Only Threema rated uncritical, Telegram rated critical for privacy

The German “Stiftung Warentest” had a closer look (text is in German) at instant messengers like WhatsApp, Telegram and Threema. The only one with a good privacy rating: Threema.

When Facebook bought WhatsApp, many started to look for alternatives. Telegram was chosen by millions of new users, probably also because it’s free to use. The problem with things free to use on the internet is this: If something’s free on the internet, you are the product.

This seems to be true yet again – Telegram uploads your full address book to the operator’s servers, of course without asking for your permission first. This is even more critical when one of the creators of Telegram is VK, the Russian Facebook alternative.

In contrast, the Swiss-based Threema asks for your permission before uploading your address book, and uses it for synchronization purposes only. Even if uploaded, only aliases are transmitted.

Only Telegram and Threema provide useful end-to-end encryption, but on Telegram it has to be enabled explicitly (Secret Chat), while on Threema you can’t even disable it.

One constraint is left: none of the tested apps is open source.

nginx server status page and interpretation

Server tuning starts with server monitoring. With server-stats you can learn about the usage of nginx.

First, check if nginx has been compiled with --with-http_stub_status_module.

$ /usr/sbin/nginx -V 2>&1 | grep --color with-http_stub_status_module

Check the output for --with-http_stub_status_module. If it’s not there, you must compile it in manually.

If you have it, start by adding this config snippet to your server config:

server {
  listen 127.0.0.1:8200;
  location /server-status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
  }
}

Then, reload nginx. You can query the status page from localhost only with this config. Try it:

$ wget http://127.0.0.1:8200/server-status -qO -

Active connections: 4
server accepts handled requests
488803 488803 1002230
Reading: 0 Writing: 2 Waiting: 2

This reads like this:

We have 4 active connections: 2 of them are currently being served by nginx (Writing), 0 are requesting something (Reading) and 2 are open but have no activity at the moment (Waiting), which is because of keep-alive connections.

The server has accepted 488803 connections and handled 488803 of them (100%). Within these connections, 1002230 requests have been served (2.05 requests/connection).
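
The same interpretation can be scripted. The following is an added example, not part of the original post: a shell function that parses the status page and computes the dropped-connection count and the two ratios from the paragraph above. The function names and the key=value output format are assumptions made for this example.

```sh
#!/bin/sh
# Added example: summarise nginx stub_status output read on stdin.

# Constructed sample, copied from the output shown in this post.
sample_stub_status() {
  cat <<'EOF'
Active connections: 4
server accepts handled requests
488803 488803 1002230
Reading: 0 Writing: 2 Waiting: 2
EOF
}

stub_status_summary() {
  awk '
    /^Active connections:/ { active = $3 }
    # The counter line is the only one holding exactly three integers.
    /^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/ {
      accepts = $1; handled = $2; requests = $3; counters = 1
    }
    /^Reading:/ { reading = $2; writing = $4; waiting = $6; states = 1 }
    END {
      # Refuse anything that is not a complete status page (error page, empty reply).
      if (active == "" || !counters || !states) exit 1
      printf "active=%d reading=%d writing=%d waiting=%d\n", active, reading, writing, waiting
      # accepts - handled > 0 means nginx dropped connections, e.g. at a worker_connections limit.
      printf "dropped=%d\n", accepts - handled
      printf "handled_pct=%.2f\n", (accepts > 0) ? handled * 100 / accepts : 0
      printf "req_per_conn=%.2f\n", (handled > 0) ? requests / handled : 0
    }'
}

sample_stub_status | stub_status_summary
```

On a live server, pipe the wget command shown above into stub_status_summary instead of the sample.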

import and export GPG keys

list keys

List all keys currently in the keyring:

gpg --list-keys

import

To import private and public keys in binary or ASCII format:

gpg --import xyz.key

export

To export your private key in ASCII format, e.g. to send it via E-Mail:

gpg --export-secret-key --armor you@dom.tld > private.key

To export your public key, again in ASCII format:

gpg --export --armor you@dom.tld > public.key

If you don’t need ASCII format, use this for the private key:

gpg --export-secret-key you@dom.tld > private.key

and this for the public key:

gpg --export you@dom.tld > public.key

make git use vim and vimdiff

I like git, vim and vimdiff a lot! Here’s how you configure git to use vim as editor and vimdiff as merge tool:

git config --global merge.tool vimdiff
git config --global core.editor vim

enable SELinux on a Debian DO droplet


Sometimes I have a natural attraction to things making my life more complicated. I could have just installed CentOS. Or rented a dedicated server. Or stopped using SELinux. But I wanted it all. So I’d like to show you how you can install Debian 7 on a DigitalOcean droplet and have SELinux enabled.

The problem is that at DO the kernel comes from outside (KVM) and you cannot manipulate it or its parameters. But you can use kexec to replace the kernel as soon as you’re in control.

Before you begin:

  • I assume a freshly installed Debian 7 here (tested on 64bit version)
  • you should take a backup before proceeding!

Okay, get all the updates and install the required software:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install selinux-basics selinux-policy-default auditd kexec-tools

Run selinux-activate. It modifies grub (which doesn’t matter here) and PAM, and touches /.autorelabel:

$ sudo selinux-activate

Then, edit the file /etc/init.d/rcS and put the following in front of exec /etc/init.d/rc S:

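# kexec only once: the "kexeced" marker on the command line means the
# replacement kernel is already running.
if ! grep -q kexeced /proc/cmdline; then
      kexec -l /vmlinuz --initrd=/initrd.img --command-line="$(cat /proc/cmdline) selinux=1 security=selinux kexeced" && kexec -e
fi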

If this is done, you’re ready to reboot!

$ sudo reboot

Allow some extra time for the reboot, as it has to relabel all the files the first time.

When rebooted, check the SELinux status with:

$ sestatus

Happy labeling :)

© 2014 netmess
