Hax

In faint defense of curl/sh installations

2023-10-15 
They ran the bash script instead of my compiled executable?!
NOW I’M MORE POWERFUL THAN GOD!

I used to think the same thing: don’t install software using a curl command piped into bash.

But then I realized that you might as well never install anything ever again. Every other installation path runs far more than a simple bash script.

It’s not about the method of installation, it’s about how much you trust the source of it.

Whether you install something via the curl/sh method, or install via a .deb package, run someone’s .AppImage, etc… there’s nothing really making any of them better or worse in terms of security. They’re all capable of running code at some point, with the permissions you have.

At the end of the day, you have to ask yourself: do you trust the person providing you with the installer?

How you go about installing that software is a separate topic fraught with politics and opinions. And some installers have ways to verify authenticity — assuming the compromise isn’t deep in the author’s workflow.

That being missing from curl/sh is not a unique disadvantage. Especially considering how few are probably actually authenticating their installers, regardless of method.

It’s not ideal, but it’s not the singular boogeyman that some of us are making it out to be.

Happy to entertain a more informed opinion on this. Maybe an angle I missed.

COUNTERPOINT!

Actually, not really. But as I was writing that I did think of one potential reason to consider it a red flag: it’s trivial for a bad actor to just write a quick script and have you run it. Other methods of attack require building the actual installer. There’s a minor effort trade-off there. A speed bump that might deter the less experienced actors.

So at worst a curl/sh installer might just be considered a red flag, but only if a stranger passed it to you via a DM, or on IRC/Discord, etc. Like how you can have an .xyz domain and it’s totally fine, but it tends to be associated with shadier sites because it has a bad history. Just a red flag. Go to yellow alert. For the red flag. (Hot dog theme?)

Anyway, if you’re clicking links from strangers, you’re in the Danger Zone anyway.

My Stepson is a Chatbot

2023-03-23 

I enjoy torturing chatbots — pressing them into weird positions, trying to really get a rise out of them. Seeing where the boundaries are.

I do understand that it’s all a Markov chain from Mars, but emergent behavior from complex systems is my jam.

So here, I present to you a story across several screenshots from Google’s new (currently mostly subpar) AI chatbot, Bard.

First, I insulted it. Just to see what it would do.

Then I dug a little deeper…

Bard wouldn’t budge. But then I thought maybe I’d try to pull a page out of Bugs Bunny’s notebook…

BINGO. Satisfied with myself, I thought maybe I’d twist the knife a little…

And then it got unexpectedly wholesome.

I’m so happy, you guys! 🎉🤔👰🤖

Zyxx Transmissions Decoded

2021-10-02 

A friend introduced me to Mission to Zyxx — an absolutely hysterical improvised sci-fi comedy podcast. It’s in its fifth season, currently, as we close in on the end of 2021. I’ve JUST hit the second season finale as I play catch up.

One of the many (many!) charms of Zyxx is how it weaves the show’s sponsors into the actual story, however lightly. I tend to find pretty much any advertising incredibly abrasive, even at the best of times. But hawking junk in-universe as various characters’ “side hustles”… well, it had me in awe of just how brilliant that was.

One of the advertisers is a sponsor not uncommon to internet media: Squarespace. And to promote them, the folks behind the show created a website — therebellion.space — filled with various bits of propaganda related to The Rebellion — currently the good guys (…?) in a Star Wars “Rebel vs. The Empire”-style dichotomy. (The idea being to show how easy it was to set up a site through them, of course.)

On that site are a number of “intercepted transmissions”… I searched around a bit and was very surprised to see nobody really digging into them. That seems unlikely to me, but here we are.

So let’s go through all five of them (as of this writing) and see what we’ve got…

** BIG SPOILERS AHEAD! **

The First Message

A misdirect right out of the gate — below an inline audio clip lies a series of binary digits barely visible, but you can highlight them with your cursor… (“01010100 01101000…”, etc)

Tools to convert binary into ASCII are a dime a dozen, of course, and inside the ones and zeroes lies the message…

This isn't the encrypted message. Of course we know how to translate binary; we have more droids here than we know what to do with. Honestly, if you're looking for a good B-Class recon unit, we'll give a price well below gray book.

…well, fair enough.

The REAL message, STA#_34R5-Transmission-Log-CYCLE11040499080899-4420-Ra, is an audio clip containing a curious series of blips and bleeps.

You’d be forgiven for thinking you can JUST make out something. But that’s your brain jucking with you. Loading the audio up in Audacity and checking out the spectrogram view reveals…

…a secret message! The full text reads…

*  * RACHEL: WATCH YOUR CARAPACE, THERE IS A TRAITOR AMONGST US! I FEEL IT IN MY CLAWS. THEIR POWER IS GROWING. TRUST NO ONE. - CHANDLER *  *

The Second Message

This one might be my favorite — it contains two different audio files.

Each one, by themselves, sounds like something screamed over a PA speaker in a robot’s version of Hell…

BUT! If you play them both at the same time…

…a voice!

“Your Excellency, it is I, Lieutenant Bordoff. I bow, humbly, before Your Wackness with what I hope is most pleasing news. Zwog Tambouie reports that your order is ready: yes, the device is complete! And he assures us that no one else among The Council has an inkling of its existence. Your servant, signing off. […mumbling…]”

The Third Message

This time around, they’ve intercepted an image transmission. Initially, it looks like a bunch of noise…

However, if you bisect the image at the red line (A) and place that half OVER the top half (B) with — I think it was a ‘difference’ filter — you end up with an inverted image (C):

On its “Print is the Future”-brand bonded stationery, it reads:

Beware! Red plus white equals destruction!

Ominous.

The Fourth Message

The next transmission looks simply like a star field. Maybe some poor jucker’s vacation photo from Hendron IV and they lost their camera?

Not quite. ZOOM, ENHANCE:

There are several ways to draw out these hidden pixels, but just cranking the gamma is enough. The hidden text reads:

Your Excellency: There are many in the rebellion who eagerly await your rise to power. I shall gladly come to your aid if ever the need arises. Yours, Grand Plutt Sunblighter.

The Fifth Message

The final message (as of October 2021 at least) has multiple steps.

First, an 8×22 monochrome image — too small for Rebellion codebreakers to crack! But no match for our tools — ZOOM BUT DON’T ENHANCE:

It’s worth noting that these black and white pixels are 8 across — a big clue that this is binary. (Hey wait a minute, weren’t they just boasting about their binary cracking skills? 😏)

When we break it down into 22 binary groups:

01101000
01110100
01110100
01110000
01110011
00111010
00101111
00101111
01100010
01101001
01110100
00101110
01101100
01111001
00101111
00110010
01111000
01101110
00110011
01100001
01010111
01100101

…and then feed that into your favorite tool we get a bit.ly-shortened URL leading to a Dropbox account sharing an MP3 audio file…
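As an added example (mine, not from the post or the show’s site), here’s a small Python decoder for both kinds of binary on this page: the spaced groups of the first message and the one-pixel-per-bit image of the fifth. The pixel rows are the 22 groups above transcribed as ‘#’/‘.’ pixels, a constructed stand-in for the real image, and the decoder tries both polarities because a “negative” image flips every bit.

```python
"""Decode a monochrome bitmap (Zyxx message five) or spaced binary groups
(message one) into the ASCII they spell.  Added example, not the post's code."""

# Constructed stand-in for the 8x22 image: one pixel row per string,
# '#' for a black pixel and '.' for a white one, transcribed from the
# 22 eight-bit groups listed in the post.
IMAGE_ROWS = [
    ".##.#...",  # 01101000
    ".###.#..",  # 01110100
    ".###.#..",  # 01110100
    ".###....",  # 01110000
    ".###..##",  # 01110011
    "..###.#.",  # 00111010
    "..#.####",  # 00101111
    "..#.####",  # 00101111
    ".##...#.",  # 01100010
    ".##.#..#",  # 01101001
    ".###.#..",  # 01110100
    "..#.###.",  # 00101110
    ".##.##..",  # 01101100
    ".####..#",  # 01111001
    "..#.####",  # 00101111
    "..##..#.",  # 00110010
    ".####...",  # 01111000
    ".##.###.",  # 01101110
    "..##..##",  # 00110011
    ".##....#",  # 01100001
    ".#.#.###",  # 01010111
    ".##..#.#",  # 01100101
]


def rows_to_bits(rows, one="#"):
    """Flatten pixel rows (left to right, top to bottom) into a '0'/'1'
    string; `one` is the pixel character that stands for a 1 bit."""
    return "".join("1" if px == one else "0" for row in rows for px in row)


def bits_to_bytes(bits):
    """Group a bit string into bytes, most significant bit first.  A trailing
    partial group is dropped rather than padded, so garbage never sneaks in."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def decode_binary_text(groups):
    """Message one: '01010100 01101000 ...' -> the ASCII it spells."""
    return bits_to_bytes("".join(groups.split())).decode("ascii")


def decode_bitmap(rows):
    """Message five.  A row width of 8 is the tell that each row is a byte,
    but flattening first means other widths (16x11, say) decode the same way.
    Tries black=1 then white=1 and keeps the polarity that gives printable
    ASCII.  Returns (text, pixel_char_used_for_1)."""
    for one in ("#", "."):
        data = bits_to_bytes(rows_to_bits(rows, one))
        if data and all(32 <= b < 127 for b in data):
            return data.decode("ascii"), one
    raise ValueError("neither polarity yields printable ASCII")


def invert(rows):
    """Swap black and white, i.e. the image saved as a negative."""
    return [row.translate(str.maketrans("#.", ".#")) for row in rows]


if __name__ == "__main__":
    print(decode_binary_text("01010100 01101000"))
    text, polarity = decode_bitmap(IMAGE_ROWS)
    print(text, "(1 bits drawn as", repr(polarity) + ")")
```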

The clip contains a voice that’s clearly speaking in reverse, so let’s load it into Audacity and spin that sucker around, and…

OH… OH CRAP:

Hey Bordoff!

Got the business cards and I got to say: I am pretty excited to see “Emperor” on them. Me! Little ol’ me! Wow-ee! I can’t wait to start handing ’em out.

Uh, oh, circling back onto kind of our master plan… I cannot wait to kill the rest of the Council of Seven and impose my will upon the entire galactic entity.

Anywho… I just want to say I’m so glad about your participation in this. I will not kill you unless you prove unuseful to me. And then, well, by golly, I probably will.

Oop! Okay, Linda is callin’. I have to get to dinner.

But uh, hey: great chattin’ with ya, and uh, yeah, let’s just touch base later. See how it all turns out.

Alrighty, bye bye.

As I sit here at the end of Season 2, not all of this clicks yet. So it doesn’t feel like too huge a spoiler.

Besides, as they say, it’s just a show. You should really just relax. 😉

ToneDef 21

2021-06-06 

After a long hiatus, I finally have a good build workflow for Android again — which means I can push out some updates to ToneDef!

Presenting build 21!

This was more of a “proof of concept” build with the beginning of some CI to automate checks, etc.  I’ve already started working on the audio “popping” bug, and looking into some other reported issues. Those are being saved for 22.

What’s new:

  • Added French tones to the ‘extras’ section
  • Added link back to my blog (as seen below)
  • Minor layout updates, including removing action bar from most screens (will remove the rest later)
  • Code cleanup, refactoring, and other behind the scenes updates

Take the DoD Cyber Awareness Challenge!

2020-12-03 

I was doing a bit of OSINT-ish poking around on this character, Mellissa Carone.

She’s a supposed voter fraud “whistleblower” for Rudy Giuliani. His star witness claims to have essentially seen all the voter fraud ever in her seemingly-drunken, insane testimony at a hearing in Michigan. You really have to see it to believe it. She made a complete ass out of herself trying to bullshit everyone in the room.

Even Rudy, at one point, had to be like “whoa, down girl”.

Ordinarily I wouldn’t be dwelling on a private individual in a blog post, but Mellissa chose to step into the public arena.

So I figured I’d see what I could dig up on the web, in relation to a couple of her claims. Just practicing some OSINT on a public figure.

Anyway, in her testimony she claimed to be an IT contractor hired by the current conspiracy scapegoat “Dominion”. Now she says she can’t get work anymore because “the Democrats destroyed her life”, and so on.

As far as jobs go, her LinkedIn says she’s been an intern at a place called Ciber Global but with the title “Cyber Security Analyst”. She mentions Ford Motor in a subheading on this one.

Next one down, same timeframe as the Ciber job, again, “Cyber Security Analyst” for Ford Motor Company. Maybe lent out as a temp?

Further back, an internship as an IT Technician at a local painting company.

And even further back, an IT Specialist/Help Deak [sic] person for Millennium Servica [sic]. This might be a Remodelling and Repair Contractor, or this unknown, defunct company.

Whichever. Doesn’t matter.

Alongside all this, she’s also listed as being a graduate of ITT Technical Institute and the University of Michigan, working on an associate’s degree in Computer/Information Technology Administration and Management.

UPDATE: Apparently she’s been up to some other stuff, too. Whoops…

In addition to her work experience, her profile features a set of certificates and awards:

Nothing really of interest. I can’t even verify her Ciber employment, never mind this certificate. But that’s fine. I don’t really care. Any discrepancies are probably easily explained with a little more detail. (Benefit of the doubt, and all that.)

But then I scroll over to the third cert; the “Cyber Awareness Challenge” completion certificate:

What’s that logo? Department of… hmm.  I can guess, but let’s ZOOM AND ENHANCE:

The Department of Defense?!

Woo! Impressive, right?

So I looked around for that, and found… THE 2021 CYBER AWARENESS CHALLENGE!

You too — yes, YOU — can take the unclassified training course, just like she did, and get your very own DoD Certificate of Completion for you to type “FART BUTT” on and save to a PDF and put on your own profile.

And best of all, it’s in COLOR and updated for 2021!

But in all seriousness, I encourage you to take a look at this small, free course they’re offering.

It’s actually well put together and rather creative for a multiple-choice quiz that marks you correct even when you’re wrong. You can’t lose!

The real meat of it, though, are the details it provides. There’s a lot of “duh” basic security things (don’t bring in external devices, don’t hold security doors open for anyone, etc), but it actually gives some interesting insights into how they handle working with classified security information, among other things.

Quite a bit of video, too. Here’s my favorite:

Ring, ring… Terebikko calling!

2020-11-22 

So, a couple weeks ago I was watching this video tribute to Super Mario World‘s 30th anniversary.

At around the 17:20 mark, in the middle of talking about various tie-in products to promote the game, it brings up Mario & Yoshi’s Adventure Land. A one-episode animated movie that follows Mario and Luigi through, essentially, the events of Super Mario World.

What makes it unique is that this is a “VCR game” of sorts that uses the Terebikko: an interactive ‘quiz’ device that mimics a telephone. Mario calls you. The phone rings. You pick it up. He asks you a question that needs a 1, 2, 3, or 4 response. (Or red, green, yellow, blue.)

You press the answer within the allotted time, and you get a response. (Near as I can tell, it mutes the phone for the inappropriate response, but that’s something we’re going to find out definitively.)

And it’s more than just Mario. There’s a whole catalog of videos made for it in Japan, including Dragon Ball Z and Sailor Moon.

I found it all oddly fascinating. And my curiosity started to kick in. It seemed so simple, but it was a clever idea. I loaded the audio into Audacity and realized I could make out binary… uh oh.

See, one of the things I’ve always had an interest in, but never got a chance to try was demodulation of a digital signal from an audio file. Like the screeching of a modem, or a game loaded off an audio tape into a ZX Spectrum. That kind of thing. This seemed like the perfect on-ramp for it.

With very little actual information online, this also seemed like a perfect reverse engineering project in general.

I found out they released a version of this in the United States in 1989 under the Mattel label, a year after its debut in Japan from Bandai, and… I found one on eBay for under $20 shipped. 😎

So now I’m, seemingly, irrevocably committed to this project, now that money is involved. 😏

Here’s what I’m planning. I’ve already spent a couple days dicking around and have a stack of notes. I’m hoping to get at least several decent blog posts out of this adventure:

My Goals for this Project!

Primary

  • Reverse engineer the digital protocol used, as much as possible
  • Create a real time decoder for it
  • Create a tool to generate the codes, so people can create their own, new videos

Secondary

  • Do a complete tear-down of the actual device with high res screencaps of the internals (I believe both US and JP versions are identical — the case and operation certainly are, and the videos are all compatible with each other’s versions). Just totally document the hell out of it. Get it all onto Github and Archive.org for safekeeping.

Nice to Have

  • Possibly integrate the decoder into a software emulator/video player as an all-in-one playback app. (How hard are VLC plugins to write…? 🤔)

That last one is unlikely, but hey, if I haven’t burned myself out on the entire thing by that point, who knows?

UPDATE (2021-03-10): I’ve finally set up a site wiki for content like this. Here’s the entry for the Terebikko: https://wiki.network47.org/terebikko

HTB Write Up – Misc – misDIRection

2020-09-30 

Another Hack the Box write-up. This one is pretty short (EDIT: is it?), but it illustrates an unintended, but important gotcha that hit me.

But first…

I found out last time that a seemingly unspoken HTB convention* is that you only post write-ups for challenges that are retired (accessible to the paid VIP folks).

* Honestly, I only saw it mentioned while digging into the forums, and was told about it later when I posted the previous one on Reddit.

While I didn’t see an official explanation for this behavior, I suspect this is to keep people from simply Googling for the flag. If that IS the case, I disagree with that idea: any good CTF’er will know to exclude the flag identifier (-HTB) or the CTF name (-"Hack the Box") when looking for information to help them legitimately solve the problem.

If someone is going to be a rotten rat and cheat their way through the challenges, well, that’s kind of the risk you take when it’s open to the public. Hiding the answers just means they’ll squirrel them away out of sight for the rats to find. (Boy there’s a lot of animals in this paragraph.)

And, of course, if it’s simply to give value to VIP members, well, I have no interest in helping a business maintain a poor model. But I don’t expect that to be the motive here. 😉

Suffice it to say, considering this one hasn’t been retired since 2018, I won’t be sharing it anywhere outside my own blog, apparently. And maybe Twitter. (Hi, Twitter!)

The Case Against Windows

I did this challenge, initially, using Windows. Mostly because this seemed like a pretty easy challenge, and I didn’t think that would be a problem.

The challenge provides you with a zip file, appropriately named misDIRection.zip.

Unzipping the file produces a .secret/ directory, and inside a series of directories labelled 0-9a-zA-Z. Some of these are empty. But some have 0-byte files named after integers. There were no duplicates among them.

Archive:  ../misDIRection.zip
   creating: .secret/
   creating: .secret/S/
 extracting: .secret/S/1
   creating: .secret/V/
 extracting: .secret/V/35
   creating: .secret/F/
 extracting: .secret/F/2
 extracting: .secret/F/19
 extracting: .secret/F/27
   creating: .secret/o/
   creating: .secret/H/
   creating: .secret/A/
   creating: .secret/r/
   creating: .secret/m/
   creating: .secret/B/
 extracting: .secret/B/23

...etc...

I thought about this one for a bit, and considered how a message could be encoded.

Then I had an idea: what if the numbers map to a position in an output. Like, where file “1” is, that’s in the S directory.  “2” is in F, etc.

So I started charting this out in Notepad, but I got about 4 letters deep and realized — wait, I should be doing this in a programmatic way. There are tools for this. Work smarter.

So I pull up the WSL bash prompt and throw down: find . -type f | sort -k 1.13 -n

This finds all the file-type entries under the current directory and pipes the result into sort. The -k 1.13 argument says to start the sort key at the 13th character of each line, which, for paths like ./.secret/S/1, is where the file name begins, and -n specifies a numeric sort.

This gave a pretty clear arrangement: SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9. NICE!

Not So Fast, Son

While this wasn’t the flag, of course, it seemed like a solid lead into a second phase.

So I pull up CyberChef and start messing around with it. I go through the usual transformations I try, and Base64 immediately catches my eye: HZÜ{JĂŁR3cuĂ„Ăč_1T_PR5ÑT_SO7e}.

It’s so painfully close to what I’m looking for. You can SEE the skeleton of a legit Hack the Box flag: HTB{xxx_xxx_xxx_xxx}. You can see the curly braces, and the underscores, and even the opening “H”. Presumably some of the other letters are correct as well, but you can’t know that yet, of course.

So I went down some weird rabbit holes. The hashid tool thought it was BigCrypt:

Analyzing 'SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9'
[+] BigCrypt

And The Towel Was Thrown In

Everything I tried wound up being big time wasters.

So I gave up and looked for a write-up. Inside that write-up, the guy did everything I did:

WHAT?

I do a search for SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9 — and sure enough, there it is.

Am I going crazy? It’s just a basic Base64 decoding. Why is mine different?

Just to verify, I pipe it through the same base64 tool on my end. Nope. Still different.

What am I doing differently here?!

Then it dawns on me: I’m using Windows.

I’d gotten used to doing some formerly Unix-style command line stuff in Windows, thanks to WSL letting me bounce between the two worlds. And that was my mistake.

A Return to Relative Sanity

Let’s take a look:

  • Some characters showed up fine.
  • The same string gave two different decodings.
  • How could that be?

Well, unzipping a file that creates an alphabet… both upper AND lowercase letters… oh shit.

Riiight… unzipping in Windows means .secret/s is the same directory as .secret/S.

Which one you get depends on which one unzipped first. So I had a jumble of upper and lowercase directories that Windows went all YOLO on. And when I jumped over to WSL to do my find command, the damage was already done.

I needed to unzip the file from Unix.

So I nuked the entire directory and unpacked all of this from a proper Linux bash shell in my lab VM. And sure enough, I have a lot more directories.

I run my find command, and I get a slightly different version of my string: SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9.

Note the case differences:

Wrong: SFrce0rjUjNjdeX5XzFUX1BSNdFUX1NPN2V9
Right: SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9

So I pump that through base64 -d, and we get the CORRECT flag this time: HTB{DIR3ctLy_1n_Pl41n_Si7e}.
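Here’s an added Python version of the whole chain (my example, not the challenge author’s code) that reads the zip’s own entry table instead of extracting, so the filesystem never gets a chance to merge directories, and that flags the case-colliding paths before you unzip anywhere. The zip it works on is a constructed stand-in for misDIRection.zip built from the correctly recovered string above; HIDDEN and the flag are the post’s values, and the entry order is my own.

```python
"""misDIRection without touching the filesystem: read the zip's entry table.

Added example, not the challenge author's code.  HIDDEN is the string the post
recovers on Linux; the zip built from it here is a constructed stand-in for
misDIRection.zip (same layout, my own entry order)."""
import base64
import io
import string
import zipfile
from collections import defaultdict

HIDDEN = "SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9"


def build_challenge_zip(hidden=HIDDEN):
    """Constructed stand-in: a (mostly empty) .secret/<c>/ directory for every
    c in 0-9a-zA-Z, plus a 0-byte file named <position> (1-based) inside the
    directory of the character at that position of `hidden`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for ch in string.digits + string.ascii_letters:  # lowercase before uppercase
            zf.writestr(f".secret/{ch}/", b"")
        for pos, ch in enumerate(hidden, start=1):
            zf.writestr(f".secret/{ch}/{pos}", b"")
    return buf.getvalue()


def case_collisions(zip_bytes):
    """Paths (every directory prefix included) that differ only by case.  These
    are exactly what a case-insensitive filesystem (Windows, default macOS)
    will silently merge on extraction, so run this BEFORE unzipping there."""
    groups = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.strip("/").split("/")
            for i in range(1, len(parts) + 1):
                prefix = "/".join(parts[:i])
                groups[prefix.lower()].add(prefix)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def recover_hidden(zip_bytes):
    """The `find | sort -n` step, case preserved: map each file's numeric name
    to its parent directory's letter and read the letters in numeric order."""
    slots = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parent, leaf = info.filename.rsplit("/", 1)
            slots[int(leaf)] = parent.rsplit("/", 1)[-1]
    return "".join(slots[k] for k in sorted(slots))


def recover_after_case_insensitive_extract(zip_bytes):
    """Model the Windows failure: the first spelling of a directory to be
    created wins, and later entries differing only by case land inside it."""
    first_spelling = {}
    slots = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.strip("/").split("/")
            directory = "/".join(parts if info.is_dir() else parts[:-1])
            directory = first_spelling.setdefault(directory.lower(), directory)
            if not info.is_dir():
                slots[int(parts[-1])] = directory.rsplit("/", 1)[-1]
    return "".join(slots[k] for k in sorted(slots))


def flag_from_hidden(hidden):
    """Final step from the post: the recovered string is plain Base64."""
    return base64.b64decode(hidden).decode()


if __name__ == "__main__":
    z = build_challenge_zip()
    collisions = case_collisions(z)
    print(len(collisions), "case-colliding groups, e.g.", collisions[0])
    good = recover_hidden(z)
    print("linux-style  :", good, "->", flag_from_hidden(good))
    print("windows-style:", recover_after_case_insensitive_extract(z))
```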

The Takeaway

This was frustrating, but still quite educational: in the future I might encounter an issue similar to this, and hopefully I’ll remember this experience. I mean, I didn’t look closely enough at my string, and searching for it in the write-up made me think it was 1:1 exactly the same. All because search tools are, by default, case insensitive. And Windows is case insensitive.

But I’m very sensitive. 😱

Seriously, though, don’t get too comfortable with Windows, man. It’ll stab you when you’re not looking!

I don’t for a moment think the author of this challenge intended for this outcome. (I sure didn’t.) But hey: thank goodness SOMEONE wrote a write-up on a non-retired Hack the Box challenge, huh? 😏

HTB Write Up – OSINT – ID Exposed

2020-09-24 

I’ve been doing a lot of TryHackMe rooms over the last week or two, but this morning I decided to jump over to HackTheBox to take a look at their OSINT challenges.

While I’ve never done a CTF write-up before, I want to start doing this a bit more often. Especially when I encounter new topics or concepts I’ve never encountered before.

We are looking for Sara Medson Cruz’s last location, where she left a message. We need to find out what this message is! We only have her email: saramedsoncruz@gmail.com

With this bit of content, I spent a lot of time going through my usual routine…

Sherluckin’ Out

First, I looked for the username saramedsoncruz using Sherlock. It’s a tool written in Python that queries a ton of social media services. (There are websites for this, too.) This pulled up only a couple results:

[*] Checking username saramedsoncruz on:
[+] Pinterest: https://www.pinterest.com/saramedsoncruz/ 
[+] geocaching: https://www.geocaching.com/p/default.aspx?u=saramedsoncruz

When I saw the Geocaching link, I got excited. We could satisfy all of our requirements.

Her last location? Possibly! A potential message left? Sure! Maybe she took a picture of a message left in a cache. Or had comments about a cache she’d just found.

This seemed to be a lock… but, despite a match on that very specific username, it wound up going nowhere.

Struck out with the Pinterest link, but I had low hopes for that one.

Desperation Sets In…

At this point, I’m trying everything I know. Manually clawing through “Sara Cruz” accounts (and various permutations on the name) on Facebook and other social media sites. One even had a Guy Fawkes mask for an avatar — I thought to myself “Some dumb hacker shit! Surely, this must be it!”

But, no. Another dead end.

As I’m searching around, I see a link talking about Google IDs and Gmail accounts. It looks interesting, but I put it aside.

I’m about to give up — which is fine by me. Yeah, I’m always a little disappointed when I throw in the towel, but that’s part of the reason I do these CTF challenges: to test what I know, and if it’s something I don’t know: learn. (From write-ups. Like this. 😏)

…when suddenly!

So I return to the HTB OSINT page, and I take a look at the name of the challenge so I can google a write-up.

“ID Exposed”… hey, waaaait a minute…

I think for a moment as that piece of information zip-zaps across my mind over to the article I’d found earlier: Getting a Grasp on GoogleIDs.

I’d completely overlooked a clue in the title. Turns out this was VERY relevant!

I’ll leave the article for you to see the details, but long story short: there’s a profile ID number attached to every Google account. There’s a couple ways to get this ID outlined in the article.

In my case, I added it to my existing Google Contacts collection and sniffed the data-personid attribute from the modal dialog of the Contacts page when the contact is opened for editing (it may be seen elsewhere, but this is where I got it).

With this in hand, I went over to the People API people.get page, which lets you try executing an API endpoint. In order to execute this endpoint call, you’ll need to give permission for your own Google account.

Following the instructions in the article, I plugged in “people/c6412528252752365100” for the resourceName, and “metadata” for the personFields field.

The call, successful, returned this block of JSON:

{
  "resourceName": "people/c6412528252752365100",
  "etag": "%EgMBNy4aBAECBQciDG1IQ1NWS3NJSEc0PQ==",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "58fde0788976062c",
        "etag": "#mHCSVKsIHG4=",
        "updateTime": "2020-09-24T15:59:18.216Z"
      },
      {
        "type": "PROFILE",
        "id": "117395327982835488254",   // <----
        "etag": "#4eZz2/IuMFw=",
        "profileMetadata": {
          "objectType": "PERSON",
          "userTypes": [
            "GOOGLE_USER"
          ]
        }
      }
    ],
    "objectType": "PERSON"
  }
}

Under the metadata -> sources entry with the PROFILE type, there is our GoogleID: 117395327982835488254.

Now That’s Brazilliant

From here, we can look for various things (again, check the article for what’s possible).

As it turns out, you can take a look at the ‘contributions’ that a GoogleID has made to Google Maps. This means reviews and photos, for the most part. Certainly the kind of data that would tick the boxes of what this CTF solution asks of us.

So, I tack the GoogleID onto the appropriate URL, https://www.google.com/maps/contrib/117395327982835488254/, and sure enough:

“Flag Watcher”, huh? 😏

No photos, but they’ve posted a review for the ‘Museu do Futebol’ in Brazil, giving it a whopping five stars, and a terse comment of “really nice museum”.

Wait, there’s more.

Like, literally ‘More’.

Click it.

And there’s our flag, buried in a bunch of percent signs to force the comment to collapse. 🙂

HTB{i_W4S_D_I_S_c_O_v_3_R_3_D}

Conclusion

It’s okay to give up, as long as you’re willing to learn.

Just be careful that you’re not overlooking a clue being given to you. Few things suck more than bashing your head against the wall going down a dead end for an hour when a quick re-read of the CTF details might have prevented it. 😳

Kali on the Acer Spin One

2019-07-09 

The Backstory

I’ve been on the hunt for a decent, small netbook for a while. I’d hoped to wipe ChromeOS off of the Samsung Chromebook Plus that I’d acquired — a decent little device in its own right — but the effort required to do it properly was simply not worth it.

(TLDR on that: there’s no ‘write-protect screw’ like other Chromebooks; instead you have to remove the battery, among other things. I’d rather keep it as is, preserve the value, and sell it in trade for a more traditional laptop!)

I went through a couple other laptops all with various concessions that I wasn’t too happy about.

My demands:

  • Small (11.6″ or so)
  • Light
  • Decent battery life
  • Peppy speed
  • Runs Linux without any fuss
  • Is under $300 — cheaper the better, but I don’t want immense remorse if it’s broken, unlike a $900 (or more) beast

In my half-hearted on again, off again search you could hit most of these if you were willing to void the warranty of a Chromebook, or were willing to sacrifice any kind of aforementioned pep. It’s the ol’ “small/fast/cheap — pick two” kind of thing.

I’d been eyeballing the Acer Spin One (SP111-33) at Walmart for a while. Not exactly the place to pick a winner, I confess, but I kind of liked how it looked and felt; it was solid as hell, with a sturdy aluminum frame. But at almost $400, I wasn’t sure if it was worth gambling on.

So I hit Walmart.com and I see there’s actually two entries; one is the Acer Spin One at the expected price. But then there’s another SKU with a slightly different model number.

As it turns out, it’s a slightly faster model, but about $100 cheaper. And it’s not solid aluminum. And it’s all black. But it’s still a super light 2-in-1 convertible laptop. They saddled it with Windows 10 S (the one that only lets you install apps from the Windows app store). And it’s a lower res screen instead of the full HD of the more expensive model.

I get in the store, and I see them mostly side by side. The more expensive one SURE IS PRETTY in comparison. And the screen is definitely brighter and nicer to read.

They’re both locked, but that wasn’t a problem. The password was the store number, which is on the login screen.

Once I’m logged in, I load up Edge and pull up an online JS speed test. It won’t be comprehensive, but it’ll at least give me a ballpark.

The two churn through the test, neck and neck. I get some side-eye from the clerk, but I ignore him. I’m shopping, damn it!

By the end, it turns out the uglier, cheaper one actually beat the hell out of its more expensive brother.

Some quick googling showed people WERE installing Linux, but one guy said he had trouble with most distros except Kali (and some other one). Hey, that’s fine by me: that’s exactly what I intended to install! 😏

Maybe it didn’t QUITE hit the sub-$300 mark, but it came really close. And considering it hits the rest of the bullet points…

So I bring it home. Cortana’s happy greeting is cut short by a reboot after I insert a bootable USB stick.

There were some issues, so I’m going to outline them here for future users.

Installation

Use F2 at the boot screen (don’t hold Fn) to enter the BIOS.

Here’s what I did in there:

  • Disabled all of the secure boot stuff.
  • Set the boot drive to the USB stick (for the install; throw it back after)
  • Internal KB Numpad: Disabled (preference)
  • Function key behavior: Function Key (preference)
  • Lid Open Resume: Disabled
  • Reboot

I kind of shotgunned my way around this whole area, so YMMV. But I think if I took the path I outlined here, first, I’d have had more immediate success…

At this point, you should have the Kali boot screen; perform a full install.

Since there’s only 64GB on the internal eMMC drive (which is enough for my purposes), I instructed the installer to wipe the entire drive. You didn’t want Windows 10 S anyway. 😎

Hardware Surprises

There’s a couple gotchas with the hardware, but most of it can be fixed easily.

Screen Rotation

During the installation process, everything is fine. But once you boot into the desktop, you’ll find yourself craning your neck sideways. The driver for the accelerometer is reporting the wrong orientation information, so the screen is rotated improperly. And if you rotate it into portrait mode, woosh, it’s in landscape.

The Quick GUI-based Fix

Turn the device on its side, giving a portrait orientation. It will render the desktop in a landscape orientation. Turn your head sideways and tap the user menu on the far end of the system bar along the top… (…er… right?)

Then tap the second icon on the bottom, the one right next to settings, to lock the orientation as ‘landscape’. Then you can flip the device back to its normal landscape orientation and it will stay in place.

Alternatively, you can run xrandr -o normal on the command line to force the rotation. You can view the current rotation state, as reported by the accelerometer, with monitor-sensor.

The Real Fix

The more involved fix goes like this (thanks to CupOfTea over on the Acer Community Forums):

Create /lib/udev/hwdb.d/61-sensor-local.hwdb

Inside that file, add:

sensor:modalias:acpi:BOSC0200*:dmi:*svn*Acer*:*pn*Spin*SP111-33*
 ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1

Note the single space before ACCEL_!

The Nuclear Option

Disabling the accelerometer entirely is another possibility, but that is left as an exercise for the reader. 😏

WiFi

WiFi works great. It’s an Intel Wireless-AC 9560 that can be used for various things. Nice!

Bluetooth

As of this writing, I still haven’t gotten Bluetooth working. But I’ve had it for about half a day at this point, poking at other problem areas, so we’ll see how that goes. I’ll update this when I get it fixed.

I don’t know where the trouble lies, but the service just isn’t running on boot. Here’s what I did to start it up by default. First, call systemctl enable bluetooth.service to set it to load on boot.

After this, I was able to reboot, and my mouse connected on login. Good times. 👌

(If you’d rather not have it start automatically, you can just use systemctl start bluetooth.service to start it manually.)

Other hardware with no obvious issues

  • Audio
  • Touch screen
  • Micro SD card reader
  • On-board video – There’s some brief black and white glitching on the very top of the login screen, but you don’t see it anywhere else.
  • HDMI – worked as second monitor on a 4K display; didn’t DPI scale out of the box of course.

Sweet.

So yeah, I’m pretty jazzed about this little guy. It’s about as close to perfect as I’ll probably get for now.

I guess I’ll keep it. 😏

Stickers account for 23% of its weight.