Permission is granted to copy, distribute and/or modify this document under the terms of the [[https://gnu.org/licenses/fdl.html][GNU Free Documentation License]], Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
Source for this web site in [[https://en.wikipedia.org/wiki/Org-mode][Emacs org-mode]] format is available [[/beaglebone.txt][here]]. Comments or patches may be submitted via [[https://github.com/bashrc/freedombone][Github]].
/The battle for liberty is never won, and is never lost. The battle for liberty always continues. It is never too late, and it is never soon enough, to defend freedom. No matter how enslaved we are, we always have hope. No matter how free we are we are never safe. Nothing ever limits the government, except the people. Any generation which fails to defend freedom will lose it, and the next generation will have to shed blood to gain it back./
Today many of us rely upon "free" services in the cloud, such as Gmail, Facebook, Google+ and so on. It might appear that these services are indispensible infrastructure of the modern internet, but actually they're not strictly needed and the amount of value which they deliver to the average internet user is very marginal. It is possible to be a citizen of the internet and yet not use those things - to disintermediate the most well known companies and cut out their prurient or merely cringeworthy business models.
FreedomBone is a personal home communications server based upon the BeagleBone Black hardware. It's small and cheap and will allow you to use email, have your own web site and do social networking in a federated way without needing to rely upon any intermediary companies other than your ISP.
** Do I need any prior knowledge?
In these instructions only a minimal level of familiarity with Linux is assumed. It's assumed that you know the basics of the /nano/ and /emacs/ editors, but it would be simple to also use other editors if you prefer.
You should consider doing this if you are a freedom-oriented sort of person and you want to maintain sovereignty over your information. Laws in many places in the world consider you to have relinquished any property rights over data which you put onto a server not owned by youself (i.e. owned by a third party, such as Google or Facebook). The frequently cited and often absurd mantra is that there is "/no reasonable expectation of privacy/".
If you don't like the idea of having all your communications intercepted and investigated by the Surveillance State then you should consider running a FreedomBone. If your profession involves maintaining confidentiality as an essential feature, such as legal or medical services, counselling, teaching or any sort of activism then you should consider running a FreedomBone. Especially if your activities include [[https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/][systems administration]] or [[http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html][software engineering for any communications-related systems]] then it is highly likely that you have already been targeted and "tasked" by the surveillance apparatus.
As Eben Moglen noted in his now famous [[https://www.youtube.com/watch?v=QOEMv0S8AcA]["Freedom in The Cloud"]] talk the simple fact of you keeping your own internet logs (found in the /var/log directory) puts a certain amount of power in your hands and takes it away from parties who would otherwise sell that information without your knowledge or permission to advertisers or other shady outfits who may not have your best interests at heart.
** After it's installed will it need a lot of maintenance?
So long as the hardware is ok the amount of maintenance needed should be very small. Unlike on Windows based systems you don't need to defragment drives or mess about with anti-virus programs. I ran a similar Sheevaplug system between 2010 and 2013 with only occasional software updates or reboots, and uptime was probably 99% or better.
Nothing is totally secure or infallible. You could have the most secure technology and yet still use easy to guess passwords. In general any software described as "uncrackable" or "guaranteed secure" is likely to be bogus and should be treated with suspicion. No matter what the hype may claim, all software has bugs so it's really a question of whether your communications are more secure or less secure. Using something like Freedombone will be likely to increase your degree of communications security to a level which is above average.
This system will not defend you from an attacker who is actively trying to block or corrupt your communications, but I assume that doesn't apply in the majority of cases. Another thing to be aware of is that running a FreedomBone could make you more vulnerable to traffic analysis, since the server is associated with your home address and isn't a giant aggregation of users somewhere in the cloud. You need to weigh this alongside the additional legal protection which owning the server and having it in your own home gives you.
FreedomBone should be far more secure than using popular cloud-based services which have spying built into them as a core feature (although not one which is typically advertised), but it is not necessarily any kind of impenetrable information fortress.
This project is not only about security. It's also about having independence and at least in the realm of information being able to have more control over your own life, without having gatekeepers, censors or companies in the middle. That's the way that the internet was designed to be in the first place.
** Can I use a Raspberry Pi or Cubieboard instead?
These instructions are not highly specific to the Beaglebone Black and so will likely also work on other single board computers (SBCs) such as the [[https://en.wikipedia.org/wiki/Raspberry_pi][Raspberry Pi]] or [[https://en.wikipedia.org/wiki/Cubieboard][Cubieboard]]. The original Raspberry Pi only had 256MB of RAM and so the performance of some services may be more limited. The Beaglebone Black was chosen mainly because of its low cost, relatively good CPU performance for the price (by the standards of 2013) and also low electricity consumption. The Cubieboard is also another good alternative, with the A20 version having similar specifications but twice as much RAM as the BeagleBone Black.
** Why should I trust the packages or source code downloaded from this site?
If you're particularly security conscious then you shouldn't. Binary or source packages have only been included here for convenience and to avoid confusion. "/Go and find a Debian installation for the BeagleBone Black somewhere on the web/" is too vague an instruction for my liking, and I've attempted to keep things as concise and unambiguous as possible - particularly with an average or new Linux user in mind.
However, for maximum security for those software systems which are not already packaged within the Debian repositories then seek out the original sources and verify the hashes independently.
It's worth adopting an attitude of "/trust but verify/". Don't let fear of mass surveillance and [[https://www.techdirt.com/articles/20140207/08354426130/gchq-has-entire-program-dirty-tricks-including-honeypots-using-journalists-deleting-online-accounts.shtml]["dirty tricks"]] paralyse you into trusting nothing and consequently doing nothing. Doing nothing means that the surveillance apparatus has succeeded in keeping you under observation at all times.
This is often a question which people ask about running a server from home. The answer is that you don't need a static IP address. In the vast majority of cases you will have a dynamic IP address issued by your ISP, which may change from time to time. How then does the DNS system know how to resolve your domain name correctly? To do this you need to use a dynamic IP address system, such as [[http://freedns.afraid.org/][freeDNS]]. The details of that are explained [[Getting onto the web][here]]. Other services are available, but they're not usually /free as in beer/. In this guide a static IP address of 192.168.1.60 is only used within your /local network/ (i.e. not the big bad internet of public IP addresses), so that your internet router can be set up to send incoming traffic to the right computer.
These instructions assume that you have the following ingredients.
** A BeagleBone Black (BBB)
It should come with a suitable USB cable for the initial setup. To make things look nicer you may also want to get a case for it.
** An internet connection
It is assumed that the most common situation is via a router installed at home. The router should have ethernet sockets on it and a web interface which allows you to forward ports (sometimes under the "firewall" settings), so that you can forward ssh and web traffic to the BBB.
** microSD card
To use as the main storage for the BBB. 16 or 32GB is fine, and can be obtained quite cheaply. Try to use Sandisk (class 10 or better) where possible and avoid cheaper cards which often have poor performance.
You may also need an SD card adaptor or USB card reader in order to flash the operating image to the microSD card. For instance, many laptops have an SD card slot but not a microSD slot.
With a plug suitable for powering the BBB. If you have some device with a USB socket nearby you may also be able to just use that for electrical power. However, powering from the USB cable alone might result in crashes when the system is under load, depending upon how many milliamps can be supplied by the USB hub/socket. If the system crashes due to running out of power then you will see that the LEDs on the BBB are continuously on, rather than flashing. One way to test whether the board has enough power is to try compiling a Linux kernel on it, but any CPU and disk intensive program will also suffice as a test.
[[http://beagleboard.org/Support/FAQ][beagleboard.org]] gives the following advice on power supplies:
#+BEGIN_VERSE
/Power over USB is sufficient as long as the software and system running perform some management to keep it under the USB current limit threshold. For simplicity and maximum capability, powering over the 5V barrel connector is typically recommended./
/The power adapter is required to provide 5V over a 5.5mm outer diameter and 2.1mm inner diameter barrel connector (a barrel connector length of 9.5mm is more than sufficient). The recommended supply current is at least 1.2A (or 6W), but at least 2A (or 10W) is recommended if you are going to connect up anything over the USB./
The Debian Linux OS will be installed onto a small flash drive. It's a good idea to do this rather than using the internal flash, because it will allow you to easily create backups of the entire system if necessary using the dd command.
Create the disk image, where sdX is the name of the flash drive (probably it will be sdb or sdc). An easy way to find out the device name of the flash drive is to enter the command:
#+BEGIN_SRC: bash
ls /dev/sd*
#+END_SRC
then plug in the flash drive and type the same command again. You'll be able to see the difference. Once you know the device name then you can proceed to install the image onto the flash drive.
The Debian Linux OS will be installed onto a small flash drive. It's a good idea to do this rather than using the internal flash, because it will allow you to easily create backups of the entire system if necessary using the dd command.
Download the Cubieboard image from http://cubian.org/downloads/
#+BEGIN_SRC: bash
sudo apt-get install p7zip-full
7z x CUBIAN_IMAGE.7z
#+END_SRC
Create the disk image, where sdX is the name of the flash drive (probably it will be sdb or sdc). An easy way to find out the device name of the flash drive is to enter the command:
#+BEGIN_SRC: bash
ls /dev/sd*
#+END_SRC
then plug in the flash drive and type the same command again. You'll be able to see the difference. Once you know the device name then you can proceed to install the image onto the flash drive.
/Build the tools for a future you would want to live in/
-- Kurt Opsahl
#+END_VERSE
** Things to be aware of
*** A note on ssh
When using ssh to log into the BBB if you get warnings of the type "/the ECDSA host key for domain differs from the key for the IP address/" then run the command:
#+BEGIN_SRC: bash
ssh-keygen -R <IP address>
#+END_SRC
*** Passwords
It's highly recommended that you use a password manager, such as KeepassX, and make all your passwords long random strings. It's also a good idea to use different passwords for different pieces of software, instead of one or two passwords for the whole system. That compartmentalises the security such that even if an attacker gains access to one system they can't necessarily get access to others.
Throughout these instructions self signed SSL certificates are used to implement access to web pages via HTTPS. The whole HTTPS security model upon which much of the internet currently rests seems broken in that it usually depends upon "trusted certificate authorities" who are not really trusted, except perhaps by the maintainers of certain web browser software. So all that HTTPS really guarantees is that you have an encrypted connection, but an encrypted connection /to who/ can be subject to doubt. As was seen in 2013 with the [[https://www.schneier.com/essay-455.html][information coming from Edward Snowden]], and also the [[http://en.wikipedia.org/wiki/Lavabit][Lavabit email service]], it's possible for companies/organisations to be compromised or bribed and SSL private keys for all users can be demanded using gagging orders or secret laws without any individual user ever being able to know that their communications is no longer secure..
Not knowing who you're really connecting to is especially true for self-signed certificates, so it is in principle possible that when logging into a site with a username and password a system such as [[http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/][Quantum Insert]], or a compromised [[http://en.wikipedia.org/wiki/Domain_Name_System][DNS service]], could be used to direct the user to a fake copy of the login screen for the purposes of obtaining their login details. While this doesn't seem to be a major problem at the time of writing it's something to keep in mind. So if you can't log in or if you log in and what you see doesn't look like your site then it's possible that such a compromise could have taken place. Using a password manager with different login details for each site is one way to ensure that if one system is compromised then the attacker can't necessarily get access to all your other stuff.
Eject the microSD card from your computer and plug it into the BBB, then connect the USB cable between the two. You may need to wait for a couple of minutes for the BBB to boot from the card, then you can then open a terminal and login via ssh.
Note that if you're using a Cubieboard then the ssh login is different (see https://github.com/cubieplayer/Cubian/wiki/Get-started-with-Cubian) and it may be easier to directly edit the following files with the microSD card plugged into your laptop.
The first thing to do is to change the passwords from their defaults.
#+BEGIN_SRC: bash
passwd
#+END_SRC
Then you will need to change the network interfaces. The main task here is to comment out the stuff related to usb0. That will enable you to plug the BBB into the back of a router and for it to be detectable on the network.
#+BEGIN_SRC: bash
nano /etc/network/interfaces
#+END_SRC
The resulting interfaces file should look like this:
#+BEGIN_SRC: bash
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.60
netmask 255.255.255.0
gateway 192.168.1.254
dns-nameservers 213.73.91.35 85.214.20.141
# Example to keep MAC address between reboots
#hwaddress ether DA:AD:CE:EF:CA:FE
# WiFi Example
#auto wlan0
#iface wlan0 inet dhcp
# wpa-ssid "essid"
# wpa-psk "password"
# Ethernet/RNDIS gadget (g_ether)
# ... or on host side, usbnet and random hwaddr
# Note on some boards, usb0 is automaticly setup with an init script
# in that case, to completely disable remove file [run_boot-scripts] from the boot partition
In the above example "address 192.168.1.60" is a static IP address for the BBB, which will allow incoming network traffic to be directed from the router in a reliable manner. It should be outside of the DHCP range set up on the router.
"gateway 192.168.1.254" should be the IP address of the router.
Note that setting the DNS servers with dns-nameservers is important because some home routers do not allow you to change the DNS settings.
It's not a good idea to use the DNS servers provided by default by your ISP, since those are almost certainly subject to censorship and monitoring. Other possible IP addresses are:
Now disconnect the BBB from your computer and plug it into the router. You'll need an ethernet patch cable and you may also need a 5V/1A power supply for the BBB.
If you go to the web administration screen for your internet router (often it's on 192.168.2.1 or 192.168.1.254) then after a few minutes you should see the BBB appear on the network. It's name will be "arm".
Delete the existing sources and replace them with the sources [[Example software sources][listed here]], then save and exit. If you use the default Cubian software sources then dependency problems will occur later on.
Then make a new user. It's a bad idea to add users to the sudo group, because that then means that an attacker potentially only needs to know one password in order to get administrator access to the system. With no sudoers an attacker needs to know, or be able to obtain, two separate passwords to be able to really compromise the system.
Exit from the ssh login by typing "exit" a couple of times, then ssh back in as the new user. Make sure you use a difficult to guess password/phrase, or ideally a randomly generated password used together with a password manager such as KeepassX.
Remove the default debian user.
#+BEGIN_SRC: bash
userdel -r debian
#+END_SRC
** Text editor
For an editor which is less erratic than vi when used within a remote console such as Terminator.
Using a more recent kernel should improve stability of the system and also allow it to make use of hardware random number generation, which improves the overall security. Please note that this kernel is specific to the BBB, so if you're using a Raspberry Pi, Cubieboard or other SBC then look elsewhere on the web for information about upgrading the kernel.
If you get a certificate error then edit *install-me.sh* and change the /https/ to /http/, save and try again. Once the installation has completed then you can reboot by typing:
After the system has rebooted you can ssh back unto it and log in as the root user. You can check that the kernel version has changed with the command:
/Near as I can tell, the answer on what has been requested is everything: deliberate weakenings of encryption algorithms, deliberate weakenings of random number generations, copies of master keys, encryption of the session key with an NSA-specific key … everything./
-- Bruce Schneier, on the 2013 leaked NSA documents
The security of encryption depends upon the randomness of the random source used on your system. If it isn't very random then it may be far more vulnerable to cryptanalysis, and it's known that in the past some dubious agencies have encouraged the use of flawed random number generators to assist with their prurient activities. Randomness - typically referred to as /entropy/ - is often gathered from factors such as the timing of key presses or mouse movements, but since the BBB won't have such devices plugged into it this reduces the amount of entropy available.
Computers can't really generate truly random numbers by themselves, since they're deterministic and so operate in a highly predictable manner. Fortunately, the BBB has an onboard hardware random number generator, which is a physical process which behaves randomly and which can then be read into the computer and stored for later use in encryption algorithms.
Information on exactly how the hardware random number generator on the Beaglebone AM335x CPU works [[http://e2e.ti.com/support/arm/sitara_arm/f/791/t/292794.aspx][seems hard to come by]], but we can later use some software to verify that it does indeed produce random numbers and hasn't been deliberately weakened.
If you are not using a Beaglebone (a Cubieboard for example), or if you didn't update the kernel, then you can still improve the random number generation by installing:
Ideally it should be in the range 1000-4096. If it is persistently below 500 then there may be a problem with your system which could make it less secure.
To verify that random number generation is good on the BBB run:
#+BEGIN_SRC: bash
cat /dev/hwrng | rngtest -c 1000
#+END_SRC
You should see something like this, with zero or a small number of failures:
An optional extra is the [[http://cryptotronix.com/products/hashlet/][Cryptotronix Hashlet]] which also has hardware random number generation capability via the [[./Atmel-8740-CryptoAuth-ATSHA204-Datasheet.pdf][Atmel ATSHA204]] chip.
It should return the message "/Factory/". This is intended to provide an indication that the hardware hasn't been tampered with by [[https://en.wikipedia.org/wiki/Tailored_Access_Operations][TAO]] or other shady outfits in transit. If /i2c-2/ fails then try /i2c-1/ or /i2c-0/.
Nothing should be returned by this command, but a file called ~/.hashlet will be generated which is the private key of the device. This personalization process is a one-time operation which physically alters the hardware, so it would not be trivial to reset the device back to "Factory" again. To make sure it's only accessible by the root user:
The rate of entropy generation by the Hashlet seems very slow compared to */dev/hwrng*, and this is most likely because of the I2C interface. So it's probably a good idea to keep hwrng as the main random source and only use the Hashlet's random number generator for any ancillary stuff.
/The privacy rights of US persons in international communications are significantly diminished, if not completely eliminated, when those communications have been transmitted to or obtained from non-US persons located outside the United States./
Create a subdomain on [[http://freedns.afraid.org][freeDNS]]. You may need to click on "/subdomains/" a couple of times. FreeDNS is preferred because it is one of the few domain name providers which supports genuinely free (as in beer) accounts. So if your budget is tiny or non-existent you can still participate as a first class citizen of the internet. If you do have money to spend there is also a premium option.
Select "/dynamic DNS/" then click "/quick cron example/"
It's important to make sure that you change the *http* to *https*, since this will help to prevent a potential attacker from hijacking your site and redirecting it to a fake version for the purposes of obtaining your login details.
Via your router's firewall settings you should now open port 22 (secure shell). This will allow you to ssh into your BBB from any location - not just your own local network.
The freeDNS subdomain which you just created will hereafter just be refered to as "/your domain name/".
If you have multiple freedns subdomains then you may want to rationalise that a little within */etc/crontab*. Rather than listing them all individually create a script:
It's convenient to have the clock on your server automatically synchronised with other servers on the internet so that you don't need to set the clock manually. The usual way of doing this is via [[https://en.wikipedia.org/wiki/Network_Time_Protocol][NTP]], but that method uses unencrypted signals which could potentially be interfered with in order to mess up your system. /tlsdate/ provides a slightly more secure way of setting the date and time over a SSL/TLS connection to a known good time source.
This obtains the date and time from www.ptb.de every 15 minutes. Obviously if you wish to use a different source for the date and time then the cron entry can be edited accordingly.
/The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability./
A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack. Your internet router may contain a firewall, but chances are that it also contains proprietary software which can be remotely changed/updated by the ISP. Unless you're running free software, such as [[https://en.wikipedia.org/wiki/OpenWrt][OpenWrt]], on your internet router then it's reasonable to assume that the device is hostile and could be conducting surveillance, trying to do [[https://en.wikipedia.org/wiki/Man-in-the-middle_attack]["man in the middle"]] attacks or be pushing "implants" onto the computers and mobile devices on your local network. That means that your server needs its own firewall.
Also disable ping. This may be inconvenient to some extent, but it seems common for malicious systems, including but not limited to the [[http://www.nbcnews.com/news/investigations/snowden-docs-british-spies-used-sex-dirty-tricks-n23091][JTRIG "EFFECTS" team]], to try to disable the machine by flooding it with pings. These days there seems to be not much difference between "cybercrime" and nefarious state-sponsored internet activities.
Save and exit. It may be a good idea to reboot at this point and then log back into the BBB using ssh. You can do a safe reboot of the system by typing:
/The government argued that, since the "inspection" of the data was to be carried out by a machine, they were exempt from the normal search-and-seizure protections of the Fourth Amendment...The prosecution also argued that my users had no expectation of privacy, even though the service I provided - encryption - is designed for users' privacy/
Email is not very secure, but its usefulness and ubiquity mean that it's likely to continue as a primary communications method for many years to come. You can encrypt the contents of email using PGP/GPG, but very few people do that and even for those that do the metadata (the From/To/CC/BCC) is always transmitted in the clear as a fundamental aspect of the protocol, allowing an attacker to easily construct detailed models of people's social network and life patterns even without knowing the content.
Exim4 seems much easier to install and configure than Postfix.
This will generate the certificate used for email authentication. You will be asked for various details, the most important of which is the server name, which should be your domain name.
If you encounter any problems with dependencies then select 'n' and then 'y' to whatever the suggestion for removals is. Repeat the aptitude install process until you don't get any more dependency errors.
The key ID is the second part of the string of numbers and letters. So for example in:
#+BEGIN_SRC: bash
pub 4096R/EA982E38 2012-05-20
#+END_SRC
the key ID is EA982E38. Now send your public key to a server so that others can find it.
#+BEGIN_SRC: bash
gpg --send-keys $MYGPGKEYID
#+END_SRC
*** root settings
If you later create an encrypted mailing list then the root user will also need to have good GPG settings so that it can generate key pairs for the list. The easiest way to ensure this is to do the following, replacing /myusername/ with your username:
Because the BBB has limited RAM some processes may occasionally be automatically killed if physical memory availability is getting too low. The way in which processes are chosen to be sacrificed is not particularly intelligent, and so can result in vital systems being stopped. To try to prevent that from ever happening the following script can be used, which should ensure that at a minimum ssh, email and mysql keep running.
/It's important to have the geek community as a whole think about its responsibility and what it can do. We need various alternative voices pushing back on conventional government sometimes./
Enter some trivial password for the key file, such as "password". The password will be removed as part of the /makecert/ script which you just created. Note that leaving a password on the key file would mean that after a power cycle the Apache server will not be able to boot properly (it would wait indefinitely for a password to be manually entered) and would look as if it had crashed.
If all has gone well then there should be no warnings or errors after you run the service restart command. After that you should enable ports 80 (HTTP) and 443 (HTTPS) on your internet router/firewall, such that they are redirected to the BBB.
Save and exit. Also edit */etc/php5/cli/php.ini* and set /memory_limit/ to the same value. This should prevent any rogue scripts from crashing the system.
/The emails showed that Google...was among several other military/defense contractors vying for a piece of DAC’s $10.9-million surveillance contracting action./
Finally you can then type *mutt* to get access to your email. Hence as a fallback, or if you prefer as the primary way of accessing email, you can ssh into the BBB and use the mutt command line email client. Ssh clients are available for all operating systems, and also you should be reasonably protected from passive surveillance between wherever you are and the BBB (although not between the BBB and the wider internet), which can be useful if you are for example using an Android tablet from a cafe or railway station.
To use the address book system open an email and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses.
One of the most common things which you might wish to do is to send an email. To do this first press /m/ to create a new message. Enter the address to send to and the subject, then after a few seconds the Emacs editor will appear with a blank document. Type your email then press /CTRL-x CTRL-s/ to save it and /CTRL-x CTRL-c/ to exit. You will then see a summary of the email to be sent out. Press /y/ to send it and then enter your GPG key passphrase (the one you gave when creating a PGP/GPG key). The purpose of that is to add a signature which is a strong proof that the email was written by you and not by someone else.
To view any new folders which you may have created using the /mailinglistrule/ script from your inbox press the *K9 icon* at the top left to access folders, then press the *menu button* and select *refresh folder list*.
If your folder still doesn't show up then press the *menu button*, select *show folders* and select *all folders*.
For maximum speed and efficiency the recommended email client is Mutt, accessed via ssh, but non-technical people who aren't using an Android app are unlikely to want to use email in that manner. So it's a good idea to also have a webmail system installed, both for accessibility and as a fallback should ssh not be available due to port blocking.
You'll notice that you may not be able to see any mailing list folders which you may have created earlier using the /mailinglistrule/ script. To make folders visible click on the cog-like settings icon at the bottom left of the screen then select *manage folders*. You will then be able to select which folders you wish to become visible. Make sure that the *Sent*, *spam* and *ham* folders are selected.
Click on the *Mail* icon to go back to your main mail screen then click on the *Settings* icon at the top right of the screen and select *special folders*. Set *Junk* to *spam* then click the save button. Also select *identities* and make sure that your email address is correct.
/Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data./
-- Brian Spector, on the shutting down of the PrivateSky encrypted email service
#+END_VERSE
Another common way in which you may want to access email is via Thunderbird. This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook.
The following instructions should be carried out on the client machines (laptop, etc), not on the BBB itself.
**** Initial setup
Install *Thunderbird* and *Enigmail*. How you do this just depends upon your distro and software manager or "app store".
Open Thinderbird
Select "*Skip this and use existing email*"
Enter your name, email address (myusername@mydomainname.com) and the password for your user (the one from [[Add a user]]).
You'll get a message saying "/Thunderbird failed to find the settings/"
The settings should be as follows, substituting /mydomainname.com/ for your domain name and /myusername/ for the username given previously in [[Add a user]].
* Incoming: IMAP, mydomainname.com, 993, SSL/TLS, Normal Password
From OpenPGP setup select "*Yes, I would like the wizard to get me started*". If the wizard doesn't start automatically then "setup wizard" can be selected from OpenPGP on the menu bar.
Enter a passphrase and click *Next* a couple of times.
Click *Generate Certificate* to generate a revocation certificate.
Enter the passphrase which you gave previously.
Click *Finish*
From the menu select *OpenPGP* and then *Key Management*. Make sure that *Display all keys* is selected and then select your key. Select *Keyserver* on the menu and then *Upload Public Keys*. This will upload your public key to a key server so that others can find it.
Select *File* from the menu then *Export keys to file*. Click on *Export Secret keys* and select a location to save them to. It's a good idea to save them to a USB stick which can then be removed from the computer and carried around on a keyring together with your physical keys. If you need to set up GPG or Thunderbird/Enigmail on others then this file will be used to import your keys.
Select *OpenPGP Security* and make sure that *use PGP/MIME by default* is ticked. This will enable you to sign/encrypt attachments, HTML bodies and UTF-8 without any problems.
Note that when sending an email for the first time you will also need to accept the SSL certificate.
Get into the habit of using email encryption and encourage others to do so. Remember that you may not think that your emails are very interesting but the Surveillance State is highly interested in them and will be actively trying to data mine your private life looking for "suspicious" patterns, regardless of whether you are guilty of any crime or not.
Make sure that "*show only subscribed folders*" is not checked. Then click the *ok* buttons. Folders will be re-scanned, which may take some time depending upon how much email you have, but your folders will then appear.
/Yes, the NSA set fire to the Internet but it’s the business models of Google, Facebook, etc, that provide the firewood. Trusting the companies supplying the firewood to be your fire fighters is naïve at best./
-- Aral Balkan
#+END_VERSE
*** Rules for mailing lists
A common situation with email is that you may be subscribed to various mailing lists and want incoming email from those to be automatically grouped into a separate folder for each list.
We can make a script to make adding mailing list rules easy:
Now we can add a new mailing list rule with the following, where /myusername/ is your username, /mailinglistname/ is the name of the mailing list (with no spaces) and /subjecttag/ is the tag which usually appears within square brackets in the subject line of emails from the list.
/When society gives censors wide and vague powers they never confine themselves to deserving targets. They are not snipers, but machine-gunners. Allow them to fire at will, and they will hit anything that moves./
Wordpress is the most popular blogging platform, but in practice I found it to be high maintenance with frequent security updates and breakages. More practical for a home server is Flatpress. Flatpress doesn't use a MySql database, just text files, and so is easy to relocate or reinstall.
Now visit your blog and follow the setup instructions, which are quite minimal. Various themes and addons are available from the Flatpress web site, http://www.flatpress.org
IRC is not an especially secure system. For instance, even with the best encryption it's easily possible to imagine IRC-specific cribs which could be used by cryptanalytic systems. However, we'll try to implement it in a manner which will at least give the surveillance aparatus something to ponder over.
Customise the configuration to your system, giving it a name and description. In this example 192.168.1.60 is the static IP address on the BBB on the local network, so change that if necessary.
Within the *auth* section set user = "*@192.168.1.60" - or whatever the fixed IP address of the BBB is on your network - and password to the desired password for the IRC server. If you don't wish to use a password then remove need_password from the flags.
Save and exit, then restart the IRC server. Open port 6697 on your internet router and forward it to the BBB. Note that although ports 6665 to 6669 are active within the configuration file in practice we will only use the encrypted port.
Change #MD5 PASSWORD HERE# to the md5 operator password created earlier, mydomainname.com to your domain name and mysendacceptpassword to the send/accept password specified within /ircd.conf/.
Connect to the IRC and identify yourself as an operator. Here /mynetwork/ should be the same as *network_name* specified earlier within /ircd.conf/. The network name is something equivalent to "freenode".
It may be useful to run a persistent Irssi session on the BBB. This will enable you to log in and see any entries which occurred previously so that you don't find yourself in an argument without knowledge of what was said in the last few minutes or hours. This feature only works for a single user on the BBB - typically the administrator.
Add a user. You will be prompted to specify a password. You can repeat the process for as many users as needed. This will also be your Jabber ID (JID).
It's possible to test that your XMPP server is working at https://xmpp.net. It may take several minutes and you'll get a low score because of the self-signed certificate, but it will at least verify that your server is capable of communicating.
Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates.
Jitsi can be downloaded from https://jitsi.org/
On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.
You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
*** Using with Ubuntu
The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
Enter your username (myusername@mydomainname.com) and password.
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
There are a few XMPP clients available on Android. Ideally choose ones which support off-the-record messaging. Here are some examples.
**** Xabber
Install [[https://f-droid.org/][F-Droid]]
Search for and install Xabber.
Add an account and enter your Jabber/XMPP ID and password.
From the menu select *Settings* then *Security* then *OTR mode*. Set the mode to *Required*.
Make sure that *Check server certificate* is not checked.
Go back to the initial screen and then using the menu you can add contacts and begin chatting. Both parties will need to go through the off-the-record question and answer verification before the chat can begin, but that only needs to be done once for each person you're chatting with.
See [[Setting up a web site]] for details of how to update the Apache configuration for your Friendica site. You should have a separate domain name specifically to run Friendica on. It can't be installed in a subdirectory on a domain used for something else.
Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Friendica via HTTPS, so to prevent anyone from accidentally logging in insecurely:
Replace the section which begins with *<VirtualHost *:80>* with the following, replacing /myusername@mydomainname.com/ with your email address and /myfriendicadomainname.com/ with your Friendica domain name:
When installation is complete if you already have an exported account which you wish to import then visit https://myfriendicadomain.com/uimport, rather than registering a new user. If you get an error when trying to import an account then try increasing the value of LimitRequestBody within your apache configuration and restart the apache2 service.
If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service.
Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week.
To get to the admin settings you will need to be logged in with the admin email address which you specified at the beginning of the installation procedure. Depending upon the theme which you're using "/admin/" will be available either as an icon or on a drop down menu.
Under the *plugins* section the main one which you may wish to enable is the NSFW plugin. With that enabled if a post contans the #NSFW tag then it will appear minimised by default and you will need to click a button to open it.
Under the *themes* section select a few themes, including mobile themes which are suitable for phones or tablets.
Under the *site* section give your Friendica node a name other than "/my friend network/", you can change the icon and banner text and set the default mobile theme typically to /frost-mobile/. If you don't want your node to host a lot of accounts for people you don't know then you may want to set the register policy to "/requires approval/". For security it's probably a good idea only to host accounts for people who you actually know, rather than random strangers. Also be aware that the Beaglebone does not have a great deal of computational power or bandwidth and will not function well if there are hundreds of users using your node. If you're not federating with Diaspora or other sites then you may wish to select "/only allow Friendica contacts/". That improves the security of the system, since communication between Friendica nodes is always encrypted separately and in addition to the usual SSL encryption layer - which makes life interesting for the Surveillance State and at least keeps those cryptanalysts employed.
It's probably a good idea to enable "/private posts by default for new users/" and also "/don't include post content in email notifications/". Since traditional email isn't a secure system and is easily vulnerable to attack by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]].
Each user has their own customisable settings, typically available either via an icon or by an entry on a drop down menu.
Under *additional features* enable "/richtext editor/", "/post preview/", "/group filter/", "/network filter/", "/edit sent posts/" and "/dislike posts/".
Under *display settings* select your desktop and mobile themes.
Once you have connected to enough friends it's also a good idea to use the "/export personal data/" option from here. This will save a file to your local system, which you can import into another friendica node if necessary.
**** To access from an Android device
***** App
Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app.
If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption.
More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/
***** Mobile Theme
Another way to access Friendica from a mobile device is to just use the web browser. If you have selected a mobile theme within your settings then when viewing from an Android system the mobile theme will be displayed.
Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Movim via HTTPS, so to prevent anyone from accidentally logging in insecurely:
Click on /General Settings/ and alter the administrator username to /movimadmin/ and password to some long random string (using a password manager such as KeepassX).
The /BOSH URL/ should be http://localhost:5280/http-bind (TODO: should this be https://localhost:5281/http-bind and if so do certificate warnings need to be disabled?)
Click on /Database Settings/ and alter the MySql movim database username to /movimadmin/ and password to the password you specified in the previous step.
Click /Submit/ followed by /Resend/. If you get a lot of orange warnings about database fields being created then hit /Submit/ again until you see "Movim database is up to date".
If everything on all three tabs looks green then you are ready to go. Click on the Movim logo at the top left and then log in with your Jabber ID (JID).
Red Matrix is the current version of the Friendica social networking system. It's more general than Friendica in that it's designed as a generic communication system based around a protocol called "zot". At the time of writing in early 2014 Red Matrix remains at an alpha stage of development and so it's not advised that you install it unless you're willing to put up with bugs and frustrations. In the large majority of cases it's better to stick with Friendica for now.
The main problem with Red Matrix is that in order to install it you will need to have purchased a domain name (i.e. not a FreeDNS subdomain) and a SSL certificate for it.
You could join some other Red Matrix server, but this suffers from "/The Levison Problem/" in which some goons show up with a gagging order demanding coppies of the SSL private key. In that scenario unless the owner of the server is exceptionally brave users may never be informed that the site has been compromised or that there is interception hardware attached to the server. Joining another server defeats the object of being digitally self-sufficient and raises legal question marks about the ownership of data which you might upload to a server which doesn't belong to you.
See [[Setting up a web site]] for details of how to update the Apache configuration for your Red Matrix site. You should have a separate domain name specifically to run Red Matrix on. It can't be installed in a subdirectory on a domain used for something else.
Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Red Matrix via HTTPS, so to prevent anyone from accidentally logging in insecurely:
Now visit the URL of your site and you should be taken through the rest of the installation procedure. Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service.
Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week.
If you already have a backup script created for Friendica then just uncomment the lines for Red Matrix. The backup script should look something like the following:
If you already have a backup script created for Friendica then just uncomment the lines for Red Matrix. The backup script should look something like the following:
If you already have a backup script created for Friendica then just uncomment the lines for Red Matrix. The backup script should look something like the following:
Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app.
If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption.
More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/
pump.io is the successor to StatusNet (which later became [[GNU Social]]) and is a communications system which can do things other than just microblogging. It takes fewer system resources to run and so is better suited to low power servers such as the BBB, but is more complicated to install. pump.io doesn't work well with self-signed SSL certificates so this may be something which you can only use if you have your own domain and an "authority" issued certificate. Using a self-signed certificate you can only use pump.io as a /data silo/ which won't federate with other servers.
For a pump.io site you will need a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your site. If you're using freedns then you will need to create a new subdomain.
The initial section which begins with *<VirtualHost *:80>* should be replaced by the following, replacing /mypumpiodomainname.com/ with your pump.io domain name and /myusername@mydomainname.com/ with your email address.
and add a new user. If you wish this to be a single user node not open to the general public (including spammers and sockpuppets) then edit */etc/pump.io.json* and set *disableRegistration* to *true*. After making that change restart with the command *service pumpio restart*.
Once you've set up your user account it's recommended that you don't use the web based user interface and instead use a native client such as [[http://jancoding.wordpress.com/dianara/][Dianara]] or Pumpa. On Ubuntu you can install these via the Software Center. On mobile devices you can install AndStatus via F-Droid.
A list of pump.io sites can be found at http://pumpstatus.jpope.org. At the time of writing there isn't any public directory and so finding people to follow is really a question of navigating through lists of /following/ or /followers/ (rather like the web before search engines were invented).
At the time of writing creating backups of the pump.io database is critically important, because regenerating the database or moving to a different databank type causes you to be /permanently banned/ from the pump.io network unless you change your domain name (which may not always be an available option).
Gopher is an old internet protocol which originated a few years before the web and is purely text based. It can be quite fun to build a gopher site and browse the gopherverse. One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection.
Your content should be placed within /var/gopher with the index page being named index.gph. The Gopher format is very simple - simpler than HTML - so creating pages is not much more difficult than editing a text file.
On your internet router change the firewall settings to route port 70 to the BBB, then provided that you have a gopher plugin installed within your browser then you should be able to navigate to your gopher site with:
#+BEGIN_SRC: bash
gopher://mydomainname.com
#+END_SRC
There is a browser addon for Gopher called "overbite". Installing that should enable you to view your site.
Owncloud will allow you to upload and download files, share photos, collaboratively edit documents, have a calendar and more. You should be warned that Owncloud runs quite slowly via an ordinary web browser, but it can be a convenient way to access and share your data from any location in a reasonably secure manner.
It's very important that /mod_php5/ and not /mod_php5filter/ be installed. If you have /mod_php5filter/ installed then Owncloud will always fail to install.
#+BEGIN_SRC: bash
a2dismod php5filter
apt-get install libapache2-mod-php5
#+END_SRC
Ensure that the size of files which may be uploaded or downloaded is large enough.
And add the following, to the 443 VirtualHost section. Really we only will want to be using Owncloud with HTTPS to ensure some level of security and avoidance of dragnet surveillance.
For extra security you may also wish to create an ordinary owncloud user with limited privileges. To do that click on the *settings* dropdown menu (top right) then *users* then enter a *Login Name* and *password* and click on *create*. Under *quota* select a size which is suitable for the remaining space on your microSD card, then select the settings menu from the top right and select *log out*. You can now log back in as your new user.
First install [[https://f-droid.org/][F-Droid]] and then search for the current Owncloud app. Once it's installed you'll then be able to log into the BBB with the URL https://mydomainname.com/opencloud, supplying your username and password.
/I believe that technology can liberate, but you need to be a master rather than a user. You need to pull technology apart and master it rather than letting it control you./
If you need to be able to upload large files to the wiki then edit */etc/php5/apache2/php.ini* and set *upload_max_filesize* accordingly. If the directory */etc/php5/apache2* doesn't exist then you will need to install the package *libapache2-mod-php5*.
/The weakness of mass surveillance is that it can very easily be made much more expensive through changes in technical standards: pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost-effective basis/
[[https://bitmessage.org][Bitmessage]] is a new type of messaging system intended to fulfill the same role as email, but without the security problems. In particular, Bitmessage attempts to not just encrypt the content but also the metadata. It's message broadcasting system makes it exceedingly difficult for an attacker to know which computer a message is destined for. The only way you know whether a message has been sent to you is whether you are able to decrypt it from the passing stream of messages.
Although similar to Bitcoin in some regards, such as "/proof of work/", Bitmessage has no block chain and messages are only buffered for approximately three days after which they are deleted from any given node.
Installing Bitmessage as a daemon will increase the size of the network, and therefore the level of security for all users.
Add a user which will be specifically for Bitmessage. Since bitmessage is still a relatively young and experimental project, this adds further compartmentalisation such that if there are any bugs within PyBitmessage then an attacker can't neccessarily gain control of root or any other user account. Here we create a user called /bitmsg/ and give it a long random password.
#+BEGIN_SRC: bash
adduser bitmsg
#+END_SRC
Create a /keys.dat/ file which is used to configure Bitmessage.
Although in principle it would be possible to send Bitmessages directly from the BBB, in practice the /proof of work/ requirement would mean that it would take an infeasibly long time to send messages, and the computational workload would likely greatly impair the performance of other services also running on the system. So to send and receive Bitmessages it's better to just install the client on a laptop or desktop machine.
The easiest way to install the client is either to download it from [[https://bitmessage.org][bitmessage.org]] or to get the latest build from Github as follows:
It may be convenient to have any Bitmessages addressed to you which arrive at the BBB to be transfered to your email, so that you can check for messages on mobile devices or on computers where installing a Bitmessage client isn't an available option. This transference will take place on the BBB itself, so will not involve transmitting any plaintext over the local network or internet. To do this first you'll need to set up a receiving Bitmessage address by editing:
#+BEGIN_SRC: bash
/home/bitmsg/.config/PyBitmessage/keys.dat
#+END_SRC
and adding the details for your address, which could be coppied from another machine (such as a laptop running a Bitmessage client).
Note that it's particularly important that /label/ be set to your email address. This is how the system will know that when a bitmessage arrives which account to transfer it to.
You should also make sure that /apipassword/ is set to some long random string.
Save and close /keys.dat/, then restart the Bitmessage daemon.
#+BEGIN_SRC: bash
service pybitmessage restart
#+END_SRC
The restart will take 30 seconds or so. Next install the Bitmessage to email gateway.
In some environments, such as behind corporate firewalls or under regimes hostile towards the idea of open access to knowledge and information you may find that you're not able to use tools such as /ssh/ to get access to the BBB. In the worst case all ports other than 80 and 443 may be blocked.
In that scenario you can use a tool called [[http://code.google.com/p/shellinabox/][shellinabox]] to log into your BBB via your web site rather than via a terminal. This means that you can administrate your system from any device which has a web browser and keyboard.
Within the section which begins with *<VirtualHost *:443>* add the following, replacing /mydomainname.com/ with your domain name and /myusername/ with your username.
Save and exit, then create a login password. It's recommended that the password be a long random string and that you then access it using a password manager such as KeepassX.
Now with a web browser navigate to https://mydomainname.com/shell and log in.
If you're in a very locked down environment where access to web sites is severely restricted then as a last resort you may be able to use a command line browser, such as [[https://en.wikipedia.org/wiki/Lynx_%28web_browser%29][lynx]] from within /shellinabox/.
/All over the world there are many people who are united in creating software, content, and culture that is freely available for others to share, enjoy and enrich their lives. Together we believe that freedom is good. We believe it helps people do good things, make better choices, and lead safer and more secure lives. Together we are a community united by this belief./
Email mailing lists are old skool but still remain as a common and easy way of communicating on the internet. If you're running a public organisation such as an open source project or community group then you may want to set one up.
In addition to conventional public email lists it's also possible to set up a private mailing list which is only readable by members. A private email list uses [[https://en.wikipedia.org/wiki/GNU_Privacy_Guard][GPG]] and a public/private key pair for the server which can then be used to send emails to the list in an encrypted form. The email addresses and public GPG keys of members may be added to the list so that any new messages can be distributed to them in a secure manner.
Private mailing lists are likely to be able to keep the contents of the discussion out of the clutches of warrantless mass surveillance but, as with all conventional email, it won't prevent such systems from generating social graphs of who is communicating with the list since the /from/ and /to/ attributes are always transmitted in the clear.
Then to create a mailing list, replacing /mydomainname.com/ with your domain name, /myusername/ with your username and /mailinglistname/ with the name of the mailing list. /mailinglistname/ should be all one word, with no spaces.
A disadvantage with encrypted mailing lists which use the conventional email system is that there is a single server on which the list resides, and this creates a single point of failure and a bandwidth bottleneck for more heavily subscribed lists. If the mailing list server goes down for whatever reason then that may cause a lot of disruption to its users.
An alternative is to use a decentralised mailing list, implemented using Bitmessage. On your local machine (not the BBB) you can make a private mailing list which is difficult to censor and where there is no single point of failure. This type of mailing list is known as a "/chan/".
With Bitmessage if any one computer goes offline then the conversation can still keep going since there is no central mailing list server. Bitmessages are also encrypted with public/private key pairs and the manner in which the system operates makes it very difficult for the surveillance apparatus to exfiltrate the social graph of list users.
You can hand out the random string used to generate the mailing list and its corresponding BM address to fellow members, either within a bitmessage or on paper or via [[https://en.wikipedia.org/wiki/Sneakernet][sneakernet]] or in a GPG/PGP encrypted email or via an XMPP+OTR or Friendica private message. Once others have those two pieces of data then they will be able to join.
To make the list easier to identify, rather than just appearing as a random string, then under the *Your Identities* tab right click on it and select *Set Avatar* and assign a suitable icon.
The disadvantage of this type of mailing list is that it's not possible for any one participant to act as a list moderator, or in other words each participant must do their own moderation. That's ok if the size of the group is small, but if it's larger then anyone spamming or trolling the list can make things miserable for the others.
/If you want to have more control over how you interact on the web, and regain your freedom, privacy and autonomy from outside interference, you need to start moving towards using programs like GNU Social/
-- Jason Self
#+END_VERSE
For a microblog you will need a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your microblog. If you're using freedns then you will need to create a new subdomain.
DB Password; your gnu social admin password goes here
Administrator nickname: myusername
Administrator password: mylongrandompassword
Subscribe to announcements: ticked
Site profile: Community
Press the *Submit* button. It may take a few minutes, so don't be concerned that it has crashed. When the process completes you will see a lot of "Strict standards" warnings which you can ignore.
Navigate to http://$HOSTNAME/gnusocial and you can then complete the configuration via the *Admin* section on the header bar. Some recommended admin settings are:
Under the *Site* settings:
Text limit: 140
Dupe Limit: 60000
Under the *User* settings:
Bio limit: 1000
Under the *Access* settings:
/Invite only/ ticked
Under the License section select a license if you wish. Details for Creative Commons licenses [[https://creativecommons.org/licenses/][can be found here]]. If you only intend to do private microblogging then just leave these settings as they are.
If you want to invite more users then click on the big button *Invite more colleagues*, then enter their email addresses and hit the *send* button. The invite only configuration which you've just installed is useful because it prevents spammers, or other [[https://en.wikipedia.org/wiki/Joint_Threat_Research_Intelligence_Group]["bad actors"]], from clogging your system with nonsense.
So, you're now microblogging on the open web, with no companies in the middle. Congratulations! To find some other people to connect to you can try searching other nodes listed at http://gnu.io/try/
/The silos that are the main current points of media sharing are not only vulnerable to attacks on free speech, but also hamper important grassroots economic activity by privileging the interests of a tiny minority over those of most of the world./
#+END_VERSE
Mediagoblin allows you to have a YouTube/Soundcloud/Flickr/Picasa type of site to share your pictures, videos or audio files. An advantage of not having any company in the middle is that you can't be arbitrarily censored without any explanation, as seems to frequently occur on YouTube. It is recommended that you use media formats which are not encumbered by patents, such as /ogg/ or /ogv/.
For a mediagoblin site it is recommended to use a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your microblog. If you're using freedns then you will need to create a new subdomain.
Change *email_sender_address* to your email address and set *email_debug_mode* to false. Also append the following to the bottom of the file, under the *plugins* section.
Delete the existing configuration (in Emacs it's CTRL-x h then CTRL-w) and paste the following, replacing /mymediagoblindomain/ with your mediagoblin domain name and /myusername@mydomainname.com/ with your email address.
Now in a browser visit http://mymediagoblindomain and create a user. If you wish this to be a single user installation to prevent a lot of spammers signing up.
If you need to be able to share short text files or other kinds of files on a temporary basis (doing technical support or reporting a bug, for example) then it's useful to have a pastebin system running on your server.
For this you will need to set up a new subdomain and create a new Apache configuration. For details on how to do that see [[Getting onto the web]] and [[Setting up a web site]].
For the /chown/ command you may need to change the directory name within /dist-packages/, depending upon the version number of [[https://github.com/sametmax/0bin][0bin]].
Now edit the Apache configuration, delete anything which already exists and add the following, changing /mypastedomainname.com/ to your pastebin subdomain and /username@mydomainname.com/ to your email address:
#+BEGIN_SRC: bash
<VirtualHost *:80>
ServerAdmin username@mydomainname.com
ServerName mypastedomainname.com
<Location />
ProxyPass http://localhost:8000/
Order allow,deny
Allow from all
LimitRequestBody 256000
</Location>
ErrorLog ${APACHE_LOG_DIR}/paste_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel error
CustomLog ${APACHE_LOG_DIR}/paste.log combined
</VirtualHost>
#+END_SRC
Save and exit.
The encryption used here is really just intended to provide you with plausible deniability for content which other users may post to your server. Pastes aren't really intended to be totally private, so if your intention is to send private messages then Bitmessage, an XMPP chat session with OTR or a GPG encrypted email is a far better solution.
You can now visit your new site and paste things for others to see, and vice versa. Uploads are limited to 256K in size to prevent your storage space from being used up. You can further limit the maximum amount of storage space by doing the following:
/...by the time you get done with all of that, we have a freedom box/
-- Eben Moglen
#+END_VERSE
Tripwire will try to detect any intrusions into your system. It's a good idea to install it after you have installed all of the other programs which you intend to use.
If you get errors when running *apt-get update* then you may need to check your repositories list. Here are examples of repositories within */etc/apt/sources.list*
*** Beaglebone Black
#+BEGIN_SRC: bash
deb http://ftp.us.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy main contrib non-free
deb http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ wheezy-updates main contrib non-free
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
deb http://ftp.us.debian.org/debian wheezy-backports main contrib non-free
If you're connected to other friends via Friendica then the preferred way to send private messages is via Friendica's built-in messaging system. This is a lot more convenient than using GPG with ordinary email and yet still provides a similar level of protection from unwarranted interception.
** Moving Domains
If you're moving servers and using a different domain name or path then you can search and replace URLs within files in the following way:
#+BEGIN_SRC: bash
find /var/www/mynewdomain/htdocs -type f -exec sed -i 's@myolddomain@mynewdomain@g' {} \;
Then visit your blog and reinstall it. Your existing content will be unaffected but you will need to delete the welcome post which gets added and also re-select your chosen theme.
If you need to import blog posts from another blog then copy the *fp-content/content* directory from the old blog to the new blog, then within the admin panel select *maintain* and *rebuild index*.
If a security vulnerability arrises which requires you to regenerate your SSL certificates, such as [[http://filippo.io/Heartbleed]["heartbleed"]], then this can be done as follows:
This is an example of what your crontab file might look like, with the more frequently run tasks at the top. For the two most frequent tasks specific minutes within each hour are given and they're arranged to try to minimise the number of things running simultaneously.
#+BEGIN_SRC: bash
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead.
Remove any existing nameservers for your domain (or select "custom" nameservers), then add:
#+BEGIN_SRC: bash
NS1.AFRAID.ORG
NS2.AFRAID.ORG
NS3.AFRAID.ORG
NS4.AFRAID.ORG
#+END_SRC
It might take a few minutes for the above change to take effect. Within freedns click on "Domains" and add your domains (this might only be available to paid members). Make sure that they're marked as "private".
Select "Subdomains" from the menu on the left then select the MX entry for your domain and change the destination to *10:mydomainname* rather than *10:mail.mydomainname*.
You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]]. You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that. You should also have tested that you can send email to the domain and receive it on the BBB (via Mutt or any other email client).
When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the BBB /and remain there/. Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods. So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key.
You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box. A confirmation will be emailed back to you normally within a few hours.
Now visit your web site at https://mydomainname.com and you should notice that there is no certificate warning displayed. You will now be able to install systems which don't allow the use of self-signed certificates, such as [[https://redmatrix.me/&JS=1][Red Matrix]].