Archive for June 20th, 2010

Whole-disk encryption

Two times recently I’ve had friends who have had data stolen from them physically; one had her house broken into and her laptop stolen, another had her external backup drive stolen.

It’s one thing to have a laptop or a hard drive stolen, but it’s much much worse to worry about the impact that the now-compromised data can have on your life — Stored passwords, confidential data, personal information, photos, the list goes on. It’s even possible that a thief could use the saved passwords and cookies saved on your computer to access your on-line accounts and do considerably more damage. On-line banking, email accounts, social-media accounts, etc.

Even if your laptop is damaged, it’s still possible for an attacker to take the hard drive out and hook it up to another computer to gain access to your information. Log-in passwords don’t protect against this if the OS is bypassed. Your data is completely accessible.

While it is possible to secure a large part of your data by encrypting your most private files, that still doesn’t cover areas like browser cookies, temp files, and the swap space. Data from secured areas can “leak” into those areas and still be viable for attackers. In addition, this requires effort, and I talked about this in my post about backups.

Hard drive passwords are one good tool, as they render the drive effectively useless to all but the most sophisticated attackers (read: all except police, government, and attackers with sophisticated tools). The hard drive is logically “locked” at the firmware level and cannot be unlocked without the correct password or some circumvention of this. Your data is still stored on the drive, but attempts to read the drive will fail. Most modern computers (especially laptops) and hard drives support hard drive passwords. This is a good tool, but if you’re at all concerned with the potential weaknesses of this, you might want something a little stronger.

Enter full-disk (or whole-disk) encryption. This is one of the strongest tools to protect against any time of attack against the hard drive. By storing the data on the drive in an encrypted form, it becomes next-to-impossible to get anything useful off the drive. Full-disk encryption typically uses the AES method, which is well-established to be secure.

There are several commercial solutions to full-disk encryption, but as a big supporter of free/open-source software, I’m only going to cover the free and cross-platform ones.

TrueCrypt (Windows, Mac, Linux) – This is an exceptional tool for encrypting both internal and external drives, and creating encrypted “containers” to store files in. Free and open-source, and from what I’ve seen, rock solid. I’ve used this under Windows to do full-disk encryption, and I still use it to keep my 1TB external hard drive encrypted. Setup is easy and doesn’t require you to reinstall the OS — encryption of your existing drive can be done on-the-fly and you won’t lose any data. (Though having a backup beforehand is always a good idea)

Ubuntu has a few options ingrained into the OS. Home directory encryption is a choice during installation, which protects your files when you’re not logged in. The encryption is very good, but there’s still the chance that file information will leak out into unencrypted areas of your drive. When you’re installing Ubuntu, and you’re at the part where you enter your chosen username and password, at the bottom of the screen you’ll see the option “Require my password to log in and decrypt my home directory.” That’s the option which enables home directory encryption.

The “alternate” installer CD gives a solution to this: Full-disk encryption using LVM/dmcrypt. Unfortunately, this option will require you to reinstall your OS as it requires the disk to be repartitioned as LVM and encrypted. Also, it’s a little harder to set up. Although the installer is guided (and some very good walkthroughs exist) there’s no fancy GUI. It’s also not easily reversible, but as far as I’m concerned, there’s no reason you’d want to. While installing using the alternate CD, choose “LVM with encryption” while you’re setting up partitions. It’s worth noting that this installation was markedly slower than a typical install (I think it took an hour-something) but considering the amount of disk I/O that was taking place, I’m really not surprised.

Performance versus an unencrypted drive in all cases is good — your system will take a performance hit but it wont be very noticeable except in cases of disk thrashing, or very heavy disk read/write activity. You will notice a little bit of a slowdown in system performance then, but it won’t be much.

Thoughts or opinions on this? Please share them!

, , ,

Leave a comment

Ubuntu and Brother HL-2170W

I picked up a Brother HL-2170W wireless laser printer at OfficeMax a while back to replace my empty HP ink jet. For the price per page, laser is without a doubt the way to go.

I had done some searching while I was at the store because, as a Linux user, I’m big on cross-platform. (Obviously, or I’m not going to buy it.) I read a lot of mixed stories about this printer, but at the time Lucid (10.04) was coming out and I figured that a number of the issues would be addressed and I had a good chance of it working. Besides, it was a wireless printer so nearly any generic driver should work.

I brought it home, unpacked it, and set it up. Connecting the printer to the wireless AP was a breeze — simply connect the printer (via wire) to either the PC (via USB) or the router (via ethernet) and do the config using either the web interface (built into the printer) or the software. I had tossed the instructions immediately upon opening the box — this is one case where you’re probably going to want to refer to them. At least until that first test page comes out okay.

So I got the printer hooked up, on the wireless network, static IP set up, and off I go to install the drivers on the machines.

Ubuntu: Recognized immediately. Going to System > Administration > Printing and click Add brought up the add printer screen where the printer showed up after a few moments. Though the installer showed some lag, I attributed it to having to communicate with the printer during the setup.

Windows Vista: Installation of the drivers from the CD was grudgingly slow. It must have taken me the better part of half an hour start to finish.

Printer performance? I was immediately impressed. But my mind changed after a few days: This printer choked on graphics. A page of text would come out immediately, but any page with a graphic on it could take up to 20 minutes. Then for the sake of troubleshooting I tried it on the Windows machine. Came out in moments.

Something was definitely amiss. But I left it as it was for a while, until I finally got tired of waiting 20 minutes per page to print shipping labels for 15 boxes one day. So I put Windows 7 on my machine. Problem solved. (Note — the printer ships with a second drivers disc specifically for Windows 7.)

So now, a few months later, I am a Linux user once again and ran back into the same problem: The incredibly slow graphics printing. Only this time, determined to find a solution. I only had to look so far as this post. Citing a fault in the cups drivers for (at the least, this printer model), a solution was explained using a generic driver instead of the [presumably broken] cups driver:

1. Log on to the cups web interface: http://localhost:631/admin (for username and pw I used an account with sudo privileges).
2. Select “Add Printer
3. From “Other Network Printers:” I selected: LPD/LPR Host or Printer
4. under “Connection” put in: socket://IP_of_the_printer:9100 (of course, substitute in the IP of your printer)
5. Name, description, location: fill those out as you wish.
6. Sharing: I did not check this box.
7. Make: Select Generic and click Continue
8. Model: Generic PCL 5e Printer Foomatic/hpijs-pcl5e (recommended)
(this model is the closest by name to what Johnny_vc told me to use. I figured mine is different because I’m using Lucid)

Nick (below) adds this: Make and Model: Brother HL-2170W Foomatic/hpijs-pcl5e (recommended)
If you find the Brother selection, try it and see if it works, otherwise the Generic as above is known to work.

9. Click “Add Printer” and you’re done.

Works for me too. After doing this, you can view and edit the properties of the printer via System > Administration > Printing. Printing speed is back to normal.

Also, I strongly recommend you have your printer assigned a static IP address, either on the printer itself or using DHCP address reservation.

UPDATE: I encourage users to try the instructions contained in the blockquote above first, if their printer does not appear or performance is bad. Make sure you know the LAN IP address of your printer or it won’t work. I just tested this with a stock 10.10 install and I was able to print without installing anything else.

Feedback and comments are welcome, as always.

Make and Model: Brother HL-2170W Foomatic/hpijs-pcl5e (recommended)

, ,

Leave a comment