Secure Erase a Crucial M4 SSD


The next suggestion was to throw away half of the broken chips at home, and the other half at work. But I *know* someone will suggest eating the refuse, then “depositing” the processed output in multiple lavatories along the eastern seaboard. Me, I think that’s a bit over the top.

Dead Drive

Dead Intel 320 Series SSD

This SSD wouldn’t keep recognizing its own existence for long enough to even run the SMART tools against it. I ordered a Samsung 840 Pro yesterday, it arrived this morning.

I’ve installed (k)Ubuntu on it, updating now. In a bit I’ll strip the chips off that board, and crush them – that’s the only way to securely destroy data on an SSD.

Today: More house cleaning. Ciao!

Nearly So

Paul guessed that the pictured object was a vertical file holder. Ye..ess, depending on what you’re filing. What I’m filing with it:

Cutting board holder

Pushed back to the edge of the counter, the holder keeps the boards from using too much counterspace, while still easily available for use. I made these two boards to replace two bamboo boards that cracked. We’ve also moved our two large boards (including the one made by Marcia’s dad many moons ago) up off the counter and above the fridge. We don’t need those too often.

We hope y’all had a nice holiday (if you celebrate). I’m celebrating by taking the upcoming week mostly off – I’ve got a couple of work tasks during the time, but only a couple at this time. The balance of the time is taken with house cleaning and other indoor chores. For example, I’m pivoting my *NIX system over to the Illumos-backed OpenIndiana distribution. I’ll have some Linux running as virtual machines, but this Solaris fork is going to be an interesting and useful platform for me. Today I’m migrating data onto it from backup disks.

*      *      *

I’m happy to relay that DoD reported no US Military casualties during the last week. That’s definitely something to be thankful for! Ciao!

 

Choresday

That’s my new name for the `day formerly known as Sunday`. Today was full of shopping, laundry, car washing and paint maintenance, coffee roasting, and computer rebuilding.

Only the latter was really interesting. I had a new motherboard/CPU/RAM combo, courtesy of work, to be able to do more VM work here at home. Now the processor is faster and hyperthreaded, and the RAM is faster, and more (32G). I took advantage of the rebuild occasion to remove the old Linux MD device, and installed the ZFSonLinux module and tools. Now my data store is a ZFS raidz1 pool, built from three 1TB drives. Snapshots are better and easier, etc, etc. This makes me very happy.

Moving lots of data at once appears to make ZFSonLinux a little unhappy … freezing the system unhappy. More to explore there.

*      *      *

Our condolences to the family, friends, and unit of Sgt. 1st Class Forrest W. Robertson, 35, of Westmoreland, Kansas, who died Nov. 3, in Pul-E-Alam, Afghanistan, of wounds sustained when enemy forces attacked his unit with small arms fire.

Six Days of LISA ’13

Howdy. My name’s Brian, and I’m a tired SysAdmin…

So, six days of tutorials and talks at the USENIX LISA ’13 conference are done. And it was good. My behind is, however, glad to be shut of those hotel conference chairs.

Sunday, 3 November

Sunday’s full day tutorial was called Securing Linux Servers, and was taught by Rik Farrow, a talented bloke who does security for a living, and is Editor of the USENIX ;login: magazine on the side. We covered the goals of running systems (access to properly executing services) and the attacks that accessibility (physical, network) enable. As always, the more you know, the more frightening running systems connected to networks becomes. We explicitly deconstructed several public exploits of high-value targets, and discussed mitigations that might have made them less likely. User account minimization and root account lockdowns through effective use of the `sudo` command were prominently featured. Proactive patching is highly recommended, too! Passwords, password security, hashing algorithms, and helping users select strong passwords that can be remembered also were a prime topic. Things that Rik wished were better documented online are PAM (Pluggable Authentication Modules) and simple, accessible starter documentation for SELinux.

Monday, 4 November

Hands-on Security for Systems Administrators was the full-day tutorial I attended on Monday. It was taught by Branson Matheson, a consultant and computer security wonk. Branson is an extremely energetic and engaging trainer who held my attention the whole day. We looked at security from the perspective of (informally, in the class) auditing our physical, social, and network vulnerabilities. In the context of the latter, we used a customized virtual build of Kali Linux, a Debian-based pen testing distro. I learned a lot of stuff, and for those things that I “knew”, the refresher was welcome and timely.

Tuesday, 5 November

Tuesday, I took two half-day tutorials.

The first was presented by Ted Ts’o, of Linux kernel and filesystem fame. Our tutorial topic was “Recovering from Linux Hard Drive Disasters.” We spent a couple of hours covering disk drive fundamentals and Linux file systems. The final hour was given over to the stated topic of recovering from assorted disk-based catastrophes. My take-away from this tutorial was two-fold. I think the presentation would be better named “Disks, Linux Filesystems, and Disk Disaster Recovery,” which would be more reflective of the distribution of the material. Additionally, it’s worth stating that any single disk disaster is generally mitigated by multi-disk configurations (mirroring, RAID), and accidental data loss is often best covered by frequently taken and tested backups.

The second tutorial I attended, on Tuesday afternoon, was on the topic of “Disaster Recovery Plans: Design, Implementation and Maintenance Using the ITIL Framework.” Seems a bit dry, eh? A bit … boring? Not at all! Jeanne Schock brought the subject material to life, walking us through setting goals and running a project to effectively plan for Disaster Recovery. IMO, it’s documentation, planning, and process that turns the craft of System Administration into a true profession, and these sorts of activities are crucial. Jeanne’s presentation style and methods of engaging the audience are superb. This was my personal favorite of all the tutorials I attended. But … Thanks, Jeanne, for making more work for me!

Wednesday, 6 November

Whew. I was starting to reach brain-full state as the fourth day of tutorials began. I got to spend a full day with Ted Ts’o this time, and it was an excellent full day of training on Linux Performance Tuning. Some stuff I knew, since I’ve been doing this for a while. But the methods that Ted discussed for triaging system and software behaviour, then using the resulting data to prioritize diagnostic activities, were very useful. This is a recurring topic at LISA ’13 – go for the low-hanging fruit and obvious stuff: check for CPU, disk, and network bottlenecks with quick commands before delving into one path more deeply. The seemingly obvious culprit may be a red herring. I plan on using the slide deck to construct a performance triage TWiki page at work.

I was in this tutorial when Bruce Schneier spoke (via Skype!) on “Surveillance, the NSA, and Everything.” Bummer.

This was also my last day of Tutorials. In the evening I attended the annual LOPSA meeting. Lots of interesting stuff there, follow the link to learn more about this useful and supportive organization. Yep, I’m a member.

Thursday, 7 November

Yay, today started with track problems on Metro, and an extra 45 minutes standing cheek-to-jowl with a bunch of random folks on a Red Line train.

This was a Technical Sessions and Invited Talks day for me. In the morning, Brendan Gregg presented Blazing Performance with Flame Graphs. Here’s a useful summary on Brendan’s blog. This was followed in the morning by Jon Masters of Red Hat talking about Hyperscale Computing with ARM Servers (which looks to be a cool and not unlikely path), and Ben Rockwood of Joyent discussing Lean Operations. Ben has strong opinions on the profession, and I always learn something from him.

In the afternoon, Brendan Gregg was in front of me again, pitching systems performance issues (and his new book of the same name). I continue to find Brendan’s presentation style a bit over the top, but his technical chops and writing skills are excellent. This was followed by Branson Matheson (who was training me earlier in the week) on the subject of “Hacking your Mind and Emotions” – much about social engineering. Sigh, too easy to do. But Branson is so enthusiastic and excited about his work that … well, that’s alright, then, eh?

The late afternoon pair of talks were on Enterprise Architecture Beyond the Perimeter (presented by a pair of talented Google Engineers), and Drifting into Fragility, by Matt Provost of Weta Digital. The former was all about authentication and authorization without the classical corporate perimeter – no firewall or VPN between clients and resources. Is it a legitimate client machine, properly secured and patched? With a properly authenticated user? Good, we’re cool. How much secured, authenticated, patched is required is dependent on the resource to be accessed. This seems a bit like a Google-scale problem… The latter talk, on fragility, was a poignant reminder of unintended dependencies and consequences in complex systems and networks.

The conference reception was on Thursday evening, but I took a pass, headed home, and went to bed early. I was getting pretty tired by this time.

Friday, 8 November

My early morning session had George Wilson of Delphix talking about ZFS for Everyone, followed by Mark Cavage of Joyent discussing Manta Storage System Internals. I use ZFS, so the first talk held particular interest for me, especially the information about how the disparate ZFS implementations are working to prevent fragmentation by utilizing Feature Flags. OpenZFS.org was also discussed. I didn’t know much about Manta except that it exists, but I know a bit more now, and … it’s cool. I don’t have a use, today, but it’s definitely cool.

The late morning session I attended was a two-fer on the topic of Macs at Google. They have tens of thousands of Macs, and the effective image, deployment, and patching management was the first topic of the day, presented by Clay Caviness and Edward Eigerman. Some interesting tools and possibilities, but scale far beyond my needs. The second talk, by Greg Castle, on Hardening Macs, was pertinent and useful for me.

After lunch, the two talks I attended were on “Managing Access using SSH Keys” by the original author of SSH, Tatu Ylönen, and “Secure Linux Containers” by Dan Walsh of Red Hat (and SELinux fame). Tatu pretty much read text-dense slides aloud to us, and confirmed that managing SSH key proliferation and dependency paths is hard. Secure Linux Containers remind me strongly of sparse Solaris Zones, so that’s how I’m fitting them into my mental framework. Dan also talked to us about Docker … a container framework that Red Hat is “merging” (?) with Secure Linux Containers … and said we (sysadmins) wouldn’t like Docker at all. Mmmmmm.

The closing Plenary session, at about an hour and 45 minutes, was a caffeine-fueled odyssey by Todd Underwood, a Google Site Reliability Manager, on the topic of PostOps: A Non-Surgical Tale of Software, Fragility, and Reliability. Todd’s a fun, if hyper, speaker. He’s motivated and knows his stuff. But like some others in the audience, what happens at the scale of a GOOG-size organization may not apply so cleanly in the SMB space. The fact is that DevOps and NoOps may not work so well for us … though certainly the principles of coordinated work and automation strongly apply.

Brian’s Summary

At any given time, for every room I sat in, for every speaker or trainer I listened to, there were three other things that I would have also learned much from. This was my path through LISA ’13. There are many like it, but this one is mine. This conference was a net win for me in many ways – I learned a lot, I ran across some old friends (Hi, Heather and Marc), made some new ones, and had a good time.

The folks I can recommend without reservation that you take a class from, or attend a talk that they’re presenting: Jeanne Schock, Branson Matheson, Rik Farrow, and Ted Ts’o. These are the four people I learned the most from in the course of six days, and you’d learn from them, too!

My hat’s off to the fine staff at USENIX, who worked their asses off to make the conference work. Kudos!

LISA ’13

Today was the first of a six day run at LISA ’13 for me. I had a full day training class with Rik Farrow on Securing Linux Servers. I learned a few new tricks to add to the layers of defense that we apply to slow attackers, and passed some of my own on, hopefully for the benefit of my classmates. I have three more days of training, followed by two days of talks and presentations. I expect to take a lot of useful info back to work with me.

*      *      *

Last night, Marcia and I went out to celebrate our decade in this house. Yup, Hallowe’en was the actual anniversary of the contract closing, but we started moving in on the first and second of November, 2003. Pretty darn amazing, you ask me. We *really* like our life here, y’know.

*      *      *

Gladly, there are no US casualties that have been reported by DoD in the last week. Let’s see if we can keep that trend going, while we work on getting everyone home… Ciao!

Pi tricks

But first, 0630 EDT on Saturday the 26th day of October, 2013, was brought to you by the word “Fahrenheit” and the number ’28’. Brrrrrr!

*      *      *

I got home from work yesterday evening, and found Marcia watching something that probably first appeared on an obtangular Philco Predicta television in the late 1940’s. I threw an ENOTINTERESTED exception, then I came upstairs and started mucking about with the Raspberry Pi. The little credit-card sized computer, named Dortmunder (for REASONS), has languished in a corner for quite a while. I first discovered that my phone life-extension battery (acquired at VMworld, thanks VMUG) also happily powers the Pi:

Pi, fully mobile with battery pack

It’s worth pointing out that the 2200 mAh pack will probably only run the Pi for around 3 hours, since a 10 Ah battery’s been tested out to 15 hours. So, not a LOT of value there, but certainly a momentarily fun test. You can also see the size of the wireless adapter from Edimax, lit blue out of the USB housing at the top of the Pi.

More about Dortmunder: I’d considered buying a case for it pretty much from the day it arrived. I was an early Pi adopter, and at the time of purchase there were only one-off prototype cases spun up on someone’s 3D printer. While that’s cool and all, I didn’t have THAT much of a need for a case. After all, for months Dortmunder hung on a hook in my wiring closet, wired to the switch there.

With the recent addition of that Edimax miniature wireless adapter (see last Sunday’s post), the Pi can now sit comfortably with just a power connection anywhere I want. But the camera, hanging out there at the end of a 14cm ribbon cable, is not trivially stable. Nor is it easy to handle the Pi without risking static damage. So instead of going to Element 14, or Adafruit, or one of the many other Raspberry Pi resources online, I headed down to the woodshop, and noodled for a couple of hours with hand tools and scraps. I came up with this:

Dortmunder's hobby horse

There’s a couple of tweaks to adjust the operation and positioning of the camera on the “head”. I’d like to be able to get a good angle up (or down) to aim the camera properly. I have to think about that. But the circuit board body is quite firmly stable in the hand-cut grooves in the three wooden uprights. Fun little project, and the inexpensive accessory camera takes really sharp pictures:

Brian snapped by Pi camera

Let’s just assume that’s NOT a halo, mmm’kay? It’s almost certainly the light that sits on top of that cabinet over my right shoulder.

Fencing, continued.

Yesterday, I got all of the left side front fencing replaced. Today, I executed the decorative arches on those sections:

Arching the fence sections.

I set a horizontal string line across the sections, and measured down, sinking a screw at each bottom end of each arch. I then used a quarter-inch thick, 7′ long cutoff from a piece of cherry, braced against the screws and pressed upwards in the middle to describe each parabolic arch. A quick swipe with a pencil marked each arch. I cut them with the circular saw, first plunging in the middle, then working along the curve to each end. The final bits I completed with a jig saw. That side of the fence now awaits stain/sealer.

I’ll also pressure-wash the gate and posts on this side, and the posts on the other side, to get a better match with the stain/sealer when that’s applied.

*       *       *

Today’s Solaris patching went off without any hitches. The best answer for the task is Martin Paul’s Patch Check Advanced. I can audit my systems for needed patches, apply them to snapshots of the root filesystem (these are called Boot Environments, and I can patch the copy while the system is still running, yay), and then make the patched copy the next Boot target. This makes Solaris patching a much less impactful event, compared to the days when a patch set was downloaded and staged, then the system was brought down to single user mode (no services running) for the entirety of the patch cycle. Much better service uptime this way.

*       *       *

Also this week, I picked up an Edimax EW-7811Un USB wireless adapter from Amazon, for use with the Raspberry Pi. An excellent, minuscule little product, works like a champ for my purpose. It’s also worth noting that setting up wireless on Linux distros these days is shed-loads easier than it used to be. I added two lines configuring the WPA settings to the /etc/network/interfaces file, and on reboot the network came right up. It makes the Raspberry Pi a much easier thing to work with, since I don’t have to tether it to a wired LAN connection.

*       *       *

Our condolences to the families, friends, and units of these fallen warriors:

  • Staff Sgt. Patrick H. Quinn, 26, of Quarryville, Pennsylvania, died Oct. 13, in Paktika Province, Afghanistan, of injuries sustained when the enemy attacked his base with small arms fire.
  • Sgt. Lyle D. Turnbull, 31, of Norfolk, Virginia, died Oct. 18, in Camp Arifjan, Kuwait, from a medical emergency.

Fall II = Summer?

Hmmm. Six plus hours working in the yard yesterday, and nearly broken as a result. Why? It was nearly 90 degrees Fahrenheit out. I was slamming the H2O and got through it. The garden beds are cleared, turned and mulched with leaves harvested from the front yard:

Gardens put to bed before winter

After that was done, I mowed both front and back.

Today I got the shopping done, then roasted coffee and cut my hair, and wrapped the day’s chores by washing the car. That’ll bring rain. I should probably wash the car more often if it does, since we’ve had only about 3/4″ or so since late June.

*      *      *

Many of the evenings recently, I’ve been working my way through Michael Jang’s RHCSA/RHCE certification study guide. While I’ve been using Linux for a long time – about 18 years now – there’s lots of features that I don’t know because I don’t use them. I want to know more both because I might learn something actually useful in my day-to-day work, and because the certification will be useful to the business when it comes to proposal responses and such. Right now I’m about a quarter of the way through the book. I’m taking my time and doing even the stuff that seems obvious on the face of it, because there are likely details I’ll want to grok. Michael Jang knows his stuff and communicates it well – Recommended!

My other connection to Michael Jang is this book: Linux Transfer for Windows Network Admins: A Roadmap for Building a Linux File Server. You can see that while Michael is listed on the cover, Amazon still lists me as the author of the book. I was in negotiations to write that, but declined to sign a contract that required me to write the book on spec with no advance. I hope the book did well for Michael.

*      *      *

I have no condolences to offer for fallen warriors this week, as DoD hasn’t claimed any casualties in the last week. It’s possible that reporting is sluggish due to staffing issues during the US Government shutdown. But let us hope for the best – that there were no US casualties to report in the last week.

 

Bad sysadmin, no cookie

In a fit of giggles, I did something on purpose which one normally only does by mistake. I zeroed out a boot drive on a Linux box. The system had previously been wiped with DBAN, and a test CentOS install thrown on for REASONS. Those reasons were done, and it was due for wiping again anyway, so, what the heck…

dd if=/dev/zero of=/dev/sda bs=4M

Do NOT cut and paste that into your *NIX box as root unless you’re not running Linux (in which case /dev/sda is unlikely to exist), or you want a re-install opportunity because you’ve got great backups and you want to test them. Oh, yeah: Cut the blue wire first.

This is what happens:

Zero out a running system drive

So endeth the lesson.
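
An added example, not part of the original post: a wrapper that refuses to zero-fill a device that is backing a mounted filesystem, and that reads the target back afterwards to confirm it holds only zero bytes. The function names `target_in_use`, `is_zeroed` and `safe_zero`, and the optional mounts-file argument (there so the check can be exercised without a real disk), are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): guard rails around a zero fill.

# target_in_use DEV [MOUNTS_FILE]
# Returns 0 when DEV itself, or a partition of it (/dev/sda1, /dev/nvme0n1p2),
# is the source of a mounted filesystem. MOUNTS_FILE defaults to /proc/mounts.
# Limitation: LVM, MD or dm-crypt layers stacked on the disk show up under
# other names; inspect lsblk output for those before wiping.
target_in_use() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dev" '
        $1 == d { found = 1 }
        index($1, d) == 1 && substr($1, length(d) + 1) ~ /^p?[0-9]+$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$mounts"
}

# is_zeroed PATH
# Returns 0 when PATH contains nothing but zero bytes.
is_zeroed() {
    # tr deletes every NUL byte; any byte that survives is leftover data.
    left=$(tr -d '\000' < "$1" | head -c 1 | wc -c)
    [ "$left" -eq 0 ]
}

# safe_zero DEV [MOUNTS_FILE]
# Returns 2 (and writes nothing) when DEV is in use, 1 on a write or
# verification failure, 0 when DEV was overwritten and reads back as zeros.
safe_zero() {
    dev=$1
    mounts=${2:-/proc/mounts}
    if target_in_use "$dev" "$mounts"; then
        echo "refusing: $dev or one of its partitions is mounted" >&2
        return 2
    fi
    # Size of the target: block devices via blockdev, image files via wc.
    if [ -b "$dev" ]; then
        size=$(blockdev --getsize64 "$dev") || return 1
    else
        size=$(wc -c < "$dev") || return 1
    fi
    # Same zero fill as the dd command above, bounded to the target's size so
    # it also works on an image file; conv=notrunc keeps that file's length.
    head -c "$size" /dev/zero | dd of="$dev" bs=4M conv=notrunc 2>/dev/null || return 1
    sync
    is_zeroed "$dev"
}
```

Source the file and call `safe_zero /dev/sdX` as root. The read-back covers only the logical address space, so on an SSD it says nothing about remapped or over-provisioned flash blocks.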