OpenBSD (First impressions)

BSDs are operating systems I have always had a keen interest in, mostly because, unlike Linux (which is mainly just the kernel), the BSDs are developed and distributed as complete operating systems.

What I mean is that GNU/Linux consists of a selection of userland tools (GNU) chosen by the distribution developers, plus the Linux kernel. That is not a bad thing, but the choices made by the developers behind distributions such as Ubuntu, Fedora, Manjaro, etc. are reflected in the kind of experience a user has, since the selection of userland tools that ends up in the final operating system varies. There are also no clear guidelines, no right or wrong way to do something. This is exactly where advanced / meta Linux distributions like Gentoo and Arch Linux fit in, as they hand the decisions about what to install and how to build it over to the user.

Anyway, what I wanted to talk about today is OpenBSD. First, I have zero experience with any BSD operating system. They might look a bit similar to Linux, but they are totally different beasts, each with its own pros and cons. I’m not here to discuss which is better; I like them both and they have different use cases.

The reason I chose OpenBSD over the more popular FreeBSD is that OpenBSD’s main focus is security and code correctness. Security is a complex topic, and it is tough to get right. A lot of modern operating systems, Linux included, don’t have many of the advanced system security features enabled by default, because distributions like Ubuntu aim to be compatible with as much hardware as possible, and enabling such features may cause software and hardware issues as well as a lot of headaches. So just running a Linux distribution like Ubuntu doesn’t necessarily mean that you are safe or secure.

Yes, the advanced security features can be configured if you are an experienced Linux user with a strong background in security and you are using a Linux distribution like Gentoo. But setting everything up to a top-notch security standard and trying to compete directly with OpenBSD is nearly impossible, because the code base of the Linux kernel is huge (millions of lines of code). As we know, a bigger code base brings more vulnerabilities and bugs that can be exploited, and we have already seen many vulnerabilities in the Linux kernel emerge over the years; perhaps more are yet to follow.

What I’m trying to get at is that the OpenBSD code base is far smaller than that of Linux, and they have a team of dedicated developers who audit their code base on a regular basis and have been doing so for over a decade. This means their code base is not only clean and stable, but the whole operating system has been designed from the ground up to be a highly secure system, with a strong focus on cryptography as well.

Since I have a Gentoo Linux system on my current laptop (which took me weeks to configure and fine-tune), I decided to leave it as it is and dabble in OpenBSD while investing as little as possible. An embedded device like the BeagleBone Black was naturally the perfect choice, as it is reasonably cheap and listed as supported on the OpenBSD website. What I didn’t know at first was that OpenBSD doesn’t support HDMI on the BeagleBone, so I had to wait a while until I finally bought a TTL to USB serial cable. What that is and how it works is outside the scope of this post, but I learned a lot along the way and successfully installed OpenBSD.

Anyway, the most impressive thing I first noticed about OpenBSD was the quality of the man pages. They are so well written that they put the Linux man pages to shame. There are a lot of things I still have to figure out, but I’m learning one step at a time.

The filesystem used by BSD systems in general is ZFS, which I hear is pretty robust and flexible and is used by big companies such as Netflix to manage thousands of terabytes of data. The firewall (PF) is also well known and has been used in a variety of commercial firewall appliances. A lot of other things are still new to me, but OpenBSD package management reminds me of Gentoo, as it also gives you the option to compile packages from source besides offering binary packages.

Apparently there is still no support for binary packages on the BeagleBone under OpenBSD, and since my SD card is only 8GB I also wasn’t able to compile anything from source due to the limited capacity. I will write a full review of OpenBSD once I’ve upgraded to a bigger SD card and have had enough time to mess around with it.

In the meantime, feel free to share your opinions or suggestions about OpenBSD or Linux in general.

Thanks for reading!

Preventing Evil Maid and Rubber Ducky style attacks on Linux

So you are running Linux and you think that perhaps you are relatively secure compared to Windows, right? Well, actually there’s not much difference in the security of either platform, because there are certain attacks that your operating system will never be able to defend against unless you proactively take the right security measures to prevent them.

What am I talking about here? Let’s start with hard disk encryption, and let us assume that we are on Linux. So you have encrypted your default Ubuntu partition with a really strong passphrase during installation (LUKS + dm-crypt), and you must be thinking, man, am I secure. Well, that is true to some extent, but the catch is that your boot partition needs to be left unencrypted so that the system can unlock your drives after you enter the correct passphrase.

So here is the dilemma: even on Linux we have an unencrypted boot partition, and it is therefore a vulnerability waiting to be exploited. Someone can just mess around with the contents of your boot partition while you are away, and perhaps even write a simple shell script that logs the passphrase and sends it back to the author. This is what you call an Evil Maid style attack. There are not many ways you can defend against such an attack, but a good measure would be to keep your boot partition somewhere else, perhaps on a USB drive. Then whenever you go out you can keep that USB drive with you at all times and have the peace of mind that the laptop at your home will not be messed around with, because all that is left there is a block of encrypted data whose contents cannot be tampered with. Today I will not go into the details of how to make such a setup, because trust me, doing this manually takes a lot of work, especially if you are on a distro like Gentoo!

But let me tell you about another attack that is quite common these days and not many people know about. Have you heard of the USB Rubber Ducky? If not, go and Google it. Or if you want to save time, let me tell you.

Basically, the USB Rubber Ducky looks like a regular USB stick, even with a similar size, but when you plug it in it acts as a HID (Human Interface Device). HID is usually reserved for mice and keyboards, so posing as a USB stick while being able to act as a keyboard allows it to interact with a running system in a way you would least expect. It can own you in a matter of seconds if you haven’t taken the right precautions, especially on a distro like Ubuntu that automatically mounts anything by default. This is not just a big threat for Windows but also for Linux.

Perhaps the USB Rubber Ducky could start a background process that spawns a shell and tries to sniff the password you type when you log in to your device; after it receives the password it could automatically call home with the newly gained credentials.

So I looked around for a bit on how to stop such an attack on Linux, and to my surprise I found that the Linux kernel provides an easy-to-use interface that disables the USB ports.

So you can just paste this script and it will disable your USB ports; depending on the number of USB ports you have, you may need to modify those commands and follow the instructions in the comments. This script, if set up correctly, basically disables the USB ports on boot so that you don’t have to worry about disabling them manually (you might forget).

You can also add this code to your .bashrc or .zshrc so that you can enable or disable USB manually when necessary.

# Disable usb devices to mitigate rubber ducky style attacks
# Loop over every root hub: a glob in a redirect target fails with "ambiguous redirect"
# when there is more than one, and the sysfs files are only writable by root.
usboff(){ for f in /sys/bus/usb/devices/usb*/authorized_default; do echo 0 | sudo tee "$f" >/dev/null; done; }

# Enable usb devices
usbon(){ for f in /sys/bus/usb/devices/usb*/authorized_default; do echo 1 | sudo tee "$f" >/dev/null; done; }


You will need root permissions to write to those sysfs files, so don’t forget to use sudo.
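As an added example that is not from the original post, here is a default-deny version of the same idea: every root hub gets authorized_default=0, and only devices whose vendor:product ID is on an allowlist get authorized=1. It uses the same sysfs attributes (authorized_default, idVendor, idProduct, authorized) that the Linux USB core exposes; SYSFS_ROOT and ALLOWED_IDS are parameters I introduced, and the IDs listed are constructed sample values, not the author’s hardware.

```shell
#!/bin/sh
# Added example: default-deny USB authorization with an allowlist.
# Assumes Linux sysfs at /sys/bus/usb/devices (SYSFS_ROOT is overridable so the
# functions can be exercised against a fake tree without root).

SYSFS_ROOT="${SYSFS_ROOT:-/sys/bus/usb/devices}"

# Allowlist of vendor:product IDs (constructed sample values; replace with your own,
# e.g. from `lsusb`). Your real keyboard must be on this list or it will be denied too.
ALLOWED_IDS="${ALLOWED_IDS:-046d:c31c 0781:5583}"

# Write authorized_default on every root hub: 0 = newly plugged devices start
# unauthorized (no driver binds, so a fake keyboard cannot type), 1 = kernel default.
usb_set_default() {
    val="$1"; count=0
    for f in "$SYSFS_ROOT"/usb*/authorized_default; do
        [ -e "$f" ] || continue
        printf '%s\n' "$val" > "$f" || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]          # fail if no root hub was found
}

# Return 0 if a vendor:product string is on the allowlist.
usb_is_allowed() {
    for id in $ALLOWED_IDS; do
        [ "$id" = "$1" ] && return 0
    done
    return 1
}

# Walk every USB device (not root hubs, not interface nodes) and authorize only
# allowlisted ones; prints one "allow"/"deny" line per device.
usb_apply_allowlist() {
    for dev in "$SYSFS_ROOT"/*; do
        case "${dev##*/}" in usb*) continue ;; esac      # skip root hubs
        [ -f "$dev/idVendor" ] && [ -f "$dev/idProduct" ] && [ -f "$dev/authorized" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        if usb_is_allowed "$id"; then
            printf '1\n' > "$dev/authorized"; echo "allow ${dev##*/} $id"
        else
            printf '0\n' > "$dev/authorized"; echo "deny  ${dev##*/} $id"
        fi
    done
}

# Usage (as root, e.g. from a boot script): sh usb-allowlist.sh apply
if [ "${1:-}" = "apply" ]; then
    usb_set_default 0 && usb_apply_allowlist
fi
```

Two caveats a practitioner would check: authorized_default only affects devices enumerated after it is written, so run this early in boot and then apply the allowlist to what is already present, and a vendor:product ID is trivially spoofable, so this raises the bar against casual plug-in attacks rather than proving a device is genuine.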

Anyway, this concludes today’s post and I hope that it will be helpful.

Cheers!

Gentoo Linux Review

So it’s been a month since I switched to Gentoo Linux. I must say that I gave it very long and careful thought. I was intimidated at first by the idea of even spelling the name Gentoo Linux, and there is a reason for that. From the very beginning, since the day I first made the switch from Windows to Linux, a thought was planted in my brain that Gentoo is the most hardcore Linux distribution there is, but as I learned, that is far from the truth.

Basically you compile everything from source; it’s not like a traditional binary Linux distribution. You build it from scratch, step by step, and you decide what and how you want things to be built. The end result is a very highly customized Linux operating system that is fine-tuned for your hardware, with all the software built on that same machine and optimized for your architecture. Not only does that result in a boost in speed, but the main benefit I saw using Gentoo was in the customization of software using what they call USE flags.

USE flags are a pretty interesting concept. Let’s say you want to install a piece of software like Firefox. You can see which USE flags it uses and then add or remove flags to enable or disable certain features, like whether it should use PulseAudio or ALSA for audio playback, whether Firefox should have native language support for your country built in, or whether you want to add GStreamer support for native video decoding. There are hundreds of different USE flags depending on the type of software you are interested in, and they can all be tweaked to suit your needs. This customization option is pretty much unavailable on a binary distro unless you compile stuff manually, which for the most part can break a lot of things in your system. This makes Gentoo a really attractive Linux distribution for experienced Linux users.

Anyway, for me personally it took two weeks to have a fully working system with all issues fixed, from the touchpad to suspend-to-RAM, audio, etc., now working perfectly fine. It was a rather interesting learning experience, as for the first time I learned how to compile the Linux kernel from scratch; actually I had to do it 5-6 times to get a fully working setup.

If I had to reinstall Gentoo from scratch, maybe I would give it a second thought, because it is quite time consuming. Most of your time is spent reading and learning from the wiki, and much less on actually doing anything. But once you have figured it all out you know what to do, so subsequent installations should be much faster. A good idea is to clone the image of your Gentoo install and back it up elsewhere once you have figured everything out.

Is Gentoo for you? Well, if you can set aside time for it and you have the patience and willpower to learn, then it is definitely worth it. Personally, there were times while setting up Gentoo when I felt hopeless, frustrated and about to give up. But the burning desire to cross over to the other side and be with the elites of the Linux world kept me going. Some of the most talented and smartest people I know in the Linux community use Gentoo, and you will never understand what Gentoo is like until you have actually installed it. I think if you are a serious Linux user and you just want to learn how all the underlying parts of the Linux operating system fit together, then this learning experience is definitely worth it.

After having used Gentoo, I can never look at another Linux distribution the same way again. On my previous Arch Linux install (on my netbook) I had issues with browsers like Chromium and Firefox, which used to crash randomly, especially during video playback, but after installing Gentoo they didn’t crash even once. Smooth, stable, fast: in my opinion the Gentoo experience is second to none.

Smooth video playback @Youtube [Linux]

So recently I’ve been researching how to get a better video playback experience on Linux when browsing sites like YouTube. Video playback on Linux was a headache most of the time from the early days, especially because there were not many “good” alternatives to a lot of proprietary codecs. Now that Flash Player is long dead and no longer widely supported, we look to HTML5 to solve our online media playback woes.

But the thing is, HTML5 doesn’t solve our problem yet. On sites like YouTube, VP9 is the codec served by default when HTML5 is enabled in your browser. VP9 is the successor to VP8 and is about a 5-15% improvement over its predecessor, but on the downside hardware acceleration for VP9 is not built into most hardware other than the latest smartphones like the Samsung Galaxy S6, etc.

Hardware-based decoding is important because it is more efficient than software-based decoding, not only in terms of raw performance: overall CPU usage goes down, resulting in less energy being used on your laptop or mobile device. Therefore hardware-based decoding also helps conserve battery life by a big margin when watching videos.

Even if hardware acceleration of VP9 is built into your hardware, the software side of things isn’t ready yet on almost all platforms, since VP9 is still a pretty recent development and the industry needs some time to catch up.

Anyway, long story short, I turned to various browsers at first without doing much research, hoping they would magically solve my problem, but that was not the case. After a while I learned about an open-source API developed by Intel (VA-API) that allows hardware decoding of various codecs using the built-in Intel GPU found on most of its CPUs. VA-API on Arch Linux can be accessed by installing the packages “libva-intel-driver” and “libva”. On other distros it should be something similar.

Another thing I discovered while testing browsers is that Firefox for some reason uses a lot more CPU during video playback than a Google Chrome based browser like Chromium, although they both rely on software-based decoding. It probably has something to do with how Firefox renders the video internally.

Anyway, the bad news is that VA-API doesn’t yet support VP9 decoding, but what you can do is install a browser plugin that forces the H.264 codec only and then take advantage of hardware acceleration using VA-API, as H.264 decoding is supported. In my case I used an external player (mpv) with my custom config (placed in ~/.config/mpv/config) and a Firefox plugin called open-with, and I can just right-click on any video and select open with mpv to get awesome video playback with negligible CPU usage.

Before hardware-accelerated video playback my average CPU usage on Chromium was around 20-25%, whereas on Firefox it was around 40-50%. After hardware acceleration, on my netbook with an N3700 processor, CPU usage is less than 10% using Firefox. Power usage dropped from 9-10W to 5-6W. That’s a pretty big improvement, not to mention that the video playback seemed crisper compared to the software-decoded version.

It might seem that I was complaining about Firefox at the start, but after switching video playback to mpv it seems to be a much better solution than even Chromium.

If you have some tricks of your own, feel free to comment and share below!🙂

So you use Linux?

So recently I saw this video explaining the frustrations of using Linux on a daily basis (Click Here), and it reminded me of the same thing.

As a Linux user who has been using Linux non-stop for over 6-7 years, I can totally relate.

I’ve blogged in the past about how life as a Linux user is quite challenging if you don’t get the right hardware. Even if you do get the right hardware, getting things to work the way you want might take more than just a few hours of tinkering. As a beginner Linux user, if you value your time, then just closing your eyes and going for Windows is sometimes a better alternative if you want to get some real work done.

There’s a steep learning curve when it comes to Linux, mainly because Linux is an open system and there are just too many choices you can make. There’s no right or wrong way to do something. That leaves a lot of Linux users (especially beginners) frustrated, because they are so used to pointing and clicking on closed systems like Windows that they just expect things to work in a minimal number of steps. Actually it’s not that simple on Linux, because it is an operating system built by hackers and programmers, and they have the mentality that you should be able to quickly edit a config file somewhere, do some research and make things work. That’s the mentality that makes Linux seem so complex for beginners in my opinion, because they don’t feel comfortable with the idea of changing the way they usually do things. People are afraid of change, and it’s one of the many reasons why desktop Linux may never be a reality, but it’s good to see that distros like Ubuntu are giving it a shot anyway.

Having spent 6-7 years of my life learning and taming the wild beast that is Linux, I’ve learnt a lot of stuff and I’m thankful to the community, the forums, the users for being so generous with their time, sharing knowledge and most importantly for being so patient with me. Without Linux and the community behind it I would not be able to define my identity as I’ve grown so attached to it and it has slowly won over my heart. It’s like falling in love with a wild beast, that initially barks and whines at you. Then slowly you start to understand the reasons behind why it is misbehaving. It took me a lot of frustration, sleepless nights, doses of caffeine and socializing with geeks over IRC to tame this beast but in the end it is totally worth it and I have no regrets.

Yes, it is frustrating as a Linux user, but once you get to the point where you have figured out every single detail of what makes the underlying operating system tick, you have nothing to worry about. It’s like reaching GOD mode on your computer, and you have complete control over everything, from the type of cipher used to encrypt your hard disk to the firewall rules that allow packets to traverse your network; everything is under your control with no abstractions, no bloat, no hidden third-party code written by uncle Gates that might spy on you. It’s just your hand-written configurations and the Linux kernel bridging the gap between you and your hardware.

Even though I love Linux so much, I definitely would not recommend it to a friend or family member. That is because the headache, the babysitting and the investment of time needed for someone completely new to Linux are not worth it. You may be thinking that maybe I am selfish, but actually I have a point. Out of 10 people only maybe 2 or at most 3 would have the time or interest to learn how to do things differently, and most people I’ve seen in my experience don’t want to consider investing time in learning a new operating system, especially one where, if something doesn’t work, you try to fix the problem yourself.

Linux Mint Hacked (/rant)

So I recently heard in the news that a quite popular Linux distro that is currently a competitor to Ubuntu (Linux Mint) has been hacked. The hackers took control of their servers and infected one of the downloadable ISOs.

It’s not the first time a distribution has been hacked, and I really don’t blame the Linux Mint admins for it. Security is quite a complex topic, and it’s even harder if you’re on the defender’s side. All the attacker needs to do is find a single flaw, whether it’s a plugin on the blog you’re using or something that might seem really insignificant. The results can be really devastating even if you have taken strict security measures on the network side of things.

Anyway, what I really wanted to talk about is the important role GPG has to play in this. For example, I recently made a fresh Arch Linux install from scratch. Before getting started I had to verify the integrity of the ISO I downloaded, to make sure the downloaded image is the same image I was supposed to receive from the server. But successfully verifying the integrity of the image doesn’t guarantee that it is the exact image the original authors created. To verify that it came from the intended author I also had to download the signature file that came with it, receive the key from a keyserver and verify the signature using gpg.

This extra step of verifying the signature is something I’ve noticed on distros like Arch, Gentoo, etc. Personally I think GPG is not that hard to use, although some people find it confusing, and even most distros like Ubuntu (back when I was using it) don’t offer this extra step of signature verification.

So why is this important? Well, in the case of Linux Mint after it was hacked, if signature verification had been there the users could have seen whether the image was signed with a key belonging to one of the official developers and could have inquired further if anything looked suspicious. I don’t think it’s easy for a random attacker to forge the developers’ signatures, but it does provide an extra layer of security on the user’s side.
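Here is the two-step check described above as an added example (my code, not the author’s or any distribution’s): first the checksum against the published sums file, then the detached OpenPGP signature with gpg. It assumes a sums file in the format sha256sum writes, a detached signature file next to the ISO, and that you copied the signing key’s fingerprint from the project’s website rather than trusting whatever a keyserver returns; the keyserver URL is my choice and the file names are placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO for integrity (checksum) and
# authenticity (detached gpg signature). Assumes sha256sum and gpg are installed.

# 1. Integrity: does the ISO match the published SHA256?
#    The sums file is in "sha256sum" format: "<hex>  <filename>" per line.
#    Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
verify_checksum() {
    iso="$1"; sums="$2"
    name="$(basename "$iso")"
    expected="$(awk -v n="$name" '$2 == n {print $1}' "$sums")"
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual="$(sha256sum "$iso" | awk '{print $1}')"
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK"
        return 0
    fi
    echo "checksum MISMATCH: expected $expected, got $actual" >&2
    return 1
}

# 2. Authenticity: was the ISO signed by the key with the fingerprint you trust?
#    Fetching a key from a keyserver only proves someone uploaded it, so the
#    decisive check is that gpg's VALIDSIG line carries the expected fingerprint
#    (as the signing key or as the primary key it belongs to).
verify_signature() {
    iso="$1"; sig="$2"; fpr="$3"
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$fpr" >/dev/null 2>&1 || return 2
    gpg --status-fd 1 --verify "$sig" "$iso" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# Usage: sh verify-iso.sh <image.iso> <sha256sums.txt> <image.iso.sig> <KEY-FINGERPRINT>
if [ "$#" -eq 4 ]; then
    verify_checksum "$1" "$2" && verify_signature "$1" "$3" "$4" && echo "signature OK"
fi
```

The order matters for the reasoning in the post: a matching checksum only shows the download was not corrupted or swapped relative to the sums file, and if the attacker controls the web server they can publish matching sums for a tampered image; only the signature check ties the file to a key the attacker should not have.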

Anyway, I actually support the decision made by the Linux Mint community to immediately announce the compromise to its users and take appropriate measures. There are perhaps a lot of distros out there that don’t like to reveal such things publicly for fear of losing their image in the community. But the Linux Mint developers really do care about their users, so props to them for being so transparent about the whole thing.

P.S. If you’re really paranoid about your security/privacy, try doing an Arch Linux install from scratch. I know it takes a lot of time on your first run, but the learning experience is totally worth it. Good luck!🙂

Efficient browsing / productivity with Vimium

For quite a while now I’ve been doing pretty much everything on Linux with just keyboard shortcuts. I’ve switched to a tiling window manager called i3, which eliminates the need for a mouse, as everything from resizing window frames to making them full screen or tiling them a certain way can be done with the press of a few buttons. I’ve found that it increased my productivity by quite a big margin, and I feel like the mouse was just a roadblock on the way to productivity.

The only place I still needed a mouse was for browsing the web. Luckily, even though a bit late, I’ve found a way to get rid of that too, by using a plugin called Vimium for Chrome. I’m a big-time Vim user, and it’s kind of funny that I thought the learning curve I went through for Vim and the hours I spent learning it could only be used for things like coding and text editing. The time I invested in learning Vim actually pays off when you consider plugins like Vimium, which lets you use the same keyboard shortcuts you’re used to in Vim and works as a replacement for your mouse.

It’s actually difficult to imagine what the experience is like when you consider that there’s no mouse at all; you just press keys and things work the same way as if you had a mouse. From opening links in new tabs, scrolling, interacting with custom frames and clicking on elements, to opening older tabs from history or going through your bookmarks, everything works smoothly as if you’re doing it with a real mouse.

I’m starting to get used to it; so far it seems pretty easy to get started, and I highly encourage people to try it out and see for themselves what it’s like. You don’t actually need previous experience with Vim, and the shortcuts can be configured, as the plugin is quite flexible. Try it out, who knows, you might even like it🙂