Since deactivating my Facebook account, I’ve come to realize that I really only miss one thing about the service… the constant access to all of my contacts’ email addresses and phone numbers. The really important ones, I’ve had stored in my phone all along, but I’ve never bothered to make a backup of the ones that I contact less often. As we all know, doing precise dentistry with a nine-iron is easier than getting data out of Facebook, especially email addresses. This is one of the biggest problems with Facebook: we put all of our data into it, but they leave us with two very important questions unanswered:
1. We are made no guarantees what will be done with our data if we choose to delete our accounts.
2. We can never export data that either, A: We have access to. Or B: That we’ve made ourselves.
Have you ever tried to export a photo album from Facebook? You can’t do it.
Well…. you can… If you right click and ‘Save Image As’ on every single
picture in that album. It’s a pain in the ass to say the least. Third-party
developers have created certain applications that Facebook have
banned due to “Terms of Service
Violations”, meaning, “You are not allowed to remove your data from Facebook”.
The easiest way to extract and move your Facebook contacts to a standard CSV
file that any mail
service/application can use is to import your Facebook contacts to
Yahoo!. You can then export from Yahoo and import wherever you
please. Your contact data is now free from Facebook’s clutches and yours to do
whatever the hell you want with it.
For photos, I used FaceDown, a super-simple, but now banned Facebook Album downloader to pull all of my albums and import them to Google’s Picasa Web. You can also use a program called Fotobounce, but I have only read about this. I have not tried this program myself. The tutorial seems pretty straight-forward and easy, so go for it.
Liberate your data.
Contact Export How-To (Via Digital Inspiration):
http://www.labnol.org/internet/export-email-addresses-from-facebook/12970/
Photo Export How-To (Via Digital Inspiration):
http://www.labnol.org/software/download-facebook-photo-albums/9647/
This all said, Facebook has admitted that their privacy models have become a bit too complex and that they will soon be implementing simpler (and hopefully better) privacy controls. So we’ll see… I may end up coming back to Facebook if things work out for the best.
Not all of us are computer geeks… Actually… the vast majority of us are
anything but. Yes, there are privacy settings, and in the case that you have a
PhD in Facebooking, you can edit these settings and know exactly how they will
function. In a perfect world, we could set, process, and understand each and
every one of these privacy settings and know exactly how they will work,
regardless of our friends’ privacy settings, the applications they use, or the
websites we visit that have included Facebook technology.
Facebook’s privacy settings have been worsening ever since the company came into being in 2004, and it doesn’t look like Facebook’s stance will change anytime in the near future. I’ve deleted my account for a few reasons, but the biggest reason is the same as Leo Laporte’s. If I continue to stay on Facebook, even as just a content publisher and aggregator, I’m pushing people to continue to use that service and put their privacy and data at risk. Just my presence on the service is like saying, “No, it’s ok if you’re on Facebook, just use it in this way.”, but we all know that won’t fix anything. Just by participating, I’m giving more power to the Facebook machine. This is why I’ve decided to end my Facebook account and move to more open services. Jason Calacanis made many excellent points in his blog post/email and it appears that he will also follow suit. As always, you can follow me here or on Twitter to stay up with the latest.
I don’t think I can do this anymore, and this time, it’s not me, it’s you. When
our relationship started, it was all comments, groups, and wall posts. It was
wonderful, we were madly in love. You didn’t need (or support) sparkling gifs,
you had no auto-playing music, users couldn’t even change the color scheme on
the page. You knew what our relationship needed better than I did. And you
know what? It worked.
Sadly… you’ve changed, and not for the best. Over the past few years, I’ve overlooked your very closed and very buggy chat, your outright theft of “The Like Button” from FriendFeed, your ever-opening ‘privacy’ settings, your support of apps that steal all of your personal information, and your complete disregard for my private information. I consider myself a public figure on the internet, and you are still creeping me out. I thought we had something special.
Your recent push to share me with your new friends (Pandora, Yelp, Docs) has me confused, and it is just about impossible to get away from them. At first you wanted me all to yourself, it was a fight to get you to play nice with any other websites, but now… Especially with giving everyone access to your ‘Like’ button, you seem to be interested in more than just me. These things have all led up to my thoughts right now, but they haven’t been enough to push me over the edge. Even my friends tell me that I should leave you, but I felt that we still had something to hold onto… Until this morning.
Last night, I was incredibly frustrated with the way you’ve been treating me, and I needed to vent to my friends. I posted a link to Jeff Jarvis’ article on your recent behavior, and my friend even commented on it, asking if there were any others I could run to. You must have seen this and not appreciated the candid honesty because you deleted it. Right off of my wall. Removing the comments, removing the post. I thought it was my Nexus One’s Facebook App being buggy (Because that happens sometimes) and not displaying the post. But when I checked with you the next morning, it was true. You had removed the link that I had posted on my own wall. I feel that this could be the final straw. We really had a good time while it lasted, but I’m not entirely sure I want to continue this relationship anymore. I think I’ve found someone else. Someone that will respect my privacy and leave my posts intact. I’m going away for a little while to cool down and think about things, but I don’t think this will work anymore.
Last night, I posted a link to Jeff Jarvis’ article entitled: Here’s The Privacy Line That Facebook Just Crossed… and got a comment on it pretty soon after it was up. It was listed in my Facebook notifications, even! I figured I would respond in the morning and went to bed.
To my surprise this morning, I find that the links didn’t work. The link in
the ‘Notifications’ page and in the email I received (I have email
notifications for just about everything enabled) in the Facebook app led to
this error message [Content Not Found: The page you requested cannot be
displayed right now. It may be temporarily unavailable, the link you clicked
on may be broken or expired, or you may not have permission to view this
page.]
Strange… Very strange. I went to my computer to check, hoping that my phone
was being buggy…
Yep… there is the email… clicks link
[This post is not available anymore]
Facebook deleted my post. They removed the link I posted (And naturally, all of the links associated with the post) because it put them in a bad light. I did also link to the same article using a bit.ly link (Fetched from Twitter), and that was not removed. It’s apparent that I’m not an important enough target for profile manipulation, and I seriously doubt that Zuckerberg is sitting in his office, picking off links I post about his baby. The most likely scenario is that Jeff’s article was flagged on Facebook for mass deletion sometime yesterday. Since this incident, I have re-posted the link to the article and asked others to do the same (many have now shared the link as well). So far, the link survives. This is the final straw. I am seriously considering deleting my Facebook account. With the recent anti-privacy stunts, bugs, and now censoring of anti-Facebook content, this is far from the “Safe Haven” picture that Zuckerberg paints atop his high tower. Starting today, I will be moving over my data/comments/time to other services (Twitter, Buzz, Flickr, Delicious, Google Profile) and weaning myself off of Facebook in the likely event that I will be deleting my account.
If you would like, go ahead and join me on any one of these services, my
username is samurailink3 on everything. Facebook was a huge convenience,
but this was the final straw, I’m moving on.
Looking to delete your account? Click here.
So, I’ve completed work (a while ago… was still gathering the time necessary
to write this blog post) on Project: SHROUD (Link defunct for now…) and
it is time to release the documentation on how I’ve put it together. The
pieces have been floating around the internet for some time, but I’m here to
put this in one central location so you can have it up and running in no time
flat.
But what exactly is Project SHROUD?
From the PastaNet blog: “Completely encrypted storage space via PastaNet
using TrueCrypt and SSH. Hosted on an encrypted RAID-5 server and stored in
your own personal encrypted volume, your data is not only safe, but extremely
secured. Your personal file volume is dismounted 60 seconds after you
disconnect, leaving your data completely encrypted (Twice over!!). Completely
secured network access through SSH encryption. You can access your SHROUD
drive through any FTP program that supports SFTP (The vast majority of these
programs do) or by mounting it as a network drive through ExpanDrive (working
on alternatives for this) [Linux users need not apply, as mounting SSH volumes
is built into the OS]. Completely encrypted, completely secured, cloud-based
storage.”
When a user logs in, their TrueCrypt volume is mounted as their home
directory. The system then watches to see when the user logs off and dismounts
their TrueCrypt volume 60 seconds after they disconnect. This SFTP storage
area can then be used through virtually any FTP program or mounted as a
Network Shared Drive for the user. These users are forbidden from shell
access, VPN, and other areas of the filesystem.
As a server admin, it is bad karma (and very bad practice) to keep your users’
passwords. Create the volume, throw away the key, the rest is up to them. This
keeps them and you safe in a worst-case-scenario.
The first thing you need to do is create a directory in /home for the location of the TrueCrypt volumes.
```bash
mkdir /home/private
```
In this directory, we will keep all of the SHROUD users’ TrueCrypt volumes. They will have a home directory to be used purely as a mount point for the volume.
Now, the difficult part (Which isn’t too terribly hard), compiling a more modern version of PAM, known to work well with automatic TrueCrypt mounting (Terminal Commands Ahoy!):
```bash
wget http://dl.dropbox.com/u/860936/Blog/pam_1.1.1.orig.tar.gz
tar xfzv pam_1.1.1.orig.tar.gz
cd Linux-PAM-1.1.1/
./configure
cd modules/pam_exec/
make
sudo cp .libs/pam_exec.so /lib/security/pam_exec_UNSTABLE.so
```
We have just compiled the new PAM_EXEC to a new, different file on your system. We will reference this module in the TrueCrypt-mounting script instead of your standard PAM module. This will avoid dependency and package conflicts later on. We now need to edit the “common-auth” and “common-session” text files that control what happens when a user enters their password. We’ll add the lines by piping ‘echo’ into ‘sudo tee -a’. A plain ‘sudo echo … >> file’ does not work here, because the ‘>>’ redirection is performed by your own unprivileged shell rather than by sudo.
```bash
echo "# SHROUD code below" | sudo tee -a /etc/pam.d/common-auth
echo "auth optional pam_exec_UNSTABLE.so debug expose_authtok seteuid /bin/bash /bin/cryptmount.sh" | sudo tee -a /etc/pam.d/common-auth
echo "# SHROUD code below" | sudo tee -a /etc/pam.d/common-session
echo "session optional pam_exec_UNSTABLE.so seteuid /bin/bash /bin/cryptmount.sh" | sudo tee -a /etc/pam.d/common-session
```
Whenever a user now logs in, the shell will automatically execute
“cryptmount.sh”. One problem: cryptmount.sh doesn’t exist yet. You need to
create it. Create a new file inside of ‘/bin’ and name it “cryptmount.sh”.
Here are the contents of that file:
[TIP: For your convenience, here is the
file]
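```bash
#!/bin/bash
# /bin/cryptmount.sh
# Called by pam_exec; PAM_USER, PAM_TYPE and PAM_TTY are set by PAM.
CRYPTVOLUME=/home/private/$PAM_USER.tc
MOUNTPOINT=/home/$PAM_USER

case "$PAM_USER" in
    root | anotheruser) # homedirs of non-shroud_users are not encrypted
        exit 0
        ;;
esac

case "$PAM_TYPE" in
    auth )
        # expose_authtok hands us the password on stdin; drop its last byte
        # and pass it to truecrypt to mount the volume on the home directory.
        head -c -1 | truecrypt -t --protect-hidden=no -k "" \
            "$CRYPTVOLUME" "$MOUNTPOINT"
        ;;
    close_session )
        # Nothing to do if the volume is not mounted.
        MOUNTS=$(mount | grep " $MOUNTPOINT ")
        if test -z "$MOUNTS" ; then
            echo MOUNTS $MOUNTS > /tmp/debug
            exit 0
        fi
        # Only dismount when the user has no other session open.
        OTHER=$(who | grep "^$PAM_USER " | grep -v " $PAM_TTY ")
        if test -z "$OTHER"; then
            echo truecrypt -d "$MOUNTPOINT" | at now + 1 minute
        fi
        ;;
esac
exit 0
```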
You will need to make sure to add your username, and any other username that
will not be using SHROUD to that list of usernames inside of the script.
Users will see an error if they are not using SHROUD, but are not listed. Here
are the rules: Using SHROUD - Not named in the file. Not using SHROUD -
Named in the file.
Get it? Good.
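cryptmount.sh builds both the volume path and the mount point from $PAM_USER, which is the name supplied at login, so it is worth validating before it is used in a path. The following is an added hardening example, not part of the original post or its sources; the function names and the 32-character limit are assumptions, and it is written in plain POSIX sh so it can be pasted into the script.

```bash
#!/bin/sh
# Added example (not from the original post): validate the login name before
# cryptmount.sh turns it into /home/private/<name>.tc and /home/<name>.
# Function names and the 32-character limit are assumptions.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII letters only

# is_safe_username NAME -> 0 if NAME is a plain lowercase account name.
is_safe_username() {
    case "$1" in
        '' | *[!a-z0-9_-]*) return 1 ;;  # empty, or has '/', '.', space, newline...
        [!a-z_]*)           return 1 ;;  # must start with a letter or underscore
    esac
    [ "${#1}" -le 32 ]
}

# shroud_paths VOLDIR HOMEBASE NAME
# On success sets CRYPTVOLUME and MOUNTPOINT and returns 0.
# Returns 1 (leaving both empty) if the name is unsafe, the volume is missing
# or is a symlink, or the mount point is not an existing real directory.
shroud_paths() {
    CRYPTVOLUME=
    MOUNTPOINT=
    is_safe_username "$3" || return 1
    [ -f "$1/$3.tc" ] && [ ! -L "$1/$3.tc" ] || return 1
    [ -d "$2/$3" ] && [ ! -L "$2/$3" ] || return 1
    CRYPTVOLUME=$1/$3.tc
    MOUNTPOINT=$2/$3
}

# Demo on constructed names (no files are touched).
for name in alice shroud_user2 '../x' 'bob smith' 'Alice' ''; do
    if is_safe_username "$name"; then
        echo "accept: '$name'"
    else
        echo "reject: '$name'"
    fi
done

# In cryptmount.sh this would replace the two assignments at the top:
#   shroud_paths /home/private /home "$PAM_USER" || exit 0
```

The exemption list for non-SHROUD users still applies after this check; the guard only ensures that whatever reaches truecrypt is a real volume file and a real directory under the expected parents.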
The next thing we need to do is limit the amount of access your SHROUD users have. We want them to be ‘jailed’ into their home directory, with no hope of escaping. We need to edit the SSHD configuration file to do this.
```bash
sudo nano /etc/ssh/sshd_config
```
Comment out the line “Subsystem sftp /usr/lib/openssh/sftp-server” by placing a ‘#’ next to it. It’ll end up looking like this:
```
#Subsystem sftp /usr/lib/openssh/sftp-server
```
Now that we have the old system commented out, you will need to add the
following lines of code to your sshd_config:
[TIP: Use Control+O to save the file and Control+X to exit nano]
```
#Start SHROUD code here
Subsystem sftp internal-sftp
UsePAM yes
Match group shroud_users
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```
We will be putting all of the SHROUD users into a group named “shroud_users” and they will be forced to the following rules:
You can also give granular permissions to specific users. Let’s say that you want bob to have SHROUD, but would also like to give him the ability to use VPN:
```
Match user bob
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding yes
    ForceCommand internal-sftp
```
You can set specific user permissions this way. You can even remove the ‘chroot’ bit if you wanted to give a user permission to roam about your filesystem, taking whatever they have access to (this is helpful if you are running a distribution center).
The next step is to make a script to make building the users and setting the
permissions correctly stupidly easy for you to do. In my experience, creating
a SHROUD user with 1GB of usable space took about 10-12 minutes, depending on
how much I fat-fingered the commands. With this script, you’ll be creating
users in 1-2 minutes:
[TIP: READ THE COMMENTS!! Commented code (any line starting with a ‘#’) is an
easy way to figure out exactly what is going on. Use this script as a learning
experience!]
```bash
#!/bin/bash
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/gpl.html.
# Original code by SamuraiLink3 (2010)

MakeUser() {
    # The commands below will set the variable names for both the user and the user's password. These will then be used to create the new user, volume, directory structure, and set them all in motion.
    echo
    echo -n "Enter username for new SHROUD user: "
    read -r user
    echo ""
    echo -n "Now enter the password for the new user: "
    read -r password
    VolumeCreateAndMove
}

VolumeCreateAndMove() {
    echo "We need sudo permission to continue…"
    sudo -v
    head -c 4096 /dev/urandom > rand.txt
    # This creates a 4096-byte file of random data from /dev/urandom, used as the random source when creating the TrueCrypt volume.
    # Note: -p/--password puts the password on the command line, where it is visible in the process list while truecrypt runs.
    truecrypt --text -c "$user" -p "$password" --encryption=AES --filesystem=none --hash=ripemd-160 --size=1073741824 --random-source=rand.txt -v --non-interactive --volume-type=normal --keyfiles=""
    # This command creates a TrueCrypt volume with the name of the user and the password you chose at the start of the script. The size is 1GB in bytes. It is using AES and RIPEMD-160 to create a normal TrueCrypt volume.
    sudo truecrypt --text --filesystem=none --password="$password" --keyfiles="" --protect-hidden=no "$user"
    sudo truecrypt --text -l
    # This will mount the new user volume and list the TrueCrypt volumes for the next step.
    echo
    echo -n "Please choose the mapper number you would like to format: "
    read -r number
    sleep 5
    sudo mkfs.ext4 "/dev/mapper/truecrypt$number"
    # After the volume is mounted, the admin will need to choose which TrueCrypt mount to format (DO NOT FORMAT THE WRONG ONE!!). After this, an EXT4 filesystem is created within the volume.
    sudo mkdir "/home/$user"
    sudo truecrypt -d "$user"
    sudo truecrypt --text --password="$password" --keyfiles="" --protect-hidden=no "$user" "/home/$user"
    sleep 3
    sudo cp -r /etc/ServerSoftware/SHROUD/* "/home/$user/"
    # This is the directory you will need to populate with your wanted default folder structure, change this at your will.
    UserAddAndConfigure
    # Now, the TrueCrypt volume is mounted as the user's home directory and a folder structure is copied into the new volume. You will need to create this folder structure on your own server. Mine is as follows: Code Documents Downloads Misc Music Pictures Videos. Create any directories/files you would like to be pushed and defaulted to all of your users.
}

UserAddAndConfigure() {
    sudo useradd -N -M -g shroud_users -s /bin/sh -d "/home/$user" "$user"
    # The user is created with the 'shroud_users' group, will not create a home directory, and will not create a specific user-group (as we are placing them into the 'shroud_users' group).
    # -d sets the home directory to /home/$user (-b would have produced /home/$user/$user). The password is set by chpasswd below; useradd's -p expects an already-hashed value, so it is not used here.
    sudo chown -R "$user" "/home/$user/"
    # This makes the user the owner of all the folders within their home directory
    sudo chmod -R 700 "/home/$user/"
    # This sets secure permissions on the folders of the user
    sudo chown root "/home/$user/"
    sudo chgrp shroud_users "/home/$user/"
    sudo chmod 750 "/home/$user/"
    # For chroot to work correctly, the chrooted directory needs to be owned by root and not writable by any other party. To satisfy these requirements, we make the owner of the main folder, root, but we make the folders inside of the home directory, owned and writable by the user. This is why the top level directory is not writable in SHROUD, but everything inside of it is. A slight workaround, but it works for now and maintains security.
    sudo truecrypt --text -d "$user"
    # This dismounts the user's directory
    echo "$user:$password" | sudo chpasswd
    # This command 'chpasswd' works differently from 'passwd', it is a scripted way to change a user's password. While it is normally used to change a very large list of users, it works nicely for our script as well.
    sudo mv "$user" "/home/private/$user.tc"
    # This will move the user's TrueCrypt volume to the /home/private directory so cryptmount.sh can get to it.
    Cleanup
}

Cleanup() {
    echo "User: $user created."
    rm rand.txt
    # Nicely removes the random-source file.
    echo "Cleanup complete."
    echo
    echo "========================"
    echo "USER DETAILS:"
    echo "USERNAME: $user"
    echo "PASSWORD: $password"
    echo "========================"
    # Echoes the username and password so the user can write down/memorize/backup their username and password.
    echo
    echo "Program complete, now exiting."
}

MakeUser
```
To make it easier on you (Because copy/paste can be fickle with some text editors/IDEs) here is the file, I recommend reading the file with Notepad++ on Windows or Gedit on Linux.
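The root-owned, not-writable-by-others rule described in the script comments above applies, per sshd_config(5), to every component of the ChrootDirectory path, not only the final directory. The check below is an added example, not part of the original post; the function names are assumptions and it relies on GNU stat as shipped with Ubuntu.

```bash
#!/bin/sh
# Added example (not from the original post): check a ChrootDirectory path
# against the ownership/mode rule sshd enforces before it will chroot.
# Function names are assumptions. Uses GNU stat (-c).

# component_ok UID MODE -> 0 when root owns it and group/others cannot write.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# audit_chroot_path DIR
# Walks DIR and every parent up to /, printing one line per component.
# Returns 0 if all pass, 1 if any component fails, 2 if DIR is not absolute.
audit_chroot_path() {
    dir=$1
    rc=0
    case "$dir" in
        /*) ;;
        *) echo "BAD  $dir (must be an absolute path)"; return 2 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "BAD  $dir (not a directory)"
            rc=1
        else
            meta=$(stat -c '%u %a' "$dir")   # e.g. "0 750"
            uid=${meta% *}
            mode=${meta#* }
            if component_ok "$uid" "$mode"; then
                echo "ok   $dir (uid=$uid mode=$mode)"
            else
                echo "BAD  $dir (uid=$uid mode=$mode)"
                rc=1
            fi
        fi
        if [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Run against a real path when one is given, e.g.: sh audit.sh /home/bob
if [ "$#" -gt 0 ]; then
    audit_chroot_path "$1" || echo "sshd will refuse to chroot into $1"
fi
```

Run it while the user's volume is mounted as well as when it is dismounted: the mounted filesystem's root directory carries its own owner and mode, which is what the chown/chmod steps in the script set.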
Now all that is left is to create your first user, distribute a connection program (such as FileZilla Portable), and start providing encrypted storage. So far, this has been the biggest undertaking on PastaNet and the biggest post on this blog. Enjoy it.
To make things easier on my users, I have rolled a modified FileZilla Portable zip file for them to download and easily connect to my server. The modifications were trivial, I just saved the standard connection profile to the ‘saved sites’ button in FileZilla, then re-zipped the folder. I provide this file to each user that will be using the SHROUD system. I suggest doing the same for your users. Here is the documentation I provide for my users, I also suggest that you build some form of documentation that your users can dig through as well.
There are a few things I would like to be made known, there are a few quirks with Project SHROUD that you _(and your users)_ should be aware of:
This post is heavily influenced by, paraphrased from, and copied (with very slight modification) from the following sources:
**Little Impact - Automatic encryption of home directories using TrueCrypt 6.2a and pam_exec**
Debian-Administration - OpenSSH SFTP chroot() with ChrootDirectory
OpenBSD journal @ undeadly.org - Chroot in OpenSSH - Contributed by merdely (Mike Erdely)
This UbuntuForums.org post and the UbuntuForums community in general, this community is one of the best I have ever been involved with and they make me a smarter person every time I log on. I want to specifically thank cdenley and sublimination for all the help they provided me with on this project.
These people have done the amazing legwork. Go to their blog, leave comments, click ads, donate cash, do something if this post helped you out at all. Without them, Project: SHROUD would just be a twinkle in my eye. Props to them!!
About Server-Bits:
If you’ve ever wanted to get started building a server, right in your own backyard, kitchen, closet, mother’s closet, mother’s basement, then this is the read for you. Aimed at the not-so-technical-but-willing-to-learn, this will give you everything you need to build… that monster-server you’ve dreamed of. My goal: To give you a working, rocking server, for free, that you can use daily.
Have you ever been away from your machine when you’ve thought to yourself, “Oh! I need to torrent COMPLETELY LEGAL CONTENT HERE!! I wish I was at my machine…”. Now you don’t have to be at your computer, you can control all of your torrents, and add new ones, entirely through Transmission’s web client.
Transmission should be installed on Ubuntu by default, but just in case it isn’t, you can install it by running the command:
```bash
sudo apt-get install transmission
```
Go ahead and start this in GUI-mode. Just open Transmission while you are logged into Gnome. From here, go to: Edit -> Preferences. Navigate to the Privacy tab. There are a few options that **NEED** to be changed.
First off: Blocklist. Blocklist. Blocklist. Enabling the blocklist will keep the vast majority of anti-P2P groups off of your back. Make sure that you enable automatic updates as well. The next thing you need to change is the encryption. Change this to Encryption Required. This will ignore and close any connection that is not masked by encryption.
Next, in the Network tab, check the “Pick a random port every time Transmission is started” box.
In the Web tab, check the “Enable web client” box, change the listening port to whatever you prefer (and forward the port on your router if you so choose [forwarding this port will give you the ability to manage your torrents outside of your network]). Make sure the “Use authentication” box is checked and choose a username/password. If you would like, you can also restrict access to certain IP Addresses. This is helpful if you are only going to be accessing this page from a known machine with a constant known address.
Now, in a web browser of your choice, navigate to ‘YourHostname:YourTransmissionPort’ and you should be greeted by a popup login box. Enter the username/password combination that you set up and start remote torrenting!!