Links from 2017-05-25

The remarkable Neal Stephenson interview | Damien Walter

Neal Stephenson – legendary author of speculative fiction – on Elon Musk and geek culture, the NSA revelations of Edward Snowden, how negative cultural narratives are killing big science – and the upbringing that made him the writer he is.

Friday, 20170526, 04:00 | permanent link | 0 comment(s)


The Future of Work

Finland has been testing a basic income for 4 months: there is already one unexpected effect

Although the Finnish pilot project started only a short time ago, one important effect is already visible: many participants are significantly less stressed than during the time in which they were receiving unemployment benefits.

Elon Musk: Automation Will Force Governments to Introduce Universal Basic Income

Elon Musk believes artificial intelligence that is much smarter than the smartest human on Earth could result in dangerous situations. Musk argues that the government must introduce a universal basic income program in order to compensate for automation

The meaning of life in a world without work

As technology renders jobs obsolete, what will keep us busy? Sapiens author Yuval Noah Harari examines ‘the useless class’ and a new quest for purpose

Oxford study: in 25 years, 47 percent of jobs will have disappeared, and yours is not safe either

A study by the renowned University of Oxford now also makes the claim: in the next 25 years, 47 percent of jobs will disappear, at least in the highly developed countries of the world.

Thursday, 20170525, 17:42 | permanent link | 0 comment(s)


Happy Towel Day

Wikipedia has the following to say about Towel Day:

Towel Day is celebrated every May 25 as a tribute by fans of the late author Douglas Adams. The commemoration was first held in 2001, two weeks after his death on May 11, and since then has been extended to an annual event. On this day, fans carry a towel with them throughout the day. The towel is a reference to Adams’s popular science fiction comedy series The Hitchhiker’s Guide to the Galaxy.

For this year, I found Douglas Adams reading from The Hitchhiker’s Guide to the Galaxy:

Thursday, 20170525, 11:29 | permanent link | 0 comment(s)


Radicale Calendar Server with Debian 8 (Jessie) and IMAP/SHADOW Authentication via Apache httpd

As I plan to move from a proprietary calendaring solution to a more "resource-aware" open source one, I decided to give Radicale a try. It is open source, appears to be rather pragmatic in its approach to "standards" and has a small footprint in regards to system requirements.

Since I run Debian 8 on my server, I decided to stick with the available package and not install "from source". So a quick "apt-get install radicale" took care of installing the necessary software (do not forget to enable the Radicale daemon in /etc/default/radicale).

The configuration of Radicale is rather straightforward and simple. In regards to transport security, you can reuse an existing TLS certificate (or get a new one from Let's Encrypt). For authentication, you can choose between several options. As I don't have an LDAP server (yet) and I didn't want to create a .htpasswd entry for each user, I chose "IMAP". So Radicale will validate all credentials against the local IMAP server (Dovecot in my case).

The relevant bits and pieces of my /etc/radicale/config file look like this:

[server]
# Bind to all legacy (IPv4) addresses
hosts = 0.0.0.0:5232

# SSL flag, enable HTTPS protocol
ssl = True

# SSL certificate path
certificate = /etc/ssl/certs/kalender.fullchain.cer
# SSL private key
key = /etc/ssl/private/kalender.key

# SSL protocol used. See Python's ssl module for available values.
# TLS 1.0 or higher, as I still have to support older Android clients.
# Note: ssl.PROTOCOL_TLSv1_2 accepts TLS 1.2 only; a server that should also
# negotiate TLS 1.0/1.1 would need a negotiating value such as ssl.PROTOCOL_SSLv23
# (check that SSLv2/SSLv3 stay disabled).
protocol = ssl.PROTOCOL_TLSv1_2

# Ciphers available. See Python's ssl module for available ciphers.
# OWASP Cipher String 'B' (Broad compatibility)
# Again, more than strictly recommended in 2017 due to older Android devices
ciphers = DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA

# Message displayed in the client when a password is needed
realm = "Kalenderserver - Password Required"

[auth]
# Authentication method
# Value: None | htpasswd | IMAP | LDAP | PAM | courier | http | remote_user | custom
type = IMAP

# IMAP configuration
imap_hostname = localhost
imap_port = 143
imap_ssl = true

[rights]
# Rights backend
# Value: None | authenticated | owner_only | owner_write | from_file | custom
type = owner_only

[storage]
# Storage backend
# Value: filesystem | multifilesystem | database | custom
type = filesystem

# Folder for storing local collections, created if not present
filesystem_folder = /var/lib/radicale/collections

If you want/need to share your calendar with other users, play around with the [rights] section. For my setup, this was fine.

This setup should also give you an adequate TLS configuration. There is of course room for improvement if you know that all your clients support TLS 1.2 and modern ciphers. See the OWASP TLS Cipher String Cheat Sheet and bettercrypto.org for details.
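To make the "room for improvement" concrete, here is an added example (not code from the post or from Radicale) that takes the ciphers value from the [server] section above apart by suite class, so the four AEAD suites, the four CBC/SHA-2 suites and the four CBC/SHA-1 legacy suites kept for older Android clients are visible, and derives the tightened ECDHE + AES-GCM string you would use once all clients speak TLS 1.2. The tier names and the modern_only() selection are my own; classification is by OpenSSL suite name, and enabled_locally() only reports what the OpenSSL build of the machine running the script accepts, which may differ from the author's Debian 8 system.

```python
"""Classify the OpenSSL cipher string used in the Radicale config (added example)."""
import ssl
from typing import Dict, List

# The value from the post's [server] section, split across lines for readability
CIPHERS = (
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
)


def classify(suite: str) -> Dict[str, object]:
    """Describe one OpenSSL cipher suite name by its components."""
    parts = suite.split("-")
    kx = parts[0]            # ECDHE or DHE: both give forward secrecy
    mac = parts[-1]          # SHA (= HMAC-SHA1), SHA256, SHA384
    aead = "GCM" in parts    # AES-GCM: authenticated encryption, no CBC padding
    return {
        "suite": suite,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "ecdhe": kx == "ECDHE",
        "aead": aead,
        "legacy_mac": (not aead) and mac == "SHA",  # CBC mode with HMAC-SHA1
    }


def report(cipher_string: str) -> Dict[str, List[str]]:
    """Group the suites of a cipher string into three tiers, in config order."""
    tiers: Dict[str, List[str]] = {"modern_aead": [], "cbc_sha2": [], "cbc_sha1": []}
    for suite in cipher_string.split(":"):
        info = classify(suite)
        if info["aead"]:
            tiers["modern_aead"].append(suite)
        elif info["legacy_mac"]:
            tiers["cbc_sha1"].append(suite)
        else:
            tiers["cbc_sha2"].append(suite)
    return tiers


def modern_only(cipher_string: str) -> str:
    """Tightened variant: keep only ECDHE key exchange with AES-GCM."""
    return ":".join(s for s in cipher_string.split(":")
                    if classify(s)["aead"] and classify(s)["ecdhe"])


def all_forward_secret(cipher_string: str) -> bool:
    """True if every suite uses an ephemeral (EC)DHE key exchange."""
    return all(classify(s)["forward_secrecy"] for s in cipher_string.split(":"))


def enabled_locally(cipher_string: str) -> List[str]:
    """Which of the configured suites the local OpenSSL build actually enables.
    TLS 1.3 suites are governed separately and are filtered out here."""
    configured = set(cipher_string.split(":"))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:        # none of the suites available at this security level
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["name"] in configured]


if __name__ == "__main__":
    for tier, suites in report(CIPHERS).items():
        print(f"{tier:12s} {len(suites)}: {', '.join(suites)}")
    print("all forward secret:", all_forward_secret(CIPHERS))
    print("modern-only string:", modern_only(CIPHERS))
    print("enabled by local OpenSSL:", enabled_locally(CIPHERS))
```

The three tiers map directly onto the comment in the config: the four GCM suites are what OWASP's stricter strings contain, the SHA-1 CBC suites are the compatibility additions, and enabled_locally() shows whether a newer OpenSSL security level has already dropped some of them behind your back.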

Once you restart the Radicale server via "sudo service radicale restart", you should get a "Radicale works!" message in the browser – provided you opened up port 5232 on the firewall.

If you also enabled any form of authentication, the browser or iCal/CalDAV client will prompt you with a "Basic Authentication" dialog for the credentials. If you, like in my case, configured IMAP, you will see a connection in your IMAP log verifying the credentials you entered.

This is nice, but I did not want to open another port on my firewall for this. So how could I proxy this through my existing Apache httpd? Unfortunately, this is only covered halfway in the documentation.

You do have to create a (new) virtual host (e.g. "calendar.example.com") and configure the Python WSGI module as well as authentication. To do so, we need a few modules installed and activated:

sudo apt-get install libapache2-mod-wsgi libapache2-mod-authnz-external pwauth
sudo a2enmod authnz_external
sudo a2enmod wsgi

The Apache httpd config for that virtual host, including the WSGI setup and authentication via mod_authnz_external and pwauth, might look like this:

<VirtualHost *:443>
    ServerName calendar.example.com
    # The TLS directives for this virtual host (SSLEngine on, certificate and key)
    # are not shown here; reuse the ones from your existing HTTPS setup.

    # WSGI (Web Server Gateway Interface) config for radicale
    # Group "adm" so radicale can write to its log file in /var/log/radicale
    WSGIDaemonProcess radicale user=radicale group=adm threads=1
    WSGIScriptAlias / /usr/share/radicale/radicale.wsgi

    # Add authentication via pwauth
    <IfModule mod_authnz_external.c>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>

    <Directory /usr/share/radicale>
        WSGIProcessGroup radicale
        WSGIApplicationGroup %{GLOBAL}
        # Pass the Authorization header on to radicale
        WSGIPassAuthorization On
        AllowOverride None

        AuthType Basic
        # This should be the same string as the radicale "realm" value
        AuthName "Kalenderserver - Password Required"
        AuthBasicProvider external
        AuthExternal pwauth
        # Any valid user will be allowed to authenticate.
        # You could restrict this further via authz_unixgroup
        Require valid-user
    </Directory>
</VirtualHost>

With that configuration, Apache will verify access against usernames & passwords in the passwd/shadow files (do NOT use mod_authnz_pam for that!) and will pass the authentication data on to radicale. If you add authz_unixgroup, you could further limit the number of users to the members of a specific group, …
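The credential path that this configuration and the IMAP auth setting earlier in the post create is: Apache checks the Basic credentials against passwd/shadow via pwauth, WSGIPassAuthorization On forwards the Authorization header to radicale.wsgi, and Radicale decodes it and, with type = IMAP, performs an IMAP LOGIN against Dovecot. The following is an added example, not Radicale's or the post's own code, that reproduces that second step in a form that runs offline: parse_basic_auth() handles the header as it arrives in the WSGI environ (including missing, non-Basic, badly encoded or colon-less values, all of which must be rejected rather than crash the application), and is_authenticated_imap() refuses empty credentials without contacting the server and otherwise attempts the IMAP login. FakeIMAP and the "alice" account are constructed stand-ins for imaplib.IMAP4_SSL and a real mailbox.

```python
"""Basic-auth decoding and IMAP credential check as a WSGI app sees it (added example)."""
import base64
import binascii
import imaplib
from typing import Callable, Optional, Tuple


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization header value,
    or None if the header is missing or malformed. Malformed input counts as
    "no credentials" so a garbage header can neither crash nor bypass the check."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id must not contain ':', so split on the first one only
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_authenticated_imap(user: str, password: str,
                          connect: Callable[[], "imaplib.IMAP4"]) -> bool:
    """What an IMAP auth backend does: refuse empty credentials without touching
    the server, otherwise attempt an IMAP LOGIN and fail closed on any error.
    `connect` builds the connection; in production that would be something like
    `lambda: imaplib.IMAP4_SSL("localhost", 993)` (assumed values)."""
    if not user or not password:
        return False
    try:
        server = connect()
    except OSError:
        return False            # IMAP server unreachable: deny, do not fall open
    try:
        server.login(user, password)
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        try:
            server.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4_SSL so the flow runs offline."""
    ACCOUNTS = {"alice": "correct horse"}   # constructed sample credential

    def login(self, user: str, password: str):
        if self.ACCOUNTS.get(user) != password:
            raise imaplib.IMAP4.error("[AUTHENTICATIONFAILED] Authentication failed.")
        return "OK", [b"Logged in"]

    def logout(self):
        return "BYE", [b"Logging out"]


def authorize_request(environ: dict,
                      connect: Callable[[], "imaplib.IMAP4"] = FakeIMAP) -> Optional[str]:
    """The WSGI view: HTTP_AUTHORIZATION is only present in the environ when
    Apache was configured with WSGIPassAuthorization On. Returns the
    authenticated user name, or None when the request must get a 401."""
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if creds is None:
        return None
    user, password = creds
    return user if is_authenticated_imap(user, password, connect) else None


def basic_header(user: str, password: str) -> str:
    """Build the header value a client sends (helper for the demo below)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    # Constructed WSGI environ fragments, as Apache would hand them to radicale.wsgi
    samples = [
        {"HTTP_AUTHORIZATION": basic_header("alice", "correct horse")},
        {"HTTP_AUTHORIZATION": basic_header("alice", "wrong")},
        {"HTTP_AUTHORIZATION": "Basic not-base64!"},
        {},   # what Radicale sees when WSGIPassAuthorization is left off
    ]
    for env in samples:
        print(repr(env.get("HTTP_AUTHORIZATION")), "->", authorize_request(env))
```

The empty environ in the last sample is the failure mode behind a missing WSGIPassAuthorization: Apache has already authenticated the user, but Radicale never sees the header and answers with its own 401, which the client shows as a second password prompt.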


As always, I stood on the shoulders of giants in my work on this. So further reading should be:

Do be aware that Radicale 2, which is currently at RC2, will bring changes (only support for htpasswd auth, …). As I am using Debian stable and do not see any immediate benefits in upgrading Radicale at the moment, I am rather happy with this setup.

Saturday, 20170520, 17:19 | permanent link | 0 comment(s)


Public Speaking 2017

Linuxwochen Wien

2017-05-04..06, Linuxwochen Wien 2017, FH Technikum Wien, Vienna

Awwwwww - Advanced Wibbly-Wobbly World Wide Webserver Wizardry

A look back at transport encryption in web servers, in particular nginx and Apache, as well as the options for compressing content before delivery and caching it at proxies and clients. The talk is rounded off by security-relevant HTTP response headers.

Together with MacLemon.
Slide deck as PDF
Video on YouTube

VPNs - Applied Confusion for Routing Tables

The most common VPN protocols and recommendations for their use. A configuration guide for OpenVPN 2.3/2.4.1 including secure cipher suites for up-to-date encryption. The configuration of clients on different platforms such as Linux, BSD, Windows and macOS is covered. The second part is about configuring an IPsec and IKEv2 based VPN server using the scripts from AlgoVPN on your own Ubuntu server. After that, the configuration of macOS and iOS clients is shown. The VPN provider comparison mentioned can be found at That One Privacy Site.

Together with MacLemon.
Slide deck as PDF
Video on YouTube

SSH Workshop - From Zero to Hero*ine.

Basics of using SSH, in particular OpenSSH. A two-hour workshop for beginners in using the ssh(1) command line client.

Together with MacLemon.

Grazer Linuxtage

2017-04-28..29, Grazer Linuxtage 2017, FH Joanneum, Graz

SSH Workshop - From Zero to Hero*ine.

Basics of using SSH, in particular OpenSSH. A two-hour workshop for beginners in using the ssh(1) command line client.

Together with MacLemon.

Awwwwww - Advanced Wibbly-Wobbly World Wide Webserver Wizardry

A look back at transport encryption in web servers, in particular nginx and Apache, as well as the options for compressing content before delivery and caching it at proxies and clients. The talk is rounded off by security-relevant HTTP response headers.

Together with MacLemon.
Slide deck as PDF

BSides Ljubljana 0x7E1

2017-03-10, BSides Ljubljana 0x7E1, Poligon creative centre, Ljubljana, Slovenia

Peculiar SSH – May we interest you in this particular feature?

We all use SSH on a more or less daily basis. More advanced users have even created a config file for their clients in order to spare themselves some typing. So let us take you on a journey into the more "peculiar" features of SSH. From multi-factor authentication to jump hosts all the way to GPG and the use of SmartCards. Let us show you what SSH can do if you invest some time in configuring it.

Together with MacLemon.
Slidedeck as PDF

SSH Workshop - From Zero to Hero*ine.

Securely connecting through several hosts to a remote server and obfuscating the local configuration will also be part of the workshop. If there is time, we will also look at the server side of things and work through a few possible improvements. This workshop targets beginner to intermediate SSH users. As long as you have a fairly recent command line OpenSSH client, you are welcome no matter what operating system you are using. Basic knowledge of the Linux or BSD command line is required (navigating the file system, editing files, …). OpenSSH 7.4 or higher is recommended!

Together with MacLemon.

Sunday, 20170507, 22:38 | permanent link | 0 comment(s)


Disclaimer

"Leyrers Online Pamphlet" is the personal website of me, Martin Leyrer. The posts published here reflect my ideas, interests, my humour and occasionally also my life.
The postings on this site are my own and do not represent the positions, strategies or opinions of any former, current or future employer of mine.
Imprint / Disclosure pursuant to § 25 Mediengesetz (Austrian Media Act)
