Windows 10 Fall Creators Update fails on MacOS based VM

Yesterday the Windows 10 VM I run on my MacBook took forever to install updates.

Then at some point my MacBook (yes, the whole MacBook) went blank / off without any warning. As the laptop usually warns of a low battery charge, I suspect I hit some kind of bug.

This morning when trying to recover, the MacBook itself was fine, but my Windows 10 VM gave me a screen I rarely get to see these days. Luckily I have a backup copy of the VM, which I will try to update today.

FYI: I'm running High Sierra with VMware Fusion Professional Version 8.5.8 (5824040)

Update: after restoring the VM and running the update again, it worked fine. Strange 😉

PC Engines APU2 with OPNsense firewall on top as homelab gateway

There has always been some testing going on at home, but with the introduction of an extra firewall, there will be a separate network for tinkering and trials at home.

First I decided to buy an APU2 board from PC Engines. Although the first-generation APU I had got fried quickly, according to the website their new version had addressed the thermal issues the first generation had.

When it arrived earlier this week, I still had to decide whether to run Linux or a BSD variant on top. After some quick research I stumbled upon two FreeBSD based products that both seemed a good fit: pfSense and OPNsense. I soon discovered that OPNsense is actually maintained by some guys from my village. So OPNsense it was.

Right now I've only done the basic setup stuff, but the web interface et al. look very promising. Clean, modern, snappy, complete. No CLI necessary for the more advanced stuff.

It also has ‘cloud’ / virtualisation options, so I’m sure I will try that sooner or later.

#nicefind

BTW: For my serial line needs on MacOS I stumbled upon 'Serial'. Just evaluating, but it is rather nice. I just might pay the thirty euros for it.


Passed the CISSP exam today

Late last year I was already toying with the idea of obtaining a security-related certification. People who have worked with me know that I always keep an eye on the security aspects of my work. It seemed fun and worthwhile to confirm this with a certification.

It was not immediately clear to me which one to choose. CISSP was an option, but I also considered CEH (Certified Ethical Hacker). The deciding factor was the access to peers that comes with the certification. (ISC)2 has a Dutch chapter where I know people. Good company, and surely educational.

So once that decision was made, I ordered materials somewhere in May/June. I did it with the 'Official Study Guide', combined with a number of apps on my iPad/iPhone.

I found the section on legislation tough going and, moreover, too focused on America. The book is obviously very American anyway. Europe is just about mentioned, but I have to conclude that all the other continents have their own certifications. At least they do not appear in this book.

Apart from that, the CISSP Official Study Guide was a good way for me to check whether I covered the breadth of the field reasonably well. Of course there were topics I have done little with, but at the same time there was little that was really new. For me a clear confirmation that I did well to make my security knowledge more visible with a certification.

So this morning I sat sweating over the exam. It is mostly a lot of material, and you have to pay close attention to the details and nuances. That is why you get four hours to answer the 250 questions. Fortunately I got through it a lot faster.

Now I am waiting for the administrative processing, after which I can start collecting my endorsements.



MacOS High Sierra upgrade uneventful

The install took 50 minutes and two reboots two days ago. All seems fine.

Also, I did a clean install on another laptop, and apparently enabling disk encryption during initial setup has been the default for some time. It was new to me. But then I rarely do clean MacOS installs. Mostly upgrades or Time Machine recoveries.



Protecting KeePass databases with a yubikey on MacOS

Looking for alternate or additional protection for my KeePass databases, I stumbled upon a fork of KeePassX that actually has some nice new features. One of those is the ability to use a yubikey as the key, or as an additional key, to the password database.

The fork, KeePassXC, released a version with yubikey support last June. Apparently the Windows version, KeePass 2, has had this support for some time.

Trying a sample database with the default OTP configuration of my yubikey worked just fine, but it did raise the question of what would happen if my yubikey got lost or otherwise became unusable. An unacceptable risk of locking yourself out of your password database. Thankfully this has already been addressed, but it requires some extra work.

The yubikey has two configuration slots, of which the second slot is unused by default. By getting a second yubikey and using the Yubikey Personalisation Tool, you can set up two yubikeys with the same secret for HMAC-SHA1 Challenge-Response mode in the second configuration slot. The yubico website has a pretty clear configuration guide in PDF on 'How to Configure Identical Credentials in Challenge – Response'.

After that, it is just a matter of creating a new password database that requires the yubikey challenge (maybe combined with a password you still type). That, or reconfigure existing databases to start using the yubikey by adding it in the change main key option.
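To make the "identical credentials" step concrete, here is an added example (not code from KeePassXC or Yubico) that simulates two keys programmed with the same HMAC-SHA1 slot secret and a third key that was not. The composite-key construction (SHA-256 over the hashed password and the hashed response) is a simplified model of a password-plus-hardware master key, not the exact KDBX format, and the 32-byte challenge is constructed here as a stand-in for the per-database challenge the real application stores with the file.

```python
"""
Simulated YubiKey HMAC-SHA1 challenge-response protecting a password database,
and why a backup key must carry the identical slot secret.

Added example; not KeePassXC's or Yubico's code. The composite-key layout is a
simplified model (assumption), not the real KDBX construction.
"""
import hashlib
import hmac
import secrets

SLOT_SECRET_LEN = 20    # a YubiKey HMAC-SHA1 slot secret is 20 bytes
MAX_CHALLENGE_LEN = 64  # the YubiKey accepts challenges of up to 64 bytes


class SimulatedYubiKey:
    """Stand-in for the hardware: slot 2 holds a 20-byte HMAC-SHA1 secret.
    The key only ever answers challenges; the secret never leaves it."""

    def __init__(self, slot2_secret: bytes):
        if len(slot2_secret) != SLOT_SECRET_LEN:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = slot2_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        if not 0 < len(challenge) <= MAX_CHALLENGE_LEN:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def program_identical_keys(count: int = 2) -> list:
    """Mimics the Personalization Tool step from the Yubico guide: one secret
    is written into slot 2 of several keys, then discarded."""
    secret = secrets.token_bytes(SLOT_SECRET_LEN)
    return [SimulatedYubiKey(secret) for _ in range(count)]


def composite_key(password: str, key: SimulatedYubiKey, challenge: bytes) -> bytes:
    """Simplified password + hardware composite master key (assumed model):
    each factor is hashed, concatenated and hashed again, so a wrong or
    missing factor changes every bit of the result."""
    pw_part = hashlib.sha256(password.encode("utf-8")).digest()
    hw_part = hashlib.sha256(key.challenge_response(challenge)).digest()
    return hashlib.sha256(pw_part + hw_part).digest()


def can_open(stored_key: bytes, password: str, key: SimulatedYubiKey, challenge: bytes) -> bool:
    """Constant-time comparison of the recomputed key against the stored one."""
    return hmac.compare_digest(stored_key, composite_key(password, key, challenge))


def demo() -> dict:
    """Creates a database key with the primary yubikey and tries to reopen it
    with the backup key, a stray key with a different secret, and a wrong password."""
    challenge = secrets.token_bytes(32)  # constructed stand-in for the stored challenge
    primary, backup = program_identical_keys(2)
    stray = SimulatedYubiKey(secrets.token_bytes(SLOT_SECRET_LEN))
    stored = composite_key("correct horse", primary, challenge)
    return {
        "backup_opens": can_open(stored, "correct horse", backup, challenge),
        "stray_key_opens": can_open(stored, "correct horse", stray, challenge),
        "wrong_password_opens": can_open(stored, "wrong", backup, challenge),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The lock-out scenario from the post is the `stray` key: a second yubikey with its own secret is useless as a backup, because the HMAC response, and therefore the derived key, differs in every bit. Only a key programmed with the identical slot secret reproduces the response.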

As the feature is still somewhat new, I'm considering keeping a password-protected version of my database offline, while protecting the one I use on a daily basis with the additional yubikey protection.



Locking and unlocking MacOS using a yubikey

Some time ago I bought a couple of Yubikeys, but actually starting to use them ended up on the todo list.

But now I can easily unlock and lock my Apple laptop with my yubikey. Unlocking is done using the standard PAM module and the configuration described on the yubikey website.

But getting my screen locked when I unplug the device needed an extra daemon. There is an option to lock the laptop when you unplug the yubikey in the advanced security preferences, but it did not do anything for me.

I found a small project at https://github.com/shtirlic/yubikeylockd.git dealing with just that. So now, running this small daemon, my screen is locked as soon as I unplug the key.

Yunohost makes hosting web-based applications simpler

Where possible, I like to use decentralised solutions for Internet services. Until now I often started with an Ubuntu or Debian based system on which I then installed Owncloud, an IMAP server or whatever. Not very complicated, but afterwards you do have to do some administration and updates every now and then.

Recently a message mentioning Yunohost passed by on Mastodon.social. My interest was piqued, and I spent some time with it.

Yunohost uses a customised Debian installation CD as its basis, after which it fairly quickly starts a web-based tool to add applications with a few clicks and take care of the minimal configuration.

It has only been running for a few weeks, so I certainly need to look at it a bit longer, but so far it looks promising. At its core it provides a central authentication solution with working e-mail handling out of the box. TLS is also handled neatly with LetsEncrypt integration. After that you can install additional applications with a few clicks and, here and there, a simple configuration choice.

On my setup for personal use, I am already a fan of FreshRSS as an alternative to Feedly. The e-mail functionality also works fine without configuration. Spam filters etc. are already fairly solid by default.

I also installed Nextcloud on it, and Rainloop as a webmail application. Child's play, and it looks great.

As far as I have been able to see, the only downside is that the community is mainly French-speaking. A good moment to seriously brush up my French? 😁

As far as I am concerned, a somewhat slicker alternative to Sandstorm.io

Ubuntu 16.04 on MacBook Pro 11,1 success story

Once in a blue moon I try some sort of Linux as the native operating system on my laptop. As I tend to have a recent laptop, this usually ends as a short experiment where I find out one or two devices just will not work.

As my wife moved to my previous laptop when I bought my current one, we had her old laptop more or less as a spare / for the kids. After about half a year I noticed the laptop had rarely been touched by said kids, and I figured it was too good a machine to waste. So it was either selling it off or re-purposing it.

Re-purposing as a small / lightweight spare for myself sounded great. At first I set it up using MacOS, but soon I found myself installing Windows 10 and Ubuntu 16.04 as multiboot to toy around with.

This is by far the best Ubuntu experience I have ever had on a MacBook, or any other laptop. It worked so well in the first couple of days that I wiped everything from the machine to install Ubuntu exclusively on it.

Sound, wifi, graphics, hot-plugging monitors, VPN, all with zero or really minimal fuss. Nice, fast, reliable. Really, I am impressed.

And the machine is from late 2013 / early 2014. But the performance of this thing is still pretty amazing.

Apparently the camera does not work, but I did not check, as I have a Bits of Freedom sticker covering it up. Also, the media controls on my Apple earbuds do not work in Ubuntu, apparently blocked by some Apple patent.

Battery life is supposed to be a lot worse compared to MacOS. But I haven't been bothered by it yet.

Thank you Ubuntu devs 🙂 #donationtime

Windows git pre-commit hook for Puppet development

For a recent client I was asked to provide a Puppet development setup on the Windows platform. The toolchain included Git for Windows / Git Bash / TortoiseGit / Atom and some others. It also includes the Windows adaptation of my git pre-commit hook.

To use this hook, you need to install the Puppet 4 agent and a couple of Ruby gems within the Ruby environment it provides. Something like:

c:\program files\puppetlabs\puppet\sys\ruby\bin\gem.bat install r10k
c:\program files\puppetlabs\puppet\sys\ruby\bin\gem.bat install puppet-lint

(from an elevated command prompt)

The hook needs to be saved in every git repository that contains Puppet code, as the file pre-commit in the directory [repo]/.git/hooks/ (git only runs it if it is executable).

Warning: The Windows linefeed bit is really recent and might need some additional testing.


#!/bin/bash
# Requires bash, as it uses the [[ ]] syntax.
#
# https://puppetlabs.com/blog/using-puppet-lint-to-save-yourself-from-style-faux-pas
# https://docs.puppetlabs.com/guides/templating.html#syntax-checking
#
# If it's puppet code, lint it up.
# 20150915 syncaddict
# - Added support for erb syntax checking
#
# 20151020 syncaddict
# - Added support for YAML syntax checking
# - more verbose operation
#
# 20170615 syncaddict
# - version that works on windows
#
# 20170809 syncaddict
# - detect / convert windows linefeeds
#
# Variables go hither

# A failing command anywhere in a pipeline (erb | ruby -c) must fail the pipeline.
set -o pipefail

# Tools shipped with the Puppet agent MSI. The 8.3 short names avoid the
# spaces in "Program Files" and "Puppet Labs".
PUPPETLINT="/c/Progra~1/Puppet~1/Puppet/sys/ruby/bin/puppet-lint.bat"
PUPPETAGENT="/c/Progra~1/Puppet~1/Puppet/bin/puppet.bat"
ERB="/c/Progra~1/Puppet~1/Puppet/sys/ruby/bin/erb.bat"
RUBY="/c/Progra~1/Puppet~1/Puppet/sys/ruby/bin/ruby.exe"

# Tools from the Git for Windows / Git Bash environment.
DOS2UNIX=/usr/bin/dos2unix
GREP=/usr/bin/grep

# Staged files (added, copied or modified), one per line. Split on newlines
# only, so paths containing spaces survive, and restore IFS afterwards.
IFS=$'\n'
FILES=( $(git diff --cached --name-only --diff-filter=ACM) )
unset IFS

for file in "${FILES[@]}"
do

   ## replace windows linefeeds on all changed files - WIP
   # Count lines ending in a carriage return (CRLF). grep -c prints the count
   # and exits 1 when nothing matched, which is the normal case here; only
   # exit codes above 1 are real errors.
   LFCHECK=$($GREP -c $'\r$' "$file")
   RC=$?
   if [[ $RC -gt 1 ]]; then echo "LF check failed on $file"; exit $RC; fi

   if [[ $LFCHECK -gt 0 ]];
   then
     # Converts the working copy only; the staged copy still has CRLF,
     # hence the request to re-add.
     $DOS2UNIX "$file"
     echo "Converted linefeeds on $file, please re-add and retry your commit"
     exit 1
   fi

  case $file in
    *.pp)
      echo "Checking puppet file $file"
      # --fix rewrites the file in the working tree; those fixes are not staged.
      $PUPPETLINT --no-puppet_url_without_modules-check --no-arrow_on_right_operand_line-check --no-140chars-check --fail-on-warnings --fix --with-filename "$file"
      RC=$?
      if [ $RC -ne 0 ]; then exit $RC;fi

      $PUPPETAGENT parser validate "$file"
      RC=$?
      if [ $RC -ne 0 ]; then exit $RC;fi
    ;;
    *.erb)
      echo "Checking erb template $file"
      # Compile the template to Ruby and syntax-check the result.
      $ERB -P -x -T '-' "$file" | $RUBY -c
      RC=$?
      if [ $RC -ne 0 ]; then exit $RC;fi
    ;;
    *.yaml|*.yml)
      echo "Checking yaml file $file"
      # Pass the path as an argument instead of interpolating it into Ruby code.
      $RUBY -e "require 'yaml'; YAML.load_file(ARGV[0])" "$file"
      RC=$?
      if [ $RC -ne 0 ]; then exit $RC;fi
    ;;
    *)
      echo "Not checking file $file"
    ;;
  esac
done

exit 0

Tor relay node back in business

When a leased server has bandwidth to spare, I try to give it to the Tor network. Project servers come and go, but I am happy to report that my relay node is back in business.

Aug 5 14:45:48 droid Tor[8966]: Bootstrapped 0%: Starting
Aug 5 14:45:48 droid Tor[8966]: Starting with guard context "default"
Aug 5 14:45:48 droid Tor[8966]: Bootstrapped 80%: Connecting to the Tor network
Aug 5 14:45:48 droid systemd[1]: Started Anonymizing overlay network for TCP.
Aug 5 14:45:48 droid Tor[8966]: Signaled readiness to systemd
Aug 5 14:45:49 droid Tor[8966]: Opening Socks listener on /var/run/tor/socks
Aug 5 14:45:49 droid Tor[8966]: Opening Control listener on /var/run/tor/control
Aug 5 14:45:49 droid Tor[8966]: Bootstrapped 85%: Finishing handshake with first hop
Aug 5 14:45:49 droid Tor[8966]: Bootstrapped 90%: Establishing a Tor circuit
Aug 5 14:45:49 droid Tor[8966]: Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 5 14:45:49 droid Tor[8966]: Bootstrapped 100%: Done
Aug 5 14:45:49 droid Tor[8966]: Now checking whether ORPort 94.130.31.206:443 and DirPort 94.130.31.206:80 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Aug 5 14:45:49 droid Tor[8966]: Self-testing indicates your DirPort is reachable from the outside. Excellent.
Aug 5 14:45:50 droid Tor[8966]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Aug 5 14:45:51 droid Tor[8966]: Performing bandwidth self-test...done.

(And that is all the server does at this time; the project work is still on the todo list 😉)

I thought fixing the Tor relay today would be a good thing, as I am wearing my Tor shirt at #sha2017