If you use Ferret anywhere that allows users to execute queries, those users can crash the Ruby process with a specially crafted query.  This was quite serious for a number of my sites (not to mention slowing development of a current app) so I applied the fix to the released 0.11.4 source and repackaged it as 0.11.4.1.

Obviously this isn’t in any way official, but it works for me and I’m sharing here for anyone else affected. Gem, tgz and zip here and just the patch available here (derived from the author’s changeset to trunk).

The patch is against the release source, as the subversion repository seems to be down atm (I got the changeset from the web bases subversion viewer).

Get upgrading!

Install the cryptsetup package from apt

# apt-get install cryptsetup

Choose a partition you’d like to encrypt.

In my case, I’m encrypting an LVM logical volume on a sata harddisk:

/dev/mapper/vg0-home

Format the partition as a “LUKS” partition

LUKS stands for Linux Unified Key Setup. Run the following command and enter a password when prompted:

# cryptsetup luksFormat -c aes-cbc-essiv:sha256 /dev/mapper/vg0-home

The option “-c aes-cbc-essiv:sha256” sets what cipher to use. It’s AES by standard, which is a good default but you want to enable ESSIV support explicitly because it’s rather important. With this option the crypto uses an different IV for each sector – protecting against known plaintext attacks and information leakage (such as the “watermarking attack).

Configure cryptsetup initscript

In /etc/crypttab add a line like this:

crypt-home    /dev/mapper/vg0-home             none    luks

“crypt-home” is the name of the device mapper node that will be created (in the /dev/mapper/ dir). This is the the device you’ll mount.

Make the filesystem

Firstly, execute the cryptsetup initscript (or reboot):

/etc/init.d/cryptdisks start

This asks for your password and (if successful) creates the /dev/mapper/crypt-home device.
Now init your filesystem of choice (in this example, ext3):

mkfs.ext3 /dev/mapper/crypt-home

Configure fstab to automount the partition

Add a line to /etc/fstab:

/dev/mapper/crypt-home /home   ext3    defaults   0       2

Obviously, mounting this won’t work unless the cryptdisks initscript has been executed, but this happens in the correct order on boot.

Reboot!

On boot, you’ll be prompted for the password quite early on in the boot process. The prompt should time out after 180 seconds if you don’t type anything (handy for a server).

After you’ve typed the correct password, the device mapper device is created and then the unencrypted partition is mounted shortly after (alongside all the other partitions, as usual).

UPDATE: LUKS on boot broken in Edgy
This worked fine for me with Dapper, but an upgrade to Edgy broke it. It’s been reported as a bug on launchpad but I figured out a simple fix in the mean time:

Change line 294 in /lib/cryptsetup/cryptdisks.functions from:

$CRYPTCMD $PARAMS luksOpen $src $dst < &1

to:

$CRYPTCMD $PARAMS luksOpen $src $dst < /dev/console

Now it jumps to console from splash on boot and asks for password.

Encrypted Swap

Remember, data from your encrypted partition could end up on disk in your unencrypted swap partition. Depending on what you’re trying to achieve, this probably isn’t desirable. Set your swap partition to be stored in another encrypted device using LUKS. Use /dev/random as the keyfile and it’ll use a random password for encryption on every boot. I expect this will break hibernate support though.

USB keys and other removable devices

If you create a LUKS partition on a removable device (such as a USB key), the HAL daemon will spot that it’s LUKS and automatically handle all the cryptsetup stuff (including a nice Gnome password box). In this case, don’t setup the crypttab or fstab. Instead:

1. After creating the LUKS partition, open it manually (you’ll be prompted for the password):

   cryptsetup luksOpen /dev/sdusbdiskdevicename1 luks-temp

2. Create the filesystem:

   mkfs.ext3 /dev/mapper/luks-temp

3. Manually close the LUKS partition:

   cryptsetup luksClose luks-temp

4. Now just eject/unplug the device then reinsert it and you’ll be asked for the password!

These encrypted removable devices are even supported on Windows (see FreeOFTE) but you’ll obviously need to use a Windows compatible file system, like FAT32 or NTFS rather than EXT3).

• various government agencies including the police and social workers
• private investigators, media organisations and other commercial entities.

Well, you apparently have the legal right to opt out of this “data rape”:

In June 2005, FIPR developed an opt-out letter to send to the Secretary of State. People who sent this off have been fobbed off. We now recommend that you opt out via your GP. Ask your GP to enter into your record the code 93C3 (“refused consent for upload to national shared electronic record”). You can also ask for your address and phone number to be kept off the NHS internal directory, and for your hospital records also to not be uploaded to central systems: see here for details. We encourage you to opt out even if you have nothing to hide; if only people who do have something embarrassing in their records opt out, then doing so will carry a stigma.

• Light Blue Touch Paper: Opting out of the NHS database
• Foundation for Information Policy Research
• Guardian: Warning over privacy of 50m patient files
• Guardian: Ministers to put patients’ details on central database despite objections

I don’t know about other browsers, but this seems like a sane behaviour.

I’ve not come across this before, but it seems to be wide spread. In 2 hours I collected over a dozen to one particular host, all from different source IPs and nearly all with different messages and urls in them. Here are some excerpts, notice that as URLs aren’t clickable in message boxes they have to leave instructions to type the url in.

UPDATE: For all the non-techies, these messages are NOT the result of a virus or worm or anything like that. They are just network messages sent over the internet by scammers, a bit like spam. You can safely ignore them. If you want them to go away, install some firewall software or follow the instructions by Manimo to turn off the messaging service.

and this one

And this one:

My new Laptop arrived today too (not got it in my hands though). The ickle IBM Thinkpad X40 is very portable, but I’ve been using it for more of a desktop replacement than a portable troubleshooter, hence the new Viao one. Big 17inch widescreen LCD, crazy CPUness (for Doom3 and Half Life 2 fun), and 1G RAM. I expect it’ll weigh more than two Terri Schiavos* but I’m a big guy.

* – Please note: topical reference.

Quote: “The patent-pending air gap switch keeps sensitive systems and data physically disconnected from untrusted networks and users, and transfers application-level data in real time. It is a high-speed, solid-state analog switch that connects a 512K memory bank to one SBC at a time via a SCSI interface. The air gap switch contains no Operating System, no TCP/IP address, no programmable units, all of which protects the appliance from being compromised. It hides internal addresses, preventing hackers’ mapping of internal network and any tunnelling threat. It protects confidential information such as private keys and configuration data by placing them behind the “air gap.”

It’ll also apparently cure all known ailments, gives you a full head of hair, and a long life free of pain.