OSS on OS X

Author: Mitchell Cohen

Apple recently released Mac OS X 10.4 Tiger, the latest update to the flagship operating system. With developer-oriented features such as Core Data under the hood, the Unix-based Tiger, together with the introduction of powerful yet increasingly cost-effective Mac hardware, is enticing many a curious Linux enthusiast to prowl over to the nearest Apple Store and get their paws on a Mac. And while the Mac OS opens up a world of elegant interface design and commercial software unseen on the Linux desktop, lacking out of the box is the plethora of open source software to which we are so accustomed. Luckily, a growing community of open source developers and advocates has been working since the birth of the platform to bring free software to Mac OS X.

There are multiple ways to install and use free software on the Mac. Each method offers varying degrees of convenience and integration with the system:

  1. Developers can take advantage of OS X technologies by using the Cocoa GUI toolkit to create native Aqua user interfaces, which are then rendered through Quartz. These programs look and feel like native OS X applications.
  2. Many more applications, particularly Linux ports, run in the OS X Terminal application or, graphically, in Apple’s free implementation of the X Window System. While such applications can generally be ported faster than native Aqua programs, they aren’t integrated into the OS X user interface. Most of these apps can be installed with Fink, discussed below.

Native applications

When OpenOffice.org canceled development of its 2.0 Aqua port in March, Mac users were left searching for a native cross-platform open source office suite for OS X. Fortunately, the NeoOffice/J project was developing a version of OpenOffice.org 1.1.x using Java to provide users with a native Aqua interface. Along with all of the features present in OpenOffice.org 1.1.4, some of NeoOffice/J’s OS X-specific features include:

  • No X11 requirement
  • Native drag-and-drop support
  • Native copy-paste support
  • Aqua menus
  • Integration with Finder and Mail
  • Support for system fonts

NeoOffice is not a complete Aqua port of OpenOffice.org; at this point, its biggest advantage over OpenOffice.org is that it does not require X11 to run. As of v1.1 Release Candidate 1, many interface elements, such as the toolbars, do not use the Aqua theme or follow OS X interface design guidelines. Still, each NeoOffice release promises to improve Aqua integration and overall speed and stability, bringing NeoOffice/J closer to becoming a viable alternative to Microsoft Office on the Mac.

For now, if you do not need the full feature set of NeoOffice/J or want to have a lightweight, free, and fully native word processor for your Mac, AbiWord’s OS X port takes about four seconds to load on a Mac Mini and takes up only 25MB of disk space. AbiWord’s interface, built entirely in Cocoa, is clean and user-friendly. In addition to standard text formatting, AbiWord has basic support for tables, images, mail merge, and Word import/export. Both AbiWord and NeoOffice/J have extensive internationalization support for non-English-speakers.

Mac OS X is bundled with the Safari Web browser, which renders HTML with an engine based on KDE’s KHTML. Safari renders pages quickly and accurately, but the browser interface is not customizable, nor is it open source. One well-known alternative is Mozilla Firefox. The OS X port features a special default theme and minimal Cocoa support (an example is the native Preferences dialog). However, like NeoOffice, Firefox is not a true Aqua program. The OS X version is buggier than the Windows and Linux versions.

Until some of the issues in Firefox are fixed for v1.5, Mac users should look instead to Mozilla’s Camino for a real Cocoa, Gecko-based browser. Designed from the ground up for the Mac, Camino blends into the OS X interface, using Keychain passwords, address book contacts, and other OS X settings. It also supports advanced browser features such as tabs, find-as-you-type search, and a search engine toolbar. One interesting feature in Camino’s dual-pane bookmark manager, modeled after that of Safari, is the ability to create “tab folders” that open all bookmarks located in a folder in separate tabs when you click on the folder. Camino is well-integrated and attractive; its one major drawback is that it doesn’t support the XUL extensions that make Firefox so useful, so you may want to use both browsers.

MPlayer OS X is an Aqua port of MPlayer, the open source world’s most compatible media player. MPlayer OS X sports a lightweight Cocoa interface that includes buttons to control playback and a simple playlist manager. Users can add video files quickly to the playlist queue by dragging and dropping them from a Finder window. MPlayer OS X is compiled to support the G4/G5’s AltiVec and outputs video through Quartz by default to provide smooth playback. As in the Linux version, MPlayer OS X is able to output through a variety of alternate video and audio devices, such as OpenGL, or even right onto the Desktop layer. And MPlayer OS X, just like its Linux equivalent, is bundled with enough codecs to play any media file you can throw at it. To play video in Apple’s X11 and have access to more fine-tunable command line options, you can install MPlayer with Fink, as described below.

Open source the Fink way

Fink is a project that aims to provide Mac OS X users with ports of common Linux open source applications. The Fink package manager facilitates installing programs from the OS X command line by downloading application source code from a database of more than 5,000 packages, compiling it, and installing it using a port of Debian’s APT. Fink’s feature set includes full dependency support and the ability to bypass installing certain packages (like X) if you have already installed them through other methods. Fink installs all packages to its own /sw directory so that they will not interfere with the rest of the system, making it safe and easy to uninstall Fink by removing /sw.

To use Fink, you need to install Apple’s Developer Tools and X Window System from the Mac OS X installation DVD. (There are binary and install it onto your system. Once Fink is installed, open Terminal.app (found in /Applications/Utilities) and type fink configure to set options such as which mirrors Fink should use and the verbosity level of its output. Next, run fink selfupdate to upgrade Fink to the latest release. This step is especially important for Tiger users since versions of Fink later than 0.24.5 use the newer 10.4-transitional tree to install software that is compatible with the new OS. Finally, run fink scanpackages to make sure the list of available packages is up-to-date.

Installing software with Fink is relatively simple. The command fink list keyword displays all packages in Fink’s database matching the keyword you are searching for. Type fink install packagename to make Fink download, compile, and install your requested application. For example, to install the metapackage containing all of the applications in KDE 3.3.2, type fink install bundle-kde. Applications installed with Fink do not show up in the Finder, but they can be run from Terminal.app provided that /sw/bin is in your $PATH, which should be taken care of automatically after installing Fink. Typical console applications, such as the Pine mail reader (installable with Fink), require no further setup to use. Graphical applications requiring X, such as the GIMP or Bluefish (both installable with Fink!), can be run from an xterm window in X11.app or by using the command open-x11 applicationname in Terminal. Apple’s X11 honors the contents of your ~/.xinitrc file and launches all commands found within it every time you start X. To make launching X applications a more transparent process, I add aliases to my ~/.bashrc file, such as: alias konq='open-x11 konqueror'.

Fink has many more commands and uses, including ports of the excellent apt-get and dselect programs from Debian. These are covered in the detailed documentation and FAQ on the Fink site. You can browse the Fink mailing lists for additional support. One community site that deserves special mention is Sao’s Place, an essential resource for anything and everything about Fink and X11 on Mac OS X. For another method of installing open source software similar to Fink in purpose but different in implementation, check out DarwinPorts.

IssueBridge project management software released

Author: James Hurff

IssueBridge is a project management tool that improves the productivity of your project team by allowing project management staff and team members to access and delegate all of the issues within a project. This user friendly and web based software product serves as an issue tracking and defect tracking system. It enables your team to make clear each step needed to meet the overall goal of the project. Please take a look at this exciting new deployment model for a reoccurring project management problem.

Virtual Machines and the OS

As a recent ACM Queue article observes, the evolution of computer language is toward later and later binding and evaluation. So while one might quibble about the virtues of Java or the CLI (also known as microsoft.net) it seems inevitable that more and more software will be written for or at least compiled to virtual machines. While this trend has many virtues, not the least of which is compatibility, current implementations have several drawbacks. However, by cleverly incorporating these features into the OS, or at least including support for them, we can overcome these limitations and in some cases even turn them into strengths.

Link: osnews.com

Category:

  • News

Crackers and honey: An irresistible combination for network security

Author: Mayank Sharma

Denial of service (DoS) attacks aim to take down Web servers and other Internet resources, often by swarming them with repeated requests, which knocks them out. LaBrea is honeypot software that cooks up a fake machine with virtual ports with virtual vulnerabilities for a cracker to play with.

A honeypot is software that attracts hostile activity by masquerading as a vulnerable system. While it’s running, the honeypot gathers information about attackers and their techniques and patterns. Honeypots distract crackers from more valuable machines on a network, and provide early warning about attacks and exploitation trends.

LaBrea was conceived in the aftermath of the Code Red worm attack in July 2001, when software developer Tom Liston posted an idea on the INTRUSIONS list at incidents.org for a means of combatting the constant scanning of his IP addresses and ports. A port scan is a method used by crackers to determine what ports are open or in use on a system in a network. By using various tools a cracker can send data to TCP or UDP ports one at a time. Based on the response received the port scan utility determines if that port is in use. The cracker uses this information to focus his efforts to exploit weaknesses on the ports that are open.

Liston’s idea got a positive response from Mihnea Stoenescu, who used a modified version of a comprehensive security program called Couic. Tom hacked Couic for his purpose and called it CodeRedneck. He further improved CodeRedneck to fake machines with fake vulnerabilities — in essence creating the honeypot which he now called LaBrea.

LaBrea keeps a watch to see if someone is trying to find a free IP address on your network. LaBrea looks for address resolution protocol (ARP) requests without any ARP replies to see whether that IP is in use. When LaBrea sees this behavior it assumes this is a cracker port-scanning your system, and creates an ARP reply with a bogus MAC address and sends it back to the requester. This helps determine the IP address of the port scanner.

LaBrea then listens to all incoming traffic to the bogus MAC address it just created. To convince the attacker that he is talking to a real machine, LaBrea allows TCP connections. The cracker sends a SYN (synchronize) packet, which is acknowledged with a SYN/ACK (acknowledgment). You can configure LaBrea to keep track of its activity in a log file or display it on your screen.
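The decision logic described in the two paragraphs above can be modelled over constructed traffic. This is an added example, not code from the article or from LaBrea itself; the `TarpitModel` class, the 3-second wait, the placeholder MAC and the sample addresses are all assumptions.

```python
from dataclasses import dataclass, field

BOGUS_MAC = "02:00:00:00:00:01"   # constructed placeholder, not LaBrea's real value

@dataclass
class TarpitModel:
    arp_timeout: float = 3.0                       # assumed wait before claiming an IP
    pending: dict = field(default_factory=dict)    # target IP -> time of first unanswered request
    captured: dict = field(default_factory=dict)   # claimed IP -> set of source IPs seen

    def arp_request(self, ts, requester, target):
        """Return the forged ARP reply to send, or None to stay silent."""
        if target in self.captured:
            self.captured[target].add(requester)
            return ("arp-reply", target, BOGUS_MAC)
        first = self.pending.setdefault(target, ts)
        if ts - first < self.arp_timeout:
            return None                            # give a real owner time to answer
        del self.pending[target]
        self.captured[target] = {requester}        # the early-warning record
        return ("arp-reply", target, BOGUS_MAC)

    def arp_reply(self, ts, sender):
        """A real host answered: the address is in use, so never hold it."""
        self.pending.pop(sender, None)
        self.captured.pop(sender, None)

    def tcp_syn(self, ts, src, dst, dport):
        """Answer SYNs only for addresses this model has claimed."""
        if dst not in self.captured:
            return None
        self.captured[dst].add(src)
        return ("syn-ack", dst, dport, src)

# Constructed sample traffic (RFC 5737 documentation addresses).
EVENTS = [
    (0.0, "arp_request", "192.0.2.50", "192.0.2.10"),  # live host is asked for...
    (0.1, "arp_reply", "192.0.2.10"),                  # ...and answers
    (1.0, "arp_request", "192.0.2.66", "192.0.2.77"),  # unused address, first ask
    (2.0, "arp_request", "192.0.2.66", "192.0.2.77"),  # retry, still inside the wait
    (4.2, "arp_request", "192.0.2.66", "192.0.2.77"),  # unanswered past the wait
    (4.3, "tcp_syn", "192.0.2.66", "192.0.2.77", 80),  # SYN to the claimed address
    (4.4, "tcp_syn", "192.0.2.66", "192.0.2.10", 80),  # real host: not ours to answer
    (9.0, "arp_request", "192.0.2.50", "192.0.2.10"),
    (9.1, "arp_reply", "192.0.2.10"),
]

def replay(events, model=None):
    """Feed events to the model; return it plus every packet it would send."""
    model = model or TarpitModel()
    sent = []
    for ts, kind, *args in events:
        out = getattr(model, kind)(ts, *args)
        if out is not None:
            sent.append((ts, *out))
    return model, sent

if __name__ == "__main__":
    model, sent = replay(EVENTS)
    for row in sent:
        print(row)
    print("sources seen per claimed address:", model.captured)
```

The `arp_reply` handler covers the failure mode that matters on a production LAN: if a legitimate host later answers for an address, the model releases it instead of continuing to impersonate it.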

Please note that there are legal implications in some countries for using honeypots. For instance, some countries have laws against wiretapping, and in one sense, implementing a honeypot can be seen as a serious violation of wiretapping law.

Setting it up

If the law doesn’t deter you, it’s easy to try LaBrea. Download it, and make sure your system also has libdnet, on which LaBrea is dependent.

As root, first install the libdnet RPM:

rpm -i libdnet-1.7-0.1.fc2.dag.i386.rpm

Next extract the LaBrea tarball and install it:

tar -zxvf labrea-2.5-stable-1.tar.gz
cd labrea
./configure --with-libdnet=/usr
make
make install

LaBrea also needs to be run as root.

LaBrea has lots of switches. Understand which ones to use for better results. For instance:

labrea -i eth1 -o -v -z

This invokes LaBrea in the verbose (-v) mode sending all the log info to stdout (standard output) instead of syslog (-o). To specify which interface LaBrea listens to, specify the -i switch. The -z option turns off nag messages that your LAN cards might not support.

Testing the setup

To test your new software, find a machine on your network and try to ping an unused local IP address. After three ‘Request timed out’ messages you should start getting a response. You can increase or decrease the time period that LaBrea takes to respond using the -r switch.

On the machine you just set up, you’ll see the IP address of the machine from which the ping originated.

Now for the real stuff. Run Nessus on a free IP address. It’ll find the address as valid. On my network it reported security holes and security warnings on my unoccupied IP! Nmap showed more than 2,000 open ports and the services running on the virtual machine!

A honeypot like LaBrea is a useful security tool that complements intrusion detection systems and firewalls.

Mayank Sharma is a freelance technology writer and FLOSS migration consultant in New Delhi, India.

Category:

  • Security

Legal bungling sank SCO Group’s investigation against DaimlerChrysler

Author: Chris Preimesberger

NewsForge has determined that The SCO Group, which purports to have ownership of all Unix System V code, was actually fishing for usage of its proprietary code in Linux systems when it filed a lawsuit March 3 against multinational automaker DaimlerChrysler. The lawsuit alleged only that DaimlerChrysler had not recertified with SCO Group the use of its old Unix code, as required by the original 1990 contract between Chrysler Motors Corp. (now DaimlerChrysler) and AT&T Information Systems (which owned the Unix code at that time).

In fact, DaimlerChrysler proved that it had complied with the original contract by certifying its use of Unix System V code with SCO Group 11 weeks (on April 6, 2004) before Michigan Judge Rae Lee Chabot’s dismissal of most of the case on July 21. DaimlerChrysler IT manager Norman Powell did this by attesting that no SCO-owned code had been used in DaimlerChrysler’s shop for more than seven years, thus there were no CPUs to be counted. (With thanks to Pam Jones at Groklaw, see DaimlerChrysler’s Motion for Summary Dismissal, dated April 15, 2004.)

DaimlerChrysler: Full compliance with agreement

“DaimlerChrysler has provided SCO with a certification that complies with the express requirements of Section 2.05 (of the original contract with AT&T Information systems),” the company said on Page 24 of its 54-page Motion for Summary Dismissal. “Specifically, the DaimlerChrysler letter provides SCO with the required information about Designated CPUs (explaining that none are in use); certifies that an authorized person reviewed DaimlerChrysler’s use; and states that no software product licensed under the subject agreement is being used or has been used in more than seven years, and as a result, there is full compliance with the provisions of the subject agreement,” DaimlerChrysler said.

SCO Group then accepted DaimlerChrysler’s certification response, company spokesman Blake Stowell told Newsforge. In effect, an out-of-court agreement was reached, although it was not made public. At this point, SCO Group could have dropped the litigation, but its counsel elected not to do so.

“We’re satisfied that DaimlerChrysler did finally certify their compliance with the existing software agreement,” SCO’s Stowell said.

Then why didn’t SCO Group drop the suit, after its customer (DaimlerChrysler) offered its explanation of compliance on April 6?

“One of the reasons our lawyers decided to pursue the case is that I think they wanted to investigate further whether DaimlerChrysler had any possible misuse of our code within Linux in their systems,” Stowell said on Monday.

However, the SCO lawyers’ plan backfired when Judge Chabot stuck to the letter of the contract, which dealt strictly with certification of Unix System V code usage. As it turned out, DaimlerChrysler “was not obligated to tell us anything about their use of Linux,” Stowell said.

More litigation to come?

Will SCO Group continue its investigation into whether DaimlerChrysler is somehow misusing proprietary Unix code in its Linux systems?

“I don’t know,” Stowell said. “I can’t answer that. It’s up to our lawyers.”

For this particular case, SCO Group retained the Southfield, Mich., firm of Seyburn, Kahn, Ginn, Bess and Serlin. A call to case lead attorney Joel Serlin Monday afternoon was not returned to NewsForge.

Detroit-based DaimlerChrysler spokeswoman Mary Gauthier, who did not return calls requesting comment today, told ComputerWorld on July 21 — the day of the judgment — that “we are pleased with the judge’s ruling, and we look forward to finally resolving the one open issue.”

Stowell said he does not believe SCO Group will pursue the final point in the Michigan case that is still open — that SCO Group wants to know why DaimlerChrysler didn’t respond to the certification request in a reasonable amount of time.

In fact, DC responded to SCO on April 6 — about a month after the lawsuit was filed — explained its legal point of view, and offered certification information. This information is all included in the motion filed on April 15. That meant DaimlerChrysler took about three and a half months to respond to SCO’s first letter on Dec. 18, 2003 requesting an accounting of its Unix System V code.

iCanProgram online Linux Programming courses offered

Author: JT Smith

Bob Findlay writes

“Back in December iCanProgram.com announced that it would be offering its online “Introduction to Linux Programming” courses without fees in return for a voluntary donation to Cancer Research by the participants. These donations were made in memory of one of our founding partners who lost her own battle with Cancer last summer.

This “learning for charity” formula has been a success far beyond our expectations. We have now offered our courses under this format to over 350 students worldwide.

For those of you who missed out the first time round there are still openings in the 2 remaining courses that will be offered in the 2002 spring session.

The 02 Apr edition of the Introduction to Linux Programming course has room.

The 02 Apr edition of our newest advanced Linux Programming course titled Linux Programming the SIMPL way has room as well.

Thanks once again to all those who have participated so far and given so generously to the cause of fighting Cancer.”

The myth of Open Source security revisited v2.0

Author: JT Smith

From Earthweb Networking and Communications:
“This article is a followup to an article entitled The Myth of Open Source Security Revisited. The original article tackled the common misconception amongst users of Open Source Software (OSS) that OSS is a panacea when it comes to creating secure software. The article presented anecdotal evidence taken from an article written by John Viega, the original author of GNU Mailman, to illustrate its point. This article follows up the anecdotal evidence presented in the original paper by providing an analysis of similar software applications, their development methodology and the frequency of the discovery of security vulnerabilities.”

Category:

  • Security

Interview: Miguel de Icaza on just about everything

Author: JT Smith

Anonymous Reader writes “In a long interview, Miguel de Icaza discusses everything from why he thinks .NET is a good idea to the reason .GNU and Mono are at odds to the importance of Linux in third-world countries (and the future of Linux in general) to what makes programmers tick.”

Category:

  • Linux

New configuration management system

Author: JT Smith

From Advogato: “Apparently Compaq/Digital have been working on something called Vesta, a configuration management system, for about 10 years. It’s been ported to Linux and LGPL’d. It’s quite a bit different from CVS/etc.”

Category:

  • Linux

Darwin Streaming Server beats Real, Windows Media

Author: JT Smith

Slashdot readers discuss a shootout at NetworkComputing.com comparing free, Open Source Darwin Streaming Server to Real and Windows Media. The Slashdot intro says Darwin Streaming Server “edged out costly and closed source Windows Media & RealVideo streaming systems. Well, it edged out Real. It blew Microsoft away.”