Tangling with Secure Boot and UEFI in Ubuntu

Folks in Dallas, among other places, were wondering why in the world I would run Windows 8 as my primary system.  Well, I run ubuntu as much as I can, just off a stick.  I've had three USB sticks tied up as ubuntu LiveCDs for ages, hopping installs between them, trying to find the secret sauce that will get me a fully-fledged, mutable, bootable system.

I’d certainly prefer to have an environment where audacity, kdenlive, vlc, inkscape, gimp, and my favourite fonts are already preinstalled. Old solutions like the Ubuntu Customization Kit used to do this easily, but were never well-supported, even back in the day when they still worked.

Why not just run ubuntu side-by-side with Windows?  Two issues.  I'm down all those USB sticks just now, and I don't really want to mess with my hard drive partitions at all without having a backup of my System Restore partition around.  I rather dislike the notion of a software problem ballooning into a $12-$50 how-much-backup-space-can-you-buy issue.  This whole deal is supposed to be plug-and-chug!

It's all tied into UEFI Secure Boot.  The LiveCD boots right away, no problems.  As soon as I "install" onto a USB drive, though, it stops showing up in the boot menu.  I can get the installed system to boot if I re-enable "Legacy" boot, but that's two trips into the BIOS setup for every reboot, which is super annoying.

So far the best workaround I have is this: there's a daily build of Ubuntu that, in theory, starts out with all the latest security packages.  On the days I update my boot stick, I burn that build to a secondary jump drive and boot from it.  Then I take out my primary 16GB jump drive and clone the new build onto it with dd, into the 1600MB of space I have reserved for Xenial at the moment.

All the .deb files for my programs have been squirrelled away on a second partition of that jump drive (copied over from /var/cache/apt/archives after the usual sudo apt-get dance), since I'm not afraid to use dpkg -i -R .

The jump drive is also rounded out with 8GB of swap space, because ubuntu runs out of RAM in a hurry when you install packages in the LiveCD environment.  There's also another odd issue where it halts, seemingly for no reason, even with all that swap, so maybe I'm barking up the wrong tree there.

What I might do next is make a custom Debian disc, since that’s actually a half-decently supported toolchain, versus ubuntu where you’re just rolling the dice.  Now, keeping that updated is bound to be a real chore…

Part 2 of Let’s Encrypt will be delayed.

Barring some unexpected cooperation from my hosting provider, my HTTPS rollout will be delayed.  They have not rolled out a management console for SSL certificates, and it's not even on their radar for the basic hosting package.

My options going forward are to pay $20 a month for a VPS with my current host, or bolt, probably for Amazon Web Services; I'll bet I can get under $20 easily.  Since everything is going to break either way, I'm leaning toward the latter.  If any webdev types have other thoughts on good WordPress hosting companies that support SSL and multiple domains, I'm all ears.

Let’s Encrypt covers just one piece of the puzzle — getting a universally-recognized certificate.  Unfortunately, it can’t cover for everything else, especially if you have a web server stuck in 2008.

Getting started with Let’s Encrypt (without sudo)

What do you do if you want a Let’s Encrypt free certificate, but don’t have root access to your server?

One pitfall I found by searching too fast: don't go out and use the old diafygi script on GitHub; its features are already in the latest Let's Encrypt code.

If your webhost has Python, you might even be able to run Let's Encrypt right on the server.  Mine isn't set up right, though, so a fresh ubuntu LiveCD or USB stick will do to begin with.  Once you've got your LiveCD system up and running, download the Let's Encrypt client and extract it wherever is convenient, using your choice of:

git clone https://github.com/letsencrypt/letsencrypt

or

wget https://github.com/letsencrypt/letsencrypt/archive/master.zip
unzip master.zip

You will need to enable the Universe repository to install Let's Encrypt's supporting packages.  In ubuntu 15.10 the Universe repository is not enabled by default; the easy way is to open the "Software & Updates" tool from the ubuntu menu and tick the Universe repository.

Once that hurdle is cleared, fire up Let's Encrypt in manual mode.  (certonly fetches the certificate without trying to install it into a web server; -a manual means you publish the challenge files yourself; -d names the domain, and can be repeated for each domain or subdomain you want on the same certificate.  The client was later renamed certbot, which accepts the same options.)

./letsencrypt-auto certonly -a manual -d mydomain.com

After installing its supporting packages, the LE client registers an account key and sends the certificate request to the LE servers for you.  At this point you'll be instructed to publish verification files at specific public URLs on your site.

Each challenge string is composed of two parts separated by a period.  The first part is a token unique to that domain's challenge; the second part is a fingerprint (thumbprint) of your account key, so it is the same for every domain you validate with that account.  The filename the LE servers look for is just the first part, and the file's contents must be the whole two-part string.

Go to the top-level (document root) folder for your particular domain name(s) and run

mkdir -p .well-known/acme-challenge
cd .well-known/acme-challenge
nano [challengeheader]                  (or your favourite text editor; the filename is the first part of the challenge)
[paste or enter the entire challenge response line]

Note the leading dot and the hyphen in .well-known: the LE servers fetch http://yourdomain/.well-known/acme-challenge/[challengeheader] over plain HTTP, so a folder named .wellknown will never be found.

The challenge file for the certificate must stay in place until you have your certificate in hand, so don't delete any challenges prematurely.  You'll need to repeat this in various combinations if your site has multiple document folders and/or multiple domains.

If you have more than one domain/subdomain on the same certificate, you must have all of the files in place before pressing ENTER for the last time, which is when LE actually contacts your site to look for the challenge files.  So don't tap through too fast.

When successful, you will get a set of files (your private key, your certificate, and the intermediate chain) that together allow SSL on your website.  Configuring that is another story (I'll let you know when I'm done!)
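As an added illustration (not part of the original post or of the Let's Encrypt client), the POSIX shell helper below stages challenge files the way the manual plugin expects them and reads them back the way the LE validator would, so you can confirm every domain is in place before the final ENTER.  The key authorization strings, document roots and domain names in the demo are constructed placeholders; on a real site the strings are whatever letsencrypt-auto prints, and the docroot is wherever your host serves each domain from.

```shell
#!/bin/sh
# Added example, not from the original post or the Let's Encrypt client.
# Stages ACME http-01 challenge files: for a key authorization "TOKEN.THUMBPRINT"
# the validator fetches http://DOMAIN/.well-known/acme-challenge/TOKEN and
# expects the body to be the whole "TOKEN.THUMBPRINT" string.
set -eu

# stage_challenge DOCROOT KEYAUTH
#   Writes DOCROOT/.well-known/acme-challenge/TOKEN containing KEYAUTH and
#   prints the path. Fails if KEYAUTH does not have the TOKEN.THUMBPRINT shape.
stage_challenge() {
    docroot=$1
    keyauth=$2
    case "$keyauth" in
        *.*) ;;
        *) echo "stage_challenge: '$keyauth' is not TOKEN.THUMBPRINT" >&2; return 1 ;;
    esac
    token=${keyauth%%.*}                       # everything before the first '.'
    dir="$docroot/.well-known/acme-challenge"  # note the hyphen: .well-known, not .wellknown
    mkdir -p "$dir"
    printf '%s' "$keyauth" > "$dir/$token"     # body is exactly the key authorization
    chmod 644 "$dir/$token"                    # must be readable by the web server
    printf '%s\n' "$dir/$token"
}

# check_challenge DOCROOT KEYAUTH
#   Reads the file back as the validator would and compares it to KEYAUTH.
check_challenge() {
    docroot=$1
    keyauth=$2
    token=${keyauth%%.*}
    f="$docroot/.well-known/acme-challenge/$token"
    [ -f "$f" ] || return 1
    [ "$(cat "$f")" = "$keyauth" ]
}

# same_account KEYAUTH1 KEYAUTH2
#   The part after the '.' is the thumbprint of your account key; challenges
#   issued to one account share it, so a mismatch means a paste from a different run.
same_account() {
    [ "${1#*.}" = "${2#*.}" ]
}

# Demo with constructed placeholder values: two domains, one account, both
# staged before the final ENTER in letsencrypt-auto.
demo_root=$(mktemp -d)
stage_challenge "$demo_root/mydomain.com" "tokenAAA.ACCOUNTTHUMB" >/dev/null
stage_challenge "$demo_root/www.mydomain.com" "tokenBBB.ACCOUNTTHUMB" >/dev/null
if check_challenge "$demo_root/mydomain.com" "tokenAAA.ACCOUNTTHUMB" \
   && check_challenge "$demo_root/www.mydomain.com" "tokenBBB.ACCOUNTTHUMB" \
   && same_account "tokenAAA.ACCOUNTTHUMB" "tokenBBB.ACCOUNTTHUMB"; then
    echo "both challenges staged; safe to press ENTER"
fi
rm -rf "$demo_root"
```

One caveat the local check cannot catch: the validator connects over plain HTTP on port 80 and follows redirects, and some shared hosts refuse to serve anything under a dot-directory.  Before pressing ENTER, fetch the challenge URL in a browser or with curl from outside your network and confirm you get the two-part string back.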

Running Xtightvnc vncserver automatically on Raspberry Pi

I spent, oh, literally a week figuring this one out.  A solid week bashing the old noggin against solid walls.  But the clouds of haze parted and left a shining path before me: how to get my VNC server on my R-Pi working automagically on Raspbian Jessie.

Firstly, you should have raspi-config (or its GUI equivalent) set to auto-login to the desktop.

Once you've installed the server and set a VNC password, go ahead and edit LXDE's autostart file:

sudo apt-get install tightvncserver
vncpasswd
nano /home/pi/.config/lxsession/LXDE-pi/autostart

add this line at the bottom:

@nohup vncserver :1

If you get a checkered background, you may have to add an extra line at the bottom of your commands.  For example, I also launch pronterface automatically.  Don't forget the @!

Now, safety first: it's highly recommended to connect to VNC through an SSH tunnel, or to leave your Pi on its own isolated network if you're controlling it like this.  VNC traffic is not encrypted, and the VNC password is limited to eight characters, so the tunnel is doing the real work.  TightVNC's vncserver also has a -localhost option that accepts connections only from the Pi itself (which in practice means only through a tunnel), if you care to lock it down later.

For logging into your new server, I recommend the TightVNC viewer; it's available free on every platform.
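As an added example (not from the original post), the snippet below does what the steps above describe in a repeatable way: it appends the vncserver line to the LXDE autostart file only if it isn't already there, with TightVNC's -localhost switch so the server only answers on the loopback interface, and prints the matching SSH tunnel command to run on your workstation.  The autostart path and display :1 are taken from the post; the hostname in the demo is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotently registers vncserver
# in LXDE's autostart, bound to localhost, and prints the SSH tunnel to reach it.
set -eu

AUTOSTART=/home/pi/.config/lxsession/LXDE-pi/autostart   # path from the post (assumed)
VNC_LINE='@nohup vncserver :1 -localhost'                  # -localhost: loopback connections only

# ensure_line FILE LINE
#   Appends LINE to FILE unless an identical line is already present, so the
#   script can be re-run after every tweak without stacking duplicate entries.
ensure_line() {
    file=$1
    line=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_line FILE LINE
#   Prints how many times LINE occurs in FILE (0 if absent); used to check idempotence.
count_line() {
    grep -cxF -- "$2" "$1" || true
}

# tunnel_cmd DISPLAY HOST
#   VNC display N listens on TCP 5900+N. Prints the ssh command that forwards a
#   local port to that display on the Pi; then point the viewer at localhost:PORT.
tunnel_cmd() {
    display=$1
    host=$2
    port=$((5900 + display))
    printf 'ssh -L %s:localhost:%s pi@%s\n' "$port" "$port" "$host"
}

# install_autostart
#   Run this on the Pi itself; it is a function (not run at load) so the file
#   can be sourced elsewhere without touching /home/pi.
install_autostart() {
    ensure_line "$AUTOSTART" "$VNC_LINE"
    echo "From your workstation: $(tunnel_cmd 1 raspberrypi.local)"   # hostname is a placeholder
}
```

After install_autostart has run on the Pi and the desktop has restarted, run the printed ssh command on your workstation and connect the TightVNC viewer to localhost:5901; with -localhost in place, a direct connection to the Pi's address on 5901 is refused.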

Props to our Pi forebears!

The Malware Scanner Lifecycle


You either die a hero, or you live long enough to see yourself become the villain.

Malware comes and goes [mostly comes], but good malware scanners are few and far between.

Very big names have gone into this arena and come out empty-handed; the battle to keep the computers of the world safe from infection is a three-way fight between platform builders who struggle to patch mounds of buggy code, security experts who monitor for plagues and vectors, and bands of rogues who want to keep exploits secret and nefariously useful.

In the midst of the second group lies the home of the malware scanner.  Having largely supplanted the virus scanner over the last decade, malware scanners form a small army of independently produced scanning systems facing off against malware that wants to turn any given network node into a quick buck.

Essentially, they rely on detecting rogue software and feeding a database shared with all other users of the software.  It might seem more obvious to develop a unified response (like WordPress' Akismet spam-blocking agent), but Microsoft has always taken a hands-off approach to security, save for a handful of years when it mounted a half-hearted effort with the Windows Defender program.

Malware scanning is left to the wider market, where the story always goes like this: idealistic IT student makes malware scanner, does it for fun and donations, then slowly sells out as the software gets popular and too big to manage.  And then comes the point where you insist on receiving payment before users can remove malware.  Now your software has itself become ransomware, and rounded the circle from hero to villain.


GNOME Evolution 3.2 e-mail database recovery

Missing e-mails?  Nothing showing up in your folder, but the “Properties” for the folder says you still have hundreds of messages in there?

If, like me, you've ever tried to mark 3000 messages as read all at once, you may have crashed the SQLite database at the heart of Novell GNOME Evolution.  If your Inbox is suddenly "empty", don't worry!  Evolution is capable of rebuilding the database on its own with only a little prompting.

If this happens to you, I'd recommend making a backup before proceeding.  Use Evolution's backup option ( File > Backup Evolution Data ) or make a tarball of your e-mail folder [ the default location on Precise Pangolin is ~/.local/share/evolution ].

Also to keep things neat while you mess around, you ought to take Evolution offline ( File > Work Offline ).  This way, you don’t have any new messages filtering in to gum things up.

Now navigate to your Evolution mail folder [ in this case, the location is ~/.local/share/evolution/mail/local ] and wrench your database file, folders.db.  You can delete it, but renaming it will suffice.


Now launch Evolution.  You won't see anything to begin with, although some of your messages may trickle in.  You'll see a small new folders.db file reflecting the rebuild.

Wait a minute or two until Evolution seems like it’s finished.  You shouldn’t see too much.  Now, to really get things rolling, quit Evolution.

Your disk activity will spike as Evolution syncs with all the files still located on your computer, and folders.db will grow in size too.

All your messages should be restored, but e-mails previously moved to the Junk folder will now be back in your Inbox.  Sorry.

I’m still using Ubuntu Precise with Evolution 3.2, so this may be different in a newer version.
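As an added example (not from the original post), here is a small shell script that performs the recovery steps above in the safe order: take a timestamped tarball of the Evolution data directory, verify the archive can actually be listed, and only then move folders.db aside (renamed, never deleted) while refusing to touch it if Evolution is still running.  The default directory is the Precise location quoted in the post; set EVOLUTION_DIR for other layouts.

```shell
#!/bin/sh
# Added example, not from the original post. Backs up the Evolution data
# directory, verifies the backup, then renames folders.db so Evolution rebuilds it.
set -eu

EVOLUTION_DIR=${EVOLUTION_DIR:-$HOME/.local/share/evolution}   # Precise default from the post

# backup_evolution DIR DEST
#   Tars DIR into DEST/evolution-<timestamp>.tar.gz, verifies the archive lists
#   cleanly, and prints the archive path. Fails (and changes nothing) if DIR is missing.
backup_evolution() {
    dir=$1
    dest=$2
    [ -d "$dir" ] || { echo "backup_evolution: no such directory: $dir" >&2; return 1; }
    mkdir -p "$dest"
    archive="$dest/evolution-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")"
    tar -tzf "$archive" >/dev/null    # a corrupt archive fails here, before anything is wrenched
    printf '%s\n' "$archive"
}

# wrench_folders_db DIR
#   Renames DIR/mail/local/folders.db to folders.db.bak and prints the new name.
#   Refuses if Evolution is running, because the database is live until it quits.
wrench_folders_db() {
    db="$1/mail/local/folders.db"
    [ -f "$db" ] || { echo "wrench_folders_db: no folders.db at $db" >&2; return 1; }
    if command -v pgrep >/dev/null 2>&1 && pgrep -x evolution >/dev/null 2>&1; then
        echo "wrench_folders_db: quit Evolution first" >&2
        return 1
    fi
    mv "$db" "$db.bak"
    printf '%s\n' "$db.bak"
}

# recover DIR DEST
#   The whole procedure: backup first, wrench second. Run, then start Evolution,
#   wait for it to settle, and quit it so the rebuild finishes.
recover() {
    archive=$(backup_evolution "$1" "$2")
    bak=$(wrench_folders_db "$1")
    echo "backup: $archive"
    echo "moved aside: $bak"
}
```

Usage on a real system is `recover "$EVOLUTION_DIR" "$HOME/evolution-backups"` with Evolution closed and set to Work Offline beforehand, as the post recommends; if the rebuild goes wrong, the tarball restores everything, and folders.db.bak is still there too.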