Dec 03 2014

ARD: Die geheime Macht von Google

Category: Allgemein,ComputerTuxevara @ 00:36

Die folgenden Zeilen habe ich bereits während der Ausstrahlung der Sendung auf meinem Smartphone angefangen zu schreiben und war kurz davor es einfach auf Google Plus zu posten. Aber ich denke in meinem Blog ist es besser aufgehoben. Anscheinend liege ich mit meiner Meinung zu der Sendung nicht ganz falsch, wenn ich mir angucke, was z.B. auf ZDNET dazu geschrieben wurde.

Was zeigt mir “Die Story im Ersten – Die geheime Macht von Google”: Mangelnde Medienkompetenz wohin man schaut. Merkel hat recht, ist alles #Neuland

Die gezeigten Nutzer fallen auf Anzeigen rein, die als solche gekennzeichnet sind und regelmäßige Benutzer von Google eigentlich sofort erkennen sollten. Eine Lehrerin ist überrascht was im Dashboard zu sehen ist. Vor allem das Tracking über das Smartphone überrascht sie. Aber hey, man wird beim ersten Nutzen ja nur danach gefragt ob diese Funktionen aktiviert werden sollen. Immerhin gibt sie am Ende ihr eigenes Versagen zu, indem Sie feststellt, sich wahrscheinlich nicht genug damit beschäftigt zu haben. Nochmal: Ich habe schon einige Androiden im Auslieferungszustand gesehen und man muss diverse Sachen die mit Tracking, Privatsphäre und Datenschutz zu tun haben bestätigen oder gar erst aktivieren. Wer da einfach immer auf “Weiter” drückt ohne zu lesen ist selbst schuld – basta!

Und für einen weinerlichen Anbieter von Kartendiensten, im Beitrag immer schön peinlich als “Internet-Manager” bezeichnet (was zum Henker soll das sein?!), dessen Branche jahrelang selbst Privatnutzer wegen jedem kleinen Kartenschnipsel verfolgt hat ohne ein akzeptables Geschäftsmodell anzubieten, habe ich leider auch kein Mitleid übrig. (Wie ich irgendwie schon vermutet hatte, verbirgt sich hinter einem der beiden gezeigten “Internet-Manager” anscheinend ein Mitarbeiter von Axel-Springer).

Da Google kein so erfolgreiches Soziales Netzwerk wie Facebook oder LinkedIN besitzt, gibt es auch keinen “Gruppenzwang” und jeder Nutzer kann selber entscheiden ob und was er von Google nutzt. Von daher sind wir Nutzer wohl eher die geheime Macht hinter Google. Zumindest konnte der Beitrag nicht ansatzweise irgendein Geheimnis lüften.

Tags: , ,


Nov 23 2014

Getting Webcam of Dell M1330 running

Category: Computer,Hardware,LinuxTuxevara @ 09:52

In order to get the webcam running that is identified by lsusb as

Bus 002 Device 003: ID 05a9:7670 OmniVision Technologies, Inc. OV7670 Webcam

you just have to enable quirks mode for the uvcvideo kernel module:

echo "options uvcvideo quirks=0x100" > /etc/modprobe.d/uvcvideo.conf

After that, reboot or reload the kernel module (sudo rmmod uvcvideo && sudo modprobe uvcvideo). This seems to work on most recent Linux distributions and has been tested by myself on Xubuntu 14.04. If not, check that a corresponding video device has been created. More details about that issue (which I had not), can be found in a post on (German only)


Nov 23 2014

Mailserver Reloaded – Step 1

Category: Computer,LinuxTuxevara @ 09:42

To reproduce the latest setup of my email server and being able to work on this series of posts as promised months ago, I created a new LXC container with Debian Wheezy first. As LXC is not part of this series, no further details about it are provided here.

Like always, the first thing to do on a brand new machine is checking for the latest updates:

apt-get update && apt-get dist-upgrade

First we need to install a mail transfer agent (MTA), which in our case will be Exim. As some enhanced capabilities, such as SASL authentication are required, the Debian package exim4-daemon-heavy must be installed:

apt-get install exim4-daemon-heavy

Given that we are going to manually create an Exim configuration from scratch later, answers to configuration related questions during the installation process are irrelevant to this setup.

Now that our machine has an MTA installed, MySQL server can be installed:

apt-get install mysql-server

Hint: If you try to installed MySQL server before an MTA is installed, Debian might choose an other MTA than Exim to fulfill MySQL’s requirements. This may lead to additional, unnecessary steps or even a configuration conflict that you would have to resolve when installing Exim.

After that, Dovecot can be installed with the following command:

apt-get install dovecot-core dovecot-mysql dovecot-lmtpd dovecot-imapd dovecot-sieve dovecot-managesieved

Additionally to the more or less obvious packages dovecot-mysql, dovecot-lmtpd and dovecot-imapd, the packages dovecot-sieve and dovecot-managesieved are also installed, so that server-side filtering based on Sieve is possible. Roundcube has some great plugins to create and manage Sieve filter rules.

Talking about Roundcube: This is the last of piece we have to install, before we can glue everything together. Though I generally prefer distribution packages, I mostly end up with installing software manually when in comes to web applications. As Roundcube is written in PHP, we need web server that is capable of executing PHP scripts. For simplicity we choose Apache plus the appropriate PHP 5 module in this howto:

apt-get install libapache2-mod-php5

That’s it for the first step. All required software is installed, so we can proceed with the configuration of each in the next step.

Tags: , , ,


Jun 10 2014

Installing .NET Framework 4.5.1 on Windows 2008 R2 Server Core

Category: ComputerTuxevara @ 14:16

If you try to install .NET Framework 4.5.1 on a fresh installation of Windows 2008 R2 Server Core you may see the follow error message:

You must install the .NET Framework 2.0 SP2 OS component.

Well, there IS a link to a list off reasons for a blockage of the 4.5.1 installation, but it wouldn’t be Microsoft if that error message is really in the list. After having a look at the listing of available features, I tried NetFx2-ServerCore first, which should be sufficient on a 64bit platform. Error message still occurred, so I installed the 32bit compatibility feature NetFx2-ServerCore-WOW64 as well. There we go: .NET Framework 4.5.1 could be installed successfully.

As searching for the error message did not return any useful results, I am documenting the solution here.
For completeness, here are the two commands that install the missing features on Server Core:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64

Tags: , ,


May 19 2014

Mailserver Reloaded – The Idea

Category: Computer,LinuxTuxevara @ 23:14

It has been a while since the last big update of my email server configuration. For years it has been running solid as a rock based on Exim/Dovecot with a LDAP-backed configuration.

You may ask: Why change a running system?

One of the things that bugged me for months, was the fact that I am using self-signed certificates on that server. That means that all email clients have been set to accept ANY SSL certificate without further checks (at least manual pinning or something would be great). So any evil hacker in a public WiFi network could use SSL interception to get my username and password. To eliminate this risk, replacing the self-signed certificate with ones signed by a well-know CA (I’d never call them trustworthy!) would probably be enough, but who really wants such a simple solution?

So additionally to replacing the self-signed certificates, I decided to add some extra security by implementing application-specific passwords. Google user’s may already now how they work, for all others here comes a little introduction: Application-specific passwords allow users to create unique passwords for each application that is interacting with your email server. That means that regular user passwords, that are often used for other services as well, must neither be stored in email clients nor will they ever get transferred via SMTP, IMAP or POP3. The whole setup could even be hardened more, by creating a whole new username-password combination for each application, but that seems to be a little over the top to me.

As I also wanted to easily support multiple email domains in the future, I completely moved away from the LDAP backend, that was a partly replication of my LDAP database I use at home for authentication the accounts of my family, to a MySQL-backed setup. To reduce complexity and be more flexible in the future, I also made Dovecot my MDA (LMTP) and authentication service (SASL).

One thing that I also had to solve was the problem that no tools exist to allow users the management of their application-specific passwords. As I am using Roundcube Webbmail for years now and still more than happy with it, I decided to use Roundcube as the one and only tool that I provide users for managing their email settings, including the application-specific passwords. A corresponding plugin was therefore developed by me and has been published on GitHub in the meanwhile. Access to Roundcube is possible only with the normal user passwords BUT requires the use of one-time-passwords created with Google Authenticator (or compatible).

Now you know what I did and why I did it. I know that you now want to know how I actually implemented that setup, but unfortunately you must be patient. I’ll reproduce the setup in a brand new LXC container in order to provide a series of blog posts with precise information how to set this up on your own within the next two weeks. So stay tuned!

Tags: , , ,


Feb 02 2014

Migrating from KVM to LXC

Category: LinuxTuxevara @ 18:58

After I had to replace the mainboard of my HTPC, on which also two other virtual machines were running on KVM, the kvm_amd module crashed on every boot on the replacement hardware. Though KVM still worked, I don’t like to see any modules crashing on boot. I began asking myself whether I really need full KVM virtualization or if some kind of container based virtualization would do a good or even better job for me.

After reading into the pros and cons of different solutions, I concluded that LinuX Containers (LXC) should probably first choice for me. As the HTPC is running on Ubuntu 12.04, which also has Apparmor profiles that enhance the security of LXC’s weak security concept, I actually decided to continue with LXC.

I don’t want to explain how to install LXC, because this is already covered by many other sites. The only thing that I found which is not covered well enough, is the conversion of machines from KVM (or similar) to LXC. In my case the KVM guests where using RAW disk images, so I am exclusively focusing on converting such below.

Step 1 – Prepare the rootfs folder

First, the new target folder for the root file system of the LXC guest must be created.

mkdir -p /var/lib/lxc//rootfs

Step 2 – Mount the RAW image

Then the RAW disk image must be mounted to access the files. In my case the disk contained only one partition. Modify the mount command may be necessary.

kpartx -a
mount /dev/mapper/loop0p1 /mnt

Step 3 – Copy files to rootfs

Now that the content of the RAW image can be accessed, the files can be copied into the new rootfs folder created in step 1. I have been using the below command for years, to create more or less exact copies:

cd /mnt
find . -xdev | cpio -pmv /var/lib/lxc//rootfs

Step 4 – Modify the configuration

Now comes the trickiest part: The configuration of the new machine must be modified, otherwise it is unlikely that it will boot successfully. Most required changes can be extracted from the template files in /usr/lib/lxc/templates/, which are typically used for the creation of new machines. Below are the modification for Debian machines, which worked perfectly well for Debian Lenny (shame in me) and Squeeze.


cat < $rootfs/etc/inittab
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
1:2345:respawn:/sbin/getty 38400 console
c1:12345:respawn:/sbin/getty 38400 tty1 linux
c2:12345:respawn:/sbin/getty 38400 tty2 linux
c3:12345:respawn:/sbin/getty 38400 tty3 linux
c4:12345:respawn:/sbin/getty 38400 tty4 linux

mkdir -p $rootfs/selinux
echo 0 > $rootfs/selinux/enforce

mknod $rootfs/dev/tty1 c 4 1
mknod $rootfs/dev/tty2 c 4 2
mknod $rootfs/dev/tty3 c 4 3
mknod $rootfs/dev/tty4 c 4 4

# reconfigure some services

locale="$LANG $(echo $LANG | cut -d. -f2)"
chroot $rootfs echo "locales locales/default_environment_locale select $LANG" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/default_environment_locale seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/locales_to_be_generated seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs sed -i -e "0,/^[# ]*$locale *$/ s/^[# ]*$locale *$/$locale/" /etc/locale.gen
chroot $rootfs sh -c "LANG=C dpkg-reconfigure locales -f noninteractive"

# remove pointless services in a container
chroot $rootfs /usr/sbin/update-rc.d -f remove # S
chroot $rootfs /usr/sbin/update-rc.d stop 09 S .

chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountfs start 09 0 6 .

chroot $rootfs /usr/sbin/update-rc.d -f umountroot remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountroot start 10 0 6 .

# The following initscripts don't provide an empty start or stop block.
# To prevent them being enabled on upgrades, we leave a start link on
# runlevel 3.
chroot $rootfs /usr/sbin/update-rc.d -f remove # S 0 6
chroot $rootfs /usr/sbin/update-rc.d start 10 3 .

chroot $rootfs /usr/sbin/update-rc.d -f remove # S
chroot $rootfs /usr/sbin/update-rc.d hwclockfirst start 08 3 .

chroot $rootfs /usr/sbin/update-rc.d -f module-init-tools remove # S
chroot $rootfs /usr/sbin/update-rc.d module-init-tools start 10 3 .

rm $rootfs/etc/udev/rules.d/70-persistent-net.rules

Step 5 – Create LXC config

Finally we have to create a LXC configuration file for the new machine. Lazy as I am, I have copied an existing config file into /var/lib/lxc// and modified the paths and network configuration accordingly.

After that the machine can be started with

lxc-start -n

Keep in mind that you won’t be able to detach from that console again. But to debug boot problems it is essential to not launch the machine in background mode (-d).

Tags: , , ,


Dec 13 2013

Vdr-sxfe audio output issues over and over again

Category: Computer,LinuxTuxevara @ 20:53

And after fixing them for the hundredth time in the last ten years, I finally decided to write down what I seem to always forget. Isn’t this what tech blogs are for?!

So what was happening this time: After some years without any major issues, our media center PC decided to reboot in circles, which turned out to be caused be a defective motherboard. After replacing it with the one from my gaming PC everything worked fine, except that I had to use the onboard graphics card as the passive cooler of the former PC-Express graphics card wouldn’t allow me to use the DVB-S card in the upper PCI slot.

In my vdr-sxfe startup script I’ve set the audio parameter to alsa:plug:'hdmi:CARD=NVidia,DEV=0'. But the only results I get is either no sound at all or vdr-sxfe restarting every few seconds. At some point I managed to set the audio channel in VDR to stereo instead of AC3. Guess what happened? Immediately vdr-sxfe stopped restarting and sound was coming from the left and right speakers.

Conclusion: Something must be terribly wrong with the AC3 passthrough. But what? And who controls which device is used for the AC3 passthrough? I know that I should have asked myself this questions earlier, but trial and error worked perfectly well in the past ;)

After trying to remember which files I modified several times before to optimize vdr-sxfe audio and video output, I came to the point where I felt certain that the whole magic must only happen in ~/.xine/config_xineliboutput. As vdr-sxfe is based on Xine this seems to make sense.

Some tests later it was proven, that the audio parameter of vdr-sxfe never affects the value of audio.device.alsa_passthrough_device in the config file.

So the solution to my AC3 passthrough problem is setting the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia,DEV=0'.

Today the new PCI-Express graphics card arrived and all I had to do is changing the vdr-sxfe audio parameter and the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia_1,DEV=0'.

For the sake of completeness, here are all non-default values from my ~/.xine/config_xineliboutput

audio.output.speaker_arrangement:Pass Through

Tags: , , , , ,


Nov 21 2013

Sophos UTM 9.1 Changlog Fun

Category: Computer,FunTuxevara @ 22:47

While reading through Sophos’ UTM 9.2 Beta overview is stumbled across the following:


Thumbs up, guys! Though I’m more the LOTRO kind of MMORPG player I love your sense of humor.

Looking forward to the release.


Nov 11 2013

FOTD: Windows driven water dispenser

Category: ComputerTuxevara @ 19:36

Let’s call it Fail Of The Day! I am just back from the the gym and here is what happened while checking out at the counter: The boss was typing with a pen on the water dispenser’s touch screen as the normal touch screen interface obviously crashed. Of cause this attracted by immediate interest and I went over to him to figure out what operating system is running on that device. And now comes the part which really hurts: IT’S WINDtOWS, W-I-N-D-O-W-S!!! Get down everybody and search for cover, we are doomed! The human race has really made it this far: We are building water dispensers driven by a too insecure, probably never receiving patches, unstable operating system.

Not that I would feel much more comfortable with any other operating systems on water dispensers, but at least you could strip down Linux so far, that nearly no services are running and use framebuffer output instead of a X-Sserver which would minimize any attack vector nearly to zero.

But hey, if that is the way we let technology take control over our lives…


Nov 11 2013

Open Rhein Ruhr 2013

Category: Allgemein,Computer,LinuxTuxevara @ 14:50

Wieder ist ein spannendes Open Rhein Ruhr Wochenende vorueber. Fuer mich war es diesmal etwas Besonderes, da ich nicht als Helfer sondern als Orga dabei und auf der Veranstaltung fuer das Netzwerk verantwortlich war. Ausser zwei nicht so ganz sauberen DSL-Leitungen gab es jedoch keine groesseren Probleme, weshalb mir genug Zeit blieb mich unter die Besucher zu mischen und interessante Gespraeche an den Staenden zu fuehren.

ORR Social Event

Auch das Social Event war wie in der Vergangenheit eine tolle Sache, nicht zuletzt wegen der Location.

Was mich aber wirklich jedesmal auf solchen Linux und Open Source Events begeistert, ist der Umgang miteinander. Es fuehlt sich eigentlich immer so an, ob als ob es kein oben oder unten gibt, kein gut oder schlecht gibt und jeder ist in irgendeiner Weise Anbieter und Konsument zugleich. Alle packen mit an wo Haende gebraucht werden. Ich hoffe, dass mich mein Eindruck nicht taeuscht und dass all diese Menschen im Alltag genau so einen offenen Umgang miteinander pflegen.

Mein besonderer Dank gilt natuerlich allen Helfern und vor allem den Freifunkern, welche durch Bereitstellen von weiterer Hardware sowohl das ORR eigene WLAN verbessert haben, als auch zusaetzlich noch Ihr eigenes Freifunk Mesh bereitgestellt haben.

Bis zum naechsten Jahr,wenn es wieder heisst: “Ein Pott voll Software”.

Tags: , ,


Next Page »