I got a deal ($125) on an Acer ES1-111M laptop. This class of laptop is intended to be a Windows-running equivalent to Google’s Chromebook. It came with 8GB of RAM and an embedded 32GB eMMC drive. I gave it to my daughter, until the shoddy trackpad made it too frustrating for her and I got her a newer and better laptop. I upgraded the onboard RAM to 8GB. I’ve run Windows 10 and Ubuntu on it, but I don’t really need another personal laptop. Considering the RAM, the light weight, the low temperature and power usage, along with onboard Gigabit Ethernet and a USB 3.0 port, I figured it might make a decent VPN gateway.
I first set it up as a router, which led to the discovery that the existing router in my house, a Buffalo WZR-HP-G300NH, was holding me back. I had a USB 3.0 Gigabit Ethernet dongle as the second interface for the laptop, and when I set up simple IP Masquerading on Ubuntu and pointed a computer at it, I found that my download speeds jumped from ~70Mb/s to ~170Mbs. That led me to look for a wife-friendly (i.e., free) way to improve things. My first choice was my favorite firewall software, OpenWRT. There is an x86 version which is developed alongside the embedded device versions I am so accustomed to using. I grabbed the ISO, then discovered the issue I’ve seen with other Linux distributions, it would not see the storage. Eventually, I installed it to a USB key, which was fine. Along the way, I upgraded to the trunk build and discovered that the OpenWRT which was running could now see the (unused) MMC storage. Perhaps it would now work.
Initially, I wrote an image to the eMMC storage, and booted, but it froze during the boot process. After a bit of tinkering, I found out that if you edit the grub entry so that root=/dev/mmcblk0p2 rather than UUID=-2, it would boot correctly. After booting, just mount /dev/mmcblk0p1 to /mnt, then edit /mnt/boot/grub/grub.cfg to change the UUID entry to /dev/mmcblk0p2, and everything works correctly. You will need to install kmod-usb-net-asix-ax88179 to use the USB Ethernet adaptor. From there, it’s a very normal OpenVPN setup.
Yesterday, The homepage for the popular full disk encryption solution, Truecrypt, changed to reflect the following:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
The page goes on to describe how to configure Bitlocker encryption and remove Truecrypt.
The message is very odd, as there were no indications of the project ending. Truecrypt does very specific things. It is not the sort of software which requires expansive numbers of new features. It works well with Windows 7, which is a huge part of the market. I have not attempted to use it on Windows 8, but Microsoft’s own page on it indicates that it works fine. My reasons for distrusting the new message, despite the fact that the issuer of that message has access to the correct keys to sign the TC release are:
- There are no details of the security issues with Truecrypt.
Assuming this message is actually from the same people who have been developing Truecrypt, they should have no problem at all clearly describing the nature of the vulnerabilities. They have more ability to do this, once those vulnerabilities are known, than anyone else. The lack of detail makes me suspicious.
- The endorsement of Bitlocker flies in the face of the history of the project.
The developers of Truecrypt have shown a consistent (and justified) pattern of paranoia. The sudden endorsement of a closed source security solution is a completely different (and worse) attitude towards security. Among the most suspicious aspects of this is the fact that TC has explicitly avoided dependence on the TPM module due to a lack of trust, yet the “solution” suggested by the homepage currently explicitly endorses using that functionality in moving to Bitlocker.
- The new release appears to not actually correct bugs or improve functionality.
7.2 appears to do nothing more than issue warnings and disable encryption. The users of Truecrypt tend to be a savvy lot. They have the skills to decrypt data should that become necessary. Issuing a version with the encryption function disabled is nonsensical.
I was recently interviewed by Manuel Lora for Liberty.me on the topic of cybersecurity. You can listen to it here.
Windows 8 Pro (which is the version I have. I cannot comment on other versions) appears to have an issue with a normal OpenVPN tunnel. When using UDP, my VPN does not pass traffic. It does pass that traffic when I use TCP. Additionally, a Cisco SSL VPN (also UDP based) I use does not work. After browsing about a bit, I found that the UDP encapsulation settings have an effect on this. The registry setting which needs to be changed is:
After rebooting, both of my VPNs worked, fixing an issue which nearly made me abandon Windows 8.
One thing which always bugged me about my VPN setup is that whenever I used IPSec on Windows 7, I had to specify the route into my home network using a command prompt in Windows (with elevated permissions) where I had to use the “route add” command (you can view the link to see my example.) I finally have a way around this, by using the tip here. Just follow these directions, but instead of a script, specify the route command, with the flags “add 192.168.0.0 mask 255.255.255.0 10.8.8.1” from the example in my VPN setup post. Check the box “run with highest permissions” and save it. Now, every time you connect to your VPN, the task will automatically set your route. Obviously, you could make this a script with any number of commands or multiple routes, so adjust things accordingly.
I bought an Asus U56E from Fry’s, which has an Intel i5-2410M CPU. The laptop has been very good, having excellent battery life and good performance. I replaced the internal optical drive with a drive caddy so that I could replace the internal drive with an SSD, but have an additional spinning drive in order to have a larger amount of space. My SSD has built-in encryption, however the spinning drive does not. I use Truecrypt. I wanted the i5 because I was under the mistaken impression that they all supported AES-NI. I later discovered that Intel has issued a microcode update for this CPU which enables the feature, but the BIOS manufacturer needed to enable it in the system BIOS. Asus has now enabled this feature in version 213 of the BIOS. Truecrypt’s benchmark performance has increased 5x since the update.
I recently purchased a Buffalo WZR-HP-G300NH router and installed OpenWRT on it. I used the trunk version, but found that StrongSwan4 did not allow me to pass traffic, despite an identical configuration to my working Trendnet router. I can successfully connect, but my log files show an error “unable to add SAD entry.” My client indicated no proposal. Though I have not discovered the full nature of the issue, I did notice that the current OpenWRT trunk does not include the kmod-mod-imq module. Since the networking component has changed, I wondered if that might be related. When I installed the 10.03.1-rc4 version of OpenWRT instead, things worked again.
I log into a Zimbra server for email. I may be logged in on the local network, from outside, over the Internet, or across a VPN. The hostname is always the same. I found that I would have to actually quit Firefox in order to log back into Zimbra if I initiated a session over the Internet, and later made a VPN connection. I would see a white screen with a link in the upper left corner which said [Sign Out]. Clicking it did nothing. I actually had to restart Firefox. I discovered that this happened because of Noscript’s ABE protection. I did not wish to disable this, as it is a useful security feature. The solution is to go into the NoScript options, under ABE, and edit the SYSTEM settings. It normally says
# Prevent Internet sites from requesting LAN resources.
Accept from LOCAL
I added this line after the Accept lin:
Accept ALL from *.<mydomainname>
That fixed the issue. It might be advisable for people who use Noscript in a corporate environment with VPN access to add this to their ABE settings in order to prevent web application failures.
I was listening to an MSNBC podcast and the reporter said:
“As much as airline security has been tightened since 9/11, this attempt to bomb a plane bound for the US demonstrates this: that determined terrorists are constantly looking for gaps to exploit.”
Clearly, this is ridiculous. This incident has shown us many things, but that is not one of them. Among the things it shows us:
1) The government is as incompetent at performing basic security as it is at providing anything else of value.
2) In light of 1), Al Qaeda and its allies are not terribly interested in launching attacks on US soil. It would not, apparently be terribly difficult to do so if they actually had much desire.
3) Considering the attacks seen overseas, Islamic militants are mostly interested in attacking soldiers in Muslim areas and civilians who are living in occupied areas.
4) It is difficult to get someone who is both competent and smart to sign up for a suicide bombing mission.