Re: Wiping an unencrypted SSD in preparation for encryption

2021-06-10 Thread Reco
Hi.

On Thu, Jun 10, 2021 at 11:43:12PM -0700, David Christensen wrote:
> I don't bother with the 'discard' option in /etc/fstab, but perhaps I
> should.  The fstab(5) and mount(8) manual pages are unclear if
> 'discard' applies to swap or ext4.

swapon(8):

   -d, --discard[=policy]
          Enable swap discards ... The /etc/fstab mount options discard,
          discard=once, or discard=pages may also be used to enable
          discard flags.


Therefore 'discard' can be applied to both ext4 and swap.

Reco



Re: Wiping an unencrypted SSD in preparation for encryption

2021-06-10 Thread David Christensen

On 6/10/21 9:31 PM, David Wright wrote:

> I'm about to install buster or bullseye on a newly acquired laptop
> with an SSD (a first for me). I'm intending to clean (zero or
> randomise) the entire drive with dd before I start, and am
> interested in any pitfalls with that.
>
> I will also encrypt the new /home partition, but for the remaining
> partitions I need to decide whether to add mount's discard option,
> or use a weekly systemd trim, or leave it entirely up to the garbage
> collection in the SSD device itself (which is an nvme THNSN5512GPUK
> TOSHIBA, presumably an OEM model supplied for this HP Spectre).
>
> The machine has 16GB of memory, so I wasn't intending to use swap.
> (It won't have to hibernate, and if push came to shove, there's
> always the possibility of setting up a swapfile or a ramdisk.)
>
> Background:
>
> The July 2017 system was pre-installed with Windows 10.
>
> I have copied the entire disk to external spinning rust, and can
> mount partitions from this image. It's difficult to foresee my ever
> wanting to reload and run this Windows system.
>
> The drive has unencrypted information on it, either in existing files,
> or in deleted/overwritten/whatever ones (though I think that is
> irrelevant to the method for erasing them).
>
> I don't work for the CIA, so "basic" erasure methods are sufficient,
> ie so-called logical and digital sanitisation, but not analogue
> sanitisation/purging. I'm just encrypting stuff like personal bank
> records etc, and not looking for anything like plausible deniability.
>
> Cheers,
> David.



You want to command the SSD controller to do a "secure erase".  The 
manufacturer should provide a utility for this, but it will likely 
require Windows.  In years past I have found Linux CLI utilities to do 
secure erase.  STFW for details.



I would then make a decision between BIOS/MBR or UEFI/GPT.  I prefer the 
former so that I can boot system images in the older machines in my SOHO 
LAN.  Eventually we will all be using the latter.



I would then install Debian using the Debian Installer, choose manual 
partitioning, and partition the SSD as follows:


1.  Create a 1 GB unencrypted partition with ext4 and mount it at /boot.

2.  Create at least a 1 GB encrypted (dm-crypt) swap partition.  I 
experimented with no swap in the past and found that the systems were 
unstable when free memory was low.


3.  Create a small (I use 13 GB) encrypted (LUKS) ext4 partition and 
mount it at / (root).



Once Debian is installed, I would take a raw binary image of the system 
drive for backup, reboot into single-user mode, login as root, create a 
fourth partition, create a LUKS key, chmod the key to 0400, put a LUKS 
container into the 4th partition using the key, add an entry to 
/etc/crypttab for the fourth partition using the key, open the LUKS 
container, put an ext4 filesystem inside the LUKS container, move aside 
the old /home subdirectory, add an /etc/fstab entry to mount the new 
ext4 filesystem at /home, mount the new /home, copy the old /home 
contents into the new /home, reboot into multiuser mode, and verify 
everything.  I would then take another raw binary image for backup.  It 
would be best to do this before you log in to any unprivileged 
accounts, so that /home contains few or no directories or files.



I don't bother with the 'discard' option in /etc/fstab, but perhaps I 
should.  The fstab(5) and mount(8) manual pages are unclear if 'discard' 
applies to swap or ext4.  Beware that adding 'discard' to /etc/fstab 
boot, swap, and/or root entries could break boot.  If you want trim, one 
option might be to run fstrim(8) periodically.



David
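
Added example, not part of either message above: a small audit of where 'discard' is requested in /etc/fstab (ext4 and the swap policies quoted from swapon(8)) and whether an encrypted mapping would pass it on to the SSD. The fstab and crypttab contents, device names and mapping names are constructed for illustration, and every /dev/mapper/ entry is assumed to be a dm-crypt mapping listed in crypttab.

```python
# Constructed sample files for illustration; device names are assumptions.
FSTAB = """\
# <file system>        <mount point> <type> <options>                 <dump> <pass>
/dev/nvme0n1p1         /boot         ext4   defaults                  0 2
/dev/mapper/root_crypt /             ext4   errors=remount-ro,discard 0 1
/dev/mapper/swap_crypt none          swap   sw,discard=once           0 0
/dev/mapper/home_crypt /home         ext4   defaults,discard          0 2
"""

CRYPTTAB = """\
# <name>     <device>         <keyfile>      <options>
root_crypt   /dev/nvme0n1p3   none           luks,discard
swap_crypt   /dev/nvme0n1p2   /dev/urandom   swap,cipher=aes-xts-plain64,size=256
home_crypt   /dev/nvme0n1p4   /root/home.key luks
"""


def rows(text, nfields):
    """Split an fstab/crypttab style table into rows, skipping blanks and comments."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and len(fields) >= nfields:
            yield fields


def discard_policy(fstype, options):
    """Return the discard setting requested by an fstab options field, or None."""
    for opt in options.split(","):
        if opt == "discard":
            # swapon(8): with no policy given, both discard types are enabled.
            return "once+pages" if fstype == "swap" else "online"
        if fstype == "swap" and opt in ("discard=once", "discard=pages"):
            return opt.split("=", 1)[1]
    return None


def audit(fstab, crypttab):
    """Map each mount point (or 'swap') to (requested policy, reaches the SSD?)."""
    # Assumption: a /dev/mapper/NAME source is the dm-crypt mapping NAME in crypttab.
    passthrough = {
        name: "discard" in opts.split(",")
        for name, _dev, _key, opts in (r[:4] for r in rows(crypttab, 4))
    }
    report = {}
    for spec, mnt, fstype, opts in (r[:4] for r in rows(fstab, 4)):
        policy = discard_policy(fstype, opts)
        mapped = spec.startswith("/dev/mapper/")
        # dm-crypt ignores discards unless the mapping was opened with 'discard'.
        effective = policy is not None and (
            not mapped or passthrough.get(spec.rsplit("/", 1)[1], False)
        )
        report["swap" if fstype == "swap" else mnt] = (policy, effective)
    return report


if __name__ == "__main__":
    for target, (policy, effective) in audit(FSTAB, CRYPTTAB).items():
        print(f"{target:6} requested={policy!s:10} reaches_ssd={effective}")
```

Passing discards through dm-crypt lets anyone who reads the raw SSD see which blocks are unused, so the 'discard' option in crypttab is a trade-off rather than a default.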



Re: Wiping an unencrypted SSD in preparation for encryption

2021-06-10 Thread songbird
David Wright wrote:

...
> I don't work for the CIA, so "basic" erasure methods are sufficient,
> ie so-called logical and digital sanitisation, but not analogue
> sanitisation/purging. I'm just encrypting stuff like personal bank
> records etc, and not looking for anything like plausible deniability.

  i don't think this really matters, but the overriding issue
is that the technology of SSD means that sometimes things are
moved around (wear leveling) hidden from the user and will not 
be seen again in normal use, but they are still there.

  you will have to see if the SSD manufacturer releases a 
deep erase utility or something like that for it to be a sure
thing (and even then i'd have my doubts).

  personally, i wouldn't bother going beyond the simple format 
and setting up of file systems.  like you i have nothing on
this machine i consider sensitive so i don't need to worry
about what is left where.


  songbird



Re: Wiping an unencrypted SSD in preparation for encryption

2021-06-10 Thread Jeremy Ardley


On 11/6/21 12:31 pm, David Wright wrote:

> I'm about to install buster or bullseye on a newly acquired laptop
> with an SSD (a first for me). I'm intending to clean (zero or
> randomise) the entire drive with dd before I start, and am
> interested in any pitfalls with that.
>
> I will also encrypt the new /home partition, but for the remaining
> partitions I need to decide whether to add mount's discard option,
> or use a weekly systemd trim, or leave it entirely up to the garbage
> collection in the SSD device itself (which is an nvme THNSN5512GPUK
> TOSHIBA, presumably an OEM model supplied for this HP Spectre).
>
> The machine has 16GB of memory, so I wasn't intending to use swap.
> (It won't have to hibernate, and if push came to shove, there's
> always the possibility of setting up a swapfile or a ramdisk.)
>
> Background:
>
> The July 2017 system was pre-installed with Windows 10.
>
> I have copied the entire disk to external spinning rust, and can
> mount partitions from this image. It's difficult to foresee my ever
> wanting to reload and run this Windows system.
>
> The drive has unencrypted information on it, either in existing files,
> or in deleted/overwritten/whatever ones (though I think that is
> irrelevant to the method for erasing them).
>
> I don't work for the CIA, so "basic" erasure methods are sufficient,
> ie so-called logical and digital sanitisation, but not analogue
> sanitisation/purging. I'm just encrypting stuff like personal bank
> records etc, and not looking for anything like plausible deniability.
>
> Cheers,
> David.


The problem with SSD is that it's actually very difficult if not 
impossible to completely erase them with DD. The drives have a large 
number of sectors in reserve and use them to wear level. This means some 
sectors may be swapped out when you do the DD and so aren't cleared.


There are some drives that have a self erase function that may work for 
your drive.


See https://grok.lsu.edu/article.aspx?articleid=16716

--
Jeremy






Re: Automating tasks on wifi association

2021-06-10 Thread David Wright
On Thu 10 Jun 2021 at 17:33:53 (-0700), L L wrote:
> I'm writing a script that generates a randomized valid MAC address and
> assigns it to the wireless card. It would be nice to make it run
> automatically as part of connecting to an access point. What will I have to
> edit to make this happen?

For the MAC address itself, would macchanger help you?

   * set specific MAC address of a network interface
   * set the MAC randomly
   * set a MAC of another vendor
   * set another MAC of the same vendor
   * set a MAC of the same kind (eg: wireless card)
   * display a vendor MAC list (today, 6200 items) to choose from

As for making the connection, most packages supply locations
for placing your scripts, like /etc/network/if-*.d/ and
/etc/wicd/scripts/p*connect/ and so on.

Cheers,
David.
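
Added example, not part of the message above or of macchanger: one way to generate the "randomized valid MAC address" the question asks about and apply it from a hook in /etc/network/if-pre-up.d/. The interface name wlan0 and the function names are assumptions; the `vendor_of` mode mirrors the "another MAC of the same vendor" item in the list above.

```python
import os
import re
import secrets
import subprocess

TARGET_IFACE = "wlan0"  # assumption: name of the wireless interface
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def is_usable(mac):
    """True if mac is well-formed, unicast and not all zeros."""
    mac = mac.lower()
    if not MAC_RE.match(mac) or mac == "00:00:00:00:00:00":
        return False
    return int(mac[:2], 16) & 0x01 == 0


def random_mac(vendor_of=None):
    """Return a random unicast MAC address as aa:bb:cc:dd:ee:ff.

    With vendor_of set, keep that address's first three octets (its OUI) and
    randomize the rest; otherwise mark the address as locally administered.
    """
    octets = bytearray(secrets.token_bytes(6))
    if vendor_of is not None:
        if not is_usable(vendor_of):
            raise ValueError(f"not a usable MAC address: {vendor_of!r}")
        octets[:3] = bytes.fromhex(vendor_of.replace(":", "")[:6])
    else:
        octets[0] |= 0x02   # U/L bit set: locally administered, not a vendor OUI
        octets[0] &= 0xFE   # I/G bit clear: unicast, required for a station address
    mac = ":".join(f"{b:02x}" for b in octets)
    return mac if is_usable(mac) else random_mac(vendor_of)


def main():
    # ifupdown exports IFACE to scripts in /etc/network/if-pre-up.d/, and runs
    # them for every interface, so act only on the wireless one.
    iface = os.environ.get("IFACE")
    mac = random_mac()
    if iface != TARGET_IFACE:
        print(f"dry run, would set {mac}")
        return
    # pre-up runs before the link is brought up, when the address can be changed.
    subprocess.run(["ip", "link", "set", "dev", iface, "address", mac], check=True)


if __name__ == "__main__":
    main()
```

run-parts skips file names containing a dot, so the hook has to be installed under a name without a ".py" suffix and marked executable.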



Wiping an unencrypted SSD in preparation for encryption

2021-06-10 Thread David Wright
I'm about to install buster or bullseye on a newly acquired laptop
with an SSD (a first for me). I'm intending to clean (zero or
randomise) the entire drive with dd before I start, and am
interested in any pitfalls with that.

I will also encrypt the new /home partition, but for the remaining
partitions I need to decide whether to add mount's discard option,
or use a weekly systemd trim, or leave it entirely up to the garbage
collection in the SSD device itself (which is an nvme THNSN5512GPUK
TOSHIBA, presumably an OEM model supplied for this HP Spectre).

The machine has 16GB of memory, so I wasn't intending to use swap.
(It won't have to hibernate, and if push came to shove, there's
always the possibility of setting up a swapfile or a ramdisk.)

Background:

The July 2017 system was pre-installed with Windows 10.

I have copied the entire disk to external spinning rust, and can
mount partitions from this image. It's difficult to foresee my ever
wanting to reload and run this Windows system.

The drive has unencrypted information on it, either in existing files,
or in deleted/overwritten/whatever ones (though I think that is
irrelevant to the method for erasing them).

I don't work for the CIA, so "basic" erasure methods are sufficient,
ie so-called logical and digital sanitisation, but not analogue
sanitisation/purging. I'm just encrypting stuff like personal bank
records etc, and not looking for anything like plausible deniability.

Cheers,
David.



Touch screen monitor recommendations?

2021-06-10 Thread Bob McGowan

Hi,

I have a use case which could use a touchscreen monitor with a standard 
desktop running Debian.


Does anyone have any recommendations for units known to work with Debian?

Thanks,

Bob



Re: Automating tasks on wifi association

2021-06-10 Thread Robbi Nespu

On 6/11/21 8:33 AM, L L wrote:
> I'm writing a script that generates a randomized valid MAC address and
> assigns it to the wireless card. It would be nice to make it run
> automatically as part of connecting to an access point. What will I have
> to edit to make this happen?
>
> Luke

Something like this? [1]

[1] https://gist.github.com/zaneclaes/31ff645e303e1a6c9a86fc166216371d

--
Robbi Nespu 
D311 B5FF EEE6 0BE8 9C91 FA9E 0C81 FA30 3B3A 80BA
robbinespu.gitlab.io | mstdn.social/@robbinespu



Automating tasks on wifi association

2021-06-10 Thread L L
I'm writing a script that generates a randomized valid MAC address and
assigns it to the wireless card. It would be nice to make it run
automatically as part of connecting to an access point. What will I have to
edit to make this happen?

Luke


Re: problem with speedtest-cli

2021-06-10 Thread Robbi Nespu

On 6/11/21 1:51 AM, john doe wrote:

> I would file a bug report to the Debian package and maybe upstream.

It's on upstream:
https://github.com/sivel/speedtest-cli/commit/cadc68b5aef20f28648072cf07a8f155639b81dd#diff-561d5175f923c2ffd7764768f8e3cd6e1fdb41806bf1b0e4da699ab21bb31930 


--
Robbi Nespu 
D311 B5FF EEE6 0BE8 9C91 FA9E 0C81 FA30 3B3A 80BA
robbinespu.gitlab.io | mstdn.social/@robbinespu



Re: Debmirror

2021-06-10 Thread Francisco M Neto
On 6/10/21 4:39 PM, Andrew M.A. Cater wrote:
> My advice to you would be the same as the advice I gave to Polyna: ftpsync
> "just works" for most things and relies only on rsync.
> 
> It's what I and several others use - it's Debian native and is widely
> understood and used.

Oh, I'm not looking for that. I was just trying to help the OP.

Cheers!

-- 
[]'s,

Francisco M Neto 

3E58 1655 9A3D 5D78 9F90
CFF1 D30B 1694 D692 FBF0



Re: Debmirror

2021-06-10 Thread Andrew M.A. Cater
On Thu, Jun 10, 2021 at 01:34:56PM -0300, Francisco M Neto wrote:
> Hello again,
> 
> On 6/5/21 4:33 AM, Polyna-Maude Racicot-Summerside wrote:
> > I used to make my own mirror using aptly but as it needs to sign with a
> > new key all the mirror it does, it does take a lot of time and that's
> > excessive for the full debian repository with backports and source.
> 
>   Eh, I hadn't seen this message when I sent my last reply. My apologies.
> 
>   Maybe apt-mirror is the better alternative then.
> 
>   Other sync programs might work too (ftpsync, rsync) but they might be
> less effective since they don't know about debian mirrors.
> 

Hi Francisco,

My advice to you would be the same as the advice I gave to Polyna: ftpsync
"just works" for most things and relies only on rsync.

It's what I and several others use - it's Debian native and is widely
understood and used.

All the very best,

Andy Cater


> -- 
> []'s,
> 
> Francisco M Neto 
> 
> 3E58 1655 9A3D 5D78 9F90
> CFF1 D30B 1694 D692 FBF0
> 



Re: problem with speedtest-cli

2021-06-10 Thread john doe

On 6/10/2021 6:08 PM, kaye n wrote:

> Hello guys
>
> kaye@laptop:~$ speedtest-cli
> Retrieving speedtest.net configuration...
> Traceback (most recent call last):
>   File "/usr/bin/speedtest-cli", line 11, in <module>
>     load_entry_point('speedtest-cli==2.0.2', 'console_scripts', 'speedtest-cli')()
>   File "/usr/lib/python3/dist-packages/speedtest.py", line 1887, in main
>     shell()
>   File "/usr/lib/python3/dist-packages/speedtest.py", line 1783, in shell
>     secure=args.secure
>   File "/usr/lib/python3/dist-packages/speedtest.py", line 1027, in __init__
>     self.get_config()
>   File "/usr/lib/python3/dist-packages/speedtest.py", line 1113, in get_config
>     map(int, server_config['ignoreids'].split(','))
> ValueError: invalid literal for int() with base 10: ''
>
> I don't know what's wrong.


I would file a bug report to the Debian package and maybe upstream.

--
John Doe



Re: Debmirror

2021-06-10 Thread Francisco M Neto
Hello again,

On 6/5/21 4:33 AM, Polyna-Maude Racicot-Summerside wrote:
> I used to make my own mirror using aptly but as it needs to sign with a
> new key all the mirror it does, it does take a lot of time and that's
> excessive for the full debian repository with backports and source.

Eh, I hadn't seen this message when I sent my last reply. My apologies.

Maybe apt-mirror is the better alternative then.

Other sync programs might work too (ftpsync, rsync) but they might be
less effective since they don't know about debian mirrors.

-- 
[]'s,

Francisco M Neto 

3E58 1655 9A3D 5D78 9F90
CFF1 D30B 1694 D692 FBF0



Re: Debmirror

2021-06-10 Thread Francisco M Neto
Hello!

On 6/5/21 4:27 AM, Polyna-Maude Racicot-Summerside wrote:
>>> I've done a mirror with debmirror.
>>> All seems good when I look at the folders and files.
>>> But when I do apt-update it complains about contents-amd64 file missing !?
>>>
>>> Got some ideas?
>>
> I already know this one.
> But there seems to be a problem with debmirror not copying some files.
> I found a bug report relating to this.
> 
> I've now tried using apt-mirror.
> I'll see if I get the same.

You also might be interested in having a look at package aptly.
-- 
[]'s,

Francisco M Neto 

3E58 1655 9A3D 5D78 9F90
CFF1 D30B 1694 D692 FBF0



Re: thunderbird vs clawsmail

2021-06-10 Thread Francisco M Neto
Hello!

On 6/6/21 11:43 AM, fxkl47BF wrote:
> i've gone back and forth between thunderbird and clawsmail

Been there, brother.

> clawsmail is lightweight and clean, i like that
> debian stable only has an old version, i don't like that
> to get an up to date version i have to continuously compile from source, i 
> don't like that

Depends on what you call "old":

* Stable has 3.17.3
* Testing and Unstable have 3.17.8
* Upstream is... 3.17.8

I'm not familiar with Claws but a cursory look at their changelogs
shows why upgrading might be a good idea.

I'm assuming that if you don't like compiling it every time you're
probably not interested in backporting, neither in creating a local
version of your package, so I'm gonna give you an alternative.

If you _really_ want the latest version of Claws and you _cannot_ wait
for Bullseye's release (best guess right now would be late July), you
can install the version from Testing using Pinning [1]. You basically
add testing to your sources.list and tell APT that you don't want it to
install stuff from Testing unless you tell it to.

Have a look at the link below; I'd be happy to help if you have 
questions.

[1] https://wiki.debian.org/AptConfiguration

-- 
[]'s,

Francisco M Neto 

3E58 1655 9A3D 5D78 9F90
CFF1 D30B 1694 D692 FBF0



Re: problem with speedtest-cli

2021-06-10 Thread Liam O'Toole
On Fri, 11 Jun, 2021 at 00:08:51 +0800, kaye n wrote:
>Hello guys
>kaye@laptop:~$ speedtest-cli
>Retrieving [1]speedtest.net configuration...
>Traceback (most recent call last):
>  File "/usr/bin/speedtest-cli", line 11, in <module>
>load_entry_point('speedtest-cli==2.0.2', 'console_scripts',
>'speedtest-cli')()
>  File "/usr/lib/python3/dist-packages/speedtest.py", line 1887, in
>main
>shell()
>  File "/usr/lib/python3/dist-packages/speedtest.py", line 1783, in
>shell
>secure=args.secure
>  File "/usr/lib/python3/dist-packages/speedtest.py", line 1027, in
>__init__
>self.get_config()
>  File "/usr/lib/python3/dist-packages/speedtest.py", line 1113, in
>get_config
>map(int, server_config['ignoreids'].split(','))
>ValueError: invalid literal for int() with base 10: ''
>I don't know what's wrong.
>Thank you for your time.
>Kaye
> 

It's a known issue[1]. A workaround is to edit the file 
/usr/lib/python3/dist-packages/speedtest.py. Remove the following block 
beginning on line 1112

   ignore_servers = list(
       map(int, server_config['ignoreids'].split(','))
   )

and replace it with

   ignore_servers = [
       int(i) for i in server_config['ignoreids'].split(',') if i
   ]

Hopefully the issue will be fixed in the next stable point release.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986637



problem with speedtest-cli

2021-06-10 Thread kaye n
Hello guys

kaye@laptop:~$ speedtest-cli
Retrieving speedtest.net configuration...
Traceback (most recent call last):
  File "/usr/bin/speedtest-cli", line 11, in <module>
    load_entry_point('speedtest-cli==2.0.2', 'console_scripts', 'speedtest-cli')()
  File "/usr/lib/python3/dist-packages/speedtest.py", line 1887, in main
    shell()
  File "/usr/lib/python3/dist-packages/speedtest.py", line 1783, in shell
    secure=args.secure
  File "/usr/lib/python3/dist-packages/speedtest.py", line 1027, in __init__
    self.get_config()
  File "/usr/lib/python3/dist-packages/speedtest.py", line 1113, in get_config
    map(int, server_config['ignoreids'].split(','))
ValueError: invalid literal for int() with base 10: ''

I don't know what's wrong.
Thank you for your time.
Kaye


RE: ISC-DHCP server number of active leases

2021-06-10 Thread Bonno Bloksma
Hi Dan / list,

>> I am running multiple isc-dhcp servers on Debian Linux.
>> I have several sites with multiple networks and I use the isc-dhcp-server to 
>> hand out ip numbers in the various network segments. In most of the networks 
>> I have more than enough free ip numbers all the time.
>> However, in some networks I KNOW I regularly hand out far more than 50% of 
>> the assigned ip numbers and I have set the default and max-lease-time low 
>> enough to free up ip numbers asap.
>> So far so good, I have had no problems this year but... we are growing and 
>> people have more mobile devices so I want to know HOW CLOSE I am to running 
>> out of free dhcp leases.
>> 
>> Which tool can help me getting insight in the number of active dhcp leases. 
>> It would be really great if it gave insight including a history of when how 
>> many ip numbers were in use at any given time segment.
>> That would show me whether I am getting close to saturation at any given 
>> moment in the day. 

> apt install dhcpd-pools

That seems to do a lot of what I want, however our current monitoring tool can 
do stuff a lot easier if it were accessible via SNMP.
It seems there is a tool that can help https://github.com/ohitz/dhcpd-snmp 
It is a perl script that I somehow need to hook into the net-snmp tool. Has 
anyone even done this on a Debian machine, I have not used SNMP on a Debian 
machine before and have yet to read all the documentation as to how I can 
install a perl script as an extension. Anyone who can help, please do so. What 
do I need to focus on at first?


Bonno Bloksma