LJ Archive

Letters

Doc Searls' June 2016 Column

I agree with most of Doc's comments. I started with IBM almost 50 years ago, and I have seen the computer infrastructure expand and contract in an endless cycle of centralized and distributed extremes.

As an early user of CompuServe, I can recall the frustration with both the expense and limitations of its idea of “email” and “networking”.

Although I can see some positive attributes of the social-media engines, to me, they don't really have a product other than trapping me into their maze of advertising.

Even the internet is becoming more and more frustrating. I would much rather subscribe to my favorite sites than deal with the barrage of unwanted ads. Many commercial sites are becoming nearly unusable as they try to second-guess my intentions.

Keep up the good work, I have enjoyed your ideas for many years.


John Crunk

Apache vs. nginx

Regarding Reuven M. Lerner's nginx article in the June 2016 issue: I use both nginx and Apache, and they both are very good servers. However, I would like to point out an inaccuracy in Reuven's article. He states that nginx's worker model is diametrically opposed to Apache's (i.e., async event model vs. process per user). That's actually true for the old default installation of Apache, and it's also true if you install mod_php under Apache. However, Apache has several different concurrency systems you can choose from (they are called MPMs). The MPM Reuven is referring to is one of the old ones: mpm_prefork. There are other MPMs (like mpm_event) that actually work the way Reuven is describing that nginx works, and they have much better performance with high concurrent connection counts. The reason people use the old mpm_prefork (needlessly in my view) is because a lot of people run PHP under Apache, and they use mod_php to do it. mod_php isn't compatible with mpm_event, because mod_php isn't really believed to be thread-safe. So, what you do in this case is precisely what you do in the nginx case; you run PHP-FPM and use the FastCGI interface.

So, what really should be compared is performance of Apache running mpm_event talking to php-fpm vs. nginx talking to php-fpm. The big difference I see there is that Apache actually permits an inefficient solution, while nginx does not. Apache suffers from having a lot of old blog posts on the internet that teach old bad habits; nobody should be running an app server inside the web server process anymore.


Daniel Waites

Reuven M. Lerner replies: Your points about comparing apples to apples is a very good one. But—and I'm embarrassed to admit this—I somehow managed to miss the existence of the event-based MPM in Apache! This probably demonstrates how I've moved toward nginx for all but my most trivial projects.

The very bright minds working on Apache haven't been resting on their laurels, and they have taken advantage of the MPM architecture to create an event-based system. I should have done some more investigation before basically accusing Apache of being old-school technology.

Comparing the event-based MPM with nginx would have been a fairer and more appropriate apples-to-apples comparison.

Screenshot Alternative

Regarding Shawn Powers' Non-Linux FOSS piece in the June 2016 issue: unfortunately, I too have grown accustomed to Snipping Tool, due to a proprietary OS at work, but home is a different story. Open a terminal within your GUI and enter scrot -s. The magic of this allows you to select an individual screen (if you have a dual-monitor setup) or draw a box around the item with the mouse to select the preferred item specifically.


Eion Williamson

Shawn Powers replies: Cool! Several versions of my home OS ago (Xubuntu), I had compiz set up so that I could hold down a fairly simple key combination and take a screenshot at will. I haven't ever gotten that working again since compiz isn't really used anymore. I always have at least one (or 15) terminal windows open though. Thanks!

Appeal to Media: Help Stop This False Sense of Security from Spreading Any Further

Biometric authentications are good for physical security, but they ruin the security of password protection and generate a false sense of security in cyberspace. More specifically, deployed with a fallback password against a false rejection, they provide a level of security that is even poorer than a password-only authentication and yet trap people by giving the wrong impression that security is better than with the password-only authentication.

There is nothing wrong with a biometric product that is operated with a fallback password when that product is offered as a tool for increasing convenience. However, it would not be only foolish but also unethical and antisocial to make, sell and recommend such a product as a tool for increasing security, thereby spreading a false sense of improved security.

Take a few minutes to watch this short video, “Biometrics in Cyber Space—'below-one' factor authentication” (https://youtu.be/wuhB5vxKYlg), and you will certainly have no difficulty in realizing how the false sense of security has been generated. You might, however, reckon that this fact may well be very inconvenient to the media and reporters who have, perhaps unknowingly, lent a hand to spreading this misconception and false sense of security.

This is not an issue of the relative comparison between “good” and “better”, but the absolute judgment of “harmful” against “harmless”. Something must be done before such critical sectors as medicine, defense and law enforcement are contaminated in a horrible way.

Furthermore, according to the article “Biometric Market Set to Skyrocket to $30Bn” (www.infosecurity-magazine.com/news/biometrics-market-set-to-skyrocket), the revenues of biometrics companies are expected “to reach more than $30 billion by 2021”. Biometric solutions are used for physical security, including both forensic and cyber security. The budget for physical security might be well spent, but it is not the case for cyber security.

Assuming that the market for cyber security is no smaller than that for physical security, the figure of $30 billion tells us that no less than $15 billion would be wasted by 2021 for making negative contributions to cyber security, while making criminals and despotic regimes delighted. What a waste! What a folly! Becoming liberated from such a wasteful fate, the $15 billion could be better spent elsewhere for productive, constructive and ethical ends.

A dozen media outlets, including Elsevier, have started to help blow away this false sense of security generated by the misuse in cyberspace of biometric technology (“Misuse in Cyberspace of Biometrics Discussed on Media”, www.slideshare.net/HitoshiKokumai/discussed-on-elseviers-btt-62502162) ). Please consider joining them quickly as one of the front-runner media outlets and reporters.


Hitoshi Kokumai

Shawn Powers replies: Hitoshi, I think security must be one of the biggest areas we focus on as technologists in the present and near future. Thank you for the info, and our readers will be able to read your links as well. It seems our very concept of security, especially as it pertains to authentication, is broken. It's 2016, and I still see passwords on sticky notes attached to monitors. It's scary.

Secure Desktops with Qubes: Compartments

Thank you Kyle Rankin for another article about Qubes OS in the June 2016 issue. I've been using it since your first article in the April 2016 issue. The third article provided me a bit more information about organizing Qubes, and I'll try it.

One thing about Qubes that really impresses me is the available documentation to customize and do more things beyond what you get from the original installation. I am using an HP ProBook 6450 series with i5, 8GB RAM and 300GB HDD. It works fine except with Wi-Fi that has its button feature disabled from the BIOS to work properly. Recently I installed Win 7 with tools and Win 8.1 (no tools available yet) as standalone VMs. I am aware that there are more things to improve; however, for my daily use, it's been very stable and usable at my work, including some testing while visiting some public Wi-Fi networks. Great job Kyle!


Antonio Misaka

The Tiny Internet Project, Part I

Regarding John S. Tonello's Tiny Internet Project beginning in the May 2016 issue: I am really excited about this project! The problem with Linux is that there are too many choices. That is a good problem to have, but it is a problem—especially if you don't know what you are doing and don't have time to try everything out. That is why I am excited about this project. When I am finished with the project, I expect to know enough to put together a small network. That is a valuable tool for almost anyone who enjoys Linux as a hobby, wants to teach it or just needs a working, secure network. Thanks John Tonello!


Mike J. Nordyke

John S. Tonello replies: I'm glad to hear you're diving into the Tiny Internet Project! For new users in particular, it can be frustrating to know just which flavor of Linux to adopt. If you're like most, once you commit to one, you tend to live with it (and favor it) for the rest of your Linux life.

Nowadays, there are essentially two main tracks that are most easily identified by their package types: .rpm or .deb. For the former, it's Red Hat, Fedora, CentOS, SUSE or Mandrake. For the latter, it's Debian, Ubuntu and derivatives like Linux Mint, Xubuntu or Lubuntu. The more significant differences are related to how the filesystems are organized, so if you start with Fedora, you may get a little lost on Ubuntu—and vice versa.

For the Tiny Internet Project, I use Ubuntu, which is popular for both servers and desktops. It's also very popular with developers. I personally use Linux Mint as my daily driver and manage a number of Linux servers running Ubuntu 14.04, so everything is seamless. But even Linux Mint comes in four different flavors: Cinnamon, MATE, KDE and Xfce. Each provides a different desktop experience, but the underlying systems are the same.

I'd recommend you make a couple bootable live USB drives, using a couple flavors of Linux Mint and a couple flavors of Fedora. You can test them without installing them, and once you explore a bit, you'll get a feel for the differences. Then you can more confidently decide on your “forever Linux”.

Comments on the June 2016 Issue

Here are a few comments that the June issue elicited as I read.

initrd (see the Letters section):

Traditionally, an initrd was built using a loop-mounted file on which a filesystem was made and to which dirs and files were added. It took a few steps, but worked well.

The more modern method is to use an initramfs; no block device is needed, no loop-mounting, no filesystem. And, an initramfs is really trivial to create:

1) Create a directory (for example, /root/myinitramfs).

2) In that directory, place the standard directories and files Linux needs to run. Include as much or as little as you wish.

3) Change to that directory and execute find . | cpio -o -H newc | gzip > /root/myinitramfs.gz).

Pretty much every installed Linux kernel today uses an initramfs. It really is that easy to create an initramfs.

ANSI 3.64 (see Dave Taylor's Work the Shell “Publishing the wegrep Wrapper Script”):

This is just a pedantic nit. ANSI 3.64 and ECMA-48 were merged and became ISO-6429; ANSI 3.64 was withdrawn in the mid-1990s. But ANSI 3.64 will live decades longer, just as the async serial spec hasn't been a Recommended Standard since 1984, and has been twice revised—it is now TIA-232-E.

Doc Searls' EOF “What's Our Next Fight?”:

We can start the fight by accelerating the change to IPv6 because that protocol's built-in multicast capabilities will further enhance peoples' ability to form their own common-interest groups.

We can continue the fight by producing simple, free software that makes it trivial to make peer-to-peer cross-platform voice and video connections over the internet where “peer-to-peer” explicitly means that no third-party “service” is needed or involved, and cross-platform means the program is readily available for MacOS, iOS, Android, Windows, Linux and other systems. People don't mind paying to use the information highways and streets, but they sure do get annoyed when they have to pay for that use and pay tolls every time they turn onto a different street.


Neal Murphy

Note for Shawn Powers' “Build Your Own RPi Camera”in the June 2016 Issue

You've probably heard this from many others already, but just in case you haven't, you can disable the red LED on the camera by adding the line:

disable_camera_led=1

to the file /boot/config.txt. At least that works for me.


Roger

Shawn Powers replies: Ha! Actually, Roger, no one has sent that valuable information my way. Thank you!

LJ Archive