Category: Privacy

Privacy of your personal information

Categories
Guides Privacy Self-hosting Technology

Offsite backup solution – Part 0

Our digital belongings are growing in size and importance. Family photos, accounting documents, beloved video games, losing them would be a nightmare. Having a backup is definitely mandatory. And if you’re self-hosting a lot like me, an offsite backup is a good way to be able to sleep calmly at night. I recently needed to rebuild my offsite storage system and so I decided to share my setup and my experience using it. This might be a long series, so hold on!

What Are Offsite Backups?

Offsite backups mean storing copies of your data in a different physical location from your main data. That means outside of your house! This way, if something unexpected happens (like a fire, theft, or hardware failure), your data is not completely lost. You could use cloud services for this, but we’ll focus on self-hosted solutions. I like to be in control, plus it gives me good understanding of how it all works.

Benefits of Offsite Backups

  1. Data Security: Keeping your data in a separate place protects it from local disasters.
  2. Redundancy: Extra copies of your data mean you’re covered if something goes wrong.
  3. Peace of Mind: Knowing your data is safe offsite gives you one less thing to worry about.

Additionally, if your backup is offline (in cold storage), it will be cheaper to run. No electricity or compute needed. And no need for fancy firewalls or access management, no one has access to the data unless they physically get to the hard drive.

My Self-Hosted Offsite Backup Setup

I run a local NAS with mirrored hard drives, shared over SMB on the LAN. This is the primary storage.

Next, there is a tiny ARM computer with an external hard drive that receives a weekly snapshot from the NAS, stored and encrypted via BorgBackup.

Lastly, a lonely external hard drive lives in my relative’s flat. And every time I make a visit there, I bring the other hard drive and swap them out.

Self-Hosted Backup Solution Overview

Step 1: Set Up Your Backup Server

  1. Choose Your Hardware: An old computer, a NAS, a Raspberry Pi. Make sure you have enough storage space on two separate drives.
  2. Install Linux: A lightweight Linux distro like Ubuntu Server or Debian works great.
  3. Secure Your Server: Set up SSH for remote access, configure a firewall, and keep your system updated.

Step 2: Configure the Backup Software

  1. Install the backup software: BorgBackup in this case.
  2. Configure mount points: both to the source and the destination of the backup.

Step 3: Automate and Monitor Your Backups

  1. Set up the automation: Fetch the data diff, compress and encrypt it, store it.
  2. Monitoring: Make sure you periodically find out that things DO work.
  3. Swap the drives: This is the actual offsite step!

Step 4: Test Your Backups

  1. Regular Testing: Periodically try and restore some data to make sure your backups and tools work.
  2. Health Checks: Inspect the state of the drives to replace them before they go ERR!

Is that it?

I didn’t even start yet! This was just a brief introduction of what I’m about to discuss in this series. More details to come in the next part where I’ll look into setting up the hardware.

Categories
Ideas Privacy Technology

Idea: Free Internet Over Telegram

Here’s an idea how to get unlimited free Internet data for your mobile device:

  1. Buy a pre-paid SIM card with a “free Telegram traffic” package
  2. Write a TUN device transferring data over a Telegram chat
  3. Setup a tunnel between a “client device” and a “server device” (i.e. a phone with the SIM and a VPS)
  4. Free internet!

Why? Mobile service providers often offer unlimited data to certain servers as a promotion (they get some revenue from promoting the service). And since all of the traffic will be going through these servers, you won’t hit the FUP limit.

Feel free to substitute Telegram with any chat service, though this one seemed the most open and API-accessible out of the offered ones.

Resources

Categories
Awesome Privacy Technology

Firefox Extensions

Here is a short list of Firefox extensions that I think are essential for your everyday browsing. I don’t want to persuade you into using them, this is more like a note to self for future reference.

Other nice to have extensions are these:

And it goes without saying that if there is one thing you don’t need, it is Adobe *, e.g. Flash. Just don’t download it. No one needs it. No one.

Categories
Linux Open source Privacy Projects Technology Web development

How to become a Certification Authority

This short How-To has been compiled based on the work I’ve done so far while building my personal home server. To achieve reasonable level of privacy without spending a fortune on it, I’ve become my own Certification Authority (CA).

Overview

These are the basic steps covered later in detail:

  1. Create a CA key and certificate.
  2. Create a server key and a Certificate signing request (CSR).
  3. Sign the CSR using the CA key.
  4. Use the new server certificate in Apache.
  5. Import the CA certificate into your browsers.
  6. … Profit!

What this results in is a single certificate file for your CA that you distribute and import into your browsers (PC, phone, …). Every individual signed server / service certificate you create and use is then automatically recognized as valid and trusted. If you are using a personal set of services (various web applications, XMPP server, etc.), this saves you a lot of “exception adding”, just import one (your) CA certificate and everything is working, no need for the browser to nag about self-signed certificates.

Detailed how-to

Creating a CA key pair

First, prepare your “playground”, a data storage somewhere on your (preferably Linux) computer. It should look like this:

root-ca
 |-- conf     ... for configuration files.
 |-- private  ... for private CA key (protect this directory!)
 |-- public   ... for public CA key
 |-- requests ... for incoming CSR
 +-- certs    ... for resulting certificates

Now cd to the root-ca directory. Create a configuration file conf/openssl.conf with the following content:

[ req ]
default_bits            = 2048
default_keyfile         = ./private/root.pem
default_md              = sha1
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions = v3_ca

[ root_ca_distinguished_name ]
countryName             = UK
stateOrProvinceName     = Sussex
localityName            = Brighton
0.organizationName      = Example Inc
commonName              = Example Inc Root CA
emailAddress            = david@example.com

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = .
new_certs_dir           = ./certs/
database                = ./conf/index
certificate             = ./public/root.pem
serial                  = ./conf/serial
private_key             = ./private/root.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_crl_days        = 30
default_days            = 365
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
nsCaRevocationUrl       = https://www.example.com/example-ca-crl.pem

It might look long and complicated, but most of it is pretty self explanatory. What you should edit is the root_ca_distinguished_name section and the nsCaRevocationUrl.

Then initialize the “certificate counters”, like so:

echo "01" > conf/serial
touch conf/index

Finally, generate a CA key pair (public and private root.pem files):

openssl req -nodes -config conf/openssl.conf -days 1825 -x509 -newkey rsa:2048 -out public/root.pem -outform PEM

Creating a server key pair

On the server for which you want to obtain a signed certificate, do this:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Then you can transfer the server.csr file to the CA’s requests directory.

Signing the CSR

Simply call this command and you get a signed certificate server.cert from a request server.csr:

openssl ca -batch -config conf/openssl.conf -in requests/server.csr -out certs/server.cert

Setting up SSL in Apache

Somewhere in the httpd.conf or inside a virtual host configuration add these lines:

 Listen 443
 SSLEngine on
 SSLCertificateFile /path/to/keys/server.cert
 SSLCertificateKeyFile /path/to/keys/server.key
 SSLCertificateChainFile /path/to/keys/root.pem

These lines activate SSL and the port for SSL, specify server certificate, private certificate key and (optionally) root CA certificate. After restarting the server, HTTPS should be ready to use.

Importing and using

Different applications have different ways of importing trusted CA certificates.

On Windows, you just “execute” the certificate and install it into the appropriate category. This should take care of most of your applications. Web browser (e.g. Firefox) might need to have this certificate installed explicitly, ignoring certificates in the OS.

On Linux, look for /etc/ca-certificates.conf, add the certificate filename there and copy the file to /usr/share/ca-certificates/. Then run update-ca-certificates –fresh to recreate the list of known certificates.

 

Based on these articles:

Categories
Linux Privacy Projects Technology

Building a Digital Haven (home server)

As part of my “Prism break” initiative, I’ve started working on a personal (family) server — a safe haven in the wild digital world.

Target and usage

  • near-silent box you turn on and forget about
  • low energy consumption
  • large disk space
  • above-average data storage reliability, probably via RAID 1
  • web server (for email client, “cloud” storage interface, …, Friendica, etc.)
  • IM server (Jabber)

Hardware

Ideal setup: specialized low-energy no-fans computer.
Problem: hard to come by the appropriate parts, expensive, weak hardware.

My current plan: choose from what is available on the regular PC market, focus on power consumption, size and minimize unnecessary components / features.
Reason: consumer electronics are pretty cheap, standardized, easy to obtain. The bill for electricity will not outweigh the cost of a more energy efficient hardware.

— W-I-P —

Motherboard

Must have:

  • several SATA ports — for several disks
  • RAID 1 support
  • basic integrated graphics card (just for the setup phase, will not be actually used later on)

Should have:

  • USB 3.0 — for external disks
  • eSATA — for external disks

Selected type: AMD, FM2 socket. Supports the latest Trinity processors. These should have some usable power-saving capabilities.

Example: ASUS F2A85-M LE

Processor

Should have:

  • power-saving options — large portions of time it’s not going to be used
  • multiple cores — will have to serve multiple requests at a time

Selected type: based on the selected motherboard.

Example: AMD Athlon X4 740

Memory

Size “table”:

  • 2 GB — bare minimum
  • 4 GB — sufficient for most work
  • 8 GB — sufficient for most work with a nice reserve and smooth operation
  • 16 GB — virtualization becomes a usable possibility
  • 32 GB — … Hello? Anyone there? … *sound of echo*

Basic memory sticks seem to be the best — no fancy coolers needed, that can only mean energy wasted.

Example: Kingston 8GB 1333MHz

Power supply

Should have:

  • less than 400 W — should be a low-energy device, so no need for anything stronger
  • large fan (if any) — large means less RPMs means less noise
  • surge-protection etc.

Example: Seasonic G Series 360W

Hard drives

Setup:

  • 1 system disk
  • 2 data disks in RAID 1

Data disks should be separate from the OS disk. It would be best if the data disks could be simply unplugged and used freely on their own if the server broke down.

Energy efficiency is a question here: shared OS+Data disk would be a one-disk-less solution, meaning less devices to power. On the other hand, if the data is not needed, the disks may be powered down and only one device would then run.

Should have:

  • generally
    • low energy consumption (lower RPMs, etc.)
  • system disk
    • 32+ GB of space
    • fast
    • used for the OS and installed applications
  • data disk
    • 1+ TB of space
    • mostly sequential access to larger files, not many changes, mostly read operations

Example:

System disk — 32 GB SSD?

Data disk — WD Green WD10EZRX 3.5″ 1TB

Other things

Electricity usage meter might come in handy. Example: BaseTech Cost Control 3000

 

Grand total: 11 500 CZK = 444 EUR = 584 USD

…it is arguable whether it is worth it. Time for a web-hosting solution!

Categories
Friendica Ideas Open source Privacy Projects Raspberry Pi Technology Uncategorized

Prism break

If you haven’t heard about the Prism scandal, you should read a bit about it. But basically, numerous large companies based in the US have allowed private information of their users to be accessible to the government (the NSA, to be more exact). Maybe even yours, if you’ve ever interacted with companies like Google, Apple, Facebook and others.

As mentioned on the Prism-Break website, there are lots of alternatives to the services and software most of us currently use. And surprisingly, it should’t be that hard to switch to a more secure and privacy-protecting solution to your daily internet-related needs.

Here is my personal ‘Prism break’ roadmap, or a security todo list:
Note: work in progress, subject to change.

Email

Biggest challenge as far as I can see. The concept itself is sadly not really that secure.

Must have:

  • highly reliable (so no self-hosted solutions are acceptable)
  • web client for easy accessibility
  • address based on own domain name (and email address), e.g. me at dejvino dot com
  • at least country-local hosting (i.e. here in Czech Republic for me)

Should have:

  • contacts
  • calendar

Could have:

  • email content encryption. Currently it seems pretty impractical, but who knows. Maybe there is a usable solution?

Some cheap web-hosting with emails? http://hosting.wedos.com/cs/webhosting.html

IM

Similar to email. Doesn’t require 100% availability.

Ideas:

  • own secure Jabber/XMPP server? Could be self-hosted / VPS. Expensive, hard to maintain.
  • rented server? server-side history is hard to come by. Only Google has got it all…

Should have:

  • encrypted transmission
  • secured history saved on server side

Web hosting

I’m currently using external paid services. I might switch to a more custom solution, i.e. home server.

Raspberry Pi anyone? … UPDATE: nope, it could work for really simple services, but running anything more sophisticated results in long response times. And since I’ve got big plans, it is not the right solution.

Cloud storage

Dropbox has been a great service — lots of free space, great tools on Windows as well as on Android.
I’m in the process of switching to a more controlled ownCloud server solution.

Must have:

  • web interface
  • handle large files
  • access restrictions
  • per-user space limits (quotas)
  • PC client (Windows)

Should have:

  • online music streamer
  • public file-linking capability
  • applications / plugins / extensions

Could have:

  • Android client
  • synchronization / backup support

Social media

Friendica is a project I’ve been using a bit and am planing to use a bit more. But the other “standard” ones still seem quite usable, to some extent.

Should have:

  • RSS-feed-reader-like view
  • responsive design / client for Android
  • integration of different social networks

TODO: move Friendica to a more powerful server. It is quite CPU-demanding.

Web browsing

Type Current New Status
Browser Google Chrome Firefox DONE
Passwords KeePass KeePass + KeeFox DONE
Plugins DoNotTrackMe, HTTPS Everywhere, … see FixTracking.com as a handy guide. DONE