I’ve written before suggesting the use of Linux for open source drive imaging and it seems there has been some movement in this direction. About a year after my initial posting the folks at PackRatStudios posted this article with a list of free and open source alternatives to the Symantec Ghost software. A quick look at the utilities they reviewed indicates that there is still much work to be done on using Linux as a disk imaging platform, particularly when it comes to ease of use and filesystem (NTFS in particular) support. On the other hand we’re much further along than we were and progress is clearly being made.
Revisiting Open Source Whole Drive Encryption: TrueCrypt vs. DiskCryptor
About a month and a half ago I wrote about open source whole disk encryption software (this was just before TrueCrypt 5 came out) and mentioned an open source program called DiskCryptor which has been available since late fall and was the first open source whole drive encryption (system partition encryption) utility to support Windows that I’m aware of.
DiskCryptor has releases hosted on SourceForge and additional information on the primary developer’s website. Though the developer’s site is in Russian the Google translation facility does an ok job of translating it.
I started using DiskCryptor a few weeks before TrueCrypt 5 came out and was really impressed. Once TrueCrypt was released I tried that and while I do appreciate some aspects of the super redundancy in TrueCrypt whole disk encryption I soon went back to using DiskCryptor for a couple of reasons.
First, I had problems with TrueCrypt blue-screening on me and sometimes preventing my system from shutting down properly (it would sometimes reboot instead of shutting down). This made me quite uncomfortable as I was trusting my data to the software. I understand there have been a few patches to TrueCrypt since I tested version 5.0 which fixes some of the problems people were having and which I have not tried yet but there are other reasons I prefer DiskCryptor.
Second, while all the hand holding and redundant systems in TrueCrypt do make it (to some extent) dummy-resistant they are actually quite a pain when being utilized by a power user and there is no way to bypass them. In some cases it is either inconvenient or unnecessary to create a recovery CD. DiskCryptor does not require that a recovery CD be created and has different, perhaps more robust methods of recovering the data should the need arise.
Third, DiskCryptor supports hibernation! This is reason enough to use DiskCryptor for many laptop users. I understand that TrueCrypt 5.1 includes hibernation support but it appears a bug may have been introduced at the same time with dire consequences for drive security. Read about this bug in English and see the code problem in Russian. This may be fixed in TrueCrypt 5.1a but is not specifically mentioned as fixed in the TrueCrypt changelog as far as I can see.
Fourth, DiskCryptor has (in my mind) more robust/useful recovery options. This is for several reasons. While there is no recovery CD or extensive boot loader decryption à la TrueCrypt the encrypted volumes are fully compatible with standard TrueCrypt encrypted volumes (including pre-TrueCrypt 5). This means you can take a DiskCryptor encrypted volume and physically attach the drive to another system or boot into another OS and then mount and decrypt the drive with TrueCrypt. You cannot even do this with TrueCrypt encrypted drives as the technology behind TrueCrypt whole drive encryption is not compatible with regular TrueCrypt encrypted volumes. To me this is really exciting and useful as it allows me to move drives between systems and retain access to the encrypted data. There is also a BartPE plugin for DiskCryptor so you can boot from a BartPE CD and decrypt/access the encrypted drive. Finally, support is in version 0.3 (coming out shortly) for installing the DiskCryptor boot code on other media (e.g. flash memory keys, CD-ROMs, etc.).
Fifth, DiskCryptor appears to be faster than TrueCrypt 5 WDE. At least on my system I noticed no slowdown with DiskCryptor but TrueCrypt 5 significantly slowed down my disk intensive operations. This is a major reason I personally switched back to DiskCryptor and I’m not the only one as evidenced by some posts in the DiskCryptor forums which indicate that in terms of MB/s DiskCryptor is as much as twice as fast as TrueCrypt 5, at least on some systems. Based on my experience I would agree. I understand there have been some performance enhancements in TrueCrypt 5.1a which include some assembly optimization (which was already a part of DiskCryptor) and I have not had a chance to test this latest version yet but believe speed improvements have also been made in the latest version of DiskCryptor which may still give it the edge.
Sixth, the development of DiskCryptor is both more active and more responsive to users than TrueCrypt. “ntldr”, the developer of DiskCryptor, has been very open to suggestions and very responsive to users through the forum on their website, http://freed0m.org/forum; the same cannot be said for TrueCrypt. Based on what I’ve seen from various TrueCrypt users they have been often ignored by the TrueCrypt developers who seem to be a small group of developers who do not respond particularly well to users or accept development assistance (one of the major benefits of open source development). The disenfranchised users include the DiskCryptor developer “ntldr” along with OS X users who started a project called OS X Crypt because of the unresponsive nature of TrueCrypt developers. I think this potentially will be a huge problem for TrueCrypt and it makes me somewhat concerned about the motives and long term success of the TrueCrypt development team. This is also manifested in the somewhat restrictive nature of the TrueCrypt source license compared with other open source licenses such as the GPL (which is used by DiskCryptor). While TrueCrypt may be open source it is most definitely not GPL software and not GPL compatible (read about the issues of including this with GPL software here).
There is one downside to DiskCryptor: there is currently no real help file or instructions for using it, but I was able to figure it out by looking at the menu options, all of which seem fairly straightforward to me. This is an acknowledged flaw and is being actively worked on by a few DiskCryptor users. In the meantime the primary developer is more concerned about enhancing the feature set and eradicating bugs than on developing documentation, an understandable position for many volunteer software developers.
Communication and publicity is not a strong suit for DiskCryptor and this may be partially due to the fact that English is not the first language of the developer. In my opinion this, more than anything, is holding back what is otherwise an excellent (and in my mind superior to TrueCrypt) product. Much of the information is available but it’s in the DiskCryptor forums which contain a mix of Russian and English making them not the most user friendly way to learn about the software. There has also been little tech press coverage of the program.
I am not so much trying to make the case by myself that DiskCryptor is a better product for everyone, though it was for me. I am trying to bring some attention to the first open source whole disk encryption program (there was even a Wikipedia vote where it was decided to eliminate the page for DiskCryptor as non-notable and where people seriously questioned if it was just a knock off of TrueCrypt 5!) and encourage others to talk about and try DiskCryptor. Certainly the program could use some English language press if it is to grow significantly. Hopefully by explaining my reasons for selecting DiskCryptor as my choice I’ve encouraged you to at least keep an open mind and try the software then write and share your experience with others.
Whole Disk Encryption
My laptop is one of the IBM (Lenovo) Thinkpads which includes a fingerprint reader and TPM chip which can be used to both unlock the system at boot and log on to Windows using software supplied with the computer. One thing that the supplied software does not do but something that I’ve been interested in doing is whole disk encryption (something also called by a few other names depending on the vendor and software).
You can learn more about whole disk encryption in this article written by Bruce Schneier a couple of months ago or from the Wikipedia article. Essentially the idea is to encrypt the entire hard drive rather than a small subset of files. Obviously this does not protect the files while the computer is operating but is especially useful if you have a laptop (something prone to being stolen) and want to ensure that if someone stole it the data on it would be useless. While some free utilities such as TrueCrypt have allowed you to encrypt entire volumes they have not allowed you to encrypt the boot drive, at least not when using the Windows operating system. You see the trick with encrypting the boot drive is that you need to unencrypt it for the system to boot so a driver must be loaded at boot time which will prompt the user for a password and thus unlock the key allowing the drive to be unencrypted and the system booted. Until recently there were no free or open source programs which allowed you to do this with the Windows OS (solutions for Linux were available).
In the span of just over a month that has all changed. In December a Russian security consultant released the open source program DiskCryptor (and on SourceForge) which allows you to install a Windows driver (which can be renamed for extra obscurity) which will encrypt your drive and also allow you to install a boot time driver onto the disk which allows for the encryption of the boot volume. The encryption algorithm and container is TrueCrypt compatible so if need be you can access the drive by putting it in another computer which has TrueCrypt installed and mount the volume (with the appropriate password of course). This is an especially nice touch as it ensures some kind of compatibility between the open source projects and makes data recovery from an otherwise dead system a bit less problematic. I’ve been successfully running DiskCryptor on my laptop boot drive for several weeks now and have found the program works as advertised though there is essentially no help file or other documentation so you have to learn the program by playing around with it and looking at menus.
Later today TrueCrypt plans to release version 5.0 of their popular open source encryption software which among other things promises to include a boot driver for Windows systems which will allow the encryption of the boot drive. I plan to try out this software once it becomes available. I am excited to see that there will be two open source solutions to whole drive encryption and look forward to improvements in one or both of the programs.
A few things to note. Neither of these solutions (as far as I’m aware) supports the TPM chip and fingerprint reader in my laptop. This means that you need to enter a separate password to unlock the hard drive in addition to unlocking the computer. It also means that the encryption is all taking place in software and utilizing CPU cycles and slowing down drive access times. While I haven’t noticed a pronounced effect in my usual word processing and Internet browsing on this system I can see that this might be problematic for a media or gaming intensive situation. Hopefully advancements to these solutions will allow for better integration with hardware acceleration and authentication to improve this situation.
Configure Windows XP Network Settings from the Command Line
Once upon a time batch files were king in the PC world. Hardly a magazine issue, BBS discussion or user group meeting would go by without one of these handy scripts to add some functionality or usability to systems. Since the reign of Windows, batch file programming has been on the decline. Of course shell scripting remains popular, and extremely popular in Linux, where most settings on the system are still controlled by text configuration files and command line utilities, but in Microsoft land the script has been largely supplanted.
Even though the NT based operating systems (NT, 2000, XP, etc.) have actually made significantly more configuration available from the command line and there was a push for a new ‘Windows Scripting’ language, these things have become largely forgotten and there are now an extremely limited number of users, compared to the Windows user population, who are comfortable writing scripts to automate things in Windows. Even among large corporate IT departments, where there is perhaps the most to be gained by writing these sorts of mini-utilities, scripting is a dying art. One of the reasons for this is that most magazines and technical publications no longer regularly mention scripting or command line configuration utilities so there is a limited opportunity to learn about these tools.
Nevertheless these tools exist and when you find them they can be extremely useful. Take the “netsh” program for example. This handy little tool allows you to set and manipulate many of the Windows network settings from the command line and when combined with scripting it is possible to create scripts which will completely reconfigure your network interfaces (say from DHCP to a static address to another static address) for various network configurations all with the simple execution of a script.
You can learn more about this powerful tool from a few different Microsoft sites but while these provide some syntax and information perhaps the best place to get started is at one of the third party sites which covers it. Or now that you know about the utility you could just start experimenting with things.
For example running the “netsh -c interface dump” command will dump all kinds of interesting information about how your interfaces are currently configured to the prompt. It’s possible to capture this information to a text file and then ‘replay’ the data to reconfigure things as they currently are using something like “netsh -f netsettings.txt”
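The dump-and-replay workflow and the DHCP/static switching described above, as an added example that is not part of the original post: a Windows XP batch script in which the interface name "Local Area Connection" and every address are assumed placeholder values.

```batch
@echo off
rem netprofile.bat - added example, not from the original post.
rem Assumptions: the interface name and all addresses are placeholders;
rem replace them with the values for your own network before use.
setlocal
set IFACE=Local Area Connection
set BACKUP=netsettings.txt

if /i "%~1"=="save"    goto save
if /i "%~1"=="restore" goto restore
if /i "%~1"=="dhcp"    goto dhcp
if /i "%~1"=="static"  goto static
echo Usage: %~nx0 save ^| restore ^| dhcp ^| static
exit /b 1

:save
rem Capture the current interface configuration as a replayable netsh script.
netsh -c interface dump > "%BACKUP%"
goto done

:restore
rem Replay a previously saved configuration.
if not exist "%BACKUP%" (
    echo No saved settings found in %BACKUP%
    exit /b 1
)
netsh -f "%BACKUP%"
goto done

:dhcp
rem Obtain both the address and the DNS servers from DHCP.
netsh interface ip set address name="%IFACE%" source=dhcp
netsh interface ip set dns name="%IFACE%" source=dhcp
goto done

:static
rem Constructed sample addresses for a static profile.
netsh interface ip set address name="%IFACE%" source=static addr=192.168.1.50 mask=255.255.255.0 gateway=192.168.1.1 gwmetric=1
netsh interface ip set dns name="%IFACE%" source=static addr=192.168.1.1
goto done

:done
rem Only the exit status of the last netsh command is checked here.
if errorlevel 1 (
    echo netsh reported an error
    exit /b 1
)
endlocal
```

Run it from an administrator account, and run `save` before the first change so that `restore` has something to replay. Because `netsh -f` executes every command in the file it is given, keep netsettings.txt somewhere only administrators can write.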
Keep the art alive!
D-STAR Projects
One of the many misconceptions about the D-STAR digital amateur radio protocol is that it is closed and will prevent tinkering by hobbyists. This turns out to be far from the truth indeed. Last year at the Dayton Hamvention there were several exhibits by D-STAR enthusiasts which included an entirely home brewed D-STAR radio and a home brewed D-STAR repeater controller. Well now someone has built a DV interface adapter which can provide a D-STAR digital voice interface on many existing transceivers. Of course some functionality is missing as there is no ability to change various DV settings from the minimal interface but it proves yet again that there is the possibility for much experimentation with this new digital mode.
On other fronts the OpenDSTAR group has released several software tools which build on existing commercially available repeaters and Internet gateways to extend functionality. Still in the pipe from that group is a USB dongle called the DV Dongle which will allow end users to encode audio in the AMBE format used by D-STAR digital voice for later playback through the repeater or, ostensibly, for live PC to repeater communications. Indeed the home brew spirit of amateur radio is alive and well in the world of digital communications, it just looks different than it has in the past.
Keeping an eye on system security
A few months ago I learned of an interesting website called myNetWatchman. This is a very interesting and free website which aggregates firewall logs from various sources around the Net (you are free to contribute your logs as well) and analyzes them for trends and potential infections by IP address. System administrators are then able to enter IP addresses of servers they manage into the site and see whether those servers have been exhibiting any malicious behavior towards the monitored firewalls. This is just one additional useful tool for sysadmins to monitor the behavior of their servers.
Free utility to create ISO CD-ROM images
Occasionally I have the need to have someone who is not as technically literate as myself send me a CD image. In the past I’ve recommended a number of shareware utilities (most of which are for ISO manipulation including extraction) but these are often more powerful than what the person needs and the associated cost is a disincentive. More recently I’ve found a piece of freeware from Lucersoft called LC ISO creator which does nothing but create ISO images of CDs and DVDs. It’s pretty difficult to make a mistake with a piece of software this simple.
Now if only there was a good open-source cross-platform GUI ISO manipulation utility that allowed for the creation, extraction and modification of ISO files. I’ve been really happy with InfraRecorder so I’m hoping something similar comes along in this vein.
Congressional Media Access
In January of this year I wrote about congressional media access. Specifically the concerns I had related to C-SPAN’s attempt to gain independent camera access to the floor of the house and senate which could prohibit the redistribution of proceedings should copyright be enforced. At the same time the independent camera C-SPAN access to committee hearings was already preventing them from being redistributed freely. At that time I lamented that a situation such as this would occur when the Internet provides such a low cost way for the government to make itself more accessible to the people.
Since January a lot has been going on, primarily thanks to Carl Malamud and the great people at http://public.resource.org who are truly dedicated to bringing public domain government documents and media to the people via the Internet. Thanks to their efforts the Internet Archive has already started getting access to and posting committee hearings online, the archive page also has a good overview of the current state of things. The goal, and what I consider a great solution is that “By the end of the 110th Congress, the U.S. House of Representatives could achieve the goal of providing broadcast-quality video of all hearings and the floor for download on the Internet.” Obviously this would be a huge step forward and I would hope the Senate would follow suit.
I really hope that all this comes to pass as it would be a giant leap forward in making government produced content freely accessible to the people. There are other targets (such as NASA TV archives, FCC proceedings, etc.) which could be similarly targeted. Ideally state legislature proceedings would be online as well. The government produces a huge amount of material which belongs to us, the taxpayers, and there are a lot of interesting things that go on in the government. I believe it is only fair that we have access to these proceedings, and other government documents, collections and media, at the highest quality possible so that we may reuse and distribute them.
Open Source CD Recording in Windows
Just last year I was lamenting about the lack of good open source CD recording software for the Win32 platform. I’ve been thrilled with k3b for Linux and was hoping that someone would come out with something similar for Windows. As the formerly great Nero Burning ROM software has become more and more a bloated piece of junkware there have been several interesting developments on the CD recording software front.
First, the very unofficial “Nero Light” and “Nero Light Micro” setups of the Nero software have become increasingly popular with people “in the know”. Not produced by Ahead Nero Software these are slimmed versions of the Nero trial version from the Ahead software page which can be activated with a regular Nero key but which contain far less bloatware (13-35MB instead of 170+). While I haven’t tried them myself I hear they provide the most used functionality without throwing in the kitchen sink. Nero has grown far beyond simple disc burning software which is all I ever used it for and which has caused me to leave it behind.
Second, there are now two open source contenders for CD recording in Windows. Both are technically frontends to a Windows port of the command line cdrecord engine but so is k3b (requires Linux) which has been my favorite since dumping Nero. Even though I do most of my burning with k3b in Linux these days it is occasionally useful to burn something in Windows so I’m testing these as replacements for Nero on that platform.
Both cdrtfe and InfraRecorder provide basic CD burning capability on the Win32 platform though there are a few advantages and disadvantages to each. Cdrtfe is a bit more mature software but is also more complicated, has a less familiar interface and, let’s face it, not the best name in the world. On the other hand InfraRecorder is a lot easier to remember, has a clean, slick interface and is quickly gaining momentum but is quite a bit newer and has fewer configuration options at the moment. Personally, I really like the way InfraRecorder looks and feels which does count for something in software design and I’ve heard great things about the primary developer Christian Kindahl so I look forward to watching this product mature. Both packages allow for basic CD/DVD creation as well as ISO image burning and should already serve the majority of users’ needs, best of all they are both free and open source solutions.
Booting DOS from a USB flash drive
**UPDATE 2014/02/21: Times have changed and you might want to check out the Rufus utility I mention here as an alternative to these technical instructions.**
USB flash drives also called USB keys, pen drives and an assortment of other names can make quite handy reusable boot disks. Today I found myself in need of a DOS boot disk to upgrade the firmware on some hard drives and CD/DVD drives but didn’t want to burn a bunch of bootable CDs or try to find a USB floppy disk drive. I remembered that most newer BIOSs including the one on this system support booting from USB drives so I thought I would investigate that as an option. Unfortunately I found that, being an afterthought, boot support is not an easy thing to do and presents several challenges.
First and foremost is that while there is some information on how to accomplish this on the Internet, there is comparatively little and what information does exist is not as clear or definitive as would be useful. Secondly, there are a number of different methods and tools for accomplishing this and not all methods work with all BIOS implementations of bootable USB. For example, USB flash drives may be booted as fixed disks, floppy drives or USB-Zip drives, each of which requires different methods of preparation and the requisite support in the BIOS. Both of the methods I will describe here treat the flash drive as a fixed disk, which seems to be the best method if your BIOS supports it and appears to be becoming the standard for new BIOSs. While these methods are based on readings of other guides and howtos I was unable to find something as simple as I describe here so this method was developed on my own through research-based trial and error (and lots of reboots) over the better course of a day.
In its simplest description booting from a flash drive as a fixed disk works almost exactly like booting from a hard disk does. The BIOS invokes the boot sector and master boot record (MBR) on the flash drive which loads the operating system kernel. It would initially seem that it should be no problem to make this work, after all DOS based operating systems worked this way for years. The trick is getting the boot sector and MBR on the flash drive. In ye old DOS days when you wanted to install DOS from a floppy disk onto a fixed disk it was common to invoke the FDISK and SYS commands to create a MBR, boot sector and copy the required system files. The problem is that in most cases the USB flash drive is being prepared from within a recent copy of Windows such as Windows XP which no longer has these commands available for this use. On the other hand if you booted DOS from a floppy disk or bootable CD and had access to FDISK and SYS you would not (normally, without drivers) have access to the USB flash drive to install the files.
After reading the information that was available on the Internet I determined it would be reasonably easy to create a bootable DOS USB flash drive in Linux and possible, yet convoluted and confusing to do so from Windows. I wanted to avoid requiring the use of Linux because the average user of such a drive may not have access readily available to a Linux system. Most of the solutions for creating the drive in Windows either used a creation utility from HP (questionable availability and suitability) or a slew of command line utilities and requiring a floppy drive (or emulator) which seemed like an unnecessary and complicated hack to me. The solutions I present may require you to download a few software packages from the Internet but each only requires one command line utility and should be fairly straightforward. As an added bonus all of the software is free and open source.
Note that these methods were specifically designed for installing FreeDOS, an open source DOS. Similar methods may work for installing MS-DOS, DRDOS or other DOSs; however you will need to obtain the boot sector (probably either from source or via extraction from a floppy disk or disk image) and system files specific to your version of DOS. I recommend using FreeDOS whenever possible as it is generally compatible and provides many additional features not found in vintage DOSs.
The first method described is the FreeDOS direct booting method. The advantages of this method are that the drive boots directly into FreeDOS and requires no files on the flash drive root other than the FreeDOS system files (kernel.sys and command.com). The disadvantage is that you must download an additional software package and FreeDOS is the only OS you may boot from the flash drive.
The second method is the SYSLINUX chained booting method. Advantages to this method include more configuration and customization options and the ability to boot floppy disk images and/or other OSs from the same flash drive using a boot loader menu and chained boot loading. None of these enhancements are covered here, this document will only help you get FreeDOS up and running, for information on booting other OSs from the same drive see the SYSLINUX documentation. The disadvantages of this method include three additional files in the flash drive root (can be moved into other directories, see SYSLINUX documentation) and a slightly more complicated (though transparently so) boot process.