Thursday, 12 July 2018

Lenovo T430 - a dynamite laptop with an attractive price tag

My go-to laptop of the last 6 months has been this little beauty. I picked it up cheap and while she ain't much to look at:

The T430 - image from: https://www.lenovo.com/us/en/laptops/thinkpad/t-series/t430/
it's a ripper of a machine. Now I paid under $250AUD for this off a friend. The Windows install was stuffed and needed a full rebuild. Pretty easy right - 2 hours for install and then wait for patches - but she wasn't having a bar of it and bought a shiny, but shite new laptop. And I ended up with a terrific spare laptop that quickly became my number one machine.

The specs of this beast:
  • 3rd generation Intel® Core™ i7-3520M (2.90 GHz, 4MB L3, 1600MHz FSB)
  • 256 GB OPAL SSD
  • 8GB RAM
  • 14.0” HD (1366 x 768) (200 NITS) - look at those NITS!
  • 2.166kg
I get about 6 hours out of the battery - and this is mostly running the machine flat out. It has a nice bright screen, isn't very heavy and is very robust. The shining feature of this laptop is the keyboard.

The keyboard in all its awesomeness. Image from: https://kelsusit.com/lenovo-thinkpad-t430s-core-i7-refurbished-laptop/


Lenovo have really done a great job keeping such nice keyboards on their laptops. This one in particular is great to use - a joy in fact. I recently typed a 3000+ word essay on it for Uni and appreciated how good the keyboard was consistently during the process. Compared to the brand new Apple laptop I've written about previously - laptops that are now having huge complaints about the keyboards - this one is great. And Lenovo have kept this quality with other laptops of theirs I've had the opportunity to play with - for example, the E570 and the X1 Carbon. I've actually got a review on the brand new Gen6 X1 to write up - keep an eye out for it.

The reason I write this is to promote the idea that older technology need not be obsolescent. A machine like the T430 is honestly a powerhouse - it smashes desktop work, has a nice sit-in dock available for it, USB3 ports, SSD disk as a standard option and has a very readable and usable screen. I managed to watch 3 episodes of Altered Carbon on it without the battery dying on me. Even better it has an Ethernet port, DVD writer and a top lit keyboard - there is a little LED light in the top of the monitor. Very handy for night work, or working in a roof - which I have done. As a rugged laptop it's great - apparently it's been tested to Milspec, but has shown to me to be resistant to falls (oops!), dust, heat and cold - 40C to 0.5C.

These laptops are available on eBay in price ranges between $100 and $400. Keep an eye out and you might grab a bargain!

Friday, 23 February 2018

Fixing a black screen after doing a Kali Linux update

Kali Linux is a rolling Linux distribution designed for security and penetration work. You can find details on it here: www.kali.org.

We run this excellent product for a range of different security work and it's been great. I built the image in VMplayer, then shared it to the team and we've all been at it since.

A recent update broke it though - black screen, no network and completely unresponsive.

There are lots of posts about similar things - mostly to do with graphics adaptors, however, we found that executing the following at a root prompt fixed it. But how to get to the root prompt from a blank screen?

Linux has a number of terminals available to the user - most of us use the graphical one for our day-to-day work, but you can reach a command-line prompt without much trouble. Hold CTRL and ALT and press F2 or F3, and it drops you to a command-line login.

BOOM. Time to fix it up. For me, and for the other fellas in the team, all it took was to issue this command:

apt --fix-broken install

And then reboot. Back to a graphics interface and networking is online again.

Enjoy

Sunday, 10 September 2017

Using defence in depth to mitigate the risk of ransomware

I've written before about the evils of crypto locker and the spawn of that devilish state of affairs known as ransomware. Recently I came across an infection and saw first hand how defence in depth can save your data and the bitcoin.

Firstly, let's consider the perimeter of the network. What vectors for attack exist externally to the network? There are many and they include:

  • malicious emails
  • dodgy websites with malicious payload 
  • malicious actors (hackers) out to get you
The first layers of defence include (in this case):
  • an antivirus/antispam gateway for email, with the firewall at the main router allowing only connections on port 25 (smtp) from the mail scanner gateway
  • antispyware/antivirus email on the computers scanning every website that a user visits, plus using OpenDNS with a variety of restrictions on it to protect the user from themselves
  • firewalls and obfuscated ports where applicable with minimal "open-to-the-world" ports
That's the hard outer layer. Past the router / firewall and onto the network, we use:
  • firewalls on all PCs (granted only the windows ones, but supplemented with the anti-virus product's offerings)
  • WSUS to keep everything patched and up to date
  • VLANs to separate out stuff
  • usernames / passwords for access to all network resources
To further enhance security:
  • all backups go to a UNC path (i.e. \\nas\backups) rather than a mapped drive (like an S:\ drive) which is important because ransomware will attack both local drives and network mapped drives - encrypted backups are 100% useless
  • users have restrictions based on principles of least privilege and this is rigorously enforced
  • servers are also patched and up to date
  • logs are maintained on a separate server
  • PRTG is used to monitor network traffic on the switches and a variety of other stuff
So what happened and how did this all help to mitigate a ransomware attack?

Well a user, let's call him Jim Bob, has a very weak password. Let's say it's Secret01 (yes if this is your password, it is shite. Change it now!)

An external attacker managed to get Jim Bob's username, and then proceeded to attack the remote desktop services to see if they could brute force their way in. What would you know, about 2 hours after starting, they got the password and were in. This could have been mitigated by having a password locking system turned on, but remember - you have to balance usability with security. This particular organisation struggles with passwords at the best of times, so locking a user out after 3 failed attempts for 10 minutes would have very high frustration levels as a result.

The attacker now had access to a server. But - Jim Bob's account was extremely limited. He just couldn't do much - he didn't need to. Basically log on and access the internet. That's him to a tee. This therefore, is all the attacker could do. Frustrating I bet!

Along comes the admin and logs on. The attacker - seeing a systems admin hit the server - panics and drops a ransomware payload, probably thinking they'll get some sort of a payday somehow. Their ransomware attack manages to get a foothold on a mapped drive. The security on that mapped drive allows for only a small percentage of accessible files to be encrypted before the wily sysadmin spots it and locks Jim Bob's account down, and shuts off the file server.

Our defence has now limited the risk by controlling the access to files and what could be attacked. And it gets better. Our snapshot backups are working as advertised and have a 15 minute old copy of the entire mapped drive's file system. With a few clicks, our intrepid sysadmin restores the whole lot over the next hour. Hundreds of files, barely out of date and only in a few instances. Within a few hours, Jim Bob's account has been restricted, password changed and the user Jim Bob given a kick in the bum for having a crappy password and the network drive is fully recovered.

Although our initial defensive line was penetrated (users can be your greatest security risk), the rest of the network's defences held firm mitigating the impact of the attack and the organisation's exposure to loss of data. No pay day for our arsehole attacker today! I like to think of how sad they must be, all that effort and no reward.

In the wash up, the sysadmin goes through and using the logs, PRTG and combing files finds the attacker's trail and mops up after them, making notes on what failed and how to improve it for next time. 
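
An added example, not part of the original post: the kind of log check that would surface a brute force like the one against Jim Bob's account, pairing a burst of failed logons (Windows Security event 4625) with the successful logon (4624) from the same source. The events, account names, addresses, threshold and window are constructed assumptions, and the events are assumed to be already parsed out of the log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624  # Windows Security event IDs: failed / successful logon


def build_sample_events():
    """Constructed events (time, event id, account, source IP); not real log data."""
    start = datetime(2017, 9, 1, 1, 0, 0)
    events = []
    # Two hours of guessing against one account: one failure every 30 seconds.
    for i in range(240):
        events.append((start + timedelta(seconds=30 * i), FAILED, "jimbob", "203.0.113.50"))
    events.append((start + timedelta(hours=2), SUCCESS, "jimbob", "203.0.113.50"))
    # An ordinary user who mistypes twice and then gets in.
    for i in range(2):
        events.append((start + timedelta(minutes=30, seconds=20 * i), FAILED, "mary", "10.0.0.23"))
    events.append((start + timedelta(minutes=31), SUCCESS, "mary", "10.0.0.23"))
    return events


def analyse_logons(events, threshold=10, window=timedelta(minutes=10)):
    """Report successful logons that follow a burst of failures.

    A burst is `threshold` or more failures for one (account, source) pair
    inside `window`. Both values are assumptions to tune per site.
    """
    recent = defaultdict(deque)  # (account, source) -> failure times inside the window
    totals = {}                  # (account, source) -> [failure count, first alert time]
    findings = []
    for ts, event_id, account, source in sorted(events):
        key = (account, source)
        burst = recent[key]
        while burst and ts - burst[0] > window:
            burst.popleft()      # forget failures older than the window
        if event_id == FAILED:
            burst.append(ts)
            entry = totals.setdefault(key, [0, None])
            entry[0] += 1
            if entry[1] is None and len(burst) >= threshold:
                entry[1] = ts    # earliest moment an alert could have fired
        elif event_id == SUCCESS:
            count, first_alert = totals.pop(key, (0, None))
            if first_alert is not None and len(burst) >= threshold:
                findings.append({
                    "account": account, "source": source, "failures": count,
                    "first_alert": first_alert, "compromised_at": ts,
                    "lead_time": ts - first_alert,
                })
            burst.clear()
    return findings


if __name__ == "__main__":
    for f in analyse_logons(build_sample_events()):
        print(f"{f['account']} from {f['source']}: {f['failures']} failures, "
              f"alert possible at {f['first_alert']}, logon at {f['compromised_at']} "
              f"(lead time {f['lead_time']})")
```

With the sample data the alert threshold is crossed 1 hour 55 minutes before the successful logon, which is time to act on the source address without locking any user out.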

The moral of the story is this - defence always loses. Attackers will win. All we can do is to mitigate the damage and risk to the best of our capabilities and budget. Hopefully you will read this and get a few little ideas about how to perhaps enhance your existing defence, or even think about what attack vectors might exist. This pretend network is by no means perfect - it could always be better. Budget and skill restrictions come into play though and mean we have to find the best effort with whatever we've got at hand to make it work. Be smart and get margin into your security so a break in doesn't break your heart or your budget!

Tuesday, 29 August 2017

Samsung Gear Fit vs Apple Watch 2 - a review and comparison

Recently I was given an Apple Watch 2 - it's very nice and I've replaced my Samsung Gear Fit with it. After wearing the Watch for a week, there have been a few tangible differences between the two I thought it might be worth noting. If you're unfamiliar with the devices they look like this:


These images are the same as the devices that I have. The physical differences are obvious - the Apple Watch is significantly bigger, with the more square face. Both have OLED displays which make for bright, colourful GUIs. Both are touch screen and both share a variety of internal sensors like heart rate and accelerometer. The Gear Fit is lighter, narrower and for what I've used it for - holds a longer charge than the Apple Watch. The Apple Watch has many more sensors - including GPS/GLONASS and WiFi, checks your heart rate with great frequency daily and keeps telling me to "Breathe"! (this gets a bit annoying after a while)

Here are a few of the summary differences I've found in the last week (and please bear in mind I wore the Gear Fit for 2 years before replacing it).

  • The sleep function on the Gear Fit is much better than the Apple Watch - you have to get a 3rd party app for the Watch which I found annoying. It's built into the Gear Fit, mutes and blocks the device and gives you some nice reporting via the Samsung Health app. Also, access to the sleep function I found is better - put the Fit into sleep mode and it's ready to track your sleep, then give you a report in the morning when you turn it off. The Apple Watch - using the AutoSleep app, alleges that it can work out when you go to sleep and then when you get up via some sort of magic I assume. I'm still trying to figure out the meaning of the sleep reporting (which is irritating in and of itself).
  • The Watch hasn't locked up yet but the Gear Fit has twice in the last week. This is a full reboot, and lose all of your sleep data - something that happens with semi frequency on the Fit and is quite annoying.
  • Notifications are roughly the same through both - configurable and fairly useful. The ability to send detailed replies with the "Scribe" function (you use your finger to write each letter) on the Apple Watch is pretty neat - I've used that several times.
  • Both watches can answer the phone, or more likely - divert to message or voicemail. The Apple Watch you can actually talk into the watch and I've been on the receiving end of that a couple of times. It wasn't bad really, but I think you'd feel like a dill talking into your watch like Get Smart rather than use the phone.
  • The summary from the Samsung Fitness software is much better than what Apple Health provides (at least for me). I find the sleep data and the way it's presented to be significantly better than the Apple information. The Samsung software tells you how often you got to bed on time, and how often you got up on time. I like that. It provides a small sense of accomplishment just for getting my lazy backside out of bed in time.
As a bit of an update to this review - it's been an extra week of using the Apple Watch and I'm still unimpressed by the sleep thing. I have set aside some time to look into this in greater depth because I feel it's so lacking. Keep an eye here for some more info. The alarm feature on the Apple Watch has been pretty good. The vibration on the wrist isn't startling to wake up to, and it doesn't disturb my wife (which she is happy about). 

In summary both of them are really quite good devices. They lock you into their respective ecosystems (Samsung vs Apple) and this is to be expected, potentially not loved though. For purpose, I think the Gear Fit was better for tracking sleep, better battery life and a robust device. The Apple Watch's aesthetics are lovely, it has a tonne of functionality and I've barely scratched the surface of it. I'll go into it more as I play with this thing a bit. It's easy to see where the extra value in the Apple Watch is.

Friday, 14 July 2017

Mint 18.2 Review

Linux Mint 18.2 in the wild!

I’ve just upgraded to Mint 18.2 from 18.1 being the (sort of) early adopter that I am. Realistically there was no good reason to do this - 18.1 was running well and doing everything I need, except to get any new bits and pieces that come with .2. There are some nice new desktop pics (quite beautiful ones actually), but not much I can see that is really different. It's still running Cinnamon, so there haven't been any gigantic changes in the UI in a while. I’m running it on a Lenovo M series desktop that I’ve had for some years and it’s a beast of a machine so any performance upticks in the new version aren’t really noticeable. Here are the release notes : http://blog.linuxmint.com/?p=3289 and they're worth a quick perusal.

I did find that my desktop icons all disappeared. As a result I experienced sadness :-(

Fortunately I found the solution. The nemo-desktop application is no longer running. I found it (/usr/bin/nemo.desktop), ran it and voila - icons are back! I’ve added it to the startup applications and that fixes that.

I really enjoy the ease of the upgrade process - it’s fast and straightforward using the excellent Mint Update Manager. The download was around 400MB but the mirrors are all quick and it was quite painless. A fast reboot and I was back in business. I also took the opportunity to upgrade the Nvidia drivers I have (for my whiz bang graphics adaptor) and after another restart I was done. As a result, my primary work computer was fully upgraded and operational in about 20 minutes - much better than the Windows 10 computers I've just got that need a 4GB upgrade out of the box (!)

Mint 18.2 “Sonya” new stuff:
  • LTS release so supported until 2021
  • Cinnamon 3.4 apparently has many new icon management features (I’ll have to try this out now I’ve got icons back!)
  • Plugins for Cinnamon run in their own process
  • Add-ons called “spices” have been added - check them out on the Cinnamon Spices website here: https://cinnamon-spices.linuxmint.com/
  • Various app upgrades including xed, update manager, xviewer, xreader and LightDM - the new login manager.
  • Ships with Linux Kernel 4.8.0-53

Get it via Update Manager or from the Linux Mint website: https://www.linuxmint.com/download.php


Tuesday, 18 April 2017

pi-hole - awful name, great product!

Advertised as "A Black Hole for Internet Advertisements" pi-hole (https://pi-hole.net/) goes a long way to living up to this reputation.

What is it?

pi-hole is a domain name server that can be installed with one command onto a Linux box or Raspberry Pi running Raspbian or similar. Once this is done, an update to your site's DNS records and all queries get pushed through the pi-hole, blocked as appropriate and then sent out to the world.

We are running it on an Ubuntu 14.04LTS virtual server, with 1GB of RAM and a single vCPU - and the DNS response time is quite acceptable. A tiny server will run this software quite easily.

Why use it?

If I'm looking at websites and browsing around, typically I'm not just getting my content that I want - there's a bit more sneaking through. Ads! Most sites will use advertisements to make money and I have no problem with this. My issue usually stems from having too many of the damn things popping up and chewing up resources like bandwidth and screen space. That's where pi-hole fits into the picture. Currently it's blocking over 100,000 different sites. We've noticed an improvement in web page speed and in testing - by going to www.news.com.au, we found that there were quite a few domains blocked.

Here is an example of our office's information from this morning (midnight to noon)

5% of our queries blocked! That's a reasonable amount of traffic in a 5 person (at the moment) office. Imagine if it were 100 people or more?! The amount of DNS requests and the traffic would drop considerably.

Additionally, pi-hole has provided some protection from malicious attacks via dodgy websites - these seem to get blocked as well and the additional safety is great to have - particularly when the cost is virtually nil. Combine it with OpenDNS as the relay (the next step in the DNS resolution trail) and the possibilities for controlling your DNS with a high degree become more realised.

We've been happy with our little pi-hole (oh that name is dodgy). Try it out :-)

Monday, 6 March 2017

MacBook Pro (late 2016) first impressions


One of my clients who is a bit of an early adopter grabbed a new MacBook Pro (MBP) last week. It's the 15" i7 wizzbang bit of gear that looks really quite lovely. He asked me to migrate his data from his old MBP to the new one. I ran a full backup to external USB and it was all going swimmingly, and then I remembered - damn! The new MBP's don't have regular USB! They only have USB-C! Aaargh. Fortunately the Apple Migration tool is great and I was able to punch it all across via wireless (this is very slow - I recommend an alternative via ethernet)

After using the machine for an hour or so this morning, this is what I've come up with:

Pros:
  • The screen is gorgeous - the Retina screen is just so lovely to look at and has such awesome colour depth. I really liked it. Flicking through some of the desktop images and pictures showed the resolution and colours beautifully. I reckon my next one has to have this
  • the touch bar above the keyboard - I thought this would be gimmicky but after a bit of use I found it quite handy. I do miss my Function keys though.
  • touchpad - this is responsive and super accurate. One of the biggest faults I have with a laptop is the poor accuracy and/or speed of the touchpad. This one was quite nice (although it has its faults)
  • physically a very easy laptop to move around - light but solid construction and good hinges on the screen
The Expected
  • great build quality (like other MBPs - even my 5 year old one)
  • snappy - i7 processor (2.6Ghz Quad Core i7)
  • lots of RAM (16GB)
  • fast disk (256GB PCIe-Based SSD)
In short - I expected high performance from this laptop and while it was crunching the iPhoto database from the old machine, I installed and ran Parallels, with a full Windows install running some fairly intensive image software and the thing didn't miss a beat. It really cracked along and I expected that to be the case.

Cons:
  • The Keyboard - is shite. I'm sorry but the keys have no feeling to them, bugger all travel and just have a weird texture that I didn't like. I was jumping between the client's mid 2012 MBP and this brand new one and the comparison was not favourable. Seriously - typing is a kinesthetic experience. How about a bit of a nod in that direction? Check out Lenovo's L series laptops for a great typing experience. I hated the keyboard
  • The touchpad clicks - while the touchpad was accurate and fast, the clicking feeling again was sub-par for me. I like a bit of tactile response (as you've guessed) when I'm wailing away on the keyboard. I don't want to have it feel like a tablet (which I despise typing on) or a phone (also = despise)
That's really all. For me though that keyboard is almost a deal breaker. Perhaps I'd get used to it over time though (if someone wants to give me one of these toys to play more with). Would I buy one for? There's a very high probability of that. It really is a well constructed laptop.

Here is the link to the model closest to what I was playing with: http://www.apple.com/au/shop/buy-mac/macbook-pro/15-inch - for $3600 it's a big price tag for a pretty decent machine. Is it worth it though? Well I had a bit of a poke around and looked at Lenovo's site. For a similar machine (size, processor, RAM, disk etc) Lenovo have a nice little ThinkPad P50.

Specs are:

System component

  • Intel Core i7-6700HQ Processor (6MB Cache, up to 3.50GHz)
  • Windows 10 Home 64
  • 15.6" 4K (3840x2160), anti-glare, IPS
  • 16GB DDR4-2133MHz SODIMM (8GBx2)
  • NVIDIA Quadro M1000M 4GB
  • With Color Sensor
  • 720p HD Camera with Microphone
  • Backlit Keyboard with Number Pad - English
  • Integrated Fingerprint Reader
  • 256GB SSD PCIe-NVMe OPAL2.0
  • 170W AC Adapter - ANZ (3pin)
  • 6 Cell Li-Polymer Battery, 90Wh
  • Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 No vPro
  • 1 Year Depot


And this is $5050! See: http://www3.lenovo.com/au/en/workstations/thinkpad-p-series/P50/p/20ENCTO1WWENAU0 

I've specced it up from the basics to get close to the MBP. Hopefully this provides you with a little bit of perspective when you look at the MacBook's price. The Lenovo is a well built bit of kit too - I've used one of these before. The build quality isn't up to the MacBook though. It doesn't have the clean lines and aesthetics of the Apple products either. Still, I'll take either one if someone wants to give it to me!
