Posted via email from It should be illegal to be this geeky

Like many others in today’s age we met online and played phone and email tag for a month. I was on a business trip to Tucson and her messages and voice were such a welcome escape from the crazy hours and stress. We exchanged stories of growing up, life dreams, and all the goofy little jokes that make us giggle. All I could think about in the desert that trip was, first getting home, second meeting her. I did so in rapid succession

The rest as they say is history, but as we come up on a year of dating I can say there is simply BB and AB, Before Becca and After. Life BB was a mix of black areas and wandering. AB she balances me out, is my confidant and advisor, my business partner and best friend. She accepts me for who I am in every way and I the same for her. In fact she hasn’t peeped about me sitting here writing a blog post, AMAZING! :)

I usually post technical documents on this website and insights into whatever geeky adventure I am on. Sometimes though it is important to know what powers the man who is typing. I love you Becca and thanks for letting me be who I am…

0100011001110010011011110110110100100000011110010110111101110101011100100010000001110110011001010111001001111001001000000

110110001101111011101100110100101101110011001110010000001100111011001010110010101101011

Books you need to read from Amazon.com I compiled a list there so you can just purchase in whole or pick what is interesting. If you only pick one book be sure it is the Mythical Man Month. It brought home for me the resource vs. task view of the world. Being able to defend your position and schedules is just as important as being able to create them. Highly Recommend

From blogs you should monitor via Google Reader or various other RSS reader…

Specific posts that made me take pause and wonder what I was doing:

Tips for Managing Geeks is a big topic in my world. The models you will read in books apply to MBA and more traditional engineering models. Geeks have nuances, this is my mix of all the sites I have read on the topic and many you guys have heard me say:

https://wiki.ubuntu.com/HardwareSupp…sPoulsbo#lucid

It is now possible to upgrade to 10.04 Lucid with no issues. In fact the previous gobi WWAN, sleep, and qcserial hacks are no longer needed. On first boot everything worked other than the videocard. Go Linux!

The amount of banter on the topic is extensive, but there really are good reasons to leave Facebook. When I started dabbling in Social Networking back on the BBS days there was always a desire and reason for anonymity. It could have been for the illegal activities going on or for the fact people just didn’t want to over expose themselves. It was around the time AOL picked up some steam that sharing really became trendy. There were extensive pushes to kick AOL off the grid for the amount of anonymous data leaked from their pipes, but that was not enough to place controls on the system. As I joined sites like Friendster, Jaiku, etc. there were always controls in place for the amount of information I could share and what people could share about me. That layer of control allowed me to keep tabs on my personal identity and persona. I left MySpace and Hi5 since everyone told me “Facebook is way more secure,” but at the time I was unable to join due to no college affiliation. That changed and I joined…

My biggest gripe about Facebook isn’t that Big Brother will learn everything about me. I am a Defense Contractor and prior military, Big Brother knows more about me than I know. My gripe is that Facebook has no legal mandate to control my data. If I post that my dogs name is Tim, I was born on Mars, and my mom used to be Misses Fraglerock – you have in essence enough information to reset passwords on most major websites. I would share that information under the guise that Google would not crawl the info or some outside source. The issue with Facebook is even if I set the control to ONLY allow for you, my bestest friend to see it, as soon as you visit a website or take a stupid quiz my information is accessible to other folks. My circle of trust (COT) is now broken.

As a security professional we must place our money where our mouths are. If we are going to preach two factor authentication and default-deny, then we must live it. Facebook violates a default-deny policy by constantly changing TOS and releasing my information. They refuse to validate and control my data from myself and friends despite any setting I select…as such…auf weidersahn

Further Reading:

http://consumerist.com/2010/05/top-10-reasons-to-quit-facebook.html

http://www.technologygear.net/top-10-reasons-for-why-you-should-join-facebook.html

http://sickfacebook.com/top-10-reasons-why-facebook-sucks/

http://gizmodo.com/5530178/top-ten-reasons-you-should-quit-facebook

The first step was to get a current version of OpenVPN installed on the Ubuntu 9.10 server. I decided to go with the bridge setup rather than a routed so that I could play more easily with my VMware clusters at the house and the lab with my BeOS and OpenBSD boxes.

sudo apt-get install openvpn bridge-utils

Next I setup a bridged adapter to use on the Ubuntu 9.10 box that would give me transparent access. Open the /etc/network/interfaces file in vi

auto lo br0
iface lo inet loopback

iface br0 inet static
address 172.16.1.102
network 172.16.1.0
broadcast 172.16.1.255
netmask 255.255.255.0
gateway 172.16.1.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Afterward you need to restart the network interfaces

sudo /etc/init.d/networking restart

Since I was using the desktop edition of Ubuntu rather than Server (this machine was a pseudo desktop for a little bit) I had to enable ip forwarding by editing /etc/sysctl.conf with vi and adding

net.ipv4.ip_forward=1

Next few steps are to setup the CA you need for certificate generation. Easy-rsa is pretty sweet for quick and dirty CA for these type of things. You can also use the openvpn tools to do static keys, but where is the fun in that?

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo vi /etc/openvpn/easy-rsa/vars

Change these lines at the bottom so that they reflect your new CA.

export KEY_COUNTRY=”US”
export KEY_PROVINCE=”VA”
export KEY_CITY=”Alexandria”
export KEY_ORG=”oneguynick”
export KEY_EMAIL=”nick@notlikelytopostinanopenwebsite.com”

Now to generate your root

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool –initca ## creates ca cert and key
./pkitool –server server ## creates a server cert and key
cd keys
openvpn –genkey –secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

These next two up/down scripts setup the bridge when the server starts. This is the magic in not having to perform the routing you used to be required to do in OpenVPN1

sudo vi /etc/openvpn/up.sh

This script should contain the following

#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

Now, we’ll create a “down” script.

sudo vi /etc/openvpn/down.sh

It should contain the following.

#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Now, make both scripts executable.

sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

Below is my example /etc/openvpn/server.conf Customize as you see fit

mode server
tls-server

local 172.16.1.102
port 443 ## i am running on 443 rather than the default for firewall bypassing
proto udp

#bridging directive
dev tap0
up “/etc/openvpn/up.sh br0″
down “/etc/openvpn/down.sh br0″

persist-key
persist-tun

#certs
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

#cipher and compression
cipher BF-CBC # Blowfish (default)
comp-lzo

#DHCP
ifconfig-pool-persist ipp.txt
server-bridge 172.16.1.102 255.255.255.0 172.16.1.50 172.16.1.60
push “dhcp-option DNS 172.16.1.1″
push “dhcp-option DOMAIN geekyschmidt.com”
max-clients 10

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Afterward restart the OpenVPN Server

sudo /etc/init.d/openvpn restart

Now it is time to generate your client certs that you will need to copy to each device. I use n900 as the name here, but you can replace with whatever you wish. I try to keep names and machines close for my poor memory

cd /etc/openvpn/easy-rsa/
source ./vars
./pkitool n900

You will be left with a few files in your /etc/openvpn/easy-rsa/keys directory you need to copy to the device. In my case I copied them to the MyDocs/openvpn area of my N900 to be sure the applet could see them. Most linux machines store them in /etc/openvpn. The list of files to copy is below. Keep in mind that mine are named n900 due to the above pkitool n900 command.

1. ca.crt
2. ta.key
3. n900.key
4. n900.crt

Once those are on the machine you need to generate a config file. Here is mine from the n900.

### Client configuration file for OpenVPN

# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote notlikelytopostinanopenwebsite.com 443

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters – files created previously
ca ca.crt
cert n900.crt
key n900.key

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3

On the n900 you will need to install from extras-testing the openvpn packages

sudo gainroot
apt-get install openvpn openvpn-applet

Thats it! Click in your status bar with the n900 and import the config file stored in MyDocs/openvpn from earlier. It will import the keys into the correct locations and allow you to test the connection.

playback_mime_types=video/mp4-generic, video/quicktime, video/mp4, video/mpeg4, video/3gp, video/3gpp2, application/sdp, audio/3gpp, audio/3ga, audio/3gpp2, audio/amr, audio/x-amr, audio/mpa, audio/mp3, audio/x-mp3, audio/x-mpg, audio/mpeg, audio/mpeg3, audio/mpg3, audio/mpg, audio/mp4, audio/m4a, audio/aac, audio/x-aac, audio/mp4a-latm, audio/wav
playlist_formats=audio/x-scpls, audio/mpegurl, audio/x-mpegurl
audio_folders=.sounds/, .videos/, Music/
video_folders=.videos/, Video/
icon_names=phone-nokia-n900
folder_depth=2
coverartfilename=cover.jpg
coverartfiletype=jpeg
coverartsize=200

is_audio_player

The keyring daemon is not available

FIX:

Install sshfs sudo apt-get install sshfs

Modify your tomboy start to:

eval `gnome-keyring-daemon` && export GNOME_KEYRING_SOCKET && export GNOME_KEYRING_PID && tomboy –search