A Little Wizardry, A Lot of Security.

My close collaborator wears one of these (in a men’s size and cut). Usually it means he’s a bit PO’ed, but he claims it’s to show his unix wizardry. Still, at least he looks the part – which I don’t. (At least he doesn’t smell the part.)

That said, I’m going to earn my right to wear this shirt with today’s post.

The problem:

Too many people want to look at your laptop and it may become difficult to stop them. Especially in those bulwarks of personal liberty – the USA and the UK. Not to mention other places which don’t even give lip service to the idea of freedom.

A solution:

You need to be able to show the spooks a machine that is clean. Even better, a machine that has links to the collected wisdom of Ms May or Mr Trump and a background set to an appropriate image. However, you want to use your machine to do other things and you don’t want traces left on it. Even more important, the media that stores the data should be disposable.

You can get a cheap, solid-state, laptop such as a lenovo ns-10 for $100-$200 on Amazon. These have long battery lifetimes, but limited storage. They’re bullet-proof (figuratively speaking).

It turns out windows 10 will easily boot from a usb stick. There may be an event in the log files, but it’s not hard to do and it does not leave a tell-tale boot sequence.

It does mean, however, that you need to construct a persistent linux boot image on a device.

  • micro-sdhc cards can be put in a usb adapter and work like normal usb memory.
  • micro-sdhc cards are easy to destroy. A few seconds with a cigarette lighter and they’re toast. NSA-grade toast as far as recovery is concerned.
  • micro-sdhc cards are not terribly expensive, and can be sent by second channels such as regular mail, or inside of a camera or phone.


So in many ways they’re a spy’s dream.

Making a persistent boot device.

  1. Acquire the software. Download your favorite linux distribution and make sure that gparted and unetbootin are installed. (sudo apt-get install will usually do the trick. There are windows versions of these, but if you are installing a linux operating system, bite the bullet and learn to use it.)
  2. Repartition the media. I used gparted because it’s graphical and cute. parted will work too, but you have to be a little more careful about typos. Windows will only boot from a fat32 partition (fat16 is ok, but NTFS is right out). This will cause some complications, but nothing too hard to deal with. I set up a 7 gig fat32 primary partition and labeled it bootable. (Two steps with gparted: make the partition (execute the commands), and then after it’s made set the bootable flag.) The rest of my disk (which will be invisible under windows anyway) was made into an ext3 partition. I could have used NTFS too. By the way, you’ll need to be root or a sudoer to do this.
  3. Use unetbootin to install the software. It can read from a disk image (ISO) that you’ve downloaded. You’ll need enough space to install the software (about 3 gig for linux mint 18) and 4 more gig. At the bottom of the unetbootin menu is a line about creating a persistence file. I made it 4 gig, which is as large as fat32 can take, by entering 4000. Don’t accept unetbootin’s offer to reboot.
  4. So far these instructions have been more or less standard, and you have a bootable disk. But only 4 gig of persistence. WTF! It used to be that you could have a casper-rw partition and it would mount that, but that actually took advantage of a security hole. So now for the magic. With your disk mounted, cd to the other partition and create a whopping big file. dd if=/dev/zero of=casper-rw bs=1M count=23300 will create a 24G file. It will take about an hour. Make a cup of tea. There’s probably a faster way to do this with the QEMU suite, but that’s another post. The next step is to make that file into a filesystem itself. mkfs.ext3 -F casper-rw will do the trick.
  5. Now you can boot the disk. But we’re not done. Casper files are mounted as loop-back files, which means we have to mount them to proceed. The easiest way to do this is to just use the device. In windows 10, use the settings icon (that gear shaped thing), go to Update & Security and click on the Recovery menu. Under Advanced startup there is a Restart now button. Click on it. Tell the machine to reboot from a device and then select the appropriate usb device. A grub menu should appear.

And it didn’t work. Well it did, sort of, booting without persistence. ARRGH! Now for the wizardry.

It turns out that the kernel needs to be passed a parameter to boot in a persistent mode. This is literally the word ‘persistent’ and it’s appended after the ‘--’ in the configuration (i.e. it looks like stuff -- persistent, with a space). The configuration file was right. It just wasn’t the right configuration file.

So back on unix, we mount the drive and look at the boot/grub.cfg file. There’s no persistent passed to the kernel. So we add it. (Actually we copy the 5 lines and add it so we have both options.)  Now it works.

On with the show.

The casper-rw file is a virtual file system. It’s mounted as a loopback file system (mount casper-rw /other -o loop). So we create a directory /other and a short script to mount the other casper file as a loopback.

#!/bin/sh
# Mount the second casper-rw file (on the ext3 partition, which the live
# system auto-mounts under /media/mint/<UUID>) as a loopback filesystem
# on /other. Run as root; /other must already exist.
mount /media/mint/<a big funny string>/casper-rw /other -o loop

The <big funny string> is a UUID for the disk. One of those security things. I’m still working on how to get it to run automagically, but it works.
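As an added example (not the post’s own script), a small POSIX shell script that wraps steps 4 and 5 and the grub fix above: it creates and formats the casper-rw file, checks a grub.cfg for a kernel line carrying ‘persistent’ after the ‘--’ and appends the flag to a line that lacks it, and mounts the second casper-rw by locating the ext3 partition by its filesystem UUID instead of hard-coding the /media/mint path. Paths, sizes and the use of fallocate and findmnt (util-linux) are assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): the casper-rw steps as functions.
# Paths, sizes and the use of fallocate/findmnt are assumptions.
set -eu

# Step 4: create a big ext3 image file. fallocate reserves the space in
# seconds; dd is the fallback when the filesystem cannot do that.
make_casper_rw() {            # usage: make_casper_rw /mnt/other/casper-rw 23300
    file=$1; size_mb=$2
    fallocate -l "${size_mb}M" "$file" 2>/dev/null ||
        dd if=/dev/zero of="$file" bs=1M count="$size_mb"
    mkfs.ext3 -F -q "$file"   # the file now holds a filesystem of its own
}

# The grub fix: a kernel line only boots persistently if 'persistent'
# follows the '--'. Returns 0 when grub.cfg has at least one such line.
grub_has_persistent() {       # usage: grub_has_persistent /mnt/boot/boot/grub/grub.cfg
    grep -Eq '^[[:space:]]*linux .*-- .*persistent' "$1"
}

# Print a copy of a 'linux ...' kernel line with 'persistent' appended
# after the '--'; a line that already has it is printed unchanged. Paste
# the result into a second menuentry so both boot options remain.
add_persistent_flag() {       # usage: add_persistent_flag "linux /casper/vmlinuz boot=casper quiet splash --"
    case "$1" in
        *persistent*) printf '%s\n' "$1" ;;
        *--*)         printf '%s persistent\n' "$1" ;;
        *)            printf '%s -- persistent\n' "$1" ;;
    esac
}

# Step 5's mount script, but finding the ext3 partition by its filesystem
# UUID (the "big funny string") via findmnt instead of hard-coding the
# /media/mint/<uuid> path. Must run as root.
mount_casper_by_uuid() {      # usage: mount_casper_by_uuid <uuid> /other
    part=$(findmnt -n -o TARGET "UUID=$1" | head -n 1)
    [ -n "$part" ] || { echo "partition UUID=$1 is not mounted" >&2; return 1; }
    mkdir -p "$2"
    mount -o loop "$part/casper-rw" "$2"
}
```

The partition UUID can be read with blkid once the card is plugged in, so the mount step no longer depends on the auto-mount path chosen by the live session.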

Why did I have to do this?

This is actually a feature. Most OSes won’t let you run programs from a USB device, because you could very easily make a virus that ran from disk to disk. The partitions on the disk are recognized as USB partitions, but once mounted in loopback mode they are not, and so files run. There were a set of instructions which involved making a casper-rw partition and which seemed to magically stop working. I suspect, and one of these days will check, that was an error in the grub configuration.

By the way, you’re the system user on this installation – so installing a useful utility like nmap might be an idea.

Under Construction.

We’re building a new website as I type. Well, sort of.

I’ve reorganized the books page to display by category rather than which of us took the blame for it.

The other thing we’ve done is to write a landing page. Eventually there will be one for each book, coupled to newsletter signups and instafreebie, but for now you can see the one for Cynthia the Invincible.

They’re built using twitter bootstrap – so they will scale on multiple devices and be somewhat robust. Like the house on the header image, it is a modular approach to building a web page.

I am available for consultations.

A Designing Woman 4 for #wewriwar

More from the Steampunk book

Welcome to Weekend Writing Warriors.  This is a sample from my latest work in progress, “A Designing Woman”, and I hope you enjoy it.  This is the start of the next chapter and introduces more of the family. Continuing from last week, Amanda’s father and brother quiz her about the mysterious Mr. Williams.
(last week’s snippet).


She laughed, “Don’t get too far ahead in your hopes. He’s studying for the ministry, and I somehow cannot see myself as a minister’s wife. Could you imagine me doing everything Mrs. Peabody does?”

Privately, Lord Caterham had to admit that he couldn’t see that either, but this was such a step in the right direction for his daughter that he wasn’t about to throw the least bit of obstacle in its path. So he changed the subject, “Did Mr. Williams mention which college he was a member of?”

“New College, Freddie’s; doesn’t remember Freddy, though.”

“Who doesn’t remember me?” Frederick found his way to the parlor, having dealt with the horses, or at least ensured that the stable hands were at their work.

Amanda regarded her brother with a mixture of affection and envy. Affection, because he was a likeable, if somewhat flighty, young man, and envy, because he could attend university while she could not.

This is a work in progress. Here are links on tablo and authonomy.  Apparently Steampunk implies Victorian, Dieselpunk the 1920’s. What-punk should a Regency period book be? Horse-punk isn’t right.

Despite being told in no uncertain terms that “steampunk” meant Victorian with ubiquitous steam technology, I’m calling this steampunk, although given the amount of time they will later spend on the river, maybe “Steampunt” is better. Amanda is working on what will become the defining technology of the 19th century, steam. Although, a few things, like the Napoleonic war will get in the way.

A heads up for #computer #privacy.

I’ve been using the EFF’s excellent “Privacy Badger” to block third party cookies. Firefox quietly de-installed it.

Naughty naughty.

I’ve reinstalled it and suggest you do likewise.

https://www.eff.org/privacybadger

First party cookies, such as google uses, are a fee for service. You search for data, they know you searched.

Third party cookies are more like vampires or parasites. “Lamprey cookies?” They get the benefit but give you very little.

Alpha testing a free book ad server.

I’ve put together a javascript framework (a very simple one) for a cooperative ad server for indie authors. The example on my front page just has my books right now, but I expect that to change. It’s going to need a better data organization than instances of an object (probably xml). Anyway, some of my friends will try it out.

It can link to servers like Iauthor or goodreads and lets you handle different vendors (both Amazon and smashwords work). I like the idea of using Iauthor because you can get statistics from them.