The Principles Of Datalove




Love data
Data is essential
Data must flow
Data must be used
Data is neither good nor bad
There is no illegal data
Data is free
Data can not be owned
No man, machine or system shall interrupt the flow of data
Locking data is a crime against datanity
Love data

monitoring local lan server on main munin server

I want to monitor my hostname.cavebeat.lan servers on my main server on the internet, to have access to the monitoring from everywhere. My internet connection at home has a dynamic IP, so opening a port is not a good solution. DynDNS is also not the best or most stable option.

I searched the net for an easy setup without the need for OpenVPN or other tunnel software.

SSH Reverse proxy

one of the best tutorials out there is from

and more advanced with autossh:

# ------------------------------
# autossh reverse tunnel on boot
# ------------------------------

# This is the username on your local server who has public key authentication setup at the middleman
USER_TO_SSH_IN_AS=localuser   # placeholder, the value is missing from the page

# This is the username and hostname/IP address for the middleman (internet accessible server)
MIDDLEMAN_SERVER_AND_USERNAME=remoteuser@domain.tld   # user name is a placeholder

# The following two numbers can be whatever you want, but need to be unique if you have multiple reverse ssh tunnels
# Port that the middleman will listen on (use this value as the -p argument when sshing)
PORT_MIDDLEMAN_WILL_LISTEN_ON=20005

# Connection monitoring port, don't need to know this one
AUTOSSH_PORT=27554   # placeholder value

# Ensures that autossh keeps trying to connect
AUTOSSH_GATETIME=0
export AUTOSSH_PORT AUTOSSH_GATETIME

su -c "autossh -f -N -R *:${PORT_MIDDLEMAN_WILL_LISTEN_ON}:localhost:4949 ${MIDDLEMAN_SERVER_AND_USERNAME} -p 22 -oLogLevel=error -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" $USER_TO_SSH_IN_AS

When I start this script, the server domain.tld is able to access port 4949 of my local LAN munin-monitored node via port 20005.

    use_node_name yes
    port 20005



easy as that
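The tunnel command above asks the middleman to listen on every interface and switches off host key verification. The following added example (not part of the original post) lints such a command line as text and shows a hardened variant of the same tunnel. The user name, the known_hosts path and the function names are assumptions; 20005, 4949 and domain.tld come from the post.

```shell
#!/bin/sh
# Added example: lint a reverse-tunnel command line as text.
# Nothing is executed and no network access is needed.

PORT_MIDDLEMAN_WILL_LISTEN_ON=20005               # value used in the post
MIDDLEMAN_SERVER_AND_USERNAME=tunnel@domain.tld   # user name: placeholder
KNOWN_HOSTS=/etc/autossh/known_hosts              # hypothetical pinned file

# The invocation from the post, with the variables expanded.
ORIGINAL_CMD="autossh -f -N -R *:${PORT_MIDDLEMAN_WILL_LISTEN_ON}:localhost:4949 \
${MIDDLEMAN_SERVER_AND_USERNAME} -p 22 -oLogLevel=error \
-oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no"

# Same tunnel, hardened: listen on the middleman's loopback only (the munin
# master runs there), verify the middleman's host key against a pinned file,
# and exit when the remote port cannot be bound so that autossh retries.
HARDENED_CMD="autossh -f -N -R 127.0.0.1:${PORT_MIDDLEMAN_WILL_LISTEN_ON}:localhost:4949 \
${MIDDLEMAN_SERVER_AND_USERNAME} -p 22 -oLogLevel=error \
-oUserKnownHostsFile=${KNOWN_HOSTS} -oStrictHostKeyChecking=yes \
-oExitOnForwardFailure=yes -oServerAliveInterval=30 -oServerAliveCountMax=3"

# audit_tunnel_cmd "<command line>": print one finding per line.
# Only the -oKey=value spelling of options is recognised.
audit_tunnel_cmd() {
    cmd=$1
    # A wildcard or empty bind address exposes the forwarded munin-node port
    # on all middleman interfaces when sshd has GatewayPorts enabled.
    case $cmd in
        *"-R *:"*|*"-R 0.0.0.0:"*|*"-R :"*)
            echo "wildcard-bind: forwarded port listens on all middleman interfaces" ;;
    esac
    case $cmd in
        *StrictHostKeyChecking=no*)
            echo "no-hostkey-check: the middleman's identity is never verified" ;;
    esac
    case $cmd in
        *UserKnownHostsFile=/dev/null*)
            echo "no-known-hosts: accepted host keys are thrown away" ;;
    esac
    case $cmd in
        *ExitOnForwardFailure=yes*) ;;
        *) echo "silent-forward-failure: ssh stays up even if the port was not bound" ;;
    esac
}

# count_findings "<command line>": number of findings as a bare integer.
count_findings() {
    audit_tunnel_cmd "$1" | wc -l | tr -d ' '
}

echo "original: $(count_findings "$ORIGINAL_CMD") finding(s)"
audit_tunnel_cmd "$ORIGINAL_CMD" | sed 's/^/  /'
echo "hardened: $(count_findings "$HARDENED_CMD") finding(s)"
```

With the loopback bind, the munin master on domain.tld reaches the node at 127.0.0.1 port 20005, and the pinned known_hosts file has to be filled once with the middleman's verified host key.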



Initial Tasks on a new openVZ container (virtual Server)

Normally openVZ Containers are cloned or prepared with pre-built images. So we need to update a few settings after deployment.

Localize Debian Mirrors

If your Debian Mirrors are too far away, it will take very long to install stuff with apt-get. So have a look at the Debian Mirror List and select any which are located near your server and have a better throughput and ping.

Go to your sources.list file located at /etc/apt/ and update the servers.

deb stable main contrib
deb wheezy-updates main contrib
deb wheezy/updates main contrib

Comment unwanted servers and add your localized better ones.

#deb stable main contrib
deb stable main contrib
#deb wheezy-updates main contrib
deb wheezy-updates main contrib
deb wheezy/updates main contrib

Add Backports Repository to Sources List

Sometimes our Debian Stable Repository does not contain packages we need, but Debian Testing contains it, and it was backported to stable. So we need to adapt our system to the Backports sources.
Debian Backports are recompiled packages from testing (mostly) and unstable (in a few cases only, e.g. security updates) in a stable environment so that they will run without new libraries (whenever it is possible) on a Debian stable distribution.

Add Backports Sources to your sources.list file.

deb wheezy-backports main

There are also localized Mirrors available.

deb wheezy-backports main

With this updated sources.list, we can install backported packages too.

Locales and Timezone

The system should be told which timezone it is using.

 dpkg-reconfigure tzdata

Get root and type dpkg-reconfigure locales and select the locale(s) you want to generate. At the end, you’ll be asked which one should be the default.

dpkg-reconfigure locales

Regenerate SSH Keys

On virtual servers or containers, SSH host keys are often generated with a lack of entropy, or they are cloned from an image, or there are other security implications. It often turns out that the SSH keys of different containers are identical.
Creating new keys after doing some work on the server is always a good idea. At least do it during your initial setup. Do some work on the server in the meantime, for example apt-get update && apt-get upgrade -y && apt-get install htop bmon vim, to collect some entropy.

Delete all old host keys (as root)

rm /etc/ssh/ssh_host_*

and generate new Keys

dpkg-reconfigure openssh-server

Finally, you need to update ~/.ssh/known_hosts files on client computers
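
To find out which containers still share a cloned host key, the public keys they present can be compared. This is an added example, not part of the original post: the function name, the host names and the key strings are constructed, and the input format is the one ssh-keyscan prints.

```shell
#!/bin/sh
# Added example: spot containers that still serve a cloned SSH host key.

# find_shared_hostkeys: read ssh-keyscan style lines ("host keytype base64key")
# on stdin and print one line per key that more than one host presents.
find_shared_hostkeys() {
    awk '
        NF < 3 || $1 ~ /^#/ { next }          # skip banner comments and junk
        {
            id = $2 " " $3                    # key type + key material
            if (!(id in hosts)) {
                order[++n] = id; hosts[id] = $1; count[id] = 1
            } else if (index(" " hosts[id] " ", " " $1 " ") == 0) {
                hosts[id] = hosts[id] " " $1; count[id]++
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                if (count[id] < 2) continue
                split(id, part, " ")
                printf "%s %s...: %s\n", part[1], substr(part[2], 1, 16), hosts[id]
            }
        }'
}

# Constructed sample: ct101 and ct102 were cloned from one template,
# ct103 had its host keys regenerated. The key strings are not real keys.
sample_keyscan() {
    cat <<'EOF'
# ct101.example:22 SSH-2.0-OpenSSH_6.0p1 Debian-4
ct101.example ssh-rsa AAAAB3NzaC1yc2ETEMPLATEKEYconstructed0001
ct102.example ssh-rsa AAAAB3NzaC1yc2ETEMPLATEKEYconstructed0001
ct103.example ssh-rsa AAAAB3NzaC1yc2EREGENERATEDconstructed0002
ct101.example ecdsa-sha2-nistp256 AAAAE2VjZHNhTEMPLATEKEYconstructed0003
ct102.example ecdsa-sha2-nistp256 AAAAE2VjZHNhTEMPLATEKEYconstructed0003
ct103.example ecdsa-sha2-nistp256 AAAAE2VjZHNhREGENERATEDconstructed0004
EOF
}

# Against live hosts the input would come from, for example:
#   ssh-keyscan -t rsa,ecdsa ct101.example ct102.example 2>/dev/null
sample_keyscan | find_shared_hostkeys
```

Every host listed on an output line needs the regeneration steps above, and clients need their known_hosts entry for it replaced afterwards.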

Create New User

Create new User, set home directory, create home directory, create SSH Keys

root@kopimi:~# useradd kopimi -d /home/kopimi/ -s /bin/bash
root@kopimi:~# mkdir /home/kopimi
root@kopimi:~# chown kopimi:kopimi /home/kopimi
root@kopimi:~# passwd kopimi
root@kopimi:~# su kopimi
kopimi@kopimi:/root$ cd
kopimi@kopimi:/home/kopimi$ mkdir .ssh
kopimi@kopimi:/home/kopimi$ chmod 0700 .ssh
kopimi@kopimi:/home/kopimi$ cd .ssh
kopimi@kopimi:/home/kopimi/.ssh$ ssh-keygen -t rsa -b 4096

Set Up SSH With Public-Key Authentication

It's a good idea to set up Public Key Authentication and disable Password Authentication to stop all these bruteforce kiddies.

On the client side copy the Public Key to the Remote Host

cave@laptop:~$ cd .ssh
cave@laptop:~/.ssh$ ls
id_rsa  known_hosts  known_hosts.old
cave@laptop:~/.ssh$ scp -p id_rsa.pub remoteuser@remotehost:/root/

Backup your client ssh keys, they are important now!

On the server we need to create an authorized_keys file.

root@kopimi:~# mkdir ~/.ssh
root@kopimi:~# chmod 700 ~/.ssh
root@kopimi:~# cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

Edit sshd_config

root@kopimi:~# cd /etc/ssh/  
root@kopimi:/etc/ssh# vi sshd_config

Set following value:

AuthorizedKeysFile    %h/.ssh/authorized_keys

restart ssh

root@megafr1:/etc/ssh# /etc/init.d/ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

Log out and log in again. If it works without a password, disable password login completely

PasswordAuthentication no

and restart ssh again.
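
sshd uses the first value it finds for each keyword, so a PasswordAuthentication no line appended below an earlier yes changes nothing, and keyboard-interactive authentication through PAM can still ask for a password. The following added example (not part of the original post) checks a config file as text for these cases; the function names and both sample files are constructed, and the defaults passed in are the upstream OpenSSH defaults of that era.

```shell
#!/bin/sh
# Added example: what does sshd actually use after the edit? Offline text check.

# sshd_effective KEYWORD DEFAULT < sshd_config
# Keywords are case-insensitive, the first occurrence wins, and everything
# after the first "Match" line only applies conditionally.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v dflt="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == want    { found = 1; print tolower($2); exit }
        END { if (!found) print dflt }'
}

# password_login_findings < sshd_config
# One line per reason a password can still be used to log in.
password_login_findings() {
    cfg=$(cat)
    pa=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    cr=$(printf '%s\n' "$cfg" | sshd_effective ChallengeResponseAuthentication yes)
    pam=$(printf '%s\n' "$cfg" | sshd_effective UsePAM no)
    if [ "$pa" != no ]; then
        echo "global PasswordAuthentication is '$pa'"
    fi
    if [ "$cr" = yes ] && [ "$pam" = yes ]; then
        echo "keyboard-interactive through PAM still prompts for a password"
    fi
    printf '%s\n' "$cfg" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch && tolower($1) == "passwordauthentication" && tolower($2) == "yes" {
            print "Match block on line " NR " re-enables PasswordAuthentication"
        }'
}

# Constructed: "no" was appended near the end, but an earlier "yes" wins.
appended_config() {
    cat <<'EOF'
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Constructed: the same file with the early lines edited in place.
fixed_config() {
    cat <<'EOF'
Port 22
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
AuthorizedKeysFile    %h/.ssh/authorized_keys
EOF
}

echo "appended config:"; appended_config | password_login_findings | sed 's/^/  /'
echo "fixed config: $(fixed_config | password_login_findings | wc -l | tr -d ' ') finding(s)"
```

On a running server, sshd -T prints the effective configuration and can be used to confirm the result.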

Build RetroShare v0.6.x (preAlpha) on Debian Wheezy




Install package requirements for Wheezy

First we need to install missing dependencies with apt-get. We can find build instructions and requirements in the README of the project. The packages and these instructions should also work for Ubuntu.

apt-get update 
apt-get install libglib2.0-dev libupnp-dev qt4-dev-tools \
      libqt4-dev libssl-dev libxss-dev libgnome-keyring-dev libbz2-dev \
      libqt4-opengl-dev libqtmultimediakit1 qtmobility-dev \
      libspeex-dev libspeexdsp-dev libxslt1-dev libprotobuf-dev \
      protobuf-compiler cmake libcurl4-openssl-dev

Additionally we need some more basic packages from Debian. In most cases they are already installed. If not, we need to add them:

apt-get install subversion git make build-essential unzip screen

For the package libsqlcipher-dev we need to add the backports repository for Wheezy. There is no package libsqlcipher-dev available for Debian 6 Squeeze. If you still use Debian Squeeze, c’mon and update your system. If you are running Debian 8 Jessie, libsqlcipher-dev is already in the normal repositories.

Edit /etc/apt/sources.list as described in official instructions from Debian.

root@kopimi:~# vi /etc/apt/sources.list

And add the line:

deb wheezy-backports main

and now we can install libsqlcipher-dev

root@kopimi:~# apt-get update
root@kopimi:~# apt-cache search libsqlcipher-dev
libsqlcipher-dev - SQLCipher development files
root@kopimi:~# apt-get install libsqlcipher-dev

done 😀


Download and Build libssh

Do not do this with root. We need to build libssh for retroshare-nogui.

user@kopimi:/home/user$ mkdir workbench
user@kopimi:/home/user$ cd workbench
user@kopimi:/home/user/workbench$ mkdir lib
user@kopimi:/home/user/workbench$ cd lib 
user@kopimi:/home/user/workbench/lib$ wget
user@kopimi:/home/user/workbench/lib$ tar -xzf libssh-0.6.4.tar.gz 
user@kopimi:/home/user/workbench/lib$ cd libssh-libssh-0.6.4/build/
user@kopimi:/home/user/workbench/lib/libssh-libssh-0.6.4/build$ cmake -DWITH_STATIC_LIB=ON -DWITH_GSSAPI=OFF ..
user@kopimi:/home/user/workbench/lib/libssh-libssh-0.6.4/build$ make

Download and Build RetroShare

Checkout Trunk from the Subversion Code Repository.

user@kopimi:/home/user/workbench$ svn co svn:// retroshare
user@kopimi:/home/user/workbench$ cd retroshare
user@kopimi:/home/user/workbench/retroshare$ qmake CONFIG=release && make clean && make -j 2

“make -j 2” tells make to use two threads – if you have more/less CPU cores/threads feel free to change the value


RetroShare Gui and NoGui are now available as binaries. Small compile errors are possible for the plugins. Ignore them for now.

user@kopimi:/home/user/workbench/retroshare/retroshare-gui/src$ ls RetroShare 
user@kopimi:/home/user/workbench/retroshare/retroshare-nogui/src$ ls retroshare-nogui

For easier handling I created symbolic links to the binaries in my user directory

user@kopimi:/home/user$ ln -s /home/kopimi/workbench/retroshare/retroshare-gui/src/RetroShare RetroShare
user@kopimi:/home/user$ ln -s /home/kopimi/workbench/retroshare/retroshare-nogui/src/retroshare-nogui retroshare-nogui



A Cypherpunk’s Manifesto





A Cypherpunk's Manifesto
 by Eric Hughes

 Privacy is necessary for an open society in the electronic age.
 Privacy is not secrecy. A private matter is something one doesn't
 want the whole world to know, but a secret matter is something one
 doesn't want anybody to know. Privacy is the power to selectively
 reveal oneself to the world.

 If two parties have some sort of dealings, then each has a memory of
 their interaction. Each party can speak about their own memory of
 this; how could anyone prevent it? One could pass laws against it,
 but the freedom of speech, even more than privacy, is fundamental to
 an open society; we seek not to restrict any speech at all. If many
 parties speak together in the same forum, each can speak to all the
 others and aggregate together knowledge about individuals and other
 parties. The power of electronic communications has enabled such
 group speech, and it will not go away merely because we might want it

 Since we desire privacy, we must ensure that each party to a
 transaction have knowledge only of that which is directly necessary
 for that transaction. Since any information can be spoken of, we
 must ensure that we reveal as little as possible. In most cases
 personal identity is not salient. When I purchase a magazine at a
 store and hand cash to the clerk, there is no need to know who I am. 
 When I ask my electronic mail provider to send and receive messages,
 my provider need not know to whom I am speaking or what I am saying
 or what others are saying to me; my provider only need know how to
 get the message there and how much I owe them in fees. When my
 identity is revealed by the underlying mechanism of the transaction,
 I have no privacy. I cannot here selectively reveal myself; I must
 _always_ reveal myself.

 Therefore, privacy in an open society requires anonymous transaction
 systems. Until now, cash has been the primary such system. An
 anonymous transaction system is not a secret transaction system. An
 anonymous system empowers individuals to reveal their identity when
 desired and only when desired; this is the essence of privacy.

 Privacy in an open society also requires cryptography. If I say
 something, I want it heard only by those for whom I intend it. If 
 the content of my speech is available to the world, I have no
 privacy. To encrypt is to indicate the desire for privacy, and to
 encrypt with weak cryptography is to indicate not too much desire for
 privacy. Furthermore, to reveal one's identity with assurance when
 the default is anonymity requires the cryptographic signature.

 We cannot expect governments, corporations, or other large, faceless
 organizations to grant us privacy out of their beneficence. It is to
 their advantage to speak of us, and we should expect that they will
 speak. To try to prevent their speech is to fight against the
 realities of information. Information does not just want to be free,
 it longs to be free. Information expands to fill the available
 storage space. Information is Rumor's younger, stronger cousin;
 Information is fleeter of foot, has more eyes, knows more, and
 understands less than Rumor.

 We must defend our own privacy if we expect to have any. We must
 come together and create systems which allow anonymous transactions
 to take place. People have been defending their own privacy for
 centuries with whispers, darkness, envelopes, closed doors, secret
 handshakes, and couriers. The technologies of the past did not allow
 for strong privacy, but electronic technologies do.

 We the Cypherpunks are dedicated to building anonymous systems. We
 are defending our privacy with cryptography, with anonymous mail
 forwarding systems, with digital signatures, and with electronic

 Cypherpunks write code. We know that someone has to write software
 to defend privacy, and since we can't get privacy unless we all do,
 we're going to write it. We publish our code so that our fellow
 Cypherpunks may practice and play with it. Our code is free for all
 to use, worldwide. We don't much care if you don't approve of the
 software we write. We know that software can't be destroyed and that
 a widely dispersed system can't be shut down.

 Cypherpunks deplore regulations on cryptography, for encryption is
 fundamentally a private act. The act of encryption, in fact, removes
 information from the public realm. Even laws against cryptography
 reach only so far as a nation's border and the arm of its violence.
 Cryptography will ineluctably spread over the whole globe, and with
 it the anonymous transactions systems that it makes possible.

 For privacy to be widespread it must be part of a social contract.
 People must come and together deploy these systems for the common
 good. Privacy only extends so far as the cooperation of one's
 fellows in society. We the Cypherpunks seek your questions and your
 concerns and hope we may engage you so that we do not deceive
 ourselves. We will not, however, be moved out of our course because
 some may disagree with our goals.

 The Cypherpunks are actively engaged in making the networks safer for
 privacy. Let us proceed together apace.

 Eric Hughes
 9 March 1993


Image from Chris Halderman (CC BY-ND 2.0)

Text from EFF

vHost and TLS Ciphers for Apache2/openSSL

openSSL cipherlist

The ciphers command converts textual OpenSSL cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist.

A good idea is to have a look at BetterCrypto. They share lots of good examples and practical recommendations for hardening your server.

Their recommendation for Apache Webserver:

# Enabled modules SSL and Headers are required.

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"

This is a good example and also provides good connectivity with most browser types in use.

Result of command “openssl ciphers -v” with BetterCrypto’s cipherlist:

DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

I changed the cipherlist from their recommendation and made it a little stricter. This does not include 100% of legacy Browser Versions. (thanks to MacLemon)


If we want to know the output of the improved cipherlist directly from the server, this can be easily checked at : This list has a cipher strength rating of 100/100. All ciphers support Forward Secrecy. This is what we want; Perfect Forward Secrecy is more important than ever.

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256    DHE-RSA-AES256-SHA256       TLS v1.2
TLS_DHE_RSA_WITH_AES_256_CBC_SHA       DHE-RSA-AES256-SHA          TLS v1.0
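
Whether every suite in a cipher list really offers forward secrecy can be read off the Kx= column of the openssl ciphers -v output. The following added example (not part of the original post) filters that output for suites without an ephemeral key exchange or with a weak primitive. The function names are assumptions, the first sample is the output shown above, and the second sample is constructed in the same format.

```shell
#!/bin/sh
# Added example: check `openssl ciphers -v` output for forward secrecy.

# weak_ciphers: read `openssl ciphers -v` lines on stdin and print each suite
# that lacks forward secrecy or uses a weak primitive, with the reasons.
weak_ciphers() {
    awk '
        NF < 6 || $3 !~ /^Kx=/ { next }
        {
            kx  = substr($3, 4); au  = substr($4, 4)
            enc = substr($5, 5); mac = substr($6, 5)
            why = ""
            # Ephemeral DH/ECDH is printed as plain DH or ECDH; static
            # variants carry a suffix such as DH/RSA. TLS 1.3 prints "any".
            if (kx != "DH" && kx != "ECDH" && kx != "any")
                why = why " no-forward-secrecy(Kx=" kx ")"
            if (au == "None")
                why = why " anonymous"
            if (enc ~ /^(RC4|3DES|DES|RC2|None)/)
                why = why " weak-enc(" enc ")"
            if (mac == "MD5")
                why = why " weak-mac(MD5)"
            if (why != "") print $1 ":" why
        }'
}

# The six lines of output shown above on this page.
page_cipher_output() {
    cat <<'EOF'
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
EOF
}

# Constructed lines in the same format, as a looser cipher list would yield.
legacy_cipher_output() {
    cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EOF
}

# Against a real cipher string: openssl ciphers -v 'YOUR:CIPHER:STRING' | weak_ciphers
echo "page list:   $(page_cipher_output | weak_ciphers | wc -l | tr -d ' ') suite(s) flagged"
echo "legacy list:"; legacy_cipher_output | weak_ciphers | sed 's/^/  /'
```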

HSTS – HTTP Strict Transport Security

# Add six earth month HSTS header for all users...
Header always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"

I would not recommend HSTS if your domain contains different subdomains with Self-Signed Certificates; you can’t use them anymore. HSTS is a good idea to force HTTP->HTTPS and has also other improvements.

But it would cost us a valid CA-signed Certificate for each subdomain or a WildCard Domain which is costly. I use instead the rewrite engine of Apache.

Rewrite port 80 to 443 vhost entry

root@host:/# cat /etc/apache2/sites-available/100-default-rewrite-ssl 
<VirtualHost *:80>
    ServerName *.mydomain.tld
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

This ensures all the traffic is redirected to https/443

namebased vHosts

After creating a vhost entry, it needs to be enabled

root@host:/etc/apache2/sites-available# a2ensite 103-new_vhost-ssl 
Enabling site 103-new_vhost-ssl.
To activate the new configuration, you need to run:
  service apache2 reload

reload Apache config

root@blog:/etc/apache2/sites-available# /etc/init.d/apache2 reload
[ ok ] Reloading web server config: apache2.

or disable a vhost with one command

root@blog:/etc/apache2/sites-available# a2dissite 105-old_vhost-ssl 
Site 105-old_vhost-ssl disabled.
To activate the new configuration, you need to run:
  service apache2 reload

 Simple HTTPS/TLS Port 443 vHost for Apache

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@mydomain.tld
        DocumentRoot /var/www/new_vhost
        ServerName new_vhost.mydomain.tld

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/new_vhost/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLCompression off
        SSLCertificateFile    /etc/ssl/certs/new_vhost.mydomain.tld.pem
        SSLCertificateKeyFile /etc/ssl/private/new_vhost.mydomain.tld.key
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
</VirtualHost>
</IfModule>

 Wildcard redirect for all unused SubDomains

The vhost of the wildcard redirect needs a name beginning with a high number, so that all lower-numbered vHosts can match before the redirect vHost is used.

root@host:~# cat /etc/apache2/sites-available/999-default-404-ssl 
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAlias *.mydomain.tld
    Redirect 404 /
    ErrorDocument 404 https://vhost1.mydomain.tld/404_vhost.html
    ServerAdmin webmaster@mydomain.tld

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression off
    SSLCertificateFile    /etc/ssl/certs/vhost1.mydomain.tld.pem
    SSLCertificateKeyFile /etc/ssl/private/vhost1.mydomain.tld.key
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
</VirtualHost>
</IfModule>


list order of  vHosts for Apache

root@blog:/etc/apache2/sites-available# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server vhost1.mydomain.tld (/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost vhost1.mydomain.tld(/etc/apache2/sites-enabled/100-vhost1-ssl:2)
         port 443 namevhost new_vhost.mydomain.tld(/etc/apache2/sites-enabled/103-new_vhost-ssl:1)
         port 443 namevhost vhost1.mydomain.tld (/etc/apache2/sites-enabled/999-default-404-ssl:2)
*:80                   is a NameVirtualHost
         default server *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
         port 80 namevhost *.mydomain.tld (/etc/apache2/sites-enabled/100-default-rewrite-ssl:1)
Syntax OK






Without the systemic use of Force



I love learning and using theoretical constructs to better understand the world around me. Naturally therefore, I studied physics in college and worked as a research scientist for five years. I published my findings in peer reviewed journals five times over that period, first on organic solar cells and then on EuO thin-film crystals. My goal during this period of my life was simply to expand the frontier of human knowledge.
Now, my goals have shifted. I want to use economic theory as a means to abolish the use of coercion and aggression amongst mankind. Just as slavery has been abolished most everywhere, I believe violence, coercion and all forms of force by one person over another can come to an end. The most widespread and systemic use of force is amongst institutions and governments, so this is my current point of effort. The best way to change a government is to change the minds of the governed, however. To that end, I am creating an economic simulation to give people a first-hand experience of what it would be like to live in a world without the systemic use of force.

from: Ross Ulbricht

Create SSL/TLS certificates with openSSL

Self Signed Certificates

If you want to create your own self-signed X.509 certificate to secure your web services, just use one. Self-signed certificates are as secure as every other certificate.

IMHO – CA/Certificate Authorities just take money for no additional security. Their Trust model is broken and was never secure. They only check if you are able to receive a mail linked to your domain. No more security checks.

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mydomain.tld.key -out /etc/ssl/certs/mydomain.tld.pem

Set up your vhost on Apache, lighty, nginx or any other TLS-capable web server with the key and the pem file.

Firefox shows a warning and lets you add the certificate to your trusted certificates. Chromium always warns about the untrusted certificate, as does MS Internet Explorer.

If you want to put your self signed certificate on an Android Phone to remove warning, import it with the App CAdroid (GPLv3) from F-Droid Repository. CAdroid on GitHub and CAdroid Homepage

SHA1 is broken – don’t use it anymore.

Check your page with similar sites like and verify if your certificate is signed with SHA256 instead of SHA1/MD5.

Most of the secure web is using an insecure algorithm, and Google’s just declared it to be a slow-motion emergency. Something like 90% of websites that use TLS encryption use an algorithm called SHA-1 to sign their certificates.

Unfortunately, SHA-1 is dangerously weak, and has been for a long time. It gets weaker every year, but remains widely used on the internet. Its replacement, SHA-2, is strong and supported just about everywhere.

That’s why you should add -sha256 to every openSSL command when creating new certificates.

Create a CSR File – Certificate Signing Request

If you still want to use a Certificate Signed from a CA you need to create a CSR File and send it to them. Your key MUST not be sent to them.

openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout mydomain.tld.key -out mydomain.tld.csr

Put your *.key file into your /etc/ssl/private/ directory and send the CA company your *.csr file.

LowEnd Providers for single Domains:

  • Namecheap/Comodo/PositiveSSL – sells cheap 8€/yr certificates, hands out all necessary intermediate files.
  • StartSSL – hands out one 0$ Certificate for a single domain, expect an OCSP error in the first few hours when used with FF.
  • LetsEncrypt – Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. GoLive for Mid of 2015
  • CAcert is a community-driven certificate authority that issues free public key certificates to the public. Unfortunately they are not available as RootCA in the platforms where we want to access our TLS secured WebServers. Even Debian has removed CAcert from their trusted RootCA store.

They will soon send back the signed certificate mydomain.tld.CRT, which you can use like the self-signed mydomain.tld.pem file.

You will receive two or three additional certificates from your CA. These are intermediary certificates needed for the certification path, which in the end points to your pre-installed RootCAs. Copy the intermediary files (without the RootCA) and the signed cert into the file CA_path_for_mydomain.tld.crt

Apache vHost config

Certificate File – *.PEM from Self-Signed or *.CRT from CA

SSLCertificateFile    /etc/ssl/certs/mydomain.tld.crt

Private Key File – Keep this one safe!

SSLCertificateKeyFile /etc/ssl/private/mydomain.tld.key

Certificate Paths for Intermediary Certificates

SSLCertificateChainFile /etc/ssl/certs/CA_path_for_mydomain.tld.crt

Lavabit, email service Snowden reportedly used, abruptly shuts down


My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.





Create RetroShare User on Raspberry Pi

[HowTo] Create RetroShare ID on Raspberry Pi

SSH with X-Forwarding into your Raspberry Pi.
ssh -X pi@ipaddress
Download RetroShare Binarys for Raspberry Pi

RetroShare binaries for Raspberry Pi are available at [HowTo]compile-retroshare-on-raspberry-pi or download them from PiShare

Place RetroShare and retroshare-nogui in your  home directory
go to your home directory


pi@retropi ~ $ cd ~/
pi@retropi ~ $ ./RetroShare
RetroShare:: Successfully Installed the SIGPIPE Block
Hashed main executable: a7308a6c6283892a25f5af05986ee8b6a835ab89
retroShare::basedir() -> $HOME = /home/pi
Creating Root Retroshare Config Directories
pubring file "/home/pi/.retroshare/pgp/retroshare_public_keyring.gpg" not found. 
Creating a void keyring.
Pubring read successfully.
secring file "/home/pi/.retroshare/pgp/retroshare_secret_keyring.gpg" not found. 
Creating a void keyring.
Secring read successfully.  
private trust database not found. 
No trust info loaded.
No Existing User
getRetroshareDataDirectory() Linux: /usr/share/RetroShareData 
Directory not Found: /usr/share/RetroShare
Finding PGPUsers

Choose a nickname.
Enter a good, long, unique, new and secure password.


Select a Location Name.
Put a meaningful location for example: home, laptop, server, raspberrypi, etc …
This field will be used to differentiate different installations with the same identity (PGP key)


Your RetroShare is now available and ready to use.
You can run the GUI directly on LXDE, with VNC or with X-Forwarding.


Done, RetroShare is now working on your Raspberry Pi

haf phun