Monday, February 27, 2006
Don’t Get Stampeded By The 7.1 Parade
I’ve seen this over and over with people who are just getting into home theater as a hobby. When told they have a choice of 5.1 or 6.1 or 7.1 channels, their eyes glaze over and they mumble something along the lines of: “Um, well, I guess I’ll just keep my two speakers and think about it.” When speaking with newbies, I’ve learned to discuss surround as a 5.1-channel medium, which it essentially is, and leave it at that.
Why bug people with a choice that most would rather not make? The expansion of the 5.1-channel standard was born in the moviehouse, where it’s easier to cover a large space with surround effects if you add a back channel served by speakers in the back of the house.
In film exhibition, 6.1- and 7.1-channel systems make sense. At home, however, 5.1 channels are quite enough. It’s easy to generate a solid soundfield in a small space with three speakers in front and two on the rear of the side walls. To me it’s self-evidently nonsensical to have four surround speakers outnumbering the three in front.
Your family’s attention is riveted on the screen and that’s where a home surround system should deliver most of its firepower. Adding more channels gives your surround receiver more work to do. That’s never a good thing. Despite the “100 watts per channel” specs you see in spec sheets, the majority of surround receivers measure at more like 35.
So when an action-movie soundtrack swells up, it drives the receiver into clipping. This might sound like a slight deflating of dynamics. Or the sound may get harsher as it gets louder. In the worst-case scenario, the receiver overheats and shuts down. If you don’t like what you hear when you turn up the volume, clipping is what you’re hearing.
There are two ways to minimize clipping. One is to dump your receiver for separate components—a multi-channel power amp and a surround preamp-processor. This will cost you more money and make your system bulkier and more complex. The alternative is to buy speakers with a high sensitivity rating, measured in decibels (dB), say in the low to mid nineties. Unfortunately they’re not always the best-sounding ones. (Klipsch is one of the rare exceptions.)
Clipping is a fact of life in all except the most lavish home theater systems. But the goal should always be to minimize it. And adding needless surround channels makes it worse. When most folks go out to buy a surround receiver, what’s uppermost in their minds is the price point, not the size of the power supply. The slow, sinking feeling comes later—when they turn up the volume and don’t like what they hear.
At this point I should define a few terms. Feel free to skip this paragraph if you’ve just had a heavy meal. Dolby Digital and DTS are the surround formats used on DVDs; Dolby Digital also plays a role in DTV broadcasting. They originated as 5.1-channel formats. Their expanded cousins are Dolby Digital EX, also known as THX Surround EX, since the two companies co-developed it; and DTS-ES. In Dolby Digital EX, the side-surround channels are discretely encoded, while the back-surround channel (singular, though it may be served by two speakers) is derived from the side-surrounds by a technique called matrixing. Or as I prefer to call it, fakery. DTS-ES comes in two forms, Matrix (with the back-channel information faked) and the all-too-rare Discrete (with the back-channel information encoded in its own discrete channel). If you understood what I just said, you’re a fellow drooler; if you didn’t, you’re probably getting annoyed and losing interest, which is precisely the point I’m trying to make. I’ve limited myself to the barest essentials and just look at the length of this graf. Having to reread it makes me queasy.
If you’re worried about missing out on back-channel information in surround soundtracks, I’d advise you not to fret over it. Most DVD soundtracks are either Dolby Digital 5.1 or DTS 5.1. The high-res music formats, SACD and DVD-Audio, are strictly 5.1-channel affairs with no 6.1 or 7.1 equivalents. If you feed a 7.1-channel receiver with a 5.1-channel signal, it will usually fake something for the back-surrounds using Dolby Pro Logic IIx processing. For my own part, I’d rather listen to five (.1) honest channels and dispense with the sonic smoke and mirrors.
With the marketing of 6.1 and 7.1 surround, the industry has decisively outwitted itself. It has convinced many consumers to buy new receivers and more speakers. But it has also undermined the 5.1-channel standard, which is more appropriate for the home, slowing the acceptance of surround sound in general.
All right people, fess up. How many speakers are you using: five, six, or seven? And those of you who “upgraded” from 5.1, do you really feel your system has started sounding significantly better?
Mark Fleischmann is the audio editor of Home Theater and the author of Practical Home Theater (http://www.quietriverpress.com/).
Oedipus - Web application security analysis
http://oedipus.rubyforge.org/
Thursday, February 23, 2006
New DHCP For Linux?
By Sean Michael Kerner
A new DHCP client for Linux is set to take advantage of an expected new feature in a future Linux kernel.
The new DHCP client is being proposed by kernel developer Stefan Rompf and will (when completed) automatically recognize when a Linux user has disconnected from a particular DHCP server and look for a new connection.
But the effort is not without its detractors who feel that a new DHCP client is not necessary for Linux.
DHCP is a cornerstone of Internet connectivity, assigning dynamic IP addresses to user connections.
According to Rompf, current DHCP clients on Linux do not recognize temporary disconnections. Such disconnections are common for notebook users that travel between different networks or that roam different hotspots and WLANs.
Rompf argues that the disconnection is not necessarily a limitation of the current 2.6 Linux kernel, as the kernel itself will notify userspace of a disconnection/reconnection event.
However, a feature that is expected to debut in the 2.6.17 Linux kernel will make it even easier to deal with disconnection/reconnection events. The most current Linux kernel release is 2.6.15 with 2.6.16 currently at the release candidate 4 stage.
Rompf said the 2.6.17 kernel will allow userspace to influence connection event signaling, so that a DHCP client could be notified that a connection has terminated and the client should attempt to obtain a new IP address.
The problem, though, is that in order to take advantage of the new feature, you need software that will support it, and that's where Rompf's new DHCP client comes into play.
"The DHCP client is a userspace program to obtain IP configuration when connected to a local network," Rompf told internetnews.com. "It won't be part of the kernel, but I hope for distributions to pick it up.
"There are already DHCP client packages, but they were all missing one feature that is important for my personal work: They do not automatically renew the configuration when I connect to a different network."
Not everyone agrees with Rompf's assessment.
Jean Tourrilhes, HP's Linux Wireless Extension and the Wireless Tools project leader, is known in the Linux community for his wireless Linux efforts.
Tourrilhes noted that Wireless Extension has supported Wireless Events, which provide users with precise information about connection status, since the 2.4.20 kernel release.
A new DHCP may also come with its own particular shortcomings.
"The traditional DHCP client has a lot of scripting features and API features that are in use, and that will take time to duplicate in the new client if ever they chose to do it," Tourrilhes told internetnews.com. "Personally, I think that fixing the traditional client would have been a better project.
"But, Stefan has the right to have his own opinion and motivation, and this is always progress."
The ISC, the group that is the lead sponsor of ISC DHCP (a popular reference implementation of DHCP), also disagrees with the assessment that a new DHCP client is needed for Linux.
"We don't think it needs to be done again from scratch, and it is something we are interested in including in future releases of DHCP," ISC spokesperson Laura Hendriksen said. "The one change we would like to make as we move forward with this is changing from a polling mode to an event-driven mode."
So far, Rompf's effort is in the alpha stage and is in active development.
"I hope to have it in good shape when Linux kernel 2.6.17 is released, because this kernel will allow interaction between the DHCP client and an 802.1x supplicant, so that authentication runs first, and after the success of the IP setup," Rompf said.
"This will increase usability quite a bit."
A Word to the Wise on WiMax
A Word to the Wise on WiMax: "The approval of a mobile 802.16x standard could open the door to low-cost, wireless broadband -- but not for a few years. Investors might want to take the time to adjust expectations."
(Via Wired News.)
Friday, February 17, 2006
Network Filtering by Operating System
by Avleen Vig
02/16/2006
You manage a heterogeneous network and want to provide different Quality of Service agreements and network restrictions based on the client operating system. With pf and altq, you can now limit the amount of bandwidth available to users of different operating systems, or force outbound web traffic through a transparent filtering proxy. This article describes how to install pf, altq, and Squid on your FreeBSD router and web proxy to achieve these goals.
Mission Objective
In an ideal environment, there would be no need for bandwidth shaping, OS fingerprint-based filtering, or even Quality of Service (QoS). Several factors in the real world require a change of game plan. Bandwidth is not free, and many ISPs charge customers based on bandwidth usage. Worms, viruses, and compromised systems can all lead to higher bandwidth costs. In the wake of the W32.Slammer worm, which saturated the connections of infected networks, many companies saw their monthly connectivity bills skyrocket due to the worm's traffic.
Filtering your connections based on operating system can go partway to helping keep such situations from running away. While I will focus on filtering traffic from Windows systems, this process can equally apply to BSD, Linux, Mac OS, or a host of other operating systems listed in the pf.os file on your system. This may be especially useful to people running older versions of OSes that have not or cannot be patched but still require some network connectivity.
As an extension of transparent filtering, content filtering is also possible, with tools such as squidGuard allowing children and corporate desktops alike to browse in relative safety.
Tools of the Trade
During my research for this article, several people asked me why I chose to use BSD, pf, altq, and Squid for this task. Other tools come close to providing the required functionality, but none offers to fill the requirements as readily as these. Linux and iptables can work with Squid to provide a transparent proxy but cannot filter connections by operating system. Though other proxy servers exist, Squid is one of the best available today.
It is important to note that OS fingerprinting works only on TCP SYN packets, which initiate TCP sessions, and not on currently established connections or UDP sessions. While this will not be a problem for most systems and network administrators, you may want to pay more attention to your UDP filtering rules.
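The SYN-only limitation is easier to see with a small matcher, added here as an illustration; it is not code from the original article or from pf. It assumes the colon-separated field layout used by pf.os (window:ttl:df:size:options:class:version:subtype:description); the sample entries are constructed, and MAX_HOPS and all function names are hypothetical.

```python
from dataclasses import dataclass

MAX_HOPS = 32  # assumption: how far the TTL may have dropped before the router

# Constructed entries in the pf.os field layout (not copied from a real pf.os):
# window:ttl:df:size:options:class:version:subtype:description
SAMPLE_DB = """\
65535:128:1:48:M*,N,N,S:Windows:XP:SP2:constructed Windows-style entry
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.x::constructed OpenBSD-style entry
S4:64:1:60:M*,S,T,N,W0:Linux:2.4::constructed Linux-style entry
"""

@dataclass
class Syn:  # header fields of one TCP packet that the fingerprint is built from
    flags: int      # TCP flag byte (SYN=0x02, ACK=0x10)
    window: int
    ttl: int
    df: bool
    size: int       # total IP length in bytes
    options: list   # ordered (kind, value) pairs, e.g. [("M", 1460), ("N", None)]

def parse_db(text):
    """Parse signature lines into dicts, skipping blanks and # comments."""
    sigs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        win, ttl, df, size, opts, cls, ver, sub, desc = line.strip().split(":", 8)
        sigs.append({"win": win, "ttl": int(ttl), "df": df == "1", "size": int(size),
                     "opts": [] if opts == "." else opts.split(","), "class": cls})
    return sigs

def window_ok(spec, pkt):
    """Window spec: '*' any, '%n' multiple of n, 'Sn' n times the MSS, else exact."""
    if spec[0] == "%":
        return pkt.window % int(spec[1:]) == 0
    if spec[0] == "S":
        mss = next((v for k, v in pkt.options if k == "M"), None)
        return mss is not None and pkt.window == int(spec[1:]) * mss
    return spec == "*" or pkt.window == int(spec)

def options_ok(spec, pkt):
    """Option kinds must appear in the same order; 'M*' accepts any value."""
    if len(spec) != len(pkt.options):
        return False
    return all(want[0] == kind and (want[1:] in ("", "*") or int(want[1:]) == value)
               for want, (kind, value) in zip(spec, pkt.options))

def classify(sigs, pkt):
    """Return the OS class for a pure SYN, or None when no fingerprint is possible."""
    if pkt.flags & 0x12 != 0x02:   # not SYN-only: established traffic carries no signature
        return None
    for s in sigs:
        if (window_ok(s["win"], pkt) and 0 <= s["ttl"] - pkt.ttl <= MAX_HOPS
                and s["df"] == pkt.df and s["size"] == pkt.size
                and options_ok(s["opts"], pkt)):
            return s["class"]
    return "unknown"
```

Every field the matcher reads is chosen by the client's TCP stack when it opens a connection, which is why the classification exists only for the SYN and why a client that alters those fields will be classified as whatever it imitates.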
Installing pf and altq
pf and altq provide packet filtering and bandwidth shaping, respectively. Their relationship is not unlike that between IPFIREWALL and DUMMYNET, where the same rules file configures both pf and altq.
While pf is universally usable, altq requires a supported network card. The good news is that most network cards in common use are supported. Look at the Supported Devices section of man 4 altq to find a list of supported network cards.
Once you've confirmed you have a supported device, add pf and altq to your kernel. You will need to recompile your kernel as described in the FreeBSD Handbook. First, add a few options to the end of your kernel configuration file:
device pf
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
Note: If you are installing altq on a multiprocessor system, add options ALTQ_NOPPC to your configuration before you recompile your kernel.
After you have recompiled your kernel and rebooted, test pf to make sure it installed correctly with the command pfctl -s rules. If you see the error pfctl: /dev/pf: No such file or directory, pf did not install correctly. If you see the error No ALTQ support in kernel ALTQ related functions disabled, pf is working but altq is not. In the latter case, you will still be able to force users through a transparent proxy, but you won't be able to limit bandwidth using altq.
Installing Squid with Transparent Filtering Support
Install Squid with the command:
% cd /usr/ports/www/squid && make config install clean
This will present you with a list of options for compiling Squid. To enable transparent proxy support, select SQUID_PF. You can also select or deselect any other option. I often find SQUID_SNMP useful for gathering and graphing statistics using RRDTool. Once Squid is installed, edit /usr/local/etc/squid/squid.conf. Set at least the options:
http_port YOUR_PROXY_IP:3128
http_access deny to_localhost
acl our_networks src YOUR_NETWORK/24
http_access allow our_networks
visible_hostname YOUR_HOSTNAME
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Replace YOUR_PROXY_IP with the IP address your proxy server will listen on, YOUR_NETWORK/24 with your internal network address range (for example, 192.168.0.0/24), and YOUR_HOSTNAME with the hostname you want to show to users in error messages. YOUR_HOSTNAME is not required but extremely useful if you have a cluster of proxy servers sharing a common front end such as a load balancer.
While you can get by with changing only these options, you should spend some time going through the remainder of your squid.conf file and tuning it to your needs. Over time, you may need to tune various other options such as cache sizes or connection timeouts. The Squid configuration file is a behemoth; spending an hour now getting familiar with various options may save you time and trouble in the future.
Tuesday, February 14, 2006
Powerful Remote X Displays with FreeNX
Powerful Remote X Displays with FreeNX: "Imagine X server technology with compression so tight that GNOME and KDE sessions yield impressive response times when run over modems with SSH encryption. Don't pinch yourself; you're not dreaming! Tom Adelstein explains how FreeNX is the cure-all to many of X11's ills in this excerpt from Running Linux."
(Via Linux DevCenter.)
MSN TV Linux Cluster
MSN TV Linux Cluster: "I just saw this MSN TV Linux Cluster over on Engadget. The boxes have a 733MHz Celeron, 128MB RAM, 2 x USB, Ethernet, and a 64MB CF card for storage. That’s twice the RAM of an Xbox and with a node cost of $0.99 it makes a much more sensible and compact cluster. The only limit right now seems to be a 64MB capacity cap for the CF card.
You do need to build a level shifting serial cable to talk to it though. Microsoft included serial pins on the board, which is convenient. I think that a TTL to RS-232 level shifting box is becoming the second most useful device behind the bench power supply. You need to do serial level shifting whether you are talking to an NSLU, iPod, GP2X, or WRT54G. You might as well make the thing USB while you are at it. So, who wants to do the how-to?"
© 2006 Weblogs, Inc.
(Via hack a day.)
DEF CON 14 Beta FAQ v0.95 Now Available!
DEF CON 14 Beta FAQ v0.95 Now Available!: "An update to the official FAQ talking about DEF CON and DEF CON 14. Questions and Answers about the new hotel location, costs, events, resources and more. The next update will include a split into two FAQs. One for general DEF CON questions, and one for DEF CON 14."
(Via DEF CON Announcements.)
Sunday, February 05, 2006
Economically complex cyberattacks
Economically complex cyberattacks: "Most people working in cyber security recognize that the interconnections and complexities of our economy can have a huge effect on the destructiveness of cyber attacks. They refer casually to 'network effects,' 'spillover effects' or 'knock-on effects.' Yet there is little understanding of how such effects actually work, what conditions are necessary to create them, or how to quantify their consequences. People working in cyber security also generally acknowledge that combinations of cyber attacks could be much more destructive than individual attacks. Yet there is little understanding of exactly why this is the case or what the principles would be for combining attacks to produce maximum destruction. These two sets of problems are actually the same. It is by taking account of the interconnections and complexities in our economy that cyber-attackers could devise combinations of attacks to cause greater destruction. To understand how this would work, we need to look at three features of our economy that are responsible for much of its structural complexity: redundancies, interdependencies, and near monopolies. Then, as we examine these features, we need to see how each of them would prompt a different sort of attack strategy."
Network security basics
Network security basics: "Writing a basic article on network security is something like writing a brief introduction to flying a commercial airliner. Much must be omitted, and an optimistic goal is to enable the reader to appreciate the skills required. The first question to address is what we mean by 'network security.' Several possible fields of endeavor come to mind within this broad topic, and each is worthy of a lengthy article. To begin, virtually all the security policy issues apply to network as well as general computer security considerations. In fact, viewed from this perspective, network security is a subset of computer security. The art and science of cryptography and its role in providing confidentiality, integrity, and authentication represents another distinct focus even though it's an integral feature of network security policy. The topic also includes design and configuration issues for both network-perimeter and computer system security. The practical networking aspects of security include computer intrusion detection, traffic analysis, and network monitoring. This article focuses on these aspects because they principally entail a networking perspective."
Announce: OpenSSH 4.3 released
Announce: OpenSSH 4.3 released: "OpenSSH 4.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
We have also recently completed another Internet SSH usage scan, the
results of which may be found at http://www.openssh.com/usage.html
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.
Read more..."
(Via OpenBSD Journal.)
LinuxForum 2006: Several OpenBSD speakers
LinuxForum 2006: Several OpenBSD speakers: "
Thomas Alexander Frederiksen writes:
LinuxForum 2006 is the 9th annual Open Source conference in Copenhagen, Denmark.
It is the largest IT-conference in the Nordic region, and it's very popular due to being a low budget, high quality event. It is a joint venture between three local user groups BSD-DK, DKUUG and SSLUG.
On March 4th, Henning Brauer and Felix Kronlage will be among the many speakers on the technical day of the conference.
Read more..."
(Via OpenBSD Journal.)