This Week: Heroes and Monsters

As regular readers will know, this is my occasional series of what I have read this week on the supersized interwibble.

Charting your command history

Firstly, a guy called Tom wrote in with a link to his blog:

Hi Zeth,

I recently came across your commandline blog and have found it a good read. It reminded me that a couple of weeks earlier (for no reason other than curiosity) I had done this

http://www.tomgibara.com/misc/command-history

Given the thrust of your blog, I thought it might be interesting to you and maybe your readers.

Tom

So his idea is to do a little analysis of your shell's command history. I followed his methodology on one of my computers, although I only used the default size (500 commands) as the sample, and I have ditched the less popular commands to make the chart narrow enough to fit on this blog; so here are my results:

Most frequently used commands graph

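For readers who want to reproduce the chart above, here is an added example of the kind of analysis described; it is my own script, not Tom's code or the page's. It reads a history file in the one-command-per-line format that bash writes, counts the executable name of the first pipeline stage on each line, and prints a text bar chart. The choices to count only the first stage, to skip leading environment assignments, and to look through wrappers such as sudo to the command they run are my assumptions, not something Tom's write-up specifies; the sample history embedded below is constructed for the demonstration.

```python
"""Count the most frequently used commands in a shell history file (added example)."""
from collections import Counter
import shlex

# Constructed sample in bash_history format (one command per line); not a real history.
SAMPLE_HISTORY = """\
ls -la
cd projects
git status
sudo apt-get update
ls
git commit -m "fix typo"
ls ~/Downloads
cd ..
sudo apt-get upgrade
git push
vim notes.txt
ls -l | grep foo
grep -r TODO . | less
"""

# Wrapper commands that only run the command that follows them; when one of these
# leads a line, the next word is counted instead (an assumption of this script).
WRAPPERS = {"sudo", "nice", "time", "nohup"}


def first_command(line):
    """Return the executable name of the first pipeline stage, or None for an empty line."""
    try:
        words = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes in a half-typed line: fall back to whitespace split
        words = line.split()
    # Skip leading environment assignments such as FOO=bar cmd
    while words and "=" in words[0] and not words[0].startswith("="):
        words.pop(0)
    while words and words[0] in WRAPPERS:
        words.pop(0)
    if not words:
        return None
    return words[0].rsplit("/", 1)[-1]  # /usr/bin/ls -> ls


def count_commands(history_text):
    """Tally command names over every line of a history file."""
    counts = Counter()
    for line in history_text.splitlines():
        line = line.strip()
        # Blank lines and bash timestamp lines (#1234567890) carry no command
        if not line or line.startswith("#"):
            continue
        cmd = first_command(line)
        if cmd:
            counts[cmd] += 1
    return counts


def top_commands(history_text, n=10):
    """Return the n most common commands as (name, count) pairs, most frequent first."""
    return count_commands(history_text).most_common(n)


def bar_chart(pairs, width=40):
    """Render a text bar chart of (name, count) pairs, scaled to the largest count."""
    if not pairs:
        return ""
    scale = width / pairs[0][1]
    return "\n".join(
        f"{name:<12} {'#' * int(count * scale):<{width}} {count}" for name, count in pairs
    )


if __name__ == "__main__":
    import os
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.bash_history")
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    except FileNotFoundError:
        text = SAMPLE_HISTORY  # fall back to the constructed sample
    print(bar_chart(top_commands(text)))
```

Run it with no arguments to chart your own ~/.bash_history, or pass a path to another history file. Note that the result only covers what bash has already written to disk; a shell that is still open has its recent commands in memory until it exits or you run history -a.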

Blocking Firefox

Marcin has a great post about some shills who are blocking Firefox from their webpages because some Firefox users install third-party adblocking extensions. Nutcases. Like refusing to sell newspapers to people whose secretaries might own scissors.

The kind of people who use Firefox are probably also the type of people who can distinguish between a useful hyperlink that has context and some random advert, so most of them will mentally block out the majority of ads anyway. While it is true that only a minority of web site visitors use Firefox, they are a sizeable minority (one estimate is 34%) and often they are the most demographically important users. Firefox users are consciously self-selected, so they are younger, richer and more educated. Not the people that any serious website wants to lock out.

I seriously doubt that even half of Firefox users, probably a lot less, have an adblocking extension installed so this misguided approach is punishing the innocent.

An even more important point is that there are ad-blockers for Internet Explorer too, such as this result, the first that came up in Google, and this second one, the second to come up. So what are you going to do now, block Internet Explorer as well?

Anyway, as I always say, as a publisher of a website, you should be committed to giving the best impression that you can to your visitors, within the individual constraints that you have; not dictating who they are or how they access the site is an essential element of good web design.

tante responds in a different way, namely to look at models of funding websites and argues that creativity is the key to an advert strategy that users will not torpedo:

Get out of your "I add a banner ad to my page and get paid for the retards that click on it" state of mind. Don’t see your customers as click-machines. That’s disrespectful and if you treat your customers like crap, they’ll go as soon as they can.

Taking over the world

Robin Bloor asks Could Linux become the dominant OS? He argues that it will gradually triumph over a long period of time.

The trends suggest that Linux will become the dominant OS - the commodity OS - both for the PC and the server, to the eventual detriment of Microsoft's revenues.

My view is that the monoculture of Windows is both unsustainable in the market and undesirable for society, and that instead of replacing one dominant operating system with another, the majority of the market will be a diversity of free operating systems, whether based on Linux, BSD, Solaris or on things that have not been invented yet. We can say with more certainty that the future seems very Unix-like.

Cheer the Heroes

Seema has written a short article about how to make OpenOffice start faster; the screenshots are from Ubuntu, but the tips should apply to OpenOffice on any system.

I noticed that a guy called Rob Cakebread is developing a tool called g-pypi, here is the description:

"g-pypi automatically generates Gentoo ebuilds for Python packages by querying the Python Package Index (PyPI/Cheese Shop)"

As you can imagine, this has huge potential. Rob has already managed to apply the tool to the entire Cheese Shop, in the process creating some 1315 ebuilds, a thousand of which are not currently in Gentoo. There is already a tool called g-cpan which does a similar job for Perl.

The next one is not new, but I first read it this week. Those of you into programming might be interested in Richard Jones's article listing Python's anti-pitfalls. By that, he means that "because the language has these features, it is harder to make programming mistakes".

Boo the Monsters

Andrew is firmly on the blog train, with a recent post about how truly awful and dated Sourceforge feels as an interface (it really is), and he discusses the predicted monstrosity that is the iPlayer in How not to write a cross platform application.

Some poor yank found that England has no free speech, at least in Peterborough, where busybody council bureaucrats seem to have nothing better to do than send wardens to harass some bloke about his chosen T-shirt. Is this the beginning of the end for the kiss-me-quick hat?

Matt Hartley writes that there is a 'coming divide' between community and corporate Linux distributions, an interesting perspective, but sadly he does not substantiate his argument with much in the way of evidence. I think that the individual Linux distributions often seem more important than they actually are, when there is a lot of upstream and downstream action which matters more. The divide is not so much between profit/non-profit organisational models but rather between Linux distributions that have a clue and those that make stupid short-term choices and throw away their goodwill, brand value and community relationships.

Quantifying web-app insecurity

I say we take off, nuke the site from orbit. It's the only way to be sure. - Corporal Hicks, Aliens

Some Linux distros have been doing audits of their servers and found problems; Gentoo has taken the official online package database offline for a little while. This is not much of a loss: other online package search sites exist, such as GPNL or Gentoo Portage, and every Gentoo computer has package search facilities built in.

Slightly more interesting is that an Ubuntu sys-admin took down many of its community-maintained servers for 24 hours. Sounds like a good plan; I would have done the same. However, I am not so sure about some of the reasoning behind it:

the servers, especially zambezi were running an incredible amount of web software (over 15 packages[1] that we recognised) and of all the ones where it's trivial to determine a version, they were without exception out-of-date and missing security patches. An attacker could have gotten a shell through almost any of these sites.

[1] art-web, gallery, drupal, phpmyadmin, wordpress, postnuke, phpbb, smf, moodle, planet, aspseek, moin, taskfreak, cms made simple, mediawiki, ...

I know most of these applications quite well, and some of them, due to the nature of the application, are security nightmares in various ways. For example, discussion forums are notoriously difficult security-wise, as you are letting anyone come along and put arbitrary text in your database.
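To make that last point concrete, here is an added example of my own (not code from the post or from any of the forum projects named above) showing why "arbitrary text in your database" is dangerous only when the application lets that text reach the SQL parser or the browser unescaped. It uses an in-memory SQLite table with two constructed posts and puts a string-formatted search query beside a parameterised one, and a raw HTML renderer beside one that escapes. The table layout and function names are my own assumptions, not any real forum's schema.

```python
"""User-supplied forum text: the vulnerable handling beside the safe handling (added example)."""
import html
import sqlite3


def make_db():
    """In-memory forum table with two constructed posts by different authors."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO posts (author, body) VALUES (?, ?)",
        [("alice", "Hello everyone"), ("bob", "Private note: meeting moved to Friday")],
    )
    return db


def search_unsafe(db, author, term):
    """Builds SQL by string formatting: the user's text becomes part of the query,
    so a search term containing quotes can rewrite the WHERE clause and drop the
    author restriction."""
    sql = "SELECT body FROM posts WHERE author = '%s' AND body LIKE '%%%s%%'" % (author, term)
    return [row[0] for row in db.execute(sql)]


def search_safe(db, author, term):
    """Parameterised query: the term is bound as data by the driver and never parsed
    as SQL, so quotes inside it are just characters to match."""
    sql = "SELECT body FROM posts WHERE author = ? AND body LIKE ?"
    return [row[0] for row in db.execute(sql, (author, "%" + term + "%"))]


def render_unsafe(body):
    """Interpolates the stored text straight into the page: any markup in a post
    becomes part of the page structure (cross-site scripting)."""
    return "<p>%s</p>" % body


def render_safe(body):
    """Escapes <, >, &, and quotes, so the text is displayed rather than interpreted."""
    return "<p>%s</p>" % html.escape(body)


if __name__ == "__main__":
    db = make_db()
    # A term that closes the LIKE pattern and appends an always-true clause.
    crafted_term = "%' OR '1' LIKE '1"
    print("unsafe search for alice:", search_unsafe(db, "alice", crafted_term))  # leaks bob's post
    print("safe search for alice:  ", search_safe(db, "alice", crafted_term))    # nothing matches
    print(render_unsafe("see <b>this</b>"))
    print(render_safe("see <b>this</b>"))
```

The difference between the two search functions is the only thing separating "text in a database" from "text in a query", which is why the database API's parameter binding, not manual quoting, is the fix; the same split applies on the way out, where escaping at render time keeps stored markup inert.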

Fortunately, these are all open source projects, so they are hardly going to turn around and sue the guy for slander; however, I think his post is in danger of tarring all these projects with the same brush.

PlanetPlanet, for example, is a very simple application; the only input is the RSS feeds. I am trying to think of how to get a shell through it (putting some specifically designed code in the blogs?). If PlanetPlanet has followed basic Python security practices then it should be more or less sandboxed from being able to do anything exciting.

MoinMoin's last known security problem appeared to be three years ago. The exploitability of the bug was classed as remote and the exploit theoretically allowed unauthorised users to revert or delete pages. A significant problem yes, but "could have gotten a shell", I'm not so sure about. I am not saying he is wrong, I just do not personally have any proof. Do you guys?

Anyone using a Windows server or desktop is betting that the numerous and real security problems will not affect them. I think sometimes we go a bit far in the open source world. If there is even the remotest academic possibility of a theoretical exploit then people go bananas. In this case it was justified, as there was a suspicion that one or more of the servers was actively attacking other machines.

Most of these PHP web apps are certainly liable to spam, however there is a difference between spam and insecurity.

The sys-admin goes on to state that:

Unfortunately it's simply not possible for us to maintain that amount of software in any sane or secure fashion.

Yes it is: get rid of Ubuntu from your server and install Gentoo, then you can use the webapp-config command to automatically update all the instances of your web applications.

Ubuntu is a desktop-focused distribution and is good at that; if it is bad at virtual hosting these web applications then use a distro that has specialised server tools for that, like Gentoo.

3 thoughts on “This Week: Heroes and Monsters”

  1. Maybe someone should point out the user agent switcher we can install as
    well. :)

  2. I'd like to replace sudo with su and remove its count a bit :).
    Also, blocking Firefox... Yeah, get rid of the early adopters, the group that
    is most likely to buy anything online...
    That's just dumb.
