An argument against proxies

Inductive Bias | 17:53, Thursday, 08 March 2018

Encrypted files in Dropbox

Evaggelos Balaskas - System Engineer | 19:18, Sunday, 04 March 2018

Encrypted files in Dropbox

As we live in the age of smartphones and mobility access to the cloud, the more there is the need to access our files from anywhere. We need our files to be available on any computer, ours (private) or others (public). Traveling with your entire tech equipment is not always a good idea and with the era of cloud you dont need to bring everything with you.

There are a lot of cloud hosting files providers out there. On wikipedia there is a good Comparison of file hosting services article you can read.

I’ve started to use Dropbox for that reason. I use dropbox as a public digital bucket, to store and share public files. Every digital asset that is online is somehow public and only when you are using end-to-end encryption then you can say that something is more secure than before.

I also want to store some encrypted files on my cloud account, without the need to trust dropbox (or any cloud hosting file provider for that reason). As an extra security layer on top of dropbox, I use encfs and this blog post is a mini tutorial of a proof of concept.

EncFS - Encrypted Virtual Filesystem

(definition from encfs github account)

EncFS creates a virtual encrypted filesystem which stores encrypted data in the rootdir directory and makes the unencrypted data visible at the mountPoint directory. The user must supply a password which is used to (indirectly) encrypt both filenames and file contents.

That means that you can store your encrypted files somewhere and mount the decrypted files on folder on your computer.

Disclaimer: I dont know how secure is encfs. It is an extra layer that doesnt need any root access (except the installation part) for end users and it is really simple to use. There is a useful answer on stackexchange that you night like to read .

For more information on enfs you can also visit EncFS - Wikipedia Page

Install EncFS

• archlinux

  $ sudo pacman -S --noconfirm encfs

• fedora

  $ sudo dnf -y install fuse-encfs

• ubuntu

  $ sudo apt-get install -y encfs

How does Encfs work ?

• You have two(2) directories. The source and the mountpoint.
• You encrypt and store the files in the source directory with a password.
• You can view/edit your files in cleartext, in the mount point.

1. Create a folder inside dropbox
   eg. /home/ebal/Dropbox/Boostnote

2. Create a folder outside of dropbox
   eg. /home/ebal/Boostnote

both folders are complete empty.

3. Choose a long password.
   just for testing, I am using a SHA256 message digest from an image that I can found on the internet!
   eg. sha256sum /home/ebal/secret.png

that means, I dont know the password but I can re-create it whenever I hash the image.

BE Careful This suggestion is an example - only for testing. The proper way is to use a random generated long password from your key password manager eg. KeePassX

How does dropbox works?

The dropbox-client is monitoring your /home/ebal/Dropbox/ directory for any changes so that can sync your files on your account.

You dont need dropbox running to use encfs.

Running the dropbox-client is the easiest way, but you can always use a sync client eg. rclone to sync your encrypted file to dropbox (or any cloud storage).

I guess it depends on your thread model. For this proof-of-concept article I run dropbox-client daemon in my background.

Create and Mount

Now is the time to mount the source directory inside dropbox with our mount point:

$ sha256sum /home/ebal/secret.png |
    awk '{print $1}' |
    encfs -S -s -f /home/ebal/Dropbox/Boostnote/ /home/ebal/Boostnote/

Reminder: EncFs works with absolute paths!

Check Mount Point

$ mount | egrep -i encfs

encfs on /home/ebal/Boostnote type fuse.encfs
(rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,default_permissions)

View Files on Dropbox

Files inside dropbox:

View Files on the Mount Point

Unmount EncFS Mount Point

When you mount the source directory, encfs has an option to auto-umount the mount point on idle.
Or you can use the below command on demand:

$ fusermount -u /home/ebal/Boostnote

On another PC

The simplicity of this approach is when you want to access these files on another PC.
dropbox-client has already synced your encrypted files.
So the only thing you have to do, is to type on this new machine the exact same command as in Create & Mount chapter.

$ sha256sum /home/ebal/secret.png |
    awk '{print $1}' |
    encfs -S -s -f /home/ebal/Dropbox/Boostnote/ /home/ebal/Boostnote/

Android

How about Android ?

You can use Cryptonite.

Cryptonite can use EncFS and TrueCrypt on Android and you can find the app on Google Play

The Goal and The DevOps Handbook

Evaggelos Balaskas - System Engineer | 12:44, Monday, 26 February 2018

I’ve listened two audiobooks this month, both on DevOps methodology or more accurate on continuous improving of streamflow.

also started audible - amazon for listening audiobooks. The android app is not great but decent enough, although most of the books are DRM.

The first one is The Goal - A Process of Ongoing Improvement by: Eliyahu M. Goldratt, Jeff Cox

I can not stress this enough: You Have To Read this book. This novel is been categorized under business and it is been written back in 1984. You will find innovating even for today’s business logic. This book is the bases of “The Phoenix Project” and you have to read it before the The Phoenix Project. You will understand in details how lean and agile methodologies drive us to DevOps as a result of Ongoing Improvement.

https://www.audible.com/pd/Business/The-Goal-Audiobook/B00IFG88SM

The second book is The DevOps Handbook or How to Create World-Class Agility, Reliability, and Security in Technology Organizations by By: Gene Kim, Patrick Debois, John Willis, Jez Humble Narrated by: Ron Butler

I have this book in both hardcopy and audiobook. It is indeed a handbook. If you are just now starting on devops you need to read it. Has stories of companies that have applied the devops practices and It is really well structured. My suggestion is to keep notes when reading/listening to this book. Keep notes and re-read them.

https://www.audible.com/pd/Business/The-DevOps-Handbook-Audiobook/B0767HHZLZ

Okular gains some more JavaScript support

TSDgeos' blog | 15:53, Friday, 23 February 2018

Hacking at EPFL Toastmasters, Lausanne, tonight

DanielPocock.com - fsfe | 11:39, Tuesday, 20 February 2018

SwissPost putting another nail in the coffin of Swiss sovereignty

DanielPocock.com - fsfe | 22:17, Sunday, 18 February 2018

I love Free Software Day 2018

Ramblings of a sysadmin (Posts about planet-fsfe) | 22:10, Wednesday, 14 February 2018

Today isn't just Valentines day, but also I love Free Software Day! I've been using (and contributing) Free Software for years now and don't want anything else. Even when I've given non-Free Software another chance, every time I was glad when I returned to Free Software.

A big thank you goes out to all developers, sysadmins, network guru's, translators, bugsquashers and all other contributors.

A small selection of tools/libraries/projects/organizations I'm thankful for this year: debian, ubuntu, terminator, mate, vi(m), firefox, thunderbird, postgresql, apache, kvm, libvirt, bash, openssh, nextcloud, workrave, audacious, vlc, mtp (Media Transfer Protocol), ext2/ext3/ext4/btrfs, mdadm, postfix, the linux kernel, fosdem, fsfe, eff, bitsoffreedom, ccc and kodi.

For the next year, let's make sure we don't squabble amongst ourselves. Let us be even more understanding and help each other out more. Let us agree to disagree and be fine with that. I do not care which window manager, editor, desktop or database you use. Of course I have my own preferences and don't mind a good discussion. As long as we give each other the freedom to choose what we want, it's OK. We're all playing for the Free Software team. And yes, each of us known that we are right ;-)

At the previous FOSDEM I picked up the following card and gave it to my wife, she liked it a lot (just a tip)

What is the best online dating site and the best way to use it?

DanielPocock.com - fsfe | 17:25, Wednesday, 14 February 2018

How to batch geotag your photos using Free Software and OpenStreetMap

English Planet – Dreierlei | 08:35, Wednesday, 14 February 2018

If you like shooting and collecting pictures, you might be interested in geotagging your pictures. More and more software can use such geospatial metadata information for categorizing and visualizing these pictures, for example in an interactive map. Today, on I love Free Software day, I show you a way how to batch geotag your pictures with OpenStreetMap and Free Software only.

Geospatial metadata, together with time-stamps, seem to me to be the most important meta-information a picture can have. It is extremely helpful in organizing pictures, for example to cluster pictures that have been taken at the same location but at different times. Personally, I always need this data whenever I upload my pictures to Wikimedia Commons, as it asks me during the process about the geolocation of these pictures. Before, each time I had to look up the data individually on OpenStreetMap and fill in the information manually. Pretty fast, I got bored of this and I was looking for a way to write this information automatically into my pictures even before uploading.

One solution to this is a GPS-recorder built-in or attached to the camera. Unfortunately, very few cameras come with a GPS-recorder built-in and additional GPS-modules are a way too expensive for most hobby enthusiasts. Fortunately, there are software-solutions, that enable you to use just any other device which is able to capture GPS-tracks and then later merge this recorded geo-information with your pictures taken.

For sure, there are multiple ways to do this. In this blogpost, I will show you how you can do this with a smarthphone, OpenStreetMap and Free Software. All you need is:

• a smartphone running Android or a custom fork
• Osmand~
• a camera
• GPS correlate

Set up your infrastructure

Get Osmand

If you have a phone that is running Android or a more privacy and freedom friendly fork of Android get yourself Osmand, the “Global Mobile Map Viewing and Navigation for Online and Offline OpenStreetMaps”.

You can get it in the usual app-stores, but as it is Free Software, you can also get in on F-Droid, the Free Software app repository. For your privacy I recommend the latter and I wrote up a short manual about how to do it in a previous blogpost. If you choose this way, however, please consider donating to finance further development.

Sync your time

It is crucial that you have the time on your devices in sync. If not, there are possibilities to fix that afterwards, but you save yourself a lot of work if you make sure that your GPS-recorder (your smartphone in our case) and your camera are in time sync.

In action: record your track

Once you have downloaded Osmand, there is no need to download additional plugins. However, you have to activate the Trip recording plugin first.

Here is how to do and use it:

And by the way:

Afterwards: Geotag your pictures

Get GPS Correlate

There are many ways to get GPS Correlate. You can

• get it from Github
• via your terminal with $ apt-get install gpscorrelate
• or via the Synaptic package manager:

Use GPS Correlate

The interface is pretty simple:

Now you should see the interpolated match of your pictures and your gpx-track and you are done:

Enjoy your batch processed pictures!

A big hug and thank you to all the people behind OpenStreetMap, behind Osmand, to Daniel Foote and Dan Fandrich for making this possible! Happy I love Free Software Day 2018!

—

Related articles:

• How to edit OpenStreetMap “to go” in Osmand

FOSDEM 2018 - recap

Inductive Bias | 06:13, Tuesday, 13 February 2018

• Exploiting modern microarchitectures - Meltdown, Spectre, and other hardware attacks by Jon Masters in case you want to understand what the Meltdown and Spectre and the underlying causes really mean for computer security.
• Passing the Baton: Succession Planning for FOSS leadership by VM (Vicky) Brasseur on why you should build hand over into your open source project before it's too late including some hints on how to best do that.
• Too young to Rock'n'Roll by Dominik George and Niels Hradek on what legal hurdles minors encounter when trying to contribute to open source projects.
• State of OpenJDK by Mark Reinhold if you're interested in the state of OpenJDK, both in terms of community as well as in terms of technical challenges ahead.

KDE Applications 18.04 Schedule finalized

TSDgeos' blog | 20:56, Wednesday, 07 February 2018

FSFE Assembly at 34C3: Wir taten was

English Planet – Dreierlei | 20:04, Wednesday, 07 February 2018

In December 2017, the Chaos Communication Congress moved for the first time onto the Messegelände Leipzig. The FSFE came along and as in recent years, our assembly attracted a lot of visitors. Together with EDRi, for the first time we have been setting up a cluster called “Rights & Freedoms” with our own stage for multiple sessions. Although there have been some organisational issues, this Cluster was a big success and during three days, it has been visited by thousands of people.

I am happy to see the FSFE assembly again growing every year and having the possibility to bring our message of Software Freedom to the people at the Chaos Communication Congress. The CCC is Germany’s biggest annual meetup of hackers and political activists and is “considered one of the largest events of this kind, alongside the DEF CON in Las Vegas” (wikipedia).

After setting up our own self-created track in the session-rooms offered by the CCC in the last two years [2015, 2016], we aligned this year with European Digital Rights (EDRi) and together we have been forming a Cluster called “Rights & Freedoms” around our own lecture hall with a 100-people-audience stage in one half – and room for several friendly organisations to settle their own assemblies in the other half.

This way, the FSFE’s track became for the first time official part of the CCC-program. Together with likeminded organisations we used our stage to set up a full-time-program in our cluster that in sum led thousands of visitors in there with the FSFE booth being prominently located directly at its entrance.

Also from the organisers of the CCC, people were very happy with us and our organisation and we were giving the hope to get an even bigger lecture room next year. I see this FSFE’s growing presence at the CCC as a strategically important success because it is not “the usual Free Software conference” but a general technology meet-up. So, a good presence at CCC is not simply stewing our own soup but instead extending our outreach into new networks.

As is true for most of our booths and activities, the whole booth would not have been possible to run without our dedicated volunteer booth team! You are the ones empowering FSFE. And I like to use this occasion to give a special thanks to André Klöpfel, Berlin-based volunteer, without whom I would have not been able to organise our booth so smooth this year and last year already.

More XEPs for Smack

vanitasvitae's blog » englisch | 14:05, Wednesday, 07 February 2018

I spent the last weekend from Thursday to Sunday in Brussels at the XSF-Summit (here is a very nice post about it by JCBrand) and the FOSDEM. It was really nice to meet all the faces belonging to the JIDs you otherwise only see in the MUCs or on GitHub in real life.

There was a lot of discussion about how to make XMPP more accessible to the masses and one point that came up was to pay more attention to XMPP libraries, as they are often somewhat of a gateway for new developers who discovered the XMPP protocol. A good library with good documentation can help those new developers immensely to get started with XMPP.

During my stay and while on the train, I found some time to work on Smack again and so I added support for 3 more XEPs:

Ge0rG gave a talk about what’s currently wrong with the XMPP protocol.  One suggested improvement was to rely more on Stable and Unique Stanza IDs to improve message identification in various use-cases, so I quickly implemented XEP-0359.

XEP-0372: References is one dependency of XEP-0385: Stateless Inline Media Sharing, which I’m planning to implement next, so the boring lengthy train ride was spent adding support for XEP-0372.

A very nice XEP to implement was XEP-0392: Consistent Color Generation, which is used to generate consistent colors for usernames across different clients. I really like the accessibility aspect of that XEP, as it provides methods to generate colors easily distinguishable by users with color vision deficiency.

I hope my contributions will draw one or two developers who seak to implement a chat client themselves to the awesome XMPP protocol

Happy Hacking!

Everything you didn't know about FSFE in a picture

DanielPocock.com - fsfe | 09:51, Friday, 02 February 2018

containers containers containers

Evaggelos Balaskas - System Engineer | 21:08, Thursday, 01 February 2018

systemd

Latest systemd version now contains the systemd-importd daemon .

That means that we can use machinectl to import a tar or a raw image from the internet to use it with the systemd-nspawn command.

so here is an example

machinectl

from my archlinux box:

# cat /etc/arch-release

Arch Linux release

We can download the tar centos7 docker image from the docker hub registry:

# machinectl pull-tar --verify=no https://github.com/CentOS/sig-cloud-instance-images/raw/79db851f4016c283fb3d30f924031f5a866d51a1/docker/centos-7-docker.tar.xz

...
Created new local image 'centos-7-docker'.
Operation completed successfully.
Exiting.

we can verify that:

# ls -la /var/lib/machines/centos-7-docker

total 28
dr-xr-xr-x 1 root root   158 Jan  7 18:59 .
drwx------ 1 root root   488 Feb  1 21:17 ..
-rw-r--r-- 1 root root 11970 Jan  7 18:59 anaconda-post.log
lrwxrwxrwx 1 root root     7 Jan  7 18:58 bin -> usr/bin
drwxr-xr-x 1 root root     0 Jan  7 18:58 dev
drwxr-xr-x 1 root root  1940 Jan  7 18:59 etc
drwxr-xr-x 1 root root     0 Nov  5  2016 home
lrwxrwxrwx 1 root root     7 Jan  7 18:58 lib -> usr/lib
lrwxrwxrwx 1 root root     9 Jan  7 18:58 lib64 -> usr/lib64
drwxr-xr-x 1 root root     0 Nov  5  2016 media
drwxr-xr-x 1 root root     0 Nov  5  2016 mnt
drwxr-xr-x 1 root root     0 Nov  5  2016 opt
drwxr-xr-x 1 root root     0 Jan  7 18:58 proc
dr-xr-x--- 1 root root   120 Jan  7 18:59 root
drwxr-xr-x 1 root root   104 Jan  7 18:59 run
lrwxrwxrwx 1 root root     8 Jan  7 18:58 sbin -> usr/sbin
drwxr-xr-x 1 root root     0 Nov  5  2016 srv
drwxr-xr-x 1 root root     0 Jan  7 18:58 sys
drwxrwxrwt 1 root root   140 Jan  7 18:59 tmp
drwxr-xr-x 1 root root   106 Jan  7 18:58 usr
drwxr-xr-x 1 root root   160 Jan  7 18:58 var

systemd-nspawn

Now test we can test it:

[root@myhomepc ~]# systemd-nspawn --machine=centos-7-docker

Spawning container centos-7-docker on /var/lib/machines/centos-7-docker.
Press ^] three times within 1s to kill container.

[root@centos-7-docker ~]#
[root@centos-7-docker ~]#
[root@centos-7-docker ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@centos-7-docker ~]#
[root@centos-7-docker ~]# exit
logout
Container centos-7-docker exited successfully.

and now returning to our system:

[root@myhomepc ~]#
[root@myhomepc ~]#
[root@myhomepc ~]# cat /etc/arch-release
Arch Linux release

CS3 Workshop 2018 - Global Scale and the future of Federated Cloud Sharing

English on Björn Schießle - I came for the code but stayed for the freedom | 17:00, Thursday, 01 February 2018

At this years CS3 Workshop in Krakow I presented the current state of Nextcloud’s Global Scale architecture. Probably the most interesting part of the talk was the current development in the area of Federated Cloud Sharing, a central component of Global Scale. Originally, Federated Cloud Sharing was developed by Frank Karlitschek and me in 2014 at ownCloud. These day it enables cloud solutions from ownCloud, Pydio and Nextcloud to exchange files.

As part of Global Scale we will add federated group sharing in the coming months. Further we want to enable apps to provide additional “federated share providers” in order to implement federated calendar sharing, federated contact sharing and more.

The next iteration of Federated Cloud Sharing will be based on the Open Cloud Mesh (OCM) specification. The Open Cloud Mesh initiative by GÉANT aims to turn our original idea of Federated Cloud Sharing into a vendor neutral standard. Something I explicitly support. In the process of implementing OCM we will propose some minor changes and additions to the existing specification to meet all our requirements. Directly after my talk I received a lot of positive feedback from different members of the Open Cloud Mesh initiative. I was especially happy to hear that PowerFolder already started to implement OCM as well and that our friends at Seafile also want to join us. I’m looking forward to work together with the OCM-Community in the following weeks and months in order to make our changes part of the official specification.

I will write a more detailed article once we have a first prototype of our implementation. For now I want to share my presentation slides with you:

(This blog contain some presentation slides, you can see them here.)

Tags: #Nextcloud #cs3 #ocm #cloud #federation #slides

Our future relationship with FSFE

DanielPocock.com - fsfe | 13:19, Thursday, 01 February 2018

Network-Bound Disk Encryption

Evaggelos Balaskas - System Engineer | 23:25, Wednesday, 31 January 2018

Network-Bound Disk Encryption

I was reading the redhat release notes on 7.4 and came across: Chapter 15. Security

New packages: tang, clevis, jose, luksmeta

Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of the hard drives on physical and virtual machines without requiring to manually enter password when systems are rebooted.

That means, we can now have an encrypted (luks) volume that will be de-crypted on reboot, without the need of typing a passphrase!!!

Really - really useful on VPS (and general in cloud infrastructures)

Useful Links

• https://github.com/latchset/tang
• https://github.com/latchset/jose
• https://github.com/latchset/clevis

CentOS 7.4 with Encrypted rootfs

(aka client machine)

Below is a test centos 7.4 virtual machine with an encrypted root filesystem:

/boot

/

Tang Server

(aka server machine)

Tang is a server for binding data to network presence. This is a different centos 7.4 virtual machine from the above.

Installation

Let’s install the server part:

# yum -y install tang

Start socket service:

# systemctl restart tangd.socket

Enable socket service:

# systemctl enable tangd.socket

TCP Port

Check that the tang server is listening:

# netstat -ntulp | egrep -i systemd

tcp6    0    0 :::80    :::*    LISTEN    1/systemd

Firewall

Dont forget the firewall:

Firewall Zones

# firewall-cmd --get-active-zones

public
  interfaces: eth0

Firewall Port

# firewall-cmd --zone=public --add-port=80/tcp --permanent

or

# firewall-cmd --add-port=80/tcp --permanent

success

Reload

# firewall-cmd --reload

success

We have finished with the server part!

Client Machine - Encrypted rootfs

Now it is time to configure the client machine, but before let’s check the encrypted partition:

CryptTab

Every encrypted block devices is configured under crypttab file:

[root@centos7 ~]# cat /etc/crypttab

luks-3cc09d38-2f55-42b1-b0c7-b12f6c74200c UUID=3cc09d38-2f55-42b1-b0c7-b12f6c74200c none 

FsTab

and every filesystem that is static mounted on boot, is configured under fstab:

[root@centos7 ~]# cat /etc/fstab

UUID=c5ffbb05-d8e4-458c-9dc6-97723ccf43bc          /boot  xfs  defaults  0 0

/dev/mapper/luks-3cc09d38-2f55-42b1-b0c7-b12f6c74200c  /  xfs  defaults,x-systemd.device-timeout=0 0 0

Installation

Now let’s install the client (clevis) part that will talk with tang:

# yum -y install clevis clevis-luks clevis-dracut

Configuration

with a very simple command:

# clevis bind luks -d /dev/vda2 tang '{"url":"http://192.168.122.194"}'

The advertisement contains the following signing keys:

FYquzVHwdsGXByX_rRwm0VEmFRo

Do you wish to trust these keys? [ynYN] y

You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.

Do you wish to initialize /dev/vda2? [yn] y

Enter existing LUKS password:

we’ve just configured our encrypted volume against tang!

Luks MetaData

We can verify it’s luks metadata with:

[root@centos7 ~]# luksmeta show -d /dev/vda2

0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty

dracut

We must not forget to regenerate the initramfs image, that on boot will try to talk with our tang server:

[root@centos7 ~]# dracut -f

Reboot

Now it’s time to reboot!

A short msg will appear in our screen, but in a few seconds and if successfully exchange messages with the tang server, our server with de-crypt the rootfs volume.

Tang messages

To finish this article, I will show you some tang msg via journalct:

Initialization

Getting the signing key from the client on setup:

Jan 31 22:43:09 centos7 systemd[1]: Started Tang Server (192.168.122.195:58088).
Jan 31 22:43:09 centos7 systemd[1]: Starting Tang Server (192.168.122.195:58088)...
Jan 31 22:43:09 centos7 tangd[1219]: 192.168.122.195 GET /adv/ => 200 (src/tangd.c:85)

reboot

Client is trying to decrypt the encrypted volume on reboot

Jan 31 22:46:21 centos7 systemd[1]: Started Tang Server (192.168.122.162:42370).
Jan 31 22:46:21 centos7 systemd[1]: Starting Tang Server (192.168.122.162:42370)...
Jan 31 22:46:22 centos7 tangd[1223]: 192.168.122.162 POST /rec/Shdayp69IdGNzEMnZkJasfGLIjQ => 200 (src/tangd.c:168)

Fair communication requires mutual consent

DanielPocock.com - fsfe | 20:33, Tuesday, 30 January 2018

Imagine the world's biggest Kanban / Scrumboard

DanielPocock.com - fsfe | 18:52, Tuesday, 30 January 2018

Let's talk about Hacking (EPFL, Lausanne, 20 February 2018)

DanielPocock.com - fsfe | 21:54, Sunday, 28 January 2018

Local OsmAnd and Geo URL's

Ramblings of a sysadmin (Posts about planet-fsfe) | 22:50, Friday, 26 January 2018

http://osmand.net/go?lat=51.4404&lon=4.3294&z=16

<a href="geo:51.4404,4.3294;u=15">Hoogerheide</a>

Do the little things matter?

DanielPocock.com - fsfe | 20:44, Thursday, 25 January 2018

gmail.com   REJECT  The person you are trying to contact hasn't accepted Gmail's privacy policy.  Please try sending the email from a regular email provider.

What is DNS Privacy and how to set it up for OpenWRT

Free Software – | 19:08, Wednesday, 24 January 2018

The Domain Name System (DNS) enables your computer to find the actual addresses of other computers. So when you type fsfe.org in your browser, the DNS tells you that 217.69.89.176 is the actual IP address for fsfe.org. It needs this real address to make a connection to that server and present the website hosted there to you.

DNS requests leak a lot of data to anybody who can read your network traffic, because they are typically not encrypted. Every server/site you visit will be leaked in a DNS request.

To solve this problem, there is DNS Privacy, a project dedicated to improve privacy around DNS. The most obvious solution is to encrypt the DNS requests, so someone looking at your internet traffic doesn’t see anymore which sites you visit just by looking into your DNS queries.

There’s many different ways to encrypt this information. I will focus on DNS over TLS as this seems to be the best solution at the moment and is relatively easy to set up.

Everything you own that is connected to the internet is making DNS requests. You could of course try to set all of these devices up for DNS over TLS individually, but that is mostly not even possible and a lot of work. If you just have one local desktop or laptop computer, you can use Stubby a local DNS Privacy stub resolver. The solution I recommend is to set up DNS Privacy directly on your router, so all devices entering the internet via this router (and using it for DNS queries) will benefit from it.

DNS over TLS for OpenWRT

OpenWRT (or LEDE) is a Free Software operating system for routers. The following assumes that you are running the latest version of OpenWRT (at the moment LEDE 17.01.4).

Log into your router via ssh and then run:

# Install unbound (System -> Software -> Find package: unbound -> Install)
opkg install unbound

Add some more privacy options to the unbound server config:

cat >> /etc/unbound/unbound_srv.conf <<UNBOUND_SERVER_CONF
do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
UNBOUND_SERVER_CONF

# Don't let each server know the next recursion.
uci set 'unbound.@unbound[0].query_minimize=1'

Now, the important part comes. It tells unbound to forward all (except local) DNS requests to special DNS resolvers that allow you to connect encrypted with TLS on port 853.

cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF
forward-zone:
        name: "."
        forward-addr: 9.9.9.9@853         # quad9.net primary
        forward-addr: 149.112.112.112@853 # quad9.net secondary
        forward-addr: 145.100.185.15@853  # Surfnet primary
        forward-addr: 145.100.185.16@853  # Surfnet secondary
        forward-addr: 185.49.141.37@853   # getdnsapi.net
        forward-ssl-upstream: yes
UNBOUND_FORWARD_CONF

The last option turns on DNS over TLS.

Now, you just need to move the existing dnsmasq server aside, so unbound can answer your devices DNS queries.

# Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'

# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'

# Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit

# Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart

Now you can test your DNS queries:

nslookup fsfe.org

If this works, your DNS requests should now be made over TLS and even cached locally by unbound. If you have problems, try the logread command to see what is going on. If you want to further tune the settings, checkout OpenWRT’s awesome unbound README.

Note: The DNS servers you use can of course still see your requests and the domains in them. Only passive network observers get locked out by using DNS over TLS.

apt-get install more contributors

DanielPocock.com - fsfe | 11:21, Wednesday, 24 January 2018

Ready Player One by Ernest Cline

Evaggelos Balaskas - System Engineer | 10:51, Wednesday, 24 January 2018

Ready Player One by Ernest Cline

I’ve listened to the audiobook, Narrated by Wil Wheaton.

The book is AMAZING! Taking a trip down memory lane to ’80s pop culture, video games, music & movies. A sci-fi futuristic book that online gamers are trying to solve puzzles on a easter egg hunt for the control of oasis, a virtual reality game.

You can find more info here

FOSS Backstage - CfP open

Inductive Bias | 16:21, Tuesday, 23 January 2018

Concise Attribute Initialisation in Lichen… and Python?

Paul Boddie's Free Software-related blog » English | 21:50, Monday, 22 January 2018

In my review of 2017, I mentioned a project of mine to make a Python-like language called Lichen that is more amenable to compile-time analysis than Python is, while still having a feature set I might actually be able to use in “real” programs one day. There are a lot of different “moving parts” in the Lichen toolchain, and being preoccupied with various other projects and activities, I haven’t been able to get back into working on it properly in the last few months.

Recently, as I found myself writing Python code for another of my projects, I got to wondering about something in Python that can occur a lot: the initialisation of instance attributes. Here is a classic example:

class Point:
    def __init__(self, x, y):
        self.x = x
        self.y = y

# For illustration, here is how the class is used...
p = Point(640, 512)
print p.x, p.y # 640 512

In this example, having to assign the parameter values to the instance attributes is not much of a hardship. But with more verbose initialisation methods with more parameters and more attributes involved, writing everything out can be tiresome. Moreover, mistakes can be made, particularly if the interfaces and structures are evolving. Naturally, there are a range of improvements and measures that attempt to alleviate the problem. Here is the most obvious:

class Point:
    def __init__(self, x, y):
        self.x = x; self.y = y

This just puts the same statements on one line, so let us move beyond it to the next attempt:

class Point:
    def __init__(self, x, y):
        self.x, self.y = x, y

Here, we are actually performing “tuple assignment”, with the parameter values being placed in a tuple whose elements are then assigned to the names in the corresponding positions on the left-hand side of the assignment.

Now, without any Python “magic”, this is probably as far as you can get. The “magic” involves introspection and a feature known as “decorators” (which Lichen doesn’t support) to let us use something like this:

class Point:
    @initialising("x", "y")
    def __init__(self, x, y):
        pass

Here, I am taking inspiration from a collection of actual suggestions and solutions, but none of them look like the above. Indeed, many of them take the approach of initialising attributes using every parameter in the method signature which isn’t always what you want, although it does seem to be requested every now and again.

Although the above example looks quite nice, the mechanism responsible for performing the attribute assignments will not look as nice, and so I won’t show it here. And unless a mode is supported where the names can be omitted, thus initialising attributes using all parameters (except self) when you do want to, it is perhaps tiresome to have to write the names out again somewhere else, even more so as strings.

You will also find people advocating more transparent use of the ** catch-all parameter (also not supported by Lichen), sometimes in response to people worried that writing out lots of assignments is a sign of bad code. This yields solutions like this one:

class Point:
    def __init__(self, **kw):
        for name in ("x", "y"):
            setattr(self, name, kw.get(name))

But keeping named parameters in the signature helps to prevent certain kinds of errors, which is one reason why I don’t intend to support catch-all parameters in Lichen.

But what I wondered is why Python never supported something closer to C++’s initialisation lists. In C++, we might write the code somewhat as follows:

class Point
{
    Number x, y;
public:
    Point(Number x, Number y) : x(x), y(y) {};
}

Here, it is evident that repetition occurs just as in the “magic” Python example, which is something I might want to eliminate. Maybe we would want to have a shorthand for attribute initialisation within the parameter list itself. And then I thought of a possible syntax:

class Point:
    def __init__(self, .x, .y):
        pass

So, any parameter employing a dot before its name would result in the assignment of its value to the instance attribute having the same name. Of course, this wouldn’t support a parameter with one name having its value assigned to an attribute with another name, but I thought it best to stick to the simple cases. “Why not add this to Lichen?” I thought.

And in line with not getting too immersed in the toolchain straight away after such a long break, I decided on some rather simple semantics for this feature: dot-prefixed names would still exist as local names; dot-prefixing would just be a form of shorthand meaning that an assignment would be generated at the very start of the function body. So, the above would really translate to the very first example given at the start of this article or, indeed, the second one which is equivalent and is reproduced below:

# Lichen-only...                   # Python and Lichen...
class Point:                       class Point:
    def __init__(self, .x, .y):        def __init__(self, x, y):
        pass                               self.x = x; self.y = y

Keeping the sophistication of the feature at an unambitious level, besides letting me slowly familiarise myself again with the code, also helps to deal with potential conflicts with other mechanisms. For example, what if someone wanted to employ a name twice – once dot-prefixed, once unprefixed – like this…?

class Point:
    def __init__(self, .x, .y, x):
        self.intensity = x ** 2

By asserting that the dot-prefixed x is really just x that also initialises the attribute of the same name, we can fall back on the normal rules around parameters and forbid such duplicate names without having to think very hard about temporary names or more exotic mechanisms that might be used to initialise attributes directly. One other thing worth mentioning is that I don’t reserve the use of such parameters for the exclusive use of initialiser methods, so other applications are possible. For example:

class Point:
    def __init__(.x, .y): pass
    def update(.x, .y): pass

Here, I also omit self because Lichen defines it as always being present in methods, anyway. And we could actually make the update method an alias of the initialiser method, too, but let us not get too carried away!

Fortunately, I adopted a parser framework in Lichen that was originally written for PyPy that allows relatively straightforward modification of the language grammar. Conveniently, the grammar changes required for this feature are minimal and I don’t even have to add any extra tokens. That made me wonder whether such a syntax had been suggested for Python at some point or other. Some quick searches haven’t yielded any results, and I can’t be bothered to trawl the different mailing list archives to find mentions of such features. I can easily imagine that such a feature might have been discussed rather early in Python’s lifetime, possibly in the mid-1990s.

Arguments for new syntax in Python are often met with arguments against “syntactic sugar”, with such “sugar” introducing more convenient notation or a form of shorthand for particular operations. Over the years, people have argued for more concise ways of referencing instance attributes and class attributes instead of using the almost-special self name (that is rather more special in Lichen). Compound assignments to instance attributes have probably been discussed, too, maybe proposing things like this:

# Compound assignment idea...      # Equivalent assignment...
self.(x, y) = x, y                 self.x, self.y = x, y

In response to such suggestions, people seem to be asked how often they need to write such things, whether it is really such a burden to do so, and whether their programming tools cannot help them write out the conventional assignments semi-automatically instead. Proposed general language constructs may well risk introducing conflicts with other language features in unanticipated ways, and if such constructs only ever get used in certain, rather limited, circumstances then one can justifiably ask whether it is really worth the effort to support them. They will, after all, need people to implement them, test them, maintain them, and keep fixing them long into the future.

As is evident from the discussion of the problem of concise initialisation, Python’s community has grown accustomed to solving simple problems in fairly complicated ways using general mechanisms introduced to support broad classes of functionality. Decorators were introduced into Python as a way of inserting extra code around methods and functions to modify or extend their behaviour, allowing people to tackle such problems by getting that extra code to initialise attributes or to do many other weird, wild and wonderful things. Providing such mechanisms lets the language designers send people elsewhere when those people descend on the designers demanding a quick syntactic fix for a specific problem they might be having.

But it really does surprise me that something as simple as dot-prefixing parameter names never managed to get suggested and quickly introduced into an early version of Python. I did wonder whether other Python-inspired languages might have subconsciously inspired me, but a brief perusal of the Boo, Cobra, Delight and Genie documentation turned up nothing. And so, without any more insight into my inspiration, that is the tale of my first experiment in extending Lichen’s syntax beyond that of Python.

Update

I finally remembered where I had seen the dot-prefixed name notation before. When initialising structures in C, you can explicitly indicate a structure member when specifying a value, and I do this all the time in the code generated for Lichen programs. I even define macros that use this feature. For example:

#define __INTVALUE(VALUE) ((__attr) {.intvalue=((VALUE) << 1) | 1})

So I suppose it shows how long it has been since I had to look at that part of the toolchain! Of course, this is directly initialising a structure member by indicating a value, whereas the Lichen syntax enhancement associates an attribute, which is similar to a member, with a parameter received in a method call. But there are some similarities in purpose, nevertheless.

Keeping an Irish home warm and free in winter

DanielPocock.com - fsfe | 09:20, Monday, 22 January 2018

Fabric MiniTutorial

Evaggelos Balaskas - System Engineer | 20:27, Sunday, 21 January 2018

Fabric

Fabric is a Python (2.5-2.7) library and command-line tool for streamlining the use of SSH for application deployment or systems administration tasks.

You can find the documentation here

Installation

# yum -y install epel-release

# yum -y install fabric

Hello World

# cat > fabfile.py <<EOF
> def hello():
>     print("Hello world!")
>
> EOF

and run it

# fab hello -f ./fabfile.py

Hello world!

Done.

A more complicated example

def HelloWorld():
        print("Hello world!")

def hello(name="world"):
        print("Hello %s!" % name )

# fab HelloWorld -f ./fabfile.py
Hello world!

Done.

# fab hello -f ./fabfile.py
Hello world!

Done.

# fab hello:name=ebal -f ./fabfile.py
Hello ebal!

Done.

A remote example

from fabric.api import run , env

env.use_ssh_config = True

def HelloWorld():
    print("Hello world!")

def hello(name="world"):
    print("Hello %s!" % name )

def uptime():
    run('uptime')

ssh configuration file

with the below variable declaration
(just remember to import env)
fabric can use the ssh configuration file of your system

  env.use_ssh_config = True

and run it against server test

$ fab -H test uptime -f ./fabfile.py

[test] Executing task 'uptime'
[test] run: uptime
[test] out:  20:21:30 up 10 days, 11 min,  1 user,  load average: 0.00, 0.00, 0.00
[test] out: 

Done.
Disconnecting from 192.168.122.1:22... done.