Webmonkey » Backend

We Should Retire Aaron’s Number

Dave Winer — Wed, 16 Jan 2013 15:15:38 +0000

Aaron Swartz. Image: Wikimedia Commons.

[Editor's Note: Coder and activist Aaron Swartz committed suicide Jan. 11, 2013 in New York. He was 26 years old. See Wired's early coverage for details.]

When a great baseball or basketball player leaves the game they retire his or her number. That means the jersey hangs from the ceiling, or there’s a plaque at the stadium, and no player on the team ever wears that number again.

Babe Ruth’s number, 3, is retired. Michael Jordan’s too (23). Jackie Robinson’s number, 42, is retired for all baseball teams.

On the web, retiring a number would mean the website is permanently registered, and the content is preserved so it lasts as long as the web does. That means the contents of aaronsw.com will be there forever. It will never become a porn site, or a landing page, or whatever.

Right now there is no way to do this. Isn’t that strange. We could fix it if we want. The internet is just software. It would be a small but worthwhile hack and could set a precedent for future memorials.

Something to think about!

This post first appeared on Scripting News. Also see the related thread on Hacker News.

Dave Winer, a former researcher at NYU and Harvard, pioneered the development of weblogs, syndication (RSS), podcasting, outlining, and web content management software. A former contributing editor at Wired magazine, Dave won the Wired Tech Renegade award in 2001.
Follow @davewiner on Twitter.

Host Your Static Website on Amazon S3, No WWW Necessary

Scott Gilbertson — Thu, 03 Jan 2013 16:24:41 +0000

Amazon’s S3 file storage service started life as just that — a simple way to store static files and pay for only the data you used. When you don’t need an always-on server, S3 fits the bill.

But if you can store static files, why not whole static websites? In 2011 Amazon began allowing you to point your own domain to an S3 “bucket”, a folder in Amazon parlance. Custom domain support made it simple to host entire static sites; the catch was that you needed to use a subdomain — for example, www.

Now the www restriction has been lifted and you can point any root domain at S3 and serve your files directly. The only catch is that Amazon has created its own non-standard DNS workaround, which means you must use Amazon’s Route 53 service to host the DNS data for your domain.

Unfortunately, while the new root domain support is great news for anyone using a static blog generator like Jekyll, Amazon’s documentation leaves much to be desired. To help you get started with S3 hosting, here’s a quick guide to setting up S3 to serve files from a root domain (rather than making the root domain redirect to www.mydomain.com, as the Amazon blog post instructions do).

First, register a domain name and point your DNS records to Amazon’s Route 53 service (the Route 53 docs have detailed instructions on how to do this). The next step is to create an S3 bucket for your domain. In other words, a bucket named mydomain.com.

Now click the Properties button, select the Website tab and make sure that the option is enabled and the Index Document is set to index.html. You’ll also need to click the Permissions tab and set a bucket policy (you can use this basic example from Amazon).

Now upload your site to that bucket and head back to Route 53. Here comes the magic. To make this work you need to create an A “Alias” DNS record. Make sure you name it the same as your domain name. Sticking with the earlier example, that would be mydomain.com. Now click the Alias Target field and select the S3 endpoint you created earlier when you set up the bucket.

And that’s it. Behind the scenes that Route 53 “Alias” record looks like a normal DNS A record. That means things like email will continue to work for your domain and at the same time Route 53 directs requests to your S3 bucket. If you want to make www redirect to the root domain you can either set that up through Route 53 (see Amazon’s instructions) or handle it through another service.

Google Drive’s New ‘Site Publishing’ Takes on Amazon, Dropbox

Scott Gilbertson — Thu, 29 Nov 2012 20:18:45 +0000

Google’s demo site, served entirely by Google Drive. Image: Screenshot/Webmonkey

Google has unveiled a new feature dubbed “site publishing” for the company’s Drive cloud hosting service. Drive’s new site publishing is somewhere between a full-featured static file hosting service like Amazon S3 and Dropbox’s public folders, which can make hosted files available on the web.

Google has set up a simple demo site served entirely from Google Drive to give you an idea of what’s possible with the site publishing feature. Essentially site publishing gives your public folders a URL on the web — anything you drop in that folder can then be referenced relative to the root URL. It’s unclear from the announcement how these new features fit with Google’s existing answer to Amazon S3, Google Cloud Storage.

The API behind site publishing works a lot like what you’ll find in Amazon’s S3 offering. If you use the Drive API’s files.insert method to upload a file to Drive, it will return a webViewLink attribute, something like https://googledrive.com/host/A1B2C3D4E5F6G7H8J. That ugly, but functional URL becomes the base URL for your content. So, if you uploaded a folder named images, with a file named kittens.jpg, you could access it on the web at https://googledrive.com/host/A1B2C3D4E5F6G7H8J/images/kittens.jpg

There’s one drawback though, Drive’s site publishing doesn’t appear to support custom domains, which means it works fine for assets like images, CSS or JavaScript, but unless you don’t mind serving your site from some funky URLs, it’s probably not the best choice for hosting an entire site.

There are already numerous static file hosting solutions on the web including Dropbox and Amazon’s S3, as well as whole publishing systems that use Dropbox and S3 to host files, but for those who would prefer a Google-based solution, now you have it.

For more details on the new API see the Google Apps Developer Blog and be sure to read through the Drive SDK docs. If you need help, Google is answering questions over on Stack Overflow.

Behind the Scenes at Instagram: Tools for Building Reliable Web Services

Scott Gilbertson — Tue, 10 Apr 2012 16:58:59 +0000

In case you missed it, yesterday Facebook acquired Instagram, a photo-sharing service with some 30 million users and hundreds of millions of images on its servers.

The reported sale price of one billion dollars no doubt has many developers dreaming of riches, but how do you build a service and scale it to the size and success of Instagram? At least part of the answer lies in choosing your tools wisely.

Fortunately for outside developers, Instagram’s devs have been documenting the tools they used all along. The company’s engineering blog outlined its development stack last year and has further detailed how it uses several of the tools it’s chosen.

Instagram uses an interesting mashup of tried-and-true technologies alongside more cutting-edge tools, mixing SQL databases with NoSQL tools like Redis, and chosing to host its traditional Ubuntu servers in Amazon’s cloud.

In a blog post last year Instagram outlined its core principles when it comes to chosing tools, writing, “keep it very simple, don’t reinvent the wheel [and] go with proven and solid technologies when you can.”

In other words, go with the boring stuff that just works.

For Instagram that means a Django-based stack that runs on Ubuntu 11.04 servers and uses PostgreSQL for storage. There are several additional layers for load balancing, push notifications, queues and other tasks, but overwhelmingly Instagram’s stack consists of stolid, proven tools.

Among the newer stuff is Instagram’s use of Redis to store hundreds of millions of key-value pairs for fast feeds, and Gunicorn instead of Apache as a web server.

All in all it’s a very impressive setup that has, thus far, helped Instagram avoid the down time that has plague many similar services hit with the same kind of exponential growth. (Twitter, I’m looking at you.) For more details on how Instagram looks behind the scenes and which tools the company uses, be sure to check out the blog post as well as the archives.

Microsoft Unveils New Plan to Speed Up the Web

Scott Gilbertson — Tue, 27 Mar 2012 15:58:58 +0000

Photo: Lindsey Turner/Flickr

Microsoft wants in on the drive to speed up the web. The company plans to submit its proposal for a faster internet protocol to the standards body charged with creating HTTP 2.0.

Not coincidentally, that standards body, the Internet Engineering Task Force (IETF), is meeting this week to discuss the future of the venerable Hypertext Transfer Protocol, better known as HTTP. On the agenda is creating HTTP 2.0, a faster, modern approach to internet communication.

One candidate for HTTP 2.0 is Google’s SPDY protocol. Pronounced “speedy,” Google’s proposal would replace the HTTP protocol — the language currently used when your browser talks to a web server. When you request a webpage or a file from a server, chances are your browser sends that request using HTTP. The server answers using HTTP, too. This is why “http” appears at the beginning of most web addresses.

The SPDY protocol handles all the same tasks as HTTP, but SPDY can do it all about 50 percent faster. Chrome and Firefox both support SPDY and several large sites, including Google and Twitter, are already serving pages over SPDY where possible.

Part of the IETF’s agenda this week is to discuss the SPDY proposal, and the possibility of turning it into a standard.

But now Microsoft is submitting another proposal for the IETF to consider.

Microsoft’s new HTTP Speed+Mobility lacks a catchy name, but otherwise appears to cover much of the same territory SPDY has staked out. Though details on exactly what HTTP Speed+Mobility entails are thin, judging by the blog post announcing it, HTTP Speed+Mobility builds on SPDY but also includes improvements drawn from work on the HTML5 WebSockets API. The emphasis is on not just the web and web browsers, but mobile apps.

“We think that apps — not just browsers — should get faster,” writes Microsoft’s Jean Paoli, General Manager of Interoperability Strategy.

To do that, Microsoft’s HTTP Speed+Mobility “starts from both the Google SPDY protocol and the work the industry has done around WebSockets.” What’s unclear from the initial post is exactly where HTTP Speed+Mobility goes from that hybrid starting point.

But clearly Microsoft isn’t opposed to SPDY. “SPDY has done a great job raising awareness of web performance and taking a ‘clean slate’ approach to improving HTTP,” writes Paoli. “The main departures from SPDY are to address the needs of mobile devices and applications.”

SPDY co-inventor Mike Belshe writes on Google+ that he welcomes Microsoft’s efforts and looks forward to “real-world performance metrics and open source implementations so that we can all evaluate them.”

Belshe also notes that Microsoft’s implication that SPDY is not optimized for mobile “is not true.” Belshe says that the available evidence suggests that developers are generally happy using SPDY in mobile apps, “but it could always be better, of course.”

The process of creating a faster HTTP replacement will not mean simply picking any one vendor’s protocol and standardizing it. Hopefully the IETF will take the best ideas from all sides and combine them into a single protocol that can speed up the web. The exact details — and any potential speed gains — from Microsoft’s HTTP Speed+Mobility contribution remain to be seen, but the more input the IETF gets the better HTTP 2.0 will likely be.

Twitter Catches the ‘SPDY’ Train

Scott Gilbertson — Fri, 09 Mar 2012 15:49:07 +0000

Photo: dark_ghetto28/Flickr

Twitter has embraced Google’s vision of a faster web and is now serving webpages over the SPDY protocol to browsers that support it.

SPDY, pronounced “speedy,” is a replacement for the HTTP protocol — the language currently used when your browser talks to a web server. When you request a webpage or a file from a server, chances are your browser sends that request using HTTP. The server answers using HTTP, too. This is why “http” appears at the beginning of most web addresses.

The SPDY protocol handles all the same tasks as HTTP, but SPDY can do it all about 50 percent faster.

SPDY started life as a proprietary protocol at Google and worked only in the company’s Chrome web browser. SPDY has since won support elsewhere. Firefox will have SPDY support when version 11 hits prime time in the near future [Update: As Mozilla's Chris Blizzard points out, SPDY is disabled by default in Firefox 11. If you're using the beta and want to give it a try, you'll need to visit about:config, search for network.http.spdy.enabled and set the value to true. If all goes well SPDY will be turned on by default in Firefox 13.]. Amazon also baked SPDY support into its Silk browser for the Kindle.

The IETF’s HTTPbis Working Group — the standards body charged with creating and maintaining the HTTP specification — is now considering adding SPDY to HTTP 2.0, which will improve the speed of HTTP connections.

Despite the web standards backing, SPDY still has a long way to go before it’s an everyday part of the web. With only Chrome and Firefox behind it, SPDY is still only available for about 40 percent of desktop users. But with large services like Twitter throwing their weight behind it, SPDY may well start to take the web by storm — the more websites that embrace SPDY the more likely it is that other browsers will add support for the faster protocol.

If you’d like to follow Twitter’s lead and get your own site serving over SPDY, check out mod_spdy, a SPDY module for the Apache server (currently a beta release).

OpenDNS and Google Working with CDNs on DNS Speedup

Ryan Paul - Ars Technica — Wed, 31 Aug 2011 14:05:19 +0000

A group of DNS providers and content delivery network (CDN) companies have devised a new extension to the DNS protocol that that aims to more effectively direct users to the closest CDN endpoint. Google, OpenDNS, BitGravity, EdgeCast, and CDNetworks are among the companies participating in the initiative, which they are calling the Global Internet Speedup.

The new DNS protocol extension, which is documented in an IETF draft, specifies a means for including part of the user’s IP address in DNS requests so that the nameserver can more accurately pinpoint the destination that is topologically closest to the user. Ensuring that traffic is directed to CDN endpoints that are close to the user could potentially reduce latency and congestion for high-impact network services like video streaming.

The new protocol extension has already been implemented by OpenDNS and Google’s Public DNS. It works with the CDN services that have signed on to participate in the effort. Google and OpenDNS hope to make the protocol extension an official IETF standard. Other potential adopters—such as Internet ISPs—are free to implement it from the draft specification.

It’s not really clear in practice how much impact this will have on network performance. It’s worth noting that GeoIP lookup technology is already used by some authoritative DNS servers for location-aware routing. The new protocol extension will reportedly address some of the limitations of previous approaches.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Google’s New Cloud Storage Service Takes on Amazon S3

Scott Gilbertson — Thu, 20 May 2010 14:48:39 +0000

Google plans to go head to head with Amazon’s popular S3 cloud storage service with the new Google Storage for Developers. Like S3, Google’s new service offers developers a cheap, scalable way to store data online.

While it isn’t exactly the fabled “GDrive,” Google Storage for Developers certainly lays the groundwork for Google to create a user-friendly online storage service.

Google Storage for Developers offers a RESTful API, backups across multiple data centers and even has support for storing large files up to hundreds of gigabytes in size.

Google Storage for Developers is currently an experimental Google Labs project. For now the service is available by invitation only and limited to U.S. developers. You can head over to the sign up page to request an invite which will give you access to 100GB of data storage and 300GB per month of data-transfer bandwidth.

After your application hits those limits a pay-as-you-go scheme kicks in. The pricing is roughly analogous to Amazon’s S3 service. Google’s version will run you 17 cents per GB per month for simple storage, 10 cents per GB for uploading data and 15 to 30 cents per GB for downloads. There’s also a fee for the number of requests — $.01 per 1000 PUT, POST or LIST requests and $0.01 per 10,000 requests using GET or HEAD.

Unfortunately that’s just different enough from Amazon’s pricing structure (which decreases the per GB price as your usage goes up) that it’s hard to say which is cheaper. At first glance Amazon’s S3 service looks marginally cheaper for storage, but in the end the total cost — and which is cheaper — will vary depending on the nature of your web app and how you use either storage service.

Hopefully, now that there’s some competition in the cloud storage space, both services will eventually become even cheaper.

Google does offer some extra tools that Amazon doesn’t have — the BigQuery API and the Prediction API.

According the Google Code announcement, BigQuery is designed to explore the history of your data, and the more interesting Prediction API gives you access to Google’s machine learning algorithms which are designed to “make your apps more intelligent.”

The Prediction API can help make real-time decisions “such as recommending products, assessing user sentiment from blogs and tweets, routing messages or assessing suspicious activities,” says the Google Code blog.

For now there is no charge for using the extra APIs, though noting that in the announcement seems to indicate that, when Google Storage for Developers moves out of Labs, there will be an additional charge.

Because Google Storage for Developers is a beta Labs project, you won’t want to switch from Amazon’s services just yet, but if you’d like to take Google Storage for Developers for spin, head over to the sign up page and request an invite.

See Also:

Learn Enough Unix for Your Resume

Pam Statz — Tue, 16 Feb 2010 00:45:47 +0000

On the resume that convinced Wired to hire me, I said that I knew enough about Unix that it didn’t scare me anymore. This wasn’t exactly true. Unix was still a chilling concept for me when I arrived at the San Francisco office armed with a copy of Unix for Dummies. The managing editor steered me to my desk and instead of the Macintosh I was hoping for, there sat a purple SGI machine.

I realized then that I needed to learn a lot about Unix fast. Initially I tried using SGI’s graphical user interface, which mimicked the Macintosh desktop fairly well, but soon realized that it was just too damn slow. So I stole some better Unix books from the engineering staff and found a nice Unix expert to help me. Soon I was cp-ing, mv-ing, and chmod-ing like lightning. Unix still gives me the occasional nightmare, but basically I love it. It’s fast, it makes sense (most of the time), and anyone can figure it out with a little work. Plus, it looks great on a résumé. If you can convince a prospective employer that you have a working knowledge of Unix, you’re one step ahead of everyone else who is too scared even to try figuring it out.

I’ve put together a very basic explanation of Unix to get you started. But first, a warning. Unix is very powerful. The wrong collection of keystrokes can blow away files that you’ll probably never be able to recover, so practice on sample files before you move on to anything important.

Getting started
Telnet
Basic Commands
Permissions
1. What the Heck is rwx?
Text Editors
1. VI
2. Emacs
3. PICO

Getting started

Before you can do anything, you need an account. Find someone at your school or workplace whose title is webmaster, server administrator, systems administrator, or Unix god. Be very nice to this person. Bring gifts and libations, and then ask them to set up an account and user directory for you. Promise that you won’t bug them very often with questions, even though this may indeed turn out to be a white lie.

Keep in mind that Unix installations vary widely. If something doesn’t work for you here, it may be that a program wasn’t installed or your account was misconfigured. There’s also a strong possibility that you’re using one of several different kinds of Unix, which means your commands may vary slightly from what you learn here. If you run into trouble, go ask the person who set up your account to help you — but don’t forget to bring a gift.

Once you’ve got your account, go to the bookstore and purchase a few Unix books. My favorite is O’Reilly & Associates’ UNIX in a Nutshell. It’s a fabulous dictionary of commands.

Telnet

To access your account, you’ll need a shell (a program that sends whatever you type to the host computer). The easiest way to go about this is to open a Telnet window. (If you’re sitting at the host computer, you’ll already have a shell.) Accessing files with Telnet is essentially the same as opening the Finder on your Mac or opening the Windows Explorer on a Microsoft machine — except that when you get into the file structure, you won’t find all those sissy color-coded directories.

So open Telnet, and choose Open Connection from the File menu. Fill in the Host/Session Name slot with your host’s address and hit Connect. You’ll be asked to enter the username and password that your nice sysadmin assigned you when your account was set up. You should also have a user directory, which is the first place you’ll end up when you Telnet to your Host. When you log on, you should get something that looks like this:

 IRIX (sutro)



 login:pam



 Password:



 IRIX Release 5.3 IP20 sutro



 Copyright 1987-1994 Silicon Graphics, Inc. All Rights Reserved.



 Last login:Fri Dec 13 14:04:59 PST 1996 by UNKNOWN@hill.hotwired.com



 You have mail.



 sutro[~]%

Although you probably won’t see it when you log on, the actual location of your user directory is

 sutro.hotwired.com[~]%pwd



 /usr/people/pam

Basic Commands

I’ve put together a few commands to get you started. Most of these commands have several options that make them even more powerful, but I won’t go into those here. You can find them in the Unix Online Manual, which I’ll explain in a minute (or you can use that book you went out and bought).

ls – list files in a directory syntax:ls [options] [names]

You should get something that looks like this:

 sutro.hotwired.com[~]% ls

 airwolf.au          goo.html    unixclass

 apanel.parameters   graphics

In this example I have two files ( airwolf.au and goo.html) and three directories (unixclass, apanel.parameters, and graphics) in my user directory.

cd – change directory syntax:cd [dir]

Here’s an example of it what the result might be:sutro.hotwired.com[~]% cd unixclass

 sutro.hotwired.com[~/unixclass]% ls

 one       one.html  two       two.html

 sutro.hotwired.com[~/unixclass]%

In this case, I’ve changed from my user directory to the unixclass directory, which holds one directory and two files (if you want to move back one directory use % cd ../).

mv – moves or renames a file or directory syntax:mv [options] sources target

Here’s what it might look like:

 sutro.hotwired.com[~/unixclass]% mv one/ two/

 sutro.hotwired.com[~/unixclass]% ls

 one.html  two       two.html

 sutro.hotwired.com[~/unixclass]% ls two/

 one

 sutro.hotwired.com[~/unixclass]%

I moved the directory one into directory two.

If you use mv to rename a file, it will look something like this:

 sutro.hotwired.com[~/unixclass]% mv two/ somethingdifferent

 sutro.hotwired.com[~/unixclass]% ls

 one.html            somethingdifferent  two.html

In this example, I’ve renamed the directory two. Now it is called somethingdifferent.

rm – removes a file syntax:rm [options] [files]

Here’s an example of removing a file:

 sutro.hotwired.com[~/unixclass]% rm one.html

 sutro.hotwired.com[~/unixclass]% ls

 somethingdifferent  two.html

I removed the file one.html from the directory unixclass.

rm -ir – removes a directory

Here’s what happens when you remove a directory:

 sutro.hotwired.com[~/unixclass]% rm -ir somethingdifferent/

 Directory somethingdifferent/. Remove ? (yes/no)[no] :yes

 Directory somethingdifferent//one. Remove ? (yes/no)[no] :yes

 sutro.hotwired.com[~/unixclass]% ls

 two.html

In this example, I’ve used rm -ir to remove the directory somethingdifferent. Before the directory is removed, I must confirm that I really want it gone. Once I do, somethingdifferent no longer exists. Be very careful with rm, because once files or directories are gone, they’re probably gone forever.

mkdir – creates new directory syntax:mkdir [options] directories

Here’s how you do it:

 sutro.hotwired.com[~/unixclass]% mkdir waga

 sutro.hotwired.com[~/unixclass]% ls

 two.html  waga

I used mkdir to create the directory waga.

more – more a file when you just want to read it (not edit it)

less – less really is more. It does the same thing as more, but it allows you to search through a file (among other things).

exit – allows you to log out of your host

date – prints the current date and time

cal 1997 – prints the 1997 calendar

whoami – prints who is currently logged on to your terminal

mail – brings up a simple mail editor

pwd – tells you where you are; it prints the full pathname of the current directory

Unix online manualIf you want more details about a particular command, you can check out the Unix main page, which is basically just a manual for Unix. For example, if you want to find out more about ls, type

 sutro.hotwired.com[~/unixclass]% man ls

And you’ll get:ls(1)

NAME

      ls - list contents of directory



SYNOPSIS



      ls [-RadLCxmlnogrtucpFbqisf1AM] [names]



DESCRIPTION



      For each directory argument, ls lists the contents of the directory; for

      each file argument, ls repeats its name and any other information

      requested. The output is sorted alphabetically by default.

To quit man, type q.

Permissions

As you travel around your host computer, you’re going to find there are lots of things you can’t do. You won’t have the freedom to move and edit files as you did in your user directory.

Remember ls from our basic commands? One of this command’s options (ls -l) gives you loads of information about files and directories.

Here’s an example:

sutro.hotwired.com[~/unixclass]% ls -l



total 20



drwxrwxr-x    2 pam      staff        512 Dec  5 09:34 one



-rw-rw-r--    1 pam      staff       4233 Dec  5 09:35 one.html



drwxrwxr-x    2 pam      staff        512 Dec  5 09:34 two



-rw-r--r--    1 pam      staff       4233 Dec  5 09:36 two.html

Here we have the contents of the directory unixclass, which contains two directories (one and two) and two files (one.html and two.html). The first column of letters determines who can read, write, or execute your files and directories. (I know it just looks like a bunch of letters, but give me a second and I’ll explain.)

The second list (pam, pam, pam, pam) tells who owns the file. In this case, it’s me.

The next column tells which group I was part of when I made these files. To find out what groups you belong to, type groups and your name, like this:

 sutro.hotwired.com[~/unixclass]% groups pam

 infomgr staff prod edit

The fourth column shows the size of the files.

The fifth is the date and time the file was last modified; the sixth is the name of the file.

What the Heck is rwx?

As I mentioned before, these letters determine who can read, write, or execute your files. They break down like this:

For files:

r = read – you can read the file (more or less it)

w = write – you can write to the file (edit it with vi, Emacs, or Pico)

x = execute – you can execute the file (run a Perl program)

For directories:

r = read – you can read the directory

w = write – you can create, move, rename, or remove files or directories

x = execute – you can search the directory

Take a look at this ls -l example:

 drwxrwxr-x    2 pam      staff        512 Dec  5 09:34 one/

 -rw-rw-r--    1 pam      staff       4233 Dec  5 09:35 one.html

For every folder and file there are four sets of rwx. In the example above, they are easy to spot because they’re set apart by hyphens. The first set shows your permissions, the second is for a group, the third is for anything else (other), and the fourth is for everyone (all).

Now, to make things a little more complicated, each one is referred to by a single letter:

you = u

group = g

other = o

all = a

To add permissions on a file or directory, you use +, and to remove them, you use -. Let’s try it out. We’ll remove group write privileges for this file:

 -rw-rw-r--    1 pam      staff       4233 Dec  5 09:35 one.html

To do this, we must also use the chmod command to change the access mode of the file.

 sutro.hotwired.com[~/unixclass]% chmod g-w one.html

 sutro.hotwired.com[~/unixclass]% ls -l

 total 19

 -rw-r--r--    1 pam      staff       4233 Dec  5 10:59 one.html

To make a program executable for everyone, we’d do this:

 sutro.hotwired.com[~/unixclass]%ls -l svensprogram.pl

 -rw-rw-r--    1 pam      staff          0 Dec  5 11:02 svensprogram.pl

 sutro.hotwired.com[~/unixclass]% chmod a+x svensprogram.pl

 sutro.hotwired.com[~/unixclass]% ls -l

 total 19

 -rwxrwxr-x    1 pam      staff          0 Dec  5 11:02 svensprogram.pl

To change who actually owns a file, use the chown command:

 sutro.hotwired.com[~/unixclass]% ls -l svensprogram.pl

 -rwxrwxr-x    1 pam      staff          0 Dec  5 11:02 svensprogram.p

 sutro.hotwired.com[~/unixclass]% chown sven svensprogram.pl

 sutro.hotwired.com[~/unixclass]% ls -l

 total 19

 -rwxrwxr-x    1 sven     staff          0 Dec  5 11:02 svensprogram.pl

To change which group can access the file, use the chgrp command:

 sutro.hotwired.com[~/unixclass]% ls -l svensprogram.pl

 -rwxrwxr-x    1 sven     staff          0 Dec  5 11:02 svensprogram.pl

 sutro.hotwired.com[~/unixclass]% chgrp infomgr svensprogram.pl

 svensprogram.pl - Not privileged

D’oh! Not privileged. Until you become a powerful Unix god, you will see this message many times. But keep at it, and deityhood may be closer than you think.

Text Editors

VI

The most commonly available text editor is [[Tutorial:Vi Tutorial for Beginners|vi] (pronounced vee-eye), which I especially recommend for Mac users. You really only need to know a few commands to get started.

To start vi, simply type vi at the command prompt:

 sutro.hotwired.com[~/unixclass]% vi myfile.html

and you’ll be instantly thrown into this crazy-looking environment with a ~ on every line. Don’t be afraid. The annoying thing about vi is that you have to tell it when you’re adding and deleting text. You can’t simply type and delete, you have to use the following commands:

To add text – hit the esc key and the letter i (for insert)
To delete text – hit the esc key and the letter x (for delete)
To delete an entire line – hit the esc key and the letters dd
To save your file – hit the esc key and type :w and then hit return
To save and exit vi – hit the esc key and type :wq and hit return

Emacs

Emacs is the favorite editor of many, but Macintosh users may tell you not to bother because they find it really irritating. PC users will probably offer a different opinion.

PICO

If you’re a beginner, pico is probably your best bet. Simply type in

 sutro.hotwired.com[~/unixclass]%pico myfile.html

and you’ll be thrown into the editor. All the commands are listed on the top and bottom of the screen. Be sure to save frequently.

Set Up a Linux Firewall on Your Network

Webmonkey Staff — Tue, 16 Feb 2010 01:45:47 +0000

Go outside and pop the hood of your car. You should see a thick metal barrier at the back of the engine compartment. This is called the firewall. To see how it works, poke a small hole in the fuel line so that a tiny amount of gasoline starts dripping on the engine block. Now close the hood, start the car, and head out on the highway (Some of you may choose to save life and limb (and time!) by merely visualizing this exercise).

If you have positioned the puncture correctly, within a few minutes the escaped gasoline should ignite and cause a small engine fire. At this point you may see smoke emerge from the engine compartment. Continue driving. You should be able to proceed a considerable distance before the heat becomes uncomfortable and toxic fumes and flames start to enter the passenger compartment.

The reason you can drive so far with a flaming engine is because the firewall is a highly effective barrier between the engine compartment and the passenger compartment. If your car had no firewall, the engine fire would have already melted the dashboard electronics and plastic, destroyed the upholstery, and toasted you to a crisp.

Now. Pull over and very carefully extinguish the fire.

A similar principle can be applied to networked computers. Picture your machine as the cozy, tricked-out interior of your automobile, and the outside world as the dirty but powerful engine that makes it go. It won’t do to have the vulnerable components of your network exposed to the engine’s maliciously raging heat — it’s best to install a firewall.

Let us abandon our weakening metaphor here before it carries us into a ping-pong tournament without a paddle. A firewall, in the networking sense, is a machine that straddles the interface between a private network and the Internet at large, and follows predetermined rules for allowing certain traffic to pass, while blocking traffic that’s unwanted.

So, how to get yourself one of those disaster-averting firewalls? You can start by reading on.

A Firewall for the Home
1. Sharing and Masquerading
Tables and Chains
Set up a Firewall with iptables
Set up PMFirewall with ipchains

A Firewall for the Home

There are a hundred ways to build a firewall, from turnkey machines (am I the only one who always misreads that word as “turkey”?) that you can just plug in and ignore to a vast variety of software packages.

The elves who bring us Linux, though, have seen fit to incorporate into the Linux kernel the capacity to filter incoming and outgoing packets. They’ve also incorporated tools into Linux distributions to manage these packet-filtering capabilities, making it easy to turn a basic Linux box into a firewall. And all for free! Since we’re now saving up for a new car, we’ll go the thrifty route and set up our system using inexpensive hardware and gratis software.

For purposes of illustration, let’s imagine that you have a small home network. You have just one broadband line running into the house, and you want to share it amongst all the computers:your big desktop system, your laptop, the entertainment system in the livingroom, your live-in boyfriend’s laptop, and the iMac that the boyfriend’s mother, who lives in the basement, uses to surf eBay all day. (Just a temporary arrangement, the boyfriend assures you, until she gets back on her feet and finds a reasonably priced mobile home. Fine, you say, but you both know he owes you big.) Obviously, this is a small-scale example, but the principles can be applied to anything from a single machine to a gigantic network.

Or perhaps you want to run a web server and want it to be a bit less crackable. Whatever your setup, you need a firewall.

Sharing and Masquerading

First, if you want to share one connection among several machines, you can use a gateway masquerading machine for your firewall. As long as traffic is relatively low, it doesn’t have to be particularly powerful.

So exhume that old Pentium 150 from the closet, evict the dust bunnies, stick in US$20 worth of RAM to bring it up to 128 MB, and install a nice new copy of Linux. You will also need two network interface cards — one to talk to the outside world via the broadband line, and one to talk to the rest of the machines in the house. You split your connection amongst the machines in your house with an Ethernet hub, either the shmancy wireless laptop-on-the-roof kind or the traditional kind that you can trip over.

An IP masquerading setup means that, as far as the internet at large is concerned, there’s only one computer here in your house. It has one IP address. When packets come from the outside world, they are sent to that IP address. Our firewall and masquerading box figures out which of the computers inside the house (each of which has its own internal IP address known only to its LAN-mates) should get that packet.

Now you want to configure your firewall. There are a few major versions of the Linux kernel that are in widespread use — version 2.2, which is older but more tried-and-true, and versions 2.4 and 2.6, which are newer, with more and better features. Typically a Linux distribution that you acquire today will use 2.6, but some distros use older kernel versionss. Somewhat inconveniently for us, the firewalling code has changed significantly between these versions.

The Linux Firewall How-To and the Firewall FAQ are indispensable as well.

The first step, though, is to make sure your Linux box is reasonably secure in and of itself. The Linux Security HOWTO is an excellent guide. Basically you want to download any security updates that may exist for the version of Linux that you’re running, turn off any services you’re not using (which should mean most services), and generally lock everything down. A firewall that gets broken into is no good at all.

Tables and Chains

The 2.2 Linux kernel packet-filtering tool is called “ipchains.” The updated version that ships with version 2.4 and 2.6 is known as “iptables.” (There is an older version still, called “ipfwadm,” that works with the 2.0 kernel, but one can’t live in the past.) All of these tools operate on a very simple principle — apply sets of rules to control which sorts of traffic are allowed in and out, and which are not.

Each workstation in the house knows that the firewall machine is its gateway. When workstation number one sends a packet to the firewall machine, the latter assigns the packet to a particular port number (so as to keep track of where it came from), replaces the IP number in the originating header with its own real-world IP address, and sends the packet out. When it receives a reply to the packet from the outside world, the reply will come to the same TCP/IP port. The firewall machine knows that traffic on that port goes to workstation number one, so it replaces the port number and IP address with their original values and passes the packet on to the workstation. This process is completely transparent to both parties.

There are a number of tools that configure ipchains and iptables for you automatically. These easy-to-use tools include PMFirewall and Mason. PMFirewall involves making choices about the configuration you desire. Mason has a “learning mode” that simply looks at how you use your network and sets up firewalling rules automatically to accommodate you. Download and install one of these tools, and configuring your firewall is approximately as easy as pie.

Set up a Firewall with iptables

This section needs expanding. Please log in and edit it.

Set up PMFirewall with ipchains

Just for fun, let’s go over how to set up a firewall with PMFirewall. The installation of Mason is similar, but Mason takes care of detecting your network setup automatically. First, you have to make sure that you have ipchains installed. It should come with your Linux distribution. If you can’t find it on your system (and you’re running the 2.2 kernel), check the CDs or DVDs you installed from. If it’s not there either, it can be downloaded from here. You’ll also want to make sure your kernel is configured to work with ipchains. Chances are that it is … if you get a message that it’s not, the ipchains HOWTO will tell you how to check, and how to fix your configuration if you have to.

Download the zipped PMFirewall from the creator’s site and save it wherever you like to save such things on your system. Unpack the file by typing

tar -xzvf ./pmfirewall-x.x.x.tar.gz

where x.x.x is the version number. Then cd to the pmfirewall directory thus created, and, as the root user, type

sh install.sh

The installation process will prompt you for answers to some preliminary questions – where do you want config files installed, where does your copy of ipchains live, how are you connected to the Internet – for which the default answers should typically suffice. Then it will ask about how you want the firewall set up. Are there machines that you want to give unquestioned access to? Are there machines that you want to prohibit unilaterally? You will be asked to enter their IP addresses.

You also have to tell PMFirewall whether you have a static IP address or whether you’re given a new one every time you log on, via DHCP. Then it asks what services you are running on the firewall machine:FTP? SSH? Telnet? SMTP? DNS? POP? a Web server? IMAP? and so forth. And are there any other ports that you want left open?

Finally, you are asked to configure masquerading, supply information about your internal network, and specify startup behavior. Voila! PMFirewall has configured your firewall automatically. You can proceed to tweak the settings manually if you want or need to.

When your firewall is set up, you can test it by going to the Self Port Scan, which will check your machine for open ports. Try accessing the page from your firewall machine with the firewall turned off and then with it turned on. The difference should be striking … like, say, the difference between slightly elevated temperatures and third-degree burns all over your body.