• There are two main options, should the shit actually ever hit the fan: bugging in, or bugging out. Yes, there are variations to both of those, but that’s essentially your two choices in their most basic form. I’ve talked about bugging in a bit, and about hiding in forests and building shelters and such. But what about bugging out?

    If you’ve decided (for whatever reason) to leave your home during an emergency, you have to address the issue of travel. Near as I can tell, you have a very limited number of methods to travel in the average bug out situation:

    • your vehicle
    • a non-motorized method of transport (ie a bicycle, unicycle, scooter, skateboard, etc.)
    • riding an animal (horse, llama, sheep, yak, whatever)
    • walking

    Your vehicle, be it a car, truck, camper van, or motorcycle, is probably your first thought. I know it’s mine. My car already has a bug out bag in it, and in winter there’s always a 72 hour survival bucket stashed in the back, just in case. Your vehicle (other than the motorcycle, for the most part) is also a type of shelter, somewhere to be secure with doors locked, out of the rain and wind and snow, with at least somewhat comfortable sleeping arrangements. You can also cart things with you in a vehicle, such as food, clothing, emergency shelter like tents and tarps, first aid items, and weapons with ammo.

    There’s a major drawback with vehicles, though. They run on fuel. If you run out of fuel, you stop. Now, if you carry a siphon kit (and I do recommend it, because sucking gas out of a tank without one is a very unpleasant thing indeed, and no I don’t want to talk about it), you can remove fuel from other vehicles. If the movies (and images of war torn countries) are reliable, you’ll probably find abandoned cars and trucks at the side of (or in the middle of) the roads. These can be checked for abandoned fuel, depending on your situation, and you can take from them if they have any.

    You can carry extra fuel with you, though you may want to be careful about how you do that. You shouldn’t really carry fuel inside a vehicle, and if you have it on the outside, you’re advertising to everyone that you have fuel to spare. Whether it’s FEMA, desperate parents, or raiders, you could lose that extra fuel if you stop. Disguising it (fuel canisters inside empty suitcases?) might be your best bet, along with securing them with locks, and protecting yourself and your gear using firearms.

    (more…)

            

  • Networking

    This week has had a few successes. I was able to upgrade one node to 10 Gbit/second and to hand it some more disk. Everything seems to be working. More upgrades are slowly happening.

    Physical, OpenVSwitch, OVN, Oh My.

    Physical networking has many different levels. The easiest, which most people deal with, is Level2 or L2. At L2, you plug cables in, and it just works. It really is that simple.

    There are some exceptions, the L2 switch might not support the speed that you want, or you might need power on that port, but by and large, it is simple.

    Level 3 devices start to get a bit more complicated. Cisco has made an entire business model out of making Level 3 devices.

    The difference is that a L3 device provides routing. Modern L3 devices also provide services, such as DHCP or SNMP. It also should have some routing protocols implemented, but this is not required. There are so many features that it gets complicated fast.

    OpenVSwitch was designed to provide both virtual and physical packet switching. Instead of using cables, it uses programming, called logical flows. The cool thing is that these logical flows can be pushed down into the network interface to run below the kernel.

    OVN or Open Virtual Network is layered on top of OpenVSwitch, but does not require OpenVSwitch. As long as all you are doing is building and looking at switch and router configurations, there is no requirement to actually interact with OpenVSwitch

    OVN has a “north” and a “south” side. On the north side, you define logical devices and how those devices are interconnected. A process is tasked to convert those logical devices and interconnections into datapaths and logical flows on the south side.

    Another process then converts those datapaths and logical flows into open flow. These are what do the real work.

    Now the fun part. All of these pieces need to talk to each other and all the communications paths are configured.

    I have something working. Maybe it is right? It is closer to right than I expected.

    But how do we get there from here?

    Which takes us into the world of routing. I’m learning about OSPF. Which caused me to have to relearn about multicasting. Which isn’t working for me yet.

    Regardless, my network knowledge is better and getting better.

    Monitoring

    I wondered through one of the node areas yesterday and noticed that one of the KVM’s had been left active on a node. Normally, I want them turned off so I don’t get screen burn in.

    On the screen were some disk errors. This is a not good thing. These leads to going back to the monitoring game.

    I’ve been studiously ignoring Prometheus for years now. I took the plunge, and it isn’t as bad as I first thought it was. Now to figure out how to use Grafana. It is powerful, but I don’t have the insight I need to know how to do things. That’s next week’s learning task.

    Piles of Garbage

    If the left didn’t have double standards, they would have no standards at all.

    The latest example of this is that a comedian, who’s routine is to insult people, made a joke about Puerto Rico. It didn’t go over well with the audience. Part of that is a lack of context.

    It appears that a few years ago a hurricane went through and blew tons and tons of garbage into the sea. Since that time, it has been washing up on the shores. The people have to clean up the beaches constantly, leading them to have a running joke about living on an island of garbage. Note: This is a second hand story.

    That’s not important. What is important is that the left seized on this to claim that every person associated with Trump, like you and me, is racist and hates Puerto Ricans.

    Never mind the name-calling that comes out of their people, every single day. They have attempted to label us with every vile label they can come up with. Nazi comes to mind.

    The hit pieces had just come up to speed when Joe stepped into it with both clown sized feet. He was recorded as calling Trump supporters “garbage”.

    Yeah, that really happened.

    The short videos have been laugh-out-loud funny. In addition, people have taken to wearing garbage bags to vote. It can’t be a political statement because the media and the White House are claiming that Joe didn’t say what he is on video saying.

    In an epic troll, Trump arrived at his rally in a white garbage truck with “Trump” on the side. He wore an orange hi-vis vest into the rally and proceeded to poke fun at himself.

    Tuesday is your last day to Vote!

    Go VOTE!

    The Trumpet Calls of Battle

    The left is prepared to do violence if Trump wins. The Right is in FAFO mode. The magazines have been topped off. The firearms cleaned and put away.

    It could get spicy out there, people. Keep your head on a swivel.

    Have you spotted anything hinky?

    People acting like poll workers that aren’t? Cops obeying pseudo poll workers? People being told to leave the lines to vote?

    Hundreds of reports of that sort of thing happening in PA.

            
  • I’ve started disseminating this on some of the prepper groups I belong to, and of course it’s starting to get a *little* traction on TikTok. We’ll see what happens.
    I’m posting it here because if you go watch the video, you’ll get a glimpse of one of our firearms. 😉
            

  • For years, I’ve been hearing about how Republicans are calling for some horrific or ridiculous thing.

    I’m reminded of the days when Glenn Beck was the voice. You would hear, over and over again, how he had said terrible things.

    If you search YouTube, you could find those videos. Those videos were maybe 30 to 60 seconds long.

    All of those videos contained the same things. In other words, with thousands of hours of audio, the left could only find a few minutes of questionable audio. Plus, it often turned out that the audio was taken out of context.

    The left runs on emotions. Unfortunately, they are not good with joy and excitement, they always fall back on fear and hate.

    I had the misfortune of listening to a short clip of Obama stomping for the Democrat candidate for governor of NC.

    The clip was about a minute. There wasn’t a thing that came out of his mouth that wasn’t a lie. It was all accusations of Trump, conservatives, Republicans, and anybody else that wasn’t in lock step with his wants.

    It was worse than when Kamala’s people make a statement.

    Kamala’s people just dropped an ad suggesting that conservative women have no agency. That “the only place they have a choice” is in the voting booth. It was disgusting.

    I am not married to a robot. I’m married to a living, breathing, thinking, thoughtful, and beautiful lady. She listens and makes her own choices. Until the debate with Biden, she wasn’t going to vote for Trump.

    At that point, there was nothing I could have said to get her to vote for Trump. She had to decide herself.

    Hate is a powerful emotion. It is much easier to get people to hate than it is to get them to love, like, or enjoy something.

    That has been the Democrat playbook for as long as I have been aware.

    In 1964, LBJ aired the “Daisy” ad. The emotion he was looking for was fear. Fear that Goldwater would start a nuclear war, while he, LBJ, was only going to send boys to Vietnam to die. Oops, he didn’t say that last part.

    There have been so many hoax hate crimes. The reason is that actual criminal actions based on race are very low. Sorry, that is whites acting in a criminally racist way towards others. Blacks often act in racists ways towards Whites, and it is just accepted.

    Fearmongering on the Left has been about abortion. There are 50 states. Each state gets to set their laws, regarding abortion, according to how their people want, via their legislators.

    So why are so many women screaming that Republican’s are going to take their “right” to an abortion away. They never had a right to an abortion. A right is something you have from existing. Everybody has it.

    If abortion is a “right” then the mother OR the father should be able to choose to abort.

    When they scream about their right to an abortion, what they are really screaming for is access to abortion services.

    There are a few states that have put in strong anti-abortion laws.

    The left is screaming about those. They search high and low for something to go wrong. The first person they found to shove a megaphone in front of was an abortion for a child.

    She was transported out of the state of Ohio to have the abortion done. She was raped. The rest of the story includes the fact that the mother’s illegal alien boyfriend was the rapist. That she went out of state to protect him from the law.

    And that there was an exception in the Ohio law to cover that type of case.

    That is who they held up as an example of horrific outcomes from anti-abortion laws.

    They scream that horrible things will happen. So they find a victim. Who was the victim? It was a woman who wanted an abortion rather late, not “late term” but not early in her pregnancy. Her social situation had changed.

    She opted for a surgical procedure. Then didn’t allow enough time to get to her appointment. Almost as if she weren’t the sharpest crayon in the box. She was late, they couldn’t do the procedure. She agreed to have a chemical abortion.

    She did no follow-up care. She waited until very late to seek treatment for the sepsis that she was suffering from. The hospital she went to didn’t do the required abortion to remove the dead baby from her in a timely fashion.

    At the clinical mortality review, it was determined that she would have survived if she had received treatment at the hospital without the extended delay.

    Now, the findings of death review panels, mortality committees, and clinical mortality reviews are closed. This is a place where doctors can feel free to say that somebody fucked up, badly. That a doctor’s error killed somebody.

    This is who got the megaphone. A woman who didn’t keep her knees together. That got pregnant out of wedlock. Who’s baby father left her. Who waited until then to decide to abort her baby. Who didn’t seek treatment. And who was dead as a result of medical malpractice.

    Is she an example of horrific anti-abortion laws killing women? Not in the least.

    When Ally and I were talking about the “push for outlawing birth control”, my response was, “you’ve got to be kidding me. Nobody is pushing to outlaw birth control.”

    When she posted, you replied that you hadn’t heard a push for banning birth control.

    But Ally has heard it.

    And that’s because somebody is shoving a megaphone in front of somebody. Who are these people? We don’t know. What are the odds of them getting a bill passed to ban birth control? Nonexistent.

    But it adds more volume to the fearmongering. Look, The EVIL Republican’s have not only taken your right to reproductive health care away, now they won’t even let you use birth control!”

    That megaphone is being used to chase the sheeple right of the edge of the clif.

            

  • So here I am. The waters have retreated and I’m standing on dry beach, and all these new people are standing around and near me. I’m being welcomed, and it all seems very friendly. I want to let my guard down. I really do. But damn, folks, it’s HARD.

    Recently, I had a conversation with Chris about birth control. We all know that “just don’t have sex” doesn’t work, and hasn’t worked since before written history. I was explaining that to me, it just makes sense that if you want a low abortion rate (which I do), then the answer is to have effective, inexpensive, low side-effect birth control. Preferably, you want several types, too, so that people have choices, and so that men and women both can be involved in being responsible.

    I pointed out that there are many people on the Right who advocate eradicating both abortion AND birth control, and I want to know why. Why is that so important, to remove birth control from people? It makes no sense to me.

    I admit, I may have said to Chris that a good portion of unwanted babies (via rape and incest, for example) all have come about because of men. Women don’t rape men and then get upset over getting pregnant (or there are so few that I’ve not only never read about it, I’ve never even heard a whisper about it) and become so emotional that they require an abortion. That makes men the problem. This is, of course, a grand simplification of the issue and removes franchise from women, which is not cool. But the idea is there, and it’s not a wrong idea, it’s just that it’s too vague as currently stated. Chris’s response was, of course, that men who commit incest or diddle little girls should be fed through a wood chipper on low speed, feet first, wearing a tourniquet. I heartily agree with him on that one.

    But that doesn’t address the birth control issue. The worst part is, I don’t even really know how to ask the question, or what to say to get a reasonable (ie truthful, meaningful, statistically relevant) answer. How many people on the Right are interested in legislating or otherwise taking away the right to use birth control? This is not a question about paying for it, by the by. I know there’s insurance issues and all that. That’s not a part of what I’m after here. For the purposes of this line of questioning, you can assume that everyone pays up front cash for their birth control. How do I find out whether the Left is correct about this issue?

    (more…)

            

  • As I contemplate another deep dive into a legal case, I realize how thankful I am to Justice Thomas.

    Our Second Amendment protected rights had been eviscerated. Most of the country was under the suffocating opinions of gun hating inferior courts.

    If a stated wanted a gun control law, they passed it. Challenges were always dismissed. To listen to the gun grabbers, everything that was done was constitutional because everybody knew that the Second only protected the rights of the militia.

    In 2008, the Supreme Court issued the Heller opinion. In a five to four decision, the court found that the Second Amendment protected an individual right to keep and bear arms. Even Justice Stevens’ dissent says it is an individual right.

    The question presented by this case is not whether the Second Amendment protects a “collective right” or an “indi­vidual right.” Surely it protects a right that can be en­forced by individuals. But a conclusion that the Second Amendment protects an individual right does not tell us any­thing about the scope of that right.
    District of Columbia v. Heller, 467 U.S. 837, 636 (2008) Stevens, J., dissenting

    Of course, this didn’t stop Justice Stevens from joining Justice Breyer’s dissent

    We must decide whether a District of Columbia law that prohibits the possession of handguns in the home violates the Second Amendment. The Court, relying upon its view that the Second Amendment seeks to protect a right of personal self-defense, holds that this law violates that Amendment. In my view, it does not.
    id. at 681 Breyer, J., dissenting

    This case was much closer than we hoped for.

    There is a good reason the court did not take up another Second Amendment case (outside McDonald, which was an easy, “Yes, the Bill of Rights applies to the states, morons”) for 14 years. We would have lost. And if we had not lost outright, the opinion would not be strong enough to protect our rights.

    In 2022, we had a strong majority on the Supreme Court. Not a majority of Republicans, but a majority of Constitutionalist.

    The Court issued a powerful opinion in Bruen. It slapped down the inferior courts. It set clear guidance for how to adjudicate Second Amendment challenges.

    The inferior courts had a meltdown. We have judges who have sworn to uphold the Constitution, claiming they are too stupid to understand the Constitution. Judges who have decades of training and practice in reading old laws and interpreting them, correctly, claim that the plain text is unclear.

    This is not the fault of the Supreme Court. This is the fault of those rogue inferior courts.

    I worked for an incompetent lead analyst for a couple of years. One evening, I found him still at his desk, programming. He was trying to do something in FORTRAN. I explained that what he wanted to do wasn’t possible to do in FORTRAN. He insisted it could.

    I wrote a short C function that did the task that FORTRAN could not. Gave it to him to use. This would have allowed him to complete his program without any architectural changes.

    When I checked in with him the next day, I asked how the function worked for him. He reported that it had worked, but he had done a redesign, so he didn’t need that function.

    To this day, I believe he made that change to exclude me from having participated in the project. He was a rogue, inferior programmer/analyst.

    Rogue inferior courts will twist and squirm to avoid the clear guidance of the Supreme Court, when they don’t like the outcome.

    The remarkable strength of Justice Ginsburg, was her ability to find law to support her positions.

    From President Obama, we got Sotomayor. She has grown into her position, but she has never been a strong justice.

    We also got Elena Kagan, a Justice so corrupt that she felt that there was no conflict of interest in sitting on a case that she had worked on as a member of the Obama staff.

    Those two “powerhouses” don’t come close to the idiocy of Ketanji Brown Jackson. This is a person that can’t find case law, regulation, or original meaning in anything that goes against her agenda. She writes as if the Supreme Court should be writing law, not following the law.

    The Three!

    Neil Gorsuch was our first win. He has done a good job for the Second.

    Kavanaugh was our second win. He is doing an ok job for the Second. I’m not sure of him, but so far, so good.

    Amy Coney Barrett is our third win. I believe she could become the next Clarence Thomas.

    Conclusion

    Next Tuesday is the day our Constitution set as the date to vote for our President. A week from today, we should know who our next president will be.

    Please, PLEASE, vote.

    The most lasting wins from the first Trump presidency were the amount of reform that was done to the courts. We do not want to have Kamala replace Thomas. Imagine another Ketaji Brown Jackson replacing Thomas. It would be years before we could recover.

    VOTE!

            

  • I love the sound of this song. Here is the movie version:

    And a very pure version:

            
  • Ally's homemade turkey a la king.
    Ally’s homemade turkey a la king.

    Last week I cooked up a turkey breast that had been lurking in the freezer for a while. It was a lovely treat, and we really enjoyed it. However, with just a few of us here at the house these days, even cooking up just a breast is a bit much. I decided I would make turkey pot pies out of the leftovers, some of which we’d eat right away, and some that could go in the freezer. The grocery store was sadly lacking in pie crusts, and I’m just not great at making them. So I decided to try Turkey a la King, because it was sort of an inside out turkey pie. The end result was incredibly delicious, and we really enjoyed it! I hope you do, too.

    Ingredients

    • 4 tbsp butter or margarine
    • 1/2 medium yellow onion, finely chopped
    • 1 medium carrot, peeled, finely chopped
    • 1 stalk celery, finely chopped
    • 5 tbsp all-purpose flour
    • 2 cups low-sodium chicken broth
    • 1-1/2 cups milk (oatmilk also works)
    • salt and pepper to taste
    • 1-1/2 lbs cooked turkey breast, cut into 1″ chunks
    • 1 cup frozen peas or mixed vegetables
    • 1/2 cup mashed potatoes
    • 1/4 cup chopped fresh parsley
    • Warm biscuits or puff pastry shells for serving

    In a large skillet or cast iron pot, melt the butter over medium high heat. When the butter is bubbling slightly and is completely melted, add in the carrot, onion, and celery. Cook for about ten minutes, until the vegetables are softened.

    Add in the flour, and quickly stir to coat all the vegetables as evenly as you can. Immediately whisk in the broth, milk, and salt and pepper. Add the liquid slowly while whisking rapidly throughout, to achieve a silky smooth finish. This part should take about five minutes to complete. Add in the turkey, potato, and peas, and stir occasionally until the dish is warmed through, about ten more minutes.

    In a large skillet over medium-high heat, melt butter. Add mushrooms, onion, carrot, and celery and cook, stirring often, until softened, 8 to 10 minutes.

    Serve the turkey mixture over top of the biscuits or puff pastry shells, and sprinkle with a bit of fresh minced parsley for color and flavor.

    Notes:
    So traditionally, this would be made with 8 oz or so of sliced mushrooms. I didn’t have any on hand, so this is my version of the more traditional recipe. I used an old fashioned biscuit recipe for this, but you could do any biscuits, including the “quick” ones on a box of Bisquick.

    If you find that your finished product isn’t thick enough, you can fix it in one of three ways. First, you can use the traditional route, which is to make a roux in another pan and then add the roux to the boiling turkey mixture. Stir well, and it should thicken. Second, you can make a slurry (a tablespoon of flour or cornstarch with just enough cold water to make a thin paste) and add that to the boiling turkey mixture. Stir, and it should thicken up. The third, and inarguably the easiest method, is to add a teaspoon or so of potato flakes to the mixture. Simply sprinkle potato flakes on top of the boiling turkey  mixture, and then stir. Continue to add more potato flakes a little at a time until the desired thickness is achieved.

            

  • There are two parts to access control, the first is authentication, the second is authorization.

    Authentication is the process of proving you are who you claim to be.

    There are three ways to prove you are who you say you are, something you know, something you have, or something about you.

    When you hand your driver’s license to the police officer at a traffic stop, you are authenticating yourself. You are using two-factor authentication. The first part is that you have that particular physical license in your possession. The second is that the picture on the ID matches you.

    After the officer matches you to the ID you provided, he then proceeds to authenticate the ID. Does it have all the security markings? Does the picture on the DL match the picture that his in-car computer provides to him? Does the description on the DL match the image on the card?

    He will then determine if you are authorized to drive. He does this by checking with a trusted source that the ID that he holds is not suspended.

    People Are Stupid

    While you are brilliant, all those other people are stupid.

    So consider this scenario. Somebody claims that they can read your palm and figure things out about you. Your favorite uncle on your mother’s side of the family is Bill Jones. You laugh and reply, you got that wrong, James Fillmore is my favorite uncle.

    So, one of the more common security questions to recover a password is “What is your mother’s maiden name?” Do you think that the person who just guessed your favorite uncle incorrectly might do better at guessing your mother’s maiden name?

    It was assumed that only you know that information. The fact is that the information is out there, it just takes a bit of digging.

    The HR department at a client that I used to work for liked to announce people’s birthdays, to make them feel good.

    She announced my birthday over the group chat. I went into her office and explained that she had just violated my privacy.

    The next time you are at the doctor’s office, consider what they use to authenticate you. “What is your name and date of birth?”

    I lie every time some website asks for my date of birth, unless it is required for official reasons.

    Finally, people like to pick PINs and codes that they can remember. And they use things that match what they remember. What is a four-digit number that is easy for most people to remember? The year of their birth.

    You do not want to know how many people use their year of birth for their ATM PIN.

    In addition, it is easy to fool people into giving you their password. We call that phishing today. But it is the case that many people will read that their account has been compromised and rush to fix it. Often by clicking on the link in the provided e-mail.

    A few years back, I was dealing with a creditor. They have a requirement to not give out information. A blind call asking me to authenticate myself to them. I refused. I made them give me the name of their company as well as their extension and employ number.

    I then looked up the company on the web. Verified that the site had been in existence for multiple years. Verified with multiple sources what their main number was. Then called the main number and asked to be connected to the representative.

    Did this properly authenticate her? Not really, but it did allow us to move forward until we had cross authenticated each other.

    Biometrics

    If you have watched NCIS, they have a magic gizmo on the outside of the secure room. To gain access, the cop looks into the retina scanner. The scanner verifies that pattern it scans with what is on record and, if you are authorized, unlocks the door.

    Older shows and movies used palm scanners or fingerprint scanners. The number of movies in which the MacGuffin is the somebody taking a body part or a person to by-pass biometric scanners is in the 1000s, if not higher.

    So let’s say that you are using a biometric to unlock your phone. Be it a face scan or a fingerprint scan.

    The bad guys (or the cops) have you and your phone. While they cannot force you to give up your password, they can certainly hold the phone up to your face to unlock it. Or forcibly use your finger to unlock it.

    Biometrics are not at the point where I would trust them. Certainly, not cheap biometric scanners.

    It Doesn’t Look Good

    We need to protect people from themselves. We can’t trust biometrics. That leaves “something they have”.

    When you go to open unlock your car, you might use a key fob. Press the button and the car unlocks. That is something you have, and it is what is used to authenticate you. Your car knows that when you authenticate with your key fob, you are authorized to request that the doors be unlocked.

    If you are old school, and still use a physical key to unlock your home, the lock in your door uses an inverse pattern to authenticate the key that you possess. It knows that anybody who has that key is authorized to unlock the door.

    Since people might bypass the lock or make an unauthorized duplicate of your key, you might add two-factor authentication. Not only do they have to have something in their possession, they must all know the secret code for the alarm.

    Two-Factor Authentication

    Two-Factor authentication is about providing you with something that only you possess. You need to be able to prove that you have control of that object and that the answer cannot be replayed.

    Consider you are coming back from patrol. You reach the gate and the sentry calls out “thunder”. You are supposed to reply with “dance”. You have now authenticated and can proceed.

    The bad guy now walks up. The sentry calls out “thunder”. The bad guy repeats what you said, “dance”. And the bad guy now walks through the gate.

    This is a “replay” attack. Any time a bad guy can repeat back something that intercepted to gain authentication, you have a feeble authentication.

    The first authenticator that I used was a chip on a card. It was the size of a credit card, you were expected to carry it with you. When you tried to log in, you were prompted for a number from the card. The card had a numeric keypad. You input your PIN. The card printed a number. That number was only good for a short time.

    You entered that number as your password, and you were authenticated.

    There were no magic radios. Bluetooth didn’t exist. Wi-Fi was still years in the future. And it worked even if you were 100s of miles away, logging in over a telnet session or a dial-up modem.

    How?

    Each card had a unique serial number and a very accurate clock. The time of day was combined with the serial number and your pin to create a number. The computer also knew the time, accurately. When you provided the number, it could run a magic algorithm and verify that the number came from the card with that serial number.

    One of the keys to computer security is that we don’t store keys in a recoverable format. Instead, we store cryptographic hashes of your password. We apply the same hash to the password/pass phrase you provided us and then compare that to the stored hash. If they match, the password is correct. There is no known methods for going from the hash to the plaintext password.

    That security card had some other features. It could be programmed to have a self-destruct PIN, or an alert PIN, or a self-destruct after too many PIN entries in a given amount of time.

    When it self-destructed, it just changed an internal number, so the numbers generated would never again be correct. If the alert PIN was set up, using the generated number would inform the computer that the PIN was given under duress. The security policies would determine what happened next.

    Today, we started to see simple two-factor authentication. “We sent a text to your phone, enter the number you received.” “We emailed the account on record, read and click on the link.”

    These depend on you having control of your email account or your phone. And that nobody is capable of intercepting the SMS text.

    A slightly more sophisticated method is a push alert to an app on your phone. This method requires radio communications with your phone app. The site requesting you to authenticate transmits a code to your phone app. Your phone app then gives you a code to give to the site. Thus, authenticating you.

    There are other pieces of magic involved in these. It isn’t a simple number, there is a bunch of math/cryptology involved.

    Another method is using your phone to replace the card described above.

    I authenticate to my phone to prove I’m authorized to run the authenticator application. There is a 6-digit number I have to transcribe to the website within 10 seconds. After 10 seconds, a new number appears.

    I’ve not looked into all the options available, it just works.

    The cool thing about that authenticator, is that it works, even if all the radios in my phone are off.

    Finally, there are security keys. This is what I prefer.

    I need to put the key into the USB port. The key and the website exchange information. I press the button on the security key, and I’m authenticated.

    Another version requires me to type a passphrase to unlock the key before it will authenticate to the remote site.

    Conclusion

    If you have an option, set up two-factor authentication. Be it an authenticator app on your phone or a Yubico security key. It will help protect you from stupids.

            

  • Data security is the protection of your data throughout its lifecycle.

    Let’s pretend you have a naughty image of yourself that you don’t want anybody else to see.

    The most secure way of protecting that image is to have never taken that image in the first place. It is too late now.

    If you put that image on a portable USB drive, then somebody can walk off with that USB drive. The protection on that image is only as good as the physical security of that device.

    Dick, the kiddy diddler, who is in the special prison for the rest of his life, kept his kiddy porn on USB thumb drives. They were stored around his bed. Once the cops served their warrant, all of those USB drives were available to be examined.

    They were examined. Dick was evil and stupid.

    The next best way is to encrypt the image using a good encryption tool.

    To put this in perspective, the old Unix crypt program implemented an improved version of the German Enigma machine. It was improved because it could encrypt/decrypt a 256 character alphabet rather than the original 27 characters.

    Using the crypt breakers workbench, a novice can crack a document encrypted with the Unix crypt command in about 30 minutes.

    At the time, crypt was the only “good” encryption available at the command line. The only other was a rot-13 style obfuscation tool.

    In our modern times, we have access to real cryptography. Some of it superb. We will consider using AES-256, the American Encryption Standard. This is currently considered secure into the 2050s at current compute power increases.

    AES-256 uses a 256-bit key. You are not going to remember a 256-bit number. That is a hex number 64 characters long. So you use something like PGP/GnuPG. PGP stands for Pretty Good Privacy.

    In its simplest form, you provide a passphrase to the tool, and it converts that into a 256-bit number, which is used to encrypt the file. Now make sure you don’t forget the pass phrase and also that you delete (for real) the original image.

    Now, if you want to view that image, why I don’t know, you have to reverse the process. You will again have the decrypted file on your disk while you examine the image. Don’t forget to remove it when you are done looking.

    We can take this to a different level, by using the public key capabilities of PGP. In this process, you generate two large, nearly prime, numbers. These numbers, with some manipulation, are used to encrypt keys. These are manipulated into a Public Key and a Private Key. The public key can decrypt files encrypted with the private key. The private key can decrypt files encrypted with the public key.

    The computer now uses a good random number generator to create a 256-bit key. That key is used to encrypt your plaintext file. The key is then encrypted with your “Public Key” and attached to the file.

    Now you can decrypt the file using your “Private Key”.

    This means that your private key is now the most valuable thing. So you encrypt that with a pass phrase.

    Now you need to provide the pass phrase to the PGP program to enable it to decrypt your private key, which you can then use to decrypt or encrypt files. All great stuff.

    I went a step further. My PGP key requires a security fob to decrypt. This means it requires something I know, a pass phrase, plus something I have, the security fob.

    This means that there are two valuable items you have, the private key and your pass phrase. Let’s just say that those need both physical and mental protection. You need to make sure that nobody can see you type in your pass phrase, plus your pass phrase has to be something you can remember, plus it has to be long enough that your fingers can’t be read as you type it.

    And, don’t ever type it on a wireless keyboard. You would have to trust that nobody is intercepting the transmission from the keyboard to the computer system.

    In addition to that, most keyboards are electronically noisy. This means that the electrical interference that is given off by your keyboard can be read and used to guess at key sequences.

    Finally, you need to make sure that nobody has installed a keylogger to capture every key you type. These can go inside your keyboard, or just plug into the end of your USB cable.

    All of this is painful to do. And you need to go through the decryption phase every time you want to look at your secret document.

    So we can use disk encryption.

    The idea here is similar to PGP. You generate a large block of random bits. This will be your encryption/decryption key. This block of random bits is then encrypted with a pass phrase. When you mount your disk drive, you need to “unlock” the decryption key. Once that is done, the data on that disk is accessible in plain format.

    You can tell your computer to forget the key and then none of the data is available. You can unmount the file system and the data is protected. You can turn off your computer and the data is now unavailable and protected.

    Of course, they might have your pass phrase, in which case they will just use it to decrypt your key.

    But there is a neat thing that you can do, you can wipe the decryption key. If this is done, then even with your pass phrase, there is nothing that can be done.

    The government has strict requirements on how to erase magnetic media, disk drives, magnetic tapes, and the like. For magnetic tape, they use a machine that has a strong magnetic field. This field will scramble any data on the tape if used correctly.

    This is not good enough for disk drives, though. The “short” version of erasing a magnetic disk is to write all zeros, then write all ones, then write random numbers. This will make it difficult to recover the data. The longer version, “Gutman”, requires 35 passes.

    Sounds good, let’s do it on a test drive. Here is a 12 TB drive that is 75% full. The 75% doesn’t help us. We still need to erase every sector.

    Our SATA 3, 6 Gbit I/O channel is not our bottleneck, it is the time to write the data. That is 210 Mbit/second. So more than five days, per pass.

    If we have encrypted the drive, we only have to wipe a few sectors. That can be done in far less than a second.

    But, it gets better. You can buy “secure” drives. These drives have the encryption built in. You send a magic command to the drive, and it wipes its key and makes the entire disk just random bits, nearly instantly.

    This key on disk method is what Ceph uses, under the hood.

    Of course, that is only part of the solution, the next part is on the wire encryption. This requires still more.

    Conclusion

    The biggest issue facing people who are trying to create secure environments is that they need to make sure that they have identified who the black hat is.

    • Will they be able to physically access your equipment? Assume yes.
    • Will they be able to tap into your network? Assume yes.
    • Will they be able to physically compromise your keyboard? Maybe?
    • Will they be able to take your stuff?
    • Will they be able to force you to give your pass phrase?
    • Will they be able to access your computer without a password?
    • Will you be able to boot your network from total outage without having to visit each node?