OK, I’ve got my first “Safer Appliance Computer” (S.A.C.) running in regular service. Ive chosen a “Torrent Server” as the first application mostly because it’s what I’ve been doing a lot of lately. Having just learned to use BitTorrent, I’ve come to like it. ( It is a ‘peer to peer’ file sharing service commonly used by kids to share music and pirate movies, by geeks to share new releases of software, and by anyone needing to ‘share’ files broadly and rapidly with minimal infrastructure. Having no ‘central server’ also helps prevent shutting down services via police activity.)
The Hardware
I’ve “moved on” from the testing with the 266 MHz Toshiba Laptop as the initial target; due to it requiring an older 2.4 kernel and / or being ‘dog slow’ on anything that didn’t do RAM disks and other ‘special’ things. Works fine on very old Linux releases… that don’t have modern browsers or Torrent services… so it will take an ‘integration / porting’ effort. Something for ‘later’…
The first S.A.C up and in production is running on an old HP Vectra with 256 MB of memory and a 766 MHz Pentium III “Coppermine” CPU. For truly ‘private’ computing it is not an ideal platform. It is from the ill fated attempt to put a software readable unique serial number in Pentium processors. When the EU started voting to forbid that, and customers started looking at AMD more, well, Intel “left that feature out” of later chips. At any rate, in theory, this unique CPU could have a Serial Number read and tracked. So it’s “OK for playing” but not for anything seriously secret / having legal implications. For that you need either older or newer CPUs or run in a Virtual Machine.
https://en.wikipedia.org/wiki/Pentium_III
Controversy about privacy issues
The Pentium III was the first x86 CPU to include a unique, retrievable, identification number, called PSN (Processor Serial Number). A Pentium III’s PSN can be read by software through the CPUID instruction if this feature has not been disabled through the BIOS.
On November 29, 1999, the Science and Technology Options Assessment (STOA) Panel of the European Parliament, following their report on electronic surveillance techniques asked parliamentary committee members to consider legal measures that would “prevent these chips from being installed in the computers of European citizens.”
Eventually Intel decided to remove the PSN feature on Tualatin-based Pentium IIIs, and the feature was not carried through to the Pentium 4 or Pentium M. The feature does not exist in modern Intel x86 CPUs.
The things a “Security Guy” needs to worry about / watch… (Want to bet the new BIOS replacement can uniquely self identify?… it must if it is to implement the ‘software security’ that it is touted as ‘providing’…)
The Operating System / Applications Suite
I’ve gone with the generic “Crunch Bang” Linux (also written as “#!” which are “special” in that they start off many Unix / Linux scripts as a directive about what to do / what is to come in the script). This LiveCD release isn’t ideal. The system is NOT “hardened” and it does some “silly things” like launching you automatically into a “sudo user” (meaning that the default user account can ‘su’ to Super User abilities and do just about anything to the box). So ‘eventually’ I need to ‘harden’ it. Shut off services not wanted. Make the default account VERY limited in abilities. All the usual things.
But since it is running from a CD, it’s pretty well “locked down” already ;-) Major thing I needed to do was unplug the internal disks so that anyone ‘getting root’ (administrative privilege) via hacking into the live system can’t mount the disks, inspect them, write to them, whatever. Easy enough on this box. Couple of plastic clips, slide the lid back, unplug power to the disk, put the lid back.
Running the operating system from the CD drive is a little slow when it needs to load a new module (as you get to wait for the disk to spin up). Next on the “to do” list is to do a USB / Thumbdrive install (to a lockable USB chip like an SD card) for the added speed. It is tolerable from the CD, but would be faster with random access solid state ‘disk’. Even slow forms like SD cards. It also has the quirk that every so often it puts up an error message that it could not eject the CD. (Probably a good thing since I’m running from it ;-)
So why use that release / Linux Distribution?
It come with decent browsers built in. It has Libre Office (Open Office under any other name…) It has “Transmission” built in (so no need for package administration to get a bittorrent server going). The GUI is reasonably nice; and while it has what I find a bit annoying, the more ‘modern’ behaviour of ‘right click to get a menu’ ( I like naive user friendly visible menus that the novice can see and explore while doing nothing ‘special’ that isn’t visually cued); it’s OK and not that hard to ‘discover’ once you are used to the idea of randomly clicking on things with each mouse key (even an empty patch of desktop…). It seems to be the current fad, so harder to avoid lately. At any rate, it’s not that hard to adapt to it.
There is also an ‘application’ named ‘conky’ (IIRC) that puts hints on the desktop as to what chords to play to make ‘special things’ happen. (Like pressing CTL-ALT-DEL all at once). I’m not fond of “special key chords”, but lots of MicroSoft folks are; at least this lets you put them where they can be seen…
User Interface gripe aside; the choice of applications present by default is good for a ‘typical’ starter desktop. Things are reasonably well laid out (once you discover the need to right click ala MicroSoft… just to get a menu). They seem to work well, and the speed is ‘not too bad’ even on medium old hardware. Yeah, it won’t boot on the old Toyshiba LTop… Oh Well… The T-LapTop can stay with Puppy Linux or Damn Small Linux until I make a ‘custom’ release for it. Just doing basic ‘disposable browser’ duty.
Back at the Vectra #! Torrent Server:
I’ve been snagging a bunch of old Linux releases (they work better on the older hardware and they are evaporating from the Web at a surprising rate) via BitTorrent. Now it wants to “seed” them back to the internet; to act as a server. Sharing the files on to other folks who want them; which is how peer-to-peer works. As, for some of the files, I’m the only person now seeding them, I feel guilty about shutting down the laptop (in some cases I had to FTP the file and put it up linking back to the existing Torrent Tracker as no one else was seeding them) . That means either I leave it running 24 x 7 (not good for laptops…) or I find a better way. So my first “appliance” box is a Torrent Server.
I’ve copied the .torrent files (that describe what is being shared and who is the Torrent Tracker and has the file check data and…) along with the actual data files (the thing being downloaded or uploaded) onto an 8 GB “micro-SD” card (about the size of your little fingernail). That micro-sized card is placed into a standard SD card carrier (that has a ‘lock’ switch on it) that goes into a USB adapter. This is plugged into a USB hub (just because I don’t like getting to the back of the box where HP hid the USB ports on this box). Yes, I could just use a simple SD card. I was interested in seeing how small a ‘chip’ I could use as a ‘remove and hide’ data store.
Now I can lock the card for ‘read only’ use if desired. The “micro” SD cards lack a ‘lock’ option, so the adapter to standard SD size also provides that. Best of both worlds. A micro sized chip to hide / dispose and a write lock switch.
At the point where the SD card is locked and the operating system is loaded from a CD, not much can be changed by malicious code or people on the machine. The data being served is locked and the OS is from a CD (eventually to be a similarly locked USB / SD chip). Not much that a system cracker can do. If you reboot it every so often, anything on it ‘goes away’ anyway. IF it does get hacked, it’s only the copy of the OS running in RAM, and they can see the Torrent server running. Big whoop!
IFF someone breaks into that Torrent Server box, they could use it to “snoop” the rest of the network, so a reboot of the box before doing other things will “blow off” anyone who’s cracked into it. Eventually I’ll firewall it off and that step becomes optional.
Issues
One thing I discovered in making it go was that the “Transmission” torrent server will let me point uploads and downloads at directories other than the default (./download) BUT, it would not let me go into subdirectories. I’d put the .torrent files in a folder named ‘Torrent Files’ and the actual download / upload images into a folder named ‘Torrent Data’. That’s a negatory… They must be at the top level in that USB drive to be seen by the Transmission torrent server program. Not a big deal as that USB drive is dedicated to that use anyway; but if you have a load of things on a USB drive and think you can stick Torrent down in a subfolder… think again.
I need to turn on / configure whatever ‘Firewall’ code is built into CrunchBang Linux.
I need to make a dedicated USB installation of CrunchBang Linux (which means I need to go buy another USB adapter and SD card – 32 GB this time, I think ;-)
At some point I need to look at ‘hardening’ the system more.
I need to implement a “DMZ” Demilitarized Zone network structure. At commercial sites, there is the “inside” or private network, the “outside” or internet, and then a ‘special’ network that is more internet exposed, and still outside the strongest firewall, for ‘sharing’ things to the internet. Mail, file swaps, etc. all come from servers in this DMZ. As they are on all the time, they are more subject to attack and compromise. A firewall between THEM and the ‘private’ network lets ONLY the desired services from that server to / from the private network. So I need to bulid a DMZ behind my ISP connection / router. That mostly consists of adding a firewall between the home network and the hub on the telco line. Not essential, but ‘nice to do’ someday. While MicoSoft and Linux are building ‘firewalls’ into their OS code as a ‘sort of a firewall’, it is safer to have a dedicated, locked, limited function, firewall box. That will be another SAC project for “real soon now” ;-) At that point, the ‘browser’ and ‘desktop’ functions move to a machine behind that inner firewall box and the Torrent Server is left on the internet modem/router/hub.
Further, I’m not sure what virus checking is being done by the Transmission torrent server. I think there’s an open source virus checker floating around (that may already be built in?) but need to ‘figure that out’ and any/all of: install, turn on, configure, admire it. It is theoretically possible for a virus package to be on a Torrent download and that could then be passed on to others as the file is downloaded. (It would be a bit hard as there are data consistency checks all over the place in Torrent, and especially since I’m downloading pretty well known Linux binaries and sources, not random movies and music, the risk for me is low.) Still, it ought to be done.
I ought to get encryption going on a disk / USB drive. Not a big priority as I’ve already done that experiment on the HP laptop and it’s easy and works well. Still, doing it on the Linux box is an important ‘next step’. Also the data and OS on the CrunchBang Linux box are all in the public domain anyway, so I don’t really have anything to hide. It’s more a matter of testing and completion than any real need. To be able to demonstrate the process of “kill power and pull micro-SD chip” to a dark useless box. Just two fingernail sized encrypted chips to drop in the flowerpot…
I also need to install TOR (The Onion Router) and Tor Browser on it to assure I can do ‘really private’ browsing if desired. And relatively private downloads. Torrent file transfer is “discouraged” on The Onion Network (as it is a bandwidth suck on a system which is already using bandwidth to reroute packets a lot), so eventually I need to get some of the more “private” torrent oriented dark network codes going too. The clandestine music and movie pirates have a couple of them working. I’m pretty sure they would not mind my sending some legitimate download traffic over their networks ;-) But all that is pretty low priority for me right now.
For now, it will run “as is” as I try to catch up on other things I’ve let go too long. It’s “good enough for purpose”. Enhancements can come over time.
Links
You can download CrunchBang Linux here:
http://crunchbang.org/download
It lists both 32 bit and 64 bit versions. I’m running the 32 bit version.
They are making a new website to be available ‘real soon now’ and direct folks to the ‘old’ website until it is ready… why not just build the old one quietly? Who knows… but here’s the “old” one that is the only one with anything on it right now:
CrunchBang is a Debian GNU/Linux based distribution offering a great blend of speed, style and substance. Using the nimble Openbox window manager, it is highly customisable and provides a modern, full-featured GNU/Linux system without sacrificing performance.
The OneSwarm network is a JAVA based anonymizer for Peer to Peer (P2P) file sharing. Still in a bit of a Beta release status, but you can see where things are headed for ‘private sharing’.
OneSwarm is a privacy-preserving P2P client developed at the University of Washington. Although backward compatible with traditional BitTorrent clients, OneSwarm also includes new features designed to protect user privacy when sharing data among friends through creating a distributed darknet, so-called friend-to-friend sharing.
OneSwarm is based on the Azureus (Vuze) BitTorrent client.
As Java has some security ‘issues’ of its own, I’d rather a non-Java implementation. Still, OneSwarm is better than the alternatives at present. So on the ‘todo’ list is to put OneSwarm on the SAC Torrent Server and see how it all goes together. At that point you have Onion browsing and fetching, then a OneSwarm based ‘sharing’ from a system that resets on reboot and has everything on encrypted chips anyway. Pull the plug, pull the chips from the SD sockets (all of about 10 seconds) and in about 30 seconds the RAM has degraded to where it isn’t usable for a cold boot attack, where frozen RAM can be used to extract data. (Or if power is still available, just hit power back on after you turned the box off; and have the BIOS set to ‘test memory on boot’ – as mine is – that will scrub it…) So any physical breech requires only a 1 minute or so ‘delay’ to have a ‘brick’ against even the folks with liquid nitrogen cans…
So that’s about it for now. FWIW, as I’ve only just launched the Transmission Torrent Server on the ‘box’, I can only state that it looks to be working and talking to the Torrent Trackers and such. I’ve seen ‘transmission’ show up in the list of BitTorrent servers / clients, and it is typically one of the faster and more reliable agents on the lists. I’ve not seen actual data uploads happen yet. Then again, I’ve seeded it with under seeded and not very much in demand files, so not that frequently requested. It ought to work fine.
uTorrent is worst. It has some behaviours that interact badly with BitTorrent when BitTorrent is seeding many files, such that uTorrent seeders / peers on other downloads ‘snub’ often and only move data slowly / rarely. At those times, Transmission servers just fly and take on most of the providing work. Oddly, shutting off almost all ‘upload’ and ‘seeding’ on the Windows BitTorrent application lets the uTorrent seeds actually provide data at reasonable rates. May be some kind of resource allocation thing inside BitTorrent or perhaps that uTorrent uses a different protocol, uTP, that is sensitive. At any rate, as a server, Transmission ‘plays well with others’ from what I’ve seen as a BitTorrent client.
Oh, and a final sidebar on “client” and “server”: As this is a peer to peer function, there technically are no clients and no servers. As used here, “client” means a machine with an empty file downloading it, and “server” is a machine that has the file and is sending it. In the middle state of partly downloaded, the machine is both getting and sending data, so is both a client to some and server for others. While technically neither, I think this usage is clearer than being precise on it being ‘all peers’ and constantly needing to qualify by ‘download’ and ‘upload’.
Musings from the Chiefio 
No sooner posted this than I walked back in the office and looked at the monitor… it’s busy uploading Knoppix to somebody somewhere ;-)
So it’s working fine. Looks like I can shut off BitTorrent and turn off the laptop anytime I want (and guilt free ;-) now…
Way above my pay grade.
@GallopingCamel:
Short form:
Linux on a CD driving an old box to serve files out to ‘the public’. Files from a locked USB ‘drive’ that’s an SD card. Nobody can “hack” the CD or the SD card, so at most I’m one ‘reboot’ away from cleaning up anything someone did manage to do to the running image.
Means I can ‘share files’ via Torrent without worry about my laptop and being connected to a thousand machines all over the world (including places like Russia and China and Iraq and…)
Eventually I’m going to make 3 or 4 such “appliances” doing specific tasks. Then my compute environment is fairly robust. Yet, with encrypted storage, if I have a “Tallbloke and the constable moment”, I lose nothing, I’m back up with a simple install of new chip images and CDs (stored in a private place…) and life goes on…
Besides, it’s a fun technical issue to use to ‘keep current’…
Eventually the ‘images’ move onto Raspberry Pi cards in a shoe box… Keep a dozen as “spares” in the shed… with spare CDs. IFF the Constable even knows that the R-Pi is ‘the computer” and wants to take it, I’m about 10 minutes away from back in business. IFF they ever return what they take, the SD cards go to the ‘use in the camera’ pile and the R-Pi boards get inspected for evidence of parts changes (compare to archive board…) and then used for ‘safe’ things like a public Torrent server for Linux releases… so any ‘buggery’ can learn about Linux ;-) Or sold on E-Bay…
The rest is a lot of jargon and specifics…
I think i’ll stick to newsgroups :)
E. M. – Good luck.
I have tried a #! distro some time ago on a very old IBM T23 laptop(now defuct). Worked OK but Openbox X-windows user interface wasn’t that stable, sounds like they cleaned it all up. I’ll give it a try soon.
You mentioned the want of an antivirus program, the standard one that works with Linux boxes ( and in the Debian repository) is Clam ( http://www.clamav.net/). It’s quite basic file scanner and the user has to set-up the scheduling (it actually looks like it puts a chron date/time on the system). As far as I can see there is not any ‘live’ antivirus programs but there are programs/scripts that use clamav for mail servers (clamav-milter).
Another company that does Linux AV is Bit Defender (http://www.bitdefender.com and linux repository at http://download.bitdefender.com/repos/ ) but I’ve never used their product in Linux but have on Windows were it was very capable.
Hope this helps.
PS.
I tried CentOS not good – got in a real tizz over a PPP connection, I couldn’t fix it so moved on. Sabayon worked great until it said it required an update to the Broadcom chipset drivers and that was the end any communications. So I’m back with the trusty PCLinxOS-Gnome. It’s a bit slower and resource thug (for Linux) but it works. The Windows Xp style interface is kinda comfortable too.
@Tckev:
Surprised to hear that about CentOS. As it is Red Hat Enterprise via an open source path, I’d have figured it would be pretty well ‘shaken out’. PPP is pretty old code and ought not to be ‘having issues’… (IIRC I had a PPP link running under Red Hat 6.x with no issues). Wonder if they depricated PPP in their own minds and didn’t test it much after some other, more basic, change to the kernel or communications stack…
Well, so far the #! Linux release has been fairly stable, but “Transmission” has not.
I don’t know if it is related to running from a “read only” directory, or not, or what… but it didn’t make it through the night. The OS kept running, but this morning Transmission was crashed.
Guess I get to look around for what Logs this system supports….
As it all also is running from CD in RAMdisk, it’s possible that the “cramped quarters” is (part of?) the ‘issue’ and just running it from disk would fix it (but ‘break’ my primary feature of running from read only media…)
So looks like I needed on more step on my process prior to posting “hey, this worked”: Stability / Duration testing. Letting it run over a long weekend and not have issues…
I’ve also found that Transmission (at least to the extent I’ve learned to drive it…) is not oriented toward “restart from scratch”. EACH shared .torrent file has to started by hand. (Partly to tell it not to look in the ./downloads directory and partly to tell it ‘do not download, you already have it’.) My sense of it is that this is a ‘rarely used path’ of operation. That generally “they” expect it to have saved some stated somewhere for the restart. This means that it does a ‘verify’ on each data file as each one is started (which is a very slow process from USB slow mini-SD chip… which I’m suspecting are not as fast as the ones sold for high end cameras…)
So now my choices are:
1) Figure out these “bugs” and customize the process, code, installation, whatever to fix it.
2) Try a different Torrent client/server.
3) Try a different Linux OS.
4) Learn where I just don’t know how to set some “well known” hidden parameter(s) in the Transmission Torrent application…
As I’m interested in the “running from USB” aspects anyway, I’ll likely do a #! install to USB drive as a first test / effort. See if that changes anything (at a minimum it will let me save some ‘new state’ info to the USB and then lock it… probably avoiding the ‘restart’ issues.
After that, I’ll like try running from QEMU or similar Virtual Machine from a USB drive. (Just because I’m interested in performance / operational data). Likely to be even slower and not “worth it”, but we can see. (It lets a ‘saved state’ be loaded from the USB even if the main operation of the VM is from a real disk… or with scratch files on a real disk).
Along the way, see if just adding a real disk swap partition cures any memory size limit issues. ( It is very possible that when working a lot Transmission just needed some more space for data block staging and could not get any. The indicated RAM is something like 10k blocks ’empty’ after first launch, and any memory allocation requests would like run that out. Then there is no swap space to use… So my first instinct is just that it wanted more memory, could not get any, and quit…) IFF that’s the ‘issue’, I can just stick in an old P.O.S. disk for swap only (and “someday” figure out a way to mount a file from an encrypted file system on said disk for ‘swap on a file’… to prevent my favorite kind of data dredge from swap space…)
Ah the joys of “system administration and integration”…
If a few quick tests don’t turn up something promising (like a memory shortage log entry ;-) I’ll likely also look at doing an earlier add of the package for OneSwarm or the Torrent client it is based upon.
And folks wonder why systems programmers are reluctant to give dates for when the project will be done… ;-)
UPDATE: Well, that was quick. Looked in syslog (/var/log/syslog) and about 6 hours of running, then Transmission tries to get more memory, finds it can’t, and dies. So either need to reduce the memory foot print of what is running, install a Swap Space, or install to disk / USB drive such that it doesn’t use a RAM disk for the live file system… (Yes, I could just add more memory… but what’s the fun in that? ;-) At any rate, it looks like about 384 MB min to work ‘as is’ strait from the CD…) I was going to post the log file using the FireFox on the box itself, but opening FireFox caused the vi editor to crash… so looks like ‘only one big program at a time’…
Oct 26 10:17:05 localhost /USR/SBIN/CRON[2721]: (root) CMD ( cd / && run-parts –report /etc/cron.hourly)
Oct 26 11:17:05 localhost /USR/SBIN/CRON[2753]: (root) CMD ( cd / && run-parts –report /etc/cron.hourly)
Oct 26 12:17:05 localhost /USR/SBIN/CRON[2771]: (root) CMD ( cd / && run-parts –report /etc/cron.hourly)
Oct 26 13:17:01 localhost /USR/SBIN/CRON[2779]: (root) CMD ( cd / && run-parts –report /etc/cron.hourly)
Oct 26 14:17:02 localhost /USR/SBIN/CRON[2807]: (root) CMD ( cd / && run-parts –report /etc/cron.hourly)
Oct 26 15:17:06 localhost /USR/SBIN/CRON[2835]: (root) CMD ( cd / && run-parts –report /etc/cron.hourly)
Oct 26 16:17:03 localhost /USR/SBIN/CRON[2873]: (root) CMD ( cd / && run-parts –report /etc/cron.hourly)
Oct 26 16:46:23 localhost kernel: [30395.004411] transmission invoked oom-killer: gfp_mask=0x44d0, order=2, oom_adj=0
Oct 26 16:46:23 localhost kernel: [30395.004428] transmission cpuset=/ mems_allowed=0
Oct 26 16:46:23 localhost kernel: [30395.004440] Pid: 2599, comm: transmission Tainted: G C 2.6.32-5-686 #1
Oct 26 16:46:23 localhost kernel: [30395.004447] Call Trace:
Oct 26 16:46:23 localhost kernel: [30395.004481] [] ? oom_kill_process+0x60/0x201
Oct 26 16:46:23 localhost kernel: [30395.004495] [] ? __out_of_memory+0xf4/0x107
Oct 26 16:46:23 localhost kernel: [30395.004507] [] ? out_of_memory+0x5a/0x7c
Oct 26 16:46:23 localhost kernel: [30395.004524] [] ? __alloc_pages_nodemask+0x3ef/0x4d9
Oct 26 16:46:23 localhost kernel: [30395.004537] [] ? __get_free_pages+0xc/0x17
Oct 26 16:46:23 localhost kernel: [30395.004551] [] ? __kmalloc_track_caller+0x34/0x124
Oct 26 16:46:23 localhost kernel: [30395.004575] [] ? sock_alloc_send_pskb+0x8e/0x257
Oct 26 16:46:23 localhost kernel: [30395.004589] [] ? __alloc_skb+0x4a/0x115
Oct 26 16:46:23 localhost kernel: [30395.004601] [] ? sock_alloc_send_pskb+0x8e/0x257
Oct 26 16:46:23 localhost kernel: [30395.004631] [] ? __wake_up_sync_key+0x33/0x49
Oct 26 16:46:23 localhost kernel: [30395.004643] [] ? sock_alloc_send_skb+0xc/0xf
Oct 26 16:46:23 localhost kernel: [30395.004665] [] ? unix_stream_sendmsg+0x134/0x2c4
Oct 26 16:46:23 localhost kernel: [30395.004679] [] ? check_preempt_wakeup+0x196/0x202
Oct 26 16:46:23 localhost kernel: [30395.004691] [] ? __sock_sendmsg+0x43/0x4a
Oct 26 16:46:23 localhost kernel: [30395.004703] [] ? sock_aio_write+0xa3/0xb0
Oct 26 16:46:23 localhost kernel: [30395.004721] [] ? do_sync_readv_writev+0xb8/0xf9
Oct 26 16:46:23 localhost kernel: [30395.004733] [] ? update_curr+0x106/0x1b3
Oct 26 16:46:23 localhost kernel: [30395.004757] [] ? autoremove_wake_function+0x0/0x2d
Oct 26 16:46:23 localhost kernel: [30395.004770] [] ? rw_copy_check_uvector+0x59/0xc3
Oct 26 16:46:23 localhost kernel: [30395.004784] [] ? tick_dev_program_event+0x1e/0x81
Oct 26 16:46:23 localhost kernel: [30395.004809] [] ? security_file_permission+0xc/0xd
Oct 26 16:46:23 localhost kernel: [30395.004822] [] ? do_readv_writev+0x81/0xd6
Oct 26 16:46:23 localhost kernel: [30395.004833] [] ? sock_aio_write+0x0/0xb0
Oct 26 16:46:23 localhost kernel: [30395.004853] [] ? rcu_process_callbacks+0x33/0x39
Oct 26 16:46:23 localhost kernel: [30395.004871] [] ? __do_softirq+0x115/0x156
Oct 26 16:46:23 localhost kernel: [30395.004883] [] ? vfs_writev+0x37/0x43
Oct 26 16:46:23 localhost kernel: [30395.004894] [] ? sys_writev+0x3c/0x91
Oct 26 16:46:23 localhost kernel: [30395.004911] [] ? sysenter_do_call+0x12/0x28
I added a swap partition ( put entry in /etc/fstab and did ‘swapon -a’) so I can now edit, and run the browser, at the same time… At present, it has 50 MB on swap… so almost ran in the memory available… “Missed it by THAT much!”… ;-)
OK, I’m going to restart Transmission (with swap space) and see how much swap (thus added memory) it needs. Leaving things in swap is a security issue (especially for when folks steal the equipment…) so I’ll likely look into ‘encrypted swap’ options.
An old Thinkpad T23, huh? Sounds like the first laptop I got for my kid – second hand, of course. Finally replaced it this summer with a new Lenovo that had a nice discount. I still use my old Thinkpad (not the T23) a few times a month because it has my installation of Band in a Box on it, but most of the time I use the living room computer for general surfing and reference.
Also this summer, I helped a friend recover his docs from an old Dell laptop that his local support people wouldn’t even attempt. All they offered to do was restore it to original. (Friend is now 2 states away.) I found a way to use a Live CD of Ubuntu to boot up and get to the hard drive in the laptop, even though it wouldn’t boot to Windows anymore without being restored to original. I did finally restore it to original, but not until after retrieving about 25GB to 26GB of personal documents and placing them on the new laptop’s hard drive. Heh – the restoration took only about 10 minutes and didn’t require the use of a DVD because its own restoration image was intact – but the support people he had asked for help said they wanted $300 to do the restore, but without trying to salvage his documents. What a rip!
I happened to have a dock that can take 2 sizes of SATA drives and 5 sizes of SD cards and 2 USB slots, although I bought it on special as a way to have some more USB ports on my computer that has all the MP3 files and other media stuff. I was able to put the old laptop’s hard drive into the dock and boot the new laptop to Unbuntu, connected to the dock, and copied over the documents to the new laptop. (I had to boot to Ubuntu because the new laptop had Win7 and only offered to format the old hard drive that it could see in the dock.) However, when I took out the Ubuntu CD and booted it to Win7 again, it decided something was “broke” and spent some “fixing” it. After that, the documents I had copied over were nowhere to be found! (‘m guessing Win7 didn’t like seeing that the files that had been written using Ubuntu did not conform to its file system standards in some way.)
I finally ended up using a 32GB SD card that I just happened to have on hand to move the files from the old laptop (which had a slot for the SD card) to the new laptop (which doesn’t have a slot for the SD card). I used the dock to make the SD card available to the new laptop.
I haven’t been the deskside support person for the department since 1999, so I had to learn some new stuff this time. That’s OK. I keep telling myself, “You learn something new every day!”
Could I please make an off-topic request for help?
I have trouble on game days with people who park in my reserved spot illegally. In my current location, the first time they did it and I called the campus cops, they wanted to wait until after bedtime to see if the visitors would be gone. :-(
So haven’t tried calling the cops since then. However, this year I have been putting 2 cinder blocks into my space, to deter people from trying to park there. My neighbor has been putting one of his kitchen chairs in his parking space, which is one space away from mine. Well, last weekend someone not only parked in our spaces, they stole our stuff. (That’s why I didn’t use anything really important, like a piece of furniture.)
The weekend before, someone parked in my spot and I wrote down the details, but there were lots of open spaces so I didn’t call the cops. The car that used my spot last weekend was not the same car. They were both from out-of-state, though. I have tried to be long-suffering about it, but their taking our stuff is too much. Now they’re being jerks.
As I recall, last weekend when I came home for the night, there was a car in the middle of the drive way, with 3 people either getting in or getting out. I think one of them was an athlete, and the others were groupies, or call-girl-wannabees. When I drove up and gingerly pulled into the space next to mine, the girls flashed great big smiles at me. I thought that was weird. So I think they may be the ones who took our stuff.
Well, today I walked to work and left my car at home because I plan to call the cops as soon as someone uses my space again. I don’t want them to pull into my spot until the work week is over.
I have made some more calls today, and they say they will help me as long as it’s timed right. I found out from the towing company that it will cost them an extra $70 to have to call for their impounded vehicle after hours. So I expect they will be in my spot tomorrow night during the game when I get back from my errands, and I can call the cops and have them towed. It will be suppertime on Saturday, and it should cost them a couple hundred dollars to get their car, which suits me just fine. I talked to the parking people and the towing people and gave them a heads-up. Even though it troubles me to have to do stuff like this, at least it makes the people happy who issue the ticket and impound the car.
My request for help has to do with the fact that I’d rather not have to do sort of thing anyway. Is there any other way to get them to stop, seeing as being patient and losing property are not doing any good?
I am reminded of what a TV anchorman said a few weeks ago, that young people today are just a lot meaner than they used to be. :-(
Somewhat on topic, but showing how stupid and wasteful the government is … well, as if THAT were even necessary, but anyways …
“Unencrypted codes
The security information on the barcodes is only meant to be decoded by Transportation Security Administration (TSA) officers, so it was not thought to be a problem that PreCheck selected which users would get a less rigorous safety check in advance.
The fact that passengers can use their handsets to find out if they have been picked poses a problem, says Christopher Soghoian, principal technologist at the American Civil Liberties Union.
“The disclosure of this information means that bad guys are not going to be kept on their toes anymore,” he said.
The security issue was publicised by aviation blogger John Butler, but had been discussed in specialist online forums since last summer.
“The problem is, the passenger and flight information encoded in barcode is not encrypted in any way,” wrote Mr Butler.
“Using a website I decoded my boarding pass for my upcoming trip.”
http://www.bbc.co.uk/news/technology-20080621#?utm_source=twitterfeed&utm_medium=twitter
@PowerGrab:
Perhaps a nice long strip of red plastic film… ‘adhere’ it to the curb with something slightly gooey but not permanent when leaving, remove it when you return?
You could also try putting up a nice little sign saying “Parking Space Reserved for Resident. Towed cars may be retrieved at impound lot FOO”….
Just putting what looks like “junk” in the space does not have the ‘color of authority’ and just looks like some OTHER random trying to camp on the space. You want something that gives the look of authority about it.
Sidebar:
Once Upon A time… at Amdahl Corp, my office mate and I taught database classes and did database consulting. We typically ran a couple of classes a week with about 20 folks per class.
Our office overlooked the handicapped parking space (before folks were as careful about them as now and when fines were ‘only’ $50 instead of a few hundred…). Frequently non-handicapped folks would park in it. Some “just to run in for a minute”, a couple of delivery truck drivers thought of it as “their space” for unloading… Some folks for hours…
One day it is raining. Our co-worker in a wheel chair has to park in some other space, then can’t get up the ramp to the sidewalk as the truck in her space is also blocking the ramp. I end up picking up her, and her chair, and setting them on the sidewalk… in the rain…
Next week, we have a new “demonstration system” for use in our database class… “The Violator Database”… Loaded with live data. Make, model, color, plate on car. Description of driver (age, sex, race, clothing, hair and eye color, clothing, etc.) Time police called. Time police responded. Ticket issued time. Time Violator returned. (I wanted ‘reaction to ticket’ but my office mate didn’t…;-)
First presentation, we only have a couple of folks in the database, and no ticket. By about the third week, the cops have figured out that when we call, they can clip and easy $50, and response time is down to fairly short minutes… We’re now showing sample data with several ticket issued times and shortening response time…
By the third week (with us calling EVERY violator to the cops as they are parking in the space…) Ann, our workmate, is having No Problems getting parked in ‘her’ handicapped parking space ;-)
About the 2nd month some time we’re having zero new “events” (as word spread internally from ‘folks talking’ and as ‘habitual outside offenders’ being informed of their right to pay by the court…) and the rate of “issues” drops to about one ever few months. Some folks see us, inside our large window, looking pointedly at them as we pick up the phone and start dialing, and just get back in the car / truck and ‘move along’ ;-)
So moral of story: Let the Violator know what’s going to happen. Train the cops that they can pick up a nice easy few hundred bucks (and you need keep watch to cancel the call if the Violator leaves before the cops arrive, so the cops know you will not waste there time). Also consider asking if application of a ‘boot’ is an option… We got to be on nearly ‘first name’ basis with the dispatch officer due to our well presented calls: “Hello, this FOO and BAR. We have a violator in handicapped space at ADDRESS north side. Car is Make, Model, Plate, Color, guess at year, driven by Gender Race Age Hair color who arrived at TIME. Can an office come provide a ticket to them please? Thanks…” Some days the nice well trained officer would show up inside single digit minutes…. (They learned that about 8-10 ish AM they’d get a call. Ann showed up at work about 9 something as she needed more time to get ready in the mornings… Eventually some of them would just do a pro-forma cruise through about 8:30 to 9 ish and write one on their own ;-)
Also, if these are private spaces at a ‘complex’ (at least if your laws are at all like California) the property manager can call in for a “tow” here. No cops need approve… (as long as it is posted ‘somewhere’). You might want to check on that point. It is also possible for the property owner / manager to contract directly with the towing company and give them permission to just show up and take cars that do not have a parking sticker. Once the tow guy gets trained to collect a couple $Hundred several times a day, well, you will typically always have a nice open parking space… So find out what the local laws are on who can call for / delegate to, a tow company…
@Jim2:
In my experience, Government agencies (other than TLAs) that deal with “security” often have some of the least secure systems around…
Like cops are often some of the worst shots who know the least about guns… (not always, just often…)
Good point – something that looks more authoritative could work better. My cinder blocks used to be a block-and-board shelf inside, and they’re painted navy blue. They don’t look quite as trashy as plain ones might. But I have been trying to figure out a way to put an actual sign in front of my spot. I saw some others around town that said, “Tenant parking. We will tow!” They’re just little pieces of cardboard on what looks like a coat hanger that’s been re-purposed as a sign support. I don’t want to spend big bucks on a sign, since it could very well get stolen, too. I was considering covering a box and painting the wording on it.
I wish they would mount permanent signs at the places where people enter the neighborhood, telling them that all parking spaces with numbers are reserved, but un-numbered ones may be used by guests. They have been putting temporary signs out that say guests are required to get a parking permit, but the cars I saw the past two weekends, parked in my place, have had not permits of any kind on them.
I could put a web cam in one of my windows to record the activity at my parking space. It would record the rear of the cars parked there, which would mean the car tag might be picked up. But isn’t putting up a streaming web cam a different project than putting up a surveillance cam that can record? I have a computer in that room that has 500GB of space, but nowhere near that much stuff on it. I would think a few hours of surveillance could be stored on that disk.
When I spoke with the parking people, they did take down the description of my car, so they could tell if my parking place is occupied by my car. But they said they would rather I call them if someone needs ticketing and towing.
Thanks for the feedback!
ChiefIO, I thought you had a Raspberry Pi earmarked for this project…what happened :p
@PowerGrab:
THE classical portable sign is an old can, with a stick in it, and cement or plaster in the bottom. Then apply any stiff material of your choice with lettering. ( I would likely go with a simple plastic sheet with lettering applied )
Now you can set it out, or not, yet it looks like a ‘real sign’ and you can even make it big and use a 4 x 4 if you want… At one time, the local Police Department used 5 gallon cans with a 4″x4″ fence post and a STOP sign on top for “portable” stop signs… so sometimes these even ARE official!
A 5 gallon can is often available for free from the local fast food joint or house painter. A bag of ‘fence post mix’ runs a couple of bucks. Post even less. How you make and letter the sign is up to you. Heck, even a sheet of metal is cheap and then it’s just down to paint…
You can even keep it in the trunk of your car when parked in the space… though you might want to use a smaller can and less cement ;-)
Oh, and I’d put a little ‘placard’ on the dash that says “resident of FOO, parking space BAR”… just so it’s clear to the cop that your car belongs there…
Pingback: I ought to have Gone Danish for secure Linux | Musings from the Chiefio
@Intrepid_Wanderer:
Still going to do the Raspberry Pi.
What happened? I went to buy one and the wait was ‘weeks’ and / or indefinite. Not wanting to wait forever to start, I figured I’d get some of the software ‘search’ out of the way while the queue of folks ahead of me on the ‘buy a Pi wait list’ got cleared out.
So I looked at what Distributions ran on the Pi and I put up one of them in a Pi Emulator. So still working that direction, just minus the ‘board in hand’.
As I’ve pretty much got the software environment sorted out now, and the wait list on hardware has dropped, it’s getting higher priority to ‘move on’ to doing the same thing on the Pi.
https://chiefio.wordpress.com/2012/10/27/i-ought-to-have-gone-danish-for-secure-linux/
Has me using a public available ‘secure / private’ Linux distribution. They published the “build script” for it too. I’ve downloaded the script. It is built on Debian. There is a Debian ARM port. I’ve downloaded all the Debian ARM source code too… (Though it is changing fast. Common in a ‘young port’. Even the application binary interface is changing some). While I’d originally thought I’d be on Gentoo (or Arch) as they have ARM support, it looks like the extensive use of ARM in cell phones / pads (and maybe the Windoz ARM support) is pushing more ‘mainstream’ ports of Linux into the ARM camp.
Thus that use of the Debian base ‘mix’ is ‘reasonable’.
Also along the way I had to learn about Torrent (since many of those downloads are via Torrent files). I’ve now got it running in a “Secure Environment” on an old POS (Piece Of Sh..) white box PC. Is that a ‘distraction’ or a ‘side track’? Probably not. It’s a server I need to do the source code downloading / archiving without having my laptop “full of stuff”.
The other point is that far more folks have an old POS computer in the garage, closet, or available for $5 at a yard sale. So for others wanting to get their feet wet, having a non-Pi optional path is likely a big ‘feature’ (as it was for me during supply shortages of R-Pi boards…)
Oh, and my next “to do” is to buy a 32 GB SD chip (and USB adapter for it) to put on that Torrent Appliance box. At that point, doing the Debian based install onto the USB encrypted target lets me work out any “issues” in that process regardless of target hardware. When my R-Pi gets here, it may end up as easy as “install Debian. Compile the ‘security remix’ on the ARM. (work out any integration / compatibility surprises). Store backup image. Encrypt enable USB drives / SD chip in slot on Pi. Install security remix.”
At the same time, knowing approximate memory and resource demands of the Debian release lets me make ‘good guesses’ about the probablity it will work on a Pi as well. (it ought to…)
Short Form: Still going to do a R-Pi version. Using old POS PCs lets the project move forward even as I wait for easy hardware availability. I’m getting usable “appliances” now via using my ‘old junk’ PCs.
Besides, IFF I’m really lucky, I’ll have a “TallBloke and the Constable” moment and they will confiscate the old trashy boxes and clean out my junk pile / garage for me. ;-) Then If they come back broken at all, I can demand new stuff ;-)
OK, let CrunchBang Linux run overnight (doing Transmission based Torrent serving of the various Linux distributions I’d downloaded…. it’s ‘polite’ to ‘seed back’…) and got some answers. As I’d mounted a 2 GB disk for “swap space”, it didn’t crash this time.
But it has this habit of tossing up a ‘failed to eject CD’ error nag every so often (and I’ve not taken the time to figure out why and stop it). So this morning I start clicking the “OK’ boxes to dismiss the dozen or two of them… and notice that the swap space usage (displayed in the ‘top’ command) is about 180 MB. Each time I click one to close, that number drops. It ends up at about 80 MB. So about 100 megBytes of “swap” (thus memory demand) was sucked up in those bogus error messages…
Looks like “fix that” and the memory demand drops a lot for overnight survival…
As Privatix does NOT have that problem, and is based on substantially the same Debian distribution, it is clearly easily fixed. (Finding out why it is doing this is likely the hardest part).
So “mystery solved”, but “patch not yet available”…
It is highly likely that this is idiosyncratic to some particular aspect of my hardware. (The folks making the release will have tested on something, and this is pretty fast to manifest). So YMMV and you may not have that ‘issue’.
FWIW, at one point I ran the software QA group for a compiler tool chain. (That eventually got absorbed into Red Hat ). We had a collection of something like 50 different kinds of workstations of various vintages just so that we could test a lot of ‘odd stuff’. Probably part of why I keep some of my “old junk” around longer than most. It helps in QA and development in that it lets you do various kinds of ‘stress testing’ and gives a broader sample of hardware behaviours during development. It lets you find your ‘limits’ more quickly and identify problem decisions in the design before you commit too much to them (or worse, ship it…).
At this point I’m going to move CrunchBang off of the Vectra and onto the Evo to see if the “eject” bug continues there. Easy to do (halt one, boot the other, use it and watch). As the Privatix distribution / release has all the things I want anyway, plus some security things, I’ll likely just run it on the Vectra. (Only thing I’ve not figured out on it, is how to run a browser that is not using TOR. I’m sure it’s in there, and likely ‘easy’, just didn’t have much need for it… as I was mostly testing TOR at that time).
Oh, and I’ve done an install of “Vector Linux” into a virtual machine on the laptop. It is a fairly nice release. It was not a LiveCD, so did an actual install (to virtual disk). It comes with FireFox, Opera, and another browser already installed. Only complaint so far is not being able to get it to use my whole laptop screen. Likely my ‘issue’ in choosing the ‘wrong’ monitor settings during the X.config setting. I chose 1024 x 786 (or something close to that) and when swapped to ‘full screen’ it’s not using all the way to the sides. So some more ‘fiddling’ to do.
It is running from un-encrypted disk, so is not a ‘fully secure’ environment. (It is possible to mount Virtual Box VDI (Virtual Disk Image) disks into the ‘real world’…) But my earlier test running other Linux releases from a Virtual Disk did not show much performance ‘hit’. So on that “to do” list is settle on a ‘daily driver’ virtual machine image and do the final integration of all the bits onto an SD card encrypted container. I’d done it with test releases, but not tried it as a ‘daily driver’…
For now, I’ve got a laptop with a ‘secure enough’ way to resume web browsing / logging in to accounts with some sense of privacy. Being inside a virtual machine, (even if NOT in an encrypted container), means that the major risk is just a key logger on the host machine. As key logging doesn’t give much context, I’m not all that worried. I’ve not seen evidence of key logging on this machine (though havent looked too closely) and it’s likely ‘enough’ privacy to be using a VM system image to log in, via and encrypted https pipe, to my accounts. Each “startup” will be from a saved base image (NOT the ‘last state’), so any infection of the virtual machine image will evaporate with the shutdown (as the next start is from the saved snapshot). When all that is moved onto an encrypted SC card, it becomes secure from some added attacks (like looking at the disk image from the host level) but those are not much of a worry for me right now. Yeah, I need to do that “move to encrypted” and likely will in the next day or two, but not a big rush.
Summary:
Laptop with VirtualBox VM image is ‘good enough’ for many things. Once encrypted on SD card will be ‘even better’ (though subject to key logger attack).
CrashBang has a minor bug unlikely to show up on most hardware that causes overnight memory usage to grow (thus the crash on low memory). Likely easily fixed.
Privatix works just as well and has more security / privacy features built in.
Vector Linux is well endowed with browser choices and installed easily into a Virtual Machine space on the laptop. I need to tune the video settings a bit for the laptop, but generally like it.
I will be moving CrashBang to other hardware to see how it does there.
I will be using Privatix as a ‘daily driver’ on the Vectra (and trying it without swap as it does not have the eject CD bug).
I will be (eventually) putting a Linux (likely the Vector Linux as it has Opera to play with) and it’s virtual disk image onto an SC card and inside an encrypted (TrueCrypt) container. This will do a pretty good stress test of performance (mostly speed and usability).
At that point, I ought to have 3 platforms with various degrees of security and privacy and various performance envelopes. That, then, lets me evaluate what would be most comfortable and what would be most likely to work well on a Raspberry Pi. (Basically, at that point I need to do a “small Debian ARM” vs GenToo vs Arch evaluation… and that will either take doing some math on the relative performance specs on an ARM or, more likely, just getting a Raspberry Pi in hand and ‘doing the test’ on real hardware).
The Vectra becomes a ‘secure and private’ browser and Torrent Server (and test bed for daily usability of Privatix), while the Evo becomes a desktop “daily driver” for general web wandering (sans the privacy enhancements).
Pretty much at the point where ARM hardware is needed to move forward at the ‘best rate’. But at least now I’ll have a platform where I can put in the credit card number on the order and not feel too worried about it ;-)
I am glad to see that answers are beginning to replace questions. A safe web surfing machine that does little else is a good start. After you blaze the trail, then maybe those of us that are less talented can follow. ;-) pg
@P.G.Sharrow:
Well, I’ve already got 2 such solutions working in “production” now. The Privatix release is more stable and forgiving to environment on which it is run. (i.e. I like it a bit more).
Especially now that I’ve noticed that the “little red advisory” at the bottom of the FireFox browser that said “TOR Enabled” isn’t just an advisory. Click on it and it toggles to non-TOR. So you have 2 levels of “privacy” built in to the release. The standard FireFox “private browsing” settings, and then the “TOR” random routing / origin process. All that layered on top of a CD based LiveCD system. So any cookies and / or other intrusions can not persist from one use to the next.
A USB drive can be plugged in for removable storage (so things like bookmarks can be saved / reloaded if desired).
At present, the Vectra with Privatix is my default “secure browsing” platform (and part time Torrent Server). As a medium fast old Pentium with 256 MB of memory, it’s likely fairly representative of the kind of machine that can be picked up for about $20… or even free from some folks.
I’ve been testing CrunchBang on the Evo. It’s “OK”, but just a tiny bit more ‘quirky’. More error messages at boot (that can be ignored), and then has that “CD Eject” bug on the Vectra. Took it a couple of times to accept my email address on the WordPress login nag / page (perhaps a type by me, or a warping of some digits by it on first load).
So at this point I’d suggest that anyone thinking of ‘following’ the trail, get an old POS PC and burn a Privatix CD and try it. All the “fancy bits” can wait for later. (Things like mounting swap disks and all). I ran it as a Torrent Server AND opened FireFox to browse a bit with NO swap space and it did fine. Probably don’t want to open a few dozen high page weight pages with a low memory machine (as each page takes memory) but wasn’t as fussy as CrunchBang.
Just getting comfortable with the boot process (or reporting what didn’t work and I’ll advise) is a good place to start. If you already have a PC, the LiveCD boot options typically run just fine without touching your disk at all. While there is a theoretical ability to do something bad, the LiveCD process is pretty well debugged and “no bad thing happens” is the norm (by far). Unlike “Install to disk” which plays with the MBR (boot record) on your disk and does formatting of sectors and more; the LiveCD is designed to ‘leave no trace’. Usually all that you run into is that it may not run on some hardware (lack of drivers or just not enough memory – since it isn’t doing swap to disk).
I’m going to be living on Privatix (and some CrunchBang) for the next couple of weeks to do a ‘shakedown cruise’ and note what is missing, desired, doable in a strange way, whatever. Basically “spec” what I want in a system (and note what is already there, or not) in preparation for eventually making my own mix. But frankly, other than the occasional bit of German in the Browser ;-) I’ve not found anything I wanted that was missing so far.
I’m also going to be working out the process for some things (like bookmarks portability and such) using a USB / SD card for “persistence”. That “scripting” of behaviour will be posted, too. So “how to mount a USB drive” is fairly trivial; but a bit easier if you know where to look for which command….
Still fooling around / picking one for the VM Linux on the HP-Laptop. Major issue is just getting something that uses the whole screen ;-) Minor question on how to get things easily from the real LT environment to the VM and back. Not high on my list of issues, but needs working out. Mostly I need to clean up / toss out the dozen or two VM instances that I have cluttering the thing up ;-) Focus in a bit more on what was comfortable.
So I’d suggest to “not wait” to try some things. It’s really easy to download and burn a LiveCD. It’s really easy to try TrueCrypt and get comfortable with it. It’s modestly easy to set up VirtualBox and play. All of those skills are valuable. Getting a USB drive and getting familiar with it is a ‘good thing’ too. All of those ‘bits’ have ongoing utility. For learning a bit of Linux, most any of the LiveCDs is an easy first step. Heck, try a couple to see what you like! Gnome desktop is fat and full featured (but other things have to be left off the CD…) while xcfe is light and fast. KDE is in between. (I’ve slowly come to like xcfe more…)
OpenOffice (by whatever name, like Libre) is a bit different from MS Office, but just as capable IMHO. I first started using it ON a MSWindows box, so it’s not like that has to wait, either!
Oh, one final point: The choice of desktop environment (KDE, Gnome, xcfe, etc.) changes the look and feel. Which Linux is under it does more to say what hardware it lives on well. Or how a systems admin takes care of the box. So learning, for example, KDE, is a portable skill to other Linux Distributions. Ubuntu is ‘big and fat and wants lots of hardware’, but Knoppix that is built on the same underlying Debian code is small and fast. So if you have big hardware, Ubuntu LiveCDs can be workable. If not, Knoppix or even DSL typically work. That kind of thing depends more on the particular target box, so harder to choose up front without a box in mind. (Heck, even with one in mind it can be a bit ‘hunt and peck’ as I showed here ;-)
So some of it is a ‘search process’. BUT, the good thing is that you don’t have to shell out $70 a ‘try’ to see if the software is something you like. It’s all free ;-)
As I don’t want to trash my working box/system I will need to go “shopping” for a cheap POS to set up for a learning environment. Every time I do a duel boot it trashes my working system.
So I need to get an idea of the needed resources. I have Ubuntu on hand with a book and am using Open Office and Firefox on this XP Dell 2400 Dimension. My service provider is Hughes Sat.so we are a bit bandwidth limited. pg
@P.G.Sharrow:
One of the benefits of the LIveCD trials is that it does not install, so it’s not a ‘dual boot’.
Your XP Dell ought to be a Ghz / GB kind of machine. If so, you can even run a Virtual Machine environment fairly effectively. Download VirtualBox for free and install into that. Zero impact on your host running environment. (Though the LIveCD ought to do zero to the host as well…)
For the software download, you could always take a laptop to the local StarBucks ;-)
But serioiusly, look into “BitTorrent”. It will slowly suck down a file in parts, even with shutdowns and all, over several days (if the available bandwidth is low). It looks to me like it does 1K ‘chunks’ at a time, so every 1 K worth, you are checkpointed and can stop / start with no loss.
It has tunable speeds, too, and you can pause transfers. So that lets you give it all the bandwidth when you go to bed, and tell it to back off while you want to use the network.
For the MS Windows world, I’ve got both BitTorrent and uTorrent on my HP Laptop. I like BitTorrent better, but not by much. uTorrent seems more ‘picky’ about what speeds are available to it. Then again, it also seems more happy doing downloads while I was mostly grumpy at how the uploads were not as effective… (uTorrent ‘backs off’ more, near as I can tell).
At any rate, as long as you don’t INSTALL linux to the PC, but just run a LiveCD or a VirtualMachine like VirtualBox, you have avoided the risk of ‘dual boot hell’…
Then again, I always encourage folks to keep an old POS pc around for ‘experiments’… it’s dirt cheap and if the main box ever fries (say an EMP while plugged in) you have built in secondary services ;-)
For most things, a 700 MHz and 512 MB scale box with 8 GB of disk ought to be fine. I’m mostly running things on 400 -700 MHz and 256 MB, and often only 4 GB (or even 2… or in the case of LiveCDs, zero disk). As Windows 8 is now shipping, I think a lot of machines in that size class will “no longer work” with it, so will be cheap ;-)
Last spring, back-doors were discovered in computer chips that the U.S. military purchased from China. Coming soon to a computer near us.
In 2001, my firewall blocked some 5000+ outbound attempts per hour to access a Viewsonic corporate ip address with a url ending in “\red_chinese_military”. Turned out that the offending software had come ‘free’ with my LiteOn external DVD burner. Perhaps only a weird, unfunny joke…
In any event, it’s reasonable to assume that all hardware, security software and OS’s contain bugs which at some point will allow passwords and encrypted data to be compromised.
A simple way to safe-guard sensitive material is to disable internet access on those computers dedicated to maintaining such info (i.e. no bluetooth, wireless and nic cards). Use removable storage to transfer files to/from an internet pc.
Great work on the safer appliance, Chiefio.
Perhaps the following idea might be useful.
Some years ago I rolled some LiveCds which included FreeNx into Damn Small, Puppy, TinyCore and Knoppix. The idea was to be able to use public WiFi via a tiny netbook to tunnel to home PC – and use the big dog machine to run applications, browser, access the network ‘from home’, etc. My stripped down, heavily modified DSL booted in 12 secs and pulled up LibreOffice in less than 1 sec ( fast Wifi, not tested over slow Wifi.) Since FreeNX transmits compressed video diffs for refreshes – not full screen data – it can be startlingly fast.
@BlueIce2HotSea:
Glad you like it! I’ve not looked at FreeNX. I’ll take a look. I don’t own a ‘Netbook’ of any sort (in fact, the HP Laptop is the fastest box I’ve got, I might need to connect my home computer to IT for more processing power ;-)
Still, I’m always interested in distributed computing things…
Hmmm….. I know some folks who are still on ‘slow links’. Could be very interesting to put the “Big Dog” at a friends place with fast internet, then they ‘link in’ over a slower link that is just doing ‘video diffs’… Hmmm… That needs serious pondering…
On the security topic:
Yeah, I’ve never understood this ‘connect it all’ idea. If a computer is critical or does not need internet access, don’t hook up the wires. I’m a big advocate of “air gap security”. Heck, my backup data copy is on a disk that is not hooked up the computer more than ‘one backup time’ ever couple of months (and then with the network connection disabled and me watching the process table to make sure ONLY the backup is happening…) It’s darned easy to pull the wire and it is 100% secure.
On the HP Laptop, I often ‘punch the disconnect button’ on the WiFi when not actively using internet.
There was a minor scandal lately when “digital picture frames” from China were found to have a ttojan in them. Plug into a PC to download pictures, it uploaded a virus. I don’t buy ANY such stuff. I use SD cards from ‘known names’ that are widely distributed, and even for them I format them in the camera (older dumb one) prior to use. For USB disks it’s more problematic as they have more ‘smarts’ so easier to hide something. Part of why I don’t like disks with ‘backup software’ included… So it is more of a ‘buy the reputation of the vendor’ and high volume sellers (so ‘many eyes’ looking for that ‘what the?…’… and probably decent Q.A.)
It is also why I’ll never own a Lenovo nor use a motherboard from China. (Taiwan is still OK, near as I can tell.) But it is getting harder to avoid. I’ve kept a collection of older hardware “for that day”… Also part of the attraction of the Raspberry Pi and related boards is that they are very unlikely to be ‘buggered” and have a very large number of tech guy eyes looking closely at the bit flow. It is my longer term target platform. (NOT going with the new 100 MB of “boot OS” hardware. Just too much buggery possible that can not be checked nor shut off.)
Nice to know about the Lite-On hardware. In the long run, it is that kind of ‘reputation impact’ that will clamp down on the crap.
The things I have to do to just have a relatively usable and safe compute environment ;-)
Interesting stuff:
https://en.wikipedia.org/wiki/NX_technology
http://wiki.debian.org/freenx
https://help.ubuntu.com/community/FreeNX
http://wiki.centos.org/HowTos/FreeNX
http://www.linux.com/news/enterprise/networking/8251-faster-remote-desktop-connections-with-freenx
Doesn’t look very hard, but likely easier for an experienced Linux / Unix guy than a newbie. Looks like it works well and is fairly secure.
First thought that comes to mind is ‘buying’ a low cost Virtual Machine at a “cloud server” vendor and then setting this up. Then when you are “out in the boonies” you connect to it and get very high speed web services…
Downloads would need to go to the “cloud machine” for fetching later (via something like BitTorrent that works all night long, several nights if needed). But regular “interactions” ought to all seem like “high speed” even though living on a slow link.
Nice. Very nice.
Second thought that came to mind was “family and friends”. If you are on the end of a slow link, perhaps as part of a group working on a project, you set up a link like this to ‘one of the group’ who has a better connection. Now the “shared work” lives on the fast machine, and everyone gets what looks like very fast services. That has a lot of uses…
Need to check on what it does trying to work through my AT&T supplied firewall / router, but can’t see where it would fail (as it ought to be an outbound connection establish process… but one side or the other has to be ‘behind a firewall’… so that needs some looking at….)
Still, if the server sets up a port and periodically polls, things ought to connect. I think.
FWIW, for folks not familiar with it, X-Windows is what makes the windowing environment ‘go’ on just about all Linux / Unix / whatever systems. When reading about it, it looks like the usage of “Server” and “client” are backwards; yet the X folks are adamant (and by now so many folks have ‘gotten past that’ that inertia alone will prevent changing it). While in some obscure pedantic way the usage is correct, it’s more trouble than it is worth. They really ought to have used different custom words. Like “big computer” and “desktop”… At any rate, don’t let it throw you.
Now if only I had a reason to use it ;-)
@BlueIce2HotSea:
So, do you have a ‘recipe script’ for making that Distro? Or was it a one-off roll by hand?
@ E.M Smith
OK. You have me convinced to also get a Raspberry Pi, plus it would be nice to possibly contribute to your safer appliance project. I have modified the initrd of a few distros. It might come in handy if needs to be a custom mod.
Regardless, it really is essential to have a secure PC when traveling/living away from home to avoid the possibility of a hardware keystroke logger. Pocket size is ideal for security.
Oh, there’s a few more free NX clients to consider other than FreeNX, which is written in bash. Google took FreeNX and mostly recoded the bash scripts into Python – don’t recall the name – but it ought be even faster. There’s QVD in Perl. Finally x2go, which is in at least one of the Ubuntu distros. I only have tried FreeNX.
@E.M.Smith
Every distro was different and similar. As a programmer, you know there are many ways to accomplish the same thing. However, I have used openbox, zen & qemu virtual machines & that greatly helped with testing.
My current main distro is Scientific Linux LiveCd. I have modified it so as to run Oracle software suite after mounting an encrypted user partition post-boot. That way it doesn’t matter what physical device the Live Distro is booted from, I can mount the user space from another device. The big deal with this is that the software I am using is normally tied to a specific physical machine because of particular drivers. In case of a hardware failure you could be somewhat screwed in terms of recovery time. This way, I just boot up a different machine – 32 bit/64 bit, it doesn’t matter – and I am back to work. It is very portable for dev. work.
(Sometimes I earn a living). It’s nice to be able to
@E.M.Smith
So, do you have a ‘recipe script’ for making that Distro? Or was it a one-off roll by hand
Which one did you have in mind?
@BlueIce2HotSea:
Any with FreeNX on it, but the DSL sounded somewhat more interesting.
Mostly I’m just realizing that I need to “roll my own CDs” as I keep running into the same “issues” on many of them (like the FireFox runaway CPU problem, or not having the desktop I want with the browser I want, or not having the security aspects I want with a browser that does spell checking… etc.) Figured if you had a ‘build script’ that would make for a ‘quick study’. For DSL, they have done a lot of ‘strange stuff’; so I’m unlikely to learn all of it. To that extent, having a more ‘generic’ checklist would be better ( so Knoppix? But Knoppix has gotten rather fat lately…)
In short: Just looking for an example to make “roll your own” learning go faster. Pointer to an online tutorial / script download would be just as useful, I suspect.
I’m slowly coming around to Qemu. Have had one ‘pendrive’ run with it. Worked well. Mostly I’ve been using VirtualBox as it was the first one I installed. It’s OK, but not for things like a ‘plug and go’ USB chip based system.
Happy to have any help possible on the R-Pi version. As it’s a relatively “young” ARM port, I expect a few more “glitches”. OTOH, being only one hardware config makes it easier to find a fix that works widely.
Having a $35 or so “system” that fits in a paperback book form factor and doesn’t look like a computer, while has a locked OS and locked data (until to you unlock them) and everything encrypted (so if it ‘goes walkies’ at the airport safety grope and steal you don’t care) while having hardware that is more closely inspected at the ‘bit level’ by all those folks making embedded apps with it, well, it will make ME feel safer ;-)
At some places of entry to the country, the TSA (and perhaps in other countries as well) can simply duplicate your disk if they so desire. I’d rather that there not BE a disk (which ought to give a bit of pause) and that any data storage device be encrypted (so if they do figure out what it is, and have a device to copy with, they get a useless lump.) Being a LInux EXT3 or similar file system would likely cause some of them to fail to copy anyway ;-)
Your LiveCD / mounted data appliance approach is very similar to what I’m doing for other uses. At present, mostly searching for ‘which distribution’ has the right mix of ‘works well’ with ‘security’.
My first set of goals is:
1) PRIVATE browsing and downloading. I’ve go the browsing via Privatix / Tor and encryption. Not yet got a fully private Torrent (swarm?) installed.
2) SECURE browsing and downloading. Got that on either release with boot from CD and USB locked storage for .torrents to serve. Have encryption on Privatix, but not on #! that I’ve found. Do not have non-TOR browsing on Privatix (yet) due to the bug of runaway CPU usage I just found. Yeah, I can swap CDs, but it’s just not right… Need to add another USB / SD card combo for a download target directory so only it is unlocked in normal use. May need to add some kind of swap device / target (don’t think SD cards will take it…) or shrink the memory usage. DSL might be a better choice there, or Puppy.
3) Trivial ‘recovery’ and trivial ‘go dark’ via a power fail. Be it ‘knock on the door’ or hardware confiscation or lightning strike. Just take a backup CD / SD chip out of the snuff case and slide them into a replacement bit of generic hardware… So “knock on the door” you chop power. Everything reverts to encrypted and secure. Eventually to put the data on an encrypted server via network (and then to VPN to a ‘cloud’ solution), yet to be done. At that point, a ‘netboot and remote file mount’ onto a generic hardware target gets you going again. This part is still TB Done…
The FreeNX is interesting in the context of that eventual goal state. Having the ‘remote server’ doing all the heavy lifting has the added feature that you can physically secure it in a remote place with trusted folks, then when “on the road” all you ever have is a little bit of ‘who cares what’ that connects to it. Hadn’t considered that option before now…
Looks like at least one guy has a R-Pi tablet under construction:
http://theraspberrypitablet.com/
At any rate, that’s the general idea. For now I’m using the hardware I have (old and known clean) and the software is what I’m working on. Major issues were “figure out what bits I want” and “figure out what distribution has them”. Now it’s looking like “Roll your own distribution” may be a faster and easier path…
There are at least a couple of text-based browsers. Lynx and eLinks.
@Jim2:
I’ve never figured out why I’d want to use a text based browser other than out of desperation at things not working…
@E.M.Smith
Wow, blast from the past. When DSL went inactive in 2008 I moved on. But I see it’s back on Distrowatch…
With an initrd mod it can boot either the 2.4 or 2.6 kernel and run on basically anything Intel or AMD. And by using FreeNX over a LAN connection to a secure NX server with internet access, it might allow an ancient relic of a PC to cruise the internet with safety and alacrity which would otherwise be impossible.
Now, remastering. FreeNX has RSA certificates for accessing the user’s ssh account and these ought to be encrypted. DSL has a built-in option to create local or remote aes encrypted persistent storage, so this is a place to start. After everything is working, the image can be remastered with a nice FreeNX icon on the desktop and the encrypted FreeNX built into the image.
The wiki’s and forums have scripts for building images and I have written some also and there’s those from the Damn Small Linux book and Knoppix Hacks, etc. But it’s no biggie especially if you do not need support for 2.6 – NTFS, openssl, sata, modern wireless cards, FireFox 16.2, etc. (Although I have scripts for the 2.6 stuff, somewhere.)
My TinyCore Linux FreeNX is two yrs. old, v2.9, 11.3MB. It has no browser. It only provides an X server and a secure connection to the home PC! It’s just a gzipped cpio’d file system. So remastering was nothing – unzip, mount file system, copy NX files, rezip. Could boot faster and could be smaller, but runs like lightning. Just checked TinyCore’s extensions archive, still no FreeNX through v4.6.2. Huh.
I also setup FreeNX Puppy last spring on my daughter’s 2g Surf 600Mhz Eeepc. That only took about two minutes after setting up her account on the server. Puppy is another fast distro on old/weak PCs and very smart. I used Scientific Linux as the server. I have also used Knoppix and CentOS servers.
The real pita could be configuring the server with NoMachine’s NXServer and finding compatible versions of the client. OTOH, sometimes everything works easypeasy.
I am going to start pulling stuff out of mothballs and will share, if you’re interested. Will take a couple of days.
Thanks!
No hurry. I’m interested, but on a slow lane. Need to catch up the financial stuff first.
Don’t care about “commercial” interoperability much. Just “I have a server at home and want to link from slow town” and own both platforms.
Sounds like remastering isn’t all that hard, so I’ll give it a whirl first (as I need to do a custom browser anyway… tired of fighting FireFox mis-configs…)
The real pita could be configuring the server with NoMachine’s NXServer and finding compatible versions of the client
Sorry, I wrote that back-asswards. FreeNX is the server, NoMachine provides the NX client. Anyway, if you go with a mainstream distro, FreeNX server > v0.7 and NX client > v3 this will all be go alot easier, maybe even fun.
@E.M. This will interest you, as programmer:
Paranoid Notice: While running this on the PC laptop, I noticed an application launch icon flicker on my bottom app bar. There was some indication of CPU cycles being used and ‘something happening’. After the below note was typed, I shut down the laptop and it complained that some aplications would not shutdown – so I forced a shutdown. It’s quite possible I was just being paranoid about some normal ‘housekeeping’ program, like file indexing or ‘whatever’… but if anyone else notices anything like that, let me know. -E.M.Smith ]
[Reply: Not really news to me. Frankly, I saw this coming back in the ’80s and was talking to folks about it in the ’90s to 00’s. Now, mostly, I’m just working on how to have my own life stay modestly private. This is WHY I don’t ever do ANY “Social Media” like Facebook. Because EVERYTHING you put on such sites goes directly into various “agencies” archives (all over the world) if they so desire it. I regularly “catch flack” from folks over my reluctance to outright refusal to use everything from “Social Media” to “Tweets” to “Text Messages” even to email. While I’ve not gone so far as to demand that anyone sending me email use public key encryption – in fact, I’ve not even published a ‘public key’ for me – I’m on the edge of it. (If I really had any interesting email, I likely WOULD do that, but being terribly boring, figure “my contribution” to the cause of freedom is perhaps best served by having folks tied up reading my pointless and empty emails ;-) At one time, about the 90s?, a few friends and I adopted the habit of putting ‘key words’ into our email about trivia such that it would trigger the key word search engines and cause the email to be routed to a human observer for evaluation. Eventually got tired of the game and quit doing it. But yes, IMHO we are on the verge of a collapse into a global “Third Way Fascist Socialism” complete with the full police Stazi apparatus and surveillance. Don’t know what I can do about it, so I don’t ‘fret’ over it. I am making my own tools for some added security ‘as needed’. Thus this particular article above. Automated Text Search trigger keyword list: Arab Muslim Brotherhood bomb nuclear chemical weapon president Israel assassinate terrorism Allah infiltrate explode “death to the infidel” Castro (for the retro effect ;-) arrest torture intelligence agency يجب أن يموت كافرا، والحمد الله، قصف للسلام . (That’s probably enough to assure a decent trigger. Hi Clarence Clearance! Yes, It’s been a while. About 20 years. Say hi to the wife and kids for me… (It’s probably “Son of Clarence Clearance” by now…) we nicknamed the guys who were charged with ‘watching’ Clarence Clearance… back when I was dating the daughter of the Director of a major nuclear lab and ‘friends / classmates’ were working in secret DOD work. Привет, мой друг! )
FWIW, I’ve set up some of the equipment that is used in that kind of data gathering / archiving process. Not for Agencies, but for companies. It isn’t all that hard, nor rare. By law, many kinds of companies MUST archive all their email for up to 7 years. Network Appliance makes dedicated servers for just that kind of thing. Heck, after 911 I even sent my resume to some of the TLAs (Three Letter Agencies) and if any of them had called me for an interview, I’d likely be setting up or operating such equipment right now. But they didn’t. So I’m now more interested in keeping my stuff private. Thus my recommendation to folks to use TrueCrypt or equivalent and start using “disposable appliance computing” strategies. -E.M.Smith ]
Well, rerunning the video in a VBox Vmachine (Puppy Linux) had FireFox pop up a ‘feedback’ window. but no other “odd” process shows up. As I was using Opera on Windows before, this isn’t a ‘full test’. But at this point it’s most likely I was having a slightly paranoid reaction to some not so unusual “probing” behaviour (‘feedback’ or ‘adware’ or…)
At any rate: Yes, it’s important to practice “Paranoid Computing” because they ARE out to get you! Especially if you are a sys admin ;-)
Really funny. Can you imagine, in the future, studying the 21st. century history, what our great great grand children will say?. They will surely laugh at it, as these activities are really childish.
I believe that The Power or whatever controls nature is the ultimate conspirer. History shows that whomsoever engages in these games end facing reality, as in Nüremberg.
I just picked up “LINUX BIBLE” 8th edition by Christopher Negus. Mostly aimed to background Red Hat Trainees. But should get me more comfortable with jumping off the MSWindoz ship. Next I will need to find me a usable crappy old computer or a couple of used laptops maybe. For internet use only and set them up linux only. Mite need a brain up grade! ;-) pg
FWIW, I’m posting this comment from the “Iron” browser inside a VM “puppy” Linux. I was going through a few ‘efforts’ to find a FireFox / IceWeasel variant that worked, didn’t do a 100% CPU runaway, did have working spell checking, and wasn’t either lacking in features or so dog slow as to be a PITA. Along the way decided to try a “just install it” under VMBox rather than testing ‘live CD’ images. Turns out that Puppy has some easy to install browser options. Also turns out that a few of them crash on reading Wiki pages (and perhaps more).
At any rate, there was this browser choice of “Iron”… Curious, I tried it. Turns out it’s a “Chrome” variation with all the tracking BS stripped out. Guess I’m not the only one not wanting to be tracked and having a sense of ‘security issues’…
https://en.wikipedia.org/wiki/SRWare_Iron
@Adolfo:
The problem, of course, is that one must live through the precursor events to get to the ‘Nüremberg” events… and I’d rather avoid all of them…
@P.G.Sharrow:
Red Hat is far from the ‘easiest’ Linux to install these days. I’ve suggested before, and repeat again, that The Best First Leap into LInux is to just try a “liveCD”. Download one from any of dozens of places and just stick it in the CD drive. Either it works, or it doesn’t. NOTHING IS INSTALLED, so you can do it on a machine that is in daily use for other things. Similarly, you can download and install, for free, VM Box, and do trial runs / installs in it (again, no new hardware and the install goes into the VM “sandbox” so doesn’t damage the Windows world.)
For example, I’m running a Puppy version in VM Box on my Windows Laptop and posting this note from inside of it. The only thing about it that’s not ‘OK’ is that it is only using one core of the CPU and is a bit slow due to the emulation. Oh, and I need to turn of ‘mouse integration’ as it makes the mouse a bit ‘irregular’ in where it tracks… Like driving a boat instead of a car…
http://knoppix.net/get.php
http://www.puppylinux.com/download/
https://www.virtualbox.org/
While it is a lot better to learn to do “real installs on real hardware” you don’t need to wait on hardware to start playing and learning ;-)
OTOH, an old x86 400Mhz AMD chip box with a 5 Gig disk runs rings around this quad core but using only one HP Laptop… Real Hardware ™ has a big performance advantage…
Providers are building “Kill Switches” into your devices:
http://www.businessweek.com/articles/2012-02-17/the-kill-switch-comes-to-the-pc?campaign_id=otbrn.bw.tech
Goggle, Microsoft and others are installing back door means to edit or remove software from your device. pg
@P.G.Sharrow:
Yup. That’s why I shut off ‘auto update’ whenever possible and prefer a static install of Linux …
That’s why I’m building “roll your own” appliances where I have possession of the source code.
That’s why I’ll never willingly buy Windows 8. OR a “smart phone”.
There’s an invisible battle for ‘control’ of the electronic world, and the public is losing big time. But as long as I have Linux Source Code, I’m able to step away from it…
Oh, and realize that a TLA (Three Letter Agency) showing up at Microsoft or Oracle or Google and saying “We want you do load this special code on this list of devices. You wouldn’t want your Federal Contracts pulled and a combined IRS and SEC investigation to show up in the news tomorrow, would you?…” will get full “compliance”… heck, might not even need to mention the “Patriot Act” or “collaboration with the enemy” or….) So yes, if I want to have known privacy, I take the battery out of the cell phone. Otherwise you are just wearing a GPS tag and microphone / camera to be activated at will by “agencies”.
In the news today, saw that “Law Enforcement” is asking for a law to have ALL text messages held for 2 years. Just in case they want to take a look…. Time to go to PGP for ALL text messaging and email. Sigh.
Maybe it’s time to post my “Trivial extensible code system”. It’s theoretically possible for someone to stumble on the exact encoding you choose to use, but it’s pretty hard to do a full brute force search… There are many options… (Basic method: Pick anything that is uniquely number tagged and has text. Say the “bar code” on food cans. Use that code to state which can to use for text. Then have a number, like 123.33.1 that is agreed to be something like “first character count from start of text (top rear), word count from there, word in next sentence.” Yeah, PITA to encode / decode but hard to figure out. Similarly, one could agree to use, oh, the Bible. Then give 123.333.12 and agree that it’s “pages from the back”, words to skip, characters. and the person knows to always then use the fifth word from that point… As there can be any number of “key objects” and any agreed system of noting the particular word, character span, or even direction of count; it’s darned hard to figure out you chose to translate to Spanish and use the Encyclopedia of Mexico… Perfectly fine for short messages like “Dinner at 7, usual place”…
Then again, I don’t say anything that needs that kind of ‘care’ so haven’t had to do it. Sometimes I wish I had a more interesting life so I could use those kinds of tools and have a reason ;-) Instead I just dream them up and admire them…
I often figure out solutions to problems that I don’t have as mind exercise. Later when the problem is posed to me people are amazed how fast I present the solution. Ether that or I can see future needs because I am a wizard and can “see” the future ;-) pg
@EMSmith; This encryption thing needs to be laid out so it is as intuitive or automatic as possible. As the user is the weak link in making this work. The KISS method of design is the one I prefer. Make it too complex and written notes will be needed or too much error will occur. Some of the security could be in the firmware of the boot device? More details to consider. After I read this Linux Bible and then the Ubuntu manual maybe I will understand better the possibilities. pg
@P.G.Sharrow:
There are two reasons I’m being deliberately a bit ‘vague’ about some of the ‘encryption things’.
First, the more reasonable one:
There are a great many kinds and degrees of encryption so exactly which one a person chooses will change all the particulars. There are many pgp encryptors, or you can use TrueCrypt, or a few dozen other encryption methods built into Linux, or various email programs, or…. So you need to ‘pick one’ to be specific.
Second, the more, um, arguable one:
If I give a specific example of how to do the encryption process for some systems, it tells a ‘bad guy’ how best to attack your ‘stuff’. So, for example, the “use a numbered object” code generation method above: I can’t tell you which objects I use (and ought not tell you the best ones to use) in a public forum, as that reduces one of the ‘keys’. So things like saying:
Use the VIN number of your car, now ….
Just tells the ‘bad guy’ to make sure he checks for the vin number of your car…
So for some things, I can give slightly off optimal examples in a public forum, but you need to decide for yourself to, say, use the Sears Catalog vs The Bible, vs Soup Cans vs… (Or else I lay out the particulars of the method ‘in person’…)
Finally, per PGP:
There’s lots of examples of ‘particulars’ and it isn’t all that hard. IF / When getting to the point of needing it, I’ll be doing a ‘cook book’ on how. The basic process is to run a program that generates a ‘key pair’. Two VERY LARGE NUMBERS. One, you store (in a password protected file or on a flash drive or… the whole “Key Ring” problem). The other you make public. Anyone wanting to send you private email uses YOUR “public key” number to encrypt the message with their PGP magic encoder software, then sends you the bag of bits. You then use your private number to decrypt it. Specifics of steps depends on software used. But it really is just about that simple. For a hypothetical PGP encryptor named ‘pgpcrypt’, one may say “pgpcrypt keyfile crptextfile cleartextfile” or even just “pgpcrypt crypttext” and be prompted for the key and have the output go to the screen.
If you get to the point of wanting to play with it, let me know and I’ll ‘script’ some examples.
Oh, and there are a lot of ‘cyphers’ used throughout history. Often they depend on the person just not knowing which one is in use to ‘work’. One of my favorites was used by the Roman army for a very long time, despite being trivial. It would still work provided the person doing the interception didn’t know you were using this method. Though present computer attacks would crack it fairly quickly.
Romans had standard sized poles used for things like flags and standards. A cloth ribbon would be wound in a spiral on the pole. The ‘message’ is then written ‘long ways’ on the wound cloth in a few lines (each ‘below’ the other in the circle axis) . So write, from spear tip to butt, or from butt to spear tip, and each line a partial rotation of the spear to the next clear line. Now unwind the cloth from the spear. You have a bunch of letters (at a slight angle) on the cloth, but can’t read it. Send to your minions. They wind it on THEIR standard sized spear, and the message appears as the letters align. But it depends on anyone in the middle not knowing to wind the cloth on a standard diameter Roman pole… so telling you to do that in open text would make it worthless…
That’s where “Public Key” encryption really shines. You can tell folks “Use PGP and this, my public key” and that doesn’t help the “bad guy” crack the message… It was a great leap forward in private email. No longer do you need to have a ‘pre arranged secret’… (Though you can ‘double dip’ and have a preshared secret like “shift each letter by one” then encrypt. Called a ‘ring shift’ code or ‘magic decoder ring’ ;-) that makes it just a little bit harder if someone somehow did get their hands on your private key…)
Also, each language has peculiarities to it. Like in English, the letter “e” is the most common. So doing a ‘population count’ on some kinds of encryption can find the ‘e’ (probably…) letters. But if you just translate it to some other rare language first, that makes it harder to attack.
The Navajo “Code Talkers” of world war II used a ‘double dip’ of just that kind. First, put the message into code: Tanks were “turtle” and airplanes were “eagle” or some such. Then put it in Navajo. Japanese had virtually no Navajo speakers (and it’s hard to learn…). Even when the used a captured Navajo (not a ‘code talker’) to translate, they got things like “The Turtles are swimming in the pond” and it made no sense. ( The tanks are to attack the main enemy force – as a fictional example.) That simple two layer method was never cracked, even as late as the 1990s it was a classified secret (IIRC the date right). So even relatively simple methods can be entirely secure. as long as the bad guy doesn’t know what method you have chosen. Basically, not sharing the ‘shared secret’ of the ‘code book’ or that the language choice is not just a convenience…
I think I need to stop now before I write a whole book on the history of codes and encryption in comments ;-)
But yes, I likely ought to make a ‘intro to codes and cyphers’ posting…. that at least lays out the choices in a clear way.
BTW, one simple method: Have an agreed newspaper that is widely circulated. You send a message to someone that says:
Dec 2, 2012
Dear John,
So nice to see you last time we met. (etc etc).
The Dec 2 tells them what date of newspaper to pick up. Then some other agreed thing like “every third word a number” says to turn “to” into a number and “last” and “met”. Those numbers then give the location of word in the paper. So “to” could become 20 – 15. Or page 20, word 15. Which might be the word “Chicago” (or whatever) Other than things like unusual proper names, you can pretty much find any words you need in the average newspaper. The rest is just “hunt and find them” then “page number and count”. The ‘fun bit’ is laying out the encoding words and ‘filling in the blanks’ around them with text that looks valid, but is just fluff. (A variation on that kind of thing is used in some prison codes used by prisoners).
Unless the person knows what newspaper you are using, and knows how to turn letters to numbers the same way you do it, (is it 20 -15, or do you invert it to 15 -20? And are those page and letter count, or page and word count, or paragraph from the front and sentence/word?) they are pretty much stuck. Even if they do manage to figure out the top text is just ‘happy talk’ and the real message is steganographically encoded…
Worse, you can even have a system that says “the nth number in the clear text tells you the word skip”, so I might say: “It was so nice to see you on the third of last month, when we had 76 degree days and I ate 2 meals at once!” We might have agreed that the first (3) the second (7) the third (6) or the fourth (2) number was to be used as the ‘skip’ for picking out the encoded words in the text. Again, if the person doesn’t know that, they have to think of it as an option and test it. In that way each message can be encoded with a different skip, yet the chosen skip is communicated in a ‘hidden in plain sight’ way. (The more space between ‘code words’ the easier it is to make ‘top text’ that fits…but the lower the information density in the code text per unit of top text…), Or we might just agree that the 10th word is always a ‘count’ that tells what skip to use from that point forward, or from the rear inward, or…
Sigh. So many neat old cypher (hidden by number manipulation) and code (hidden by shared secret decoder rings / books) methods, now largely replaced by public key encryption…
At any rate, if you nave interest in any of them in particular, or just want a ‘how to use pgp’ tutorial put up or a link, just let me know. It’s one of the thing I really like playing with ;-)
But I’m sure you’d never have noticed ;-)
@EM – Some of those relatively simple cyphers can be surprisingly robust. On this side of the pond we recently heard the story of a pigeon, dead these 70 years, that turned up in a chimney in Surrey with a WWII message still wrapped around its leg (here) – the call has gone out for anyone who can help to crack the encoded message just to put it in its context. My guess would be “it’s one-time pad encryption and you’re on a hiding to nothing”, but if you fancy a go at it …
Here is a neat “mini” toy with a load of IO:
http://www.fit-pc.com/web/fit-pc/fit-pc3-info/#techinfo
fit-PC3
Tiny. Fanless. Extendable.
AMD APU up to 1.65GHz dual core
Dual-head Radeon HD graphics
Low power consumption
Ruggedized metal case
Customizable FACE Module
Injection molded metal case and will run on 10 to 16 volt unregulated 8 to 24watts. Nearly bullet proof as one would expect from the Israelis. pg
Here is a company that provides a complete package based on the the above:
http://blog.linuxmint.com/?p=2055
$500 to $600…….pg
Well, placed an order for 2 Raspberri Pi’s. Now we’ll see how long they take to get out of backorder and if they were on the ships backed up at Long Beach ( likely ).
There had been a brief (one day?) ‘in stock’ at Newark (that I saw just AFTER they were all sold out again… “Look, Newark has stock click link”… so I clicked, and they were back at zero…)
I’ve placed the order with Allied (even though they admit out of stock and have a ‘warn’ about could be weeks or months on backorder). Just gave up on having ‘in stock’ show up….
Also figured that the shipments from Asia to here were most likely sitting on a ship waiting for the California Dock Strike to end. (which started just about the time Newark had stock…) So given the end date, and some ‘queue’ time for ships to be run through the port and trucks to move, somewhere around ‘soon’ there ought to be shipment or three being unloaded at the VAR… and I’d rather be ‘in queue’ there, then; than waiting and hoping to hit the button Just On Time…
At any rate, we’ll see if this works, or not…
@EMSmith; This Raspberry PI availability is strange. RS (RadioShack) has the units in stock and ships next day all over the world except US. In the US, Allied is the distributor, and has no stock, 2 to 5 weeks delivery times. I thought that Allied-Radio Shack was the same corporation.
Among other things I am studying Linux and getting ready to hunt down a computer to practice on! pg
@P.G.:
Things can be the “same” corporation and different divisions… So RS likely must order from the “distributor” like everyone else. It’s also possible that Allied is not set up for international export while RS is (or who knows what).
At any rate, I’m hoping it’s not too long a wait. I’m ready to move onto the ARM chip and see what it takes…
IMHO the most difficult thing about Linux (unlike UNIX / BSD of old) is that every major distribution has started playing around with the Admin method and there are now a half dozen different window systems. Basically, it’s like having 5 x 6 different operating systems to “learn”. If you want to be good at all combinations…
Yes, under the skin somewhere there’s still an /etc/passwd file where the user accounts are kept, and you CAN edit it by hand (or script) as us old hands do… but increasingly there’s a different ‘admin tool’ on the different flavors and they hide it in different menu places on the different window systems.
So SuSe has YAST (Yet Another System Tool ;-) and others have their own tools and… Sigh.
So it’s not so important to “Learn Linux” (all of it) as to pick a ‘windows environment’ ( Gnome, KDE, XFCE, etc.) and know that the specific way ‘package update’ happens will be different between Red Hat (.rpm RedHat Packate Manager) and Debian (.deb and APT Advanced Package tool) and others…) Some, like Genoo, still used “tar” (Tape ARchive) files that are compressed (gzip or .z or zip or…).
Then there are some ‘changed over time’ complexities… Like the original compression program had two names. “compress” compressed a file and “uncompress” uncompressed it. Then new compression codings were developed. “compress” still exists. But they’ve added zip, and gzip (gunzip being the unzipper) and bz and…
The point? You can now spend forever reading the book trying to ‘learn it all’ and never cover all the bits. Frankly, in large part, you just don’t need to. It’s better to just jump in and start doing it. Learn what you need, as you need it.
Some releases of Linux tried to obsolete the manual pages. I’ve resisted that as have others. For two simple reasons. One command “apropos” will list all the manual pages related to a key word. So you can type “apropos backups” and get a list of interesting related commands. Then you can read about each command and decide what you like using the “man” command to display that manual page. ( “man man” tells you about the “man” command ;-) So you could do “man tar” or “man cpio” (CoPy In Out) or even “man passwd” to learn about the /etc/passwd file.
Basically, it makes “discovery” fairly quick.
So what’s the point of spending 2000 hours learning about many things you may never use (like how to do a bad block check on a hard disk by hand) when you could just do “apropos disk” and then “man fsck” to pick up the details? (File Systems ChecK)
Not to discourage you from ‘reading the book’. They are useful and I own dozens of them. But just to point out that doing an ‘install to hardware’ (even if it fails) and playing with it will go a lot faster… and often easier…
FWIW, I get by with a selected subset of about a dozen total commands these days. Most stuff is “doable” from the GUI / menus. (Sigh. Once Upon A Time I used hundreds of arcane commands to do truly exotic things… doing a manual disk partition and a mkfs (MaKe File System) with explicit cylinder counts and all… I still could, mind you, but that’s all buried under hand holding scripts and GUIs these days… Like the manual spark advance lever on the old Model T… gone and forgotten by most…) So it wouldn’t take long to talk you through any ‘issues’ if you get stuck.
The “nickel tour” is pretty quick. If interested. Things like “File names have the slash the other way from MS Windows.” and “Everything starts a ‘/’ that is named ‘root’ and pronounced ‘slash’ as it is the root of the file system, but don’t confuse that with the ‘root user account’ that is the God Like root of all power and authority on the system ;-) And administrative stuff tends to be in /etc while temporary scratch files are in /tmp or /usr/tmp most of the time. Oh, and there can be interesting stuff in /usr/etc too. Some recent distributions have put ‘stuff that changes’ in ‘/usr/var’ or ‘/var’, so you might find a /var/etc and sometimes users home directories are in /home/{username}. Then there is that whole stylized set of ‘regular expression characters’. It’s good to know ‘regular expression syntax’… It’s used in man pages and many commands…
Yes, “apropos regular expression” might be interesting ;-)
“ls” is the “LiSt” command to list your files. so ‘ls’ unadorned just lists everything. While: ls a*
would list everything that starts with ‘a’ and ‘ls b.a*’ would list everything starting with b, followed by any ONE character exactly, then with an ‘a’ followed by any characters at all including no character. So ‘baa’ and ‘bza’ and ‘btaForbush’ but not Bza… unless you give it the case insensitive flag…
One other really useful thing is the ‘pipe’. You can string commands together with a vertical bar. So while ls will list all the names of your files, one on a line, the ‘wc’ command (for Word Count) takes options to count words, characters, or lines. (-w -c or -l). You can glue these two together with the ‘pipe’ symbol like:
ls | wc -l
that will list all your files in that directory, one to a line, then pipe them into the word count program counting lines. It then prints out a single number. Which is the number of files in that directory…
That’s the real power of Linux / Unix. That under the skins shorthand tool kit of commands.
I’ve made command strings that span a few lines some times. And scripts of them that run many pages. But you don’t need to do any of that to ‘get your feet wet’ with an install and launching a web browser…
But to give an idea…
(cd /tmp; ls; tar cf – .) | (cd /usr/tmp; tar xvf -) &
The parenthesis say ‘treat this as one command launched in an isolated environment’ (called a sub-shell). Then pipe the result into the next command (also in a sub-shell). The & says “and put it running in the background so I can keep on doing what I’m doing on the terminal.”
That first sub-shell command says “change directory to /tmp then list the files there onto my screen then make a tar archive, but not to tape, do it to a file ‘c’ is create and ‘f’ is file. The magic bit is that – which says ‘send the result to a pipe interface’ not the tape drive. Normally you don’t need to say that, but the tar command default is tape…. That ‘.’ just in front of the close parenthesis says “and do it right here in this directory” that is now /tmp. Now the other side of the | pipe command says “now change directory into the /usr/tmp directory and then ‘x’ extract that tar archive in a ‘v’ verbose manner printing the info about each file as you do it from a ‘f’ file that is a ‘-‘ pipe.
This effectively picks up everything in one directory and moves it to another while printing out what it is doing along the way. (There’s a shorter way… using the cp copy command, but it doesn’t show as many of the Linux / Unix command features and isn’t as flexible ;-)
That’s the kind of ‘terse’ and ‘cryptic’ but way powerful stuff that’s under the skin of a linux / unix box. Want to completely erase every file in a sub-tree of the system? Just type:
rm -rf /foo &
That will launch a ‘background’ job that does a “rm” remove command, ‘r’ recursively descending the name space with ‘f’ forced removal of all files starting at /foo directory. (In this case the ‘-‘ does not mean pipe. As I mentioned above, that was a special use for the tar command. In most cases a ‘-‘ just says ‘the letters that follow are command options’)
Needless to say, that particular command (even just seeing it in a comment) causes an experienced systems admin to ‘have pause’… (A normal rule of thumb for newbie ‘root admins’ is to sit on your hands after each command typed as root and reread it prior to pushing the ‘return’ key ;-)
FWIW, if done AS the root user, in the / directory, it will utterly destroy the entire contents of the file system right up until it removes something critical that causes the system to crash … Typing “rm -rf / foo & ” is a classic mistake. It looks a lot like /foo but has an accidental space in it. That says “remove everything starting at / then come back and remove everything starting right here in the foo directory. It is equivalent to ‘rm -rf / ./foo & ‘ so you can see that an accidental hit of the space bar can have catastrophic consequences…
Much more fun than some old GUI thing that just hand holds you the whole time and only removes what it’s supposed to remove ;-)
Want to bring a system to a slow crawl? Write two small scripts. Name them “foo” and “bar”.
In “foo” you put:
while true
do
bar &
done
In “bar” you put:
while true
do
foo &
done
Now, all you need to do is type either of “foo” or “bar” at the command prompt to start a geometric cascade of new processes being created.
(Bonus points: What if you wrote a script ‘foobar’ that said:
While true; do; foobar & ; done
What happens if you type the command ‘foobar’? ;-)
Advanced version:
while true
do
for i in 0 1 2 3 4 5 6 7 8 9
do
echo $i
foobar&
done
done
What do you think it does?
See why hackers like it? ;-)
FWIW, there is an ‘obfuscated script’ competition that does some truly amazing things. Like one I saw that when printed looks like an old train steam engine… and prints out pictures of old steam engines via text characters…. And another that looked like it was all ilo0O. and a couple of other characters. (You can make scripts with names like oooo ooOo ioio etc. that do tings). So this script looked like a bit dump of 1lioO0 and was nearly impossible to read, yet did some fairly trick thing I can’t remember now… like build a user account…
So you can go ‘way over the top’ with scripting ;-)
Hopefully some of this ‘peek under the covers’ gives a bit of motivation to just ‘go for it’ …
“cat” is “concatenate and print” and roughly means “put this text in a file or on the screen”.
echo prints text from quotes.
A fun script I use to fill disks with ‘crap’ prior to erasing. Just to assure the bits are overwritten.
echo “shit” > junk
echo “shit too” > junk2
for i in 0 1 2 3 4 5 6 7 8 9
do
for j in 0 1 2 3 4 5 6 7 8 9
do
for k in 0 1 2 3 4 5 6 7 8 9
do
cat junk >> junk2
cat junk2 >> junk
done
done
done
The “>” says ‘erase the target file and put the output of this command in it.’
The “>>” says “do NOT erase, but concatenate this output to the end of the file pointed to’.
So this command does 10 x 10 x 10 iterations of putting junk on the end of junk2, then putting all of what is in junk2 on the end of junk, then putting all THAT on the end of junk2, then…
You can see how the exponential growth goes… roughly 12 characters to the 1000th …
(The actual command I use is name “mb” for ‘mega byte’ and is ‘tuned’ to make a one megabyte file. By typing “mb; mb; mb; mb &” I can make a 4 megabyte file of junk on command… but that’s a bit more complex…)
Efficient? No. Best way? Not at all. Easy way to drive hardware nuts? Oh Yeah ;-)
And yes, nothing prevents you from putting the text “junk” in a file named “shit” just so you could use the command:
cat shit
;-)
We need a WWW at at VLF, perhaps at the same frequency as the earth….but… it would be a kind of Akhashic records! :-)
Earth´s Wi Fi! and for free.
What would it be possible joining together Nikola Tesla and E.M.Smith? That´s what is needed as a next step in communications.
@Adolfo; the problem with using VLF for computer based communication is that it would be v……………..e………………..r…………….y………………………………s………………….l…………….o……………………….w…………………….. ……………………………..p……………………….g
@EMSmith; reading this “bible” has made your above desertion almost totally understandable. The thing with parenthesis to control commands is not one I have encountered yet. While I don’t expect to memorize things on the first read, I do like to have some Idea of what is under the hood. Most of my experience with computers has been with no help, in the dark, alone. Any illumination is helpful when you are totally in the dark. Hopefully by the time I get a box to work with I will have completed reading this book as well as the book on Ubuntu Linux and will have some idea of what is going on under the GUI hood. AT least with you looking over my shoulder, If I get stuck in a blind spot I may get some illumination. pg
@P.G.: You should then use as many waves as possible. What we will call “density of vibrations”, equal to the number of cycles contained in a unit of space (volume) during a certain time.
Dv= (ν)3 (the cube of frequency)
And it follows that “Mass” is m:= 1/(ν)3
@EMSmith: Check out this new toy that Roger, over at “Tallbloke”, has to play with for posting to WordPress. pg
http://tallbloke.wordpress.com/2012/12/12/ultralight-blogging-tallbloke-style/#more-10152
damn! forgot the link. pg
@EMSmith; this is a more direct approach to the information:
http://sonyfmngr.sourceforge.net/prsT1.htm
For modifying a Sony prs-1 e-reader pg
R&D kit for energy and data harvesting from nearby devices. Just the thing to up load data from nearby devices. ;-( pg
Kit Adds Energy Harvesting To NFC/RFID Apps
The M24LR Discovery Kit from STMicroelectronics integrates everything engineers need to design battery-free electronic applications that can exchange data with ISO-15693-compatible smart phones enabled with near-field communications (NFC) or radio-frequency identification (RFID) reader-writers, according to the company.
The turn-key development platform is designed to accelerate the creation and integration of energy-autonomous data collection, asset tracking, or diagnostics capabilities in phone and tablet accessories, computer peripherals, electronic shelf labels, home appliances, industrial automation, sensing and monitoring systems, personal healthcare products, and other applications.
By combining industry-standard serial bus (I2C) and contactless RF interfaces, the STMicroelectronics M24LR EEPROM memory can communicate with the host system “over the wire” or “over the air.” Its RF interface can convert ambient radio waves emitted by RFID reader-writers and NFC phones or tablets into energy to power its circuits and enable complete battery-free operation.
The Discovery Kit comprises an RF transceiver board with a 13.56-MHz multi-protocol RFID/NFC transceiver (CR95HF) driven by an STM32 32-bit microcontroller, which powers and communicates wirelessly with a battery-less board that includes the company’s dual-interface EEPROM memory IC (M24LR), an ultra-low-power 8-bit microcontroller (STM8L), and a temperature sensor (STTS75).
Sampling now, the M24LR Discover Kit costs $17.50.
STMicroelectronics
I don’t know whether to be happy that I can get an $18 toy that runs a micro-cpu with ambient energy (lots of ideas there…) or paranoid about all the folks with data scavengers that can be left all over the place for cheap and harvest data from your phone, and any products you have with RFID / NFC tags / transponding….
Yes my friend, We are walking into a strange jungle. Knowledge is better then ignorance. pg