Project Lazarus

I sit here, typing on an HP Pavilion…running Ubuntu Linux!  That’s very exciting for me, although I’ve come to understand that the accomplishment isn’t nearly so grandiose as I had predicted.  Still, it’s a happy accomplishment.

This computer was a necessary replacement.  Liz’s VAIO–her college computer–had died a quiet and dignified death through inevitable hardware failure.  Afterwards, she used my iMac G4–my college computer.  Eventually, that too died.  For obvious reasons we needed a computer, and since I was unable to justify the cost of a new mac (my own preference), and since Liz hated macs, we decided upon the HP laptop (since our apartment had a certain lack of space for a permanent desktop setup, as the computer room had been converted into a nursery).  Still, we opted for something with higher-end hardware, thus the HP (dv-3186cl)–an i5 quad-core 2.27 GHz with 4 gigs of RAM.  It was, and still is, a respectable computing system.

This machine served us well for years, but eventually it too succumbed to the ravages of time.  The hard drive had started to wear out, the OS (Windows 7) had become increasingly bloated (the inevitable fate of evolving OSes), the battery (which we had replaced multiple times) died, and the WiFi card ceased to function.

Upon this last failure, I lost my patience and bought a MacBook Pro.  It had been years since I enjoyed Apple’s OS, and I was elated at the homecoming.  Liz limped along with the HP, until one day it refused to cooperate at all.  And as she needed it for work, she immediately replaced it (with a newer iteration of HP’s Pavilion series).  I, being ever-loath to discard technology, retired the broken machine to the mothyard (the basement), with the vague plan of replacing its defective hardware parts one day, and installing Linux.

Then I received some Amazon gift cards and decided that was the necessary excuse to begin.  I hooked it up (it had no battery) and pressed the power button.  And it promptly informed me that the WiFi card was inoperable.  I disregarded the warning, and was then informed that the drive was likely to experience imminent failure.  I ignored this message too (all the data had been backed up anyway), and continued.

Rather, I tried to continue, but was then informed that the drive failed to mount.  Again,  no biggie.  This was just a test to see if the hardware would function at all.  Perhaps the drive was fine, but the OS had become corrupted.  So I began my search for a Linux distro.

My first hands-on experience with Linux was openSUSE, years ago when I had managed to install it on an old beige G3 powermac.  At the time, I had it configured to be a simple Apache web server, and it had performed its duties as a platform for my first-ever blog: intellectualnexus.net.  I’m happy to see that the domain lies unregistered currently.  Apparently no one else has since thought to use the name.  I ultimately agreed to discard that derelict machine once the kid arrived, and I had been without a web server since (until I bought my Synology).

Then my sister bought me a Raspberry Pi.  The Pi came with its fork of Debian, NOOBS.  That was my second experience using Linux.  The Pi has lived an off-and-on existence, primarily to serve an omni-present web page (currently a Google calendar).

In both of these examples, my familiarity with Linux had been minimal, and my hands-on experience had left me lacking in confidence.  But Linux had changed since my earliest experiences, and the Internet was confident that contemporary distros rivaled the other major OS players in usability.  In fact, I had even stumbled across Dell’s product listings that included machines with Ubuntu pre-installed.  I hadn’t much cared for SUSE at the time, and with Debian appearing rather minimalist, I took Dell’s endorsement of Ubuntu and searched for a package.

It didn’t take long to find.  It turned out that Ubuntu has very comprehensive guides for downloading and installing.  They even provided a step-by-step guide for my exact scenario: downloading the installation iso onto a USB flash drive with a Mac.  With this amount of helpful documentation, Ubuntu made a good option.  I picked up a USB stick on the way home from work the next day.

That night, I followed the instructions to the letter, and quickly ended up with a usable USB install drive.  I plugged it into the HP and booted up, and after ignoring the error message regarding the WiFi and failing HD, entered into the install prompts.  This, too, was straightforward, and after the installation completed, I rebooted, hoping to see Ubuntu’s happy welcome screen.

It certainly is pretty

But instead I was met with a new error, and this time the HD was completely inaccessible.  So despite my misgivings that the drive was okay and Windows was to blame, the hardware was indeed at fault.  I bought a 1TB HD off Amazon and waited the two days for shipping.  The old drive, now undoubtedly defunct, was removed and relegated to the mothyard’s stack of inoperable/obsolete hard drives.

What am I going to do with an 80GB PATA?

The drive installed easily enough and I re-ran the installation, once again ignoring the WiFi error (and vowing to discover how to turn that message off in the BIOS later).  The install completed much quicker this time.  Apparently a functioning hard drive was the key factor.  I also paid more attention to what the installation was doing, and was pleasantly surprised to see that it was automatically deciding upon the appropriate drivers for the detected hardware and removing those that weren’t relevant.  In short order, upon reboot, I was greeted with the happy welcome screen for which I had eagerly waited.

Elegant in its simplicity

I signed in and began poking around.  The default installation included the basic applications necessary to navigate a file system and the Internet.  I triggered a mass application update to get the most recent versions, then poked around in the package center (or whatever they call it).  There were similarities with Synology’s Linux fork and Apple’s OS (a FreeBSD fork), so it’s been relatively straightforward to figure out.  Ultimately, I had just planned to use the HP as a web browser (courtesy of Firefox) and a coding platform (now using Notepadqq).  And it’s fulfilled these expectations.

So purdy

It’s also exceeded them.  The OS is incredibly efficient, and has proven to be the fastest system I have used to date.  And after discovering that a sticker had melted onto the internal WiFi card, and removing said sticker fixed it, I’ve decided to order a battery and have a completely restored workstation.  I don’t know if it’ll turn out to be my primary machine, but it’ll certainly fill a niche where more technical tasks are involved.  So far, Ubuntu has excelled beyond my every expectation.  I offer my personal endorsement.

–Simon

What’s the Fox Say?

I like Firefox.  It has the visual settings I want, the security features I want, the plugins I want, and the business model I like.  Chrome and Safari in their own right are just fine, but I prefer Firefox.

My employer, however, does not like Firefox, and that is for obvious reasons.  Firefox is a standalone application that doesn’t require root privileges to install or configure.  It also ignores group policy, and maintains its own certificate store.  From an IT admin perspective, it’d be a nightmare to try to support.  So, officially, they don’t.  But, they don’t explicitly forbid its use, either.  In fact, many internal documents offer information that is Firefox-specific.  But, IT also blocks the domains which provide Firefox installation packages, and the company’s Reasonable Use of Company Resources policy does state that circumvention of technological protections is prohibited, so am I violating this policy by, say, acquiring an installation package that I had downloaded onto a domain I control?  I’m not really bypassing these protections, and besides which–I have a business need to test how web code renders in different browsers.  It’s a bit of a grey area.

What isn’t a grey area, however, is the means by which I connect to the Internet.  Naturally, I use the default proxy URL and configuration provided by the company, so all good there.

Then recently, I couldn’t connect at all.  I received a certificate error for every HTTPS page I attempted to access.  Unbeknownst to me, IT had installed a middlebox.

Middleboxes operate by intercepting a connection, breaking it open, then re-encrypting it back to the end user.  This re-encryption, however, requires that the middlebox present the browser a certificate for the site, one that it has signed itself.  That certificate is generally signed by a company-generated CA, installed via group policy into every machine’s certificate store.  But since Firefox uses its own certificate store, when the re-signed connection arrived, Firefox saw only that the connection was signed with an unknown and invalid certificate, and promptly terminated the connection as a security measure.  This is, amusingly, the way it’s supposed to operate.  Breaking TLS in this manner violates its purpose, but it works because of the protocol’s current limitations (at least for now–TLS 1.3 has protections against this but is being pushed back because of its ability to prevent this type of corporate TLS-breaking).

Naturally, I don’t have a problem with the company monitoring the use of its own resources, so you’ll find no soap box argument here.  My main concern, then, was how to get Firefox working again.

Fortunately there’s a buried setting, within about:config.

Simply changing the Value from “False” to “True” allows Firefox to consult and accept the host machine’s certificate store, thus allowing the corporate CA’s certificates to break and re-sign HTTPS.
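A way to see for yourself whether a connection is being broken open, as an added example that is not part of the original post: a middlebox cannot forge a certificate from a public CA, so the certificate the browser actually receives is issued by the corporate CA instead of the public one the site really uses. The script below classifies a certificate by its issuer, using the dict shape that Python’s `ssl.SSLSocket.getpeercert()` returns. The corporate CA name, the two sample certificates and the helper names (`classify`, `peer_cert`) are constructed for this example; only the standard library is used.

```python
"""Detect whether an HTTPS connection is being terminated by a TLS-inspecting
middlebox by checking who issued the certificate the client received.
Example code added to this post, not the author's; standard library only."""
import socket
import ssl

# Organisation name of the internal CA a middlebox re-signs with.
# Constructed placeholder: substitute the name your IT department's CA uses.
CORPORATE_CA_ORGS = {"Example Corp Internal Root CA"}


def issuer_org(cert):
    """Return the organizationName of a certificate's issuer, given the
    nested-tuple dict that ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify(cert, corporate_orgs=CORPORATE_CA_ORGS):
    """'intercepted' if the presented cert was signed by a known corporate CA,
    'direct' if it chains to some other (presumably public) issuer."""
    return "intercepted" if issuer_org(cert) in corporate_orgs else "direct"


def peer_cert(host, port=443, ca_bundle=None, timeout=5):
    """Fetch the certificate a live server (or the middlebox in front of it)
    presents.  With ca_bundle=None Python trusts the OS certificate store,
    which is the behaviour the Firefox setting above switches on; pointing
    ca_bundle at a file holding only public roots reproduces Firefox's
    default and makes an intercepted connection fail verification.
    Needs network access; the offline samples below do not call it."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape (not real certificates).
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Corp Internal Root CA"),),
        (("commonName", "Example Corp TLS Inspection"),),
    ),
}

if __name__ == "__main__":
    import sys

    for label, cert in (("direct", DIRECT_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(f"sample {label}: issuer={issuer_org(cert)!r} -> {classify(cert)}")
    # Optional live probe: python3 this_script.py www.example.com
    if len(sys.argv) > 1:
        live = peer_cert(sys.argv[1])
        print(f"{sys.argv[1]}: issuer={issuer_org(live)!r} -> {classify(live)}")
```

The about:config preference the post is describing is, to my knowledge, `security.enterprise_roots.enabled`; an IT department that wanted to support Firefox rather than leave users to flip it themselves can set the same thing fleet-wide through the `ImportEnterpriseRoots` entry of the `Certificates` policy in Firefox’s `policies.json`. The check above is also useful in the other direction: if a home or public network shows “intercepted” for a site, something other than your employer is in the middle.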

So at least for now, I can still use Firefox.  I just had to configure it myself, which is no doubt the kind of support IT wants to avoid having to provide.

Curiously, when I’m connected to the company VPN, my traffic doesn’t appear to be funneled through the middlebox.  I wonder whether there’s too much overhead to do that, or whether, since the VPN itself uses TLS, it’d be a technical challenge to separate VPN TLS from HTTPS TLS?  Maybe they’re only concerned about monitoring non-exempts to that extent.  Dunno.

Regardless, Firefox can still play nice in a corporate environment.  It’s just that it has to be manually switched away from its default, and untrusting, policies.

–Simon

Olympics and VPN

I run a VPN server at home.  This is for 2 reasons: to remotely access local services, and as a security measure to encrypt my phone’s traffic.  These reasons are what I feel to be the primary purpose of VPNs.  This is also what allows me to work at home with a company computer.

However, a consequence of this tunneling is that, from the perspective of any server to which the computer connects, that computer appears “physically” to be at the VPN’s emergence point.  This result, what I consider to be a mere auxiliary function, has caused VPN services to experience a surge in popularity for the sole reason of bypassing geolocation restrictions.  I turn my nose up at those who subscribe to services for this reason, as I envision Millennials, deluded with a sense of feeling smarter than everyone else, bypassing “The Man” in order to access streaming content–with no appreciation for the actual security benefits that VPNs provide.

Then the 2018 Olympics arrived and I found myself unwilling to endure yet another year of NBC’s coverage.  Between their endless commentary and commercial breaks every 5 minutes, they’ve done everything in their power to make these events unwatchable.  And they succeeded, at least for me.  So I did exactly what I just expressed my condescension against, and shopped for VPN providers.

I stumbled across a site that actually explained the history of VPNs and their technology, a refreshing divergence from the usual array of clickbait-y sites (a la Gizmodo):

www.bestvpn.com/vpn-encryption-the-complete-guide

Given the comprehensiveness of the supplied information, I took their opinions to be acceptably educated, and subscribed to a month’s service from their top recommendation, www.expressvpn.com.

When the Olympics arrived, I connected to a server in Toronto and loaded the CBC’s live stream.  And behold!:

The CBC is mercifully low on commercials and commentary; and they stream live, rather than delaying for time zones.  I’d launch into some self-righteous rhetoric about runaway capitalism interfering with something whose inherent purpose is contrary to this value, but I’m content to just go watch some more events and stop blogging.

Because, really, when’s the last time anyone in the US got to watch curling?

Simon

Portal of Print

To me, the printer is a medium.  I use that word in the way that people who believe it’s possible to communicate with ghosts do.  The printer is a means by which we can connect the material to the metaphysical.  Information which only exists in digital form–a specific pattern of magnetized bits–can be made tangible via the printer.  And despite everyone claiming that they want to live in a paperless world, the preference for paper media over digital for varying personal and/or practical reasons renders the printer a critical component of our collection of electronic devices.

So surely a device of such importance would be built well, with a reliable OS and hardware, built by trustworthy vendors.

Yet anyone who’s ever used one of these machines knows this to not be the case.  Apart from the general user-end experience, when it seems invariably impossible to print something at exactly the moment it’s absolutely critical that the document be printed, printers are plagued by a number of more nefarious problems.  Offhand, I can think of a few that have popped up over the years: proprietary ink cartridges embedded with chips to prevent the use of 3rd-party replacements, chipped cartridges coded with expiration dates that prevent their use after a specified date regardless of the level of remaining ink, printers which cache all print jobs on non-volatile and unencrypted drives, printers with closed-source software containing obsolete encryption libraries…and so on.  In short–printers are evil devices used only out of necessity, and this necessity is exploited by manufacturers.

Now for my personal story.

I needed a printer (see above).  My laundry list included separate color ink cartridges and network operability, and after reading reviews I decided upon the Canon MP640.

Ultimately the scanner got more use than printing, amusing in that it more often converted analog media to digital than the other way around.

The device came with two NICs–ethernet and wireless–and from day one I had trouble with the ethernet.  The wireless worked okay, but I’d rather have used the ethernet for the usual list of reasons.  But the ethernet NIC was IP-sticky, seemingly ignoring DHCP assignments and demanding that it be given .1–which was a problem because .1 was the router’s IP.  So the wireless was used instead, but years later I wanted to explore the wired again.  I disabled wireless and plugged in the ethernet.  Then, for whatever reason, I became distracted with other things and never got around to fighting the printer.

Then, a few days ago, I noticed the main network switch downstairs furiously blinking.  Every connected port’s corresponding status light was flashing simultaneously…as was the living room’s, and the center room’s.  That didn’t seem right, obviously.

But the switches are unmanaged and the data wasn’t passing through the edgerouter, which does DPI, so I couldn’t readily deduce the problem.  Still, everything had connectivity, so I let the problem go.  But there was an obvious lag, so eventually I had to figure it out.

So in the dark hours of the night, which is when I do this sort of work, I began my super-technical investigation by systematically unplugging cables until the flashy lights stopped.  As this is a residential network, it didn’t take long to narrow down: the guest room cable.  This jack is connected to an older router, which is acting as a non-NAT access point.  Wireless devices jump on and off as they roam, but I had also plugged the printer into it.  Recalling my past troubles, I unplugged it and the network instantly fell back into its normal patterns.

I’ve debated getting a new printer, but then I considered the work Xeroxes–multi-thousand dollar machines with regular servicing, and even those won’t cooperate with the network on a regular basis.

I don’t know why these machines won’t play nice.  Maybe one day, when my consciousness has been entirely converted into a digital signature, I’ll no longer have need for a printer.  For now, I suppose I’ll just have to grin and bear it.

–Simon

Presumptuous Browsers

It’s a bit of a mixed blessing, but it can be a tad irritating when a company decides what’s best for me without my consultation.  To some extent, we opt in, either through conscious choice or implied by purchases; and in so doing, we are putting our trust in the companies we choose.  But there’s a fine line and it’s easy to cross.

For example, given the ongoing drama surrounding internet encryption standards and certificates, a certain trend has developed in which browser vendors have leaned towards becoming a tad…snarky with their judgments.  For example:

This connection most certainly is secure, to which the browser will even attest upon closer examination:

Large cipher block, perfect forward secrecy, current protocol version, large hash bit size.  This is an excellently secure encrypted connection.

However

Without authentication doth not exist security, irrespective of the level of encryption.  And since the certificate for this site is self-signed (due to a lack of practical alternative options–since it’s my edgerouter), the browser cannot effectively authenticate the source of the encrypted connection.  Therefore, said encryption is useless if one cannot confirm to whom they are communicating.

Except…

I know the certificate and server are legit, and have accepted the certificate as de facto trusted and indicated such to my browser.  Yet the browser has the audacity to assert that the connection is not secure despite this.

It’s a step too far I say!  I angrily shake my fist at the monitor and log in anyway.  Fuck you!
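What turns “I accepted this certificate once” into real authentication is pinning: record the self-signed certificate’s fingerprint the first time the router is reached (ideally after checking it against what the router itself displays), and refuse any later connection that presents a different one. The post’s own point stands, that encryption without a way to identify the other end is not security; the store below is the known_hosts-style mechanism that supplies the identity a CA would otherwise have vouched for. This is an added example, not the post’s or any browser’s code; `PinStore`, `connect_pinned` and the two DER byte strings are constructed for illustration, and only the Python standard library is used.

```python
"""Trust-on-first-use pinning for a self-signed certificate.  Example code
added to this post, not the author's; standard library only."""
import hashlib
import hmac
import json
import os
import socket
import ssl


class PinMismatch(Exception):
    """The server presented a certificate other than the one pinned."""


def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate as colon-separated hex, the
    value a browser's certificate viewer labels 'SHA-256 fingerprint'."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """A known_hosts-style store mapping host -> fingerprint first seen.
    With path=None the pins live only in memory."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, host, der_bytes):
        """Return 'new' when the host is pinned for the first time, 'match'
        when the presented certificate equals the pin, and raise PinMismatch
        otherwise.  A mismatch is the case a CA would have caught: something
        other than the device you trusted is answering at that address."""
        seen = fingerprint(der_bytes)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            self._save()
            return "new"
        if hmac.compare_digest(pinned, seen):
            return "match"
        raise PinMismatch(f"{host}: pinned {pinned}, got {seen}")

    def _save(self):
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f, indent=2)


def connect_pinned(host, port, store, timeout=5):
    """Open a TLS connection that skips CA validation (there is no CA for a
    self-signed cert) and relies on the pin for authentication instead.
    Needs network access; the offline samples below exercise the store only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # identity comes from the pin, not a CA
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        # binary_form=True still returns the DER cert when CA checks are off
        store.check(host, tls.getpeercert(binary_form=True))
    except PinMismatch:
        tls.close()
        raise
    return tls


# Constructed stand-ins for DER certificate bytes (not real certificates):
# the router's certificate and a different one from whatever else might
# answer on that address.
ROUTER_DER = b"constructed-der-bytes-router-cert"
OTHER_DER = b"constructed-der-bytes-something-else"

if __name__ == "__main__":
    store = PinStore()
    print(store.check("192.0.2.1", ROUTER_DER))  # new
    print(store.check("192.0.2.1", ROUTER_DER))  # match
    try:
        store.check("192.0.2.1", OTHER_DER)
    except PinMismatch as exc:
        print("refused:", exc)
```

This is what a browser is doing internally when you click through and add a permanent exception; the difference is that it keeps showing the warning because, from its point of view, it was never told the fingerprint matched anything. Writing the pin down once, after comparing it with the fingerprint the router shows on its own console, gives you the authentication the post says the connection lacks.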

–Simon