Friday, January 28, 2022

A couple of decent desktop backgrounds

Although my sky-snapshots usually end up being disappointing, I couldn't resist taking these, and have found them to be excellent as desktop backgrounds. So, I decided to post the photos and my 16:9 cropped versions, in case anyone else wants to try them.

Click on the image of interest below for the high-res version.

 





 

Tuesday, January 25, 2022

Revised APT-Offline A-Z

I revised the introductory sections (up to "> Set-operation details") of APT-offline A-Z, to clarify and otherwise enhance them. I was frankly disgusted that there was still so much bad writing. Naturally it's better, but I've learned to avoid predicting whether it will need more revisions. At least the introductory section, which is the key to putting the rest into perspective, is fairly good at this point.

Wednesday, January 5, 2022

Using a cheap Gigabyte mini-PC as a secure PC

Rev 1/10/22 (see Notes)

After concluding that there will probably never be an inexpensive Ryzen 3-based mini-PC, I got a Gigabyte Brix GB-BLCE-4105R for about $185 (including 8GB of memory) from Amazon. It has an Intel Celeron J4105 CPU, which has plenty of processing-power for my purposes, and is rated at 10W power consumption, compared to the Ryzen 3 5400U's 15W.

But good luck getting such a good deal now, if you can even get one of these mini-PCs at all, due to the supply-chain crisis and inflation. However, even if this model goes out of production, Gigabyte will probably replace it with something similar.

The Brix is made well, although it's tiny. Just use caution when opening it up, installing or removing whatever, and putting the cover back on. Before opening it, I place a light-colored towel underneath so that if I drop any of its tiny screws, they're easy to see, and they don't bounce and disappear forever.

Because I don't trust software (except validated AES-grade encryption software) to isolate data from the internet [1], I needed to put the OS on a flash drive and to use a wired keyboard/touchpad [2], as part of creating a "secure" PC (my definition, not the NSA's). So, I had to use both USB ports on the back for these purposes, but I can connect hubs to the front ports (USB-3 and USB-C), to obtain as many ports as I need. The fact that the GB-BLCE-4105R's case is all metal reduces the likelihood that a bug planted inside the PC could get a signal out, although if you're really paranoid about the Thought Police planting a recording device in it, you could conceal the entire PC, or put it in a tamper-proof lockbox locked with a Master Lock Speed Dial lock when you can't keep an eye on it. I posted my enhanced instructions for the Speed Dial lock here (https://toggwu.blogspot.com/2022/01/enhanced-master-lock-speed-dial-lock.html). If you lock it in a tamper-proof lockbox with an SD lock, nobody would be able to tamper with it without leaving evidence, such as by cutting the lock off with a grinder, and replacing it with a look-alike, in which case the old combination would no longer work. Perhaps you could place a unique pattern on the back of the lock so that any replacement would be obvious, which would probably prevent anyone from substituting another lock. Of course you'd also unplug the presumably tiny OS-flash-drive and conceal it separately. BTW, I've found that Sandisk 64GB USB-3 drives work very well for this purpose, partly because they have a much faster write-speed than even a 32GB version, which makes the process of installing the OS go quickly (appx. 20 minutes).

Multiple PCs can use the same keyboard and monitor with a KVM switch. I messed around with a cheap KM switch (Iogear GCS24U 4-port VGA) for years before finally getting a CKLau-64H2ua, which is listed on Amazon as "CKLau 4Kx2K Ultra HD 4 Port HDMI Cables KVM Switch," and is excellent, although I've found that I have to boot my Zbox BI320 PC up to the point where the password must be entered, before selecting it with the CKLau KM switch, or it won't boot. The CKLau KM switch has ports which allow flash drives to be switched between PCs, which eliminates the need to physically transfer the drives between PCs to use them for transferring data. Naturally, any KM switch used with a secure PC cannot have any wireless capability.


Preferred operating systems for "secure" PCs

I've been running Ubuntu (oo-boon-too) Mate on both of my mini-PCs. UM is a popular no-nonsense, efficient type of Ubuntu Debian Linux (Ubuntu is a type of Debian, which is a type of Linux). I wasn't a big fan of plain Ubuntu's "desktop" (OS-GUI) the last time I tried it, but it might have been changed since then.

I also like Xubuntu (zoo-boon-too), which is very compact and innovative. I had problems using it with my Iogear KM switch (it wouldn't wake up when I switched back to it after using another PC, which prevented me from using Xubuntu), but it works well with the CKLau KM switch. My only other complaint about it was its file manager didn't remember the selected file-arrangement-order (by name, type, etc.) for each directory, but this drawback has been addressed, or soon will be. Its default selection of apps is different than UM's default selection, but I would have to install apps in either case to get everything I want. The software which I install on UM is mentioned later, but on Xubuntu, I install Synaptic Package Manager (a highly functional software manager which isn't dumbed-down, appx. 1.5MB), VLC "video player" (appx. 20MB), Disks a.k.a. Gnome Disk Utility (very handy, especially since its circa-2020 overhaul, for creating encrypted partitions on storage devices, which GParted doesn't do - appx. 0.5MB), Eye of Mate a.k.a. EOM image viewer (appx. 2.5MB, which I prefer over Ristretto, Xubuntu's default viewer), Plank (a nifty app-launcher dock, which doesn't require much data to install), and Vnstat (for on-line installations) to keep track of internet data consumption (less than 200kB to install). Xubuntu's Network Monitor widget looks like it would be good for monitoring download-speeds, to avoid inadvertently downloading vast amounts of data which you don't need or want. Xubuntu's text editor lacked built-in spelling-check, but I found a way to add a custom action to the file manager to make it easy to use the Aspell spelling-checker (which Xubuntu includes by default) on text files and posted it here (https://toggwu.blogspot.com/2018/11/performing-spell-check-via-right-click.html).

One advantage of Xubuntu is that, by default, it retains downloaded software modules, which are downloaded into File_System/var/cache/apt/archives as part of the complex, automatic software-installation process, as a precursor to actually installing them. Ubuntu Mate, by default, deletes these modules from the archives directory after installing them, although there is a command which can be found in another entry in this blog (toggwu.blogspot.com), which causes these modules to be retained in the archives directory after they are installed. Retaining these modules allows them to be copied and saved for use in creating copies of the installation, without having to download the modules again. (To copy modules into the archives directory, you have to launch the file manager in superuser mode, such as by entering "sudo caja" in UM or "sudo thunar" in Xubuntu, but if you make a mistake with the file manager in this mode, you could destroy the installation, so be careful and exit it ASAP, by closing the file manager and the terminal.) If you wait too long to reuse them, some of the modules will probably be superseded by newer versions, and the software manager (which would be basing its decisions on a later version of the package/software index) will download the newer revisions if the installation is connected to the internet when the software is being installed.

Kubuntu (koo-boon-tu) is also excellent, and allows you to zoom the entire screen. I use Kubuntu on my "heavy duty" desktop PC which I use for audio and video purposes.

Each of these Ubuntu-derivatives includes a large collection of widgets, which are small programs such as desktop notes, CPU-load monitors (useful for determining when the PC is fully booted, which in the case of the Brix booting any version of Ubuntu from a typical USB-3 flash drive is very quick), search programs which can search for files by name or text-content, timers, etc.


How to get Ubuntu etc. and install them

(Some of the following is also included in an earlier post.)

All types of Linux come in the form of "ISOs" (.iso-files) which are downloaded from the corresponding official site, and in the form of "live" (bootable) DVDs which are sold online by many sources. An ISO is an essentially tamper-proof archive-file (about 1.5GB in UM's case) which contains the OS, the desktop, and a selection of apps (a particularly useful selection in UM's case). A "live"/bootable DVD is essentially an ISO in the form of a DVD, and various Linux and Windows "burner" apps can create ISOs from live DVDs. PCs in general can be booted directly from a live DVD by simply placing it in the DVD drive and booting the PC. But booting from a DVD is very slow, so bootable/live flash drives are preferred. Live flash drives are created from ISOs by using USB-installer apps (more details below).

Never trust an ISO or live DVD until you've validated it. Live DVDs have to be converted to ISOs (which again is done with various "burner" apps) to validate them. Validating an ISO is a matter of calculating its checksum (preferably its SHA256 checksum, because if the SHA256 checksum is good, the ISO is definitely good), and comparing the result to the reference value on the official website or on Distrowatch (which retains checksums for a few older revisions, in case you can't get the latest release). So, before using an ISO to create an installation, copy it to an ssd/hdd on a powerful PC with an ssd/hdd installation, because calculating Linux-ISO checksums takes a long time on low-powered PCs, and because other required processing must be done on a PC with a full installation on an ssd/hdd. Then use the relevant command to calculate the ISO's checksum, and compare the result to the corresponding reference value.

Commands to calculate checksums are very simple. For the Windows commands, I recommend an article entitled "How to Check an MD5 (or SHA) Checksum on Windows 10." The Linux command to generate an SHA256 checksum is sha256sum path/filename.iso. With a few simple tricks, you can avoid the aggravation of having to precisely type the file's name or path (its location in the directory-tree, relative to the directory named "file system" in UM) into the command. By right-clicking in the directory where the ISO is stored, and selecting "open terminal here," or "open in terminal," you can avoid having to enter the ISO's path into the command at all. But entering the path is simple - just right-click on the file, select Properties in the menu which appears, copy the "location" from the window which appears, paste it into the command-line with Ctrl-Shift-V, and then add a "/" at the end unless there already is one. To enter the file's name into the command, you can copy it by right-clicking on the file, selecting Rename, then pressing Ctrl-A, then Ctrl-C. If there are any spaces in the path or filename, put quotation marks around the term which contains spaces, or just enclose both the path and filename in a single pair of quotation marks. If you get a bad checksum from an ISO made from a DVD, it might help to clean the DVD, but be careful to avoid damaging it. There are no doubt instructions online.
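The comparison step described above can be scripted so that it doesn't depend on reading two 64-character strings by eye. The following is an added example, not part of the original post; it assumes the reference values were saved in a SHA256SUMS-style text file (one "hash, separator, filename" entry per line, the layout sha256sum itself writes), and the function name verify_iso is hypothetical.

```shell
#!/bin/sh
# Added example: check an ISO against a saved list of reference checksums.
# Usage: sh verify_iso.sh "/path/with spaces/image.iso" "/path/to/SHA256SUMS"
# Exit status: 0 = checksum matches, 1 = mismatch, 2 = no usable reference.

verify_iso() {
    iso=$1
    sums=$2

    if [ ! -r "$iso" ] || [ ! -r "$sums" ]; then
        echo "cannot read '$iso' or '$sums'" >&2
        return 2
    fi

    # File name without its directory; quoting keeps embedded spaces intact.
    name=${iso##*/}

    # Each reference line is: <64 hex digits><space><space or '*'><file name>.
    # The name is taken from the raw line so names containing spaces survive.
    expected=$(ISO_NAME="$name" awk '
        {
            sub(/\r$/, "")                      # tolerate Windows line endings
            hash = tolower($1)
            file = substr($0, length($1) + 3)   # skip hash and 2-char separator
            if (file == ENVIRON["ISO_NAME"] && length(hash) == 64 &&
                hash ~ /^[0-9a-f]+$/) {
                print hash
                exit
            }
        }' "$sums")

    if [ -z "$expected" ]; then
        echo "no reference checksum for '$name' in '$sums'" >&2
        return 2
    fi

    # Reading from stdin avoids any escaping sha256sum applies to odd names.
    actual=$(sha256sum < "$iso" | cut -d' ' -f1)

    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi

    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Run directly when given the two file arguments.
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
    exit $?
fi
```

A status of 2 means the reference list has no entry for that file name, which is different from a failed check and usually means the wrong list was downloaded.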

An ISO can be made into a bootable DVD (such as to mail a copy of the ISO to someone in a secure, bootable form) by using a "burner" program to copy the ISO to a blank DVD "as image" (which copies the contents of the ISO to the DVD), not "as file," because you wouldn't be able to boot directly from the resulting DVD, although it would be doubly secure, like putting an ISO in an ISO. As mentioned previously, ISOs can also be made into bootable flash-drive installations by using a "USB installer" app, which copies the ISO's image to the flash drive in a format which the PC will recognize as a bootable drive. I prefer Rufus for Windows and Etcher for Linux. Neither requires installation, but Etcher can be installed. I've tried to run Etcher on a PC booted from a live flash-drive installation, but it didn't work, so it apparently has to be run on a PC with a full installation, i.e. an unencrypted installation on an ssd/hdd. I don't know why this is, but since you'll probably want a heavy-duty PC for big jobs, you might as well build yourself a custom desktop PC (which is easy these days) to get just what you want and save a boatload of money. Then install UM or Kubuntu on it, and use it for creating ISOs from live DVDs, calculating ISO-checksums, and creating flash drive installations from ISOs. (I use Kubuntu for its screen-zoom capability, and because installing the heavy-duty video-editor known as KDEnlive requires much less data than installing it on UM. However, my installation of KDEnlive developed problems, so I switched to OpenShot, which is relatively simple and comes as an AppImage, meaning that it can be run on any type of Linux without installing it, although I still prefer Kubuntu because it has screen-zoom capability. OpenShot apparently can't simply extract clips from videos (which KDEnlive does very quickly and conveniently), but you can use VLC's record-function to copy sections of videos, which is fast enough for short clips.) [3]


Booting PCs from flash drives

Modern PCs in general can boot from live flash drives, but you might have to change some "BIOS" settings so that the PC will boot from a flash drive instead of the regular installation. The BIOS menu is typically accessed by pressing and holding the Delete key down, shortly after starting the PC, until the BIOS menu appears. However, some PCs use other keys or combinations, which you can find on the internet. Once you're in the menu, just don't change any settings that you don't understand, and if you mistakenly change a setting and don't remember the original setting, just exit the menu without saving any changes, and then start over. There's typically a boot-order sub-menu, and assuming that you've plugged the live flash drive into the PC, it will appear on the menu. After making the changes, select "save changes and exit," and the PC should boot from the flash drive. Then, to boot from the regular installation, just shut the PC down, unplug the flash drive installation, and reboot.

Encrypted installations

I use an encrypted installation on a 64GB Sandisk Ultra-FIT USB-3 flash drive for my "air-gap" PC. (FIT refers to the fact that the drive is stubby and can be left in a USB port without worrying about something hitting the drive and damaging the port.) Although the capacity is overkill, 64GB Ultra-FITs have a much higher write-speed than even 32GB UFs, making the installation-process go much faster. (I would not use an encrypted installation for such things as video processing, due to the amount of CPU-power required for encrypting video.) I suppose that Sandisk USB-3 drives in general have the same performance as FITs. I previously recommended a Kingston Datatraveler 3.0 because the Sandisks run a bit on the hot side at times, but the installation on the Kingston provided sluggish response, although it's tolerable if nothing better is available. But flash-drive technology continues to evolve, so you might want to experiment.

To create an encrypted flash-drive installation for a particular PC, boot the PC from a live flash drive, then plug the "target" drive (the USB-3 or higher drive to receive the installation) into a USB-3 (or higher) port and launch the installation program. Or, if the target drive doesn't contain a functional operating system, you could plug both drives in at the same time, then start the PC, and then go directly into the installation-process from the boot-menu. (In Xubuntu, watch out for NumLk, which sometimes ends up being turned on at the beginning of installation, because if it's on when you enter the passwords during installation, you might end up entering something besides the intended password.) I recommend selecting the option to install 3rd-party software, in case you'll want to use a USB wifi modem to connect to a hotspot to set up the installation. When you are asked to specify the installation type, select "Erase disk and install Ubuntu Mate," then click the Advanced Features button, and in the window which appears select "Use LVM ..." and "Encrypt ..." and then click on OK.

The installation program also provides an option for erasing the unused portion of the drive (overwriting it with zeroes) when the installation is finished, which eliminates any potential malware and is probably a good idea when performing the first installation on a drive. It takes quite a while, but you wouldn't have to erase the drive again, assuming that you don't give anyone an opportunity to infect it. However, I typically erase the drive before performing the installation, by formatting it and selecting the overwrite-option, because I can do it while working on other stuff. After creating the installation, unplug it and conceal it whenever you're unable to keep an eye on the PC. If you'd rather use an internal SSD, you could disconnect the PC and conceal it when you're out.


Protecting PCs from hackers

To eliminate the possibility of a surreptitious connection to the internet (such as wifi burst-mode), my type of secure PC has no wired or wireless internet connection. I completely remove the wireless module, and avoid using any peripherals with wireless capability. In some PCs, the wireless module is built into the motherboard, which makes these PCs unsuitable to use as secure PCs. To remove the module, first disconnect the tiny RF connectors by using something like long-nose pliers to pull them straight up from the module. Then remove the screw which holds the module in place, unplug the module, replace the screw, and store the module safely. I wrapped it in aluminum foil to protect it from static. After disconnecting the RF connectors, I cover each of them with a piece of tape to prevent it from shorting to anything. To reconnect them, you'll probably need to use a bright light and a magnifying glass.

To prevent the PC from being able to surreptitiously retain data for Big Brother (assuming that he could access it physically), a "secure" PC (by my definition) cannot have any internal storage devices. All data is stored on separate flash drives with EXT4 partitions (including encrypted ones), which compared to FAT partitions have much faster write-speeds on Linux. My storage scheme is described in my earlier post on creating an air-gap PC, so I won't repeat it here. To avoid major hassles when using EXT4-formatted flash drives on multiple PCs, I set the permissions on each EXT4 partition so that any PC running Linux can create and delete files. (Right-click on the partition of interest, select Properties, then Permissions, and then set folder-access on owner, group, and others to "create and delete files.") The permission-system on Linux is complex and is the main reason why Linux doesn't need anti-viral software.

One use for "air gap" PCs is to compose and encrypt secure messages, which would then be transferred via flash drive to an online PC, and emailed. When an encrypted message is received, it would be transferred to the secure PC, decrypted and read. That way, the unencrypted versions are never exposed to an unsecure environment. The weak link then becomes the correspondent.

Israeli intelligence, according to some sources, claims to have found ways to spy on air-gap PCs, but these techniques would be used only by intelligence agencies spying on high-value targets, and require physical access to the target-PC. If you follow the precautions mentioned previously, the Thought Police probably won't be able to access your air-gap PC.


Setting up the installation

The installation should be set up before using it, so that you don't need to connect it to the internet after using it and potentially leaving traces of your activity. Installing software on Debian-type Linux PCs is fairly easy if the installation has a fast, direct internet connection, in which case installing apps consists of updating the "local package index" (which is a matter of replacing the installation's internal software index with a new copy of the on-line software index - more details below), and then installing software. I don't usually bother to update the OS itself, which typically requires hundreds of MB of data, although once in a blue moon some vulnerability is found and I update my online PC's package index and perform a security update, which can still require a lot of data. If you can wait for the next release, you could avoid having to perform a security update, because the new release would incorporate all updates up to that point.
 
The local package index is the installation's internal copy of the user's choice of pre-defined sections of the massive on-line package index. (Most people just need the "main" and "universe"/"community-maintained" sections.) The online package index is updated daily to reflect revisions to the gigabytes of software in the corresponding online software repository, the latest version of which is copied to servers around the world nightly. So, the local package index is technically outdated the next day, and doesn't reflect the state of the repository. (You can't use the online index directly, mainly due to security concerns.) However, I was able to use a local package index from April of 2020 to download some modules in November of 2021, and when I installed them, they worked. But this approach requires the downloaded modules to be manually validated, and to be installed one at a time in the right order (since some depend on others, and can't be installed until the ones they depend on have been installed - but at least the installer would indicate what needs to be installed first, and it would be one of the modules in the group which you had downloaded). But when only about five modules are required, this isn't very difficult, and in some cases this approach is necessary.

One way to update the package index is to get online, use the Software & Updates app to select the desired sections (I use just the Main and Universe sections), and to select various update options. Then hit Close, and in the window which appears, hit Reload, and the update should proceed. The update requires about 10 MB of compressed data, depending on which sections you need, so hopefully your connection is fast. 

After performing the update, you would install any software which you might want. UM comes with almost everything I need, but I always install Synaptic Package Manager (a no-nonsense software manager), GIMP (a powerful image editor), dclock (a large on-screen digital clock, timer, and alarm, although the dclock module by itself is sufficient for just a clock, and I keep a copy and install it by simply clicking on it, etc.), and perhaps Catfish file search, which can search for files by name or by text-content, although I've discovered a widget that does the same thing, and use it instead. (Xubuntu 20.04 includes GIMP and Catfish by default, and its clock has an LCD mode which eliminates the need for dclock.) If you enter the command "sudo apt install synaptic" (without the quotation marks), and then your password, Synaptic Package Manager will be installed and you can use it to install everything else. Or you could use the terminal to install everything, using "sudo apt install synaptic gimp catfish dclock" (without the quotation marks). If you need to get online to install more after using the installation, and you want to ensure that Big Brother won't see any of your data, you would have to delete it all, including all data in the .cache/thumbnails folder (go to Home, press Ctrl-H to show hidden files, and .cache will appear), update the package index, and install the extra software. Or, if you're paranoid, you could create a new installation from scratch, which is no big deal.

Xubuntu's default screensaver settings are too short for my tastes, so I use the Screensaver settings-app to adjust it to something reasonable.

It is possible to make changes to Debian-type installations (which include Ubuntu and its derivatives) without an internet connection, using a unique piece of software known as APT-Offline (for details, see AnAptOfflineBlog.blogspot.com). However, some people would rather do what it takes to get a direct internet connection, such as by taking their PC to a wifi hotspot [4], to avoid having to deal with APT-Offline, although this could be impractical for large, power-hungry PCs, and using APT-Offline is the only truly secure way to make changes to an "air gap" installation which has been used for accessing confidential data. Perhaps the easiest way to become familiar with APT-Offline is to read the introductory sections in the tutorial on AnAptOfflineBlog.blogspot.com, and then to use APT-Offline to perform an update or to install something on an online PC, and refer to the tutorial for details when you need them. I just used it to install Gparted on my online installation, and it was easy even though it had been a long time since I previously used it, and I had to look up a detail which I had forgotten.

The new "containerized" software system known as Snappy can be used without a direct internet connection, as explained in another post on this blog (toggwu.blogspot.com), although some popular software isn't available as Snaps, and Snap versions of apps are typically far larger than Debian versions, although there were obviously compelling reasons for developing the Snappy system.

Notes

Rev 1/10/21 - Rewrote the main text's last two paragraphs, which were previously a single paragraph. In the previous revision, I claimed that APT-Offline's "install"-operation didn't work, but I might have been mistaken because I installed it on my online Ubuntu Mate installation just before making this revision, and used it to install Gparted on that installation, and APT-Offline indicated that an error had occurred. This might have been what previously led me to conclude that it was malfunctioning, although many error messages can be ignored, and APT-Offline proceeded to perform the install-op, and then indicated success (meaning that it had placed the app-packages in File_System/var/cache/apt/archives, where the regular installation-process places files after downloading and validating them, before actually installing them). So, I then performed a regular installation-process to actually install Gparted, and it worked.

[1] "During the interview, Snowden discussed his motivations for releasing the documents to journalists, explaining, 'The intelligence capabilities themselves are unregulated, uncontrolled, and dangerous. People at NSA can actually watch internet communications and see our thoughts form as we type. What's more shocking is the dirtiness of the targeting. It's the lack of respect for the public and for the intrusiveness of surveillance.'"

from "Snowden says NSA watches our digital thoughts develop" by Arstechnica

Snowden's in exile, and Congress apparently never investigated his claims, which speaks volumes. There was a time when we could get cheap little netbooks which could be booted with Linux and which didn't have built-in wireless (it could be added with a USB "dongle"), but they're no longer available.

A recent arstechnica.com article entitled "Google warns that NSO (an Israeli company) hacking is on par with elite nation-state spies" is further evidence that software can't be trusted to isolate data from the internet.

[2] I first tried an Adesso AKB-410UB, which has a good layout, but the elastomeric "springs" under the space-key wore out in about a year. So, I got an "E-SDS Waterproof Industrial Machine Keyboard 88 Keys with USB Interface and Touchpad" sold on Amazon for about $65, which has made it past the 1-year mark as of this writing, although it was difficult getting accustomed to the locations for the Delete and Insert keys.

[3] To use VLC to extract a clip from a video, I pause the source-video where I want the clip to start, then click on Record and un-pause the video. When it gets to the end-point, I pause it again and click on Record again to stop the recording-process. There is no risk of accidentally overwriting the source file, since each clip initially has a unique name generated by VLC. For greater precision, I suppose that you could make the clip a little long and trim it with an editor.

In Kubuntu 20.04, the recordings were stored in the Home/<username>/Downloads directory until I changed the destination-directory, as follows (which might vary depending on VLC-version):

Click on Tools, then Preferences, then find Show Settings in the bottom left-hand corner of the Preferences window and select Simple. In the resulting window, select Input/Codecs, and in the resulting window, go to the Files section, click on Browse, and select the destination for the recordings/clips.

[4] For powering a PC at a wifi hotspot, if all else fails, you could use a DC-to-AC inverter plugged into a car's cigarette lighter, or an uninterruptible power supply with sufficient capacity to power the PC long enough to set it up. To shield a monitor from sunlight, you could use a cardboard hood.

Sunday, January 2, 2022

Enhanced Master Lock Speed Dial Lock instructions

This page contains my enhanced instructions for selecting and changing combinations for Master Lock Speed Dial locks, which are the only locks I trust, although they're not perfect and it's a good idea to have spares on hand in case your primary develops a problem. Fortunately, they're not expensive. I recommend becoming familiar with these procedures and using them whenever you think that a lock's combination has been compromised, such as after having been sent over the internet.

=============================

WARNING

If the Speed Dial lock is just "clicked" closed, it might not actually be locked, and it could be opened by just pulling on the shackle with moderate force. So, to lock it, close it firmly, and then try to pull it open to ensure that it is actually locked.

=============================


I. Selecting new combinations

Because the combinations for the Speed Dial lock can supposedly be any length, and they have to be entered in their entirety each time, nobody in their right mind would try to crack the combination, other than perhaps to try all 1-, 2-, and 3-digit combinations. So, if you make your combinations at least 4 digits long, chances are that nobody will crack them. However, I use longer combinations. It helps to think of the lock as a toy, and changing combinations as a game. But when you lose, the lock is useless as a lock, so it's a good idea to make a video recording of the new combination being programmed into the lock (details below) and to have extra locks on hand.


A) Using phone numbers as combinations

One approach to coming up with combinations and remembering them is to use a phone number or a combination of phone numbers (such as the first three digits of one, and the last four of another) which you will remember or be able to find when you want to open the lock. But if you use this system, don't let anyone know that you're using it. The correspondence between the phone-number digits and lock-"digits" would be as follows:

0-1: Up    (12:00)
2-3: Right (3:00)   
4-6: Down  (6:00)   
7-9: Left  (9:00)  

Note that the phone-number digits are grouped in two groups of two, followed by two groups of three, and that the last number in each of the groups corresponds to the clock-position of the lock-"digit" (well, not exactly - 1 corresponds only to the first digit in 12). This system should be easy to remember. It will skew combinations toward D's and L's because there are more numbers associated with them than U and R in the above table, but it's not as if it's going to make it easy to crack them.

> Using a whiteboard as an aid for entering combinations

You can't be too careful when entering a combination, and writing the combination in its most direct form helps to avoid mistakes. Saying "up" for U, "down" for D, "left" for L, or "right" for R when entering a combination also helps me to avoid mistakes.

When changing a lock's combination to one based on a phone number, or opening a lock with such a combination, I suggest writing the phone number on a whiteboard, converting it in your head to the corresponding combination, writing it below the phone number, and then double-checking the conversion.

When done changing the combination or opening the lock, erase the whiteboard.


> Make a video recording of the new combination being programmed into the lock

When entering a combination into a Speed Dial lock, my thumb sometimes seems to have a mind of its own. For example, when I intend to enter a "D" (i.e. move the lock's "knob" downward from its center/rest-position), even if I'm looking at a "D" and saying "down" to myself, my thumb sometimes moves up, left, or right. This isn't much of a problem unless I happen to be programming a new combination into the lock at the time. So, it's a good idea to make a video recording (using a camera which has no wireless capability) of the new combination being programmed into the lock, so that if you make a mistake, you can watch the recording to get the combination which was actually entered. To do this, I place the camera on the edge of a counter and hold the lock in front of it. Make a test recording and watch it to be sure you'll have a clear recording if you need it. Once the recording has served its purpose, it should be completely deleted (not just sent to the trash) to prevent anyone else from using it to obtain the combination.
 

B) Another system for selecting combinations

I use the GRC Ultra High Security Password Generator (an on-line random number generator) as a source of long strings of random hexadecimal numbers, and a hexadecimal-to-base-4 converter found at translatorscafe.com/cafe/EN/units-converter/numbers/4-7/hexadecimal-base-4/ to convert them to base-4 numbers. Then convert the base-4 string to U's, D's, L's, and R's using a text-editor's search/replace function (just don't use the same letter for more than one number), and then select sections from the resulting long string to use as combinations.

Never store a combination on a non-secure PC, unless it is disguised as something else. I suggest keeping copies on several encrypted flash drives.
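The two systems above (phone-number digits in section A, random hex converted to base 4 in section B) can be done in one short script. This is an added example, not part of the original post: it uses Python's `secrets` module in place of the on-line generator and converter so that it runs offline, and the assignment of base-4 digits 0-3 to U, R, D, L and all function names are assumptions made for illustration.

```python
import secrets

# Phone-digit groups from the table in section A.
PHONE_MAP = {}
for digits, direction in (("01", "U"), ("23", "R"), ("456", "D"), ("789", "L")):
    for d in digits:
        PHONE_MAP[d] = direction

# Assumed assignment of base-4 digits 0,1,2,3 to letters for section B
# (any assignment works as long as each digit gets a different letter).
BASE4_MAP = "URDL"


def phone_to_combo(phone: str) -> str:
    """Convert a phone number to U/R/D/L, skipping dashes, spaces, parentheses."""
    letters = [PHONE_MAP[c] for c in phone if c in PHONE_MAP]
    if not letters:
        raise ValueError("no digits found in phone number")
    return "".join(letters)


def hex_to_combo(hex_string: str) -> str:
    """Convert hex to base 4 (two base-4 digits per hex digit), then to letters."""
    out = []
    for ch in hex_string.strip():
        value = int(ch, 16)                 # ValueError on a non-hex character
        out.append(BASE4_MAP[value >> 2])   # high base-4 digit
        out.append(BASE4_MAP[value & 3])    # low base-4 digit
    return "".join(out)


def random_combo(length: int) -> str:
    """Draw a combination of the given length from the OS random source."""
    if length < 4:
        raise ValueError("the post recommends at least 4 digits")
    nbytes = (length + 3) // 4              # one byte yields four base-4 digits
    return hex_to_combo(secrets.token_hex(nbytes))[:length]


if __name__ == "__main__":
    # Constructed sample inputs; the phone number is a fictional 555 number.
    print(phone_to_combo("555-0123"))
    print(hex_to_combo("1b"))
    print(random_combo(9))
```

Each hex digit always yields exactly two directions, so leading zeros are preserved and all four directions are equally likely, unlike the phone-number system, which skews toward D and L.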

II. Procedure for changing Master Lock Speed Dial lock combination

The reason I use the Master Lock Speed Dial lock is that it's the only one I trust because it can't be cracked or picked. Some of them are flaky, and don't always open on the first try even if you enter the right combination. I've had a couple which failed the first time I entered a new combination, so that they couldn't be opened even with the right combination (and I was certain that I was using the combinations which I had programmed into them). SO, AFTER ENTERING A NEW COMBINATION, ALWAYS TRY TO OPEN THE LOCK BEFORE USING IT TO LOCK ANYTHING. It seems that some combinations, at least in the case of 9-"digit" combinations, don't work very well, so when I find a combination that doesn't work well, I change it. In some cases, it might help to hold it in a vertical orientation when opening it, although that's not based on a scientific experiment and could just have been a coincidence. So, when using these locks, the top priority is to be certain that you'll be able to open them after using them to lock something, and the next priority is to be certain that nobody else will be able to open them.

The procedure for changing the combination is as follows:

A) Open the lock as usual.

B) Push the lever on the back of the lock to its upper position. (I use a large nail for this. Be careful to avoid jabbing yourself if you slip. It might be a good idea to wear a leather glove in case you do slip.)

C) Close the lock and press down firmly on the shackle twice to clear the existing combination.

D) Pull the lock open.

E) (Before performing this step, read "> Make a video recording of the new combination being programmed into the lock" above.) Very carefully enter the new combination. (It might be a good idea to start out with a one-digit combination, and then a two-digit combination, in case you make a mistake and need to open the lock without knowing the combination.) I find that saying "down" for D, "up" for U, "left" for L, and "right" for R as I enter the corresponding digit helps me to avoid making mistakes. If you think you made a mistake, return to step C.


You can correct a mistake until you push the lever on the back of the lock down and close the lock. If you make a mistake, and then push the lever down and close the lock, the lock is useless as a lock, unless you made a video recording of the new combination being programmed into the lock, as recommended above. At least they're not expensive to replace, but if you lock yourself out, you need an SD lock right away, and you don't have a spare, you're out of luck.

F) If you are reasonably certain that you entered the new combination correctly, push the lever on back to its lower position (again, be careful to avoid jabbing yourself), and close the lock firmly.

G) Try to pull the lock open to see if it's really locked. If it opens, close it more firmly and repeat this step.

H) TEST THE NEW COMBINATION BEFORE USING THE LOCK TO LOCK ANYTHING.

I) Don't leave the lock unlocked when unattended, because someone might change the combination.

J) To ensure that two people must be present when the lock is unlocked, each person would program a portion of the combination into the lock without the other person being able to watch. (So, each person would have to enter at least 4 "digits" so that the other person couldn't guess their portion of the combination.) The aforementioned video-recording system could be used in case someone makes a mistake while programming their portion into the lock. If a mistake is made, the recording could be viewed by either person so that the lock could be opened and the process could be repeated. If both people correctly program their portion into the lock, as proven by their combined ability to unlock the lock, the video would not be viewed, and it would be completely deleted (i.e. shift-deleted or sent to the trash, and the trash emptied, or overwritten by a secure-erase program) while both people observe.