Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

2013: lost year?

Couldn’t refrain from adding my two cents while reading this article.

The author argues that 2013 was a lost year. Among his arguments one of them is that “smartphones became commodities” … like that is a bad thing! Jeez! I am glad smartphones became commodities. There used to be a time when smartphones were expensive and good devices were unaffordable for most, but thanks to them being commodities now you can easily own a good phone for a much lower cost than before. The new iPhone 5S, for instance, is cheaper than the iPhone 4S when it was released (at least in Oman), and the prices dropped after a month or so thanks to Apple’s improvements in the supply chain. That’s not a small thing however much the author plays it down! Smartphones have also improved in terms of the overall quality and listening to user opinions. Android phones too have got better over the year, and most manufacturers now update the device faster or are at least open about it and there are many more options for customers (for instance the Google Play editions). Sure, there aren’t any breaking enhancements anywhere but that isn’t a reason to argue 2013 was a lost year. You have leaps in technology, then you have periods when things are consolidated and refined, and the latter is in no way worse off than the former.

Another argument is how the iPhone 5S is not a big deal. All Apple could do with the new device was get a faster processor, use it to animate 3D effects (which users apparently dislike), and add a fingerprint sensor to solve a problem no one had in the first place. Moreover iOS 7 apparently crippled older devices. Wrong! Being an iPhone 4S and 5S user I love the fact that the 5S is similar to the 4S. In fact at a glance there’s not much difference between the two devices and so most people around me don’t even realize I have a new phone. And that’s a good thing the way I see it, because ultimately the phone is a tool and I don’t see why it should change in appearance every year. Why must users undergo the learning curve of a new device each time they upgrade? Why not just have a better device with a minimal curve? Better doesn’t have to be different; why make a difference if things are already working well the way they are?

I love the 5S (compared to the 4S) coz it is lighter. Agreed that’s not a 2013 innovation as the iPhone 5 too was lighter, but the big deal is that the iPhone 5S and 5 have differences between them and yet Apple managed to keep the same weight and form factor. I am a fan of the 64-bit CPU in the 5S and think it’s a good idea, future friendly. I am a fan of the improved camera sensor which lets me take better pictures with a phone. I am a fan of the M7 motion CPU and am excited about the new apps that make use of this. I am also excited by iOS 7 and its design improvements (not without some quirks, but that’s to be expected) as well as Apple’s use of technologies like Bluetooth LE for iBeacons and such.

The iPhone 5S fingerprint reader may not greatly enhance its security in that a determined hacker can break it, and any random person can break it provided they can get your finger to press the reader somehow (maybe you are sleeping with the device around). But that’s fine because you are not forced to use the reader. Even passcodes or pattern locks can be broken by looking at the marks on the screen and while the fingerprint reader might not be as secure as that, it is more convenient. If you want higher security, use one of those alternatives; but if you want convenience with slightly less security, use the fingerprint reader. I find it so much more convenient unlocking the phone by pressing the home button and holding it a few seconds for the fingerprint to be read – beats entering the code any day!

The S versions of the iPhone have always been about subtle improvements to the non S version. And for this reason I usually stick with the S version because Apple seems to make internal changes to these devices to differentiate from the non S version. For instance, the 4 and 4S look the same, but the 4S had a better camera, improved antenna, and was faster. Similarly, the 5 and 5S look the same, but the 5S has the M7, better camera sensor, faster CPU, 64-bit, and other small changes. That’s how Apple seems to release its phones. The non S version brings external changes and some improvements, the S version brings internal changes and improvements plus refinements.

iOS 7 works well on the 4S (at least for me). It probably won’t work as fast on the iPhone 4 – but that’s kind of expected as it is a 3 year old device – and by the same measure I don’t expect iOS 8 to work as well on the 4S. I find it good on Apple’s part that iOS 7 works well on the 4S – from Apple’s side they haven’t made the device obsolete for me, moving on to the 5S was a choice from my end. Of course, not all features of iOS 7 work on the 4S, and some of them may have no reason for not working either, but that doesn’t make the device obsolete. The device works as it did before. In fact, in Oman the 4S still has a great resale value. The 16GB 5S costs about OMR 295, the 16GB 4S still costs in the range of OMR 200.

The author also argues against Google Glass and wearables. I haven’t followed Google Glass much (as I find it creepy) but I am excited about wearable tech. Pebble was released in 2013 and looks to be a great piece of wearable tech. 2013 is also the year when tech such as the Jawbone UP and FitBit Flex/ Force became popular. It also seems to be the year when one started using tech (devices such as the UP/ Force, or apps on the phone) to monitor one’s health, sleep patterns, diet, etc. Again, none of these are dramatic improvements, but they are small changes that go towards bettering the product.

Using Get-ACL to filter AD objects without certain group ACLs

At work we discovered a few accounts yesterday that didn’t have a certain group in their ACLs. So I was curious how to use PowerShell to find other accounts which are similarly missing this group.

To get the ACL of an ActiveDirectory object you must import the ActiveDirectory module and then use the Get-ACL cmdlet. Importing the ActiveDirectory module creates the AD: PSDrive which is what Get-ACL will use to access the AD objects.

For example:

The output of this cmdlet is the path to the object, the owner of the object, and a list of ACLs. To view these ACLs you must enumerate them:

This gives a list of ACLs. Here you can filter out the ACL you are interested in. Sometimes (like in my case) the group name isn’t shown but the SID is, so keep that in mind.

So the simplest test to check whether an ACL is present or not is to see if the output of the above is $null:

Put this together with the Get-ADUser cmdlet and some formatting one can produce a list of AD users along with whether this group is present in their ACL or not:

One can also just produce a list of user objects which don’t have this ACL:
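The steps described in this post, put together as an added example (not the author's original code). It assumes the ActiveDirectory module is installed; the group name and search base are hypothetical placeholders, and `Test-GroupInAcl` is a helper name introduced here.

```powershell
# Added example: requires the ActiveDirectory (RSAT) module and read access to the directory.
Import-Module ActiveDirectory   # also creates the AD: PSDrive that Get-Acl uses

# Hypothetical placeholders: substitute your own group and OU.
$GroupName  = 'EXAMPLE\Some-Group'
$SearchBase = 'OU=Users,DC=example,DC=com'

# An ACE may list the group by name or by raw SID, so resolve the SID once
# and match on either form.
$GroupSid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

function Test-GroupInAcl {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Read the object's ACL through the AD: drive and enumerate its entries.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $GroupName -or
        $_.IdentityReference.Value -eq $GroupSid
    }

    # No matching entry means the filter returned $null.
    return ($null -ne $match)
}

# Build one record per user, noting whether the group appears in the ACL.
$report = Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
    [pscustomobject]@{
        Name              = $_.Name
        DistinguishedName = $_.DistinguishedName
        GroupInAcl        = Test-GroupInAcl -DistinguishedName $_.DistinguishedName
    }
}

# Full list with a present/absent column.
$report | Format-Table Name, GroupInAcl -AutoSize

# Only the users whose ACL lacks the group.
$report | Where-Object { -not $_.GroupInAcl } | Select-Object Name, DistinguishedName
```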

Self Encrypting Drives (SEDs), BitLocker, UEFI, Truecrypt, etc

Past few days I upgraded my laptops with SSD drives. Learnt a few bits and pieces on the way, this is just a dump of what I learnt in case it helps others.

SSDs are fast and can really speed up old hardware, but set your expectations right if you are using encryption. In my case, an aging laptop with a 5400rpm regular HDD was very fast (as expected) when replaced with SSD. But add Truecrypt encryption to the mix, and it slows down a bit. Not too much, but noticeably, and especially when it comes to waking up from hibernation. In retrospect this should be expected as encryption places demands on the CPU, and older laptops mean slower CPUs hence that becomes a bottleneck.

There are SSDs that support hardware based encryption too. These are usually $20-$30 more than the other SSDs but the advantage is that the encryption task is offloaded to the controller of the SSD freeing up your computer CPU and avoiding a performance hit.

There seem to be three varieties of SSDs that support hardware based encryption: (1) also known as Self Encrypting Drives, these are based on an OPAL standard developed by the TCG wherein the drive itself has an engine to encrypt everything written to it (hence the name “self encrypting” drive); (2) those where the hard disk enclosure has a smaller regular (non-encrypted) hard drive, accompanied by an encryptor chip that takes care of encryption; and (3) there is a separate encryptor chip placed between the computer and regular (non-encrypted) hard drive that takes care of the encryption.

Self Encrypting Drives seem to be the popular ones. The Crucial M500, which I used for one of my laptops, is such a drive. SEDs have a 256-bit AES encryption engine that encrypts everything written to the drive by default. On its own that’s useless though as there’s no password protecting the keys used to encrypt everything, so anyone can read data from the drive and it will happily decrypt too. To use the drive effectively one needs additional software that supports the OPAL standard and which will interact with the drive to password protect the keys. There are many third party software products for this but sadly most of them are for enterprises (so the software is very expensive and you can’t get more details until you contact the sales department etc). This is a pity, I wish drive manufacturers included such software for an additional reasonable cost as without such software the hardware-based encryption feature of such SSDs is useless.

From one of the Amazon reviews for the M500 I learnt that a user had good experiences using WinMagic’s SecureDoc. That software too is pricey (nearly as much as the SSD itself!) and I have two laptops so buying two copies of the software is not worth it.

There exists a “free” alternative though. If you are on Windows 8 (or Server 2012) and your SSD is OPAL 2 compliant (the M500 is) and your computer is UEFI 2.3.1 based and has the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined (and has the Compatibility Support Module (CSM) disabled in UEFI, and always boots natively from UEFI) then BitLocker (which is a part of Windows 8) will encrypt the drive using its hardware-based encryption. (If you want to be doubly sure you can use the BitLocker PowerShell cmdlets to specify you want hardware encryption and later use the manage-bde -status command to verify hardware-based encryption is in use).

The UEFI requirement is only if the SSD is used as a startup drive though (i.e. the OS is installed on it and boots up from it). If you are using the SSD as an additional drive, then BitLocker can be used for hardware-based encryption.

In my case, however, the SSD is a startup drive but neither computer had UEFI. Nor did the computer manufacturer have any updates for flashing UEFI. It does not seem possible to upgrade BIOS to UEFI either (at least not easily and there could be hardware limitations that prevent you from doing so too). So although I have an SED I can’t use BitLocker to use its hardware-based encryption features. Bummer!

For more info on SEDs: check out this KB article from Crucial on the encryption features of the M500; this forum post which clarifies hardware-based encryption does not work with Linux and also mentions SecureDoc; this and this article from AnandTech; this very informative article on how SEDs work.

UPDATE: Turns out I am not entirely correct in saying that SEDs are based on OPAL standards. Not all SEDs are based on OPAL standards. For instance, SSDs from Intel and Samsung (Intel SSD 520 Series, Samsung 840 Series) are SEDs but use a password you specify in the BIOS for hardware encryption. These SSDs require BIOS support for the password – known as ATA password. The drives always encrypt their data and once you specify a BIOS ATA password the keys are encrypted using a hash of this ATA password, thus locking the data (also see this FAQ and whitepaper in case the previous link is broken). (Also, if you are interested in ATA passwords and have a motherboard that does not support ATA passwords (not the same as BIOS passwords!) this forum post might be helpful).

See this page too from Softex.

UPDATE 2: Softex SecureDrive seems to be a reasonably priced product for OPAL SED drives. It’s about US$75 per license, which while high is still less than the US$100+ prices of others.