Monday, February 26, 2007

Note to new Linux users: No antivirus needed

One of the most common questions I hear new Linux users ask is "What program should I use for virus protection?" Many of them lose faith in me as a source of security information when I reply, "None." But you really don't need to fear malware on your new platform, thanks to the way Linux is built.

Savvy Windows users have to watch their virus checkers as closely as the head nurse in the ICU keeps an eye on patient monitors. Often, the buzz in the Windows security world is about which protection-for-profit firm was the first to discover and offer protection for the malware du jour -- or should I say malware de l'heure? The only thing better than having backed the winning Super Bowl team come Monday morning at the office coffeepot is having the virus checker you use be the one winning the malware sweepstakes that weekend.

If a rogue program finds a crack in your Windows armor, paying $200 per infection to have your machine scrubbed and sanitized by the local goon^H^H^H^H geek squad not only helps to reinforce the notion that you have to have malware protection, but that it has to be the right protection, too. The malware firms are aware of this, and all of their advertising plays upon the insecurity fears of Windows users and the paranoia that results. Chronic exposure and vulnerability to malware has conditioned Windows users to accept this security tax.

It's no wonder, then, that when Windows users are finally able to break their chains and experience freedom on a Linux desktop, they stare at me in disbelief when I tell them to lay that burden down. They are reluctant to stop totin' that load. They have come to expect to pay a toll for a modicum of security.

I try to explain that permissions on Linux make such tribute unnecessary. Without quibbling over the definitions of viruses and trojans, I tell them that neither can execute on your machine unless you explicitly give them permission to do so.

Permissions on Linux are universal. They cover three things you can do with files: read, write, and execute. Not only that, they come in three levels: for the root user, for the individual user who is signed in, and for the rest of the world. Typically, software that can impact the system as a whole requires root privileges to run.

Microsoft designed Windows to enable outsiders to execute software on your system. The company justifies that design by saying it enriches the user experience if a Web site can do "cool" things on your desktop. It should be clear by now that the only people being enriched by that design decision are those who make a buck providing additional security or repairing the damage to systems caused by it.

Malware in Windows Land is usually spread by email clients, browser bits, or IM clients, which graciously accept the poisoned fruit from others, then neatly deposit it on their masters' systems, where malware authors know it will likely be executed and do their bidding -- without ever asking permission.

Some malware programs require that you open an attachment. Others don't even require that user error. By hook or by crook, malware on Windows often gets executed, infecting the local system first, then spreading itself to others. What a terrible neighborhood. I'm glad I don't live there.

On Linux, there is built-in protection against such craft. Newly deposited files from your email client or Web browser are not given execute privileges. Cleverly renaming executable files as something else doesn't matter, because Linux and its applications don't depend on file extensions to identify the properties of a file, so they won't mistakenly execute malware as they interact with it.
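The behaviour described above can be checked directly. This script is an added example, not part of the original article; the file names are constructed and the 022 umask is an assumed typical default.

```shell
#!/bin/sh
# Added example; every file name below is constructed for the demo.

# Save a payload the way a browser or mail client does: the file is created
# with mode 0666 and the umask (022 here) clears bits. Execute is never set.
save_download() {                       # $1 = destination path
    ( umask 022; printf '#!/bin/sh\necho ran\n' > "$1" )
}

# Octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run the file directly and print the exit status.
# 126 = found but not executable (execve() refused with EACCES).
try_exec() {
    rc=0
    "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Identify content by its leading bytes, not by its name.
looks_like_script() {
    [ "$(head -c 2 "$1")" = '#!' ]
}

demo() {
    dir=$(mktemp -d)
    save_download "$dir/invoice.pdf"
    echo "mode after save:      $(file_mode "$dir/invoice.pdf")"
    echo "direct exec status:   $(try_exec "$dir/invoice.pdf")"
    mv "$dir/invoice.pdf" "$dir/invoice.sh"      # renaming grants nothing
    echo "after rename, status: $(try_exec "$dir/invoice.sh")"
    if looks_like_script "$dir/invoice.sh"; then
        echo "content is a script whatever the name says"
    fi
    chmod u+x "$dir/invoice.sh"                  # the explicit user decision
    echo "after chmod u+x:      $(try_exec "$dir/invoice.sh")"
    rm -rf "$dir"
}

demo
```

The status only changes after the explicit `chmod u+x`; the rename leaves both the mode and the refusal untouched.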

Whether newcomers grok permissions or not, I try to explain the bottom line to them: that because they have chosen Linux, they are now free of having to pay either a security tax up front to protect themselves from malware, or one after the fact to have their systems sterilized after having been infected.

So Linux is bulletproof? No. Bulletproof is one of the last stages of drunkenness, not a state of security. Linux users, like users on every operating system, must always be aware of security issues. They must act intelligently to keep their systems safe and secure. They should not run programs with root privileges when they are not required, and they should apply security patches regularly.

Misleading claims and false advertising by virus protection rackets to the contrary, you simply don't need antivirus products to keep your Linux box free of malware.

By: Joe Barr
http://joebarr.org

Saturday, February 17, 2007

Convert DRM Protected Audio Into a Plain MP3

If you've ever bought music on iTunes, Walmart.com, or another legal music-downloading system, it'll be protected by Digital Rights Management (DRM). Protected from you, the consumer. For example, you can probably only play your songs in the program you used to buy them. What if you want to transfer it to an unsupported MP3 player or transfer it to another of your computers? These are legal activities (provided you do not distribute the results to others, which is a violation of copyright), but the music companies want you to listen to music on their terms. Here's how to break the locks off your tunes.

Beginner's Method

1. Burn an audio CD with the protected audio tracks.
2. Rip that new audio CD to MP3s.

Direct Way with Virtual CD-RW Software

A program named "NoteBurner" from http://www.noteburner.com can perform the two steps above directly.

The most important thing you need to do is select "NoteBurn CD-RW" as the default CD burner; the software will do the rest of the work for you automatically. Compared with the methods described below, it does all the work within a single program. Refer to http://www.noteburner.com/howto.html for how to use it.

Image Burning Method

This method doesn't need a CD-R to burn on and might be a little faster. Another advantage is that you can probably burn more than 80 minutes of music at once (I never tested it, but I think it'll work). Many CD recording programs allow you to burn on a "virtual recorder", creating a CD Image file on your hard disk.

1. In Nero, do this by clicking "Recorder" > "Choose Recorder..." > "Image Recorder" and then creating a new CD as usual.

2. After clicking on "burn", you're asked where you want the file to be saved. Select a drive that has enough free space to save all the contents of the CD.

3. When Nero has finished, you need a virtual drive like CloneCD's "VirtualCloneDrive" or the virtual drive in "Alcohol 120%". You can get a 21-day trial version of VirtualCloneDrive at http://www.slysoft.com/en/download.html . A free alternative is Daemon Tools 3.47 or 4.00, both of which can be downloaded at http://www.daemon-tools.cc . However, be careful, as the latest version of Daemon Tools will install spyware unless you uncheck this "option". Microsoft also provides a free Virtual CD-ROM driver for Windows 2000 & XP at Microsoft.com.

4. A (simpler) alternative to a virtual drive is to use a good unzipping program such as Izarc (free download from http://www.izarc.org) which will "unzip" the "ISO" or image file into regular audio files.

5. Right-click on your virtual drive and select "open image file..." or something similar - depending on which software you use. Then open the image file you created.

6. After loading your image file, rip the CD in the virtual drive as you would do with a normal CD.

Advanced Method Using Audacity for All Protected Audio

1. Open your recording program. It should be one that can save as an MP3. If you don't have a recording program you can download Audacity, which is cool and free, but if you already have another good recording program you can use that instead. (If you download Audacity, don't forget to grab the LAME encoder.)

2. Switch your sound-recording mode. Go to your system tray (in the lower-right corner of your screen, next to the clock) and double-click on Volume Control. Pull down the Options menu and click Properties. In the "Adjust volume for" box, press Recording, check all the boxes, and click OK. Your computer is probably set to record from the microphone; check the box under "Stereo Mix". You should only need to do this once.

3. Set up your recorder. Switch back to your music-recording program and create a new file. Make sure it's in the format you want; Audacity defaults to Mono mode, so if you're using that you'll need to go to Edit -> Preferences and change the Channels drop-down box to "2 (Stereo)".

4. Do it. Once your recorder is ready, press Record. Then switch to your audio source (whether it be iTunes, Windows Media Player, or another program) and press Play. Listen to the rapturous sound of your music being freed from DRM. When the song ends, press Stop, then switch back to your recording program and press Stop there.

5. Clean up. If you're going to be using a microphone with your computer, go back to Recording Control and switch the recording mode back to Microphone. Delete any unwanted sound or silence on either end of the waveform. Amplify if necessary. Save the project (in Audacity you'll want File -> Export as MP3) and close. You're done!

Very Advanced Digital-Only Lossless Method

1. Purchase and install Virtual Audio Cable (the demo adds "trial" clips to your sounds, so you'll need to purchase).

2. Set the playback device in your player software to the Virtual Audio Cable driver's input, and the recording device in your recording software to the Virtual Audio Cable driver's output.

3. Record using the Advanced Method above. The audio you play back and record through the Virtual Audio Cable will be a perfect digital signal, since it will never be converted to and from analog on your sound card.

4. If you have a Mac you can use Audiohijack (it's a fully functional demo, but before purchase, noise is overlaid on all hijackings longer than 10 minutes) to record any audio going through your computer. You would then follow the Advanced Method above.

Method Using Hymn for Songs Bought on iTunes

1. Use Hymn, an open source application for converting protected iTunes songs to unprotected MP3 files under fair use. Download and run it according to the directions provided on the site.

Tips

* If you don't need MP3 specifically (say you have a player that won't take anything else), consider ripping to OGG instead, as it gives better sound at the same filesize and is completely free of any patents. Most rippers as well as the Audacity tip above can handle this, and many players work with it too nowadays.

* This technique works for ripping music from any source. Music and dialogue from DVDs, streaming radio, game sound effects--absolutely anything your computer can play, you can record. If you've got a favorite song from one of your DVDs, try turning its audio into an MP3 and dropping it in your playlist!

* This technique can only be used to transcode songs in real-time. The alternative is to simply burn all your protected songs to a CD and then rip them back onto the computer in the format of your choice. That only works if you have extra CD-Rs, though. Of course if you use a CD-RW you can keep it specifically to convert protected audio and rip to MP3.

* You'll need to make sure that your computer is silent during the transcoding process except for the music playing. If an IM or email notification pops up, for example, and makes a noise, that will go into the recording. If you're good, you can go back in afterwards and clean that sort of thing out, but it's simpler just to turn off all your noisemakers before you start transcoding.

* Obviously you need to be able to play the file for this to work. If someone sends you a DRM-protected file that you can't open, this process won't help you. You can send the link for this page to your friend, though, and have him or her de-DRM it for you!

* If you are using iTunes version 6 or later, Hymn will not be able to remove the DRM on purchased songs. The development team is currently trying to find a way around the DRM, but Hymn will only run on iTunes versions 5 or earlier. In addition, you cannot switch to an earlier version of iTunes, because once you authorize your account with iTunes 6, you can't use anything but iTunes 6.

Warnings

* Circumventing DRM may be illegal in and of itself within the United States -- regardless of ownership of the IP or intent after disabling the DRM method. Read up on the DMCA and then contact your congressman.

* Please don't use this technique for piracy. Transcoding a song for your own collection is fine. Making your entire collection available for the whole Internet to download is illegal.

Monday, February 12, 2007

Linux and Vista users share driver pain

(Linux kernel developers offer free support to struggling hardware manufacturers)

Customers are getting annoyed. They spent good money on the latest and greatest PC peripherals, only to find out that the hardware is only partially supported on their operating system of choice. Without the kernel drivers necessary to power them, some of the best features of the new toys are going unused.

Oh, and just to be clear: The OS we're talking about is Microsoft Windows.

Hardware vendors seem to be having a tough time getting up to speed with Windows Vista, the latest iteration of Microsoft's client OS. Drivers have yet to emerge for many products that have worked for years under XP, and those drivers that do exist are buggy or missing features.

Nvidia is just one example. For months, it has been selling high-end graphics cards with a label on the box that reads, "Windows Vista Ready." And yet, although a rudimentary graphics driver ships with the Vista install disc, many of the advanced features supplied by Nvidia's ForceWare software have yet to be implemented for the new OS. The downloadable drivers Nvidia makes available on its Web site add some functionality but are still beta software.

The situation is frustrating enough for some customers that they're ready to take action. A Web site suggesting a class action lawsuit against Nvidia has over 1,300 registered users as I write this, and its forums are filling up with tales of woe from customers who aren't getting the capabilities they were promised when they bought their video cards. A sister site is collecting user accounts of bugs in Nvidia's drivers.

Given how many other companies are similarly under-delivering on hardware drivers for Vista, it's enough to make you wonder why more vendors don't do more to support Linux. If writing drivers for Vista is really this much of a chore, getting open source drivers for Linux will seem trivial by comparison.

In January, the Linux kernel developers offered hardware manufacturers a straightforward proposition: Free driver development. All a vendor has to do is supply specifications to its products, and the community will do the work.

Of course, this is what has been going on in the Linux world all along, with or without the support of the vendors. Under this new program, however, the kernel maintainers are explicitly reaching out to manufacturers to encourage them to use the community as a resource.

The benefits for manufacturers are compelling. Not only do they not need to spend a dime on actual driver development, but any drivers produced will eventually be distributed with the stock Linux kernel and supported by the community. That includes the so-called enterprise Linux vendors, such as Novell and Red Hat.

What's more, a little hardware support under Linux goes a long way. For example, anyone who's impressed with Vista's "Aero Glass" user interface should check out the amazing eye candy that's possible with Beryl, a new UI layer under development for Linux. And Beryl's hardware requirements don't even approach what Vista demands. Why wouldn't vendors want to support an OS that gives users the most bang for their hardware buck?

Unfortunately, still far too few vendors choose to make their hardware specs available to open source developers. Instead of relying on the help and support of the Linux community, they offer up closed, binary-only drivers, developed in-house. Often, these drivers are only of beta quality or don't offer the full functionality that's available under Windows XP.

In other words, Vista users: The Linux community feels your pain. Maybe you'd care to check out the progress we've been making on this side of the fence?

By Neil McAllister

Thursday, February 01, 2007

Simon says: let me hack your Vista PC

Microsoft is playing down the possibility that the speech recognition system in Windows Vista could be hijacked to delete files or perform other unauthorised actions.

Vista contains improved speech recognition technology, a factor which prompted security researchers to see if it was possible to create MP3 files on hacker websites or audio tracks distributed on P2P networks that issue spoken commands which take control of PCs running Vista.

Microsoft said the exploit is technically possible but unlikely to be much of a threat in practice. The attack scenario relies on activation of the speech recognition feature (with a user's microphone and speakers switched on to receive commands) and for a user to be away from his desk, so that the mischief takes place without anyone intervening. Many PCs are left on all the time, so hitting unattended PCs on, for example, the trading floor of a bank simply by targeting them at night might be possible.

A number of security researchers and Vista geeks have already tested the approach and were able to delete files and visit, albeit with considerable difficulty, arbitrary websites. But Microsoft says a number of additional factors make attacks based on the approach implausible, if not impossible.

"It is not possible through the use of voice commands to get the system to perform privileged functions such as creating a user without being prompted by UAC for Administrator credentials. The UAC prompt cannot be manipulated by voice commands by default. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation," Adrian, a Microsoft security researcher, wrote on Redmond's security response blog.

"While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation," he added.

The SANS Institute's Internet Storm Centre (ISC) disputes Microsoft's assessment of the potential danger posed by the feature. "Downloading and executing a local privilege escalation is still eminently possible, you just need a suitable 0-day local privilege escalation for Vista. Indeed, any way to download and run arbitrary code as a valid user is never good news, this one just happens to be from the 'neat trick' pile," ISC duty staffer Arrigo Triulzi writes.

By John Leyden