Hello and welcome. I am giving a talk today about a topic that I personally think it shouldn't be necessary to give a talk about. And for a long time it has not been necessary, because nearly every group we did know and that was around did actually do precisely that. I want to encourage all of the newer groups now to actually also do so. This talk is about running your own fucking infrastructure.

It came up as a rant talk on tour camp, when I discovered that the whole tour camp was completely run on Google Groups, Google documents and everything else that you could see that this company from Silicon Valley can provide. So we have the situation that on a hacker camp, actually, a company that everybody likes and loves for the product has the complete data of all participants for the camp, because it wasn't possible to sign up there without a Google account. That made me make the first version of this talk short beer.

Okay, I'm giving this talk in English because we want to have a video presentation. And the idea behind that is that I don't want to give this talk anymore, and actually want to point out there is a link on the internet to media.ccc.de or whatever the way you can look for this talk. I personally think this talk shouldn't need to be given anywhere, but I think if this talk would be available as an acceptable video presentation, you can show it in your hackerspace and encourage people there to do all this. And this is the reason why I'm giving the talk in English on a German event with nearly exclusively German-speaking people. I'm sorry. Yeah, for my very English. Okay.

Most of you know me. I'm McFly.
I'm actually around this CCC thingy for a bit, I guess. My study at computer science at the University of Darmstadt. Meanwhile I had over five years, and this is slightly outdated, experience of working as an administrator in security-related environments. At the moment, I work at a payment provider in security, as security specialist there, and my job contains Nmap and Metasploit and all that stuff all the day. So it's good fun, and keep doing this. There's a lot of nice jobs in security. Yeah, I gave talks on some conferences and like to run around at hackerspaces and other conferences, and basically, I think what most people know me for is running the Milliways that will show up on the next camp again.

Why should I want to run my own infrastructure? Because it's actually convenient to have somebody else run it, right? If you ever try to run your own fucking infrastructure, you might have set up a server that runs your mail, left it there for two years, and then you accidentally SSH into the server again and have two years of more experience and you were like, "Oh my, what did I do there?" This is a process where you possibly need to go through, and iterations help there, and it will end with you understanding lots of computers in the end.

So why should I give this? Oh, yeah. Nope, I think that's fine here in Germany. So it's so easy to put stuff in the cloud, why should I run my own fucking infrastructure? One of the reasons that is pretty obvious to everybody and that is mentioned here very often is: if you put your stuff on the cloud, the government will have access to it, actually pretty easy. But that's not the only reason. There are other things, like the provider will modify the service. You have all seen when somebody changes the website that you use heavily because some user experience guy said "do this totally different", and you find it unusable and you can't do anything about that. You might experience, who of you has a Facebook account?
Okay, you don't need to admit that. But I assume there are people in here that have a Facebook account, maybe a third of you. And do you remember the last time the terms of services on Facebook changed? It does so pretty frequently. It does change a lot of the legal stuff around documents and things published there, and if you want to keep your Facebook account, don't look in there ever. Another problem is that a provider might cancel a service. Rarely unknown: providers might modify your data. This does happen. They might steal your data, and one of the worst things that actually does happen is providers might get hacked.

The question, you're all seeing those questions up there, is: who do you trust with your data? Do you want to trust a cloud provider that is possibly not even in your legal sphere of the country or whatever you are in, or do you want to trust in administrators that you can go to and give him a beer and give him a Club-Mate or tell him what you think of the latest other things positive and yeah. Well, nothing for the, we had the topic for the no more positive.

Government has access. I think today that is a question that does not really need a long discussion anymore. For a long time it meant that basically the Five Eyes had access to the data you put in the cloud and to other providers. Today we need to say that almost every government that asked has access to the data, and it's not only the police.
It's tax authorities and intelligence services and, as we see in cases in America, the school authority. There is tons of government-related groups that get at one point or another point access to your data, and not in all countries and in every case that means that there is a judge that needs to be asked before that. In a lot of the cases and a lot of the countries, the police just writes a mail to Facebook and, well, gets the data they asked for. Actually, they usually don't write mails. They are still in this paper time where they send pieces of paper.

So for the stuff that's not government, because there's lots of other stuff that is interesting there why you want to run your own fucking infrastructure: providers change the service from time to time. Most providers that haven't changed the service in the last 10 years aren't actually around anymore today. Only very few are, and they might change their services very often. That's an improvement; sometimes that's not really an improvement. Very important point is there that if you start with a service that is, especially in the beginning of the service, free, and after a certain time, after a certain amount of users have been boarded, it comes to this point that in the documentations of the companies is very often described as the monetization strategy. Usually you either get ads or parts of the service will turn into what they call freemium. That basically means you then suddenly have to pay to access your own data.

Provider might cancel service. The monetization strategy, that's actually not that unimportant a point for most of those service providers, because if you fail there, usually the service is gone after a while. It very often ends in a way that it gets bought by another company and the data migrated to somewhere you can't really see or say. But even in cases where the data doesn't show up anywhere else, somebody of you who remembers Google Wave? Who did like it? See. There is others: GeoCities, that contained tons and tons of free
private websites, is closed and not reachable anymore today. Megaupload, Dodgeball, Microsoft Zune. Whoever bought their music in the beginning of the digital age with Microsoft Zune: they had some DRM-protected music files that needed to talk to their home server every time you wanted to play them, and at one point Microsoft decided to switch off their server, and you had some time to download it as MP3, and if you didn't, your music's gone. Well, the music you paid for is gone.

Provider might modify data. This is a point that is very often not really seen as one of the dangers when it comes to serving data in the cloud, and I'm mostly referencing YouTube, where it is most obvious. Play music in a German video, put it on YouTube, and it's gone faster than you can count to like five. And that is not only true for music where the music companies that claim to have the rights really have the rights. We had lots of problems with some videos we published about the data retention law, because we had some Creative Commons music in there, and it got taken down 20 times because of claims of Time Warner and Sony and whatever. So no, this is claims like we have had with one of the videos we had about the Vorratsdatenspeicherung, the data retention laws. We had more than 20 claims from music companies for music in there that actually was Creative Commons music.

Another interesting thing, not so obvious in Germany, and this is also very interesting because this gets localized: if you have a video that contains "fuck", in Germany you can hear the "fuck", and if you watch over your VPN connection as an American, the "fuck" gets silenced out. This is a modification of data, and you possibly do not really realize that you have given YouTube the right to modify your data this way.

Another thing that is actually modifying data is a thing that's more legal-wise. Your data is also the stuff you put into the websites like Facebook and stuff, and if you use that you will find
that they constantly modify your, especially, privacy settings. And I don't want to just bash Facebook all the time; most of the social media platforms actually do that.

Provider might steal data. Have you ever used these URL shorteners? Did you read the documentation, which company runs them and what their monetization strategy is? Because that's actually interesting. You completely give them the right on the data, to modify, search, whatever, when you link them with that, and they don't only mean the link with that, actually the data management there. And they have business models for searching for some terms and phrases and things that get fashion. So this is what this partly is used for: to find the latest trends, to get through all this data to get some metadata out of that, and to even use your data. Because, with all of those, Instagram, anyone here? Did any picture of your Instagram ever show up on an Instagram website, like an ad or something? I know at least two cases, and you really can't do anything about that. You allowed that to them; they can at every time use any of your pictures to just make ads and stuff like that without even telling you.

Providers might abuse your data. That is also rather hard to see. One of the points where I saw that is: if you run your own fucking infrastructure, you actually see in your log files
what happens and who accesses your data. And if you then, for example, on your server share something over, in this example, Skype (who does that, but others do that also), you will see that the first thing happening is Skype is accessing the data and then the data around that. And the official excuse for that is that they need to prefetch, that you don't share any malicious stuff with that, but also after pointing it out they stopped with that. Mmm.

Other thing is those people who use lots of applications where they abuse your data. They sometimes state it in the terms of services, but did you ever have the problem that somebody was posting on your behalf because you accidentally allowed any application in something to whatever? This happens actually quite a lot, especially in the gaming scene.

And for the last and the most funny of that, especially here: one of the dangers you run into when you leave your stuff in the cloud is that your stuff might get hacked. This might happen also if you run your data on your own, but just imagine the size of the target that is laying around there if you can pwn 13.7 million users, compared to the 12 on the hackerspace. So, yeah. Does anybody know how often Sony has even been hacked in the last two years? Because I tried to find that out and I failed. Yeah, that's the "Did Sony get hacked last week?" website that basically answers yes. I know "Did Sony get hacked last week?" was on "no" for eight days in 2013. GoDaddy got hacked. Dropbox got hacked. AT&T.
There's somebody, well, that's not really completely got hacked, that is more they misconfigured their service, and somebody was very stupid in pointing that out, so they put him to jail for that, which totally makes sense. Well, Blizzard was hacked, LivingSocial, RockYou, and I'm very sure those three points are by far not enough to describe and count all the other companies that got hacked and their data lost over the time. This actually is a problem of a size that hardly even comes to surface, because if the companies got hacked, the corporate communication usually tries to keep that under the carpet and not publish too much about that. It would be very interesting to get laws that force them to inform the users of personal data when data got hacked, but this is not the case and this is not happening at all. So there's way more.

So you see all those questions really, a lot of them come to one point: are you and your provider's interests really aligned? Do you have the same interest as your provider does? The answer is very clearly yes, if you're your own provider. If not, the provider might be only interested in profits, due to legal reasons, because most companies that are created for profit actually are required by law to at least try to make profit. Therefore keeping your data safe and private is for them a case of balancing out the cost for security versus the benefits they have from keeping your data private. So your data actually gets a price tag. That is one of the results of that.
This is the security price tags, and this is something that should fuck up the shut up. As said, the only provider there is where your interests are really aligned with you is yourself. If you look for your hackerspace, that might be a slightly different thing, though. And always remember: if it's free, you're the product. That is sadly nearly always true.

Okay, this is a disclaimer slide that says: if you run your own fucking infrastructure, you might end up being hacked too. So find some people in your hackerspace that are capable, or you think are most capable of that, and make a group of people that run that. In the end, I would say, if you run your updates pretty frequently, you are out of most of the stuff. Furthermore, there are some mailing lists you might want to read and follow there. What usually does not help is go and install a security solution from a company that promises you to put security in there. But we all know that.

So the first talk, as I said, I gave this talk on the talk amp and everybody was like, "But it was comfy to just put them on the slides." But then something happened: this guy. As he said, I'm not really making anything up of the access of the government. I think most of you have read way more stuff they hoped they would never have to read somewhere in the papers about where your data travels and where data about you travels and what data is collected about you and all the stuff besides the companies. But also if it's collected by the companies, the government requires just the right to access any of those data. So for many people PRISM was the first case where this really became public. But if you google for that and follow the common conspiracy theories websites like FIFA or others, you will easily realize that this has been going on this way at least since 1990, where the first of those programs started.
Some of them became slightly more sophisticated than they had been before. Some of them now target stuff that is really interesting and not, like before, just the noise in the internet. But the will of the security services and all the three-letter agencies to get their fingers onto your data, that's nothing new; that is at least since the 1990s.

So what to do? How many different hackerspaces do we have here? Who from you is from a hackerspace? 42. I think a third of the people are from any hackerspace. I'm pretty sure this is more like 10, 15 different hackerspaces of you. Can the hackerspaces that actually do run their own fucking infrastructure just raise their hand? That's at least most of them, if not all. Do we have a hackerspace here that does not run their own fucking infrastructure? Okay. One very brave person at least, that I hope where this actually does, or a hackerspace where that actually does change something.

For a very, very, very long time, and this is maybe the wrong event to tell that to the people, because for a lot of people this is since a very long time when you look around, it really has been that the hackerspaces run their own fucking infrastructure. That has been mostly websites and mails and mailing lists. I don't think that today this is everything you should run. I think today you need slightly more, and it helps a lot to run more.

What can I run by myself? All those services above there are not really, really complicated to run by yourself, and also I'm very sure that several people of you will miss something from that. So if you run something for yourself, one of the things you need to, I'm sorry, it's hard to, yeah. This is the stuff that Milliways runs by ourselves. We are not a hackerspace.
We are a group of people that sit around on the internet. So we at some points needed some things, and this came along with the making of the talk over the time. We have set up all of this in, I think, a week and then some weekends. It's not really a lot of work.

I think, and I propose, what every hackerspace and every group here should run by themselves is, for example, a Jabber server. If you have seen the CCC Jabber server, and given the point that ioerror told in his talk everybody to use the CCC Jabber server: it's not one of the biggest in the world. It makes it that big target, and it makes it that big hassle to keep it running, which actually is mostly the bigger problem.

You should run in your hackerspace email, because even still today, where most people think that is just the delivery path for spam, it is very important, especially together with mailing lists.

You want to add next CalDAV and CardDAV, because that's something you actually use a lot on your mobile phone, and that is a very nice place where you share a lot of data with Google automatically. Just think of your phone book. It fits easily and perfectly with an Android phone on the server.

Cloud storage: we use Seafile for that. Another possibility is Dropbox. There are other things for that. Seafile works really fine. I can show some of that later.

For organization, we have Redmine and an Etherpad. And for most hackerspaces, having that around or at least in use; not everybody needs to set up its own pad, but for example the Redmine, I think that is, if you actually do projects, a very, very valuable tool.

One of the rules that everybody knows that has done administration for a while is: administration is kind of work. So it helps to script and monitor that. And another point: start in the beginning with setting something up with a centralized address thing.
We have started with an OpenLDAP. The guys who wrote OpenLDAP really like brackets, and it's: set it up, get it running, and then never ever look in there. It's really kind of ugly, but in the end it saves a lot of work. So I think it's worth it. An alternative there is privacyIDEA, which allows two-factor authorization. It supplies you with an LDAP and a RADIUS interface. You can authenticate all your services, websites, emails, Jabber and all this stuff against that. But introducing privacyIDEA here would be enough for its own talk, that is maybe scheduled for the Mitter and Mancows days or something.

Yeah, and also the last point we want to put up is: we'll put up all the code and the config snippets we had to connect all the different software, because this is most of the work setting all this up, in a git until the end of the Easterhegg. This is not done yet, so don't try to clone it yet. Yeah, the thing that saves most of the work is actually: you need to write some software around the user on today's authentication, that we can give you. We hope that somebody takes it and writes something even more awesome about that. For us it works.

Let me see if I find it. So this is the stuff that actually takes most work, and yes, as you can see, it's really not complicated. Everybody who has spent a while coding knows that using this is not a lot of work. You basically have a registry where you sign up with a username and password, that gets submitted into a database, and an administrator later moves that on into an LDAP.
This is everything it practically needs to do, and that sounds pretty easy, like the rest of the whole talk, which I think is from the beginning to the end kind of obvious and should need to, well, anyway. This is the stuff you need in your daily life. And it's very nice to just be able to drop this link in an IRC channel and just say, "Hey, everybody who wants to use that, sign up here," and some lines later you have the people on the network and they can all use all the stuff you build. It's actually a nice thing.

I thought in the beginning that not a lot of people would use that. We still don't consider Milliways like being productive; it's still a kind of beta and stuff like that. But we are at how many users? We had 70 users in a short time, and especially the stuff that gets used a lot, which did surprise me, was the Seafile, which is the cloud storage. A lot of people use that, for example, to get the pictures from their mobile phones on their laptops, because it's a Dropbox replacement where you start in your own hackerspace. And that's everything you need to set up for the people, that just everybody can use it.

Okay, I think there's just the thank-you slides left. So does any one of you have any questions?

I'm an administrator for a longer time, so I like to use the Debian-given tools.
I use Postfix, Dovecot and stuff like that for that. I don't really like to use pre-built stuff in the accept in the extent this pre-built stuff comes to Docker. And I like those ideas on the one side, but you will import a lot of security problems, possibly, that you can't really overlook, into your own house in the end. And Docker: I looked up for something for WordPress. The most famous WordPress Docker has, somewhere down there in the area for updates, something like wget, and then they get something from an HTTP website and then it pipes it to bash, and this updates your Docker. So I looked into that and said, yeah, they possibly need some time to become a bit more mature before I would use that.

I think in most hackerspaces it's not really a problem to set up Postfix, Dovecot, Roundcube or SquirrelMail. And there's tons of really good how-tos on the internet to do this with Debian, and if you've done this more than once, I don't think in a group of two, three people who do administration this should take longer than like two hours. In the whole list I have had here, the whole LDAP was roughly a third of the time, and the rest is basically: set it up with Debian, and then I connected it to the LDAP and it's done. So I hope in the future we will be able to provide a Docker container that we can just give around, or any other container software, to people to just run that. At the moment I would recommend everybody to look in those containers and see what the people are doing in there, and you see ugly things if you actually do.

Are there any more questions? Yes?

There are a lot of NGOs not in hacking issues, and they need the same thing; they need their own infrastructure. I always ask us and digital quality ask us what can we do, and we always say, "Go to the next hackerspace, ask them." Is that a good idea?
Depends on the hackerspace. There are some hackerspaces where I would say this is a really good idea, and there are some hackerspaces where I would be careful about that. If their website is hosted at WordPress and the mailing list is on Google News and Google Groups and their stuff, usually it's not a good address too. They all can learn.

Any more questions? Well, I tried to desperately find the other slides again. We ended with ownCloud, that we don't use for file storage, because the CalDAV and CardDAV part is actually pretty decent. ownCloud sucks if you use the storage part; we use Seafile for the storage, but the CalDAV and CardDAV is awesome. If anyone has any better solutions, we would be very proud to get something running there. And one of the things we want to do is, this will allow comments and discussions, I hope. So we look for people that want to help with that, and if you look for help setting this up, you can reach us. The best thing to actually reach us is IRC. We hang around on #milliways on hack and.

Yeah, I'm coming to the end of the talk. Nobody has any questions? One question.

Yes, we use Roundcube with Sieve plug-in. That is actually pretty neat, because this actually gets users over to your server. Because everybody has these tons of mailing lists they're subscribed to and have their Thunderbird configured with filters to filter all their stuff, but they would like to have it on the server, but they never set up Sieve. So with us, or with the stuff we have, you just upload your Thunderbird filter file and it imports it into the Sieve and works awesome. I can really, really recommend that just for this detail, the Roundcube Sieve filter.

The question was: did we use Kolab? We looked on it and it looked kind of interesting, but also very big and complicated and complex, and so we decided to go with our way.

Any more questions? So first of all, Danny, coming to thanks.
Thank you for the US government, that actually makes this talk easier and really made it easier for me to tell people that you should run your own fucking infrastructure. Because thanks to them who started all this, and thanks to Snowden who unveiled all this, I don't really have to argue a lot about that anymore and just show them: "Do you know this face, like this guy?" He sits in Russia at the moment.

Okay, but I would also like to use this to say thank you to the administrators that run stuff for me. I try to frequently give people that run stuff for me a Club-Mate or beer from time to time. I think that's actually a good idea. And if there are some people around that run stuff for you, you possibly should take this up and supply them with a Club-Mate from time to time, because administrating stuff is often work at the time where you can't need it. It's not a lot of work, though. And I would also like to say thank you to some of the people from Milliways who have gone over the slide and made us made all the server