1. cat /proc/partitions
2. Notice the Major/Minor columns associated with the partition you wish to mount. I will use /dev/sda1 as an example
3. mknod /dev/sda b 8 0
4. mknod /dev/sda1 b 8 1
5. mount /dev/sda1 /mnt/tmp

Now you can copy your new kernel over outside the dm-crypt and boot correctly!

As I test virtualization platforms I try to keep a matrix that shows which tools will manage what host types. I figured it could be of use to some other architects and CTO out there. If I missed any please let me know!

Google Docs Spreadsheet Link to Matrix

I will start with Linux. There are RPM and DEB files, but where is the fun with that? In order to hit the most people possible, if you follow these instructions to build from source you will be just spiffy. Note that there is an initiative with the Red Hat Linux PKI Team to implement the fixes from CACkey into Coolkey, but it has only flowed to some initial Fedora packages thus far. These instructions will not age well once that coolkeys package hits the main debian, ubuntu, rhel, etc.

1. Download the latest Firefox extension for installing the root certificates for both the Federal and DoD CA from here: DoD Firefox Extension
2. Next we need to install the *.xpi file into Firefox. I will assume you are more than capable of doing this. When you are done, restart the browser and allow it to fetch the certificates
3. Download the source-code for cackey from here: CACKey Source
4. Install the libpcsclite-dev package for your distro. The one mentioned here is for Debian Unstable
5. Extract: tar xfvz cackey-0.5.20.tar.gz
6. Configure: cd cackey* && ./configure
7. Make: make
8. Install: sudo make install
9. Next open Firefox/Iceweasel back-up and ensure that your security devices is free of OpenSC and Coolkey. I have had little success in having both loaded with the CACkey implementation. You will load the Security Device from /usr/local/lib/libcackey.so
10. Shutdown the browser and restart
11. Surf to a friendly CAC enabled website you frequent and when prompted for your pin use the same you would at work. If you have the newer 144k CAC you will be given a choice between two certificates, choose the one with your email address listed.
12. You are in!

For Mac your life is much simpler. There are pre-made packages for Tiger, Leopard, and Snow Leopard. Download the one applicable to your platform and follow the same instructions above from Step 9 down. The only difference being that your location for the Loading of the security device is: /usr/lib/pkcs11/cackey.dylib

Screenshots:

Linux:

Mac:

1. Download source from http://get.bitlbee.org/src/bitlbee-3.0.1.tar.gz
2. sudo apt-get install libotr2-dev libotr2-bin
3. ./configure –prefix=/usr –otr=1
4. make
5. make install
6. make install-etc

Done! Now once you start bitlbee (/etc/init.d/bitlbee start) for the first time it will generate your OTR keys. I am going to assume that you are going to use the Question and Answer verification for OTR keys. With our other secure buddy we do the following:

1. otr connect $buddy
2. otr smpq $buddy 2+2 4
3. If your buddy knows your answer then they will reply correctly
4. Your buddy being a smart cookie will then ask for you to respond to a question: otr smp $buddy answer
5. Done!

In step 2 the breakout is question then answer. So if we wanted to do a “Where did we eat lunch 1 Jan” “Taco Bell” then you could do that also. I used 2+2 for simplicity. It is important to note that if you have logging turned on for BitlBee then your OTR messages are in vain. Also they could trace your connections via your network connection. Lets add an additional layer. Open your /usr/etc/bitlbee/bitlbee.conf (or where ever you put it) and change the following settings:

Proxy = socks5://127.0.0.1:9050

This assumes you have configured TOR SOCKS for that address, but that is the default. I run this configuration in a hidden service SSH server with screen. A potent combo that in essence lets me roam through the interwebs constantly connected and secured. Any questions let me know

DoD was playing major league ball and way ahead of the curve (single sports reference this post) while the rest of the federal govt. sat on the sidelines. Homeland Security Presidential Directive 12 tried to fix this situation by mandating CAC or MFA usage for all federal agencies in 2004. Note that the year is 2010 and I will not call out anyone, but this is still not fully implemented.

Where does that leave us consumers? Complex passwords are no longer a guarantee with the services we use storing them in weak methods. Much like the sticky note hanging above the keyboard, the security you use is only as good as the storage. Why not take the password out of the loop? This was where I was at a few weeks ago as I began researching solutions. My requirements were:

1. Open Solution
2. Compatible with Mac/Linux/Windows/*BSD
3. Does not require special hardware IE SmartCard reader, RFID, etc.
4. Not tied to a single vendor

I landed with the RFID enabled Yubikey which cost me a total of 35.00 USD. I sprung for the RFID enabled version so I could begin integrating it with NFC components, but for now only using it as the basic version. So what is a Yubikey? Basically it is a keyboard on a stick that is programmed to generate a OTP. Here is the output of what happens when I click the button:

cccccccfgihevjtgrefvftjufjgurunnvvcjjcfdfifk

PCMag gave a great description:

The $25 YubiKey is a tough little chunk of plastic with USB connectors on one end and a touch-sensitive (no moving parts) button on top. Each time you touch the button it sends a static password and a dynamically-generated one-time password to any application that’s listening for its input. If a spy program captures the password, so what – that particular one-time password won’t be valid ever again. Others seem to think this is a good idea; Yubico is a finalist for “Most Innovative Company” at the RSA conference

After a quick shipment the device was in my hands and I quickly started integrating it into my home architecture. Due to the hacker friendly nature of their API, it has many plugins and applications enabled to work out of the box. The ones I installed right away:

• LastPass
• WordPress Admin Protection
• OpenID Support
• Linux PAM Module – SSH Access
• OpenBSD Server Access

With OpenID you can login into Facebook, Google Apps, and others which is a huge benefit for online websites. The onus is then put on the OpenID provider to perform the multifactor authentication rather than Gawker and the likes. So you are ready to run out and buy one right? Sounds like the most secure thing for the home user, right? Well I have my doubts.

Earlier in this post I outlined how I was placing the onus on the OpenID provider and OTP scheme from Yubi. In essence I have now put my trust in a company and their security perimeter. How do I know that their architecture is well protected? What security testing has been done to ensure their device complies with the security I hold so dear? Their AES algorithm is not found on the list of FIPS validated modules. The Yubikey itself is not certified for any FIPS/DISA/DoD/NSA testing and therefore in my world it is non-usable outside the home. I would recommend this wholeheartedly to small business and personal security users, but it will never find its way into the govt. without these groups certifying they have their stuff together.

It comes down to hearing people argue with me at work about not wanting to move to the cloud since it isn’t as available or that their data is outside their control. This is the same group that is running single points of failure in their core and have never tested their backups, so it makes you feel comfortable to throw darts. At the end of the day this token+good password selection is enough to keep you out of trouble. It isn’t the most secure option, but it is easy to use and hacker (not cracker) friendly.

Pros:

+ Small and rugged device, no moving parts

+ Easy to Use

+ If your OS supports USB keyboards, it works

+ Cheap

+ Geek Friendly

+ Integrates into Active Directory, PAM, and other OS level authentication mechanisms

Cons:

- Left with this uneasy feeling that I am screwed if its lost; installing my own little back-doors places

- USB keyboard means nothing when you are on your phone. Only works with full-PC devices, not phones or tablets

- Lack of formal security certification

1. This machine is to provide a cloud-based Thin Client. I live off servers around the world, not necessarily in the cloud.
2. As a geek, the Walled Garden drives me crazy. “What do you mean I can’t install a SSH server?!?!?”

My girlfriend on the other hand could care less about a SSH server. She finds the Mac Mini a little overwhelming at times and really just wants the internet. “Show me where the Safari icon is.” For that reason alone I found ChromeOS to be built for her. Instant On and just a web browser.

Unboxing

Despite finding the little surprise on my porch before Becca got home, I held back from opening it. She was home and I rushed her to the kitchen to open the box. Her initial thoughts:

• The box is artsy and fun
• I like the rubber feel of the exterior
• Keyboard feels nice
• Trackpad is yucky

Usage

The setup was super easy. I made sure Becca drove and the only info she needed was the WPA passwords for the Wifi and off she went. It was that easy and off she was off to Etsy and Amazon. It was impressive how little input I had and I have to admit I was somewhat jealous to see her on her way surfing the internet. I am not sure what else to say. It is Chrome on Linux and runs great. We did some video chatting over Gtalk and it was equally as simple. Not once have I had to assist Becca in using this machine. It is an appliance for her and provides a gateway to what she cares about online. That simplicity I believe would be shared by many as the need for full-time computing disappears. As mentioned on many other reviews though, FLASH KILLS THIS MACHINE. Simple flash objects too like Facebook widgets stuff kills it. I am so tired of Adobe and hope the continued rise of HTML5 will slowly kill it.

Where is my Google Gears?

Why did Google include the Verizon data plan? Because the laptop is useless without it. The lack of offline resourcing means that the machine is a big paperweight without Internet connectivity. In Washington DC thats not a big problem, in Arab Alabama or Standish Michigan its dead on arrival. The big question is where is my offline? Google had a great platform in Google Gears that I would argue they prematurely killed off. HTML5 supports offline storage, but as it stands today there is no usage of it within Google. Utter Fail…

Trackpad

For reasons unknown to me the trackpad is utter crap. I was going to hold off on talking about it since this is development hardware platform, but its that bad. Imagine the worst trackpad and then cut your hands off and try to navigate with nubs. I can’t put into words how horrendus the damn thing is. Weirdest thing is that two finger scrolling ONLY works for my hands. Becca can’t get the thing to scroll, but has no problems on any other laptop in the house. It is a big pile of poo…sheesh

Where it would sit at work…

As an Enterprise guy I can’t help but think where this would fit at work. My port scans and pen tests show that the machine is in a default secure mode and offers very few entry points for hackers, but it does so by disallowing local authentication and network access. Need AD access? CIFS/SMB shares? Ain’t happening. Where as on the iOS devices there has sprung up applications that bridge that divide it simply isn’t there in the ChromeOS ecosystem. There is a Native Client which will possibly allow for those type of applications, Google has not shared the roadmap or vision. I feel like I am back in 2007 having to jailbreak my iphones to get non-web based apps. So at work I can only see this as a kiosk which doesn’t seem like a big power play for Google in the enterprise.

Where it sits in the house…

We use it in the livingroom and bedroom. Battery life means we hardly ever charge the thing and its great for syncing to my Chrome desktop installs. The roaming profiles of the internet! Its really a great tool for that. When I left Boeing and had to give back my iPad we were feeling naked with no surfing device. The CR-48 fills that role and I’d argue better than the iPad. I am writing this post on the CR-48 which I would NEVER do on the iPad. It fails at ergonomics like any other notebook which is why the iPad was great. Laying in bed trying to surf is painful where as an iPad was easier to surf while horizontal. Its in a tough spot for what niche it fills which brings me to my next point…

Niche is an overstatement

My biggest fear is that Google will pull a Kin and kill the device on pricing. The problem will be price and marketing. In my humble opinion here is what Google will need to do in order to sell these things:

1. Price point will need to be under 250 dollars. The coming abundance of Android tablets on the market will make this a tough sell
2. Must include 3G data plans that are affordable and non-contract
3. Google will need to not only market this thing, but rather give it away. Go to colleges with a truck and dump them off in the cafeteria with a sign that says “Free Pizza and Laptop.”
4. HTML5 offline storage needs to be done before it ships
5. Convince us geeks why Grams and Girlfriend needs this. Why would I buy this over an iPad for the family? Today I am not sure I would recommend this to the above folks because it is what 90% of people need a computer for. The other 10% are total and complete hell to deal with. Today it is positioned to be a third machine, not a second. Not many people have 3 machines outside us weird people that giggle at binary and hex jokes

** Update: I was going to upload pictures from my phone when I realized I couldn’t. How do you get them off the phone? Just an interesting note as I run up to a Real Computer to complete this post **

For there record if you say "CAC Card" in my presence you will be "SOL Luck" talking again soon.

If you are running Linux or Mac there is a good chance you haven’t been touching my CAC, otherwise known as Common Access Card. George Bush signed HSPD-12 way back in 2004 to mandate the usage of CAC and multifactor authentication on federal networks. The DoD giggled as it was already deploying limited installs at choice commands and was way ahead of the curve. The rest of the government and corporate entities are starting to roll-out the installs and a common theme I see is lack of heterogenous OS support. In this day and age your CIO/CTO/CISO must think beyond what the Microsoft sales lead tells them and think of the user base. Here is a big hint to save you from looking silly – You can’t say iOS/Android development is important to your divisions and then mandate they use Windows computers to comply with your SmartCard policy. I only mention that having sat in the room when the mobile development PM had to make his leadership aware they were basically shutting his group down.

The great thing about the OSS community is they recognize the shortfall in the SmartCard support and have risen to the challenge. OpenSC has made great strides in supporting the technology for authentication and SSO type installs. I can personally vouch that the instructions below will allow you use your SmartCard on the worlds second largest IT network with no trouble. There are commercial  packages that will provide nice GUI and support plans, but if your enterprise just has a few geeks in the basement needing support, the ROI may not be worth it. A few gotcha’s to be aware of:

• While the site states Linux/Mac support; Linux is really the only full featured platform
• Snow Leopard requires the beta builds. Apple changed the crypto mechanism from 10.5 to 10.6 and Safari is no longer supported. If you are using your SmartCard for web-based applications you must use Firefox
• Ensure your card reader is supported. If you are a Dell house then the Cherry Keyboards with built-in SmartCard reader work great. Here is a full list.
• If you are scared of the Command Line I recommend you skip this and look at a commercial package instead

Instructions for Install on Snow Leopard:

1. Download http://www.opensc-project.org/files/sca/experimental/sca-0.3.0-pre3.dmg
2. Mount the .dmg
3. Run the installer.
4. Launch Firefox.
5. In Firefox, select “Firefox -> Preferences”, click on the “Advanced” tab, then click on “Encryption” tab, then click on “Security Devices”…
6. Click on “Load” button, then type in Module Name of “OpenSC PKCS#11 Module”
7. Found I had to manually type in the path to the library which is “/Library/OpenSC/lib/opensc-pkcs11.so”
8. Click OK, then quit and relaunch Firefox.
9. Connect to a website that requires SmartCard access using Firefox, select to use “SecureBadge”. It will ask for your PIN, then will authenticate you.

Instructions for Debian-based Distro IE Ubuntu:

1. As root or with sudo: apt-get install opensc mozilla-opensc libp11
2. Launch Firefox.
3. In Firefox, select “Firefox -> Preferences”, click on the “Advanced” tab, then click on “Encryption” tab, then click on “Security Devices”…
4. Click on “Load” button, then type in Module Name of “OpenSC PKCS#11 Module”
5. Found I had to manually type in the path to the library which is “/usr/lib/onepin-opensc-pkcs11.so”
6. Click OK, then quit and relaunch Firefox.
7. Connect to a website that requires SmartCard access using Firefox, select to use “SecureBadge”. It will ask for your PIN, then will authenticate you.

These are really the first few steps to getting SmartCards working. If you can access the websites using your card then you are just a few steps away from loading the required PAM modules and integrating your systems into Active Directory. That blog post is more likely to be part of a book than online as it is VERY extensive. Feel free to drop me any questions you might have!