Posted by & filed under Internet.

I wrote about Tor in the past but I never tried using it. I installed it on my Ubuntu laptop and tested using it via Firefox and Torbutton. Now that it’s set up, when I want to surf the web anonymously, I just need to launch Firefox and toggle Torbutton to be on. Even though the Tor daemon is running in the background, I won’t use it on a day to day basis.

I also downloaded the Tor Browser Bundle for multiple platforms per this post and placed them on a Lightweight Portable Linux (LPS) USB stick so I can use them on other people’s computers should the need arise. Of course, if I wanted to be even more discreet, I would boot up LPS directly.

Posted by & filed under Internet.

I recently sold shoes through eBay to relieve my room of clutter. Since I wasn’t getting much out of them, I wanted to ship them out as cheap and as fast as possible. Some things I learned:

  • you can print out shipping labels through PayPal by paying for the postage online; PayPal will also pay for a tracking number
  • you can print shipping labels for multiple orders in one step
  • you can have the post office pick up the boxes at your house or you can drop them off at the post office. If you choose to drop them off at the post office, make sure the “drop-off” zip code matches that of the post office.
  • the priority mail shoe boxes offered by USPS will only fit thin shoe boxes (think women’s shoes).
  • since the shoes were in boxes themselves and finding or buying boxes for the shoe boxes can be time-consuming or costly, I went to Home Depot to buy a roll of brown paper (used for painting projects) for $10 and wrapped all my shoe boxes up with them.

Posted by & filed under Linux.

This post on Lifehacker introduced me to NetbootCD, a live CD that allows me to install the latest version of popular Linux distros (e.g., Ubuntu, Debian, CentOS, etc.) using a single live CD or USB drive. The latest version of the chosen OS is installed over the network. This will save me lots of time and space from repeatedly downloading the latest OS version.

Posted by & filed under Linux.

While on the topic of security (been blogging about encryption and such pretty often in the last month), I remember reading about a basic, secure Linux distribution for web browsing created by the US Department of Defense. I downloaded Lightweight Portable Security just in case I need to use a secure OS on someone else’s hardware.

Posted by & filed under Linux, Security.

When doing serious work like surfing the internet, writing, or programming, I like to do so from a single user interface regardless of whether I’m at work or home. Currently, this takes the form of a Linux laptop (Ubuntu) due to portability (laptop), power (Linux/Ubuntu), and the availability of a keyboard and touchpad (fast input).

I’ve always wanted to encrypt my laptop for privacy reasons. However, I dread the thought of a fresh OS re-install on my laptop because I would have to restore all the programs I use and the customizations I’ve configured. Sure, there are benefits to doing a fresh install like getting rid of unused programs and restoring only customizations that I truly use (I will definitely feel it if something I use is missing) to yield a less cluttered system. However, after doing this a few times in the past, I really don’t want to have to do it again since I don’t have any major issues with my current OS.

What I would like to do is back up my entire OS and files, re-install Ubuntu with full disk encryption, and restore the entire OS. That is, I would like the exact OS but with full disk encryption added. After some research, I found this post that describes how to perform a system backup and restore. I wondered whether the same procedure would work while following these instructions for full disk encryption during the OS installation phase. I asked on SuperUser and it appears to be fairly safe. Sources of possible complications might stem from /etc/fstab, /boot/, grub, and, as I’ll later find out, /etc/crypttab (fstab’s equivalent for encrypted disks). I’ll now outline my attempt.

Backup

I backed up my entire system onto two external hard drives that were encrypted, just in case something went wrong with one of the backup files.

cp /etc/fstab /media/MYUSBDRIVE/fstab.old
cp /etc/crypttab /media/MYUSBDRIVE/crypttab.old
sudo su
cd /
tar cvpzf /media/MYUSBDRIVE/boot.tgz /boot/
tar cvpzf /media/MYUSBDRIVE/dev.tgz /dev/
tar cvpzf /media/MYUSBDRIVE/backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys --exclude=/media --exclude=/dev --exclude=/boot / ## I added media, dev, and boot

Kromey on SuperUser recommended that I also exclude /boot because I’m adding encryption. Hence, I should use the new /boot directory. Also, he mentioned I should also exclude /dev, which makes sense to me. However, the original post mentioned that there is debate about whether to include /dev or not. I opted to back up both /boot and /dev in separate files just in case I’ll need them later.

I backed up my system to two USB drives and set up encryption on a third disk simultaneously on a 2.2 GHz dual-core laptop. The backup of 350 GB of data took about 12 hours. This length of time might have stemmed from doing multiple backups at the same time and/or from compressing the data. If not constrained by space, I would recommend not compressing the tar file (removing the -z argument) to speed up the process.

To fail-safe my attempt and have a point where I could return to my old system if things did not work, I went ahead and made an image backup of the entire disk using dd. However, this HAS to be done while the disk is unmounted. I booted the Ubuntu 11.04 Installation Disk using a USB drive to “preview” Ubuntu. Once there, I did:

## unencrypt my usb drive
dd if=/dev/sda of=/media/MYUSBDRIVE/disk1.img

This took about 6 hours.

People discussing in the comments here recommended Clonezilla for the image backup to make sure things are fail-safe. I wanted to finish with this project fast so I didn’t use it. If I were to re-do this again somehow, I would probably ditch dd for Clonezilla.

I also backed up my list of packages and repositories just in case I can only restore /home (my files) and /etc (my configurations). This way, I will only use programs I compiled from source.

dpkg --get-selections | awk '!/deinstall|purge|hold/ {print $1}' > /media/MYUSBDRIVE/packages.list
find /etc/apt/sources.list* -type f -name '*.list' -exec bash -c 'echo -e "\n## $1 ";grep -v -e \^# -e \^$ ${1}' _ {} \; > /media/MYUSBDRIVE/sources.list.sav

Encryption

Followed these instructions for encryption while installing Ubuntu 11.04 Alternate. I did so from a USB boot disk created from unetbootin. Like before, I did not create a different volume for /home so it can be stored in /.

Boot up OS

When booting up, I get a blank screen with a blinking cursor. I think this is a known bug for Ubuntu 11.04 (possibly for 10.10 as well). It appears to be an issue with grub. I plugged in my USB drive to boot into Ubuntu preview and surprisingly, I get either a grub menu or a blank screen. I knew there were issues with encrypted LVM and Ubuntu 11.04 before. I tried Ctrl-Alt-F1 Ctrl-Alt-F7 and indeed, I saw the passphrase screen. I entered it and went back to TTY1 (Ctrl-Alt-F1) and logged into terminal console.

Restore

Now, I figured these issues out after having several things break. I’ll describe the solutions first and then describe how I debugged the issues.

First, back up the new /boot, /etc/fstab, and /etc/crypttab:

## unlock encrypted external usb drive and mount it using the command line
cp /etc/fstab /media/MYUSBDRIVE/fstab.new
cp /etc/crypttab /media/MYUSBDRIVE/crypttab.new
sudo tar cvpzf /media/MYUSBDRIVE/boot.new.tgz /boot/

Next, restore my backup:

tar xvpfz backup.tgz -C /

This was a lot faster than the backup process. I believe it took about 4 hours.

Now, for some reason, I was not able to sudo in the current terminal. I pressed Ctrl-Alt-F2 to get to TTY2 and logged in. I did:

sudo cp /media/MYUSBDRIVE/crypttab.new /etc/crypttab ## my old file should be empty, new file should have content

For /etc/fstab, look at the /media/MYUSBDRIVE/fstab.new and copy the content into /etc/fstab, commenting out any content that is no longer relevant. For me, it looks something like:

# proc /proc proc nodev,noexec,nosuid 0 0
# /dev/sda1 / ext4 errors=remount-ro 0 1
# # swap was on /dev/sda5 during installation
# UUID=5e2279de-83a3-4d12-a5e7-cfbebff2f6c4 none swap sw 0 0
# /dev/scd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/vg01-vg01--vol02sys / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdb1 during installation
UUID=a069371d-bfb2-4033-809d-d6fe6ee3c13d /boot ext4 defaults 0 2
/dev/mapper/vg01-vg01--vol01swap none swap sw 0 0
/dev/scd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
## remaining is my custom fstab from my old file

Now, if I restart with the USB boot disk plugged in, I should get a passphrase screen and be able to log in and use Ubuntu like normal. YAY!

Issues

Let me now describe some of my adventures with grub and initramfs. For grub, I tried to set NOMODESET in /etc/default/grub per this post:

sudo emacs -q -nw /etc/default/grub
## modify:
## GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nomodeset"
sudo update-grub

This didn’t work and gave me a resolution that did not match the screen (image too big for screen; mouse down and up to see different parts of screen). I had to remove that option and update grub.

I haven’t figured out how to fix grub. Some resources that I hope will lead me to the right solution: this and this.

Originally, I did not have to modify /etc/crypttab (copy the new one back) for the OS to boot. However, I wanted to make sure that everything is good in /boot (all the new init stuff, eg, encryption, and all the old init stuff, ie, what I restored) by running

sudo update-initramfs -u

(I did this because I know in the future, initramfs might be updated so I wanted to make sure I’m error free right now.)

After doing so, when booting with the USB stick plugged in, I was not asked for passphrase. The BusyBox shell appeared. Something was broken. To have a successful boot again, I had to restore /boot according to boot.new.tgz. I remember when I ran update-initramfs, I saw these messages:

update-initramfs: Generating /boot//initrd.img-2.6.38-11-generic
cryptsetup: WARNING: failed to detect canonical device of /dev/sda5
cryptsetup: WARNING: invalid line in /etc/crypttab -

I found this post that helped me investigate the initrd.img files. Using his initrd-extract.sh and initrd-create.sh scripts, I did:

cd /tmp
initrd-extract.sh /boot/initrd.img-2.6.38-11-generic /tmp/initrd.working
sudo update-initramfs -u -b /tmp ## this creates a new initrd, combining both old config and new config
## update-initramfs: Generating /tmp//initrd.img-2.6.38-11-generic
initrd-extract.sh /tmp/initrd.img-2.6.38-11-generic /tmp/initrd.update
## recursive diff: http://linux.devquickref.com/linux-recursive-diff.html
diff -u -r -B -N -s initrd.update initrd.working

After browsing the diff output, I noticed many files were identical, and many files were different. However, looking at those that were different, they don’t seem to be that important. I did notice /etc/crypttab, one being empty, and the other having something like

sdb5_crypt UUID=731a44c4-4655-4f2b-ae1a-2e3e6a14f2ef none luks

I copied the new crypttab file to /etc/crypttab.

Actually, I originally didn’t even back up my crypttab file. Thanks to the recursive diff, I was able to figure out what I needed to enter into the file (I used server’s /etc/crypttab as a reference and this to find out what needs to be inputted). After restoring the file’s content, I was able to see a screen asking for a passphrase again.
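
A pre-flight check for the failure described above (a restored, empty /etc/crypttab baked into a new initrd), to run before update-initramfs -u. This is an added example, not code from the original post; the function name check_crypttab, the finding labels and the sample entry sda5_crypt are made up for illustration, and the UUID list is assumed to come from blkid.

```shell
#!/bin/sh
# Pre-flight check for /etc/crypttab before running update-initramfs -u.
# Usage: check_crypttab CRYPTTAB UUID_LIST
#   UUID_LIST holds one LUKS UUID per line, e.g. the output of
#   blkid -t TYPE=crypto_LUKS -s UUID -o value   (run as root)
# Prints one line per finding; returns 0 only if every entry looks usable.
check_crypttab() {
    crypttab=$1; uuids=$2; problems=0; entries=0
    if [ ! -s "$crypttab" ]; then
        echo "EMPTY: $crypttab is missing or empty, the initrd will unlock nothing"
        return 1
    fi
    while read -r name source key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        entries=$((entries + 1))
        if [ -z "$source" ] || [ -z "$key" ]; then
            echo "INVALID: '$name' lacks a source device or key file field"
            problems=$((problems + 1)); continue
        fi
        case $source in
            UUID=*)   # the UUID must belong to a LUKS container present now
                if ! grep -qxF "${source#UUID=}" "$uuids"; then
                    echo "UNKNOWN-UUID: $name -> $source is not a LUKS device here"
                    problems=$((problems + 1))
                fi ;;
            /dev/sd*) # sda/sdb can swap when a USB stick is plugged in at boot
                echo "UNSTABLE: $name uses $source, prefer UUID=..."
                problems=$((problems + 1)) ;;
        esac
        case ",$opts," in
            *,luks,*) ;;
            *) echo "NO-LUKS: $name has no 'luks' option"
               problems=$((problems + 1)) ;;
        esac
    done < "$crypttab"
    if [ "$entries" -eq 0 ]; then
        echo "EMPTY: $crypttab contains only comments"; return 1
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo input: the crypttab line quoted in the post, the empty file
# the restore left behind, and a made-up entry that uses a /dev/sdX name.
demo() {
    d=$(mktemp -d)
    echo "731a44c4-4655-4f2b-ae1a-2e3e6a14f2ef" > "$d/uuids"
    echo "sdb5_crypt UUID=731a44c4-4655-4f2b-ae1a-2e3e6a14f2ef none luks" > "$d/good"
    : > "$d/empty"
    echo "sda5_crypt /dev/sda5 none luks" > "$d/stale"
    for f in good empty stale; do
        if check_crypttab "$d/$f" "$d/uuids"; then
            echo "$f: OK"
        else
            echo "$f: fix before update-initramfs -u"
        fi
    done
    rm -rf "$d"
}
demo
```

On a live system, write the blkid output to a temporary file and pass it as the second argument together with /etc/crypttab.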

UPDATE: Fix Grub

The odd thing about my grub issue is that the system boots up when the original usb drive I used to install is plugged in and is booted. That is, it will go to grub but not the unetbootin menu that allows me to install ubuntu for preview, etc. I tried plugging in another USB boot disk and it did indeed give me the installation menu. It finally came to my mind that during my installation process, Ubuntu asked me to install Grub into the Master Boot Record (MBR) of the disk and I just accepted blindly. During that time, sda refers to the usb drive and sdb refers to my main disk. It might be the case that grub was not installed into the MBR of my disk.

The original backup post did mention restoring Grub. I attempted these instructions but it did not work for me. It said something like /boot/grub/stage1 was not found. After perusing and trying different methods for reinstalling Grub or getting it installed on the MBR, the Boot-Repair finally worked for me. Boot into my Ubuntu system (with usb drive plugged in to successfully boot). Then remove USB drive. I then did:

sudo add-apt-repository ppa:yannubuntu/boot-repair
sudo apt-get update && sudo apt-get install -y boot-repair

Launch boot-repair. After the scan I chose “Advanced”. I re-installed Grub according to this:

  • Re-install Grub
  • Unhide Boot Menu for 10 seconds
  • Create BootInfo file
  • Separate /boot partition: sda1
  • Force GRUB into sda

Then “Apply”. Afterwards, my system did boot successfully without the USB drive plugged in. If it didn’t, maybe try another run of Boot-Repair but now, “Restore MBR” (I did this prior to re-installing GRUB).

TO DO

  1. Test suspend: DONE. This works.
  2. Test hibernate:

Posted by & filed under Statistics, Teaching.

I enjoyed this post. What did I learn?

  1. Don’t immediately jump to making slides when you have to give a presentation.
  2. If you have to use slides to help facilitate your presentation, start out by writing prose. That is, tell your story. Then make your slides. For a 20 minute presentation, try to stick to 3 slides. This way, only the most needed content (main ideas and graphics) will be on the slides, and everything else should be spoken. I like this because it forces me to know the content of my presentation cold without having to rely on the slides to know what I need to say next.

My current way of doing things? I start off by writing slides immediately. I start with an outline and fill in the gaps. This leads to many slides. However, I do target my presentation to no more than 1 slide per minute. I have to admit that I always rely on my slides to remind me of the content I am to present. Many times, I even read the slides verbatim. If the slides were not available, I would not be able to deliver my presentation.

I really need to improve on my presentation skills. I think the key to it all is to know the content of your presentation like the back of your hand. This, no doubt, will lead to a higher level of confidence when delivering the talk. Having a limited number of slides will definitely help with knowing the content cold.

Posted by & filed under Linux, Security.

I recently performed a full disk encryption on my server using dm-crypt + LUKS. I did not address remote unlocking of the disk then because I did not know how. Remote unlocking is highly desirable because I might not be physically near the server when a restart is necessary.

To remotely unlock the disk, one needs an ssh server running during startup (boot). Then, ssh into the server and unlock the disk with the passphrase. I originally was going to follow this post to perform remote unlocking via early-ssh. However, I couldn’t figure out how to do so. It appears early-ssh is no longer needed as the solution can be easily implemented with Dropbear SSH Server and Busybox in Ubuntu; see the documentation at /usr/share/doc/cryptsetup/README.remote.gz.

It took me quite some time to figure out how to set things up. I first had issues with logging into the Dropbear server (normal user accounts won’t work); this post helped me figure out how to log in. Then I had a difficult time with how to unlock the disk once I’m in the server. The solution is elegantly described here and here.

Set up Dropbear SSH Server

sudo apt-get install dropbear busybox ## do not install early-ssh

There is an error in the dropbear hook script in initramfs-tools. To fix it, do

find /lib -name libnss_files.so.2
## me:
#/lib/x86_64-linux-gnu/libnss_files.so.2

At around line 30 in /usr/share/initramfs-tools/hooks/dropbear, replace

cp lib/libnss_* "${DESTDIR}/lib/"

with

cp lib/x86_64-linux-gnu/libnss_* "${DESTDIR}/lib/"

(if early-ssh is installed, it will give further errors related to this).

Now, run:

update-initramfs -u

Enable the root account in Ubuntu as only the root user can login to Dropbear SSH Server during boot (entire disk is encrypted):

sudo passwd root
## enter root password
## to disable root account:
## sudo passwd -dl root

Now, in your laptop (not server), copy over the private key in order to login to Dropbear SSH Server:

scp user@remote.server:/etc/initramfs-tools/root/.ssh/id_rsa ~/.ssh/remote_dropbear_id_rsa

NOTE: It appears you HAVE to use the generated private key in order to login. Login with password will not work. I also tried copying my laptop’s public key into the server’s /etc/initramfs-tools/root/.ssh/authorized_keys so that I can use my laptop’s key to login but that did not work. I might have to translate my laptop’s private key to dropbear’s format in order for it to work. Since I have to use another file regardless, I’ll just use Dropbear’s private key.

Disable root login for OpenSSH as it is unsafe to login as root (we only allow root to login when Dropbear SSH server is running during startup and restrict root all other times):

## change in /etc/ssh/sshd_config
PermitRootLogin no

If I restart the server now, Dropbear SSH Server will run after some time when the system is waiting for the passphrase to unlock the disk. To SSH into the Dropbear server, do:

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i "~/.ssh/remote_dropbear_id_rsa" root@my.server

Remote Unlocking

It appears the original method to unlock the disk does not work with Ubuntu 11.04:

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i "~/.ssh/remote_dropbear_id_rsa" root@my.server "echo -ne \"encryptionpassphrase\" > /lib/cryptsetup/passfifo"

The error is due to Plymouth. Uninstalling or tinkering with Plymouth could cause other errors (like allowing remote unlocking to work but one loses the ability to unlock at the server’s physical console). To get remote unlocking to work, follow the manual method described here:

## log into dropbear
ps
## locate the process id (first column) for the /scripts/local-top/cryptroot script
kill -9 PID ## PID from previous step
ps
## look for a wait-for-root script and note the timeout on the command line; mine: 30
## wait 30 seconds
/scripts/local-top/cryptroot
## enter passphrase
ps
## locate process ID for /bin/sh -i
kill -9 PID
exit

A more concise command is:

pid=`ps | grep "/scripts/local-top/cryptroot" | cut -d " " -f 3`; kill -9 $pid; sleep 35; /scripts/local-top/cryptroot; pid=`ps | grep "/bin/sh" | cut -d " " -f 3`; kill -9 $pid; exit

The disk should unlock and you can now ssh normally into the server (root not allowed!). YAY!

I’m sure one can automate this last portion using a script. Also, I would like to add a startup script that emails me when the server is waiting for a passphrase. This will be useful if the system restarts due to a power outage without me knowing.
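
One way to script the manual sequence above, as an added example that is not part of the original post. The function names pid_of and unlock_root and the sample ps listing are constructed for illustration; the PID is taken from the first whitespace-separated field so the lookup does not depend on how wide the PID column is, which the cut -d " " -f 3 one-liner does.

```shell
#!/bin/sh
# pid_of PATTERN: reads `ps` output on stdin and prints the PID of every
# process whose command line contains PATTERN. Lines whose first field is
# not a number (the header) are skipped. No grep is involved, so there is
# no grep process to match by accident.
pid_of() {
    while read -r pid rest; do
        case $pid in ''|*[!0-9]*) continue ;; esac
        case $rest in *"$1"*) echo "$pid" ;; esac
    done
    return 0
}

# unlock_root [DELAY]: the manual steps from the post, meant to be run
# inside the Dropbear (initramfs) session. It is only defined here, never
# called automatically. DELAY defaults to the 35 seconds used in the post.
unlock_root() {
    delay=${1:-35}
    pid=$(ps | pid_of "/scripts/local-top/cryptroot")
    if [ -z "$pid" ]; then
        echo "cryptroot is not running, nothing to restart" >&2
        return 1
    fi
    kill -9 $pid                                 # stop the stuck prompt
    sleep "$delay"                               # let wait-for-root time out
    /scripts/local-top/cryptroot || return 1     # asks for the passphrase
    pid=$(ps | pid_of "/bin/sh -i")
    [ -z "$pid" ] || kill -9 $pid                # release the boot, as in the post
}

# Constructed sample of initramfs `ps` output, used to show that the lookup
# works with header lines and with PIDs of different widths.
demo_pids() {
    sample='  PID USER       VSZ STAT COMMAND
    1 root      4520 S    /bin/sh /init
  234 root      4520 S    /bin/sh /scripts/local-top/cryptroot
 1310 root      4520 S    /bin/sh -i'
    echo "cryptroot: $(printf '%s\n' "$sample" | pid_of /scripts/local-top/cryptroot)"
    echo "shell:     $(printf '%s\n' "$sample" | pid_of '/bin/sh -i')"
}
demo_pids
```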

Posted by & filed under Emacs, Internet, Linux.

In the past, I’ve described the benefits of a slide show based on html. I used to prefer the html5 method over S5, but after some use, I’ve come to realize that the html5 method (at least the one described here) isn’t ready for prime time yet. The display of the slides can get screwy. For example, the current slide might not be centered correctly. Therefore, I’m going to recommend the S5 system for html slide shows for now.

For use with Emacs org-mode, use Sigma’s method. Why? It is easier to change themes compared to Eric Schulte’s method (the latter method currently does not support a change in themes I think). In addition, it is compatible with the very good looking S5 Reloaded themes.

To change themes in the original S5 archive and have it work with emacs org-mode, copy ui/default/slides.js to ui/i18n/slides.js. To get S5 Reloaded themes to work, add jquery.js and org-slides.js from Sigma’s archive (in ui) into S5 Reloaded’s ui directory. Also, change /default/ to the desired location (theme) in S5.org from Sigma’s archive.