commit c93b03258d1daa7f2d7155e1156c6323080df02a
parent 06dfb8a1af907804d1b012c57e6b8b9de0e478fe
Author: lash <dev@holbrook.no>
Date: Sat, 10 Aug 2024 19:38:19 +0100
content server post
Diffstat:
3 files changed, 526 insertions(+), 1 deletion(-)
diff --git a/content.proposed/20240810_comms.rst b/content.proposed/20240810_comms.rst
@@ -0,0 +1,325 @@
+Comms summary
+############
+
+:date: 2024-08-10 18:10:25
+:category: Hygiene
+:author: Louis Holbrook
+:tags: ssh,bash
+:slug: put-anon
+:summary: How to set up your own mini-service to share files safely and anonymously
+:lang: en
+:status: draft
+
+
+One should think that sharing a single file with someone else on the internet without anyone else knowing would be the simplest thing there is.
+
+Sadly, it's not. Really not.
+
+Let's see how to traverse the obstacles with a minimum of skill, and a minimum of tools.
+
+
+Anonymous VPN
+=============
+
+First step is to make sure that the connection you use to register the service has some degree of anonymity.
+
+There are and will always be services out there that will enable you to do this. They will never be the same as time passes. The important thing is to know what to look for.
+
+
+Connecting
+----------
+
+No matter which of the two stategies you are using, you should use some unidentifiable, disposable connection to do the initial registration.
+
+ * A truly anonymous VPN (it's harder than you think)
+
+
+The public wifi
++++++++++++++++
+
+Unless you are *really really* in the sights of the surveillance state, a random internet cafe access point should do nicely.
+
+Just make sure that if you are using a public wifi, you randomize your MAC address before connecting. I myself use `wpa_supplicant` directly, and it offers the `mac_addr` and `preassoc_mac_addr` configuration directives for this purpose (for connection and access point search, respectively). Otherwise, your MAC address can be correlated across access points, that increasingly as "Local Magic Device" offers from big corporations.
+
+
+The Tor Browser
++++++++++++++++
+
+It's really hard to say whether the Tor Browser is a honey-trap or not. But single-shot sessions used for one single purpose has a low risk of compromise.
+
+Still, the public wifi option is preferable.
+
+
+The anonymous VPN
++++++++++++++++++
+
+Now, this is much harder than you may think.
+
+How do you sign up for the VPN? Some email? How did you get that email? Without the same VPN? How did you pay for it?
+
+VPN is an extra layer of protection that is as secure as the security you used to sign up for it.
+
+The only service I've come across so far that counts as an exception is the self-sources method for registration used by `Mullvad <https://mullvad.net/en>`_ It's nearly unfathomable that some 15 years after the Bitcoin revolution, client-side secrets aren't the canonical way of authentication. With Mullvad, you generate a secret on the fly, and if you lose the secret you lose the account. And the account may be paid for with cryptocurrency. (Remember, though, you are just as safe as the connection used to generate that account.)
+
+An example
+++++++++++
+
+1. You go to a random wifi access point
+2. You randomize your MAC address
+3. You start a TOR session
+4. You make a VPN account with Mullvad
+
+Now, the payme
+
+
+The email anachronism
+=====================
+
+It is nearly unfathomable that still 15 years on from the Bitcoin revolution, we are still working with emails and, even worse, phone numbers, to register accounts.
+
+I haven't seen a single VPS provider that does not use one of these forms of registration.
+
+So, seriously! Anyone! Do something!
+
+Anyway, right now it is how it is, so the next step becomes making an email address with our anonymous connection.
+
+Unsurprisingly, getting an anonymous email is getting harder and harder.
+
+No sweat, you may thinkg. You could just roll your own.
+
+But then, how do you register the domain name for the email, and how do you pay for that? Not easy. The registrars will want an email.
+
+Confound it! You're back to square one.
+
+
+The honeytrap method
+--------------------
+
+Currently, `Protonmail <https://proton.me>` is one of the few options at the time of writing. However, it has been around for so long as a private email solutino that there is good reason to suspect that they are just one more of those honeypots that promise you safety and privacy for everything except what's inside their services, and ultimately they both mine your data for yourself and give you up to the empire if compelled to do so.
+
+
+The lone geek site method
+-------------------------
+
+Funnily, small individual-run private services like `<https://danwin1210.de/mail/>`_ still exist out there.
+
+To be honest, I would love to see more services like that. Services that are simply too small and obscure for the empire to care about. And when they start caring, it closes down and 10 more take its place.
+
+That would be how we win.
+
+
+The disposable method
+---------------------
+
+I have used `receivemail.org <https://www.receivemail.org>`_ for several years now as a disposable email recipient for registrations and contacts of all sorts that I didn't want polluting my email.
+
+The main feature of services like this is that no registration is required. A related type of service is `guerrillamail.com <https://guerrillamail.com>`
+
+Of course, there is no access control for these mailboxes, so you cannot use it to protect anything of real value. For any service that requires one email service once and never again, it will probably do nicely.
+
+Keep in mind that a lot of Fascism-as-a-Service providers out there will block entities like this from receiving email from them. If they do, probably they are not for you.
+
+
+The anonymous server
+====================
+
+There *are* options out there that will let you establish a VPS for a small amount of cryptocurrency per year. I have had luck with using `1984.is <https://1984.is>`_.
+
+Iceland is a good territory for digital anonymity and sovereginty ever since they gave the middle finger to the global banking establishment after the 2008 crash, when they wanted to loot the country under the legal cover of utter fraud of the population.
+
+You only need the email for registration. After that, your email will be your username, and you don't have to verify it exists. At least not for now. Who knows what the future will bring.
+
+So sign up for the VPS, in which you can set up a webserver.
+
+
+The web server
+==============
+
+Settings up a webserver is out of the scope of this post.
+
+However, all you need is a vanilla server that serves any file in a given directory.
+
+
+The posts
+=========
+
+How do we get the content to the server?
+
+First of all, remember that the same anonymity precautions are valid for any connection you make to the VPS.
+
+Having established that, here's a small shell script [1]_ that will upload a file to a random identifier, while creating
+
+* A retrieval URI
+* A QR code for the retrieval URL
+
+.. code-block:: bash
+
+ REMOTEPROTO=${REMOTEPROTO:-http}
+ REMOTESSHHOST=${REMOTESSHHOST:-localhost}
+ REMOTEHOST=${REMOTEHOST:-localhost}
+ REMOTESSHPATH=${REMOTESSHPATH:-/var/www}
+ # note this should handle missing start or end slash if exposed!
+ REMOTEPATH=/
+ TMPDIR=/tmp
+
+ fi=$1
+
+ if [ ! -f "$fi" ]; then
+ exit 1
+ fi
+
+ uu=$(uuidgen)
+
+ d=$(mktemp -d)
+
+ ext=${fi##*.}
+
+ fn="$uu.$ext"
+
+ fo=$d/$fn
+
+ cp $fi $fo
+
+ scp -q $fo ${REMOTESSHHOST}:${REMOTESSHPATH}
+ ssh ${REMOTESSHHOST} chmod 644 ${REMOTESSHPATH}/$fn
+
+ url="${REMOTEPROTO}://${REMOTEHOST}${REMOTEPATH}$fn"
+
+ qrencodebin=$(which qrencode)
+ if [ ! -z "$qrencodebin" ]; then
+ $qrencodebin "$url" -s 10 -m 6 -o $TMPDIR/${uu}_qr.png
+ fi
+
+ echo $url
+
+Simply:
+
+1. Generate a random identifier as a file basename
+2. Attach the file extension to the filename
+3. Make a file copy through SSH to the public web folder of the VPS
+4. Share the URI (or qr code stored to `$TMPDIR` with the same name) to retrieve.
+
+
+The get
+=======
+
+Safety always depends on the weakest link in the chain.
+
+In this example, your privacy is not necessarily compromised by stupidity on the other end, that does not mean that the other party is secure.
+
+But I would beg of you; show me one single example where this isn't the case. Where the sender and/or receiver:
+
+* is in full control of their client
+* is in full control of their node, receiving or sending
+* is in full control of their relay
+
+I have looked! Oh my, have I looked. Let's look at some of them?
+
+
+Signal
+------
+
+`Signal <https://signal.org>`_
+
+Yes, the canonical safe space. Endorsed by Snowden himself. The forward- and backward secret axolotl crypto protocol.
+
+... and it asks for your phone number.
+
+Ant how many places in the world do you get anonymous phone numbers anymore?
+
+Norway, where I'm from, will ask you for your digital ID.
+
+The belgians distribute fucking passport scanners to their SIM card vendors.
+
+Portugal, where I live, actually still offers them. For now.
+
+And many places there is still a second-hand market available.
+
+But in general, you have to bend or break the law to get them.
+
+So that's the premise for your super-secret app? Sorry, I don't buy it.
+
+... and apart from that, good luck setting up your own infrastructure.
+
+
+Session Messenger
+-----------------
+
+`Session <https://getsession.org>`_
+
+The app is immature.
+
+The GUI is buggy.
+
+The anonymity is arguably less than with Signal.
+
+If only setting up your own node was easier.
+
+It's not.
+
+It's *SO* complicated.
+
+And it even requires buying into the `Oxen <https://oxen.io/>`_ cryptocurrency, which is its own snake pit of track coverings.
+
+
+
+Deltachat
+---------
+
+`DeltaChat <https://delta.chat/en/>`_
+
+I absolutely adore Deltachat.
+
+If content secrecy was all I cared about, I would say that this service is the no-brainer default.
+
+It is email-as-a-chat, making the encryption part automagical and easy.
+
+No evil middle party involved. Largely like the original intention of email and Pretty-Good-Privacy.
+
+I may do a separate post on how this option could be implemented within the same security scope of the webserver VPS, but it will take quite a bit more effort for the provider.
+
+But as stated; *who* is talking to *who* is less of a secret here.
+
+
+SimpleX
+-------
+
+`SimpleX <https://simplex.org>`_
+
+This is a newer arrival, and it stands out in two aspects in particular:
+
+* Running a node is *easy*, and requires *no resources*.
+* It has a bundled CLI client!!
+
+Like Signal, it offers double-ratchet encryption.
+
+However, unlike most all other applications, it tries to make its absence of a user id its selling point. The idea is you make a connection link on the fly, and that connection link is never translated to an ID.
+
+And yes, this theoretically helps avoid collateral damage when one conversation pair is disclosed. Let's say the authorities seize your friend, and forces him or her to decrypt his or her phone. They can see what he or she wrote, but not necessarily any identity of counterparties (except for whatever is disclosed in the messages themselves, of course). It is a neat, neat trick.
+
+
+whatever-paste-as-a-service
+---------------------------
+
+Yes, for sure. Hiding among the masses works perfectly.
+
+**IF** you will encrypt the data you post yourself. Because whatever encryption offered by the server is not under your control.
+
+Will you?
+
+Really?
+
+Securely?
+
+Good for you!
+
+But if not: You're screwed!
+
+In this case - at a minimum, the other party should be retrieving the file using the same precautions as you took above. Tha is, through a VPN or Tor or public wifi, or all two or three.
+
+Remember, though, that not all cases are a question of both parties being secret. If the retriever does not have to hide (much), then they may act accordingly.
+
+
+..
+
+ .. [1] You will need the `qrencode` packagefor that
diff --git a/content/20240517_localmd.rst b/content/20240517_localmd.rst
@@ -2,6 +2,7 @@ Support Your Local Viewer
#########################
:date: 2024-07-07 21:03:40
+:updated: 2024-07-21 01:53:05
:category: Offlining
:author: Louis Holbrook
:tags: bash,markdown,pandoc,vimb,w3m,lynx,xdg
@@ -21,7 +22,7 @@ So much everywhere, in fact, that it's kind of puzzling there is not a dedicated
Pinning down markdown
=====================
-There is no shortage of applications that *can* render markdown. Among the alternatives are free code editors like Atom_ or Geany_, the browser plugin `Markdown Viewer`_ and even a dedicated markdown editor like Marktext_.
+There is no shortage of applications that *can* render markdown. Among the alternatives are free code editors like Atom_ or Geany_, the browser plugin `Markdown Viewer`_ and even a dedicated markdown editor like Marktext_, retext_ and ghostwriter_.
And of course, there exist SaaS offerings such as hackmd_. But seeing as those are not alternatives for offline use, we don't concern ourselves with those here.
@@ -282,3 +283,7 @@ And voilá:
.. _love to know: https://holbrook.no/msg
.. _ini: https://en.wikipedia.org/wiki/INI_file
+
+.. _retext: https://github.com/retext-project/retext
+
+.. _ghostwriter: https://ghostwriter.kde.org/
diff --git a/content/20240726_putanon.rst b/content/20240726_putanon.rst
@@ -0,0 +1,195 @@
+An anonymous content server
+###########################
+
+:date: 2024-08-10 18:23:30
+:category: Hygiene
+:author: Louis Holbrook
+:tags: ssh,bash,apache,http,qr
+:slug: put-anon
+:summary: How to set up your own mini-service to share files anonymously
+:lang: en
+:status: published
+
+
+Let's say you want to share files or contents with someone you don't know. And you don't want to reveal anything about yourself.
+
+And let's say, being a concerned and responsible cyber-citizen, you will host the service yourself.
+
+A few lines of bash script and a webserver is all you need.
+
+
+Dis-blamer
+==========
+
+Staying fully anonymous is out of scope of this post.
+
+And as you've probably have heard, staying anonymous on the internet is really, really hard.
+
+Correct that. Staying anonymous on the internet will demand inconveniences that you are most likely not prepared to endure.
+
+We'll be getting into that some other time.
+
+Meanwhile, I don't want you to blame me if you dis-, mis- and malinformation [1]_ Thought Police come knocking because of what you posted on your content server.content server.
+
+So let's first be clear what we don't cover here.
+
+
+Host registration
+-----------------
+
+To register for a hosting provider, you still need an email. Everywhere. To my knowledge, at least [2]_.
+
+To get an email, you may need to provide an email. Or a phonenumber. And so on...
+
+
+Safe connection
+---------------
+
+Are you using VPN or overlay?
+
+How did you pay for the service?
+
+Are you sure they're not keeping logs?
+
+Is your DNS leaking?
+
+Remember: You need to use a safe connection whenever you are interacting with the server. Not only when you are setting up.
+
+
+Payments
+--------
+
+If you pay with card, privacy is out the window anyway.
+
+So crypto is really the only way. And making sure the crypto cannot be traced back to you is tricky in itself.
+
+
+
+The anonymous host
+==================
+
+Now, let's pretend you got through all of these precautions, and you are ready to sign up for hosting for your content server.
+
+There *are* options out there that will let you establish a VPS for a small amount of cryptocurrency per year. I have had luck with using `1984.is <https://1984.is>`_ [3]_. That is not an endorsement, and I'm sure there are other similar options out there.
+
+Now that you have a VPS, you can set up a webserver.
+
+
+The web server
+==============
+
+Settings up a webserver is out of the scope of this post.
+
+I use `Apache Webserver <https://apache.org>`_ myself. I've always used Apache Webserver. You can consider *that* an endorsement!
+
+You don't really need to set it up much either. All you need is a vanilla server that serves any file in a given directory.
+
+
+The posts
+=========
+
+How do we get the content to the server?
+
+First of all, remember that the same anonymity precautions are valid for any connection you make to the VPS.
+
+Having established that, here's a small shell script [4]_ that will upload a file to a random identifier, while creating
+
+* A retrieval URI
+* A QR code for the retrieval URL
+
+.. code-block:: bash
+
+ REMOTEPROTO=${REMOTEPROTO:-http}
+ REMOTESSHHOST=${REMOTESSHHOST:-localhost}
+ REMOTEHOST=${REMOTEHOST:-localhost}
+ REMOTESSHPATH=${REMOTESSHPATH:-/var/www}
+ # note this should handle missing start or end slash if exposed!
+ REMOTEPATH=/
+ TMPDIR=/tmp
+
+ fi=$1
+
+ if [ ! -f "$fi" ]; then
+ exit 1
+ fi
+
+ uu=$(uuidgen)
+
+ d=$(mktemp -d)
+
+ ext=${fi##*.}
+
+ fn="$uu.$ext"
+
+ fo=$d/$fn
+
+ cp $fi $fo
+
+ scp -q $fo ${REMOTESSHHOST}:${REMOTESSHPATH}
+ ssh ${REMOTESSHHOST} chmod 644 ${REMOTESSHPATH}/$fn
+
+ url="${REMOTEPROTO}://${REMOTEHOST}${REMOTEPATH}$fn"
+
+ qrencodebin=$(which qrencode)
+ if [ ! -z "$qrencodebin" ]; then
+ $qrencodebin "$url" -s 10 -m 6 -o $TMPDIR/${uu}_qr.png
+ fi
+
+ echo $url
+
+Simply:
+
+1. Generate a random identifier as a file basename
+2. Attach the file extension to the filename
+3. Make a file copy through SSH to the public web folder of the VPS
+4. Share the URI (or qr code stored to ``$TMPDIR`` with the same name) to retrieve.
+
+
+Get a way
+=========
+
+So you have the link. You show the QR code. The other party scans it and all is good.
+
+But, can it still be used if you share it digitally?
+
+You just send it off to whoever is the recipient, right?
+
+Not so fast.
+
+If you send the link from an email address that is linked to you, that may also link the content server to you. Then all of the above may have been for naught.
+
+And any other email address you send it from, will be linked to the recipient and the content when future emails are sent.
+
+Remember, the recipient's email server (which is very likely to be G00gl€, Amaz0n or Micr0$0ft) **can plainly read all your emails**. Unless you are messing with PGP. Which you should. Which is very unlikely that you are.
+
+Encrypted messengers? Well, they may not be as encrypted as you think. And the same problem applies: If you use one for something, then that something will create context for other things you use it for.
+
+
+Proportional paranoia
+---------------------
+
+There is scarcely any limit to how paranoid you can get when you start to decompose problems like this.
+
+So only worry about what is reasonable to worry about.
+
+In this case, the issue is to protect your identity from the recipient. Maybe you shouldn't worry about a third party listening in.
+
+Worrying an knowing doesn't have to be the same thing, though. And one thing we do know is that something is listening. To everything. Always.
+
+
+..
+
+ .. [1] You can't make this stuff up: "Malinformation is the intentional spreading of genuine information with the intent to cause harm." - [USA Homeland Security](https://www.dhs.gov/sites/default/files/2022-08/22_0824_ope_hsac-disinformation-subcommittee-final-report-08242022.pdf) ([copy](https://g33k.holbrook.no/1ff4b6a6ad8556884de6fc0bfe4756a1ade34cf32abe67c69dba9f16eeeef283))
+
+
+..
+
+ .. [2] If you know of any that do *not* require an identifier in others' custody to sign up, please let me know: `<http://holbrook.no/msg>`_.
+
+..
+
+ .. [3] In general, Iceland seems a good territory for digital anonymity and sovereginty ever since they gave the middle finger to the global banking establishment after the 2008 crash, when they wanted to loot the country under the legal cover of utter fraud of the population.
+
+..
+
+ .. [4] You will need the ``qrencode`` package for that
