Microsoft in 2016: A review from a UNIX Geek

What happened?

I was using a wonderful 4th Generation X1 Carbon that ran Linux like a top. My only issue was that, in taking on a new role, I needed Windows or Mac support with a CUDA capable GPU. Moving to a 15” MacBook Pro wasn’t an option due to the size/weight and my general dismay of the direction of macOS.

The Surface Book and XPS15 were on my radar, but the availability of the XPS15 in the U.A.E. was not easy to come by. Surface Books were plentiful so I type this post from it.

I should note I bought the device prior to the latest Apple Announcement. I almost waited, but am glad I did not. I am writing this against the backdrop of the impact of the new hardware and moves of macOS.

Hardware

The hardware is amazing. Seriously. We have all become accustomed to crappy PC laptops and Macs being the harbinger of solid design. I must admit that race is not so lopsided anymore. The Lenovo X1 series was beautiful in the way only a mother could love. Industrial and rugged, but not so pleasant to the eye. The Surface Book (from this point forward being SB) changed all of this for me. It is a beautiful piece of hardware from the unboxing to the daily use.

The Hinge

The hinge is unique. Lots has already been said about it, but it is my main concern with the laptop’s ability to sustain my travel schedule and use. In a week of use it seems to be strong enough, but I wonder after a year what it will look like. As I am late to the SB party many others have already tested the theory and it has held up for them, but I will write again after I get some time on the system.

Ports

I use a trackball so one of my two USB ports is consumed with a dongle. I really wish Elecom would make a Bluetooth version, but alas here I am. The SD card will be filled with a flush converter soon to give an extra 256GB of space via MicroSD. My hope is the next SB provides a USB-C Connector in addition to keeping a current USB 3.0.

Screen

Many people loved the transition from 4:3 to 16:9 screens with the advent of DVD movies. The lack of vertical pixels annoys me greatly when I am reading or programming. SB took it a step further and went with 3:2 and I could not be happier. In addition to a simply beautiful screen full of bright colours and contrast, it is a usable screen for my workflow. I didn’t really plan on it, but the screen in tablet mode is now my go-to for HN and Reddit reading.

Juice

Mag Power

Normally I wouldn’t write about the magnetic power/dock connector, but in light of Apple ditching MagSafe for unknown reasons, I think it is important to talk about. MagSafe saved countless laptops for me and I am sad to see it go, but really happy Microsoft marches forward with this type of system.

Power Brick

Normally I wouldn’t devote a section to this, but I love the size/weight of the charger as well as the USB charging port on the brick. I know Dell and others have done this for a while, but I think it’s a small design note worthy of praise. All manufacturers, especially now Apple, need to include this. In an odd turn of events, if my Wife happens to buy the iPhone 7 and new MacBook Pro she will need my power brick to charge her phone now.

Input Devices

Touchpad

I hate touchpads. Compared to the Mac trackpads it is good, but it is still a trackpad. Give me a TrackPoint and this would be perfect. It is usable, but meh. Still a touchpad.

Keyboard

The keyboard isn’t Thinkpad quality or maybe it just isn’t as familiar to me yet. Compared to the butterfly keys that Apple is migrating to though, it is amazing. I try typing on the MacBook every time I see one in the store and just walk away disgusted.

The Fn key and Function row take some getting used to. The Fn-lock does not work between reboots so I am attempting to force myself to get accustomed to Alt+Fn+F4. It isn’t going well thus far, but maybe a few more weeks will ingrain it into my memory.

Last, but most important, it still retains an Esc key for us vim users. Unlike some laptops…

Pen

I find myself only using the Pen for OneNote. My memories of the stylus with various WinCE, PalmOS, and Qtopia Embedix still follow me to this day: if you need a stylus to interact, something went wrong. The SB Pen though is a perfect device in combination with OneNote for note taking and basic diagramming.

I find myself sketching OV/SV system diagrams and architecture designs first with the Pen and migrating the data into Visio/Dia instead of starting on a Moleskine as I usually would.

My Wife on the other hand is in love with the Pen interface for art. I saved a whole section at the end of this post about that.

Software

Windows 10. “It isn’t Windows 8” seems to be its biggest claim to fame at this point. It isn’t perfect, but it is an improvement. This is the first time I have spent some significant time with the OS and I will simply say it really doesn’t matter anymore. If I have a console, a browser, and a vim I am fine in life.

Windows 10 has some weird design decisions and there is still a ton of work to do in the tablet/touch transition (2 control panels? which start menu thingie do I use?), but I’d say it is on equal footing with KDE and Gnome in this regard.

The App Store

Microsoft, it is a mess and wasteland. Please clean it up. If you know what you are looking for it is fine, but compared to App Stores within iOS and macOS environments it is garbage for discovery. I would go so far as to say the Gnome Software Centre is in better shape.

The “top software” is mostly Edge browser extensions and web apps wrapped into an icon for tablet mode. It is an unacceptable setup and forces people out of your ecosystem, not into it.

Bash on Windows

What a godsend. Full Ubuntu 16.04 environment capable of running a majority of my tools and daily workflows. Microsoft outdid Apple by giving us admins/developers a true GNU environment. Why use homebrew or MacPorts when you can simply apt-get what you need from the current repos? It isn’t perfect, but having now used it on the Insider builds I can tell you it is maturing quickly. Check out the GitHub page if you need to see that progress in real-time.

My hopes are in the coming weeks and months that the Linux subsystem picks up the ability to use devfs and procfs for more low-level things. Being able to plug in a USB NIC for network penetration testing would be the 100% closure of my need for a Linux VM.

Insider Previews

I really like the rolling release schedule being embraced by all the major players. Microsoft really needs to sort out their update times though. Multiple meetings have almost been missed because I rebooted thinking that 20 minutes would be sufficient time to apply 3 hotfixes. My recommendation is that Microsoft provides an estimate of the Update+Shutdown length of time or figures out a way to make it quicker.

Security

Windows Defender and Windows Firewall are still very basic. At this point I simply work under the pretence that all software is inherently insecure. I minimise my attack vector, analyse risks, and mitigate through fixes.

Microsoft still has an uphill battle with their patching lifecycle and fixes to their provided security software, but it isn’t Windows 95 bad anymore. Of special note though, patching once a month is asinine.

Draw me like one of your French Girls

My Wife has taken over my Surface Book. If there are a few minutes here and there where I am not working, she has stolen the tablet and pen and is off to the races drawing. She is an artist at heart and we usually lug around a backpack full of pencils, paper, supplies, etc.

She has wanted an iPad Pro 13”, but was torn between the trade-off of carrying a tablet that was not enough for her work and school while wanting something she could sketch on. I was taken aback to hear her desire to look at a Surface 4 Pro (she doesn’t want a Book apparently due to cost) and begin evaluating what software she’d need to convert over to Windows.

Reminder – if it is Apple she has it. I look over at her stack of technology consisting of Apple Watch, iPhone 6S+, 15” MacBook Pro, and iPad. She is seriously considering the move to cut this stack of tech. That in my mind speaks volumes.

Apple is losing a few key segments it has depended on for ages: UNIX geeks needing a friendly UI/UX with terminal underpinnings and Pro users who create art. We are the groups that our families and friends come to for computer recommendations. For years we have preached to simply get an Apple and leave us alone. I think those times are changing. I can’t recommend my Wife dump a grand on an iPad Pro when she can get a Surface 4 Pro to replace two of her devices at once. She can’t either apparently.

The latest Apple “Hello” announcement did little to course correct for her. She is not excited about the new software or hardware from Apple. I have watched her replay the Surface Studio commercial about 10 times at least. That says something.

Closing Thoughts

Microsoft and Satya Nadella are knocking it out of the ballpark as of late. I am genuinely excited about their hardware designs (looking at you Surface Studio) and think that there is at least a core team at Microsoft who understands the need for better Software UI/UX.

I think that most DevOps types and CLI loving UNIX grey beards could make do on a Surface Book.

Essential Windows Software

Chocolatey – For those items that are not within the Ubuntu repos, think of this as Homebrew or Pacman/Portage/Ports for Windows

AutoClipX – Highlight to copy is integral to my workflow

eM Client – Windows Mail is too limited and Outlook 2016 doesn’t handle Google Apps (errr. GSuite?) at all. Thunderbird is a good option also, but I have had issues with some of the last versions on Windows

Baconit – Excellent Reddit App for Windows 10 in Tablet Mode. Maybe even my favourite app overall for Reddit surfing

HackerNews – Clean, simple, and fast client

TinyRSS Reader – I live on RSS feeds still and this is really the only option for syncing with my server. Works well enough.

Poki – Pocket client for Windows that does offline syncing

Gnu On Windows – Gow is Cygwin-like, but much lighter

OpenWRT and PIA

I use an OpenWRT travel router to deal with public WiFi access security and geolocation concerns. I have written extensively on this before and ran into an issue with the latest OpenWRT release.

For those struggling with PIA using the luci-app-openvpn please see the below for a working config you can place in /etc/config/openvpn.

config openvpn 'piaEU'
        option dev 'tun'
        option nobind '1'
        option verb '3'
        option fast_io '1'
        option persist_tun '1'
        option persist_key '1'
        option client '1'
        option proto 'udp'
        option tls_client '1'
        option remote_cert_tls 'server'
        option cipher 'aes-256-cbc'
        option auth 'sha256'
        option ca '/etc/config/ca.rsa.4096.crt'
        option keepalive '10 120'
        list remote 'nl.privateinternetaccess.com'
        option comp_lzo 'adaptive'
        option auth_user_pass '/etc/openvpn/authuser'
        option resolv_retry 'infinite'
        option reneg_sec '0'
        option disable_occ '1'
        option enabled '1'
        option crl_verify '/etc/config/crl.rsa.4096.pem'
        option port '1197'

The port is a biggie. Make sure it is the correct one for the new secure settings!
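Because the port, cipher, auth digest, CA and CRL all have to match the same server-side profile, a small lint pass catches the copy/paste mistakes before the tunnel silently fails to negotiate. The following is an added example (mine, not the post author's and not part of OpenWRT or PIA): it parses a UCI /etc/config/openvpn file and reports every openvpn section whose settings deviate from the values the working config above uses. The first section in the embedded sample is that working config; the second is constructed to show a mismatch, and its remote hostname is a placeholder.

```python
"""Lint an OpenWRT /etc/config/openvpn file against the PIA 'strong' profile.

Added example, not from the original post. EXPECTED holds the values the post's
working section uses; the second section in SAMPLE_UCI is constructed to show
what the checker flags (its hostname is a placeholder, not a real PIA server).
"""
import shlex

SAMPLE_UCI = """\
config openvpn 'piaEU'
        option dev 'tun'
        option client '1'
        option proto 'udp'
        option tls_client '1'
        option remote_cert_tls 'server'
        option cipher 'aes-256-cbc'
        option auth 'sha256'
        option ca '/etc/config/ca.rsa.4096.crt'
        option keepalive '10 120'
        list remote 'nl.privateinternetaccess.com'
        option auth_user_pass '/etc/openvpn/authuser'
        option crl_verify '/etc/config/crl.rsa.4096.pem'
        option port '1197'

config openvpn 'piaUS_broken'
        option dev 'tun'
        option client '1'
        option cipher 'aes-256-cbc'
        option auth 'sha1'
        option ca '/etc/config/ca.rsa.4096.crt'
        list remote 'pia-us.example.invalid'
        option port '1194'
"""

# Settings that must travel together: the port selects the server-side profile,
# so a strong cipher on the wrong port simply never negotiates.
EXPECTED = {
    "port": "1197",
    "cipher": "aes-256-cbc",
    "auth": "sha256",
    "remote_cert_tls": "server",
    "ca": "/etc/config/ca.rsa.4096.crt",
    "crl_verify": "/etc/config/crl.rsa.4096.pem",
}


def parse_uci(text):
    """Parse UCI 'config/option/list' lines into {section_name: {key: value}}.

    'list' keys accumulate into a Python list. shlex handles the quoting, so a
    value containing a space (keepalive '10 120') survives as one string.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config" and len(parts) >= 3:
            current = sections.setdefault(parts[2], {"_type": parts[1]})
        elif parts[0] == "option" and current is not None and len(parts) == 3:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None and len(parts) == 3:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def check_section(opts):
    """Return a list of human-readable problems for one openvpn section."""
    problems = []
    for key, want in EXPECTED.items():
        got = opts.get(key)
        if got is None:
            problems.append(f"missing {key} (expected {want!r})")
        elif got != want:
            problems.append(f"{key}={got!r} does not match {want!r}")
    # Credentials and at least one remote are needed for the tunnel to come up at all.
    if "auth_user_pass" not in opts:
        problems.append("missing auth_user_pass (credential file)")
    if not opts.get("remote"):
        problems.append("no 'list remote' entries")
    return problems


def lint(text):
    """Lint every openvpn section in a UCI file; returns {section: [problems]}."""
    return {name: check_section(opts)
            for name, opts in parse_uci(text).items()
            if opts.get("_type") == "openvpn"}


if __name__ == "__main__":
    for name, problems in lint(SAMPLE_UCI).items():
        print(f"[{'OK' if not problems else 'MISMATCH'}] {name}")
        for p in problems:
            print("   -", p)
```

Run it against the real file with `lint(open("/etc/config/openvpn").read())`; a section that reports only the `auth_user_pass` or `remote` problems is a credentials issue, anything else is a profile mismatch.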

Ring Doorbell Security

The Ring Doorbell has been invaluable as we travel the world. The reactions of people are oftentimes pretty funny as the doorbell they just pressed begins talking to them and asking them to do some action in our absence. Even over our very low-bandwidth WiMAX link it is usable. The most annoying part of the device, until now, is that our dog Bentley goes crazy when the device rings the multitude of devices. Even when we are abroad, if he hears the phone notification he goes ballistic, instinctively knowing someone is in his yard…from a few hundred/thousand miles away.

I started getting some odd alarms on my internal network Snort sensor indicating that my doorbell was attempting to use Base64-encoded Basic auth over port 80. Possibly it was just my doorbell, so I reached out to support to ask:

Okay so with the answer from support I needed to look into things more. I started by performing a packet capture between the device and my firewall. I was able to capture the port 80 communication path without much issue. It appears that events (motion, button press, etc.) are communicated to home base over Port 80 via a JSON blob. The JSON structure is at the end of this post.

We can see from the above that the ID value is temporally consistent as the session control mechanism for the SIP server to identify the doorbell being rung. I logged into their website to see if the same JSON ID followed me there, but it seems the ID is temporal and possibly controlled as part of the authentication server instead of the button press itself. The SIP from address is always the MAC address of the device @ring.com. Having now captured multiple events, I can safely say that the JSON ID information changes between the sessions.

After the press the SIP server accepts the “push” as a call event and then sends out the group call to the various iPhones and iPads logged in to start a call as needed. It is an interesting concept to use a SIP Group to handle the communications path. Once the call is “answered” no other device can join the session so it is very much 1:1.

I find it interesting, as someone who does VoIP software, that they chose to use G.711 PCM as the media format with H.264 RTP with DynamicRTP Type 97. It seems there are much more resilient protocols you could have chosen for dealing with the latency/bandwidth constraints. Alas I digress…

Further down the SIP communication channel I finally found what was triggering my Snort alarms. There in clear text was the Basic Auth using a Base64 encoded stream.

Base64: MDAxZGM5MWUyMGEyOjZmMjhlMWM3ZGE0M2JjMTFmZjU1ZjBmMDU4MDM2NTU2AA==
Decoded: 001dc91e20a2:6f28e1c7da43bc11ff55f0f058036556

I recognised the first part of the decode as the MAC address of the device itself, 00:1d:c9:1e:20:a2. The remaining 32 alphanumeric characters seem to be an MD5 hash best I can tell. I ran the MD5 hash through my usual suspect sources for collisions in the basement with no luck. My hope is that the MAC serves as the ID and the MD5 hash as the password, which would be my guess. Why you would pass this over HTTP is beyond me though.
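The check the Snort sensor performed can be reproduced in a few lines, which also makes the shape of the credential obvious. The following is an added example (mine, not the post author's, and not Ring's or Snort's code): it scans request header blocks for a Basic header, flags any seen on a plaintext port, decodes the payload, and notes when the username is a bare MAC address and the secret is 32 hex characters. The Base64 string is the one captured above; the three request blocks around it are constructed, using the host and button-press path that appear in the post's JSON, and the request method is assumed.

```python
"""Flag HTTP Basic credentials sent in the clear and describe their shape.

Added example, not from the original post. The first Authorization value is the
post's captured Base64 string; the request blocks around it are constructed
(host and path from the post's JSON, method assumed).
"""
import base64
import binascii
import re

SAMPLE_REQUESTS = [
    (80, "POST /doorbots_api/motions/640791565/button_pressed HTTP/1.1\r\n"
         "Host: fw.ring.com\r\n"
         "Authorization: Basic MDAxZGM5MWUyMGEyOjZmMjhlMWM3ZGE0M2JjMTFmZjU1ZjBmMDU4MDM2NTU2AA==\r\n"
         "Content-Type: application/json\r\n\r\n"),
    (443, "GET /status HTTP/1.1\r\n"
          "Host: fw.ring.com\r\n"
          "Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    (80, "GET /healthz HTTP/1.1\r\nHost: fw.ring.com\r\n\r\n"),
]

PLAINTEXT_PORTS = {80, 8080}
MAC_HEX = re.compile(r"^[0-9a-f]{12}$")
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def decode_basic(value):
    """Decode the Base64 payload of a Basic header into (user, secret).

    Returns None if the payload is not valid Base64 or lacks the ':' separator.
    The doorbell's payload ends in a NUL byte (the trailing 'AA=='), typical of
    a client that Base64-encodes a C string including its terminator; it is
    stripped before splitting.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    raw = raw.rstrip(b"\x00")
    if b":" not in raw:
        return None
    user, secret = raw.split(b":", 1)
    return user.decode("latin-1"), secret.decode("latin-1")


def describe_credential(user, secret):
    """Classify the credential shape: a device identity (MAC) plus a fixed-length
    hex secret looks nothing like a human login, which is the analyst's cue."""
    notes = []
    if MAC_HEX.match(user):
        mac = ":".join(user[i:i + 2] for i in range(0, 12, 2))
        notes.append(f"username is a MAC address ({mac})")
    if HEX32.match(secret):
        notes.append("secret is 32 hex chars (MD5-length digest)")
    return notes


def inspect(port, request):
    """Return a finding dict for one request, or None if it carries no Basic auth."""
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", request, re.M | re.I)
    if not m:
        return None
    finding = {"port": port, "cleartext": port in PLAINTEXT_PORTS, "notes": []}
    decoded = decode_basic(m.group(1))
    if decoded is None:
        finding["notes"].append("undecodable Basic payload")
        return finding
    finding["user"], finding["secret"] = decoded
    finding["notes"].extend(describe_credential(*decoded))
    return finding


def scan(requests=SAMPLE_REQUESTS):
    """Run inspect() over all requests and keep only Basic auth on plaintext ports."""
    findings = [f for f in (inspect(p, r) for p, r in requests) if f]
    return [f for f in findings if f["cleartext"]]


if __name__ == "__main__":
    for f in scan():
        print(f"ALERT port {f['port']}: Basic auth in the clear, user={f['user']!r}")
        for n in f["notes"]:
            print("   -", n)
```

The port filter is deliberately the only thing that decides "cleartext": Basic auth over TLS (the 443 sample) is dropped from the report, since the credential is then no more exposed than any other header.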

I stopped short of actually probing the API endpoint with JSON. Without allowance from the company and security team I didn’t think this prudent. Wanted to head-off the question as to why I didn’t dig deeper.

In the security world we always evaluate the vulnerability against the risk. Additionally we focus on a defence-in-depth approach to make sure that multiple protections are in place versus relying on one. For us we have multiple camera identification rings before you make it to our front door, with physical access identification at the road. Within our internal network I segment the Ring doorbell device on a private VLAN to make sure any communication channel is limited to the device and its home servers versus my greater network. This, plus 802.1x on our home network, ensures that even with the insecure authentication and settings passing, you can do little harm to us.

For this case, in our configuration, the usability outweighs the risk. I would make a few recommendations to Ring though:

  1. Switch to something like Opus for your audio encoding. This would be better for users like myself who live on poor WAN links.
  2. Move your video streaming to VP9 or something more bandwidth efficient.
  3. Once you implement more efficient audio and video codecs, you should be able to migrate your SIP sessions to TLS without much issue.
  4. Secure your authentication and JSON configuration streams with HTTPS at the very least! COME ON!

Video of Bentley flipping out with the doorbell:

JSON blob:

{
    "motion": {
        "id": "640791565",
        "state": "ringing",
        "motion_snooze": 2,
        "sip_server_ip": "52.23.89.147",
        "sip_server_port": "15063",
        "sip_server_tls": "false",
        "sip_session_id": "665021697-1469363028",
        "sip_server_tls_port": "15064",
        "sip_from": "sip:001dc91e20a2@ring.com",
        "sip_to": "sip:665021697-1469363028@52.23.89.147",
        "button_press_path": "/doorbots_api/motions/640791565/button_pressed",
        "mic_volume": 11,
        "voice_volume": 11,
        "stream_profile": 2,
        "udp_ping_server": null,
        "udp_ping_port": null,
        "enable_recording": 1
    },
    "settings": {
        "utc_offset": "-04:00",
        "keep_alive": 15,
        "doorbell_volume": 8,
        "enable_chime": 1,
        "enable_vod": 0,
        "exposure_control": 2,
        "theft_alarm_enable": 0,
        "pir_sensitivity_1": 10,
        "pir_sensitivity_2": 5,
        "pir_sensitivity_3": 5,
        "pir_zone_enable": 7,
        "use_cached_domain": 0,
        "use_server_ip": 0,
        "server_domain": "fw.ring.com",
        "server_ip": null,
        "enable_log": 1,
        "keep_alive_ms": 15000
    }
}

Apache and HTTP Headers with Underscores

Starting with Apache 2.4, request headers whose names contain underscores are dropped before the CGI/WSGI environment is built; dashes are expected instead. Red Hat backported this change into the Apache 2.2 that ships with 6.7. You can read more here: https://httpd.apache.org/docs/2.4/env.html

If you run into the issue where your REMOTE_USER or similar is not being passed to your WSGI application or similar, it is most likely due to the above. Good news: easy fix. I came across this issue with the wonderful Oracle Access Manager (OAM) 10g. Side note: what a crappy piece of code and a disgrace to authentication mechanisms everywhere.

In this example I am looking for OAM_REMOTE_USER.

In your virtualhost config:

# Match the underscore header name (the '.' also matches '_') and stash its value in an env var
SetEnvIfNoCase ^OAM.REMOTE.USER$ ^(.*)$ fix_accept_encoding=$1
# Re-inject it under the dash form so it reaches the CGI/WSGI environment as HTTP_OAM_REMOTE_USER
RequestHeader set OAM-REMOTE-USER %{fix_accept_encoding}e env=fix_accept_encoding

If you are using mod_wsgi for Django or Flask, you will need to add:

WSGIPassAuthorization On
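The reason httpd drops the underscore form is worth seeing in code, because it is also the reason the rewrite above has to be applied only to headers set by a trusted component. The following is an added example (mine, not the post author's and not part of httpd or mod_wsgi): it applies the CGI header-to-environment name mapping, shows that an underscore name and its dash twin collide on the same HTTP_ key, and emulates the SetEnvIfNoCase/RequestHeader pair from the post. The header lists are constructed and the host name is a placeholder.

```python
"""Why httpd 2.4 drops underscore header names, and how the rewrite restores them.

Added example, not from the original post. CGI/WSGI map every request header to
HTTP_<NAME> with '-' turned into '_' and the name upper-cased, so OAM_REMOTE_USER
and OAM-REMOTE-USER both become HTTP_OAM_REMOTE_USER. httpd 2.4 removes the
ambiguity by dropping names containing '_' before building the environment.
The header lists below are constructed; the host name is a placeholder.
"""


def cgi_env_name(header):
    """Header name -> CGI/WSGI environment key (RFC 3875 style)."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_environ(headers, apache24=True):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs.

    With apache24=True, names containing '_' are dropped (httpd 2.4 behaviour).
    Returns (environ, collisions), where collisions lists env keys that two
    differently named headers mapped to.
    """
    env, seen, collisions = {}, {}, []
    for name, value in headers:
        if apache24 and "_" in name:
            continue
        key = cgi_env_name(name)
        if key in seen and seen[key] != name:
            collisions.append(key)
        seen[key] = name
        env[key] = value
    return env, collisions


def rewrite_underscore_header(headers, wanted="OAM_REMOTE_USER"):
    """Emulate the post's SetEnvIfNoCase/RequestHeader pair: copy the value of
    the underscore-named header onto its dash-named twin and drop the original,
    so that build_environ() with apache24=True still sees the value.
    """
    dash = wanted.replace("_", "-")
    out = [(n, v) for n, v in headers if n.upper() not in (wanted, dash)]
    for n, v in headers:
        if n.upper() == wanted:
            out.append((dash, v))
    return out


# Constructed: the header as the OAM WebGate sets it (underscore form).
FROM_OAM = [("Host", "app.example.invalid"), ("OAM_REMOTE_USER", "alice")]

# Constructed: both spellings present in one request; without the 2.4 rule the
# last one written wins and the application cannot tell which source it trusts.
AMBIGUOUS = [("Host", "app.example.invalid"),
             ("OAM_REMOTE_USER", "alice"), ("OAM-REMOTE-USER", "bob")]


if __name__ == "__main__":
    env, col = build_environ(FROM_OAM)
    print("2.4, untouched:", env.get("HTTP_OAM_REMOTE_USER"))          # None
    env, col = build_environ(rewrite_underscore_header(FROM_OAM))
    print("2.4, rewritten:", env.get("HTTP_OAM_REMOTE_USER"))          # alice
    env, col = build_environ(AMBIGUOUS, apache24=False)
    print("2.2 style, collisions:", col)                                # ['HTTP_OAM_REMOTE_USER']
```

The rewrite is only as trustworthy as the header it copies: it should run where the underscore header can come only from the WebGate (or whichever trusted module sets it), never where a client-supplied copy of the same name could reach the SetEnvIfNoCase line.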
Lenovo Yoga Tab 3 Pro Review

After the unfortunate loss of my 2014 Nexus 7 tablet I was on the prowl for a replacement. I prefer to keep an Android tablet due to the flexibility to use it as a mini Linux workstation if the need arises. The USB OTG support means the tablet is capable of taking on most of the tasks I use my Linux laptop with in the event I am stuck somewhere. Additionally I wanted a tablet that really excelled at media consumption as that is the primary use for a tablet in my workflow.

  • Great battery life
  • Android based
  • Media centric
  • USB OTG Support
  • SD Card support

Truth be told I prefer iOS-based devices for the security aspect, but I remove all sensitive and work related accounts from my tablets and accept Android’s still broken security model.

I ended up looking at the latest and greatest from each vendor and ruled out most of them due to lacking some part of my requirements list. The one that really piqued my interest was the Lenovo Yoga Tab 3 Pro due to the projector, integrated stand, and great battery life. I had a heck of a time tracking one down stateside, but was able to order one directly from Lenovo.

Now having traveled with the device (the true test of a tablet) I feel I can offer my overall feedback on the device.

The good

  • Battery life is easily the best for screen-on I have seen in a tablet. The iPad has MUCH better standby, but for watching TV shows and Movies it is hard to beat
  • I like the hand grip more than I expected
  • The projector is enough for watching TV shows while we fall asleep in hotel rooms. We learned from this trip though we need a better mechanism to stand it up in odd-shaped hotel rooms
  • The SD card works as advertised and we brought tons of media
  • Lenovo didn’t muck up the Android build with too much crap, but they did severely limit the device
  • Screen is beautiful and the front-facing speakers are incredible. Why any tablet ships without front-facing speakers is beyond me

The bad

  • Slow and jerky. I kid you not. It makes using an iPad an absolute joy compared to Android. 2GiB RAM appears to be the biggest hindrance, but I blame it more on the Lenovo kernel build (~800MiB in use after fresh boot) as well as Android’s piss poor memory management. I type my pin in wrong all the time due to the numbers not registering
  • Android 5.1.1 is tough to use after having Android 6. It appears that Lenovo will slowly update this device as they do all others. They have released a series of patches the past month, but none that actually fix the systemic issues
  • No accessories as it isn’t a Samsung, Apple, or Google device. Lenovo needs to build an ecosystem around their flagship devices with simple things like cases and similar
  • The screen is incapable of staying at full brightness while playing intense games like Atlantic Fleet which leads me to question what the QA process was for the device
  • It feels…cheap…the stand creaks and the edges don’t align as much as I would have hoped for a device at this price point

Overall I’d say unless you really want a projector and stand built-in, buy an iPad. I keep hoping that Google will fix their atrocious tablet OS and that Android vendors actually focus on delivering a quality product versus churning out SKUs. If it were not for my geekiness and needing to run dual mobile OS for things I would not be tossing my dollars at them until they can get their heads on straight.

Links on the issues with the tablet:

http://www.androidauthority.com/community/threads/brand-new-lenovo-yoga-tab-3-pro-is-extremely-slow.26667/

https://forums.lenovo.com/t5/Android-Yoga-Series-Tablets/Lenovo-Yoga-Tablet-3-Pro-Serious-memory-issues-bug-report/td-p/2224202