Terminally Incoherent

This is for my cousin Anetta who likes to store sensitive information in her head. While it’s sometimes good to commit crucial passwords to memory, good documentation is important. My memory is not that great - and I must admit that I’m a frequent user of the “I forgot my password” feature on online services. Documenting passwords and procedures for crucial systems is just a good practice, and a safety line. In case you forget, you can always fall back on your notes.

But how do we prevent other people from snooping at your security sensitive notes? One way is to encrypt them. One of the best known, and highly recommended free encryption tools is TrueCrypt. Below I will walk you through installing it, and creating an encrypted volume that you can use to store sensitive data.

Installation is very simple - in fact, it is a one click deal that Jeff Artwood would love:

Granted, there is a lot of text to read there, and quite a few buttons, but in the end all you have to do is to hit Install and then Exit.

We have TrueCrypt installed so lets create our encrypted volume that we will use to store our sensitive data. Open up the tool and hit Create Volume.

On the next screen choose Create Standard TrueCrypt Volume:

Now let’s choose where do we want to locate our file. Choose Select File:

You can choose any file you want to be your TrueCrypt volume. I chose not to overwrite any existing files, but to create brand new one. If your goal is hiding data, you want to pick a mundane sounding name that no one would be interested in. I chose “Quaterly TPS Report Summary.xls”. I mean who wants to read about TPS reports [PDF Link]? Most people will stay clear of that file.

Once you choose the file name, click Next. I’ll skip that screenshot and more right along to our next screen. Here you choose your encryption and hashing algorithms:

AES is currently the national government standard, so it should be good enough for our purposes. Just leave the default settings on this page and hit next.

One slightly annoying limitation of TrueCrypt is that you need to specify the size of the file ahead of time. This is because all the free space on your volume will be filled out with random noise, and included in the ciphertext. From cryptographic point of view, this is a good thing. From the user’s standpoint, not so much - but that’s just how it works. Note that it is a good idea to choose a reasonable size for the type of the file you are employing if you intend to hide data. I arbitrarily chose 100 MB - but this size may be a dead giveaway for someone snooping around in my file system. How many 100MB excel files have you seen lately? Keep that in mind!

Next you will be prompted to enter the password - or passphrase. I probably do not have to remind you that this is by and far the most crucial step of the process. If your password is weak, and easily guessed, then all the encryption in the world won’t help you. TrueCrypt recommends a 20+ character pass phrase - a short sentence for example. But watch for dictionary words and names.

The FAT filesy stem is good enough for our purposes. If you plan storing big files (over 2GB) switch it to NTFS. Otherwise leave as default and hit Format. You might need to move your mouse around a bit to generate some randomized data that will be used as seed for the encryption algorithm.

That’s it - you are done. Just hit OK and then Exit and you are free to use your file. Let’s check it out up close - it looks like a regular excel file:

Of course if someone tries to open it, the file will appear to be corrupted - a completely irrecoverable ASCII goblygook. They won’t be able to retrieve the data by using normal analysis tools, or making hexadecimal dump because of the encryption. So the worst that can happen to your file, is that someone will delete it thinking it got corrupted.

Let’s mount our file now. Go back to the main TrueCrypt screen and hit the Select File button:

Navigate to our TPS report file, and open it. Next we want to select a mount point - ie. a drive letter which will be associated with our volume. Pick a free one from your the list in the main program window:

I choose O, but you can pick any available drive. When ready, hit Mount and type in your password at the prompt:

If you peek in My Computer you should see a brand new drive sitting there.

The encryption is completely transparent for the end user. You can interact with this drive as you would with any other hard drive. You can copy files to and from it, edit them in place and etc. When you are done editing your secret files, simply Dismount the drive:

Best part is that you can move your TPS Report workseet within the file system. You can even dump it onto a flash memory and take it with you. Whenever you need it back, just open up TrueCrypt again, and mount it from the new location.

In Part 2 I will show you how to encrypt your data using Stegonography - hiding information, within other information. In other words, with the Stego approach the nosy intruder rummaging through your files will be able to open our TPS Report worksheet and inspect it without ever noticing that it is actually an encrypted volume.

I recently got Covad ADSL to act as a backup internet connection. Comcast is fast, and cheap, but not always reliable, and I hate to have downtimes because of them. By default Covad gives you a Netopia-3000 which is a classic all-in-one piece of crap. It is a router, wireless access point and a DSL modem all rolled up into cheep bluish plastic case.

By default the device is set up like this:

1. Enabled NAT with DHCP
2. Enabled open Wifi
3. Blocking all Inbound Traffic

This was exactly the opposite of what I needed. I simply need a DSL modem to sit outside my Sonicwall TZ170. All I really want is a piece of hardware that can translate the DSL moonspeak into proper Ethernet signals that the firewall will understand. I looked around but I couldn’t find good tutorials on how to accomplish this so I decided to make my own.

First you will need to configure the Netopia router. So connect it to any computer, and pull up the web interface at 192.168.1.1. By default both the username and password are admin. Don’t forget to change that!

First navigate to Advanced Configurations and choose Internet Security. We don’t want Netopia doing any kind of Firewall like stuff. This is what the Sonicwall is for and it does it much better. So check Allow Sever Hosting on this screen.

Next, got to NAT Applications, and choose OFF from the combo box. NAT is bad. We want the firewall to have direct access to the outside world - not sit on a NAT. You might be prompted to restart the router after you change this setting.. Once you log back in, this screen should look like this:

In LAN Setup un-check the DHCP option. This may or may not prompt you to restart the router again. You want your screen to look like this when you are done - just the Router IP and Subnet should be visible:

Finally, go to WAN Setup. Don’t touch the values of VPI and VCI. Make sure the Protocol is PPP over Ethernet LLC/SNAP. Set Bridging to Enabled.

This will definitely force you to reboot the router. After this you won’t have internet connectivity on that machine. That means it’s working. Your Netopia just became a DSL modem and you will need a PPPoE client to use it. Disconnect it from your machine, and plug it into the Sonicwall’s WAN port.

Get into your Sonicwall control panel, and open the Network section. There, choose NAT with PPPoE Client from the pull-down menu:

You should see an automatic popup window. If you are with Covad like me, you can safely ignore the General tab. It will be overwritten anyway. Switch to the PPPoE tab and enter your username and password.

You obtain them from your ISP - and no, they are not the same as the credentials you use to sign into covad.net. Both username and password fpr PPPoE are just random character strings composed of letters and numbers and some non-alphanumerics like @. Covad actually puts them on the packing slip that comes in the box with the router.

Be sure that you typed in your credentials correctly. As far as I could see there was no meaningful error messages if you get them wrong. You still get an IP, but there is no internet connectivity.

Once you get it set up, go get a cup of coffee. Sometimes it will take 2-3 minutes before the two devices figure out how to talk to each other. No clue why, but I was fighting with it for around 10 minutes, then got interrupted, went to do something else, and all of a sudden the internet “fixed itself” as I was told by a coworker.

So there it is. I hope it helps you, and spares you some unnecessary frustration.

If you own XP Home you are probably painfully aware of some of it’s limitations. The home edition of the OS for example won’t let you have a detailed file access control. The security tab where you can give or deny users permissions on given file or folder is simply missing from the properties dialog in this version.

Of course you can still modify file access permissions by using simple workarounds like:

1. Booting into Safe Mode
2. Using the cacls command on the command line
3. Using a 3rd party tool such as ACLView
4. Patching your system with a untested, unofficial patch.

None of this options is convenient, and the last one is particularly unsafe. While this patch does not have to be malicious, it’s just to easy to slip a rootkit into this type of system file patch.

Today I found yet another solution, while looking for something completely different. Someone at the MSFN forum simply noticed that you can cheat the system into thinking it is in safe mode by tweaking the registry, opted to create two reg files. First one to enable the security tab:

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

And another one to disable it:

Windows Registry Editor Version 5.00
 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

The change is instant, and does not require a restart. Why do you need to disable it? Because with that dword in place, your XP will be absolutely convinced that it is running in safe mode, and thus won’t let you run certain software, or perform any installations.

The problem with their solution is that you need to remember to click on the second reg file to restore your registry back to normal. So I decided to improve on it with a little shell script that will add that key, wait for you to finish your file access related tasks, and then remove the key before closing:

@echo off
echo 'Enabling Security Tab'
 
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /v OptionValue /t REG_DWORD /d 00000001
 
echo 'Please keep this window open while you use the tab. When done, follow the prompts on the screen.'
pause
 
reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /f

You simply run this batch script, then leave it open at the prompt, do what you have to do, then go back and hit enter. The key will be automatically removed as the script closes.

As you may have read, my windows box has suffered a hard drive failure after a power outage yesterday. Well, my machine is back - at least in a way. I’m running on a bare bones windows installation with just the antivirus, firewall and few other crucial applications such as Firefox.

I mentioned that Knoppix was able to access the drive without much problems. Windows was not as nice. The access was sketchy, and the system partition, which was the one I wanted to access was missing. After few tries I pulled it out, mounted my secondary drive, and closed the box up. I just didn’t feel like dealing with it. What exactly did I loose?

1. My Firefox Profile - I miss my familiar setup and my adblock filters which I’ve been tweaking for the last few years. Still, all my bookmarks are either in del.icio.us or in Google Notebook so nothing irrecoverable was really lost.
2. The whole MUGEN folder with the 50+ characters I downloaded. Oh well. I can re-download all this stuff, it will just take time.
3. Morrowind and HL2 saved games. While these are irreplaceable, I can live without them.
4. All the emails I pulled from my school email account over the last 2-3 years. Most of that stuff was mirrored on my laptop, and I don’t think I will need any of it any time soon.
5. Some applications that I obtained… Um… Let’s say, less then legally. I don’t think I ever bothered archiving the iso’s and installation files for these things

That’s about the extent of the damage.

I did learn that my backup strategy needs to be more robust. Because of my unique drive situation, I have been very diligent in backing up the failing drive. I’d usually back up my both drives to an external device twice a week using the Windows NTBackup software. Each time it was a full backup (not an incremental one) and because of space constraints, I would simply overwrite the previous file.

Of course, this plan has one big hole in it. What happens if the machine dies in the middle of a backup? Well, you end up with an unusable, corrupted file. Since Murphy’s Law never fails, this is exactly what happened to me. I thought I was ready, and I thought I was “doing it rite” but I guess I was not.

My new backup plan is:

1. Backup twice a week like before
2. Always keep at least 2 backups on the drive
3. Automatically delete the backup with the suffix _old from the drive
4. Rename the current backup with a suffix _old
5. If necessary get another external drive and start a weekly rotation
6. Check the integrity of backups at least once in a while

Fortunately my policy of keeping crucial data on non-system drive did pay off big time. This is the least amount of data I have ever lost in a critical failure of this magnitude.

I also learned that NTBackup does not like failing drives. I had an old backup from April stashed away somewhere, and it seemed to be in a pristine condition… Unfortunately I was unable to recover anything from the system partition. All the other drives and partitions were fine. Which just goes to show you that auditing the integrity of your backups is crucial even in home environment.

I decided to finally shell out some cash for a UPS. I saw small 1hr ones at Best Buy few days ago for $50. They seemed like a perfect size for your home desktop. This is another lesson that came out of this whole ordeal. If I had a working UPS underneath my desk, chances are the machine would do a graceful shutdown, perhaps extending the life of my drive few more months. Power surges, and hard reboots are definitely not healthy for your hardware.

Finally, I will never use a computer with just one hard drive, unless it’s a laptop. It is a security policy that prevents you from pulling hair, and murdering innocent bystanders in a fit of rage. That second hard drive is crucial to my mental health and I will always have one.

My primary HD on my Windows box finally died. We had a power outage when I was at work, and when I came back the machine would consistently boot into BSOD claiming that “boot drive is not mountable”. The drive was acting funky anyway, so this is not a huge surprise.

So the machine I use at home the most is temporarily out of commission till I reinstall windows on the new drive. In other words, I’m windowless for today, and probably tomorrow until I get everything back in order. Fortunately I still have my laptop so it’s not the end of the world.

I booted Knoppix on the machine and I can still access the drive so I should be able to restore everything as needed. I was also pretty good with backups - but of course, the power outage happened on a backup day so I have no clue if it finished. I do have a 60 GB file on the external drive which was last modified at 3pm today, but it might as well be corrupted. The earlier backups are from April and May which is not so great.

But, again - since I’m able to access the drive from Knoppix I should have no problems pulling the data off of it later on. Most of my important stuff was on the secondary drive anyway. So I’m not panicking just yet. At most I will loose my Firefox preferences folder, and some saved games, and whatever crap I had thrown onto the the desktop.

So my plan for today is:

1. Pull the band HD
2. Install Windows
3. Go through the usual post-installation tasks such as hunting down drivers, installing applications and etc
4. Check if the latest backup was ok, and try to restore the most crucial files.
5. ???
6. Profit

Whatever I planned to blog about today and tomorrow is going to get pushed back, because this crap will likely take me a while.