I’ve just been working with a Flash device used as /dev/hda (the root filesystem) for a router. The aim is much the same as with my idea of using an EeePC as a router [1]. The client in question may consider the EeePC for future deployments but is concerned about the ability of ASUS to supply units when needed. The typical customer at a computer store probably isn’t going to be too upset if they have to order their computer and wait a week, but when rolling out a network for a few corporate offices it’s a major problem if there aren’t enough devices to get them all online at once!
One problem I encountered is that the default configuration had IDE DMA enabled and this didn’t work well on the system. Rumour suggests that it might be related to the bridge chipset used to run the PATA controller, which talks to the adapter that houses an SD Flash module and connects to the IDE cable. But I discovered that it would work reasonably well (at about 75% of full speed) if I turned off DMA. When I run the Flash device with no DMA and 16-bit IO I get about 2.4MB/s; I get 4.4MB/s if I use 32-bit IO, and 6MB/s with occasional system hangs if I use DMA.
The machine in question is running CentOS so the trick was to run hdparm early enough in the boot process to turn off DMA before the machine could hang. In most cases the machine would lock up solidly when udev was started.
So I added the following lines to the start of /etc/rc.d/rc.sysinit (just after #!/bin/bash), where -d0 turns DMA off and -c1 enables 32-bit IO support:
/sbin/restorecon -R /dev 2> /dev/null
/sbin/hdparm -d0 -c1 /dev/hda
Now the system seems to be working correctly.
The flash device seems like a good concept, no moving parts means less heat and more reliability, and the seek time is really good. But slow performance for bulk IO and problems with DMA increase the difficulty of implementing it. The advantage of having it in a pre-packaged device such as an EeePC is that it’s all one unit that is known to work together and has the drivers configured.
Having had a number of hard drives fail over the years I use RAID whenever possible to reduce the probability of data loss caused by hardware failure. It’s unfortunate that some machines make it impractically difficult to install a second hard drive (my laptop and some small form factor desktop machines I have given to relatives). But when it’s possible I have two hard drives running software RAID-1.
I use two partitions, one for /boot and one as a LVM physical volume (PV). When using RAID I make both /boot and the PV be software RAID-1 devices (the vast majority of machines that I install don’t have budget available for hardware RAID). /boot is a small partition, approximately 100M. For a machine with only one disk I make the second partition take all the available space as there is no benefit in doing otherwise (LVM allows me to create an arbitrary number of block devices out of the space at run-time).
When using software RAID I often make the PV take less than the full capacity of the disks. When the disks are 40G or more I usually use less than half the capacity. For most machines that I install or run the full capacity of the disks is not required. One deficiency of Linux software RAID is that on a power failure the entire RAID device must be checked to ensure that all disks have matching data (a write-intent bitmap, mdadm –bitmap=internal, limits the resync to the regions that were being written at the time, but it is not the default). Reading the entire contents of a pair of disks can take a large amount of time if the disks are large, and as the size of disks is increasing at a greater rate than the speed of disks this problem is getting worse. See my ZCAV benchmark results page for graphs of the contiguous IO performance of some disks I’ve owned [1]. It seems that with a 10G disk you may expect to be able to read it all in less than 1000 seconds, for a 46G disk it’ll be something greater than 1,500 seconds, and for 300G disks you are looking at something well in excess of 5,000 seconds.
Almost all disks (and all IDE and SATA disks for which I’ve seen benchmark results) have the lower block numbers mapped to the outside tracks which are longer and give a higher contiguous IO speed. So by using the first half of the disk the RAID synchronisation time is reduced to less than half what it might be (in the absence of motherboard bottlenecks).
When there is no need for more than about 10G of storage space there’s no benefit in making a large RAID device and wasting recovery time. While the system can operate while the RAID is synchronising the performance will be significantly lower than normal.
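As an added illustration (not from the original post), the following Python models the claim that a PV on the first half of the disk resyncs in less than half the time of a full-disk PV. The speed profile zcav_speed is a constructed linear approximation of a ZCAV curve (fast outer tracks at low block numbers, slower inner tracks), not measured data, and the disk sizes and speeds are assumptions.

```python
# Added example, not part of the original post: a model of why resyncing only
# the first half of a disk takes less than half the time of a full resync.
# The speed profile is a constructed linear approximation of a ZCAV curve
# (outer tracks fast, inner tracks slow), not measured data.


def zcav_speed(pos, outer_mb_s=60.0, inner_mb_s=30.0):
    """Contiguous read speed in MB/s at fractional position pos (0.0 = first
    block, 1.0 = last block). Linear fall-off from outer to inner track is an
    assumption; real drives step down in zones, but the trend is the same."""
    return outer_mb_s - (outer_mb_s - inner_mb_s) * pos


def resync_seconds(size_mb, fraction=1.0, steps=1000, speed=zcav_speed):
    """Time to read the first `fraction` of a `size_mb` disk end to end, i.e.
    the integral of dx / speed(x) over that range, by the midpoint rule."""
    total = 0.0
    dx = fraction / steps
    for i in range(steps):
        pos = (i + 0.5) * dx
        total += (size_mb * dx) / speed(pos)
    return total


def half_disk_ratio(size_mb):
    """Resync time of a PV on the first half of the disk relative to a full-disk PV."""
    return resync_seconds(size_mb, 0.5) / resync_seconds(size_mb, 1.0)


if __name__ == "__main__":
    for gb in (10, 46, 300):
        full = resync_seconds(gb * 1000)
        half = resync_seconds(gb * 1000, 0.5)
        print(f"{gb:4d}G disk: full resync {full:7.0f}s, first half {half:7.0f}s "
              f"({half / full:.0%} of full)")
```

Running it prints the estimated full and half-disk resync times for 10G, 46G and 300G disks. With this profile the first half takes about 41% of the full time, and the ratio is independent of disk size because it depends only on the shape of the speed curve; the absolute times scale with the size.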
If the usage pattern of the machine changes such that it needs more space it’s easy to create new partitions, make a new software RAID, and then add it to the LVM volume group (I’ve done this before). So the down-side to this is minimal.
When creating LVM logical volumes (LVs) I create volumes for the root filesystem and swap space when doing the install. This should result in the swap space being near enough to the start of the disk to get reasonable performance (but I haven’t verified this). I make the root filesystem reasonably large (e.g. 6G) as disk space is plentiful and cheap nowadays and the root filesystem is the only one that you can’t easily extend when running LVM (trying to do so deadlocks the disk IO). After the base install is done I create other LVs.
Chris Lamb has suggested storing a GPG key on a RAID-5 device [1]. The idea is that it can be stored on several physical block devices such that losing just one will not give the key to an attacker.
A default GPG secret key will be about 1.2K in size (3 of a hard drive’s 512-byte sectors). A minimal key (with a 1024-bit DSA keypair) will be 0.9K (2 sectors). I expect that very few people have secret keys greater than 4K in size.
To create a software RAID-5 device under Linux the tool mdadm is used. The default chunk size is 64K (later mdadm releases default to 512K, which does not change the conclusion), so a 1.2K file will almost certainly be on a single device. If you use the -c option of mdadm to specify a smaller chunk size then the smallest that is accepted is 4K, which still permits a default GPG secret key to be on a single device. The Ext2 and Ext3 filesystems will always align such file data to a 4K boundary unless the device is smaller than a certain size (or a special mkfs option is used) to give a 1K block size for the filesystem. If an Ext2 or Ext3 filesystem is used with 1K blocks then you might get a 1.2K file split across multiple 4K RAID chunks.
So storing a GPG key on RAID-5 won’t prevent an attacker who steals one part from getting all the most valuable data. It will make it more inconvenient for them (if you are lucky it will prevent them getting all the data) and it will also make it difficult for the owner of the GPG key to determine which of the devices actually contains the secret data (probably all of them will end up having copies if you edit the secret key).
Now if RAID-5 did allow chunk sizes that were smaller than the secret key, or if you have Ext2/3 with 1K blocks and get lucky with file fragmentation, then the problem still isn’t solved. The reason is that you don’t require N-1 of the N disks to get some useful data out of a RAID-5 array: only the parity chunk of each stripe is an XOR of the others, the data chunks are written to their members unencoded (run strings on one element of a RAID-5 array to verify this). A single disk on its own will have some data that can be used, and as file(1) can recognise GPG secret keys you could just copy 1K chunks of data into separate files and use file to determine which (if any) has the data in question.
The really exciting question is, what do you get if you have the first 1K of a 1.2K GPG secret key? If it could be proved that the first 1K does not give an attacker any advantage then this might provide some benefit. But I think that this is a very dubious assumption; when dealing with such things it’s best to assume the worst, and partial-key-exposure attacks on RSA keys (recovering the whole private key from a large fraction of its bits) are a known result rather than a hypothetical. Assume that an attacker who has 1K out of 1.2K of secret data has the ability to reconstruct the rest. In that case the Linux kernel RAID-5 provides no benefit for storing a GPG secret key.
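To make the chunk-size and single-member arguments above concrete, here is an added Python model that is not part of the original post and not the kernel’s md code. It lays a constructed ~1.2K stand-in for an exported secret key over a three-member RAID-5 with a rotating parity chunk (an assumed simplified layout; real md layouts differ in detail but share the property that data chunks are stored unencoded), once with 4K chunks and once with hypothetical 512-byte chunks, then scans each member the way strings(1) would. The filler representing neighbouring files is deterministic pseudo-random data constructed here.

```python
# Added example, not part of the original post: a toy RAID-5 layout showing
# why a single stolen member still exposes a small file in the clear.
# The rotating-parity layout, the ~1.2K "secret key" and the filler standing
# in for neighbouring files are all constructed here; real md layouts differ
# in detail but share the property shown: data chunks are stored unencoded,
# only the parity chunk of each stripe is an XOR of the others.
import random

HEADER = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
# Stand-in for a ~1.2K exported secret key; not real key material.
SECRET = HEADER + bytes(65 + i % 26 for i in range(1200 - len(HEADER)))


def noise(n, seed=1):
    """Deterministic pseudo-random filler representing other files' data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_bytes(*chunks):
    out = bytearray(chunks[0])
    for c in chunks[1:]:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_stripe(data, ndisks, chunk):
    """Lay `data` over `ndisks` members, `chunk` bytes per chunk, with one
    rotating parity chunk per stripe. Returns each member's raw contents."""
    assert ndisks >= 3
    per_stripe = chunk * (ndisks - 1)
    data = data + b"\0" * (-len(data) % per_stripe)
    members = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        parity_disk = (ndisks - 1 - s) % ndisks
        it = iter(chunks)
        for d in range(ndisks):
            members[d] += xor_bytes(*chunks) if d == parity_disk else next(it)
    return [bytes(m) for m in members]


def rebuild_member(members, lost, chunk):
    """Any N-1 members rebuild the Nth: every chunk is the XOR of its stripe-mates."""
    ndisks, nstripes = len(members), len(members[0]) // chunk
    out = bytearray()
    for s in range(nstripes):
        out += xor_bytes(*[members[d][s * chunk:(s + 1) * chunk]
                           for d in range(ndisks) if d != lost])
    return bytes(out)


def printable_runs(blob, minlen=8):
    """strings(1)-style scan: runs of printable ASCII at least `minlen` long."""
    runs, cur = [], bytearray()
    for b in blob + b"\0":          # trailing NUL flushes the last run
        if 32 <= b < 127 or b in (9, 10):
            cur.append(b)
        else:
            if len(cur) >= minlen:
                runs.append(bytes(cur))
            cur = bytearray()
    return runs


def members_holding(needle, members):
    """Indexes of the members on which `needle` appears contiguously, in the clear."""
    return [i for i, m in enumerate(members) if needle in m]


def layout_4k_chunks():
    """3 members, 4K chunks (the smallest mdadm accepts), ext3-style 4K blocks:
    the key fills one block; the neighbouring block belongs to another file."""
    data = SECRET.ljust(4096, b"\0") + noise(4096)
    return raid5_stripe(data, ndisks=3, chunk=4096)


def layout_512_chunks():
    """Hypothetical 512-byte chunks so the key is split over several chunks."""
    data = SECRET.ljust(2048, b"\0") + noise(2048)
    return raid5_stripe(data, ndisks=3, chunk=512)


if __name__ == "__main__":
    for name, members in (("4K chunks", layout_4k_chunks()),
                          ("512B chunks", layout_512_chunks())):
        print(name, "whole key on members:", members_holding(SECRET, members),
              "| key header on members:", members_holding(HEADER, members))
```

With 4K chunks the whole key sits on member 0 and a strings-style scan of that member alone returns it intact. With the hypothetical 512-byte chunks no single member holds the whole key, but member 0 still carries the first 512 bytes and the last 176 bytes of it in the clear, which is the partial-exposure case discussed above; and rebuild_member shows that any two of the three members reconstruct the third, so losing two members is the only way to keep the remaining one from being useful on its own.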
Just try not to get your devices that contain secret data stolen. Maybe a watch with a built-in USB device is a good idea. Thieves seem to be targeting mobile phones instead of watches nowadays and something that’s strapped to your wrist is difficult to lose.
It seems to me that the Asus EeePC (a $AU499 ultra-light laptop with only flash storage) would make a decent router.
Often full desktop PCs are used as routers because they run the most common software and have standard interfaces. There have been dedicated router devices with flash for a long time, but without the ability to connect a standard monitor and keyboard they were always more difficult to manage than general purpose PCs. Also dedicated routers have limited RAM and storage which often does not permit running a standard OS.
According to the best review I could find [1] the EeePC has a minimum of 256M of RAM, a Celeron-M CPU (32-bit Intel), and a minimum of 2G of flash storage. This hardware is more than adequate to run most server software that you might want to run (my current router/firewall/server has 192M of RAM). It could run a web server, a mail server, or any other general server stuff. It comes pre-loaded with a modified version of Debian so you get all the Debian software (which incidentally means more pre-packaged software than is available for any other distribution). Bigger versions are common; I believe that the $AU499 version has 512M of RAM and 4G of flash, and I’m not sure that I could even obtain a lesser EeePC in Australia.
The up-side of flash is that it doesn’t take much power (a low-power device is a good thing in whatever confined space ends up housing your router; the EeePC is listed as using less than 20W no matter what the load and idling at as little as 14W), that it doesn’t tend to break when dropped, and that it has no moving parts to wear out. The down-side of flash is that a sufficient number of writes will destroy it.
Obviously swap is not a suitable use for a flash storage device. But a small mail server (suitable for the needs of a home or a small office) should be fine with it. Squid is commonly run on router devices; to run it on an EeePC I would be inclined to buy a 1G USB flash device for the cache, then if Squid’s use destroyed the flash storage it would be easy to spend $20 and buy another.
The EeePC has three USB ports and a built-in Ethernet port. I believe that the minimum number of Ethernet ports for a firewall is three, this means either one for the uplink, one for the DMZ, and one for your LAN, or two for uplinks (with a redundant uplink) and one for the LAN. The three USB ports allow using two USB Ethernet devices to provide the minimum three Ethernet ports and one for USB flash storage.
One notable advantage of using a laptop as a server is the built-in UPS (the laptop battery). Many people have put old laptops into service as servers for this reason, but usually an old battery gives no more than about 30 minutes of power, while a new EeePC should be able to last for more than 3 hours without mains power. Using a second-hand laptop as a server is usually not viable in a corporate environment as laptops are all different. Repairing an old desktop PC is easy, repairing an old laptop is unreasonably difficult and often more expensive than replacing it. The low price of the EeePC makes it easily affordable (cheaper than some of the desktop machines that might be used for such a purpose) and the fact that it is purchased new at such a price means that you get warranty support etc.
It seems to me that a significant disadvantage of using an EeePC (or anything other than a real server) for a server task is that it lacks ECC RAM [2]. But as I’m not aware of any device sold as a low-end router, or at a price-point that would suit one, which has ECC RAM, I guess that’s not a big disadvantage for that purpose. The lack of ECC RAM and the lack of useful support for RAID do make it a little less suitable for use as a mail server.
Finally if you are going to run a VPN then it would be handy to be able to secure the hardware against malicious activity when the office is closed. An EeePC will fit nicely in most safes…
Please let me know what you think about this idea. I’ll probably start installing some such machines for clients in the near future if ASUS can keep up with the demand.
Julien Goodwin asks whether an insecure platform can perform secure computation [1]. My immediate reaction was to recall Charles Babbage’s quote On two occasions I have been asked,—”Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?” […] I am not able rightly to comprehend the kind of confusion of ideas that could provoke such a question [2].
However on careful reading of Julien’s post it seems that he is most interested in the integrity of the computations rather than the secrecy. He suggests the possibility of performing the computation twice and comparing the results. Of course the issue to consider is whether both computations could be subverted. It seems most likely that if you are using someone else’s computation cluster for the calculations then performing the same calculation on two nodes of that cluster will give the same result both times (whether it’s right or wrong).
If there was a computation that would get a result that can be verified with little computation then it would be an easy problem to solve. For example if I wanted to brute-force a passphrase for a GPG key then I could try all combinations that were known to be possible, if one was flagged as correct then in a millisecond I could verify it. If none of the possibilities were listed as correct then I could assume that the process was broken in some way. The problem with this is that such a passphrase can have arbitrary length (I know someone who uses more than 50 characters). So if I used a brute-force attack on passwords of up to 9 characters that doesn’t exclude a 10 character password.
Probably the best potential use for insecure systems is for analysing large data sets. There have been several projects to harness unused computation resources to perform various large calculations (protein folding and SETI are two examples). Most such projects use closed-source programs because the people who run the contests are afraid of cheats who modify their programs to merely say “no” repeatedly and quickly. Of course this wouldn’t be a problem if they didn’t have a high-score table, and disassembling the program to hack the protocol can’t be that difficult (consider the work invested in reverse engineering protocols such as SMB which are much more complex).
It would probably be reasonable to randomly send batches of work to two machines in different regions for such large-scale public computation projects.
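The following Python is an added model of that redundant-dispatch idea; it is not from the original post and uses no real distributed-computing project’s protocol. The task (a brute-force search of three-letter candidates for a hashed passphrase), the honest and cheating workers, the batching and the worker names are all constructed here. It shows the two points made above: a positive result is cheap to verify on its own, while a “not found” answer can only be checked by comparing workers, and comparison proves nothing when both copies were subverted.

```python
# Added example, not part of the original post: a small model of sending each
# batch of work to two randomly chosen untrusted workers and comparing results.
# The search task (a brute-force of a short hashed passphrase), the honest and
# cheating workers and the batching are all constructed here; no real
# distributed-computing project's protocol is used.
import hashlib
import itertools
import random
import string


def h(s):
    return hashlib.sha256(s.encode()).hexdigest()


def honest_worker(batch, digest):
    """Does the work. Returns (matching candidate or None, tag over every hash
    it computed) so a checker can tell that the batch was really searched."""
    tag, match = hashlib.sha256(), None
    for cand in batch:
        d = h(cand)
        tag.update(d.encode())
        if d == digest:
            match = cand
    return match, tag.hexdigest()


def lazy_worker(batch, digest):
    """Cheater: says "not found" immediately without computing anything."""
    return None, ""


def verify_claim(match, digest):
    """A positive answer is cheap to check independently: one hash."""
    return match is not None and h(match) == digest


def dispatch(batches, digest, workers, rng, compare_tags):
    """Send every batch to two distinct workers. A verified positive claim is
    accepted from either; a batch whose two answers differ is marked disputed.
    With compare_tags=False only the yes/no answer is compared."""
    found, disputed = None, []
    for i, batch in enumerate(batches):
        a, b = rng.sample(range(len(workers)), 2)
        (ma, ta), (mb, tb) = workers[a](batch, digest), workers[b](batch, digest)
        for m in (ma, mb):
            if verify_claim(m, digest):
                found = m
        if ma != mb or (compare_tags and ta != tb):
            disputed.append(i)
    return found, disputed


def make_batches(size=500):
    """All three-letter lowercase candidates, cut into fixed-size batches."""
    cands = ["".join(t) for t in itertools.product(string.ascii_lowercase, repeat=3)]
    return [cands[i:i + size] for i in range(0, len(cands), size)]


def scenario(workers, compare_tags, secret="fox", seed=0):
    """Run the search for `secret` over the given worker pool; returns
    (verified result or None, indexes of disputed batches)."""
    return dispatch(make_batches(), h(secret), workers, random.Random(seed), compare_tags)


if __name__ == "__main__":
    print("honest+honest:", scenario([honest_worker, honest_worker], False))
    print("honest+lazy, answers only:", scenario([honest_worker, lazy_worker], False))
    print("honest+lazy, work tags:", scenario([honest_worker, lazy_worker], True)[1][:5], "...")
    print("lazy+lazy:", scenario([lazy_worker, lazy_worker], True))
```

Comparing only the yes/no answers catches the lazy worker on a single batch (the one that actually contained the passphrase), because on every other batch “not found” is the right answer whether or not any work was done. Making each worker return a tag over the hashes it computed turns every batch into a comparable result, so the cheater is disputed everywhere. When both workers are lazy the answers agree and the wrong result passes, which is the point made above about subverting both copies.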
Finally if you want to perform calculations on secret data on someone else’s hardware then you may have lost before you even start.
I just read an interesting approach to finding a life partner [1]. A summary is “There is a sad truth to the world today. I am part of a dying breed of people known as “shell users.” … Because there are fewer and fewer of us, I must help keep our lineage alive. I am looking for someone to help me do this. I need a woman (obviously) who is willing to raise a child with me in the method of Unix.“.
While there is a moderate amount of humour in the post (I recommend that you read it in full) it is a genuine attempt to find a partner.
One thing that has occurred to me is that part of the cause of the attitude toward women that is sometimes demonstrated in my community is the fact that there are so many guys who are single and have been single for a long time. If this problem was alleviated then I believe that some of the other social issues would be significantly improved.
The advert in question is a bit more courageous than most guys would be prepared to consider (it’s up there with the guy who paid for a giant sign to be installed beside a highway). But there are many other options.
ESR has some advice to offer [2], but the name of the URL (sextips) seems an accurate representation of the focus of the pages. One problem with ESR’s advice is that it seems to assume an ability to be extroverted (or at least fake it) which is greater than many geeks possess. Another problem is that he assumes that geeks are inherently more intelligent than average people – there is more than adequate evidence to disprove this theory. It seems more reasonable to only assume that geeks are better than average at doing geeky things.
It seems to me that the one thing that geeks really are better at is writing email! Therefore it seems logical that geeks who want good success in meeting women should try and involve the use of email in some way. Singles web sites seem an obvious way to take advantage of this. Unfortunately there is a strange cultural aversion to using such web sites which even afflicts geeks. For some reason it’s thought to be a good idea to try and meet a life partner in a place where there is inadequate light, too much background noise to talk properly, and where everyone has taken mind-altering chemicals (I am referring to drinking alcohol at a bar or night-club). Once strange cultural ideas are discarded it seems obvious that if you want to meet a potential life-partner then you should do so in a place where there is good light, an opportunity to talk, and where everyone is in a normal state of mind. Starting out with email and then talking over the phone and exchanging JPEG pictures seems to be a sensible option in this regard.
Most times that you chat to someone you meet over the net it won’t go any further than email or maybe phone-calls. But that’s still entertaining and useful practice at communicating with women.
One thing that the Craig’s List advertiser really got right is that he knows what he wants. An advantage of the singles sites on the net is that they often force people to make decisions. When a singles site demands that you enter a desired number of children that you want to have (with 0 being an acceptable answer) then you will be forced to consider the issue and make a decision. While being prepared to negotiate about such things may be desirable, I can’t imagine anyone finding it appealing when someone doesn’t know what they want or doesn’t have the confidence to say it.
Finally don’t rule out the possibility of meeting someone through your local LUG. There are quite a few married couples who met through the Linux community. But don’t go making “pick-up” attempts on women in the community – the result will not be positive.
Via Michael Still.
The portal http://www,softwarefree,org/ aggregates many blog feeds related to free software without regard to license.
The About Page for my blog links to my Blog License page which states that “The contents of my blogs (unless otherwise noted) are licensed under a non-commercial share-alike license. This means (among other things) that you may not put my content on a web page that contains Google AdWords or any other similar advertising“.
Fortunately I had just read a great post on ProBlogger.net about dealing with such problems [2].
This time I decided to report the site to Google Adsense. I’ve been sending out a few DMCA take-down messages recently and it doesn’t seem to do much good (some sites keep doing it). So I’ll try getting their Google account cancelled.
I encourage everyone who blogs on Planet Debian and the other planets that they use as sources of such unauthorised copying to do the same.
I have decided to run a contest for security related blog posts that appear on Planet Linux Conf Au [1]. That Planet is for people who are attending Linux Conf Au [2], and the prize (or prizes) will be given out at the conference.
The aim will be posts on the topic of computer security from people who are not experts. Anyone who has been employed as a security consultant or developer of security software or who has spoken at a conference such as LCA on a topic related to security can enter but will only be eligible for an honourable mention. Any such expert who enters for an honourable mention MUST note on their entry that they are not eligible for a prize to avoid any possible confusion.
Only blog posts of a positive nature will be well regarded by the judges. Negative reviews are only acceptable if they have positive suggestions for improvement and/or bug reports linked from them.
You may submit a series of posts on a theme, and multiple posts on different security issues will help an entry – we will judge the contributions of the person not a single post.
The prize pool is currently $50, which I hope to expand – but such expansion depends in part on the quality and quantity of early entries, so if some good entries are submitted soon then there will be more and bigger prizes. Currently the prize pool comes from the pockets of me and Casey, commercial sponsorship will be accepted and may increase the prize pool significantly.
The duration of the contest is from this moment until at least lunch-time on Friday the 1st of February. We may extend the contest until Friday night and announce the winner(s) on Saturday – but at this time you should not count on such an extension and plan to have your entry or entries in by mid-day on Friday the 1st of Feb (Australian eastern daylight savings time).
So far of the people I have invited to join the judging panel only Casey Schaufler has accepted. Casey and I will consider offers to assist in judging from people who have a combination of security and blogging experience that is significant, but note that as of this time all prize money comes from the judges…
When you write a post that you wish to submit for the contest please comment on this post with the URL to make sure that the judges don’t miss it. Entries submitted on the last day may need some other form of notification, I will write a future post which clarifies this issue.
Some issues related to selecting the winners have yet to be determined, I will write future posts with more information. But please don’t hesitate to enter now, well written posts that have a positive tone are what you need. Also entering quickly will help increase the prize pool, more prizes means a greater chance that you will win one!
One thing I am considering is how to manage commercial sponsorship if it is offered. One possibility I am considering is allowing a sponsor to declare that half of the money they pay will be used as prizes for entries that relate to their product. That would give an extra incentive for people to blog about topics related to the sponsor but still give extra prize money for other topics. In that situation the relation between the sponsor’s product and the prize winning entry or entries would be liberal, so a post about standard Unix security features would be eligible for prize money from any commercial Linux distribution.
Finally you must have your own individual blog to enter the contest. Guest-posts on other people’s blogs or group efforts are not eligible for anything other than an honourable mention.
Update: The contest is over and was not a success. See this page for the details [3].
Leon writes about giving a stranger $1 to help him get a train ticket.
Recently I saw something similar, a lady was giving balloons to children in the Bourke St Mall in Melbourne just after 9PM. I asked her about this (I couldn’t see a logo on the balloons and wondered how she was making money). It turned out that unlike almost everyone else who gives out balloons in shopping areas she wasn’t trying to advertise a product to parents, but her hobby was to give out balloons to children.
I regret not asking her more questions, I wonder why she was doing this after 9PM (there aren’t many children out then), whether she always hangs out at Bourke St, and what gave her the idea to start doing this.
Bruce has written an interesting post about wireless encryption [1]. His main ideas seem to be that it’s nice to provide emergency net access for random people, that attempting to secure a wireless network only causes more problems when (not if) it is broken, and that your machines which are mobile need to be secure against a hostile LAN anyway.
These all make sense. I’d probably be doing the same if it wasn’t for the problems I had getting 802.11b gear working in my house (maybe conflicts with some of the other wireless equipment I run) and for the fact that I run NFS over my home network (which needs decent performance and has no security).