<p>Altmann.IT: Musings from the world of Privacy, InfoSec, Philosophy etc... (Mark Altmann, mark@altmann.it; feed built 2021-01-04)</p>
<p><strong>Simple VPN with Wireguard</strong> (2020-05-09), <a href="https://mark.altmann.it/Simple-VPN-with-Wireguard">https://mark.altmann.it/Simple-VPN-with-Wireguard</a></p>
<h2 id="securely-connect-to-your-home">Securely connect to your home</h2>
<p>Nowadays we all have many connected devices at home for a plethora of reasons: SmartHome, AdBlocker, DNS, Storage. Furthermore, we may want to connect to our home environment while on the road, to use our home backup or geo-blocked services.<br />
And maybe we also have systems somewhere else that we want to connect to securely. Like the cloud…</p>
<h3 id="what-is-a-virtual-private-networkvpn">What is a virtual private network(VPN)</h3>
<p>A virtual private network lets you access remote resources as if you were connected to the same network. Hence the name <strong>virtual</strong> private network (VPN).</p>
<p>There are many protocols and providers out there. Some of the more noteworthy:</p>
<ul>
<li><a href="https://www.cisco.com/c/de_de/products/security/anyconnect-secure-mobility-client/index.html">Cisco AnyConnect</a></li>
<li><a href="https://en.wikipedia.org/wiki/IPsec">IPSec</a></li>
<li><a href="https://openvpn.net/">OpenVPN</a></li>
<li><a href="https://www.torproject.org/">The Onion Router (TOR)</a></li>
</ul>
<p>Connecting to a VPN is mainly used to reach private networks of your own, so you don’t have to expose the services directly to the internet.<br />
Another main use case is to reach the internet in a privacy-minded fashion: if you connect to a VPN and then open a website, the website only sees the IP of the VPN provider, and your ISP only sees the connection to the VPN provider.</p>
<h3 id="why-wireguard">Why Wireguard</h3>
<p>I won’t cover here in detail the concepts and inner workings of wireguard. The author himself explains it on his own homepage really well: <a href="https://www.wireguard.com/#conceptual-overview">https://www.wireguard.com/#conceptual-overview</a></p>
<p>Some of the noteworthy advantages:</p>
<ul>
<li>Direct kernel integration (from 5.6 onward)</li>
<li>Modern cryptography</li>
<li>Easy to use</li>
<li>Available for Windows, macOS, BSD, iOS and Android</li>
</ul>
<p>It’s important to note that Wireguard is mainly a <strong>VPN protocol</strong>, not a full-blown VPN service, just as OpenVPN is a protocol and the OpenVPN Access Server is a service. The base functionality of Wireguard is nevertheless quite easy to use. That bare-bones nature only applies to the server side; for the clients there are already nice apps for all platforms. You’ll see that in the configuration section later.</p>
<p>However, enterprise integrations do not exist yet. For instance, you can’t properly manage users, network access control, public keys etc. for a Wireguard server instance. Those will probably come pretty soon. It would be nice to see Wireguard integrated into Windows as well…</p>
<h3 id="is-wireguard-secure">Is Wireguard secure</h3>
<p>Wireguard is now considered pretty secure, although it just recently reached version 1.0 and completed an independent penetration test: <a href="https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel/">https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel/</a></p>
<p>However, if you use Wireguard as a service from a provider, keep in mind that your IP inside the VPN is tied to your public key, and that the public IP you last connected from is stored as well.</p>
<p>These aspects are not very relevant in your own small private environment, but they would matter greatly when you use Wireguard as an interface to a VPN service provider.</p>
<h2 id="wireguard-installation">Wireguard Installation</h2>
<p>Installation is pretty straightforward. If you already run kernel 5.6 or newer, you basically don’t need to do anything.<br />
On a more or less modern distribution it may well be that wireguard is available from the backports section (as with Debian, and thus Raspbian).<br />
There is a nice installation guide for Debian/Raspbian:</p>
<ul>
<li><a href="https://engineerworkshop.com/2020/02/20/how-to-set-up-wireguard-on-a-raspberry-pi/">https://engineerworkshop.com/2020/02/20/how-to-set-up-wireguard-on-a-raspberry-pi/</a></li>
<li><a href="https://engineerworkshop.com/2020/04/22/how-to-set-up-a-wireguard-vpn-server-on-ubuntu-linux/">https://engineerworkshop.com/2020/04/22/how-to-set-up-a-wireguard-vpn-server-on-ubuntu-linux/</a></li>
</ul>
<ol>
<li>The current Debian Buster 10 does not have the wireguard packages yet, but the package is already included in the backports repository:</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"deb http://deb.debian.org/debian buster-backports main"</span> | <span class="nb">sudo tee</span> <span class="nt">--append</span> /etc/apt/sources.list
</code></pre></div></div>
<ol start="2">
<li>Next, install the Debian distro keys:</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-key adv <span class="nt">--keyserver</span> keyserver.ubuntu.com <span class="nt">--recv-keys</span> 04EE7237B7D453EC
<span class="nb">sudo </span>apt-key adv <span class="nt">--keyserver</span> keyserver.ubuntu.com <span class="nt">--recv-keys</span> 648ACFD622F3D138
</code></pre></div></div>
<ol start="3">
<li>Update your package list:</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt update
</code></pre></div></div>
<ol start="4">
<li>Install WireGuard:</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt <span class="nt">-t</span> buster-backports <span class="nb">install </span>wireguard
</code></pre></div></div>
<h2 id="configuration-client">Configuration Client</h2>
<p>In our example we install the mobile app. Just go to the app store of your choice and install it. The direct links are also on the wireguard homepage: <a href="https://www.wireguard.com/install/">https://www.wireguard.com/install/</a></p>
<p>When you start the app, just create a new manual config:</p>
<ul>
<li>Name -> Your Client Name</li>
<li>Private Key -> Press the reload button on the right</li>
<li>Public Key -> copy the public key, after you have created the private one</li>
<li>Address -> Choose an address in the same block as your server. In our example: 10.0.0.10/32</li>
<li>DNS -> Your DNS server in your local net, or a good one in the internet: 1.1.1.1 or 9.9.9.9</li>
<li>Press the save icon on the top right</li>
</ul>
<p>Now you can transfer the client’s public key to the server.</p>
<h2 id="configuration-server">Configuration Server</h2>
<p>First we need to create the public/private key pair for our server. The client key pair should be created on the client itself; most apps support that, and only the public key ever needs to be copied anywhere.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>su
<span class="nb">cd</span> /etc/wireguard
<span class="nb">umask </span>077
wg genkey | <span class="nb">tee </span>server_private_key | wg pubkey <span class="o">></span> server_public_key
</code></pre></div></div>
<p>You can see the generated keys with:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat </span>server_private_key
<span class="nb">cat </span>server_public_key
</code></pre></div></div>
<p>Next we create the WireGuard Server configuration with:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nano wg0.conf
</code></pre></div></div>
<p>And add the following:<br />
(change the server private and client public keys, and adapt the network and port if you want)</p>
<div class="language-config highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[<span class="n">Interface</span>]
<span class="n">Address</span> = <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">1</span>/<span class="m">24</span>
<span class="n">SaveConfig</span> = <span class="n">true</span>
<span class="n">PrivateKey</span> = <<span class="n">insert</span> <span class="n">server_private_key</span>>
<span class="n">ListenPort</span> = <span class="m">51900</span>
<span class="n">PostUp</span> = <span class="n">iptables</span> -<span class="n">A</span> <span class="n">FORWARD</span> -<span class="n">i</span> %<span class="n">i</span> -<span class="n">j</span> <span class="n">ACCEPT</span>; <span class="n">iptables</span> -<span class="n">A</span> <span class="n">FORWARD</span> -<span class="n">o</span> %<span class="n">i</span> -<span class="n">j</span> <span class="n">ACCEPT</span>; <span class="n">iptables</span> -<span class="n">t</span> <span class="n">nat</span> -<span class="n">A</span> <span class="n">POSTROUTING</span> -<span class="n">o</span> <span class="n">eth0</span> -<span class="n">j</span> <span class="n">MASQUERADE</span>
<span class="n">PostDown</span> = <span class="n">iptables</span> -<span class="n">D</span> <span class="n">FORWARD</span> -<span class="n">i</span> %<span class="n">i</span> -<span class="n">j</span> <span class="n">ACCEPT</span>; <span class="n">iptables</span> -<span class="n">D</span> <span class="n">FORWARD</span> -<span class="n">o</span> %<span class="n">i</span> -<span class="n">j</span> <span class="n">ACCEPT</span>; <span class="n">iptables</span> -<span class="n">t</span> <span class="n">nat</span> -<span class="n">D</span> <span class="n">POSTROUTING</span> -<span class="n">o</span> <span class="n">eth0</span> -<span class="n">j</span> <span class="n">MASQUERADE</span>
[<span class="n">Peer</span>]
<span class="n">PublicKey</span> = <<span class="n">insert</span> <span class="n">client_public_key</span>>
<span class="n">AllowedIPs</span> = <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">10</span>/<span class="m">32</span>
</code></pre></div></div>
<p>Edit sysctl.conf on the Raspberry Pi and uncomment the line with “net.ipv4.ip_forward=1” and save.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nano /etc/sysctl.conf
</code></pre></div></div>
<p>Reboot your RPi for all of your changes to take effect.</p>
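<p>Before bringing the tunnel up, the following added example (not code from the post or the WireGuard project) checks a wg0.conf shaped like the one above for the mistakes that silently break peers, and derives the client-side config the mobile app still needs: the server’s public key, an Endpoint, and the client’s own AllowedIPs. The keys and the endpoint hostname in it are constructed placeholders.</p>

```python
# Added example (not from the post or the WireGuard project): lint a wg-quick
# server config shaped like the wg0.conf above and derive the client-side
# config the mobile app needs. Keys and hostnames here are constructed dummies:
# 32 arbitrary bytes in base64 have the shape of WireGuard keys, nothing more.
import base64
import ipaddress

DUMMY_SERVER_PRIV = base64.b64encode(bytes(range(32))).decode()
DUMMY_CLIENT_PUB = base64.b64encode(bytes(range(32, 64))).decode()

SAMPLE_WG0 = f"""
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PrivateKey = {DUMMY_SERVER_PRIV}
ListenPort = 51900
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = {DUMMY_CLIENT_PUB}
AllowedIPs = 10.0.0.10/32
"""

def parse_wg_conf(text):
    """Split wg-quick INI text into (interface, [peer, ...]) dicts keyed by
    lower-cased option names. configparser is not used because [Peer] repeats."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers

def is_wg_key(value):
    """A WireGuard key is 32 bytes in base64: 44 characters ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint_server_conf(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    iface, peers = parse_wg_conf(text)
    findings = []
    if not is_wg_key(iface.get("privatekey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte key (placeholder still in place?)")
    if not 1 <= int(iface.get("listenport", "0")) <= 65535:
        findings.append("Interface: ListenPort missing or out of range")
    tunnel = ipaddress.ip_interface(iface["address"]).network
    claimed = []  # (peer number, network) pairs already routed to a peer
    for n, peer in enumerate(peers, 1):
        if not is_wg_key(peer.get("publickey", "")):
            findings.append(f"Peer {n}: PublicKey is not a valid key")
        for cidr in filter(None, (c.strip() for c in peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != tunnel.version or not net.subnet_of(tunnel):
                findings.append(f"Peer {n}: AllowedIPs {cidr} is outside the tunnel subnet {tunnel}; intended only if you really route that network to this peer")
            for m, other in claimed:  # wg assigns an address to one peer only
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"Peer {n}: AllowedIPs {cidr} overlaps peer {m}; only one of them will receive that traffic")
            claimed.append((n, net))
    return findings

def client_conf(server_text, server_public_key, endpoint_host, client_private_key,
                peer_index=0, dns="9.9.9.9"):
    """Client-side config for one [Peer] of the server config: the client's Address is
    its AllowedIPs entry on the server; AllowedIPs 0.0.0.0/0 sends all traffic through the tunnel."""
    iface, peers = parse_wg_conf(server_text)
    address = peers[peer_index]["allowedips"].split(",")[0].strip()
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_private_key}",
        f"Address = {address}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {endpoint_host}:{iface['listenport']}",
        "AllowedIPs = 0.0.0.0/0",
        "PersistentKeepalive = 25",  # keeps the NAT mapping of a mobile client alive
    ])
```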
<h3 id="operations">Operations</h3>
<p>Set up WireGuard to start automatically on reboot:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">systemctl enable wg-quick@wg0
chown -R root:root /etc/wireguard/
chmod -R og-rwx /etc/wireguard/*
</span></code></pre></div></div>
<p>You can check the status via:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">sudo wg show
</span></code></pre></div></div>
<p><img src="/assets/images/wireguard.png" alt="wg show output" class="img-responsive" /></p>
<hr />
<p>Thanks for reading and feedback is welcome!</p>
<p><em>Summary: connect to your home from anywhere, simple and easy.</em></p>
<p><strong>Modern Adblocking via DNS</strong> (2020-04-19), <a href="https://mark.altmann.it/Modern-Adblocking-via-DNS">https://mark.altmann.it/Modern-Adblocking-via-DNS</a></p>
<h2 id="advertisements-and-tracking-are-a-problem">Advertisements and Tracking are a Problem</h2>
<p>Almost all mobile devices, and especially smart devices, nowadays track you in order to use that data in sophisticated schemes. Whereas in browsers you can at least choose the browser and plugins that safeguard you, with IoT devices you are out of luck.</p>
<p>Additionally, all that tracking and advertising uses quite some bandwidth in everyday surfing. So blocking this traffic not only makes surfing more agreeable, it’s also faster, while you are preserving your privacy! So I guess it’s worth a try ;)</p>
<p>Below we will look at a core technology in the internet: <strong>D</strong>omain <strong>N</strong>ame <strong>S</strong>ystem (DNS). And how we can use it to help us.</p>
<h2 id="how-does-dns-work">How does DNS work</h2>
<p>Instead of explaining DNS myself, have a look at this simple scrollable explanation: <a href="https://www.verisign.com/en_US/website-presence/online/how-dns-works/index.xhtml">https://www.verisign.com/en_US/website-presence/online/how-dns-works/index.xhtml</a></p>
<p>Or in one simple image:</p>
<p><img src="https://i.pinimg.com/originals/16/cb/d7/16cbd7c29d95c03777950cac0c21b101.gif" alt="DNS - HowStuffWorks" class="img-responsive" /></p>
<h2 id="pihole">PiHole</h2>
<p>Now, as you can imagine, we can use DNS to build lists of targets: we simply don’t resolve the malicious domain, and that’s it ;) Unfortunately your home router is not equipped to help us here.</p>
<p>That’s why we take a quick look at PiHole and a small device called a Raspberry Pi. Essentially a Raspberry Pi is a very small, very power-efficient computer, which will run our ad-blocking machine.</p>
<h3 id="raspberry-pi">Raspberry Pi</h3>
<p>Learn more about a raspberry pi: <a href="https://www.raspberrypi.org/">https://www.raspberrypi.org/</a></p>
<p>It’s really small and versatile:<br />
<img src="https://makezine.com/wp-content/uploads/2016/02/Raspberry-Pi-3-small.gif" alt="Raspberry Pi 3" class="img-responsive" /></p>
<h3 id="installation">Installation</h3>
<p>You just have to get one of those devices and install the PiHole software from <a href="https://pi-hole.net/">https://pi-hole.net/</a> on it. The last thing you should do after the installation is to switch your DNS from your provider’s server to the PiHole device.</p>
<h3 id="configuration">Configuration</h3>
<p>After the installation you should configure your block lists. Here is my recommendation (to be set under: <a href="http://pi.hole/admin/settings.php?tab=blocklists">http://pi.hole/admin/settings.php?tab=blocklists</a>):</p>
<ul>
<li><a href="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts">https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts</a></li>
<li><a href="https://mirror1.malwaredomains.com/files/justdomains">https://mirror1.malwaredomains.com/files/justdomains</a></li>
<li><a href="http://sysctl.org/cameleon/hosts">http://sysctl.org/cameleon/hosts</a></li>
<li><a href="https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist">https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist</a></li>
<li><a href="https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt">https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt</a></li>
<li><a href="https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt">https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt</a></li>
<li><a href="https://hosts-file.net/ad_servers.txt">https://hosts-file.net/ad_servers.txt</a></li>
<li><a href="https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt">https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt</a></li>
<li><a href="https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts">https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts</a></li>
<li><a href="https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts">https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts</a></li>
<li><a href="https://v.firebog.net/hosts/static/w3kbl.txt">https://v.firebog.net/hosts/static/w3kbl.txt</a></li>
</ul>
<h3 id="operation">Operation</h3>
<p>Once it is live, it will work like this:<br />
<img src="https://piholenet.b-cdn.net/wp-content/uploads/2018/05/pihole-traditional-dns-1024x630.png" alt="Pi Hole working" class="img-responsive" /></p>
<p>You will mainly use this awesome dashboard where you can configure everything!
<img src="https://i0.wp.com/pi-hole.net/wp-content/uploads/2018/12/dashboard.png?zoom=2&w=3840&ssl=1" alt="PiHole Dashboard" class="img-responsive" /></p>
<h2 id="nextdns">NextDNS</h2>
<p>Using the PiHole is a very smooth and just working solution. You just have one challenge now:</p>
<p class="notice--warning">No safeguards when you are on the road!</p>
<p>That’s a real bummer, as you should use this technology also, when you are on the road. Running a PiHole locally seems messy and constantly connecting to a VPN also seems impractical.</p>
<p>That’s where NextDNS comes into play! It’s essentially PiHole-as-a-service and provides the very same service as your PiHole while you are on the road. For more information, you can also read this very good article: <a href="https://medium.com/@mlapida/replacing-pi-hole-with-nextdns-faed99277997">https://medium.com/@mlapida/replacing-pi-hole-with-nextdns-faed99277997</a></p>
<p>Setting that up is also quite easy:</p>
<ol>
<li>Register under <a href="https://my.nextdns.io">https://my.nextdns.io</a></li>
<li>Configure your log storage endpoint (select EU, if you live in EU and so on)
<img src="/assets/images/nextdns_logstorage.png" alt="NextDNS Storage Location" class="img-responsive" /></li>
<li>Configure your endpoints
<img src="/assets/images/nextdns_setup.png" alt="NextDNS Setup" class="img-responsive" /></li>
<li>Configure your security and privacy settings
The blocklists are already there to pick. No need to look for the urls.</li>
<li>Check the logs and analytics
<img src="/assets/images/nextdns_analysis.png" alt="NextDNS Analysis" class="img-responsive" /></li>
<li>Done!</li>
</ol>
<p>One of the prime motivations to use the service is its wide range of supported protocols and devices. It supports, for instance, Android’s private DNS mode natively and offers endpoints for DNS-over-TLS and DNS-over-HTTPS. Exactly what we need.</p>
<h2 id="using-both">Using both</h2>
<p>You can of course set the external DNS servers of NextDNS directly in your router and forget about it. But then you lose two features worth considering:</p>
<ol>
<li>No device difference in the logs. All is coming from your router</li>
<li>No encrypted DNS communication (through DoT, for example)</li>
</ol>
<p>In order to combine now the PiHole (or just an ordinary base RaspberryPi) with NextDNS, we can just install the nextdns CLI on the Raspberry Pi and route the upstream DNS requests there.</p>
<p>Just follow the instructions from here: <a href="https://github.com/nextdns/nextdns">https://github.com/nextdns/nextdns</a></p>
<p>Create a config file under “/etc/nextdns.conf”. The values below are for running behind the PiHole; if you let nextdns run on its own, you should enable caching and auto-activate instead:</p>
<div class="language-config highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">hardened</span>-<span class="n">privacy</span> <span class="n">false</span>
<span class="n">timeout</span> <span class="m">5</span><span class="n">s</span>
<span class="n">config</span> <span class="n">YOUR_NETWORK_ID</span>
<span class="n">log</span>-<span class="n">queries</span> <span class="n">false</span>
<span class="n">cache</span>-<span class="n">size</span> <span class="m">0</span>
<span class="n">cache</span>-<span class="n">max</span>-<span class="n">age</span> <span class="m">0</span><span class="n">s</span>
<span class="n">max</span>-<span class="n">ttl</span> <span class="m">0</span><span class="n">s</span>
<span class="n">report</span>-<span class="n">client</span>-<span class="n">info</span> <span class="n">true</span>
<span class="n">detect</span>-<span class="n">captive</span>-<span class="n">portals</span> <span class="n">false</span>
<span class="n">bogus</span>-<span class="n">priv</span> <span class="n">true</span>
<span class="n">listen</span> :<span class="m">5353</span>
<span class="n">use</span>-<span class="n">hosts</span> <span class="n">true</span>
<span class="n">setup</span>-<span class="n">router</span> <span class="n">false</span>
<span class="n">auto</span>-<span class="n">activate</span> <span class="n">false</span>
</code></pre></div></div>
<p>Now you only have to set the upstream DNS server in the PiHole to “127.0.0.1#5353” and deactivate the blocklist rules (NextDNS does that for you, and we cache locally…)</p>
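<p>To make the mechanics of this section concrete, the following added example (not Pi-hole’s or NextDNS’s own code) reads blocklists in the two formats the Configuration section links (hosts format and plain domain lists), makes the block-or-forward decision per query the way a sinkholing resolver does, and parses the “127.0.0.1#5353” upstream notation. All list lines and query names in it are constructed.</p>

```python
# Added example (not Pi-hole's or NextDNS's code): parse the two blocklist
# formats used above, decide block-vs-forward per query, and read Pi-hole's
# "host#port" upstream notation. All sample data below is constructed.
import ipaddress

SAMPLE_HOSTS_LIST = """\
# hosts-format list (StevenBlack style): <sinkhole ip> <domain> [<domain> ...]
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net   # trailing comment
0.0.0.0 tracker.example.org cdn-tracker.example.org
"""
SAMPLE_DOMAIN_LIST = """\
# plain-domain list ("justdomains" style): one name per line
malware.example.com
Tracker.Example.org.
"""

# Names hosts files carry for the machine itself; never block targets.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}

def parse_blocklist(text):
    """Return the set of blocked names from either list format: lower-cased,
    without trailing dots, with comments and the list's local names dropped."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # hosts format: first field is the sinkhole IP
            names = fields[1:]
        except ValueError:
            names = fields                   # plain-domain format
        for name in names:
            name = name.lower().rstrip(".")
            if name and name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked

def parse_upstream(spec):
    """Pi-hole writes upstreams as 'host#port'; a bare host means port 53."""
    host, _, port = spec.partition("#")
    return host.strip(), int(port) if port else 53

def decide(qname, blocked, upstream="127.0.0.1#5353"):
    """Exact-name match, as Pi-hole's gravity lists do (a subdomain needs its own
    entry or a regex). Blocked names get the 0.0.0.0 sinkhole; others are forwarded."""
    name = qname.lower().rstrip(".")
    if name in blocked:
        return ("BLOCKED", "0.0.0.0")
    host, port = parse_upstream(upstream)
    return ("FORWARDED", f"{host}:{port}")

def summarise(queries, blocked):
    """Dashboard-style totals for a list of queried names."""
    verdicts = [decide(q, blocked)[0] for q in queries]
    n_blocked = verdicts.count("BLOCKED")
    percent = round(100.0 * n_blocked / len(queries), 1) if queries else 0.0
    return {"total": len(queries), "blocked": n_blocked, "percent_blocked": percent}

if __name__ == "__main__":
    gravity = parse_blocklist(SAMPLE_HOSTS_LIST) | parse_blocklist(SAMPLE_DOMAIN_LIST)
    # Constructed query log of the kind the Pi-hole dashboard counts.
    log = ["ads.example.net", "www.example.com", "Tracker.Example.org.", "sub.ads.example.net"]
    for q in log:
        print(q, "->", decide(q, gravity))
    print(summarise(log, gravity))
```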
<hr />
<p>Thanks for reading and feedback is welcome!</p>
<p><em>Summary: advertisements and tracking blocked efficiently.</em></p>
<p><strong>Supporting the Tor network with a relay node</strong> (2020-04-14), <a href="https://mark.altmann.it/Tor-Relay-Node">https://mark.altmann.it/Tor-Relay-Node</a></p>
<h2 id="what-is-tor-and-a-relay-server">What is Tor and a Relay server?</h2>
<p><strong>Tor</strong> is short for <strong>T</strong>he <strong>O</strong>nion <strong>R</strong>outer: like the layers of an onion, it encrypts your data in multiple layers and sends it through a circuit of multiple nodes. Each node (or relay) only decrypts the outer layer to learn where to send the packet next. The last hop, the Exit Node, decrypts the last layer and sends your information to its destination address without revealing the IP address of the original sender (you). That way Tor can help you improve your anonymity while using the internet.</p>
<p>Now, the Tor network can only work if as many people as possible donate their bandwidth as Relay or Bridge servers. They are essentially providing the bandwidth the network needs to actually work. And that’s where you come in! You can run a Tor relay server yourself!</p>
<p>So let’s get started!</p>
<h3 id="preparation">Preparation</h3>
<p>As we talked before, you will need a <strong>Raspberry Pi</strong> or something comparable, installed with an operating system like <strong>Raspbian</strong>.</p>
<h3 id="config-file-creation">Config file creation</h3>
<p>The /etc/tor/torrc is THE base config file, where you configure everything concerning tor.
You can either just go to the provided standard file itself and make your changes, or use this website to generate the config file through the following service: <strong><a href="https://tor-relay.co/">https://tor-relay.co/</a></strong></p>
<p>Even better, the website provides a simple script which performs all the steps to get tor running after you have filled out the web form. More on that under Installation.</p>
<p>In case you are interested, these are the important fields we need:</p>
<div class="language-config highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">SocksPort</span> <span class="m">9050</span>
<span class="n">RunAsDaemon</span> <span class="m">1</span>
<span class="n">ORPort</span> <span class="m">9001</span>
<span class="n">Nickname</span> <span class="n">YOURNICKNAME</span>
<span class="n">ContactInfo</span> *<span class="n">mail</span> <span class="n">address</span> <span class="n">or</span> <span class="n">even</span> <span class="n">empty</span>*
<span class="n">DirPort</span> <span class="m">9030</span>
<span class="n">ExitPolicy</span> <span class="n">reject</span> *:*
<span class="n">DisableDebuggerAttachment</span> <span class="m">0</span>
<span class="n">ControlPort</span> <span class="m">9051</span>
<span class="n">CookieAuthentication</span> <span class="m">1</span>
</code></pre></div></div>
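<p>As an added example (not code from the post or the Tor project), the following script checks a torrc like the one above for the properties that matter for a non-exit relay: an ORPort, a catch-all reject policy, a valid nickname, contact info, an authenticated control port and distinct ports. The ContactInfo value in it is a constructed placeholder.</p>

```python
# Added example (not the post's or Tor's own code): parse a torrc like the one
# above and check that it describes a non-exit relay with an authenticated
# control port. The ContactInfo value below is a constructed placeholder.
import re

SAMPLE_TORRC = """\
SocksPort 9050
RunAsDaemon 1
ORPort 9001
Nickname YOURNICKNAME
ContactInfo relay-admin@example.org   # constructed placeholder
DirPort 9030
ExitPolicy reject *:*
DisableDebuggerAttachment 0
ControlPort 9051
CookieAuthentication 1
"""

def parse_torrc(text):
    """Map each option (lower-cased) to the list of its values; options such
    as ExitPolicy may legitimately appear more than once."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        options.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return options

def is_non_exit(policies):
    """Non-exit means the policy rejects everything and never accepts a
    destination before that (tor evaluates ExitPolicy lines in order)."""
    normalised = [p.replace(" ", "").lower() for p in policies]
    return "reject*:*" in normalised and not any(p.startswith("accept") for p in normalised)

def lint_torrc(text):
    """Return findings for the relay settings the post cares about."""
    opts = parse_torrc(text)
    findings = []
    if "orport" not in opts:
        findings.append("ORPort missing: without it tor runs as a client, not a relay")
    if not is_non_exit(opts.get("exitpolicy", [])):
        findings.append("ExitPolicy does not reject *:* : this would be an exit relay, not the relay set up here")
    nick = opts.get("nickname", [""])[0]
    if not re.fullmatch(r"[A-Za-z0-9]{1,19}", nick):
        findings.append(f"Nickname {nick!r} must be 1-19 alphanumeric characters")
    if not opts.get("contactinfo", [""])[0]:
        findings.append("ContactInfo is empty: nobody can reach you about problems with the relay")
    if "controlport" in opts:
        cookie = opts.get("cookieauthentication", ["0"])[0] == "1"
        if not cookie and "hashedcontrolpassword" not in opts:
            findings.append("ControlPort is open without CookieAuthentication or HashedControlPassword: any local process could control tor")
    if opts.get("disabledebuggerattachment", ["1"])[0] == "0":
        findings.append("DisableDebuggerAttachment 0 switches off tor's ptrace protection; keep it only while a local monitor such as arm/nyx needs it")
    ports = [int(opts[k][0]) for k in ("socksport", "orport", "dirport", "controlport") if k in opts]
    if len(ports) != len(set(ports)):
        findings.append("Two options share the same port number")
    return findings

if __name__ == "__main__":
    for finding in lint_torrc(SAMPLE_TORRC):
        print("-", finding)
```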
<h3 id="installation">Installation</h3>
<p>Installation is pretty simple if you follow the guide from the tor relay website, you will have a script, that does all the configuration for you. See the guide from the creator himself:<br />
<a href="https://flxn.de/posts/tor-relay-tutorial/">https://flxn.de/posts/tor-relay-tutorial/</a></p>
<p>Apart from that guide, you can also easily install Tor manually.<br />
As we have a Raspberry Pi, which is based on Debian, we just follow the official guide: <a href="https://www.torproject.org/docs/debian.html.en">https://www.torproject.org/docs/debian.html.en</a></p>
<p>Add the following entries to /etc/apt/sources.list or a new file in /etc/apt/sources.list.d/:</p>
<div class="language-config highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">deb</span> <span class="n">https</span>://<span class="n">deb</span>.<span class="n">torproject</span>.<span class="n">org</span>/<span class="n">torproject</span>.<span class="n">org</span> <span class="n">stretch</span> <span class="n">main</span>
<span class="n">deb</span>-<span class="n">src</span> <span class="n">https</span>://<span class="n">deb</span>.<span class="n">torproject</span>.<span class="n">org</span>/<span class="n">torproject</span>.<span class="n">org</span> <span class="n">stretch</span> <span class="n">main</span>
</code></pre></div></div>
<p>Then add the gpg key used to sign the packages by running the following commands at your command prompt:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
</span></code></pre></div></div>
<p>The Tor project provides a Debian package to help you keep our signing key current. It is recommended you use it. Additionally, we are installing arm/nyx, which is a monitoring tool for tor.
Install it with the following commands:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">apt update
</span><span class="gp">#</span><span class="w"> </span>Debian 9 <span class="o">(</span>stretch<span class="o">)</span>
<span class="go">apt install tor arm deb.torproject.org-keyring
</span><span class="gp">#</span><span class="w"> </span>Debian 10 <span class="o">(</span>buster<span class="o">)</span>
<span class="go">apt install tor nyx deb.torproject.org-keyring
</span></code></pre></div></div>
<p>After that make sure that you have the proper settings in the torrc file, and you are good to go.</p>
<h3 id="checking-the-installation">Checking the Installation</h3>
<p>After you have installed Tor and configured your torrc file, you can check on the status of your tor service and restart.</p>
<p>It should come up normally:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">sudo service tor status
</span></code></pre></div></div>
<p><img src="/assets/images/tor-service-status.png" alt="tor service status" class="img-responsive" /></p>
<p>If you are not sure whether the service already uses your latest config file, you can simply restart the service:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">sudo service tor restart
</span></code></pre></div></div>
<h3 id="automatically-upading-everything">Automatically updating everything</h3>
<p>Perfect! You now have everything set up and it should work like a charm. However, updates to the operating system or to tor itself come out regularly, hence you should update regularly.<br />
The easiest approach is a cronjob. Here’s how you do it:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">sudo crontab -e
</span></code></pre></div></div>
<p>That opens the crontab in an editor. We update the system’s packages, which include the tor package, every day at midnight, and once a month we restart the tor service so that it actually runs the updated packages.<br />
Add the following lines to the crontab to achieve that:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go"># root's own crontab (sudo crontab -e) has no user column, unlike /etc/crontab
# every day at 00:00: refresh the package lists and install the upgrades
# (apt upgrade -d would only download them without installing anything)
0 0 * * * (apt update && apt upgrade -y) > /dev/null
# on the 1st of every month at 03:00: restart tor so it runs the updated package
0 3 1 * * (service tor restart) > /dev/null
</span></code></pre></div></div>
<h2 id="checking-your-tor-service">Checking your Tor service</h2>
<p>With the very nice tool ARM, you can now connect to your local Tor Server and see some statistics:</p>
<div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>Debian 9 <span class="o">(</span>Stretch<span class="o">)</span>
<span class="go">sudo -u debian-tor arm
</span><span class="gp">#</span><span class="w"> </span>Debian 10 <span class="o">(</span>Buster<span class="o">)</span>
<span class="go">sudo -u debian-tor nyx
</span></code></pre></div></div>
<p><img src="/assets/images/tor_relay.png" alt="tor relay statistics in arm/nyx" class="img-responsive" /></p>
<hr />
<p>Thanks for reading and feedback is welcome!</p>
<p><em>Summary: Setup of a Tor relay server.</em></p>
<p><strong>Portfolio Rebalancing</strong> (2020-04-13), <a href="https://mark.altmann.it/Portfolio-Rebalancing">https://mark.altmann.it/Portfolio-Rebalancing</a></p>
<h2 id="portfolio-rebalancing">Portfolio Rebalancing</h2>
<p>When you have your asset portfolio in your brokerage depot, you will probably want to rebalance it once in a while. The motivation is to uphold the risk distribution of your portfolio and to follow anti-cyclical investment decisions.<br />
The rationale is that growth evens out over the long term.</p>
<p>There is a good general overview of Portfolio Rebalancing on <a href="https://www.justetf.com/de-en/academy/what-is-portfolio-rebalancing.html">justetf.com</a>.</p>
<p>Many brokers do offer portfolio rebalancing, however that usually comes at a price. Couldn’t be so hard, I thought to myself, and created a Google Spreadsheet…</p>
<h3 id="rebalancing-approaches">Rebalancing Approaches</h3>
<p>There are 2 well known approaches to portfolio rebalancing:</p>
<ol>
<li>Classic Rebalancing</li>
<li>Cash Flow Rebalancing</li>
</ol>
<p>The main difference is that in the cash flow approach you only buy and never sell assets, whereas classic rebalancing sells and buys at the same time to reach the target distribution. Check out the following picture for an explanation:</p>
<p><img src="/assets/images/cash-flow-rebalancing-en.jpg" alt="Portfolio Rebalancing" class="img-responsive" /></p>
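<p>The two approaches in code, as an added example that is not the spreadsheet’s own formulas, on a constructed three-asset portfolio. For cash flow rebalancing it assumes the buy-only rule that lifts the most under-weight assets first until every asset bought sits at the same value-to-target ratio; classic rebalancing simply computes the buy or sell amount per asset.</p>

```python
# Added example (not the spreadsheet's own formulas): the two rebalancing
# approaches described above on a constructed three-asset portfolio.
# Cash-flow rebalancing here uses the buy-only "water-filling" rule, an
# assumption about the method: new money lifts the most under-weight assets
# first until all assets bought sit at the same value / target-weight ratio.

def classic_rebalance(values, targets, contribution=0.0):
    """Buy (positive) or sell (negative) per asset to hit the target weights exactly."""
    total = sum(values.values()) + contribution
    return {name: round(targets[name] * total - values[name], 2) for name in values}

def cash_flow_rebalance(values, targets, contribution):
    """Spend the contribution without selling: find the level L such that buying
    max(0, w_i * L - v_i) for every asset i adds up to exactly the contribution."""
    if contribution <= 0:
        return {name: 0.0 for name in values}
    # Most under-weight first: lowest current value relative to target weight.
    order = sorted(values, key=lambda n: values[n] / targets[n])
    bought_value = bought_weight = 0.0
    level = None
    for k, name in enumerate(order):
        bought_value += values[name]
        bought_weight += targets[name]
        level = (contribution + bought_value) / bought_weight
        # Stop once the next asset already sits at or above this level.
        if k + 1 == len(order) or level <= values[order[k + 1]] / targets[order[k + 1]] + 1e-9:
            break
    return {name: round(max(0.0, targets[name] * level - values[name]), 2) for name in values}

def weights(values):
    """Current distribution of a portfolio, rounded to four places."""
    total = sum(values.values())
    return {name: round(v / total, 4) for name, v in values.items()}

# Constructed portfolio: values in EUR, target split 50/30/20, 200 EUR savings rate.
PORTFOLIO = {"World ETF": 600.0, "EM ETF": 300.0, "Bond ETF": 100.0}
TARGETS = {"World ETF": 0.5, "EM ETF": 0.3, "Bond ETF": 0.2}

if __name__ == "__main__":
    buys = cash_flow_rebalance(PORTFOLIO, TARGETS, 200.0)
    after = {n: PORTFOLIO[n] + buys[n] for n in PORTFOLIO}
    print("cash-flow buys:", buys)            # Bond 140, EM 60, World 0
    print("weights after:", weights(after))   # back at 50/30/20
    print("classic (buy/sell):", classic_rebalance(PORTFOLIO, TARGETS))
```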
<h3 id="preparation">Preparation</h3>
<p>The first thing we need is a kind of export of your portfolio with all the necessary data to make the calculation. We need the assets, current price, amount, savings rate, item distribution etc…</p>
<p><img src="/assets/images/portfolio_import.png" alt="Portfolio Import" class="img-responsive" /></p>
<p>Use the following spreadsheet as a template: <a href="https://docs.google.com/spreadsheets/d/1Lc1U3VXlsYPMxnCoAKxJSRJ92Z6olWBUA3U1ve67kxA/edit?usp=sharing">https://docs.google.com/spreadsheets/d/1Lc1U3VXlsYPMxnCoAKxJSRJ92Z6olWBUA3U1ve67kxA/edit?usp=sharing</a></p>
<p>The usage is pretty simple:</p>
<ol>
<li>Export your portfolio balance as a CSV and import it into the “import” sheet:
<ul>
<li><img src="/assets/images/portfolio_import_finalize.png" alt="Portfolio Import Finalize" class="img-responsive" /></li>
</ul>
</li>
<li>Set the savings rate in the first sheet</li>
<li>Distribute savings rate among the assets you want</li>
<li>Finished!</li>
</ol>
<h3 id="calculation">Calculation</h3>
<p>Now that we have imported the portfolio and pre-configured our desired distribution, we can go to the rebalancing sheet.<br />
There you will then see, in a cash flow rebalancing, how much from what asset you would need to buy in order to achieve your target distribution:</p>
<p><img src="/assets/images/portfolio_rebalancing.png" alt="Portfolio Rebalancing" class="img-responsive" /></p>
<p>The sheet can also easily be adapted to calculate the classic rebalancing, which includes also selling assets.</p>
<hr />
<p>Hope that was helpful. Feedback welcome.</p>
<p><em>Summary: Cash Flow Rebalancing of your Portfolio with Google Spreadsheets.</em></p>
<p><strong>Facebook and WhatsApp: Take back control of your digital life and stay safe</strong> (2017-03-06), <a href="https://mark.altmann.it/Why-I-Quit-Facebook">https://mark.altmann.it/Why-I-Quit-Facebook</a></p>
<h2 id="digital-life">Digital Life</h2>
<figure style="width: 60%" class="align-left">
<img src="https://mark.altmann.it/assets/images/digital_life.jpg" alt="" />
<figcaption>Paul Reynolds, CC-BY-SA-2.0, <a href="https://www.flickr.com/photos/sirexkat/1686705977">https://www.flickr.com/photos/sirexkat/1686705977</a></figcaption>
</figure>
<p>In 2014, the average value of a Google account was <strong>$223</strong> and that of a Facebook account <strong>$20.75</strong>. You are a prime commodity in the “data is the new oil” age. Be prepared that whatever you share can and will be used by corporations for their benefit and advancement.</p>
<p>For me, it dawned a while ago that this might not be something I want. It all started a while back with that uneasy, ungrounded feeling that internet services are trying to control and take over more and more of our lives. Facebook has the <strong>“wall”</strong> where they stipulate what we see. Or Google has its Search Rank or optimized inbox.</p>
<p>Don’t get me wrong, I was a first adopter of Facebook, and the idea and practice of connecting you to your friends, family and close ones, no matter where they are, is very powerful and enticing.</p>
<p>But Facebook got more complicated, started this whole app ecosystem, payment possibilities, games, groups and many more things. To what purpose? —</p>
<p>— To entice you to spend as much time on Facebook as possible! To transform, filter and reduce the breadth and depth of the internet to the Facebook Wall. To control what you are seeing.<br />
In the same direction went this whole facebook.com mail plague… Pushing you to the point where you will use the Facebook ecosystem even for mails. Striving to become the middle-man in all private conversations.</p>
<p>All of the above is already scary, but after reading the really well explained blog article from Salim Virani, that was my tipping point: <a href="http://www.salimvirani.com/facebook/">http://www.salimvirani.com/facebook/</a></p>
<p>Facebook even started to do deep learning on facial recognition inside each uploaded Facebook photo (article by Alex Yumashev). That means Facebook is learning what you look like in photos and knows where you are in photos, even if you have never been tagged in those photos.<br />
To make it even worse, the U.S. can require your social media account passwords to “check” you before entering the country!</p>
<p>What an unreasonable violation of privacy! Through these repercussions, I finally understood fully that I can’t have “privacy” on social media platforms like Facebook in any way.</p>
<p>So my initial approach was to handle Facebook like a website. Everything I post there is public. And for private conversations/file exchange/sensitive data, I will have to use tools that are sufficiently secure to provide me the privacy I require.</p>
<p>Even if you don’t have a mail handle or the cell number, solutions like <a href="https://keybase.io">https://keybase.io</a> can provide secure communications and file exchange without knowing anything more than an avatar name or handle. Quite powerful, I guess.</p>
<p>In the end, I have decided, too, to delete my Facebook account. However, everybody has to decide for themselves. If you want to keep your account, that’s also OK. Just be aware of the implications and make an informed decision.</p>
<p>In the end, you want to be back in charge of your own conversations and thoughts, without the fear that they are being steered or controlled. And I believe this is in your interest as well. Privacy is peace of mind…</p>
<p>Sources:</p>
<ul>
<li><a href="http://adage.com/article/digital/worth-facebook-google/293042/">http://adage.com/article/digital/worth-facebook-google/293042/</a></li>
</ul>
<p>Addendum (April 2nd, 2017)</p>
<ul>
<li><a href="https://www.theguardian.com/technology/2017/mar/14/deleted-social-media-apps-facebook-instagram-emotions-likes">https://www.theguardian.com/technology/2017/mar/14/deleted-social-media-apps-facebook-instagram-emotions-likes</a></li>
<li><a href="https://thebolditalic.com/facebook-goes-full-black-mirror-how-facebook-is-making-membership-a-prerequisite-to-everyday-e88fb03b0eb9">https://thebolditalic.com/facebook-goes-full-black-mirror-how-facebook-is-making-membership-a-prerequisite-to-everyday-e88fb03b0eb9</a></li>
<li><a href="https://www.nytimes.com/2016/11/20/jobs/quit-social-media-your-career-may-depend-on-it.html">https://www.nytimes.com/2016/11/20/jobs/quit-social-media-your-career-may-depend-on-it.html</a></li>
</ul>
<p>Addendum (May 2nd, 2017)</p>
<ul>
<li><a href="https://www.theguardian.com/technology/2017/may/01/facebook-advertising-data-insecure-teens">https://www.theguardian.com/technology/2017/may/01/facebook-advertising-data-insecure-teens</a></li>
</ul>
<p>Addendum (September 23rd, 2017)</p>
<ul>
<li><a href="https://www.theguardian.com/technology/2017/sep/19/facebooks-war-on-free-will">https://www.theguardian.com/technology/2017/sep/19/facebooks-war-on-free-will</a></li>
</ul>
<h2 id="delete-facebook">Delete Facebook</h2>
<figure style="width: 60%" class="align-left">
<img src="https://mark.altmann.it/assets/images/delete_facebook.jpg" alt="" />
<figcaption>Stephen Edgar, CC-BY-SA-2.0, <a href="https://www.flickr.com/photos/netweb/4656088682">https://www.flickr.com/photos/netweb/4656088682</a></figcaption>
</figure>
<p>I am a strong believer that the decisions you make as a consumer are shaping the services and companies you consume from. If you do not consent to the actions of such a company: Don’t buy/consume from them. Put a bit extremely, by consuming you are yourself supporting the policies of those companies.</p>
<p>Before deleting, I wanted to explain on Facebook why I am leaving. Surely, it will be gone when the account is deleted, but the people that matter will notice.</p>
<p>I am retaining some social network connections on Twitter, which is more like a blog and is public anyway. I have no private conversations on Twitter; it’s intended to be public. For writing and publishing articles I can recommend Medium or your own blog.</p>
<p>When you are ready, download a backup, detach your apps and so on. If you like, you can use a guide from the internet, for example: <strong><a href="https://deletefacebook.com/">https://deletefacebook.com/</a></strong></p>
<blockquote>
<p>And remember, where you have a concentration of power in a few hands, all too frequently men with the mentality of gangsters get control. History has proven that. All power corrupts; absolute power corrupts absolutely.<br />
<cite>Sir John Dalberg-Acton</cite></p>
</blockquote>
<p>Well done!</p>
<h2 id="delete-whatsapp">Delete WhatsApp</h2>
<figure style="width: 60%" class="align-left">
<img src="https://mark.altmann.it/assets/images/delete_whatsapp.jpg" alt="" />
<figcaption>CC-BY-SA-2.0</figcaption>
</figure>
<p>One surprising outcome of deleting Facebook for me was that there is no real need for an alternative. In my experience, you have more personal visits and phone calls, and most real conversations do not happen on Facebook these days. Instead we mostly use messengers.</p>
<p>That’s the main reason Facebook bought WhatsApp, even though they have Facebook Messenger: They want to stay the prime method of contact for all conversations.</p>
<p>The good news is that there are many good alternatives to WhatsApp. The only question for most users is:</p>
<blockquote>
<p>Who is using these alternatives?</p>
</blockquote>
<p>Hence it’s important to get as many peers as possible onto those alternative networks. If you want to choose one and only one, then I recommend Signal.</p>
<p>Recommendations:</p>
<ul>
<li><strong><a href="https://whispersystems.org">Signal</a></strong>: Open Source, Free, Security Audited, Android, iOS, Chrome App, Chat, Video, Decent Crypto</li>
<li><strong><a href="https://wire.com">Wire Messenger</a></strong>: Closed Source, Free, Security Audited, Android, iOS, Chat, Video, Good Crypto</li>
<li><strong><a href="https://www.telegram.org">Telegram</a></strong>: Closed Source MTProto Protocol, Security Audited, Android, iOS, Windows Phone, native Desktop Apps, optional end-to-end encryption, Good Crypto</li>
<li><strong><a href="https://threema.ch">Threema</a></strong>: Closed Source, Costs 2,99 €, Android, iOS, Windows Phone</li>
<li><strong><a href="https://wickr.com">Wickr</a></strong>: Photo, Video, Voice Messages, Share Files, Decent Crypto</li>
</ul>
<p>Sources:</p>
<ul>
<li><a href="http://www.theverge.com/2017/1/12/14244634/signal-app-secure-messaging-trump-surveillance-encryption">http://www.theverge.com/2017/1/12/14244634/signal-app-secure-messaging-trump-surveillance-encryption</a></li>
<li><a href="https://vowe.net/archives/016174.html">https://vowe.net/archives/016174.html</a></li>
</ul>
<h2 id="browse-privacyaware">Browse privacy aware</h2>
<p>Even when you have deleted your Facebook account and you browse the web, you should take care about what footprints you leave behind. Google, Facebook, Amazon and so on are trying to track you, even if you have no account.</p>
<p>The Electronic Frontier Foundation is a good place to start:</p>
<ul>
<li><a href="https://www.eff.org/HTTPS-everywhere/">HTTPS Everywhere</a></li>
<li><a href="https://www.eff.org/de/node/73969/">Privacy Badger</a></li>
<li><a href="https://github.com/gorhill/uBlock/">uBlock Origin</a></li>
</ul>
<p>Otherwise, the Firefox mobile browser is quite decent, fast and works basically like any browser on your device. On Android, you can literally install all of the plugins you already use on Desktop.<br />
Mobile browsers on iOS are basically bound to Safari, whatever app you use, due to restrictions from Apple. But ad blocking has gotten a lot better these days.</p>
<h2 id="privacy-respecting-mailprovider">Privacy respecting mail provider</h2>
<p>If you want to go the extra mile (as I did), you can change your mail provider to a privacy aware one. There are really decent providers out there that can rival Gmail’s UI or Google Docs-like apps.</p>
<p>Recommendations:</p>
<ul>
<li><a href="https://mailbox.org">https://mailbox.org</a></li>
<li><a href="https://posteo.de">https://posteo.de</a></li>
<li><a href="https://hushmail.com">https://hushmail.com</a></li>
<li><a href="https://lavabit.com">https://lavabit.com</a></li>
<li><a href="https://protonmail.ch">https://protonmail.ch</a></li>
</ul>
<p>Generally, the most important point is that your privacy should be in the core DNA of the company. That they host the data in a “safe” country with good privacy laws. And lastly, that they do a very good job at encryption, meaning PGP is more or less built in. The term coined by the community is: <em>Zero Knowledge</em> (only your machine has your decrypted data).</p>
<h2 id="encrypt-your-personalfiles">Encrypt your personal files</h2>
<p>Feeling uneasy about who could access your files, such as pictures of your children, important tax documents or a health diagnosis?<br />
Microsoft(<strong>OneDrive</strong>), Google(<strong>GDrive</strong>) and Apple(<strong>iCloud</strong>) are U.S. companies and are not really encrypting your data end-to-end. Meaning they could, if need be, decrypt the data and hand it out to authorities or use it for their own purposes.</p>
<p>In the current situation a subpoena is enough to access your data, without your consent or approval. Even the latest Privacy Shield (US-EU data exchange) regulation does not protect you properly. Hence you can do these three things (they are not mutually exclusive):</p>
<ol>
<li><em>Leave everything as it is</em>, and accept the risk that 3rd parties could access your files.
<ul>
<li>I do that with my standard photos. I use the backup function of Prime Photos. But I could just as well use my NAS.</li>
</ul>
</li>
<li><em>Move all your personal files to a private storage</em>, like a QNAP/Synology at a safe location.
<ul>
<li>I have that as well, for the big data chunks, local backup of data and photos, etc.</li>
</ul>
</li>
<li>Use your Cloud Storage (OneDrive, Google Drive etc.), <em><strong>but</strong> do encrypt your files</em> with a tool like <a href="https://cryptomator.org"><strong>Cryptomator</strong></a>
<ul>
<li>That’s what I personally did, and I can really recommend it to most people.</li>
<li>I use it for confidential data, like contracts, doctor stuff and personal memories.</li>
</ul>
</li>
</ol>
<hr />
<p>Feedback is highly welcome!</p>
<p>Mark Altmann, mark@altmann.it</p>
<p>Data is the new oil. Opinions can be swayed massively. What can you do?</p>