Friday, November 20, 2015

Beneath The Surface

In my last post I talked a little about how I'd become more open to options and about my reservations over re-applying Windows to my Surface Pro 3; this is the follow-up.

Obviously this isn't a default install, and most of the concerns weren't because of issues with Windows - eventually I got Win 8.1 Enterprise back in there, dual booting with Ubuntu. There were a couple of minor hitches, resolved with a bcdedit command to force Windows to use the Grub2 loader after a file copy from the old Ubuntu boot partition to the newly-screwed Windows boot partition.
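For the record, the two pieces the paragraph above glosses over, as an added example rather than the post's own commands: a GRUB 2 menu entry that chainloads the Windows Boot Manager from the EFI System Partition, and the bcdedit command that points the firmware's Windows boot entry back at GRUB. The ESP UUID is a placeholder, and whether the loader is grubx64.efi or shimx64.efi depends on whether Secure Boot is enabled.

```sh
# Appended to /etc/grub.d/40_custom, followed by `sudo update-grub`.
# Chainloads the Windows Boot Manager from the EFI System Partition (ESP).
# <ESP-UUID> is a placeholder: take the real value from `sudo blkid`.
menuentry "Windows 8.1 (chainload from ESP)" {
    insmod part_gpt
    insmod fat
    insmod chain
    search --no-floppy --fs-uuid --set=root <ESP-UUID>
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}

# From an elevated command prompt inside Windows, once it boots:
# make the firmware's "Windows Boot Manager" entry load GRUB instead,
# so a Windows repair or update that rewrites that entry still lands in GRUB.
# Use \EFI\ubuntu\shimx64.efi instead if Secure Boot is enabled.
#   bcdedit /set {bootmgr} path \EFI\ubuntu\grubx64.efi
```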

I still have to register the loaders in the Secure Boot key database, as David Elner describes well (just be aware that his guide covers an older version of Ubuntu, and I could not get the kernel re-compile to work), but otherwise it's all OK.

However I thought I'd share some issues I have with SP3 and why I'm not likely to buy an SP4. For reference the PCs involved are:
  • Surface Pro 1 128GB 4GB i5
  • Surface Pro 3 512GB 8GB i7

Firstly the OS.... Windows 10 locked me out and I had no downgrade option other than a manual re-install. Something went horribly wrong after I got my replacement SP3: for some as yet unknown reason the Win10 Software Protection service started failing after I installed Office 2013 Pro. The knock-on effect was that I couldn't use Office, I couldn't use a lot of the things that change the system (Add / Remove Programs, anything that writes changes to the registry, etc.), none of the safe boot options would appear, and I couldn't do a refresh or a factory reset either.

I didn't have any choice about Windows 10 - that was what was installed on the replacement unit.

Support simply suggested I return it to the shop, and as I'd already burned two weeks for the replacement unit after a screen failure, then another week or so (evenings only) actually re-deploying all the 'stuff' on it, I didn't think the extra effort was worth the pain. After a bit of thought I then realised now would be the perfect time to dual boot it and have a workaround for some of the issues with Windows in general. Not much to lose at that stage.

Of course now I have screen flickering issues on the unit - it seems to be some sort of physical connection issue, because when I squeeze the screen in a particular place and wait an undetermined amount of time it sorts itself out. Often, though, I'm not sure whether the whole thing hasn't just hung, and I do a hard reset. It's not a driver or software issue: only physical intervention (pressing and squeezing the unit until the screen springs back into life) fixes it, which is not a driver fault or brightness management, and I just don't have time to send it back for another replacement, rebuild and re-deploy, only to find out later that the same problem might exist.

A very embarrassing problem for a touch screen device.

The pen....the pen....What a brilliant concept yet how did they screw it up so badly? It feels like a real pen, the buttons on the side are fantastic and I no longer need a mouse....just the pen and my fingers. But then all by itself it decides that it needs a rest and goes to sleep. I've tried battery replacements, holding down buttons to try and wake it up and even whacking it over a solid surface (which seems to work most often) and nothing seems to help. Of course if you try and disable power management via Windows you get a BSOD. Nice. And I'm far from alone on this one.

Windows 10 lost its way and I struggled to get it to flow as Windows 8.1 does. 10 tries to keep the desktoptards from Windows Vista *spits* and 7 happy whilst showing promise to touch-screen owners. Sometimes I think the desktoptards were the only voices complaining about 8.1 and not enough people extolled its virtues. So now I have 8.1 Enterprise until end-of-life, or until Windows 10 Enterprise catches up, so I can access OneNote during meetings and sync my OneDrive repositories. Windows also seems to be the only way to get firmware updates for Surface, so it gets a small section of the SSD to park itself. I have too many reservations about the way Microsoft is approaching some aspects of security (such as the changes to BitLocker in 8). I'm not trying to outrun any governments, but if someone nicks my SP3 I want to be fairly sure they won't get my data in their lifetimes. Of course dual booting means BitLocker won't encrypt the system drive like LUKS will, so only the OS and some program files are on the open system partition; the rest is on encrypted partitions.

Ubuntu is OK too - but the touch screen integration is extremely basic and there are no handwriting tools that are anywhere near good enough. The pen buttons just don't do anything at all, and no matter what I try I can't get the kernel re-compile to work. With Wily Werewolf the battery indicator suddenly appeared, and that was a big step forward - I've also discovered that touch screen scroll & zoom does work in specific applications. At the moment I'm struggling to get routes working under OpenVPN configurations that work fine under Windows, so I tend to use Windows for comms and browsing in situations where VPN is a requirement. I will fix the problem, but I need to understand it first.

I've also noticed that Network Manager sometimes refuses to use the right password for WiFi networks, resolved only by a MAC address change and an ifdown/ifup on the network adapters. That seems a little shoddy to me. Evolution is a pretty good mail app and I'm not really missing Outlook that much, so it's evens on that front, and with LibreOffice too - there are some issues with .XLSM and the occasional corruption-and-loss of .XLSX, which is beginning to get on my nerves. Ubuntu seems OK, but the pen buttons don't work and I tend to end up using a mouse - the horror! - due to that and the SP3 pen sleepy-time issues.

In short - neither platform is doing a great job at the moment but each has its own strengths.

I'm not going for an SP4 because - as much as I've loved the Surface experience - Surface Book means I can have my cake and eat it. It's more powerful than the overpriced Macintosh (I'd only be replacing OS X with a Win & Linux dual boot anyway) and I get the clipboard & pen with OneNote and Visio, which I can't be without in meetings and team updates.

Of course that is assuming they fix the current complaints and I see some indication that the pen behaviour has improved. My Surface Pro 1 is still going strong and I don't mind Windows 10 on there because I don't use it much. The rest of the family don't seem to mind it when they want to use Kodi or play some Xbox games and everyone's forgotten about the Nexus 7 completely.

Saturday, November 07, 2015

Wǒ hěn hǎo, xièxie (I'm fine, thanks)

Some time ago I had a peek into The Other Side and didn't take it any further - maybe that's because I didn't have a purpose or reason to progress, so I didn't. It just came across as a hobbyist's environment with a community of snobs driving progress.

Wind the clocks forward another year or more and the landscape is vastly different. I've moved on to learning about network security and information management, and have trained myself to think like a black hat (a good defensive strategy). I'm working on some exams that will give me the foundation to absorb that within my work as an architect too, and because of the nature of this research I've been working on Linux.

There are some aspects of Windows (e.g. restrictions on packet injection / tampering) that the Linux community seems to lambaste Microsoft for. To me - as a noob at least - it looks like this is by design, for commercial reasons. Whatever the reason, it just isn't feasible to do a lot of this research on Windows.

So I created VMs through Hyper-V and researched distributions and their capabilities, settling on Debian as my initial preference. It's used as a basis for a number of other flavours, including Kali, Raspbian and Ubuntu. KDE is nice and the apt system makes sense to me at this stage.

But then, of course, you start discovering limitations in the virtualised environments, leading to one conclusion: you need to deploy to hardware to gain direct interaction with that hardware (and to mitigate problems with networking especially). I started beefing up my knowledge of networking stacks and how to analyse network traffic, creating sandbox WiFi networks on my test router and trying to see how to break them / break into them. I found that Kali was a great place to look at this, as it contained all the tools and was designed to run out of the box, so I stuck with that on a Pi B+ for a while.

After a while I was using Archimate to design the domains of our house network and started building a HIDS and IDPS, then a DNS server, then spent a bit of cash at ModMyPi getting all the bits I needed. I set up high-grade SSH keys and improved security - I may add a VPN server in the DMZ at some point too. I've got DD-WRT on the inner router and a custom network set-up which provides additional protection for everyone in the house.

My ATX mid-tower was replaced and needed a new use: stick a PiRack in there and all the cables.

I suddenly realised I'd become one of the hobbyists I'd turned my nose up at years ago. Now our house provides media services so the kids can fire up a film of their choice on any Surface or Xbox, iPhone or Windows Phone. We have network protection running in the background, emailing me when it detects or fixes a problem. The kids came up with the idea of an underwater camera so they can see the fish even when they hide (yet to be designed and built). None of this involves a Windows server.

Of course I've made significant progress in my learning and research - the next pot of which will be a short study on effective WiFi passwords vs. advice from the pub - but as a by-product I've gotten far more technical than I'd expected; you end up finding things to investigate that you'd never considered before, and research topics or techniques far from the original purpose.

For example, I've moved my trust away from BitLocker and am testing alternatives, using local accounts for BAU and my Microsoft accounts for connected services (such as OneDrive and XBox). It's not about tin-foil hats, the X-Files or any part of government; it's just a simple case of protecting your assets against criminals or other similar attackers.

I went with Ubuntu because it is Debian-based and it seems to have the most support for the things that Surface Pro needs. If Debian covered a lot of it I'd have just gone straight there. I don't like the whole Amazon / internet integration in Unity; the volume buttons don't work; the SP pen buttons don't work; sometimes the left-mouse / pen touch / finger touch just stops responding at random. There are too many suggestions out there on the forums that don't explain what each suggested command actually does (do people just copy and paste these suggestions without understanding the implications first?).

Today is the first time I've used Windows in a week - I love Windows 8.1, especially on Surface Pro. It's beautifully designed, easy to use, makes the switch between keyboard-oriented and tablet use seamlessly, and OneNote / OneDrive / Office is pure brilliance in design and productivity. LibreOffice and Evolution do Office well, but the UX is far clunkier. There is no OneNote outside of Windows and I miss the right-click pen button (I only use a mouse on Ubuntu for apps that use context menus a lot). Office 365 means I get proper PowerPoint instead of the terrible LibreOffice Impress. There's no Visio equivalent, though I'm learning to use Camunda Modeler and Archimate instead. I can operate on client site without Windows now, though.

For me Windows 10 is a disaster as it stands. They've ruined OneDrive (where is "Available Off-line Only" for files?), although they are promising to rectify the situation, and I think they've been led by too many Windows XP-ers in their UI-design-by-community instead of holding their ground and pushing 8.1 on to the next level. Continuum is awesome though - the new W10/Xbox dash is great (game streaming is by far the best add-on here), W10 Phone looks superb and I hope they iron out the creases on W10. None of the privacy issues bothered me, because you can turn off the telemetry services and disable the data sharing, but the OS itself just doesn't feel as coherent or as well thought out as 8.1 on my SP3 or Windows Phone 8.1 on my Lumia.

I'm now in a position where I've had to remove Windows 10 from my replacement Surface Pro 3, as the software licensing service locked the whole machine out (Access Denied), despite this being the default build as supplied by Microsoft. USB boot won't work even after changing the UEFI settings to enable it - I suspect something to do with the Win10 installation - but I've now copied the 8.1 Enterprise installer to a new partition on the SP3 SSD and hacked the Grub2 bootloader to give me the option to boot from it, and I'm going to get Windows dual booting on it for OneNote and firmware upgrades. Encrypted SD and data partitions allow sharing between OSes, and decent OpSec can ensure Windows only knows how to access one of those for transfer.

Phew. If you'd suggested any of that to me a year ago my eyes would have glazed over and I would probably have just sent the device back to the manufacturer.

But the thing is, I'm still afraid to install Win8.1 in case it fudges up all the work done installing and configuring Ubuntu. I know Windows will install its own boot-loader (I've modified the same on my desktop to add back the Ubuntu option, enabling dual boot again). I like Ubuntu, Raspbian and Debian - I also like the Windows ecosystem, and the journey is never over, but I'm reaching the point where I have enough foundation to build on for the security architecture courses. In order to design an architecture or provide solid options for businesses I still feel it's beneficial to understand the inner workings.

It's good to be bilingual between Windows and Linux and none of this has been as difficult as learning Mandarin (as I originally thought it might be). It just sounded more tricky to get started than it was.