Serially install Debian (Debian over serial)

 

Installing Debian over serial

Installing Debian using serial is relatively straight forward and still very useful on a multitude of devices that can be installed, and managed, over serial. This include the PC-Engines APU Devices which can be booted on USB and installation performed over serial.

 

“Begin at the beginning," the King said, very gravely, "and go on till you come to the end: then stop.”

-Lewis Carroll, Alice in Wonderland

 

Prerequisites (the beginning)

You will need:

1. Serial cable for your device.

2. Serial terminal, such as minicom, picocom, GTKTerm, screen or Putty [3] if you’re on Windows.

3. Debian 11, code name bullseye, netinst, for 64-bit PC (amd64) [1] or a media with additional non-free firmware, such as [2].

4. USB Device to transfer the Debian ISO to.

Note: Debian netinst works well for APU devices as they're using AMD CPUs and Intel NICs - both vendors have been good Open Source contributors.

 

Burn ISO, burn to USB

As we will boot the system from USB, we will have to write the ISO to a suitable USB drive.

On Linux you have the option of using dd:

sudo dd if=debian-11.3.0-amd64-netinst.iso of=/dev/sdn bs=4096 status=progress

 

or

sudo dd if=firmware-11.3.0-amd64-DVD-1.iso of=/dev/sdn bs=4096 status=progress

Replace sdn with sdb, sdc, depending on what drives are already installed in your system. Please double-check that you’re not writing to other drives than the USB for this purpose. You will lose data if you’re not careful. (ask me how I know).

There’s also the graphical tool called popsicle on many Linux distros which is quite neat.

On Windows, you can use Rufus [4]

Note: The netinst iso is around 400M, while the "firmware" iso is just shy of 4G.

Aaaand action

Now plug the USB and the serial cable into the system, start your favorite serial terminal and power up the system to be installed.

Just remember.

 

Hopefully you will now see Debian booting and, after a short while, show the installation menu.

BUT… if you just choose install now, it won't work, as the console is not shoved over serial for the rest of the installation, unless you do this.

Press the <TAB> key instead and replace quiet after the --- with:

console=ttyS0,115200n81

Note: Adjust port and its parameters to your specific device. The above works for APU boards (ttyS0 is the first serial port on that - please note uppercase S followed by a zero)

 

Then when the message below shows up, press space to start installation, or wait 30 seconds.

You should now be able to complete the standard Debian installation process. Do remember to remove the desktop options and add SSH Server.

 

You should now be able to connect over SSH to the system.

Serial Killer

The freshly installed Debian may not work over serial after installation, if that is the case, change /etc/default/grub as follows:

GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8

GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=15200 --unit=0 --word=8 --parity=no --stop=1"

 

Then run

sudo update-grub

Note: I have not had this problem with the latest builds, and have not taken the time to reproduce if it was my mistake or certain builds that caused it.

 

(The end)

References

[1] Debian 11 netinst: https://www.debian.org/distrib/netinst

[2] Unofficial Debian 11 with non-free firmware: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/11.3.0+nonfree/amd64/iso-dvd/

[3] Putty for Windows: https://www.chiark.greenend.org.uk/~sgtatham/putty/

[4] Rufus: https://rufus.ie/en/

There's Lies, Damn Lies, and Maturity Assessments

On the immaturity of maturity assessors

 

Over the course of my career I have been the assessor as well as the assessee of maturity assessments revolving around Security, Architecture and/or Operational Maturity of IT/OT.

Having made the mistake myself of painting a better picture of As-Is being interviewed, as well as experiencing others painting a picture that was obviously far from reality I learned the hard way that "If it isn't documented, it doesn't exist". While there's certainly value in feeling pride in your work, it shouldn't stand in the way of getting as precise a maturity measurement as possible.

After all, it is embarrassing to start at say ML-3 then, after spending a lot of resources, being at 2 just because the initial assessment was overly optimistic. In reality that is not going to happen, so everyone will just lie, painting a better and better picture, never having the time to address the actual root of the issue. As we all know it is hard work keeping up appearances.

So here's my issue with this. Several assessments that I have seen are in the category of overly optimistic.

There could be 2 reasons this is happening; 1) The Assessor is caving to pressure and/or just don't want the customer to look (too) bad to be able to sell more hours, or 2) The Assessor isn't competent.

Or in short, 1) Lack of integrity, or 2) Incompetence.

Based on what I've seen the worse option (Lack of Integrity) is the main issue here - For the sake of better security postures and providing real value to customers it would be great to see assessors taking the hard discussions to be able to provide direct and honest information in order to enable senior executives to make fact-based decisions.

I suggest starting with demanding supporting information and if that is not made available within hours, it doesn’t exist and maturity is <1.

Redelegation of .dk domains to other nameservers

My chosen DNS Hosting Provider does not support .dk hostmaster's  process for DNS redelegation, what should I do?

So while the new process for redelegating to other DNS servers work quite well, provided the new DNS hosting provider support it (as e.g. simply.com does), several - including Cloudflare - do not.

This is easily overcome by using the simple "anonymous redelegation" link:

https://ns-update.dk-hostmaster.dk/da

It can also be automated, as explained on the page itself - the example below is taken from there.

https://ns-update.dk-hostmaster.dk/index.php?id=52&confirm=true&redel=true&domain=eksempel.dk&nameserver=ns1.hostnavn.dk&submit=Bekr%E6ft

Shortly after requesting the change you will be asked to confirm the requested change. You will have to login to your account(s) at https://selvbetjening.dk-hostmaster.dk/ to confirm this.

DNS Hosting with gratisdns is dead, long live...

How I learned to stop worrying and replaced GratisDNS

This might be helpful - not just for those of you moving from gratisdns, but for anyone looking for a DNS hosting provider.

Note: If You're moving to a DNS Hosting provider that do not support .dk hostmasters new process, read this companion post: https://blog.infosecworrier.dk/2022/02/redelegation-of-dk-domains-to-other.html

While I subconsciously knew this would happen when one.com bought GratisDNS, I'm ashamed to admit that I did not plan accordingly. The other day all current users of GratisDNS got the troubling email from the new owners that they'd migrate all zones from the multiple GratisDNS servers to 2 one.com servers "march 2022" so likely in a month.

With no further information tangible information on the migration specifics or future cost, this triggered me to look for other providers of DNS hosting.

 

My requirements were (are):

[R1] DNSSEC: This is a must!

[R2] Decentralized. There's way too much centralization, perverting DNS.

[R3] Hidden Master: Very nice to have, however can live without.

[R4] API: If hidden primary isn't supported, this is high on the list.

R5. Cheap or free: I need to pay for food and coffee.

Started investigating some possibilities (In alphabetical order):

CloudFlare.

Hetzner.de (.com).

QuickDNS.dk.

Simply.com

Migration Process

Created the following simple process for migration.

1. Select a less critical domain for testing.Luckily I have quite a few domains.
   
2. Disable DNSSEC.
   
3. Create zone on selected provider.
4. Transfer, add and verify all RR's
5. Test with dig to ensure RR's are correct (use @ns.provider.tld with dig and e.g. OpenDNS or even 1.1)
   
6. (Re)enable DNSSEC.
7. Test with dig that DNSSEC works. dnsviz.net is awesome for this too, especially when you're tired and can't read dig output :)
8. Test DKIM some more. Fatfingered during testing.
   

This is (opinionated) how they fared during my testing.

Cloudflare

Large centralized US based provider, trying to grab all our DNS queries at 1.1.

They did have a very nice interface, support DNSSEC and have an API with the free tier. If you want to pay several hundred $/month you can also use a hidden master.

Migrated one of my domains to Cloudflare and it worked well. But no (see R2)

Hetzner.com

Never got to test Hetzner as they wanted both a credit card and a photo of my passport to create an account even for the free tier. Heard good things, but no.

QuickDNS

Not supporting DNSSEC, no hidden master, no API, even no AAAA support.

I wish quickdns the best and hope they grow into a great alternative.

Simply.com

European provider, nice interface, have an API, but no hidden master support. Free tier for DNS only but the prices for web hosting look okay (not tested, but may happen).

Conclusion

I ended up moving a bunch of my domains to simply.com, with nothing but the mere due diligence described above, to be in better control of the migration and current/future costs. I'll report back on my experiences, but so far it's great.

Pay the maintainers of FOSS - Your business relies on it

Pay per use.

Ever wondered why large software corporations - including, but not limited to - Apple, Cisco, Microsoft, and Oracle, are able to develop licensing schemes so intricate that it requires tons of people to understand, but doesn't seem to be able to create a comparatively simpler model of paying the maintainers of the Open Source Software that their products and businesses rely on?

 

 

 

Yeah Yeah, I know it isn't that simple, some of those corporations have people employed that work on Open Source projects as well, but the point still stands.

Just today @bagder of Curl fame posted this:

If you are a multi billion dollar company and are concerned about log4j, why not just email OSS authors you never paid anything and demand a response for free within 24 hours with lots of info? (company name redacted for *my* peace of mind) pic.twitter.com/saumXAWPKO

— Daniel 🥌 Stenberg (@bagder) January 21, 2022

 

The business model of the large cloud providers is to sell services (mainly) based on Open Source Software providing great services (most of the time) to their customers. Their shrink wrapped software is based on or contain FOSS components - Windows 10/11 contains curl as well as OpenSSH. Many others including Aruba, BMC, Broadcom, Cisco, Citrix, and VMWare use Log4j. (See also https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md).

The harsh truth is that the corporations that relied on Log4j never paid a dime to the maintainers, while being so bad at CI/CD that they couldn't even tell us what versions they used where, nor how it was configured out of the(ir) box.  

 

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

— sqlfeng (@sqlfeng) January 2, 2022

 

Worst of all, over the course of handling the Log4Shell incident, I heard people blame Open Source for this situation. Please, this is beyond stupid.

This needs to stop, and we must hold all companies responsible for  the  current state of affairs. I do not have the legal, nor financial, insight into whether or not it would be possible to demand that when you pay e.g. Microsoft for Windows, that a buck or two of that cost had to be forwarded to the maintainers of Curl (and others) but we need to "nudge" those corporations to do that to a greater extent.

Back to the intricate licensing models; Why not "just" add a clause, stating that every time you sell a product or use license containing/using e.g. Curl, a small percentage of that had to go to the maintainers. It wouldn't make the license less understandable (That's impossible for most of them anyway), ensuring that the maintainers get something for their efforts and can continue to maintain their project; to the benefit of everyone using it/relying on it!

And... Please do remember to pay for the FOSS used when building software and solutions inside your organization, if it's worth deploying, it's worth paying for.

 

Let me just end by saying that way waaaaaaaay smarter people have pondered this question, so please investigate this topic further yourself.