Remembering Michelangelo

Yesterday was the 20th anniversary of the Michelangelo virus. If you don’t remember, on March 6, 1992, Michelangelo was programmed to overwrite the first 100 sectors of a hard drive–not quite as destructive as formatting a drive, but to the average user, the effect is the same. It was a huge scare–John McAfee predicted five million computers would be affected–but largely was a non-event.

Those of you studying for security certifications would do well to remember that Michelangelo is a prime example of a virus and a logic bomb. Viruses replicate; logic bombs do something when an event triggers. Malware doesn’t always fit neatly into specific categories–crossovers are common.

A Linux-based GPL’ed disk partition table recovery program

It seems like I’m recommending the program MBRwork to someone at least once a month. I recommended it two or three times just last week. But there are a couple of things I don’t like about it. One, it’s DOS. Creating DOS boot floppies isn’t as easy as it used to be. And two, it’s proprietary, so it could theoretically disappear any minute.

But similar tools exist for Linux. The most highly regarded is gpart (guess partition), which just happens to be included on the BG-Rescue Linux two-floppy rescue system. Download BG-Rescue Linux and burn the ISO image to a CD, or download the two-floppy version and write it to two floppies, and keep it in your toolbox. Or, of course, they’re on Knoppix.

When a partition table vanishes, or, a more likely scenario, a system quits booting mysteriously, you can boot BG-Rescue Linux and run gpart. You can also check FAT/FAT32 filesystems with dosfsck and NTFS partitions with ntfsfix.

Need to undelete some files in an emergency? You can even undelete files from NTFS partitions with ntfsundelete.

Clearly, skills with a handful of Unix utilities are very useful even in a strictly Windows shop.

Looks like I should explore these tools a bit more in-depth this week.

How to use Knoppix to replace at least $100 worth of must-have utilities

Even if you aren’t really a Linux person, the live CD Linux distribution Knoppix is incredibly useful. If nothing else, you can use it to replace Ghost, Partition Magic, and Nero or EZ CD Creator. That’s $100 worth of utilities for the cost of a download, or, if you don’t have broadband, for $5-$10 from a Linux distributor. If you’re not a Linux person, here’s how to boot and fire up the utilities you need. Once they’re up and running, they’re very intuitive; it’s just finding them that can be difficult.

PartitionMagic:
Boot Knoppix.
Click the shell icon in the toolbar at the bottom.
Type ‘su’ (no quotes) and hit enter to become a privileged user.
Type ‘qtparted’ (no quotes) and hit enter to bring up a free Partition Magic clone.

Ghost/DriveImage:
Boot Knoppix.
Click the shell icon in the toolbar at the bottom.
Type ‘su’ (no quotes) and hit enter to become a privileged user.
Type ‘mkdir /smb’ (no quotes) and hit enter to make a mount point for the network share.
Type ‘smbmount //server/share /smb -o username=myusername’ (no quotes) and hit enter to mount the network share. Enter your NT password when indicated.
Type ‘partimage’ (no quotes) and hit enter to launch Partimage, the closest thing there is to a free/open source Ghost. Save your image to /smb and you’ve got it made. No more paying for Ghost licenses, no more dinking around with boot floppies to try to find the right driver for your NIC and trying to find enough room to cram the ever-more-bloated Ghost…

Nero/EZ CD Creator:
Boot Knoppix.
Click the shell icon in the toolbar at the bottom.
Type ‘k3b’ (no quotes) and hit enter to launch a CD burning application.

Drive wiping utilities:
This assumes the drive you want to wipe is the primary master on your first IDE channel. Unless you really know what you’re doing, disconnect all other hard drives!
Boot Knoppix.
Click the shell icon in the toolbar at the bottom.
Type ‘su’ (no quotes) and hit enter to become a privileged user.
Type ‘dd if=/dev/random of=/dev/hda bs=512’ and hit enter.
For something approaching military-grade security, you need to overwrite seven times. Here’s one line to do that. This will take a good, long while.
Type ‘dd if=/dev/zero of=/dev/hda bs=512 ; dd if=/dev/random of=/dev/hda bs=512 ; dd if=/dev/zero of=/dev/hda bs=512 ; dd if=/dev/random of=/dev/hda bs=512 ; dd if=/dev/zero of=/dev/hda bs=512 ; dd if=/dev/random of=/dev/hda bs=512 ; dd if=/dev/zero of=/dev/hda bs=512’ and hit enter.
To securely wipe floppies, substitute the string “fd0” for “hda”.
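The same alternating zero/random passes as a shell script, added here and not from the original post: it takes the pass count as an argument, supplies the count that dd needs when the target is an image file rather than a whole device, and reads the target back afterwards to confirm the final zero pass covered everything. The function names and the 1 MiB test image are assumptions; /dev/urandom stands in for the post’s /dev/random.

```shell
#!/bin/sh
# Multi-pass overwrite of TARGET (a block device, or an image file when
# testing), alternating /dev/zero and /dev/urandom as the post's seven chained
# dd commands do, followed by a read-back check that the final zero pass
# covered the whole target. Assumes GNU coreutils; function names are mine.
# /dev/urandom replaces the post's /dev/random, which blocks when the kernel
# entropy pool runs dry and would take far longer on a whole disk.

# target_size TARGET: size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# wipe_passes TARGET [PASSES]: odd passes write zeros, even passes write
# random data, so an odd PASSES count (the post uses 7) ends with zeros.
# count= is required for an image file; on a device dd stops at the end anyway.
wipe_passes() {
    target=$1; passes=${2:-7}
    size=$(target_size "$target") || return 1
    blocks=$(( (size + 511) / 512 ))
    i=1
    while [ "$i" -le "$passes" ]; do
        if [ $((i % 2)) -eq 1 ]; then src=/dev/zero; else src=/dev/urandom; fi
        dd if="$src" of="$target" bs=512 count="$blocks" conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
    sync
}

# verify_zeroed TARGET: succeed only if every byte reads back as zero.
verify_zeroed() {
    size=$(target_size "$1") || return 1
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# demo_wipe: three passes over a constructed 1 MiB image, then verify.
demo_wipe() {
    img=$(mktemp) || return 1
    dd if=/dev/urandom of="$img" bs=1024 count=1024 2>/dev/null
    verify_zeroed "$img" && { rm -f "$img"; return 1; }   # must not be zero beforehand
    wipe_passes "$img" 3 || { rm -f "$img"; return 1; }
    if verify_zeroed "$img"; then rc=0; else rc=1; fi
    rm -f "$img"
    return $rc
}

demo_wipe && echo "wipe completed and verified"
```

On a real disk, substitute the device for the image path and run from a live CD with every other drive disconnected, as the post advises.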

Need to squeeze a little more on that floppy?

I’ve been experimenting again with bootdisks and the FreeDOS project came to mind.

Boot floppies are getting rarer but they’re still hard to avoid completely. I think FreeDOS is worth a look for a variety of reasons. Its system files take up half the space of Win9x’s DOS. That extra 100K on the disk can make the difference between your tools fitting on a floppy or not.

FreeDOS supports FAT32. There’s an unofficial DR-DOS fork that does as well, but the licensing terms of FreeDOS are a whole lot more clear.

The FreeDOS FORMAT.EXE can overformat disks. If you use more than 80 tracks, the disks have problems in some machines, but a 1.68 megabyte disk using extra sectors per track should be OK. Concerned about overformatting disks? The Amiga’s default high-density disk format was 1.76 megabytes. That extra 240K can make a big difference, especially when coupled with that 100K you’ve already saved. The syntax to make a bootable 1.68 meg disk: FORMAT A: /F:1680 /S

The syntax for a 1.74 meg disk: FORMAT A: /F:1743 /S

The FreeDOS command interpreter includes command history, so you don’t need to make space on the disk or in low memory for DOSKEY.

Using FreeDOS and its 1.68 meg floppy, I was able to squeeze Ghost 8.1 (a 1.3 meg monster) onto a boot floppy and still have 197,632 bytes free to play with. With that kind of space left, if need be, one could format the disk with FreeDOS, then SYS it under Win9x and run MS-DOS 7 on it.

If you still need to squeeze a little more space, get the freeware FDFormat, which can also format oversized floppies and lets you reduce the root directory down to 16 entries from the default 224, which gives you a few more kilobytes of usable space. If you need to put more than 16 files on the disk, create a subdirectory and put your files in the subdirectory. The syntax would be FDFORMAT /D16 /F168 /S. Substitute /F172 for a bigger disk. To increase the performance of the floppy (who doesn’t want the slowpoke floppy to be a bit faster?) add the /X:2 /Y:3 options. A boot disk formatted this way yields 1,595,904 free bytes with the FreeDOS boot files installed.

That’s enough space to be almost useful for something again. You’ll at least be able to fit more on Bart’s modular disks or Brad’s network boot disk.

Technobabble

Grisoft AVG works as advertised. If you don’t want to pay for virus protection, do yourself and your friends a favor and head over to Grisoft and download the free edition of AVG. I used it Monday night to disinfect a friend’s PC that had become infected by the infamous KAK virus.
Free-for-personal-use anti-virus tools have a nasty habit of becoming un-free within a year or two of their release, but look at it this way: AVG at least saves you a year or two of paying for virus update subscriptions.

It’s not as whiz-bang as the tools from Norton or McAfee but it works. You can’t get as fine-grained about scheduling stuff but that doesn’t matter so much. You can schedule things like scans and updates, and it does find and isolate the viruses, and you can’t beat the price. Go get it.

Linux on vintage P2s. I helped Gatermann get Debian up and running on his vintage HP Kayak workstation last night. This is an early P2-266 workstation. Gatermann marveled at how it was put together, and with the calibre of components in it. It had a high-end (for its time) Matrox AGP card in it, plus onboard Adaptec Wide SCSI, 128 MB of ECC SDRAM, and a 10,000-RPM IBM Wide SCSI hard drive. It arrived stripped of its original network card; Gatermann installed an Intel EtherExpress Pro.

In its day, this was the best Intel-based workstation money could buy, and you needed a lot of it. Of course, back in that day I was working on the copydesk of a weekly magazine in Columbia, Mo. and chasing a girl named Rachel (who I would catch, then lose, about a year later). And I probably hadn’t turned 22 yet either. Needless to say, that was a while ago. It seems like 100 years ago now.

Today, the most impressive thing about the system is its original price tag, but it remains a solidly built system that’s very useful and very upgradable. He can add another CPU, and depending on what variation his particular model is, he can possibly upgrade to as much as a P2-450. A pair of 450s is nothing to turn your nose up at. And of course he can add a variety of SCSI hard drives to it.

Debian runs fine on the system; its inability to boot doesn’t bother me too much. I occasionally run across systems that just won’t boot a Linux CD, but once I manage to get them running (either by putting the drive in another PC for the installation process or by using a pair of boot floppies to get started) they run fine.

The system didn’t want to boot Debian on CD, or any other Linux for that matter. So we made a set of boot floppies, then all was well.

The batch that this computer came from is long gone, but I expect more to continue to appear on the used market as they trickle out of the firms that bought them. They are, after all, long since obsolete for their original purpose. But they’re a bargain. These systems will remain useful for several years, and are built well enough that they probably will be totally obsolete before they break.

Tweaking Debian for all it’s worth

I fell way behind on my Sorcerer Linux box. The thing compiled code for a day trying to keep up, and finally I started questioning the point of it all. Yeah, the kernel and glibc all benefit from having fresh, up-to-date and aggressively-optimized code, but my highly-optimized KDE 2.2 was slow as a dog, and why am I bothering compiling a superfast version of more? So I installed Debian.

But I wanted ReiserFS. So I went and downloaded the special Debian boot floppies that support Reiser. I just let it do an install over the network. The end result was a copy of Debian Testing on my system. Of course I wanted to upgrade to unstable, so I edited /etc/apt/sources.list and changed the occurrences of “testing” to “unstable.”

Next, I wanted the hottest kernel on the block, which happens to be 2.4.17-mjc2. There is no Debian package for that. So I made one. For myself. I’m pretty sure the one I made won’t work on your computer. Here’s what I did, so you can make one that won’t work on my computer.

apt-get install kernel-source-2.4.17

Download the mjc patch to /usr/src

cd /usr/src

ln -s kernel-source-2.4.17 linux

bzcat 2.4.17-2.4.18-pre1-mjc2.patch.bz2 | patch -p0 (substitute the name of the mjc patch you downloaded)

make xconfig

Pick some of the cool new options like the pre-emptible kernel and realtime scheduler

make-kpkg kernel_image

dpkg -i kernel-image-2.4.18pre1-mjc2_i386.deb

echo "kernel-image-2.4.18pre1-mjc2 hold" | dpkg --set-selections

rm /usr/src/linux

I also went into /etc/fstab, found my ReiserFS partitions, and under the (options) heading, I added the notail and noatime options to increase filesystem speed.

How’s it run? I’m about to find out. But even without this stuff, running GNOME apps under IceWM, Debian is awfully fast. I like KDE, but in my experience it’s so much slower than GNOME, at least when GNOME is running in conjunction with IceWM. GNOME apps like Gnumeric and AbiWord load in under 2 seconds, even on a slow hard drive.

Some goodies for your CD burner

This is the coolest thing I’ve seen in a really long time! Everyone and his uncle who has no clue how CD burners work wants a networked CD burner, for some reason. But it’s not as easy as just throwing the drive in a server and sharing it out with write access, as you probably know.
Leave it to someone else to think of combining the power of CGI scripts and the Unix command line to create a Web-based networked CD burning solution. So with this and a minimalist PC (any Pentium with 24 megs of RAM and a 1-gig hard drive ought to be more than enough) and a Linux-compatible CD burner, you can give controlled access to a CD burner to anyone on your network with a Web browser. It’ll even burn bootable CD-ROMs for you.

So now I’m half tempted to permanently install my 2X CD burner in my 486 so that any of my computers can use it, any time.

Speaking of bootable CDs… I’ve mentioned Bart’s way to create bootable CD-ROMs before, but it warrants another mention. Bookmark it. Bart Lagerweij has a great collection of boot floppies as well, and some good utilities, including low-level SCSI utilities.

Windows CD burning software. So you got a great deal on an OEM CD-R or CD-RW only to find it didn’t include software? What to do? You re-use the copy of Easy CD Creator that came with your old CD-R, that’s what. And then you’ll upgrade Windows and you’ll really regret that–Easy CD Creator is one of the most finicky programs I’ve ever seen about Windows versions. Upgrade Windows, you’ll have to buy a new version of Easy CD Creator. So if you’re smart, you’ll tell Roxio where to go and what to do with itself and buy Nero Burning ROM.

If you’re smart and cheap, you’ll pay this site (watch out for the annoying popups and popunders, sorry) a visit. It’s free CD burning software for Windows, based on GNU tools. It comes with dated versions of cdrecord, so you’ll want to download a newer version of CDRTools (current version as I write is 1.10; v1.11 is pre-release code so you use it at your own risk) and extract it to the directory you installed the front-end.

It’s not as flashy as the commercial tools and it doesn’t necessarily have all the features you’ll find in a retail shrink-wrap package, but it’s functional, and some people will find it easier to use. It happily runs on any 32-bit Windows. You can make as many copies of it as you want and install it anywhere you want. It’s legal, and much less invasive than the commercial tools. Good deal.

I can’t figure out what to write about so I’ll write about everything I can think of.

Cars. I just found out today that one of my coworkers owns four vehicles. And that’s not counting his Harley. I wondered the same thing everyone else did: What’s a single guy need four cars for?
I guess it would be handy for some things. Like this morning, I started my car, hopped out, started scraping, and when I got back inside, I looked down at my gas gauge and saw the yellow indicator light staring back at me. If I had four cars like (ahem) some people, I could have just shut it down and hopped in another car that had more gas in it. Of course, then I’d just have three more cars I could run down to E, so maybe that wouldn’t work.

I guess the other advantage would be driving something different to work every day, so people can’t keep track of whether you’re there or not. But I’m still having a hard time justifying it to myself.

The Cure. The Cure retired a year ago. Of course, the only thing harder than keeping track of how many times they’ve retired is how many band members they’ve had. So they recorded new material and released their third greatest hits collection, fulfilled their obligation to their record label, and said they’re still a band, but they’re staying unsigned.

As clueless as the record industry has become, it’s probably a smart move. It’d be nice if a few financially well-off artists would get together and form a privately-held record label that’s just about the music, rather than about pleasing shareholders or building huge financial conglomerates.

Cleveland Indians. The disassembly of the franchise continues. Manny Ramirez departed a year ago, replaced by a damaged-goods Juan Gonzalez. Now that Gonzalez has recaptured his old form, he’s gone. Roberto Alomar’s been traded to the Mets for a handful of prospects, plus ex-Twins outfielder Matt Lawton. Speedster Kenny Lofton is gone.

Cleveland was the model franchise of the 1990s. They signed their young players to long-term contracts early and they were only wrong about one of them (Carlos Baerga). The first two young stars they let go, Baerga and Albert Belle, are out of baseball now. They built a new stadium and kept it full. But for all the things they did right, they didn’t get a World Series win to show for it.

And I don’t see any indication with this trade that the Indians have learned their lesson. Clearly they’re in rebuilding mode, dumping salary and getting younger, cheaper players in the hopes of making a run for it again in a few years. But they traded Alomar for two outfielders and a relief pitcher. The Cleveland teams from the mid-90s on featured terrific offense and enviable defense that was at times spectacular, but little in the way of pitching. And the lesson of Arizona is that starting pitching plus one big bat is all you really need, even in these high-offense days.

So I’m shocked to say that between the Royals and the Indians, right now the pitcher-hoarding Royals are much closer to doing the right thing.

Should I be laughing at this? Gatermann sent me this link and I got a good laugh out of it. I can’t figure out if I should feel bad about that.

Viruses. My work laptop, or, more specifically, the Windows partition on my work laptop, was a victim of last week’s data recovery efforts. I have no excuse. I temporarily took leave of my senses and I didn’t write-protect the DOS boot floppies I made. So I booted off the troubled computer, then I booted the laptop off the same disks, and the next thing I knew, the laptop was infected too. It was, to say the least, my finest moment.

Yesterday I finished rebuilding the Windows partition and booted the laptop into Windows for the first time in half a week. I didn’t do any special tricks; I just wiped and reformatted the partition. But since installing Windows wipes out your Linux boot sector, I used a trick. I booted into Linux, inserted a floppy, and issued the command dd if=/dev/hda of=/dev/fd0 bs=512 count=1 to save the boot sector to a floppy. Then, after Windows was installed, I booted off a single-disk Linux distro, replaced the floppy, and reversed the command: dd if=/dev/fd0 of=/dev/hda bs=512 count=1. Bingo! I had a dual-boot system again.

Virus hoaxes. I just got e-mail from Wendy (the friend whose computer taught me a whole lot about data recovery last week), who got e-mail from a classmate. She’d received a fairly common virus hoax via e-mail, one that advises you to search for and delete the file SULFNBK.EXE, alleging it to be a virus. In actuality that file is part of Windows, so it’ll be present on every Windows 9x system. I personally can’t remember if it’s critical or not, but Steve DeLassus tells me it is.

I’m probably preaching to the choir here, but any time you get virus e-mail like that, check it out with an IT professional. My rule of thumb is this: I disregard any virus information I get via e-mail unless I’ve also heard about it on the news. And by the news, I mean the morning news, the news on the morning drive on the radio, the front page of the local newspaper–stuff like that. Believe me, any time there’s a legitimate virus story, it’s big news. Many of the powers that be in the media are still computerphobes, so they relish any bad news regarding computers that they find. So the mainstream media is really good at hunting down and reporting virus stories.

Meanwhile, I hope she didn’t delete that file. But at least it’s easy enough to replace if she did.

Finding an open-source alternative to Ghost

Finding an open-source alternative to Ghost. Have I mentioned lately just how pathetic a software company Symantec is? Norton Utilities is adequate, don’t get me wrong. But I don’t think I’d put Norton AntiVirus on any computer that I wanted to work right. I’d give you my opinion of McAfee’s product, but that’s a violation of the license agreement, so I’ll give you my opinion of the company instead. They’d rather spend their time and money and energy keeping you from talking about their products than they would making them worth buying.
So, anyway. Since Symantec is making my life difficult, why do we keep rewarding them by buying Ghost licenses over and over again?

Knowing that the Unix command dd if=/dev/hda of=[filename] makes a bit-for-bit copy of a hard drive, I sought to utilize the Linux kernel and dd as an alternative. Pipe it through bzip2 and it’d be great, right?

Uh, no. I imaged a 1.6-gig HD that had about 400 MB in use. About an hour later, I had a 900 MB disk image. This is bad. Very bad. Ghost would have given me a 250-300 MB image in 15 minutes.

But then I stumbled across PartImage, which does an intelligent, files-only disk image like Ghost does. It’s fast, it’s small, it works. NTFS support is experimental, but as long as you defragment your drive before you try to make an image, it seems to do fine.

However, it doesn’t do a full disk clone like Ghost does. Not yet, at least. Not on its own, at least. But this is Unix. Where there’s a will, there are 47 ways.

First, dump your partition table: sfdisk -d /dev/hda > table

Next, get your MBR: dd if=/dev/hda of=mbr bs=512 count=1

Yes, Eagle Eye, dd does grab your partition table. But restoring the table with DD will only get your primary partition(s). It won’t get your extended partitions, so that’s why sfdisk is necessary.

Now that we’ve got that detail out of the way, you can use PartImage to create images of all your disk partitions. It’s menu driven like Ghost. It’s text mode and not graphics-mode, so it’s not as pretty, but it’s also a fraction of the size.

Got your files made? Great. Now, to make the clone, you reverse it.

Write out the MBR: dd if=mbr of=/dev/hda bs=512 count=1

Re-create your partition layout: sfdisk /dev/hda

Then restore your partitions, one at a time, using PartImage either in interactive mode or with command-line switches.

It's a lot to remember, so the best bet would be to dump the images plus these two small files to a CD, make a Linux boot floppy containing dd, sfdisk, and partimage, and write a shell script that does it all. Then you can think about getting fancy and making a bootable CD that holds all of it and restores a system lickety-split.
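The sector-0 half of that shell script, as an added example that is not the post’s own code: it wraps the dd backup and restore commands used above (and in the laptop dual-boot recovery earlier on the page) with a boot-signature check on the saved sector and a read-back comparison after the restore. The function names and the constructed image file are assumptions; the sfdisk dump of extended partitions is a separate step and is not covered here.

```shell
#!/bin/sh
# Back up and restore sector 0 (MBR boot code plus the primary partition
# table) with the same dd commands as the post, wrapped so the backup is
# sanity-checked before it is written back and the write is verified.
# Assumes GNU coreutils (dd, cmp, od, wc) and POSIX sh. The function names
# are mine. Extended partitions are not in sector 0: keep the post's
# separate "sfdisk -d /dev/hda > table" dump alongside this backup.

# save_mbr TARGET BACKUP: copy the first 512 bytes of TARGET into BACKUP.
save_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null || return 1
    # A bootable sector ends in the 0x55 0xAA signature; warn if it is missing.
    sig=$(dd if="$2" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || echo "warning: $1 sector 0 lacks the 55AA boot signature" >&2
}

# mbr_intact TARGET BACKUP: succeed if sector 0 of TARGET equals BACKUP.
mbr_intact() {
    dd if="$1" bs=512 count=1 2>/dev/null | cmp -s - "$2"
}

# restore_mbr TARGET BACKUP: write BACKUP over sector 0 of TARGET and verify.
# conv=notrunc matters when TARGET is an image file rather than a block
# device: without it dd would truncate the file to 512 bytes.
restore_mbr() {
    [ "$(wc -c < "$2")" -eq 512 ] || { echo "error: $2 is not one 512-byte sector" >&2; return 1; }
    dd if="$2" of="$1" bs=512 count=1 conv=notrunc 2>/dev/null || return 1
    mbr_intact "$1" "$2"
}

# demo_mbr: round trip on a constructed 1 MiB image standing in for /dev/hda,
# with an OS installer zeroing the boot sector simulated in between.
demo_mbr() {
    img=$(mktemp) && bak=$(mktemp) || return 1
    dd if=/dev/urandom of="$img" bs=1024 count=1024 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55 0xAA
    save_mbr "$img" "$bak" || return 1
    dd if=/dev/zero of="$img" bs=512 count=1 conv=notrunc 2>/dev/null        # the "Windows install"
    if mbr_intact "$img" "$bak"; then return 1; fi          # sector must now differ
    if restore_mbr "$img" "$bak"; then rc=0; else rc=1; fi
    rm -f "$img" "$bak"
    return $rc
}

demo_mbr && echo "MBR saved, clobbered, restored and verified"
```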

A lot of trouble? Ugh. Yeah. Worth it? Probably. Ghost licenses aren't cheap, and PartImage has the potential to be a whole lot quicker, since it's built on a better foundation. Today's PCs are extremely powerful, and DOS has been underutilizing PCs' power since the introduction of the PC/AT in 1985. Linux will very happily scale up to whatever amount of memory and CPU power your PC has under the hood, making compression and decompression go faster. And if you do a little tweaking with hdparm before creating and before restoring (again, a good job for a shell script), you'll get far better disk throughput than DOS could ever give you. On these P3-866s, I found PartImage was a good 20-60 MB/minute faster than Ghost.

So this is not only faster, it also frees you from the difficulty of keeping track of Ghost licenses, which is a hidden administrative expense. With Linux and PartImage and the associated tools, you're free to use them as you like. The only question anyone will ask is, "How'd you do that?"

That's not to say I have any objection to paying for a good product, but when you can't even buy a site license to escape the paperwork, it gets ridiculous. I suspect some companies just count their PCs and buy that many Ghost licenses once a year in order to be rid of the administrative overhead.

So I think it's more than worth it to figure out how to effectively do this job with open-source tools.

Of course I've left some questions. How do you make Linux boot floppies? How do you make Linux CDs? The PartImage site has images of bootdisks and boot CDs, but they don't have everything you need. Notably, sfdisk is missing from those images. And obviously you'd have to write your shell scripts and add those yourself.

I'll let you know when I figure it out. I'm pretty darn close.