Showing posts with label Linux. Show all posts

Thursday, January 3, 2013

Trojan Horse for Linux?

I came across this post on the avast! forum recently. Trojan Horse for Linux, it declares. OK, it's Symantec that called it a Trojan Horse, but wrong: it's a malicious Apache Module.

Yes, Linux malware does exist. Who should be worried? In this case, administrators of Linux servers, as the attack vector of this malware is unknown, and it seems to have been placed on servers with good security.

This is not a Trojan Horse that desktop users of Linux are going to have to worry about downloading from the internet.

I recently wrote that Desktop Linux needs anti-virus like a fish needs a bicycle. I'm glad I put that "Desktop" in there. Anti-virus programs like Symantec and ESET do detect this malware. This VirusTotal result I found suggested that the detection rate among anti-virus programs is pretty good. An anti-virus scan of a server may pick up a hack like this.

But I'm writing for users of Desktop Linux. The existence of a targeted hack against Linux servers or the existence of Linux malware on servers is not reason for desktop Linux users to worry.

When it is time to worry, you'll read it here.

Wednesday, August 29, 2012

My new Linux computer

This is my new Linux computer. Well, it's my daughter's, really, but I've been playing with it too. I know it runs Linux because somebody has hacked it.

Sadly the software that comes with it to allow download of new games and ebooks is not Linux compatible. Although I eventually got the Learning Lodge Navigator working on PlayOnLinux (Debian has a very old version of Wine- PlayOnLinux downloads the latest version), the USB to the Innotab didn't work.

Looks like I'll be needing to borrow a Windows computer.

I had better luck putting content on the SD card I bought (memory cards are astonishingly cheap now- 8GB for under £4!). Create the directory structure and convert videos as described on A Maggid's Musings. (I added a comment with an alternative parameter to make videos full screen which I used when resizing videos for Android.) I had no problem playing an MP3 file I put on the card, unlike some people.

Of course I had to mount the SD card first. I have an SD slot in my laptop, but it doesn't seem to work in Debian. I must try and get it working, but in the meantime, I bought a £1 card reader from PoundWorld.

It works. As did the bluetooth dongle I bought for a pound.

Friday, June 10, 2011

Do I need an Anti-virus program on Linux?

This is a question often asked by new users of Linux. (See here.) The short answer often given is no, but that answer often stirs controversy. (See here.)
I haven't used an anti-virus program in Linux for years (although I've tried all the free ones). My answer to the question, as a home user of Linux-only computers who doesn't share files with Windows users, is also no. Obviously I've caveated that answer, and there are plenty more caveats, so here are some points to beware.
  • Saying that you don't need an anti-virus doesn't mean that Linux malware doesn't exist. It does.
  • Saying that you don't need an anti-virus doesn't mean that you don't need to be careful about security in Linux. You do.
  • For new users of Linux, that attention to security means getting software from the distribution's digitally signed software repository, or trusted sources. (For example, I have installed software from Opera and HP in addition to software from the Debian repository.) This guide is not intended for or likely to be useful to more advanced users of Linux.
  • Linux malware exists, but Linux users are very unlikely to encounter it. Don't go downloading packages from the internet and you won't. (Obviously, with so much free software available in distribution repositories, Linux users won't be on crack sites or peer-to-peer networks downloading dodgy executables that claim to unlock Windows programs.)
  • Most Linux anti-virus programs don't do the background scanning of files that Windows anti-virus programs do. If you want to scan a file, you have to do it manually.
  • Why use one installed scanner to scan a file when you could send it to VirusTotal and have 30 or so scanners check it? (And please see the point above about not downloading packages from untrusted sources in the first place.)
  • Linux users are simply not affected by the web-borne exploits that install software willy-nilly on Windows systems.
  • Most Linux anti-viruses are primarily intended for file servers, not desktop environments. Yes, an anti-virus is recommended in that situation- beyond the scope of this simple guide. But if you have a dual partition with Windows, or share files with Windows users, yes, an anti-virus is useful- but you'll be looking for Windows viruses.
  • There is no certainty that anti-virus programs will detect a malicious file, as I demonstrated here and here.
  • Linux anti-virus programs are meant as file scanners, not system scanners- scanning the /root (system) directory is likely to result in a lot of frightening warnings (for the new user) which actually don't indicate any sort of infection. See here and here.
  • Institutional network users running Linux may well be asked to use an anti-virus program- I'm not here to contradict your system administrator. Mostly the concern is that Linux users will pass Windows malware around. But there is also the possibility that these users will have valuable information and may be targeted by criminals- and receive a Linux Trojan in their email inbox, for example.
  • Where untrusted and possibly malicious people have physical access to a computer, there is the possibility that they may try to run malicious software. This area is outside my experience. Untrusted people don't use my computer. In institutional situations like this, the answer may be yes, an anti-virus might be a good idea. Listen to your system administrator or consult a more advanced guide.
  • Most of the people advising that home users of Linux need an anti-virus program are Microsoft shills spreading FUD. The idea that you can run a computer connected to the internet without anti-virus protection or risk of infection tempts users away from Windows, and Microsoft has never been above a little black propaganda. More importantly, these people don't actually look at the evidence when they tell you it's not safe to run Linux without an anti-virus.

Friday, May 6, 2011

2.6.39 kernel will drop 686 flavour

Updating my Linux kernel recently in Squeeze (and previously in Lenny), I had to choose a 'flavour' to match my CPU architecture. For me this was the 686 flavour- compiled and optimised for modern multi-core chips.
An email from Debian Project News recently informed me that the 686 flavour kernel is to be dropped.
From the information linked to at Ben's technical blog, it seems I'll be able to use the '686-bigmem' flavour- even though my computer only has 1GB of memory- with a tiny hit on performance but a slight security advantage:
Even those that have less than 4 GiB RAM do support PAE and can run the '686-bigmem' flavour. There is a small cost (up to about 0.1% of RAM) in the use of larger hardware page tables. There is also an important benefit on recent processors: the larger page table entries include an NX bit (also known as XD) which provides protection against some buffer overflow attacks, both in the kernel and in user-space.
There are a few 686-class processors that won't be able to use 686-bigmem and which will have to use the 486 flavour- apparently with a performance gain (see the blog for details).
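
To see which case a given machine falls into, the CPU feature flags can be read from /proc/cpuinfo. The script below is an added example, not code from Debian or from the blog linked above; the function names and output strings are my own, and it assumes (as the quote implies) that a CPU without the pae flag is one of those that needs the 486 flavour.

```shell
#!/bin/sh
# Added example: pick a Debian i386 kernel flavour from the CPU feature flags.
# Works on any /proc/cpuinfo-style file, so saved copies can be checked too.

# has_cpu_flag FILE FLAG -> exit 0 if FLAG is listed as a whole word
has_cpu_flag() {
    # First "flags" line, drop the "flags :" label, one flag per line, exact match
    grep -m1 '^flags' "$1" | cut -d: -f2 | tr ' \t' '\n\n' | grep -qx "$2"
}

# recommend_flavour FILE -> print the flavour and whether NX is available
recommend_flavour() {
    if has_cpu_flag "$1" pae; then
        if has_cpu_flag "$1" nx; then
            echo "686-bigmem nx=yes"   # PAE page tables carry the NX bit
        else
            echo "686-bigmem nx=no"    # PAE works, but this CPU has no NX bit
        fi
    else
        echo "486 nx=no"               # no PAE: 686-bigmem will not boot
    fi
}

# write_sample_cpuinfo FILE FLAG... -> constructed input for trying the functions
write_sample_cpuinfo() {
    f=$1; shift
    printf 'processor\t: 0\nmodel name\t: constructed sample CPU\nflags\t\t: %s\n' "$*" > "$f"
}

# On an x86 Linux machine, report on the real CPU
if grep -q '^flags' /proc/cpuinfo 2>/dev/null; then
    recommend_flavour /proc/cpuinfo
fi
```
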

Tuesday, March 1, 2011

Quod Libet

Rhythmbox (the music player that comes with Debian) is pretty good. Fine most of the time. But it does have a problem with compilation albums. Investigating the issue before, I'd found that Banshee will play compilation albums correctly, but in the process of installing it on Squeeze I noticed it has an obsolete dependency bug, so I gave it a miss. On a whim I tried Quod Libet again. Lenny came with version 1 which didn't impress me too much, but Squeeze has version 2 which is a big improvement. It recognised my compilation albums correctly- and what's more its excellent tag editor allowed me to fix some tagging errors I hadn't noticed before.
The default GUI is pretty basic, but can be customised to show a paned browser, album covers, a search feature, playlists etc. (These features are also available in a separate window.)

The basic GUI:


Album cover view:


The Tag Editor:


The download album art plugin:


Quod Libet comes with many plugins that can be enabled if desired. I really liked the album cover search feature which works really well- no more Google searches and file saving- it's all automatic.
I also used the notify plugin to get new track notifications, and the tray icon plugin to put the music player in the notification area rather than close it completely. (I like to keep the bottom panel for documents and keep my music player separate.) This is probably the weakest feature of the player (although it is only a plugin.) Hovering over the Quod Libet icon only gives track information- not album art and track progress like other players. The panel icon is also indistinct when paused (a bug?)
[Update: not a bug. The plugin superimposes the Gnome paused icon (which depends on the theme selected) over the Quod Libet icon. Unfortunately in a dark panel, the Quod Libet icon does not display well, as it is black with a white border (so only the border shows). Editing the Quod Libet icon to white helps.]
Other plugins worth a look would be the MusicBrainz and CDDB lookup plugins for identifying audio tracks. (I looked previously at other programs using MusicBrainz and CDDB.)
Despite the minor gripe about the tray icon plugin, I'll give Quod Libet five stars for handling compilation albums, having one of the best tag editors around, a brilliant album cover finder and an elegant and customisable GUI. And I haven't looked at all the features yet- for example, Quod Libet claims to be better able to handle large music libraries than other players.

Monday, July 26, 2010

MSN video chat in Linux

Most computer users use Windows, and most of them use MSN for messaging. So how do you talk to them in Linux? Pidgin works fine for chatting over the MSN network in Linux (Gnome), but nothing works with video chat with sound.
Yesterday my wife asked me to set up a video chat with her friend (who uses Windows). This I had done previously by booting into Windows and using Live Messenger, but recently I deleted my Windows partition. I tried something I'd heard about previously: Meebo, "the web platform for IM on any network or site."
Frustratingly, I could see my wife's friend's webcam, but my own remained inactive. Embarrassingly, I had to concede that I couldn't set up video chat.
Later, I was Googling for an answer and came across this information:
You need to allow meebo access from the settings manager, go here. Look for mee.tokbox.com set to always allow. This works on a few other websites too. The problem is when you set it to allow while in the website for whatever reason it doesn't actually do it.

Also after setting it to allow restart Firefox
I've allowed Meebo in Flash player privacy settings, now I'm just waiting for an opportunity to test video chat.


UPDATE: Success!


Update: It looks like Flash 10 may not be able to access webcams because of a bug. Of course that bug may or may not have been fixed by the time you're reading this. If you follow the steps above and still can't see your webcam in Meebo, try here.

Wednesday, July 21, 2010

How useful is anti-virus in Linux? (Part 2)


In Part 1 I wrote about Linux malware found in a screensaver. In this post, I'm going to talk about a more recent story of a Trojan horse found in a Linux distribution. The story was picked up with glee by Ed Bott:
Every time I write about Windows security software, I get a predictable flood of responses from Linux advocates who claim that they don’t need any such protection. Today comes a shining example of why they’re wrong.
Then Adrian Kingsley-Hughes jumped on the FUD wagon. So should Linux users all be installing anti-virus software? I decided to investigate. With a bit of searching, I found an analysis of the malware script concerned. Submitting the script to VirusTotal produced no detections, but I'd found this blog post from Sophos describing how they detect the malware as Troj/UnIRC-A. Another analysis suggested the malicious package was still available for download. I checked, and it was. The file had already been submitted to VirusTotal in February 2010, when there had been four detections. (A reanalysis didn't produce any more.)



Despite the rather gloating blog from Sophos above, they only added their detection for this malware on the day the story broke. F-Secure added their detection the day after. I don't know when Comodo and Panda added their detections, but I'm guessing they too added their detections after the story broke.

So should Linux users be installing anti-virus products, and combing their systems for malware? There are two points to make here:
  • There's no evidence that any anti-virus product would have detected this malware before it was discovered and reported.
  • Well over a month after the malware was discovered, it's detected by a tiny minority of anti-virus programs.
The real moral of the story seems to be (as the Sophos blog points out) for administrators to check signatures and checksums of files when using a distro like Gentoo. [Some background I picked up reading the comments sections of various articles about the story: Gentoo is a far from mainstream distro which requires users to compile everything from tarballs.]
In more mainstream distros, software in repositories is digitally signed by the developer, so it is not possible for a package to be replaced with malware. When enabling additional repositories, or trusted third-party repositories, always make sure the appropriate key is installed so software can be authenticated. The following warning means the appropriate key has not been installed, and you are at risk of installing a possibly insecure package:
You are about to install software that can’t be authenticated! Doing this could allow a malicious individual to damage or take control of your system.
See here for an example.
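
For software that has to be built from a downloaded tarball, the check described above can be scripted. This is an added example, not taken from the Sophos post or from any distro's tooling: the file names, the function names and the "digest, then file name" layout of the checksum list are assumptions, and the sample tarball is constructed.

```shell
#!/bin/sh
# Added example: check a downloaded tarball against a published checksum list
# before unpacking or compiling it. Layout assumed: "<sha256 hex>  <file name>".

# lookup_expected SUMS NAME -> print the digest listed for NAME (empty if none)
lookup_expected() {
    awk -v n="$2" '$2 == n || $2 == ("*" n) { print $1; exit }' "$1"
}

# check_download FILE SUMS -> prints OK, MISMATCH or NO-ENTRY; exit 0 only on OK
check_download() {
    expected=$(lookup_expected "$2" "$(basename "$1")")
    if [ -z "$expected" ]; then
        echo "NO-ENTRY"; return 2       # fail closed: an unlisted file is untrusted
    fi
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK"
    else
        echo "MISMATCH"; return 1       # file differs from what was published
    fi
}

# verify_sums_signature SUMS -> check the detached signature SUMS.asc with gpg.
# A checksum list fetched from the same place as the tarball proves little by
# itself; the signature ties it to a key obtained separately from a trusted source.
verify_sums_signature() {
    gpg --verify "$1.asc" "$1"
}

# Demonstration on constructed files (no network, no real package involved)
demo() {
    d=$(mktemp -d)
    printf 'constructed release contents\n' > "$d/example-1.0.tar.gz"
    ( cd "$d" && sha256sum example-1.0.tar.gz > SHA256SUMS )
    check_download "$d/example-1.0.tar.gz" "$d/SHA256SUMS"            # OK
    printf 'injected line\n' >> "$d/example-1.0.tar.gz"               # file replaced after publication
    check_download "$d/example-1.0.tar.gz" "$d/SHA256SUMS" || true    # MISMATCH
    rm -rf "$d"
}
demo
```
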

How useful is anti-virus in Linux? (Part 1)

In almost three years of using Linux, I've never come across any Linux malware.
I have come across two tales of Linux malware. I'm revisiting them now to ask: do these stories suggest that using anti-virus software is necessary or advantageous?
In December 2009, malware was found inside a screensaver on gnome-look.org. The malware was a "script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads".
The moral of the story was clear: don't install software packages from untrusted sources.
The malware script can be found in the Ubuntu forum post linked to in the story above, so I decided to save the script as a text file and send it to VirusTotal, to see how many if any anti-virus programs detect it. I found that somebody had already done this, a couple of days after the malware was discovered, and that no anti-virus program at VirusTotal had detected the script at that time.

I then hit the 'Reanalyse' button to see what the result would be seven months later.


This time, eight anti-virus programs detected the script as malicious.
The two points that can be made here are:
  • None of the anti-virus products on VirusTotal (which is most of 'em) would have detected this script as malware during the time it was available to download.
  • Even seven months later, only a small number of anti-virus programs would detect this malicious script.
To answer the question: is using anti-virus software necessary or advantageous in Linux? In the case of new Linux malware at least, the answer seems to be that anti-virus software has nothing to offer- caution remains the key.

Monday, January 18, 2010

Share files in a local network with NFS on Linux

Here's a really easy way to share folders and files between two Linux computers on a local network from mybeNi. (I've done it with Ubuntu and Debian.) It doesn't require the skills of a network administrator to implement, and uses NFS, which seems to be fast and reliable.
Here are the steps to go through- details are at the link above.

On the first computer:
Install NFS (either using Synaptic or the command line).
Edit an NFS configuration file to tell NFS which folder to share, which computer to share it with, and specify options.
Restart the NFS server.
On the second computer:
Install NFS.
Make a directory to contain the shared directory from the first computer.
Mount the directory.
Edit an NFS configuration file to mount the directory automatically if required.
Folder locations in the tutorial can be changed. For example, I shared...
/home/username/Shared
...on the first computer and created...
/home/username/Shared
...on the second.

Be careful when typing the locations, because case and spelling mistakes will mean the share won't work.

For me, the tutorial didn't work at first. Then I noticed a comment which provided the answer. As described in later comments, I added lines to the /etc/hosts file on my computers to tell them the IP address of the other computer.

To edit the file:
sudo gedit /etc/hosts
Add:
'IP address' 'computer name', for example:
192.168.2.2 compaq
(To find the name of each computer, type the following in a terminal:
hostname)
Thanks to Beni for the tutorial.

Update: the original tutorial has gone, but I found a condensed version of it here:

==NFS shares
Condensed from http://mybeni.rootzilla.de/mybeNi/2007/how_to_set_up_nfs_and_how_to_share_files_in_a_local_network_with_ubuntu_linux

====Share /media/music from 'ERNIE':
$ sudo apt-get install nfs-kernel-server

Add a line to /etc/exports:
$ echo "/media/music BERT(ro,async,all_squash)" | sudo tee -a /etc/exports

Restart the NFS Server
$ sudo /etc/init.d/nfs-kernel-server restart

====Connect and mount from 'BERT'
$ sudo apt-get install nfs-common
$ sudo mkdir /var/music
$ sudo mount ernie:/media/music /var/music

To automount at start, add a line to /etc/fstab
$ echo "ernie:/media/music  /var/music     nfs ro,hard   0  0" | sudo tee -a /etc/fstab

May have to add a line to /etc/hosts.allow

1. The server rejected the requests. What I did was I opened ports: 111, 2049, 32771 (from client and server, but not from router). This wasn't enough. I had to tell the server's firestarter to allow connections from my client's IP (in the LAN).
2. Then I ran into a new problem, but at least the server responded:
mount.nfs: access denied by server while mounting timo-desktop:/media/musiikki
Then I realized that for some reason I had to add the client's IP to the file /etc/hosts
Like this
192.168.1.51 timo-laptop
after doing that and then I ran on the server:
sudo exportfs -ra
sudo /etc/init.d/portmap restart
sudo /etc/init.d/nfs-kernel-server restart
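
The export line in the condensed tutorial is a tight one: one named client, read-only, all users squashed. The script below is an added example, not part of the original tutorial or its comments, that flags /etc/exports entries which are looser than that; the function names and the sample file are constructed for illustration. It also catches the classic slip of a space between the host and its options, which makes the options apply to every client.

```shell
#!/bin/sh
# Added example: flag risky entries in an /etc/exports-style file.

# audit_exports FILE -> one line per finding, nothing if every entry is tight
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            entry = $i
            host = entry
            sub(/\(.*/, "", host)            # text before "(" is the client
            if (entry ~ /^\(/) {
                # "host (opts)": the space makes opts apply to every client
                print path ": " entry " is detached from its host and applies to any client"
                host = "any client"
            } else if (host == "*") {
                print path ": exported to any client (*)"
            }
            if (entry ~ /[(,]rw[,)]/)
                print path ": writable by " host
            if (entry ~ /[(,]no_root_squash[,)]/)
                print path ": root on " host " is root on the share (no_root_squash)"
            if (entry ~ /[(,]insecure[,)]/)
                print path ": " host " may connect from unprivileged ports (insecure)"
        }
    }' "$1"
}

# write_sample_exports FILE -> constructed input; first entry is the tutorial line
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real server
/media/music BERT(ro,async,all_squash)
/home/username/Shared 192.168.2.2 (rw,sync)
/srv/backup *(rw,no_root_squash)
EOF
}

demo() {
    f=$(mktemp)
    write_sample_exports "$f"
    audit_exports "$f"        # five findings; none for /media/music
    rm -f "$f"
}
demo
```

On a real server, run `audit_exports /etc/exports` before `sudo exportfs -ra`.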

Monday, October 19, 2009

GB English spellchecker in Opera 10 on Linux


Opera 10 has added an inline spell checker which checks spelling in web forms, but the default (and only) dictionary in the Linux version is US English. Here is how to add GB English, and other languages.
Curiously, the Windows version already has a GB English dictionary option.
UPDATE: This post is now obsolete (and the link above dead). The current version of Opera has a menu option to add spell check dictionaries.

Saturday, September 26, 2009

Your operating system is not supported...

Looking into cable modem problems in Ubuntu recently, I came across a few horror stories about Comcast, the American ISP. Technicians who have never heard of Linux and insist they can only install the Internet to a Windows computer, that sort of thing. So it was a surprise to come across this blog post by a guy called Linus.
I guess it all depends on who you are, or possibly what you know.
So I need to provision it (ie letting Comcast know about the new modem MAC address), so I call up Comcast. It being a Sunday afternoon, I was expecting that I'll just have to wait for Monday to get it sorted out. But no, not only is there a friendly tech who is greeting me with neither silly muzak nor waiting, but she's happy to get me all provisioned and up and running with a new cable modem in minutes (ok, so it took more than a couple of minutes, but a lot of it was literally waiting for the new cable box to boot up a few times).
The clue in the image above is the telephone number: just call and ask for the ISP to provision your modem seems to be the answer.

Ubuntu and cable modems


The other day I was trying to help somebody on the Ubuntu forum get an internet connection. I didn't notice at first that it was a cable modem (of which I have zero experience), but when I did, I decided to look into how they work. (The thread is here.)
There seems to be a lot of confusion around as to how to get a cable modem connected and working with Linux, how to solve connection problems, and how to connect a different computer or a router.
Here are the myths:
  • Cable companies only support Windows or Mac.
  • You'll need to spoof the MAC address of the computer originally connected to the modem in order to connect another computer or a router.
Here's the reality:
  • ISP software may only work with Windows or Mac, and technicians may only know about Windows and Mac, but there's actually no obstacle to getting a connection. A modem connected to a cable network needs to be "provisioned": the cable company needs to know the MAC address of the modem. They can do this at their end, or the cable guy can do it at your end. If it's done at your end, the cable guy will need Windows or Mac. If you have Linux, the advice is: just get the cable guy to connect the modem and tell him you'll call the provider service line to provision the modem.
  • After connecting a different computer or a router to a cable modem, power down the modem for 10 minutes before connecting (the computer and/or router should be off while connecting too). Power up the modem > (router) > computer and everything should be fine (no need for spoofing). A good guide is here.
In Ubuntu, make sure DHCP is enabled unless the cable Internet provider has told you to use a static IP address.
The original poster at the Ubuntu forum thankfully managed to get his connection working, despite my fumbling around for a solution.

Sunday, September 13, 2009

Microsoft anti-Linux FUD

Microsoft doesn't want you to use open source software. And the way they get you not to use open source software is through FUD. The latest example can be found here, where MS is "indoctrinating" sales staff in the reasons customers wouldn't be happy with Linux.
Now it's perfectly true that Linux doesn't run Windows programs. If you really want to run MS Word, you'll need Windows; but if you use Open Office, you won't. Fair enough, customers should know this.
Linux doesn't run Windows games* (*Some will run in Wine, but the performance can be poor.) If customers want a games machine, they'll need Windows, fair enough, although I actually think a dedicated games console can be a better option- games take up huge amounts of disc space, require a powerful video card which can add the price of a games console to a PC, and if my experience with Half Life is anything to go by, can rip a HD to shreds with crashes while reading or writing to the HD leaving bad sectors.
Now we come to hardware. My printer, camera, MP3 player, wireless dongle and external hard drive all ran out of the box on Ubuntu Linux. I had to install some firmware for the scanner to work, but I'd've had to install a driver for it to work in Windows- in fact my printer doesn't work in Windows because I haven't installed the driver. Good manufacturers support standards and Linux, and their hardware works in Linux. (HP is a shining example.) Verdict: FUD.
Finally, Internet Messaging. No, you can't get Windows Live Messenger on Linux. Yes, you can have IM with a multi-protocol IM client* like, in Ubuntu, Pidgin. (* Supports multiple accounts- MSN, Yahoo!, Google, ICQ etc.) No, Pidgin doesn't support video chat on MSN (and I don't know of any Linux IM client that does.) Linux does have Ekiga, a free video chat client, and Pidgin does support video chat on GMail, but I can see that it's not going to be convenient for a Windows user to get used to a new IM program, or a Linux user to video chat to a Windows user.
This is a big turn-off for prospective Linux users, or indeed, purchasers of Linux computers (netbooks, probably) who ask: where's Windows Messenger?
This is of course intentional: that's the way Microsoft works: get you used to their product so it's just too much effort to change.
Verdict: FUD. There's no reason to be locked in to Windows. There are alternatives to the Microsoft IM network.