Archive for the ‘computer geek stuff’ Category

The Unofficial Getac S400 G2 Guide

Sunday, March 30th, 2014

This is a guide for some of the more unorthodox things you can do with your Getac S400 G2 if you don’t care too much about voiding the warranty.

What's the S400?

The Getac S400 is a semi-rugged laptop. Semi-rugged means it can survive moderate levels of abuse, but it still has vents and fans, so you can’t throw it into a lake. Semi-ruggeds like the Panasonic Toughbook CF-53 and the Getac S400 typically cost about twice the price of a similarly specified normal laptop. In contrast a fully rugged will be totally sealed against dust and water and will usually have a metal body which the CPU uses as a giant heatsink (since there are no air vents); the problem is that a fully rugged typically costs four times as much as a high end laptop.

Semi-rugged and fully rugged laptops are normally supplied to environments that are both high-abuse and technical, such as the oil industry, emergency services and the military. The catch is that, as part of all the certifying and approval, spare parts are expensive compared to normal laptops.

This is where this guide comes in. If you’re an individual who has managed to grab an S400 cheaply (such as an ex display model or similar) and enjoy tinkering with things, this guide is aimed at helping answer some of the questions you might have.

There’s a good review of the Getac S400 on the ruggedpcreview site but note that it’s for the older G1 socket version. There’s also a slight mistake in the description of how the back can be removed (read my notes for a couple of gotchas).

What’s the difference between the S400 and the S400G2?

Essentially it’s a move to a more recent processor generation/architecture, from those using the older Intel Socket G1 to the newer Socket G2.

For example, a G1 model might use an i5-520M CPU, a similarly built G2 an i5-3320M. The more recent processor is better in every way for the same wattage [1] [2].

I want to upgrade my hard disk but the cost for a Getac hard disk is too high.

The official Getac certified hard disk enclosures aren’t really priced at the individual market.

Assuming you don’t care about the warranty, open the hard disk panel on the back of the laptop and take out the caddy. You need to prise apart the two halves of the hard disk carrier by putting pressure on the retaining lugs. Then put in your standard 2.5″ laptop hard disk and reseal it and replace it.

Samsung SSD in the Getac carrier

I’ve tested the 120GB and 250GB Samsung SSD drives with the G2. If you want to use the encryption built into the Samsung SSD drives, go into the BIOS and find the option for the hard disk password. It’s not very well explained by Samsung, but this will apparently encrypt the disk. Existing data won’t be damaged, so there’s something clever going on – I’d like more technical details about how this works, but it was very poorly documented the last time I tried to find details.

What’s the Maximum RAM it can handle?

The official stats say 8GB RAM is the maximum.
For the G2 I used 2x 4GB DDR3 SODIMM (204 pin) 1333MHz PC3 10600 [Amazon link].

Note that the G2 socket processors can address 32GB RAM as opposed to the G1’s 8GB. It might be that (unofficially) the S400 G2 can talk to more than 8GB of RAM, or it might be a limitation of the Getac motherboard, but I don’t have the larger SODIMMs about to test this.

Just take the small panel off on the back and (obviously, with the laptop off) fit the new RAM. If you don’t have 8GB showing in the BIOS when you boot then it’s a seating issue. Turn the laptop back off and remove/reseat the RAM properly.

What’s the fastest Processor it can Handle?

i5-3380M in the socket, about to be locked in place.

The official options for the G2 are the i3-3120M 2.5GHz and the i5-3320M 2.6GHz but an i5-3380M will work.

Limits on laptops are normally down to
* what the physical socket/architecture can support
* what heat the laptop can cope with
* what restrictions the manufacturer has put in the BIOS

The latter is because they might have locked it to only certain specific CPU types to prevent support cases related to people tampering and modifying. Happily this isn’t the case with the Getac G2, at least using the R1.04.070520 BIOS.

“Now, young Jedi, witness the power of this fully armed and operational i5-3380M CPU with Samsung 840 SSD”

Normally, the G2 socket can support the following processors.

  • Core i5-3210M 2.5 3MB/35W
  • Core i5-3230M 2.6 3MB/35W
  • Core i5-3320M 2.6 3MB/35W [Getac option]
  • Core i5-3340M 2.7 3MB/35W
  • Core i5-3360M 2.8 3MB/35W
  • Core i5-3380M 2.9 3MB/35W

Note that they are all 35 Watt maximum power draw (and hence heat output), so there’s no danger of overheating. There’s no i7 option for the G2 socket, so any choice is a two-core CPU, with the fastest processor the socket supports being the i5-3380M. I’ve tested the i5-3380M – it works great with the R1.04.070520 BIOS and I’m typing on a 3380M S400G2 now. Obviously Getac support are going to spit out their coffee and start showing you the door if you take such a laptop in for warranty work.

Use some decent thermal paste. It costs pretty much nothing from eBay.

use the good stuff

I’ve not listed the i3 options as you’re probably upgrading from an i3 so will be looking at the i5 range. The i3 in the Getac is a really great CPU so don’t be in any rush; however the i5 at the same clock speed offers a few improvements that might be of interest depending on the work you do, notably the vPro extensions, AES acceleration and Trusted Execution.

Help! I was tinkering and now the screen lights up but no BIOS shows…

You had the back off and now the screen doesn’t work? This is easy to fix, don’t panic. Grab a cup of tea and here’s how to fix it.

To verify:

  • You turn on the power button
  • Laptop status lights come on, LCD backlight comes on, no text on the screen
  • Connecting a monitor to the SVGA output shows everything fine

Here’s what happened:
When you took the back off, one of two things happened. Either you didn’t loosen the external SVGA connector nuts and tugging on the case made this connector pull on the motherboard, or you didn’t undo the two screws surface-mounted on the back of the case above the SVGA connector and those pulled on the motherboard. Either way, when you lifted the back case off, a small white connector on the back of the motherboard was tugged partially loose. It’s hard to spot but just a matter of pushing it back home again.

To fix it:

  • Take the back cover off
  • Take the CPU heatsink and fan off
  • Don’t undo anything else, just get a torch and look under the motherboard
  • Push the white connector back into place
  • Put everything back
  • Breathe again, it’s all OK.

[Photos: the graphics connector dislodged, then pushed back into place]

My Bluetooth device is being a right pain…

Er, yeah, it might not be the Bluetooth device. If you’re in MS Windows, go to Device Manager and check the Bluetooth driver. If it’s the Windows one from years ago then click to uninstall/remove the Bluetooth device.

Go to the Intel site and download the latest Bluetooth driver, let it install and reboot.

Don’t download the official Getac Bluetooth drivers, they’re a mess (three types of Bluetooth driver, with no explanations) and out of date.

There are only three USB ports on the S400 G2, so I went with a Bluetooth mouse and headset.

Other Upgrades

According to Getac support, your authorised local Getac service centre should be able to upgrade some of the modular features, like 4G, Bluetooth and discrete VGA. When I first asked a Getac reseller in the UK, however, they were not aware this was possible, stating only the RAM could be upgraded after purchase.

GPS / WWLAN / 4G LTE

I haven’t seen it fitted but I believe the GPS, Gobi WWLAN and/or 3G/4G options are handled by one mini PCI-E card. The SIM card fits in next to where the battery is, so I believe the PCI-E minicard fits beneath the protective cover in that corner.

With 4G being released, there are a lot of 3G cards going cheap on eBay, but one problem might be that even if you get one, since you didn’t have the WWLAN option (because if you did you wouldn’t be attempting to fit it), you might not have an antenna available, as I believe the antenna is an option that’s built into the monitor housing. I need to look at this further.

You can of course use an external adaptor via USB but that’s not a challenge worth writing about :o)

Graphics

I don’t know anything about the GeForce GT 730M option at this time. It plugs in next to the CPU but I’m unsure of the heatsink/fan arrangement – I suspect a different combined heatsink is used. I’ll alter this post if I find out details.

I don’t currently know if the board can support any alternatives to the GT730M.

If you are buying an S400 from new, I’d go for the Nvidia graphics option as aftermarket cards appear to be fairly rare and expensive (compared to the PC desktop components market) so it will be harder to upgrade later.

External Display

I wanted another monitor but I wanted it to be light and portable. I went with the Lenovo Thinkvision LT1421 14″ portable monitor which works over USB (just one cable, feeding off the USB port by the power supply) and doesn’t appear to cause any CPU load or cause ghosting effects which are the two main concerns people tend to have with USB monitors. It roughly matches the rectangular outline of the S400 and it comes with a protective case.

Getac Support

Sadly I find the support (as an individual) very hit and miss, which is a shame because I love the hardware. I suspect corporations might have better/dedicated support agents assigned.

Starting with the website, if you compare the Getac S400 G2 downloads page to similar offerings from HP, you’ll notice HP have changelogs describing why a newer driver or bios is available – what’s been fixed and what has changed. With Getac it’s just the file, with no details.

Raising a support ticket, I got a response where it looked like a link had been stripped from the person’s reply, e.g. “please download from . Reply back if there’s any issues.” But the mail came from a noreply@ address and the web interface at the time didn’t have any option for replying on support tickets (I notified their web team so this might be fixed now).

Raising a ticket to ask about the newer bios for the S400 and the differences between the three Bluetooth options, there was no reply.

I’m not sure if Getac support is based in one location. My experiences have included one person who had very good written English, which I suspect was someone in the US (and addressed the query well) but my contact since then has always been in broken English, with at least one signature stating it was from an office in Taiwan.

Did you know…

  • Press function-escape for the pretty keyboard backlight
  • Press the special bulb strikethrough button when you hear Russian helicopters overhead; it turns off the screen and every other light, including hard disk activity lights, power indicator, keyboard backlight and caps lock etc. Press it again to stop panicking that you just crashed the laptop.
  • Don’t forget you can expand with a PCMCIA card or an ExpressCard/54

I want to do some REAL customisation….

For extra engineering work, talk to people like this who add external GPS ports and similar to the Getac range.

2014 plans

Sunday, March 2nd, 2014

It was a risk, but in the end it’s all worked out.

I handed in my notice and spent the Christmas and New Year period applying for security related positions which was what I wanted to move into. I know most people would think it’s crazy to leave one job without having another lined up, but I don’t see it as being clear cut. I knew I had funds for a few months and I’d sorted out a motorbike and laptop in advance for commuting and potential self employment. Note for anyone that tries this – the Christmas period sucks for job hunting, a lot of companies don’t advertise until January but for my situation I was happier making a start. It was the right time.

For non-IT people – previously I’d worked in generalist positions, related to network and system administration, with some web programming thrown in. Although both my previous position and security IT work are in the IT industry, it’s not the case that different branches of the IT industry are similar enough that you can walk from one to another without preparation. My recent self study and qualifications were designed to be this assisting preparation.

Finding the right place

I approached a local penetration testing company – I’d found them by search engine, using certain security related keywords and the local area names. From their website I could see they weren’t advertising for a position but I thought they might be of the right size and specialist enough to be recruiting in future. I used LinkedIn to see what the various staff specialised in, and to look up previous staff members, and used this to tailor which aspects of my training I emphasised in the approach letter. I was careful with the wording as you can’t come across as the sort of person that assumes you know another person’s profession just from reading a book or studying (or you could think that, but I’d hope everyone recognises it’s a troubling and flawed reasoning). I stated I wasn’t a penetration tester, but emphasised that I had transferable skills. I’ve spent years on the other side of things – trying to secure things to negate the type of attacks they’re carrying out – but didn’t know the deeper technicalities or have the experience of performing the attacks.

Interview

I was invited in for a technical interview. I took a taxi as I thought it would look more professional than turning up for an interview carrying a motorbike helmet and clothing. The taxi driver took my map (with the marked destination) spotted the company telephone number and then, before I realised what he was doing, he rang the company direct to get directions – I cringed slightly at the lengthy confused conversation on the phone as I thought if the rest of the workplace was within earshot of the person speaking they would think it was myself when I walked in.

I was asked verbal questions drawn from a senior member’s experience – there were no written questions, the questions weren’t pre-planned and didn’t seem hard for the interviewer to come up with, which I think made it better for both parties. I won’t give specifics, but in general I was asked about things such as certain common programming issues and the security problems inherent in them, and how an attacker might approach or detect certain issues in websites or networks. I wasn’t asked any cliché interview questions. There were no awkward silences of the kind you get when you’ve answered an interview question incorrectly, or attempts at belittlement. When I said I didn’t know an answer, I explained the limits of my knowledge on that subject, which the interviewer appeared fine with.

In the application I’d suggested perhaps I could do a couple of days work as a trial. In the interview this was discussed and I was sent a Non Disclosure Agreement (NDA) covering client names, details of work done and similar.

Trial Day

I’d had a disastrous interview somewhere else where I’d turned up in an expensive suit which matched the interview panel, but then had been introduced to the team, whereupon a scruffy member of the team spent about 5-10 minutes openly sneering at my suit. I didn’t want that to happen at this company so I dressed down for the trial day to match the smart/casual attire I’d noticed the testers wearing in-office on my first visit.

I shadowed one team member first, who turned out to be an ex-marine. He showed me some physical penetration testing equipment he’d built (disguised tools you might leave in a target building) which I thought were fantastic and seemed well executed and then went through the network based attack he was currently performing.

As some background to the industry: A long time ago at a trade stand I’d spoken to a member of a branch of GCHQ (I don’t recall the specifics but in hindsight it might have been a member of CESG as the discussion topic matches the role) who had spoken of the difficulties they had when identifying useful penetration testing companies – the problem with the trade is the presence of companies who can only perform automated sweeps with no greater knowledge than the output reported by their automated tools (I have some horror stories on this for a future blog post). This wasn’t the case with the company I visited, where the penetration testers were hands on, with any tools simply being used as an alternative to speed up certain attacks that they happily demonstrated by hand to explain the theory and execution.

I’m not giving specific technical details due to the NDA but can say it was exciting to see an attack underway, the thought going on, the tool selection, usage and experience based testing. I understood the concepts and the flaws being explored, so I could follow what was being done, but the penetration testers clearly had a lot of experience – problems I’d always thought of as being theoretical or pedantic were actively being turned into exploits.

The team automatically went for lunch together, walking down to the local shop, which you could tell from mannerisms was a routine social behaviour, which I took to be a good sign.

After lunch I then shadowed another member of staff who was performing a social engineering attack on a client. While deploying the attack he was encountering issues with the company’s defences and I understood from my own work what the company had done and was able to assist. I was really excited and wanted to help but didn’t want to be obnoxious and interfering so I tried to tone it down as much as possible. I helped with a Linux command line syntax problem and suggested a minor improvement to the social engineering attack, which the tester decided to implement as a valid idea.

The day went really well, but the company hadn’t been advertising for a penetration tester and couldn’t offer me a position at the time as they didn’t know in January how much work there would be next month (a lot of large companies take a little while to wind up again after the new year and so take time to place orders for new networks or websites to be tested). They asked what salary I was seeking, and I stated I was motivated by the position, so was simply looking for one they felt was fair.

Feedback

A week later I got an email, saying they’d let me know, and that the tester I’d shadowed for the social engineering attack wanted to pass on that it had been successful.

The Wait

I’d applied for more positions at other companies and as time went on I was fearing not just the career damage of an unemployment gap on the resume but also, due to financial liabilities, of potentially having to accept a position being employed somewhere where my heart wasn’t in it. One friend really stuck his neck out, first to suggest a temporary employment possibility and then to continually persuade me to apply for another company he knew to be a good employer despite my accidental best efforts at being unemployable – a public thanks to Dan.

I was a bit conflicted and about to finish arrangements to attend a second interview as a sysadmin with a local company when the phone rang and I was asked if/when I could start as a penetration tester at the company where I’d wanted to work – work had picked up again after the New Year break and there was now lots of work to support an additional position.

What Worked?

I don’t claim to be an expert on job seeking, but it might be that my experience is useful to others.

  • Don’t be afraid to approach companies directly if they aren’t advertising.
  • Talk to your friends about local employers they’ve heard of. I had no idea how many local companies there were tucked away nearby. Some quite famous ones I’d never realised were within a stone’s throw.
  • Do your research to find what they offer to clients and then demonstrate in your cover letter you have at least some knowledge of these areas.
  • Make sure you can financially afford to job hunt – know how long you can survive
  • Suggest something unorthodox like a trial/test day. It’s a chance for you to discover and run like heck if the place is dysfunctional (hopefully that’s rare but it’s a real career threat if you accidentally accept a job at such a place), and a chance for them to answer two of the main questions they need to know the answer to: will you enjoy it here, and will they enjoy working with you?
  • Work on your LinkedIn profile, interview presentation materials, portfolio and resume

What didn’t work

I attended about 4-5 interviews over December-February; it’s important to learn from things that went wrong.

  • Don’t expect anyone to read your portfolio, LinkedIn profile, interview materials and resume (despite the advice in the previous section). If they do it’s a bonus, so you should work hard on it, and there are personal benefits from self development as you work on them, but don’t assume a link on the resume will ever be followed.
  • Don’t assume the interview is just to flesh out more details about the things in your resume. You have to repeat your experience in the interview. It’s a nightmare to realise towards the end of an interview that they haven’t read your resume and you’ve just assumed they know you have knowledge of the areas you’ve mentioned in it.
  • Don’t let it get you down. If an interviewer fixates on your A level results from 18 years ago, if they hate your suit, if they have some slightly crazy view of the world – it’s going to happen in an interview eventually. Do your best not to burn the bridge and afterwards just learn from the experience as character development.

This is almost 2k words – there’s bound to be some errors so drop me a message for corrections. Related: I’m currently offering £2 to charity per correction on my portfolio site.

Portfolio Site Revamp

Monday, February 10th, 2014

A couple of years ago I had a go at building a portfolio website. I also created a couple of small software projects to try and show some public code. It was successful in getting me to think about what I was selling, and holes in my skillset or presentation compared to advertised positions, but the site itself looked a bit dated. I’m currently between employments so revisited the site to modernise it and improve the presentation.

I spent last weekend reworking it and then making corrections over the week. If you’re interested in creating your own and, like me, your primary experience is not web development, then you might be interested in some of the notes below:

Monitored for reachability by site24x7.com

site24x7.com is quite handy in that it alerts you if your site goes down. Although it costs money for commercial use, it’s free for one website (with a starter number of alerts). It constantly checks my site is up (from world locations you can choose) and sends me a mail if my site goes down, which avoids a potential situation of sending out resumes linking to an online portfolio and then discovering it’s been down for days due to a technical problem.

If you pay a little bit you can have a lot of other features such as SSL certificate checking, SLA monitoring, twitter and SMS alerts and similar, however I’m not using HTTPS for my portfolio and don’t need the other extra features at this time.

  • normal link [http://site24x7.com]
  • Referral link (gains me monitoring alert credits if you sign up, but no other benefit)

Static analysis of code

To check the code that creates the site’s HTML, I run the code through a static code analysis program that looks for issues and alerts you to them. For Perl this is perlcritic, but other languages have their own tools. As well as using it in your development, you might want to automate this so that any time you accidentally commit broken code to the site (development or live) it emails you an alert (think: preferably only one alert, and not one every $X minutes the check runs against the webserver’s codebase).

If you’re using a version control system for your code, such as SVN or Git, you can make it run checks each time you commit code.

Run the CSS through CSSlint

I’m familiar with the W3C validator for CSS but hadn’t heard of CSS lint.

The key with CSS Lint is to understand that it’s aimed at massive sites. There’s an online checker at http://csslint.net/ and for a small site I would run your site’s CSS through it but then only fix the issues you recognise to be genuine problems – the other warnings (such as not using CSS ids) are aimed at improving code maintenance in massive sites and can be ignored as not applicable to a small site.

Tidy the HTML

Just for my own site maintenance and readability, I’ve passed a lot of the html templates through htmltidy although some files I’ve avoided where HTML is mixed with a templating language (Template Toolkit).

The full command I used for XHTML wrapped at 80 characters is:
tidy -w80 -indent -omit -asxhtml -xml -modify somepath/sometemplate.tt

Let someone else run a suite of tests for you

Rather than testing each page separately for spelling mistakes, accessibility, search engine optimisation, dead links or XHTML syntax errors I used a trial account for a centralised website tester that performs multiple checks on your site http://trial.sitebeam.net.

I’m about 3/4 of the way through the trial allowance of 10 checks. Currently it’s aimed at large customers but their support say that their service might be about to change to add a smaller/cheap customer category suited for individual site owners.

Run a dev site

If you’re making changes, always do it on the development site. It’s just one more DNS record, an extra folder and a webserver configuration that’s near identical to your live site (just change the site name from “foosite” to “dev-foosite” and the directory files are served from to match).

This way if something breaks there’s no damage to your publicly presented image and no panic to fix it. You can try out different things on different versions of the site. Remember to have your template or code automatically link to the right site when you move pages to live. You don’t want to find links in your live site accidentally pointing to pages on your development site (I see this on some large public sites sometimes). If you don’t know how to do this, at least go with a check that runs every $X minutes/hours to search the live site for links to the development site and alerts you if it finds any. This latter option isn’t as good a solution but it’s better than letting the visitors find the errors.
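As an added example (not code from the original post), here is the kind of check described above in Python: it parses a page’s HTML and reports every link, image, form or OpenGraph meta URL whose host is the development site. The host names foosite.example / dev-foosite.example and the sample page are constructed for the example; point it at your own hosts and fetched pages.

```python
"""Report links on a live page that point at the development site.

Added example, not code from the original post. The host names and the sample
page below are constructed; swap in your own live/dev hosts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

DEV_HOST = "dev-foosite.example"      # hypothetical dev site name

# Attribute names that commonly carry URLs (content covers og:url meta tags).
URL_ATTRS = {"href", "src", "action", "content"}


class LinkCollector(HTMLParser):
    """Collect (tag, url) for every URL-bearing attribute on the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, value))


def points_at_host(url, host):
    """True if url's host is `host` or a subdomain of it.

    The check is anchored on the whole host label, so a look-alike such as
    dev-foosite.example.evil.test does not match.
    """
    parsed_host = urlparse(url).hostname      # handles http://, https:// and //host
    if not parsed_host:
        return False                          # relative link or non-URL attribute text
    return parsed_host == host or parsed_host.endswith("." + host)


def dev_links(html, dev_host=DEV_HOST):
    """Return every (tag, url) pair on the page that points at the dev site."""
    parser = LinkCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.urls if points_at_host(url, dev_host)]


# Constructed sample of a live page where three dev links slipped through.
SAMPLE_LIVE_PAGE = """<html><head>
<meta property="og:url" content="http://dev-foosite.example/about.html">
<meta name="viewport" content="width=device-width">
<link rel="stylesheet" href="/style.css">
</head><body>
<a href="http://foosite.example/cv.html">CV</a>
<a href="//dev-foosite.example/projects.html">Projects</a>
<img src="http://www.dev-foosite.example/img/me.png" alt="me">
<a href="http://dev-foosite.example.evil.test/">look-alike, not the dev host</a>
</body></html>"""


if __name__ == "__main__":
    for tag, url in dev_links(SAMPLE_LIVE_PAGE):
        print(f"dev link in <{tag}>: {url}")
```

Run it from cron over each fetched live page and mail the output when it is non-empty; the scheme-relative and www. cases are the ones a plain string search for the dev name tends to miss or over-report.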

You may or may not want the entire internet to be able to find your development site. For a simple portfolio site I find it easier for the dev site to be accessible, and there shouldn’t be embarrassment from people seeing the information on it. This might not be true for a commercial site of course, especially if it’s a non static site dealing with customer data or shopping carts and billing information since client data might be exposed by a developer error or someone might be able to exploit a mistake.

For a simple portfolio site, I find having the online site checkers be able to check your development site is also handy since it’s preferable to find and fix mistakes on the development site, rather than discover them on your live site when someone might already have seen them. A commercial venture would probably use tools in-house so this wouldn’t be an issue.

Backup

If you put a lot of effort into a site, you don’t want to lose it due to hardware failure, hosting provider mistake or your own accidental command. Make regular backups, and if possible automate the system so you don’t have a laborious manual process that you might end up skipping. Remember, depending on what’s in the backup, to think about how you’ll get that backup off the server and transmitted/stored in a secure manner.

For my site:

  • A fileserver machine at home automatically establishes an encrypted SSH tunnel to the webserver, or re-establishes one if there’s been a connectivity drop. It’s important to do it this way around, since if the webserver had login SSH keys for my fileserver (if my home fileserver had a public IPv6 address and could be reached) then an attacker that gets into the public webserver would have useful avenues of attack against my home fileserver and from there my home network (there are ways to limit the commands the SSH client can run, but it’s good not to tempt fate, in case you’ve made a mistake in configuration or there is a flaw in the software).
  • The webserver later performs an automated rsync of its files against the files already backed up on the fileserver and transmits only what’s changed. Without this intelligent comparison you’d transfer a lot of data every time and might consume your bandwidth allowance, either at your hosting provider or at your backup site (perhaps your domestic broadband in this case, if it has a data cap).
  • You can generally predict how long the rsync will take (e.g. for me it’s a lot less than an hour), so another timed cron job then has the backup fileserver create a single archive file of the entire folder of backed-up files it has stored (a single file similar to a Windows .zip file but without the compression at this point).
  • The date is added to the filename and the backup server (which has little else to do during the day) spends the next few hours compressing the archive file to reduce hard disk space usage and so increase the number of days of backups that can be stored.
  • An automatic housekeeping process removes archives over a given age to stop the disk filling.
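The fileserver-side half of that pipeline, as an added Python example (not the post’s own scripts): a dated uncompressed archive of the rsync mirror, a separate compression pass, and a housekeeping step that deletes archives by the date in their filename and never touches files it did not create. The directory names, the archive naming scheme and the sample mirror contents are constructed for the example.

```python
"""Archive, compress and prune dated backups on the backup fileserver.

Added example, not the post's own scripts. It starts where the rsync ends:
the mirrored folder on the fileserver. Paths and file names are hypothetical.
"""
import datetime as dt
import gzip
import os
import re
import shutil
import tarfile
import tempfile

# Only files matching this pattern are ever deleted by the housekeeping step.
ARCHIVE_RE = re.compile(r"^site-backup-(\d{4}-\d{2}-\d{2})\.tar(\.gz)?$")


def create_archive(mirror_dir, archive_dir, date):
    """Pack the rsync mirror into site-backup-YYYY-MM-DD.tar (no compression yet)."""
    os.makedirs(archive_dir, exist_ok=True)
    path = os.path.join(archive_dir, f"site-backup-{date.isoformat()}.tar")
    with tarfile.open(path, "w") as tar:          # "w" = plain tar, fast to produce
        tar.add(mirror_dir, arcname="site")
    return path


def compress_archive(tar_path):
    """Gzip the archive in a separate, slower pass; drop the plain tar on success."""
    gz_path = tar_path + ".gz"
    with open(tar_path, "rb") as src, gzip.open(gz_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(tar_path)
    return gz_path


def prune_archives(archive_dir, keep_days, today):
    """Delete archives whose filename date is older than keep_days; return their names."""
    cutoff = today - dt.timedelta(days=keep_days)
    removed = []
    for name in sorted(os.listdir(archive_dir)):
        match = ARCHIVE_RE.match(name)
        if not match:
            continue                              # not ours: leave unknown files alone
        if dt.date.fromisoformat(match.group(1)) < cutoff:
            os.remove(os.path.join(archive_dir, name))
            removed.append(name)
    return removed


def archived_members(gz_path):
    """List the regular files inside a compressed archive (a basic restore check)."""
    with tarfile.open(gz_path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def run_demo(base_dir=None):
    """Exercise the pipeline on a constructed mirror and report what happened."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="backup-demo-")
    mirror = os.path.join(base_dir, "mirror")     # stands in for the rsync target
    archives = os.path.join(base_dir, "archives")
    os.makedirs(os.path.join(mirror, "css"))
    with open(os.path.join(mirror, "index.html"), "w") as f:
        f.write("<html>portfolio</html>\n")
    with open(os.path.join(mirror, "css", "style.css"), "w") as f:
        f.write("body { color: #333; }\n")
    # Two backup days, each compressed after the archive step.
    compress_archive(create_archive(mirror, archives, dt.date(2014, 2, 1)))
    newest = compress_archive(create_archive(mirror, archives, dt.date(2014, 3, 9)))
    open(os.path.join(archives, "README.txt"), "w").close()   # unrelated file
    removed = prune_archives(archives, keep_days=30, today=dt.date(2014, 3, 10))
    return {
        "members": archived_members(newest),
        "removed": removed,
        "remaining": sorted(os.listdir(archives)),
    }


if __name__ == "__main__":
    print(run_demo())
```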

If I was taking backups to CD/DVD/Tape or other removable media, I’d encrypt the backup so that if someone finds the CD, they can’t read the contents. I might also encrypt the filesystems and files on my backup server if the data was really important (since a thief could rob my house and take the server), but it’s harder to achieve in a totally automatic manner and in this case the data is only my public portfolio code.

Aren’t backup systems simple?

Use some of the colour/color picking websites

The title is because all CSS uses the American spelling of colour.

There’s various websites that let you put in a colour and automatically give you the range of lighter and darker shades to choose from. This was handy as I used a colour scheme centred around that used for the organisation/logo of my highest qualification and then where I needed to, produced darker and lighter shades of the same colour (to improve readability and so on).

These tools might not be all that advanced, you could write your own, or use the facilities in an art program like GNU Gimp, but some of the sites suggest entire themes and help give you ideas. Some quick hits from a search engine:

Analytics

For visitor analytics I used http://clicky.com. I’ve used Google Analytics in the past but I wanted to move away from Google and the clicky.com interface is simpler. It’s also free for this small scale usage. There’s open source analytics programs that you host yourself, which would be more private, but I wanted to be up and running quickly and didn’t want another package to administer/maintain at this point in time. Maybe later.

Modernising

I’ve added Twitter, Linkedin and Google+ buttons to the site, as well as the new OpenGraph meta tags that sites like Facebook use for rendering a picture of a site when it’s linked.

The code these addons and meta tags use necessitated moving to HTML5 instead of XHTML1.1 strict. I need to test the site over the next couple of weeks in some older Internet Explorer (IE) browsers and get it rendering to an acceptable level in those, since some HR units may be using corporate managed desktops stuck with old browsers. This sometimes happens if large internal corporate web based systems like payroll are using 3rd party software that only runs on old versions of IE.

Get feedback early

I created a table with one axis being the types of people I wanted feedback from (sysadmin, networks, security, human resources, design/typesetting), and then a column for friends and one for contacts, which I then tried to populate with names of people I knew I could probably contact. My thinking was that a sysadmin friend would have the most feedback on the sysadmin section, but perhaps wouldn’t have the same depth of knowledge on another topic. A friend might also give you quite different feedback to that of someone that only knows you briefly, professionally or not at all.

The roles/topics of the people whose opinions you want will depend on your industry, but remember to talk to someone from Human Resources (HR) or a recruiter. For commercial 3rd parties you’ll need to be prepared to pay or offer a donation to charity if approaching them in their spare time.

Role/Topic               3rd party professional     Friend
Designer                 Laurence Llewelyn-Bowen    Sam
Sysadmin                 Richard S.
Cryptography             Bruce S.                   Alice, Bob
Someone who works in HR

I contacted a few people for this first draft and the best response was from a friend who I hadn’t met in some time, has sat on a few recruitment panels and has a similar employment history. This seems to give the right blend of technical knowledge combined with being able to confidently say “look, this bit sucks, I’d change that to be more [...]” without any social awkwardness.

As an example, in this case the feedback included

“The front page has hardly anything on it, throw things at me.” [fixed]
“The navigation is awkward and confusing, just give me one page per topic.” [fixed]
“I’m bored of IT people with nothing but IT in their lives, tell me something about you” [fixed]
“$X and $Y don’t line up! I know it’s little but fix it” [fixed]

Publishing the site on this blog was the next step, and probably next week I’ll contact some more specific people.

Asking for feedback gives you an opportunity to step back and take a break while you wait for the response. I think it’s important to take little breaks and do the development in waves, especially as even a small portfolio might be 2,000+ words of meaningful content that you need to create, check, rewrite and re-scrutinise.

Domain name

I moved the domain name to improve the branding. Just be aware when you do this that search engines may rank the old site higher, as the old domain name has existed for longer. Remember to redirect requests for the old site to the new one in your webserver configuration – don’t just leave the old site up and wonder why people visit your old site by accident, and don’t take it down and wonder why everyone has broken links and thinks your site no longer exists. Redirect oldsite.yourdomain to newsite.yournewdomain. I used an Apache rewrite rule.

So what is the new site?

The new site is at http://portfolio.guyjohnedwards.co.uk/

If you have any feedback, there’s an email address on the front page. Let me know your favourite charity if you’re providing useful war-and-peace volumes of feedback and I’ll make a donation.

Does making a portfolio site actually do anything for your employment chances?

I’d love to say yes but I’ve attended a number of interviews where I’ve realised that my resume hasn’t been read by at least one person on the panel (this happens a lot), let alone any linked sites within it.

It could be that the main value is in the journey rather than the end product. It’s what you learn in developing the site and writing about what you’ve done. In doing so you’re forced to re-evaluate what skills you have and what evidence you can show. You might start thinking about the future and what you wish you could say in a certain section in a year’s time. It might affect what projects you get involved with at work, or how you otherwise guide your development.

Maths Institute – Building Move

Wednesday, August 28th, 2013

Just a short post – I’m now working in a senior post at the Mathematical Institute, University of Oxford. Our main task is moving three old buildings full of academics, students and similar into the new building. I’ve been working quite long hours for this and we’re only two days in so I’ll leave a picture instead:

[image: P1030365]

I took this this evening on my way out of work. My pedometer says I walked roughly 17,450 steps inside the building today, with a lot of crawling under people’s desks and a fair bit of cable patching. I’m going to get some sleep and will start early again tomorrow.

Bank refunds me for 2005 cash withdrawal

Thursday, July 25th, 2013

I received a letter from HSBC who refunded my account after discovering that in 2005 I didn’t receive all the money I’d used at a cashpoint. It’s genuine – my account has been credited. This raises some interesting points like:

  • My cynical side is speechless that banks actually have managers that say “hey, let’s check if we owe our customers money, it’s the ethical thing to do”
  • banks keep cash machine records for a long time. Before you say “Well, duh! They need to keep financial records!”, there are quite a few laws concerning data and they get harder to defend against the longer you keep data

I’m not complaining, I just find it interesting.

Here’s a scan of the first page of the letter, the second page is just a closing paragraph and the HSBC footer so I’ve left it out.

[image: hsbc-refund]

If you work for a bank and know what process/requirement or similar might suddenly have brought this on, drop me a line in the comments.

Nation State Monitoring

Sunday, June 30th, 2013

There’s been lots of news recently about the former NSA contractor Edward Snowden releasing information about the surveillance programs operated by the US and UK governments. Thanks to this recent development I would suggest that for the general population, government monitoring is now known to be taking place, whereas previously it might have been considered by laypersons as the conjecture of IT workers and conspiracy theorists. I’m going to attempt to discuss some of the technical and political aspects of a nation state monitoring program without getting into opinions on current political circumstances.

This article is aimed at people with a little IT knowledge (friends, family) although it’s a little bit of a dry subject area. It’s my job to give these kinds of technical and ethical issues thought and I should be able to communicate the problems in layperson’s terms.

[image: a cat monitoring]

By popular demand, this post will again feature pictures of cats

Why do we have Secret Services?

You’re probably thinking this is a daft question – clearly we have them to fight terrorists and assist in wars? This is one role (it’s actually quite close to the mission statement of MI5) but when talking about the whole collection of secret services a government will have, it might be more accurate to say that governments generally have secret services to protect and improve the country’s financial and political welfare. That’s not a perfect definition but it makes the situation a little clearer. What’s the difference? The difference is that the scope is much wider than you might expect. A basic example would be if you’re a large corporation in a nation, bidding for an overseas contract: there are avenues by which you can ask if there’s any information the government can provide to assist in your bidding.

At this point you’re probably thinking there doesn’t seem to be much of an issue. The ‘bad guys’ being negatively affected by the information gathering are either foreign nations or designated as ‘the enemy’. It all perhaps sounds fairly reasonable if you’re law abiding and you assume the good faith of others, especially as we have to assume other nations are doing the same.

Problems with national monitoring

The problem comes in five main situations:

1. When corporate domestic interests clash with local (or larger) public domestic interests.

For example
* The hydraulic fracturing industry (fracking)
* The wind turbine industry
* The nuclear industry

These industries contain people, and as per any human population of reasonable size – not all will be honest. Groundwater contamination, wind turbines well under the recommended distance from homes and nuclear risk/contamination might be valid concerns for local residents to raise depending on how professional and responsible the implementation has been. Regardless of the behaviour of the industries or the behaviour of the protest groups (on a rising scale of political opposition, civil disobedience, direct action or outright violent military action) the corporations can receive data from the government on the activities of the activists. If an activist is acting legally, and the large corporation is acting illegally, then supplying domestic confidential information to the corporation about the activist takes the monitoring program (on a sliding, non-Boolean scale) from being beneficial to residents of the country to being a hostile tool (and at the extreme end, fascism).

2. When ‘the enemy’ of the nation slowly shifts to become members of the public opposed to the current ruling regime of the nation

…such that the surveillance powers become a tool to maintain power against a democratic desire for change. A clear example would be when demonstrations or internal civilian actions against an oppressive regime take place – in this case the demonstrators would be labelled as ‘freedom fighters’ and the government as an ‘oppressive regime’. The perspective changes however when the terms instead become ‘anti terrorist surveillance’ and ‘domestic terrorists’. Specifically the terminology used normally depends not only on the actions of those involved, but also on who is creating the labels and who emerges as the victor.

3. When data collection points are shared with another country.

Entering into a reciprocal arrangement with another country whereby you monitor their citizens and they monitor yours, and then you share the resulting data, gets around a lot of laws designed to safeguard against domestic surveillance. These laws are typically in place to put barriers in the way of, for instance, a political regime using the data to target supporters of another political party. A corrupt government can change the law of course, but changing or breaking the rule is a warning flag or tool by which to trigger widespread notice of corruption by the government, so it still has value.

A countermeasure to this is preventing or limiting discussion of a breach. In the UK this is done via a Defence Advisory Notice (D-Notice or DA-Notice) to the press, the issuing of which is itself confidential, so in many ways it’s similar to the “super injunction” gagging orders certain celebrities in the UK used to hide affairs, but the DA-Notice is more of a threat of (severe) action rather than an in-effect court based action. At least one site claims to have a copy of a current DA-Notice but due to its nature there isn’t any way to verify the claim and be able to report the result in the press if positive. Again there’s a terminology problem – we’re either defending necessary state secrets from reckless disclosure harmful to the state, or we’re a corrupt regime censoring the media in order to manipulate the population’s opinion, depending on the intent behind the restriction, the country and who is labelling the action.

4. When known false positives are chased up harshly – with the effect of stifling discussion.

This includes obviously over-reactive examples, such as people who stated on Twitter that they were going to destroy (as in party in) the US and dig up Marilyn Monroe (which was a “Family Guy” cartoon quote) being interviewed as terrorists and refused entry to the US. Another person discovered a tracking device on their car (which the FBI turned up to collect) after a friend commented on a news forum that, in his opinion, the airport security measures were poorly thought out: the friend perceived that an explosive device in the airport, where everyone now had to queue up due to the new security measures, was a greater risk than one on a plane. He’d been investigated for 3-6 months due to the friend’s comments.

The end effect of these incidents is an undercurrent of fear – a noticeable number of commentators on online articles warning people that it’s too risky to discuss opinions on monitoring and current political events (on common UK newspaper websites, which would normally be perceived to be legitimate discussion sites in a democratic and free country) because the perception (rightly or wrongly) is that there will be repercussions by the state against them for voicing an unfavorable discussion.

5. When the data is handled recklessly

Such as leaving data on a train, or via a stolen laptop. Now all the intercepted data is in the hands of whoever stole the information.

[image: chickens]

A friend refused to read my blog unless it had “pictures of hot chicks”. Enjoy the photo.

If you’ve done nothing wrong, then you’ve got nothing to hide

This is best treated as a fallacy.

* Even if you assume that governments are trustworthy, people run these systems and in any population of people there is a percentage of corruption in the form of using the data for individual criminal purposes, or to further personal goals. Your financial and personal data can be used in interesting ways against you. The data you accidentally hold about other people can also be unintentionally useful. When banks or large data maintainers (such as Google) have bad employees caught performing illegal acts, I would suggest that it is safe to assume that sometimes these employees are quietly let go (dismissed, perhaps with a gagging order or other agreement) without public notification so as to prevent damage to the public perception of the company (brand).

* A future government of your country, between now and when you die, may hold all your personal data stretching back many years. They may share that data with groups of their choosing (foreign, corporate, criminal). With apologies for skirting close to Godwin’s Law, the most obvious case is the persecution of a section of the population due to their religion for political purposes – the World War II persecution of the Jewish population of Germany, to the extent of euthanisation programs, wasn’t believed by the Allies, due to being too far fetched, until the concentration camps were found. We often think no such action would repeat itself, but the actions of a small group of people in the terrorist attacks on the US World Trade Center caused a growing polarisation against members of the same religion (I could discuss what might appear to be a feedback loop here over the past decade but it’s likely to cross too far into opinion).

* You may be committing a crime by stating something which is not against the law in your country, but is against the law in another country that has surveillance (and potential extradition) abilities in your country. An example would be the NSA-staffed (with an RAF commander) Menwith Hill installation in the UK – the UK and USA have similar legal structures but not identical laws, nor identical political interests.

Is there some test I can perform to detect nation state monitoring?

No, not really (or at least, not without getting yourself into potential trouble).

There was a statement from Nokia when they were initially taken to task for providing Libya with a telecommunications network with the ability to conduct government controlled monitoring. I’m struggling to find it but I believe the quote was along the lines of “all governments require this, you can’t set up a telecommunications network for any country without providing this facility”. I believe the obvious implication was that this was known to be implemented in the reporter’s country as well. You sometimes see occasional stories that hint at this ongoing operation.

Rightly or wrongly, and despite any public statements, for the purposes of computer security you should assume all nations do this. It’s still perfectly legitimate to have concerns about it however. Even if you accept monitoring for the purpose of national defence, it’s legitimate to have concerns about specific parts of the monitoring, including who has access to the data, how long the data is stored for, and what is being collected. The ideal situation is perhaps to have capabilities to detect and therefore intercept terrorist attacks whilst at the same time not allowing for political and corporate misuse. That’s easy to type but the political requirements can be quite difficult to translate into a system. As an example the NSA claim to intercept only data for (or concerning) non-US citizens but that’s a very difficult requirement in terms of analysis of modern internet traffic – for this reason it appears they’ve made some generalisations, such as treating traffic originating from IP ranges abroad as not belonging to US citizens, which, although flawed, is perhaps the best that can be done.

How is it implemented?

In short, if I was given a massive pot of money and had a short time period to set up a monitoring system in a country, it would be broken down into:

* ‘taps’, which essentially take a copy of data sent on an internet service provider’s backbone. These might be housed in the service provider’s buildings or installed via covert means (at extra cost and fragility) without the provider knowing (the example is from the Cold War rather than the domestic sector, and the physical conditions a little extreme, but the technology is the same for the purposes of a tap example). In the NSA case it appears this was done against the local law and via a mechanism where, had the telco refused, there would have been repercussions. It’s not clear what tap points are in place in the UK but it’s believed they might be at the national data exit/entry points.

* local servers – perhaps turning the raw packet data into a summarised form such as netflow – in layperson’s terms “this IP contacted this IP on these ports at this time” – and then perhaps a compressed form for sending to a central location.

* a data centre – to receive and store the data in the long term and to perform computationally intensive processing of the data

* software for interfacing with the data – how do you search through so much data? You have to have a logical interface that everyday operators can use to provide them with data.

* start setting up relationships with mail and social network providers so that we can get access to mail boxes and account information via some form of interface.

How do you defend against it?

With great difficulty. There are a few points to note here:

* You can attempt to defend against corporate and governmental data cataloging of your actions; however, defending against the government of the nation where you live when it has an express and burning interest in you is (I would say) impossible.

* unusual things attract interest. A computer that only sends encrypted mails, out of a local population of 10,000 domestic ISP connections, is conspicuous. I might be able to deduce something from the timing of your mails, as well as who they are sent to (unless the SMTP servers involved are using opportunistic encryption, and even then, are their logs searchable?).

* You can avoid using Internet based services. Google, Microsoft, Facebook and similar have stated they won’t give up information without a warrant. No warrant is needed for non-US citizens however. If IT literate you can run your own services but it’s likely to incur a cost and it mainly protects against routine cataloging of your data – nothing is totally secure from a nation state. As an example it’s nearly always possible to bribe someone when needed, such as the person running your colocation server room or your system administrator (if he/she doesn’t have a price, perhaps the threat of prison for some concocted charge might work).

* You can use applications such as TOR to attempt to disguise your network traffic but you still need to be careful as there are lots of ways to make mistakes that unmask who you are. As a couple of examples: with visibility of your ISP network and the TOR endpoint, your entry traffic can be correlated with the exit traffic (not always possible but a risk…) – a lot of TOR end nodes are thought to be operated by governments, as the cost of the traffic volume and the risk of prosecution for other people’s traffic (such as file sharing) can make operating an end node problematic for an individual – and the traffic still needs to be encrypted as the contents might give away your identity.
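The “local servers” above that turn raw packets into netflow-style records, and the point in this list that the timing and recipients of encrypted mail are still visible, are the same thing seen from two sides: flow metadata. The awk summariser below is an added example (not code from the original post, nor any real collection system); the log lines are constructed for the demo and the record format “timestamp client server port” is an assumption. It is also exactly the view a defender’s own flow collector gives, which is why looking at your own flow records is the quickest way to judge what your traffic reveals without anyone reading a payload.

```shell
# Constructed sample of one-line-per-connection records (not real traffic):
#   <ISO timestamp> <client IP> <server IP> <server port>
sample_log() {
    cat <<'EOF'
2013-06-30T10:01:02 192.0.2.10 198.51.100.25 25
2013-06-30T10:01:05 192.0.2.10 198.51.100.25 25
2013-06-30T10:02:00 192.0.2.11 203.0.113.7 443
2013-06-30T10:03:10 192.0.2.10 198.51.100.25 25
2013-06-30T11:00:00 192.0.2.11 203.0.113.7 443
2013-06-30T11:05:30 192.0.2.10 203.0.113.7 443
EOF
}

# Collapse connection records into one line per (client, server, port):
#   client server port count first_seen last_seen
# No payload is needed for this; it is the "who talked to whom, when"
# view the post describes. ISO timestamps compare correctly as strings.
summarise_flows() {
    awk '
        {
            key = $2 " " $3 " " $4
            count[key]++
            if (!(key in first) || $1 < first[key]) first[key] = $1
            if (!(key in last)  || $1 > last[key])  last[key]  = $1
        }
        END {
            for (k in count) print k, count[k], first[k], last[k]
        }
    ' | sort
}

# Number of distinct flows in the sample.
flow_count() {
    sample_log | summarise_flows | wc -l | tr -d ' '
}

# Connection count for one flow: flow_hits CLIENT SERVER PORT
flow_hits() {
    sample_log | summarise_flows | awk -v c="$1" -v s="$2" -v p="$3" \
        '$1 == c && $2 == s && $3 == p { print $4 }'
}

# Show the summary when run directly.
sample_log | summarise_flows
```

Running it prints three flows; the host that contacted one mail server on port 25 three times inside two minutes stands out from the two HTTPS sessions without a byte of message content being examined. Opportunistic TLS on the mail hop would not change a single line of this output.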

Why would you want to defend against it?

Sometimes society is broken – historically there are some things that should be challenged so that society can change for the better:
* The abolition of slavery
* The right to vote for women
* Equal rights regardless of ethnic background

Remember that the negative case of each of these was bound in law at one point and if the governments had had the data to single out and arrest each activist they would have. That doesn’t of course endorse every political view to have an activist approach but it does show that protesters (and lawbreakers) aren’t always out to damage a country. Following on from this is the subject of whistleblowers, which probably deserves a post all of its own. In short you want people to come forward and tell you about out of control situations but you also don’t want to be able to punish staff giving confidential data to the press in other situations where no greater good had priority and it served only to damage your institution.

[image: cat]

Congratulations, you got to the second cat photo. This one is entitled “The End”

In closing

I have to stop here for today. I try and take a step back and think about the different angles and as stated at the start of my post, it’s part of my job as an IT professional to stay up to date and think about these issues. I’m not advocating any angle, but I think it’s sensible to think about what services you use (such as ‘cloud’ internet based services) and what data you make available deliberately such as via facebook/linkedin or accidentally such as via nation state monitoring (internet traffic, credit card transactions and similar).

Full disk encryption with a twist

Monday, June 3rd, 2013

What’s this about?

Perhaps as a normal user in your job, you deal with job applications, or patient data, or your new product idea, or your company’s client list, or your new product designs from engineering which you show to select customers under an NDA. If your laptop were to get stolen, it might lead to (non-exhaustive list):

  • political embarrassment
  • financial loss to your company
  • identity theft issues for your customers
  • legal fallout
  • loss of your job

You might have a logon password to get into your operating system (Windows Desktop and similar) but this isn’t going to stop someone who can Google for a solution to resetting/rescuing a forgotten administrative/root password (or who just mounts the drive on another system) and can then get in and take a look about at the user data.

It doesn’t have to be theft either – if passing through certain national borders you might end up having an image of your hard drive taken. If we assume (for simplicity) that governments themselves are totally trustworthy we still have to assume that the data will be held securely and only analysed for national security… but the data is being held by multiple people, and you only need one parasitical (corrupt) employee to put your data at risk. An individual’s motivation for wanting your data might be looking for financial data such as credit card details stored in a file (don’t do this), or data that could be used to answer your password recovery questions on banking sites.

[image: hunting_cat]

I’m told I don’t use enough pictures, so this post will feature pictures of cats

What’s the solution?

A solution is disk encryption. This way if the laptop is stolen the confidential data stays encrypted. When the computer boots up you type in a password and that is fed into the process that allows the data on the hard drive to be read. For an attacker, removing the hard drive and putting it in another computer won’t work – without the decryption password as well as the drive you just have a lot of encrypted data.

What other solutions are there?

You could pay someone to constantly stand over your laptop and physically remove anyone that comes near. For border crossings a diplomatic status, armed guard and being from a large aggressive military orientated country would probably keep the data safe. It’s a bit expensive though and do you trust your guard? Maybe he’s a spy…

Ok, lets use disk encryption. Are there any problems with disk encryption?

I notice you didn’t say ‘full’… sometimes software will be used on the hard drive that first boots up a kernel from a small partition on the hard disk, then asks for the password and uses that to decrypt the second (much larger) encrypted partition. One problem with this approach is that I could work out what software you’re using, work out an attack in private, and then the next time your laptop is unattended I can modify that unencrypted partition to boot up a slightly altered kernel. With the right approach you won’t be able to trust your device any longer and the attacker will be able to use your system at will.

Ok, full disk encryption. No unencrypted stuff. Beat that.

So you’ve been given some full disk encryption product and it has a suitably massive number for how many years it’s expected that all the world’s computers combined would take to decrypt your disk. There are still some issues. The main one is social.

When you go through some hostile border and they demand that you boot up your laptop, the first thing they will see is a password prompt. If you’re lucky you’ll just get a demand that you type it in. If you’re unlucky they’ll ask for the password so they can record it with the disk image. You can stamp your feet and refuse but things are only going downhill from here on – you might lose the laptop, be promptly deported or detained for national security reasons.

Or if you have financially valuable engineering data on your laptop, perhaps you’ll get the xkcd scenario, and be beaten until you give up the password. How many fingers do you have?

Well this all sucks

OK wait. Imagine someone demands to see what’s on your laptop, it boots up into MS Windows, they see that you have a few (rather dull) mp3s, a browser history of some dull sites and not much else. They see you have a USB stick on you, they ask to see what’s on it. You plug it in and there’s just some more boring mp3s. They get bored and wave you off.

Later on in private you put the usb stick in to the same machine, reboot and up comes a different operating system, which asks for a disk encryption password, and then decrypts a different operating system from a hidden (to the casual eye) encrypted area of the hard drive.

That sounds fun

Yes, the problem is that despite whatever you know about computers you now need to sit through a bunch of graphical installers, trying to convince them to do something complicated when they’ve spent the past 10-15 years making the install process hide as much complexity as possible from the user. What you need is a technical blog written by someone who went through the pain for you.

Technical

Our success criteria:

  • If untouched, the computer boots into [a sacrificial] MS Windows without any boot menus or similar having been shown during the bootup process
  • If plugged in to a Windows based machine, the USB stick you carry will show as ‘normal’ (some mp3 files etc)
  • If an image of the hard drive is taken, the data remains confidential
  • Stealing the USB stick and computer is not sufficient to get access to the real data
  • If the hard drive is tampered with (data altered) your data is either unaffected or the entire system is destroyed – you can trust the integrity of your device

There are limits to this but it’ll protect you in most scenarios. You have to upset some persistent people for it to come apart.

Solution Outline

  • Put windows on the laptop, then install Linux to a second partition, with the partition encrypted and the /boot partition on the second partition of the usb stick
  • Carry a usb stick with you, on a keyring or similar. The first partition is fat/vfat which windows can read, the second partition is /boot for Linux. The Grub bootloader is installed to the USB stick’s Master Boot Record.
  • For extra security, you could use a hardware encrypted USB stick that has a built in keypad

Gotchas

  • You must put the FAT (windows viewable) partition on the first partition of your USB stick
  • You must put the bootloader onto the usb stick despite anything the installer does to try and persuade you not to
  • The USB bus resets a lot of times in an install, causing issues if using a hardware encrypted usb stick as it will disconnect and demand the password, and the install process might choose that moment to get upset and die because the drive didn’t return in time. Hence use a normal usb stick for the install, then ‘dd’ the image to your hardware encrypted usb stick later (and securely wipe the original after confirming the copy works).
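For the last gotcha (‘dd’ the image to the hardware encrypted stick, confirm the copy, then wipe the original) the script below is an added example, not from the post, that does the three steps in that order and refuses to wipe unless the byte-for-byte comparison succeeds. Device paths are placeholders; it works on ordinary files too, which is how the demo data exercises it, so try it on files before pointing it at /dev/sdX.

```shell
# device_size PATH - size in bytes; uses blockdev for real block devices
# (Linux) and falls back to wc for regular files used in testing.
device_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# clone_device SRC DST - raw copy, then flush so the compare reads what is
# really on the destination.
clone_device() {
    dd if="$1" of="$2" bs=4k 2>/dev/null && sync
}

# verify_clone SRC DST - compare the first SRC-length bytes of DST with SRC.
# The destination stick may be larger than the original; the tail is
# irrelevant.
verify_clone() {
    size=$(device_size "$1")
    head -c "$size" "$2" | cmp -s "$1" -
}

# wipe_device DEV - overwrite with random data and then zeros. On flash
# media this is best-effort (wear levelling may keep old blocks), so use the
# device's own secure-erase as well where one exists.
wipe_device() {
    size=$(device_size "$1")
    blocks=$(( (size + 4095) / 4096 ))
    dd if=/dev/urandom of="$1" bs=4k count="$blocks" conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$1" bs=4k count="$blocks" conv=notrunc 2>/dev/null
    sync
}

# migrate_stick SRC DST - clone, verify, and only then wipe SRC.
# Placeholders: SRC=/dev/sdb (plain stick used for the install),
# DST=/dev/sdc (unlocked hardware encrypted stick).
migrate_stick() {
    clone_device "$1" "$2"
    if verify_clone "$1" "$2"; then
        wipe_device "$1"
        echo "copy verified; original wiped"
    else
        echo "copy does NOT match; original left intact" >&2
        return 1
    fi
}
```

Make sure the hardware encrypted stick is unlocked (keypad entered) and stays unlocked for the whole copy; if it resets mid-write, the verify step is what saves you from wiping the only good copy.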

Limitations

  • Don’t write a blog post about implementing it, otherwise they’ll know it’s there and you’re vulnerable to physical duress again[1]
  • Don’t use a uselessly weak password. There’s no point using 256 bit disk encryption if your password for unlocking it is ‘password’  (and no, ‘s3cur1ty’ isn’t a good password).
  • Anyone who’s above average with computers will spot the secondary partitions if they investigate either the laptop or USB stick in a partition manager[2]
  • If you make backups of the drive in its encrypted form, don’t forget the password or you’ll be locked out forever
  • If you make backups of the laptop when the drive is decrypted, then remember your data is vulnerable wherever the backup data is stored.
  • It might be possible to social engineer you into using a keylogger device (“hey, that laptop keyboard looks small, want to use my spare USB desktop one?”)
  • If you don’t keep your system patched and secure, you might just get it compromised when it’s turned on like any other machine
  • If using a hardware encrypted USB device, note that various nation states might have required a backdoor from the manufacturer
  • If the laptop is unattended, a well funded attacker might just lift out the laptop keyboard, put some form of small broadcasting hardware between the keyboard and the keyboard connector and then refit it, then wait to sniff the keystrokes that decrypt the hard drive. That’s out of the realms of normal attackers but within reach of state-sponsored espionage.

[1] In all seriousness, this is a trade off. I like to share helpful information, my fleshy biological internal risk analysis thinks I’m low risk of (for instance) physical duress but I find it fun to work out how to do things like this.

[2] Forensic examination will have no problem determining that there’s partitions there, and if you’re involved in a court process you’ll probably be asked to give up your encryption keys. You can refuse which in the UK will get you 2-5 years in prison. The best way to avoid going to prison is to not break the law (not a perfect guarantee).

Full Howto

I’m using OpenSUSE 12.3 in this guide but the general principle is the same for pretty much all Linux distros.

Install MS Windows, but during installation don’t use the entire hard disk, instead leave some space (which will be used by Linux). E.g. you could split a 120G drive into 60G/60G.

Now we’ll install Linux. If you get it wrong and accidentally install grub (laypersons: a common bootloader used by Linux) onto your main drive, do not panic. Boot up your Windows install/repair disk, select the command prompt option, then type

bootrec /fixmbr
bootrec /fixboot

this will remove the Linux bootloader and you can then try installing Linux again (and windows boot will return to normal).

So during the Linux installation, when it comes to partitioning your hard disk space, select the free space not used by windows and select to create a partition. In OpenSuse 12.3 I used the following steps

  • click on free space
  • select ‘add a partition’
  • select ‘do not format’
  • select ‘LVM partition type’
  • select ‘encrypt device’.
  • enter the password when prompted that you want to type in when the laptop tries to boot into Linux

It will now have created what’s probably (depending on the Linux distribution) an AES 256 encrypted drive. If you’ve an Atom processor there’s some suggestion that you may have faster disk access times if you’re able to select the Blowfish encryption method instead, but I don’t think this is possible in OpenSUSE (using a command prompt to look at the installer’s supported encryption types) and there may have been some improvements in implementation. If I was doing this on 250 corporate laptops and had the option in the distribution I was using then I’d probably do some benchmarking.

But currently it’s just a big encrypted space, we need something useful on it.

  • Now go to LVM volume management, select to add a new volumegroup
  • select the physical partition to add to the LVM physical group (use the one you encrypted)
  • enter a name, then click on finish
  • now add logical volumes (such as a swap, root and home area)

Some people might suggest not adding a swap partition – my advice would be that you might not need it but it’s going to be a nightmare to add it later on so add one now to play it safe.

It’s optional but you might want to change the mount options to add noatime (this means don’t record file access times, it’s not normally useful and slows everything down) and to remove support for extended file attributes (ACLs) if you won’t be using them.

I used ext4 as the file system as btrfs is a bit new and gave me some unexplained errors during one of the trial installs on the device I was using (I forget which distribution I was trying at the time – I tried a few while looking into the disk encryption) which made me nervous about the implementation – I like my filesystems to be error free since I want my data uncorrupted.

[image: windows-usb-partitioning]

For removable media, selecting to format the second partition will format the first partition. You made a backup right? Right?

  • Having partitioned the main drive, select the usb stick.
  • Put a vfat partition at the start of the disk, then use the last space on the disk for the /boot partition (200MB-500MB) – you must get the order right (see following notes)

Important: you might be tempted to make the usb stick have a /boot partition at the start and a vfat partition for windows use in the remaining space. Don’t do this. If you do it this way around firstly windows will ask if you want to format the disk every time the usb stick is plugged in, and secondly attempting to format the secondary vfat partition in MS Windows partition manager will cause it to format the first partition. So in short you won’t be able to use the usb device in Windows and you’ll fail the requirement of the USB stick appearing normal when plugged in.

This is due to Windows behavior with drives that have the Removable Media Bit (RMB) set (only one partition allowed, and some other behavioral changes), which is normally set in the USB device controller chip, and usually only alterable using a special program from the device manufacturer.

[image: The Microsoft RMB policy decision maker]

  • click finish
  • you’ll be asked to add a user, and then you’ll get the install summary screen. HALT! stop at the summary screen as there is something we need to do

Take a look at the Bootloader section very carefully on the install summary screen. Notice that the installer is going to install grub to the main hard disk (e.g. /dev/sda) but we want it on the usb stick, (e.g. /dev/sdb).

So if we click accept now it will be a disaster. If it goes on the hard drive then grub (bootloader menu) will be loaded on boot and it will get upset when the usb stick isn’t present and we won’t be able to boot windows either.

So to fix this

  • click on Booting
  • select ‘boot loader installation details’
  • in the list of drives, move the secondary drive (usb stick) to be top of the list using the arrow buttons

I then used ‘boot loader options’ to set the active flag for the /boot partition but I think you only use that if you install grub to the boot partition itself, and I used the MBR instead. Now proceed with the Linux install.

If you have a hardware encrypted usb stick and you followed my earlier advice and installed to a normal usb stick, you can then image to your encrypted usb stick

# check the device names are right, then double check
# if = input file (the stick you installed to), of = output file (the encrypted stick to clone onto)
dd if=/dev/sdb of=/dev/sdc

Although an encrypted usb drive has better data integrity/confidentiality, a small usb stick might be better in use as it’s discreet and easier to carry on yourself at all times. Although I don’t like promoting security through obscurity, a smaller device also won’t look out of place, whereas having a (in comparison) gigantic usb encryption keypad sticking out of your laptop might pique interest. You can always take the stick out after boot of course (add the ‘nofail’ option to the /boot mount point in fstab to make Linux cope with that situation better).

Testing

Test | Expected result | If it fails…
Laptop boots without USB stick | Laptop boots into Windows without any bootloader evident | If grub loads you installed grub to the main drive’s MBR by mistake
Laptop boots with USB stick | Laptop loads grub boot loader and attempts to boot Linux | If this fails you’ve probably made a mistake with grub
Linux needs a drive decryption password to boot | On boot, Linux halts and asks for a decryption password | If it boots without a password then you forgot to create an encrypted drive
USB stick appears normal in Windows | Plugging in the stick, it’s visible as a normal USB drive | If it asks to format it, you’ve got the partitions the wrong way around – fat/vfat has to be the first partition
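Most of this table can be checked from a running Linux without rebooting. The script below is an added example, not part of the original guide: it reads the first sector of a drive and the fstab, and reports which disk grub ended up on, whether the stick’s first partition is the FAT one Windows expects (the partition-order rule from the usb stick notes), and whether /boot carries nofail. Run as root against /dev/sda and /dev/sdb it works on real devices; the images it builds are constructed samples so it also runs offline. The “GRUB” test relies on the marker string grub’s stage-1 boot code carries in the MBR; the samples place that string at an arbitrary offset, which is fine because the whole 440-byte boot code area is searched.

```shell
#!/bin/sh
# Added example (not from the original guide): offline sanity checks for the
# partition-order rule and the "Testing" table. Each check accepts a block
# device (/dev/sda, /dev/sdb as root) or a raw copy of its first sector; the
# sample images built below are constructed so nothing real is touched.
set -eu

# Exit 0 if the MBR boot code (first 440 bytes, before the disk signature and
# partition table) contains the "GRUB" marker grub's stage-1 code carries.
# Against /dev/sda this answers "did grub land on the main drive by mistake?";
# against the stick it confirms grub is there.
mbr_has_grub() {
    dd if="$1" bs=440 count=1 2>/dev/null | grep -a -q 'GRUB'
}

# Print the partition-type byte of the first MBR entry (offset 446 + 4).
# 0b/0c = FAT32, 83 = Linux. The guide requires the vfat partition first.
first_partition_type() {
    od -An -tx1 -j450 -N1 "$1" | tr -d ' \n'
}

# Exit 0 if fstab mounts /boot with the nofail option (4th field).
fstab_boot_has_nofail() {
    awk '$2 == "/boot" && $4 ~ /(^|,)nofail(,|$)/ { found = 1 }
         END { exit !found }' "$1"
}

# --- constructed samples ---------------------------------------------------
# Write a 512-byte sector: $2 is a string dropped into the boot-code area,
# $3 is the decimal type byte for the first partition entry.
make_sector() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '%s' "$2" | dd of="$1" bs=1 seek=3 conv=notrunc 2>/dev/null
    printf "\\$(printf '%03o' "$3")" | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55AA signature
}

build_samples() {   # $1 = directory to fill
    make_sector "$1/usb.img"   'GRUB Geom Hard Disk Read Error' 12    # stick done right
    make_sector "$1/win.img"   'Invalid partition table'         12    # untouched Windows MBR
    make_sector "$1/wrong.img" 'GRUB Geom Hard Disk Read Error' 131   # /boot put first
    cat > "$1/fstab" <<'EOF'
/dev/mapper/system-root /      ext4  defaults,noatime  1 1
/dev/sdb2               /boot  ext4  defaults,nofail   1 2
EOF
}

# One verdict per check, in the order of the Testing table.
report() {   # $1 = directory holding the samples (or substitute real devices)
    if mbr_has_grub "$1/win.img"; then
        echo "main drive: grub found in MBR - it was installed to the wrong disk"
    else
        echo "main drive: no grub in MBR - Windows will boot without a menu"
    fi
    mbr_has_grub "$1/usb.img" && echo "usb stick: grub present in MBR"
    case "$(first_partition_type "$1/usb.img")" in
        0b|0c) echo "usb stick: first partition is FAT, Windows will mount it" ;;
        *)     echo "usb stick: first partition is not FAT - Windows will ask to format" ;;
    esac
    fstab_boot_has_nofail "$1/fstab" && echo "fstab: /boot has nofail, stick can be removed after boot"
}

TMP=$(mktemp -d)
build_samples "$TMP"
report "$TMP"
rm -rf "$TMP"
```

To use it on the real machine, call the three check functions with /dev/sda, /dev/sdb and /etc/fstab instead of the sample files; reading one sector needs root but writes nothing.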
[image: hidden_cat]

Congratulations, you made it through the wall of text. This second cat picture is your reward.

Conclusion

Some modern devices come with features such as the ability to encrypt the hard drive via (in simplified terms) the computer’s BIOS, which loads before the operating system. This means the attacker needs the password to decrypt the disk. The problem is that it’s very obvious as soon as the computer boots up that a password is needed (“please enter the password”), and depending on the circumstance whoever took the laptop from you might be physically aggressive.

So instead, don’t have Linux as the sole operating system. Have the device boot into MS Windows by default. You could still have a hardware implemented password required (a bios boot password), but under duress you can give it up and the attackers will boot the machine, which will yield the Windows system. In a similar fashion, we want our USB stick to appear boring and uninteresting. It should behave normally when plugged into an everyday computer.

Some people say that you only need to encrypt your /home partition in Linux – where your user files are. The problem with this is that you really want to ensure you can trust the integrity of the computer kernel before you type in your disk encryption passwords. If the kernel in /boot has been modified the attacker can get logs of everything you do in the operating system, they can open backdoors, they can operate invisibly as root.

So with the above described technique your /boot will be on a usb stick which you carry with you. Your data is on your laptop, and you can leave the laptop behind and still trust it on your return (within sane levels of paranoia – if you are a state funded secret agent, please consult your local security officer for further notes). You need to have a backup of your boot usb stick (otherwise it will be awkward to recover your system), and ideally that backup needs to be encrypted.

dd if=/dev/sdb of=my-bootdisk-backup.dd
xz --compress my-bootdisk-backup.dd
gpg -c my-bootdisk-backup.dd.xz
# now copy it somewhere safe/off your computer
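As an added example (not the author’s own commands), here are the three steps above wrapped into a function, plus the step the guide does not show: restoring the backup into a scratch file and comparing checksums, so you know the stick can actually be rebuilt before you need it. gpg is run unattended with --batch and --pinentry-mode loopback, reading the passphrase from a mode-600 file rather than the command line. The 1 MiB “stick” image, device paths and passphrase used by the demo are constructed.

```shell
#!/bin/sh
# Added example, not the guide's own commands: back up the boot stick as the
# guide describes (dd -> xz -> gpg -c) and then prove the result restores
# byte-for-byte. The passphrase comes from a file rather than the command
# line, so it does not end up in shell history or `ps` output.
set -eu

# backup_boot_stick DEVICE OUT_PREFIX PASSFILE
# Leaves OUT_PREFIX.dd.xz.gpg and OUT_PREFIX.sha256 (checksum of the raw
# image, taken before compression); plaintext intermediates are removed.
backup_boot_stick() {
    dev=$1; out=$2; passfile=$3
    dd if="$dev" of="$out.dd" bs=4M 2>/dev/null
    sha256sum "$out.dd" | awk '{ print $1 }' > "$out.sha256"
    xz --compress --force "$out.dd"                 # replaces $out.dd with $out.dd.xz
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --output "$out.dd.xz.gpg" "$out.dd.xz"
    rm -f "$out.dd.xz"                              # only the encrypted copy stays on disk
}

# verify_boot_backup OUT_PREFIX PASSFILE
# Decrypts and decompresses into a scratch file, compares its SHA-256 with
# the stored one and exits 0 only on a byte-for-byte match.
verify_boot_backup() {
    out=$1; passfile=$2
    restored=$(mktemp)
    if ! gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
            --decrypt "$out.dd.xz.gpg" | xz --decompress > "$restored"; then
        rm -f "$restored"
        return 1
    fi
    got=$(sha256sum "$restored" | awk '{ print $1 }')
    rm -f "$restored"
    [ "$got" = "$(cat "$out.sha256")" ]
}

# Demo on a constructed 1 MiB "stick" image in a scratch directory. A private
# GNUPGHOME keeps the demo away from your real keyring; drop that line when
# running against a real /dev/sdb.
demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    dd if=/dev/zero of="$work/stick.img" bs=1024 count=1024 2>/dev/null
    printf 'constructed /boot contents' | dd of="$work/stick.img" bs=1 seek=512 conv=notrunc 2>/dev/null
    (umask 077; printf 'example passphrase, not for real use\n' > "$work/pass")
    backup_boot_stick "$work/stick.img" "$work/my-bootdisk-backup" "$work/pass"
    if verify_boot_backup "$work/my-bootdisk-backup" "$work/pass"; then
        echo "verified: my-bootdisk-backup.dd.xz.gpg restores to the original image"
    else
        echo "backup FAILED verification - do not rely on it" >&2
    fi
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1 && command -v xz >/dev/null 2>&1; then
    demo
else
    echo "gpg and xz are required" >&2
fi
```

Keep the .sha256 file next to the .gpg file; it reveals nothing about the contents and lets you re-run verify_boot_backup after copying the backup elsewhere, which is the copy that actually matters.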

So this isn’t a golden solution to every security problem, but it might help you setup one trusted device that you can always depend on.

Visit to ECMWF

Friday, April 12th, 2013

There was good news and bad news this week.

The bad news was that I won’t receive any funding support for the CISSP exam/course that I did which covered networks and telecoms, datacentre security, disaster recovery, software development and similar.

The good news was that yesterday I passed the smaller Comptia Security+ exam, which cuts a year off the endorsement time period required for the CISSP. It’s only a minor achievement in light of the larger CISSP exam being a superset of the Security+ exam’s content (although it’s from a different vendor). A friend summed it up in a text message as “well done. It would have been HILARIOUS if a CISSP failed the Security+”.

Today I followed up on an invite to visit ECMWF, which is essentially a well funded EU wide organisation with a ~300 person branch facility in Reading, using supercomputing facilities for medium range weather forecasts.

[image: ecmwc_room]

The server rooms are restricted photography areas but the watercooled supercomputers are quite impressive in terms of heavy machined piping and reinforced floor to handle the weight. The operations monitoring room (again, photography restricted) looks like a miniature version of the military nuclear control facility in the 1980s movie ‘Wargames’. The photograph below is from the public video wall near the reception.

[image: video_wall]

There’s obviously a lot of funding going on – there’s two datacentres of duplicated infrastructure equipment, large individual offices for staff (although office sharing is now coming in) but there’s also some tactful funding decisions evident such as not specifying the most expensive switch vendors for edge switches.

In the networking and security section I met my old work colleague, Oliver, and his co-worker Ahmed who is a CISSP and we had food at the local pub.

[image: office_room]

I enjoyed talking to Ahmed about his life experiences as he’d emigrated to the UK and I was interested in hearing what it had been like as I’d similar concerns about a potential move abroad. He’d also taken the CISSP for similar reasons to myself so it was easy to relate to his work experiences. Oliver was doing well and it was interesting to see what new technologies he’d been looking at as ECMWF appears to use quite a range of vendors. They’ve made different key choices about key business software (Zimbra based rather than MS Exchange for mail) and also have a quite different network architecture. I’m not going to go into depth on what the setup is as it’s not my network and the culture on openness might be slightly different – we tend to openly publicise network design/service setup at the university more than non-educational institutions would (if someone wants to argue that this is good or bad I could probably write a whole article on the ethics and reasoning either way and what I’d choose in each situation).

Passed the exam

Wednesday, April 3rd, 2013

In case anyone is wondering, I passed the exam in the previous post. I finished in 3 hours 15 minutes which is a bit too fast – I think three people finished before me and I don’t think they passed – I only saw one of them and he was quite glum/stern looking after picking up his results so I left him alone and didn’t ask. The instructor had warned us that most people that finish earlier than 3 hours don’t pass so I did try to take my time to read the questions and to apply structure to answering the questions (for instance, is this a confidentiality, integrity, reliability or trivia question?) I took breaks roughly every 40-50 minutes. I found it pretty hard to concentrate for that long. I tried to use visualisation techniques to help concentrate – whenever I found myself daydreaming about a scenario that the exam question reminded me of, I imagined a box and put the thought in it to be opened after the exam. There were two questions out of 250 that I didn’t recognise as being from the ten domains, otherwise I was generally happy. I was pretty tense as I waited to collect the result, it was a big relief when I was handed it with a murmur of “congratulations”.

I had self funded the course as I had thought our training budget was used up (I had heard it was 19k split between 29 people) but this seems to be incorrect – with the merger of three IT related units at the university our requests for training funding are being handled differently and I’ve heard that at least two people are attending overseas conferences. Hence I’ve put in for retrospective partial funding for the course.

What next?

I’ve booked the Security+ exam for 11th April, which might seem odd having taken the CISSP which could be seen as a superset of the Security+ exam, but the CISSP endorsement process is going to take about 6 weeks, whereas the Security+ result is immediate and can be used as part of the CISSP endorsement process to prove you have the required experience. It’s a different vendor’s exam and smaller/cheaper. I’m currently scoring in the 85% area, I hope to have it up higher by the actual exam.

After that I’ll work on the LPI201 and LPI 202 exams which make up the Linux Professional Institute LPIC-2 qualification. There was a special offer on for existing LPIC-1 certified candidates to receive exam vouchers with a practise exam which I took so I’ve the vouchers to use before the end of the year.

If I get the training costs partially or fully refunded for the CISSP course then I’ll probably spend part of the money on a small development network built from Raspberry Pi computers which I can then use for revision – they cost about £35 each and are about the size of an old audio cassette, and consume about 4-15 watts with no moving parts so they’re girlfriend friendly – you can have an entire network server infrastructure in a carry case without the house being full of whirring noises and without breaking the bank.

What are you aiming for?

Career wise there’s four main paths that I see

The Cisco skills are something I’ve beaten myself up over far too much – essentially I’ve worked with other people who are highly talented in the area but I feel I’ve neglected areas I’m strong in (system administration, general security) whilst trying to pursue areas I’m weak in (Cisco topics over CCENT level). I’ve felt quite frustrated with my progress when perhaps what I should have done is avoided the topic and worked on my core skills first to avoid the constant confidence knock. I need to give it another go but take it slow and methodically, mixing it in with personal development in the other areas.

All this talk of computer certifications is boring!

I will make the next post not about computer certifications, I promise.


Day before exam

Saturday, March 23rd, 2013

For the last week I’ve been on a training course for the CISSP, and I revised by self-study beforehand. The exam is tomorrow and I’ve been doing my last bits of revision, going over weaker areas.

I’m not going to stay up late or stress myself doing last minute cramming so will stop now – it’s a long exam and it’s best to be as calm as possible, I’ll be in bed early tonight.

I hit about 81.6% on the half size (125 questions) mock yesterday, when reviewing I can see I dropped 5 questions simply by rushing, 13 were mistakes I needed to brush up on. Today when we were going back over areas, the instructor reminded the class not to rush, staring straight at me to remind me. The statistics show that most candidates that leave before 3 hours is up, fail. For a slightly odd reason, one person has to take the test today (they can’t move the appointment). At the time of writing they’ve been in there answering questions for 4.5 hours. I didn’t want to hang around outside for them to finish, just in case it was bad news.

The course has had a lot of people from different backgrounds. There’s a large mobile network/telecoms provider’s security team here, lots of Ministry of Defence IT security army members, one person from a large financial firm’s security team and a member of Interpol. I’m not top of the class (I believe someone is hitting 90%) and I haven’t been as obnoxious as to demand everyone’s scores but I think I might be somewhere in the top. I feel some empathy for the people without networking backgrounds as I can see how things like the network OSI model might be difficult to grasp if you haven’t studied it before or applied it in troubleshooting and planning.

Everyone has been quite friendly, I hope we meet up again. The bar is about to open so I’m going to have one drink with my fellow coursemates (not more than that) and then it’s our last evening meal.

If I pass tomorrow the score won’t be given – only failing results in a points out of 1000 message, and even then it’s not broken down by domain. I think everyone’s in the mood that we’re ready for the exam right now, and we just want to take it to get the moment of truth out of the way, but we have to wait for the booked slot tomorrow.

We’ve had a snowfall, there’s a layer of snow over everything and it’s still coming down in a light fashion, everything’s pretty peaceful outside.