Initial Tasks on a new openVZ container (virtual Server)

Normally openVZ Containers are cloned or prepared with pre-built images. So we need to update a few settings after deployment.

Localize Debian Mirrors

If your Debian Mirrors are too far away, it will take very long to install stuff with apt-get. So have a look at the Debian Mirror List and select any which are located near your server and have a better throughput and ping.

Go to your sources.list file located at /etc/apt/ and update the servers.

deb http://ftp.us.debian.org/debian stable main contrib
deb http://ftp.debian.org/debian/ wheezy-updates main contrib
deb http://security.debian.org/ wheezy/updates main contrib

Comment out unwanted servers and add your better, localized ones.

#deb http://ftp.us.debian.org/debian stable main contrib
deb http://ftp.at.debian.org/debian/ stable main contrib
#deb http://ftp.debian.org/debian/ wheezy-updates main contrib
deb http://ftp.at.debian.org/debian/ wheezy-updates main contrib
deb http://security.debian.org/ wheezy/updates main contrib

Add Backports Repository to Sources List

Sometimes the Debian stable repository does not contain a package we need, but Debian testing contains it and it has been backported to stable. So we need to add the Backports sources to our system.
Debian Backports are recompiled packages from testing (mostly) and unstable (in a few cases only, e.g. security updates) in a stable environment so that they will run without new libraries (whenever it is possible) on a Debian stable distribution.

Add Backports Sources to your sources.list file.

deb http://http.debian.net/debian wheezy-backports main

There are also localized Mirrors available.

deb http://http.debian.net/debian wheezy-backports main

With this updated sources.list, we can install backported packages too.

Locales and Timezone

The system should be told which timezone it is using.

 dpkg-reconfigure tzdata

Get root and type dpkg-reconfigure locales and select the locale(s) you want to generate. At the end, you’ll be asked which one should be the default.

dpkg-reconfigure locales

Regenerate SSH Keys

On virtual servers or containers, SSH host keys are often generated with too little entropy, or the container was cloned from an image, or there are other security implications. It often turns out that the SSH keys of several machines are identical.
Creating new keys after doing some work on the server is always a good idea. At the very least do it during your initial setup. Do some work on the server in the meantime to collect some entropy, for example apt-get update && apt-get upgrade -y && apt-get install htop bmon vim.

As root, delete all old host keys

rm /etc/ssh/ssh_host_*

and generate new Keys

dpkg-reconfigure openssh-server

Finally, you need to update ~/.ssh/known_hosts files on client computers
http://www.cyberciti.biz/faq/howto-regenerate-openssh-host-keys/
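
One way to check a group of containers for host keys inherited from the same template, as an added example that is not part of the original post: it groups ssh-keyscan output by key type and key blob. The function names, the host names ct101 to ct103 and the shortened key blobs are constructed for illustration.

```bash
#!/bin/sh
# Added example: find SSH host keys that are shared by more than one host.
# Input is what `ssh-keyscan` prints: "<host> <keytype> <base64-key>".

# Constructed sample data (shortened blobs, not real keys): ct101 and ct102
# were cloned from one template and still carry its RSA host key, while
# ct103 has already been regenerated.
sample_scan() {
cat <<'EOF'
# ct101:22 SSH-2.0-OpenSSH_6.0p1 Debian-4
ct101 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1templateKEY
ct102 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1templateKEY
ct103 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7regeneratedKEY
ct101 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYuniqueA
ct102 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYuniqueB
EOF
}

# Prints one line per shared key: "<keytype> <host>,<host>,..."
# No output means every scanned key is unique.
shared_host_keys() {
    awk '
        /^#/ || NF < 3 { next }          # skip banner comments and junk
        {
            id = $2 " " $3               # key type + public key blob
            if (!(id in hosts)) {
                order[++n] = id          # remember first-seen order
                hosts[id] = $1
            } else if (index("," hosts[id] ",", "," $1 ",") == 0) {
                hosts[id] = hosts[id] "," $1   # a second host with this key
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                if (hosts[id] ~ /,/) {
                    split(id, part, " ")
                    print part[1], hosts[id]
                }
            }
        }'
}

# Demo on the constructed data. On real machines the input would come from
# something like: ssh-keyscan -t rsa,ecdsa ct101 ct102 ct103
sample_scan | shared_host_keys
```

Every host that shows up in the output still needs the rm and dpkg-reconfigure steps above.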

Create New User

Create new User, set home directory, create home directory, create SSH Keys

root@kopimi:~# useradd kopimi -d /home/kopimi/ -s /bin/bash
root@kopimi:~# mkdir /home/kopimi
root@kopimi:~# chown kopimi:kopimi /home/kopimi
root@kopimi:~# passwd kopimi
root@kopimi:~# su kopimi
kopimi@kopimi:/root$ cd
kopimi@kopimi:/home/kopimi$ 
kopimi@kopimi:/home/kopimi$ mkdir .ssh
kopimi@kopimi:/home/kopimi$ chmod 0700 .ssh
kopimi@kopimi:/home/kopimi$ cd .ssh
kopimi@kopimi:/home/kopimi/.ssh$ ssh-keygen -t rsa -b 4096

Set Up SSH With Public-Key Authentication

It's a good idea to set up Public Key Authentication and disable Password Authentication to stop all these bruteforce kiddies.

On the client side copy the id_rsa.pub Public Key to the Remote Host

cave@laptop:~$ cd .ssh
cave@laptop:~/.ssh$ ls
id_rsa    id_rsa.pub  known_hosts  known_hosts.old
cave@laptop:~/.ssh$ scp -p id_rsa.pub remoteuser@remotehost:/root/

Backup your client ssh keys, they are important now!

On the server we need to create an authorized_keys file.

root@kopimi:~# mkdir ~/.ssh
root@kopimi:~#  chmod 700 ~/.ssh
root@kopimi:~# cat id_rsa.pub >> ~/.ssh/authorized_keys

Edit sshd_config

root@kopimi:~# cd /etc/ssh/  
root@kopimi:/etc/ssh# vi sshd_config

Set following value:

AuthorizedKeysFile    %h/.ssh/authorized_keys

restart ssh

root@megafr1:/etc/ssh# /etc/init.d/ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

Log out and log in again. If it works without a password, disable password login completely

PasswordAuthentication no

and restart ssh again.
https://www.howtoforge.com/set-up-ssh-with-public-key-authentication-debian-etch
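
A check for the result of the steps above, as an added example that is not part of the original post: sshd uses the first occurrence of a keyword, so a PasswordAuthentication no that is still commented out, or appended below an earlier yes, changes nothing. The function names and sample configs are constructed, and the defaults assume a Wheezy-era OpenSSH where all three keywords default to yes.

```bash
#!/bin/sh
# Added example: work out which value sshd will really use for a keyword.

# Effective global value of a keyword. sshd keeps the FIRST occurrence,
# keywords are case-insensitive, and lines after a "Match" line are
# conditional, so parsing stops there. Unset keywords fall back to <default>.
sshd_effective() {       # usage: sshd_effective <keyword> <default> < config
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || NF == 0    { next }     # comments and blank lines
        tolower($1) == "match"   { exit }     # conditional part starts here
        tolower($1) == key       { val = $2; exit }
        END { gsub(/"/, "", val); print val }'
}

# Exit status 0 only when key login is on and both password-style methods
# are off. Assumption: Wheezy-era OpenSSH defaults ("yes" for all three).
password_login_disabled() {       # reads an sshd_config on stdin
    cfg=$(cat)
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(printf '%s\n' "$cfg" | sshd_effective "$kw" yes)" = no ] || return 1
    done
    [ "$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication yes)" = yes ]
}

# Constructed sample configs (not taken from a real host).
cfg_commented() {    # the "no" line is still commented out -> default "yes"
cat <<'EOF'
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile    %h/.ssh/authorized_keys
EOF
}

cfg_appended() {     # "no" was appended below an earlier "yes" -> ignored
cat <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
AuthorizedKeysFile    %h/.ssh/authorized_keys
PasswordAuthentication no
EOF
}

cfg_good() {         # keyword case does not matter to sshd
cat <<'EOF'
ChallengeResponseAuthentication no
passwordauthentication no
AuthorizedKeysFile    %h/.ssh/authorized_keys
EOF
}

for c in cfg_commented cfg_appended cfg_good; do
    if $c | password_login_disabled; then
        echo "$c: password login disabled"
    else
        echo "$c: password login still possible"
    fi
done
```

On a live server, sshd -T prints the configuration the daemon itself computes, and a real file is checked with password_login_disabled < /etc/ssh/sshd_config.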

Build RetroShare v0.6.x (preAlpha) on Debian Wheezy

Install package requirements for Wheezy

First we need to install missing dependencies with apt-get. We can find build instructions and requirements in the README of the project. The packages and these instructions should also work for Ubuntu.

apt-get update 
apt-get install libglib2.0-dev libupnp-dev qt4-dev-tools \
      libqt4-dev libssl-dev libxss-dev libgnome-keyring-dev libbz2-dev \
      libqt4-opengl-dev libqtmultimediakit1 qtmobility-dev \
      libspeex-dev libspeexdsp-dev libxslt1-dev libprotobuf-dev \
      protobuf-compiler cmake libcurl4-openssl-dev

Additionally we need some more basic packages from Debian. In most cases they are already installed. If not we need to add them

apt-get install subversion git make build-essential unzip screen

For the package libsqlcipher-dev we need to add the backports repository for Wheezy. There is no package libsqlcipher-dev available for Debian 6 Squeeze. If you still use Debian Squeeze, c’mon and update your system. If you are running Debian 8 Jessie, libsqlcipher-dev is already in the normal repositories.

Edit /etc/apt/sources.list as described in official instructions from Debian.

root@kopimi:~# vi /etc/apt/sources.list

And add the line:

deb http://http.debian.net/debian wheezy-backports main

and now we can install libsqlcipher-dev

root@kopimi:~# apt-get update
root@kopimi:~# apt-cache search libsqlcipher-dev
libsqlcipher-dev - SQLCipher development files
root@kopimi:~# apt-get install libsqlcipher-dev

done 😀

Download and Build libssh

Do not do this as root. We need to build libssh for retroshare-nogui.

user@kopimi:/home/user$ mkdir workbench
user@kopimi:/home/user$ cd workbench
user@kopimi:/home/user/workbench$ mkdir lib
user@kopimi:/home/user/workbench$ cd lib 
user@kopimi:/home/user/workbench/lib$ wget http://git.libssh.org/projects/libssh.git/snapshot/libssh-0.6.4.tar.gz
user@kopimi:/home/user/workbench/lib$ tar -xzf libssh-0.6.4.tar.gz 
user@kopimi:/home/user/workbench/lib$ cd libssh-libssh-0.6.4/build/
user@kopimi:/home/user/workbench/lib/libssh-libssh-0.6.4/build$ cmake -DWITH_STATIC_LIB=ON -DWITH_GSSAPI=OFF ..
user@kopimi:/home/user/workbench/lib/libssh-libssh-0.6.4/build$ make

Download and Build RetroShare

Checkout Trunk from the Subversion Code Repository.

user@kopimi:/home/user/workbench$ svn co svn://svn.code.sf.net/p/retroshare/code/trunk retroshare
user@kopimi:/home/user/workbench$ cd retroshare
user@kopimi:/home/user/workbench/retroshare$ qmake CONFIG=release && make clean && make -j 2

“make -j 2” tells make to use two threads – if you have more/less CPU cores/threads feel free to change the value

 

RetroShare Gui and NoGui are now available as binaries. Small compile errors may occur for the plugins. Ignore them for now.

user@kopimi:/home/user/workbench/retroshare/retroshare-gui/src$ ls RetroShare 
RetroShare
user@kopimi:/home/user/workbench/retroshare/retroshare-nogui/src$ ls retroshare-nogui
retroshare-nogui

For easier handling I created symbolic links to the binaries in my user directory

user@kopimi:/home/user$ ln -s /home/user/workbench/retroshare/retroshare-gui/src/RetroShare RetroShare
user@kopimi:/home/user$ ln -s /home/user/workbench/retroshare/retroshare-nogui/src/retroshare-nogui retroshare-nogui

 

A Cypherpunk’s Manifesto

A Cypherpunk's Manifesto
 
 by Eric Hughes
 
 Privacy is necessary for an open society in the electronic age.
 Privacy is not secrecy. A private matter is something one doesn't
 want the whole world to know, but a secret matter is something one
 doesn't want anybody to know. Privacy is the power to selectively
 reveal oneself to the world. 
 
 If two parties have some sort of dealings, then each has a memory of
 their interaction. Each party can speak about their own memory of
 this; how could anyone prevent it? One could pass laws against it,
 but the freedom of speech, even more than privacy, is fundamental to
 an open society; we seek not to restrict any speech at all. If many
 parties speak together in the same forum, each can speak to all the
 others and aggregate together knowledge about individuals and other
 parties. The power of electronic communications has enabled such
 group speech, and it will not go away merely because we might want it
 to.
 
 Since we desire privacy, we must ensure that each party to a
 transaction have knowledge only of that which is directly necessary
 for that transaction. Since any information can be spoken of, we
 must ensure that we reveal as little as possible. In most cases
 personal identity is not salient. When I purchase a magazine at a
 store and hand cash to the clerk, there is no need to know who I am. 
 When I ask my electronic mail provider to send and receive messages,
 my provider need not know to whom I am speaking or what I am saying
 or what others are saying to me; my provider only need know how to
 get the message there and how much I owe them in fees. When my
 identity is revealed by the underlying mechanism of the transaction,
 I have no privacy. I cannot here selectively reveal myself; I must
 _always_ reveal myself.
 
 Therefore, privacy in an open society requires anonymous transaction
 systems. Until now, cash has been the primary such system. An
 anonymous transaction system is not a secret transaction system. An
 anonymous system empowers individuals to reveal their identity when
 desired and only when desired; this is the essence of privacy.
 
 Privacy in an open society also requires cryptography. If I say
 something, I want it heard only by those for whom I intend it. If 
 the content of my speech is available to the world, I have no
 privacy. To encrypt is to indicate the desire for privacy, and to
 encrypt with weak cryptography is to indicate not too much desire for
 privacy. Furthermore, to reveal one's identity with assurance when
 the default is anonymity requires the cryptographic signature.
 
 We cannot expect governments, corporations, or other large, faceless
 organizations to grant us privacy out of their beneficence. It is to
 their advantage to speak of us, and we should expect that they will
 speak. To try to prevent their speech is to fight against the
 realities of information. Information does not just want to be free,
 it longs to be free. Information expands to fill the available
 storage space. Information is Rumor's younger, stronger cousin;
 Information is fleeter of foot, has more eyes, knows more, and
 understands less than Rumor.
 
 We must defend our own privacy if we expect to have any. We must
 come together and create systems which allow anonymous transactions
 to take place. People have been defending their own privacy for
 centuries with whispers, darkness, envelopes, closed doors, secret
 handshakes, and couriers. The technologies of the past did not allow
 for strong privacy, but electronic technologies do.
 
 We the Cypherpunks are dedicated to building anonymous systems. We
 are defending our privacy with cryptography, with anonymous mail
 forwarding systems, with digital signatures, and with electronic
 money.
 
 Cypherpunks write code. We know that someone has to write software
 to defend privacy, and since we can't get privacy unless we all do,
 we're going to write it. We publish our code so that our fellow
 Cypherpunks may practice and play with it. Our code is free for all
 to use, worldwide. We don't much care if you don't approve of the
 software we write. We know that software can't be destroyed and that
 a widely dispersed system can't be shut down. 
 
 Cypherpunks deplore regulations on cryptography, for encryption is
 fundamentally a private act. The act of encryption, in fact, removes
 information from the public realm. Even laws against cryptography
 reach only so far as a nation's border and the arm of its violence.
 Cryptography will ineluctably spread over the whole globe, and with
 it the anonymous transactions systems that it makes possible. 
 
 For privacy to be widespread it must be part of a social contract.
 People must come and together deploy these systems for the common
 good. Privacy only extends so far as the cooperation of one's
 fellows in society. We the Cypherpunks seek your questions and your
 concerns and hope we may engage you so that we do not deceive
 ourselves. We will not, however, be moved out of our course because
 some may disagree with our goals.
 
 The Cypherpunks are actively engaged in making the networks safer for
 privacy. Let us proceed together apace.
 
 Onward.
 
 Eric Hughes 
 9 March 1993

 

Image from Chris Halderman (CC BY-ND 2.0)

Text from EFF

vHost and TLS Ciphers for Apache2/openSSL

openSSL cipherlist

The ciphers command converts textual OpenSSL cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist.

A good idea is to have a look at BetterCrypto.org. They share lots of good examples and practical recommendations for hardening your server.

Their recommendation for Apache Webserver:

# Enabled modules SSL and Headers are required.

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

This is a good example and also provides good connectivity for most browser types in use.

Result of command “openssl ciphers -v” with BetterCryptos Cipherlist:

root@host:~# openssl ciphers -v 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

I changed the cipherlist from their recommendation and made it a little stricter. This does not include 100% of legacy Browser Versions. (thanks to MacLemon)

SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA'

If we want to see the output of the improved cipherlist directly from the server, this can easily be checked at ssllabs.com: https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.tld This list has a cipher strength rating of 100/100. All ciphers support Forward Secrecy. This is what we want; Perfect Forward Secrecy is more important than ever.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384    DHE-RSA-AES256-GCM-SHA384   TLS v1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256    DHE-RSA-AES256-SHA256       TLS v1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  ECDHE-RSA-AES256-GCM-SHA384 TLS v1.2
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  DHE-RSA-CAMELLIA256-SHA     TLS v1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA       DHE-RSA-AES256-SHA          TLS v1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     ECDHE-RSA-AES256-SHA        TLS v1.0
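
The forward-secrecy claim can also be checked locally before the list goes into a vhost. The following is an added example, not part of the original post: it reads openssl ciphers -v output and marks every suite whose key exchange is not ephemeral DH or ECDH. The function names are hypothetical, and the three fallback lines are constructed in the format OpenSSL 1.0.x prints.

```bash
#!/bin/sh
# Added example: audit `openssl ciphers -v` output for forward secrecy.

# Prints "<FS|NO-FS> <suite> [notes]" for every cipher line on stdin.
# Kx=DH and Kx=ECDH are the ephemeral exchanges (DHE/ECDHE) that give
# forward secrecy; Kx=RSA and static forms such as Kx=ECDH/RSA do not.
cipher_audit() {
    awk '
        NF < 6 { next }                       # not a cipher line
        {
            kx = au = enc = mac = ""
            for (i = 3; i <= NF; i++) {       # fields look like Key=Value
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1)
                v = substr($i, n + 1)
                if (k == "Kx")  kx  = v
                if (k == "Au")  au  = v
                if (k == "Enc") enc = v
                if (k == "Mac") mac = v
            }
            verdict = (kx == "DH" || kx == "ECDH") ? "FS" : "NO-FS"
            notes = ""
            if (au == "None")                  notes = notes " anonymous"
            if (enc ~ /^(RC4|DES|3DES|None)/)  notes = notes " weak-cipher"
            if (mac == "MD5")                  notes = notes " md5-mac"
            print verdict, $1 notes
        }'
}

# Names of the suites without forward secrecy, one per line.
non_fs_suites() {
    cipher_audit | awk '$1 == "NO-FS" { print $2 }'
}

# Exit status 0 when no suite on stdin lacks forward secrecy.
all_forward_secret() {
    [ -z "$(non_fs_suites)" ]
}

# The eight lines shown in the openssl ciphers -v output above.
page_output() {
cat <<'EOF'
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
EOF
}

# Constructed lines: two RSA key-exchange fallbacks named at the end of the
# BetterCrypto list, plus one suite that its "!RC4:!MD5" terms exclude.
legacy_fallbacks() {
cat <<'EOF'
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EOF
}

echo "Lines from the post:"
page_output | cipher_audit
echo "Constructed fallback lines:"
legacy_fallbacks | cipher_audit
```

For a real list, pipe the command itself into the function: openssl ciphers -v 'YOUR:CIPHER:LIST' | cipher_audit.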

HSTS – HTTP Strict Transport Security

# Add six earth month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"

I would not recommend HSTS if your domain contains different subdomains with self-signed certificates, because you can’t use them anymore. HSTS is a good way to force HTTP->HTTPS and has other improvements as well.

But it would cost us a valid CA-signed certificate for each subdomain, or a wildcard certificate, which is costly. Instead I use the rewrite engine of Apache.

Rewrite port 80 to 443 vhost entry

root@host:/# cat /etc/apache2/sites-available/100-default-rewrite-ssl 
<VirtualHost *:80>
    ServerName *.mydomain.tld
        RewriteEngine on
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

This ensures all the traffic is redirected to https/443

namebased vHosts

After a vhost entry has been created, it needs to be enabled

root@host:/etc/apache2/sites-available# a2ensite 103-new_vhost-ssl 
Enabling site 103-new_vhost-ssl.
To activate the new configuration, you need to run:
  service apache2 reload

reload Apache config

root@blog:/etc/apache2/sites-available# /etc/init.d/apache2 reload
[ ok ] Reloading web server config: apache2.

or disable a vhost with one command

root@blog:/etc/apache2/sites-available# a2dissite 105-old_vhost-ssl 
Site 105-old_vhost-ssl disabled.
To activate the new configuration, you need to run:
  service apache2 reload

 Simple HTTPS/TLS Port 443 vHost for Apache

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@mydomain.tld
        DocumentRoot /var/www/new_vhost
        ServerName new_vhost.mydomain.tld

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/new_vhost/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLCompression off
        SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA'
        SSLCertificateFile    /etc/ssl/certs/new_vhost.mydomain.tld.pem
        SSLCertificateKeyFile /etc/ssl/private/new_vhost.mydomain.tld.key
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
</VirtualHost>
</IfModule>

 Wildcard redirect for all unused SubDomains

The vhost of the wildcard redirect needs to be named beginning with a high number, so all low numbered vHost can match before the redirect vHost is used.

root@host:~# cat /etc/apache2/sites-available/999-default-404-ssl 
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAlias *.mydomain.tld
    Redirect 404 /
    ErrorDocument 404 https://vhost1.mydomain.tld/404_vhost.html
    ServerAdmin webmaster@mydomain.tld

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression off
    SSLCipherSuite 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA'
    SSLCertificateFile    /etc/ssl/certs/vhost1.mydomain.tld.pem
    SSLCertificateKeyFile /etc/ssl/private/vhost1.mydomain.tld.key
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

</VirtualHost>
</IfModule>

list order of  vHosts for Apache

root@blog:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server vhost1.mydomain.tld (/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost vhost1.mydomain.tld(/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost new_vhost.mydomain.tld(/etc/apache2/sites-enabled/103-new_vhost-ssl:1)
         port 443 namevhost vhost1.mydomain.tld (/etc/apache2/sites-enabled/999-default-404-ssl:2)
*:80                   is a NameVirtualHost
         default server *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
         port 80 namevhost *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
Syntax OK

 

Sources:

Name based vhosts https://httpd.apache.org/docs/2.2/vhosts/name-based.html

Add SSL to your Website http://freedif.org/add-ssl-to-your-website-https-made-easy/

Redirect 80 to Subdomain http://freedif.org/how-to-redirect-a-port-to-a-sub-domain-proxypass/

Apache2 Docs on SSL and TLS https://httpd.apache.org/docs/2.4/ssl/

ciphers – SSL cipher display and cipher list tool https://www.openssl.org/docs/apps/ciphers.html

https://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

http://www.sitepoint.com/apache-mod_rewrite-examples/

https://crashingdaily.wordpress.com/2008/03/31/steering-users-away-from-nonexistent-apache-virtual-hosts/

 

Without the systemic use of Force

I love learning and using theoretical constructs to better understand the world around me. Naturally therefore, I studied physics in college and worked as a research scientist for five years. I published my findings in peer reviewed journals five times over that period, first on organic solar cells and then on EuO thin-film crystals. My goal during this period of my life was simply to expand the frontier of human knowledge.
 
Now, my goals have shifted. I want to use economic theory as a means to abolish the use of coercion and aggression amongst mankind. Just as slavery has been abolished most everywhere, I believe violence, coercion and all forms of force by one person over another can come to an end. The most widespread and systemic use of force is amongst institutions and governments, so this is my current point of effort. The best way to change a government is to change the minds of the governed, however. To that end, I am creating an economic simulation to give people a first-hand experience of what it would be like to live in a world without the systemic use of force.

from: Ross Ulbricht

 

http://www.fbi.gov/newyork/press-releases/2014/manhattan-u.s.-attorney-announces-the-indictment-of-ross-ulbricht-the-creator-and-owner-of-the-silk-road-website

Create SSL/TLS certificates with openSSL

Self Signed Certificates

If you want to create your own self signed X.509 certificate to secure your Webservices just use them. They are as secure as every other certificate.

IMHO – CA/Certificate Authorities just take money for no additional security. Their Trust model is broken and was never secure. They only check if you are able to receive a mail linked to your domain. No more security checks.

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mydomain.tld.key -out /etc/ssl/certs/mydomain.tld.pem

Set up your vhost on Apache, lighty, nginx or any other TLS-capable web server with the key and the pem file.

Firefox brings a warning, and lets you add the certificate to your trusted certificates. Chromium warns always about the untrusted certificate. Similar to MS Internet Explorer.

If you want to put your self signed certificate on an Android Phone to remove warning, import it with the App CAdroid (GPLv3) from F-Droid Repository. CAdroid on GitHub and CAdroid Homepage

SHA1 is broken – don’t use it anymore.

Check your page with sites like https://shaaaaaaaaaaaaa.com/check/blog.cavebeat.org and verify that your certificate is signed with SHA256 instead of SHA1/MD5.

Most of the secure web is using an insecure algorithm, and Google’s just declared it to be a slow-motion emergency. Something like 90% of websites that use TLS encryption use an algorithm called SHA-1 to sign their certificates.

Unfortunately, SHA-1 is dangerously weak, and has been for a long time. It gets weaker every year, but remains widely used on the internet. Its replacement, SHA-2, is strong and supported just about everywhere.

That’s why you should add -sha256 to every openSSL command when creating new certificates.

Create a CSR File – Certificate Signing Request

If you still want to use a certificate signed by a CA, you need to create a CSR file and send it to them. Your key MUST NOT be sent to them.

openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout mydomain.tld.key -out mydomain.tld.csr

Put your *.key file into your /etc/ssl/private/ directory and send the CA company your *.csr file.

LowEnd Providers for single Domains:

  • Namecheap/Comodo/PositiveSSL – sells cheap 8€/yr certificates, hands out all necessary intermediate files.
  • StartSSL – hands out one 0$ certificate for a single domain, expect an OCSP error in the first few hours when used with FF.
  • LetsEncrypt – Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Go-live: mid-2015.
  • CAcert – CAcert.org is a community-driven certificate authority that issues free public key certificates to the public. Unfortunately they are not available as a RootCA on the platforms from which we want to access our TLS-secured web servers. Even Debian has removed CAcert from their trusted RootCA store.

They will soon send back the signed certificate mydomain.tld.CRT, which you can use like the self-signed mydomain.tld.pem file.

You will receive two or three additional certificates from your CA. These are intermediary certificates needed for the certification paths, which in the end point to your pre-installed RootCAs. Copy the intermediary files without the RootCA and the signed Cert into the file CA_path_for_mydomain.tld.crt

Apache vHost config

Certificate File – *.PEM from Self-Signed or *.CRT from CA

SSLCertificateFile    /etc/ssl/certs/mydomain.tld.crt

Private Key File – Keep this one safe!

SSLCertificateKeyFile /etc/ssl/private/mydomain.tld.key

Certificate Paths for Intermediary Certificates

SSLCertificateChainFile /etc/ssl/certs/CA_path_for_mydomain.tld.crt

Lavabit, email service Snowden reportedly used, abruptly shuts down

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

 

 

 

Create RetroShare User on Raspberry Pi

[HowTo] Create RetroShare ID on Raspberry Pi

SSH with X-Forwarding into your Raspberry Pi.
ssh -X pi@ipaddress
Download RetroShare binaries for Raspberry Pi

RetroShare binaries for Raspberry Pi are available at [HowTo]compile-retroshare-on-raspberry-pi or download them from PiShare

Place RetroShare and retroshare-nogui in your  home directory
go to your home directory

 

pi@retropi ~ $ cd ~/
pi@retropi ~ $ ./RetroShare
RetroShare:: Successfully Installed the SIGPIPE Block
Hashed main executable: a7308a6c6283892a25f5af05986ee8b6a835ab89
retroShare::basedir() -> $HOME = /home/pi
Creating Root Retroshare Config Directories
pubring file "/home/pi/.retroshare/pgp/retroshare_public_keyring.gpg" not found. 
Creating a void keyring.
Pubring read successfully.
secring file "/home/pi/.retroshare/pgp/retroshare_secret_keyring.gpg" not found. 
Creating a void keyring.
Secring read successfully.  
private trust database not found. 
No trust info loaded.
getAvailableAccounts()
No Existing User
getRetroshareDataDirectory() Linux: /usr/share/RetroShareData 
Directory not Found: /usr/share/RetroShare
Finding PGPUsers

Choose a nickname.
Enter a good, long, unique, new and secure password.

Select a Location Name.
Put a meaningful location for example: home, laptop, server, raspberrypi, etc …
This field will be used to differentiate different installations with the same identity (PGP key)

Your RetroShare is now available and ready to use.
You can run the GUI directly on LXDE, with VNC or with X-Forwarding.

Done, RetroShare is now working on your Raspberry Pi

haf phun

HowTo compile RetroShare on Raspberry Pi

This HowTo is for native compiling on Raspberry Pi.
There are other, faster ways to compile for Raspberry Pi, with architectural root or cross compiling tools or chroot. This tutorial is for compiling on the Raspberry Pi directly. It takes some time but works well. If you do not want to compile yourself, I sometimes upload binaries (Gui+noGui) to https://sourceforge.net/projects/pishare/
Tutorial should work for Debian Wheezy 7.0 in general!
First install your Raspbian (Debian ARMHF) on your Raspberry Pi and do your settings, static IP or whatever your network needs.
SSH into your Raspberry Pi
ssh pi@IPaddress
Upgrade your system
sudo apt-get update && sudo apt-get upgrade -y
Install the dependencies to build RetroShare according to http://retroshare.sourceforge.net/wiki/index.php/UnixCompile
sudo apt-get update

sudo apt-get install g++ libgnome-keyring-dev libqt4-dev libxss-dev \
             libssl-dev libupnp-dev subversion libbz2-dev \
             libprotobuf-dev protobuf-compiler cmake \
             qt4-qmake libqt4-dev-bin libbz2-dev

build libssh for RetroShare noGui first

Go to your home directory
cd ~/
create build directory
mkdir build
enter the build dir
cd build
create a directory lib
mkdir lib
enter the directory lib
cd lib
download the libssh-0.5.4 source tarball
wget https://red.libssh.org/attachments/download/41/libssh-0.5.4.tar.gz
extract the tarball
tar zxvf libssh-0.5.4.tar.gz
enter the created directory
cd libssh-0.5.4
create another build directory
mkdir build
enter the directory build
cd build
run command cmake
cmake -DWITH_STATIC_LIB=ON ..
run command make
make
libssh is built, good.

Download RetroShare Sourcecode from the Subversion Repository

go to your home directory
clone RetroShare Trunk from subversion Code repository
cd ~/build && svn co svn://svn.code.sf.net/p/retroshare/code/trunk retroshare

256MB RAM is not enough

If you do not have enough RAM (512MB), you need to create a bigger swap space.
The command “free -h” shows your RAM and swap space.
pi@retropi ~ $ free -h
             total       used       free     shared    buffers     cached
Mem:          232M        90M       141M         0B        11M        55M
-/+ buffers/cache:        23M       208M
Swap:          99M         0B        99M
 
cd ~/
create a 512MB file
sudo dd if=/dev/zero of=swapfile bs=1M count=512
turn the file into a swap file
sudo mkswap swapfile
start swapping
sudo swapon swapfile
the swap space is now increased by 512MB.
pi@retropi ~ $ free -h
             total       used       free     shared    buffers     cached
Mem:          232M       220M        11M         0B       3,2M       190M
-/+ buffers/cache:        26M       205M
Swap:         611M         0B       611M
After a restart the swap is no longer active and the swapfile is no longer needed.
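
The dd command above, run through sudo with the usual umask of 022, leaves the swap file readable by every local user, and swap holds paged-out process memory. As an added example (not from the original post), this script creates the file with mode 0600 and refuses to enable swap on a file that other users can read. The function names and the /home/pi/swapfile path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: keep the swap file private to root.

# make_private_file PATH SIZE_MB: write SIZE_MB MiB of zeros; the file is
# created under umask 077 so it is never readable by group or others.
make_private_file() {
    ( umask 077 && dd if=/dev/zero of="$1" bs=1M count="$2" 2>/dev/null ) || return 1
    chmod 600 "$1"      # also tightens a file that already existed
}

# file_is_private PATH: succeed only for a regular file that is not a
# symlink and has no group/other permission bits.
file_is_private() {
    [ -f "$1" ] || return 1
    [ ! -L "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
    esac
    return 1
}

# enable_swapfile PATH: run as root. Refuses a file other users can read.
enable_swapfile() {
    file_is_private "$1" || { echo "$1: not private, refusing" >&2; return 1; }
    mkswap "$1" && swapon "$1"
}

# Stand-alone use: sudo sh swap.sh /home/pi/swapfile 512
if [ "$#" -eq 2 ]; then
    make_private_file "$1" "$2" && enable_swapfile "$1"
fi
```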
Compiling retroshare-gui takes a long time on this small CPU.
I suggest using screen http://www.gnu.org/software/screen/
sudo apt-get install screen
start screen
screen
press Enter to dismiss the startup message

Compile RetroShare

you can run this command in a single step and it will compile libbitdht, openpgpsdk, libretroshare, rsctrl, retroshare-nogui and retroshare-gui
cd ~/build/retroshare/libbitdht/src && qmake && make clean && make -j 4 && \
cd ~/build/retroshare/openpgpsdk/src && qmake && make clean && make -j 4 && \
cd ~/build/retroshare/libretroshare/src && qmake && make clean && make -j 4 && \
cd ~/build/retroshare/rsctrl/src && make && \
cd ~/build/retroshare/retroshare-nogui/src && qmake && make clean && make -j 4 && \
cd ~/build/retroshare/retroshare-gui/src && qmake && make clean && make -j 4
and detach from this screen session with “CTRL+A D”
you can now grab a cup of coffee and watch http://www.nyan.cat/pirate.php
after 1-2 hours reattach to your screen session with “screen -r” (press TAB after it to complete the session name)
and check whether it has finished yet.
screen -r
if not finished yet, wait and do more NYANing.

Copy your fresh binaries to your preferred directory

after this process has finished:
cd ~
cd ~/build/retroshare/retroshare-nogui/src/
cp retroshare-nogui ~/
cd ~/build/retroshare/retroshare-gui/src/
cp RetroShare ~/
your executable binaries are now in your home directory
cd ~/
exit your SSH session
start SSH with X-Forwarding into your Raspberry Pi to start the GUI
for X-Forwarding use a Linux PC or a Windows PC with Xming
cd ~/
Start RetroShare and create a new ID or set up a second location for your Main ID
./RetroShare 
Your GUI should now be running

Guerilla Open Access Manifesto

Information is power. But like all power, there are those who want to keep it for 
themselves. The world's entire scientific and cultural heritage, published over centuries 
in books and journals, is increasingly being digitized and locked up by a handful of 
private corporations. Want to read the papers featuring the most famous results of the 
sciences? You'll need to send enormous amounts to publishers like Reed Elsevier. 

There are those struggling to change this. The Open Access Movement has fought 
valiantly to ensure that scientists do not sign their copyrights away but instead ensure 
their work is published on the Internet, under terms that allow anyone to access it. But 
even under the best scenarios, their work will only apply to things published in the future. 
Everything up until now will have been lost. 

That is too high a price to pay. Forcing academics to pay money to read the work of their 
colleagues? Scanning entire libraries but only allowing the folks at Google to read them? 
Providing scientific articles to those at elite universities in the First World, but not to 
children in the Global South? It's outrageous and unacceptable. 

"I agree," many say, "but what can we do? The companies hold the copyrights, they 
make enormous amounts of money by charging for access, and it's perfectly legal — 
there's nothing we can do to stop them." But there is something we can, something that's 
already being done: we can fight back. 

Those with access to these resources — students, librarians, scientists — you have been 
given a privilege. You get to feed at this banquet of knowledge while the rest of the world 
is locked out. But you need not — indeed, morally, you cannot — keep this privilege for 
yourselves. You have a duty to share it with the world. And you have: trading passwords 
with colleagues, filling download requests for friends. 

Meanwhile, those who have been locked out are not standing idly by. You have been 
sneaking through holes and climbing over fences, liberating the information locked up by 
the publishers and sharing them with your friends. 

But all of this action goes on in the dark, hidden underground. It's called stealing or 
piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a 
ship and murdering its crew. But sharing isn't immoral — it's a moral imperative. Only 
those blinded by greed would refuse to let a friend make a copy. 

Large corporations, of course, are blinded by greed. The laws under which they operate 
require it — their shareholders would revolt at anything less. And the politicians they 
have bought off back them, passing laws giving them the exclusive power to decide who 
can make copies. 

There is no justice in following unjust laws. It's time to come into the light and, in the 
grand tradition of civil disobedience, declare our opposition to this private theft of public 
culture. 

We need to take information, wherever it is stored, make our copies and share them with 
the world. We need to take stuff that's out of copyright and add it to the archive. We need 
to buy secret databases and put them on the Web. We need to download scientific 
journals and upload them to file sharing networks. We need to fight for Guerilla Open 
Access. 

With enough of us, around the world, we'll not just send a strong message opposing the 
privatization of knowledge — we'll make it a thing of the past. Will you join us? 

Aaron Swartz 

July 2008, Eremo, Italy

http://archive.org/stream/GuerillaOpenAccessManifesto/Goamjuly2008_djvu.txt