The PGP Whole Disk Encryption (WDE) tools have a command line interface for both OS X and Windows. The options are mostly the same across the two. We’ll focus on two for the purposes of this little article. The first is –list-user and the second is –change-passphrase, although there are a number of other options. A general breakdown of the options include the following:
OK, so disk 0 is my only volume and it’s bootable. Nothing has been encrypted yet. So let’s confirm by looking at –disk-status:
pgpwde --disk-status --disk 0
Now, let’s see who’s got access to that disk:
pgpwde --list-user --disk 0
Then, let’s enable BootGuard on our volume:
pgpwde --instrument --disk 0
And then add user cedge to be able to unlock that volume, with a passphrase of krypted:
pgpwde --add-user cedge --passphrase krypted --disk 0
And then let’s encrypt it:
pgpwde --encrypt --passphrase krypted --disk 0
And finally, to change the password of that cedge account to something more secure:
pgpwde --change-passphrase --disk 0 -u cedge --passphrase krypted --new-passphrase "!Ab@nK$Ru13z"
To make scripting this a bit easier, you can also choose to skip the whole –passphrase option (since you might not know the current passphrase since they’re not typically reversible) you can use the –recovery-token option (assuming you have a token).
Note: No passwords were hurt in the writing of this article.
krypted February 14th, 2014
The acrodrome (yes, I just made that up, although I wasn’t sure if palinym was a better choice – decided on acrodome because I wasn’t as afraid of Tea Party snipers coming to murder me as I would have been if I used palinym) APIPA stands for Automatic Private IP Addressing. APIPA is in every version of Windows since NT and all versions of Mac OS X. APIPA is a dhpc mechanism that provides dhcp clients with self-assigned IP addresses when DHCP servers are not available. When there isn’t a DHCP server available, APIPA assigns IPs from 169.254.0.1 to 169.254.255.254 with a default mask of 255.255.0.0. Clients leverage arp to verify their address doesn’t conflict with another on the network.
APIPA is enabled on all interfaces of all dhcp clients in pretty much all modern operating systems. Add the IPAutoconfigurationEnabled key and set to 0 in Services\Tcpip\Paramters to disable on Windows, or set any client to a static IP and the system won’t attempt to self assign if a DHCP server is not available.
krypted September 15th, 2013
Posted In: Network Infrastructure
When doing updates in WordPress, upgrading the WordPress version or the Plug-Ins causes the site to enter into Maintenance Mode. While in Maintenance Mode, a message appears that says “Briefly unavailable for scheduled maintenance. Check back in a minute.” rather than the actual site. Sometimes, especially if you’re using the automatic updating functions, an update might fail and the site may be stuck in Maintenance Mode.
WordPress looks at the root level of a directory for some hidden files that can tell a site to operate in a different manner. If there’s a file called “.maintenance” then the site will display the message above. When an update of a Plug-in fails, the .maintenance file is never deleted and the site is stuck in Maintenance Mode. To correct the error, simply ftp into the root of the site and delete the file. It’s hidden, so make sure your ftp software isn’t suppressing the ability to see a hidden file.
Whatever Plug-in or update failed likely also broke something. Usually, if it’s a Plug-in then you’ll need to re-install that plug-in, as the update process removes the old Plug-in and then adds it back. If it’s a Theme, you might need to re-install the Theme.
Programmatically, you can also enable Maintenance Mode by creating this file and then disabling Maintenance Mode by deleting (or renaming) the file again.
krypted December 27th, 2012
Client systems don’t have to have drives. Nor should they, in certain circumstances. Therefore, diskless NetBoot has been a part of OS X since the early beginnings. And it’s great provided you have the Server Admin application handy. But if you want to enable/control diskless NetBoot without Server Admin then you’re going to need to use the command line.
Each of your NetBoot images will be stored in an array, which can be seen by running the serveradmin command, along with the settings option and then the net boot service, as follows:
serveradmin settings netboot
Locate the netBootImagesRecordsArray, which shows the images that are served up on the server. Find the appropriate one (most people tend to only have one) and then make sure that the SupportsDiskless option is set to yes.
serveradmin settings netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = yes
You can also set DisabledSystemIdentifiers, EnabledSystemIdentifiers, Type (type of file share), pathToImage, Architecture and use IsEnabled to enable and disable images programatically. This allows administrators to programmatically control NetBoot and therefore build custom imaging workflows that, for example, update the NetBoot set for NetRestore at the time of generating the NetRestore NetBoot set. It would also come in handy if any of these features were ever removed from the GUI…
krypted June 7th, 2012
In Mac OS X Lion, applications can make use of a feature to auto-save and version files. This feature locks files that are inactive for editing and when the file is unlocked then starts automatically saving versions. If you have a problem with the file you can then always step back to a previous version of the file. The feature is manifested in the title bar and the file menu of applications that make use of it. When you open a file, it can be locked. Viewing the file in the Finder also shows that it is locked. Clicking on locked provides the option to unlock. Once unlocked you can make changes as you normally would. The next time you save the file, a version is created. Hovering the mouse over the title of a file results in a disclosure triangle. clicking that results in some options otherwise located in the file menu.
Clicking on the Lock option again locks the file. Files inactive can automatically be locked as well. The Duplication option is similar to that of Save As. You are asked where you want to duplicate the file to. No versioning information is sent with the file. These same options are in the File menu as well.
The command-S will still save a file, and in fact now it does more and it saves a new version of the file (also done as part of the auto-save routine). The Revert to Saved options in the File menu and title bar menu will bring up an interface similar to that of Time Machine. You can navigate through here to find a version that you want to restore and restore your data.
Versioning information is persistent across a restore. In fact, once restored, you can revert back to a more recent save than that which was restored. In my testing so far, versioning information is not always persistent across restores of files (works with Time Machine, doesn’t work with 3 other applications I’ve tested). But YMMV there as patches are introduced in (hopefully) the next few weeks. Versions data is stored in /.DocumentRevisions-V100. In the /.DocumentRevisions-V100/db-V1 directory is a sqlite database with information and pages files are stored in containers by UID of local users in the /.DocumentRevisions-V100/PerUID directory. Permissions here are owner of root, group of wheel and d–x–x–x.
bash-3.2# cd /.DocumentRevisions-V100/
bash-3.2# ls -al
d--x--x--x 7 root wheel 238 Jul 18 22:39 .
drwxr-xr-x 36 root wheel 1292 Jul 28 23:24 ..
drwx------ 5 root wheel 170 Jul 28 23:27 .cs
drw------- 2 root wheel 68 Jul 18 22:39 ChunkTemp
d--x--x--x 3 root wheel 102 Jul 18 22:39 PerUID
drwx------ 4 root wheel 136 Jul 28 23:27 db-V1
drwx--x--x 2 root wheel 68 Jul 18 22:39 staging
Changing the permissions to 000 causes the feature to report no versions for the files but then you also cannot save changes to files. If you remove the .DocumentRevisions-V100 directory altogether it does not automatically recreate itself at the creation of a new document; however, it does not create itself initially until the first time you’re saving a document. Putting the directory structure back in place resolves any saving problems (is all this sounding a bit like how Spotlight indexes work to anyone???). Versioning is saved locally for files that are stored on network volumes. If you move a file that was versioned locally to a network volume and back then it will loose versioning information. If you open a file from a network share there is no versioning information in the file unless the local computer you are using had been used to make those versions. When you save a file stored on a network volume you are informed that the volume does not support permanent version storage. If you open the file and start editing it on another host and changes occur on both hosts (which the system will allow to happen) then at the next save you will get an alert that states that the file has been changed by another application. Clicking Save Anyway will overwrite changes from the other computer and Revert will revert to the last saved document or more likely error out with a complaint about permissions (even if those permissions are 777). Continuing to make changes on both hosts will eventually cause a “GSLibraryErrorDomain error 1” error code; however, the file will remain open so you can copy your changes off into another file. A few other points of information:
You can still mv a file to a .zip, unzip it and extract images and raw index data; however the versioning information is not actually saved there. Scanning the file system for changes during a version change only nets the file itself and the temp file (nested within /tmp) as having been altered. The Apple Developer Library explains Versioning as follows:
In the applications that ship as part of Mac OS X v10.7, users no longer need to save documents explicitly or be concerned about losing unsaved changes. Document-based Cocoa applications can opt into this autosaving behavior with a simple override. With automatic saving enabled, the system automatically writes document data to disk as necessary so that data displayed in a document window is, in effect, always the same as the document data on disk. A file coordination mechanism maintains sequential access to files. (See “Mac OS X File Coordination.”) Applications that support automatic saving also support document version history browsing. To browse previous versions of a document, choose Browse All Versions from the pull-down menu at the right end of the menu bar.
For more on NSDocumentController here’s Apple’s page for that.
Overall, Versions has taken me a little while to get used to. Especially in TextEdit. But I’ll take the latency in exchange for the ability to roll back changes. If you are rolling out Lion in a larger environment, you’re going to want to check out whether or not users expect this to persist across network shares, copying files to additional computers or even backups in many cases.
krypted July 28th, 2011
Posted In: Mac OS X
Each time you sync an iOS based device, a backup is made (unless you disable the option). These are stored in ~/Library/Application Support/MobileSync/Backup. Here you will find a number of folders, each beginning with the UDID of the iPhone, iPad or iPod Touch that has been backed up. The contents of these folders can be used to restore a device in the event that the device falls outside your control. Within the folders are a bunch of files with alphanumeric names that look garbled, even though some can be viewed using a standard text or property list editor (while others are binary). But there are also a bunch of other files in here. These can be parsed using a script, such as this one (which parses the database files), or you can use a GUI tool to put Humpty Dumpty back together again, such as iPhone Backup Extractor.
When you open iPhone Backup Extractor, click on the Read Backups button and you will be shown a list that should correspond (albeit using prettier names) to the entries in the Backup directory. Select the one that you would like to extract and then click on Choose. From here, click on iOS Files and then click on Extract. You will then be asked where to extract the file to. Choose a location.
Once extracted you can find out a lot of information about the apps you use and how they interact with your data. Most useful applications are going to cache your data (that’s what makes most of them useful) so don’t be surprised to see data such as conversations, contacts and even passwords in raw text or sqlite databases that you might not have thought so easily accessed (even without your phone). Keep in mind, the iTunes backup is considered secure to your iOS based device and if a user profile shouldn’t be considered secure then there is an Encrypt iPhone backup option available in iTunes that makes this whole process a moot point…
Anyway, back to finding that pincode… Next, browse into the extracted iOS Files and then into the Library/Preferences directory. Here you will find a file called com.apple.springboard.plist with a SBParentalControlsPin key. I extracted my files on my test device to my desktop, so I can see this with a quick defaults command:
defaults read /Users/seldon/Desktop/iOS Files/Library/Preferences/com.apple.springboard SBParentalControlsPIN
If a iPhone backup has been encrypted then it can be decrypted only if you know the correct password to decrypt. Once you have the passcode, you can safely manage the device again. There are also a lot of other things that you can enjoy playing around with if you’re interested to see what kind of data is stored where, either in the operating system or for each application (eg – com.apple.mobilephone.speeddial.plist is why I can never seem to remember my wifes phone number).
While much of the data for an iOS based device is stored in property lists, some is also stored in a sqlite database (typically in .sqlitedb files). You can interact with these via the sqlite3 command, built into Mac OS X or using a tool such as http://sourceforge.net/projects/sqlitebrowser if you’re not into SELECT commands in sqlite3. Overall, there is a lot of information that can be learned playing around with this stuff. If you haven’t given it a shot yet, I’d recommend it. However, again, don’t be alarmed about any of the security impacts of this stuff, just encrypt the backups and it’s not an issue.
krypted April 10th, 2011
Using the firewall in Ubuntu can be as easy or as hard as you want to make it. BSD variants all basically use the ipfw command whereas most of the rest of the *nix world will use netfilter. Netfilter has a number of front ends; the one that comes pre-installed in Ubuntu is ufw, short for ‘uncomplicated firewall’. Ufw is good for basic port management: allow and deny type of stuff. It’s not going to have the divert or throttling options. So let’s look at some basic incantations of ufw (you need to have elevated privileges to do all of this btw).
First you need to enable ufw, which is done using the ufw command (no need to apt-get this to install it or build it from source) followed by the enable option:
You can also use the disable option to turn the firewall back off:
And to see rules and the status of the firewall, use the status option:
The ufw Configuration File
The ufw configuration file is /etc/default/ufw. Here, you can manage some basic options of ufw. These include:
To restart ufw after you make changes to the configuration file, use the services command:
service ufw reload
service ufw restart
The first thing most people will want to do is enable a port. And of the ports, 22 is going to be pretty common, since without it you can’t ssh back into the box. For this, you’ll use the allow option followed by the name of the service (application profile):
ufw allow ssh
You can use numbers instead (since ufw isn’t going to know every possible combination and you might be running some on custom ports):
ufw allow 22
You can also deny traffic using the same structure, just swapping allow with deny:
ufw deny http
Beyond a basic allow and deny, you can also specify what IP addresses are able to access each port. This is done using ufw followed by the proto option, which is the followed by the actual protocol (tcp vs udp, etc) which is then followed by the from option and then the source then the to option then the IP to accept traffic (or the any option for all IPs on your box) and finally the port option followed by the actual port. Sounds like a lot until you see it in action. Let’s say you actually want to allow traffic for port 10000 but only from 192.168.210.2. In that case, your rule would be:
ufw allow proto tcp from 192.168.210.2 to any port 10000
Or if you only wanted 10000 to be accessible on one IP of your system (theoretically you have two in this scenario) that has an address of 192.168.210.254:
ufw allow proto tcp from 192.168.210.2 to 192.168.210.254 port 10000
Once you have your rules configured, you are invariably going to have to troubleshoot issues with the service. Obviously, start with log review to perform a hypothesis of what the problem is. To enable logging use the logging option and specify the on parameter for it:
ufw logging on
Once enabled I usually like to view both /var/log/messages and /var/log/syslog for entries:
cat /var/log/syslog | grep UFW ; cat /var/log/messages | grep UFW
One of the best troubleshooting tools to prove any hypothesis that has to do with a rule is to simply delete the rule. To delete the deny http rule that we made earlier, just use the ufw command along with the delete option specifying the deny 22 rule as the rule to remove:
ufw delete deny http
Additionally, just disabling ufw will usually tell you definitively whether you are looking at a problem with a rule, allowing you to later look into disabling each rule until you find the offending rule.
Ubuntu also comes with iptables by default. iptables is the ipchains replacement introduced a number of years ago and is much more complicated and therefore flexible than ufw, although using one does not mean you cannot use the other. To get started, let’s look at the rules:
You will then see all of the rules on your host. If you have been enabling rules with ufw these will be listed here. You can then configure practically anything for how each chain (a chain is a series of rules for handling packets) functions. You can still do basic tasks, such as enabling ssh, but iptables will need much more information about what specifically you are trying to do. For example, to accept incoming traffic you would need to define that the chain will add an input (by appending it to the chain using -A INPUT) for tcp packets (-p tcp) on port 22 (–dport ssh) and accepting those packets (-j ACCEPT):
iptables -A INPUT -p tcp –dport ssh -j ACCEPT
That is about as simple as iptables get. I’ll try and write up more on dealing with it later but for now you should have enough information to get a little wacky with some basic firewall functionality on Linux. Enjoy.
krypted November 24th, 2010
I don’t think I’ve actually used the caps lock key in years. Well, scratch that, I’ve frustratingly used it by accident. I did a post a couple of years back with a couple of ways to disable it for Windows. But recently I’ve been doing a lot of work and have accidentally made the amount of work a little more by enabling the caps lock key and typing entire paragraphs. So to disable, open the Keyboard & Mouse Preference Pane from System Preferences and then click on Modifier Keys. From here, change the Caps Lock Key value to No Action. Check out com.apple.systempreferences.plist and the com.apple.preference.keyboard.config array within it for doing so programatically.
krypted August 12th, 2009
Posted In: Mac OS X
When you plug a disk into a drive (er, mount a volume) in Windows the autorun.inf will automatically be processed. You can disable this by holding down the shift key when you plug it in.
krypted January 23rd, 2007
Posted In: Windows XP