Rev 1/10/22 (see Notes)
After concluding that there will probably never be an inexpensive Ryzen 3-based mini-PC, I got a Gigabyte Brix GB-BLCE-4105R for about $185 (including 8GB of memory) from Amazon. It has an Intel Celeron J4105 CPU, which has plenty of processing-power for my purposes, and is rated at 10W power consumption, compared to the Ryzen 3 5400U's 15W.
But good luck getting such a good deal now, if you can even get one of these mini-PCs at all, due to the supply-chain crisis and inflation. However, even if this model goes out of production, Gigabyte will probably replace it with something similar.
The Brix is made well, although it's tiny. Just use caution when opening it up, installing or removing whatever, and putting the cover back on. Before opening it, I place a light-colored towel underneath so that if I drop any of its tiny screws, they're easy to see, and they don't bounce and disappear forever.
Because I don't trust software (except validated AES-grade encryption software) to isolate data from the internet [1], I needed to put the OS on a flash drive and to use a wired keyboard/touchpad [2], as part of creating a "secure" PC (my definition, not the NSA's). So, I had to use both USB ports on back for these purposes, but I can connect hubs to the front ports (USB-3 and USB-C), to obtain as many ports as I need. The fact that the GB-BLCE-4105R's case is all metal reduces the likelihood that a bug planted inside the PC could get a signal out, although if you're really paranoid about the Thought Police planting a recording device in it, you could conceal the entire PC, or put it in a tamper-proof lockbox locked with a Master Lock Speed Dial lock when you can't keep an eye on it. I posted my enhanced instructions for the Speed Dial lock here (https://toggwu.blogspot.com/2022/01/enhanced-master-lock-speed-dial-lock.html). If you lock it in a tamper-proof lockbox with an SD lock, nobody would be able to tamper with it without leaving evidence, such as by cutting the lock off with a grinder, and replacing it with a look-alike, in which case the old combination would no longer work. Perhaps you could place a unique pattern on the back of the lock so that any replacement would be obvious, which would probably prevent anyone from substituting another lock. Of course you'd also unplug the presumably tiny OS-flash-drive and conceal it separately. BTW, I've found that Sandisk 64GB USB-3 drives work very well for this purpose, partly because they have a much faster write-speed than even a 32GB version, which makes the process of installing the OS go quickly (appx. 20 minutes).
Multiple PCs can use the same keyboard and monitor with a KVM switch. I messed around with a cheap KM switch (Iogear GCS24U 4-port VGA) for years before finally getting a CKLau-64H2ua, which is listed on Amazon as "CKLau 4Kx2K Ultra HD 4 Port HDMI Cables KVM Switch," and is excellent, although I've found that I have to boot my Zbox BI320 PC up to the point where the password must be entered, before selecting it with the CKLau KM switch, or it won't boot. The CKLau KM switch has ports which allow flash drives to be switched between PCs, which eliminates the need to physically transfer the drives between PCs to use them for transferring data. Naturally, any KM switch used with a secure PC cannot have any wireless capability.
Preferred operating systems for "secure" PCs
I've been running Ubuntu (oo-boon-too) Mate on both of my mini-PCs. UM is a popular no-nonsense, efficient type of Ubuntu Debian Linux (Ubuntu is a type of Debian, which is a type of Linux). I wasn't a big fan of plain Ubunutu's "desktop" (OS-GUI) the last time I tried it, but it might have been changed since then.
I also like Xubuntu (zoo-boon-too), which is very compact and innovative. I had problems using it with my Iogear KM switch (it wouldn't wake up when I switched back to it after using another PC, which prevented me from using Xubuntu), but it works well with the CKLau KM switch. My only other complaint about it was its file manager didn't remember the selected file-arrangement-order (by name, type, etc.) for each directory, but this drawback has been addressed, or soon will be. Its default selection of apps is different than UM's default selection, but I would have to install apps in either case to get everything I want. The software which I install on UM is mentioned later, but on Xubuntu, I install Synaptic Package Manager (a highly functional software manager which isn't dumbed-down, appx. 1.5MB), VLC "video player" (appx. 20MB), Disks a.k.a. Gnome Disk Utility (very handy, especially since its circa-2020 overhaul, for creating encrypted partitions on storage devices, which GParted doesn't do - appx 0.5MB), Eye of Mate a.k.a. EOM image viewer (appx. 2.5MB), which I prefer over Ristretto, Xubuntu's default viewer), Plank (a nifty app-launcher dock, which doesn't require much data to install), and Vnstat (for on-line installations) to keep track of internet data consumption (less than 200kB to install). Xubuntu's Network Monitor widget looks like it would be good for monitoring download-speeds, to avoid inadvertently downloading vast amounts of data which you don't need or want. Xubuntu's text editor lacked built-in spelling-check, but I found a way to add a custom action to the file manager to make it easy to use the Aspell spelling-checker (which Xubuntu includes by default) on text files and posted it here (https://toggwu.blogspot.com/2018/11/performing-spell-check-via-right-click.html).
One advantage of Xubuntu is that, by default, it retains downloaded software modules, which are downloaded into File_System/var/cache/apt/archives as part of the complex, automatic software-installation process, as a precursor to actually installing them. Ubuntu Mate, by default, deletes these modules from the archives directory after installing them, although there is a command which can be found in another entry in this blog (toggwu.blogspot.com), which causes these modules to be retained in the archives directory after they are installed. Retaining these modules allows them to be copied and saved for use in creating copies of the installation, without having to download the modules again. (To copy modules into the archives directory, you have to launch the file manager in superuser mode, such as by entering "sudo caja" in UM or "sudo thunar" in Xubuntu, but if you make a mistake with the file manager in this mode, you could destroy the installation, so be careful and exit it ASAP, by closing the file manager and the terminal.) If you wait too long to reuse them, some of the modules will probably be superseded by newer versions, and the software manager (which would be basing its decisions on a later version of the package/software index) will download the newer revisions if the installation is connected to the internet when the software is being installed.
Kubuntu (koo-boon-tu) is also excellent, and allows you to zoom the entire screen. I use Kubuntu on my "heavy duty" desktop PC which I use for audio and video purposes.
Each of these Ubuntu-derivatives includes a large collection of widgets, which are small programs such as desktop notes, CPU-load monitors (useful for determining when the PC is fully booted, which in the case of of the Brix booting any version of Ubuntu from a typical USB-3 flash drive is very quick), search programs which can search for files by name or text-content, timers, etc.
How to get Ubuntu etc. and install them
(Some of the following is also included in an earlier post.)
All types of Linux come in the form of "ISOs" (.iso-files) which are downloaded from the corresponding official site, and in the form of "live" (bootable) DVDs which are sold online by many sources. An ISO is an essentially tamper-proof archive-file (about 1.5GB in UM's case) which contains the OS, the desktop, and a selection of apps (a particularly useful selection in UM's case). A "live"/bootable DVD is essentially an ISO in the form of a DVD, and various Linux and Windows "burner" apps can create ISOs from live DVDs. PCs in general can be booted directly from a live DVD by simply placing it in the DVD drive and booting the PC. But booting from a DVD is very slow, so bootable/live flash drives are preferred. Live flash drives are created from ISOs by using USB-installer apps (more details below).
Never trust an ISO or live DVD until you've validated it. Live DVDs have to be converted to ISOs (which again is done with various "burner" apps) to validate them. Validating an ISO is a matter of calculating its checksum (preferably its SHA256 checksum, because if the SHA256 checksum is good, the ISO is definitely good), and comparing the result to the reference value on the official website or on Distrowatch (which retains checksums for a few older revisions, in case you can't get the latest release). So, before using an ISO to create an installation, copy it to an ssd/hdd on a powerful PC with an ssd/hdd installation, because calculating Linux-ISO checksums takes a long time on low-powered PCs, and because other required processing must be done on a PC with a full installation on an ssd/hdd. Then use the relevant command to calculate the ISO's check-sum, and compare the result to the corresponding reference value.
Commands to calculate checksums are very simple. For the Windows commands, I recommend an article entitled "How to Check an MD5 (or SHA) Checksum on Windows 10." The Linux command to generate an SHA256 checksum is sha256sum path/filename.iso. With a few simple tricks, you can avoid the aggravation of having to precisely type the file's name or path (its location in the directory-tree, relative to the directory named "file system" in UM) into the command. By right-clicking in the directory where the ISO is stored, and selecting "open terminal here," or "open in terminal," you can avoid having to enter the ISO's path into the command at all. But entering the path is simple - just right-click on the file, select Properties in the menu which appears, copy the "location" from the window which appears, paste it into the command-line with Ctrl-Shift-V, and then add a "/" at the end unless there already is one. To enter the file's name into the command, you can copy it by right-clicking on the file, selecting Rename, then pressing Ctrl-A, then Ctrl-C. If there are any spaces in the path or filename, put quotation marks around the term which contains spaces, or just enclose both the path and filename in a single pair of quotation marks. If you get a bad checksum from an ISO made from a DVD, it might help to clean the DVD, but be careful to avoid damaging it. There are no doubt instructions online.
An ISO can be made into a bootable DVD (such as to mail a copy of the ISO to someone in a secure, bootable form) by using a "burner" program to copy the ISO to a blank DVD "as image" (which copies the contents of the ISO to the DVD), not "as file," because you wouldn't be able to boot directly from the resulting DVD, although it would be doubly secure, like putting an ISO in an ISO. As mentioned previously, ISOs can also be made into bootable flash-drive installations by using a "USB installer" app, which copies the ISO's image to the flash drive in a format which the PC will recognize as a bootable drive. I prefer Rufus for Windows and Etcher for Linux. Neither requires installation, but Etcher can be installed. I've tried to run Etcher on a PC booted from a live flash-drive installation, but it didn't work, so it apparently has to be run on a PC with a full installation, i.e. an unencrypted installation on an ssd/hdd. I don't know why this is, but since you'll probably want a heavy-duty PC for big jobs, you might as well build yourself a custom desktop PC (which is easy these days) to get just what you want and save a boatload of money. Then install UM or Kubuntu on it, and use it for creating ISOs from live DVDs, calculating ISO-checksums, and creating flash drive installations from ISOs. (I use Kubuntu for its screen-zoom capability, and because installing the heavy-duty video-editor known as KDEnlive requires much less data than installing it on UM. However, my installation of KDEnlive developed problems, so I switched to OpenShot, which is relatively simple and comes as an AppImage, meaning that it can be run on any type of Linux without installing it, although I still prefer Kubuntu because it has screen-zoom capability. Openshot apparently can't simply extract clips from videos (which KDEnlive does very quickly and conveniently), but you can use VLC's record-function to copy sections of videos, which is fast enough for short clips. [3]
Booting PCs from flash drives
Modern PCs in general can boot from live flash drives, but you might have to change some "BIOS" settings so that the PC will boot from a flash drive instead of the regular installation. The BIOS menu is typically accessed by pressing and holding the Delete key down, shortly after starting the PC, until the BIOS menu appears. However, some PCs use other keys or combinations, which you can find on the internet. Once you're in the menu, just don't change any settings that you don't understand, and if you mistakenly change a setting and don't remember the original setting, just exit the menu without saving any changes, and then start over. There's typically a boot-order sub-menu, and assuming that you've plugged the live flash drive into the PC, it will appear on the menu. After making the changes, select "save changes and exit," and the PC should boot from the flash drive. Then, to boot from the regular installation, just shut the PC down, unplug the flash drive installation, and reboot.
Encrypted installations
I use an encrypted installation on a 64GB Sandisk Ultra-FIT USB-3 flash drive for my "air-gap" PC. (FIT refers to the fact that drive is stubby and can be left in a USB port without worrying about something hitting the drive and damaging the port.) Although the capacity is overkill, 64GB Ultra-FITS have a much higher write-speed than even 32GB UFs, making the installation-process go much faster. (I would not use an encrypted installation for such things as video processing, due to the amount of CPU-power required for encrypting video.) I suppose that Sandisk USB-3 drives in general have the same performance as FITs. I previously recommended a Kingston Datatraveler 3.0 because the Sandisks runs a bit on the hot side at times, but the installation on the Kingston provided sluggish response, although it's tolerable if nothing better is available. But flash-drive technology continues to evolve, so you might want to experiment.
To create an encrypted flash-drive installation for a particular PC, boot the PC from a live flash drive, then plug the "target" drive (the USB-3 or higher drive to receive the installation) into a USB-3 (or higher) port and launch the installation program. Or, if the target drive doesn't contain a functional operating system, you could plug both drives in at the same time, then start the PC, and then go directly into the installation-process from the boot-menu. (In Xubuntu, watch out for NumLk, which sometimes ends up being turned on at the beginning of installation, because if it's on when you enter the passwords during installation, you might end up entering something besides the intended password.) I recommend selecting the option to install 3rd-party software, in case you'll want to use a USB wifi modem to connect to a hotspot to set up the installation. When you are asked to specify the installation type, select "Erase disk and install Ubuntu Mate," then click the Advanced Features button, and in the window which appears select "Use LVM ..." and "Encrypt ..." and then click on OK.
The installation program also provides an option for erasing the unused portion of the drive (overwriting it with zeroes) when the installation is finished, which eliminates any potential malware and is probably a good idea when performing the first installation on a drive. It takes quite a while, but you wouldn't have to erase the drive again, assuming that you don't give anyone an opportunity to infect it. However, I typically erase the drive before performing the installation, by formatting it and selecting the overwrite-option, because I can do it while working on other stuff. After creating the installation, unplug it and conceal it whenever you're unable to keep an eye on the PC. If you'd rather use an internal SSD, you could disconnect the PC and conceal it when you're out.
Protecting PCs from hackers
To eliminate the possibility of a surreptitious connection to the internet (such as wifi burst-mode), my type of secure PC has no wired or wireless internet connection. I completely remove the wireless module, and avoid using any peripherals with wireless capability. In some PCs, the wireless module is built into the motherboard, which makes these PCs unsuitable to use as secure PCs. To remove the module, first disconnect the tiny RF connectors by using something like long-nose pliers to pull them straight up from the module. Then remove the screw which holds the module in place, unplug the module, replace the screw, and store the module safely. I wrapped it in aluminum foil to protect it from static. After disconnecting the RF connectors, I cover each of them with a piece of tape to prevent it from shorting to anything. To reconnect them, you'll probably need to use a bright light and a magnifying glass.
To prevent the PC from being able to surreptitiously retain data for Big Brother (assuming that he could access it physically), a "secure" PC (by my definition) cannot have any internal storage devices. All data is stored on separate flash drives with EXT4 partitions (including encrypted ones), which compared to FAT partitions have much faster write-speeds on Linux. My storage scheme is described in my earlier post on creating an air-gap PC, so I won't repeat it here. To avoid major hassles when EXT4-formatted flash drives on multiple PCs, I set the permissions on each EXT4 partition so that any PC running Linux can create and delete files. (Right-click on the partition of interest, select Properties, then Permissions, and then set folder-access on owner, group, and others to "create and delete files.") The permission-system on Linux is complex and is the main reason why Linux doesn't need anti-viral software.
One use for "air gap" PCs is to compose and encrypt secure messages, which would then be transferred via flash drive to an online PC, and emailed. When an encrypted message is received, it would be transferred to the secure PC, decrypted and read. That way, the unencrypted versions are never exposed to an unsecure environment. The weak link then becomes the correspondent.
Israeli intelligence, according to some sources, claims to have found ways to spy on air-gap PCs, but these techniques would be used only by intelligence agencies spying on high-value targets, and require physical access to the target-PC. If you follow the precautions mentioned previously, the Thought Police probably won't be able to access your air-gap PC.
Setting up the installation
The installation should be set up before using it, so that you don't need to connect it to the internet after using it and potentially leaving traces of your activity. Installing software on Debian-type Linux PCs is fairly easy if the installation has a fast, direct internet connection, in which case installing apps consists of updating the "local package index" (which is a matter of replacing the installation's internal software index with a new copy of the on-line software index - more details below), and then installing software. I don't usually bother to update the OS itself, which typically requires hundreds of MB of data, although once in a blue moon some vulnerability is found and I update my online PC's package index and perform a security update, which can still require a lot of data. If you can wait for the next release, you could avoid having to perform a security update, because the new release would incorporate all updates up to that point.
The local package index is the installation's internal copy of the user's choice of pre-defined sections of the massive on-line package index. (Most people just need the "main" and "universe"/"community-maintained" sections.) The online package index is updated daily to reflect revisions to the gigabytes of software in the corresponding online software repository, the latest version of which is copied to servers around the world nightly. So, the local package index is technically outdated the next day, and doesn't reflect the state of the repository. (You can't use the online index directly, mainly due to security concerns.) However, I was able to use a local package index from April of 2020 to download some modules in November of 2021, and when I installed them, they worked. But this approach requires the downloaded modules to be manually validated, and to be installed one at a time in the right order (since some depend on others, and can't be installed until the ones they depend on have been installed - but at least the installer would indicate what needs to be installed first, and it would be one of the modules in the group which you had downloaded). But when only about five modules are required, this isn't very difficult, and in some cases this approach is necessary.
One way to update the package index is to get online, use the Software & Updates app to select the desired sections (I use just the Main and Universe sections), and to select various update options. Then hit Close, and in the window which appears, hit Reload, and the update should proceed. The update requires about 10 MB of compressed data, depending on which sections you need, so hopefully your connection is fast.
After performing the update, you would install any software which you might want. UM comes with almost everything I need, but I always install Synaptic Package Manager (a no-nonsense software manager), GIMP (a powerful image editor), dclock (a large on-screen digital clock, timer, and alarm, although the dclock module by itself is sufficient for just a clock, and I keep a copy and install it by simply clicking on it, etc.), and perhaps Catfish file search, which can search for files by name or by text-content, although I've discovered a widget that does the same thing, and use it instead. (Xubuntu 20.04 includes GIMP and Catfish by default, and its clock has an LCD mode which eliminates the need for dclock.) If you enter the command "sudo apt install synaptic" (without the quotation marks), and then your password, Synaptic Package Manager will be installed and you can use it to install everything else. Or you could use the terminal to install everything, using "sudo apt install synaptic gimp catfish dclock" (without the quotation marks). If you need to get online to install more after using the installation, and you want to ensure that Big Brother won't see any of your data, you would have to delete it all, including all data in the .cache/thumbnails folder (go to Home, press Ctrl-H to show hidden files, and .cache will appear), update the package index, and install the extra software. Or, if you're paranoid, you could create a new installation from scratch, which is no big deal.
Xubuntu's default screensaver settings are too short for my tastes, so I use the Screensaver settings-app to adjust it to something reasonable.
It is possible to make changes to Debian-type installations (which include Ubuntu and its derivatives) without an internet connection, using a unique piece of software known as APT-Offline (for details, see AnAptOfflineBlog.blogspot.com). However, some people would rather do what it takes to get a direct internet connection, such as by taking their PC to a wifi hotspot [4], to avoid having to deal with APT-Offline, although this could be impractical for large, power-hungry PCs, and using APT-Offline is the only truly secure way to make changes to an "air gap" installation which has been used for accessing confidential data. Perhaps the easiest way to become familiar with APT-Offline is to read the introductory sections in the tutorial on AnAptOfflineBlog.blogspot.com, and then to use APT-Offline to perform an update or to install something on an online PC, and refer to the tutorial for details when you need them. I just used it to install Gparted on my online installation, and it was easy even though it had been a long time since I previously used it, and I had to look up a detail which I had forgotten.
The new "containerized" software system known as Snappy can be used without a direct internet connection, as explained in another post on this blog (toggwu.blogspot.com), although some popular software isn't available as Snaps, and Snap versions of apps are typically far larger than Debian versions, although there were obviously compelling reasons for developing the Snappy system.
Notes
Rev 1/10/21 - Rewrote the main text's last two paragraphs, which were previously a single paragraph. In the previous revision, I claimed that APT-Offline's "install"-operation didn't work, but I might have been mistaken because I installed it on my online Ubuntu Mate installation just before making this revision, and used it to install Gparted on that installation, and APT-Offline indicated that an error had occurred. This might have been what previously led me to conclude that it was malfunctioning, although many error messages can be ignored, and APT-Offline proceeded to perform the install-op, and then indicated success (meaning that it had placed the app-packages in File_System/var/cache/apt/archives, where the regular installation-process places files after downloading and validating them, before actually installing them). So, I then performed a regular installation-process to actually install Gparted, and it worked.
[1] "During the interview, Snowden discussed his motivations for releasing the documents to journalists, explaining, 'The intelligence capabilities themselves are unregulated, uncontrolled, and dangerous. People at NSA can actually watch internet communications and see our thoughts form as we type. What's more shocking is the dirtiness of the targeting. It's the lack of respect for the public and for the intrusiveness of surveillance.'"
from "Snowden says NSA watches our digital thoughts develop" by Arstechnica
Snowden's in exile, and Congress apparently never investigated his claims, which speaks volumes. There was a time when we could get cheap little netbooks which could be booted with Linux and which didn't have built-in wireless (it could be added with a USB "dongle"), but they're no longer available.
A recent arstechnica.com article entitled "Google warns that NSO (an Israeli company) hacking is on par with elite nation-state spies" is further evidence that software can't be trusted to isolate data from the internet.
[2] I first tried an Adesso AKB-410UB, which has a good layout, but the elastomeric "springs" under the space-key wore out in about a year. So, I got an "E-SDS Waterproof Industrial Machine Keyboard 88 Keys with USB Interface and Touchpad" sold on Amazon for about $65, which has made it past the 1-year mark as of this writing, although it was difficult getting accustomed to the locations for the Delete and Insert keys.
[3] To use VLC to extract a clip from a video, I pause the source-video where I want the clip to start, then click on Record and un-pause the video. When it gets to the end-point, I pause it again and click on Record again to stop the recording-process. There is no risk of accidentally overwriting the source file, since each clip initially has a unique name generated by VLC. For greater precision, I suppose that you could make the clip a little long and trim it with an editor.
In Kubuntu 20.04, the recordings were stored in the Home/<username>/Downloads directory until I changed the destination-directory, as follows (which might vary depending on VLC-version):
Click on Tools, then Preferences, then find Show Settings in the bottom left-hand corner of the Preferences window and select Simple. In the resulting window, select Input/Codecs, and in the resulting window, go to the Files section, click on Browse, and select the destination for the recordings/clips.
[4] For powering a PC at a wifi hotspot, if all else fails, you could use a DC-to-AC inverter plugged into a car's cigarette lighter, or an uninterruptible power supply with sufficient capacity to power the PC long enough to set it up. To shield a monitor from sunlight, you could use a cardboard hood.
Wednesday, January 5, 2022
Sunday, January 2, 2022
Enhanced Master Lock Speed Dial Lock instructions
This page contains my enhanced instructions for selecting and changing combinations for Master Lock Speed Dial locks, which are the only locks I trust, although they're not perfect and it's a good idea to have spares on hand in case your primary develops a problem. Fortunately, they're not expensive. I recommend becoming familiar with these procedures and using them whenever you think that a lock's combination has been compromised, such as after having been sent over the internet.
=============================
WARNING
If the Speed Dial lock is just "clicked" closed, it might not actually be locked, and it could be opened by just pulling on the shackle with moderate force. So, to lock it, close it firmly, and then try to pull it open to ensure that it is actually locked.
=============================
I. Selecting new combinations
Because the combinations for the Speed Dial lock can supposedly be any length, and they have to be entered in their entirety each time, nobody in their right mind would try to crack the combination, other than perhaps to try all 1,2, and 3-digit combinations. So, if you make your combinations at least 4 digits long, chances are that nobody will crack them. However, I use longer combinations. It helps to think of the lock as a toy, and changing combinations as a game. But when you lose, the lock is useless as a lock, so it's a good idea to make a video recording of the new combination being programmed into the lock (details below) and to have extra locks on hand.
A) Using phone numbers as combinations
One approach to coming up with combinations and remembering them is to use a phone number or a combination of phone numbers (such as the first three digits of one, and the last four of another) which you will remember or be able to find when you want to open the lock. But if you use this system, don't let anyone know that you're using it. The correspondence between the phone-number digits and lock-"digits" would be as follows:
0-1: Up (12:00)
2-3: Right (3:00)
4-6: Down (6:00)
7-9: Left (9:00)
Note that the phone-number digits are grouped in two groups of two, followed by two groups of three, and that the last number in each of the groups corresponds to the clock-position of the lock-"digit" (well, not exactly - 1 corresponds only to the first digit in 12). This system should be easy to remember. It will skew combinations toward D's and L's because there are more numbers associated with them than U and R in the above table, but it's not as if it's going to make it easy to crack them.
> Using a whiteboard as an aid for entering combinations
You can't be too careful when entering a combination, and writing the combination in its most direct form helps to avoid mistakes. It also helps me to avoid mistakes by saying "up" for U, "down" for D, "left" for L, or "right" for R when entering a combination.
When changing a lock's combination to one based on a phone number, or opening a lock with such a combination, I suggest writing the phone number on a whiteboard, converting it in your head to the corresponding combination, writing it below the phone number, and then double-checking the conversion.
When done changing the combination or opening the lock, erase the whiteboard.
> Make a video recording of the new combination being programmed into the lock
When entering a combination into a Speed Dial lock, my thumb sometimes seems to have a mind of its own. For example, when I intend to enter a "D" (i.e. move the lock's "knob" downward from its center/rest-position), even if I'm looking at a "D" and saying "down" to myself, my thumb sometimes moves up, left, or right. This isn't much of a problem unless I happen to be programming a new combination into the lock at the time. So, it's a good idea to make a video recording (using a camera which has no wireless capability) of the new combination being programmed into the lock, so that if you make a mistake, you can watch the recording to get the combination which was actually entered. To do this, I place the camera on the edge of a counter and hold the lock in front of it. Make a test recording and watch it to be sure you'll have a clear recording if you need it. Once the recording has served its purpose, it should be completely deleted (not just sent to the trash) to prevent anyone else from using it to obtain the combination.
B) Another system for selecting combinations
I use the GRC Ultra High Security Password Generator (an on-line random number generator) as a source of long strings of random hexadecimal numbers, and a hexadecimal-to-base-4 converter found at translatorscafe.com/cafe/EN/units-converter/numbers/4-7/hexadecimal-base-4/ to convert them to base-4 numbers. Then convert the base-4 string to U's, D's, L's, and R's using a text-editor's search/replace function (just don't use the same letter for more than one number), and then select sections from the resulting long string to use as combinations.
Never store a combination on a non-secure PC, unless it is disguised as something else. I suggest keeping a copies on several encrypted flash drives.
II. Procedure for changing Master Lock Speed Dial lock combination
The reason I use the Master Lock Speed Dial lock is that it's the only one I trust because it can't be cracked or picked. Some of them are flaky, and don't always open on the first try even if you enter the right combination. I've had a couple which failed the first time I entered a new combination, so that they couldn't be opened even with the right combination (and I was certain that I was using the combinations which I had programmed into them). SO, AFTER ENTERING A NEW COMBINATION, ALWAYS TRY TO OPEN THE LOCK BEFORE USING IT TO LOCK ANYTHING. It seems that some combinations, at least in the case of 9-"digit" combinations, don't work very well, so when I find a combination that doesn't work well, I change it. In some cases, it might help to hold it in a vertical orientation when opening it, although that's not based on a scientific experiment and could just have been a coincidence. So, when using these locks, the top priority is to be certain that you'll be able to open them after using them to lock something, and the next priority is to be certain that nobody else will be able to open them.
The procedure for changing the combination is as follows:
A) Open the lock as usual.
B) Push the lever on the back of the lock to its upper position. (I use a large nail for this. Be careful to avoid jabbing yourself if you slip. It might be a good idea to wear a leather glove in case you do slip.)
C) Close the lock and press down firmly on the shackle twice to clear the existing combination.
D) Pull the lock open
E) (Before performing this step, read "> Record new combination being programmed into lock" above.) Very carefully enter the new combination. (It might be a good idea to start out with a one-digit combination, and then a two-digit combination, in case you make a mistake and need to open the lock without knowing the combination.) I find that saying "down" for D, "up" for U, "left" for L, and "right" for R as I enter the corresponding digit helps me to avoid making mistakes. If you think you make a mistake, return to step C.
You can correct a mistake until you push the lever on the back of the lock down and close the lock. If you make a mistake, and then push the lever down and close the lock, the lock is useless as a lock, unless you made a video recording of the new combination being programmed into the lock, as recommended above. At least they're not expensive to replace, but if you lock yourself out, you need an SD lock right away, and you don't have a spare, you're out of luck.
F) If you are reasonably certain that you entered the new combination correctly, push the lever on back to its lower position (again, be careful to avoid jabbing yourself), and close the lock firmly.
G) Try to pull the lock open to see if it's really locked. If it opens, close it more firmly and repeat this step.
H) TEST THE NEW COMBINATION BEFORE USING THE LOCK TO LOCK ANYTHING.
I) Don't leave the lock unlocked when unattended, because someone might change the combination.
J) To ensure that two people must be present when the lock is unlocked, each person would program a portion of the combination into the lock without the other person being able to watch. (So, each person would have to enter at least 4 "digits" so that the other person couldn't guess their portion of the combination.) The aforementioned video-recording system could be used in case someone makes a mistake while programming their portion into the lock. If a mistake is made, the recording could be viewed by either person so that the lock could be opened and the process could be repeated. If both people correctly program their portion into the lock, as proven by their combined ability to unlock the lock, the video would not be viewed, and it would be completely deleted (i.e. shift-deleted or sent to the trash, and the trash emptied, or overwritten by a secure-erase program) while both people observe.
Wednesday, June 10, 2020
Ebay Linux-source recommendation
I obtain Linux ISO's by purchasing "live" DVD's and using various burner-programs to generate ISO's from the DVD's. Before using any ISO, calculate its checksum and compare it to the corresponding reference value on the official website, or on Distrowatch. It is a very bad idea to use an ISO which has not been validated in this manner, because some of them contain dirty tricks which can lead to loss of valuable data.
All of the Linux DVD's which I've obtained from Ebay seller ZC Trading, including Kubuntu 20.04 and Ubuntu Mate 20.04 (which were the latest at the time, except for the daily releases, which I don't trust), have arrived quickly in good condition, and have produced ISO's with good check-sums. If he doesn't advertise what you want, contact him.
To calculate a checksum, I recommend placing the ISO of interest on an hdd or ssd on a PC with some power. Then right-click in the directory where the ISO is located, and on the menu which appears, select the option to open a terminal in that directory, and enter "sha256sum <filename.iso>," without the quote marks and with the ISO's actual filename. To get the actual filename, right-click on it and select Rename, then press Ctrl-a, then Ctrl-c. Then paste the filename into the command by pressing Ctrl-Shift-v and hit Enter. I haven't timed it, but it seems to take about half a minute on my PC to perform the calculation. If you want to copy the result, highlight it and press Ctrl-Shift-c, but if the checksums aren't identical, the differences won't be subtle.
All of the Linux DVD's which I've obtained from Ebay seller ZC Trading, including Kubuntu 20.04 and Ubuntu Mate 20.04 (which were the latest at the time, except for the daily releases, which I don't trust), have arrived quickly in good condition, and have produced ISO's with good check-sums. If he doesn't advertise what you want, contact him.
To calculate a checksum, I recommend placing the ISO of interest on an hdd or ssd on a PC with some power. Then right-click in the directory where the ISO is located, and on the menu which appears, select the option to open a terminal in that directory, and enter "sha256sum <filename.iso>," without the quote marks and with the ISO's actual filename. To get the actual filename, right-click on it and select Rename, then press Ctrl-a, then Ctrl-c. Then paste the filename into the command by pressing Ctrl-Shift-v and hit Enter. I haven't timed it, but it seems to take about half a minute on my PC to perform the calculation. If you want to copy the result, highlight it and press Ctrl-Shift-c, but if the checksums aren't identical, the differences won't be subtle.
Saturday, February 22, 2020
How to retain downloaded packages in /var/cache/apt/archives after installing them
2/25/20
Debian/Ubuntu software is modular, and when you tell the software manager to install a piece of software, it refers to the installation's internal software index known as the local package index [1] to determine which modules/packages are required, then downloads them from a secure site, screens them for corruption by comparing them to reference data in the local package index, and places them in /var/cache/apt/archives before the actual installation process begins.
Normally, the downloaded packages are automatically deleted after installation. However, some people might want to retain the downloaded packages after installing them, such as to save copies to use in case they have to re-create the installation in the near future, such as to create a new installation to replace a botched one. Packages can become outdated quickly, and new versions might be required if you wait too long to re-create the installation, because every time a new installation is created, a new local package index must be installed if you want to install any additional software, and the new index would specify the latest versions for everything.
According to Disable auto clean in apt (https://unix.stackexchange.com/questions/499035/disable-auto-clean-in-apt ), the downloaded packages can be retained by entering the following command:
"echo 'Binary::apt::APT::Keep-Downloaded-Packages "1";' | sudo tee /etc/apt/apt.conf.d/10apt-keep-downloads" (Copy the command without the end-quotes and paste it into the terminal with Ctrl-Shift-V. In case there have been any revisions, get the command directly from the source.)
This command (not necessarily in the following order) creates a text-file named 10apt-keep-downloads, inserts the line "Binary::apt::APT::Keep-Downloaded-Packages "1";" in it, and places the file in the /etc/apt/apt.conf.d/ directory, which contains Apt configuration files, which are executed in alphanumeric order. In the past, they were lumped into a single configuration file, but it became too unwieldy.
I took a different approach, by opening the installation's text-editor with superuser privileges (by entering "sudo <text-editor name>" and then the password) and added the aforementioned line to the /etc/apt/apt.conf.d/20archive file because it pertains to the archives directory. This caused the packages to be retained, but it apparently also caused some problems. So, to be on the safe side, and for convenience, I recommend using the aforementioned command.
Notes
[1] The local package index, which is an extracted version of user-selected sections of the online package index (which is revised daily) is massive and contained in var/lib/apt/lists (the package index is also known as "package lists" when extracted). The reference data for a particular package can be found by entering "apt-cache show <package name>" (assuming that the local package index includes the section which pertains to the package of interest). For an introduction to the package index from a PC-user's perspective, see the package-index sections in my article on Apt-offline, because although it's not difficult to understand, it has to be explained in a precise manner when explaining it in writing, and I don't want to repeat it here.
Debian/Ubuntu software is modular, and when you tell the software manager to install a piece of software, it refers to the installation's internal software index known as the local package index [1] to determine which modules/packages are required, then downloads them from a secure site, screens them for corruption by comparing them to reference data in the local package index, and places them in /var/cache/apt/archives before the actual installation process begins.
Normally, the downloaded packages are automatically deleted after installation. However, some people might want to retain the downloaded packages after installing them, such as to save copies to use in case they have to re-create the installation in the near future, such as to create a new installation to replace a botched one. Packages can become outdated quickly, and new versions might be required if you wait too long to re-create the installation, because every time a new installation is created, a new local package index must be installed if you want to install any additional software, and the new index would specify the latest versions for everything.
According to Disable auto clean in apt (https://unix.stackexchange.com/questions/499035/disable-auto-clean-in-apt ), the downloaded packages can be retained by entering the following command:
"echo 'Binary::apt::APT::Keep-Downloaded-Packages "1";' | sudo tee /etc/apt/apt.conf.d/10apt-keep-downloads" (Copy the command without the end-quotes and paste it into the terminal with Ctrl-Shift-V. In case there have been any revisions, get the command directly from the source.)
This command (not necessarily in the following order) creates a text-file named 10apt-keep-downloads, inserts the line "Binary::apt::APT::Keep-Downloaded-Packages "1";" in it, and places the file in the /etc/apt/apt.conf.d/ directory, which contains Apt configuration files, which are executed in alphanumeric order. In the past, they were lumped into a single configuration file, but it became too unwieldy.
I took a different approach, by opening the installation's text-editor with superuser privileges (by entering "sudo <text-editor name>" and then the password) and added the aforementioned line to the /etc/apt/apt.conf.d/20archive file because it pertains to the archives directory. This caused the packages to be retained, but it apparently also caused some problems. So, to be on the safe side, and for convenience, I recommend using the aforementioned command.
Notes
[1] The local package index, which is an extracted version of user-selected sections of the online package index (which is revised daily) is massive and contained in var/lib/apt/lists (the package index is also known as "package lists" when extracted). The reference data for a particular package can be found by entering "apt-cache show <package name>" (assuming that the local package index includes the section which pertains to the package of interest). For an introduction to the package index from a PC-user's perspective, see the package-index sections in my article on Apt-offline, because although it's not difficult to understand, it has to be explained in a precise manner when explaining it in writing, and I don't want to repeat it here.
Friday, February 21, 2020
The most important reason for checking the integrity of ISO's before using them
revised 3/3/20
Probably the most important reason for checking the integrity of a Linux ISO before using it is to be certain that the encryption software contained in it is the official version, and not some hacker's version with a backdoor. To do this, check the integrity of the ISO, which is done by finding the reference sha256 checksum on a trustworthy site (either the official site or Distrowatch, which lists the checksums for all of a distribution's "point" releases, such as Ubuntu 18.04.3, and not just the latest one).
Then, you would calculate the sha256 checksum for your ISO-copy (which you might have downloaded, or made from a DVD, which various Linux and Windows DVD-burner programs can do). The command for calculating an ISO's checksum is "sha256sum <path>/filename.iso." To get the ISO's path, right-click on it and select Properties in the menu which appears, and a window which contains various information, including the path and file's name, will appear. To copy it, either highlight it and hit Ctrl-C, or right-click on it and select "copy" in the menu which appears. To paste something into the terminal, use Ctrl-Shift-V.
If the checksums agree, you at least know that your ISO is the official version, although this still isn't an absolute guarantee that there aren't any backdoors into the encrypted partitions which you create with it. The only way to be certain would be to analyze the code, which is out of the question for most people. You might assume that there couldn't be a backdoor due to the threat of some whiz-kid programmer analyzing the source code and blowing the whistle if he or she finds something, but that's just wishful thinking. So, using encryption software is ultimately a gamble that it's not a means of luring us into a false sense of security so that Big Brother can snatch our encrypted drives and access our secrets, which he would have to do in order to access the data if you normally open them only on an air-gap system.
To be on the safe side, I use the slow-format method to format new flash drives, which erases everything on the drive before formatting it, to ensure that there's nothing on them which could compromise security. (The drive's firmware, which is a sort of "BIOS" for the drive, might contain viruses, such as Stuxnet, but no such viruses have supposedly actually been deployed in the wild, and I haven't seen any indications that they can create backdoors into LUKS partitions, although to be on the safe side, open them only on an air-gap system to ensure that the data when in unencrypted form can't be sent out over the internet by some virus.) By the way, the latest version of the Disks program (a.k.a. gnome-disk-utility) as of this writing has apparently undergone a major revision, and it can create LUKS partitions in free space, instead of having to create FAT partitions and then reformatting them as LUKS partitions. Keep track of which installation was used for creating each encrypted partition, pay attention to news of any vulnerabilities which might compromise the security of your data, and reformat any affected drives. Use long passwords which are easy to remember but impossible to guess, with upper and lower case letters, numbers, and symbols. Store a copy in a safe place (besides on the encrypted flash drive, such as in a list of all passwords you have ever used, in case you ever have a need for an old password which you've forgotten). When you are certain that you have memorized the password, destroy the physical copy. Don't leave your flash drives lying around unattended, and get into the habit of locking your PC's screen whenever you leave the room.
Probably the most important reason for checking the integrity of a Linux ISO before using it is to be certain that the encryption software contained in it is the official version, and not some hacker's version with a backdoor. To do this, check the integrity of the ISO, which is done by finding the reference sha256 checksum on a trustworthy site (either the official site or Distrowatch, which lists the checksums for all of a distribution's "point" releases, such as Ubuntu 18.04.3, and not just the latest one).
Then, you would calculate the sha256 checksum for your ISO-copy (which you might have downloaded, or made from a DVD, which various Linux and Windows DVD-burner programs can do). The command for calculating an ISO's checksum is "sha256sum <path>/filename.iso." To get the ISO's path, right-click on it and select Properties in the menu which appears, and a window which contains various information, including the path and file's name, will appear. To copy it, either highlight it and hit Ctrl-C, or right-click on it and select "copy" in the menu which appears. To paste something into the terminal, use Ctrl-Shift-V.
If the checksums agree, you at least know that your ISO is the official version, although this still isn't an absolute guarantee that there aren't any backdoors into the encrypted partitions which you create with it. The only way to be certain would be to analyze the code, which is out of the question for most people. You might assume that there couldn't be a backdoor due to the threat of some whiz-kid programmer analyzing the source code and blowing the whistle if he or she finds something, but that's just wishful thinking. So, using encryption software is ultimately a gamble that it's not a means of luring us into a false sense of security so that Big Brother can snatch our encrypted drives and access our secrets, which he would have to do in order to access the data if you normally open them only on an air-gap system.
To be on the safe side, I use the slow-format method to format new flash drives, which erases everything on the drive before formatting it, to ensure that there's nothing on them which could compromise security. (The drive's firmware, which is a sort of "BIOS" for the drive, might contain viruses, such as Stuxnet, but no such viruses have supposedly actually been deployed in the wild, and I haven't seen any indications that they can create backdoors into LUKS partitions, although to be on the safe side, open them only on an air-gap system to ensure that the data when in unencrypted form can't be sent out over the internet by some virus.) By the way, the latest version of the Disks program (a.k.a. gnome-disk-utility) as of this writing has apparently undergone a major revision, and it can create LUKS partitions in free space, instead of having to create FAT partitions and then reformatting them as LUKS partitions. Keep track of which installation was used for creating each encrypted partition, pay attention to news of any vulnerabilities which might compromise the security of your data, and reformat any affected drives. Use long passwords which are easy to remember but impossible to guess, with upper and lower case letters, numbers, and symbols. Store a copy in a safe place (besides on the encrypted flash drive, such as in a list of all passwords you have ever used, in case you ever have a need for an old password which you've forgotten). When you are certain that you have memorized the password, destroy the physical copy. Don't leave your flash drives lying around unattended, and get into the habit of locking your PC's screen whenever you leave the room.
Sunday, October 27, 2019
How to create a cheap secure air-gap PC (2019 edition)
Rev 11/8/19 (see notes)
(For the latest revision of this article, go to toggwu.blogspot.com.)
When it comes to isolating data from the internet, I don't trust software, except AES-grade encryption software (and only then if its checksum matches its reference value, and the reference has been thoroughly authenticated). Instead, I rely on electromagnetic isolation, which I obtain by using a pseudo air-gap PC in the form of a cheap mini-PC without any wired internet connection, without any wireless capability (including in peripherals such as keyboards), and without any internal storage (or with internal storage disabled via the PC's "BIOS"-settings menu, by disabling the SATA controller). Any wireless capability must be eliminated to prevent it from being surreptitiously activated in wi-fi burst mode (look it up), which cannot be detected without specialized equipment. I use a KVM switch to share the keyboard and monitor with my other PC's. (Currently, I use an Iogear 4-port VGA KVM switch, but the $90 CKLau 4Kx2K Ultra HD 4 port HDMI KVM switch looks like a good one, partly because it has a wired remote, as opposed to a wireless one, which seems like a security risk.) For the OS, I use an encrypted flash-drive installation of Ubuntu or one of its derivatives, and conceal it when not in use, partly to prevent it from simply being taken.
Truly secure communications
One reason for having such a secure installation is to compose and encrypt messages to be sent over the internet, and to decrypt and read encrypted messages received via the internet. So-called secure messaging apps might be secure, but there's no way for the average person to be certain, and the underlying OS might not be secure, so it's best to err on the side of caution, partly because using one PC for accessing the internet (which I just assume is used for spying on us), and another PC which is completely isolated from the internet for everything else, eliminates the need to be constantly concerned about OS security vulnerabilities, which it seems are always being discovered, perhaps long after hackers have known about them and exploited them, perhaps to access messages in their unencrypted state (known as "plaintext"). By using a PC which is electromagnetically isolated from the internet, hackers are definitely unable to access your data, and you don't need to be a security expert to be certain - you just have to know that there is no physical connection to the internet, no wireless circuitry, and no way for the PC to store data which can be uploaded to the internet if and when an internet connection ever becomes available. There are claims that Big Brother can spy on us via the power line, but this is a fairy tale concocted by hackers to scare us away from using air-gap PC's. For details, see my posting on AnAptOfflineBlog.blogspot.com on this subject.
If you don't need to communicate securely with many people, you could use Ccrypt, which is a symmetrical system, which uses the same password for encryption and decryption. The alternative is a public-private key system, which is much more complex and requires the private key to be kept secret, and the public key to be registered in a highly secure manner, although those who use such systems usually do so as part of an organization with a system administrator who handles the details and trains the users.
To send passwords to use with Ccrypt, I'd put them on an encrypted drive with a long, unique serial number (such as a Kingston Datatraveler with a Linux encrypted format, known as LUKS), get the serial number of the drive using the Disks program and store the serial number securely, send the drive to the correspondent, and call them (preferably via video call, to ensure that you're talking with the right person) to confirm that they got the flash drive which you sent, and if so, to give them the password. It's extremely unlikely, if not impossible, for two or more drives with long serial numbers to have the same serial number, but if the serial number checks out, and the password won't open it, you should assume that someone else would have the passwords at that point, and that you should start over.
If you're using a Datatraveler, you could attach a Master Lock Speed Dial to the drive, which would provide another layer of authentication before providing the password, since the Speed Dial lock is resettable and uncrackable. When setting the combination, make a video with a camera which has no wireless, to ensure that you can unlock the lock if you accidentally enter the wrong combination when setting it, which is easy to do with the Speed Dial. When done with the video, erase it. Also close the lock firmly, and then try hard to pull it open, to ensure that it's really locked, because if you just "click" it closed, it might seem to be locked without really being locked. Some of the locks just don't work right, or stop working after the combination is changed, so keep extras on hand. Those are the main problems with the Speed Dial lock. It's not perfect, but it's the only lock I trust.
If you use a Speed Dial lock and its combination checks out, if the drive's serial number checks out, and the password works, you can assume that nobody has intercepted the passwords. The passwords should be transferred to secure storage and deleted from the flash drive used for sending them (or its password should be changed by the recipient). Then you could use any of the passwords in the list and indicate which one was used by its position in the list.
With such security, the correspondent and their system becomes the weak link, so there's really not much use in having such high security unless the correspondent has a vested interest in maintaining security. As a rule, just don't let anyone know about your plans, including your shopping list, unless it's absolutely necessary, because Big Brother is watching, and he's always looking for ways to use information about us to make us suffer. (1984 indicates that making someone suffer is a means of confirming one's power over them, although this is actually intended as a motive for inflicting suffering, which is intended to drive our consciousness-evolution. A certain amount of suffering is beneficial. However, this subject is very deep and mysterious, and I am not qualified to be more specific.)
Live installations: more secure, but less convenient
If you want even better security, use a so-called "live" installation, which "forgets" everything upon shutdown. The disadvantage of live installations is that it's not feasible to customize them to precisely suit your needs in every detail, making it necessary to use multiple installations to obtain all of the desired apps, (or to do without some apps), or to change settings each time they're booted. There are so-called persistent live flash-drive installations which retain data and settings, but no expert, as far as I know, recommends using such installations any more, and there are very few usb-installers which can create persistent installations (Startup Disk Creator once had this capability, but it was dropped in about 2015).
It is feasible to delete all traces of data from full installations, or at least I'm fairly certain that it is, so that even if Big Brother can find the installation, and there's a back door, there would be nothing behind it. (Data would be stored on encrypted partitions on data drives, which would be formatted with the Disks utility. The NSA reportedly doesn't even try to crack the Linux encryption system, known as Linux Unified Key System, or LUKS, but instead tries to get the passwords. So, store your passwords on encrypted drives, and in your own memory.)
Potential problems with Xubuntu with KVM's
As much as I like Xubuntu, it has problems that make it unsuitable for use with some KM switches, at least up through version 18.10. Otherwise, it's hard to go wrong with any type of Ubuntu, although I prefer Ubuntu Mate because the interface/desktop is intuitive, and it includes almost everything I need in a secure installation.
Recommended type of mini-PC
As of this writing, Ryzen-based mini-PC's are just becoming available, so there's not a great selection and they're a bit pricey. But eventually there will be a good selection, and the prices will come down, and they'll be the logical choice for a powerful, energy-efficient mini-PC. If you're in a hurry, you could either shell out whatever it costs to get a Ryzen-based unit, or you could get by with a cheap mini-PC until Ryzen-based units are affordable. I'm satisfied with my basic Zbox BI320-U (or B1320-U) the vast majority of the time, but I'd obviously prefer the latest technology if it didn't cost much more. One of the more important reasons for choosing an AMD-based PC is that AMD processors generally don't include built-in wireless circuitry. Instead, the wireless circuitry is typically placed on a small circuit board, which must be removed to ensure that it cannot be surreptitiously activated in burst mode, which cannot be detected without special equipment. (To disconnect the tiny RF connectors, pull straight up on them, using a pair of long-nosed pliers. Once loose, I'd cover them with tape to prevent them from shorting something to ground, since their exposed metal portion is connected to ground.)
To ensure that nobody can tamper with the PC and compromise its security, it could be stored in a lockbox, drawer, file cabinet, etc., locked with a Speed Dial lock (mentioned previously). The motherboards on desktop PC's have case intrusion detection systems which would serve the same purpose. Edward Snowden created an app which allows some or perhaps all Android devices to detect any movement, allowing them to act as tampering-detectors, assuming that they wouldn't be moved otherwise.
Recommended Linux sources
Shop Linux Online is my most trusted source for copies of Linux, although I've had good luck with a couple of sources on Ebay. I've given up on downloading Linux, or ordering it from OSDisc.com, since I've gotten little from these sources but copies with dirty tricks, such as ones that permanently lock encrypted flash drives when the password is entered, after allowing a few weeks to store data on it. Because I back-up my data religiously, this trick never did anything more to me than cause inconvenience. One of the worst tricks was one in a text editor, which would insert cut and deleted text into random locations off-screen. So, if you're unsure of a new copy of Linux, I'd make a backup copy of any long text files before editing them, and perform a search for any cut or deleted text to see if it has been inserted in some random location.
Linux provided in two main forms
Linux is made available in the form of an "image," either on a "live" DVD or in a secure archive file known as an "ISO" (.iso-file, also known as an "image file") which cannot be altered without leaving evidence. PC's can be booted directly from live DVD's by putting them in the DVD drive, booting the PC, and responding to the prompts. Unfortunately, this takes a long time, so live flash-drive installations are preferable.
Creating ISO's from live DVD's
ISO's, which are required for creating live flash-drive installations, can be created from live DVD's by using various "burner" programs, such as CD Burner XP in Windows, which was a free download the last time I checked. There are various burner-programs in Linux which can be used for this purpose, such as Brasero and x3b.
Creating live flash-drive installations
Creating a live flash drive installation is a matter of installing the image from an ISO or DVD onto a flash drive by means of a "usb-installer" program. (There was a time when you could boot from a DVD and create a flash-drive installation from the same DVD, but this capability is apparently history, although you could try it by booting from a DVD, which takes a long time, and using the program known as Startup Disk Creator, or some variation on this name.) I recommend Rufus, a usb-installer that runs on Windows, and Etcher, a usb-installer that runs on Linux (both are free downloads). I've tried to run Etcher on live installations, but it apparently has to be run on full installations. I run it on my desktop PC which has a relatively powerful processor, an SSD, and a large HDD, and haven't had any problems with it there.
Creating full installations
To create a "full" installation on an SSD, HDD, or a USB 3.0 flash drive, you would boot a live installation (select the install-option when booting), and use it to create the full installation. (When creating a full installation on a flash drive, use the PC where the full installation will be used.) I've found that to create a full installation on a flash drive, it's best to use a flash drive with a really fast write-speed (although I don't understand why), which seems to require using one with a lot of storage. For example, a 60 GB Sandisk FIT works well for Ubuntu Mate 18.04 (the resulting performance is good), but a 15 GB Sandisk FIT doesn't work very well. Before creating the installation (instead of selecting the erase-option during installation), I usually erase the flash drive for purposes of security by using the Disks program to format it the slow way, which can take hours. Disks is included by default on Ubuntu and Ubuntu Mate, but not on Xubuntu or Kubuntu, the last time I checked. It can be installed under the name gnome-disk-utility. (Gparted, another disk utility, doesn't have the ability to create encrypted partitions, or at least it didn't the last time I checked.)
When creating the full installation, be certain to select the option to install 3rd-party software, if you'll want to use a USB modem to temporarily connect the installation to the internet to set it up (which you would do before using the installation to access any sensitive data). I use a Panda PAU05 (I boot the PC, turn on the wi-fi hotspot and wait for it to make a connection to the 4G base-station, and then plug the modem into the PC). You can also use a wi-fi bridge (avoid cheapies, which in my experience fail after a year or so), which connects to the ethernet port and eliminates the need for USB-modem drivers.
Installation set-up
Setting up the installation would start by updating the internal software index, known as the local package index. (The update-process doesn't actually update the existing index - it deletes it and replaces it with a fresh copy of the desired/selected sections of the online index.) The online index contains all of the sections and is updated daily to reflect changes to the software which it references, with which it is stored in a massive collection of software and data known as the repository for that type and version of Linux, which is "mirrored" (copied) to many servers around the world on a daily basis. Before updating the local index, you would select the desired server (the default selection is probably adequate for most people - don't use servers that belong to small, exclusive organizations such as university departments without permission), the desired package-index sections (I'd select all of them except those which you definitely won't need), and the desired types of updates (select all types of updates because some application modules which you might need are classified as updates). To make these selections, use the software manager or an app designed specifically for making these selections, such as Software & Updates. The setup should include installing Apt-offline-gui, to make it more convenient to make future changes to the installation. For instructions on using Apt-offline, see AnAptOfflineBlog.blogspot.com. After performing the set-up, de-select the updates-sections of the package index, and set "Automatically check for updates" to Never, or the update-manager will constantly pester you to install hundreds of MB of updates which you don't need because the installation is being run on a secure PC. I effectively update my OS by replacing it in its entirety every couple of years with a newer version, and I've never had any problems as a result of not updating the OS frequently.
I also recommend installing Synaptic Package Manager (a non-dumbed-down software-manager GUI), assuming that it's not already installed, because even though you won't be able to use it to install software without connecting the installation to the internet, you can use it, for example, to learn what would be required to install some app of interest, or to learn about options that wouldn't normally be installed when using the terminal, Apt-offline, or some dumbed-down software manager. (For example, GIMP has many optional modules. If you use the terminal or Apt-offline to install GIMP, you'd never know about these other modules, but if you use Synaptic to obtain information about GIMP, all of the options will be listed and described, and they could be installed via the terminal or Apt-offline by adding their special names without caps or spaces (such as gimp-help-en for GIMP's English help module) to the list of modules to be installed.
Try to anticipate all of the software that you'll need so that you can install it while the installation is connected directly to the internet. As of this writing, Ubuntu doesn't include a desktop-notes-program by default (the designers probably assumed that a text file stored on the desktop would suffice). If you want a notes program, I suggest Gnote, which is overkill but the best choice I could find the last time I checked. Every Ubuntu derivative which I've tried includes a convenient notes-program, sometimes as a widget which can be added to the panel. It's just nice to have a desktop scratchpad, but I delete my notes frequently for security, and store bits of information that I want to keep in the equivalent of a text-file junk drawer which is backed up to multiple encrypted flash drives.
Creating encrypted flash drives
To create encrypted flash drives, I use the Disks program, which is included by default on many types of Linux, but not all. It can be installed under the name gnome-disk-utility. To create an encrypted partition, it seems to be necessary to first create a FAT partition with approximately the same size and location, and to then reformat it as a LUKS partition. Don't forget to write the password in a secure location before creating the encrypted partition. I save all of my old passwords, in case I forget to change the password on something and have to access it after I've forgotten its password.
Setting permissions on encrypted flash drives
The Linux file system's permission-scheme is quite complex, but fortunately you can get by with a simple set of permissions for your personal encrypted data drives, so that if your full installation fails (very unlikely, but possible), you can use your data drives with a live installation running on your secure PC until you get around to creating a new full installation. Unfortunately there is no single set of instructions for implementing this permission scheme on all types of Ubuntu, due to differences between the GUI's which are used for setting permissions. So, I'll describe how it's done on Ubuntu Mate, and you should be able to adapt the procedure to any other Ubuntu derivatives, or Ubuntu itself. Begin by opening the flash drive, and right-clicking on its top-level directory (not on anything in the directory), or on the drive's name above the file manager's main window. In the menu which appears, click on Properties, and in the window which appears, click on the Permissions tab. In the Permissions tab, set all three "Folder access" settings to "Create and delete files, and all "File access" settings to "Read and write." Then, if there are any folders or files in the top-level directory, click on the "Apply Permissions to Enclosed Files" button, and close the window. (Ignore the "Execute" setting, unless you need to give a shell script permission to run as a program, in which case you would begin by right-clicking on the shell-script, etc., and ultimately click on the Execute box so that there's a check-mark in it. A "-" sign indicates do nothing, and an empty box means to rescind an existing execute-permission.) So that's it - you should then be able to do anything to the flash drive using any Ubuntu installation, which can prevent some major headaches, but of course you wouldn't even unlock it on an unsecure installation.
Suggested data-backup system
In my backup system, I have a primary backup drive which I religiously maintain as a duplicate of the primary data drive (all data drives are encrypted). I also have a so-called "disseminate" folder on each of these drives, where I put a copy of every change made the primary drive, and which I copy weekly to several secondary backups, after deleting the previous copy. The disseminate-folder is a sort of fail-safe which would allow the primary data drive to be reconstructed from one of the secondary backups if the primary data drive and the primary backup both fail simultaneously, which is highly unlikely. If either the primary data drive or primary backup fails, I would immediately re-create it from the primary backup or primary data drive. Every few months, or if the Disseminate folder gets too big and takes a long time to copy to multiple secondary drives each week, I delete the Disseminate folder from the primary data drive, and then copy the remaining data to each secondary backup (after deleting the secondary backup's old data). I recommend hiding the secondary backups in separate places where they will remain cool, dry, and clean.
I also have a FAT drive that I use for downloading data from the internet, and a copy which I use as a pseudo back-up. Once in a while, I get rid of the downloads I don't want to keep, copy the primary FAT drive (FAT-1) to the secondary (FAT-2), and then copy FAT-2 to FAT-1 to refresh the data on FAT-1. I also copy the primary encrypted data drive's data, except for the Disseminate folder, to the primary backup, and then copy the primary backup to the primary data drive. The reason for copying these flash drives to each other is that flash drives need to be refreshed once in a while to ensure that the data doesn't fade away, although with big new flash drives, this probably wouldn't happen for years if the drives are kept cool. Each time data is written to a flash-drive memory cell, its retention decreases, and the retention-spec is based on the condition of a cell after a certain number of writes. But I'd rather be safe than sorry, so I refresh the data on my drives about twice annually.
NRAM
If NRAM ever becomes available, we won't have to worry about data fading away, or put up with flash memory's slow write speeds. NRAM would also revolutionize the distribution of digital audio and video, due to its phenomenal write-speed and retention characteristics. You could store all of your digital audio on an NRAM drive without having to worry about it getting wiped out by accidentally leaving it in a car in the sun during the summer.
Notes
Revisions
D - Tweaked first paragraph and added section on setting permissions for encrypted data drives.
11/1/19 - Added an explanation for the need to remove wireless circuitry from the PC (added to the first paragraph and to the section on recommended PC's). Also made various minor revisions. such as to add a suggestion to cover RF connectors with tape after detaching them from the small circuit board for wireless circuitry.
11/2/19 - Added details in the following locations: A) 2nd section B) "Creating live flash-drive installations" section C) Last two sentences in the 1st paragraph of the "Installation set-up" section D) to the first and second paragraphs of Note 1.
11/3/19 - A) Added details about security precautions in "Truly secure communications" section and in "Recommended type of mini-PC" section. B) Rewrote the "Creating live flash-drive installations" section, which was a mess.
11/7/19 - Mainly refined the 1st paragraph in the "Truly secure communications" section, but also made some other tweaks which I didn't consider worth mentioning specifically.
11/8/19 - Added a reference to AnAptOfflineBlog.blogspot.com in the last sentence of the 2nd paragraph.
[1]
A 4 GB flash drive is sufficient for live installation - I like Topsel FD's with caps for this purpose because of their low cost, no-nonsense physical design, and the fact that they have an LED which indicates when booting is completed. As of this writing, I'm not sure about their reliability, but reliability isn't crucial in this application. I've used similar drives by Kootion, and have found that the red ones are quite reliable, but that that blue ones have some problem which makes them unsuitable for live installations (I don't recall precisely what it was), and have a very high failure rate, although I don't know if this applies to all red and blue Kootions. Lexar makes a similar design, but the minimum size as of this writing is 16GB, they're considerably more expensive, and they aren't as easy to label.
The aforementioned Topsel drives can be labeled by simply marking them on both sides with a Sharpie, folding a piece of wide transparent tape over the drive, and then trimming the tape. To change the label, you'd have to peel off the tape (which can be a pain) and clean off the old label and adhesive, which can be done with nail polish remover (acetone). So, it's not easy to change the labels with this system.
If you want to be able to change the label easily, I suggest creating a window for holding a label on one side of the drive. To create such a window, I tape a piece of wide transparent tape, sticky side up, on top of some guidelines drawn with a Sharpie on a cutting-surface. (The guidelines consist of a 1-1/8"x2" rectangle with a line drawn across it at 90 degrees, 5/8" from either end.) I then apply a piece of regular-width (3/4") transparent tape, sticky side down, across the wide tape along the relevant guideline, and then use a straight-edge and something like an Xacto knife to cut the resulting combination along the aforementioned outline. The result is essentially a piece of transparent tape 1-1/8" wide and 2" long with a 3/4" non-adhesive section (window) in the middle. To apply it the drive, side the window across a relevant edge on the drive, until the adhesive catches on the edge. Then wrap that end of the tape around to the other side of the drive, and then the other end, but not so tightly that you can't insert a label under the window.
(For the latest revision of this article, go to toggwu.blogspot.com.)
When it comes to isolating data from the internet, I don't trust software, except AES-grade encryption software (and only then if its checksum matches its reference value, and the reference has been thoroughly authenticated). Instead, I rely on electromagnetic isolation, which I obtain by using a pseudo air-gap PC in the form of a cheap mini-PC without any wired internet connection, without any wireless capability (including in peripherals such as keyboards), and without any internal storage (or with internal storage disabled via the PC's "BIOS"-settings menu, by disabling the SATA controller). Any wireless capability must be eliminated to prevent it from being surreptitiously activated in wi-fi burst mode (look it up), which cannot be detected without specialized equipment. I use a KVM switch to share the keyboard and monitor with my other PC's. (Currently, I use an Iogear 4-port VGA KVM switch, but the $90 CKLau 4Kx2K Ultra HD 4 port HDMI KVM switch looks like a good one, partly because it has a wired remote, as opposed to a wireless one, which seems like a security risk.) For the OS, I use an encrypted flash-drive installation of Ubuntu or one of its derivatives, and conceal it when not in use, partly to prevent it from simply being taken.
Truly secure communications
One reason for having such a secure installation is to compose and encrypt messages to be sent over the internet, and to decrypt and read encrypted messages received via the internet. So-called secure messaging apps might be secure, but there's no way for the average person to be certain, and the underlying OS might not be secure, so it's best to err on the side of caution, partly because using one PC for accessing the internet (which I just assume is used for spying on us), and another PC which is completely isolated from the internet for everything else, eliminates the need to be constantly concerned about OS security vulnerabilities, which it seems are always being discovered, perhaps long after hackers have known about them and exploited them, perhaps to access messages in their unencrypted state (known as "plaintext"). By using a PC which is electromagnetically isolated from the internet, hackers are definitely unable to access your data, and you don't need to be a security expert to be certain - you just have to know that there is no physical connection to the internet, no wireless circuitry, and no way for the PC to store data which can be uploaded to the internet if and when an internet connection ever becomes available. There are claims that Big Brother can spy on us via the power line, but this is a fairy tale concocted by hackers to scare us away from using air-gap PC's. For details, see my posting on AnAptOfflineBlog.blogspot.com on this subject.
If you don't need to communicate securely with many people, you could use Ccrypt, which is a symmetrical system, which uses the same password for encryption and decryption. The alternative is a public-private key system, which is much more complex and requires the private key to be kept secret, and the public key to be registered in a highly secure manner, although those who use such systems usually do so as part of an organization with a system administrator who handles the details and trains the users.
To send passwords to use with Ccrypt, I'd put them on an encrypted drive with a long, unique serial number (such as a Kingston Datatraveler with a Linux encrypted format, known as LUKS), get the serial number of the drive using the Disks program and store the serial number securely, send the drive to the correspondent, and call them (preferably via video call, to ensure that you're talking with the right person) to confirm that they got the flash drive which you sent, and if so, to give them the password. It's extremely unlikely, if not impossible, for two or more drives with long serial numbers to have the same serial number, but if the serial number checks out, and the password won't open it, you should assume that someone else would have the passwords at that point, and that you should start over.
If you're using a Datatraveler, you could attach a Master Lock Speed Dial to the drive, which would provide another layer of authentication before providing the password, since the Speed Dial lock is resettable and uncrackable. When setting the combination, make a video with a camera which has no wireless, to ensure that you can unlock the lock if you accidentally enter the wrong combination when setting it, which is easy to do with the Speed Dial. When done with the video, erase it. Also close the lock firmly, and then try hard to pull it open, to ensure that it's really locked, because if you just "click" it closed, it might seem to be locked without really being locked. Some of the locks just don't work right, or stop working after the combination is changed, so keep extras on hand. Those are the main problems with the Speed Dial lock. It's not perfect, but it's the only lock I trust.
If you use a Speed Dial lock and its combination checks out, if the drive's serial number checks out, and the password works, you can assume that nobody has intercepted the passwords. The passwords should be transferred to secure storage and deleted from the flash drive used for sending them (or its password should be changed by the recipient). Then you could use any of the passwords in the list and indicate which one was used by its position in the list.
With such security, the correspondent and their system becomes the weak link, so there's really not much use in having such high security unless the correspondent has a vested interest in maintaining security. As a rule, just don't let anyone know about your plans, including your shopping list, unless it's absolutely necessary, because Big Brother is watching, and he's always looking for ways to use information about us to make us suffer. (1984 indicates that making someone suffer is a means of confirming one's power over them, although this is actually intended as a motive for inflicting suffering, which is intended to drive our consciousness-evolution. A certain amount of suffering is beneficial. However, this subject is very deep and mysterious, and I am not qualified to be more specific.)
Live installations: more secure, but less convenient
If you want even better security, use a so-called "live" installation, which "forgets" everything upon shutdown. The disadvantage of live installations is that it's not feasible to customize them to precisely suit your needs in every detail, making it necessary to use multiple installations to obtain all of the desired apps, (or to do without some apps), or to change settings each time they're booted. There are so-called persistent live flash-drive installations which retain data and settings, but no expert, as far as I know, recommends using such installations any more, and there are very few usb-installers which can create persistent installations (Startup Disk Creator once had this capability, but it was dropped in about 2015).
It is feasible to delete all traces of data from full installations, or at least I'm fairly certain that it is, so that even if Big Brother can find the installation, and there's a back door, there would be nothing behind it. (Data would be stored on encrypted partitions on data drives, which would be formatted with the Disks utility. The NSA reportedly doesn't even try to crack the Linux encryption system, known as Linux Unified Key System, or LUKS, but instead tries to get the passwords. So, store your passwords on encrypted drives, and in your own memory.)
Potential problems with Xubuntu with KVM's
As much as I like Xubuntu, it has problems that make it unsuitable for use with some KM switches, at least up through version 18.10. Otherwise, it's hard to go wrong with any type of Ubuntu, although I prefer Ubuntu Mate because the interface/desktop is intuitive, and it includes almost everything I need in a secure installation.
Recommended type of mini-PC
As of this writing, Ryzen-based mini-PC's are just becoming available, so there's not a great selection and they're a bit pricey. But eventually there will be a good selection, and the prices will come down, and they'll be the logical choice for a powerful, energy-efficient mini-PC. If you're in a hurry, you could either shell out whatever it costs to get a Ryzen-based unit, or you could get by with a cheap mini-PC until Ryzen-based units are affordable. I'm satisfied with my basic Zbox BI320-U (or B1320-U) the vast majority of the time, but I'd obviously prefer the latest technology if it didn't cost much more. One of the more important reasons for choosing an AMD-based PC is that AMD processors generally don't include built-in wireless circuitry. Instead, the wireless circuitry is typically placed on a small circuit board, which must be removed to ensure that it cannot be surreptitiously activated in burst mode, which cannot be detected without special equipment. (To disconnect the tiny RF connectors, pull straight up on them, using a pair of long-nosed pliers. Once loose, I'd cover them with tape to prevent them from shorting something to ground, since their exposed metal portion is connected to ground.)
To ensure that nobody can tamper with the PC and compromise its security, it could be stored in a lockbox, drawer, file cabinet, etc., locked with a Speed Dial lock (mentioned previously). The motherboards on desktop PC's have case intrusion detection systems which would serve the same purpose. Edward Snowden created an app which allows some or perhaps all Android devices to detect any movement, allowing them to act as tampering-detectors, assuming that they wouldn't be moved otherwise.
Recommended Linux sources
Shop Linux Online is my most trusted source for copies of Linux, although I've had good luck with a couple of sources on Ebay. I've given up on downloading Linux, or ordering it from OSDisc.com, since I've gotten little from these sources but copies with dirty tricks, such as ones that permanently lock encrypted flash drives when the password is entered, after allowing a few weeks to store data on it. Because I back-up my data religiously, this trick never did anything more to me than cause inconvenience. One of the worst tricks was one in a text editor, which would insert cut and deleted text into random locations off-screen. So, if you're unsure of a new copy of Linux, I'd make a backup copy of any long text files before editing them, and perform a search for any cut or deleted text to see if it has been inserted in some random location.
Linux provided in two main forms
Linux is made available in the form of an "image," either on a "live" DVD or in a secure archive file known as an "ISO" (.iso-file, also known as an "image file") which cannot be altered without leaving evidence. PC's can be booted directly from live DVD's by putting them in the DVD drive, booting the PC, and responding to the prompts. Unfortunately, this takes a long time, so live flash-drive installations are preferable.
Creating ISO's from live DVD's
ISO's, which are required for creating live flash-drive installations, can be created from live DVD's by using various "burner" programs, such as CD Burner XP in Windows, which was a free download the last time I checked. There are various burner-programs in Linux which can be used for this purpose, such as Brasero and x3b.
Creating live flash-drive installations
Creating a live flash drive installation is a matter of installing the image from an ISO or DVD onto a flash drive by means of a "usb-installer" program. (There was a time when you could boot from a DVD and create a flash-drive installation from the same DVD, but this capability is apparently history, although you could try it by booting from a DVD, which takes a long time, and using the program known as Startup Disk Creator, or some variation on this name.) I recommend Rufus, a usb-installer that runs on Windows, and Etcher, a usb-installer that runs on Linux (both are free downloads). I've tried to run Etcher on live installations, but it apparently has to be run on full installations. I run it on my desktop PC which has a relatively powerful processor, an SSD, and a large HDD, and haven't had any problems with it there.
Creating full installations
To create a "full" installation on an SSD, HDD, or a USB 3.0 flash drive, you would boot a live installation (select the install-option when booting), and use it to create the full installation. (When creating a full installation on a flash drive, use the PC where the full installation will be used.) I've found that to create a full installation on a flash drive, it's best to use a flash drive with a really fast write-speed (although I don't understand why), which seems to require using one with a lot of storage. For example, a 60 GB Sandisk FIT works well for Ubuntu Mate 18.04 (the resulting performance is good), but a 15 GB Sandisk FIT doesn't work very well. Before creating the installation (instead of selecting the erase-option during installation), I usually erase the flash drive for purposes of security by using the Disks program to format it the slow way, which can take hours. Disks is included by default on Ubuntu and Ubuntu Mate, but not on Xubuntu or Kubuntu, the last time I checked. It can be installed under the name gnome-disk-utility. (Gparted, another disk utility, doesn't have the ability to create encrypted partitions, or at least it didn't the last time I checked.)
When creating the full installation, be certain to select the option to install 3rd-party software, if you'll want to use a USB modem to temporarily connect the installation to the internet to set it up (which you would do before using the installation to access any sensitive data). I use a Panda PAU05 (I boot the PC, turn on the wi-fi hotspot and wait for it to make a connection to the 4G base-station, and then plug the modem into the PC). You can also use a wi-fi bridge (avoid cheapies, which in my experience fail after a year or so), which connects to the ethernet port and eliminates the need for USB-modem drivers.
Installation set-up
Setting up the installation would start by updating the internal software index, known as the local package index. (The update-process doesn't actually update the existing index - it deletes it and replaces it with a fresh copy of the desired/selected sections of the online index.) The online index contains all of the sections and is updated daily to reflect changes to the software which it references, with which it is stored in a massive collection of software and data known as the repository for that type and version of Linux, which is "mirrored" (copied) to many servers around the world on a daily basis. Before updating the local index, you would select the desired server (the default selection is probably adequate for most people - don't use servers that belong to small, exclusive organizations such as university departments without permission), the desired package-index sections (I'd select all of them except those which you definitely won't need), and the desired types of updates (select all types of updates because some application modules which you might need are classified as updates). To make these selections, use the software manager or an app designed specifically for making these selections, such as Software & Updates. The setup should include installing Apt-offline-gui, to make it more convenient to make future changes to the installation. For instructions on using Apt-offline, see AnAptOfflineBlog.blogspot.com. After performing the set-up, de-select the updates-sections of the package index, and set "Automatically check for updates" to Never, or the update-manager will constantly pester you to install hundreds of MB of updates which you don't need because the installation is being run on a secure PC. I effectively update my OS by replacing it in its entirety every couple of years with a newer version, and I've never had any problems as a result of not updating the OS frequently.
I also recommend installing Synaptic Package Manager (a non-dumbed-down software-manager GUI), assuming that it's not already installed, because even though you won't be able to use it to install software without connecting the installation to the internet, you can use it, for example, to learn what would be required to install some app of interest, or to learn about options that wouldn't normally be installed when using the terminal, Apt-offline, or some dumbed-down software manager. (For example, GIMP has many optional modules. If you use the terminal or Apt-offline to install GIMP, you'd never know about these other modules, but if you use Synaptic to obtain information about GIMP, all of the options will be listed and described, and they could be installed via the terminal or Apt-offline by adding their special names without caps or spaces (such as gimp-help-en for GIMP's English help module) to the list of modules to be installed.
Try to anticipate all of the software that you'll need so that you can install it while the installation is connected directly to the internet. As of this writing, Ubuntu doesn't include a desktop-notes-program by default (the designers probably assumed that a text file stored on the desktop would suffice). If you want a notes program, I suggest Gnote, which is overkill but the best choice I could find the last time I checked. Every Ubuntu derivative which I've tried includes a convenient notes-program, sometimes as a widget which can be added to the panel. It's just nice to have a desktop scratchpad, but I delete my notes frequently for security, and store bits of information that I want to keep in the equivalent of a text-file junk drawer which is backed up to multiple encrypted flash drives.
Creating encrypted flash drives
To create encrypted flash drives, I use the Disks program, which is included by default on many types of Linux, but not all. It can be installed under the name gnome-disk-utility. To create an encrypted partition, it seems to be necessary to first create a FAT partition with approximately the same size and location, and to then reformat it as a LUKS partition. Don't forget to write the password in a secure location before creating the encrypted partition. I save all of my old passwords, in case I forget to change the password on something and have to access it after I've forgotten its password.
Setting permissions on encrypted flash drives
The Linux file system's permission-scheme is quite complex, but fortunately you can get by with a simple set of permissions for your personal encrypted data drives, so that if your full installation fails (very unlikely, but possible), you can use your data drives with a live installation running on your secure PC until you get around to creating a new full installation. Unfortunately there is no single set of instructions for implementing this permission scheme on all types of Ubuntu, due to differences between the GUI's which are used for setting permissions. So, I'll describe how it's done on Ubuntu Mate, and you should be able to adapt the procedure to any other Ubuntu derivatives, or Ubuntu itself. Begin by opening the flash drive, and right-clicking on its top-level directory (not on anything in the directory), or on the drive's name above the file manager's main window. In the menu which appears, click on Properties, and in the window which appears, click on the Permissions tab. In the Permissions tab, set all three "Folder access" settings to "Create and delete files, and all "File access" settings to "Read and write." Then, if there are any folders or files in the top-level directory, click on the "Apply Permissions to Enclosed Files" button, and close the window. (Ignore the "Execute" setting, unless you need to give a shell script permission to run as a program, in which case you would begin by right-clicking on the shell-script, etc., and ultimately click on the Execute box so that there's a check-mark in it. A "-" sign indicates do nothing, and an empty box means to rescind an existing execute-permission.) So that's it - you should then be able to do anything to the flash drive using any Ubuntu installation, which can prevent some major headaches, but of course you wouldn't even unlock it on an unsecure installation.
Suggested data-backup system
In my backup system, I have a primary backup drive which I religiously maintain as a duplicate of the primary data drive (all data drives are encrypted). I also have a so-called "disseminate" folder on each of these drives, where I put a copy of every change made the primary drive, and which I copy weekly to several secondary backups, after deleting the previous copy. The disseminate-folder is a sort of fail-safe which would allow the primary data drive to be reconstructed from one of the secondary backups if the primary data drive and the primary backup both fail simultaneously, which is highly unlikely. If either the primary data drive or primary backup fails, I would immediately re-create it from the primary backup or primary data drive. Every few months, or if the Disseminate folder gets too big and takes a long time to copy to multiple secondary drives each week, I delete the Disseminate folder from the primary data drive, and then copy the remaining data to each secondary backup (after deleting the secondary backup's old data). I recommend hiding the secondary backups in separate places where they will remain cool, dry, and clean.
I also have a FAT drive that I use for downloading data from the internet, and a copy which I use as a pseudo back-up. Once in a while, I get rid of the downloads I don't want to keep, copy the primary FAT drive (FAT-1) to the secondary (FAT-2), and then copy FAT-2 to FAT-1 to refresh the data on FAT-1. I also copy the primary encrypted data drive's data, except for the Disseminate folder, to the primary backup, and then copy the primary backup to the primary data drive. The reason for copying these flash drives to each other is that flash drives need to be refreshed once in a while to ensure that the data doesn't fade away, although with big new flash drives, this probably wouldn't happen for years if the drives are kept cool. Each time data is written to a flash-drive memory cell, its retention decreases, and the retention-spec is based on the condition of a cell after a certain number of writes. But I'd rather be safe than sorry, so I refresh the data on my drives about twice annually.
NRAM
If NRAM ever becomes available, we won't have to worry about data fading away, or put up with flash memory's slow write speeds. NRAM would also revolutionize the distribution of digital audio and video, due to its phenomenal write-speed and retention characteristics. You could store all of your digital audio on an NRAM drive without having to worry about it getting wiped out by accidentally leaving it in a car in the sun during the summer.
Notes
Revisions
D - Tweaked first paragraph and added section on setting permissions for encrypted data drives.
11/1/19 - Added an explanation for the need to remove wireless circuitry from the PC (added to the first paragraph and to the section on recommended PC's). Also made various minor revisions. such as to add a suggestion to cover RF connectors with tape after detaching them from the small circuit board for wireless circuitry.
11/2/19 - Added details in the following locations: A) 2nd section B) "Creating live flash-drive installations" section C) Last two sentences in the 1st paragraph of the "Installation set-up" section D) to the first and second paragraphs of Note 1.
11/3/19 - A) Added details about security precautions in "Truly secure communications" section and in "Recommended type of mini-PC" section. B) Rewrote the "Creating live flash-drive installations" section, which was a mess.
11/7/19 - Mainly refined the 1st paragraph in the "Truly secure communications" section, but also made some other tweaks which I didn't consider worth mentioning specifically.
11/8/19 - Added a reference to AnAptOfflineBlog.blogspot.com in the last sentence of the 2nd paragraph.
[1]
A 4 GB flash drive is sufficient for live installation - I like Topsel FD's with caps for this purpose because of their low cost, no-nonsense physical design, and the fact that they have an LED which indicates when booting is completed. As of this writing, I'm not sure about their reliability, but reliability isn't crucial in this application. I've used similar drives by Kootion, and have found that the red ones are quite reliable, but that that blue ones have some problem which makes them unsuitable for live installations (I don't recall precisely what it was), and have a very high failure rate, although I don't know if this applies to all red and blue Kootions. Lexar makes a similar design, but the minimum size as of this writing is 16GB, they're considerably more expensive, and they aren't as easy to label.
The aforementioned Topsel drives can be labeled by simply marking them on both sides with a Sharpie, folding a piece of wide transparent tape over the drive, and then trimming the tape. To change the label, you'd have to peel off the tape (which can be a pain) and clean off the old label and adhesive, which can be done with nail polish remover (acetone). So, it's not easy to change the labels with this system.
If you want to be able to change the label easily, I suggest creating a window for holding a label on one side of the drive. To create such a window, I tape a piece of wide transparent tape, sticky side up, on top of some guidelines drawn with a Sharpie on a cutting-surface. (The guidelines consist of a 1-1/8"x2" rectangle with a line drawn across it at 90 degrees, 5/8" from either end.) I then apply a piece of regular-width (3/4") transparent tape, sticky side down, across the wide tape along the relevant guideline, and then use a straight-edge and something like an Xacto knife to cut the resulting combination along the aforementioned outline. The result is essentially a piece of transparent tape 1-1/8" wide and 2" long with a 3/4" non-adhesive section (window) in the middle. To apply it the drive, side the window across a relevant edge on the drive, until the adhesive catches on the edge. Then wrap that end of the tape around to the other side of the drive, and then the other end, but not so tightly that you can't insert a label under the window.
Thursday, November 29, 2018
Performing spell-check via right-click in XFCE
Rev 11/30/18 (see Revision Notes)
XFCE's default text editor, Mousepad, doesn't have a spell-checker, but most types of Linux include Aspell, an excellent spell-checker which runs in the terminal. You could use LibreOffice Writer (typically included with XFCE) as a spell-checker, but it's a massive program which takes a long time to load and is cumbersome to use as a spell-checker, whereas Aspell is small, quick, and easy to use. The problem with Aspell is that to use it, you would normally right-click in the directory which contains the file to be spell-checked, select "open terminal here," and enter the command "aspell -c <filename>" or "aspell check <filename>," and it might be a pain to enter the filename. So, I decided to try to find a way to use Aspell to spell-check a file by simply right-clicking on the file and selecting "Spell-check" in the resulting menu. Fortunately, XFCE's file manager includes a "Custom Actions" feature which allows custom "bash" programs (bash is the command-line interpreter) to be added to Thunar's right-click menu. I'm not a bash programmer, and I couldn't find a pre-fabbed solution, so I flailed around until I stumbled onto a solution, which can be implemented as follows:
In Thunar (the XFCE file manager), click on Edit, then on Configure Custom Actions.
In the Custom Actions window which appears, click on the "+" button in the column of buttons on the right.
In the window which appears, enter the following in the designated fields (the command must be used exactly as shown, including the quotation-marks, unless you have a better solution):
name: Spell-check
description: perform spell-check with aspell
command: xfce4-terminal -e "aspell check %n" (This command causes Thunar to open the terminal and enter the command enclosed in quotes, with the name of the file of interest substituted for %n. This is necessary because Aspell runs in the terminal, meaning that it uses the terminal as its means of interacting with the user, which in this case is initially Thunar.)
In the Appearance Conditions tab, enter "*" into the File Patterns field and below, select Text Files only.
Click on OK, then click on Close in the Custom Actions window.
Close the file manager.
Open the file manager and navigate to the text file to be spell-checked.
Right-click on the text file and click on "Spell-check" in the menu which appears. That should do it.
Notes
Revisions
11/30/18 - Clarified and embellished the 1st paragraph and the passage "(This command causes Thunar....)."
XFCE's default text editor, Mousepad, doesn't have a spell-checker, but most types of Linux include Aspell, an excellent spell-checker which runs in the terminal. You could use LibreOffice Writer (typically included with XFCE) as a spell-checker, but it's a massive program which takes a long time to load and is cumbersome to use as a spell-checker, whereas Aspell is small, quick, and easy to use. The problem with Aspell is that to use it, you would normally right-click in the directory which contains the file to be spell-checked, select "open terminal here," and enter the command "aspell -c <filename>" or "aspell check <filename>," and it might be a pain to enter the filename. So, I decided to try to find a way to use Aspell to spell-check a file by simply right-clicking on the file and selecting "Spell-check" in the resulting menu. Fortunately, XFCE's file manager includes a "Custom Actions" feature which allows custom "bash" programs (bash is the command-line interpreter) to be added to Thunar's right-click menu. I'm not a bash programmer, and I couldn't find a pre-fabbed solution, so I flailed around until I stumbled onto a solution, which can be implemented as follows:
In Thunar (the XFCE file manager), click on Edit, then on Configure Custom Actions.
In the Custom Actions window which appears, click on the "+" button in the column of buttons on the right.
In the window which appears, enter the following in the designated fields (the command must be used exactly as shown, including the quotation-marks, unless you have a better solution):
name: Spell-check
description: perform spell-check with aspell
command: xfce4-terminal -e "aspell check %n" (This command causes Thunar to open the terminal and enter the command enclosed in quotes, with the name of the file of interest substituted for %n. This is necessary because Aspell runs in the terminal, meaning that it uses the terminal as its means of interacting with the user, which in this case is initially Thunar.)
In the Appearance Conditions tab, enter "*" into the File Patterns field and below, select Text Files only.
Click on OK, then click on Close in the Custom Actions window.
Close the file manager.
Open the file manager and navigate to the text file to be spell-checked.
Right-click on the text file and click on "Spell-check" in the menu which appears. That should do it.
Notes
Revisions
11/30/18 - Clarified and embellished the 1st paragraph and the passage "(This command causes Thunar....)."
Subscribe to:
Posts (Atom)