Configure your ISO image before burning your cdrom :
Miniconf is a small program running under Windows. If needed it can be ported easily to other operating systems. Its purpose is to insert all your internet connection details in your ISO image and protect them with only one global password. Be sure that the .ISO file is in same directory and launch miniconf.exe. Fill in first field (global password) and other fields contents will then appear. Change them if needed, then close program. There is no OK or CANCEL button. Any keystrike is immediately saved in .ISO image. If you don't know the meaning of each field, read the example below :
For people interested in security, here are some details about Minilgos global password. To believe that encrypting secret data is a good way to prevent people from discovering them, is a mistake : whatever encryption method is used it can and will be broken, mainly because hacker can have an idea of what is the syntax of the data they seek, and secondary because hacker can always read and understand any code piece. It's better to "taint" the only pure random data, i.e the main random password (and only this one) with another random password you will choose yourself; we will call this one, your global password. For example, let's assume your main login password, needed to connect to internet and then through your ISP link, to your private data, is 734 (3 digits). It's random, so no one can "guess" it. But some hacker can calculate that only an average number of 500 attempts is needed to successfully login (000-999=1000 combinations, average attempts needed is 50%). In this specific example number of combinations is low; in reality we hope your ISP provides you with a pure random password, long enough, and also is able to detect someone trying multiple login attempts with password changing each time, and of course able to block each of this attempt for a long time, forcing hacker to lose significant time between two attempts (final goal is to have average time needed to discover a login password, high enough -let's say centuries- to turn this hacking method quite insane and worthless).
Now let's decide that we want two new properties :
- We don't want our main login password to be captured by a modified keyboard (spying keystrokes).
- We want to provide other family members or employees with their own cdrom and allow them to access ISP servers with their own private password, but without giving them the ISP server login password that will be used by all these cdroms and with the warranty that nobody can retrieve it, for example, from a stolen or lost cdrom (we assume global password remains secret).
To achieve this goal, you just need to "taint" the main password with the global password and store it on cdrom. Even a simple addition can be enough : Your main login password (the one expected by ISP server) is 734. The global password you choose is 260. We will then just store in your cdrom ISO image the "tainted" password 734+260=994. Now you burn the cdrom. When you boot PC on cdrom it will request your global password. You type in 260. The software will read from cdrom the "tainted" passsword 994, and then will attempt a login on network with password 994-260=734 (some hacker scanning network packets WILL NOT be able to see this login password, because we use CHAP protocol with MD5 algorithm; in a few words, password is mixed with a random part coming from server in a way that can't be mathematically reversed and server will compare this mix with its own mix, calculated the same way on server side). If global password is wrong, software will use a wrong calculated login password and login fails. If hacker steals cdrom and wants to use it to attempt to login more easily, he will discover that this method provides him no gain at all. Having to try 000-999 combinations for the global password is exactly the same as before when he tried to discover directly the ISP server login password. So, a global password brings us two new benefits (see list above) and does not lower significantly the number of combinations (minilgos limits global password to 8 pure digits to be sure all keyboards, whatever is language, accept them, and to encourage children or blind users to use numeric pad in order to remember a small movement rather than something written; despite this limitation the number of combination is high enough to prevent someone to try the 50,000,000 average login attempts... Let's bet that after 1000 of these attempts, your ISP will warn you that something "annoying" happens). Other passwords are less important (because they can be scanned on network, and are valid only if you connect through same ISP) and encrypted partially with another method (if they were tainted the same way and were already "known" because caught by a network scanner, it could give a way to discover global password and thus the login password. So the "tainting" method applies fully only to login password).
Example :
Warning : all following names, usernames and passwords do not actually exist. Other information exist and are working, by the time these lines were written, for the ISP chosen for this example, which actually exists. More examples for other ISPs are listed at bottom of this page.
We will assume your name is John DOE, and you decided to pay a monthly subscription to a french internet service provider named "Wanadoo" (unlimited ADSL 512K, "plaque ECI" area, protocol used in this specific area is PPPoE : PPP over Ethernet).
You have a daughter named Michele DOE. You know how it's impossible to prevent a kid from finding porn sites using a standard local operating system (even if you pay a lot for theoretical children protection software, none of them is able to "understand" if something nasty appears in some image, and there are too many possible way to download an image). You also dislike all existing ways for unknown adults to detect your daughter online and "chat" with her...
So you decide to try Minilgos for yourself, and if it works, and reveals a "closed" or "secure" enough system, you will create an additional mailbox for your daughter (your subscription allows you to create 4 additional mailboxes for same account).
1) First step : collect internet connection details
By the way, when you chose your ISP you chose ADSL ethernet instead of ADSL USB or ADSL Wi-Fi (because you know that Minilgos can work DIRECTLY with modems only if they are ethernet modems). Normally, if your ISP is a standard one (caution, the most non standard I know is AOL...), you will automatically receive a sheet of paper with details written on it -or if you don't receive it, you can ask for it and you will obtain it-.
For example, you received this :
Login username : fti/zorglub7@fti
Login password : 1oulala3
POP3 server name : pop.wanadoo.fr
POP3 username : john.doe@wanadoo.fr
POP3 password : 45zarg12
E-mail address : john.doe@wanadoo.fr
SMTP server name : smtp.wanadoo.fr
POP3 capacity : 20 Mb
(These details are enough to connect to internet web pages, receive or send e-mails... but no more. In this example, the login refers to a PPPoE login, protocol used by the ethernet modem, in this specific area of france -"plaque ECI"-. The mailbox refers of course to a POP3 server. SMTP server is the server that receives your outgoing e-mails).
Minilgos needs much more since it saves data to FTP area instead of local hard disk. It's probably the hardest part of configuration since it's not related to Minilgos but only to your ISP. Usually you PAY for some FTP area, even if you don't know it, and by default, this area is not activated. It's a storage area on a remote server named FTP server (File Transfer Protocol). Visit your ISP home page and discover how to activate your FTP area; if you find nothing, call your ISP and ask for their help. Once your FTP area is activated, it's quite necessary to test it. Use a FTP client to connect to your space, save something there, then delete it. Usually it takes a few hours or a day to have FTP storage area completely working. FTP access is usually slow, much slower than HTTP access (the way you access WEB pages). ISP gives you a FTP storage in order to maintain your own WEB pages. Minilgos will save data through FTP, and since saved file will become part of your "WEB pages", it will be possible for Minilgos to read back this file at maximum speed with HTTP protocol, just like a Web page (for example, during any save action, a progression bar appears in top left corner; the first 80% of the bar is for the FTP save itself; the remaining 20% are for the saved data verification through HTTP, much faster; if verification fails the whole save action is repeated, up to four times; save is attempted in a temporary file before it replaces target, so in case of total failure, you don't lose previous version of target). Confidentiality of your data is obtained by confidentiality of data full path in your FTP area. So, be sure that someone looking for a file in your Web page with an incomplete path, will not see on his screen your entire files and directories list, but instead will be blocked by the famous 404 error (file not found). Your ISP Web masters will be able to obtain tools in order to check what data you are saving (all data must strictly obey to the laws of the country where FTP server is located), so, normally they should tolerate this "strange" usage of FTP area, and you will be fully responsible of your saved data. Many users on internet, use FTP storage area to allow other people to download large files, instead of sending many copies of it in e-mails (very large attachments in e-mails are incredibly annoying to handle because e-mails are definitely not designed for this usage). So using FTP area for other purpose than publishing pure HTML WEB pages is common. Since your data will be "online" but "hidden", you will also discover that sending an e-mail to a friend in order to let him/she view/read/listen to a large document will be instant and easy with Minilgos (a link will be sent instead of a copy of the file, link will work instantly, and if you update your document, same link in same message will allow, later, your friend to access the updated version).
After your successful "FTP" adventure, you get the following details :
Web page address : perso.wanadoo.fr/john.doe
FTP server name : perso-ftp.wanadoo.fr
Web page directory : none (when you login you arrive directly in the page directory)
FTP username : john.doe
FTP password : 45zarg45
FTP capacity : 100 Mb
(FTP server returns the space you use in the code 226 message. You get it when you upload something)
(That means minilgos will be able to display free space in a small graphic gauge)
Minilgos for each user will create automatically a subdirectory (his/her root). We suggest you to choose the user first name for the subdirectory name. So the complete URL in order to access a Minilgos user subdirectory will be "http://[web page address]/[first name]". We have the server name. We can see that "john.doe" is the remaining of the web page address, and the first name will be "john" (we will choose it ourself later in miniconf main screen).
We now have enough details and we can use Minilgos with our ADSL account. The following details are optional, but may reveal themselves very helpful because even the best and most expensive ISP always has some failure (let's say 1-3 days in a year, where ADSL login, POP3 or FTP login fails because of a technical failure on ISP side, far from your street or in your street) or you may want to connect to your ISP servers from another location (where ADSL modem can't be connected to a valid signal). Minilgos can attempt (in phase 1) to connect to internet through a standard Hayes modem (i.e a modem working through your phone line at low speed with a standard phone call) connected to serial port Com1 or Com2. In this case protocol will be PPP. For ISP "Wanadoo" in this example, the login username will not be the same (we have to remove "@fti") and of course we have to find several additional details to succeed (ask them to your ISP, or if they refuse, try to discover them on internet) :
You discover this (optional) :
"Wanadoo libre" service phone number : 0806008484
PPP username : fti/zorglub7
PPP password : 1oulala3
Primary DNS : 193.252.19.3
Secondary DNS : 193.252.19.4
The "Wanadoo libre" phone number will accept your connection, since you have an ADSL subscription, but you will have to pay additional fee calculated on the phone call duration.
In order to dial the phone number your Hayes modem expects a Hayes command. Syntax is "ATDT[phone number]" if your phone accepts tones, or "ATDP[phone number]" if it requires pulses. DNS means Domain Name Server. They are servers able to translate a server name into IP address (4 numbers separated by periods) which are the destination addresses used by data over internet to reach their final destination.
2) Second step : Type in your details in miniconf screen
Launch miniconf, choose your global password (in the picture below we chose 12345678 but, normally all passwords will appear as hidden characters -********-, so other people can't read your password on your screen behind your back, but for this example only we let you see passwords on screen below). Fill in all fields where you have the info. Leave other fields unchanged. Close program.
3) Third step : Burn CD and try it
The .ISO file is ready to be burnt on a CD-R (experts may use CD-RW or floppy disk, but in this case invulnerability vs viruses coming from other operating systems is broken). You can always restart miniconf and when you enter your global password, you can see again the values you entered. If you enter a wrong global password, you won't notice it because they are hidden, but all passwords become wrong.
When you try to boot on the cdrom (insert cdrom, then power on PC or restart it), you will see a key in middle of screen and eight circles. If you don't see this key, check your BIOS setup, to see if you can boot on a cdrom before booting on hard disk. If you read "GCNS" (graphic card not supported) that means your graphic card is not VESA 2.0 (or above) compliant, and does not allow direct linear 32 bits addressing. Type in your global password, if you are typing in a figure a circle will turn from a cross to an arrow, with a 3 tones beep coming from internal speaker or buzzer (useful for blind users). If you dislike this noise just disconnect physically the speaker or buzzer. You can hit backspace to delete last figure you entered. When 8th figure is entered, login attempt starts.
Login may proceed with 3 phases : hayes modem, pppoe modem, and direct local connection or dhcp modem (in this order). You can force minilgos to skip hayes modem phase by leaving dial number field blank, and you can skip pppoe modem phase by leaving pppoe username field blank. Each phase will produce a line of icons on screen giving an idea on current step in login process (network interface card setup, CHAP authenticating mechanism, or retrieval of ISP servers IP addresses from DNS, for example). If a line ends with a cross and next line starts that means phase did not work or is avoided and next phase is attempted.
Direct local connection means we will attempt to work directly in TCP/IP with local network, without any PPP protocol. The local IP address field is very important in this last phase. Either it's DHCP (eventually BOOTP) or a static IP address you choose yourself. In first phases (PPP or PPPoE), most of bottom left fields, IP addresses, netmask, dns (for PPP you need to define them), packet size, etc..., defined in miniconf, are IGNORED and defined with values received directly during protocol setup. For last phase these values are received only if DHCP or BOOTP works, otherwise you have to define yourself all these values. The interesting thing with DHCP method is that you may have several other PCs in your local network (a local network is just a cheap ethernet hub -or router- you purchase to connect modem and all PCs together), able to connect to internet all at same time through the PC that is currently connected to modem (you need to run on this PC a DHCP server, a DNS server and something able to translate packets addresses, usually named NAT). "Comtun" for example is a very small software working on all versions of Windows and gathering all these roles. DHCP server role is to assign dynamically separate IP addresses to each PC, according to valid IP adresses range you have to define yourself (for example : 192.168.0.10 up to 192.168.0.40).
In our specific example, if John DOE uses its local hard disk operating system, and have Comtun running, then his daughter can start her minilgos cdrom, on her own PC (PC without hard disk), at same time : her cdrom will fail phase 1 (Hayes modem) & 2 (ADSL modem can't respond since modem is already busy with John DOE connection), but will succeed in phase 3 (if DHCP server is currently running and connection to modem is active on same PC). If John DOE turned his computer off or is not connected to internet, his daughter can start her cdrom and will fail phase 1 (Hayes modem) but will succeed phase 2 (ADSL modem). If John wants to start his computer and wants to connect to modem, he will have to "negociate" with his daughter a shutdown and a restart, in order to have her cdrom use phase 3, after her father connects...
.
If login is successful, you will see a few icons on left side. The icon named "WWm" (World Wide Minilgos) will allow you to select your country then to browse a protected subset of World Wide Web, i.e web pages, all approved, one by one, that can be seen safely by children. Just follow the links you see there to reach the global Minilgos documentation in order to learn all you want to know about Minilgos (how to define a few friends e-mail addresses in phone book, then read your e-mails -caution any e-mail coming from unknown people is hidden and deleted automatically-, send e-mail from phone book list, etc...). If you are just doing a first test it maybe wise to read your e-mails first on your local hard disk operating system, to be sure you won't lose any, and print the e-mail addresses of all the friends you know if you really want to use Minilgos to read your e-mails (but don't worry you can't start reading -and filtering- your mailbox if phone book has no e-mail address defined or if phone book could not be read completely and without error because of a network failure : in such case you will see a black exclamation mark in front of phone book icon to warn you that phone book is not correct and so, mailbox reading is blocked). Send also some e-mail to an incorrect address in order to see what is the e-mail address of the "daemon" (automatic program) used by your ISP in order to warn you that your e-mail could not reach its target (caution, some spam engine can send spam with this identity, or even target's identity, thus do not add such "predictable" e-mail address in the phone book of someone that could be offended by some spam).
4) Fourth step : Configure daughter's CD
On your ISP home page, you should find a way to create an additional mailbox for your daughter, "michele.doe@wanadoo.fr", and choose its random mailbox password, for example "2youark6". Only the first name, the mailbox username, the mailbox password and the mailbox e-mail address change. Configure your daughter's iso image and burn it. Your daughter's PC does not need any hard disk inside. You can use same iso image, let your daughter type in herself her own secret global password, then you can change some data in the appropriate fields (you HAVE to type in again all hidden passwords, since a global password change turns them wrong).
Caution : Kid's hard disk can send you in jail... if you get bad luck and your kid is fond of copyrighted files (musics, movies, etc...). How hard piracy will be prosecuted in future is unpredictable. The worst thing, even if justice is nice with you, is that some school rejects studients that got problems with justice, so decide once for all what risks, related to piracy, you accept in your house or in your office, because of computer hard disks contents (and do not forget to display clearly what you tolerate and what you forbid).
5) Fifth step : some testing and a little feedback
Show your daughter (or son or any other family member) how to add your email address in their minilgos phone book (the icon just above the WWm icon). Now she/he can send you e-mails and you can send her/him any text email or MMS (standard MIME emails with JPEG pictures attachments). Only pure texts, sound files (WAV or OGG) and JPEG pictures will work but it's quite enough. Also try to create a temporary mailbox to simulate an unknown adult trying to contact your daughter. You will discover that this e-mail coming from someone not registered in your daughter's phone book will never appear on your daughter's screen (it's physically deleted from the POP mailbox and your daughter won't even know it). If she wants to receive e-mails from close friends, she will have to add their e-mail addresses first in her own phone book. That's how minilgos is completely closed and secured by default, right after the cdrom burning! (adults not happy with this behaviour may ask for a customized version through full support). Another interesting feature is phone over internet. She will be able to call her friends (assuming they use minilgos as well) through the phone book screen and it will involve only internet data exchange (no extra bill to pay! whatever is distance or duration!). If she explores WWm pages, she will discover some entertainment page, requiring entertainment time that can be earned through lesson pages where this time is granted when final lesson test (random parameters) is successful. Normally, this reward system should make the play time always shorter than the work time and will help minilgos to achieve its primary goals (let children use computer safely and improve their knowledge).
Use the e-mail address at bottom of Minilgos home page, to send feedback about your Minilgos experience. Thank you for trying a new operating system!
More examples... (other Internet Service Providers) :
Télé2 Haut-débit DSL 1024
Received in your physical mail box :
Login username : eu2000000@tele2.fr
Login password : 1oulala3
Retrieved after mailbox (account) creation on www.tele2internet.fr :
POP3 server name : pop.tele2.fr
POP3 username : eu1900000
POP3 password : 45zarg12
E-mail address : john.doe@tele2.fr
SMTP server name : smtp.tele2.fr
POP3 capacity : 10 Mb
Retrieved after personal web page creation on www.tele2internet.fr :
Web page address : home.tele2.fr/~fr-00000
FTP server name : home.tele2.fr
Web page directory : html (after a ftp login, we have to go inside "/html")
FTP username : fr-00000
FTP password : 45zarg45
FTP capacity : 10 Mb
(FTP message 226 doesn't return any free space info.)
(FTP message 230 returns free space info at login time.)
