What you can do

Content note: discussion of harassment, sexual assault, and community responses to them.

It’s Vegas Security Dog-and-Pony Show Week[1], and I’ve come to dread the stories I will inevitably hear about harassment and assault at Defcon and the assorted computer security events that happen around it. It’s an occupational hazard of being one of the few people speaking out about harassment in infosec – I end up being the person people vent to, a safe outlet for the terrible things people don’t feel safe airing in public. Every year, it’s the same awful litany – assault, groping, drink-spiking, and all varieties of harassment – 5-10 incidents every year for the past five years. I hear these stories from people of all genders, from respected experts and neophytes. I didn’t even attend last year, and I still heard stories. Every year, I learn that another person I once respected as a professional peer is accused of being a predator. Every year. [edit: This wasn't my story to tell, but the latest instance of someone I had immense professional respect for being accused of rape was made public yesterday. I had no knowledge of this when I wrote this post.]

If you’re thinking “Why don’t I hear these stories?” you should know that most people who experience harassment and worse in our field are afraid to speak out publicly about the specifics of what’s happened to them. They are afraid of backlash, further harassment, and professional ostracism – and with good reason. Here’s the target of a violent attempted rape at an infosec conference, writing about her fears on a blog post she later deleted: “I don’t want to write this. I don’t want to get caught up in anything to do with this women in infosec bit. [...] People I thought were my friends and colleagues have said things to me about this that have cut deeper than the actual assault ever could.” How fucked up are we as a community[2] that someone is afraid to talk publicly about a violent assault and attempted rape by her fellow conference speaker?

And yet, my friend Jack once told me that I “see things as they are and yet manage to hang on to some optimism.” Dan Farmer’s recent post criticizing sexism at Defcon has renewed my optimism that now is the time to start making change. So I am asking you to take two leaps of faith: 1) trust me when I say that things are really bad (even worse than what you read), and 2) believe me when I say that it doesn’t need to be that way. Believe me that small interactions change behavior and change expectations around what we as a community are willing to tolerate.

If you care about making the security community a better place for women (and everyone!), here are some things you can do:

Stop tolerating casual bigotry

So someone “makes a joke” about faggots, scenewhores, or uses a racial slur. What are you going to do? Casual bigotry dehumanizes people, and tells predatory people that you will not be likely to speak out if they choose to harass someone around you – or you yourself. But you can change that by speaking up. Never underestimate the power of a simple “pardon me?” or a more direct “wow, that was a messed up thing to say.”

People will object, “Oh but it was just a joke!” Read this about how rape jokes give comfort to rapists and speak up the next time you hear a rape joke. Or people will say, “They didn’t mean it, they are just socially awkward!” This is the biggest myth of all. Socially awkward people are more likely to be the targets of predatory people, especially when predators have power over them.

Stepping up in cases like this feels awkward, but you weren’t the one making it awkward – the bigot already did. Make them own their own awkward. Push through it. That’s what change feels like. And it gets easier with practice. I also highly recommend spending some time on Captain Awkward for more on learning to handle awkward moments with grace, and Yo! Is This Racist? for snappy comebacks to racism.

Stand up to harassment

Making it clear that harassment is unacceptable helps stop it before it turns into something worse. Here are some great tactics from Hollaback, a group that works to fight street harassment:

Direct Action – As a bystander, you can directly intervene when you see a situation of street [or other] harassment by confronting the situation head on. For example, you can ask the harasser to stop bothering the person she/he is targeting.

Distraction – A bystander can take an indirect approach to intervening. For example, if you notice someone being harassed, you can approach her/him to ask for directions or say ‘hello’ as if you know them, thus de-escalating that situation.

Delegation – This is when you seek outside assistance to intervene in the situation. For example, a bystander can seek help or assistance from the police, a public transport worker or another outside party on behalf of the victim/target.[3]

Delay – This is when you wait for the situation to pass and you check in with the person who was targeted to make sure that they are okay. Even if you were unable to intervene at the time, checking in later makes a difference to the person who was harassed.

Believe and support people who speak up

Most of the time, the disincentives are so high for people speaking up that there’s zero incentive for them to lie about being assaulted or harassed. Operating from a default mode of believing people who speak up is a powerful change of frame. Choose to identify with survivors, rather than sympathizing with harassers and abusers.

Choose to believe that the person who is suffering in order to seek justice is telling the truth, as otherwise you’re choosing to accuse them of lying.

Advocate for codes of conduct

Blackhat Code of Conduct signage from the tradeshow floor, courtesy @blowdart
Blackhat Code of Conduct signage from the tradeshow floor, courtesy @blowdart

Incident response 101 says: have a playbook that covers the scenarios you already know about. We know that harassment and assault happens at conferences. Having a plan to handle the set of known issues helps you deal them should they arise, and to at least have a starting point should new kinds of issues appear. Communicating your plan publicly acts as a powerful social signal as to what behavior is not acceptable in your community. Anil Dash wrote a great post a while back titled “If your website’s full of assholes, it’s your fault” – in the same way, those who run conferences have the power to set social norms and expectations. Choosing to not set those norms means preferring abusers and predators over other attendees.

While there has been controversy in the security community over codes of conduct, I have seen their use make a real change in the open source community and continue to advocate for them. Four years ago, I was hearing about multiple sexual assaults at open source conferences each year. Now, I hear about one or two a year, and usually they get handled quickly. Rather than reinvent this wheel, read Ashe Dryden’s Code of Conduct 101 and FAQ, and check out the resources for conferences and communities on the Geek Feminism wiki.

Probably at this point someone is going to pop up and say, “But what about Violet Blue’s talk at BSides SF? You are against rape prevention education!!1!11″[4] I want to finally call bullshit on this whole argument. I did my first training as a sex educator 12 years ago, and helped run the Sex Ed and Peer Counselling Centre at the largest university in Canada. I have given awkward demonstrations involving bananas. I have counselled survivors of sexual assault, and been there for friends who were escaping intimate partner violence. I know this stuff. I watched the recording of the talk Violet eventually gave at BSides LV, and it was Sex Ed 101, with a smattering of advice about safety (and a long rant about the Ada Initiative, an organization which I’ve supported since its inception with both volunteer labour as an advisor, and thousands of dollars of my own money).

Flared bases are not the most important part of our threat model here, people. I do not have 5-10 sad people per year tell me about their failure to use their toys correctly. I do have that many people telling me about their experiences getting roofied or stalked or worse – people from our community. People you care about. As a community, we need good education about rape culture, consent, and not being a bystander – but that hour-long “where is the clitoris” festival of the bad kind of awkwardness wasn’t it. And a good code of conduct that indicates clearly that sex-positive content is on-topic certainly won’t stand in the way of the talks our community does need.

Educate yourself – resources

A call to action

We aren’t doomed to being the harassment and sexual assault capital of the tech world. We can make a difference. And it starts with each one of us standing up for what we think is right, in the moment when it happens.

[1] I’ve lost track of the sheer number of events, but there’s BlackHat, Defcon, BSides LV, and all of the associated off-conference parties that vendors throw, for starters.

[2] Some folks like to play semantics on “scene” vs. “community” vs. “professional field.” I think those semantics are a cop-out. You get to choose the kind of environment you want to be part of, whatever the word you choose to use for it is.

[3] Note: I have heard enough reports at this point of harassment from Defcon Goons themselves, or mishandling of issues reported to them, that I wouldn’t personally be inclined to reach out to them for help. Goons are volunteers and I have no idea what training they go through; I’ve only seen its effects. Use your judgement as to whether or not that would be a good idea. I myself would call hotel security or the cops rather than ask a Goon for help unless it happened to be one of the handful I trust.

[4] For those who are wondering what I am talking about regarding BSides, here’s a news articleher side of the story, our side of the story part 1, our side of the story part 2. It’s worth noting that the incident people are holding up as evidence of how codes of conduct are bad… happened at an event which didn’t have one.

Comment moderation note: Please keep the focus in the comments on moving forward: things that you want to do to make things better, questions about strategies in specific types of interactions, resources that you have found helpful in fighting sexism. I’m just going to delete any whining about BSidesSF, so don’t even bother. Trust me, I’ve heard enough about it in the last 18 months to last a lifetime, and you’re not going to make a new argument.

 

The extremely lazy perfectionist’s guide to brightly coloured hair

I was re-pinkifying my hair a few weeks ago and realized that there isn’t a very good guide out there for how to use the type of hair colour I prefer, so I’m writing myself some instructions and sharing them with the world for posterity. This thread on the Long Hair Community helped me figure a bunch of this stuff out, as Goldwell does not publicly document their products for amateur hair scientists like myself :)

What you need

  • Bowls you don’t care about staining, or which are stain resistant (I used Corelleware ones and they didn’t stain; your mileage may vary)
  • Cling wrap (get good quality stuff, the kind that sticks well to itself)
  • 2-3 towels you don’t care about staining/bleaching
  • The following Goldwell Elumen products, which you can get on Amazon or eBay:
    • Prepare
    • Colour(s) of your choice – there’s a list here as they have weird codenames
    • Lock
    • Clean (this removes the colour from any skin you get it on)
  • You may also want the Return product if you’re switching colours – it will lift some of the Elumen out of your hair without bleaching. I’ve not used it myself, and have heard mixed reviews of its effectiveness
  • Optional: whatever bleach stuff you need; see below for links to better stuff others have written about bleaching

The bleaching process

I’m not going to write up much about bleaching, because it’s not my area of expertise. Seriously, last time I bleached I just followed the instructions in a Splat colour kit. The bleach worked fine, but the colour didn’t hold very well… so read on for better colour tips.

Also, importantly – you can use Elumen on un-bleached hair, and it’ll give you either a cool tint / sheen of colour if your hair’s dark, or various different intensities of colour if your hair is lighter. And it’ll make your hair feel supah soft.

My friend Courtney has a cool guide to brightly coloured hair over on her blog which includes extensive bleaching instructions, but the main thing for me in the past has been to not over-do it. The Elumen pinks and oranges, in particular, are so intense that it’s ok if you have some brassiness left in your hair. I haven’t done blues or greens in a while but I suspect you might need to bleach more for those… but regardless, it’ll look fine. Don’t stress, and don’t burn your scalp.

The key to my lazy process is to set yourself up so that your hair can grow out a bit, fade a bit, and you can re-colour again without bleaching and make it look good even if you have roots showing – it looks like you did frosted tips on purpose rather than that you’re lazy and hate bleaching :D

The colour process

Elumen is a 3-step process. There’s a prep step (“Prepare), the colour itself, and then a fixative (“Lock”). Sounds like high school chemistry, right? The colouring goes like this:

  • Wash hair if you’re not coming from the bleaching process. Don’t use conditioner.
  • Wearing gloves, apply Prepare to dry-ish hair. Smush it around until your hair feels slick; it doesn’t need to be soaked.
  • While you’re letting it sit, put out the colour(s) you’re using in some bowls. For short hair, I used up about 4-5 tablespoons worth (60-75mL).
  • Towel dry. The Prepare stuff doesn’t seem to stain, but still use a towel you don’t care about.
  • Using a cheap hairbrush, fancy dyeing brush, or just your gloved hands, apply colour to your head. Be careful not to get too much on your skin or fling it around the room, this stuff does stain. Also don’t get it in your eyes.
    • If you want multiple colours, you can separate them out with bits of tinfoil; if you don’t do this they will kinda blend together, which is a cool effect too! I like blending, because I’m lazy.
  • Comedy time now: once you’ve got a fair amount of colour on your hair, you want to apply heat to speed up and intensify the effect of the colour. Here’s my lazy technique:
    • Wrap your head in clingwrap, coiling/pinning it up first if you’ve got long hair
    • Blast your head with a hairdryer a bit
    • Wrap your toasty clingwrapped head in a towel
  • Chill out and do something low key for about half an hour to an hour. Write a blog post, perhaps. Take care not to drip colour out from under your tenuous clingwrap/towel arrangement.
  • Rinse time! If you’ve got a sink you can do this in, go for that, otherwise just hop in the shower. The colour will stain grout, so be careful if your shower features that.
  • Apply the Lock to towel-dried hair and let it sit for a while, then rinse again. You’ll get some colour bleed for the next few times you wash your hair, but it’ll stop and your hair will be super bright for many weeks.
  • Use the “Clean” product to get the colour off your skin. It’ll be on the top of your ears, I promise.

And that’s it! Enjoy how amazing you look, and how you brighten up the day of everyone around you!

Organizational Anti-Patterns

I’ve been thinking a lot lately about organizational behavior, partly as a result of taking this cool Coursera class last year. (I wrote papers! Voluntarily!)  A couple of things keep coming up that I haven’t seen articulated elsewhere very much. So I wrote them down.

“Consensus-based” for-profits

Problem:

Combine all the Tyranny of Structurelessness failure modes of consensus-based decisionmaking with the veto power of those who actually own the entity involved, and you have a recipe for disaster. I’ve seen it happen over and over again where something contentious comes up which pits the owner(s) of the entity against the participants / stakeholders whose consensus has been sought in the past. I’ve never seen a result other than the owner(s) exercising their veto.

Solution:

Make it clear to stakeholders that you value their input, but that as a for-profit, the Board and/or owner(s) have the final say. To say otherwise is misleading. Consider consultative business models such as B Corporations.

Alternately, consider co-op or partnership business models, but think very carefully through their management implication. Both involve substantial overhead in terms of logistical and emotional labour.

For-profits which rely heavily on volunteer labour

Problem:

So-and-so works 20+ hours per week for your for-profit entity, or does hero shifts all weekend at your conference. How cool is it that they believe in your cause so strongly or love your event so much that they are willing to help you out for free?!

Except… turns out they are actually incompetent / abusive towards clients (especially vulnerable ones) / toxic towards other staff or customers / did I mention incompetent? / a number of other failure modes.

Solution:

Be wary of heroes. Hold any such “volunteers” to the same standards as you’d hold employees, including rigorous interview processes and background checks. This kind of screening is especially critical if they have any access to vulnerable or marginalized people such as children, people making career changes, people who are minorities in their field, etc. – people they would have power over in their “volunteer” work. Remember always that abusive people are attracted to positions of power and trust.

“All-volunteer” non-profits

Problem:

Organizations which proudly proclaim their “all-volunteer” status have enough of a pattern of dysfunction that this has become a major red flag for me. Burnout is the biggest outcome I’ve seen with this one, but some of the same patterns as the volunteering-for-for-profits problem apply as well. When organizations run critical functions on donated time rather than being willing to compensate people for their time, they have a paradoxical tendency to both undervalue that labour (particularly, but not exclusively, if it is “pink-collar” labour that is traditionally marked as women’s work) while also being reluctant to ever “fire” volunteers who may be, as above, incompetent, abusive, or toxic.

Solution:

Non-profit management is a specialized professional occupation. Pay someone who knows how to do it, even if only part time. Outsource (or insource, if you’re big enough) other specialized tasks such as accounting. Especially, as I learned from my friend Val, tasks you dread – those are the most likely to burn you out.

Boards as managers vs. boards as strategists

Problem:

A friend pointed out another issue which is related to, but distinct from, the “all-volunteer” thing. Combine a lack of specific management staff with a board who are professionals or experts in the field the organization deals with, and you may end up with a board which manages rather than providing strategic guidance. In larger organizations, a part-time, volunteer board won’t be able to adequately manage staff (volunteer or otherwise). Another friend, Mike, pointed out to me that this is a version of Gerber’s “E-Myth” – the TL;DR of which is that businesses fail because people work “for” their businesses rather than “on” their businesses. When combined with the devaluation of labour through the “all-volunteer” anti-pattern, this has a particularly strong effect on non-profits.

Solution:

Have separate board members and managers. Some overlap can work, but be thoughtful and most importantly explicit about roles and duties. Write these things down. Read up on non-profit board and management best practices from groups like BoardSource, because this is apparently a super common failure mode. For for-profits, check out the book “Startup Boards” by Brad Feld and Mahendra Ramsinghani.

 

There are two common threads between these four anti-patterns: power, and labour. Whose work and what kind of work is being valued? What is motivating the people who are working for free – what is their payoff? Whose voice is being listened to, and under what circumstances? What patterns of power and powerlessness from the wider culture in which these organizations exist are being reproduced within them?

 

Some readers will be able to guess which patterns I think apply to which organizations – none of these are points I’m making for the first time, and I’ve discussed them in the context of particular organizations at various times in the past. You’re welcome to discuss the applicability of these patterns to organizations you have experience with, but please don’t speculate as to which ones I’m referring to here.

Feminist hackerspaces everywhere

TL;DR: interested in starting or being part of another feminist hacker/makerspace in SF (or elsewhere)? Leave a comment, tweet contact info at me, or send me an email at leigh at hypatia dot ca.

As some of you may know, I have started a couple of hackerspaces. I’ve also recently moved to San Francisco, and joined Double Union, a women’s hacker/makerspace in town. And I didn’t even have to start it! Woohoo :D

Double Union has proven such a success that we temporarily closed applications last Friday. We have 105 members! Of an organization that’s not afraid to frequently drop the f-bomb! This blows my mind and makes me very happy.

I think that the wider Bay Area but even just SF proper probably have space for another feminist hackerspace (or two), particularly one open to people of all genders (like the Seattle Attic or Portland’s Flux). I have heard from several people that this is something they want.

So! In the interest of connecting other people who want to start something but maybe don’t know each other, if this is relevant to your interests, please let me know! Here in the comments (I can see your email but the public can’t) or via the tweeters or email me at leigh at hypatia dot ca. If this is something you are interested in leading (which for now just means running an email list) please let me know that too.

To be clear: I am just looking to connect people, and specifically find and connect people who are interested in organizing. I’ve started enough hackerspaces for a few years at this point :)

I know of several other efforts to start feminist hackerspaces around the country, so if you’re outside of the bay area but interested, please feel free to also comment with some indication as to your geography and I’ll put you in touch with feminist hackerspace peeps in your area if I know of any.

Also you may be interested in the nascent feminist hackerspace design patterns over at the geek feminism wiki. And definitely read Liz Henry’s piece on feminist hackerspaces in Model View Culture.

Note: these things are off-topic in this discussion and will just result in me deleting your comment / pointing and laughing / not giving a shit:

  • whining about Double Union being women-only
  • whining about feminism in general
  • whining in general, really
  • reverse proxy-whining about how awesome your hackerspace is but the womenz just don’t seem to show up and are clearly just not interested and you had an e-textiles class that one time and WHAT MORE DO YOU FEMINISTS REALLY WANT I MEAN COME ON WE EVEN HAD AN E-TEXTILES NIGHT.*

*For the record, I love e-textiles. But having had a workshop on e-textiles once is not a Magical Get Out Of Sexism Free Card, sorry!

Heading South for the Winter (and beyond!)

It’s been an amazing two-and-a-bit years at Microsoft. I got to write security bulletins and advisories, and reboot a bazillion computers (sorry about that) in the MSRC. I helped secure new releases of Visual Studio, Team Foundation ServerSignalR, Azure Web Sites, and other products as a member of MSEC. I made dear friends and worked on fun side projects in the Garage, and got to help build the new Maker Garage at the Microsoft Library.  I can’t wait to see what the future will bring for everyone I had the privilege of working with and the rest of the company as well. Thank you all.

But it has come time for me to heed the siren call of San Francisco and head south, like a Canada Goose (minus the biting). This weekend I’m loading my life into a truck and heading to San Francisco to join the Heroku security team. I’m excited to be working with Jacob Kaplan-Moss and Matt Zimmerman, two longtime friends and mentors, both of whom happen to also be awesome advocates for women in tech.

I’ll be handing over my responsibilities at the Seattle Attic Community Workshop to my capable co-founders, and am really stoked to have already been accepted as a member of Double Union down in SF :)

For my Seattle peeps, I’m organizing a small going-away thing on Friday evening, ping me by email (leigh at hypatia dot ca) or on Twitter if you want to know when/where.

Changes to Twitter’s block behavior – and a workaround

TL;DR I hate the changes to Twitter’s blocking, and you can get around them by marking your account private, blocking the person, then going back to public. This will cause them to unfollow you. I hope the powers that Tweet reconsider this change.

Update: so this happened…

Yay!

Twitter posted an update today to their blocking functionality. In my opinion, it’s a real step backwards for the usability of Twitter for anyone with a large number of followers, or facing any kind of harassment.

It used to be that when you blocked someone, it would force them to “unfollow” you, in addition to hiding them from your mentions. This is no longer the case:

Note: If your account is public, blocking a user does not prevent that user from following you, interacting with your Tweets, or receiving your updates in their timeline. If your Tweets are protected, blocking the user will cause them to unfollow you.

The obvious objection to my objection is “well your stuff is public anyway, they could just make a new account” – the thing is, this reflects a fundamental misunderstanding of 1) how people use blocking and 2) how harassers operate.

People use blocking to force unfollows.

I have nearly 9000 followers (which I find fairly hilarious as I mostly post fart jokes, but whatevs)(clarifying for new visitors: I actually tweet about computer security, privacy, feminism, open source, and how weird being a Canadian living in the US is – and more Bitcoin jokes than fart jokes). Something that happens pretty often is that someone will follow me and start replying to things I post or retweet in an aggressive or annoying way. I am particularly conscious of when people do this to folks I retweet – I feel like I have a responsibility to not expose people I retweet to douchebaggery on my watch, so I block people who demonstrate a pattern of being jerks. My friend Ellie made this in response to one of the times I retweeted her:

retweets

I realize that I’m directing a lot of traffic at folks when I retweet them, and I don’t want to expose them to jerks. This change prevents me from curating my followers in the same way as I curate my feed.

Harassers are easily distracted, and many just go away

Blocking, even on a public account, is surprisingly effective at dealing with low-grade harassment. Most harassers just aren’t that invested in the person they are bothering, and putting up the tiniest roadblock will make them move on to their next target. I had this conversation with a Googler shortly after G+ shipped, as its blocking behavior was at the time the same as the new Twitter behavior. I have no idea what it is now because I hate G+ and don’t use it, and I realized that this may be unintuitive to someone who hasn’t experienced harassment before – but trust me, as someone who has, it works a lot of the time. Which is great!

Update: Some who read the above argument think that it’s a “false sense of security” – there’s nothing false about effectively driving away a large percentage of drive-by harassment. I think people pretty broadly get that if you have a public feed, and block someone, that that person can just log out to read your feed – there really are a large number of users, and I say this from personal experience, who won’t bother making a new account, they will just move on. I want to keep being able to handle those users easily.

Telling users facing harassment to just make their account private punishes them, not harassers

This is just shitty and not ok, and I hope it needs no further explanation.

A Workaround

If you make your account private, then block the person, then make it public again, it emulates the old behavior and makes them unfollow you. It’s a pain, but it works. It will not prevent them from re-following you, however – so it’ll only work on the least motivated harassers.

Another Workaround

My friend shadowspar pointed out that you can still force an unfollow by marking someone as spam:

Looks like I’m going to be misusingrepurposing the spam report button more frequently :(

Update: or not:

Return of the blog

Just a shade under two years after my blog first went kaput, it’s back. 2 VMs, one MySQL data recovery, and an absurd amount of time fussing with DNS later, it’s back.

I’m using wordpress.com this time around instead of fussing with my own setup; many of the plugins for which I self-hosted are now part of the core featureset, so I’m going to give this “cloud” business a run for it. I’ll probably fuss with themes a bunch more, so don’t be surprised if next time you’re here things are unrecognizable.

One thing I was frustrated by the last time I went to set up hosted wp was the way they expect you to set up your DNS if you want to do domain mapping; it turns out it’s pretty simple to map your domain directly to their set of IPs.  Once you have your domain mapping paid for and set up (from the “Store” link in the dashboard), do the following:

dig @ns1.wordpress.com example.com A

Then assign to example.com’s DNS the 6 A records that WordPress’s nameserver gives you.

At some point in the future they may change those IPs and your blog will stop working etc etc (which is why they’d rather you use their DNS instead) but for now that’ll do the trick.

This is fairly obvious stuff once you know what to look for but I haven’t seen it documented on the web, so enjoy :)

-Leigh

Acrobat 9 Updater crashes on Windows 7

I got a copy of Acrobat 9 Standard with my new Fujitsu ScanSnap scanner, and I ran into a weird issue when trying to update it to the latest version.  The fix ended up being pretty simple but it took me a while to figure out, so as with my previous post, I’m recording it here for the benefit of folks searching for how to resolve the error.  I don’t know if it has anything to do with the particular error, but I’m running Win7 64-bit for reference.

After going to Help -> Check for Updates, you get a popup saying that “A new version of the Adobe Updater is available for installation.”  Click OK, it runs a batch script of some kind, and then Adobe Updater Install Manager (a.k.a. AdobeUpdateInstallMgr.exe) crashes and dies.

The simple solution: install the Adobe Updater thingy manually from here.  If you’re starting from 9.0 you’ll then go from there to 9.2 and then 9.4.5.  It’s a bit of a process :/

Incidentally, the scanner is made of pure shiny awesome.  I’ve turned literally 2 feet of course readers from my undergrad into searchable bits.  Amazing.

Whole disk encryption, HP laptops, and other shenanigans

I use an HP tm2-1070ca convertible tablet laptop as my primary machine, and have one hell of a love-hate relationship with it.

I adore the convertible tablet format; being able to annotate PDFs in Xournal /Acrobat / Windows Journal, “think on paper” by sketching out a design or a circuit, or flip the screen around to show something on it to the person across the table from you are all at this point part of how I use computers and I find I hate having to go back to using machines I can’t poke.

But as I’ll detail below, it’s got some downright weird stuff going on when it comes to hardware compatibilities.

Given all the ridiculosity around HP’s hardware business at the moment, my next machine is virtually certain to be another brand.  I’m currently eyeing some Fujitsus, but would love to hear about other convertibles folks have had good experiences with, particularly with running multiple OSs on them.

Ubuntu lessons

For 11.04, I needed acpi=off to get the installer to work. It turned out that disabling VT in the BIOS made it work alright with acpi on, but things were otherwise just sort of flaky – the touchscreen in particular would just sometimes work, and sometimes not.  I made a bunch of changes at the same time which lead to confusion about what was actually going on here; it turns out my shiny new SSD was not the problem, but it was a 11.04 regression against this particular BIOS, which I worked around by disabling VT.  Many thanks to Matthew Garrett for spending a bunch of time helping me troubleshoot this.

I used the Ubuntu alternate installer and the built-in whole disk encryption, and it performed very nicely on the SSD, benchmarking at nearly the same speed as the drive running in plaintest.  Sorry I don’t have the numbers handy :/

This isn’t specific to this laptop, but took me some time to figure out so I’m recording it for the convenience of those searching for this error:  if you try to mount your old luks/lvm encrypted system drive on another luks/lvm encrypted machine which happens to have the same hostname, you’ll get an error saying that it’s “not a valid file system,” which is obviously not at all what’s going on.  lvm simply can’t deal with volumes with the same name, and your volumes are named after the hostname you set on install.  lvs and lvrename are the relevant commands here.

Also, if you try to mount a luks/lvm encrypted drive on a machine which has not had luks/lvm applied on install, you’ll need to install the libraries which it uses – cryptsetup and lvm2.  This seems obvious in retrospect but non-specific error messages lead to me stressing out that I’d hosed my drive, which hadn’t been backed up in a few days.

HP laptops + MBR-based whole disk encryption = :(

The above VT issue ended up being the dealbreaker for me running Ubuntu as the host OS on this machine – I need VMs to do a bunch of things, so now I’m running Win7, with Ubuntu in a VM (along with various other things).

Search for “hp laptop truecrypt” and you will see that I am not the first to venture into this particular valley of fail.  I’ve seen threads where people report that PGP’s WDE also doesn’t work.  Given that Ubuntu’s WDE worked just fine, I suspect that it’s something with MBR-based WDE rather than the way it’s done with luks/lvm; the other thing that makes me suspect this is that the way you know it’s failing is that the laptop will blink the capslock key, in my case 5 times indicating a “general system board failure”.  There’s no blink code for “hard drive problem” and it’s different from the error you get when you boot without a hard drive installed, so my guess is that the 5-blink code covers hard drive errors too.

I don’t have any workaround for this one.  I’ve tried truecrypt WDE on a couple of different drives, to no avail.  I’ve even bugged HP on the twitters but they haven’t gotten back to me.  Oh well.  I’ll eventually put Win7 Ultimate on it and try Bitlocker… after making a whole disk backup because I am really, really tired of reinstalling, heh.

Hopefully someone will find the above useful.  It’s been an adventure.

Security at the Ubuntu Developer Summit

I’m attending the Ubuntu Developer Summit this week in Budapest, and I wanted to share how to participate in the security track remotely.

You’ll want to look at the schedule of security track sessions, and the icecast streams for the various rooms we’re in.  Each session in the schedule has one or both of:

  • an etherpad for recording discussions
  • a blueprint which is the “working document” for that particular portion of the project

Both have little icons in the schedule.

You may also want to join the IRC channel for the session; there is one per room, with naming scheme #ubuntu-uds-$room_name_without_accents .  There’s also #ubuntu-hardened, for general discussions and continuing to participate in the Ubuntu security community after UDS.  If you’re not a big IRC user or your network blocks it, you may prefer web-IRC, which is available here for freenode.

This stuff of course generalizes for any other topic at UDS; check out the schedule for tracks on other topics.