I really don’t like the trend of filesystem authors to only care about filesystem integrity by default. How about having seat belt for your data integrity by default and let people turn it off if they want to compromise correctness for performance?
What I didn’t know is that ReFS integrity is not on by default. Only metadata integrity.
It’s also not visible or changeable in the UI (which is why I assumed they’d done the right thing), which is strange to me, this being Windows. No, you have to drop down into Microsoft’s crappy CLI.
PS E:\> Get-Item '*' | Get-FileIntegrity
FileName Enabled Enforced
-------- ------- --------
E:\SomeDirectory False True
E:\SomeOtherDirectory False True
E:\SomeFile.txt False True
[...]
Fuck you, Microsoft.
Of course Get-Item
doesn’t do recursion. Why would it? That would
make sense.
PS E:\> Get-Children -Recurse 'E:\SomeDirectory' | Get-FileIntegrity
FileName Enabled Enforced
-------- ------- --------
E:\SomeDirectory\foo.txt False True
[...]
Both commands are needed. The first command sets the new default for the root directory, and the second adds checksums to all existing files and directories.
PS E:\> Continue reading
Two interesting things I saw when listening to the output from my microwave:
Separate measurement some rooms away.
# Edit usrp_spectrum_sense.py so that it prints time.time() instead of datetime.now()
./usrp_spectrum_sense.py --dwell-delay=0.1 -A RX2 -s 8000000 --real-time 2.4e9 2.5e9 > near-microwave.txt
# Edit near-microwave to remove the stupid verbose messages from the top.
cat > microwave.plot << EOF
set view map
set size ratio .9
set object 1 rect from graph 0, graph 0 to graph 1, graph 1 back
set object 1 rect fc rgb "black" fillstyle solid 1.0
set xlabel 'Time in seconds'
set ylabel 'Frequency'
set zlabel 'dB'
set terminal epslatex color
set output "near-microwave.eps"
splot 'near-microwave.txt' using ($1-1496693552.11):((($5/1000-2400000)/1000)):4 with points pointtype 5 pointsize 3 palette linewidth 30 title 'Signal'
EOF
gnuplot microwave.plot
convert near-microwave.{eps,png}
I can’t have GNUPlot output PNG directly because it hangs.
The magic value 1496693552.11
is the first timestamp in the file.
Something I’ve been playing with lately is software defined radio with GNURadio. I’m not good at it yet, but I’ve managed to decode the signals from a couple of things.
This is my step-by-step for how I decoded data from a boiler thermostat. I’m not saying it’s the best way, or even a good way. But it’s what got me there.
Often this is written on the device itself. Other times it’s in the manual. If not, then more research is needed, such as by trying to find the manufacturer on fcc.gov or similar.
In this case it was easy. The manual said “868 MHz”, which is in the SRD860 band.
When I poked at the controls of the thermostat, saying “please make the room 25 degrees”, the thermostat must send this data to the boiler. I could hear the boiler start up and shut down, so there must be something sent between me pressing the buttons and I heard the results.
I started by centering around 868.5 Mhz with 1Msps. The minimum for the RTL-SDR is 900ksps, so even if you wanted to see less than 1MHz you need Continue reading
Let’s say you have some TCP connections to your local system that you
want to kill. You could kill the process that handles the connection,
but that may also kill other connections, so that’s not great. You
could also put in a firewall rule that will cause the connection to be
reset. But that won’t work on a connection that’s idle (also if one
side is initiator then using this method the other side would not tear
down its side of the connection). There’s
tcpkill
, but it needs to
sniff the network to find the TCP sequence numbers, and again that
won’t work for an idle connection.
Ideally for these long-running connections TCP keepalive would be enabled. But sometimes it’s not. (e.g. it’s not on by default for gRPC TCP connections, and they certainly can be long-running and idle).
You could also do this by attaching a debugger and calling
shutdown(2)
on the sockets, but having the daemon calling unexpected
syscalls thus getting into an unexpected state doesn’t really make for
a stable system. Also attaching a debugger hangs the daemon while
you’re attached to it.
This post documents how to do this on a Debian system.
I managed to get an SSH client working using an SSH pubkey protected by a TPM.
This is another post in my series in playing with TPM chips:
This is not needed, since TPM operations only need well known SRK PIN, not owner PIN, to do useful stuff. I only document it here in case you want to do it. Microsoft recommends against it.
Set OSManagedAuthLevel
to 4
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM\OSManagedAuthLevel
2 -> 4
Reboot.
Clear TPM
Run tpm.msc
and choose “Clear TPM”. The machine will reboot
and ask you to press F12 or something for physical proof of
presence to clear it.
Set owner password from within tpm.msc
Create key
PIN must be at least 8 characters.C:\> tpmvscmgr.exe create /name “myhostnamehere VSC” /pin prompt /adminkey random /generate
Create CSR
Create a new text file req.inf
:
[NewRequest] Subject = “CN=myhostnamehere” Keylength = 2048 Exportable = FALSE UserProtected = TRUE MachineKeySet = FALSE ProviderName = “Microsoft Base Smart Card Crypto Provider” ProviderType = 1 RequestType = PKCS10 KeyUsage = 0x80
C:\> certreq -new -f req.inf Continue reading
I managed to get an SSH client working using an SSH pubkey protected by a TPM.
This is not needed, since TPM operations only need well known SRK PIN, not owner PIN, to do useful stuff. I only document it here in case you want to do it. Microsoft recommends against it.
Set OSManagedAuthLevel
to 4
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM\OSManagedAuthLevel
2 -> 4
Reboot.
Clear TPM
Run tpm.msc
and choose “Clear TPM”. The machine will reboot
and ask you to press F12 or something for physical proof of
presence to clear it.
Set owner password from within tpm.msc
Create key
tpmvscmgr.exe create /name "myhostnamehere VSC" /pin prompt /adminkey random /generate
PIN must be at least 8 characters.
Create CSR
Create a new text file req.inf
:
[NewRequest]
Subject = "CN=myhostnamehere"
Keylength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80
certreq -new -f req.inf myhostname.csr
If you get any errors, just reboot and try again with the command that failed.
Get the CSR signed by any Continue reading
From a customer’s perspective it’s hard to tell if HSBC UK is some sort of performance art as opposed to a real bank.
I will add more things to this blog post as they occur to me, since this is the first time I’m writing these down in one place some of the many many absurdities are bound to slip my mind.
How are they absurd? Let me count the ways.
You can only view about one month of transaction history in your account, and you see it in the logical reverse chronological order.
For anything older, you have to check your “statements”, which have overlapping data and are in chronological order. They have the data. They just refuse to show it to me in a useful form.
So if you want to inventory one month of expenses you now have to synchronize your recent transactions (reverse chronological) with one or two overlapping chronological ones. Oh, and multiply this by two to look at debit and credit card expenses.
If you thought the main banking website was bad (and it’s terrible. If you don’t think it’s absolutely awful then you’ve never seen e.g. SEB to compare), then you should Continue reading
From a customer’s perspective it’s hard to tell if HSBC UK is some sort of performance art as opposed to a real bank.
I will add more things to this blog post as they occur to me, since this is the first time I’m writing these down in one place some of the many many absurdities are bound to slip my mind.
How are they absurd? Let me count the ways.
You can only view about one month of transaction history in your account, and you see it in the logical reverse chronological order.
For anything older, you have to check your “statements”, which have overlapping data and are in chronological order. They have the data. They just refuse to show it to me in a useful form.
So if you want to inventory one month of expenses you now have to synchronize your recent transactions (reverse chronological) with one or two overlapping chronological ones. Oh, and multiply this by two to look at debit and credit card expenses.
If you thought the main banking website was bad (and it’s terrible. If you don’t think it’s absolutely awful then you’ve never seen e.g. SEB to compare), then you should Continue reading
These are my notes from setting up Ubiquity wifi access point and router to replace the horrible BT HomeHub 5.
These are my notes from setting up Ubiquity wifi access point and router to replace the horrible BT HomeHub 5.
This is another post in the series of how to protect SSH keys with hardware, making them impossible to steal.
This means that you know that your piece of hardware (e.g. Yubikey or TPM inside your laptop) was actively involved in the transaction, and not, say, turned off and disconnected from the Internet at the time (like in a safe or on an airplane).
What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.
Most of this is a repeat of official docs (see references).
If it looks like a command is hanging, check to see if the Yubikey is flashing. If it is, then touch it.
The touch feature is optional. If you don’t want a key to require it, you can chose to generate a key that doesn’t.
sudo apt-get install help2man gengetopt libtool Continue reading
This is another post in the series of how to protect SSH keys with hardware, making them impossible to steal.
This means that you know that your piece of hardware (e.g. Yubikey or TPM inside your laptop) was actively involved in the transaction, and not, say, turned off and disconnected from the Internet at the time (like in a safe or on an airplane).
What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.
Most of this is a repeat of official docs (see references).
If it looks like a command is hanging, check to see if the Yubikey is flashing. If it is, then touch it.
The touch feature is optional. If you don’t want a key to require it, you can chose to generate a key that doesn’t.
sudo apt-get install help2man gengetopt libtool Continue reading
This post explains how to set up a keyboard layout the way I like it. It may not fit you at all, but it may give you ideas that would work for you.
In short: I remap Caps Lock to add some extra keys.
First a description of what my preferred keyboard layout is: I type Dvorak, but also want to occasionally use Swedish letters. There are a couple of Dvorak versions for Swedish, but since most of my typing is in English or programming I think they compromise too much on the accessibility of other keys to add these three Swedish characters.
So for decade or so I’ve been remapping Caps Lock to AltGr and holding down AltGr to add new keys. Typing “ö” quickly became fluent and easy, since it involves holding down one key with my left hand and pressing a key with another.
I used this method even before I switched to Dvorak, because if you’ve ever coded on a Swedish keyboard you should know how terrible it is. I know several Swedish programmers who use US keyboard layout all the time because of this, and simply live without being able to type proper Swedish.
This post explains how to set up a keyboard layout the way I like it. It may not fit you at all, but it may give you ideas that would work for you.
In short: I remap Caps Lock to add some extra keys.
First a description of what my preferred keyboard layout is: I type Dvorak, but also want to occasionally use Swedish letters. There are a couple of Dvorak versions for Swedish, but since most of my typing is in English or programming I think they compromise too much on the accessibility of other keys to add these three Swedish characters.
So for decade or so I’ve been remapping Caps Lock to AltGr and holding down AltGr to add new keys. Typing “ö” quickly became fluent and easy, since it involves holding down one key with my left hand and pressing a key with another.
I used this method even before I switched to Dvorak, because if you’ve ever coded on a Swedish keyboard you should know how terrible it is. I know several Swedish programmers who use US keyboard layout all the time because of this, and simply live without being able to type proper Swedish.
This is just notes in case I need to do this again. It’s for my QPov project.
sudo apt-get install autoconf libboost-all-dev libjpeg-dev libtiff-dev libpng-dev
git clone https://github.com/POV-Ray/povray.git
cd povray
git checkout --track -b 3.7-stable origin/3.7-stable
cd unix
./prebuild.sh
cd ..
./configure --prefix=$HOME/opt/povray COMPILED_BY="My_Name on RPi"
make
make install
This is just notes in case I need to do this again. It’s for my QPov project.
sudo apt-get install autoconf libboost-all-dev libjpeg-dev libtiff-dev libpng-dev
git clone https://github.com/POV-Ray/povray.git
cd povray
git checkout --track -b 3.7-stable origin/3.7-stable
cd unix
./prebuild.sh
cd ..
./configure --prefix=$HOME/opt/povray COMPILED_BY="My_Name on RPi"
make
make install
If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT provided router (Home Hub), then you can’t use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here’s some ugly one-liners for doing that.
curl -s 192.168.42.1/nonAuth/wan_conn.xml
| sed -r '/wan_conn_volume_list/{N;s/.*[.//;s/[^0-9]],$//;s/%3B/ /g;s/^[0-9]+ ([0-9]+) ([0-9]+)$/1 2/g;p};d'
curl -s 192.168.42.1/nonAuth/wan_conn.xml
| sed -r '/status_rate/{N;s/.*[.//;s/[^0-9]],$//;s/%3B/ /g;s/^([0-9]+) ([0-9]+) [0-9]+ [0-9]+/2 1/g;p};d'
First I tried this. And it appeared to work. But only if someone had logged in to the web UI recently.
curl -s 192.168.42.1/cgi/cgi_ad_B_Internet.js | sed -r '/wan_conn_volume_list/{N;s/.*[.//;s/[^0-9]],$//;s/%3B/ /g;s/.* ([0-9]+) ([0-9]+)$/1 2/g;p};d'
But then I try it on a different machine and… Oh… oh no. Oh say it ain’t so. Don’t tell me the BT home hub security is based on IP address? Oh… oh it is.
Yet another reason these routers are completely retarded. Other examples:
If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT provided router (Home Hub), then you can’t use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here’s some ugly one-liners for doing that.
curl -s 192.168.42.1/nonAuth/wan_conn.xml \
| sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^[0-9]+ ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'
curl -s 192.168.42.1/nonAuth/wan_conn.xml \
| sed -r '/status_rate/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^([0-9]+) ([0-9]+) [0-9]+ [0-9]+/\2 \1/g;p};d'
First I tried this. And it appeared to work. But only if someone had logged in to the web UI recently.
curl -s 192.168.42.1/cgi/cgi_ad_B_Internet.js \
| sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/.* ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'
But then I try it on a different machine and… Oh… oh no. Oh say it ain’t so. Don’t tell me the BT home hub security is based on IP address? Oh… oh it is.
Yet another reason these routers are completely retarded. Other examples:
These are my notes on how to set up a system securely, in a way that would prevent attackers from being capable of performing an “evil maid attack”.
You have a Linux server that you want to protect against data theft and other backdoors. The attacker can get physical access to your hardware, for example by having access to the server room that houses your rack.
Your attacker is funded, but not super well funded. This will not protect you against intelligence agencies.
The attacker can buy a new server that looks just like the one you have. You will not be able to tell the difference from physical inspection.
You want to know that it’s safe to log in to your server after a suspicious power outage or reboot.
This solution assumes that once the system is booted and you log in, you have access to the secret data. In other words, this is not a protection for gaming consoles or kiosks.
First of all, full disk encryption using dm-crypt. Obviously. (other FDE also acceptable, of course)
Walking up to the server and typing the passphrase every reboot is not only tedious Continue reading
These are my notes on how to set up a system securely, in a way that would prevent attackers from being capable of performing an “evil maid attack”.
You have a Linux server that you want to protect against data theft and other backdoors. The attacker can get physical access to your hardware, for example by having access to the server room that houses your rack.
Your attacker is funded, but not super well funded. This will not protect you against intelligence agencies.
The attacker can buy a new server that looks just like the one you have. You will not be able to tell the difference from physical inspection.
You want to know that it’s safe to log in to your server after a suspicious power outage or reboot.
This solution assumes that once the system is booted and you log in, you have access to the secret data. In other words, this is not a protection for gaming consoles or kiosks.
First of all, full disk encryption using dm-crypt. Obviously. (other FDE also acceptable, of course)
Walking up to the server and typing the passphrase every reboot is not only tedious Continue reading