Image via Wikipedia

For those who had been reading this blog for some time now, you may have stumbled across my blog post from 2008, regarding me buying a Nokia E90 - http://www.simionovich.com/2008/06/06/i-finally-purchased-a-nokia-e90.

Well, it’s a fact, since the year 1998, I’ve been an avid Nokia fan. I think I’ve ranged from the old Nokia 51XX, through the 6XXX up to the E61, E62 and E90 – if it was some funky Nokia phone that gave me some new feature, I most probably had it. I guess that the time I spent at m-Wise, working closely with various mobile content technologies had put its toll on me – and I became a Nokia Cell Phone addict. For many years I couldn’t imagine myself digressing from the Nokia clan. Even when my friends moved from their Nokia/Motorola/Ericsson phones to a star spangled iPhone – I remained faithful to my old habits – and remained with my trusty Nokia.

Image via Wikipedia

About two years ago I promised myself this: “If you ever decide to move to a touch screen phone, don’t go ala iPhone, stay for a Nokia phone” – so I waited. The initial Nokia touch phones came out. The first Nokia touch phone that came out, I believe shortly after the iPhone was the Nokia 5800, also known as the Nokia XpressMusic.

I’ve got one thing to say about this phone – “What the hell were you thinking???” – it’s a phone, not a bloody MP3 player – if I wanted an MP3 player, I would have bought an iPod. Apart from being the slowest phones I’ve ever encountered, its touch interface was annoying and disruptive.

So, I didn’t buy the Nokia 5800 – I simply had no use for it. At that point I decided to wait a bit more, and see what Nokia cooks up. Shortly after seeing the 5800 in dis-action, I met a new member of the Nokia clan: the Nokia 700.

The Nokia 700 was a totally new thing, not really a phone, not really a PDA – somewhat of a cross between the two. It was big and bulky, and I couldn’t imagine myself walking around with one of these – however, it showed some promise. Sure, it was big, bulky, slow and anything bad you can say about a device – however, it had one thing – it showed potential – something to look for. At that time, I decided that I needed a proper smart phone and purchased the Nokia E90 – and I was fairly happy with it till 8 months ago.

You are probably asking, why would an avid Nokia fan become displeased with his trusty E90 phone – the answer is simple – the plastics. The plastics are of such low quality, that after 18 months of usage, the paint job starts to peel away from the phone. As you run more and more applications, or store more data, the phone becomes sluggish and slow – to the point where you have to reset it.

So, 2 months ago I gave up, I said to myself: “that’s it, time to move forward and leave the Nokia clan” – but I still didn’t want to put myself with the iPhone clan – or to be more exact, the iPhone cult movement. While at the Amoocon convention, I came across some people who were using HTC phones, specifically the HTC Evo. Well, I was somewhat taken with this snazy piece of hardware. It was fast, it was fluid and for some funky reason, I felt at home with it. Could it be, have I found a new clan for my mobile needs? I returned back home starting to examine my options. The HTC Evo isn’t available in Israel, the next best thing is the HTC Desire.

The HTC Desire is also known as the Google Nexus-1, basically it’s the same phone. I tried using the Nexus-1, but I didn’t like it. Specifically, I didn’t like the fact that the four keys are touch based – on the HTC these are real keys, making my life much easier.

So now, I’m equipped with the HTC Desire, and apart from the occasional Android crash (not too often to be honest) – it is one of the best phones I ever had. It’s fast, syncs my life into a manageable construct and most importantly, it’s become a second nature to me. The only disadvantage of owning such a phone is that you need a massive Data plan with your carrier – this little machine can gobble up ten’s of megabytes on a daily basis. My old Nokia E90 was using 25MB of data per month, with the Desire, I consume that much in less than a day – that is an amazing number.

In order to get better into Android development, I’ve ordered an Eken M002 device. This is a 7″, Android based tablet PC. I’ll be posting information about that once it arrives.

Image via Wikipedia

When I started using Open Source software, it seemed like all Open Source projects are driven by philanthropic agendas. We were all focused on “sticking it to the man” – showing all these would be software vendors that community driven projects can do just as well – if not better.

"When I was a child I spoke as a child I
understood as a child I thought as a child;
but when I became a man I put away childish
things." - I Cor. xiii. 11.

Well, I’m not claiming that Open Source is childish – absolutely not, however, when you are a student you tend to look at things in one way, when you have a family to care for – you start looking at things differently. You remember these days in life when your dad said: “When you’ll have children you will understand” – well, now I do.

So, what am I rambling about exactly? I’ll tell you. The day before Passover I attended several meetings, which when I came back home had pissed me off immensely. I feel an urge to write all about these meetings, including who I met exactly, however – I won’t do that. However, I will give a rough idea of these.

Meeting 1 : A world recognized Mobile application player

I came into the meeting with this company, where the CTO of the company explained to me that they are looking to create an Asterisk based solution for their application’s users. My initial question was: how many users? what is your concurrency level? – The answer that I got was: “Oh, we don’t need something major, just a few lines of configurations in Asterisk config files in order to make this work”.

I left the meeting slightly pissed off, thinking to myself: “You bloody inconsiderate prick! You bring me to a meeting, spend my time – and then telling me that this is just a few lines of configuration. If it is that simple, why don’t you do it yourself? you have 20 developers in there, 4 IT people and god knows how many outsourced workers off-shore – if it was that simple, you would have done it already – so probably it isn’t – right?”

Meeting 2 : A well established IVR services vendor

The second meeting was with a well established IVR content vendor, this company runs around 16M minutes of inbound IVR traffic every month. They invited me in order to talk about expanding into new countries, wishing to get premium based access numbers in various countries. So, we started talking, and the guy indicates that he wants a certain kick-back payout, which I know is impossible – at least without charging the user more. Actually, the guy indicated that out of the interconnect fee, he wants to get almost 90% as a kick back.

Meeting 3 : A start up rendering IVR content

The third meeting was the most amazing one – these guys wanted to build an Asterisk system to server around 4000 concurrent channels – outsource the entire development to my company – and pay as a revenue share. When I asked for their business model, marketing plan, investors, profiles – I got a response of – we don’t yet have all of these, we only have an idea at this point that we want to implement.

Garage based companies are built by people who can do the work themselves, not the other way around.

At this point, you are probably asking yourself: “What does this have to do with the title?” – Well, all of these meetings had one thing in common. The people I met were under the impression that Open Source is some form of philanthropy. Or to be more exact, people who deal with the Open Source market are philanthropists. My question is this: “Why are we perceived as philanthropists? don’t we have families to care for? don’t we need to pay mortgages and bills just like everybody else?”. I guess when people read about the various Open Source entrepreneurs, such as Mark Shuttleworth – the immediately associate Open Source with Big Exists – this is not the case.

At some level, this is purely our fault – we educated people that Open Source is a highly economical methodology of solving technical challenges. No where along the way, had we educated the public that behind the model there are people, people who need to make a living.

If you are an Open Source consultant, developer, evangelist or just someone who may have an opinion on this, I’d love to read what you say.

Recently, I had to install the CheckPoint SecureClient on my notebook, which is currently running Windows 7 (ok, a linux guys running Windows 7 is something completely different, but let’s talk about that later). In any case, I’ve gone into the CheckPoint website, looking for SecureClient, and got a really funny Seinfeld flash-back:

This kinda reminded me of this:

Last night I met with a friend of mine, Mr. Doron Ofek. For those of you not familiar with the Open Source market in Israel, Doron is the one person most affiliated with RedHat in Israel, as Doron championed the adaptation of RedHat Linux servers in various enterprises and government offices in Israel. Doron is currently heavily involved in the OpenMoko project and its adaptation and promotion in Israel.

We spent a great deal of time last night, talking about the various aspects of Open Source training in Israel – as both us provide various training services to this market sector. While I’m mostly focused on Asterisk Training, Doron is focused on Linux and XEN training. Both of us have some our training routes knee deep in Israel’s computer/IT training companies, namely Matrix, Hi-Tech College and John Bryce. We both talked about our discontent with their inability to promote and market Open Source training courses, simply because they have no idea what these are.

For example, while Hi-Tech college were incapable of signing up a single person for an Asterisk Bootcamp course, I had signed up 10 people to a my first bootcamp – without any marketing or sales budget, simply by putting out the word in the right places. Now, Hi-Tech college has a list of over 5000 people who studied Linux and other Open Source and networking subjects in their college – should have they been able to gather up at least 10 people as well (less then 0.5% of their entire customer base)? the answer is a definite yes, why were they unable to do so? simply because they have no idea what Asterisk is, how it can be marketed, how it can sold and how the customer should be approached.

Doron had indicated a similar issue with both John Bryce and Matrix – however, due to other reasons. However, Doron had managed to sell quite a few training courses for Linux on his own – without any help from the big boys – how did that happen? how is it possible that Doron and I succeeded where the other colleges had failed? how can that be? – then we both realized why eventually, proprietary software will die and the Open Source movement, over the course of time, will simply negate the presence of proprietary software – simply because Open Source people provide for better marketing strategies and methodologies.

Did we learn how to do marketing on school? are we marketing people by nature? the answer is NO – we learned how to market our belief in the Open Source initiative over the course of time. We championed Open Source in various enterprises, events, public speakings and other places. We were the “soap box” speaker at Hide Park’s Speakers Corner, we were that crazy man on the street screaming: “The world is coming to an end, repent!” (well, you know what I mean) – but all in all, as time progressed we learned how to market the Open Source initiative and our belief – the large enterprises are stuck in their own belief and stagnant marketing strategies and plans. As time progressed, the various “champions” left the large enterprises, simply because they got fed up with the wrongful methodology of these and followed their own path – and doing so with moderate success.

In my belief, as time will progress, the large enterprises will surely migrate to the Open Source, and I won’t be surprised if within a period of 5-6 years Microsoft will be shipping out a version of Windows that is based on the Linux Kernel – or another Open Source distibution methodology. Call me crazy, call me chaotic, call me a dreamer – but mark my words – this will happen.

The Open Source movement had been in existence since the 60′s, and we can surely find its roots somewhere along the hippie culture and movement. While Free-Love had transcended to Free-Code, or to be more exact – Free-Knowledge, the question of the sources for your Open Source is still questionable. Comparing it with the Sixties, it’s easy to compare the various “Free-Love” movements with the various “Open Source Paradigms” of today. While GPL, BSD, MPL, ZPL and others preach for Open Source adaptation – each one took a different path.

While the paths differ, but the end result is more or less the same, all suffer from a serious lack – a bad reputation. While in the early 2000, Open Source usually meant – highly stable, state of the art technology, increased ROI, lowered TCO and most importantly for many – COOL. Coming 2008, Open Source is starting to get a bad rep, due to the ever increasing simplicity of entering the Open Source world.

I started using Linux somewhere around 1994. My first Linux distribution was a Slackware, with a kernel of 1.0.28 – I needed 99 floppy disks in order to install the system, and it took me a few hours to do so. However, I can’t forget my amazement at seeing the X-Windows environment booting up, and more than that, being completely overwhelmed with the fact that I have a fully functional UNIX environment in my house, just like the one I had in my Army office. Now, I basically had no one to teach me this new environment, so, I had to take my UNIX skills (Solaris and AIX) and adopt to Slackware Linux – it took me a few weeks to get around, but I got around and stuck to it ever since.

Now, let’s jump 14 years forward in time. The year is 2008, a graphic based environment for Linux is no longer a myth and it is getting better and better by the day. People are starting to adopt Linux beyond the academic and the ISP market sectors, slowly integrating Linux based distributions (Mandriva, Ubutnu) on to their desktops and notebooks. Linux is become simple and appealing to everybody.

When something becomes easy to use, people make good use of it – a good example is the Asterisk project. Projects such as TrixBox (AKA: AsteriskAtHome), PBXinaFlash, AsteriskNOW and others had made Asterisk into a simple installation product, that can be installed and managed by any half-decent sysadmin. Problem is, while a half-decent sysadmin will do a fair job of maintaining the system, a shitty sysadmin will crap everything to hell. But hell, that is true for almost anything related to computers or technology – there’s nothing new here! Well, there is nothing new and everything is now new. People who were more or less selling shoes 3 years, then 2 years decided to sell ISP routers, then a year ago started selling IP phones, are now selling Asterisk based systems – using these distibutions, while having no idea what they are selling or promoting. For these people, Asterisk is nothing more beyond FreePBX – once encountering deeper issues, will simply abandon the customer – leaving the Open Source product with a bad rap with the, now disappointed, customer.

I want to believe that other places in the world are different, I want to believe that Israel will reach a point in time when this doesn’t happen – however, I guess that only time will tell and I surely hope this will change in Israel.

After seeing well too many movies about the US and after visiting the US for a few times, many people tend to disrespect the FBI in the USA. While I have much respect for most law enforcement agencies, wherever these are located in the world, I must admit, that the latest warning from the FBI regarding Asterisk borderlines pure hystria and complete misunderstanding of the actual issue.

On Dec 8th, the FBI had issued the following warning:

New Technique Utilizing Private Branch Exchange (PBX) Systems To Conduct Vishing Attacks

The FBI has received information concerning a new technique used to conduct vishingⁱ attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBXⁱⁱ systems with Voice over Internet Protocol (VoIP), digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.

http://www.ic3.gov/media/2008/081205-2.aspx

Now, after a full weekend of frenzy trying to understand the cryptic warning the IC3 had issues, it was gathered that it is referring to an old time bug, related to Asterisk distributions prior to 1.4.18. Being familiar with the particular bug and the exploitation method – I can say this: They surely have no idea what they are talking about!

The exploitation of the bug requires several pre-requirements:

• A certain IAX2 configuration has to be deployed
• A certain version of Asterisk must be used
• A certain form of dialplan has to be existing
• You Asterisk server needs to be available on the Internet

Now, even when these 4 are met, the exploitation isn’t all that simple and that straight forward. So, in other words, if you are not utilizing any of the above, you can rest assured that your system is fine. In any case, any system is as secured as the dumbest user (in our case developer/sysamdin) who uses it.

As you probably already learned from a previous post, I’ve switched to Mandriva from my previous FedoraCore distro, running on my home PC and my old ThinkPad T42 notebook.

Recently, I’ve signed up with Cellcom, an Israeli cellular provider for data connection only. I’ve received a Sierra AirCard 880E, which installs easily on Windows and on MacOSX, however, Linux was a little tricky. While reading several sources around the internet, dealing mainly with some shell based scripts – Mandriva is different – simply requires a bit to know the Mandriva framework in order to get it working right.

Step 1: Know where your AirCard is

As the AirCard is inserted to the computer, Mandriva will automatically load the respected kernel module and will automatically assign the /dev/ttyUSB0 device to it.

Step 2: Mandriva Control Center

In the Mandriva control center, launch the network configuartion tool for creating a new connection. Here’s the trick, you need to create a “POTS” connection, not a 3G/EDGE connection. The reason is that the EDGE/3G functionality is maintained by the AirCard itself, Linux has nothing to do it.

Step 3: Configure your connection

I named my connection as Cellcom and setup the following as my dial-in number: *99# – this is very important. Select PAP/CHAP as your login type and set both the username and password to be “cellcom”.

From this point onwards, you should be just fine and up on the network in no time

Like most of the world, I’ve been following the recent market turmoil with a great burden on my shoulder. When you think about it, I’m not a stock broker, nor am I a multi-billionaire that has his funds invested in various stocks and bonds, that a single 0.1% shift in the NASDAQ translates to millions of dollars. I’m a software developer, a freelance one, dealing in the Open Source – and like anybody else, I’m worried about how this crisis immediately affects me.

Today, I came across two items, post on www.themarker.com – Israel’s topmost Internet based financial/business daily. The two items dealt with how three of the better known VC’s in Israel had started instructing their investees to start cutting down costs – mainly, firing people. The three VC’s that I’m talking about are: Carmel Ventures, Benchmark Israel and Sequoia Capital. You are probably wondering why is this interesting? the VC’s in the item had directly instructed their investees to cut down people, costs, operational costs, loose dead weight – in other words, find ways to reduce your costs. Sequoia even out did Carmel and Benchmark, by inviting the investees to a meeting called: “RIP: Good Times”!

Shortly after I finished reading the two items, I got a phone call from a friend working at one of Sequoia’s companies (a well known one in Israel) asking me if he can come work for me. I was surprised, this is the first time I’ve ever read something in the news, and was directly affected by it. As far as I gathered, his company basically took a team of 8 people and reduced it to 2. Now, I completely understand tightening up, but running an operation on a 25% man power is stupid! Running at 50% is manageable, but 25% is down right crazy. For 2 people to do the work of 8, they would need to eat, drink, sleep, live, do everything within the office – I know, I’ve been there. During the year 2003, m-Wise was more or less in the shit. In the year 2002 I had a team that consisted of another SysAdmin and 3 more support techs. In 2003 I was left alone, and I basically did everything myself! – how crazy is that. But again, I decided that I’m not going to have a life for a certain period of time – that is all, not everybody is willing to make that sacrifice.

Now, this case goes hand in hand with my previous post – the migration to Open Source technologies is no longer a myth or a “nice-to-have” issue, it is a matter of business continuity and good expense management. Think about it, the company that fired 75% of their team, could have easily replaced part of their server infrastructure from Windows to Linux, migrate their Oracle database to PostgreSQL and save thousands and thousands of dollars a year, and maybe even save a job or two in the process.

Now, here’s what I think (and I know for fact I’m gonna get slammed here): Hey, VC’s, stop telling the companies to let go people. Sure, get rid of dead weight – no one needs those M$ based shitty, money grabbing, time consuming, hardware intensive environment. Wouldn’t it be better to not pay M$ a few ten’s of thousands of dollars a year, and maybe save a man’s job, or maybe even 2? M$ has enough money of their own, all you are doing is making sure they keep on making money, while the rest are fighting for their lives. Why don’t the VC’s hire Open Source consultants, to help them examine their investees and maybe, just maybe, they will find ways to invest their funds in a wiser way and help these companies to survive the current financial turmoil.

OK, saying that the Tux pengiun is cute and fuzzy, and saying that it is one of the cutest mascots in the world is one thing. But using it as the logo of a company that manufactures “Fever Pads”, now that’s something completely different.

The following image was taken using my cell phone, when I was visiting “Super Pharm”, in Eilat. For all the people not from Israel, “Super Pharm” is the Israeli equivalent to the American “Duane Reede” (NYC) or CVS (world wide) or the UK based Boots.

Linux based Fever Pads

So, what do you think, are these guys using Linux as an integrated part of their “Fever Pads”?

Back in the year 1999, long before I started my Asterisk days, I spent most of my time as a security consultant and cyber forensics expert. I remember that in those days, most of the hacks were script kiddies exploiting some Windows IIS well known hole, and you would usually get the “Hacked by Chinese” black display on your website – how annoying!

In any case, I’ve recently replaced my co-location firewall. I’ve migrated from a Linux system running IPtables with a manual script, to a fully blown IPCOP installation. Ok, so IPCOP is nothing more than a fancy GUI for IPtables, but hey, it makes my life a whole lot easier on the management side – and it’s very stable – so who am I to complain?

I’ve decided to run a small experiment, I wanted to setup a Linux box, with a root password of 123456. My question was this, how much time will pass from the moment the machine was up, on a new IP address, till the machine gets hacked – and more importantly, from where and what got installed on the machine?

So, the machine fired up for the first time at Fri Jul 25 23:19, believe it or not, the machine got hacked at Sat Jul 26 00:50. A mere 90 minutes into the air, and the machine got hacked. The funny thing was that at Sat Jul 26 03:09 it got hacked again to the same account, then at Sat Jul 26 03:21, which also closed the root access via SSH at this point. Following below is the last log:

root     pts/0        77.127.137.52    Sat Jul 26 06:04   still logged in
reboot   system boot  2.6.18-53.1.14.e Sat Jul 26 06:02          (00:17)
root     pts/1        92.80.195.126    Sat Jul 26 03:21 - 03:24  (00:03)
root     pts/0        78.110.163.31    Sat Jul 26 03:09 - 05:20  (02:11)
root     pts/1        60.220.240.7     Sat Jul 26 00:50 - 00:50  (00:00)
root     pts/0        77.127.137.52    Fri Jul 25 23:24 - 01:39  (02:14)
root     tty1                          Fri Jul 25 23:22 - 23:24  (00:01)
reboot   system boot  2.6.18-53.1.14.e Fri Jul 25 23:19          (07:00)
root     tty1                          Fri Jul 25 22:14 - down   (01:03)
reboot   system boot  2.6.18-53.1.14.e Fri Jul 25 21:58          (01:19)

I admit it, putting a machine on the open net, with a root password of 123456 and open root access to SSH – that’s kind of a honey pot the size of the grand canyon. But what amazed me here was not the speed, but actually the locations of the hacks: 60.220.240.7, 78.110.163.31 and 92.80.195.126. One hacker is in China, the other in Romania and the third in the UK. What is this? a real hacker? maybe 3 different robots scanning? – I can’t really tell here. However, the traces they left were interesting enough – which lead me to believe we’re talking about robot hacking.

First off, a look at /var/log/audit/audit.log immediately showed the logins – the hacker didn’t even remove the log file – marking of a script kiddie running an automated script. So, what did they leave on my box, let’s take a look. Running ‘netstat -apn | less’ would show me open ports, unless netstat was replaced. However, lets start with this:

tcp        0      0 172.31.31.16:34183          195.47.220.2:6667           ESTABLISHED 2940/crond
tcp        0      1 172.31.31.16:57263          195.54.102.4:6667           SYN_SENT    2940/crond
tcp        0      1 172.31.31.16:46043          195.68.221.221:6667         SYN_SENT    2940/crond

Ok, so this is most probably an IRC bot waiting for instructions from the hacker – till now nothing special. The script tries to masquerade the bot with a legitimate process name: crond. Well, that may fool a beginner Linux Sysadmin, however, seeing crond connecting to 3 other hosts at TCP 6667 – ok, that’s kind’a lame – no?

I wonder where he hid the script? maybe he replaced crond?

root@pbx:~ $ find / -name "crond"
/usr/sbin/crond
/var/tmp/.www/crond
/var/lock/subsys/crond
/etc/sysconfig/crond
/etc/rc.d/init.d/crond
/etc/pam.d/crond
root@pbx:~ $

Hmm… /var/tmp/.www/crond looks promising, let’s see what’s in there:

root@pbx:~ $ ls -la /var/tmp/
total 24
drwxrwxrwt  4 root root 4096 Jul 26  2008 .
drwxr-xr-x 25 root root 4096 Jul 25  2008 ..
drwxr-xr-x  2 root root 4096 Jun 27 17:03 .spd
drwxr-xr-x  4  501  502 4096 Jul 26  2008 .www

Yummy! Let’s check it out:

root@pbx:/var/tmp $ ll .spd/

total 1316

-rwxr-xr-x 1 root root    265 Nov 19  2005 gen-pass.sh

-rwxr-xr-x 1 root root     72 Jun 26 19:43 pass_file

-rwxr-xr-x 1 root root  21407 Nov 19  2005 pscan2

-rwxr-xr-x 1 root root    218 Jun 27 16:59 s

-rwxr-xr-x 1 root root 453972 Nov 19  2005 ss

-rwxr-xr-x 1 root root 842736 Jun 26 19:20 ssh-scan

-rwxr-xr-x 1 root root    312 Jun 27 17:02 x

root@pbx:/var/tmp $ ll .www/

total 888

-rwxr-xr-x 1  501  502    353 Jul 26  2008 1.user

-rwxr-xr-x 1  501  502    349 Jul 26  2008 2.user

-rwxr-xr-x 1  501  502    353 Mar 14  2009 3.user

-rwxr-xr-x 1  501  502    317 Nov  6  2007 autorun

-rw-r--r-- 1 root root      0 Jul 26  2008 belgian.seen

-rwxr-xr-x 1  501  502    942 May 15  2003 checkmech

-rwxr-xr-x 1  501  502  23237 May 15  2003 configure

-rwxr-xr-x 1  501  502 492135 Mar  4  2005 crond

-rwxr-xr-x 1  501  502     48 Jul 26  2008 cron.d

-rwxr-xr-x 1  501  502    171 Jul 26  2008 cutitas

-rwxr-xr-x 1  501  502   4147 May 15  2003 genuser

-rwxr-xr-x 1  501  502    157 Jul 25 17:36 LinkEvents

-rwxr-xr-x 1  501  502      0 Oct 15  2007 lucifer.seen

-rwxr-xr-x 1  501  502   2154 May 15  2003 Makefile

-rwxr-xr-x 1  501  502     14 Jul 26  2008 m.dir

-rwxr-xr-x 1  501  502  22882 May 15  2003 m.help

-rwxr-xr-x 1  501  502    748 May 15  2003 mkindex

-rwxr-xr-x 1  501  502   1043 Jul 26  2008 m.lev

-rwxr-xr-x 1  501  502      5 Jul 25 17:35 m.pid

-rwxr-xr-x 1  501  502   1068 Jul 26  2008 m.ses

-rwxr-xr-x 1  501  502   1675 Mar 25  2009 m.set

-rwxr-xr-x 1  501  502 167964 Mar 16  2001 pico

-rwxr-xr-x 1  501  502  84476 Jun 23  2006 pico.tgz

drwxr-xr-x 2  501  502   4096 Jul 23 15:48 r

-rwxr-xr-x 1  501  502    661 Jul 12 22:00 shadow}{700.seen

-rwxr-xr-x 1  501  502    661 Jul 12 22:00 shadow}{800.seen

-rwxr-xr-x 1  501  502    715 Jul 12 22:00 shadow}{900.seen

drwxr-xr-x 2  501  502   4096 Jul 23 15:51 src

-rw-r--r-- 1 root root   1842 Jul 26  2008 zak.seen

Looks like .spd is the SSH scanner and the .www directory contains the actual bot binary – ok, I can respect that. The contents of the cron.d file suggested that the script utilizes crontab to verify that the bot is always up and running – and examination of its code assured me of that.

So, what have we learned from the above: just one thing! When installing a server for the first time, DON’T USE A SILLY PASSWORD LIKE 123456 – EVEN NOT FOR THE INSTALLATION PHASE! Scanning robots appear to be scanning the entire Internet over and over and over again, doing so in seconds – so by the time you install your server, set it up completely, there is a good chance it will already be compromised.

Lately I’ve come to the realization, that we are to blame for our own inability to promote Open Source and the adaptation of Open Source proficiency. Being an Open Source evangelist and consultant, this is very weird to be said by one like myself, however, this is my realization – and I will explain.

In the early days of Open Source adaptations (late 90′s, early 2000), Open Source software was a somewhat magical solution that meant: pay nothing, get more. Software packages like Linux, Apache, mySQL, PostgreSQL and programming languages like PERL and PHP had lowered the bar on the adaptation of new technologies, and enabled a prolific number of solutions and services.

I still remember the early days, when a Windows based Mail Relay would cost anything between 800$ to 1200$, and I would come in with a Linux based solution that would do the same thing for FREE – amazing. As time progressed, so did the technology and the penetration of Open Source into new fields. CRM, ERP, Telecoms, management – all of these now enjoy a diverse number of Open Source solutions. However, the original concept of ‘Open Source = Magical FREE Solution’ had still remained in the minds of managers and business people.

Today we are confronted with ‘would-be’ Open Source solution experts, which adopt and develop upon Open Source products and project various applications. In example, let’s take a look at Asterisk. Asterisk has a multitude of Open Source solutions, ranging from PBX system, Prepaid calling cards, Wholesale routing platforms, Attendance system, Presence systems – and even a plant watering solution. The problem with this ever growing number of solutions is that Asterisk is immediately considered to be: “A magical solution” capable of solving any problem – when it’s not even remotely related to Asterisk. For example, a friend of mine had been asked to develop an Asterisk based solution, that would support a total of 250 concurrent call initiations and up-to 3000 concurrent calls on the system. Any Asterisk developer would take a look at this, and would immediately say: “Hmmm…. this requires several servers, but hey, what about the application itself? that would also have an impact”. Now, the customer of the project has a ‘would-be’ Asterisk tech in his company which said: “I was able to initiate 200 concurrent SIP invites to Asterisk via SIPP, no problem’ – HELLO! STUPID! where’s the application? where’s the database? where’s the user information flow? comm’on, are you listening to yourself speak? or simply are filled with the gasses coming out of your ass that are affecting your brain?

Now, once the customer learns that Asterisk is most probably not the right solution for the problem, he becomes angry. Why? because he now learns that he needs to spend about 10 times more money than he anticipated for the creation of this tool – well, that’s life when you have no idea what you are doing/saying, and you believe in magical solutions. However, we – “The Open Source Community – is the one to blame for this scenario, because we got the world accustomed to the idea that Open Source is like magic – flip the Linux magic wand, and the rest will solve itself.

I’d like to open the floor for discussion on this, as I believe most of you will have something to say about this.

Ok, I admit it, the topic sounds ultra geeky and nurdy – but I can’t help it, there is something about booting up your computer from a USB pen drive, having all your nicely wrapped tools in there and having fun with it.

In this case, my pen drive is actually the driving force behind an extremely powerful call recording system, based on the Asterisk Open Source PBX system. Essentially, the Cruzer boots up a CentOS 5.1 system, fully equipped with an Asterisk + Zaptel + LibPRI + FreePBX. The system is configured to utilize up to 12 E1 circuits, with auto sensing scripts that will automatically configure your system upon first boot-up. Once the system had booted up, it will start identifying your hardware hard drives, and will start cataloging to these hard drives all the recordings according to the pre-determined logic.

I currently use a MySQL database on the Pen Drive to store catalog information only, which is working nicely – but I need to figure out a better way to store more information – 2GB of MySQL storage may be enough for a short while, but serving a large contact center won’t be much of a good idea – I think.

The Pen Drive was created using tools from www.pendrivelinux.com, which contains wonderful information about how to create your own custom Linux based Pen Drive – Excellent!

While Open Source projects around the world gather up the troops and become recognized for what they are: highly polished, highly effective, extremely economical products – the situation in Israel is fairly different. We’ve all heard about companies like Zimbra (recently acquired by Yahoo), MySQL (recently acquired by SUN) and others, which had struck BIG TIME. However, the situation in Israel differs immensely.

I’ve been invited to participate in a panel at the Garage Geeks, to discuss the various aspects of Open Source sustainability. I’ve made it my business to build a business completely surrounded by Open Source, devoted to the promotion and adaptation of Open Source – and when possible, the promotion of Open Source licensing models and the understanding of what they mean.

In one of my previous posts, I’ve indicated that Open Source projects are highly exploited in an illegal manner in Israel, thus, making Open Source business in Israel a high target for Open Crooks. The question immediately arises, how can an Open Source project become successful? In addition to that, what are the factors that make a good Open Source project a grand Open Source project.

Step 1: Features

For an Open Source project to become popular and frequently used, it should have an extensive range of features, which is constantly being upgraded and enhanced. Taking from my own personal favorite, let’s take a look at Asterisk – the Open Source PBX. Over the course of the past 5 years, Asterisk had evolved to include hundreds of features. Each new feature in an Open Source product expose it to a new market. With Asterisk, the introduction of an Answering machine detection tool had introduced it to the automatic dialer and contact center market. The introduction of LumenVox speech recognition had introduced it to the ASR market, and so on.

While features are important, it is also very important to make sure the features included are features that the community and users require. While it is really cool to have a mod_kitchensink for the Apache web server, no one really uses it.

Step 2: Community

In order for an Open Source product to become successful, it MUST have a vibrant and active community – better yet, more than one. While an active developer community is important for the advancement of the project, a set of auxiliary communities is required. A users community is a must, rendering support and usage ideas to its members. No less important is a business oriented community, one that speaks to the manager level people, those making the decisions in organizations. Tap into that level, and the Open Source project is now gaining followers from other side of the border.

Managers tend to be highly traditional in thinking, not inclined to utilize Open Source at first try. A vibrant business community of the Open Source project can do wonders to the project, especially with its promotion and adaptation into existing and new business structures.

Step 3: Funding and Sustainability

Funding an Open Source project doesn’t entirely mean – MONEY! Well, eventually it does mean money, but not in the normal way we think or work with money. Open Source developers don’t work primarily for the money, the driving force behind Open Source developers is different. Question be: “If Open Source developers aren’t motivated by money, why would you need funding?” – the reason is simple, the surroundings of an Open Source project require funding.

The surroundings of an Open Source project mainly include the following: public events, developer meetings, servers, hosting, travel fares, participating in trade shows and others. All of the above are generally associated with Marketing, however, marketing an Open Source project is sometimes as important as the project itself. If we are to examine the growth of the Linux community and user base in the world, we are mainly thankful to RedHat in its early days (1996-2001), closely followed by Debian with its recent off spring Ubuntu (2006-2008). Imagine, you can now go into an IBM dealer and ask to buy your notebook with Linux, how cool is that? how did that happen? did the world suddenly realise Linux is better than Windows? – the answer is NO! The marketing efforts of these companies had proven worth while, as the concept of using Linux as a desktop became common in recent years.

Step 4: Training and Certification

If your Open Source project is UberGeek targeted only, than you have a very slim chance of making it big. Lowering the bar on the requirements for the adaptation of an Open Source project is highly important and can be mostly achieved by training and certification. The training makes it possible for people to learn more about an Open Source project, while the certification makes the project seem more desirable and exclusive.

Why do people seek M$ and Ci$co certifications? simple, because they know these certifications mean something to manager level people and decision makers. The certification is a written (actually printed) proof that you know what you are talking about and that you are truly a professional working in the field of that Open Source project.

Conclusion:

If all of the above are met, you are surely on your way to create the next big Open Source project – and you are on your way to world fame and rock-star feeling.

Since I’ve released my dialer framework demo about 2 months ago, I’ve been swamped with many requests from various contact centers around the world – to utilize my dialer framework for the development of a custom made predictive dialer.

For those of you who are not in the know, a predictive dialer is a tool that is capable of analyzing the performance of each agent in a contact center, accurately predicting when his current call will be completed, and thus, start calling outbound to ensure that the agent is utilized as much as possible.

Most contact center managers believe that if an agent is utilized 100% of the day (or at least a close enough number), they will maximize their profits and work will be done faster. This is not always the case, and there are some cases where predictive dialers will be nothing more than a “White Elephant”, sitting in your call center, doing nothing.

Considering the following scenario: We have a contact center selling computer insurance plans by phone. Each agent is trained to make a sale, that is: “Don’t get off the bloody phone without a credit card!”. One of the issues with such a contact center is that there is no-way of predicting how long a sale will take. Lets imagine that one call a sale happens in 15 minutes, while in the next, we start with the kid in the house, move to the older brother, move to the mother, move to the father, ending up making a sale after 35 minutes. In other words, we have no way of profiling an agent, as there is no proper profile to the customers.

So you can argue that by utilizing statistical models and proper targeting of potential customers, we can go about and perform more accurate predictions. However, these predictions will all go up in flames, the minute a deviation from the norm of the statistic happens. We then immediately create a form of ripple effect, that is then carried across the entire contact center.

In the book “The Goal“, by Eliyahu M. Goldratt, the author tells us a story about a group of boys walking in the woods. The group of boys constantly are unable to walk the path at the designated speed, due to various timing and synchronization issues. In theory, a predictive dialer is used to better synchronize the contact center intake (numbers to be dialed), with the contact center’s ability to perform (the ability to make a sale). However, this model fails when the sale constraint is unknown, thus, making the entire model fail.

In most cases, contact centers are better off using “Preview Dialers” and not “Predictive Dialers”, unless, the contact center is highly targeted with its campaigns and sale strategy. A “sell or die” contact center strategy immediately negates the possibility of accurately measuring the contact center performance and bottle necks, thus, having an automatic pace creator in such a scenario will become redundant and will most probably just cost funds.

As an Open Source consultant and evangelist, I’m sometimes amazed at the sheer GPL violations companies do, in the persuit of an exit. First of all, let us understand that general aspects of utilizing a GPL product:

1. You are FREE to download, use and modify any given source code.
2. In case you re-distribute your modified code, one of the following MUST apply:
   • You must re-distribute your code in source form to your customer, and/or
   • You must contribute your modifications to the main source code of the project, and/or
   • You must obtain a proper license/permission from the original author of the open-source code you are using.

These are more or less the basics, in lamen’s terms – without getting into the legal stuff that is usually some acustomed to these issues. So, in general, the basic limitations about using Open Source in a commercial products are mainly related to re-distribution. Modifications for personal-commercial usage (as long as no-distribution is performed) is permitted.

My work mainly involves the Asterisk Open Source PBX project. The world PBX market is a multi-billion dollar market, thus, for a company to infringe on the Asterisk GPL code may be a highly lucrative violation.

I’ve recently learned that 4 different comanies in Israel, all operating within the office PBX market, are violating the Asterisk GPL code. One company had embedded Asterisk as an auto-attendant and voicemail, while another had embedded it as a smart call-routing engine. Now, in general, if they would have used Asterisk as-is, that wouldn’t have been a problem. However, they had performed modifications to the Zaptel drivers, to work with their proprietary cards, they had modified the Asterisk code to work with various processors (mainly ARM) – and when asked for the modified code, their immediate claim would be: “Sorry, that is proprietary information”.

My main concern here is different, as companies will always be companies. All these modifications are performed by Open Source consultants and evangelists. Question be asked, why would an Open Source aware consultant enable this? the answer is simple, he needs to EAT! For the sake of making a living, sometimes (usually most of the times), a consultant will put aside his belives and idiology and will perform a violation knowingly. He would usually explain the violation to the customer, in such a way, that makes him feel good about himself and will pass the responsibility to the customer.

While the above may pass the responsibility to the customer, the consultant is as guilty (from my POV) as the customer. A consultant permitting the violation of GPL code can’t be considered a true Open Source conultant and Evangelist. Open Source is not only a way to earn some money, it is a way of life and a methodology of behavior – if one truely believes in it, one should stick to it all the time. If you know that a project you are about to take is a GPL violation, you should do the following:

1. Don’t accept the project, till the customer had given you a written proof that they are aware of the GPL violation, and their commitment to contact the original authors to obtain a proper license to the code.
2. Don’t accept the project, till the customer had given you a written proof that they are aware of the GPL violation, and their commitment to release the modified version of the code to the public or to the up-stream project.
3. Don’t accept the project, till the customer had given you a written proof that they will re-distibute the modified source code to their customer.

 If one of the above is not met, simply DON’T TAKE THE PROJECT!