may the force be with you

In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear.

What you get with sudo

What are you really gaining by using sudo in the default Mac OS X configuration? First, you gain some comfort that nobody can login as root, either locally or remotely via SSH or FTP and tamper with your machine. Second, you get a log entry in /var/log/system.log every time sudo is used showing you who used it and what command was executed. These appear good enough reasons to endure the slight inconvenience of using sudo.

However, the way sudo is configured out of the box, you only need to enter your own password for authentication. This means that if someone guesses your password or steals it (and has access to it locally or via SSH), they can take over your box just as if you had root enabled.

Worse, if you execute sudo -s to start a root shell, the only thing that shows up in your system.log is this:

Mar 20 07:49:12 my-mac-mini sudo: username : TTY=ttyp3 ; PWD=/Users/
username ; USER=root ; COMMAND=/bin/bash

Every other command after starting a root shell does NOT get logged at all. All you can tell from this is when someone started the root shell. Whatever happened after that is a mystery. The same problem exists if a command is executed that permits shell escapes like many text editors, telnet programs, etc. So, in fact, using sudo has gained us absolutely nothing over enabling and using root.

These deficiencies can be mitigated, and we'll get to that later.

Securing the root account

If you enable the root account, there are a couple of precautions you should take. First, give root a different password than your user account.

You can prevent root logins to SSH by changing this line in the sshd configuration file, /private/etc/sshd_config:
#PermitRootLogin yes
to this:
PermitRootLogin no

Then, stop and restart SSH in System Preferences / Sharing. To go one step further, disable all password logins to SSH and allow only public key authentication. This is how I configure my Linux servers. There are many fine resources on the web that describe the gory details of using SSH public key authentication.

FTP logins by root are disabled by default since the root account is listed in the /etc/ftpusers file. Users listed in that file are not allowed to login using FTP.

Finally, disable user access to sudo by commenting out the %admin line in /private/etc/sudoers:
#%admin ALL=(ALL) ALL

With two minor configuration changes, we have a system that is arguably more secure than the default system using sudo. Why? Because if someone guesses or steals your user password, they can't use sudo to take over the machine. They still have to guess the root password. Of course, if they have a local account, they may be able to use a privilege escalation vulnerability to gain root access, but that is an issue for Apple.

Back to sudo

Is there a way to make the sudo configuration more secure? There are many things that can be done to improve the default settings. Here are a couple.

The most obvious change is to require a different password than your user password to authenticate. This can be done while keeping root logins disabled with a little trickery. First, enable the root account, change the root password, then use Netinfo Manager to change the root shell to /usr/bin/false. Any attempt to login as root will immediately end. Then, you can force sudo to require the root password by adding this line to /private/etc/sudoers:
Defaults:ALL rootpw

Another security enhancement is to set up restrictions by user, and listing specific commands that are allowed to be run using sudo. By limiting the commands that can be run, you can limit the damage that can be done by a user account. This means changing the line in /private/etc/sudoers that grants all commands to users in the admin group. Check the sudoers man page for the details.

With these changes in place, sudo becomes much more secure, and is probably safer than using root directly. You should still change the SSH configuration to deny root logins and use public key authentication.

The real story

I've made arguments and suggestions for using the root account and for using sudo. But consideration should be given to the role of the computer and primary user(s) before making a decision on which may work best for you.

The main goal of sudo is to allow users limited access to root commands for the purpose of distributing the sysadmin load. On a single user box, you are only distributing the load to yourself. If you take a few precautions, enabling the root user is perfectly acceptable and can be more secure than the default configuration using sudo. On a multi-user box, sudo adds value and may be the best way to go. Given it's limitations, the notion that sudo is always the best choice is dubious. The real story is it depends on the configuration.

source:http://linuxboxadmin.com/articles/sudo-vs-root.php

As a government scientist, James Hansen is taking a risk. He says there are things the White House doesn't want you to hear but he's going to say them anyway.

Hansen is arguably the world's leading researcher on global warming. He's the head of NASA's top institute studying the climate. But this imminent scientist tells correspondent Scott Pelley that the Bush administration is restricting who he can talk to and editing what he can say. Politicians, he says, are rewriting the science.

But he didn't hold back speaking to Pelley, telling 60 Minutes what he knows.

Asked if he believes the administration is censoring what he can say to the public, Hansen says: "Or they're censoring whether or not I can say it. I mean, I say what I believe if I'm allowed to say it."

What James Hansen believes is that global warming is accelerating. He points to the melting arctic and to Antarctica, where new data show massive losses of ice to the sea.

Is it fair to say at this point that humans control the climate? Is that possible?

"There's no doubt about that, says Hansen. "The natural changes, the speed of the natural changes is now dwarfed by the changes that humans are making to the atmosphere and to the surface."

Those human changes, he says, are driven by burning fossil fuels that pump out greenhouse gases like CO₂, carbon dioxide. Hansen says his research shows that man has just 10 years to reduce greenhouse gases before global warming reaches what he calls a tipping point and becomes unstoppable. He says the White House is blocking that message.

"In my more than three decades in the government I've never witnessed such restrictions on the ability of scientists to communicate with the public," says Hansen.

Restrictions like this e-mail Hansen's institute received from NASA in 2004. "… there is a new review process … ," the e-mail read. "The White House (is) now reviewing all climate related press releases," it continued.

Why the scrutiny of Hansen's work? Well, his Goddard Institute for Space Studies is the source of respected but sobering research on warming. It recently announced 2005 was the warmest year on record. Hansen started at NASA more than 30 years ago, spending nearly all that time studying the earth. How important is his work? 60 Minutes asked someone at the top, Ralph Cicerone, president of the nation’s leading institute of science, the National Academy of Sciences.

"I can't think of anybody who I would say is better than Hansen. You might argue that there's two or three others as good, but nobody better," says Cicerone.

And Cicerone, who’s an atmospheric chemist, said the same thing every leading scientist told 60 Minutes.

"Climate change is really happening," says Cicerone.

Asked what is causing the changes, Cicernone says it's greenhouse gases: "Carbon dioxide and methane, and chlorofluorocarbons and a couple of others, which are all — the increases in their concentrations in the air are due to human activities. It's that simple."

But if it is that simple, why do some climate science reports look like they have been heavily edited at the White House? With science labeled "not sufficiently reliable." It’s a tone of scientific uncertainty the president set in his first months in office after he pulled out of a global treaty to reduce greenhouse gas emissions.

"We do not know how much our climate could, or will change in the future," President Bush said in 2001, speaking in the Rose Garden of the White House. "We do not know how fast change will occur, or even how some of our actions could impact it."

Annoyed by the ambiguity, Hansen went public a year and a half ago, saying this about the Bush administration in a talk at the University of Iowa: "I find a willingness to listen only to those portions of scientific results that fit predetermined inflexible positions. This, I believe, is a recipe for environmental disaster."

Since then, NASA has been keeping an eye on Hansen. NASA let Pelley sit down with him but only with a NASA representative taping the interview. Other interviews have been denied.

"I object to the fact that I’m not able to freely communicate via the media," says Hansen. "National Public Radio wanted to interview me and they were told they would need to interview someone at NASA headquarters and the comment was made that they didn’t want Jim Hansen going on the most liberal media in America. So I don’t think that kind of decision should be made on that kind of basis. I think we should be able to communicate the science."

Politically, Hansen calls himself an independent and he’s had trouble with both parties. He says, from time to time, the Clinton administration wanted to hear warming was worse that it was. But Hansen refused to spin the science that way.

"Should we be simply doing our science and reporting it rigorously, or to what degree the administration in power has the right to assume that you should be a spokesman for the administration?" asks Hansen. "I've tried to be a straight scientist doing the science and reporting it as best I can."

Dozens of federal agencies report science but much of it is edited at the White House before it is sent to Congress and the public. It appears climate science is edited with a heavy hand. Drafts of climate reports were co-written by Rick Piltz for the federal Climate Change Science Program. But Piltz says his work was edited by the White House to make global warming seem less threatening.

"The strategy of people with a political agenda to avoid this issue is to say there is so much to study way upstream here that we can’t even being to discuss impacts and response strategies," says Piltz. "There’s too much uncertainty. It's not the climate scientists that are saying that, its lawyers and politicians."

Piltz worked under the Clinton and Bush administrations. Each year, he helped write a report to Congress called "Our Changing Planet."

Piltz says he is responsible for editing the report and sending a review draft to the White House.

Asked what happens, Piltz says: "It comes back with a large number of edits, handwritten on the hard copy by the chief-of-staff of the Council on Environmental Quality."

Asked who the chief of staff is, Piltz says, "Phil Cooney."

Piltz says Cooney is not a scientist. "He's a lawyer. He was a lobbyist for the American Petroleum Institute, before going into the White House," he says.

Cooney, the former oil industry lobbyist, became chief-of-staff at the White House Council on Environmental Quality. Piltz says Cooney edited climate reports in his own hand. In one report, a line that said earth is undergoing rapid change becomes “may be undergoing change.” “Uncertainty” becomes “significant remaining uncertainty.” One line that says energy production contributes to warming was just crossed out.

"He was obviously passing it through a political screen," says Piltz. "He would put in the word potential or may or weaken or delete text that had to do with the likely consequence of climate change, pump up uncertainty language throughout."

In a report, Piltz says Cooney added this line “… the uncertainties remain so great as to preclude meaningfully informed decision making. …” References to human health are marked out. 60 Minutes obtained the drafts from the Government Accountability Project. This edit made it into the final report: the phrase “earth may be” undergoing change made it into the report to Congress. Piltz says there wasn’t room at the White House for those who disagreed, so he resigned.

"Even to raise issues internally is immediately career limiting," says Piltz. "That’s why you will find not too many people in the federal agencies who will speak freely about all the things they know, unless they’re retired or unless they’re ready to resign."

Jim Hansen isn't retiring or resigning because he believes earth is nearing a point of no return. He urged 60 Minutes to look north to the arctic, where temperatures are rising twice as fast as the rest of the world. When 60 Minutes visited Greenland this past August, we saw for ourselves the accelerating melt of the largest ice sheet in the north.

"Here in Greenland about 15 years ago the ice sheet extended to right about where I'm standing now, but today, its back there, between those two hills in the shaded area. Glaciologists call this a melt stream but, these days, its a more like a melt river," Pelley said, standing at the edge of Greenland's ice sheet.

The Bush administration doesn’t deny global warming or that man plays a role. The administration is spending billions of dollars on climate research. Hansen gives the White House credit for research but says what’s urgent now is action.

"We have to, in the next 10 years, get off this exponential curve and begin to decrease the rate of growth of CO₂ emissions," Hansen explains. "And then flatten it out. And before we get to the middle of the century, we’ve got to be on a declining curve.

"If that doesn't happen in 10 years, then I don’t think we can keep global warming under one degree Celsius and that means we’re going to, that there’s a great danger of passing some of these tipping points. If the ice sheets begin to disintegrate, what can you do about it? You can’t tie a rope around the ice sheet. You can’t build a wall around the ice sheets. It will be a situation that is out of our control."

But that's not a situation you'll find in one federal report submitted for review. Government scientists wanted to tell you about the ice sheets, but before a draft of the report left the White House, the paragraph on glacial melt and flooding was crossed out and this was added: "straying from research strategy into speculative findings and musings here."

Hansen says his words were edited once during a presentation when a top official scolded him for using the word danger.

"I think we know a lot more about the tipping points," says Hansen. "I think we know about the dangers of even a moderate degree of additional global warming about the potential effects in the arctic about the potential effects on the ice sheets."

"You just used that word again that you’re not supposed to use — danger," Pelley remarks.

"Yeah. It’s a danger," Hansen says.

For months, 60 Minutes had been trying to talk with the president’s science advisor. 60 Minutes was finally told he would never be available. Phil Cooney, the editor at the Council on Environmental Quality didn’t return 60 Minutes' calls. In June, he left the White House and went to work for Exxon Mobil.

source:http://www.cbsnews.com/stories/2006/03/17/60minutes/main1415985_page3.shtml

"There is a resurgence in interest lately in information-based systems and websites for data sharing, structured data, and enabling communities to work together better. I'm working a contract for a new business that is trying to build a community to support people who write software. What communities are you a part of now that help you write and develop software? I mean this question in a general way, including both online communities and offline interactions (your office, LUGs, etc.) -- where do you find connection with other people to get information, answers, and inspiration?"

source:http://ask.slashdot.org/askslashdot/06/03/21/0129214.shtml

"There is a resurgence in interest lately in information-based systems and websites for data sharing, structured data, and enabling communities to work together better. I'm working a contract for a new business that is trying to build a community to support people who write software. What communities are you a part of now that help you write and develop software? I mean this question in a general way, including both online communities and offline interactions (your office, LUGs, etc.) -- where do you find connection with other people to get information, answers, and inspiration?"

source:http://ask.slashdot.org/article.pl?sid=06/03/21/0129214

• The Earth revolves around the Sun.

• The speed of light is a constant.

• Apples fall to earth because of gravity.

• Elevated blood sugar is linked to diabetes.

• Elevated uric acid is linked to gout.

• Elevated homocysteine is linked to heart disease.

• Elevated homocysteine is linked to B-12 deficiency, so doctors should test homocysteine levels to see whether the patient needs vitamins.

ACTUALLY, I can't make that last statement. A corporation has patented that fact, and demands a royalty for its use. Anyone who makes the fact public and encourages doctors to test for the condition and treat it can be sued for royalty fees. Any doctor who reads a patient's test results and even thinks of vitamin deficiency infringes the patent. A federal circuit court held that mere thinking violates the patent.

All this may sound absurd, but it is the heart of a case that will be argued before the Supreme Court on Tuesday. In 1986 researchers filed a patent application for a method of testing the levels of homocysteine, an amino acid, in the blood. They went one step further and asked for a patent on the basic biological relationship between homocysteine and vitamin deficiency. A patent was granted that covered both the test and the scientific fact. Eventually, a company called Metabolite took over the license for the patent.

Although Metabolite does not have a monopoly on test methods — other companies make homocysteine tests, too — they assert licensing rights on the correlation of elevated homocysteine with vitamin deficiency. A company called LabCorp used a different test but published an article mentioning the patented fact. Metabolite sued on a number of grounds, and has won in court so far.

But what the Supreme Court will focus on is the nature of the claimed correlation. On the one hand, courts have repeatedly held that basic bodily processes and "products of nature" are not patentable. That's why no one owns gravity, or the speed of light. But at the same time, courts have granted so-called correlation patents for many years. Powerful forces are arrayed on both sides of the issue.

In addition, there is the rather bizarre question of whether simply thinking about a patented fact infringes the patent. The idea smacks of thought control, to say nothing of unenforceability. It seems like something out of a novel by Philip K. Dick — or Kafka. But it highlights the uncomfortable truth that the Patent Office and the courts have in recent decades ruled themselves into a corner from which they must somehow extricate themselves.

For example, the human genome exists in every one of us, and is therefore our shared heritage and an undoubted fact of nature. Nevertheless 20 percent of the genome is now privately owned. The gene for diabetes is owned, and its owner has something to say about any research you do, and what it will cost you. The entire genome of the hepatitis C virus is owned by a biotech company. Royalty costs now influence the direction of research in basic diseases, and often even the testing for diseases. Such barriers to medical testing and research are not in the public interest. Do you want to be told by your doctor, "Oh, nobody studies your disease any more because the owner of the gene/enzyme/correlation has made it too expensive to do research?"

The question of whether basic truths of nature can be owned ought not to be confused with concerns about how we pay for biotech development, whether we will have drugs in the future, and so on. If you invent a new test, you may patent it and sell it for as much as you can, if that's your goal. Companies can certainly own a test they have invented. But they should not own the disease itself, or the gene that causes the disease, or essential underlying facts about the disease. The distinction is not difficult, even though patent lawyers attempt to blur it. And even if correlation patents have been granted, the overwhelming majority of medical correlations, including those listed above, are not owned. And shouldn't be.

Unfortunately for the public, the Metabolite case is only one example of a much broader patent problem in this country. We grant patents at a level of abstraction that is unwise, and it's gotten us into trouble in the past. Some years back, doctors were allowed to patent surgical procedures and sue other doctors who used their methods without paying a fee. A blizzard of lawsuits followed. This unhealthy circumstance was halted in 1996 by the American Medical Association and Congress, which decided that doctors couldn't sue other doctors for using patented surgical procedures. But the beat goes on.

Companies have patented their method of hiring, and real estate agents have patented the way they sell houses. Lawyers now advise athletes to patent their sports moves, and screenwriters to patent their movie plots. (My screenplay for "Jurassic Park" was cited as a good candidate.)

Where does all this lead? It means that if a real estate agent lists a house for sale, he can be sued because an existing patent for selling houses includes item No. 7, "List the house." It means that Kobe Bryant may serve as an inspiration but not a model, because nobody can imitate him without fines. It means nobody can write a dinosaur story because my patent includes 257 items covering all aspects of behavior, like item No. 13, "Dinosaurs attack humans and other dinosaurs."

Such a situation is idiotic, of course. Yet elements of it already exist. And unless we begin to turn this around, there will be worse to come.

I wanted to end this essay by telling a story about how current rulings hurt us, but the patent for "ending an essay with an anecdote" is owned. So I thought to end with a quotation from a famous person, but that strategy is patented, too. I then decided to end abruptly, but "abrupt ending for dramatic effect" is also patented. Finally, I decided to pay the "end with summary" patent fee, since it was the least expensive.

The Supreme Court should rule against Metabolite, and the Patent Office should begin to reverse its strategy of patenting strategies. Basic truths of nature can't be owned.

Oh, and by the way: I own the patent for "essay or letter criticizing a previous publication." So anyone who criticizes what I have said here had better pay a royalty first, or I'll see you in court.