Saturday, April 29, 2023

ChromeOS Flex on a jail-broken Chromebook

I recently inherited an old Acer Chromebook that was EOL (end of life - not eligible for security updates from Google any more). That's unacceptable for me in the current cyber-climes.

I had some experience with ChromeOS Flex (link below), a new-ish version of ChromeOS that can be run on any hardware. I had put it on a USB drive and run it from there on my old Apple Air laptop, which was too old to get Mac security updates, and too slow really for Windows or the current version of Ubuntu Linux. I had been running Server Ubuntu (command line only, no desktop). But ChromeOS really shined on that hardware, and running from USB. For browsing, including sites like YouTube, it felt snappy. It was really incredible.

So I wondered if I could somehow "jailbreak" the Chromebook and put ChromeOS Flex on it and get my updates that way. Sure enough I found some help doing that:

https://www.androidpolice.com/install-chromeos-flex-chromebook-explainer/

Those instructions required a UEFI BIOS, so I followed the link to:

https://mrchromebox.tech/

There I learned how to turn off the physical firmware lock, by opening the laptop case and taking out a screw on the motherboard, enter Recovery mode and Developer mode, and from there run a script to wipe and reload the firmware with the UEFI bootloader.

So then back to the first link to figure out how to load ChromeOS Flex from USB.

I had a little trouble because my lock screw location did not match any of the pictures I could find Googling. But I eventually figured out which one it was. The motherboard hold-down screws had little holes all around their location.

It runs great! 

Learn:

https://chromeenterprise.google/os/chromeosflex/

Install:

https://support.google.com/chromeosflex

Saturday, March 12, 2022

Destroying Hard Drives

Short story long, I wish I had done this sooner, it's so much easier than I thought. I had been hanging onto some computers for a long time, longer than I wanted, because I didn't want to lose control of the privacy of the drives in them. Not that there's anything crazy on them; pictures and audio and video of my kids, old programs I'd written, that sort of thing. I just care about privacy. Kinda pointless these days :) .

Even after I'd gotten rid of the machines I still held on to the hard drives, plus a bunch of external drives, and broken drives from other people's machines I'd fixed. That was part of the problem - these drives in one way or another didn't work anymore, so I couldn't run "dban" (wiping software) on them. If I wanted them wiped, it had to be physical. So anyhow there's a pile. I had dreams of taking them outside with a sledge hammer, but the little bit of research I'd done told me that was pointless. 

Somehow what I'd missed in my reading through the years, was that you can EASILY get at the actual disks! All you need is a special bit or screwdriver, a hexagon star. It's a security head you can find in hardware stores or on the internet. You go through the cover side, rather than the side with a circuit board on it. There's the 5 or 6 screws around the edges, and one hidden under the label you have to dig a little for. Just scrape around with a sharp edge until you find the indent.

Next you pry up the cover. Once you get it going it comes off easily. There's another screw in the middle of the drive holding the disk(s) down, same style. Hold the disk as you turn the screw. Push the head to the side if needed, and remove any other hardware in the way using the same driver. Then the disk(s) should just plop into your hand.

I found that a vigorous rubbing on a piece of emery paper was enough to satisfy me that the data was gone. When I broke one by accident I was surprised to find it shattered like a CD, so that's an option too. I googled that they can be made of aluminum or glass.

So that's all there is to it. Now I gotta find a way to securely recycle all those old broken cell phones I'm sitting on :)

Addendums:

(Some details I found out as I worked my way through the pile :) ).

  • If there are two or more disks in a drive, there will be a collar between them. Just pry the collar up without breaking the disk. 
  • Some drives don't have the security-headed screws, but instead regular Phillips-head.
  • Some of the covers are also glued down. They still can be pried up. It's easiest to start from the end where the connections are.
  • It's real easy to strip the little screwdrivers. But they are cheap :) .
  • The drives should be recycled as electronics, even though they are in pieces.
  • Sometimes it's easier to unscrew the hidden screw right through the label than to pry the label up.



Friday, December 24, 2021

Dip My Toe In The Cloud

I wanted to "dip my toes" in the cloud, just get my feet wet, you know?

So I migrated some websites I had on a regular hosting service to an NGINX web server running in a Docker container on the LightSail container service on AWS, with the domains themselves hosted on Google Domains.

Now I can say all that in one (run-on) sentence, sure. But it wasn't that easy! And it's supposed to be a pretty painless way to get into cloud. LightSail containers is basically serverless. And Docker containers themselves are basically serverless.

Let me just say most of the time was spent on research. Everything that follows was pretty much non-intuitive (at least for me) much less tying it all together, so there were just hours of googling.

First I had to figure out Docker. I ended up setting up Docker on a bare metal Linux box (an old Mac Air), and SSH'ing from my current Mac. Then I had to learn enough NGINX to configure multiple websites and host headers (for the domains). Then I had to figure out how to package all that up in a container image. 

I wanted to admin the whole thing from a GitHub repo as well. So I had the website content in there, the web server config, the Dockerfile, and the (shell) script to tear down and build the image. I cloned the repo both to my current Mac (to edit from VS Code) and the Linux Air (to deploy).

I already had an AWS account (basically empty). I figured out an IAM account (you're not supposed to use your actual account for security reasons), provisioning a LightSail container from the web GUI (console), and creating and pulling down the keys needed for programmatic access.

Then I installed the APIs (command line tools) for AWS and LightSail on the Air. Finally I was able to fire up my container in the Cloud. Let me tell you I let out a whoop when that NGINX test page came up.

But I wasn't done. I had to get the custom domains working. So I moved them over to Google Domains, leaving the DNS pointing to the prior hosting for the time being. Then I provisioned a LightSail certificate for them all. You can do up to 4 domains in LightSail, though there's a gotcha that I will explain in a minute that I wish somebody had told me about. It is going to haunt me for a while.

Next I reconfigured Google DNS to point the domains to AWS. That's where I ran into real trouble. And this is probably the point of the article, to explain it so nobody else gets caught. See, AWS does not provide static IPs for the LightSail container service. You just get a static public endpoint (URL) that has a dynamic IP, and the IP changes every time you boot the container, or some similar event. There are static IPs in LightSail, but they are only for instances (not containers).

Now that's only half the problem. DNS is designed to require an "A record" for "bare" domains. So that means you literally can't point "example.com" to anything other than an IP. Subdomains can be aliased via a "CNAME" record. But not bare domains. And I couldn't use a subdomain (like "www.example.com") because of the AWS cert limits.

But it turns out this is becoming kind of standard with the cloud. So many DNS providers have hacked a way to make this work (kind of against the DNS standard), by providing a new "ALIAS" (or similar) record for bare domains. But I chose Google Domains, which decidedly does not support this.

So to get around all this, I turned to "LightSail domain zones". And here's where the gotcha got me. AWS LightSail supports 4 custom domains, BUT only 3 domain zones. Domain zones are basically AWS DNS for 3 domains, including the custom ALIAS record. So I pointed 3 of my domains to AWS for DNS in Google Domains, and they are hunky-dory. For now I temporarily gave Google Domains DNS the current IP of the public endpoint of my container service for the 4th domain, but I know that is going to bite me in the rear with an unexpected outage soon.

I have some options for remediation. I was trying to stay totally within Lightsail, for cost and "dipping my toes" reasons. But I could investigate solving my problem by expanding to other AWS services, such as Route53 (DNS) and ECS (Elastic Container Service). Or I could consider switching the 4th domain onto its own container on Google Cloud or Azure, to learn those clouds as well. Or I could change the DNS servers for the 4th domain to some other provider, or in 60 days (the minimum required wait time) I could move the domain to another provider. We will see.
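A check for the hand-pinned A record described above, written as an added example (it is not from the original post): it reports when the bare domain still points at an address the container endpoint no longer resolves to, which is the moment visitors start reaching an IP the service does not hold. The `RESOLVE_CMD` hook and the script name are assumptions made for this sketch; the default lookup uses `dig +short A`.

```shell
#!/bin/sh
# Added example: compare a bare domain's A record with the addresses
# currently behind the container service's public endpoint hostname.

# resolve_v4 NAME -> one IPv4 address per line. RESOLVE_CMD (hypothetical
# hook) lets another lookup command or function stand in for dig.
resolve_v4() {
    ${RESOLVE_CMD:-dig +short A} "$1" |
        grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u   # drop CNAME target lines
}

# apex_drift APEX ENDPOINT
#   returns 0 when every APEX address is also an ENDPOINT address,
#   1 when APEX holds an address the endpoint no longer has (stale record),
#   2 when either lookup returns nothing.
apex_drift() {
    apex_ips=$(resolve_v4 "$1")
    endpoint_ips=$(resolve_v4 "$2")
    if [ -z "$apex_ips" ] || [ -z "$endpoint_ips" ]; then
        echo "lookup failed for $1 or $2" >&2
        return 2
    fi
    # Keep only the apex addresses that match none of the endpoint addresses.
    if stale=$(printf '%s\n' "$apex_ips" | grep -Fvx -e "$endpoint_ips"); then
        echo "STALE $1 -> $stale"
        return 1
    fi
    return 0
}

# Usage: sh apex-drift.sh <bare-domain> <endpoint-hostname>
if [ "$#" -eq 2 ]; then
    apex_drift "$1" "$2"
fi
```

An endpoint behind a load balancer can answer with different address sets from one query to the next, so a single drift report is a prompt to re-check before changing the record.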




Sunday, December 6, 2020

Getting wireless networking working on Ubuntu Server 20.04 with Netplan and Wpa_supplicant

I'd love to riff on how every time they try to make things easier they actually make them harder, but ain't nobody got time for that.

I installed Linux (the latest version of Ubuntu) on my MacBook Air this week, since Apple says it's too old to get their newest version of MacOS. That went pretty swimmingly. So I thought I would instead install Server, since that's how I tend to relate to Linux, through the CLI via SSH.

So I did the install and immediately came up against a big problem. The networking part of the install choked because I did not have a wired ethernet card. It turns out that the default wireless support is kinda iffy for Server, which makes sense I guess (typical servers don't tend to connect via Wi-Fi). But the Air has two USB ports and an SD card slot and that's it, and so wired ethernet is off the table. (Sure I could get some kind of USB adapter card, but that is really out of scope.)

So I got through the install, without a network connection. Then I dug into seeing if I could set up the wifi. Ubuntu has gone to this new method of network config called "Netplan". Basically 99% of the network commands and files I knew are no longer used with it.

I'll make a long story short and say there was a lot of googling, and trial and error, and banging my head against the wall. Here's a good place to start: 

     https://linuxconfig.org/ubuntu-20-04-connect-to-wifi-from-command-line

That will take you through editing your yaml file, and running the commands to install it.

But most fail to mention that a key software component is missing (wpa_supplicant). And as you have no Internet connection, you can't install it. This is quite a catch-22. But I got the URLs for the Debian packages by failing the install ("sudo apt install wpasupplicant"), which listed them (there were two dependencies too). So I downloaded them with another machine, and put them on a flash drive. Then I mounted it, and ran the installs (just point sudo apt install at the deb files in the USB mount point, do the dependencies first).

Of course now that I figured it out, I found a link that lays it all out - 

     https://medium.com/@yping88/how-to-enable-wi-fi-on-ubuntu-server-20-04-without-a-wired-ethernet-connection-42e0b71ca198

It took about a day, to do something in Server, that the Desktop version had done automatically and instantly. It was so minor I never saw a notice or dialog about the networking, except to pick a wifi access point. Another nightmare like this, and I'll probably go back to the Desktop :) .
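An integrity check for the USB-carried packages in the offline install above, as an added example that is not from the original post: `apt install` pointed at a local .deb does not check the file against the archive's signed index, so this compares each downloaded file with the size and hash apt itself reports. It assumes the package list is captured with `apt-get --print-uris install wpasupplicant` (a swap for reading the URLs off the failed install, because that output also carries the hashes); the manifest name and mount point are placeholders.

```shell
#!/bin/sh
# Added example. Manifest = saved output of, on the offline machine:
#   apt-get --print-uris install wpasupplicant > manifest.txt
# Each package line has the form:  'URI' destname size HASHTYPE:hexdigest

# hash_file TYPE FILE -> hex digest on stdout (empty for an unknown TYPE)
hash_file() {
    case "$1" in
        SHA512) sha512sum "$2" ;;
        SHA256) sha256sum "$2" ;;
        SHA1)   sha1sum "$2" ;;
        MD5Sum) md5sum "$2" ;;
    esac | cut -d' ' -f1
}

# verify_debs MANIFEST DIR -> 0 only if every package listed in MANIFEST is
# present in DIR with the expected size and digest
verify_debs() {
    manifest=$1; dir=$2; bad=0; seen=0
    while read -r uri _dest size hash; do
        case "$uri" in "'"*) ;; *) continue ;; esac  # skip apt's status lines
        seen=$((seen + 1))
        # Match on the URL's basename: that is the name a browser or wget
        # saves, while apt's destname can carry an encoded epoch (%3a).
        name=${uri##*/}; name=${name%\'}
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        got_size=$(wc -c < "$file" | tr -d ' ')
        got_hash=$(hash_file "${hash%%:*}" "$file")
        if [ "$got_size" = "$size" ] && [ -n "$got_hash" ] &&
           [ "$got_hash" = "${hash#*:}" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=1
        fi
    done < "$manifest"
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: sh verify-debs.sh manifest.txt /mnt/usb   (both paths are assumptions)
if [ "$#" -eq 2 ]; then
    verify_debs "$1" "$2"
fi
```

Run it after mounting the flash drive and install only when every line reads OK; an empty manifest is treated as a failure rather than a pass.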





Wednesday, June 19, 2019

Windows 10 High Performance power plan missing

Windows 10 High Performance power plan is missing after the Fall Creator’s Update. 

I found a workaround in this forum:

https://answers.microsoft.com/en-us/windows/forum/windows_10-power/power-plans-missing/9885bdc8-b11f-4722-9e11-423ef77494a9

Annoyingly, there seem to be no direct links, so look for EdSchoaps. 

Anyhow, the hack is to go to Windows Mobility Center and change the battery status. 

See Ed for the caveats. 

Sunday, October 1, 2017

Lock Windows 10 without screensaver

Lock Windows 10 without screensaver. It took me forever to find the answer to this one, and it was dead simple! What stumped me was the needlessly complicated multiple layers of settings Microsoft has created. It's insane!

The answer is not in the Lockscreen or Display tabs of the new "Settings" dumbed-down Control Panel replacement. The Display applet of the classic Control Panel seems to have disappeared in the latest Windows 10 installment. No help is found in the Power options.

Instead it's in the same place it has been since I dunno maybe Windows 95 lol. Screensaver settings. I'm not sure the most direct way to get to that anymore, but I found a link to it in the Lock Screen tab of the Settings app.

In there you set the Screen saver to (None) and set the wait to (for instance) 5 minutes, then check the box for "On resume, display logon screen". Just the way I have been doing it for I think at least a decade. I just never expected this to override all the new settings mess. Wow.








Thursday, April 28, 2016

iPhone syncing weirdness

I was copying pictures and videos from last night's concert from my iPhone to my PC (just using a cable and Windows Explorer). Strangely, my phone wasn't "popping up" iTunes on my PC like usual, and when I opened iTunes manually, the phone did not "show up". Then the last file, a 4GB video file, was not showing up to copy out of the phone in Windows Explorer.

I ended up implementing the following process, which fixed both weird behaviors believe it or not:

 

https://discussions.apple.com/thread/5845597?tstart=0

 

Right-click the Apple Mobile Device entry in Device Manager and choose Update Driver Software.

• Select "Browse my computer for driver software."

• Select "Let me pick from a list of device drivers on my computer."

• Click the Have Disk button. Note: If the Have Disk option is not present, choose a device category such as Mobile Phone or Storage Device if listed, and then click Next. The Have Disk button should then appear.

• Click the Browse button and navigate to C:\Program Files\Common Files\Apple\Mobile Device Support\Drivers.

• Double-click the "usbaapl" file. (This file will be called "usbaapl64" if you have a 64-bit version of Windows. If you don't see "usbaapl64" here, or if there is no Drivers folder, look in C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\Drivers instead.)

• Click Open in the Have Disk window. Then click Next, and then click Finish. Windows will install the driver.

Tuesday, August 18, 2015

Chrome Privacy Extensions

Reloading my personal machine post clean install of Windows 10. Wanting to secure Chrome (as best as possible). I haven't surveyed browser privacy and security extensions in a while so I took the opportunity to look around again briefly. Here's what I came up with (in no special order):

lastpass
adblock plus
disconnect
do not track me (now "blur")
https everywhere
ghostery
scriptsafe
flashcontrol

Tightening down browser settings and enabling the entire list broke Facebook profoundly (beyond what whitelisting could fix). In the end it was Scriptsafe that I had to really convince to loosen up, but eventually everybody was co-existing. Safe browsing (no, such a thing is not actually possible, silly).

Sunday, August 9, 2015

Windows 7 - figure out what network card you have so you can get the right drivers

I found a great site that helps you figure out what network card your computer has, so that you can get the right drivers:

http://www.sevenforums.com/tutorials/73420-hardware-identification.html 

I was working on an HP laptop, and pulling down drivers from HP's site, that just did not work at all. I found some forum entries that indicated that the drivers listed for that particular machine class were just wrong. Using the link above I was able to get the exact network maker and model, and even a link to download the driver from the manufacturer's website. Worked perfect. I wasted several days trying to guess at drivers etc., until I found that site!

Monday, June 22, 2015

iPhone Phone Extensions from Dial Pad



Everybody knows the trick of putting extensions in the contact record with commas. 

But this is no help when you have to dial the same bridge line but with many different extensions. 

It's a total pain when you've gotten on the bridge like that and you get knocked off and you have to dial the whole thing again. It would be so nice to just hit redial.

Turns out Steve has anticipated our needs once again. You say, "but there is no comma (for pause) or semicolon (for wait) on the interactive dialer!" Ho-ho my friend I suggest you hold down the star or pound key a little longer and see what happens. That's right they become the other keys. How nice. 

So now I just input the bridge, the commas, and the extension, and then let it dial away, secure in the knowledge that I'll be able to easily redial. Yay!