not seen before and I thought I'd mention it here.

One of the servers I manage was having occasional issues with processes being killed. Syslog entries indicated processes were being killed because the system was out of memory. This was on a system that has 32GB of RAM and that monitoring showed had several gigs of RAM free, which had me a little puzzled at first.

The out of memory killer kills processes if the system is out of memory, but the system did not appear to be out of memory. So what was going on?

Well, as it turns out the system was out of low memory.

The issue was that this system had 32bit Linux installed on it and should have had 64bit Linux installed. The reason that is a problem is that 32bit operating systems manage memory using memory space below 1024k. The more memory the OS manages the more low memory space is needed to manage it. In this case managing 32GB of memory consumed too much low memory.

For 64bit Linux all memory is essentially low memory so this issue does not exist.

A short term solution was to set up a bunch of huge pages, which reduced the number of memory pages needing to be managed in low memory. The long term solution was to reinstall the server with 64bit Linux.
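
A check for the situation described in this post, added here as an example and not part of the original: on a 32-bit kernel with high memory support, /proc/meminfo reports LowTotal and LowFree separately, so free low memory can be compared against overall free memory. The sample figures are constructed, and the 5% thresholds and function names are assumptions.

```shell
#!/bin/sh
# Added example; not from the original post.

# Constructed /proc/meminfo excerpt for a 32-bit highmem kernel with 32GB RAM:
# several gigabytes free overall, but almost no low memory left.
sample_meminfo() {
    cat <<'EOF'
MemTotal:       33554432 kB
MemFree:         4194304 kB
HighTotal:      32817152 kB
HighFree:        4186112 kB
LowTotal:         737280 kB
LowFree:            8192 kB
EOF
}

# lowmem_report FILE
# Prints free low memory and free total memory as percentages plus a verdict.
# FILE defaults to /proc/meminfo; "-" reads standard input.
# The 5% cut-offs are an assumption chosen for this example.
lowmem_report() {
    awk '
        $1 == "MemTotal:" { mt = $2 }
        $1 == "MemFree:"  { mf = $2 }
        $1 == "LowTotal:" { lt = $2 }
        $1 == "LowFree:"  { lf = $2 }
        END {
            # 64-bit kernels have no low/high split and omit these fields.
            if (lt == "") { print "no-lowmem-split"; exit }
            lp = int(lf * 100 / lt)
            tp = int(mf * 100 / mt)
            # Low memory nearly gone while total memory still looks healthy.
            v = (lp < 5 && tp >= 5) ? "lowmem-exhausted" : "ok"
            printf "low_free_pct=%d total_free_pct=%d %s\n", lp, tp, v
        }' "${1:-/proc/meminfo}"
}

# Run on the constructed sample.
sample_meminfo | lowmem_report -
```

Calling lowmem_report with no argument checks the live system.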

22 February 2010

System Entropy in Linux

Entropy is needed by many applications; SSL and Java in particular can be heavy consumers of entropy. Linux makes the devices /dev/random and /dev/urandom available to applications to pull entropy from. These two devices contain entropy collected from several system sources. Wikipedia has a good page on /dev/random and /dev/urandom. Kernel.org has some good information here.

You can check the contents of your Linux entropy pool by using the command:

           cat /proc/sys/kernel/random/entropy_avail

A topped up entropy pool is indicated with an entropy_avail level around 4000 (bits). An entropy pool of 200 or less can be a problem and cause application and connection slowness, especially if you are supporting many SSL or Java applications.

This being said, you may find yourself with blocking or hanging applications due to lack of entropy.

If you find that you are running low on entropy it is important to identify what processes are using entropy.  You can do this using the lsof command like so:

lsof | grep /dev/random  

lsof | grep /dev/urandom

These two examples should show you what processes are accessing the /dev/random and /dev/urandom devices which provide entropy to applications.
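
The two checks above combined into one script, added here as an example and not part of the original post: it compares entropy_avail with the 200-bit level mentioned above and walks /proc/PID/fd to list open handles on the two devices, the same information lsof | grep gives. The function names and the optional path arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not from the original post.

# entropy_status [FILE]
# Prints "low" when the pool is at or below 200 bits (the post's figure),
# otherwise "ok". That figure assumes the 4096-bit pool of kernels of the
# post's era; recent kernels use a 256-bit pool and report at most 256.
entropy_status() {
    file=${1:-/proc/sys/kernel/random/entropy_avail}
    bits=$(cat "$file") || return 1
    if [ "$bits" -le 200 ]; then
        echo "low"
    else
        echo "ok"
    fi
}

# random_readers [PROC_ROOT]
# Prints "pid command device" for every open handle on /dev/random or
# /dev/urandom. Without root only your own processes are visible.
random_readers() {
    proc=${1:-/proc}
    for fd in "$proc"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case $target in
            /dev/random|/dev/urandom) ;;
            *) continue ;;
        esac
        piddir=${fd%/fd/*}      # e.g. /proc/1234
        pid=${piddir##*/}       # e.g. 1234
        comm=$(cat "$piddir/comm" 2>/dev/null || echo '?')
        echo "$pid $comm $target"
    done | sort -u
}

# Report on the live system when the kernel interface is present.
if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    echo "entropy pool: $(entropy_status)"
    random_readers
fi
```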

31 December 2009

You can't manage what you can't measure.

Server health can fluctuate as it goes through the process of receiving, consuming, and sending data. But you won't know unless you monitor system health. Without collecting system health information over a period of time one cannot know what is a normal state of the system and what is an emerging problem.

One of my favorite tools for system monitoring is Collectd (www.collectd.org). Simple and easy to setup, it covers many of the important aspects of system health and is highly customizable. The resulting system data collected is stored in rrdtool format and can be presented in typical fashion like so:




I have found the collectd documentation easy to follow so I won't cover configuration details here, but I wanted to mention collectd because one of my next articles will rely on it as a measuring tool.