Capital Area Central Texas UNIX Society
CACTUS Newsletter

Volume 19, Number 8 - August 2003


Contents:


August Meeting

The August CACTUS meeting will be held at 7:00pm (6:30pm for pizza and lively, informal discussion) on Thursday, August 21st, 2003 in the auditorium of UT Applied Research Laboratories (see below for directions to the facility). This month, CACTUS welcomes President & CEO of Net-Sieve (and former CACTUS officer), Dewey Coffman, for a presentation of Net-Seive's Plug and Play Internet Filtering Solution.

Net-Sieve (http://www.net-sieve.com/) is a one year old Austin company that produces a Linux-based spam filtering appliance. Everyone hates spam, and with a plug and play appliance, everyone can now fight spam before it enters the corporate or ISP network. Dewey Coffman will present the details of how Linux was the obivous choice and how Linux software made the solution easier to implement as a gateway solution.

The presentation will be preceeded by a tutorial by Jay Engh from our friends at the High Tech Institute at Austin Community College, and undoubtedly some discussion about Lindsay Haisley's "Letter From the President."

Next month will we are planning a follow-up presentation by Gil Kloepfer with some features of FreeBSD ("beyond installation"). This presentation will be an informal demonstration/discussion and is being done in response to member requests after his presentation in May.

July Meeting Report

by Ron Roberts

President Lindsay Haisley invoked the meeting sporting a new spiffy T-shirt from OuterNet. Because program Chair Ray Schafer has done such a good job providing both a tutorial and a presentation for July, Lindsay spent little time on officer reports, old business and new. Attendance was so good that we ran out of pizza and soda. Treasurer Johnny Long reported that we're "about the same" in the financial department and certainly more solvent than the state of Texas. Member-at-large Randy Zagar reported that he had installed WEBMail on linux.cactus.org.

Lindsay introduced Randy's tutorial about Firewall Builder. Randy had set up IPtables several installs ago. He tinkered with it until he was satisfied. The system cratered on him, so he went out and bought a Linksys firewall/router because he lost all of the configuration files.

He found firewall builder at www.fwbuilder.org.

"Firewall Builder is multi-platform firewall configuration and management tool. It consists of a GUI and set of policy compilers for various firewall platforms. Firewall Builder uses object-oriented approach, it helps administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations. Firewall Builder currently supports iptables, ipfilter, *BSD ipfw and Cisco PIX."

Randy proceeded to create an object called Lindsay. The GUI is called a druid, not a wizard. Randy created for rules for the object, compiled the rules and saved the configuration. This didn't really "compile" anything, it just wrote lindsay.conf. Fwbuilder stores intermediate data in XML.

The pre-requisites for firewall builder are Gtkmm (a c++ wrapper), Gtk+, and libcg++. Gil Kloepfer wanted to know so he could try it with FreeBSD. Randy tried using rpm (it was a RedHat install) to show the pre-requisites, but could not get it to show what package management thought it to be.

Randy indicated that you can write rules based on time and create groups of objects for services, hosts, etc.

The main presentation was by Jamie Pugh and Mike Erwin. They brought a dual processor rack mount system and a Gentoo CDROM modified to omit networking. (They didn't want to rely on UT/ARL.) Gentoo Linux is "a special flavor of Linux that can be automatically optimized and customized for just about any application or need." This quote is from www.gentoo.org. Jamie said that the twenty-nine page installation manual intimidates most prospective users. Most everything in Gentoo is based upon the version of gcc, which it builds at least twice.

Jamie booted the cdrom, installed the SCSI driver, then ran "fdisk /dev/sda." There is no druid for the setup. From a shell prompt, he next made the filesystems: mke2fs -f /dev/sda1 and mkswap /dec/sda2.

Jamie said that Reiserfs is two times faster than ext3 for large filesystems--above one half terabyte. So he next configured the second drive: mkreiserfs /dev/sdb1. Then he activated the swap: swapon /devv/sda2.

The main benefit of Gentoo is speed. You compile it from source tailored to your hardware. It also gives complete control of the source code. Jamie mentioned an experience where he found that some package had a dependency on someone developers home directory. There's no extra cruft and no dependency nightmares.

He next mounted the first filesystem, made a boot and var mount point, then mounted those. Then he extracted a tar ball from the Gentoo CDROM. The next phase is building a new kernel, libraries, etc. This can take two days on a laptop. A full build on his demo box only takes three or four hours. The tar extract is stage one. Stage two is the first build. Stage three is the long build.

When the tar ball extraction was complete, Jamie rebooted. We saw four penguins of the splash banner. Each of the two 2.4 gHz processors in his machine were two-way processors. The Linux kernel assumed it had four processors. We had to wait for ethernet to time out because it wasn't connected to a network.

When the login prompt appeared, Jame ran: "emerge sync." At the request of the audience, he then ran: "emerge -p fwbuilder", which listed a bunch of pre-requisites for firewall builder.

The configuration for stage two involved editing /etc/make.conf. Jamie set a few optimization flags. By default, Gentoo builds all modules and builds everything with security in mind.

The next step was: emerge -up system.

Gentoo includes eight thousand packages downloaded from six thousand different sites. There are about forty different mirrors for Gentoo.

Jamie and Mike Erwin have been slowly replacing all of the Red Hat boxes at their office with Gentoo. They recommend it for performance and security.


Letter From the President

by Lindsay Haisley

It's not often that I get really steamed about issues related to Unix. Work with computers and the Internet requires focused thought, logic and reason, not usually passion. On the other hand, I have become passionate and excited about ongoing progress in open source software and open IT standards - powerful, revolutionary concepts in the same ballpark with the invention of printing. The open source movement deserves our wholehearted support. It has given us Linux, BSD, and even the Internet itself. It is, therefore, with growing anger and frustration that I've been following the actions of Santa Cruz Operation, Inc., commonly known as SCO, in their ongoing assault on the users and developers of Linux.

SCO long ago gave up making anything useful, and in fact the SCO which made the one marginally useful product formerly associated with the name - SCO Unix - is now known as Tarantella (albeit still based in Santa Cruz, CA). Instead, the new SCO (based in Utah), formerly known as Caldera, has specialized in buying and selling other companies, and in pursuing lawsuits against the likes of Microsoft and Computer Associates. This has been done under the direction of an outfit known as The Canopy Group headed by Ralph Yarro which owns a controlling interest in SCO. Lawsuits apparently bring in more revenue for them than does honest production of a useful product. SCO recently decided to hit the big-time with their legal antics and have sued IBM for a whopping $3 billion. Their contention is that IBM incorporated portions of AIX into their open source work on Linux, in violation of SCO's licensing agreement with IBM under which portions of SCO's Unixware are used in AIX. Not content with this, SCO now claims that because the v2.4 Linux kernel supposedly uses proprietary SCO code, every user of Linux anywhere in the world owes SCO a licensing fee. They've even established a program (see their web site at http://www.sco.com/) for you to purchase a license to use Linux in your company.

Pulling back from this fray a bit, what's the logical course of action for a company claiming that its intellectual property rights have been violated? The logical path, of course, would be to proclaim the details of the violation and direct the offending party to cease and desist from using the code in question, or to offer the choice of removing the code or paying a fee. SCO, however, has kept the details of the alleged violation a closely guarded secret, protected by a draconian NDA. SCO's NDA could require a person even to refrain from discussing or working with code which is public knowledge and with which the NDA signer may have previously worked openly, assuming this code were part of their supposed evidence. No Linux kernel developer in his right mind would sign such an agreement, and SCO has had few takers on their offer to view the supposedly violating code. Ian Lance Taylor of The Linux Journal did take SCO up on their offer, (see http://www.linuxjournal.com/article.php?sid=6956) and was shown a rapid fire prepared slide presentation, much of which had nothing to do with this issue. He wasn't given time or permission to even take notes regarding the small amount of supposedly infringing code he was shown. Instead of laying its cards on the table, SCO has engaged in an aggressive shakedown campaign designed to generate licensing revenue based on the undemonstrated premise that v2.4 Linux contains proprietary SCO code. SCO has sent letters to over a thousand corporations advising them that they face potential legal problems if they continue to use Linux without paying SCO a licencing fee.

So here's the cut to the chase. What kind of operation are we seeing here? Under the sun, few things are truly new, and SCO's actions are an example of a breed of enterprise with a long and dishonorable history. It's known as the protection racket. "You pay me, and I'll see that my brudda's don' busta you kneecaps wid a tire iron". Pay SCO their licensing fee and they'll see to it that their attorneys, including David Boies of Microsoft antitrust fame, won't come knocking on your corporate door, running up a big tab in your company's legal department and scaring away your customers. Never mind the evidence, they say, it's rock-solid. Why not reveal it? SCO claims that they don't want to be tried by the public and the media before having their day in court. Do I smell a dead fish here?

I've been encouraged to see corporate supporters of Linux start standing up to SCO. IBM has refused to stop their work with Linux and AIX, even though SCO claims that their license to Unixware is null and void because of their actions. On August 8, IBM counter-sued SCO. Red Hat has sued to get SCO to stop their FUD-slinging campaign against Linux. An open source advocacy group in Australia has filed an unfair trade practices suit against SCO in that country. Others are beginning to stand up and be counted as well. There is widespread doubt in the technical community that SCO's claims will hold up in court in the long run.

I, for one, would be very happy to see SCO enjoined in the US from collecting their licensing fees or spewing their FUD until their claims are judged in a court of law. This would hit them where they live since, of course, their objective is to collect licensing fees, not prevent the Linux kernel developers from using any particular piece of code. Several German companies have made considerable progress against SCO in the courts there. The Bremen Regional Court has issued an order which prohibits SCO-Caldera from circulating "the idea that the Linux Operating System illegitimately acquired and contains the Intellectual Property of SCO UNIX and/or that the end users of LINUX can be made liable for patent/copyright infringements against SCO's intellectual Properties."

Furthermore, I would be absolutely delighted to see SCO charged with criminal racketeering in this matter. In my humble opinion, this is the best one-word description of their actions that I can find.

If you want to read more, here are a few links I've found which you may find interesting,

http://www.forbes.com/2003/06/18/cz_dl_0618linux.html - an excellent article in Forbes giving background on SCO, The Canopy Group, their relationship and their history.

http://catb.org/~esr/hackerlore/sco-vs-ibm.html - Eric Raymond's constantly evolving analysis of the issue. This article contains a very interesting genealogy of Unix. It's long, but is a must read if you care about this issue.

http://mozillaquest.com/Linux03/ScoSource-19-Injunction_Story01.html - The situation in Germany, where courts and corporations have very little sympathy for this kind of skulduggery.

[Editor's note: I would normally consider Lindsay's letter more appropriate for the Editorial section of the newsletter. However, what he says here really does reflect the overall opinion of the membership at large (based on informal discussion at the previous meeting). The kind of actions Lindsay describes in his letter has the potiential to unravel the entire fabric of CACTUS' existence and what the group as a whole stands for (the proliferation of *NIX-like operating systems and open source software). Therefore, it is unfortunately not an Editorial.

One final thought... I was having a discussion about this same topic with someone at work. I think that there are a LOT of people steamed about this kind of tact in general. It wasn't long ago that Forgent tried to strong-arm the world into paying them licensing fees for the JPEG compression algorithm. The person I spoke with feared, and rightfully so, that if software patent lawsuits are allowed to continue, nobody will be able to write software anymore (open source or not) because they would likely be infringing on SOMEONE'S software patent. This wasn't the intent of patents.

Too many people are using semantics to make the law work in their favor rather than really looking at the spirit of the law and what it intended to solve. Semantics are important -- but when people start using them to produce loopholes to accomplish (in the name of law) what the original legislation was NOT meant to solve, then something is very very wrong. My opinion, of course.]


Spam Filtering On CACTUS E-mail

[This text was adapted to HTML by M.H. Khan from an e-mail message to the officers by Gil Kloepfer about how to use SpamAssassin(tm) to filter e-mail on linux.cactus.org. Note that this is not meant to be a cookbook tutorial, but rather it requires some knowledge of shell scripting and a reasonable understanding of e-mail on Unix systems. Some of the following may need to be implemented slightly differently for your login]

...how I got [SpamAssassin(tm)] working for my CACTUS mail account.  Here'd what I did:

  1. I made a shell script (/home/gil/bin/process-mail.sh) that contains the following:

  2.    #!/bin/sh
       PATH='/bin:/usr/bin:/usr/local/bin:/home/gil/bin'
       SPAMASSASSIN='/usr/bin/spamassassin'
       if [ -x $SPAMASSASSIN ] ; then
               $SPAMASSASSIN | /usr/bin/procmail
       else
               exec /usr/bin/procmail
       fi


  3. I created a .qmail file that contains the following:

           | preline /home/gil/bin/process-mail.sh

    (note that the vertical bar is present and important!)

    I think there is a way to do this without using a separate shell
    script.  I think I did the shell script as a failsafe in case
    SpamAssassin(tm) stopped working or disappeared, so I would continue
    to get mail.  If someone wants to see if putting the two commands
    directly into .qmail works, be my guest.

  4. I created a .procmailrc file with the following recipe:

         PATH=$HOME/bin:/usr/bin:/usr/local/bin:.
         MAILDIR=$HOME/Mail
         DEFAULT=$MAILDIR/incoming
         LOGFILE=$MAILDIR/from
         LOCKFILE=$HOME/.lockmail

         :0
         * ^Subject:.*\*+SPAM\*+
         spambox

         :0
         |/usr/sbin/sendmail {my real address @ home}


    I believe that most users will want to make the last part of the
    .procmailrc file:

         :0
         $HOME/Mailbox


    which will put it in the default mailbox.

    As far as I know, procmail doesn't grok maildir format (it uses mbox
    format).  When I use mutt on linux.cactus.org, the file above ($HOME/Mailbox)
    is what it wants to use.

    You will need to make sure that you've created the $HOME/Mail directory
    in order to hold your spam.

  5. Create $HOME/.spamassassin/user_prefs which have the following:


       rewrite_subject 1
       report_safe 1
       use_dcc 0
       use_pyzor 0
       use_razor1 0
       use_razor2 0
       bayes_path {your-home-directory}/.spamassassin/bayes
       bayes_file_mode 0770

    I believe that the rewrite_subject and report_safe *MUST* be in there
    for my procmail recipe to work (so I suppose this should be part of
    the process above).  The bayes_* stuff needs to be added in order to
    use the sa-learn command (see below).

  6. Sit back and watch a fair amount of spam go away.

SpamAssassin(tm) is not 100% effective.  What I've done is taken a bunch
of my old *VALID* CATCUS mail in mbox format and run it through:

        sa-learn --ham --mbox {file}

That trains SpamAssassin(tm) to recognize that kind of mail as "ham" or
not-spam.

Whenever I start getting spam that SpamAssassin(tm) doesn't catch, I collect
all the messages that come over a week's time or so and run:

       sa-learn --spam --mbox {file}

and train SpamAssassin(tm) to recognize that as spam.

I occasionally check my $HOME/Mail/spambox to see if any valid e-mail got zapped.  So far, I
have had no false positives.

For more information about SpamAssassin(tm), see their web site at http://www.spamassassin.org/.


CACTUS System News

by Lindsay Haisley

SPARC.CACTUS.ORG (Huh??)

Our Sparc 10 is once again unresponsive to service requests, although it's minimally alive and pingable. It seems as though the machine goes down almost every week or two, and Ray Solanik, the administrator for the box, has to make a trip to OnRamp every time to restart the machine. Ray can't determine why the box is having such problems.

On top of this, the box is severely under-utilized. The good people at OnRamp do us the great kindness of colocating the box, yet no one seems particularly interested in using a machine that runs at perhaps a tenth the speed of our Linux box. It's hardly worth OnRamp's trouble to make us the sponsorship grant of colocation.

I propose that we revisit the entire issue of the Sparc 10 and consider moving in a new direction. You may recall that some time ago CACTUS granted OuterNet (then called Tomorrow's Technologies) use of our portable class C IP block, of which they're making good use. In exchange, we have the option of colocating a 1U rack mount box in their rack at Inflow. We've never exercised this option, but now perhaps it's time to consider doing so.

I propose that CACTUS decomission the Sparc 10 altogether, with many thanks to OnRamp for their support, and dispose of it in whatever fashion is appropriate. Perhaps, like the old Sparc II, it would make a good door stop, or perhaps a wall ornament in a geek juice bar. In it's place, we could purchase a SuperMicro (or equivalent) rack-mount box and a 40G SCSI hard drive for well under $2000. With a view to providing an alternative to our Debian Linux system for those interested in exploring other OSes, we could install FreeBSD on it. It certainly seems that we have more BSD enthusiasts in CACTUS than we do Sparc fans, so perhaps the box might see better usage. Such a box would be substantially faster than the Sparc 10.

Y'all think about it.

[Editor's note (Gil Kloepfer): As one of the *BSD (FreeBSD) enthusiasts, I would consider taking responsibility for a FreeBSD box...and perhaps keeping it at OnRamp would be nice.]

In other news, CACTUS would like to once again thank BestRegistrar.com of Louisville, KY for their sponsorship in once again renewing our domain name. BestRegistrar, formerly Computer Analytical Systems, is a small CORE registrar with a very hands-on approach to their business. Unlike other registrars which I shall decline to name, the primary technician in charge of registrations (Steve Locke) is seldom more than a simple phone call and a 15 second wait away - no voicemail hell to wade through. Steve is clueful and on top of any problems which crop up. I've been using them as my domain name registrar of choice for several years and have never looked back :-)


July CACTUS Membership Report

by Luis Basto

We wish to thank Prog Corp. as the newest corporate sponsor for CACTUS. Prog Corp. was previously known as Multi-Media Arts and recently changed their name.

Prog Corp develops educational materials that address a range of ability levels and subject areas and are used for in-service training, classroom teaching, and independent study. They also provides consulting services for instructional program design, development, and implementation.

The contact person is David Mallis. He can be reached at 451-7191, or send email to prog [at] cactus <dot> org.

Back in April, we received a couple of pieces of mail from the U.S. Bankruptcy Court in Arizona and addressed to CACTUS COLL. This was someone's bankruptcy filing and CACTUS COLL is one of the creditors. We've returned the previous mail to the sender but since it's the government we received two more. This is clearly an example of the government trying unsuccessfully to give money away. Should we change our name to CACTUS COLL?

Membership

To renew your membership, please send check or money order payable to CACTUS ($25/yr for regular membership and $96/yr for corporate sponsorship):

     CACTUS
     PO BOX 9786
     AUSTIN, TX 78766-9786
You may also pay in person at the general meetings. Please direct any inquiries or address changes to membership [at] cactus <dot> org.


CACTUS Officers


CACTUS Sponsors

Significant Contributing Sponsors

Applied Research Laboratories/University of Texas at Austin (http://www.arlut.utexas.edu/)
(Gil Kloepfer, Computer Science Division (CSD), 835-3771, gil [at] arlut <dot> utexas <dot> edu)
OnRamp (http://www.onr.com/)
Internet service provider.
Outserv.net (http://www.outserv.net/)
IT operations and management solutions to small and midsized businesses.

CACTUS Sponsors

Auspex Systems (http://www.auspex.com/)
Fastest reliable network fileservers.
Covad/Laserlink (http://www.laserlink.net/)
(Chip Rosenthal)
Dresser Industries - Wayne Division (http://www.wayne.com/)
(Steve Cox, steve <dot> cox [at] dresser <dot> com, (512) 338-8444)
A leading supplier of integrated retail solutions to the global petroleum and convenience store industries, including point-of-sale systems, fuel dispensers, and after-sale support services.
Journyx (http://www.journyx.com/)
Provider of workforce management software and services
Prog Corp.
(David Mallis, prog [at] cactus <dot> org, (512) 451-7191)
Develops educational materials used for in-service training, classroom teaching, and independent study. They also provides consulting services for instructional program design, development, and implementation.
VoIPing, LLC (http://www.voiping.com/)
A Central Texas privately owned and operated partnership specializing in IT Consulting and Services. (Email info [at] voiping <dot> com. Phone 512-698-VOIP (8647) or 512-698-8031)

Friends of CACTUS

Applied Formal Methods, Inc.
(Susan Gerhart, 794-9732, gerhart [at] cactus <dot> org)
Austin Code Works
(Scott Guthery, 258-0785, info [at] acw <dot> com)
BestRegistrar.com (http://www.bestregistrar.com/)
(Steve Locke, (800) 977-3475), swl [at] cas-com <dot> net)
A top-level domain name registrar, CORE member.
CTG
(Maurine Mecer, 502-0190 [FAX 502-0287])
Professional recruiting.
EDP Contract Services
(Mark Grabenhorst, 346-1040) Professional recruiting.
Hewlett Packard (http://www.hp.com/)
(Bill Sumrall, 338-7221)
Hounix (http://www.texascomputers.com/hounix/)
(Marilyn Harper)
Houston's Unix Users Group.
Network Appliance Corporation (http://www.netapp.com/)
(Frank Mozina, fmozina [at] netapp <dot> com)
O'Keefe Search (http://www.okeefesearch.com/)
(John O'Keefe, john [at] okeefesearch <dot> com, 512-658-9224 or 888-446-2137)
Professional recuiting.
Sailaway System Design
(Chris J Johnson, 447-5243)
Schlumberger (http://www.slb.com/)
(Kathy O'Brien, obrien [at] asc <dot> slb <dot> com)
Technical services and products in over 100 countries.
Silicon Graphics (http://www.sgi.com/)
(Don Williams, 346-9342)
Solid Systems
(Pete Farrell, 442-2222)
Sterling Infomation Group (http://www.sterinfo.com/)
(Darrell Hanshaw, 344-1005, dhanshaw [at] sterinfo <dot> com)
Sun Microsystems (http://www.sun.com/)
(Rick Taylor)
Supplier of Unix client-server computing solutions.
Texas Internet Consulting (http://www.tic.com/)
(Smoot Carl-Mitchell, 451-6176, smoot [at] tic <dot> com)
TCP/IP networking, Unix, and open systems standards.
Technow
A Sun Authorized Training Center and a Hardware Reseller.
Unison Software
(Shelley St. John, 478-0611)
Supplier of networked systems management solutions.
UT Computer Science Department
(Patti Spencer)
UT Computation Center
(Mike Cerda, 471-3241, cerda [at] uts <dot> cc <dot> utexas <dot> edu)


CACTUS Meeting Location:
Applied Research Labs

CACTUS meets on the third Thursday of each month at the Applied Research Labs (ARL) in the JJ Pickle Research Campus (JJ PRC). We'll meet in the main auditorium located directly behind the guard's desk and main lobby.

Please do not show up earlier than 6:20 pm on the specified day. Enter through the main entrance at 10000 Burnet Road for ARL:UT. Tell the guard that you are here for the CACTUS meeting. You will be required to sign a log book, but not required to wear a badge. The guards will direct you to the auditorium entrance. Limited parking in the front of the building is available, but more extensive parking is available in the large parking lot just north of the ARL building. After 6:30 pm, all entrances to JJ PRC, except for the Burnet Road entrance, are closed and locked. You can still enter the parking lot in front of the ARL building. No parking tags are necessary after 6:00 pm. See map for further details.

Online maps are available at:

As always, please leave the facility as you saw it when you arrived.