Create a keyfile encrypted ZFS volume in Ubuntu 22.04

For the first time in nearly a decade I assembled a new desktop workstation to support a growing interest in learning about Artificial Intelligence and Machine Learning from "first principles". This is a departure for me, having been a creature of laptops for many years. To make things more interesting a ZFS pool will be used in place of the usual 'RAID' array for my large storage disks.

This post walks through how to create an encrypted ZFS pool / dataset (still adjusting to the terminology) that is auto-mounted on system boot.

Kindle Oasis does not connect to home WPA2-Enterprise Network

My Kindle Oasis (3rd generation) decided to stop connecting to my home WiFi network today. It displayed a cryptic message about not being able to connect so I investigated. Logging in to my Ubiquiti console I did not notice any attempted logins. Checking pfSense / FreeRADIUS also turned up zero log events. The Kindle itself did not provide any log messages...

The best I had to go on was a hunch: A few months back I had issues with my Android devices after a security patch blocked connections to WPA2 Enterprise networks without specifying a CA Certificate. Could that be the problem here?

Update (2023-04-08): After configuring the CA Certificate the Kindle connected, self-updated, then failed to connect again. Additional detail added below.

Thoughts on System Design and the 'Organic' Emergence of Security Requirements

I've been thinking about the classic 'InfoSec Triad' lately (Availability, Integrity, Confidentiality) and how challenging it is to convey the real-world value of these concepts during real-world discussions on how to 'secure' a system. The InfoSec industry could stand to improve by providing clear provenance for each 'Security Requirement' that gets proposed. Most security professionals struggle to convey information security theory to non-specialists.

In this post I explore a 'hypothetical system' and attempt to show where security concerns surface during the lifecycle of a growing software system. Not all systems will have the opportunity to grow to a point where designers need to seriously consider the more complicated and 'fun' security angles.

Upgrade to NextCloud 23 prevents online document editing in Collabora online: Files download instead of edit

After my recent effort in upgrading gitlab I decided to take a crack at updating NextCloud to version 23. On the surface it all went well - upgrading the dockerized version from 21 → 23 went smoothly and without any obvious errors.

Unfortunately, it appears that online document editing à la Collabora Online [w/ Built-in CODE Server] has a problem after an upgrade installation. When attempting to edit a document in-browser I am prompted to download the file, and no in-browser editor appears to load.

Ever Stale: A Tale of missed updates or how to upgrade GitLab from 12 to 14

I spent an hour reviewing my home lab setup and found an old internal gitlab instance running that I hadn't touched in some time. It was running GitLab-CE 12.10.13-ce.0 and was ready for an update! The latest version of GitLab at the time of this writing is 14.5.2-ce.0, which was too far to take in one jump. A complicating factor is that I've run this server since version 8.x using their publicly available docker image and have not built it out in a way that lends itself to easy upgrades. Fortunately I was able to apply the updates, though not without some drama.

Today's 'modern' approach to application deployment can leave you in a perpetually stale state if you aren't able or willing to keep up with the relentless onslaught of patches, updates and troubleshooting patch/update failures.

BSidesSLC 2021: Container Security From the Bottom Up

Most companies have experimented with containerization in one form or another and there is a wealth of information at these higher abstraction levels for securing constructs like Dockerfiles, Container Images, and Container Orchestration tools like Kubernetes. What can be overlooked at times is that...

DEF CON 29: Why does my camera scream like a banshee? Signal Analysis & RE

I'll be presenting at DEF CON 29 tomorrow on signal analysis and reverse engineering a strange audio encoding used to configure certain models of wireless security camera. Along with the presentation I've created a tool that lets you pair the camera to your wireless network without using the included vendor app. This streamlines the process to speed further reverse engineering work:

Pre-recorded video can be found here: Why does my security camera scream like a banshee?

LXQt - lubuntu 20.04 shows windows from all virtual desktops / workspaces

After migrating a VM to Lubuntu 20.04 (with LXQt 0.14.1) I noticed that the launch bar / taskbar would show windows from all workspaces. My preference is to view only the 'current' workspace's windows at any time to reduce accidental switches between desktops. There is an easy way to configure this.

golang sort.Slice - limits of 'int' in function signature

I had an idle question earlier today: can golang support sorting a slice with more than 2,147,483,647 or 4,294,967,295 entries (the signed 32-bit and unsigned 32-bit max values)? The documentation for sort.Slice specifies a comparator function with the signature func(i, j int) bool, which got me thinking about what int can represent in golang. int is signed, so is there a way to sort through a slice with a hypothetically enormous number of entries?

Work-around: Terraform 0.11 wants to rebuild EC2 instances when they haven't changed

Terraform claims that my EC2 instance needs to be rebuilt due to changes in the ebs_block_device even though we haven't made any changes to the block device definition. Note the ebs_block_device lines that claim 'forces new resource':

aws_instance.infosec-gatekeeper (new resource required)
      id:                                "i-01234567890123456" => <computed> (forces new resource)
      ami:                               "ami-0123456789abcdef0" => "ami-0123456789abcdef0"
      arn:                               "arn:aws:ec2:us-east-1:098765432109:instance/i-01234567890123456" => <computed>
      associate_public_ip_address:       "false" => <computed>
      availability_zone:                 "us-east-1e" => <computed>
      cpu_core_count:                    "1" => <computed>
      cpu_threads_per_core:              "2" => <computed>
      ebs_block_device.#:                                "0" => "1"
      ebs_block_device.1357911171.delete_on_termination: "" => "true" (forces new resource)
      ebs_block_device.1357911171.device_name:           "" => "/dev/xvda" (forces new resource)
      ebs_block_device.1357911171.encrypted:             "" => <computed> (forces new resource)
      ebs_block_device.1357911171.iops:                  "" => ""
      ebs_block_device.1357911171.kms_key_id:            "" => <computed> (forces new resource)
      ebs_block_device.1357911171.snapshot_id:           "" => <computed> (forces new resource)
      ebs_block_device.1357911171.volume_id:             "" => <computed>
      ebs_block_device.1357911171.volume_size:           "" => "16" (forces new resource)
      ebs_block_device.1357911171.volume_type:           "" => "gp2" (forces new resource)

This was in an environment with:

  • terraform
  • aws provider 2.56.0