Tuesday, December 22, 2015

Home Networking: PowerLine Ethernet vs Wireless Bridging

Old Setup

I currently stay at a flat where each room has a network point and all connect to the building's switches. I disconnected all points from the building's switch and used my own to isolate the traffic.

This has served me well for years until last year where dust, humidity and water leakages have killed the switch, and as I'll be moving out to a new place, I didn't want to buy another switch.


Enter PowerLine Ethernet

Instead of laying network cables around, I thought of using PowerLine Ethernet adapters. Those allow you create a network between devices using house power cables, as long as all cables terminate to the same distribution board (the one that has the circuit breakers).

Attempt 1

I bought a D-Link "DHP-W310AV" kit which includes one adapter that serves as a wifi access point + Ethernet port and one adapter with only Ethernet.

I connected the adapter with Ethernet + WiFi in my room and the other one with only Ethernet in the hallway and connected an Asus access point to it to serve the rest of the house.

The D-Link adapter was difficult to configure, very buggy during configuration, breaks connection between adapters easily, and drops connections often causing timeouts. It took me about 2 hours to get things working and felt like I was dissembling explosives! It was garbage.

Attempt 2

I thought it was the D-Link that's a failure, so I ordered a TP-Link "TL-PA4010" kit. It doesn't offer wireless built into it, but it was such a breeze to configure! It took 5 minutes only. It also supports AES encryption, for the paranoid.

Things got better, but not that better. I still got intermittent DNS failures. So this prompted me to link failures to events in the house, and it seemed like the issues were due to high interference with home appliances.

Current Setup

I had bought Ubiquiti access points long ago but them in their box to use in the new place later on, but after all this fuss, I got fed up and pulled out the rabbit from the magic hat.

What I bought was Ubiquiti's UniFi AP 3-pack for $200! Can't beat that price, and what's even better, is that UniFi family comes with a free controller software that allows you to manage thousands of access points (APs) in multiple sites and get statistics. Lots of fancy features at a very attractive price.

One AP got connected to my switch in my room (which connects to the gateway) and another sat in the hallway. The hallway AP connected to the one in my room via wireless, not Ethernet. This way I can avoid the requirement for any Ethernet cabling however it's to be deployed.

Everything is working great now. Here are some screenshots from the UniFi controller interface:



The UniFi APs are so great for anyone needing 3 or more APs in a place, be it a house or a business location, because once you make a configuration it gets pushed to all APs in one shot! No hassle of managing multiple configurations.

They come packed with many features that I haven't listed here. You can download the controller for free from here and explore the options even if you don't have any AP (physically). Compared to Cisco or Meraki APs, these come with similar features and at no additional cost of management software, unlike what Cisco asks for, and you get to run the controller software on your own machines, so no need to trust the data to a hosted platform like Meraki's.

The controller software was written in Java, so it runs on Linux, Windows & Mac. This means you can even run it on a Raspberry Pi!

Monday, December 21, 2015

NVMe SSDs, Motherboards and i7 Limitations

TL;DR

Do not buy 2x NVMe disks and plug into M.2 ports if you want max speed. (TL;DR = Too long; did not read = very short summary provided).

Quick Into

For the past month or more I've been hunting for a new laptop to replace my 4-year old Asus gaming laptop & I've been reading a lot about new hardware.

Most shiny new toy is SSD & Non-Volatile Memory Express (NVMe), particularly, the Samsung Pro 950 which can do 2500 MB/s reads & 1500 MB/s writes, where normal SSDs can do 550 MB/s max. This is because the 950 is an NVMe which uses PCIe slots, not SATA slots.

Technical Details

I noticed that the majority of the laptops are designating only 1 slot as NVMe & another as SATA only, even when both are M.2 PCIe slots. This means only one can be used for the Samsung 950 & get max speed, while the other will function at SATA speed only. The most advanced Intel chipset available for Input/Output devices today is the HM170 which offers 16 PCIe lanes. (more lanes = more devices can connect to the PCIe bus).

However, Asus is releasing a new laptop "ASUS ROG G752VY-DH78K" which has a new Intel chipset: the CM236. This chipset offers 20 PCIe lanes! 4 more than the HM170, and an M.2 port supporting NVMe requires exactly 4 PCIe lanes, but the big catch is that any Intel Skylake processor (i7-6820HK or i7-6700HQ) only has 16 PCIe lanes!

So even though you can plug a 950 NVMe on both M.2 slots, they will be sharing the bus towards the CPU, and you will not get max speed of both at the same time, if there are other devices also using the 16 PCIe lanes, such as graphics cards (and you're likely to have one anyway).

This is valid for desktops as well since the above limitation comes from the i7 Skylake architecture.

Conclusion

If you plan on putting both M.2 slots in RAID0 or do some sort of dual access on them using NVMe disks, you will not see max speed of both.

Desktops

If you have a desktop, your motherboard might have a built-in M.2 slot, which would have dedicated 4x PCIe lanes. You can use a PCIe-to-M.2 adapter to plug an M.2 NVMe into a PCIe card in a standard PCIe bus. This way you should get max speed of both NVMe disks since the bus is not shared and all lanes are dedicated.

If you're using graphics cards in SLI mode, then maybe it would start sharing the bus with them. Watch out from that.

Links & References


Sunday, June 21, 2015

Identity Validation Regardless of Message Source

There are cases when one needs to communicate securely with a specific person to ask for help or to share private information. In such cases, one's private account must never be used, and instead, a new anonymous ID must be created.

Scenario example: Person Alpha has published secure ways to be reached (PGP/GPG Public key to be used for emails, or a secure chat facility). You need to contact that person from an anonymous account.

Solution:

  1. Create an ID for the intent of sending ONE message only.
  2. This message must start or end with a hash.
  3. The hash is an output of a text that you have randomly selected (old news article, historical event, ...etc.) that is not included in the same email, but instead, included in the next email exchange.
  4. This way, the recipient is able to validate the sender's identity even if the sender used a different ID or email, simply by hashing the first/last paragraph to result in the same hash output of the previous email.

A source for the random text should not be anything that can be linked to you. Not your favorite song lyrics, name, birth date, ...etc. It must be RANDOM. A good example is an article, or a part of an article, from Wikipedia. Luckily, Wikipedia offers an option to get a random article: https://en.wikipedia.org/wiki/Special:Random
It's also a good idea to mix 2 sources of random text to avoid having an adversary pre-compute text (something someone with lots of compute power can easily do). Google's "I'm Feeling Lucky" button will take you to a random topic.

It is up to you to select the text, but make sure it's at least 1 paragraph, then use a STRONG 1-way hash function such as SHA512. Avoid weak functions such as CRC & MD5. It is also advisable to NOT use any online converters. Download a tool to do the hashing offline on your computer.

This method can also be used to publish posts on famous text dump sites, such as pastebin, without having to register an ID. People can verify that the next dump is legit by hashing the paragraph you define in your next post.

Example posts to pastebin verifying the authenticity of the poster:

Message 0:

======== begin SHA512 hash ========
07f0f838fe03b92682728e8b2164796ea53bfa8f9a11dd29f0057ab9ea8a222142819c3c9d40d170519977544d9b623d02099bdc0e25f1f6e739a34b065e2793
======== end SHA512 hash ========
I need help. I have secret docs that I need to publish and require you to do it on my behalf. I can't expose myself.

I'll send details from another account in a different email. Write "The weather is nice today" in your public Twitter account so that I know that you received this and agree.

The sender then sends another email from a different account (to avoid creating an association between sender & receiver).

Message 1:

======== begin SHA512 hash ========
dd5e53f533d6d740857249b215e0a49c61f221abc5c633d6cda141efad5a558426e9c943ef1015a2b468c6fc9289a302b6ef455459d19d6283a24612710894cc
======== end SHA512 hash ========

======== begin hash text ========
Vernon Reginald Pinkney (born May 27, 1955 in St. Louis, Missouri) is a former American football defensive back. He played five seasons in the National Football League, two with the Detroit Lions and three with the Baltimore Colts.[1] Pickney was drafted 166th overall in the 1977 NFL Draft after an All-Conference career at East Carolina University.

Under the rule of the House of Este, the city of Ferrara attracted great artists and scholars of the Italian Renaissance, and the city itself expanded according to Renaissance ideals of urban design.
======== end hash text ========

Here's the link to the Tor hidden service to download the documents: http://dx2oyt83zbdgc3uy.onion/.files/secrets.7z

When receiving and downloading the files successfully, put a hidden HTML tag in your blog/site that says 'I can has cheezburger'.

As you can see, the sender changes his email , and didn't have to provide a way to be contacted back. Some email services even allow you to set an expiration date on an email account & it gets auto deleted.

Additionally, the first block of hash text is for the NEXT email to be authenticated, if any. It's always a good idea to keep one in case you have to reach out to the person and to prevent any impersonation attempts.

Below the hash output is the text that should be hashed to get the hash output of the previous email (Message 0). This is how the receiver validates the sender's identity.

Recommendations:

  1. Only email the person if s/he has a public key published, otherwise if you email in plaintext, you risk the email being intercepted & modified, rendering all future exchanges to be altered by an adversary.
  2. If the person doesn't have a public key or an encrypted messaging option, ask them to do so using an anonymous account. Twitter, web-to-SMS, ...etc. Always use Tor to browse and create any anonymous/fake/temp account.
  3. It's good practice to add spelling mistakes and random characters to the random text you chose, to further reduce the chance of it being pre-computed.
  4. Use a new email/messaging account for each message you send. Many tools and adversaries online exist that can correlate between frequency of emails and possible people to monitor. By sending from multiple accounts, each one only once, you reduce the chance of being tracked or linked.


Be paranoid. Be safe.