FAIL: this experiment did not work / needs more testing
Category Archives: personal
on techinc and society
Back in the days I met people who were fundamentalist vegans, calling themselves “straight edge” – we lived for half a year in the same building till we could not stand each other anymore – Some people would boycott what the other was doing/liking/listening to because somewhere it conflicted with the ethics of one of the Vegans.
We stopped listening to music together (because %recordlabel% was supporting the exploitation of children somewhere), we stopped cooking and eating together (because %shop% supports the destruction of rice fields somewhere) and so on.. everything had a problem that made it unethical/impossible to reach common ground
Now you could ask yourself why this happened.. were the fundamentalists too fundamentalist? They would not be fundamentalist, then, right? <<--- edit: maybe ideologist/ideology would be more fitting - thanks
Were we too "corrupted" by society to accept their point of view?
In fact, everyone had sound arguments and reasons for what he was doing, yet our shared apartment that was started on the premise of "Hey, you people are cool, we meet at many parties, lets live together"
The two emails I received on the techinc mailing list regarding hitb and the reputation of techinc painfully remind me of that time...
Probably the Catholics/Protestants felt similar 500 years ago.. we all know how that ended ;)
Heck, the entire civilization we currently live in has been like that and I still don't like it but you know what? Democracy may be inherently bad but it is still the most common form of "how to piss the least people off and still manage to keep the show going". This system is powered by public reward for things done well (salary, media, etc.. ) and punishment for things not done right (penalties, fees, court, jail, public shaming, exclusion from the "club")
Again, I don't think it is the best system to have but all the alternatives cause only more fragmentation and dissent.. do we want that? Shall we continue as one block of awesome people standing together or shall we just let it fall apart because we don't like the hair of the other person?
(*glances at Mitch Altman and giggles*)
windows media / gaming pc
windows 8.1 seems solid so as I want to play games I decided to throw some servers / services on there, too
but first disable that tablet crap and the “metro” interface
I will be using desktop software anyway so no need for that touch stuff
Right-click the taskbar on the desktop and under “Navigation” disable all “corner navigation” charms/crap
then select “show desktop instead of start” and “show apps view” – disable “search all” and enable “list apps first”
go to the metro search > uninstall programs and delete them all
install vlc, foxit reader, itunes, steam, quasselclient, firefox, spotify, etc.
also> gpedit > computer management > administrative > windows components > onedrive > prevent onedrive
install calibre ebook server and plex media server (once I have a NAS this will change)
enable file sharing and streaming for the home group
check firewall for permissions / check device is not reachable from the outside
enable file history / add shared media folders to libraries
consider growing disks for backup > FAIL – not enough SATA ports > see NAS project :)
dolby downmixing for games
assuming a gaming PC using windows, transporting video and audio via hdmi to a TV and connected an amplifier with a 2.1 setup to that. however the subwoofer is controlled by the amplifier so all I want is plain stereo into the amplifier.
Now, when playing old games sometimes the audio is just off or very silent (like: wing commander 4, many gog games that use dolby stereo in the cutscenes) – this is because the software has “dolby stereo” hardcoded on the CD/DVD and windows assumes that the hdmi interface can process dolby stereo.
windows itself doesn’t help you here, blaming the game/the TV and it kinda annoys me to hear only the left and right channel and not the center, rear and subwoofer channels – it apparently assumes that the game specifies the desired output or whatnot… and we all know whose mother assumption is
remedy is an AC3 splitter or directshow filter
a very good one is included in the “shark007 codec pack” – get it here
I am sure there are others but that one is my favorite since I migrated away from CCCP (combined community codec pack) years ago (which was needed to decode mkv anime with dual audio, etc…)
just install the “advanced” package, use shark007’s recommended settings and then in the settings set up “2.0” stereo downmixing (or whatever you are feeding into your amplifier) – I have only two wires – left and right – for the moment. once I upgrade my amplifier this will basically work against me… but hey, first I need a better amp ;)
private server install log 03/2014
this is taken from here:
https://github.com/al3x/sovereign
and I want to play with ansible on my other server (the .eu domain) but this will be my private server where things are (of course) different.
UPDATE 7/2014: added webmail and roundcube and owncloud plugin
NEEDS: backup scripts / dumps
– create a VM with basic specs for Ubuntu
– set up 12.04 LTS with 64bit flavor >> UPDATE: 14.04 LTS is out – mail server is on 14, rest stays on 12 for now…
– chose for LVM and encrypted home directory during install
– install VMware tools / xen tools > or stick to KVM
– allow SSH on the firewall
don’t forget IPv6 for the rules or use UFW
#ufw allow ssh
#ufw limit ssh/tcp < -- is this actually useful in combination with fail2ban?
check /etc/ssh/sshd_config if it uses PAM - we can plug in the 2-factor-authenticator, then :)
– mosh – useful
apt-get install mosh
open ports correspondingly
#ufw allow proto udp from any to any port 60000:60010
this allows for mosh instead of ssh to your server which helps with lag/latency
– htop – interactive “top”
http://hisham.hm/htop/
– fail2ban – block connection attempts
apt-get install fail2ban
edit /etc/fail2ban/fail2ban.conf
and edit
/etc/fail2ban/jail.conf
or better: create a jail.local (it overrules the jail.conf)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
here check for the following:
separate whitelisted hosts/subnets/cidr blocks using space under ‘ignoreip’
also, set up your mta and recipient address under destemail
bantime and maxretry can be adjusted
backend can be auto
edit /etc/fail2ban/jail.local
and apply the banactions for UFW as we are not using iptables directly (we suck!)
[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[apache]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-auth
logpath = /var/log/apache*/error*.log
maxretry = 4
[apache-filenotfound]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-nohome
logpath = /var/log/apache*/error*.log
maxretry = 3
[apache-noscript]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-noscript
logpath = /var/log/apache*/error*.log
maxretry = 6
[apache-overflows]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-overflows
logpath = /var/log/apache*/error*.log
maxretry = 2
create /etc/fail2ban/action.d/ufw-ssh.conf:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip>
actionunban = ufw delete deny from <ip>
and /etc/fail2ban/action.d/ufw-apache.conf:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 2 deny from <ip>
actionunban = ufw delete deny from <ip>
DISCUSS: IPv6 – hack a little 64 gateway or block SSH for IPv6 (which would be silly…)
restart ufw and fail2ban to activate:
andreas@telecity:~$ sudo service fail2ban restart
* Restarting authentication failure monitor fail2ban [ OK ]
andreas@telecity:~$ sudo service ufw restart
ufw stop/waiting
ufw start/running
check status (default only SSH is enabled)
andreas@telecity:~# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
root@telecity:~#
it works! UFW injects a deny statement for every host that tries to bruteforce
tail -f /var/log/fail2ban.log
2014-07-19 11:24:49,201 fail2ban.actions: WARNING [ssh] Ban 116.10.191.163
$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    DENY        116.10.191.163
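How the [ssh] jail above turns auth.log failures into ufw rules, as an added example that is not part of the original post: a simplified stand-in for fail2ban's sshd filter and the ufw-ssh action, run over constructed log lines. `plan_bans`, the regex, the sample addresses and the `findtime` window (a fail2ban option the post does not set, assumed here at 600 seconds) are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd filter (the real one has more patterns).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample lines (documentation addresses), in /var/log/auth.log format.
SAMPLE_AUTH_LOG = """\
Jul 19 10:00:00 server sshd[3001]: Failed password for root from 192.0.2.99 port 40001 ssh2
Jul 19 10:20:00 server sshd[3002]: Failed password for root from 192.0.2.99 port 40002 ssh2
Jul 19 10:40:00 server sshd[3003]: Failed password for root from 192.0.2.99 port 40003 ssh2
Jul 19 11:24:40 server sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 19 11:24:43 server sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jul 19 11:24:44 server sshd[4105]: Failed password for andreas from 198.51.100.20 port 40022 ssh2
Jul 19 11:24:45 server sshd[4105]: Failed password for andreas from 198.51.100.20 port 40022 ssh2
Jul 19 11:24:46 server sshd[4105]: Failed password for andreas from 198.51.100.20 port 40022 ssh2
Jul 19 11:24:49 server sshd[4101]: Failed password for invalid user test from 203.0.113.7 port 51122 ssh2
Jul 19 11:25:10 server sshd[4110]: Accepted password for andreas from 198.51.100.20 port 40023 ssh2
""".splitlines()

def plan_bans(lines, maxretry=3, findtime=600, ignoreip=(), year=2014):
    """Return the ufw commands the ufw-ssh action would run, in ban order."""
    allow = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned, commands = set(), []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                # successful logins and other daemons are ignored
        ip = ipaddress.ip_address(m["ip"])
        if ip in banned or any(ip in net for net in allow):
            continue                # already banned, or whitelisted via ignoreip
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = failures[ip]
        seen.append(ts)
        while seen and ts - seen[0] > window:
            seen.popleft()          # forget failures older than findtime
        if len(seen) >= maxretry:
            banned.add(ip)
            commands.append(f"ufw insert 1 deny from {ip}")
    return commands

if __name__ == "__main__":
    for cmd in plan_bans(SAMPLE_AUTH_LOG, ignoreip=["198.51.100.0/24"]):
        print(cmd)
```

The slow guesser at 192.0.2.99 never reaches maxretry inside the default window, which is the trade-off to keep in mind when tuning findtime and bantime.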
– install build-essential, openssl and libssl-dev to be able to create a wildcard certificate (self-signed) and other stuff we have to build from scratch
– owncloud – via owncloud.com
install according to manual there (#apt-get install owncloud)
admin docs: http://doc.owncloud.com/
modify your webserver to allow owncloud to do its magic:
#chown -R www-data:www-data /path/to/your/owncloud/apps
#chown -R www-data:www-data /path/to/your/owncloud/data
#chown -R www-data:www-data /path/to/your/owncloud/config
set ‘AllowOverride All’ in the /var/www/ section of apache2 config file
(/etc/apache2/sites-available/default)
#a2enmod rewrite
#a2enmod headers
then restart apache
#service apache2 restart
open firewall ports for http(s):
#ufw allow http
#ufw allow https
then point browser to https://[your server’s URL]/owncloud
if you want to install into mysql choose “advanced” – otherwise just go with sqlite and create an admin user
you are done!
go admin > create a group and some users
set up the client (owncloud-client) and point it to your server’s URL (use https and a full path)
create folders > they will be synced by owncloud and to your server
other features:
use cardDAV/calDAV
sync music (amaroK/tomahawk)
plugins (roundcube, large files, mobile interface, etc…)
once it works, why not make it secure and install SSL:
– create a self-signed SSL certificate (for web and mail server) or buy one ;)
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
and install them
# cp server.crt /etc/ssl/certs
# cp server.key /etc/ssl/private
adjust apache2 config to enable SSL:
edit sites-available/default-ssl
enable “AllowOverride All” for all /var/www instances as before
check ‘SSLEngine On’ is there
add the two certificates to it instead of the “snakeoil” cert
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
enable the engine with
#a2ensite default-ssl
and restart server
#service apache2 restart
and check if your browser accepts the cert :)
hints to make SSL more secure from phra.gs
https://phra.gs/blob/2014-02-14-apachessl.html
now get connected using owncloud client using the username/password you set as admin
NOTE: every time you update the owncloud binaries you need to go to the website once to apply the update!
– quassel
http://bugs.quassel-irc.org/projects/quassel-irc/wiki
apt-get install quassel-core
for the server
open port 4242 on your firewall/iptables
and use quassel-client for the client
there is quasseldroid and iQuassel for mobile clients
it doesn’t use SSL by default – so stop the service and launch quasselcore manually
it will show you where it wants the config files and SSL certs
then create the cert as indicated here:
http://bugs.quassel-irc.org/projects/quassel-irc/wiki/Client-Core_SSL_support
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem
connect to your server for the first time and a welcome dialog will appear
set up the first user (who will be an admin)
and then go play :) (and chat from anywhere)
useful for irssi integration:
https://github.com/phhusson/quassel-irssi
mmarley has a more recent repository on launchpad – use it if you want to use 0.10 and not 0.8
gallery2:
simple: apt-get install gallery2
install mysql-server and set up the database (Remember the user/pass)
http://codex.galleryproject.org/Gallery2:Installation_on_Debian
then run the webinstaller and do the rest
http://yourdomain/gallery2
edit /etc/php5/apache2/php.ini and raise the file limits if you want /need
add a seedbox? transmission-bt !
http://filesharefreak.com/2012/05/10/seedbox-from-scratch-new-server-to-seeding-in-less-than-5-minutes
although that is something for my raspi at home / openelec style
install transmission-daemon – set up config and password
apt-get install transmission-daemon
nano /etc/transmission-daemon/settings.json
and open firewall for the tcp ports – done :)
– diaspora
https://wiki.diasporafoundation.org/Installation/Ubuntu/Precise
seems I need a “valid” SSL cert and a dedicated webserver – so I will do that virtually instead or from home or not at all.
– XMPP
apt-get install prosody
configure as per example / global settings and add an admin user there
create some keys:
openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/xxxxxxxx.crt" -newkey rsa:4096 -keyout "/etc/ssl/private/xxxxxxxx.key"
under your server add the certs
ssl = {
/path/to,,,
and create symlinks
test the keys:
sudo chmod 600 /path/to/certificate.key
sudo chown prosody:prosody /path/to/certificate.key
Prosody should also be able to read the parent directories of the file.
To test that only Prosody can read the file:
sudo -u prosody cat /path/to/certificate.key # Should succeed
sudo -u nobody cat /path/to/certificate.key # Should fail
Declaring host
The configuration of the host im.example.org will be done in the file « /etc/prosody/conf.avail/im.example.org.cfg.lua », the file example.com.cfg.lua may serve as a model:
cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/im.example.org.cfg.lua
With your favorite editor change the settings for VirtualHost and enabled so you have:
VirtualHost "im.example.org"
--enabled = false -- Remove this line to enable this host
The line "enabled = […]" can also be removed entirely, instead of being commented out as above.
Also specify the key and the SSL certificate:
ssl = {
    key = "/etc/prosody/certs/im.example.org.key";
    certificate = "/etc/prosody/certs/im.example.org.cert";
}
If you already have a key / certificate pair on the same domain name (Common Name), for example for apache, point to it instead of the files listed above.
Now create the symbolic link in « /etc/prosody/conf.d/ » with:
ln -sf /etc/prosody/conf.avail/im.example.org.cfg.lua /etc/prosody/conf.d/im.example.org.cfg.lua
Several hosts in one configuration
Here is an example to declare a single configuration for multiple hosts (thank you MattJ):
for _, host in ipairs { "example.net", "example.org" } do
    VirtualHost (host)
    option1 = "foo"
    option2 = "bar"
end
Create users (single)
Creating user accounts is done with the command « prosodyctl »
prosodyctl adduser romeo@im.example.org
open firewall for ports 5222 and 5269 IP and IPv6
create DNS SRV records for optimal federation / domain delegation
use this template:
_xmpp-client._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 xmpp.example.com.
_jabber._tcp.example.com 18000 IN SRV 0 5 5222 xmpp.example.com < -- that still relevant? also.. no dots after TLD? doubt this will work...
in fact: the domain is automatically added so just add this:
_xmpp-client._tcp type SRV with value 0 5 5222 xmpp.domain.com.
and
_xmpp-server._tcp type SRV with value 0 5 5269 xmpp.domain.com.
it must point to an existing A-record - not an IP address (this also helps with IPv6 I guess...)
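A small lint for the SRV lines discussed above, as an added example that is not part of the original post: it applies the zone-file rule that a name without a trailing dot gets the zone origin appended, checks the port against the two ports the post opens, and rejects an IP address as target. `lint_srv`, `lint_zone` and the sample lines are constructed for this example.

```python
import ipaddress

# Ports the post opens for Prosody: 5222 client-to-server, 5269 server-to-server.
EXPECTED_PORT = {"_xmpp-client._tcp": 5222, "_xmpp-server._tcp": 5269}

# Constructed zone lines for the example.com placeholder domain.
SAMPLE_ZONE = """\
_xmpp-client._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-server._tcp 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-client._tcp.example.com 18000 IN SRV 0 5 5222 xmpp.example.com
_xmpp-server._tcp 18000 IN SRV 0 5 5269 192.0.2.10
""".splitlines()

def lint_srv(line, origin="example.com."):
    """Return the problems found in one 'owner ttl IN SRV prio weight port target' line."""
    fields = line.split()
    if len(fields) != 8 or [f.upper() for f in fields[2:4]] != ["IN", "SRV"]:
        return ["not a complete SRV line"]
    owner, port, target = fields[0], fields[6], fields[7]
    problems = []
    # Zone-file names without a trailing dot are relative: the origin is appended.
    fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
    if fqdn.endswith(f".{origin.rstrip('.')}.{origin}"):
        problems.append(f"owner lacks trailing dot, expands to {fqdn}")
    service = ".".join(fqdn.split(".")[:2])
    want = EXPECTED_PORT.get(service)
    if want is None:
        problems.append(f"service {service} is not one of {sorted(EXPECTED_PORT)}")
    elif port != str(want):
        problems.append(f"{service} should use port {want}, not {port}")
    try:
        ipaddress.ip_address(target.rstrip("."))
        problems.append("target is an IP address, SRV needs a hostname")
    except ValueError:
        # A hostname target is fine, but it is relative too if the dot is missing.
        if not target.endswith("."):
            problems.append(f"target lacks trailing dot, expands to {target}.{origin}")
    return problems

def lint_zone(lines, origin="example.com."):
    """Map each faulty line to its problems; clean lines are left out."""
    report = {}
    for line in lines:
        problems = lint_srv(line, origin)
        if problems:
            report[line] = problems
    return report

if __name__ == "__main__":
    for line, problems in lint_zone(SAMPLE_ZONE).items():
        print(line)
        for p in problems:
            print("   ", p)
```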
;; QUESTION SECTION:
;_xmpp-client._tcp.rudel.nl. IN SRV
;; ANSWER SECTION:
_xmpp-client._tcp.rudel.nl. 3600 IN SRV 0 5 5222 telecity.rudel.nl.
;; ADDITIONAL SECTION:
telecity.rudel.nl. 3600 IN A 80.252.86.117
– rkhunter
– sendmail / mail server?
— dovecot imap and roundcube look neat – with a plugin for owncloud? awesome!
– tarpitting / greylisting / smarthost with ISP relay?
found iredmail!
http://www.iredmail.org/install_iredmail_on_ubuntu.html
install script works nice on a new /fresh ubuntu server – delete defaults later and change passwords
set up domain records (MX and A-records) and set up SPF
– two-factor authentication? google authenticator?
sudo apt-get install libpam-google-authenticator
run google-authenticator as the user you will be logging in as
it will create a qr code with the secret key that google authenticator app can scan
it will also update the PAM module and ask you some questions
do this for every user
now edit /etc/pam.d/sshd
add this line(s):
# enable Google authenticator
auth required pam_google_authenticator.so
then edit /etc/ssh/sshd_config
and change or add this line to say yes
ChallengeResponseAuthentication yes
restart ssh to enable
sudo service ssh restart
next login looks like that:
login as: andreas
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:
biking
http://www.mtbroutes.nl/index.php/kaart-nederland
http://mtb-noordwest9.nl/?module=Basis%20Hoofdmenu&actie=&subactie=16
http://www.onyva.org/index.php?page=subitem-2
let’s see how that feels :)
hackintosh 10.8.5 and fixes
using kakewalk 4.5 for initial install
somehow kakewalking after install fails so:
Using latest BIOS again (F11)
then using dsdt and multibeast 5.5 > easybeast install with dsdt (has to be on desktop)
using Audio > With DSDT > ALC888 “current” (as opposed to “legacy”)
also use TRIM enabler
here the dsdt – put on desktop and run multibeast
DSDT-GA-EP45-UD3LR-1.0-F11.aml
then update using the combined update pack and do the same again :)
Update1: Chameleon corrupted
sometimes, if you have multiple harddisks (and one of them windows) the chameleon bootloader is being confused and dies – you can still start up with a unibeast/myhack/kakewalk USB stick but to fix the issue you need to use: Chameleon Wizard
there is one way to use when you have another disk that contains windows :)
update2: White screen with R9-280x/Radeon 7950/7970
basically editing /Extra/boot.chameleon.plist and setting “GraphicsEnabler = No” allows the card to work (use PartedMagic to start up and use fsck and mount to get write access if you had “yes” before…)
#fsck.hfsplus -f /dev/sdax
#mount -t hfsplus -o force,rw /dev/sdax /media/sdax
Now, the card will start up but will show only white.
If you make the hackintosh sleep and wake it again it works! So let’s just rotate the screen 90 degrees and put it back to normal. here a Rotate screen fix converted into an app (use with assistive technologies)
http://www.tonymacx86.com/graphics/124093-r9-280x-mountain-lion-white-screen-fix-inside.html
set up IRC server using irssi
http://quadpoint.org/articles/irssi/
and
http://www.antonfagerberg.com/archive/my-perfect-irssi-setup/
should get you started
I am using auto away and hilight
this does send push away_messages to iOS
http://clockwork.fr/2012/04/push-irssi-away-messages-to-your-iphone/
however the push service costs $$$ and bitlbee is not what I want…
http://www.bitlbee.org
basically something that should trigger my pebble would be nice :)
like this:
https://irssinotifier.appspot.com/
now I only need an android phone
alternative for @work:
In irssi:
/set bell_beeps on
/set beep_msg_level MSGS NOTICES DCC DCCMSGS HILIGHT
And in putty:
Go to Terminal -> Bell in the settings, and set “Taskbar/caption indication on bell” to Flashing or Steady (whichever you prefer).
last thing: in screen session housing irssi: Ctrl-A > Ctrl-G (enable audible bell!)
then choose > flashing window or system sound
this is till I have an android phone
URL logger to mysql? > irssi_url_logger
depression prevention
recently I got trapped in one of my “downward spiral” thought patterns while having fun which was a not so pleasant experience… back then when I was in therapy for depression I taught myself some methods for detecting and getting rid of unpleasant thoughts – I used the image of a “black dog” (W. Churchill used that image) so all I had to do was “make the black dog go away”
this did not work last week.
Luckily a friend who has a couple more psychological issues was nearby and recognized my thoughts and the mood I was drifting into.
He gave me a new method to get rid of the “black dog” – did you read Harry Potter? The Patronus charm?
“…will work only if you are concentrating, with all your might, on a single, very happy memory.”
that’s it – even easier than the “black dog” method
It worked instantly because instead of concentrating on something unpleasant (the black dog) I was now concentrating on something which already has a positive bias.
Thank you, you know who you are!
Cinnamon Roll Pancakes
Love cinnamon rolls? Love pancakes? Have them both! These are an awesome decadent breakfast.
Total Time: 20 minutes
Cinnamon Swirl:
4 Tablespoons unsalted butter, melted
1 tablespoon cinnamon
1/4 cup plus 2 tablespoons brown sugar
Mix ingredients together and stick in a Ziploc bag. Seal and let sit to thicken.
Glaze:
1 cup powdered sugar
1 teaspoon vanilla
2 teaspoons milk
Heat ingredients in a saucepan. Mix until sugar is melted and everything is mixed together well.
Directions:
1. Make Cinnamon Swirl and let thicken.
2. Mix up the pancake batter. I used a just-add-water pancake mix.
3. Form round pancakes on griddle/skillet and cook on medium heat until bubbles start to show (about 2-3 minutes).
4. Snip the end of the Ziploc bag off and pipe on a cinnamon swirl. Don’t pipe too close to the edges or it will melt off.
5. Flip the pancake quickly and cook 2-3 minutes on the other side.
6. Make and drizzle glaze over the pancakes.
HINT: Wipe pan clean with paper towel in between pancakes.