CCleaner security risk

0 comments


CCleaner contains a major security risk.  If you use it, please update ASAP!

Singularity: the cool container you've never heard of

0 comments


Unless you've been in suspended animation, you've heard of Docker, the container technology that has taken the IT world by storm.

If you've been following that movement closely you've probably heard of rkt (an alternative from the CoreOS group), LXC/LXD (an alternative from Canonical, the creators of Ubuntu), and Project Atomic (a Red Hat initiative to address security concerns over Docker).

If you've been around longer, you'll probably mention to those youngsters that Solaris zones offered this functionality many years prior.  Fans of (Parallels) Virtuozzo Containers will say the same thing.

With all these options you'd think we could put this topic to rest.  Decide on your favorite and move on, right?  Well, there may be need to add one more to the mix: Singularity.

Singularity was born in a very different environment than DevOps shops and web hosting: HPC.  High Performance Computing centers have a lot more hardware and security constraints because "escaping root" would mean hackers would have access to supercomputing power.  In this regard, it's probably closest to Solaris zones, which are used in similar work environments.  Unlike Solaris though, which needs to emulate Linux functionality with lx branded zones, Singularity is native Linux.  Also, unlike Docker, which runs the container daemon as root, Singularity can run the container daemon as a read-only, rights-limited regular user on the host, greatly reducing (but not altogether eliminating) security concerns.  As a bonus, it supports Docker container images (although the integration with Docker Hub is at the mercy of Docker developer whims).  As a personal aside, I find their CLI arguments and parameters easier to understand and use than Docker's.  If you are keen on security and need to run Linux containers in a more controlled environment, check out Singularity.

M.2 saga with MSI B150 PC MATE

0 comments


I decided to build a new machine for my kids so I purchased an MSI B150 PC MATE motherboard and evaluated my options for a hard drive.  Since it supported the newer M.2 SSDs, I figured I'd splurge.

First mistake: somewhat novice with the M.2 form factor, I didn't realize it supported both SATA and PCIe with no visible distinction.  I researched various M.2 drives and picked a WD Black PCIe before realizing that the MSI B150 PC MATE only supports M.2 SATA, not M.2 PCIe drives.  Doh!

Fortunately there's an adapter to solve that problem, although it will use up a PCIe 3.0 x4 connector on your motherboard.  For that reason I recommend you return the motherboard for an M.2 PCIe-compliant board (like the H170A PC MATE) or return the PCIe drive and get a SATA equivalent.

However, I like a challenge ;) so I forged ahead with the adapter!

Second mistake: My kids need Windows for certain programs and my only copy is Windows 7.  Unfortunately Windows 7 and NVMe drives (like M.2) don't get along.



According to Intel:
"Windows 7 does not support native UEFI booting without a Compatibility Support Module [CSM].  As a result, system compatibility is limited and varies by vendor.  In order to properly boot Windows 7 from an NVMe SSD, your system must support loading UEFI drivers when the Compatibility Support Modules is enabled."
Bottom line: use Windows 8.1 or later.

However, I like a challenge ;) so I forged ahead with Windows 7!

This is possible because the MSI B150 PC MATE supports

  • UEFI, which requires a Windows 7 DVD in an optical drive -- i.e. you cannot install Windows 7 with a USB stick (press Delete on startup > BIOS > Boot > Boot Mode Select  -- set it to LEGACY+UEFI)
  • CSM (press Delete on startup > BIOS > Advanced > Windows OS Configuration > Windows 7 Installation  -- set it to enabled)
Now, if you boot from the Windows 7 DVD you'll see the familiar Windows setup wizard and feel all warm and fuzzy until you get to the screen above where no drives are listed.  Arghh!

Third mistake: After searching the all-powerful Internet for a ridiculously long time, I finally broke down and did what no man likes to do: read the manual.

Buried on page 4 is this crucial lead:
"Microsoft Windows 7 installation on NVMe devices that use the PCIe bus requires a Hotfix.  Use this Microsoft KB Article for assistance: KB 2990941"
That article provides an 11-step "Method 1" process that involves slipstreaming the hotfix into a custom Windows 7 ISO and burning a new DVD.  Sigh...  Good thing I like a challenge  ;)

FYI, if you're not in the mood to go through all the tedious steps, you can download the final ISO here.

Note: the first step in that article mentions "Windows 8.1" but it is the correct link and software needed for Windows 7.  The Internet installation of the Windows ADK also takes quite a while to load the initial install screen so be patient and wait up to 10 minutes before assuming the install is frozen.

Note: step 3 means copy everything from your Windows 7 installation cd to the c:\temp\src folder (not just the 'sources' folder).

Note: you can ignore step 5 since we don't need additional drivers, just the hotfix.


If you get an "Error: 87 The mount-image option is unknown", use the following commands instead of those provided in step 7:

dism /Mount-Wim /WimFile:c:\temp\src\sources\boot.wim /Index:1 /MountDir:c:\temp\mount
dism /Image:C:\temp\mount /Add-Package /PackagePath:c:\temp\hotfix
dism /Unmount-Wim /MountDir:C:\temp\mount /Commit
dism /Mount-Wim /WimFile:c:\temp\src\sources\boot.wim /Index:2 /MountDir:c:\temp\mount
dism /Image:C:\temp\mount /Add-Package /PackagePath:c:\temp\hotfix
Manually sort the folder C:\temp\mount\sources by date, and then copy the updated files to c:\temp\src\sources.
dism /Unmount-Wim /MountDir:C:\temp\mount /commit

If you get an "Error: 87 The mount-image option is unknown", use the following commands instead of those provided in step 9 (note that the second Add-Package targets the mounted winre.wim in C:\temp\winremount, not install.wim):

dism /Mount-Wim /WimFile:c:\temp\src\sources\install.wim /Index:1 /MountDir:c:\temp\mount
dism /Image:C:\temp\mount /Add-Package /PackagePath:c:\temp\hotfix
dism /Mount-Wim /WimFile:c:\temp\mount\windows\system32\recovery\winre.wim /Index:1 /MountDir:c:\temp\winremount
dism /Image:C:\temp\winremount /Add-Package /PackagePath:c:\temp\hotfix
dism /Unmount-Wim /MountDir:C:\temp\winremount /Commit
dism /Unmount-Wim /MountDir:C:\temp\mount /Commit


Before you can run step 10, install Oscdimg.  Then use the Legacy and UEFI BIOS multiple Boot mode option.
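The whole slipstream sequence from steps 7 and 9 above, as an added PowerShell wrapper that is not part of the original post or the Microsoft KB article: it checks every dism exit code and discards a mount instead of committing a half-patched image, and it replaces the manual "sort by date and copy" step with a newer-file comparison.  The C:\temp paths are the ones used in the post; the existence of the hotfix folder and the two-index layout of boot.wim are assumptions.

```powershell
# Added example (not from the original post).  Assumes the Windows ADK (dism.exe)
# is installed, the Windows 7 DVD was copied to C:\temp\src and KB2990941 was
# extracted to C:\temp\hotfix, exactly as the post's earlier steps describe.
$ErrorActionPreference = 'Stop'
$Src    = 'C:\temp\src'
$Mount  = 'C:\temp\mount'
$WinRe  = 'C:\temp\winremount'
$Hotfix = 'C:\temp\hotfix'

function Invoke-Dism {
    # Run dism.exe and fail loudly on a non-zero exit code; native commands do
    # not throw on their own, so without this a failed step would go unnoticed.
    param([string[]]$DismArgs)
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($DismArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Add-HotfixToWim {
    # Mount one image index, inject the hotfix, run an optional extra step while
    # the image is still mounted, then commit.  Any failure discards the mount so
    # a partially patched image is never written back to the WIM.
    param([string]$WimFile, [int]$Index, [string]$MountDir, [scriptblock]$WhileMounted = {})
    Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")
    try {
        Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$Hotfix")
        & $WhileMounted
        Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
    } catch {
        & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
        throw
    }
}

foreach ($dir in $Mount, $WinRe) { New-Item -ItemType Directory -Force -Path $dir | Out-Null }

# Step 7: boot.wim has two indexes (Windows PE and Windows Setup).  After index 2,
# copy any file in the mounted sources folder that is newer than (or missing from)
# the DVD tree, which is what the manual "sort by date" instruction achieves.
Add-HotfixToWim "$Src\sources\boot.wim" 1 $Mount
Add-HotfixToWim "$Src\sources\boot.wim" 2 $Mount {
    Get-ChildItem "$Mount\sources" -File | ForEach-Object {
        $dest = Join-Path "$Src\sources" $_.Name
        if (-not (Test-Path $dest) -or $_.LastWriteTime -gt (Get-Item $dest).LastWriteTime) {
            Copy-Item $_.FullName $dest -Force
        }
    }
}

# Step 9: install.wim index 1, with the nested winre.wim patched in its own mount
# directory while install.wim is still mounted, and committed innermost first.
Add-HotfixToWim "$Src\sources\install.wim" 1 $Mount {
    Add-HotfixToWim "$Mount\windows\system32\recovery\winre.wim" 1 $WinRe
}
```

Run it from an elevated PowerShell prompt; a failed dism call stops the script and leaves the source tree untouched, so the step can be repeated after fixing the cause.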

Whew!  After all that mess, and burning the ISO to a DVD, I was able to boot Windows 7 on my PCIe M.2 drive!!


...next challenge: getting a Linux dual-boot setup (since Grub and LILO apparently don't like NVMe either)

________________


Update: I finally got Linux dual-boot to work!

Fourth mistake: I was selecting the normal DVD-ROM entry in the BIOS boot list instead of the "UEFI: " prefixed entry for the same DVD-ROM.  Because of this, Lubuntu was booting in "Legacy" mode and couldn't see the Windows OS in "UEFI" mode.  Once I booted the Lubuntu LiveCD using the UEFI entry in the BIOS boot options, it saw the existing Windows install and automatically configured Lubuntu to boot alongside Windows.

...Unfortunately, after Lubuntu finished installing and the machine rebooted, Windows automatically booted.  Arghh!

After some trial and error, I finally discovered if I loaded the BIOS boot list I could see an entry for "ubuntu" and that loaded GRUB which then displayed both ubuntu (Lubuntu) and Windows as boot options.

I wanted to avoid entering the BIOS boot screen every time I wanted to load Linux so I dug a bit further and finally discovered a setting buried in the BIOS which allowed me to set the "ubuntu" option as default: BIOS > Boot > UEFI Hard Disk Drive BBS Priorities

Now that GRUB was loading by default, I just had to edit /etc/default/grub to change GRUB_DEFAULT=2 to load my Windows option by default and I'm a happy camper  :)

Pandora alternative: Jango

0 comments


Tired of constant Pandora ads and pressure to pay for a subscription?  Me too.  Having difficulty wading through all the lame commercial Spotify, Last.fm, Google Play, etc. etc. etc.?  Save yourself the trouble and just head over to Jango.

You're welcome  :)

AWS - a retelling of The Emperor's New Clothes

0 comments


Most of us are familiar with Hans Christian Andersen's classic tale The Emperor's New Clothes where an emperor is swindled into thinking he has received a beautiful new suit when in fact he gets nothing and no one is brave enough to admit it.

My experience with Amazon Web Services (AWS) and other major cloud vendors feels like déjà vu.  With so much hype and management pressure and sales pitches with promises of free tiers and effortless scaling, I naively drank the punch like everyone else.

Slowly, painfully, the reports and the realization started to sink in.

I've been wanting to summarize my experience for some time but have found it challenging to describe exactly why the emperor's clothing from AWS seems so removed from reality.  Fortunately, I recently came across this fantastic article by Pedro Sostre that describes it perfectly!  READ IT before committing to any cloud provider!

...whew!  my civic duty and conscience are now complete.

Wasabi - new cloud storage king in town?

0 comments


Wasabi (code named BlueArchive), a cloud storage provider from the creators of Carbonite, came out of stealth mode today swinging hard at Amazon S3:


Wasabi's storage price point of $.0039 per gigabyte per month and $.04 per gigabyte of network egress (downloads) is significantly cheaper than the large cloud providers and even dethrones the current object storage price champion, Backblaze:


Now, the real question is... can they follow through with their promises?



Welcome to the Borg

0 comments

"Imagine a world where we're no longer looking up at Tech Titans such as Apple, Google, Microsoft, Amazon, and Facebook, and wondering what it would be like to operate at their extraordinary scale -- because we're one of them."
- LinkedIn (in their merger announcement with Microsoft)


MTG cards for learning about computers

0 comments

My sons really enjoy the Magic The Gathering card game so I thought it would be fun to reference it while teaching them a bit about computers:


You can print them out using these instructions (make sure to change layout to landscape before printing).

Notes:

  • computer case provides electricity (sun mana)
  • you can overclock a CPU for more power but you risk system damage (negative toughness)
  • solid state drives (SSD) are superior to standard SATA/SAS HDD but they cost more
  • a hard drive's top priority is reliability (hence higher toughness over power)
  • the hard drive quote also references the difference between hard drive persistence vs. ephemeral memory
  • memory special ability references scalability of adding more memory to a system to improve performance
  • motherboard is what pulls all the systems together
  • a video card offers "flying" speed and GPU processing is more powerful than CPU processing but at a higher cost

Lubuntu 17.04 lands tomorrow!

0 comments

Let the countdown begin!

Ubuntu.me

The return of SSI

0 comments


Single System Image (SSI), sometimes referred to as a distributed operating system and not to be confused with Server Side Includes, is a compute cluster technology that was assumed dead many years ago.  It hails from prehistoric roots where mainframes ruled among dinosaurs and monolithic architectures were the norm.  In our snazzy modern society where diminutive microservice mammals like Docker have evolved to dominate the landscape and pets are not allowed, it would seem logical that ancient behemoths would simply fade away into historical obscurity.  The gradual die-off of most SSI solutions would certainly support that theory.  

However, one hope remains: Stateful Big Data


Microservices work well for stateless horizontal scaling.  Need more oomph?  Add a node (or 50).  Easy!

Things get trickier when you add state to the equation.  User sessions, personalized dashboards, ad-hoc queries...  Fortunately, load balancers can do clever things like sticky sessions and state can often be offloaded to scalable architectures like object storage and NewSQL databases.

So we're good, right?  Not quite.

Unfortunately, load balancers and offloading state won't help you if you run into a situation where a given operation requires more than a single node's resources can handle.  At that point you generally have two choices: scale vertically or break the operation into smaller tasks that can be processed in parallel.

Scaling vertically is much easier nowadays with big beefy cloud instance types and the ability to snapshot images or live migration.  However, there is a practical limit to how far you can scale vertically (>2TB memory, for example).  There's also additional risk if a node goes down and complexity when you need to upgrade versions or move to another server.

Accordingly, many companies hoping to data mine, or troll their data lake (or whatever hip analogy is in vogue nowadays), turn to distributed MapReduce-based cluster solutions like Hadoop.  This architecture allows you to process and analyze massive amounts of data efficiently.  However, older non-cloud-ready applications cannot take advantage of this new computing paradigm and often require a significant code rewrite to do so.  It also requires more staffing overhead as DevOps need to familiarize themselves with new, complex tools.

So, when it comes to stateful big data, SSI really begins to outshine the competition.  SSI provides both horizontal and vertical cluster scaling but exposes those resources in a way that to the end user it appears to be a single server.  This is in contrast to other cluster architectures that simply manage a cluster of machines as separate entities.  As more nodes are added to the cluster, that single virtual server appears to magically grow more powerful.  All the complexity regarding memory management, load balancing, file management, etc. is handled for you transparently!  Since the interface appears to be a single server, user interaction is as intuitive as working on a local tower under your desk.  It also supports a far broader array of applications, including legacy applications not originally designed for cloud scalability.

So what's the catch?  Well, it's hard to do so most people either give up trying or attempt to sell/license it.  Currently, the most active communities for SSI are:
Only LVS is open source, but it's more like a loose collection of tools and methodologies than a single installable product.  The HP and IBM solutions are very complex and include vendor/hardware lock-in.  MOSIX appears to be the most user-friendly, but its closed source code, lack of high availability, Australian proprietary license, and failed commercial attempt have hampered community interest.

Bountysource payment process (backer tutorial)

0 comments


UPDATE: Bountysource has poor customer support, expensive fees, and a non-intuitive workflow.  Use FreedomSponsors instead


_________________________________________________

original article for historical documentation...


Bountysource is a helpful service that allows companies, groups, and individuals to incentivize specific development tasks via bounties and fundraisers.  Many big companies have used the service, including IBM, Facebook, GitHub, and Adobe.  Although the process is fairly straightforward, there are areas for improvement -- especially the payment process.  Here's the "missing manual":

0. If you haven't already, create a free Bountysource account

1. On the Bountysource homepage, find the Post section and submit the issue tracker URL for an issue you want to incentivize.  Bountysource currently supports GitHub, Bugzilla, Google Code, Jira, Trac, LaunchPad, and Pivotal issue trackers.


2. Click the Post button

3. Select a pre-determined amount or enter your desired bounty amount:


4. Select a payment option and checkout to complete the order:

Once processed, Bountysource displays the new bounty on their homepage.  You can also post a link to the bounty on the target issue's tracker or other advertising means, like social media.

Bountysource holds the funds until the issue is marked closed and awaits a bounty claim by a developer.  Simple, right?

Well, what happens when a developer claims the bounty?  The Bountysource FAQ describes a straightforward process: The backer(s) receive email notifications indicating a claim has been filed.  They can either accept the claim, refute the claim within two weeks, or if a claim goes uncontested for two weeks the claim is automatically paid.

Easy...until you try to accept the claim.  The FAQ states:

"If all Backers vote to accept the claim, it is processed immediately and the developer is awarded the bounty."

But how do I "accept the claim"?  There's no button that says accept and the link emailed to backers doesn't explain it or provide an accept button either.  It turns out the solution is a non-intuitive three-step process:

1. Click the thumbs-up button to vote your approval:


2. Once all the backers vote their approval, an Accept button will appear which you should click:


3. The backers will be notified of the successful payment via an online message and email:



Not hard if you know the process, but super confusing if you don't!

Tutorial: Install LineageOS 14.1 (Nougat) on Verizon HTC 10

2 comments

Now that LineageOS pre-official nightlies are available for the HTC 10, I thought I'd take it for a test drive...




WARNING: THE FOLLOWING GUIDE IS ONLY FOR U.S. VERIZON WIRELESS HTC 10 SMARTPHONES (VZW pme).  I CANNOT BE HELD RESPONSIBLE FOR ANYTHING THAT GOES WRONG IN THE PROCESS OF FOLLOWING THIS TUTORIAL.  USING YOUR DEVICE IN THE WAYS DESCRIBED BELOW WILL VOID YOUR WARRANTY.  PROCEED AT YOUR OWN RISK.


0. Important: this process will wipe your internal storage so transfer all desired settings and files to your external SD card or PC beforehand!

1. To ensure you have the latest official Verizon firmware, make sure your HTC 10 is fully up to date (Settings > Software updates > Check now).  If the OTA update via your phone fails, you can also update using the HTC Sync Manager wizard (recommended) or manually by downloading the latest Verizon HTC 10 RUU zip file here and following the instructions for installing it here.

2. Gain root access (similar to "jailbreak" on iOS devices) and install the latest TWRP recovery by following this guide.

3. Copy the latest LineageOS image onto the phone's external SD card.

4. Copy your preferred variant of GAPPS 7.1 ARM64 onto your external SD card -- I like the micro version but you can pick the one that best suits you (...and yes, this step is required).

5. Charge your phone to 100%

6. Boot into TWRP recovery by holding the Volume-down and Power keys simultaneously until the device powers off (about 15 seconds); release the Power key as soon as it powers off but keep holding Volume-down until the boot menu appears.  Press the Volume-down key repeatedly until "reboot to bootloader" is selected and then press the Power key.  Press the Volume-down key repeatedly until "BOOT TO RECOVERY MODE" is selected and then press the Power key.


8. After the backup completes, in the TWRP menu choose "Mount" and uncheck "System" if it is checked

9. From the TWRP menu, press "Wipe" and Swipe to Factory Reset

10. Press "Back"

11. Press "Format Data", type yes and press the blue checkmark button on the screen keyboard to continue (note: this step will NOT wipe your external SD card contents)

12. Press the home icon (house-shaped icon at the bottom of the screen)

13. Press "Reboot"

14. Press "Recovery"

15. On the TWRP menu choose "Install" and select the zip of LineageOS, then press "Add more Zips" and select the zip of GAPPS.  Swipe to confirm Flash (note: if you see "E:unknown command [log]" in red twice during the flash process you can safely ignore it; when the process completes you should see "done").

16. Press the "Wipe cache/dalvik" button and Swipe to Wipe

17. Press the "Reboot System" button

18. The first boot will take about 5 minutes, so be patient if it just displays the generic "android" screen for a while...

19. After your phone boots, follow the wizard prompts and then go to "Settings > About" to verify the version.

Enjoy!




LineageOS replaces CyanogenMod

0 comments



In case you didn't see it elsewhere, CyanogenMod has ceased operations and its spiritual successor is LineageOS.