Weak Certificates

I’ve got an odd little problem at work. I’ve got a Ricoh copier in the Traverse City office that I apparently can no longer manage remotely due to an SSL error. The error that Firefox throws is ssl_error_weak_server_cert_key, and in Google Chrome it’s ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. In both situations I understand what the issue is: the SSL layer is weak because the Diffie-Hellman key is not big enough.

I’ve run into this issue before, mostly with self-signed certs, and the browsers have usually allowed me to click on an exception and get on with my day. For Firefox and Chrome that is now no longer the case; the browsers just refuse to display the webpage. I understand the logic behind it, everyone wants a more secure web, but sometimes what we are really after isn’t privacy or security, but rather just getting our work done.

I still need to connect to this copier and manage it, and frankly my dear, I don’t really care that much that the transactions be secure. In a way, this security is irrelevant. The traffic on our WAN is flowing over a Meraki VPN site-to-site link, so it’s already secure. This is security on top of security, and it’s in the way.

So I thought about using the awful Internet Explorer for this, and I chafe at even considering using one more wretched bit of Microsoft technology – there has to be a better solution. When you run into little bits like this, the best way forward is to pursue my favorite solution, heterogeneous computing! There’s more than one way to get what you are after. So if Firefox and Chrome won’t work, and Internet Explorer is unthinkable, how about Opera?

So I downloaded Opera and installed it, then browsed to my copier in Traverse City. Opera told me about the error, but it also provided me with an exception button, and once I clicked that the error was bypassed and my copier’s remote management screen appeared.

So now I’ll add Opera to all the other browsers I have on my computers. The answer is competition. I wonder sometimes if there isn’t a special browser out there for IT type people like me. They’ll render anything, ignore any “privacy or security” type errors, all so people like me can get our jobs done. For now, Opera seems to lead the pack, at least for this. Thank you Opera!

HP Pavilion Boot Loop Problem

Yesterday I ran into a devil of a time with an HP Pavilion Slimline workstation at work. This machine was beyond its warranty with HP, so no help from them. I had a machine that presented these symptoms:

  • Computer powers up normally.
  • All BIOS-level diagnostics pass.
  • No error codes or beep codes whatsoever.
  • Once the HP BIOS Splash screen fades, the computer should boot into Windows. In this case, Windows 7. It does not. The computer reboots into the HP BIOS Splash screen. Ad infinitum.
  • You can enter BIOS Setup, you can also access the Boot Menu to select other boot sources, however the F11 key to start System Restore is unresponsive.
  • All first-tier efforts to clear the error were taken. BIOS reset to factory conditions, as well as holding down the power button to clear the power supply controller. None of these resolved the issue.

I then plugged in a copy of Knoppix that I downloaded and installed on a USB memory stick. I could have also burned the ISO file to a DVD and used that as well, but the USB was handy. When I use Knoppix this way, I like to enter this “Knoppix Startup Cheatcode” into the prompt right after it boots: “knoppix 2” (without quotes, of course). This starts the Knoppix system in the INIT 2 run level, which is a single-mode, text-only interface. I don’t need X-Windows, and in this case, that just gets in the way.

Once at the CLI for Knoppix, I figured the boot flag, the boot manager, or the MBR was shot for the primary partition on the hard drive in the machine. Diagnostics indicated that the primary hard drive was fine, so it wasn’t a physical failure in the HD. I knew that the first (and only) hard drive in systems like these was most likely /dev/sda; you can search the “dmesg” log if you have any doubt about where in /dev the primary hard drive is. Knoppix has the “fdisk” command, so that was my next stop. I knew that this particular HP machine had a Windows Recovery partition stuffed in it, so when I started “fdisk” I displayed the partition map and there were three partitions: /dev/sda1, /dev/sda2, and /dev/sda4. I looked at the sizes and figured that the biggest one was the damaged partition, the middle one was probably for swap or scratch or something, and the last one seemed sized properly for the recovery partition. Honestly it was a guess. I turned the bootable flag on for /dev/sda4 and off for /dev/sda1, wrote the partition map to disk, and then issued the command “shutdown -r now” to reboot out of Knoppix. Technically you could have just unplugged the machine, but I’m a big fan of orderly shutdowns even when the consequences are irrelevant – it’s a good habit to have.

The machine booted to the HP BIOS Splash screen, and then Windows Recovery started. Once the recovery partition got going I noticed a cutesy HP menu appeared offering me a selection of options. I started out with the simplest option which was something like “Microsoft Windows Boot Recovery” and it ran for maybe a second and then offered to reboot. I went for the reboot and that fixed the issue. Windows started but instead of a regular startup it went to the recovery menu, which I found fine since that was where I was going to go anyways by pounding the F8 button like a madman. I selected “Safe Mode With Networking” and then plugged in my USB memory stick containing TRON and got TRON working on the system.

Once TRON was done, I rebooted and let chkdsk naturally freak out about the structure of the NTFS partition in /dev/sda1. Chkdsk did what it had to do, and the system booted normally. I then set it for redeployment.

I figure if anyone else has this issue, this blog post might be helpful. If it helped you out, and you’re willing, maybe dropping a wee tip in Bitcoin or Dogecoin would definitely be appreciated.

Sandboxing FTW

After I reminded people that I offer a complimentary attachment checking service through my office I got a submission from one of our warehouse operators in Texas. It was an oddly-named attachment called UmjSJCk.zip. I saved it to my Mac and opened Terminal, then unpacked the zip file, and it unpacked to Quotation.exe. I giggled a bit when I ran the file command on it and saw that it was a Windows executable. Exactly what I expected. So I put it in a folder called sandbox and started my copy of Windows XP that I have in VirtualBox. The OS has its hard drive set to immutable, so any changes or write activities that the OS does are not sent to the VHD image, but rather to a “snapshot” VHD image on the side. Each time I start the OS, it’s as if I am starting it for the first time, because when an immutable VM finds something (anything) in the snapshot folder, it dumps it first and then creates a new snapshot image for writes. I make sure the sandbox can’t see anything beyond my Mac by assigning its LAN connection as a Host-Only Adapter. That means that the VM can only see VirtualBox’s fake network host and nothing else.

So I started this sandbox Windows XP, mounted the sandbox folder as a drive to the sandbox – set as Read Only also, by the way, no baby-backwash here… and then double-clicked on Quotation.exe. It loaded a process and started to grope the network connection. Of course it did. So, with the bug trying its best to reach out and fetch its payload, I clicked on the little red close control and told VirtualBox to power off the virtual machine.

Poof. All gone. Changes and everything. Then I dumped the sandbox contents.

I think what’s more concerning here is that my scan of this data using ClamAV on my Mac showed no infected data. Well, it certainly was trying to be nasty.

Then I start to wonder about the inherent usefulness of VirtualBox for air-gapped computing, for privacy, and for really being paranoid about encryption. But then I realize that when I turn off my AirPort on my MBP, it’s just as good as anything I could screw around with in VirtualBox. An infection in my MBP? Heh… piff.

OS Tryouts 3: ElementaryOS

The start of ElementaryOS is quite like Linux Mint 17, as they are both based on Ubuntu Linux. One notable difference is that Elementary prompts you by default to choose whether you wish to use the LiveCD system or install it on a computer, whereas Linux Mint 17 simply brings you right into the LiveCD system and provides you a link to install it on your computer, as a shortcut on the Desktop of the LiveCD system.

ElementaryOS requires about half the space that Linux Mint 17 does. That’s remarkable but not really a stumbling block, since most modern computers have more than 10GB of primary storage just to start. The installation was really quiet and direct, a pleasant change from PC-BSD for sure. Updates were slipstreamed into the installation routine, so there shouldn’t be any need for them once the system is up and running.

The primary login screen is remarkably beautiful. The graphical login has my full name with a place for my password and a Login button, and to the right of that is today’s date and time styled in a very appealing way. There also appears to be a “Guest Session” which I will have to investigate, as Linux Mint 17 didn’t include that. Looking around the basic OS I am pleased to see many “Look and Feel” similarities to my beloved Mac OSX. After starting the software update app I expected all the apps to be updated, however that wasn’t to be; there are 347 updates pending – so that’s the first thing that needs to happen. Since I have the updater open, clicking on “Install Updates” should get that ball rolling. True to form, the updater is quietly processing its duties without user intervention beyond the authentication for elevated privileges that all updaters require in Linuxland. One really neat thing to note in this review is that the devs for ElementaryOS wrote a kernel extension driver for VirtualBox all by themselves. The activation was very straightforward; that’s very impressive. Almost all other OSes force you to install the VBox addins from VBox itself.

The installation of optional software is easily found through the Software Center; its icon is a big friendly downward pointing arrow. Many of the apps I would figure would be installed by default, like Firefox and Thunderbird and LibreOffice, are not, but they are available. That’s perfectly fine. Having a lot of apps delivered by default only adds to the size of the installation media and can complicate the installation routine if one of those other projects doesn’t behave properly upon installation.

It’s really a toss-up so far between Linux Mint 17 and ElementaryOS. My bias for the Mac OSX interface pushes me ever so slightly over into Elementary territory personally because it isn’t hamstrung by a Gnome prime panel that you just can’t get rid of; Elementary comes with a Dock by default. The only irk that gets me about Elementary is that the Dock has no mouse-sensitive effects, but that’s the weakest of quibbles. So far for machines that we’ll end up surplussing, Linux Mint 17 wins for work, but if I were to buy one of the surplussed machines I’d go for Elementary OS instead. It’s mostly just a matter of taste. I could just as easily live with Linux Mint 17.

OS Tryouts 2: Linux Mint 17

As part of my brief tour through some alternative operating systems I uncorked and tried out Linux Mint 17. Of all the different systems I’ve tried, this was the most pleasant and simple installation I’ve had so far. The system boots up into a Live CD environment, letting you try before you buy. I also found the lack of “Scary Text” during the system startup to be a very nice touch. When the OS gets started it works well out of the box. X Windows with the window manager works as it should, without any misgivings. The updater worked well from the first pass and only required one pass to get all the updates that the system needed. The application suites provided worked really well, LibreOffice, a host of web browser choices, but the only thing that was missing was a Calendar application. I thought about iCal and how well that works with Exchange, and wondered if there was an app in the Linux space that could do something similar. My admittedly cursory search didn’t yield any results. Arguably it is a non-issue as the entire Exchange experience for me can be done on the web, so pffft.

There really wasn’t much to write about Linux Mint 17. The OS got a green star on my selection board and led to the disposal of PC-BSD. Next up are Elementary OS and CentOS. I suspect that the last one will be a boondoggle, but only time will tell.

OS Tryouts 1: PC-BSD

PC-BSD

System Setup

The PC-BSD initial setup was pleasant enough, there was only brief exposure to the horror of the console as cryptic text scrolled past. I can imagine consumers panicking when they see these sorts of screens, pages of text they can’t comprehend without a solid understanding that much of it really is meaningless unless the system doesn’t work, and then it rockets from being worthless to priceless. Generally when I think of designing operating systems for consumers, you want to suppress this behind some pretty pictures or a progress bar, which is a clearer representation that everything is proceeding according to plan. Even when everything is working properly in systems like these you can spy error reports in the startup console text screens. The developers either don’t care or expect the errors and they are “worthless” issues because the system starts up normally. To consumers, if they are reading along and have a little bit of training about what they are looking at, they could be unsettled by a line that looks like an error even if it’s a throwaway warning.

After the initial setup, the standard installation questions are rather straightforward: language and locale settings, for example. It is good to note, however, that these days the really good systems automatically fetch much of this material from the machine’s own Internet address. I would argue that if the IP is in the United States then it’s likely English, and if you know the IP, then you know the location, so time zones are easily set as well. The hostname selection is always different from system to system, I’ve found. Some systems are computer-before-person and some are person-before-computer. Since you can set this to whatever you like, it’s not really a quibble.

PC-BSD does a very good job at clearly separating the difference between root access and user access. You create the password for the root account, and then it automatically leads you to create a user account afterwards, with the option for encryption presented immediately, which is a nice touch.

First Login

I was presented with a login dialog box, and I selected my window manager to be Cinnamon, as it was an installer option when I set up this system. The system attempted to start X Windows and then the desktop manager crashed. I tried to restart it twice, and when that wasn’t working I clicked Cancel and the system started into X Windows without a desktop manager. There are no clear ways on the display to proceed forward unless I wish to use “AppCafe”, “PC-BSD Control Panel”, or the “PC-BSD Handbook”. I tried to use the magic keyboard combination of Control-Alt-Backspace to exit out of X Windows, to no avail; the key combination does not work. I then pressed Control-Alt-Delete, which reset the system and led me directly back to the login window. This time I selected the default window manager, KDE, and logged in. The system did at this point proceed properly.

I tried to start a basic application, in this case I wandered through the applications and selected “Marble” in the education category. The app failed silently. After that I went to system update and started the update search. The wait for progress was rather long at about five minutes, but I did see there were “Base System Updates” available, what they are is not stated, but I elected to install them anyways. The progress bar does not really fill up in the way that a consumer would expect, but rather as a quarter-inch blue rippled box that bounces slowly left and right.

Generally when the system is installed and updated it seems to be competent. The fact that you can’t really stray from the KDE interface is a little bit of a concern, but generally not a huge problem. I would say that PC-BSD really isn’t ready for prime time consumer use yet. Then again, no Linux OS is, at least yet.

BSD and Linux Tryouts – Four Distributions

I’ve got a pile of dead hardware that I’m going to be surplussing soon here at work and much of it won’t be able to handle Microsoft Operating Systems, either because the system lacks a restore partition or lacks a Microsoft licensing sticker to make the install of Windows XP work properly. So we’ll have to live without Windows, which means some other operating system. There are four that I’m looking at currently:

  • PC-BSD
  • Linux Mint 17
  • ElementaryOS
  • CentOS

Generally I think none of these are really ready for prime-time consumer use, but maybe I’ll be surprised.

Throwback Thursday

Since I’ve been journaling so very much I’ve got a lot of memories stored up in my Journal. Here’s a slice of my life for the past September 25th’s:

2003 – Refilled toner cartridges are all the rage, and I put a kibosh on them because they are a terrible idea. Working on other peoples computers proves to be a gory biological hazard at every turn. Grand Theft Auto 3 makes kids kill. Moonies make a surprise return and surprise everyone with their bigotry. Congress did something! They passed the FTC Do Not Call List.

2006 – Jerry Falwell referred to Hillary Clinton as worse than Lucifer. Tee Hee!

2007 – I got my first iPod Touch. What a long wonderful journey it has been with Apple, man, the memories. 🙂

2008 – I was enjoying a good ten-minutes hate on Microsoft and Java. At work I started interviewing S3’s.

2009 – I was drinking quite heavily to cope with my awful days. Drop.io was still around, and OIT was making it difficult to use, what a shocker. I started thinking about drugs like Xanax to help me cope with my difficult days. Work issues abound, failures left and right. Some sort of Jazz Ensemble at a local eatery tortured out some music.

2010 – Legend of the Guardians in the movies, enjoyed it quite a lot. Lots of noisy twitter noise.

2011 – SyFy asked what shows we liked, all the ones they cancelled. LOL.

2012 – Resistance to using the Help Desk Ticketing System shows up. Search for S3 internally falls flat on its face, not really surprised. Love for Waze, enjoying social navigation. Closet hanger in Hobbiton failed, I fixed it, after a while of battling with it.

Koval Single Barrel Oat Whiskey

The Future is Forsaken

A few days ago, a brand new MacBook Pro 15″ laptop arrived. It is meant for one of my coworkers and I thought I had everything set up to rock and roll. Well, so much fail came to roost today on my shoulders. First, the MacBook, a big beautiful machine, requires Windows 7 64-bit to be present to be able to set it up in Boot Camp on this machine, d’oh! I have Windows 7 32-bit on a memory stick. Fnord.

As I was fiddling with the unit, and the fact that this didn’t occur to me at all is a testament to how pervasive wifi is in my life, I noticed that this laptop doesn’t have an Ethernet port on it. Apple sacrificed the Ethernet port in the aim to make this sleek slim metal box of sexy technology happen. It’s the 21st century and if someone buys a MacBook, then the logic that I can work out for myself is that Wifi is assumed. Except for when it isn’t. There’s an adapter that will make it work, and frankly I can’t be really shocked that Apple would dump Ethernet, especially when there are Thunderbolt-to-Ethernet adapters for sale, as Thunderbolt can easily carry gigabit data rates and the port is supa-teeny.

So here I sit; this laptop will be starving for Wifi soon, and I need an adapter. After some investigation it appears that the best solution is a USB Ethernet adapter, as the Thunderbolt adapter (as far as I can tell) fails to understand sleep/wake cycles and that’s a deal-breaker for me. I don’t need gigabit speeds so it all works out to be the same in the end.

It’s interesting to me to witness all the technology that is no longer around by default. COM ports are gone, long ago. CD/DVD drives are gone, which is a constant source of surprise to me, and now Ethernet ports are all being shuffled off. All of these things can be adapted to USB, and some of them to Thunderbolt, but these bold choices are surprising me. I find myself agreeing with them; for the sake of the form factor and how USB and Thunderbolt can do so much, it does make sense to me.

God help people who are used to certain historical technologies, they may find themselves on the sacrificial stone block to the gods of progress.