on techinc and society

Back in the day I met people who were fundamentalist vegans, calling themselves “straight edge”. We lived in the same building for half a year until we could not stand each other anymore. Some people would boycott what the others were doing/liking/listening to because somewhere it conflicted with the ethics of one of the vegans.

We stopped listening to music together (because %recordlabel% was supporting the exploitation of children somewhere), we stopped cooking and eating together (because %shop% supports the destruction of rice fields somewhere) and so on... everything had a problem that made it unethical/impossible to reach common ground.

Now you could ask yourself why this happened... were the fundamentalists too fundamentalist? They would not be fundamentalists then, right? <<— edit: maybe ideologist/ideology would be more fitting – thanks

Were we too “corrupted” by society to accept their point of view?

In fact, everyone had sound arguments and reasons for what they were doing, yet our shared apartment that was started on the premise of “Hey, you people are cool, we meet at many parties, let's live together”

The two emails I received on the techinc mailing list regarding hitb and the reputation of techinc painfully remind me of that time…

Probably the Catholics/Protestants felt similar 500 years ago... we all know how that ended ;)
Heck, the entire civilization we currently live in has been like that and I still don’t like it, but you know what? Democracy may be inherently bad, but it is still the most common form of “how to piss the least people off and still manage to keep the show going”. This system is powered by public reward for things done well (salary, media, etc.) and punishment for things not done right (penalties, fees, court, jail, public shaming, exclusion from the “club”).

Again, I don’t think it is the best system to have, but all the alternatives only cause more fragmentation and dissent... do we want that? Shall we continue as one block of awesome people standing together, or shall we just let it fall apart because we don’t like the other person's hair?
(*glances at Mitch Altman and giggles*)

windows media / gaming pc

Windows 8.1 seems solid, so as I want to play games I decided to throw some servers/services on there, too.

But first disable that tablet crap and the “Metro” interface.
I will be using desktop software anyway, so no need for that touch stuff.

Right-click the taskbar on the desktop and under “Navigation” disable all “corner navigation” charms/crap,
then select “show desktop instead of start” and “show apps view”; disable “search all” and enable “list apps first”.

Go to the Metro search > uninstall programs and delete them all.

Install VLC, Foxit Reader, iTunes, Steam, Quassel client, Firefox, Spotify, etc.

Also: gpedit > Computer Configuration > Administrative Templates > Windows Components > OneDrive > “Prevent the usage of OneDrive for file storage”

Install the calibre ebook server and Plex Media Server (once I have a NAS this will change).

Enable file sharing and streaming for the HomeGroup.

Check the firewall for permissions / check that the device is not reachable from the outside (Plex listens on 32400/tcp and the calibre content server on 8080/tcp by default; both should only be reachable from the LAN).

Enable File History / add the shared media folders to the libraries.

Consider growing disks for backup > FAIL – not enough SATA ports > see NAS project :)

dolby downmixing for games

Assume a gaming PC running Windows, transporting video and audio via HDMI to a TV, with an amplifier driving a 2.1 setup connected to that. However, the subwoofer is controlled by the amplifier, so all I want is plain stereo into the amplifier.

Now, when playing old games, sometimes the audio is just off or very quiet (e.g. Wing Commander 4, many GOG games that use Dolby Stereo in the cutscenes). This is because the software has “Dolby Stereo” hard-coded on the CD/DVD and Windows assumes that the HDMI sink can process Dolby Stereo.

Windows itself doesn’t help you here, blaming the game/the TV, and it kind of annoys me to hear only the left and right channels and not the center, rear and subwoofer channels. It apparently assumes that the game specifies the desired output or whatnot... and we all know whose mother assumption is.

The remedy is an AC3 splitter or DirectShow filter.
A very good one is included in the “shark007 codec pack” – get it here.
I am sure there are others, but that one is my favorite since I migrated away from CCCP (Combined Community Codec Pack) years ago (which was needed to decode MKV anime with dual audio, etc.).

Just install the “advanced” package, use shark007’s recommended settings and then in the settings set up “2.0” stereo downmixing (or whatever you are feeding into your amplifier). I have only two wires – left and right – for the moment. Once I upgrade my amplifier this will basically work against me... but hey, first I need a better amp ;)

private server install log 03/2014

this is taken from here:


and I want to play with Ansible on my other server (the .eu domain), but this will be my private server where things are (of course) different.
UPDATE 7/2014: added webmail and roundcube and owncloud plugin
NEEDS: backup scripts / dumps

– create a VM with basic specs for Ubuntu
– set up 12.04 LTS, 64-bit flavor >> UPDATE: 14.04 LTS is out – the mail server is on 14.04, the rest stays on 12.04 for now...
– chose LVM and an encrypted home directory during install
– install VMware tools / Xen tools > or stick to KVM

- allow SSH on the firewall
don’t forget IPv6 for the rules, or use UFW (with IPV6=yes in /etc/default/ufw it writes both IPv4 and IPv6 rules)
#ufw allow ssh
#ufw limit ssh/tcp <-- is this actually useful in combination with fail2ban?
(it is a different layer: ufw limit drops a source that opens 6 or more connections within 30 seconds before sshd ever sees them, while fail2ban bans on failed logins it finds in the log, so the two complement each other)
check /etc/ssh/sshd_config for “UsePAM yes” – we can plug in the 2-factor authenticator then :)

- mosh – useful
apt-get install mosh
open the corresponding ports:
#ufw allow proto udp from any to any port 60000:60010
this allows mosh instead of ssh to your server, which helps with lag/latency. mosh-server picks the first free UDP port in 60000–61000 by default, so opening only ten ports caps you at ten concurrent mosh sessions; mosh still authenticates over ssh first, so the ssh rule above stays required.

- htop – interactive “top”


- fail2ban – block brute-force connection attempts
apt-get install fail2ban
don’t edit /etc/fail2ban/jail.conf directly (a package update overwrites it); create a jail.local instead, which overrides jail.conf:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

in there check the following:

separate whitelisted hosts/subnets/CIDR blocks with spaces under ‘ignoreip’ (put your own admin addresses here so you cannot lock yourself out)
also set up your MTA and recipient address under destemail
bantime and maxretry can be adjusted
backend can be auto

then, in the same jail.local, apply the banactions for UFW as we are not using iptables directly (we suck!):

[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[apache]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-auth
logpath = /var/log/apache*/error*.log
maxretry = 4

[apache-nohome]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-nohome
logpath = /var/log/apache*/error*.log
maxretry = 3

[apache-noscript]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-noscript
logpath = /var/log/apache*/error*.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-overflows
logpath = /var/log/apache*/error*.log
maxretry = 2

create /etc/fail2ban/action.d/ufw-ssh.conf (the file name must match the banaction above; <ip> is filled in by fail2ban):

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH

and /etc/fail2ban/action.d/ufw-apache.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 2 deny from <ip> to any app "Apache Full"
actionunban = ufw delete deny from <ip> to any app "Apache Full"

Two things to check before relying on this: the application profiles must exist (ufw app list; OpenSSH comes with openssh-server, "Apache Full" with apache2), and the OpenSSH profile covers 22/tcp only, so the port = 2992 line in the [ssh] jail has no effect on this action. If sshd really listens on 2992, ban with "ufw insert 1 deny from <ip> to any port <port> proto tcp" (fail2ban substitutes <port> from the jail) or drop the host entirely with "ufw insert 1 deny from <ip> to any"; otherwise the ban never matches the attacker's traffic.

DISCUSS: IPv6 – hack a little 64 gateway or block SSH for IPv6 (which would be silly...)
Note that fail2ban 0.8.x, as shipped with 12.04 and 14.04, does not parse IPv6 addresses at all, so brute-force attempts over IPv6 are never banned regardless of the action; IPv6 support only arrived with fail2ban 0.10.

restart ufw and fail2ban to activate:

andreas@telecity:~$ sudo service fail2ban restart
* Restarting authentication failure monitor fail2ban [ OK ]
andreas@telecity:~$ sudo service ufw restart
ufw stop/waiting
ufw start/running

check status (default only SSH is enabled)
andreas@telecity:~# fail2ban-client status
|- Number of jail: 1
`- Jail list: ssh

it works! UFW inserts a deny rule for every host that tries to brute-force:

tail -f /var/log/fail2ban.log
2014-07-19 11:24:49,201 fail2ban.actions: WARNING [ssh] Ban

$ sudo ufw status
Status: active
To Action From
— —— —-
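To see what the [ssh] jail above actually decides, here is an added stand-in for its counting logic in shell (example code, not the post's own and not fail2ban's): it scans sshd “Failed password” lines in auth.log format, counts failures per source address, and prints the ufw-ssh ban command for every address that reached maxretry. The log excerpt is constructed for the demo, the addresses are documentation ranges, and the real jail additionally applies findtime and ignoreip, which are left out here.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stand-in for the [ssh]
# jail. It matches one of the patterns fail2ban's sshd filter uses ("Failed
# password for ... from <ip>"), counts per source address and emits the ufw-ssh
# action for every address that reached MAXRETRY. Log lines are constructed.

MAXRETRY=3   # mirrors "maxretry = 3" in the jail

# Write a constructed auth.log excerpt to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jul 19 11:24:40 telecity sshd[2331]: Failed password for invalid user admin from 203.0.113.7 port 52111 ssh2
Jul 19 11:24:42 telecity sshd[2331]: Failed password for invalid user admin from 203.0.113.7 port 52111 ssh2
Jul 19 11:24:45 telecity sshd[2333]: Failed password for root from 203.0.113.7 port 52130 ssh2
Jul 19 11:24:49 telecity sshd[2335]: Failed password for root from 203.0.113.7 port 52140 ssh2
Jul 19 11:25:01 telecity sshd[2340]: Failed password for andreas from 198.51.100.5 port 40022 ssh2
Jul 19 11:25:10 telecity sshd[2340]: Accepted publickey for andreas from 198.51.100.5 port 40022 ssh2
Jul 19 11:25:30 telecity sshd[2350]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2
Jul 19 11:25:31 telecity sshd[2350]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2
Jul 19 11:25:33 telecity sshd[2350]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2
EOF
    echo "$f"
}

# One IPv4 address per line for every source with MAXRETRY or more failures,
# sorted. A single typo (198.51.100.5 above) stays below the threshold.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v max="$MAXRETRY" '$1 >= max { print $2 }' \
      | sort
}

# The ufw-ssh actionban line with <ip> substituted, one per offender.
ban_commands() {
    offenders "$1" | while read -r ip; do
        echo "ufw insert 1 deny from $ip to any app OpenSSH"
    done
}

# Stand-alone run: show what would be banned for the sample log.
log=$(make_sample_log)
ban_commands "$log"
rm -f "$log"
```

Run it as is to see the two ban lines; point `offenders` at a real /var/log/auth.log to compare its verdict with `fail2ban-client status ssh`.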

– install build-essential, openssl and libssl-dev to be able to create a wildcard certificate (self-signed) and other stuff we have to build from scratch

– ownCloud – via owncloud.com
install according to the manual there (#apt-get install owncloud)
admin docs: http://doc.owncloud.com/
modify your webserver to allow ownCloud to do its magic:
#chown -R www-data:www-data /path/to/your/owncloud/apps
#chown -R www-data:www-data /path/to/your/owncloud/data
#chown -R www-data:www-data /path/to/your/owncloud/config
set ‘AllowOverride All’ in the /var/www/ section of the apache2 config file (ownCloud ships a .htaccess that blocks direct web access to data/ and config/; without AllowOverride it is ignored)
#a2enmod rewrite
#a2enmod headers
then restart apache
#service apache2 restart
open the firewall ports: #ufw allow http and #ufw allow https (or #ufw allow "Apache Full")
then point your browser to https://[your server’s URL]/owncloud
if you want to install into MySQL choose “advanced” – otherwise just go with SQLite and create an admin user
you are done!

go to admin > create a group and some users
set up the client (owncloud-client) and point it to your server’s URL (use https and the full path)
create folders > they will be synced by ownCloud to your server

other features:
use CardDAV/CalDAV
sync music (Amarok/Tomahawk)
plugins (roundcube, large files, mobile interface, etc.)

once it works, why not make it secure and set up SSL:
– create a self-signed SSL certificate (for web and mail server) or buy one ;)


and install them
# cp server.crt /etc/ssl/certs
# cp server.key /etc/ssl/private
# chmod 600 /etc/ssl/private/server.key (the key must not be world-readable)
adjust the apache2 config to enable SSL:

edit sites-available/default-ssl
enable “AllowOverride All” for all /var/www instances as before
check ‘SSLEngine On’ is there
point it at the two files instead of the “snakeoil” cert:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

enable the site with
#a2ensite default-ssl
(and #a2enmod ssl if it is not enabled yet)

and restart the server
#service apache2 restart

and check if your browser accepts the cert :) (a self-signed cert needs a one-time exception in the browser; that is expected)

hints to make SSL more secure from phra.gs


now connect with the ownCloud client using the username/password you set as admin

NOTE: every time you update the ownCloud packages you need to visit the website once to apply the update!

– Quassel


apt-get install quassel-core
for the server
open port 4242/tcp on your firewall (#ufw allow 4242/tcp)

and use quassel-client for the client
there is Quasseldroid and iQuassel for mobile clients

it doesn’t use SSL by default – so stop the service and launch quasselcore manually
it will show you where it wants the config files and SSL certs

then create the cert; quasselcore expects key and certificate in the same PEM file, hence the identical -keyout/-out (use at least rsa:2048, 1024-bit RSA keys are no longer acceptable):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem

connect to your server for the first time and a welcome dialog will appear
set up the first user (who will be an admin)
and then go play :) (and chat from anywhere)

useful for irssi integration:


mmarley has a more recent repository on Launchpad – use it if you want to use 0.10 and not 0.8

– gallery2
simple: apt-get install gallery2
install mysql-server and set up the database (remember the user/pass)


then run the web installer and do the rest


edit /etc/php5/apache2/php.ini and raise the file limits (upload_max_filesize, post_max_size) if you want/need

add a seedbox? transmission-bt!


although that is something for my Raspberry Pi at home / OpenELEC style

install transmission-daemon – set up the config and password
apt-get install transmission-daemon

stop the daemon first (it rewrites settings.json when it exits and discards edits made while it runs), then
nano /etc/transmission-daemon/settings.json

and open the firewall for the peer port (51413/tcp by default) – done :)
keep the RPC web interface (9091/tcp) closed to the outside and protected with rpc-authentication-required and rpc-whitelist in settings.json

– diaspora


it seems I need a “valid” SSL cert and a dedicated webserver – so I will do that virtually instead, or from home, or not at all.

– prosody (XMPP)
apt-get install prosody
configure as per the example / global settings and add an admin user there

create some keys:

openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/xxxxxxxx.crt" -newkey rsa:4096 -keyout "/etc/ssl/private/xxxxxxxx.key"

under your VirtualHost add the certs:
ssl = {
	key = "/etc/ssl/private/xxxxxxxx.key";
	certificate = "/etc/ssl/certs/xxxxxxxx.crt";
}

and create the conf.d symlink (see below)

restrict the key so that only Prosody can read it:
sudo chmod 600 /path/to/certificate.key
sudo chown prosody:prosody /path/to/certificate.key

Prosody must also be able to traverse the parent directories of the file (/etc/ssl/private is 0710 root:ssl-cert on Debian/Ubuntu, so either add the prosody user to the ssl-cert group or keep the key under /etc/prosody/certs).

To test that only Prosody can read the file:

sudo -u prosody cat /path/to/certificate.key # should succeed
sudo -u nobody cat /path/to/certificate.key # should fail
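The self-signed certificate step for Apache earlier in this log lost its openssl command, and the Prosody key check above is done by hand. The following added shell script (not from the original post, not Prosody's or Apache's own tooling) covers both: it generates a self-signed certificate with a subjectAltName for the base domain and the wildcard, installs key and certificate with the permissions a daemon should see (key 0600, owned by the service user when run as root), and checks that the key matches the certificate and that the certificate is valid. The domain example.org, the prosody owner and the scratch directory are assumptions; it runs as a normal user in a temp directory so it can be tried before touching /etc/ssl.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed wildcard cert, install
# with sane permissions, and sanity checks. Domain and owner are assumptions.
set -eu

# Generate key + self-signed cert into $2 for domain $1, with SANs for the apex
# and the wildcard. Extensions go through a config file so this works on any
# openssl version (-addext needs 1.1.1+). rsa:2048 is the floor today.
make_selfsigned() {
    d="$1"; out="$2"
    cat > "$out/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = *.$d
[v3_req]
subjectAltName = DNS:$d, DNS:*.$d
EOF
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -config "$out/openssl.cnf" \
        -keyout "$out/server.key" -out "$out/server.crt" 2>/dev/null
    chmod 600 "$out/server.key"   # private key: owner only
    chmod 644 "$out/server.crt"   # certificate is public
}

# Copy key and cert into an /etc/ssl-like layout. Ownership is only changed
# when running as root and the owner exists; mode 600 is applied either way.
install_cert() {
    src="$1"; dst="$2"; owner="$3"
    install -d -m 755 "$dst/certs"
    install -d -m 710 "$dst/private"
    install -m 644 "$src/server.crt" "$dst/certs/server.crt"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        install -m 600 -o "$owner" -g "$owner" "$src/server.key" "$dst/private/server.key"
    else
        install -m 600 "$src/server.key" "$dst/private/server.key"
    fi
}

# Subject in RFC 2253 form, e.g. "CN=*.example.org".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# True when the certificate carries a DNS SAN for the given name.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# True when the private key belongs to the certificate (same RSA modulus).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# True when the file mode is exactly 0600 (GNU stat, BSD stat as fallback).
mode_is_600() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$m" = 600 ]
}

# True when the certificate has not expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
make_selfsigned example.org "$work"
install_cert "$work" "$work/etc-ssl" prosody
cert_subject "$work/server.crt"
key_matches_cert "$work/etc-ssl/private/server.key" "$work/server.crt" && echo "key matches cert"
mode_is_600 "$work/etc-ssl/private/server.key" && echo "key mode is 600"
```

The same functions apply to the Apache pair in /etc/ssl and to Prosody's files: run `key_matches_cert` after every renewal, since a certificate that does not belong to the key is the most common reason a daemon fails to start after a cert swap, and `mode_is_600` is the scriptable version of the sudo -u nobody test above.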

Declaring the host

The host im.example.org is configured in /etc/prosody/conf.avail/im.example.org.cfg.lua; the shipped example.com.cfg.lua can serve as a template:

cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/im.example.org.cfg.lua

With your favorite editor change the VirtualHost and enabled settings so you have:

VirtualHost "im.example.org"
--enabled = false -- Remove this line to enable this host

Instead of commenting it out as above, the "enabled = false" line can also be removed.

Also point to the key and the SSL certificate:

ssl = {
	key = "/etc/prosody/certs/im.example.org.key";
	certificate = "/etc/prosody/certs/im.example.org.cert";
}

If you already have a key/certificate pair for the same domain name (Common Name), for example for Apache, point to it instead of the files listed above.

Now create the symbolic link in /etc/prosody/conf.d/ with:

ln -sf /etc/prosody/conf.avail/im.example.org.cfg.lua /etc/prosody/conf.d/im.example.org.cfg.lua

Several hosts from one configuration

Here is an example to declare a single configuration for multiple hosts (thank you MattJ):

for _, host in ipairs { "example.net", "example.org" } do
	VirtualHost (host)
	option1 = "foo"
	option2 = "bar"
end
Create users (single)

Creating user accounts is done with the command prosodyctl:

prosodyctl adduser romeo@im.example.org

open the firewall for ports 5222 (client) and 5269 (server-to-server), IPv4 and IPv6

create DNS SRV records for optimal federation / domain delegation
use this template:
_xmpp-client._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 xmpp.example.com.
_jabber._tcp.example.com 18000 IN SRV 0 5 5222 xmpp.example.com <-- is that still relevant? also... no dots after the TLD? I doubt this will work...
(_jabber._tcp is the pre-RFC 3920 legacy name; current clients and servers look up _xmpp-client/_xmpp-server only, so it can be dropped. A name without the trailing dot in a zone file is relative to the zone origin, so that target would resolve as xmpp.example.com.example.com.)

in fact: in the DNS provider's web interface the domain is appended automatically, so just add this:
_xmpp-client._tcp type SRV with value 0 5 5222 xmpp.domain.com.
_xmpp-server._tcp type SRV with value 0 5 5269 xmpp.domain.com.

the target must be an existing A/AAAA record hostname, not an IP address and not a CNAME (this also covers IPv6, since the resolver looks up the target's AAAA record as well)

;_xmpp-client._tcp.rudel.nl. IN SRV

_xmpp-client._tcp.rudel.nl. 3600 IN SRV 0 5 5222 telecity.rudel.nl.

telecity.rudel.nl. 3600 IN A

– rkhunter

– sendmail / mail server?
— dovecot IMAP and roundcube look neat – with a plugin for ownCloud? awesome!
– tarpitting / greylisting / smarthost with ISP relay?
found iRedMail!


the install script works nicely on a new/fresh Ubuntu server – delete the defaults later and change the passwords
set up domain records (MX and A records) and set up SPF; also make sure the mail host has a matching PTR record and publish the DKIM key iRedMail generates, since many receivers reject or junk mail from hosts without them

– two-factor authentication? Google Authenticator?
sudo apt-get install libpam-google-authenticator
run google-authenticator as the user you will be logging in as
it will create a QR code with the secret key that the Google Authenticator app can scan
it will also write the secret to ~/.google_authenticator and ask you some questions (the module is a plain TOTP/HOTP implementation; nothing is sent to Google)
do this for every user

now edit /etc/pam.d/sshd
and add this line:
# enable Google authenticator
auth required pam_google_authenticator.so

then edit /etc/ssh/sshd_config
and change or add this line so it says yes (sshd takes the first occurrence of a keyword, so change an existing “no” line rather than appending a second one):
ChallengeResponseAuthentication yes

restart ssh to enable
sudo service ssh restart

before closing the session you did this from, log in from a second terminal and confirm the code prompt appears, so a typo does not lock you out. Note that public-key logins do not run the PAM auth stack, so a user with an authorized key skips the code; to require key and code together use AuthenticationMethods publickey,keyboard-interactive, which needs OpenSSH 6.2 or newer (the 14.04 box, not 12.04).

next login looks like this:
login as: andreas
Using keyboard-interactive authentication.
Using keyboard-interactive authentication.
Verification code:





let’s see how that feels :)
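Because sshd takes the first value it finds for a keyword, the “change or add this line” step is easy to get wrong. Here is an added shell audit (example code, not from the original post or from OpenSSH) that computes the effective value of the directives the OTP setup depends on, flags a config where the code prompt never appears or can be skipped, and runs against two constructed sshd_config samples: the appended-second-line mistake and the corrected file. It assumes “Key value” syntax and no Match blocks (it stops at the first one).

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd_config directives
# the OTP setup depends on. sshd uses the FIRST value it finds for a keyword,
# so an appended "ChallengeResponseAuthentication yes" below an existing "no"
# is silently ignored; this is the mistake the audit catches. Comments are
# skipped and keywords matched case-insensitively, as sshd does. Assumption:
# no "Match" blocks (the audit stops at the first one) and "Key value" syntax.

# Print the effective value of a keyword (first occurrence wins); empty if unset.
sshd_effective() {
    file="$1"; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        /^[ \t]*#/             { next }            # comment line
        tolower($1) == "match" { exit }            # conditional section: stop
        tolower($1) == k       { print $2; exit }  # first match wins
    ' "$file"
}

# Report findings for "authorized key + verification code" logins.
# PROBLEM = the code prompt never appears or PAM is bypassed; NOTE = worth knowing.
audit_2fa() {
    f="$1"
    cra=$(sshd_effective "$f" ChallengeResponseAuthentication)
    pam=$(sshd_effective "$f" UsePAM)
    am=$(sshd_effective "$f" AuthenticationMethods)
    if [ "$cra" != yes ]; then
        echo "PROBLEM: effective ChallengeResponseAuthentication is '${cra:-unset}'; keyboard-interactive (the code prompt) is off"
    fi
    if [ "${pam:-yes}" != yes ]; then
        echo "PROBLEM: UsePAM is '$pam'; /etc/pam.d/sshd is never consulted"
    fi
    if [ -z "$am" ]; then
        echo "NOTE: AuthenticationMethods unset; a user with an authorized key logs in without a code"
    fi
}

# Number of PROBLEM lines as a single integer (0 means the config is consistent).
problem_count() {
    audit_2fa "$1" | awk '/^PROBLEM/ { n++ } END { print n + 0 }'
}

# Two constructed configs: the "appended a second line" mistake, and the fixed one.
write_samples() {
    dir="$1"
    cat > "$dir/sshd_config.bad" <<'EOF'
# constructed: Ubuntu-style defaults with the OTP line appended at the bottom
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
# enable Google authenticator
ChallengeResponseAuthentication yes
EOF
    cat > "$dir/sshd_config.good" <<'EOF'
# constructed: the existing line changed in place, key AND code required (OpenSSH >= 6.2)
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Stand-alone run.
d=$(mktemp -d)
write_samples "$d"
echo "bad:";  audit_2fa "$d/sshd_config.bad"
echo "good:"; audit_2fa "$d/sshd_config.good"
```

Point `audit_2fa` at /etc/ssh/sshd_config on the server before restarting ssh; on 12.04 the AuthenticationMethods line is not understood by its OpenSSH 5.9, so there the NOTE stays and key holders keep bypassing the code.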

Shaving my head and dying

the other day, in the bathroom:

Dad, why do you shave your hair off?

because I like it

but... only old people have no hair, do you want to be old?

I do it because I like it. Look, back there, my hair doesn't grow anymore, so I'd rather cut it all off.

I'd rather have long hair.

once you are in school you may decide for yourself how you wear your hair.

did you have long hair too?

yes, down to my shoulders

but if you have no hair then you are old and then you die.. I DON'T WANT YOU TO DIE

you don't have to be afraid, I won't die that soon


that will take a very long time, don't be afraid


Listen, dying is part of life, everyone dies at some point. But that is not so bad, because when we die the body is all broken and everything hurts and then you can't play and jump around anymore anyway


Look, let me explain something to you: a tree grows on the ground, an animal eats the leaves of the tree, we eat the animal, then we die and become earth again, and a tree can grow there again.. so everything is a cycle, the circle of life


maybe you'll become a tree?

Can I become a ship too?

if you become a tree and someone builds a ship out of the tree's wood then maybe you'll become a ship

But then I have to close my mouth and my eyes or the ship will have a hole

I don't think your mouth will still be visible then, but the idea is funny


Listen, do you know how to live a long time?

*sniff* no

you have to eat healthy, do you know what?

Vegetables, meat and potatoes and... fruit?

Right! and do lots of sport! Listen, if you do sport with me every evening then I won't die, because then I'll be healthy and we can play together and ride bikes or run.


and what is also important is that you take care of yourself, for example on the street, so that no car runs you over

and not smoking either?

right, smoking makes you sick...

and then you die?

you can die from smoking, yes

but Wolfgang smokes... then he has to die... I DON'T WANT HIM TO DIE, HE'S MY BEST FRIEND!

then you have to tell him that you don't want him to smoke.


if you want, we'll do that first thing tomorrow


from: discussions with a four-year-old...

hackintosh 10.8.5 and fixes

using Kakewalk 4.5 for the initial install
somehow kakewalking after install fails, so:
using the latest BIOS again (F11)
then using DSDT and MultiBeast 5.5 > EasyBeast install with DSDT (has to be on the desktop)
using Audio > With DSDT > ALC888 “current” (as opposed to “legacy”)
also use TRIM Enabler
here the DSDT – put it on the desktop and run MultiBeast
then update using the combined update pack and do the same again :)

Update 1: Chameleon corrupted
sometimes, if you have multiple hard disks (and one of them Windows), the Chameleon bootloader gets confused and dies – you can still start up with a UniBeast/myHack/Kakewalk USB stick, but to fix the issue you need to use Chameleon Wizard
there is one way to use when you have another disk that contains Windows :)

Update 2: white screen with R9 280X/Radeon 7950/7970
basically editing /Extra/org.chameleon.Boot.plist and setting “GraphicsEnabler = No” allows the card to work (use PartedMagic to start up and use fsck and mount to get write access if you had “Yes” before...)

#fsck.hfsplus -f /dev/sdax
#mount -t hfsplus -o force,rw /dev/sdax /media/sdax

Now the card will start up but will show only white.
If you make the hackintosh sleep and wake it again, it works! So let’s just rotate the screen 90 degrees and put it back to normal. Here a rotate-screen fix converted into an app (use with assistive technologies)


set up IRC server using irssi




should get you started
I am using auto away and hilight
this sends push away_messages to iOS


however the push service costs $$$ and bitlbee is not what I want...


basically something that should trigger my Pebble would be nice :)
like this:


now I only need an Android phone

alternative for @work:
In irssi:
/set bell_beeps on

And in PuTTY:
Go to Terminal -> Bell in the settings, and set “Taskbar/caption indication on bell” to Flashing or Steady (whichever you prefer).

last thing: in the screen session housing irssi: Ctrl-A > Ctrl-G (toggles screen's visual bell; with vbell off the bell is passed through to PuTTY)

then choose > flashing window or system sound

this is until I have an Android phone

URL logger to MySQL? > irssi_url_logger

depression prevention

recently I got trapped in one of my “downward spiral” thought patterns while having fun, which was a not so pleasant experience... back when I was in therapy for depression I taught myself some methods for detecting and getting rid of unpleasant thoughts – I used the image of a “black dog” (W. Churchill used that image), so all I had to do was “make the black dog go away”.
this did not work last week.
Luckily a friend who has a couple more psychological issues was nearby and recognized my thoughts and the mood I was drifting into.
He gave me a new method to get rid of the “black dog” – did you read Harry Potter? The Patronus charm?

“...will work only if you are concentrating, with all your might, on a single, very happy memory.”

that’s it – even easier than the “black dog” method.
It worked instantly because instead of concentrating on something unpleasant (the black dog) I was now concentrating on something which already has a positive bias.

Thank you, you know who you are!

Cinnamon Roll Pancakes

Love cinnamon rolls? Love pancakes? Have them both! These are an awesome decadent breakfast.
Total Time: 20 minutes

Cinnamon Swirl:
4 Tablespoons unsalted butter, melted
1 tablespoon cinnamon
1/4 cup plus 2 tablespoons brown sugar
Mix ingredients together and stick in a Ziploc bag. Seal and let sit to thicken.

Glaze:
1 cup powdered sugar
1 teaspoon vanilla
2 teaspoons milk
Heat ingredients in a saucepan. Mix until the sugar is melted and everything is mixed together well.

1. Make Cinnamon Swirl and let thicken.
2. Mix up the pancake batter. I used a just-add-water pancake mix.
3. Form round pancakes on griddle/skillet and cook on medium heat until bubbles start to show (about 2-3 minutes).
4. Snip the end of the Ziploc bag off and pipe on a cinnamon swirl. Don’t pipe too close to the edges or it will melt off.

5. Flip the pancake quickly and cook 2-3 minutes on the other side.

6. Make and drizzle glaze over the pancakes.

HINT: Wipe pan clean with paper towel in between pancakes.