One Click Away

One thing I see over and over again is the e-mail from friends that obviously reveals that their e-mail addressbooks have been compromised. Blast, after blast, after blast. The consequences of having viruses, malware, trojans, or worms on your computer really don’t fully weigh in with most people. Botnets, ransomware, extortion – you name it. It’s all there. Your digital life is at someone else’s mercy.

While an undergraduate in the computer engineering department, we used an e-mail program called Pine. It is text based only, used for actually sending text (e-mail). Its purpose was to display text, and allow you to reply with text. Pretty simple, right? I have always appreciated this elegance, subconsciously ignoring its real power and value.

Fast forward to today. In many ways, people consume software like crows collect shiny things. We’re attracted to the latest bells, knobs, widgets, and features that a salesperson says we need. What has happened is that e-mail has turned from a messaging system with text, to a platform that is so integrated with your computer, that attacks and infestations are now trivial. People are happy to have these shiny things, and are willing to install incredibly complex and often weak security products to combat attacks via e-mail. Make no mistake, this industry has a lot of money involved, and it will *never* go away.

What I am about to say will, no doubt, be laughable to most: dumb your e-mail down, and use a text only reader again – you will be better off in the end. The reason I say this is due to a recent e-mail I received. It was well crafted, appearing to be from a large social networking site, stating that my account had been locked due to a login from an odd computer (site redacted):

Date: Sat, 11 Feb 2017 08:20:00 -0500
From: [large socialmedia] no-reply@accounts.compromised.[large socialmedia].com
Subject: [large socialmedia] account compromised
Parts/Attachments:
   1 Shown     17 lines  Text (charset: ISO-8859-1)
   2          162 KB     {application/octet-stream}
   3 Shown      1 lines  Text
----------------------------------------

Dear [large socialmedia] user,

Your [large socialmedia] account was recently logged into from a computer,
mobile device or other location you've never used
before. For your protection, we've temporarily locked your account your
account until you can review this activity and make sure no one
is using your account without your permission.

Did you log into [large socialmedia] from a new device or an unsual location?

- If this was not you, please download attached file and follow the
instructions provided to help you control
your account information.


Thanks,
[large socialmedia] Security Team


    [ Part 2, {application/octet-stream}/UNKNOWN (Name: ]
    [ "COMPROMISED11022017.zip") 162 KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

    [ Part 3: "Attached Text" ]

Obviously this is an easy one, in the fact that it misspells unusual as unsual. But do people pay attention? I didn’t initially. I was just on the large social media company’s web site. Could this be real? Well, the simplest answer was to log back in, which I did. Guess what? It wasn’t locked.

Taking a look at the attachment with hexdump on Linux, to see what is actually in the bits:

$ unzip COMPROMISED11022017.zip
$ hexdump -C COMPROMISED11022017.exe | less

I looked for the string “exe” and guess what pops up? Hand.exe. Doing a quick search of hand.exe yields this link:

http://www.threatexpert.com/files/hand.exe.html

The obvious is true: another attack via e-mail. The protection from a text based reader is that one cannot “click” on the attachment. It forces you to examine what you are doing, requiring extra steps. This is a small price to pay, one which I am happy to do. You should be too.
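The examination a text-only reader forces can also be scripted. The following is an added example, not code from the original post: it parses a raw message, lists the attachments, and looks inside a zip in memory for executable file names and the PE "MZ" magic, without writing anything to disk or running it. The message and the zip are constructed stand-ins for the lure above (the sender domain is made up), and the zip member is a dummy that only begins with the two magic bytes.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows will run directly; a zip carrying one of these is the
# pattern in the lure above (COMPROMISED11022017.zip -> hand.exe).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".jar", ".ps1", ".dll", ".msi", ".hta"}


def build_sample_message() -> bytes:
    """Constructed stand-in for the lure: a text part plus an octet-stream zip.

    The zip member is a dummy that merely starts with the PE magic "MZ";
    it is not a program and cannot run.
    """
    zip_bytes = io.BytesIO()
    with zipfile.ZipFile(zip_bytes, "w") as zf:
        zf.writestr("hand.exe", b"MZ" + b"\x00" * 62 + b"constructed dummy, not a program")
    msg = EmailMessage()
    msg["From"] = "no-reply@accounts.compromised.example.invalid"  # constructed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "[example] account compromised"
    msg.set_content("Your account was locked. Please download the attached "
                    "file and follow the instructions provided.")
    msg.add_attachment(zip_bytes.getvalue(), maintype="application",
                       subtype="octet-stream", filename="COMPROMISED11022017.zip")
    return msg.as_bytes()


def inspect_archive(data: bytes) -> list:
    """Look inside a zip held in memory; never extract to disk, never execute."""
    flags = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXEC_EXTENSIONS:
                flags.append(f"executable-in-archive:{info.filename}")
            # Read only two bytes, so an oversized member (zip-bomb style)
            # cannot exhaust memory during triage.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    flags.append(f"pe-magic:{info.filename}")
    return flags


def triage(raw: bytes) -> list:
    """Return one finding per attachment, without opening anything for real."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        flags = []
        if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
            flags.append("executable-attachment")
        if part.get_content_type() == "application/octet-stream":
            flags.append("opaque-content-type")
        if zipfile.is_zipfile(io.BytesIO(data)):
            flags.append("zip-archive")
            flags.extend(inspect_archive(data))
        findings.append({"name": name, "size": len(data),
                         "content_type": part.get_content_type(), "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print(finding)
```

Pointed at a message saved from Pine (the "S" save key), `triage` gives the same answer the hexdump search gave above, an executable hiding inside an opaque zip, before anything is clicked.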

Cut/Paste with AutoCutSel

Recently, I have moved from supporting CentOS 5.7 in Amazon’s EC2 to CentOS 6.6. At the same time, VNC clients have moved from running on Windows 7 to Windows 10. A question came up, why does copy and paste not work any more?

It’s true. After these changes, there is no copy/paste from the VNC client’s system to the VNC server.

Quick rundown: the client runs the TightVNC client 2.7.10 on Windows 10. The server runs the Xvfb on CentOS 6.6, using x11vnc 0.9.13 to connect.

The answer turns out to be simple. Normally I attribute the solution to a web page that offers it, but unfortunately this time, I seem to have lost the URL. Sorry, person, who so graciously posted the comments about autocutsel!

If you compile and install the program “autocutsel”, then things become sane again. Adding to System -> Preferences -> Startup Applications, an application for “autocutsel” with the option of “-fork” solved this problem. In GNOME, this adds the file $HOME/.config/autostart/autocutsel.desktop, which will launch when the Xvfb is initiated as the user owning the Xvfb/x11vnc desktop.

Nice!

New Age of Firewalls

As the holiday season comes and goes this year, families will undoubtedly be inundated with new gadgets that hook into the home wifi network. We will marvel at our high technology prowess, and new found abilities and productivity. Yet, this is a cautionary tale, one that examines our path of no return.

Taking a trip down memory lane, when companies and families first started connecting to the Internet, a basic security measure was necessary: the firewall. All of these hard-wired devices sat behind it, with a path outbound, but no reverse path inbound. One of the first hoaxes on the Internet was the e-mail that warned of the “Good Times” virus. After all, how could one get a virus from ASCII text? Ha, ha, we thought. Simplicity of software would not allow such things to happen, rendering this time as the Golden Age of the Internet, yielding peace and harmony. The World Wide Web was born, and short were the days of dial-up services. Broadband became viable at the consumer level with the introduction of cable modems, and shortly thereafter, a protocol called 802.11, wireless ethernet. Pagers were replaced with cell phone technology. Domain names were snatched up, companies built web sites, and the hunger for content grew. And grew. And grew. And then, on January 9th, 2007, Apple announced the iPhone. It was a three way marriage of networking: phone company networks, wifi networks, and the Internet.

All the while, the firewall was deemed to be the most important part of Internet related computer security. After all it has been there protecting you all of this time, right? Wrong. What people forget is that as time passes, software becomes more and more complex, as do the licensing agreements that accompany them. Does anyone, really, read EULAs? No. And yet, it is in these agreements that the details of our very flawed thinking are revealed.

Moving to today’s commercialized world of techno-wizardry, from a computer security perspective, it is safe to say that we have moved from the Golden Age to the Iron Age, where we live an existence of toil and misery. Why? Well, it all comes down to the firewall. Most people have a firewall that protects their “home” network. A “home” network most likely includes personal, medical, and financial information that not only includes documents, but account access. Family photos and videos, music, movies – it’s all in the mix. And, the poor little firewall has to protect it all from our blazing fast upload speeds (or put another way, theft speeds). Not only does the firewall manage wired connections, but wireless ones as well. Smart phones today use “home” wifi to help save on the data plan tied to the phone provider. We all do this, we save money!

It is this one scenario that best describes the inherent weakness of today’s home based computer security. For example, a gift was given that requires an app to be installed on a smart phone. You click through the license agreement and off and running you are. What fun! It’s magic. In reality, because your smart phone is connected to your home wifi, and the app connects back to the manufacturer of the gift, you now have an attack vector right into the heart of your digital life. The unspoken assumption is that people who sell stuff have thought this through. This is not the case. If people who write operating systems for a living have a hard enough time making things attack free, then what are the chances that a purveyor of anything trying to meet a market deadline will accomplish this? What about these free gaming apps that kids love to play? What about anything that is IoT? What about any piece of software on your computer? Anything you install today will connect back to some mother ship, and when this happens you are vulnerable. Not only from the mother ship itself, but from the software running at home – both sides.

The spirit of the firewall is dead. There is nothing that can be done. If you think otherwise, then you are living a delusional fantasy. Of course, people who sell sophisticated firewalls will tell you otherwise. After all, public companies have to report they are doing their due diligence to protect themselves, right? And how many attacks and public disclosures do we see a year? How much money was spent? To make matters worse, firewalls today also suffer from vulnerabilities. The Iron Age it is, indeed.

Is there anything that can be done? Yes, and it requires time, thought, discipline, and a willingness to accept complexity, all of which are incongruous with the “instant satisfaction” that we are so desirous of today. Here is a basic chart of what a modern home network should look like:

(Diagram: Firewall Architecture)

The hardware is a hypervisor, running virtual machines. The firewall itself is now virtual, managing traffic flows from other virtual machines and their respective networks. The firewall VM has a dedicated physical port, as does the hypervisor. In this example, there are three wireless networks, governed by three separate physical wireless ethernet bridges. There are three types of networks: personal, IoT, and anything else. On the personal network, the general assumption is that this is where all important data exist, data one would rather not see out on the Internet. Ideally, devices that do not phone home should exist here. Unfortunately, this precludes products from Apple and Microsoft. The IoT network should include all of the devices that manage household gadgetry – thermostats, sensors, security, etc. For obvious reasons, this network should not be affected by the personal or third network, the “other” network. This last network is where all of the bluray players, televisions, mobile devices, printers, and guest access should reside. While the IoT network phones home, it pales in comparison to the “other” network. This network is the wild west of security, and should not be considered safe.

Plainly, this installation is far from simple. One machine, five operating systems, five IP networks, ten ethernet bridges – eight virtual, three physical. There is no “instant on”. The machine will take minutes to power on, and should be placed on a UPS in case of power failure.
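The rules the firewall VM enforces between these networks can be written down as a zone policy and rendered mechanically. This is an added example, not from the original post: it encodes the two constraints stated above (the IoT network is reachable from neither the personal nor the “other” network, and nothing initiates connections into the personal network), checks them, and emits iptables commands for the firewall VM. The interface names inside the VM, the subnets, and the one personal-to-other exception (printing) are assumptions made for this example.

```python
# Zones of the virtual firewall. Interface names inside the firewall VM and
# the subnets are assumptions for this example, not from the original post.
ZONES = {
    "wan":      {"iface": "eth0", "cidr": None},          # dedicated physical uplink
    "personal": {"iface": "eth1", "cidr": "10.0.1.0/24"},
    "iot":      {"iface": "eth2", "cidr": "10.0.2.0/24"},
    "other":    {"iface": "eth3", "cidr": "10.0.3.0/24"},
}

# Flows that may open NEW connections. Everything not listed is dropped by
# the FORWARD policy, so a new zone adds no reachability until listed here.
ALLOWED_FLOWS = [
    ("personal", "wan"),
    ("iot", "wan"),
    ("other", "wan"),
    ("personal", "other"),  # assumption: printing; the printer cannot call back
]


def is_allowed(src, dst, allowed=ALLOWED_FLOWS):
    """True if zone src may initiate a connection to zone dst."""
    return (src, dst) in allowed


def policy_violations(allowed=ALLOWED_FLOWS):
    """Flows that break the post's invariants: nothing reaches the IoT zone
    from another zone, and nothing reaches the personal zone from outside it."""
    return [f"{src}->{dst}" for src, dst in allowed
            if dst in ("iot", "personal") and src != dst]


def forward_rules(zones=ZONES, allowed=ALLOWED_FLOWS):
    """Render the zone policy as iptables commands for the firewall VM."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP",
    ]
    for src, dst in allowed:
        rules.append(
            f"iptables -A FORWARD -i {zones[src]['iface']} -o {zones[dst]['iface']}"
            " -m conntrack --ctstate NEW -j ACCEPT"
        )
    # Whatever falls through is dropped by the policy; log it first, rate
    # limited, so a gadget probing the personal network shows up in the logs.
    rules.append("iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FWD-DROP: '")
    rules.append(f"iptables -t nat -A POSTROUTING -o {zones['wan']['iface']} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    violations = policy_violations()
    if violations:
        raise SystemExit(f"policy breaks segmentation: {violations}")
    print("\n".join(forward_rules()))
```

Because the default policy is DROP and only listed flows get an ACCEPT, the dangerous direction (a device on the IoT or “other” network reaching into the personal network) never has a rule at all; adding one would be caught by `policy_violations` before the rules are loaded.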

If this seems too technical, it is supposed to. People make very good salaries supporting such installations. How is a non-technical person supposed to enjoy the merits of such an installation? The sad answer is that they cannot. This is precisely the reason why so many large DDoS attacks can take place using hijacked machines, your hijacked machines.

AI

So here we go again. Lee Sedol is losing to Google’s AlphaGo. Man vs. machine. Jeopardy, chess, and now Go. The Internet is flooded with stories regarding the advancement of artificial intelligence based on this match. I will admit that it must be very complicated to write a program that can compete against the top tier player of a game such as Go. Is it intelligence?

This can be answered with a simple question. Can AlphaGo or Watson or whatever, create a game such as Go, Jeopardy, or chess? Until we reach that point, this AI we’re talking about is simply clever computer programming. That is all. Fluff, bragging rights, name it what you will. Will it have benefits in the future? Unequivocally yes. Is it intelligence? No.

To see how fallen human heroes opine on their loss, check this out:

Gary Kasparov: http://www.forbes.com/asap/1999/0222/071.html

Ken Jennings: http://www.slate.com/articles/arts/culturebox/2011/02/my_puny_human_brain.single.html

(and TBD, Lee Sedol’s thoughts).

Xvfb, RHEL6, gdm, and x11vnc

Yep, the title says it all. Pure geekdom. As the Gnome Display Manager ages, options that were available are no longer, taking away some awfully useful technology.

Sometimes it is nice to have not only one X display start at boot, but two! My choice is to have the first display tied to hardware, and the second be software based. The latter can be accomplished with VNC, but it has been my preference to use the X Virtual Frame Buffer package (Xvfb), and let x11vnc do the translation to the VNC protocol.

With Redhat 6, options in the /etc/gdm/custom.conf file are now simply ignored without any notice. It is (or was) pretty frustrating to get a system to boot with a VNC session that ran the Gnome Display Manager (gdm). That, combined with the fact that Xvfb no longer ships as a standard part of the operating system (it is only available through a subscription channel), makes it difficult at best to continue the functionality that was present in release 5.

Assuming you can get an official Xvfb package from Redhat, here is how to make the magic happen. The /etc/gdm/custom.conf file is pretty much empty. Make sure you have these options in it:

# GDM configuration storage

[daemon]

[security]
AllowRemoteRoot=true
DisallowTCP=false

[xdmcp]
Enable=true
MaxSessions=30

[greeter]

[chooser]

[debug]

Then create the file, /etc/init/xvfb.conf:

# Do not edit this file directly. If you want to change the behaviour,
# please create a file xvfb.override and put your changes there.

start on stopped rc RUNLEVEL=5

stop on starting rc RUNLEVEL=[!5]

console output
respawn
respawn limit 10 120
exec /usr/bin/Xvfb :1 -ac -screen 0 1440x900x24 -pixdepths 24 -query localhost

Ensure your changes take hold:

# initctl reload-configuration
# initctl list

To hook it to VNC, add your service in /etc/services:

vncserver       5901/tcp

Add your /etc/xinetd.d/vncserver file:

service vncserver
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /path/to/x11vnc/binary
        server_args     = -inetd -rfbport 5901 -forever -shared -q -skip_lockkeys -o /dev/null -display :1 -buttonmap 12345-123:Prior::Next: -buttonmap 12345-123:Up+Up+Up::Down+Down+Down:
        log_on_failure  += USERID
}

And restart xinetd. Voila! You now have GDM running, available via VNC. Cheers.

Time Capsule As a File Server

With so many Apple devices now interacting with my family, I made the decision to install a Time Capsule as the principal wifi presence. I have always believed in heterogeneous networks. Yet, other vendors of wifi routers have resulted in performance variability for the Apple products. So, now the onus is on Apple. Guess what? Apple clients work much better with the Time Capsule. Really I should not be surprised, but it does make me wonder what goes on behind the scenes that makes the difference. Hmmmm.

The Time Capsule (TC) has a USB 3 port on it, so we now have a 2TB external drive connected to it. This disk, apart from the internal drive on Time Capsule, is used for central storage. How can one access it via Linux? The TC shares this disk via CIFS, so Windows and Linux computers can utilize the export as well. To get a list of what is available on the TC:

# smbclient -U "USER NAME" -L IP ADDRESS|hostname
Enter USER NAME's password: 
Domain=[WORKGROUP] OS=[Apple Base Station] Server=[CIFS 4.32]

	Sharename       Type      Comment
	---------       ----      -------
	USER NAME       Disk      
	IPC$            IPC       
	Data            Disk      
	USB Drive       Disk      
Domain=[WORKGROUP] OS=[Apple Base Station] Server=[CIFS 4.32]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

And to mount it, the option that provides the secret sauce is the option “sec=ntlm”:

# mount -t cifs -o user="USER NAME",sec=ntlm --verbose //[IP ADDRESS|hostname]/"USB Drive" /path/to/mount

Now that the mount command can be issued manually, it can then be integrated with the Linux automounter. Now that Linux has access to the drive, the doors are open.

Cryptsetup

By now, most companies are employing disk encryption. Linux has for a long time supported disk encryption, and using it is imperative for mobile devices in case of loss or theft. Upon occasion, replacing the decryption key is a necessity, and thankfully, LUKS (Linux Unified Key Setup) allows this.

To create a test filesystem with encryption:

# cd /tmp
# dd if=/dev/zero of=test.sparse bs=1 count=0 seek=100M
0+0 records in
0+0 records out
0 bytes (0 B) copied, 2.5627e-05 s, 0.0 kB/s

# ls -als test.sparse
0 -rw-r--r-- 1 root root 104857600 Dec 31 04:14 test.sparse

# losetup /dev/loop0 /tmp/test.sparse
# losetup -a
/dev/loop0: [fe00]:122882 (/tmp/test.sparse)

# cryptsetup luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: FOO
Verify passphrase: FOO

# cryptsetup luksOpen /dev/loop0 TEST-ENCRYPTED
Enter passphrase for /dev/loop0:

# mke2fs -j /dev/mapper/TEST-ENCRYPTED 
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25168 inodes, 100352 blocks
5017 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
13 block groups
8192 blocks per group, 8192 fragments per group
1936 inodes per group
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729

Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

# mount /dev/mapper/TEST-ENCRYPTED /tmp/mount
# df -k /tmp/mount
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/TEST-ENCRYPTED
                         97167      5663     86487   7% /tmp/mount

At this point we have an encrypted filesystem, 100 MB in size, backed by a loop device and mountable through it. Now, to examine the details of test.sparse (remembering it could be any storage partition, logical volume, raid set, etc):

# cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	88 e2 08 fb 6c 1f b3 cf 31 36 d6 b8 33 e5 26 e0 9e 00 87 3b 
MK salt:       	e9 9c 9b 35 f8 9f 72 f4 db 4d d7 aa 6d 6e 7e a3 
               	85 38 41 65 b5 35 0a 88 08 c9 66 ee ad ba 77 30 
MK iterations: 	66500
UUID:          	0b7452c4-1c2f-43d4-8768-fcf168d990a4

Key Slot 0: ENABLED
	Iterations:         	266167
	Salt:               	66 dc d0 4c dd 22 a4 48 b7 9b 2e bd b2 6d af 9d 
	                      	c5 5c 43 f8 25 f3 d4 86 36 8d 78 28 75 7a 52 a5 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

There are a lot of goodies here. One thing to note are the key slots – eight total. Isn’t that nice? Eight decryption keys can support one device. This means you can place an additional key in case one is lost, a back door. The next step is to add a key to a slot, and for this example, it is slot 7:

# cryptsetup --key-slot=7 luksAddKey /dev/loop0
Enter any passphrase: FOO
Enter new passphrase for key slot: BAR 
Verify passphrase: BAR

# cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	88 e2 08 fb 6c 1f b3 cf 31 36 d6 b8 33 e5 26 e0 9e 00 87 3b 
MK salt:       	e9 9c 9b 35 f8 9f 72 f4 db 4d d7 aa 6d 6e 7e a3 
               	85 38 41 65 b5 35 0a 88 08 c9 66 ee ad ba 77 30 
MK iterations: 	66500
UUID:          	0b7452c4-1c2f-43d4-8768-fcf168d990a4

Key Slot 0: ENABLED
	Iterations:         	266167
	Salt:               	66 dc d0 4c dd 22 a4 48 b7 9b 2e bd b2 6d af 9d 
	                      	c5 5c 43 f8 25 f3 d4 86 36 8d 78 28 75 7a 52 a5 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
	Iterations:         	255589
	Salt:               	5e 49 e4 72 6f 27 7a 76 64 b9 df ae 4e 92 bc 1e 
	                      	d9 0e 55 87 61 ba e6 13 af d8 a5 4d 5f 6e 02 14 
	Key material offset:	1800
	AF stripes:            	4000

Now we have two keys for decryption, one in slot zero, the other in slot seven. To confirm the filesystem can be mounted with both passwords:

# umount /tmp/mount
# cryptsetup luksClose /dev/mapper/TEST-ENCRYPTED 
# cryptsetup luksOpen /dev/loop0 TEST-ENCRYPTED
Enter passphrase for /dev/loop0: FOO
# mount /dev/mapper/TEST-ENCRYPTED /tmp/mount
# df -k /tmp/mount
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/TEST-ENCRYPTED
                         97167      5663     86487   7% /tmp/mount

# umount /tmp/mount
# cryptsetup luksClose /dev/mapper/TEST-ENCRYPTED 
# cryptsetup luksOpen /dev/loop0 TEST-ENCRYPTED
Enter passphrase for /dev/loop0: BAR
# mount /dev/mapper/TEST-ENCRYPTED /tmp/mount
# df -k /tmp/mount
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/TEST-ENCRYPTED
                         97167      5663     86487   7% /tmp/mount

Everything works as expected. We now have two keys that can mount the encrypted loopback filesystem. The next step is to remove slot 0, and verify that its key no longer works.

# umount /tmp/mount
# cryptsetup luksClose /dev/mapper/TEST-ENCRYPTED 
# cryptsetup luksKillSlot /dev/loop0 0
Enter any remaining LUKS passphrase: BAR

# cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	88 e2 08 fb 6c 1f b3 cf 31 36 d6 b8 33 e5 26 e0 9e 00 87 3b 
MK salt:       	e9 9c 9b 35 f8 9f 72 f4 db 4d d7 aa 6d 6e 7e a3 
               	85 38 41 65 b5 35 0a 88 08 c9 66 ee ad ba 77 30 
MK iterations: 	66500
UUID:          	0b7452c4-1c2f-43d4-8768-fcf168d990a4

Key Slot 0: DISABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
	Iterations:         	255589
	Salt:               	5e 49 e4 72 6f 27 7a 76 64 b9 df ae 4e 92 bc 1e 
	                      	d9 0e 55 87 61 ba e6 13 af d8 a5 4d 5f 6e 02 14 
	Key material offset:	1800
	AF stripes:            	4000

Slot zero is now removed, and trying to use FOO confirms it:

# cryptsetup luksOpen /dev/loop0 TEST-ENCRYPTED
Enter passphrase for /dev/loop0: FOO
No key available with this passphrase.
Enter passphrase for /dev/loop0: FOO
No key available with this passphrase.
Enter passphrase for /dev/loop0: FOO
No key available with this passphrase.

To tidy things up, the last steps are to add new key to slot zero, and remove slot seven.

# cryptsetup --key-slot=0 luksAddKey /dev/loop0 
Enter any passphrase: BAR
Enter new passphrase for key slot: NEW 
Verify passphrase: NEW 
# cryptsetup luksKillSlot /dev/loop0 7
Enter any remaining LUKS passphrase: NEW

# cryptsetup luksOpen /dev/loop0 TEST-ENCRYPTED
Enter passphrase for /dev/loop0: 
# mount /dev/mapper/TEST-ENCRYPTED /tmp/mount
# df -k /tmp/mount
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/TEST-ENCRYPTED
                         97167      5663     86487   7% /tmp/mount

# cryptsetup luksDump /dev/loop0
LUKS header information for /dev/loop0

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	88 e2 08 fb 6c 1f b3 cf 31 36 d6 b8 33 e5 26 e0 9e 00 87 3b 
MK salt:       	e9 9c 9b 35 f8 9f 72 f4 db 4d d7 aa 6d 6e 7e a3 
               	85 38 41 65 b5 35 0a 88 08 c9 66 ee ad ba 77 30 
MK iterations: 	66500
UUID:          	0b7452c4-1c2f-43d4-8768-fcf168d990a4

Key Slot 0: ENABLED
	Iterations:         	251733
	Salt:               	4d a1 48 b7 26 15 a3 1c 53 e2 14 a4 75 7d f9 02 
	                      	8b 0f 2c 3d e3 1f 34 05 fa 21 92 15 ea d0 1b a8 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

This completes the key change. Looking at the above dump, one interesting item is the cipher. The default cipher can be changed at compile time for cryptsetup. From the man page (1.2.0 was used in this example), a few key points:

NOTES ON SUPPORTED CIPHERS, MODES, HASHES AND KEY SIZES

The available combinations of ciphers, modes, hashes and key sizes
depend on kernel support. See /proc/crypto for a list of available
options. You might need to load additional kernel crypto modules in
order to get more options.

For --hash option all algorithms supported by gcrypt library are available.

NOTES ON PASSWORDS

Mathematics can’t be bribed. Make sure you keep your passwords safe.
There are a few nice tricks for constructing a fallback, when suddenly
out of (or after being) blue, your brain refuses to cooperate. These
fallbacks are possible with LUKS, as it’s only possible with LUKS to
have multiple passwords.
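The luksDump output above is worth reading by machine as well, both for the key slots and for the cipher and hash it reports. The following is an added example, not code from the original post or from the cryptsetup project: a parser for the LUKS1 luksDump format, plus a small audit that lists the enabled slots, warns when only one passphrase exists (no fallback), and notes where the header differs from what current cryptsetup releases produce by default. The sample text is copied from the dump shown above with slots 0 and 7 enabled; the statements about current defaults (LUKS2 with Argon2, sha256, aes-xts-plain64 with a 512-bit key) are facts about cryptsetup, not something on this page.

```python
import re

# Constructed sample: the luksDump output shown above, with key slots 0 and 7
# enabled (the state right after luksAddKey). Values are the ones printed there.
SAMPLE_DUMP = """\
LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      88 e2 08 fb 6c 1f b3 cf 31 36 d6 b8 33 e5 26 e0 9e 00 87 3b
MK salt:        e9 9c 9b 35 f8 9f 72 f4 db 4d d7 aa 6d 6e 7e a3
                85 38 41 65 b5 35 0a 88 08 c9 66 ee ad ba 77 30
MK iterations:  66500
UUID:           0b7452c4-1c2f-43d4-8768-fcf168d990a4

Key Slot 0: ENABLED
        Iterations:             266167
        Salt:                   66 dc d0 4c dd 22 a4 48 b7 9b 2e bd b2 6d af 9d
                                c5 5c 43 f8 25 f3 d4 86 36 8d 78 28 75 7a 52 a5
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
        Iterations:             255589
        Salt:                   5e 49 e4 72 6f 27 7a 76 64 b9 df ae 4e 92 bc 1e
                                d9 0e 55 87 61 ba e6 13 af d8 a5 4d 5f 6e 02 14
        Key material offset:    1800
        AF stripes:             4000
"""

SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)$")
# "Name: value"; wrapped hex continuation lines start with a digit and do
# not match, the title line has no colon after its words and does not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_luks_dump(text):
    """Split a LUKS1 luksDump into a header dict and a per-slot dict."""
    header, slots, current = {}, {}, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1))
            slots[current] = {"enabled": m.group(2) == "ENABLED"}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        (header if current is None else slots[current])[key] = value
    return {"header": header, "slots": slots}


def enabled_slots(dump):
    return sorted(n for n, s in dump["slots"].items() if s["enabled"])


def audit(dump):
    """Facts a practitioner checks before relying on this header."""
    h, slots = dump["header"], dump["slots"]
    enabled = enabled_slots(dump)
    notes = [f"enabled key slots: {enabled}"]
    if len(enabled) < 2:
        notes.append("single passphrase: losing it loses the data (no fallback slot)")
    if h.get("Version") == "1":
        notes.append("LUKS1 header: PBKDF2 only; newer cryptsetup defaults to LUKS2 with Argon2")
    if h.get("Hash spec") == "sha1":
        notes.append("hash spec sha1 (HMAC inside PBKDF2, so collisions do not apply); current default is sha256")
    if h.get("Cipher mode", "").startswith("cbc-"):
        notes.append("aes-cbc-essiv: current cryptsetup defaults to aes-xts-plain64 with a 512-bit key")
    if enabled:
        notes.append(f"lowest slot iteration count: {min(int(slots[n]['Iterations']) for n in enabled)}")
    return notes


if __name__ == "__main__":
    print("\n".join(audit(parse_luks_dump(SAMPLE_DUMP))))
```

Feed it `cryptsetup luksDump /dev/loop0` output instead of the sample and the first line of the audit tells you, after the luksKillSlot step above, whether you are down to one passphrase again.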

Thank you to the folks who wrote cryptsetup. It is available here:

http://code.google.com/p/cryptsetup/

Spectrum

(Image: U.S. frequency allocation chart)

Here are the frequency allocations in all of their glory, available from here. It’s interesting that the U.S. government auctions off spectrum for mobile carriers, who then pass this cost back on to the very people who “own” it. But wait, there are some frequencies that you can use gratis, even commercially. It just so happens, though, they don’t go through walls well. Can you find this needle in the haystack?

Large, yet Small and Inexpensive

With the end of the year upon us, it is time to see what goodies there are to give to friends and family. In looking at technology, it appears SanDisk has a 128GB micro-SD card for $110. SanDisk is able to accomplish this feat using a 19nm manufacturing process.

It really is amazing to see so much produced on so little silicon. As EDA zeros in on the possibility of sub-nanometer circuitry, the industry has also started producing chips with FinFET, moving away from planar chips. Every year, the question is, how can it get better? Well, it’s my guess that we will not see the mass results of these advances for a year or two. When they are here, though, today will seem like the good old days of being off the grid. Small, perhaps unnoticed IP enabled devices will be pervasive in all aspects of our lives.

This opens many doors, some of them we wish we could keep closed. Just ask Sony. There will be an overwhelming flood of technology, and it will be the tiny little consumer that is washed out to sea, naked, alone, and scared. Not to stray too far from the benefits, but we should warn our friends and families about the consequences of ignoring the obvious.