vilimblog

VirtualBox has a pretty good remote desktop server built in, but securing it can be a pain if you’re actually doing it properly, using Transport Layer Security (TLS) certificates and the like.

I’ve created a script to handle setting these certificates and username/password pairs, based on the VirtualBox manual, but it seems almost overkill to me for my use case.

There’s an easier way to do it if you’re not trying to set up a whole bunch of headless VirtualBox instances for many different people. The trick is to set the authentication type to Null, but only start the Remote Desktop server on localhost:

VBoxManage modifyvm "${VM_NAME}" --vrdeauthtype "null" VBoxManage modifyvm "${VM_NAME}" --vrdeaddress "127.0.0.1" VBoxManage modifyvm "${VM_NAME}" --vrdeport "${VRDE_PORT}"

1 2 3

VBoxManage modifyvm "${VM_NAME}" --vrdeauthtype "null" VBoxManage modifyvm "${VM_NAME}" --vrdeaddress  "127.0.0.1" VBoxManage modifyvm "${VM_NAME}" --vrdeport     "${VRDE_PORT}"

If you’re using the secure-box-rdp.sh script I wrote, this is simplified to:

./secure-vbox-rdp.sh -v virtual-machine-name -N -P remote-desktop-port

You just provide the virtual machine name and port number you’d like to use, and the script does the rest.

Then, all you have to do is set up an SSH tunnel into the virtual machine host, and none of the VMs set up this way are exposed to the outside world. Better still, it’s not clear how hard of a security audit the VirtualBox TLS implementation has gone through, but SSH is the constantly-reviewed bedrock of internet security.

Using plink on windows, it looks something like:

plink -v -ssh -l yourloginname -L 5000:localhost:5000 -C -N some.domain.com

Using ssh, it looks something like:

ssh -fCNq -L 5000:localhost:5000 yourloginname@some.domain.com

Once the tunnel is connected properly, you can just connect to the virtual machines via localhost:VRDE_PORT, and all of the tunneled traffic is automatically encrypted, for the win!

I’ve been messing with system provisioning quite a bit lately. i.e. How can I repeatably and consistently configure a system to a known state?

I’ve posted a script to Github that performs provisioning to free up as much RAM as possible on an OS X server system.

OS X is a hairy operating system though, since Apple provides little to no detail about the system services they enable on a freshly-installed machine. This is annoying.

Here are some techniques I use to determine which services can be disabled, and what subsystems they relate to.

First of all, you can get a sense of all of the services run at launch time by running launchctl list:

I’ve already disabled a number of services using the Github script, but maybe there are more to be disabled in the launchctl list.

For example: soagent, what is it and what does it do?

The find out, read the com.apple.soagent.plist file in /System/Library/LaunchAgents.

The launchd.plist manpage explains some of these settings.

The process has something to do with iChat. Since I don’t care whether iChat is running on my provisioned machine, I can try disabling this process:

launchctl -w /System/Library/LaunchAgents/com.apple.soagent.plist

If the system is stable with soagent disabled, then everything’s fine. Same thing goes for the CalendarAgent, the SocialPushAgent, and sharingd.

Another example: What is tccd?

So tccd appears to be the little popup that appears when application wants to dig into your more personal information. If the provisioned machine is being used as a server w/no logged in UI user, this can also be disabled.

The same pattern of analysis, reading plist files, and looking into the application bundles themselves if necessary, can be applied to all of the launched services.

This is a pretty random post with two parts.

1. On a recent trip to Norway, I noticed something about the way the society there reinforces its ethics among the public. If you’re riding public transport and are caught without a ticket, the fine is 750 kroner. If you try to lie about having a ticket, or produce a fake ticket, the fine is 1500 kroner. So, lying is worse. Maybe Berlin could use some of this, considering the number of people who often ride without paying.
2. Google continues to invest heavily in its own applications while letting its built-in Android apps rot. Makes sense, as it gradually moves people off of using non-Google services. Things like email, for instance. Case in point: the standard Android email app.

• It doesn’t try to autocomplete recipient email addresses from either the header or the contents of previously received messages, so if you’re writing someone for the first time on a particular device, it will make you type in their entire email address. Awesome. It doesn’t try to figure out who you mean, with typical Googley cleverness. I’m sure the Gmail app doesn’t make you do that.
• It takes forever to load messages and doesn’t cache them long enough or cache the contents particularly well. Or between restarts of the app. I’ve had to reload large images via IMAP multiple times, and message contents, and so forth. Once it’s retrieved once, why doesn’t it stick around for at least a few hours?

Apple pulled a huge surprise out of the hat yesterday, by launching the latest version of their desktop operating system as a free upgrade for anyone owning a system from ~2007 forward. This is a brilliant move.

1. It makes their hardware more sticky, by extending the life of older systems and generating goodwill among existing users. The memory compression feature and battery life improvements mean that even older systems will continue to be usable for a few more years.
2. It increases the second-hand value of older systems, as they can run a top-notch, supported operating system and gain access to all the new development that Apple’s been paying for. Compared to the scattered development lifecycle and the utter impossibility of an easy and cheap OS upgrade on the Microsoft side, the Apple strategy pays off immensely.
3. It moves all of their customers from 3 previous operating system generations (10.6, 10.7, 10.8) to the latest generation (10.9) and removes any disincentive to upgrade. Apple also adds the last holdout customers to the App Store ecosystem. The revenue from content and media sales cover the costs of operating system development. Microsoft needs to ask itself: Is it worth trying to squeeze a large amount of cash out of OEMs and end users every few years, or capture small amounts of cash out of end users many times per year?
4. It allows Apple to focus solely on improvements to the current operating system codebase, once the majority of users are onboard, which will be very fast. With no need to waste resources on supporting older OS X versions, Apple gets to shuffle and to devote more resources to new development. It means more features reaching more customers. Which is something they need in order to stay abreast of Google.

By supporting older systems, Apple confirms to some extent that desktop computers have stopped requiring more powerful processors and graphics for the past 6 years, while also repudiating the Microsoft demand that users upgrade their hardware with every new Windows release. It sends a signal to potential buyers (and people looking to switch from Windows) that they can amortize the higher initial hardware cost across several years of low-cost (and now, free) operating system updates. In concrete terms, it means you can max out a 2007 iMac with $150 of today’s RAM and solid-state disk component upgrades (improving it even beyond the original top-of-the-line 2007 specs), and easily get years more life out of the system.

Apple made the same hardware upgrade demands on early iPhone adopters, but smartphone specifications are also starting to plateau. So it may be the case that in 2016, when iOS X (?!) is released, the operating system will reach back and support the iPhone 5S as well.

Or, more likely, smartphones and desktops will converge within the next few generations. This is probably the only thing that will keep the hardware evolving and actually require new hardware purchases, since the current hardware can’t quite do everything that would be necessary to support this convergence.

There are a few moves Apple is already making to support this in advance:

1. Apple is now making their productivity applications available for free when you buy their hardware. Combined with iCloud support, it means being able to seamlessly work through multiple hardware devices. And it gives them a few years’ lead time to work out any remaining issues.
2. iOS 7 added support for Bluetooth mice, meaning that precision work will be possible in certain apps, certainly in future desktop-style apps.
3. iTunes streaming already allows you to stream movies to a connected Apple TV device, but one could just as easily imagine a way of doing this with a computer monitor. Indeed, one of the new features listed in OS X Mavericks is to stream the desktop to an Apple TV device.

Apple knows it needs to start moving in this direction, and that if it doesn’t, Google and Amazon probably will.

The current overall strategy that Apple seems to be signaling is the utter stability of the ecosystem: that what you buy today will run the content that you bought yesterday and that you will buy tomorrow, that Apple will retain current customers and gain new customers by offering them smooth, pain-free upgrades, and that investments in expensive hardware can be considered viable for the longer term.

Microsoft

On the Microsoft side of things: Is Ballmer gone yet?

Because Microsoft really needed new management years ago. But more to the point, because by April 8, 2014, something new will happen that will make Microsoft feel even worse.

As Windows 8.1 begins making its way onto desktops around the world, it might be useful to take a look at the approaching train wreck that is the end-of-life for Windows XP.

It will be a free-for-all on two fronts.

First, malware and spyware developers are going to rush to find more exploits, that they know will never be patched. Whoever captures the first zero-day exploits (and the many exploits past that point), will have essentially unlimited capacity to set up botnets. There will be very little that antivirus software providers will be able to do, once these exploits make it into the wild. These bits of malware represent the fatal blow to the Windows XP platform, and it’s unlikely Microsoft will do anything to stop them. But without providing a viable upgrade path, Microsoft allows the value of those existing systems and existing sales relationships to plummet to zero. Not a great strategy, where Apple is now signaling that it is trying to preserve the value of existing systems by making them as modern and secure as possible, while continuing to grow its installed base.

Second, IT departments will have to consider replacing these insecure systems. Will they choose Microsoft this time around, knowing that the total cost of ownership of a Mac system (factoring in hardware and operating system upgrades, less hardware diversity to manage, security updates, etc.) is within striking distance? In addition, when Windows 8 behaves as oddly as it does, with fullscreen Modern UI apps competing with traditional windowed apps to annoy the user, IT might decide that if they’re going to have to retrain users anyway, they might be willing to give the Mac a try.

There’s a blog post at the AMD community website called “The End of Windows XP: An Opportunity for PC Resurgence” that makes the argument that the loss of support for Windows XP for “its approximately 500 million users” might provide a “much-needed uptick for PCs”. But my feeling is that that’s 500 million desktops that are theirs to lose to other form factors. The usage patterns, the way people interact with data, have changed significantly over the past decade and Microsoft’s attempts to retain either a hardware or software lock on the market have been pretty unimpressive. (Except for Excel, of course.)

Microsoft needs to consider:

1. Dropping support for native 32-bit environments entirely going forward, relying instead on the Windows-on-Windows 64 (WOW64) software layer to run older applications in a native 64-bit environment. It not as though this is new technology, it’s been field proven over the past 10 years already, so the idea of supporting a pure 32-bit environment is entirely anachronistic and pointless.
2. Dropping the distinction between the different licenses. Rolling all of the features into a single codebase would make more sense and would allow developers to concentrate on improving that codebase. The only real distinction to be made between Windows versions is between the additional multiple-system management tools available to home and corporate customers.
3. Validating a version of Windows 8 with reduced hardware requirements for machines that once ran XP, and pricing the licenses accordingly. This hurts new PC shipments from its OEM partners, which Microsoft is loathe to do, but the decreasing volume of PC shipments means that ship has likely sailed anyway and Microsoft will need to find a way to generate incremental revenues from existing PC users looking to upgrade. As Apple just proved, hardware requirements are not the issue here.
4. Dropping support for Windows RT and ARM. Seriously, it makes no sense to bifurcate the platform. Instead, work with Intel’s latest Atom processors, running in 64-bit mode (so you can compete with iOS 7 with a single codebase), and optimize heavily to solve the battery-life issues. (I just ran into another post today about Windows having terrible battery life.)
5. Investing in kernel efficiency improvements and software optimization from the lowest levels of Windows (MinWin) to the topmost, user-facing features. Efficiency is an area in Windows that has been sorely lacking for years, and which is killing their efforts to build usable tablet computers and other alternative form-factor devices. There need to be platform-wide bounties and goals for improving energy efficiency, I/O performance, networking performance, security, and so on.
6. Open-sourcing the Internet Explorer core technologies. Browser development is charity work these days, and it’s not even Microsoft’s core business, so what is the point of singularly shouldering the development costs? It would be to their own benefit to let independent programmers review the source code looking for ways to improve it.

Not making these kinds of moves means that Microsoft will be stuck supporting a bloated ecosystem full of duplicated effort, with minimal resources dedicated to improving their situation. Sound familiar? It might, because that’s essentially the way the Linux ecosystem has been run for years. This is not an ecosystem they should want to emulate.

The current overall strategy that Microsoft seems to be signaling is the utter instability of their ecosystem: that what you buy today will not run the content that you bought yesterday and that you will buy tomorrow (Windows Phone 7.2, PlaysForSure, anyone?), that the way you expect to interact with your computer will also utterly change underneath you, that Microsoft will neither retain current customers nor gain new customers by offering them smooth, pain-free upgrades, and that even investments in inexpensive hardware cannot be considered viable for the longer term because Windows upgrades are so costly that no one bothers.

If Microsoft wants to remain relevant, they need to start thinking up ways to put their best work in front of the most people, all of the time, as part of the package, as a benefit of membership in the Windows ecosystem, as it were. Because this is the world we now live in: Apple and Google push their latest developments to consumers as soon as possible and at no additional cost, while Microsoft sits on its hands, hoping they will both go away.