“Don’t run as root” is an oft-repeated mantra of *nix security. While I agree 100%, it’s not as big on the desktop as some would think. I’d like to point out why here. I still believe you shouldn’t login as root, but I also believe that it’s up to each user to make their own decision.

Think about the data on your computer. What matters to you? E-Mail? Documents? Images? Most of us have things like family photos, financial records, personal communications, saved passwords, or other sensitive or irreplaceable data. This is what we want to protect. When I backup my desktop, I backup my home directory. I don’t backup my OS install, software, or anything else that is not private or difficult to replace. Think of this as the “important stuff.”

So, let’s talk about the important stuff. What users have access to YOUR important stuff? Most likely, your own user, and the root user. So, great, not running as root eliminates one of the possible users that can access your file. So what user do you run as? Your own user. So it’s pretty obvious that not running as root doesn’t restrict access to the important stuff.

Need proof that your data is no safer under your own user? Think about running “rm -rf /” as root or as your own user. What happens to your data either way? It’s gone. Don’t run this, just think about it.

So what do you gain by not running as root? Well, your system is a lot less likely to be the victim of an ongoing compromise. As root, an attacker can modify your operating system to their liking. Think that’s not much? Guess what: your ssh client now sends the username, host, and password for any system you connect to to a server in China. Or maybe new files you create are uploaded to an anonymous file-sharing site on the internet. Perhaps every key you touch is recorded to grab usernames, passwords, credit card numbers, and your most personal conversations. Or maybe an attacker uses your computer as a middle man for downloading child pornography. That will be fun to explain to the FBI.

So, obviously some things need to run as root: system configuration tools, for example. However, running these using sudo limits your exposure to just these utilities, rather than the thousands (millions?) of lines of code in a full desktop environment.

In short, if you want to run as root on your desktop, go for it. But know the risks, and know the consequences. On the other hand, don’t chant “don’t login as root” as if it’s a magic bullet for security.

It’s a well-documented fact that RAM in modern computers is susceptible to occasional random bit flips due to various sources of noise, most commonly high-energy cosmic rays. By some estimates, you can even expect error rates as high as one error per 4GB of RAM per day! Many servers these days have ECC RAM, which uses extra bits to store error-correcting codes that let them correct most bit errors, but ECC RAM is still fairly rare in desktops, and unheard-of in laptops.

Makes me want to build my next desktop with ECC RAM.  Of course, that requires a motherboard that supports it, among other things.  When you’re using encryption, a single bit error can result in the inability to decrypt an entire file.  I wonder what steps could be taken to mitigate those sort of issues.

I sometimes feel that there’s this technological void in my life, with a desire to work on a project of some sort.  The big problem is that I have diverse interests: user experience, information security, embedded systems/robotics, etc.  I know it’s a ridiculous statement to make, but even at 25, I feel like I’m behind where I’d like to be in my life.

How do you all find your niche, and satisfy that urge?  Anyone got a favorite project that needs some love?

If you’ve been trying to use the Android SDK on Ubuntu 10.04, you might be getting an error like:

No command line parameters provided, launching UI.
See ‘android –help’ for operations from the command line.
Exception in thread “main” java.lang.UnsatisfiedLinkError: no swt-gtk-3550 or swt-gtk in swt.library.path, java.library.path or the jar file
at org.eclipse.swt.internal.Library.loadLibrary(Unknown Source)
at org.eclipse.swt.internal.Library.loadLibrary(Unknown Source)
at org.eclipse.swt.internal.C.<clinit>(Unknown Source)
at org.eclipse.swt.internal.Converter.wcsToMbcs(Unknown Source)
at org.eclipse.swt.internal.Converter.wcsToMbcs(Unknown Source)
at org.eclipse.swt.widgets.Display.<clinit>(Unknown Source)
at com.android.sdkmanager.Main.showMainWindow(Main.java:265)
at com.android.sdkmanager.Main.doAction(Main.java:249)
at com.android.sdkmanager.Main.run(Main.java:94)
at com.android.sdkmanager.Main.main(Main.java:83)

If you’re getting this, try installing libswt-gtk-3.5-java and then running the android SDK via: ANDROID_SWT=/usr/lib/java ./android

Hope this helps somebody.

Community-based support is not the same as commercial support.  Community-based support is a purely volunteer effort, and should not have particular expectations of response times.  For example, telling the community that a particular issue is “Urgent!” does not generally make it more urgent for the community.  Making no effort to solve the problem yourself generally leads to even less urgency from the community.  If you want a commercial level of support, pay for it.  For example, Canonical offers commercial support for Ubuntu.  There are many support vendors out there.

Open Source is not Public Domain software.  It has a copyright and a license.  I have seen several people complaining that particular libraries are GPL-licensed (or other so-called “viral” licenses) preventing them from using them in their commercial applications.  Please realize that you are asking to take someone else’s work for free and turn a profit on it.  Either participate in the social contract of open source, find another library, or approach the developer and offer to pay for a dual-license to allow use in your proprietary work.  Using GPL code without adhering to the copyleft provisions of the license is software piracy, which nobody should tolerate.  Presumably, if you don’t want your application to be open source, you’re looking for others to pay you for your work.  I don’t think you’d very much appreciate it being resold without a license and without revenue for you.

There is a social contract in addition to the legally-binding licenses behind FOSS.  Respecting it will continue to encourage the development of a productive software ecosystem.

H.264 Support

The h.264/RTP support in these camera doesn’t seem to fit to any real standard.  Multiple clients have complained about the malformed h.264 stream coming from these cameras.  (The I-frame numbering seems inconsistent, among other things.)

Hardware Capabilities

The manual claims the camera supports a maximum of 10 clients.  In our testing on a GigE network, video quality began to degrade at 3 Unicast clients (720p capture mode, h.264 streaming, GOV length of 32).  Looking at the CPU load on the cameras, load averages exceeded 5.0 with 3 clients.  This is completely unacceptable for our needs.  So we thought we would turn to multicasting.  We even called networking, confirmed that the network was setup for multicasting, and got a multicast IP allocation.  Seems that would fix things up, right?

Multicasting

Multicast support is an adventure.  Several readings of the manual found the only documented multicast capability was on Windows with IE and an Axis ActiveX control called Axis Media Control (AMC).  AMC, of course, requires administrator privileges to install.  Even that would leave Linux, Mac, and Firefox users in the cold.  I figured we were just missing something and we should contact AXIS Support.  Big mistake.  Big waste of time.  The response to the initial inquiry was, essentially, a nice RTFM:

Thank you for contacting Axis Communications. My name is <cut> and I will be happy to assist you today. The Axis Q1755 has multicast enabled by default, where as some of our older units required you to enable multicasting.

The manual is a good place to start
http://www.axis.com/files/manuals/um_q1755_35572_0905.pdf

On page 11 and 12 explains ways to pull the multicast stream from the camera.

Best regards,
Axis Customer Services

Ok, I figured that maybe they get a lot of people who haven’t read the manual.  Or maybe I missed something.  I reread the relevant section of the manual, but found nothing regarding standard RTP/multicasting support.  I typed up a longer description of the steps we had taken and asked about the location of a multicast-ready SDP file from the camera.  Their response, in its entirety, reads:

The Axis Q1755 has a configuration page for Multicasting.
http://<IP>/admin/config.shtml?group=Network
Under the section Network RTP R0:

Best regards,
Axis Customer Services

Clearly, this was what I asked, since I had included the current value of our multicast settings in a previous message.  Once more, I attempt to elicit useful information from Axis support.  Imagine my surprise when I received an informative, if disappointing response:

I have found another case which has this to say about multicasting.

Unfortunately RTP multicast using VLC doesn’t work on the new generation of products running firmware version 5.xx (like the Axis Q1755). Although multicast is only supported using AMC and Windows Media Player.
AMC is only available with Internet Explorer.

Best regards,
Axis Customer Services

In other words: we took out an industry standard and substituted our own homebrew multicast “solution” that only works with IE.  Thanks, Axis.  Removing functionality is always a market winner.

Conclusion: Don’t use Axis products unless you’re happy doing things the “Axis way.”  Forget industry standards.  With a little luck, this will be the last time I work on a project involving Axis cameras.  Fortunately, I think those who are making the buying decisions have seen the problems and will start looking at alternative suppliers.

Axis, and others: vendor lock-in = bad.  You might think it helps.  Think again.

I’ll probably lean towards working on an LPIC-1 certification next.

“The Art of Community” tackles a very difficult question in the Open Source world: how do you build a strong community around your project?  Jono addresses this by using anecdotal evidence of good community organization, and discussing the facets that apply to community development.  Jono’s varied experiences are shown through anecdotes about the Ubuntu community and other communities he has participated in.  The stories he shares are concise and clear, but demonstrate their points effectively and thoughtfully.  Jono’s writing skills are first-rate, with strong points made clearly.  He builds the community idea from grassroots to the enterprise and shows how community participation can help — and harm — at each step along the way.  It’s obvious that Jono knows what he’s talking about, and he communicates it well.  I highly recommend this book for anyone interested in the dynamics of a community or any project leader looking to build from the ground up.

Free IT Athens is a group of like-minded citizens who realize that computers are a necessary component of everyday life. We believe that everyone deserves access to low-cost computer equipment and computer-related services. Our goal is to provide access to information technology resources to Athens-Clarke County residents and organizations. We also aim to create well informed advocates in free software and open information technology.

I’m interested in helping/starting a similar organization here in the Atlanta area.  I know there are a lot of deserving individuals and community organizations, and it provides a great opportunity to showcase the strengths of open source software.  Unfortunately, there is no way I can get this off the ground myself.  I’m looking for some more individuals who might be interested in a meeting (either in-person or via IRC/dim dim/etc.) to discuss the feasibility and planning for such a group.  This (hopefully) serves as my “feeler” for others who might be interested in participating in/organizing such a group.