Friday, April 22, 2005

Another update.

Following on from my previous post, another update:

Kplayer & Mplayer are working perfectly now that I've got the codecs installed properly, have acceleration working with the right options and I now know to always use Alsa for sound wherever possible. I have one spurious AVI file which identifies itself as DivX which won't play properly under any of the codecs except one but that one's not automatically picked. Selecting that codec manually makes it work and it's only one file that does this.

I've associated most of the formats with their respective players. Upgrading to the just-released Opera 8 was simple enough, no glitches and it's much faster and more stable, although it was too clever for its own good and tried to use the Win32 Opera directory from my previous Windows install to get its Java from.

I noticed this on the first Java site I visited, and a quick whereis pointed me to a seemingly good Java directory which Opera refused, but it then managed to find some sort of clue and suggested I try another. The suggestion worked and Java runs better than ever inside the browser.

I've now bought Crossover Office because it does what I want it to and was cheap enough, though I'm not sure about the subscription model for updates. However, I was paying for one piece of subscription-based software on Windows and at least if I stop paying for Crossover, I get to "keep" the last version. Crossover runs my Word 2000 without problem, also my Irfanview tool (at least for all the bits I've tried that I would ever need). I'm going to try JASC Paint Shop Pro 7 on it at a later date.

I've configured the login screen the way I want it and this way it has a simple "shutdown" button that my girlfriend can use to turn it off if she's the last to bed at night. Before, it needed a console login and a shutdown command and she's not familiar with non-GUI systems.

KPlayer issues solved, I've set it to be the default player for every media file format and I've also tested GSpot in wine and it runs perfectly.

Sound was my biggest problem so far. SDL games were sometimes perfect; the next time they were run the sound would lag by over a second. That was unacceptable and annoying. Eventually, after much Googling, it was cured by an upgrade of SDL, a tweak of ALSA settings to enable basic hardware mixing (I'm not brave enough to attempt the dmix plugin yet and don't really have a need for it) and, most importantly, disabling the aRTs system. This hasn't lost me any sound that I would like to keep and stops the sound that I do want from lagging so inconsistently. This is something that I hope upgrading to a later version (whether of ALSA, KDE, aRTs, or even the Linux kernel) will fix because it's plainly a problem.

I've upgraded packages (simple) and also installed remote passwordless SSH (more difficult) by a combination of Googling and guessing. Already I've had a few SSH login attempts using basic passwords from various places in Taiwan and China but I'm not paranoid enough to worry about them. Passwordless SSH was more of an educational distraction than a real need. And, yes, my ADSL router was forwarding unknown ports to a no-longer-existent local IP address instead of to my main machine (which used to have its own firewall). A quick tweak of the settings and SSH showed up externally as responding.
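The password-guessing attempts mentioned above are exactly what key-only SSH removes as a risk. As an added example (not from the original post), the script below does two things a defender would want here: it checks whether an sshd_config text still permits password logins, and it tallies failed password attempts per source address from sshd log lines. Both configs and the log lines are constructed samples; the directive names are standard OpenSSH ones, and the log format is the one OpenSSH writes to syslog.

```shell
#!/bin/sh
# Added example, not part of the original post. Everything below is constructed
# sample input; on a real Slackware box the log lines would come from
# /var/log/messages (or /var/log/auth.log on other distributions).

# Two constructed sshd_config fragments: the permissive default-ish one and a
# hardened one that only accepts public keys.
WEAK_CONF='PasswordAuthentication yes
PermitRootLogin yes'

HARDENED_CONF='PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no'

# password_auth_enabled CONFIG_TEXT
# Prints "yes" if password logins are still allowed. OpenSSH treats a missing
# PasswordAuthentication directive as "yes", and the last occurrence wins.
password_auth_enabled() {
    v=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "passwordauthentication" { print tolower($2) }' |
        tail -n 1)
    if [ -z "$v" ]; then
        v=yes
    fi
    printf '%s\n' "$v"
}

# Constructed sshd log lines (private RFC 1918 addresses, not real sources).
SAMPLE_LOG='Apr 22 03:14:07 box sshd[2231]: Failed password for root from 10.0.0.5 port 4021 ssh2
Apr 22 03:14:09 box sshd[2231]: Failed password for root from 10.0.0.5 port 4021 ssh2
Apr 22 03:14:12 box sshd[2235]: Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2
Apr 22 03:15:40 box sshd[2240]: Accepted publickey for lee from 192.168.1.2 port 50022 ssh2
Apr 22 03:16:01 box sshd[2244]: Failed password for invalid user test from 10.0.0.9 port 4100 ssh2'

# failed_by_source
# Reads log text on stdin and prints "COUNT ADDRESS" for every source address
# that produced failed password attempts, most frequent first.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# failed_count ADDRESS
# Number of failed password attempts from ADDRESS in the constructed sample log.
failed_count() {
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run: report on both configs and list the noisy sources.
echo "weak config allows passwords:     $(password_auth_enabled "$WEAK_CONF")"
echo "hardened config allows passwords: $(password_auth_enabled "$HARDENED_CONF")"
echo "failed password attempts by source:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
```

Once the key pair is in place and `PasswordAuthentication no` is set, the guessing attempts still show up in the log but can no longer succeed, which is the point of switching to passwordless (key-based) login.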

Further on my quest for "work distractive technologies", I've played a bit with TuxRacer and it looks like 3D acceleration is working properly... :-)

Still fighting with the bloody KDE clock as it just insists on pissing about when set to a timezone that uses BST and says it's applied changes that it doesn't. Wonder if KDE 3.4 has fixed that issue?

Still no problems or major disappointments as of yet, but rest assured that I'm hunting for some more show-stoppers.

Monday, April 18, 2005

Linux Conversion Update

Okay, so I've been running Linux for a few days now. I've managed to get all of my necessary apps and most of my "useful" apps working properly.

KDE provides most of the tools natively but I had to install some things like MPlayer (and Kplayer, a GUI for it), K3B and a few others. I've also downloaded Crossover Office having been disappointed at the conversion capabilities of AbiWord and KOffice (through no fault on the behalf of their authors, I want to add). I haven't got around to installing OpenOffice at the moment and Word 2000 is about the only thing that I will admit that Microsoft has done right so I have no problems with paying money to get that to work. It saves me time playing about, ensures compatibility and means I won't strip or corrupt important info in my DOC files. Similarly for Excel 97/Gnumeric.

Crossover + Word is working perfectly, not a sign of a glitch, but Wine isn't up to running much else that I want at the moment, but luckily most of what I want has nothing to do with actual work. :-) It does run Irfanview, Dreamweaver and Paint Shop Pro, though, and DW and PSP I consider to be my vital apps. I have yet to test it out on every feature of those programs.

I've also installed the nVidia drivers which sped up X's 2D drawing noticeably. That was the only time I needed to shut down X and restart. I'm still using a console login at the moment because I've never been afraid of a command line and I like to see what's been going on at boot before I start up a complex program like X.

Linux still hasn't crashed once so it's definitely better than my previous setup, and even X hasn't crashed out yet (which, from previous Linux experience, I was expecting, especially with a binary display driver).

I managed to download a Knoppix torrent and burn to a CD within an hour of deciding to do it, without meeting any unpassable shortfalls or annoyances along the way (just installed BitTorrent and K3B from LinuxPackages and it all just worked). In fact, K3B is better than most CD-Writing software I've used on Windows and I've pretty much used them all.

KPlayer/MPlayer was a little more tricky but hardly a vital program. The package I was using was missing a few symlinks, which were easily created, a little bit of configuration and I'm only having trouble now with one MPEG-4 avi that seems screwed in MPlayer but works in another, unaccelerated, media player that came with Slackware. I'm assuming that the Win32 codecs are faster but not as well supported as the OS codecs that came with Slackware and that a slight override somewhere will cure this. While fixing this, I did notice that I quite miss using GSpot, a codec-discoverer for any avi/mpg/etc. file. I'll have to find an OS equivalent or get it running under Wine.

Installing new and missing software has been a breeze thanks to LinuxPackages.net, not that I've ever been scared of compiling my own, it just makes it so much easier to keep track of what program is where. Thanks to Slackware's plain tgz packages, if I lose track of where the "executable" went, I can just browse the package in Ark and look for it. That's worth its weight in gold and useful for those packages that didn't have quite as much attention paid to their creation as others on LinuxPackages and might be missing a KDE shortcut icon or similar.

I've been upgrading a few libs like SDL et al and not run into any problems yet, in fact I can say that it's only made things work better. I'm looking at the prospect of upgrading to the latest -current Slackware packages as they include the latest version of KDE. I'm not too worried about the rest of the updates as they are mainly bugfixes and security updates. The computer is firewalled and not running any internet-bound services and the only bugs I've run into are Konqueror crashing a bit more than it should. It's hardly a problem as it doesn't even take down other instances of itself, let alone X or the OS, and a click on the Konqueror icon gets it straight back up.

I haven't managed to test remote SSH yet and I'm a bit worried that my firewall might be being a little overzealous and blocking it as the port appears "stealthed" to any web port-scanner. I'll have to see if that's because of the firewall, the way I've set it up or the SSH config. I've noticed this same problem on another 10.1 machine with this firewall so I will have to look into this. Internet access from the computer itself, though, works just fine, even over P2P and torrenting.

I've been trying out a couple of Linux games and they've been quite fun so far, just the sort of games I like, small, fast, not too fancy but fun. Am missing my other games a bit but knew I would be and will have to wait for a new PC for gaming.

Have yet to try the DVD but I see no reason why it should not work as MPlayer can play MPEG2 files off my hard disk and the computer can see the DVD drive, so there shouldn't be any problems. I have updated packages for libdvdcss etc. on standby just in case.

Had a few teething troubles with the KDE clock as it really messes up when you select timezones, whacking hours on and off of the clock a few seconds after selecting them and simultaneously resisting most attempts to stop it being too clever for its own good and adding hours for BST etc. In the end, I just set it to a non-timezone until I can be bothered to fight with it again.

Altogether, it's been pretty painless, I haven't lost any work, my main apps are up and running and there's not much functionality that I didn't have before. The computer is more stable, turns itself off EVERY time I ask it to, boots up without issues or any error messages and runs most of the existing hardware (with the only exception being the old scanner) without me having to do anything at all.

Also, I've noticed the benefit of using a local network, printer-server and ADSL router again. To be able to have a network where everything important like printers and internet access are done over a standalone networked device is a real lifesaver but then, Slackware would easily handle my printer and any sort of NAT effortlessly. I have also recently set up a Slackware machine for my brother which does all of the above in one machine so that he just plugs in any computer and it all just works (firewall, NAT, printer sharing, Samba storage, etc.) once it has an IP. This has greatly aided his transition from a 500MHz 98 machine to a new mega-gaming-machine XP.

My entire changeover has gone mostly unnoticed by the other user of my home network, namely my girlfriend. The only comments she had were, when she used the machine once to save turning hers on, that it didn't have a separate Opera icon for her like the old one did, with her bookmarks and emails. That was because I'd forgotten to transfer her settings across when I'd done mine. That's easily fixed, as all the old Windows drives are still present and mapped into the filesystem and, thanks to Opera being cross-platform again, it's simply a matter of copying them over to the right place.

The other comment was that she couldn't play PartyPoker on it, her favourite online game, because that's a Windows-only piece of software. I had tried that in Wine myself but it really didn't like it at all. She'll just have to stick to her own computer for that, which I knew she would.

Overall, quite happy with it so far and still waiting for the first showstopper.

Thursday, April 14, 2005

Plunge Taken...

Bandwagon firmly landed on with both feet...

Windows decided to play up. I thought to myself "I can fix this". Then I thought, "Why bother? This is my work machine and it should ALWAYS be up". Then I installed Linux. I now have Linux as my primary desktop.

Things I will miss:

- Games (but may well invest in a cheap XP machine for those)
- My plethora of "essential" programs (no more Zonealarm icon flashing away reassuringly, no more need for specialist programs like NAT32, virus scanners, spyware detectors etc.) which have become obsolete or unnecessary.

Things I won't miss:

- Bugs
- Blue screens
- Viruses (Only ever had one, personally, from a respected PC Games magazine CD)
- Spyware (Never had any but always kept checking)
- Endless drivers

I've moved onto a Slackware 10.1 system running KDE and it's working just fine. I plan to use it for work mainly, and to provide a fault-free stable system for the next few years. Already browsing the web, RSS, IRC & emailing (having Opera be multiplatform is a lifesaver and greatly helped the transfer), ICQ, MSN, YIM and AIM (thanks to Kopete, the Linux equivalent of Trillian without the ludicrous upgrades and skins), printing (via CUPS and the lovely people at linuxprinting.org for the PPD), access to all my partitions, a firewall, a version of PuTTY (yes, I know it's just an SSH frontend but I liked it on Windows and I'm used to it now).

Considering it's running on a plain VESA driver for now, it's actually faster than even my finely-tuned 98. Have still to set up my CD-RW and DVD-ROM but don't see them being a problem, using k3b and mplayer. My scanner is linux-incompatible but I have two others sitting under the desk that are 100% compatible, so just have to re-cable that. My "weird" hardware like my cheapy-RAID card, cheapy USB stick, USB IrDA, Intel QX3 are already supported and auto-detected without me having to touch anything. Will have a look see how hard it is to connect to my Nokia via IrDA and use my card-reader at some point but that's hardly a priority.

Collateral damage is minimal so far, just a lilo change to boot Linux by default. All my flaky FAT drives are still there and accessible. I am considering investing in Crossover Office to run my Word 2000 and Excel 97 combo and possibly even things like Dreamweaver but for the moment, KOffice is holding the fort.

Considering that 90% of my use of the computer is Web, Email and IM, the impact has not been too bad, it took minutes to get up and running with the exact same version of Opera that I was running on Windows and import all my stuff over. Scroll wheel on my mouse and the occasional segfault due to not having any swap were very quickly cured and I haven't managed to crash it since.

I need to switch on APM/ACPI but I haven't tried that yet. Normally a "modprobe apm" does all that for me but it appears to be missing so I will try and track that down. When it didn't work, I was too busy trying out all the silly card games to care. :-) Worst case scenario is that I recompile the stock kernel that Slackware provides to something a little more relevant. The only difference that that gives me to my old Windows 98 is that now I don't have a pretty screen up when I have to turn it off saying "Windows is shutting down..." :-)

I've decided to allocate one month of time to it, to see how I get on with it. I've resigned myself to the fact that it will not run my games but I may well be able to find emulators for my favourite older systems (Spectrum etc.), use things like DOSBox to run some of my older titles, and anything DirectX/OpenGL I can use on some other computer. That should be enough to distract me and I can use an XP machine as a games-console only.

The programs I have yet to find a suitable replacement for are Paint Shop Pro 7 (nice, simplified interface around a powerful image manipulation program), Dreamweaver (nothing quite like it), and a few tiny utilities I like to use.

I'll see how it goes and see whether I can get hold of a nice games machine for myself. My ideal aim is to have a Linux desktop for work, browsing, email etc. and only power up a Windows XP machine for games, literally using it as a games console. Even then, what I want to do is make CD images of all my games and mount them over a Samba share via Daemon Tools on the Windows side so that I don't have to track down every CD for every single game every time I want to play it. The Samba share would be held on either the main Linux machine or on a small Linux storage server with a mini-RAID on it.

Thursday, April 07, 2005

The "Perfect" Virus

On the theme of my earlier article on viruses, I'd like to touch on how a perfect virus is not only possible but also, if ever created, extremely nasty to stop.

PLEASE NOTE: I do not condone the creation of viruses, nor of any program which resides or gains entry to a computer in illicit ways, including spyware, adware, forced updates, etc. This article is targeted at a particular operating system, notably the one most prevalent today and that which is subject to the greatest number of virus attacks... (two facts which are not, despite popular belief, cause and effect)... Windows in all its flavours. Most of the ideas listed below WOULD NOT WORK for any other operating system and the purpose of this article is to highlight just how Windows leaves itself open to mass destruction, and also just how tame current viruses are compared to what they could be. I accept no responsibility if some idiot uses some of these ideas, in the same way as someone who says "the security on that building looks weak... someone could walk right in there and slip through unnoticed" has no responsibility if someone actually DOES do just that.
==========

Viruses in the last few years have changed tack. At first, the early DOS viruses merely spread over floppies, infecting already-present executables (because of the lack of any autorun facility in the operating system), the startup files or the computer's boot sector. Later they became more sophisticated and started to not only infect executables but to hide themselves in such a way that they could not be detected easily. These early viruses were highly destructive... reformatting hard drives, destroying hardware, even taking out the CMOS settings.

Then Windows became more prevalent and the viruses changed tack. No longer were they destructive, no longer did they have to hide themselves so well or use particular avenues to infect the machines. Network shares, badly coded files leading to security vulnerabilities, scripting and macro languages with WAY too much power over the computer are all open doors as far as a virus is concerned. And now, the viruses could turn your PC into a valuable commodity that would sell on the black market, useful for spamming, covering tracks, attacking remote machines and taking down large corporations' websites.

At the same time, virus scanners were updated to cope. Nowadays hardly any virus scanners actually take control of your machine from boot but instead rely on Windows to initialise the anti-virus program. This, however, is a reversion to previous, bad ideas. The best anti-virus scanner is one that runs as the sole program in memory. Other protections were enabled, though, that did help, such as the BIOS options to protect your boot sector and guard against unauthorised BIOS flashing, and Windows and Internet Explorer in particular were updated to stop scripting attacks working so well from remote websites.

Soon, traffic coming over the network cable could exploit the holes in the operating systems services to take control of a machine without even having to be on the hard disk or in RAM already. Firewalls stopped the majority of those attacks but lots of people who were unprotected were caught out by the early variants. Running Windows Update would have prevented many of these attacks but not all and, besides, what use is a cure if you have to open yourself up to attack to obtain it?

So, what would the perfect virus look like?

Hopefully, a number of infection methods would be available. Rather than just relying on a single hole through which to gain access to a machine, several methods would have to be available. The more entry methods, the greater the chances of spreading. Executable size is rarely an issue nowadays, what with broadband connections, so many methods could be implemented in a simple executable.

Secondly, detection avoidance would be a must. If the cause can be discovered, it can be cured. Having got on to a target machine, a passive analysis of its hardware and software should be conducted. Does it have anti-virus? Are the BIOS options for boot-sector protection turned on? Where can I hide?

After the passive analysis, hopefully we still wouldn't have triggered anything that would alert the user to our presence. But how would we stop things like AV packages finding us? For that, we'd need to revert to the older tactics. AV packages, on the whole, rely on file "signatures", little pieces of identifying strings that match against a particular virus.

We'd have to be signature-less, as best we could. In the olden days of viruses, we had polymorphism: the ability to change size, shape and contents and yet still be the same executable. Look around your hard drive. Somewhere there will be files which are designed to hide their contents, be they encrypted, compressed or obfuscated. Programs like UPX (an executable compressor) are commonly used in viruses to reduce the size but for the same executable they would give the same compressed signature.

There are also such things as encrypted files. One of the lesser-known goals of encryption is to make the resulting file data appear as random as possible. Encrypted files have no consistent signature between similar contents. A tiny change to the program would render any signature useless.

However, we would need a "key" with which to decrypt ourselves. That key could well be changed at will by the program itself as it transmits itself between computers, reencrypting its raw contents with the new key each time and somehow transmitting the key and the encrypted data inside itself. The code that it would use to decrypt itself would also be a signature, as that could not be encrypted if it were to be executed. Somewhere down the line we'd have to give ourselves away eventually.

Or would we? Surely a method could be devised where the decryption code is some kind of standard file access, such as the decryption engine of a ZIP program, for instance, or some other signature which couldn't be hunted without also turning up innocent programs. Nobody would trust AV vendors if their software suddenly started spouting out virus warnings for a perfectly innocent file. Maybe that could be a possibility. There are lots of genuine programs out there that have a built-in decryption engine and some encrypted content inside an ordinary executable file. If we were to hide in one of those files, we could remain undetected at least until we'd had a chance to start executing our code, couldn't we?

Many programs misuse some low-level services within the computer to actually hide the files themselves from virus scanners, intercepting file system calls and substituting fake harmless data whenever the contents of themselves are requested by a program. Once activated, our program could well do this too. Why not? Any step to make it harder to remove would help it stay.

There are several places that a program can hide itself in to be automatically executed when the computer is started: the boot sector, Windows itself, as a service or as another program that runs on startup. Why not, if we can verify that nothing is watching us doing so, try all of them? That way ALL of them would have to be cleaned up in order to stop us loading.

Most AV disinfection is done while the computer still has the virus present, i.e. while the infected computer is actually running. For a lot of viruses, the first thing you need to do is to terminate their processes in order to be able to remove their files. If you don't, you run the risk that the virus will notice this and try to compensate by reinstating all the entries that it needs to run.

So if someone is going to be trying to shut us down while we are running, why don't we spawn a few more copies of ourselves, as soon as we possibly can, and have them coexist. Have them watch each other. As soon as any one virus process disappears for no good reason, IMMEDIATELY reinstate another one, or even two. If you do it fast enough you will negate any manual attempt at shutting those processes down.

Sometimes, in Windows, programs are notified that they are about to be shut down before they are actually terminated. Why not look out for these notifications and, if we get one, execute some code in the brief window of opportunity we are given to cancel the action, or spawn more copies of ourselves?

With processes all watching each other, the user would have to be bloody quick to get rid of us all and may even need specialised tools or knowledge to do so. It might even baffle most automated programs that try to do so, at best sending them into an infinite loop where for every process they terminate, two more turn up. That's what the user gets for detecting us and trying to remove us. He'll have to do better than that.

On the subject of retribution there was a brief spate of DOS viruses that, when activated, removed a critical part of your machine's data, usually the partition table, and held it to ransom. "Co-operate with me or I won't put it back. Turn me off and you lose it forever." It might be an idea to do that while we're at it. Given the wealth of vital information on the computer, blackmail might not be a bad tactic for a virus to execute.

Setting vital computer passwords (such as the admin accounts) to random values, removing the password for encrypted files or disks, setting CMOS passwords or hard disk passwords if we think we know where they are stored. The ATA spec does include some facility for encrypting disks with a password that must be sent over the IDE cable before the disk is readable. If we could get that to work, that might be fun.

Of course, we'd only do this if someone tried to remove us. The worst case for a virus is that the computer gets formatted and replaced with a clean copy of Windows. We want to make sure that that is the ONLY way the user could remove us because we want to cause as much inconvenience as possible. That way, the virus gains a name for itself (which is actually a bad thing... much better if people aren't aware we exist) but also provides us with a fresh source of un-patched machines trying to get to Windows update before we can infect them via whatever hole Microsoft may have patched.

Obviously, though, we have more than one entry ticket up our sleeve and we can try a number of different ways to get in. In fact, it might even be an idea to use a plug-in style interface. Have the virus contact some location... or several such locations in case one is discovered and shutdown (file sharing networks, ftp and www sites, already-infected computers, there's no end of places) and download the latest "updates".

They could include plugins for new methods of infection to combat any patches that may become available, plugins for more advanced analysis of the computer to discover its flaws, plugins which can update the update locations themselves in case the sites all get shut down, plugins to change the way that the virus polymorphs itself, plugins to cater for more architectures (64-bit or even different processors), more machine types, plugins to take advantage of new technologies, new storage methods, new ways to hide inside different file formats, plugins that interact with your CD-writing software to make any bootable CD contain the virus and/or any autorun entry to run the virus from the CD silently, plugins to infect over instant messaging networks, plugins to swamp filesharing networks with fake files (or even better, real files) containing the virus, plugins to allow backdoor access, using UPnP or discovered passwords to disable or tweak any firewall protection blocking it. There is no end to the number of ways the virus could be upgraded, all of which would make it harder to detect and remove, easier for it to propagate, harder to block its attacks and harder to brush it aside as just a virus.

However, this plugin interface may well be a possible avenue for an anti-virus worm, a self-cleanser that would find virus-infected machines and exploit the virus itself to remove it instead of making it more powerful. Some sort of public-key-encryption signature (suitably obscured or encrypted within the executable itself) would be needed, to verify that any updates have been signed by the virus author themselves. Defeating this would be a massive piece of work, involving defeating high-level encryption by working out the private key from the public key, something which only supercomputers are currently capable of. And if such an anti-virus virus should ever appear? Well... send out a plugin update that changes the public-private key pair to those machines that still remain infected and on the Internet.

As people try to defeat the virus, hopefully new updates to it would ensure that the usual ageing process of a virus from obscurity to notoriety back to obscurity wouldn't occur. Instead of slowly dwindling away, more and more machines would succumb to the virus, taking advantage of every known hole as soon as it appeared. Those who had removed the virus and patched to the latest level would only be safe until the next plugin appeared. Generated from the few remnants of the virus remaining on the older, unpatched, unmaintained machines on the internet, the virus would reappear in new forms, taking advantage of new techniques which have taken account of whatever its previous weaknesses were.

The distribution of the virus would be controlled by a changeable plugin. Once one signature had been spotted by AV vendors, an update could be rolled out to change that signature so that the next generation of the virus would be different as it spread.

New plugins for analysis would recognise specific versions of the tools designed to remove the virus itself. The standalone removers would be blocked or fooled into thinking they had done their job; the major anti-virus tools would have to change signatures often to catch up with each new variant formed by the newer plugins. Newer virus versions would have detailed information on what virus scanners look like and how to defeat them, either by hiding themselves, faking some of their information, or, crudely, terminating the antivirus program (that actually seems quite amateur and noticeable and we'd only want to do that if it were absolutely necessary for a particular version of that AV scanner/virus signatures).

Using the above, we'd aim to get onto as many machines as possible, whether we can sneak in past some ancient or poorly-crafted AV scanner or whether we have to get into the machine, terminate everything and attract the attention of anyone using the machine. Preferably, we'd do the first because we also want to stay on each machine for as long as possible, too. We want nobody to know we are there. We can sit dormant and wait for years for someone to hook us up to the Internet so that we can cause as much havoc as we can.

Thirdly, once we're on millions of machines worldwide, we need a purpose. Previous viruses have done everything from re-format the machine to send out spam, or even attack certain websites. Each of those is malicious and doesn't achieve much. Maybe the payload of the virus should be something simple. Demonstrate to people what you COULD have done. Pop up a message once a week showing what you could have achieved.

How's this sound?

"You have been infected with the Super-X virus. This virus was created with the goal of showing you just how insecure your operating system is and how the trust you have put into the company that made it, Company X, is misplaced. Company X left the following gaping holes in their software:

-A vulnerability caused by a buffer overflow in Service X.
-A poorly implemented software firewall which doesn't block packets of type X.
-A security oversight in the default settings of program X (created by Company X).
-A security oversight in the default settings of program Y (created by Company Y).
-Poorly checked security restrictions in module X.
-A failure of your anti-virus software, X, to discover my presence despite you paying for an up-to-date subscription, with your credit card XXXX-XXXX-XXXX-XXXX.

Using the above (and other) holes, I could quite easily have done any of the following without you knowing and without your permission:

-Formatted your hard drive, losing all your data.
-Sent out spam email claiming to have come from anyone on the Internet, to anyone on the Internet.
-Attacked any website that I chose, co-operating with NNN,NNN other infected computers globally, possibly resulting in a complete loss of that website.
-Stolen all your passwords and your credit card numbers from file XXX and website XXX and sent them to random, or selected, people on the internet for them to use to obtain further information about you.

Please inform any of the above software vendors if you are unhappy about my ability to do this so easily or, alternatively, vote with your feet.
"

It would become the most famous virus ever and, like the Millennium Bug and Black Monday, stick in the minds of users who might, just might, then ask for a computer that isn't susceptible to a virus the next time they buy one at PC World.

Can you imagine just what that would do to the Internet, to the way common people work and trust machines or companies and to the way people think about computer security?

Monday, April 04, 2005

Linux to the rescue

How's this for Linux advocacy? A school wanted to use their Intel QX3 computer microscope (which has a tendency at all schools to fester at the back of some cupboard, despite being a brilliant idea). They wanted a kiosk-style setup so that the computer could sit in the corridor (not networked), the screen showed the microscope view, the kids could play with objects under it but not break the computer in doing so. They also didn't want to have to pay for Windows licenses or buy a computer just for that job.

Pulled out an old 300MHz machine that they were going to scrap, bunged a bog-standard Knoppix CD in and booted off it. Ran xawtv... voila! Instant full-screen microscope view without having to load a single driver, or even touch the hard disk. It appears that the driver for the Intel QX3 is just an ordinary webcam driver (cpia) that Knoppix has bundled anyway. No configuration required to get the image on the screen apart from running a TV program (also built into Knoppix) and pressing F for fullscreen.

Next week, if they are happy with what they have, I'll install it to a permanent location on the hard disk (apparently a one-liner under Knoppix), set up a simple script to turn the lights on the microscope on and off (echo toplight:on >/proc/cpia/video0 etc.), maybe even have that controlled by a joypad or similar simplistic setup, and automate the boot so that xawtv goes straight to a full-screen kiosk mode.

Cost: Nothing. Extras required: Knoppix ISO image + 1 CD-R. Time Required: About 20 minutes. Expertise required: A google for "Intel QX3 linux".

Now try that with Windows.

Making your own Firewall / Router / Fileserver / Print Server

As I have just done the above numerous times for myself and my brother, I thought that a little writeup might help. This is not designed to be complete or simple, but is for someone with a basic grasp of Linux and/or an advanced grasp of PCs in general.

I assume several things. You have a local Windows network. You have ADSL and an ADSL router that is connected to this local network. You know the basics of TCP/IP and are comfortable with command-line interfaces. You have a spare machine that has nothing of any value on it (e.g. Windows, documents etc.) that can safely be wiped and made to become a firewall/router/server. You have a spare parallel port laser printer (e.g. an HP Laserjet) that you want shared over the network. You know how to use Google and look things up for yourself if this article doesn't cover your problem.

First, get a computer and network it. I happen to have a source for old Pentium machines (233's) but for my brother's project, I gave him an old P400 with 64Mb RAM, two PCI network cards and an 80Gb hard drive - smaller hard drives are fine, down to about 4Gb, and may actually be more compatible with a machine with an old BIOS. 2Gb is an absolute minimum but it's then a struggle to keep up to date with such little free space.

[Author's Note: Yes, I'm being lazy and installing EVERYTHING from Slackware, I know perfectly well that you can do this from a single floppy but that's not the point. See Freesco if you want to be an expert and do it properly... I ran a Freesco install for about 4 years, making it do all of the above.]

The PC could really have done with a bit more RAM but it runs fine with just that much. Plug it into your network. At first, you can just add it onto an existing network by plugging into the hub/switch, to make installation easier. Later, we'll turn it into a router that can be put between your broadband connection and your computers to keep them much safer than they would normally be.

Next, blank the hard drive completely (or just be aware that you will be wiping everything on it, even Windows or whatever else is on there) and download Slackware. You can use any recent version but for me the version was 10.1. Download the first two ISO disk images and burn them to CD. CD Burner XP Pro is good for putting them onto CD if you don't have Nero or anything else to use, is free and runs fine under Windows 98 despite the name.

Next, boot the machine intended to be a firewall, file server etc. from the first CD. Follow the instructions until you get to the login prompt. Login as root and you'll be left hanging on a command line. Type cfdisk and delete any partitions on your hard drive (THIS WILL DELETE ALL YOUR DATA ON THAT HARD DRIVE, OBVIOUSLY). Then install one large partition over the whole disk and make it bootable. Exit out of cfdisk and reboot.

Boot back off of the CD again and login, then type setup. Go through the setup process (selecting a keyboard layout etc.), select the partition you just made to install into, don't set swap space, use the default kernel and make sure you install all packages, full install.

After a few hours, you should be done and rebooting without the CD in will take you straight into Slackware Linux. You will have been asked to set a root password. It's a bloody good idea and you'll need it to log in to this computer from then on. Now we have to set up your network card in order to connect to the internet and the rest of the network.

Login as root and type dmesg | more and scroll through, looking for anything that indicates that Slackware has found a network card. If it is a PCI or even an onboard card, it should find it without any assistance. Non-PNP ISA cards need a bit of a nudge beyond the scope of this article (Google isapnp).

If your network cards were successfully detected, type pico /etc/rc.d/rc.inet1.conf. This will allow you to set IPs, network mask and (if need be) a gateway address (e.g. of an ADSL router or any other device that all Internet-bound traffic should be directed through). You should set one card to an internal network address (e.g. 192.168.0.1 or 10.0.0.1) and the other card to an address which will be "external" (or enable DHCP for that card).

[For an example, my ADSL router gives out addresses in the 10.0.2.x / 255.255.255.0 range, which my server picks up as its "external" address. The local network uses 10.0.1.x / 255.255.255.0 which the server has an address set for on its other card.]

Hit Ctrl-X when you're done.

After a reboot, both cards should now appear in the output of ifconfig as eth0 and eth1 (lo is a loopback interface that's always there, network or not).

Test your connection by pinging a website, ping www.example.com. This should come back with replies. Hit Ctrl-C to stop the pinging.

If you have two cards and the ping doesn't work, make sure you try this with a cable in both cards... sometimes the cards are chosen in a different order to what you might expect. Also, try pinging the address of other machines on the network, your ADSL router etc.

If you have a successful website ping, it means that the Slackware machine is now able to connect to the internet. Now we can download a little program that will help us later on. Personally, I like Projectfiles.com's firewall... a simple script that enables all sorts of things without the complications of a GUI.

Type lynx http://projectfiles.com/firewall/. (Lynx is a text-based web browser that is simple enough to download files should you need them). Select the link for the latest stable release and hit d for download. Let it download it and then save it. It should have saved it in the home directory for root. Exit out of Lynx.

Copy it to /etc/rc.d (cp rc.firewall /etc/rc.d/)
Edit it to suit your network (pico /etc/rc.d/rc.firewall) using the output from ifconfig to remember which card (eth0 or eth1) has which IP address etc. There is a line in the file that tells you below which point you should not make any changes.

Make sure that you add the local network interface (e.g. eth0) to the list of internal interfaces. Any other network cards are considered external, i.e. anything that comes through them is NOT trusted, as if it were a direct connection to the Internet.

Press Ctrl-X when you are done.

Now, to turn the firewall on, you type chmod +x /etc/rc.d/rc.firewall and it will run at the next reboot. To turn it off, do the same with a -x instead and reboot. If you have done it correctly, you should get no errors and still be able to access the internet with ping etc.

While we're here, we need to turn a few other things on and off:

chmod +x /etc/rc.d/rc.dnsmasq
chmod +x /etc/rc.d/rc.samba
chmod +x /etc/rc.d/rc.cups

For these to work, however, they need some configuring. If in doubt, google for the name of the program or config file (e.g. dnsmasq.conf) and read their documentation.

DNSMasq
=======

This program forwards DNS lookup requests (i.e. resolving www.example.com to an address the computer can use) to an upstream DNS server. This is usually the same machine as your gateway if you have an ADSL connection (i.e. the IP address of your ADSL router) or it can be your ISP's DNS address (they will have these written down somewhere on their website but you may need to login to their website first... usually they can be found inside their instructions for connecting other types of computer to the internet, e.g. Mac, Linux, Playstation, XBox etc.)

Mostly, it needs no configuration at all but any can be done using pico /etc/dnsmasq.conf. It will get the IP of the upstream DNS server from /etc/resolv.conf which you can edit using pico too.

If this works properly, you should be able to set the other computers in your network to use your server's LOCAL IP address as a gateway and DNS server. E.g.

Internet (some address which your ISP has given you)
|
|
ADSL Router (10.0.2.1 / 255.255.255.0 and providing DHCP in that range)
|
|
10.0.2.100 / 255.255.255.0 on eth0
Server
10.0.1.1 /255.255.255.0 on eth1
|
|
Windows machines
10.0.1.x /255.255.255.0 using 10.0.1.1 as their gateway and DNS.

With this setup, the Windows machines should be able to connect to the internet as if the server wasn't even there. A quick trip to GRC to run their ShieldsUp! test should show all ports as Stealth, though.

That's routing, firewall and DNS-forwarding configured already!

Samba
=====

Samba is the piece of software that will allow you to produce network shares, which in Windows will appear as shares under Network Neighbourhood. pico /etc/samba/smb.conf to set it up. Generally, you should set the workgroup to the same for all computers on your local network, which you can do for your other computers using the settings inside Windows Control Panel. I use something like HOME or OFFICE for this so, for example, all the machines in the office have a workgroup of OFFICE. Also, for simple purposes, security = share is fine.

You should also set a name for the server, which can be anything you like but which is probably better off as "server" or something simple. With just a name and workgroup configured, saving the file and rebooting (all this rebooting is *completely* unnecessary under Linux but it's quicker to type... :-)) the machine should appear under Network Neighbourhood of any Windows machine on the local network with the same workgroup.

If not, check whether you can ping the server from one of the Windows machines (type ping followed by the internal IP address in a command prompt) and also try disabling the firewall on the server (chmod -x /etc/rc.d/rc.firewall). If disabling the firewall works, check your firewall config... all machines on the local network should be able to have unrestricted access to the server if they are on a card which is listed in rc.firewall as being an internal interface.

Also, check any Windows firewall software you might have. Zonealarm, for instance, will sometimes throw a wobbler when it sees file-sharing protocol traffic from the server and this may make it block the server... in this case sometimes the internet will work for five minutes or so and then stop. Add the server IP address as a "Trusted" IP address in Zonealarm on the client machines to fix this.

Now the hard part: read through the shares part at the bottom of the /etc/samba/smb.conf file and comment out any you aren't going to explicitly use (except for the printers one, leave that one there) and then make your own, following their example. If you want to create a basic, empty share using the hard drive space that you have left over on the server, that you can store stuff on from your Windows machines, it's best to do this:

Type mkdir /mnt/share. This makes a directory for us to use.
Type chown nobody:nogroup /mnt/share. This gives anyone permission to use that directory.
Type chmod a+rwx /mnt/share. This lets anyone who has permission read from, write to and enter that directory (a plain chmod +w is masked by your umask and usually only adds write for the owner, and a directory needs x for anyone to get into it).

Add the following share to smb.conf:-

[storage]
browseable = yes
comment = General storage
guest ok = yes
path = /mnt/share
read only = no

The share should now show up and be writable (i.e. you can save files to it) from the Windows machines.
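Before you trust the firewall alone to limit who can write to that share, it is worth checking what smb.conf actually grants. As an added example (not from the original post), two small POSIX shell helpers that read an smb.conf the way Samba does and list the shares that any guest on the internal interface can write to; the config embedded below is constructed for offline testing and mirrors the [storage] share above plus the default [printers] share.

```shell
#!/bin/sh
# Added example, not from the original post. Reads smb.conf sections
# ([name]) and "key = value" lines so you can check what a share grants.
# SAMPLE_SMB_CONF is constructed for offline testing only.
SAMPLE_SMB_CONF='[global]
workgroup = HOME
security = share

[storage]
browseable = yes
comment = General storage
guest ok = yes
path = /mnt/share
read only = no

[printers]
path = /var/spool/samba
guest ok = yes
read only = yes
'

# share_setting FILE SHARE KEY: print the value of KEY inside [SHARE], or
# nothing if the share does not set it (Samba then uses its default).
share_setting() {
    awk -v want="$2" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == "[" want "]"); next }
        insec && line ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "", line); print line; exit
        }' "$1"
}

# guest_writable_shares FILE: print every share that guests can reach
# (guest ok = yes) and write to (read only = no, or writable = yes).
# Samba defaults are "guest ok = no" and "read only = yes", so a share
# that omits both lines is not listed.
guest_writable_shares() {
    awk '
        function flush() {
            if (sec != "" && sec != "global" && guest == "yes" && ro == "no")
                print sec
        }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^\[/ {
            flush(); sec = substr(line, 2, length(line) - 2)
            guest = "no"; ro = "yes"; next
        }
        line ~ /^guest ok[ \t]*=/  { sub(/^[^=]*=[ \t]*/, "", line); guest = line }
        line ~ /^read only[ \t]*=/ { sub(/^[^=]*=[ \t]*/, "", line); ro = line }
        line ~ /^writable[ \t]*=/  { sub(/^[^=]*=[ \t]*/, "", line); ro = (line == "yes") ? "no" : "yes" }
        END { flush() }' "$1"
}
```

On the server itself, guest_writable_shares /etc/samba/smb.conf should list nothing but storage; anything else it prints is writable by every machine on the internal interface.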

If you install more hard drives into this machine, you can incorporate them into this share by putting a line for them into your /etc/fstab and making the directory inside /mnt/share.

An example fstab might be:

#
# /etc/fstab
#
#

/dev/hda1 / ext2 defaults 1 1
/dev/hdb1 /mnt/share/another ext2 defaults 0 0

To prepare this second hard drive and show it under the existing share, you can use:

mkdir /mnt/share/another (this creates the directory that it will "live" under).
Edit the /etc/fstab file as above
cfdisk /dev/hdb and delete any partitions on this new hard drive. THIS WILL LOSE YOU ANY DATA OBVIOUSLY. Type carefully. (Note that by using /dev/hdb, we are modifying the SECOND hard drive that the computer sees.)

Create one large Linux partition on it which should show as hdb1.

Similarly for hdc, hdd etc. as you add extra hard drives.

Printing
========

First pico /etc/rc.d/rc.modules and uncomment anything under the Parallel port sections (remove the # character from the beginning of the lines). When you reboot, typing lsmod should show up some stuff to do with "parport".

Then, use lynx to go to http://localhost:631 and in there you will find an interface that will let you add most laser printers. Any printers added should print a test page and should then appear under Network Neighbourhood as a shared printer.

If you have a non-laser printer or a strange standard one (e.g. Samsung), you can try with CUPS using LinuxPrinting.org's CUPS tutorial or use APSFilter:

/usr/lib/apsfilter/SETUP

(remember to cd back to the home directory when you are done).

APSFilter is more complicated and quite tricky to piece together.