All posts by root

It Is Our Time

I’m American. I’m not afraid. I’m more likely to die by furniture than terrorism. I can’t say that the news of the extensive NSA snooping is shocking, and frankly not totally surprising. What I can say is that it’s time for a change. We must consider how America has changed, and if it is what we want it to be.

America can be great. In fact, America is great. What America needs now is to be better — to be a true leader. I am compelled to take to writing because I am positive that we can be better. I know we live in trying times, I know there are no easy decisions. I also know that now is the time to take the right path. It is time to take the high road, and lead the world into a new era. It is our time. We’ve spent more than a decade being afraid. We’ve written a blank check for the War on Terror, and it’s due time that we reassess whether all of those decisions are in our best long-term interest. I realize this is a sensitive subject — I know that there are many smart and hardworking people doing the best they can to protect us. Do not confuse me with being “soft on terror”; I’ve come to these realizations exactly because I am strong on America.

In 1933 Franklin D. Roosevelt famously said —

So, first of all, let me assert my firm belief that the only thing we have to fear is…fear itself — nameless, unreasoning, unjustified terror which paralyzes needed efforts to convert retreat into advance.

America has faced massive adversity in the past dozen years. However, it is becoming painfully apparent that our inability to accurately judge the cost of the War on Terror is slowly draining us of what it is to be American. You could take a look at how Associated Press reporters’ call records are being targeted. Or how every day that Guantanamo Bay is open and we have fathers, brothers, and family members locked away — is a day that we tarnish our reputation, alienate the world and endanger all Americans. Collateral damage of military conflicts is burning an image of violence and American aggression into the witnesses and survivors. We measure our costs in American dollars and American lives, and this view is limiting us. The 9/11 attacks cost roughly $500,000. If our response is an arms race where we outspend 1,000:1, our only destination is bankruptcy.

The world is not us vs them, it’s not good guys and bad guys. This view can be extremely toxic and risks de-humanizing other nations and people. We’re all human — we share the same needs and the same planet. The world is shades of grey and overzealous reactions risk alienating huge swaths of the world, not just for today but for decades.

I’ve grown up surrounded by this “new reality” and it’s admittedly difficult to come to understand that the intention of terrorism is to terrorize, to get within one’s mind and fears. Viewed with this understanding, our reactions have largely played directly into the hands of the September 11 attackers. We haven’t destroyed them, we’ve created tributes in the form of the Patriot Act and security checkpoints, secret court orders, disallowing photography, and barring liquids on planes. There is little more core to the American belief than “Checks and Balances”. It seems blindingly obvious that intentionally shielding programs like PRISM from the American public, and decisions made in secret validated through secret approvals and courts run diametrically opposed to this foundation in what America is.

This doesn’t affect me

You might be thinking “if you have nothing to hide, don’t worry”. I can’t blame you for thinking this, it certainly would be easier, but sadly it’s not true. I’d like to point out that Hoover and the FBI tapped Martin Luther King Jr, and told him to kill himself. The ability to systemically profile on a large scale is not good for anyone. I like this description of why “metadata” matters.

The glacial turn — Call to Action

I do not believe that these changes will happen overnight. Nor do I believe that we have a perfect solution. I know that we need a course-adjustment, that we need to return to what makes us great. I believe that programs like PRISM need to be made transparent to and evaluated by the American taxpayers who fund it. I believe that transparency has to be the default, and that as long as large scale secrecy exists, it will be exploited. Let’s change, starting today.

Today

  • Seriously reflect on what you think and why. Write about it.
  • Talk about it, this is a mainstream problem, it impacts everyone whether we like it or not.
  • Donate to the EFF (I have)
  • Sign this petition asking for pardon of Edward Snowden
  • Adopt encryption

Tomorrow

Put whatever your skills are to use. The privacy problems we face are not insurmountable and virtually everyone can do something about it.

  • Become an advocate, volunteer time to help
  • If you make web applications, think about architectures that are engrained with user privacy
  • Contribute to Open Source projects however you can (self plug: OpenPGP.js)
  • Don’t give up

The Everyman Watch of 1938

Quick Background

This is different than things I usually post about. There have been some exciting developments on my other projects and I hope to post on those soon.

While cleaning out some old family items, I recently came across a few pocket watches. I was immediately drawn in by this piece: a Westclox Pocket Ben watch. I was intrigued in no small part because it is a dollar watch, a category of watch targeted at the average person. A slight personal fascination with mechanical watches helped too.

Mechanical Era

We often talk about the democratizing potential of new technologies. I don’t have much personal context on this beyond the information age of smartphones and the Internet. However, were I a betting man I’d wager this effort to democratize technological advances is far from new. I think mechanical watches are both a historical example of this and the pinnacle of their era.

Tear Down

The watch was not working when I received it; the second hand was broken off, and it seems it had not worked for some time. It’s not a particularly valuable watch in any condition. I timeboxed several hours yesterday to attempt to take it apart and understand how it works. Here’s what I learned:

  • This watch was stamped “38” on the movement, signifying it was made in 1938.
  • There is no magic. The internals of the watch expose its secrets, gears and springs mostly.
  • Watches are assembled by hand, therefore they can be understood with eyes and manipulated with hands.
  • Be discerning: trust your hands, don’t be forceful but the pieces sometimes need caressing.
  • Westclox took a number of shortcuts to save money, particularly leaving the spring exposed, and sometimes replacing gears with pins that are distributed to fake acting as gears.
  • Despite being relatively low cost and a few shortcuts, the work is honest: glue was avoided, oil minimal, and tolerances respected.
  • The balancer is attached to the back of movement, which means the watch basically has to be assembled from the back forward. It would have been nice to learn this one earlier than being one step away from back together.

Community

There is a small online community interested in watches like these (surprise, online community). One particularly helpful source was two videos showing a very honest dissection and assembly of these watches; the videos highlight the creator’s thoughts and frustrations. He clearly has much more experience than I with watches and tools that are better equipped.
The disassembly video: https://www.youtube.com/watch?v=xAMU64fzuKU
The reassembly video: https://www.youtube.com/watch?v=fKnS61s1diE

I would be curious to know more about these watches from a historical perspective. I think it would also be particularly interesting to do an interview with people who worked on devices like this. Semi-specialized hand labor was a trademark of 20th century industry and is quickly fading. I imagine the story of watches like this will fade unless recorded soon.

References

I liked this page showing some of the various Westclox Pocket Ben watches. The watch I have pretty clearly is closest to the advertised 1933 watch, which matches the printed 1938 date.

Next up

I unfortunately didn’t finish reassembling the watch. I was one step away from having it back together when I realized that the balancer must be integrated much sooner. This resulted in me assembling in the opposite direction and unable to finish in the time I had allotted. I hope to someday have a chance to revisit this.

Prey in Standalone Mode (OS X)

Prey is a powerful recovery tool for lost/stolen computers and smartphones. Even better, their software is largely open source and available on GitHub.

It’s something I’ve used for some time. They are increasingly pushing you towards using their command center, and freemium service. I understand why they would want to — they are a company that tries to make money, and perhaps more importantly it is far easier for people to get set up and running with their unified service.

However, I like to run what they call “Standalone Mode”. This means that the server will try to ping a webpage I specify, and if it gets a 404 (because you pull that page down when your device goes missing), then a report will be generated. I like having this control and approach. When I tried to install via the dmg provided at their website, my only option was to use their command center, so here is what I did instead:

  1. Crack open the terminal (or use iTerm, like a boss). I’m assuming a basic knowledge of the terminal.
  2. First we need to get the client:
    git clone https://github.com/prey/prey-bash-client.git
  3. Edit the config file in the client root directory and set: "check_url", "post_method", "mail_to", "smtp_server", "smtp_username", "smtp_password".

    • If you’re using gmail don’t use @gmail.com in your username.
    • As noted in the comments, you need to Base64 encode your password:
      echo -n "password" | openssl enc -base64
  4. If you try to run ./prey.sh from the client at this stage it will complain about no active modules. Don’t bother running it yet.
  5. It was not immediately obvious to me, but we also need to separately get the latest modules. Modules allow us to do things like determine geographic location and take a picture with the webcam:
    git clone https://github.com/prey/prey-bash-client-modules.git
  6. If like me you’re thinking well this is simple let’s link these:

    ln -s ../bash-client-modules modules

    You would be wrong. Prey is expecting to use find, which will not traverse through symlinks. Copy the contents of the modules repository directly into the modules/ directory of the client project.

  7. Don’t run the default modules. It will lock the screen and sound an alarm. The password is preyrocks; yes, I found out the hard way.

    rm -rf modules/lock/
    rm -rf modules/alarm/
  8. Now let’s move the client to the conventional place and set up the cron task.

    sudo mv prey-bash-client /usr/share/prey
    (sudo crontab -l | grep -v prey; echo "*/20 * * * * /usr/share/prey/prey.sh > /var/log/prey.log") | sudo crontab -

    It might output:

    crontab: no crontab for root

    Don’t be alarmed — it’s doing this because the command first lists cron tasks to ensure that you don’t already have a prey task.
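
The state that steps 3 to 7 should leave behind can be checked before the cron task is relied on. The script below is an added example, not part of the original post or of the Prey project; the function name check_prey_install is hypothetical and it assumes the config file is named config in the client root.

```shell
#!/bin/sh
# Added example: sanity-check a standalone Prey bash-client directory.
# Assumption: the config file is named "config" in the client root.

check_prey_install() {
    dir=$1
    problems=0

    # Prey finds modules with find, which does not follow symlinks,
    # so modules/ must be a real, non-empty directory.
    if [ -L "$dir/modules" ]; then
        echo "FAIL: modules/ is a symlink; copy the module directories in"
        problems=$((problems + 1))
    elif [ ! -d "$dir/modules" ] || [ -z "$(ls -A "$dir/modules")" ]; then
        echo "FAIL: modules/ is missing or empty (no active modules)"
        problems=$((problems + 1))
    fi

    # Step 7 removes lock and alarm so that a run does not lock the
    # screen or sound the alarm.
    for m in lock alarm; do
        if [ -e "$dir/modules/$m" ]; then
            echo "FAIL: modules/$m is still present"
            problems=$((problems + 1))
        fi
    done

    # The SMTP password in config is only Base64-encoded (reversible),
    # so the file should not be readable by group or others.
    if [ ! -f "$dir/config" ]; then
        echo "FAIL: config not found"
        problems=$((problems + 1))
    elif [ -n "$(find "$dir/config" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL: config is readable by group or others (chmod 600 it)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: $dir looks ready for cron"
    [ "$problems" -eq 0 ]
}

# Usage: sh check_prey.sh /usr/share/prey
if [ "$#" -gt 0 ]; then check_prey_install "$1"; fi
```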

I think the code makes a number of reasonable assumptions about things like modules, but I didn’t understand them going into working on this which caused me to take a little more time than I had anticipated.

I think the project has an excellent goal — though it could be reasonably debated how effective it would be if you’re using full disk encryption, since the person who “finds” the laptop will have little option but to wipe the hard drive which would take prey out of the picture. However, if the machine hasn’t been restarted yet there would be hope…

I haven’t been able to publish too much lately about Mymail-Crypt for Gmail, but will try to post soon about both it and OpenPGP.js

HOW TO: Wipe a Hard Drive

I recently needed to wipe an old hard drive. I knew that one recommended way to do this was to use something like DBAN.

However, what I didn’t know was that intensive many-pass disk overwrites weren’t the only way to wipe data. Since 2001, there has actually been an ATA standard known as “Secure Erase”. This operation is within the firmware of the hard drive and will perform an exhaustive overwrite, without burdening the computer. It hits sectors of the disk that an overwrite might traditionally miss. Additionally, it proceeds very quickly.

NIST research has found this to be effective.

You will come across mentions of Secure Erase a lot in relation to SSDs. I believe this focus has come from the fact that disk overwriting is widely accepted, and people are looking for alternatives that apply to modern SSDs. However, that’s just a personal conjecture.

I’ve heard conflicting evidence whether Secure Erase works for USB drives. If you know/find out, please let me know.

Below is the process I followed. It was largely based on this guide.

Disclaimer

This article helps you clear all of the data off of a disk. I take no responsibility for anything you do with this information. Please, be very careful when you are attempting to wipe hard drives. Make sure all information is backed up. Additionally, I make NO GUARANTEE about the permanence/effectiveness of this method.

Process

  1. Get PartedMagic
  2. Use Unetbootin to make a bootable USB drive
  3. Boot into that usb drive.
  4. Determine which drive is the one you want to wipe. The tools on the desktop should show you pretty obviously which drive it is (/dev/sdX); most likely it will be /dev/sda.
  5. Pull up a terminal
  6. hdparm -I /dev/sdX

    1. This will show the information pertaining to this drive.
    2. If the drive shows that it is frozen (no “not” before “frozen”), you will need to unfreeze it. The most effective way to do this appears to be to put the computer to sleep. To do this:
      1. sudo sh -c 'echo -n mem > /sys/power/state'
      2. This will put the computer to sleep. Once it’s asleep, you should be able to wake the computer up (touch some keys, move the mouse…)
    3. Run the informational hdparm command again:
      hdparm -I /dev/sdX
    4. Ideally it will now show “not frozen”. If the drive still shows frozen, ensure that you don’t have any sort of BIOS password locking on the drive, and then the next best option is probably to move the drive into a different computer.
  7. Now set a password so we can continue (odd, I know):
    hdparm --user-master u --security-set-pass pass /dev/sdX
  8. We can again run the informational hdparm command:
    hdparm -I /dev/sdX
  9. Now we should see “enabled” in the security section. Bingo. We also see the estimated time to wipe the drive. In this case it said 384 minutes.
  10. Let’s wipe this drive. We can time the command if we’d like information about how long it actually takes:
    time hdparm --user-master u --security-erase pass /dev/sdX
  11. Relax. Go do something else for a while. We can see that my drive ended up taking 299 minutes.
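
The process above keeps re-reading the security section of hdparm -I by eye. The script below is an added example, not part of the original post, that parses that section and names the next step; the function names and the sample text are constructed here, with the sample modelled on hdparm's usual layout.

```shell
#!/bin/sh
# Added example: read the Security section of hdparm -I output and
# report where the drive is in the Secure Erase process.

# Prints "<state> <minutes>"; state is unsupported|frozen|enabled|ready.
ata_security_state() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # an unindented line ends the section
        insec {
            neg  = ($1 == "not")
            flag = neg ? $2 : $1
            if (flag == "supported") sup = !neg
            if (flag == "enabled")   en  = !neg
            if (flag == "frozen")    fr  = !neg
            if ($0 ~ /min for SECURITY ERASE UNIT/) { mins = $1; sub(/min.*/, "", mins) }
        }
        END {
            if (!sup)    state = "unsupported"
            else if (fr) state = "frozen"
            else if (en) state = "enabled"
            else         state = "ready"
            print state, (mins == "" ? "?" : mins)
        }'
}

# Maps a state to the matching step of the process above.
next_step() {
    case $1 in
        frozen)  echo "suspend and resume the machine, then re-check" ;;
        ready)   echo "set a user password with --security-set-pass" ;;
        enabled) echo "run --security-erase with that password" ;;
        *)       echo "stop: drive does not report ATA security support" ;;
    esac
}

# Constructed sample input. $1 and $2 are "not" or "" for enabled/frozen.
sample() {
    printf 'Security: \n\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\t%s\tenabled\n\tnot\tlocked\n\t%s\tfrozen\n' "$1" "$2"
    printf '\t384min for SECURITY ERASE UNIT. 384min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

# Real use (as root): hdparm -I /dev/sdX | ata_security_state
set -- $(sample not not | ata_security_state)
echo "state=$1 estimate=${2}min -> $(next_step "$1")"
```

After a completed erase the drive should report “not enabled” again, so running the same check afterwards should print the ready state.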

 

Gmail is a-changing

It looks like Gmail might be in the process of changing the DOM layout for the site somewhat extensively. It appears that it is re-architecting some of its top-level elements, which will almost certainly break my extension among many others.

As I find out more and am able to address what the issue is, I will post what I find.