Community Matters

I’ve been fighting to get TweetDeck to work on my Linux system for a while. There simply is no comparable native client under Linux. I’ve used Gwibber which is ok, but no comparison to TweetDeck.

There are a couple of problems to solve: first, you need to get Adobe Air to work. And with all due respect to Adobe – they clearly haven’t figured out the kinks to making their software actually install easily on the various Linux distributions. A quick Google search seems to make that painfully clear.

Forget 64bit Linux. Yes, allegedly it works for a few people with various 32bit libraries installed, but after six weeks of trying to get this to work I came to the conclusion that this was a lost cause.

And even with 32bit Fedora-11 there still are a number of problems to solve. First you need to make sure that you have all the dependencies installed – even though it would be easy to have rpm do that for you, Adobe clearly hasn’t figured out how to do that… so you have to do this manually:

sudo yum -y install gnome-keyring rpm-build nss

Then (thanks to erik jacobs) you appear to need to manually create another link for librpmbuild:

sudo ln -s librpmbuild.so.0.0.0 /usr/lib/librpmbuild-4.7.so

Now you are ready to run the installer:

chmod +x AdobeAIRInstaller.bin
sudo AdobeAIRInstaller.bin

But this still doesn’t solve the problem of installing AIR applications. Adobe wants to install them into /opt by default (which a regular user can’t write to) – and even after changing that to do writeable by my user things still failed with cryptic (and useless) error messages. So I finally figured out that I needed to manually download the AIR installer packages (like TweetDeck_x_yz.air) and then run the AIR application installer from hand (again as root):

sudo Adobe\ AIR\ Application\ Installer

and then pick the .air file in the file select box; the installer is too dumb to allow you to pass a .air file on the command line. Come on guys…

With all these steps I got it to work – but frankly I think this is an embarrassing sign for how much further AIR has to go to be really useful on Linux. 2 out of 10 points, Adobe…

The clash of the titans. War! Fight! It’s fun to read what has been written about the GoogleOS. Clearly this is getting the juices flowing. Nothing sells newspaper (or online ads, I guess) like a good old conflict. And who better to pit against each other than the Evil Monster Microsoft (seriously?) against the “do no evil” Google.

But of course that’s missing the point. Google isn’t writing a new OS. They didn’t do that with Android, either. They are using the existing Linux kernel. They are using tons of existing user space code that the open source community has worked on for 20+ years and that the Linux vendors have perfected over the last 15 years (and that Ubuntu has taken a free ride on for… wait, I digress).

So what Google really is doing is that it is putting its well proven brand and marketing muscle behind something that mostly exists. And then it’s using its not-quite-so-proven productization muscle (hey, Gmail is no longer in beta after umpteen years) to shape the very flexible Linux OS to its liking.

More focus on web. Less focus on native apps. More focus on binding the user to a monopoly (sounds familiar?), less focus on freedom and choice. We’ve seen this play out. Many times.

What is interesting is that with Moblin (and all the Linux OSVs who have announced Moblin compliant versions of their Linux OS) there is a pretty interesting contender just about to go product – about a year ahead of Google’s Chrome OS. So is Google actually hurting Linux here with its “quick – don’t look – we’ll do something even better!” announcement? I wonder. The timing is sure odd. Long before they have anything to show for, just making sure that no other standard emerges?

Well, time will tell. Moblin needs to succeed on its own merit – and it has plenty of time to do so. And a year from now we’ll know more about Google’s ability to create a production quality OS for a broad set of hardware platforms. In the mean time I’m excited about all the opportunities.

Oh, you may have noticed that I didn’t talk about Microsoft Windows 7 and Apple OS X in this post. That’s right – those target different markets (I know, MS dreams of Windows 7 for Netbooks – but at a 20% price premium compared to a free OS… that will be a tough sell). I don’t think that Google Chrome OS (or Moblin, for that matter) will have a chance against W7 and OSX on full fledged notebooks, desktops and workstations. And I don’t think that either is trying to do that. On the other hand I think that there’s plenty of space for a free OS on limited capability. And that’s where Google’s Chrome OS is indeed competing with Moblin, Google’s Android and other Linux based offerings.

Peter Schütte is a local photographer here in Portland who does wonderful Oregon Photo Workshops – if you are a beginner or a more advanced photographer, check out his site and the classes that he offers. They are a lot of fun and extremely instructional – I certainly have learned a lot from him and can’t wait to find the time again to go to another workshop this summer.

I’ve already done his Central Oregon High Desert Safari, the Portland at Night and the North Coastal Photography workshops (and a couple others that I’m forgetting right now). Definitely worth it.

After seeing hosting providers offer Atom based dedicated servers I started wondering how they are doing that? A pile of EeePCs? Unlikely.

Turns out there are a couple of companies offering blade servers with Atom blades – one is SERVER8 in Italy which seems to have a very smart approach – off the shelf Micro-ATX or Mini-ITX motherboards, including Atom-based motherboards can be used in a custom 6U case following the Open Blade spec.

SuperMicro offers 1U Atom-based servers and has announced an Atom-based blade server as well. There are do it yourself 1U rack mounted servers available. And I’m sure there are more similar offerings out there.

In general I guess server processors are the better fit for servers – but for this interesting niche market of people who want a dedicated server but don’t need a ton of performance (i.e. for things like hosting your own blog) these atom-servers could really be the perfect solution.

After posting about hosting your own blog a couple of days ago, one of my co-workers pointed out to me an interesting new trend that he has seen… more and more server hosting providers offer entry level servers based on Intel Atom motherboards at prices that start to compete with virtual private servers.

That’s an interesting use of the Atom processor (which I tend to think of as the netbook CPU). But for many typical blog hosting scenarios a system like this offers plenty of performance with all the advantages of having your own dedicated server – and really good prices.

InterServer offers a dedicated server (cutely named “VPS Buster”) for $39/mo. Others offer similar pricing. Nice.

(and no, I don’t get money from linking to them, sadly. It was just the cheapest that I found in a few minutes of googling – feel free to comment if you see better deals elsewhere)

I have never hosted any of my personal blogs anywhere else. And every time I talk to people who do I am happy that I was never tempted. There are way too many issues with doing that. Lack of control would be my number one concern. I want to be able to decide which OS I’m running, which version of the web server, which libraries I have available. Which blogging software and which version of it. Etc.

If you host with Blogger or Typepad or even on WordPress.com you are restricted to the versions someone else is willing to give you. You can’t change the underlying blogging tool, can’t install a new library – often can’t even install a plugin.

The other day I started hosting my wife’s blog. That brought it home to me. You want a development blog? Sure, no problem. Let me add another WordPress instance under a different hostname. You need the GD library? No problem, apt-get install php5-gd and that’s taken care of (I decided to run Debian on my servers quite a while ago). There’s a problem with xyz? Let me take a look in the log file. Very powerful. Very liberating.

Yes, some of the hosters like Dreamhost allow you something almost as good. With lots of choices and lots of control. But still, you’re in a jail – it’s just bigger and more flexible. The only way to really control what you are doing is to host the blog yourself. On a VPS or (like this blog) on a dedicated server.

The alphas showed some of the work done on the underlying technologies – things around fast boot, battery optimizations, etc.

The beta for the first time shows the new user experience. This is not just another client OS – and definitely not a Windows 95 lookalike (which way too many Linux client OSs still are).

Check it out on the Moblin site.

This is a topic that I have been tossing around for a while. The fact that I gave a presentation about this at this week’s SambaXP conference in Göttingen has forced me to put some structure around my thoughts.

Single sign on is a commonly listed goal in the IT industry. You authenticate once and then have access to all kinds of applications or services via the net. This sounds good, but of course it comes at a price. The damage that can be done if your credentials are compromised increase dramatically if they can be used in many places.

A simple example. Let’s say you use your login credentials to also be able to access your email account. That’s wonderful – one less username and password to remember. But unfortunately a number of email clients (or email retrieval apps like getmail or offlineimap) have no convenient way to securely store your credentials – or are easily fooled into handing these credentials to a proxy server. Which suddenly exposes your “general pass key” to your account to an attacker.

Of course you can use SSL encryption on your email protocol (e.g., imaps) to make man in the middle attacks harder – but that only works if you have signed certificates and a correctly built and trusted CA in place with the CA certificates installed on all clients. Which gets a little harder with the proliferation of mobile clients. For example, when using your favorite email client on your Android phone (or Nokia N71, or…), who hasn’t clicked ‘accept’ when asked to verify the authenticity of an SSL certificate provided for the server that wasn’t signed with a key that’s installed in the client’s CA keychain. You may have looked at the certificate to make sure that it looked sane – but did you verify it?

That’s a huge risk when allowing authentication with typical username / password based single sign on credentials on internet-facing servers. Yet that’s a very common practice.

So what can you do? One school of thought is “just don’t do it”. Have separate credentials for all services, force distribution of CA certificates, enforce SSL or SSH as a minimum requirement to connect to any services and basically device and conquer the risk. But frankly, that makes mobile clients far less attractive, interaction with network facing applications and services more difficult and generally reduces productivity. And in the end, if users are forced to use too many distinct username / password combinations they tend to use simple algorithmic passwords (or simply write them down somewhere in clear text).

Another alternative is to look at ticket based systems like kerberos and the way they handle credentials. Kerberos (and it’s implementation in Microsoft’s Active Directory) encrypt all traffic and use a rather smart system to prevent man in the middle attacks. Assuming strong passwords (to prevent the well documented offline password guessing attacks) you can create a decent sign on system that can be used with mobile clients – assuming the client software stack includes the necessary code to authenticate against A/D – which unfortunately is not universally the case today.

Ideally for each account with a service provider you as the user would be able to pick how to authenticate – using a ticket authority of your choice – potentially with different identities between different services, potentially with the same. This way you could control which services share the same ID, ensure that all authentication is secure and at the same time make it easier to manage these identities securely in a mobile device.

Samba is a widely used open source implementation of the necessary pieces of A/D. It allows clients to authenticate against Active Directory servers or other kerberos based authentication servers and then only distribute tickets (that don’t include the actual credentials) to authenticate against services. One downside of using Samba’s model of implementing the different components of MSRPC as monolithic applications instead of APIs is that it makes it harder to use in this context (providing authentication services in the mobile world); also, Samba has gaps in its support for the full breadth of A/D (missing some of the SSPI providers).

Still, it’s a good start. An alternative could be Likewise Open as it matures. Kirshna and his team certainly are focused on a complete implementation of the necessary APIs – but the mobile client isn’t their focus area, either.

The discussion after my presentation showed some interest in the community to tackle the problem, but of course this will require the service providers and the device vendors to cooperate as well. But first more people need to understand the underlying problem that needs to be solved…

As part of my brief set of posts on getting Linux systems (and sometimes Macs) connected to wireless networks beyond WiFi, here’s a quick post on what’s different when connecting to Vodafone.de with their prepaid CallYa SIM in a Huawei USB stick (this is actually a stick that I bought in London for the O2 network – just switch out the SIM… one of the nice things about GSM based networks).

The first few problems that I ran into shouldn’t affect most people, but just in case… be warned, if you have setup your system to use Vodafone.uk in the past, you are likely to have incorrect settings laying around in conf files…

Once those are removed, plug in your modem and simply create a new connection under Network Manager / Mobile Broadband. Set the APN to event.vodafone.de (this is important – contract SIMs use web.vodafone.de but that doesn’t work with CallYa SIMs). You can type in your PIN in that dialogue as well, that way the system doesn’t ask you for it after every reboot. All the other information is optional or not needed – except for the phone number; the usual *99# does the trick.

Go to the Network Manager icon and click on the new connection you created (it should show up under Mobile Broadband, assuming your modem got recognized correctly). Once the connection is established (the NM icon changes to a broadcast tower) open a web browser and navigate to any arbitrary web page. Vodafone will redirect you to a page where you can pick whether you want to purchase 30 minutes, an hour or a day’s worth of “unlimited” internet. Once you went through that process, everything should work. If I tried to open an ssh connection (or something else) before doing the magic web page thing the system occasionally got confused…

After sitting on the sidelines for a long time I finally figured “what the heck” and started to use Twitter.

You can find me as dhohndel.