Recovering from lost partition table: a use case

This happened today and may be of use to other Ubuntu or Debian users with a similar configuration. The disk of a laptop lost its partition table because it was mistaken for a USB key and modified. The old GPT partition table could not be recovered from its backup copy because nothing was corrupted: the new partition table had been written to both the primary GPT and its backup.

The laptop was installed with Ubuntu 16.04 about two years ago and it was assumed to:

  • Have an EFI partition
  • Have a separate boot partition

The partition table is rebuilt to start with a 512MB partition for EFI (type 1) followed by another partition for the rest of the disk. When the second partition is created with fdisk, it warns that an ext2 signature is present: the signature must be preserved (do not let fdisk remove it).

Running dumpe2fs on the second partition displays the actual size of the filesystem it holds, for instance:

$ dumpe2fs /dev/nvme0n1p2
...
Block count:              249856
...
Block size:               1024

The partition table is adjusted accordingly, taking into account that filesystem blocks are 1024 bytes and fdisk sectors are 512 bytes (i.e. 249856 * 2 == 499712):

$ fdisk -l /dev/nvme0n1
Device           Start        End   Sectors   Size Type
/dev/nvme0n1p1    2048    1050623   1048576   512M EFI System
/dev/nvme0n1p2 1050624    1550335    499712   244M Linux filesystem

Note: in some cases fdisk adds one sector to the requested number of sectors. Verify the actual number of sectors allocated to the partition and adjust it accordingly.
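The cross-check described above, as an added example that is not part of the original post: it converts the filesystem size recorded in the ext2/3/4 superblock into 512-byte sectors and compares it with what fdisk -l allocated, flagging the one-sector overshoot mentioned in the note. The dumpe2fs and fdisk samples are constructed from the values shown above; on a live system the output of dumpe2fs -h and fdisk -l would be fed in instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the rebuilt
# partition is exactly as large as the filesystem it must hold.

SECTOR_BYTES=512

# Expected sector count from "dumpe2fs -h" output on stdin:
# Block count * Block size / 512.
fs_sectors() {
    awk -v sb="$SECTOR_BYTES" '
        /^Block count:/ { count = $3 }
        /^Block size:/  { size = $3 }
        END { if (count && size) print count * size / sb; else exit 1 }'
}

# Sector count "fdisk -l" allocated to the given device node, from stdin.
fdisk_sectors() {
    awk -v dev="$1" '$1 == dev { print $4; exit }'
}

# Compare both figures. Returns 0 on an exact match, 2 when fdisk
# allocated one sector too many (the off-by-one noted above), 1 otherwise.
check_partition() {
    expected=$(printf '%s\n' "$2" | fs_sectors) || return 1
    actual=$(printf '%s\n' "$3" | fdisk_sectors "$1")
    [ -n "$actual" ] || return 1
    if [ "$actual" -eq "$expected" ]; then
        echo "$1: OK ($actual sectors)"; return 0
    elif [ "$actual" -eq $((expected + 1)) ]; then
        echo "$1: fdisk allocated one extra sector ($actual, expected $expected)"; return 2
    else
        echo "$1: size mismatch ($actual sectors, filesystem needs $expected)"; return 1
    fi
}

# Constructed samples mirroring the dumpe2fs / fdisk -l output above.
DUMPE2FS_SAMPLE='Block count:              249856
Block size:               1024'
FDISK_SAMPLE='Device           Start        End   Sectors   Size Type
/dev/nvme0n1p1    2048    1050623   1048576   512M EFI System
/dev/nvme0n1p2 1050624    1550335    499712   244M Linux filesystem'

check_partition /dev/nvme0n1p2 "$DUMPE2FS_SAMPLE" "$FDISK_SAMPLE"
```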

The signature of the third partition gives a hint about its content. If it is crypto_LUKS, it can be opened with cryptsetup luksOpen /dev/nvme0n1p3 root and the device will appear under /dev/mapper.

Why I deleted my GitHub account

Today I permanently deleted the GitHub account that was in my name. I used it to contribute to Free Software projects that only use this proprietary platform. I started using GitHub a few years ago and constantly tried (and failed) to convince projects to self-host using Free Software instead. As more and more Free Software projects I care about moved to GitHub, I ended up using it daily and it made me sad.

The recent acquisition of GitHub by Microsoft turned it into a service that belongs to a company that is actively working against the Free Software movement by:

  • Lobbying for Software Patents and being one of the largest Software Patents holders in the world
  • Lobbying for DRMs and implementing them in their software products
  • Convincing people they must not fight in court when their rights under copyleft licenses are violated

By using Microsoft services daily, I would also implicitly support them, even if indirectly. I feel better knowing I no longer depend on Microsoft in any way.

Running tests on a Nextcloud app

The sample Nextcloud app is generated with restrictions that won’t allow it to run on version 13 or above. This can be fixed by updating apps/foobar/appinfo/info.xml with:

<nextcloud min-version="12" max-version="14"/>

The Docker test container can be modified to run on /opt/nextcloud/server, a clone of the Nextcloud server including the generated app.

version: '3'

services:
  db:
    image: postgres
    restart: always
    volumes:
      - db:/var/lib/postgresql/data
    env_file:
      - db.env

  app:
    image: nextcloud:fpm
    restart: always
    volumes:
      - /opt/nextcloud/server:/var/www/html
    environment:
      - POSTGRES_HOST=db
    env_file:
      - db.env
    depends_on:
      - db

  web:
    build: ./web
    restart: always
    ports:
      - 8080:80
    volumes:
      - /opt/nextcloud/server:/var/www/html:ro
    depends_on:
      - app

volumes:
  db:
#  nextcloud:

The phpunit-5.7 script is then installed with:

  • cd /usr/local/bin
  • wget -O phpunit https://phar.phpunit.de/phpunit-5.phar
  • chmod +x phpunit

and run with:

  • cd /var/www/html
  • chown -R www-data .
  • cd apps/foobar
  • phpunit

PHPUnit 5.7.27 by Sebastian Bergmann and contributors.
.                                                                   1 / 1 (100%)
Time: 241 ms, Memory: 8.00MB
OK (1 test, 2 assertions)

  • phpunit --debug -c phpunit.integration.xml

PHPUnit 5.7.27 by Sebastian Bergmann and contributors.
Starting test 'OCA\FooBar\Tests\Integration\Controller\AppTest::testAppInstalled'.
.                                                                   1 / 1 (100%)
Time: 250 ms, Memory: 8.00MB
OK (1 test, 1 assertion)

From a SecureDrop talk to the first edition of the privacy devroom at FOSDEM

Only this year did I fully understand what motivates so many people to devote their free time to making FOSDEM a success, year after year. As surprising as it sounds, organizing the privacy devroom and standing at the booth was better than just visiting, chatting and attending talks. A big part of that good feeling certainly comes from the excellent organization. Accidents happened, of course, but they were resolved quickly. Ancient Free Software with clunky interfaces was used, but nothing got in the way, and people used to it helped the newcomers. As a Free Software developer, this sets a fine example of the feeling we would like to provide to every contributor of our code base. When participating is more enjoyable than passively using, we’re one step closer to contributopia.

Continue reading “From a SecureDrop talk to the first edition of the privacy devroom at FOSDEM”

HOWTO Anonymous mobile in Paris

Using a mobile anonymously with encrypted messages and voice is challenging. With Signal, text and voice are encrypted, but it sends your contacts to Signal, which makes me uncomfortable. With Orfox you can browse the web without revealing your IP address, but the GSM module tracks your location.

With a small budget you can however buy a second-hand mobile and dedicate it to anonymous communications, as long as you remove its battery when you’re not in a public place. You do not leak your contacts to Signal, and the GSM module tracks a SIM card that is not associated with you. Here is a detailed description of the preparation of an anonymous phone I did today. This is not rocket science and I’m sure lots of people already know all of that. But I did not find a HOWTO and it took me some time to figure it out.

Continue reading “HOWTO Anonymous mobile in Paris”

gnome3 / libnotify notification for org-mode appointments

Org mode appointments can be notified 12 minutes before with libnotify by adding the following to the .emacs:

; Desktop notifications (requires the alert package, which provides
; the alert function and alert-default-style)
(setq alert-default-style 'libnotify)
; Show each reminder as a desktop notification instead of a popup window
(setq appt-disp-window-function
      (lambda (min-to-app new-time appt-msg)
        (alert appt-msg)))
; There is no window to delete, so make the deletion hook a no-op
(setq appt-delete-window-function (lambda ()))
; Rebuild the reminders every time the agenda is displayed
(add-hook 'org-agenda-finalize-hook (lambda () (org-agenda-to-appt t)))
; Run once when Emacs starts
(org-agenda-to-appt t)
; Activate appointments so we get notifications
(appt-activate t)

Continue reading “gnome3 / libnotify notification for org-mode appointments”

HOWTO nginx & letsencrypt on Debian GNU/Linux stretch/9

The goal is to configure a nginx server with automatic Let’s Encrypt renewal, assuming a new dedicated virtual machine running a pristine Debian GNU/Linux stretch/9.

Install docker-compose:

sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates dirmngr
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
echo deb https://apt.dockerproject.org/repo debian-stretch main | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update
sudo apt-get install -y docker-engine
sudo bash -c 'curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose'
sudo chmod +x /usr/local/bin/docker-compose

Assuming the FQDN of the machine is download.securedrop.club and the person responsible can be reached at admin@securedrop.club, create the docker-compose.yml with:

cat > docker-compose.yml <<EOF
version: '2'
services:
  web:
    image: nginx:1.13.3
    volumes:
      - ./html:/usr/share/nginx/html:ro
    ports:
      - "8080:80"
    environment:
      - VIRTUAL_HOST=download.securedrop.club
      - LETSENCRYPT_HOST=download.securedrop.club
      - LETSENCRYPT_EMAIL=admin@securedrop.club
  proxy:
    image: jwilder/nginx-proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs:ro
      - /etc/nginx/vhost.d
      - /usr/share/nginx/html
    ports:
      - "80:80"
      - "443:443"
    restart: always
    depends_on:
      - web
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/etc/nginx/certs:rw
    volumes_from:
      - proxy
EOF

and run docker-compose up from the directory containing the docker-compose.yml file.

HOWTO vagrant libvirt provider on Debian GNU/Linux stretch/9

vagrant is the default virtualization development environment for SecureDrop. When starting with a new Debian GNU/Linux 9, installing the dependencies to get vagrant to run with the libvirt provider instead of the default virtualbox can be done as follows:

sudo apt-get update
sudo apt-get install -y vagrant vagrant-libvirt libvirt-daemon-system qemu-kvm
sudo apt-get install -y nfs-common nfs-kernel-server ebtables dnsmasq
sudo apt-get install -y ansible rsync
vagrant plugin install vagrant-libvirt
sudo usermod -a -G libvirt debian
newgrp libvirt
sudo systemctl restart libvirtd

The current user (debian) must also belong to the kvm group to get permission to use hardware-accelerated kernel virtualization (the module names below assume an Intel CPU):

sudo usermod -a -G kvm debian
newgrp kvm
sudo rmmod kvm_intel
sudo rmmod kvm
sudo modprobe kvm
sudo modprobe kvm_intel

To convert a virtualbox image so it can be used by libvirt:

sudo apt-get install -y vagrant-mutate
vagrant box add --provider virtualbox bento/ubuntu-14.04
vagrant mutate bento/ubuntu-14.04 libvirt

To make it the default for the current user:

echo 'export VAGRANT_DEFAULT_PROVIDER=libvirt' >> ~/.bashrc

It should now be possible to start the SecureDrop development virtual machine with:

git clone http://lab.securedrop.club/main/securedrop.git
cd securedrop
export VAGRANT_DEFAULT_PROVIDER=libvirt
vagrant up development

Removing potential backdoors from Tails 3.0

The default Tails 3.0 bootable ISO includes proprietary binary blobs running on network hardware. They may contain backdoors and are silently loaded when Tails boots. There is no known exploit at this date but it may take years before they are discovered. To remove this security and privacy risk, a new ISO can be built using a pristine Debian GNU/Linux 9 / stretch installation.

$ sudo apt-get update
$ sudo apt-get install -y git
$ git clone -b stable https://git-tails.immerda.ch/tails
$ cd tails

Edit config/chroot_apt/preferences and remove the following block:

Explanation: src:firmware-nonfree
Package: firmware-linux firmware-linux-nonfree firmware-amd-graphics ...
Pin: release o=Debian,n=sid
Pin-Priority: 999

Build the bootable ISO:

$ cat | sudo tee /etc/apt/preferences.d/00-builder-jessie-pinning <<EOF
Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 700

Package: *
Pin: origin deb.tails.boum.org
Pin-Priority: 800
EOF
$ sudo apt-get install -y software-properties-common dirmngr
$ sudo add-apt-repository 'deb http://deb.tails.boum.org/ builder-jessie main'
$ sudo apt-key adv --receive-keys C7988EA7A358D82E
$ sudo apt-get update
$ sudo apt-get install -y \
  dpkg-dev \
  gettext \
  intltool \
  libfile-slurp-perl \
  liblist-moreutils-perl \
  libyaml-libyaml-perl \
  libyaml-perl \
  libyaml-syck-perl \
  perlmagick \
  po4a \
  syslinux-utils \
  time \
  whois
# because lb build sets /etc/resolv.conf to 127.0.0.1 in chroot
$ sudo apt-get install -y bind9
$ sudo systemctl start bind9
$ sudo apt-get install ikiwiki
...
Get:6 http://.../main amd64 libmarkdown2 amd64 2.2.1-1~bpo8+1~0.tails1 [35.0 kB]
Get:7 http://.../main amd64 ikiwiki all 3.20160905.0tails1 [1,413 kB]
...
# because --no-merge-usr is not in builder-jessie debootstrap
$ sudo apt-get install debootstrap=1.0.89
$ sudo apt-get install live-build
$ sudo lb clean --all
$ sudo lb config
$ sudo lb build

The *.iso file can then be installed.