The Ingredients:

1. Apple Thunderbolt Display
2. MacBook Air 11″
3. OS X 10.7 Lion which added the tmutil command
4. Iomega eGo USB Drive
5. Debian 6.0 Server with oodles of encrypted disk space
6. Gigabit network
7. ControlPlane for geolocation detection

Secret Magic Scripts:

First we need to create a HOME script. This will be called when the MacBook Air detects that it is on a super-fast connection instead of that yucky Wifi.

sudo vi /opt/local/bin/switchtimemachinehome.sh

#!/bin/bash
#This will change your Time Machine setting the backup to your home server
sleep 5
tmutil setdestination afp://username:password@10.10.10.1/TimeMachineNAS/
sleep 5
tmutil startbackup

Obviously you will want to modify the username:password and destination. Something that will trip you up (hopefully) is your complex password does not work in the URL. If this is the case then please use the below AppleScript to modify it for you. Standard POSIX/UNIXy type things do not work.

Open AppleScript Editor and put in the following and run

set theText to "I want to pass this text, via GET, to a url!"
set theText to text returned of (display dialog "encode what" default answer theText)
set theTextEnc to urlencode(theText) of me
display dialog theTextEnc default answer theTextEnc

on urlencode(theText)
set theTextEnc to ""
repeat with eachChar in characters of theText
set useChar to eachChar
set eachCharNum to ASCII number of eachChar
if eachCharNum = 32 then
set useChar to "+"
else if (eachCharNum ≠ 42) and (eachCharNum ≠ 95) and (eachCharNum < 45 or eachCharNum > 46) and (eachCharNum < 48 or eachCharNum > 57) and (eachCharNum < 65 or eachCharNum > 90) and (eachCharNum < 97 or eachCharNum > 122) then
set firstDig to round (eachCharNum / 16) rounding down
set secondDig to eachCharNum mod 16
 

if firstDig > 9 then
set aNum to firstDig + 55
set firstDig to ASCII character aNum
end if

if secondDig > 9 then
set aNum to secondDig + 55
set secondDig to ASCII character aNum
end if
 

set numHex to ("%" & (firstDig as string) & (secondDig as string)) as string
set useChar to numHex
end if
set theTextEnc to theTextEnc & useChar as string

end repeat
return theTextEnc
end urlencode

After that we need to give ControlPlane something to call when we are on the road and have nothing but that simple USB drive we lug around.

sudo vi /opt/local/bin/switchtimemachinemobile.sh

#!/bin/bash
#This will change your Time Machine setting the backup to your home server
sleep 5
tmutil setdestination /Volumes/RubbageHolder/
sleep 5
tmutil startbackup

Lets now make both files executable or the scripts will fail

sudo chmod +x /opt/local/bin/switchtimemachinehome.sh

sudo chmod +x /opt/local/bin/switchtimemachinemobile.sh

Letting the Penguins talk to the Fruit:

In order for our Debian server to be useful we need to give it a secret decoder ring. This means installing some software and announcing itself a certain way for the Mac machines to recognize it as a Mac Server. You can also do this with a standard Mac server, but I prefer my servers to be Linux/BSD based. NOTE: If you are securing your backups using encrypted USB drives, but fail to encrypt your home NAS – SHAME ON YOU! So lets get started by issuing a SSH to our home server.

1. sudo apt-get install netatalk avahi-daemon
2. sudo vi /etc/netatalk/AppleVolumes.default
3. Add the line: /share/Backup           “TimeMachineNAS”         options:tm to the end of the file

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>

<service>
 <type>_afpovertcp._tcp</type>
 <port>548</port>
</service>

<service>
 <type>_device-info._tcp</type>
 <port>0</port>
 <txt-record>model=Xserve</txt-record>
</service>

<service>
 <type>_adisk._tcp</type>
 <port>9</port>
 <txt-record>sys=waMA=00:00:00:00:00,adVF=0x100</txt-record>
 <txt-record>dk0=adVF=0x83,adVN=TimeMachineNAS</txt-record>
</service>

</service-group>

Convince the Mac its right at home:

To convince the Mac machine that its talking to an approved machine we have to open a Terminal and type in the following command: defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

Location, Location, Location:

The next few steps are important and complicated, but its the logic we assign to your Mac to know which location it is in. ControlPlane can provide many rules to determining location such as network adapter, bluetooth, time of day, etc. Since I have that spiffy new Thunderbolt Display I am lucky enough to have a guaranteed en3 network adapter each time I plugin. Your adapter may vary, but the logic in the following screenshots states: IF en3 (Display Adapter) is active THEN assume the location of the laptop is home. Inversely if en3 is not active then assume the machine is away. For me this works great for when the laptop is upstairs, but still in the house. I obviously wouldn’t want to backup 256GiB over the wifi link.

1. Open ControlPlane and ensure that it is started at login and that Enable automatic switching is in use

2. Under evidence sources ensure that NetworkLink (or whatever you are using as the rule indicator) is checked

3. Create two new Contexts; Home and Away

4. Click the “+” and add a new rule

5. First rule states the en3 link is active and context is HOME

6. Next create an en3 is INACTIVE rule and assign it to Away. Your Rules screen should look like the below

7. With rules and contexts in place we can assign actions to those Context by executing our shell script switchtimemachinehome.sh on Context Home…

8. And executing shell script switchtimemachinemobile.sh on Context Away

1. cat /proc/partitions
2. Notice the Major/Minor columns associated with the partition you wish to mount. I will use /dev/sda1 as an example
3. mknod /dev/sda b 8 0
4. mknod /dev/sda1 b 8 1
5. mount /dev/sda1 /mnt/tmp

Now you can copy your new kernel over outside the dm-crypt and boot correctly!

Shameless exploit of meme I know...

I can’t take it anymore! I lurk on irc.freenode.net and /r/netsec and have seen a few too many mornings now that some person is safe, they used Tor. There is a big misunderstanding in what Tor actually does and protects. Here is my log in the fire to help explain the technology. Lets start with the basics…

What is Tor?

• Tor is a system intended to enable online anonymity, composed of client software and a network of servers which can hide information about users’ locations and other factors which might identify them. Use of this system makes it more difficult to trace internet traffic to the user, including visits to Web sites, online posts, instant messages, and other communication forms. It is intended to protect users’ personal freedom, privacy, and ability to conduct confidential business, by keeping their internet activities from being monitored. The software is open-source and the network is free of charge to use. Source: http://en.wikipedia.org/wiki/Tor_(anonymity_network)

So Tor helps you hide information about your location and personal information. A note here that is generally forgotten: A misconfigured Tor node does not guarantee anonymity. Lets walk through a standard Tor exchange with a user using Tor to get to http://google.com.

1. The user opens the browser that is configured to tunnel through their Tor node proxy server
2. The HTTP request is sent to the nearest known node and begins its transport through the Tor network
3. All communication within the node is encrypted using TLS/SSLv3 (shown with the red lines)
4. The HTTP request finds its way to the Exit Node shown in Green
5. Once the traffic leaves the Tor network through the exit node it is back to unencrypted HTTP requests
6. Our little robber dude is snatching your packets up

What we learn is that the same attack vectors exist for unencrypted traffic wether you are using Tor or not. As George Fuechsel from IBM would say “Garbage In, Garbage Out.” Likewise if you toss unencrypted traffic in you get unencrypted traffic out. Lets run this scenario again, but this time use the encrypted search function of Google by visiting: https://encrypted.google.com/

1. The user opens the browser that is configured to tunnel through their Tor node proxy server
2. The HTTPS request is sent to the nearest known node and begins its transport through the Tor network
3. All communication within the node is encrypted using TLS/SSLv3 (shown with the red lines)
4. The HTTP request finds its way to the Exit Node shown in Green
5. Once the traffic leaves the Tor network through the exit node it is back to HTTPS requests
6. Our little robber dude is left wondering what, who, and why the traffic was traversing Tor

By using HTTPS we have moved the attack vector from simple packet capturing to now the need to crack HTTPS. I focused entirely on HTTP, but it extends to ALL traffic types. That is why if you are using Instant Messenger or IRC through Tor you need to rely on TLS or OTR to provide encryption in addition to the standard clients. I hope this clears up some of the misunderstanding about what Tor is and what it protects (or doesn’t protect).

— UPDATE —

After receiving countless comments about this being the same vulnerability with VPN technologies, yes you are correct. Unless your end-to-end traffic begins and ends inside the tunnel then you are vulnerable to the same exploits. The difference is many users relate Tor=Anonymity and Security. In addition most users would not have access to an IPsec or OpenVPN end-point. Many on the other hand are turning to Tor after they hear word like encryption, proxy, and anonymous thrown around in the same breath. I would argue that due to the lack of understanding in how Tor and by an extension of that VPNs work, people are left with a false sense of security. As my Air Force security instructor taught me in BIP200 “You can’t lock the front door and leave the windows open and expect someone to not be able to break in.”

1. Create a salt file for random data that we will later use to encrypt the volume. I post mine in /etc/saltmine, but you can place it anywhere.

2. We need to setup a volume to encrypt. I am going to assume you are using this to encrypt your /home directory, but the same instructions work for any folder you might be doing this with. This example assumes a 1GiB file. Enter the command: dd if=/dev/zero of=/home_crypt bs=1m count=1024

3. With the image file created we can tell svnd to encrypt the volume and associate it with a dev node. In the command you will see that we are specifying the number of rounds with the -K and our salt file with -S. You will need to note that we are using svnd1 and the -K -S values as they will be needed to mount. vnconfig  -v -c -K 1440 -S /etc/saltmine svnd1 /home_crypt

4. Now we initialize a black MBR on the image: fdisk -iy svnd1

5. We need to create a filesystem so that we can mount and copy our preexisting data across. This will look very much like your install process when you began. For more information on howto use disklabel, reference the man pages. The key here is that we issue: disklabel -E svnd1

6. Now we create the filesystem: newfs /dev/rsvnd1a

7. In order for us to mount this as our home drive we must move our preexisting data. mv /home /home.orig

8. Create a home directory and mount your svnd image: mkdir /home && mount /dev/svnd1a /home There you have it. You can rsync your data back from your prior home folder with: rsync -av /home.orig/* /home

9. Now lets walk through unmounting the file. The difference between mounting a standard drive versus this is that we have two steps, unmounting and removing the association with the svnd file. umount /home && vnconfig -v -u /dev/svnd1

10. To ensure on reboot you are autoprompted for the password before logging in (and therefore keeping your /home intact) we need to edit /etc/rc.local What we do here is automate the vnconfig command from earlier

11. Likewise to mounting on startup, we want to unmount on shutdown. Edit the /etc/rc.shutdown file and ensure the umount commands and removal of the svnd association are present

12. On reboot you will be stopped until you enter your passphrase from earlier. Success!

—- Great tip from David @ www.davidkrause.com —-

I can’t seem to leave a comment on your article but fstab has support
for encrypted svnds.  Then you don’t have to pass so many options to
vnconfig.

For example:

/home/mnt/mydir /dev/svnd1c vnd rw,-K=20000,-S=/home/mnt/mydir.slt 0 0
/dev/svnd1a /home/mydir ffs rw,sync,noauto,nodev,nosuid 0 0

Then you can run:
mount /home/mnt/mydir
mount /home/mydir

I have some local changes to /etc/rc and /etc/rc.shutdown to make this
nicer though.  Without this the boot will hang until the key is entered,
but some people might want that.  Then the second part does the fsck and
mounts the final partition since it’s noauto.

David

— rc  Thu Jan 20 01:29:49 2011
+++ /etc/rc     Tue Jan 18 00:37:59 2011
@@ -495,7 +495,13 @@
fi
echo ‘.’

-mount -a
+echo “Press Control-C within the next 10 secounds to mount vnd.”
+sleep 10
+if [ $? -eq 0 ]; then
+       mount -a -t novnd
+else
+       mount -a
+fi

swapctl -A -t noblk

@@ -564,6 +570,17 @@
fi
done
fi
+
+# mount any vnd-backed filesystems (must be after dev_mkdb runs)
+for vnd in `vnconfig -l | fgrep covering | cut -d: -f1`; do
+       for vndpart in `grep ^/dev/s$vnd /etc/fstab | awk ‘{ print $1 }’`; do
+               echo “mounting vnd $vndpart”
+               fsck -p $vndpart
+               if [ $? -eq 0 ]; then
+                       mount $vndpart
+               fi
+       done
+done

[ -f /etc/rc.securelevel ] && . /etc/rc.securelevel
if [ X"${securelevel}" != X"" ]; then

• Install Windows 7 to active Verizon Gobi Modem and Firmware
• Install GMA 500 Graphics driver
  • wget http://dl.dropbox.com/u/1338581/Gma500/scripts/poulsbo.sh && sh ./poulsbo.sh
  • add mem=2000 /etc/default/grub
  • update-grub
  • After reboot dpkg-reconfigure psb-kernel-source
• Edit /etc/apt/sources.list to include universe and multiverse
• sudo apt-get dist-upgrade
• reboot
• Update system to include SSD optimizations
• Install sony-laptop-zseries module
  • http://www.logic.at/people/preining/software/
  • sudo -i
  • mkdir -p /usr/share/sony-laptop
  • Extract np5 into directory
  • ln -sf ../share/sony-laptop/sony-laptop-zseries-0.9np5 /usr/src/sony-laptop-zseries-0.9np5
  • dkms add -m sony-laptop-zseries -v 0.9np5
  • /etc/init.d/dkms_autoinstaller start
  • vi /etc/modules
• Turn on WWAN hardware
  • mkdir /lib/firmware/gobi
  • Copy files from:
    • C:\Program Files\Qualcomm\Images\Sony\1\AMSS.mbn
    • C:\Program Files\Qualcomm\Images\Sony\1\Apps.mbn
    • C:\Program Files\Qualcomm\Images\Sony\1\UQCN.mbn
    • to /lib/firmware/gobi
  • Download qcserial and extract to /usr/src/
    • http://westhoffswelt.de/data/blog/vaiox_gobi2000/qcserial_with_gobi2000_support.tar.gz
    • cd /usr/src/qcserial
    • make
    • make install
    • echo “qcserial” >>/etc/modules
  • Download gobi loader for Linux and extract to /usr/src
    • http://westhoffswelt.de/data/blog/vaiox_gobi2000/gobi_loader_with_gobi2000_support.tar.gz
    • make
    • make install
• Enable Suspend
  • Install PSB fix in /etc/pm/sleep.d/99_psb_fix
  • Touch /etc/pm/sleep.d/98smart-kernel-video
  • Install USB Wakeup fix for QCSerial Gobi issue in /usr/lib/pm-utils/sleep.d/00usbsleep
• Enable console framebuffer
  • Edit /etc/default/grub
  • set gfxmode=1024×768
    • You can do the full 1600×768, but on the console I prefer larger fonts
  • Edit /etc/grub.d/00_header
    • • if loadfont `make_system_path_relative_to_its_root ${GRUB_FONT_PATH}` ; then
      • set gfxmode=${GRUB_GFXMODE}
      • set gfxpayload=keep
    • IT HAS TO GO UNDER “set gfxmode…”
• Enable scroll trackpoint
  • sudo vi /etc/hal/fdi/policy/mouse-wheel.fdi
• Install RFkill Applet to disable radios
  • http://www.logic.at/people/preining/software/rfkill-applet-0.6.tar.gz
  • Execute with the following installer: rfkill install.sh
  • Reboot and add to panel
• Internal Mic Fix
  • sudo apt-get install linux-backports-modules-alsa-2.6.31-20-generic
  • sudo add-apt-repository ppa:ricotz/unstable
  • sudo apt-get update && sudo apt-get dist-upgrade
  • Edit /etc/modprobe.d/alsa-base.conf
  • Add at the bottom of the file
    • options snd-hda-intel model=toshiba-s06 power_save=10 power_save_controller=N
  • On Sound Preferences change Profile to Analog Stereo Duplex
  • Turn speaker volume up HIGH

Ubuntu Linux 9.10 SSD Optimizations

Disable Access Time Attributes
Edit your /etc/fstab. Modify the root partitions settings. Add noatime and nodiratime to defaults.

/dev/sda2 / ext4 noatime,nodiratime,errors=remount-ro 0       1

Optimizing the Kernel
Add the following to the /etc/sysctl.conf

vm.swappiness=0
vm.vfs_cache_pressure=50

Optimizing the Scheduler
Edit /etc/default/grub and add noop to end of mem=2000MB

GRUB_CMDLINE_LINUX_DEFAULT=”quiet splash mem=2000MB elevator=noop”

Run sudo update-grub afterward

RFKill Install.sh – the program doesn’t include an install program. Here is a small script

#!/bin/bash

sudo cp rfkill-applet.py /usr/bin/rfkill-applet
sudo chmod a+x /usr/bin/rfkill-applet
sudo cp rfkill-applet.server /usr/lib/bonobo/servers/
sudo chmod a+x /usr/lib/bonobo/servers/rfkill-applet.server
sudo cp rfkill-applet.png /usr/share/pixmaps
sudo cp rfkill-applet-hardoff.png /usr/share/pixmaps
sudo cp rfkill-applet.config /etc/

/etc/hal/fdi/policy/mouse-wheel.fdi

<?xml version=”1.0″ encoding=”UTF-8″?>

<match key=”info.product” string=”PS/2 Generic Mouse”>
<merge key=”input.x11_options.EmulateWheel” type=”string”>true</merge>
<merge key=”input.x11_options.EmulateWheelButton” type=”string”>2</merge>
<merge key=”input.x11_options.YAxisMapping” type=”string”>4 5</merge>
<merge key=”input.x11_options.Emulate3Buttons” type=”string”>true</merge>
<merge key=”input.x11_options.EmulateWheelTimeout” type=”string”>200</merge>
</match>

/usr/lib/pm-utils/sleep.d/00usbsleep

# disable wakeup events when suspending from USB
echo disabled > /sys/bus/usb/devices/usb1/power/wakeup
echo disabled > /sys/bus/usb/devices/usb2/power/wakeup
echo disabled > /sys/bus/usb/devices/usb3/power/wakeup
echo disabled > /sys/bus/usb/devices/usb4/power/wakeup

/etc/pm/sleep.d/99_psb_fix

#!/bin/sh

ACTION=$1

case “$ACTION” in
suspend|hibernate)
fgconsole >/tmp/xconsole.pm-sleep.tmp
;;
resume|thaw)
chvt 1
chvt `cat /tmp/xconsole.pm-sleep.tmp`
;;

esac

To install sudo dpkg -i drivers-lexprtdrv_552-2_i386.deb

“Error in service module”
If it keeps you from logging in, boot single user and touch /var/log/lastlog as root

When using CloneZilla you can capture server images and redeploy them unless there are hardware differences. To fix issues with hardware changes between physical server hardware and VMware here are my fix actions:

• Windows 2003 Enterprise
  • Change the hard drive to IDE from SCSI. Windows will blue screen when you boot after image deployment since it cannot find the drive to boot from. You will get the error: 0x0000007b
  • After booting windows 2003 you can then install the BusLogic or LSI SCSI drivers
• Red Hat Linux 5
  • Boot with the first CD of the install set and instead of an install, use linux rescue.
  • Once booted chroot /mnt/sysimage
  • Blank out the /etc/modprobe.conf
  • mv /boot/initrd-2.6.18-20.el5.img /boot/initrd-2.6.18-20.el5.img.orig
  • mkinitrd /boot/initrd-2.6.18-20.el5.img 2.6.18-20.el5
  • reboot
• Windows XP
  • Change the hard drive to IDE from SCSI. Windows XP in the default install does not include the two SCSI adapters VMware supports, BusLogic or LSI Logic.
  • During the CloneZilla restore you are given a few options. The ones to select to ensure a successful MBR restore are:
    • -t1
    • -j1

These settings will allow you to move your physical clonezilla images to vmware.