The ERACC Web Log

GNU/Linux: Rebuttal: Linux on the desktop: Still not happening

This article is a rebuttal to Michael Gartenberg’s “Opinion: Linux on the desktop: Still not happening” over at Computerworld Operating Systems. Executive Summary: Michael Gartenberg is wrong.

I am seriously annoyed by the constant disingenuous articles that state GNU/Linux is not ready for the average user’s desktop PC as the primary, or only, operating system. What a dump truck load of manure! The majority of the people making such spurious claims are usually ignorant end-users, clueless “reporters”, Microsoft fanatics or Apple worshippers. I am not sure which of these categories may contain Mr. Gartenberg. But I suspect it is one or more of the above. If not, then someone point out to me just exactly where Mr. Gartenberg stands in the operating systems wars. Yes, these are wars. If you do not believe that, fine. You can be wrong if you want to.

Edit: the following paragraph is not an ad hominem directed at Mr. Gartenberg. It is written to illustrate Mr. Gartenberg’s logic used in the article URL above.

First off, I am already tired of typing “Mr. Gartenberg” so I will just call him MG. Not that I want to disrespect him or anything like that. It is just that the last name Gartenberg is just not ready for my company technical web log. It is too long and cumbersome to type. It takes too much effort. Also, Richard M. Stallman doesn’t use Gartenberg in a sentence every day. We all know that what Richard M. Stallman does is What We Should All Do. I mean, MG holds up RMS as The Guy that proves Linux just ain’t ready for the average user.

ARGH! Do you see how ignorant and disingenuous is MG’s premise? Okay, his puff of effluvia aside I will state what I as a small business owner use GNU/Linux for on my desktop system. You can decide for yourself which things I do that are too arcane for an average user with average intelligence.

My PC stays up and running for days and weeks on end. So, I rarely have to wait for it to boot when I need to get some work done. I do occasionally log out of my X session (Graphical desktop, for those of you who have no experience with GNU/Linux desktops). Mainly I do this when I get an update that requires me to log out of X for it to apply. These are rare though, and they never require me to reboot. Is this something that is important to an average desktop end user? Probably not. But it is a nice feature of GNU/Linux nonetheless.

I use Firefox and Opera web browsers every day. I watch Flash videos on YouTube, play a few Flash games, read news and opinion on several different web sites, check the weather using www.accuweather.com or just by looking at the Forecastfox AccuWeather plugin. I use Firefox to write articles on this company web log. I also use Firefox to login to our web host to manage our web sites. These last two may or may not be something an average user would do. But many businesses large to small surely would be doing some things similar on their desktop PCs. These solutions are definitely ready for the desktop end-user on GNU/Linux.

I use GnuCash to manage my personal and business finances. It has a straightforward interface and is as easy to use as any personal finance management software I have ever used. I can use the small business features of GnuCash to keep up with accounts payable and accounts receivable. I can input clients and create and print invoices for same. There is not just GnuCash, there are other financial management software packages available for GNU/Linux. Surely desktop based financial management is something the average user does and could do on a GNU/Linux desktop. Yup, that is ready.

In my role as a small business owner I also use OpenOffice.org Writer often. I use it to create proposal documents, quote documents and client labor document forms. I also use OpenOffice.org Calc spreadsheets to calculate costs for quotes. The “Export Directly as PDF” feature is one I use frequently for preparing documents to send in e-mail. Certainly these are things done by many desktop system users using costly and proprietary software. For those people, the GNU/Linux desktop is ready. A friend of mine asserts that she is convinced the OpenOffice.org suite is the “killer application” for GNU/Linux systems, Apple systems, Microsoft systems or anywhere else it may be ported. I agree with her. What about Microsoft Office you say? What about it? I certainly do not need it, nor do probably 99% of desktop PC users.

I receive and send e-mail using Kmail with Kontact on my GNU/Linux desktop PC every day. It works and it works very well. I also use Akregator RSS feed reader with Kontact on my GNU/Linux desktop PC every day. That also works and works very well. I use the Calendar in Kontact regularly to schedule appointments and keep up with recurring events. Works great. Of these the one most average end-users would be doing is probably e-mail. There are several excellent e-mail applications for the GNU/Linux desktop. All work as expected. Definitely e-mail on the GNU/Linux desktop is ready for the average end-user.

There is more, much more that I do that is not at all like an average end-user. For example I occasionally play some FPS 3D games. Most average end-users are not playing FPS 3D games, that would be hard core gamers. Hard core gamers are a breed unto themselves. However, there is no need to go into most of these other things since most end-users are not going to think they have to emulate me or Richard M. Stallman to use a GNU/Linux desktop. That would just be silly.

Is GNU/Linux happening on the desktop? On my PC desktop it is. On the PC desktops of some of my non-geek friends and acquaintances it is. On the PCs of many businesses world wide it is. Desktop GNU/Linux is making small inroads in other businesses that are still undecided about moving to Windows 7. Is GNU/Linux happening on your desktop? If not, it should be … unless you have a serious reason that prevents it. Such as proprietary software that does not yet have a good equivalent on the GNU/Linux desktop. If so, you fall into that 1% of people who are not ready for GNU/Linux.


Notice: All comments here are approved by a moderator before they will show up. Depending on the time of day this can take several hours. Please be patient and only post comments once. Thank you.


GNU/Linux: Current State of Voice Dictation and Recognition

I have a friend who is suffering from a degenerative chronic disease. It is slowly destroying his ability to use his hands to type and interact with his personal computer. This makes it difficult for him to correspond in e-mail, type documents in a word processor or do any other task that requires much interaction using the keyboard and/or mouse interface. He has recently purchased Dragon NaturallySpeaking to use with his Microsoft Vista based PC in an attempt to overcome his problem. As of now he is in limbo over starting up with training NaturallySpeaking for use due to another reason.

That other reason is that my friend wants me to assist him in moving to GNU/Linux on his new Dell PC (8 GB memory, 500 GB hard disk, a 16x DVD±RW drive, plus a second read only DVD-ROM drive, AMD Phenom 2.4 MHz 9750 quad processor, Vista Home Premium OS, MS Works, etc.). He will run the Vista that came with it in a virtual machine in case he needs something that is not available on Linux. One of the primary requirements is assistive software that will allow him to interact with the PC for command and control. I am happy to report there is at least this level of voice support available. But this assistive software must also take dictation fairly accurately so he can more easily use e-mail and a word processor.

For the past three weeks my research assistant and I have been searching the WWW for dictation software that works under GNU/Linux. We have discovered this to be an exercise in frustration with several dead ends. My assistant found projects that some forum post or blog post would purport to be for the purpose of dictation and sent me the URLs for follow up. Yet, when I follow up on the projects they are either “dead”, cannot be made to actually work for dictation or are active but in a state of perpetual research. The developers of the latter seem to be more interested in getting a Masters degree or a PhD than actually driving the projects forward to be usable for people with real needs. Up until recently no project seems to have been actively solving the problem of desktop dictation software for modern GNU/Linux systems. If any were, neither I nor my assistant can find evidence of it in the form of even alpha level software to try. This is quite discouraging for those of us currently seeking a solution for a disabled friend or loved one who needs voice dictation to be able to effectively use a GNU/Linux based PC.

One particularly discouraging find was that IBM has stopped development of ViaVoice for GNU/Linux and has pulled what was available from the market. As a former user of ViaVoice on IBM OS/2 Warp 4 I know it to be an excellent product. I did not need ViaVoice when I was using it, I just used it because it was available and had a bit of a “This is neat!” factor about it for me. I know from experience with it back then that it can be used as a voice dictation system once properly trained. It also handles voice command and control quite well. I had no reason to think the GNU/Linux version would no longer be available and had hopes I could get that for my friend. Unfortunately, someone or some committee at IBM has decided our disabled friends do not need ViaVoice any longer. This is shameful. Some things should be done regardless of the “bottom line”. Assistive technology for our disabled fellow man is one such thing.

With the discouraging part behind us I want to look at what is being done and recent developments as of February 2010. Just recently the simon project announced an upcoming 1½ year benefit project on its web log. The announcement includes the following:

Abstract:
With the help of verbal control provided by simon using terms of everyday language, useful scenarios and areas of application shall be created to enable an easy use of new communication technologies such as the internet, telephone and multimedia applications for elderly people. Moreover, additional security can be provided, for example, a reminder for the user to take a medication.

While this announcement does not specifically state work on solving the dictation problem there is at least proof that the assistive software simon is moving forward with its user voice interface. We can only hope that the research done will turn simon into a useful, dictation capable, voice interface for GNU/Linux. Unfortunately, simon uses the HTK-Toolkit which is not GPL and has its own rather restrictive license that includes this clause:

2.2 The Licensed Software either in whole or in part can not be distributed or sub-licensed to any third party in any form.

This restrictive license means the HTK-toolkit cannot be distributed with a GNU/Linux distribution. Which also means it is unlikely that simon will be included in many distributions as it relies on this toolkit for the heavy lifting of back-end speech processing.

I am very glad to report there is hope for open source, GNU/Linux distribution friendly, back-end processing with the CMU Sphinx project started in the School of Computer Science at Carnegie Mellon University. CMU Sphinx uses a BSD style license which does not restrict redistribution. With my apologies to the project members with whom I have interacted, it does seem the CMU Sphinx project is one of those that is more interested in only the speech engine for research purposes to get those Masters degrees and PhDs I mentioned above. If there is any work being done by this project for a useful front-end I could not find it. While a back-end processor is necessary for speech recognition and dictation it is only half of the problem. I think a PhD or three could be had by working on that useful front-end voice dictation system for GNU/Linux.

There are other projects I could mention but I will leave those for anyone who wants to comment about them.

Here is what I see is needed today. Some project needs to work on both speech back-end processing and voice dictation using a license or licenses that allow free distribution of the source code and binaries for the entire project. Then this project needs to put the pieces together for the FOSS community to start using right away, reporting on bugs and making feature requests. We need a 1960’s era “moon shot” starting in 2010 for GNU/Linux voice dictation for our disabled fellow man. However, instead of taking several years of careful research and planning to “get to the moon” this project would use the model of release early, release often and let us all work on this together starting with an early alpha as soon as possible. After all, no one is likely to die from trying alpha level software and we will all benefit with a usable voice processing system for dictation sooner.


Edit Mon Mar 1 13:20:03 CST 2010: Correct the phrase “second read only Blu-ray drive” as that was incorrect. The correct drive type is now mentioned.


GNU/Linux: Server Upgrade Problem Solving

Notice: This article is not specifically about GNU/Linux. It is under our GNU/Linux category because the server in the article was and is a GNU/Linux based server. Some portions of the article deal with solving upgrade problems for applications that run on the underlying GNU/Linux distribution. In summary, this is a hardware and software article.

Recently my company had the opportunity to upgrade a server to Mandriva 2010 that was running an old version of the Mandriva GNU/Linux distribution. The system had been in place running along nicely  for a few years and had not been upgraded to a new release in all that time except for some security patches. Then it started hanging mysteriously whenever under load from users opening Squirrelmail with large amounts of mail in the INBOX. Looking at logs, checking settings and system files revealed nothing. However, once the system was taken off-line, brought in-house to ERACC and the cover removed we discovered there were several popped capacitors on the old motherboard. This was determined to be the source of the hangs:

Gigabyte Motherboard Blown Capacitors


This old Gigabyte motherboard was from near the beginning of the AMD dual-CPU era when one could first put together a system with two AMD Athlon™ MP CPUs in it. It had a pair of these installed (AMD Athlon™ MP 2400+) and 512 MB of RAM. The Gigabyte board also had two PCI 64-bit slots, one of which was in use with an Adaptec 29160 SCSI controller that controls two SCSI drives. These were in a Linux MD RAID1 configuration except for the “/boot” partition. The small business owner of the server did not want to buy an entirely new server due to the current poor economy (Thanks to our current USA presidential administration and a complicit Congress. The bums.) and cash-flow being so tight. A new server could easily end up costing well over a thousand dollars. So my company was given the task of replacing this old motherboard with another from the same time frame and then doing an upgrade on the installed OS. Searching the web turned up some “recovered” (a.k.a. used.) Tyan S2469GN dual-CPU boards. These were not new but they were the best we were able to find for this system.

Luckily this particular server only handles smtp send/receive, some webmail and serves a few HTML pages for a small off-shoot business of the parent business. It would not be catastrophic for it to be down for a while. So, we could take the time to get things right while trying to keep things as inexpensive as possible. The client ordered one of the S2469GN boards and called us to come get it when it came in. Once we had the S2469GN here we discovered it was just slightly too large for the existing case. The S2469GN is a full sized Extended ATX, full CEB specification motherboard (12″ x 13″). We also discovered that the Gigabyte motherboard used a 20-pin power plug where the S2469GN uses a 24-pin power plug and requires an 8-pin power plug as well. So, we informed the client he would need a different case and an ATX EPS12V power supply. A search of old cases and power supplies at our offices and at the client site did not turn up anything we could use.

A search of new cases turned up the Antec P193 to handle the full sized EATX S2469GN motherboard. A search of power supplies came up with the BFG GX-550 ATX12V 2.2 550 Watt modular power supply. Both were found at online retail shops at a decent price that would not break the budget for this job. (ERACC does not sell individual components, only complete systems and some software licenses.) The client ordered these and once again called us to come get them when they arrived. For the record, the Antec P193 is a beautiful, roomy, well designed case.

Assembly of the system went smoothly due to the excellent design of the P193 case. The Adaptec and RAID1 configured drives were installed. The floppy drive (It is beige! Ack!) and CD drive (Also beige! Good Grief!) were installed. Then all power and data cables were connected, tied off and routed for air flow. The  S2469GN has on-board ATI video. Powering up the system went well except for the floppy drive which failed to be recognized. This was replaced with a new (Still beige though!) floppy drive. Then the system passed POST and the old Mandriva distribution booted without a hitch. Now it was time to upgrade the system to the latest Mandriva 2010 release.

The Linux MD configured RAID1 was accessed using a Mandriva 2010 Live CD. The Mandriva 2010 KDE4 Live CD was found to be too “fat” for the old system with 512 MB of RAM so we used the Mandriva 2010 Gnome Live CD which was not quite so bad. We mounted one of our NFS server shares and backed up the critical data and configuration from the system by copying the relevant files and directories to a subdirectory on the NFS share. Then the system was rebooted to the installed OS. We selected the next version up from the installed Mandriva version from online repositories using http://easyurpmi.zarb.org/old/ because a big upgrade jump from the old version to the new 2010 release would probably fail. Then began the process of running updates with urpmi --auto-update -v to get the new version, then getting the new kernel, rebooting, and doing it all over again for the next release in line.

After going through several of these upgrade/reboot cycles one of the reboots was done before getting the newer Linux kernel installed. This usually would not be a problem, but for some reason the system completely lost access to the RAID due to this. After talking it over it was determined the best choice to go on would be to do a fresh install. Sure, we could have managed to get the new kernel on there and gone on with the upgrade cycles. But a decision was made to recommend the fresh install to make sure old cruft was gone from the system. After all, we had a backup of the important data and configuration files. The client was contacted and gave the “go ahead”. We decided to get rid of the RAID and just use both disks as discrete drives. The primary disk would hold the /boot files, /root, /etc, /opt, and so on. The second drive would hold /home and /var/www.

After replacing the old CD drive with a used DVD±RW drive (At least this one is silver and black.) a fresh install of Mandriva 2010 was done and the needed applications were installed, including Apache, Postfix, Squirrelmail, Courier (authdaemon, pop and imap) and so on. The backup of /home was copied back over. Settings for daemons were copied and edited as needed. Then, once all was in place, we began testing the system. While doing testing it was discovered that the old IMAP with Squirrelmail had created mbox style mail boxes under /home/(username)/Mail/* while the new setup needs maildir style mail directories and files under /home/(username)/Maildir/*. This was a conundrum as we did not want the end-users to lose access to their archived mail that was in the /home/(username)/Mail/* mbox style files.

After a bit of research three tools were used to solve this problem. One was built in-house and calls the other two to do the work:

  • maildirmake - a tool included with the Courier-IMAP package.
  • mbox2mdir - a mailbox to maildir converter by Sergey A. Galin.
  • convertmbox - a bash script built in-house to use the other tools and get the job done.

The maildirmake tool will create a maildir structure that can be used with modern IMAP maildir servers. Here is how a basic maildir will appear:

/home/user/Maildir/
/home/user/Maildir/cur/
/home/user/Maildir/new/
/home/user/Maildir/tmp/

When instructed to create new “folders” the Courier-IMAP server will create subdirectories off this structure like so:

/home/user/Maildir/.Saved/
/home/user/Maildir/.Saved/cur/
/home/user/Maildir/.Saved/new/
/home/user/Maildir/.Saved/tmp/

Here are the contents of the convertmbox script:

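#!/bin/bash
# Convert every mbox file in the current directory into a Courier-style
# maildir folder under $HOME/Maildir. Run it as the mailbox owner.
for i in *; do
    # Only regular files can be mbox files; skip subdirectories and the like.
    [ -f "$i" ] || continue
    case "$i" in
        Trash) echo "Skipping Trash file." ;;
        # Create the folder, then unpack the mbox into its cur/ directory.
        *) maildirmake "$HOME/Maildir/.$i" && mbox2mdir "./$i" "$HOME/Maildir/.$i/cur" ;;
    esac
done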

The convertmbox script is gzipped in the URL above. Use gzip -d convertmbox.gz to extract it if getting it from the URL above.

To use this one logs in as root, uses “su - username” to switch to a user, changes to the directory containing mbox style mail files and types /path/to/convertmbox to convert the files. After verifying a successful conversion one may then use “rm -rf mbox_mail_directory” to get rid of the old mbox style files and containing directory.
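The verification step before the “rm -rf” can be scripted. The following is an added example, not part of the original convertmbox tooling: it compares the number of messages in each mbox file with the number of files in the matching maildir folder. The function names and the sample mail data are constructed for illustration, and it assumes the mbox files escape body lines that start with “From ”.

```bash
#!/bin/bash
# Added example: compare per-folder message counts between the old mbox files
# and the converted maildir folders before deleting anything.

# Count messages in an mbox file. Each message starts with a "From " separator
# line (assumption: body lines starting with "From " are stored as ">From ").
count_mbox_msgs() {
    grep -c '^From ' "$1" || true
}

# Count message files in the cur/ and new/ subdirectories of a maildir folder.
count_maildir_msgs() {
    find "$1/cur" "$1/new" -type f 2>/dev/null | wc -l | tr -d ' '
}

# verify_conversion MBOX_DIR MAILDIR_ROOT
# Prints one line per folder and returns 0 only if every count matches.
verify_conversion() {
    local mbox_dir="$1" maildir_root="$2" status=0 f name want got
    for f in "$mbox_dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "$name" = "Trash" ] && continue   # convertmbox skips Trash as well
        want=$(count_mbox_msgs "$f")
        got=$(count_maildir_msgs "$maildir_root/.$name")
        if [ "$want" -eq "$got" ]; then
            echo "OK       $name: $got messages"
        else
            echo "MISMATCH $name: mbox has $want, maildir has $got"
            status=1
        fi
    done
    return $status
}

# Constructed sample data: a "Saved" mbox with two messages and a maildir
# folder holding $2 converted messages, so the check can be tried offline.
make_sample() {
    local root="$1" converted="$2" n=1
    mkdir -p "$root/Mail" "$root/Maildir/.Saved/cur" \
             "$root/Maildir/.Saved/new" "$root/Maildir/.Saved/tmp"
    printf 'From alice@example.com Mon Mar  1 10:00:00 2010\nSubject: one\n\nfirst body\n\n' \
        > "$root/Mail/Saved"
    printf 'From bob@example.com Mon Mar  1 11:00:00 2010\nSubject: two\n\n>From here on it is body text\n\n' \
        >> "$root/Mail/Saved"
    while [ "$n" -le "$converted" ]; do
        echo "Subject: msg $n" > "$root/Maildir/.Saved/cur/msg$n"
        n=$((n + 1))
    done
}

sample=$(mktemp -d)
make_sample "$sample" 2
verify_conversion "$sample/Mail" "$sample/Maildir"
rm -rf "$sample"
```

On a real account the call would be verify_conversion "$HOME/Mail" "$HOME/Maildir", run as the mailbox owner; remove the mbox directory only when it returns 0.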

Testing the system with Squirrelmail following conversion of the user’s mail files showed that the conversion was successful. The old Mail directories were then removed. Then the system was ready to be delivered and placed back in operation following on-site testing to make sure nothing was amiss.


GNU/Linux: Replacing a Dead Router with a Linux System

Earlier today I decided to upgrade the firmware on my SOHO’s Linksys WRT54G v5 router. I usually do such things on the weekends in case something breaks. It is a good thing I waited until the weekend this time. My Linksys WRT54G is now “bricked”. For some unknown reason the firmware update never finished although I waited for over an hour for it to complete. Of course no internet access was happening during this time and I could not get to any web sites to try to discover what I could do to fix the router.

Enter an old Dell Dimension XPS R400 PC that has been gathering dust in the closet. It has an 80GB Western Digital IDE drive, a Startech 10/100 NIC and 192MB of RAM in it. I received this old PC from a client that bought a new, custom built system from my company in October 2007. He no longer needed the Dell and was just going to trash it. Instead I convinced him to let me wipe the drive, install Mandriva 2008 on it and try to sell it on eBay. It did not sell when I listed it. The client did not want it back, so I just stuck it in the IT junk closet with several other old systems and flaky monitors. I decided to make this old Dell PC into my “new” router. Since it already has Mandriva 2008 on it I figured I could use that to get routing going and then upgrade the Mandriva later.

I also have an even older custom built PC that has been running a very old Mandriva for years as a file share and a Hylafax send / receive server. It has been giving drive errors so I knew it was going to need to be repaired soon. Once I decided to use the Dell I figured I would scavenge this old PC for its 3Com 10/100 NIC and its hard drive so I could easily copy the Hylafax settings to the “new” router PC. I began shutting things down and taking apart PC systems. After a bit of dust cleaning, parts rearranging and cable connecting I had the Dell ready to boot up with the 3Com NIC installed as a second NIC and the hard drive from the old Hylafax server in place. A small 5-port Linksys switch is taking the place of the built-in switch on the Linksys WRT54G.

I booted up the Dell and tried to login as root at a CLI “login:” prompt. However, I had forgotten the password. Luckily it has LILO boot loader on it and I know I can reboot with “linux single” on the boot line to get to a root prompt and reset the password for root. This was done and a few minutes later I was in the command line version of Mandriva Control Center (MCC) setting up the network. Then I go to set up “Internet connection sharing” and it keeps failing with an error stating it cannot find a network adapter when I choose the NIC that is connected to the internet in preparation for choosing the NIC that is connected to the LAN.

After scratching my head and thinking about this a bit I have an epiphany. The second NIC is on the internet and is probably configured in the firewall settings as the local network. Sure enough, when I check the settings in /etc/shorewall/interfaces (Shorewall is a set of scripts included in Mandriva to manage the Linux iptables firewall), the second NIC, eth1, is set as loc, meaning it is set to be the local interface for the LAN instead of the WAN interface, called net, for the internet. Changing these around is a matter of a few seconds in ‘vim’. I then restart Shorewall with ‘service shorewall restart’ to reconfigure the iptables settings in memory. Then I can finish configuring “Internet connection sharing”. Once that is done I test sharing from my SOHO desktop PC and find I am back online. Total time from completely down to back online with a Linux system based router - about 3 hours.
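The swapped zones described above can be caught with a quick check that the interface carrying the default route sits in Shorewall’s net zone. This is an added example, not taken from Mandriva or Shorewall; the function names, the addresses and the sample file contents are constructed, and only the first two columns (zone and interface) of the interfaces file are read.

```bash
#!/bin/bash
# Added example: confirm that the NIC holding the default route is assigned
# to Shorewall's "net" zone, the mistake found in the article.

# zone_of IFACE FILE: print the zone assigned to IFACE in an interfaces file.
zone_of() {
    awk -v ifc="$1" '$1 !~ /^#/ && $2 == ifc { print $1; exit }' "$2"
}

# default_iface: read "ip route show" output on stdin and print the device
# named on the default route.
default_iface() {
    awk '$1 == "default" {
             for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
         }'
}

# check_wan_zone INTERFACES_FILE: route table on stdin.
# Returns 0 if the default-route NIC is in zone net, 1 on a mismatch,
# 2 if no default route is present.
check_wan_zone() {
    local wan zone
    wan=$(default_iface)
    [ -n "$wan" ] || { echo "no default route found"; return 2; }
    zone=$(zone_of "$wan" "$1")
    if [ "$zone" = "net" ]; then
        echo "ok: $wan (default route) is in zone net"
    else
        echo "mismatch: $wan carries the default route but is in zone '${zone:-none}'"
        return 1
    fi
}

# Constructed samples mirroring the article: eth1 faces the internet.
sample_routes='default via 203.0.113.1 dev eth1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'

# write_sample_interfaces FILE ZONE_FOR_ETH1 ZONE_FOR_ETH0
write_sample_interfaces() {
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\n%s\teth1\tdetect\n%s\teth0\tdetect\n' \
        "$2" "$3" > "$1"
}

tmp=$(mktemp -d)
write_sample_interfaces "$tmp/before" loc net   # as found: eth1 marked loc
write_sample_interfaces "$tmp/after"  net loc   # after swapping the zones
echo "$sample_routes" | check_wan_zone "$tmp/before" || true
echo "$sample_routes" | check_wan_zone "$tmp/after"
rm -rf "$tmp"
```

On the router itself the equivalent call is ip route show | check_wan_zone /etc/shorewall/interfaces, run before restarting Shorewall.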

Now that I am back online with a “new” Linux / iptables based router my next task will be to set up my port forwards and maybe some QoS (Quality of Service) settings for the company VoIP phone. I know how to do the port forwards but I have no clue how to set up QoS for a service. Time to do some web searching for that QoS stuff.

Edit Sat Jan 23 18:47:20 CST 2010: Fix some typographical errors.


The GNU/Linux “Chicken Little” Syndrome

You know the type. The technical reporter that tries to do something on GNU/Linux, cannot figure it out and thus states to the planet the equivalent of Chicken Little saying, “The sky is falling!”, regarding GNU/Linux. We see them over and over coming back to the same point, “Until ‘Linux’ solves [insert the technical reporter's failure to do something here], it won’t be ready for prime time.” What a crock of compost.

In this case the technical reporter in question is Preston Gralla over at Computerworld Blogs. Specifically his recent article I just finished reading titled, “Installing Firefox 3.6: One more reason Linux isn’t ready for the prime-time mass market”. The problem here is that Mr. Gralla and those like him seem to think it is absolutely necessary to have the latest release of [insert software here] on [insert Linux distribution here], when that is absolutely not the case in the majority of situations.

I run Mandriva 2010 at the moment on my desktop system here at the ERACC Intergalactic Spaceport and Karaoke Bar, otherwise known as my home office. I have been running releases of Mandriva for several years now. At first I too wanted to always have the latest, cutting edge release of every package out there. After a while I came to understand that if Mandriva package maintainers saw that a patch was necessary for an application I run then they would patch the version in the distribution and release the patched version in the update repository. If there were a new version of a software application that had security implications for a desktop user, then after testing the new version it would be included as an update for the life of that desktop release, usually 12 to 18 months. Long term desktop releases would get these updates if needed for their lifetime as well, usually 3 years. Then the next time I install updates I get the patched or new version.

I have come to appreciate and accept this. After all, it is highly unlikely that a zero day exploit would be found that could crack my Mandriva system from a user-space application, like we see happen so often on Microsoft systems. The default security in a GNU/Linux system makes creating a zero day exploit that can “pwn” a GNU/Linux desktop system slightly less difficult than a single person being the first to find the next Mersenne Prime[1][2] with pencil, paper and an abacus. Is it possible? Maybe, by a long shot. Is it likely? Not really. As a result, I can just be patient and wait for the new or patched software to appear in my update list. If I really want to be on the cutting edge, along with all the problems that may imply, I can install Mandriva’s Cooker version. This is the untested, it may break, it may slap you around with a large trout, developer version of Mandriva. Not recommended for the faint of heart and those who like their system to “just work”. Or I can go with a distribution like Gentoo Linux.

Honestly, I do not really want to be on the cutting edge. I want stable, known to be working with my distribution, software packages. For that I can wait for the updates or the next major Mandriva release. Regarding Firefox versions, I just updated to Firefox 3.5.7 a week or two ago using Mandriva’s updates. I do not see a pressing need to get Firefox 3.6 Right Now. I can wait for it. Mr. Gralla and his ilk can too, once they figure out how this GNU/Linux thing really works. Of course they can also stick with Microsoft and keep getting “pwned” with web based drive-by exploits that take advantage of Microsoft’s poor design decisions.


GNU/Linux: rdesktop - Working on a Windows Based PC Remotely

Time does pass quickly. I just realized it has been over two months since I had time to write an article here. I finally found something new I want to write about, so I am taking time to do that now. Please feel free to leave a comment.

Today I am working to finish setting back up a Microsoft XP Professional based Dell Optiplex 755 system for one of my local clients. It had a dinked-up Windows Registry and needed to have a fresh install done. This model does not include PS/2 mouse and keyboard ports. When I took this system in on Friday I did not realize I have no available USB optical mouse to use. Nor do I have a PS/2 to USB adapter on hand. While this will be corrected in the future, the only USB mouse I have on hand is a small Belkin mouse for use with a laptop. This mouse uses a ball instead of optics to move the pointer and it has a very short cord. A USB extension cable solved the short cord problem. This would be a good solution if the mouse were not worn out from use causing the pointer to not be easy to move all the time. As a result, to say I hate using this mouse is an understatement. During the reinstall of XP Professional on this PC I finally got to the point where I had to do something to relieve the pain.

When I originally worked on the systems for this client I set up TightVNC on all the systems at the location. Then, using non-standard ports, I configured their router for remote access to be able to support these systems remotely using the Java based web connector in TightVNC from my Firefox web browser. This works wonderfully for all the systems at the location … except for this #@$% Dell Optiplex 755. For some reason TightVNC would never receive a remote connection on this system. I tried over and over to get it working but never was able to resolve the problem. However, in reinstalling the system I had hopes that TightVNC would now work so I would not have to use this awful mouse to finish setting up the system. Unfortunately, even after a wipe and reinstall of Microsoft XP Professional TightVNC will not make a connection. At this point I suspect it may have something to do with the Intel video built-in on the motherboard. Apparently the Microsoft Windows driver for this Intel video chip is incompatible with TightVNC. It is rare that TightVNC will not work, but it does happen. However, I still needed a way to connect to this PC for remote support as well as to end my scroll-mouse pain trying to set it up using this horrid, worn out Belkin mouse.

Suddenly, as if a light from Heaven illuminated my head, I recalled there is another tool for remote access to Microsoft Windows based computers. I could not remember the name so I did a quick web search. Sure enough I found references to ‘rdesktop’ for connection to Microsoft based Remote Desktop Protocol (RDP) servers from Unix and GNU/Linux. A check of the installed packages on my Mandriva 2010 PC found that rdesktop was already installed and waiting for me to use. I checked the rdesktop manual page (man rdesktop) to see how it works. Following that I set up remote desktop support on the Microsoft XP Professional PC. Then I used the following line to connect to the Microsoft XP Professional PC:

rdesktop -a 16 -u MSUSER -p MSPASS -g 1024x768 REMOTEIP:REMOTEPORT

Success! It worked! Not that I had doubts it would work … okay, I admit I did have some doubt. After the TightVNC problem I was concerned that no remote access would work on this PC. Fortunately for me I was wrong.

I will explain what that rdesktop line above does. The “-a 16” specifically sets the color depth to 16 bpp for the connection. One may use 8, 15, 16 or 24 bpp for the color depth. I tried 24 bpp but received a message from rdesktop that it was not supported in this instance. The “-u MSUSER -p MSPASS” passes the Microsoft user login name and password for that user to rdesktop to send to the RDP server on the Microsoft PC. This bypasses the login prompt one would otherwise have to use. The “-g 1024x768” sets the local rdesktop window geometry to 1024 width by 768 height. The “REMOTEIP:REMOTEPORT” in this case are 10.10.10.101:3389, which are the values for the system while connected to my LAN. One may leave off the port number of 3389 as that is the default port. However, I am going to be using this over the internet with a non-standard port so I am practicing including the port now to ingrain it in my memory.
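The command line above carries the password in rdesktop's argument list, where other local users can read it with tools like ps and where it is saved in shell history. The rdesktop manual page documents “-p -” to make rdesktop ask for the password on standard input instead. The following is an added example, not part of the original article; the helper names rdp_argv and rdp_connect are hypothetical, and the allowed color depths are the ones the article lists.

```shell
#!/bin/sh
# Added example, not from the article. rdp_argv and rdp_connect are
# hypothetical helper names. The rdesktop options are the ones the article
# uses, except that "-p -" (password from standard input) replaces the
# literal password.

# rdp_argv USER HOST [PORT] [DEPTH] [GEOMETRY]
# Validates each value, then prints the resulting rdesktop command line.
# Returns 2 on a bad value so a typo never reaches rdesktop.
# The validated values stay in shell variables for rdp_connect to use.
rdp_argv() {
    user=$1 host=$2 port=${3:-3389} depth=${4:-16} geom=${5:-1024x768}

    # A leading "-" would be parsed as an option, so it is refused.
    case $user in
        ''|-*|*[!A-Za-z0-9._@-]*) echo "bad user name" >&2; return 2 ;;
    esac
    case $host in
        ''|-*|*[!A-Za-z0-9.-]*) echo "bad host" >&2; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port" >&2; return 2
    fi
    # Color depths listed in the article: 8, 15, 16 or 24 bpp.
    case $depth in
        8|15|16|24) ;;
        *) echo "bad color depth" >&2; return 2 ;;
    esac
    # WIDTHxHEIGHT with an ASCII "x"; a typographic multiplication sign
    # pasted from a web page is rejected here.
    case $geom in
        *[!0-9x]*|x*|*x|*x*x*) echo "bad geometry" >&2; return 2 ;;
        *x*) ;;
        *) echo "bad geometry" >&2; return 2 ;;
    esac

    printf 'rdesktop -a %s -u %s -p - -g %s %s:%s\n' \
        "$depth" "$user" "$geom" "$host" "$port"
}

# rdp_connect USER HOST [PORT] [DEPTH] [GEOMETRY]
# Runs rdesktop with the validated values. With "-p -" rdesktop itself
# asks for the password at startup, so the password is neither in the
# process list nor in the shell history.
rdp_connect() {
    rdp_argv "$@" >/dev/null || return $?
    rdesktop -a "$depth" -u "$user" -p - -g "$geom" "$host:$port"
}

# Show the command line for the LAN values given in the article.
rdp_argv MSUSER 10.10.10.101 3389
```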

Below is a screen shot showing this working on my system:

[Screen shot: XP Pro in rdesktop at ERACC]

Now I have a new, to me, tool to use to support my clients that insist on running Microsoft operating systems. After about ten years of looking into and using GNU/Linux for my own use I have not found a thing that I need to do that I cannot do using GNU/Linux. I expect over the next ten to twenty years more and more people will discover the same results with GNU/Linux for themselves. I look forward to watching that happen.


Merry Christmas and a Happy New Year

We pray for you a Merry Christmas and a Happy New Year from all of us at ERA Computers & Consulting.


GNU/Linux: Virtualbox for solving a common small business problem.

We have all heard the GNU/Linux naysayers posit that, “No one will use Linux until (insert application name here) runs natively on Linux.” Other than the fact that this is almost pure hyperbole there is some kernel of truth there. This article demonstrates one solution.

Many small business owners may want to move to Linux for any number of reasons. A large number of them hold back because their business relies on Windows XP Pro or Vista Business to run QuickBooks with Payroll, which has no strong Linux equivalent. Sure, there are accounting applications with Payroll available for GNU/Linux but most accountants that support small businesses only know QuickBooks. To be able to use these accountants the small business owner must use QuickBooks. Running QuickBooks in WINE is not always the best answer as that has its own set of drawbacks.

Adding to this problem, many small businesses are very small businesses and may only need one computer for the entire business. This one computer must be used for web browsing and e-mail reading, both of which are major inroads for malware on Microsoft systems. Yet the PC is also used for the accounting of the small business. Accounting data has a great deal of information that may be useful to criminals. However, malware is rife on Microsoft based systems, which makes the safety of any accounting data on a single multi-use Microsoft PC problematic. What is the FOSS loving small business owner to do? Enter Virtualbox for GNU/Linux to the rescue.

I have just such a client that faced this same dilemma a couple of years ago when deciding to get a computer from my company for his small, family owned business. The fellow is a GNU/Linux user at his home but found that he needed to use QuickBooks at the business so his long-time accountant could “do her thing” as she is one of the QuickBooks accountants I mention above. This computer at the business also had to handle e-mail and web browsing safely. This gentleman did not want to risk his accounting data on a Microsoft based PC that was multi-tasked with e-mail and web browsing. Yet he had to have all of those on his one office computer.

I sat down with him and went over his options. After talking it over for a few days he decided to go with a new computer preloaded with the Mandriva Linux distribution like he used at home. Why? Because I had explained to him we could solve his problem by running a real Microsoft OS in a virtual machine on Linux. At the time all I knew how to use was VMware. So, I set him up with VMware on his new GNU/Linux system and he bought a Microsoft OEM CD and license for XP Professional to install in the virtual machine. I installed and set up the XP Professional in the VM and got his QuickBooks set up to save backups to a shared directory on his office system that would be transferred via rsync to his home GNU/Linux system for a daily backup of his important accounting data. He could web browse and e-mail to his heart’s content on his GNU/Linux desktop without fear of infecting his XP Professional that was running his QuickBooks in a virtual machine in a window on his desktop. Printing was (and is) handled by a Samsung small business network laser printer that works with both GNU/Linux and Microsoft systems.

This worked great until the first time I ran an update for him where Mandriva update installed a new kernel. After the reboot … bye bye virtual machine. I had to reinstall VMware and ran into a problem with the kernel headers that I had to fix by hand. This was not good. I was able to get him working again but it took more time and cost him more in support fees than it should have. I began to look for an alternative to VMware and found Virtualbox.

I discovered that Virtualbox is open source and can be distributed with GNU/Linux as opposed to VMware which is not open source and cannot be so distributed. We had a planned upgrade of his GNU/Linux to Mandriva 2009.1 this past Spring. This was the time designated to switch his virtual machine tasks to Virtualbox. Of course there is no easy way to migrate a VMware setup to Virtualbox. Following the upgrade of Mandriva I did a fresh install of his XP Professional in Virtualbox, reinstalled his QuickBooks and recovered his accounting data from the latest backup file on the shared directory. This has been working well ever since.

So, if you are a FOSS loving small business owner that must have QuickBooks for your accountant, check out GNU/Linux with Virtualbox running a real Microsoft OS. While this is not getting completely away from Microsoft, which may be your goal, it is a step in the right direction. In the future maybe Intuit will see the light and develop QuickBooks for the GNU/Linux desktop as well. Or maybe accountants will learn to use FOSS accounting software and save Intuit the trouble of having to make QuickBooks on GNU/Linux for everyone to buy.


GNU/Linux Security: Linux House vs Microsoft House

This is the second article in my series about GNU/Linux security for the GNU/Linux curious and new GNU/Linux user. The first article is here: GNU/Linux Security: Ubuntu has been Cracked!

There are many attempts to explain the differences between GNU/Linux and Microsoft products when it comes to security. In this article I am going to make yet another attempt. I want to make this as simple as I can for the non-technical users out there. Especially those that are using Microsoft products and cannot conceive of anything that is more secure by default. If you are a technogeek god then ignore the fact that the explanations here are very simple. If you, in your great geekness, want to expound further then feel free to post a comment.

At base the Microsoft products all go back to a core that is built on the MS-DOS concept of a single task, on a single computer for a single user. There is little need to be concerned about security with such a design. This is a fine concept if one never attempts to use such a system for anything other than a single task, on a single computer for a single user. But that is not what Microsoft has done. The Microsoft products simply kept that single user, single computer base technology and added on multi-tasking (Running many programs at one time.) and networking (Connecting many computers together for sharing data, printers and so on.) Later multi-user capability (More than one user on a computer at the same time.) was added on top of this single user, single tasking core. Granted the multi-user capability is not really present in Microsoft desktop products, so we can ignore the fact that one may create multiple user accounts on a modern Microsoft based desktop system. I will call the Microsoft model a one-one-one model. (See comment #15 below from “paul”, he explains what I mean here better than I have myself.)

The problem with adding on these multi-tasking, networking and multi-user capabilities to the Microsoft one-one-one products is that there appears to originally have been no concern for securing these systems. The security concern only began once people began to see systems being cracked and exploited “in the wild”. However, there was a serious problem with securing these systems. To correctly raise the security bar for Microsoft systems “out of the box” the core of the operating system should have been redesigned from scratch. The backwards compatibility that has its roots in that single task, single user, single computer model would have to go away at some point. Apparently the high and mighty Muckity Mucks at Microsoft made an executive decision to not do that, ever. So, today we have Microsoft Windows 7 released and containing roots going back to that insecure one-one-one operating system design.

How is GNU/Linux different? A GNU/Linux desktop system is designed from the ground up along the Unix model of multiple tasks with multiple users among multiple computers on a network. I will call this a many-many-many design. As such the basic design also includes consideration for securing the operating system and data on same when many users may have access to the same system simultaneously. Therefore, when a GNU/Linux computer is taken out of the box for the first time it already has a higher security capability. This is because of the many-many-many design that included consideration for security from the beginning.

How does this apply in a real world scenario? Okay, because of the original flawed design decisions by Microsoft many third party software packages require that a user be running as a system administrator with full access rights to the computer, including to system files. So, by default when one pulls out a new computer with a Microsoft system installed the users are created as “administrator” users. This is a problem because now this administrator user can browse to an infected web page and see a pop-up with an “anti-virus” warning. Then our poor user will click the close button on the pop-up and become infested with “Antivirus 2010″ or other fake anti-virus program that at minimum is irritating but may also have broader security implications by then installing other malware (Malicious Software) that can steal personal information. Because the user is an administrator with full access to the operating system’s files the malware that starts from the web page also has full administrator access and can install itself with impunity.

How can I blame Microsoft for these third party software packages and/or users being set up as administrators? Why not blame these third party software designers? Well, I do blame poorly written software that requires administrator access to work correctly. But I also blame Microsoft. Because Microsoft made the poor decision to stay with their one-one-one design and just “improve” it. At first the only way for any software to work correctly with these “improvements” was to have administrator access. Over the years this has changed, but rewriting all software to these new, more secure specifications is a slow and expensive process for the software companies involved. Microsoft should have scrapped that one-one-one model and redesigned the core operating system from scratch. That redesign should have looked something like Unix … or like GNU/Linux.

The GNU/Linux many-many-many system on the other hand works just fine when a plain user who is not an administrator uses programs on it. So, no software run by the user can affect system files. Further, no software on GNU/Linux is designed to automatically allow software to run from a web browser or e-mail application without the user’s knowledge. No open source developers I know are silly enough to think having such “capabilities” is a good idea. So, when our dear user browses to an infected web site and sees a pop-up about an anti-virus infection she can safely close that pop-up without worrying that an infection will occur in the background that will take over her computer. It is very unlikely that a web based malware script written with GNU/Linux as the target could find a way to even infect the user’s home directory. Why? Well, software that is downloaded from a browser instance is not set as executable. So, even if a browser could be made to download a file without the user knowing it the user would have to make changes to the file permissions to make it executable. There are no .EXE, .COM, .BAT or other files on GNU/Linux that can be run just because of their file extension. A file has to be a compiled application or a script and be set as executable before it will run. This automatically makes it much more difficult to infect a GNU/Linux system behind the user’s back. The effort required is much greater than with Microsoft based systems where the file extension makes the application or script able to be run.

I created a script and uploaded it to my web site to demonstrate this. Here is what a “ls -l” file listing of that script looks like when first downloaded:

-rw-r--r-- 1 gene users 73 2009-10-23 22:28 a_script_for_you

See that “-rw-r--r--”? That means the owner of the file, the “gene” shown after the “1”, can read it and write to it but not execute it, “rw-”. The group, the “users” shown following “gene”, and everyone else, not shown but implied, can read but not write and not execute the script, “r--r--”. The dashes are placeholders for the bits that allow writing, “w”, and executing, “x”, of files. Now I will change the permissions on the script by hand and run it:

[gene@era4 ~]$ chmod 700 a_script_for_you
[gene@era4 ~]$ ./a_script_for_you
I can only run if you use the command ‘chmod 700 ./a_script_for_you’ or similar!

See? I had to explicitly intervene to make that script run. I would have to do the same if I downloaded a program from a web site. Browsers on GNU/Linux have no ability to change the script to be executable on my system without my knowledge. I have to be involved in the process, so I have to be convinced that making this program or script executable is a good idea. If this script comes from the “Joe’s Bar and Grill” web site and purports to be an upgrade for Firefox I am going to be very suspicious about making it where it will run on my computer. So should you. Social engineering attacks, where the bad guys convince a user to do something stupid, can still occur with GNU/Linux. So beware and be informed about those. But automated attacks that get system level malware installed through the browser or through e-mail are quite impossible on GNU/Linux.
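The permission change described above can be reproduced in a scratch directory. This added example is not the article's script or session: it recreates a file with the article's file name, and the helper function names are made up for the illustration. It also shows two things worth checking on your own system: the execute bit only gates direct execution, so handing the file to an interpreter (sh file) still runs it, and a download directory can be scanned for files that do carry an execute bit.

```shell
#!/bin/sh
# Added example, not from the article. The file name follows the article;
# the directory is a throwaway created by mktemp, and the function names
# are hypothetical.

# mode_of FILE -> the ten-character mode string that "ls -l" shows.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# simulate_download DIR -> saves a small script the way a browser saves
# any file: created as 0666 and filtered through the umask, so no
# execute bit is set. Prints the path of the new file.
simulate_download() {
    ( umask 022
      printf '%s\n' '#!/bin/sh' 'echo "I ran"' > "$1/a_script_for_you" )
    printf '%s\n' "$1/a_script_for_you"
}

# exec_status FILE -> exit status of running FILE directly.
# 126 means the shell found the file but was not allowed to execute it.
exec_status() {
    "$1" >/dev/null 2>&1 && rc=0 || rc=$?
    printf '%s\n' "$rc"
}

# interpreter_status FILE -> exit status of "sh FILE". The interpreter
# only reads the file, so the execute bit is not consulted.
interpreter_status() {
    sh "$1" >/dev/null 2>&1 && rc=0 || rc=$?
    printf '%s\n' "$rc"
}

# list_executables DIR -> regular files under DIR with any execute bit
# set (owner, group or other), one per line.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

demo() {
    dir=$(mktemp -d) || return 1
    f=$(simulate_download "$dir")
    echo "as saved:    $(mode_of "$f")  direct=$(exec_status "$f")  via sh=$(interpreter_status "$f")"
    echo "flagged:     $(list_executables "$dir" | wc -l) file(s)"
    chmod 700 "$f"
    echo "after chmod: $(mode_of "$f")  direct=$(exec_status "$f")"
    echo "flagged:     $(list_executables "$dir" | wc -l) file(s)"
    rm -rf "$dir"
}

demo
```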

This brings me to my illustration of the Linux House versus the Microsoft House. The Linux House is built with bullet-proof windows that are closed and locked. There are thick steel bar grills over all the windows. The Linux House has thick concrete walls, roof and floors. The Linux House has thick solid steel, bunker doors that bolt at both sides, the top and the bottom. Any thief that wants to get in and steal your family heirlooms is going to have to have some serious means of breaking and entering, like a bazooka or a tank. Yet all the security of the Linux House is behind beautiful and functional facades and the typical resident can be blissfully unaware of it most of the time. On the other hand the Microsoft House is pretty much like your house you live in now. It is quite adequate for day to day living but it is no serious impediment to a thief that wants to get in and steal your jewelry. It has plain old Windows. The thief can pretty much just break those Windows and climb in at will. You see, plain old Windows are no real way to stop a thief.

Can Microsoft operating systems be secured? Yes, they can, up to a point. But the starting point to secure Microsoft operating systems is far lower than the starting point for GNU/Linux systems. However, the flawed original design of Microsoft operating systems that underlies all modern versions of Microsoft operating systems keeps them more amenable to attack even when as locked down as possible. Of course, in reality, the only truly secure computer is one that is never used, by anyone. But then again, no one is going to spend money on a computer that cannot be used.

Any of you serious security types that want to share more information about GNU/Linux and its security by design model or have better illustrations than mine, please leave a comment.


GNU/Linux Security: Ubuntu has been Cracked!

[Notice: If you do not like the title, read the article anyway. Otherwise, there is no point in sending me a comment as I will not post comments that state something like, "Your title suxxors! I refused to read your article after I read the first paragraph! You're just trying to boost traffic to your site! You're lame!!" Do you also go around judging books by their covers? :) ]

Okay, I admit I created that title just to get your attention. It worked, you’re here. What is the reason for such a provocative title? Other than the obvious tabloid hook, I want to explore the future of GNU/Linux. You know, the time in the near future when “Once ‘Linux’ is (as|more) popular (as|than) ‘Windows’ it will start getting all those viruses too.”

First off, the problem with that statement is that there is no single homogeneous ‘Linux’ to be attacked, meaning GNU/Linux of course, as there is a single ‘Windows’ to be attacked. There are several hundred distributions of GNU/Linux all with differing release versions of software and underlying software libraries. The very heterogeneous nature of the GNU/Linux ecosystem makes creating a far reaching automatic malware attack difficult to unlikely. While one may find a way to automatically attack a large user base of a single distribution, like that of Ubuntu, the attack will not likely work across all or even most other GNU/Linux distributions due to the diverse nature of the versions of included software.

Calls from people without and within the FLOSS community to create a “single Linux” or to standardise all distributions are a danger to the security that is inherent in the healthy heterogeneity of GNU/Linux. No, I do not mean “security through obscurity”, I mean security through diversity. Part of the problem with the Microsoft install base is that the Microsoft systems in use are all very similar. An automated attack that works on one of them will more than likely work on most of them. If there ever becomes a single GNU/Linux that contains 80% or more of the market then GNU/Linux will be less secure as a result. (See my correction for the previous sentence in comment #25.) In such a future a theoretical automated attack that could infect one GNU/Linux system would have far reaching consequences. Just as the malware that affects Microsoft systems has today.

We all know the weakest security link in a system is the user. I predict that social engineering attacks will be the most prevalent method of attempting to subvert GNU/Linux users. Even today a naive user running GNU/Linux could still be subverted with a phishing scam. However, since GNU/Linux has traditional Unix privilege separation an automated attack that can take over the computer from an unprivileged user login becomes much more difficult. Under traditional Unix privilege separation a non-root (“root” equals “administrator”), unprivileged user cannot change the system files. Could one overcome this privilege separation? Perhaps on a single distribution one could if one put enough time and effort into it at the time a security flaw that allows privilege escalation[1] is first discovered. But the chance of making such an attack work across the huge, diverse GNU/Linux ecosystem would be near to zero. That is, as long as GNU/Linux remains a diverse ecosystem.

What about the users that do not ever update their systems? Yes, this will still be a problem under GNU/Linux in the future of its World Dominance. There will always be users that do not update their systems either through apathy or ignorance. Any update that requires user intervention is unlikely to be installed by these users. Automated updates that are on by default can do much to overcome this problem. There are problems with automated updates too though. In some cases an automated update may cause a system problem. For example an update to the X windowing system that includes a new 3D driver may cause the GUI to not work on some systems. Should a problem like this affect a huge user base it would be a PR disaster. So, turning on automated updates by default is not encouraged in most cases.

What is the answer to the apathetic user problem? I do not have it. Some people just do not care about the security processes they need to know to be secure. There is no way to make them care unless they actually end up with a malware infection. Of course at that point these people are more likely to blame the operating system or the malware authors than themselves.

We can address the ignorant user problem though. Just because a user is ignorant does not mean the user is “stupid”. Almost all users that fall in the ignorant category can be taught to protect themselves if they have an opportunity to learn good security processes and know they need to learn them. A local Linux User Group (LUG) can be an excellent source of training for our world full of future GNU/Linux users. If you do not have a LUG near you, then start one. Once you have, or discover, a local LUG then occasionally offer a Security Process Training Day through your LUG that covers the basics of what users need to know to keep their GNU/Linux systems secure and happy. Then encourage everyone you know that uses GNU/Linux near you to attend. You may even be able to get “free” advertising through local media outlets for a non-profit LUG.

The Bottom Line: We in the GNU/Linux community need to be proactive with our family, friends and neighbours that decide to use a GNU/Linux distribution. Since most of us already know and practice good security processes we can pass along our knowledge to the new user that may be ignorant but is willing to learn. For any user we run across that is apathetic about security we can encourage them to stick with Microsoft. After all, the apathetic users are already a drag on the Microsoft user base, let’s not encourage them to bring their problems to our platform. Am I blaming these users? Yes, I am in the case of apathy. Sometimes the blame falls squarely in the lap of the user. Apathy about security is one of those “sometimes”.

[1] Privilege escalation attacks take advantage of a flaw in a system level service that may be running with higher level privilege than a regular user. Exploiting the flaw gives the attacker a higher level of access which may allow compromising the operating system itself. These types of flaws can be found in any operating system at any time. GNU/Linux is no exception.

Read the next article in this series: GNU/Linux Security: Linux House vs Microsoft House


Edit Tue Oct 20 13:01:16 CDT 2009: Change “blatant deception” to “provocative title” in the first paragraph. I think some folks are imploding after seeing the words “blatant deception”. :)
