28 February 2009
Link to a shell escaping tutorial
A nearby LUG member just posted to the LUG's mailing list an explanation of how bash expands variables containing special characters and how various utilities interpret them. Give it a read. How to handle newlines was something I never thought about.
25 February 2009
Ubuntu audio blog
Once upon a time, Daniel Chen was an Ubuntu core developer and maintained the audio stack. He's no longer a core dev, but he's still doing a ton of work on audio. I can tell you first hand that practically every waking moment that he's not at the office, he's working on trying to make PulseAudio and ALSA work better in Ubuntu. Well, since he's not a core dev anymore and he never went through the Ubuntu Membership process, you won't be seeing his blog on maintaining Ubuntu's audio stack showing up on Planet Ubuntu. But you should take a look anyway. He's got a post up right now explaining why PulseAudio really isn't to blame for all your audio problems. I suggest you check it out, especially if you're running Jaunty.
20 February 2009
Scanning multipage documents in XSane
I have a flatbed scanner (part of my printer). I had no idea it was possible to scan a multipage document in XSane. For a pull-through, sure, maybe, those can go through a stack of pages on their own. But a flatbed? Every time I've tried this before, I scanned individual pages, saved them as images, put them into an Open Office Writer document with one image per page, then saved that as a PDF. There's a better way!
So here's what you do. In the XSane window where you choose color/greyscale, gamma, brightness, etc., at the top there's a dropdown that defaults to Viewer. Change that to Multipage. A new window will open called "xsane multipage project." Choose the "New Project" button. Back in that first window, hit the Scan button. The scanner will do its part, and a page will be listed in the project window. Swap in a new sheet of paper and hit the Scan button again. Repeat until you've scanned all you need. If you scanned them out of order, use the arrow buttons on the project window to rearrange them. You can also delete any pages you don't need. The Show Image button lets you preview an individual page. The default output format is PDF, so just click the "Save multipage file" button at the bottom of the Project window when you're done.
This makes things so much easier.
19 February 2009
That Green Bar in Firefox
I was just reading Dan Kaminsky's blog and saw something I found shocking. Let me quote it.
Moxie’s putting his energy on the old positive feedback attacks — simply disabling the security, and seeing if anyone notices. And here he shows up with some pretty astonishing data: Nobody noticed. To be specific, absolutely 0% of users presented with missing encryption on important web sites, being asked to provide sensitive financial data to those websites, refused on the basis of missing security.
Wow. 0%. Seriously.
Why don't users "get it"?
My first thought was "how do you not notice the address bar's not green?" Then I realized that a lot of people probably don't know why the address bar changes colours or what the different colours mean. Here's a hint: if it's a financial-anything, and that bar's not turning green, run away. I didn't know how it worked, to be honest. I knew it was more than certificate verification, designed to get around URLs that look like what you want but aren't, and that it involved paperwork. He's got the scoop on Extended Validation. Also, you can click the green bar to get more information about how the site is validated.
And by the way, that thing where phishers get a fake URL with a valid cert: that doesn't work (without a bunch of legal hula hoops to jump through) for the green bar. When a cert is the only valid thing going on, you'll see blue. Blue can still be phishing. Green is the good one.
Now, I know we're Linux users, and we're not likely to get viruses or trojans or things like that, but phishing is OS-agnostic. Phishing is about stupid users. Don't be a stupid user! When Firefox tells you a site is bad, be careful. When Firefox doesn't explicitly tell you a site is good, be careful. When I say be careful, I mean treat it as if its mode was 444 (read-only).
Oh, and use NoScript for Pete's sake!
/* Insert standard "do not click on login links in email" "do not use search engines to replace bookmarks" "do not use the same crappy password on every website" etc. warnings */
12 February 2009
Malware Terminology: Trojans, Worms, & Viruses
Some guy wrote How To Write a Linux Virus in 5 Easy Steps, but he's wrong. What he describes is not a virus; it is a trojan. And he calls himself a geek!
Let me start by saying that "malware" and "badware" are two commonly used umbrella terms for these types of software.
It is a trojan because it relies entirely upon social engineering to install and run. Remember the Trojan Horse? The Greeks claimed the horse was a gift for the Trojans. It turned out to be hiding a bunch of armed men. This is the same thing. The malware claims to be something innocuous which the user might enjoy or believes is necessary. The user is thus tricked into installing it. That trickery? That's the social engineering. It's the same trickery the Greeks used. The user installs and maybe executes the malware. Since there was both trickery and user intervention, it is a trojan.
A worm does not require user intervention. A worm will often (as in the case of Blaster) use a remote exploit to infect the host machine. It will then procreate and attack any other machines it can reach. It thus spreads completely on its own. Worms do not need to piggyback onto other files like trojans and viruses do. They exist in their own right and behave independently of pretty much all else.
And then there's the generic virus. Viruses do usually require user intervention to spread, but they don't involve social engineering like a trojan does. Viruses will often infect innocuous files which are then shared without the sharer knowing that they are handing a virus to the other person. In the case of a trojan, the sender usually knows exactly what they're doing. The file being infected by the virus does not turn into a trojan by virtue of being infected. It is simply an infected file, possibly an infected program.
Drive-by downloads are a bit confusing. Is it a trojan or a virus? It sort of depends on the site. If it's an attack site, you'll usually receive an email or IM with a link. Then there's some social engineering involved, and you did follow directions by going to the site, but the fact that you don't have to manually install something claiming to be safe puts it in the virus category for me. If it's a usually-safe site that happens to have been infected, then there's no grey area. That's a virus.
K? So, let's stop calling every bit of malware we find "a virus," because that's just not right. We have words for the different types of malware. Let's use them.
04 February 2009
I'm a traitor
I've been cheating on my desktop environment.
If you follow Planet Ubuntu, you saw Celeste's post about the KDE 4.2 release party. And yes, I'm in the photos. Scott Kitterman's trying to show me how to set what kind of window switcher I want when I hit Alt+Tab in KDE in one of the photos.
Yeah, I'm a traitor. As of last Friday, about 4 hours before the release party, I'm a KDE user. Scott actually said to me on IRC after that post about Ctrl+Alt+Backspace that I sound like a KDE user, so then I decided to attempt to get KDE working on my machine (deleting my ~/.kde fixed the problem I was having). I'm still using a bunch of GNOME apps, but I'm doing it inside KDE. While KDE still has the ability to overwhelm me with its options, 4.2 is definitely an improvement over 3.5, presenting many options in ways that are at least easier for me to parse.
I'm sticking to the same apps I use in GNOME for a couple reasons. They're the Devils I Know, and some I have a sort of investment in (transferring data would be annoying). Besides, if I switch back to GNOME, I'd prefer not to have to re-transfer the data.
I know Evolution doesn't let me choose which IMAP folder to use for Trash on each account like KMail does, but KMail crashes a lot in Jaunty (understandable, but annoying) and blocks all open tabs when loading a new view in only one of them. Evolution lets me have a bunch of signatures. Plus, all my data's in Evolution Data Server right now. Oh, the integration between EDS and the panel applets is something I'm missing. Celeste says it should be fairly straightforward to implement a Plasmoid to handle it through Akonadi, just nobody's done it yet. I'd kind of like to figure out a way to let Akonadi and EDS talk to each other so I can switch mail clients, address books, and calendars without having to export and import a bunch of data. I do really like that KMail, KOrganizer, and KAddressBook are all separate apps with a unified backend, though. Evolution's monolithic UI annoys me.
Kopete, like Empathy, forces groups in the buddy list to be arranged alphabetically, something I do not want, so I'm sticking to Pidgin. Yes, I'm still using Firefox and Terminator.
I did try Amarok. I'm still not a fan of that sideways row of tabs, but I like the way queued songs are displayed on the Collection view. Maybe I can get used to that row of tabs just for that. If it lets me shuffle the queue (haven't tried yet), I'm sold. GNOME's refusal to let Rhythmbox shuffle the queue is really annoying. I'll have to see how it handles copying to my iAudio as well, but really, Dolphin's enough for that.
I really like the new KMenu and KRunner. The filter search list is nice. I'm not as impressed with the panel. It'd be nice to be able to have a gap between plasmoids, an expanding separator. I can't figure out how to change the panel's background either.
Oh, and does anyone know what the difference between "Focus Follows Mouse" and "Focus Under Mouse" is? I know I don't want "Click to Focus," and we figured out at the party that "Focus Strictly Under Mouse" means that moving the mouse to the desktop makes the app lose focus. Those other two seem to be the same though. That'd be one of those "oh no, KDE is asking me questions with options that I don't understand" things. I don't mind having lots of options, just as long as I know what the heck they do.