I recently deployed a few internet facings servers and decided it was probably prudent to at least hit them with a vulnerability scanner. I could have registered for a trial of Nessus or something of the sort. However I decided to try OpenVAS, as it has been a while since I used it and liked the idea of using something open source.
I found that the install process was just as bad as I remember. Following multiple different install guides just led me to broken install after broken install. I eventually gave up and used a docker image, which to my surprise, worked flawlessly. The github repo is available here: https://github.com/immauss/openvas. This made things much less painful and worked on my first attempt, after sorting out how to enforce HTTPS. I highly recommend this method.
tl;dr Want OpenVas? Spin up a Debian/Ubuntu box and do this.
The Bitcoin Standard – Saifedean Ammous This is one of the “must read” Bitcoin books that I had somewhat ignored for maybe a little too long. I really enjoyed the details explained in this book and the explanation of the reasons why Bitcoin is as important and unique as it is. Additionally, a majority of the book covers existing and past currencies, their positives and negatives, and a crash course on modern economics. That majority was more educational for me, with some prior interest in and understanding of Bitcoin. I would recommend this book, and already have, to anyone with a slight interest in cryptocurrency.
Toil, Taxes, and Trouble – Vivian Kellems I don’t recall where I initially heard about this book or the author, but after reading her Wikipedia page, I was pretty interested in this story. My impression after reading this is that Vivian Kellems was a badass and, from what I read, she was a pretty good person. The book details her stance on taxes and how she fought for what she felt was right, in opposition to the laws in place. Without getting too much into the details, the law she opposed in this book was the one effectively requiring employers to withhold income tax. Her stance being, “employees can pay that themselves, I don’t need to do it for them.” (not verbatim) While business owners get a lot of flack these days, a lot of it rightfully so, she did everything she could to minimize the impact of her choices on her employees while standing by her principles. That is something you hardly see today. I really enjoyed reading this and being reminded how awesome people can be.
Talking to Strangers – Malcolm Gladwell Another I have had on my list for quite a while. I’m glad I finally got to it. I was NOT expecting the way this was written, which isn’t a bad thing. Real-life example after real-life example of failures of communication. This was written before the insanity the last few years have been (this being written in 2021), but you can imagine multiple events in recent history fitting right in among these chapters. This book isn’t another self help book or even a “feel good” read.
The Four Agreements – Don Miguel Ruiz I read this based on Joe Rogan constantly recommending it. It is a very short short and quick read. Not to sound too harsh, after reading Jordan Peterson’s two “Rules” books, this feels like a much softer and maybe easier to digest sample of those books. It’s a little too woo-woo for me. I’m going to say, read Jordan Peterson’s work for better and more of what this book is trying to provide.
Pattern Recognition – William Gibson Another fun read from William Gibson. I knew I would enjoy it before starting it and loved it the whole way though. A bit of a strange twist at the end. Almost deus ex machina. I believe this is the first in another series, however, I’m not sure that I want to get sucked into another series right now. Maybe someday I’ll finish it.
The Book of Five Rings – Miyamoto Musashi First off, I think the wikipedia about this book is longer than the book itself. However, it was an enjoyable read. A major theme in this seems to be self discipline and practice, which I think is pretty obvious a way to be better at something, in this case swordsmanship. There is also a theme of learning the thought process and “fundamentals” over using tools that may give you an advantage in specific situations. Each of these being pretty applicable to many things in life, not just being a badass with a sword.
I decided to change the title of these posts to a more appropriate name, since I’m not going to give any of the books I read a proper review.
Atomic Habits – James Clear I heard about this book on some podcast, but I don’t remember which. It is a straight forward guide on how to recognize your current habits, how to make good ones, and how to stick to them. It was a good and quick read.
Catch-22 – Joseph Heller For various reasons, I have been avoiding reading this for a long time. I am glad I have read it, however. At first, the “comedy” felt really aged and even toward the end I really didn’t care for the repetitive and circular “humor”. As I continued reading, the rest of the story and characters really started to grow on me. I’m not sure how I feel about the ending. Overall, I’m glad I finally read it even though the humor was really hit or miss for me.
The Master and Margarita – Mikhail Bulgakov Another Russian classic knocked out. This one was a little bit more for fun. The humor can be a little dark in this one even though the overall “feel” to the story is kind of childlike. Richard Pevear and Larissa Volokhonsky translated this as well as the last Dostoevsky book I read, so that has lead me down a strange rabbit hole of their history. I know it is said that they “poetry” of the Russian language does not translate, but it is hard to ignore all the work they have done. Back to the story, it finishes as a love story, as all good stories do.
The Code Book – Simon Singh This book has been sitting on my shelf for quite some time. I think I was worried it was going to be more technical than I wanted to read in my free time. It turned out being more historical than anything. It was a good read, but towards the end I realized how old it was. At the time of writing this the book just passed the 20 year mark. Some of the ciphers mentioned in the final chapters of this book are no longer considered secure despite them being lauded in the book. I think a modern book of this nature would be really interesting to read.
Hate Inc. – Matt Taibbi I’ve been listening to Matt Taibbi on various podcasts, including his own, for a while now. I finally decided to read something by him. This book is, from what I understand, a compilation of a series of blog posts centered around the topic of how the media is influencing its consumers and various issues with its content. While I have liked a lot of Matt’s typically dry humor, there are moments where I can’t tell if he is just trying to be funny or actually just kind of losing it a bit in these writings. Maybe it is a little bit of both. Either way, it was enjoyable and pretty educational/enlightening. There seems to be a pretty poor sense of “truth” or “factualness” in the media that has been getting pretty apparent as of late, but Matt points out how long it has actually been going on with plenty of examples. This is probably another important read for anyone.
Beyond Order: 12 More Rules for Life – Jordan Peterson I had pre-ordered this book and was delightfully surprised when it showed up on my Kindle. Reading through it, I felt that it read a lot “faster”, not taking me near as long to read as the first “12 Rules” book. That could be due to a lot more stories and anecdotes included in this one, or maybe just an easier read. I will say that I don’t feel that as much useful/applicable information out of this one. This could be due to the looser feel to the second 12 rules, or maybe just the rules themselves. However, there is nothing for me to argue against or complain about in the rules outlined. They are solid bits of advice and the argument for them are solid. I’m interested in where Jordan Peterson goes with his next book or whatever he is working on next.
The Sacred Mushroom and The Cross – John Marco Allegro Another of Allegro’s work. While I don’t know how much I buy into the theories here, there is a lot of evidence here of mistranslations of various religious texts over the years. It really appears that playing the centuries long game of telephone mixed with a little meddling from the powers that be have warped religious and historical texts time and time again. I believe if I continue to read more from John Marco Allegro, I’ll come to the same consensus over and over. Other than those somewhat obvious conclusions, I do think there is a lot of wild connections or assumptions made here. I feel like the fact that the author can make some of these connections is more evidence of how these texts could be easily misunderstood. I feel like the logic behind finding references to the “Sacred Mushroom” over and over again is not wrong, but it could easily be replaced with some other plant/fungi/etc. I enjoyed the read.
Seven and a Half Lessons About the Brain – Lisa Feldman Barrett A very short and quick read about the brain. This felt like a more-serious (but there are some jokes in there) version of one of Mary Roach’s books that gets right to the point. A hand full of commonly held myths debunked and a few good things to keep in mind while thinking. I’m sure most could benefit from reading this, even if only in the slightest amount.
The Quick Fix – Jesse Singal At the time of writing this, this book’s author is under fire for something on the Internet. I’m not really sure why and can’t be bothered to really look into it, as after reading this, Jesse Singal seems like a reasonable and sane person. As for the book, it is a nice set of examples in the pop-psychology “field” of “too good to be true”. Jesse explains failures, unintentional and some not so unintentional, in research and associated published studies in the behavioral psychology field that have had some impact on life. One thing to take away from this book is a reminder that easy fixes are hardly ever the real fix.
The Infernal City & Lord of Souls – Greg Keyes I’m combining both of these books into one entry as they are part of a duo that could have been one book. This combo is part of The Elder Scrolls of video games, expanding a bit on a specific event in the lore. I feel like there are far too many stories going on in these two books, with about five different stories following various characters during the events detailed. Some of the writing is pretty bland and there are some strange choices made throughout, such as a character begin referred to by only her last name and then by only her first half way through the second book. I had to look that to make sure I knew who the author was actually referencing. With so many characters, it was easy to mix up the fantastical names. While I enjoyed filling in some missing bits of lore, it felt like a third party was hired to write this for the team behind The Elder Scrolls. Even though this is true, I don’t like that it really felt that way while reading. Would I recommend these to anyone? If you really wanted to be filled in on some lore not detailed in the games, maybe. However, I would probably point to a Fudge Muppet video on the topic of Umbriel first.
I little while ago I got to play around with a SonicWall firewall that had NetExtender configured. NetExtender is SonicWall’s SSL VPN offering. While my initial goal was just to password spray it, I found a few interesting quirks with the NetExtender client along the way.
Since I had some past experience with SonicWall and NetExtender, I knew there was a Linux CLI client, which led me to believe it would be relatively easy to script a login with it. I downloaded the latest Linux NetExtender client, which can be found with a quick Google search, and installed it. An example of a login attempt using the bare minimum amount of info looks something like this:
netExtender -u user -p password -d LocalDomain 192.168.1.1:4433
NetExtender for Linux - Version 9.0.803
Copyright (c) 2018 SonicWall
Connecting to 192.168.1.1:4433…
There is a problem with the site's security certificate.
Warning: self signed certificate
Do you want to proceed? (Y:Yes, N:No, V:View Certificate)
Authentication failure: Login failed - Incorrect username/password.
SSL VPN logging out…
Logout command failed
SSL VPN connection is terminated.
Exiting NetExtender client
A couple notes about the options and outputs I want to clear up first. The “Login failed” message is pretty self explanatory. The “-u” and “-p” flags should be pretty obvious. The “-d” flag is the login domain, which may be an Active Directory/LDAP back end or the local authentication service (this value is CaSe SeNsItIvE). The default local authentication domain is “LocalDomain”. The warning about a self signed certificate has to be answered, even if you import the cert on the machine. I imagine this wouldn’t be an issue if a valid cert was used. While I was a little disappointed I didn’t immediately get a successful login with user:password, I at least felt that I could script this and spray it regardless. After some trial and error, I came up with this ugly thing:
for j in `cat passwords.txt`; do for i in `cat ../users.txt`; do echo -e "\n\n ***login attempt: $i : $j ***"; echo -e "Y\n" | netExtender -u $i -p $j -d LocalDomain 192.168.1.1:4433; sleep 1; done; done
While it may be ugly and slow, it does the job. It will iterate through the list of users and attempt to log into each user with all the passwords in the list provided. I had a couple delays that would ruin the timing for input, so I added a “sleep 1” in there to help with that and may require a bit bigger of a value depending on connection speeds/reliability. Additionally, it will echo out the username and password attempted, since that isn’t echoed back in the login process itself. If I had a successful attempt, a VPN connection would succeed and just hang there, which I would hopefully catch.
After a few rounds with various user lists, I noticed the following interesting login message:
***login attempt for: user3 : password ***
NetExtender for Linux - Version 9.0.803
Copyright (c) 2018 SonicWall
Connecting to 192.168.1.1:4433…
There is a problem with the site's security certificate.
Warning: self signed certificate
Do you want to proceed? (Y:Yes, N:No, V:View Certificate)
Authentication failure: User doesn't belong to SSLVPN service group
SSL VPN logging out…
Logout command failed
SSL VPN connection is terminated.
Exiting NetExtender client
Well, it looks like we have a valid user! It won’t do us much good here since it doesn’t have permission to log in via NetExtender. I initially thought maybe the password was valid, but after a little playing around found out that the same message was returned regardless of the password value. A nice little user-enumeration.
While this may not immediately be valuable since you can’t directly use any of the enumerated users to log into NetExtender, you can always use them for other services or validate the username format. Also, while I didn’t/couldn’t test this with an Active Directory/LDAP back end, it may prove to be a handy way to enum/spray AD from an external perspective.
Lying – Sam Harris First, I’m not sure if this is a book or just an essay as it is rather short. Like Jordan Peterson’s book, I couldn’t help but reading this in Sam Harris’ voice in my head. That aside, this is a quick rundown, but deeper dive, of why lying is bad and how to identify lies, even when they don’t seem like a lie. The main point, I feel, is that lying is bad in just about every single case. I guess that explains why it is so short. There isn’t much more to say than “avoid lying at all costs”. Something I agree with. Insert something witty about truth here.
In Praise of Shadows – Jun’ichiro Tanizaki I don’t remember where I had heard the recommendation for this essay, and checking my Amazon order history, I bought it 3 years ago today. What a coincidence. Anyway, at the surface this seems like a grumpy old man reminiscing about the “good ol’ days” in a very polite way. I feel like common theme among these complaints and grumblings is that there is beauty in contrast, though not directly stated. Gold leaf on black lacquer, white face paint/makeup and dark clothing, bright extravagant clothing in darkness, pictures capturing important reminders in a dark corner of a room. An interesting short read that I want to read again after having some time to think about it.
Norwegian Wood –Haruki Murakami I have started this book three times and quit twice, but this time I finished it. I feel that it starts off strong, but then slowly spins wildly out of control into one hormonal teenage boy sex “dream” after another. I thought I would just get that out of the way. Every named female character in this book sleeps with the main character, Toru. It vaguely reminds me of the first track from Pinkerton, in a way. Towards the end of the book, the climax of the story just sends things into a seemingly rushed mess. I’m not sure if that was intentional, or the author just getting bored of writing and just wanted to be done. Maybe this is a cultural thing I just don’t get, I’m not sure. I really wanted to enjoy this book and did for a while, but once it was over, I don’t know if I want to read any more of Murakami’s work.
Brave New World – Aldous Huxley It has been a while since I read this last. This time around, it was more apparent to me that the “utopia” portrayed here is the product of apathy and distraction. More and more in the real world, I see signs of how distracted or preoccupied a large portion of people really are. While 1984 painted a terrifying world of oppression, I feel like the Brave New World is much more achievable and likely. If everyone is happy, there would be less push back. It is an interesting thing to think about. I felt previously that there were two protagonists throughout the story. However, this time, it just felt as though a story was being told and almost everyone was kind of a “bad guy.” Maybe not Helmholtz.
The Great Gatsby – F. Scott Fitzgerald After reading this again for the first time in a long while, I will say this is still one of my favorite books. I’m impressed at the amount of story packed into the short read, which I’m sure has added to its legacy. For the first time, what was going on in the “elevator scene” really stood out to me and made me laugh a little. I don’t think anything I can say will do this book justice. It is still just as great as it was the first time I read it.
Kafka on the Shore – Haruki Murakami While I wasn’t impressed with Norwegian Wood, I wanted to give Murakami another try. This was a little better to read, but it was significantly longer. Again, the main character, this time a 15 year old boy (who is not written as anyone under the age of 20), sleeps with every named female. At this point, I’m sure all of Murakami’s books include this theme, if you will. There are two story lines throughout this book, and I will say one, the “B” story, is way more interesting to read. There are even a couple good one-liners in there. Overall, another “eh”. I probably won’t be giving Murakami another try.
The Professor and the Madman – Simon Winchester While I never have really been interested in the history of the dictionary, it was brought to my attention that this story was more strange than one would have initially thought. I enjoyed the retelling of the decades of the creation of the Oxford English Dictionary and the, at times, mysterious William C Minor. The writing, however, seemed to very fluffy, if that word is appropriate. I think there was a goal of using as many different and uncommon words as possible, no doubt in theme with the subject, but it made it longer than it probably needed to be.
Party Monster – James St. James This was so much fun to read. I have watched both the “Party Monster” movie and documentary prior to reading this, so maybe that added to the enjoyment. I feel like someone coming into this without any previous exposure to the whole story of Micheal Alig or the Club Kids may be confused at times. James St. James is all over the place and sometimes gets distracted with the story he is trying to tell, but it is part of the charm. It seems to be written incredibly well, no offense intended. I enjoyed ever minute spent reading this.
Well, I forgot to post this in 2020. So, here we are a few days into 2021. I guess Party Monster was a good way to end the insanity of the year. I’m going to keep up on my reading for 2021 and I’ll be back with thoughts on those books as well.
Spook: Science Tackles the Afterlife – Mary Roach I was going into this expecting Mary to rip apart all the famous (or infamous) “ghost photos” and whatnot with some behind-the-scene knowledge and a little common sense. Instead it covers a select few “paranormal” and unknown scientific-ish topics, sighting research, and covering some anecdotes and research of the authors own. All this is done with smile-inducing witty comments and a constant sense of “get a load of this guy”. I’m looking forward to reading more of Mary Roach’s books.
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground – Kevin Poulsen This was a deep dive into Max Ray Butler’s life in the cybercrime world of carding. I really enjoyed this over Brian Kreb’s Spam Nation, which covered a similar topic. Kevin Poulsen focused on the subject at hand, not really getting into morality or any personal anecdotes about the story, like a real journalist. It is an interesting story of the early days of the carding scene and the ease of cybercrime in the days after the dotcom bubble. A very good read if you are interested in infosec.
The One-Straw Revolution – Masanobu Fukuoka I want to start off with saying I know very little about farming. However, this book is just as much about philosophy as it is about farming. As much as I enjoyed this, I do feel that while the farming technique explained in this book (a natural way to farm a handful of grains), it is extremely specific to the authors location. Regardless, there is a lot of thought provoking ideas in this book.
Bonk: The Curious Coupling of Science and Sex – Mary Roach Where to start with this one. I guess the first thing to get out of the way is that it is all about penises and vaginas, for the most part. Following the style of the previous Mary Roach book I read, it digs into the history of the science and research of sex, sprinkling in humor here and there. I enjoy the structure of the two I have read so far, so I think I’ll end up reading the rest of this authors library.
Ten Arguments for Deleting Your Social Media Accounts Right Now – Jaron Lanier The first thing I want to say is, this is what I expected of “How to Do Nothing”. In comparison, this book is a much faster read and has actual content, not just anecdotes and excessive depth into unrelated topics. Jaron touches on the effects of social media on himself and others, the business model behind social media companies, and the potential dangers of allowing them to continue to operate how they currently do. His view and perspective due to his history in “tech” makes a lot of these concerns and points a bit more impactful to me personally. I look forward to reading more from him.
The Coddling of the American Mind – Greg Lukianoff and Jonathan Haidt First and foremost, parents of non-adult children, read this book now. Read the whole thing. This book covers some pretty big issues still going on in 2020. It covers some pretty scary-when-you-think-about-it patterns arising in the past 5-8 years in schools/children and how they are impacting society as a whole. Additionally, it offers resources for further reading and potential solutions for these issues.
1984 – George Orwell So, this is a re-read. I am going to make this an “every five year” read, I think. There isn’t much to say about this book that hasn’t been said or thought already. I feel that it is still just as important to read today as it was the last time I read it, which was maybe 10 years ago. If you haven’t read this, read it. Then read Brave New World and Animal Farm.
Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World – Joseph Menn This was a really fun read into the history of the cDc and other associated groups of the time. While there was a lot of cool stories and information to read, I felt it was really scattered. I often asked myself “wait, when is this happening?” while reading through it. If you exclude the first and last parts of the book, it feels like a solid retelling of history. With those two parts taken into account, it somewhat feels like a “coming out” story for Beto O’Rourke. I’m not sure if I’m reading an advertisement or not. Regardless, if you have any interest in the cDc, it is worth the read.
The Dead Sea Scrolls and the Christian Myth – John Marco Allegro Preface: I know nothing about Christianity or much about religion in general. To me, this book points out that the bible is made up of several games of telephone, a bit of bad translation, and a sprinkle of tweaks to control the populous. I did have a hard time deciphering some of the language used in excerpts of various religious texts, mostly due to lack of motivation to reread them. The commentary by the author is much more the focus of my purpose for reading this. I am impressed by the work put into the translations of the scrolls/texts the author had access to and the analysis and comparison of all the religious texts cited. I feel that it is a net positive for the world to have someone who will put the effort into working with artifacts like the Dead Sea Scrolls and actually publish his work.
And with that, I finished my previously posted list of books, as well as an additional few. Since it is early October as I’m writing this, I guess there will be a part three to this series. Extra credit, so to speak.
As I had mentioned in my “2020 Reading List” post, I wanted to try to write some small reviews or thoughts about the books I’ve read throughout the year.
UFOs: Generals, Pilots, and Government Officials Go on the Record – Leslie Kean A collection of interesting stories/events/etc from reliable witnesses. It was written with a lot of passion and dedication to the truth with no reliance on “little green men” being the answer. I recommend this for anyone interested in the topic of UFOs or maybe those who still think they are a thing of science fiction.
How to Do Nothing: Resisting the Attention Economy – Jenny Odell To be straight forward, I felt like this was a waste of time to read. It feels more like the author’s journal over the course of her discovering how to deal with the “Attention Economy” rather than a guide or tutorial. Reading it to completion is one way to “do nothing”.
Woke: A Guide to Social Justice – Titania McGrath It may not need to be said, but this is 100% satire. While it can be hilarious at times, providing tons of good “lines”, some of the “filler” is just ridiculous statements lacking a lot of thought. It is very short and worth hour or two read.
Animal Farm – George Orwell I really should have read this a long time ago, as it was an assigned reading in high school. I didn’t want to read, what I thought, was a children’s book and just read the Sparknotes on it. Well, I’m making up for it now. It was an interesting quick read but felt lacking in effort or quality compared to the other George Orwell works I’ve read. I feel that it is one of the important books, alongside books like “1984”, “Lord of the Flies”, and “Fahrenheit 451”.
The Metamorphosis – Franz Kafka My first thought when I finished this was “What did I just read?” It felt like someone’s anxiety ridden fever dream. That someone, in this story, is Gregor. A man who is overworking himself to near death in attempt to keep his “poor” family financially stable. However, in this book, death comes in the form of being transformed into a beetle. While that, in any other story, could be a spoiler, this is page one stuff. It is clear that the author is very familiar with anxious thoughts, as this story is example after example of over-analyzing each situation and Gregor’s constant concern with his family’s financial well being. While this is a short read, I think there are plenty of other books that tell the story just as well and in a much more interesting, modern, and realistic way.
Notes from Underground – Fyodor Dostoevsky Well, this is a roller coaster. A roller coaster that makes you feel like you learned something afterward. I am impressed with the perspective (that may not be the right word) that this story is told from, which I think is what I am supposed to get out of it. I do feel like I need to read it again. With how short it is, I don’t see that being a problem.
12 Rules for Life: An Antidote to Chaos – Jordan Peterson I enjoyed this book. While reading it, my internal “voice” would somehow slip into the authors voice, which was hilarious and great at the same time. If you haven’t heard Jordan Peterson talk, do listen to a talk or two of his and I’m sure you will experience the same thing. While parts of it get a little heavy on religious subjects, it never feels preachy or like someone is trying to convert me. Although some chapters feel like they are meandering far away from the “topic” of the chapter, they find its way back once you finally see the bigger picture. Overall, its really good.
Count Zero – William Gibson I LOVED IT. I loved it just like I loved Neuromancer. William Gibson is great world-weaver. Although there are three distinct stories told through this book, they feel more like tools used to flesh out an amazing cyberpunk world. This is the second of three books in the Sprawl trilogy and it saddens me that I am almost done with them. Mona Lisa Overdrive is next and the reading that will be bittersweet.
The Hardware Hacker: Adventures in Making and Breaking Hardware – bunnie An interesting collection of adventures in the world of electronics manufacturing and the supply chain involved. It sometimes feels like a a collections of blog posts, but that is because it sort of is. Regardless, it gives a very good view inside the world of producing electronics via Chinese factories and everything related to that process. I would recommend this to anyone who has interest in PCB/electronics manufacturing or anyone who know who bunnie is.
Chaos: Charles Manson, the CIA, and the Secret History of the Sixties – Tom O’Neill Tin foil hat time. The author starts this book with solid facts indicating some shady stuff happened during the Charles Manson/Manson Family trials. It slowly turns into some almost unbelievable theories on secret CIA projects and how they could be the “cause” of (or at least a major contributor to) the insanity that was the Manson Family. I really enjoyed this book, even if some may see it as crazy conspiracy theories. The facts that are revealed about what the CIA used to do (and probably still do) is where the “crazy” is. The information that Tom finds about how the Manson Family story was twisted to fit one lawyer’s narrative is eye opening. Just because someone ends up with the right answer, it doesn’t mean they got there the right way.
Mona Lisa Overdrive – William Gibson Just as I predicted, bittersweet. I loved it, as I knew I would. This wraps up the Sprawl Trilogy, connecting many dots from the second book (Count Zero) with a few appearances from the first book’s (Neuromancer) cast. As with all of the Trilogy, the multiple story lines all come together at the end. However, while randomly thinking about what I read, I start to realize small connected details I missed when reading. Without spoiling much, the overarching story of the trilogy, with each story line being orchestrated to achieve one major goal, is awesome. I am going to miss this trilogy.
A Scanner Darkly – Philip K. Dick At first, this seemed like a it was going to be somewhat of a “film noir” kind of cop story. However, it slowly turned into a drug-crazed recalling of the life of a group of addicts, including all the delusion and paranoia you can imagine. A little over halfway through the book, I honestly started to get somewhat confused with what was going on. Then, without trying to spoil much, a scene in which a cop reviews some surveillance footage came to the same conclusion as I did cleared that up. “WHAT is happening here?” I felt a little better then. It spirals into a bit more chaos from that point and ends with an all too real “well damn, that sucks” kind of ending. Some of the lingo/slang makes it feel somewhat dated. We have changed a lot since the 70s. But, the story is all too relatable. Don’t do drugs kids.
Slaughterhouse-Five – Kurt Vonnegut I felt like I should have read this in high-school. Judging by the depth and length of the Wikipedia article, I think I am right in feeling that way. Even though it was probably not intended to be, it seems to be a book used for teaching literature classes. While there is humor in the commentary of the stories told throughout the book, I don’t know if it hasn’t aged well or I am just not into it. I’m glad I have read it finally, but I feel like its potential impact didn’t land.
LSD My Problem Child – Albert Hofmann This was an extremely interesting read. Albert Hofmann walks the reader through his discoveries of some of the most powerful psychedelics, some of which I was not aware of him finding, his view on the usefulness of them, and hand picked anecdotes of the positive and negative impacts they have made. While his passion and respect for the substances is made clear, it is done in a very modest way, which I’m sure is testament to his personality and intelligence. I was ready for a little more of a chaotic story, but I’m glad it wasn’t.
I’ve been writing these throughout the year as I finish reading each book. I decided that I would finally post this since it is about half way through the year. I’ll do another post at the end of the year with the rest of what I have read. I realized that I was making a pretty big dent in my list early on, so I have been adding more and just reading new things that I stumble upon.
I have been using Qubes OS off and on for the past month or so and wanted to share my experience with it so far. I’ve used it on a secondary laptop in the past, just to play around with it and learn the basics. This time, however, I bought a dedicated laptop for it with the intent of using it full-time for a segment of time. I chose a ThinkPad X230 as it is highly supported and recommended by the Qubes OS team for a variety of reasons, relatively inexpensive, highly modifiable, and parts for it are easy to come by.
If you aren’t familiar with Qubes OS, a quick and official description is “A Relatively Secure Operating System”. A more detailed description would be something along the lines of “A security focused Linux Distribution which utilizes the principle of ‘security through segmentation’ via the use of narrow-purpose VMs”. It’s based on Fedora Workstation (or whatever it is called now) and uses Xen for virtualization. If you want to read more about it, take a look at the official site https://www.qubes-os.org/, which has tons of great documentation and general information about the OS.
While the installation was relatively painless (not much more than a typical Fedora install), the hardware requirements should be noted. Due to Qubes’ goal of security and the use of virtualization, a few specific things need to be supported by the hardware it is running on. The following list is directly from the Qubes OS system requirements page. https://www.qubes-os.org/doc/system-requirements/
64-bit Intel or AMD processor (x86_64 aka x64 aka AMD64)
The Qubes project also has some general recommendations, such as using a fast SSD. I would also add that having more RAM is not going to hurt.
As I had mentioned, I am using a ThinkPad X230 for my dedicated Qubes OS machine. It is an older laptop using some dated hardware, but still “modern” enough to get by. I don’t want to get too in-depth about the specs, but I’ll list out the important stuff here.
Core i5-3210m (supports VT-x and VT-d)
12 GB RAM
160 GB SSD
While this isn’t an impressive machine by any means, it runs Qubes OS well. I did have an issue during installation where, after install, the laptop would reboot to a black screen. After a quick search, I found that this is a common and well known issue with Lenovo’s UEFI implementation and a quick and easy fix was documented on the Qubes OS site. While I have multiple gripes with the hardware itself (LCDs have come a long way since this was new, the keyboard may be third party as the keys keep falling off, the battery is third party and shuts off at ~20%), I do like having a TrackPoint and ThinkLight again.
Getting the OS itself tweaked and set up has been an ongoing thing, as I think is true with any OS. I’ve become accustomed to “night mode” in other OSes, so that was the first thing that needed remedied. Installing Redshift in Dom0 was the easy fix. While installing additional software in Dom0 probably isn’t the best for security/trust, it is provided by the default repos, so I trust it enough. Note that Redshift cannot call out to the Internet to find its geolocation due to the networking limitation of Dom0, so a manual config is required. To start this at login, I added a similar command in Dom0’s “Session and Startup” menu.
reshift-gtk -l -75.2509766:-0.071389
Next, I needed to set up my VPN connection which I used when out and about. For this, I copied the OpenVPN config file to the “sys-net” qube, then imported it into NetworkManager. It was a pretty painless setup, but could lead to compromise of that config file if the sys-net NetVM were compromised. A separate “vpn” ProxyVM is the best option for this and you can read more about that here: https://www.qubes-os.org/doc/vpn/.
I use Signal quite regularly as my main form of communication with friends and family. Since this would be only needed in one qube and utilized third-party repos, I opted to make a StandaloneVM for it. I created this dedicated VM based on the existing Debian template, then added the Signal repos per the provided documentation here: https://signal.org/download/
After installation and configuration of Signal, I removed some of the applications I wouldn’t be using on that qube such as Firefox and KeePass. I didn’t want to accidentally open URLs in that qube, so there was no need for a web browser. Additionally, I limited RAM usage by decreasing the “Max memory” setting inside the “Qube Settings” for that qube. This was mostly just to play around with that setting, but I have not had any issues restricting the RAM to 1GB.
Since DisposableVMs are, as the name implies, disposable, any changes made to them will disappear once they are powered off. I mostly use DisposableVMs for browsing random websites, so I wanted a few things configured in Firefox to avoid re-configuring it each time I start a new DisposableVM. To make persistent changes to Firefox in the DisposableVM template, I ran the following:
qvm-run -a fedora-30-dvm firefox
I changed the search engine to DuckDuckGo, removed the bookmarks bar, changed the home page (got rid of the recommendations and highlights sections), and installed a few extensions. After forgetting to shut down that qube and wondering why my changes didn’t stick, the DisposableVMs’ Firefox was configured as I like it.
The last major component I configured was a Kali Linux TemplateVM. I regularly use tools provided by Kali and there is great documentation for its setup here: https://www.qubes-os.org/doc/pentesting/kali/. I followed the “Kali Linux TemplateVM from a Debian template” to set up the Kali TemplateVM. At first, I had some issues with the installation of the “kali-linux-full” package and wasn’t able to get a working Kali qube running. It was late at night and I wanted sleep, so it scrapped it and tried again a couple weeks later. Following the exact steps again worked fine. My assumptions was either some dependencies were borked, or I was very sleepy. I now have a functioning Kali TemplateVM.
I’m sure there are some additional tweaks and minor config changes that have happened, but those were the major ones for me to be able to use Qubes OS as a primary OS. I played around with installing a couple games in an qube. I was able to get Stardew Valley (GOG release) and OpenRCT2 to run acceptably well. I was surprised they launched at all, to be honest. If I end up doing some strange/unique things later on, I’ll make another post about them.
Now, the beauty of Qubes OS is its compartmentalization feature which allows you to separate Qubes based on their purpose, trust level, or whatever really. The default qubes included with an install are the following:
I use a few more in my setup, but they somewhat follow this default layout. In addition to the default “personal” qube, where I have Firefox set up to my liking and I’m logged into my web accounts and whatnot, I also have the aforementioned Signal qube, a separate qube for managing my home network, and the qube I have installed a couple games in. These all fit under the “personal” trust level, so I have named them with the prefix “personal-“. If I used a mail client, like Thunderbird or Claws, I think I would have a separate qube for that as well and maybe some firewall rules to lock it down a tad bit more. I have a separate qube for managing a few servers, using a different window border color than the “personal” qubes. In the “vault” qube, I keep my KeePass database. By default, this qube has no network access and I don’t see a reason to enable it. Joanna Rutkowska, the creator/founder of Qubes OS has documented how she separates out her life using Qubes OS in this awesome blog post: https://theinvisiblethings.blogspot.com/2011/03/partitioning-my-digital-life-into.html.
This pretty much wraps up my experience so far with Qubes OS. I have been impressed with it the more and more I use it, however annoying my hardware’s quirks are. I do plan on changing around some of my organization of my qubes, maybe separating out my “personal” ones a bit more. Maybe create a dedicated “banking” qube, for example. I want to attempt creating firewall rules for some specific qubes, the Signal one as I had mentioned earlier and maybe the server management qube as well. If/when I do migrate to using it full time, I also need to configure and test backing up the system. Qubes OS does include a backup feature in Qube Manager, so I need to test and familiarize myself with its backup and restore process. Moving all my data to appropriate qubes will also be a process and needs a lot more thought put into it before doing so. As for the hardware issues, I would really like to try out a Purism Librem 13 or 15, but maybe I’ll get into that later. Regardless, I am going to continue using it part-time, and maybe full time while I’m traveling for work since the X230 is tiny.
Overall, I’m really impressed that Qubes OS works as well as it does, which shouldn’t be taken negatively. With all the “stuff” going on behind the scenes, it runs as smooth as any other Linux distro, at least in my experience. That alone is quite impressive. To anyone interested in the security features it employs or just interested in general, I highly recommend giving it a try.
To hold my self a bit more accountable to finish my reading list for 2020, I thought I would post it publicly. Maybe I’ll post a little review of each book at the end of the year or maybe as I go. A few of these are going to be a re-read, as I feel its time to remind myself how important they are. These aren’t in any specific order and I may add a few more throughout the year.
UFOs: Generals, Pilots, and Government Officials Go on the Record – Leslie Kean
How to Do Nothing: Resisting the Attention Economy – Jenny Odell
Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World – Joseph Menn
1984 – George Orwell
Animal Farm – George Orwell
The Dead Sea Scrolls and the Christian Myth – John Allegro
The Metamorphosis – Franz Kafka
The Hardware Hacker: Adventures in Making and Breaking Hardware – bunnie
12 Rules for Life: An Antidote to Chaos – Jordan Peterson
LSD My Problem Child: Reflections on Sacred Drugs, Mysticism and Science – Albert Hoffman
Spook: Science Tackles the Afterlife – Mary Roach
Woke: A Guide to Social Justice – Titania McGrath
Notes from Underground – Fyodor Dostoevsky
Slaughterhouse-Five – Kurt Vonnegut
Count Zero – William Gibson
The One-Straw Revolution: An Introduction to Natural Farming – Masanobu Fukuoka
I recently gave a quick talk as an introduction to Qubes OS at SecIC, a local CitySec meetup. I’ve been using Qubes OS off and on for a while and recently bought a ThinkPad x230 to dedicate to running it. The slides are available below and I’ll link to the talk once it is uploaded.