Categories
Awesome Privacy Technology

Firefox Extensions

Here is a short list of Firefox extensions that I think are essential for your everyday browsing. I don’t want to persuade you into using them, this is more like a note to self for future reference.

Other nice to have extensions are these:

And it goes without saying that if there is one thing you don’t need, it is Adobe *, e.g. Flash. Just don’t download it. No one needs it. No one.

(1054)

Categories
Awesome PicoPosts Projects

Playful Little Corpses Released

My very own horror game “Playful Little Corpses” is now released.

Playful Little Corpses

To find out more about it, head to the project entry page or to the main page of the game. Download it and give it a try!

Project entry page: projects.dejvino.com/w/playful-little-corpses/

Main page: hrave.mrtvolky.cz

(807)

Categories
Awesome PicoPosts Projects

Projects page is open

I’ve opened a new page dedicated to the projects I worked on. You can find links to source code of various games and utilities. Every project entry is described in short and you know whether it was just an idea I didn’t have time to finish, or a fully working product.  The list goes years back.

Link to the actual website:

projects.dejvino.com

(789)

Categories
Awesome Linux Open source Programming Projects Technology Web development

HTTP and HTTPS running on the same port

Running HTTP and HTTPS on the same port with Apache. They said it couldn’t be done. They were wrong!

https://github.com/Dejvino/https-multiplexer

I’ve modified a simple Python port forwarding utility to act as a port multiplexer that can automatically forward HTTP and HTTPS requests to the appropriate ports. If the request looks like an HTTP in plain text, it forwards it to port A. Otherwise it is assumed to be HTTPS and is forwarded to port B.

Now you can run your web applications from a single port, regardless of using HTTP or HTTPS. Hooray!

(1997)

Categories
Linux Open source Privacy Projects Technology Web development

How to become a Certification Authority

This short How-To has been compiled based on the work I’ve done so far while building my personal home server. To achieve reasonable level of privacy without spending a fortune on it, I’ve become my own Certification Authority (CA).

Overview

These are the basic steps covered later in detail:

  1. Create a CA key and certificate.
  2. Create a server key and a Certificate signing request (CSR).
  3. Sign the CSR using the CA key.
  4. Use the new server certificate in Apache.
  5. Import the CA certificate into your browsers.
  6. … Profit!

What this results in is a single certificate file for your CA that you distribute and import into your browsers (PC, phone, …). Every individual signed server / service certificate you create and use is then automatically recognized as valid and trusted. If you are using a personal set of services (various web applications, XMPP server, etc.), this saves you a lot of “exception adding”, just import one (your) CA certificate and everything is working, no need for the browser to nag about self-signed certificates.

Detailed how-to

Creating a CA key pair

First, prepare your “playground”, a data storage somewhere on your (preferably Linux) computer. It should look like this:

root-ca
 |-- conf     ... for configuration files.
 |-- private  ... for private CA key (protect this directory!)
 |-- public   ... for public CA key
 |-- requests ... for incoming CSR
 +-- certs    ... for resulting certificates

Now cd to the root-ca directory. Create a configuration file conf/openssl.conf with the following content:

[ req ]
default_bits            = 2048
default_keyfile         = ./private/root.pem
default_md              = sha1
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions = v3_ca

[ root_ca_distinguished_name ]
countryName             = UK
stateOrProvinceName     = Sussex
localityName            = Brighton
0.organizationName      = Example Inc
commonName              = Example Inc Root CA
emailAddress            = david@example.com

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = .
new_certs_dir           = ./certs/
database                = ./conf/index
certificate             = ./public/root.pem
serial                  = ./conf/serial
private_key             = ./private/root.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_crl_days        = 30
default_days            = 365
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
nsCaRevocationUrl       = https://www.example.com/example-ca-crl.pem

It might look long and complicated, but most of it is pretty self explanatory. What you should edit is the root_ca_distinguished_name section and the nsCaRevocationUrl.

Then initialize the “certificate counters”, like so:

echo "01" > conf/serial
touch conf/index

Finally, generate a CA key pair (public and private root.pem files):

openssl req -nodes -config conf/openssl.conf -days 1825 -x509 -newkey rsa:2048 -out public/root.pem -outform PEM

Creating a server key pair

On the server for which you want to obtain a signed certificate, do this:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Then you can transfer the server.csr file to the CA’s requests directory.

Signing the CSR

Simply call this command and you get a signed certificate server.cert from a request server.csr:

openssl ca -batch -config conf/openssl.conf -in requests/server.csr -out certs/server.cert

Setting up SSL in Apache

Somewhere in the httpd.conf or inside a virtual host configuration add these lines:

 Listen 443
 SSLEngine on
 SSLCertificateFile /path/to/keys/server.cert
 SSLCertificateKeyFile /path/to/keys/server.key
 SSLCertificateChainFile /path/to/keys/root.pem

These lines activate SSL and the port for SSL, specify server certificate, private certificate key and (optionally) root CA certificate. After restarting the server, HTTPS should be ready to use.

Importing and using

Different applications have different ways of importing trusted CA certificates.

On Windows, you just “execute” the certificate and install it into the appropriate category. This should take care of most of your applications. Web browser (e.g. Firefox) might need to have this certificate installed explicitly, ignoring certificates in the OS.

On Linux, look for /etc/ca-certificates.conf, add the certificate filename there and copy the file to /usr/share/ca-certificates/. Then run update-ca-certificates –fresh to recreate the list of known certificates.

 

Based on these articles:

(2905)

Categories
Awesome PicoPosts Projects

New Homepage

After uniting both of my personal domains (dejvino.cz and dejvino.com) to have the same content, I’ve prepared a new personal hompage.

Links:

www.dejvino.cz
www.dejvino.com

The purpose of this page is to act as a simple roadsign with directions to all of my projects and pages.
There is also a little “easter egg” floating around that page. Try to find it!

(1028)

Categories
Linux PicoPosts Projects Raspberry Pi Technology

Linux udev USB automount script

I’ve been wondering how to enable automounting of USB drives on my Raspberry Pi server. The sollution is pretty simple with udev on Arch Linux.

  1. Create a new file /etc/udev/rules.d/automount.rules
  2. Fill this script:
    ACTION=="add",KERNEL=="sda*", RUN+="/usr/bin/mount /dev/sda1 /mnt/disk-a"
    ACTION=="remove", KERNEL=="sda*", RUN+="/usr/bin/umount /mnt/disk-a"
  3. Run udevadm control --reload-rules to reload the rules.
  4. Done!

Naturally you should modify the script to your needs. What this one does for me is that when sda1 is connected, it is mounted as /mnt/disk-a (and unmounted when removed). Adding more lines like this can be used to mount more / other drives.

(9293)

Categories
Linux Privacy Projects Technology

Building a Digital Haven (home server)

As part of my “Prism break” initiative, I’ve started working on a personal (family) server — a safe haven in the wild digital world.

Target and usage

  • near-silent box you turn on and forget about
  • low energy consumption
  • large disk space
  • above-average data storage reliability, probably via RAID 1
  • web server (for email client, “cloud” storage interface, …, Friendica, etc.)
  • IM server (Jabber)

Hardware

Ideal setup: specialized low-energy no-fans computer.
Problem: hard to come by the appropriate parts, expensive, weak hardware.

My current plan: choose from what is available on the regular PC market, focus on power consumption, size and minimize unnecessary components / features.
Reason: consumer electronics are pretty cheap, standardized, easy to obtain. The bill for electricity will not outweigh the cost of a more energy efficient hardware.

— W-I-P —

Motherboard

Must have:

  • several SATA ports — for several disks
  • RAID 1 support
  • basic integrated graphics card (just for the setup phase, will not be actually used later on)

Should have:

  • USB 3.0 — for external disks
  • eSATA — for external disks

Selected type: AMD, FM2 socket. Supports the latest Trinity processors. These should have some usable power-saving capabilities.

Example: ASUS F2A85-M LE

Processor

Should have:

  • power-saving options — large portions of time it’s not going to be used
  • multiple cores — will have to serve multiple requests at a time

Selected type: based on the selected motherboard.

Example: AMD Athlon X4 740

Memory

Size “table”:

  • 2 GB — bare minimum
  • 4 GB — sufficient for most work
  • 8 GB — sufficient for most work with a nice reserve and smooth operation
  • 16 GB — virtualization becomes a usable possibility
  • 32 GB — … Hello? Anyone there? … *sound of echo*

Basic memory sticks seem to be the best — no fancy coolers needed, that can only mean energy wasted.

Example: Kingston 8GB 1333MHz

Power supply

Should have:

  • less than 400 W — should be a low-energy device, so no need for anything stronger
  • large fan (if any) — large means less RPMs means less noise
  • surge-protection etc.

Example: Seasonic G Series 360W

Hard drives

Setup:

  • 1 system disk
  • 2 data disks in RAID 1

Data disks should be separate from the OS disk. It would be best if the data disks could be simply unplugged and used freely on their own if the server broke down.

Energy efficiency is a question here: shared OS+Data disk would be a one-disk-less solution, meaning less devices to power. On the other hand, if the data is not needed, the disks may be powered down and only one device would then run.

Should have:

  • generally
    • low energy consumption (lower RPMs, etc.)
  • system disk
    • 32+ GB of space
    • fast
    • used for the OS and installed applications
  • data disk
    • 1+ TB of space
    • mostly sequential access to larger files, not many changes, mostly read operations

Example:

System disk — 32 GB SSD?

Data disk — WD Green WD10EZRX 3.5″ 1TB

Other things

Electricity usage meter might come in handy. Example: BaseTech Cost Control 3000

 

Grand total: 11 500 CZK = 444 EUR = 584 USD

…it is arguable whether it is worth it. Time for a web-hosting solution!

(1179)

Categories
Friendica Ideas Open source Privacy Projects Raspberry Pi Technology Uncategorized

Prism break

If you haven’t heard about the Prism scandal, you should read a bit about it. But basically, numerous large companies based in the US have allowed private information of their users to be accessible to the government (the NSA, to be more exact). Maybe even yours, if you’ve ever interacted with companies like Google, Apple, Facebook and others.

As mentioned on the Prism-Break website, there are lots of alternatives to the services and software most of us currently use. And surprisingly, it should’t be that hard to switch to a more secure and privacy-protecting solution to your daily internet-related needs.

Here is my personal ‘Prism break’ roadmap, or a security todo list:
Note: work in progress, subject to change.

Email

Biggest challenge as far as I can see. The concept itself is sadly not really that secure.

Must have:

  • highly reliable (so no self-hosted solutions are acceptable)
  • web client for easy accessibility
  • address based on own domain name (and email address), e.g. me at dejvino dot com
  • at least country-local hosting (i.e. here in Czech Republic for me)

Should have:

  • contacts
  • calendar

Could have:

  • email content encryption. Currently it seems pretty impractical, but who knows. Maybe there is a usable solution?

Some cheap web-hosting with emails? http://hosting.wedos.com/cs/webhosting.html

IM

Similar to email. Doesn’t require 100% availability.

Ideas:

  • own secure Jabber/XMPP server? Could be self-hosted / VPS. Expensive, hard to maintain.
  • rented server? server-side history is hard to come by. Only Google has got it all…

Should have:

  • encrypted transmission
  • secured history saved on server side

Web hosting

I’m currently using external paid services. I might switch to a more custom solution, i.e. home server.

Raspberry Pi anyone? … UPDATE: nope, it could work for really simple services, but running anything more sophisticated results in long response times. And since I’ve got big plans, it is not the right solution.

Cloud storage

Dropbox has been a great service — lots of free space, great tools on Windows as well as on Android.
I’m in the process of switching to a more controlled ownCloud server solution.

Must have:

  • web interface
  • handle large files
  • access restrictions
  • per-user space limits (quotas)
  • PC client (Windows)

Should have:

  • online music streamer
  • public file-linking capability
  • applications / plugins / extensions

Could have:

  • Android client
  • synchronization / backup support

Social media

Friendica is a project I’ve been using a bit and am planing to use a bit more. But the other “standard” ones still seem quite usable, to some extent.

Should have:

  • RSS-feed-reader-like view
  • responsive design / client for Android
  • integration of different social networks

TODO: move Friendica to a more powerful server. It is quite CPU-demanding.

Web browsing

Type Current New Status
Browser Google Chrome Firefox DONE
Passwords KeePass KeePass + KeeFox DONE
Plugins DoNotTrackMe, HTTPS Everywhere, … see FixTracking.com as a handy guide. DONE

(3892)

Categories
Awesome Music Technology

Floppy drive music

I knew this could be done! … Game of Thrones’ main theme played by 6 floppy drives. Enjoy.

http://www.youtube.com/watch?v=IYQWLlBz8hE&feature=youtu.be&t=7m27s

(1227)