Encrypt All the Drives

I have always been an advocate of storage security (all types of security, actually). I like how iOS devices keep all files encrypted, even if you do not set a passcode on the device. They do this to facilitate quick erasure of files on the device — to erase all the data, they simply wipe the master key.

Erasing magnetic storage media isn’t difficult, but it is time-consuming. For solid state media such as SSDs and flash drives, the wear-leveling makes it difficult to ensure that all flash blocks have been securely overwritten. The answer to this is to encrypt everything.

Encrypt all the drives!! (meme)

Recently I have been busy building a Linux-based NAS and I decided to put this into practice.


Implementing EAP-SIM at Home

What is EAP-SIM?

EAP-SIM is one of the authentication methods that can be used in an 802.1x or WPA Enterprise network. Specifically, it relies on the user’s SIM card to process a presented challenge. This has been used by some telcos to provide WiFi service without having to maintain a separate set of credentials. However, not all phones support EAP-SIM.

Phone displaying EAP-SIM as a WiFi authentication method

Since I’m already using a RADIUS setup at home, the use of EAP-SIM will eliminate the need to install my CA certs onto each device. But of course, there is still a fair bit of work to do…

Hacking Functionality into ASUSWRT Routers

This weekend, I spent some time replacing my aged Linksys WRT54G wireless router, which is running DD-WRT. The WRT54G is slow by today’s wireless standards and since I sync my iOS devices wirelessly, the speed was getting quite unbearable. When I bought my MacBook Pro in 2007, it already had draft 802.11n support, and fast-forward to 2012, my iPad (1st generation) and iPhone 5 both support the 5GHz band.

The ASUS RT-N56U wireless router ranks up there on wireless performance, and the “feature” I was really after was a router that can run an alternative firmware such as Tomato or DD-WRT. The really good news is, I figured out how to get the functionality I wanted while still using the official ASUS firmware.

ASUS router photo

For proper reviews and better photos, you might want to check out these other reviews:

Read on to find my short review, as well as how you can run your own programs on the router without using a third-party firmware.

SFF Server Build (Part 1): Short Cables

After 10 years, I decided to replace my 633MHz home server with something more modern. The fans on the system were making a lot of noise, especially the Slot-1 CPU cooler fan, which I don’t think I can find a replacement for. Also, the motherboard was very choosy about the power supply, meaning I could not use the newer, more energy-efficient supplies; the voltage monitors claim the voltage is out of the acceptable range and refuse to continue beyond the POST screen.

I chose the MicroATX form factor, and the most compact case is the Silverstone SG02F because it places the power supply on top of the board. Most other cases I’ve seen have a similar layout to an ATX tower, but with a height reduction.

The wires are long and unwieldy because they assume you are using a normal ATX case, in which case you need relatively long cables depending on how the case is laid out. However, when building an SFF machine like this, it gets really untidy. I decided to reduce the length of the cables.

Here’s the before photo of the wiring – the worst offenders are the SATA cables, the case front panel wires, and the SATA power connector.

GNU patch and Windows UAC

If you’re looking for GNU patch on Windows, you have probably found the GnuWin32 project. If you try to run this program on Windows Vista or 7, you will be prompted with the UAC dialog, asking you to run the program with administrative rights.

When Windows Vista introduced the User Account Control (UAC) feature, Microsoft tried not to break existing programs by detecting which ones require administrative access. The usual suspects are installers that are probably named *setup.exe or *install.exe. For some reason they also thought they’d throw in *patch*.exe, which matches patch.exe.

To fix this problem, I found a page at the OOMMF project at NIST, which talks about embedding a manifest file into the executable. Embedding it is actually not necessary; you just need to name it patch.exe.manifest and have it in the same directory as patch.exe.
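A sidecar manifest of the kind described above, as an added example (it is not copied from the OOMMF page or shipped by GnuWin32). Saved as patch.exe.manifest next to patch.exe, it declares an explicit execution level, which takes the program out of the installer-detection heuristic. The `assemblyIdentity` name and version are placeholder values.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- patch.exe.manifest: place in the same directory as patch.exe -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Placeholder identity; name and version are illustrative only -->
  <assemblyIdentity type="win32"
                    name="patch.exe"
                    version="1.0.0.0"
                    processorArchitecture="x86"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's token, never request elevation.
             uiAccess="false": no access to other windows' protected UI. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

With `asInvoker`, patch.exe runs with whatever rights the calling shell has, so it stays unelevated unless you deliberately start it from an elevated prompt.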

The other alternative is to disable this system-wide “smart” detection behavior using a Security Policy: “User Account Control: Detect application installations and prompt for elevation”. If you do this, it means you will need to manually right-click older installer applications and select the “Run as administrator” option. Failing to do this means the installer will not be able to correctly write into directories like “Program Files” and alter system registry settings. Note that when I say “correctly write”, it’s because of the UAC virtualization, but that’s another story.

If you use MSYS (from the MinGW project), it uses the patch.exe.manifest file technique, which is less intrusive than embedding it into the executable.

If you’re an application developer, you should read Windows Vista Application Development Requirements for User Account Control (UAC), which describes in detail the different options I have just talked about.


If you need just GNU patch, follow the OOMMF page to create the manifest file, but don’t bother embedding it. If you come from a UNIX background, just use MSYS to get all the other UNIX tools.