Dongle Pi

DonglePi  set up for use from the laptop

This is a Raspberry Pi board (the $35 B type with ethernet and 2x USB connectors) set up with a TP-Link TL-WN722N type WiFi Dongle. The 722N comes in two types, one with an external antenna (shown) and one without an external antenna that looks just like this one, but without the antenna connector on the side. This one cost $5 more at Fry’s (where I paid $19.xx for it, not willing to wait for internet shipping…) Why this one? Because it is known to work as an Access Point under Debian on a Raspberry Pi and I have that as the next project. What I really wanted was the “button sized” dongle for about $9 with the RAlink chipset in it, but Fry’s didn’t have those. (It is known to work in both A.P. mode and Mesh mode at the same time, where this one is only ‘one at a time’)

So this is a little under twice as long as it needs to be for portable / pocket use. With the button type, it would also have less risk of torque on the USB connector causing some damage… The adapter comes with a USB extension cable in the box, so one could use that for more “fixed” locations. In this case I just wanted a quick field test so left it a bit long, gangly, and potentially liable to having the WiFi adapter torqued… For actual day to day use, I expect it to be on the extension cable and up on the dashboard of the car (if in a parking lot and needing the added range to reach the nearest StarBucks WiFi hotspot while sipping my coffee in the comfort and quiet of my car – I generally make it a habit to always buy something at the places where I use the hotspot from the car; but Starbucks doesn’t always have power plugs open and some are way too loud / noisy… where I come equipped with power in the car, a comfy seat, and music of my choice / loudness…)

For actual clandestine use, I’d get the button dongle on the RPi and then put the device into a small box. In use, in the Starbucks, nobody noticed me assemble it and slip it into a pants pocket. (Folks are remarkably focused on themselves, generally.) Even after I pulled it out and put it on the table, nobody seemed to notice. (With the antenna on it, I think anyone who did see it would take it for a WiFi Dongle only; and in fact that’s a decent “cover story”; just say “the WiFi in the laptop died and this is an add-on” or even “The laptop is old and slow, this is a 150 Mbps high speed I’m working on.” which is actually true in my case. ;-)

Here’s a picture of it in the cargo pants pocket. Note that with the button dongle it would not show up at all. Just two wires into a pocket…

Dongle Pi in Cargo Pants Pocket

For anyone wondering if I’m “into camo” or a wild eyed Militia Type or “whatever” just because the pants are camouflage pattern: I bought these when in Florida (they are ‘shorts’, though you can’t see that in the picture) as I desperately needed something that wasn’t “long dress pants”. I went into Target and had exactly and only one criterion: “Shorts that are damn cheap and not an offensive color, on me, like pink…” These were the cheapest ( $10 IIRC on sale / clearance). They have been very useful over the years, thanks to the pockets, but were purely an accidental pattern choice. It’s really silly to wear camo shorts for the camo effect; with Neon White / Pink legs sticking out of them anyway ;-) ( I have a full cover camo suit for any actual camo needs – such as hunting for food – that I’ve worn all of once as a Halloween costume; there not being much need for camo-survival-hunting in the Urban Jungle where a charcoal suit is more effective “camo” than is green blotch…) I don’t have anything against Militia Types either; our history says we adults ARE the militia, like it or not. It’s just a bald faced lie to use “Militia” in a derogatory put-down way. The Militia is any adult, during times of need / crisis. (Historically any male adult, but times have changed.) So while I do endorse the idea of the Militia groups, holding onto the historical root of power originating from We The People; I’m just not “into it” myself. Nor do I do the “camo thing” as any kind of statement. I just buy cheap ass clothes… So, that out of the way, back to Geek Stuff…

The laptop provides power to the RPi and WiFi dongle via the little black USB / MICRO-USB connector. ( I emphasize the micro as I thought I had lots of ‘those small USB’ cables… and found out that my cameras et. al. were using MINI not Micro… they are almost the same to visual inspection unless side by side.) Ethernet is provided by the blue ethernet cable. In practical use, a better color would be ‘wood brown’ as that’s the color of many Starbucks chairs / walls / tables, or any of: black, gray, putty, dark brown. I.e. all the ‘not a color’ colors ;-)

Why not just connect to it from the laptop via WiFi? Well, in fact, I can see a use for that. BUT: Part of the ‘design goal’ here was just to make the laptop VERY secure and private. If I’m advertising my MAC address via the WiFi in the laptop, I’m leaving records of my laptop presence on any WiFi system that cares to record it. It is also open to various kinds of sniffing and attack on the packet stream and potentially to folks breaking in to the laptop. So while a “WiFi to the Pi” ;-) would be useful at home, it’s less useful “in the wild” where part of the goal is to eliminate records of where the laptop has been and protect it as a place where more personal stuff can be kept more private. At home, I have connected via WiFi to the Pi and used it as a web proxy surfing appliance. Works fine. In the field, by using the hard wire connection and shutting off the laptop WiFi, I can have a truly private link to my “proxy” on the internet. IFF doing anything “clandestine”, I could also just pitch a $9 button dongle when done, and not worry about some forensics tying that MAC address to me or my laptop. (Spark Plug Wires do a great job of frying electronic parts prior to pitching ;-)

Still to be done things include encrypting that laptop / RPi link (though it isn’t really needed), and putting TrueCrypt on the RPi so on powerfail there isn’t anything left open. Alternatively (and a longer term project) is to make the RPi a “boot from locked USB image” as opposed to boot from active file system image. (Think “Live CD” type instead of “From Disk” type). That way nothing is ever written to the SD card anyway. At present the Operating System is a live pseudo-disk on SD card, not a “Live CD” type. I’m sure that will change over time. I have a copy of Puppy Linux on it that I’ve not tried yet, and it has a “Live CD” type structure. So another “someday” project…

What Good Is It?

The laptop holds a locked / standard image of the RPi OS fully configured and lacking anything at all distinctive or ‘about me’. I can “flash” that image onto the SD card in a couple of minutes and it is a ‘pristine’ web appliance. Now, from the laptop, I can connect to the RPi and use it to do things like web surfing or “whatever”. IFF I land on some site that tries to put crap on my machine or “track me” with cookies or “whatever”, they do that to the RPi. At the end of my session, it gets powered down, and the SD card gets “flashed” again back to pristine. (Eventually, with a write locked SD card, even that step becomes unnecessary). In essence, it is like using a “Bootable Live CD” Linux on the laptop.

So why not just do that Live CD thing?

First off, it leaves my hard disk “available” to the Linux that is running. Even if I don’t “mount” it, someone who breaks into the system while in use could do so. Only if I’m “watching” would I see that happen. (Yes, I watch. I use “w” which is a Linux / Unix command to keep up a panel of active processes and look at it from time to time. Anything happening out of the ordinary will show up. In another panel, I have “df -ks” on a ‘once a minute’ cycle. That shows me the mounted file systems – in kB – and ought not to change…) So it’s some protection, but not full protection.
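The once-a-minute df check described above can be automated by comparing the mount table against a baseline taken at the start of the session. This is an added example, not code from the original post; the function names and the sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: report changes in the mount table against a baseline.
# Input files are in /proc/mounts format: device mountpoint fstype options ...

# mount_changes BASELINE CURRENT
# Prints "+ dev mountpoint fstype rw|ro" for entries that appeared and
# "- ..." for entries that went away. A remount from ro to rw shows as both.
mount_changes() {
    awk '
        {
            split($4, opt, ",")              # first option is rw or ro
            key = $1 " " $2 " " $3 " " opt[1]
        }
        FILENAME == ARGV[1] { base[key] = 1; next }
        { now[key] = 1; if (!(key in base)) print "+ " key }
        END { for (k in base) if (!(k in now)) print "- " k }
    ' "$1" "$2" | LC_ALL=C sort
}

# watch_mounts BASELINE [SECONDS]
# Checks the live table every SECONDS (default 60) and prints a timestamped
# report whenever it differs from the baseline. Runs until interrupted.
watch_mounts() {
    while :; do
        changes=$(mount_changes "$1" /proc/mounts)
        if [ -n "$changes" ]; then
            printf '%s mount table changed:\n%s\n' \
                "$(date '+%Y-%m-%d %H:%M:%S')" "$changes"
        fi
        sleep "${2:-60}"
    done
}

# demo: constructed Live CD session in which the internal disk gets mounted
# and a USB stick is remounted read-write part way through.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
rootfs / rootfs rw 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/sdb1 /media/usb vfat ro,noatime 0 0
EOF
    cat > "$dir/current" <<'EOF'
rootfs / rootfs rw 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/sdb1 /media/usb vfat rw,noatime 0 0
/dev/sda2 /mnt/win fuseblk rw,relatime 0 0
EOF
    mount_changes "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

demo
# Real use: cp /proc/mounts ~/mounts.baseline; watch_mounts ~/mounts.baseline
```

Because the read-only / read-write flag is part of the comparison, a file system that was already mounted but gets remounted writable is reported as well.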

Second, and most important for me, this particular HP Laptop has a funky video driver that was not supported in Linux last time I looked ( 2 years ago?) and I just didn’t want to deal with it. Making a custom built Linux isn’t for everyone, where a generic RPi dongle is more “approachable”.

Finally, it still imprints my MAC (network hardware unique number) Address into various tracking and forensics logs. Not that I have any reason to care, I just don’t like it. This whole “excursion” in my life path came about when The Constable decided to raid Tallbloke and run off with his computers. As he had his laptop confiscated (no doubt to be scrubbed for anything that could be used to tie him to FOIA-2011 including the MAC address from any email / file upload records at WordPress or elsewhere) that was a bit “chilling”. FOIA had simply posted a message on TallBlokes blog. THAT, was enough to get him raided on suspicion he had posted to himself as a foil. OK, I run a blog. What if FOIA had posted on my blog? So time to “get defensive”. (So right off the bat I put TrueCrypt on the laptop and stuff is all inside encrypted containers; which also prevents hackers seeing it either. I only decrypt / mount a container if I need what is in it at that moment; and even then often have the WiFi NOT connected when the container is open…) But really what I wanted was a way to simply not use the laptop for anything other than a “screen server”. So any old “crap top” can be a keyboard / monitor. Then, if it “goes away”, I don’t give a damn. Similarly, if the RPi “goes away”, I don’t give a damn. All the “important stuff” will be in encrypted containers and stored off site. (Another project for some future posting). Essentially, I’m breaking the link between any particular bit of hardware and “my stuff” and “my actions”. Having a “disposable Linux Dongle” is part of that. It’s 100% disposable, from computer board to SD chip to WiFi dongle. And it’s 100% generic. Someone takes it, they get nothing (after the SD is re-flashed and WiFi dongle ditched, or once it’s write protected) and I’m back up and running in minutes off the reserve copy and spare parts.

Can it be used by Black Hats to do bad things? Certainly. They also use cars and wear clothes too. Shall we ban cars, hats, sunglasses and gloves because Bad Guys use them? How about banning airplanes? They were used to kill thousands in NYC. Banning is a lousy way to attempt crime control. It just doesn’t work worth a damn. So we now have confiscate first, prove innocence later behaviour from the cops (that also doesn’t work well / properly ) and this is simply a prudent response by a private blog operator to abusive policing actions. Essentially, too much police state behaviour causes more innocent folks to act like Bad Guys and use tools (build tools) usable by Bad Guys in response to bad policing policy. That doesn’t make the innocent citizen a Bad Guy, it means the Police are acting in a negative way, and everyone, Bad Guys and Innocents alike, find “common cause” in the methods to “dial back” the police intrusion. (This is a common issue in law enforcement, BTW. I taught a forensics class to White Hats and one of the things I did was hand out “cracking tools” CDs. Forensics often uses the very tools created by Black Hats to break into machines. It gets dressed up as “Ethical Hacking”, but the reality is that the tool knows not who uses it. Be that tool a gun, a car, or a computer.) I’ve generally worked on the White Hat side, and this tool too can be a White Hat tool. One of the “Live CDs” I downloaded and tested was a U.S. Govt. issued one for secure email reading for government employees “on the road” and connecting from hotel WiFi. They could just as easily use one of these for their email reading platform to protect their laptop from intrusion.

As a sidebar advantage: It’s just nice to have a Linux machine to play on. I’m an “Old Unix / Linux Guy” who has been using it as my dominant compute platform since the early ’80s. I find Microsoft a PITA (though more usable now, in a stupid kind of way) and the Mac a very pleasant warm fluffy safe jail… it’s possible to get ‘under the covers’ to the Unix like world under the Mac skin, but it’s just so much trouble… I like my wild and wooly Linux / Unix machine where at a couple of characters I can be SuperUser and do anything I want. I like being able to pop open a command line interface and do all those things I’ve learned to do over 35 years or so of practice and NOT have some ass telling me I can’t via some software trap. And, frankly, all the commercial software folks are larding on ever more auto-update auto-tracking auto-buggering crap that is just offensive to anyone who wants their computer to be their computer and other folks keep their damn nose out. So I just like having “my world” where I can go do what I want, how I want, and not worry that the next “auto-update” will break things, open a security hole (thanks, Java… /sarc;) or just nag me to death. Linux is a “from the people up” world, and I like it that way.

Building Dongle Pi

I’ve got a fairly long write up on how to do it. I’ve not yet done my usual “Q.A.” on the write up. That is, to start from scratch, doing only what is on the written sheets, and prove it all works as written. (In F.D.A. terms, a “Qualified Installation”. I did those once. Any drug company must send a document to the F.D.A. stating exactly how to recreate their equipment used in any computer operation. So, for example, if you used a NetApp to store your data for your drug trials, you have to say how to set one up. If you write “Turn the red power switch to on” that will fail if the color of the switch is changed to yellow, and is ‘questionable’ due to the use of ‘turn’ for a rocker switch… yes, it’s that ‘nutty / picky’. So you write the directions as “the power switch is located and put into the ‘on’ position applying power to the system”. Yes, it pays well to be able to do “qualified installs” ;-) I’ll get back to that level of “proving up” after Mother’s Day is over…

For now, here’s a ‘rough notes’ version.

Making Dongle Pi.

Materials:

Raspberry Pi B (A to come later via USB Ethernet).

Ethernet Cable – 1 ft to 10 ft ( 1 to 3 ft preferred)
MICRO – USB w/power to USB cable ( 3ft – cost 99 cents at Fry’s)

TV (composite with RCA video, or hi definition with hdmi and HDMI cable)
USB Mouse
USB Keyboard – All three only for initial ‘bring up’. Can be skipped with pre-built Pi SD card

SD Card – minimum 4 GB, preferably 8 GB. Up to 32 GB Ultra SanDisk if desired. I used the “Ultra” Sandisk and a Patriot Micro 8 GB and both worked.

Creation Station – Windows Laptop or Desktop with SD card slot or added SD / USB adapter and USB slot. Basically, a way to write the SD card and a ‘terminal server’ to control the Dongle Pi. Preferably the laptop that will be used as workstation.

Laptop / MS Windows box software needed:

PuTTY –

Purpose: To provide a relatively generic terminal session on various equipment, such as a Raspberry Pi or any other Linux / Unix machine (and many other kinds of routers, switches, whatever…) A ‘command line interface’ for configuring things and turning things on, like that nice graphical interface you really want…

Get from: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

download via: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe for M.S. Windows executable

VNC –

Purpose: A remote graphical desktop interface to the target system. It lets you have a graphical desktop environment on the Puppet Pi via a screen / keyboard / mouse on your laptop.

Get from: http://www.tightvnc.com/download.html

download via:

32 Bit Machines: http://www.tightvnc.com/download/2.7.1/tightvnc-2.7.1-setup-32bit.msi

64 Bit Machines: http://www.tightvnc.com/download/2.7.1/tightvnc-2.7.1-setup-64bit.msi

Win32Disk.Imager –

This works much more easily than the manual process of card formatting on the Mac / Linux world. At some future point I’ll work out a simple / easy way from the Linux side, but as most folks do have a M.S. Windows computer (and as mine has a built in SD card slot while the Linux White Box didn’t…) this was just a lot easier on that laptop.

Purpose: To store SD Card images onto the laptop, or copy them from the laptop to SD cards.

Get from: http://sourceforge.net/projects/win32diskimager/

download via: http://sourceforge.net/projects/win32diskimager/files/latest/download

TrueCrypt – optional. Only needed if you wish to keep the contents secret / really secure.

Purpose: To encrypt files, file systems, whole disks, and generally keep your files private.

Get from: http://www.truecrypt.org/

download via: http://www.truecrypt.org/downloads

The Raspberry Pi install method:

http://www.raspberrypi.org/phpBB3/viewtopic.php?f=41&t=6225

how to use: IFF you want all the Raspberry Pi configuration files and software hidden away when not in use, so that they can not be buggered, hacked, or even just noticed, you will make a “TrueCrypt Container” and mount it as an encrypted file system. It will only be mounted when needed, and the rest of the time will look like some other innocuous file.

I’ve not installed TrueCrypt on the RPi yet, so you are on your own on that one, for now.

Basic System Install

Basic Debian Wheezy:

Download the basic system image from the Raspberry Pi site:
http://www.raspberrypi.org/downloads

Direct download: http://downloads.raspberrypi.org/images/raspbian/2013-02-09-wheezy-raspbian/2013-02-09-wheezy-raspbian.zip

Via a Torrent: http://downloads.raspberrypi.org/images/raspbian/2013-02-09-wheezy-raspbian/2013-02-09-wheezy-raspbian.zip.torrent

Then using Win32Disk.Imager, write it to the SD card.

Put the SD card into the Raspberry Pi board.

First Life configuration and connection to laptop ( ICS )

Configure ICS Internet Connection Sharing in your Laptop or Desktop (and have it connected to the Ethernet). Settings, network, “share” the interface to the internet (the wireless interface for my laptop). Alternatively, plug a wire from the Ethernet of the RPi into your home network router / hub as a wired connection.

This, ICS, will cause the wired interface of your laptop to become 192.168.0.1 / 255.255.255.0 and start a rather obnoxiously brain dead DHCP server on it. (It gives out near random IP numbers and can not be configured). When the Raspberry Pi is powered up, it will be given some IP number, but not one you can predict, so you need to have a keyboard, mouse, and monitor long enough to find out what it is. Alternatively, you can have an external Ethernet hub with cables and connect into your existing home network then ask your router what IP numbers are assigned to which devices (mine has a nice display in a web page).

Connect the Ethernet cable from the RPi to the laptop. Connect the keyboard, mouse, and video monitor. Then connect the MICRO – USB cable from the Raspberry Pi to the USB power source (laptop or USB Hub or other USB power source of 1000 mA.)

This will start the Pi booting up. A screen will appear on the TV set with several options. For mine, the display sometimes “rolled” and hitting return would stop it. Use the tab key to select “expand file system to use whole SD card”. Then the ‘select’ button. It is also a good time to choose the “update” option at the bottom of the panel, but we can also do that later. When done, choose “finish”. The RPi will now bring up a standard desktop. This selection panel only appears once. If you don’t do this now, you will need to use config-Pi later. IFF you want your RPi to launch a nice graphical environment on the TV ports on boot, you choose that option here as well. This will suck up about 150 MB of memory, so don’t do that on systems that will be almost always run “headless” (no need wasting that memory…)

At this point, the Raspberry Pi is up and running in a standard Debian mode. You can connect to it with a terminal client like PuTTY and get a line oriented terminal session that is sufficient for most all of the configuration. Eventually, you will want a graphical interface to it, and it is possible once the graphical interface is up, to open a ‘terminal window’ on the Raspberry Pi from inside that graphical desktop. The default user id is “pi” and the default password is “raspberry”.

Update Firmware

I didn’t do this step. I’m only putting these notes here as reference should it ever be needed.

From: http://www.megaleecher.net/Raspberry_Pi_Firmware_Update

We will be using the rpi-update tool developed by Hexxeh, to install it use the commands below at terminal.

sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

sudo apt-get install ca-certificates

Once installed, user can use rpi-update anytime at the terminal to fetch and install the most current version of the Raspberry Pi firmware and kernel. Make sure to reboot your RasPi after every update.

Update the Debian Operating System

To get the current list of software package dependencies (so following additions work) do the following at a command prompt (in PuTTY from the laptop; or via a ‘terminal’ in the LXDE windows environment on the TV screen):

sudo apt-get update

Or can be done at first boot of generic w/ bottom menu item of ‘update’.

To upgrade the kernel do:

I didn’t do this step either, as the kernel was working fine.

sudo apt-get upgrade -y

VNC Install

The Virtual Network Computer interface is used to get that graphical windows manager on your laptop screen, driving the Raspberry Pi board. The VNC Manual Page (called a ‘man page’) is at:

http://linux.die.net/man/1/xvnc

You can do this step via the Raspberry Pi keyboard, and TV Monitor, or via PuTTY from the laptop. As I find the TV an annoyance (mine is ‘composite’ – i.e. old and low resolution), I used PuTTY. In either case, open a “terminal session”.

The commands to get and install VNC on the Raspberry Pi are listed at this web site:

http://elinux.org/RPi_VNC_Server

As of now, the directions say:

Instructions
Log in to your Pi and install the Tight VNC Package
$ sudo apt-get install tightvncserver
Next Run TightVNC Server which will prompt you to enter a Password and an optional View Only Password

*(do a ‘touch .Xauthority’ first? Chmod 664? -EMS )*

$ tightvncserver
Once that is done you can start a VNC server from the shell prompt. This example starts a session on VNC display zero (:0) with full HD resolution:
$ vncserver :0 -geometry 1920x1080 -depth 24
(If fonts appear the wrong size, add ‘-dpi 96’ to the end.) Or you could create a script to save typing in the whole thing.
$ nano svnc.sh (call the file whatever you like)
*(I used vncsrv.sh and :2 1280 x 640 x 16 -EMS )*
Add the lines:
#!/bin/sh
vncserver :0 -geometry 1920x1080 -depth 24 -dpi 96
Ctrl-x y (To Exit Nano and Save)
Set the file to Execute
$ chmod +x svnc.sh
then to run
$ ./svnc.sh
Run at boot.
Start a root session
sudo bash

Create a file in /etc/init.d with a suitable name such as vncboot with the following content.
#! /bin/sh
# /etc/init.d/vncboot

### BEGIN INIT INFO
# Provides: vncboot
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start VNC Server at boot time
# Description: Start VNC Server at boot time.
### END INIT INFO

# Account the VNC session runs as (root here, as in the wiki script)
USER=root
HOME=/root

export USER HOME

case "$1" in
start)
    echo "Starting VNC Server"
    #Insert your favoured settings for a VNC session
    /usr/bin/vncserver :0 -geometry 1280x800 -depth 16 -pixelformat rgb565
    ;;

stop)
    echo "Stopping VNC Server"
    /usr/bin/vncserver -kill :0
    ;;

*)
    echo "Usage: /etc/init.d/vncboot {start|stop}"
    exit 1
    ;;
esac

exit 0
Modify the file permissions so it can be executed
chmod 755 /etc/init.d/vncboot
Enable dependency based boot sequencing
update-rc.d /etc/init.d/vncboot defaults
If enabling dependency based boot sequencing was successful, it says
update-rc.d: using dependency based boot sequencing
But if it says
update-rc.d: error: unable to read /etc/init.d//etc/init.d/vncboot
then try the following command
update-rc.d vncboot defaults
Reboot your Raspberry PI and you should find a vncserver already started.

As I didn’t want a “root” VNC window just a single password away, I changed that to a different user in the script (pi). I also needed to use 1280 x 640 and 16 bit color depth to get things to fit the laptop screen and have better performance. VNC sends the whole bit map of the screen (no Graphics Processor Unit in use…) so it’s a big performance and network hit to be computing and sending large deep screens every time you change a bit… So I changed that ‘launch’ line to:

sudo -u pi /usr/bin/vncserver :2 -geometry 1280x640 -depth 16 -pixelformat rgb565

that gives me a “pi” VNC session instead, and cuts the size back to fit. I also put it on “2” so I connect with (your ip range):5902 for example: 192.168.1.100:5902 if you had that IP number assigned to the RPi. (At a terminal window, type “ifconfig” and note the IP number assigned to eth0 to see what you have gotten.)

I have also put “sudo -u pi” in front of the kill command line, but that is likely optional and I’ve not tested it.

Install Tight VNC on your desktop from the link below; or most VNC clients work I believe.

http://www.tightvnc.com/download.php

These instructions are for Ubuntu and are only noted as I’m going to try putting it on a Pi later just to see how bad it gets using one RPi to log onto another in a chain ;-) For most folks, it will be “download the M.S. Windows version and click to install”. Realize that you do NOT need the “server” on your laptop. That is to let you connect TO the laptop from some other machine and see the laptop screen. You need only the “Viewer” (that any normal software person would call a client… but X Server folks are a bit silly on that…)

Or install it using your package manager. The following works on my ubuntu 11.10 workstation
sudo apt-get install xtightvncviewer
Then use :1 (e.g. 192.168.1.2:1) as the host name when connecting.[1]
Works Great, select full screen from the tool bar and a full 1080p 24bit desktop is yours from anywhere.
1. ↑ You can put your raspberry pi in /etc/hosts on Linux systems. I think you can make such a file on windows too. Then you can refer to your raspberry pi as “rpi” or whatever you called it.

As noted above that config will give you a ‘root’ desktop, and is ‘risky business’. Better to use a user desktop. I didn’t use this method, but it’s in that link. I hacked the ‘at boot’ script instead…

Getting VNC Server to Work on a Specific User
Instead of using the script in the Raspberry Pi wiki, use this one provided by “PenguinTutor”:
#!/bin/sh
# /etc/init.d/tightvncserver
# Customised by Stewart Watkiss
#http://www.penguintutor.com/linux/tightvnc
# Set the VNCUSER variable to the name of the user to start tightvncserver under
VNCUSER='pi'
# Change to that user's home directory before starting the server
eval cd ~$VNCUSER
case "$1" in
start)
    su $VNCUSER -c '/usr/bin/tightvncserver :1'
    echo "Starting TightVNC server for $VNCUSER"
    ;;
stop)
    pkill Xtightvnc
    echo "Tightvncserver stopped"
    ;;
*)
    echo "Usage: /etc/init.d/tightvncserver {start|stop}"
    exit 1
    ;;
esac
exit 0
Now, change the VNCUSER=pi to your desired username, so for example: VNCUSER=jsmith
That’ll make it boot on the username of which you want it to boot on… but I then received the grey screen error when remotely accessing the Pi from my computer, now the way you fix this is, open up the xstartup file that was created when VNCSERVER executes on your desired username. Now the way you access it and edit it is by:
sudo nano .vnc/xstartup
.vnc is usually in the home directory.
Delete everything that is in xstartup (or not in as mine was), and add this:
#!/bin/sh
xrdb $HOME/.Xresources
xsetroot -solid black
/usr/bin/lxsession -s LXDE &
Now it should work.

Desktop / Apps enhancement

To add “Iceweasel” (firefox) browser:

sudo apt-get install iceweasel

You can do the same thing for “chromium” (an open / free version of Chrome) but I don’t know why anyone would ;-)

Change the Hostname:

Open a terminal server. Set the new hostname to whatever you like by editing two files and restarting the “hostname” service. (Yes, it’s a full blown service… who knows why…)
sudo leafpad /etc/hostname
or sudo vi /etc/hostname for us old Unix guys ;-)
(In reality, I get tired of typing “sudo” all the time, so I just do “sudo bash” and get a “root shell” and just type the regular commands… CTL-C to exit the root shell when done).
change “raspberrypi” to whatever you like.
sudo leafpad /etc/hosts or sudo nano /etc/hosts for the new kids ;-)
change “raspberrypi” to the same thing everywhere.
sudo /etc/init.d/hostname.sh start

Set A Fixed IP Number

For use as a ‘plug in a DHCP world and go’ machine, the process is basically done. Other than installing “transmission”, that’s what I did for my Torrent Server. Yet for use on a laptop dongle, you really really want a fixed IP. Why? Because Brain-Dead Microsoft can’t assign the same IP number to the same computer two times in a row and doesn’t let you see the IP assignment table, that’s why. (Or buried it somewhere I couldn’t find, nor the dozen sites a web search turned up who also said to ‘give it up’…)

So since you connect via IP, and have 253 of them to search if you leave it on DHCP, “that’s a problem”. I used a single digit IP number, since MS seems to be assigning them in the 2 and 3 digit ranges, but not in the single digit range. (However, since you can not see nor change the assignment ranges, that’s a guess…) So something like 192.168.0.8 ought to work OK.

Since nothing else is on the wire, if MS assigns that number to something, it still ought to be ok. (Yes, I know that nothing ought to be asking for an assignment so no assignment ought to be done; but I’ve seen stranger things happen in M.S. Land. Like letting you see “dueling default gateways” where you can set one for each of two different interfaces, then it swaps between them about every 20 minutes. Took me most of a day to figure out that the way the ‘mail guy’ at a client site had set things up was with dueling default gateways and that was why they had sporadic 20 minute email delays. It would pick up for 20 minutes out one interface, then deliver for 20 minutes out the other. Setting ONE default gateway outbound, and fixed routing the private network inbound, fixed it. On the M.S. support site, in describing this bug, they said: “This behavior is by design”… and folks wonder why Unix / Linux guys don’t like M.S. products… too many weeks of my life wasted by them deliberately building bugs and calling them features…)

To set a fixed IP:

$ sudo nano /etc/network/interfaces

This will allow you to edit the file using nano.  Personally, I use “sudo vi”… as I’m an old Unix geek. One can also use leafpad in the graphical environment if logged in to a VNC window as root.

Change the line that reads
iface eth0 inet dhcp
to

iface eth0 inet static

Below this line enter the following.
address 192.168.137.8
netmask 255.255.255.0
network 192.168.137.0
broadcast 192.168.137.255
gateway 192.168.137.1

That “gateway” line lets you get from the Dongle Pi out to the internet through your laptop wireless connection for any further software updates / testing and until you get the wireless dongle installed. Once you have the dongle working wireless, you would remove that “gateway” line from this file so you stop using the laptop as your internet gateway. At this point, you have a “Dongle Pi” that works through the laptop, but not via wireless. Useful for some things, like having a private Linux on a Dongle where you could put things or just use Linux tools.

Realize that older versions of M.S. Windows used “192.168.0.x” and newer versions use “192.168.137.x” and you have no idea what M.S. will do to you in the future… so it’s best to check what the actual range is being used by your laptop prior to entering those numbers. It is possible, after ICS is turned on, to go to the network control panel and set the Windows IP to a ‘use this one’ value that you control and still have it work (though it stops doing DHCP, which is a feature IMHO given how brain dead their DHCP happens to be). That can be a ‘feature’ in that you can set it to an unusual ‘non routing’ value and anyone who DOES break into the RPi will not see “192.168.137.1” and think “Oh, a M.S. Windows box doing ICS; attack with M.S.Windows cracking tool kit”.

The non-routing blocks are:

10.0.0.0 – 10.255.255.255

single class A network
10.0.0.0/8 (255.0.0.0)

172.16.0.0 – 172.31.255.255

16 contiguous class B networks
172.16.0.0/12 (255.240.0.0) or you can do:

172.22.4.0 – 172.22.4.255 (172.22.4.0/24, mask 255.255.255.0) to break out a class C sized chunk of it that will be just a bit obscure ;-)

192.168.0.0 – 192.168.255.255

192.168.0.0/16 (255.255.0.0)

Most often seen as things like 192.168.0.0 / 192.168.0.255 or 192.168.0.0/24
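An added example, not part of the original post: a Python check that the laptop-side address really sits inside one of the private blocks above, and that derives the network and broadcast lines of the static stanza from it instead of typing them by hand. The function name and its parameters are hypothetical.

```python
import ipaddress

# The three private ("non-routing") blocks listed above.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def static_stanza(laptop_ip, pi_ip, netmask="255.255.255.0",
                  iface="eth0", use_gateway=True):
    """Build the 'iface ... inet static' stanza for the Pi side of the wire.

    laptop_ip is the address the laptop holds on the shared link (the ICS
    side); pi_ip is the fixed address chosen for the Pi.
    """
    laptop = ipaddress.ip_address(laptop_ip)
    pi = ipaddress.ip_address(pi_ip)
    # strict=False accepts a host address and returns its enclosing network.
    net = ipaddress.ip_network(f"{laptop_ip}/{netmask}", strict=False)

    if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
        raise ValueError(f"{net} is not inside a private block")
    if pi not in net:
        raise ValueError(f"{pi} is not on the laptop's subnet {net}")
    if pi in (net.network_address, net.broadcast_address):
        raise ValueError(f"{pi} is the network or broadcast address")
    if pi == laptop:
        raise ValueError(f"{pi} collides with the laptop's own address")

    lines = [
        f"iface {iface} inet static",
        f"address {pi}",
        f"netmask {net.netmask}",
        f"network {net.network_address}",
        f"broadcast {net.broadcast_address}",
    ]
    # Leave the gateway line out once the WiFi dongle carries the traffic.
    if use_gateway:
        lines.append(f"gateway {laptop}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(static_stanza("192.168.137.1", "192.168.137.8"))
```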

FWIW, I also set mine to use a specific set of DNS servers. The WiFi dongle will tend to pick up a DHCP address and the associated DNS servers when used to connect that way, or if used with DHCP on the ICS side, it will get DNS servers there along with default route information. But using chosen DNS servers has benefits. You can use DNS services that put in blocking of offensive sites or places that are known security risks. (Norton provides those.) Or you can just use a known “nice” DNS server that doesn’t track you and / or tattle on you to “agencies” or is just in another country so doesn’t “localize” you. (Google provides fast DNS from their own custom software, but given their “track everything” business model, I have to suspect they track who contacts whom on their DNS requests… So I’d avoid them for anything you wish to keep ‘private’.) Also, as your ISP tends to give you their DNS services on their wire, IFF an agency tracks you down to, say, Starbucks at this ISP, they could put monitoring on that DNS server to see what you are looking up. In that case, looking elsewhere for DNS is also a feature. Finally, some, like OpenDNS, redirect failed lookups to their web site to “help” you… you might not want that…

Configuring DNS is something most folks choose to avoid, and with good cause, but it also can be made much more robust with just a little work, and can fix many problems. For example, if you are using Bell South networking and their default DNS and they come under a DNS DDoS (Distributed Denial of Service) attack, you will slow down as your Domain Name Service lookups fail / slow. If, instead, you had many DNS servers in your list, failed DNS would just move down the list to other servers.

This is all completely optional, but nice to do.

If you will be doing much with networking, you will want the usual networking / DNS tools:

sudo apt-get install dnsutils

Initially I put the DNS list in /etc/resolv.conf where it belongs. But network guys are a confused sort. They have had ongoing ‘turf wars’ forever. The “old” method of using “config files” didn’t appeal to some, so they added other layers. And then more layers. And then things didn’t always work. And DHCP was supposed to be ‘no thinking required’, so having an /etc/resolv.conf file in charge was Not Acceptable, so the DHCP guys think THEY are in charge… eventually Sun added nsswitch (Name Service Switch) to let you sort out “who is in charge”… that then some other folks crowbarred their way around…

So there’s a big game of “who is really in charge?” that gets played in Network Land on Linux machines. For the RPi it looks like nsswitch might be ignored, and /etc/resolv.conf just gets overwritten by DHCP in any case. (My nsswitch says ‘files’ first, so the ‘files’ ought to rule, but… back at “I’m in charge!” network wars…)

So it looks like the place to edit is:

/etc/dhcp/dhclient.conf

where you add a line like:

prepend domain-name-servers 184.169.143.224,208.67.222.222,4.2.2.4,8.8.4.4;

Listing whatever DNS servers you like. There’s lots of choices in the “Open DNS” world, and choosing one is up to you. Some pointers though:

http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm

has this list:

Provider | Primary DNS Server | Secondary DNS Server
Level3 | 209.244.0.3 | 209.244.0.4
Google | 8.8.8.8 | 8.8.4.4
Securly | 184.169.143.224 | 184.169.161.155
Comodo Secure DNS | 8.26.56.26 | 8.20.247.20
OpenDNS Home | 208.67.222.222 | 208.67.220.220
DNS Advantage | 156.154.70.1 | 156.154.71.1
Norton ConnectSafe | 198.153.192.40 | 198.153.194.40
ScrubIT (may be out of service) | 67.138.54.120 | 207.225.209.77
SafeDNS | 195.46.39.39 | 195.46.39.40
DNSResolvers.com | 205.210.42.205 | 64.68.200.200
OpenNIC | 74.207.247.4 | 64.0.55.201
Public-Root | 199.5.157.131 | 208.71.35.137
SmartViper | 208.76.50.50 | 208.76.51.51
Dyn | 216.146.35.35 | 216.146.36.36
censurfridns.dk | 89.233.43.71 | 89.104.194.142
Hurricane Electric | 74.82.42.42 |
puntCAT | 109.69.8.51 |

Google claims innocent desire to speed things up. Yeah, sure…
https://en.wikipedia.org/wiki/Google_Public_DNS

Google Public DNS is a freely provided DNS (Domain Name System) service announced on 3 December 2009, as part of Google’s self-proclaimed effort to make the web faster. According to Google, as of 2013 Google Public DNS is the largest public DNS service in the world, handling more than 130 billion requests on an average day.
Google Public DNS provides the following recursive nameserver addresses for public use, mapped to the nearest operational server location by anycast routing:
IPv4 addresses
8.8.8.8
8.8.4.4

Think if The Govt asked for some info or to block certain IP lookups that Google would be more than glad to help in exchange for favorable business treatment? (Having your own DNS table / server lets you prevent that …)

Norton has some they claim are a value added set:

https://en.wikipedia.org/wiki/Norton_DNS

According to Symantec’s website their DNS service for home users offers the following options depending on how much filtering the user would like the DNS servers to perform for them.

Security
198.153.192.40
198.153.194.40

Security and Pornography
198.153.192.50
198.153.194.50

Security, Pornography and “Non-Family Friendly”
198.153.192.60
198.153.194.60

Open DNS offers:

208.67.222.222
208.67.220.220

and some folks don’t like their re-direct behaviour of failed lookups.

Yahoo has a DNS server at: 68.180.131.16 named ns1.yahoo.com

The Telcos usually have them. Some I know are:

dnsr1.sbcglobal.net 68.94.156.1
ns1.swbell.net 151.164.1.1

where I’d expect S.W.Bell has others named ns2, ns3, … but have not looked them up. Similarly, SBC likely has a dnsr2 and dnsr3.

I’m sure there are more, but you get the idea.
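An added example, not part of the original post: the `prepend domain-name-servers` line shown earlier puts four servers ahead of whatever the DHCP lease offers, but the glibc resolver only ever queries the first three `nameserver` lines in /etc/resolv.conf. This Python code models the resulting order; the sample dhclient.conf text and the DHCP-offered address are constructed, the function names are hypothetical, and it assumes the dhclient script writes one `nameserver` line per server, in order, without removing duplicates.

```python
import ipaddress
import re

MAXNS = 3  # glibc's resolver uses only the first three nameserver lines

# Matches an active statement only: the pattern is anchored at the start of
# a line, so a line that begins with "#" can never match.
PREPEND_RE = re.compile(
    r"^[ \t]*prepend[ \t]+domain-name-servers[ \t]+([^;]+);", re.MULTILINE)

# Constructed sample: the prepend line from the post plus a disabled one.
SAMPLE_DHCLIENT_CONF = """\
# prepend domain-name-servers 127.0.0.1;
prepend domain-name-servers 184.169.143.224,208.67.222.222,4.2.2.4,8.8.4.4;
"""
SAMPLE_DHCP_OFFER = ["192.168.137.1"]  # constructed: DNS offered by the lease


def prepended_servers(dhclient_conf):
    """Return the servers named by active 'prepend domain-name-servers' lines."""
    servers = []
    for match in PREPEND_RE.finditer(dhclient_conf):
        for item in match.group(1).split(","):
            # ip_address() raises ValueError on anything that is not an IP.
            servers.append(str(ipaddress.ip_address(item.strip())))
    return servers


def effective_nameservers(dhclient_conf, dhcp_offered):
    """Split the final nameserver list into (queried, never_queried)."""
    ordered = prepended_servers(dhclient_conf) + list(dhcp_offered)
    return ordered[:MAXNS], ordered[MAXNS:]


def describe(dhclient_conf, dhcp_offered):
    """Return one human-readable line per server, in resolv.conf order."""
    used, ignored = effective_nameservers(dhclient_conf, dhcp_offered)
    lines = [f"{server}  queried (slot {n})" for n, server in enumerate(used, 1)]
    lines += [f"{server}  listed but never queried" for server in ignored]
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_DHCLIENT_CONF, SAMPLE_DHCP_OFFER)))
```

With the four-server line, the fourth entry and every DHCP-offered server fall past the limit: the hotspot's own DNS is never consulted, and the fallback list is three servers deep, not four.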

Well, enough on DNS. Just realize that most networking problems start with checking out what is the default gateway (or “route of last resort” where packets go if you don’t have a specific routing table to say “take that interface there”) and then look to DNS failures. So “ping yahoo.com” first does a DNS lookup, while “ping 206.190.36.45” goes directly via the default route without a DNS lookup. (Yes, Yahoo! has generally been very nice about providing a ping responder. I typically have used them for diagnostics and they engender lots of good will in me by that. It’s a little thing, but much nicer than just blocking pings.)

So first try “ping yahoo.com” and if that does not work, while a direct IP ping does, you have a DNS problem…

In Conclusion

As noted, this is the ‘rough notes’. If you use them and “have issues”, please note what it was and I’ll fix it / provide consultation (on where I wrote it up badly ;-)

I have a DonglePi working as an attached Linux (via the laptop as default gateway) and as a “Wireless Dongle Pi” with the laptop as only an attached screen viewer (that “gateway” choice and the added WiFi dongle).

Why no directions on installing the WiFi dongle? Because by selecting one known to work, it just plugs in and works. Open a VNC session to the ‘pi’ desktop and click on the WiFi Config application. “Scan” for networks, enter any security options needed (for public hot spots, that’s none) and go.

With that, I’ve got a BBQ to start for today’s “burnt offering” and it’s time for me to take a break from hacking Pi. It’s been a fun couple of days, but I tend to go “down the rabbit hole” and everything else stops for a while ;-)

Hopefully this “cookbook” is helpful to folks and it will save someone some time. I’m also willing to “flash” an SD card with an image, test it in my RPi, and drop one in the mail to anyone who needs it done for them. For now, $20 + SD card cost ($5 for 4 GB, $8 for 8 GB at Best Buy near me) to the tip jar and a note that you want one in email with an address. Delivery “when I get around to it” but likely in the mail inside of a week.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

24 Responses to Dongle Pi

  1. Bloke down the pub says:

    Here’s a picture of it in the cargo pants pocket. Note that with the button dongle it would not show up at all. Just two wires into a pocket…

    Expect a bunch of DHS guys in black overalls to jump on you in 5,4,3,2….

  2. punmaster says:

    They also use cars and wear clothes too.

    I really do not want to see the nude Black Hat squad, of either gender. Wait, how many genders are there these days, not that it matters? I don’t want to see any of them.

  3. E.M.Smith says:

    @Punmaster:

    I’ve seen ’em. It ain’t pretty…
    ;-)

    Female, male, transgender male, transgender female, gay female, gay male, ( I suppose one could have a ‘gay transgender’ but then isn’t that just “normal with kinky ideas”? ;-) then there’s the sporadic hermaphrodite (that might have ‘preferences’) along with “asexual”. After that, I think it ends up being more “fetishes” than “genders”, so “cross dresser” isn’t really a gender thing and I’d just put the transvestites in with the B&D folks and other role play types.

    But I could be wrong. Lots of folks have strange preferences and can be mighty creative in dreaming things up…

    @Bloke Down The Pub:

    I’d ask “Why?” since all I’ve done is make a computer and wear short pants… but since Tallbloke was raided, well, I no longer put anything past possible…

    But: Nobody have any comments on the Dongle Pi idea / project itself?

  4. J Martin says:

    At some point I think I’d like to get an rpi, will probably look at using it as a NAS controller, need one for music and laptop backup. Might be fun to experiment first and try it out as a DNS server though, must admit, I never thought of using it for DNS.. Would also be fun to use it as a breadboard PC for a while, attach it to the back of the monitor somehow.

  5. E.M.Smith says:

    @J. Martin:

    Depending on what kind of monitor you have, you can get HDMI “converters” to DVI or other inputs (at various costs…) Best is just to have an LCD monitor with HDMI input or a TV with HDMI input and use that. IIRC, HDMI to VGA was an expensive converter cable…

    I’m using one of mine for Torrent server and DNS cache server and it’s doing fine. “eventually” I’m going to put NAS on it, so if you are slow enough I’ll have a ‘recipe’ up for you ;-)

    I’m pretty sure one such recipe already exists, but have not looked for it. I’ve seen a “how to turn on Samba” for your PC to get the files, so that implies NAS on it… I’m just more interested in the NFS file services between unixoids than the PC Samba CIFS type.

    FWIW, I get saturation of my internet connection out of it, and it seems quite able to drive ethernet at fast speeds. Likely 100 Mbits near as I can tell.

    Looks like a LOT of folks have already done the NAS recipe thing:

    https://duckduckgo.com/?q=Raspberry+pi+NAS+setup

  6. E.M.Smith says:

    @J. Martin:

    Well, I’ve gotten Samba working and mounted the RPi “disk” (SD card) onto my laptop. At present I’m not sure exactly how ;-)

    (I’m not a big M.S. Windows guy… I can often make it work, but rarely explain exactly which bit of “outside the box” I tried was the “magic bit”… it’s just not rational enough to map well into my thinking… )

    So I followed the directions here:
    http://www.simonthepiman.com/how_to_setup_windows_file_server.php

    Which, given the state of my RPi dns/Torrent server and not plugging in a new disk, was mostly just installing and turning on Samba.

    sudo apt-get install samba
    sudo apt-get install samba-common-bin

    Then you add the user ‘pi’ to the samba password file:
    sudo smbpasswd -a pi

    They also say that there are two other things needed to get a USB drive to auto-mount:
    sudo apt-get install autofs

    9. However we need to set up a config file to allow the automounting of the usb disk.
    pi@raspberrypi~$ sudo vi /etc/auto.master
    At the end of the file is the following
    ——————————————————
    +auto.master
    ——————————————————
    You need to add the following below the +auto.master entry
    ——————————————————
    +auto.master
    /media/ /etc/auto.ext-usb --timeout=10,defaults,user,exec,uid=1000
    ——————————————————

    Now you can reboot and the server will keep on working and sharing your windows files on boot

    But as I was using the SD card file system, I didn’t test the USB mount.

    They then have you edit /etc/samba/smb.conf and set it one way, that didn’t work for me. I think it is a “version 7 vs XP” thing… in that the laptop seems to think it is in domain “PAVILION” while the XP thing seems to not expect “homegroups” (but that could be ‘crazy talk’ as the whole way domains and homegroups and all mutated over the years is just annoying…)

    So I “fooled around” with smb.conf and now I can mount the file system onto the laptop. I don’t know if it’s just letting me in as a ‘guest’ (but I don’t think so, since I gave it user id and password) but at present I can ‘read but not write’ files. ( Again, I think that is because I have write permission shut off… as I didn’t want to be opening up security holes on my dns / torrent server just to test things… ) Getting the “workgroup” to match PAVILION seems to have been the important bit, but perhaps turning on Domain Controller status in the Pi was also important?

    I see 4 “shares” at present, one of which is the user ‘pi’ home directory (so again I think it took my login as ‘pi’ not as guest). I get “Netlogon”, along with “pi”, “pidir” and “usb”. The last three being expected and the first one a bit of a mystery to me (but I think I turned on a ‘feature’ that uses it… ;-)

    I donno… needs a real MS Windows guy to say what was right, and what was mindless…

    Here’s the suggested smb.conf changes, and then my smb.conf content for comparison.

    pi@raspberrypi~$ sudo vi /etc/samba/smb.conf
    The things that possibly need changing are the workgroup entry set to WORKGROUP for XP and previous operating systems and HOME for Windows 7 and above (not sure what is the default for Vista).
    workgroup = WORKGROUP
    Then i would comment out the following lines by adding a ; to the front of the item as this makes initial setup and testing easier.
    ——————————————————
    ;[homes]
    ; comment = Home Directories
    ; browseable = no
    ;[printers]
    ; comment = All Printers
    ; browseable = no
    ; path = /var/spool/samba
    ; printable = yes
    ; guest ok = no
    ; read only = yes
    ; create mask = 0700
    ;[print$]
    ; comment = Printer Drivers
    ; path = /var/lib/samba/printers
    ; browseable = yes
    ; read only = yes
    ; guest ok = no
    ;[cdrom]
    ; comment = Samba server’s CD-ROM
    ; read only = yes
    ; locking = no
    ; path = /cdrom
    ; guest ok = yes
    ; preexec = /bin/mount /cdrom
    ; postexec = /bin/umount /cdrom
    ——————————————————
    Then finally at the end add your windows share name – i will use a share name of usb and will share out the content of /mnt/disk1 – to share the other disk, add another entry as below with the share name within the [ ] and the path to the other disk drive.
    ——————————————————
    [usb]
    comment = USB Share
    path = /mnt/disk1
    writeable = Yes
    only guest = Yes
    create mask = 0777
    directory mask = 0777
    browseable = Yes
    public = yes
    ——————————————————

    8. At last we can restart samba and test the configuration so to restart samba.
    pi@raspberrypi~$ sudo service samba restart
    and to check the shares and configuration run
    pi@raspberrypi~$ sudo testparm -s
    this should show something similar to that below
    ——————————————————
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
    Processing section “[usb]”
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    [global]
    server string = %h server
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    wins support = Yes
    panic action = /usr/share/samba/panic-action %d

    [usb]
    comment = USB Share
    path = /mnt/disk1
    read only = No
    create mask = 0777
    directory mask = 0777
    guest only = Yes
    guest ok = Yes
    ——————————————————

    What I have right now, but will shortly be trying to pare back to see what was really the important bits:

    #
    # Sample configuration file for the Samba suite for Debian GNU/Linux.
    #
    #
    # This is the main Samba configuration file. You should read the
    # smb.conf(5) manual page in order to understand the options listed
    # here. Samba has a huge number of configurable options most of which
    # are not shown in this example
    #
    # Some options that are often worth tuning have been included as
    # commented-out examples in this file.
    # – When such options are commented with “;”, the proposed setting
    # differs from the default Samba behaviour
    # – When commented with “#”, the proposed setting is the default
    # behaviour of Samba but the option is considered important
    # enough to be mentioned here
    #
    # NOTE: Whenever you modify this file you should run the command
    # “testparm” to check that you have not made any basic syntactic
    # errors.
    # A well-established practice is to name the original file
    # “smb.conf.master” and create the “real” config file with
    # testparm -s smb.conf.master >smb.conf
    # This minimizes the size of the really used smb.conf file
    # which, according to the Samba Team, impacts performance
    # However, use this with caution if your smb.conf file contains nested
    # “include” statements. See Debian bug #483187 for a case
    # where using a master file is not a good idea.
    #

    #======================= Global Settings =======================

    [global]

    ## Browsing/Identification ###

    # Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = PAVILION

    # server string is the equivalent of the NT Description field
    server string = %h server

    # Windows Internet Name Serving Support Section:
    # WINS Support – Tells the NMBD component of Samba to enable its WINS Server
    # wins support = no

    # WINS Server – Tells the NMBD components of Samba to be a WINS Client
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    ; wins server = w.x.y.z

    # This will prevent nmbd to search for NetBIOS names through DNS.
    dns proxy = no

    # What naming service and in what order should we use to resolve host names
    # to IP addresses
    ; name resolve order = lmhosts host wins bcast

    #### Networking ####

    # The specific set of interfaces / networks to bind to
    # This can be either the interface name or an IP address/netmask;
    # interface names are normally preferred
    ; interfaces = 127.0.0.0/8 eth0

    # Only bind to the named interfaces and/or networks; you must use the
    # ‘interfaces’ option above to use this.
    # It is recommended that you enable this feature if your Samba machine is
    # not protected by a firewall or is a firewall itself. However, this
    # option cannot handle dynamic or non-broadcast interfaces correctly.
    ; bind interfaces only = yes

    #### Debugging/Accounting ####

    # This tells Samba to use a separate log file for each machine
    # that connects
    log file = /var/log/samba/log.%m

    # Cap the size of the individual log files (in KiB).
    max log size = 1000

    # If you want Samba to only log through syslog then set the following
    # parameter to ‘yes’.
    # syslog only = no

    # We want Samba to log a minimum amount of information to syslog. Everything
    # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
    # through syslog you should set the following parameter to something higher.
    syslog = 0

    # Do something sensible when Samba crashes: mail the admin a backtrace
    panic action = /usr/share/samba/panic-action %d

    ####### Authentication #######

    # “security = user” is always a good idea. This will require a Unix account
    # in this server for every user accessing the server. See
    # /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
    # in the samba-doc package for details.
    # security = user

    # You may wish to use password encryption. See the section on
    # ‘encrypt passwords’ in the smb.conf(5) manpage before enabling.
    encrypt passwords = true

    # If you are using encrypted passwords, Samba will need to know what
    # password database type you are using.
    passdb backend = tdbsam

    obey pam restrictions = yes

    # This boolean parameter controls whether Samba attempts to sync the Unix
    # password with the SMB password when the encrypted SMB password in the
    # passdb is changed.
    unix password sync = yes

    # For Unix password sync to work on a Debian GNU/Linux system, the following
    # parameters must be set (thanks to Ian Kahan < for
    # sending the correct chat script for the passwd program in Debian Sarge).
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

    # This boolean controls whether PAM will be used for password changes
    # when requested by an SMB client instead of the program listed in
    # ‘passwd program’. The default is ‘no’.
    pam password change = yes

    # This option controls how unsuccessful authentication attempts are mapped
    # to anonymous connections
    map to guest = bad user

    ########## Domains ###########

    # Is this machine able to authenticate users. Both PDC and BDC
    # must have this setting enabled. If you are the BDC you must
    # change the ‘domain master’ setting to no
    #
    domain logons = yes
    #
    # The following setting only takes effect if ‘domain logons’ is set
    # It specifies the location of the user’s profile directory
    # from the client point of view)
    # The following required a [profiles] share to be setup on the
    # samba server (see below)
    ; logon path = \\%N\profiles\%U
    # Another common choice is storing the profile in the user’s home directory
    # (this is Samba’s default)
    # logon path = \\%N\%U\profile

    # The following setting only takes effect if ‘domain logons’ is set
    # It specifies the location of a user’s home directory (from the client
    # point of view)
    ; logon drive = H:
    # logon home = \\%N\%U

    # The following setting only takes effect if ‘domain logons’ is set
    # It specifies the script to run during logon. The script must be stored
    # in the [netlogon] share
    # NOTE: Must be store in ‘DOS’ file format convention
    ; logon script = logon.cmd

    # This allows Unix users to be created on the domain controller via the SAMR
    # RPC pipe. The example command creates a user account with a disabled Unix
    # password; please adapt to your needs
    ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

    # This allows machine accounts to be created on the domain controller via the
    # SAMR RPC pipe.
    # The following assumes a “machines” group exists on the system
    ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

    # This allows Unix groups to be created on the domain controller via the SAMR
    # RPC pipe.
    ; add group script = /usr/sbin/addgroup --force-badname %g

    ########## Printing ##########

    # If you want to automatically load your printer list rather
    # than setting them up individually then you’ll need this
    # load printers = yes

    # lpr(ng) printing. You may wish to override the location of the
    # printcap file
    ; printing = bsd
    ; printcap name = /etc/printcap

    # CUPS printing. See also the cupsaddsmb(8) manpage in the
    # cupsys-client package.
    ; printing = cups
    ; printcap name = cups

    ############ Misc ############

    # Using the following line enables you to customise your configuration
    # on a per machine basis. The %m gets replaced with the netbios name
    # of the machine that is connecting
    ; include = /home/samba/etc/smb.conf.%m

    # Most people will find that this option gives better performance.
    # See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
    # for details
    # You may want to add the following on a Linux system:
    # SO_RCVBUF=8192 SO_SNDBUF=8192
    # socket options = TCP_NODELAY

    # The following parameter is useful only if you have the linpopup package
    # installed. The samba maintainer and the linpopup maintainer are
    # working to ease installation and configuration of linpopup and samba.
    ; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

    # Domain Master specifies Samba to be the Domain Master Browser. If this
    # machine will be configured as a BDC (a secondary logon server), you
    # must set this to ‘no’; otherwise, the default behavior is recommended.
    # domain master = auto

    # Some defaults for winbind (make sure you’re not using the ranges
    # for something else.)
    ; idmap uid = 10000-20000
    ; idmap gid = 10000-20000
    ; template shell = /bin/bash

    # The following was the default behaviour in sarge,
    # but samba upstream reverted the default because it might induce
    # performance issues in large organizations.
    # See Debian bug #368251 for some of the consequences of *not*
    # having this setting and smb.conf(5) for details.
    ; winbind enum groups = yes
    ; winbind enum users = yes

    # Setup usershare options to enable non-root users to share folders
    # with the net usershare command.

    # Maximum number of usershare. 0 (default) means that usershare is disabled.
    ; usershare max shares = 100

    # Allow users who’ve been granted usershare privileges to create
    # public shares, not just authenticated ones
    usershare allow guests = yes

    #======================= Share Definitions =======================

    [homes]
    comment = Home Directories
    browseable = no

    # By default, the home directories are exported read-only. Change the
    # next parameter to ‘no’ if you want to be able to write to them.
    read only = yes

    # File creation mask is set to 0700 for security reasons. If you want to
    # create files with group=rw permissions, set next parameter to 0775.
    create mask = 0700

    # Directory creation mask is set to 0700 for security reasons. If you want to
    # create dirs. with group=rw permissions, set next parameter to 0775.
    directory mask = 0700

    # By default, \\server\username shares can be connected to by anyone
    # with access to the samba server.
    # The following parameter makes sure that only “username” can connect
    # to \\server\username
    # This might need tweaking when using external authentication schemes
    valid users = %S

    # Un-comment the following and create the netlogon directory for Domain Logons
    # (you need to configure Samba to act as a domain controller too.)
    [netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    read only = yes

    # Un-comment the following and create the profiles directory to store
    # users profiles (see the “logon path” option above)
    # (you need to configure Samba to act as a domain controller too.)
    # The path below should be writable by all users so that their
    # profile directory may be created the first time they log on
    ;[profiles]
    ; comment = Users profiles
    ; path = /home/samba/profiles
    ; guest ok = no
    ; browseable = no
    ; create mask = 0600
    ; directory mask = 0700

    ;[printers]
    ; comment = All Printers
    ; browseable = no
    ; path = /var/spool/samba
    ; printable = yes
    ; guest ok = no
    ; read only = yes
    ; create mask = 0700

    # Windows clients look for this share name as a source of downloadable
    # printer drivers
    ;[print$]
    ; comment = Printer Drivers
    ; path = /var/lib/samba/printers
    ; browseable = yes
    ; read only = yes
    ; guest ok = no
    # Uncomment to allow remote administration of Windows print drivers.
    # You may need to replace ‘lpadmin’ with the name of the group your
    # admin users are members of.
    # Please note that you also need to set appropriate Unix permissions
    # to the drivers directory for these users to have write rights in it
    ; write list = root, @lpadmin

    # A sample share for sharing your CD-ROM with others.
    ;[cdrom]
    ; comment = Samba server’s CD-ROM
    ; read only = yes
    ; locking = no
    ; path = /cdrom
    ; guest ok = yes

    # The next two parameters show how to auto-mount a CD-ROM when the
    # cdrom share is accesed. For this to work /etc/fstab must contain
    # an entry like this:
    #
    # /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
    #
    # The CD-ROM gets unmounted automatically after the connection to the
    #
    # If you don’t want to use auto-mounting/unmounting make sure the CD
    # is mounted on /cdrom
    #
    ; preexec = /bin/mount /cdrom
    ; postexec = /bin/umount /cdrom

    [pidir]
    comment = Raspberry Pi System
    path = /
    writeable = no
    only guest = yes
    browseable = yes
    public = yes

    [usb]
    comment = USB Disk
    path = /mnt/disk1
    writable = Yes
    only guest = Yes
    create mask = 0777
    directory mask = 0777
    browsable = Yes
    public = Yes

    Note that “usb” is only “for future use” as I don’t have a USB disk being mounted at present.

    “pidir” is the whole file system. It is exporting fine (read only).

    I had to create /home/samba/netlogon by hand as a world readable / executable directory to get it to be accessible (though it showed up in the export / mount list on the laptop even before it was created…)

    You will notice I turned domain logons to yes. My working assumption is that the Pavilion Laptop thinks it is the primary domain controller PDC. But that could be a wrong assumption that gives the working answer ;-)

    At any rate, it works for read of files. Next I’m going to set “read only” to no for one of them and see what happens. (I expect it to work). Then try backing out various changes one at a time to find out what makes it work, and what was a shot in the dark that did something else and I have no idea what it was and really ought to turn it off ;-)

    Next I’ll set up NFS exports (but I’ve done that a LOT in my life…) however I need a second system to do the NFS mounts onto… so that will likely wait for tomorrow when I’m not doing Mother’s Day stuff too…

    Hope this encourages you that using the RPi as a file server isn’t very hard. I did it in about an hour and I’m not even very experienced with the whole Domains / Homegroups / MS Way of doing things…
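An added example, not part of the comment above and not the commenter's code: a Python audit that reads an smb.conf, resolves Samba's parameter synonyms (`public` for `guest ok`, `writeable` / `writable` for the inverse of `read only`), and reports shares that are open to guests, guest-writable, world-writable by mask, or that export `/`. The embedded sample is constructed from the active share settings in the smb.conf posted above; the finding labels and function names are hypothetical.

```python
import re

# Parameter synonyms from smb.conf(5). Names are compared lower-cased with
# all whitespace removed, which is how Samba itself treats them.
SYNONYMS = {"public": "guestok", "onlyguest": "guestonly",
            "browsable": "browseable", "createmode": "createmask",
            "directorymode": "directorymask"}
INVERTED = {"writeable", "writable", "writeok"}  # inverse of "read only"
TRUE = {"yes", "true", "on", "1"}

# Constructed sample: active settings from the smb.conf in the comment above,
# with its comment lines and unrelated [global] options left out.
SAMPLE = """\
[global]
workgroup = PAVILION
map to guest = bad user

[homes]
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S

[netlogon]
path = /home/samba/netlogon
guest ok = yes
read only = yes

[pidir]
path = /
writeable = no
only guest = yes
public = yes

[usb]
path = /mnt/disk1
writable = Yes
only guest = Yes
create mask = 0777
directory mask = 0777
public = Yes
"""


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}; later lines win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = re.sub(r"\s+", "", key).lower(), value.strip()
        if key in INVERTED:                  # writable = yes -> read only = no
            key = "readonly"
            value = "no" if value.lower() in TRUE else "yes"
        current[SYNONYMS.get(key, key)] = value
    return sections


def audit_shares(text):
    """Return {section: [finding, ...]} for every section with a finding."""
    conf = parse_smb_conf(text)
    report = {}
    # Anything other than "never" turns some failed logins into guest sessions.
    if conf.get("global", {}).get("maptoguest", "never").lower() != "never":
        report["global"] = ["map-to-guest-enabled"]
    for name, params in conf.items():
        if name == "global":
            continue
        findings = []
        guest = params.get("guestok", "no").lower() in TRUE          # default no
        writable = params.get("readonly", "yes").lower() not in TRUE  # default ro
        if params.get("path") == "/":
            findings.append("exports-root-filesystem")
        if guest:
            findings.append("guest-access")
        if guest and writable:
            findings.append("guest-writable")
        for mask in ("createmask", "directorymask"):
            if mask in params and int(params[mask], 8) & 0o002:
                findings.append(f"world-writable-{mask}")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for section, findings in audit_shares(SAMPLE).items():
        print(f"[{section}] " + ", ".join(findings))
```

The guest findings go away when a share drops `public` / `only guest` and restricts connections with `valid users`, as the `[homes]` section already does; the `pidir` finding remains until its path is narrowed from `/`.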

  8. Bloke down the pub says:

    E.M.Smith says:
    12 May 2013 at 9:05 pm

    @Bloke Down The Pub:

    I’d ask “Why?” since all I’ve done is make a computer and wear short pants… but since Tallbloke was raided, well, I no longer put anything past possible…
    #####
    Mostly because it looks like you’re wired to explode!
    ~~~~~~~~~~~~~~

    But: Nobody have any comments on the Dongle Pi idea / project itself?
    #####
    Sorry, above my pay grade.

  9. E.M.Smith says:

    Hadn’t thought of that… I suppose wires heading into a pocket does look a bit like… Hmmm… maybe having the board visible and just calling it a WiFi dongle is the better approach ;-)

  10. punmaster says:

    Sorry, above my pay grade.

    I’m with Bloke down the pub here. I get the outlines of your idea, Chiefio, but the details sound like
    Differential Mathematical Models of Electron Flow At Absolute Zero. I get the feeling that is actually what you proposed and simply covered it with computer language. :-) You did, didn’t you? And I still don’t want to see any of All Gender Black Hat squad naked.

    I can tell you how guitar pickups work, though.

  11. Steve C says:

    Alas, along with those of the rest of us who have grown old playing with the firm’s Windows machines, I’m another of the “above my pay graders” on all this. OTOH, as a self-confessed “Old Unix / Linux Guy”, could you point us unfortunates to a “best” place to pick up what we’ve been missing out on? Don’t much care if it’s a book, website, hypnotism course or whatever, so long as it looks right to somebody who already understands what it’s on about. Plenty of “scrap” hardware (as other people call it) available. ;-)

  12. E.M.Smith says:

    @Punmaster:

    My son plays guitar and even built up an electric one. I think he doesn’t have a guitar pickup though; he’s got a station wagon for his gear.

    ;-) of course…

    Seriously though, I think I see what I left out. The basic “what is this and why do it?” and just launched into “how to do it” (as the other stuff has gone by in comments on other articles).

    So, a short form:

    The whole idea is a “disposable system”. Every part low enough cost that you don’t care if it needs to be tossed in the trash, or gets taken by The Constable in a surprise raid like happened to TallBloke (eventually he got his equipment back once they decided he really was just running a blog where FOIA-2011 made a comment.)

    So 2 sides to it. A “TallBloke and the Constable” side, where you want things that are damn cheap and can be ‘re constructed’ as soon as the door closes with your computer going walkies with the cops. And an Anonymous system where the things that are used to tag and track you get “flushed” along with any “tools” and cracker crap at the end of a session. (Either those you used, or those shoved down your throat by the Black Hats you might run into…)

    For a “disposable system”, everything is put on an SD card. About $15 for a 16 GB card. The Constable knocks on the door, or breaks it down, just pull the power and the chip. Now “the computer” is a $35 board that does nothing. The “personality” is all on the chip. Furthermore, that personality is downloaded to the chip from a secure archive (think “encrypted on the internet cloud”…) So IFF they find and take the chip, you flash a new one shortly after they are gone and are back in business. (A supply of spare boards also being easy to arrange). BUT, the odds are that the typical cop doing a “get all the computers” sweep is not going to be looking at bare boards about the size of a cigarette pack. It just doesn’t “click” to most folks that “That IS the computer”. So most likely the whole thing would just be left there and they would run off with the monitor and keyboard or the laptop (that only is used as terminal server, so $30 on Ebay and you have a replacement…)

    For a “clandestine FOIA station”, you want to leave no forensic evidence that it was you doing what was “not approved”. So take that Liberator plastic gun. Yes, I downloaded the plans via Torrent just as a political statement. Clearly I’m not going to make one ( I’m reaching that point in life where I’m getting rid of my old hobby stuff, not getting more; looking more at food and friends than things.) I also have no need to dig up an $8000 3D printer to make something that goes bang. So I’m willing to make that statement AS political speech. But some folks are not. And what if TPTB did go after the folks? (Hey, Obama’s admin had the IRS hunting “Patriot” and “Tea Party” folks…) So there’s a need for privacy and anonymity.

    Most of the time, the forensics crew is looking to tie a particular bit of hardware or the operating system to a given set of activities. The two biggest ways to do this are the network identifiers and the bits of crap left around in files on the system. So you want ways to encrypt / hide those, or to destroy them. The IP Address is what is assigned to your computer when you join a network. It can be traced back to a physical place. So you don’t do things from home, but use public access WiFi spots. Those, though, still capture the low level unique identifier of the network device, called a MAC Address. So you want a disposable MAC address. Some hardware lets you change it, but the WiFi dongles are cheap enough (at $10 to $20) that one could be used, and just destroyed / tossed when done.

    That just leaves the system files. Microsoft leaves crap all over the place. SO much that I have to think “Agencies” asked them to do it. Linux does far less of that. Furthermore, by having a pristine image (i.e. “as built” not “post use”) that can be written back to the SD card, you can overwrite it in about 2 minutes. Finally, the card is so small, it can be simply removed and hidden in a panic moment (i.e. “dynamic entry”…) With a Micro-SD adapter, the actual card is about the size of my little finger fingernail.

    That, then, leaves you with the R.Pi naked hardware (that says nothing of interest to forensics), a laptop that has nothing on it (having been only a terminal server, and that traffic all being over a dedicated ethernet wire, so not broadcast) and even then it can have an encrypted disk (using TrueCrypt) so any bits you missed are hard to crack anyway. Now anyone who says “We have you on camera at that Starbucks at that time. Give us your computer.” gets a laptop with a terminal server on it, and not much else. It has a MAC address on the WiFi adapter that doesn’t match “the perp”, and it has no log files or other stuff that would indicate it was the computer used for “whatever” was done. Essentially the typical forensics are all going to point to your innocence. The Dongle Pi has two identifying bits, the WiFi Dongle MAC address and the SD chip contents. Both can be simply burned and tossed (say FOIA were uploading all the UEA stuff, that’s worth burning $40 of hardware) or can have the SD card re-written when done while the WiFi dongle may have a MAC rewritten for some, but more likely is just “lost” in the river on the way home…

    Once at home, you have a laptop that testifies you are innocent, a generic Raspberry Pi with a generic OS on the SD chip, and no WiFi on it at all. Good luck getting any kind of a conviction out of that…

    The rest of the article is mostly just a “how to make it” recipe.

    Now I have no need at all for the “clandestine disposable system”, but some folks might. However, as TallBloke was just a guy running a blog, and I’m just a guy running a blog, and his equipment got taken simply because someone made a COMMENT at his blog (saying “pick up FOIA email here” in essence), I have a big need for the “Knock on the door computers go away” recovery package.

    For that reason, I’m moving everything off of the laptop other than stupid terminal services and generic storage. (So that canonical set of weather PDF downloads and captures of GHCN data copies can stay, anything “me” gets a new home…) Now if the laptop gets taken, they get a disk full of academic crap (that I want to keep, and will have duplicated on DVD off site) and a terminal server. In about an hour I can recreate it. My “servers” (so, for example, the Torrent Server) are Raspberry Pi boards, so dirt cheap, and the “personality” is on an SD card (that is also duplicated off site). Again, I can recreate the system pretty fast. (Depending on how many Raspberry Pi boards I have stashed elsewhere and / or what other systems I can restore into instead). Essentially, I’m separating the hardware from the personality/OS and making both fast to recreate (and useless to someone who takes them for anything forensics oriented via encrypted file systems – still a ‘to be done’ step).

    All in all, it’s called “Defensive Computing”. With defense in depth.

    The final point is just that the security holes have gotten so large that it’s not possible to keep the desktop secure over years of use. For example, the Javascript hole is a giant one and is still there, last I looked. Run a browser, you pretty much must use Java… Since I “go hunting” for interesting stuff, and sometimes that lands me on “less than nice” web sites (you don’t know what a Google Search link does till you click it…); I want the ability to ‘restore to known safe’ after making a posting and wandering the internet for fodder. The only way I can see to guarantee that is a full system reset after use. So a pristine image that gets shoved down onto the box after each use. Easiest way to do that is to use an SD card in an R.Pi or a Virtual Machine image or a LiveCD. I’ve now tried all three. Performance is about the same from all three, but the R.Pi has some advantages. Mostly in that the LiveCD and the Virtual Machine are still running on the laptop, so have a small risk that a hacker can breakout into the wrapper space and see the laptop directly, while the R.Pi is completely stand alone. I’ll likely continue to use all three, and tune just which is used for what over time.

    So that’s the “why”. Hopefully without too much jargon…

    As to the “recipe”, well, it is what it is. It’s just the steps you must do to make it “go”. Since it IS a bit dense, I offered to make an SD card for about my costs for anyone who wanted one.

    Hopefully that makes things a bit more clear…

  13. E.M.Smith says:

    @Steve C.

    I think I’ll work up a “Linux Starter” posting… I once taught an “Intro To Unix” class for a living, so I’m “into this” ;-)

    Best way to get started, IMHO, is just get a LiveCD and play with it. I’ve got a Virtual Machine posting up here somewhere, detailing what I went through getting it installed and learning it. Then you just put Linux on it; but it’s a bit more messy than a LiveCD. Those you just download, burn to CD, and boot from it. Then play…

    But give me a few days and I’ll work up a “starting from scratch” posting…

  14. Gail Combs says:

    E.M.
    ….Microsoft leaves crap all over the place. SO much that I have to think “Agencies” asked them to do it….
    >>>>>>>>>>>>>>>>>>>>>>>>>
    FWIW, Bill Gates was at the 2010 Bilderberg conference and Mitt Romney and Gates were at the last conference Guardian UK link

  15. Steve C says:

    @EM – Thanks – it would be appreciated. Most of my previous attempts have been via “Learn Linux In 20 Minutes” type books (where what they really mean is “Learn the Basics of Driving the Linux on the CD In The Back of This Book in 20 Minutes”, and somebody’s nicked the CD), or “Essentials of Unix Systems”, written mostly in a language I don’t recognise. The first sort only teach you the basics of using a GUI, the second sort seem to assume you’ve already done that “Intro to Unix” class. ;-(

    I know how the things work – I built one of my first computers from a kit and made it go. I know roughly what I want to do, most of the time (in Windows-speak), my Windows machines all have the same look, caused by using my favourite alternate shell on all of them, and I’ve messed around with the AutoIt scripting language, which is sweet – it lets you design your own GUIs and call any DLL in the system. That’s all I want, really – the ability to do easily anything that’s in there (and preferably the knowledge of how to stop anybody else taking the thing over, although that’s not really an option in Win32).

    Pity about the C (+, ++, etc.), though, as I always got on best with Forth. Maybe I should heed that vague intention to “get into PICs one day” and get back to the land where I actually understand exactly what’s going on.

    Gail – And I recall having seen (think it was just before Vista came out) that Microsoft and the NSA were ‘collaborating’ on the design of the new operating system. (Sorry, no link saved at the time – just filed mentally under “Totally Unsurprising News”.) Another good reason for being interested in open source.

  16. punmaster says:

    @E.M.Smith:
    Thank you. I begin to get the idea. BTW, I googled ” station wagon. ” How in the world did something the size of a Ford Country Squire with a 351 ever get built? Pocket carriers aren’t that big! ;) And, AFAIK, Ford never built a guitar pickup. Who would leave a nice guitar, say a Benedetto ( around $6000 ), in a pickup, anyway?

    I have also built up a guitar. Refinished the body with stain and sanded the stuff off four times before I finally covered the bare wood with polyurethane. My wife liked that better. If she couldn’t cook . . .

    Now back to the regularly scheduled program.

  17. anthonyvenable110 says:

    Reblogged this on anthonyvenable110.

  18. Gail Combs says:

    Steve C says: …I recall having seen (think it was just before Vista came out) that Microsoft and the NSA were ‘collaborating’ on the design of the new operating system. (Sorry, no link saved at the time ….
    >>>>>>>>>>>>>>>>>>>>
    Interesting read on that subject….

    Microsoft, the CIA and NSA Collude to Take Over the Internet
    Microsoft, the NSA, the CIA have all been colluding to create the most bloated covert piece of malware known to exist for 5 years [1] undetected. Microsoft decided somewhere along 2006 and 2007, that it was willing to throw away half of their market share (128 billion) in allowing this to occur…

    Die Welt, Germany The U.S. Secret Services Control Windows Vista
    For many years it was only wild speculation. But now Microsoft has confirmed: ‘Yes, we have collaborated with the National Security Agency, the most secretive of all U.S. intelligence services, in the development of our new Vista operating system.’”….

    Senate votes to let the NSA keep spying on you without a warrant until 2017
    The US Senate has voted to approve the FAA Sunsets Extension Act of 2012, which will authorize warrantless surveillance of Americans for counter-terrorism purposes for another five years. The bill extends the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008, which granted retroactive immunity for wiretaps and email monitoring under the Bush Administration and created a framework for future warrant-free surveillance as long as one party is located outside the US and terrorism is suspected.

    Whistleblowers like former NSA codebreaker William Binney have long since revealed that surveillance programs catch hundreds of thousands of American citizens in their dragnet. But attempts to criticize the law have been blocked by the fact that no one — including the Senate’s intelligence committee — is allowed to know much of anything about how it actually works. That means this vote represented the last chance for Congress to enact meaningful review of surveillance activities for the next five years…..

  19. E.M.Smith says:

    @Gail & Steve C:

    That NSA cooperation is both a significant worry and not nearly as onerous as it sounds.

    Early on in encryption the NSA offered a “modification” of a hash table for the proposed encryption standard. Nobody could see what difference it could possibly make. A decade or so later, a “new” method of encryption attack was published. Upon inspection it was found that the NSA recommendations made the encryption standard more robust against that kind of attack…

    Much of the time the NSA is just making available advice to folks on how to prevent OTHER agencies from other countries from cracking in to things. They are the hottest crypto folks on the planet, near as I can tell, and don’t seem so worried about folks making things they can’t crack (most of the time). Though when PGP came along they had their panties in a bunch for a while. Usually it was other TLAs (Three Letter Agencies) that were more pissy about folks doing too good of a lock down / lock out and wanting back doors in things (like IIRC the CIA wanted a back door into RSA chips… and that ill fated attempt to force serial numbers into CPUs from Intel…)

    At this point, I’m pretty sure that they have given up on keeping very solid encryption out of the public square and also realized that WE are getting cracked more by others… AES, Blowfish, et. al. are pretty much a done deal on public hard to crack. (So we’ve seen more “contact tracing” and less “content” based forensics). But the police agencies very much want the content ON the computer. So I suspect more an FBI / Domestic agency pushing for Microsoft to “leave convenient bits laying around”… (Were I going after someone, I’d use a ‘screen scraper’ and not worry so much about how they handled the container from which the bits were being displayed…)

    Fundamentally, a spy agency wants to watch what you DO, while police want to see what you HAVE or HAD. So leaving bits of files around help the police see what you have more… bugging keystrokes and screen scrapers help spy agencies more. Contact tracing helps both. So a whole lot of effort goes into contact tracing (and GPS tracking and video cameras and … ) A spy agency would be more interested in a “backdoor” to turn on the microphone and camera than in a way to see what’s in your download log…

    (One of the other advantages of the Dongle Pi… no microphone and no camera ;-)

    At any rate, “best practices” has a program remove all its misc files when done with them and zero the contents. When folks leave a lot of such files laying around, it’s either hideously bad programming, or somebody wants to be able to dig in the trash…

    @Punmaster

    Y’all need ta’ visit Texas… 4 door 4×4 and Cadillac Pickups… Some cost more than a limo…

    @Steve C:

    If you like Forth, you will love “Shell Scripts”. Frankly, shell scripts and “pipes” are two of the most useful things in the world of computing, IMHO. I’ll cover this more in the “tutorial”, but essentially the world of Linux / Unix has a “3 way split”. There’s the GUI / User layer, the programmer tech layer, and the Administration / SysAdmin layer. For programmers, just about any language you want, and loads of tools, are built in. From FORTRAN to C to whatever. For most of the “stuff” commonly seen, it’s all about the GUI and the Applications. So there are loads of choices for “Look and Feel” and “desktop manager”. Names like LXE and Enlightenment and Gnome and more. But I’m from the SysAdmin school. A little bit of both of those first two, but a whole lot more of “build up a system and make it go”. At that level, you use scripting A Lot.

    Scripts are a recursive reentrant interpreter world, just like FORTH. So you can “make a command” in one of the directories where the system looks for commands, and that is now fully available to you. And to all other scripts and can include compiled programs too. Some of the exact syntax can look a little cryptic at first, but it tends to be consistent across loads of tools, so worth it to learn it once… and use many times.

    An example.

    Most commands live in a directory with “bin” in the name. So /usr/bin is common programs for all users. ( user / binaries was the original meaning, but scripts work too, not just binaries..) Now I have a “Search Path” where things look for commands. Typically it will look like: /bin /usr/bin /usr/local/bin and maybe some others, I could add to it /home/emsmith/bin. Now, anytime I want, I can add a file in /home/emsmith/bin that becomes a generally usable tool.

    To make a file “executable”, you “change the mode to add execution”. In unix terms, that’s:
    chmod +x filename

    Linux is for folks who don’t like to type, IMHO. Most commands have a mnemonic, but 75% of the letters are missing ;-)

    Now say you don’t like typing “chmod +x” because that reach for the + tends to be missed… I typically make a little command that I name “allow”. In the file named /home/emsmith/bin/allow I put:
    chmod +x $*

    That $ says “this is a passed parameter substitution” and the “*” says “stick all of them here”.

    Now I have to make “allow” executable, via a chmod +x allow, but after that, I can just type:
    allow foo
    to make ‘foo’ executable.

    Next, it’s a bit of an annoyance to type out /home/emsmith/bin every time, so I often make a command that I name “cmd”:
    cd /home/emsmith/bin
    vi $1
    allow $1

    Here we see numbered parameters. I say “only use the first passed parameter and toss the rest”. “cd” is “change directory” and says “go to my home directory, into my binary library”. Then I use “vi” which is the “visual editor”, mostly because I’ve used it for decades.. you can use others that are less cryptic ;-) Essentially this just tosses me into an editor where I can type in any text I like.

    When I exit the editor, it “allows” that same file to be executable.

    So now I say “allow cmd”, and that’s the last time I ever need to do any of those steps. From then on I just type:
    cmd BAR
    and type in the command content I want to be named BAR.

    Just like in FORTH, each little nibble you build gets added to the tool kit and is reusable.

    But wait, there’s more! Pipes.

    Each command has a ‘standard in’ and a ‘standard out’. They can be glued together with a ‘pipe’ symbol. One of my favorite examples, and only a little hinky, is how to use a “word count” to do something else… “grep” is Global Regular Expression Print. It lets you use wild cards to find things in files. So ‘grep frog /home/junk’ will find every line that contains ‘frog’ in the file /home/junk. And print it out. That’s all well and good, but you might want to just know how many there are, not see all 30,000 of them! Well, “wc” is Word Count. One of the options to it is -l that means ‘count of lines, please; not words’. (There are options for characters, words, lines,…) Now put them together with the vertical bar pipe symbol and all the lines found by ‘grep’ get fed into ‘wc -l’ that gives you the count of them:

    grep frog /home/junk | wc -l

    nice… but say I don’t want to type that all the time?
    cmd linecount
    then in the editor enter:
    grep $1 $2 | wc -l
    and exit the editor.

    Now you can just say:
    linecount frog /home/junk
    or linecount any other combinations too.
    linecount emsmith /posting/logs
    linecount pwned /var/syslog
    etc. etc.
    And if you had some other script that was to nag you if some error log got too large, you could make a little script (call it webnag):
    cmd webnag
    in the editor put:
    linecount ERR404 /var/weblog | mail -s "ERR404 count" sysadmin
    exit the editor, and add ‘webnag’ to the things run on a regular schedule…

    So just like FORTH, things can just keep building on prior work. At this point there are about 4 decades of accumulated tools and options that can be used to ‘get stuff done’…

    Yes, there’s dozens of programming language kits. Yes, more GUIs than I can name. Yes, lots of eye candy and fancy packages. But it’s that shell scripting and pipes that are the core workhorse of so many things. Anything I do on a regular basis, I end up making a little script so that it is done in just a few keystrokes… I think you will find that rather useful ;-)

    BTW, there are at least 4 “shells” that I can think of right off, but they generally fall into one of two syntax families. (And even those are more alike than different). The “sh” shell was the first. It has the same basic pattern show up in ksh (Korn Shell developed by Mr. Korn) and in “bash” seen in Linux. (Born Again Shell – there was also a Bourne Shell that replaced sh in about the late 80’s? so it’s a bit of play on names … but is a free software re-write of it, more or less). The other syntax family is the csh or “C Shell” (yes, another pun…) It uses a more C language like syntax and was developed at Berkeley. Usually all of csh, sh, bsh, bash, and sometimes ksh are available for your use. In practice, I find little difference between sh, bsh, bash, and ksh for most scripting. “csh” I can sort out, but it takes a minute or two to adjust… though for the basics, even it tends to be more the same than different. So don’t worry about it…

    Hopefully that helps make it a bit more interesting rather than more of an alien presence…

    Well, before I end up writing the whole class notes here, I ought to wrap up this ‘taster’ ;-)
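The `linecount` and `webnag` scripts in the comment above pass `$1` and `$2` unquoted, so a pattern or file name containing a space is split into several arguments, and a pattern starting with `-` is read by grep as an option. The following is an added example, not code from the original comment: quoted versions of both, run against a constructed log file whose name contains a space. The log format, the threshold argument and the function names `linecount_original`, `webnag_check` and `make_sample_log` are assumptions made for illustration.

```shell
#!/bin/sh
# The one-liner from the comment, kept for comparison (stderr silenced).
linecount_original() {
    grep $1 $2 2>/dev/null | wc -l
}

# linecount PATTERN FILE: print the number of lines in FILE matching PATTERN.
linecount() {
    [ "$#" -eq 2 ] || { echo "usage: linecount PATTERN FILE" >&2; return 2; }
    [ -r "$2" ] || { echo "linecount: cannot read $2" >&2; return 2; }
    # -c counts matching lines, so no pipe to wc is needed.
    # -e keeps a pattern that starts with "-" from being taken as an option.
    # -- ends option parsing, so a file name starting with "-" is safe too.
    # grep exits 1 when nothing matches; that is a valid count of 0, not an error.
    n=$(grep -c -e "$1" -- "$2") || [ "$?" -eq 1 ] || return 2
    printf '%s\n' "$n"
}

# webnag_check FILE LIMIT: print an alert and return 1 when the number of
# ERR404 lines in FILE is greater than LIMIT; return 0 otherwise.
webnag_check() {
    count=$(linecount ERR404 "$1") || return 2
    if [ "$count" -gt "$2" ]; then
        printf 'ERR404 count %s exceeds %s in %s\n' "$count" "$2" "$1"
        return 1
    fi
    return 0
}

# Write a constructed five-line log to a temp directory and print its path.
# The file name contains a space on purpose.
make_sample_log() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/web log" <<'EOF'
10.0.0.5 GET /index.html 200
10.0.0.5 GET /missing ERR404
10.0.0.9 GET /old page ERR404
10.0.0.9 GET /favicon.ico ERR404
10.0.0.7 GET /about 200
EOF
    printf '%s\n' "$dir/web log"
}
```

The alert line printed by `webnag_check` can be piped to `mail` in the same way the comment's `webnag` does.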

  20. E.M.Smith says:

    @Steve C:

    Well, for $35 you can get a Raspberry Pi, make a “Dongle Pi” out of it, and have a dedicated Forth processor at your disposal! ;-)

    http://www.raspberrypi.org/phpBB3/viewtopic.php?f=7&t=5364

    by gordon@drogon.net » Tue May 01, 2012 9:31 am
    Well there’s GForth for a start – a standard package in Debian – many others, I’m sure.

    And not a Pi, but cheaper ;-) is the Fignition board – amazing. I saw it being demoed by its creator at the weekend – outputs to composite video done entirely in software on an 8-bit Atmel microcontroller.

    ok – after sudo apt-get install gforth:

    gordon @ dot: gforth
    Gforth 0.7.0, Copyright (C) 1995-2008 Free Software Foundation, Inc.
    Gforth comes with ABSOLUTELY NO WARRANTY; for details type `license'
    Type `bye' to exit
    1 2 3 * + . 7  ok
    : hi ." Hello, world" ;  ok
    hi Hello, world ok
    

    So there you are – just remember, it’s running bog-standard (Debian) Linux, so if there’s a package for it, then it’s almost certain it’ll run on the Raspberry Pi. (Although it’s not a dedicated Forth “distro” as such)

    Gordon

    They go on to list 3 or so more various versions of Forth that either are already installed or can be installed.

    That’s one of the things I like about Linux… Odds are that if there is some language or tool you like, it’s already there. (Just the M.S. “stuff” that isn’t always available, though “wine” has gotten good enough at running MS Windows stuff that a lot of it does work now…)

    So, you want Forth, you got it… and a whole lot more…

  22. R. de Haan says:

    E. M. do you know if you can do a full hard drive encrypt with TrueCrypt under OSX 10.6.8?

  23. E.M.Smith says:

    @R. de Haan:

    On the Mac, eh? Didn’t know that (but I’m not using a Mac these days… only due to lack of money, really). I looked into it on the PC, where it is essentially a requirement if you really want privacy as M.S. leaves chunks of things all over the place… but my needs are much more modest so I’ve not “gone there”.

    For all I need, a little Dongle Pi is a great solution. Take the chip out and tuck it “somewhere” and it’s all nice and secure. No worries about what M.S. does, or doesn’t do. No worries about killing the machine and trying to get it recovered with everything encrypted end to end and the support guys saying “not my problem”…

    I’d likely do it on a special purpose laptop, though…
