I've been reading about it everywhere and overall dismissing it so I thought I may as well have a look anyway. Yes, Novell have released this "next generation" X Server which combines OpenGL and hardware acceleration into a bog-standard X desktop.
Newsforge have an article about it and they're not the only ones.
Firstly, the use of a LiveCD for this is part of what they were designed for - tests of software you wouldn't want to even try and install but that someone's done the hard work for you, software that may well screw things up for you so you can test without having to install it.
Unfortunately, the demo AVI linked to in the above article shows you all it can do. And I have to say, I don't see what all the fuss is about. It's a minor point that all this is only supported on certain chipsets, almost all of which rely on a third-party binary-only driver (don't get me started again). If everyone in the world wants this, you'd better start complaining to nVidia and ATI now to open-source those drivers because otherwise it ain't gonna happen.
If a distribution (like, say, Suse) wants everyone to start running these sorts of desktops, there'd better be support and backing from someone who's going to keep this running once everyone in the world's got XGL... is that support going to come from Novell - I bet not, or at least without a hefty price. Bang goes advantage one of open-source operating systems. And what happens when nVidia change their support for OpenGL? Bye Bye Window Manager.
Anyway, skirting that minor issue - XGL looks very pretty. I've seen better effects in a few PC games menus, though. It's pretty but gimmicky. Having video overlaid over OpenGL graphics on a desktop that can spin around - very nifty. Now what could I use it for?
I've been able to have video play in the corner of my desktop for a while - it's called having a TV-card or a media player. My computer is also capable of transparencies (a feature which, incidentally, I turn off no matter what the operating system as there is very little legitimate use of it).
But personally, if I want something showing on the screen, it's because I'm watching it. If I don't, I don't want to have to squint to distinguish between different windows, or be distracted by a moving image somewhere else. Whether I'm working or just browsing, the normal use of my desktop ranges between one app full-screen and the rest minimized to another app full-screen and the rest minimized.
Before the advent of digital TV, I used to have a small window overlaying the bottom-right of my screen, in a position in which it did not obscure my use of scrollbars in my most common apps. However, I cannot remember a single occasion that I paid it any attention like that. Occasionally, I would be waiting for a program to come on and would full-screen the TV when it did but there was nothing I did that would be aided by transparencies, hardware accelerated or not.
The only task I do where the apps aren't used full screen is if I'm doing janitorial work on my files. I would have several windows open on the filesystem, and drag-drop between them. Overlaps were eliminated by the simple precept of moving windows about. Granted, having a shortcut key to arrange/zoom windows would help but that's nothing that cannot be done in standard X.
Additionally, moving stuff between desktops is hardly a chore and a rare event - I use virtual desktops for different tasks. If something's not on the virtual desktop I'm using, it's because it gets in the way or is part of a completely different task, e.g. games on a work desktop.
I frequently have my virtual desktops arranged by task, Internet, Work, Entertainment. Hence, the organisation of virtual desktops actually negates any need for transparency or some fancy 3D - I don't need to overlap windows if I can just throw them onto another, more relevant desktop. It also means that I can't be distracted while I'm working by stuff that shouldn't be on the screen at all.
Novell's XGL demo also demonstrates a lot of other useless cruft - we won't even mention the bouncy windows or "snap to"... this stuff was done years ago and ignored because it's pure gimmick that's already working. It's the sort of stuff that appears in menus to games. Even there, it's only ever fun for the first minute and then you never dabble with it again.
Switching between virtual desktops as a cube - good metaphor but you could just as easily scrap it as an actual cube and just have four "sides" and still get work done without having to remember horrible keyboard combinations or have lots of OpenGL technology in place to be able to switch between desktops. It provides no advantage over much simpler, much less demanding methods.
Now it seems that the best bit of the XGL demos is, in fact, the hardware acceleration. Now that's a feature I won't knock unless it's for the fact that it only works on binary drivers at the moment. If they can resolve the driver issues and have hardware accelerated graphics on a desktop, maybe we can finally catch up to the 90's with the rest of the world's operating systems! (And that's not a bash at Linux/X. It's a bash at the driver manufacturers who are holding us in that horrible position).
Novell, it seems, has spent two years making a stretchy GUI. To quote their website:
"Novell is announcing its contribution of the Xgl graphics subsystem and the 'Compiz' compositing manager to the X.org project. These enhancements open up a whole world of hardware acceleration, fancy animation, separating hardware resolution from software resolution, and more. As a result, Linux desktops will become more usable, end-user productivity will increase, and Linux is firmly positioned at the forefront of client computing technology."
I'm sure that bouncy windows and video over a cube are so going to increase our productivity and make X more useable. I'm sure having to manually install a binary-only driver is phenomenally easy for your average potential Linux end-user that they'll even be able to do it in a bouncy window while watching Harry Potter playing over the top of Ice Age 2. I'm sure that those two years of adding to the configuration options of X.org.conf is going to just have us all blatting out our code twice as fast.
"Under the leadership of Novell's David Reveman, Novell has sponsored and led the development of this powerful new graphics subsystem for Linux since late 2004. Xgl is the X server architecture layered on top of OpenGL and takes advantage of available accelerated 3D rendering hardware. It is designed to integrate well with the composite extension and performs best when a compositing manager is running. 'Compiz' is the new OpenGL compositing manager from Novell and is the framework that enables the development of graphical plug-ins."
Let's get this straight - hardware acceleration is a good thing. I like to be able to run 3D apps as fast as possible. Rarely, however, does a working desktop require 3D acceleration. You might be a 3D designer all day long but your desktop really doesn't need it. If you have power to spare, a few bouncy windows would probably look lovely but otherwise all they've created is an add-on to window transparency, a feature most people have turned off or don't even notice that they can use.
Novell should have put their efforts into something a bit more practical. An OpenGL compositing manager, I'm sure, has one, maybe two uses where it's absolutely indispensable. What would have been much more use would have been simplified X configuration options, maybe even on-the-fly configuration for most options, tighter integration with layers like HAL or even a single damn hardware accelerated open-source driver.
XGL is a gimmick. It may convince some eight-year-old sap somewhere that "Linux is better than Windows" but that's about it. Just wait until he's thrown into the world of having to separately compile a kernel-specific driver every time he wants to try out the next kernel assuming, that is, that nVidia has supported it at all yet. XGL brings nothing new to the table, no work that people couldn't get done before can now get done. No time is saved, no money is saved, no problem has been solved. All it does is make my computer even damn slower just to show me a file listing.
Friday, March 17, 2006
Kororaa Xgl Live CD
Tuesday, February 28, 2006
Windows Vista
Windows Vista (or whatever it will change name to seven times before they ever release the thing) is approaching and a lot of people are focusing on what it can do and what it can't do. What they don't seem to take account of is the history. People who complain that MS has given them a bad run in the past are told they are pessimists and that this is the time when everything will be perfect. I've heard that at least five times now, so will I be upgrading to Vista?
Would you buy again from a butcher that, five times, has sold you a bit of what he assures you is "the best beef in the world" only to discover that when you get home it tastes like old boots?
Not a chance.
DOS I adored. It worked. It was powerful. It was simple. It was fast. It did the job.
Windows 3.1 I gladly bought into and began to love. It was small, simple, worked and worked well. It was easy to use and just pretty enough without needing too much from the hardware (386 with 2Mb RAM).
Windows '95 was then thrust onto me by peer pressure; it was okay but nothing special. There were a lot of frills on an OS that was basically a 32-bit version of Windows 3.1. It was also very buggy. '95 OSR2 didn't help matters at all.
Windows '98 was pushed into my hands because '95 was such a disastrous attempt at trying to push a '98-style OS out too early. It improved next-to-nothing. '98SE came out and you were asked to pay again for it. Yeah. That's going to happen. It fixed a few of the problems and introduced a few new features, but nothing that anybody actually NEEDED at the time.
Windows ME I looked at and it quickly became a disaster (things like major components of Windows supporting '98, 2000, XP but not ME... .Net anyone?). It was '98SE-with-knobs-on and didn't manage to do anything particularly exciting.
So from '95 to ME, there were very few, very small improvements in an OS that incorporated at least three major paid-for upgrades (as in major release versions, not just updates) over and above the base price. It was then that I told myself that I would not upgrade any further without good reason. My computers worked, it had cost an awful lot of money to get that far and I hadn't seen much improvement in my actual productivity over previous versions. They all ran the same software, at the same speed, with the same features, with little or no improvements in the areas that mattered - stability, compatibility with older software and hardware support.
Okay, '98SE+ incorporated USB mass storage properly and a nicer driver model but in essence it also killed ISA cards stone dead without giving people a say in the matter... is it really that hard to support a standard that was still in use at the time, had stabilised and standardised itself on things like hardware autodetection, and still works to this day in the Linux kernel which has a much stricter requirement on what stays in the kernel? To be in Linux, the hardware has to be stuff that's used, has support from several programmers willing to change their code constantly, work in the kernel at all times and get updated in line with everything else, from people who are not getting paid to do that job. Anyway...
I stuck to '98SE and I spent most of those years chasing Windows Updates, free antivirus, utilities to manage the computers, anti-spyware, etc.etc.etc. Windows 2000 I skipped entirely - it removed support for a lot of my then-current hardware and only provided a small stability bonus. XP was a "necessity" to run one single game that I wanted on one single machine and has also turned into more hassle than it's worth. XP I see as basically a games console - a bloody complicated and annoying one at that.
I didn't pay for XP, it came with a second-hand computer I was given, one thing I was glad of. XP offered me nothing over 98 except more restrictions, more problems, and much less system transparency - even the filesystem was relatively unreadable outside of XP without expensive utilities (though that's not so much of a problem now but still it's hard to correctly write to NTFS without buggering something up).
Despite several methods of recovery in case of system problems (Recovery Console, Safe Mode, System Restore), it was still perfectly possible to total a machine by installing an official update that would take more hours to fix than the computer was worth. Suddenly, I needed Ghost around constantly whereas before I'd only ever re-installed Windows '98SE from scratch once (and I later found out how I could have fixed that too). It wasn't something the average Windows '98SE user could do but I brought that OS back from numerous permanent blue-screens, booting problems etc. without having to worry that I wouldn't get the system back up and running.
There isn't going to be another chance for MS. This isn't blind MS-bashing, I've just had enough. There's posts on this blog telling you how I kept my own personal '98SE machine in tip-top condition from its release to mid-2005 and even recommending that people stay with it.
I've always noticed it and never given it a second thought but now I can see the trend in MS OS's:
- More new features that I won't ever use and just get in my way. I end up turning half of them off within the first few days, the rest as time goes by and discover they are causing me problems. I end up setting half the settings to Classic or some other sort of compatibility or failsafe mode because that's how I liked it. Control Panel was prime candidate in XP, along with Autorun. Also disabling of things like power-save settings and screen blanking.
- More restrictions, barriers and brick walls, each of which stops me doing something I WANT to do and can CURRENTLY do. Connection limits, raw sockets, driver signing, not having to activate, the list goes on.
- More time and money, not just on the OS but its supporting programs to get it into a vaguely useable state. Anti-spyware, anti-virus, firewall (because the MS ones I won't trust to be any good from experience and may well be the next anti-competition case against MS), startup controls, Ghost (because, again from experience, the chances of any type of system restore working as it should are extremely minimal). Again, the list could be endless.
- More integration with stuff I don't want (starting with IE and WMP). I don't want stuff connecting to the net unless I SAY so and unless it's ABSOLUTELY necessary (i.e. it's a web browser which has been asked to connect to a website by me personally, or an autoupdate that I'VE scheduled to autoupdate). I don't even LISTEN to music, and I certainly don't want rubbish trying to get album covers and other nonsense from the internet just because I'm testing a drive with an Audio CD. I don't want my browser to even be ABLE to execute code directly in the webpage, or choose a search engine without asking me what one I want to use.
- Nothing that I absolutely *need* when it comes to upgrade time. My computer does lots of stuff already. What can I do in Vista that's totally 100% impossible in 98SE, XP or Linux? If you discount hard-coded restrictions and programming laziness, nothing. Vista is not a quantum computer conversion - it still does the same old stuff the same old way.
- Missing or just starting to introduce a lot of obvious stuff that SHOULD already be in the OS (**why** do I need a completely separate, non-MS utility to tell me everything that's loading at Windows startup? Why have I gone from Windows 3.1 to Windows XP without MS incorporating such a simple, useful utility? Why can I not also click a button that LOCKS anything else from inserting itself into startup and kill half the spyware/viruses in one fell swoop? And yet they are bundling rubbish like media players and internet browsers that I DON'T want at all and have never even used)
- Still playing catchup to other systems. A database of your files that updates in the background and you can use to locate your files quickly? Got it, except my one doesn't slow the system down when I'm using it like Find Fast and the other MS "inventions" do. Admittedly MS may well be ahead in terms of hardware driver support but considering my Linux machine doesn't NEED half that new hardware and won't do until it's properly supported under Linux anyway... where's the incentive?
I quit Windows about a year ago hopefully forever. I was tired of my computer not doing what I tell it to. This is my biggest, absolute killer for not running Windows... if I say shutdown, you will shutdown, if I say delete that file, just delete the damn thing... I'm not an idiot, I know what I'm doing. The chances are that if I force a shutdown, there's a reason for it. It may not be an important one - I may be rushing to go out for the evening and want to make sure it's off - but that's not for you to decide. Unless I'm going to do permanent, irreparable damage just do what I say, and even then just make sure I'm AWARE of that. My OS of choice will *not* argue or crash or wait for every program on earth to voluntarily allow me to shutdown unless I ask it to.
I'm tired of having to be at the forefront of technology just to browse a simple web-page at a decent speed. I'm tired of "limitations" like XP Home's connection limits, raw socket limitations etc. when there is no technical or practical reason why they have to exist. If my OS is capable of it, it should offer it. It should not say "I COULD but... I'm not going to let you until you pay me money". It's like running a shareware operating system, except I've already paid for it.
I've worked as the only support for many years for a few hundred XP, 2000, 2003 and older machines and yet have only ever used XP on one laptop personally (my "games" machine) and on my girlfriend's computer (it came supplied with the computer and it was easier just to leave it on there for her... she had to "learn" Windows 2 years ago so learning a Linux desktop isn't a big problem at all... it's just easier for when she wants to play The Sims and other rubbish). Windows is "easy" until you need to maintain the thing and then it becomes a nightmare. My choice of OS at home reflects just how good Windows is - I work with Windows all day long, even recommend Windows systems and yet I won't touch it with a bargepole at home any more. On another note, the more broken Windows is, the more money I make because I have to then be paid by numerous schools to fix it for them. And I get paid by the hour. ;-)
I've lost count of the number of computers I've brought "back from the dead" by removing viruses, spyware, too many startups running, etc. When a user can sit at a new, fully-patched, antivirus-ed, antispyware-d machine and, without intent and within a matter of minutes, infect the machine so that it barely loads up in half-an-hour, taking hours to fix, is when I give up on that machine. What a user does SHOULD NOT affect the machine as a whole, only that user... even as a "limited" account on Windows you can wreak havoc.
Windows has an after-the-event method of fixing problems - once the virus is on there, and lots of people have also got it, some company might send out an update that may or may not catch all variants and won't help control the damage the virus has caused. Vista even includes special integration for antivirus apps. Do people not realise how ironic it is that the OS that "invented" the problems with modern-day viruses and spyware even has a special place that you can install anti-virus into so that it will integrate nicely? It's like having a car that comes with an easily accessible tool specially designed with the sole purpose of putting the wheels back on should they fall off on the motorway. So reassuring.
(Yes, DOS had viruses. DOS was back in the era of one-user full-admin home computers without sharing of disks or internet access and was a design disaster from the start... at least it bloody worked though. Sensible people had worked out in the 70's that that was just a stupid idea for multiple-users or internet-facing machines. Windows caught up with them in Windows XP/2003.)
There is actually a page on a website belonging to a Linux security enhancement package called SysMask that actually allows you to upload ANY bash, C or perl script. When you do, it compiles it, runs it and shows you the output! It will voluntarily and automatically run ANY code that ANYONE asks of it as an ordinary user because it's so sure of its security, just to prove how good it is. This is on the same bloody server that runs their own website where you can download this code for free. It's never been taken down.
Like this site, I want before-the-event fixing - even IF someone runs some dangerous software deliberately, researching the latest holes, it can't affect the machine as a whole, can't destroy other people's files, can't put me in a state where I have to hope I have a recent image/backup. I don't trust Vista to do this... Windows 2000 was supposed to stop this. As was XP. As was 2003. Backups are for restoring files after unavoidable hardware damage - nothing else.
Now, on Linux, the damn computer actually bloody does what I ask of it. I don't have to be too careful about checking licensing for the software I install because it's *all* GPL or free (yes, I still check that it's GPL or otherwise free, though)... I'm not distributing my changes so it's all free for however many computers I want. No more license-counting, no more fighting activation systems that think they know better, no more serial codes, no more.
I used to spend HOURS on Windows hunting down decent freeware to get stuff done without having to shell out even more money but now I don't have to fill every system I own to the hilt with third-party freeware just to get the damn thing into a usable, secure state. It actually comes with everything I need, by default, installed securely.
At absolute worst, an automated update command (one that WORKS, does it when it's convenient FOR ME, doesn't force updates that are dangerous and doesn't kill one machine or another on a regular basis) keeps me up to date. Rollback? How about a complete uninstallable plain TAR archive of every update I've ever installed, along with a copy of every single package ever installed on the machine? Any package I want, I install. I don't have to con the software into thinking it's NOT installing over a later version, not already been uninstalled, requiring the original setup disk etc.
It's also quite difficult (without doing something incredibly stupid and deliberate while logged in as root) to ruin the actual software on the machine. Windows relies on so much being intact to even boot, Linux just wants any half-recent kernel boot disk to get to a fully functioning command line and repair system (including uninstalling/reinstalling/upgrading/downgrading any single software package individually on the entire machine).
I get to choose what software runs without some arcane registry entry loading up something I'm not aware of, and am not even sure if I need it at all. Same for "services". Additionally, if I want a ten-second boot, I can have one. If I want flashy graphics, I can have them. If I WANT to boot into a command-line only environment, I can. I have that choice available. And you know what? From that environment I can control every single setting that I could control within the GUI if I wanted to. For every user. Without learning hexadecimal or what arcane GUID in the registry it's stored it under.
I can actually TRUST Linux, from its filesystems to its hardware support to the individual software components to the firewall. I know that someone isn't going to say "well... we COULD let you have five users connected to your shares BUT we're not going to LET you". If something said that, the source code wouldn't know what had hit it after I'd put it back the way **I** want it. You're *my* computer, you can only do what you are told to do and **I** am the one in ultimate control of every single piece of software on my machine. If that means editing source, so be it. If that means I want to voluntarily install some binary (and therefore risk incompatibility, forced upgrades and undiagnosable problems) to get my job done, that's fine.
I don't have to feel like a criminal because I want to use one OS on two computers. I don't have to check in with mothership every time my motherboard changes (which is quite often because the only thing that's constant about my machine is its data - the drives change, the hardware changes all the time; I've still got data from my DOS days on my current hard drives).
There's very little hardware I own that Linux doesn't support, and all of that is non-essential and easily replaceable (one USB IrDA adaptor, one 56k Winmodem out of eight). I don't need to have drivers on hand for each and every part of it, or a checklist of which manufacturers bothered to pay MS to get their drivers certified and which didn't. I don't need to worry about the drivers interfering or only being able to run them with the most horribly annoying pieces of GUI software known to man (HP printer drivers, some of the arcane school-specific hardware I have etc).
If I get a crash, there is something real, something productive that **I** can do about it. Someone, somewhere will be vaguely interested in finding out why my machine crashed and, hopefully, fixing it. There are constantly new free upgrades to try out, there are config files to play with, there is source to look through, there's one of the most complex debugging systems known to man sitting on my computer already waiting to find the exact spot that something crashed and why, there are many unique, discrete components that can be eliminated one at a time to diagnose and I can even single step individual changes to the kernel to find out which one caused my problem (git bisect's etc.).
I don't get (and could easily discover anyway) obscure problems like a certificate in a JAR file associated with a famous piece of UPS monitoring software expiring and thus killing the entire system without warning or a single error message, taking 100% CPU and stopping approximately 50% of programs from running at all.
Who knows, I may even be able to code a fix myself without having to wait a year for the manufacturer to even acknowledge my problem.
And at the end of the day, there's nothing I can't do on my machine that I ever wanted to do on Windows. In fact, most of the tools I use now are so much more powerful it's saddening to think of the time that I've wasted trying to find Windows programs that could perform the same tasks. I **liked** batch files, I **wanted** to tweak every entry in my AUTOEXEC.BAT and CONFIG.SYS to get the most out of my very expensive hardware. I want to be able to choose and change between using my RAM for virtual storage, caching my drives when I organise all 500Gb of data on them, displaying a GUI so that I can get work done etc.
My hardware is, to put it bluntly, crap yet expensive (to me). A 1GHz serves all my needs but may well have cost me two years-worth of donated/disposed of hardware (which means several "free" jobs fixing other people's computers and a lot of effort and petrol), plus several hundred pounds of my hard-earned money plus the time and effort to get it working how I want it.
When £1000's of hardware is sitting there and telling ME that it won't do something because I haven't phoned Microsoft or haven't bought the right version, I find it diabolical that my most expensive appliance in the house is not controlled by me.
Windows 3.1 I bought into, 95/98 I used and tolerated for a LONG time, getting many useful hours out of it. By the time '98 was obsolete I'd fallen for MS's spiel far too many times and was getting tired of computers. An OS actually nearly put me, a computer fanatic, off of computers. I didn't believe in or buy 2000, or XP, or 2003 and I won't be doing the same for Vista.
I'll still have to use it, in work if nowhere else, but I'm hoping that I'm going to have made the right move here by moving away from cash-driven OS's to ones that are driven by a yearning for freedom, control, pride in their work and technical prowess. Not that it's got a new glass interface that looks cool.
Wednesday, February 22, 2006
Linux desktop update
First off, the computer is still running fine. Problems encountered since last post - umm... none? I updated a load of software (in keeping with my usual habits), everything from K3B to PHP even though I hardly use some of them. K3B is my primary CD writing app so that obviously had to be updated, the rest were just for my peace of mind. I very nearly downgraded K3B by several revisions after Swaret found a "new" version on a Slackware mirror but I already had installed a much higher revision from LinuxPackages that Swaret didn't seem to pick up on. Fortunately, I was watching out though and have confirmation turned on for every package upgrade Swaret tries.
Even if I had gone wrong, a simple upgradepkg command would solve the problem. I keep a directory full of packages that are installed on the machine (from LinuxPackages, my own, elsewhere etc.) separate from the official Slackware packages so that I can upgrade, revert or remove such software. This is again kept separate from software which I've had to manually compile to install on the machine so that I can always find either original source code or a package for anything I find on the machine.
If you remember, I did a full Slackware installation and that's EVERYTHING. I've got things like LaTeX installed which I haven't used since my university days but seeing that even with everything installed Slackware is still smaller than an equivalent Windows partition, I haven't bothered to remove anything (it's not like they are running as a background service or anything and I keep them up to date anyway so it's not a security risk).
I've been doing a lot of converting/copying/writing Video DVD's just lately which means that I've had to hunt down a suitable program. In the end a few choice command-lines did pretty much everything I needed them to.
Generally, I need to be able to convert anything (DivX, RealMedia, WMV, ASF, Quicktime, etc.) to MPEG-1 or MPEG-2 for putting onto a VideoCD or DVD-R for playing in ordinary DVD players. I also sometimes needed to copy a DVD when I didn't have any DVD-R's so that meant MPEG-2 DVD to MPEG-1 VCD conversion. We're talking home movies and web clips here, so there were no subtitles, chapters, multiple audio tracks or menus to worry about, just straight film clips. I'm sending them to Kuwait for my girlfriend's dad so they have to work in any region DVD player, his laptop, his school's machines, etc. without worrying about extra software, codec compatibility, regions or anything else.
In the process, I spent days looking for a program that could write correctly-formed MPEG's onto a CD in Video CD format (something which was never that easy in Windows anyway as you needed to have stuff not only in the right MPEG format but also a strict filesystem layout) until I found out that, if you don't want menus or anything, K3B can do it for you. I'd been using it for months without even knowing it did that!
K3B handles writing to DVD just the same once the data is in the correct VOB etc. formats and I've got QDVDAuthor to do that for me.
I solved a tiny minor problem to do with the clipboard contents transferring between TightVNC remote sessions and remote Windows computers (which I needed quite badly since I've logged into the machine via VNC every day since I installed x11vnc). Installing autocutsel solved that problem instantly. I like the idea of having separate selection and clipboard buffers on Linux/Unix but if you haven't been brought up on them, they don't get used properly. Autocutsel synchronises the two and lets you just have a "normal" clipboard.
I also got NTP time synchronisation working after a "doh!" moment when I realised it needed UDP port 123 inbound to be open to the servers I wanted to use, not just outbound. A few good servers and it's ticking along nicely.
I've rewritten all of my firewall scripts so that now I can open ports on demand (for stuff like bittorrent to help it go faster), forward them to my girlfriend's machine, etc. In the process I "homogenised" all the scripts so that they are used on startup, from my rc.firewall, from my portknock daemon and from the command line. This means that I only have to maintain one script for all actions, so opening the SSH port to my work IP on bootup is using the same script as when I portknock from somewhere else or if I need to open a port to external access for remote VNC connections so that I can fix people's PC's. I can use a remote portknock to close a port that I opened from the command line locally without worrying about whether the rules will be implemented in the right order, whether the correct rules will be removed, unintentional doubling-up of iptables rules etc.
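One way to get the "same script for every caller, no doubled-up rules, the right rule removed" behaviour described above, as an added example rather than the author's own script. The names fw_port, fw_spec, IPT and FW_CHAIN are assumptions, and it relies on the `-C` (check) option of iptables.

```shell
#!/bin/sh
# Added example, not the author's script. fw_port, fw_spec, IPT and FW_CHAIN
# are assumed names. Requires an iptables release with -C (--check).

IPT="${IPT:-iptables}"         # overridable so the logic can be exercised without root
FW_CHAIN="${FW_CHAIN:-INPUT}"  # chain the ACCEPT rules live in (assumption)

# Build the rule text in exactly one place so that the check, the add and the
# delete always compare the same rule. Arguments are validated because the
# same function is fed by a port-knock daemon as well as by the local admin.
# usage: fw_spec tcp|udp PORT [SOURCE]
fw_spec() {
    proto=$1; port=$2; src=${3:-}
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 2
    fi
    case "$src" in
        *[!0-9a-fA-F.:/]*) echo "bad source: $src" >&2; return 2 ;;
    esac
    if [ -n "$src" ]; then
        echo "-s $src -p $proto --dport $port -j ACCEPT"
    else
        echo "-p $proto --dport $port -j ACCEPT"
    fi
}

# usage: fw_port open|close tcp|udp PORT [SOURCE]
# Called identically from the boot script, the knock daemon and the shell.
fw_port() {
    action=$1
    spec=$(fw_spec "$2" "$3" "${4:-}") || return 2
    case "$action" in
        open)
            # -C succeeds only when an identical rule already exists, so a
            # second "open" from another caller adds nothing.
            # $spec is split on purpose; its parts were validated above.
            $IPT -C "$FW_CHAIN" $spec 2>/dev/null || $IPT -A "$FW_CHAIN" $spec
            ;;
        close)
            # Remove every identical copy, including duplicates left behind
            # by older scripts; closing an absent rule is not an error.
            while $IPT -C "$FW_CHAIN" $spec 2>/dev/null; do
                $IPT -D "$FW_CHAIN" $spec || return 1
            done
            ;;
        *)
            echo "usage: fw_port open|close tcp|udp PORT [SOURCE]" >&2
            return 2
            ;;
    esac
}

# Example calls (addresses are documentation placeholders):
#   fw_port open  tcp 22 192.0.2.10    # at boot, SSH from one address
#   fw_port close tcp 22 192.0.2.10    # later, from a remote knock
```

Because the rule text is matched exactly, a port opened with a source address is only closed by a call that names the same source.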
Because of the VNC setup, I am able to sit on a remote machine, securely access my network, take over my girlfriend's computer to help do the bulk of things like MPEG conversions (her computer is 3 times faster than anything I use as I don't generally need CPU speed), that computer reads from and saves its results to a Samba share on a journalled filesystem on the Linux machine (which has the most disk space and which I can also control simultaneously to put those same files onto a DVD or VCD when they have finished converting).
I've also got UltraVNC running under Wine so that I can accept UltraVNC SC connections to my machine. So if a school has a problem they can login and double-click an icon that I've left on some of their servers, which will initiate an encrypted reverse connection to my machine which will then take over their machine and let me fix whatever the problem is. When I'm done, I close the connection and the software their end returns control. The beauty is that with UltraVNC SC, it's a single executable on the remote end that does not need configuration or installation and cleans up after itself when I'm done, so it's the sort of thing that I can tell people to download on the spur of a moment and, if they have a broadband connection, can easily fix their machines without leaving the sofa.
Because UltraVNC is Windows-only and uses non-standard VNC extensions, I had to use the Windows client for it under Wine. I've already got Crossover Office but I was hearing interesting things coming out of the main Wine releases so I decided to install Wine too. It ended up being easier than I thought and they didn't interfere at all after a bit of PATH-juggling, so now if I type wine, I get wine but my icons for Word etc. still use Crossover Office for which I can get support. Hence, the UltraVNC icon now uses Wine while the supported Office apps use Crossover. (I did try Word in Wine and it seemed fine but I'd rather stick with something that I know works, is a supported configuration and has someone I've paid money to on the other end so that I can shout at them if it goes wrong).
The computer consistently achieves 40-50 days of uptime and would be permanently on barring hardware failure were it not for my insistence on playing about with scripts that load at login so that, when I do next have to reboot, I don't have to worry about whether I enabled x11vnc on startup or configured the firewall to let through SSH connections from my work IP. I also upgrade the kernel to the latest stable release whenever I can, which means LILO changes and reboots, so a reboot once a month or so is no big deal, especially seeing as it is ME deciding that it needs a reboot (I still can't believe the number of times a Windows machine has to reboot from initial purchase through to a working system with all your software).
[On a side note - I noted the other day that my print server achieved over 380 days uptime being used quite a lot EVERY SINGLE DAY by myself and my girlfriend. Considering the fact that the lights go dim and the UPS switches to battery about twice a year, that's quite impressive, and it's not even running through the UPS.]
I've configured stuff like SMART and motherboard sensor logging using lmsensors (a long time ago) and now have more peace of mind than I did with Windows as I can see the exact factors that affect the values - this is very useful for hard disk temperatures and fan speeds. I can actually see which components produce the heat, which are cooled if I open a side panel, which ones are more sensitive to CD-Writers spinning up etc. My case is crammed full of hardware and cables and this is quite vital as there is no room for proper airflow in the case and I can't personally afford to upgrade when this system already works well within safe parameters.
I already have a hardware temperature/fan monitor which is separate from the motherboard ones so that it throws an absolute wobbler if a fan does not start when the CPU is turned on. This happens sometimes (the fan seems to have trouble on startup on occasion - about once every 20 or so boots) and the computer is actually quite happy without that fan spinning at all but it's much nicer for me to know that it's not and to power down again. The hardware monitor was cheap but works on a very simple system (thermistors and fan connectors connected to an external chip powered by a drive power cable) and doesn't rely on my ageing BIOS having to notice the problem (which it generally doesn't with fan speeds) to shut down the machine.
That same hardware monitor will also beep like hell and shut the power off if the power supply goes over-temperature (I use a fanless power supply so this was just another piece of paranoia). Additionally I now have motherboard monitoring and SMART monitoring (including disk temperature) which gives me peace of mind, especially considering the age of most of my hardware.
If any major component of the computer overheats, goes overvoltage, stops working, I KNOW for sure that either Linux, the hardware monitors or the UPS will shut the computer down. This is very important to me given that this computer runs 24-7 in a household environment. I doubt that Windows would shut you down if your drives were starting to fail or go over temperature unless you spent a lot of time and effort to get some software that did it for you.
SMART also runs self-tests on the drives overnight (when things like slocate also do their business and update the filesystem search indexes for me) and constantly updates me on every performance change that occurs (for some reason one drive flickers back and forth between two consecutive values for Seek Time Performance which I assume is just natural variation) so hopefully I would catch most serious drive problems early enough to replace and restore the drive.
My girlfriend (someone who didn't know what Windows was until she had to use it on her law course a few years ago) is quite capable of turning the machine on or logging into it, doing whatever she needs to in Opera (web, email, etc.) and logging off again. When her computer's down and she needs to enter results for work, the Linux computer is always there and just works for her.
I've got OpenOffice installed now too, as an office backup and also to use for the spreadsheet as I have a licensed copy of Word for the Linux machine but nothing else (yes, I actually have a hologrammed original MS copy of just Word 2000 on CD). Because I am now also using Portable OpenOffice.org on my USB key this is also for compatibility and to familiarise myself with it. Something that's quite funny is that OpenOffice.org spreadsheet program manages to handle the complex XLS spreadsheet I use for my invoicing with the same functionality and without any of the weird "out of resources" errors I get with Excel (despite following every advice known to man on combatting that error in Excel). It's not even THAT complex a spreadsheet, it's just got a lot of conditional formatting to highlight monies owed to me etc.
Wireless works, when I need it to, and I'm thinking of having it permanently on now that I'm sure of the firewalling. This would be primarily so that I can set up an old relic of a computer in our spare room to form SSH tunnels over the wireless to the main Linux machine so that guests can check email etc. without me having to run cables upstairs. The setup works, I've tested it, but I've just got to shrink the machine a bit as it's only a small spare room and a big chunky desktop case is over the top for a remote-access port. If I had unlimited funds, I'd get a mini-ITX computer up there and I'd also fit it with a WinTV card and a security camera so that it can feed the signal back to the other computer in the house that's running a security camera and motion detection software.
Still no show-stoppers. In fact, if anything, my lack of disk space is my greatest problem at the moment, mainly due to the fact that Slackware only uses a single 10Gb partition so I've filled the rest up with junk just because it was convenient. Stuff like Gb's of DVD VOB's and source MPEG's that I've already converted and have elsewhere but just haven't got around to deleting yet.
Saturday, January 14, 2006
My own piece of Linux "evangelism"
It's no surprise that I like to sing the praises of Linux. I've been using it, in one form or another, since the day I discovered its existence.
Increasingly, however, when I read articles about Linux I am constantly annoyed at people's frustration that it's not how they want it. They read the part that said that Linux is Open Source (I don't usually capitalise those last two words but I feel I should start doing it) and can be customised and therefore they expect it to automatically do whatever they want.
I don't know when my annoyance at the lack of understanding of this particular "mantra" started but it has been recently exacerbated by articles on binary kernel drivers among others. I regularly contribute to several forums on Linux and School IT in general and a lot of people just don't seem to "get" Linux at all.
The binary kernel drivers argument was one of the first arguments I've had online where I've been so annoyed at the lack of understanding that I've pursued the question but only after going away for a while to make sure that my reply was calm enough. The discussion centred on the fact that Linux does not allow a stable kernel interface for binary drivers.
Now, the entire legality of binary drivers within Linux is one which hasn't surfaced properly yet and I can see that one day someone is going to get some nasty jaws appear out of the water and take them by surprise because they've misread the GPL. Leaving that aside for one moment, binary drivers are the bane of any Linux supporter.
Binary drivers are those without source code, like almost every hardware driver that exists for Windows. Companies like nVidia release drivers for their hardware in this form to avoid losing their precious patents etc. to a bunch of people who have bought their hardware and just want to use it. Fair enough, they have to make a living and if part of that living involves never releasing source code, that's up to them.
As a case in point, there do exist Open Source drivers for nVidia cards but they just don't feature the 3D acceleration that the binary drivers do (so you can use nVidia cards in a Linux system, but they won't have the same speed when playing games. The average desktop, however, would run just the same). Therefore, in this case, the drivers for the nVidia cards are only used by people who have spare 3D cards lying around in Linux machines that they are using at least some of the time for gaming. Professional users of 3D would probably not be using the nVidia binaries or even Linux.
nVidia achieved this marvel of modern technology (running 3D applications on a 3D compatible system with an nVidia card, where someone has already written 99% of the other necessary supporting code for them) by using binary drivers, which plug into the kernel at certain points. They evaded most of the technical and (possibly) legal limitations of interfacing with various versions of the Linux kernel by releasing an Open Source kernel "wrapper" which lets the binary driver load itself without caring about what kernel it's actually running under and without the driver having to be rewritten for every kernel change.
The argument I had on Slashdot centred on people releasing binary drivers for Linux. The general overview was that Linux people were hostile and unhelpful to people writing binary drivers, that the manufacturers constantly had to keep updating the drivers for various kernels and that a stable binary driver API would help matters.
Needless to say, my reply was less than assistive in getting support for binary drivers in an Open Source kernel ("First, I think you're missing the fact that, overall, Linux doesn't care that you can't put your binary-only drivers on it").
The argument centred on the fact that companies will usually only release drivers as binary modules because they spend so long developing and testing their drivers that they are wasting an extraordinary amount of money if they then throw all that work out for anyone to copy it.
They don't seem to take account that Linux is entirely built on years of work that people, including many large corporations such as IBM itself, routinely give away for "nothing". Do you really think that the trade secrets in your hardware design are so fantastic that a) nobody has thought of them or that b) nobody who has your binary drivers and hardware couldn't reverse engineer them, legally, anyway?
Many of the network card drivers in Linux, for example, are reverse-engineered or written from open specifications and then placed under the GPL or other Open Source license. I can't see where this could pose a problem for the hardware manufacturer as they are effectively getting "free" drivers written for them, at little or no expense, as well as having those drivers supported and maintained for the foreseeable future (at least until the hardware is considered obsolete and possibly even after that).
To quote Donald Becker's page (although this quote was written at an indeterminable date): "Linux now supports almost every current-production PCI Fast and Gigabit Ethernet chip!".
So every manufacturer of Ethernet cards has effectively had Open Source drivers written for them and distributed worldwide for free. I don't see any network card companies complaining about the fact that pretty much any network card inserted into a Linux machine is detected and used without having to download and install any driver, binary or otherwise.
It may be that the patents and trade secrets covering a network card are far fewer or of less importance than those covering a 3D graphics acceleration card. However, given the number of patents on items like TCP offload engines and the like, it seems unlikely.
If you are writing drivers for hardware, surely you'd be glad that someone is willing to ask you for the specifications of the hardware so that they can write and maintain such a massive, difficult piece of code as a hardware driver for another platform that you probably will never be able to support as well as your main platform?
The main misunderstanding comes from the binary driver "API" idea, the vision of a single standard interface to ANY piece of hardware within a computer and all of the associated kernel functions that will NEVER change. That sounds almost easy, no?
The Linux kernel is never easy. It changes every single day of its life. Unlike the major desktop operating system of Microsoft Windows, Linux is updated almost every minute by someone, somewhere. When the Linux IDE code was considered obsolete, unmaintainable and unsustainable, it was rewritten from the ground up. When that effort failed to stabilise quickly enough, it was restarted again on a smaller scale.
When the scheduler started experiencing problems on systems with hundreds of CPU's, it was ripped out, modularised and put back in. When USB and Firewire were introduced, they were bolted on to the existing frameworks and then rewritten time and time again to obtain a set of code that was maintainable and extendible for new standards like USB2.
At each point, everything was redesigned, not just re-engineered. People went back to the drawing board and said "Why are we still doing things for hardware we no longer support?", "Why are we bodging CD-writing by making an IDE-SCSI hybrid module?", "Why can't we use the SCSI code we already have to support these new fangled USB mass storage devices as well?"
Each time, any stable ABI would have broken. Each time, a new version of the stable ABI would have had to be released. It's not a stable ABI if it keeps breaking. On the other hand, if someone had said "SCSI works this way and you must not change it" then many things would not have been possible or would have meant reinventing the wheel for them to be supported.
When you consider the number of hardware interfaces that Linux supports (PCMCIA, PATA, SATA, PCI, ISA, MCA, PCI-E, PCI-X, AGP, USB, Firewire, I2C, the list goes on and that's just for the x86 platform) and take into account the amount of drivers for each style of interface (some of which share something like 99% of the code, most of which are completely individual) the fixing of a stable interface gets harder and harder without bringing the source code to an unmanageable level.
Yes, Windows does it to an extent. However, try to run a Windows 98 scanner driver in Windows XP. Most of them won't let you do it. The interfaces changed and are no longer compatible. Try and install an ISA card in a machine running XP, it won't recognise it. Microsoft obsoleted ISA cards because they felt like it. That's another issue, but what if Linux were to obsolete a major subsystem? First, there would be outcry, secondly, the code would be around so that people who WANTED it could still use it.
Try and get USB Mass Storage devices working on 98. You usually cannot without a specialised driver and even then, only on 98 Second Edition because the USB in 95/98 did not support it properly. The standard interface they chose in 95/98 WAS NOT COMPREHENSIVE ENOUGH to support Mass Storage Devices and had to be changed. 98SE made it possible by introducing new access methods but the drivers are usually totally different to those used for the same hardware under Windows 2000 or above.
Try and get most older games working in Windows 2000 or above. It's possible for the vast majority but far from easy and it's usually easier to run an emulator like DOSBOX or QEmu to do it because the interfaces and standards used in the DOS, Windows 3.1, Windows 95, 98 etc. era were obsoleted and changed and updated and even removed because they were incompatible with the "new" ideas going into later versions of Windows (e.g. early Windows versions had no real concept of multiple users on a single machine, early DOS games expected complete control of a processor in order to run and exact timings which aren't practical in a modern multi-threaded operating system).
Throughout the history of any operating system, and sometimes even applications, the set standards that seemed so perfect 10 years ago are never used properly or have to be worked around to make them work properly (consider things like 48-bit LBA drive access) and usually that means having to change the interface or corrupting it to your purposes.
Linux does not want to spend the next twenty years supporting its own dreadful mistakes and misjudgements. Being Open Source, it does not need to. If something's wrong, they can change anything they like because no part of the system has to stay as it is. Linux is a liquid concept. However, should such changes occur many of the current binary drivers for Linux are likely to need substantial support in order to continue working properly, if at all. That support can only come from people with the driver's source code, i.e. the manufacturer.
When a kernel interface change stops PCI-Express cards from being accessed the same way they used to be, nVidia may be able to bodge something in their kernel wrappers or they may have to recompile their binary drivers to take account. Either way, they would have to spend a lot of time and money to support a change that is completely outside of their core business. People would be moaning at them for not doing their job. They would have to keep up, as they do today, with every change. And ten years from now, when they go bust, none of us will be able to use nVidia 3D acceleration on anything but the last kernel they supported.
Then again, they may just decide that it's too much bother and stop producing drivers for Linux. Were they Open Source or, ideally, in the kernel, the updating would *probably* be done for them automatically and without charge. They would be tested, without charge, by far more people than any beta test could summon up, with far more exotic configurations. Every time the kernel changed, they would be kept working until the day that there wasn't a single competent person in the world who wanted to keep supporting their hardware.
When IPv6 came along, Windows and Linux supported it by redesigning every piece of their networking code to take account of it. When IPv7 or whatever is next planned comes along, you're going to have to redesign everything all over again or put in some horrible backwards compatibility kludge to help older programs use it. That means that you will forever have to carry your older systems with you and all their backwards-compatibility layers, or you could just redesign the networking code to take account of it all for you so that old programs don't need to change and new programs can use the new features. They may be entirely separate systems but why introduce a whole new layer if you could just slightly redefine one that's been working for years?
Binary drivers die a death as soon as the manufacturer stops updating them and are wounded by every kernel upgrade. Open Source drivers live for as long as there is a single person in the world willing to support them, barely feel a bump on a kernel upgrade and will stay in hibernation for as long as their source code exists, ready to be resurrected by anyone who wants to try them out (say, a computer museum curator who wants to run some ancient hardware card that has to be soldered onto a modern connector and have its drivers tweaked to support the new, bodgeful interface).
A stable binary interface is impossible and totally against the idea of having a system that anyone can submit an idea for improvement to. When someone invents a better way of running hardware, all the internals HAVE to change or you end up with a mess of code that nobody in their right mind wants to touch and certainly not one which you would want people to be learning *from*.
Linux is bigger than an operating system. It's bigger than the companies that use it for commercial gain. It's bigger than the millions of people around the globe that use it every single day whether they know it or not. Linux (and Open Source in general) is about making things work, making them work well, making them work for the foreseeable future, letting anyone see how they work, letting people come up with ideas for how to make them work better and keeping them working. None of those goals can be reliably met by using junk like source-less binary drivers or "stable" binary interfaces.
The annoying part is not that people disagree with the above, it's that they demand that Linux should change and not themselves. If Linux does not do what they want, Linux is in the wrong. How often do they also swear at how stupid the design of some internal Windows API is? Linux is an emotional creature. It does not care about people who don't care about it.
If you want to rip Linux off and sell it with a thousand binary components and you can find a way to do it legally, even if you sell a unit to every single person on the planet, then you are on your own and Linux won't care that they break your system in their next upgrade. If you decide to Open your drivers and do the same, the chances are that someone will come along and help you to keep your stuff working, especially if it means that they get to play about with your system, ask questions, try new things, fix problems that only they have and can go off and learn from your code.
Open Source encourages software evolution. The better-written and better-performing man wins and their source code gets incorporated into more projects, their code gets learned by more people, who spread it to more code. Before long, every project needs this code to work properly, ensuring its own long life. However, if something EVEN BETTER comes along after that, it will be usurped for the greater good. If it's really better, it will take you over and smother you. If it's not, it will just linger and die and you will remain in your throne.
Binary drivers are one thing that I'd like to see smothered quite quickly. They are not necessarily better written or better performing but are kept there by corporations that are trying to gain money and recognition from Open Source without giving anything back. They legally, ethically and practically hinder alternatives from cropping up to usurp them as they know that they would be quickly smothered and left for dead. They need to maintain their little monopolies over their precious property. There is no analogy in nature for such a beast.
The fact that you can't manage to create a driver for the OS of my choice just means I won't buy your gear, or recommend it, or maybe even consider it. Whining about lack of co-operation from Linux people when I am happily running the product of years of their freely-given hard graft is not going to get you any sympathy from me. If the drivers for your device came from your company along with the full co-operation of your company, I'd sing your praises and buy your gear. If you just want to cling onto the back of this Linux thing that people seem to be installing more of nowadays but not give anything back, don't expect Linux or its users to do you any favours either. I will only pile my money into something that I know will last me a long time and give me good value for money.
And now an admission... I own an nVidia graphics card - a weird one. It's a PCI Geforce4 440MX. Yes PCI. Not AGP or PCI-E. Bog-standard, old-fashioned PCI. I want to use it (it's my most expensive graphics card purchase ever at £50) and I don't want to replace it. That's not much money but the card is CAPABLE of doing everything I need. If I needed PCI-E levels of performance, I would have a PCI-E card.
I have it in my Linux desktop machine, primarily because that's what the machine used in its previous Windows incarnation. I used to play Counterstrike and the motherboard does not have an AGP slot. The GeForce fitted the bill nicely. In Linux I have little or no use for its 3D features (besides possibly the occasional game of TuxRacing) but it runs faster than the motherboard's onboard graphics.
I voluntarily use the nVidia binary drivers. The reason is that they provide better performance playing video, 3D etc. They prove that the card is capable of doing what I want. The binary drivers are not too much of a bind for me to recompile every time I change the kernel. They don't cause any crashes at all and the card works perfectly. If I need to diagnose a problem, rebooting without the nVidia driver but with the Open Source nv driver is not a big deal.
However, if nVidia updates their drivers to a version that doesn't support my card, introduces bugs, etc. I will not be upgrading to those drivers. If the Linux kernel people manage the technical/legal/ethical feat of making sure that nVidia cannot distribute any drivers but GPL ones, I will instantaneously revert to the Open Source nv driver unless nVidia DO release a GPL one.
I won't be petitioning the Linux kernel people, I won't be rushing out to buy a new card that has got OS drivers, I won't buy nVidia's newest card that does run on Open Source drivers. I WILL be complaining to nVidia for not releasing the type of driver they should have released in the first place. I will use whatever works best for my current hardware to legally and technically interoperate with the rest of my machine's software.
If that means that, ultimately, my performance is reduced to poor levels because of having to use an inferior OS driver, I will be blaming nVidia for not bothering to contribute to that driver, to enable features that their hardware is perfectly capable of, and will adjust my next purchase accordingly, to a company that does support OS and does not artificially limit the capabilities of a piece of hardware by refusing to openly publish code or specifications for it.
The nv driver already has what I need to run the card. Anything that isn't in the nv driver is due to nVidia not being co-operative.
I will not stop updating my kernel to the latest stable version, even if that means I break the nVidia card... an up-to-date kernel is worth much more than a single, replaceable driver.
I will not allow the kernel maintainers to be blamed for nVidia's lack of assistance. They do not care and never have cared about binary drivers and have stuck to their word on that.
I will not allow the nv maintainers to be blamed for nVidia's lack of assistance. They tried their best to get SOMETHING out of a company that wanted to give NOTHING.
I will accept it as inevitable that I knew I would eventually run into this problem, because I chose to use binary drivers for that component.
I will not be surprised if those same binary drivers stop working or fall into decay one day.
At least if I had open-source drivers which were capable of driving the card to its full capabilities, I could keep running them through whatever legal or ethical turmoil Linux or nVidia goes through - that's the point of the GPL. If all else fails, I can still change the code myself (and I am capable of doing that) to make it work again. I don't have to rely on company X to keep my card working for me, breaking god-knows-what-else in the process. And I know that my hardware isn't part of some secret cover-up of something that I really don't care about when all I want to do is play TuxRacer.
Saturday, December 31, 2005
Laptop security
Recently, what with Christmas being seen as an ideal time for theft, I've been in meetings concerning the security of computer hardware, most notably laptops and projectors. Apparently I work in the second-worst location in the UK for thefts from schools.
As some of these meetings were sprung upon me without warning, I wasn't able to think them through as much as I'd like to have. As a result, I've been double-checking my advice to the schools to see if I can come up with any better ideas.
Current advice from the police includes chemical marking of property, securing the building, displaying signs and implementing CCTV (although the latter is not really pushed as a solution, more a deterrent).
According to the second-hand feedback I've been hearing from the schools, the local police are having a tough time; schools are having lots of laptops and projectors stolen, the thieves are filing off the serial numbers and then the police are unable to confirm who the property belongs to. There are even stories of the stolen property having to be returned to the thief after a while as they are unable to prove that it's not theirs.
CCTV is proving all-but useless as the thieves are always ready and cover all identifying parts of their body or clothing. Chemical marks are easily discovered with UV lamps and removed even if it means damage to the property. There's also a growing black market in projector bulbs as these are not serialised and are therefore almost impossible to trace back to a source, as well as being an easily removable, high-value commodity.
All this led me to thinking about laptop security. Currently, the only physical way of securing laptops is so-called "Kensington locks", small standardised holes in the chassis of laptops into which locks can be placed and also easily removed, sometimes without any damage at all to the laptop.
So if you can't prevent them being stolen, is there something else you could do? Each computer processor has a unique serial number burned into the silicon of the chip itself. However, there is usually no way to read this number from the chip as most manufacturers disable the option by default and also the thief can easily disable the same option. This means that not only is it time-consuming to actually read this number from a laptop on purchase, it's easily disabled too. Although if the laptop is physically recovered the number could be checked, there's no way to read this number remotely.
Lots of software packages exist to "phone home". That is, every time the machine is connected to the internet, the software sends a small packet describing its location/phone number/other identifying pieces of information to a central server. If the laptop is ever reported stolen, this information is passed to police so the thief is "caught" as soon as they go online.
The major flaw here is that a thief is going to be aware of such tricks and any professional would probably blank the hard drive upon receipt or even replace the entire drive unit and then install a clean version of the operating system. Software piracy would not be a big deal to a laptop thief.
Additionally, any hardware means of doing the same would also be detected and removed/circumvented. Or would it?
Why doesn't someone add to standard laptop chipsets a "call-home" modem/network card? Most laptops have built-in modems/network cards nowadays and they would be the devices that actually physically connect to the Internet eventually (I'm assuming that any stolen laptop in use today would most probably go on the Internet at some time in its life, which is not an unreasonable assumption).
Obviously, the modem/network card would have to call-home without the thief knowing. Let's assume, therefore, that the software driver for the modem/network card comes in two types - on the one hand, it will identify itself as a standard modem/network card, as supported by internal Windows drivers or the same drivers as a non-call-home device. In doing so, it will not give away its purpose. However, the driver originally supplied with the hardware would also include an option to send a series of innocent-looking AT commands or even packets to localhost. These packets would set a hardware password, and maybe other information such as an IP address or email address, which would be stored inside the chipset firmware itself.
Once the password is set, every time the device connects to the Internet (which is fairly easy for the hardware itself to detect and intervene without software assistance), the device is "activated". From then on, if the device driver does not send the password by the series of special packets/AT commands, the hardware itself would inject packets with the intent of sending a call-home packet/email to a central server.
This central server would most probably be set up by the hardware manufacturer, but it could also be set by the customer themselves to be an email address of their own. Whenever a standard non-password driver is used for the device (such as you would get by a reinstallation of the operating system), it would attempt to send this packet/email, which would include such details as the phone number called or the external IP address or even a short history of phone numbers dialled.
However, even with the "correct" password-driven drivers installed you would HAVE to know the password in order for the device to activate normally (or even activate at all) without sending such call-home information. If the thief was wise enough to know that this laptop contained such hardware, they might try to install the specialised drivers. However, without the password that is etched into the chipset firmware by the manufacturer/owner there is no way the thief could disable the call-home functionality or change the password. This won't have stopped him stealing the laptop but it will seriously limit its resale value; a laptop without Internet access is severely limited in its capabilities.
You could even add functionality to the "secure" drivers (the ones that ordinary customers will have pre-installed for them) that the device won't initialise the modem/network unless it receives the correct password from the user. This would prevent the thief from just using the pre-installed drivers, effectively forcing you to "log on" to the modem/network card before you can use it.
With such controls in untouchable silicon on the device that controls the modem, network card, wireless card, etc. a thief would be left with a crippled laptop, unable to go online for fear of being caught.
Even wiping the entire disk would do nothing; the specialised drivers would be gone so the chipset would "know" that it was being used on a machine that may have been stolen and wiped. If the device runs on a standardised driver (e.g. a plain 56k AT command set or an NE2000-compatible network card), then a thief reinstalling the system would be unaware that by using the standard Windows driver they are advertising to the chipset that the system has been stolen. Only the NE2000 driver which also sends the correct password (most probably obtained from the user at boot-time) would be able to circumvent the call-home functionality.
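The firmware behaviour described above, reduced to a small state machine, as an added example that is not part of the original post. The names (nic_fw, nic_provision, nic_unlock, nic_link_up, nic_reset) are hypothetical, and the injected call-home packet is represented only by a counter.

```c
#include <stdbool.h>
#include <string.h>

#define PW_MAX 32
typedef enum { LINK_UP, LINK_UP_BEACON, LINK_REFUSED } link_result;

/* Hypothetical model of the state the post keeps inside the chipset firmware. */
typedef struct {
    bool provisioned;               /* owner has set a hardware password */
    bool strict;                    /* refuse to bring the link up until unlocked */
    bool unlocked;                  /* driver sent the right password this session */
    char pw[PW_MAX]; size_t pw_len; /* stored password, never readable by the host */
    unsigned beacons_sent;          /* call-home packets injected so far */
} nic_fw;

/* Compare without an early exit, so timing does not reveal how much matched. */
static bool pw_equal(const nic_fw *fw, const char *pw) {
    size_t n = strlen(pw);
    unsigned char diff = (unsigned char)(n != fw->pw_len);
    for (size_t i = 0; i < fw->pw_len; i++)
        diff |= (unsigned char)(fw->pw[i] ^ pw[i < n ? i : n]);
    return diff == 0;
}

/* Set or change the password; once provisioned, the old password is required. */
bool nic_provision(nic_fw *fw, const char *old_pw, const char *new_pw, bool strict) {
    size_t n = strlen(new_pw);
    if (n == 0 || n >= PW_MAX) return false;
    if (fw->provisioned && (old_pw == NULL || !pw_equal(fw, old_pw))) return false;
    memcpy(fw->pw, new_pw, n + 1);
    fw->pw_len = n;
    fw->provisioned = true; fw->strict = strict;
    return true;
}

/* The "secure" driver's special command sequence, reduced to one call. */
bool nic_unlock(nic_fw *fw, const char *pw) {
    return fw->unlocked = fw->provisioned && pw_equal(fw, pw);
}

/* Called by the firmware when it detects the link coming up. */
link_result nic_link_up(nic_fw *fw) {
    if (!fw->provisioned || fw->unlocked) return LINK_UP;   /* plain card, or owner */
    if (fw->strict) return LINK_REFUSED;                    /* "log on" mode */
    fw->beacons_sent++;         /* stands in for injecting the call-home packet */
    return LINK_UP_BEACON;      /* standard driver: link works, beacon goes out */
}

void nic_reset(nic_fw *fw) { fw->unlocked = false; } /* power cycle keeps the password */
```

A reinstall with the standard driver corresponds to calling nic_link_up without nic_unlock, which is the path that increments the beacon counter.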
The original owner would, of course, be perfectly capable of reinstalling their operating system as they know the password to the device and are in possession of the drivers to send the password to the device. Even if the original owner sold the laptop, the person they legitimately pass the laptop onto could still use non-secure drivers. The laptop could handshake with the central server to see if it has been reported stolen before sending such a packet or, at worst, send an email to an address whenever it connects. This might even be a good audit tool for companies to see just how much the laptops get used.
Combine this with the fact that the concept is cross-platform and operating system independent (so long as two drivers exist: a standard one that can use the hardware normally and a specialised driver to send the special commands to the device upon initialisation) and you have a pretty foolproof system. You could ask for the password on boot (most corporate laptops have boot-time passwords anyway and the functionality could be implemented in the BIOS rather than the OS drivers), on login or on use of the device. Inexperienced thieves would be caught the second they used the laptop online; experienced ones would be deterred or at least know that the value of a laptop with such a system would be severely limited.
Just an idea I had ticking away in the back of my mind.