Sleep soundly with JungleDisk and Amazon S3

Some time ago, a friend's house was broken into, and some bits and pieces were stolen. One of those pieces was the family's laptop with six or seven years of digital photographs stored on it. Next to the laptop lay a stack of DVDs on which my friend's wife wanted to back up the photos and some other personal data. Unfortunately, it was to be the very first backup of the laptop. With the thief went all the photographs of the kids' lives. It is very unfortunate (and exceedingly stupid, being an IT guy!) that he didn't do anything in terms of backup.

As many of you know, I'm almost paranoid in terms of backing up my data, and I care a great deal for where I locate the data I back up; it is useless to keep the backup next to the computer(s) you are backing up: theft and fire can take care of both very quickly. Keeping current backups off-site is easy, if you remember to swap the data carriers once in a while, but it is a bit of a pain.

Amazon (yes, the book people) have a service called S3. You apply for an S3 account with your regular Amazon credentials (e-mail address and password), and they offer as much storage as you want, for as long as you need it. What makes S3 unique, is that you don't pay a flat fee: you pay for what you use. Every GB of data you store costs USD 0.15 (or 0.18 for Europeans) per month. Every GB you upload or download costs USD 0.10. Knowing that, you can easily calculate what backing up your data will cost you per year (use the Amazon calculator as a guide).

With Amazon S3 alone, an end-user can't do very much: you need tools to deposit and access data, and that is where JungleDisk comes in.

JungleDisk is a marvellous little program, which costs a one-time fee of USD 20.00. It is easy to set up, and JungleDisk assists you with the process of signing up for Amazon S3 by pointing you to the correct URLs at the Amazon web sites.

If you use a single S3 key with it, you can use JungleDisk from your Windows, Mac OS X and Linux computers at the same time if you like. You give JungleDisk your S3 key and it handles the data management on your S3 account for you. So for example, you can use JungleDisk to back up your files at home, and retrieve them on your laptop at the office. JungleDisk maps your S3 storage onto a drive (on Windows) or a volume (on Mac). On Linux you use the command-line program (jungledisk) to mount your S3 storage using FUSE. With this, you can, for example, rsync your backups into JungleDisk, which then transparently uploads those to Amazon's S3 storage. Additionally, JungleDisk provides a WebDAV-compatible service that you access via TCP port 2667 on the loopback interface.

You can access the WebDAV interface from Windows, from the Mac OS X Finder, or from Linux. Even with cadaver if you want to:

$ cadaver http://localhost:2667/
...

The JungleDisk GUI (available on all platforms) offers automatic backups.

The buckets stored on the S3 servers are encrypted by Amazon's service. Theoretically it is possible for Amazon employees to access that data, but it isn't very likely they'd do that. JungleDisk supports additional AES encryption of the files you submit to it. It works like this: you configure JungleDisk with an encryption key, effectively a passphrase you set (don't use a comma in it), with which JungleDisk encrypts the files transparently between itself and S3. When you attempt to access a file (via JungleDisk), it transparently decrypts it with your key, giving you the original data. You don't have to manually encrypt the files (with GPG or whatever): JungleDisk handles the encryption for you.

Amazon S3 allows you to divide your online storage space into multiple "buckets". Each bucket has its own set of files and directories that are completely separate from all other buckets. You can only access a single bucket at a time within Jungle Disk, and you cannot copy files and folders between buckets. Most users should be able to use just a single bucket for all their files, even when using Jungle Disk on multiple machines. However, Jungle Disk does allow you to create alternate buckets under your account if desired.

JungleDisk has good documentation, some answers, is actively supported and has an active support forum. You can get started immediately, by downloading JungleDisk and trying it for a month; but you will of course require an Amazon S3 account.

There are alternative services to S3, some of them even free of charge, but remember: you get what you pay for.

Tumi & TSA

Lady Mens gave me a lovely new Tumi trolley bag to replace the very embarrassing (because broken) one I had.

The included combination lock looked funny, so I glanced at the instruction leaflet for the lock, wherein it says:

The Tumi combination lock is recognized by the TSA (Transportation Security Administration), and allows the TSA to open the lock using special access codes should the need arise for a security search. This lock can then be re-locked by the TSA with no damage to the lock or your bag.

WTF? I may be a bit naive sometimes, but is Tumi trying to tell me that they give a backdoor into my luggage to persons unknown to me? That these persons can open my luggage, rummage around, extract (or even worse, insert!) items into my luggage, and close the lot up without me noticing?

And I thought the Vorratsdatenspeicherung was bad enough…

That lock is going straight into the rubbish.

Difference between RAID 0 and RAID 1

What's the difference between Raid 0 and Raid 1?

In Raid 0 the zero stands for how many files you are going to get back if something goes wrong.

[Thanks, Simon. :-)]

OpenVPN

OpenVPN by Markus Feilner is a comprehensive reference to the excellent OpenVPN software. The book's subtitle, Building and Integrating Virtual Private Networks, does it justice.

In 11 chapters, the author introduces VPN and VPN security, shows you how to install OpenVPN on a number of different platforms (incl. Linux, Mac OS X and Windows), and runs the reader through configuring OpenVPN as a server and/or as a client.

Securing OpenVPN with X.509 Certificates is well covered, including creating certificates with some special (GUI) tools. The OpenVPN configurations are well covered and the book closes with a chapter on Advanced configuration (tunnels, scripting, authentication, etc.) and Troubleshooting.

All in all, the book is for advanced users. The introduction is a bit quick for a novice.

The book lacks diagrams of what the author is showing us when he builds tunnels and discusses possibilities. Without a great deal of imagination (or experience), it is hard to follow without network diagrams.

Apart from that, I recommend the book to anybody who has to set up OpenVPN, and it is good that Feilner shows very clearly what you do if you are on Windows XP.

TrueCrypt now has System Encryption

This is good news: TrueCrypt, the open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux, now supports full disk encryption. This System Encryption can encrypt a whole partition, and it offers pre-boot authentication which forces you to enter a password when the system boots.

That should solve the spot of trouble that Chris reported about… ;-)

A tale of two upgrades

Two upgrades performed since yesterday: one on a ReadyNAS NV, and the other on SafeBoot.

First the good: I upgraded my ReadyNAS NV+ from its web interface to RAIDiator 4.00c1-p2, which was completely painless and works as advertised, directly from the FrontView web interface.

One reboot later, the system was up and running. Beautiful.

Then the bad and the ugly: I wanted to upgrade my SafeBoot installation from version 4.2 to version 5 because the speed of hibernation has increased thirty-fold in the newer version. No problem, thought we; install the new version, reboot and bob is your uncle.

The reboot looked promising and the hibernation really is very much faster. What the program doesn't tell you though, is that it totally fucks up the partition table. Now that is one bit of miserable software (I mean the partition table. Oh, and I also mean any software that screws with it). Not that it deletes partitions, but SafeBoot sort of moved some sectors around. Not much mind you:

the situation "before":

/dev/sda4 : start=128744910, size=105691635, Id= f
/dev/sda5 : start=128744973, size=105691572, Id=8e

the situation "after":

/dev/sda4 : start=128680650, size=105755895, Id=8e

You'll see some bits missing (duh!) and a little bit of "movement" in the sizes and starting sectors of the partition.

Now, might that be a reason why my CentOS doesn't want to start up any more? :-(

About seventy-two reboots later, after having uninstalled SafeBoot (meaning two hours for decryption), the system was back to normal. Oh yes, we called support, after all that is why you have a corporate support contract, isn't it? Their answer: "it appears that the partitions have been changed. Reinstall the system". Good thing, a support contract; we wouldn't have otherwise known… Damn them!

I'm back to SafeBoot 4.2. Thanks for fifteen billable hours wasted!

X.509/SSL Certificate prolongation

Several years ago (5 to the week) I designed and implemented a PKI infrastructure for enrolling users, enabling them to send secure (i.e. encrypted) S/MIME messages. The nifty bits were that we have an off-site enrollment "agency" that creates the private keys, which are kept in a safe, and a certification authority that does the actual signing. The enrollment agency and the authority transmit signing requests and signed (public) certificates to each other via custom-made XML messages. The whole thing is of course managed in LDAP.

All has been well, and both OpenSSL and the pile of code I wrote at the time, have been performing admirably. Just one thing was missing, and that was certificate renewal, which I postponed, because I knew I had plenty of time® to implement that.

Time flies…

Suddenly, the first announcement of expired certificates arrives. Damn. Ok, no problem: simply renew the certificate, right? OpenSSL foresees that, so I simply start re-issuing the certificates from the original Certificate Signing Requests, which we keep in store; that is easy.

No sir. Nothing doing.

Upon re-issuing a certificate, it gets a new serial number assigned and the combination of that plus the private key is not sufficient to access S/MIME messages encrypted to the old certificate pair. It took a bit to find, but I managed to create some code which does just that. Actually it is of course documented: if you look carefully at section 6.2 of RFC 3852 the fog lifts.

Remember: re-use the serial number, or you are in trouble. :-)
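
The behaviour described in this post can be reproduced with the openssl command line. This is an added example, not the author's code: by default the RecipientInfo of an encrypted message (RFC 3852, section 6.2.1) names the recipient by issuer and serial number, so a certificate re-issued from the same CSR with a different serial no longer matches. The CA, subject names, serial numbers and message below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The CA, subject names, serial numbers and message are constructed.
renewal_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Throwaway CA, plus one user key and its CSR (kept on file, as in the post).
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Example CA" -days 30 2>/dev/null || exit 1
        openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
            -subj "/CN=Example User" 2>/dev/null || exit 1

        issue() {   # issue SERIAL OUTFILE: sign the stored CSR with a chosen serial
            openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key \
                -set_serial "$1" -days 30 -out "$2" 2>/dev/null || exit 1
        }
        issue 0x1001 old.pem            # original certificate
        issue 0x2002 new-serial.pem     # renewal with a fresh serial number
        issue 0x1001 same-serial.pem    # renewal that re-uses the old serial

        # A message encrypted to the original certificate. By default the
        # RecipientInfo names the recipient by issuer and serial number.
        printf 'constructed test message\n' > msg.txt
        openssl cms -encrypt -aes-256-cbc -in msg.txt -outform DER \
            -out msg.p7m old.pem || exit 1

        try() {     # try CERT: decrypt, matching the RecipientInfo against CERT
            if openssl cms -decrypt -inform DER -in msg.p7m \
                -recip "$1" -inkey user.key >/dev/null 2>&1
            then echo ok; else echo fail; fi
        }
        echo "old=$(try old.pem) new-serial=$(try new-serial.pem)" \
             "same-serial=$(try same-serial.pem)"
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

renewal_demo
```

When the sender identifies the recipient by subject key identifier instead (`openssl cms -encrypt -keyid`, which requires that extension in the certificate), the match does not depend on the serial number.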

Constitutional complaint

I usually stay out of politics, but this time the Bundestag is going too far. I am therefore supporting the constitutional complaint that will be filed if the Federal President signs the law introducing the Vorratsdatenspeicherung (data retention) in Germany.

The class action costs nothing for those who take part. More information is available here, and the form is here.