Posts with the name or tag of 2007 May;

by Gaz

Industrial-strength Linux Lockdown

6:23 pm in Technology, Writing by Gaz

If you’re interested in how to push machine lockdown to its absolute limits, including removing bash (and other shells) from a Linux installation, among other things, then you might enjoy my Industrial-strength Linux Lockdown tutorial, currently the top featured article in IBM developerWorks Linux Zone (registration required, sorry).

The second part of the tutorial is where things get really interesting, and that should be up in a week or so. Let me know what you think, either in the feedback form with the article, or in the comments here!

by Gaz

Beer Exchange Meme

4:03 pm in Ramblings by Gaz

Earlier today, I found Ankesh Kothari’s Buy Me a Beer plugin, and reasoning that a man can never have too much beer, installed it right away. It turns out that something in the plugin doesn’t agree with WP-2.1, so I had to hand code a work-a-like into my sidebar. Ankesh, I’ll certainly buy a beer for you when you fix the plugin…

I’ve participated in several Memes recently, and thought it was about time I started one of my own. I’d like to incorporate my near legendary love of Guinness into this meme. Here are the rules:

  1. If you haven’t already, you’ll need to signup for a PayPal business account so that you can receive payments. It only takes a few minutes to sign up.
  2. If you have a blog, either install Ankesh Kothari’s Buy Me a Beer plugin on your wordpress blog, or paste some variant of the code below into an appropriate place. If you don’t have a blog, you can still participate by including a version of this code that points to your PayPal account in a comment on this post:
    <form name="beerexchangememe" action="https://www.paypal.com/cgi-bin/webscr"
             target="paypal" method="post">
      <input type="hidden" name="cmd" value="_xclick" />
      <input type="hidden" name="business" value="[your PayPal account email]" />
      <input type="hidden" name="return" value="" />
      <input type="hidden" name="item_name" value="Beer Exchange" />
      <input type="hidden" name="amount" value="$4" />
      <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&amp;business=[your PayPal account email]&amp;amount=$4&amp;item_name=Beer+Exchange+Meme" target="paypal">Buy Me a Beer</a>
    </form>
    
  3. Work through the comments on this post and follow each of the links to buy a beer for each of the commenters on this post, and then add your own to the end. If you don’t like beer, then a glass of wine or a cup of coffee is fine too. Just like when you go to the pub, arriving early means you buy a smaller round, and then reap the benefits of a beer from everyone else that arrives after you.
  4. Feel free to tag your friends, and have them join in too — I’ll start the ball rolling by tagging everyone who has passed a Meme to me recently…
  5. When you’ve collected enough beer for a serious session of drinking, have someone photograph or video the proceedings and post the results back to your blog.

This is a pretty cheap way to get some free links to your blog, and some free beer too! Aside from the Do Follow link you’ll get from the comment you leave, I’ll also link back to all participants’ photos. If you don’t want to buy a whole round, but do want to contribute towards seeing the photographic evidence of my attempt at the world record for most Guinness consumed in 24 hours, please feel free to Buy Me a Guinness!

I tag Ian, Charity and Bill! Remember first to respond buys the smallest round…

by Gaz

Mac Installation Security 101

11:53 pm in Technology by Gaz

This is the first part of a short series of posts about installing Mac OS X. Today’s topic is nailing down the security. In the next part, I’ll look at setting up the standard applications.

Before I get started on this post, I should like to point out that, yes, I did work for the Ministry of Defence for many years. But, NO, it was not me that famously had a laptop full of national secrets stolen from a train! ;-)

Anyway… after more than 3 weeks in repair, I got my macbook back yesterday, complete with new logic board and optical drive, but still awaiting a new keyboard surround. Unfortunately, when I got it home I wasn’t able to log in to either my normal encrypted user account, or the unencrypted administrator accounts. So it seems that my password database had become corrupted somehow. Luckily, I had backed up all my important data before I took the machine in (secretly hoping they would toss it, and give me a new one), so I simply wiped the drive and reinstalled from the restore disks. In the process of manually setting up everything from scratch I thought I’d make notes on all the steps I had to go through to turn a pristine installation into a productive and secure work environment.

Before getting carried away with anything else, I like to lock down the System Preferences as securely as possible. Here are the steps you should use to do that:

1. Software Update

It’s a sure thing that Apple will have put out several point releases and security patches since the installation DVDs were burnt, so run Software Update to make sure all those fixes are live on your mac. Often, not everything will be listed in the first attempt (it took 3 runs for me), so when it finishes, run it again until it explicitly says that there are no more updates.

Also, you don’t want your machine to be vulnerable for a week or more after Apple puts out their next security update. From the Software Update preferences, set the Check for Updates frequency to Daily. And, would you believe, just as I was collecting screenshots for this post, even though I ran Software Update myself 3 times this afternoon, I just automatically picked up Apple Security Update 2007-05!

2. System Name

No sense in making it easy for a hacker on your network by telling him this machine is a macbook, so in the Sharing preferences rename the machine (I’m not sure why Apple chose such a strange place to put the machine name, but I suppose the logic is that it is how people who use your shared resources will see you on the network… or something). All the computers, printers, routers etc. on my network are named after demons, and the macbook is no exception now that I’ve called it baal.

3. Firewall

I have no clue why Apple don’t enable it by default, but while we have the Sharing preferences open, start the firewall too. I also need ssh enabled to do day to day work, so I start Remote Login from the Services tab. Since I’m not running any UDP services from my laptop, I set Block UDP Traffic from the Advanced dropdown in the Firewall tab. I also like to make sure Enable Stealth Mode is on, which tells Mac OS to drop any packets it wasn’t expecting, rather than send an access denied message: this effectively makes my machine invisible to anyone on the network who doesn’t already know its address and an open port number!

4. Apple Remote

Partly to stop the macBook from responding to someone else’s infrared remote shenanigans, and partly to stop my iPod from responding to my macBook remote, I always pair the remote with the machine it came with. You’ll need administrative rights to do the actual pairing, so make sure to do this before the next step.

With the remote just an inch or three from the IR sensor, press and hold menu on the remote, and when Frontrow has launched, also press and hold fast forward on the remote for about 5 seconds until the chain link is displayed.

5. Login Options

If someone steals my laptop, I don’t want to give them half of the information they need to get through the Login & Password screen to get access to my private data. From the Accounts preferences, select Display Login Window as Name and Password, and deselect Show password hints. Since I use the Dvorak keymap, if I shared this computer with anyone else, I’d need to enable show input menu in login window — but I don’t, so I leave it deselected to make life even harder for whoever stole my machine. Serves them right!

6. Administrator Access

I just discovered that if you turn off the Administrator privileges for your main login account, Mac OS prompts for an administrator-enabled username and password when it needs one (to install software for instance). To make hacking the machine over the network more difficult, in the Accounts preferences create a brand new user and give them administrator rights before turning off your own Allow user to administer this computer option.

As a linux refugee, and GNU maintainer, I spend the vast majority of my development time in the Terminal. Unfortunately, removing the administrator rights of my login account means that sudo doesn’t work: luckily, it’s easy to reenable it:

$ su -c 'sudo visudo' admin-account

You have to enter the password for the admin-account once for su, and then again when it invokes sudo, after which you just add a new line to the file that is being edited:

gary ALL=(ALL) ALL
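
A check worth running after an edit like this, as an added example that is not part of the original post: the function below lists every rule in sudoers-format text that grants unrestricted access, as the `gary ALL=(ALL) ALL` line does, so you can see which accounts' own passwords are enough to reach root. The function names and the sample rules (other than gary's) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sudoers rules that grant unrestricted root access.
# Function names and the sample rules are constructed for illustration.

# Constructed sample in sudoers syntax, including the rule from the post.
sample_sudoers() {
    cat <<'EOF'
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
gary    ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: \
        ALL
EOF
}

# Read sudoers text on stdin; print "<who>\t<FULL[,NOPASSWD]>" for every
# rule whose command list contains ALL. Per-host sections separated by ":"
# and alias expansion are not handled.
audit_sudoers() {
    awk '
    {
        # Join lines that end in a backslash, as sudoers allows.
        if (sub(/\\$/, "")) { buf = buf $0; next }
        line = buf $0; buf = ""
        sub(/^[ \t]+/, "", line)

        # "#" starts a comment or an include, except for a "#uid" user.
        if (line ~ /^#/ && line !~ /^#[0-9]+[ \t]/) next
        sub(/[ \t]+#.*$/, "", line)
        if (line == "") next
        if (line ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/) next

        eq = index(line, "=")
        if (eq == 0) next
        split(substr(line, 1, eq - 1), lhs, /[ \t]+/)
        rhs = substr(line, eq + 1)

        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rhs)             # drop "(runas)"
        nopass = (rhs ~ /NOPASSWD:/)
        gsub(/(NO)?(PASSWD|EXEC|SETENV):[ \t]*/, "", rhs)  # drop tags

        n = split(rhs, cmd, ",")
        full = 0
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", cmd[i])
            if (cmd[i] == "ALL") full = 1
        }
        if (full) printf "%s\t%s\n", lhs[1], (nopass ? "FULL,NOPASSWD" : "FULL")
    }'
}

sample_sudoers | audit_sudoers
```

On a real machine, feed it the live file with `sudo cat /etc/sudoers | audit_sudoers`.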

7. Filevault

I always used to be a little wary of this, but it is the best way to lock laptop thieves out of your personal data. Be aware that network logins over afp, and samba shares won’t work with an encrypted account when you’re logged out. I’ll explain how to work around that in the next part of this series.

First you have to select Set Master Password, and then you can Turn On Filevault from the Security preferences, and wait for a few minutes while your home directory is encrypted.

8. Login Security

Still in the Security preferences, for obvious reasons select all of the following: Require password to wake this computer from sleep or screen saver; Disable automatic Login; Require password to unlock each secure system preference; and Use secure virtual memory.

In order to be able to prompt for a password from the screen saver, you’ll also need to enable one from the Desktop & Screensaver preferences. If your machine will be left unattended at a desk, you should make triggering the screensaver as easy as possible — having the thing start up after you’ve been watching a compile for just a few minutes can be annoying, but if someone is going to “borrow” your machine for a spot of hacking while you’re away, they’ll want to get started quickly, so it’s best to have the delay set to just the 3 minutes minimum. You can then use the Hot Corners pane to Disable Screensaver with the top corners, and Start Screensaver with the bottom corners. That way you just need to remember to put the mouse in a bottom corner before you dash to the bathroom, and in a top corner if you’re watching a slideshow or a long compile.

9. Bluetooth

In the Settings tab of the Bluetooth preferences, turn off discoverable, and unless you normally use a bluetooth mouse or keyboard, turn bluetooth itself off altogether, but leave it showing in the menu bar to make pairing with phones and so forth as easy as possible. In the Sharing tab, select Require pairing for security for all bluetooth sharing services.

10. Keychain Access

Especially if you’ve decided not to encrypt your home directory, you should launch the Keychain Access application and select Change Password For Keychain “login” from the Edit menu. In the Current Password text field, type your login password. Type a new password in the New Password field and again in the Verify field. You can also test how secure your password is by clicking the key icon next to the New Password field to bring up the Password Assistant.

Once you’ve unlocked the keychain, it normally remains open until you logout again. It’s much safer to have it automatically lock after a period of inactivity, say 5 minutes. You can set that from the Change Settings For Keychain “login” in the Edit menu. I always select the Lock when sleeping option here too.


by Gaz

How to Spend $456 Billion

5:29 pm in Ramblings, Technology by Gaz

George W. Bush thinks a good use for $456 billion is to wage war on Iraq. The Boston Globe thinks that money could have been put to better use, and so do I… Yesterday, I was tagged by Ian Hedges to take part in the $456 Billion meme, which was in turn instigated by Sam of Blog, MD.

Even using US billions, $456,000,000,000 is a tremendous sum of money that is hard to contemplate – more than $1500 for every man, woman and child in the USA; or, more than $70 for every man, woman and child on the entire planet; or, to really give it some perspective, almost $30 for every homo sapiens that has ever lived on the planet (looking at wikipedia’s earth population numbers, and assuming an even spread of ages and an average of 20 years between generations, there have been less than 7 billion deaths in all of human history according to my calculations).

In the current political and cultural climate, I don’t believe money alone can bring about world peace, nor make an end of world poverty or disease in any significant global fashion, so as a foil to other meme participants’ laudable goals, I’m behind using that money to revitalise the space programme. The money came from US tax dollars, so I think it is only fair to reinvest it in something that will particularly benefit the people who paid…

How much could $456 billion buy today?

About $24 billion was spent in the late 1960s to put a man on the moon, or about $132 billion adjusted for 35 years worth of inflation. But technology has come a very long way since then. I have, as an example, considerably more computing power on my desk right now than was available to the entire Apollo programme between Kennedy’s famous 1961 speech and the Apollo 11 landing in 1969, 8 years later.

In the 1990s, Robert Zubrin’s The Case for Mars estimated that NASA could put a man on Mars for no more than $20-30 billion ($30-40 billion in today’s money when adjusted for inflation). Although he sets out many strong arguments for why mankind needs to take a foothold on Mars (echoed in part by Stephen Hawking’s occasional pleas for us to Leave Earth, or Die!) Zubrin’s costings are little more than educated guesses, and he fails to take the relentless march of technological advancement into account.

New Vision for the Space Exploration Programme

Perhaps, in an attempt to gain some of the glory won by Kennedy in 1961, President Bush announced a new vision for the space exploration programme in January 2004, calling for a return to the moon by 2020 as a launchpad for putting a man on Mars before 2030!

Unfortunately, most of the skills and individuals that were key to the success of the Apollo program 35 years ago are no longer available. Particularly frightening is the loss of all plans and equipment used for the Saturn V rocket that was used to put the original Apollo spacecraft into Earth orbit. And yet, the key players at NASA in the 1960s were able to conceive, build and execute the events that put Neil Armstrong on the moon in only 8 years — spending $132bn (inflation adjusted) along the way.

Various Opinions on the Cost

Bush proposed a budget increase of $12bn to help NASA fund his new vision, which is plainly not enough, but it is a sorry state of affairs that an opposition sponsored press release from Citizens Against Government Waste conjured a cost of $1 trillion without any substantiation, which caught the public attention and punctured what might have been a surge of public enthusiasm in rekindling the world’s pioneering spirit:

In a 5 April 2004 official press release titled ‘New Report Reveals $6 Trillion in Hidden Spending in Bush Budget’, the Kerry campaign says, “The True Cost of the Mars Mission ($160 billion to $1 trillion): President Bush has only included $1 billion in increased NASA funding to fulfill his ambitious plan to establish a lunar base and land people on Mars. Independent estimates of the cost of the Mars mission range from $160 billion to $1 trillion.[3]” The $1 trillion reference is listed as “[3] The $160 billion estimate is from Congressional Testimony by Michael Griffin, former Chief Engineer of NASA on 3/10/04. The $1 trillion estimate is from Gregg Easterbrook, ‘Red Scare,’ The New Republic, 2/2/04.”

At the other end of the scale, in his book New Moon Rising, Keith Cowing agrees with the lower bound cost of $160 billion. Given all those numbers, it seems to me that $456 billion is ample to establish a permanent base on the moon, and from there fund the beginnings of establishing a Martian colony… and how much more beneficial to the human race can we get than saving it from extinction due to natural disaster, cosmic cataclysm or over-population?? It is certainly a better option than carpet bombing the Middle East — no matter what your views on the relative importance of the US Space Programme.

A Cheaper Alternative

Interestingly, in the process of writing this post, I discovered that Buzz Aldrin (PhD), second man on the moon, has advocated an alternative cost-effective means to assemble an ongoing Mars programme over the last few years.

Passing the Baton

Having enjoyed all the number crunching and deep thought required to contribute something interesting to this meme, I tag Chris, Dave, Zath and Leo. Hope you guys have time to contribute too :-)


by Gaz

The Greatest Productivity Tip in the World

6:28 pm in Personal Growth by Gaz

Last week I was tagged by Charity of Design Adaptations to take part in Ben Yoskovitz’ Ultimate Guide to Productivity meme. The idea is to reveal my greatest personal secret to maintaining my productivity, before passing on the baton. The contributions may even be collected into an e-book, especially if you express an interest by commenting here.

Regular readers will already be familiar with my inability to make a short blog post, and true to form I can’t settle on one ultimate productivity tip, since the essence of my workflow comes about from the interplay between the following:

1. Time Mapping

I’ve been planning a more detailed post on this for some weeks now, and when it arrives I’ll go into more detail about planning your life around time maps. Essentially, the process involves breaking the day into blocks of time that help maintain a good work/life balance. If you work in a cubicle, that might entail an hour for your morning routine, 30 minutes for the commute to work, 8 hours of project work surrounding a lunch break, 30 minutes to commute back home, and 6 hours of leisure time in the evening with your family and/or friends. Once you have the time blocked out at this high level you can set about filling the blocks with tasks: 2 evenings of Wing-Chun, specific project work during the day, and so on. Most people will need just 3 or 4 daily time maps, where each day starts from the work day, weekend day or vacation day layout, and can be filled in with tasks before getting started with the actual doing part.

Don’t forget to schedule a 30 minute block at the end of each day for planning the next day!

2. Uni-tasking

It’s especially poignant for a programmer where a short interruption by a phone-call might cause us to forget some of the enormous stack of context information in our heads. When the interruption is over a few minutes later, it might take half an hour just to regain the same train of thought we had already attained once before the call came in. To a greater or lesser extent the same problem afflicts us all, and the only means I know of to cope is not to deal with those interruptions until I’m ready to put the current task aside. GTD gives us context lists for that exact purpose: when I’ve got a 3 hour block devoted to programming, I let phonecalls go to voicemail and emails go unanswered until the end of the block to be dealt with when I reach a block of time for answering calls and emails, when I can work through my GTD @Phone and @Email context lists.

In a former life as a cubicle code monkey, my employer recognised this fact and had a rule that someone with a plastic gecko on their monitor could only be interrupted for life and death situations. If I needed to speak with someone urgently, but they were under the gecko, etiquette dictated that I leave a post-it note in their “In” tray for when they were able to attend to it without losing all that delicate state in their head. It worked surprisingly well, especially as it was made clear from the start that if you were considered to be abusing the gecko, it was okay to leave the post-it on your back instead of the “In” tray. It’s hard to ignore a post-it on your back if you know you’ve annoyed your colleagues by ignoring them too much. ;-)

3. Starting Small & Strong

Know what it is you need to achieve in the current block, and preferably in the next hour or two, and when the block arrives make a start at it immediately. Just a quick check of email before you get stuck in can easily derail the next hour and possibly the goal for the whole block. To maintain motivation it’s really important to have tasks broken down into bite size chunks that should take at most half a day to achieve, but preferably just an hour or two. Aiming at finishing a bigger task “by the end of the week” makes it too easy to procrastinate or goof-off chunks of time that won’t seem to impact the big task; knowing what small goal you need to reach before lunch makes it easier to stay focused.

I’d like to pass the baton to Bill, Alex and GTD Wannabe… looking forward to your own personal silver bullets :-D

With apologies to Jack Black for the mis-quote:

This is not the greatest productivity tip in the world, no. This is just a tribute.
