-<p>The last few days I have spent at work here at the <a
-href="http://www.uio.no/">University of oslo</a> testing if the new
-batch of computers will work with Linux. Every year for the last few
-years the university have organized shared bid of a few thousand
-computers, and this year HP won the bid. Two different desktops and
-five different laptops are on the list this year. We in the UNIX
-group want to know which one of these computers work well with RHEL
-and Ubuntu, the two Linux distributions we currently handle at the
-university.</p>
-
-<p>My test method is simple, and I share it here to get feedback and
-perhaps inspire others to test hardware as well. To test, I PXE
-install the OS version of choice, and log in as my normal user and run
-a few applications and plug in selected pieces of hardware. When
-something fail, I make a note about this in the test matrix and move
-on. If I have some spare time I try to report the bug to the OS
-vendor, but as I only have the machines for a short time, I rarely
-have the time to do this for all the problems I find.</p>
-
-<p>Anyway, to get to the point of this post. Here is the simple tests
-I perform on a new model.</p>
-
-<ul>
-
-<li>Is PXE installation working? I'm testing with RHEL6, Ubuntu Lucid
-and Ubuntu Maverik at the moment. If I feel like it, I also test with
-RHEL5 and Debian Edu/Squeeze.</li>
-
-<li>Is X.org working? If the graphical login screen show up after
-installation, X.org is working.</li>
-
-<li>Is hardware accelerated OpenGL working? Running glxgears (in
-package mesa-utils on Ubuntu) and writing down the frames per second
-reported by the program.</li>
-
-<li>Is sound working? With Gnome and KDE, a sound is played when
-logging in, and if I can hear this the test is successful. If there
-are several audio exits on the machine, I try them all and check if
-the Gnome/KDE audio mixer can control where to send the sound. I
-normally test this by playing
-<a href="http://www.nuug.no/aktiviteter/20101012-chef/ ">a HTML5
-video</a> in Firefox/Iceweasel.</li>
-
-<li>Is the USB subsystem working? I test this by plugging in a USB
-memory stick and see if Gnome/KDE notices this.</li>
-
-<li>Is the CD/DVD player working? I test this by inserting any CD/DVD
-I have lying around, and see if Gnome/KDE notices this.</li>
-
-<li>Is any built in camera working? Test using cheese, and see if a
-picture from the v4l device show up.</li>
-
-<li>Is bluetooth working? Use the Gnome/KDE browsing tool to see if
-any bluetooth devices are discovered. In my office, I normally see a
-few.</li>
-
-<li>For laptops, is the SD or Compaq Flash reader working. I have
-memory modules lying around, and stick them in and see if Gnome/KDE
-notice this.</li>
-
-<li>For laptops, is suspecd/hibernate working? I'm testing if the
-special button work, and if the laptop continue to work after
-resume.</li>
-
-<li>For laptops, is the extra buttons working, like audio level,
-adjusting background light, switching on/off external video output,
-switching on/off wifi, bluetooth, etc? The set of buttons differ from
-laptop to laptop, so I just write down which are working and which are
-not.</li>
-
-<li>Some laptops have smart card readers, finger print readers,
-acceleration sensors etc. I rarely test these, as I do not know how
-to quickly test if they are working or not, so I only document their
-existence.</li>
-
-</ul>
-
-<p>By now I suspect you are really curious what the test results are
-for the HP machines I am testing. I'm not done yet, so I will report
-the test results later. For now I can report that HP 8100 Elite work
-fine, and hibernation fail with HP EliteBook 8440p on Ubuntu Lucid,
-and audio fail on RHEL6. Ubuntu Maverik worked with 8440p. As you
-can see, I have most machines left to test. One interesting
-observation is that Ubuntu Lucid has almost twice the framerate than
-RHEL6 with glxgears. No idea why.</p>
-</div>
- <div class="tags">
-
-
-
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>.
-
- </div>
- </div>
- <div class="padding"></div>
-
- <div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Some_thoughts_on_BitCoins.html">Some thoughts on BitCoins</a></div>
- <div class="date">2010-12-11 15:10</div>
- <div class="body">
-<p>As I continue to explore
-<a href="http://www.bitcoin.org/">BitCoin</a>, I've starting to wonder
-what properties the system have, and how it will be affected by laws
-and regulations here in Norway. Here are some random notes.</p>
-
-<p>One interesting thing to note is that since the transactions are
-verified using a peer to peer network, all details about a transaction
-is known to everyone. This means that if a BitCoin address has been
-published like I did with mine in my initial post about BitCoin, it is
-possible for everyone to see how many BitCoins have been transfered to
-that address. There is even a web service to look at the details for
-all transactions. There I can see that my address
-<a href="http://blockexplorer.com/address/15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a>
-have received 16.06 Bitcoin, the
-<a href="http://blockexplorer.com/address/1LfdGnGuWkpSJgbQySxxCWhv8MHqvwst3">1LfdGnGuWkpSJgbQySxxCWhv8MHqvwst3</a>
-address of Simon Phipps have received 181.97 BitCoin and the address
-<a href="http://blockexplorer.com/address/1MCwBbhNGp5hRm5rC1Aims2YFRe2SXPYKt">1MCwBbhNGp5hRm5rC1Aims2YFRe2SXPYKt</A>
-of EFF have received 2447.38 BitCoins so far. Thank you to each and
-every one of you that donated bitcoins to support my activity. The
-fact that anyone can see how much money was transfered to a given
-address make it more obvious why the BitCoin community recommend to
-generate and hand out a new address for each transaction. I'm told
-there is no way to track which addresses belong to a given person or
-organisation without the person or organisation revealing it
-themselves, as Simon, EFF and I have done.</p>
-
-<p>In Norway, and in most other countries, there are laws and
-regulations limiting how much money one can transfer across the border
-without declaring it. There are money laundering, tax and accounting
-laws and regulations I would expect to apply to the use of BitCoin.
-If the Skolelinux foundation
-(<a href="http://linuxiskolen.no/slxdebianlabs/donations.html">SLX
-Debian Labs</a>) were to accept donations in BitCoin in addition to
-normal bank transfers like EFF is doing, how should this be accounted?
-Given that it is impossible to know if money can across the border or
-not, should everything or nothing be declared? What exchange rate
-should be used when calculating taxes? Would receivers have to pay
-income tax if the foundation were to pay Skolelinux contributors in
-BitCoin? I have no idea, but it would be interesting to know.</p>
-
-<p>For a currency to be useful and successful, it must be trusted and
-accepted by a lot of users. It must be possible to get easy access to
-the currency (as a wage or using currency exchanges), and it must be
-easy to spend it. At the moment BitCoin seem fairly easy to get
-access to, but there are very few places to spend it. I am not really
-a regular user of any of the vendor types currently accepting BitCoin,
-so I wonder when my kind of shop would start accepting BitCoins. I
-would like to buy electronics, travels and subway tickets, not herbs
-and books. :) The currency is young, and this will improve over time
-if it become popular, but I suspect regular banks will start to lobby
-to get BitCoin declared illegal if it become popular. I'm sure they
-will claim it is helping fund terrorism and money laundering (which
-probably would be true, as is any currency in existence), but I
-believe the problems should be solved elsewhere and not by blaming
-currencies.</p>
-
-<p>The process of creating new BitCoins is called mining, and it is
-CPU intensive process that depend on a bit of luck as well (as one is
-competing against all the other miners currently spending CPU cycles
-to see which one get the next lump of cash). The "winner" get 50
-BitCoin when this happen. Yesterday I came across the obvious way to
-join forces to increase ones changes of getting at least some coins,
-by coordinating the work on mining BitCoins across several machines
-and people, and sharing the result if one is lucky and get the 50
-BitCoins. Check out
-<a href="http://www.bluishcoder.co.nz/bitcoin-pool/">BitCoin Pool</a>
-if this sounds interesting. I have not had time to try to set up a
-machine to participate there yet, but have seen that running on ones
-own for a few days have not yield any BitCoins througth mining
-yet.</p>
-
-<p>Update 2010-12-15: Found an <a
-href="http://inertia.posterous.com/reply-to-the-underground-economist-why-bitcoi">interesting
-criticism</a> of bitcoin. Not quite sure how valid it is, but thought
-it was interesting to read. The arguments presented seem to be
-equally valid for gold, which was used as a currency for many years.</p>
+<p>The last few days I have looked at ways to track open security
+issues here at my work with the University of Oslo. My idea is that
+it should be possible to use the information about security issues
+available on the Internet, and check our locally
+maintained/distributed software against this information. It should
+allow us to verify that no known security issues are forgotten. The
+CVE database listing vulnerabilities seem like a great central point,
+and by using the package lists from Debian mapped to CVEs provided by
+the testing security team, I believed it should be possible to figure
+out which security holes were present in our free software
+collection.</p>
+
+<p>After reading up on the topic, it became obvious that the first
+building block is to be able to name software packages in a unique and
+consistent way across data sources. I considered several ways to do
+this, for example coming up with my own naming scheme like using URLs
+to project home pages or URLs to the Freshmeat entries, or using some
+existing naming scheme. And it seem like I am not the first one to
+come across this problem, as MITRE already proposed and implemented a
+solution. Enter the <a href="http://cpe.mitre.org/index.html">Common
+Platform Enumeration</a> dictionary, a vocabulary for referring to
+software, hardware and other platform components. The CPE ids are
+mapped to CVEs in the <a href="http://web.nvd.nist.gov/">National
+Vulnerability Database</a>, allowing me to look up know security
+issues for any CPE name. With this in place, all I need to do is to
+locate the CPE id for the software packages we use at the university.
+This is fairly trivial (I google for 'cve cpe $package' and check the
+NVD entry if a CVE for the package exist).</p>
+
+<p>To give you an example. The GNU gzip source package have the CPE
+name cpe:/a:gnu:gzip. If the old version 1.3.3 was the package to
+check out, one could look up
+<a href="http://web.nvd.nist.gov/view/vuln/search?cpe=cpe%3A%2Fa%3Agnu%3Agzip:1.3.3">cpe:/a:gnu:gzip:1.3.3
+in NVD</a> and get a list of 6 security holes with public CVE entries.
+The most recent one is
+<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0001">CVE-2010-0001</a>,
+and at the bottom of the NVD page for this vulnerability the complete
+list of affected versions is provided.</p>
+
+<p>The NVD database of CVEs is also available as a XML dump, allowing
+for offline processing of issues. Using this dump, I've written a
+small script taking a list of CPEs as input and list all CVEs
+affecting the packages represented by these CPEs. One give it CPEs
+with version numbers as specified above and get a list of open
+security issues out.</p>
+
+<p>Of course for this approach to be useful, the quality of the NVD
+information need to be high. For that to happen, I believe as many as
+possible need to use and contribute to the NVD database. I notice
+RHEL is providing
+<a href="https://www.redhat.com/security/data/metrics/rhsamapcpe.txt">a
+map from CVE to CPE</a>, indicating that they are using the CPE
+information. I'm not aware of Debian and Ubuntu doing the same.</p>
+
+<p>To get an idea about the quality for free software, I spent some
+time making it possible to compare the CVE database from Debian with
+the CVE database in NVD. The result look fairly good, but there are
+some inconsistencies in NVD (same software package having several
+CPEs), and some inaccuracies (NVD not mentioning buggy packages that
+Debian believe are affected by a CVE). Hope to find time to improve
+the quality of NVD, but that require being able to get in touch with
+someone maintaining it. So far my three emails with questions and
+corrections have not seen any reply, but I hope contact can be
+established soon.</p>
+
+<p>An interesting application for CPEs is cross platform package
+mapping. It would be useful to know which packages in for example
+RHEL, OpenSuSe and Mandriva are missing from Debian and Ubuntu, and
+this would be trivial if all linux distributions provided CPE entries
+for their packages.</p>
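Review bot: the lookup script described in the added paragraph beginning "The NVD database of CVEs is also available as a XML dump" keys its CVE matches on one CPE name plus version, but the later added paragraph ("some inconsistencies in NVD (same software package having several CPEs)") says NVD files the same package under several CPEs; as written, a CVE recorded only under the alternate CPE would be silently missed for that package, so the text should say how the script handles such duplicates (for example by accepting a list of alias CPEs per package) or state this as a known gap in the results. Smaller wording fixes in the added text: "look up know security issues" should read "known", "available as a XML dump" should be "an XML dump", "The CVE database listing vulnerabilities seem like" should be "seems like", and the paragraph on the Common Platform Enumeration uses both "CPE ids" and "CPE name" for the same identifier; pick one term and use it throughout.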