Monday, July 13, 2015

Tackling the GIAC GCIA!

Well, it’s that time again.  Time to tackle yet another certification.  The last certification I took was the GIAC GSEC which was chronicled in depth in a previous journal.  In that post, I went over briefly the question of whether certifications are worth it to someone.  After the GIAC experience I had last year, I couldn’t wait to get back into the saddle and conquer another GIAC class.  This time, a co-worker and I were approved to take on the GIAC GCIA training and exam.  What follows is another adventure into the wonderful world of SANS.

You mean I get to travel?!

The last time I was able to go to a SANS event, it was held locally.  By locally, I mean in my state of residence, Texas.  Roughly translated, a little over 250 miles.  This time I was approved for some major travel expenses, which made me feel all warm and fuzzy.  This year I was able to go to the SANS conference in Reston, VA.  One hassle free Virgin Airlines ride and we got on our way!  This was my first time in Virginia.  My trusty co-worker and I made our way to the hotel and checked into our rooms ready to wake up, get badged up, and submit our lives to the one and only Mike Poor.

I blame Mike Poor!

Upon entering the classroom, our awesome facilitator handed us our bag of books, which was different from my first time at a SANS conference where we received our books at check-in, and made our way to our seats.  We picked them strategically… you know, not at the very back, but not first row.  Others made their way in and filled the seats.  You could just feel the aura of nerd permeating through the rows of tables.  Finally the class started and we were introduced to the man, the myth, the legend, Mike Poor.  Many have said Red Bull runs through this man’s veins.  I’m not sure if that’s true, but the energy drink company may sponsor this guy due to the amount of cans he went through during the week.  Although he may not have visual wings, this man is high-powered octane and will keep you engaged. 

Like the GSEC and, I assume, any other SANS class, we went one book a day.  This material was very new to me.  Day one I kept up and understood the majority since it was a lot of TCP/IP concepts and also included IPv6.  Day two was slightly different but I held on.  It wasn’t so much a lack of understanding as a lack of sleep, which kicked in the last hour or so of class.  Day three is where I started getting “deer-in-headlight” face when the topic of IDS/IPS evasion and other traffic analysis topics came up towards the latter half of the day.  The workbook definitely filled in the gaps and solidified the concepts covered in class.  Day four… what can I say about day four?  It was the best of times.  It was the worst of times.  We were introduced to Snort and Bro.  In the past, I was introduced to these two tools, but never got to play with them in their full capacity.  Each package went over its own operational lifecycle, so by the time you got to the end of Snort, it was like Mike hit the repeat button but it was all for Bro.  That was morale crushing.  Necessary in the grand scheme of things, but my mind just did not want to get back in the game after half time.

But wait! Didn’t you say it was the best of times?  Sure, but let’s take a step back for a moment and go over a topic I find unbelievably valuable at these conferences: SANS@Night.  These are bonus sessions in which the instructors give an hour long talk about a certain topic.  When I did the GSEC class, I found myself at these talks every night.  Up until day four, I was in the room as well.  What stopped me from going on night four?  Mike Poor.  He invited my co-worker and me to go eat at a Korean BBQ place somewhere in the area.  Let me be the first to say, when you are invited to go to dinner with a minimum of five SANS instructors, you go.  The evening was an epic event that will not soon be forgotten.  However, my co-worker and I had to cut our invite short since it was getting way too late.  The rest of the party were out until sometime the following morning.  I can only speak for myself, but I was destroyed and had to depend on sugar and caffeine to get me through the next day.  For this, I blame Mike Poor.  What is most impressive, Poor came to the class and didn’t skip a beat.  He taught the class with the same intensity he had the past few days.  That man is a beast or part cyborg!

The last couple of days went off without a hitch.  I must say I was confused on a lot of the material but picked it up with the included workbook exercises.  The final day came forcing all of us to utilize the skills we all gathered throughout the week to recount the steps a nefarious hacker took within a honeypot.  This was a very exciting exercise as we were split up in teams and divided the tasks among individuals.  I was not expecting much in the area of results from my area since everyone else seemed way more experienced than me, but surprisingly enough I nailed my portion of the investigation including finding a photo of the perpetrator with some Google-fu.

Ugh… Indexing… Again

Indexing? Do I really have to? In short, yes.  Much like the GSEC experience, you get a ton of pages with no way of knowing where anything is which necessitates the need for an index.  However the biggest difference between GSEC and GCIA is the number of topics covered.  Whereas GSEC is a broad spectrum of information security knowledge, GCIA is more focused on a specific set of concepts, tools, and commands.  Because of this, your index will be significantly smaller than GSEC.

My previous experience in indexing really helped out. But I deviated in my study method.  I went through each book and took meticulous notes by hand in a spiral first.  That’s right. I went through the books twice.  In hindsight, I feel I could have done this study portion without this first step.  But I can’t say it hurt.  I am able to maintain knowledge better if I write stuff out by hand rather than blindly typing stuff into a Word or Excel document.  It’s just the way I work.

Round two of hitting the books included indexing which was not as detailed as my first phase notes, nor my GSEC index.  But I did get the main sections I included in my GSEC version (Book Index, Tools, Commands, References).  I added header charts I found over at nmap.org and a hex, dec, bin chart that definitely helps make quick work of conversions found in those practice exams.

Am I Ready?

GIAC gives you two practice exams to see if you are on target.  My first practice exam emulated my GSEC experience.  The biggest difference was how often I used material to double check my work.  I hardly found myself reaching for the index or books.  This can be a very good thing.  For the first half, I was hitting a solid 90+% score.  But something happened.  Mental fatigue and wanting to figure out what I was going to do later that evening.  The increase in boneheaded mistakes and just wanting this to be done dropped my score.  I passed, but I learned a ton about the necessity of maintaining concentration.  I also found areas I needed more work in such as DNS and strangely Wireshark fundamentals (I think this is due to the aforementioned distractions).  The second practice exam was better, as you’d expect.  But that damn DNS category still got me.  I did get five stars on Wireshark (at least the embarrassment of that went away).  Other than that one aspect, I pretty much got it.  I’ll go ahead and schedule the exam and let you know how it goes in the next section.

It’s Time

So in the last section, I left off with two practice exams down and this feeling of just wanting to get this over with.  I scheduled a week out at my testing facility of choice.  DNS was a weak spot for both practice exams so I had that nagging me all week and I really concentrated on trying to get that sorted.  Two days before the exam I felt I was ready and didn’t want to study any more.  I just couldn’t force myself to get those books out again.  I took the days off despite my wife’s words of wisdom.  Something about locking me out of the house if I failed the exam because I didn’t study those two days.  The night before I went through the books again and firmed up the loose ends I had.  Before I went to sleep, I made sure I put all the material I was to bring in the bag from the SANS convention I got back in Reston, VA.  I had dreams of the exam.  Yes, I was that paranoid about it.  Oddly enough, it wasn’t about taking the exam, it was about missing my scheduled time and not even getting to sit for the thing!  I woke up the next morning groggy.  In addition to the horrible dream, my dog found her way on to my pillow and a canine tail was lying on my face.  Looking at the clock, I realized I had overslept but only by about 30 minutes.  Definitely enough time to get to the testing facility.

So with all the worry about waking up late and the traffic due to construction, I get to the facility 2 hours early.  The people there know me and consider me an expert tester (mainly due to the certs you obtain through WGU).  They were nice enough to just put me in the hot seat immediately.  The first few questions did not faze me.  Then the DNSish questions came…. I plowed through them.  Around a quarter into the exam, I was hitting 90+ on the accumulated score.  I think I’m going to be able to get this thing done without issue!  Or at least that is what I thought.  Halfway, I’m down to 83%.  I wouldn’t say panic hit me, more than disappointment.  I took my break and regrouped.  Went outside with one of the proctors and walked around a bit.  Warmed up too; it’s cold in that room!  Getting back to the test, I fought through that thing and stayed pretty consistent.  In the end I ended up with an 84%.  Not too bad keeping that score and not dipping below the lowest checkpoint score of 83.

Your Thoughts?


I’ll be the first to say, this exam is a definite challenge.  The practice exams provided seem to be exam preps for the Sec503, not the actual exam.  What do I mean by that?  I feel the actual exam seemed to be more targeted/focused instead of the “relaxed” content of the practice exams.  I can’t get into too much detail due to NDA, but details matter in this exam.  Overall, this was a great experience and I welcome anyone who is willing to give it a shot.

Wednesday, September 10, 2014

A List of 5 Million 'Gmail Passwords' Leaked, But There's No Need to Panic

It might be time to change some of your passwords — again. But if you've used a Gmail password that's unique from other accounts, you might not have to worry.

A list of almost 5 million combinations of Gmail addresses and passwords was posted online on Tuesday. But the passwords seem to be old, and they don't appear to actually belong to Gmail accounts. Instead, it seems that many of the passwords were taken from websites where users used their Gmail addresses to register, according to some of the leak's victims as well as security experts.

For example, someone might have signed up for a website with the username "myaddress@gmail.com" and the password "mypassword." The list exposed this week makes it look like "mypassword" is the password for the Gmail account itself, but the user's actual Gmail password might be totally different.

The list was posted on a Russian Bitcoin forum on Wednesday, and US media started reporting on it overnight.

We can't confirm the authenticity of all the email addresses on the list, but a Mashable employee, Evan Engel, saw that his old Gmail password, which he hasn't used in years, is part of the leak.

A Google spokesman told Mashable that the company has "no evidence that our systems have been compromised," and security experts seem to agree that the passwords are either old Gmail passwords obtained through phishing, or are passwords that were actually used on other sites.

Matteo Flora, a computer security expert, reviewed the dumped file and found that around 60 email addresses were in his address book. After he alerted those people, 30 of them told him that the password either was never used for their Gmail accounts or was very old, Flora told Mashable.

Chester Wisniewski, a senior security adviser for security firm Sophos, told Mashable that he expects many of these accounts not to be valid. "There is no honor among thieves as they say, and often stunts like this are released as a sad attempt at gaining credibility among other criminals," he said.

Several Reddit users also confirmed that they found their email addresses in the leak, but that the associated password has never been their Gmail password.

"The password that I generally use for other services is shown in this list and not my gmail password," wrote a Redditor nicknamed InternetOfficer. "This proves that the hackers hacked into some other service where gmail address (or other email addresses) are used and got the password of that service not gmail password."

"The password it shows (or at least the first two characters) is NOT from a password I've ever used on Gmail," wrote another Redditor, "but it does match a password I've used on bullsh*t I absolutely don't care about."

Some hints in the dump seem to point to several different sites that could have been compromised.

Both Flora and some Reddit users have noticed that some email addresses are followed by a "+" sign and the name of a website. (If you add "+" and a word to your Gmail address, like "myaddress+mashable@gmail.com," emails to that address can automatically be archived in a folder with the word you choose.) This might indicate which websites have been compromised. Some of the sites that have been identified this way include friendster, filedropper, xtube and freebiejeebies.
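
The "+" tag reasoning above can be checked mechanically. The following is an added example, not part of the original article: it tallies plus tags among Gmail addresses in a dump to see which signup sites they point to. The sample lines and all function names are constructed for illustration, and a tag shows only where an address was registered, not proof that the site was breached.

```python
"""Tally Gmail plus-address tags in a credential dump to hint at breach sources."""
from collections import Counter

# Constructed sample lines in "email:password" form (not taken from the real dump).
SAMPLE_DUMP = """\
alice+friendster@gmail.com:hunter2
bob.smith+filedropper@gmail.com:letmein
carol@gmail.com:qwerty
dave+Friendster@GMAIL.com:123456
erin+filedropper@googlemail.com:password1
frank+news@example.org:abc123
not-a-valid-line
mallory+@gmail.com:zzz
"""

# Domains that deliver to a Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def parse_line(line):
    """Return (email, password), or None if the line is malformed."""
    line = line.strip()
    if ":" not in line:
        return None
    # Split on the first colon only, so passwords may contain colons.
    email, _, password = line.partition(":")
    if email.count("@") != 1:
        return None
    return email, password


def plus_tag(email):
    """Return the lowercase plus tag of a Gmail address, or None if absent."""
    local, domain = email.rsplit("@", 1)
    if domain.lower() not in GMAIL_DOMAINS:
        return None
    if "+" not in local:
        return None
    tag = local.split("+", 1)[1].lower()
    return tag or None  # "user+@gmail.com" carries no usable tag


def canonical_gmail(email):
    """Map a Gmail address to its mailbox: tag and dots dropped, lowercased."""
    local, _domain = email.rsplit("@", 1)
    base = local.split("+", 1)[0].replace(".", "").lower()
    return f"{base}@gmail.com"


def tally_sources(dump_text):
    """Count plus tags and collect the distinct mailboxes seen for each tag."""
    tags = Counter()
    mailboxes = {}
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, _password = parsed  # the password is never stored or printed
        tag = plus_tag(email)
        if tag is None:
            continue
        tags[tag] += 1
        mailboxes.setdefault(tag, set()).add(canonical_gmail(email))
    return tags, mailboxes


if __name__ == "__main__":
    counts, boxes = tally_sources(SAMPLE_DUMP)
    for tag, n in counts.most_common():
        print(f"{tag}: {n} entries, {len(boxes[tag])} distinct mailboxes")
```
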

Even if this dump is simply a collection of old passwords belonging to minor sites, the issue is always the same: password reuse. If you tend to reuse your passwords, check this website to see if your Gmail address is on the list.

If it is, change your passwords, and choose long ones that combine special characters and numbers. Password managers can help you keep track of your accounts.

"And stop being silly and use the same password for everything," Flora said.

Also, as usual, enable two-factor authentication on services that provide it, including Gmail. That way those accounts are more secure, even in the event that someone steals your password.

Oh, and don't freak out.

"Ignore the man behind the curtain, keep your PC up to date, use a strong password and a second factor whenever possible," Wisniewski said. "Keep calm and move along."

(Source: Mashable)

Tuesday, September 2, 2014

My Experience with the GIAC GSEC Exam (Part 2)

In the first part of my experience with the GIAC GSEC exam, I promised I would let you all in on how the exam went.  The following is to be my post exam report.

Let’s Get It Started…

So we left off last time with the idea of having practice exams to get a good feel for where you stand in your general knowledge of the topic objectives and having a good detailed index.  Next, we answer the question, how do we even get this exam set up in the first place?  To do this, head over to the SANS webpage, log in to your account, and under Certification Attempts, you’ll be able to schedule your exam at your nearest PearsonVUE testing facility.  Luckily for me, my favorite testing center, ComputerMinds, was able to accommodate me for a morning slot.  The process was really easy in my opinion and wasn’t too difficult to navigate.  The only problem I had with the PearsonVUE page was that I couldn’t schedule the exam on the Saturday I wanted.  I had to settle for a Friday.  I think this had something to do with either it being too far into the future or that it was Labor Day weekend.  I shrugged that issue off and chalked it up to some bad juju.  I was ready to take my exam and looking forward to closing out this journey.

Even the TSA Gets a Pat Down

The morning of my exam arrives and I’m awakened to the hellish sounds of the alarm clock.  I knew I’d be fighting rush hour traffic and awful construction on the way so I tossed down a couple granola bars and started driving to the testing facility.  In my excitement for taking the exam, I may have misjudged my arrival time and showed up two hours early.  Luckily for me, my favorite certification instructor was there and we caught up on lost time.  He eventually had to start his MCSA class and I was stuck in an empty lobby with a cup full of coffee in hopes to keep my mind alert during the upcoming security onslaught.

In no time, the lovely proctor showed up.  She gave me the option to start early as there was an available seat in the time slot an hour before my scheduled exam time.  I thought it over and agreed just as a line of the regularly scheduled testers walked in.  One by one they were escorted into the testing room.  Finally there was only me and someone I’ve never seen there.  I asked what exam he was taking and surprisingly, it was for a TSA exam.  Who knew there was an exam to be a TSA agent?  Anyway, the proctor du jour came back and went through the usual “sign these forms to take the test routine” and went so far as to make him raise his pant legs to make sure there were no “prohibited materials” anywhere on his person.  I had to get my dig in by informing him that we have to get our turn to search ‘em sometime in our lives… might as well be now.  We all had a good laugh and in he went.  Minutes later it was my turn.

He Gets to Take What?!

There I was… in the hot seat and ready to go.  My testing cubicle was a little cramped to fit all the allowed material, but I managed.  Wait! Allowed material? Yes, during the GSEC exam, you are allowed to have any printed material with you.  No electronic funny stuff here.  Just good ol’ paper and ink, or toner if you prefer.  My space was limited so I stacked my books in heaps of three to the right.  So books 1-3 are in one pile, and 4-6 are in another.  I had my index to the left of me.  This pretty well emulated how my practice exam sessions were set up.

I felt sorry for the other testers that opted out of ear plugs.  I always take them whether I need them or not.  It is just far more comfortable that way for me while I test.  I think the woman sitting next to me was a little frustrated even though she did opt in for the ear plug option.  When I hit my 15 minute break and stepped outside to stretch my legs, the proctor informed me that the woman thought I was cheating when she noticed me flipping through my index several times.  The proctor went on telling me that this woman got a bit upset, exclaiming “He gets to take what?!”  With a little bit of distraction, I went back in and continued the exam.

This exam is all about mental endurance.  Even that 15 minute break is not enough to help out with the “attention deficit ‘oh squirrel’” I started getting towards the end.  I had to continue to mention to myself that it will be over soon and to keep alert and focused on the task at hand.  I eventually came down to the last question and saw that I had passed my exam.  I also had a little over an hour and a half left on the clock.

Post-Exam Technicalities 

After I got the joy of knowing I had passed the exam I had been dreading, something very different happened compared to all other certification exams I’ve taken.  Where is my printed score report?  I didn’t really notice this at first.  I was just having a good time with the proctor and gathering up my things from the lockers.  Turning on my phone, I saw I had an email from SANS informing me that my score report is online and I have the option to get my certification framed.  I asked the proctor and she told me that GIAC exams don’t get a printed score report.  I’m glad she knew that so I wouldn’t have to call and raise hell with the GIAC people.  I found this very strange, but it makes sense in this day and age of “going paperless.”

I fell short of the 90% needed to get on the GIAC advisory board.  This was a goal that I kind of wanted to accomplish.  Those that do get the 90% or better get invited to a board with other certified professionals to discuss issues related to GIAC and SANS.

Walking into the Sunset…

And so ends my exam day.  I didn’t ride off into the sunset on a horse (you need 90% or better for that), but I went home feeling good knowing that the next GIAC exam will be better.  It gives me another goal to accomplish in the future.  It was an amazing journey; one that will not be soon forgotten.

Tuesday, August 12, 2014

Biggest Collection of Stolen Login Credentials

A Russian crime ring has amassed a gargantuan database of pilfered login credentials, including 1.2 billion unique username-password combinations and 542 million email addresses, Hold Security of Milwaukee said today. This makes it the largest known collection of stolen credentials to date.

According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.

What's puzzling is that the criminals have not put this goliath database to great use so far. They are not selling the records. They're merely using them to operate a spammer-for-hire service. Nevertheless, the incident underlines the persistent troubles of lax website security, inadequate monitoring, and single-factor authentication.

"At this stage of the game, using passwords for security is simply table stakes," David Rockvam, vice president of product management and marketing communications for Entrust, told us. "In order to truly protect our personal and financial information, second-factor authentication is a necessity."

Some companies "are not being proactive enough about security; therefore, they are ill equipped to detect these types of breaches," said Jay Kaplan, CEO of Synack. "In fact, it's likely that most of them do not even realize how many times they've been compromised, as it's very challenging to track compromises when you do not have a continuous security cycle to test against and prevent these types of attacks."

"Today, we have learned of a huge issue where it seems like billion passwords were stolen overnight," said John Prisco, CEO of Triumfant, "but in reality... crime rings have been stealing information for years. They've just been doing it undetected, because there hasn't been a concerted effort on the part of companies entrusted with this information to protect it. Vendors haven't delivered a truly defensive product until recently. For so many years, we've relied on antivirus, which just doesn't work. Vendors are in a transition period where the most effective products are not yet widely deployed."

Hold Security's researchers do not believe the attackers are politically motivated or have any connection with the Russian government. Russian entities were among the websites compromised.

(Source: DarkReading)

Friday, August 8, 2014

My Experience with the GIAC GSEC Exam

What do you do when you decide to take an IT certification exam? What path are you going to head down first? How long should this endeavor take? What books or video prep classes should you invest in? All these questions go through our minds when we take that first step into the realm of certification. Since everyone learns differently, there is no silver bullet when it comes to taking exams. Anyone who has gone through any sort of exam experience, whether it be a mid-term, SAT, or IT certifications, should by now really understand how they learn the best. What I’m going to give you is my experience and what I did to prepare for the GSEC exam.

Collecting certs is to become a Pokemon Master!

I am the Ultimate Pokemon Collector

My first step was really to decide whether or not the GSEC exam would benefit me in the long run. It may sound silly to even ask this question. But in the world of IT certifications, you must really take into consideration the return on investment. A friend of mine, Ike, and I joked around with the notion of certifications becoming like the characters from Pokemon, “gotta collect them all.” There are so many out there and trying to do this to become the ultimate Pokemon collector is just not feasible, nor financially responsible (even if someone else is paying). I decided that the GSEC exam would be a good ROI for me as I am retooling my skillset from a help desk/system admin role to a security centric role. I have always been interested in aspects of security, but it never really fit into my job description. I figured I should change the job description and this would be a great place to start.

The Doctor Will See You Now

After deciding I’d like to attempt the exam, I researched what the exam is all about. People said it was a good supplement to the CompTIA Security+ exam, which I got when going through Western Governors University. If you are reading this, you may have also read that attending the SANS Security Essentials 401 class is a must. While this is not technically true (you can do a challenge attempt), it is highly recommended. I attended a SANS event in Austin, TX. I chose this one specifically for the fact that the man, myth, and legend, Dr. Eric Cole would be teaching the SEC401 class. Dr. Cole is the creator of the course and definitely knows his stuff. Unfortunately Dr. Cole would not be joining us the length of the class as he was inducted into the Infosecurity Europe Hall of Fame. He did, however, make the flight back from Europe to finish out the class. This dude is dedicated to everything he does. While he was away fighting fatigue by drinking frightening amounts of Red Bull, Keith Palmgren took the reins and guided the class through the SIX BOOKS we received on the first day.


A gallon a day, keeps fatigue at bay.

Yes, for one week, we went through a book a day. I was mentally exhausted by day four. This is where I have to thank my personal sponsors, caffeine and sugar. Those two guys got me through the last couple days. But I digress. You need mental stamina to continue to write down notes and glean gems of information the instructor gives you. The books are excellent material, but the real world stories you are told not only reinforce the book material, but give ideas on what could be implemented at your current job. This is where the SANS events shine. I was able to bundle the OnDemand and get the self-study MP3s. The advice here is the same: Take as many notes as you can. The OnDemand option has a nice feature of small quizzes at the end of each section to reinforce what you learned. If you are doing purely OnDemand, do NOT skip out on lecture and go straight to the quizzes. You WILL miss material and won’t get all the information you need.

So you have gone through a SANS event in person or via vLive, did OnDemand training, or did the self-study option. What now? Read the books. You might not think you’d need to read every word after listening to or watching lectures, but this would really put a hurt on your final outcome. You will find details you missed, but that’s OK; you’re going to find those details. You are now in the midst of the longest part of the process: making the Index.

On Indexing and Losing Your Social Life

You may ask, why in the world do I need an index? Well, the GIAC GSEC exam is open book. Remember back to the first day you took your SANS course? You received a big heavy bag of books that gives a wide range of information ranging from physical security to annual loss expectancy. Each of those books is heavy in information, but unfortunately light on either a table of contents or an index. If you are like the 99% of us who can’t recall what is on page 132 of book 3 in seconds, take a deep breath and realize your social life is on hold until you fix that void in your study plans by making The Index. Just like me, you will find any and every excuse to want to stop making the index. Persevere and you will be rewarded. I promise.

People on forums will tell you that an index that is greater than 50 pages is too much and you learned too little. Others, like me, will tell you that your index needs to be as long as your index needs to be. My initial index is 74 pages long. After taking a practice test, I know I need to add more details (more on this later). Basically what I did was go page by page creating an index of term, book, page number, and detail using an Excel spreadsheet. The following is a rough sample of what I created:

| Term | BK | Page # | Info |
|---|---|---|---|
| %systemroot%\system32\drivers\etc\hosts | 1 | 67 | Location of Hosts file in Windows |
| /etc/hosts | 1 | 57 | Location of hosts file in Linux |
| ACEs | 5 | 91 | Individual permissions in the DACL. |

I had my index spiral bound for added geek cred.

The index needs to be detailed. The information cells I’ve included here do not match exactly what I have in my index since I don’t want to deal with copyright issues with SANS. But the more information you put here, the less time you’ll spend flipping through your book, skimming the paragraph, and finding your answer if you’ve forgotten some fact or just want to double check your answer. List a term, put in the book number, page number, and the definition word for word in the detail/info section. This is time consuming but will pay off come test time. Another bit of advice here is to not make your entries too long. Break up your entries into smaller portions. For example, I have three rows for HIDS alone, then one row each for HIDS – Advantages, HIDS – Challenges, and HIDS – Developments.

Commands were color coded depending on OS.

Another tip you may want to incorporate is to have a separate section in your index for just commands, tools, and misc/bonus material. My index includes five sections: The SANS SEC401 Books 1-6, Commands Index, Tools Index, Bonus Material, and Glossary of Terms/Acronyms. I chose to include the glossary even though it is in the back of book six for the fact that I do not want to be flipping books too much during the test. Each of these sections is divided off with labeled tabs for easy acquisition. The commands and tools are in the same format as the book index; four columns, term, book, page, and info. The bonus materials include the SANS TCP/IP and tcpdump reference guide, two styles of subnetting charts, and an IPv6 reference guide. Update: The price for having this index spiral bound at a professional store made me rethink the glossary. That section has been replaced with the Bonus Material section being broken down into subnetting reference and the tcpdump guide.

Indexed and Ready… Right?

Hold on there cowboy (or girl). The index is finally complete. Take a day or two to recompose yourself. In other words, bathe. Before you go off to your testing facility, remember that SANS gives you two practice exams to try out before you attempt the actual exam. Some of the SANS instructors tell you to take one of those practice exams soon after the class or self-study is finished. I knew before attending the SANS event in Austin, I wanted to use my first practice exam to refine my index, so I did not take this advice. I don’t really think this would hurt me in any way. But I don’t have any numbers of my own to back up this claim. I took the first practice exam to see how my rough draft version of my index would help me out. I got my results back and at 80% I got my answer as to how to proceed with the index. Two things were clear from this result: 1) Read the question and understand what it is asking. I had multiple questions where it asked for the false statement where I picked the true statement instead (I probably missed 6-8% because of this). 2) There were a few tools and commands out of place in the index and some terms I need to keep my eye out for during my second read through the books.

I will be taking my exam in a few weeks and will let you know how everything goes. Until then, it will be many sleepless nights. Updates will follow once this journey is complete.

Thursday, August 7, 2014

Raspberry Pi Powered by the Sun!

In The Beginning…

Ever since the Raspberry Pi came out, I was entranced by the coolness factor of having a small pocket sized computer that cost just north of thirty bucks. Hats off to those devoted for making this project a reality and launching it to the world. The only problem for me at the time of the Pi launch was the fact that I lived in a Windows world, and to an extent, still do. I had no rad Linux skills. No formal or informal training. I got my hands on an installation disc of Mandrake way back in the day when I did call center tech support. The only way to get that geek cred in that place was to show you knew your stuff. I took that disc, spun it up in my 32x CD-ROM drive, wiped my Windows partition (you know, cause this open source stuff comes at a college student budget), and stepped through the install. After it was all said and done, Windows was back as soon as it had gone. FAIL. I had similar experiences with Red Hat and Ubuntu, but I did manage to get wireless working on the former, but it was too much of a pain to deal with when it was so easy to make it all work in Windows.

Flash forward to today. I’m still in my Windows world due to the place I work, but much more comfortable with Linux and even got my LPIC-1 certification. I’ve had my Raspberry Pi which was used to study for the aforementioned cert and has since been sitting in a lonely dark drawer next to a twice used wicked looking webcam I got from WGU. This dark and dreary future was not what I had envisioned for the poor Pi. There are so many cool projects out there and one that caught my eye was from a guy who had a web server running off a Raspberry Pi that was powered by the sun and 4 AA rechargeable batteries. How cool does that sound?! I put this on my list of things I must do. After about a year or so I finally decided to shed some light on this project (did you see what I did there?).

Let’s Get To Work

To kick this thing off, I went back to that old project page and got some information on power consumption of the Pi. Knowing I’m going to run this headless, that would save on the load drawing from the battery if I had attached some sort of touch screen. I tried to figure out the math behind how long it would run on a full charge before shutting down and going to bed which led me to ask, what battery pack should I use? The original idea had AA batteries which fit the project scope, but I wandered over to my favorite maker’s page, adafruit.com. Searching the shop, I was happily greeted with my power answer and a plethora of parts and/or kits for everything Raspberry Pi. The parts I finally opted for are as follows:

· Medium Solar Panel (6V, 2W) https://www.adafruit.com/products/200
· USB / DC / Solar Lithium Ion/Polymer charger https://www.adafruit.com/products/390
· Lithium Ion Battery Pack - 3.7V 4400mAh https://www.adafruit.com/products/354
· Male DC Power adapter - 2.1mm plug to screw terminal block https://www.adafruit.com/products/369
· PowerBoost 500 Basic - 5V USB Boost @ 500mA from 1.8V+ https://www.adafruit.com/products/1903
· 2 x JST 2-pin cable http://www.adafruit.com/products/261
· Large Plastic Project Enclosure - Weatherproof with Clear Top http://www.adafruit.com/products/905
· Waterproof Metal On/Off Switch with Red LED Ring http://www.adafruit.com/products/916

[Photo: PowerBoost 500 Basic with USB connector soldered on.]

When the box showed up safe and sound, I was set. The USB Solar charger had to have the included capacitor soldered on to the PCB, the PowerBoost also needed the USB A jack to be soldered on. This was pretty easy and really one of my first soldering attempts at putting components onto a PCB (The only other things I’ve soldered were Deans connectors onto batteries).

[Photo: USB/DC/Solar LiIon/LiPo charger with capacitor soldered on.]

Next, the battery had to have the JST cable soldered on. I left them long just in case I needed the extra length when fitting this all inside the enclosure. The last soldering to be done was to solder the two remaining JST cables together for the link between the charger and the PowerBoost. I did not show the soldering steps because if I can do it, you can too. Believe me. Finally the solar panel came with a plug that would not fit the USB charger. Easy fix was to nip the tip and add the 2.1mm plug.

That’s Great, But Does It Work?

[Photo: Testing the PowerBoost 500 with the battery.]

When a coding project gets near completion, I start looking at the components and wondering “how did I break this part?” The same holds true for this one. The PowerBoost and the charger, where I had to actually solder components to the PCB, were my biggest concern. Batteries I’ve done, but this seemed to be a more delicate operation. This is the point where I start testing the theoretically completed parts. So I plugged the battery into the PowerBoost and was delighted to see the green power LED light up. Does it power on the Pi? After plugging in the USB cable to both the PowerBoost and the Pi, the little pocket computer powered on. Success!

Ok, so that’s one part down. What about the solar panel and charger? Taking the solar panel, battery, and charger outside, I connected it all together. Again the LEDs that indicate charging came to life! Success x 2! It may seem pretty basic to a lot of you out there, but it’s small things like this that amaze me. Also, keep in mind I am the son of someone who has taken electrical engineering classes, yet still stuck his finger in a light socket to see if the power was still on.

Putting it all together with all components working should yield a working solar powered Raspberry Pi, right? I’m usually cynical when it comes to situations like these and usually expect the worst, so I won’t be disappointed when that outcome happens. But today, things just clicked. Moments like this put a big smile on my face. The Cynicism Demon was slayed. Now to the next part of this project. Getting the Pi to run headless.

Prep the Pi

Since I used this Raspberry Pi to use as study for the LPIC-1 exam, a lot of the work was already done. But that was so long ago and it needed an update. More requirements popped up such as static IP address on the wlan0 interface and remote desktop. I also ran into the problem of having forgotten my user pi password since it was set up so long ago and so quickly neglected, thrown into a locked drawer, and forgotten about. But times change, things are brought out back into the light. Used for new purposes. First things first, get wireless working.

For the Wi-Fi adapter, I had a very tiny Wi-Fi USB adapter from Edimax (EW-7811Un) being used in a security lab I set up earlier this year. When I got this adapter, I envisioned using it for the Pi, so the lab will suffer a little bit but these are so cheap on Amazon, I’ll be grabbing another soon. Setting up Wi-Fi was a little more difficult since I didn’t have a mouse to click on things (one USB for the Edimax and the other for a keyboard).

These are the steps I took to get Wi-Fi working on my network:
1) Plug in the Edimax
2) Power on the Raspberry Pi
3) Ctrl+Esc and run wpa_gui.
4) Tab through to the Manage Networks tab and fill in the blanks for SSID, Authentication, Encryption, and PSK.
5) Tab to the Current Status tab and try to Connect. I had to reboot my Pi before it would connect to my access point.
6) Upon connection, you’ll see the IP address populate on the Current Status tab.

Once I got connected to the access point and was able to successfully ping outside of the network it was time for updates. A quick apt-get command and everything was all set. So static IP shouldn’t be too hard, right? I spent about thirty minutes to an hour fighting with having the wlan0 interface retaining a static IP. Here are the steps I took to resolve this:

1) Bring up LXTerminal
2) Type: sudo nano /etc/network/interfaces
3) Change the line “iface wlan0 inet dhcp” to read “iface wlan0 inet manual”
4) Change the line “iface default inet dhcp” to read “iface default inet static”
5) Add these lines after the above line: “address 192.168.xxx.xxx” “netmask 255.255.255.0” and “gateway 192.168.xxx.xxx” where xxx is your subnet and host octets.

I also checked wpa_supplicant.conf to make sure it all looked fine (and it did) by using the following command:

                sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

This shows SSID, PSK, encryption type, etc. Basically everything you see in wpa_gui. I changed nothing in here. Now, the above solution is a little weird. Why not just set wlan0 to static? At first I did and got nowhere fast. The only thing I could ping was the loopback interface and my static IP address. Couldn’t ping the gateway IP although I did specify it. The above solution was the only thing I could come up with and make work after rebooting a few times to make sure it auto connects.
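
The file opened above keeps each network's SSID, key and encryption settings in `network={...}` blocks. As an added example that is not part of the original post, this script flags blocks that use open, WEP or WPA1/TKIP-only settings or keep the passphrase in clear text, and checks that the file is not readable by group or others. The sample networks are constructed and the function names are hypothetical.

```shell
# Added example (not from the original post): flag weak Wi-Fi settings in a
# wpa_supplicant.conf-style file. The sample below is constructed.
sample_conf() {
cat <<'EOF'
network={
    ssid="HomeAP"
    psk="correct horse battery"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
}
network={
    ssid="OldRouter"
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
}
network={
    ssid="CoffeeShop"
    key_mgmt=NONE
}
EOF
}

# audit_wpa_conf FILE: print "ssid: finding" for every weak setting found.
audit_wpa_conf() {
    awk '
    function has(list, want,    n, i, t) {    # is token "want" in list?
        n = split(list, t, " ")
        for (i = 1; i <= n; i++) if (t[i] == want) return 1
        return 0
    }
    /^[ \t]*network[ \t]*=[ \t]*[{]/ {        # block start: reset state
        inblk = 1; ssid = "?"; km = proto = pw = psk = wep = ""; next
    }
    inblk && /^[ \t]*[}]/ {                   # block end: judge what was seen
        if (has(km, "NONE"))
            print ssid ": " (wep != "" ? "static WEP key" : "open network, no encryption")
        if (proto != "" && !has(proto, "RSN") && !has(proto, "WPA2"))
            print ssid ": WPA1 only (proto=" proto ")"
        if (pw != "" && !has(pw, "CCMP")) print ssid ": TKIP only (pairwise=" pw ")"
        if (psk ~ /^"/) print ssid ": passphrase stored in clear text"
        inblk = 0; next
    }
    inblk {                                   # key=value line inside a block
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "="); if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        if (key == "ssid") { gsub(/^"|"$/, "", val); ssid = val }
        else if (key == "key_mgmt") km = val
        else if (key == "proto") proto = val
        else if (key == "pairwise") pw = val
        else if (key == "psk") psk = val
        else if (key == "wep_key0") wep = val
    }' "$1"
}
# conf_private FILE: succeed only if neither group nor others can read FILE.
conf_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_wpa_conf "$tmp"
conf_private "$tmp" || echo "$tmp: readable by group or others"
rm -f "$tmp"
```

On the Pi, point both functions at /etc/wpa_supplicant/wpa_supplicant.conf (reading it needs sudo). `wpa_passphrase` prints a network block with the derived 64-hex-digit `psk=` value; delete the commented passphrase line it also prints.
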
At this point, static IP and wireless are working. Just need to make remote desktop work. For this project, I do not need to access the Raspberry Pi desktop from outside of my network. For this feature you may press your luck with Google. Also, this is for connecting from a Windows based laptop to the Pi. I’m using xrdp for my remote desktop solution. I had already installed this feature when studying for the LPIC-1 exam, but here are the steps to install it:

1) Bring up LXTerminal.
2) Type: “sudo apt-get install xrdp”
3) If it asks for your password, please feed the pi the password.
4) This should begin installing your software for remote desktop, xrdp.
5) Restart the Pi. This should get the Remote Desktop Protocol server running.
6) You can verify this when the Pi boots up by finding the line: [OK] Starting Remote Desktop Protocol server : xrdp sesman. My Pi boots directly to the desktop so I have to be quick to find this line when it boots. If yours boots to command line, you’ll be able to easily find this line.

Great! RDP is up and running on the Raspberry Pi! Let’s jump back to the Windows world for a second.
1) On the Windows laptop, bring up Remote Desktop Connection and enter in the static IP address we gave the Pi and hit Connect. You may get a security warning, hit OK since we know you got a nice safe Pi.
2) You’ll be presented an XRDP login prompt showing Module, Username, and Password. Leave the module defaulted to sesman-Xvnc and type in your username and password (the default username is “pi” and the default password is “raspberry”).
3) Click OK and peer through the Windows to the world of Pi.

Now, I had trouble on this part of the process because I didn’t remember the password I set for the user “pi” so long ago. There are a couple options to fix this:

1) From an LXTerminal window, use the “sudo raspi-config” command to run the starting config and change the password that way.
2) From an LXTerminal window, use the “sudo passwd” command.

I used option 1 which was quick and simple.

That’s about it for prepping the Pi. I haven’t really come up with what I want to do with the Pi. Should it be a web server, ftp server, etc.? or should it be used for a surveillance machine, like Ike created. Or should it be used for weather reports? Time will answer that question. But to finish out the build, we need to look at fitting all this stuff in a box.

What’s In the Box?!

[Photo: So many drawn diagrams. So much planning.]

I’ve spent a few days looking at how to put all these parts in the box. I took measurements of the components with calipers. First observation was pretty obvious: All components including the Pi cannot remain on the same plane. That means shelves. The box has two M4 bosses that will work as a starting point for creating two shelves within the box. Bottom shelf will house the battery, charger, and PowerBoost. Top shelf will house the Pi. According to the tech specs on adafruit.com, this box has an internal height of 70mm. So there is the first constraint I had to deal with. How should I lay the planes in the box? I went with a 3.5”x6.5” plane for both top and bottom. These measurements gave me just enough room to fit the middle 90mm x 167mm space in the box. I drew out a few diagrams, namely, top down view of the inside of the box, a side view with components for vertical spacing, and one top down view of the shelves for placement of the components. Laying out the components was not too difficult when drawn out on paper (yeah, I guess I’m old school. No CAD here). Getting stand offs for this project proved a bit of a challenge. I had some of those jack screws you’d find on the back of a pc or laptop on either side of the video connection to support the video cable and some screws from the inside of a laptop. These screws seemed to fit but wouldn’t go all the way into the jack screw. I threw that idea away and found some nylon stand offs but would take about twenty days to get to my door step. In the end I used 2-56x3/4 nylon screws, #2 .032”thick washers, 2-56 nylon lock nuts and ¼” #4 nylon spacers to act as a makeshift standoff. Putting all these together, they fit well and snug on the small circuit boards.

Next order of business was obtaining the material for the shelves. I went to the local hardware store and got a sheet of Lexan cut to the above dimensions. Fit perfectly in the box. Next was to place the PowerBoost and the LiPo charger to know where to drill holes. All the places were marked on the Lexan and the drilling began. This was my first time drilling into polycarbonate. I read a lot on how to drill this stuff so it would not crack. Everyone agreed to clamp the Lexan to wood and drill with a drill press. I was not able to get my hands on a drill press, so I was careful to be as vertical as possible with my trusty drill. Lessons learned on the test pieces of Lexan showed that slow and steady wins the race here. On to the actual pieces. They turned out perfect. The circuit boards were screwed in place with the nylon screws, spacers, and nuts. As they say, measure twice, cut once. This was very true here. So the first shelf is done, on to the second shelf. Only three holes needed to be cut for this one: two for the bolts to hold up the shelf and one for the capacitor on the charger.

[Photo: PowerBoost, Charger, and Battery all laid out in the enclosure.]

If that last hole was not made, the Pi would not be able to fit inside the box. Taking measurements of the capacitor, I marked the location where that hole would be drilled. However, something occurred to me. The capacitor is not perfectly vertical. So I made the hole, but used a dremel to widen the area where the Lexan and the capacitor kept touching. Easy fix, but that made the top shelf look a little janky. No one will see it since the piece will be covered anyway.

Another step that doesn’t really need to be documented but you’ll notice in the photos, I used a dremel to cut off the top of the bolts that are used for supporting the Lexan shelves. This was done so I could work with the shelves a little easier and just set them into the box instead of putting the shelves on the bolts and screwing everything into place. I’m going to cap them with locking nuts to prevent any sharp edges and make it look a little more finished.

Everything at this point was looking great, but another thing popped into my head. If I continue on with the plan I had in mind, I would have to take the box apart to turn off the Pi. I need a power switch I can easily have access to. Back to my layout drawing. I saw the space I needed for a switch. Again, Adafruit.com to the rescue. I ordered the on/off switch listed above in the parts list. This switch did not come pre-wired. This was a good thing for me. That means I get a bonus for learning how to wire up the switch. Again, I took measurements to get the vertical and horizontal placement correct on the side of the box. I required a 16mm hole drilled into the side of this box, but living in an imperial world, I wasn’t able to source a 16mm drill bit, so I went with a 5/8” bit and milled out the extra .1mm. No big deal, and the hole looked pretty clean.

[Photo: Testing the external power button. The LED makes it look good!]

I quickly learned how to wire up the switch so the LED would turn on when the button is depressed and off when not switched on. Back when I was soldering all those wires together, I had enough length in the wires for the job. Question now is, can I still use the same wires or do I need to get a few more inches of wire. Lucky for me, there was just enough wire after cutting the cable apart from the original plan. I decided to wire up the cable between the charger and the PowerBoost instead of wiring up the battery directly. I went this route in case I have to change out my battery in the future, this could be done with little or no effort. The wiring for the switch goes as follows: positive wire from the charger goes to the Common terminal, then a small jumper wire goes from the Normally-Open terminal to the Positive terminal, then from the Positive terminal, to the PowerBoost, then the negative wire comes out of the PowerBoost to the Negative terminal on the switch, and then from the Negative terminal to the charger. This wiring scheme allows the LED to light up when the push button is in the on position and off while in the off position.

Quickly, I hooked up all the cables to the appropriate jacks, screwed the shelves in place, and used some double sided tape to keep the battery in place and also to keep the Pi case from being knocked around on the top shelf. Screwed the top cover in place and voila, a solar powered Raspberry Pi computer!

Praise the Sun!



At this point, I am feeling really good about this project. How amazing is it when you learn new skills and overcome challenges. I learned a lot in regards to planning for a project of this scale, making a soldering job look nice, how a switch is wired up, and more. I haven’t done any long term testing as to how long the Pi will run into the night when only running on battery. However, I find it amazing that this pocket computer can inspire so many people to come up with bright ideas and make them a tangible item. Some of the notable pages that helped me complete this project are as follows:

· How to make a Raspberry Pi solar-powered FTP server
· Adafruit.com
· Ike the Network Guy
· Raspberry Pi Forums

Final product. One solar powered Raspberry Pi!

Finally, for all you Sun Bro’s out there, Praise the Sun!