Make Your Own Private Bitcoin Node to Anonymize Transactions over Tor

This article has been updated with instructions to update Tor to the latest version, as I discovered the repositories were shipping a really old one. The systemd service now also tells bitcoind to shut down safely when the service is stopped, and the bitcoin.conf file I made has been amended. You can find the amendments in the Tor, Installing Bitcoin Core, and Autostart sections.

Chances are you’ve heard of Bitcoin, the anonymous and secure cryptocurrency which has made waves over many years. One of the main issues I see is that people are trusting others to handle their transactions. So I set about purchasing a tiny Dell netbook with a measly Intel Atom CPU, 2GB of RAM, and a 240GB SSD to act as my primary wallet for cryptocurrency; it is more or less my bank. The laptop has a fully encrypted drive, and I back up the keys for my wallet and keep them in three different places.

However, when you are running a full version of the core wallets, you have to store a whole copy of the entire block chain on the device using it. Currently the Bitcoin blockchain is around 200GB if I recall, and that’s a lot of data to hold onto just to transact. Not to mention the whole idea of my netbook was to only be on when I needed to transact, as it’s most secure when it is powered off. So obviously running the blockchain on the laptop was not the most ideal option, as it would always have to be on.

I also want to further anonymize the connections coming in and out, so I wanted to tunnel all of the traffic for the node over a VPN such as Private Internet Access, with a VPN killswitch so that if the VPN doesn’t work it won’t connect, as well as bolt The Onion Relay (TOR) on top of it to further anonymize the transactions. The advantage of all this is that any device on my LAN can transact with the blockchain network directly, using my node to send and receive my transactions rather than trusting other people. The other advantage is that since I am running a full copy of the blockchain, I am also helping support the Bitcoin network by providing another peer with a full copy of it. This guide will not cover the VPN aspect, but we will cover how to bolt on Tor as well as how to build your own node entirely.

I originally got the idea from pinode.co.uk, where they have a lot of these projects, and I am already running a Monero node on a Pi 3B+ with a 128GB flash drive. For this tutorial I am merging the ideas from pinode with the Thundroid tutorial, and adding some of my own twists and spins. I chose an Odroid Home Cloud 2 as it allows for a native SATA hard drive; the HC2 variant takes 3.5″ disks, whereas the HC1 takes 2.5″ disks. Either version is fine, and if you really wanted you could probably go for the straight XU4 version, or even a Raspberry Pi 3B+ if you use a 512GB flash drive or larger, or a kit to allow additional drives. For the sake of this tutorial we will be discussing the Odroid platform, but you can use whatever platform you like. Technically you could use a full dedicated PC, but that seems like a waste of hardware and will be far less power efficient. I prefer the Odroid over the Raspberry Pi as it’s a more powerful hardware platform.

Hardware (all links are to Ameri Droid as I am in the USA):

Odroid Home Cloud 2 with RTC battery, 1TB Seagate Iron Wolf HDD, and Model 3 Wifi NIC.

The reason I specified using a NAS drive is that this drive will be on 24/7 and always writing as well as reading data. NAS drives are specifically optimized for this kind of behavior, and will therefore be more reliable. You can use a non-NAS drive just fine, but in the long term a NAS drive is best.

Odroid HC2 pictured in the clear acrylic case option with the wireless NIC inserted, and 16GB flash card before it was flashed with the Ubuntu 18.04.1 OS

Optional Hardware:

Odroid HC2 being worked on at my desk with the UART connector kit pictured.

First things first, we have to connect it to the internet. If you are planning on using wifi, please follow the Odroid wiki here for nmcli. If using the UART console connection, follow this tutorial here. You will need to download the Ubuntu 18.04 minimal image here and use Etcher to flash it to a MicroSD. Once that is done, put it in the Odroid, boot it up, and either SSH in or connect via console. Either way the credentials on first start are:
username: root
password: odroid

For Raspberry Pi users you will have to look up the credentials for the image you are using.

Prep-Work

We’ll need to take care of some things first before we actually make it a Bitcoin node. So first let’s create a new user with a secure password and superuser rights and change the root password. Don’t forget to change “USER” to what you want.

root@btcdroid:~# passwd
root@btcdroid:~# adduser USER
root@btcdroid:~# usermod -aG sudo USER
root@btcdroid:~# adduser bitcoin

Now we need to update the system and change the timezone and locale data, as well as change the hostname in both /etc/hosts and /etc/hostname to match. I named mine “btcdroid” but you can make it whatever you want:

root@btcdroid:~# apt update
root@btcdroid:~# apt dist-upgrade -y
root@btcdroid:~# apt install htop git curl bash-completion jq
root@btcdroid:~# dpkg-reconfigure tzdata
root@btcdroid:~# dpkg-reconfigure locales
root@btcdroid:~# nano /etc/hosts
root@btcdroid:~# nano /etc/hostname

Mount the Hard Drive

Now we need to mount the hard drive. In my case the hard drive was brand new and unformatted, so I had to format it first; you can follow the instructions here at Digital Ocean if you are in the same situation. Regardless, once you have a drive formatted with a Linux-compatible filesystem, we can proceed.

We will need the UUID of the partition that has been created. That is simple: run the lsblk command and it will print the names and UUIDs of all drives.

root@btcdroid:~# lsblk --fs

After running that command you should see something like this. We will need to notate the UUID it has given us for the next steps.

Now we need to edit the fstab with nano and add a whole new line. Replace 123456 with the UUID given by the command above.

root@btcdroid:~# nano /etc/fstab
# New Line in /etc/fstab
UUID=123456 /mnt/hdd ext4 noexec,defaults 0 0

Awesome, now the fstab has been modified and we need to create the mount point, mount it, check it, and set the owner.

root@btcdroid:~# mkdir /mnt/hdd
root@btcdroid:~# mount -a
root@btcdroid:~# df /mnt/hdd

At this point if everything was done correctly you should see something similar to this.


Now let’s give ownership of that entire hard drive to the bitcoin user we made earlier.

root@btcdroid:~# chown -R bitcoin:bitcoin /mnt/hdd/

Moving Swap to the HDD

Now we need to move the swap file to the HDD. So we need to install a package and then do some configuration changes.

root@btcdroid:~# apt install dphys-swapfile
root@btcdroid:~# nano /etc/dphys-swapfile
#Add the following lines
CONF_SWAPFILE=/mnt/hdd/swapfile
CONF_SWAPSIZE=2048
root@btcdroid:~# dphys-swapfile setup
root@btcdroid:~# dphys-swapfile swapon
root@btcdroid:~# shutdown -r now

Hardening The Security

Now it should be reconfigured with a 2GB swap file on the hard drive, and it should be rebooting. At this point log back in as the regular user and not as root, because we are about to disable root login via SSH. If you are using the optional UART serial connection kit, you can still log in as root that way. Now let’s continue on and remove the old swap file.

SSH Hardening

We need to lock down remote access via SSH, and Digital Ocean has a great guide on SSH security. I highly recommend disabling password logins and requiring an SSH key pair instead. You can read the tutorial here, but we will definitely need to disable root access as well. Allowing root to log in is a major security risk, as everyone knows Linux has a root user.

Type the following command to edit the sshd_config file.

USER@btcdroid:~$ sudo nano /etc/ssh/sshd_config

#Find the following line
PermitRootLogin yes
#Change it to no so it looks like below
PermitRootLogin no
#Save and quit
USER@btcdroid:~$ sudo service sshd restart

That will disable root login, but again I highly recommend making it only allow logins with SSH key pairs as it is far more secure than a password.
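One check worth running after editing sshd_config, as an added example that is not part of the original tutorial: sshd keeps the first value it reads for a keyword, so a `PermitRootLogin no` appended at the bottom of a file that still has `PermitRootLogin yes` higher up does nothing. The script below resolves the effective values the way sshd does and flags the risky ones; the defaults it assumes are OpenSSH 7.x's, and the sample config texts are constructed.

```python
"""Show the values sshd will actually use for the login-hardening keywords.

Added example for the SSH hardening step; not part of the tutorial.
sshd keeps the FIRST value it reads for a keyword and ignores later
duplicates. The parser stops at the first Match block, whose settings
are conditional. Defaults assumed are OpenSSH 7.x's.
"""
import re

DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# (keyword, value) pairs that weaken a box reachable from the network
RISKY = {
    ("permitrootlogin", "yes"): "root can log in with a password",
    ("passwordauthentication", "yes"): "password logins allowed (brute-forceable)",
    ("pubkeyauthentication", "no"): "key-based login is disabled",
}


def effective_settings(config_text):
    """Return {keyword: value} the way sshd resolves them: first match wins."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd only treats lines starting with '#' as comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after a Match line is conditional
        if key in DEFAULTS and key not in found:
            found[key] = value
    return {k: found.get(k, DEFAULTS[k]) for k in DEFAULTS}


def findings(config_text):
    """List the risky effective settings; empty when the file is hardened."""
    effective = effective_settings(config_text)
    return ["%s %s: %s" % (key, value, why)
            for (key, value), why in RISKY.items()
            if effective[key] == value]


def check_file(path="/etc/ssh/sshd_config"):
    """Run this on the node itself to audit the real file."""
    with open(path) as fh:
        return findings(fh.read())


# Constructed sample of the common mistake: 'no' appended at the bottom while
# the stock 'yes' line still comes first, and password auth left at default.
SAMPLE_WRONG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

# Constructed sample done the way the tutorial says: edit the existing line.
# The Match block only applies to one user and is ignored by the parser.
SAMPLE_FIXED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, text in (("wrong", SAMPLE_WRONG), ("fixed", SAMPLE_FIXED)):
        print(label + ":", findings(text) or ["hardened"])
```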

Firewall

One of my favorite tools, which I have written about before, is Uncomplicated Firewall (ufw). We are going to open only the pinholes needed for communication, and limit SSH connections so the node is less likely to be brute forced. We will also be adding some defenses against brute forcing in a bit.

The line ufw allow from 192.168.0.0/24 below assumes that the IP address of your btcdroid is something like 192.168.0.xxx, the xxx being any number from 0 to 255. If your IP address is 12.34.56.78, you must adapt this line to ufw allow from 12.34.56.0/24. Otherwise you will lock yourself out for good, unless you connect the UART serial connection kit.

USER@btcdroid:~$ sudo apt install ufw
USER@btcdroid:~$ sudo ufw default deny incoming
USER@btcdroid:~$ sudo ufw default allow outgoing

# make sure to use the correct subnet mask and IP ranges. (see warning above)
USER@btcdroid:~$ sudo ufw allow from 192.168.0.0/24 to any port 22 comment 'allow SSH from local LAN'
USER@btcdroid:~$ sudo ufw allow 9735 comment 'allow Lightning'
USER@btcdroid:~$ sudo ufw allow 8333 comment 'allow Bitcoin mainnet'
USER@btcdroid:~$ sudo ufw allow 18333 comment 'allow Bitcoin testnet'
USER@btcdroid:~$ sudo ufw enable
USER@btcdroid:~$ sudo systemctl enable ufw
USER@btcdroid:~$ sudo ufw status

Now we should install Fail2Ban, which I have talked about often. After five unsuccessful SSH attempts it blocks the IP for ten minutes, which makes a brute force almost impossible to conduct.

USER@btcdroid:~$ sudo apt install fail2ban

Increase open file limit

If your BTCDroid is swamped with internet requests (honest, or malicious due to a DDoS attack), you will quickly encounter the can't accept connection: too many open files error. This is due to a limit on open files (each representing an individual TCP connection) that is set too low.

Edit the following three files, add the additional line(s) right before the end comment, save and exit.

USER@btcdroid:~$ sudo nano /etc/security/limits.conf
#add/change the following lines
*    soft nofile 128000
*    hard nofile 128000
root soft nofile 128000
root hard nofile 128000

USER@btcdroid:~$ sudo nano /etc/pam.d/common-session
#add the following line
session required pam_limits.so

USER@btcdroid:~$ sudo nano /etc/pam.d/common-session-noninteractive
#add the following line
session required pam_limits.so

Installing Bitcoin Core

We’re finally ready to start with the fun parts. These parts were mostly derived from pinode.co.uk, but seem to work perfectly fine for the Odroid HC2, albeit with some tweaks we have already performed specific to the Odroid platform.

First we need to install our dependencies:

USER@btcdroid:~$ sudo apt install autoconf libevent-dev libtool libssl-dev libboost-all-dev libminiupnpc-dev -y

Now we need to make a directory to download our files into, and then download those files using git.

USER@btcdroid:~$ mkdir ~/bin
USER@btcdroid:~$ cd ~/bin
USER@btcdroid:~$ git clone -b 0.17 https://github.com/bitcoin/bitcoin.git

Now that it’s downloaded, we are going to configure, compile, and install the files. In the make command I tell it to run six jobs at the same time (-j6), since the Odroid has eight cores, so it runs faster. You may want to reduce that number to two on a Raspberry Pi. You can also run it without the “-jX” switch to run as a single job, although that may take a couple of hours. Once you run the make command, go make dinner or something, because this will take an hour or two even on the Odroid XU4’s eight-core Samsung Exynos 5422 CPU.

USER@btcdroid:~$ cd bitcoin
USER@btcdroid:~$ ./autogen.sh
USER@btcdroid:~$ ./configure --enable-upnp-default --disable-wallet
USER@btcdroid:~$ make -j6
USER@btcdroid:~$ sudo make install

Now we need to prepare the Bitcoin directory. We’re going to switch into the non-superuser we created earlier, which we named bitcoin, although you can name it whatever you want. The most important thing is that this user only has permission to administer the bitcoin node itself and is not able to make any system changes. This is the great thing about Linux in regards to security and permissions versus Windows. In theory this should isolate an attack, so at worst an attacker can mess with just the bitcoin systems and not the operating system itself.

We use the Bitcoin daemon, called “bitcoind”, that runs in the background without user interface and stores all data in the directory /home/bitcoin/.bitcoin. Instead of creating a real directory, we create a link that points to a directory on the external hard disk.

USER@btcdroid:~$ sudo su bitcoin

# add symbolic link that points to the external hard drive
bitcoin@btcdroid:~$ mkdir /mnt/hdd/bitcoin
bitcoin@btcdroid:~$ ln -s /mnt/hdd/bitcoin /home/bitcoin/.bitcoin
# create the directory the systemd unit later points -datadir at;
# bitcoind refuses to start if that directory does not exist
bitcoin@btcdroid:~$ mkdir /home/bitcoin/.bitcoin/data

# Navigate to home directory and check the symbolic link (the target must not be red).
bitcoin@btcdroid:~$ cd ~
bitcoin@btcdroid:~$ ls -la

Now we need to configure the Bitcoin daemon. Make sure to set an extremely secure RPC username and password, separate from your username and password on the system. Then we will log out of the bitcoin user to set up Tor.

bitcoin@btcdroid:~$ nano /home/bitcoin/.bitcoin/bitcoin.conf

# BTCDroid: bitcoind configuration
# /home/bitcoin/.bitcoin/bitcoin.conf

# Bitcoind options
server=1
daemon=1
txindex=1
disablewallet=1

# Connection settings
rpcuser=SECURE_USERNAME
rpcpassword=SECURE_PASSWORD

# Optimizations for Odroid Hardware
dbcache=192
maxorphantx=60
maxmempool=192
maxconnections=80
maxuploadtarget=5000

#Optimizations for Raspberry Pi 3B.
#These are the values I recommend for a Raspberry Pi 3B: uncomment them and comment out the Odroid ones above for it to work
#dbcache=96
#maxorphantx=30
#maxmempool=96
#maxconnections=40
#maxuploadtarget=5000

bitcoin@btcdroid:~$ exit

Tor IT Up

Now we get to install Tor to encapsulate all the traffic, encrypting and anonymizing everything. We are going to install Tor, but also add the Tor Project repository to get the most up-to-date version, as the one in the default repositories is really old.

First we add a couple of entries under /etc/apt/sources.list.d/, import the repository’s GPG key so apt accepts it, update our package lists, and finally install Tor.

USER@btcdroid:~$ sudo nano /etc/apt/sources.list.d/tor.list
#Add the following lines and then save and close
deb https://deb.torproject.org/torproject.org bionic main
deb-src https://deb.torproject.org/torproject.org bionic main
#save and exit
USER@btcdroid:~$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
USER@btcdroid:~$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
USER@btcdroid:~$ sudo apt update
USER@btcdroid:~$ sudo apt install tor deb.torproject.org-keyring tor-arm nyx

Now we need to configure Tor.

USER@btcdroid:~$ sudo nano /etc/tor/torrc
#add these settings to the bottom of the file
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333
#save and exit
USER@btcdroid:~$ sudo systemctl restart tor.service
#Get your Tor hostname
USER@btcdroid:~$ sudo cat /var/lib/tor/bitcoin-service/hostname

That last command prints a hostname ending in “.onion”. We’re going to need it, so make a note of what it just gave us.

Configure Everything to Autostart

Now we need to program everything to start on boot, so we will make a systemd service that starts our Bitcoin node the way we want: running as the bitcoin user and passing its traffic through Tor. At this point you have the option to either run it only over Tor, or to allow it to run over Tor, IPv4, and IPv6. The Tor-only option is more anonymous, but the other is a dual mode: if Tor is down it can still sync, and it will also sync faster. The choice is yours; just remove the comment from the ExecStart line you want, and don’t forget to insert the hostname.onion we pulled from earlier where the ExecStart command asks for it. After that we will reboot and see if everything works. Make sure to put the username we created earlier where it says USER_NAME.

USER@btcdroid:~$ sudo nano /etc/systemd/system/bitcoind.service

# BTCdroid systemd unit for bitcoind
# /etc/systemd/system/bitcoind.service

[Unit]
Description=Bitcoin daemon
After=network.target

[Service]
#Uncomment the ExecStart string below to force the node to only run over Tor
#ExecStart= /usr/local/bin/bitcoind -datadir=/home/bitcoin/.bitcoin/data -daemon -proxy=127.0.0.1:9050 -externalip=HOSTNAME.onion -conf=/home/bitcoin/.bitcoin/bitcoin.conf -listen -bind=127.0.0.1 -pid=/run/bitcoind/bitcoind.pid

#Uncomment the ExecStart string below to allow Tor, IPv4, and IPv6 connections
#ExecStart= /usr/local/bin/bitcoind -datadir=/home/bitcoin/.bitcoin/data -daemon -proxy=127.0.0.1:9050 -externalip=HOSTNAME.onion -conf=/home/bitcoin/.bitcoin/bitcoin.conf -listen -discover -pid=/run/bitcoind/bitcoind.pid

#Tells Bitcoin to shut down safely when the service is stopped.
ExecStop= /usr/local/bin/bitcoin-cli stop


# Creates /run/bitcoind owned by bitcoin
RuntimeDirectory=bitcoind
User=bitcoin
Group=bitcoin
Type=forking
PIDFile=/run/bitcoind/bitcoind.pid
Restart=on-failure

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
#save and exit
USER@btcdroid:~$ sudo systemctl enable bitcoind.service
USER@btcdroid:~$ sudo shutdown -r now
USER@btcdroid:~$ mkdir /home/USER_NAME/.bitcoin
USER@btcdroid:~$ sudo cp /home/bitcoin/.bitcoin/bitcoin.conf /home/USER_NAME/.bitcoin/
USER@btcdroid:~$ sudo chown USER_NAME:USER_NAME /home/USER_NAME/.bitcoin/bitcoin.conf

Now it should be restarting so give it a minute and reconnect as the user we created in the beginning. It may take a few minutes for the node to get its first connections, and then it will start pulling in the blocks. You can check the status with the bitcoin-cli command.

USER@btcdroid:~$ bitcoin-cli getblockchaininfo

It should display something like this, and as long as the number of blocks is increasing every few minutes, it is running fine. Bear in mind this could take a few days, as we need to download at least 200GB at the time of writing to be up to date with the block chain.

Output of bitcoin-cli

In addition to checking the status of the blockchain download, you can monitor the traffic over Tor with Nyx.

USER@btcdroid:~$ sudo nyx

Seeing the traffic via Tor on Nyx
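Besides watching Nyx, it is worth checking that bitcoind itself is not leaking around Tor. The script below is an added example, not part of the tutorial: it reads the JSON that bitcoin-cli getnetworkinfo prints (bitcoind 0.17 layout) and reports any reachable network that is not going through the Tor proxy, any advertised address that is not the .onion, and a proxy without stream isolation. It assumes the proxy is 127.0.0.1:9050 as in the ExecStart line; the two sample outputs are constructed.

```python
"""Verify that a bitcoind node only talks to peers through Tor.

Added example for the status check; not part of the tutorial. Inspects
`bitcoin-cli getnetworkinfo` output (bitcoind 0.17 layout) and reports
anything that would reveal the node's real address. Assumes the Tor SOCKS
proxy is 127.0.0.1:9050, as in the tutorial's ExecStart line.
"""
import json
import subprocess

TOR_PROXY = "127.0.0.1:9050"


def tor_leak_findings(netinfo, expected_proxy=TOR_PROXY):
    """Return a list of problems; an empty list means Tor-only looks right."""
    findings = []
    for net in netinfo.get("networks", []):
        name, proxy = net.get("name"), net.get("proxy", "")
        if not net.get("reachable"):
            continue  # bitcoind will never open connections on this network
        if proxy != expected_proxy:
            # Reachable without the Tor proxy: direct clearnet connections.
            findings.append("network %s is reachable without the Tor proxy "
                            "(proxy=%r)" % (name, proxy))
        elif not net.get("proxy_randomize_credentials", False):
            # Same SOCKS credentials for every peer: one Tor circuit for all.
            findings.append("network %s uses Tor without stream isolation"
                            % name)
    onion_seen = False
    for local in netinfo.get("localaddresses", []):
        addr = local.get("address", "")
        if addr.endswith(".onion"):
            onion_seen = True
        else:
            # Anything else advertised hands peers the node's real address.
            findings.append("advertising non-onion address %s" % addr)
    if not onion_seen:
        findings.append("no .onion address advertised (check -externalip)")
    return findings


def check_live_node(cli="bitcoin-cli"):
    """Run on the node itself: query bitcoind and return the findings."""
    raw = subprocess.check_output([cli, "getnetworkinfo"])
    return tor_leak_findings(json.loads(raw))


# Constructed sample shaped like getnetworkinfo under the Tor-only ExecStart:
# every network goes through the proxy and only the .onion is advertised.
SAMPLE_TOR_ONLY = {
    "version": 170000, "subversion": "/Satoshi:0.17.0/", "connections": 8,
    "networks": [
        {"name": "ipv4", "limited": False, "reachable": True,
         "proxy": TOR_PROXY, "proxy_randomize_credentials": True},
        {"name": "ipv6", "limited": False, "reachable": True,
         "proxy": TOR_PROXY, "proxy_randomize_credentials": True},
        {"name": "onion", "limited": False, "reachable": True,
         "proxy": TOR_PROXY, "proxy_randomize_credentials": True},
    ],
    "localaddresses": [{"address": "EXAMPLEHOSTNAME.onion", "port": 8333,
                        "score": 4}],
}

# Constructed sample of a node started without -proxy and with -discover:
# it connects directly and advertises a routable address.
SAMPLE_LEAKY = {
    "version": 170000, "subversion": "/Satoshi:0.17.0/", "connections": 8,
    "networks": [
        {"name": "ipv4", "limited": False, "reachable": True,
         "proxy": "", "proxy_randomize_credentials": False},
        {"name": "ipv6", "limited": False, "reachable": True,
         "proxy": "", "proxy_randomize_credentials": False},
        {"name": "onion", "limited": True, "reachable": False,
         "proxy": "", "proxy_randomize_credentials": False},
    ],
    "localaddresses": [{"address": "203.0.113.7", "port": 8333, "score": 1}],
}

if __name__ == "__main__":
    for label, sample in (("tor-only", SAMPLE_TOR_ONLY),
                          ("leaky", SAMPLE_LEAKY)):
        print(label + ":", tor_leak_findings(sample) or ["OK"])
```

On the node, `check_live_node()` runs the real query as the user whose ~/.bitcoin/bitcoin.conf holds the RPC credentials.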

Auto Update Security Patches

Since this is a device we are most likely going to leave on and unattended, it’s best to have it automatically apply any security patches so it can maintain itself. So let’s enable the unattended-upgrades package and configure it. The first step brings up an interactive prompt, and then we proceed to editing the files.

USER@btcdroid:~$ sudo dpkg-reconfigure --priority=low unattended-upgrades
USER@btcdroid:~$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
#modify these lines in the file to look like the following, although you can make it reboot whenever you want.
#Make sure there is a semicolon at the end of each line.
#You can uncomment the "${distro_id}:${distro_codename}-updates"; line if you want it to update non-security packages too

#near the top of the file
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

#below are spread out in the same file
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:30";
#save and exit 

That’s it, you’re all finished. Let me know what you think or if you have any improvements to the project. I may eventually be hosting these on a Supermicro server in my rack with a ZFS array next year.

Moving to Xubuntu 16.04 for my personal items

Well my Home Theater PC is just about finished… I just installed samba, enabled openSSH via my SSH key, along with my other goodies. Just doing the final tweaks to smooth out video playback via xorg.conf; hopefully all the settings will carry over perfectly as this is the same exact GPU and such.
But my Nvidia driver is 361 instead of 358, which I was using when on 14.04.
I am just hoping I don’t have to recompile a kernel just for the “Intel Core 2 or Newer” CPUs, along with modifying the system timer from 250Hz to at least 300Hz to have a number more evenly divisible into 30FPS to equal US NTSC video vs European PAL at 25FPS. If that is the case I will bump it to a 1000Hz timer for faster responsiveness as it’s a desktop, as well as being divisible into 30 and 25 in case I take it overseas. If I have to recompile for the Home Theater I am merely going to recompile from the Ubuntu sources rather than directly from kernel.org. My laptop will be getting a custom kernel from kernel.org though, as it doesn’t have the proprietary GPU for smoother video playback.

I opted for fresh reinstalls for my laptop and HTPC as I ran into issues with the upgrade and then merely reinstalled all my applications and such through my scripts, as I always keep my /home on a separate partition just in case I have to reinstall things.

I am working on upgrading my servers from 14.04 LTS to 16.04 LTS as well by Q2 of 2017, after lots of testing. Some servers will probably be rebuilt from scratch. However I am in no rush, as we all have until 2019, when Ubuntu 14.04 LTS reaches end of life.

Nginx Filters for Fail2Ban

When making my other servers I was double checking fail2ban configurations and noticed there are no fail2ban settings for nginx, seeing as the webmail runs on it. Not sure if it’s an issue or anything, but I was hoping someone could tell me if I am on the right track, or if it’s not even necessary.

I did this for my email server which runs nginx as the web server.

In /etc/fail2ban/jail.local:

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

Then:

cd /etc/fail2ban/filter.d
sudo nano nginx-http-auth.conf

Make sure it looks like the following:

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =

Copy the badbots config from Apache:

sudo cp apache-badbots.conf nginx-badbots.conf
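A quick way to confirm the nginx-http-auth filter above actually matches your error log, as an added example that is not part of the original post: the script replays the two failregex lines over sample log entries the way fail2ban does (timestamp stripped, `<HOST>` expanded with fail2ban's default pattern) and counts hits per client address. The log lines are constructed, and the nginx error-log timestamp format YYYY/MM/DD HH:MM:SS is assumed.

```python
"""Replay the nginx-http-auth failregex over sample nginx error-log lines.

Added example, not part of the original post. Mimics fail2ban: strip the
timestamp, expand the <HOST> tag, and count failures per client so you can
see which addresses would reach maxretry. Assumptions: fail2ban's default
<HOST> expansion and the nginx error-log timestamp YYYY/MM/DD HH:MM:SS.
"""
import re
from collections import Counter

# What fail2ban substitutes for <HOST> (optional IPv6-mapped prefix)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the filter, verbatim
FAILREGEX = [
    r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$',
    r'^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$',
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]
TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def match_line(line):
    """Return the client IP if the line is an auth failure, else None."""
    rest = TIMESTAMP.sub("", line, count=1)  # fail2ban removes the date first
    for rx in COMPILED:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None


def offenders(lines, maxretry=5):
    """Map client IP -> failure count for clients at or above maxretry."""
    counts = Counter(ip for ip in map(match_line, lines) if ip)
    return {ip: n for ip, n in counts.items() if n >= maxretry}


# Constructed sample log: two failures from one client, one empty-credential
# attempt from another, plus two unrelated lines that must not match.
SAMPLE_LOG = [
    '2019/01/05 10:00:01 [error] 1234#1234: *7 user "admin": password mismatch, '
    'client: 203.0.113.9, server: mail.example.com, '
    'request: "GET /roundcube/ HTTP/1.1", host: "mail.example.com"',
    '2019/01/05 10:00:02 [error] 1234#1234: *8 user "admin" was not found in '
    '"/etc/nginx/.htpasswd", client: 203.0.113.9, server: mail.example.com, '
    'request: "GET /roundcube/ HTTP/1.1", host: "mail.example.com"',
    '2019/01/05 10:00:03 [error] 1234#1234: *9 no user/password was provided '
    'for basic authentication, client: 198.51.100.4, server: mail.example.com, '
    'request: "GET / HTTP/1.1", host: "mail.example.com"',
    '2019/01/05 10:00:04 [notice] 1234#1234: signal process started',
    '2019/01/05 10:00:05 [error] 1234#1234: *10 open() "/var/www/favicon.ico" '
    'failed (2: No such file or directory), client: 198.51.100.4, '
    'server: mail.example.com, request: "GET /favicon.ico HTTP/1.1", '
    'host: "mail.example.com"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line[:60])
    # maxretry=2 mirrors the nginx-badbots jail above; the http-auth jail
    # falls back to the global default
    print(offenders(SAMPLE_LOG, maxretry=2))
```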

Free(dom) Software: Why Your PC should have Liberty


“Freedom” is the very word at the core of libertarianism: the ability for us to be able to do anything we believe in freely, so long as it does not infringe on the freedoms of another individual. When you think of freedom, what comes to your mind? Speech, religion, assembly, press, property, perhaps the right to bear arms, perhaps the ability for us to do whatever we please to our own bodies, and we can go on from there. So why do many not consider freedom to mean the ability to own our software in our own computers like we view our bodies or our vehicles? This is where Free, Libre, and Open Source Software (FLOSS aka Free or Libre) comes in. What exactly does Free and Open Source mean? Free and Open source software is software whose source code is available for modification or enhancement by anyone. But let us always remember, Free software came before Open Source.

“Source code” is the part of software that most computer users don’t ever see; it’s the code which computer programmers can manipulate to change how a piece of software—a “program” or “application”—works. Programmers who have access to a computer program’s source code can improve that program by adding features to it, or fixing parts that don’t always work correctly.

Source: https://opensource.com/resources/what-open-source

open source logo


The problems with Windows and Apple are that you can’t really trust them all that much in terms of privacy. They both have backdoors for the government. Now, while the government may have good intentions according to some, they are severely flawed. The problems with a backdoor in a system that I can’t close as a user, means that malicious hackers have another exploit to get into your system with and potentially monitor or steal information from you. Allowing software to be Free means that it is transparent and vetted by thousands of people all around the world, who are constantly working on the software.

Take for example Mozilla Firefox, formerly Netscape Navigator. It’s not maintained by some giant company like Google, Apple, or Microsoft, who make their browsers with parts that are completely closed. Firefox, being Free, is maintained by a large community who make one of the freest browsers, with a non-profit foundation maintaining all the thousands of additions to the code that go on every day. We can ensure there are no intentional backdoors in the code, while making it as customizable as we want. In fact the 2003 attempt to plant a back door in GNU/Linux (often just called “Linux”), which some suspected was done by the NSA, is proof of that very fact that Free software is more secure.

“Free software” means software that respects users’ freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”. We sometimes call it “libre software” to show we do not mean it is gratis.

Source: https://gnu.org/philosophy/free-sw.html

Richard Stallman, founder of the Free Software Movement, said Windows and OS X are malware, even stated the observation Amazon’s Kindle has an Orwellian back door, and has said that only an idiot would trust the Internet of Things.

“Malware is the name for a program designed to mistreat its users,” Stallman wrote in The Guardian.

What kinds of programs constitute malware? Operating systems, first of all. Windows snoops on users, shackles users and, on mobiles, censors apps; it also has a universal backdoor that allows Microsoft to remotely impose software changes. Microsoft sabotages Windows users by showing security holes to the NSA before fixing them.

Apple systems are malware too: MacOS [OS X] snoops and shackles; iOS snoops, shackles, censors apps and has a backdoor. Even Android contains malware in a non-free component: a backdoor for remote forcible installation or de-installation of any app.

Richard Stallman: Founder of the Free Software Movement. President of the Free Software Foundation

In fact the entire Free, Libre, and Open Source Software Movements are already unsung heroes of our most precious example of our freedom, the internet. People don’t recall, but many years ago the internet as a whole was very close to becoming proprietary in the software market. You had to buy a lot of closed source software to even connect to the internet. Once upon a time, you actually used to pay for an Internet browser. Microsoft was very close to choking off freedom on the internet when it had, at its peak, 95% of the market share on internet browsers. The internet stagnated for many years, and we were stuck with Internet Explorer, one of the worst browsers ever because it was so full of holes, for a very long time. Microsoft could have also done the same with Windows Server, when in fact the majority of web servers and critical components that run the web today run on GNU/Linux or FreeBSD, which are both Free and Open Source. In fact GNU/Linux and FreeBSD were the first to have the components to even be able to connect to the internet. For years people were forced to pay for software to create documents; we had Open Office (now deprecated), and LibreOffice which has replaced Open Office. In fact I wrote this rough draft on my laptop running GNU/Linux using LibreOffice. The Being Libertarian site itself is run on GNU/Linux and WordPress, both of which are Free and Open Source software. In fact Bitcoin wouldn’t even exist were it not for FLOSS. I have actually been a member of the FOSS and FLOSS movements for 10 years now, starting when I was 14 years old. GNU/Linux and the FLOSS communities were the first to introduce many of the features now found common on Windows and Mac OS X, including, but not limited to, remote desktop, virtual desktops, and a TCP/IP stack so they can use the internet.
In fact a lot of Mac OS X relies on Open Source software, but it’s not as Free as it actually should be, because there is no way I can have access to the complete source code and compile my own Mac OS X, like I can do with GNU/Linux or FreeBSD.


Now I know a lot of libertarians and conservatives would rather place their trust in businesses managing things. But this is where voluntarism comes in, because no one is forcing you to contribute to the code. Far more people use the software without contributing to it, but if you see a problem or a feature that can be added, you are more than welcome to do so. This is best explained in Eric Raymond’s “Cathedral and the Bazaar”, which lays out why the FLOSS model of a bazaar, with the community voluntarily working together, is better than the cathedral approach of Apple or Microsoft. It’s also one of the most influential essays ever written in the IT world.

Eric S. Raymond: One of the key people in the Free, Libre, and Open Source Movement, and author of the “Cathedral and the Bazaar”

Linux overturned much of what I thought I knew. I had been preaching the Unix gospel of small tools, rapid prototyping and evolutionary programming for years. But I also believed there was a certain critical complexity above which a more centralized, a priori approach was required. I believed that the most important software (operating systems and really large tools like the Emacs programming editor) needed to be built like cathedrals, carefully crafted by individual wizards or small bands of mages working in splendid isolation, with no beta to be released before its time.

Linus Torvalds’s style of development—release early and often, delegate everything you can, be open to the point of promiscuity—came as a surprise. No quiet, reverent cathedral-building here—rather, the Linux community seemed to resemble a great babbling bazaar of differing agendas and approaches (aptly symbolized by the Linux archive sites, who’d take submissions from anyone) out of which a coherent and stable system could seemingly emerge only by a succession of miracles.

Source: http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/
*I highly recommend reading the entire essay (~36 Pages on paper)

I have mentioned LibreOffice and Mozilla Firefox as FLOSS software, but there are hundreds of distributions of GNU/Linux to choose from, and thousands of Free, Libre, and Open Source programs out there. It’s all about freedom of choice. If you don’t like one part of the system or a program, you can change it. For example I used to be a Gentoo GNU/Linux user, where I could build my entire system the way I wanted; then I became a bit lazy and switched to Ubuntu a few years ago, as I didn’t want to spend so much time on each installation. Of course I still didn’t like a few parts of Ubuntu, so I modified a lot of the operating system, until eventually Ubuntu added the Unity user interface, which I hated with a passion. So I switched to Xubuntu as a day to day work OS, with Kali GNU/Linux on the same laptop for all the tools I use to penetration test networks as part of my job. One GNU/Linux in particular that a lot of privacy-minded people like is Tails, which leaves no trace of you on the host computer, routes all of your network traffic through Tor, and ships with encryption tools. The Condor intraoral scanner, which I previously covered in March of 2015, runs Manjaro GNU/Linux. I have also been looking into Trisquel GNU/Linux, a completely Free version of GNU/Linux which Richard Stallman himself uses. Quite a few distributions of GNU/Linux include “non-free” software, meaning its use, redistribution or modification is prohibited, requires you to ask for permission, or is restricted so much that you effectively can’t do it freely. There are several categories of software, which the Free Software Foundation does a good job of explaining to the average user.

But back to the main point. The beauty of GNU/Linux and FLOSS in general is freedom, as what works for some doesn’t work for all. Linus Torvalds, the creator of the Linux kernel, himself doesn’t like Ubuntu, whereas I kind of like the Ubuntu environment.

Linus Torvalds: creator of the Linux kernel. In 1991 he introduced Linux to the world saying, “I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386(486) AT clones.” Despite Linus being the creator of Linux, and also the largest single contributor of code to the project, he has only contributed around 1% of the total code.

So at the end of it all, those who call themselves true libertarians, conservatives, or even just full-out privacy rights advocates should be throwing their closed source software away whenever possible, and embracing the true freedom only granted to the user by FOSS or, even better, FLOSS. It’s time to really embrace freedom to its fullest extent in all facets of your life. You can even start slowly by dipping your toes in the water of the open source movement. I use Mozilla Thunderbird instead of Microsoft Outlook, Mozilla Firefox or even better GNU IceCat instead of Microsoft Edge or Internet Explorer, Notepad++ (NotepadQQ in GNU/Linux) instead of Notepad, LibreOffice instead of Microsoft Office, GNUCash instead of Quickbooks, ProjectLibre instead of Microsoft Project, 7-zip instead of WinZIP and WinRAR, Dia instead of Microsoft Visio, Scribus instead of Microsoft Publisher, etc. You can find a FOSS or FLOSS solution for almost any task you need to do today.

If any readers are interested in a deep look into the philosophy, culture, and history of the entire Free, Libre, and Open Source Movements, I highly recommend watching the documentary Revolution OS (About 1 1/2 hours) which is freely available on YouTube ( https://youtu.be/jw8K460vx1c) and elsewhere.

Update: After Speaking to Richard Stallman some changes were made

This article was originally written by me for Being Libertarian

Install the latest Mozilla Thunderbird or Firefox in Ubuntu GNU/Linux

So I ran into an issue with my Mozilla Thunderbird today when I finished setting up my new email, contact, and calendar server with Mail-in-a-Box. I went to add the Lightning extension for calendars and, lo and behold, found out my Thunderbird (the one that came in the default Xubuntu repos for 14.04 LTS) was out of date and not supported by Lightning. The Ubuntu repos had version 38.8, but what version was Mozilla at themselves? 45.1 as of this post. So I quickly installed the latest binary, but I tend to be forgetful about updates, so I wanted to tie it into the apt package manager, and I found a third-party repository that works.

First, if Thunderbird is installed, remove it, and maybe back up your .thunderbird folder just in case, although you shouldn’t lose any data.

sudo apt-get remove -y thunderbird

Next we need to add a new repository called Ubuntuzilla so edit your sources.list. I used nano for this, but feel free to use whatever you like.

sudo nano /etc/apt/sources.list
add to the end
deb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main

or you can do that all with one command
echo -e "\ndeb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main" | sudo tee -a /etc/apt/sources.list > /dev/null

Then grab the signing key and update. One caveat: C1289A29 is a 32-bit short key ID, and short IDs can be collided, so a keyserver may hand you a different key with the same short ID. After fetching, check the key’s full fingerprint (apt-key finger shows it) against one you trust before relying on the repository; that signature is the only thing protecting you, since the repository itself is fetched over plain http. (apt-key is also deprecated on current Ubuntu releases in favour of keyrings under /etc/apt/trusted.gpg.d, but it still works on 14.04.)
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
sudo apt-get update

Install your desired package, with one of the following commands:
sudo apt-get install firefox-mozilla-build
sudo apt-get install thunderbird-mozilla-build
sudo apt-get install seamonkey-mozilla-build

How to Make Super Secure Passwords Easily with One Command

We all know that when it comes to security a strong password is one of the most important things. However, remembering a complex password is always the toughest part. This especially applies to system administrators, whose passwords are usually the most vital of anyone in the company. When telling people they need complex passwords, what always comes to mind is this xkcd comic about passwords.

[Image: xkcd “Password Strength” comic]

As the bottom text suggests, we have reached the point where passwords are hard for humans to remember but easy for computers to guess. So what is the solution? What I do as a GNU/Linux person is use the commands already built in to turn a phrase into a long password, using sha1sum, sha224sum, sha256sum, sha384sum, and sha512sum. One thing to be clear about up front: a hash is a deterministic function of its input, so the result is exactly as hard to guess as the phrase you feed in, no harder. The output only looks random.

First pick a word or phrase. Remember that capitalization, spaces, and so on will always affect the sum that comes out, and so does the trailing newline that echo adds, so you must reproduce the exact command every time, not just the phrase. Let’s start with sha1sum, which gives the shortest output, using the word “password” as our example throughout this tutorial.

echo "password" | sha1sum
c8fed00eb2e87f1cee8e90ebbe870c190ac3848c

So using the word “password” it spits out the SHA-1 sum of the word (plus echo’s newline), which looks like a very complex password. Remember though that anyone who guesses “password” and knows you hash it this way gets the same 40 characters with one command. Now let’s try it with SHA-256.

echo "password" | sha256sum
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

Moving to SHA-256 makes the output longer, but not stronger: it is still computed from the same input, and an attacker guesses the input, not the hex. Extra length beyond what the site accepts buys nothing. Now let’s try SHA-512.

echo "password" | sha512sum
9151440965cf9c5e07f81eee6241c042a7b78e9bb2dd4f928a8f6da5e369cdffdd2b70c70663ee30d02115731d35f1ece5aad9b362aaa9850efa99e3d197212a

The output is now incredibly long and complex looking. This is a convenient way to turn a phrase you can remember into a password that satisfies any complexity rule, but it is only as secure as that phrase: use a long, random phrase (the comic’s four random words, not a dictionary word), never reuse it across sites, and, where you can, prefer a password manager that generates truly random passwords instead.
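To make that point concrete, here is an added example in plain shell (it is not part of the original post). It reproduces the echo-piped-into-shaNNNsum command, shows that the newline changes the digest, and then plays the attacker: given only the digest, a short constructed wordlist recovers the phrase in a handful of guesses, however many hex characters the digest has. The function names are my own, and random_password shows the alternative, a secret drawn from /dev/urandom that has no phrase to guess.

```shell
#!/bin/sh
# Added example: what `echo word | shaNNNsum` really gives you. Not from the original post.

# Reproduce the post's command. echo appends a newline, so "password\n" is hashed;
# "raw" mode hashes the bare word with printf '%s' and yields a different digest.
hash_word() {
    # $1 = word, $2 = sha1sum|sha256sum|sha512sum, $3 = "newline" (echo style) or "raw"
    if [ "$3" = raw ]; then
        printf '%s' "$1" | "$2" | cut -d' ' -f1
    else
        printf '%s\n' "$1" | "$2" | cut -d' ' -f1
    fi
}

# Attacker's view: recover the phrase behind a digest by guessing inputs.
# $1 = target digest, $2 = algorithm, remaining args = candidate words.
# Prints "<word> <guesses>" and returns 0 on success, 1 if the list is exhausted.
crack_hash() {
    target="$1"; algo="$2"; shift 2
    n=0
    for w in "$@"; do
        n=$((n + 1))
        for mode in newline raw; do      # try both newline conventions per guess
            if [ "$(hash_word "$w" "$algo" "$mode")" = "$target" ]; then
                printf '%s %d\n' "$w" "$n"
                return 0
            fi
        done
    done
    return 1
}

# Apparent strength of a hex digest: 4 bits per character (256 for SHA-256).
# The real strength is bounded by how many phrases the attacker has to try.
apparent_bits() {
    printf '%d\n' $(( ${#1} * 4 ))
}

# What to use instead: random bytes from the kernel CSPRNG, base64 encoded.
# $1 = bytes of entropy (default 24, i.e. 192 bits, 32 characters).
random_password() {
    head -c "${1:-24}" /dev/urandom | base64 | tr -d '\n='
}

# Demo (a constructed toy wordlist; a real attacker uses millions of entries):
# digest=$(hash_word password sha256sum newline)   # same 6b3a55e0... as above
# crack_hash "$digest" sha256sum letmein qwerty password 123456   # -> "password 3"
```

Run it and the 64-character SHA-256 digest from the post falls on the third guess, because the attacker is searching the phrase space, not the 256-bit digest space. The hashing trick is fine as a way to satisfy a site’s character rules, as long as the phrase feeding it is long and random.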
Redis Caching with OwnCloud

While setting up an OwnCloud server for my company, I couldn’t really find any good way to cache, and the Ubuntu repos having an old version of Redis meant of course it couldn’t be used for best performance and stability. I tried installing it manually from some guides I found, and looking at OwnCloud’s documentation, and was last using APCu and an older Redis combined, until I stumbled upon a guide from TechandMe.se which actually resolved my issue of an old Redis and dramatically sped up my server.

This guide is also scripted for an automated install, you can download the script here.

  1. GET RID OF APCU & MEMCACHED
    $~: sudo php5dismod apcu && sudo apt-get purge php5-apcu -y
    $~: sudo rm /etc/php5/mods-available/apcu-cli.ini
    $~: sudo apt-get purge --auto-remove memcached -y && sudo php5dismod memcached
  2. INSTALL NEEDED DEPENDENCIES TO PREPARE THE REDIS INSTALLATION
    $~: sudo apt-get update && sudo apt-get install build-essential -y

Tip for OwnCloud

I was building my OwnCloud file storage on Ubuntu 14.04 LTS (upgrading to 16.04.1 LTS this summer). If you haven’t heard of OwnCloud, definitely check it out: it is an amazing cloud storage program that you control yourself. It even offers server side encryption, and tons of options to make it work the way you want for you or your company. See it at www.owncloud.org

But I kept running into an .htaccess warning that would not go away no matter how much I modified Apache, until I finally stumbled across my fix: move the OwnCloud data directory out of the default location. The warning means the data directory sits inside the web root and the .htaccess file that is supposed to block direct access to it is not being honoured by the web server, so user files could be fetched straight over HTTP. Moving the data out of the web root removes the exposure, not just the message. So here are the steps I took

Stop apache2

sudo service apache2 stop

Edit config file in default location

sudo nano /var/www/html/owncloud/config/config.php

Change default location to new location

(pick one, I chose /mnt/owncloud_data, but put it anywhere you like as long as it is outside the web root)

Move the data folder to new location

sudo mv /var/www/html/owncloud/data /new/data/directory/here

If required, change ownership so the web server user owns the data

sudo chown -R www-data:www-data /new/data/directory/here

Restart apache2

sudo service apache2 start

Voila, the .htaccess issue is GONE!
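The same procedure as a set of shell functions, added here as an example and not taken from OwnCloud or the original post. It assumes config.php carries OwnCloud’s own 'datadirectory' key in the usual form ('datadirectory' => '/path',); the oc_* function names are mine. It reads the current location from config.php rather than hard-coding it, refuses to overwrite an existing target, fixes ownership and tightens the mode, rewrites config.php with a backup, and checks that the new location is actually outside the web root. Stop and start apache2 around it exactly as in the steps above; the functions deliberately do not touch the service.

```shell
#!/bin/sh
# Added example: relocate the OwnCloud data directory out of the web root.
# Assumes config.php contains a line like:
#   'datadirectory' => '/var/www/html/owncloud/data',
# ('datadirectory' is OwnCloud's key; the oc_* helpers are this example's own.)

# Print the datadirectory currently configured. $1 = path to config.php
oc_get_datadir() {
    sed -n "s/.*'datadirectory' *=> *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Rewrite the datadirectory value, keeping config.php.bak and preserving the
# file's owner/mode (we truncate the original rather than replace it).
# $1 = config.php, $2 = new directory (must not contain '|', '&' or '\')
oc_set_datadir() {
    cp -p "$1" "$1.bak" || return 1
    sed "s|'datadirectory' *=> *'[^']*'|'datadirectory' => '$2'|" "$1.bak" > "$1"
}

# Move the data tree, fix ownership and permissions, then update config.php.
# $1 = config.php, $2 = new directory, $3 = owner as user:group (www-data:www-data on Ubuntu)
oc_move_datadir() {
    config="$1"; newdir="$2"; owner="$3"
    olddir=$(oc_get_datadir "$config")
    [ -n "$olddir" ] && [ -d "$olddir" ] || { echo "datadirectory not found via $config" >&2; return 1; }
    [ -e "$newdir" ] && { echo "$newdir already exists, refusing to overwrite" >&2; return 1; }
    mkdir -p "$(dirname "$newdir")" || return 1
    mv "$olddir" "$newdir" || return 1
    chown -R "$owner" "$newdir" || return 1
    chmod 0750 "$newdir" || return 1     # nothing but the web server user/group reads user files
    oc_set_datadir "$config" "$newdir"
}

# Return 0 if $1 (data dir) lies outside $2 (web root), 1 if it is inside it.
oc_datadir_outside_webroot() {
    case "$1/" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Usage on a real box (run as root, with apache2 stopped):
#   oc_move_datadir /var/www/html/owncloud/config/config.php /mnt/owncloud_data www-data:www-data
#   oc_datadir_outside_webroot /mnt/owncloud_data /var/www/html && echo "outside web root"
```

The outside-web-root check is the part worth keeping around: a data directory under /var/www/html is reachable by Apache whether or not .htaccess works, and that is the exposure the warning was about.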