Standard Mischief

Archive for the ‘don't try this at home’ Category

*nix mischief: fun with “file carving”

I had these really important photos on my hand-held device, with a backup on the PC, when I caught a case of teh stupid and erased them one night to make some space. On the next sync, the files were “deleted” per standard sync procedure. On an ext3 file system that means the inode’s block pointers are cleared and its data blocks are marked free in the block bitmap; the bytes themselves stay on the platter until something reuses the space. (Because ext3 zeroes those pointers, inode-based undelete tools have nothing to follow, which is why carving is the right tool for this job.) I didn’t really think about the files going “poof” until about 36 hours later.

Quote from me: “Oh crap”

When I got home, I shut the system down. While the PC was up, there was always a chance that something would write to disk and overwrite those important files. After some study and research, I found Foremost, a program that does “file carving”. It scans a raw disk image (or the device itself) for known file headers and, for types that have one, footers, and copies out every byte range from a header to the next footer, up to a configured maximum size, without needing any file system metadata at all. So you can look through the raw data and pull out anything that looks like a JPEG or an HTML file, or just about anything else you want to search for. Here’s something of a step-by-step. This is basically what I did, except without the tedious research between many of the steps to make sure I was doing the right thing.

  1. Boot the PC using a Linux live CD that does not automatically mount hard drives. I used an old copy of Ubuntu I had lying around, therefore instructions here will be tailored to that distro. By default, Ubuntu will use any swap space it finds, but will not auto-mount any file systems. Swap writes only land on the swap partition, so the partition holding your deleted files is not at risk from that; if you intend to image the whole disk rather than one partition, turn swap off first (swapoff) so the image is consistent.
  2. I had space on my hard drive, so I used a partition program to make a new 8 GB partition.
    If there wasn’t any space, I’d likely have to install another hard drive or something. I used whatever came with Ubuntu, likely Gparted, to format the partition.
  3. In Ubuntu, you will need to go to software sources and enable via check box the universe and multiverse options. I believe everything is in the universe repository, but why do this step twice?
  4. Drop down into console (command line) and mount your new partition. You could also mount anything where you have enough space, and this could be network drives or flash drives, or anything that works for you. Just don’t mount the partition that contains the files you want to recover. I used $ sudo mkdir /home/hda4 to create the mount point, and then $ sudo mount -t ext3 /dev/hda4 /home/hda4 to mount the partition.
  5. Use dd to make an image of the unmounted partition you are recovering from. I used $ dd if=/dev/hda3 of=/home/hda4/image.dd bs=4096 conv=notrunc,noerror (reading the raw device needs root, so prefix it with sudo on Ubuntu). One caveat people trip over: noerror on its own makes dd skip an unreadable block, so everything after it shifts and the offsets in the image no longer line up with the disk. If the drive has bad sectors, use conv=noerror,sync so each unreadable block is written out as zeros instead; notrunc does nothing useful when the output is a fresh file.
  6. Get Foremost. I used $ sudo apt-get install foremost
  7. I also had to get some tools for interfacing with Palm PDA. Depending on what you want to carve, you likely won’t need this. For me it was $ sudo apt-get install pilot-link
  8. Run Foremost on your disk image. I had to write my own foremost.conf file. Full details are on the man page; each line names the extension, whether the header is case sensitive, a maximum file size, the header and an optional footer, with the bytes written as hex escapes. I won’t go into details because it’s not likely that you will be searching for the exact same kinds of files as I was. I was looking for files that ended in jpg.pdb, and I had to create some example files first and then do hexdumps to see what the files start and end with (the first and last few lines of hexdump -C on a couple of samples are enough). Fun.
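To make the carving step concrete, here is a toy header/footer carver in Python. It is an added example, not code from the original post and not Foremost’s own code. The “disk image” is constructed inside the script, the JPEG and GIF signatures are the standard magic bytes, and the foremost.conf line layout is assumed from the config file Foremost ships with (check it against your man page). jpg.pdb is not modelled; derive_signature() shows the hexdump-by-eye step of finding what a set of sample files start and end with.

```python
"""Toy header/footer file carver in the spirit of Foremost.

Added example, not code from the original post or from Foremost itself.
The "disk image" is constructed in build_sample_image(); the JPEG and GIF
signatures are the well-known magic bytes.
"""

# (extension, header, footer or None, maximum carve size in bytes)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    ("gif", b"GIF8", b"\x00\x3b", 5_000_000),
]


def _common_prefix(blobs):
    """Longest byte prefix shared by every blob in the list."""
    first, rest = blobs[0], blobs[1:]
    n = 0
    while n < len(first) and all(len(b) > n and b[n] == first[n] for b in rest):
        n += 1
    return first[:n]


def derive_signature(samples, max_len=16):
    """What the hexdump step does by eye: the bytes every sample file starts
    and ends with. Returns (header, footer); footer is b"" if none is shared."""
    header = _common_prefix(samples)[:max_len]
    footer = _common_prefix([s[::-1] for s in samples])[::-1]
    return header, footer[-max_len:] if footer else b""


def _hex_escape(data):
    return "".join(f"\\x{b:02x}" for b in data)


def foremost_conf_line(ext, header, footer, max_size, case_sensitive=True):
    """One line in foremost.conf layout (assumed from the shipped config):
    extension, case flag, max size, header, optional footer, tab separated."""
    fields = [ext, "y" if case_sensitive else "n", str(max_size), _hex_escape(header)]
    if footer:
        fields.append(_hex_escape(footer))
    return "\t".join(fields)


def carve(image, signatures=SIGNATURES):
    """Return [(ext, offset, data)] for every header match, sorted by offset.

    With a footer: carve header..footer and resume after the footer, so a
    thumbnail JPEG embedded inside a JPEG is not carved again on its own.
    Without a footer (or none found before max_size): carve up to max_size
    bytes or to end of image, and resume right after the header.
    """
    found = []
    for ext, header, footer, max_size in signatures:
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = None
            if footer:
                fpos = image.find(footer, start + len(header), limit)
                if fpos != -1:
                    end = fpos + len(footer)
            if end is None:
                end = limit
                resume = start + len(header)
            else:
                resume = end
            found.append((ext, start, image[start:end]))
            start = image.find(header, resume)
    found.sort(key=lambda hit: hit[1])
    return found


def build_sample_image():
    """Constructed image: a complete JPEG, a GIF, and a JPEG whose tail was
    overwritten (no footer), with zero-filled and junk slack between them."""
    jpg_ok = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
    gif = b"GIF89a" + b"B" * 20 + b"\x00\x3b"
    jpg_cut = b"\xff\xd8\xff\xe1\x00\x08Exif" + b"C" * 30
    image = b"\x00" * 64 + jpg_ok + b"junk" * 8 + gif + b"\x00" * 16 + jpg_cut
    return image, (jpg_ok, gif, jpg_cut)


if __name__ == "__main__":
    image, (jpg_ok, _, jpg_cut) = build_sample_image()
    for ext, offset, data in carve(image):
        print(f"{ext} at offset {offset}: {len(data)} bytes")
    header, footer = derive_signature([jpg_ok, jpg_cut])
    print(foremost_conf_line("jpg", header, footer, 20_000_000))
```

The truncated JPEG comes out as a candidate of whatever bytes follow its header up to the size limit, which is exactly the “file that opens half-way and then goes grey” you see after real carving; Foremost behaves the same way for a footer-less hit, so expect to sort the good carves from the bad by hand.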

In the end I recovered the photographs, but I ended up not ever needing them. They were from a hit and run accident where the lady that plowed into me ended up stopping long enough to talk to me and call someone else, but then abruptly left when I was on the phone with the police. Luckily, I had pictures of the other vehicle with license plates and after contacting her insurance, and every possible delay, her agent finally cut me a check for the damage.

I’ve really got to work on my incremental hard disk backups.

2008-04-30 01:00 by Standard Mischief, Filed under:don't try this at home     4 Comments

skipping to the front of the security theater, and a bleg.

Chris Soghoian (over at his new cnet digs) goes over how to (usually) skip most of the airport screening line wait by refusing to show ID. He claims that you get bumped to the front of the line and end up going through some “secondary screening”. A copy of the letter from the TSA is included.

Here lies the bleg. One of the secondary screening devices is the “puffer machine”. A poorly sourced Wikipedia article says that the machine in question detects microscopic particles of “gunpowder” or “residue from bomb-making materials”. The problem I suspect here is that the machine would likely give off a false positive on people who reload firearms ammunition or perhaps even those who merely enjoy the shooting sports, both of which are legal activities.

A quick search of teh intarw3bz turns up nothing, so I can either bleg or try to fly without ID after dabbing a little Blue Dot behind each ear. So can anyone relate a personal experience of going through the “puffer machine” after shooting or reloading within about 24 hours of their flight? Did you pass or fail?

Update before publication: Here’s a few threads on Flyertalk.com (emphasis mine):

Janeen: I had the puffer machine experience at the Providence, R.I. airport early last month. Unfortunately, I flunked the test and I have no idea why. After they opened the doors of the machine to let me out, I was pat-down searched and questioned. They wanted to know if I had recently been around any guns, chemicals, or explosives (no to all three). They asked where I worked, took my driver’s license, and called over a police officer, who (I assume) ran a warrant check on me. Before they gave me back my license, one of the guys appeared to write down information from it.

FliesWay2Much:Your experience is the slippery slope of any semblance of privacy. The TSA just nuked the Privacy Act. If you alarm the puffer, you are already assumed to have handled explosives. You are turned over to the cops, forced to reveal personal information, you have a check run on you, and are essentially “detained” by anyone’s definition. …and all because you dared to buy a plane ticket. Wow — the TSA really upped the ante on us this time.

I just love that there’s such a streak of “civil libertarians” (that’s the preferred mainstream media term for people who are not the ACLU but opine about “civil liberties”. Can’t be giving any free advertising to the Cato Institute or anything) on what’s basically a forum on how to work the frequent flyer system. (I’ve linked to the low-bandwidth version of the forum, but if you search with all the extra overhead, you’ll also see a bunch of Jefferson quotes and Kip Hawley slams in the taglines.)

SDF_Traveler: I was on the patio in my backyard on the 4th and my yard happens to back up to a decent sized park. Some folks were putting off a spectacular fireworks display that someone likely purchased across the state line (i.e. the fireworks you would see at a professional display).


During one of the spectacular displays, a chunk of unexploded firework came down and nailed me in the chest. Thankfully it wasn’t burning or hot - nor was I injured; it just stung a bit; most thankfully it only hit my chest in the pec area (and not my face!). Problem: It did leave a big brown coloured powder type stain on a good shirt. $20 says this residue will trigger an ETD or Puff Portal if not cleansed properly.

DCA TSO: Why would you even risk setting off an ETD or ETP machine a second time? Are you looking to be placed on the “no-fly” list?

ralfp: Because he wants to use his shirt? Or is the presence of trivial/trace amounts of legal materials grounds for punishment by the gov’t? I guess people who work with fireworks and in mines aren’t allowed to fly. :rolleyes:

It’s wrong that anyone has to worry about this. Why should the OP’s name, etc. have been recorded the first time around? If he actually had non-trivial amounts of TNT I would understand it, but traces? What percentage of ETD alarms are of actual concern? Is it something other than 0%?

PatrickHenry1775: My grade in Organic Chemistry II was a D, so take that into account re this advice. Rubbing alcohol - isopropanol - affects quite a few chemicals. What material is your shirt? If cotton, should be no adverse reaction if you soak the area of impact with isopropanol for about 30 minutes. First test this treatment on an area of the shirt that is not visible when you are wearing it. Then rinse the shirt thoroughly in water. In fact, after the isopropanol I would soak the shirt in dishwashing detergent. After the rinse, wash the shirt as you normally would. I would let the shirt air dry, because tossing it in a dryer could set the residue.

2007-09-06 12:46 by Standard Mischief, Filed under:deranged rants, don't try this at home     No Comments

A $50 paint job for your beater car

Using fscking Rust-Oleum no less! The car looks pretty good, and you don’t end up going through a case of rattle-cans. Bonus: you don’t get CMYK-lung from the overspray.

Yea, I have a beater and as soon as I get all of god’s mistakes fixed on the thing, I’m gonna have to try this. It’ll look a lot better than a rattle can primer camo job.


Details here,
and no, I don’t think this Corvair is a beater.

fair use from http://www.rickwrench.com/50dollarpaint.html

Photo stolen from the linked page (but he says that doing so is OK), and I reduced the size/quality via gimp.

2007-08-03 12:49 by Standard Mischief, Filed under:don't try this at home, found object, reassembly is the reverse of removal     No Comments

mini HOWTO: ReiserFS recovery suggestions (bad bread)

ReiserFS is a general-purpose, journaled computer file system that usually only shows up on *nix systems. A journaling file system records what it’s about to do in a journal before doing it, so that if power is lost mid-operation the file system can replay or discard the unfinished change on the next mount and come back consistent. That makes it “fault tolerant” against crashes and power loss, not against a drive that can no longer read its own sectors. After a recent wind storm and the accompanying power outage, I found that one of the partitions on my hard drive would not mount. The root partition was kinda sorta flaky too, sometimes mounting, sometimes not.

Searching teh intarwebs, I came across this great little post. Using that and a tool called dd_rescue (Kurt Garloff’s tool, not the separately maintained GNU ddrescue, which takes different options), I was able to get most of my data back. Because I think I can add a bit better explanation, I’ve decided to write up the steps.

Got the same problem I had? Here’s how to check.

1. Boot using a copy of Knoppix live CD.
2. Be root.
3. With the drive unmounted, run reiserfsck --check on the partition:

# reiserfsck --check /dev/hda3

If you get something back like:

bread: Cannot read the block (8210): (Input/output error).

Well, then you have what I had: the drive itself is returning I/O errors on read, which is a hardware problem that no journal replay or fsck can repair. I’d advise you to write off the entire drive as a loss. I would be afraid of trusting it any longer. Of course, you likely want to pull the data off first, unless you have been smart about backups.

So I went and got a new drive. Although my motherboard supports SATA drives, Knoppix out of the box does not. I ended up going back to the store for a second drive that takes EIDE (also PATA, or parallel ATA). The message I linked to seems to imply you can use any type of storage system you can write to, but I created a new ReiserFS partition.

Standard industry practice is to put CD and DVD burners on one EIDE cable, and any hard drives on another. This is so data transfer is sped up during CD burning. In my case it was a mistake. With both drives on the same EIDE cable, each block had to be read into RAM, then the bus had to stop and turn around to send that same block back down the same cable to the second drive. It would have been much faster if I had the CD-ROM and the new drive on one cable and the dead drive on another. That way data could stream up one cable and down the other.

It seems that Knoppix does not enable DMA acceleration (misspelled as “acelleration” on the menu) by default. You probably want to enable this, although there seem to be a few bad motherboards out there that can’t handle it. I did not, and recovery took 3 fracking days. Enable it via K Menu::KNOPPIX::Utilities::Harddisk/CD/DVD/ DMA acelleration.

Step by step, on how I did it (or, knowing now how I should have done things.)

1. Get a new hard drive that’s at least as big as the trashed partition you are trying to recover. Install it on a different EIDE cable from the bad drive if at all possible.
2. Boot Knoppix (I used 5.1.1 EN)
3. Assign yourself a root password using K Menu::KNOPPIX::Set password for root
4. Using K Menu::System::GNOME partition editor create a partition on your new drive at least as large as the one you are trying to recover. Just to be sure, I made mine a few MB larger.
5. Enable DMA acceleration.
6. Open a Konsole, be root.
7. With both source and recovery partitions unmounted, type:

# dd_rescue -A /dev/hda3 /dev/hdb2

Where “#” is the root prompt (that you don’t type), the -A option inserts zeros when the source could not read a block. Replace /dev/hda3 with your bad partition and /dev/hdb2 with your new partition.
8. You could use nice or renice to give dd_rescue priority over anything else running, but the copy is bound by disk I/O, so don’t expect much from it. If you are not familiar with how they work, read the man pages.
9. After dd_rescue makes a bit-for-bit copy of whatever it can read, you need to fsck the new copy, never the original. The frontend fsck told me to run reiserfsck --rebuild-tree. Be aware that --rebuild-tree rewrites the file system’s tree in place and is not reversible, which is exactly why you run it on the copy and leave the failing drive untouched in case you need a second attempt.

# reiserfsck --rebuild-tree /dev/hdb2

10. Mount the recovered file system and make a backup of the critical content.

Thank you rvalles. Thank you Kurt Garloff

2007-04-25 22:50 by Standard Mischief, Filed under:don't try this at home     1 Comment

Dealing with web annoyances: Snap Preview, part 1

Specifically this is against Snap.com’s cookie, but broadly I could subtitle this as “Manipulating Browser Cookies in Firefox 101” or something.

One of the more annoying things on teh tubes of ‘net nowadays is called Snap Preview. When you are on certain websites with this crap enabled, and you roll the mouse over an off-site link, a javascript program runs and pops up a pretty useless preview of the off-site website. The pop-up is too small to be useful, yet too large to be ignored.

screen shot

I thought the world knew by now that any window that pops up, without me specifically clicking on anything to activate it, instantly gets classified as annoying, whether or not said window is actual spam. Tiny little helpful “tool tips” are the one exception.

There are several different ways to kill this annoyance, some better than others. You could disable javascript, but it’s useful for all kinds of things (like Google Maps). Here I’m going to give you Snap.com’s preferred method, with a twist.

Step one: Go to this page, scroll down until you see the yellow area.
Step two: click on the “Click here” link (underlined in red below).

screen shot

This should set a cookie that gets sent back to Snap.com’s servers, telling them not to send me a pop-up. It seems, however, that the cookie they send only lasts one session (it carries no expiry date, so Firefox discards it on exit), meaning I’d need to keep setting that cookie each time I started up Firefox. To keep it around a bit longer I need to use a Firefox extension called Add ‘n Edit Cookies. That means that from here on out, you need to be using Firefox.

Note: While testing this procedure, I once got a cookie from Snap.com that did not expire at the end of my session. I have no idea why that happened, but I thought I’d let you know. If I could reliably reproduce that result, I could skip the Add ‘n Edit Cookies extension part. That would save a bit of work. Most of the cookies Snap.com sends me are session cookies.

Go follow the above link, and install Add ‘n Edit Cookies. While you are at it, you want to install CookieCuller too. We’ll need it later. Got it? Good, you will now need to exit and then reload Firefox, and after that, you’ll likely need to fetch that damn cookie again too.

Step three: Activate Add ‘n Edit Cookies by clicking on Tools::Cookie Editor. Click on the one cookie from Snap.com that’s called “spa”. Go ahead and ignore the other ones.

screen shot

press the edit button that’s in the lower center

screen shot

In the new window just opened, we need to now click on the “new expiration date” radio button and add some time to the life of that cookie. I added 20 years. Press save to dismiss the top window, and then close to dismiss the one below that.

screen shot

We could stop right here, but if you have your browser set to “upchuck” cookies after every session (highly recommended) you will lose your magic cookie, no matter how much time you added. So I’m going to use another extension (called CookieCuller) to protect just the cookies I want to keep, and discard every other unprotected cookie.

Step four: Open CookieCuller (Tools::CookieCuller) and select the “spa” cookie again.

screen shot

Step five: Then we press Protect Cookie to protect only the “spa” cookie, and any other cookie we wish to keep around. I only keep cookies where I know what the purpose of the cookie is, and I feel the benefits outweigh any privacy disadvantages.

screen shot

Under Tools::Extensions, right-click on the CookieCuller bar, and select preferences

Make sure that “delete cookies on startup” is checked.

screen shot

Last step: Click on Edit::Preferences or Tools::Preferences (Win XP), select the Privacy icon at the top, click on the Cookies tab, and make sure your settings are as shown below.

screen shot

You are done! Please note that if you want to test your new no-snap cookie, you will need to mouse over a site other than Snap.com. It seems that even with the cookie, the pop-ups do pop-up on any Snap.com page.
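The whole procedure above, done by script instead of by clicking through two extensions, as an added example in Python (not code from the original post or from either extension). It tells a session cookie from a persistent one by the absence of Expires/Max-Age, pushes the chosen cookie’s expiry 20 years out, keeps only an allowlist of cookie names and writes the survivors in the Netscape cookies.txt layout, which is where Firefox 2 kept its persistent cookies. The Set-Cookie header values and the clock are constructed; Snap.com’s real header is not reproduced on this page.

```python
"""Set-Cookie triage for the Snap.com opt-out cookie.

Added example; not code from the original post or from either Firefox
extension. Does by script what the Add 'n Edit Cookies and CookieCuller
steps do by hand. Header values and the clock are constructed.
"""
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

TWENTY_YEARS = 20 * 365 * 24 * 3600
NOW = 1171929600          # constructed clock: 2007-02-20 00:00:00 UTC

# Constructed Set-Cookie headers. The first is the kind of session cookie the
# opt-out click hands back (no Expires/Max-Age); the others are persistent.
SAMPLE_HEADERS = [
    "spa=1; Domain=.snap.com; Path=/",
    "track=abc123; Domain=.snap.com; Path=/; Expires=Thu, 01 Jan 2037 00:00:00 GMT",
    "PREF=xyz; Domain=.google.com; Path=/; Max-Age=63072000; Secure",
]


def parse_set_cookie(header, now=NOW):
    """Return a dict with name, value, domain, path, secure and expiry.
    expiry is an epoch second, or None for a session cookie."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    expiry = None
    if morsel["max-age"]:                       # Max-Age takes precedence
        expiry = now + int(morsel["max-age"])
    elif morsel["expires"]:
        expiry = int(parsedate_to_datetime(morsel["expires"]).timestamp())
    return {"name": name, "value": morsel.value, "domain": morsel["domain"],
            "path": morsel["path"] or "/", "secure": bool(morsel["secure"]),
            "expiry": expiry}


def is_session_cookie(cookie):
    """No expiry at all means the browser drops it when it exits."""
    return cookie["expiry"] is None


def extend_expiry(cookie, seconds=TWENTY_YEARS, now=NOW):
    """The 'new expiration date' step: give the cookie a far-future expiry."""
    return {**cookie, "expiry": now + seconds}


def cookies_txt_line(cookie):
    """Netscape cookies.txt layout: domain, include-subdomains flag, path,
    secure flag, expiry, name, value, tab separated. A leading dot on the
    domain means the cookie is sent to subdomains too."""
    return "\t".join([
        cookie["domain"],
        "TRUE" if cookie["domain"].startswith(".") else "FALSE",
        cookie["path"],
        "TRUE" if cookie["secure"] else "FALSE",
        str(cookie["expiry"]),
        cookie["name"],
        cookie["value"],
    ])


def build_jar(headers, protect, now=NOW):
    """CookieCuller's policy: everything not in `protect` is culled, and a
    protected session cookie is made persistent so it survives restarts."""
    lines = []
    for header in headers:
        cookie = parse_set_cookie(header, now)
        if cookie["name"] not in protect:
            continue
        if is_session_cookie(cookie):
            cookie = extend_expiry(cookie, now=now)
        lines.append(cookies_txt_line(cookie))
    return lines


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        state = "session" if is_session_cookie(cookie) else f"persistent until {cookie['expiry']}"
        print(cookie["name"], state)
    print("\n".join(build_jar(SAMPLE_HEADERS, protect={"spa"})))
```

Note the asymmetry the script makes visible: the tracking cookie arrives already persistent (30 years out), while the one that switches the annoyance off is the one that expires when you close the browser.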

Now for the disadvantages. Please to be donning teh tin-foil hat. Every time you visit a site that uses Snap.com, your browser fetches their script and a line appears in Snap.com’s logs with the referring page. That’s not so terribly bad, because you never really gave Snap.com your mother’s maiden name or your Social Security number, but they do know when and how often you visit a Snap.com-“enhanced” (crippled) site, how often you upchuck the other cookies Snap.com sends you, your browser type and other data like that. I’m going to go out on a limb and assume that Snap.com’s Terms of Service will read in such a way that they presume to own all that data, and may do with it as they wish.

The other disadvantage is that beyond step two, you need to use Firefox and a few extensions. There may be other cookie manipulating tools on other browsers like Opera or Safari, but I don’t know anything about them.

If you liked this post, you may like another blog post where I show you how and why to zero out Google’s cookie.

This is not the way I block Snap.com’s crap, but it should hold you over for a day or so until I get the other methods up. I’ll also try to clarify anything if you leave me a comment.

2007-02-19 23:00 by Standard Mischief, Filed under:don't try this at home     1 Comment
