The Blog of Tom Webster

Chronic Ranter, Reviewer, and Developer

Why Defaults Matter - Another Look at the Facebook Debate

  2010-05-17 14:33:00 PDT

Not all of us are computer geeks... Actually... the vast majority of us are anything but. Yes, there are privacy settings, and in the case that you have a PhD in Facebooking, you can edit these settings and know exactly how they will function. In a perfect world, we could set, process, and understand each and every one of these privacy settings and know exactly how they will work, regardless of our friends' privacy settings, the applications they use, or the websites we visit that have included Facebook technology.
Facebook's privacy settings have been worsening ever since the company came into being in 2004, and it doesn't look like Facebook's stance will change anytime in the near future. I've deleted my account for a few reasons, but the biggest reason is the same as Leo Laporte's. If I continue to stay on Facebook, even as just a content publisher and aggregator, I'm pushing people to continue to use that service and put their privacy and data at risk. Just my presence on the service is like saying, "No, its ok if you're on Facebook, just use it in this way.", but we all know that won't fix anything. Just by participating, I'm giving more power to the Facebook machine. This is why I've decided to end my Facebook account and move to more open services. Jason Calacanis made many excellent points in his blog post/email and it appears that he will also follow suit. As always, you can follow me here or on Twitter to stay up with the latest.

Dear Facebook, Its over.

  2010-05-10 18:26:00 PDT

I don't think I can do this anymore, and this time, its not me, its you. When our relationship started, it was all comments, groups, and wall posts. It was wonderful, we were madly in love. You didn't need (or support) sparkling gifs, you had no auto-playing music, users couldn't even change the color scheme on the page. You knew what our relationship needed better than I did. And you know what? It worked.
Sadly... you've changed, and not for the best. Over the past few years, I've overlooked your very closed and very buggy chat, your outright theft of "The Like Button" from FriendFeed, your ever-opening 'privacy' settings, your support of apps that steal all of your personal information, and your complete disregard for my private information. I consider myself a public figure on the internet, and you are still creeping me out. I thought we had something special.
Your recent push to share me with your new friends (Pandora, Yelp, Docs) has me confused, and it is just about impossible to get away from them. At first you wanted me all to yourself, it was a fight to get you to play nice with any other websites, but now... Especially with giving everyone access to your 'Like' button, you seem to be interested in more than just me. These things have all led up to my thoughts right now, but they haven't been enough to push me over the edge. Even my friends tell me that I should leave you, but I felt that we still had something to hold onto... Until this morning.

Last night, I was incredibly frustrated with the way you've been treating me, and I needed to vent to my friends. I posted a link to Jeff Jarvis' article on your recent behavior, and my friend even commented on it, asking if there were any others I could run to. You must have seen this and not appreciated the candid honesty because you deleted it. Right off of my wall. Removing the comments, removing the post. I thought it was my Nexus One's Facebook App being buggy (Because that happens sometimes) and not displaying the post. But when I checked with you the next morning, it was true. You had removed the link that I had posted on my own wall. I feel that this could be the final straw. We really had a good time while it lasted, but I'm not entirely sure I want to continue this relationship anymore. I think I've found someone else. Someone that will respect my privacy and leave my posts intact. I'm going away for a little while to cool down and think about things, but I don't think this will work anymore.

The Tipping Point:

Last night, I posted a link to Jeff Jarvis' article entitled: Here's The Privacy Line That Facebook Just Crossed... and got a comment on it pretty soon after it was up. It was listed in my Facebook notifications, even! I figured I would respond in the morning and went to bed.

To my surprise this morning, I find that the links didn't work. The link in the 'Notifications' page and in the email I received (I have email notifications for just about everything enabled) in the Facebook app led to this error message [Content Not Found: The page you requested cannot be displayed right now. It may be temporarily unavailable, the link you clicked on may be broken or expired, or you may not have permission to view this page.]
Strange... Very strange. I went to my computer to check, hoping that my phone was being buggy...

Yep... there is the email... clicks link

[This post is not available anymore]
Facebook deleted my post. They removed the link I posted (And naturally, all of the links associated with the post) because it put them in a bad light. I did also link to the same article using a bit.ly link (Fetched from Twitter), and that was not removed. Its apparent that I'm not an important enough target for profile manipulation, and I seriously doubt that Zuckerberg is sitting in his office, picking off links I post about his baby. The most likely scenario is that Jeff's article was flagged on Facebook for mass deletion sometime yesterday. Since this incident, I have re-posted the link to the article and asked others to do the same (many have now shared the link as well). So far, the link survives. This is the final straw. I am seriously considering deleting my Facebook account. With the recent anti-privacy stunts, bugs, and now censoring of anti-Facebook content, this is far from the "Safe Haven" picture that Zuckerberg paints atop his high tower. Starting today, I will be moving over my data/comments/time to other services (Twitter, Buzz, Flickr, Delicious, Google Profile) and weaning myself off of Facebook in the likely event that I will be deleting my account.

If you would like, go ahead and join me on any one of these services, my username is samurailink3 on everything. Facebook was a huge convenience, but this was the final straw, I'm moving on.
Looking to delete your account? Click here.

Server-Bits #8: TrueCrypted Home Directories or SHROUD

  2010-05-04 16:56:00 PDT

So, I've completed work (a while ago... was still gathering the time necessary to write this blog post) on ~~Project: SHROUD~~ (Link defunct for now...) and it is time to release the documentation on how I've put it together. The pieces have been floating around the internet for some time, but I'm here to put this in one central location so you can have it up and running in no time flat.

But what exactly is Project SHROUD?
From the PastaNet blog: "Completely encrypted storage space via PastaNet using TrueCrypt and SSH. Hosted on an encrypted RAID-5 server and stored in your own personal encrypted volume, your data is not only safe, but extremely secured. Your personal file volume is dismounted 60 seconds after you disconnect, leaving your data completely encrypted (Twice over!!). Completely secured network access through SSH encryption. You can access your SHROUD drive through any FTP program that supports SFTP (The vast majority of these programs do) or by mounting it as a network drive through ExpanDrive (working on alternatives for this) [Linux users need not apply, as mounting SSH volumes is built into the OS]. Completely encrypted, completely secured, cloud-based storage."

See the full article after the jump.

When a user logs in, their TrueCrypt volume is mounted as their home directory. The system then watches to see when the user logs off and dismounts their TrueCrypt volume 60 seconds after they disconnect. This SFTP storage area can then be used through virtually any FTP program or mounted as a Network Shared Drive for the user. These users are forbidden from shell access, VPN, and other areas of the filesystem.
As a server admin, it is bad karma (and very bad practice) to keep your users' passwords. Create the volume, throw away the key, the rest is up to them. This keeps them and you safe in a worst-case-scenario.

The first thing you need to do is create a directory in /home for the location of the TrueCrypt volumes.

mkdir /home/private

In this directory, we will keep all of the SHROUD users' TrueCrypt volumes. They will have a home directory to be used purely as a mount point for the volume.

Now, the difficult part (Which isn't too terribly hard), compiling a more modern version of PAM, known to work well with automatic TrueCrypt mounting (Terminal Commands Ahoy!):

wget http://dl.dropbox.com/u/860936/Blog/pam1.1.1.orig.tar.gz
tar xfzv pam
1.1.1.orig.tar.gz
cd Linux-PAM-1.1.1/
./configure
cd modules/pamexec/
make
sudo cp .libs/pam
exec.so /lib/security/pamexecUNSTABLE.so

We have just compiled the new PAM_EXEC to a new, different file on your system. We will reference this module in the TrueCrypt-mounting script instead of your standard PAM module. This will avoid dependency and package confliction issues later on. We now need to edit the "Common-Auth" and "Common-Session" text files that controls what happens when a user enters their password. We'll add the lines via the 'echo' command with sudo privileges.

sudo echo "# SHROUD code below" >> /etc/pam.d/common-auth

sudo echo "auth optional pamexecUNSTABLE.so debug expose_authtok seteuid /bin/bash /bin/cryptmount.sh" >> /etc/pam.d/common-auth

sudo echo "# SHROUD code below" >> /etc/pam.d/common-session

sudo echo "session optional pamexecUNSTABLE.so seteuid /bin/bash /bin/cryptmount.sh" >> /etc/pam.d/common-session

Whenever a user now logs in, the shell will automatically execute "cryptmount.sh". One problem: cryptmount.sh doesn't exist yet. You need to create it. Create a new file inside of '/bin' and name it "cryptmount.sh". Here are the contents of that file:
[TIP: For your convenience, here is the file]

!/bin/bash

/bin/cryptmount.sh

CRYPTVOLUME=/home/private/$PAMUSER.tc
MOUNTPOINT=/home/$PAM
USER

case "$PAMUSER" in
**root | anotheruser) #homedirs of non-shroud
users are not encrypted**
exit 0
;;
esac

case "$PAMTYPE" in
auth )
head -c -1 | truecrypt -t --protect-hidden=no -k "" \
"$CRYPTVOLUME" "$MOUNTPOINT"
;;
close
session )
MOUNTS=$(mount | grep " $MOUNTPOINT ")
if test -z $MOUNTS ; then
echo MOUNTS $MOUNTS > /tmp/debug
exit 0
fi
OTHER=$(who | grep "^$PAMUSER " | grep -v " $PAMTTY ")
if test -z "$OTHER"; then
echo truecrypt -d $MOUNTPOINT | at now + 1 minute
fi
;;
esac
exit 0

You will need to make sure to add your username, and any other username that will not be using SHROUD to that list of usernames inside of the script. Users will see an error if they are not using SHROUD, but are not listed. Here are the rules: Using SHROUD - Not named in the file. Not using SHROUD - Named in the file.
Get it? Good.

The next thing we need to do is limit the amount of access your SHROUD users have. We want them to be 'jailed' into their home directory, with no hope of escaping. We need to edit the SSHD configuration file to do this.

sudo nano /etc/ssh/sshd_config

Comment out the line "Subsystem sftp /usr/lib/openssh/sftp-server" by placing a '#' next to it. It'll end up looking like this:

Subsystem sftp /usr/lib/openssh/sftp-server

Now that we have the old system commented out, you will need to add the following lines of code to your sshdconfig:
_[TIP: Use Control+O to save the file and Control+X to exit nano]

Start SHROUD code here

Subsystem sftp internal-sftp

UsePAM yes

Match group shroud_users

ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

We will be putting all of the SHROUD users into a group named "shroud_users" and they will be forced to the following rules:

You can also give granular permissions to specific users. Lets say that you want bob to have SHROUD, but would also like to give him the ability to use VPN:

Match user bob

ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding yes
ForceCommand internal-sftp

You can set specific user permissions this way. You can even remove the 'chroot' bit if you wanted to give a user permission to roam about your filesystem, taking whatever they have access to (this is helpful if you are running a distribution center).

The next step is to make a script to make building the users and setting the permissions correctly stupidly easy for you to do. In my experience, creating a SHROUD user with 1GB of usable space took about 10-12 minutes, depending on how much I fat-fingered the commands. With this script, you'll be creating users in 1-2 minutes:
[TIP: READ THE COMMENTS!! Commented code (any line starting with a '#') is an easy way to figure out exactly what is going on. Use this script as a learning experience!]

!/bin/bash

This program is free software: you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

the Free Software Foundation, either version 3 of the License, or

(at your option) any later version.

This program is distributed in the hope that it will be useful,

but WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

GNU General Public License for more details.

You should have received a copy of the GNU General Public License

along with this program. If not, see http://www.gnu.org/licenses/gpl.html.

Original code by SamuraiLink3 (2010)

MakeUser() {

The commands below will set the variable names for both the user and the

user's password. These will then be used to create the new user, volume, directory structure, and set them all in motion.
echo
echo -n "Enter username for new SHROUD user: "
read user
echo ""
echo -n "Now enter the password for the new user: "
read password
VolumeCreateAndMove

}
VolumeCreateAndMove() {

echo "We need sudo permission to continue..."
sudo echo ""
cat /dev/urandom | head -c 4096 > rand.txt
#This command has created a random 4096-byte text file from /dev/urandom for random salt used to create the TrueCrypt volume
truecrypt --text -c $user -p $password --encryption=AES --filesystem=none --hash=ripemd-160 --size=1073741824 --random-source=rand.txt -v --non- interactive --volume-type=normal --keyfiles=
#This command creates a TrueCrypt volume with the name of the user and the password you chose at the start of the script. The size is 1GB in bytes. It is using AES and RIPEMD-160 to create a normal TrueCrypt volume.
sudo truecrypt --text --filesystem=none --password=$password --keyfiles= --protect-hidden=no $user
sudo truecrypt --text -l
#This will mount the new user volume and list the TrueCrypt volumes for the next step.
echo
echo -n "Please choose the mapper number you would like to format: "
read number
sleep 5
sudo mkfs.ext4 /dev/mapper/truecrypt$number
#After the volume is mounted, the admin will need to choose which TrueCrypt mount to format (DO NOT FORMAT THE WRONG ONE!!). After this, an EXT4 filesystem is created within the volume.
sudo mkdir /home/$user
sudo truecrypt -d $user
sudo truecrypt --text --password=$password --keyfiles= --protect-hidden=no $user /home/$user
sleep 3
sudo cp -r /etc/ServerSoftware/SHROUD/* /home/$user/
#This is the directory you will need to populate with your wanted default folder structure, change this at your will.
UserAddAndConfigure
#Now, the TrueCrypt volume is mounted as the user's home directory and a folder structure is copied into the new volume. You will need to create this folder structure on your own server. Mine is as follows: Code Documents Downloads Misc Music Pictures Videos. Create any directories/files you would like to be pushed and defaulted to all of your users.

}
UserAddAndConfigure() {

sudo useradd -N -M -g shroudusers -s /bin/sh -b /home/$user -p $password $user
#The user is created with the 'shroud
users' group, will not create a home directory, and will not create a specific user-group (as we are placing them into the 'shroudusers' group).
sudo chown -R $user /home/$user/
#This makes the user the owner of all the folders within their home directory
sudo chmod -R 700 /home/$user/
#This sets secure permissions on the folders of the user
sudo chown root /home/$user/
sudo chgrp shroud
users /home/$user/
sudo chmod 750 /home/$user/
#For chroot to work correctly, the chrooted directory needs to be owned by root and not writable by any other party. To satisfy these requirements, we make the owner of the main folder, root, but we make the folders inside of the home directory, owned and writable by the user. This is why the top level directory is not writable in SHROUD, but everything inside of it is. A slight workaround, but it works for now and maintains security.
sudo truecrypt --text -d $user
#This dismounts the user's directory
echo $user:$password | sudo chpasswd
#This command 'chpasswd' works differently from 'passwd', it is a scripted way to change a user's password. While it is normally used to change a very large list of users, it works nicely for our script as well.
sudo mv $user /home/private/$user.tc
#This will move the user's TrueCrypt volume to the /home/private directory so cryptmount.sh can get to it.
Cleanup

}

Cleanup() {
echo "User: "$user" created."
rm rand.txt
#Nicely removes the random-salt text file.
echo "Cleanup complete."
echo
echo "========================"
echo "USER DETAILS:"
echo "USERNAME: "$user
echo "PASSWORD: "$password
echo "========================"
#Echo's the username and password so the user can writedown/memorize/backup their username and password.
echo
echo "Program complete, now exiting."

}
MakeUser

To make it easier on you (Because copy/paste can be fickle with some text editors/IDEs) here is the file, I recommend reading the file with Notepad++ on Windows or Gedit on Linux.

Now all that is left is to create your first user, distribute a connection program (such as FileZilla Portable), and start providing encrypted storage. So far, this has been the biggest undertaking on PastaNet and the biggest post on this blog. Enjoy it.

To make things easier on my users, I have rolled a modified FileZilla Portable zip file for them to download and easily connect to my server. The modifications were trivial, I just saved the standard connection profile to the 'saved sites' button in FileZilla, then re-zipped the folder. I provide this file to each user that will be using the SHROUD system. I suggest doing the same for your users. Here is the documentation I provide for my users, I also suggest that you build some form of documentation that your users can dig through as well.

There are a few things I would like to be made known, there are a few quirks with Project SHROUD that you _(and your users) _should be aware of:

This post heavily influenced, paraphrased, and copied (with very slight modification) from the following sources:
**
Little Impact - Automatic encryption of home directories using TrueCrypt 6.2a and pam_exec**
Debian-Administration - OpenSSH SFTP chroot() with ChrootDirectory
OpenBSD journal @ undeadly.org - Chroot in OpenSSH - Contributed by merdely (Mike Erdely)
This UbuntuForums.org post and the UbuntuForums community in general, this community is one of the best I have ever been involved with and they make me a smarter person every time I log on. I want to specifically thank cdenley and sublimination for all the help they provided me with on this project.

These people have done the amazing legwork. Go to their blog, leave comments, click ads, donate cash, do something if this post helped you out at all. Without them, Project: SHROUD would just be a twinkle in my eye. Props to them!!

About Server-Bits:

If you've ever wanted to get started building a server, right in your own backyard, kitchen, closet, mother's closet, mother's basement, then this is the read for you. Aimed at the not-so-technical-but-willing-to-learn, this will give you everything you need to build... that monster-server you've dreamed of. My goal: To give you a working, rocking server, for free, that you can use daily.

Server-Bits #7: Transmission and Web-Controlled Torrents

  2010-05-01 20:58:00 PDT

Have you ever been away from your machine when you've thought to yourself, "Oh! I need to torrent COMPLETELY LEGAL CONTENT HERE!! I wish I was at my machine...". Now you don't have to be at your computer, you can control all of your torrents, and add new ones, entirely through Transmission's web client.

Transmission should be installed on Ubuntu by default, but just in case it isn't, you can install it by running the command:

sudo apt-get install transmission

Go ahead and start this in GUI-mode. Just open Transmission while you are logged into Gnome. From here, go to: Edit -> Preferences. Navigate to the Privacy tab. There are a few options that *NEED *to be changed.

First off: Blocklist. Blocklist. Blocklist. Enabling the blocklist will keep the vast majority of anti-P2P groups off of your back. Make sure that you enable automatic updates as well. The next thing you need to change is the encryption. Change this to Encryption Required. This will ignore and close any connection that is not masked by encryption.

Next, in the Network tab, check the "Pick a random port every time Transmission is started" box.

In the Web tab, check the "Enable web client" box, change the listening port to whatever you prefer (and forward the port on your router if you so choose [forwarding this port will give you the ability to manage your torrents outside of your network]). Make sure "Use authentication" box is checked and choose a username/password. If you would like, you can also restrict access to certain IP Addresses. This is helpful if you are only going to be accessing this page from a known machine with a constant known address.

Now, in a web browser of your choice, navigate to 'YourHostname:YourTransmissionPort' and you should be greeted by a popup login box. Enter the username/password combination that you set up and start remote torrenting!!

About Server-Bits:

If you've ever wanted to get started building a server, right in your own backyard, kitchen, closet, mother's closet, mother's basement, then this is the read for you. Aimed at the not-so-technical-but-willing-to-learn, this will give you everything you need to build... that monster server you've dreamed of. My goal: To give you a working, rocking server, for free, that you can use daily.

Quick Notes on "Thoughts on Flash"

  2010-05-01 13:18:00 PDT

Lets start with a quote from the original article:

"Adobe's Flash products are 100% proprietary. They are only available from Adobe, and Adobe has sole authority as to their future enhancement, pricing, etc. While Adobe’s Flash products are widely available, this does not mean they are open, since they are controlled entirely by Adobe and available only from Adobe. By almost any definition, Flash is a closed system."

Lets make some quick changes to this...

"~~Adobe's Flash~~ Apple products are 100% proprietary. They are only available from ~~Adobe~~ Apple, and ~~Adobe~~ Apple has sole authority as to their future enhancement, pricing, etc. While ~~Adobe’s Flash~~ Apple's products are widely available, this does not mean they are open, since they are controlled entirely by ~~Adobe~~ Apple and available only from ~~Adobe~~ Apple. By almost any definition, ~~Flash~~ _any Apple software _is a closed system."

Don't even get me started on the App Store. Hey, Jobs, talk when you can put your app store where your mouth is. Just sayin'.

Page: 26 of 31