2013 Book Report 12: They Do It With Mirrors – Agatha Christie.

Another Agatha Christie ‘who dunnit’ that I read immediately after reading the Poirot reviewed below. This time the central protaganist is that other staple of Christie’s work, Miss Marple.

Miss Marple’s character bears a striking resemblance to TV Columbo. She bumbles around gathering information which she then weaves together into a conclusion. Like Columbo, a large part of the pleasure of the process is seeing how the answer is constructed. Unlike Columbo, you don’t get to find out at the beginning of the story just who the guilty party is.

As with ‘The Mysterious Affair at Styles’, the story is complex, but well managed, and the bits and pieces of the story are meted out at a pace which keeps you interested, without ever being overwhelming.

My only caveat is that I wouldn’t read two Agatha Christie’s back to back again.

Advertisements

2013 Book Report 11: The Mysterious Affair at Styles – Agatha Christie.

Like PG. Wodehouse, Agatha Christie is a writer whose works have endured. It is impossible to be part of the Western culture and not be immersed in her works. The multiple incarnations of Miss Marple and Poirot and the cliche about the butler having ‘done it’ are written into the DNA of our culture.

This, like the PG Wodehouse stories before it, is the first time I have read Agatha Christie. Once again, as with Wodehouse, the language is of its time and its stilted feel sometimes gets in the way, but the quality of the story telling still bursts through.

The story concerns the wife and mother at the centre of a family who, having been widowed has remarried. She is murdered by being poisoned, with, it transpires, strychnine. In classic ‘who dunnit’ form, there are several likely candidates of murderer, and it is up to Poirot to unpick the clues and red herrings.  The process and the narrative is handled with aplomb by Christie.

I won’t try and write a description of the story. It is worth the investment of your time to read it, and even more so, the investment of your money (it is available for a tiny sum on a Kindle). This book stood the test of time, to my mind, far better than the PG Wodehouse. May be the language is less stilted, or, may be the fact that one is a comedy, and comedy relies more on a fleet footed handling of the words. Anyway, an enjoyable read, and I plan to read many more Agatha Christie’s in future.

Note: I edited this entry as I noticed when refreshing my memory regarding plots that I got the plot of this book confused with the one that I read straight away afterwards. Always a danger when you read two or more very similar books one after the other, and then wait a couple of months to blog about the experience!

2013 Book Report 10: The Man With Two Left Feet and Other Stories – PG Wodehouse.

A confession: I had never read any PG Wodehouse before this book. In fact, I didn’t even watch the much praised TV series starring Hugh Laurie and Stephen Fry. I was, essentially a noob, a novice, a PG Wodehouse virgin.

It is possible that this wasn’t a good book to start my journey with, there may be far better in the canon, but I did enjoy this one enormously.

It is a series of short stories, one of which features PG Wodehouse’s most famous comic creations, Bertie Wooster and Jeeves. But the other stories are all stand alone pieces.

I enjoyed these stories. They are fluffy confections, whimsical and funny enough to raise a smile, though not, for me at least, to make me laugh out loud. Obviously the stories are dated, as is some of the language, but they have stood the test of time. And one advantage of reading books like this on a Kindle is that you can look up the obscure and archaic words simply by placing your cursor over them.

I won’t be rushing out to stock up on PG Wodehouse, but I won’t be averse to reading more in the future.

 

2013 Book Report 9: Using Samba – Gerald Carter

Samba is one of the great success stories of the Open Source movement. It takes a shared network space protocol created originally by Microsoft and makes it available within a Linux environment.  Massively popular around the world, it is also the bain of many a sysadmin’s life as it is complex to configure and manage.

The book ‘Using Samba’ tries to cover most of the bases of getting a Samba server configured and in use. It is very much the classic O’Reilly look and feel, and the text is clear, and largely well explained.

The challenges for a book like this are to keep pace with a rapidly evolving product and to cover the bases of what uses the software is going to be put to. In some respects this book falls down on the first of these challenges. The edition of the book I have is more than six years old. In terms of an open source project this can often be several epoch! Samba is, relatively, a staid project, people rely on it being stable and reliable, so often it doesn’t change much, but 6 years!

The actual content of the book is largely still relevant, though once you get away from a pretty standard set up it is worth spending a bit of time gooling in order to compare the current versions ‘take’ on how things are done.

In summary, this is a book that I dip into quite a lot, and it is very useful in my job of administering a Samba server, but it needs an update. It isn’t a cover to cover read, but it is full of useful information.

 

Now I Just Need Paranoid Friends.

My last post was about protecting data stored on a server by having the data encrypted and un-encrypted by a special Linux file system. It is a very elegant way of securing data against physical theft (though, obviously, a hacker gaining access would be able to see the files).

The other area of interest that came back recently is more generic. Edward Snowden shocked America by blowing the whistle on the US government hoovering up everyone’s emails. One of the things I thought was very interesting was the unspoken part of the story. The ‘controversy’ is that the government is doing it to US citizens in contravention of the 4th Amendment. Apparently not controversial is the fact that various governments have been doing it to the citizens of the rest of the world for a long time, and with complete impunity.

Back in the day when I used to work at WorldPay we used to say to customers that they shouldn’t send anything by email which they wouldn’t write on a postcard and send by Snailmail. Despite that, there were occasional people who would email use with their complete credit card number in the email asking why their transaction had failed.

So what can you do to protect the information that you send by email? The best solution is to encrypt everything that you send. Classic encryption used to come in the form of a shared secret between the message sender and the message receiver. The same method that was used to encrypt the information was used to unencrypt it. The problem in this case is always how do you share the secret of encryption/decryption securely. In many ways this was the major weakness in the Enigma machines used by Germany in the Second World War. Many radio operators got lazy in how they transmitted their first message of the day (which included information on the days secret configuration).

The modern solution to this problem is to have an asynchronous key pair for encryption. There are two parts to the key, the public and private. The public key is intended for distribution. This can include publishing on web pages, uploading to public keyservers and the like. The private key must be kept safe and protected.

The way that the asynchronous encryption works is simple in concept:

  1. Identify the address of the person that you want to send an encrypted email to, and if they have a public key available download it.
  2. Use the public key to encrypt the information that you wish to send. The important point is that the encryption process is a one way street. Even with the public key to hand the original message cannot be extracted from the encrypted data.
  3. Send the encrypted data to the intended recipient. The user will receive the data and can then upencrypt the data using their private key and a passphrase associated with the encryption keys.

As you can see, the data treated in this way is secured. However, this information can only be sent to users who have generated their own encryption keys.

Another, more common use of the encryption key pair is to ‘sign’ messages or files in order to confirm their veracity. In many ways the signing process is similar to that of generating an m5 signature of a file. An apparently random string of characters which is a product of the information being signed, the users private key and passphrase is appended to the information. The public key can be used to compare the signature with the signed data, and can confirm that whoever created the signature has access both to the private key for the user, the key’s passphrase and the original content of the data. Changing either the data that is signed or the signing string will cause a mismatch indicative of data that has been tampered with.

All of this probably sounds like quite a lot of hassle. The good news is that it is simple to automate the process in a simple, cross-platform way. Thunderbird supports a simple add-on ‘Enigmail’ which handles importing and managing public keys, signing and encrypting. It also confirms the identity of users if content is signed.

The only downside? No one I know cares enough about this stuff to actually go through the steps of creating a key pair and starting to encrypt their information. I’ll just keep to signing for the time being.

If you want to be able to email me securely then the following are my public keys, along with their associated email addresses:

rf343@cam.ac.uk (Work address):

—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: SKS 1.1.4
Comment: Hostname: keyserver.ubuntu.com

mQENBFHTXjMBCADKxtvkuyXKKYweYeluH1b0+tJE7b9CYPqbPI7sHUSiwO72SM/P9c9SJQGi
SmyywuNuD/X21pwPyUzzltVX5o5zjaJFFZ0h/zXsK6PXlm7ItAHzfgwQRvsuUfete/lG5jR1
QQeDSMk/vM3iMUKOLrP+VHIE1FGwZwXUU2FGnAglRnqa1YEmI6K7isJvqsP6lsoGa8ZnbAEp
IiIVXFOC3wejRlFBhwoq4P9B4l4vIWjBA88ha9Vh9YnGCWERLZCuMeG4ogkgf1w3EbCKflei
A/6IZrlOR+d9jsgWl5Gab7pxSLoGGn0fp2aP1r/V1hcw59jBynxn/Tcx55kMJUlRfuG9ABEB
AAG0OFJpY2hhcmQgRmllbGRzZW5kIChXb3JrIGVtYWlsIGFkZHJlc3MpIDxyZjM0M0BjYW0u
YWMudWs+iQE+BBMBAgAoBQJR014zAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
gAAKCRDMRKIrQNJwv9N3B/98XZcOVYOmrWpDxUPJSrU4Av4PjvUsTZvnsWOU0O8B/nYi1tvh
ZIwclL7AJxsDqk14T6v2RRiw6Lik3Ug/zkSecVgqSqY+As2kYfyliKAvUPutK1hxrkhvYbvq
iAfxP5DjGI89YWbmuuUxjOt7bGhw/J40EesTkqyhFM6CxvMlVfyiyGCvHuAOm8vwk+apNQo3
/lpsfIprp55i6oIsBgFWhxqAHKFesahd8bnA3rI8ATEiYMx9ck8yc5GDYjS4wFcUZ9XESIjY
D8Cxc40fJdSEMmE8EUbrnzQEpFrPOUpP7RiAeCugOHZFiyd4sucCHspkqoJ9VdMxpb695hKh
GeYuuQENBFHTXjMBCADW4c67GmNjQm8wkfFp+0QH0SI3Ba16M/s5NArEWVcNxx0luy7LjLcT
m0L3EVHpekNnlHpKOFaQYQOI/BRjfKfTR0MNxaQ4GiUfvqAYzOnspVqP+rJwLaS5O3Fk05FY
VacXxZDetwB8W7yKLRjt/fQk+9y1DrJv6MXlB9mCa+IRLyT1i/uha/HHWCi5ea/zJUK7SJLL
ewSWcBxft2quuROdv1EuyTJHEQqAg0fzyEv2L0qn46Xrgi+SBx8b3vwcDWm80OWyGxAbeIWv
pij5rGNluIS6Gdq+Ic3ExCz6ywfGzwt5K6u4twcOYDKprds9X51ok49qnZySg7hkEhu1DN+X
ABEBAAGJASUEGAECAA8FAlHTXjMCGwwFCQlmAYAACgkQzESiK0DScL+zMgf+L9WEVLWqjTQx
1EEUI1e7jNmPoKa6J3Y5eb1vQp+rS5clM67QQD7z0U0T7hgirj1Yi2QRiZlMiNhrlF2DGiUa
qXgWmQ0yxZYyXe6KFHTgeNOd5svczB183vskOlH9QdBfRdrooiSckKYjUqqaPHeHaZrBqloE
mKaddlkuneuI+/Z/jWa9JYQGpo4For7JVXZPHPu3Pp8Fr2Z5T0vxQl4zil7/Ocj6W4gs8Nev
n899sm19kWRZQxKKAX9VJcflX77bSFdLoP+0NzT/aCFHzUPcc9sP8BM9qTP4W09TfL42pBpL
vbRdcG/FAUA3JjUERXya291YmdeIzM0PhEuDC8qOgg==
=yyx7
—–END PGP PUBLIC KEY BLOCK—–

r.fieldsend@btopenworld.com (Home address):

—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: SKS 1.1.4
Comment: Hostname: keyserver.ubuntu.com

mQENBFHTXdYBCADDh4q4y6GL5qfvNnNuDVyggCr4i9MFdtBFy1Hl5iR+GCULajLASytg/Efp
YPc9n/1TqR4OspgL97hJvnLoyXB0f8MRiKSY46+X8J34usv+9yQ5e0nceMwJyVFukwoEWHHh
jQVLTXHcQH0sRXVJzV+zC5x1jyyUZAfrFb+y4Dc2XVlm3m+6i4bfUqrgsdT7JEcG04Ru74Q+
tuI4aMZGWw2Xpen7MtWcuNVfVA10PzGJNfKE0pi2jRpB1/nii4C0F9NX85tRcofA4IxhOxWd
PvoSY8UpqIaD0P8p7Km/jtiMMUvzdsC2K4/+KOzMnL9pW6bqaA8RAMl3SDe9nOH8dHu3ABEB
AAG0RFJpY2hhcmQgRmllbGRzZW5kIChIb21lIGVtYWlsIGFkZHJlc3MpIDxyLmZpZWxkc2Vu
ZEBidG9wZW53b3JsZC5jb20+iQE+BBMBAgAoBQJR013WAhsDBQkJZgGABgsJCAcDAgYVCAIJ
CgsEFgIDAQIeAQIXgAAKCRD4AnIBCb53rKOYB/0dE8H56gTpi5Kz9ZWBsd5wBI4reaEQ4KJ6
QVwR59DLQkjrZPpxnlkZhsGMcUKf8rSg4T5d9jHzu3b4BKKj9uTLv0QXcooj7V+h7Pmu1IgU
AEGx5A1espsjjPfvjZoFDZAcHVyO5owG33XC+cBc3f0hhxr6SUIrNcXr8m8HjCtkVUVTk2Kh
BqwrICY2xjTkwnGl901IkGWu8DwBI5y1Rr8+blMK9OZW6/4REpa0X2+0/Khzz7KGyD0sTwb0
m6/AH+SEbeaqq4gHkKdbGJXqHFZbqqdcxKzmmZs0rDd+/0s+pMZMnjf9/xKVemhtZya3MaJd
km3RWTUJ/qGmFJNWAyCYuQENBFHTXdYBCAChoKNH9jk+tpaHQ/G0ipsZhL3C7qKfpabDs3sP
ilAroC6RBGEGXe0gJ0x3BjZEAF8ueHf5DsmyZKwifXBnxEfYyzS7QRTu4B+2m5fyq6W/rA9Z
+41i/OfHTxCzQcK9WOdJ0WJNJ0i8PZrtOrsDK409n34FgDAif0yn7P0e8ysowt4MDW1L3kLv
bSFo6kvyp8jIXtImo8LZToj73ZQtDBH6C1ujtyThhP+VNrYGJTPiXbxZBmjX0o4flDidl0X6
ZvWSVNQdnHrVo3jdfbBmSeRei3NCVEHVTnszxbqEp7EYfrQwYXzrYnXd1Gyf27e88HyYSFaj
Ximo6MkIB1CpeBmxABEBAAGJASUEGAECAA8FAlHTXdYCGwwFCQlmAYAACgkQ+AJyAQm+d6yt
dwf+JiZyZoP6o10wLNAH+RZMjwhmsBPygS4tzzzpIyqXOd8STnzaUbrjv7YZmOobXFG24+Uf
g4X+q+KdGGgqJIOoZG2JHqjL/3defsgTEOpgkxtRF5OrnmMQoOIoLs8U0qsTPv0jXzVZXfB0
r+TsbKo/n9FOPN8jEoXuqZF0VaXfyWKm3AyOOdNIW/RTNr427qMHn2BLeEPhWaf4VoGAoHlW
wCJeULl1ZpDiW4NdlzOJv1+l4PwU5xPeeV8rsLKYXWDJMzqEAuJpkkHwyk/Qjv3+IYPokxBV
ie0W71LQHFK6U+EW9p7EsSSLla3yQ/Ay4CTVn9WabcfwMd67tdNtuj6M/Q==
=M0g+
—–END PGP PUBLIC KEY BLOCK—–

The really cool thing is that with the apps APG and K9-Mail I can have this same functionality on my phone as on my desktop machines!

Security Conscious, or even plain paranoid.

I have been investigating security a lot recently. You might think that this is primarily because of the revelations regarding the NSA hoovering up everyone’s data, but I was looking into this before Mr. Snowden broke his story.

There are a couple of things that I have been working on. The first one was securing a server.  One of the research groups here is working on sensitive material. However, they are not working on it alone, and in fact are doing collaborative research with groups in a couple of other European countries.

The issue is that they need to be able to share their data, to be able to write and read the data and have it secured.

Now if it was a single person, or even a single group working in a single location then I would seriously consider the use of something like Truecrypt. Putting the data in an encrypted ‘vault’ which you can open and close as required, and which users can co-operate on managing.  But this only works well for simple usage. How do you manage co-operative opening/closing/modifying of data stored in a Truecrypt vault. This is before you also consider the fact that it would also require sharing of the passphrase across the groups.

After much head scratching and reading of various pages I reached the conclusion that the best approach was to store everything within an ecryptfs file system. ecryptfs is part of the Linux kernel, and it provides an encryption/decryption layer at the file level.

The process of enabling it is quite simple. On the Linux machine that holds the data you need to install the ‘ecryptfs-utils’. On a suitable Ubuntu/Mint/Debian system this is achieved using the command:

sudo aptitude install ecryptfs-utils

Once the installation is complete then the following steps are required:

  1. Create the ‘Folder’ which will contain the encrypted data
  2. Create the ‘Folder’ which will ‘contain’ the unencrypted data
  3. mount the encrypted folder pointing to the unencrypted version using the ‘encryptfs’ mount type.

The command is: sudo mount -t ecryptfs ‘secure_folder’ ‘readable_folder’

When issuing the mount command (which needs to be done as sudo) then a number of settings have to be selected. These are:

  • Passphrase for the encryption (equivalent to the password)
  • Encryption type
  • Key bytes
  • Enabling plaintext passthrough
  • Enabling filename encryption

Care should be taken when setting these values the first time as they will define the settings for the content. If, on subsequent attempts to mount the encrypted content any setting is different from the ‘original’ settings then a warning will be issued, and you will be asked if you want to continue mounting. At this point I would suggest cancelling the mount process and re-mounting. This minimizes the probability of overwriting content and damaging it!

Once the process is complete then the ‘plain’ folder can be written to without any special commands. The file appears in the plain folder, but an encrypted version of the file is stored in the encrypted folder. If the option to encrypt the filename has been selected then the filename itself is encrypted.

There are a few things I like about this approach to securing data. Although it appears that the content is unencrypted, the ‘plain’ version is a live file, which disappears when the folder is unmounted. This means that if a bad guy were to steal the device (good luck, the server is bloomin’ huge!) then they would need the passphrase to remount the content, and it is therefore safe… Also, the encryption is on a file level, so you don’t have to earmark a certain size of ‘vault’ as you would in Truecrypt, you can just write files in the normal way and they will be encrypted. The ‘plain’ folder can be shared as a Samba share in the normal way, multiple users can connect and use the content, and they don’t need to be able to manage complex encryption software, or share a passphrase.

One other thing that is excellent about using this approach is that it plays so well with Dropbox (and other cloud storage providers). I have created a folder on all of my Linux machines which have the Dropbox client installed. The folder is then used to mount a folder within my Dropbox directory using the encryptfs as above. I can then store content in the folder which is then encrypted within Dropbox. No more worrying about ‘Safe Harbour’ policies etc. I haven’t made all of my Dropbox content encrypted though. There are several reasons for this.

  1. ecryptfs is not supported on any platform other than Linux. I don’t often have to use Windows or Mac, but it does happen, and if I put everything within an encrypted system there is no doubt there would be a time I wanted something from the file system which would be a pain to extract.
  2. While it is possible to automate the process of mounting the encrypted content it seems nonsensical to do so. Encrypted content which auto-unencrypts without intervention is functionally equivalent to unencrypted content, and isn’t in any real way secure.
  3. One of the tweaks I have made to my Emacs start-up files is to store them in the my Dropbox. I need these to be available when I log in so that the Emacs daemon can start, which enables fast start-up for any subsequent usage.

I’m very happy with the functionality, and so far, so are the users.

There is more to be said on the subject of security, but I will save it for another post.