That Blair Guy's Stuff

From the “So I can find it again” department…

Setting Up an Ubuntu Subversion Server

A friend just got her computer back from “the computer doctor.” Evidently it had been compromised with a root kit (the really nasty sort of software that runs at such a low-level your anti-virus software can’t see it). She uses three different anti-malware tools and was quite surprised that none of them caught it.

The problem with anti-virus software is it can only protect you against problems that are already known. The bad guys are constantly looking for new ways to attack your computer and the anti-virus programs are playing catch up. I’m not saying don’t use anti-virus software (the free version of Avast has saved me several times), just don’t count on it as your only defense.

So, is there any 100% guaranteed way to stop malware? Well, you could always unplug your computer from the Internet and never use it to access any USB drives or CDs, but that’s not exactly practical. And if you do stay online, even visiting only “known safe” sites doesn’t help much, since even legit sites get compromised on occasion.

But there are a few things you can do to help your odds. None of these approaches is 100% guaranteed to keep you safe, but they should help.

The Basics

This is “the usual stuff” you hear any time someone talks about how to stay safe online. It seems obvious, and yet it bears repeating because it’s easy to get careless:

• Don’t open attachments you weren’t expecting, not even from people you know and trust. Maybe that attachment from your friend Bob really is the really important document the email says, but if you weren’t expecting it, you have no way of knowing.
• Be skeptical of clicking links in unexpected emails. Your bank isn’t going to tell you to click a link to verify your account information. (If something like this ever does turn out to be legit, you need to change banks.)
• Don’t download pirated software. Aside from the legal issues, pirated software frequently contains malware.

Slightly more Difficult

Beyond the basics, there are a few other things that are easy enough to do, but don’t always make it into the “How to stay safe” discussions. Most attacks against your computer are targeting the applications you run, not the operating system. (Running Windows isn’t as risky as reading a PDF file with Acrobat reader.)

• Use a browser other than Internet Explorer. Microsoft’s made a lot of progress with the safety of Internet Explorer over the past few years. But even though IE recently dropped below 50% of the total browser market, it’s still the single most popular browser out there and therefore the one most likely to be targeted in online attacks.
• Keep your system up to date. Not just the Windows/Mac/Whatever Operating System patches, but also the software you use. Use Microsoft Update instead of Windows Update to get patches for Office. Install Secunia’s Personal Software Inspector tool to find out what other software on your computer is out of date.
• Uninstall software you don’t use. The more programs you have, the more likely you are to have something which has security problems. Bonus: You also save disk space!
• Run “alternate” software. The more widely-used a given program is, the more tempting a target it becomes for the bad guys. Instead of Acrobat Reader, use Foxit Reader. Instead of Microsoft Office, use Libre Office (fully compatible documents, but also available for free.)
• Uninstall Java. Most home users don’t need it, and older versions were not only laden with security problems, but the updates didn’t remove the older versions.
• Don’t run as the Administrator. When you set up your computer, reserve the main account for software installations and the like. Create a second, less-privileged login ID for day to day tasks.

Security journalist Brian Krebs talks a bit more about keeping software up to date and what to install or delete in his: 3 Basic Rules for Online Safety

Going for the Gusto

Wanna go really hard-core?

• Uninstall Flash (or install a flash blocker so that you have to approve any Flash scripts that run).
• Install NoScript (same idea).
• Don’t do any online banking with a Windows machine, use a Linux live CD instead. (For a business, I’d consider this one an absolute must.)
• Use a third-party DNS provider. Both Open DNS and Google Public DNS provide a facility where you change a couple system settings and if you then attempt to access a site which serves up malware, they’ll block the connection.

The Takeaway

There are no magic bullets. None of these suggestions will provide absolute protection for all users. What might be overkill for one person’s situation might not be nearly enough protection for another. But by choosing the practices which make the most sense for you personally, you can tilt the odds a bit more in your favor.

Bonus Reading: Get a Mac/Switch to Linux

In most discussions of online security, someone inevitably replies “Get a Mac!’ or “Switch to Linux.” It’s a bit like going to a concert and someone yelling, “Play Freebird.” It’s a wonderful song, and a few groups have done great covers in response, but it’s not always the best fit.

But if the suggestion is inevitable, I may as well be the one to make it and bring up some of the tradeoffs.

Switching to a Mac may actually make sense for some folks, but don’t make the switch thinking you’ll be invincible. At the annual CanSecWest security conference, there’s a “Pwn2Own” contest where security professionals attempt to break into computers running the latest versions of the Mac OS, Windows and Linux. The first one to succeed, wins the computer. Every year, the Mac is the first system compromised.

Now that’s what happens at a security conference. Macs are less common than Windows computers; so the bad guys have to work harder to find them. It’s much easier to attack the more common computers.

But malware targeting Macs has been cropping up too.

Other concerns with switching to a Mac:

• You’ll have to buy all your software again. Assuming a Mac version even exists. Otherwise, you might have to look for an equivalent program.
• Despite the marketing pitch, a Mac doesn’t always “just work.” Just two weeks ago a co-worker returned a Mac Notebook that was downloading over his WiFi at just 1/10 the speed of Windows computer. (Apple’s support wasn’t able to resolve the problem.)
• You may encounter problems with incompatible file formats when sharing files with people who use Windows. Particularly if the programs you were using on Windows aren’t available for Mac and you had to switch to something else.

Linux tends to be the most secure OS of all (as noted earlier, most of the problems these days are the software you run on top of it). The main downfalls of Linux are:

• Availability. Yes, it’s free to get a copy, but you still have to find where to download it, burn a CD, and install it. Although this is getting easier, it’s still not a set of tasks the average home user will be comfortable with.
• Commercial software. Few software vendors on Windows or Mac have Linux versions of their software. Some do, but most do not. You’ll generally have to find an open source equivalent, and then work out how to share files with others who are on Windows or Mac.

After converting the PogoPlug to run arbitrary programs, I was able to install subversion and manually run svnserve as a daemon (it’s in the manual, just run “svnserve -d”), but having to remember to do that after every boot is a nuisance.

A Google search for install svnserve as a daemon turned up instructions for setting up svnserve on Ubuntu, as well as a few scripts.  Obviously PlugBox Linux isn’t Ubuntu, but it was a step in the right direction.  Installing httpd during the initial PogoPlug hack had already introduced me to the /etc folder, the rc.conf file, and the rc.d subfolder.

Poking around in rc.d, I discovered the httpd startup script.  So now I knew where my svnserve script needed to go.  The Ubuntu setup instructions included several helpful bash scripts in the comments, my next step was to run “view httpd” and verify that it was also a bash script.  Knowing that, I could just use the new script verbatim.

Then I listed the files in /etc/rc.d and discovered that one of them was named svnserve.  Sonuvagun, the svn package included a script!

So in the end, all I had to do was go to /etc and edit rc.conf.  The very last line in the file is DAEMONS=(…..).  All I had to do was add svnserve to the list.

Well… that was actually the next to last thing.

After rebooting (“shutdown -r now”), TortoiseSVN would connect to the svn server, but it couldn’t find my repository at svn://plugbox/test.  I’d forgotten that by default, svnserve serves up repositories in any directory on the entire machine.  My test repository was now located at svn://plugbox/media/external_drive/Subversion/test.

To go back to a short URL, I went to /etc/conf.d,  edited svnserve, and set

SVNSERVE_ARGS=”-r /media/external_drive/Subversion/”

Next I ran

/etc/rc.d/svnserve stop

followed by

/etc/rc.d/svnserve start

and voila! My repository was back at svn://plugbox/test

I’ve had a PogoPlug for a little more than a year.

The pluses to the device are:

• It’s an easy way for a home user to convert old drives into network attached storage
• You can access your files from anywhere you have an internet connection.
• Drives connected to the device appear as local drives (even across the internet).
• It can convert video files to play on (supposedly) any device.

There are some down sides too:

• The video conversion is slow (not completely unexpected with a low-power, always-on device)
• The client software requires a new login after every boot.
• The attached drive sometimes “disappears” until you tell the software to “reload” it.
• My experience with the Android application has been that it’s a bit flaky.

All in all, it’s an interesting device and I can definitely see where home users might find it useful if they’re comfortable with the fact that you need to login via a third-party service (the My PogoPlug service), even when you’re accessing it a home.  (If Cloud Engines ever goes out of business, PogoPlug owners may find themselves with an unusable device.)

Part of my reason for acquiring the PogoPlug in the first place was that it seemed like a potentially inexpensive way to accomplish a few things on my home network:

1. File sharing between my various computers.
2. Running a private web server I could access without switching the main computer on.
3. Running a private subversion server.

Goal 1 was easy enough to accomplish straight out of the box.  Goals 2 and 3 were going to take some work.

When I finally decided to hack the PogoPlug, a Google search led me to LifeHacker’s tutorial on turning the device into a “Full-Featured Linux Web Server.”  It was a good starting place, but in the end I decided to follow the source instructions from PlugApps.com.   (CAUTION: As it says on the PlugApps instructions, hacking your PogoPlug will void the warranty.)

My initial install was onto a 4GB SanDisk Cruzer flash drive.  The initial reboot came up fine, but later boots tended to come back to PogoPlug Linux,  which after the first steps of the install would no longer connect to the MyPogoPlug service. If I manually mounted and mounted the thumb drive  before running /sbin/reboot, that would take me over to PlugBox Linux, but going through those steps repeatedly is a pain.  I reran the install for PlugBox Linux using a no-name 16GB drive and it’s been working reliably ever since  (I love that storage has become so cheap that I had a 16GB drive “just laying around”).

To accomplish Goal #1 (file sharing), I installed Samba.  It works like a champ and I’ve been able to back to doing my backups to a network drive.

To accomplish Goal #2 (private web sever), LifeHacker’s instructions did the job.  By default, the web site is served out of /srv/http, and there’s also an ftp site in /srv/ftp.

Goal #3 took some guesswork. I didn’t see any mention of Subversion on PlugApps, but I made a guess and ran  pacman -Sy subversion.  I haven’t got around to setting up svnserve to run as a daemon at boot time, but it’s running right now.  (Getting it set up as a daemon will require putting a script in /etc/rc.d/ and adding it to the list of daemons at the end of /etc/rc.conf.)

So mission accomplished.  Not bad for a $100 device.

Choosing to go from 32-bit Vista to 64-bit Windows 7, also meant choosing to do a “custom” installation of Windows. Meaning that I have to reinstall all my programs.

Still more to be added over the next few days, but here’s what I’ve got so far.

The List:

General Computing

• Open Office – compatible with MS Office
• Mozy Home Unlimited (paid version) – after a horrendous support experience this summer, I’m not as big a fan of this company as I used to be, but I do like the concept of automatic offsite backups.
• Avast! Anti-virus – free alternative to the various paid security suites. (The main deterrent to malware is still a healthy degree of skepticism when clicking links.)
• Foxit Reader – alternative PDF reader
• VLC media player – plays dang near everything in terms of video or audio, and doesn’t bring unwanted baggage.
• Paint.Net – Image editor.
• 7-Zip – Fairly universal archive/extract tool. Even opens ISO files!
• InfraRecorder – Burn CDs and DVDs
• Picasa – photo management.
• VMWare Workstation – For software I don’t trust, for experimenting with other software environments (e.g. Linux), and other situations where my primary computer isn’t the best choice.

Internet Tools

• Firefox – Web Browser
  • Firebug – Debugging tool for use with Firrefox.
• Thunderbird – because I like desktop email
• Putty – Client for Telnet, SSH and FTP, plus it’s scriptable. (I’m not sure where to find this anymore.)
• Chrome – Web Browser from Google.
• Adobe Flash Player
• FileZilla – Both regular and Secure FTP.

Developer Tools

• Visual Studio (Commercial version, but a free “Express” edition is also available).
• Subversion – Source code version control
• TortoiseSVN – Graphical User Interface for Subversion
• Notepad ++ – Semi-replacement for Windows Notepad.
• Microsoft Access – Because I haven’t moved everything to mySQL yet.
• Apache web server

I bit the bullet today and installed Windows 7 on my primary computer. All in all, it was a fairly painless process, though because I was switching from 32-bit to 64 (I can finally use that 4th GB of RAM!), I had to do a “custom” install which means I have to reinstall all my programs as well. For most purposes, it’s very much like moving to a new computer.

One of my gripes with Firefox and Thunderbird is that while the installers for both applications are very helpful about importing settings (passwords, network configurations, etc) from competing products, neither one provides a facility for migrating settings from your previous computer.

Fortunately, with a little bit of knowledge, it’s not overly difficult to do this by hand (which is probably why nobody – myself included – has written an appropriate migration tool).

Disclaimer: I don’t use many plugins, so I don’t know if or how well these steps will work with plugin settings. You’ll probably want to wait until after the migration before installing any plugins on the new system.

Copying your Firefox settings

Start off by installing Firefox on the new computer, all we’re copying is the user settings, not the software installation. I recommend you make certain that both the old computer and the new one are running the same version of the browser. (I’m not certain this is completely necessary, but it’s better to be safe.)

Next, one the old computer, you’ll need to use Windows Explorer to visit the directory where Firefox stores its settings.

• On XP: the path is
  C:\Documents and Settings\<username>\Application\Data\Mozilla\Firefox
• On Vista or Win 7: the path is
  C:\Users\<username>\AppData\Roaming\Mozilla\Firefox

<username> is, of course, the username you use to log into the computer. (You can find this by going to a command prompt and typing “net config workstation”.)

The “Application Data” or “AppData” directory is usually hidden, so you may have to blind type the path into the Explorer address bar.

On the old computer, make a copy of the “profile.ini” file and the “Profiles” directory.

On the new computer, go the corresponding path on the new computer, delete the existing “profile.ini” file and the “Profiles” directory, and replace them with the copies you made from the old one.

Copying your Thunderbird settings

Start off by installing Thunderbird on the new computer, all we’re copying is the user settings, not the software installation. I recommend you make certain that both the old computer and the new one are running the same version. (I’m not certain this is completely necessary, but it’s better to be safe.)

Next, one the old computer, you’ll need to use Windows Explorer to visit the directory where Thunderbird stores its settings.

• On XP: the path is
  C:\Documents and Settings\<username>\Application Data\Thunderbird
• On Vista or Win 7: the path is
  C:\Users\<username>\AppData\Roaming\Thunderbird

<username> is, of course, the username you use to log into the computer. (You can find this by going to a command prompt and typing “net config workstation”.)

The “Application Data” or “AppData” directory is usually hidden, so you may have to blind type the path into the Explorer address bar.

On the old computer, make a copy of the “profile.ini” file and the “Profiles” directory.

On the new computer, go the corresponding path on the new computer, delete the existing “profile.ini” file and the “Profiles” directory, and replace them with the copies you made from the old one.

Other notes

• I don’t know why Thunderbird doesn’t store its settings under the Mozilla directory. Presumably this is a philosophical difference between the two projects.
• Everything I’d read about a “custom installation” of Windows 7 had me thinking that the hard drive would be reformatted. I was pleasantly surprised to find that this is not the case. (Doing a backup is still highly recommended!)
• Consequently, in the case where the “old computer” is the same physical box, you can find the old “users” directory stored in C:windows.old. Presumably this would also apply to the “Application Data” directory when upgrading from XP (XP users must do a custom installation when updating to Windows 7). My upgrade was on a Vista machine, so I can’t say for certain what happens with XP.

From the writing-things-down-so-I-can-find-them department….

Selectors in a nutshell:

• tagname — applies the style rules to all instances of that tag. (About the only place I use this is to “reset”, p, div, and some others to display the same way across all browsers.
• #idname — all HTML (or XML) tags can have an id attribute. The value of the id attribute must, must, must be unique across the entire page. #idname lets you set the style for that element. (For example, on the shoreleave site, all pages have a div with id=”content”. I then have a #content rule (in a shared CSS file) which forces all the content areas to look the same.
• .classname (note the leading period!) — these are the values which appear in the class= attribute. You can also specify this with a tag name as in p.class1 and div.class1 so class1 would have separate meanings when attached to a p versus a div. (This is not necessarily a good idea, name overloading is confusing after all.)

You can also group things like this…

div p.classname which would mean, ‘Anytime a div tag contains a p with class=”classname”, the p should be displayed according to this rule…’

I’ve been following the Washington Post Security Fix blog for the past year or so. Recently, Brian Krebs has been writing a series of post about businesses are having with thieves stealing their banking credentials, and then the subsequent financial problems since businesses don’t have the same protections as consumers.

One place where I do disagree with the author is the idea of the Macintosh as a safe-haven. In some of his other columns, he’s mentioned that Apple is actually less secure than Windows, but because Windows has more marketshare, that’s what thieves will mostly target. I agree with that much, but the logical leap of “therefore Macintosh is safe”…. I’m just not a big fan of “security through obscurity.”

Three recent articles dealt with the idea (including a How-To) of using a Linux Live CD for online banking.

• Avoid Windows Malware: Bank on a Live CD
• E-Banking on a Locked Down (Non-Microsoft) PC (Tutorial for creating and booting from a Linux Live CD)
• E-Banking on a Locked Down PC, Part II (Follow-up to the reader reactions)

Just to be clear: I don’t think Linux is any more of a panacea than Mac, it’s just a bit more obscure. What I like about this particular solution is that you’re booting from a read-only copy of the operating system. In effect, every time you boot the computer, it’s brand new. Once you’re done with the banking stuff, turn off the computer (you don’t even need to go through the normal shutdown!) and next time you fire it up from the CD, it’s back to the exact same state as when you started it the last time. Even if something does get on to the computer, it can’t save itself to that read-only OS.

I currently do my banking from a virtual machine which I use for absolutely nothing but banking. But I’m definitely digging this as an alternative.

As nearly as I can tell, I’m about the only person in North America who isn’t on Facebook. (Evidently all three of my brothers have joined – though apparently none of them are fully aware of the others’ presence yet.) But I have gone and joined a different cult — I now have a Google Android-based telephone (the T-Mobile G-1).

For me, one of the most appealing parts of the Android phone is the way it integrates your phone book and calendar with Google’s contact manager (built into GMail) and calendar. That’s a fairly killer application for me in that it makes everything a whole lot more portable. The only problem is, GMail isn’t my primary means of contact. I’ve had my email address on a personal domain for more than eight years and prefer to use that one.

GMail offers a partial solution to this in that you can set it up to send messages from another address. The down side to this is that messages go out saying they’re from the GMail address on behalf of the other one. So when other people see it (primarily folks who are using GMail as their main address), they tend to capture the GMail address in their contact lists. If they then write to me at GMail, it could be a while before I see it.

Being forced to move to GMail as my primary email address would have been a deal-breaker for me. A lot of people know to contact me through my existing address and I really don’t want to deal with managing two addresses. (It’s been more than four years since I got rid of my landline phone, but I still occasionally hear about people calling the old number.)

So I went looking to see if there was a way to get an Android to work with non GMail address. One of the free services Google makes available is “Google Apps for Your Domain“; essentially, they provide a version of GMail, Calendar and their online Documents and Spreadsheet tools that work with a domain name you own. (For example, thatblairguy.com!) I figured that would be my best bet.

The first stop in my investigation was a thread on the Android Community Forums where someone was asking the exact same question I was: Does Android work with Google Apps for Your Domain?

And the answer is a resounding yes. Brilliant! (Apparently Google didn’t plan to do this, but later changed their minds.)

The first thing you have to do is setup your email to go to Google’s mail server. The instructions for that show up in the administration panel when you activate the email system. It’s mildly tedious, but fairly straightforward. You do need to have the ability to set custom records in your domain’s DNS server. (Pair makes this fairly simple.)

When I’m at home, I prefer to use Mozilla Thunderbird for my email rather than Google’s web interface. Setting up a desktop email client is also fairly simple, though given the number of them in existence, it’s not possible to document the step-by-step for every system out there. Google’s instructions provide the basic information for server settings, plus a double-handful of the most common clients.

Throw in the Lightning calendar addon for Thunderbird (as well as the provider for Google calendar), and at this point you have something equivalent to Microsoft Outlook, except that along with Windows, you can also run on Mac, Linux and a few other platforms.

Bringing the Android phone into the mix requires that you dig into it’s settings a little (Home Screen | Menu | SD card & phone storage | Factory data reset) and click the button for “Factory data reset.” (Yeah, that step’s a little scary.) When the phone starts up again, when it asks for your Google account, you instead enter an email address and password for your newly Google-hosted email system.

The phone synchronizes its contact list, calendar and email with what’s on Google’s servers and voilà! The Android is now ready to do your bidding.