Braggtown dot com

A Tangled Web: Archive

Posts Tagged ‘ubuntu’

 Samba on Hardy redux

Wednesday, April 16th, 2008

Hardy smbfs is borked.  Actually, I understand that smbmount has been abandoned.  CIFS, the samba replacement in Hardy, is busted.  All hail Ubuntuforums.org!  Beta OS != perfect, right?

 Samba in Ubuntu 8.04 Hardy

Tuesday, April 15th, 2008

It seems there was a change in the Samba package between Ubuntu 7.10 and 8.04.  I was getting an error while trying to connect to some Solaris shares.
$ smbclient -L //web -I 192.1.168.0 -U user%password
Server requested plaintext password but 'client use plaintext auth' is disabled

It seems that adding the following to your /etc/samba/smb.conf file solves the problem:

client plaintext auth = yes
client lanman auth = yes

It took a while to realize that just setting plaintext auth to true wasn’t enough. lanman auth overrides it. Should have read the man page more closely, I guess.
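Both settings weaken authentication for every server the client connects to, so it is worth being able to find them again later. The following is an added example, not code from the original post: a small audit of smb.conf text for the two parameters above. The sample configuration is constructed, and the function names are this example's own.

```python
import re

# The two client-side parameters from the post and why enabling them matters.
WEAK_IF_ENABLED = {
    "clientplaintextauth": "password can be sent to the server in cleartext",
    "clientlanmanauth": "weak LANMAN responses can be sent to the server",
}
TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

def normalize(name):  # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None

def audit(text):
    """Return [(line_no, section, parameter, reason)] for weak settings."""
    findings, section = [], None
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        key = normalize(name)
        if sep and key in WEAK_IF_ENABLED and value.strip().lower() in TRUE_VALUES:
            findings.append((no, section, name.strip(), WEAK_IF_ENABLED[key]))
    return findings

# Constructed sample input, not a real configuration.
SAMPLE = """\
[global]
   ; client plaintext auth = yes
   client plaintext auth = yes
   Client  LANMAN Auth = Yes
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding in the [global] section applies to every server the client talks to, not only the legacy Solaris shares.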

 Upgrading Ubuntu - Hardy on Encrypted LVM

Monday, March 31st, 2008

I’ve had a spare data cruncher (Dell Precision 479 Xeon 2.8) sitting under my desk for a while. Not being terribly interested in OpenBSD that it came to me with (sorry Eric), I blew it away and installed Ubuntu 8.04 Hardy Heron x86_64. It seems quite stable and is perhaps quicker than 7.10. That isn’t my point, though.

This weekend I installed the 32 bit version on a Dell Inspiron and it seemed to do the laptop good. Resume from sleep is definitely faster. Today I thought I’d take a real leap and upgrade in-place my 64 bit Thinkpad T60. I didn’t want to have to fool around with configuring LVM and associated encryption so I thought I’d just sudo update-manager -c -d to upgrade to the Hardy Heron Beta.  I’m happy to report that everything seems to work fine.  I was a little nervous on first reboot while waiting for a sign that dm-crypt was working.  After entering my dm-crypt password I noticed that there was an ext3 drive check in progress.  It was subtle compared to the same process in Gutsy since it didn’t drop out of the GUI to do it.

Everything seems to work fine.  Audio, DVD, VPN, all work fine.  Sleep and resume seem considerably faster though on first resume my wireless card wasn’t found.  Hope that gets fixed.  Also, I’m happy that wake-on-lan works on all of the machines I’ve tested so far, which wasn’t the case in Gutsy.  Several machines would wake in Windows, but not in Linux, which was a bummer.  I don’t consider myself lazy, but wake-on-lan is awesome.  I hope that it works with dd-wrt so I can wake my home desktop remotely.

So, be it here known that it is possible to in-place upgrade an LVM/dm-crypt encrypted machine from 7.10 Gutsy Gibbon to 8.04 Hardy Heron.

 Preparing for Encryption

Tuesday, November 13th, 2007

I’ve gotten around to migrating my backup partition to a Truecrypt encrypted partition. This partition, /dev/sda2, was an ext3 partition I’ve been using for backups. I have an external backup drive (also encrypted) that I keep off-site and so didn’t worry about destroying the backup data on the partition.

Knowing a little something about computer forensics, I wanted to ensure that data I had written prior to encrypting the partition would be unrecoverable. If I had wanted to erase the entire drive I would have used Darik’s Boot and Nuke or some other linux-based drive eraser conforming at least to the DoD specification for file wiping. It’s important to remember, though, that wiping only files likely leaves data remnants in the empty drive space, file slack space, and sectors marked as bad. So, clearly it’s important to erase the entire partition or drive, not only files.

I wanted to only erase a partition so I used a more configurable utility to overwrite the space within the partition. First I rm -rf’d the files and directories on the partition. Then I overwrote the available space in the partition with random data using dd and /dev/urandom.

$ sudo dd if=/dev/urandom of=/mnt/back/bigfile

I probably should have just overwritten the partition at the device level, but I didn’t think of it until later. Next I used wipe to remove the bigfile. Only then did it occur to me that I could call wipe against the block device itself.

$ sudo wipe -Q 1 -R /dev/urandom /dev/sda2

Hoping that the drive was sufficiently overwritten with random data I created a Truecrypt container on the partition. I chose to use the ext3 file system so chose the ‘no filesystem’ option in Truecrypt. After creating the container, I mounted the container.

$ sudo truecrypt /dev/sda2

Then, I created the filesystem.

$ sudo mkfs.ext3 -cjv /dev/mapper/truecrypt0
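Rather than hoping, the overwrite can be checked before the container is created. The following is an added example, not part of the original post: it reads a device or image in 4096-byte blocks and reports any block whose byte entropy is too low to be random data. The block size, the 7.5 bits/byte threshold and the in-memory test image are assumptions of this example.

```python
import io
import math
import os
from collections import Counter

BLOCK = 4096       # bytes examined per block (assumed)
THRESHOLD = 7.5    # bits/byte; assumed cut-off, random blocks score about 7.95

def entropy(block):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    total = len(block)
    return sum(c / total * math.log2(total / c) for c in Counter(block).values())

def low_entropy_blocks(stream, block=BLOCK, threshold=THRESHOLD):
    """Return [(offset, entropy)] for full blocks that do not look random."""
    suspects, offset = [], 0
    while True:
        data = stream.read(block)
        if len(data) < block:
            break  # end of stream; a short tail has too few bytes to judge
        e = entropy(data)
        if e < threshold:
            suspects.append((offset, round(e, 2)))
        offset += block
    return suspects

def constructed_image():
    """Constructed 64 KiB stand-in for a partition: random data with one
    block of leftover text and one zeroed block that the overwrite missed."""
    img = bytearray(os.urandom(16 * BLOCK))
    img[3 * BLOCK:4 * BLOCK] = (b"Dear diary, backup of 2007 taxes. " * 200)[:BLOCK]
    img[9 * BLOCK:10 * BLOCK] = bytes(BLOCK)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # On a real system the stream would be open("/dev/sda2", "rb"), read-only.
    for offset, e in low_entropy_blocks(constructed_image()):
        print(f"offset {offset:#x}: entropy {e} bits/byte")
```

An empty result means no block looks like plaintext or zeros; old data that was already compressed or encrypted also scores high, so this check complements the device-level overwrite and does not replace it.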

Now I have an encrypted backup partition on a separate internal hard drive completely independent of the LVM/dm-crypt encrypted system. I have a script that calls rsync against my /home, /etc, and /usr/local directories, which is everything I need to rebuild a system.

To those who would suggest that only people with something to hide should be concerned with privacy, I urge you to read ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy.

 Encryption in Ubuntu 7.10

Thursday, November 8th, 2007

I’ve been experimenting with drive encryption in Ubuntu 7.10 and am quite pleased. I used the AMD64 Alternate Install disk to encrypt everything but an ext3 boot partition. Ubuntu uses LVM to build logical partitions inside a dm-crypt partition. Installation was a snap, though it takes much longer than an unencrypted install mostly due to the drive wiping process. I assume it uses /dev/urandom to generate random data to overwrite drive space, but could be wrong. I’d probably use a trusted wiping utility if I didn’t need to preserve other partitions on the drive.

The installer offers several encryption algorithms, such as AES with, and several key sizes, up to 256 bit, but doesn’t offer cascading encryption algorithms, which I imagine would impact read/write speed. I don’t have any previous experience with LVM or dm-crypt, but have used cryptoloop under Suse 9.x with ReiserFS and lost a fair amount of data to it no thanks to personal support from Hans. I formatted all of the LVM volumes with ext3 and decided it prudent to have a backup plan independent of dm-crypt and LVM. I have a partition encrypted with Truecrypt on another internal drive to which I back up in addition to a Truecrypt-encrypted firewire drive I keep off-site and refresh periodically. I have confidence that if either LVM or dm-crypt fails and I lose access to the encrypted system, I can recover my data from the backup partition on the other internal hard drive or, if some greater calamity occurs, I will be able to access my off-site firewire backup.

Other than the dm-crypt password prompt when booting and the mildly confusing entries in /etc/fstab, I don’t notice any difference from the unencrypted installation I used previously. I’ve included a drive map below to show the partition layout. Installation into available space while maintaining both my Windows XP and Thinkpad recovery partition was straightforward. The Windows partition is unprotected, but I can’t remember the last time I used it and certainly wouldn’t trust it with anything important anyway.

One question I had and was unable to find an answer to was this: Does suspend to RAM work with encrypted drives? I suspected it wouldn’t since the swap space is encrypted, but was pleasantly surprised to find I was wrong. I can suspend and recover successfully. I realize now that the dm-crypt partition stays mounted through the suspend which means that while I can have quicker recovery times, the data isn’t protected. Hibernate requires a dm-crypt password on recovery. In my mind, though, the benefit of drive encryption is two-fold. First, you’re protecting the data, both the data you intentionally have and the remains of data left in empty drive space and file slack space after deletion, from boot-time attacks. Everyone knows that physical access to a machine is the kiss of death. Second, you’re protecting against third-party forensics. Both of these scenarios require the machine to be shut down. When the machine is shut down, the dm-crypt session is lost and your data is again protected. So, unless there is a flaw in the session authentication mechanisms (pam, xscreensaver, GDM, etc), and there might well be, it seems safe.

Anyway, I’m very satisfied with the installation process and the encrypted system.

[Image: drive map]
The drive map shows that the dm-crypt partition is unrecognized. Also, each LVM volume is recognized as a separate drive.

 Ubuntu Gutsy Torrents

Thursday, October 18th, 2007

For those of you looking for the torrent files for the alternate install of Ubuntu 7.10 Gutsy Gibbon, here are some. I see the Canonical servers are being hammered and thought it might be useful to mirror the torrent files. I couldn’t find them elsewhere. Of course, by the time this site gets crawled again, the hammering may have stopped.

ubuntu-7.10-alternate-amd64.iso.torrent
ubuntu-7.10-alternate-i386.iso.torrent
ubuntu-7.10-desktop-amd64.iso.torrent
ubuntu-7.10-desktop-i386.iso.torrent

I’m getting 1060KB/s.

 Ping Tunnel Connectivity

Tuesday, October 9th, 2007

I’m on my way to Access 2007 in Victoria, BC.  The library is very generous with travel funds, but doesn’t pay for internet access by the rank and file.  Now that many hotels charge around $20 USD per day for wireless, I’ve had to work around the obstacles.  I discovered Ping Tunnel not long ago and this is my first opportunity to test it.  It’s pretty easy to configure except for IPTables firewall rules to allow ICMP traffic without allowing other junk.  Anyway, by using SSH to create an encrypted tunnel to the server I can use any application over the ICMP tunnel at pretty respectable speed.  ssh -D 8080 localhost -p 7777 creates a SOCKS 5 proxy connection that I can use to route traffic through.  Very nice!

 The New Linux

Monday, October 8th, 2007

I installed the beta release of Ubuntu Gutsy Gibbon to test application compatibility with 64 bit Linux. Specifically, I wanted to verify that the Oracle Calendar desktop client, Crossover Office, Internet Explorer 6, and Microsoft Office 2003 work without errors. I haven’t ever opted for the 64 bit version before and was worried about not being able to run applications that I commonly use at work. I feared for nothing! Everything went very smoothly.

In fact, installation and configuration was a breeze. Nvidia driver and proprietary codec installation was incredibly easy even though I decided to use a 32 bit browser so that I can easily use plugins such as Sun Java, Adobe Acrobat, Real Player, and Flash. In a former job I installed hundreds of systems with Windows versions ranging from 95 to XP. Installing and configuring Linux AND all the software I use is orders of magnitude faster and easier. I hadn’t ever just copied over configuration directories before, but by copying the directories for Thunderbird, Firefox, ssh, gnupg, and Pidgin, I probably saved myself at least an hour. I had a nearly exact replica of my old system in about 2 hours. In fact, for applications like Oracle Calendar, I didn’t even install them in the new 64 bit system. I just copied the entire directory from the old system to the new and it ran.

I can’t say that I notice any speed improvement from migrating to the 64 bit environment, but I probably wouldn’t notice. I mean, fast is fast enough. I was able to play Call of Duty and Battlefield 2 under Cedega so I can’t complain. Ubuntu 7.10 Gutsy Gibbon will be officially released October 18th.

 Webserving Woes

Sunday, June 10th, 2007

I’ve been toying with the idea of populating my domain and hosting at home. Since I sold my Cobalt Qube I have one machine at home on which to host. It strikes me as a bad idea to host a development site on the system that is also the archive for all of my digital artifacts such as photos, college papers, and correspondence. Of course, I maintain a mostly up-to-date, off-site backup (who doesn’t?), but that doesn’t fully mitigate the inconvenience and possibly disastrous consequences (think keylogger) that might result from an exploited workstation. So, what to do? I could pay someone else for hosting. The pros are that it’s relatively inexpensive, there is some expectation of maintained up-time, and my data is not at risk.

I’ve experimented with virtual machines including Kernel-based Virtual Machine for Linux and VMware Server.  The expectation with a virtual machine is that an exploit in Apache2 would be confined to the virtual server and would not allow access to external file space.  However, virtualization introduces more overhead and, due to increased complexity, increases the likelihood of failure.  That said, no one is paying me to maintain a certain amount of up-time.  I’ve also been thinking of implementing mod_chroot and mod_security, both of which are included in the Ubuntu software repositories.  I have no experience with either, but they seem to be a nice compromise between virtualization and running straight Apache.

The problem I foresee with running Apache chroot is the difficulty running third-party software in conjunction with Apache.  I’ve been playing with django, dojo, and would like to explore some map applications like Minnesota Map Server.  I also want to work more with Python CGI.  That may make virtualization a simpler environment to configure than chroot.  I’m open to advice.

 My Favorite Number

Tuesday, May 1st, 2007

is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Well, at least it seems to be the favorite number of the Motion Picture Association of America. They’re issuing DMCA Takedown Notices to people who post this number, I’ve read. I’ve always wanted one of my own! For those readers not ‘in the know’, this number is the decryption key for HD-DVD Processing. DVD encryption is meant to prevent DVD copying, but also makes it a criminal act to watch DVDs in Linux, among other things. When I pay for a DVD I want to be able to watch it. That’s it. Also, copyright law clearly grants the right to make ‘archival backups’. See Spread this number for more information.