In 2007, XenSource was leading the commercial push for the open source Xen Hypervisor. XenSource was acquired by Citrix for $ 500 million that year, bringing in some of the leaders of the Xen community, including Simon Crosby who served as the CTO of XenSource. In 2011, Crosby left Citrix to start something new -– a company called Bromium.

Bromium is led by Crosby along with Xen co-founder Ian Pratt and Gaurav Banga, formerly the CTO and senior vice president of engineering at computer BIOS maker Phoenix Technologies. Bromium to date has raised $ 9.2 million in venture funding. The company has remained for the most part in stealth mode — but in an interview with InternetNews.com, Crosby talked about the big problems that Bromium is aiming to solve, and why he thinks it holds the potential to change IT.

“It is a challenging problem in computer science. We’re trying to build trustworthy computing infrastructure,” Crosby said.

Read the full story at eSecurityPlanet:
Secure by Design: The Future of IT Security?

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.

InternetNews.com All News

“Zuckerberg doesn’t think about his wealth.”

David Kirkpatrick, author of ‘The Facebook Effect,” commenting about the Facebok IPO (Bloomberg)

“The Internet is a big multi-tenant network.”

John Engates, CTO of Rackspace taking aim at the myth that a multi-tenant public cloud is not secure (eSecurityPlanet)

“I wish we had more management for virtualization in initially. By not doing that, it forced our customer base to go back to the proprietary model with hypervisors.”

Paul Cormier, Executive Vice-President of Red Hat, taking about regrets he has over the last 10 years of Enterprise Linux (ServerWatch)

“If the newest and most exciting thing at SAP is the acquisition of SuccessFactors, well, then God help SAP, because that just isn’t that exciting.”

Salesforce.com CEO, Marc Benioff berating his competition during Salesforce’s Q1 earnings call (EnterpriseAppsToday). 

“When we started out, many people thought that all the server vendors would hate virtualization, but the opposite has happened.”

Steve Herrod, CTO of VMware commenting on how virtualization is now embraced by server vendors (InternetNews)

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.

InternetNews.com All News

UGP (Ubuntu Gaming Project)

If you’re like me, you sometimes get an omni-potent feeling when staring down the proverbial ‘barrel’ of the BASH shell.  And why shouldn’t you?  It’s built-ins have everything you need to conquer the world.  In fact, you might even use it to get away with murder.  Of course, we’re not here to kill anyone.  …We just want to cover our asses when the boss comes looking for our TPS reports.

Scenario 

You are habitually late meeting your deadlines at work.  Your boss asks for April’s TPS report and demands that it be completed and in his inbox by Friday, 05/04/12.  Friday has come and gone, though luckily your boss was out of town that day.  You know that he is still expecting to see a PDF in his inbox, so you use imagemagick to make a phony, 3-page PDF.

Imagemagick has a great tool built into it called convert.  We can use that to generate a 3 page PDF easily.

First, install imagemagick, though you probably already have it installed.

Ubuntu/Mint/Debian

sudo apt-get install imagemagick

Now, let’s make the phony document.  We will start out by making 3 blank images.  In order to elicit the right response from the recipient and pull this off proper, it has to be believable.  This command will produce 3 jpegs in portrait mode, with 8×10 dimensions at 300 dpi

convert -size 2550x3300 -density 300 xc:white apriltpsreport1.png

convert -size 2550x3300 -density 300 xc:white apriltpsreport2.png

convert -size 2550x3300 -density 300 xc:white apriltpsreport3.png

If you wants the pages to be in landscape, just reverse the dimensions.

convert -size 3300x2550 -density 300 xc:white apriltpsreport1.png

Next, we can use convert to combine all of these images into a PDF.

convert apriltpsreport* apriltpsreport.pdf

NOTE:  If you’ve actually put the hard work into making a real report, and you need to combine all of those elements into a multipage PDF, don’t use the wildcard (*) like I have above.  List each image successively in the order you would want it to appear in the document.

Now, here is the full command that will create all of the images, combine them into a PDF, and clean up the mess that it wants to leave behind.

convert -size 2550x3300 -density 300 xc:white apriltpsreport1.png && convert -size 2550x3300 -density 300 xc:white apriltpsreport2.png && convert -size 2550x3300 -density 300 xc:white apriltpsreport3.png && convert apriltpsreport* apriltpsreport.pdf && rm apriltpsreport*.png

The Setup

Now, we’re not ready to send this file just yet.  You see, the boss man is not the sharpest tool in the shed, but at the same time he is desperate to catch you in a surreptitious act.  He might have the notion to check the file creation date.  If that time is just a minute or two before you sent the email to his inbox, you are toast.  This is your chance to make yourself look good.  The project was due on the 4th, but as far as he can be concerned, you finished it on the 1st!

touch -d '1 May 2012' apriltpsreport.pdf

Great!  Now you’ve successfully modified the file.  It will now show that you created it on May the 1st, but since we are playing psychological warfare, we need to consider all things.  What does your boss really expect?  Well, for starters, he doesn’t expect you to finish things on time.  That’s what we are here to overcome- and we did- so what else?  If you do finish a project on time, it’s at the last minute.  So, this is the command we really should be running…

touch -d '1 May 2012 16:49' apriltpsreport.pdf

There, that’s better.  Now he can see that the project was completed at 4:49pm, right before you walked out the door.  Though, that might not be enough.  What about the last accessed time.  You don’t want him to think that you’ve been fooling with it since the first.  Let’s fix that.

touch -amt 201205011649 apriltpsreport.pdf

Pages: 1 2

The Powerbase

From the ‘I told you so’ files:

When Apache OpenOffice 3.4 was released last week — the first OpenOffice release under Apache – I *guessed* that it was likely a better fit for Windows and Mac users than for Linux users.

As it turns out, after a week of availability, that’s exactly the case.

The Apache OpenOffice project today announced that after a week of availability they have had over 1 million downloads. Not a bad number, except for the fact that:

ONLY 2 PERCENT WERE ON LINUX.

87 percent of downloads were for Microsoft Windows and 11 percent for MacOS. Yes, I know, Linux users could potentially have downloaded OOo from a different repo as opposed to just getting it from Sourceforge. Still, the numbers are telling, OpenOffice is a great alternative for Windows and Mac users to the proprietarylock-in of Microsoft.

Linux users however, know better. They know that while OpenOffice is good software, LibreOffice is better. Time will tell if the Linux numbers improve for OpenOffice, but I strongly suspect they won’t.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.

InternetNews.com All News

The cloud makes it easy to build out pools of compute resources. But how do you scale out applications in the same way? That’s the goal of VMware’s latest vFabric 5.1 release.

The vFabric application development platform first debuted back in 2010 and has been evolving ever since. The vFabric 5.1 release now includes the vFabric Application Director, integration with in-memory database and traditional SQL database technology as well as full support for the open source Apache Tomcat application server.

“The vFabric Application Director is a tool that allows you to leverage the construct of a virtual machine to automate the deployment of application architecture,” David McJannet, VMware’s director of Cloud and Application Services, told InternetNews.com. “Application Director lets you create a blueprint so that every new web application you create for an environment for deployment can be replicated and automated.”

The vFabric Application Director approach fits into VMware’s overall Software Defined Data Center vision that CTO Steve Herrod articulated at Interop last week. It’s a vision where software is the platform that defines how things work in a data center, instead of relying solely on hardware. While vFabric can automate application deployments, on its own it doesn’t handle the infrastructure piece of the puzzle.

“Application Director is simply an exercise in creating common blueprints for application deployment,” McJannet, said. “It presupposes that you already have a pool of infrastructure already setup, secured and available. Application Director is about leveraging infrastructure that is already in place.”

Read the full story at Datamation:
VMware Advances Cloud Automation with vFabric 5.1

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.

InternetNews.com All News

In a webcast event Tuesday, Red Hat executives reminisced about that milestone event and offered a few predictions about the future of their server operating system platform. Now after 10 years of releases and innovations, Paul Cormier, Executive Vice-President of Red Hat, sees the most important event in the history of RHEL as being the creation of the RHEL model itself.

Cormier he does have regrets about how his company initially implemented virtualization.

“I wish we had more management for virtualization in initially,” Cormier admitted. “By not doing that, it forced our customer base to go back to the proprietary model with hypervisors.”

That said, Red Hat now has a full virtualization management offering integrated with RHEL, so users can migrate to an open source solution.

Another area where Red Hat is trailing its rivals is in commercial deployment of the OpenStack open source cloud platform. Rival vendor Ubuntu Linux has been supporting OpenStack for over a year, while Red Hat only officially embraced the platform this year.

Read the full story at ServerWatch:
Red Hat: No Regrets About Moving to the Enterprise Model

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.

InternetNews.com All News

Now, not only can I take advantage of my Amazon Prime membership on our
55″ TV, but also my family can watch clips of The Target
Lady on Hulu. I
don’t think the add-ons in the bluecop repo are endorsed by any of the
streaming-media providers, but it seems they pull video only from the
Web. If you want to extend your XBMC setup to include a huge selection
of streaming media, check out the bluecop repository (http://code.google.com/p/bluecop-xbmc-repo). Richard, thanks
for the tip!

Retro TV image via Shutterstock.com

Linux Journal – The Original Magazine of the Linux Community

From the ‘Most Successful Open Source Foundation’ files:

For many, the name Apache is synonymous with the most successful open source project of all time – the Apache HTTP Web Server. The Apache Web Server has dominated the web server landscape for the majority of the Internet Era, even as rivals (open source and otherwise) have attempted to make in-roads.

While the Web Server is primary to Apache, it’s important to remember that it’s only one project out of MANY. The Apache Software Foundation today issued a momentum release highlighted just how many project it has now and how large an impact it now has on a wide range of technologies.

There are no 104 Top Level Projects (TLPs) at Apache. That’s a record number of actively developed projects for the foundation. For me, the big names are Tomcat which dominates the Java Application Server space and of course Hadoop, which is now the standard by which all other Big Data technologies are measured.

Looking beyond the 104 TLPs are 51 incubated projects (or Podlings) including big names like Wave (formerly Google Wave) and OpenOffice (formerly Oracle/Sun). The Apache Way provides a lifeline for those cast-off corporate effort to find new vibrancy and grow in a way that they would not be able too, anywhere else.

And let’s not forget about the Apache HTTP Server, the one that I still think of as just ‘Apache’ after 17 years, it’s still going strong. The Apache 2.4 release came out in February and it’s just made of pure awesome.

The Apache Software Foundation is THE great open source success story. Yes Eclipse and the Linux Foundation are fine efforts as well, but the sheer volume and influence of the ASF is undeniable. From web serving, to apps serving to Big Data to office applications, the ASF is where open source development projects thrive.

“There’s no stopping the interest in Apache-led projects –from the number of innovations in the Incubator, to best-in-breed solutions powering mission-critical applications, to the widespread popularity of the Apache License,” ASF President Jim Jagielski said in a statement. “The Apache community at-large is driving this momentum by providing code, documentation, bug reports, design feedback, testing, evangelizing, mentoring, and more. There’s always a way to contribute!”

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.

InternetNews.com All News

When the Bitcoin mining craze hit its peak, I felt the tug to join this new
community and make some easy money. I wasn’t drawn only by the money; the
concepts behind Bitcoin mining intrigued me, in particular the new use of
graphics processors (GPUs). With a moderately expensive video card, you
could bring in enough money to pay off your initial investment and your
electricity bill in a relatively short time.

Then Bitcoin tanked. That’s okay though, because I hadn’t gotten around to
building my mining rig yet, and what’s more, I found an even more
interesting use for Bitcoin mining hardware: password cracking. Bitcoin
mining and password cracking are quite similar operations, and a GPU can
crack passwords much faster than a CPU or even a small cluster of CPUs. In
this two-part article, I explain how to set up and use a password-cracking computer. In this first piece, I focus on the principles
behind password cracking and the overall hardware setup. I’ll cover the
specific attacks and command-line examples in the following article.

Legitimate Reasons to Crack Passwords

Before I get started, let’s admit that there are some pretty shady reasons
to crack passwords. Every so often you will hear a story of a Web site that
was hacked, a password database that was compromised and the thousands of
weak passwords that were discovered. Often people get into password
cracking because they are trying to break into someone else’s system, or
they already broke into someone’s system, stole their password hashes and
are cracking the passwords so they can attack yet another system.

That said, like with lock picking, there are legitimate reasons to crack
passwords, particularly for a sysadmin or Webmaster:

• Test local users’ password strength.

• Prove that users follow your password policy.

• Understand what your password policy should be.

• Cryptography is interesting.

• Bitcoin mining is no longer profitable.

In fact, many Linux systems will run a basic dictionary attack when you
change your password to evaluate how weak it is. Although it’s true that these
days most password systems will not allow users to enter passwords that
don’t fit the password policy, some systems simply let users know
their passwords are weak but store them anyway. In either case, it makes sense
to audit your passwords at a company just to ensure that a random hacker
with a $ 300 video card can’t crack your passwords in a day or two. When you
put yourself in the role of the password cracker, you’ll start to realize
which passwords are easy to crack and which ones are almost impossible, and
that will help inform you when it’s time to update your password policy.

An Introduction to Password Hashes

Password hashes were created to solve a particularly tricky problem. If
users must enter passwords to log in, you have to store those passwords on the
system somehow. How do you store those passwords so that they’re not plain text,
yet when users enter their passwords, you can tell that they are correct?
The solution is to encrypt passwords with a one-way hash. The idea
behind a one-way hash is that it is relatively easy for input to get
encrypted into the hash, but almost impossible to convert the hash back to
the original input. If you’ve ever downloaded a Linux .iso and ran md5sum
on it to make sure it matched the original, you were using a very popular
one-way hashing algorithm, MD5. Other popular one-way hashes include the
SHA family (SHA1, SHA256 and SHA512), and phpass is the modern default for
PHP-based sites like WordPress.

When you log in to a Linux system, the password you enter gets converted
into a hash with the same algorithm originally used when you first set your
password. The system compares this new hash with the hash it has stored on
the system, and if they match, it assumes you entered the correct password
and you are logged in. So for instance, on a modern PHP site, if your
password was 123456, it might get stored as
$ P$ BPlIiO5xdHmThnjjSyJ1jBICfPkpay1.

How Password Cracking Works

On a very basic level, password cracking works much like a regular login.
You take a password guess, run it through a hashing algorithm and compare
it to the existing hash. If it matches, you cracked the password. The main
difference between cracking and a regular login is that you are doing
hundreds of thousands if not millions of these comparisons a second.

/etc/passwd and /etc/shadow

The most important thing you need before you crack a password is the
password hash. Because we are talking about perfectly legitimate uses of
password cracking, this is simple. After all, you should have root access
on your own systems or databases, and it should be easy to retrieve the
password hashes. In the case of Linux logins, these password hashes used to
be stored in /etc/passwd. That seems like a logical place to store
passwords on a Linux system. The problem is, that file also stored the
user names and user IDs in use on the system, and because of that, the file
needs to be world-readable. Back when passwords were stored in that file,
any local user could pull the full list of password hashes and start
cracking. These days, Linux stores the password hashes in /etc/shadow, where
they are readable only by root. In the case of Web site passwords, the
hashes usually are stored either somewhere on the filesystem itself or
often in a special user table in a database.

The second important thing you need is to know what hashing algorithm
was used for those hashes. Without that, you won’t know what type of
hashing algorithm to use for your attack. In the case of login hashes, the
hash type is stored in the password hash itself. If you look at a password
hash in /etc/shadow, you’ll notice a log of strange characters along with a
few $ thrown in. These $ characters delimit different sections of the hash
as follows:

$  id $  salt $  encrypted

The id section tells you what hash is being used:

• 1 = MD5

• 5 = SHA-256

• 6 = SHA-512

These days, you are most likely to run into SHA-256 and SHA-512 passwords.
Because the hashing algorithm and the salt are stored along with the
password itself, Linux password hashes are pretty portable. If you have one
hash, you can copy it to another system and use the same password to log in.

Why Use a GPU?

The simple reason to use a GPU instead of a CPU for password cracking is
that it’s much faster. It turns out that cracking passwords is a lot like
mining Bitcoins, so the same reasons GPUs are faster for Bitcoin mining
apply to password cracking. The short answer is that there are many more
specialized chips on a GPU that perform 32-bit operations really quickly.
Although a CPU can perform a lot of general-purpose calculations, the chips on
a GPU can perform specific types of operations much faster, and in a much
more parallel way. If you want more specifics, this site explains in more
detail from the perspective of Bitcoin mining:
https://en.bitcoin.it/wiki/Why_a_GPU_mines_faster_than_a_CPU.

The Hardware

The most important piece of hardware you need to crack passwords is a fast
GPU. Because cracking passwords is like mining Bitcoins, you can get a good
idea of how your GPU would perform by how well it would mine Bitcoins.

This
site provides a good list of available video cards and describes their
performance: https://en.bitcoin.it/wiki/Mining_hardware_comparison. When
you look at that site, what you’ll notice is that AMD GPUs tend to be much
faster than NVIDIA GPUs, even though for gaming often the reverse is true.
The reason for this is explained in detail in the explanation of why a GPU
mines faster than a CPU, but in short, AMD GPUs tackle the problem of
graphics rending with a lot of small, simple chips that perform 32-bit
operations quickly. NVIDIA GPUs have fewer, but more sophisticated chips
that are closer to a CPU in complexity. For the purposes of Bitcoin mining
or password cracking, which can be highly parallel, those larger number of
simple chips work the fastest. Also note that cracking software can take
advantage of multiple GPUs, so if you can afford it, and your motherboard
can support it, you may find you’ll get the same performance out of two
cheaper GPUs than a single expensive one.

In my case, I didn’t have a desktop PC lying around I could use for this,
so I built a special desktop just for password cracking. In case you want
to follow in my footsteps, here is my exact hardware along with prices:

• GPU: SAPPHIRE FleX 100312FLEX Radeon HD 6950 2GB: $ 280

• Power supply: RAIDMAX HYBRID 2 RX-730SS 730W: $ 60

• Motherboard: ASUS M4A88T-V: $ 95

• CPU: AMD Phenom II X6 1090T Black Edition Thuban 3.2GHz: $ 170

• RAM: Corsair CMX4GX3M2B2000C9 4Gb 240-pin DDR3: $ 55

• Storage: Seagate ST95005620AS 500GB 7200 RPM Hybrid Drive: $ 100

• Case: already owned

• Total: $ 760, $ 930 with monitor, $ 340 just GPU + PS

If you already have a desktop that supports a modern video card, you may
need to purchase only the GPU and power supply. Keep in mind that modern
high-performance video cards require a lot of power, so you’ll want at
least a 700W power supply in your case, and more than that if you intend to
chain two video cards together. I found that the AMD 6950 had good
performance for my budget, plus this particular model can theoretically be
turned into a 6970 with a firmware update. If you have a larger budget
though, you may want to buy two or more 6950s and chain them together.

So there you have it. You now have a month to get your hardware together,
and next month, I’ll discuss the software side of password cracking, explain
dictionary, brute-force and mask attacks, and give specific examples with
my password-cracking system.

Resources

Why a GPU Mines Faster Than a CPU:
https://en.bitcoin.it/wiki/Why_a_GPU_mines_faster_than_a_CPU

Mining Hardware Comparison: https://en.bitcoin.it/wiki/Mining_hardware_comparison

Password image via Shutterstock.com.

Linux Journal – The Original Magazine of the Linux Community