\documentclass{beamer}
\hypersetup{pdfpagemode=FullScreen}
\title[Dodging Raindrops]{Dodging Raindrops: Escaping the Public Cloud}
\subtitle{A User Story of De-Google-ication Using FreeBSD and Other Open Source Software}
\author{Michael ``Ike'' Eichorn}
\date{BSDCan 2016}
% At the start of every \section, insert a "Table of Contents" frame that
% highlights the section about to begin (currentsection shades the others).
% The empty optional argument [] means starred sections (\section*) get no such frame.
\AtBeginSection[]
{
  \begin{frame}
    \frametitle{Table of Contents}
    \tableofcontents[currentsection]
  \end{frame}
}

\begin{document}

\frame{\titlepage}

\begin{frame}
\frametitle{Table of Contents}
\tableofcontents
\end{frame}

\section{Who is the Guy? And Why Should I Listen?} % 3 -- 3

\begin{frame}
\frametitle{From Windows Fanboy to BSD User}
\begin{itemize}[<+->]
\item Windows Vista and my college laptop the Thinkpad X61t
\item Windows 7 not enough configuration options
\item Ubuntu was my gateway, but upgrades were terrible
\item Mangling .deb and .rpm distros
\item Archlinux gateway to the terminal
\item The crash that brought me to BSD
\item FreeBSD to OpenBSD to PCBSD to FreeBSD
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{The Day Job}
\begin{itemize}[<+->]
\item Mechanical Test Engineer
\item `Data Engineer'
\item And by Mechanical I mean Aerospace
\item Not Admin, Not Programmer, but an `Operator'
\item FORTRAN 77 with bad comments
\item `Like we did it last time'
\item (And by `last time' they mean 10--15 years ago)
\item A member of the \TeX\, faction
\item Hater of Excel
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Yea, but Why Should I Listen to You}
\begin{itemize}[<+->]
\item I am in front of you
\item I have the podium
\item I like to hear myself talk
\item IANALawyer
\item IANADev
\item IANASysAdmin
\item IANANetAdmin
\item I am a User
\end{itemize}
\end{frame}

\section{What Does He Have Against Google and the Cloud?} % 3 -- 6

\begin{frame}
\frametitle{A \emph{Reasonable} Expectation of Privacy}
\begin{itemize}[<+->]
\item Everyone has the right to record anything that is public
\item Most legal systems recognize a right to privacy
\item In the USA the 4th Amendment restriction on searches and seizures uses the ``Reasonable Expectation of Privacy'' test
\item This is a problem because the test can be twisted: deny in some way, for long enough, that there is an expectation of privacy, and the expectation becomes lost
\item Some thought in the liberal tradition held that merely searching one's papers was potentially on par with a violation of freedom of thought.
\item The nothing to hide argument is short sighted and lazy
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{The Third Party Doctrine and the ECPA (USA)}
\begin{itemize}[<+->]
\item The Third Party Doctrine -- If you voluntarily give information to third parties you have no reasonable expectation of privacy over that information.
\item 1967 -- US v. Katz -- wiretapping a public phone booth is a search and requires a warrant.
\item 1976 -- US v. Miller -- No privacy in banking records -- Third Party Doctrine Established
\item 1979 -- Smith v. Maryland -- No privacy in phone records 
\item 1982 -- RFC 821 -- SMTP Standardized
\item 1984 -- RFC 918 -- POP Standardized
\item 1986 -- The Electronic Communications Privacy Act -- Emails left unopened for 180 days are abandoned and not private, Opened Emails are not private
\item 1988 -- RFC 1064 -- IMAP Standardized
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{So Who `Owns' that Data}
\begin{itemize}[<+->]
\item Possession is 9/10 of the Law
\item If your neighbor was keeping your lawnmower and sold it, you could sue them.
\item All of those Terms of Service really make you abandon most of your rights.
\item Are you really the customer or is it really some advertiser who is the customer?
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Digital Data Wants to be Copied}
\begin{itemize}[<+->]
\item DRM does not work well if at all
\item Copies are economically almost free
\item Copying does not harm the original
\item The cost is all in creation, transmission, and storage.
\item Privacy and Copyright are human notions we put on data, not an inherent property of data.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{To Companies and Governments You are Data}
\begin{itemize}[<+->]
\item With friends and family we interact as individuals, actions are based on personal knowledge
\item Beyond that scope social and commercial interaction must use less personal knowledge
\item At some scope you and your preferences can be aggregated with other individuals
\item While one person may be unpredictable, a sufficient number of people will be predictable.
\item Credit Scores and other Single Numbers
\end{itemize}
\end{frame}

\section{Three Domains Served From Home} % 7 Min -- 22

\begin{frame}
\frametitle{The Hardware}
\begin{itemize}[<+->]
\item Athlon 64 X2 on a Socket AM2+ Board
\item Purchased in mid to late 2000's
\item 4 GiB DDR2 RAM
\item Pair of 3TB WD Reds mirrored with ZFS root
\item No performance tuning at all
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{My ISP}
\begin{itemize}[<+->]
\item A large cable company
\item 30/5 Mbit/s Residential Service
\item Dynamic IP Address
\item No ports blocked
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{The Network}
\begin{center}
\includegraphics[scale=0.25]{netgraph.png}
\end{center}
\end{frame}

\begin{frame}
\frametitle{Jails, Jails, and Even More Jails}
\begin{itemize}[<+->]
\item fileserver
\item http(s) reverse proxy (nginx)
\item wordpress (Apache-MariaDB-PHP)
\item mediawiki (Apache-MariaDB-PHP)
\item PHP website (Apache-PHP)
\item PHP website (Apache-PHP)
\item Static website (nginx)
\item Static website (nginx)
\item SMTP (OpenSMTPD)
\item IMAP (Dovecot)
\item Webmail (Roundcube)
\item CalDav/CardDav (Radicale)
\item Owncloud
\item Experiment of the week
\end{itemize}
\end{frame}

\section{Email with a Residential ISP} % 8 Min -- 30

\begin{frame}
\frametitle{SMTP}
\begin{itemize}[<+->]
\item In my case no ports were blocked so the home email server is the first MX
\item ISP has an outgoing relay that I once used
\item MTA/MSA was Postfix, moved to OpenSMTPD about a year ago
\item Two backup MXs using DigitalOcean in NY and CA
\item I have never had a problem receiving mail
\item Mail is delivered to Dovecot via LMTP
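% Reviewer note: accurate when this talk was given (2016). RFC 8314 (2018) later
% re-registered port 465 for message submission over implicit TLS.
\item SMTPS on port 465 is DEPRECATED and IANA has reassigned it!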
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{IMAP}
\begin{itemize}[<+->]
\item Dovecot -- WARN: Monoculture
\item IMAP + STARTTLS Only
\item Works great with Evolution/Thunderbird/K9
\item Sieve Filtering is great but the documentation was rough
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Spam and Avoiding Blacklists}
\begin{itemize}[<+->]
\item Do not send directly from a dynamic IP, use a relay
\item Backup MXs are already there and make great relays
\item Spam has not really been a problem; spammers do not seem to target domains where the first MX is dynamic
\item Per-website addresses, e.g.\ google@yourdomain.tld, allow you to throw away an address if it is compromised
\item Will soon be adding spam filtering thanks to Aaron Poffenberger's OpenSMTPD Tutorial
\end{itemize}
\end{frame}

\section{File Sharing - Many Solutions} % 5 Min -- 35

\begin{frame}
\frametitle{Requirements}
\begin{itemize}[<+->]
\item Public or Private
\item Level of Security
\item Ease of Use
\item Ease of Setup
\item Robustness
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{FTP}
\begin{itemize}[<+->]
\item No security.
\item Does not behave well with firewalls.
\item Works in a web browser
\item Old and durable
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{SFTP}
\begin{itemize}[<+->]
\item Secured with SSH
\item Easy to setup
\item May not be easy to use for the non-savvy
\item SSHFS is nice
\item SSH is robust
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Plain Old Apache}
\begin{itemize}[<+->]
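% Reviewer note: .htpasswd authentication is typically HTTP Basic, which sends the
% password with every request in an easily decoded form, so it should only be
% offered over TLS (e.g. behind the HTTPS reverse proxy jail listed earlier).
\item Built-in .htpasswd is probably fine for most security needs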
\item Made for serving files
\item Works in all web browsers
\item Robust
\item Populating files would seem to be a problem
\item Unless you do something like SSHFS mount that server directory as /home/user/public
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Owncloud et al.}
\begin{itemize}[<+->]
\item Web-app style login security
\item Fine grained sharing control
\item Desktop sync apps
\item Has been known to lose files
\item *AMP deployment
\item Easy to use and pretty
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Syncthing et al.}
\begin{itemize}[<+->]
\item No easy-to-use config files
\item Works well
\item No way family will use this unless you set it up
\end{itemize}
\end{frame}

\section{My To Do List} % 5 Min -- 40

\begin{frame}
\frametitle{Fixing Things I Broke}
\begin{itemize}[<+->]
\item CalDav/CardDav
\item Taskd (Taskwarrior)
\item Owncloud
\item Local Backup
\item VPN
\item LDAP/Kerberos
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Adding New Tools That Exist}
\begin{itemize}[<+->]
\item XMPP or similar IM solution
\item Nagios/Icinga or similar monitoring solution
\item TinyTinyRSS or similar RSS feed reader
\item Improved Remote Backup (Tarsnap)
\item VOIP
\end{itemize}
\end{frame}

\section{What is Missing? (Or at least hard to find)} % 10 Min - 50

\begin{frame}
\frametitle{Mobile Problems}
\begin{itemize}[<+->]
\item Outside Location tracking generally is too easy on phones
\item Google Maps dominant in navigation.
\item Whole sandboxes are geared to forcing the use of `their' cloud solutions
\item Remember Google bought Android to dominate mobile search.
\item Google Now / Siri are nice, but I want to control my personal assistant not have it be a spy for an advertising company.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Simple Deployments}
\begin{itemize}[<+->]
\item Having lots of knobs is nice, it is a major draw for me.
\item Sane defaults are better.
\item Most users do not want to change all of the knobs and will accept mediocre performance
\item Consider Sendmail vs Postfix vs OpenSMTPD
\item More options are more things to support and test
\end{itemize}
\end{frame}

\section{What was Painful?} % 10 Min - 60

\begin{frame}
\frametitle{Multiple Computer Multidirectional File Syncing}
\begin{itemize}[<+->]
\item Trying to keep local copies in sync is bad everywhere
\item Microsoft Offline Files
\item Unison
\item Owncloud -- sometimes loses files
\item Syncthing - sometimes fails to connect
\item Permissions and UIDs not always part of sync solution
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{NFS}
\begin{itemize}[<+->]
\item I cannot make it work
\item Documentation often skips firewall config
\item Lots of documentation confusion about NFSv3 vs NFSv4
\item I am a rocket scientist and I cannot make it work
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Spam Filtering}
\begin{itemize}[<+->]
\item Lots of solutions but often described as chained together
\item Most documentation seems to assume that all of the components are on the same machine, I want to jail them all separately and connect them on lo0.
\item Thanks to Aaron Poffenberger's OpenSMTPD Tutorial I may be able to finish figuring this out.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{FreeBSD-update Related Booting Problems}
\begin{itemize}[<+->]
\item I have lost my system multiple times to boot problems
\item Would not boot off the ZFS root pool
\item Usually happened after a freebsd-update
\item Never had time to fully diagnose, I only had one server so I restored from backups.
\item There seem to be some ways to shoot your foot off with regard to booting in the update procedure
\end{itemize}
\end{frame}

\end{document}
