TheCaptainsLatest.Blogspot.com! Linux/Windows7 Security-Admin-Apps Realization, Tricks and Tips

Blog is on hold until my book titled, “The Ultimate Open Source Small Business & Home Computing Security Guide to the World” is written and published

2011-11-06T20:16:00.004-05:00

After all my research for the blog I decided to write and publish a book on Home Computing Security. After all, with all the projects I have completed and posted on the blog I should just have to tweak things a bit and the chapters will write themselves. All I should need to do is learn how to self-publish a book and watch the money pour in. I found out the hard way that this thinking was completely wrong.

Writing a book is one of the most difficult, and rewarding endeavors I have ever embarked upon. I find myself working on one thing or another from the time I wake up till the time I go to sleep. To keep the book current with today’s ever changing technology I am studying new hardware and reworking every chapter how-to over and over again as hardware, techniques and Operating Systems change. I am constantly upgrading, studying, and surfing the internet for the best answers to present to my potential book readers.

I am writing authors everywhere to get permission to quote material from their web sites, books, and magazines that I have found useful for the book. All of this is very time consuming. I had to round up someone skilled in artwork, an editor, and a test audience for the book. As I write I have address every feedback I get over and over again. I had to take classes, buy books and magazines and study self-publishing. Many questions about book writing had to be answered and addressed. For example, originally I had a long “Forward” at the beginning of the book, but after study a Forward is what someone else writes about you. The Forward had to be redone and broken apart into a Preface and an Introduction. The book is in constant flux as I find a good tip, article or book that gives me a better approach to a paragraph or chapter. I am reworking the how-to sections over and over again each time tweaking this and that. I had to learn how to generate a Table’s of Content’s and a Index automatically. I am not a Microsoft Word 2010 expert but I an learning many of its advanced features. I don’t have the budget to pay someone to format the book.

To keep progress moving along on the book I cannot afford to take time to keep the blog updated. I apologize to my blog readers but the information I put on the blog has been freely given and does not put bread on table. I have resisted putting advertisements and other money making schemes up on the blog to keep it non-commercial for your easy reading benefit. My blog has no pop-ups or hidden links that take you to some web site you did not intend to surf to making me money as many blogs do.
The blog will come alive again in 2012 when book is complete and in print. A few of the things I have learned, the number of pages must be divisible by 48, and computer books need over 300 pages to sell.

Originally the book was going to be full of general computer tips and security measures for the home computer user. But I had to narrow the focus for two reasons, the book was getting to long for my limited budget to publish, and the books I am reading about self-publishing said I will need a narrow focus to sell books. To write over 400 pages strictly about home computing security is quite an undertaking. I presently have well over 400 pages but I have to rework the projects and perform many more rewrites to get the book ready for publishing. These project/chapters take a lot of work and many hours/weeks to write so stay tuned. I think you will find the book very interesting and essential to anyone who exposes their household computers and mobile devices to the internet, a dangerous place to be!

See you in 2012 and if you buy my book I will keep this blog free and open without advertising to annoy you.

The Captain.

KeePass Password Safe Debian/Ubuntu package works in Ubuntu 11.04!

2011-10-10T22:59:00.001-04:00

Sometimes good things come to those who procrastinate. Six months ago I promised a local university that I would investigate setting up travel bootable USB drives where half of the drive was encrypted with TrueCrypt and the other half was bootable into Ubuntu Linux. This would enable the corporate/government/individual traveler to safely carry confidential information like passwords, documents, etc. and bring them up on any computer booting off of their USB drive. I never had time to look into the project till now.

My individual goal was I want to be able to view my double encrypted KeePass password file in Ubuntu off my USB drive. My thought is to place the encrypted KeePass pasword file in the TrueCrypt encrypted section of the USB drive. This would provide double encryption for a traveling password file… making it double the work for a cracker to get at those passwords if my/our USB drive is lost or stolen.

The project is in the works. Turns out KeePass now has a Debian/Ubuntu package that works so the first portion of this project is done. To use your KeePass password file in Ubuntu do the following:

# sudo su -
# apt-add-repository ppa:jtaylor/keepass
# apt-get update
# apt-get upgrade
# apt-get install keepass2

Copy the KeePass password file into Ubuntu and bring it up. Everything worked great! If you don’t use KeePass you can obtain it at http://keepass.info/.

The ultimate computer build begins, starting with the new Logitech MK550 keyboard and mouse combo

2011-10-06T22:26:00.001-04:00

The first purchase has been made on the 2011/2012 ultimate computer I blogged about in the past. I started with the keyboard and mouse combination. This was because I could try it out in my current home network/computer configuration without too much hassle. My wife and I chose the Logitech MK550 Combo because of its good reviews and its ergonomic design. I took my wife to Best Buy and had her try out all the keyboards and she liked the feel of the Logitech MK550 the best. Is curves up slightly in the center; unlike some of the ergonomic keyboards that really curve up in the center requiring some getting used to. This is a more natural position for the hands and should help prevent carpel tunnel syndrome.

The keyboard has a nice feel. It is padded in the front where you can rest your wrists. My keyboards in the past provided a cheap plastic piece for this purpose. There is also the usual extra keys that do all kinds of wonderful things that you will have to learn about from the limited manual.

Install the latest software to from Logitech. Don’t use the disk provided with the combo. My SetPoint disk was at version 6.1. The software at Logitech was at version 6.3. Always surf to the manufactures web site to get the latest and greatest drivers and software for any new device.

My problem was making the new keyboard work with my DVI switch so I could use the keyboard with all my computers. I could not figure out how to do this. The keyboard operates off of Logitech’s Unifying technology. You plug a very small USB transmitter into a USB port and that transmitter sync’s up with your keyboard and mouse. I tried moving the transmitter to other computers to no avail. It would only sync up on the original computer. I purchased more of the Unifying Receivers from Logitech with the thought of and plugging them into my other computers and then using the keyboard and mouse combo with all my computers. This worked somewhat after many hours of experimentation. In hindsight, if you install Logitech’s software on all your computers, then move the transmitter around as needed… syncing everything up you will be good to go without the added expense. In my case having the extra transmitters plugged in ready to switch over to with a few mouse clicks is better.

The manual states that one keyboard/mouse combo will only work with one unifying receiver at time. But what does that really mean? My hope was to cut one computer off, cut another computer on and have the keyboard/mouse combo work (sync up to the new receiver automatically). This did not happen. There is little help in the small manual provided and searching Logitech’s web site was not much help. I finally determined that you have to run the Logitech “Unifying” software “Start > All Programs > Logitech > Unifying > Logitech Unifying Software” on each computer you switch to that has a “Unifying Receiver”. The easiest way I found was click on the “Advanced…” button and then the “Un-pair” button for the keyboard and mouse. Then use the “Pair a New Device” to re-sync the keyboard and mouse to the new receiver. You sync up the combo by cutting off each device (keyboard and mouse, up to six devices) one at a time and cutting them back on. While this in inconvenient it is a solution. The problem is you will have to have another keyboard/mouse combo hooked to each computer to sync everything up so you can use the MX550.

Recycle your failed hard drives and obsolete CD’s and DVD’s, save the environment! How to properly sanitize a hard drive without software and a sledge hammer.

2011-09-26T18:11:00.001-04:00

After searching everywhere on the internet I found http://www.freeharddriverecycling.com/ that says there will recycle a failed hard drive properly. They also accept CD’s and DVD’s. Now I don’t have to feel guilty about all my obsolete CD’s and DVD’s ending up in the local dump polluting our world. The companies name is “Back Thru The Future” based out of Franklin, NJ. Their web site points out:

Each hard drive contains approximately one pound of aluminum Recycling one hard drive saves enough energy to:

light a 100 watt bulb for 134 hours, or
run your television for 102 hours or
the energy equivalent of 1.5 gallons of gasoline

Recycling aluminum is 95% more energy efficient than producing aluminum from ore Recycling aluminum results in 95% less air pollution and 97% less water pollution than producing aluminum from ore. The following information on CD’s and DVD’s:

A CD/DVD is considered a class 7 recyclable plastic
To manufacture a pound of plastic (30 CD’s per pound), it requires 300 cubic feet of natural gas, 2 cups of crude oil and 24 gallons of water
It is estimated that AOL alone has distributed more than 2 billion CDs. That is the natural gas equivalent of heating 200,000 homes for 1 year
It is estimated that it will take over 1 million years for a CD to completely decompose in a landfill

Back Thru the Future Microcomputers, Inc. is not Better Business Bureau Accredited. It has no BBB rating. It also has 0 complaints registered against it in the last 3 years. I asked the company about that and their reply was, “The National Association for Information Destruction http://www.naidonline.org/ is the association we belong to that can vouch for the integrity of our company.”

There is also http://www.harddriveshredding.com/ where you can pay to have them maintain detailed, auditable records of your entire hard drive destruction process. In my case I will go the free route.

Below is what their web site has to say about the company:

Founded in 1990, Back Thru the Future is one of the oldest computer recycling companies in the US. It was one of the first electronic recyclers to receive both US EPA and State DEP registration as a qualified electronic recycler and we were the first electronic recycling facility in the country to receive the National Association for Information Destruction (NAID) certification as an AAA certified secure destruction facility. We were a member of both the NAID and ARMA committees that established their industry guidelines for the destruction of electronic media. We were a member of the State of NJ stakeholder committee that helped develop NJ’s new e-scrap regulations.

If you are 100% confident that your drives no longer contain sensitive data and you are looking to dispose of the drives in the most environmentally friendly fashion, look no further. The materials used in the manufacture of hard drives are valuable recyclable materials. We have developed a sophisticated materials sorting system that allows us to recapture 100% of the hard drives component materials.

Simply box your drives up, write “HD” on the container and ship to the address below. For quantities in excess of 1000 we will pay the cost of transportation.

But that is the tricky question. How can I/we be 100% confident our home drive no longer contains sensitive data? Normally we could use software to erase everything on the drive. It will take more than 5 full days to sanitize a 1 terabyte capacity hard drive using DOD specification overwrite software… but that would be OK. But in this case the drive has completely failed. It cannot be sanitized that way. If we take a sledge hammer to the drive or drill holes in it will they then accept the drive for recycling? Do they have a recommended method for the “home” computer user to sanitize a drive that can no longer be written to?

I called “Back Thru the Future” and asked them what is the best way to sanitize a hard drive for a home user? They said that soaking a hard drive in water overnight will completely sanitize a hard drive. I had never heard of that. So I did a ton of research on the internet. This is what I found about soaking a drive in water:

The PC technician at http://askbobrankin.com/how_to_destroy_a_hard_drive.html says it would damage the hard drive to the point where you couldn't just pop it into a computer and get it working, but the data would still be recoverable. One PC technician says that one of their clients dropped their laptop into their swimming pool. They sent the drive to DriveSavers (which I assume to be http://www.drivesaversdatarecovery.com/), and they were able to recover all of the information on the drive.

To actually destroy a drive through physical means, you'll either need to melt the drive platters or at least sand down the surfaces.

After reading everything I could find about physically destroying a hard drive the only sure method that I could find is what Bob Rankin said, I will have to destroy the platter surfaces. So I set out to take the drive apart and sand down the platter surfaces. The screws holding the drive together are Torx head screws which are characterized by a 6-point star pattern. No problem I thought, I have all kinds of bit sets in the house. After examining all my bit sets the smallest Torx bit I could come up with was a T10 which was too big to fit the screw. I went to the Black and Decker outlet and the smallest Torx they had was a T10. I then went to Sears with the hard drive in hand and discovered that a Torx T9 was the tool that was needed. I could have purchased one Torx T-10 driver for $4.00 but I decided that the 10 piece Precision Craftsman Screwdriver set which was on sale for $21.00 was a better option. This set is a very nice with a Torx T8 and T7 for working on computers and hard drives. Plus if you break any of the Screwdrivers in the set the have the Craftsman lifetime guarantee.

The sledge hammer approach would also work but that would make packaging the drive in box the new drive came in and recycling difficult. Remember we are trying to save the environment… if you care nothing for the environment just smash the drive in to pieces and throw it in the trash… but being an environmentalist I ask you not do that and use the method I described above. I am also packaging all my obsolete DVD’s and CD’s with the drive to send to them also.

Degraded NVIDEA Mirror, is running a redundant home RAID setup worth the cost?

2011-09-24T22:01:00.001-04:00

Unequivocally YES! In these days of cheap hard drives and motherboards that support RAID, why risk an important home computer to hard drive failure? In all my years of home computing the component that fails most often in my custom built computers is the hard drive. Makes sense if you think about it. The hard drive is the most mechanical device in the computer. It has spinning platters, read write heads moving around, data being written and read constantly, etc.

Yesterday my wife screamed down there was a problem with the computer. I came up expecting the usual boot up problem, but instead I saw the error message “Degraded NVIDEA Mirror” flashing in RED on the screen. In the life of this computer I had never seen this message before. I groaned… I had just rebuilt this computer from scratch about 10 months ago and everything on it was purring along perfectly. Not to mention the 10 Linux virtual environments I have installed and updated. My wife has tasted what real computing power can mean working from home and she loves working on this computer. It took me an entire evening to get her working on the old backup computer and I slept on how to attack this latest computing disaster.

First off be careful what you read out on the internet. I surfed in my one virtual Operating Systems using Tor to all kinds of questionable web sites and see what others had to say about this problem. I saw crazy solutions from testing the RAM to unplugging one drive at a time and rebooting. While testing memory is never a bad idea, just unplugging drives and rebooting might be. What happens to the RAID configuration in the scenario? Suppose it got corrupted somehow? Or you corrupted the drive that has not failed? I did not want to RISK that.

I implemented the following successful plan:

Originally, I set this home computer up as a RAID 1 mirror buying two cheap refurbished drives. So in theory, if the mirror was degraded I should still be able to boot off of the drive that was still working. If I got the computer booted, I would back up everything and create a system image using, “Start > Control Panel > Backup and Restore > Create a System Image”. The system booted and the backup was successful to my 2TB USB drive.
Next, I Download all the latest tools from from my hard disk manufacturer (in my case Seagate). I had two refurbished Seagate Barracuda 750 GB drives in the mirror. If the mirror was degraded then the most likely problem was one of the hard drives.
I installed Seagate SeaTools in Windows but it would not run. I burnt a copy of the latest bootable SeaTools DOS utilities to CD. If you don’t use CD/DVD-RW disks you should consider them. They save a bit of money keeping up with all the latest releases. About every 6 months I have to update all my diagnostic bootable CD’s to troubleshoot the latest PC hardware disasters.
I booted the SeaTools CD and tried to look at the hard drives. SeaTools was only displaying one hard drive. I wondered how I was going to figure out which drive has failed? I thought to take the computer apart and see if one of the drives was not spinning by feeling the drives during startup. Both drives were spinning… dead end.
I went back into SeaTools and wonderfully it was displaying both drives. I quickly tested both drives and one drive failed all tests and eventually died completely… but not before I wrote down the serial number from the SeaTools diagnostics. In hind sight I could have just written down the serial number of the good drive and pulled the one that SeaTools could not see.
I pulled the drive out noting the serial number and put it aside. I went to Seagate’s web site to see if the drive was under warranty, it was not.
I ordered another refurbished drive from Newegg.com for a mere $40. The Seagage Barracuda 750GB drive comes with a 16MB cache or 32MB cache. Always get the bigger cache. Because I run a mirror I did not purchase any sort of extended warranty. From my experience refurbished drives are a roll of the dice. I’ve had pretty good luck with them lasting 4 or more years… which puts them just outside any sort of warranty I could purchase.
Upon arrival, I put the drive in the computer and used SeaTools to run diagnostic tests on the new drive.
I then rebuilt the mirror, and booted the computer up to see it running as good as new.
I opened up the failed driver and sanded the platters to destroy my data. I then sent the drive off with some CD’s and DVD’s to be properly recycled. See my blog entry http://thecaptainslatest.blogspot.com/2011/09/recycle-your-failed-hard-drives-and.html.

The moral of the story is running a RAID 1 mirror saved me weeks of work rebuilding a computer at a cost of about $60 per drive originally. You have to ask yourself… how much is your time worth? RUN RAID 1, 5 or 10 at home! If you can afford it RAID 10 is optimal (best of both worlds). It yields close to the performance of RAID 0, has the benefits of the redundancy of RAID 1… without the performance hit of RAID 5. I called ASUS to see if their motherboards could run RAID 10 on two drives and did not get an answer (the technician had no idea what I was talking about). The standard RAID 10 configuration takes a minimum of 4 drives. I will be building a new computer soon, capable of supporting RAID 10, so I will let you know.

If you wish to read about the various RAID levels the wiki https://secure.wikimedia.org/wikipedia/en/wiki/Standard_RAID_levels and https://secure.wikimedia.org/wikipedia/en/wiki/RAID_10#RAID_10_.28RAID_1.2B0.29 are a excellent places to start. In summary from the link above with a few words added:

RAID 0 strips the data over multiple hard drives. RAID 0 would be a good choice if you have 2 hard drives of different sizes. RAID 0 will give a minimal boost in the performance of the system. Bear in mind that a set of two disks is roughly half as reliable as a single disk.
RAID 1 creates an exact copy (or mirror) of a set of data on two or more disks. To maximize performance benefits of RAID 1, independent disk controllers are recommended, one for each disk. RAID 1 should be implemented on two identical drives but does not have to be. When reading, both disks can be accessed independently and requested sectors can be split evenly between the disks. For the usual mirror of two disks, this would, in theory, double the transfer rate when reading. When writing, the array performs like a single disk, as all mirrors must be written with the data. How the data is read is dependent on the controller.
RAID 5 uses block-level striping with parity data distributed across all member disks. RAID 5 has achieved popularity because of its low cost of redundancy. A minimum of three disks is required for a complete RAID 5 configuration. RAID 5 implementations suffer from poor performance when faced with a workload which includes many writes which are smaller than the capacity of a single stripe. This is because parity must be updated on each write, requiring read-modify-write sequences for both the data block and the parity block. The read performance of RAID 5 is almost as good as RAID 0 for the same number of disks. Except for the parity blocks, the distribution of data over the drives follows the same pattern as RAID 0. The reason RAID 5 is slightly slower is that the disks must skip over the parity blocks.
RAID 10 is a stripe of mirrors. RAID 10 requires a minimum of 4 drives. Linux "RAID 10" can be implemented with as few as two disks. In most cases RAID 10 provides better throughput and latency than all other RAID levels except RAID 0 (which wins in throughput). It is the preferable RAID level for I/O-intensive applications such as database, email, and web servers, as well as for any other use requiring high disk performance. As in RAID 1, all but one drive from each RAID 1 set can fail without damaging the data. So in a 4 drive configuration 2 drives can fail as long as they are not the mirror of the other. If a failed drive is not replaced, the single working hard drive in the set then becomes a single point of failure for the entire array. Some RAID 10 vendors address this problem by supporting a "hot spare" drive, which automatically replaces and rebuilds a failed drive in the array.

Adding Polipo caching web proxy in Ubuntu to speed up browsing using Tor

2011-09-13T00:54:00.001-04:00

First step is apply the Ubuntu updates as root:

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

See my entry, “Adding Polipo caching web proxy in Fedora to speed up browsing using Tor” as reference. Now get Polipo:

# apt-get install polipo

Much of the following is taken from the work done in Fedora setting up the Polipo caching web proxy. There were a few differences setting up Polipo between Fedora and Ubuntu but not many. One difference was the “polipo” service was configured to start automatically by just installing the package.

Setup the configuration file recommended by Tor:

# cd /etc/polipo
# mv config config.orig

Copy the recommended configuration file from Tor at https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf to /etc/polipo directory. There is some good information about setting up Polipo with Tor at http://www.pps.jussieu.fr/~jch/software/polipo/tor.html. The main thing in the file to setup Tor with Polipo is

# Uncomment this if you want to use a parent SOCKS proxy:

socksParentProxy = "localhost:9050"
socksProxyType = socks5

# chmod 644 config

Because I want Polipo to run as a daemon I added the following to the /etc/polipo/config file copied into the /etc/polipo directory above:

### Setup Polipo to run as a Daemon
### *****************************
daemonise = true
pidFile = /var/run/polipo/polipo.pid

Now if you go to /etc/init.d and type “./polipo start”

In Ubuntu the daemon will start automatically on the next reboot. You can look at the services using:

# service –-status-all

The only tool I could find for Ubuntu to configuring services is:

# apt-get install sysv-rc-conf
# sysv-rc.conf

So now we have Polipo installed, configured, and running automatically at start up. We now need to setup our browser (Firefox) to use the proxy to access the Tor network. Right click on the “Torbuttown > select Preferences > Proxy Settings”. Set your configuration up like below:

When done click on the “Test Settings” button and you should get:

If you want disk caching, the default Tor configuration had the following set:

# If diskCacheRoot is an empty string, no disk cache is used.
# Uncomment this if you want to disable the on-disk cache:

diskCacheRoot = ""

From the Polipo manul, “The on-disk cache consists in a filesystem subtree rooted at a location defined by the variable
diskCacheRoot, by default "/var/cache/polipo/". This directory should normally be writeable, readable and seekable by the user running Polipo.” So just comment out this line and caching will be enabled by default.

# diskCacheRoot = ""

You can check later to see if disk caching is actually taking place by looking at the /var/cache/polipo directory.

[root@localhost polipo]# ll /var/cache
drwxr-x---. 115 polipo polipo 4096 Sep 12 21:43 polipo

Be advised that the default Tor config also sets:

# Uncomment this if there's only one user using this instance of Polipo:

cacheIsShared = false

So if you have more than one user you might want to stick with the Tor setting of having no disk cache or comment the above out and see if everything works OK.

Getting an intermittent ISP connection fixed! You will eventually get the problem solved with these simple steps.

2011-09-12T01:07:00.001-04:00

My wife recently started working from home. When working from home it is amazing how dependent your life becomes on your Internet Service Provider (ISP). Where before you could live with an occasional outage you now need 24/7 support and an uninterrupted connection to the internet. I have been happy with my ISP, and really went the whole nine yards with them these past few months trying to get our intermittent connection outage problems resolved. Many times I thought of trying other companies, only to read about even worse horror stories with the other ISP providers.

Employers who send their employees home to work really need to think about helping their home working employees with potential ISP issues. Their voice in an ISP battle would hold a lot more weight than our lone voices. Employer contracted IT departments do not seem to understand the mechanics behind VPN connections into work networks and the problems employees have. The security concerns this lack of IT department knowledge brings to mind for the company in question (and its sensitive data), I can only wonder… perhaps none. In our case the companies technical support had no clue why our VPN connection could not pick up where it left off after a connection loss to the ISP. My wife would have to completely shut everything down… and log in again costing her valuable time. The companies final response was, “get the ISP to quit dropping your connection...” yes that is true… but some help from them dealing with the ISP would have been greatly appreciated.

The company IT department said it was not possible to use multiple monitors with the VPN software. I knew this had to be wrong because it is the Operating System that allows the use of multiple monitors… not the applications running on the operating system. For the companies IT departments benefit, if they were to ever read my blog… if you are using Jupiter Networks software for VPN connections you can spread the monitor viewing screen across both monitors by clicking on the Window’s Explorer middle icon in the upper right corner… spread the window across both monitors… and then maximize the window… shazam… the user can now use two monitors. Something that the the IT contract department help desk at a multi-billion dollar corporation said was not possible to my wife. Here is my shameless promotion, read my upcoming book “The Ultimate Home Computing and Security Guide to the World” for other useful tricks and tips.

Everything used to be free for service issues with my ISP. I did not know that had changed since my last service call and it cost me $80 before I learned that costly lesson. Most ISP’s now charge for service calls unless you pay a monthly service fee. That service fee now runs me $3 extra per month on my bill. Well worth it once you understand that most of the ISP technicians have minimal training and experience… it can take MANY visits to solve your home connection problems. The technicians test equipment, while expensive and will do the job, is useless without trained personnel to use it. So plan on many calls and visits from untrained ISP technicians (using that title loosely) to solve your problem. In my case three visits and about 20 calls… and many hours of my valuable time.

In the Cable companies defense, from my own life’s experience I worked for years in the Air Force and for one of the top three US banks in a huge data center. On both jobs I/we had all the expensive equipment to analyze any problem in cabling but little or no training on how to use it. In the Air Force the (old guard) did not want to admit they could not use the Time Domain Reflectometer http://en.wikipedia.org/wiki/Time-domain_reflectometer to locate faults in the metallic cables in the airplanes. More than once I would be instructed to change the connectors by cutting the wire an re-splicing the cables. This is very bad because shortening a cable in a plane can cost millions of dollars in labor and work, once the wires become too short to splice anymore. But the Air Force would rather pay millions than provide proper training for personnel in the thousands of dollars. As a Senior Airman I argued more than once for use of the TDR’s as a troubleshooting tool (which would sit back in the shop on the shelf). Even as a Staff Sergeant I could not change the culture. A shop chief has total authority… whose knowledge is many times 15 years too old and does not want to admit how modern day technology has improved on the the old way of doing things.

I encountered the same type of thing in the civilian world. My experience at a major data center of a US bank had us leaving all the advanced Fluke cable analysis equipment on the shelf and doing stupid stuff like pulling new cable and throwing out the old, perfectly good cable, without determining what the real problem was. My influence helped change that culture a bit and eventually the data center personnel learned how reference and use some of the equipment... Even though we never got the corporate paid for training we needed. So seeing the cable companies lack of training in its personnel is not new to me. Cheap, inexperienced, untrained employees somehow makes more sense to management in today’s technical world… both in corporate America and in the military.

If you are experiencing intermittent outages with your ISP just give in to the fact that you don’t know more than the technical support person you are talking to in some foreign country. The problem has to be your home computer Network Interface Card (NIC), your home router, or your cable modem. The first thing to do is go to your nearest cable service provider office and rent one of their cable modems. My cable modem was of superior quality to the rented ISP cable modem technology but this modem was obviously the problem to any technician. All the ISP technical support personnel know is a few simple steps with the rented cable modem to solve your problem. Most of the time it will be unplug the power from the modem… wait 10 seconds… and like magic this will solve you problem (almost never will this solve your fundamental problem… but for the technician it will get you off the telephone!). Yes you may become reconnected with the internet but these untrained people have NOT solved your fundamental problem… only postponed the inevitable… having an unknowledgeable ISP technician visit your home which will have to come at your time and expense!

Now your ISP will all say your state of the art advanced router is causing the problem. You will have to take your router out of the loop and connect your computer directly to the cable modem exposing your computer to all kinds of internet attacks. Record each loss of signal to the internet using the ISP cable modem and call your ISP every time it happens. You have to become a thorn in their side!

Your ISP will now point to your computer’s Network Interface Card (NIC) as causing the problem. Hopefully you have the luxury of a second computer to connect it’s NIC card the ISP’s cable modem and start noting the outages…. again with the second computer. Call you ISP and tell them the intermittent outage problem is happening using a second computer using a second NIC card! Eventually your ISP will yield to another technician visit… you may finally get one skilled in the use of their equipment.

The first technician blamed my splitters. While cheap splitters can be the problem I did not think they had a clue because I had a perfectly good internet connection for years on those same splitters. Observe the DB gain as the technician looks at on your TV’s to see if they are pulling the wool over your eyes. Since we are not cable technicians we are looking for an increase in DB and assume life is good.

The second technician checked the noise on the lines. Cable TV/Internet is a closed network and all connections must be secure. This requires more than a finger turn on the TV and cable modem connections. I had noise on two of my connections which the technician easily corrected with the turn of wrench... my bad for not giving them the final turn with a wrench. Finger tight is not enough with cable connections. Finally I saw correct use of a cable analyzer.

But noise was not the problem either. The intermittent outages continued. After many more calls to the ISP a third technician was dispatched. This guy really knew how to use the cable analysis equipment. I guess they were tired of hearing from me and dispatched their top dog. He changed the splitters the original technician replaced. He then went out to the pole and determined my local squirrels had been chewing on the line leading into the house. There was water in the line causing the intermittent outages as the wind blew. He replaced the cable from the pole to the house and checked the DB on the TV explaining everything to me… problem finally fixed. After he was done we had a flawless connection to the internet. No more listening to my wife stomp on the floor screaming and stomping on the floor… life is good. Based on our experience you will have to beat you ISP over the head many 20 times to get their top level support. A huge expense for them due to their lack of training personnel and outsourcing their help desks. This is the new reality in America…

I quickly switched back to my router for security… and then to my home modern modem to quit paying rent. I finally has to use REVO UNINSTALL to remove all my wife Jupiter Networks software and reinstall it so she can work from home in bliss. So here is my bullet point list for dealing with an ISP:

Go get a ISP rental modem.
Sign up for your ISP’s service plan costing you $3.00 per month.
Note every network outage, call your ISP at least twice daily, preferably during an outage.
Take your router out of the loop and hook your NIC directly to the rented cable modem.
If you have a second computer hook that directly to the cable modem and note every outage… continuing to call your ISP.
Explain to each technician exactly what the previous technician looked at, said, and did.
Be patient, it is not the technicians fault if there was not trained properly. Eventually you will get the top dog!

Adding Polipo caching web proxy in Fedora Linux to speed up browsing using Tor

2011-09-08T01:07:00.001-04:00

Tor recommends using the Polipo proxy to connect to the Tor network. If you are like me, I always thought of a proxy as the evil middle man that companies/schools set up to limit access to the internet, and track everything that students/employees are doing with their browsers. So I was curious how implementing an individual proxy in one Linux environment could benefit my web surfing.

Under a proxy type of setup, when a client tries to access the Internet from a Web browser the web page request goes to the proxy server. The proxy server then makes the request to the Internet. This server can act as a filter both to and from the internet… and it can log all activity both ways. This is very useful finding students/employees using their computer improperly.

So how can a proxy benefit individual web surfing? The Polipo proxy was designed with the individual in mind. It was built with a focus on individual users, or use a small office. It has limited capabilities for filtering but its focus is actually on performance. It caches your internet activity and communicates with web servers as optimally as possible. You can read about Polipo at http://www.pps.jussieu.fr/~jch/software/polipo/. From the web page here are some reasons to consider using Polipo with Tor:

Polipo has some features that are, as far as I know, unique among currently available proxies:

Polipo will use HTTP/1.1 pipelining if it believes that the remote server supports it, whether the incoming requests are pipelined or come in simultaneously on multiple connections (this is more than the simple usage of persistent connections, which is done by e.g. Squid);
Polipo will cache the initial segment of an instance if the download has been interrupted, and, if necessary, complete it later using Range requests;
Polipo will upgrade client requests to HTTP/1.1 even if they come in as HTTP/1.0, and up- or downgrade server replies to the client's capabilities (this may involve conversion to or from the HTTP/1.1 chunked encoding);
Polipo has complete support for IPv6 (except for scoped (link-local) addresses).
Polipo can optionally use a technique known as Poor Man's Multiplexing to reduce latency even further.
Since it can speak the SOCKS protocol, Polipo can be used together with the tor anonymising network.
Since it can speak both IPv4 and IPv6, Polipo can be used as a bridge between the IPv4 and IPv6 Internets: to allow an IPv6-only host to access IPv4 servers or vice versa.

In short, Polipo uses a plethora of techniques to make web browsing (seem) faster.

After reading the manual I decided to set it up. First thing I did was:

# yum install polipo

====================================================================
Package Arch Version Repository Size
====================================================================
Installing:
polipo i686 1.0.4.1-3.fc15 fedora 198 k

Transaction Summary
====================================================================
Install 1 Package(s)

Total download size: 198 k
Installed size: 545 k
Is this ok [y/N]: y

Now setup the configuration file recommended by Tor:

# cd /etc/polipo
# mv config config.orig

I then copied the recommended configuration file from Tor at https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf to /etc/polipo directory.

# chmod 644 config

Because I want Polipo to run as a daemon I added the following to the /etc/polipo/config file copied into the /etc/polipo directory above:

### Configuration from Fedora RPM
### *****************************
daemonise = true
pidFile = /var/run/polipo/polipo.pid

Now if you go to /etc/init.d and type “./polipo restart” you will get the following:

[root@localhost init.d]# ./polipo restart
Stopping polipo:                                           [FAILED]
Starting polipo:                                           [ OK ]
[root@localhost init.d]# ps -ef | grep polipo | grep –v grep
polipo    2019     1 0 00:03 ?        00:00:00 /usr/bin/polipo -c /etc/polipo/config

Now we want the daemon to start automatically on the next reboot. You can see it is not starting automatically by typing:

# serviceconf

Type the following at the command line to get it starting automatically:

# chkconfig polipo on

So now we have Polipo installed, configured, and running automatically at start up. We now need to setup our browser (Firefox) to use the proxy to access the Tor network. Go into Firefox and setup the Proxies:

And then test everything as seen in the above screen shots. The final steps are to tweak the /etc/polipo/config file for a few final updates (personal preferences). I first looked at the memory settings.

From the Polipo manual, “Unless set explicitly, both chunkLowMark and chunkCriticalMark are computed automatically from chunkHighMark.” I checked to see if we might want to adjust this and the default configuration from Tor has it set to:

chunkHighMark = 67108864

Which is higher than the recommended values in the Polipo sample config of:

# Uncomment this if you've got plenty of memory:

# chunkHighMark = 50331648
# objectHighMark = 16384

So I have to assume this is more than adequate. Second I wanted to use disk caching. From the manual, “The on-disk cache consists in a filesystem subtree rooted at a location defined by the variable diskCacheRoot, by default /var/cache/polipo/.” The default Tor configuration had the following set:

# If diskCacheRoot is an empty string, no disk cache is used.
# Uncomment this if you want to disable the on-disk cache:

diskCacheRoot = ""

So I commented this out. Please be advised that the default Tor config also sets:

# Uncomment this if there's only one user using this instance of Polipo:

cacheIsShared = false

So if you have more than one user you might want to stick with the Tor setting of having no disk cache. Another thing I check on was the logging. I found this in the manual, “The variable logFile defaults to empty if daemonise is false, and to ‘/var/log/polipo’ otherwise. So there was no reason to uncomment the following:

# logFile = /var/log/polipo

I did not want the this log file to grow and grow unchecked. But not to worry. Upon install Polipo puts the following entry in the /etc/logrotate.d directory:

/var/log/polipo {
    create 0640 polipo polipo
    missingok
    notifempty
    delaycompress
    postrotate
/sbin/chkconfig polipo && /sbin/service polipo reload 2>/dev/null >/dev/null || :
    endscript
}

In a future project I will get all this working in Ubuntu. Read my upcoming book “The Ultimate Home Computing Guide to the Galaxy” to get all these up-to-date home computing tips and much, much more… in one read. I will be shamelessly promoting it in all my upcoming blog entries. If you are tired of all the other computer reference books out there glossing over topics and not giving you all the useful details… the captain is out there!

https://help.ubuntu.com/community/Polipo

https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms

Using Tor Network to Cloak Your Browser Activity (surf anonymously) in a virtual environment… and adding HTTPS Everywhere for even more security.

2011-09-03T18:41:00.001-04:00

I have blogged about using the Tor network in the past… but sometimes blog entries are worth repeating and expanding upon. The inadequate PC World article titled “Tor Network Cloaks Your Browsing”, in their September, 2011 issue, while a decent article, cried out to be expanded upon. Tor (acronym of “The Onion Router”) is free and open source software that helps users remain anonymous on the Internet.

Please understand that telecom companies, search engines, retail companies, governments, etc. track your internet activity. This information is used to record your IP address, where you live, what you like (are looking at), who you have been talking to, what you type (search for), etc. This information is a gold mine for businesses storing this data to target their advertising. Google, for example, has entire server farms storing the search information on millions of “open surfers” worldwide. When you visit a Web page, your browser submits a request for the data on that page and returns it to your home PC. When you receive a Web page like this “out in the open” it exposes your IP address, the URL of the website, and the contents of the site, among other information to third parties. For example, when you visit Amazon.com you will see advertisements based on what you purchased and looked at on your previous visits. At Google.com, Bing.com, Dogpile.com, etc. you will see advertisements based on your past search engine activity.

From wiki, “On May 26, 2011, President Barack Obama signed a four-year extension of three key provisions in the USA PATRIOT Act: [2] roving wiretaps, searches of business records (the "library records provision"), and conducting surveillance of "lone wolves" — individuals suspected of terrorist-related activities not linked to terrorist groups.” Thanks to this invasion of privacy NSA can still track your internet activity using Tor. But most of the rest or world, and unscrupulous individuals, cannot.

I’ve have tried to explain this insidious invasion of our internet privacy to friends and family and the response I get is, “let them track me… I’m not doing anything wrong on the Internet.” What they don’t understand is snoopers and deceitful crackers use this open information to steal your identity and target their scams. Also the US government can subpoena this information from any business that tracks your internet activity… anytime (can you say the George Bush/Obama Patriot Act still in place). This information that you freely provide to criminals and governments can be used to cost you your life (in some countries), many thousands of dollars in litigation, years of frustration getting back your identity, ruin your credit, and destroy your life as you know it. But if you spend a few hours following the captain (for free) I will show you how to protect yourself somewhat. No technique is perfect and some crackers/governments will have a work around to anything (NSA for example). But you will be safe from most of the rest of the world… which is a lot more secure than “open surfing” exposing you home PC to criminals everywhere! You can read about Tor’s limitations at https://www.torproject.org/download/download.html.en#Warning

From September, 2011 PC World, “For true privacy while surfing the Web, you need to encrypt the data that you exchange with websites and mask where the data is coming from. Enter the Tor Network, a free service maintained by the nonprofit Tor Project and a worldwide network of volunteers who are dedicated to keeping the Internet free and private. With the Tor Network’s servers, your request enters the Tor Network via and entry point known as a relay. Most relays are servers running a copy of the Tor software, which encrypts the request and sends it through a random series of server relays to confuse surveillance and frustrate anyone monitoring your Internet activity.

As your request passes through nodes, layers of encryption strip off, until your request hits an exit relay and returns to the Internet to request data from the Web page that you are trying to visit. Even if the server hosting that Web page logs your search queries or IP, the data isn’t associated with your name or home computer. Backtracking the request to your location is much more difficult, too, because after the server dispatches the relevant data, the data bounces back through the Tor network before arriving at your home PC.

Tor is free, and hackers, privacy enthusiasts, and Egyptian and Iranian dissidents have used it with great success to elude government surveillance.” This is where PC World drops the ball. They say little about how to install Tor or how to take other measures to ensure your security. PC World also does not go into much detail on Tor’s limitations… but the Captain is here to help!

Tor is only the fist step toward internet surfing privacy. You should do all your web surfing using “virtual” environments. Go get VMWare Player (currently at version 3.1.4, released March 29, 2011), or Virtualbox (currently at version 4.1.2, released August 15, 2011) and install one or the other. Then go get an operating system like Fedora, openSUSE, Ubuntu, Linux Mint, or even and old Windows XP disk and install that as virtual environment to surf in using the Tor network. Having a virtual XP environment is also and excellent place to install all that questionable FREE software that everyone loves to try! This added measure of protection insulates your PC against cookies, spyware, viruses, etc. that we get many ways… the most prevalent being from visiting questionable web sites that search engines present, and we blindly click on with no regard for our PC security.

Use “Network Address Translation (NAT)” for your virtual OS. You can check if you are using NAT in VMware Player by right clicking on the virtual OS and selecting “Virtual Machine Settings…” You will see “Network Adapter NAT”. Even if a “cracker” tracks you back through the Tor network (doubtful) they will land in your virtual Operating System and not on your home computer where all your valuable data is stored. But adding virtual surfing is still NOT enough.

To use virtualization you will need a computer powerful enough run all your applications. See my blog entry titled, “Building the ultimate home computer for virtualization and gaming, don’t scrimp on the components! This baby should scream!” This project was started March 29, 2011 and was just completed September 6, 2011. The motherboard selected is ASUS Maximus IV Extreme-Z and is on the bleeding edge of technology. It also costs a whopping $349. I am letting the technology age another month or two to get more user reviews and feedback on this new technology. In the next few months, god willing, this baby will be built and “the captain” will blog all about it.

From the Tor website, “Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Torbutton while browsing the web to withhold some information about your computer's configuration. Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.”

To get real privacy you can integrate other applications with Tor. There is a gold mine of information about how to do this on the Tor Wiki at https://trac.torproject.org/projects/tor/wiki. The application I integrate with Tor is the “Electronic Frontier Foundation, HTTPS Everywhere.” From their web site, “HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.”

How to install and setup Tor in Ubuntu 11.04 for surfing the internet securely

Installing VMware or Virtualbox, and loading up a virtual OS is beyond the scope of this project. See previous blog entries to learn how to do this. One of the most user friendly virtual Operating Systems I am running is Ubuntu so I am using that to setup Tor and HTTPS Everywhere in Firefox.

General Firefox setup:

Login to Ubuntu and apply all the latest updates as root. “$ sudo su –”; “# apt-get update”; “# apt-get upgrade”; “# apt-get dist-upgrade”. Make sure the Firefox browser is updated to the latest version by clicking on “Help > About Firefox”.
Add the Firefox browser to the Desktop and to the panel by clicking on “Applications > Internet > Right click on Firefox > Click on (Add this launcher to panel) and click on (Add this launcher to desktop)”.
In Firefox click on “Edit > Preferences > Check the Always ask me where to save files” and change the home page. I use my web site at http://users.wowway.com/~captainkirk/ which is also where you can get all the links to free software I recommend.

Method 1 for permanently installing Tor and having it available in Firefox with one click

This method will automatically show the Tor button when you start Firefox. Most of these directions are taken from https://www.torproject.org/docs/debian.html.en#ubuntu and slightly modified for the blog.

Type “# apt-get install tor tor-geoipdb” as root. Note that this might not always give you the latest stable Tor version, but you will receive important security fixes. To make sure that you're running the latest stable version of Tor, continue on.
Type “$ lsb_release -c or cat /etc/debian_version” and note the release. Ubuntu 11.04 is "natty".

- Debian unstable (sid) is "sid"
- Debian testing is "wheezy"
- Debian 6.0 (squeeze) is "squeeze"
- Debian 5.0 (lenny) is "lenny"
- Ubuntu 11.04 is "natty"
- Ubuntu 10.10 or Trisquel 4.5 is "maverick"
- Ubuntu 10.04 or Trisquel 4.0 is "lucid"
- Ubuntu 9.10 or Trisquel 3.5 is "karmic"
- Ubuntu 8.04 is "hardy"

Then as root add this line to your /etc/apt/sources.list file: “deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main” where you put the codename of your distribution (i.e. natty, lenny, sid, maverick or whatever it is) in place of <DISTRIBUTION>. After backing up “# cd /etc/apt; cp –p sources.list sources.list.orig” add the following to the bottom of the /etc/apt/sources.list file:

## Add the Tor Project repository.
deb http://deb.torproject.org/torproject.org natty main

Then add the gpg key used to sign the packages by running the following commands at your command prompt. NOTE: This should be done by the user ID you are using to surf the internet and NOT as root. Type:

$ gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg: directory `/home/username/.gnupg' created
gpg: new configuration file `/home/username/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/username/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/username/.gnupg/secring.gpg' created
gpg: keyring `/home/username/.gnupg/pubring.gpg' created
gpg: requesting key 886DDD89 from hkp server keys.gnupg.net
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key 886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
OK

Now (as root) refresh your sources and install Tor by running the following commands (as root) at your command prompt:

# apt-get update
Ign http://extras.ubuntu.com natty InRelease
Ign http://security.ubuntu.com natty-security InRelease
Ign http://us.archive.ubuntu.com natty InRelease
Ign http://us.archive.ubuntu.com natty-updates InRelease
Get:1 http://deb.torproject.org natty InRelease [2,756 B]
Hit http://security.ubuntu.com natty-security Release.gpg
Hit http://extras.ubuntu.com natty Release.gpg
Hit http://us.archive.ubuntu.com natty Release.gpg
Hit http://security.ubuntu.com natty-security Release
and so on...
# apt-get install tor tor-geoipdb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-2.6.38-8-generic polipo linux-headers-2.6.38-8 socat
libreadline5
Use 'apt-get autoremove' to remove them.
Suggested packages:
mixmaster xul-ext-torbutton tor-arm
The following packages will be upgraded:
tor tor-geoipdb
and so on...

Startup Firefox and browse to “https://www.torproject.org/torbutton/index.html.en” and click on Install Stable: Click to install from this website. Click on “Allow” and “Install Now”. You will see “Torbutton will be installed after you restart Firefox.” Click on “Restart Now”.
When you start Firefox you will see the Tor button with an “X” on it, “Toggle Tor for status”. Click on it and you are using Tor to surf the internet safely in a virtual Ubuntu environment.
You can verify that Tor button is installed by clicking on “Tools > Add-ons > Extensions”. You will see “Torbutton 1.4.2”.
If you want Tor enabled every time you start Firefox like I do “Right click on the Tor button > Select Preferences… > Click on the Security Settings tab > Click on the lower Startup tab > Click on the On browser startup, set Tor state to Tor”.
Net click on the “Shutdown” tab and check “Clear cookies during any browser shutdown”.
Now surf to https://check.torproject.org/?lang=en-US&small=1 and you will see a web page displaying, “Congratulations. Your browser is configured to use Tor. The web page will also display something like, “Your IP address appears to be: 78.31.70.182 or 199.48.147.40”. This tells you your IP address is masked and you are surfing through a Tor server relay.

Method 2 for running Firefox in Ubuntu without installing the packages:

Login to Ubuntu and “# mkdir Tor”.
Surf to the download page at Tor and click on “Linux, BSD, & UNIX” button and download either the 32bit or 64bit version to the Tor directory… depending on your hardware.
Directions for installation from Tor, “Download the architecture-appropriate file above, save it somewhere, then open a terminal window and do the following:
”$ cd Tor”; “$ tar -xvzf tor-browser-gnu-linux-i686-2.2.32-2-dev-LANG.tar.gz or tor-browser-gnu-linux-x86_64-2.2.32-2-dev-LANG.tar.gz” (where LANG is the language listed in the filename).
“$ cd tor-browser_en-US”; “$ mv * ..”; “$ mv .* ..”; “$ cd ..”; “$ rmdir tor-browser_en-US”.
Either open a terminal window and “$ cd Tor” or double click on the directory, then execute the ./start-tor-browser script. This will launch Vidalia and connect to Tor, it will also launch Firefox. Do not unpack or run TBB as root.
You should see “Connected to the Tor network!” dialog box pop up and later Firefox will run and display the web page, “Congratulations. Your browser is configured to use Tor.” The web page will also display something like, “Your IP address appears to be: 78.31.70.x or 199.48.147.40”. This tells you your IP address is masked.
Check you real PC IP address in windows by clicking on “Start > Run > cmd > and typing ifconfig” and compare that IP to the virtual IP displayed on the Tor web page. The ifconfig command should display an IP like 192.168.1.x which is vastly different than the Tor address of 78.31.70.182.
In Firefox click on “Tools > Add-ons > Extensions” and you will see “Torbutton 1.4.1, Torbutton will be updated after your restart Aurora.” Click on “Restart now” and the Congratulations page will reappear. Click on “Tools > Add-ons > Extensions” again you should see Torbutton 1.4.2.
You will also see funny looking icon on the upper right side of Firefox that looks like a green acorn. When you move the cursor over this icon it should say “Tor enabled”.
One problem with this installation is the next time Ubuntu is started and you run Firefox you will not see the Tor button. You have to run the script again to use Tor.

I did not add the the third option using the development branch of Tor because we are not here to help diagnose problems with the Tor network. But you can if you want. Go to bottom of blog entry to read about installing HTTPS Everywhere.

How to install and setup Tor in Fedora 15 for surfing the internet securely

Some of the following is taken from the Tor web site at https://www.torproject.org/docs/rpms.html.en

Do not use the packages in the native repositories. They are frequently out of date. That means you'll be missing stability and security fixes.

I first apply all the latest updates like I did in Ubuntu by typing (# yum update). If run without any packages, update will update every currently installed packages. If for some reason a package does not apply use the GUI and uncheck that package. I always have problems applying kernel-PAE-2.6.38.6-26.rc1.fc15_2.6.40.3-0.fc15.i686.drpm because VMware Player does not allocate enough space the / (root) partition. I keep hoping VMware will fix this problem but it has existed since I have been using Fedora in VMware.

Transaction Check Error: unknown error 13191497 encountered while manipulating package kernel-PAE-2.6.40.3-0.fc15.i686. The following screen shot shows how to get the updates applied using the GUI:

Make sure the Firefox browser is updated to the latest version by clicking on “Help > About Firefox”.

Running the Tor client on Linux/BSD/Unix

Note that these are the installation instructions for running a Tor client. The easiest way to do this is to simply download the and install the latest Tor Browser Bundle.

Step One: Download and Install Tor

The latest release of Tor can be found on the download page. Tor has packages for Debian, Red Hat, Gentoo, *BSD, etc. there too. If you're using Ubuntu, follow my directions above to use Tor’s deb repository. Similarly, CentOS / Fedora / OpenSUSE users should use Tor’s rpm repository instead.

If you're building from source (not recommended by the captain), first install libevent, and make sure you have openssl and zlib (including the -devel packages if applicable). Then run:

# tar xzf tor-0.2.2.32.tar.gz; cd tor-0.2.2.32
#./configure && make

Now you can run tor as src/or/tor, or you can run make install (as root if necessary) to install it into /usr/local/, and then you can start it just by running tor. I did not try this.

Tor comes configured as a client by default. It uses a built-in default configuration file, and most people won't need to change any of the settings.

To install Tor from a package repository (recommended by the captain):

You'll need to set up our package repository before you can fetch Tor. Using yum in Fedora, in /etc/yum.repos.d/, create a file called torproject.repo. Edit this file with the following information:

[torproject]
name=Tor and Vidalia
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/DISTRIBUTION/
type=rpm-md
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org

If you wish to track the stable releases of Tor, you should substitute DISTRIBUTION with one of the following: centos4, centos5, fc13, fc14, suse

To track experimental releases, substitute DISTRIBUTION with one of these: centos4-experimental, centos5-experimental, fc13-experimental, fc14-experimental, suse-experimental

# yum install tor

Running Transaction
Installing : fedora-usermgmt-default-fedora-setup-0.11-1406.fc15.noarch         1/7
Installing : fedora-usermgmt-core-0.11-1406.fc15.noarch                               2/7
Installing : fedora-usermgmt-shadow-utils-0.11-1406.fc15.noarch                    3/7
Installing : fedora-usermgmt-0.11-1406.fc15.noarch                                      4/7
Installing : tor-systemd-0.2.1.30-1501.fc15.noarch                                       5/7
Installing : tor-core-0.2.1.30-1501.fc15.i686                                                6/7
Installing : tor-0.2.1.30-1501.fc15.i686                                                       7/7

Installed:
tor.i686 0:0.2.1.30-1501.fc15

Dependency Installed:
fedora-usermgmt.noarch 0:0.11-1406.fc15
fedora-usermgmt-core.noarch 0:0.11-1406.fc15
fedora-usermgmt-default-fedora-setup.noarch 0:0.11-1406.fc15
fedora-usermgmt-shadow-utils.noarch 0:0.11-1406.fc15
tor-core.i686 0:0.2.1.30-1501.fc15
tor-systemd.noarch 0:0.2.1.30-1501.fc15

Complete!

Although this looks like it will work it did not completely get everything working. For example, you will probably also want Vidalia Control Panel for Tor, especially if you want to setup Tor as a Relay. This the Tor GUI configuration tool.

# yum install vidalia

To start Tor manually:

# service tor start

If you want the Tor service to start automatically like I do:

# chkconfig tor on

I had a few problems getting the “Tor” service to start automatically, (# chkconfig -–level 5 tor) did not start Tor at run level 5. You can check to see if Tor is running after a reboot by using:

# system-config-services or serviceconf

Using (# chkconfig –-list) will only show SysV services only.

Now that Tor is installed, running and set to start automatically. Move on to step two of the "Tor on Linux/Unix" instructions.

Tor had this footnote on their web site which did not apply to my installation: The DNS name deb.torproject.org is actually a set of independent servers in a DNS round-robin configuration. If for some reason you cannot use it, you might be able to access one of the individual servers instead. Try deb-master.torproject.org, mirror.netcologne.de or tor.mirror.youam.de.

Step Two: Configure your applications to use Tor

After installing Tor, you need to configure your applications to use them. The first step is to set up web browsing.

You should use Tor with Firefox and Torbutton, for best safety. Simply install the Torbutton plugin, restart your Firefox, and you're all set. You will see Install Stable: click to install from this web site. Firefox will prompt you and click on “Allow > Install Now > Restart Now”. Next right click on the Torbutton select “Preferences > Security Settings tab > Startup > check the On browser startup, set Tor state to: Tor. The Click on the Shutdown tab and select “Clear cookies during any browser shutdown”.

Browse to https://check.torproject.org/ to check that everything is running.

If you plan to run Firefox on a different computer than Tor, see the FAQ entry for running Tor on a different computer.

To Torify other applications that support SOCKS proxies, just point them at Tor's SOCKS port (127.0.0.1 port 9050). See this FAQ entry for why this may be dangerous. For applications that support neither SOCKS nor HTTP, take a look at torsocks or socat.

For information on how to Torify other applications, check out the Torify HOWTO.

Install HTTPS Everwhere:

To install HTTPS Everywhere simply browse to “https://www.eff.org/https-everywhere” and click on “Click here” to install the latest 1.0.1 version. Once installed you should see “HTTPS-Everywhere 1.0.1” when you click on “Tools > Add-ons > Extensions”.

With these simple steps you have now taken some huge steps in protecting your home PC from attack while doing all your questionable internet search activity. By “questionable” I mean doing research on whatever you are looking into using the search engines like way I do to find things like the latest and greatest information on computer hardware. I click on many links that I have no idea where I am going. It also keeps criminals, search engines, governments, etc. from tracking internet activity! It is not foolproof but with these simple steps you are doing more that 99% of the users out there. Who are criminals going to target… you or the other easy 99%?

Stay safe my friend.

Dropbox / Skydrive, or both? Fedora 15 is out! VMWare Player still at 3.14 as of 8/14/11…

2011-08-14T23:00:00.001-04:00

Work in progress…

I have not forgotten about this post. I am still planning to check out Dropbox for Linux. Unfortunately it is not on my certification test… that it my priority… see previous blog entry. Did check VMware… still at 3.14 as of August 14, 2011.

Fedora 15 went into VMware no problem except for the same kernel update problem because of too little disk space. See previous blog posts.

If any of you have Time and Chaos I developed a script to copy all the tilde ~ files to regular file name you can store on the Microsoft SkyDrive. It makes backing up your my contact, tasks, schedule information easy.

Dropbox.com - Sync up to 2GB FREE of your files online on all your computers, and smartphones simultaneously. Dropbox support Windows, Mac, iOS, Android BlackBerry, and more. May, 2011 PC World.

Skydrive.live.com – Microsoft Live Skydrive offers 25 GB Free online storage for sharing files FREE. It also attempts to integrate your documents, photos, videos and email. I use it across my windows systems which makes sharing a few important files between Desktop’s and Laptops easy.

Even though Dropbox.com only offers up 2GB free is does so with my Linux environments and someday my mobile devices. This could come in very handy when I am on the road with all these devices. So it is a project I will take on to get a closer look inside Dropbox.

Setting your PC’s hardware clock using a Linux Virtual Environment and Network Time Protocol (NTP) Server or Client, the fastest an most accurate way to set your computers software and hardware clocks.

2011-08-11T01:23:00.001-04:00

Have not posted a PC/Linux tip in a while so I figured I had better get something up on the blog. Been busy studying and getting the Linux+ certification. I should be done with that in the next few weeks so expect some good stuff coming on the blog. I have some really cool volunteer projects at the local universities working with those masters students that will benefit us all. One is setting up a bootable double encrypted USB drive for that Keypass traveling password file. And the other is setting up SSH to VPN into your secure (locked down) home network. I have blogged about how to lock down your home network in the past.

First off Unix time, or POSIX time, is a system for describing points in time: it is the number of seconds elapsed since midnight UTC on the morning of January 1, 1970, not counting leap seconds.

In my studies for the certification I had to learn about Network Time Protocol (NTP). So I decided to setup a NTP Linux server not really thinking about how this would aid me with the time drift on the hardware clocks on my home computers and my traveling laptop.

Taken from http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/NTP The Network Time Protocol (NTP) allows the computer to synchronize the clock to that of an external authoritative time source and provide the accurate time to clients on the local network. Fedora provides this functionality through the ntpd server. The ntpd daemon and associated utilities are provided by the ntp rpm package. My old solution to resetting the clock on my home PC’s was to go to:

http://www.time.gov

look at the current time… and then manually type it in using the GUI, trying to hit the seconds correctly. I do this every few months. I also have one PC that eats motherboard batteries like candy and being lazy I have to set the clock every time I boot it… until it annoys me so much I take it apart and replace the battery on the motherboard. Some of my Linux environments are virtual using VMware Player so I was not even sure I could set the hardware clock using them. Turns out I/you can so read on.

My first dilemma was the timezone was wrong in most of my new Linux environments. The default 3.14 VMware install is with Los Angles as the timezone default. So I needed to change that. You can do this easily using the GNOME or KDE GUI but usually a server is not running a GUI interface. So an admin will need to set it from the command line. The first thing I found is there is a bunch of documentation out there (and in my books) about setting a symbolic link from /etc/localtime to the timezone you want. I recommend against this. The /etc/localtime is a binary file probably copied by the tools the various distributions provide from /usr/share/zoneinfo. Having been a UNIX administrator I have worked in too many shops making liberal use of symbolic links. Eventually it gets very confusing. Using the tools to set up the timezone as a binary file is a better solution… or just copying the file from /usr/share/zoneinfo in after backing up the current file. Test it first with a symbolic link.

In Ubuntu type the following:

# dpkg-reconfigure tzdata

or,

# tzconfig

Which sets the text file /etc/timezone and copies the binary configuration file from /usr/share/zoneinfo to /etc/localtime. The /etc/timezone is used by Debian and its derivatives.

In Fedora for the X-Windows interface type:

# system-config-date

In Red Hat on the internet it said to type the following:

# redhat-config-date

It sets the timezone in /etc/sysconfig/clock.

In Red Had and Fedora, if you just need to temporarily change the timezone to test an application type the following for the ASCII text interface type:

# tzselect

The tzselect program asks the user for information about the current location, and outputs the resulting timezone description to standard output. The output is suitable as a value for the TZ environment variable. For example, the program output, “You can make this change permanent for yourself by appending the line “TZ='America/Detroit'; export TZ” to the file '.profile' in your home directory; then log out and log in again.

Below is an example of a manual way to set the timezone:

# cat /usr/share/zoneinfo/Canada/Pacific > /etc/localtime

This overwrites/updates your /etc/localtime file. If you want to test it first create a symbolic link:

# mv /etc/localtime /etc/localtime.bk
# ln -s /usr/share/zoneinfo/Canada/Pacific /etc/localtime

and then change the /etc/sysconfig/clock in Fedora or the /etc/timezone in Ubuntu.

Now just type “date” and you should see that the timezone has been updated. Once you have the timezone set correctly it is time to update the date/time to an NTP server. Every flavor of Linux I have tested has some public servers already preconfigured. If you have the IP address of a close public NTP server you don’t have to setup a NTP server to update your system clock. For example, type the following command three times to set the software clock:

# ntpdate -u 128.233.154.245

And then update the hardware clock using the following:

# hwclock [options], or hwclock –systohc

# hwclock --systohc
# date
Wed Aug 10 16:01:17 EDT 2011

Set the hardware clock based on the software clock by using the –-systohc option. Set the software clock based on the hardware clock by using the –-hctosys option.

You can set the software clock manually using the following syntax:

# date [-u|-—utc|-—universal] [MMDDhhmm[[CC]YY][.ss]]

Installing a NTP server

If you are like me I have no NTP server on my home network, I could not find a NTP server address from my ISP, so I setup a NTP server to see what NTP would recommend as the best IP to use to set the time on my computer. In Fedora, to find out weather the "NTP" is present in the system or not, the following will display the full name of the package if installed and then install the package if it is not already installed:

# rpm -qa ntp
# yum install ntp-doc To install the NTP documentation
# yum install ntp To install the package, if already installed you will see:
Package ntp-4.2.6p3-4.fc15.i686 already installed and latest version
Nothing to do

To install NTP in Ubuntu and Debian:

# apt-get install ntp
# apt-get install ntp-doc

Configuring and setting up a initial NTP Server

Some of the following is taken from:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch24_:_The_NTP_Server

with my own needs inserted. To get the nearest address of an NTP server we have to start the server, wait a few minutes and see what it picks as our best NTP public server.

# service ntpd start
Starting ntpd (via systemctl): [ OK ]

To test whether the NTP process is running use the command:

# pgrep ntpd
602

You should get a response of plain old process ID numbers. One problem you may encounter is if the time on the local server is very different from that of its primary time server your NTP daemon will eventually terminate itself leaving an error message in the /var/log/messages file. Because we are looking for the IP you will have to set the time manually by going to http://www.time.gov and try again. If you know the IP then you can run the ntpdate -u command to force your server to become instantly synchronized with its NTP servers before starting the NTP daemon for the first time. The ntpdate command doesn't run continuously in the background, you will still have to run the ntpd daemon to get continuous NTP updates.

Taken from “Linux+ Complete Study Guide written by Roderick W. Smith”:

The server to which you are synchronized (a.k.a. has the best connection time is denoted by an asterizk (*), other servers with good times are indicated by plus signs (+), and most other symbols (such as x and –) denote servers that have been discarded from consideration for various reasons. You can obtain a server list by passing the –p to ntpq –p, without entering interactive mode.

# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*mirror 128.233.154.245 2 u 1 64 1 51.250 -12.376 0.269
conquest.kjsl.c 69.36.224.15 2 u - 64 1 72.761 -1.436 2.505
i4.fwwds.com 24.56.178.140 2 u 1 64 1 49.595 7.041 0.416
name3.glorb.com 198.60.22.240 2 u - 64 1 72.486 2.936 0.366

Once you have the best server denoted by (* –> 128.233.154.245) write down the IP address and then manually sync your time to that server. The ntpdate command should be run three times to synchronize your host’s software clock to the NTP server time, but it must be run while the ntpd process is stopped. So you'll have to stop ntpd, run ntpdate and then start ntpd again.

[root@localhost etc]# service ntpd stop
Stopping ntpd (via systemctl): [ OK ]

# ntpdate -u 128.233.154.245
10 Aug 15:59:48 ntpdate[2132]: adjust time server 128.233.154.245 offset 0.006014 sec
# ntpdate -u 128.233.154.245
10 Aug 16:00:00 ntpdate[2133]: adjust time server 128.233.154.245 offset -0.000184 sec
# ntpdate -u 128.233.154.245
10 Aug 16:00:09 ntpdate[2134]: adjust time server 128.233.154.245 offset 0.000183 sec

Or if getting the time correct to nearest microsecond is not important using the BEST server you could just update it to the NTP pool using:

# ntpdate -b pool.ntp.org
14 Aug 03:27:43 ntpdate[4739]: step time server 68.0.14.76 offset -0.044081 sec

Taken from http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/NTP Admonition("Note","pool.ntp.org is the project that manages a cluster of publicly available time servers across the world. Its clever DNS round-robin setup greatly reduces the load on individual time servers and aids in reducing the bandwidth cost for the operators and users by utilizing pgeodns data. It is likely that the response to the ntpdate command above will come from the geographically close time server.")

# service ntpd start
Starting ntpd (via systemctl): [ OK ]

So for a brief review:

/usr/share/zoneinfo directory contains multiple subdirectories and files that are used for selecting the time zone for most Linux computers.

/etc/localtime is used to store the time zone that is selected for the Linux computer.

/etc/timezone is a secondary file in Debian Linux that is used to store text-mode zone data.

/etc/sysconfig/clock file is a secondary file in Fedora Linux that is used to store text-mode zone data.

Setting up NTP to start at boot

The -–add option adds a new service for management by chkconfig. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel. If any runlevel is missing such an entry, chkconfig creates the appropriate entry as specified by the default values in the init script. I don’t believe it was necessary to add the NTPD service in Fedora but I list it here in case other flavors of Linux may need this step.

# chkconfig -–add ntpd

I wanted the ntpd service in Fedora to only be started at levels 3 and 5.

# chkconfig --level 345 ntpd off
Note: Forwarding request to 'systemctl disable ntpd.service'.
rm '/etc/systemd/system/multi-user.target.wants/ntpd.service'
# chkconfig --level 35 ntpd on
Note: Forwarding request to 'systemctl enable ntpd.service'.
ln -s '/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'

You can also use the following for the current run level:

# chkconfig ntpd on
Note: Forwarding request to 'systemctl enable ntpd.service'.

The “ntsysv” is another utility for configuring services to start and stop. But in Fedora it does not list “ntpd” as a configurable service. To be honest, I have more to learn about the Linux startup process. I put print statements in the /etc/rc.d/init.d/ntpd startup file and the script was not even called during startup. This is very different than the UNIX systems I am used to. Linux is beginning to look like Windows starting programs from hidden places. Once again if/when I figure this out I will update the blog.

NTP without Automatic update via crontab

But suppose you don’t want a daemon running the background consuming valuable system resources like on a laptop. There is much documentation online about using the ntpdate command but on the man page for “ntpdate” it says the following:

Disclaimer: The functionality of this program is now available in the ntpd program. See the -q command line option in the ntpd - Network Time Protocol (NTP) daemon page. After a suitable period of mourning, the ntpdate program is to be retired from this distribution.

When you read the “ntpd” man page it says the following: With the -q option ntpd operates as in continuous mode, but exits just after setting the clock for the first time with the configured servers. So I performed the following experiment to understand what this meant:

[root@localhost etc]# date -u 08142004
Sun Aug 14 20:04:00 UTC 2011
[root@localhost etc]# date
Sun Aug 14 16:04:03 EDT 2011
[root@localhost etc]# ntpd -4 -q
[root@localhost etc]# date
Sun Aug 14 16:05:28 EDT 2011
[root@localhost etc]# /usr/sbin/ntpdate -4 -b pool.ntp.org
14 Aug 21:14:00 ntpdate[3421]: step time server 64.113.32.10 offset 18342.096682 sec
[root@localhost etc]# /usr/sbin/ntpdate -4 -b pool.ntp.org
14 Aug 21:14:16 ntpdate[3424]: step time server 64.113.32.10 offset 0.000402 sec
[root@localhost etc]# date
Sun Aug 14 21:14:24 EDT 2011

Try as I might I could not get “ntpd” to set the time using the –q option. If I discover how to do so I will update this blog entry. My guess is as the description implies it will only sync the first time it is run… or within a certain error factor which I don’t know how to override. So I used the following crontab to update the system’s time using “ntpdate”:

# -4     Force DNS resolution of following host names on the command
#         line to the IPv4 namespace.
# -b     Force the time to be stepped using the settimeofday() system
#         call, rather than slewed (default) using the adjtime() system
#         call. This option should be used when called from a startup
#         file at boot time. Update /etc/logrotate.conf to rotate the log.
00 12 * * * /usr/sbin/ntpdate -4 -b pool.ntp.org 2>&1 >> /var/log/ntp.log

# Copy the software time to the hardware clock:
15 12 * * * /sbin/hwclock --systohc 2>&1 >> /var/log/ntp.log

We can never configure a log file and leave it unattended. The “logrotate” utility is excellent for taking care of this administration function. There is a good article at http://www.thegeekstuff.com/2010/07/logrotate-examples/.

# cp –p /etc/logrotate.conf /etc/logrotate.conf.orig

Add the following to the /etc/logrotate.conf:

# system-specific logs may be also be configured here.
# Rotate the Network Time Daemon log file.
/var/log/ntp.log {
    weekly
    copytruncate
    notifempty
    missingok
    size 100k
    rotate 9
}

Then test your changes:

[root@localhost etc]# logrotate -s /tmp/logrotate.out /etc/logrotate.conf
[root@localhost etc]# cat /tmp/logrotate.out
logrotate state -- version 2
"/var/log/yum.log" 2011-8-14
"/var/log/boot.log" 2011-8-14
"/var/log/sssd/*.log" 2011-8-14
"/var/log/dracut.log" 2011-8-14
"/var/log/wtmp" 2011-8-14
"/var/log/spooler" 2011-8-14
"/var/log/btmp" 2011-8-14
"/var/log/maillog" 2011-8-14
"/var/log/ntp.log" 2011-8-14
"/var/log/wpa_supplicant.log" 2011-8-14
"/var/log/secure" 2011-8-14
"/var/log/ppp/connect-errors" 2011-8-14
"/var/log/messages" 2011-8-14
"/var/log/cron" 2011-8-14
"/var/account/pacct" 2011-8-14

Logger makes entries in the system log. Add the following script if it does not already exist:

$ cat /etc/cron.daily/logrotate
#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

NTP Troubleshooting and Logging

I was getting some errors messages logged by “ntpd” in /var/log/messages. So to break them out and make sure the server was doing what it was supposed to be doing I modified the /etc/ntp.conf file.

cd /etc
# cp -p ntp.conf ntp.conf.orig

By default “ntpd” will log all messages to the /var/log/messages file. So if you are having problems with NTP you might want to have your NTP messages consolidated in a separate file rather than sift through /var/log/messages. Add the following to the /etc/ntp.conf file:

# Specify the location of an alternate log file to be used instead of the default system syslog(3) facility.
logfile /var/log/ntp.log

There are many other options and a good read on them can be found at:

http://www.gsp.com/cgi-bin/man.cgi?section=5&topic=ntp.conf.

NOTE: I can’t vouch for if this site is safe or not. Surf to it in an expendable virtual environment. For example, the following also might be useful from the site:

statsdir directory_path
Indicates the full path of a directory where statistics files should be created (see below). This keyword allows the (otherwise constant) filegen filename prefix to be modified for file generation sets, which is useful for handling statistics logs.

After “ntpd” is running you can look at information using the “ntpq” interactive command. To see what these variables entail look at file:///usr/share/doc/ntp-4.2.6p3/html/ntpq.html#pe or http://doc.ntp.org/.

ntpq> rv
associd=0 status=0613 leap_none, sync_ntp, 1 event, spike_detect,
version="ntpd 4.2.6p3@1.2290-o Fri May 6 16:27:05 UTC 2011 (1)",
processor="i686", system="Linux/2.6.38.6-26.rc1.fc15.i686.PAE", leap=00,
stratum=3, precision=-19, rootdelay=80.783, rootdisp=1070.755,
refid=67.18.187.111,
reftime=d1f2d82b.07d5b3fa Sun, Aug 14 2011 19:26:35.030,
clock=d1f2d8d1.dc787018 Sun, Aug 14 2011 19:29:21.861, peer=13214, tc=8,
mintc=3, offset=6.612, frequency=-45.820, sys_jitter=4.852,
clk_jitter=14.962, clk_wander=2.744

ntpq> peers
     remote           refid      st t when poll reach   delay   offset jitter
==============================================================================
+cheezum.mattnor 208.66.175.36    2 u 193 256    1   72.987    0.320   2.464
-w1-wdc.ipv4.got 10.0.77.54       4 u   64 256    7   35.891    2.098   0.519
+mail.freerip.co 67.18.187.111    3 u   69 256    7 113.455    1.004   4.690
*199.4.29.166    64.90.182.55     2 u 133 256    3   40.712    5.705   0.401

ntpq> associations

ind assid status conf reach auth condition last_event cnt
===========================================================
1 13214 945a   yes   yes none candidate    sys_peer 5
2 13215 9314   yes   yes none   outlyer   reachable 1
3 13216 9414   yes   yes none candidate   reachable 1
4 13217 963a   yes   yes none sys.peer    sys_peer 3

ntpq> pstatus 13214
associd=13214 status=945a conf, reach, sel_candidate, 5 events, sys_peer,
srcadr=cheezum.mattnordhoff.net, srcport=123, dstadr=192.168.26.134,
dstport=123, leap=00, stratum=2, precision=-20, rootdelay=28.717,
rootdisp=16.663, refid=208.66.175.36,
reftime=d1f2dcf5.995ffb09 Sun, Aug 14 2011 19:47:01.599,
rec=d1f2dd22.32f8895b Sun, Aug 14 2011 19:47:46.199, reach=007,
unreach=0, hmode=3, pmode=4, hpoll=8, ppoll=8, headway=0, flash=00 ok,
keyid=0, offset=0.320, delay=72.987, dispersion=5.957, jitter=2.298,
xleave=0.164,
filtdelay=    73.94   73.29   77.64   78.72   77.99   78.59   78.57   72.99,
filtoffset=    2.84    0.84    2.35    2.69    2.82    2.84    3.15    0.32,
filtdisp=      0.00    4.08    7.82    7.85    7.88    7.91    7.94    7.97

Updating you Linux Virtual Environments in VMware Player 3.1.4

2011-07-05T21:21:00.001-04:00

The last release date of VMware Player was 03/29/2011. This update fixed some problems in 3.1.3 and most of all allowed for the smooth installation for Fedora which was not possible in 3.1.3. Since then all the flavors of Linux I use have marched on and I needed to update all my Linux virtual environments.

The first thing I realized was I have never updated my Web Site will all the latest and greatest Linux links. I have started rectifying that and you can go to:

http://users.wowway.com/~captainkirk/computers/UnixLinuxLinks.htm

To download everything you need to run all the greatest/latest Linux flavors which I recommend you do.

Linux Mint currently at version 11 installed with no problems. You have to tell VMware that it is based on Ubuntu which is based on Debian. Once installed I had to manually update the VMware Tools. VMware documents how to do this online and I have blogged about this in the past. Once installed I applied all the latest updates using a combination of the GUI tool “Menu > Administration > Update Manager > Install Updates.” Or do it my way and open a root terminal window and type:

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

Ubuntu 11.04 Desktop installed no problem and all updates went on in the same method as above. I believe the VMware Tools installed automatically.

Fedora installed no problem. All but three of the updates installed no problem. It sill have a problem applying the kernel update which will have to be omitted to get the other updates to apply. Two other updates had to be applied in pieces but eventually installed. I had to use the GUI because of the disk problem with the kernel-PAE update. VMware tools installed automatically. In the next version of VMware Player we could just do the following:

# yum update

openSUSE I did a while back. I don’t remember any problems installing it or applying the updates. Using the GUI proved to be the easiest method to get all the package updates.

Once done don’t forget to remove all your old Linux environments. Always select “Delect VM from Disk” and then run CCleaner to purge everything from the Recycle bin and as general system maintenance.

I will get to looking at using DropBox in Linux (the previous blog entry) soon.

Dropbox / Skydrive, or both? Fedora 15 is out! VMWare Player still at 3.14…

2011-06-17T16:34:00.001-04:00

Work in progress…

In updating VMware to Fedora 15 I encountered the following problems. First the install hung… after clicking on the the VMware window and typing “CTRL-ALT-DEL” I was able to get the install to continue. I then did my usual to download all the latest updates and encountered the same problem I had in Fedora 14. The kernel update would not install because the root partition was too small. To install all the other updates go into the updates and deselect kernel update “kernel-PAE-2.6.38.8-32.fc15 (i686)”. All the other updates will apply just fine.

My next step is to check out Dropbox.com in Fedora 15 so stay tuned. I checked out VMWare Player to see if a new version was out to support Fedora 15 and it is still at 3.14… Dropbox support Windows, Mac, iOS, Android BlackBerry, and more. May, 2011 PC World.

The new open source alternative to Facebook… could this be the end of Facebook?

2011-06-03T23:08:00.001-04:00

I have been hesitant to open up a Facebook account after all the stories about how little regard they have for privacy. If you follow the PC magazines, and the media it seems like one Facebook horror story after another. Facebook is in the news constantly. In the face (get the pun) of all this bad media employment agencies everywhere encourage the unemployed (myself) to open up a Facebook account to network. So far I have not done so. I value my privacy… hence all my blog entries about computer security.

Now there is an open source alternative to Facebook that you can control at home. According to PC World, “Diaspora is open-source software that duplicates the functions of a social network like Facebook while ensuring that users retain full control and ownership of everything they share on the network; instead of first uploading photos to Facebook and then choosing who gets to see them, Diaspora users can simply share photos directly with each other, without having to go through a corporate middleman or having to agree to a company’s not-so-strong privacy policy.”

The idea is that people everywhere can set up or use diaspora servers everywhere to share as much or as little they want, even if everyone is on different pods. As PC World puts it, “Diaspora is like an entire archipelago, a chain of private islands linked with bridges built and controlled by the users.

Diaspora can be found at https://joindiaspora.com. This project is still in its Alpha stages and I don’t have time for it now… but I will give this a closer look after I rebuild my SSH server to Ubuntu 11.04. A project I have to work in while working on my Linux+ certification studies which comes first.

Soon to come on “TheCaptainsLatest:”

I will show you how to build a home Ubuntu 11.04 Linux SSH server in your home secure network. One that you can connect to from anywhere in world and surf the internet securely via your laptop through a SSH tunnel.
I will show you how to set up a USB drive to boot from Ubuntu 11.04 and use a Keepass encrypted password file in a Truecrypt USB partition yielding double encryption of your valuable password file… a file you need around the world. If you lost the USB drive it will take some work to get at your password file.
My last project is when Diaspora becomes more developed to setup a Diaspora server and use it to share my social network data while looking for a job. I like the idea of being in an interview and being asked, “What is your Facebook account?” My answer, “I don’t like Facebook so I set up my own Facebook server so I can control the privacy on my Facebook account. You can look at it at…” Got to love that!

So when friends, family, relatives can social network on a private server of someone they know and trust… could this be the end of corporate exploitation of that type of data? Maybe… one can only hope.

We shall see…

magicJack as a home phone is a bust… it might work for you but read this before wasting your valuable time.

2011-05-19T00:22:00.001-04:00

We have all seen the advertisements on TV. For only $20 a year magicJack will give us a land line… the actual cost of year one is $40.00… and then $20 there after. I am in the process of switching/researching cell phone plans and decided to give magicJack a chance to solve my minute usage problems with my cell phone company. I hoping to have tons of phone interviews with companies seeking my talents soon… and my wife is now working from home. I need a land line for her to use to send faxes, have long conference calls, wear a headset, etc. So I gave magicJack a chance.

Buying the magicJack is just the first step in what could become a very long an involved process. Once you insert the magicJack in your USB port on your home computer the windows autorun menu will appear (if you have not disabled that like I have… if you have just use windows explorer to surf to you K: or whatever drive and run the software manually). The software installed and had me go online to register, create a phone number and setup an account. This was fairly time consuming because of all the options available which is a good thing. For example, you can use an existing phone number if you want which I considered. But after some thought, if people call that number to reach my wife during the day and it rings my cell phone… well you see the problem.

The second problem I ran into was I could not call the magicJack phone number from my Verizon cell phone. However, my father from his cell phone and home line had no problem. At the advice of magicJack I went to Verizon and reported the problem. I never got a response back from Verizon.

A few details you might want to consider about magicJack are:

The call quality was unusable for my wife. She could not hear her mother and there was an echo when talking to a work mate. It worked OK for me talking to my dad and calling our personal cell phones.
The software can only be installed on a computer in Windows and Mac OS. I use Linux so this is a drawback.
The phone will only work while the computer is on. I tried connecting magicJack to my router… no luck.
The software, in my experience, will not install in the “All Users” area in Windows. So it has to be setup individually for every user on the computer.
The software does not load itself into the users “Startup” area. I like this, but my wife will not remember to start the software so the phone will work. There should be an option that says “start automatically” offered when installing the program. Windows 7 hides the automatic start area so it took some web surfing to figure out where to copy the shortcut to get it to automatically startup which did not work. For your benefit magicJack is at C:\Users\admin\AppData\Roaming\mjusbsp. and to start it up put a shortcut at C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup which did not work for me. When started automatically magicJack could not connect. Starting it manually worked just fine.
After getting everything working on my test computer I wanted to move the magicJack to another older computer. It was very confusing and I ended up setting up a trial account that I could not delete with a 30 day new phone number. To fix the problem you unplug the magicJack for 15 seconds and then autorun the software to get it connected to the correct phone number and account.
After rebooting the wife’s magicJack’ed computer it would not connect. I had to unplug the magicJack from the USB port… hit the autorun again and everything was OK. I rebooted again and tried it again with the same result.
The voice quality was OK for me. MagicJack worked fine with an old worthless phone. It did not work at all on my 900 MHz phone but did fine on my 2.4GHz phone.

Because of the limitations I returned the product to Walmart. After returning the magicJack I logged in to change/delete my information and it was not possible. I then contacted the company technical support to delete my account and/or change my personal information. They were unable to do this. For this reason alone I recommend against magicJack as an option for anyone. It appears magicJack wants to retain you personal information regardless of what you do with their product which is not safe.

Passwords are still the weak link in securing information… and still the default method of authentication.

2011-05-09T00:55:00.001-04:00

In the PC World October 13, 2010 article http://www.pcworld.com/businesscenter/article/207718/surprise_passwords_are_still_weak_link_in_security_chain.html it points out that passwords are still the weak link in the security chain. One would think that is the days of laptops with fingerprint scanners that username and password authentication would be becoming obsolete. But according to the article the username and password are still the default method of accessing secure accounts and information. The Webroot survey found that users continue to follow poor password practices. From the article the survey also found:

· 4 in 10 respondents shared passwords with at least one person in the past year.

· Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised.

· Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords.

· 2 in 10 have used a significant date, such as a birth date, or a pet's name as a password--information that's often publicly visible on social networks. 86 percent do not check for a secure connection when accessing sensitive information when using unfamiliar computers.

· 14 percent never change their banking password.

· 20 percent have used a significant date in a password.

· And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer… where someone in the nighttime cleaning crew can easily get at them.

Not too long ago I had to help someone get logged into to their work applications. I was helping them get set up to telecommute and work from home. To set them up I had to log in with their work password, which was promptly changed while they watched everything I did. I was shocked at the simplicity of the password. The person I was helping works in the health care industry entering personal information from patients every day. Any password cracking tool like Cain & Able at http://www.oxid.it/cain.html would have cracked the original password in less than 15 seconds.

If you are not familiar with it “Cain and Able” is a brute-force password cracking program for Microsoft Windows. It goes through every possible combination of legal characters in sequence to crack a password. It has other capabilities built in to aid administrators in securing their users network password files and other authentication mechanisms.

Given the simplicity of the password it indicated a total lack regard for information security in this example of health care industry business. The IT administrators were clearly not checking the network passwords their users are entering. If they had they would have long since identified this hole in their security and corrected it. The scariest part to this story is that thousands of people’s personal information housed in this business databases are at risk. If that information is hacked and it is discovered it will cost them untold millions… Much more than they are paying the contracted IT administrators that work on all facets of their computer systems.

The craziest part of this story is how easy it is for a business like this to help their employees choose strong passwords. It is as simple as telling their employees to go to the web site https://www.microsoft.com/security/pc-security/password-checker.aspx and test the strength of their password when they are required to change it. Or a business could provide a tool like “KeePass Password Safe http://keepass.info/” to enable their employees to generate their network password keeping the less secure encrypted password database on their home/business computer. They could even use a free web site password generator like http://www.pctools.com/guides/password/ to generate secure passwords.

Businesses need to someday realize that their IT department is not an expense to be outsourced, but an integral part of the core business to be invested in. Their data must be protected by experienced trained professionals and not contracted out to the lowest bidder.

Quicken Home Inventory will not run in Windows 7 64 Bit Operating System but worked find in a VMWare Player XP virtual environment

2011-05-05T03:35:00.001-04:00

My Masters program has me putting together an inventory of assets at a business to do a risk assessment. I thought to use Quicken Home Inventory 2009 for the job but it will not run under a 64-bit Window Operating System. I tested in under my VMWare virtual Windows XP installation and it ran just fine. The lack of support for a 64-bit Operating System indicates to me Quicken may abandon this product. I put in an inquiry with them and will let you know what I find out. For now I plan to use Microsoft Access to gather the information. It seems a better solution than Excel because the different categories of objects have different attributes which I may want to capture. Plus I will have binary objects like pictures to store in the database. I have not used Access in a few years so this may yield yet another blog entry as I play with the tool.

Have a laptop to backup your laptop for $99 or less, buy a second hard drive and make it a close duplicate of your original hard drive… but better by installing everything you will ever need.

2011-05-05T01:07:00.001-04:00

This blog entry came about because a friends laptop hard drive became corrupted and the technician they took their laptop to told them they needed a new laptop, which my friend ultimately purchased at great expense. My friend gave me their old hard drive to recover the data which I did no problem. After a simple scan of the perfectly good drive I told them it was fine. My friend donated the drive to “TheCaptainsLatest” in return for their data so I decided to make a project out of it to benefit everyone with.

Quite often I hear people crying about how they lost their laptop and had to buy a new one. Most of the time it is just a hardware drive failure/virus/spyware/application problem that can be easily repaired. The laptop users decide this problem is a signal to buy a new laptop. This might be true if your laptop is over 5 years old, or if you bought a cheap laptop with minimal hardware to begin with. Rules of thumb to buy a new laptop are:

Has less than 4 GB of RAM and cannot be upgraded.
Does not support Ethernet 1000MB connections, only 10/100.
Does not support a minimum of Wireless 802.11a/b/g/n
Allow hard drives of at least 500 GB. Although you should call the manufacturer on this one. My laptop only showed support for up to 500 GB (5400 rpm) but I had no problem installing a 500 GB (7200 rpm) drive.
Does not support USB 2.0 or above.

Most of the laptops I hear about are not all that old and are still nice pieces of hardware (DONATE THEM TO THECAPTAINSLATEST!). Buying a new laptop is a huge waste of money. If you go to http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&IsNodeId=1&Description=seagate%20momentus&bop=And&Pagesize=50 you find any number of Seagate Momentus drive models to choose from to replace your current hard drive for less than $100.

Any number of computer professionals advise users to backup their data but how many tell people to backup their data offsite (somewhere other than your house)? Preferably far… far… away. The problem is as we use our computers/laptops and we learn things our laptops/computers become very personalized. As we add applications/shortcuts/configure things/customize everything/etc. our laptop becomes and extension of ourselves. All our latest homework assignments, our tweaks, our shortcuts, our projects, our taskbar items, etc. are all there when we need them. Everything becomes quick and easy.

Being able to bring up a presentation with a click of the mouse is not possible on a NEW laptop. All that stuff will have to be setup the way we had it to look professional in a meeting doing a demonstration, or something else we take our laptops for granted for. So in addition to a data backup we need a laptop backup. If you stand to lose $50,000 if you don’t win a contract with a presentation tomorrow you cannot afford to risk everything on a simple hard disk crash or a virus/spyware infestation. You can’t just go out and buy a new laptop. If you want to try it be my guest but I bet you will run into problems getting everything back the way you had it.

What I advise is that in addition to holding your USB data backup in a safety deposit box you should also hold a duplicate laptop hard drive in the safety deposit box also. You can do this easily by cloning your current hard drive with http://en.wikipedia.org/wiki/Clonezilla, http://clonezilla.org/downloads.php or pay somebody to clone it for you. The problem with a clone is we run the risk of bringing all the BAD garbage along with the good for the ride.

What I do is a new CLEAN laptop build by downloading and installing all the latest and greatest on the new hard drive until I have it just as functional (but better), than my old drive. Then I swap hard drives in the safety deposit box every so often to keep them both up-to-date with all the latest updates, configuration changes, software installs, etc. It is the same as having two fully functional computers in one laptop. If you don’t want to pay for a safety deposit box, keep the USB and hard drive at a distant relatives house and swap them on visits.

If you decide to do this buy the VERY BEST hard drive your laptop is capable of running. This, CPU and RAM are your most important pieces of hardware. The hard drive being the best bang for the buck. A lot of the following is taken from a previous blog entry about how to build a new laptop. I have updated it and tweaked it as everything keeps evolving.

How to swap the hard drive in your laptop:

With the battery out and power unplugged, turn your laptop over and look for a compartment with two or so screws about the size of 2 1/2 inch disk drive.
After unscrewing the screws, open up the compartment, ground yourself by touching something metal around you. If you have a built up static electric charge it will dispel in a spark.
The connector to the hard drive looks like two pieces but is in reality just one. Look at the back of the new hard drive to understand what I am talking about. The connector easily slides off. Be careful not to touch the pins on the back of the hard drive. The oil from you fingers is not good to spread on to sensitive computer connections. Latex gloves for this type of work is not a bad idea.
Label the old hard drive with the Windows 7 key from the bottom of your laptop that also describes what it is.
Just like on a desktop there are two side rails on the old hard drive that have to be moved to the new drive. Don’t do this right away if you will be swapping drives back and forth while building your new computer.
Connect all the cables including a Category 6e or 7 copper cable to your laptop and router’s, or cable modem’s RJ-45 port. Sometimes you cannot do this wireless and it is faster for downloads.
If your hard drive has a previous install on it go to http://www.minitool.ca/ and download the latest version of Partition Wizard to zero your hard drive. One of the greatest free tools for working on hard drives I have found.

Loading up the laptop’s new/backup hard drive with software:

Turn on the computer and insert the Windows 7 OS DVD. Don’t make the mistake of loading a 32-bit OS on a Laptop capable of running a 64-bit OS.
Install new operating system… self explanatory.
Download all system updates until Windows says there are no more updates… multiple reboots.
Download the latest vendor updates. Browse to the laptop manufacturer web site and download all the latest drivers and software. I was surprised at how many drivers and software there were at the vendors site that did not install via Windows Update. For example, the Web Cam Software, Audio driver, Graphic’s drivers, etc. There were 39 downloads to install. Stay organized for the files all have generic names. What I do is create a laptop directory “VendorLaptop,” under “VendorLaptop” I create subdirectories according to how the vendor presents the software for download (DriverAudio, DriverChipset, DriverGraphics, SoftwareMultimedia, SoftwareSecurity, etc.) As I download each update I rename it (e.g. sp0925HPSmartLiveTVSoftware, sp3456HPMediaSmartSmartMenu, etc.)… As I install each download I create a directory in the sub directory (e.g. sp0925Installed110521) so I will know where I am in the installation process. It is also handy to track the date the install took place, so that later if I need to look for updates I know whether there is more recent update/software at the vendor site.
Run “Windows Update” again because more hardware may have become visible. It is not a bad idea to do this a few times while applying the vendor updates.
If you don’t have Windows Office, or you will just be storing this disk as a backup like I am, then download and install either the Oracle’s free http://www.openoffice.org/ software; or if you don’t want to be a slave to Oracle then download and install the continued open source office version at http://www.libreoffice.org/. No reason to burn an Office license on a backup drive.
If you install LibreOffice go to the Desktop and delete the Installation files.
Optional: Install your Windows Office software. Run “Windows Update” to apply all the latest Office updates. Click on "Start > All Programs" and send your often used Office applications to the desktop to create shortcuts. Then drag them down to the TaskBar. If backup disk copy the installable Office files keys to your Downloads directory.
Open up Microsoft Word and Customize the Quick Access Toolbar. Click on the little down arrow in the upper left corner –> and start adding options. I added (Save As, New, Open, Open Recent File…, Print Preview and and Print, PasteMenu, Copy, Cut, and Find). Order them however you want. Do the same for Microsoft Excel, PowerPoint, etc.
Disable Windows service "Distributed Link Tracking Client," unless you plan to maintain links between NTFS files within a computer or across computers in a network, or use AVG Anti-Virus. Read about it at http://wiki.blackviper.com/wiki/Distributed_Link_Tracking_Client. "Start > Run... > type services.msc" scroll down to "Distributed..." > Right click and select "Properties." and change "Automatic" to "Disabled."
Disable Windows service "Network Access Protection (NAP) agent." Read about it at http://wiki.blackviper.com/wiki/Network_Access_Protection_Agent.
If your laptop is capable of imaging LightScribe CD’s and DVD’s http://www.lightscribe.com/ (one of your vendor updates may have been to install LightScribe System Software which I don’t recommend)… install instead your purchased disk burning software that supports burning LightScribe disks.
If you don’t have any purchased software, LightScribe provides free programs and designs for doing this. Go to their web site and click on “Get the latest downloads” and download “LightScribe Template Labeler, LightScribeSimpleLabeler and LS_Update.” Then go into the “Design Center” and download all the label designs. There are many and they download and install one by one so this will take time.
LightScribe will run in the background unless you tell it not to. Go to "Start > All Programs > LightScribe Direct Disk Labeling > LightScribe Control Panel." Uncheck "Run this program when I log onto windows."
Next disable the LightScribe service if you will only be using the software every once in while. Clink on “Start > Run > type services.msc > and scrolls down to LightScribe Driect Disc Labeling Service > Right click on the entry > Select Properties > Change the Startup Type to Manual.” Note: The labeling programs may not be able to burn disks until this service is started again... as software updates come out this may change. But how often do we burn these disks and how difficult is it service this service when we need it?
Open up “Internet Explorer” start setting it up how you want. Click on “Tools > Internet options.” First thing I change is the home page. I set one tab to my favorite search engine, and one to my web site. Next I change the Tabs Setting, Click on the “Settings” button under Tabs and check “Always open pro-ups in a new tab” and “Always switch to new tabs with they are created.” Click on the “Advanced” tab and scroll down to, and check the “Empty Temporary Internet Files folder when browser is closed” check box… keeping your laptop FINALLY FAST. Those commercials really crack me up!
Download and install the latest Java Runtime Environment (currently jre-6u25-windows-i586). Once done click on “Start > Control Panel > Java > General > Settings > uncheck Keep temporary files on my computer.” Next click on “Advanced tab > JRE Auto-Download > Never Auto-Download.” If you are running the 32-bit version click on “Java > Update > and uncheck Check for Updates Automatically.” Even though the next time you go in it is checked, we can only hope that Java leaves it unchecked till we run the panel again. Hopefully, keeping the computer Finally Fast!
Go to http://www.adobe.com/ and download the latest Reader and Flash Player for 32 bit Internet Explorer. Uncheck McAfee antivirus install add-on and the Google Toolbar. Run Adobe Reader and Select "Edit > Preferences > Bottom left click on Updater and click on Do not download or install updates automatically." You will have to occasionally update Adobe yourself but this is better than having the updater polling the internet slowing down your computer. It is very important to keep Adobe updated so if you won't remember to update it manually then leave it enabled.
Install Microsoft Mappoint 2010. Insert DVD and click on “Setup.” This will also install Access database engine and C++ Redistributable. Click on “Start > All Programs > Right click on Microsoft MapPoint North America 2010 and Send to Desktop. Drag to TaskBar. If this is a backup disk don’t run and activate. Make sure the license key is on the disk.
Install your web development software. I use Microsoft Expression Web. Komodo Edit is a free option if you don't own any web development software. You can get it at CNet or http://www.activestate.com/.
Download and Install CCleaner and CCEnhancer from either http://download.cnet.com/ or from http://www.piriform.com/, be sure to uncheck the “Google Toolbar” and “Run in Background” options. Or get CCleaner Portable if you don’t what to install in on your computer. Run it and clean the disk and registry. Reboot when done.
Download and Install Microsoft Security Essentials Anti-Virus. http://www.microsoft.com/security_essentials/?WT.srch=1. Download definitions and updates.
Optional: Download and Install either “Ad-Aware Free Internet Security” http://www.lavasoft.com/ or “Spybot Search and Destroy” http://www.safer-networking.org/en/home/index.html. Both have their advantages and disadvantages. You can read about both at CNET.
Download and Install Malwarebyte’s Anti-Malware http://www.malwarebytes.org/. Download definitions and updates. Malwarebyte’s Free will not run in the background so it has to be manually updated. This is a good thing keeping you Laptop finally fast.
Download and Install SuperAntiSpyware Free Edition which will run in the background using resources. Or do what I do and use SuperAntiSpyware Portable http://www.superantispyware.com/ which does not run in the background. If you use the portable like I do drag it to the desktop and download the portable again to your downloads and updates. Run it and download the latest definitions and updates.
Download and Install Revo Uninstaller http://www.revouninstaller.com/. It is better than the “Add and Remove Programs” that Windows provides.
Download and Install KeePass http://keepass.info/, the free, open source, light-weight and easy-to-use password manager that has erased hours of password frustration from my life! Open it up and point it to where your encrypted password file is located. Sync up any passwords that may have changed on your other computers while you were building your laptop. Click "Start > Run... > type msconfig click on the Startup tab and uncheck Keepass. Keepass works fine without this process running in the background. I scoured the internet and the Web site and found nothing about this processes purpose.
I don’t agree with storing contact information at an ISP or email web site. There have been too many cases where Google or Microsoft get hacked or are subpoenaed for personal information people have stored on there web sites. I use Time and Chaos. If you want to check it out it can be found at http://www.ChaosSoftware.com/products.asp. Be sure and download all the other freebies that are provided like the holiday transportable records and the technical word database for spell checking. This is an easy to use but powerful address book of contacts, appointment schedule, to do task management and memos. Open it up and point the application to where its data files are C:\Captainkirk\TimeAndChaos. It is NOT free.
Download and Install GnuPG http://www.gnupg.org/ to get GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880. I have blogged in the past about how you can setup a script to use the command line version to encrypt important files on your computer. Click on “Download” in the left menu > Scroll down till you see “GnuPG 1.4.11 compiled for Microsoft Windows” and click on “FTP” on the right. My script is published at http://users.wowway.com/~captainkirk/computers/MSWindowsTricksTips.htm. I also give you advice on how to setup GnuPG. Create a shortcut to the script on the desktop.
Optional: Download and Install Firefox at http://www.mozilla.org/. I use Firefox in my virtual Linux environments so I don’t install it in Windows. Firefox 4 is an awesome browser release. Read about it at http://en.wikipedia.org/wiki/Mozilla_Firefox_4. The primary goals for this milestone include improvements in performance, standards support and the user interface. There are many useful plug-in’s for this browser that don’t exist for Window Explorer that I have blogged about in the past.
Optional: PC World recently rated Google Chrome as the number one browser (before Firefox 4) if you would prefer that. You can get it at http://www.google.com/chrome. Software developers I have talked to tell me that web development is easier for Chrome and Firefox and they really like Chrome.
Optional: If you are a UNIX/Linux person you will want to edit the GnuPG script from my web site. I have fallen in love with gVim which is a VI editor for windows that offers all the benefits of VI plus the cut and paste capabilities of text based programs like Notepad. Because it is a programming tool it also shows what “(“ matches with “)” which is nice for programming. Get it at http://www.vim.org/. Remove the “gVim Read only 7.3” and the “gVim Easy 7.3” shortcuts from the desktop. If you need them they are available off of the “Start” menu. The latest version is gvim73_46.exe.
Optional: If you are not a UNIX/Linux person Download and Install Notepad++ http://notepad-plus-plus.org/. It has a few added options that "Notepad" which comes with Windows 7 does not have.
Add the menu bar to Windows Explorer. Open Windows Explorer > Click on Organize > Click on Layout and select Menu bar.
Setup all your DeakTop shortcuts. Go to Start > Highlight the applications you use the most > Right click > Pick Send to > Desktop (create shortcut). I keep shortcuts to (Adobe Reader X, Calculator, CCleaner, Command Prompt, Computer, Control Panel, Dell Webcam Central, Dragon Naturally Speaking, Firefox, GnuPG encryption script blogged about in the past, gVim 7.3, Internet Explorer, Internet Explorer 64bit, Keepass Password Safe, Lightscribe, Malwarebytes, Microsoft Access 2010, Microsoft Excel 2010, Microsoft Expression Web, Microsoft MapPoint 2010, Microsoft Powerpoint 2010, Microsoft Security Essentials, Microsoft Word 2010, Network, Quicken, Recycle Bin, Revo Uninstaller, SuperAntiSpyware Portable (you have to drag and drop X.com file then rename), Windows Explorer, Snipping Tool, Time And Chaos, Windows Live Mail, Windows Live Mesh, Windows Live Writer, Yahoo Finance Web Link, VMware Player) on my desktop.
Add the desktop toolbar to the taskbar so you can take advantage of all your desktop shortcuts without going to the desktop. Right click on the TaskBar –> Click on the Toolbars tab > Check the Desktop box.
Sort all your desktop icons by type. Right click on the desktop > Select “Sort by” then select “Item type.”
Rearrange the "Start > All Programs" menu by dragging and dropping the Windows Live items from the top to the “Windows Live” folder. I already added the shortcuts to my desktop and task bar that I use.
Drag the icons from the desk top to the Task bar located at the bottom that you want on the task bar.
Setup a shortcuts directory to navigate the computer quickly. I have blogged about this in the past... create a directory and create shortcuts to places on the computer that you will visit often. Open “Windows Explorer” > right click in the right pane open area and select “New > Shortcut.”
Setup “Windows Explorer” shortcut to open up to the “Shortcuts” directory. I have blogged in much more detail about this but I use “%windir%\explorer.exe /n,/e,/Select,C:\…\Shortcuts\Directory.lnk” which opens the directory and selects the link that I use most often. You have to add the “.lnk” for this to work. Test the desktop shortcut to make sure it opens and highlights the most used shortcut. More than likely your top level data directory.
Suggested shortcuts are (Downloads, Data, DVDRWDrive, Finance, Jobs, Local Disk (F), MSLiveFiles, MSGodMode, HP Personal Media Drive, Music, TimeAndChaos, Quicken2009, etc.) A little thought is needed here about what makes Windows 7 happy. What I do is put all my Downloads in the C:\Users\win7admin\Downloads directory. I then create a Symbolic link C:\Downloads > C:\Users\win7admin\Downloads. Then the symbolic link created in my shortcuts directory points to C:\Downloads. That way as the versions and accounts change in Windows from version to version and install to install the shortcut always works without modification.
The next shortcut to think about is to your DataDir. Libraries are a fairly new invention under Windows 7. So I have always housed all my documents/data under C:\DataDir. No reason to move it under Windows 7 documents directory. All you have to do is in Explorer click on “C:\DataDir > Include in library > Documents.”
If you want "Windows Explorer" on the task bar to operate like your desktop shortcut; Right click on "Windows Explorer" on the taskbar and select "Unpin this program from taskbar." Drag the shortcut you created on the desktop to the taskbar.
Add the folders you copied in to the default Libraries on windows 7… or the libraries you create. Open “Windows Explorer” > Navigate to the directories you want in the libraries > Single click on the directory > Click on the “Include in library” menu item at the top and click on the library you want.
If later you want to remove the location from the library open “Windows Explorer” > Navigate to the directory you want to remove from the library in the LEFT pane > Right click on the directory and choose “Remove location from library.” You can read about windows libraries at http://windows.microsoft.com/en-US/windows7/Libraries-frequently-asked-questions if you want to know more.
Add the “Run…” command to the “Start” menu > Right click on the Taskbar > Click on the “Start Menu” tab > Select the “Customize…” button > Scroll down and check the “Run command” box.
Unlock the taskbar, use small icons and allow it to Auto-hide. Right click on the Taskbar > Uncheck the “Lock the taskbar” box, check the “Auto-hide the taskbar” box, check the “Use small icons” box if you monitor is small as most laptops are.
Add the “Network” and “Recent Items” to the start menu. Right click on the taskbar > Select “Properties” > Click on the “Start Menu” tab > Select “Customize…” > scroll down and check the “Network” and “Recent Items” check boxes.
Add the Address Toolbar to the TaskBar. Right click on the TaskBar > Select “Toolbars” > Check “Address.”
Change the desktop icons to add Network, Computer and Control Panel. Right click on an open area in the desktop > Go to the bottom and select “Personalize” > Click on “Change desktop icons” in upper life corner. Check what desktop icons you want.
Copy in all my data files from backup. Some of the next steps and applications require setup to point them to their data files I house my data right off of C:\ so the data location stays constant from computer to computer.
I have blogged in the past about using Windows Skydrive… Setup “Windows Live Mesh 2011” to sync up all your files with your Windows Skydrive. Login to Windows Live Mesh. On the Folders you are syncing click on it. Go to the folder on your laptop you plan to sync.. and click on “Sync” you will see “Sending and Receiving Files” and eventually “Up to date.” Now your laptop is synced with Skydrive which is synced with your home desktop… which is synced with all other computers you have set up for syncing. You can work on the same files from ANY computer you own just by powering on. No more backing up to that USB drive… which you should still do occasionally.
Setup “Windows Live Mail 2011” with all your email accounts. Click on “Windows Live Mail > Click on the Accounts menu item. Click on the Email button and Add your email accounts.
I blogged about this in the past but Windows Live Mail does not use the signature you have setup with your email service provider login. So you have to add a signature in manually to every computer. “Windows Live Mail” allows you to use a HTML file as a signature. So what I do is maintain my Email signatures in a “EMailSignatures” directory on my Skydrive as Microsoft Word documents. That way my links are sent as links and not just text. I then save the Word signature files as “Web Page, Filtered, (*.htm, *.html)” files which “Windows Live Mail” can read and attach to outgoing email messages. I like to include my email address as part of the signature so I have a different signature for all my email accounts. When I synced up the laptop I automatically got all my signature files. All that is left is to configure “Windows Live Mail” to use the signature files. Open “Windows Live Mail” > Click on the down arrow in the upper left corner > Scroll down to “Options” –> Select “Mail…” > Click on the Signatures tab > Click on the “New” button > Rename the signature to something like “Hotmail Signature” > Click on the “File” box > Click on “Browse…” and select the signature file from your synced Skydrive files.
Now that you are synced you have to update all your synced files with the laptop on. Go to you main computer and update all your synced files that need updating. In my case I have encrypted files (I have blogged about how to do this in the past) that need updating on my synced drive. I also rethink what I want up on Skydrive all the time and this time I added my website for another added backup. My last tip is I maintain separate directories of certain files that I later copy to the Skydrive. This is a good time to copy those files. Keep the Skydrive up-to-date by backing up things the old fashion way to your USB drive.
Hopefully you use some sort of home financial software. It automates many tasks like downloading checking account transactions. I have been a Quicken http://quicken.intuit.com/ user for years. I encrypt the Quicken database and keep a backup on my Skydrive. Delete the added Desktop Icons that Quicken adds for “One Month Free – pay bills right from Quicken,” “Best Card for Quicken Users – Great NEW rewards” and “Free Credit Report and Score.” Let Quicken apply updates. Update Quicken with latest financial data.
Run CCleaner to clean up the computer again.
Optional: On my tower I use GNU Image Manipulation Program (GIMP) for editing my digital photos. Read about it at http://en.wikipedia.org/wiki/GIMP. GIMP is widely considered to be the main free-software functional drop-in replacement for Adobe Photoshop, with a similar feature set and a similar and complex user interface. You can get it at http://www.gimp.org/. I don’t keep photos on the laptop so I did not include this in my base load.
Move all your downloads to your backup device. I leave my data files in place so they will be part of the disk image files I am about to create. I do this because I want the path to certain data files to remain consistent across the various Windows Operating Systems I run at home.
Cleanup your data files prior to imaging.
If there are no other applications you want in your core image, it is time to clone the hard drive using CloneZilla. You can read about it at http://en.wikipedia.org/wiki/Clonezilla. Download the software at http://www.clonezilla.org/. Clonezilla live allows you to use CD/DVD or USB flash drive to boot and run Clonezilla (Unicast only).
Cut on your network printer, go to you printer manufacturers web site, browse to “Support and Downloads,” and download the latest printer driver and software. You might want to do this before you clone your disk.
Download and install VMWare Player at http://www.vmware.com/ so that you can run virtual environments like Ubuntu Linux, BackTrack, etc. Even though I am running 64 bit Windows 7 VMWare does not recognize my Intel Core processor in the Laptop. So I had to install the 32-bit flavors of Linux. I also have a VMware startup script so that I can turn off all the VMware services that run in the background. See my previous blog entry. If you do use the script change the shortcut icon by right clicking on it, click on “Change Icon…” browse to the VMware Player executable and add the icon.
Go to http://fedoraproject.org/ and download and install the latest version of Fedora (currently 14) in VMware. Name the Virtual Machine “Fedora-14-i386-DVD.” Name the username “suroot” and make the password the same as root. Note it in your “KeePass” database. Copy the VMware Tools to the /tmp directory and install them. When done installing delete the VMware tar ball and the directory created when you expanded the GZIP file. NOTE: VMware Player does not make the /boot partition large enough to install the “kernel-2.6.35.13-91.fc14 (i686)” patch. You have to uncheck that patch or all other updates will fail.
Go to http://www.ubuntu.com/ and download and install the latest version of Ubuntu Desktop (currently 11.04) in VMware. Make the username “sudoroot.” Make the Virtual Machine name ubuntu-11.04-desktop-i386. This version went in flawlessly and installed VMware Tools automatically. I then applied all updates which also when on flawlessly.
Go to http://www.opensuse.org/en/ and download and install the latest version of openSUSE (currently 11.4), in VMware. Name the username “sudoroot” and make the password the same as root. Name the Virtual Machine “openSUSE-11.4-DVD-i586.” OpenSUSE’s default repository is the DVD drive. You will have to manually add the online repositories to apply the latest updates. This requires a openSUSE reboot to show the Community Repositories. After reboot, click on “Application Launcher > Computer > Yast > Software > Software Repositories Community Repositories > and check to box for {Main Repository (NON-OSS); openSUSE-11.4-Non-Oss; Main Repository (OSS) openSUSE-11.4-Oss; Main Update Repository and any other repository you may need.}” Select “Software > Online Update > Accept > Accept > Continue” to start the Patch Download and Installation.
Go to http://www.linuxmint.com/ download and install the latest version of Linux Mint (currently 10) and install it in VMware.
Clink on "Start > All Programs > Maintenance > Create a System Repair Disk" to create a Windows 7 Repair Disk.
Clink on "Start > All Programs > Maintenance > Backup and Restore > In left panel select "Create a system image." This will create a system image file on your USB drive that Windows 7 can restore your computer from. If you have a lot of data and/or downloads copied onto your laptop hard drive this file will be large.
If your drives are from Western Digital they are now offering "Acronics True Image" software to clone you drive which would be another option to image your hard drive. Who know it might even work with other drive types.
Optional if you hate Windows 7 firewall: Download and install "ZoneAlarm Free Firewall http://www.zonealarm.com/security/en-us/home.htm." CNET has this to say about the software, "ZoneAlarm Firewall Free 9.2 has gotten quieter and more effective, and should be considered an excellent tool for replacing the adequate default Windows firewall with a stronger option that includes better outbound protection, antiphishing guards, and ZoneAlarm's behavioral detection network." I am using it on the desktop with no degradation in performance. It is catching programs trying to access the Internet and warning me about it which I like. However, Window’s 7 Firewall is vastly improved and installing ZoneAlarm’s may not make sense with a few configurations changes in Window’s 7.
Move/copy all your downloads from your backup device to the laptop. I put mine at Favorites -> Downloads directory where Window’s 7 is happy. But if you have multiple users on your computer put them in the C:\Downloads directory and add shortcut to that directory in your downloads area.
Assuming your build steps do not exactly follow mine above, you need to check on what is starting automatically on your computer to keep it "finally fast" and secure. Click on "Start" -> "Run..." and type "msconfig32". Click on "Software Environment" and select "Startup Programs." Examine what is starting up.
Select "Start" -> "Run..." type "msconfig" and click on the startup tab. Examine what is starting up and deselect what you know you don't need every time your computer starts. The "Tools" tab is also a quick way to get at a lot of powerful Windows 7 Tools quickly.
Select "Start" -> "Run..." type "services.msc" and disable services you don't want to start automatically. To figure out what you don't want to start go to Black Viper's http://www.blackviper.com/Windows_7/servicecfg.htm exhaustive list of Window 7's services across all its various editions, along with a list of services you should modify and how you would set their parameters.
Optional: Install Nuance "Dragon Premium Version 11." Nuance will install a service to start automatically that you should change to manual. The next time you run Dragon it will start the service so why have it running all the time in the background?
When done run a defrag on the hard drive.

Links to all these programs and more can be found on my web site at http://users.wowway.com/~captainkirk/computers/Computers.html.

Using the Lynx Text-Based Browser to get the weather in OpenSUSE 11.4

2011-05-02T00:12:00.001-04:00

If you are like me and did not know that a text based web browser existed then read on. You can read about it at http://en.wikipedia.org/wiki/Lynx_%28web_browser%29. If you want a quick way to view the weather forecast without wasting the time opening up a browser, leaving the OpenSUSE command prompt install the Lynx browser using YaST > Software Management > Select RPM Groups tab > Scroll down to Networking > Web > Browsers and select “lynx.” Once installed the script below will display the 10 day weather forecast for whatever zip code you type.

This script was copied from http://www.intuitive.com/wicked/wicked-cool-shell-script-library.shtml who has many other useful scripts and ask for donations.

#!/bin/sh

# weather - report weather forecast, including lat/long, for zip

llurl="http://www.census.gov/cgi-bin/gazetteer?city=&state=&zip="
wxurl="http://wwwa.accuweather.com"
wxurl="$wxurl/adcbin/public/local_index_print.asp?zipcode="

if [ "$1" = "-a" ] ; then
size=999; shift
else
size=5
fi

if [ $# -eq 0 ] ; then
echo "Usage: $0 [-a] zipcode" >&2
exit 1
fi

if [ $size -eq 5 ] ; then
echo ""

# get some information on the zipcode from the Census Bureau

lynx -source "${llurl}$1" | \
sed -n '/^<li><strong>/,/^Location:/p' | \
sed 's/<[^>]*>//g;s/^ //g'
fi

# the weather forecast itself at accuweather.com

lynx -source "${wxurl}$1" | \
sed -n '/Start - Forecast Cell/,/End - Forecast Cell/p' | \
sed 's/<[^>]*>//g;s/^ [ ]*//g' | \
uniq | \
head -$size

exit 0

Setting up a duel boot with Windows 7, an older post now new…

2011-04-22T00:38:00.001-04:00

Duel boots are now obsolete with virtualization but someone my find this old post useful as I split apart my blogs.

Fedora 12 went on flawlessly with Windows 7 if you keep the Vista partitions. But once I zeroed the hard drives (which I recommend on any refresh of a system) I would only get "Operating System Not Found". My belief is that Microsoft has altered the system partition size such that Fedora cannot install Grub in the MBR. I tried various iterations to no avail... If you have created a duel boot with Fedora 12 and Windows 7 please let me know! I want to hear about it.

On the computer front there is big news (for me) with the latest releases from Fedora and Microsoft. Both now support RAID SATA on my motherboard upon install without any special drivers or other effort. I set myself up as a Microsoft Partner in anticipation of getting back into the computer business which seemed the cheapest way to go. This gives me access to all the latest and greatest software from Microsoft. If you are interested in doing this for your business which requires you to market Microsoft products let me know. Window 7 Ultimate by itself is selling for the same price as a partnership these days.

Fedora used to completely lock up on trying to install... and I could only install and run it on my old 32 IDE bit machine. Not any more. Let me help you refresh your PC with new capabilities and make it FINALLY FAST without investing a dime. Of course you will need the latest Fedora 12 release free at http://fedoraproject.org and/or your Windows Install disks. Also noticed Oracle has released a new version of Open Office. Here is something to try on an IDE system (could not get it to work on a SATA RAID mirror) to set it up as a duel boot... I don't think I need to say backup everything for nothing will remain on this computer...

Download Western Digital Diagnostics or Segate Sea-Tools and make a boot-able floppy. If you don't have a floppy drive you can make a CD. Then ZERO your hard drives. If you are going through all this PAIN and have limited disk space buy two new drives. If you don't zero the drives Windows will do stupid things like backup your previous installation. Before I zeroed the hard drives it did not even show the system partition. Upon installation Windows 7 uses a new size for the system partition. Duel boot was no longer possible unless I used the old Vista partitions. Once zeroed Windows 7 will show the new system partition upon creation which it did not before I zeroed the hard drives... duel boot was no longer possible under the new Windows 7 partitions.
Setup the disk striping or mirror. With how cheap disk space is these days I suggest a mirror.
Windows 7 recognized I did not have my RAID setup in my BIOS setup as a boot-able partition (which is amazing) and would not load. So be sure to set up your hard disk (RAID) as a boot-able partition in the BIOS.
Install Windows 7 (Ultimate, Pro, or Premium). It is shocking how quick it installs. Do some apply updates and you are done.
If you are trying this on an IDE machine as I will someday try installing Fedora as a duel boot. During installation choose (Install on free space) and when given the choice make Windows your Default partition. I also recommend you rename the boot options to Windows 7 Ultimate and Fedora 12 x86_64. I choose to install everything from every repository. I also added the Livna repository by specifying "http://rpm.livna.org/repo/12/x86_64" as an additional repository. Looking around I could not figure out how to add Freshrmps or RPMFusion.org as additional repositories until after installation... but I'm sure it can be done. If you know how please let me know.

Setting up a single server for NIS authentication in OpenSUSE

2011-04-16T19:54:00.001-04:00

OpenSUSE does not load nis-server by default so I will have to be loaded before we can configure the server. Login as root to make life easier. Run Yast > Software > Software Management:

Click on the RPM Groups tab and go to Yast > Productivity > Networking > NIS and select “ypserv”. After installing you will still not see NIS server as a configurable Network Service. For that you will also have to load the YaST2 component for NIS server configuration. Software > Software Management > click on the “RPM Groups” tab and scroll down to System > YaST, now scroll on the right till you see yast2-nis-server. I also installed yast2-nis-server-devel-doc found under System > YaST. This will also install “ruby” as a dependency. Now when you click on “Network Services” you will see to option to configure a NIS Server.

Taken from http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.nis.html:

To configure a NIS master server for your network, proceed as follows:

Start YaST+Network Services+NIS Server.

If you need just one NIS server in your network or if this server is to act as the master for further NIS slave servers, select Install and Set Up NIS Master Server. YaST installs the required packages. If NIS server software is already installed on your machine, initiate the creation of a NIS master server by clicking Create NIS Master Server.

Determine basic NIS setup options:

Enter the NIS domain name.
Define whether the host should also be a NIS client (enabling users to log in and access data from the NIS server) by selecting This Host is also a NIS Client.
If your NIS server needs to act as a master server to NIS slave servers in other subnets, select Active Slave NIS Server Exists.
The option Fast Map Distribution is only useful in conjunction with Active Slave NIS Servers Exist. It speeds up the transfer of maps to the slaves.
Select Allow Changes to Passwords to allow users in your network (both local users and those managed through the NIS server) to change their passwords on the NIS server (with the command yppasswd). This makes the options Allow Changes to GECOS Field and Allow Changes to Login Shell available. “GECOS” means that the users can also change their names and address settings with the command ypchfn. “Shell” allows users to change their default shell with the command ypchsh (for example, to switch from bash to sh). The new shell must be one of the predefined entries in /etc/shells.
Select Open Port in Firewall to have YaST adapt the firewall settings for the NIS server.

Leave this dialog with Next or click Other Global Settings to make additional settings.

Other Global Settings include changing the source directory of the NIS server (/etc by default). In addition, passwords can be merged here. The setting should be Yes to create the user database from the system authentication files /etc/passwd, /etc/shadow, and /etc/group. Also, determine the smallest user and group ID that should be offered by NIS. Click OK to confirm your settings and return to the previous screen.

If you previously enabled Active Slave NIS Server Exists, enter the hostnames used as slaves and click Next. If no slave servers exist, this configuration step is skipped.
Continue to the dialog for the database configuration. Specify the NIS Server Maps, the partial databases to transfer from the NIS server to the client. The default settings are usually adequate. Leave this dialog with Next.
Check which maps should be available and click Next to continue.

Determine which hosts are allowed to query the NIS server. You can add, edit, or delete hosts by clicking the appropriate button. Specify from which networks requests can be sent to the NIS server. Normally, this is your internal network. In this case, there should be the following two entries:

The first entry enables connections from your own host, which is the NIS server. The second one allows all hosts to send requests to the server.

Click Finish to save your changes and exit the setup.

3.2. Configuring NIS Clients¶

To use NIS on a workstation, do the following:

Start YaST+Network Services+NIS Client.
Activate the Use NIS button.
Enter the NIS domain. This is usually a domain name given by your administrator or a static IP address received by DHCP.

Figure 3.6. Setting Domain and Address of a NIS Server

Enter your NIS servers and separate their addresses by spaces. If you do not know your NIS server, click on Find to let YaST search for any NIS servers in your domain. Depending on the size of your local network, this may be a time-consuming process. Broadcast asks for a NIS server in the local network after the specified servers fail to respond.
Depending on your local installation, you may also want to activate the automounter. This option also installs additional software if required.
If you do not want other hosts to be able to query which server your client is using, go to the Expert settings and disable Answer Remote Hosts. By checking Broken Server, the client is enabled to receive replies from a server communicating through an unprivileged port. For further information, see man ypbind.
Click Finish to save them and return to the YaST control center. Your client is now configured with NIS.

# ypwhich
localhost

ypwhich -d bogus.hfcc.net
can't yp_bind: Reason: Domain not bound

# ypwhich -d mydomain.hfcc.net
localhost

# ypcat -x
Use "ethers"    for map "ethers.byname"
Use "aliases"   for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts"     for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group"     for map "group.byname"
Use "passwd"    for map "passwd.byname"

# ypmatch -x
Use "ethers"    for map "ethers.byname"
Use "aliases"   for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts"     for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group"     for map "group.byname"
Use "passwd"    for map "passwd.byname"

# chkconfig yppasswdd
yppasswdd off

# chkconfig ypbind
ypbind on

# ps -ef | grep yp
root        28     2 0 18:57 ?        00:00:00 [crypto/0]
root      6985     1 0 19:38 ?        00:00:00 /usr/sbin/ypserv
root      7003     1 0 19:38 ?        00:00:00 /usr/sbin/rpc.yppasswdd -D /etc -e chsh
root      9595     1 0 19:38 ?        00:00:00 /usr/sbin/ypbind

Make sure all the necessary daemons are running:

# rpcinfo -p localhost
   program vers proto   port service
    100000    4   tcp    111 portmapper
    100000    3   tcp    111 portmapper
    100000    2   tcp    111 portmapper
    100000    4   udp    111 portmapper
    100000    3   udp    111 portmapper
    100000    2   udp    111 portmapper
    100004    2   udp    801 ypserv
    100004    1   udp    801 ypserv
    100004    2   tcp    802 ypserv
    100004    1   tcp    802 ypserv
    100009    1   udp    819 yppasswdd
    100007    2   udp    867 ypbind
    100007    1   udp    867 ypbind
    100007    2   tcp    868 ypbind
    100007    1   tcp    868 ypbind

# ypmatch nisuser passwd
nisuser:$2a$05$ZHTJcZ2/Z83am1moKoQYTuKlOIjUTCb9Lpyc8sw8lX79i7qlMwyOC:1001:100:nisuser:/home/nisuser:/bin/bash

C:\net use j: \\192.168.1.9\users

# ypcat passwd
suseroot:$1$4hLXlU5W$4TOXqWRMN31G/4X1kuwy.0:1000:100:openSUSE-11.3-i586:/home/suseroot:/bin/bash
nisuser:$2a$05$ZHTJcZ2/Z83am1moKoQYTuKlOIjUTCb9Lpyc8sw8lX79i7qlMwyOC:1001:100:nisuser:/home/nisuser:/bin/bash
nobody:*:65534:65533:nobody:/var/lib/nobody:/bin/bash

# smbpasswd -a nisuser
New SMB password:
Retype new SMB password:
Added user nisuser.

To see the users set up for Samba shares:

# pdbedit -L

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS

http://www.linuxtopia.org/online_books/opensuse_guides/opensuse11.1_reference_guide/sec_nis_server.html

Use FREE OpenDNS for faster and safer internet surfing!

2011-04-15T00:36:00.001-04:00

SHOCKING HOW FAST THIS WILL MAKE YOUR WEB SURFING!!!

Continuing my computer tips I read an article on computer security today at PC World. It talked about setting up your router to use OpenDNS instead of your ISP's default DNS. This is a DNS service provided by a company formed in 2006. I figured I would give it a try but when I went to the web site it wanted me to register an account to do this. So I went to WIKI and found the DNS addresses. They are:

208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)

Just enter these IP addresses in your router in place of your ISP DNS's automatic values and marvel at how fast your web surfing will become! It also gives you web security you did not have before. Here is what http://en.wikipedia.org/wiki/OpenDNS has to say:

OpenDNS offers DNS resolution for consumers and businesses as an alternative to using their Internet service provider's DNS servers. By placing company servers in strategic locations and employing a large cache of the domain names, OpenDNS usually processes queries much more quickly, thereby increasing page retrieval speed.

Other features include a phishing filter, domain blocking and typo correction (for example, typing "wikipedia.og" instead of "wikipedia.org"). By collecting a list of malicious sites, OpenDNS blocks access to these sites when a user tries to access them through their service. OpenDNS also launched PhishTank, where users around the world can submit and review suspected phishing sites.

A screenshot of a 'phishing blocked' page OpenDNS is not open source software, but instead its name refers to the DNS concept of being open, where queries from any source are accepted.

and more... go to WIKI and read all about it!

How to Find and kill a runaway process in Windows that keeps reappearing

2011-04-07T03:40:00.001-04:00

Every now and again I run across an article in PCWorld that hits a vein. I have had run away processes on my PC years past killing performance on my PC. I would kill it only to have it reappear and crush things again. My only recourse was to reload the PC with a fresh install of Microsoft’s latest software solving the problem (a solution not available to people who are not Microsoft Partners). This solution is like taking a sledge hammer to nail! So here is how you solve this now:

To get enough computing power to start with you have to kill the process, this is quoted from PC World:

Right-click the task bar and select “Start Task Manager”. Click the “Processes” tab. followed by the CPU column heading. Doing so will cause the performance-hampering culprit to show up at the top of list.

To kill a process, select it and click “End Process”. Now the part I love but did not have access to before… if the process continues to reappear you have two web sites to visit to discover the information about them and how to terminate them forever! Something I never had before:

http://runscanner.net/

http://www.processlibrary.com/

DON’T use either site’s options for scanning your drive, instead, simply enter the process’s name in the site’s Search field. Once you’ve identified what process is launching the resource hog, check to see if an update or bug fix that addresses the problem is available. These links are also on my web site at:

http://users.wowway.com/~captainkirk/computers/MSWindowsTricksTips.htm

Using the Windows 7 ‘PSR’ utility tool… using ‘script’ in Linux

2011-04-05T21:17:00.001-04:00

I have used the UNIX/Linux “script” command to make typescript of terminal session, “what is output to stdout” for years. You can read about it at http://linux.about.com/library/cmd/blcmdl1_script.htm. It is very useful.

PC World just hit upon the Window equivalent “PSR” which you can run from “Start-> Run… PSR” will record a screenshot of each step, logging everything you type and click. A session to send to help desk support or just a quick and dirty tutorial you can present. Very useful.

From PC World <Ctrl><Mouse Wheel> lets you zoom in and out in most applications.

OpenSUSE 11.4 is out… Google Chrome 9 is out

2011-04-05T21:01:00.001-04:00

Get openSuse at:

http://software.opensuse.org/114/en

Google Chrome 9 is out. Download the standalone installer at:

http://www.google.com/chrome/eula.html?standalone=1

The blog is changing… there will no longer be investment updates at TheCaptainsLatest… visit http://thecaptainsfinance.blogspot.com for finance and investment advice, tips and commentary!

2011-04-03T22:35:00.001-04:00

I have listened and acted on your comments. People are visiting my blog for Linux and Windows - Security and Administration, home network security, PC hardware, advice, tricks and tips. This is the majority of my blog activity so I am separating out the finance and investment advice and tips.

This is being done for four reasons:

People have asked,
In reading about professional blogs it is important to stick to one theme,
I am planning to seek a sponsorship and may be adding Ads to the blog,
Prefixing entries with “Investment update:” and “Computer update:” is not search engine friendly.

My in depth computer projects will continue, you just won’t have to sort through the investment tips and advice to find my projects, tips and advice on Windows and Linux system and application administration, computer hardware, etc.

I will be moving the recent investment tips to http://thecaptainsfinance.blogspot.com. I hope you visit there, to as Kramer puts it… make mad money!

Transitioning to two blogs will take time. Be patient as you will see blog entries added and removed from both blogs. When the project is complete I won’t bore you with this blog entry anymore…

VMware Player 3.1.4 is out, running Fedora 14 at last but without update kernel-2.6.35.11-83.fc14.x86_64!

2011-03-30T00:11:00.001-04:00

I have downloaded and installed VMware Player 3.1.4. It promised support for Fedora 14 and Ubuntu 10.10 (although Ubuntu 10.10 worked fine before)… the first frightening thing was the upgrade asked to delete the previous install. I have many virtual environments that I have data in for my college classes so I had to try this first on my laptop.

I am happy to report everything worked fine and all my virtual environments where there once the upgrade was complete. Next I tried running some virtual environments on the laptop. VMware had to download VMware tools upon my first run of Ubuntu 10.10… everything worked fine. Linux Mint ran no problem and I downloaded the latest updates with no problem. OpenSUSE was next since that is what I am using in class. OpenSUSE ran fine.

So I installed VMware Player 3.1.4 on my server. I loaded Fedora 14-x64 which went flawlessly. As I blogged about before VMware 3.1.3 would not load Fedora 14… so the problem is now fixed. I never researched the problem in hopes of VMware correcting this… which I am happy to say they now have. If you have to stay with VMware 3.1.3 Fedora 13 will run just fine in 3.1.3 minus the kernel update below… which was adequate for me. The Fedora 13 load had one problem which was the /boot mount point was not given enough space to install the latest updates in the VMware default configuration. I’m sorry to say this was not corrected in 3.1.4 release as this problem still exists in both the 64 bit and 32 bit Fedora installs.

Test Transaction Errors: installing package kernel-2.6.35.11-83.fc14.x86_64 needs 9MB on the /boot filesystem

If you want to install the latest updates in Fedora (recommended!), scroll down and unselect “kernel-2.6.35.11-83.fc14 (i686) or kernel-2.6.35.11.83.fc14 (x86_64)” and then install all updates. If you don’t do this installing ALL updates will fail and you will have to try to figure this out by installing a few updates at a time like I did… thank me for saving you the time! If you absolutely have to have this update perhaps there is a way to custom configure the VMware install and allocation more disk space to /boot. I tried both the “Store virtual disk as a single file” and the “Split virtual disk into multiple file” options to no avail.

To uninstall an environment in VMware right click on it and select “Delete VM from Disk” to completely remove it. Otherwise you will receive annoying errors every time you “Play” a virtual machine. Fedora 13 is no more… it is scary how fast you can blow away an operating system you might have many hours of work in.

VMware reset the FOUR vampire sucking services that it needs to run automatically. VMware is a HOG on computer resources which starts FOUR services to automatically run in the background. I blogged about this at http://thecaptainslatest.blogspot.com/2011/01/computer-update-more-to-come-on.html which shows a CMD script I wrote to start and stop the VMware vampire sucking services from hogging computer resources. You might want to put this script on your computer. Use Start > Run > services.msc to switch the VMware services to manual... reboot and then run the script to start and stop VMware till the next release.

Building the ultimate home computer for virtualization and gaming, don’t scrimp on the components! This baby should scream.

2011-03-29T04:15:00.001-04:00

This has been an ongoing project since March, 2011. On September 6, 2011 this project was completed. The Motherboard technology will be allowed to mature which is on the bleeding edge. Sometime in October or November I will build this system are report back to you on the blog the results in a separate blog entry.

When you fill up you SUV at $100 a pop, are you really worried about spending an extra $50 to get a great computer component, verses just a good computer component? You shouldn’t because if you are like me you buy a new computer about every 7 years and living with lesser choices can be painful. Plus many of us spend more time on the computer than we every do behind the wheel of our $25,000 car.

I have blogged in the past about loading up a Windows 7 operating system with all all the free software you will ever need. But what about building a new computer from scratch? With my wife now working from home… and me schooling from home… a new ultimate screaming fast home computer capable of running multiple VMware virtual environments is in the works. When you don’t have a fortune to spend building your own computer with excellent components is better than an expensive off the shelf system loaded with sub-standard components.

I have built many PC’s. Every time I think this sucker will last for many years to come. Most of my custom builds last longer than the off-the-shelf alternatives, but technology marches on… virtualization has really changed the game. I blew through 1TB of disk space in no time loading many versions of Linux. 11 years ago 1TB of disk was unfathomable on a desktop PC. My current custom built PC (7 years old) running RAID 1 is not slow but I have maxed the memory and other resources with no place to go.

Why build a computer rather than buy a prebuilt? I guess in my case it is arrogance... and it is somewhat FUN! I don’t trust anyone to package the computer components the way I can to get the best bang for the buck. I do many hours of research on every component. The first thing that comes to my mind is the ability to cannibalize parts off of old computers. You can argue about how technology keeps advancing and this can’t be done in most instances, but cannibalization part life is a lot longer than off-the-shelf computer part life. Plus every time I open up an off-the-shelf computer I’m shocked at how limited my options are to alter the hardware. Some of these off-the-shelf products use some the cheapest scaled down components I have ever seen in an otherwise decent computer.

I have learned that in home computing technology, go where the gamers go. I don’t game which will appall them but I give them credit for scrutinizing every piece of hardware that goes into their home custom built systems. They take great pride in their hardware. Gamers are wonderful people that rate and write about computer hardware from a performance perspective that we all must pay attention to. My philosophy is get the best CPU and Motherboard money can buy and build the rest of the computer around those choices. Why buy a mediocre CPU and Motherboard when you can get screaming state-of-the-art for a few hundred dollars more? Everything else in the computer is dictated by these core components.

CPU:

I want the best processor; using the least power; putting out the least amount of heat money can buy in the $200 to $500 range. Anything less with a top of the line motherboard would be a waste of a good motherboard.

According to: http://en.wikipedia.org/wiki/Intel_Core_i7#Core_i7

Intel released the Gulftown Core i7-9xxX Extreme Edition, Socket LGA 1366, March 2010. The 2nd generation of Intel core processors are based on the 'Sandy Bridge' core and are set to be updated in January 2012 with 'Ivy Bridge'. It is selling for $1000 at NewEgg.com which is above my price range. It also consumes 130 W (TDP). There is also an article at Tom’s Hardware published August 23 about the best gaming CPU’s http://www.tomshardware.com/reviews/cpu-gaming-performance,3007.html.

In this article Tom’s Hardware is still recommending the Intel Core i7-2600K, Model BX80623I72600K. In my experience with computer technology the second generation of anything is to correct some flaw with the first generation. The processor we want is the Intel Core i7-2600K BX80623I72600K Unlocked Processor - Quad Core, 8MB L3 Cache, 3.40 GHz, Socket H2 (LGA 1155) second generation. Sells for about $314. TigerDirect.com Item Number: I69-2600K.

http://www.tigerdirect.com/applications/SearchTools/item-details.asp?EdpNo=7073159&CatId=6991 and http://www.newegg.com/Product/Product.aspx?Item=N82E16819115070.

Another thing I look at is how the user community is reacting. NewEgg.com now has 688 reviews on the second generation Intel i7-2600K 3.4GHz processor and had very few on the first processor a few months ago. Tells me a lot about how the user community did not even want to comment on Intel’s first attempt at the 2600 processor. In fact, a few short months after I started this blog entry NewEgg.com is not even selling the first generation processor.

When shopping, the first thing to note is what socket is needed for the processor. The 2nd generation Intel Core i7 processors are NOT compatible with Socket H (LGA1156) processors and is looking for LGA1155. Another thing to note is the wattage which is 95 Watts. This will impact the power supply selection. The processor comes with heat sink and Fan included which is another cost savings. Newegg has the processor for sale at http://www.newegg.com/Product/Product.aspx?Item=N82E16819115070&cm_re=intel_core_i7-_-19-115-070-_-Product.

If you don’t like the CPU cooler that comes with the CPU it will be hard to beat the ZALMAN CNPS9700 LED 110mm 2 Ball CPU Cooler. It has 2,041 reviews at Newegg.com… most all positive.

The Tom’s hardware article also talks about the new AMD CPU:

We also wonder if AMD's price drops have anything to do with the imminent introduction of the Zambezi-flavored rendition on the Bulldozer architecture (which should become available in the next 30 days, if the company wants to stay true to its word on a third-quarter release). If you haven't heard, Zambezi is a 32 nm processor that lacks the integrated graphics found on AMD's Llano-based APUs.

You can read all about the new Bulldozer socket AM3+ (AM3b) architecture at:

http://www.tomshardware.com/news/amd-bulldozer-zambezi-processor-am3,13272.html and http://en.wikipedia.org/wiki/Bulldozer_(processor). According to Wiki the release date is September 19, 2011. The price range will be around $320. It is intended to match up against the Intel Core i7-2600K. But this is shining new technology and I don’t like to be on the bleeding edge. I am going with the tried and true Intel i7-2600K.

Motherboard:

I want a Motherboard with the maximum number of USB 3.0 ports I can get. USB 3.0 is backward compatible with USB 2.0 so I want to minimize the USB 2.0 ports. During my research most motherboards come with a few USB 3.0 ports and six to MANY USB 2.0 ports. I ruled these out right away. I don’t want a Motherboard that waste resources/space supporting USB 2.0 ports. I also want support for 6Gb/s SATA storage devices in case I decide not to run RAID. If you want to run with 6Gb/s hard drives you will not get 6Gb/s throughput using RAID. If you hook up two 6Gb/s drives and run RAID your throughput will actually be 3Gb/s or less. In some tests with 6Gb/s drives the throughput was worse that running 3Gb/s drives in a RAID configuration. I called ASUS and they confirmed what I had read at various web sites about this.

Most all Motherboards in this category come with hardware support for SATA RAID 0,1,5,10 which is mandatory. I also want LAN Speed support for 2 x Gigabit, Audio 8 channels/6 ports (don’t what to purchase separate audio cards… I spent enough time on Creative sound card technology). Price range between $200 to $400 range. The last requirement is not to be on the bleeding edge of technology by being on the front line trying the motherboard before it has become established.

Now I have to admit some bias based on past experience. I have two computers that have been running on ASUS motherboards for years. The one Gigabyte motherboard I purchased years ago I had to replace and is in the motherboard graveyard. Could have been my fault for I think the Motherboard overheated… but I go first to ASUS to see what is the latest and greatest! Go to http://usa.asus.com/ProductGroup2.aspx?PG_ID=mKyCKlQ4oSEtSu5m to view the latest savory jewels. Be aware ASUS technical support can be pretty bad… so if you get a bad motherboard you will have jump through hoops to get a new one.

When I started this project back in April I liked the ASUS MAXIMUS IV EXTREME (REV 3.0) LGA 1155 Intel P67 SATA 6Gb/s USB 3.0 Extended ATX Intel Motherboard. On January 31, 2011 Intel announced the detection of a design error in the new Intel 6 Series support chipset, also known as Cougar Point. ASUS updated all motherboards with the revised Intel 6 B3 chipsets, which certified every SATA port safe. All modified motherboard packaging came with some sort of label like “New P67 B3 Revision” on the side of the box, Onboard sticker, and the BIOS will indicate “B3 Stepping.” This put me off a few months waiting for the next generation in motherboard design.

Intel has a Motherboard selection list:

http://www.intel.com/reseller/mbselector/index.htm

Intel does not list many of the new motherboards as verified. The motherboards they list are too old to consider in a modern computer system.

ASUS has come out with the ASUS Maximus IV Extreme-Z. It is not perfect but it meets my requirements NEC® USB 3.0 controller : 8 x USB 3.0 port(s) (6 at back panel, blue, 2 at mid-board); NEC® USB 3.0 controller : 2 x USB 3.0 port(s) (2 at back panel, blue); Intel® Z68 chipset : 9 x USB 2.0 port(s) (1 at back panel, black, 8 at mid-board); 4 x SATA 3Gb/s port(s), gray; 2 x SATA 6Gb/s port(s), red; Intel®, Realtek® ALC 889 8-Channel High Definition Audio CODEC; 2 x Gigabit LAN Controller(s). You can look at the specifications at:

http://usa.asus.com/Motherboards/Intel_Socket_1155/Maximus_IV_ExtremeZ/#specifications

It is selling at Newegg for $349 at http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=maximus+extreme or at Amazon for the same price http://www.amazon.com/ASUS-Maximus-IV-Extreme-Motherboards/dp/B005584ZEO/ref=sr_1_1?ie=UTF8&qid=1314761105&sr=8-1. Amazon packages it with the Intel Core i7-2600K processor for $664.94. Newegg had a combo price of $639.98. There are currently 28 reviews at newegg.com. Let’s let this technology age a few more weeks and see what the gaming community thinks.

Hard Drives:

If you are running some old dinosaur IDE computer technology you may not be familiar with Serial Advanced Technology Attachment (SATA) technology. You can read all about it at https://secure.wikimedia.org/wikipedia/en/wiki/Sata. Even SATA is now being replaced with Solid State Drives (SSD) https://secure.wikimedia.org/wikipedia/en/wiki/Solid-state_drive. The SSD’s are expensive and on the edge of technology so I am only looking at SATA for this computer build.

Now that virtualization is in we need tons of disk space to run all those virtual Linux environments. Plus with Music and Video it is surprising how fast we can slice through a terabyte. My drive minimum requirements are:

At least 2 TB+
The SATA 6 Gb/s interface
Minimum 5 year limited warranty

You can read about RAID at http://en.wikipedia.org/wiki/RAID_10#RAID_10_.28RAID_1.2B0.29. The is a good article on SATA 3Gb/s verses SATA 6Gb/s at http://www.hardocp.com/article/2010/02/20/sata_6gbs_on_your_new_motherboard. I can’t vouch for the site so don’t “open surf” there. The article is really good and even goes in for a comparison of various 6 Gb/s controllers with the Marvell 9128 doing well in burst speed testing. The ASUS Maximus IV Extreme-Z uses the Marvell PCIe 9182 controller. If you are going to use RAID there is no advantage to running a RAID configuration on the SATA 6 Gb/s interface over the SATA 3 Gg/s interfaces. I called ASUS and verified this. However running a SATA 6 Gb/s drive outside of RAID will yield a performance improvement over a SATA 3 Gb/s drive.

If I decide to run RAID 10 I will pick up 4 “Western Digital Caviar Black WD1502FAEX 1.5TB 7200 RPM 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive -Bare Drive”. It is selling a Newegg.com for $99.99. The 1.5TB and the 2.0TB drives come with Dual actuator technology so you have to spend the extra money to get the higher capacity drives.

After doing a lot of reading and looking at a lot of user reviews, purchasing drives from all the drive companies (Western Digital, Seagate, Hitachi, Samsung, etc.) had drive failures and problems. The early motherboards when the 6.0 Gb/s drives that came out also had problems supporting this new standard. And some users complained their RAID would only run at 3.0Gb/s which is still true. My feeling here became “get the drive with the best warranty!” That way if I am one of the unlucky ones to get a bad drive then it should be covered under the warranty. I lean toward Western Digital because in the past they have taken back a bad drive no questions asked. But I have been running a pair of Seagate’s for years now, so either will work fine. I have no experience with Samsung or Hitachi. Some users complained that Window’s had problems with the 3TB drives so I am sticking with the cheaper 1.5TB or 2.0TB options. I like the following two drives and if I see a deal on either I will pick up a one or two…

Western Digital Caviar Black WD2002FAEX 2TB 7200 RPM 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive -Bare Drive, $170. Comes with a limited 5 year warranty. You can look at the drive specs at http://www.wdc.com/en/products/products.aspx?id=100. Newegg.com price quote at http://www.newegg.com/Product/Product.aspx?Item=N82E16822136792&cm_re=western_digital_2tb-_-22-136-792-_-Product

The Seagate Barracuda XT SATA 6 Gbit/s Hard Drive is also a good candidate. There is a good review of it at http://www.pcper.com/reviews/Storage/SATA-6G-60-Gbs-Performance-Preview-Seagate-XT-drive-tested/Performance-Testing-and-C. Do not “open surf” to this link. I can’t vouch for the site. Use Tor and a virtual environment. The Seagate Barracuda XT also comes with a limited 5 year warranty. You can read a good article about the Barracuda line at http://www.pcmag.com/article2/0,2817,2382026,00.asp?kc=PCRSS02129TX1K0000530.

Power supply:

When looking for a power supply, you have to determine what your max hardware configuration could be before searching for a power supply. I then add 20% more power than I think I might need. It is kind of like my demolitions work back in the Marine Corps. We had table cards to calculate how much explosive to use on various obstacles… and then we would add 20% more just to be sure. The tables were supposed to add more than you needed already but in a combat situation you don’t want to have to blow something up twice!

Also a power supply is a mechanical device. It is the power engine of your computer. If it is operating at half capacity then you should not be putting any strain on the component… but if you are operating at near full power capacity how long before that component fails from the strain?

Output alone is not enough to rate a power supply. I am now a fan of HardwareSecrets.com. They have excellent articles about how most power supply reviews are wrong and how to properly test a power supply at http://www.hardwaresecrets.com/article/Why-99-Percent-of-Power-Supply-Reviews-Are-Wrong/410/1. The article was written in April 2010 and they point to TomsHardware.com as properly testing power supplies… but in 2010 TomsHardware.com had not done any reviews in three years. HardwareSecrets.com also list other web sites that they felt do proper testing of power supplies at http://www.hardwaresecrets.com/article/522/7.

Tom’s hardware has a good article written May 19, 2011 about how power supplies are rated at http://www.tomshardware.com/reviews/750-watt-psu-80-plus-gold,2927.html. What we are looking for is a 80 Plus Gold or Platinum rating on the power supply.

I decided to make a call to “PC Power and Cooling” to discuss how much power (wattage) would be needed to support the CPU/motherboard combination and 2 powerful video cards. They recommended their:

Silencer 760 http://www.pcpower.com/products/description/Silencer_760W/index.html and their new Silencer MkII 750W http://www.pcpower.com/products/description/Silencer_Mk_II_750W/index.html. Both are rated 80+ Silver certified and operate at 88% efficiency. I did not give these much thought because of the “Silver” rating.

While there is not much difference between a 80+ Silver verses a 80+ Gold rating I want Gold. The May 19, 2011 article from Tom’s hardware recommended FSP’s Aurum AU-700 and Seasonic’s X-760. Even though the Seasonic is more expensive I like it better because of the higher wattage and the full modular Cable Management system. It also has more connectors. You can read another review of the Seasonic X760 SS-760KM ATX12V v2.3, EPS12V, 80 PLUS Gold at http://www.jonnyguru.com/modules.php?name=NDReviews&op=Story&reid=235.

When I went to newegg.com to get a price Newegg showed the SeaSonic X Series X-850 as receiving Hardwaresecrets.com Golden Award. So I went to Hardwaresecrets.com and read their conclusion at http://www.hardwaresecrets.com/article/Seasonic-X-Series-850-W-Power-Supply-Review/1169/10. The X-850 costs $50 more than the X-760. The X-760 also has 170 reviews at Newegg.com verses 12 for the X-850. The 850 is probably a better power supply, but for my purposes the 760 is adequate.

The OCZ ZX 1000W also had very good ratings at http://www.jonnyguru.com/modules.php?name=NDReviews&op=Story5&reid=238. You can also read about it at http://www.hardwaresecrets.com/article/OCZ-ZX-Series-850-W-Power-Supply-Review/1204/10.

Intel has a web page that might aid in the selection of power supplies at http://www.intel.com/reseller/psu_selector/. You can also look at http://www.intel.com/support/processors/corei7/sb/CS-030866.htm.

RAM Memory:

Although the memory can be installed one module at a time, the best performance comes from using matched pairs of modules. I believe more memory at a clock rate less than the MAX available is a better deal than buying the MAX MHz at the highest price. But on the ASUS motherboard description web page it says, “Due to CPU behavior, DDR3 2200/2000/1800 MHz memory module will run at DDR3 2133/1866/1600 MHz frequency as default.”

I usually buy my memory from Crucial.com and the only memory listed as running at the 2133 range comes in the 2GB verity. If you want this super fast memory you can get a two 2GB module kit for $89. Specs: 4 GB kit (2GBx2), Ballistix 240-pin DIMM, DDR3 PC3-17000 memory modules: 9-10-9-24 • Unbuffered • NON-ECC • DDR3-2133 • 1.65V • 256Meg x 64.

But I will be buying the 8GB Kit (4GBx2), Ballistix 240-pin DIMM, DDR3 PC3-12800 memory module at $69. Specs: DDR3 PC3-12800 • 10-10-10-28 • Unbuffered • NON-ECC • DDR3-1600 • 1.5V • 512Meg x 64. If necessary, I will upgrade when the DDR3 8GB modules (16GB kit’s) come out which is what the motherboard will support up to 32GB.

Case Fans:

The Fans are important to cooling the PC. A few usually come with the case but in my experience that is not near enough cooling capacity. I think I cooked a Gigabyte Motherboard years ago due to inadequate cooling. That was a expensive lesson.

A good article at http://www.bit-tech.net/hardware/cooling/2009/09/28/what-s-the-best-case-fan/5 recommends the Sharkoon Silent Eagle 1000 120mm and the Scythe Gentle Typhoon D1225 C12B4AP-14. But this article is from 2009 so I went to Newegg.com and look at the user reviews of the fans.

I finally went to Newegg.com to see what the users are say. The best rated fans are the (MASSCOOL FD08025S1M4 80mm Case Fan; Scythe DFS123812-3000 "ULTRA KAZE" 120 x 38 mm Case Fan; Vantec Tornado 80mm Double Ball Bearing High Air Flow Case Fan - Model TD8038H; ENERMAX UC-8EB 80mm Case Fan). I did the same at Amazon and the best rated fans were (Cooler Master Computer Case Cooling R4-LUS-07AR-GP, Cooler Master R4-LUS-07AB-GP MegaFlow 200mm LED Case Fan (Blue); Scythe Gentle Typhoon D1225C12B5AP-15 - Case fan - 120 mm; Cooler Master 120mm Silent Blue LED Case Fan 2-in-1 Value Pack - (R4-L2S-122B-GP); Vantec Stealth SF6025L 60x60x25mm Double Ball Bearing Silent Case Fan (Black)).

Video Card(s):

Not being a gamer pretty much any good mid level card will do. I can always double up on the cards if I want better performance.

The August 12, 2011 article at http://www.tomshardware.com/reviews/gaming-performance-radeon-geforce,2997.html listed the EVGA GeForce GTX 560 Ti FPB 1GB GDDR5 PCIe and the Radeon HD 6870; Radeon HD 6950 1GB; Radeon HD 6950 2GB as the best PCIe cards between $180 and $300.

Tom’s hardware also did a review in April of PCIe Video cards at http://www.tomshardware.com/reviews/best-graphics-card-radeon-hd-6990-geforce-gtx-590,2912-4.html. In that article they recommended the Radeon HD 6870 for a mere $210. It only uses 151 W of power compared to the more powerful cards. You can view their Graphics Card Hierarchy Chart at http://www.tomshardware.com/reviews/best-graphics-card-radeon-hd-6990-geforce-gtx-590,2912-7.html.

Consumersearch.com recommended the PNY XLR8 GeForce 8800 GT; MSI NX8600 GT; XFX GeForce 8400 GS; XFX GeForce 8800 GTX

PC World June, 2011 recommended the AMD’s Radeon HD 6870 at $200, and Nvidia GeForce GTX 560 Ti at $250 to $270. The article warns that AMD’s Radeon HD 6900 Line, can be quite long, and may not fit in certain PC cases.

DVD burner:

Can’t do better than the Asus DRW-24B1ST 24X Internal DVD Burner review at http://benchmarkreviews.com/index.php?option=com_content&task=view&id=465&Itemid=60. Can’t vouch for this site. The drive has over 2000 good reviews at Newegg.com.

If you want Lightscribe capability just buy another cheap drive to give you that capability. The “SAMSUNG CD/DVD Burner 22X DVD+R 8X DVD+RW 16X DVD+R DL 22X DVD-R 6X DVD-RW 16X DVD-ROM 48X CD-R 24X CD-RW 48X CD-ROM Black SATA Model SH-222AL LightScribe Support – OEM” is also a good drive. But the Samsung drive only has 13 reviews at Newegg.com. All I was able to find is it looks like the latest firmware was released March 23, 2011.

Case:

Since I am not a gamer I looked for a case with less show and more air flow. I want the ability to run two video cards so I need plenty of room and air flow to cool the components. I also want a sturdy steel design that does not weigh 50 pounds. The plastic cases are too easy to break. I don’t really want to get into the complexity of a liquid cooled system. I limited my price range was from $100 to $250. Years ago I had a full tower in the office and because of the large footprint I had to put it in an awkward spot just to roll out the keyboard. I finally downsized to a mid-tower and gave the full tower away. Your needs may be different.

From Tom’s Hardware: The top case, SilverStone’s Raven RV03, has all of the cooling, quietness, and quality required for our recommendation, but that recommendation comes with an caveat: the face panel is held in place with eight screws, in addition to snaps, and each of the bay adapter trios is also secured by eight screws. While most users can get away with a single 5.25" drive and the five bays behind the motherboard tray, access to remaining front bays is unusually cumbersome. I like the fact that the RV03 has two front USB 3.0 ports, 1 audio and 1 MIC. At newegg.com it had only 17 reviews and sells for $159.99. There were a lot of complaints about how fragile the plastic components were. Based on all these negative reviews I ruled out this case.

The Corsair Obsidian 650D Aluminum Mid Tower ATX Enthusiast Computer Case - Black CC650DW-1 - Steel structure with black brushed aluminum faceplate/ bottom mounted PSU with room for extended PSU/ 4 x External 5.25" Drive Bays/ 3.5"/2.5" Drive x 6/ 8 expansion slots/ FRONT: USB 2.0 x 4, USB 3.0 x1, IEEE 1394 x 1, Headphone x 1, Mic x 1, 4-channel Fan Controller is the case I have chosen. It matched up very well with the Raven RV03 spec for spec. At newegg.com the case has 52 mostly positive reviews and sells for $189.99. There were a lot of complaints about the awkward USB 3.0 support that comes from the back of the motherboard but everything else was mostly positive.

I also like the Cooler Master Storm Enforcer chassis. it comes with USB3.0 x 2 (internal), USB2.0 x 2, Mic x 1, Audio x 1; and matches up well with the Corsair Obsidian 650D and the SilverStone Raven RV03. But it is not a roomy as the Corsair or the SilverStone. The cooling reviews were less when compared with the other cases.

Lian-Li Lancool PC-K63 also has good ratings. You might want to give these a chance.

Other cases I looked and decided against are the Rosewill Challenger; Rosewill Armor; Xion AXP-ARM001-BL; NZXT Vulcan Enthusiast; and the Rosewill Cruiser; Cooler Master HAF ATX Mid Tower Case RC-922M-KKN1-GP (Black); Cooler Master HAF X; Ruled out because no USB 3.0 support: Cooler Master Elite Mid Tower case RC-310-BWN1-GP; Thermaltake Element G VL10001W27; The cases were ruled out because the are full towers or have too large a footprint: Thermaltake Level 10; Cooler Master HAF 932

Printer:

September, 2011 PC World rated the “Brother MFC-9970CDW http://find.pcworld.com/71935” and the “Brother MFC-9560CDW http://find.pcworld.com/71936” the top 2 Color Laser Multifunction Printers. Go to http://find.pcworld.com/71573 for in-depth reviews.

Laptops:

September, 2011 PC World rated the “ASUS G73SW http://find.pcworld.com/71945” as the Best Buy and a Superior rating. The “Dell XPS 17 3D http://find.pcworld.com/71505” and the “HP Envy 17 3D http://find.pcworld.com/71943” also got superior ratings. Go to http://find.pcworld.com/70832 for in-depth reviews.

Keyboard and Mouse:

This is really personal preference. Most of the Keyboards and Mice I looked at had good user ratings. The Logitech MK550 Black USB RF Wireless Ergonomic Wave Combo looks like a nice choice for non-gamers. BestBuy had it on sale for $60.00.

How to set up a Home Web Site using Apache Web Server running on OpenSUSE 11.4

2011-03-22T00:01:00.001-04:00

The first thing to setting up a home web site will be to edit your router configuration. The three things to configure are:

Port forwarding (usually 80 and/or 443). You can configure it to be anything http://www.example.com:8000/path/. You would want to higher port if server security is an issue.
Address reservation for your web server IP address.
A DYNDNS domain for your WEB server.

For reference see my entries “Computer update: Securing the home network, implementing home router wireless security, router configuration, and Computer update: Final steps to secure SSH tunneling for your Laptop while on the road. Don’t let those coffee shop hacker’s spy on everything you are doing!”. Those blog entries (and others) go into detail about things like “port forwarding, address reservations, and setting up a dyndns domain.”

The IP address given to your home Cable Modem or router is dynamic. Your ISP will assign you a new DHCP address from time to time. If your router is not too old, it has the capability to update a domain you setup at DynDNS http://www.dyndns.com/ with the new IP automatically. As long as you use that domain to connect to your home server with the ports you forwarded, you will always get to your home Web/SSH/network/Linux server.

You will also have to configure your home router to forward the browser port your configure to your flavor of Linux running Apache Web Server. You can either setup Linux to use a “static” IP address in your home network, or use an address reservation in the router, or do both. You can also setup “static” IP’s in the router but I found an “address reservation” easier to configure and maintain.

From my router help:

Port Forwarding

For the services, applications, or games that already exist in the drop-down list, you need to specify only the computer's IP address. Otherwise, you should specify the port number and computer's IP address for each service, game, or application by clicking the Add Custom Service button.

Address Reservation

To reserve an IP address:

Click the Add button.
Select the radio button of the computer you wish to add from the Address Reservation Table.
If the computer is not on the Address Reservation Table, enter the IP address, MAC address, and device name of the computer you wish to add.
Click the Add button when finished.

To edit a reserved IP address:

Select the radio button next to the reserved address you want to edit.
Click the Edit button.
Edit the IP address, MAC address, or device name.
Click the Accept button when finished.

To delete a reserved IP address:

Select the radio button next to the reserved address you want to delete.
Click the Delete button.

Dynamic DNS Help

A Dynamic DNS (DDNS) service provides a central public database where information (such as e-mail addresses, host names, and IP addresses) can be stored and retrieved. The Dynamic DNS server also stores password-protected information and accepts queries based on e-mail addresses.

If you want to use a DDNS service, you must register for it. The Dynamic DNS client service provider will give you a password or key.

To set up for DDNS:

If you have registered with a DDNS service provider, select the Use A Dynamic DNS Service check box.
Select the name of your Dynamic DNS service provider.
Type the host name that your Dynamic DNS service provider gave you.
The DDNS service provider might call this the domain name.
Type the user name for your DDNS account.
Type the password (or key) for your DDNS account.
Click Apply to have the DDNS service used.

Note: The router supports only basic DDNS, and the login and password might not be secure. If you have a private WAN IP address, do not use DDNS service as it can lead to problems.

If you want to use a “static IP” you should backup your network configuration files:

# cd /etc
# cp –p resolv.conf resolv.conf.orig
# cp –p host hosts.orig
# cp –p HOSTNAME HOSTNAME.orig
# cp –p nsswitch.conf nsswitch.conf.orig
# cd –p /etc/sysconfig/network
# cp –p dhcp dhcp.orig
# cp -p ifcfg-eth0 ifconfig-eth0.orig
# cp –p config config.orig
# cp –p routes routes.orig

The easiest method to set up a static IP using YaST, “YaST > Network Devices > Network Settings > Overview > Edit button to edit [Ethernet Network Card DHCP] > Select button Statically assigned IP Address.” This assumes that you also configured your router to provide a static IP to your server.

Most ISP’s provide space to house a simple home web site. I have had mine with my ISP for years. There are also Web Hosting and Development sites. See my web page http://users.wowway.com/~captainkirk/computers/WebDesign.htm for a few. But if you want to do some more advanced things with your web site then keep a few static web pages, housing your sight at your ISP will not work… also why pay a company to host your site someplace else… except for the fact they provide tools to quickly generate professional looking WEB pages and sites. The best solution is to develop a professional site and host it on your home network.

The first step is to install a Web Server like Apache. In OpenSUSE use “Start > Computer > YaST > Software Management > Click on the RPM Groups tab > scroll down to [Productivity – Networking – Web – Servers] > Select package apache2 with will automatically select apache-itk Apache 2 “ITK” MPM (Multi-Processing Module) and Apache 2 utilities apache2-utils” as dependencies. There are may other modules to consider installing depending on what you are planning to do with your web site:

From the reference “OpenSUSE 11.0 and SUSE Linux Enterprise Server:”

There are also various modules for serving dynamic content including: apache2-mod_fcgid, apache2-mod_mono, apache2-mod_perl, apache2-mod_php5, and apache2-mod_python. The packages apache2-prefork and apache2-worker are what are known as multi-process modules (MPMs). These allow Apache to spawn multiple processes (and in the case of apache2-worker multiple threads). For normal usage the apache2-prefork package is recommended. The apache2-mod-fcgid allows for “Fast CGI,” while the other modules provide the ability to embed the various scripting languages names into HTML pages (Mono, Perl, PHP, and Python). There is also the apache2-mod_tidy module that allows web pages to be fed through a program to detect and fix invalid HTML. This is useful for debugging web site content. In addition, there is a YaST module for configuring the web server yast2-http-server and packages including documentation apache2-doc and sample web pages apache2-example-pages.

The minimal installation packages I used were:

apache2
apache2-itk
apache2-utils
apache2-prefork
apache2-doc
apache2-example-pages
yast2-http-server

The YaST module apache2-doc can be found in the RPM Groups tab under “Documentation > Other,” and the yast-http-server module is under “System > YaST.” Once you have installed yast-http-server scroll down to “Network Services > HTTP Server > Click on it and see Configure an Apache 2 server,” a dialog box stating “To configure the HTTP server, the apache-prefork packages must be installed.” If you did not install them above. Accept the defaults…

Surprisingly now that apache2 is installed it does not start automatically. The server can be started by typing rcapache2 start, stopped using rcapache2 stop, and get the status using the command rcapache2 status which will confirm the web server is running. You can restart or reload with rcapache2 restart or rcapache2 reload. From OpenSUSE 11.0, “You can also confirm that Apache is listening on port 80 by typing the command telnet localhost 80.”

Trying ::1...
Connected to localhost.
Escape character is '^]'.

You can now look at the maual at http://127.0.0.1/manual/ assuming you installed the minimum installation packages above. If you installed the apache2-example-pages you can browse to http://localhost you will see the index.html file stored at /srv/www/htdocs. The minimal web page contains the text “It works!” to demonstrate that Apache is working.

If you make changes to the configuration you can check the syntax using any of the following:

# apache2ctl configtest
# rcapache2 configtest
# apache2ctl –t

Which will show “Syntax OK” if your changes were correct. If we want our web site to start when OpenSUSE reboot’s we have to configure the “apache2” service to start automatically. This can be done using “YaST” or from the command line using “chkconfig” command (chkconfig is used to enable or disable system services). For example, to start Apache automatically in runlevels 3 and 5, execute the following command:

# chkconfig –a apache2

Alternative, YaST can be used, select “System > System Services (Runlevel):”

You can configure Apache manually or use YaST. Setting up an advanced Apache configuration is beyond the scope of this project. We just want to do the most minimal Apache configuration necessary to service our home web site. So only a few settings need to be changed. Below are some excerpts from http://doc.opensuse.org pertaining to the minimal changes I had to make to the Apache configuration:

30.2.3. Configuring Apache with YaST

To configure your Web server with YaST, start YaST and select “Network Services > HTTP Server.” When starting the module for the first time, the HTTP Server Wizard starts, prompting you to make a few basic decisions concerning administration of the server. After having finished the wizard, the HTTP Server Configuration dialog starts each time you call the HTTP Server module. For more information, see Section 30.2.3.2, “HTTP Server Configuration”.

30.2.3.1. HTTP Server Wizard

The HTTP Server Wizard consists of five steps. In the last step of the dialog, you are given the opportunity to enter the expert configuration mode to make even more specific settings.

30.2.3.1.1. Network Device Selection

Here, specify the network interfaces and ports Apache uses to listen for incoming requests. You can select any combination of existing network interfaces and their respective IP addresses. Ports from all three ranges (well-known ports, registered ports, and dynamic or private ports) that are not reserved by other services can be used. The default setting is to listen on all network interfaces (IP addresses) on port 80.

NOTE: The following is not necessary if you have not used “Yast > System > Firewall” to configure a firewall in OpenSUSE. If the firewall is disabled the web site is visible by just forwarding port 80 to the IP address OpenSUSE is running on in your home network. If you are interested in setting up a OpenSUSE firewall you can read about it at http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.security.firewall.html. Also if you are using VMware or Virtual Box don’t forget to set the IP for Linux as bridged and not NAT.

Some other links to securing your web site are http://www.openvas.org/ (network vulnerability tool) and http://www.netfilter.org/ for packet filtering and other useful network tools.

Check Open Port In Firewall to open the ports in the firewall that the Web server listens on. This is necessary to make the Web server available on the network, which can be a LAN, WAN, or the public Internet. Keeping the port closed is only useful in test situations where no external access to the Web server is necessary. If you have multiple network interfaces, click Firewall Details... to specify on which interface(s) the port(s) should be opened.

Click Next to continue with the configuration.

30.2.3.1.3. Default Host

This option pertains to the default Web server. As explained in Section 30.2.2.1, “Virtual Host Configuration”, Apache can serve multiple virtual hosts from a single physical machine. The first declared virtual host in the configuration file is commonly referred to as the default host. Each virtual host inherits the default host's configuration.

To edit the host settings (also called directives), choose the appropriate entry in the table then click Edit. To add new directives, click Add. To delete a directive, select it and click Delete.

Below are some screen shots of the defaults I used:

After finishing with the Default Host step, click Next to continue with the configuration.

The last step is browse to your web page http://youdomainname.dyndns.[com,org,edu,etc.]

Some useful links used in the project:

http://httpd.apache.org/docs/
http://wiki.apache.org/httpd/
http://httpd.apache.org/docs/2.2/
http://www.apache-ssl.org/docs.html
http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-reference/cha.apache2.html
http://www.iana.org/assignments/port-numbers
http://en.wikipedia.org/wiki/TCP_and_UDP_port

Using Tor to surf the internet anonymously, FlashCookieView to view your flash cookies, Web of Trust WOT, Atomic clock to sync your Windows PC with official US time

2011-03-15T21:59:00.001-04:00

PCWorld had a recent article about using “Tor” http://www.torproject.org/index.html to surf the internet anonymously. I found this interesting and tried it out in a virtual XP environment. If the application is doing what it says it is doing, I experienced no impact on my anonymous web browsing… but in my reading “Tor” warns about problems you may experience using it to browse. I had to download the software from “Tor’s” web site to get the latest version. Tor also wants you to use Firefox with the latest TorButton plugin. Below is what CNET and “Tor” had to say about the freeware:

Tor: An anonymous Internet communication system Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize Web browsing and publishing, instant messaging, IRC, and SSH. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

The Electronic Frontier Foundation publishes Tor, a free suite of Internet communications and security utilities. Tor enables safe, anonymous online browsing and publishing, instant messaging, and more. It has potential uses ranging from helping casual Net surfers protect themselves from online attacks and predators to giving programmers the tools to develop applications with built-in safety and privacy features. Tor protects your online privacy and anonymity by linking your PC to the Tor network, which then links to the "outside world."

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

We have all heard about how sites like Google are tracking our every web search and home internet activity. While I know we all don’t engage in any illicit activity, do we really want corporations and big brother having that power over our everyday lives? Not to mention when we are wrongfully accused (see the movie) having big brother have access to all our surfing activity.

One good thing about “Tor” was that it warned me that the clock on my computer was about 1800 seconds out of sync. For years I have been updating the clock manually by going to http://www.time.gov but this time I sought out a solution that would sync up the time with a time server. On my installation of Windows 7 the “Window Time Service” is not started automatically… which is a good thing. You can sync up the time on your computer manually by starting the service, syncing and stopping the service. Go to http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx or http://technet.microsoft.com/en-us/library/bb490605.aspx to read about this. Below is a simple command script you can write (NOTE: If must be run as administration by right clicking and selecting “Run as administrator.”

net start w32time
w32tm /resync
net stop w32time

NOTE: This procedure only works on computers that are joined in a domain.

You can also use “Run > type “services.msc” > scroll down to “Windows time” and start/stop the service. Or use my favorite method and use the program “atomic.exe.”

An easy way to sync up your clock is by using “Atomic Clock sync” http://download.cnet.com/Atomic-Clock-Sync/3000-18512_4-14844.html?tag=mncol;1. Click on the “Repair Service” tab and follow the steps. Now the computers clock is perfectly synchronized with a time server… which I assume is Uncle Sam because the two were perfectly in sync after using “atomic.exe.”

Flash cookies are also a threat on your home computer. CCleaner http://www.piriform.com/ccleaner/download is the battle ax to clean these out but if you want to just browse them and keep your cookies from certain sites (like your credit unions) then the Flash Cookie Utility at http://www.pcworld.com/downloads/file/fid,83205-order,4/description.html is a good tool. CCleaner can be configured to keep certain cookies permanently also. What I do is clean everything and then browse to my financial web sites. I then use configure CCleaner to keep the cookies I need. See below:

Don’t forget about using Web of Trust which I have blogged about in the past. It is now available for Internet Explorer at http://www.mywot.com/en/download/ie.

Securing Windows Live Mesh on your laptop while on the road to keep it from connecting to a public network

2011-03-08T20:10:00.002-05:00

I have been playing with the Windows Live Mesh settings to keep it from connecting to the internet while I am on the road. I have surfed then internet to discover how to do this. My first method was to go into the startup programs by using “Start > Run > msconfig > and select the Startup” tab. Scroll down to Start Item “Windows Live Mesh” uncheck that and restart the computer. That will work as long as you don’t double click on the Windows Live Mesh icon ever again… especially while on the road.
As soon as you run Window Live Mesh again it will magically create a new startup entry in addition to your unchecked entry. No matter how many times you restart you will continue to have one unchecked and one checked “Windows Live Mesh” entry. To get things back to normal check both Windows Live Mesh entries in the startup menu and restart. This will clean things up for using Mesh on the home network.

But what about on the road? The best solution would be to tunnel the ports that Mesh uses through your SSH tunnel much like we did the Email and Web browser ports. But it seems that Microsoft keeps these ports a hidden secret for I could not find them listed anywhere on the internet or Microsoft’s Web sites. The best solution I came up with was “Start > Control Panel > Windows Firewall > Advanced Settings > Allow a program or feature through Windows Firewall.” Scroll down to “Windows Live Mesh” and uncheck the “Public” check box. But Windows magically created a new Windows Live Mesh entry and still connected across a public network…

Windows 7 Firewall can block applications from connecting to public networks. I will look into this. It is on my todo list.

Using a SSH tunnel to forward email ports, and use Dynamic port forwarding for the Web Browser to keep your laptop secure while on the road

2011-03-06T22:24:00.001-05:00

I blogged in the past about setting up a home SSH Server to use while on the road. I also blogged about how to setup the home wireless router to point DYNDNS.COM to that SSH Server from anywhere in the world. It is now time for the final step to get the Windows PC totally secure and tunnel every email and browser port to your home SSH server so you can get email, surf the web, and do everything in Windows totally secure from anywhere. Here is your script for doing just that once your SSH Server is setup:

echo off
REM
REM Download OpenSSH for Windows from http://sshwindows.sourceforge.net/ or
REM use use Putty’s PLINK.EXE from
REM http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html):
REM
REM This sets up a tunnel for Windows 7 Browsers:
REM
REM Tools > Internet Options > Connections Tab > LAN Settings button
REM Click on "Use a proxy server for your LAN" check box.
REM Click on "Advanced" button.
REM
REM Enter 127.0.0.1 in the SOCKS5 box. Port 8080.
REM
REM This sets up a tunnel for all email ports:
REM
REM Forwarded port TCP UDP Description Status
REM
REM 22 TCP UDP Secure Shell (SSH) used for secure logins, file transfers (scp,
REM    sftp) and port forwarding - Official
REM 25 TCP     Simple Mail Transfer Protocol (SMTP) used for e-mail routing
REM     between mail servers - Official
REM 80 TCP UDP Hypertext Transfer Protocol (HTTP) - Official
REM 110 TCP UDP Post Office Protocol v3 (POP3) - Official
REM 143 TCP UDP Internet Message Access Protocol (IMAP) management of email
REM     messages - Official
REM 220 TCP UDP Internet Message Access Protocol (IMAP), version 3 - Official
REM 587 TCP e-mail message submission[18] (SMTP) - Official
REM 443 TCP HTTPS (Hypertext Transfer Protocol over SSL/TLS) - Official
REM 465 TCP SMTP over SSL - Unofficial
REM 993 TCP UDP Internet Message Access Protocol over SSL (IMAPS) - Official
REM 995 TCP UDP Post Office Protocol 3 over TLS/SSL (POP3S) - Official
REM

if defined ProgramFiles(x86) (
set sshdir="%ProgramFiles(x86)%\OpenSSH\bin"
set sshpg="%ProgramFiles(x86)%\OpenSSH\bin\ssh"
echo Running script on 64 bit machine..."
) ELSE (
set sshdir="%ProgramFiles%\OpenSSH\bin"
set sshpg="%ProgramFiles%\OpenSSH\bin\ssh"
echo Running script on 32 bit machine...
)

set strSSHServer=yourdomainname.dyndns.(com, org, edu, etc.)

%sshpg% -L 25:%strSSHServer%:25 -L 110:%strSSHServer%:110 -L 143:%strSSHServer%:143 -L 220:%strSSHServer%:220 -L 587:%strSSHServer%:587 -L 993:%strSSHServer%:993 -L 995:%strSSHServer%:995 -D 8080 yourusername@%strSSHServer%

pause
exit 0

Using Windows 7 GodMode to quickly navigate to all your administrative needs

2011-03-01T23:50:00.001-05:00

Occasionally I come across an computer tip that is so useful it has to quickly go up on the blog. PCWorld posted an article on Feb 27, 2011 on Windows 7 GodMode. The title caught my eye so I had to read the article http://www.pcworld.com/businesscenter/article/220753/windows_7_godmode_tips_tricks_tweaks.html#tk.nl_hox_t_cbintro.

If you don’t want to spend time reading the article above create a folder on your computer and add it to your “Shortcuts” folder and desktop. Then create a BAT file in the folder with the following:

mkdir "God Mode.{ED7BA470-8E54-465E-825C-99712043E01C}
mkdir "Location Settings.{00C6D95F-329C-409a-81D7-C46C66EA7F33}
mkdir "Biometric Settings.{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}
mkdir "Power Settings.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}
mkdir "Icons And Notifications.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
mkdir "Credentials and Logins.{1206F5F1-0569-412C-8FEC-3204630DFB70}
mkdir "Programs and Features.{15eae92e-f17a-4431-9f28-805e482dafd4}
mkdir "Default Programs.{17cd9488-1228-4b2f-88ce-4298e93e0966}
mkdir "All NET Frameworks and COM Libraries.{1D2680C9-0E2A-469d-B787-065558BC7D43}
mkdir "All Networks For Current Connection.{1FA9085F-25A2-489B-85D4-86326EEDCD87}
mkdir "Network.{208D2C60-3AEA-1069-A2D7-08002B30309D}
mkdir "My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
mkdir "Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
mkdir "Application Connections.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}
mkdir "Firewall and Security.{4026492F-2F69-46B8-B9BF-5654FC07E423}
mkdir "Performance.{78F3955E-3B90-4184-BD14-5397C15F1EFC}

Open up a command prompt and run the BAT file. It will create a bunch of shortcuts making tweaking anything in Windows 7 two or three clicks away.

The only question I have is why doesn’t Windows 7 provide this by default?

A Simple Windows share setup with Fedora, Ubuntu and openSUSE Linux

2011-03-01T00:26:00.001-05:00

I showed a simple setup to share files in openSUSE using Samba Server with Windows… but how do you share files in Windows with Linux. I have years of scripts on my Windows machine that I wanted to copy to my Linux SSH server box for reference in an upcoming midterm. I did not want to explore using things like Windows “Public” shares, setting up special user accounts, using the new Windows 7 “Home Group” option, etc. All I wanted to do was setup Windows to share a directory and allow guest access to it.

The first thing I tried was to share a directory between to Windows 7 boxes. If I could do that then everything should work in Linux.

To connect to a share you don’t need to open up public access. If you really want to share files between Windows 7 machines the new “homegroup” option is really the way to go. Plus I imagine Microsoft is going to take “Public” access out of future versions of the operating system. Right click on the “Network” icon, Select “Change advanced sharing settings.” I opened up the “Home or Work” options:

And locked down the public options:

Right click on the folder you want to share “Select Properties > Sharing Tab > Advanced Sharing > Check the ‘Share this Folder’ box > Enter a share name.” When I attempted to connect from another Windows 7 box I got permission denied. I looked at various options and had to add “Everyone” to the list of groups that had access to the directory.

My needs are simple for my home network and there is nothing in this directory that someone breaking into my network can use except Linux System Administration scripts and notes which is an honest living. I would not do this for C:\ or something like that if I were you. Once mounted I just copy the files to my Linux directories so I don’t even need write access. To mount this in Fedora or openSUSE:

# mount -t cifs //192.168.1.122/Win7ShareDir /mnt

In Ubuntu type the following:

# mount -t cifs //192.168.1.122/Win7ShareDir /mnt –o username=Guest,password=

To be able to write files to your windows computer share “Right click on the shared directory > Select Properties > Click on the Share button > and grant Read/Write permission to Everyone.

NOTE: If you are connecting to the Windows 7 computer with no password then you are connecting with the guest account. In order to access the files on the drive, the everyone group needs to have access set here.

To view visible shares in Windows open the network path to your computer. For example, if your computer was named hope, you could view your computer by clicking Start / Run and typing \\hope. Running this command opens a window and will display all available network shares. It is important to realize that this will not show hidden shares. Running the net share command explained below will.

View your computer through "Network" double click on the icon > double click your computer name.

Opening your computer through "Network neighborhood" or "My Network Places" will enable you to view your computer's shares and any other computer's shares in your network.

The "Network neighborhood" or "My Network Places" is accessible through your desktop and you must open the workgroup that your computer belongs to before being able to view your computer's shares. This also will not display any hidden shares.

Use the MS-DOS "net share" command. To use this command, follow the below steps.

Click Start / Run and type "cmd" and press enter.
At the MS-DOS prompt, type "net share" and press enter. This will display each of the shares, the location of the resource, and any remarks for that share. Below is a basic example of what this may look like.

If you want to use Home Groups or “Public” shares, Microsoft has a good web page to read http://windows.microsoft.com/en-us/windows7/File-sharing-essentials.

Setting up a simple Samba Server configuration in openSUSE 11.3 to share files with Windows 7

2011-02-28T01:41:00.001-05:00

In my Linux administration class we have to install Samba server in openSUSE 11.3 and allow the instructor to connect and retrieve a file. I have a personal interest in getting file sharing working at home so I can copy files to/from my virtual Linux machines to all my Windows environment running on the same/other computers. As with most home users my needs are simple. I want to setup a directory tree to share in my virtual openSUSE machine and map a windows drive there when I need it. The share can be wide open in my home network so security is not really a concern. As I got into all this I could find nothing on the internet or in my many Linux books about how to do a minimal install and configuration. Things can get very complex with Samba quickly. I have no doubt people are making careers configuring Samba in corporate environments. My first attempt at getting all this working somehow disabled my ability to share anything at all. When I logged in as “root” to use “Dolphin” to open up directories to share I got “Only folders in you home folder can be shared.” I searched the internet and could not find a solution to this problem. So I installed another 64-bit openSUSE virtual environment to start from scratch.

SUSE is nice in the fact that it will allow root logins unlike Ubuntu. To be consistent I setup my first virtual user as Full name: and User name: “sudoroot.” For Virtual Machine name: I always use the name of ISO file. It contains everything you would ever want to know about the virtual environment.

On the final configuration screen click on the “Customize Hardware” button and change the “Network Adapter” setting from NAT to bridged. This will allow connections from other computers on your home network. If you only have one computer leave it as NAT… you can connect from that computer to any virtual environments that is running. If you have a floppy drive change it to “Connect at power on.” Click on “Finish” and let VMware install openSUSE 11.3.

See my blog entry “Getting Online Update and DVD package installs working in openSUSE 11.3 running in VMware Player 3.1.3, NAT to bridged in VMware player,” for a how-to on getting online updates working in openSUSE… if they do not work with the default settings. Log in as “root” and apply all online updates “Application Launcher > Computer > YaST > Online Update.” If you get an error go into “Yast > Software Repositories” and remove the bad default repository. The click on “Community Repositories > Next > Add” and add in the repositories. I add “Main Repository (OSS), Main Repository (NON-OSS) and Main Update Repository.” Click on “Application Launcher > YaST > Online Update” and everything should work. To save the mouse clicking finger “Right click on any of the updates > Select “All in This List > Install.”

To see if Samba is installed in openSUSE (it is by default) and Fedora type the following:

# rpm –qa | grep samba

You will see something like the following:

samba-client-3.5.4-5.3.1.x86_64
samba-client-32bit-3.5.4-5.3.1.x86_64
samba-3.5.4-5.3.1.x86_64
yast2-samba-server-2.18.3-3.2.noarch
yast2-samba-client-2.19.6-1.4.noarch

Backup the Samba configuration files:

# cd /etc
# cp xinetd.conf inetd.conf.orig
# cd /etc/xinetd.d
# cp –p swat swat.orig
# cp –p servers servers.orig
# cp –p services services.orig

# cd /etc/samba
# cp –p cifstab cifstab.orig
# cp –p dhcp.conf dhcp.conf.orig
# cp –p lmhosts lmhosts.orig
# cp –p smb.conf smb.conf.orig
# cp –p smbusers smbusers.orig

# cd /etc/xinetd.d
# cp –p servers servers.orig
# cp –p services services.orig
# cp –p swat swat.orig

You will want the samba-doc repository if you are working with Samba so install that… samba-doc-3.5.4-5.3.1.noarch.

Click on “Application Launcher > Computer > YaST > Network Services > Samba Server.” Click on the “Start-Up” tab and select “During Boot.” Click on the “Identity” tab and enter “WORKGROUP” as your openSUSE Samba Workgroup which by default in Window 7 is “WORKGROUP.” If you are not sure, in Window 7 right click on on the desktop icon “Computer” and select “Properties.” In openSUSE for “Domain Controller” select “Not a DC.” Click on OK.

OpenSUSE comes with a number of preconfigured shares so why not just use one of those. I chose to share all my user home directories as “public > writable” where the name of the share is “users” by default. Click on “Application Launcher > Right click on Dolphin and add it to your Desktop and the Panel.” Double click on “Dolphin” and select “Root in the left menu > Right click on home > select Properties > Click on the Share tab.”

Click on the “Configure File Sharing… button.” Click on the /home/ entry and select the “Change…” button.

On the bottom select “Public and Writable > Click on OK” to enable a window map full access to your user directories. Share with Samba (Microsoft(R) Window (R)) should already be selected.

Go into “Windows Explorer > Tools > Map Network Drive” and enter the IP Address of your openSUSE host obtained with “ifconfig” followed by “users” which was just set up. Click on “Finish” to connect to the /home share.

Now that we have the minimal Samba configuration working we might want to use SWAT (Samba Web Administration Tool) to do more complex things later.

MORE TO COME ON GETTING SWAT WORKING!

The internet article http://www.linuxquestions.org/questions/suse-novell-60/samba-smb-file-sharing-in-opensuse-11-2-a-796399/ also has useful information if you want to go further with a minimal Samba configuration. From the article:

Loading Samba into openSUSE 11.2:

By default I think you will get most of Samba program files already loaded for you, but we will want to add to the list and verify that you have everything your need to get Samba up and running. Even though I am using 64 bit software, I am still loading the 32 bit versions to ensure all 64 and 32 bit program will work properly with Samba. If you are running 32 bit openSUSE, you just need to leave out the 64 bit version, if they are ever a choice for you. I assume you have the default “Software Repositories” installed for you when openSUSE is installed connected to a network that had access to the INTERNET.

Menu > System > YaST > enter root password to start YaST Control Center

In YaST Select: Software > Software Management

In YaST2, pick the “Search” tab and enter “samba” and press the search button. You want to have installed the following applications so check any programs that are missing to be installed for you:

samba
samba-32bit
samba-client
samba-client-32bit
samba-doc
samba-winbind
samba-windind-32bit

Other files may be installed for you after you make your selections. The samba-doc file is not loaded by default and is imported when we use the SWAT browser configuration program. After making your selections press the “Select” button on the bottom right and allow the missing applications to be loaded into openSUSE for you.

Securing your home wireless network, implementing home router security settings; configuring the home router for all your needs

2011-02-16T03:11:00.001-05:00

Let’s secure our home network against all the unscrupulous people out there! In my travels I have been to friends and family where their wireless networks were running with no security at all! Some people connect directly through their cable modem. I almost sick up at the implications… and tell them how crazy that is… but the care factor is minimal. They don’t know it but their network is a GIANT BILLBOARD ADVERTISMENT to every criminal/terrorist/porn-surfing-neighbor out there to please use my home network and hack into everything I do, also please conduct all your porn/criminal/terrorist activities using my home network… Criminals, robbers and terrorists don’t just watch what you are doing… they use your home wireless network for access to the internet to do all sorts of unsavory things. Uncle Sam is watching also, so if homeland security comes knocking on your door asking about your home internet activity… don’t be surprised. As an experiment, I enabled the SSID broadcast on my router and watched to see it anyone would attempt to connect to my home network. Guess what… I got two attempted connections in less that one hour. I assume they tried the default SSID/Login/password… but I had changed all that!

If you don’t know how to setup your home router, READ MY BLOG, find a friend or relative to help you do it… or even pay someone… If you do not, plan to spend hours/days/weeks of your valuable time fixing problems that hackers, pickpockets, an identity thieves create for you. For example, I was at the bank yesterday and a women was there with her statements showing transactions on her checking account that she did not initiate. How much do you want to bet that someone hacked her network or password and is a bit richer now? Don’t be a victim, seek computer router help now. I would gladly help friends and family secure their home networks (and anyone reading this blog), but nobody ever asks me to do so. It is strange… if you have a doctor in the house and a family member is sick, no one hesitates to ask the doctor for advice. But if you have a knowledgeable computer person nearby… no questions asked… I guess I should be thankful! But I really do want to help keep my blog readers, friends and family to be secure.

If you are using and old router, especially a wireless one with only WEP encryption (stands for Wired Equivalent Privacy), buy a new one. From http://en.wikipedia.org/wiki/Wireless_security “this type of encryption is now being considered outdated and seriously flawed.” It does not take a brain surgeon to understand that as we develop encryption methods and security measures… unscrupulous people are out there figuring out ways around it. The only thing us poor hapless users can do is upgrade our hardware every few years… and then learn everything we can about locking it down with the options the new hardware/firmware provide. I’ll try to put together a project about “Hacking WEP encryption” and throw that up on blog when I can find time.

Another serious mistake I see people making is buying new hardware and using the default settings. Just because the hardware (wireless router) is new… don’t think that the default settings are secure. Most routers come with minimal default security settings. You can lock it down a lot tighter with a few simple changes and a few hours of work.

To blog about a thing I must destroy a thing… So I turned my router upside down and pressed the reset button to return it to the default factory settings… OUCH… many hours of work ahead!

If your cable modem is NEW it cannot connect to the internet without a call to your ISP to register the MAC address.
If you reset your router like I did, the router is may not connect to the internet through the modem without a few extra steps. To test your connection click on “Basic Settings > Default or Use this MAC Address > Test” to see if the router will connect to your ISP on its own.
After the reset, I admit, a call to my ISP provider was necessary to get my router talking to the internet again. Just logging into the router and clicking on “Setup > Basic Setting > Get Dynamically from ISP” did not work. You can also try “Maintenance > Router Status > Click the Connection Status button > Release/Renew”. I tried the usual like powering down the router and cable modem to no avail. What the ISP had me do was power down the router… and then disconnect the power and cable connection from my cable modem for 20 seconds. I connected the power and cable back to modem and waited till my ISP could see the modem. I then powered up the router checking the connection light on the router indicating that the router and cable modem were talking. My attempt to get an IP address failed. I had already configured my DNS to static IP’s pointing at my OpenDNS and my ISP, so I changed this to “Get Automatically from ISP” and shazam everything worked.
Now that we are connected, update the firmware on the router.
Go into “Maintenance > Router Upgrade” and check the box “Check for new version upon login.” If there is one device you want to keep the software up-to-date on at home it is your router. All you have to do is log in occasionally to keep the software up-to-date.
Change the login password, “Maintenance > Change Password”. My routers max password length was 30 characters.
Select Language in upper right corner: I changed it from Auto to English. Might save a nanosecond or two…
This is not necessary but who knows… Go into “Setup > Guest Network b/g/n” and uncheck “Enable SSID Broadcast and Select WPA2-PAK [AES]”, continue reading to understand. Enter a generated passphrase and record it.
Go into “Setup > Guest Network a/n" and do the same thing.
We will later disable SSID Broadcast on all wireless connections after they are configured. From my routes help:

Enable SSID Broadcast

If this feature is enabled, the wireless router will broadcast its name (SSID) to all wireless stations (and I add to criminals, neighbors, the man.. any device) within broadcast range of your router. Stations that have no SSID (or a null value) can then adopt the correct SSID for connections to this access point.

If you have a Wireless laptop, right click on the desktop screen select “Personalize > Change Desktop Icons > and check Network.” Now go to your desktop screen and right click on the Network icon and select Properties. You will see “Connect to a network” on the right bottom so select that. Look at how many network there are to connect to. On my computer I have six! All broadcasting their names saying please connect to me…
This broadcast is not necessary and a security leak once you have configured your wireless equipment to connect. I record everything in my KeePass Password Safe database. You will need it set to broadcast to make things easier for initial wireless setup of your wireless devices… just don’t forget to turn it off after everything is done.
Change the mode for the 2.4Ghz to 300 Mbps. If your wireless devices were purchased in 2009 or later they probably support “Performance Mode”… or 11a and 11n wireless stations. If you want to read about wireless protocols go to http://en.wikipedia.org/wiki/IEEE_802.11. 802.11n is a new multi-streaming modulation technique that supports both 2.4Ghz and 5Ghz. One thing to consider is your range may be affected at 300 Mbps… or so I read… did not have any effect in my little house. If a device does not see the router or will not connect try changing the channel first… then try changing it back to 130 Mbps. I had no problems at 300 Mbps. From my router help:

Mode

Select the desired wireless mode. The options are:

Up to 54 Mbps - Legacy Mode with maximum speed of up to 54 Mbps for b/g networks.
Up to 130 Mbps - Neighbor Friendly Mode, with a speed up to 130 Mbps in presence of neighboring wireless networks.
Up to 300 Mbps - Performance Mode - Maximum Wireless-N speed up to 300 Mbps.

The 2.4GHz (b/g/n) default is Up to 130Mbps, which allows all 11b and 11g and 11n wireless stations. The 5GHz (a/n) default is Up to 300Mbps, which allows all 11a and 11n wireless stations.

Set the security Options to “WPA2-PSK [AES]”. You can read all about it at http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access. WPA-PSK [TKIP] only operates at “Up to 54Mbps” rate, not N rate. So if your gear supports it just use WPA2-PSK [AES] as your encryption protocol to get full N support. Why open up another protocol as a security hole for devices to use another encryption standard to hack into your router unless you have to.
Change the “Name (SSID):” from the router default to something like <WebData-2.4G or StreamVideo-2.4G> for the Wireless Network (2.4Ghz b/g/n); and <WebData-5G and StreamVideo-5G> for the (Wireless Network 5GHz a/n). I list both because my PS3 would only connect at 2.4G… So I used the 5G for my laptop. These passwords are the only two passwords you may not want to generate. You will have to retype this password into all your wireless devices to allow them to connect to your router. Using WES might take care of this but I did not try it. So I had to use the streaming video device remote(s) to select one character at a time on the TV screen.
You probably notice the names I picked (WebData-xG and StreamVideo-xG) to imply a specific use for each connection. What you want to do (if you have family member(s) streaming video while you are on the computer) is connect your wireless (Laptop) computers to one “WebData-xG” network, and connect your Streaming media http://en.wikipedia.org/wiki/Streaming_media, Voice over Internet Protocol (VoIP) http://en.wikipedia.org/wiki/VoIP or Skype VoIP http://en.wikipedia.org/wiki/Skype_protocol proprietary protocol; devices to the other network “StreamVideo-xG.” From PC World March 2011, this will give you “Simultaneous dual-band wireless: Concurrent wireless allows you to perform ad-hoc QoS by splitting traffic between two networks.” I will talk about QoS later.
Also if you separate the networks you might be able to “Enable Wireless Isolation” for your wireless devices… unless you have a music library on your PC you want to connect to from your video devices… or you to share files with the Laptop… using Window Homegroup, FTP, SFTP, etc. between home computers.

Enable Wireless Isolation

If checked, the wireless client under this SSID can only access internet and it can‘t access other wireless clients even under the same SSID, Ethernet clients or this device. Other clients can‘t access the wireless client, either.

Most of us are using streaming video these days. So check the box “Enable Video Network”. From the Routers Help:

Enable Video Network

(For 5GHz a/n network only) Select this check box if you will be streaming HD video. When this option is selected, the router uses Video reliability algorithms to reduce jitter and packet loss during video presentations. If you will not be streaming video, leave this check box unchecked. Below is what is will all look like:

You can configure the router's wireless settings, or add a wireless client through WPS using the router's PIN only when the PIN is enabled. The router's PIN can be disabled temporarily when the router detects suspicious attempts to break into the router's wireless settings by using the router's PIN through WPS. You can manually enable this function by clearing the check box and clicking the Apply button. To do WES there is a button on your router you can push. From my Router’s help:

You can use WPS, or use PIN entry to add a client to the router. I did not find this necessary for it was just as easy, to me, to go to the few wireless devices we own and configure them manually. You should disable this once you have setup all your wireless devices.

Router's PIN

This is the PIN number you use on a registrar (e.g., from Network Explorer on a Vista Windows PC) to configure the router's wireless settings through WPS. You can also find the PIN on the router's product label.

Disable Router's PIN

You can configure the router's wireless settings or add a wireless client through WPS using the router's PIN only when the PIN is enabled. The router's PIN can be disabled temporarily when the router detects suspicious attempts to break into the router's wireless settings by using the router's PIN through WPS. You can manually enable this function by clearing the check box and clicking the Apply button.

Now let’s really lock things down. Power on all your wireless devices that are connected to your router… NOTE: To get the following to work I had to power off and back on the router. Go to “Maintenance > Attached Devices” and look at all the Device Names and MAC addresses attached to your router. If you have DVD players or PS3’s the device name will be blank requiring extra effort.
Go into “Advanced > Wireless Settings > Click on Set Up Access List button” and start adding devices. Adding the home wireless laptop(s) is/are easy. Just select them from the list and the device name and MAC Address are added. NOTE: Once SSID broadcasting is disabled the laptops will no longer connect to the router. You have to connect them with SSID enabled. Right click on the “Network” icon and select “Properties,” go over to the right side and click on “Internet > Wireless Network Connection (networkname-5G)” and select the “Wireless Properties” button. Check the box labeled “Connect even if the network is not broadcasting its name (SSID).”
The PS3 and other devices are different. They don’t have device names listed on the router screen. So it is not easy to identify their MAC addresses from the list. I had to go to each device and work my what through the labyrinth… on the PS3 to get Netflix streaming again I had to log into the PlayStation Network and then retype and login to Netflix. While I was at it I updated both the box firmware the PlayStation Network software. I then went to “Settings –> Systems Settings > System Information” to look at the MAC address and the device name. The MAC address was listed on the router screen so all I had to do was add the PS3 device name. You could just cut them on and off one by one also but I like to see the MAC address just to be 100% sure.
If you have a streaming DVD Player is will/may not have a Device Name, so you will have to look at something like “Setup > Network > Connection Settings.” This will at least show the MAC address, and then you can make up your own Device Name.

Click on “Setup > Wireless Settings” to configure your “Wireless Security Options” to the most secure settings. Uncheck “SSID broadcast.”
Make a backup of the router configuration so you have a copy of the default configuration if you ever want to restore it. The basic router settings are done.

The next thing we do is configure the router to use OpenDNS as the primary DNS. You can read about it at http://en.wikipedia.org/wiki/OpenDNS. From Wiki, “OpenDNS offers advanced features, such as misspelling correction, phishing protection, and optional content filtering.” I make my secondary DNS my ISP so I have redundancy if one of the DNS providers fail... or the internet route to OpenDNS fails. You don’t have to register with OpenDNS to use their IP. Just configure 208.67.222.222 into your router. Go to “Setup > Basic Settings > Domain Name Server (DNS) Address” and click on “Use these DNS Servers.” Configure OpenDNS as the primary and the ISP Provider “Primary IP” as the Secondary router IP address. I blogged about the benefits of OpenDNS in the past.
Now let’s add in things like our DYNDNS domain… I have blogged about this in the past so I won’t include screen shots… From my router help:

When done, to make sure you set everything up properly click on “Show Status” button and you should see “yourdomainname.dyndns.org / updated successfully at 11:55 pm, 02/18/2011.”
A while back I setup up a static IP on my Printer… To do so cut it on, log into the router and go into “Attached Devices,” cut and paste the Device name, MAC and IP address into Notepad++. Set the printer to use this address as a static IP address. I did this because every time my printer got a new DHCP address I would have to reconfigure the printer on all my computers to the new IP address. On my printer I “Press Menu > Admin Menu > Wired Network > TCP/IP > IPv4…” and set the IP/Subnet/and Gateway.
Now setup your “Address Reservations” for your printer, and your home Apache Web, SSH tunnel or other servers. I have blogged about how to do this in my SSH home server project. The easiest way is cut them on and let them connect to the router, then click on “LAN Setup > Address Reservation” and add them in. They will attach to your router with the static IP’s you configured on my other projects. If against all odds (happened to me) the computer you are using to configure the router has the IP address of one of your static IP’s you will have to open a command prompt and do a “ipconfig /release” followed by “ipconfig /renew.” From the router help:

Address Reservation

To reserve an IP address:

Click the Add button.
Select the radio button of the computer you wish to add from the Address Reservation Table.
If the computer is not on the Address Reservation Table, enter the IP address, MAC address, and device name of the computer you wish to add.
Click the Add button when finished.

Setup your “Port Forwarding” for your Web, SSH or other server. Go into “Advanced > Port Forwarding,” select “Port Forwarding” and click on the “Add Custom Service” to add SSH. My router did not offer SSH as a selectable Service Name. In the custom configuration screen you must also select the protocol. If you go to http://en.wikipedia.org/wiki/Transport_Layer_Security it states:

Historically it has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

So rather than allow two protocols access to your SSH server I set it to “TCP only.” Connect ability has been tested from my local community college bypassing their proxy. This allowed me to securely view my email and surf the web without big brother college Proxy watching everything I do (See my blog entries on setting up a SSH tunnel, last one named: “Final steps to secure SSH tunneling for your Laptop while on the road.”
I mentioned QoS when we split the wireless networks. Click on “QoS Setup” on the left menu. From the router help:

QoS is an advanced feature that you can use to prioritize some Internet applications and online gaming, and to minimize the impact when the bandwidth is busy.

If they are not enabled already (my router default was enabled), you should probably enable WWM (Wi-Fi multimedia) settings for 2.4GHz b/g/n and 5GHz a/n. From the router help:

WMM (Wireless Multimedia) is a subset of the 802.11e standard. WMM allows wireless traffic to have a range of priorities, depending on the kind of data. Time-dependent information, like video or audio, has a higher priority than normal traffic. For WMM to function correctly, wireless clients must also support WMM.

From March PC World 2011, “WME, WMM: Wireless Multimedia Extensions and Wi-Fi Multimedia are two name for the same 802.11e wireless QoS service. Enable WME or WMM if your router supports it. That setting will help with streaming applications such as voice and video, if the wireless device at the destination supports it. You may see an option for acknowledgement, which triggers the resending of data on errors; for real-time streaming applications, however, this option won’t help.”

I wanted to know more about if WMM would help my wireless devices function optimally. The PC World article also stated, “Enable WMM to help with wireless video. If you see a video entry in your router’s QoS section, put it on the highest setting. Some newer routers come with their own proprietary video-streaming enhancements; enable them.”

I tried surfing to many questionable sites IN A VIRTUAL XP ENVIRONMENT… “when you are surfing where no one may want to go, use a virtual environment for your computers safety!”" Most of the following I took from the only good article I could find on the internet about WMM at http://www.smallnetbuilder.com/wireless/wireless-features/30833-does-wi-fi-multimedia-wmm-really-do-anything-part-1. Not sure I would go there if I were you, the page wanted to install a Pop-Up and has a ton of advertising so I cut and pasted some of it for your benefit. Excerpts from the Web pages:

The WMM Checklist
To take advantage of WWM functionality in a Wi-Fi network, three requirements have to be met:
(1) The access point is Wi-Fi CERTIFIED for WMM and has WMM enabled;
(2) The client (device) that the application is running on must be Wi-Fi CERTIFIED for WMM; and
(3) The source application supports WMM.

As indicated by the bold italics, it turns out that the third point is the weak link in the path to all the QoS goodness promised by WMM.

According to the white paper, WMM defines four access categories (ACs) derived from 802.1d, which correspond to priority levels (Table 1). The 802.1d tags are also used by 802.1p. Table 1: WMM Access Categories:

He was using Windows XP. I’m hoping no-one reading this blog is being tortured by XP so I’m only blogging about how to do this in Windows 7. In XP a registry hack was necessary to get everything working, and he enabled “Ad Hoc QoS Mode.”

To enable “Ad Hoc QoS Mode” in Windows 7: “Right click on Computer > Select Properties > In left menu Select Device Manager > In left menu select Network Adapters > Right click on Intel® WiFi Link 5100 AGN > Properties > Advanced Tab > Ad Hoc QoS Mode” and change Value to “WMM Enabled…” Click on “OK”.

He also had to enable QoS Packet Tagging for the Ethernet NIC on the Laptop machine. I checked Windows 7 and this was enabled by default. If you want to check this “Right click on Network Icon > Click in the Wireless Network Connection (WebData-xG) > Click on Properties button” and you should see a check mark next to “QoS Packet Scheduler.” If you want to read more about this for XP and Vista Microsoft has a good article at http://technet.microsoft.com/en-us/magazine/2007.02.cableguy.aspx and http://www.intel.com/support/wireless/wlan/sb/CS-015402.htm. From Intel:

When should the feature be enabled?
Consider enabling the Intel Throughput Enhancement setting when operating in an environment where equal access by all clients is not necessary and higher throughput on uploads is desired. Streaming video, uploading large files, and sharing content are examples of applications that would benefit from using the Intel Throughput Enhancement. Short duration or periodic traffic such as Voice over IP (VoIP) will not see much improvement when using the Intel Throughput Enhancement.

When should the feature be disabled?
The Intel Throughput Enhancement setting should be disabled in an environment where equal access by all clients is a priority. Intel Throughput Enhancement should be disabled in mixed-mode (802.11b and 802.11g) environments.

If you are a gamer, web host, or just the home user who wants to do downloads while you family watches streaming Netflix video on the TV then there is more work to do. Click on “QoS Setup left menu > QoS Priority Rule button” settings. From my routers help:

Turn Internet Access QoS On

If this feature is enabled, the QoS function prioritizes Internet traffic. For applications, online gaming, an Ethernet LAN port, or a specified MAC address that already exists in the drop-down list, you can modify the priority level by clicking the Edit button. You can click the Delete button to erase the priority rule. You can also define the priority policy for each online game, application, LAN port, or the computer's MAC address by clicking the Add Priority Rule button.

For Applications or Online Gaming

To set up the priority for an application or online gaming:

1. Select Applications or Online Gaming from the Priority Category lists.
2. Select the Internet application or game you want to use from one of the relevant lists.
3. Select the priority level: Highest, High, Normal, or Low.
4. You can also type the name in the QoS Policy for field for this rule.
5. Click Apply.

For an Ethernet LAN port

To set up the priority for computers connected to a LAN port:

1. Select the number of the LAN port for which you want to specify the priority level.
2. Select the priority level: Highest, High, < b>, or Low.
3. You can also type the name in the QoS Policy for field for this rule.
4. Click Apply.

For a MAC address

To set up the priority for a specified computer through its MAC address:

1. Select the MAC address from the Priority Category list.
2. Click the Refresh button to update the list of those computers already connected to routers.
3. Select the entry's radio button in the table.
4. Modify the information in the MAC Address and Device Name fields.
5. Select the priority level: Highest, High, Normal, or Low.
6. You can also type the name in the QoS Policy for field for this rule.
7. Click the Edit button.
8. Click Apply.

To add the priority for a specified computer through its MAC address:

1. Select MAC Address from the Priority Category list.
2. Enter the MAC address of the computer for which you want to define the priority.
3. You can also enter a name in the Device Name field.
4. Select the priority level: Highest, High, Normal, or Low.
5. You can also type the name in the QoS Policy for field for this rule.
6. Click the Add button.
7. Click Apply.

I tried setting the MAC address of my streaming video devices “High” first... the next setting is “Highest.” You will see any connected computers listed as “Priority Normal.” Da wife did some video streaming with these settings and I rushed upstairs and kicked off some BIG downloads… I waited for the cell phone to ring (she was to call me if streaming stopped flowing… but picture was unbroken… However, when I went down later she complained that the picture quality was very poor... and it was. Since I don’t care how long a download takes I changed the setting to “Highest” for my streaming video devices. The important thing was, to keep household peace, I could now do downloads while the family gets to enjoy streaming video in the evenings. Life at home is good again!

The last step, yes we are here at last, is to backup your configuration. Go into “Backup Settings” and click on the “Back Up” button to save a copy of current settings. I named it “xxxxxxxFinalSettings.cfg.”

Fix the Wi-Fi problems in the house

If you are having problems with your Wi-Fi range, try repositioning the router away from potential sources of interference. Microwave ovens, cordless phones, baby monitors, your neighbors Wi-Fi network could be causing problems. You can also try boosting the signal. Also make sure your firmware is up-to-date by logging into the router occasionally and updating it. Not only can old firmware slow down your router, it can also be a security concern.

You can read more about Wi-Fi problems at http://find.pcworld.com/71972. For additional details and product suggestions go to http://find.pcworld.com/71971.

Another idea is to use your homes electrical wiring to network your devices. You can add HomePlug AV powerline-networking support to your Wi-Fi network. You can read about it at https://www.homeplug.org/home/.

VMware won’t start giving message: Remove disks or other media. Press any key to restart

2011-02-15T01:18:00.002-05:00

Yesterday most of my virtual environments would not start. I got the following message when I went to start them:

I searched and searched on the internet for an explanation. The weird thing was my recent install of Linux Mint started just fine. I tried examining the VMware Virtual Machine settings to no avail. Linux Mint was the only operating system that would start.

I finally ejected the floppy that I was using to backup some files… and magically everything started working again. So to keep VMware environments booting keep that floppy out of the floppy drive! It is always the simple things that waste our valuable time.

Creating a Linux Mint 10 Virtual Machine in VMware Player 3.1.3

2011-02-12T04:42:00.001-05:00

My college instructor was impressed with Linux Mint and introduced the Linux Administration students to it a few weeks back handing out bootable CD’s. After seeing Mint booted off the CD I wanted to install the full DVD version in my VMware Virtual Player. If nothing else because the project is based outside the United States the full blown version contains all the CODEC’s for audio and video included. For that reason alone I wanted to get it working.

If you don’t have it you can get VMware Player here http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0. You can read about “Linux Mint” and download it at http://www.linuxmint.com/.

Linux Mint is not listed as an option to select in VMware Player. But if you do some digging it is based on Ubuntu (I tried various “Other” options and they would not work).

Bring up VMware Player using my command file. See my blog entry entitled “Starting and stopping VMware Player 3.1.3 and its services keeping your computer finally fast!”
Click on “Home” in the upper left and select “Create a New Virtual Machine.” Browse to your download Linux Mint ISO file linuxmint-10-gnome-dvd-amd64.iso.

Pick “Linux” and for Version select “Ubuntu 64-bit.” Why “Ubuntu,” if you browse to http://www.linuxmint.com/about.php you will read that Mint is based on Debian and Ubuntu and provides about 30,000 packages. I did not try selecting “Debian 5 64-bit” but that may work also.
As you install more and more virtual machines you will need to standardize how you set them up to keep track of what is what. I use the ISO file name as my Virtual Machine name. It is hard to keep track of 32 bit verses 64 bit… or DVD verses CD… or Gnome verses KDE… you get the picture. The ISO file name has all the information you need to completely identify a Virtual Machine Install. Also if you look in the directory C:\Users\admin\Documents\Virtual Machines you will see all the directory names housing your virtual machines which you want to be as descriptive as possible.

The next two screens I went with the defaults at first and you can try that... it worked on my i386 machine. But the 64-bit install blew up multiple times near the finish line with a network error. So I reluctantly changed the network connection from NAT to Bridged and install went flawlessly. We can try changing it back to “NAT: Used to share the host’s IP address” after the install is complete and all the updates have been downloaded. A NAT address is more secure because it only allows traffic out of the Virtual machine but not in. You only need Bridged access if you have to connect to the computer from another device/computer. Bridged enables DHCP with your router and your VMware environment on your home network will be assigned an IP address. I have blogged about all this in the past.
To change the network connection click on “Configure Hardware…” button, select “Network” and check the “Bridged” radio button. Click “OK” and “Finish.”

You will see “Automatic Boot in 10 seconds” and then Linux Mint 10 will start installing. The software will come up to a screen with a few icons. Click on “Install Linux Mint.” You will go through a few screen that are self explanatory. Accept the defaults. On “Where are you?” keep clicking till you find your city… I could not enter it manually.

Keep going till you come to the “Who are you?” screen. This is where standardization comes in again. “Your name:” is optional. For “Your computer’s name:” pick a hostname that is not 100 characters long but identifies the computer and the type of install. I use “<motherboard or master computer model>-mint-10-64.” If you have multiple computers running virtual environments you have to identify in the Virtual computer name which computer is running the virtual machine. As you install more and more Linux flavors/versions/CPU’s you have to be able to distinguish between them… especially if you are setting up servers and establishing connections between them.
“Pick a username:” this is almost always your “sudo su –“ to root account... you should create other user accounts for things like scripting. I try to name this account the same in all my Virtual Installs. Makes establishing connections using things like Samba, FTP and SFTP to the account easy to remember. I call this account “sudoroot”. Short and easy to type and remember as I setup and run virtual machine after virtual machine.

The next step is to install VMware tools. I have blogged about how to do this in the past so I won’t include every step here.

Click on “Virtual Machine” and select “Install VMware Tools.” This will mount VMware ISO as a CD. However you want to do it copy the file VMwareTools-8.4.5-324285.tar.gz to the /tmp directory. I open a terminal window from “Menu > Terminal.”

$ sudu su -
# cd /media
# cd “VMware Tools”
# cp –p VM* /tmp
# cd /tmp
# tar zxf VMwareTools-8.4.5-324285.tar.gz
# cd vmware-tools-distrib
# ./vmware-install.pl

I accept the defaults. You will see a message at the bottom of the screen “VMware Tools is installing. Follow the instruction in the guest operating system to complete the installation. Eventually you will come to:

Before running VMware Tools for the first time, you need to configure it by invoking the following command: “/usr/bin/vmware-config-tools.pl”. Do you want this program to invoke the command for you now? [yes] <enter>… this will install the tools. Eventually you come to:

You must restart your X session before any mouse or graphics change take effect.

You can now run VMware Tools by invoking “/usr/bin/vmware-toolbox-cmd” from the command line or by invoking “/usr/bin/vmware-toolbox” from the command line during an X server session.

To enable advanced X features (e.g., guest resolution fit, drag and drop, and file and text copy/paste), you will need to do one (or more) of the following:
1. Manually start /usr/bin/vmware-user
2. Log out and log back into your desktop session; and,
3. Restart your X session.

At this point I reboot:

# shutdown –r now

The last step in getting a fully functional version of Linux Mint is to download and install all the latest updates. Every flavor of Linux seems to have a different way of doing this. In Linux Mint click on “Menu > Administrator > Update Manager, <enter suduroot password>, > Install Updates”. You will see “Downloading Package Files”… Do a “# shutdown –h now” after the install is complete. Change the network back to a NAT and play the Linux Mint Virtual Machine. It should boot just fine. Do a “$ ifconfig” and try Firefox, the change back to NAT should be AOK.

How to use Virtual environments to surf the internet and read email to secure your home computer core operating system from viruses and spyware!

2011-02-11T02:28:00.001-05:00

With everyone working on CISSP I am researching my own security projects as they come to me in my studies. It hit me recently that Virtualization is yet another way to secure our home and laptop computers. The two most often ways home computers are attacked are via email and browsing to unscrupulous web sites. No matter how fast the software companies plug the leaks… the hackers are one step ahead. Virtualization allows us to put those viruses and spyware in a controlled/virtual box. This protects your home/laptop computer from attack. If these malicious hackers destroy your virtual install just delete it and create a new one. Don’t forget to change your email passwords also.

Create the ultimate install of Windows 7 (blogged about in the past) and then install Virtualization into Windows 7 using either “Virtualbox” http://www.virtualbox.org/ or VMware Player http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0 leaving your original install in perfect condition. Then install virtual operating systems of various Linux and Windows versions keeping your original Windows 7 operating system pristine (or finally fast… lol). We can surf to questionable web sites introduced by the search engines researching the technical computer questions we are constantly seeking answers to without worry.

Microsoft has an answer that put the kibosh on all that… they limit how many times you can register Windows (or so I told by the University students) so you don’t want to go burning registrations on Virtual Machine installs. But if you have an old XP version of Windows lying around… like I do why not burn one of those? Then you can install Firefox, Google Chrome, CCleaner, Putty, etc. in your (virtual) XP environment and surf like mad… never using your Windows 7 environment except for safe and secure stuff. If you leave the Network connection as NAT this keeps you even more secure. That is what I am doing now! I do all my risky internet activity using my virtual machines.

To use your virtual Windows XP environment for email I suggest Thunderbird http://www.mozilla.org/projects/thunderbird/ which really works great… especially if you have multiple accounts like I do. You can read about Thunderbird at http://en.wikipedia.org/wiki/Mozilla_Thunderbird.

What I did was setup Gmail in Thunderbird. Thunderbird is smart enough to know the optimal settings and configures everything for you. All you enter is email address and password. I then went into Gmail and set it up to retrieve the POP3 mail from my ISP email account. Don’t want my ISP email popping down to a temporary virtual XP install. Gmail is IMAP which leaves the email on the server and keeps everything in sync. The last thing I did was setup Hotmail in Thunderbird. Hotmail is uses secure POP3 which from http://en.wikipedia.org/wiki/Pop3, “Clients that leave mail on servers generally use the UIDL command to get the current association of message-numbers to message identified by its unique identifier. The unique identifier is arbitrary, and might be repeated if the mailbox contains identical messages. A POP client must fetch the entire UIDL map. For large mailboxes, this can require significant processing.”

I was worried that I was about to POP all the email off the Hotmail server, but I knew Windows Live works without doing that so I rolled the dice and prayed Thunderbird would not do it. Like the WIKI said all email downloaded as new to Thunderbird, and it took a while… (I really need to do some house cleaning) but my email was left on the Hotmail/Live server. My next test was to delete an email from Thunderbird and see if it would eventually sync up with the Hotmail server. It only occurs every 15 minutes so be patient… and it did. Project complete. Surfing and reading email from a virtual XP machine keeping your home/laptop computer secure is now viable.

You can read more about Hotmail at http://en.wikipedia.org/wiki/Hotmail, as part of Hotmail "Wave 4" release, Microsoft has added Exchange ActiveSync support to Hotmail, allowing users to synchronise their email, contacts, and calendar on any device that supports the Exchange ActiveSync protocol. My guess is this is what keep the email on the server syncing up.

The last thing to do is install Putty in your virtual environment and use a SSH tunnel to your home network if you are out and about using public networks on your laptop. Blogged about… read about it… No more worrying about questionable email or what sites you view. If you get a virus or spyware just blow away your Windows XP Virtual environment and install another leaving your original Window 7 installation in perfect condition… that is until Microsoft will allow no more XP installs… If you want to you can also use your Linux browsers which may be more secure. Not as many hackers have been attacking those operating systems… the hate level in just not quite as high as it is with Microsoft.

How to Get Online Update and DVD package installs working in openSUSE 11.3 running in VMware Player 3.1.3, NAT to bridged in VMware player

2011-02-10T22:42:00.001-05:00

In my post entitled “Setting up a Ubuntu SSH server for secure sftp with chroot and public/private keys…” I did not figure out how to change my VMware Player environment from a NAT to a bridged network. The “bridged” network setting will actually request a IP from your DHCP router and allow outside access to the virtual machine. Which for my projects, is mandatory. To do this click on “Virtual Machine > Virtual Machine Settings > Network.” Change the Network configuration from the default NAT to Bridged.

In my college computer Linux Administration class we are using openSUSE 11.3. So I needed some fully functional openSUSE virtual operating systems working at home to do my homework. Part of our second project is to install 4 Servers (Samba, Apache, DHCP and LDAP) from the openSUSE DVD. There is a lot of scripting in the class so I wanted to get Samba working so I could copy scripts back and forth from Windows to openSUSE. Of course I could use my previous project and make openSUSE a SSH server… but that does not address my homework learning about Samba.

When I installed openSUSE i586 in VMware on my laptop it would not render the graphics properly. I fixed this problem in Ubuntu by applying online updates. But when I went to use “Online Update” in openSUSE it brought up the following:

It looked like I had to register openSUSE online (like Microsoft) just to get online updates. My college instructor had not seen this before and I asked the other students if they ran into this and they had not. All of them were either using a computer install or Virtualbox. I tried openSUSE on my desktop and the graphics were OK so I forgot about the laptop. Then I went to load server packages from my openSUSE DVD on my server and could not get that to work either. My option was either travel to the college and use openSUSE there or get all this working in “VMware Player.” I chose the latter.

You have to tell VMware Player to enable the DVD drive. Go in to “Virtual Machine > Removable Devices” and click on the “CD/DVD (IDE)” box to enable your DVD drive.

This is pretty useless unless you mount the DVD and tell Yast how to get to the software on the DVD. Click on the “Application Launcher > System > File Manager.” Right click on “Dolphin” and Add it to the Desktop. I would also add Firefox to your desktop by clicking on “Application Launcher” and just arrow up the Firefox icon. When you open it up you will see the DVD icon on the left side. Double click that an mount the DVD.

Do the same for “Terminal” to get a “Terminal” window on your desktop, and also add it to the Panel. If you open a terminal window and type “$ ll /media” you will see the DVD mounted as “openSUSE-DVD-i586-Buildd0702..001.” Now we have to setup YAST to do “Online Updates” and load software from the DVD. Click on “Launcher > Computer > Yast.”

If you want to use the DVD to install packages you will have to add that as a repository. Click on “Software Repository > Add, select DVD…” and the rest is easy.

Getting Online Update working:

First try to do either an “Online Update, or Add-On Products” you may get “Insert openSUSE-11.3 11.3-1.82 (Disc 1), Retry, Abort, Skip, Eject” dialog box. If you do then it is time to change the default repositories. Click on “Software Repositories” and delete the repository (only if it is NOT working) named “Priority: 99 (Default); Name: openSUSE-11.3 11.3-1.82; URL: cd:///?devices=/dev/sr1.” This is the default repository that points to your CD or DVD drive and usually works. But in my case it did not and I had to delete it and add my DVD drive in a separate repository entry.

Next Click on “Add” and check “Community Repositories > Next.” In the “Repository Description” box you will see many repositories listed like “Open and Non-Open Source Software Addon repository for openSUSE 11.3.” Click on a repository and the description will change… each description providing the URL to add.

To add repositories copy the URL… go back to the “Add” button and click on “Specify URL” and paste in the URL. I did not name them but maybe you should… Click on “OK” and this adds the repository.

If all you want is “Online Update” just add http://download.opensuse.org/update/11.3 which is the main update URL down near the bottom of suggested repositories. Once it is added you will not be prompted to register to download all the latest patches and updates ever again. I also added the “Main Open and Non-Open Source” repositories for openSUSE.

These are the final steps to secure SSH tunneling for your Laptop while on the road. Don’t let those coffee shop hacker’s spy on everything you are doing!

2011-02-05T19:21:00.001-05:00

This is my final entry on this project. You might think this all an overkill on surfing security… and if you don’t use your computer to manage your bank accounts or read confidential email, etc. I understand… If you don’t mind people snooping your every packet, watching where you surf and what you type; if you never log into any web site exposing your username and password’s to hackers everywhere; if you want to use your companies VPN where every email and URL you visit in monitored… then all this is not for you.

The next step in the process is to setup a permanent domain for your roaming DHCP IP address. Once again the university students clued me into a solution at DYNDNS.com.

Setting up your roaming Internet Service Provider IP to a permanent domain:

You would not want to be in Europe and have your ISP change your public router address. Imagine asking family members to log into your router that magically started working and send you the IP address. My family just knows it works… More than likely your home router is setup as DHCP from your Internet Service Provider. You can create your own domain and point it to your home router using DynDNS http://www.dyndns.com/. From their web site, “Obtain your own free domain name like name.dyndns.org, host your own weblog/blog at home, or access your computer remotely.”

What this does is if your ISP changes your IP address you can configure your router to automatically update your DYNDNS.com information to keep your domain name pointed at your router. So if you a in Japan and your IP changes at home server… no problem. This web site explains how to accomplish this http://www.dyndns.com/support/kb/dyndns.html#howto. From my router’s help menu:

If you want to use a DDNS service, you must register for it. The Dynamic DNS client service provider will give you a password or key.

Sounds complex but all you have to do go to their web site and create a domain. Then configure your router to keep DYNDNS.com updated as to your router DHCP address.

You can test your setup by clicking on “Show Status” and you should get a message like, “yourdomainname.dyndns.org / x.x.x.x updated successfully at 04:49 pm, 02/05/2011.” Now to connect to your home SECURE ssh server you would enter the following:

$ ssh <yourusername>@<yourdomainname>.dyndns.org

Locking down the Laptop for surfing while on the road, final setup on your SSH client/local computer

Now that I can use a domain instead of my routers IP address I will set everything up on the laptop for permanent lock down. Our first problem is knowing when the laptop is using our SSH tunnel or the public internet connection on un-tunneled ports. With the browser it is not a problem because once we enable SOCK5 it won’t work until the dynamic tunnel is established. But what about our email or other applications running on the laptop? How do we make sure they are not connecting to the public internet via open ports?

In Linux it is well documented what services use what ports so we could just kill those processes and start them up again when we need them. But in Windows 7 I have no idea what application uses what ports. A few are easy… email only uses six possible ports which we know. But we want to make sure those ports are only used through the tunnel. What I tried was creating one master Putty entry that tunneled everything. Every port I knew that applications use I tunneled even if those tunnels did not seem to work. That way nothing could go out or come in on those ports unless it went through the tunnel.

Don’t forget to add your Dynamic port D8080 to the Putty entry. Try as I might I never got this to work. My next option is to figure out how to disable port 1-21, and 23-1024 in Windows. This is a work in progress.

How to set up a dynamic SSH tunnel to do secure Web browsing in Linux and Windows

2011-01-31T22:04:00.001-05:00

This blog entry is a continuation of the previous blog entry: Computer update: Setting up a SSH tunnel from your laptop into your home computer for secure public Email and Internet access from ANYWHERE…

This blog entry is about setting up and testing everything at home. To actually use a SSH tunnel from a public internet connection will require three devices: your local computer (laptop), an intermediate machine with a public IP or domain name, and the private SSH server/remote computer based inside your SECURE home network. Hopefully you have logged into your home router and enabled encryption and locked down you home network from prying eyes. The following was taken from http://docs.cs.byu.edu/general/ssh_tunnels.html and reworded a bit:

Start an SSH connection from your local machine to the intermediate machine (your home router) with a public IP address which was provided by your ISP. This is usually a DHCP address so later on we will set up a domain at DynDNS http://www.dyndns.com/ to keep the address static.
Tell that connection to listen for traffic to some port (22) on your local machine, and send it through the intermediate machine (router) which forwards it to a specific port on the privately addressed SSH remote/server machine. This port is said to be forwarded.
On your local machine, use the application that you want to connect to the remote machine, and tell it to use the forwarded port on your local machine. When you connect to the local port, it will look like it is the destination machine.

They make it all sound so simple…

Static IP or Address Reservation for that home tunnel computer:

To tunnel to your home computer you need an Home Network IP that does not change. I mistakenly thought that I would need to setup a static IP which is what I hear from others how they are setting up ports on their home networks. But that is not really the best solution and a lot more work than is necessary. Just leave that home SSH server computer as a DHCP host and setup a “Address Reservation” in the router. What is the difference?

Static routes give the router information that it cannot learn automatically through other means. This can happen when RIP is disabled on the LAN. (See the LAN IP Setup screen.) All defined static routes appear in the table. You add or delete a route in the area under the Static Routes table.

When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. The router does this by MAC Address and Device Name so a simple reservation configured in the “LAN Setup” in your home router solves the home moving DHCP IP problem. As I mentioned before you want to do this for your Network Printer also. Mine kept getting a new IP from time to time and then my family was crying to dear old Dad that the printer would not print anymore.

Setting up Firefox to SSH tunnel using SOCKS5:

To get Firefox working we need to use SSH as a proxy. This is where the ssh –D option to use the SOCKS internet protocol. There is a good article at http://xuanluo.bol.ucla.edu/sshproxywin.html you may want to read also. On the web page the author mentions http://www.freecap.ru/eng/ as another alternative to getting application to use a dynamic tunnel. I have not explored this but may someday. From the Freecap website, “FreeCap -- is a program for transparency redirect connections from programs through SOCKS server. In fact that some programs hasn't native SOCKS support (for example Internet Explorer), In this case FreeCap will be helpful, transparently redirect all connections requests through SOCKS server.”

From http://en.wikipedia.org/wiki/SOCKS SOCKS is an Internet protocol that facilitates the routing of network packets between client–server applications via a proxy server.

From the Wiki, “Bill wishes to communicate with Jane over the internet, but a firewall exists on his network between them and Bill is not authorized to communicate through it himself. Therefore, he connects to the SOCKS proxy on his network and sends to it information about the connection he wishes to make to Jane. The SOCKS proxy opens a connection through the firewall and facilitates the communication between Bill and Jane.”

Go back to http://polishlinux.org/apps/ssh-tunneling-to-bypass-corporate-firewalls/ and it reads, after showing how to use the tunnel to specific web sites, "In this situation let’s look into the SSH manual and find a parameter -D. As we can read there, SSH can act as a (specific) proxy server. This is a SOCKS-type (pseudo) server. We won’t be concerned how it works, just remember the name.”

Go into the router and write down the IP address provided by your ISP. Armed with that, the account you setup on the home SSH server, and the password to that account, type the following in a terminal window on your Client/Remote/Laptop host:

$ ssh <ServerUser>@<ServerIP> –D 8080

NOTE: The terminal window with the connection to your home computer account needs to stay connected. One you close the terminal your tunnel will be lost and you can no longer surf the web using this method.

The command above establishes the tunnel to your home server on port 8080. From now on, SSH listens dynamically on port 8080. The next step is to setup Firefox to use the tunnel so you can surf the web free from prying eyes. In Firefox, click on “Edit” > “Preferences” > “Advanced” click on the “Network” tab, click on the “Settings” button. Check the “Manual proxy configuration:” and for “SOCKS Host:” enter “localhost or 127.0.0.1,” for Port enter 8080, server type should be set to 5. Don’t forget to remove any other entries in HTTP Proxy.

And what do we have now? Well, now SSH will intercept everything on this port and dynamically open a tunnel (via REMOTE_HOST) to the final target typed in the Firefox address bar. From now on we can surf over the whole Internet. If you want to use Firefox at home without the tunnel just click on the “No proxy” button and go back to surfing the old way. If you are at work you will need to reenter the proxy you had before if there was one.

Setting up Windows Internet Explorer 8 to SSH tunnel using Putty and SOCKS5:

If you have not already done so, you will need to download putty at http://www.putty.org/ or http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. You can just run the “putty.exe” file or install it. Either way, to save sessions, putty is going to add entries to your registry so I installed it. If you want to later remove it I recommend “Revo Uninstall” at http://www.revouninstaller.com/. The Free version works good, but look at the Pro Options to see if you want to purchase it.

In the Putty > SSH > Tunnels Panel there is a Radio button called “Dynamic.” Selecting this option instructs Putty SSH to use the –D [bind_address:]port option that I blogged about previously. Briefly the –D option specifies a local “dynamic” application-level port forwarding. Just like in Firefox under Linux we will use the SSH supported SOCKS5 protocol to forward a port above 1024 across the tunnel to our remote/server computer that we will connect to using the applications protocol… in this case HTTP and HTTPS. You can read about SOCKS5 protocol at http://en.wikipedia.org/wiki/SOCKS or http://www.faqs.org/rfcs/rfc1928.html.

Go into putty and setup your Session. The putty manual states, “The Session configuration panel contains the basic options you need to specify in order to open a session at all, and also allows you to save your settings to be reloaded later.” In Firefox we forwarded port 8080 dynamically. To be consistent lets do the same in Internet Explorer 8. Call the session something descriptive like “SSHTunnel8080Dynamic.” The Host Name will be the IP of our SSH server, and port is secure SSH 22. Click on any of the screen shots to read all about the options.

Note: Saved sessions are saved in the registry. The Host Name is the host… Saved Sessions is what you want to call it. They can be the same or not. Both must be filled in when you save the entry. Don’t save it yet… we have to setup the Dynamic Tunnel from our client/local computer to our remote/server computer. Go to Category “Connection > SSH > Tunnels.”

To maximize security there is no reason to open up shell on your host computer. If someone hacks your username and password all you want them to see is blackness. I also checked “2 only” for the connection.

So lets get the Internet explorer working. There were many outdated postings on the internet about tunneling ports and I accomplished that fairly quickly. What you do is establish the tunnel to port 22 on the remote host using a port above the reserved ports. The connect Putty to the localhost port being tunneled.

But I want to be able to use Internet Explorer to surf the Internet at will what proved a lot more reading and surfing. Since we are doing a browser 8080 comes to mind. Here are the settings you want:

Go back to the “Session” panel and click on the “Save” button.

As I worked to get other ports tunneled for email I quickly realized I need to identify my Putty connections to my remote/server computer. This can be done by Clicking on “Window > Behavior” and entering a “Window title:” like “SSH 8080 Dynamic SOCKS5 Tunnel” and “SSH Tunnel All Ports:”

Windows Internet Explorer works the same way with the SOCKS5 proxy as Firefox did. Use localhost or 127.0.0.1. All other Proxy entries must be clear to surf through the tunnel:

Go to “Tools” menu, click on “Internet Options,” select the “Connections” tab. In Connections click on the “Lan Settings” button.
Under “Proxy Server” check the box “Use a proxy server for your LAN…”.
Click on the “Advanced” tab.
Clear all proxy settings (making note of any there were there) and enter the following in the “Socks:” field:

So how do we test all this on our home network. After all, if are browsing the internet how would we know whether it is happening via “Putty” tunneling to your SSH server or your local machine connected to your router? Open a command prompt on the client and run “ipconfig” to get your DHCP IP address on your home network. NOTE: You will have to do this every time you turn off an on the home computer unless it is setup as fixed IP. Now log into your router and disable port (80 – HTTP, 25 – SMTP, 110 – IMAP, 443 – HTTPS) for your client PC. On my home router this is found under “Content Filtering > Block Services.” Under “Services Blocking” make sure “Always” radio button is selected.

Click on the “Add” Button. Select the “Filter Services For” and select the “Only this IP Address” and enter the IP of your client. I selected “Service Type > User Defined” and entered the range (24-1024) to block everything from the client/local computer. Now we know that if anything works, it will work only through the tunnel via port 22. Click Apply when done. Test your browser. If it can go nowhere you were successful. You have cut off your client/local computer from the internet. NOTE: It goes without saying you may need a second computer to enable the ports again if all this does not work for your home setup. If you are bridging to VMware or Virtual Box and you disable the host ports…

All that is left to do is open the session in putty and log in to the server. Internet Explorer 8 should browse the web just fine via the dynamic SSH tunnel.

This Blog entry is continued on my next blog entry: Computer update: Setting up a SSH tunnel for secure access to do view your Hotmail and GMail in Linux and Windows

Below are notes taken from web sites…. and part of a future project perhaps!

PLINK.EXE -ssh -P 22 hostname -l username -L 993:imap.gmail.com:993 -L 25:smtp.gmail.com:25

The following taken from Fedora 11 and Red Hat Enterprise Linux:

Open permissions to your X server so that the remote application (Evoloution) can use your display.
Identify your X server display to the application when it starts up.

When you run an X client on your local system, your local display is often identified as :0, which represents the first display on the local system. To identify that display to a remote system, however, you must add your computer’s host name. In most cases, the host name is the TCP/IP name.

You will probably use the display name in the form most of the time you run a remote X application. In certain cases, however, the information may be different. If your computer had multiple X displays (keyboard, mouse, and monitor), you many have numbers other that :0 (:1, :2, and so on). It is possible for one keyboard and mouse to be controlling more than one monitor, in which case you could add a screen number to the address, like this:

client:0.1

Everything below is copied from polishlinux.org as they wrote about some special situations:

The Firewall administrator has closed port 22:

Well, we need to adjust to the new environment now. First, we should find a port which is usually open. Let’s try the one responsible for secure web pages (SSL connections) which is usually left open in all networks. Its number is 443. As there is no possibility to change anything remotely for now, we need to go back home. Sitting in front of our REMOTE_HOST as root we need to edit /etc/ssh/sshd_config file. Find the place with entry Port 22 and put Port 443 just below. All we have to do now is to restart SSH server with:

REMOTE/SERVER_HOST:~# /etc/init.d/ssh restart

Sample command to connect to REMOTE_HOST from LOCAL_HOST in the present situation may look like that:

worker@LOCAL/CLIENT_HOST:~$ ssh -p 443 user@REMOTE_HOST -D 8080 \\
-L 10025:smtp.gmail.com:25 -L 10110:pop.gmail.com:110

As you can see, option -p 443 is a proper switch to force SSH to use a non-default port for a connection.

Battle continues with a corkscrew

Oh, no! Our network administrator got really furious now. “It’s time to finish these abuses” – he said. But he was not allowed to block all HTTPS traffic (fortunately!). So he figured out that the best thing in this situation is to control all traffic with an HTTP proxy server. He has set it up to listen on port 3128 and opened this port to connect only to a proxy server (naturally port 443 has been blocked). Outside connections on port 3128 are blocked too. Is there any way to bypass this? Well, try to remind some settings you’ve written down earlier: PROXY_SVR, PROXY_PORT. We’ll assume now that these values point to admins’ proxy server (here PROXY_PORT = 3128). We need to find a proper tool to use these values. Let’s look into our repositories:

worker@REMOTE/CLIENT_HOST:~$ apt-cache search proxy ssh tunnel

Among the results we should probably see a corkscrew app. Quick installation:

REMOTE_HOST:~# aptitude install corkscrew

Corkscrew manual reveals an easy way to “teleport” SSH to the other side of the HTTP proxy. To generate such a “hoop” we need to know which types of connections are passed directly through the proxy. All encrypted connections usually fulfill this condition. That’s why we again concentrate on HTTPS (port 443). To force SSH skip the proxy we should edit ~/.ssh/config and add the entry shown below:

Host IP_NUMBER
ProtocolKeepAlives 30
ProxyCommand /usr/bin/corkscrew PROXY_SRV \
PROXY_PORT IP_NUMBER 443

Having such settings we should be able to connect to REMOTE_HOST again with:

worker@LOCAL_HOST:~# ssh -p 443 user@IP_NUMBER

All those switches like -L and -D still work, so we can use them in a suitable way for us. So please welcome another good friend of SSH – corkscrew

Post Scriptum

There is another useful option for SSH. It’s -C which compresses all traffic on-the-fly. It’s especially useful while using corkscrew.
I haven’t mentioned the reverse tunnels (option -R), but they are very useful as well.
Another method to efficiently bypass restrictions when we don’t have root access on LOCAL_HOST is (our) proxy server installed on REMOTE_HOST
As I’ve mentioned in the beginning, SSH is widely used to secure “plain text” protocols, too.

Appendix (for the tenacious ones): using httptunnel

The above text is an almost-direct translation from the original. But I’ve got something special for those who are not bored (or confused) with all those tunnels, yet. So, let’s met the…

Absolutely extreme conditions

Here I need to be more precise. Imagine that the traffic in our network is allowed only via port 3128 and only to one specific IP number which points to a proxy server. What’s more, the proxy doesn’t allow for http_connect (i.e. forwarding encrypted protocols). This excludes the usage of corkscrew. And to make it even harder, the firewall blocks all packages that don’t have an HTTP header. Conditions described above mean no more than that we are only allowed to view “classical” web pages and only with a proxy. What shall we do to bypass such restrictions? To effectively overcome this “not so fortunate” situation, we’ll still need SSH. But this time SSH is going to have a special carrier to bypass the proxy. This carrier needs to have an HTTP header to do its job. You can probably figure out the name of this third SSH friend – yes, it’s an httptunnel. Installation is needed on both hosts (LOCAL_HOST and REMOTE_HOST) and as you’ve noticed earlier, in Debian this is as simple as:

REMOTE/LOCAL_HOST:~# aptitude install httptunnelThe application contains both an httptunnel server (hts) and an httptunnel client (htc). I encourage you to take a look at the manual to see how it works in detail, but the usage is very similar to SSH tunneling. On the REMOTE_HOST we need to run the server side of the application. The server is responsible for deciding where the connections should be forwarded. If we want to tunnel the connection to REMOTE_HOST we simply point it by using localhost.

In our example we only want to forward all connections to an SSH server running on REMOTE_HOST. To accomplish this task, the httptunnel server should be started as follows:

REMOTE_HOST:~# hts -F localhost:22 80A word of explanation: -F localhost:22 means that each connection is going to be forwarded to REMOTE_HOST’s port 22 (i.e to an SSH server on REMOTE_HOST). And 80 is the port on which hts should await our connections from the outside (just remember to open it on the firewall and/or stop any other services that may be running and listening on this port).

The appropriate command to connect to hts on REMOTE_HOST from LOCAL_HOST using the proxy is:

worker@LOCAL_HOST:~$ htc -P PROXY_SVR:PROXY_PORT \\
-F 10022 IP_NUMBER:80From now on, LOCAL_HOST listening on port 10022 should forward all connections to port 22 on REMOTE_HOST. To establish a desired SSH connection we can type:

worker@LOCAL_HOST:~$ ssh -p 10022 user@localhost -C -D 8080 \\
-L 13389:somewhere.else.com:3389 -L file://13306:here.or.there.net:3306/Although this is a double-tunneled connection and may be a little bit slower than a direct one, it allows us to navigate all over the net, not only to the addresses set by the administrator. And you know what? We are free again!

Need to look into OpenVPN on Windows.

Installing VMware Tools from Warren, Steven S. VMware Workstation 5 Handbook

2011-01-28T00:32:00.001-05:00

Every time I create a VMware Linux workstation I have install VMware Tools and realize I have forgotten the steps I went through the first time. So I decided to blog about it this time. A lot of the following is taken from Warren, Steven S. VMware Workstation 5 Handbook and the VMware help pages.

Installing VMware Tools for Linux:

VMware Tools installation for Linux is a bit more complicated than installing VMware Tools for Windows. To make this process as simple as possible, I am going to walk you through the steps of installing VMware Tools on a Linux platform. With this release, you now have the choice of installing VMware Tools with the RPM or tar.gz package. Furthermore, you no
longer have to exit the X session to install VMware Tools. Let’s start by going over the installation with the tar.gz installer.

Installing VMware Tools via the tar.gz Installer:

Let’s begin choosing VM | Install VMware Tools. The book said that “The RPM and tar.gz packages are automatically mounted as shown in Figure 7.6.” But that was not the case for me. I did the following:

$ sudo su -
root's password:

Some Linux distributions use different device names or organize the /dev directory differently. If your CD-ROM drive is not /dev/cdrom or if the mount point for a CD-ROM is not /media/cdrom, modify the command to reflect the conventions that your distribution uses. If your Linux distribution does not automatically mount CD-ROMs, mount the VMware Tools virtual CD-ROM image. If necessary, create the /media/cdrom directory.

# ls /media

- No cdrom directory...

# mkdir /media/cdrom

- VMware help said to (# mount /dev/cdrom /media/cdrom) but that did not work in openSUSE. I did a:

# ls /dev

- and saw that the device "cdrom1" so I tried:

# mount /dev/cdrom1 /media/cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only

# cd /media/cdrom
# cp cp VMware* /tmp

Delete any previous vmware-tools-distrib directory before you install VMware Tools.

Next, open a terminal session, log in as root and copy the package to the /tmp directory.

# cd /media/cdrom1
cp VMwareTools-*.tar.gz /tmp

Next, let’s change directories to the tmp directory and extract the package. Run the installer and configure VMware Tools. To install VMware Tools and choose the appropriate display resolution.

NOTE: It is best to unmount the ISO image before running the Tar installer.

# umount /dev/cdrom
# cd /tmp
# tar zxf VMwareTools-*.tar.gz
# cd vmware-tools-distrib
# ./vmware-install.pl

You are prompted with the following questions, in which you can accept the default values:

In which directory do you want to install the binary files? [/usr/bin].
What is the directory that contains the init directories (rc0.d/ to rc6.d/)? [/etc/rc.d]
What is the directory that contains the init scripts? [/etc/rc.d/init.d]
In which directory do you want to install the daemon files? [/usr/sbin]
In which directory do you want to install the library files? [/usr/lib/vmware-tools]
The path "/usr/lib/vmware-tools" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]
In which directory do you want to install the documentation files? [/usr/share/doc/vmware-tools]
The path "/usr/share/doc/vmware-tools" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]
Unmounting The Tools ISO image mnt/cdrom.

The installation of VMware Tools 4.52 build 8848 for Linux completed successfully. You can decide to remove this software from your system at any time by invoking the following command:

"/usr/bin/vmware-uninstall-tools.pl."

Usually, the vmware-config-tools.pl configuration file runs after the installer file finishes running. Respond to the prompts and press Enter to accept the default value.

If you are updating VMware Tools, reboot the virtual machine or manually reload the pvscsi, vmxnet, and vmxnet3 Linux kernel modules.

If you reload the modules, networking on the virtual machine is interrupted.

If you manually reloaded the pvscsi, vmxnet, and vmxnet3 Linux kernel modules, enter the following commands to restore the network.

/etc/init.d/network stoprmmod vmxnetmodprobe vmxnet/etc/init.d/network start

Before running VMware Tools for the first time, you need to configure it by invoking the following command if it did not run automatically:

"/usr/bin/vmware-configtools.pl."