The (standard) native Spotify Linux buyer got support totally free accounts recently. This is one way to install the idea on Ubuntu along with fix some bugs including not having the capacity to play local tunes in Ubuntu 11. 10 Oneiric Ocelot.

You should be aware that Spotify for Linux is often a preview release and is also currently unsupported therefore you may encounter troubles!

Install the ancient Linux Spotify buyer under Ubuntu

1. Add the Spotify repository (are going to be used to deploy Spotify and stay up-to-date with the most up-to-date Spotify versions).

Launch Software Sources with all the following command:

gksu –desktop /usr/share/applications/software-properties-gtk.desktop /usr/bin/software-properties-gtk

2. Under Software Sources, switch to the “Other Software” tab, click “Add” and paste the following line:

deb http://repository.spotify.com stable non-free

As soon as you do this, two repository lines are in reality added and the next one (regarding source code) will display one when running “sudo apt-get update”, thus remove this series:

http://repository.spotify.com stable non-free (Source Code)

from the same “Other Software” tab in Software Sources. Once you’re done, close the Software Sources window.

3. Import the Spotify repository key and install Spotify for Linux:

sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 4E9CFF4E
sudo apt-get update
sudo apt-get install spotify-client-qt

Spotify fixes for Ubuntu

Spotify has been installed, but if you are using Ubuntu 11.10 Oneiric Ocelot (or newer), you can’t play local music, or at least some file types don’t work and you’ll get a sound decoder error:

“There is a problem with the sound decoder. Spotify can’t play music”

This may even occur for some Spotify tracks.

To fix this, you need to install libavutil50, libavcodec52 and libavformat52 from the Ubuntu 11.04 Natty Narwhal repository. To make it easier (thanks to yugnip!), you can get all 3 from here:

32bit
64bit

Download the .debs above in a new folder, then use the terminal to navigate to it (“cd /path/to/folder”) and run:

sudo dpkg -i *.deb

Another problem is that Spotify for Linux doesn’t show any artwork in the Ubuntu Sound Menu, at least in Ubuntu 11.10. To fix this, use the command below:

mkdir -p ~/.cache/indicators/sound/album-art-cache

Unfortunately I didn’t found a fix for the out of place “Upgrade” button.

The Solution :
To start, you should close Skype and kill the heart beat audio server. To achieve this in one fast command open any terminal and work

killall skype && killall pulseaudio

Next you should tell your heart beat audio server never to auto launch alone (which it can by default). To achieve this we simply must add one configuration setting with a file. To try this run the control:

nano ~/. pulse/client. conf

Inside the text file which is opened paste these line:

autospawn = no

Save and shut the file (ctrl+x when working with nano), launch Skype and you should be good to look.

Hope this will save you someone the 20 moments I spent running around Google to locate this information.

red letting are command that you need to issue as root

1. click on Computer > More Applications > YaST

2. Put in root password for YaST

3. Scroll down until you see Software Management and single click on it

4. Check for the following software. If you don’t have it installed, install it

   1. kernel-source

   2. gcc

   3. gcc-c++

   4. make (This is most likely already installed, but just to double check)

5. Once you have installed that software, lets head over to the command line. Right click on the desktop and select “open terminal”

6. Once you get into the terminal, you want to log in as a super user or root. You can do this by using the su command

   clmowers@linux-box:~> SUPassword:linux-box:/home/clmowers #

7. Next you want to run the following command. This will check for the needed software and it will also show you the kernel modules that are installed. You MUST have the same kernel numbers though out, or you will have issues later down the road

   rpm -qa kernel* gcc* make

   It will look like this when the command is run

   linux-box:/home/clmowers # rpm -qa kernel* gcc* make gcc-c++-4.2-24make-3.81-66kernel-source-2.6.22.17-0.1 gcc42-c++-4.2.1_20070724-17 kernel-default-2.6.22.17-0.1 gcc-4.2-24 gcc42-4.2.1_20070724-17

   Notice that both of the kernels are the same. If these numbers are diffent then you need to run the online updates to get the lastest ones and to make sure everything matches. ***Just remember that these numbers change, This was the latest kernel when I wrote this, yours might be different from mine.

8. OK, lets move on. Next we want to change the directory to /usr/scr/linux. We can do that by this command

   linux-box:/home/clmowers # cd /usr/src/linux

9. next we want to issue these commands. Don’t worry, we are almost done in the command line for the time being.

   linux-box:/home/clmowers # make mrproper; make cloneconfig; make modules_prepareYou will notice that it is done when you get back to this linelinux-box:/home/clmowers #

10. YEA!!! The moment we all have been waiting for, installing vmware server. But we are not done yet. Once vmware server is installed we will need to configure it. Then you can start adding all the VM that your heart desires.

11. Next you want to go to where you have downloaded the file and right click and select install software

12. Once the windows closes we are ready to configure it. I know I know, but we are almost done. Just 2 more minutes.

13. open up a new terminal window (or open the one you already had) and issue this command

    linux-box:/home/clmowers # cd /usr/binlinux-box:/usr/bin #

14. This will bring you to the /usr/bin directory. Next we want to run the pl script the vmware was so kind of to provide us. This will let us configure the server

    linux-box:/usr/bin # vmware-config.pl

15. We will start out by reading the EULA. Hit space or enter to go through the agreement. Once you are done reading hit Q and then type yes. Now what I did was just accept all the defaults. This will give you a very good install of vmware. My only suggestion would be to create a folder under your /home/username/ directory called vms. When you get to the question asking you where you want to have your virutual machine saved, type in that location.

16. You will be ask for your license key, so make sure that you have one. Type it in and press eneter.

Installing Ruby on Rails (RoR) on windows, OSX and Linux. Generally there are 3 installations: OSX, Windows and Linux, and Linux install is the most easy one.

Windows:

Go to http://www.rubyonrails.org/, and download the package containing gems (windows installer).

Install the package.

Update the gem system via:

gem update –system

Update installed gems via:

gem update

When this is done install the relevant gems. I would suggest the following as a minimum:
*rails (for the framework)
Please note, that rails 2.02 is the newest version, you can install an older version via

gem install v1.2.6 rails

*mysql (for database assess)
*mongrel (webserver better when webrick)

When asked for the version you want to use, choose the newst version, that has win32 in the option.

OSX 10.4 and 10.5

Go to http://www.macports.org/ and download the correct version of the file (tiger/leopard).

Read through the installation guide: http://www.macports.org/install.php

Quick guide:
Install the correct xcode for your system.
Install the macports program (this can take a little while)
When done, do:

sudo port install ruby
sudo port install rb-gems (enabling gems under ruby)
sudo gem install rails (framework)
sudo port install rb-mysql (mysql for use under RoR)
sudo gem install mongrel (webserver)
sudo port install subversion (for easy install for remote plugins)

Linux (Ubuntu like / Debian based)

sudo apt-get update && sudo apt-get upgrade (getting newst list, and updateing software before continuing).
sudo apt-get install ruby subversion mysql libmysql-ruby1.8

sudo gem install rails
sudo gem install mongrel

And you should be set to go.

IDE for use with RoR:
Textmate (OSX), has very poor subversion integration, but good RoR integration
Not free
Eclipse (good integration, via plugins)
http://www.eclipse.org/ download plugins via Aptana website, for RoR support.
Free

Aptana (good integration via plugins) http://www.aptana.com/
complete IDE, eclipse based. Free
IDEA (good integration via plugins)
Complete IDE suite, with great integration of subversion, mysql and even jira for bugtracking.
Professional, but expensive.

Remeber to point your IDE to where your RoR / rails is installed for best integration:
Windows most often: c:\ruby\bin
OSX: /opt/local/
Linux: /usr/bin/ruby

Errors:

Linux:

sudo gem update –system

Which introduced this error:

/usr/bin/gem:23: uninitialized constant Gem::GemRunner(NameError)

whenever I tried to run rubygems. On the rails forum, I found a fix for it!. Simply add the line to the file /usr/bin/gem (may be different on a mac):

require 'rubygems/gem_runner'

after

require 'rubygems'

Source: http://www.nickpeters.net/2007/12/31/fix-for-uninitialized-constant-gemgemrunner-nameerror/

This error when installing gems:

extconf.rb:1:in `require’: no such file to load—mkmf (LoadError)

from extconf.rb:1.

Do:

sudo apt-get install ruby1.8-dev

This document describes how to set up TrueCrypt with GUI on Ubuntu 7.10. TrueCrypt is a free open-source encryption software for desktop usage.

This howto is a practical guide without any warranty – it doesn’t cover the theoretical backgrounds. There are many ways to set up such a system – this is the way I chose.

1 Preparation

Set up a standard Ubuntu 7.10 system and update it.

2 Needed Packages

First we install some needed packages with the synaptic package manager.

• sun-java6-jre
• python-pexpect

You’ll see this window during the installation – mark the corresponding checkbox and proceed if you agree with the license agreement.

Afterwards check if all went well – open a terminal and enter.

java -version

The output should look like this:

java version “1.6.0_03″
Java(TM) SE Runtime Environment (build 1.6.0_03-b05)
Java HotSpot(TM) Client VM (build 1.6.0_03-b05, mixed mode, sharing)

3 Truecrypt

3.1 Installation

Open http://www.truecrypt.org/downloads.php within your browser and download the latest stable version for Ubuntu 7.10 (.tar.gz-file containing the .deb-package).

Afterwards unpack the .tar.gz-file, …

… switch to the folder with the unpacked files and install the .deb-package with the GDebi package installer (simply double click on the package). Click on “Install Package” to start the installation.

Enter the root password.

The package and its dependencies are being installed.

3.2 System Configuration

Please note, that the following steps (3.2.1 – 3.2.3) can be done automatically by the tcgui installer (step 4). Proceed if you have problems with the tcgui-installer or want to configure the system manually in the first place – otherwise go ahead with step 4.

3.2.1 Users & Groups

We have to add the group “truecrypt” to the system and afterwards we add the root-account and our user-account to it. The settings for users and groups are available in the gnome system menu.

Enter the root password.

Click on “Manage Groups“.

Click on “Add Group“.

Insert “truecrypt” (without the quotes) as name for the new group, mark the checkbox next to the root and your username and click on “OK“.

3.2.2 Sudo

Next we configure sudo in order that TrueCrypt is useable without a password query – open a terminal and enter:

sudo visudo

Add the following line:

%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

It should look like this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
# Defaults
Defaults        !lecture,tty_tickets,!fqdn
# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

To save the changes press CTRL+O (STRG+O on a german keyboard) and hit enter. Close the editor via CTRL+X (STRG+X on a german keyboard).

3.2.3 TrueCrypt Group

As a last resort we have to assign TrueCrypt itself to the new group that we created at step 3.2.1. Open terminal and enter:

sudo chgrp truecrypt /usr/bin/truecrypt

Afterwards we check if all went well – enter:

truecrypt -l

If you’re NOT asked for a system password and the output looks like this …

No volumes mapped

… all is fine.

4 TrueCrypt GUI (tcgui)

Tcgui provides a GUI that is similar to the windows GUI for truecrypt. It’s licensed unter the GPL.

4.1 Download

Open http://tcgui.tc.funpic.de/en/download.htm (http://tcgui.tc.funpic.de/download.htm for German users) within your browser and download the latest version (When I was writing this howto the latest version was 0.4).

Afterwards unpack the file.

4.2 Installation

Open a terminal, switch to the unpacked files and run the installer.

cd Desktop/tcgui-0.4/
sudo bash install.sh $USER

Note: Don’t replace $USER with your username – simply copy & paste the line.

Choose your language (german or english) and answer the following questions with no (n) – unless you haven’t realized step 3.2.1 till 3.2.3. After the installation finished you have to log out and back in to take the changes effect.

4.3 Access The GUI

The TrueCrypt GUI is available in the gnome applications menu.

Click on “Yes” if you agree with the warranty agreement.

The GUI appears – make yourself familiar with it.

Note: Please have a look at the readme in the tcgui-folder (on your desktop). Which functions are working without problems and which not is described at the end of the file – so you should read it before you you’re playing around with the GUI

4.4 Deinstallation

If you want to deinstall the TrueCrypt GUI open a terminal and enter:

sudo bash /usr/share/tcgui/uninstall.sh

Note: The group “truecrypt” will not be deleted and the changes in the sudo configuration will not be restored.

5 Links

TrueCrypt: http://www.truecrypt.org/
TrueCrypt License: http://www.truecrypt.org/license.php
TrueCrypt Linux manpage: http://www.truecrypt.org/docs/linux-manpage.php
TrueCrypt GUI (en): http://tcgui.tc.funpic.de/en/index.htm
TrueCrypt GUI (de): http://tcgui.tc.funpic.de/index.htm
Ubuntu: http://www.ubuntu.com/

In this tutorial I will describe how to install and configure Snort (an intrusion detection system (IDS)) from source, BASE (Basic Analysis and Security Engine), MySQL, and Apache2 on Ubuntu 7.10 (Gutsy Gibbon). Snort will assist you in monitoring your network and alert you about possible threats. Snort will output its log files to a MySQL database which BASE will use to display a graphical interface in a web browser.

1. Gain root privileges

It is easiest to do this install as root user.

sudo su -

2. Install some packages

The following will install all the required packages to make this setup work:

apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep

3. Get and compile snort

The Snort package in the Gutsy repo’s are out of date. So I prefered to download the most current and install that. This is the only thing we will compile from scratch.

The latest version of snort at the time of writing is 2.8.0.1

First let’s go to a working directory:

cd /usr/src/

Open a web browser and navigate to http://www.snort.org/dl right click on the most recent release and copy link location.

a. Download snort and snort rules

wget http://www.snort.org/dl/current/snort-2.8.0.1.tar.gz

There are a couple options for rules. The following will download the public rules, however with a quick registration at the snort site you can get more current rules. Your choice but the next command is run the same way with the appropriate URL:

wget http://snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

b. Unpack and get them ready for compile

tar zxvf snort-2.8.0.1.tar.gz
cd snort-2.8.0.1
tar zxvf ../snortrules-pr-2.4.tar.gz

c. Now compile them

./configure -enable-dynamicplugin –with-mysql
make
make install

Keep this directory handy as you can simply run

make uninstall

To uninstall snort later if you choose

d. Move things into position

We now need to move the rules and config for snort into position

mkdir /etc/snort /etc/snort/rules /var/log/snort
cd /usr/src/snort-2.8.0.1/etc
cp * /etc/snort/
cd ../rules
cp * /etc/snort/rules

4. Configure Snort

We need to modify the snort.conf file to suite our needs.

Open /etc/snort/snort.conf with your favorite text editor (nano, vi, vim, etc.).

# vi /etc/snort/snort.conf

Change “var HOME_NET any” to “var HOME_NET 192.168.1.0/24” (your home network may differ from 192.168.1.0)
Change “var EXTERNAL_NET any” to “var EXTERNAL_NET !$HOME_NET” (this is stating everything except HOME_NET is external)
Change “var RULE_PATE ../rules” to “var RULE_PATH /etc/snort/rules”

Scroll down the list to the section with “# output database: log, mysql, user=“, remove the “#” from in front of this line.
Change the “user=root” to “user=snort”, change the “password=password” to “password=snort_password“, “dbname=snort”
Make note of the username, password, and dbname. You will need this information when we set up the Mysql db.
Save and quit.

5. Setup the Mysql database.

Log into the mysql server.

# mysql -u root -p

Create the snort database. Make sure you change the ‘snort_password’ to something else!

mysql> create database snort;
grant all privileges on snort.* to ‘snort’@'localhost’ identified by ‘snort_password’; mysql> exit

We will use the snort schema for the layout of the database.

# mysql -D snort -u snort -p < /usr/src/snort-2.8.0.1/schemas/create_mysql

NOTE: Use your snort DB user password when prompted.

6. Time to test Snort

In the terminal type:

# snort -c /etc/snort/snort.conf

If everything went well you should see an ascii pig.

To end the test hit ctrl + c.

NOTE: If you get errors you may want to try commenting out lines 97,98 and 452 of /etc/snort/rules/web-misc.rules. This was an issue in the past but doesn’t seem to be anymore.

7. Get and install BASE

Open a web browser and go to http://sourceforge.net/project/showfiles.php?group_id=103348.

Click on download then right click on the newest tar.gz package and select copy link (at the time of writing this is base-1.3.9).

In the terminal type:

cd
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz

Now go to your web document root (by default this is /var/www), unpack the tarball and set the permissions needed to configure BASE:

cd /var/www/
tar zxvf ~/base-1.3.9.tar.gz cd .. chmod 757 base-1.3.9

We want to make sure that a couple of Pear modules are activated:

pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

8. Set up BASE

Open a web browser and navigate to http://YOUR.IP.ADDRESS/base-1.3.9/setup.

Click continue on the first page.

• Step 1 of 5: Enter the path to ADODB.
  This is /usr/share/php/adodb.
• Step 2 of 5:
  Database type = MySQL, Database name = snort, Database Host = localhost, Database username = snort, Database Password = snort_password
• Step 3 of 5: If you want to use authentication enter a username and password here and check the box.
• Step 4 of 5: Click on Create BASE AG.
• Step 5 of 5: once step 4 is done at the bottom click on Now continue to step 5.

Bookmark this page.

Change the permissions back on the /var/www/base-1.3.9 folder.

# chmod 755 /var/www/base-1.3.9

We are done. Congrats!!!

To start Snort in the terminal type (make sure you change eth0 to the right interface for your machine:

# snort -c /etc/snort/snort.conf -i eth0 -D

This starts snort using eth0 interface in a daemon mode.

To make sure it is running you can check with the following command:

# ps aux | grep snort

If it’s running you will see an entry similar to snort -c /etc/snort/snort.conf -i eth0 -D.

If you would like to learn how to write your own Snort rules there is a guide at http://www.snort.org/docs/snort_manual/node16.html.
Good luck.

While you can find dozens of products to secure Windows laptops, security products for Linux laptops are scarcer — but they do exist. We found a range of products and fixes ranging from security patches for the operating system to encryption to the equivalent of computer bicycle locks which can help keep your Linux laptop or notebook safe.

Before we get to how to protect yourself, you need to accept a depressing statistic. According to the FBI, 97% of stolen computers are never recovered. While you can do things to better your odds (see the sidebar) you pretty much have to accept the fact that when your notebook disappears, it’s gone and so is everything that was on it.

There are three problems with having a computer stolen: the loss of the machine, the loss of the information on it, and the possible security breach if that information includes sensitive information or client data. Each of those problems requires a different approach.

Insurance

The economic loss is the easiest to deal with. Insure your system.

If you have homeowners or renters’ insurance, you may already be covered. If not, you can usually get a policy rider to cover your computers, including your laptop. This is usually the cheapest way to do it, but you may not like the terms and conditions. For example, there is likely to be a hefty deductible.

You can also insure through a specialist company like Safeware. Such policies are usually more expensive than a rider on your homeowner’s policy, but they tend to be more flexible. For example most specialist companies will allow you to insure your laptop for enough to completely cover replacement.

Be sure you understand just what you are getting. You need to make sure your computer is covered when you’re away from home. Also, make sure you’re covered for the current replacement value of your machine rather than something like the cash value, which is typically much lower.

The cost will depend on the value of your computer. Some homeowners’ policies automatically include several thousand dollars in computer coverage for free. A rider or a special policy will probably cost in the neighborhood of $100 to $200 a year.

Protecting your work

If you’re doing important work on your system, you want to get your data back even if you never see the computer again. One way to do that is to make frequent backups of your critical files to a device that isn’t left connected to the computer. This can be an external hard drive or, more conveniently, a USB thumb drive.

Another approach is to do your non-confidential work on Web applications such as the Google Docs word processor. Google then stores the information no matter what happens to your computer. (Of course this assumes you’ve properly secured your computer against Wi-Fi threats and such — but if you haven’t, you’ve got bigger problems.)

And of course you can just email your work to yourself at frequent intervals. If you want more security you can encrypt the emails before sending them.

Encrypt your disk

Encrypting your system doesn’t prevent someone from stealing your laptop, but it will prevent anyone from getting at the information on the system.

The actual risk that a thief will try to get at the information on your computer is pretty small. Although there are hundreds of thousands of laptops stolen each year, there are few cases reported in the news where the information on them was used by the bad guys. Mostly laptop thieves want to resell the hardware as quickly as possible and don’t care about the information.

Encrypting your disk is easy and cheap enough that there’s no reason to risk misuse of your data, even with a purely personal machine, where you may store passwords, credit card numbers and other personal information. Of course in the business case you have to be able to prove that thieves can’t get at the data. If you can’t definitely prove it, you’re probably in trouble. If the stolen laptop has customer information, such as Social Security numbers, on it, your whole company has a problem and you may show up in the news.

Encryption alternatives

When it comes to disk encryption there are two approaches. One is to encrypt only part of the information on the disk. The other is to encrypt everything.

While you can encrypt files or folders individually, you’re much more secure if you encrypt the entire disk. If the operating system is available, the attack surface is enormously increased. Not only are there unobvious vulnerabilities, such as files in the print spool, but there are more possibilities for getting around the file encryption.

One common method of full disk encryption allows the computer to begin to boot and then prompts for a user name and a password to complete the boot. This is convenient, which is why it’s common, but it does involve a certain amount of exposure since it uses the system’s boot routine.

Physical security

Linux will not keep your laptop from being stolen. You have to do that without help from the operating system. Here are some tools that can help.

Record it — Make a record of your computer’s serial number, exact specifications, etc. write it down, and keep it in a safe place, preferably with your sales receipt. That means don’t keep it on the computer and don’t keep it in the computer case!

Paint it — Mark your computer and its carrying case with a design that’s big, bright, unique and obvious. Subtle is right out. You want something that can be seen from across the room.

Warpaint on your computer does two things. First, it helps to uniquely identify it, which makes it harder for a thief to steal it unobtrusively. It’s also harder to sell a conspicuously marked system on eBay.

Engrave it — Engrave your name and some identifying number prominently on the case, either inside or outside. This not only reduces the value to a thief, it increases the chances you’ll get the computer back.

An alternative to engraving your laptop yourself is to attach a security plate. For about $25, Stoptheft will sell you an official-looking barcoded aluminum plate that leaves the words “Stolen computer” and a phone number on the case even if it’s pried off. The bar code can also help you get the machine back if it is stolen.

Guard it — Never leave your laptop unattended unless it is secured with a lock. Even then, try not to leave it alone. Taking a computer to the bathroom with you is annoying, but not nearly as bad as coming back and finding it gone.

Lock it — Most computers have a Kensington connection (named after the vendor that popularized it) for a lock. Computer cable locks usually cost between $20 and $50 and work like a bicycle cable lock.

Alarm it — In addition to locking cables, you can use an alarm that will sound if the laptop is moved. For example, Targus’s DEFCON 1 uses an alarm attached to the locking cable. If the cable is cut or the system is moved, it activates a motion sensor alarm that sounds off at 95 dB.

Hide it — Leaving a laptop on the seat of a car is asking for trouble; put it in the trunk or covered security compartment. And don’t leave your computer on your desk in a dorm room or office. Put it in a drawer and, if possible, lock the drawer.

Finally, remember that laptops aren’t status symbols anymore. A fancy computer bag may be convenient, but it tells everyone what you’re carrying. An attache case or portfolio is less conspicuous. One young lady of my acquaintance, who is into anime, carries her laptop in a Hello Kitty diaper bag. It’s colorful and waterproof, and no one is likely to steal a diaper bag.

An alternative method, using a USB flash drive, is described in our disk encryption HOWTO. This uses a USB flash drive holding GRUB, a minimal kernel and an initrd. The setup has just enough brains to ask for a password, set up the encryption mechanism and mount it. After mounting the device resumes the boot process from the encrypted disk.

The most common way to set up an encrypted Linux system is to establish a small partition to handle booting and encrypt everything else on the disk. This is more secure than file-level encryption, but it still exposes the boot partition to crackers. How much of a problem that presents is somewhat controversial. Some people think the added risk is negligible or non-existent, while others believe it poses a significant additional risk beyond true full disk encryption.

If you want stronger encryption than that you can use a utility that requires a separate key before you can even start booting.

A number of products let you encrypt only specific files, directories, and such. For example dm-crypt uses the device-mapper built into the Linux 2.6 kernel as a basis for block-level encryption. Device-mapper creates virtual block devices on physical virtual devices such as disks, and dm-crypt uses that ability to encrypt just about any kind of block you want encrypted.

Dm-crypt lets you pick the encoding method from among several symmetrical ciphers, as well as the key length, and then create a device in /dev. Writes and reads to the new device are then automatically encrypted and decrypted.

TrueCrypt creates encrypted devices, such as disk volumes, and encrypts and decrypts them on the fly without user intervention. Versions of TrueCrypt earlier than v4.1 suffer from the same vulnerability as older 2.6 kernels.

Of course, encryption implies keys, and those in turn imply key management. You need to be able to get into your system even if you lose a key. Needless to say, you don’t keep a physical key with your computer. One common practice is to put a memory stick containing the key on your (physical) key chain. If you use a disk to hold your key you can stick the disk in your pocket or purse. Don’t put it in your laptop case and always take it with you if you leave your machine.

Find your stolen system

If your system is stolen, you may be able to find it again if the thief connects to the Internet. There are a couple of products for Windows that do this, but none for Linux.

However, you can set up your own tracking system using a dynamic DNS provider, such as DynDNS, and setting up a client to keep track of the computer’s actual IP address. If your computer is stolen, you can can look for your DNS entry with ping. If you find it online, you can use traceroute or something similar to find the gateway your computer is using. Then you can contact the police and the thief’s ISP to get your computer back.

(Of course this technique is not foolproof. If the thief reformats the hard disk, you’re out of luck. Unfortunately a lot of thieves, or their fences, do reformat disks as a matter of course. Still, implementing this system simple enough to do and can work against an unsophisticated crook.)

Compliance policy issues

Increasingly, security is about compliance with various laws and regulations. HIPPA, Sarbanes-Oxley, and a host of others mandate that data be protected. More than that, most of these mandates require that companies be able to prove the data is protected.

Where this gets sticky for Linux is that to meet those requirements, many companies mandate that only approved products be used for security. Since the approved lists are typically Windows-centric, it can be hard for Linux users to get products for their laptops approved.

There are two ways for Linux users to deal with the situation. Either check and see if your company’s chosen security products come in a Linux version or get your security people to agree to let you use a Linux product.

A surprising number of security companies do offer Linux versions of their products, more than laptop Linux’ market penetration actually warrants. For instance, Check Point Software Technologies specializes in data protection with emphasis on big enterprises, and most of its business is focused solidly on Windows. Yet Check Point’s full disk encryption software also supports Linux. The reason, ironically, is that Check Point aims its business at large enterprises, in which a certain number of non-Windows laptops, running, say, Linux, need to be protected.

Alternatively, you can try to convince the IT security people that there are products available for Linux that offer equivalent levels of security, but this can be a long, hard slog.

And finally

Keep in mind that most of these methods are not foolproof. If a thief has your computer, technical knowledge, and persistence, it is hard to keep the information secure. But few thieves have the knowledge, equipment, or interest to break into a well-protected system.

The only truly foolproof security method is to not have sensitive data on your laptop or notebook in the first place.

How much protection is enough? Ultimately you have to decide.

Setting up Subversion

For detailed information on this, including alternate setups, have a look at Version Control with Subversion.

1. Install the required packages.

   sudo aptitude install enscript libapache2-mod-python python-docutils trac db4.3-util libapache2-svn subversion-tools

2. Create a virtual host directory for SVN. We’ll use /var/local/svn instead of /var/www so that Subversion instances don’t clog up the directory of web root directories.

   sudo mkdir -p /var/local/svn/svn.example.com

3. Create a development group, and add the web user to it.

   sudo addgroup example; sudo adduser www-data example

4. Add users to the development group. These are persons that need access to the repository.

   1. sudo adduser username1 example
   2. sudo adduser username2 example
   3. sudo adduser username3 example

5. Set the proper permissions.

   sudo chmod 2770 /var/local/svn/svn.example.com

6. Set up the repository.

   sudo svnadmin create /var/local/svn/svn.example.com

7. Clear the current password file. By default it’s for the svnserve protocol, but we’ll be using HTTPS (or just HTTP). We’ll be adding users to this file later in the process.

   sudo rm /var/local/svn/svn.example.com/conf/passwd
   sudo touch /var/local/svn/svn.example.com/conf/passwd

8. Allow the group to write to the repository.

   sudo chmod -R g+w /var/local/svn/svn.example.com

9. Set proper file ownership.

   sudo chown -R www-data:example /var/local/svn/svn.example.com

10. Set the repository access permissions. Information on how to do this can be found in the Path-Based Authorization section of Version Control with Subversion.

    sudo vi /var/local/svn/svn.example.com/conf/authz

11. Create a directory for the log files.

    sudo mkdir /var/log/apache2/svn.example.com

12. Add the site to the log rotation list.

    sudo vi /etc/logrotate.d/apache2

13. Configure the virtual host…

    sudo vi /etc/apache2/sites-available/svn.example.com

    …with the following data. If you don’t care about SSL, you can ignore the SSL options and run this on port 80.

    <VirtualHost [server's IP address]:443>
      ServerName svn.example.com
      <Location />
        DAV svn
        AuthType Basic
        AuthName "svn.example.com"
        AuthUserFile /var/local/svn/svn.example.com/conf/passwd
        AuthzSVNAccessFile /var/local/svn/svn.example.com/conf/authz
        SVNPath /var/local/svn/svn.example.com
        Require valid-user
      </Location>
      CustomLog /var/log/apache2/svn.example.com/access.log combined
      ErrorLog /var/log/apache2/svn.example.com/error.log
      SSLEngine on
      SSLCertificateFile /etc/apache2/ssl/apache.pem
    # Add this once there is a real (non self-signed) certificate.
    #  SSLCertificateKeyFile /etc/apache2/ssl/server.key
    </VirtualHost>
    <VirtualHost [server's IP address]:80>
      ServerName svn.example.com
      Redirect / https://svn.example.com/
    </VirtualHost>

    Reference:

    /etc/apache2/mods-enabled/dav_svn.conf

14. Enable the subversion virtual host.

    sudo a2ensite svn.example.com

15. Create user/password combinations.

    htpasswd /var/local/svn/svn.example.com/conf/passwd username

16. Restart the web server.

    sudo /etc/init.d/apache2 restart

17. If you’re going to have users working locally, set up svnwrap. (See the man page for details.)

    sudo ln -s /usr/bin/svnwrap /usr/local/bin/svn

Setting up Trac

1. Create the web directory. We’ll use /var/local/trac instead of /var/www so as not to clog up the directory of webroots.

   sudo mkdir /var/local/trac/trac.example.com

2. Set the proper permissions.

   sudo chmod 2770 /var/local/trac/trac.example.com

3. Create a Trac instance.

   sudo trac-admin /var/local/trac/trac.example.com initenv

4. Set proper ownership on the web directory.

   sudo chown -R www-data:example /var/local/trac/trac.example.com

5. Allow the group to write to the repository.

   sudo chmod -R g+w /var/local/trac/trac.example.com

6. Configure it.

   sudo vi /var/local/trac/trac.example.com/conf/trac.ini

7. Create a directory for the log files.

   sudo mkdir /var/log/apache2/trac.example.com

8. Add the site to the log rotation list.

   sudo vi /etc/logrotate.d/apache2

9. Configure the virtual host…

   sudo vi /etc/apache2/sites-available/trac.example.com

   …with the following data. If you don’t care about SSL, you can skip the SSL options and run this on port 80.

   # Trac Configuration
   <VirtualHost [server's IP address]:80>
     ServerName trac.example.com
     Redirect / https://trac.example.com/
   </VirtualHost>
   <VirtualHost [server's IP address]:443>
     ServerName trac.example.com
     DocumentRoot /var/local/trac/trac.example.com/
     Alias /trac/ /usr/share/trac/htdocs
     <Directory "/usr/share/trac/htdocs/">
         Options Indexes MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
     <Location />
         SetHandler mod_python
         PythonHandler trac.web.modpython_frontend
         PythonInterpreter main_interpreter
         PythonOption TracEnv /var/local/trac/trac.example.com/
         PythonOption TracUriRoot /
         AuthType Basic
         AuthName "trac.example.com"
         # Use the SVN password file.
         AuthUserFile /var/local/svn/svn.example.com/conf/passwd
         Require valid-user
     </Location>
     CustomLog /var/log/apache2/trac.example.com/access.log combined
     ErrorLog /var/log/apache2/trac.example.com/error.log
     SSLEngine on
     SSLCertificateFile /etc/apache2/ssl/apache.pem
   # Add this once there is a real (non self-signed) certificate.
   #  SSLCertificateKeyFile /etc/apache2/ssl/server.key
   </VirtualHost>

   Reference:

   http://trac.edgewall.org/wiki/TracOnUbuntu

10. Enable the Trac virtual host.

    sudo a2ensite trac.example.com

11. Restart the web server.

    sudo /etc/init.d/apache2 restart

The last thing to do is add the subdomains “svn” and “trac” to the DNS configuration for your domain. Once this is done, Subversion and Trac will be integrated into your server environment, and will be accessible from the web.

Bookmarks Menu

On the face of it, the Bookmarks Menu just adds bookmarks to documents, but dig deeper and you’ll discover that this extension can do much more. Once you’ve installed the Bookmarks Menu, it appears only in the Tools -> Add-Ons menu. To add the Bookmarks menu to the main toolbar, choose the Bookmark Menu item and press OK. By default, the menu contains two items: Bookmark This Document and Edit Bookmarks. The former allows you to quickly bookmark the currently opened document, so you don’t have to navigate to the desired document every time you want to open it. Of course, you can use the Recent Documents feature to do that, but it has some limitations: it can hold only up to 10 entries and you can’t sort the entries. More importantly, the Bookmarks Menu can bookmark not only documents but also macros and shell commands, and you can do this in just a few clicks.

To bookmark, for example, an often-used macro, choose Edit Bookmarks and press the New button. Give the bookmark a name, select Macro from the Type drop-down list, press the Open button, and select the macro you want. Press OK to save the new bookmark, and you are done. In fact, it takes longer to explain how this works than actually bookmarking a macro.

The extension’s ability to bookmark shell commands can come in even more handy, since it allows you to create bookmarks that send commands to external applications. For example, you can create a bookmark that opens your favorite Web site in the default browser. To do this, choose Edit Bookmarks, press New, and give the new entry a name. Select the ShellCommand item from the Type drop-down menu, and type the Web address into the Arguments list. Then type firefox (or another browser) into the Url field, press OK to save the bookmark, and you are done.

By using the Menu button in the Edit Bookmarks window you can also export your shell commands and settings, which can be useful if you are using the extension on several machines.

OpenOffice.org2GoogleDocs

No prizes for guessing what OpenOffice.org2GoogleDocs does. Once installed, the extension adds a menu in the main toolbar that allows you to easily exchange documents between OpenOffice.org and Google Docs. The upload part of the extension supports not only ODT documents, but also SXW, DOC, and spreadsheets in ODS, XLS, and CVS formats, as well as PPT presentations. The download part of the OpenOffice.org2GoogleDocs extension is still under heavy development, and right now it can only import Google Docs documents as plain text files.

Code Formatter

If your Writer documents contain a lot of code, and you want to make it look pretty by adding syntax color, the Code Formatter extension can help you. The current version supports C++, Java, and OpenOffice.org Basic syntax only, but the extension comes with a detailed description of how it works, so you can add other languages yourself.

To apply syntax color to a code block, you have to apply the _OOoComputerCode paragraph to it and then run an appropriate macro (e.g. MacroFormatterADP -> Basic -> FMT_ColorCodeCurrentBasic for OpenOffice.org Basic code). Unfortunately, the extension doesn’t add a dedicated menu, so you have to manually select the coloring macro. Alternatively, you can use the Bookmarks Menu to create bookmarks for the Code Formatter macros.

OOoSVN

The idea of using Subversion for document versioning is nothing new, but OOoSVN allows you to use the system right from within OpenOffice.org, hiding Subversion’s complexity behind a few easy-to-use commands. Before you can make use of OOoSVN, you have to install Subversion on your machine, but most mainstream Linux distributions have Subversion in their repositories. During the first run, OOoSVN sets up a repository for your documents and moves the currently opened document into it. Using commands available under the SVN menu in OpenOffice.org, you can commit changes, revert the document to a previous version, and graphically browse the document’s versions. OOoSVN even allows you to compare two versions of the document using OpenOffice.org’s Compare feature.

mOOo Impress Controller

If you’ve got a Bluetooth-enabled mobile phone, why not use it for something fancy and useful like controlling Impress presentations? mOOo Impress controller allows you to do just that. It consists of an OpenOffice.org extension for the desktop and a Java-based client that must be installed on the mobile phone. The client’s functionality is rather limited: using it, you can launch the presentation and move between slides. On the other hand, its simplicity has one major advantage: with only three functions, you are less likely to do something wrong during the presentation.

Once you’ve installed the Java client on your mobile phone and extension in OpenOffice.org, open a presentation and launch the mobile client. In OpenOffice.org, choose mOOo Menu -> Select Device and press the Search button. Select your mobile phone from the list of found devices, and press OK. Choose mOOo Menu-> On, and you are ready to control your presentation from the mobile phone. To close the connection, choose again mOOo -> On.

Speaking of presentations, there is another nifty extension you might want to give a try. Sun Presentation Minimizer can shrink an Impress file to a fraction of its original size, which can come in handy if you need to email a presentation to colleagues. Interestingly, the tool can handle not only the native ODP files but also Microsoft Office PPT presentations.

The first rule of security when it comes to Joomla! is “update frequently,” because whenever a new version comes out, it usually comprises several user-reported bug and security fixes. If your host allows it, use PHP5 instead of PHP4, because it’s more advanced and offers better security.

Once your site is ready to be launched, make sure to set your configuration.php file to read-only — a critical step that most users neglect. Change file and directory permissions — chmod 644 for files and chmod 755 for folders — but be sure to keep temporary and cache directories writable, lest you get a site error.

Bear in mind that special folders used by Joomla! modules and components that deal with files are also writable. An image manipulation component that cannot upload files is useless. Within the Joomla! administration Panel go to Site -> Global Configuration, and choose the Server tab. Activate CHMOD new files to 0644 and CHMOD new directories to 0755 then apply the settings.

Don’t forget to delete your installation folder from Joomla!’s root once the install is finished; you will not be able to access your site with the directory still present in your server root. Change the administrator’s username from admin to something less obvious and be sure to use a good, long, hard-to-remember password. A good rule of thumb is to use a combination of lowercase and uppercase letters and numbers, at least eight characters long. Don’t write it down and don’t use it as a password anywhere else.

An important step in securing Joomla! is to create and configure an .htaccess file in the root of the site which decides access permissions for special directories and mod_rewrite settings, among other things. The contents of this file may vary depending on the options your hosting server provides and the components and modules you might use.

After a default Joomla! install, you’ll probably see the following message when you visit the back end administration panel: “PHP register_globals setting is ‘ON’ instead of ‘OFF’.” This means that Environment, GET, POST, Cookie, and Server variables are registered as global variables. If you turn register_globals off, you can prevent variable injection attacks. You’ll have to edit your php.ini file — but there’s a catch. Most hosting providers don’t allow direct access to the main php.ini file. You can work around the problem by creating a php.ini file in the root directory of the site and put your lines there. In some cases it might take up to an hour for the settings to be read by the provider’s servers, so be patient. Once you’ve done this, insert one of the following lines, depending on the PHP version the server is running (PHP 5 or PHP 4 respectively):

php_value register_globals off

or

register_globals = 0

There’s more you can do to further harden the php.ini file. To make SQL inject attacks bounce, put the following two lines in your php.ini file:

allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

The first line disables URL-aware fopen wrappers that enable accessing URL object like files. The second one disables a lot of PHP functions:

• shows_source — an alias of highlight_file() which provides syntax highlighting for files;
• system — allows execution of external programs;
• shell_exec — allow execution of commands via a shell;
• exec — allow execution of commands;
• passthru — similar to the exec() function, allows execution of commands;
• phpinfo — outputs PHP information that could be used by potential intruders;
• popen — opens a pipe to a process being executed by a certain command;
• proc_open — similar to popen() but provides better control over command execution.

Thus this setting disables all means of executing commands and scripts. Again, this might cause problems with some components and modules that use PHP functions for launching commands, but their number is negligible. Look at it this way: you’ll probably have to do some manual backup, but at least you’ll sleep soundly at night.

To apply the lines above and secure the portal, you can use the .htaccess file. Since not all hosting providers let you use customized .htaccess files, and since some functions can be specified only in php.ini, we’ll stick to using the php.ini file for inserting the restrictions. Now comes the fun part: copy the php.ini file into every subfolder of your Joomla! installation that has .php files in it. Do it after your site is finished and ready to be launched, then check if everything works as it is supposed to.

Next, as an extra measure of security, protect the administration subfolder with an .htpasswd file. In /administrator, create two new files: .htaccess and .htpasswd.

The .htaccess file should contain the following lines:

AuthType Basic
AuthName "Joomla Administrator"
AuthUserFile /full/path/to/joomla/administrator/.htpasswd
<Limit GET>
require valid-user
</Limit>

Specify a username (different from the ones already registered within Joomla!) and cook up a strong password for it using an online .htpasswd generator like .htaccess Tools. Paste the output from the site — username and encrypted password — into the .htpasswd file, then save and reload the portal’s administration page. You’ll be prompted to enter a username and the password you just created, and will be granted access to the second Joomla! login screen. Be sure to use different usernames and passwords for each.

Delete temporary installation files and images you don’t need from Joomla!’s subdirectories, then uninstall modules you don’t plan to use. Check all installed extensions for vulnerabilities and visit Secunia’s Vulnerability Database often. Visit Joomla! Forums’s security category and read what others have to say and, in case of disaster, follow these guidelines. I also recommend reading the Joomla! Administrator’s Security Checklist.

The key in maintaining security is to keep yourself informed. Check security lists, and update your extensions whenever new versions are launched. Also, keep in mind that fewer extensions mean less time spent securing them. Check server logs from time to time for SQL injection strings and notify your hosting provider if any serious problems should come up.