- I strongly prefer to keep social networks in a “privacy container”. It is no business of Facebook, where I surf on the web. Thus, I’d like to keep social networking sessions separate from my day-to-day surfing (this also applies to my Google account, of course).
- When chatting, it is an absolute necessity for me to be able to use my keyboard. Smartphones are, in my opinion, not a good device to use for chatting. Typing on a touchscreen slows me down in an unbearable manner—not to mention the fact that half of my data is not available on my smartphone.
As long as I used Facebook, I was content to open up a Firefox “private window” whenever someone messaged me, continuing the conversation from there. This required a single login, but I regularly could type that faster than the page loaded. However, with WhatsApp this is different. The web interface requires me to scan a QR code every time I want to log in. I will not comment on the architectural reasons behind that (it’s just too ridiculous). However, another approach is needed.
My plan, therefore: Having a dedicated Firefox session for social networks and chatting.
Unfortunately, Firefox does not support running two separate processes as the same user. It does support having different user profiles—but those cannot run in parallel. I would have had to shut down my regular session to open the social network session. Not an option!
So I came up with the idea of creating a dedicated user for running this Firefox session. Turns out this is not quite as straightforward as expected, but with a bit of hacking it works surprisingly well.
Step 1: I need a new user. I’ll call this one “snim” for “Social Networks and Instant Messaging”. Under Ubuntu:
sudo adduser --disabled-password snim
I disabled the password, because I do not want to ever log into that account. It’s just there for running my Firefox process.
At this point I expected step 2 would be as easy as allowing a sudo for Firefox. Turns out it is not: Firefox needs access to the current X11 session and requires a full user environment to play nicely with temporary files and the like. So sudo -u snim firefox actually does not work. Well, the solution is to create a small shell script, instead:
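#!/bin/sh
# Allow X11 access for the local user "snim" only; a bare "xhost +" would disable access control for every client
xhost +SI:localuser:snim
su -c firefox - snim # Execute firefox in the environment of "snim"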
There’s still the problem that this script would ask me for the password of “snim”—which I deliberately deactivated before. So, instead I’ll have to add a line to the /etc/sudoers file that allows me to execute that script without asking for a password. The line is simple:
# ... (stuff before)
# ... at the end: the firefox-hack
myusername ALL=(ALL) NOPASSWD: /path/to/my/firefox_hack
Of course, “myusername” has to be replaced with the actual user name and “/path/to/my/firefox_hack” should be the path to the script above.
Having that, a sudo /path/to/my/firefox_hack will start a separate Firefox session without asking for a password. In that session I can now keep Facebook, WhatsApp and Google logged into my accounts at all times, without having any other data from my regular browsing session “spill over”. I keep the three websites open in tabs, set Firefox to remember my tabs, and define a shortcut for the sudo command above. Bam! Convenient privacy-aware social networking and chatting :)
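The sudoers rule above runs the script as root without a password, so neither the script nor its directory may be writable by the calling user. The check below is an added example, not part of the original post; the function name `audit_sudo_target` and the demo path are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a script that a
# sudoers NOPASSWD rule lets an unprivileged user run as root.

# audit_sudo_target PATH [OWNER_UID]
# Prints each finding and returns non-zero if the file, or the directory that
# holds it, could be modified by anyone other than OWNER_UID (default 0 = root).
# Only the immediate directory is checked, not every parent up to /.
audit_sudo_target() {
    target=$1
    want_uid=${2:-0}
    rc=0
    if [ ! -f "$target" ] || [ -L "$target" ]; then
        echo "FAIL: $target is not a regular file"
        return 1
    fi
    for p in "$target" "$(dirname "$target")"; do
        uid=$(stat -c '%u' "$p")
        mode=$(stat -c '%a' "$p")
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $p is owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # The last two octal digits are group and other; 2, 3, 6, 7 carry the write bit.
        case $mode in
            *[2367]?|*[2367])
                echo "FAIL: $p has mode $mode (group/other writable)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed demo: a world-writable script in a private temporary directory.
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/firefox_hack"
chmod 777 "$demo/firefox_hack"
audit_sudo_target "$demo/firefox_hack" || true
```
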
Anyone hosting internal critical services today is well advised to protect them properly behind a firewall. Linux usually does a pretty good job at that—at least if your bandwidth requirements aren’t too excessive. It is a very good idea to use a graphical tool to create a ruleset, instead of writing iptables rules manually, and fwbuilder tends to get the job done quite nicely.
On the other hand, employees need access to internal information when they are on the road. OpenVPN is a great open source tool to enable this scenario, with nice clients for all major operating systems. New keys are easily generated, and with a bit of scripting, setting up a new laptop for a road worker becomes really trivial.
Is it a good idea to host the OpenVPN service on the firewall itself? In my opinion: yes. The two tasks—firewalling and VPN—are conceptually the same: Regulating network traffic from and to internal machines. Moreover, hosting the VPN access point on the firewall has the added benefit of being able to distinguish individual VPN clients at the firewall before any NAT kicks in.
However, I was seeing major issues with this setup. In particular, my VPN clients could connect just fine, but no packets could traverse the firewall. No matter what rule I added, and how lenient the firewall was set, packets disappeared right after exiting the VPN tunnel—no matter whether NAT was active or not. The strangest symptom I got: Even after flushing all rules, access was still not possible for the VPN clients. Only when the machine was restarted, and before the firewall was reinstated, did VPN work. So the problem was apparently not with VPN, but with the firewall. But I just couldn’t find the problem. It was driving me mad!
It took me literally ages to find out that fwbuilder actually deletes old routes on the host when it is asked to install additional ones. This included an apparently vital OpenVPN route that was unintuitively set to use X.X.X.2 as the gateway. Must be some kind of default config—I’m pretty sure I never touched that. The “2” was also the reason that this change escaped my attention for so long.
Bottom line (TL/DR): fwbuilder is a really versatile tool. But check what it does to your network configuration. Changes are not limited to iptables!
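One way to catch this kind of side effect is to snapshot the routing table before and after installing a ruleset and list what disappeared. This is an added example, not part of the original post or of fwbuilder; the function names and the sample routes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Take the snapshots with, e.g.:
#   ip -4 route show > before.txt; <install ruleset>; ip -4 route show > after.txt

# Print every route that is in snapshot $1 but no longer in snapshot $2.
missing_routes() {
    b=$(mktemp) && a=$(mktemp) || return 1
    # Collapse whitespace so formatting differences are not reported as changes.
    sed 's/[[:space:]][[:space:]]*/ /g; s/ $//' "$1" | sort -u > "$b"
    sed 's/[[:space:]][[:space:]]*/ /g; s/ $//' "$2" | sort -u > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# Turn the missing routes into commands for review (printed, never executed).
restore_commands() {
    missing_routes "$1" "$2" | sed 's/^/ip route add /'
}

# Constructed sample snapshots; all addresses are illustrative only.
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.txt" <<'EOF'
default via 192.0.2.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
EOF
cat > "$demo_dir/after.txt" <<'EOF'
default via 192.0.2.1 dev eth0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
EOF
restore_commands "$demo_dir/before.txt" "$demo_dir/after.txt"
```
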
Despite what we attain,
Trapped in our lives,
Driven by our own wrath
Success our mask of happiness
The stale victories,
That we lost nonetheless
Carried by our hope,
Above all doubt,
Symbol of a better world,
Is now desecrated by the banal,
The lofty idol
Disfigured by the everyday.
Now that all wounds are dealt,
All pains endured,
As life endlessly trickles away from us
Nothing remains but the cold of the night
And gray fog,
That quietly enfolds me.
Installing WordPress on current Ubuntu versions is reasonably easy when using the repositories. There is, however, one drawback to using the repos: The WordPress version you will get tends to be somewhat out of date and some plugins may refuse to work with it. Regarding security updates, I guess it boils down to whom you trust more: the WordPress developers or the Ubuntu repository maintainers. As for me, I found that after upgrading Ubuntu to 14.04 the WordPress version I got was pre-4.0 and I wanted 4.0 at least. I could have apt-get remove wordpress, but I didn’t want to lose my existing configuration. So I had to find out how to switch from the Ubuntu version out of the repositories to the official WordPress release.
I just wrote a small Webservice that creates a nicely formatted list of references in PDF format from a raw BibTeX file. I have needed that a few times already. Since I was cleaning up my computer and didn’t want to lose the functionality, I “outsourced it to the cloud”, so to speak :)
(shamelessly copying the style of Randall Munroe of XKCD fame)
Academic publications in the area of computer science (actually, most natural sciences, as well) are often prepared using the LaTeX typesetting system. LaTeX is great for a number of reasons. It separates content from presentation and, thereby, allows authors to concentrate on one without worrying too much about the other. While pure LaTeX already offers a large number of options for authors, its full power really stems from the abundance of specialized packages available for almost everything related to typesetting and page layout.