A Little Wizardry, A Lot of Security.

fsck_itMy close collaborator wears one of these (in a men’s size and cut). Usually it means he’s a bit PO’ed, but he claims it’s to show his unix wizardry. Still, at least he looks the part – which I don’t. (At least he doesn’t smell the part.)

That said, I’m going to earn my right to wear this shirt with today’s post.

The problem:

Too many people want to look at your laptop and it may become difficult to stop them. Especially in those bulwarks of personal liberty – the USA and the UK. Not to mention other places which don’t even give lip service to the idea of freedom.

A solution:

You need to be able to show the spooks a machine that is clean. Even better, a machine that has links to the collected wisdom of Ms May or Mr Trump and a background set to an appropriate image. However, you want to use your machine to do other things and you don’t want traces left on it. Even more important the media that stores the data should be disposable.

You can get a cheap, solid-state, laptop such as a lenovo ns-10 for $100-$200 on Amazon. These have long battery lifetimes, but limited storage. They’re bullet-proof (figuratively speaking).

It turns out windows 10 will easily boot from a usb stick. There may be an event in the log files, but it’s not hard to do and it does not leave a tell-tale boot sequence.

It does mean, however, that you need to construct a persistent linux boot image on a device.

  • micro-sdhc cards can be put in a usb adapter and work like normal usb memory.
  • micro-sdhc cards are easy to destroy. A few seconds with a cigarette lighter and they’re toast. NSA-grade toast as far as recovery is concerned.
  • micro-sdhc cards are not terribly expensive, and can be sent by second channels such as regular mail, or inside of a camera or phone.

patriot_sdhc

So in many ways they’re a spy’s dream.

Making a persistent boot device.

  1. Acquire the software. Download your favorite linux distribution and make sure that gparted and unetbootin are installed.  (sudo apt-get install will usually do the trick. There are windows versions of these, but if you are installing a linux operating system bite the bullet and learn to use it.)
  2. Repartition the media.  I used gparted because it’s graphical and cute. parted will work too, but you have to be a little more careful about typos.  Windows will only boot from a fat32 partition (fat 16 is ok, but NTFS is right out). This will cause some complications, but nothing too hard to deal with.  I set up a 7 gig  fat 32 primary partition and labeled it bootable. (Two steps with gparted, make the partition (execute the commands), and then after it’s made set the bootable flag.) The rest of my disk (which will be invisible under windows anyway) was made into an ext3 partition. I could have used NTFS too. By the way, you’ll need to be root or sudoer to do this.
  3. Use unetbootin to install the software. It can read from an disk image (ISO) that you’ve downloaded. You’ll need enough space to install the software (about 3gig for linux mint 18) and 4 more gig.  At the bottom of the unetbootin menu is a line about creating a persistence file.  I made it 4 gig, which is as large as fat32 can take, by entering 4000.  Don’t accept unetbootin’s offer to reboot.
  4. So far these instructions have been more or less standard, and you have a bootable disk. But only 4 gig. WTF!  It used to be that you could have a casper-rw partition and it would mount that, but that actually took advantage of a security hole. So now for the magic.  With your disk mounted, cd to the other partition and create a whopping big file.   dd if=/dev/zero of=casper-rw bs=1M count=23300 will create a 24G file. It will take about an hour. Make a cup of tea. There’s probably a faster way to do this with the QEMU suite, but that’s another post.  The next step is to make that file into a filesystem itself.  mkfs.ext3 -F casper-rw will do the trick.
  5. Now you can boot the disk. But we’re not done. Casper files are mounted as loop-back files which means we have to mount them to proceed. The easiest way to do this is to just use the device. In windows 10, use the settings icon (that gear shaped thing), go to update & security and click on the recovery menu. Under advanced startup there is a restart now button. Click on it. Tell the machine to reboot from a device and then select the appropriate usb device. A grub menu should appear.

And it didn’t work. Well it did, sort of, booting without persistence. ARRGH! Now for the wizardry.

It turns out that the kernel needs to be passed a parameter to boot in a persistent mode.  This is literally the word ‘persistent’ and it’s appended after the ‘- -‘ in the configuration.  (i.e. it looks like stuff – – persistent with a space).  The configuration file was right. It just wasn’t the right configuration file.

So back on unix, we mount the drive and look at the boot/grub.cfg file. There’s no persistent passed to the kernel. So we add it. (Actually we copy the 5 lines and add it so we have both options.)  Now it works.

On with the show.

The casper-rw file is a virtual file system. It’s mounted as a loopback file system (mount casper-rw /other -o loop).  So we create a directory /other and a short script to mount the other casper file as a loop back.

#!/bin/sh
mount /media/mint/<a big funny string>/casper-rw /other -o loop

The <big funny string> is a UUID for the disk. One of those security things. I’m still working on how to get it to run automagically, but it works.

Why did I have to do this?

This is actually a feature. Most OS’s won’t let you run programs from a USB device because you could very easily make a virus that ran from disk to disk. The partitions on the disk are recognized as USB partitions, but once mounted in loopback mode are not and so files run. There were a set of instructions which involved making a casper-rw partition and which seemed to magically stop working. I suspect, and one of these days will check, that was an error in the grub configuration.

By the way, you’re the system user on this installation – so installing a useful utility like nmap might be an idea.

Author: Amelia

A mild-mannered professor of computer science in real-life, I remove my glasses in the evening to become, well, a mild-mannered author in my alternate reality. I mostly write sweet romantic fiction, although with an occasional science-fiction or paranormal angle thrown in. I have interests in history, mathematics (D'oh), and cryptography. I'm also something of an Anglophile, and know that country pretty well. In addition to writing, research, and more writing, I volunteer with the scouts. I'm something of a nature-nut, enjoying long walks in the country with almost ultra-light gear, boating, and identifying wildlife.

Leave a Reply

Your email address will not be published. Required fields are marked *