Cheap cybersecurity books

 Posted by  Uncategorized  No Responses »
Jul 192017
 

Those into cybersecurity, rejoice.

Humble has a new book bundle and, unlike their lately book offerings, this one is actually good and extremely cheap considering the books included. Frankly, it would be a good deal if only Applied Cryptography was included.

Yes, lowest tier is useless and middle tier essentially lives on Cryptography Engineering with Mitnik’s The Art of Deception adding a bit of flair.

But the most expensive $15 tier more than makes it up with Applied Cryptography, aged book that still somehow manages to stay current in the approach to security if not in all examples. And there is Secret and Lies proving that Schneier is getting all philosophical as he ages.

Based on my picks you can already see that they might have called this Schneier’s bundle and I would be equally interested. The only two books I wish were here are Applied Cryptography and The Twofish Encryption Algorithm (yes, I know how old it is).

If you have any interest in security do think about this bundle. Probably the cheapest (legal) way to get some real classic and a good read.

My SSH crypto settings

 Posted by  Linux  No Responses »
Jul 162017
 

With ever-expanding number of scripts on my NAS I noticed that pretty much every one had similar, but not quite the same parameters. For example, my automatic replication would use one set of encryption parameters while my Mikrotik router backup script would use other, and my website backup script would use a third variant.

So I decided to see if I could still keep the reasonable security but consolidate all these to a single type.

For key exchange, I had choice of diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1. Unfortunately there is no curve25519-sha256@libssh.org or similar algorithms that are considered more secure.

For a while I considered using diffie-hellman-group14-sha1 as it uses 2048 bit prime but its abandonment by modern SSH versions made me go with diffie-hellman-group-exchange-sha256. As this method allows for custom groups, it should be theoretically better but it also allows server to setup connection with known weak parameters. As servers are in my control, that should not pose an huge issue here.

For cipher my hands were extremely tied – Mikrotik, my router of choice, supports only aes256-ctr and aes192-ctr. Both are of acceptable security so I went with faster: aes192-ctr.

For authentication Mikrotik was again extremely limited – only hmac-sha2-256 and hmac-sha1 were supported. While I was tempted to go with hmac-sha1 which is still secure enough despite SHA1 being broken (HMAC part really does make a difference), I went with hmac-sha2-256 as former might get obsoleted soon.

My final set of “standard” parameters is as follows:

-2 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -c aes192-ctr -o MACs=hmac-sha2-256

Additional parameter is not strictly encryption related but I find it very reasonable to enforce SSH protocol version 2.

My settings for Panasonic LX100

 Posted by  Uncategorized  No Responses »
Jul 112017
 

On these pages I cover a wide array of topics. There is no order to it – just things that interest me and problems I faced trying to make them work. More often than not, posts are just a way for me to remember solutions thinly veiled into a more generic topic.

However, some posts are so specific I cannot even pretend I am actually helping somebody else than me. This is one of those posts – my general settings for Panasonic LX100 camera. Probably of no interest to anyone, oddly specific to my way of shooting photos, and for a camera that is a bit on the old side.

PS: Panasonic also makes available online full basic and advanced manual where much more detail can be found.

Rec
Photo Style Standard: NR-2 Standard profile with a touch of lower noise reduction.
Picture Size L 12M Not sure why you would go any lower.
Quality Fine Occasionally I might add Raw to it too, but not in general. I found myself too lazy to do a lot of post-processing.
AFS/AFF/AFC AFF This setting is actually one I change the most and value varies between AFS (single focus) and AFF (flexible focus).
They are both really similar but AFF does adjust a bit for moving subjects so it fits my use better as default choice.
Metering Mode Multi-metering For evening/night time photography I sometime change it to center-weighted or spot settings. However, for daytime use it almost always stays at default.
Burst Rate M I love mid-speed setting as it gives me 7 pictures per second bursts while keeping the live view working. Even better,
at this speed, fast card, and with JPEG-only you can shoot forever. For sports it is tempting to switch to high speed but there is no benefit if you are using AFF/AFC and you lose live view. Super-high speed uses electronic shutter so approach with care.
Auto Bracket I almost never do bracketing of any kind other that for HDR which uses other settings anyhow. So I just pretend this doesn’t exist.
Self Timer 10 seconds (3) I really rarely use this – frankly cannot remember the last time I had it. However, I feel as having it shoot three pictures instead of one is a nice feature.
Highlight Shadow I generally leave this at default setting. If I have picture where adjusting it would make sense I simply record it raw and edit it on computer.
i.Dynamic Standard I found enabling this feature gives me better shadows for a general use case without having to fiddle with raws.
i.Resolution Off It basically just increases sharpness at the cost of fine detail.
Simultaneous record without filter On I really rarely mess with filters but when I do, I like option to have the same picture with and without filter applied. Do notice this setting can only be changes if filter is selected and you are not shooting raw (annoying restriction!).
iHandheld Night Shot On I love this setting on my FZ-300 as it helps tremendously during night recording. Unfortunately available only in automatic mode (iA).
iHDR Off This is automated HDR and not necessarily too bad if you are on a lazy side. However, I leave it on by default.
HDR Off This is manually enabled HDR and I set it to On only if I really want it. While some settings can be adjusted (e.g. EV) but I use it on full auto.
Multi Exposure This setting is more of a guide for taking pictures with multiple exposures. I could never been bothered to play much with it.
Time Lapse Shot If you are fan of leaving your camera somewhere and recording a time-lapse, this camera has really nice helper. Just set the starting time and interval, and away you go.
Stop Motion Animation If you like to make stop-animation movies this helper saves you a bit of time and even creates end video for you.
Panorama Direction Right Default is good.
Shutter Type Mechanical While you can use higher shutter speeds with electronic shutter, that comes at the cost of various artifacts for the fast-moving subjects as it takes as much as 100 ms to read the whole sensor. That is eternity. I prefer to use mechanical shutter unless silence is needed. In silent mode you have electronic shutter whether you like it or not.
Flash Haven’t used it in eternity – don’t even know where flash that came with camera is.
Red-Eye Removal Off There used to be time when subjects in every picture seemingly had red vampire eyes. Not sure if people evolved in last few years or cameras got better but I don’t see it happening as often anymore. And it is trivial to adjust in any photo editor so I leave it off.
ISO Limit Set 6400 While this camera can go all the way up to 25600, I find that anything above 6400 is really noisy. If I really need ISO that high I prefer to set it manually instead.
ISO Increments 1EV I find that thirds are simply too finicky for me to bother.
Extended ISO Off Unlike with most other cameras, extended ISO doesn’t increase your maximum setting but it lowers your minimum ISO to 100 instead of native 200. As this is done in software, I cannot see why you would bother.
Long Shutter Noise Reduction On It turns on only at low shutter speeds (1/15th and below) and it does make a difference if you need to go that low.
i.Zoom Off Realistically, it is a small digital zoom and it will impact your picture quality. Yes, 3x lens can be a bit limiting but suck it up.
Digital Zoom Off Why would you do this to yourself?
Color Space sRGB While Adobe RGB is better, sRGB is what literally every consumer device supports for viewing. Use Adobe RGB only if you know what you are doing.
Stabilizer Vertical-only Full stabilizer is a nice thing but quite annoying when panning – i.e. catching your kids running next to you.
Face Recognition Off Somehow I never bothered to register the faces needed for this.
Profile Setup Off Just more stuff for kids and dogs.

 

Motion Picture
4K Photo Off It is nice idea but requires you to record everything in 4K and it changes compression method a bit.
Rec Format MP4 I find MP4 a bit better supported with amateur software.
Rec Quality FHD 20M 20p I rarely record videos and, when I do, I stick to HD most of the time. Only if I know I will be editing video further or upload it to YouTube I switch to 4K 100M 30p.
Picture Mode Motion-priority Allows you to take 2M picture while video is recorded. I don’t generally use it but I prefer it to Still-priority which essentially stops the movie in order to take picture. Annoying if done by accident.
Continuous AF On For most of time I want camera to refocus to action. If I am recording something where I can control field of action,
I might switch it Off to keep focus steady.
Mic Level Display On While it does add additional clutter, I find it useful to see if camera is picking up some noise it shouldn’t.
Mic Level Adjust 3 It is default and I wen’t with it.
Wind Cut Auto I might change this if I record in windy situations but I generally just leave camera to decide.

 

Custom
Utilize Custom Set Feature Off As I am the only one using this camera, I never found myself needed different customization styles.
Silent Mode Off I usually keep it off as it enforces dreadful electronic shutter. However, I do keep it on quick menu for occasions when I need it.
AF/AE Lock AF/AE Lock I prefer to lock both focus and exposure when using that button. As I use it only if I am recording something,
AF/AE Lock Hold On Setting this to on allows locking of AF/AE with the long press to the button and then using shutter without having to hold the button at the same time. I find default setting requires way too much fidgeting on a small space for my taste.
Shutter AF On It just enables half-press focus, full-press take picture mode.
Half Press Release Off It just enables half-press focus, full-press take picture mode.
Quick AF Off Idea of this setting is that camera focuses as you get ready to take picture. In reality it just eats up the battery and doesn’t work when you need it the most (e.g. low-light).
Eye Sensor AF Off I prefer to set my focus by half-press and not to have camera refocus every time I switch between monitor and viewfinder.
Pinpoint AF Time MID I rarely use pinpoint AF so I simply go with default.
Pinpoint AF Display PIP I rarely use pinpoint AF so I simply go with default.
AF Assist Lamp Off Somehow I always find myself in positions behind glass or with shiny metal around me and AF assist lamp goes berserk. I might re-enable it during low-light.
Direct Focus Area Off Since I use Fn1 to adjust focus area, I keep this off.
Focus/Release Priority Release I’ll rather have blurry picture than no picture at all.
AF+MF Off Call me lazy but I usually don’t mess with auto-focus. If I want manual focus I simply use the side lever and go crazy.
MF Assist Wheel Focus It uses control ring for adjusting.
MF Assist Display PIP Picture-in-picture works for me.
MF Guide On When using manual focus, a small scrollbar is shown with focus position marked.
Peaking On / High When manually focusing, blue dots are nice hint to know what is in the focus.
Histogram On I would say histogram is mandatory. My favorite position is down-right; just far enough not to mess with picture framing.
Guide Line 3×3 I love guide lines. Makes framing much easier.
Highlight On Even with histogram, it is easy to get picture overexposed by accident. With highlight you will see all those overexposed areas blinking and that is much harder to ignore. :)
Zebra Pattern ZEBRA2 I like to see my errors early. :)
Monochrome Live View Off Supposedly it is easier to focus in black-and-white; I just ignore it.
Constant Preview On I love constant preview as it allows me to immediately see if I messed up Aperture/Shutter/ISO trinity instead of figuring that once my button is already half-pressed.
Exposure Meter On When changing aperture or shutter speed, it is nice to see where you stand.
Dial Guide On More guides never hurts. :)
LVF Display Style Top+Bottom I like lot of details.
Monitor Display Style Top+Bottom I like lot of details.
Monitor Info Display On Why not having more info? :)
Recording Area Picture I like my default setup to show how stills would look.
Remaining Display Stills As I don’t use videos much, I prefer to see number of stills remaining.
Auto Review 2 seconds Two seconds is more than enough to see picture you have taken.
Fn Button Set Fn1 I only remap Fn1 to Focus Area Set. Fn2 I leave on Wi-Fi and Fn3 stays LVF/Monitor switch.
Zoom Lever Smooth Default is fine.
Control Ring Off If there is one thing I don’t like on LX100 it is its control ring. It simply doesn’t feel right and it is easy to move by accident. So I simply turn it off. Mind you, control ring still works for manual focus even if you turn it off.
Zoom Resume Off I prefer to start on the widest zoom.
Quick Menu Custom Default menu is OK but I find it a bit on a crowded side with all settings I can set more easily directly on the button.
With custom menu, I can configure up to 3 screens with 5 settings each albeit I keep it on a single screen for even faster adjustments.
iA Button Switch Press And Hold Two things I find easy to do by accident: changing exposure compensation and entering iA mode. While I cannot do anything about oversensitive wheel, I can at least make later a bit harder to enter.
Video Button On As someone who takes stills most of the time, I like having video recording on a separate button.
Eye Sensor Low I lower the sensibility of eye sensor to minimize misdetects.

 

Setup
Menu Resume On I prefer menu state to be remembered between visits.
Menu Information On I leave it on since even if you turn it off, you don’t get an extra row.
Self Timer Auto Off On I don’t see purpose of remembering self-timer between camera restarts.

 

Playback
Delete Confirmation Yes first I prefer to have Yes preselected when deleting images. I guess I like to live a dangerous life.

 

Custom Quick Menu
AFS/AFF/AFC I like to be able to quickly switch between AFS and AFF.
Metering Mode Switching between 49-area and single-area focusing comes in handy.
HDR For rare occasions I need HDR, I don’t need to hunt it in menu.
Stabilizer Essentially just to select between full and vertical-only stabilization.
Silent Mode Nice for museums and similar places. Lousy for high-speed subjects.

Encrypted ZFS for my backup machine

 Posted by  Linux  No Responses »
Jul 062017
 

I already wrote about my ZFS setup. However, for my new machine I made a few changes. However, setup is still NAS4Free based.

The very first thing I forgot last time is randomizing the disks upfront. While not increasing security of new data, it does remove any old unencrypted bits you might have laying around. Even if disk is fresh, you don’t want zeros showing where your data is. Dangerous utility called dd comes handy here (once for each disk):

# dd if=/dev/urandom of=/dev/ada0 bs=1M
# dd if=/dev/urandom of=/dev/ada1 bs=1M

This takes a while but fortunately it is possible to see current progress with Ctrl+T. Do use tmux to keep session alive as this will take long time (with a big disk, more than a day is not unexpected).

Next, instead of using glabel, I decided to use the whole disk. That makes it easier to move disk later to other platform. No, I am not jumping BSD ship but I think having setup that can change environments is really handy for emergency recovery.

While ZFS can handle using device names like ada0 and ada1 and all shenanigans that come with their dynamic order, I decided to rely on serial number of drive. Normally device labels containing serial number are found under /dev/diskid/ directory. However, NAS4Free doesn’t have them on by default.

To turn them on, we go to System, Advanced, and loader.conf tab. There we add kern.geom.label.disk_ident.enable=1 and reboot. After this, once can use /dev/diskid/* for drive identification.

Those drives I then encrypt and attach each drive:

# geli init -e AES-XTS -l 128 -s 4096 /dev/diskid/DISK-WD-WCC7KXXXXXXX
# geli init -e AES-XTS -l 128 -s 4096 /dev/diskid/DISK-WD-WCC7KYYYYYYY

# geli attach /dev/diskid/DISK-WD-WCC7KXXXXXXX
# geli attach /dev/diskid/DISK-WD-WCC7KYYYYYYY

Finally, I can create the pool. Notice that I put quota around 80% of the total pool capacity. Not only this helps performance but it also prevents me from accidentally filling the whole pool. Dealing with CoW file system when it is completely full is something you want to avoid. And also, do not forget .eli suffix.

# zpool create -o autoexpand=on -m none -O compression=on -O atime=off -O utf8only=on -O normalization=formD -O casesensitivity=sensitive -O quota=3T Data mirror /dev/diskid/DISK-WD-WCC7KXXXXXXX.eli /dev/diskid/DISK-WD-WCC7KYYYYYYY.eli

# zdb | grep ashift
            ashift: 12

Once pool was created, I snapshotted each dataset on old machine and sent it over network. Of course, this assumes your pool is named Data, you are working from “old” machine, and new machine is at 192.168.1.2:

# zfs snapshot -r Data@Migration
# zfs send -Rv Data@Migration | ssh 192.168.1.2 zfs receive -Fs Data

This step took a while (more than a day) as all datasets had to be recursively sent. Network did die a few times but resumable send saved my ass.

First I would get token named receive_resume_token from the destination:

# zfs get receive_resume_token

And resume sending with:

# zfs send -v -t <token> | ssh 192.168.1.2 zfs receive -Fs Data/dataset

Unfortunately resume token does not work with recursion so each dataset will have to be separately specified from that moment onward.

Once bulk of migration was done, I shut every single service on old server. After that I took another (much smaller) snapshot and sent it over network:

# zfs snapshot -r Data@MigrationFinal
# zfs send -Ri Data@Migration Data@MigrationFinal | ssh 192.168.1.2 zfs receive -F Data

And that is it – shutdown the old machine and bring services up on the new one.

PS: If newly created machine goes down, it is enough to re-attach GELI disks followed by restart of ZFS daemon:

# geli attach /dev/diskid/DISK-WD-WCC7KXXXXXXX
# geli attach /dev/diskid/DISK-WD-WCC7KYYYYYYY
# /etc/rc.d/zfs onestart

 Older Entries