2017: the year of configuring Linux (or Windows, or OS X, or…) on the desktop

I’m going to FOSDEM next month, maybe I’ll see some of you there. This gives me motivation to solve one of the outstanding problems on my laptop: I currently, as has been mentioned here multiple times, use Windows 10 as a bootloader for my GNU/Linux installation. I would rather boot straight into Linux. So I can set myself a milestone: I would prefer, by the time I get to St. Pancras International train station on Friday 3rd Feb, not to have Windows on this laptop any more.

The laptop is an Alienware 15 R3, although weirdly the processor my laptop contains (Core i7-6820HK) is not one of the CPU options listed on the Dell website, so maybe they changed the configuration without updating the model, or had a spare old CPU knocking around when they built my laptop and decided to use that. Anyway, this is computering, so this is fine. You’re not expected to know or care that you don’t have the correct bits in the computer, just that it’s “Late 2016” (even though they still sold the R2 in late 2016, too).

The problems I have seem to fit into one of two categories: either the wi-fi (a Qualcomm Atheros chipset) doesn’t work, or the CPU/motherboard chipset (see above) isn’t supported and all hell breaks loose.

The wireless situation is that the wireless should be fully supported: Qualcomm Atheros integrated the driver into the Linux kernel back in version 3.11-rc1, in July 2013, and supply the firmware binaries. And so it doesn’t work in modern Linux kernels (or doesn’t reliably work, or fails for different reasons).

The chipset situation is that Intel integrated the driver into the Linux kernel back in version 4.3, in November 2015. So it doesn’t reliably work in modern Linux kernels.

I could go into the specific problems I’ve seen and the specific things I’ve tried to work around them, but I won’t. I won’t because well-meaning but unengaged people will ask me infuriatingly basic and irrelevant questions (yes, I have already turned Secure Boot off; no, it doesn’t change the fact that the ath10k module hasn’t loaded), or suggest unjustifiable solutions. The most common is the Distro Pimp: you should try [Debian/Debian testing/Arch/Ubuntu/openSuSE/Fedora/Mint/wait, which one did you say you’d already tried?]. Well that’s nice, but the distribution I tried (that didn’t work) is made of GNU and Linux 4.8, and the distribution you’re suggesting is made of GNU and Linux 4.8, so what specifically is it about your distribution that makes you think it works where this other one doesn’t? Oh, they focus on [stability/cutting edge/purple desktops/compiz effects/bible-reading software] do they? And how does that solve my problem where the kernel doesn’t work, despite being newer than all of the bits I need to have a working kernel?

This is the reality of Linux on the Desktop, the one that computerists say the world is ready for. Of course, it’s also the reality of everything else on the desktop. Something that occasionally happens in my Windows 10 bootloader is that it reboots while I’m using it to install some updates, because I stopped moving the mouse for a couple of minutes between 6pm and 9am (you know, the time when I’m at home, using my home computer). Some colleagues at work use Windows as an actual operating environment, and have things like Skype (made by Microsoft) popping up a notification when they’re presenting in PowerPoint (made by Microsoft). Something that apparently happens to people that have Macs is that the built-in PDF software doesn’t work well and they have to buy somebody else’s PDF software, except that they have to check whether that other PDF software is based on the built-in stuff or is something written by somebody else only they can’t because without the Four Freedoms they don’t have the freedom to study how the program works, and even if they could fix the problem they’re not allowed because they lack the freedom to redistribute and make copies to help their neighbours, or to improve the program so the whole community benefits.

This is fine.

On phone support scams and fake AV

A couple of weeks ago, I posted on Twitter about a new scam:

Heard about someone who was phoned by a man “from Windows” who engineered his way into remote access to the mark’s computer.

Fast forward to now, the same story has finally been picked up by the security vendors and the mainstream media. This means it’s probably time to go into more depth.

I heard a first-hand account of the scam. The victim is the kind of person who shouldn’t be expected to understand IT security – a long-distance lorry driver who uses his computer for browsing, e-mail, and that sort of thing. As he tells it, the person called, saying they were from Windows and that they had discovered his computer was infected. He was given instructions to give the caller remote access to help clean up the computer.

With remote access, the caller was able to describe some of the problems the victim was having with his computer, while taking control to “fix them”. The caller eventually discovered that the victim’s anti-virus was out of date, and that if he gave the caller his payment information he could get new software for £109. This is when the victim hung up; however, his computer has not booted properly since then.

I think my audience here is probably tech-savvy enough not to need warning about scams like this, and to understand that the real damage was done even before any discussion of payments was made (hint: browser form-auto-fill data). It’s not the scam itself I want to focus on, but our reaction.

Some people I have told this story to in real life (it does happen) have rolled their eyes, and said something along the lines of “well of course the users are the weakest link” in a knowing way. If that’s true, why rely on the users to make all the security decisions? Why leave it to them to decide what’s legitimate and what’s scammy, as was the case here? Why is the solution to any problem to shovel another bucketload of computer knowledge on them and hope that it sticks, as Sophos and the BBC have tried in the articles above?

No. This is not a solution to anything. No matter how loudly you shout about how that isn’t how Microsoft does business, someone who says he is from Microsoft will phone your users up and tell them that it is.

This is the same problem facing anti-virus vendors trying to convince us not to get fooled by FakeAV scams. Vendor A tells us to buy their product instead of Vendor B’s, because it’s better. So, is Vendor A the FakeAV pedlar, or B? Or is it both? Or neither? You can’t tell.

It may seem that this is a problem that cannot be solved in technology, that it relies on hard-wired behaviour of us bald apes. I don’t think that’s so. I think that it would be possible to change the way we, legitimate software vendors, interact with our users, and the way they interact with our software, such that an offline scam like this would never come to pass. A full discussion would fill a whole whitepaper that I haven’t written yet. However, to take the most extreme point from it, the one I know you’re going to loathe, what if our home computers were managed remotely by the vendors? Do most users really need complete BIOS and kernel level access to their kit? Really?

Look for the whitepaper sometime in the new year.

Anatomy of a software sales scam

A couple of days ago, Daniel Kennett of the KennettNet micro-ISV (in plain talk, a one-man software business) told me that a customer had fallen victim to a scam. She had purchased a copy of his application Music Rescue—a very popular utility for working with iPods—from a vendor but had not received a download or a licence. The vendor had charged her over three times the actual cost of the application, and seemingly disappeared; she approached KennettNet to try and get the licence she had paid for.

Talking to the developer and (via him) the victim, the story becomes more disturbing. The tale all starts when the victim was having trouble with her iPod and iTunes, and contacted Apple support. The support person apparently gave her an address from which to buy Music Rescue, which turned out to be the scammer’s address. Now it’s hard to know what she meant by that: perhaps the support person gave her a URL, or perhaps she was told a search term and accessed the malicious website via a search engine. It would be inappropriate to try and gauge the Apple support staff’s involvement without further details, except to say that the employee clearly didn’t direct her unambiguously to the real vendor’s website. For all we know, the “Apple” staffer she spoke to may not have been from Apple at all, and the scam may have started with a fake Apple support experience. It does seem more likely that she was talking to the real Apple and their staffer, in good faith or otherwise, gave her information that led to the fraudulent website.

The problem is that if you ask a security consultant for a solution to the problem of being scammed in online purchases, they will probably say “only buy software from trusted sources”. Well, this user clearly trusted Apple as a source, and clearly trusted that she was talking to Apple. She probably was, but still ended up the victim of a scam. Where does this leave the advice, and how can a micro-ISV ever sell software if we’re only to go to stores who’ve built up a reputation with us?

Interestingly the app store model, used on the iPhone and iPad, could offer a solution to these problems. By installing Apple as a gateway to app purchases, customers know (assuming they’ve got the correct app store) that they’re talking to Apple, that any purchase is backed by a real application and that Apple have gone to some (unknown) effort to ensure that the application sold is the same one the marketing page on the store claims will be provided. Such a model could prove a convenient and safe way for users to buy applications on other platforms, even were it not to be the exclusive entry point to the platform.

As a final note, I believe that KennettNet has taken appropriate steps to resolve the problem. As close as I can tell the scam website is operated out of the US, making any attempted legal action hard to pursue as the developer is based in the UK. Instead the micro-ISV has offered the victim a discounted licence and assistance in recovering the lost money from her credit card provider’s anti-fraud process. I’d like to thank Daniel for his information and help in preparing this article.