Thursday, May 24, 2012

Proxmox Testing

Built a Proxmox cluster of 4 Dell Optiplex 380s we had around. Installed glusterfs and created a triple replica across the machines. Gluster is running great, but the lack of resource pools in Proxmox kinda bummed me out.

Testing? Spun up 3 instances of StressLinux and set them to max out the CPUs. I didn't bother with the gluster testing, as with only a single gigabit NIC I know performance would be pretty bad.

Maxing out the CPUs, KVM was still able to keep my git VM responsive, if it was slow. It was usable.


Monday, May 21, 2012

Homo Meliorian

Building a Better Human.

Whoa. I'm just going to post this and see if anyone strikes me down for the hubris of these words (as I wished would have happened for the asshat who came up with homo sapien.)

Things this encompasses:
  • Understanding symmetric and asymmetric encryption.
  • Understanding biological evolution and how our species got here.
  • If you're part of 99% of all organized religions, you're disqualified. Sorry. 

More to come.

Sunday, May 13, 2012

gandi.net problems

Wanting to ditch GoDaddy for multiple reasons (sexism, SOPA, their website can easily be compared to hell), I just looked at who the EFF is hosted with, assuming them to be a good company. It wasn't hard to sell me on a motto of No Bullshit, so I transferred my domains to gandi.net. I made a promise to myself after high school that I would tolerate no bullshit in the rest of my life, a decision which so far has treated me well. I thought it a good match.

Domains were cheap, UI was good, I was happy. I signed up with their free privacy blocker service, which at least keeps my address out of WHOIS, if not my name. I was enamored with their policy of no advertising other than by word of mouth. I even won a free t-shirt signing up when I did, embossed with the motto. My problems began when I tried to actually buy another domain from them. All three orders were rejected.

For reasons of my eclectic life, I receive mail at 3 places. The WHOIS one is set to the one on my state-issued ID. My credit card bills go to a different address. Originally this caused a fraud alert on my side, with my bank calling me within an hour of paying gandi.net asking if I had initiated a transaction to France. I said sure, they had the wrong address, all was well. When I made my first domain purchase, I assumed the rejection was because of my bank again, having made it late at night outside the hours of their risk department. So I tried to make the order again with a different card, and then switched to PayPal (which cost me more) to avoid Visa/Mastercard altogether. All of these orders were rejected. After calling my bank to confirm all the transactions had been approved on my side, I emailed gandi.net.

Getting back an email from abuse@support.gandi.net, I find this:

Dear Gandi customer,

Thank you for your mail.

Unfortunately, we have not been able to complete your order as requested. 

Note that you will need to start your order over again in order for it to be once more entered into our database.

So that your order can pass this time, we require :
 
* A valid Government-issued Drivers License or Valid Government-issued passport with recognizable photo

AND

* A document from your telephone service provider that clearly states the telephone number and the address as presented in the whois as belonging to the registrant.
 
Please send us these documents by replying to this email or by fax to: +33.1.43.73.18.51 with [redacted] as reference.

Best regards, 

Gandi.net

I was a bit surprised, considering how many things that same photocopy of my ID can be used for. And my phone is provided by Google Voice. Why would I need to have such a relationship with a domain provider? Asking this, the reply was:

Hello,

This is required by our bank partner (for security reasons)

Feel free to contact us should you have any other question.

Best regards

Gandi.net 
 
I work in the finance industry, so I sympathize. Often financial agreements will have lots of sticky clauses to mitigate risk in the event of nearly anything. But the problem is that even when I tried to avoid the Visa/Mastercard address problems by paying with PayPal, it was refused. Angry at this, I sent back:

Worried about fraud? I can mail you a check, I can mail you cash. I can send you bitcoin, I can send you PayPal, I can send you Dwolla. I can walk down to my local bank and pay $25 to send you a wire transfer of $12.50. I don't really care.

Things I will not do: Send you my government issued ID. And Google Voice doesn't have a telephone bill. I don't need to have that level of relationship with my domain provider. And another thing, if I was going to send you a photocopy of my drivers license, where is your GPG or S/MIME key? Why would you expect me to send sensitive information over unsecured email?
 
Unsurprisingly, the person reading my email was not impressed. I'm not either, reading this after the fact. I sound like a dick. I hate me sometimes. Anyway:

Dear Sir,

You can send your documents by courier
GANDI SAS (AH-3851464)
63/65 Boulevard Masséna 75013 PARIS – FRANCE
Or by fax : +33 1 43 73 18 51 with ([redacted]) as reference

- - - 

We accept bank transfer, you must indicate the transaction number of the operation on your transfer order

Best regards

Gandi.net
 
Not supporting some form of encrypted communication other than by shipping/courier should be embarrassing in 2012. Regardless, I'm still not sending them documents they don't require.

I'm tempted to ask them for the account number of their bank account so I can do the transfer. I'd rather just pay them, get my domain and be on my way. But it still bothers me. There are multiple things companies can do to mitigate financial risk and fraud without needing to poke into their clients' lives, while still providing liability information for police. One of the easiest things to do is simply put a time block on the account, so that the domain is not purchased until 30 days after the credit card transaction. These are sane, and I have no problem working with them.

I don't expect to have to have a valid address on file with Visa/Mastercard just to be able to do business in the modern world. If you remember, the reason PayPal was started, and why it quickly grew in popularity, was to protect your personal information from random merchants online. This is a wanted feature used by legitimate people. Why is more personal information expected from Gandi?



Wednesday, May 9, 2012

Hackerspaces: Notaries

Worries.

During a conversation on #hackerspaces on Freenode, a friend mentioned that she thought hackerspaces should be model digital citizens. I'm not sure of all the things that entails, but it's one of those ideas that got inside of my head and hasn't left. I recently made my Twitter public, forgoing a lot of privacy and whatever protection that afforded me to have a bigger audience for my ideas. I've started posting a lot of things I find during my day to Twitter and Facebook in the hope good ideas will spread.

My preference is to take nothing seriously, to laugh and troll. But I'm finding it harder and harder to laugh. The 60,000 ineffective TSA employees molesting travelers. Private prison systems and the prohibition laws that fuel them. Our slow descent into a surveillance state and all the abuses that entails. Things on my mind. Possibly a part of the apocalyptic mindset my generation has, I see this model digital citizen as the 'prepper' for the surveillance society that may be inevitable as technology grows.

All of it has to do with information. No longer are we just creatures of flesh and blood and beard and boobs. Half of our existence is prosthetically attached to the hivemind we call the Internet. And like the mycelium of a mushroom, the internet's thin tendrils keep showing up. They're in our self checkout lanes at the supermarket, correlating our 'loyalty cards' with advertisements on the screen. They're in friends who show up to drink after seeing you checked in on 4Square or Latitude. The cop who can scan every single car license plate in real time just by driving by. If we don't cultivate these tendrils with care, keeping them in the garden and not around our throats, I fear one day we will fail to awaken.

If that sounded a little morbid, don't worry. Originally this was just me on my Windows ME box trying to hide some porn. Turned into a bit of a hobby.
 
To protect information and communication, you need trust. And a lack of blatant security holes. Some days I think I'd have better luck helping Obama win Mississippi than ensure those two things, but *shrug*. Technology wise, I think things aren't too bad. You can't use every technology with every combination of hardware and OS, but there's a pretty diverse range. OTR for instance. There are some holes in coverage with smartphones as well, but if two people can follow our model digizen (digital citizen?), it can be done. Things like Retroshare try to make it easy. But who will teach our digizens? Like how our parents taught us not to put metal in the microwave, who's going to teach us not to leave our GPG key unencrypted?

There are too many ways to leak information, set bad passwords, mishandle keys. And then there's the whole arcane knowledge of running a PKI. I'm talking about all the things that have caused us to have a completely separate IT security industry.

Who's going to save us from ourselves?

 

I'd like to get a collection of people together to form a formal network. Not necessarily of technology, but to have the trust relationships in place. Maybe the most trusted one or two people per space. Mitch Altman? James Carlson? I don't have much more of an idea beyond that, so I won't bore you with conjecture. Things we could do initially?

  • Run our own CA using Shamir Secret Sharing for unlocking the CA's private key. We could delegate CAs to each space to sign their own domains (*.pumpingstationone.org in our case), all backed by a single Space Federation trust.
  • GPG Signing Service.

I believe there will have to be some kind of compensation for the role.

Thoughts? PS: This document is a work in progress.

Rhys Box

A while back (say a year+ ?) I had a problem with PS:1's internet. It was running through an Astaro security gateway that Astaro had donated to us. It's a nice piece of equipment, but more business than hacker in setup. Having experience with pfSense from using it heavily at work, I thought to build something from thrown away equipment.


It's built from a pair of solid steel 4U cases that magically were ATX spec. A few old power supplies and the guts of some Pentium 4 Compaq desktops and I had the routers. I also came across a literal case (24) of Intel 1Gbit PCI NICs behind some stuff at work. 3 of those per router.

The APC 2200 UPSes were similarly being discarded. A few new batteries and USB-B cables from Microcenter for monitoring, and we are up and running. The rack was about the right size, so I wanted to call it K-9. But since no one knew that, they just called it "Rhys Box."


The green cables you see in the picture of the rack match the LAGG group you see between Ironside1 and 2. I do a trick here I've been using for a while to good success. I allocate VLANs (in a secure manner, switch based only) that let me bring WAN links into the switch, not the router. Why? Instead of needing dual switches on both the WAN and LAN sides of the router cluster, I can use the same pair for both.

The only sad part of this is that, because of shitty CPE equipment, I am double NATed. As a network admin, there is nothing I hate more than double NAT, save for triple NAT and Netgear.

RSTP runs on all switches, my only modifications being to shorten the convergence time and to set Ironside1 and 2 as priority for the root of the tree. I'll be happy for the future where the hand-me-down switches support layer 3 routing and OSPF.

Tuesday, May 8, 2012

The Sandwich


Bacon, Egg, Pepperjack on Sourdough. Told you I was gonna get a sandwich.

Monday, May 7, 2012

Retroshare, Because Cupcakes Rock


I am going to finish this post and then I'm gonna go fetch a sandwich. An awesome sandwich which I'm gonna take a nice walk to get. Yeah.

So Retroshare, a distributed communications and filesharing application written in Qt. Don't like Qt? I'd like to say I understand, oh ye toolkit purist, but I think you should accept the Linux Desktop requires a wide cacophony of applications, toolkits and libraries to be useful. It's never going to have the consistency that Apple or Microsoft can do. Computers are a tool, not a temple, Adeptus Mechanicus aside.

Why is Retroshare different? One is that it bootstraps using the already existing GPG key infrastructure. If you already have a bunch of fellow developers in your GPG keyring, sharing with them on Retroshare is a breeze. The second thing is that it's not just a filesharing program; it also supports IM/Email messages, group chats, "channels" which are essentially RSS feeds of files/data, and its own forum/email list creation. You can create private lists among subsections of your friends.

Sharing is done at two levels. You share your IP address and files directly to your friends. Through searching you can reach friends of friends, who must be proxied through your friends. But don't worry, if two of your friends should be friends too, it's easy to recommend them to each other so they can connect directly.

Why is something like this important? Because the Internet is becoming increasingly monitored. That monitoring negatively affects the ability to have a free and open society, or even a democratic one. This monitoring creates power for those who hold its information, creating inequality. While I don't believe in right or wrong, morality, I do think systems should be balanced. Unbalanced systems don't work real well, they tend to stagnate, to collapse, to undergo revolution causing violence and burning and most importantly getting in the way of my hedonistic ass and a chicken sandwich. You can see how this is an issue for me.

Hackerspaces have a role here. If you build a network where a single hackerspace's members are fully meshed, because they all can meet in person, the overlap between hackerspaces will create a rather mighty network in terms of "reachable users." These people who have friends in multiple spaces will act as supernodes. This would put Hackerspaces into a role of 'model digital citizens,' something I will explain more later. It would create a vaguely trusted network that no simple legislation would be capable of harming.
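
To make the reachability argument above concrete, here is an added example (my code, not Retroshare's and not part of the original post) modelling three constructed, fully meshed spaces with two members who belong to more than one. The space names, member names and overlap are assumptions. It separates direct friends from friends-of-friends that can only be reached via a proxying friend, identifies the multi-space members as supernodes, and shows the full reach once friends keep recommending each other.

```python
from itertools import combinations

# Constructed sample: three hackerspaces, each fully meshed because the members
# meet in person. "dana" and "eli" belong to two spaces each, so they bridge them.
SPACES = {
    "PS1":     {"alice", "bob", "carol", "dana"},
    "NoiseB":  {"dana", "eli", "frank"},
    "Metalab": {"eli", "gita", "hal"},
}

def direct_friends(spaces):
    """Direct Retroshare links: everyone in a space is friends with everyone else there."""
    friends = {}
    for members in spaces.values():
        for a, b in combinations(sorted(members), 2):
            friends.setdefault(a, set()).add(b)
            friends.setdefault(b, set()).add(a)
    return friends

def proxied_friends(friends, me):
    """Friends of friends, reachable only through a friend that relays the search.
    Returns {target: set of friends that can proxy to it}."""
    mine = friends.get(me, set())
    via = {}
    for f in mine:
        for fof in friends.get(f, set()):
            if fof != me and fof not in mine:
                via.setdefault(fof, set()).add(f)
    return via

def supernodes(spaces):
    """Members of more than one space: the bridges that link spaces together."""
    count = {}
    for members in spaces.values():
        for m in members:
            count[m] = count.get(m, 0) + 1
    return {m for m, n in count.items() if n > 1}

def reachable(friends, me):
    """Everyone reachable at any depth once friends keep recommending each other."""
    seen, frontier = {me}, [me]
    while frontier:
        node = frontier.pop()
        for n in friends.get(node, set()):
            if n not in seen:
                seen.add(n)
                frontier.append(n)
    return seen - {me}
```

For alice, the two NoiseB members are one proxied hop away through dana, while Metalab is only reachable after a recommendation chain through eli.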

Also,

Cupcakes, noun. Digital goodness. See: the objects obtained from the holy act of copying.

So add me as a friend, say hi to rhys on freenode, let's see what Cupcakes are buried in the hivemind of the hackerspaces.


  • In Retroshare, go to the "Friends" Tab. Click on the + symbol, Add Friend. Click the "Enter Certificate Manually" and copypasta my public key into the box.