Dear A.P. – Encrypt your telephones.

Well, not what I’d intended. I’d intended to get back to “International Affairs” as they relate to world stability and economic outlook, and back to some stock trading (now that I have a secure method of using my stock trading account again… yes, I’d largely backed off of on-line trading until I had a solution to the Java vulnerability). But things didn’t work out that way.

Seems that Dear Leader and / or Dear Leader’s Minions decided that “contact tracing” the entire Associated Press was ‘a good thing’ for “security” (and, one presumes “for the children“…) Why? Because someone in Government was suspected of leaking. So the right to privacy (the foundation, BTW, of Roe v. Wade) gets thrown under the bus if an Agency suspects their own government of talking to the press? Well excuse me, but that’s the PURPOSE of a Free Press. To be an outlet for Regular Folks to undermine the foundations of tyranny. If the leak is valid, it is a positive feature for the strength and health of a democracy. If the leak is invalid, then both the leaker and the press agent end up looking the fool and the press agent is likely to “leak” themselves about just who lied… Untidy? Unpleasant? Certainly. Reality is like that.

So our government has decided that Freedom Of The Press is only at the pleasure of unnamed government agents and agencies.

At least, at last, the Press Corps has shown a tiny bit of spine and is actually asking some non-lap-dog questions. Perhaps they will eventually generalize to the I.R.S. being used as a political tool of oppression of dissent and the use of the Military as a political chess piece (with the death of Diplomatic Corps folks as a consequence) to create a political narrative. Heck, they might even start to ask about Gun Walking to Mexico and the recent “push” in some overly liberal media of stories pro-gun-restriction saying that most of the guns used in criminal acts in Mexico come from the U.S.A. – leaving out the furnishing and pushing of those guns in a government run Gun Walking operation… The stink from all of those, collectively, is strong enough to wake up even the most numb brown nose in the White House Press Corps. The question now being “for how long?” will they stay awakened.

Perhaps even Congress will realize that if THEY want to talk to the Press, they too will end up in a report on the desk of the Administration… (Anyone who thinks that the ‘contact tracing’ was neatly focused only on a D.O.D. related leak doesn’t know how this works. You map ALL contacts. Then search that space for who is likely to be the path of most interest. By necessity, ALL contacts are identified and assessed as to likely purpose and effect.) So Dear Congress: You make the laws. How about restoring some of the Right To Privacy for We The People, and remember that you are part of We The People; especially when a “contact trace” is being run on the Press.

Technical Solutions

So now I find myself forced to look into technical solutions to telephony interception and contact tracing. Not what I wanted to do today at all. I run in “phases”. Interest then rotates back to other things. I’ve done several technical posts in a row now, and I’m getting a bit jaded on the whole Tech Thing and my “novelty seeking” need is starting to push at me… yet I’m being herded by circumstances into more Tech. So please, bear with me for a bit longer. I promise to get back to “other things” soon.

First off, you need an encrypted phone. There are many ways to do that. Skype encrypts calls, but with a proprietary scheme that nobody outside the company can review (and now that it’s owned by Microsoft, I’d be a bit worried about government asking for ‘back doors’ to be inserted…) so one quick thing to do is swap to some Skype based communications until you get a better solution in place. Realize that sending a ‘tweet’ or an open email saying ‘call me on Skype’ is itself a ‘contact trace’, so the “set up” of the contact must be done by other more discreet methods (to be worked out in another posting, but ‘burner’ email, encrypted, is a good first option). For now, just presume that you slipped someone a card with a Skype address on it and / or another anonymous contact point.

Eventually, there’s a need to get a more “appliance” like solution. I’ll be doing an article on “public key encrypted email” at some future point. This does not hide the ‘contact trace’ but does let you send a private message. So setting up a disposable email account, using the contact’s public key to send an encrypted text with YOUR contact info and public key, and then “burning” that email account; that lets you communicate the ‘request for contact’ in a darned hard to find / track method. (Provided the recipient is at all careful to not save that message in clear text…) Once you have a private “contact me here” message, then what?

You could use something like Skype on a computer “not your own” (where the Dongle Pi comes into play again… so I need to look for Skype like software on the Pi…) and preferably from a public WiFi access point. If not doing that, is there a regular telephone like solution?

Well, to start with, use an encrypted phone. Even if the “contact trace” says the two of you talked, it says nothing about what was discussed. Encrypting the communications makes a ‘tap’ fairly useless. Now the Agency has to break into the equipment and crack the system to get to the clear form communications. I’m presently searching for encrypted phone solutions on Linux (and will be looking for a Raspberry Pi encrypted phone solution – it does have an audio jack) but until that’s done; or for folks more interested in commercial products, there are such systems commercially available. This one caught my eye as it ships with its source code for independent review. That does not make it impossible for a vendor to be leaned on to insert a hidden back door, but it does make one findable by anyone who reviews the code; the remaining check for a careful buyer is to confirm that the firmware actually running on the device was built from the source that was reviewed.

http://www.endoacustica.com/encrypted_telephone.htm

ENCRYPTED TELEPHONE VoIP
Encrypted Telephone

Welcome to the End of the Telecommunications Interception Age.

Trustworthy Voice Encryption

The Encrypted Telephone VoIP comes with full source code available for independent review. Finally, you can perform an independent assessment to ensure that you can rely on strong encryption without any backdoors in the communications device that you entrust your security to.

The Encrypted Telephone VoIP enables you to put the trust where it belongs – in a trustworthy, open and scientific verification process.

GSMK CryptoPhone technology is based on well-researched algorithms for both encryption and voice processing. It features the strongest encryption available combined with key lengths that provide peace of mind today and in the future.

TECHNICAL SPECIFICATIONS
Telephone IP Network Interface

Gigabit Ethernet IEEE 802.3 10/100/1000 BaseT with RJ45 plug
Compatible with Inmarsat BGAN satellite terminals
Optional IEEE 802.11b/g/n wireless LAN support

Voice Encryption

Secure voice over IP communication on any IP network
strongest and most secure algorithms
available today – AES256 and Twofish
4096 bit Diffie-Hellman key exchange with SHA256 hash function
readout-hash based key authentication
256 bit effective key length
encryption key is destroyed as soon as the call ends

Device Protection

Encrypted storage system for contacts protects confidential data against unauthorized access
Hardened Linux operating system with security optimized components and communication stacks protects device against outside attacks
GSMK CryptoPhones are the only secure phones on the market with full source code available for independent security assessments.
They contain no proprietary or secret encryption, no backdoors, no key-escrow, no centralized or operator-owned key generation, and require no key registration.

Interoperability

Fully compatible with all GSMK CryptoPhone IP mobile, satellite and fixed-line encryption products
IP PBX integration with virtual extensions
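The “4096 bit Diffie-Hellman key exchange” and “readout-hash based key authentication” items in that spec sheet describe a pattern worth seeing end to end: the two phones agree a fresh secret per call, and each displays a short string derived from that secret which the callers read aloud to each other. What follows is an added example written for this post, not GSMK’s or any vendor’s code. It assumes a toy 127-bit group so the example runs instantly; the structure is the same with the 4096-bit group the spec names, and the labels “voice-key” and “readout” are my own choice.

```python
"""Diffie-Hellman key agreement with a spoken "readout hash".
Added example for this post; not vendor code. ASSUMPTION: the group
below is a toy (a 127-bit Mersenne prime) chosen so the example runs
instantly; a real phone uses a 4096-bit group as the spec sheet says.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # toy prime 2^127 - 1; NOT a real-world group size
G = 3                # toy generator


def dh_keypair(p=P, g=G):
    """Fresh ephemeral key for one call: (private x, public g^x mod p).
    Nothing here is reused, so discarding x at hang-up destroys the
    session key ('encryption key is destroyed as soon as the call ends')."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(my_priv, their_pub, p=P):
    """g^(ab) mod p: identical on both ends if nobody tampered with the exchange."""
    return pow(their_pub, my_priv, p)


def secret_bytes(shared, p=P):
    return shared.to_bytes((p.bit_length() + 7) // 8, "big")


def session_key(shared):
    """256-bit key for the call cipher (AES-256 / Twofish in the spec)."""
    return hashlib.sha256(b"voice-key" + secret_bytes(shared)).digest()


def readout(shared, length=6):
    """Short authentication string both callers read aloud. Derived with a
    separate label so speaking it reveals nothing about the session key."""
    h = hashlib.sha256(b"readout" + secret_bytes(shared)).hexdigest()
    return h[:length].upper()


def honest_call():
    """Two parties, no interference: both readouts agree."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ka = dh_shared(a_priv, b_pub)
    kb = dh_shared(b_priv, a_pub)
    return readout(ka), readout(kb)


def tapped_call():
    """An active tap swaps its own public values into each leg. It can then
    decrypt both directions, but Alice and Bob now hold different secrets,
    so the readouts they speak to each other will not match.
    Returns (alice_readout, bob_readout, tap_can_decrypt)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    t1_priv, t1_pub = dh_keypair()   # tap's key facing Alice
    t2_priv, t2_pub = dh_keypair()   # tap's key facing Bob
    ka = dh_shared(a_priv, t1_pub)   # Alice believes t1_pub came from Bob
    kb = dh_shared(b_priv, t2_pub)   # Bob believes t2_pub came from Alice
    tap_a = dh_shared(t1_priv, a_pub)
    tap_b = dh_shared(t2_priv, b_pub)
    can_decrypt = (session_key(tap_a) == session_key(ka)
                   and session_key(tap_b) == session_key(kb))
    return readout(ka), readout(kb), can_decrypt


if __name__ == "__main__":
    print("honest call readouts:", honest_call())
    print("tapped call readouts:", tapped_call())
```

The point of the readout is that the tap cannot make both strings agree without also being able to imitate each caller’s voice at the moment they compare them; it is the one step the phones cannot do for you, so actually say the string out loud.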

There’s even folks in Germany offering such products, so you don’t need to worry about “U.S. Export Restrictions” on cryptography (GSMK, whose CryptoPhone is what the spec sheet above describes, is itself a German company):

http://www.cryptophone.de/

GSMK introduces new groundbreaking secure mobile phone

Launch of trailblazing Android-based secure mobile phone at the world’s largest information technology trade show

I’ve not “vetted” the product, especially for ‘contact tracing’ security, but they look like they’ve done their homework:

http://www.cryptophone.de/en/use-cases/private-individuals/

• All GSMK Cryptophone products are interoperable with each other

• Secure mobile telephone calls can be established on any number of mobile networks (including roaming and cross border connections)

• The use of the Thuraya satellite network allows secure calls from areas without GSM coverage or when the user does not want to be visible on the local GSM network

Thuraya is a satellite phone operator, so that option keeps the call off the local GSM carrier’s network entirely; the trade-off is that the satellite operator then holds the call records instead, so it hides you from the local telco, not from everyone. GSM (Global System for Mobile Communications) is the signalling method commonly used on phones outside the USA, but also by some USA based carriers. I’ve had GSM phones in California and they work well. CDMA networks are more common in the USA; while TDMA is the old “gargling underwater” signalling method on early AT&T services that is now deprecated / obsolete. But it looks like a system worth exploring.

It looks like the Australians can pick up a solution as well:

http://spycity.com.au/gsmk-cryptophone-400.aspx

GSMK Cryptophone 400

The GSMK CryptoPhone 400 is a secure IP mobile phone for secure voice over IP communication on any network – GSM, 3G or WLAN.

The CryptoPhone 400 gives you the flexibility to conduct secure voice over IP calls using either GSM, 3G/UMTS, or wireless local area networks.
This unmatched flexibility combined with:

secure messaging
a hardened operating system
encrypted storage for your confidential contacts, messages and notes

provides you with 360-degree protection in a sleek, elegant package including a brilliant 3.2-inch TFT LCD high-resolution touch screen

Quad-band GSM
Dual-band UMTS/HSDPA / WCDMA with HSUPA support
IEEE 802.11 b/g Wireless LAN
Voice & SMS encryption
Secure storage
Hardened WM 6.5 operating system
Standby: Up to 360 hours
Secure talk time: Up to 5 hours

Note: Available to Australian & New Zealand Purchasers only.

That ability to work over a WiFi link is a nice touch. Lets you drop into Starbucks for that call that’s not going to show on the corporate LAN… (It will still show on the coffee shop’s network: the access point logs the phone’s MAC address and the IP endpoints of the call, so this moves the record rather than eliminating it.)

I’ll leave the rest of the search for a Commercial Solution to folks who have a real need. I’m going to be putting some “mindshare” on finding an open source roll-your-own solution for those of us who do not have $Million I.T. budgets and corporate staff to provide the solution. I figure A.P. has a Director of I.T. (or perhaps even Chief Information Officer) who can work out a solution for them. (If not, I’m available… “chiefio” came from that job role in my past…)

So no, not a “how to roll your own” in this posting. This is just the “line in the sand” marker. The notice that: If you do not presently have a ‘contact trace’ proof and ‘tap proof’ telephony solution, the time to start selecting one is now.

Since the GSMK source is available for review, it is tempting to think it could be ported to most any Linux device; but “source available for independent assessment” is not the same as an open source license, so check the license terms before assuming you may build or redistribute it. In any case, it looks like some folks are already using the Raspberry Pi in telephony applications:

http://www.techweekeurope.co.uk/news/raspberry-pi-gsm-network-cambridge-102553

Raspberry Pi Runs a Mobile Phone Network In Cambridge

The £25 Raspberry Pi becomes a GSM base station
On December 21, 2012 by Max Smolaks

Engineers from PA Consulting Group have managed to create a GSM base station based on the tiny Linux-powered computer Raspberry Pi and some open source software, running their own mobile phone network in a sealed room.

Operating a mobile network usually requires an expensive GSM base station and other infrastructure, but Cambridge-based PA conducted this experiment to highlight the hidden value of cheap, off-the-shelf solutions, keeping the system tucked indoors to avoid encroaching on licensed spectrum belonging to mobile operators.
[...]
Now, it turns out the tiny computer can also successfully route voice and SMS traffic through a GSM network. PA hooked up the Raspberry Pi to a radio interface and, using two pieces of open source software (OpenBTS and FreeSWITCH), made it perform the same functions as a 30-foot cellphone tower.

The wireless experts had to tweak the software by hand, as well as code-optimise the signal processing. Once this was done, the new network was capable of connecting mobile phones at PA labs. The consultancy tested the device in a special facility, to ensure no laws on frequency spectrum were broken.

“This proves what can be achieved through low-cost off the shelf-systems. Just imagine the other possibilities that other such low cost technologies could inspire across other sectors and industries,” commented Frazer Bennett, a technology expert at PA.


So this also means that a private company, say A.P., can set up their own GSM access point inside their building. Now all calls to / from that point go through their Linux box and they can choose what data gets out about who is talking to whom. It would take a bit of work, but essentially one could add the equivalent of NAT (Network Address Translation) to that phone switch so that the actual originating phone ID is hidden behind the switch’s own identity. Furthermore, the call can be routed out to the internet and on to a ‘relay’ to mask point of origin, and then back to The Congressman on his / her Skype account. Now the “contact trace” just shows a call originating from Vidalia Washington (or wherever the relay is planted) and nothing about the individual or their actual location. The “contact trace” is broken, with one caveat: it stays broken only as long as the relay keeps no records that can be demanded, and as long as nobody holding records from both sides of the relay lines up start times and durations to re-pair the two legs. A single relay hides the origin from the far end; it does not hide it from whoever can see both hops.

No, don’t know if anyone has such services set up yet. Yes, they WILL come into existence… In theory, anyone could make such an Onion Router like service for internet based telephone calls.

So that’s where I’m “Digging Here!”. Looking for what it takes to capture and secure both the content (via encryption) and the contact trace (via re-routing / IP masking).
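To make the weak spot of the relay idea concrete, here is an added example (not from the original post) of the re-linking that someone holding call records from both sides of a relay can do. All records, names and times below are constructed sample data; the slack values are assumptions about how much delay and clipping a relay adds.

```python
"""Timing correlation across a relay: why hiding the caller behind a relay
only holds until records from both of its sides are lined up.
Added example for this post. All records are CONSTRUCTED sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    src: str
    dst: str
    start: float     # seconds since some epoch
    duration: float  # seconds


# Leg 1, as the callers' carrier sees it: every call goes to "relay".
INBOUND = [
    CallRecord("reporter-A", "relay", 1000.0, 300.0),
    CallRecord("reporter-B", "relay", 1500.0, 120.0),
    CallRecord("reporter-C", "relay", 2000.0, 60.0),   # two calls start
    CallRecord("reporter-D", "relay", 2000.5, 61.0),   # almost together
]

# Leg 2, as the callees' provider sees it: every call comes from "relay".
OUTBOUND = [
    CallRecord("relay", "congressman", 1000.4, 299.6),
    CallRecord("relay", "staffer", 1500.3, 119.7),
    CallRecord("relay", "editor", 2000.3, 59.8),
    CallRecord("relay", "lawyer", 2000.9, 60.7),
]


def correlate(inbound, outbound, start_slack=2.0, duration_slack=3.0):
    """For each inbound leg, list outbound legs that began within start_slack
    seconds AFTER it (a relay cannot forward before it receives) and lasted
    about as long. Returns {caller: [possible callees]}."""
    links = {}
    for a in inbound:
        links[a.src] = [b.dst for b in outbound
                        if 0.0 <= b.start - a.start <= start_slack
                        and abs(b.duration - a.duration) <= duration_slack]
    return links


def relink(inbound, outbound, **kw):
    """Split the result into pairs re-identified outright and pairs still
    ambiguous because other calls overlapped them."""
    links = correlate(inbound, outbound, **kw)
    certain = {c: d[0] for c, d in links.items() if len(d) == 1}
    ambiguous = {c: d for c, d in links.items() if len(d) != 1}
    return certain, ambiguous


if __name__ == "__main__":
    certain, ambiguous = relink(INBOUND, OUTBOUND)
    for caller, callee in certain.items():
        print(f"{caller} -> {callee}")
    for caller, callees in ambiguous.items():
        print(f"{caller} -> one of {callees}")
```

Only the two calls that happened to overlap keep any ambiguity, and even that shrinks once the certain pairs are eliminated. The practical lesson for an Onion Router style voice service is that it needs more than re-addressing: calls have to be held to fixed slot lengths or mixed with cover traffic so that start times and durations stop being a fingerprint.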

Anyone else with ideas / information, this is a giant “Dig Here!!”.

I think a whole lot of reporters are about to get an education in encrypted email, telephony, and contact tracing… If you work for A.P. (or any other news agency) I suggest a phone call to your I.T. department asking about the availability of encrypted phones and contact trace proof telephony solutions. It’s going to be a busy day in the news room, and you don’t need Big Brother with a bug in your ear…


MicroSoft Access Point Sharing

Some things can just be bizarre at times…

I was looking at a different thing, wrangling with MicroSoft over why my LAN connection is marked as an untrusted public network and how can I make it “home”… ( I think that’s why turning on samba on the Dongle Pi didn’t get the files seen… while using wireless did). Well, one thing leads to another, and I “disable” the interface (in the hope that when re-enabling it, I can say “that one is home too!”… which it doesn’t let me do after all…)

But along the way ANOTHER interface shows up. It’s named “oddly” and being perpetually worried about potential exposures, think maybe it’s someone inserting an interface. Some exploration follows…

Turns out it’s a Microsoft 1/2 a feature… Something not “done” yet, but still working… I can turn my laptop into an Access Point and then “share” my internet connection (even if a wireless one…) out that access point. Yes, the ONE wireless interface acting as both my internet connection AND an access point for others…

This would, for example, let me extend the range of an Access Point by connecting with my laptop and then sharing it on to the range of my laptop. Or in the hotel I could “sign up” with the laptop, then share with other devices in the room or even with friends next door. (When in the Motel 6 at Disneyland and they wanted some nuisance fee to use the internet, like $3 for the day, and I just wanted to do a 4 minute mail check, I could instead “share it out” to the rest of the family including the kids in the next room over and thus justify the cost, since they use it more than I do.)

It also means that folks with the necessary equipment and software release can become an improvised sharing point for private group communications fairly easily. Since “file sharing” is allowed by default, you can easily have file passing. (Rather like we saw here: http://chiefio.wordpress.com/2013/05/09/small-group-communications-wo-internet/ )

So to test it, I decided to just use the Dongle Pi and connect back to the laptop wireless and then on out to the internet. And it worked… Though not without some problems along the way (mostly in Microsoft Land…)

First off, realize that this software “has issues” as it is a 1/2 done project that got cancelled, so you don’t turn it on with a nice GUI interface. It’s from the command line with Administrator Privs turned on. It also is not very robust to “change” and it required some changes to the DonglePi config to adapt to that.

First off, how to do it:

You need particular levels of M.S. Windows and a WiFi connection that works.

http://www.wi-fiplanet.com/tutorials/article.php/3849841 lists the details.

By Eric Geier

November 24, 2009

The wireless Hosted Network feature in Windows 7 lets anyone with a supported Wi-Fi adapter and driver become a wireless AP for other Wi-Fi users, while also having the ability to connect to another wireless network.

So this has been kicking around for at least 3+ years.

Back in 2002, the research department at Microsoft started experimenting with the virtualization of 802.11 wireless adapters under the project code name VirtualWiFi. They discovered a way to make a single physical Wi-Fi adapter look like multiple adapters in Windows.

VirtualWiFi lets users simultaneously connect to multiple wireless networks with only one wireless card. They hoped this technology could be used in a variety of applications, including wireless diagnosis and troubleshooting, Wi-Fi mesh networking, virtual access points, and wireless repeating.

What is a wireless Hosted Network?

Though the VirtualWiFi project disbanded before the feature was fully implemented, Microsoft has included some of the underlying functionality in Windows 7 and Windows Server 2008 R2. Microsoft coined the name, wireless Hosted Network, for this new feature.

The wireless Hosted Network feature uses the VirtualWiFi technology along with a software-based access point (AP) feature. Thus, it lets anyone with a supported Wi-Fi adapter and driver to become a wireless AP for other Wi-Fi users, while also having the ability to connect to another wireless network. It also includes a DHCP server, so users automatically receive an IP address.

OK, skipping some stuff, the “How To”:

There’s some caveats in that article, like it WILL be an encrypted link WPA2-PSK, and anyone with the pass phrase gets to see any stuff you are sharing…

It is set up via an “Administrator command shell”. Seems that being in the Admin group isn’t enough; with UAC on, a normal command prompt runs without the admin token, so you must explicitly start an elevated one. OK, some more searching turned up how. http://www.mydigitallife.info/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/ There are a couple of ways, but the quickest is “Yet Another Right Click Hidden Trick”… You right click on the Command Prompt menu item rather than the regular click, and pick “Run as administrator”. Ok…

Now you get to start doing Admin Command Lines…

netsh wlan set hostednetwork mode=allow ssid=YourVirtualNetworkName key=YourNetworkPassword

So, for example, you could give it the name “LaptopShared” and the password must be a WPA2-PSK passphrase of 8 to 63 characters, so PasswordForMyFriends would work….

Now you need to turn on ICS (as we saw in the Dongle Pi article). This presented a problem as I had already turned it on, and I’d hard assigned that number block to the laptop / Dongle Pi ethernet. (when you share your network interface with internet to the other interface, you can only share it to ONE of them, and it WILL be forced to the IP M.S. likes.) As I’d already set that subnet to be used on the hard wire, it balked. OK, I got to redo the IP range used by the Dongle Pi ( I just turned 192.168.137.x into 192.168.37.x …) and restart it all. Now, turning on ICS let me assign the sharing to the Virtual WiFi interface.

So get ICS running shared to that interface. It shows up as “Microsoft Virtual WiFi Miniport”.

Once sharing is on, and the wlan is configured, you get to “start” it. Since it doesn’t auto start or survive “sleep”, or shutdowns, you get to do this every time you want to use it…

netsh wlan start hostednetwork

There is also a “stop” command: netsh wlan stop hostednetwork
and one to see what’s happening: netsh wlan show hostednetwork

And to change the password / passphrase, just re-run the set command with a new key:

netsh wlan set hostednetwork key=YourNewNetworkPassword

(There is also “netsh wlan refresh hostednetwork key”, but that generates a fresh random key rather than taking one you pick; “netsh wlan show hostednetwork setting=security” displays the key currently in effect.)

The article repeatedly stresses that “Sharing isn’t blocked” so you will want to keep this limited to folks you trust, or only run on a laptop with nothing of interest… (though it’s a little unclear just what sharing isn’t blocked…)
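Since the procedure above has to be repeated after every sleep or reboot, and since “sharing isn’t blocked” means you want to know exactly who is attached, here is an added helper written for this post (not Microsoft code). It checks the passphrase against the WPA2-PSK rule, builds the exact netsh command lines used above, and parses the output of “netsh wlan show hostednetwork” to list attached client MACs. The SAMPLE text is a constructed approximation of that command’s layout; field labels may differ slightly between Windows builds, and on anything other than Windows the script falls back to the sample.

```python
"""netsh hosted-network helper: passphrase check, command lines, and a
parser for 'netsh wlan show hostednetwork' output. Added example for this
post, not Microsoft code. SAMPLE is a CONSTRUCTED approximation of the
real output."""
import re
import subprocess
import sys


def check_psk(key):
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(key) <= 63 or not all(32 <= ord(c) <= 126 for c in key):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return key


def hosted_network_cmds(ssid, key):
    """The two netsh invocations from the post, as argv lists."""
    check_psk(key)
    return [
        ["netsh", "wlan", "set", "hostednetwork", "mode=allow",
         "ssid=" + ssid, "key=" + key],
        ["netsh", "wlan", "start", "hostednetwork"],
    ]


STATUS_RE = re.compile(r"^\s*Status\s*:\s*(\S+)", re.M)
# Client lines are indented MAC + state; the BSSID line starts with a label
# and therefore does not match.
CLIENT_RE = re.compile(
    r"^\s*([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\s+(\S+)\s*$", re.M | re.I)


def parse_show_output(text):
    """Return (status, [(mac, state), ...]) from 'show hostednetwork' output."""
    m = STATUS_RE.search(text)
    status = m.group(1) if m else "unknown"
    clients = [(mac.lower().replace("-", ":"), state)
               for mac, state in CLIENT_RE.findall(text)]
    return status, clients


def unexpected_clients(text, allowed):
    """Attached MACs that are not on the list of your own devices."""
    _, clients = parse_show_output(text)
    allowed = {a.lower().replace("-", ":") for a in allowed}
    return [mac for mac, _ in clients if mac not in allowed]


SAMPLE = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "LaptopShared"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 00:11:22:33:44:55
    Radio type             : 802.11n
    Channel                : 11
    Number of clients      : 2
        aa:bb:cc:dd:ee:01        Authenticated
        aa:bb:cc:dd:ee:02        Authenticated
"""


def show_hostednetwork():
    """Run the real command on Windows; elsewhere fall back to the sample."""
    if sys.platform == "win32":
        return subprocess.run(["netsh", "wlan", "show", "hostednetwork"],
                              capture_output=True, text=True).stdout
    return SAMPLE


if __name__ == "__main__":
    for argv in hosted_network_cmds("LaptopShared", "PasswordForMyFriends"):
        print(" ".join(argv))
    text = show_hostednetwork()
    status, clients = parse_show_output(text)
    print("status:", status)
    for mac, state in clients:
        print(" client", mac, state)
    print("not on my list:", unexpected_clients(text, ["aa:bb:cc:dd:ee:01"]))
```

Run it from the elevated prompt after starting the hosted network; anything reported under “not on my list” is a device holding your passphrase that you did not expect.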

The Dongle Pi

Meanwhile, back at the Dongle Pi, I was having some issues. While some of them were related to the various number shiftings, part was from the ICS not being up so Domain Resolution was failing. I added some more DNS servers to the DHCP ‘prepend” list, then figured out that ICS had evaporated when I’d done the interface musical chairs… which lead back to that IP conflict that needed resolving up above. Got all that sorted out…

Then found that the WLAN Config program was not happy; having picked up state with one IP number, it was unhappy with the changes to the WLAN IP (as it swapped from the original to the ICS mandated one). Moral of story: It’s best to do all the changes first, THEN test it…

A reboot of the Dongle Pi reset everything (though likely just a service stop / start would have been enough). Then the WiFi Config found “LaptopSharepoint” (what I named it) just fine, put in the pass phrase, and proceeded to launch a web browser… that worked…

Now just tracing where the packets go in this mess is a bit interesting…

So I’m typing on my laptop keyboard and watching the laptop screen. They are connected via VNC to the Dongle Pi over the built in hard wire ethernet. The Dongle Pi running Linux puts that into a browser, that it sends to “the internet” via that Wireless WiFi Dongle, that connects back to the Laptop WiFi being shared out on one set of IP numbers.

The Laptop, acting as an Access Point Router, repackages those bits, puts them into a new IP network, and sends them back out the WiFi connection to the Access point of the house, that sends them on to the Telco.

So it will appear with exactly which MAC address where? I have no idea… I suspect it shows up as the MAC address of the WiFi dongle on the Dongle Pi (as that’s what is originating network packets), yet it passes through the laptop as a WiFi HotSpot.. and eventually comes out my home router to the internet (so a trace route ought to find my boundary router to the telco, but it’s doing NAT, so the stuff behind it is hidden)

Frankly, I think one would need to put packet sniffers on things to figure out what is actually in the packet headers as they leave the laptop for the internet…

In Conclusion

I don’t see much reason to actually use the Dongle Pi on the Virtual Wlan of the laptop that is hosting it via wired ethernet. Yet it is a strange thing, and strange has the opportunity to confuse attackers. (Frankly, I’d not want to be on the stand trying to explain that tortured path to a jury and get a conviction based on my testimony that I knew it was “that machine”… when they would not even be able to keep straight what all machines were in use…)

I’m much more likely to keep the idea of a Laptop-Access-Point somewhere handy. Yes, it needs better characterization as to “what is shared”, but frankly, someday this box will be “uninteresting” and due for replacement. At that point having it be an ‘ersatz hotspot and file server’ is a great ‘reuse’. Even now, simply by leaving my personal data inside the encrypted containers, it’s safe. (Not much chance of pulling down a 100 GB file and not being noticed. Fractional parts are useless. It can’t be cracked anyway…) So I’d be more than happy to use it as a “Family share point” on trips, just leaving my stuff in the crypto vault.

Well, having now sunk several hours into this peculiar backwater of tech, I’m still stuck with a LAN interface that shows up as “unidentified network, public access” with the park bench icon… and still don’t see how to turn it into a ‘home network’ so I can see if “Samba To The Dongle” works with network discovery. I may have to turn on wide open access on “public networks” to test it, then back it out later. I’d like to have Samba to the Dongle Pi, just so I can get “stuff” from the Dongle Pi to the Laptop at ‘end of sessions’. Making checkpoint / restart easy. But not at the expense of leaving the laptop open and visible…

For some unknown reason, it is insisting on keeping the LAN interface “public”. Oh Well… that will have to wait for tomorrow. For now, it’s time to wrap up for the day. But at least I got a “Share the hotspot” AP feature out of it all…


Dongle Pi

DonglePi set up for use from the laptop

This is a Raspberry Pi board (the $35 B type with ethernet and 2x USB connectors) set up with a TP-Link TL-WN722N type WiFi Dongle. The 722N comes in two types, one with an external antenna (shown) and one without an external antenna that looks just like this one, but without the antenna connector on the side. This one cost $5 more at Fry’s (where I paid $19.xx for it, not willing to wait for internet shipping…) Why this one? Because it is known to work as an Access Point under Debian on a Raspberry Pi and I have that as the next project. What I really wanted was the “button sized” dongle for about $9 with the RAlink chipset in it, but Fry’s didn’t have those. (It is known to work in both A.P. mode and Mesh mode at the same time, where this one is only ‘one at a time’)

So this is a little under twice as long as it needs to be for portable / pocket use. With the button type, it would also have less risk of torque on the USB connector causing some damage… The adapter comes with a USB extension cable in the box, so one could use that for more “fixed” locations. In this case I just wanted a quick field test so left it a bit long, gangly, and potentially liable to having the WiFi adapter torqued… For actual day to day use, I expect it to be on the extension cable and up on the dashboard of the car (if in a parking lot and needing the added range to reach the nearest StarBucks WiFi hotspot while sipping my coffee in the comfort and quiet of my car – I generally make it a habit to always buy something at the places where I use the hotspot from the car; but Starbucks doesn’t always have power plugs open and some are way too loud / noisy… where I come equipped with power in the car, a comfy seat, and music of my choice / loudness…)

For actual clandestine use, I’d get the button dongle on the RPi and then put the device into a small box. In use, in the Starbucks, nobody noticed me assemble it and slip it into a pants pocket. (Folks are remarkably focused on themselves, generally.) Even after I pulled it out and put it on the table, nobody seemed to notice. (With the antenna on it, I think anyone who did see it would take it for a WiFi Dongle only; and in fact that’s a decent “cover story”; just say “the WiFi in the laptop died and this is an add-on” or even “The laptop is old and slow, this is a 150 Mbps high speed I’m working on.” which is actually true in my case. ;-)

Here’s a picture of it in the cargo pants pocket. Note that with the button dongle it would not show up at all. Just two wires into a pocket…

Dongle Pi in Cargo Pants Pocket

For anyone wondering if I’m “into camo” or a wild eyed Militia Type or “whatever” just because the pants are camouflage pattern: I bought these when in Florida (they are ‘shorts’, though you can’t see that in the picture) as I desperately needed something that wasn’t “long dress pants”. I went into Target and had exactly and only one criterion: “Shorts that are damn cheap and not an offensive color, on me, like pink…” These were the cheapest ( $10 IIRC on sale / clearance). They have been very useful over the years, thanks to the pockets, but were purely an accidental pattern choice. It’s really silly to wear camo shorts for the camo effect; with Neon White / Pink legs sticking out of them anyway ;-) ( I have a full cover camo suit for any actual camo needs – such as hunting for food – that I’ve worn all of once as a Halloween costume; there not being much need for camo-survival-hunting in the Urban Jungle where a charcoal suit is more effective “camo” than is green blotch…) I don’t have anything against Militia Types either; our history says we adults ARE the militia, like it or not. It’s just a bald-faced lie to use “Militia” in a derogatory put-down way. The Militia is any adult, during times of need / crisis. (Historically any male adult, but times have changed.) So while I do endorse the idea of the Militia groups, holding onto the historical root of power originating from We The People; I’m just not “into it” myself. Nor do I do the “camo thing” as any kind of statement. I just buy cheap ass clothes… So, that out of the way, back to Geek Stuff…

The laptop provides power to the RPi and WiFi dongle via the little black USB / MICRO-USB connector. ( I emphasize the micro as I thought I had lots of ‘those small USB’ cables… and found out that my cameras et al. were using MINI not Micro… they are almost the same to visual inspection unless side by side.) Ethernet is provided by the blue ethernet cable. In practical use, a better color would be ‘wood brown’ as that’s the color of many Starbucks chairs / walls / tables, or any of: black, gray, putty, dark brown. I.e. all the ‘not a color’ colors ;-)

Why not just connect to it from the laptop via WiFi? Well, in fact, I can see a use for that. BUT: Part of the ‘design goal’ here was just to make the laptop VERY secure and private. If I’m advertising my MAC address via the WiFi in the laptop, I’m leaving records of my laptop presence on any WiFi system that cares to record it. It is also open to various kinds of sniffing and attack on the packet stream and potentially to folks breaking in to the laptop. So while a “WiFi to the Pi” ;-) would be useful at home, it’s less useful “in the wild” where part of the goal is to eliminate records of where the laptop has been and protect it as a place where more personal stuff can be kept more private. At home, I have connected via WiFi to the Pi and used it as a web proxy surfing appliance. Works fine. In the field, by using the hard wire connection and shutting off the laptop WiFi, I can have a truly private link to my “proxy” on the internet. IFF doing anything “clandestine”, I could also just pitch a $9 button dongle when done, and not worry about some forensics tying that MAC address to me or my laptop. (Spark Plug Wires do a great job of frying electronic parts prior to pitching ;-)

Still to be done things include encrypting that laptop / RPi link (though it isn’t really needed), and putting TrueCrypt on the RPi so on powerfail there isn’t anything left open. Alternatively (and a longer term project) is to make the RPi a “boot from locked USB image” as opposed to boot from active file system image. (Think “Live CD” type instead of “From Disk” type). That way nothing is ever written to the SD card anyway. At present the Operating System is a live pseudo-disk on SD card, not a “Live CD” type. I’m sure that will change over time. I have a copy of Puppy Linux on it that I’ve not tried yet, and it has a “Live CD” type structure. So another “someday” project…

What Good Is It?

The laptop holds a locked / standard image of the RPi OS fully configured and lacking anything at all distinctive or ‘about me’. I can “flash” that image onto the SD card in a couple of minutes and it is a ‘pristine’ web appliance. Now, from the laptop, I can connect to the RPi and use it to do things like web surfing or “whatever”. IFF I land on some site that tries to put crap on my machine or “track me” with cookies or “whatever”, they do that to the RPi. At the end of my session, it gets powered down, and the SD card gets “flashed” again back to pristine. (Eventually, with a write locked SD card, even that step becomes unnecessary). In essence, it is like using a “Bootable Live CD” Linux on the laptop.

So why not just do that Live CD thing?

First off, it leaves my hard disk “available” to the Linux that is running. Even if I don’t “mount” it, someone who breaks into the system while in use could do so. Only if I’m “watching” would I see that happen. (Yes, I watch. I use “w” which is a Linux / Unix command to keep up a panel of active processes and look at it from time to time. Anything happening out of the ordinary will show up. In another panel, I have “df -ks” on a ‘once a minute’ cycle. That shows me the mounted file systems – in kB – and ought not to change…) So it’s some protection, but not full protection.

Second, and most important for me, this particular HP Laptop has a funky video driver that was not supported in Linux last time I looked ( 2 years ago?) and I just didn’t want to deal with it. Making a custom built Linux isn’t for everyone, where a generic RPi dongle is more “approachable”.

Finally, it still imprints my MAC (network hardware unique number) Address into various tracking and forensics logs. Not that I have any reason to care, I just don’t like it. This whole “excursion” in my life path came about when The Constable decided to raid Tallbloke and run off with his computers. As he had his laptop confiscated (no doubt to be scrubbed for anything that could be used to tie him to FOIA-2011 including the MAC address from any email / file upload records at WordPress or elsewhere) that was a bit “chilling”. FOIA had simply posted a message on Tallbloke’s blog. THAT was enough to get him raided on suspicion he had posted to himself as a foil. OK, I run a blog. What if FOIA had posted on my blog? So time to “get defensive”. (So right off the bat I put TrueCrypt on the laptop and stuff is all inside encrypted containers; which also prevents hackers seeing it either. I only decrypt / mount a container if I need what is in it at that moment; and even then often have the WiFi NOT connected when the container is open…) But really what I wanted was a way to simply not use the laptop for anything other than a “screen server”. So any old “crap top” can be a keyboard / monitor. Then, if it “goes away”, I don’t give a damn. Similarly, if the RPi “goes away”, I don’t give a damn. All the “important stuff” will be in encrypted containers and stored off site. (Another project for some future posting). Essentially, I’m breaking the link between any particular bit of hardware and “my stuff” and “my actions”. Having a “disposable Linux Dongle” is part of that. It’s 100% disposable, from computer board to SD chip to WiFi dongle. And it’s 100% generic. Someone takes it, they get nothing (after the SD is re-flashed and WiFi dongle ditched, or once it’s write protected) and I’m back up and running in minutes off the reserve copy and spare parts.

Can it be used by Black Hats to do bad things? Certainly. They also use cars and wear clothes too. Shall we ban cars, hats, sunglasses and gloves because Bad Guys use them? How about banning airplanes? They were used to kill thousands in NYC. Banning is a lousy way to attempt crime control. It just doesn’t work worth a damn. So we now have confiscate first, prove innocence later behaviour from the cops (that also doesn’t work well / properly ) and this is simply a prudent response by a private blog operator to abusive policing actions. Essentially, too much police state behaviour causes more innocent folks to act like Bad Guys and use tools (build tools) usable by Bad Guys in response to bad policing policy. That doesn’t make the innocent citizen a Bad Guy, it means the Police are acting in a negative way, and everyone, Bad Guys and Innocents alike, find “common cause” in the methods to “dial back” the police intrusion. (This is a common issue in law enforcement, BTW. I taught a forensics class to White Hats and one of the things I did was hand out “cracking tools” CDs. Forensics often uses the very tools created by Black Hats to break into machines. It gets dressed up as “Ethical Hacking”, but the reality is that the tool knows not who uses it. Be that tool a gun, a car, or a computer.) I’ve generally worked on the White Hat side, and this tool too can be a White Hat tool. One of the “Live CDs” I downloaded and tested was a U.S. Govt. issued one for secure email reading for government employees “on the road” and connecting from hotel WiFi. They could just as easily use one of these for their email reading platform to protect their laptop from intrusion.

As a sidebar advantage: It’s just nice to have a Linux machine to play on. I’m an “Old Unix / Linux Guy” who has been using it as my dominant compute platform since the early ’80s. I find Microsoft a PITA (though more usable now, in a stupid kind of way) and the Mac a very pleasant warm fluffy safe jail… it’s possible to get ‘under the covers’ to the Unix like world under the Mac skin, but it’s just so much trouble… I like my wild and wooly Linux / Unix machine where at a couple of characters I can be SuperUser and do anything I want. I like being able to pop open a command line interface and do all those things I’ve learned to do over 35 years or so of practice and NOT have some ass telling me I can’t via some software trap. And, frankly, all the commercial software folks are larding on ever more auto-update auto-tracking auto-buggering crap that is just offensive to anyone who wants their computer to be their computer and other folks keep their damn nose out. So I just like having “my world” where I can go do what I want, how I want, and not worry that the next “auto-update” will break things, open a security hole (thanks, Java… /sarc;) or just nag me to death. Linux is a “from the people up” world, and I like it that way.

Building Dongle Pi

I’ve got a fairly long write up on how to do it. I’ve not yet done my usual “Q.A.” on the write up. That is, to start from scratch, doing only what is on the written sheets, and prove it all works as written. (In F.D.A. terms, a “Qualified Installation”. I did those once. Any drug company must send a document to the F.D.A. stating exactly how to recreate their equipment used in any computer operation. So, for example, if you used a NetApp to store your data for your drug trials, you have to say how to set one up. If you write “Turn the red power switch to on” that will fail if the color of the switch is changed to yellow, and is ‘questionable’ due to the use of ‘turn’ for a rocker switch… yes, it’s that ‘nutty / picky’. So you write the directions as “the power switch is located and put into the ‘on’ position applying power to the system”. Yes, it pays well to be able to do “qualified installs” ;-) I’ll get back to that level of “proving up” after Mother’s Day is over…

For now, here’s a ‘rough notes’ version.

Making Dongle Pi.

Materials:

Raspberry Pi B (A to come later via USB Ethernet).

Ethernet Cable – 1 ft to 10 ft ( 1 to 3 ft preferred)
MICRO-USB to USB (power) cable ( 3ft – cost 99 cents at Fry’s)

TV (composite with RCA video, or hi definition with hdmi and HDMI cable)
USB Mouse
USB Keyboard – All three only for initial ‘bring up’. Can be skipped with pre-built Pi SD card

SD Card – minimum 4 GB, preferably 8 GB. Up to 32 GB Ultra SanDisk if desired. I used the “Ultra” Sandisk and a Patriot Micro 8 GB and both worked.

Creation Station – Windows Laptop or Desktop with SD card slot or added SD / USB adapter and USB slot. Basically, a way to write the SD card and a ‘terminal server’ to control the Dongle Pi. Preferably the laptop that will be used as workstation.

Laptop / MS Windows box software needed:

PuTTY -

Purpose: To provide a relatively generic terminal session on various equipment, such as a Raspberry Pi or any other Linux / Unix machine (and many other kinds of routers, switches, whatever…) A ‘command line interface’ for configuring things and turning things on, like that nice graphical interface you really want…

Get from: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

download via: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe for M.S. Windows executable

VNC -

Purpose: A remote graphical desktop interface to the target system. It lets you have a graphical desktop environment on the Puppet Pi via a screen / keyboard / mouse on your laptop.

Get from: http://www.tightvnc.com/download.html

download via:

32 Bit Machines: http://www.tightvnc.com/download/2.7.1/tightvnc-2.7.1-setup-32bit.msi

64 Bit Machines: http://www.tightvnc.com/download/2.7.1/tightvnc-2.7.1-setup-64bit.msi

Win32DiskImager -

This works much more easily than the manual process of card formatting on the Mac / Linux world. At some future point I’ll work out a simple / easy way from the Linux side, but as most folks do have a M.S. Windows computer (and as mine has a built in SD card slot while the Linux White Box didn’t…) this was just a lot easier on that laptop.

Purpose: To store SD Card images onto the laptop, or copy them from the laptop to SD cards.

Get from: http://sourceforge.net/projects/win32diskimager/

download via: http://sourceforge.net/projects/win32diskimager/files/latest/download

TrueCrypt - optional. Only needed if you wish to keep the contents secret / really secure.

Purpose: To encrypt files, file systems, whole disks, and generally keep your files private.

Get from: http://www.truecrypt.org/

download via: http://www.truecrypt.org/downloads

The Raspberry Pi install method:

http://www.raspberrypi.org/phpBB3/viewtopic.php?f=41&t=6225

how to use: IFF you want all the Raspberry Pi configuration files and software hidden away when not in use, so that they can not be buggered, hacked, or even just noticed, you will make a “TrueCrypt Container” and mount it as an encrypted file system. It will only be mounted when needed, and the rest of the time will look like some other innocuous file.

I’ve not installed TrueCrypt on the RPi yet, so you are on your own on that one, for now.

Basic System Install

Basic Debian Wheezy:

Download the basic system image from the Raspberry Pi site:

http://www.raspberrypi.org/downloads

Direct download: http://downloads.raspberrypi.org/images/raspbian/2013-02-09-wheezy-raspbian/2013-02-09-wheezy-raspbian.zip

Via a Torrent: http://downloads.raspberrypi.org/images/raspbian/2013-02-09-wheezy-raspbian/2013-02-09-wheezy-raspbian.zip.torrent

Then using Win32DiskImager, write it to the SD card.

Put the SD card into the Raspberry Pi board.

First Life configuration and connection to laptop ( ICS )

Configure ICS Internet Connection Sharing in your Laptop or Desktop (and have it connected to the Ethernet). Settings, network, “share” the interface to the internet (the wireless interface for my laptop). Alternatively, plug a wire from the Ethernet of the RPi into your home network router / hub as a wired connection.

This, ICS, will cause the wired interface of your laptop to become 192.168.0.1 / 255.255.255.0 (192.168.137.1 on newer versions of Windows; see the fixed IP section below) and start a rather obnoxiously brain dead DHCP server on it. (It gives out near random IP numbers and can not be configured). When the Raspberry Pi is powered up, it will be given some IP number, but not one you can predict, so you need to have a keyboard, mouse, and monitor long enough to find out what it is. Alternatively, you can have an external Ethernet hub with cables and connect into your existing home network then ask your router what IP numbers are assigned to which devices (mine has a nice display in a web page).

Connect the Ethernet cable from the RPi to the laptop. Connect the keyboard, mouse, and video monitor. Then connect the MICRO – USB cable from the Raspberry Pi to the USB power source (laptop or USB Hub or other USB power source of 1000 mA.)

This will start the Pi booting up. A screen will appear on the TV set with several options. For mine, the display sometimes “rolled” and hitting return would stop it. Use the tab key to select “expand file system to use whole SD card”. Then the ‘select’ button. It is also a good time to choose the “update” option at the bottom of the panel, but we can also do that later. When done, choose “finish”. The RPi will now bring up a standard desktop. This selection panel only appears once. If you don’t do this now, you will need to run it again later with “sudo raspi-config”. IFF you want your RPi to launch a nice graphical environment on the TV ports on boot, you choose that option here as well. This will suck up about 150 MB of memory, so don’t do that on systems that will be almost always run “headless” (no need wasting that memory…)

At this point, the Raspberry Pi is up and running in a standard Debian mode. You can connect to it over SSH with a client like PuTTY (the Raspbian image ships with the SSH server already enabled, on port 22) and get a line oriented terminal session that is sufficient for most all of the configuration. Eventually, you will want a graphical interface to it, and it is possible once the graphical interface is up, to open a ‘terminal window’ on the Raspberry Pi from inside that graphical desktop. The default user id is “pi” and the default password is “raspberry”. Change that password (“passwd”) before the WiFi dongle ever joins a public hot spot: sshd listens on the wireless interface too, and the stock credentials are the first thing anyone on that hot spot will try.
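If the TV, keyboard and mouse are a nuisance, the ICS-assigned address can also be read from the laptop’s own ARP cache once the Pi has booted and exchanged a few packets with it (its DHCP lease is enough). The following is an added example in Python 3, not part of the original write-up: it parses the output of “arp -a” in both the Windows and Linux layouts and picks out entries whose MAC address starts with b8:27:eb, the OUI registered to the Raspberry Pi Foundation and used by the Model B’s on-board Ethernet. The two ARP listings in the script are constructed samples, and the OUI match is an assumption you should confirm against the sticker on your own board or “ifconfig eth0” on the Pi.

```python
import re
import subprocess

# OUI (first three octets) of the Raspberry Pi Foundation's on-board Ethernet.
# Assumption: your board's MAC starts with it; check with `ifconfig eth0`.
RPI_OUIS = ("b8:27:eb",)

# One ARP entry: an IPv4 address, then the first MAC-looking token after it.
# Windows prints "192.168.137.45  b8-27-eb-3c-2a-11  dynamic";
# Linux prints  "? (192.168.137.45) at b8:27:eb:3c:2a:11 [ether] on eth0".
ARP_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})"            # IPv4 address
    r"\D+?"                                 # separators; no digits allowed between
    r"((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",  # MAC with ':' or '-' separators
    re.IGNORECASE,
)


def parse_arp(arp_text):
    """Return [(ip, mac)] for every entry, MAC normalised to aa:bb:cc:dd:ee:ff."""
    entries = []
    for m in ARP_ENTRY.finditer(arp_text):
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        entries.append((ip, mac))
    return entries


def find_pi(arp_text, ouis=RPI_OUIS):
    """Entries whose MAC starts with one of the given OUIs (the Pi candidates)."""
    prefixes = tuple(ouis)
    return [(ip, mac) for ip, mac in parse_arp(arp_text) if mac.startswith(prefixes)]


# Constructed sample listings (not captured from a real machine).
SAMPLE_ARP_WINDOWS = """\
Interface: 192.168.137.1 --- 0xb
  Internet Address      Physical Address      Type
  192.168.137.45        b8-27-eb-3c-2a-11     dynamic
  192.168.137.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

SAMPLE_ARP_LINUX = """\
? (192.168.137.45) at b8:27:eb:3c:2a:11 [ether] on eth0
? (192.168.137.1) at 00:1e:4f:aa:bb:cc [ether] on eth0
"""

if __name__ == "__main__":
    # Live run on the laptop: ask the OS for its ARP cache and report matches.
    live = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    found = find_pi(live)
    if not found:
        print("no Raspberry Pi OUI in the ARP cache yet; wait for the Pi to finish booting")
    for ip, mac in found:
        print(f"Raspberry Pi candidate: {ip} ({mac})  ->  try PuTTY to {ip}:22")
```

Run it on the laptop after the Pi has been up for a minute; every candidate it prints is an address you can point PuTTY at. Newer boards use other OUIs, so extend RPI_OUIS if your MAC does not start with b8:27:eb.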

Update Firmware

I didn’t do this step. I’m only putting these notes here as reference should it ever be needed.

From: http://www.megaleecher.net/Raspberry_Pi_Firmware_Update

We will be using the rpi-update tool developed by Hexxeh, to install it use the commands below at terminal.

sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

sudo apt-get install ca-certificates

Once installed, user can use rpi-update anytime at the terminal to fetch and install the most current version of the Raspberry Pi firmware and kernel. Make sure to reboot your RasPi after every update.

Update the Debian Operating System

To get the current list of software package dependencies (so following additions work) do the following at a command prompt (in PuTTY from the laptop; or via a ‘terminal’ in the LXDE windows environment on the TV screen):

sudo apt-get update

Or can be done at first boot of generic w/ bottom menu item of ‘update’.

To upgrade the installed packages (on Raspbian this also pulls in newer kernel / bootloader packages) do:

I didn’t do this step either, as the kernel was working fine.

sudo apt-get upgrade -y

VNC Install

The Virtual Network Computer interface is used to get that graphical windows manager on your laptop screen, driving the Raspberry Pi board. The VNC Manual Page (called a ‘man page’) is at:

http://linux.die.net/man/1/xvnc

You can do this step via the Raspberry Pi keyboard, and TV Monitor, or via PuTTY from the laptop. As I find the TV an annoyance (mine is ‘composite’ – i.e. old and low resolution), I used PuTTY. In either case, open a “terminal session”.

the commands to get and install VNC on the Raspberry Pi are listed at this web site:

http://elinux.org/RPi_VNC_Server

As of now, the directions say:

Instructions
Log in to your Pi and install the Tight VNC Package
$ sudo apt-get install tightvncserver
Next Run TightVNC Server which will prompt you to enter a Password and an optional View Only Password

*(do a ‘touch .Xauthority’ first? Chmod 664? -EMS )*

$ tightvncserver
Once that is done you can start a VNC server from the shell prompt. This example starts a session on VNC display zero (:0) with full HD resolution:
$ vncserver :0 -geometry 1920x1080 -depth 24
(If fonts appear the wrong size, add ‘-dpi 96′ to the end.) Or you could create a script to save typing in the whole thing.
$ nano svnc.sh (call the file whatever you like)
*(I used vncsrv.sh and :2 1280 x 640 x 16 -EMS )*
Add the lines:
#!/bin/sh
vncserver :0 -geometry 1920x1080 -depth 24 -dpi 96
Ctrl-x y (To Exit Nano and Save)
Set the file to Execute
$ chmod +x svnc.sh
then to run
$ ./svnc.sh
Run at boot.
Start a root session
sudo bash

Create a file in /etc/init.d with a suitable name such as vncboot with the following content.
#! /bin/sh
### BEGIN INIT INFO
# Provides: vncboot
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start VNC Server at boot time
# Description: Start VNC Server at boot time.
### END INIT INFO

# /etc/init.d/vncboot
# (the #! line must be the very first line of the file or the kernel will not run it)

USER=root
HOME=/root

export USER HOME

case "$1" in
start)
echo "Starting VNC Server"
#Insert your favoured settings for a VNC session
/usr/bin/vncserver :0 -geometry 1280x800 -depth 16 -pixelformat rgb565
;;

stop)
echo "Stopping VNC Server"
/usr/bin/vncserver -kill :0
;;

*)
echo "Usage: /etc/init.d/vncboot {start|stop}"
exit 1
;;
esac

exit 0
Modify the file permissions so it can be executed
chmod 755 /etc/init.d/vncboot
Enable dependency based boot sequencing
update-rc.d /etc/init.d/vncboot defaults
If enabling dependency based boot sequencing was successful, it says
update-rc.d: using dependency based boot sequencing
But if it says
update-rc.d: error: unable to read /etc/init.d//etc/init.d/vncboot
then try the following command
update-rc.d vncboot defaults
Reboot your Raspberry PI and you should find a vncserver already started.

As I didn’t want a “root” VNC window just a single password away, I changed that to a different user in the script (pi). I also needed to use 1280 x 640 and 16 bit color depth to get things to fit the laptop screen and have better performance. VNC sends the whole bit map of the screen (no Graphics Processor Unit in use…) so it’s a big performance and network hit to be computing and sending large deep screens every time a bit changes… So I changed that ‘launch’ line to:

sudo -u pi /usr/bin/vncserver :2 -geometry 1280x640 -depth 16 -pixelformat rgb565

that gives me a “pi” VNC session instead, and cuts the size back to fit. I also put it on “2″ so I connect with (your ip range):5902 for example: 192.168.1.100:5902 if you had that IP number assigned to the RPi. (At a terminal window, type “ifconfig” and note the IP number assigned to eth0 to see what you have gotten.)

I have also put “sudo -u pi” in front of the kill command line, but that is likely optional and I’ve not tested it.

Two cautions on the VNC side. The tightvnc password is cut to 8 characters and the VNC session itself is not encrypted, and vncserver listens on every interface, so once the WiFi dongle is up the desktop on port 5902 is reachable from the hot spot side as well as from the laptop. Adding “-localhost” to that launch line restricts it to connections from the Pi itself; the laptop then reaches it by forwarding a local port through the SSH session (in PuTTY: Connection > SSH > Tunnels, source port 5902, destination localhost:5902) and pointing the VNC viewer at 127.0.0.1:5902. That also covers the “encrypt the laptop / RPi link” item from the to-do list above.

Install Tight VNC on your desktop from the link below; or most VNC clients work I believe.

http://www.tightvnc.com/download.php

These instructions are for Ubuntu and are only noted as I’m going to try putting it on a Pi later just to see how bad it gets using one RPi to log onto another in a chain ;-) For most folks, it will be ‘download the M.S. Windows version and click to install”. Realize that you do NOT need the “server” on your laptop. That is to let you connect TO the laptop from some other machine and see the laptop screen. You need only the “Viewer” (that any normal software person would call a client… but X Server folks are a bit silly on that…)

Or install it using your package manager. The following works on my ubuntu 11.10 workstation
sudo apt-get install xtightvncviewer
Then use :1 (e.g. 192.168.1.2:1) as the host name when connecting.[1]
Works Great, select full screen from the tool bar and a full 1080p 24bit desktop is yours from anywhere.
1. ↑ You can put your raspberry pi in /etc/hosts on Linux systems. I think you can make such a file on windows too. Then you can refer to your raspberry pi as “rpi” or whatever you called it.

As noted above that config will give you a ‘root’ desktop, and is ‘risky business’. Better to use a user desktop. I didn’t use this method, but it’s in that link. I hacked the ‘at boot’ script instead…

Getting VNC Server to Work on a Specific User
Instead of using the script in the Raspberry Pi wiki, use this one provided by “PenguinTutor”:
#!/bin/sh
# /etc/init.d/tightvncserver
# Customised by Stewart Watkiss
#http://www.penguintutor.com/linux/tightvnc
# Set the VNCUSER variable to the name of the user to start tightvncserver under
VNCUSER='pi'
eval cd ~$VNCUSER
case "$1" in
start)
su $VNCUSER -c '/usr/bin/tightvncserver :1'
echo "Starting TightVNC server for $VNCUSER "
;;
stop)
pkill Xtightvnc
echo "Tightvncserver stopped"
;;
*)
echo "Usage: /etc/init.d/tightvncserver {start|stop}"
exit 1
;;
esac
exit 0
Now, change the VNCUSER=pi to your desired username, so for example: VNCUSER=jsmith
That’ll make it boot on the username you want it to boot on… but I then received the grey screen error when remotely accessing the Pi from my computer. The way you fix this is to open up the xstartup file that was created when VNCSERVER executes on your desired username. You access and edit it with:
sudo nano .vnc/xstartup
.vnc is usually in the home directory.
Delete everything that is in xstartup (or not in as mine was), and add this:
#!/bin/sh
xrdb $HOME/.Xresources
xsetroot -solid black
/usr/bin/lxsession -s LXDE &
Now it should work.

Desktop / Apps enhancement

To add “Iceweasel” (firefox) browser:

sudo apt-get install iceweasel

You can do the same thing for “chromium” (an open / free version of Chrome) but I don’t know why anyone would ;-)

Change the Hostname:

Open a terminal session. Set the new hostname to whatever you like by editing two files and restarting the “hostname” service. (Yes, it’s a full blown service… who knows why…)
sudo leafpad /etc/hostname
or sudo vi /etc/hostname for us old Unix guys ;-)
(In reality, I get tired of typing “sudo” all the time, so I just do “sudo bash” and get a “root shell” and just type the regular commands… “exit” or Ctrl-D to leave the root shell when done).
change “raspberrypi” to whatever you like.
sudo leafpad /etc/hosts or sudo nano /etc/hosts for the new kids ;-)
change “raspberrypi” to the same thing everywhere (it is on the 127.0.1.1 line; leave “localhost” alone).
sudo /etc/init.d/hostname.sh start

Set A Fixed IP Number

For use as a ‘plug in a DHCP world and go’ machine, the process is basically done. Other than installing “transmission”, that’s what I did for my Torrent Server. Yet for use on a laptop dongle, you really really want a fixed IP. Why? Because Brain-Dead Microsoft can’t assign the same IP number to the same computer two times in a row and doesn’t let you see the IP assignment table, that’s why. (Or buried it somewhere I couldn’t find, nor the dozen sites a web search turned up who also said to ‘give it up’…)

So since you connect via IP, and have 253 of them to search if you leave it on DHCP, “that’s a problem”. I used a single digit IP number, since MS seems to be assigning them in the 2 and 3 digit ranges, but not in the single digit range. (However, since you can not see nor change the assignment ranges, that’s a guess…) So something like 192.168.0.8 ought to work OK.

Since nothing else is on the wire, if MS assigns that number to something, it still ought to be ok. (Yes, I know that nothing ought to be asking for an assignment so no assignment ought to be done; but I’ve seen stranger things happen in M.S. Land. Like letting you see “dueling default gateways” where you can set one for each of two different interfaces, then it swaps between them about every 20 minutes. Took me most of a day to figure out that the way the ‘mail guy’ at a client site had set things up was with dueling default gateways and that was why they had sporadic 20 minute email delays. It would pick up for 20 minutes out one interface, then deliver for 20 minutes out the other. Setting ONE default gateway outbound, and fixed routing the private network inbound, fixed it. On the M.S. support site, in describing this bug, they said: “This behavior is by design”… and folks wonder why Unix / Linux guys don’t like M.S. products… too many weeks of my life wasted by them deliberately building bugs and calling them features…)

To set a fixed IP:

$ sudo nano /etc/network/interfaces

This will allow you to edit the file using nano.  Personally, I use “sudo vi”… as I’m an old Unix geek. One can also use leafpad in the graphical environment if logged in to a VNC window as root.

Change the line that reads
iface eth0 inet dhcp
to

iface eth0 inet static

Below this line enter the following.
address 192.168.137.8
netmask 255.255.255.0
network 192.168.137.0
broadcast 192.168.137.255
gateway 192.168.137.1

That “gateway” line lets you get from the Dongle Pi out to the internet through your laptop wireless connection for any further software updates / testing and until you get the wireless dongle installed. Once you have the dongle working wireless, you would remove that “gateway” line from this file so you stop using the laptop as your internet gateway. At this point, you have a “Dongle Pi” that works through the laptop, but not via wireless. Useful for some things, like having a private Linux on a Dongle where you could put things or just use Linux tools.

Realize that older versions of M.S. Windows used “192.168.0.x” and newer versions use “192.168.137.x” and you have no idea what M.S. will do to you in the future… so it’s best to check what the actual range is being used by your laptop prior to entering those numbers. It is possible, after ICS is turned on, to go to the network control panel and set the Windows IP to a ‘use this one’ value that you control and still have it work (though it stops doing DHCP, which is a feature IMHO given how brain dead their DHCP happens to be). That can be a ‘feature’ in that you can set it to an unusual ‘non routing’ value and anyone who DOES break into the RPi will not see “192.168.137.1″ and think “Oh, a M.S. Windows box doing ICS; attack with M.S.Windows cracking tool kit”.

The non-routing blocks are:

10.0.0.0 – 10.255.255.255

single class A network
10.0.0.0/8 (255.0.0.0)

172.16.0.0 – 172.31.255.255

16 contiguous class B networks
172.16.0.0/12 (255.240.0.0) or you can do:

172.22.4.0 mask 255.255.255.0 (that is, 172.22.4.0/24) to break out a class C sized chunk of it that will be just a bit obscure ;-)

192.168.0.0 – 192.168.255.255

192.168.0.0/16 (255.255.0.0)

Most often seen as things like 192.168.0.0 / 192.168.0.255 or 192.168.0.0/24
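To take the guesswork out of the numbers above, here is an added example in Python 3 (mine, not from the original post) that checks a proposed static address against its netmask and gateway, warns when the address falls outside the RFC 1918 blocks just listed, and prints the exact “iface eth0 inet static” stanza for /etc/network/interfaces. It also carves a /24 out of 172.16.0.0/12 the way the “obscure” option above describes. The addresses are the ones used in the text (including the 194.168.137.x typo, which it flags as a public address); nothing is written to the Pi.

```python
import ipaddress
import itertools


def plan_static(address, netmask, gateway, iface_name="eth0"):
    """Validate a static IPv4 plan and return (stanza, warnings).

    Raises ValueError for plans that cannot work at all (gateway off-subnet,
    address equal to the network or broadcast address, gateway == address).
    Non-fatal advice, such as a publicly routable address, comes back in
    `warnings`.
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    warnings = []

    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is not on {net}; the Pi could never reach it")
    if gw == iface.ip:
        raise ValueError("gateway must be a different host than the Pi itself")
    if not iface.ip.is_private:
        warnings.append(f"{iface.ip} is not in an RFC 1918 block; it shadows a real Internet address")
    if not gw.is_private:
        warnings.append(f"gateway {gw} is a public address")

    stanza = "\n".join([
        f"iface {iface_name} inet static",
        f"    address {iface.ip}",
        f"    netmask {net.netmask}",
        f"    network {net.network_address}",
        f"    broadcast {net.broadcast_address}",
        f"    gateway {gw}",
    ])
    return stanza, warnings


def carve(block, new_prefix, index):
    """Return the index-th subnet of `new_prefix` length inside `block`.

    carve("172.16.0.0/12", 24, 1540) -> 172.22.4.0/24: one obscure /24 out of
    the 16 contiguous class B private networks, instead of 192.168.0.0/24.
    """
    parent = ipaddress.ip_network(block)
    sub = next(itertools.islice(parent.subnets(new_prefix=new_prefix), index, None), None)
    if sub is None:
        raise ValueError(f"{block} has no subnet number {index} at /{new_prefix}")
    return sub


if __name__ == "__main__":
    stanza, warnings = plan_static("192.168.137.8", "255.255.255.0", "192.168.137.1")
    print(stanza)
    for w in warnings:
        print("WARNING:", w)
    # The typo from the text, 194.168.137.x, is caught as a public address.
    _, warnings = plan_static("194.168.137.8", "255.255.255.0", "194.168.137.1")
    print("\n".join("WARNING: " + w for w in warnings))
    print(carve("172.16.0.0/12", 24, 1540))
```

Paste the printed stanza over the “iface eth0 inet dhcp” line; the network and broadcast values are derived from the netmask, so they cannot disagree with the address the way hand-typed ones can.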

FWIW, I also set mine to use a specific set of DNS servers. The WiFi dongle will tend to pick up a DHCP address and the associated DNS servers when used to connect that way, or if used with DHCP on the ICS side, it will get DNS servers there along with default route information. But using chosen DNS servers has benefits. You can use DNS services that put in blocking of offensive sites or places that are known security risks. (Norton provides those) Or you can just use a known “nice” DNS server that doesn’t track you and / or tattle on you to “agencies” or is just in another country so doesn’t “localize” you. (Google provides fast DNS from their own custom software, but given their “track everything” business model, I have to suspect they track who contacts whom on their DNS requests… So I’d avoid them for anything you wish to keep ‘private’. Also, as your ISP tends to give you their DNS services on their wire, IFF an agency tracks you down to, say, Starbucks at this ISP, they could put monitoring on that DNS server to see what you are looking up. In that case, looking elsewhere for DNS is also a feature. Finally, some, like OpenDNS, redirect failed lookups to their web site to “help” you… you might not want that…

Configuring DNS is something most folks choose to avoid, and with good cause, but it also can be made much more robust with just a little work, and can fix many problems. For example, if you are using Bell South networking and their default DNS and they come under a DNS DDoS (Distributed Denial of Service) attack, you will slow down as your Domain Name Service lookups fail / slow. If, instead, you had several DNS servers in your list, a dead server would just be skipped in favour of the next one down the list (after the resolver’s timeout, so it is slower, but it works).

This is all completely optional, but nice to do.

If you will be doing much with networking, you will want the usual networking / DNS tools:

sudo apt-get install dnsutils

Initially I put the DNS list in /etc/resolv.conf where it belongs. But network guys are a confused sort. They have had ongoing ‘turf wars’ forever. The “old” method of using “config files” didn’t appeal to some, so they added other layers. And then more layers. And then things didn’t always work. And DHCP was supposed to be ‘no thinking required’, so having an /etc/resolv.conf file in charge was Not Acceptable, so the DHCP guys think THEY are in charge… eventually Sun added nsswitch (Name Service Switch) to let you sort out “who is in charge”… that then some other folks crowbarred their way around…

So there’s a big game of “who is really in charge?” that gets played in Network Land on Linux machines. For the RPi it looks like nsswitch might be ignored, and /etc/resolv.conf just gets overwritten by DHCP in any case. (My nsswitch says ‘files’ first, so the ‘files’ ought to rule, but… back at “I’m in charge!” network wars…) The two are actually answering different questions: the “hosts: files dns” line in nsswitch.conf only decides whether /etc/hosts is consulted before DNS at all; which DNS servers get asked comes from /etc/resolv.conf, and dhclient’s resolv.conf hook rewrites that file from the lease on every boot and renewal, which is why a hand-edited copy doesn’t survive.

So it looks like the place to edit is:

/etc/dhcp/dhclient.conf

where you add a line like:

prepend domain-name-servers 184.169.143.224,208.67.222.222,4.2.2.4,8.8.4.4;

Listing whatever DNS servers you like. Note that the glibc resolver only honours the first three “nameserver” lines in /etc/resolv.conf, so with four addresses prepended the last one is never consulted. There’s lots of choices in the “Open DNS” world, and choosing one is up to you. Some pointers though:

http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm

has this list:

Provider                         Primary DNS Server   Secondary DNS Server
Level3                           209.244.0.3          209.244.0.4
Google                           8.8.8.8              8.8.4.4
Securly                          184.169.143.224      184.169.161.155
Comodo Secure DNS                8.26.56.26           8.20.247.20
OpenDNS Home                     208.67.222.222       208.67.220.220
DNS Advantage                    156.154.70.1         156.154.71.1
Norton ConnectSafe               198.153.192.40       198.153.194.40
ScrubIT (may be out of service)  67.138.54.120        207.225.209.77
SafeDNS                          195.46.39.39         195.46.39.40
DNSResolvers.com                 205.210.42.205       64.68.200.200
OpenNIC                          74.207.247.4         64.0.55.201
Public-Root                      199.5.157.131        208.71.35.137
SmartViper                       208.76.50.50         208.76.51.51
Dyn                              216.146.35.35        216.146.36.36
censurfridns.dk                  89.233.43.71         89.104.194.142
Hurricane Electric               74.82.42.42          (none listed)
puntCAT                          109.69.8.51          (none listed)

Google claims innocent desire to speed things up. Yeah, sure…

https://en.wikipedia.org/wiki/Google_Public_DNS

Google Public DNS is a freely provided DNS (Domain Name System) service announced on 3 December 2009, as part of Google’s self-proclaimed effort to make the web faster. According to Google, as of 2013 Google Public DNS is the largest public DNS service in the world, handling more than 130 billion requests on an average day.
Google Public DNS provides the following recursive nameserver addresses for public use, mapped to the nearest operational server location by anycast routing:
IPv4 addresses
8.8.8.8
8.8.4.4

Think if The Govt asked for some info or to block certain IP lookups that Google would be more than glad to help in exchange for favorable business treatment? (Having your own DNS table / server lets you prevent that …)

Norton has some they claim are a value added set:

https://en.wikipedia.org/wiki/Norton_DNS

According to Symantec’s website their DNS service for home users offers the following options depending on how much filtering the user would like the DNS servers to perform for them.

Security
198.153.192.40
198.153.194.40

Security and Pornography
198.153.192.50
198.153.194.50

Security, Pornography and “Non-Family Friendly”
198.153.192.60
198.153.194.60

Open DNS offers:

208.67.222.222
208.67.220.220

and some folks don’t like their re-direct behaviour of failed lookups.

Yahoo has a DNS server at: 68.180.131.16 named ns1.yahoo.com

The Telcos usually have them. Some I know are:

dnsr1.sbcglobal.net 68.94.156.1
ns1.swbell.net 151.164.1.1

where I’d expect S.W.Bell has others named ns2, ns3, … but have not looked them up. Similarly, SBC likely has a dnsr2 and dnsr3.

I’m sure there are more, but you get the idea.

Well, enough on DNS. Just realize that most networking problems start with checking out what is the default gateway (or “route of last resort”, where packets go if you don’t have a specific routing table entry to say “take that interface there”) and then look to DNS failures. So “ping yahoo.com” first does a DNS lookup, while “ping 206.190.36.45” goes directly via the default route without a DNS lookup. (Yes, Yahoo! has generally been very nice about providing a ping responder. I typically have used them for diagnostics and they engender lots of good will in me by that. It’s a little thing, but much nicer than just blocking pings.)

So first try “ping yahoo.com” and if that does not work, while a direct IP ping does, you have a DNS problem…
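The gateway-first, then-DNS triage just described, as an added example that is not part of the original post: the probe targets are the post's 206.190.36.45 and yahoo.com, while the function names and the use of Linux `ip route` and `getent` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): "check the route of last resort
# first, then a raw IP ping, then a name lookup" as a small POSIX sh script.
# Assumes Linux `ip route` and `getent`; the targets are the ones the post uses.

# gateway_ip: the default gateway address, or empty if there is no default route
gateway_ip() {
    ip route show default 2>/dev/null | awk '$1 == "default" {print $3; exit}'
}

# ping_ok ADDR: one ICMP echo; given a bare address this never touches DNS
ping_ok() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# resolve_ok NAME: ask the system resolver only, without pinging anything
resolve_ok() {
    getent hosts "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# classify ROUTE GW_PING IP_PING NAME_LOOKUP (each "ok" or "fail")
# Pure decision logic, separated from the probes so it can be checked offline.
classify() {
    case "$1/$2/$3/$4" in
        fail/*)        echo "no default route: check link, cable and DHCP lease" ;;
        ok/fail/*)     echo "default route set but gateway not answering: local LAN or router problem" ;;
        ok/ok/fail/*)  echo "gateway answers but upstream address unreachable: ISP or routing problem" ;;
        ok/ok/ok/fail) echo "routing works but name lookup fails: DNS problem" ;;
        ok/ok/ok/ok)   echo "routing and DNS both working" ;;
        *)             echo "unexpected probe result: $1 $2 $3 $4"; return 2 ;;
    esac
}

# diagnose [ADDR] [NAME]: run the probes in the order the text recommends
diagnose() {
    addr="${1:-206.190.36.45}"; name="${2:-yahoo.com}"
    gw=$(gateway_ip)
    if [ -z "$gw" ]; then
        classify fail fail fail fail
        return
    fi
    classify ok "$(ping_ok "$gw")" "$(ping_ok "$addr")" "$(resolve_ok "$name")"
}

# Probes run only when the script is invoked with --run; sourcing just defines the functions.
if [ "${1:-}" = "--run" ]; then
    diagnose "${2:-}" "${3:-}"
fi
```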

In Conclusion

As noted, this is the ‘rough notes’. If you use them and “have issues”, please note what it was and I’ll fix it / provide consultation (on where I wrote it up badly ;-)

I have a DonglePi working as an attached Linux (via the laptop as default gateway) and as a “Wireless Dongle Pi” with the laptop as only an attached screen viewer (that “gateway” choice and the added WiFi dongle).

Why no directions on installing the WiFi dongle? Because by selecting one known to work, it just plugs in and works. Open a VNC session to the ‘pi’ desktop and click on the WiFi Config application. “Scan” for networks, enter any security options needed (for public hot spots, that’s none) and go.

With that, I’ve got a BBQ to start for today’s “burnt offering” and it’s time for me to take a break from hacking Pi. It’s been a fun couple of days, but I tend to go “down the rabbit hole” and everything else stops for a while ;-)

Hopefully this “cookbook” is helpful to folks and it will save someone some time. I’m also willing to “flash” an SD card with an image, test it in my RPi, and drop one in the mail to anyone who needs it done for them. For now, $20 + SD card cost ($5 for 4 GB, $8 for 8 GB at Best Buy near me) to the tip jar and a note that you want one in email with an address. Delivery “when I get around to it” but likely in the mail inside of a week.


Posted in Tech Bits | 23 Comments

Small group communications w/o Internet

Sometimes it amazes me what has already been done by creative people. One of the “new” (old) issues is private communications in a small group; made a bit more urgent by the newfound tendency of governments to shut off the internet when they don’t like what a group of citizens is doing. Yes, in concept no different from any Petty Tyrant breaking printing presses and arresting folks for making speeches from soapboxes when they don’t like what is being said.

Yet still a tiny bit chilling…

In an earlier posting I’d speculated on some ways to reestablish some internet connectivity (even if very limited). Ways that folks could create an ersatz network as / if the need arose.

http://chiefio.wordpress.com/2011/02/03/ersatz-internet/

The basic idea being to create a local wireless “LAN” and let folks share over it, while finding some way to add an improvised (even if slow) connection out to the ‘real’ internet. That way folks could do some sharing locally, and limited flow in / out from the rest of the world depending on the kind of internet link that could be provided. (Telephone / modem, packet radio, even wi-fi over a border…)

Well, while looking up a different thing for a Raspberry Pi project (what WiFi dongle would work best and how to set it up) I stumbled on a rather creative solution for “private sharing” of files and communications in a local small group specifically disconnected from the internet. This looks at the problem from the other side…

Given that Big Brother is watching now, and will be watching even more in the future; and given that much of what folks want to do is “share” something specifically without snoops, one easy way to do that is to remove the internet connection. Yes, as it is WiFi based, you still have the risk of a local ‘cracker’ trying to break into your box, or a government satellite picking up the traffic – but it eliminates all those Chinese Hackers and Russian Spies and 1001 other systems crackers from hanging on your every bit and byte. Add some encryption and even the sniffing satellites don’t get much…

So you would need an access point ( WiFi router) and a DHCP server (preferably using a non-routing block of numbers) and some kind of file sharing software… Having one of these (perhaps even with a bulletin board system on it) at, say, a Street Rally, when The Authority decides it wants to crush communications, would enable folks to swap from phone calls and email to file swaps. And potentially even things like email, just from an anonymous server… It would take some time to build one, but it can be done.

Well, kids will be kids… and it looks like some kids already figured this out.

That name is a bit “cute” for my tastes, “PirateBox”, intended to remind of Pirate Bay (a movie / record / whatever piracy site / service) and reflect the old Pirate Radio Station ambiance. OK, but for a random group of folks at a political rally suddenly in the dark, a name more like “Open Communications Services” would be more likely to be used by newbies. (I’d even go so far as to suggest a dedicated build specifically tuned to suggest security and secrecy in communications and with a welcoming ambiance, instead of the skull and cross bones motif… but perhaps that’s only needed for the “over 30” group ;-)

At any rate, they built one of these already. In fact, many of them. One even runs on a Raspberry Pi board (so you could prebuild it on a chip (SD card) and have it ‘ready to go’ but unused until needed, leaving the RPi doing other things until that day…)

I’ve not looked over the feature set, and before I’d trust one for anything terribly sensitive / risky, I’d want to know more about the creators, and I’d want to go through the system image that is provided to assure it wasn’t loaded with security “issues”; but it’s still an interesting thing to look at, and maybe even build / test.

Here’s the site that talks about it:

http://daviddarts.com/piratebox/

Some excerpts:

PirateBox

PirateBox is a self-contained mobile communication and file sharing device. Simply turn it on to transform any space into a free and open communications and file sharing network.

Share (and chat!) Freely Inspired by pirate radio and the free culture movements, PirateBox utilizes Free, Libre and Open Source software (FLOSS) to create mobile wireless communications and file sharing networks where users can anonymously chat and share images, video, audio, documents, and other digital content.

Private and Secure PirateBox is designed to be private and secure. No logins are required and no user data is logged. Users remain completely anonymous – the system is purposely not connected to the Internet in order to subvert tracking and preserve user privacy.

Easy to Use Using the PirateBox is easy. Simply turn it on and transform any space into a free communication and file sharing network. Users within range of the device can join the PirateBox open wireless network from any wifi-enabled device and begin chatting and sharing files immediately. See the short video demonstration below for more details.

DIY PirateBox was created by David Darts and is registered under the GNU GPLv3. This license grants the right to freely copy, distribute, and transform creative works according to the principles of copyleft.

That last line is important since that means you can see the source code and assure it is clean and secure.

The link has the referenced video along with many photos, including lunch pails with an antenna on the side and even a skateboard with one of the units taped to the underside.

IMHO, it’s a darned good idea for any sort of folks who think they might want to continue communicating in a 200 m or so radius area either during natural disasters or when The Authorities have decided to kill communications. I can see two immediate enhancements, as well. 1) Named Accounts. In addition to the anon style accounts for “randoms”, having some named accounts for family and friends would let you know it was your spouse sending you that text message… 2) A locked down secured variation. Yes, much / most of the time you would want ‘free and open’ communications. Sometimes, though, you would want absolute privacy and without even the risk of a ‘random’ on the box looking around. So only those in your party, with their SSH keys, get in and ‘share’. (The RPi makes this especially easy to do simply by swapping SD cards to swap personalities.)

There is mention made of self forming webs in one of the pages. That’s a more complicated extension. To make it such that the devices discover each other, and ‘link hands’ so to speak. So if there were enough of them, the whole area becomes one large web of communications. (The problem there is with the lack of ID. If 2000 folks are all “anon”, how do you find your spouse?) But with ‘not too much work’, that can be fixed too (or may already have been fixed by someone…) So, take a blog where folks can post with any name not already taken. Pretty quickly folks could paste up messages saying “John Q. Public looking for Jane, need lunch in 10 minutes.”

http://daviddarts.com/

PirateBox DIY

PirateBox can be configured to run on many devices, including wireless routers, single-board computers, laptops, and mobile phones. Key hardware platforms include the TP-Link MR3020 and the Raspberry Pi both of which start at US$35.

OpenWrt
PirateBox will potentially run on most OpenWrt compatible routers with USB storage. Check out this tutorial and be sure to visit the forum for support and more info.

OpenWrt with Mesh
Thanks to lead PirateBox developer Matthias Strubel PirateBox can now be configured to create wireless mesh networks using Alexandre Dulaunoy’s Forban. This feature is still in testing – for more info, check out this forum post.

So those distributed mesh self organizing bits are being worked on…

The “how to” do it on a Raspberry Pi mostly has a download of a prebuilt image. I’d want to know what was in it before using it for anything where badges and guns were involved (or checking accounts and money…)

http://piratebox.aod-rpg.de/dokuwiki/doku.php?id=raspberry

Custom Image

Support-Thread for Image-Issues: http://forum.daviddarts.com/read.php?2,6298

Download this imagefile: 2013-02-06-wheezy-raspbian-PBx06E.zip (MD5SUM f39d934a2cfb1883e8661a3e06d97649)
Install Raspberry as normal: http://elinux.org/RPi_Easy_SD_Card_Setup (But use the image above instead)
Boot as normal with a Monitor, Keyboard & connected LAN (DHCP with Internet access)
Do the following steps in Raspi-Config
Enable SSH Server via raspberry-config
change Password
Expand FS
Finish & reboot now

After this you can enable it with

# sudo /etc/init.d/piratebox start

And if PirateBox should start via startup, run the following line

# sudo update-rc.d piratebox defaults

Yet they also have a “manual” path, where you install the source code, so you can see what’s in it. Nice.

The original page has much nicer formatting, this is just to give a quick flavor:

Manual install

The following steps describe the procedure if you want to store your files on the SD-Card. Additional steps are required if you want your uploaded data on a USB drive.

Download: Raspbian “wheezy” http://www.raspberrypi.org/downloads
Install Raspberry as normal: http://elinux.org/RPi_Easy_SD_Card_Setup
Boot as normal with a Monitor, Keyboard & connected LAN (DHCP with Internet access)
Do the following steps in Raspi-Config
Enable SSH Server via raspberry-config
change Password
Expand FS
Finish & reboot now
Wait until reboot is finished- needs a while because the OS is resizing the filesystem during this reboot
Install needed packages and prepare some stuff:

# sudo apt-get update
# sudo apt-get -y install lighttpd
# sudo /etc/init.d/lighttpd stop
# sudo update-rc.d lighttpd remove
# sudo apt-get -y install dnsmasq
# sudo /etc/init.d/dnsmasq stop
# sudo update-rc.d dnsmasq remove
# sudo apt-get -y install hostapd
# sudo /etc/init.d/hostapd stop
# sudo update-rc.d hostapd remove
# sudo apt-get -y install iw
# sudo rm /bin/sh
# sudo ln /bin/bash /bin/sh
# sudo chmod a+rw /bin/sh

Edit network config file /etc/network/interfaces

auto lo

iface lo inet loopback
iface eth0 inet dhcp

iface wlan0 inet manual
### disabled for PirateBox
#allow-hotplug wlan0
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp

Fetch and copy over PirateBox Source

# wget http://downloads.piratebox.de/piratebox-ws_current.tar.gz
# tar xzf piratebox-ws_current.tar.gz
# cd piratebox
# sudo mkdir -p /opt
# sudo cp -rv piratebox /opt
# cd /opt/piratebox
# sudo sed 's:DROOPY_USE_USER="no":DROOPY_USE_USER="yes":' -i /opt/piratebox/conf/piratebox.conf
# sudo ln -s /opt/piratebox/init.d/piratebox /etc/init.d/piratebox
# sudo update-rc.d piratebox defaults
# sudo /etc/init.d/piratebox start

After this, the PirateBox should run at startup by default. PirateBox works only on Wifi-Access with redirect. Network on Ethernet-Port is a normal “dhcp-client”, so no interference with your home network.
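Two of the quoted manual-install steps are worth reworking before trusting such a box: the source tarball is fetched over plain HTTP and unpacked with no integrity check, and `rm /bin/sh; ln /bin/bash /bin/sh; chmod a+rw /bin/sh` leaves the system shell writable by every local account. The following is an added example, not the PirateBox project's own code; the digest values are placeholders to be replaced with a published one, and ROOT is an assumed prefix so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example, not PirateBox project code. Reworks two quoted steps:
#  1. verify the downloaded tarball against a known digest before unpacking
#     (EXPECTED values are placeholders; substitute the project's published one)
#  2. point /bin/sh at bash with a normal 0755 symlink instead of
#     rm + hard link + `chmod a+rw`, which makes the system shell writable
#     by every local account.
# ROOT is an assumed prefix so the functions can be tried in a scratch dir;
# use an empty ROOT on a real system.

# verify_digest FILE EXPECTED [TOOL]: 0 if FILE hashes to EXPECTED.
# TOOL defaults to sha256sum; pass md5sum to compare with a published MD5SUM.
verify_digest() {
    file="$1"; expected="$2"; tool="${3:-sha256sum}"
    actual=$("$tool" "$file" | cut -d' ' -f1) || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_and_verify URL EXPECTED DEST: download, verify, delete on mismatch,
# so an unverified archive never reaches `tar`.
fetch_and_verify() {
    url="$1"; expected="$2"; dest="$3"
    wget -q -O "$dest" "$url" || return 1
    verify_digest "$dest" "$expected" || { rm -f "$dest"; return 1; }
}

# set_sh_to_bash ROOT: ROOT/bin/sh -> bash as a symlink; the target keeps 0755.
set_sh_to_bash() {
    root="${1:-}"
    bash_path="$root/bin/bash"; sh_path="$root/bin/sh"
    [ -x "$bash_path" ] || { echo "$bash_path missing" >&2; return 1; }
    ln -sfn bash "$sh_path" || return 1   # relative link, same directory
    chmod 0755 "$bash_path"               # undo any earlier a+rw on the target
}

# sh_is_world_writable ROOT: true (0) if the file /bin/sh resolves to is
# writable by "others"; this is the state the quoted steps leave behind.
sh_is_world_writable() {
    root="${1:-}"
    target=$(readlink -f "$root/bin/sh") || return 1
    mode=$(stat -c %a "$target") || return 1
    others=$(( mode % 10 ))
    [ $(( others & 2 )) -ne 0 ]
}
```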

End Notes

So with that, I’ve got “Yet Another Project” on my endless list of projects ;-) Download the source code, look it over, build one of these, see what features look good, etc. etc.

If it does at all what it claims, it would be well worth it to have one in the Aw Shit Kit. So anyone in the area at least could connect, share, and communicate. Even if it’s just a bulletin board system and some file sharing, that’s a major feature if you have a crowd that’s been cut off from the general internet connectivity. When the ‘mesh’ is done and working, adding a “packet radio node” would let the whole mesh get out to the internet (even if very slowly) via Ham Packet Radio (potentially to places hundreds or thousands of miles away). Similarly, one person in an apartment that was joined to the mesh, and with a modem / dial up hard line could make a call to an ISP out of country and ‘connect’. (It would likely need some kind of limiter on what was sent, so ‘text only’ or ‘email with small attachments’ only, not video and 4 GB attachments… )

That it can be built for on the order of $60 is all that much the better. ($35 RPi, $5 SD card, $10 for WiFi dongle, $10 for battery and power cable).

Though I’d really be much more inclined to have it present a picture of a “fluffy bunny” and be named something like:
“Warm pleasant open and accepting file sharing and chat room for guests”…
;-)


Posted in Tech Bits | 42 Comments

Lego Pi Parallel SuperComputing

This one has been around a month or two and I’m just now discovering it.

Looks like there’s still some creative folks in the world. At a UK University, they ganged together 64 Raspberry Pi boards into a parallel processing “supercomputer”. (Technically not, as the production supercomputers are way high in performance now, but easily in the scale of what was a supercomputer just a decade or two back, and can be scaled to any number of processors, so it’s a ‘supercomputer architecture’ just waiting for money to be applied… and not very much money at that…)

At any rate, as I’m fond of parallel computing, and have built a personal Beowulf Cluster for fun and production, it’s a step I’d not expected so soon. Yet, there it is. Now I’m looking at my old cluster parts (some old “white boxes” mostly in the garage to free up office space) and thinking “I could fit more than that in a cigar box”… At present I only have two RPi boards, but I can see more are in my future. One is already acting as a Torrent Server, and I could easily use another as a dedicated file server, and I’d like a local DNS caching server and maybe email server and…

I will likely “strap together” the two I’ve got as a “cluster of two” just for the experience. They also install a FORTRAN compiler… GIStemp uses FORTRAN… So I can likely clean out the full sized desktop box that has GIStemp on it (in a small part of a 10 GB disk, so easy to fit in one SD card). Yes, it would require a “re porting” of GIStemp, but as that release is about 4 years out of date, I probably ought to do it anyway. (Gritting my teeth at that… but having “GIStemp on an SD card” would be an interesting “product” to offer… ) OTOH, it would make for a fun posting. GIStemp on a postage stamp sized card with the whole thing in the palm of a hand as the photo… “Fate of the world economy fits in palm of hand” ;-)

But “back to the present”:

University Of Southampton

I love the creativity that uses Lego blocks to make the ‘holder’ for the cards… Here’s their site, and a fun video:

http://www.southampton.ac.uk/~sjc/raspberrypi/

U. of Southampton Raspberry Pi Lego Supercomputer


In the background you can see the stack, in the foreground is one module that gets stacked.

They have a PDF of the steps to do it:

http://www.southampton.ac.uk/~sjc/raspberrypi/pi_supercomputer_southampton_web.pdf

Not too hard and nothing I’ve not done before. Though they don’t have enough detail on the Legos ;-) and I need to find out if the spouse pitched them when our kids grew up or if they are in the garage somewhere ;-)

They have an updated HTML page on “how to” that has much more detail on the Legos ;-) and has how to set up SSH (nice, that, as it’s next on my ‘todo’ list…) along with some handy scripts and several very nice pictures:

http://www.southampton.ac.uk/~sjc/raspberrypi/pi_supercomputer_southampton.htm

Lego R.Pi Cluster Computer, 64 nodes


Kickstarter Project with More Mojo

http://www.kickstarter.com/projects/adapteva/parallella-a-supercomputer-for-everyone

The Parallella Computing Platform

To make parallel computing ubiquitous, developers need access to a platform that is affordable, open, and easy to use. The goal of the Parallella project is to provide such a platform! The Parallella platform will be built on the following principles:

Open Access: Absolutely no NDAs or special access needed! All architecture and SDK documents will be published on the web as soon as the Kickstarter project is funded.
Open Source: The Parallella platform will be based on free open source development tools and libraries. All board design files will be provided as open source once the Parallella boards are released.
Affordability: Hardware costs and SDK costs have always been a huge barrier to entry for developers looking to develop high performance applications. Our goal is to bring the Parallella high performance computer cost below $100, making it an affordable platform for all.

The Parallella platform is based on the Epiphany multicore chips developed by Adapteva over the last 4 years and field tested since May 2011. The Epiphany chips consist of a scalable array of simple RISC processors programmable in C/C++ connected together with a fast on chip network within a single shared memory architecture.

Here is a link to the Epiphany Architecture Reference Manual
[...]
Once completed, the 64-core version of the Parallella computer would deliver over 90 GFLOPS of performance and would have the horsepower comparable to a theoretical 45 GHz CPU [64 CPU cores * 700MHz] on a board the size of a credit card while consuming only 5 Watts under typical work loads.

But it costs an order of magnitude more than a Raspberry Pi… which sounds really big compared to $250 ;-)

End Note

With multicore cheap RISC chips, we’re headed to a whole new level of compute power for not much money. Looks like fun, too.

For any heavily compute intensive task, parallel computing is going to make a difference. Things like video and image processing especially. Robotics and such. For large compiles of complex systems, like Linux, ‘distributed make’ can speed things up considerably. (I did that at one company about a decade back when I was ‘build master’ for about a year). Besides, it’s really fun to play with ;-)

One of the more interesting uses of “clusters” is for security via distribution. There are many ‘distributed file systems’, including one that requires a ‘quorum’ to open it. Developed in Italy, it looks like something the Mafia asked for ;-) Any one person (or even several of them) can be compromised and divulge their password. Until you get a ‘quorum’ of them, you get nothing… The blocks are spread over many systems all over the place, so take any one system (or several) and you get nothing. It is RAID structured, so kill a system (or take it) and it rebuilds the missing parts. I’m sure you can see why this is of benefit.

So one of my “someday” projects is to make such a cluster distributed compute and file server. Then spread the parts around via a routing system like Onion and you have a non-stop non-compromise compute and file system. Only question / issue is performance level over multi-hop routes… (One could use VPN instead at the risk of contact tracing).

But it all starts with making a parallel cluster that uses distributed processing…

Back at the Lego RPi:

Not as pretty, but snagging a copy of the Lego RPi HTML text for my future use…

Steps to make Raspberry Pi Supercomputer

Prof Simon Cox

Computational Engineering and Design Research Group

Faculty of Engineering and the Environment

University of Southampton, SO17 1BJ, UK.

V0.2: 8th September 2012

V0.3: 30th November 2012 [Updated with less direct linking to MPICH2 downloads]

V0.4: 9th January 2013 [Updated step 33]

First steps to get machine up

1. Get image from

http://www.raspberrypi.org/downloads

I originally used: 2012-08-16-wheezy-raspbian.zip

Updated 30/11/12: 2012-10-28-wheezy-raspbian.zip

My advice is to check the downloads page on raspberrypi.org and use the latest version.

2. Use win32 disk imager to put image onto an SD Card (or on a Mac e.g. Disk Utility/ dd)

http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml

You will use the “Write” option to put the image from the disk to your card

3. Boot on Pi

4. Expand image to fill card using the option on screen when you first boot. If you don’t do this on first boot, then you need to use

$ sudo raspi-config

http://elinux.org/RPi_raspi-config

5. Log in and change the password

http://www.simonthepiman.com/beginners_guide_change_my_default_password.php

$ passwd

6. Log out and check that you typed it all OK (!)

$ exit

7. Log back in again with your new password

Building MPI so we can run code on multiple nodes

8. Refresh your list of packages in your cache

$ sudo apt-get update

9. Just doing this out of habit, but note not doing any more than just getting the list (upgrade is via “sudo apt-get upgrade”).

10. Get Fortran… after all what is scientific programming without Fortran being a possibility?

$ sudo apt-get install gfortran

11. Read about MPI on the Pi. This is an excellent post to read just to show you are going to make it by the end, but don’t type or get anything just yet- we are going to build everything ourselves:

http://westcoastlabs.blogspot.co.uk/2012/06/parallel-processing-on-pi-bramble.html

Note there are a few things to note here

a) Since we put Fortran in we are good to go without excluding anything

b) The packages here are for armel and we need armhf in this case… so we are going to build MPI ourselves

12. Read a bit more before you begin:

http://www.mcs.anl.gov/research/projects/mpich2/documentation/files/mpich2-1.4.1-installguide.pdf

Note: As the version of MPICH2 updates, you are better to go to:

http://www.mpich.org/documentation/guides/

and get the latest installer’s Guide.

We are going to follow the steps from 2.2 (from the Quick Start Section) in the guide.

13. Make a directory to put the sources in

$ mkdir /home/pi/mpich2

$ cd ~/mpich2

14. Get MPI sources from Argonne.

$ wget http://www.mcs.anl.gov/research/projects/mpich2/downloads/tarballs/1.4.1p1/mpich2-1.4.1p1.tar.gz

[Note that as the MPI source updates, you can navigate to:

http://www.mpich.org/downloads/ to get the latest stable release version for MPICH2]

15. Unpack them.

$ tar xfz mpich2-1.4.1p1.tar.gz

[Note: You will need to update this as the version of MPICH2 increments]

16. Make yourself a place to put the compiled stuff – this will also make it easier to figure out what you have put in new on your system. Also you may end up building this a few times…

$ sudo mkdir /home/rpimpi/

$ sudo mkdir /home/rpimpi/mpich2-install

[I just chose the “rpimpi” to replace the “you” in the Argonne guide and I did the directory creation in two steps]

17. Make a build directory (so we keep the source directory clean of build things)

$ mkdir /home/pi/mpich_build

18. Change to the BUILD directory

$ cd /home/pi/mpich_build

19. Now we are going to configure the build

$ sudo /home/pi/mpich2/mpich2-1.4.1p1/configure -prefix=/home/rpimpi/mpich2-install

[Note: You will need to update this as the version of MPICH2 increments]

Make a cup of tea

20. Make the files

$ sudo make

Make another cup of tea

21. Install the files

$ sudo make install

Make another cup of tea – it will finish…

22. Add the place that you put the install to your path

$ export PATH=$PATH:/home/rpimpi/mpich2-install/bin

Note to permanently put this on the path you will need to edit .profile

$ nano ~/.profile

… and add at the bottom these two lines:

# Add MPI to path

PATH="$PATH:/home/rpimpi/mpich2-install/bin"

23. Check whether things did install or not

$ which mpicc

$ which mpiexec

24. Change directory back to home and create somewhere to do your tests

$ cd ~

$ mkdir mpi_testing

$ cd mpi_testing

25. Now we can test whether MPI works for you on a single node

$ mpiexec -f machinefile -n <N> hostname

where machinefile contains a list of IP addresses (in this case just one) for the machines

a) Get your IP address

$ ifconfig

b) Put this into a single file called machinefile

26. $ nano machinefile

Add this line:

192.168.1.161

[or whatever your IP address was]

27. If you use

$ mpiexec -f machinefile -n 1 hostname

Output is:

raspberrypi

28. Now to run a little C code. In the examples subdirectory of where you built MPI is the famous CPI example. You will now use MPI on your Pi to calculate Pi:

$ cd /home/pi/mpi_testing

$ mpiexec -f machinefile -n 2 ~/mpich_build/examples/cpi

Output is

Process 0 of 2 is on raspberrypi

Process 1 of 2 is on raspberrypi

pi is approximately 3.1415926544231318, Error is 0.0000000008333387

Celebrate if you get this far.

Flash me… once

29. We now have a master copy of the main node of the machine with all of the installed files for MPI in a single place. We now want to clone this card.

30. Shutdown your Pi very carefully

$ sudo poweroff

Remove the SD Card and pop it back into your SD Card writer on your PC/ other device. Use Win32 disk imager (or on a Mac e.g. Disk Utility/ dd) to put the image FROM your SD Card back TO your PC:

http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml

You will use the “Read” option to put the image from the disk to your card

Let us call the image “2012-08-16-wheezy-raspbian_backup_mpi_master.img”

31. Eject the card and put a fresh card into your PC/other device. Use win32 disk imager to put image onto an SD Card (or on a Mac e.g. Disk Utility/ dd)

http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml

You will use the “Write” option to put the image from the disk to your card and choose the “2012-08-16-wheezy-raspbian_backup_mpi_master.img” image you just created.

[Note that there are probably more efficient ways of doing this – in particular maybe avoid expanding the filesystem in step 4 of the first section.]

32. Put the card into your second Pi and boot this. You should now have two Raspberry Pis on. Unless otherwise stated, all the commands below are typed from the Master Pi that you built first.

Using SSH instead of password login between the Pis

33. Sort out RSA to allow quick log in. This is the best thing to read:

http://steve.dynedge.co.uk/2012/05/30/logging-into-a-rasberry-pi-using-publicprivate-keys/

In summary (working on the MASTER Pi node)

$ cd ~

$ ssh-keygen -t rsa -C "raspberrypi@raspberrypi"

This sets a default location of /home/pi/.ssh/id_rsa to store the key

Enter a passphrase e.g. “myfirstpicluster”. If you leave this blank (not such good security) then no further typing of passphrases is needed.

$ cat ~/.ssh/id_rsa.pub | ssh pi@192.168.1.162 "mkdir -p .ssh; cat >> .ssh/authorized_keys"

34. If you now log into your other Pi and do

$ ls -al ~/.ssh

You should see a file called “authorized_keys” – this is your ticket to ‘no login heaven’ on the nodes

35. Now let us add the new Pi to the machinefile. (Log into it and get its IP address, as above)

Working on the Master Raspberry Pi (the first one you built):

$ nano machinefile

Make it read

192.168.1.161

192.168.1.162

[or whatever the two IP addresses you have for the machines are]

36. Now to run a little C code again. In the examples subdirectory of where you built MPI is the famous CPI example. First time you will need to enter the passphrase for the key you generated above (unless you left it blank) and also the password for the second Pi.

$ cd /home/pi/mpi_testing

$ mpiexec -f machinefile -n 2 ~/mpich_build/examples/cpi

Output is

Process 0 of 2 is on raspberrypi

Process 1 of 2 is on raspberrypi

pi is approximately 3.1415926544231318, Error is 0.0000000008333387

If you repeat this a second time you won’t need to type any passwords in. Hurray.

Note that we have NOT changed the hostnames yet (so yes, the above IS running on the two machines, but they both have the same hostname at the moment).

37. If you change the hostname on your second machine (see Appendix 1 “Hostname Script”) and run:

$ mpiexec -f machinefile -n 2 ~/mpich_build/examples/cpi

Output:

Process 0 of 2 is on raspberrypi

Process 1 of 2 is on iridispi002

Now you can see each process running on the separate nodes.

CONGRATULATIONS – YOU HAVE NOW FINISHED BUILDING A 2-NODE SUPERCOMPUTER

IF YOU FOLLOW THE STEPS BELOW, YOU CAN EXPAND THIS TO 64 (or more) nodes
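Step 33's one-liner appends the key blindly on every run and leaves .ssh and authorized_keys with whatever modes the umask gives, which sshd's StrictModes can reject, so a worker quietly keeps asking for a password. As an added example that is not from Prof Cox's guide: an idempotent installer that sets the 0700/0600 modes sshd expects, plus a wrapper that runs it on a worker over ssh; the function names and the --install/--push dispatch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Southampton guide. Installs a public key on a
# worker node idempotently and with the modes sshd's StrictModes expects
# (0700 .ssh, 0600 authorized_keys), so the node stops asking for passwords.
# The --install/--push dispatch at the bottom lets the same file run locally
# or be streamed to the worker over ssh. Function names are assumptions.

# install_authorized_key PUBKEY_LINE HOME_DIR: append the key once.
install_authorized_key() {
    key="$1"; home="$2"
    ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir" || return 1
    touch "$auth" && chmod 0600 "$auth" || return 1
    # match on key type + key data only; the trailing comment may differ
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v want="$key_id" '($1 " " $2) == want {found=1} END {exit !found}' "$auth"; then
        return 0    # already authorized, nothing to do
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_authorized_keys HOME_DIR: number of non-blank key lines (0 if no file)
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    awk 'NF {n++} END {print n + 0}' "$f"
}

# perms_ok HOME_DIR: true if the modes are what StrictModes requires
perms_ok() {
    [ "$(stat -c %a "$1/.ssh")" = "700" ] &&
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = "600" ]
}

# push_key_to_node USER@HOST [PUBKEY_FILE]: stream this script to the worker
# and run the installer there. Only this first connection needs the password.
# Run the file as a script (not sourced) so "$0" names it.
push_key_to_node() {
    node="$1"; pub="${2:-$HOME/.ssh/id_rsa.pub}"
    key=$(cat "$pub") || return 1
    ssh "$node" "sh -s -- --install '$key'" < "$0"
}

case "${1:-}" in
    --install) install_authorized_key "${2:-}" "$HOME" ;;
    --push)    push_key_to_node "${2:-}" "${3:-}" ;;
esac
```

From the master node, `sh thisfile.sh --push pi@192.168.1.162` does what step 33's cat | ssh line does, and running it a second time leaves authorized_keys unchanged.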

Acknowledgements

Thanks to all of the authors of the posts linked to in this guide and Nico Maas. Thanks to the team in the lab: Richard Boardman, Steven Johnston, Gereon Kaiping, Neil O’Brien, and Mark Scott. Also to Oz Parchment and Andy Everett (iSolutions). Thanks to Pavittar Bassi in Finance, who made all the orders for equipment happen so efficiently. And, of course, Professor Cox’s son James who provided specialist support on Lego and system testing.

Appendix 1 – Scripts and other things to do

Flash me… one more time (rinse and repeat for each additional node)

1. Power off the worker Pi and eject the card

$ sudo poweroff

We now have a copy of the WORKER nodes of the machine with all of the installed files for MPI in a single place. We now want to clone this card, as it has the SSH key on it in the right place. Shutdown your Pi very carefully

$ sudo poweroff

2. Remove the SD Card and pop it back into your SD Card writer on your PC/ other device. Use Win32 disk imager (or on a Mac e.g. Disk Utility/ dd) to put the image FROM your SD Card back to your PC:

http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml

You will use the “Read” option to put the image from the disk to your card

Let us call the image “2012-08-16-wheezy-raspbian_backup_mpi_worker.img”

3. Eject the card and put a fresh card into the machine. Use win32 disk imager to put image onto an SD Card (or on a Mac e.g. Disk Utility/ dd)

http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml

You will use the “Write” option to put the image from the disk to your card and choose the “2012-08-16-wheezy-raspbian_backup_mpi_worker.img” image you just created.

[Note that there are probably more efficient ways of doing this – in particular maybe avoid expanding the filesystem in step 4 of the first section.]

Hostname Script

If you want to rename each machine, you can do it from the Master node using:

ssh pi@192.168.1.162 'sudo echo "iridispi002" | sudo tee /etc/hostname'

ssh pi@192.168.1.163 'sudo echo "iridispi003" | sudo tee /etc/hostname'

ssh pi@192.168.1.164 'sudo echo "iridispi004" | sudo tee /etc/hostname'

etc.

You should then reboot each worker node.

If you re-run step 36 above, you will get:

$ mpiexec -f machinefile -n 2 ~/mpich_build/examples/cpi

Output:

Process 0 of 2 is on raspberrypi

Process 1 of 2 is on iridispi002

pi is approximately 3.1415926544231318, Error is 0.0000000008333387

This shows the master node still called raspberrypi and the first worker called iridispi002.
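The one-liner above writes only /etc/hostname. On Raspbian (as on Debian generally) the hostname is also mapped to 127.0.1.1 in /etc/hosts, and once the two files disagree, sudo on that worker complains "unable to resolve host" on every call. The script below is an added example, not part of the original guide: it validates the new name, writes both files, and takes the file paths as optional arguments so the logic can be tried on temporary copies without root. The script name set_hostname.sh and the --apply flag are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original guide: set a worker's hostname and
# keep /etc/hosts in step with it. Raspbian maps the hostname to 127.0.1.1 in
# /etc/hosts; if only /etc/hostname changes, sudo on that node reports
# "unable to resolve host" until the two files agree again.
#
# set_node_hostname NEWNAME [HOSTNAME_FILE] [HOSTS_FILE]
# The file arguments default to the real system files; they exist so the
# logic can be exercised against temporary copies without root.
set_node_hostname() {
    new="$1"
    hostname_file="${2:-/etc/hostname}"
    hosts_file="${3:-/etc/hosts}"

    # Accept only letters, digits and hyphens, no leading hyphen, 1-63 chars.
    # The whitelist also keeps $new safe to use in the sed replacement below.
    case "$new" in
        ''|-*|*[!A-Za-z0-9-]*) echo "invalid hostname: $new" >&2; return 1 ;;
    esac
    [ "${#new}" -le 63 ] || { echo "hostname too long: $new" >&2; return 1; }

    printf '%s\n' "$new" > "$hostname_file"

    # Rewrite the 127.0.1.1 line, or add one if the file has none.
    if grep -q '^127\.0\.1\.1[[:space:]]' "$hosts_file"; then
        tmp="$hosts_file.tmp.$$"
        sed "s/^127\.0\.1\.1[[:space:]].*/127.0.1.1 $new/" "$hosts_file" > "$tmp" \
            && mv "$tmp" "$hosts_file"
    else
        printf '127.0.1.1 %s\n' "$new" >> "$hosts_file"
    fi
}

# hosts_name_for_loopback [HOSTS_FILE] -> the name on the 127.0.1.1 line
hosts_name_for_loopback() {
    awk '$1 == "127.0.1.1" { print $2; exit }' "${1:-/etc/hosts}"
}

# Run as a script with "--apply NAME" (for example, from the master:
#   ssh pi@192.168.1.162 'sudo sh -s --apply iridispi002' < set_hostname.sh
# ) it changes the real files; the node still needs a reboot afterwards,
# as in the guide. Without --apply the file only defines the functions.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    set_node_hostname "$2"
fi
```

Feeding the script to `sudo sh -s` over ssh means nothing has to be copied to the worker first, and the same file can be reused for iridispi003, iridispi004 and so on by changing the name argument.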

Using Python

There are various Python bindings for MPI. This guide just aims to show how to get ONE of them working.

1. Let us use mpi4py. More info at

http://mpi4py.scipy.org/

http://mpi4py.scipy.org/docs/usrman/index.html

$ sudo apt-get install python-mpi4py

2. We also want to run the demo, so let us get the source too

$ cd ~

$ mkdir mpi4py

$ cd mpi4py

$ wget http://mpi4py.googlecode.com/files/mpi4py-1.3.tar.gz

$ tar xfz mpi4py-1.3.tar.gz

$ cd mpi4py-1.3/demo

3. Repeat steps 1 and 2 on each of your other nodes (we did not bake this into the system image)

4. Run an example (on your master node)

$ mpirun.openmpi -np 2 -machinefile /home/pi/mpi_testing/machinefile python helloworld.py

Output is:

Hello, World! I am process 0 of 2 on raspberrypi.

Hello, World! I am process 1 of 2 on iridispi002.

5. $ mpiexec.openmpi -n 4 -machinefile /home/pi/mpi_testing/machinefile python helloworld.py

Output is:

Hello, World! I am process 2 of 4 on raspberrypi.

Hello, World! I am process 3 of 4 on iridispi002.

Hello, World! I am process 1 of 4 on iridispi002.

Hello, World! I am process 0 of 4 on raspberrypi.

6. These are handy for removing things if your attempts to get mpi4py working don’t quite pan out

$ sudo apt-get remove python-mpi4py

$ sudo apt-get autoremove

Keygen script commands

cat ~/.ssh/id_rsa.pub | ssh pi@192.168.1.161 “cat >> .ssh/authorized_keys”

cat ~/.ssh/id_rsa.pub | ssh pi@192.168.1.162 “cat >> .ssh/authorized_keys”

cat ~/.ssh/id_rsa.pub | ssh pi@192.168.1.163 “cat >> .ssh/authorized_keys”

etc. Use these to send the key out again if you have generated a new key and want to repeat the key exchange.

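Two things the `cat | ssh "cat >> .ssh/authorized_keys"` form leaves to chance: running it twice (or after generating a new key with the same comment) appends duplicate lines, and it never sets the modes that sshd's default StrictModes check requires (~/.ssh 700, authorized_keys 600), so a worker with a loose umask silently falls back to password prompts. The following is an added example, not the guide's own script. The worker-side part is written against an explicit directory so it can be tested locally; push_pubkey is the master-side wrapper and assumes the same pi@ address scheme as the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: install the master's public
# key on a worker so that (a) re-running never duplicates the line and
# (b) the modes are the ones sshd's StrictModes check expects
# (~/.ssh 700, authorized_keys 600).

# install_pubkey_locally KEY_LINE SSH_DIR
# The part that runs on the worker, against an explicit directory so it can
# be tested against a temporary one.
install_pubkey_locally() {
    key="$1"
    sshdir="$2"
    auth="$sshdir/authorized_keys"

    # A key line is "type base64 [comment]"; compare on type+base64 so a key
    # that was merely re-commented does not get added a second time.
    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    case "$keyid" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "unrecognised key type in: $key" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    if ! awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# file_mode FILE -> octal mode such as 600 (GNU stat first, then BSD stat)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# push_pubkey USER@HOST [PUBKEY_FILE]
# Run on the master. The key line travels on ssh's stdin rather than being
# pasted into the command, and only the "type base64" id, checked against a
# character whitelist, is interpolated into the remote command string.
push_pubkey() {
    host="$1"
    pub="${2:-$HOME/.ssh/id_rsa.pub}"
    key=$(head -n 1 "$pub") || return 1
    id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if [ "$id" != "$(printf '%s' "$id" | tr -cd 'A-Za-z0-9+/=.@ -')" ]; then
        echo "unexpected characters in key id" >&2
        return 1
    fi
    printf '%s\n' "$key" | ssh "$host" "IFS= read -r key
        mkdir -p ~/.ssh && chmod 700 ~/.ssh
        touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
        grep -qF '$id' ~/.ssh/authorized_keys || printf '%s\\n' \"\$key\" >> ~/.ssh/authorized_keys"
}

# Usage from the master, one call per worker:
#   push_pubkey pi@192.168.1.162
#   push_pubkey pi@192.168.1.163
```

Because a second run is a no-op, the same loop can be re-run after rebuilding a worker from the cloned image without checking first which nodes already have the key.
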
Getting Pip for Raspberry Pi

1. We can install Pip, which gives us a nice way to set up Python packages (and uninstall them too). More info is at

http://www.pip-installer.org/en/latest/index.html

http://www.pip-installer.org/en/latest/installing.html

$ cd ~

$ mkdir pip_testing

$ cd pip_testing

2. A prerequisite for pip is “distribute” so let’s get that first and then install pip. The sudo is because the installation of these has to run as root.

$ curl http://python-distribute.org/distribute_setup.py | sudo python

$ curl https://raw.github.com/pypa/pip/master/contrib/get-pip.py | sudo python
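Both commands above execute whatever comes back from the network directly as root, and the first URL is plain http, so the script can be altered anywhere on the path. The usual fix is to fetch the script to a file, compare its SHA-256 against a value you obtained separately (a release note, a signed checksum file), and only then run it with sudo. This is an added example, not from the guide or from the pip project; the digest in the usage comment is a placeholder to be replaced with one obtained out of band.

```shell
#!/bin/sh
# Added example, not part of the original guide: instead of piping a script
# straight from the network into "sudo python", save it, compare its SHA-256
# with a value obtained from a trusted source, and only then run it as root.

# sha256_of FILE -> lowercase hex digest (GNU coreutils first, then shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 otherwise (case-insensitive)
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_and_run URL EXPECTED_SHA256 [INTERPRETER]
# Downloads to a temp file, refuses to run on any mismatch, cleans up after.
fetch_and_run() {
    url="$1"
    expected="$2"
    interp="${3:-python}"
    tmp=$(mktemp) || return 1
    # -f: treat HTTP errors as failures instead of saving an error page;
    # -L: follow redirects; -sS: quiet except for errors.
    if ! curl -fsSL -o "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url; not running it" >&2
        rm -f "$tmp"
        return 1
    fi
    if sudo "$interp" "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (the digest is a placeholder; take the real one from the project's
# release notes or a signed checksum file, never from the same download):
#   fetch_and_run https://raw.github.com/pypa/pip/master/contrib/get-pip.py \
#       '<sha256 obtained out of band>' python
```

The check buys nothing if the expected digest is fetched from the same place as the script; it has to come from a second channel you trust.
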

Notes on making MPI Shared Libraries for Raspberry Pi

MPI libraries can also be built “shared” so that they can be dynamically loaded. This gives a library file that ends in “.so” etc. not “.a” and we can do that by building those MPI libraries again. This is a repeat of steps above, but written out again using the suffix “_shared” on the directory names.

1. Make a directory to put the sources in

$ mkdir /home/pi/mpich2_shared

$ cd ~/mpich2_shared

2. Get MPI sources from Argonne.

$ wget http://www.mcs.anl.gov/research/projects/mpich2/downloads/tarballs/1.4.1p1/mpich2-1.4.1p1.tar.gz

[Note that as the MPI source updates, you can navigate to http://www.mpich.org/downloads/ to get the latest stable release version]

3. Unpack them.

$ tar xfz mpich2-1.4.1p1.tar.gz

[Note: You will need to update this as the version of MPICH2 increments]

4. Make yourself a place to put the compiled stuff – this will also make it easier to figure out what you have newly installed on your system.

$ sudo mkdir /home/rpimpi_shared/

$ sudo mkdir /home/rpimpi_shared/mpich2-install_shared

[I just chose the “rpimpi_shared” to replace the “you” in the Argonne guide and I made the directory creation in two steps]

5. Make a build directory (so we keep the source directory clean of build things)

$ mkdir /home/pi/mpich_build_shared

6. Change to the BUILD directory

$ cd /home/pi/mpich_build_shared

7. Now we are going to configure the build

$ sudo /home/pi/mpich2_shared/mpich2-1.4.1p1/configure --prefix=/home/rpimpi_shared/mpich2-install_shared --enable-shared

[Note: You will need to update this as the version of MPICH2 increments]

8. Make the files

$ sudo make

9. Install the files

$ sudo make install

10. Finally add the place that you put the install to your path

$ export PATH=$PATH:/home/rpimpi_shared/mpich2-install_shared/bin

Note: to put this on the path permanently, you will need to edit .profile

$ nano ~/.profile

… and add at the bottom these two lines:

# Add MPI Shared to path

PATH="$PATH:/home/rpimpi_shared/mpich2-install_shared/bin"

Posted in Tech Bits | 13 Comments