Raspberry Pi as Budget BitTorrent Server

The Raspberry Pi is a surprisingly powerful and cost-efficient computing device. Yesterday I put together this simple setup script to turn your new Raspberry Pi into a mean green downloading machine. The only requirements are an existing internet router and a working Raspberry Pi with an SD card.

Update July 2013: Here is another image for headless installations, only 220 MB big.

The people behind the official Raspberry Pi site offer some nice images for download, but since we won't be using the graphical UI, we can use the slim image put together by darkbasic on his site linuxsystems.it. Just follow his instructions to download, extract and install the image to a compatible SD card. A list of tested and compatible SD cards is available from the official site.

While installing, make sure to enable SSH access by renaming boot-enable-ssh.rc to boot.rc.

Once your Raspberry Pi has booted, find its IP address in the router's DHCP table; look for a device named raspberry-pi.

Next, create a new text file by typing vi setup.sh in your terminal window while logged into the Raspberry Pi. Copy the script provided with this blog post to your clipboard, press "i" to enter insert mode and paste the script with Ctrl/Cmd+v. Save it with ESC, then :x. Execute the script with sh setup.sh. Unlike the default Debian image, the darkbasic image gives you root access by default; when using another image, execute the script with sudo sh setup.sh.

Continue reading

UPC Vienna Wifi-Passwords easily broken with GPUs

With a majority of households using wireless access points (APs) for internet access, secure Wi-Fi has become a key consideration in people's digital lives. The outdated encryption standard WEP, which is rarely used any more, can be broken in less than 10 minutes. For the newer WPA no direct attack exists so far; the only way in is to try a large number of passwords.

Recent advances in parallel computing and graphics cards (GPUs) have drastically shifted the odds in favour of potential attackers. With an ordinary CPU, as found in most desktop computers and laptops, about 500 Pairwise Master Keys (PMKs) can be evaluated each second. Modern GPUs can calculate up to 80 000 PMKs per second.

Such an increase in speed doesn't mean that each and every wireless network is at risk; it only shifts the vulnerable key length further up. Consider this: at 500 PMKs per second it would take approximately 3 years to break a 6-character password that uses upper- and lowercase letters as well as digits. With a high-end GPU, 3 years become 5.5 days.

Since the number of possible passwords grows exponentially with length, slightly longer passwords offer radically better protection. An 8-character password from the same character set would take 50 years to crack, even on a high-end GPU.

As we can see, faster cracking techniques only affect the required password length at the margin, if passwords are chosen well. At UPC Vienna, in Austria, this principle is not as well understood. The routers bundled with their broadband connection use an 8-letter password that only seems to consist of capital letters. (I only have access to a limited sample at this time.)

Doing the same calculation as before, such a password takes about 7 years to crack on a standard CPU. That would be a huge effort just to steal your neighbor's internet. If we throw in GPUs, the story changes: 7 years become about 16 days on a single workstation, a quite feasible timespan. When performing the calculations in Amazon's EC2 cloud, each UPC password can be cracked in 3-4 hours at a cost of about 180 EUR. This number is expected to come down in the following months, due to increased interest in the topic.
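The estimates above follow from one calculation: the size of the character set raised to the password length, divided by the PMK rate. As an added example that is not part of the original post, the following POSIX shell script carries that calculation through for the three cases discussed (62-character set at 6 and 8 characters, capitals only at 8 characters) at the two rates quoted above. The function names are this example's own, and the 500 and 80 000 PMK/s figures are taken from the post, not measured here. It prints the worst case (whole key space searched) and notes that on average the key is found after half of it, which is the figure a defender should plan with.

```shell
#!/bin/sh
# Added example (not part of the original post): estimate how long an
# exhaustive WPA passphrase search takes for a given character-set size,
# password length and PMK rate. Arithmetic is done in awk because POSIX
# sh only has integer math; awk's ^ operator is exponentiation.

# keyspace ALPHABET_SIZE LENGTH -> number of candidate passwords
keyspace() {
    awk -v a="$1" -v l="$2" 'BEGIN { printf "%.0f\n", a ^ l }'
}

# crack_seconds ALPHABET_SIZE LENGTH PMK_PER_SECOND -> worst-case seconds
# (every candidate tried); the average case is half of this
crack_seconds() {
    awk -v a="$1" -v l="$2" -v r="$3" 'BEGIN { printf "%.0f\n", a ^ l / r }'
}

# human SECONDS -> readable days / years (31557600 s = one 365.25-day year)
human() {
    awk -v s="$1" 'BEGIN {
        printf "%.1f days / %.2f years worst case (average: half of that)\n",
               s / 86400, s / 31557600
    }'
}

# report SET_NAME ALPHABET_SIZE LENGTH -> one line per rate quoted in the post
report() {
    set_name=$1; alpha=$2; len=$3
    for rate in 500 80000; do
        secs=$(crack_seconds "$alpha" "$len" "$rate")
        printf '%-20s %d chars @ %6d PMK/s: %s\n' \
            "$set_name" "$len" "$rate" "$(human "$secs")"
    done
}

# Character sets from the post: upper + lower + digits (62), capitals only (26)
report "mixed case+digits" 62 6
report "mixed case+digits" 62 8
report "capitals only" 26 8
```

For the capitals-only case the script gives about 13 years worst case on a CPU and about 30 days on a GPU, so the post's 7 years and 16 days correspond to the average case; the 62-character figures come out in the same order of magnitude as the post's. The exponential growth is what matters: adding two characters to the 62-character set multiplies the work by 3844.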

Since it's not feasible for UPC to change hundreds of thousands of passwords in Vienna (and maybe the whole of Austria), consumers need to act for themselves and pick a more secure key for their AP.


Data Retention Coming to Austria

On Sunday all connection data for telephone and internet connections will be saved for 6 months. This might sound harmless and people will say that they don't mind, because they have "nothing to hide". No matter what, once this infrastructure is in place, it can be used for all kinds of things and should therefore be opposed from the start. Consider this: before contacting someone, you need to think about whether you want this person to be associated with you or not (because this information will be saved). If your friend is a drug dealer or pimp (and you don't know about it), you might be surveilled as well.

For doctors and lawyers this new measure brings another problem. They can't guarantee the confidentiality of their client correspondence any more and will have to resort to sending letters again. A detailed explanation can be found here.

If you worry about government surveillance or want to protect sensitive data, contact us for consulting and secure offshore hosting services.

Easily Resize PDF on Mac OSX and Linux

On many occasions you might want to resize a PDF to send it by email or put it on the web. There are many useless shareware and bloatware tools (like Adobe Acrobat) that might or might not help you with that.

If you happen to work on a Linux, BSD or Mac OSX machine, you can simply use Ghostscript for the task. It's much faster and produces smaller files than the Optimize function of Adobe Acrobat.
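As an added example that is not part of the original post, here is a small POSIX shell wrapper around Ghostscript's pdfwrite device. The -dPDFSETTINGS presets (/screen, /ebook, /printer, /prepress) and the other flags are Ghostscript's own; the function names, the preset check and the "-small.pdf" output naming are this example's assumptions. The preset is validated before gs runs, so a typo fails loudly instead of silently producing a file no smaller than the input.

```shell
#!/bin/sh
# Added example (not part of the original post): shrink a PDF with
# Ghostscript. Requires the gs binary on PATH.

# valid_preset NAME -> succeeds only for Ghostscript's four pdfwrite presets
# (screen = lowest quality/smallest, prepress = highest quality/largest)
valid_preset() {
    case $1 in
        screen|ebook|printer|prepress) return 0 ;;
        *) return 1 ;;
    esac
}

# output_name IN [OUT] -> OUT if given, else IN with a -small suffix
output_name() {
    printf '%s\n' "${2:-${1%.pdf}-small.pdf}"
}

# shrink_pdf PRESET IN [OUT] -> writes a re-compressed copy and reports sizes
shrink_pdf() {
    preset=$1; in=$2
    out=$(output_name "$in" "$3")
    valid_preset "$preset" || { echo "unknown preset: $preset" >&2; return 1; }
    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }
    # pdfwrite re-encodes images and fonts according to the preset;
    # -dNOPAUSE -dBATCH keep gs non-interactive, -dQUIET drops the banner
    gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS="/$preset" \
       -dNOPAUSE -dBATCH -dQUIET -sOutputFile="$out" "$in" || return 1
    printf '%s: %s -> %s bytes (%s)\n' \
        "$in" "$(wc -c < "$in")" "$(wc -c < "$out")" "$out"
}

# Usage: shrink_pdf ebook scan.pdf          -> scan-small.pdf
#        shrink_pdf screen scan.pdf web.pdf -> web.pdf
```

/ebook (150 dpi images) is the usual choice for email attachments; /screen (72 dpi) is smaller still but makes scanned text hard to read.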

Continue reading

Secure backups in an untrusted cloud with duplicity

These days it's quite easy to get incredible deals on shared hosting space. Mostly with dodgy providers in the US or former cyberlockers (like filesonic). They don't give you SSH access, but only FTP. Rsync doesn't work with FTP, but duplicity does. While not as robust and fast as rsync, it's built to work with any service that can store files. Examples include any FTP-server, Amazon S3 and SFTP.

Many tutorials suggest using a GnuPG key for asymmetric encryption, but if you only want to protect your content from the hosting provider, a simple symmetric passphrase works just as well and makes things easier. So a simple working example would be:

[cc lang="bash" width="100%" noborder="1" theme="dawn"]

# passphrase used to encrypt the backup volumes symmetrically
export PASSPHRASE=xxx
# password for the FTP account named in TARGET
export FTP_PASSWORD=xxx
export TARGET=ftp://foo@bar.com/backups/machine

# back up the home directory; -v8 prints every file as it is processed
# (the ~$ pattern is matched against the full path, so it must not be
# anchored with ^; it catches Office lock files in any directory)
duplicity -v8 \
--exclude "$HOME/Library/Logs" \
--exclude-regexp '\.DS_Store' \
--exclude-regexp '/~\$[^/]*$' \
"$HOME" "$TARGET"
[/cc]

This works well on both Linux and Mac OSX machines. Extended options can be found in the duplicity man page.

Recent Updates

Webmail was updated to version 0.7 with a new skin. I also removed the last bits of MySQL dependence from the email system, with the benefit that everything is simpler to administer and more stable.

Apple iOS 5

Apple's latest operating system for mobile devices has been out for a few weeks now. The upgrade was mostly an evolutionary one and didn't add too many new features. One thing Apple has done, though, was to tighten its grip on devices after they have been sold, by integrating them more tightly into its iCloud service. If customers wish, they can now upload their pictures, calendar, address book, bookmarks, notes, documents or location to Apple's servers. Since the firm's own data center in North Carolina isn't finished yet, extra capacity was rented from Microsoft and Amazon. This is problematic, because now we don't even know which company is handling our data.

This is one reason why I want to remind people that almost all of iCloud's functionality can be realized by using a simple Unix-server as well. This includes email and notes by simply using IMAP. Contacts, calendars and reminders are based on CalDAV and CardDAV. For bookmarks, documents and photos one could use WebDAV.

When using the open version of iCloud, you not only keep your data under your own control, but can also access it from non-Apple Android, Windows and Linux systems.

New nameservers

About a year ago EditDNS was bought by Dyn Inc. They have in fact ruined the old site and tried to lure as many customers as possible to their own site. They didn't honor lifetime memberships at EditDNS and even charged money for migration. Their prices are absolutely unrealistic as well: hosting your DNS with them costs more than hosting a whole server. Fortunately there are some alternatives left.

Currently the site's nameservers are mirrored in four locations, which should provide plenty of redundancy.

Additionally, the most popular nameservers run by ISPs are monitored hourly to detect any anomalies.

Contacts and Calendar

A hosted calendar and contacts service is now available for all email users. It's based on CardDAV/CalDAV and should work out of the box with all newer Apple devices, as well as most open source clients. For Android there are apps available.

Leaving Lighty for Apache

In the early days of my server career, I had to use lighttpd for RAM reasons. Over time the limitations of lighttpd mounted: no .htaccess files, no certificate-based authentication, bad DAViCal integration, inconsistent LDAP filters. Moreover, after some time lighttpd uses up more and more memory.

So for now I'm just running both of them to compare performance and overall ease of use.

Email Arrival Times

I was interested in the arrival times of emails this morning. They should reflect the world's work and communication patterns. The sample size is around 80,000. Here are the results: most messages arrive in the late morning and from Mon to Thu. Sat is rather quiet. Times are normalized to UTC+1.

Email-Privacy and the Law

After having sent and received as many as 13,196 emails in 2010, I started thinking about how well this kind of communication is actually protected. The problem has a technical and a legal perspective. I've long focused on the technical side: SSL, good passwords and some hard drive encryption should offer reasonable protection. The legal perspective is also not too bad, at least in Austria.

Unlike in Germany, Austrian law gives emails protection similar to that of letters, as long as they are in transit and haven't been downloaded to a user's personal computer (i.e. the letter is still sealed).

In conclusion it can therefore be said that password-protected e-mails in Austria fall under the protection of § 118 StGB (secrecy of correspondence). In Germany, applying the secrecy of correspondence (§ 202 dStGB) to e-mails fails on the requirement of physical form. Under § 202a dStGB only e-mails that are password-protected or encrypted in transit are protected.
by Prof. Dr. Thomas Hoeren, Briefgeheimnis im Strafrecht

This general protection has been substantially weakened by a variety of "anti-terror laws" imposed in the US and Europe. In fact, most big providers who want to display advertising already weaken your privacy in their terms of service. Moreover, once they surpass a certain number of users, they are usually obliged to install a backdoor for government bodies.

For that reason, I strongly encourage everyone to run a private email server. If you share it with your friends, the costs won't be more than a few EUR per year and it's a good learning opportunity. Moreover, if your admin lives in Austria you can hold him accountable, as if he were opening your love letters.

If you can somehow emphasize the educational point of view, Amazon might even give you a free server for some time.