Feuerfest

Just the private blog of a Linux sysadmin

Choose your passphrases carefully!

Photo by Keira Burton: https://www.pexels.com/photo/unrecognizable-friends-gossiping-together-on-street-6147138/

I am walking down a street behind a building and notice a person leaving said building. Suddenly an alarm sounds.

Person: "Ah man! Damn it!"
Person picks up their phone and makes a call
Person: "Yes hi, this is first name last name from company X. I'm calling because I triggered a false alarm."
*Short pause*
Person: "Gross income."
*Short pause*
Person (visibly relieved): "Alright, thank you! Bye"

Your task: Identify the passphrase that will allow you to flag the security alarms as false-positive.

Please! Take the place, time and situation in which a passphrase is used into account! Especially when you must account for passers-by!

Thanks and make sure to visit my TED-Talk. 😉


Get the damn memo already: Java11 reached end-of-life years ago

Photo by Chevanon Photography: https://www.pexels.com/photo/person-performing-coffee-art-302899/

I really dislike the uninformed attitude some companies have towards the dependencies of their software. In this case: Rundeck.
They actually state the following in their installation documentation:

Rundeck depends on Java 11. The Java 14 packages will satisfy this dependency however Rundeck will not function properly with them. It is recommended to install the openjdk-11-jre-headless package manually.
Source: https://docs.rundeck.com/docs/administration/install/linux-deb.html

In case Pagerduty (who owns Rundeck) didn't get the memo: Java11 reached end-of-life years ago! And some Linux distributions don't have packages for it any more. The latest Java version is Java22. And the current LTS version is Java21.

Utilizing https://endoflife.date/ we can easily get an overview of the respective dates.

Free builds from Oracle: https://endoflife.date/openjdk-builds-from-oracle: End of life reached: 19th March, 2019.

Paid builds from Oracle: https://endoflife.date/oracle-jdk: Premier Support reached end-of-life on 30th September 2023. Extended Support lasts until 31st January 2032.

RedHat builds of OpenJDK: https://endoflife.date/redhat-build-of-openjdk: Support ends 30th October 2024. With paid extended life-cycle support it ends 31st October 2027.

However this is just for the OpenJDK packages!

The really important part is: Are there any Java11 packages for the operating system being used?

RedHat Linux Enterprise Server 9 contains Java1.8, Java11 and Java17.

SuSE Linux Enterprise Server 15 SP6 contains Java1.8, Java11 and Java17.

Ubuntu 24.04 - the current LTS version, provides OpenJDK packages for version 11, 17 and 21.

Debian Stable (Bookworm currently) ships with OpenJDK 17 only.

Sure, there are backports available for Debian, or you can just build your own packages. But that is not what bothers me. Java11 was released in September 2018. That is about 6 years ago. Java14 was released in March 2020. Four years ago.

And in all these years, they haven't been able to update their commercial application to depend on a more recent version of Java? One which is included in more recently released distributions? Or at least make it work with them? This annoys me. Yes, it's nice that you offer free community packages for non-commercial distributions - but if I can't install your software because of missing dependencies, it doesn't help at all.

Especially as many business customers run commercial Linux distributions such as RedHat Linux Enterprise Server (RHEL) or SuSE Linux Enterprise Server (SLES) and are required to update regularly. Either by their own processes & standards or by law or their insurers.

They literally can't install or even run older, unsupported Java11 packages. This effectively forces them to purchase additional support packages for older versions of Java. Great! Not to mention what happens if RHEL or SLES were to drop Java11 support. (Well, at least OpenJDK11 is already somewhat confirmed for RHEL10. Though I don't know if only with a valid ELS subscription or not. SuSE has not said anything about Java11 and SLES16 as far as I know.)

Or they run one of the big non-commercial distributions like Debian or Ubuntu. Sure, Ubuntu 24.04 would be a viable alternative. But what if the customer doesn't have any Ubuntu servers? Should there be one or two Ubuntu servers out of thousands, just for one meagre application?

Create completely new Ansible playbooks and/or Puppet modules just for a handful of servers running a completely different OS? Maybe even use different software for other basic tasks like backup, LDAP integration, etc. in case the current software doesn't support Ubuntu LTS? This can easily lead to a long (and expensive) software chain reaction. Not to mention the new skills required at staff level.

"Just use docker."

You do understand that Docker is no solution to security risks when the container runs the same outdated software, yes? Sure, it's good for mitigating and reducing the attack surface, but it doesn't fix the underlying problem.

And this annoys me. We really should hold enterprise software accountable to higher standards.

I do understand fairly well that someone at Pagerduty must have thought: "Well, all major (commercial) Linux distributions still support Java11, so there is no business risk for us. And for the rest we just provide container images via Docker." Yep, this is the reason why we sometimes can't have nice things. Total neglect of the wider responsibility while additionally ignoring the fact that Java11 needs to be included in all these commercial distributions as still too many software products rely on it.

If you sell software, every process involved in creating that piece of software should be treated as part of your core business and main revenue stream. Giving it the attention it deserves. If you don't, I'm going to make a few assumptions about your business. And those assumptions won't be favourable.

Unfortunately, this form of critical thinking about software dependencies is eroding as "Just use Docker" becomes the new norm among the next generation of IT professionals.


Little helper scripts - Part 1: no-screenlock-during-meeting.ps1

Photo by Markus Spiske: https://www.pexels.com/photo/internet-technology-computer-display-360591/

Part 2 of this series is here: Little helper scripts - Part 2: automation.sh / automation2.sh or use the following tag-link: https://admin.brennt.net/tag/littlehelperscripts

I decided to make some posts about smaller helper scripts I created. Just to brag about them. 😁 Well.. And maybe they help others solve a problem of their own too or serve as inspiration.

First script in this series is my: no-screenlock-during-meeting.ps1 (GitHub)

As the file extension reveals, it's a PowerShell script. Its purpose is to press the ScrollLock key every 280 seconds. This effectively prevents Windows from automatically locking the screen after 5 minutes of inactivity.

I came up with this rather quickly, as this seems to be a non-changeable standard setting at all clients I have worked for so far. And yes, that setting makes sense and really enhances workplace security. I don't argue that.

However.. When you are in a meeting, you easily spend several minutes listening, watching a demo/presentation or discussing topics.. Those 5 minutes are up rather quickly. And I got annoyed at constantly typing in my password when I just wanted to add 1-2 small sentences to my meeting notes.

This is what this script is for. It even checks if the computer is locked already and doesn't press a key if it is. As I also got annoyed by my laptop screen activating when locked and showing the password prompt every time the script pressed a key.

But you have to keep in mind: I only use this script when I am in front of my laptop. Therefore I deemed this to be okay - if used in a responsible manner. As yes, I am circumventing a client's security measure. This is something you have to keep in mind. If I mess up by using this script - for example by keeping it running and leaving the room - my fault, my responsibility.

The script can be found on GitHub here: https://github.com/ChrLau/scripts/blob/master/no-screenlock-during-meeting.ps1

# If the computer isn't locked:
# Press the ScrollLock key every 280 seconds to prevent the automatic screen locking
$WShell = New-Object -ComObject "WScript.Shell"
while ($true) {
  # Check if the logonui process is running - which is only the case when the lock screen is up
  if (Get-Process logonui -ErrorAction SilentlyContinue) {
    # Computer is locked, do nothing
  } else {
    # Computer is unlocked, press the SCROLLLOCK key
    $WShell.SendKeys("{SCROLLLOCK}")
  }
  # Sleep for 280 seconds
  Start-Sleep -Seconds 280
}

I gladly take improvements as comment here or merge request on GitHub. Or just send a link to your version and I'll copy over the stuff I deem useful. 😜


Why I'm on #TeamKeePassUltras

Photo by Paula: https://www.pexels.com/photo/grey-metal-lockers-is-open-170453/

Recently I got into a discussion about cloud password managers like LastPass, 1Password and the like. People argued that they were great because they offer flexibility, synchronisation, and enable users to automatically choose secure passwords. And while I concurred with these arguments, I still took the position of the opposite side.

I am strongly against any form of online/cloud/managed password managers where I (or an entity I trust) don't control everything in a transparent way. Why?

First let me make what I call "the conspiracy theory argument": It's the least important argument for me, but it is suited just right for paving the way to my main arguments. Most companies are US based. National security letters are a fact. And companies like Lavabit and, presumably, the Open Source drive/file encryption project Truecrypt had their fair share of experience with them. The US and especially the NSA show that they have no sane moral limits on what type of data to access, accumulate, and analyse. Would they stop at companies offering password managers? I don't think so. Others take the stance: "Why should they send an NSL to LastPass, if they can access the data they are after directly through other means?" But enough on that point.

My main argument is the following: "If I can't trust them, why should I use them?" A cloud password manager is a black box. I put my credentials in, hit save, and that's it. What happens in the background? Is the data stored securely? Are the algorithms used still considered secure? Are there no unencrypted backup copies? What does their security concept look like? Are the servers patched regularly? Am I being informed to re-generate my passwords in case the password-generation algorithm had a flaw and was, for example, tied to the system's date and time (wired.com)? I can't know.
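To make the last of those questions concrete, here is an added example (not from the post, and not any product's actual algorithm): a deliberately weak password generator that is seeded from the clock, next to one drawing from the operating system's CSPRNG. Both functions and the demo run are constructed for this illustration.

```powershell
# Added example, not from the post: why a password generator tied to the clock is a flaw,
# next to the way it should be done. New-ClockSeededPassword is a deliberately weak
# generator written for this illustration only.
$Alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

# Flawed: System.Random is a deterministic PRNG. Seeding it with the creation time makes the
# "random" password a pure function of that timestamp, so the time alone reproduces it.
function New-ClockSeededPassword {
    param([datetime]$When, [int]$Length = 16)
    $seed = [int]([System.DateTimeOffset]$When).ToUnixTimeSeconds()   # one-second resolution
    $rng  = [System.Random]::new($seed)
    -join (1..$Length | ForEach-Object { $Alphabet[$rng.Next(0, $Alphabet.Length)] })
}

# Sound: bytes from the OS CSPRNG. Rejection sampling discards bytes >= $limit so that the
# modulo by the alphabet size does not bias the first characters of the alphabet.
function New-CsprngPassword {
    param([int]$Length = 16)
    $csprng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf    = New-Object byte[] 1
    $limit  = 256 - (256 % $Alphabet.Length)   # 248 for a 62-character alphabet
    $chars  = foreach ($i in 1..$Length) {
        do { $csprng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $Alphabet[$buf[0] % $Alphabet.Length]
    }
    -join $chars
}

# The check a reviewer would make: does re-seeding with the same timestamp reproduce the password?
$t = Get-Date
$a = New-ClockSeededPassword -When $t
$b = New-ClockSeededPassword -When $t
"clock-seeded, same second : $a  $b  reproducible: $($a -eq $b)"
$c = New-CsprngPassword
$d = New-CsprngPassword
"CSPRNG                    : $c  $d  reproducible: $($c -eq $d)"
```

The first comparison always comes out True: two "independent" passwords created within the same second are identical, which is exactly why a generator like that has to be treated as a flaw that warrants rotating every password it ever produced. The CSPRNG variant has no seed to reproduce, and the rejection loop keeps every character equally likely, something a plain `% 62` over raw bytes would not.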

Just search for the name of your cloud password provider and add the lovely word "breach". There have already been dozens of them across the online password managers out there. Despite people ironically choosing or recommending them as being "more secure".

But more secure in comparison to what?

You don't have to use an online/cloud password manager. A locally installed password manager like KeePass works the same way.

"But it doesn't synchronize automatically with all my devices!" - Ah, so it's comfort you are after? Yeah, well, that is the common trade-off you have to choose: Comfort, or security. However, you do know KeePass has a built-in sync that allows you to synchronise two KeePass database files? I use that and it works fine.

Or I just copy the file from my Linux workstation over to my smartphone when I know that I have added no new entry on my smartphone. There are enough tools that allow accessing Windows/NFS/whatever file shares from smartphones. Even via SSH, utilizing SCP.

Additionally, online password managers with sync features that allow you to host your own instance do exist! Take for example Bitwarden: https://bitwarden.com/help/install-on-premise-linux/
This would give you the security of hosting it yourself and the automatic sync feature so many people desire. If it's not made accessible from the internet but only reachable within your local network, you can still sync your smartphone without opening your crucial application to the biggest security risk in human history: The internet.

Sure, not everybody has the knowledge to self-host such an application. That's a fair point, which Jürgen Geuter aka tante pointed out years ago in his writing "Host your own is cynical". But that's exactly the reason why I'm making this blog post about me and my viewpoint. I have the knowledge, and I constantly observe broken promises by the very companies who gave them. And yet I still use KeePass. As I like the simplicity.

That's why I'm on #TeamKeePassUltras. An OpenSource application available for all operating systems out there. A simple file, a key, a passphrase and that's it.


Windows 10 and KB5034441: Trying to understand error code 0x80070643 and then it suddenly works?

Photo by Sora Shimazaki: https://www.pexels.com/photo/crop-unrecognizable-developer-using-laptop-and-smartphone-5926389/

My Windows 10 gaming PC showed the lovely error code 0x80070643 when I tried to apply the "2024-01 Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5034441)". And this update has gained a somewhat notorious reputation.

What I do understand is that KB5034441 fails to install if there isn't at least 250MB of free space on the so-called "Windows-RE" or recovery partition. Microsoft offers a PowerShell script to enlarge the recovery partition. But this only works in certain cases, such as when the recovery partition is located after the Windows partition. Which wasn't the case on my PC. Additionally, Windows wasn't able to shrink my C-Partition in order to create a new, larger Windows RE partition behind the C-Partition.

The first time I executed the script, in April 2024, it told me that I had only 171.5 MB of free space, as anything more would put me under the MinSize of the C-Partition.

So yeah.. Time to dive a little bit deeper?

Turns out the MinSize and MaxSize are retrievable via the Get-PartitionSupportedSize function.

PS C:\WINDOWS\system32> Get-PartitionSupportedSize -DriveLetter C

     SizeMin      SizeMax
     -------      -------
245659398144 248628903936
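The two things the update's WinRE requirement hinges on, as described above, can be checked up front without running Microsoft's resize script. The following is an added example (not from the post and not Microsoft's resize_script.ps1) that uses only Storage-module cmdlets: it reports whether the recovery partition sits after the OS partition, how much free space it has, and how far C: can shrink according to the same SizeMin the output above shows. The assumption that the recovery partition's volume is reachable through Get-Volume without a drive letter is mine; the 250MB requirement and the 785379328-byte partition size come from this post's run of the script, not from documentation.

```powershell
# Added example, not from the post and not Microsoft's resize_script.ps1.
# Checks the two conditions the WinRE requirement of KB5034441 hinges on:
#  1. does the recovery partition sit after the OS partition (so it could be extended in place)?
#  2. how much can C: give up, per Get-PartitionSupportedSize, if a new WinRE partition has to be created?
# Run in an elevated PowerShell.

$RequiredFreeBytes    = 250MB       # free space on the WinRE partition the update needs (from the post)
$ObservedNewWinReSize = 785379328   # size Microsoft's script chose in this post's run; not a documented constant

$os    = Get-Partition -DriveLetter C
$osEnd = $os.Offset + $os.Size

# On GPT disks the recovery partition is typed "Recovery" and normally has no drive letter.
$winre = Get-Partition -DiskNumber $os.DiskNumber | Where-Object { $_.Type -eq 'Recovery' }
if (-not $winre) { throw "No recovery partition found on disk $($os.DiskNumber)" }

foreach ($p in $winre) {
    $afterOs = $p.Offset -ge $osEnd
    'WinRE partition {0}: offset {1}, size {2:N0} MB, located after OS partition: {3}' -f `
        $p.PartitionNumber, $p.Offset, ($p.Size / 1MB), $afterOs
    # Assumption: the associated volume is reachable through Get-Volume even without a drive letter;
    # this is the figure the script prints as "Partition free space".
    $vol = $p | Get-Volume -ErrorAction SilentlyContinue
    if ($vol) {
        '  free space {0:N0} MB, meets the {1:N0} MB requirement: {2}' -f `
            ($vol.SizeRemaining / 1MB), ($RequiredFreeBytes / 1MB), ($vol.SizeRemaining -ge $RequiredFreeBytes)
    }
    if (-not $afterOs) {
        '  -> cannot be extended in place; the script would have to shrink C: and create a new partition'
    }
}

# Shrink headroom on C: as reported by the Storage Management Provider (the same SizeMin/SizeMax as above).
$limits     = Get-PartitionSupportedSize -DriveLetter C
$shrinkable = $os.Size - $limits.SizeMin
'C: size {0:N0} MB, SizeMin {1:N0} MB, shrinkable by {2:N0} MB' -f `
    ($os.Size / 1MB), ($limits.SizeMin / 1MB), ($shrinkable / 1MB)
if ($shrinkable -lt $ObservedNewWinReSize) {
    'Warning: C: cannot shrink enough for a new WinRE partition of the size the script created here ({0:N0} MB)' -f ($ObservedNewWinReSize / 1MB)
}
```

On the layout described in this post (recovery partition 1 before the OS partition, only 171.5 MB of shrink headroom in April) the script prints the "cannot be extended in place" line and the warning, which is the situation in which the update keeps failing with 0x80070643 until SizeMin moves.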

A little bit of PowerShell internals

With (Get-Command Get-PartitionSupportedSize).CommandType I am able to get the CommandType, which tells me if I am working with a Function, a Cmdlet or an Alias. Helpful if you explicitly need to know the details.

Via (Get-Command Get-PartitionSupportedSize).Definition we can retrieve the actual code behind that function. There we can see that a new CIMInstance connection to the MSFT_Partition class of the Windows Storage Management Provider API is made.

Ok, but does this help me? Not much, now I would need to dig into WMI, C/C++ and this would require more time than I am willing to invest.

Back to the problem

However I noted (or more like: felt) that the SizeMin number was different from what I got last time. Which surprised me, as the partition size was the same and I always had more than 20GB of free space on the C-Partition.

Fancy a try? Sure thing!

PS C:\Users\users\Downloads> .\resize_script.ps1

Cmdlet resize_script.ps1 an der Befehlspipelineposition 1
Geben Sie Werte für die folgenden Parameter an:
(Geben Sie !? ein, um Hilfe zu erhalten.)
BackupFolder: C:\winre-backup
Start time: 08/10/2024 18:08:39
Examining the system...
WinRE-Status:                          Enabled
WinRE-Ort:                             \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE
System directory: C:\WINDOWS\system32
ReAgent xml: C:\WINDOWS\system32\Recovery\ReAgent.xml

Collecting OS and WinRE partition info...
OS Disk: 0
OS Partition: 4
WinRE Partition: 1
Disk PartitionStyle: GPT
WinRE partition size info
  Partition capacity: 523235328
  Partition free space: 55316480
WinRE Partition Offset: 1048576
WinRE Partition Type: Recovery
OS partition size: 249414287360
OS partition Offset: 644874240
OS partition ends at: 250059161600
WinRE partition starts at: 1048576

Backup Directory: [C:\winre-backup]

Verifying if the WinRE partition needs to be extended or not...
WinRE partition is not after OS partition, cannot perform extension
Need to create a new WinRE partition after OS partition

Summary of proposed changes
Note: WinRE partition is before OS partition, need to create a new WinRE partition after OS partition
Will shrink OS partition by 785383424
Current OS partition size: 249414287360
Target OS partition size after shrinking: 248628903936
New WinRE partition will be created with size:  785379328
Existing WinRE partition will be deleted
WinRE partition: Disk [0] Partition [1]
Current WinRE partition size: 523235328
The contents of the old WinRE partition will be backed up to [C:\winre-backup]                                                    
Please reboot the device before running this script to ensure any pending partition actions are finalized

Would you like to proceed? Y for Yes and N for No: y
Proceeding with changes...

Note: To prevent unexpected results, please do not interrupt the execution or restart your system

Loading [C:\WINDOWS\system32\Recovery\ReAgent.xml] ...
Stage location info is empty
Disabling WinRE...
REAGENTC.EXE: Vorgang erfolgreich.

Verifying that WinRE wim exists in downlevel at default location
Performing repartition to extend the WinRE partition ...
Shrinking the OS partition to create a larger WinRE partition
Resizing the OS partition to: [248628903936]...
Target partition size: 248628903936
Size of OS partition after shrinking: 248628903936

Copying content on WinRE partition from [\\?\Volume{daac35b3-1726-41c1-b290-1f73fd3f840a}\] to [C:\winre-backup]...
Copying [\\?\Volume{daac35b3-1726-41c1-b290-1f73fd3f840a}\Recovery] to [C:\winre-backup\Recovery]...
Backup completed

Deleting WinRE partition: Disk [0] Partition [1]...

Creating new WinRE partition...
Target size: 785379328
Formating the partition...
New Partition index: 1
Re-enabling WinRE...
REAGENTC.EXE: Vorgang erfolgreich.


WinRE Information:
WinRE-Status:                          Enabled
WinRE-Ort:                             \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE
WinRE Partition Index: 1
  Partition capacity: 785379328
  Partition free space: 317145088

OS Information:
OS partition size: 248628903936
OS partition Offset: 644874240
End time: 08/10/2024 18:09:29

The contents of the old WinRE partition has been backed up to [C:\winre-backup]

Successfully completed the operation
PS C:\Users\users\Downloads>

And after a reboot everything was fine. The update is now installed and my recovery partition is now located after my Windows C-Partition. My C-Partition is now 231GB, 1GB less.

Don't ask me what changed between April 2024 and August 2024. I have absolutely no idea. When I executed the script in April 2024 I had ~22GB of free space. Cleared all temp files from Windows you can clear. Defragmented the drive. Even moved some games to other partitions/hard-disks to free up even more space. Nothing worked.

The resize_script.ps1 is also still the same as the one I downloaded in April 2024.

Anyway, no annoying pending update anymore. And given that we are talking about my gaming PC I can live with that. ☺️


Ripping my 4k UHD BluRay discs with the Verbatim 43888

Photo by cottonbro studio: https://www.pexels.com/photo/a-person-in-black-sweater-holding-compact-disc-5473402/

Update, March 2025: It seems that Verbatim switched the chipset in the drives without changing the model number. (Yeah.. Don't we all just love it when corporate does stupid stuff like that..) According to the thread Verbatim 43888 with LG drive? in the MakeMKV forum, the first Verbatim 43888 drives with a BU40NBD-RW have surfaced and these are NOT LibreDrive compatible. I strongly advise you to read the thread and get the newest information. The working devices can currently be identified via the "Model code" and a subtle change in the layout of the packaging. However this might change at any time without notice.
Good news is there seems to be an Autoflasher tool available. Visit the forum to get all details.
Update end.

I own some 4k UHD BluRay discs and, like all my DVDs, I wanted to have them as plain files on my NAS. Enabling me to watch them anytime via my TV/Laptop/PC/Smartphone. After a bit of googling I found out that the Verbatim 43888 external DVD/BluRay drive (Amazon) is compatible with LibreDrive off the shelf and hence able to rip UHD BluRays.

What LibreDrive is, is described in the MakeMKV forum, but the important part is:

A LibreDrive is a mode of operation of an optical disc drive (DVD, Blu-ray or UHD) when the data on the disc are accessed directly, without any restrictions or transformations enforced by drive firmware. A LibreDrive would never refuse to read the data from the disc or declare itself “revoked”. LibreDrive compatible drive is required to read UHD discs.

For many drives this requires flashing the firmware in order to work with LibreDrive. The Verbatim 43888 does not. It works out of the box. However, you have to pay attention to where you buy the drive. Turns out there are three caveats when buying this drive.

  1. The 43888 drives sold in the EU and US are different. The US version uses a chipset which is NOT LibreDrive compatible. And as Verbatim solely uses Amazon to sell its drives, you have to explicitly switch to Amazon Germany to buy the drive. This, of course, makes it more expensive, and people not living in Germany/the EU should consider other alternatives.
    If you are in doubt, this is the link I used to buy the Verbatim 43888 https://www.amazon.de/dp/B07MTP9VKX/ and the model number is listed down below in the technical details.
  2. Do NOT update the firmware of the Verbatim 43888. It uses a Pioneer chipset, and in 2022 Pioneer released new firmwares for lots of drives whose sole intention was to cripple LibreDrive support. While I do not know for sure that the new firmware for the 43888 would remove the LibreDrive support, I also wasn't keen on spending 100€ and updating the firmware just to have a drive which can't do what I bought it for..
    The MakeMKV forum has a long thread on the topic where the MakeMKV developers write a little bit about the challenges and current status of getting those drives working again: Pioneer firmware update February 2023
  3. When buying from Amazon: Pay attention that you actually buy new and not used hardware. Turns out Amazon tries to sell you their so-called "Amazon Warehouse deals" first. These are often products that were returned to Amazon for various reasons.
    The first drive I bought was an Amazon Warehouse deal and the drive wouldn't even be recognized by either Windows or Linux. The LED didn't even turn green. So yeah, looks like Amazon doesn't do a good job in ensuring their Warehouse deals are actually in working condition..

Apart from that, I often read that external drives in general tend to be more frail than internal drives. And my experience supports this.

  • The first drive I bought was defective and wouldn't even turn on.
  • The second drive I bought from Amazon was new hardware, not an Amazon Warehouse deal, but made loud clicking noises and wouldn't read BluRays. DVDs worked somewhat, with lots of read errors. I even called the Verbatim support and they just said I should return it. And that is what I did.
  • Drive 3 was damaged while being delivered to me. 😆
  • The fourth drive finally arrived in working condition and does what it should.

All in all: This is what MakeMKV should display when you have a Verbatim 43888 with working firmware:

Drive Information
OS device name: \Device\CdRom0
Current profile: BD-ROM
Manufacturer: PIONEER
Product: BD-RW BDR-UD04
Revision: 1.14
Serial number: REMOVED
Firmware date: 2020-06-15
Bus encryption flags: 1B
Highest AACS version: 78

LibreDrive Information
Status: Enabled
Drive platform: RS8A10
Firmware name: PIONEER BDR-US04
Firmware type: Original (unpatched)
Firmware version: 1.14
DVD all regions: Yes
BD raw data read: Yes
BD raw metadata read: Yes
Unrestricted read speed: Yes