Windows 10 BitLocker on a Macbook Pro (13″ Retina Late-2013)

Windows 10 has turned out to be a rather nice operating system. So much so that I felt compelled to abandon OS X and go Windows-only on my Macbook Pro (13″ Retina mid-2013). There are plenty of installation guides out there and I don’t really have anything to add to them. The only challenge for which I didn’t find a ready answer on Google was implementing BitLocker.

Running the BitLocker wizard prompts Windows to tell you: “This device cannot use a Trusted Platform Module [NOTE: Macbooks don’t have them]. Your administrator must set the ‘Allow BitLocker without a compatible TPM’ option in the ‘Require additional authentication at start-up’ policy for OS volumes.”

Screenshot: the BitLocker error dialog

The first step in fixing this is to run the Group Policy Editor. To do this, hit start, type gpedit and select the ‘Edit Group Policy’ option.

Screenshot: the ‘Edit Group Policy’ entry in the Start menu

When the editor opens, navigate the tree controls on the left to the location specified by the BitLocker error.

Screenshot: the Group Policy Editor tree

Double-click the ‘Require additional authentication at startup’ policy. That opens the dialog below, in which you should first select ‘Enabled’ and then check the ‘Allow BitLocker without a compatible TPM (requires a password or startup key on a USB flash drive)’ option:

Screenshot: the ‘Require additional authentication at startup’ policy dialog

With that done, you’re all set. Return to the BitLocker wizard and run it again. Bear in mind that without a TPM the pre-boot password (or startup key) is the only thing protecting the volume encryption key, so choose it carefully and keep the recovery key somewhere safe. Note that if you want to use a USB key to unlock your machine, you may have a few more hoops to jump through, but this article seems to explain how to get through them.


Dual-radio Wi-Fi for range extension

Extending Wi-Fi networks without halving your bandwidth.

Living in a rented apartment in one of the most densely populated cities in Europe sometimes has its challenges. If you’re a techie, you will likely find one of those challenges to be getting your Wi-Fi to work effectively and at any sort of range given the huge numbers of networks you will find around you. If I fire up the very wonderful inSSIDer in my living room, I can see no less than 33 networks (one of which is using WEP – eek!).


When I look at the channel graph (which sadly doesn’t have an option to hide SSIDs so I won’t be posting a screenshot), I see an almighty mess. This issue is compounded by the layout of my apartment. I know there are other ways to make an apartment unfriendly to Wi-Fi but I find ~22 meters of length with multiple brick walls does a fine job of blocking high-frequency radio signals. Between the lack of clear air and structural obstacles, getting decent connectivity across the apartment has been a serious chore.


Network extension

I am clearly not the only person with this kind of problem. There is a set of technologies out there sold on the promise of solving these issues. There are many dedicated and often not particularly effective Wi-Fi repeaters on the market. The Powerline networking space exists specifically for this use-case but seems to be effective only for a proportion of those who buy into it (some people have more serious concerns about it). In general, the dedicated solutions work, but just not all that well. Practically speaking, I want to be able to shift 50Mbps consistently from front to back without adding a tonne of latency and without spending too much money.

In an ideal world, I would just run CAT5 through the walls and if I were building / rewiring a house, there is no doubt I would do it. As a tenant though, that is just not going to happen. The most cost effective solution for me is to use general purpose Wi-Fi routers to repeat and thereby extend the Wi-Fi signal through my apartment.

The industry standard solution to support this is the Wireless Distribution System (WDS). This has the advantage of relative simplicity and built-in support in many routers. WDS has two major drawbacks: it halves your effective network bandwidth and it only supports the thoroughly broken WEP and WPA encryption standards. WPA2 isn’t perfect but it’s the best we have right now and I would rather use it on my networks.

DD-WRT to the rescue

DD-WRT is an alternative, Linux-based firmware for Broadcom- and Atheros-based Wi-Fi routers. It has been around for many years and is considered sufficiently stable for some router manufacturers, such as Buffalo, to offer it by default on their devices. One of its great strengths is that it provides a number of ways to bridge and route multiple Wi-Fi and wired networks together. These include the ubiquitous WDS, but much greater flexibility is allowed by the provision of Repeater, Repeater-bridge, Client and Client-bridge modes. Until recently, I was successfully using the ‘repeater’ mode of DD-WRT to extend the 2.4GHz N (300Mbps) signal from my cable router through the rest of my house via a classic Linksys WRT54G. This is a workhorse router that has been around forever and is sufficiently famous that it has its own Wikipedia entry.

Using ‘repeater’, the 300Mbps signal from the living room was repeated as a 54Mbps signal through the rest of the house. I was able to get reasonable (internet) bandwidth to the back of the house and could download at a bit more than 1MBps on a good day. I also got reasonably low latency and was able to use WPA2 throughout. Repeater mode does share one issue with WDS: it halves the effective bandwidth available. When that bandwidth is only a (theoretical) 54Mbps in the first place, you are not going to see world-beating figures.

Having recently spent a day trying to do a bulk transfer of data from front to back without much success, I was inspired to find a better solution. Some digging around the DD-WRT forums turned up a comment from Barryware noting that,

[…] the 4200 has two radios. You can set one up to receive (client or client bridge), and the other to be an AP. You will not lose 1/2 the wireless bandwidth if you choose to do it that way.

The E4200 is a dual-band, dual-radio router from Cisco/Linksys with a reputation for delivering good range out of the box. It is also supported by DD-WRT, albeit with some caveats. While on vacation a few weeks ago, I took the opportunity to pick up an E4200 and rebuild my home network as shown in the diagram below.


The difference is huge. I can now reliably download at over 40Mbps from the Internet at the back of the house. The setup was also remarkably simple.

The 5GHz band is a ghost town

The E4200 is both dual-band and dual-radio, which means it has separate radios and antennas for the two consumer Wi-Fi bands. When I bought the router I had not read a lot about Wi-Fi in general. I had a good conceptual understanding of the basics, and of security in particular, but didn’t know how much things had changed with the introduction of the N standards. The introduction of the 5GHz band changes things dramatically, as I found out the first time I fired up inSSIDer on a 5GHz-capable machine.


In contrast to the 33 2.4GHz networks I can see from my front room, before I installed my E4200 there were a grand total of… none on the 5GHz band. In effect, I have the 5GHz band entirely to myself. While there are great benefits to using the twin radios to avoid bandwidth losses, I suspect the clear air in the 5GHz band has been just as important.

Setting up dual-radio extension

I am not going to provide instructions for getting DD-WRT onto a router. The DD-WRT wiki and forums have ample information and I would suggest starting there. I am not even going to link to specific documents as they are easy to find but do occasionally change location. As such, make sure you’re reading the latest as getting the process wrong can lead to tears. Seriously, there are lots of ways to make yourself very sad so on this occasion, RTM!

Once you have DD-WRT on your repeater device (the E4200 is a fine choice, but do be careful about hardware versions: check the DD-WRT router database for compatibility to avoid disappointment), you can proceed to configure your bridging. For my network, I want a single, flat subnet for everything inside my house apart from the cable router itself, which I treat as tainted goods since it was supplied by the cable company.


The basic principle is to use one of the E4200 radios to connect back to the Buffalo WZR-HP-G300NH in the living room. I won’t provide instructions for setting up the first router. The important thing is to ensure that you note all of the wireless settings you choose to use (including standard, channel and width). The basic process is as follows, but even though it is a simple process, you should go through and use the more detailed documentation for ‘Client-Bridge’ at the DD-WRT wiki to complete your setup.

  1. Do a full 30-30-30 reset of the router to clear out all existing configuration
  2. When the router restarts, set a non-default username and apply a decent password
  3. Login and go to the wireless tab.
  4. Set the 2.4GHz network to “Client-Bridge” mode and set the other parameters exactly as you configured the first router
  5. Go to the ‘wireless-wireless security’ tab and set the security the same way as for the first router (note that you must use AES encryption since TKIP apparently causes issues)
  6. Go to the ‘basic-settings’ tab and set the router management IP to what you want it to be
  7. Go back to the wireless tab and set up the second radio however you want it. This is now your ‘extension AP’.
  8. Done!

Client bridge mode is described in the wiki as follows:

Join two wired networks by two Wireless routers building a bridge. All computers can see one another in Windows Network.

What we are doing is extending the definition such that instead of joining two wired networks, we are joining one wired network to another (5GHz) wireless network by means of a (2.4GHz) wireless bridge.


The results for me have been fantastic. I get a strong 2.4GHz signal at the front of the house (albeit of variable quality depending on what the neighbours are doing) and an extremely consistent signal at the back of the house on the 5GHz band. It is nice to know that I have that band to myself as well.

Further improvements

If you live in a densely populated area, look at going 5GHz. The 5GHz band has a lot more elbow room to begin with (see my earlier post on channel layout) but because very few people are using it at the moment, there is a window of time during which one can enjoy wide open electromagnetic vistas, free of the hoi polloi. If I had endless money, I would look to replace my two existing routers with a couple of routers, both with dual 5GHz radios. I can’t seem to find such a beast but it would let me run one 40MHz channel pair at the front of the house and a different channel pair at the back. I am happy with the setup I have though. I would like greater consistency but for now, that’s the price you pay for having neighbours!

Missing 5GHz Wi-Fi Networks

Holiday is a time for rest, relaxation and trips to exciting new places with family and friends. It is also a great time to rebuild your home network and spend long nights mucking about with firmware, conf files and cables. As I come to the end of my summer vacation, I have achieved at least some of the items in the above list.

In particular though, I have managed to rebuild my home network to make use of many of the bits and pieces I have had lying around waiting for something to do. As usual, 80% was straight-forward (or answers to problems were quickly found) but 20% were proper head-scratchers.

This post is about one of the 20%. Without worrying about why, for now, I switched one of the Wi-Fi networks in my apartment to the 5GHz band. This worked just fine for the two laptops I run in my house (both of which use Intel Wi-Fi adapters). The Linksys WMP600N PCI adapter that I added to my desktop could see nothing whatsoever on the 5GHz band.

Using inSSIDer, I was able to see a number of 2.4GHz networks (including one of my own at the other end of the apartment) but nothing on the 5GHz band. This misdirected my investigations for a time since it led me to assume that the card (or Windows) was not enabling the 5GHz radio.

After quite a bit of Googling and reading of unhelpful forum posts (the quantity of which suggest that laptop manufacturers need to be clearer about what the adapters in their laptops really support), I came across this post from ReginaldPerrin (post 8) on the Linksys forums. To summarize, he reminds readers that the regulatory situation for 5GHz channels is much more complicated than for the 2.4GHz bands.

Depending on the country you are in, your Wi-Fi equipment will be configured to support a particular range of channels in a particular way. Provided all your equipment was bought in the same country and you are not using custom firmware, you will probably not experience this issue.

The relevant part of my network consists of a Linksys E4200 running DD-WRT to allow it to act as a wireless bridge and get me coverage across my apartment. This was configured with an N-only, 5GHz network with automatic channel selection and a 40MHz width. Using inSSIDer on one of my laptops, I could see that the auto-selected base channel was 148.

A quick check against the Wikipedia table of Wi-Fi channels showed that none of the channels above 148 are legal in Europe. Setting the E4200 to use channel 48 as the base channel fixed the problem immediately. I have no idea whether this was down to Windows hiding ‘illegal’ channels or the Linksys WMP600N itself disallowing access.
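The mechanism behind the fix, as an added example that is not part of the original post: a client only scans the channels its own regulatory domain permits, and a 40MHz network occupies two 20MHz channels, so if either of them lies outside the client's domain the network is simply invisible. The two channel sets below are my own illustrative approximations of the ETSI (EU) and FCC (US) 5GHz plans as they stood around the time of the post, and channels 149/153 are used as a constructed stand-in for the router's auto-selected block; check your regulator's current tables before relying on them.

```python
# Assumed EU (ETSI) plan of the period: 36-64 and 100-140; 149-165 not permitted.
EU_5GHZ = set(range(36, 65, 4)) | set(range(100, 141, 4))
# Assumed US (FCC) plan: the same blocks plus 149-165, which the router defaulted to.
US_5GHZ = EU_5GHZ | {149, 153, 157, 161, 165}
# Channels on which ETSI requires DFS (the radar-detection behaviour mentioned below).
EU_DFS = set(range(52, 65, 4)) | set(range(100, 141, 4))


def channel_to_mhz(channel: int) -> int:
    """5GHz band: centre frequency is 5000MHz plus 5MHz per channel number."""
    return 5000 + 5 * channel


def ht40_channels(primary: int, secondary_above: bool) -> list:
    """A 40MHz (HT40) network bonds the primary 20MHz channel with the one
    20MHz (four channel numbers) above or below it, like hostapd's HT40+ / HT40-."""
    secondary = primary + 4 if secondary_above else primary - 4
    return [primary, secondary]


def check_network(primary: int, width_mhz: int, secondary_above: bool, domain: set) -> dict:
    """List every channel the network occupies and whether the given regulatory
    domain permits all of them; a client forbidden even one of them will not
    show the network at all."""
    if width_mhz == 20:
        channels = [primary]
    elif width_mhz == 40:
        channels = ht40_channels(primary, secondary_above)
    else:
        raise ValueError("only 20MHz and 40MHz widths are modelled here")
    freqs = [channel_to_mhz(c) for c in channels]
    disallowed = [c for c in channels if c not in domain]
    return {
        "channels": channels,
        "centre_mhz": sum(freqs) // len(freqs),
        "allowed": not disallowed,
        "disallowed": disallowed,
        "dfs_required": any(c in EU_DFS for c in channels),
    }


def visible_to_client(ap_channels: list, client_domain: set) -> bool:
    """The AP's channels must all sit inside the set the client is allowed to scan."""
    return all(c in client_domain for c in ap_channels)


if __name__ == "__main__":
    # Constructed reproduction of the post: router picks the 149+ block, desktop card is EU.
    auto = check_network(149, 40, True, EU_5GHZ)
    fixed = check_network(48, 40, False, EU_5GHZ)
    print("auto-selected:", auto)
    print("channel 48:   ", fixed)
    print("EU client sees auto-selected network:", visible_to_client(auto["channels"], EU_5GHZ))
    print("EU client sees channel-48 network:   ", visible_to_client(fixed["channels"], EU_5GHZ))
```

Channel 48 with the secondary channel below it gives the 44+48 pair centred on 5230MHz, which both the laptops and the EU card can scan; the 149+153 pair is fine for a US-domain client and invisible to the EU one, which matches what inSSIDer showed on each machine.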

A couple of observations

The forum post talks about a configuration page for the NIC that exists in neither the current driver nor the driver that ships with Windows. This should allow you to configure the country and hence the allowable channels. I guess the driver now works off the country locale of the host machine. I am using the ‘-EU’ suffixed card, so it is possible that the allowed channels have been set in the card’s firmware. According to this, the card is probably a Linksys OEM’d version of the RALink RT3562. I might try the RALink driver to see what more I can do with that.

It is interesting that there are still very few 5GHz networks out there. The 2.4GHz band around my apartment is packed and it is difficult if not impossible to find clear-air. 5GHz is a ghost-town for now. If you want to improve your Wi-Fi reception and you live in a busy area, it’s probably worth investing in 5GHz capable gear. Use inSSIDer to find

Wi-Fi routers have to monitor for radar pulses and switch to a different channel if they detect them!

Setting up OpenSSH\Putty and key based authentication

I wrote this back in 2005 on my old blog (since deleted). As I was setting this up again tonight, I’ve re-posted this as it’s a useful reference. 

Sick of trying to remember root passwords for my *nix boxes, I’ve finally got round to configuring key based authentication using OpenSSH and Putty. This is a quick description of the setup and configuration that is required to get this going. There are some useful links at the end for background and understanding.

Download putty.exe, pageant and puttygen. Next, fire up puttygen and create an ssh key-pair (private to keep on the workstation, public to dole out to the hosts you’ll be authenticating to). Generate lots of lovely entropy by waggling the mouse furiously and pick a decent pass-phrase.

Save your newly created public and private keys on the workstation that you’ll be making connections from.

Next up, copy the public key text from the ‘puttygen’ window and connect over SSH to the host you want to configure. Log in as the user you want to key-authenticate and paste the public key text into ~/.ssh/authorized_keys. Save the file, then run “chmod 700 ~/.ssh” and “chmod 600 ~/.ssh/authorized_keys”. Note that this process can be automated somewhat using Plink and cat.

Note that it is important that the text be in the format shown in the puttygen window. I always forget this and spend ages fannying around trying to figure out the right format for authorized_keys. If you just load your keys into the puttygen application, it will provide the appropriate key-text for you (just hit the ‘load’ button and select your private key).

Before logging out, check that the /etc/ssh/sshd_config has the following lines uncommented:

PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

If not, make the change and reload the sshd config.

Back on the Windows box, run pageant.exe with the path to your private key as an argument. Pageant will prompt you for your pass-phrase (stick this command in your startup directory to make life easier).

Now, when Putty is run, it will detect the presence of Pageant and attempt to authenticate using the key you’ve provided. Bear in mind that if you’ve not configured a host correctly, login will fail silently. Thus, it’s worth checking the ‘Attempt “keyboard-interactive” (SSH2)’ option in the ‘Auth’ section of Putty’s options so that you’ll get a password prompt if key authentication fails.

Now just look after your private key and pass-phrase and all will be well with the world.
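The three host-side things that make key authentication fail silently (the authorized_keys line format, the ~/.ssh permissions and a commented-out sshd_config directive) are all mechanical checks, so here they are as an added example that is not part of the original post. The sample key below is a constructed blob with the right wire structure but meaningless numbers, not a real key; the function names are my own.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_type_of(blob: bytes) -> str:
    """The first wire string in any public-key blob is its algorithm name."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def to_authorized_keys_line(text: str, default_comment: str = "") -> str:
    """Accept either the RFC 4716 block puttygen saves as a .pub file or the
    single line it shows in its window; validate the blob and return the
    single-line form that authorized_keys requires."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty key text")
    comment, claimed_type = default_comment, None
    if lines[0] == RFC4716_BEGIN:
        if lines[-1] != RFC4716_END:
            raise ValueError("missing RFC 4716 END line")
        body, i = lines[1:-1], 0
        # Headers are "Name: value" (base64 never contains ':'); a value ending
        # in a backslash continues on the next line.
        while i < len(body) and ":" in body[i]:
            name, _, value = body[i].partition(":")
            while value.endswith("\\") and i + 1 < len(body):
                i += 1
                value = value[:-1] + body[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            i += 1
        b64 = "".join(body[i:])
    else:
        parts = " ".join(lines).split(None, 2)
        if len(parts) < 2:
            raise ValueError("expected '<type> <base64> [comment]'")
        claimed_type, b64 = parts[0], parts[1]
        if len(parts) == 3:
            comment = parts[2]
    blob = base64.b64decode(b64, validate=True)   # raises ValueError on junk
    key_type = key_type_of(blob)
    if claimed_type is not None and claimed_type != key_type:
        raise ValueError(f"prefix {claimed_type!r} does not match blob type {key_type!r}")
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def is_valid_key_text(text: str) -> bool:
    """True if the pasted text converts cleanly; check this before writing it."""
    try:
        to_authorized_keys_line(text)
        return True
    except ValueError:
        return False


def install_authorized_key(home: Path, key_line: str) -> Path:
    """Append the key once and enforce the modes sshd's StrictModes insists on."""
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    present = ak.read_text().splitlines() if ak.exists() else []
    if key_line not in present:
        with ak.open("a") as fh:
            fh.write(key_line + "\n")
    os.chmod(ak, 0o600)
    return ak


def install_in_tempdir(key_line: str) -> tuple:
    """Install the same key twice into a scratch HOME; report (dir mode, file mode, lines)."""
    with tempfile.TemporaryDirectory() as d:
        ak = install_authorized_key(Path(d), key_line)
        install_authorized_key(Path(d), key_line)
        return (stat.S_IMODE(ak.parent.stat().st_mode),
                stat.S_IMODE(ak.stat().st_mode), len(ak.read_text().splitlines()))


def sshd_pubkey_settings(config_text: str) -> dict:
    """Effective values of the two directives: the '#' is stripped first, so a
    commented-out line counts as absent, and sshd keeps the first value it reads."""
    wanted = {"PubkeyAuthentication": None, "AuthorizedKeysFile": None}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0] in wanted and wanted[parts[0]] is None:
            wanted[parts[0]] = parts[1]
    return wanted


# Constructed sample: structurally valid ssh-rsa blob with dummy exponent and modulus.
_FAKE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xab\xcd\xef" * 8)
_FAKE_B64 = base64.b64encode(_FAKE_BLOB).decode("ascii")
SAMPLE_PUB_FILE = "\n".join([RFC4716_BEGIN, 'Comment: "rsa-key-\\', '20110101"']
                            + [_FAKE_B64[i:i + 64] for i in range(0, len(_FAKE_B64), 64)]
                            + [RFC4716_END])
EXPECTED_LINE = f"ssh-rsa {_FAKE_B64} rsa-key-20110101"
```

The .pub file puttygen writes is the multi-line RFC 4716 block, which sshd will not accept; the text in the puttygen window is the single-line form. Converting rather than retyping avoids the "what format does authorized_keys want" dance, and the prefix check catches a line whose type label does not match the blob it carries.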

The following are pretty useful to get you up and running:

Leeds and the Bomb (Part 2)

I started putting this together yesterday morning before North Korea spat its dummy over the border to the South. Here’s hoping the timing isn’t prescient.

A week off work and I have finally got around to properly scanning my mother’s copy of Leeds and the Bomb at a usable resolution. The versions here are 20% the original scan and haven’t been processed apart from being resized and saved as PNG in Paint.Net. Click the thumbnails for the resized versions. I have high-resolution copies available and can post them if anyone wants them. The images are readable (and are pretty faithful to the state of the original pamphlet after twenty one years). A bit of tweaking of contrast in your image editor of choice can tart them up quite nicely though.

Leeds and the Bomb - Copyright notice

The pages are below. Reading them, you might reasonably ask whether Leeds City Council which produced the pamphlet might have something to say about it being reproduced on-line. A quick look at page two will tell you that this brilliant little pamphlet was an early example of a publication released under a form of proto-creative commons.

Former Councillor Brian North said in a comment on the earlier post:

I devised and edited Leeds and the Bomb. The booklet sold 60,000 copies worldwide and went into three print runs. Reproduced in Holland, Germany, Japan, USA.

We can add the internet to that list now.

Leeds and the bomb - Cover

The cover cleverly juxtaposes the apocalypse with lovely shades of pink and baby blue (in fairness, my copy is rather faded so the colours were probably more appropriate originally). Look closely and you’ll see that the pamphlet is well-thumbed. The markings left by a terrified youth.


Governance in the cloud

One of the IT department’s less official roles has been as a gatekeeper to an organisation’s infrastructure. The cost and time-to-market constraints that are sometimes imposed by internal IT can lead to applications being cancelled, and even to their not being proposed in the first place. By allowing the business to side-step the IT department, though, cloud computing enables departments and individuals within organisations to get new applications up and running quickly and with investment largely focussed on development.

Where internal IT is imposing unreasonable delays and costs, this is going to be great for businesses. There are some major caveats to add though. In particular, a lot of the governance and ‘red tape’ that internal IT seems to impose is actually about protecting an organisation’s data. By checking that things like backup and recovery have been considered and planned for, IT ensures that an organisation’s data, reputation and ultimately its business are protected. Where those checks are bypassed, it is fair to expect that the ‘boring’ aspects of application development and deployment will not get the attention they really require. The litany of data loss horror stories never seems to abate. Cloud computing service providers may provide the tools to implement effective backups, but that won’t guarantee that developers will use them.

To be clear, the threat here is not that organisations will use cloud computing, which will be a great addition to the IT tool-box. The threat is the same as that posed by applications running on servers sitting under people’s desks; it is the same threat as that posed by data that leaks on portable drives; the threat is that broken governance can lead to no governance and that organisations will be compromised as a result.

The solution is for internal IT and their management to build cloud computing into their governance and release management models. In much the same way as for suppliers of physical infrastructure, organisations need to choose their suppliers and build standards for development and deployment. By doing this, they can ensure that all applications, whether hosted internally or in the cloud, are checked for compliance with data protection, availability and security requirements.

There’s something else to say here though and that’s to remember quite how much due diligence vendors of physical infrastructure are put through before purchase decisions are made. Ultimately, even an SLA isn’t really enough unless you are convinced that the organisation to which you are trusting your data is able to follow through on their promises. I wonder what the cloud services RFP equivalent of a double disk pull will be?

Leeds and the bomb

I have a little project that I’ve been putting off for quite a while as it involves a little work (!). I did most of my growing up in the 1980s. For the most part that was a decade of mullets, leggings and the first wave of banking types making an absolute bloody mint then buggering it all up. More importantly though, the 1980s were a period when people were legitimately afraid that the world might imminently end in a nuclear fire ball. At various times during that decade, we really did come very close to the missiles being let loose.

Leeds, a city of (then) around half a million people in the North of England, played host to a faded football team (now freshly faded following an all too brief return to success) and a lot of dead industries. It also had a council which, like most outside the South of England, was run by a vaguely left-wing (note for modern day conservatives, when I write “vaguely”, you may read “rabidly”) Labour council which insisted that Leeds was a ‘nuclear free zone’. However silly a designation this might have been (and it was silly as there was not a nuclear power station within 100 miles and the river Aire isn’t suitable for sailing nuclear submarines), it did mean that the council put considerable effort into explaining the precise impact on Leeds that a putative nuclear strike might have.

The result of these efforts was the production of an amazing pamphlet called, “Leeds and THE BOMB” [original emphasis]. This thing was a wealth of horror for a young boy – I absolutely loved it. Between incredible graphs and diagrams (using a design that is absolutely of its time but which still looks great today) showing estimated casualties and fatalities were interspersed descriptions of the injuries that people would likely suffer. For an eight year old, these were quite clearly the stuff of nightmares. Consequently, I couldn’t stop reading it.

For years, I forgot about it, then recently had a discussion with a friend where we discussed ‘Threads’. This film, a fictionalised account of post-nuclear-holocaust Sheffield (another Yorkshire town – I wonder to what extent the inherent ‘grimness’ of England’s North contributed to an obsession with nuclear destruction) was another great source of nightmares, albeit in my teens. The upshot of this conversation was that we both remembered this brilliant pamphlet but could find simply no trace of it on the internet.

This was a bit of a surprise frankly. How could something so brilliant not be available online? I intend fixing this frightening omission and plan over the next few days to finally get scanned copies of the pamphlet’s pages up onto the Web in all their horrible glory. Luckily for posterity, my mother found a copy lurking in a box somewhere and has been kind enough to scan the pages. Sadly, her scanner isn’t much cop and when I’m back in Europe I will get better versions done. For now though, they are legible and a great reminder of quite how bloody terrifying it could be growing up in the 1980s.

Leeds and THE BOMB 007

Just to whet your appetite, this two page spread shows the likely impact of blast, burn and fallout damage across Leeds resulting from a (comparatively small) one megaton bomb. To get a feel for how I felt about this diagram at the time, I lived right, bang, smack in the middle, where it says ‘University’.

More to come over the weekend. Hopefully, over time I will be able to get together some of the history behind this pamphlet including who produced it and what discussions were had about its likely effect (including on impressionable young science fiction fans like my young self). I might also do a few comparisons between the diagrams in ‘Leeds and THE BOMB’ and some of the more modern simulators such as HYDEsim.

—————————————————

Edit (10th January 2011): I have now put the full version of the pamphlet on-line.