Aligning NTFS to SSD Geometry

Frank Shu, Senior Program Manager for Microsoft, gave a presentation in 2008 called Windows 7 Enhancements for Solid-State Drives. The slides illustrated a set of challenges with SSD for the Microsoft Windows OS

  • Reporting non-rotating media will allow Windows 7 to set Defrag off as default; improving device endurance by reducing writes.

He meant that when a drive reports a Nominal Media Rotation Rate of 0001h (the ATA8-ACS IDENTIFY DEVICE word 217 value defined as “non-rotating media”) to the Windows operating system, Windows 7 can automatically disable de-fragmentation for that device.
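As an added illustration (not code from the post or from Microsoft), here is how that IDENTIFY DEVICE word is decoded. The 512-byte block is 256 little-endian 16-bit words; word 217 is the rotation rate, with 0000h meaning “not reported”, 0001h meaning non-rotating media, 0401h through FFFEh giving an rpm figure and everything else reserved. The identify buffers below are constructed for the example rather than read from a real drive.

```python
import struct

IDENTIFY_LEN = 512          # IDENTIFY DEVICE returns 256 16-bit words
ROTATION_RATE_WORD = 217    # ATA8-ACS "Nominal Media Rotation Rate"


def identify_word(identify: bytes, word: int) -> int:
    """Return 16-bit word `word` of an IDENTIFY DEVICE block (little-endian)."""
    if len(identify) != IDENTIFY_LEN:
        raise ValueError(f"expected {IDENTIFY_LEN}-byte identify block")
    if not 0 <= word < IDENTIFY_LEN // 2:
        raise ValueError(f"word {word} out of range")
    return struct.unpack_from("<H", identify, word * 2)[0]


def media_rotation_rate(identify: bytes) -> str:
    """Classify word 217 exactly as the ATA8 spec lays it out."""
    w = identify_word(identify, ROTATION_RATE_WORD)
    if w == 0x0000:
        return "not reported"
    if w == 0x0001:
        return "non-rotating (SSD)"
    if 0x0401 <= w <= 0xFFFE:
        return f"{w} rpm"
    return "reserved"          # 0002h-0400h and FFFFh


def defrag_should_be_off(identify: bytes) -> bool:
    """The Windows 7 rule from the slides: 0001h means leave defrag off."""
    return identify_word(identify, ROTATION_RATE_WORD) == 0x0001


def fake_identify(rotation_word: int) -> bytes:
    """Constructed identify block with only word 217 populated (test data)."""
    buf = bytearray(IDENTIFY_LEN)
    struct.pack_into("<H", buf, ROTATION_RATE_WORD * 2, rotation_word)
    return bytes(buf)


if __name__ == "__main__":
    for label, word in (("ssd", 0x0001), ("hdd", 7200), ("old", 0x0000)):
        blk = fake_identify(word)
        print(f"{label}: {media_rotation_rate(blk)}, "
              f"defrag off={defrag_should_be_off(blk)}")
```

On a Linux live system `hdparm -I /dev/sda` prints the same word as “Nominal Media Rotation Rate”, so you can confirm what a given SSD actually reports before trusting any OS to do the right thing with it.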

Shu’s presentation towards the end explains why it matters.

SSD endurance is equal to the safety of user’s data.

Defrag no longer is your friend; it can actually be your enemy. What does that mean for earlier versions? Windows XP is here to stay, right? Note the most recent end-of-life announcement from Microsoft:

We might therefore expect it to be updated to ensure “the safety of user’s data.” Alas, the challenges presented by Shu at Microsoft in 2008 are today still present in Windows XP.

The SSD offers an easy way to give new life to an old system now that the price for a reasonable size has dropped under $100. It would make sense for every XP owner to go there, and after a little research (uh, four years?) for Microsoft to support them. Where do you want to go today? SSD.

Yet defrag is just the beginning. Microsoft has left other SSD problems for Windows XP unsolved as well. Here is an even better example. The presentation revealed a major performance risk:

A fresh install of Windows 7 can do a proper geometry alignment but an upgrade from Windows XP would be mis-aligned and inherit a 50% performance hit. Ouch. Common symptoms are a system freezing momentarily.

This leads to a very uncomfortable user experience. You’ll know availability loss when you hit it. After seeing the first taste of SSD speed it feels like slamming on the brakes after driving on the highway.

For a more technical test, simply use Start -> Run and type msinfo32. You can see the problem by looking at the Partition Starting Offset value. Divide it by 4096. If the result is not a whole number, the partition is not aligned with the 4096-byte pages of an SSD. Here’s an example that shows a start at 32,256 (that is sector 63 at 512 bytes per sector, the legacy CHS boundary Windows XP uses by default):

Divide by 4096 and you get 7.875. Uh-oh.
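As an added worked example (not from the original post), the following script does the msinfo32 arithmetic and also shows why the mis-alignment hurts: with a 4 KiB NTFS cluster starting 3,584 bytes into a 4 KiB page, every cluster straddles two physical pages, so each small write becomes two read-modify-write cycles. The sample offsets are the post’s 32,256 and the 1 MiB (1,048,576-byte) boundary that GParted and the Windows 7 installer place partitions on; the 512-byte logical sector, 4 KiB page and 4 KiB cluster sizes are assumptions stated in the code.

```python
import re

LOGICAL_SECTOR = 512          # what XP's disk tools count in (assumed)
PHYSICAL_PAGE = 4096          # SSD page / "4K sector" size (assumed)
NTFS_CLUSTER = 4096           # default NTFS cluster size (assumed)
GPARTED_ALIGN = 1024 * 1024   # GParted's 1 MiB "free space preceding"


def parse_msinfo32_offset(text: str) -> int:
    """'32,256 bytes' as msinfo32 prints it -> 32256."""
    digits = re.sub(r"[^0-9]", "", text)
    if not digits:
        raise ValueError(f"no number in {text!r}")
    return int(digits)


def is_aligned(offset_bytes: int, unit: int = PHYSICAL_PAGE) -> bool:
    """True when the partition start is a whole multiple of `unit`."""
    return offset_bytes % unit == 0


def pages_touched(start: int, length: int = NTFS_CLUSTER,
                  page: int = PHYSICAL_PAGE) -> int:
    """Number of physical pages an I/O of `length` bytes at `start` covers."""
    first = start // page
    last = (start + length - 1) // page
    return last - first + 1


def cluster_pages(offset_bytes: int, cluster_index: int) -> int:
    """Pages touched by NTFS cluster `cluster_index` of a partition at `offset_bytes`."""
    return pages_touched(offset_bytes + cluster_index * NTFS_CLUSTER)


def aligned_start(offset_bytes: int, boundary: int = GPARTED_ALIGN) -> int:
    """Smallest `boundary` multiple at or after the current start."""
    return -(-offset_bytes // boundary) * boundary


def check(offset_bytes: int) -> dict:
    """Everything a practitioner wants from the msinfo32 number."""
    aligned = is_aligned(offset_bytes)
    return {
        "offset": offset_bytes,
        "start_sector": offset_bytes // LOGICAL_SECTOR,
        "pages": offset_bytes / PHYSICAL_PAGE,   # the "divide by 4096" test
        "aligned": aligned,
        # worst case over the first 256 clusters; 2 means every I/O straddles
        "max_pages_per_cluster": max(cluster_pages(offset_bytes, i) for i in range(256)),
        "suggested_start": offset_bytes if is_aligned(offset_bytes, GPARTED_ALIGN)
        else aligned_start(offset_bytes),
    }


if __name__ == "__main__":
    # constructed msinfo32 "Partition Starting Offset" values
    for sample in ("32,256 bytes", "1,048,576 bytes"):
        r = check(parse_msinfo32_offset(sample))
        print(f"{sample}: sector {r['start_sector']}, /4096 = {r['pages']}, "
              f"aligned={r['aligned']}, pages per cluster={r['max_pages_per_cluster']}, "
              f"move start to {r['suggested_start']}")
```

On the GParted Live side, `parted /dev/sda align-check optimal 1` asks the same question of partition 1 directly, which is a cheap way to confirm the fix before rebooting into XP.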

This can also happen on virtual systems, where the physical layer is abstracted away completely. The NTFS partition of a legacy guest can be mis-aligned with VMFS, which in turn may not be aligned with the SAN LUNs beneath it. In a large enterprise you can at least hope a service provider understands how sector sizes are represented up the stack and is watching for symptoms of read and write degradation.

Microsoft however has left many users in the lurch. Fortunately there is an easy and free solution…Linux. Here’s a good example of why this actually matters today and how Linux is doing things right.

Let’s say you want to buy a sub 3 pound laptop with a full keyboard, bright screen and 10 hour battery life for under $200.

You can start with a solid machine for just $50. It’s known as the IBM Thinkpad X40 and it was one of the best form-factors ever built. No, I’m not just being nostalgic. If that were the case we’d be talking about the IBM 701c Butterfly or the Apple Duo 230. The X40 is more than a pretty face, it is a very practical and useful system for today’s needs that literally costs $50.

The X40 is perhaps best known for being the lightest laptop when it was introduced in February of 2004, weighing just 2.7 pounds (lighter than the portless Apple Air!). Although the first 1.8″ HDD was introduced in 1991 it was the Apple iPod in 2001 that brought it to mainstream. The IBM X40 then adopted it. I mention that because today buying a tiny 1.8″ SSD for an IBM laptop might feel odd. Just remember that in 2005 the thin and light tablet form-factor was mega-hyped and even helped bring perpendicular recording to market, but I digress…

SSD storage prices have come down so a 64GB 1.8″ SSD for the X40 should be less than $100. Put that with your $50 X40 and you now have a light fast laptop for $150. The official specs say Windows 7 is not supported but you can make it work if you fiddle with the drivers. Or you also could install Linux and go. Mint Maya is very nice.

But what if you want to restore life into an existing Windows XP installation (or install from factory CDs, or want to use the Windows XP license attached to the hardware)? Then you have to do some SSD geometry alignment for NTFS to address all the challenges (e.g. safety of your data) identified by Microsoft yet left for you to deal with on your own.

Linux to the rescue. You only need a 128MB or larger USB drive to boot the system with GParted Live. Creating the USB drive is trivial. Download the Tuxboot executable. Run it, choose GParted Live from the source menu and choose the USB device from the target menu. After a few minutes you will be ready to fix your NTFS partition.

Insert your USB device into a powered down system. Next you’ll have to get the BIOS to let you boot from USB. On an X40 this means pressing power and then F12 to get to a device boot prompt. Select USB, answer the GParted setup questions and then the live environment is loaded.

You now can either fix an existing XP installation or create a new partition from the GParted Live tool. Back up the drive first: moving a partition start rewrites the whole partition, and a power loss part way through leaves it unreadable. If you want to fix alignment, just select the “resize/move” option. Change the “free space preceding” value to 2 (the unit is MiB). Click apply. This will take about 30 minutes on 64GB. Then select the “resize/move” option again and change the value from 2 to 1. Click apply. Wait another 30 minutes. That’s it!

Take another look with Start -> Run -> msinfo32. The Partition Starting Offset should now divide evenly by 4096 (with a 1 MiB start it reads 1,048,576, which is 256 × 4096).

The move to 2 and then back to 1 by GParted re-aligns the NTFS partition to the geometry of the drive, per the Microsoft presentation above: GParted places partition starts on MiB boundaries, so the round trip leaves the start at sector 2048 instead of XP’s sector 63, and 1 MiB is a multiple of both the 4 KiB page and the larger erase blocks an SSD uses internally.

Don’t forget to also disable defragmentation and the page file (swap); a memory upgrade to the max on the X40 is $20, so you can afford to run without it. Basically you want to get rid of all the “caching” habits that were designed to help speed up old spinning disks when memory was low or expensive.

That’s how you can go from a 2008 risk presentation on NTFS to a 2012 snappy-lighter-than-air-system-with-lots-of-cool-output-ports-and-10 hour-battery-life for just $150.

Imagine if that would have been the point of the Microsoft presentation in the first place…if you don’t need/want to run a dual core i5-2520M and 8GB RAM in a magnesium skin (e.g. pay for industry-leading engineering like the sub 3 pound yet incredibly durable Panasonic Toughbooks) then why not breathe new life into a classic design by IBM? Think about it.

Victim Exposure by Anti-Malware Research

Let’s say malware compromises your system. Do you want a responder or a researcher to let others know that you were compromised? That’s the question that came to mind when I read a new research report.

There certainly is precedent for privacy and secrecy practices among other emergency responders, as well as researchers. Health care privacy might be a good example. One of the interesting cases I had to deal with in a hospital was related to x-rays of sports teams. In the run up to a big game we saw threats increase as gamblers tried to get in and improve their chances on bets by stealing information related to player health.

From that perspective a report of a system breach by a security responder could be analogous to a report of a bone break by a doctor. The situation may be more complicated than some realize, given the market for data, when you try to ask a simple question like who does a report serve. People betting on a company want to know the company status, just like people betting on a player want to know the team status.

Regulations help because they can sort out the decisions and attempt to make it as clear as possible when a responder or even a victim has an obligation to report. Recently an anti-malware blog report seemed to unintentionally expose more than necessary.

The start of the story called “An Inside Look into a Customized Threat” has a screenshot of a “targeted” email. From the redacted sections you can almost make out the company name, as you can see at the top of this image:

FireEye Email Example

The little clues to the company name might not be enough to act on if the image didn’t also reveal the location.

San Diego, CA is redacted but still very easy to read. So now you know elements of the company/domain name in a specific city. And then the report emphasizes it’s a billion dollar company with the title Senior Vice President and Chief Financial Officer.

The individual points on their own are not much to think about; taken together they significantly narrow down the possibilities.

The irony is that if the researcher argued in their own defense that there is nothing identifying in the message because it is generic, that argument would undercut the claim that this is a “Customized Threat”.

Moving on to the rest of the story reveals little customization. Nothing in the technical summary mentions customization at all.

To summarize, when the malicious file—disguised as a financial report—is executed, it drops an executable file in a temporary folder and executes it. The dropped file then requests an HTML page from a server located in Taiwan and downloads a compressed executable file. This downloaded file establishes SSL communication on the compromised computer.

Perhaps they’re omitting custom elements but that sounds pretty generic. Then the researcher gives more detail on the company.

The entire exploitation was customized for a specific individual—in this case, the president of a billion dollar corporation.

Was the entire exploitation customized, or just the initial attack path? The post seems to want to show that a message was customized while at the same time avoiding any detail on how customized it actually is.

I wonder why they didn’t go all the way and just give the company name. Approval to discuss customized information may have been more convincing and less likely to cause accidental exposure, compared with semi-exposing the target.

Or we can hope that the email was completely fabricated by the researcher and San Diego, etc. have nothing to do with the real victim. A simple disclaimer would have been nice in that case, like the usual “identities have been changed to protect…”.

Otherwise it’s like a doctor who says they are not going to reveal which team has an injured player, but test results could be a threat to a winning streak in Manchester.

Future of Camouflage…is the Past

Interesting article from Slate on why the US Army chose pixel camouflage and why it soon may change.

Seen with civilian eyes, the rise and fall of the [Universal Camouflage Pattern (or UCP)]—and the family of rectilinear camouflage patterns to which it belongs—reads like a parable of irrational exuberance. Pixelated camouflage started to catch on in the technophilic years of the late-1990s, a digital pattern for a dot-com world. By taking the flowing shapes of the old woodland prints and deconstructing them into tiny squares, military engineers applied a computer logic to nature: They made over the science of camouflage, once inspired by the evolution of peppered moths and other animals, into a kind of digital screen-print that could spread through the networked military as a piece of viral media.

How could engineers have lost touch with the evolution of dark moths and their adaptation to industrial pollution? Sounds like the Army is ready to return to reality and go fashion-analog. No more computer logic games. It’s back to nature.

Peppered Moth
Can you find the hidden peppered moth?

Virus Causes Firework Explosion

The Oregonian says San Diego accidentally launched its entire Fourth of July firework display in one giant fireball. The $250,000 arsenal was spent in less than a minute.

Garden State Fireworks has apologized, saying they’re working to determine what caused “the entire show to be launched in about 15 seconds.”

August Santore, part-owner in the company, said tens of thousands of fireworks on four barges and a pier had been prepared. But because of a glitch or virus in the computer firing system, they all went off with one command, he said.

“Thank goodness no one was injured. Precautions all worked 100 percent,” Santore said.

I think he means physical precautions. When it comes to the other precautions…they might have worked at a lower percentage.

Also, an explosion like that must have created quite a plume of chemical compounds, as listed by the New Hampshire Department of Environmental Services