Slightly less Random Ramblings

December 28, 2016

Bizarre issue using the xfinitywifi hotspot (solved)

Filed under: computing, encryption, OpenVPN — Robert Wicks @ 1:49 am

OpenVPN over UDP is broken. I get a connection, but rarely pass traffic, and never make an https connection. When I switch to TCP port 443 on my server, everything works.

July 1, 2016

Installing OpenWRT on a Cheap Laptop

Filed under: computing, Firewall, linux, OpenWRT, security — Tags: , , , , , , — Robert Wicks @ 4:20 pm

I got a deal ($125) on an Acer ES1-111M laptop. This class of laptop is intended to be a Windows-running equivalent to Google’s Chromebook. It came with 8GB of RAM and an embedded 32GB eMMC drive. I gave it to my daughter, until the shoddy trackpad made it too frustrating for her and I got her a newer and better laptop. I upgraded the onboard RAM to 8GB. I’ve run Windows 10 and Ubuntu on it, but I don’t really need another personal laptop. Considering the RAM, the light weight, the low temperature and power usage, along with onboard Gigabit Ethernet and a USB 3.0 port, I figured it might make a decent VPN gateway.

I first set it up as a router, which led to the discovery that the existing router in my house, a Buffalo WZR-HP-G300NH, was holding me back. I had a USB 3.0 Gigabit Ethernet dongle as the second interface for the laptop, and when I set up simple IP Masquerading on Ubuntu and pointed a computer at it, I found that my download speeds jumped from ~70Mb/s to ~170Mbs. That led me to look for a wife-friendly (i.e., free) way to improve things. My first choice was my favorite firewall software, OpenWRT. There is an x86 version which is developed alongside the embedded device versions I am so accustomed to using. I grabbed the ISO, then discovered the issue I’ve seen with other Linux distributions, it would not see the storage. Eventually, I installed it to a USB key, which was fine. Along the way, I upgraded to the trunk build and discovered that the OpenWRT which was running could now see the (unused) MMC storage. Perhaps it would now work.

Initially, I wrote an image to the eMMC storage, and booted, but it froze during the boot process. After a bit of tinkering, I found out that if you edit the grub entry so that root=/dev/mmcblk0p2 rather than UUID=-2, it would boot correctly. After booting, just mount /dev/mmcblk0p1 to /mnt, then edit /mnt/boot/grub/grub.cfg to change the UUID entry to /dev/mmcblk0p2, and everything works correctly. You will need to install kmod-usb-net-asix-ax88179 to use the USB Ethernet adaptor. From there, it’s a very normal OpenVPN setup.

March 18, 2016

The Process or the Product?

Filed under: crime, encryption, Police, Technology, terrorism — Tags: , , , , , — Robert Wicks @ 5:29 pm
codebook

Cipher for Telegraphic Correspondence — a code book used by Union General Joseph Hooker’s code clerk

When I was younger, I often heard people debating whether the state should attempt to ensure equality of opportunity for people or equality of outcome. This has generally focused on areas associated with race or gender. Libertarians have consistently maintained that equality of opportunity is all that the government should properly enforce. The most progressive people push for equality of outcome in some situations, though many will say that historical biases are being overcome, so it is meaningful equality of opportunity that they seek. It strikes me however, that the recent public confrontation between Apple and the FBI provides us with similar arguments being made.

The state has long had the recognized authority to seize property and search it with a warrant. Many of the discussions surrounding the iPhone in question mention that the government can issue orders to look through private property and that the iPhone in question is no different. I’ve seen comparisons, for example to breaking into a home and taking papers for examination.

This is where I think the parallels to civil rights situations can come into play. If the police take your papers, do they have the right to the intelligibility of those papers and effects, or simply to the effects themselves. That is, if the papers are in some language or code that they do not know, do they have the right to force someone to translate it or to teach them the language? In the cases of both plain English papers and the iPhone, they have the same opportunity to examine, but the lack of knowledge (of the pass code, password, or encryption key) may make the outcomes very different.

Another analogy I have seen is that of a safe. Imagine a safe with a completely impregnable lock. What does the state do? Well, there are ways to get into safes without using the lock. You could cut your way in, or blow it up. However, it is at least possible that these other methods may destroy something of value within the safe. Does the government have the right to force the  to come up with a method for opening the lock? Further, do they have the right to force  to only make locks which can be opened without the owner’s consent? In the case of the confiscated iPhone, there may well be ways to “open” the data without the owner’s consent, but those methods may destroy the information which is sought.

It is entirely possible that this case may have effects which reach outside of the world of technology. The most fundamental of notions being examined are whether the state is entitled to a process or a product? The process is the issuing of warrants and the collection of property. The seizure of property is no guarantee of specific uses of that property. And it is the specific uses that the state demands. Is it appropriate for the state to insist on a specific outcome for a policy or is it appropriate that an agreed upon process be followed? In the justice system, I have heard many times over the years that the purpose is to follow the process. Justice is the ideal outcome, but a particular outcome is not what the state promises citizens. It promises them a process. Yet, it appears as though the state is not satisfied to have the same situation in cases involving itself: it demands an outcome. As we move forward and various technologies are developed, this guarantee of outcome will necessarily create greater and greater burdens on hardware and software developers. It may be effectively illegal for a small independent developer to create an encrypted product, for example, because the day may come where each instance of a product will require some sort of individualized method for accessing whatever data is held within it. That implies a substantial data handling infrastructure which companies, and individuals, may soon be required to maintain.

 

January 19, 2016

A Trump Win Might Be a Boon for Apple

I just had a thought while chatting with some friends. What if Apple buys Tesla, and leverages the IP, along with moving iOS and even Mac production stateside? There has been plenty of speculation about them building cars or buying Tesla, and Donald Trump was recently reported to have said that he would make them move production back stateside. This might actually be something which would benefit Apple’s bottom line. I think they have enough IP protection to pull all of that off. And they’d have PR coups over even the American car manufacturers, which would place pressure on them to move more production back stateside. I really think, the more that I think about it, that Trump winning could make Apple more money than its ever made over a Presidential term. It could be absolutely massive. With IP, you can afford union wages, as the restricted competition means greatly increased profit margins. Considering the nationalist fervor which would accompany a Trump win, this might be a win for Apple as well.

April 6, 2015

Using SSH as a remotely accessible proxy server

Filed under: computing — Tags: , , — Robert Wicks @ 12:39 pm

I wanted to have a SOCKS proxy on my home network, but I didn’t want to have to install new software. Fortunately, autossh can be used for that purpose without much trouble. Just add to your /etc/rc.local:
autossh -M 0 -N -C -g -l root -D :1080 localhost

after setting up ssh keys to allow root to log in as itself via localhost with no password. This will cause your server to listen on port 1080, and any SOCKS client on your home network can just point to it. After that, you can force all outbound traffic through that proxy if you wish, and limit the direct access to the Internet for internal machines.

January 27, 2015

Autonomous Cars: Don’t Hold Your Breath

Filed under: cars, computing, economics, libertarianism, Police, statism — Tags: , , , , , — Robert Wicks @ 11:51 am

Driverless vehicles are all the rage all over the Internet. In October, Tesla announced an autopilot feature which, in addition to providing some useful driver assistance features, will also allow the car to park itself when on private property. Mercedes has had similar driver assistance features for some time. Of course, Google is famous for experimenting with fully autonomous cars for years and have been improving the technology steadily. I have every confidence in the engineering. The capability to make a reliable autonomous vehicle is nearly upon us and is a very reachable goal. However, that is not the determining factor in them becoming commonplace on the roads.

The proponents for autonomous cars largely come from the technologically sophisticated left. There are some significant potential efficiency and safety gains to be had from self-driving vehicles. The driver is the most unreliable part of a car. Driver behavior has a large impact on energy usage as well. Up to this point, there has not been much in the way of vocal opposition to driverless cars. There are concerns, yes. Perhaps they will make traffic worse. There are potential ethical dilemmas. But these are not serious impediments to adoption. The serious impediment to the adoption of autonomous cars is the state.

Some of the things being touted as benefits of autonomous cars are threats to some parties. Let’s look at safety. Assume an autonomous car obeys all traffic laws. What does that do to various governments who depend on ticketing revenue? Driving irregularities are a leading reason for traffic stops which allow for the detection of drug trafficking, which is another major source of revenue for local police departments. Will police departments and municipalities be onboard for technology which will potentially eliminate the majority of their revenues? I think not.

Assuming the limited testing of computer controlled cars is promising, what are likely reactions from governments? If a driverless car is really safer and more efficient, how long before anything else is banned? Look at technologies such as airbags and backup cameras. These things went from high-end features to mandatory ones within 3 car generations. How long before something which could save considerably more lives would be similarly mandated? And that would spark outrage among both car enthusiasts and the automakers who cater to those enthusiasts. Those are moneyed interests whose influence should not be underestimated.

I do not expect these reasons to be the explicit cases for banning or at least slowing the adoption of autonomous vehicles. They are too cynical to be digested by the public. There will be other reasons given. I’m sure many factions are chomping at the bit for the first fatality which is caused or at least exacerbated by some sort of failure or design flaw in an autonomous car. When that happens, it will be put to maximum use by political interests who have had to largely remain silent due to their somewhat unsavory motivations. I expect us to have autonomous vehicles. But not without a fight, and not when the technology is ready. Perhaps a generation after the technology is readily available, the political climate will have sufficiently changed to allow them to become commonplace, but I don’t expect them to be common on American roads for at least 20 years after we have fully operational, reliable, cost-effective prototypes. The state will probably not allow it to happen any sooner than that.

 

August 21, 2013

OpenVPN Not Passing Traffic on Windows 8 Professional using UDP

Filed under: computing, encryption, OpenVPN, security, Windows — Tags: , , , , , , — Robert Wicks @ 7:25 am

Windows 8 Pro (which is the version I have. I cannot comment on other versions) appears to have an issue with a normal OpenVPN tunnel. When using UDP, my VPN does not pass traffic. It does pass that traffic when I use TCP. Additionally, a Cisco SSL VPN (also UDP based) I use does not work. After browsing about a bit, I found that the UDP encapsulation settings have an effect on this. The registry setting which needs to be changed is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
“AssumeUDPEncapsulationContextOnSendRule”=dword:00000002

After rebooting, both of my VPNs worked, fixing an issue which nearly made me abandon Windows 8.

February 22, 2011

Setting up a VPN Gateway on the Cheap

I recently got a hand-me-down Trendnet TEW-652BRP router. The label on it indicates that it is version 1.1R. Doing a bit of research, it seems as if the one I have is actually identical to the TEW-632BRP, so I compiled OpenWRT for the TEW-632BRP, and it worked like a charm. The router uses an Atheros AR9130 rev2 chipset with a MIPS processor running at 400Mhz. It features wireless N in the 2.4GHz range, 4MB of flash, which is fairly typical, and 32MB of RAM, which is more than several I’ve seen. The processor is what intrigued me. It is well known that alternative, Linux-based firmwares exist for consumer routers, which can offer an array of new features. I have several compatible models myself. But most of the older Broadcom chipset models have fairly slow processors, so some applications, such as VPNs, perform only moderately well on them.

One of my favorite VPN products is OpenVPN. It performs well, and is simple to set up. A couple of years ago, an excellent analysis of the performance of OpenVPN on a consumer grade router was published. For most home connections, you will get plenty of throughput using either of the VPN solutions we will be setting up. In order to get this up and running, first you must flash the router to get rid of the firmware which came with it and replace it with something altogether more powerful: OpenWrt. Download the backfire image builder from the trunk. Support for this chipset is newer than the Broadcom chipsets in the original Linksys WRT-54G(L) and OpenWrt is under constant development, and the trunk build has run much better than the others on my router. The features I want really push the limits of the storage, so I had to just drop wifi support. Fortunately, I have other wireless routers which I can use for access points on my home network. So these directions are for a command-line-only, wired-access-only router and VPN endpoint. After you get the builder, run

“tar -jxvf OpenWrt-ImageBuilder-ar71xx-for-Linux-x86_64.tar.bz2;cd OpenWrt-ImageBuilder-ar71xx-for-Linux-x86_64”

After you get into the directory, run something like the make command below.

make image PROFILE=”TEW632BRP” PACKAGES=”base-files busybox ddns-scripts dnsmasq dropbear firewall hotplug2 ip iptables iptables-mod-conntrack iptables-mod-conntrack-extra iptables-mod-filter iptables-mod-imq iptables-mod-ipopt iptables-mod-ipsec iptables-mod-nat iptables-mod-nat-extra kernel kmod-button-hotplug kmod-crypto-aes kmod-crypto-authenc kmod-crypto-core kmod-crypto-des kmod-crypto-hmac kmod-crypto-md5 kmod-crypto-sha1 kmod-input-core kmod-input-gpio-buttons kmod-input-polldev kmod-ipsec kmod-ipsec4 kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-core kmod-ipt-filter kmod-ipt-imq kmod-ipt-ipopt kmod-ipt-ipsec kmod-ipt-nat kmod-ipt-nat-extra kmod-ipt-nathelper kmod-iptunnel4 kmod-leds-gpio kmod-sched kmod-textsearch kmod-tun libc libgcc libgmp libiptc liblzo libnl-tiny libopenssl libpthread librt libuci libxtables mini-snmpd miniupnpd mtd openvpn opkg qos-scripts strongswan4 strongswan4-app-charon strongswan4-app-pluto strongswan4-mod-aes strongswan4-mod-attr strongswan4-mod-des strongswan4-mod-dnskey strongswan4-mod-fips-prf strongswan4-mod-gmp strongswan4-mod-hmac strongswan4-mod-kernel-netlink strongswan4-mod-md5 strongswan4-mod-pem strongswan4-mod-pgp strongswan4-mod-pkcs1 strongswan4-mod-pubkey strongswan4-mod-random strongswan4-mod-resolve strongswan4-mod-sha1 strongswan4-mod-sha2 strongswan4-mod-stroke strongswan4-mod-updown strongswan4-mod-x509 strongswan4-mod-xcbc strongswan4-utils tc uci udevtrigger -vsc7385-ucode-ap83 -vsc7385-ucode-pb44 -vsc7395-ucode-ap83 -vsc7395-ucode-pb44 zlib -kmod-ath9k -wpad-mini”

This will install Strongswan and OpenVPN, but, due to only have 4MB of flash storage to work with, will not install the web interface, so we will be doing everything from the command line. After the command above gives you your image, you will need to choose the appropriate one to flash your router. If you are going from the factory firmware, you need to use the recovery image, which, when I build it, is called “openwrt-ar71xx-generic-tew-632brp-recovery-squashfs-factory.bin.”

You can then flash your firmware by unplugging it, holding down the reset button, plugging it in while the reset button is held down for about 10 seconds, then setting your computer’s IP address to 192.168.0.2 and browsing to 192.168.0.1. Upload the file and flash away. The router will eventually reboot and have an IP address of 192.168.1.1.

You can then set your computer’s IP address to 192.168.1.2 and telnet into 192.168.1.1. The router will allow you in with no password. You can issue the “passwd” command to set the root password, which I recommend. Once you do this, however, you will have to use SSH to log into the router, as telnet is disabled when the root password is set.

OpenVPN Setup

OpenVPN is a very easy to configure, cross-platform, open source VPN, and it now has wide support on third party firmwares such as OpenWRT, DD-WRT, and Tomato (but you will need either TomatoVPN or TomatoUSB). IPSec has the advantage of being a standard which can interoperate with a variety of devices and operating systems where OpenVPN is not available. I figure why not do both? We are going to use certificates to authenticate both of them, so with a bit of care, we can use the exact same certifcates and keys on our router for both services, saving us a little bit of storage. I did my certificate generation on Ubuntu 10.10, but you could use anything which runs OpenVPN and OpenSSL. On Ubuntu, run

sudo apt-get install openvpn

After the installation completes, copy the entire /usr/share/doc/openvpn/examples/easy-rsa/2.0 directory into your home directory with

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 $HOME/

This will give you a “2.0” directory in your home directory. Cd into that directory, and edit the vars file so that it has your organization and personalized information (this is optional). Then edit the openssl.cnf file. You will modify it so that the certificates it generates will be suitable for both OpenVPN and Windows 7’s implementation of IPSec. Go to line 196 in the file, the extendedKeyUsage line. You will also add a new line after this one. Together, they read:

extendedKeyUsage=clientAuth, serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName=DNS:Your.Internet.DNS.Hostname

In place of Your.Internet.DNS.Hostname, put your computer’s hostname. If you are on a home Internet connection, you should use one of the dynamic DNS providers such as DynDNS.com. These lines will enable the Windows 7 IKEv2 VPN client to work with StrongSwan. Be sure to follow the directions here. You can then run the following commands.

. ./vars
mkdir keys
./clean-all
./build-dh
./build-ca
./build-key-server Your.Internet.DNS.Hostname
./build-key-pkcs12 client1

As before, replace the Your.Internet.DNS.Hostname with your Internet hostname. One of the good things about the build-key-pkcs12 script is that it generates everything you will need for OpenVPN clients on both Windows and Linux. You will find client1.key, client1.csr, client1.crt, and client1.p12 under the keys directory after running the last command. You will also see files with the same extensions (except the p12 file) prefixed by your Internet hostname. Those files will be installed on your OpenWRT VPN endpoint. The client1 files will be installed on your laptop (or whatever will be connecting into your VPN endpoint). First, we need to copy the server keys we generated into the appropriate places. We will use the default paths for StrongSwan, but OpenVPN will also use them. Run:

scp keys/Your.Internet.DNS.Hostname.crt root@:/etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt

scp keys/Your.Internet.DNS.Hostname.key root@:/etc/ipsec.d/certs/Your.Internet.DNS.Hostname.key

scp keys/ca.crt root@:/etc/ipsec.d/cacerts/ca.crt

scp keys/dh1024.pem root@:/etc/openvpn/

SSH into your OpenWRT router and run:

vi /etc/openvpn/my-vpn.conf

This will create the configuration file you will use, which you will fill with something like this:

daemon
server 10.10.10.0 255.255.255.0
proto udp
port 1194
dev tun0
comp-lzo adaptive
keepalive 15 60
verb 2
push “route 192.168.0.0 255.255.255.0”
ca /etc/ipsec.d/cacerts/ca.crt
dh /etc/openvpn/dh1024.pem
cert /etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt
key /etc/ipsec.d/private/Your.Internet.DNS.Hostname.key
tls-auth /etc/openvpn/ta.key 0

You should customize the route to reflect the IP scheme of your internal network. You can also alter the server line to any arbitrary private network. Finally, you can change your port to something other than 1194. Notice that the last line refers to a file, ta.key, which we have not yet created. We can do that on the router itself with the command:

openvpn –genkey –secret /etc/openvpn/ta.key

Adding this to your OpenVPN configuration will defend against port scanning and DOS attacks. You will need to copy this file to your laptop as well. Your laptop’s OpenVPN configuration will contain something like this:

client
dev tun
proto udp
remote Your.Internet.DNS.Hostname 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/ipsec.d/cacerts/ca.crt
dh /etc/openvpn/dh1024.pem
cert /etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt
key /etc/ipsec.d/private/Your.Internet.DNS.Hostname.key
tls-auth ta.key 1
comp-lzo
verb 3

You now have a working OpenVPN configuration, but you still need to modify your firewall rules to allow traffic through. Run

vi /etc/config/firewall

Add the following lines to the end:

config ‘rule’

option ‘src’ ‘wan’
option ‘target’ ‘ACCEPT’
option ‘proto’ ‘udp’
option ‘dest_port’ ‘1194’

Save the file. This will configure your firewall to accept inbound OpenVPN traffic. In order to pass the tunneled packets through, we edit the firewall.user file:

vi /etc/firewall.user

Add the following lines to that file:

/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT

This will allow your VPN to work. Just reboot the router and OpenVPN should work. Now, let’s get to IPSec.

IPSec Setup

IPSec is actually more difficult to configure than OpenVPN, but, being a cross-platform standard, and enjoying kernel-level support, is still a nice feature to have on an Internet gateway. The crypto files have already been put in place, so we just need to edit the configuration. Run:

vi /etc/ipsec.conf

Modify the files so that it contains:

config setup

strictcrlpolicy=no
nat_traversal=yes
charondebug=all

conn %default

ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1

conn nat-t

authby=rsasig
leftfirewall=yes
left=%defaultroute
leftcert=Your.Internet.DNS.Hostname.crt
rightsourceip=10.8.8.0/24
leftsubnet=192.168.0.0/24
right=%any
auto=add

Edit your /etc/ipsec.secrets file and fill it with:

: RSA Your.Internet.DNS.Hostname.key

Now, we allow the appropriate connections to the firewall. Edit the /etc/config/firewall file and add:

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘esp’
option ‘target’ ‘ACCEPT’

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘udp’
option ‘dest_port’ ‘500’
option ‘target’ ‘ACCEPT’

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘udp’
option ‘dest_port’ ‘4500’
option ‘target’ ‘ACCEPT’

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘ah’
option ‘target’ ‘ACCEPT’

Finally, add the following to /etc/firewall.user to enable all the traffic to pass, even to the OpenWRT router itself:

/usr/sbin/iptables -I INPUT  -m policy –dir in –pol ipsec –proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD  -m policy –dir in –pol ipsec –proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD  -m policy –dir out –pol ipsec –proto esp -j ACCEPT
/usr/sbin/iptables -I OUTPUT   -m policy –dir out –pol ipsec –proto esp -j ACCEPT

This gives full access to all the tunneled traffic. On a Windows 7 client, you can follow this guide. Note that you will have to manually add the route for your home network on Windows 7, due to the limitations of the Agile VPN client. I run a command prompt as administrator and run

route add 192.168.0.0 mask 255.255.255.0 10.8.8.1

after I connect. Traffic then passes. Things are much easier if you are using StrongSwan as the client. Just edit the /etc/ipsec.conf file on your Linux laptop client to contain the following:

config setup

charondebug=all
nat_traversal=yes
charonstart=yes
plutostart=yes

conn roadwarrior

left=%defaultroute
leftcert=client1.crt
leftfirewall=yes
leftauth=rsasig
leftsourceip=%modeconfig
right=Your.Internet.DNS.Hostname
rightcert=Your.Internet.DNS.Hostname.crt
keyexchange=ikev2
rightsubnet=192.168.0.0/24
auto=add

As you can see, you will be copying your router cert (and only the cert, not the private key) to your client. You will also copy your client1 key and cert. In a similar manner to the router, your /etc/ipsec.secrets file will contain

: RSA client1.key

You can read more on the Strongswan client configuration here. Once you have Strongswan configured, you can start ipsec, then issue

ipsec up roadwarrior

to start the tunnel.

Final Notes and Tips

You can actually replace the rightcert line with “rightid=%any” which is a better practice, from what I gather from the StrongSwan mailing list. That is how I have modified my own setup. Also, note that the Ubuntu package is actually broken, because it does not use socket-raw. To fix this, remove /usr/lib/ipsec/plugins/libstrongswan-socket-d* and restart the daemon. Or, you can do what I did and build the latest StrongSwan from source.

Be sure to look at the various documentation pages for OpenWRT, OpenVPN, and Strongswan. They have a lot of very useful information. One of the nice things you can do when you have your VPN setup working fully is completely disable all other remote access to your network. You can make your router invisible on the Internet, yet still allow full access to your home resources. With more powerful routers, especially ones with more storage, you can add useful packages to allow full SNMP support, traffic monitoring, the GUI interface, or port knocking.

If you have any questions, please post them in the comments or email me.

November 6, 2010

Noscript And Zimbra Problem

Filed under: computing, security — Tags: , , , , , — Robert Wicks @ 8:23 am

I log into a Zimbra server for email. I may be logged in on the local network, from outside, over the Internet, or across a VPN. The hostname is always the same. I found that I would have to actually quit Firefox in order to log back into Zimbra if I initiated a session over the Internet, and later made a VPN connection. I would see a white screen with a link in the upper left corner which said [Sign Out]. Clicking it did nothing. I actually had to restart Firefox. I discovered that this happened because of Noscript’s ABE protection. I did not wish to disable this, as it is a useful security feature. The solution is to go into the NoScript options, under ABE, and edit the SYSTEM settings. It normally says

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

I added this line after the Accept lin:

Accept ALL from *.<mydomainname>

That fixed the issue. It might be advisable for people who use Noscript in a corporate environment with VPN access to add this to their ABE settings in order to prevent web application failures.

July 19, 2010

Automounting Truecrypt in Linux

Filed under: computing, encryption, linux, Truecrypt, ubuntu — Tags: , , — Robert Wicks @ 12:35 am

I have a dual boot system with Windows 7 and Ubuntu 10.04. In order to secure the system, I have system encryption with Truecrypt and encrypted LVM in Ubuntu. I need to access my Windows files from within Ubuntu. After a bit of searching around the Internet, I pieced together this command line, which I put in /etc/rc.local. Since my system is fully encrypted and used by only me, I’m not concerned about the password being in /etc/rc.local. I installed the Truecrypt console version.

I added the following line to /etc/rc.local:

echo “MyTruecryptPassPhrase” | /usr/local/bin/truecrypt -t -m system -k “” -p ”” –protect-hidden=no –fs-options=rw,noatime,umask=000 –filesystem=ntfs-3g /dev/<windows partition> /<local mount point>

By echoing the passphrase and piping it to the Truecrypt command, we avoid having it show up in the ‘ps -ef’ command. The filesystem will be mounted with 0777 permissions.

I have found that it is even possible to mount outer partitions (with hidden partitions inside) using this method, and protecting the hidden partition. The command is as follows:

echo “HiddenPartitionPassphrase\n\nOuterPartitionPassphrase” | /usr/bin/truecrypt -t -k “” -p “”  –protect-hidden=yes –fs-options=rw,noatime,umask=000  /dev/sda2 /windows

By using the hidden OS feature in Truecrypt, it is possible to triple boot your computer, with all data on the drive except for the /boot partition in Linux being encrypted. Since no secret information is stored in /boot, this is not a problem.

Older Posts »

Blog at WordPress.com.

%d bloggers like this: