Friday, February 6, 2015

Windows 10 on Virtualbox

What? Herman uses Windows? Shock, horror...

My first desktop computer - if you could call it that - was a Commodore Vic 20 - ugh.  The second one, was an Apple IIe, which was probably the first desktop computer worthy of the name.  Since then, I have used many, many systems, including Sperry, UNIVAC, Varian, DEC and some that nobody ever heard of.

As far as Microsoft operating systems go - if you can call them that - I have used practically every version of everything Ol' Billybob ever made.  I even once received a cheque from Microsoft for one of their infamous illegal business practices lawsuits that they lost (Corel, Novell, Lotus, DEC, SAMBA, SCO, Stacker, Trumpet, Sierra...).  So I have a kind of love/hate relationship with MS and avoid their products wherever possible, since they can destroy a computer business competitor without batting an eye and leopards never change their spots.

If it is Free, Take Two!

You can download a Windows 10 ISO file (at the time of writing, the Technical Preview from the Windows Insider programme) for free here:
https://insider.windows.com/

Windows 10 Running in a Window on Fedora Linux KDE

You just have to give them your whole pedigree and create an online account, but if you are old enough to do this on your own, then MS already has your whole pedigree and you may even have an account too... 

The Magical Incantation

After downloading the ISO (4.9 GB), run VirtualBox and create a new VM with the type set to "Windows 8.1 (64 bit)".  In the VM's Storage settings, attach the ISO file to the virtual CD-ROM drive and boot up.

If VirtualBox only offers 32 bit guest types, then hardware virtualization (Intel VT-x, or AMD-V on an AMD machine) is turned off in the PC BIOS/UEFI setup.  Reboot and fix that first.  The setting is usually not in the CPU section as one would expect, but hidden somewhere else in the BIOS settings - you'll need to click around to find it.

The Win 8.1 64 bit trick above is the main reason I'm writing this: it saves you from a Blue Screen of Death with stop code 0x5D (UNSUPPORTED_PROCESSOR).

Settings

Turn power management off in the guest, since your host already does that; install the VirtualBox Guest Additions; enable file sharing; and once everything is working right, disable the network, since that is the only way to keep a Windows machine secure.

Now please don't blame me for all the problems you may get with Windows... 

Guest Additions

Some people got it to work, but not I.  The 64 bit version of the Virtualbox guest additions runs and installs with no complaints, except that it doesn't actually work - sigh...

The main reason for using Guest Additions is the easy disk sharing with the host, but there is a way around that which should be almost as easy.  Run an FTP server on the host (vsftpd, for example) and then use the easy connect wizard in the Windows file browser (File, Map Network Drive, Map as Drive, Connect to a website..., Next, Choose...) to connect to the server using a URL like ftp://192.168.1.10.  This creates a shortcut in the left pane that then works like a network file share and asks for your user name and password when required.  At least, that is the idea anyway.  Keep in mind that FTP sends those credentials, and the files, in clear text, so this only belongs on a network segment that stays between the host and the VM.

However, I then ran into some weird file access permission problems.  I can copy a file somewhere else, but I cannot open the file in place with an application, so it looks like I get read-only access.  Access works perfectly with FileZilla, so it is a Windows Explorer problem, not an FTP server problem.

I heard on the grapevine that Windows 10 would finally support SSH as well, but it doesn't look like it.  An ssh:// type of URL fails.  Only FTP and WebDAV seem to be supported, same as before.  So Windows is still a pain in the derrière for engineering use.


Speed

...or the lack thereof.  

The default out-of-the-box Win10 is a round and fat prasatka (a little pig).  It is very slow compared to WinXP, Linux or Mac.  A VM backup tarball clocks in at 6.5 GB compressed - five times bigger than a typical Linux VM.  So everything and its dog is installed by default, yet, as always, Windows doesn't actually have any useful applications by default.  What the heck they do with all those gigabytes is a mystery.

One reason I am experimenting with this fat piece of jello, is because I have to get MS Office 2013 to work and it requires Windows 8 or better.  However, it is so dog slow in Virtualbox, that MS Word is almost unusable, and I need to get the FTP server access above to work also.


Security

...or the lack thereof.  

To say that Microsoft doesn't take security seriously, is an understatement of mind boggling proportions.

One reason why I run Win10 on VirtualBox is that it lets me easily firewall all the built-in spyware.   The creepy doll Cortana listens to everything you say, your search keystrokes are sent to Microsoft Bing, and if you use BitLocker while signed in with a Microsoft account, then the recovery key is backed up to OneDrive for easy access by the NSA, FSB, GCHQ and other hackers and mafiosi.  

Once you have it working properly, run the VM with host-only networking, or go into Windows Firewall with Advanced Security and block most things in both the inbound and outbound rules.  Host-only networking gives the VM a link to the host and nothing else, so the FTP share above keeps working while the rest of the world is out of reach; switch the adapter to NAT briefly if you ever really need it.  The speed improvement from turning things off, and blocking them in the firewall to make double sure, is quite amazing.

I ran the Settings Wizard and turned the fat creepy doll Cortana, Bing Search, the App Shops, Help, Support, Feedback, Remote everything, Skype, Games, Xbox and everything else that looked remotely useless OFF - most everything in other words.  After that - and rebooting of course - it seems to work even faster than my specially hacked Win7 VM and all pop up advertisements and other cruft are blissfully gone.  It is still very much slower than a WinXP VM though.

After my latest round of blocking and disabling cruft, MS Word launches and opens documents in the blink of a lazy eye.  So the default settings of Win10 are really awful.

Bugs

There are a few annoyances that I noticed already.  The menu system is a kind of self-indexing database with a limit that is set too low.  It tends to pick up all kinds of cruft, and you may find that a newly installed program won't show up in the menu; if it doesn't show in the menu, then you cannot search for it either, since search uses the same broken database.  I'll install Classic Shell and see how that goes.

Ditto with large folders.  I mapped a disk from the host system over FTP and large directories failed to show up in File Explorer.  I don't know what the limit is, but one of these has 6700 files and is 32 GB in size.  I can access it just fine from FileZilla though.  These missing folders eventually showed up - WTF?  It must be indexing things before showing them - another speed sapping service that I need to find and strangle.

Applications also seem to get only read access to mapped FTP folders.  I can use Notepad to open a file on the host from its File, Open menu, but cannot save it back to the host.  I have to save it somewhere else and use the file explorer or FileZilla to copy it back.  Also, if I double click a file in a mapped folder, it runs the relevant application, asks for username and password, and then tells me that it cannot open the file - grrr...

Ordinary mortals will probably never run into these issues, but Windows is clearly still not good for Engineering use and feels a bit buggy like Windows ME.

Windows FTP Authentication Bugs

Some searching on MS TechNet showed that the FTP authentication bug has been in Windows since 2007.  It is now so old that the published workarounds don't work anymore.  In essence, Win7/8/10 only work properly with anonymous FTP servers.

So, what I have to try next is to set vsftpd to anonymous on my home directory, restrict port 21 with iptables to the VirtualBox host-only interface so it is not open to the wild wild world, and then try again.

Now to find a happy middle ground between Windows bugs and Linux bugs.  The vsftpd chown_uploads function doesn't work in the version I have running, so I have to set all directories that I want to share to world read/write with the sticky bit.  World read/write lets the anonymous ftp user put a file there, and the sticky bit means that only a file's owner (or the directory owner, or root) can delete or rename it.  Note that it is the setgid bit (chmod 2777), not the sticky bit, that makes new files inherit the directory's group; in practice I end up with ownership of herman:ftp.  Bear in mind that 1777 on the whole tree also makes it writable by every other local account on the host, not just the ftp user.

To change the properties of directories recursively:
find /home/herman/Data -type d -exec chmod 1777 {} +

and with the /etc/vsftpd/vsftpd.conf like this:
anonymous_enable=YES
anon_root=/home/herman/Data
local_enable=YES
write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

dirmessage_enable=YES
xferlog_enable=YES
ftpd_banner="FTP, Eh..."
listen=YES
chown_uploads=NO

allow_writeable_chroot=YES

Restart with the command service vsftpd restart (or systemctl restart vsftpd on a systemd host such as Fedora) and now, finally, Windows 10 can read, write, edit and save properly to the anonymous FTP server, same as with a VirtualBox Guest Additions shared folder.  Check with ss -ltnp | grep :21 that vsftpd is listening only on the address you expect; with no listen_address in the config it listens on every interface.
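The configuration above opens an anonymous, writable tree, so it is worth checking mechanically what it exposes before the iptables rules go in.  The script below is an added example written for this page (it is not vsftpd's code and not from the original post): it parses a vsftpd.conf, fills in vsftpd's documented defaults for the options that matter, and reports findings for the config as posted and for an assumed hardened variant.  The allowed network 192.168.56.0/24 and the bind address 192.168.56.1 are assumptions (VirtualBox's default host-only network); the function and severity names are this example's own.

```python
"""Audit a vsftpd.conf for the risks of an anonymous, writable share.

Added example for this page; not vsftpd's code and not the post author's.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the vsftpd.conf shown in the post, verbatim.
POST_CONF = """\
anonymous_enable=YES
anon_root=/home/herman/Data
local_enable=YES
write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES

dirmessage_enable=YES
xferlog_enable=YES
ftpd_banner="FTP, Eh..."
listen=YES
chown_uploads=NO

allow_writeable_chroot=YES
"""

# Assumed hardened variant: no delete/rename for anonymous users, and the
# daemon bound to the VirtualBox host-only address (192.168.56.1 is the
# VirtualBox default; an assumption, adjust to your setup).
HARDENED_CONF = (
    POST_CONF.replace("anon_other_write_enable=YES", "anon_other_write_enable=NO")
    + "listen_address=192.168.56.1\n"
)

# vsftpd's own defaults (vsftpd.conf(5)) for the options the audit looks at.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "allow_writeable_chroot": "NO",
    "anon_root": "",
    "listen_address": "",
}


def parse_conf(text: str) -> Dict[str, str]:
    """Return option -> value, with vsftpd defaults for anything not set."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, comment, or not a key=value line
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def yes(opts: Dict[str, str], key: str) -> bool:
    return opts.get(key, "NO").upper() == "YES"


def audit(opts: Dict[str, str], allowed_nets=("192.168.56.0/24",)) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; 'high' means anyone reachable can act."""
    findings: List[Tuple[str, str]] = []
    anon_write = yes(opts, "anonymous_enable") and yes(opts, "write_enable") and (
        yes(opts, "anon_upload_enable") or yes(opts, "anon_mkdir_write_enable")
    )
    if anon_write:
        findings.append(("warn", f"anonymous users can create files under {opts['anon_root'] or '/var/ftp'}"))
        if yes(opts, "anon_other_write_enable"):
            findings.append(("high", "anon_other_write_enable=YES: anonymous users can also delete, rename and overwrite"))
    addr = opts["listen_address"]
    if not addr:
        findings.append(("high", "listen_address unset: vsftpd binds to every interface, so any host that can reach the machine sees it"))
    else:
        ip = ipaddress.ip_address(addr)
        if not any(ip in ipaddress.ip_network(n) for n in allowed_nets):
            findings.append(("high", f"listen_address {addr} is outside the allowed networks {list(allowed_nets)}"))
    if yes(opts, "allow_writeable_chroot"):
        findings.append(("info", "allow_writeable_chroot=YES disables vsftpd's refusal to run with a writable chroot root"))
    return findings


def worst(findings: List[Tuple[str, str]]) -> str:
    """Highest severity present, or 'ok' when there are no findings."""
    order = {"high": 2, "warn": 1, "info": 0}
    return max((s for s, _ in findings), key=order.__getitem__, default="ok")


if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        results = audit(parse_conf(conf))
        print(f"== {name}: {worst(results)}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

Run it against the real file with `audit(parse_conf(open("/etc/vsftpd/vsftpd.conf").read()))`.  The hardened variant still reports the anonymous write as a warning, because that is the whole point of the share; what goes away is the "anyone on the LAN" exposure, and even then an iptables rule on port 21 remains a sensible second fence.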

Battening Down the Hatches

When my computer is doing nothing, I prefer that it does exactly that - nothing.  It should not connect to any servers on the wild wild web behind my back.

Microsoft plays fast and loose with personal information.  Many network datagrams contain personal information, for example a UUID and my e-mail address, and I really don't like that.  The capture below is a UPnP device description (note the urn:schemas-upnp-org:device-1-0 namespace) served over TCP port 2869 (icslap, the Windows UPnP device host): the UDN carries a persistent UUID and the friendlyName carries the account e-mail address, and any machine on the same LAN segment can ask for it.

14:37:55.301077 IP 172.22.2.95.icslap > 172.22.2.55.51960: Flags [.], seq 204:1664, ack 236, win 256, length 1460
        0x0000:  4500 05dc 1c02 4000 8006 7c57 ac16 025f  E.....@...|W..._
        0x0010:  ac16 0237 0b35 caf8 18af 4d30 9068 b9a1  ...7.5....M0.h..
        0x0020:  5010 0100 aebf 0000 3c3f 786d 6c20 7665  P.......<?xml.ve
        0x0030:  7273 696f 6e3d 2231 2e30 223f 3e0d 0a3c  rsion="1.0"?>..<
        0x0040:  726f 6f74 2078 6d6c 6e73 3d22 7572 6e3a  root.xmlns="urn:
        0x0050:  7363 6865 6d61 732d 7570 6e70 2d6f 7267  schemas-upnp-org
        0x0060:  3a64 6576 6963 652d 312d 3022 3e0d 0a09  :device-1-0">...
        0x0070:  3c73 7065 6356 6572 7369 6f6e 3e0d 0a09  <specVersion>...
        0x0080:  093c 6d61 6a6f 723e 313c 2f6d 616a 6f72  .<major>1</major
        0x0090:  3e0d 0a09 093c 6d69 6e6f 723e 303c 2f6d  >....<minor>0</m
        0x00a0:  696e 6f72 3e0d 0a09 3c2f 7370 6563 5665  inor>...</specVe
        0x00b0:  7273 696f 6e3e 0d0a 093c 6465 7669 6365  rsion>...<device
        0x00c0:  3e0d 0a09 093c 5544 4e3e 7575 6964 3a35  >....<UDN>uuid:5
        0x00d0:  3166 6365 6266 332d 6431 6264 2d34 3538  1fcebf3-d1bd-458
        0x00e0:  642d 6261 3162 2d66 6432 3462 6130 3066  d-ba1b-fd24ba00f
        0x00f0:  3335 663c 2f55 444e 3e0d 0a09 093c 6672  35f</UDN>....<fr
        0x0100:  6965 6e64 6c79 4e61 6d65 3e57 494e 3130  iendlyName>WIN10
        0x0110:  564d 3a20 6865 726d 616e 4061 6572 6f6e  VM:.herman@aeron
        0x0120:  6574 776f 726b 732e 6361 3a3c 2f66 7269  etworks.ca:</fri
        0x0130:  656e 646c 794e 616d 653e 0d0a 0909 3c64  endlyName>....<d
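To show exactly what that dump carries, here is an added example (written for this page, not part of the original post) that decodes tcpdump's hex columns back into bytes, walks the IPv4 and TCP headers to reach the payload, and scans it for UUIDs and e-mail addresses.  The input is the capture printed above, embedded as a constant, so nothing touches the network; the function names are this example's own.

```python
"""Decode a tcpdump -X hex dump and scan the TCP payload for identifiers.

Added example for this page; it assumes the dump is IPv4/TCP as printed above.
"""
import re
from typing import Dict, List

# Sample input: the tcpdump output shown above, copied verbatim.
CAPTURE = """\
14:37:55.301077 IP 172.22.2.95.icslap > 172.22.2.55.51960: Flags [.], seq 204:1664, ack 236, win 256, length 1460
        0x0000:  4500 05dc 1c02 4000 8006 7c57 ac16 025f  E.....@...|W..._
        0x0010:  ac16 0237 0b35 caf8 18af 4d30 9068 b9a1  ...7.5....M0.h..
        0x0020:  5010 0100 aebf 0000 3c3f 786d 6c20 7665  P.......<?xml.ve
        0x0030:  7273 696f 6e3d 2231 2e30 223f 3e0d 0a3c  rsion="1.0"?>..<
        0x0040:  726f 6f74 2078 6d6c 6e73 3d22 7572 6e3a  root.xmlns="urn:
        0x0050:  7363 6865 6d61 732d 7570 6e70 2d6f 7267  schemas-upnp-org
        0x0060:  3a64 6576 6963 652d 312d 3022 3e0d 0a09  :device-1-0">...
        0x0070:  3c73 7065 6356 6572 7369 6f6e 3e0d 0a09  <specVersion>...
        0x0080:  093c 6d61 6a6f 723e 313c 2f6d 616a 6f72  .<major>1</major
        0x0090:  3e0d 0a09 093c 6d69 6e6f 723e 303c 2f6d  >....<minor>0</m
        0x00a0:  696e 6f72 3e0d 0a09 3c2f 7370 6563 5665  inor>...</specVe
        0x00b0:  7273 696f 6e3e 0d0a 093c 6465 7669 6365  rsion>...<device
        0x00c0:  3e0d 0a09 093c 5544 4e3e 7575 6964 3a35  >....<UDN>uuid:5
        0x00d0:  3166 6365 6266 332d 6431 6264 2d34 3538  1fcebf3-d1bd-458
        0x00e0:  642d 6261 3162 2d66 6432 3462 6130 3066  d-ba1b-fd24ba00f
        0x00f0:  3335 663c 2f55 444e 3e0d 0a09 093c 6672  35f</UDN>....<fr
        0x0100:  6965 6e64 6c79 4e61 6d65 3e57 494e 3130  iendlyName>WIN10
        0x0110:  564d 3a20 6865 726d 616e 4061 6572 6f6e  VM:.herman@aeron
        0x0120:  6574 776f 726b 732e 6361 3a3c 2f66 7269  etworks.ca:</fri
        0x0130:  656e 646c 794e 616d 653e 0d0a 0909 3c64  endlyName>....<d
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")
UUID_RE = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild packet bytes from tcpdump -X style lines; other lines are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # timestamp/summary line or blank line
        # the hex column is separated from the ASCII column by two or more spaces
        hex_part = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def parse_ipv4_tcp(pkt: bytes) -> Dict[str, object]:
    """Return addresses, ports and the TCP payload of an IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:
        raise ValueError("not TCP (protocol %d)" % pkt[9])
    tcp = pkt[ihl:]
    data_offset = (tcp[12] >> 4) * 4   # TCP header length in bytes
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "payload": tcp[data_offset:],
    }


def find_identifiers(payload: bytes) -> Dict[str, List[str]]:
    """Pull UUIDs and e-mail addresses out of a text payload (latin-1 never fails)."""
    text = payload.decode("latin-1")
    return {
        "uuids": sorted(set(UUID_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
    }


def audit_capture(dump: str) -> Dict[str, object]:
    """Decode one dumped packet and attach the identifiers found in its payload."""
    info = parse_ipv4_tcp(hexdump_to_bytes(dump))
    info.update(find_identifiers(info["payload"]))
    return info


if __name__ == "__main__":
    r = audit_capture(CAPTURE)
    print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}, {len(r['payload'])} payload bytes")
    print("UUIDs:", r["uuids"])
    print("e-mail addresses:", r["emails"])
```

Feed it `tcpdump -X` output one packet at a time (tcpdump prints only the bytes it captured, so a truncated segment decodes as far as the dump goes).  Sorting the matches and deduplicating them keeps the report stable when the same identifier is repeated across several packets.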


For starters, you can point the Microsoft host names at 127.0.0.1 in the hosts file, so that those names are resolved locally (no DNS query leaves the machine) and the outgoing connection lands on the loopback interface, where it fails.  Load the hosts file below into Windows/System32/drivers/etc:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost

127.0.0.1 dns.msftncsi.com
127.0.0.1 ipv6.msftncsi.com
127.0.0.1 win10.ipv6.microsoft.com
127.0.0.1 ipv6.msftncsi.com.edgesuite.net
127.0.0.1 a978.i6g1.akamai.net
127.0.0.1 win10.ipv6.microsoft.com.nsatc.net
127.0.0.1 en-us.appex-rf.msn.com
127.0.0.1 v10.vortex-win.data.microsoft.com
127.0.0.1 client.wns.windows.com
127.0.0.1 wildcard.appex-rf.msn.com.edgesuite.net
127.0.0.1 v10.vortex-win.data.metron.life.com.nsatc.net
127.0.0.1 wns.notify.windows.com.akadns.net
127.0.0.1 americas2.notify.windows.com.akadns.net
127.0.0.1 travel.tile.appex.bing.com
127.0.0.1 www.bing.com
127.0.0.1 any.edge.bing.com
127.0.0.1 fe3.delivery.mp.microsoft.com
127.0.0.1 fe3.delivery.dsp.mp.microsoft.com.nsatc.net
127.0.0.1 ssw.live.com
127.0.0.1 ssw.live.com.nsatc.net
127.0.0.1 login.live.com
127.0.0.1 login.live.com.nsatc.net
127.0.0.1 directory.services.live.com
127.0.0.1 directory.services.live.com.akadns.net
127.0.0.1 bl3302.storage.live.com
127.0.0.1 skyapi.live.net
127.0.0.1 bl3302geo.storage.dkyprod.akadns.net
127.0.0.1 skyapi.skyprod.akadns.net
127.0.0.1 skydrive.wns.windows.com
127.0.0.1 register.mesh.com
127.0.0.1 BN1WNS2011508.wns.windows.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 settings.data.glbdns2.microsoft.com
127.0.0.1 OneSettings-bn2.metron.live.com.nsatc.net
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com.nsatc.net
127.0.0.1 win8.ipv6.microsoft.com
127.0.0.1 go.microsoft.com
127.0.0.1 windows.policies.live.net


The above hosts file stops outgoing connections to these 39 names that Windows likes to connect to for no good reason, but it does nothing for incoming connections, for anything that uses a hard-coded IP address or its own resolver, or for seldom-used outgoing connections that I haven't seen yet.  Two details worth knowing: a hosts file has no wildcards, so every exact host name has to be listed (blocking telemetry.microsoft.com does not block watson.telemetry.microsoft.com), and mapping a name to 127.0.0.1 delivers the connection to the loopback interface, so anything listening on that port locally will receive it; 0.0.0.0 fails the connection outright, which is why many published block lists use it instead.

To edit the hosts file, right click on notepad in the Accessories menu and select run as administrator, then open the file C:\Windows\System32\Drivers\etc\hosts

If you want to block advertisements and junkware also, see this site:
http://winhelp2002.mvps.org/hosts.htm

Combine the above into a single hosts file.  If you then sit and stare at the output from tcpdump on the host, the network connection should be nice and quiet:
# tcpdump -A -i eth0
Replace eth0 with the host interface the VM's traffic actually crosses (Fedora names them like enp3s0; with host-only networking it is vboxnet0).

If you still spot something, simply add it.
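Combining lists by hand and then eyeballing tcpdump for misses gets tedious, so here is an added example (written for this page; not from the post and not from mvps.org) that merges several hosts files into one deduplicated block list and reports which observed names the list still does not cover.  The two hosts fragments and the list of observed names are constructed samples; the choice of 0.0.0.0 as the sink address is this example's own, for the reason given in the comment.

```python
"""Merge blackhole hosts files and check which observed names they do not cover.

Added example for this page, not from the post or from mvps.org.
"""
import re
from typing import Iterable, List, Set

# Constructed sample: a slice of the hosts file above, with the stock header kept.
POST_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
127.0.0.1 dns.msftncsi.com
127.0.0.1 v10.vortex-win.data.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 login.live.com
"""

# Constructed sample in the style of an ad-blocking list: 0.0.0.0 prefix,
# several names on one line, trailing comments.
ADBLOCK_HOSTS = """\
0.0.0.0 ad.doubleclick.net            # constructed entry
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 a.ads2.msads.net b.ads2.msads.net
"""

# Constructed sample: names seen in a later tcpdump session on the host.
OBSERVED_NAMES = [
    "settings-win.data.microsoft.com",
    "Login.Live.com",
    "dns.msftncsi.com",
    "telemetry.microsoft.com",
]

# 0.0.0.0 is a non-routable "no address": the connect fails at once instead of
# being delivered to whatever happens to listen on that port on the loopback.
BLACKHOLE = "0.0.0.0"
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}
NAME_RE = re.compile(r"^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$")


def parse_hosts(text: str) -> Set[str]:
    """Return the set of names a hosts file sinkholes, normalised to lower case."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, inline or whole-line
        if not line:
            continue
        addr, *hosts = line.split()
        if addr not in SINKHOLE_ADDRS:
            continue                           # a real mapping, not a block entry
        for h in hosts:
            h = h.lower().rstrip(".")
            if h in NEVER_BLOCK or not NAME_RE.match(h):
                continue
            names.add(h)
    return names


def merge_hosts(*sources: str) -> str:
    """Produce one deduplicated hosts file body from several block lists."""
    names = set().union(*(parse_hosts(s) for s in sources))
    return "".join(f"{BLACKHOLE} {n}\n" for n in sorted(names))


def uncovered(hosts_text: str, observed: Iterable[str]) -> List[str]:
    """Observed names the file does not sinkhole.

    Only exact matches count: hosts files have no wildcards, so a listed
    parent domain does not cover its subdomains.
    """
    blocked = parse_hosts(hosts_text)
    seen = {n.lower().rstrip(".") for n in observed}
    return sorted(n for n in seen if n not in blocked)


if __name__ == "__main__":
    merged = merge_hosts(POST_HOSTS, ADBLOCK_HOSTS)
    print(merged, end="")
    print("still resolving through DNS:", uncovered(merged, OBSERVED_NAMES))
```

Paste the merged body under the stock comment header in C:\Windows\System32\Drivers\etc\hosts, then feed the names you see in the next tcpdump session to `uncovered()` and append whatever it returns.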

Bah, humbug...

Herman





