Archive for the ‘Unix’ Category

Apple to use ZFS as “the” filesystem for OS X 10.5?

Wednesday, June 6th, 2007

That seems to be the scuttlebutt, based on information from various execs at Sun. Apparently Apple’s been so interested in ZFS because they’re planning on making it the default filesystem in OS X Leopard (10.5).

When I first heard that Apple was interested in ZFS, I hoped and prayed that it would come to this. I’m still fervently hoping that Apple really is planning on making ZFS “the” Mac OS X filesystem, because even though HFS+ works, I’ve still never really been entirely comfortable with it. Honestly, ZFS won’t really buy much for the average joe for things like laptops or other single-drive systems, outside of the amazingly better data integrity checking that’s built in, but for multi-drive systems, I think ZFS will really come into its own. A Mac Pro with four 750GB or 1TB hard drives installed is the perfect place for ZFS to be used for both speed and redundancy.

I’m definitely interested to see what will actually come out during the WWDC about Leopard.

Gallery online!

Tuesday, April 24th, 2007

Well, I’m not sure what’s been changed on the server yet, but I finally have Gallery2 up and running at gallery.unnerving.org. I suspect that Apache’s mod_security was getting in the way, and it might have been disabled. I’ll be able to confirm this when I hear back from my friend that’s running the hosting.

What’s most wonderful, in my opinion, is that the iPhoto2Gallery plugin works perfectly. This makes it almost painless for us to start uploading photos that we want to share, since all our recent photos (taken with our Canon digital camera) are managed in iPhoto on the iBook.

I love good technology days. Heck, I even solved some problems at work today.

Three useful Mac tips

Tuesday, October 10th, 2006

So I wanted to keep my PowerBook from automatically mounting the backup drive if I happen to have it connected, and went trowelling through macosxhints.com to see what I could dig up. I can’t remember my search terms, unfortunately, but I did find a link in a comment to a MacGeekery.com article explaining how to hide partitions or volumes and keep them from automatically mounting. Bingo! Exactly what I was looking for.

In my searching, though, I found a very useful article detailing the voodoo necessary to install Mac OS X with multiple partitions for the OS, /Applications, /Users and a separate swap volume. If I ever get myself that Mac Mini I’d love to have and a copy of OS X Server, I’ll have to give that a try.

Finally, as I’m getting ready to go to bed, I’m scanning through my RSS feeds in NetNewsWire and found this article on TUAW pointing to this article on TidBITS explaining how to stop your PowerBook, iBook, MacBook or MacBook Pro from waking up from sleep when you open the lid. Score.

Three helpful tips in less than five minutes.

FreeNX: cool. VMware: cool. Another project: cool.

Saturday, June 17th, 2006

I’ve been wanting, for a while now, to set up a FreeNX server on my Linux box at home, and another on my Linux box at work. I’d like to get both my home and work Linux systems to the point where it doesn’t matter if I’m at the console or coming in over the network from my PowerBook and I get the same environment. It’s a laudable goal, in my opinion.

This is actually part of another project I’m undertaking at home, of setting up the free VMware Server on my Linux box to create virtual hosts. I’d like to create a virtual image for two Windows XP images (one for my wife and one for me, and yes, I have two XP licenses for this purpose.) I’m thinking at least one or two other virtual images for Linux and some other experimentation I’d like to be doing. At any rate, I was figuring, if I can work out how to get FreeNX working, I can have my virtual Linux system make itself public via FreeNX, and each of the Windows hosts available via RDP.

In short, I’m swinging very heavily into the “virtualization and remote access are good” camp. Because, well, it’s good. Having ready access to a stable host over low-bandwidth links and being able to disconnect and resume a work session without much in the way of hassle at all is really handy. Ask any sysadmin.

All that said, back to FreeNX. FreeNX is to Unix systems what Citrix MetaFrame is to Windows systems. Snappy, fast remote access to a full GUI desktop. NoMachine sells the Server in a variety of licensing packages, and the clients are available for free. I figured I’d play with FreeNX, since it’s a free re-implementation based on the GPL code that NoMachine released for their products. Basically, if I liked what I saw with FreeNX, I’d strongly consider paying for the commercial version if it’ll get me better support.

I’ve only just now found the proper links for good documentation on FreeNX, so it looks like I’ll have to make a report in the future about how it goes. In the meantime, I’m going to work on installing VMware Server and cursing my current system install, which is never optimal. :)

Your chain is only as strong as its weakest link

Sunday, April 9th, 2006

In an effort to spare others the pain that I’ve gone through in the past week, here are some helpful pointers for avoiding giving an attacker an “easy” way in to your systems.

Don’t assume that because you lock down your network traffic at the firewall that you can avoid any of these issues.

  1. I originally thought I didn’t have to mention this, but you’re already not allowing any unencrypted login access to the system, right? No telnet, no rsh/rexec/rlogin, no unsecured IMAP/POP3? You’re sure? You’d better be sure.

  2. Whatever you do, block X11 traffic everywhere you can.  At the border.  On the individual hosts.  At any intermediary routers.  If you’re running a thin-client lab and the host server is on a different subnet, make an exception.  Otherwise, shut it the hell down. When a remote X app is needed, it can be tunneled by SSH.

  3. Don’t automatically enable ForwardX11 or ForwardX11Trusted in SSH.  If you connect to a compromised host, you could very well be doomed.  It’s not that hard to toss an -X or -Y onto the command line when you really _do_ need to fire up a remote X app.

  4. Never, ever, under any circumstances, allow root logins via ssh.  PermitRootLogin no is your sshd friend.  If you absolutely must allow root to log in, choose between without-password (only public key authentication) or forced-commands-only (which will only allow you to run commands and not get an actual shell, again by public-key authentication only.)

  5. Never, ever, under any circumstances, use the same administrator/root password on more than one machine.  If you’re using LDAP or NIS, exclude all privileged users from your directory.  This does mean you need to keep a store of these passwords somewhere, if you have a lot of them. I’d suggest gpg-encrypting them onto a USB stick on a trusted host. We’re looking at PDAs that will allow us to lock/encrypt data on them, too (more useful). Change the root passwords periodically. A tool like apg (A Password Generator) is your bestest friend. I run it like:

    apg -n 10 -m 8 -x 8 -t -a0 -MNCl

    This will generate ten pronounceable eight-character passwords that will include at least one numeric, one capital letter and lowercase letters. Some people really want to have non-alpha-numeric characters in passwords, too. For that, just change the -MNCl to -MNClS and be happy with symbols.

  6. On any machine that’s not meant for general use, disallow all but the absolute necessary logins (i.e., only admin staff).  On top of that, disallow SSH password authentication, and force all your staff to use public-key authentication.  Ensure that staff have workstations that have workstation-local home directories, to prevent the private keys from leaking out to insecure hosts.  This way, even if a password gets cracked, an attacker still can’t easily log in to these locked-down hosts without brute-forcing an SSH DSA private key.

  7. Consider a career other than Systems Administration.
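Items 3, 4 and 6 can be checked mechanically. The sketch below is an added example, not part of the original post: it parses sshd_config and ssh_config text and reports values the checklist rejects, including ones set inside `Match` or `Host` sections, which goes slightly beyond the list. The function names, the rule tables and the sample files are constructed for illustration.

```python
import re

# Accepted values; "prohibit-password" is later OpenSSH's "without-password".
SSHD_RULES = {
    "permitrootlogin": {"no", "without-password", "prohibit-password",
                        "forced-commands-only"},
    "passwordauthentication": {"no"},
}
SSH_RULES = {"forwardx11": {"no"}, "forwardx11trusted": {"no"}}
BLOCKS = ("match", "host")  # keywords that open a conditional section

def parse(text):
    """Return {scope: {keyword: value}}; the first value seen in a scope is
    kept, because OpenSSH uses the first value it obtains for a keyword."""
    scopes, scope = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in BLOCKS:
            scope = f"{parts[0]} {value}"
            scopes.setdefault(scope, {})
        else:
            scopes[scope].setdefault(key, value.lower())
    return scopes

def audit(text, rules, require=False):
    """List (scope, keyword, value) for settings outside the accepted values.
    require=True also reports keywords missing from the global scope."""
    findings = []
    for scope, settings in parse(text).items():
        for key, allowed in rules.items():
            if key in settings and settings[key] not in allowed:
                findings.append((scope, key, settings[key]))
            elif key not in settings and require and scope == "global":
                findings.append((scope, key, "<unset>"))
    return findings

# Constructed sample files, not taken from any real host.
SAMPLE_SSHD = ("PermitRootLogin without-password\nPermitRootLogin yes\n"
               "Match Address 192.0.2.0/24\n    PasswordAuthentication yes\n")
SAMPLE_SSH = "Host *\n    ForwardX11Trusted=yes\nHost build\n    ForwardX11 no\n"

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD, SSHD_RULES, require=True))
    print(audit(SAMPLE_SSH, SSH_RULES))
```

A missing keyword is reported as `<unset>` for the server file because the compiled-in default then decides, and that default differs between OpenSSH versions and distributions.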

Seen on IRC

Tuesday, March 28th, 2006

<Xaimus> UFS, the Unholy File System, is the native file system of FreeBSD. The most prominent feature of UFS is called ‘Soft-updates’, which achieves high levels of file I/O performance at the application level by holding pending disk read/write operations up in a kernel buffer for weeks on end while the system solves fourth-order differential equations to figure out which operations can safely be performed first.

The 10 Commandments (of IMAP clients)

Monday, March 20th, 2006

It seems the people over at University of Washington have a silly side.

The Ten Commandments of implementing IMAP clients.

SGI is apparently like heroin

Sunday, June 26th, 2005

When you have a chance to use some truly nice technology, you just want more.

So, a few weeks ago I was handed, gratis, a purple Indigo^2 Extreme, a 20″ Silicon Graphics monitor and a Silicon Graphics keyboard. The monitor needs some help (it’s all tinted green) and the keyboard is just a PS/2 101-key kit in SGI skin, but with the addition of a PS/2 mouse, I have a complete system.

Well, okay, I had to go on eBay and find some RAM and drive “sleds” so I could actually make it usable. But now it’s perfectly usable. After you let it warm up for about half an hour. Otherwise the graphics output looks unhappy.

While I was surfing around for the parts to make my Indigo^2 complete, I found someone selling an Octane for cheap, with no bidders. Nice box (once I fixed the damage from shipping with crappy packing), and I’m rooting around for an external SCSI CD-ROM so I can install the OS from scratch.

Yes, while looking around to fix up the SGI box I already had, I was somehow compelled to get another one. It’s newer! Faster! Better! I needed it! Really, I did! Because… well… Do I have to answer?

I’ll probably get rid of the Indigo^2 once I get it all patched up to IRIX 6.5.22 (the last version that supports that machine). It’s a heavy beast. I’ll probably get rid of the monitor, too, if it can’t be fixed, though I need to consult with an electronics wizard I know before I do that.

So, you may be asking, why, now, am I collecting more old computers? That’s actually a good question. Part of it is that I’ve decided I’d like to broaden my horizons and learn more than just Linux and Mac OS X in terms of Unix systems. To wit, I’ve got a Sun SPARCstation5 that I’m going to load Solaris 9 onto for learning and experimentation. I’ve got this SGI Octane. I might even do some graphics programming, and I’m one of the oddball people that likes to get his code working on as many platforms as possible.

And, as it should be already apparent, I’m just a geek.